<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>Active Directory on Aperture Zone</title>
    <link>https://aperturezone.com/tags/active-directory/</link>
    <description>Recent content in Active Directory on Aperture Zone</description>
    <image>
      <url>https://aperturezone.com/logo.webp</url>
      <link>https://aperturezone.com/logo.webp</link>
    </image>
    <generator>Hugo -- gohugo.io</generator>
    <language>fr-fr</language>
    <lastBuildDate>Fri, 03 Apr 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://aperturezone.com/tags/active-directory/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>DRP on Hyper-V with Veeam: from chaos to clean failover</title>
      <link>https://aperturezone.com/posts/drpveeam/</link>
      <pubDate>Fri, 03 Apr 2026 00:00:00 +0000</pubDate>
      
      <guid>https://aperturezone.com/posts/drpveeam/</guid>
      <description>&lt;p&gt;I have a virtualized infrastructure running on &lt;strong&gt;Hyper-V&lt;/strong&gt; with a separate backup/DRP server. The entire stack runs on &lt;strong&gt;19 VMs&lt;/strong&gt;: two Active Directory domains with domain joining, Linux DNS forwarders (BIND9), RADIUS, monitoring, application services&amp;hellip; in short, not something we can afford to just reboot haphazardly.&lt;/p&gt;
&lt;p&gt;The project’s objective was simple to state, but complex to achieve:&lt;/p&gt;
&lt;p&gt;&amp;gt; &lt;strong&gt;Switch over the entire infrastructure to the DRP server with minimal effort, ensuring service continuity (at the very least, not cutting off internet access), then return to production cleanly.&lt;/strong&gt;&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>Backing up GPOs with Ansible and WinRM</title>
      <link>https://aperturezone.com/posts/backup_gpo/</link>
      <pubDate>Thu, 02 Apr 2026 00:00:00 +0000</pubDate>
      
      <guid>https://aperturezone.com/posts/backup_gpo/</guid>
      <description>&lt;p&gt;Group Policy Objects are at the heart of any robust Active Directory infrastructure. They define security settings, permissions, device configurations, and software restrictions. In the event of a disaster, human error, or simply a need to roll back after a change, not having a backup of your GPOs means facing hours of tedious reconstruction.&lt;/p&gt;
&lt;p&gt;The graphical interface of the Group Policy Management Console does offer a backup feature, but it is manual, easy to overlook, and, most importantly, not versioned. The goal of this article is to automate this process cleanly using Ansible via WinRM, on an infrastructure comprising &lt;strong&gt;two separate Active Directory domains&lt;/strong&gt;, with long-term archiving on a NAS and reporting via email.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>Active Directory: krbtgt, from theory to practice</title>
      <link>https://aperturezone.com/posts/krbtgt2/</link>
      <pubDate>Wed, 01 Apr 2026 00:00:00 +0000</pubDate>
      
      <guid>https://aperturezone.com/posts/krbtgt2/</guid>
      <description>&lt;p&gt;In the &lt;a href=&#34;https://aperturezone.fr/posts/krbtgt/&#34;&gt;first part of this article&lt;/a&gt;, we laid the groundwork: what the krbtgt account is, why the Golden Ticket is a serious threat, and a theoretical Ansible architecture for automating rotations. If you haven’t read that part, I encourage you to start there.&lt;/p&gt;
&lt;p&gt;Now we’re getting down to business. The playbook in Part 1 was intentionally simplified to illustrate the concept. In a real production environment, things get complicated—the interactive script that refuses to be controlled, the XML file that can’t be found, the Kerberos double-hop that blocks everything, the root forest that isn’t what we think it is. These are all obstacles I’ve encountered and resolved, which I’m documenting here.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>Server 2022 migration: multi-domain forest</title>
      <link>https://aperturezone.com/posts/migration2022/</link>
      <pubDate>Fri, 27 Mar 2026 00:00:00 +0000</pubDate>
      
      <guid>https://aperturezone.com/posts/migration2022/</guid>
      <description>&lt;p&gt;In a &lt;a href=&#34;https://aperturezone.com/posts/approvals&#34;&gt;previous post&lt;/a&gt;, I described the 2016 functional upgrade and the approvals audit between my two domains. I ended on this note: &lt;em&gt;&amp;quot;I’ll also need to think about upgrading the OS on my other controllers.&amp;quot;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Well, that’s done.&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id=&#34;background&#34;&gt;Background&lt;/h2&gt;
&lt;p&gt;The infrastructure is based on a two-domain Active Directory forest:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;A &lt;strong&gt;forest root domain&lt;/strong&gt;, dedicated to servers and hypervisors—two domain controllers ensure its availability. The first holds the domain roles (PDC Emulator, RID Master, Infrastructure Master), while the second holds the forest roles (Schema Master, Domain Naming Master).&lt;/li&gt;
&lt;li&gt;A &lt;strong&gt;child domain&lt;/strong&gt;, dedicated to workstations and users—also with two domain controllers. The first holds the domain’s FSMO roles as well as the DNS service and the primary DHCP. The second ensures continuity: Global Catalog, secondary DNS, failover DHCP, and Certificate Authority. Without these roles, a second DC would be nothing more than a passive replica—so we might as well give it a real reason to exist.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;All were running on &lt;strong&gt;Windows Server 2016&lt;/strong&gt;, for which mainstream support ended in 2022 and extended support ends in January 2027. The time had come to migrate to &lt;strong&gt;Windows Server 2022&lt;/strong&gt;.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>Active Directory: krbtgt the scary account</title>
      <link>https://aperturezone.com/posts/krbtgt/</link>
      <pubDate>Wed, 25 Mar 2026 00:00:00 +0000</pubDate>
      
      <guid>https://aperturezone.com/posts/krbtgt/</guid>
      <description>&lt;p&gt;There are elements in Active Directory that we completely forget about because they never come up in day-to-day operations. The &lt;strong&gt;krbtgt&lt;/strong&gt; account is one of them. Though invisible in everyday use, it is at the heart of all Kerberos authentication in your domain—and its compromise is one of the most catastrophic scenarios an attacker could trigger.&lt;/p&gt;
&lt;p&gt;In this article, we’ll explore what this account really is, why you need to change its password regularly, and how to automate this process cleanly with &lt;strong&gt;Ansible&lt;/strong&gt;.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>Active Directory: 2016 functional upgrade and approval audit</title>
      <link>https://aperturezone.com/posts/approbations/</link>
      <pubDate>Mon, 02 Mar 2026 00:00:00 +0000</pubDate>
      
      <guid>https://aperturezone.com/posts/approbations/</guid>
      <description>&lt;p&gt;There are some projects that we put off for years. Not because they&#39;re impossible, but because there&#39;s always something getting in the way. In my case, it was Exchange 2013—that good old mail server that stood in the way of any attempt to modernize the AD. Since migrating to a lighter solution, the coast was clear. So here&#39;s the story of a busy night&#39;s work.&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id=&#34;the-context&#34;&gt;The context&lt;/h2&gt;
&lt;p&gt;The infrastructure runs on two separate Active Directory domains linked by a two-way trust relationship:&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>Hardening AD with PingCastle</title>
      <link>https://aperturezone.com/posts/pingcastle/</link>
      <pubDate>Thu, 26 Feb 2026 00:00:00 +0000</pubDate>
      
      <guid>https://aperturezone.com/posts/pingcastle/</guid>
      <description>&lt;h1 id=&#34;pingcastle-amp-hardening-active-directory&#34;&gt;PingCastle &amp;amp; Hardening Active Directory&lt;/h1&gt;
&lt;p&gt;Active Directory is the cornerstone of identity and access management in most Windows environments. Its critical nature also makes it a prime target for attackers. A poorly configured AD can allow privilege escalation, lateral movement, or even total domain compromise.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;PingCastle&lt;/strong&gt; is now one of the benchmark tools for assessing the security posture of an Active Directory. It was developed by &lt;strong&gt;Vincent Le Toux&lt;/strong&gt;, a renowned French expert in offensive security circles whose mastery of Windows and Active Directory internals is widely recognized. He is said to have close ties to &lt;strong&gt;ANSSI&lt;/strong&gt;—a persistent urban legend in the community, fueled by the depth and quality of the tool&#39;s detection rules, which reflect a knowledge of attack vectors rarely achieved outside of government circles. Vincent Le Toux is also co-author of &lt;strong&gt;mimikatz&lt;/strong&gt;, the global benchmark tool for extracting Windows credentials.&lt;/p&gt;</description>
    </item>
    
  </channel>
</rss>
