https://aperturezone.com/tags/windows-server/ Recent content in Windows-Server on Aperture Zone https://aperturezone.com/logo.webp https://aperturezone.com/logo.webp Hugo -- gohugo.io fr-fr Wed, 01 Apr 2026 00:00:00 +0000 https://aperturezone.com/posts/krbtgt2/ Wed, 01 Apr 2026 00:00:00 +0000 https://aperturezone.com/posts/krbtgt2/ <p>In the <a href="https://aperturezone.fr/posts/krbtgt/">first part of this article</a>, we laid the groundwork: what the krbtgt account is, why the Golden Ticket is a serious threat, and a theoretical Ansible architecture for automating rotations. If you haven’t read that part, I encourage you to start there.</p> <p>Now we’re getting down to business. The playbook in Part 1 was intentionally simplified to illustrate the concept. In a real production environment, things get complicated—the interactive script that refuses to be controlled, the XML file that can’t be found, the Kerberos double-hop that blocks everything, the root forest that isn’t what we think it is. These are all obstacles I’ve encountered and resolved, which I’m documenting here.</p> https://aperturezone.com/posts/migration2022/ Fri, 27 Mar 2026 00:00:00 +0000 https://aperturezone.com/posts/migration2022/ <p>In a <a href="https://aperturezone.com/posts/approvals">previous post</a>, I described the 2016 functional upgrade and the approvals audit between my two domains. I ended on this note: <em>&quot;I’ll also need to think about upgrading the OS on my other controllers.&quot;</em></p> <p>Well, that’s done.</p> <hr> <h2 id="background">Background</h2> <p>The infrastructure is based on a two-domain Active Directory forest:</p> <ul> <li>A <strong>forest root domain</strong>, dedicated to servers and hypervisors—two domain controllers ensure its availability. The first holds the domain roles (PDC Emulator, RID Master, Infrastructure Master), while the second holds the forest roles (Schema Master, Domain Naming Master).</li> <li>A <strong>child domain</strong>, dedicated to workstations and users—also with two domain controllers. The first holds the domain’s FSMO roles as well as the DNS service and the primary DHCP. The second ensures continuity: Global Catalog, secondary DNS, failover DHCP, and Certificate Authority. Without these roles, a second DC would be nothing more than a passive replica—so we might as well give it a real reason to exist.</li> </ul> <p>All were running on <strong>Windows Server 2016</strong>, for which mainstream support ended in 2022 and extended support ends in January 2027. The time had come to migrate to <strong>Windows Server 2022</strong>.</p> https://aperturezone.com/posts/krbtgt/ Wed, 25 Mar 2026 00:00:00 +0000 https://aperturezone.com/posts/krbtgt/ <p>There are elements in Active Directory that we completely forget about because they never come up in day-to-day operations. The <strong>krbtgt</strong> account is one of them. Though invisible in everyday use, it is at the heart of all Kerberos authentication in your domain—and its compromise is one of the most catastrophic scenarios an attacker could trigger.</p> <p>In this article, we’ll explore what this account really is, why you need to change its password regularly, and how to automate this process cleanly with <strong>Ansible</strong>.</p> https://aperturezone.com/posts/approbations/ Mon, 02 Mar 2026 00:00:00 +0000 https://aperturezone.com/posts/approbations/ <p>There are some projects that we put off for years. Not because they're impossible, but because there's always something getting in the way. In my case, it was Exchange 2013—that good old mail server that stood in the way of any attempt to modernize the AD. Since migrating to a lighter solution, the coast was clear. So here's the story of a busy night's work.</p> <hr> <h2 id="the-context">The context</h2> <p>The infrastructure runs on two separate Active Directory domains linked by a two-way trust relationship:</p>