Happy World Password Day! Today, I’m super excited to share some great news with you: Together, with the FIDO Alliance and other major platforms, Microsoft has announced support for the expansion of a common passwordless standard created by the FIDO Alliance and the World Wide Web consortium. These multi-device FIDO credentials, sometimes referred to as passkeys, represent a monumental step toward a world without passwords. We also have some great updates coming to our passwordless solutions in Azure Active Directory (Azure AD) and Windows that will expand passwordless to more use cases.
Passwords have never been less adequate for protecting our digital lives. As Vasu Jakkal reported earlier today, there are over 921 password attacks every second. Lots of attackers want your password and will keep trying to steal it from you. It’s better for everyone if we just cut off their supply.
Replacing passwords with passkeys
Passkeys are a safer, faster, easier replacement for your password. With passkeys, you can sign in to any supported website or application by simply verifying your face, fingerprint or using a device PIN. Passkeys are fast, phish-resistant, and will be supported across leading devices and platforms. Your biometric information never leaves the device and passkeys can even be synced across devices on the same platform – so you don’t need to enroll each device and you’re protected in case you upgrade or lose your device. You can use Windows Hello today to sign in to any site that supports passkeys, and in the near future, you’ll be able to sign in to your Microsoft account with a passkey from an Apple or Google device.
We enthusiastically encourage website owners and app developers to join Microsoft, Apple, Google, and the FIDO Alliance to support passkeys and help realize our vision of a truly passwordless world.
Going passwordless
We’re proud to have been one of the earliest supporters of the FIDO standards, including FIDO2 certification for Windows Hello. We’re thrilled to evolve the FIDO standards ecosystem to support passkeys and that passwordless authentication continues to gain momentum.
Since we started introducing passwordless sign-in nearly 5 years ago, the number of people across Microsoft services signing in each month without using their password has reached more than 240 million. And in the last six months, over 330,000 people have taken the next step of removing the password from their Microsoft Account. After all, you’re completely safe from password-based attacks if you don’t have one.
Today, we’re also announcing new capabilities that will make it easier for enterprises to go completely passwordless:
Passwordless for Windows 365, Azure Virtual Desktop, and Virtual Desktop Infrastructure
Now that remote or hybrid work is the new norm, lots more people are using a remote or virtualized desktop to get their work done. And now, we’ve added passwordless support for Windows 365, Azure Virtual Desktop, and Virtual Desktop Infrastructure. This is currently in preview with Windows 11 Insiders, and is on the way for Windows 10 as well.
Windows Hello for Business Cloud Trust
Windows Hello for Business Cloud Trust simplifies the deployment experience of Windows Hello for hybrid environments. This new deployment model removes previous requirements for public key infrastructure (PKI) and syncing public keys between Azure AD and on-premises domain controllers. This improvement eliminates delays between users provisioning Windows Hello for Business and being able to authenticate and makes it easier than ever to use Windows Hello for Business for accessing on-premises resources and applications. Cloud Trust is now available in preview for Windows 10 21H2 and Windows 11 21H2.
Multiple passwordless accounts in Microsoft Authenticator
When we first introduced passwordless sign-in for Azure AD (work or school accounts), Microsoft Authenticator could only support one passwordless account at a time. Now that limitation has been removed and you can have as many as you want. iOS users will start to see this capability later this month and the feature will be available on Android afterwards.
Passwordless phone sign in experience in Microsoft Authenticator for Azure AD accounts.
Temporary Access Pass in Azure AD
Temporary Access Pass in Azure AD, a time-limited passcode, has been a huge hit with enterprises since the public preview, and we’ve been adding more ways to use it as we prepare to release the feature this summer. Lots of customers have told us they want to distribute Temporary Access Passes instead of passwords for setting up new Windows devices. You’ll be able to use a Temporary Access Pass to sign in for the first time, to configure Windows Hello, and to join a device to Azure AD. This update will be available next month.
End user experience for Temporary Access Pass in Windows 11 onboarding.
Customers implementing passwordless today
We already have several great examples of large Microsoft customers implementing passwordless solutions, including Avanade, who went passwordless with help from Feitian to protect their clients’ data against security breaches. Amedisys, a home healthcare and hospice care provider, went passwordless to keep patient personal information secured. Both organizations are committed to using passwordless authentication not only to strengthen security, but also to make the sign-in experience easier for end users.
Microsoft has been quite aggressive in its moves to get people away from Google Chrome and over to its revamped Edge browser. In its latest move, Microsoft Edge is adding a feature that imports data from Google Chrome constantly.
As highlighted by the folks over at Windows Latest, Microsoft Edge has an option to automatically import data from another browser, specifically Google Chrome. The previous “import browser data” page in Edge’s Settings menu used to simply offer a one-time import option for your data, syncing over bookmarks, passwords, your browsing history, and more. Clicking the option to import browser data would simply open a menu for a one-time import from any other browser on your computer.
But now, Microsoft has been allowing users to import browser data from Google Chrome on every launch. From what we can tell, the feature has been available in some capacity for at least a few months, but went largely under the radar until now, even as it’s live on Edge 101. It seems that new updates may be putting more emphasis on the feature. u/Leopeva64 notes that Edge 104, now in the Canary channel, redesigns the import page with a new look for this tool that puts much more emphasis on this setting.
Edge 104
Chrome is, notably, the only option for this automatic import setting, with Mozilla Firefox not showing up as an option as it does on the manual import option. Microsoft explains the feature:
Import browser data on each launch
Always have access to your recent browsing data each time you browse on Microsoft Edge
Importing data from another browser on your computer isn’t a new idea, and it’s certainly something Edge is more than happy to do. This latest change will simply do that automatically, in what’s clearly a move to make it easier for Google Chrome users to use Edge more often.
There are also a couple of new options for this. Microsoft Edge can import data from Chrome as usual, with bookmarks (though not automatically, right now), passwords, browsing history, settings, saved passwords, personal information, and payment details. But now, Edge can also pull open tabs and extensions over from Chrome. This would effectively mean that Edge can pick up where Chrome left off. Extensions, though, are also not available automatically at this point.
Windows Latest notes that imported tabs are marked as such, and Microsoft mentions on a support page that it can import up to 50 tabs at once. Microsoft has yet to update that same page with this automatic import option.
9to5Google’s Take
Being able to use Microsoft Edge as a mirror of Google Chrome is a pretty great idea, admittedly. The idea of being able to use Chrome with a specific set of extensions, settings, and more while essentially having a backup of that data in Edge is nice. It removes a barrier from switching between the two.
However, it still feels like Microsoft is trying too hard – again. Edge is a great browser on its own, and tools like this are indeed very helpful. But is this targeted behavior really necessary? At a technical level, this might only be possible with Chrome, but it’s surely no coincidence that Microsoft is clearly marking the feature as something you can do only with Chrome. It wouldn’t be surprising if, in the future, Microsoft turned on this feature by default either during or after setup.
IT teams rely on Active Directory (AD) to keep networks secure and maintain user accounts — but they often need to adhere to strict budget limitations when it comes to selecting software to help. That’s why we’ve put together this list of the top free Active Directory management tools.
Our picks focus on AD tools that will help you complete routine AD management tasks much faster so your team has time to focus on other priorities. We’ve grouped these free Active Directory tools into three categories:
Active Directory Reporting, Monitoring and Auditing Tools
Microsoft Active Directory Explorer
Microsoft Active Directory Explorer is an advanced administration tool that makes it easy to search for, view and edit extended information about AD objects. It is similar to AD Users and Computers but has at least one key additional benefit — it allows you to view object properties and attributes without opening additional dialog boxes.
AD Explorer also enables you to save snapshots of an AD database for offline viewing and database version comparisons. When you load a saved snapshot, you can work with it as you would use a live database.
Other features include:
Defining favorite locations
Editing permissions
Viewing an object’s scheme
Executing sophisticated searches that you can save and re-execute
Netwrix Auditor for Active Directory (free community edition) gives you visibility into what’s happening inside domains while eliminating the time-consuming tasks of analyzing endless native logs. Netwrix Auditor tracks logons and all changes to Active Directory users, groups, organizational units and Group Policy. It generates a daily activity summary that details all changes and logon activity that occurred during the previous 24 hours, including the before and after values for each modification.
Netwrix Account Lockout Examiner
Netwrix Account Lockout Examiner is well known as one of the best Active Directory tools for quickly resolving one of the most pressing issues with AD: account lockouts. It enables you to identify the root cause of lockouts in a single keystroke, slashing troubleshooting time by up to 90 percent. This lightweight and intuitive tool empowers you to investigate issues like why the same account repeatedly locks out without having to slog through a mountain of cryptic event logs — just enter the username and click a button.
Netwrix Effective Permissions Reporting Tool
Netwrix Effective Permissions Reporting Tool simplifies auditing of access permissions in Active Directory. You can view a user’s account group membership, the permissions the account has to every AD object and how those permissions are granted. It also shows file and folder effective permissions, so you can determine who has access to your data and how their access was gained. You can export this information to an HTML file.
Netwrix Bulk Password Reset
Netwrix Bulk Password Reset enables you to reset local admin and user passwords across multiple workstations at once, remotely, without actually logging into them. This functionality enhances Windows Server security.
Netwrix Inactive User Tracker
Netwrix Inactive User Tracker provides insight into stale Active Directory user accounts so you can disable or delete unneeded accounts before malicious actors can exploit them to gain access to resources and services on your network.
Netwrix Password Expiration Notifier
Netwrix Password Expiration Notifier automatically sends notifications about upcoming AD password expiration to users and their managers. This proactive approach enables you to remain in compliance with password security best practices without sacrificing user productivity or increasing helpdesk workload.
Cjwdev Active Directory Info
Cjwdev Active Directory Info is a free Active Directory reporting and analysis tool that enables you to review the configuration settings of AD objects. You can quickly generate CSV, HTML or TXT reports to gain insight into things like:
Cjwdev Active Directory Permissions Reporter extracts all permissions for every object in your domain. Note that the free edition of Cjwdev AD Permissions Reporter does not support the command line and you cannot filter or export results.
ENow Compass
ENow Compass provides real-time network monitoring to help you identify issues that could evolve into bigger problems. ENow Compass is a powerful toolset, but the company does not offer a free version. Users can start with a 14-day free trial with registration.
MaxPowerSoft Active Directory Reports Lite
MaxPowerSoft Active Directory Reports Lite allows you to load up to 200 objects from Active Directory and generate auditing reports on users, groups, organizational units, computers and GPOs. The paid version of grants access to more reports and many more features.
Active Directory FastReporter
Active Directory FastReporter generates a variety of predefined reports on your AD infrastructure. The free version doesn’t allow you to create custom reports, export reports or use automation features.
LDAPSoft Active Directory Browser
LDAPSoft Active Directory Browser simplifies SSL communication and streamlines the process of browsing your AD hierarchy. You can search for entries, view all available attributes and run SQL-LDAP statements.
Softerra Browser for LDAP
Softerra Browser for LDAP is a lightweight tool that allows you to view, browse, search and export information from LDAP. It is free to use for 30 days — you’ll need to register a paid account to use it past this point.
WiseSoft Password Control
WiseSoft Password Control can reset user passwords in bulk, which saves time and effort when managing service account passwords. It also includes the ability to make other bulk changes, such as enabling and disabling user accounts, group membership functions, descriptions and departments.Handpicked related content:
Albus Bit Active Directory Administrator enables you to manage user and computer accounts across your Active Directory domain from a single interface. You can use the built-in search templates or create your own, and use the results to disable inactive accounts, move accounts to different organizational units or remove users from groups.
CjWdev Active Directory Tidy
CjWdev Active Directory Tidy allows you to easily manage your AD accounts in bulk. For example, you can add multiple accounts to a specific security group, or set random passwords or a particular expiry date for a set of accounts.
The tool’s filtering functionality makes it easy to clean up your AD. For example, you can filter by last login date to find all inactive user and computer accounts to determine whether you should remove them from your domain. The paid version of this tool also enables you to export AD settings to XML.
Spiceworks People View
Spiceworks People View allows you to view and update AD user account properties, such as email, phone number, title and department. You can also add devices to user profiles to monitor installed software programs and update it when needed. You can also reset passwords and enable or disable user accounts. The tool also offers self-administered password and user profile management on a self-service web portal, and real-time status monitoring of all your devices.
Spiceworks offers other useful tools. For example, Network Monitor performs real-time status monitoring of all your devices.
Microsoft AdRestore
Microsoft AdRestore is a single-task tool that enumerates all tombstoned objects in your AD domain and enables you to restore them individually as needed.
Windows PowerShell
Windows PowerShell is undoubtedly the most powerful Active Directory tool. However, it can be challenging to use because it lacks a graphical interface. To accomplish your tasks, you’ll need to use cmdlets and scripts like the following:
Disable a user account: Disable-ADAccount username
Enable a user account: Enable-ADAccount username
Unlock a user account: Unlock-ADAccount username
Delete a user account: Remove-ADUser username
Find all empty groups: Get-adgroup -filter * | where {-Not ($_ | get-adgroupmember)} | Select Name
Add a member to a group: Add-adgroupmember “groupname” –username
Enumerate the members of a group: Get-ADGroupMember “groupname”
See what groups a user account is a member of: Get-aduser username -property Memberof | Select -ExpandProperty memberOf
Disable a computer account: Disable-ADAccount -Identity “computername”
Create an organizational unit: New-ADOrganizationalUnit -Name OUname -Path “dc=domainname,dc=com”
Create a computer account: New-ADComputer -Name username -Path “ou=OUname,dc=DCname,dc=com”
Create a user account: New-ADUser -Name username -Path “ou=OUname,dc=DCname,dc=com”
Adaxes
Adaxes streamlines routine management functions in Active Directory, Microsoft Exchange and Microsoft 365 environments. You can use it to delegate privileges, control authorizations and stay in compliance with data mandates. Softerra offers a 30-day free trial.
CENTREL Solutions XIA Automation
CENTREL Solutions XIA Automation helps you automate IT management tasks, such as account provisioning, user management and password changes. It includes time-saving features like bulk provisioning of accounts from CSV to AD, Exchange, Google or Office 365.
Dameware Remote Everywhere
Dameware Remote Everywhere is a pricey commercial-grade tool at $540 (and up), but it is notable for its powerful functionality — especially for enterprise-level network needs.
“Remote Everywhere” refers to the tool’s cloud-based solutions. Users enjoy safe, remote support with advanced encryption and multifactor authentication, essential endpoint support for any computer or device, and a reporting engine that can handle virtually any reporting task. New users can get a fully functional version of Dameware Remote Everywhere for 14 days.
Active Directory Utility Tools
Microsoft Active Directory Replication Status (ADREPLSTATUS) Tool
Microsoft ADREPLSTATUS Tool is a single-purpose tool that helps you analyze the replication of domain controllers in your network.
Cjwdev Group Manager
Cjwdev Group Manager allows the manager of a group to manage roles and settings for the group, including adding and removing other users and exporting group members to a CSV file. The free edition enables you to manage only a single group, and you cannot or add new members from other domains.
Cjwdev Active Directory Photo Edit
Cjwdev Active Directory Photo Edit enables you to import and upload images to an AD attribute that can be displayed in Outlook 2010, Lync and SharePoint. The free edition can’t process pictures for users and contacts in bulk, but the paid version offers this feature.
Cjwdev Managed Service Accounts GUI
Cjwdev Managed Service Accounts GUI helps you configure managed service accounts using an intuitive GUI that eliminates the need for PowerShell commands.
Specops Password Auditor
Specops Password Auditor scans your Active Directory and identifies password-related vulnerabilities so you can reduce your attack surface and maintain compliance.
Specops Software Gpupdate
Specops Software Gpupdate enables remote administration of computers and organizational units. For example, you can refresh Group Policy or wake up, shut down or restart a PC remotely.
Specops Command
Specops Command is a PowerShell and VBScript interface that helps you automate many Active Directory administrative tasks.
Zohno Z-Hire and Z-Term
Zohno Z-Hire and Z-Term are single-task tools. Z-Hire speeds the user account creation process for new hires, while Z-Term helps with account removal when an employee leaves the organization.
SysOpsTools Active Directory Query
SysOpsTools Active Directory Query is a free executable tool — no installation required — that can be used to quickly search AD for information about a specific user or computer, including schema attributes that are normally not readable.
SysAdmin and SysAdmin Anywhere both offer a free trial.
Codeplex ADModify.NET
Codeplex ADModify.NET is a single-use tool that allows you to modify multiple user attributes at once.
WiseSoft Bulk Password Control
WiseSoft Bulk Password Control enables you to change passwords on multiple accounts at the same time using the tool’s password generator feature. You can also enable, disable and unlock AD accounts in bulk.
Conclusion
With so many options to choose from, it can be challenging to find the right mix of AD management tools for your needs. The most effective way to make that choice is to install different tools and try them out in your AD environment. This will give you insight into how well they will work for your specific needs and preferences.
Active Directory (AD) allows object creations, updates and deletions to be committed to any authoritative domain controller (DC). This is possible because every DC (except read-only DCs) maintains a writable copy of its own domain’s partition. Once a change has been committed, it is replicated automatically to other DCs through a process called multi-master replication. This behavior allows most operations to be processed reliably by multiple domain controllers and provides for high levels of redundancy, availability and accessibility in Active Directory.Handpicked related content:
An exception applies to certain Active Directory operations that are sensitive enough that their execution is restricted to a specific domain controller. Active Directory addresses these situations through a special set of roles. Microsoft has begun referring to these roles as the operations master roles, but they are more commonly referred to by their original name: flexible single-master operator (FSMO) roles.
What are FSMO Roles?
The 5 FSMO Roles
Active Directory has five FSMO roles:
Schema Master
Domain Naming Master
Infrastructure Master
Relative ID (RID) Master
PDC Emulator
In every forest, there is a single Schema Master and a single Domain Naming Master. In each domain, there is one Infrastructure Master, one RID Master and one PDC Emulator. At any given time, there can be only one DC performing the functions of each role. Therefore, a single DC could be running all five FSMO roles; however, in a single-domain environment, there can be no more than five servers that run the roles.
In a multi-domain environment, each domain will have its own Infrastructure Master, RID Master and PDC Emulator. When a new domain is added to an existing forest, only those three domain-level FSMO roles are assigned to the initial domain controller in the newly created domain; the two enterprise-level FSMO roles (Schema Master and Domain Naming Master) already exist in the forest root domain.
Schema Master
Schema Master is an enterprise-level FSMO role; there is only one Schema Master in an Active Directory forest.
The Schema Master role owner is the only domain controller in an Active Directory forest that contains a writable schema partition. As a result, the DC that owns the Schema Master FSMO role must be available to modify its forest’s schema. Examples of actions that update the schema include raising the functional level of the forest and upgrading the operating system of a DC to a higher version than currently exists in the forest.
The Schema Master role has little overhead and its loss can be expected to result in little to no immediate operational impact. Indeed, unless schema changes are necessary, it can remain offline indefinitely without noticeable effect. The Schema Master role should be seized only when the DC that owns the role cannot be brought back online. Bringing the Schema Master role owner back online after the role has been seized from it can introduce serious data inconsistency and integrity issues for the forest.
Domain Naming Master
Domain Naming Master is an enterprise-level role; there is only one Domain Naming Master in an Active Directory forest.
The Domain Naming Master role owner is the only domain controller in an Active Directory forest that is capable of adding new domains and application partitions to the forest. Its availability is also necessary to remove existing domains and application partitions from the forest.
The Domain Naming Master role has little overhead and its loss can be expected to result in little to no operational impact, since the addition and removal of domains and partitions are performed infrequently and are rarely time-critical operations. Consequently, the Domain Naming Master role should need to be seized only when the DC that owns the role cannot be brought back online.
RID Master
Relative Identifier Master (RID Master) is a domain-level role; there is one RID Master in each domain in an Active Directory forest.
The RID Master role owner is responsible for allocating active and standby Relative Identifier (RID) pools to DCs in its domain. RID pools consist of a unique, contiguous range of RIDs, which are used during object creation to generate the new object’s unique Security Identifier (SID). The RID Master is also responsible for moving objects from one domain to another within a forest.
In mature domains, the overhead generated by the RID Master is negligible. Since the primary domain controller (PDC) in a domain typically receives the most attention from administrators, leaving this role assigned to the domain PDC helps ensure its availability. It is also important to ensure that existing DCs and newly promoted DCs, especially those promoted in remote or staging sites, have network connectivity to the RID Master and are reliably able to obtain active and standby RID pools.
The loss of a domain’s RID Master will eventually lead to result in an inability to create new objects in the domain as the RID pools in the remaining DCs are depleted. While it might seem that unavailability of the DC owning the RID Master role would cause significant operational disruption, in mature environments the impact is usually tolerable for a considerable length of time because of a relatively low volume of object creation events. Bringing a RID Master back online after having seized its role can introduce duplicate RIDs into the domain, so this role should be seized only if the DC that owns it cannot be brought back online.
Infrastructure Master
Infrastructure Master is a domain-level role; there is one Infrastructure Master in each domain in an Active Directory forest.
The Infrastructure Master synchronizes objects with the global catalog servers. The Infrastructure Master will compare its data to a global catalog server’s data and receive any data not found in its database from the global catalog server. If all DCs in a domain are also global catalog servers, then all DCs will have up-to-date information (assuming that replication is functional). In such a scenario, the location of the Infrastructure Master role is irrelevant since it doesn’t have any real work to do.
The Infrastructure Master role owner is also responsible for managing phantom objects. Phantom objects are used to track and manage persistent references to deleted objects and link-valued attributes that refer to objects in another domain within the forest (e.g., a local-domain security group with a member user from another domain).
The Infrastructure Master may be placed on any domain controller in a domain unless the Active Directory forest includes DCs that are not global catalog hosts. In that case, the Infrastructure Master must be placed on a domain controller that is not a global catalog host.
The loss of the DC that owns the Infrastructure Master role is likely to be noticeable only to administrators and can be tolerated for an extended period. While its absence will result in the names of cross-domain object links failing to resolve correctly, the ability to utilize cross-domain group memberships will not be affected.Handpicked related content:
The Primary Domain Controller Emulator (PDC Emulator or PDCE) is a domain-level role; there is one PDCE in each domain in an Active Directory forest.
The PDC Emulator controls authentication within a domain, whether Kerberos v5 or NTLM. When a user changes their password, the change is processed by the PDC Emulator.
The PDCE role owner is responsible for several crucial operations:
Backward compatibility. The PDCE mimics the single-master behavior of a Windows NT primary domain controller. To address backward compatibility concerns, the PDCE registers as the target DC for legacy applications that perform writable operations and certain administrative tools that are unaware of the multi-master behavior of Active Directory DCs.
Time synchronization. Each PDCE serves as the master time source within its domain. The PDCE in forest root domain serves as the preferred Network Time Protocol (NTP) server in the forest. The PDCE in every other domain within the forest synchronizes its clock to the forest root PDCE; non-PDCE DCs synchronize their clocks to their domain’s PDCE; and domain-joined hosts synchronize their clocks to their preferred DC. One example of the importance of time synchronization is Kerberos authentication: Kerberos authentication will fail if the difference between a requesting host’s clock and the clock of the authenticating DC exceeds the specified maximum (5 minutes by default); this helps counter certain malicious activities, such as replay attacks.
Password update processing. When computer and user passwords are changed or reset by a non-PDCE domain controller, the committed update is immediately replicated to the domain’s PDCE. If an account attempts to authenticate against a DC that has not yet received a recent password change through scheduled replication, the request is passed to the domain PDCE, which will process the authentication request and instruct the requesting DC to either accept or reject it. This behavior ensures that passwords can reliably be processed even if recent changes have not fully propagated through scheduled replication. The PDCE is also responsible for processing account lockouts, since all failed password authentications are passed to the PDCE.
Group Policy updates. All Group Policy object (GPO) updates are committed to the domain PDCE. This prevents versioning conflicts that could occur if a GPO was modified on two DCs at approximately the same time.
Distributed file system. By default, distributed file system (DFS) root servers will periodically request updated DFS namespace information from the PDCE. While this behavior can lead to resource bottlenecks, enabling the Dfsutil.exe Root Scalability parameter will allow DFS root servers to request updates from the closest DC.
The PDCE should be placed on a highly-accessible, well-connected, high-performance DC. Additionally, the forest root domain PDC Emulator should be configured with a reliable external time source.
While the loss of the DC that owns the PDC Emulator role can be expected to have an immediate and significant impact on operations, the seizure of the PDCE role has fewer implications to the domain than the seizure of other roles. Seizure of the PDCE role is a recommended best practice if the DC that owns that role becomes unavailable due to an unscheduled outage.
Identifying Role Owners
You can use either the command prompt or PowerShell to identify FSMO role owners.
FSMO roles often remain assigned to their original domain controllers, but they can be transferred if necessary. Since FSMO roles are necessary for certain important operations and they are not redundant, it can be desirable or even necessary to move FSMO roles from one DC to another.
One method of transferring a FSMO role is to demote the DC that owns the role, but this is not an optimal strategy. When a DC is demoted, it will attempt to transfer any FSMO roles it owns to suitable DCs in the same site. Domain-level roles can be transferred only to DCs in the same domain, but enterprise-level roles can be transferred to any suitable DC in the forest. While there are rules that govern how the DC being demoted will decide where to transfer its FSMO roles, there is no way to directly control where its FSMO roles will be transferred.
The ideal method of moving an FSMO role is to actively transfer it using either the Management Console, PowerShell or ntdsutil.exe. During a manual transfer, the source DC will synchronize with the target DC before transferring the role.
To transfer an FSMO role, an account must have the following privileges:
To transfer this FSMO
The account must be a member of
Schema Master
Schema Admins and Enterprise Admins
Domain Naming Master
Enterprise Admins
PDCE, RID Master or Infrastructure Master
Domain Admins in the domain where the role is being transferred
How to Transfer FSMO Roles using the Management Console
Transferring the Schema Master Role
The Schema Master role can be transferred using the Active Directory Schema Management snap-in.
If this snap-in is not among the available Management Console snap-ins, it will need to be registered. To do so, open an elevated command prompt and enter the command regsvr32 schmmgmt.dll.
Once the DLL has been registered, run the Management Console as a user who is a member of the Schema Admins group, and add the Active Directory Schema snap-in to the Management Console:
Right-click the Active Directory Schema node and select Change Active Directory Domain Controller. Choose the DC that the Schema Master FSMO role will be transferred to and click OK to bind the Active Directory Schema snap-in to that DC. (A warning may appear explaining that the snap-in will not be able to make changes to the schema because it is not connected to the Schema Master.)
Right-click the Active Directory Schema node again and select Operations Master. Then click the Change button to begin the transfer of the Schema Master role to the specified DC:
Transferring the Domain Naming Master Role
The Domain Naming Master role can be transferred using the Active Directory Domains and Trusts Management Console snap-in.
Run the Management Console as a user who is a member of the Enterprise Admins group, and add the Active Directory Domains and Trusts snap-in to the Management Console:
Right-click the Active Directory Domains and Trusts node and select Change Active Directory Domain Controller. Choose the DC that the Domain Naming Master FSMO role will be transferred to, and click OK to bind the Active Directory Domains and Trusts snap-in to that DC.
Right-click the Active Directory Domains and Trusts node again and select Operations Master. Click the Change button to begin the transfer of the Domain Naming Master role to the selected DC:
Transferring the RID Master, Infrastructure Master or PDC Emulator Role
The RID Master, Infrastructure Master and PDC Emulator roles can all be transferred using the Active Directory Users and Computers Management Console snap-in.
Run the Management Console as a user who is a member of the Domain Admins group in the domain where the FSMO roles are being transferred and add the Active Directory Users and Computers snap-in to the Management Console:
Right-click either the Domain node or the Active Directory Users and Computers node and select Change Active Directory Domain Controller. Choose the domain controller that the FSMO role will be transferred to and click OK button to bind the Active Directory Users and Computers snap-in to that DC.
Right-click the Active Directory Users and Computers node and click Operations Masters. Then select the appropriate tab and click Change to begin the transfer of the FSMO role to the selected DC:
How to Transfer FSMO Roles using PowerShell
You can transfer FSMO roles using the following PowerShell cmdlet:
To transfers an FSMO role using ndtsutil.exe, take the following steps:
Open an elevated command prompt.
Type ntdsutil and press Enter. A new window will open.
At the ntdsutilprompt, type roles and press Enter.
At the fsmo maintenanceprompt, type connections and press Enter.
At the server connectionsprompt, type connect to server <DC> (replacing <DC> with the hostname of the DC that the FSMO role is being transferred to) and press Enter. This will bind ntdsutil to the specified DC.
Type quit and press Enter.
At the fsmo maintenance prompt, enter the appropriate command for each FSMO role being transferred:
transfer schema master
transfer naming master
transfer rid master
transfer infrastructure master
transfer pdc
To exit the fsmo maintenanceprompt, type quit and press Enter.
To exit the ntdsutilprompt, type quit and press Enter.
Seizing FSMO Roles
Transferring FSMO roles requires that both the source DC and the target DC be online and functional. If a DC that owns one or more FSMO roles is lost or will be unavailable for a significant period, its FSMO roles can be seized, rather than transferred.
In most cases, FSMO roles should be seized only if the original FSMO role owner cannot be brought back into the environment. The reintroduction of a FSMO role owner following the seizure of its roles can cause significant damage to the domain or forest. This is especially true of the Schema Master and RID Master roles.
To seize FSMO roles, you can use the Move-ADDirectoryServerOperationMasterRole cmdlet with the ?Force parameter. The cmdlet will attempt an FSMO role transfer; if that attempt fails, it will seize the roles.
How Netwrix Can Help
As we have seen, FSMO roles are important for both business continuity and security. Therefore, it’s vital to audit all changes to your FSMO roles. Netwrix Auditor for Active Directory automates this monitoring and can alert you to any suspicious change so you can take action before it leads to downtime or a data breach.
However, FSMO roles are just one part of your security strategy — you need to understand and control what is happening across your core systems. Netwrix Auditor for Active Directory goes far beyond protecting FSMO roles and facilitates strong management and change control across Active Directory.
By automating Active Directory change tracking and reporting, Netwrix Auditor empowers you to reduce security risks. You can improve your security posture by proactively identifying and remediating toxic conditions like directly assigned permissions, before attackers can exploit them to gain access to your network resources. Moreover, you can monitor changes and other activity in Active Directory changes to spot emerging problems and respond to them promptly — minimizing the impact on business processes, user productivity and security.
Microsoft has released optional cumulative update previews for Windows 11, Windows 10 version 1809, and Windows Server 2022, with fixes for Direct3D issues impacting client and server systems.
The updates are part of Microsoft’s scheduled April 2022 monthly “C” updates, allowing Windows users to test the fixes released on June 15th as part of next month’s Patch Tuesday.
Unlike regular Patch Tuesday Windows updates, scheduled non-security preview updates are optional. They are issued to test bug fixes and performance improvements before the general release, and they don’t provide security updates.
To install the updates, you have to go to Settings > Windows Update and manually ‘Check for updates.’ Windows will not install them until you click the ‘Download now’ button because they’re optional updates.
You can also manually download and install these cumulative update previews from the Microsoft Update Catalog.
“The preview update for other supported versions of Windows 10 will be available in the near term,” Microsoft said.
Windows 11 KB5014019 update (BleepingComputer)
KB5014019 fixes Direct3D app crashes
Today’s Windows optional updates come with fixes for issues that might cause some applications to crash or trigger various problems.
As Microsoft explained, KB5014019 “addresses an issue that might affect some apps that use d3d9.dll with certain graphics cards and might cause those apps to close unexpectedly.”
The same cumulative update also fixes a known issue affecting specific GPUs and could “cause apps to close unexpectedly or cause intermittent issues that affect some apps that use Direct3D 9.”
This update also fixes an issue that might cause file copying to be slower and another one preventing BitLocker from encrypting when using the silent encryption option.
KB5014019 addresses a known issue impacting the Trusted Platform Module (TPM) driver that might increase the system’s startup time.
What’s new in today’s Windows updates
After installing the KB5014019 non-security cumulative update preview, Windows 11 will have the build number changed to 22000.708.
Addresses an issue that causes blurry app icons in Search results when the display’s dots per inch (dpi) scaling is greater than 100%.
New! Windows spotlight on the desktop brings the world to your desktop with new background pictures. With this feature, new pictures will automatically appear as your desktop background. This feature already exists for the lock screen. To turn on this feature, go to Settings > Personalization > Background > Personalize your background. Choose Windows spotlight.
Addresses an issue that fails to maintain the display brightness after changing the display mode.
This week’s Windows optional cumulative update previews have introduced a compatibility issue with some of Trend Micro’s security products that breaks some of their capabilities, including the ransomware protection feature.
“The UMH component used by several Trend Micro endpoint and server protection products is responsible for some advanced features such as ransomware protection,” the antivirus vendor revealed.
“Trend Micro is aware of an potential issue where customers who apply the optional Microsoft Windows 11 or Windows 2022 optional preview patches (KB5014019) and reboot would then find that the Trend Micro UMH driver would stop.”
The known issue affects the User Mode Hooking (UMH) component used by several Trend Micro endpoint solutions, including Apex One 2019, Worry-Free Business Security Advanced 10.0, Apex One as a Service 2019, Deep Security 20.0, Deep Security 12.0, and Worry-Free Business Security Services 6.7.
The Japanese cybersecurity company is now working on a fix to address this issue before the update previews are pushed to all Windows customers as part of the June 2022 Patch Tuesday.
How to restore Trend Micro endpoint solution capabilities
Luckily, unlike regular Patch Tuesday Windows updates, this week’s preview updates are optional and they were issued to test bug fixes and performance improvements before the general release.
Windows users have to manually check for them from Settings > Windows Update. They will not be installed until you click the ‘Download now’ button, limiting the number of potentially impacted users.
Impacted Windows platforms include both client and server versions with the problems experienced on systems running Windows 11, Windows 10 version 1809, and Windows Server 2022.
Trend Micro customers who have installed the optional Windows optional patch may either uninstall the patch temporarily or reach out to support to get a UMH debug module that should revive their security solution’s capabilities.
Windows users can remove the preview updates using the following commands from an Elevated Command Prompt.
Windows 10 1809: wusa /uninstall /kb:5014022
Windows 11: wusa /uninstall /kb:5014019
Windows Server 2022: wusa /uninstall /kb:5014021
Popular video conferencing service Zoom has resolved as many as four security vulnerabilities, which could be exploited to compromise another user over chat by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages and execute malicious code.
Tracked from CVE-2022-22784 through CVE-2022-22787, the issues range between 5.9 and 8.1 in severity. Ivan Fratric of Google Project Zero has been credited with discovering and reporting all the four flaws in February 2022.
The list of bugs is as follows –
CVE-2022-22784 (CVSS score: 8.1) – Improper XML Parsing in Zoom Client for Meetings
CVE-2022-22785 (CVSS score: 5.9) – Improperly constrained session cookies in Zoom Client for Meetings
CVE-2022-22786 (CVSS score: 7.5) – Update package downgrade in Zoom Client for Meetings for Windows
CVE-2022-22787 (CVSS score: 5.9) – Insufficient hostname validation during server switch in Zoom Client for Meetings
With Zoom’s chat functionality built on top of the XMPP standard, successful exploitation of the issues could enable an attacker to force a vulnerable client to masquerade a Zoom user, connect to a malicious server, and even download a rogue update, resulting in arbitrary code execution stemming from a downgrade attack.
Fratric dubbed the zero-click attack sequence as a case of “XMPP Stanza Smuggling,” adding “one user might be able to spoof messages as if coming from another user” and that “an attacker can send control messages which will be accepted as if coming from the server.”
At its core, the issues take advantage of parsing inconsistencies between XML parsers in Zoom’s client and server to “smuggle” arbitrary XMPP stanzas — a basic unit of communication in XMPP — to the victim client.
Specifically, the exploit chain can be weaponized to hijack the software update mechanism and make the client connect to a man-in-the-middle server that serves up an old, less secure version of the Zoom client.
While the downgrade attack singles out the Windows version of the app, CVE-2022-22784, CVE-2022-22785, and CVE-2022-22787 impact Android, iOS, Linux, macOS, and Windows.
The patches arrive less than a month after Zoom addressed two high-severity flaws (CVE-2022-22782 and CVE-2022-22783) that could lead to local privilege escalation and exposure of memory contents in its on-premise Meeting services. Also fixed was another instance of a downgrade attack (CVE-2022-22781) in Zoom’s macOS app.
Users of the application are recommended to update to the latest version (5.10.0) to mitigate any potential threats arising out of active exploitation of the flaws.
Security incidents occur. It’s not a matter of “if,” but of “when.” That’s why you implemented security products and procedures to optimize the incident response (IR) process.
However, many security pros who are doing an excellent job in handling incidents find effectively communicating the ongoing process with their management a much more challenging task.
Feels familiar?
In many organizations, leadership is not security savvy, and they aren’t interested in the details regarding all the bits and bytes in which the security pro masters.
Luckily, there is a template that security leads can use when presenting to management. It’s called the IR Reporting for Management template, providing CISOs and CIOs with a clear and intuitive tool to report both the ongoing IR process and its conclusion.
The IR Reporting for Management template enables CISOs and CIOs to communicate with the two key points that management cares about—assurance that the incident is under control and a clear understanding of implications and root cause.
Control is a key aspect of IR processes, in the sense that at any given moment, there is full transparency of what is addressed, what is known and needs to be remediated, and what further investigation is needed to unveil parts of the attack that are yet unknown.
Management doesn’t think in terms of trojans, exploits, and lateral movement, but rather they think in terms of business productivity — downtime, man-hours, loss of sensitive data.
Mapping a high-level description of the attack route to damage that is caused is paramount to get the management’s understanding and involvement – especially if the IR process requires additional spending.
The IR Reporting for Management template follows the SANSNIST IR framework and will help you walk your management through the following stages:
Identification
Attacker presence is detected beyond doubt. Follow the template to answer key questions:
Was the detection made in-house or by a third-party?
How mature is the attack (in terms of its progress along the kill chain)?
What is the estimated risk?
Will the following steps be taken with internal resources or is there a need to engage a service provider?
Containment
First aid to stop the immediate bleeding before any further investigation, the attack root cause, the number of entities taken offline (endpoints, servers, user accounts), current status, and onward steps.
Eradication
Full cleanup of all malicious infrastructure and activities, a complete report on the attack’s route and assumed objectives, overall business impact (man-hours, lost data, regulatory implications, and others per the varying context).
Recovery
Recovery rate in terms of endpoints, servers, applications, cloud workloads, and data.
Lessons Learned
How did that attack happen? Was it a lack of adequate security technology in place, insecure workforce practices, or something else? And how can we mend these issues? Provide a reflection on the previous stages across the IR process timeline, searching for what to preserve and what to improve.
Naturally, there is no one-size-fits-all in a security incident. For example, there might be cases in which the identification and containment will take place almost instantly together, while in other events, the containment might take longer, requiring several presentations on its interim status. That’s why this template is modular and can be easily adjustable to any variant.
Communication with management is not a nice-to-have but a critical part of the IR process itself. The definitive IR Reporting to Management template helps security team leads make their efforts and results crystal clear to their management.
We’ve invested in Windows Server for nearly 30 years, and we continue to find new ways to empower businesses who trust Windows Server as the operating system for their workloads. Over this time, we understand that business requirements have become more complex and demanding. Thus, we are energized when we hear how customers continue to trust Windows Server to navigate these ever-evolving requirements and run business and mission-critical workloads.
We want to continue to invest in your organizations’ success and enable you to get the most out of Windows Server by keeping you informed of the latest product announcements, news, and overall best practices. Here are the top five to-do’s for you to make the most out of Windows Server:
1. Patch and install security updates without rebooting with Hotpatch
2. Take the recently available Windows Server Hybrid Administrator Certification
Invest in your career and skills with this brand-new Windows Server certification. With this certification, you can keep the Windows Server knowledge you have built your career on and learn how to apply it in the current state of hybrid cloud computing. Earn this certification for managing, monitoring, and securing applications on-premises, in Azure, and at the edge. Learn more about Windows Server Hybrid Administrator Associate certification today.
3. Upgrade to Windows Server 2022
With Windows Server 2022, get the latest innovation for you to continue running your workloads securely, enable new hybrid cloud scenarios, and modernize applications to meet your ever-evolving business requirements. Learn more about investing in your success with Windows Server.
4. Protect your workloads by taking advantage of free extended security updates (ESUs) in Azure
While many customers have adopted Windows Server 2022, we also understand that some need more time to modernize as support for older versions of Windows Server will eventually end.
For Windows Server 2012/2012 R2 customers, the end of support date is October 10, 2023.
For Windows Server 2008/2008 R2 customers, the third year of extended security updates are coming to an end on January 10, 2023. Customers can get an additional fourth year of free extended security updates (ESUs-only) on Azure (including Azure Stack HCI, Azure Stack Hub, and other Azure products). With this, customers will have until January 9, 2024 for Windows Server 2008/2008 R2 to upgrade to a supported release.
5. Combine extended security updates with Azure Hybrid Benefit to save even more
In addition to all the innovative Windows Server capabilities available only on Azure, it also has offers for you to start migrating your workloads with Azure Hybrid Benefit. It is a licensing benefit that allows you to save even more by using existing Windows Server licenses on Azure. Learn more about how much you can save with Azure Hybrid Benefit.
Ask questions and engage in our community
Get started implementing these Windows Server best practices today! Join the conversation by sharing stories or questions you have here:
Datacenters are a core part of any IT infrastructure for businesses that run mission-critical workloads. However, with components across compute, networking, and storage, as well as the advancement in cloud technologies, the management of your datacenter environment can quickly become complex. Ever since its release in 2008, Microsoft System Center has been the solution that simplifies datacenter management across your IT environments.
Today, we are excited to announce the general availability of System Center 2022, which includes System Center Operations Manager (SCOM), Virtual Machine Manager (VMM), System Center Orchestrator (SCORCH), Service Manager (SM), and Data Protection Manager (DPM). With this release, we are continuing to bring new capabilities for best-in-class datacenter management across diverse IT environments that could be comprised of Windows Server, Azure Stack HCI, or VMWare deployments. We have been energized to hear of organizations such as Olympia, Schaeffler, and Entain who have validated the capabilities of System Center 2022 during the preview. Now, let us dive into what is new with System Center 2022.
Why upgrade to System Center 2022
Best-in-class datacenter management
Your IT environments are ever-evolving to have applications running on a diverse set of hardware. Your workforce is spread across multiple locations and remote management is the new normal. System Center 2022 focuses on simplifying collaboration and providing consistent control for all your environments.
Enhanced access control capabilities in SCOM facilitate simpler management of permissions on the monitoring data and alert actions. A critical piece toward adoption of DevOps practices, empowering the users with the right level of control. The integration with Microsoft Teams and management of alert closures reduce the circle time between the application owners and the SCOM administrator. The developers can get notified about alerts for their applications on the Teams channels.
Additionally, to meet the needs of growing environments, you can now assign both IPv4 and IPv6 IP addresses to the software-defined networking (SDN) deployments with VMM. Performance and technology optimizations to the data protection manager mean you get more control and speed on the backups and restores.
Overall, this release gives you more control in managing the environment and working with the DevOps teams.
Flexible infrastructure platform
Datacenters are becoming more heterogeneous, with multiple host platforms and hypervisors, Windows/Linux, VMware, and Hyper-Converged Infrastructure (HCI). System Center 2022 enables the unification of management practices for the datacenter, irrespective of the platform in use.
System Center 2022 is the best toolset to manage your Windows Server 2022 and SQL Server infrastructure. This includes using Windows Server 2022 for the management infrastructure and managing the Windows Server 2022 based environment. In addition to a comprehensive management experience for Windows Server 2022 workloads, this release of System Center adds support for managing Azure Stack HCI 21H2, VMware 7.0 hosts, and the latest Linux distros. You can create, configure, and register HCI 21H2 clusters, control virtual machines on the HCI clusters, set up SDN controllers, and manage storage pools from VMM. There are new management packs in SCOM for monitoring the Azure Stack HCI clusters. To protect the virtual machines on Stack HCI clusters, Microsoft Azure Backup Server can now be used.
Hybrid management with Azure
Efficiently managing IT resources that are sprawled across various locations without slowing down developer innovation is a key challenge that IT leaders face today. Azure Arc enables you to seamlessly govern, manage, and secure Windows and Linux servers, Kubernetes clusters, and applications across on-premises, multiple clouds, and the edge from a single control plane.
We will be bringing hybrid capabilities with System Center 2022 to standardize management and governance across on-premises and cloud environments while reusing your existing investments in System Center.
Stay tuned for more on these exciting capabilities!
