ActiveDirectory – IT-DRAFTS

March 23, 2026

Windows 11 Update Breaks Offline Login — What That Really Means

If you heard about a recent Windows 11 update causing “Can’t sign in because your device needs an internet connection” errors — you’re not imagining things. Multiple reports, official feedback and user reproduction steps confirm that after installing the latest cumulative update, some devices refuse to let users sign in if they cannot reach Microsoft’s…

March 13, 2026March 12, 2026

Kerberos Is Moving to AES by Default: Are Your Domains Ready?

Hi everyone, Alex here again. Today we’re talking about a change in Active Directory authentication that may look small on paper but could have very real operational consequences if administrators are not prepared. In just over a month, the April Windows update will shift Kerberos service tickets to AES encryption by default, moving domains further…

December 1, 2025December 1, 2025

When an RODC Goes Off the Grid: A Slow, Painful, Very British Death

Oi, folks — today we’re talking about the slow, painful, deeply awkward death of an RODC that’s been cut off from the domain for far too long. You know that moment when a branch office goes offline, someone says “It’ll be fine, the RODC will handle it,”and you — the only sane person in the…

August 6, 2025August 6, 2025

Reflection Relay: Never Happened Before, and Here We Go Again (CVE-2025-33073)

Hi, so today we will start from the end, yea… TL;DR: NTLM and Kerberos relays just got a spicy new variant. Microsoft “fixed” it back in 2008. And yet… it’s 2025, and attackers are relaying back to localhost like it’s a LAN party. Again. Let’s break it down. ☠️ Relay: The Classic That Won’t Die…

June 6, 2025June 6, 2025

Your Certificate Authority might betray u, like… for real :)))

aka: how to stop trusting blindly and lock down ur Microsoft ca before it ruins ur life What’s the big deal, why care about some “ca”? So CA is a topic a spicy one. like, most people don’t even think about certificate authority. it’s just “one of those servers in the corner” that got set…

May 19, 2025

Active Directory vs OpenLDAP vs FreeIPA

Authentication Protocols Active Directory Primary Protocol: Kerberos (v5) with NTLM fallback Authentication Flow: Client requests TGT from Domain Controller DC verifies credentials against database Client receives TGT and service tickets Encryption: AES-256 (default), supports RC4 for legacy Token Lifetime: Default 10 hours (configurable) Smart Card Support: Native through PKINIT OpenLDAP Primary Protocol: LDAP (v3) with SASL mechanisms **Authentication Methods: Simple…

July 9, 2024

How to prevent lateral movement to Entra ID when your Active Directory has fallen

Hey Hey, such a long read, but please take a time for review. At the moment, the biggest threat to an Entra ID tenant in the vast majority of environments comes from the connected Active Directory. Attackers are (currently) focusing heavily on on-prem environments, as these are generally much more difficult to protect and are…