designatedsuccessor
If you mean the "Domain Controllers" security group, it actually is not in that security group. Only our real domain controllers are in that security group. However, it is in...
That wasn't my experience. During the install, it asked me what I wanted to name it, IIRC.
Ours is named AzureADKerberos. I believe I chose that name during setup.
What attribute(s) is PingCastle looking at to determine if a domain controller is active or inactive? pwdLastSet is set to today's date on the AzureADKerberos object, and PingCastle still flags...
It looks like the AzureADKerberos object never gets a lastLogonTimestamp:
FWIW, Steve Syfuhs at Microsoft has confirmed that lastLogonTimestamp will not ever have a set value on an Azure AD Kerberos server object: https://twitter.com/SteveSyfuhs/status/1420127267527614466 Is there a way to adjust...
Would this be a reliable way to detect that a domain controller can be ignored (since it's almost certainly not a normal domain controller)? ``` operatingSystemVersion = AND logonCount =...
Do you know off the top of your head how PingCastle is determining what the domain controllers are?
@An-dir is there a good way to programmatically differentiate between these "fake" domain controllers and real domain controllers so that they can be checked separately?
@An-dir I know which one in my own environment, but PingCastle needs a reliable way to check programmatically so that it doesn't flag them as inactive.