By Christoffer Andersson

About Christoffer Andersson

Christoffer Andersson has been awarded the title Microsoft Most Valuable Professional (MVP) for his contribution on Directory Services from 2004-2011 and has been working with Microsoft Corporation in the Technology Adoption Programs (TAP – running prerelease software in production) for Windows Server 2008 and Windows Server 2008 R2 before they were released.

Christoffer is working as a Principal Advisor taking on large scale Active Directory projects such as:

  • Domain Migration and Consolidations (Experience from ~100 domains within 92 counties)
  • Design and Implementation (200 000 users +)
  • Performing Health Checks and Reviews


Christoffer has developed the following courses and training material:

  • Active Directory features in Windows Server 2008 R2
  • Active Directory Security and Confidential Data.
  • Mastering Windows Vista.
  • Mastering Windows Server 2008.

Speaking Engagements

  • Microsoft TechNet – Windows Server 2008 Summit.
  • Microsoft TechNet – Windows Server 2008 ready for launch.
  • Microsoft TechNet – Active Directory usual mistakes and pitfalls.
  • Microsoft TechNet – Windows Vista Workshop.
  • Microsoft TechDays – Read Only Domain Controllers Deep Dive Session.
  • Microsoft TechDays – Upgrade Active Directory from WS03 to WS08 R2


  • Microsoft TechED-IT Forum – Barcelona – Ask The Experts 2005 – 2009
  • Microsoft TechED Europe – Berlin – TLC 2010


  • Fine Grain Password Policy Tool (FGPP) – Microsoft Management Console (MMC) snap-in and PowerShell cmdlets to manage Fine Grain Password Policies (PSOs) in Active Directory, as there was no built-in support for this when Windows Server 2008 was released.
  • ESEDump – Ability to dump an NTDS.DIT (Active Directory Database) and decode its content.


If you would like to hire me as an advisor/consultant or engage me as a trainer/speaker please contact Enfo.
If you just want to say hi or have any comments, please feel free to leave them below :)

  1. Ari says:

    Thank you for your insightful and interesting articles; it has helped shed light on an issue we are dealing with in AD/LDS.

    Is your ESEDump utility available for download or purchase? If so, how would we go about obtaining it?


  2. QD says:

    Hi Christoffer,

    I have a question regarding your article on how things are deleted in AD, the recycle bin etc.
    I’m seeing a behavior in Server 2012 that I didn’t notice in older versions. Here is the situation:
    - brand new forest, only 2012 based DCs
    - one DC’s hardware failed, but it was successfully demoted
    - new hardware, new DC installed using the old name
    - using LDP with the return_deleted_objects control I can see a DCs server object and the NTDS settings object (both with mangled names) in the SERVERS container. The ‘isDeleted’ Attribute is TRUE
    Now my question: as far as I know these objects should “disappear” after 1/2 TSL (in that case 90 days). I think this feature is called “stay of execution”. Unfortunately that doesn’t happen in my environment, the objects are still there after 120+ days.
    Why do I care?
    I’m starting to get Error 1864 in the DS Log. Repadmin shows no errors, there is no metadata left to clean up with NTDSUTIL.

    Are you aware of any changes in the cleanup and deletion processes you described? Or are the 1864 errors completely unrelated to the NTDSDSA objects?


    • Christoffer Andersson says:

      This is actually by design and the expected behavior; however it seems that Microsoft has changed the behavior of the “Return Deleted Objects control” to be able to view deleted objects outside of the “Deleted Objects Container” as well.
      Not all deleted objects/tombstones are moved to the “Deleted Objects Container” – This is mentioned in the article “Logically deleted objects are moved into the ‘Deleted Objects’ container except in the following cases”
      Server objects and NTDS Settings (nTDSDSA) are such cases; if you look at those objects for any of your live DCs you can notice they have the “DISALLOW_MOVE_ON_DELETE” bit set. This means that when those objects are deleted, they behave as any other deleted object except that they are not moved into the “Deleted Objects Container” – So what you’re seeing is not stay of execution and those objects will be garbage collected after the TSL has passed just like any normal deleted object/tombstone.

      Does that answer your question?
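The following PowerShell script is an added example (not part of the original post or reply) that shows how an administrator can verify the explanation above: it lists the deleted objects in the configuration partition, decodes the DISALLOW_MOVE_ON_DELETE bit of systemFlags to show which ones were expected to stay in place instead of moving to the Deleted Objects container, and compares their age against the forest tombstone lifetime. It assumes the ActiveDirectory module and a reachable domain controller; the bit value is the documented systemFlags constant FLAG_DISALLOW_MOVE_ON_DELETE, and whenChanged is used as an approximation of the deletion time.

```powershell
# Added example, not the author's code. Assumes the ActiveDirectory module
# and credentials that may read deleted objects in the configuration NC.
Import-Module ActiveDirectory

# systemFlags constant FLAG_DISALLOW_MOVE_ON_DELETE (documented value).
$DISALLOW_MOVE_ON_DELETE = 0x02000000

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext

# The forest tombstone lifetime lives on the Directory Service object.
# When the attribute is absent, the effective default is 60 days.
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Properties tombstoneLifetime
$tsl = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }

# Deleted objects in the configuration partition, including the ones that
# were never relocated to the Deleted Objects container (e.g. server and
# nTDSDSA objects left behind under the Sites\...\Servers container).
$deleted = Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
    -SearchBase $configNC -Properties systemFlags, whenChanged, objectClass

foreach ($obj in $deleted) {
    # systemFlags is a signed 32-bit value; a missing attribute decodes as 0.
    $flags        = [int]$obj.systemFlags
    $staysInPlace = ($flags -band $DISALLOW_MOVE_ON_DELETE) -ne 0
    # whenChanged is updated when isDeleted is set, so it approximates the
    # deletion time closely enough for a garbage-collection estimate.
    $ageDays      = (New-TimeSpan -Start $obj.whenChanged -End (Get-Date)).Days

    [pscustomobject]@{
        DistinguishedName   = $obj.DistinguishedName
        ObjectClass         = $obj.objectClass
        DisallowMoveOnDelete = $staysInPlace
        DaysSinceDeleted    = $ageDays
        TombstoneLifetime   = $tsl
        DueForGarbageCollect = ($ageDays -ge $tsl)
    }
}
```

Objects reported with DisallowMoveOnDelete set to True and DueForGarbageCollect False are the case the reply describes: still present, still in their original container, and simply waiting for the tombstone lifetime to pass.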

  3. Deva says:

    Hi Chris,

    You are awesome. After seeing your posts and articles, I too started writing blogs and answering on the forums.

    You’re one of my inspirations.


  4. John Redford says:

    Hi Chris,

    I’m John Redford, with Paramount Defenses, an innovative cyber security company focused on Active Directory Security Solutions.

    I just wanted to let you know that we were happy to include your blog in our list of notable Active Directory blogs.

    (You can find your blog listed here – http://www.paramountdefenses.com/active-directory-security-resources.html)

    We appreciate the work you are doing for the community, and we wish you well. Please feel free to stop by and say Hello.

    Kindest regards,

  5. Chris Hair says:

    Hello Christoffer. I like your AD blog. Thanks for sharing some of the lessons you have learned.

    In a Technet forum post in 2013, you stated that “sensitive information in ntds.dit is already encrypted”. I was not aware of this. Can you point me to any documentation that describes what is considered sensitive and how it is encrypted?

    Chris Hair
    Colorado Springs, Colorado, USA

  6. vincent says:

    Hi Christoffer,
    I’m contacting you because you had the same problem as me.
    Did you resolve the problem?
    I have been working on that problem for 2 weeks and I’m desperate..
    I would really appreciate your help…
    Thanks so much

    here is your old problem: