Channel: Directory Services forum

Migrate CA to another machine - private key KRA issue

I'm trying to migrate a Subordinate Certification Authority from Windows 2003 to 2008 R2. I use a Key Recovery Agent to archive users' private keys. How do I migrate the old KRA certificate with its private key to the new machine? I can't see the old certificates in the agent cert store. There is only one valid certificate.
Without the old KRA certificates I can't restore old user certificates.
Is there any way to copy the ApplicationData\Microsoft\Crypto\RSA location to another machine?

Securing RDP


Hi all, 

I just want to secure RDP access on some servers. Currently RDP is configured to use a self-signed certificate, but that's not what our Retina reports like.

There are a lot of guides on how to do so, but when I tried to request a certificate, it failed because it seems there's no certificate template that I can choose.

Actually, in my domain there's one standalone root CA server. I suppose I need to set up an Enterprise one, is that right?

Should I leave the standalone server and set up an Enterprise CA which is dependent on the standalone root? I just read in best practices that an enterprise root is not the best choice.

Just one other question: if I decide to build an enterprise CA, should it be a domain controller, or could it be a normal server with the AD snap-in?


AD NetBIOS domain name rename - reboots question


I’m working on a domain rename plan – but just the NetBIOS domain name. There are lots of caveats and warnings out there about being really careful and maybe it’s better to just migrate etc. However, I’ve done one of these in production around the 2008R2 release timeframe, and it went pretty well. We figured out that if we shut the computers down before the rename, except for the DCs, that we could rename the domain and just boot everything back up afterwards – and avoid the double-reboot that all the domain rename articles describe. I cannot seem to find anything more about this approach. However….

I have modeled this in my lab, with 2 DCs and 9 clients, plus a trust with another domain. This is for a 2012R2 domain, BTW. I have 2003R2, 2008R2, 2012R2, Windows 7, and 8.1 clients. I’ve gone through the rename 7 times now. I just renamed it from DOGSANDCATS to BIRDSEED. Three times now, I have done this with all clients running. This time, I have Wireshark running on both DCs, and am watching the traffic. What I am seeing is that the computers are picking up the new NetBIOS name without a reboot. And in Wireshark I see NBNS protocol traffic like this:

This happens when:

1) on a 2003R2 server, I use the drop-down and select BIRDSEED from the list of domains (computers were NOT rebooted, they were ON during the name change)

2) on Windows 7+, it shows DOGSANDCATS but I just enter my username and password, and it says bad username or password, kicks me back to the login, but now shows BIRDSEED as the domain. And there are those packets in Wireshark. usually 4 registration packets. And notice they are broadcast packets…

So… does anyone have experience with this? Has anyone actually tested it like I’m doing, leaving the computers running, with just a NetBIOS name change of the domain? I’m seeing this consistently, but I can only find instructions that say you must reboot twice. Things are greatly simplified if I can avoid the rebooting. I’m about 95% sure we should:

1) Enable Do not display previous login name (that did cause issues)

2) put in a logon banner for those who read that says something like “Sign in with your email address and computer password, and if that won't work, try rebooting your computer once or twice before calling the helpdesk”, and

3) deal with the one-offs as they occur, and

4) just leave everything running when we do this over the weekend, maybe restart a few servers but for the most part just let Windows pick up the new name

BTW the forest trust still works without client reboots or recreating it, and gpupdate works on the clients. GPRESULT /H shows the old domain unless I reboot, but talking with a group policy expert, he thinks this is a bug and can’t think of where it’s getting that old name either. And we also are getting rid of Exchange; that’s the only thing I could find that has a known issue with the NetBIOS rename.

Server 2003 + Server 2012 - "Operations Master"


Hi

I am deploying an Azure 2012 Server that I am going to join to my existing domain as an additional DC. My current DC is an SBS 2003 server.

How would I join and configure the 2012 server to the domain so that both DCs will function independently of one another?

I have already tried setting this up, but as soon as I lose the connection between the two machines, the 2012 server stops functioning when users try to connect.

I assume this has got to do with the "Operations Master" settings, but I am reluctant to make any changes to these settings as I cannot afford to have the SBS 2003 server stop working, since it is the main DC in the office.

In summary, I would like to have SBS 2003 and Server 2012 both be DCs of the same domain but not require a persistent connection between them to function properly. How can I achieve this?

Thanks in advance


Disabled accounts getting locked out.

Seeing lockout events for disabled accounts and also seeing the status of the account as locked. Cannot simulate the same with normal invalid logon attempts. Want to understand how these lockouts are being caused.

How to list all domain groups in a different domain


Hello,

I can query users in my domain by using "net user /domain".

But how can I query domain users in a different, authenticated domain (I can access resources of the 2nd domain) using the Windows command line (PowerShell, net tool, wmic tool etc.)?

blue screen after system state recovery domain controller 2008r2


Hi,

I have been asked to make a DR plan for our domain. We have two DCs and I am trying to make a bare-metal restore of our primary DC (Server 2008 R2 Enterprise). All FSMO roles reside on that server. What I did was:

1. Took a system state backup to the D: drive using the Server Backup utility

2. Then a full server backup to a remote share

3. Restored the bare-metal image to the same hardware (a new server with the same size of disk) on a test network

4. After completion of my restore process I removed the network cable and rebooted into DSRM mode

5. Entered the directory restore password and issued "wbadmin start systemstaterecovery -backuptarget:d -authsysvol"; the process completed without any errors

When I booted into normal mode after the recovery, I cannot log in to the DC with my domain admin credentials. A light blue screen appears the whole time. I tried several reboots but it is still in the same state.

* I am not authorized to connect the recovered DC to the production LAN (promoting the new server to a DC)

* Cannot keep another DC on the DR site

Are there any possible solutions in my case?

 

MSIS7015-HttpSamlMessageException in ADFS 2.1


Hi All

I'm trying to configure WebSphere (SP) with ADFS 2.1 (IdP) for SAML SSO. The IdP-initiated flow is working fine. But when I try to send an AuthnRequest from WebSphere for an SP-initiated login, the authentication fails with an error message MSIS7015-HttpSamlMessageException:
This request does not contain the expected protocol message or incorrect protocol parameters 
were found according to the HTTP SAML protocol bindings.
I have enabled tracing in ADFS; the encoded AuthnRequest is received by ADFS and it is being decoded correctly. But then ADFS seems to be rejecting that AuthnRequest as invalid.

So far, I have tried a couple of AuthnRequests with no success -

1.

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"  ID="-54f3143a-15165c515c4--7ff7"  Version="2.0" 
ProviderName="https://portalserver:10262/samlsps/wps"  IssueInstant="2015-12-03T04:44:33Z" 
Destination="https://adfsserver/adfs/ls/" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
AssertionConsumerServiceURL="https://portalserver:10262/samlsps/wps"> 
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://portalserver:10262/samlsps/wps</saml:Issuer> 
         <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress" AllowCreate="true" /> 
         <samlp:RequestedAuthnContext Comparison="exact">       <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
          </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

2.
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="xyzId" 
      Version="2.0" IssueInstant="2015-12-03T05:34:25Z" Destination="https://adfsserver/adfs/ls" 
       AssertionConsumerServiceURL="https://portalserver:10262/samlsps/wps" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
<saml:Issuer>https://portalserver:10262/samlsps/wps</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" AllowCreate="true"/>
</samlp:AuthnRequest>

Then I took the AuthnRequest for the IdP-initiated flow from the ADFS trace log and modified it as follows but still got the same problem-


Original AuthnRequest for IdP initiated flow that is working successfully -

<samlp:AuthnRequest ID="_e2f0e9f5-c1aa-4126-a3a2-eaa3019e5edb" Version="2.0" 
    IssueInstant="2015-12-02T00:46:53.575Z" 
    Destination="https://adfsserver/adfs/ls/" 
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" 
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfsserver:8080/adfs/services/trust</Issuer>
        <Conditions xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
          <AudienceRestriction><Audience>https://momw42l0058.momentum.com:10262/samlsps/wps</Audience></AudienceRestriction>
        </Conditions>
</samlp:AuthnRequest>


Modified AuthnRequest for SP initiated flow that doesn't work -


<samlp:AuthnRequest ID="_e2f0e9f5-c1aa-4126-a3a2-eaa3019e5edb" Version="2.0" 
    IssueInstant="2015-12-02T00:46:53.575Z" 
    Destination="https://adfsserver/adfs/ls/" 
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" 
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://portalserver:10262/samlsps/wps</Issuer>
        <Conditions xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
          <AudienceRestriction><Audience>https://portalserver:10262/samlsps/wps</Audience></AudienceRestriction>
        </Conditions>
</samlp:AuthnRequest>


The error message in ADFS being too generic doesn't explain exactly what is wrong with the AuthnRequest xml.
I'm new to SAML and ADFS and so far not able to create a suitable AuthnRequest for ADFS to initiate the SP flow.
Please help.


Thanks.

Active Directory Certificate Services could not publish a Certificate for request - the administrative limit for this request was exceeded


I am using device certificates for use with device authentication through a SCEP setup on my MobileIron MDM environment. The devices are authenticating successfully however, the below error messages are being registered on my Certification Authority for the admin account that controls access to the MDM.

--------

Active Directory Certificate Services could not publish a Certificate for request 155046 to the following location on server {server name}: CN={account name},OU=xxx,OU=xxx,OU=Users,OU=xxx,DC=xxx,DC=xx,DC=xx.  The administrative limit for this request was exceeded. 0x80072024 (WIN32: 8228).
ldap: 0xb: 00002024: SvcErr: DSID-020508DC, problem 5008 (ADMIN_LIMIT_EXCEEDED), data -1026

-------

Via the MDM console I can successfully issue test certificates; however, the errors on the CA are concerning.

Any help would be appreciated 


Urgent help: need your advice on audit policy

Hi all,

We configured the audit policy as shown below in the domain default group policy. Windows 2008 R2 forest and domain functional level.
But when I run auditpol /get /category:*, none of the subcategories is enabled for auditing. Does it mean that auditing is not enabled?
Is this how it is supposed to be? Thank you!

------------------------------------------

Local Policies/Audit Policy
Policy                            Setting
Audit account logon events        Success, Failure
Audit account management          Success, Failure
Audit directory service access    Success, Failure
Audit logon events                Success, Failure
Audit policy change               Success, Failure
Audit privilege use               Success, Failure
Audit system events               Success, Failure




C:\Windows\system32>auditpol /get /category:*
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        No Auditing
  IPsec Driver                            No Auditing
  Other System Events                     No Auditing
  Security State Change                   No Auditing
Logon/Logoff
  Logon                                   No Auditing
  Logoff                                  No Auditing
  Account Lockout                         No Auditing
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           No Auditing
  Other Logon/Logoff Events               No Auditing
  Network Policy Server                   No Auditing
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
Privilege Use
  Sensitive Privilege Use                 No Auditing
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
Detailed Tracking
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Process Creation                        No Auditing
Policy Change
  Audit Policy Change                     No Auditing
  Authentication Policy Change            No Auditing
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
Account Management
  User Account Management                 No Auditing
  Computer Account Management             No Auditing
  Security Group Management               No Auditing
  Distribution Group Management           No Auditing
  Application Group Management            No Auditing
  Other Account Management Events         No Auditing
DS Access
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                No Auditing
Account Logon
  Kerberos Service Ticket Operations      No Auditing
  Other Account Logon Events              No Auditing
  Kerberos Authentication Service         No Auditing
  Credential Validation                   No Auditing
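
The mismatch the poster describes, a legacy GPO audit table that says Success, Failure while auditpol reports No Auditing everywhere, can be checked mechanically. This is an added example in Python, not code from the post: it parses auditpol /get /category:* output (a constructed excerpt is embedded inline) and maps the nine legacy policy names to the top-level auditpol categories, so it lists the categories where the effective policy does not match what the GPO claims.

```python
import re
# Legacy Audit Policy names mapped to the top-level auditpol categories.
LEGACY_TO_CATEGORY = {
    "Audit account logon events": "Account Logon",
    "Audit account management": "Account Management",
    "Audit directory service access": "DS Access",
    "Audit logon events": "Logon/Logoff",
    "Audit object access": "Object Access",
    "Audit policy change": "Policy Change",
    "Audit privilege use": "Privilege Use",
    "Audit process tracking": "Detailed Tracking",
    "Audit system events": "System",
}

# Constructed excerpt in the shape of the poster's auditpol listing.
SAMPLE_AUDITPOL = """System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
Account Logon
  Credential Validation                   No Auditing
"""

# Constructed legacy GPO settings, as in the poster's "Policy Setting" table.
SAMPLE_GPO = {
    "Audit account logon events": "Success, Failure",
    "Audit logon events": "Success, Failure",
    "Audit system events": "Success, Failure",
    "Audit object access": "No Auditing",
}

SUBCATEGORY_RE = re.compile(
    r"^\s+(.+?)\s{2,}(No Auditing|Success and Failure|Success|Failure)\s*$")

def parse_auditpol(text):
    """Return {category: {subcategory: setting}} from auditpol /get output.
    Unindented lines start a category; indented lines are subcategory rows."""
    result, current = {}, None
    for line in text.splitlines():
        if (not line.strip() or "auditpol /get" in line
                or line.startswith(("System audit policy", "Category/Sub"))):
            continue                          # header or command prompt
        if not line.startswith(" "):
            current = line.strip()
            result[current] = {}
            continue
        m = SUBCATEGORY_RE.match(line)
        if m and current is not None:
            result[current][m.group(1)] = m.group(2)
    return result

def effective_gaps(legacy_policy, auditpol_text):
    """Legacy categories the GPO enables but auditpol shows as all No Auditing."""
    parsed = parse_auditpol(auditpol_text)
    gaps = []
    for legacy_name, setting in legacy_policy.items():
        subs = parsed.get(LEGACY_TO_CATEGORY[legacy_name], {})
        if setting != "No Auditing" and subs and all(
                v == "No Auditing" for v in subs.values()):
            gaps.append(legacy_name)
    return gaps
```

Run effective_gaps against the real auditpol output to see which GPO-enabled categories are not in effect on the machine; a non-empty list means the effective audit policy should be examined, not the GPO alone.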

Change IP-Adresses of DCs


Hello,

I have a 2008 R2 DC which should be removed from our network. The IP address of this DC is entered as the DNS server on many routers etc. My plan is to demote the 2008 R2 DC and give its IP address to an existing 2012 R2 DC. What should I keep in mind when doing so?

Greetings

Butters

GP(Group Policy) Replication: Sysvol Replication

Hi All, 

I want to clarify some points about GP replication:

1. GPO replication uses FRS/DFS, but that replication does not adhere to any site boundaries, meaning replication will converge to all of the domain controllers within only a few minutes.
2. GPO replication does not depend on time-based replication; it is trigger-based, meaning as a change occurs it will replicate among domains.

Thanks

WWW.ITtechPoint.com

pwnkmr

Issue while registering Service Principal Name


Hello All,

We are facing an issue while registering a Linux-based server which is part of the domain. In the screenshots below, you can see the second machine registered the SPN successfully and we get the correct output.

The issue is while registering the first machine: it simply shows it as a registered service principal name, but actually it isn't registered.

Can you please help us with the issue below?


Thanks HA

"Access denied" when I grant permissions to view CA via groups, but success when I grant it directly to user


Hi!

I have an Enterprise CA in a forest at the AD 2012 R2 level. I want to manage it on another server via remote tools.

I created Cert Admins and Cert Managers security groups and granted the Manage CA and Issue and Manage Certificates permissions respectively. I also added my user with standalone rights (non-administrator) to these groups. When I tried to view my CA remotely, I received an "Access denied" error. But when I granted these rights directly to my user, no problems occurred.

My question: WTF?



repadmin removelingeringobjects


Hello,

I have a single-DC environment (that previously had demoted DCs). I've tried searching for tutorials on how to show lingering objects in AD using repadmin.

Here is the command that I see:

repadmin /removelingeringobjects <Dest_DSA_LIST> <Source DSA GUID> <NC> [/ADVISORY_MODE]

I keep coming up with a help-file-like thing when trying to run it.

Since there is only one DC at this point, I am using it like this:

repadmin /removelingeringobjects dcname dc_guid (found by repadmin /showrepl or NTDS settings) and directory path (dc=domain,dc=tld) /advisory_mode

I keep getting errors. I am not certain if it can be run against itself in a single-DC environment. If anyone can provide help, please let me know.

Thanks

Authentication restrictions for LDAP query


Hi,

I am trying to configure a third-party service to do an LDAP query to our AD to authenticate users. I am able to authenticate to AD and can do a query using the account cn=administrator,cn=Users,DC=domain,DC=com, but I cannot authenticate via LDAP with any other user account. Because this service is hosted outside, I don't want to use the administrator account. I cannot find any mention of restrictions for LDAP authentication, so I am not sure where I am going wrong.

thanks

Keith

Subordinate CA Redundancy Check Query


We have a CA architecture in place with one offline root CA and two Enterprise subordinate CAs. All three are on Windows 2008 R2. I want to know if the subordinate CAs are configured for redundancy, meaning if one CA goes offline the other will take over normal CA tasks like cert issuance, CRL publishing, etc.

I don't want to test this by manually taking one CA offline; is there a way we can get this from the CA configuration? If so, what are the configs to check?

The Main Domain Problem


Hi

I have two servers; I installed Active Directory on one, and the other server replicates from the master domain. Now my master domain has died and the backup domain (the replica) is working well.

So how do I restore the data from the backup onto a new server?

Regards

Default security AdminSDHolder


Hi,

For reasons still undetermined, security on the AdminSDHolder object has partly disappeared... I don't have a backup that would allow me to restore the object (the issue dates from 2013).

How can I recover/restore the "good" default security on the AdminSDHolder object (as for a new installation)?

If possible, what is the impact?

(Except that it will propagate the security set on the AdminSDHolder to all accounts and groups called "protected" through the SDPROP process.)

Best regards,
