Category Archives: Active Directory

Direct Access Computers Can’t Ping Domain Controller on Internal Network?

Can’t ping the domain controller via FQDN while on the internal network?  Trouble accessing any of the internal domains that are available via Direct Access while on your internal network?

This is a quick blog post to document an error I encountered that took me a while to figure out, as is typical with errors caused by configuration mistakes (yes, self-inflicted).  The Microsoft Unified Access Gateway administration documentation for configuring Direct Access (DA) says two things that are extremely important, but it does not emphasize just how important they are, or the errors that will be encountered if they are not followed.

Your Network Location Server (NLS), which must be able to serve HTTPS requests, is used by your DA clients to determine whether they are on the internal network.  This site must not, and cannot, be accessible through DA or by any other means from outside your network, so make sure the HTTPS resource is NOT something you need to access from external networks.  If your clients can reach the NLS, they will not attempt a DA connection; if they cannot reach it, they will attempt a DA connection.  There are a few other key points about this server that also cannot be overlooked.


Enable Web Server Certificate Requests On Windows Server 2008R2 CA Server

So I’ve run into this problem multiple times and ‘hacked’ my way around it various ways, but there is a better way that doesn’t require the use of certutil.exe or any other console utilities.  This scenario applies under the following conditions:

  • CA (Certificate Authority) Server is running on Windows Server 2008 R2
  • Web Server is running on Windows Server 2008 R2
  • Both servers are members of the same domain
  • You want to use the Certificates snap-in
  • You want to stay away from the console if you can

By default, you cannot generate a web server certificate request directly from your servers and you are presented with this screen based on the default Active Directory Enrollment Policy:

[Screenshot: 001 denied]

As you can see from the screenshot, most of the certificate templates are unavailable with the exception of the computer certificate template.


Creating and Managing a DNS Zone Using Windows Server + Quick DNS Primer

This is a quick post, or maybe not so quick, just to illustrate how to create and add records to a DNS zone on your own Windows Server with the DNS role configured.  This server can be a domain controller with DNS installed or just a DNS server, it doesn’t make any difference.

A quick primer on DNS.  DNS, or domain name servers (services), provides the ability for servers to access systems by name instead of IP address.  Without DNS servers, we would all have to navigate the Internet by typing in IP addresses, like http://74.125.19.99.  From reading this link, you’d have no idea where you were navigating to, but it just so happens that this is one of Google’s many public IP addresses.  Try it.

[Screenshot: dns 001]


Install Certificate Services on Windows Server 2008 R2

This post picks up where the last post left off.  In the last post, we created a Windows Server 2008 R2 Active Directory Domain Controller and stopped short of going on to add Certificate Services into the mix.

If you’re not sure if you need certificate services for your environment, it never hurts to have it available.  It does not add much overhead so for development environments and small businesses you can consider adding the role to a DC (domain controller) as we are here.  Certificate Services will allow you to issue certificates to your internal resources, use client/server certificates for authentication, and set up SSL enabled websites.

I believe best practice is, and I’m sure someone will correct me if I’m wrong, to set up an Enterprise Root CA (Certificate Authority), then set up one or more subordinate CAs.  You can then make your Root CA unavailable for access and have the subordinates handle all of the traffic without fear of compromising your Root CA.  In this tutorial, we’ll just be installing and configuring a Root CA, but the process is basically the same for the subordinates.

Now that you’ve got some background information, onto the installation/configuration of Windows Server 2008 R2 Certificate Services.

In ‘Server Manager’, select Roles in the left pane, then Add Roles in the right pane.  Place a check mark in the checkbox for Active Directory Certificate Services.  Then click Next.


Build a Windows Server 2008 R2 Domain Controller

I posted a tutorial on creating a domain controller using Windows Server 2003, and decided to post an update that included step-by-step instructions for Windows Server 2008 R2.  This should be the same for Windows Server 2008.

This is great for developers, testers, and anyone looking to learn Active Directory or deploy to a small network.  If this is for a production deployment, you might want to bring in a professional to help you.  There are many other things to consider, like ‘hardening’ your server and setting up Group Policy.  Having an insecure or unprotected domain controller is inviting havoc on your network.

So without any further ado and in the immortal words of ‘Marv’, “Let’s get to it!”

In the Server Manager click on Add Roles.


MOSS: An Unexpected Error Has Occurred

If you’ve worked with MOSS long enough, I’m sure you’ve seen this error.  The reasons that it occurs are numerous, and may even be blamed on poor error handling / reporting by the programmers.

If you’ve come across this error, and turned <customErrors /> off in your MOSS site’s web.config and it still occurs, you may have run into the issue that I did.

This can occur right after MOSS installation, or on a farm that has been up and running for some time, and this is something quick that you can check to make sure it’s not the reason, especially if your server is managed through AD or an admin that is really tight on server security.

My instance of this error was on a completely locked down Windows Server 2008 installation.  The cause was one setting that was applied through Active Directory (AD) Group Policy Objects (GPO): ‘Use FIPS compliant algorithms for encryption, hashing, and signing’.


Building an Active Directory Domain Controller for Development using VMware Workstation – Pt. 2

In my last post, we created a VM (Virtual Machine) using VMware Workstation 6.5.2 running Windows Server 2003 R2.  If you’re getting started here with a VM of your own, or physical hardware, the current status of the VM for this tutorial is a standard Windows Server 2003 R2 installation, with all recommended updates / patches applied.

If this server is running in VMware Workstation, feel free to snapshot the VM at this point so that you have a clean build of Windows Server 2003 that can then be sysprepped and used to deploy multiple other servers.


Building an Active Directory Domain Controller for Development using VMware Workstation – Pt. 1

So I guess earlier this year someone was going through my post for setting up a development environment and called it useless because the post didn’t discuss setting up a Windows Server AD (Active Directory) Domain Controller.  They called the post useless, but I figured there are a ton of posts out there for setting up DCs (Domain Controllers).  Oh well, since they complained and I haven’t posted anything in a while, I decided to write a tutorial on setting up AD for development purposes.  I suppose that you can also use this post to set up a production system, but I’m not going into AD Policies and such in this post.

For this tutorial, I’m going to be using VMware Workstation 6.5.2 build 156735, and by the end of the tutorial, you should have a step-by-step roadmap to setting up a DC for development.  I’ll be installing Windows Server 2003 R2, not 2008, but the steps for a Windows Server 2008 DC are very similar and if someone requests it, I’ll post pics of the Windows Server 2008 steps.


Run MOSS Against Multiple Active Directories

One of the great new features that MOSS introduced was an easy way to have the same information shared between multiple portals/sites.  By extending your web applications, you can have separate authentication providers used to reach the same information via Forms Based Authentication (FBA).  FBA is usually associated with a custom SQL Server database or some other authentication mechanism; however, you can use it to provide AD services as well.

Since implementing FBA in MOSS is pretty well documented already, I won’t go down that route, but just tell you what needs to be changed for it to work with Active Directory (AD).  If you need an article that talks about FBA specifically, try this one:
http://www.devcow.com/blogs/jdattis/archive/2007/02/23/Office-SharePoint-Server-2007-Forms-Based-Authentication-FBA-Walkthrough-Part-1.aspx.  This article assumes you have implemented FBA already or know how to, and just need the specifics for the ADMembershipProvider.

This article also assumes that you have extended a web application to use FBA.  Though there is nothing preventing you from using this on a primary web application and not using an extended web application, I use the term ‘extended web application’ to mean the web application that you want to set up for FBA.

In the extended web application’s web.config file, change the connectionString element to:

<connectionStrings>
  <add name="ADConnectionString" connectionString="LDAP://[ldapquery]" />
</connectionStrings>

I placed this node between </configSections> and <SharePoint>.

The next change is to the membership node and should read:

<membership defaultProvider="ADMembershipProvider">
  <providers>
    <add
      name="ADMembershipProvider"
      type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
      connectionStringName="ADConnectionString"
      connectionUsername="[accountName]"
      connectionPassword="[password]"
      enableSearchMethods="true"
      attributeMapUsername="sAMAccountName" />
  </providers>
</membership>

This node I placed between <sessionState … /> and </system.web>.  Please make sure that the ‘type’ line is properly formatted XML, as this post may not display it properly.  Put type="…" all on one line.

Make sure to replace [ldapquery], [accountName], and [password] with the information specific to your AD.  You can even change sAMAccountName as the attributeMapUsername to another field in your AD if that is appropriate.  Your domain administrators will be able to help you with the LDAP query if you aren’t familiar with the technology or the domain’s structure.

You’ll also need to change the same nodes in the Central Administration web.config and change the authentication provider at Central Administration > Application Management > Authentication Providers (all of which you should have touched when doing a typical FBA configuration).

Infrastructure Requirements:

  • the account used above should have ‘read’ permissions on the directory (a standard user account will usually work).
  • the appropriate firewall ports will need to be open if the LDAP traffic travels outside of the local network (port 389 by default).
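Before wiring the provider into web.config, it is worth confirming that the LDAP path and service account actually bind and can read user objects, since that is where both requirements above fail.  The following PowerShell script is an added example and is not from the original post; it reuses the post’s [ldapquery], [accountName] and [password] placeholders, and the sAMAccountName in $TestUser is an assumed value to look up.

```powershell
# Added example (not part of the original post): verify the LDAP path and service
# account that web.config hands to ActiveDirectoryMembershipProvider.
# [ldapquery], [accountName] and [password] are the post's placeholders; $TestUser
# is an assumed sAMAccountName that should exist in the directory.
Add-Type -AssemblyName System.DirectoryServices

$LdapPath = 'LDAP://[ldapquery]'
$Account  = '[accountName]'
$Password = '[password]'
$TestUser = 'jdoe'   # assumed: any existing sAMAccountName in your AD

# Secure = Kerberos/NTLM bind with signing and sealing, not a simple bind, so the
# service-account password is not sent in the clear over port 389.
$authType = [System.DirectoryServices.AuthenticationTypes]::Secure
$root = New-Object System.DirectoryServices.DirectoryEntry($LdapPath, $Account, $Password, $authType)

try {
    # Touching NativeObject forces the bind; a wrong path or password throws here,
    # which is the same failure the provider would surface at the login page.
    $null = $root.NativeObject
    Write-Host "Bind OK as $Account to $LdapPath ($($root.Properties['distinguishedName'].Value))"
} catch {
    Write-Error "Bind failed: $($_.Exception.Message)"
    return
}

# With enableSearchMethods="true" the provider resolves logins by searching on the
# attributeMapUsername attribute (sAMAccountName). Reproduce that search with the
# same account so a missing 'read' permission shows up here, not at first login.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$TestUser))"
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')
[void]$searcher.PropertiesToLoad.Add('distinguishedName')

$hit = $searcher.FindOne()
if ($null -eq $hit) {
    Write-Warning "No user '$TestUser' visible to $Account; check the account's read rights and the [ldapquery] search base."
} else {
    Write-Host "Found $($hit.Properties['samaccountname'][0]) at $($hit.Properties['distinguishedname'][0])"
}
```

Once the bind works, note that connectionPassword sits in web.config in the clear; the standard .NET 2.0 mitigation (not covered in the post) is to encrypt that section in place with aspnet_regiis.exe -pe "system.web/membership" -app "/" -site <siteID>, so the provider still reads it but the password is no longer readable by anyone who can open the file.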

Again, this article assumes that you know what you’re doing with MOSS and FBA and just need the specifics for the AD integration.  I had a hard time finding that information at the time, so I decided to post it here.  If you have any questions, post them into comments and I’ll get them answered ASAP.

Windows PowerShell sticker, and /n Software for free

So after following a link from a buddy’s blog, Bobby Shea, I started browsing around /n software’s web site. I filled out the form for a free Windows PowerShell Sticker, again – yes, they didn’t send it months ago the first time I tried, and I found something else interesting on their site.

Months ago, the first time I visited /n’s site, I downloaded a trial version of Netcmdlets.  Netcmdlets is /n’s PowerShell snap-in that extends PS into remoting, SSH, and other network protocols.  I ended up uninstalling the software after the trial was over.  Now, the software is FREE for hobbyists!  Since I’m not using PowerShell for work with clients, restricting my PS activities to my home network and ‘playing around’, I’m qualified as a hobbyist!  I’m on my way to download right now!

If you’re not familiar with NetCmdlets, you should definitely check out the site, the description, fill out the form for your sticker and keep your fingers crossed, then download the hobbyist version, unless you’re planning on using it commercially in which case, pay /n some money. 🙂

A quick list of the features, taken from the /n site are:

  • Device Management: SNMP device monitoring and management capabilities, complete with SNMPv3 Security.
  • Remote Access: Secure Shell enabled remote execution using Rexec, Rshell, or SSH.
  • Directory Administration: Access Active Directory or OpenLDAP servers through LDAP Directory Access.
  • Email Send & Receive: Send HTML Emails or Emails with file attachments. Retrieve Email through POP or IMAP Connectivity.
  • File Transfer: File transfer capabilities through FTP, TFTP, & RCP connectivity.
  • Instant Messaging: Jabber Instant Messaging, SMS messaging, and Alphanumeric Paging.
  • Network Monitoring: Listen and react to SNMP Traps and Syslog event messages or access raw Ethernet Packet captures.
  • Access to Web Services: Connect to web services through HTTP and RSS client capabilities.
  • DNS Configuration: Monitor DNS and other network configuration changes.
  • Encoding / Decoding: A complete array of utility encoding and decoding capabilities including MIME, UUEncoding, URL, Hex, etc.
  • Zip Compression: File compression including password protection, AES Encryption, and 4GB+ archive support.

This is really good stuff, at a great price, free!  Check it out.  If you type instead of click, and you know who you are, you really need these tools.

/n software inc. – Show your support for Windows PowerShell!