12/10/16

Missing the "attributes" tab on user and computer objects in AD Users & Computers

If you're in Active Directory Users & Computers, you've enabled "Advanced Features" from the View menu and you're still unable to see the "Attributes" tab, here's the fix:

-Open ADSIedit and connect to the Configuration naming context
-expand (click on the +) CN=Configuration, DC=, DC=local
-expand CN=DisplaySpecifiers
-click on CN=your language. The language # can be found on http://support.microsoft.com/kb/324097 (for example US English is 409, so CN=409)
-in the right hand window locate CN=User-Display, right click on it and choose Properties.
    -Locate AdminPropertyPages, highlight it, click "Edit" and add the line 11,{c7436f12-a27f-4cab-aaca-2bd27ed1b773}
-in the right hand window locate CN=Computer-Display, right click on it and choose Properties.
    -Locate AdminPropertyPages, highlight it, click "Edit" and add the line 12,{c7436f12-a27f-4cab-aaca-2bd27ed1b773}
-in the right hand window locate CN=Default-Display, right click on it and choose Properties.
    -Locate AdminPropertyPages, highlight it, click "Edit" and add the line 4,{c7436f12-a27f-4cab-aaca-2bd27ed1b773}
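The same change scripted with the ActiveDirectory module, as an added example that is not part of the original post. It assumes rights to write the Configuration partition, uses the post's CLSID and page indexes, and skips any display specifier that already references the Attribute Editor so it is safe to re-run.

```powershell
# Added example: register the Attribute Editor property page on the user,
# computer and default display specifiers without opening ADSIedit.
Import-Module ActiveDirectory

$langCode        = '409'                                      # assumption: US English (see KB 324097)
$attrEditorClsid = '{c7436f12-a27f-4cab-aaca-2bd27ed1b773}'   # CLSID from the post
$configNC        = (Get-ADRootDSE).configurationNamingContext
$specifiersBase  = "CN=$langCode,CN=DisplaySpecifiers,$configNC"

# Page index -> display specifier, using the values the post gives
$pages = [ordered]@{
    'user-Display'     = 11
    'computer-Display' = 12
    'default-Display'  = 4
}

foreach ($name in $pages.Keys) {
    $dn    = "CN=$name,$specifiersBase"
    $obj   = Get-ADObject -Identity $dn -Properties adminPropertyPages
    $entry = "$($pages[$name]),$attrEditorClsid"

    # adminPropertyPages is multi-valued; do not add a duplicate reference
    $existing = @($obj.adminPropertyPages) -match [regex]::Escape($attrEditorClsid)
    if ($existing) {
        Write-Host "$name already lists the Attribute Editor page ($existing); skipping"
        continue
    }

    Set-ADObject -Identity $dn -Add @{ adminPropertyPages = $entry }
    Write-Host "Added '$entry' to $dn"
}

# Verify: every specifier should now carry exactly one Attribute Editor entry
foreach ($name in $pages.Keys) {
    $vals = (Get-ADObject -Identity "CN=$name,$specifiersBase" -Properties adminPropertyPages).adminPropertyPages
    $hits = @($vals) -match [regex]::Escape($attrEditorClsid)
    Write-Host ("{0}: {1} Attribute Editor entr{2}" -f $name, $hits.Count, $(if ($hits.Count -eq 1) { 'y' } else { 'ies' }))
}
```

Display specifier edits replicate through the Configuration partition, so the tab appears on every domain controller's ADUC once replication completes.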

11/13/16

Reinstalling DFS after upgrading Server 2008 R2 to 2012 R2

This weekend I used Disk2VHD to P2V a file server running Server 2008 R2.  Afterward, I wanted to install the Hyper-V Integration Components...which required SP1 for the OS...which required a reinstall of the OS...did all that...then upgraded to Server 2012 R2...and found that DFS shares were inaccessible.  These are my notes from troubleshooting.

1. Well, you're not supposed to re-install the OS of a DFS server (reference).

2. So I deleted the DFS namespaces and uninstalled DFS.

3. I couldn't re-install DFS.  Server Manager said "The request to add or remove features on the specified server failed.  The operation cannot be completed, because the server that you specified requires a restart."

4. Side note: Server Manager also said "Online- Cannot get role and feature data".

4a. Event Viewer contained the details - it seems that several old event log entries were corrupt or something and Server Manager couldn't enumerate them.

4b. So following instructions here, I backed up and then deleted the corresponding registry keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels.

5. That made Server Manager happy, but I still couldn't install DFS.  So started reading the C:\Windows\Logs\CBS\CBS.log file...and found this little gem:

"Error...EventAITrace:Channel Microsoft-Windows-DFSN-ServerFilter/Analytic is declared by an existing provider DFSN-Filter{{564af62f-e581-4998-9991-c4bc18178815}}"
...an orphaned registry key still needed to be deleted...after that, DFS installed successfully.

6. After creating a DFS namespace, I was puzzled as to why it wasn't visible in \\domain.local...the fix was to add the domain controllers to the list of namespace servers.

7. Lastly, I needed to search through all the group policy settings that my predecessor had set up and find where he had mapped network drive letters to the DFS shares so I could update them...fortunately, there's a handy GPO search function.

10/21/16

DHCP and secure dynamic for DNS

Consider this.  You support a network where:

  • DNS is Active Directory-integrated and requires secure dynamic updates
  • IPAM has been implemented to track IP address utilization
  • DHCP is set to update DNS records automatically

However, the DHCP server never updates DNS records.  Domain members appear in DNS, but not the smart phones seen in the DHCP lease table.  This limits the info available in IPAM.

The solution is to give the DHCP server a specific username/password to use when registering DNS records.  Further, you want this dedicated user account to be a member of the DnsUpdateProxy group so that if the DHCP server creates a record, the workstation can come along later and update that record itself (I ran into this once in a DirectAccess manage-out scenario).
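The fix above scripted with the ActiveDirectory and DhcpServer modules, as an added example that is not part of the original post. The account and server names are assumptions; the password is prompted for rather than written into the script.

```powershell
# Added example: dedicated DNS-registration account for DHCP, in DnsUpdateProxy,
# handed to the DHCP server for its secure dynamic updates.
Import-Module ActiveDirectory
Import-Module DhcpServer

$dhcpServer = 'dhcp01.domain.local'   # assumption
$svcAccount = 'svc-dhcpdns'           # assumption
$domainNb   = (Get-ADDomain).NetBIOSName

# 1. Create the service account if it does not exist (least privilege: plain user)
if (-not (Get-ADUser -Filter "SamAccountName -eq '$svcAccount'")) {
    New-ADUser -Name $svcAccount -SamAccountName $svcAccount `
        -AccountPassword (Read-Host -AsSecureString "Password for $svcAccount") `
        -Enabled $true -PasswordNeverExpires $true `
        -Description 'DHCP dynamic DNS registration account'
}

# 2. DnsUpdateProxy membership lets a client later update a record DHCP created
if (-not (Get-ADGroupMember -Identity 'DnsUpdateProxy' | Where-Object SamAccountName -eq $svcAccount)) {
    Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members $svcAccount
}

# 3. Give the DHCP server these credentials for its DNS updates
$cred = Get-Credential -UserName "$domainNb\$svcAccount" -Message 'Same password as above'
Set-DhcpServerDnsCredential -ComputerName $dhcpServer -Credential $cred

# 4. Verify: the DHCP server reports the account, and dynamic updates are enabled
$reported = Get-DhcpServerDnsCredential -ComputerName $dhcpServer
if ($reported.UserName -ne $svcAccount) { throw "DHCP server still reports '$($reported.UserName)'" }
Get-DhcpServerv4DnsSetting -ComputerName $dhcpServer |
    Select-Object DynamicUpdates, DeleteDnsRRonLeaseExpiry, NameProtection
```

Restart the DHCP Server service afterwards so the new credentials take effect, then watch for the lease-table phones appearing in the forward zone.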

9/27/16

Configuring Web Application Proxy in Server 2012 R2 for on-premise Exchange 2010 and RDS Gateway using a single public IP address

Several clients run an on-premise Exchange server and would benefit from having a RDS Gateway to simplify their firewall rules and improve their security posture.  It also comes in handy when the CEO wants to remote into her office PC from her phone.

1. If you install the AD FS role on a domain controller, follow the steps here first: https://support.microsoft.com/en-us/kb/2832204 to grant the "Log on as a service" right to "NT SERVICE\ALL SERVICES"

2. Follow instructions at http://blog.ittoby.com/2014/04/web-application-proxy-server-in-2012-r2.html

3. Add "Authenticated Users" to the "Pre-Windows 2000 Compatible Access" group in Active Directory (reference).

4. Configure the Web Application Proxy to support *all* Exchange services: http://searchexchange.techtarget.com/tip/How-to-configure-Active-Directory-to-publish-Exchange-to-the-Internet

5. Point your firewall's NAT policy to the WAP server instead of the Exchange server.

6. Allow end-users to change expired passwords by running this on the AD FS server (source):

Enable-AdfsEndpoint "/adfs/portal/updatepassword/"
Set-AdfsEndpoint "/adfs/portal/updatepassword/" -Proxy:$true
Restart-Service AdfsSrv -Force

7. If you support Outlook 2011 clients on a Mac, you'll need to add a wildcard certificate binding per https://blogs.technet.microsoft.com/applicationproxyblog/2014/06/19/how-to-support-non-sni-capable-clients-with-web-application-proxy-and-ad-fs-2012-r2/ because Outlook 2011 doesn't support the Server Name Indicator (SNI) extension of TLS SSL.

Note: run the command below from a CMD prompt, not PowerShell. PowerShell treats the braces in appid={...} as a script block, so the command fails there unless that argument is wrapped in quotes.

Example:
netsh http add sslcert ipport=0.0.0.0:443 certhash=2ff79b325a0c4aa4eb5cb04b1330ff78750a1639 appid={f955c070-e044-456c-ac00-e9e4275b3f04}

Update after configuring ADFS in Server 2016 at a different place:

1) I was getting tons and tons of errors in the Application Event log - ID 28005 - "An exception occurred while enqueueing a message in the target queue.  Error:15404, State: 19. Could not obtain information about Windows NT group/user XXX\XXX, error code 0x5."

This was resolved by right-clicking the OU which contains my ADFS service account and delegating the "read all attributes" permission to "Authenticated Users".  (reference)

2) Windows Authentication wasn't working.  This was resolved by deleting the internal CNAME DNS record for adfs.domain.com and replacing it with an A record. (reference)

3) An invaluable list of ADFS customizations for Server 2016 (including how to enable changing of expired passwords)

How to deal with an expired application certificate:

So after you add a new application certificate to both the target host (e.g. Exchange server) and your Web Application Proxy server, you need to either remove and re-add the associated application in the Web Application Proxy GUI, or else use Powershell to update the associated certificate.  Here's an example of the Powershell syntax:

Get-WebApplicationProxyApplication Autodiscover | Set-WebApplicationProxyApplication -ExternalCertificateThumbprint 50F089C9DF06EC5EC48C2110BDC3AE28BAA73543
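Extending the one-liner above to every published application at once, as an added example that is not part of the original post. It assumes the renewed certificate is already installed in the WAP server's machine store; the thumbprints are placeholders to replace with your own.

```powershell
# Added example: move all WAP applications that still use the expired
# certificate to the renewed one, after checking the new cert is usable.
Import-Module WebApplicationProxy

$oldThumb = 'OLD_THUMBPRINT_PLACEHOLDER'   # thumbprint of the expired certificate
$newThumb = 'NEW_THUMBPRINT_PLACEHOLDER'   # thumbprint of the renewed certificate

# The new certificate must exist in LocalMachine\My with a private key and be valid
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$newThumb" -ErrorAction Stop
if (-not $cert.HasPrivateKey)        { throw "Certificate $newThumb has no private key" }
if ($cert.NotAfter -lt (Get-Date))   { throw "Certificate $newThumb is already expired" }
if ($cert.NotBefore -gt (Get-Date))  { throw "Certificate $newThumb is not yet valid" }

# Re-point each application that still references the old thumbprint
$stale = Get-WebApplicationProxyApplication |
    Where-Object { $_.ExternalCertificateThumbprint -eq $oldThumb }

foreach ($app in $stale) {
    $app | Set-WebApplicationProxyApplication -ExternalCertificateThumbprint $newThumb
    Write-Host "Updated $($app.Name) ($($app.ExternalUrl)) -> $newThumb"
}

# Report any application whose certificate is missing or expires within 30 days
Get-WebApplicationProxyApplication | ForEach-Object {
    $c = Get-ChildItem "Cert:\LocalMachine\My\$($_.ExternalCertificateThumbprint)" -ErrorAction SilentlyContinue
    if (-not $c) {
        Write-Warning "$($_.Name): certificate $($_.ExternalCertificateThumbprint) not found in LocalMachine\My"
    } elseif ($c.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "$($_.Name): certificate expires $($c.NotAfter)"
    }
}
```

If you also published with a non-SNI binding (step 7 above), update that netsh sslcert entry with the new certhash as well; WAP does not change it for you.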

4/20/16

Cleaning up a mish-mash of domain controllers

After seizing all the FSMO roles on a single domain controller and deleting its replication partners in AD Sites & Services, I tried to join a PC to the domain and got this error:

After verifying that the DNS server settings were correct, rebooting, and verifying that the SYSVOL share was present on the domain controller, I ran dcdiag on the domain controller and saw this:

The DNS console was unusable:

The DNS event log was littered with red ink (so to speak):

So I followed instructions from https://support.microsoft.com/en-us/kb/2751452 and it worked!  Yay!

These were the instructions:

  • Stop the KDC service.
  • Run the following command with elevated rights: netdom resetpwd /server: /userd: /passwordd:*
  • It will prompt for the password of the Domain Admin account that you used, enter that.
  • Once the command executes, reboot the server.
  • DNS zones should load now.