Archive for March, 2012


Z-Hire Employee Provisioning App

Z-Hire automates the IT account creation process for Exchange mailboxes and Active Directory and Lync accounts. With just a click of a button, the Exchange mailbox and the Active Directory and Lync accounts are created simultaneously. Z-Hire serves as the platform for new-hire accounts by auto-creating the major IT accounts, with the option to run custom scripts. Z-Hire will speed up your account deployment by 600%, without the need for complicated and expensive identity management solutions. Some of the features include:

– Environment auto-discovery (AD/Exchange/Lync)
– Support for Active Directory, Exchange and Lync 2010 accounts
– Template-based deployment (allows consistency for all user accounts)
– Active Directory account creation with major attributes
– Active Directory group selection
– Lync 2010 account creation supporting all policies
– Faster performance (compared to the previous version)
– Best of all, it’s freeware!

You can get it from here or from my shared box:

http://www.zohno.com/productsandservices.html


The Certificate Expiration Alerter helps IT departments monitor the expiration status of all certificates issued by an internal Windows Server Certificate Authority (CA). When a certificate is about to expire, the Certificate Expiration Alerter sends an email notification with information about the certificate.

This allows the IT administrator to proactively take action and renew the certificates before they expire, preventing possible service downtime. This article explains how to use the tool:

http://blogs.technet.com/b/nexthop/archive/2011/11/18/certificate-expiration-alerting.aspx

The tool can be downloaded from my shared box folder on the right side; the file is called CertExpAlerter.zip.

Most applications nowadays rely on IIS, and you could face a lot of issues with authentication and access authorization.

Luckily, Microsoft has a very nice tool you can use to help you diagnose and get to the root cause of the issue.

The tool is called Authentication and Access Control Diagnostics 1.0 and can be downloaded from here:

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18421 (X86)

http://www.microsoft.com/download/en/details.aspx?id=8614 (X64)

The AuthDiag tool is designed to help you when you see either of the following error messages:

  • 401.1 logon failed
  • 401.3 ACL

The AuthDiag tool can also help you when you experience Kerberos problems.

And this is a sample of what this tool can help you do:

http://support.microsoft.com/kb/871179

I was faced with this issue today at a client site.

While trying to install an OS image onto a laptop, the client would obtain a DHCP IP address, receive a TFTP reply, and WinPE would download and start.

The issue was that after obtaining the policy, it would say “The task sequence failed to run because the packages could not be found on the distribution point”.

I checked that the package was updated on the distribution point, and I checked that the Data Access tab was set to “Copy the content to a package share on the DP”.

I had also read that it might be caused by the boundaries, so I checked those as well.

It turned out that the client had defined another site and assigned the subnet I was booting from to that site, but the subnet was not defined as a boundary using a specific site server.

So I went ahead and configured an IP range as a boundary, added it to the Boundary Group, and voilà, the computer booted.

While it is supported, it is against best practice to install the CA role on a domain controller, for the following reasons:

1- If you decommission that domain controller, you will have to go through the procedure of moving the CA off it first.

2- If you upgrade the version of the CA, this requires an upgrade of the OS of that domain controller, which in turn requires decommissioning it for the upgrade to take place.

3- In the event of a failure of that specific DC for any reason, restoring full functionality of both the DC and the CA will be lengthy, which could affect certificate validity due to the downtime.

4- Administration of certain CA functions requires local administrator rights, and this becomes an issue on a domain controller.

5- If you have to publish your CRLs externally, that DC will be internet facing, and this poses a very big security risk.

You might want to take a look at the posts below, which discuss the same:

1- This link verifies the local admin privileges needed; refer to Roles and Activities: http://technet.microsoft.com/en-us/library/cc732590.aspx

2- Go through these posts for additional reasons why not to have the CA on a DC; in particular, see Sander’s reply:

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/ce9df65f-cf58-4c84-a969-3cd67d1c0042

http://www.networksteve.com/forum/topic.php/Remove_Certification_Authority_from_old_(in_use)_domain_controll/?TopicId=1969&Posts=9

To enable issuing of SAN certificates on the CA, follow the steps below:

1. Open a command prompt with elevated privileges, or with user credentials that have permission to manage CAs.

2. Run the command certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

3. This command changes the value of EditFlags and adds the SubjectAltName flag in the registry, located at SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<Server Name>\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy

The output looks like below (please note that the values on your CA may differ from what they look like in the following example):

C:\>certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<Server Name>\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags:

Old Value:
EditFlags REG_DWORD = 11014e (1114446)
EDITF_REQUESTEXTENSIONLIST -- 2
EDITF_DISABLEEXTENSIONLIST -- 4
EDITF_ADDOLDKEYUSAGE -- 8
EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
EDITF_ENABLEAKIKEYID -- 100 (256)
EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)

New Value:
EditFlags REG_DWORD = 15014e (1376590)
EDITF_REQUESTEXTENSIONLIST -- 2
EDITF_DISABLEEXTENSIONLIST -- 4
EDITF_ADDOLDKEYUSAGE -- 8
EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
EDITF_ENABLEAKIKEYID -- 100 (256)
EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)
CertUtil: -setreg command completed successfully.
The CertSvc service may need to be restarted for changes to take effect.

4. Restart Certificate Services using the Services snap-in or the command prompt.

5. Once the service is restarted, you can request a certificate with a SAN extension using the web enrollment application.
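The certutil output above is a bitmask, and the easiest way to audit an EditFlags change is to decode it. The script below is an added example, not certutil's or Microsoft's code: it parses the Old Value / New Value lines, names the flags that were added, and reports whether EDITF_ATTRIBUTESUBJECTALTNAME2 is now set. With that flag set the CA honours a SubjectAltName supplied as a request attribute on any template it issues, so anyone reviewing a CA's configuration should confirm the flag is set intentionally and only while it is needed. The flag table is constructed from the eight flags shown in the output above only (a real CA has more), and the sample output is constructed from that same run.

```python
import re

# Bit values of the policy-module EditFlags as listed in the certutil output
# above. Assumption: this table is built from that output only; the full
# flag set on a real CA is longer.
EDITF_FLAGS = {
    0x000002: "EDITF_REQUESTEXTENSIONLIST",
    0x000004: "EDITF_DISABLEEXTENSIONLIST",
    0x000008: "EDITF_ADDOLDKEYUSAGE",
    0x000040: "EDITF_BASICCONSTRAINTSCRITICAL",
    0x000100: "EDITF_ENABLEAKIKEYID",
    0x010000: "EDITF_ENABLEDEFAULTSMIME",
    0x040000: "EDITF_ATTRIBUTESUBJECTALTNAME2",
    0x100000: "EDITF_ENABLECHASECLIENTDC",
}
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x040000

# Matches the "EditFlags REG_DWORD = 15014e (1376590)" line certutil prints.
_EDITFLAGS_LINE = re.compile(
    r"EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)\s*\((\d+)\)")


def decode_editflags(value):
    """Names of the known flags set in value, ordered by bit position; any
    bits outside the table are reported as one UNKNOWN_0x... entry so that
    nothing set on the CA is silently dropped."""
    names = [name for bit, name in sorted(EDITF_FLAGS.items()) if value & bit]
    unknown = value & ~sum(EDITF_FLAGS)
    if unknown:
        names.append("UNKNOWN_0x%x" % unknown)
    return names


def san_from_request_attributes_allowed(value):
    """True when the CA will accept a SubjectAltName passed as a request
    attribute (the flag this post enables)."""
    return bool(value & EDITF_ATTRIBUTESUBJECTALTNAME2)


def parse_certutil_editflags(output):
    """Return every EditFlags value found in certutil -setreg/-getreg output,
    checking that the hex and decimal renderings on each line agree."""
    values = []
    for m in _EDITFLAGS_LINE.finditer(output):
        hex_val, dec_val = int(m.group(1), 16), int(m.group(2))
        if hex_val != dec_val:
            raise ValueError("hex/decimal mismatch in line: %s" % m.group(0))
        values.append(hex_val)
    return values


def audit_editflags_output(output):
    """Summarise a change as (old, new, flags_added, san_allowed).
    -setreg prints an Old Value and a New Value; a -getreg dump has a single
    value, in which case old is None and flags_added lists every set flag."""
    values = parse_certutil_editflags(output)
    if not values:
        raise ValueError("no EditFlags line found")
    old = values[0] if len(values) > 1 else None
    new = values[-1]
    added = decode_editflags(new & ~(old or 0))
    return old, new, added, san_from_request_attributes_allowed(new)


# Constructed sample: the Old/New lines from the certutil run shown above.
SAMPLE_OUTPUT = """\
Old Value:
EditFlags REG_DWORD = 11014e (1114446)
New Value:
EditFlags REG_DWORD = 15014e (1376590)
CertUtil: -setreg command completed successfully.
"""

if __name__ == "__main__":
    old, new, added, san = audit_editflags_output(SAMPLE_OUTPUT)
    print("old=%#x new=%#x added=%s" % (old, new, added))
    print("SAN from request attributes allowed:", san)
```

To use it against a live CA, paste the output of certutil -getreg policy\EditFlags (or the -setreg transcript) into audit_editflags_output; the same decoder also works on the raw REG_DWORD read from the registry path given in step 3.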

Extended Validation is the feature that gives you the green bar in Internet Explorer as further identification of the web site.

There is a cool way to enable that for your internal servers. If you already have a CA in place, you will need to create a new template and renew the certificate of any internal website with this new template.

So without further ado, here is how to do it.

Enabling this feature is a two-step process:

Create a new “Issuance Policy” on a certificate template to support EV certificates:

The below steps require you to be logged in as an Enterprise Admin unless you have modified the permissions on your certificate templates.

1. Open the Certificate Templates MMC (CertTmpl.msc).

2. Create a new Version 2 or Version 3 template (or modify an existing v2/v3 template).

3. Click on the Extensions tab.

4. Select Issuance Policies, and click on the Edit button.

5. Click the Add… button.

6. Click the New… button.

7. Type in a name for the new Extended Validation Policy. The name for the policy can be anything you like. In my example I used “Contoso Extended Validation (EV)” as the name.

8. Type in the URL to the Certificate Practice Statement (CPS) for your extended validation policy.

NOTE: When you create a certificate policy you should have a practice statement defining how the certificate type is to be used, how issuance of the certificate type is approved, and what requirements must be fulfilled before issuance. CPSs are beyond the scope of this blog, however, and you should do your due diligence in crafting one.

9. The Object Identifier field will be filled out automatically. You can of course replace this with a custom OID that you obtained from an internet authority that manages OIDs. Be sure to document and copy this OID for later use.

10. Click OK

11. Highlight the Issuance Policy you just created and click OK.

12. Do not check “Make this extension critical” and click OK.

13. Click “OK” to close the certificate template dialog box.

Create / modify a Group Policy to support the feature:

It’s actually pretty easy to set up: you will need either a Windows Server 2008 R2 / Windows 7 client with the RSAT tools (GPMC) installed, or a 2008 R2 server with the Group Policy Management feature added.

It is important to note that a Windows Server 2008 R2 domain controller is not required; you only need the ability to manage group policies from the newer operating system.

1. Launch Group Policy Management (GPMC.MSC).

2. Edit an existing policy / create a new policy.

3. Navigate to the following location: Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities

4. Right click on Trusted Root Certification Authorities and select Import

5. You need to import your internal Root Certification Authority certificate using the import wizard.

6. Once the Root Certification Authority certificate has been imported, right click on the certificate and select “Properties”

7. Click on the Extended Validation tab.

8. Paste in the OID from Issuance Policy you created above.

9. Click the Add OID button.

10. Click OK.


Have fun with Extended Validation and enjoy your green validated address bar in Internet Explorer.

Thanks to Rob from the AD team for this.

Original link:

http://blogs.technet.com/b/askds/archive/2009/08/14/extended-validation-support-for-websites-using-internal-certificates.aspx