Home
Microsoft 365
Linux
Windows
Powershell
Cloud Computing
    Citrix Xendesktop
    Citrix XenApp
Useful links
About
ajni.IT -
  • Home
  • Microsoft 365
  • Linux
  • Windows
  • Powershell
  • Cloud Computing
    • Citrix Xendesktop
    • Citrix XenApp
  • Useful links
  • About

Migrate Sysvol from FRS to DFSR

March 31, 2021 by AJNI No Comments

On old Windows Active Directory environments, you might need to upgrade the Sysvol share from File Replication Service to Distributed File System Replication. This is very easy to do and it should be done asap in your environment.

Unfortunately I do not have screenshots to share with you, but here are the steps:

With dfsrmig /getmigrationstate you can see the status of the migration. Dfsrmig has 4 states starting from 0:

  • State 0 - started
  • State 1 - prepared
  • State 2 - redirected
  • State 3 - eliminated

Step 1:

dfsrmig /setglobalstate 0

Wait untill all Domain Controllers have the state "started". You can check the state with dfsrmig /getmigrationstate. Be very patient as it might take some time to replicate changes particularly if you have Domain Controllers on remote offices.

Step 2:

dfsrmig /setglobalstate 1

Wait until all Domain Controller have the state "prepared". You can check the state with dfsrmig /getmigrationstate. Once again, be very patient and double check the output.

Step 3:

dfsrmig /setglobalstate 2

Wait until all Domain Controller have the state "redirected". You can check the state with dfsrmig /getmigrationstate. Be very patient and double-check the output.

Step 3:

dfsrmig /setglobalstate 3

Wait until all Domain Controller have the state "eliminated". You can check the state with dfsrmig /getmigrationstate. Be very patient and double-check the output.

In addition to the last migration state, make sure the File Replication Service service is disabled on every Domain Controller.

References:

https://www.rebeladmin.com/2015/04/step-by-step-guide-for-upgrading-sysvol-replication-to-dfsr-distributed-file-system-replication/

Reading time: 1 min

AD Group Membership into a CSV/Excel

February 14, 2021 by AJNI No Comments

With this awesome script, you can read Active Directory group membership and convert that information into a CSV file, which can be imported in Microsoft Excel.

The file will be saved inside C:\Temp. The result looks something like this (I'm no Excel wizard):

https://github.com/ajnik/AD-Group-Membership-to-Excel/blob/main/AD-Groups-To-CSV.ps1

Note: Not my script. Check credits.

Reading time: 1 min

Automatic program start at logon with GPOs

November 28, 2020 by AJNI No Comments

You can easily run one or multiple programs at logon without messing with the Registry by using Group Policy Object (GPOs).

Under User (or Computer) configuration > Administrative Templates > System > Logon > Run these programs at user logon you can insert the path of the executable. Very clean and straight forward.

Reading time: 1 min

Reset Computer Secure Channel of a Domain Computer with one PowerShell command

November 14, 2020 by AJNI No Comments

You probably have stumbled upon this common problem: When logging into a Domain Computer with a Domain user, this error appears: The trust relationship between this workstation and the primary domain failed.

What does it mean? Well, it basically means that the Domain Computer cannot authenticate against Active Directory, because the Computer Account password on the workstation is not valid anymore (this can occur when using Sytem Restore or when restoring from a backup).

How do you solve this issue? Pretty easy. Just remove the computer from the Domain and re-join. That works, but there is a cleaner and faster solution with one line of PowerShell code:

Test-ComputerSecureChannel -Repair -Credential (Get-Credential)

You will need to enter domain user credentials that can create or modify computer accounts in the Active Directory Domain.

You can check if the password of the Domain computer changed by viewing the attribute pwLastSet in the Attribute Editor.

Reading time: 1 min

Active Directory Certificate Services (AD CS) on Windows Server 2019

August 30, 2020 by AJNI No Comments

Active Directory Certificate Services is the Windows implementation of Public Key Encryption (PKI). ADCS is needed whenever you are hosting a web server that needs to encrypt data over the wire. Instead of buying a public certificate, you implement your own trusted internal Certificate Authority (CA), deploy the Root Certificate to your clients through GPO, and then you can create as many web server certificates as you want.

My deployment consists of two servers with Windows Server 2019. The first server will be the Offline Root Certificate Authority (offline because it will be offline for most of the time) and will not be part of the domain. The second server will be a domain member and will be the Issuing CA.

So on the first server, install the ADCS role on the Workgroup server in Server Manager:

Under Role Services, select Certification Authority.

After the role installation, proceed with the configuration.

This server will be the Standalone Root CA, the domain member will be an Enterprise Subordinate CA.

Create a new private key. SHA256 should be just fine for the hash algorithm with a key length of 2048.

Give the CA a name.

The offline Root CA should be valid for 10 years. The online CA for 5.

Here a recap of the settings we chose.

Before configuring the second server, let's change the Authority Information Access (AIA) and the CRL Distribution Point (CDP). These must be reachable by clients at any time. Open the properties and head to extensions. Remove all the distribution points on the CDP and create these ones (I am not sure if IDP is needed, please let me know):

http://www.ajni.it/pki/<CRLNameSuffix><DeltaCRLAllowed>.crl

file://C:\Cert\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

Here is the only distribution point for AIA:

http://www.ajni.it/pki/<CertificateName>.crt

Change the validity period of the Subordinate CA certificate we are just going to issue and the CDP (5 years for the Subordinate CA and one year for the CDP):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\AJNI-Root-CA

Now let's install and configure the second online CA server. The feature installation wizard is the same as on the first server. The configuration is slightly different.

Like previously mentioned, we are using an Enterprise Subordinate CA.

We are creating a new key. The hash algorithm is also SHA256 with a key size of 2048.

The certificate request will be uploaded to first server and digitally signed by the offline Root CA.

Here is once again the summary of all configured settings.

Now upload the certificate request file to the first CA. Open the Certification Authority MMC on the first server and submit a new request.

Under Pending Request you should see your request (it might take a few seconds). Here you can issue the certificate.

Save the signed certificate to a file as a DER format. Also, copy the Root certificate to the second server and install it in the local certificate store.

On the online CA, start the ADCS service and install the signed certificate from the offline CA.

Select the previously saved file.

You will probably get an error when attempting to start the service because the CDP is not reachable (http://www.ajni.it/pki/...). With pkiview.msc, you can check if the distribution point are reachable and up-to-date:

Now you will need a webserver where these files are going to be hosted. I will install IIS on the same server, but it is highly recommended to host it on a separate server.

Change IIS configuration to respond to requests with the DNS name www.ajni.it:

Create a DNS entry pointing to the server:

Create the CRL file on the offline Root CA and copy them to the IIS root folder (in my case it's C:\inetpub\wwwroot\pki):

The file will be created under C:\cert. We'll also need the Root CA file. The file name needs to be Ajni-Root-CA.crt though.

Here the file inside the IIS folder:

On pkiview.msc, everything should be green on the Ajni-Root-CA. When dealing with Delta CRL, IIS might block downloads because of double escaping. To solve that allow double escaping on IIS under Request Filtering:

Now that the CDP is reachable, the Subordinate CA can be started without any issues. Like on the Root CA, we have to change CDP and AIA locations:

file://C:\inetpub\wwwroot\pki\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

http://www.ajni.it/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

With the above configuration, CRL and delta CRL will be automatically published to the IIS root folder.

Publish the first CRL manually (you need to revoke one certificate, otherwise, the list will not be created. Do that through certlm.msc). Afterward, everything should be green in pkiview.msc.

Publish both CRL and Delta CRL.

The files should be created inside C:\inetpub\wwwroot\pki. The Subordinate CA certificate has to be copied manually and named properly. You can ignore the fact that I have 2 Subordinate CA certificates. You should only see one.

Pkiview.msc is also happy:

After everything is set, you can shut down the offline CA. You only have to start it once a year when publishing the CRL.

At last, publish the Root certificate in Active Directory with certutil. This can be also achieved with GPO.

certutil.exe -f -dspublish AJNI-Root-CA.crt RootCA

Reading time: 4 min
Page 1 of 212»

Tip Of the Day

  • Fix Search Indexing on RDS Server 2019

    1 week ago

Keep in touch

Oh hi there 👋
It’s nice to meet you.

Sign up to receive my awesome blog posts in your inbox, every week.

Check your inbox or spam folder to confirm your subscription.

Recent Posts

  • Fix Search Indexing on RDS Server 2019
  • Migrate Sysvol from FRS to DFSR
  • First look at Windows Server 2022
  • Joining Windows 10 to an Azure Active Directory Domain
  • Enable passwordless login to Microsoft Account with Microsoft Authenticator

Categories

  • Azure (7)
  • Citrix XenApp (7)
  • Citrix Xendesktop (4)
  • Cloud Computing (20)
  • Coding (1)
  • Hyper-V (5)
  • Linux (8)
  • Microsoft 365 (3)
  • Powershell (8)
  • Security (2)
  • VDI (4)
  • Virtualization (13)
  • VMware (5)
  • Windows (18)
  • Windows Client OS (14)
  • Windows Server (27)

Archives

  • April 2021
  • March 2021
  • February 2021
  • December 2020
  • November 2020
  • September 2020
  • August 2020
  • July 2020
  • June 2020
  • May 2020
  • April 2020
  • March 2020
  • February 2020
  • November 2019
  • October 2019
  • September 2019
  • August 2019
  • July 2019
  • June 2019
  • May 2019
  • April 2019
  • March 2019

ajni IT © 2019