Archive: Posts Tagged ‘Configuring’

Prevent accidental deletions of AD objects

No comments June 5th, 2013

The “Ask DS” team posted a blog post called “Two lines that can save your AD from a crisis”. Not a bad thing to do, as it prevents you or another admin from accidentally deleting user or computer objects.

The lines they wrote protected users, computers and OUs. Did they forget about Groups?

Anyway, to also include all your groups (the same one-liner, with group added to the filter):

# Set the "ProtectedFromAccidentalDeletion" flag to "true" on all users,
# computers and groups in your domain where it is currently "false".
# objectClass -eq "user" also matches computer accounts, because a computer's
# objectClass chain includes "user". OUs are NOT covered by this filter; keep
# the DS team's line for those, or add objectClass -eq "organizationalUnit".
# Append -WhatIf to Set-ADObject to see what would change before you commit.

Get-ADObject -Filter {ObjectClass -eq "user" -or ObjectClass -eq "group"} -Properties ProtectedFromAccidentalDeletion | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADObject -ProtectedFromAccidentalDeletion:$true

Note that ProtectedFromAccidentalDeletion is not a real LDAP attribute. The AD module implements it as two Deny ACEs (Delete and Delete Subtree) for Everyone on the object's security descriptor, which is why both the delete and the move below fail until the flag is cleared.

If you try to delete a user or computer object, you get an error stating that the object is protected from accidental deletion. You have to untick “Protect object from accidental deletion” on the object first:



What if you’d like to move the user object to a different OU? Same error as above. You must set the flag to ‘false’ first, and remember to set it back to ‘true’ once the object is in its new OU, otherwise it ends up unprotected.

If you have hundreds of objects in an OU you’d like to move, it’s easier to use PowerShell to clear the flag on all objects in that specific OU:

Get-ADObject -SearchBase 'OU=OU1,dc=domain,dc=com' -Filter {ObjectClass -eq "user" -or ObjectClass -eq "group"} -Properties ProtectedFromAccidentalDeletion | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $true} | Set-ADObject -ProtectedFromAccidentalDeletion:$false
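To avoid leaving objects unprotected after a bulk move, the clear / move / re-protect sequence is best done in one pass. The script below is an added example, not from the original post: it unprotects each object directly under the source OU, moves it, and re-protects it in the target OU (or in place, if the move failed). It also adds organizationalUnit to the filter so nested OUs are handled. The OU paths are placeholders.

```powershell
# Added example (not from the original post): move protected AD objects between
# OUs without leaving them unprotected. Supports -WhatIf for a dry run.
Import-Module ActiveDirectory

# objectClass=user also matches computers (their objectClass chain contains "user").
$script:ProtectFilter = 'objectClass -eq "user" -or objectClass -eq "group" -or objectClass -eq "organizationalUnit"'

function Get-UnprotectedADObjects {
    # Report everything in the domain that is currently NOT protected.
    Get-ADObject -Filter $script:ProtectFilter -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
        Select-Object ObjectClass, DistinguishedName
}

function Move-ProtectedADObjects {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]$SourceOU,   # e.g. 'OU=OU1,DC=domain,DC=com' (placeholder)
        [Parameter(Mandatory)] [string]$TargetOU    # e.g. 'OU=OU2,DC=domain,DC=com' (placeholder)
    )

    $objects = Get-ADObject -SearchBase $SourceOU -SearchScope OneLevel `
        -Filter $script:ProtectFilter -Properties ProtectedFromAccidentalDeletion

    foreach ($obj in $objects) {
        $moved = $null   # reset per object; otherwise a previous iteration's value leaks into finally
        if (-not $PSCmdlet.ShouldProcess($obj.DistinguishedName, "Move to $TargetOU")) { continue }

        try {
            if ($obj.ProtectedFromAccidentalDeletion) {
                # Clear the Deny Delete/DeleteTree ACEs so the move is allowed.
                Set-ADObject -Identity $obj -ProtectedFromAccidentalDeletion $false
            }
            $moved = Move-ADObject -Identity $obj -TargetPath $TargetOU -PassThru
        }
        finally {
            # Re-protect no matter what happened. If the move failed, $moved is $null
            # and the object is still under $SourceOU, so protect it where it is.
            $toProtect = if ($moved) { $moved } else { $obj }
            Set-ADObject -Identity $toProtect -ProtectedFromAccidentalDeletion $true
        }
    }
}

# 1. See what is unprotected before touching anything.
Get-UnprotectedADObjects | Format-Table -AutoSize

# 2. Dry run, then the real move (OU paths are placeholders).
Move-ProtectedADObjects -SourceOU 'OU=OU1,DC=domain,DC=com' -TargetOU 'OU=OU2,DC=domain,DC=com' -WhatIf
Move-ProtectedADObjects -SourceOU 'OU=OU1,DC=domain,DC=com' -TargetOU 'OU=OU2,DC=domain,DC=com'
```

The -WhatIf run lists every object that would be moved without calling Set-ADObject or Move-ADObject, which is the check you want before a bulk change to a production OU.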

Will Gareth Bale stay with Spurs next season?


IP-HTTPS certificate

No comments October 3rd, 2012

If you use DirectAccess (DA), should the certificate on the IP-HTTPS listener come from your internal CA or from a third-party CA?

If you use a certificate from your internal CA, you have to publish the CRL so it can be reached from the Internet. If you don’t, external DA clients will discard the CRL from their cache when it expires and will no longer be able to check whether the certificate has been revoked. DA will not work for them until they bring the laptop onto the internal network, where the CRL is reachable.

The default time for the cache is 24 hours.

So I would not bother publishing the CRL, but instead use a third-party certificate on the IP-HTTPS listener; its CRL is already published on the Internet by the issuing CA. If you do use an internal CA, the CDP in the certificate must be an HTTP URL that resolves and is reachable from the outside; an LDAP CDP is useless to an external client.
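Whichever CA you choose, the thing to verify is that a client on the Internet can actually download the CRL named in the listener certificate. The script below is an added example, not part of the original post: run from outside the corporate network, it retrieves the certificate the IP-HTTPS listener presents, pulls the http(s) CDP URLs out of it, fetches each one and reports when that CRL expires. The DA host name is a placeholder; certutil is used to read the NextUpdate field because the .NET X509 classes do not parse CRLs.

```powershell
# Added example (not from the original post): check CRL reachability for the
# IP-HTTPS listener certificate from the Internet side.
param([string]$DaHostName = 'da.example.com', [int]$Port = 443)   # placeholder host name

function Get-ListenerCertificate {
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $HostName, $Port
    try {
        # Accept whatever certificate is presented: we want to inspect it, not trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $accept
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    }
    finally { $tcp.Close() }
}

function Get-CrlUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.31 = CRL Distribution Points. Format() renders "URL=..." lines,
    # which spares us decoding the ASN.1. Only http(s) URLs help an external
    # client; an ldap:// CDP cannot be reached from the Internet.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value } |
        Where-Object { $_ -match '^https?://' }
}

function Test-CrlUrl {
    param([string]$Url)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $resp  = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        $sw.Stop()
        $bytes = $resp.RawContentStream.ToArray()
        # Let certutil tell us the CRL's NextUpdate: that is how long a client may
        # keep using a cached copy, so it bounds how long DA survives a CDP outage.
        $tmp = Join-Path $env:TEMP ("crl-" + [guid]::NewGuid() + ".crl")
        [System.IO.File]::WriteAllBytes($tmp, $bytes)
        $dump = & certutil -dump $tmp 2>&1 | Out-String
        Remove-Item $tmp -ErrorAction SilentlyContinue
        $next = if ($dump -match 'NextUpdate:\s*(.+)') { $Matches[1].Trim() } else { 'unknown' }
        [pscustomobject]@{ Url = $Url; Reachable = $true;  Bytes = $bytes.Length; NextUpdate = $next; Ms = $sw.ElapsedMilliseconds; Error = $null }
    }
    catch {
        [pscustomobject]@{ Url = $Url; Reachable = $false; Bytes = 0; NextUpdate = $null; Ms = $null; Error = $_.Exception.Message }
    }
}

$cert = Get-ListenerCertificate -HostName $DaHostName -Port $Port
"Listener certificate: $($cert.Subject), issued by $($cert.Issuer), expires $($cert.NotAfter)"
$urls = @(Get-CrlUrls -Cert $cert)
if (-not $urls) { Write-Warning 'No http(s) CDP in the certificate: external clients cannot check revocation at all.' }
$urls | ForEach-Object { Test-CrlUrl -Url $_ } | Format-Table -AutoSize
```

A Reachable = $false row for every URL is exactly the situation the post describes: once the cached CRL passes its NextUpdate, external clients fail the IP-HTTPS connection until they are back on the LAN.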

If you use or are considering DA without UAG, the Windows 8 / Windows Server 2012 generation brought a lot of improvements to DA (features you previously only found in UAG).

For a complete list check out

GPO to remove ISATAP blocking from DNS

1 comment August 6th, 2012

When you use DirectAccess (DA) you have to unblock ISATAP on your DNS servers, so that clients doing a DNS lookup for the ISATAP name get an answer. The block list exists for a reason: any host that is allowed to register records dynamically in the zone could otherwise register “isatap” (or “wpad”) and have ISATAP clients route through it. Once you unblock it, make sure the ISATAP A record is a static record that points at your DA server, and that the zone only allows secure dynamic updates.

If you add a new domain controller with the DNS role, you must remember to remove ISATAP from the block list. You removed it on your DNS servers when you configured DA a long time ago, but will you or your successor remember to remove the block when you add a new DC/DNS?

I didn’t, until I saw event ID 7600 on the new DC/DNS…

To see the current settings:

dnscmd /info /globalqueryblocklist

To remove ISATAP manually from the block list (dnscmd /config replaces the whole list, so name every entry you want to keep; the default list is wpad and isatap):

dnscmd /config /globalqueryblocklist wpad

To avoid this happening in the future, I configured a Group Policy (GPO) to do the job. I reckon a GPO is more reliable than a Teflon brain.

Open the Group Policy Management console.

Create the WMI filter:

First you need to create a WMI filter so the GPO only apply to servers with the DNS server role. Give it a meaningful name.

Query:  SELECT id FROM Win32_ServerFeature WHERE id = "13"

(ID 13 = DNS Server)

Create the GPO/GPP:

Group Policy Objects -> New

Give it a name. I called it “GPP_Unblock_ISATAP”.

Computer Configuration – Preferences – Windows Settings – Registry

Choose New – Registry Item

Action: Update

Hive / Key Path: HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters

Value name: GlobalQueryBlockList

Value type: REG_MULTI_SZ

Value data: the entries you want to keep, one per line, without isatap (just “wpad” if you use the default list). The preference writes the complete value, so anything you leave out is unblocked.

Apply the WMI filter you created to the GPO (WMI Filtering on the GPO’s Scope tab):

Link the GPO to the OU where your DNS servers reside. I linked it to the Domain Controllers OU since we don’t have any standalone DNS servers. The WMI filter only matches DNS servers anyway, so you can link it higher up.

You have to restart the DNS Server service, or reboot the server, before the setting takes effect. Check the status with “dnscmd /info /globalqueryblocklist”. If ISATAP is not present, you are good to go.
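Checking one server by hand is fine for the first deployment; what catches the “new DC nobody told you about” case is a recurring check across all DNS servers. The script below is an added example and not part of the original post: it reads the same GlobalQueryBlockList registry value the preference item writes, on every DC, and also asks each server to resolve the ISATAP name, which is what a client sees. It assumes every DC runs DNS and that the ISATAP record is isatap.&lt;domain&gt;; the Unblock-Isatap helper uses dnscmd as in the post.

```powershell
# Added example (not from the original post): audit and fix the ISATAP entry in
# GlobalQueryBlockList across all DNS servers in the domain.
Import-Module ActiveDirectory

$script:DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-GlobalQueryBlockList {
    param([Parameter(Mandatory)][string]$Server)
    # REG_MULTI_SZ; "dnscmd /info /globalqueryblocklist" shows the same data.
    Invoke-Command -ComputerName $Server -ScriptBlock {
        @((Get-ItemProperty $using:DnsParams -Name GlobalQueryBlockList -ErrorAction SilentlyContinue).GlobalQueryBlockList)
    }
}

function Test-IsatapBlock {
    param(
        [string[]]$DnsServers = (Get-ADDomainController -Filter * | ForEach-Object HostName),
        [string]$Zone = (Get-ADDomain).DNSRoot   # assumes the ISATAP record lives in the domain zone
    )
    foreach ($server in $DnsServers) {
        $list = Get-GlobalQueryBlockList -Server $server
        # Query this server directly (-DnsOnly bypasses the local cache). A blocked
        # name gets no answer even though the A record exists in the zone.
        $answer = try {
            (Resolve-DnsName -Name "isatap.$Zone" -Type A -Server $server -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'A' }).IPAddress -join ','
        } catch { '(no answer)' }

        [pscustomobject]@{
            Server        = $server
            BlockList     = ($list -join ',')
            IsatapBlocked = [bool]($list -contains 'isatap')   # -contains is case-insensitive
            IsatapAnswer  = $answer
        }
    }
}

function Unblock-Isatap {
    param([Parameter(Mandatory)][string]$Server)
    # "dnscmd /config /globalqueryblocklist" REPLACES the list, so pass every entry
    # you want to keep (normally just wpad) rather than nothing at all.
    $keep = @(Get-GlobalQueryBlockList -Server $Server | Where-Object { $_ -ne 'isatap' })
    if ($keep.Count -eq 0) {
        Write-Warning "$Server would end up with an empty block list (wpad unblocked too); refusing."
        return
    }
    & dnscmd $Server /config /globalqueryblocklist @keep
    # Re-run Test-IsatapBlock afterwards; if the name still does not resolve,
    # restart the DNS Server service on that host as the post describes.
}

Test-IsatapBlock | Format-Table -AutoSize
# Remediate every server that still blocks it:
# Test-IsatapBlock | Where-Object IsatapBlocked | ForEach-Object { Unblock-Isatap -Server $_.Server }
```

A server that shows IsatapBlocked = $false but IsatapAnswer = (no answer) has a different problem (no static isatap A record in the zone), which is worth knowing before you blame the block list.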

Note that this only applies to Win2008 and newer, since legacy OSs don’t have the Win32_ServerFeature class.

If you have Win2003 DNS servers, you’ll see that the WMI filter returns “false” and the GPO will not apply. On Win2008 and newer it returns “true”:



Where should I register the SPN?

No comments April 21st, 2012

For proper Kerberos authentication to take place, the Service Principal Names (SPNs) have to be registered on the right account.

SPNs are values of the servicePrincipalName attribute in AD; each one uniquely identifies an instance of a service on a given host (service class/host[:port]).

If you have a SQL Server where the SQL service runs under Network Service or Local System, the SPN for SQL should be registered on the machine account. If the service runs under a service account (a domain user account), the SPN should be registered on that user.

SPNs for a service running as the machine account are registered automatically (SQL Server registers its own SPN at startup, because a machine account may write its own servicePrincipalName), but if you use a user account you have to register the SPN manually, with setspn.exe or adsiedit.msc. Prefer setspn -S over setspn -A: -S checks the forest for a duplicate before adding.

An SPN can only exist on one account. If you have duplicate SPNs in the forest, the KDC cannot tell which account’s key to use and Kerberos authentication to that service fails (clients typically fall back to NTLM or get an error). setspn -X lists duplicates.

If you have an IIS server (version 6 or earlier), the http service class should be registered on the application pool identity the site uses. This is not the case with IIS 7/7.5: kernel-mode authentication is enabled by default, so the Kerberos service ticket is encrypted with the machine account’s key no matter which account runs the application pool. The exception is a domain account as app pool identity behind a shared or load-balanced host name: then set useAppPoolCredentials="true" in the site’s windowsAuthentication configuration and register the SPN on the app pool account.
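Two checks follow directly from the rules above: are there duplicate SPNs anywhere in the forest, and does the SQL SPN sit on the account it should? The script below is an added example, not from the original post. It searches a global catalog (port 3268 with an empty search base) so duplicates in other domains show up, and compares the expected owner of a SQL instance’s SPNs with the actual owner. The host name, port and service account are placeholders.

```powershell
# Added example (not from the original post): find duplicate SPNs forest-wide and
# check where a SQL Server instance's SPNs should be versus where they are.
Import-Module ActiveDirectory

function Find-DuplicateSpn {
    param(
        # A GC on port 3268 with an empty search base searches the whole forest.
        [string]$GlobalCatalog = ((Get-ADForest).GlobalCatalogs | Select-Object -First 1)
    )
    Get-ADObject -Server "${GlobalCatalog}:3268" -SearchBase '' -SearchScope Subtree `
        -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
        ForEach-Object {
            $account = $_
            foreach ($spn in $account.servicePrincipalName) {
                [pscustomobject]@{ SPN = $spn; Account = $account.DistinguishedName }
            }
        } |
        # Group-Object compares case-insensitively, like the KDC's SPN lookup.
        Group-Object -Property SPN |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{ SPN = $_.Name; Accounts = ($_.Group.Account -join ' | ') }
        }
}

function Get-ExpectedSqlSpn {
    param(
        [Parameter(Mandatory)][string]$SqlFqdn,   # e.g. sql01.domain.com (placeholder)
        [int]$Port = 1433,
        [string]$ServiceAccount = ''              # sAMAccountName of the domain user, or empty for Local System / Network Service
    )
    $short = $SqlFqdn.Split('.')[0]
    # Rule from the post: built-in account -> machine account (SHORT$); domain user -> that user.
    $shouldBe = if ($ServiceAccount) { $ServiceAccount } else { "$short`$" }

    # SQL Server registers the port form and, for a default instance, the port-less form.
    foreach ($spn in @("MSSQLSvc/${SqlFqdn}:$Port", "MSSQLSvc/$SqlFqdn")) {
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
        [pscustomobject]@{
            SPN      = $spn
            ShouldBe = $shouldBe
            IsOn     = if ($owners) { ($owners.sAMAccountName -join ', ') } else { '(not registered)' }
            OK       = ($owners.Count -eq 1 -and $owners[0].sAMAccountName -eq $shouldBe)
        }
    }
}

Find-DuplicateSpn | Format-Table -AutoSize
Get-ExpectedSqlSpn -SqlFqdn 'sql01.domain.com' -Port 1433 -ServiceAccount 'svc_sql' | Format-Table -AutoSize

# To register a missing SPN, prefer setspn -S, which refuses to add a duplicate:
#   setspn -S MSSQLSvc/sql01.domain.com:1433 DOMAIN\svc_sql
# setspn -X lists duplicates forest-wide, like Find-DuplicateSpn above.
```

An OK = $false row with IsOn showing the machine account after you switched the service to a domain user is the classic case: SQL registered the SPN while it still ran as Network Service, and the stale entry on the computer object is now a duplicate once you add it to the user.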



Accessing Dynamics CRM 2011 from the Internet

2 comments October 19th, 2011

To access Dynamics CRM 4 (on premise) from the Internet, you had to configure IFD, and you could use e.g. ISA in a DMZ if you didn’t want the CRM server facing the Internet.

If you decided to use ISA you couldn’t use the built-in security (pre-authentication) provided by ISA/UAG; you had to tunnel all traffic through and let the CRM server authenticate the user. Not so cool, but fairly easy to set up and configure.

With the release of Dynamics CRM 2011 things got a little more complicated. If you wanted to access CRM from the Internet you had to configure claims-based authentication, ADFS 2.0 and IFD. UAG was not supported.

I was taken by surprise when I read about this, since Microsoft uses UAG to make e.g. Exchange and SharePoint more secure. Did they forget about CRM?

Products like Citrix Access Gateway took the lead here.

Things changed with the release of UAG Service Pack 1. Publishing CRM via UAG is now supported. You don’t need to set up ADFS and claims; let UAG secure and authenticate the users, with or without two-factor authentication such as RSA.

Easy to configure, easy to understand 🙂






Folder Redirection + Microsoft Dynamics CRM 2011 = false

8 comments June 22nd, 2011

Consider the following environment:

3 x Win2008R2 SP1 RDS (terminal servers with load balancing)
1 x Win2008R2 SP1 Microsoft Dynamics CRM 2011 (Rollup pack 2 at the moment)
CRM for Outlook installed on the RDS servers.

Since you don’t want users saving documents, pictures, etc. on the RDS servers, and you want the user environment to be the same regardless of which RDS server they land on, you configure Folder Redirection and Roaming Profiles.

Doing this leaves your MS CRM installation in an unsupported state, as MS CRM 4 and CRM 2011 don’t support Folder Redirection.

Problems I experienced:

If you open a window from CRM and then close it, you get: An error occurred. Send Report to Microsoft?

If you open CRM for Outlook as a normal user and try to track an email, you get an error stating that it didn’t work. In the Event log on the RDS server you’ll see:

EventID 5972 Source MSCRMAddin

I opened a support case with Microsoft and got in contact with the MS CRM team. They told me that Folder Redirection (FR) is unsupported in MS CRM, so I had to remove FR before they could investigate any further.

That would be a huge drawback, since we use load balancing between the RDSs, and users would be saving documents directly on the RDS servers. Ouch!

Solution: Remove Folder Redirection completely.

Solution (unsupported):

There are two files (caches) that have to be local on the RDS for CRM to work: “EmailCache.sdf” and “OutlookSyncCache.sdf”.

They are located in the “%userprofile%\AppData\Roaming\Microsoft\MSCRM” folder. If you redirect “AppData(Roaming)”, those two files end up on a file share, which causes problems for the CRM client and some weird errors.

So if you have to use FR, don’t redirect “AppData”; that folder has to stay local. Redirecting the other folders didn’t seem to cause any problems.

There are no official KBs stating that Folder Redirection is unsupported in CRM 4 and CRM 2011, but it is. The CRM support team told me the product team was working on it, and a fix might come in an upcoming version / rollup.


Configure Folder Redirection

7 comments May 21st, 2011

Without Folder Redirection, users might (will) save data in their local profile on their computer. If they accidentally delete such a file, you don’t have a backup of it (unless you back up workstations, which I doubt…).

Configuring Folder Redirection is fairly easy, but it needs to be configured correctly: the permissions on the share decide whether users can read each other’s documents.

In this step-by-step I just use a domain controller (DC) to store the user folders. I always strive to keep DCs dedicated and not mix other roles onto them. If you don’t have the hardware or budget, I guess you don’t have a choice.

Open “Share and Storage Management” (which came with Win2008 and is in fact a great tool).

In the Action frame, choose “Provision Share”:

Click “Browse” and “Make new folder”. Give it a meaningful name like “FolderRedir” or similar:


Edit the NTFS permissions:

Remove the inheritance so the folder doesn’t get permissions from its parent folder:


Administrators: Full Control, “This folder, subfolders and files”
System: Full Control, “This folder, subfolders and files”
Users (or a group containing the domain users): Read & Execute + “Create folders / Append data”, “This folder only”
Creator Owner: Full Control, “Subfolders and files only”

This is the least-privilege pattern for a redirection root: a user can list the root and create a folder in it, but only the creator of a folder (plus Administrators and System) gets access to it, so users cannot browse each other’s redirected folders.

Give it a share name and make it hidden (add a $ at the end of the share name):

Enable “Access-based enumeration” (optional). With this on, a user browsing the share only sees the folders they have access to:

Set the share permissions:

Domain admins: Full Control
Users (or a group containing the domain users): Full Control

Full Control on the share is fine here: the effective permission is the stricter of the share and NTFS permissions, and NTFS is what restricts users to their own folders.

If you use DFS, consider placing the folder redirection root in the DFS namespace for redundancy. If you don’t have it, just click Next:

Hit Next and Create the good stuff.
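For a second server, or to keep the permissions reproducible, the same share and NTFS setup can be scripted. The block below is an added example and not from the original post: it creates the root folder, breaks inheritance, applies exactly the four ACEs listed above with the same inheritance scopes, and creates the hidden share with access-based enumeration. The path, share name and group names are placeholders; New-SmbShare requires the SmbShare module (Win2012 or newer).

```powershell
# Added example (not from the original post): provision a folder-redirection
# root with the NTFS and share permissions from the walkthrough above.
param(
    [string]$Path       = 'D:\FolderRedir',          # placeholder
    [string]$ShareName  = 'FolderRedir$',            # $ suffix = hidden share
    [string]$UserGroup  = 'CONTOSO\Domain Users',    # placeholder
    [string]$AdminGroup = 'CONTOSO\Domain Admins'    # placeholder
)

New-Item -ItemType Directory -Path $Path -Force | Out-Null

$acl = Get-Acl -Path $Path
# Break inheritance and drop the inherited ACEs ("Remove the inheritance" step).
$acl.SetAccessRuleProtection($true, $false)
# Drop any explicit ACEs the folder came with so only the rules below remain.
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($ace) }

$full = [System.Security.AccessControl.FileSystemRights]::FullControl
# "Read & Execute" + "Create folders / Append data". CreateDirectories and
# AppendData are the same bit (0x4) in FileSystemRights, so one name is enough.
$userRights = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, CreateDirectories'

# Inheritance / propagation pairs, in the GUI's wording:
$thisFolderSubfoldersFiles = @('ContainerInherit, ObjectInherit', 'None')
$thisFolderOnly            = @('None', 'None')
$subfoldersAndFilesOnly    = @('ContainerInherit, ObjectInherit', 'InheritOnly')

function New-Ace {
    param([string]$Identity, $Rights, [string[]]$Scope)
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Scope[0], $Scope[1], 'Allow'
}

$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' $full       $thisFolderSubfoldersFiles))
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    $full       $thisFolderSubfoldersFiles))
$acl.AddAccessRule((New-Ace $UserGroup               $userRights $thisFolderOnly))
# Whoever creates a folder (the user, at first logon) gets Full Control on it;
# other members of $UserGroup cannot even list it.
$acl.AddAccessRule((New-Ace 'CREATOR OWNER'          $full       $subfoldersAndFilesOnly))
Set-Acl -Path $Path -AclObject $acl

# Hidden share, access-based enumeration on. Full Control on the share is fine:
# the effective right is the stricter of share and NTFS, and NTFS does the restricting.
New-SmbShare -Name $ShareName -Path $Path -FullAccess $AdminGroup, $UserGroup `
    -FolderEnumerationMode AccessBased | Out-Null

# Verify what was actually written.
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
Get-SmbShareAccess -Name $ShareName | Format-Table -AutoSize
```

The verification output should show the Users group with exactly ReadAndExecute and CreateDirectories on the root and no inheritance flags; anything broader (Modify, or an inherited ACE that survived) means users can read each other’s folders.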

With the share and NTFS permissions in place, you have to create a Group Policy Object (GPO):

Open the Group Policy Management Console:

Create a new GPO and give it an informative name, e.g. “GPO_FolderRedir”.

Navigate to “User Configuration – Windows Settings – Folder Redirection”. You now have to decide what you want to redirect. You can redirect all folders or just a few; “Documents”, “Desktop” and “Favorites” are sensible picks if you don’t redirect everything.

If all your users should be on the same share, use the “Basic” setting. If you have different shares for different domain groups, use the “Advanced” setting.

Set “Root Path” = the share path you created earlier.

On the Settings tab, untick “Grant the user exclusive rights to Documents” if you want domain admins to have access to the redirected folders. If you leave it ticked and the folders get created, unticking it later will not give domain admins access to the already created folders; you have to take ownership of those folders to gain access, and then redirection stops working for that user at the next logon, because the user has to be the owner of the folder.

Now link the GPO to an OU (not a container like “Users”) where the users reside.
When a user logs on, the folders are created automatically with the right permissions. If the user saves e.g. a Word document to My Documents, it’s saved on the file server.

If you have terminal server users, folder redirection in conjunction with Roaming Profiles is a m.u.s.t!

(even though Manchester City bought a Champions League place)

Do I need WINS?

No comments December 15th, 2010

No, you do not! Unless:

  • You have Exchange 2000/2003 and want to preserve full functionality. Changing a domain password with OWA 2003, export/import with Exmerge and Outlook clients prior to 2003 all require WINS.
  • You have a large subnetted network; NetBIOS broadcasts do not cross subnets.
  • You have a program that requires WINS.

I assume you don’t have any NT servers or Win98 clients 🙂 

If you do have a WINS server in play, you could use “Performance Monitor” to monitor WINS queries (“Successful Queries/sec”).


If you see a lot of queries, consider whether NetBIOS name-query broadcasts are an acceptable replacement. Keep in mind that broadcasts increase the load on your network, and that a broadcast name query can be answered by any host on the segment, so NetBIOS name spoofing becomes possible where WINS used to give an authoritative answer.


Configure the time

3 comments June 23rd, 2010

Applies to Server 2003/2008. Not for Windows 2000.

Time is crucial in an Active Directory domain. If there is e.g. more than 5 minutes offset between a DC and a client computer (the default Kerberos clock-skew tolerance), Kerberos authentication will fail.

You may also see problems with AD replication if two DCs are out of sync, since changed attributes are stamped with the time of the change. The time stamp is one of the three parts of the stamp used to resolve replication/attribute conflicts (version number, originating time, originating DSA).

When a user logs on to his/her workstation and authenticates, the computer synchronizes its time with the authenticating DC.

That DC, if it is not the PDC emulator (PDCe) role holder, synchronizes its time with the domain’s PDCe.

The PDCe should synchronize its time with a reliable external time source. Plain NTP is unauthenticated, so pick a source you trust (preferably several), since a bad time source breaks Kerberos across the whole domain. You can find an NTP server close to you here.
If the DC holding the PDCe role dies, or the role is transferred or seized, you have to configure the time source on the new PDCe.
Configuring the external time source can be a mess, and maintaining it even more so.

The MS DS team made a blog entry about this some time ago and I must say it’s a really elegant approach!!

In short: they create a GPO, set an external time source, configure a WMI filter so the GPO only applies to the domain’s PDCe role holder, and link the GPO to the Domain Controllers OU.

Open the GPMC and create a new WMI filter:
Query: Select * from Win32_ComputerSystem where DomainRole = 5

(DomainRole 5 = primary domain controller, which in an AD domain is the PDC emulator; every other DC reports 4.)

Create a new GPO and set the external time source:

Computer Configuration/Administrative Templates/System/Windows Time Service/Time Providers/Configure Windows NTP Client

Set NtpServer to the server(s) you prefer (a space-separated list, e.g. “0.pool.ntp.org,0x9 1.pool.ntp.org,0x9”) and change Type to NTP.
Apply the WMI filter to this GPO:
and link the GPO to the Domain Controllers OU:
To see how the DCs synchronize their time, run: w32tm /monitor

Here dc01test.spurs.local (the PDCe holder) uses its local CMOS clock, while dc4test.spurs.local synchronizes with dc01test.

Restart the time service (net stop w32time && net start w32time) and force a Group Policy update (gpupdate /force, or wait 5 minutes, which is the policy refresh interval on DCs).

Now the new GPO is applied and dc01test synchronizes with the external time source.

You can also see this in the System Event log:
So what happens if I transfer the PDCe role from dc01test to dc4test?

I wait for 5 minutes (and run w32tm /monitor just to check):

As you can see, dc4test now synchronizes with the external time source, while dc01test synchronizes with dc4test.

You don’t have to think about configuring the time source when the PDCe role is transferred.
You don’t even have to clean up the old PDCe holder, as the registry doesn’t get tattooed by this!
If you configure the time with a GPO, the settings are written under the policy key:

HKLM\SOFTWARE\Policies\Microsoft\W32Time

If you don’t use a GPO, the settings live under the service key:

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters (and \TimeProviders\NtpClient)

The policy key takes precedence over the service key, and it is removed again when the policy no longer applies to the machine, which is why there is nothing to clean up on the old PDCe.
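The script below is an added example, not part of the original post, that checks the outcome of this setup across the domain: for each DC it evaluates the same DomainRole = 5 test the WMI filter uses, reads both the policy and the service registry locations so you can see the precedence in action, and asks w32tm which source the service is actually using right now. It assumes the policy values are under HKLM\SOFTWARE\Policies\Microsoft\W32Time and that w32tm /query is available (Win2008 and newer).

```powershell
# Added example (not from the original post): verify that only the PDC emulator
# points at the external NTP source and every other DC follows the domain hierarchy.
Import-Module ActiveDirectory

function Get-DcTimeConfig {
    param([string[]]$DomainControllers = (Get-ADDomainController -Filter * | ForEach-Object HostName))

    foreach ($dc in $DomainControllers) {
        Invoke-Command -ComputerName $dc -ScriptBlock {
            $policy  = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'        # written by the GPO
            $service = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'  # written by w32tm /config
            $p = Get-ItemProperty $policy  -ErrorAction SilentlyContinue
            $s = Get-ItemProperty $service -ErrorAction SilentlyContinue
            # Same test as the WMI filter: DomainRole 5 = PDC emulator.
            $role = (Get-CimInstance Win32_ComputerSystem).DomainRole
            # What the service is using right now: "Local CMOS Clock", a DC name, or the NTP host.
            $source = (& w32tm /query /source 2>&1 | Out-String).Trim()
            [pscustomobject]@{
                DC              = $env:COMPUTERNAME
                IsPdcEmulator   = ($role -eq 5)
                PolicyType      = $p.Type
                PolicyServer    = $p.NtpServer
                ServiceType     = $s.Type
                ServiceServer   = $s.NtpServer
                # Policy wins over the service key when present, as the post says.
                EffectiveServer = if ($p.NtpServer) { $p.NtpServer } else { $s.NtpServer }
                CurrentSource   = $source
            }
        } | Select-Object -Property * -ExcludeProperty PSComputerName, RunspaceId, PSShowComputerName
    }
}

function Test-DcTimeConfig {
    # Expectations: exactly one PDCe, configured by policy with Type = NTP and a
    # server list; every other DC has no policy values and Type = NT5DS (domain hierarchy).
    $cfg = @(Get-DcTimeConfig)
    $pdc = @($cfg | Where-Object IsPdcEmulator)
    if ($pdc.Count -ne 1) { Write-Warning "Expected one PDC emulator, found $($pdc.Count)" }

    foreach ($c in $cfg) {
        $status = if ($c.IsPdcEmulator) {
            if ($c.PolicyType -eq 'NTP' -and $c.EffectiveServer) { 'OK: PDCe -> external NTP via policy' }
            else { 'CHECK: PDCe has no policy NTP source (GPO/WMI filter not applied?)' }
        } else {
            if (-not $c.PolicyType -and $c.ServiceType -eq 'NT5DS') { 'OK: follows domain hierarchy' }
            else { "CHECK: policy type '$($c.PolicyType)', service type '$($c.ServiceType)' (tattooed or mis-scoped GPO?)" }
        }
        [pscustomobject]@{ DC = $c.DC; PDCe = $c.IsPdcEmulator; Source = $c.CurrentSource; Status = $status }
    }
}

Test-DcTimeConfig | Format-Table -AutoSize
```

Run it once before and once after transferring the PDCe role (with the 5-minute wait the post mentions): the OK lines should simply swap between the two DCs, and the old PDCe should show empty policy values, which is the “no tattooing” behaviour in practice.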