Tag Archives: Active Directory

Active Directory Windows Server Windows XP

Use Syslog on Windows

There are a number of tools available for using Syslog in a Windows environment. I’ll look at Snare as it’s pretty flexible and easy to configure. First download the Snare installation executable from http://sourceforge.net/projects/snare. Once downloaded, run the installer and simply follow all of the default options, unless you’d like to password protect the admin page, in which case choose that option. Note that the admin page is by default only available to localhost.

Once installed, run the “Restore Remote Access to Snare for Windows” script.


Then open http://127.0.0.1:6161 and click on Network Configuration in the red sidebar. There, we can define the name that will be used in syslog (or leave blank to use the hostname), the port of your syslog server (we used 514 here) and the address of your syslog server (we used logger here but it could be an IP or fqdn).



Once you have the settings you’d like to use, scroll down and save your configuration settings. Then, open Services and restart the Snare service.


Then run the Disable Remote Access to Snare for Windows option and you’re done. Now, if you’re deploying Snare across a lot of hosts, you might find that scripting the config is faster. You can set the Destination hostname (here listed as meh) and Destination Port (here 514) directly in the registry (the Destination and DestPort values respectively, via regedit or reg.exe) and then restart the Snare service so it picks up the change.

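If you’d rather script the whole thing, here’s an added PowerShell example (mine, not part of the original post or of Snare itself) that sets the two values and restarts the agent. It assumes the agent keeps its network settings under the registry path below and that its Windows service is named Snare; check both against your build of the agent before rolling it out.

```powershell
# Added example: push the Snare syslog destination via the registry, then restart the agent.
# Assumptions (verify on your agent build): settings live under the path below and the
# service is called "Snare". Run elevated.
param(
    [string]$SyslogHost = 'logger',   # hostname, IP or FQDN of the syslog server
    [int]$SyslogPort    = 514
)

$SnareNet = 'HKLM:\SOFTWARE\InterSect Alliance\AuditService\Network'

if (-not (Test-Path $SnareNet)) {
    throw "Snare registry path not found: $SnareNet (is the agent installed?)"
}

# Record the current values so the change can be audited or reverted
$before = Get-ItemProperty -Path $SnareNet
"Before: Destination=$($before.Destination) DestPort=$($before.DestPort)"

# Destination is the syslog host (REG_SZ); DestPort is the port number (REG_DWORD)
Set-ItemProperty -Path $SnareNet -Name Destination -Value $SyslogHost -Type String
Set-ItemProperty -Path $SnareNet -Name DestPort    -Value $SyslogPort -Type DWord

# Snare only re-reads its configuration on restart
Restart-Service -Name Snare

# Confirm the values took and the service came back up
$after = Get-ItemProperty -Path $SnareNet
if ($after.Destination -ne $SyslogHost -or $after.DestPort -ne $SyslogPort) {
    throw 'Snare destination settings were not applied'
}
Get-Service -Name Snare | Select-Object Name, Status
```

Save it as a .ps1 and run it with -SyslogHost and -SyslogPort from your deployment tool; the final Get-Service line is the check that the agent actually restarted.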

I’ll do another article at some point on setting up a logstash server to dump all these logs into. Logstash can also parse the XML, so you can search on each attribute in the logs, and combined with elasticsearch/hadoop/Kibana it makes for an elegant interface for parsing through these things.

Active Directory Windows Server

Create a Forest Trusts In Active Directory

Trusts in Active Directory allow objects from one Domain or Forest to access objects in another Domain or Forest and allows administrators. To set up a trust:

  • Login with a user in the Domain Admins group if you are setting up a Domain trust or Enterprise Admins if you are setting up a Forest trust (if you cannot use an account in one of these groups, you can use an account in the Incoming Forest Trust Builders group)
  • Open Administrative Tools
  • Open Active Directory Domains and Trusts
  • Right-click the name of the domain
  • Click Properties
  • Click on the Trust tab
  • Click New Trust
  • Click Next
  • Click on the Trust Name page
  • Type the DNS or NetBIOS name of the forest you are connecting to
  • Click Next
  • Click on the Trust Type page
  • Click Forest trust
  • Click Next
  • Click on the Direction of Trust page
  • To create a two-way (transitive) forest trust, click Two-way or if you’d only like to share objects one-way, click One-way
  • If One-way, choose the direction of the trust
  • Click continue to complete the wizard

Once completed, click on the Trust tab to view the trust. Then open a group, go to add a member and click on the Location button. At this screen you should see your domain and then below it another that has an icon with three triangles, similar to the Hyrule logo in Zelda. In fact, a lot of Active Directory is similar to Zelda, such as where do I find that sword, where’s the shield, etc. Just without a princess…

Anyway, you can then limit who can access the trust using the Selective authentication options in the Outgoing Trust Properties page if needed.
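Once the trust exists, it’s worth checking what you actually created. Here’s an added PowerShell example (mine, not from the original post) that lists every trust on the domain and flags the forest trusts that aren’t using selective authentication, since without it any user in the trusted forest can authenticate to any resource in yours. It assumes the ActiveDirectory module (RSAT) is installed and only reads the trust objects.

```powershell
# Added example: review the trusts on the local domain. Read-only; assumes the
# ActiveDirectory module is available.
Import-Module ActiveDirectory

function Get-TrustReview {
    Get-ADTrust -Filter * | ForEach-Object {
        $warnings = @()

        # Forest trusts without selective authentication grant the "Authenticated Users"
        # level of access to everyone in the trusted forest.
        if ($_.ForestTransitive -and -not $_.SelectiveAuthentication) {
            $warnings += 'forest trust without selective authentication'
        }

        # Two-way trusts expose this side too; confirm the inbound direction is needed.
        if ($_.Direction -eq 'BiDirectional') {
            $warnings += 'two-way trust'
        }

        [pscustomobject]@{
            Name            = $_.Name
            TrustType       = $_.TrustType
            Direction       = $_.Direction
            ForestTrust     = $_.ForestTransitive
            Selective       = $_.SelectiveAuthentication
            TrustAttributes = $_.TrustAttributes   # raw flags, for deeper review
            Warnings        = ($warnings -join '; ')
        }
    }
}

Get-TrustReview | Format-Table -AutoSize
```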

Active Directory Mass Deployment Windows Server Windows XP

Change Active Directory Forest Mode With A Script

Changing the Forest Mode in Active Directory can be scripted. I find this useful when regression testing such tasks in a sandbox (e.g. restore image, automate login, change mode, run tests, etc). The script is very simple. First, you’ll import the ActiveDirectory module:

Import-Module -Name ActiveDirectory

Then you’ll check for the mode prior to running:

Get-ADForest | Format-Table ForestMode

Then you’ll change the forest and domain modes (one per line):

# Raise the domain level first: the forest level can never exceed the lowest domain level in the forest
Set-ADDomainMode -Identity "krypted.com" -DomainMode Windows2008Domain
Set-ADForestMode -Identity "krypted.com" -ForestMode Windows2008Forest

Then you’ll report the result:

Get-ADForest | Format-Table Name , ForestMode

The end result could be as simple as three lines if just testing:

Import-Module -Name ActiveDirectory
Set-ADDomainMode -Identity "krypted.com" -DomainMode Windows2008Domain
Set-ADForestMode -Identity "krypted.com" -ForestMode Windows2008Forest
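Raising a functional level is effectively one-way, so outside a sandbox I’d wrap those lines in a pre-flight check. Here’s an added PowerShell example (mine, not from the original post) that confirms no domain controller is too old for the target level, supports -WhatIf, and raises the domain before the forest. It assumes the ActiveDirectory module and a Domain Admins/Enterprise Admins session; krypted.com is the article’s placeholder domain.

```powershell
# Added example: functional level raise with a pre-flight check and -WhatIf support.
# Assumes the ActiveDirectory module; krypted.com is a placeholder.
Import-Module ActiveDirectory

function Update-FunctionalLevel {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Domain     = 'krypted.com',
        [string]$DomainMode = 'Windows2008Domain',
        [string]$ForestMode = 'Windows2008Forest'
    )

    $forest = Get-ADForest -Identity $Domain
    $current = (Get-ADDomain -Identity $Domain).DomainMode
    Write-Verbose "Current levels: domain=$current forest=$($forest.ForestMode)"

    # A DC running an OS older than the target level will block the raise; for a
    # Windows2008 target that means any remaining Windows Server 2003 DC.
    $old = Get-ADDomainController -Filter * -Server $Domain |
        Where-Object { $_.OperatingSystem -match 'Windows Server 2003' }
    if ($old) {
        throw "Cannot raise to $DomainMode; these DCs are too old: $($old.HostName -join ', ')"
    }

    # Domain level first: the forest level cannot exceed its lowest domain level
    if ($PSCmdlet.ShouldProcess($Domain, "raise domain mode to $DomainMode")) {
        Set-ADDomainMode -Identity $Domain -DomainMode $DomainMode -Confirm:$false
    }
    if ($PSCmdlet.ShouldProcess($forest.Name, "raise forest mode to $ForestMode")) {
        Set-ADForestMode -Identity $forest.Name -ForestMode $ForestMode -Confirm:$false
    }

    Get-ADForest -Identity $Domain | Format-Table Name, ForestMode
}

# Preview first; drop -WhatIf to run it for real
Update-FunctionalLevel -Domain 'krypted.com' -WhatIf
```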

Active Directory Windows Server

Ask PowerShell Who Hasn’t Changed Their Active Directory Passwords

You can use PowerShell to pretty much get anything you want out of Active Directory. Let’s say you want to see when the last time a user changed their password was. You can use the Get-ADUser cmdlet to obtain any attribute for a user in the Active Directory schema. To use Get-ADUser, you’ll need to define a scope. In this example, we’ll do so using the -Filter option and filter for everyone, using an *. That could be a lot of data, so we’re also going to ask for the property, or attribute, PasswordLastSet using the -Properties option:

Get-ADUser -Filter * -Properties PasswordLastSet

We can then add a little more logic and pipe the output to a conditional statement that just looks at who hasn’t ever changed their password.

Get-ADUser -Filter * -Properties PasswordLastSet | Where-Object { $_.PasswordLastSet -eq $null }

A more common task is to look for passwords older than 90 days, storing “(get-date).adddays(-90)” in a variable that we then use in our filter. We don’t want to display disabled users, so we could do something like this (note the curly brackets allow us to compound the search):

$90days = (Get-Date).AddDays(-90)
Get-ADUser -Filter {(PasswordLastSet -le $90days) -and (Enabled -eq $True)} -Properties PasswordLastSet
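To turn that into something you can hand to a manager, here’s an added PowerShell example (mine, not from the original post) that folds both queries into one function: enabled accounts whose password is older than a threshold or has never been set, with the password age, the PasswordNeverExpires flag (which explains a lot of the stale ones) and the last logon. It assumes the ActiveDirectory module and an account that can read user objects; it changes nothing.

```powershell
# Added example: stale-password report. Read-only; assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-StalePasswordReport {
    param([int]$MaxAgeDays = 90)

    $now    = Get-Date
    $cutoff = $now.AddDays(-$MaxAgeDays)

    # Enabled accounts only; PasswordLastSet is $null when the password was never set
    Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate |
        Where-Object { $null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff } |
        ForEach-Object {
            $age = if ($_.PasswordLastSet) { [int]($now - $_.PasswordLastSet).TotalDays } else { $null }
            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                PasswordLastSet      = $_.PasswordLastSet      # $null = never set
                PasswordAgeDays      = $age
                PasswordNeverExpires = $_.PasswordNeverExpires # usually why it is stale
                LastLogonDate        = $_.LastLogonDate        # stale and unused: disable candidate
            }
        } |
        Sort-Object PasswordLastSet
}

# 90 days is the article's threshold; write the result out for review
Get-StalePasswordReport -MaxAgeDays 90 |
    Export-Csv -Path .\stale-passwords.csv -NoTypeInformation
```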

Microsoft Exchange Server Windows Server

Script to Create Exchange Mailboxes for Active Directory Users Based On OU

Here’s a little powershell script to enable mailboxes based on an OU and put their new mailbox into a given database. To customize, change OU=ORGANIZATIONALUNIT,DC=companyname,DC=com to the DN for the OU you are configuring. Also, change DATABASENAME to the name of the information store that you’d like to use for the mailboxes in that OU.

# Enable-Mailbox is an Exchange cmdlet, so run this from the Exchange Management Shell
Import-Module ActiveDirectory

# Every user object under the OU (replace the DN with the OU you are configuring)
$OUusers = Get-ADUser -LDAPFilter '(name=*)' -SearchBase 'OU=ORGANIZATIONALUNIT,DC=companyname,DC=com'
foreach ($user in $OUusers) {
    # Create the mailbox in the named information store (replace DATABASENAME)
    Enable-Mailbox -Identity $user.SamAccountName -Database 'DATABASENAME'
}

Active Directory Windows Server

Obtain UPN from PowerShell

A UserPrincipalName (or UPN) is an attribute that contains an Internet-style login name for a user based on the Internet standard RFC 822. The UPN is used for a lot of different tasks, notably for Kerberos/Single Sign-On. As such, there are a lot of scripts that can now key off of a UPN.

You can use the Get-ADUser cmdlet to query accounts for the UserPrincipalName attribute. To do so, we’re going to -Filter our results to display everyone (although we could include a username to only get one user) and then define the Search Base (using -SearchBase) to refine where in the directory the search will begin. Use the -Properties parameter followed by the userPrincipalName attribute (or whatever attribute you might be curious to query). I specify the SearchBase of the organizational unit (OU), and I use the * filter. This is shown here:

Get-ADUser -Filter * -SearchBase 'ou=Users,dc=krypted,dc=com' -Properties userPrincipalName

Overall, we’re specifically looking at userPrincipalName, but we could just as well be looking for other attributes, such as primaryGroupID, proxyAddress, pwdLastSet, sn (although we’re likely feeding sn to the command by swapping it out with the *), streetAddress, sAMAccountName, etc.

Active Directory Windows Server

Setting Up Active Directory In Windows Server 2012

Installing Active Directory services is arguably one of the first things done on many a Windows Server. And for well over a decade you could unbox, update, run dcpromo and be done with much of that. While the wizards are still there, in the case of Windows Server 2012, the process has changed ever-so-slightly. To install a domain controller in Windows Server 2012, start with Server Manager. This new tool is the place where you start many a process in a Windows Server now, and Active Directory is no different.

To get started, first open Server Manager.


From Server Manager, click on the Manage menu and select Add Roles and Features. At the Before you begin screen in the Add Roles and Features Wizard, click on Next.


At the Installation Type screen, choose Role-based or feature-based installation and click Next.


At the Server Selection screen, choose the server you’d like to install the Active Directory role on and then click Next. If you only have one server then you should only have one listing here.


There are a number of Roles a domain controller can have. For many environments, a simple Domain Services role will be sufficient, especially on the first 2012 server in the environment. To select this, at the Server Roles screen, choose Active Directory Domain Services and then click on Next.


A sanity check will run to verify all the required Features and other Roles are installed. If not, you’ll be presented with a list of items that will be installed in support of the Role being deployed. Click Add Features for most environments, unless you have the tools to manage the Role installed elsewhere.


Back at the Server Roles screen, click Next, unless you’d like to install other Roles as well.


At the Features screen, click Next, unless you’d like to install other features as well.


At the AD DS screen, click Next.


At the Confirmation screen, click Install. You can also tell the server to restart automatically here, so do that as well.


Once the installation is complete, you’ll see a yellow icon indicating that something needs to happen with the server. The menu that appears contains a link to promote the server to a domain controller. Click the link to bring up the Deployment Configuration wizard.


At the Deployment Configuration screen of the wizard you can choose whether to add the domain controller to an existing domain or create a new forest. In this case, we’ll select the “Add a new forest” option. When highlighted, you will be able to provide a name for the domain. Here we use krypted.com. Once the name is provided, click Next.


At the Domain Controller Options screen, choose whether the server will be an AD Integrated DNS Server, a Global Catalog server, possibly a read-only domain controller, and provide a Directory Services Restore Mode (DSRM) password used to restore the environment in case it fails. Also, choose the functional level of both the domain and forest. Because this is a new environment with no 2003 to 2008 servers we will leave the levels set to Windows Server 2012. Click Next when you’re satisfied with your entries.


If you decided to enable DNS, you will have the option to also install DNS delegation which you should do if possible, in most environments. Click Next.


At the Additional Options screen, provide a NetBIOS name. This is usually an 8-character-or-less rendition of the same domain name, often used in legacy tools or prepended to usernames and passwords when namespace collisions occur with account names. When you’ve provided the name, click Next.


At the Paths screen, indicate where you want the directories that contain the Active Directory files stored. Most environments can leave these to the default settings and click Next.


At the Review Options screen, click Next provided that all of the options match the information you provided/desire.


At the Installation screen, click Install and watch the Progress (takes a minute or three usually to complete).


Once completed, open the Tools menu in Server Manager to see the tools formerly available in the Administrative Tools section of the Start menu, including Active Directory Domains and Trusts, the Active Directory Module for Windows PowerShell, Active Directory Sites and Services and Active Directory Users and Computers, which mostly look like they’ve looked for a long time (but with a pretty blue frame around the screen).


Additionally, there’s an Active Directory Administrative Center, which provides quick and easy access to a number of features from other tools and allows you to change domain controllers, raise the domain/forest functional levels (useful when upgrading from previous incantations of Active Directory), etc.

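The wizard is fine for the first server, but the same build is two cmdlets in PowerShell. Here’s an added example (mine, not from the original post) that installs the role and promotes the server to a new forest with the same answers we gave the wizard above; krypted.com and KRYPTED are placeholders, and the DSRM password is prompted for rather than written into the script. It assumes a fresh Windows Server 2012 box and an elevated PowerShell session.

```powershell
# Added example: new forest, scripted. Assumes Windows Server 2012, elevated session.
# krypted.com / KRYPTED are placeholders from the article.
Import-Module ServerManager

# 1. The "Add Roles and Features" step: the AD DS role plus its management tools
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. The promotion wizard; parameters map to its pages (Deployment Configuration,
#    Domain Controller Options, DNS Options, Additional Options, Paths)
Import-Module ADDSDeployment
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

$params = @{
    DomainName                    = 'krypted.com'
    DomainNetbiosName             = 'KRYPTED'
    ForestMode                    = 'Win2012'    # functional levels, as chosen in the wizard
    DomainMode                    = 'Win2012'
    InstallDns                    = $true
    CreateDnsDelegation           = $false       # a brand-new forest has no parent zone to delegate from
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrm
    Force                         = $true        # suppress the confirmation prompts
}

# Dry run: the same prerequisite checks the wizard's Prerequisites Check page runs
Test-ADDSForestInstallation @params | Format-List

# Real run; the server reboots as a domain controller when it finishes
Install-ADDSForest @params
```

Keep the DSRM password somewhere you can actually find it in an outage; it is the only way back into the directory database if the domain won’t start.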

Windows Server

Adding Roles In Windows Server 2012

Out of the box a Windows Server 2012 isn’t really that helpful. But luckily, it has these things called Roles. Roles are things like Hyper-V, File Sharing, Windows Update Services, Web Server, etc. Each role then has a collection of services that it can run as well, within the Role. Roles include (borrowing from Microsoft here):

  • Active Directory Certificate Services Overview
    This content provides an overview of Active Directory Certificate Services (AD CS) in Windows Server 2012. AD CS is the server role that allows you to build a public key infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities for your organization.
  • Active Directory Domain Services Overview
    By using the Active Directory Domain Services (AD DS) server role, you can create a scalable, secure, and manageable infrastructure for user and resource management, and provide support for directory-enabled applications such as Microsoft Exchange Server.
  • Active Directory Federation Services Overview
    This topic provides an overview of Active Directory Federation Services (AD FS) in Windows Server 2012.
  • Active Directory Lightweight Directory Services Overview
    Active Directory Lightweight Directory Services (AD LDS) is a Lightweight Directory Access Protocol (LDAP) directory service that provides flexible support for directory-enabled applications, without the dependencies and domain-related restrictions of AD DS.
  • Active Directory Rights Management Services Overview
    This document provides an overview of Active Directory Rights Management Services (AD RMS) in Windows Server 2012. AD RMS is the server role that provides you with management and development tools that work with industry security technologies—including encryption, certificates, and authentication—to help organizations create reliable information protection solutions.
  • Application Server Overview
    Application Server provides an integrated environment for deploying and running custom, server-based business applications.
  • Failover Clustering Overview
    This topic describes the Failover Clustering feature and provides links to additional guidance about creating, configuring, and managing failover clusters on up to 4,000 virtual machines or up to 64 physical nodes.
  • File and Storage Services Overview
    This topic discusses the File and Storage Services server role in Windows Server 2012, including what’s new, a list of role services, and where to find evaluation and deployment information.
  • Group Policy Overview
    This topic describes the Group Policy feature in Windows Server 2012 and Windows 8. Use this topic to find the documentation resources and other technical information you need to accomplish key Group Policy tasks, new or updated functionality in this version compared to previous versions of Group Policy, and ways to automate common Group Policy tasks using Windows PowerShell.
  • Hyper-V Overview
    This topic describes the Hyper-V role in Windows Server 2012—practical uses for the role, the most significant new or updated functionality in this version compared to previous versions of Hyper-V, hardware requirements, and a list of operating systems (known as guest operating systems) supported for use in a Hyper-V virtual machine.
  • Networking Overview
    This section contains detailed information about networking products and features for the IT professional to design, deploy, and maintain Windows Server 2012.
  • Network Load Balancing Overview
    By managing two or more servers as a single virtual cluster, Network Load Balancing (NLB) enhances the availability and scalability of Internet server applications such as those used on web, FTP, firewall, proxy, virtual private network (VPN), and other mission-critical servers. This topic describes the NLB feature and provides links to additional guidance about creating, configuring, and managing NLB clusters.
  • Network Policy and Access Services Overview
    This topic provides an overview of Network Policy and Access Services in Windows Server 2012, including the specific role services of Network Policy Server (NPS), Health Registration Authority (HRA), and Host Credential Authorization Protocol (HCAP). Use the Network Policy and Access Services server role to deploy and configure Network Access Protection (NAP), secure wired and wireless access points, and RADIUS servers and proxies.
  • Print and Document Services Overview
    This is an overview of Print and Document Services, including Print Server, Distributed Scan Server, and Fax Server in Windows Server 2012.
  • Remote Desktop Services Overview
    Remote Desktop Services accelerates and extends desktop and application deployments to any device, improving remote worker efficiency, while helping to keep critical intellectual property secure and simplify regulatory compliance. Remote Desktop Services enables both a virtual desktop infrastructure (VDI) and session-based desktops, allowing users to work anywhere.
  • Security and Protection Overview
    The table on this page provides links to available information for the IT pro about security technologies and features for Windows Server 2012 and Windows 8.
  • Telemetry Overview
    Find out about Windows Feedback Forwarder—a service that enables you to automatically send feedback to Microsoft by deploying a Group Policy setting to one or more organizational units. Windows Feedback Forwarder is available on all editions of Windows Server 2012.
  • Volume Activation Overview
    This technical overview for the IT pro describes the volume activation technologies in Windows Server 2012 and how your organization can benefit from using these technologies to deploy and manage volume licenses for a medium to large number of computers.
  • Web Server (IIS) Overview
    This document introduces the Web Server (IIS) role of Windows Server 2012, describes new IIS 8 features, and links to additional Microsoft and community information about IIS.
  • Windows Deployment Services Overview
    Windows Deployment Services enables you to deploy Windows operating systems over the network, which means that you do not have to install each operating system directly from a CD or DVD.
  • Windows Server Backup Feature Overview
    This section provides an overview of the Windows Server Backup feature and lists the new features in Windows Server 2012.
  • Windows Server Update Services Overview
    Windows Server Update Services (WSUS) enables information technology administrators to deploy the latest Microsoft product updates. By using WSUS, administrators can fully manage the distribution of updates that are released through Microsoft Update to computers in their network. In Windows Server 2012, this feature is integrated with the operating system as a server role. This topic provides an overview of this server role and more information about how to deploy and maintain WSUS.
  • Windows System Resource Manager Overview
    With Windows System Resource Manager for the Windows Server 2012 operating system, you can manage server processor and memory usage with standard or custom resource policies. Managing your resources can help ensure that all the services provided by a single server are available on an equal basis or that your resources will always be available to high-priority applications, services, or users.

Adding a Role is a pretty straightforward process. To get started, open Server Manager and click on the Dashboard. From the Dashboard, click on the Manage menu and click on Add Roles and Features.


At the Add Roles and Features Wizard click on Next at the Before You Begin Screen.


At the Installation Type screen, click on Role-based or Feature-based Installation, unless you are installing Remote Desktop Services (formerly called Terminal Services), then click on that radio button instead.


At the Server Selection screen, click on the server you’d like to install the role on and then click on Next.


At the Add Roles or Features screen, choose the role you’d like to install.


If there are any requirements to use the service, you’ll then be notified that those requirements exist. I usually leave the Include management tools (if applicable) box checked the first time I install a role and click on Add Features.


If any issues are encountered, you’ll then be alerted that there was a problem. If you’d like to correct the issue, click cancel, correct the issue and then rerun the tool. Or if you’d like to proceed anyway, click Continue.


Back at the Server Roles screen, the box will then be checked. Click on Next. At the Features screen, you can add a feature, although in this case we won’t be doing so. Then, click Next.


At the screen for the role you just selected, read the information, then click Next.


At the Confirmation screen, click Install. Optionally, you can also choose whether to reboot the server when the service is finished installing.


Once installed, click Close. Also, at this screen, you can export the configuration settings for the service for future use.

That’s it. You’ve now installed DNS services in Windows Server (or whatever service you are setting up). The services still need to be configured, but the initial install should now be complete!
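That export link on the last screen is more useful than it looks: the XML it writes can be replayed with Install-WindowsFeature, so the next server gets exactly the same roles without the clicking. Here’s an added PowerShell example (mine, not from the original post) that previews, applies and verifies such a file. It assumes you saved the export as C:\Build\DeploymentConfigTemplate.xml (a placeholder path) and are running elevated.

```powershell
# Added example: replay the wizard's exported role configuration on another server.
# Assumes an elevated session; the XML path is a placeholder.
Import-Module ServerManager

$config = 'C:\Build\DeploymentConfigTemplate.xml'
if (-not (Test-Path $config)) { throw "Missing role configuration file: $config" }

# Preview what the file would install before touching the server
Install-WindowsFeature -ConfigurationFilePath $config -WhatIf

# Install; -Restart reboots only if one of the selected roles requires it
$result = Install-WindowsFeature -ConfigurationFilePath $config -Restart
$result | Format-List Success, RestartNeeded, ExitCode, FeatureResult

# Verify the end state: the roles now installed on this server
Get-WindowsFeature |
    Where-Object { $_.FeatureType -eq 'Role' -and $_.InstallState -eq 'Installed' } |
    Select-Object Name, DisplayName
```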

Active Directory Mac OS X Mac OS X Server Windows Server

Configuring Windows 2008 As An NTP Server

When you’re configuring a Mac to leverage an existing Windows infrastructure, having the clocks in sync is an important task. Luckily, Windows Server has been able to act as an NTP server for a long time. In this article, we’ll look at configuring Server 2008 R2 to be an NTP server for Mac and Linux clients.

Note: Before you get started, or any time you’re hacking around in the registry, make sure to do a backup of your registry/SystemState!

To enable NTP on Windows Server, open your favorite registry editor and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer. From here, create a DWORD value called Enabled with a value of 00000001.

The NTP Server should look upstream at another NTP host. To configure this, go ahead and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient and create Enabled as a DWORD with a value of 00000001 and SpecialPollInterval as a DWORD with a value of 300 seconds (0x12c in hex):

"Enabled"=dword:00000001
"SpecialPollInterval"=dword:0000012c

NTP would then need a source, so let’s go ahead and create that in the registry as well. To set that up, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters and then set the Type value to contain NTP, the Period value to contain freq and the NtpServer value to contain the IP address of the upstream server followed by ,0x1, as follows (assuming an IP of 10.0.0.8 for the upstream NTP server):

"NtpServer"="10.0.0.8,0x1"
"Type"="NTP"
"Period"="freq"

The w32tm service doesn’t start unless your system is on a domain (and should be restarted if the system is already running as a DC). To start the service automatically (if needed), use the sc command:

sc triggerinfo w32time start/networkon stop/networkoff

Windows systems can also use an NTP server. To configure the NTP client, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient and create Enabled as a DWORD with a value of 00000001 and SpecialPollInterval as a DWORD with a value of 300 seconds (0x12c in hex):

"Enabled"=dword:00000001
"SpecialPollInterval"=dword:0000012c

Finally, you can invoke the w32tm service directly to query peers and verify that no skew has occurred with the clocks:

w32tm /query /peers
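If you’d rather not hand-edit the registry on every box, here’s an added PowerShell example (mine, not from the original post) that sets the Enabled, SpecialPollInterval, Type and NtpServer values described above, tells the time service to reload, and then checks that it is really syncing from the upstream host rather than its own CMOS clock. It assumes an elevated session and keeps the article’s placeholder upstream of 10.0.0.8.

```powershell
# Added example: script the W32Time registry settings from the article and verify them.
# Assumes an elevated session; 10.0.0.8 is the article's placeholder upstream server.
$Upstream = '10.0.0.8,0x1'   # 0x1 = SpecialInterval flag: poll at SpecialPollInterval
$W32Time  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# Act as an NTP server for the Macs and Linux boxes
Set-ItemProperty -Path "$W32Time\TimeProviders\NtpServer" -Name Enabled -Value 1 -Type DWord

# Sync from the upstream source every 300 seconds
Set-ItemProperty -Path "$W32Time\TimeProviders\NtpClient" -Name Enabled             -Value 1   -Type DWord
Set-ItemProperty -Path "$W32Time\TimeProviders\NtpClient" -Name SpecialPollInterval -Value 300 -Type DWord

# Use the configured peer list instead of the domain hierarchy
Set-ItemProperty -Path "$W32Time\Parameters" -Name Type      -Value 'NTP'     -Type String
Set-ItemProperty -Path "$W32Time\Parameters" -Name NtpServer -Value $Upstream -Type String

# Make w32time re-read its configuration, then restart it
w32tm /config /update
Restart-Service -Name w32time

# Verify: the source must be the upstream host, not "Local CMOS Clock" or
# "Free-running System Clock", and the status should show a small phase offset
w32tm /query /source
w32tm /query /status
w32tm /query /peers

# Measure the offset against the upstream directly; drift of minutes breaks Kerberos
w32tm /stripchart /computer:10.0.0.8 /samples:3 /dataonly
```

The last command is the one I run on a new domain controller before joining anything to it: if the offset is more than a few seconds, fix the clock before you fix anything else.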

Voilà, you’ve now achieved what could be done using a checkbox on an OS X Server. Hope you’ve enjoyed noodling around in the registry!