Want to set up 802.1X and RADIUS for your wireless network, do ya?

Got to big up FAT OF THE LAN for this one.

When prompted for which type of Certificate Authority to install, choose “Enterprise”.

When prompted for CA Type, select “Root CA” and click “Next”.

When prompted to Set Up Private Key select “Create a new private key” and click “Next”.

When prompted to Configure Cryptography for CA, accept the defaults and click “Next” for the rest of the confirmation screens.

Request Certificates (optional)

Now that we have our Certificate Authority (CA) up and running we may want to request a certificate for our Authentication Server.

We’ll create a Microsoft Management Console (MMC) that will allow us to request and install the certificate for our server. Press the “Start” button and enter “MMC” in the command field to open the MMC. Next we’ll add the Certificate (For Local Computer) snap-in by clicking “File” and choosing “Add/Remove Snap-in”. Select “Certificates” and click “Add”.

Now be sure to select “Computer Account” and click “Next”.

Choose “Local Computer”, click “Finish” and “OK”.

TIP: While you’re here you might as well add the “Certificate Authority” snap-in and save this MMC to your desktop because you’ll need it again in the future.

To request a certificate for your server (if you don’t want to use the default certificate) expand “Certificates (Local Computer Account)”, “Personal”, and right-click “Certificates” and select “All Tasks”, “Request New Certificate…”

Click through the Enrollment screens choosing the settings you desire for your certificate.

Installing Network Policy and Access Services

In Windows 2008 Server you can no longer just install the Internet Authentication Service (IAS) and have RADIUS functionality. You must now install Network Policy and Access Services, which includes everything from earlier versions of Windows Server, such as RRAS and IAS, and now also includes NAP (think NAC for Windows). We will be installing and configuring just enough to enable PEAP and RADIUS functionality with our Aruba controller. So once again head to the Server Manager and “Add a Role”, selecting “Network Policy and Access Services”, and click through the confirmation screen.

Select “Network Policy Server”, “Routing and Remote Access Services”, “Remote Access Service” and “Routing”. Click “Next”, click through the confirmation screen and click “Install”.

Installation will take a couple of minutes and present you with an install summary. Just click “Close”.

Now that NPS is installed, press the “Start” button and enter “nps.msc” in the command field. The NPS MMC should open up allowing you to select the “RADIUS server for 802.1X Wireless or Wired Connections” Installation Wizard from the “Standard Configuration” pull-down menu and click “Configure 802.1X”.

From the “Select 802.1X Connections Type” page, select “Secure Wireless Connections” and click “Next”.

From the “Specify 802.1X Switches” screen click “Add…” and enter the settings for your Aruba controller and press “OK”.

For the “Configure an Authentication Method” screen select “Microsoft Smart Card or other certificate” for EAP-TLS or “Microsoft Protected EAP (PEAP)” for PEAP. I will select PEAP for this example; then click “Configure…”

Select the appropriate certificate to use for this server. In this case we’ll use the “WLAN-DC.wlan.net” certificate and click “OK”.

For the “Specify User Groups” screen select the users and/or groups you would like to allow wireless access. For this example I am allowing all of my domain users by selecting the “Domain Users” group. If I want to enforce Machine Authentication I need to add the “Domain Computers” group and also check the “Enforce Machine Auth” option in the dot1x policy on my Aruba controller. Click “Next” to continue.

Note: Groups listed here are considered as an OR statement.

For the next screen you can click “Next” and “Finish” or click “Configure…” to add RADIUS attributes for Server Derivation rules.

For example, you may want to map the “Domain Users” to the “employee_role” on your Aruba controller. You could do that here with the “Filter-Id” attribute.

Note: There seems to be a bug in Windows: if you mess with these attributes too much, the “Filter-Id” attribute vanishes. If this happens, cancel out of the wizard and start over.

Press “Next” and “Finish” to complete the wizard. This should now allow you to authenticate users against your Windows 2008 Server.
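
To confirm that NPS really returns the “Filter-Id” you configured, you can inspect a captured Access-Accept. The following is an added example, not part of the original walkthrough: it checks the RADIUS Response Authenticator against the shared secret and then extracts Filter-Id (attribute 11 in RFC 2865). The secret, request authenticator and packet are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RADIUS packet code, RFC 2865
FILTER_ID = 11     # Filter-Id attribute type, RFC 2865


def build_accept(ident, request_auth, secret, attrs):
    """Build an Access-Accept as a RADIUS server would (used for sample data)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    digest = hashlib.md5(header + request_auth + body + secret).digest()
    return header + digest + body


def filter_ids(packet, request_auth, secret):
    """Verify the Response Authenticator, then return every Filter-Id value."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    packet = packet[:length]  # bytes past Length are padding
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator (wrong secret or tampering)")
    found, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute length")
        if a_type == FILTER_ID:
            found.append(packet[pos + 2:pos + a_len].decode("ascii", "replace"))
        pos += a_len
    return found


# Constructed sample: values are illustrative, not from a real capture.
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))
SAMPLE = build_accept(7, REQ_AUTH, SECRET, [(FILTER_ID, b"employee_role")])

if __name__ == "__main__":
    print(filter_ids(SAMPLE, REQ_AUTH, SECRET))
```

A failed authenticator check usually means the shared secret on the controller and the one entered in the NPS RADIUS client entry do not match.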


Active Directory Replication Issues fixed

So, for the past few months I have been having major Active Directory Replication issues. Here are a few:

1. Trying to UNC to servers in other sites. I kept getting a login failure error. It worked with the IP address. Very strange.

2. When connecting to the primary site (Exchange host) users could not authenticate. They had to connect via OWA.

3. Trying to connect to SharePoint from Doha. Users were redirected to the Dubai domain controller twice and then the connection would fail.

I first thought this was an issue with the PDC. So I moved all the FSMO roles from my DC in Dubai to Doha. This didn't help.


1. net stop KDC

2. netdom resetpwd /server:server_name /userd:domain_name\administrator /passwordd:administrator_password

3. net start KDC

Other commands used:

repadmin /syncall

repadmin /showreps


Ref: http://www.windowstricks.in/2011/07/target-principal-name-is-incorrect.html

Delete Failed DCs from Active Directory

How can I delete a failed Domain Controller object from Active Directory?

When you try to remove a domain controller from your Active Directory domain by using Dcpromo.exe and fail, or when you began to promote a member server to be a Domain Controller and failed (the reasons for your failure are not important for the scope of this article), you will be left with remnants of the DC's object in Active Directory. As part of a successful demotion process, the Dcpromo wizard removes the configuration data for the domain controller from Active Directory, but as noted above, a failed Dcpromo attempt might leave these objects in place.

The effects of leaving such remnants inside Active Directory may vary, but one thing is sure: whenever you try to re-install the server with the same computer name and promote it to become a Domain Controller, you will fail, because the Dcpromo process will still find the old object and will therefore refuse to re-create the objects for the new-old server.

In the event that the NTDS Settings object is not removed correctly you can use the Ntdsutil.exe utility to manually remove the NTDS Settings object.

If you give the new domain controller the same name as the failed computer, then you need to perform only the first procedure to clean up metadata, which removes the NTDS Settings object of the failed domain controller. If you will give the new domain controller a different name, then you need to perform all three procedures: clean up metadata, remove the failed server object from the site, and remove the computer object from the domain controllers container.

You will need the following tools: Ntdsutil.exe, Active Directory Sites and Services, Active Directory Users and Computers.

Also, make sure that you use an account that is a member of the Enterprise Admins universal group.

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

To clean up metadata

  1. At the command line, type Ntdsutil and press Enter.
  2. At the Ntdsutil: prompt, type metadata cleanup and press Enter.
ntdsutil: metadata cleanup
metadata cleanup:
  3. At the metadata cleanup: prompt, type connections and press Enter.
metadata cleanup: connections
server connections:
  4. At the server connections: prompt, type connect to server <servername>, where <servername> is the domain controller (any functional domain controller in the same domain) from which you plan to clean up the metadata of the failed domain controller. Press Enter.
server connections: connect to server server100
Binding to server100 ...
Connected to server100 using credentials of locally logged on user.
server connections:

Note: Windows Server 2003 Service Pack 1 eliminates the need for the above step.

  5. Type quit and press Enter to return to the metadata cleanup: prompt.
server connections: q
metadata cleanup:
  6. Type select operation target and press Enter.
metadata cleanup: Select operation target
select operation target:
  7. Type list domains and press Enter. This lists all domains in the forest with a number associated with each.
select operation target: list domains
Found 1 domain(s)
0 - DC=dpetri,DC=net
select operation target:
  8. Type select domain <number>, where <number> is the number corresponding to the domain in which the failed server was located. Press Enter.
select operation target: Select domain 0
No current site
Domain - DC=dpetri,DC=net
No current server
No current Naming Context
select operation target:
  9. Type list sites and press Enter.
select operation target: List sites
Found 1 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
select operation target:
  10. Type select site <number>, where <number> refers to the number of the site in which the domain controller was a member. Press Enter.
select operation target: Select site 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - DC=dpetri,DC=net
No current server
No current Naming Context
select operation target:
  11. Type list servers in site and press Enter. This will list all servers in that site with a corresponding number.
select operation target: List servers in site
Found 2 server(s)
0 - CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
1 - CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
select operation target:
  12. Type select server <number> and press Enter, where <number> refers to the domain controller to be removed.
select operation target: Select server 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - DC=dpetri,DC=net
Server - CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
 DSA object - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
 DNS host name - server200.dpetri.net
 Computer object - CN=SERVER200,OU=Domain Controllers,DC=dpetri,DC=net
No current Naming Context
select operation target:
  13. Type quit and press Enter. The Metadata cleanup menu is displayed.
select operation target: q
metadata cleanup:
  14. Type remove selected server and press Enter.

You will receive a warning message. Read it, and if you agree, press Yes.

metadata cleanup: Remove selected server
"CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net" removed from server "server100"
metadata cleanup:

At this point, Active Directory confirms that the domain controller was removed successfully. If you receive an error that the object could not be found, Active Directory might have already been removed from the domain controller.

  15. Type quit, and press Enter until you return to the command prompt.

To remove the failed server object from the sites

  1. In Active Directory Sites and Services, expand the appropriate site.
  2. Delete the server object associated with the failed domain controller.

To remove the failed server object from the domain controllers container

  1. In Active Directory Users and Computers, expand the domain controllers container.
  2. Delete the computer object associated with the failed domain controller.

  3. Windows Server 2003 AD might display a new type of question window, asking you if you want to delete the server object without performing a DCPROMO operation (which, of course, you cannot perform, otherwise you wouldn’t be reading this article, would you…) Select “This DC is permanently offline…” and click on the Delete button.

  4. AD will display another confirmation window. If you’re sure that you want to delete the failed object, click Yes.

To remove the failed server object from DNS

  1. In the DNS snap-in, expand the zone that is related to the domain from where the server has been removed.
  2. Remove the CNAME record in the _msdcs.root domain of forest zone in DNS. You should also delete the HOSTNAME and other DNS records.

  3. If you have reverse lookup zones, also remove the server from these zones.
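
To check that nothing was missed in the DNS steps above, the added example below (not part of the original article) scans a zone listing for records that still reference the removed DC. It matches on the DC's IP address as well as its name, because a DC also registers A records under other owner names such as the domain itself, and a name-only search does not find those. The simplified "owner TYPE rdata" listing, the IP addresses and the GUID are constructed; the host names are reused from the ntdsutil session above.

```python
TARGET_TYPES = {"CNAME", "NS", "SRV", "PTR"}  # rdata ends with a host name


def _norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


def stale_records(zone_text, dc_fqdn, dc_ip):
    """Return (owner, type, value) for records still pointing at the removed DC."""
    stale = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(";"):
            continue  # skip blanks, comments and incomplete lines
        owner, rtype, rdata = fields[0], fields[1].upper(), fields[2:]
        if rtype == "A" and rdata[0] == dc_ip:
            # Catches the host record and same-IP records under other names.
            stale.append((_norm(owner), rtype, rdata[0]))
        elif rtype in TARGET_TYPES and _norm(rdata[-1]) == _norm(dc_fqdn):
            stale.append((_norm(owner), rtype, _norm(rdata[-1])))
    return stale


# Constructed listing: server200 was removed, server100 is still a live DC.
ZONE_DUMP = """\
; constructed sample records
dpetri.net. A 192.0.2.10
dpetri.net. A 192.0.2.20
dpetri.net. NS server200.dpetri.net.
server100.dpetri.net. A 192.0.2.10
server200.dpetri.net. A 192.0.2.20
11111111-2222-3333-4444-555555555555._msdcs.dpetri.net. CNAME server200.dpetri.net.
_ldap._tcp.dc._msdcs.dpetri.net. SRV 0 100 389 server100.dpetri.net.
_ldap._tcp.dc._msdcs.dpetri.net. SRV 0 100 389 server200.dpetri.net.
_kerberos._tcp.dpetri.net. SRV 0 100 88 server200.dpetri.net.
20.2.0.192.in-addr.arpa. PTR server200.dpetri.net.
"""

if __name__ == "__main__":
    for record in stale_records(ZONE_DUMP, "server200.dpetri.net", "192.0.2.20"):
        print(record)
```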

Other considerations

Also, consider the following:

  • If the removed domain controller was a global catalog server, evaluate whether application servers that pointed to the offline global catalog server must be pointed to a live global catalog server.
  • If the removed DC was a global catalog server, evaluate whether an additional global catalog must be promoted to handle the site, domain, or forest global catalog load.
  • If the removed DC was a Flexible Single Master Operation (FSMO) role holder, relocate those roles to a live DC.
  • If the removed DC was a DNS server, update the DNS client configuration on all member workstations, member servers, and other DCs that might have used this DNS server for name resolution. If it is required, modify the DHCP scope to reflect the removal of the DNS server.
  • If the removed DC was a DNS server, update the Forwarder settings and the Delegation settings on any other DNS servers that might have pointed to the removed DC for name resolution.


Delete extinct server metadata; Windows Server 2003, Enterprise Edition

How to remove data in Active Directory after an unsuccessful domain controller demotion – 216498