Categories
Windows

LDAP over SSL (LDAPS) for Domain Controller

Each Domain Controller has Lightweight Directory Access Protocol (LDAP, port 389) open for authentication by 3rd party applications/systems such as firewall/VPN appliances. Plain LDAP is insecure because the data is sent in clear text. Therefore, we need LDAPS (LDAP over SSL) to encrypt and secure the communication. The default port for LDAPS is 636.

If your Active Directory is installed with an Enterprise CA, then most likely all the domain controllers already have a digital certificate and LDAPS activated automatically. Below are the steps to request the digital certificate for the domain controller from a Microsoft Stand-alone CA; LDAPS will then be activated automatically.

1. Make sure you have at least one Microsoft Stand-alone CA installed in your organization

2. On the domain controller that needs LDAPS, create a certificate.inf file as shown in the example below in order to generate the certificate request file

;----------------- certificate.inf -----------------

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=servername.domain.local" ; replace with the FQDN of the Domain Controller
KeySpec = 1
KeyLength = 1024
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

;-----------------------------------------------

3. Create the certificate request file with the following command:

certreq -new certificate.inf certificate.req

4. Submit the certificate request file to the Stand-alone CA

certreq -submit certificate.req

The system will prompt you to choose which stand-alone CA you want to submit the request to. Take note of the certificate request ID.

5. In the Stand-alone Certificate Authority (CA), under "Pending Requests", right-click on the request ID and select All Tasks – Issue. The certificate will go into the "Issued Certificates" folder.

6. Retrieve the certificate on the domain controller that requested the certificate

certreq -retrieve <request id> certificate.cer

7. Import the certificate into the Personal store of the Computer Account

8. Test the LDAPS using ldp

9. You can now proceed with LDAP over SSL integration with 3rd party system/application

10. For Windows 2008 Server, you might need to import the certificate into the Active Directory Domain Services certificate store
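
To complement the ldp test in step 8, the script below (an added example, not part of the original post) connects to the domain controller on port 636 and reports the certificate it presents, so the subject, expiry, key size and Server Authentication EKU can be checked before integrating a 3rd party system. It assumes Windows PowerShell 5.1; `servername.domain.local` is the placeholder FQDN from certificate.inf.

```powershell
# Added example: inspect the certificate a domain controller presents on LDAPS (TCP 636).
# Only the TLS handshake is performed; no LDAP bind is made and no credentials are sent.
param(
    [string]$Server = 'servername.domain.local',  # placeholder: the FQDN used as Subject CN
    [int]$Port = 636
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication, as in [EnhancedKeyUsageExtension]
$state = @{ PolicyErrors = $null }

# Record the validation result, then return $true so the handshake completes and the
# certificate can be inspected even if this machine does not yet trust the stand-alone CA.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $state.PolicyErrors = $sslPolicyErrors
    $true
}

$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($Server, $Port)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($Server)   # name mismatches show up in PolicyErrors
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    # Collect the OIDs from the Enhanced Key Usage extension, if present
    $ekuOids = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    $keySize = $cert.PublicKey.Key.KeySize
    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        DaysRemaining = [int]($cert.NotAfter - (Get-Date)).TotalDays
        KeySizeBits   = $keySize
        Below2048Bits = $keySize -lt 2048          # true for the KeyLength = 1024 sample INF
        ServerAuthEku = $ekuOids -contains $serverAuthOid
        PolicyErrors  = $state.PolicyErrors        # None = trusted chain and matching name
        Protocol      = $ssl.SslProtocol
    }
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $client.Close()
}
```

A `PolicyErrors` value other than `None` usually means the client running the script does not trust the issuing CA or the name it connected to does not match the certificate subject, which are the same conditions that make 3rd party LDAPS clients reject the connection.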

Resources and References:

To renew the SSL certificate created by this post, please go to Renew SSL certificate for Domain Controller LDAPS

http://support.microsoft.com/kb/321051

http://technet.microsoft.com/en-us/library/dd941846(WS.10).aspx

Lightweight Directory Access Protocol


Extend Windows Server Partition Size without reformat

There are many cases where we need to add more hard disk space to a server. Of course you have the option to create it as a new partition/drive, but that might not work for certain applications/data that must stay within the existing partition. Below are the steps to extend or resize the existing partition on Windows 2003 Server and above:

  1. Insert the new hard disk into the server
  2. If currently using RAID1, you have to convert it to RAID5 in the RAID management software (each brand of server has a different RAID management tool, e.g. HP Array Configuration Utility)
  3. If currently using RAID5, just extend RAID5 with the new hard disk using the RAID management software. It might take up to 1 day depending on the size of the hard disk and the server speed.
  4. Extend the Logical Array with the new free capacity in the RAID management software. This will take time as well.
  5. Use DiskPart, which is available for Windows 2003 Server and above. Run the following commands in a DOS/cmd prompt:
     DiskPart: disk partitioning tool from Microsoft, for Windows 2003 Server and above
     List Volumes: list the volumes/drives currently configured
     Select Volume #: where # is the volume/drive number gathered from the previous step
     Extend Size=xxxx: where xxxx is the size in MB to grow the volume by. 1GB is 1024MB. If you use Extend without specifying the size, it will use all the available free space

Reference

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/diskpart.mspx?mfr=true

http://h18000.www1.hp.com/products/servers/proliantstorage/software-management/acumatrix/index.html

Alternative

If you need to perform more complicated hard disk management tasks such as shrinking or extending the C: drive, you can try Parted Magic, which comes with a GNU2 license. Just burn it onto a disc or USB drive and then boot it up. Personally, I found its hardware (RAID/SCSI controller card) support to be much broader compared to certain commercial products.


Computer Cloning with similar SID might cause network problem

Using disk image cloning (e.g. Symantec Ghost) for mass desktop rollout/deployment can save significant hours of work and hassle over other rollout methods, but it might cause major network problems if every cloned system has an identical computer Security Identifier (SID). This compromises security in Workgroup environments, and removable media security can also be compromised in networks with multiple identical computer SIDs.

1. Un-join the computer from the Windows Domain or Active Directory
2. Restart the computer
3. Download http://download.sysinternals.com/Files/NewSID.zip and extract it onto the local computer.
4. Run newsid.exe as shown in the screenshot below to generate a new SID

5. After the computer has restarted, join the computer back to the Windows Domain or Active Directory

Command:

Alternatively, you can run the command below from the command prompt:

newsid /a [newname]

References and Resources:

http://technet.microsoft.com/en-us/sysinternals/bb897418.aspx

http://support.microsoft.com/default.aspx?scid=kb;EN-US;314828


AutoEnrollment Problem

Event Viewer shows the error below after the Certificate Authority service is activated/installed:

Event ID: 13
Source: AutoEnrollment
Type: Error
Description: Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005). Access is denied
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Solution:

1. Run the commands below from a command prompt:
certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc
net start certsvc

2. Add "Domain Controllers" as a member of CERTSVC_DCOM_ACCESS under the Users OU in your Active Directory

References and Resources:

http://support.microsoft.com/kb/903220

http://technet.microsoft.com/en-us/library/cc700804.aspx