Home / user-54805

Ben Short's questions

Martin Hope
Ben Short
Asked: 2017-12-12 15:49:22 +0800 CST
  • 13

Everyone talks about domain controllers and that they should have a certificate installed, but at the end of the day it is optional. Once installed, what actually makes use of that certificate? My understanding is that it is at least needed for:

  • Smart Card Authentication
  • LDAPS

However, I am seeking to know whether there are specific native actions by the DC or Active Directory where the domain controller make use of the certificate?

I'm aware of the security implications/good practice here :) I'm just interested in the mechanics in play.

active-directory
Martin Hope
Ben Short
Asked: 2014-05-13 16:12:57 +0800 CST
  • 0

I am currently reviewing my work's default domain controller policy GPO against the MS Security Compliance Manager, and one of the things I have found is that there are many things that have user rights assignments that do not appear in the compliance baseline. Many of this things look to be machine accounts such as:

  • DOMAIN\IWAM_[Server-Name]
  • DOMAIN\SQLServer2005MSSQLUser$ [Server-Name] $MICROSOFT##SSEE
  • DOMAIN\IUSR_[Server-Name]

Should I be following the compliance manager's advice and removing them, or trust that windows knows what it is doing and leave them alone?

active-directory
Martin Hope
Ben Short
Asked: 2010-09-30 18:02:38 +0800 CST
  • 5

I am trying to script a solution to automatically submit Base64 CSRs to a Microsoft Certificate Services CA, but keep getting tripped up.

My understanding is that all I should need to specify is a Certificate Template & CSR File and it will spit out a Certificate.

The CSR is for

CN=myserver.ilo.domain.local, OU=ISS, O=Hewlett-Packard Company, L=Houston, ST=Texas, C=US

Which is a HP iLO3 device

certreq -Submit -attrib "CertificateTemplate:Webserver" infile.csr outfile.cer

Running this command however results in:

Certificate Request Processor: The data is invalid. 0x8007000d (WIN32: 13)

Using the web interface for MSCS http://certsvr/certsrv and going through the advanced settings (to set Web Server Certificate) allows me to submit a certificate Request just fine.

Does anyone know where I may be going wrong with certreq?

windows-server-2008 ssl-certificate csr
Martin Hope
Ben Short
Asked: 2010-06-28 17:53:31 +0800 CST
  • 3

Am at a complete loss with this one. Recently a number of my powershell scripts have started failing as they are unable to find the command dnscmd.exe.

What has me at a loss is that the executable exists and works and I can run it just fine in the command prompt. I have tried the following in powershell to run the command:

  • dnscmd
  • & dnscmd
  • & dnscmd.exe
  • & c:\windows\system32\dnscmd.exe

All return "The term dnscmd is not recognized as the name of a cmdlet, function,script file or operable program...."

Can anyone enlighten me as to why powershell is completely unable to see the command, where the normal command prompt/windows explorer etc.. can? Using powershell 2.

powershell command-line-interface
Martin Hope
Ben Short
Asked: 2010-02-10 16:19:50 +0800 CST
  • 2

I am looking at deploying SNMP Settings for windows servers via Group Policy and have an administrative template prepared. However I am noting strange behaviour when applying the policy.

Two Community strings are created, with different permissions. ie:

MYCOMMUNITY - READ ONLY
MYCOMMUNITY - READ CREATE

The Windows Registry also shows two values being created in 

HKLM\Software\Policies\SNMP\Parameters\ValidCommunities

NAME         TYPE       DATA
1            REG_SZ     MYCOMMUNITY
MYCOMMUNITY  REG_DWORD  0x00000010 (16)

It is the latter of these two registry values that generates the READ CREATE community that I want, yet I seem to be unable to stop the first string entry from being generated.

My question is Whether READ CREATE Permissions will take precedence over READ ONLY permissions, or will there be "Random" behaviour with this configuration?

Thanks

windows group-policy snmp windows-registry
Martin Hope
Ben Short
Asked: 2009-10-19 16:07:56 +0800 CST
  • 0

We are using ultrasound to monitor FRS on a Window 2003 Domain. Domain's Functional Level is 2003 Native. Ultrasound keeps reporting on a mystery connection that is causing the backlog in our replica set.

The big mystery is that the only thing Ultrasound can tell me about the connection is what the outbound server is. There is no information about what the Inbound Server is, even though the connection health rating for both inbound & outbound is Green.

I suspect this is correlated to the alerts being received about a long Version Vector Join (VVJoin) occurring. It is true we recently promoted a DC, however it appears to be replicating fine with another server within it's site.

Is there a way for me to work out what this "Unknown" inbound server is with a command? or will it just mysteriously go away?

Thanks

windows-server-2003
Martin Hope
Ben Short
Asked: 2009-08-24 19:36:13 +0800 CST
  • 3

At the request of higher-up, I need to deploy a SSL Certificate(s) signed by our Active Directory CA to over 100 lights-out interfaces. Given all these devices have been given a hostname .ilo.my.domain a Wildcard certificate seems to be the way to go.

I've not been able to find any useful instructions on how to do this - Googling just gets me 100s of results for various SSL Resellers.

Does anyone have any experience with MS Cert Services & Wilcard SSL Certificates that they can point me in the right direction with?

Cheers

windows ssl ilo