Direct Access AD Shortcut Trusts

I recently experienced an issue with enabling Direct Access for child domains.  I have a root domain with several child domains.  My Direct Access servers are located in one child domain, for sake of simplicity let’s call it DomainA.root.local and my new clients were in a separate domain, let’s call that DomainB.root.local.  I have clients in DomainA as well who have been working just fine for quite some time.  I recently took on the endeavor of enabling clients in DomainB.root.local.  Since both domains have transitive, two-way trusts I assumed authentication between domains would not be an issue.  We were already accessing shared resources from both domains with no issues.

I deployed the updated Direct Access group policy objects for both DomainA and DomainB following the correct procedures on Microsoft TechNet.  I issued client certificates from my enterprise PKI in DomainB to all of my new clients however, I received repeated errors on my Direct Access servers when my test client in DomainB attempted to connect and form an intranet tunnel.  The infrastructure tunnel established as expected, but the Intranet tunnel refused to form. It appeared the certificate was being flagged as invalid.  On further inspection of the Windows firewall on the client, it was obvious the client was either unable to authenticate against the domain controllers in DomainB.root.local or the certificate being used was not setup properly.  I opened a support case with Microsoft and ultimately it was determined that “shortcut trusts” needed to be created between DomainA and DomainB.  Once the new shortcut trusts were put in place, my Direct Access clients in DomainB were able to successfully authenticate.  Perhaps else can shed some light on why the shortcut trusts were necessary, but this resolved our issues.  Hope this saves someone else troubleshooting time and perhaps a Microsoft support call!

Tech Talk Live 2012 Presentation Files

Leveraging Microsoft Direct Access/UAG Presentation

http://sdrv.ms/HZrAEK

Tech Talk Live 2011 Presentation Powerpoint Files

Link to Skydrive for my TTL 2011 PowerPoints: http://bit.ly/h6RjT4

KeePass Password Safe

How do you keep track of service account and administrative credentials?  Everyone has their own take on the best way to secure passwords from pen and paper in a safe to multi-factor authenticated, encrypted databases.  Each method has it’s  own strengths and weaknesses.

At my office, we use an open source password manager called “KeePass Password Safe”

KeePass is a free, open source, light-weight password manager.  The encrypted database file created by KeePass allows you to securely store your passwords through an easy-to-use interface.  You can create folders and organize your account names and passwords so they are easy to locate and identify.  KeePass also doubles as a random password generator to assist in creating complex passwords suitable for administrative and service accounts.

RandomPasswordGenerator

KeePass also features the ability to turn on multi-factor authentication for even more peace of mind.  Choose from a “Master Password”, “Key file / provider” or “Windows User Account” for authentication options.  The Key file / provider option provides you with everything you need to turn an ordinary, old USB thumb drive into a second form of authentication.

If you are looking for a secure, easy-to-use tool for managing passwords in your environment, give KeePass a try!

SQL Server Management Studio–Error on Saving Maintenance Plan

Today I attempted to modify the maintenance plan “User Databases – Weekly Backup” on a SQL 2005 SP3 server and received the following error message: “Error loading type library/DLL.‘

SQL_MaintenancePlanErrorOnSave

The fix for this is to open a command line and run the following commands:

regsvr32 msxml6.dll

regsvr32 msxml3.dll

I couldn’t seem to locate a reason why re-registering these DLL files would be necessary.  After registering the DLL’s and making my changes to the maintenance plan everything saved properly.

SysInternals Utility–BGInfo

Have you ever found yourself with multiple RDP sessions to clients or servers open on your desktop and accidentally performed a task on the wrong host?  How many times have you sat down at a machine and wondered what kind of hardware resources the machine has or the current IP address?  Sure, you can right-click my computer or open a command prompt to get this information but how great would it be if the information you were looking for was right there on the desktop?  If you answered yes to any of the above questions, then I have a nifty tool for you!

Windows Sysinternals is a collection of advanced system utilities for the Windows operating system.  I highly encourage everyone to take a look at the available tools as they can save you a lot of time and frustration.  BGInfo is a sysinternals utility that creates a desktop bitmap with customizable information.  BGInfo can be run on both clients (Windows XP and higher) and servers (Windows Server 2003 and higher).

In the example that follows, I will be demonstrating how I setup and configure BGInfo on a Windows Server 2008 machine.

After creating an easily distinguishable folder like C:\BGInfo, download the .exe utility and copy into the folder.

Double-click the application to launch the configuration interface.

UserInterface

Here you can customize your dynamic background to show only the information you are looking for and format it to be aesthetically pleasing.  One side note here – if you do not click anywhere in the GUI interface within 10 seconds, the application will terminate.  The countdown timer is in the upper right-hand corner.  You will see why this is necessary a little later…

Once you have the settings configured for your tastes, save the template by going to the File menu and clicking Save As.

SaveTemplate

The corresponding template can be saved anywhere but I just choose to store mine locally in the same location as the application.

In order to make BGInfo refresh the system information, you can create a batch file that launches on login.  To do this, open Notepad and type the following: “[Path to BGInfo App]\bginfo.exe” “[Path to template]\[TemplateName].bgi” /TIMER:0 /accepteula

The /TIMER:0 option forces the application to launch with the timer set to 0 seconds so the application GUI used earlier to configure the template never displays to the user.

The /accepteula flag prevents the user agreement splash screen from displaying during the first launch.

Save the new notepad file as a batch script.  I choose to just store this file in the same location as the application and template.

CreateBatchScript

The next step is to setup the .bat file to launch on login.  Among the many ways to accomplish this, I choose to use the registry. (Note: The example that follows demonstrates on a Windows 2008 server)

Open the registry by using regedit and navigate to the key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Create a String value named something like BGInfo to identify the application being launched.  In the value field type the path to your batch file (i.e. C:\BGInfo\bginfo.bat)

Close the registry editor and you are all set!  Logoff/Login to the machine to verify the new background is working properly.

Desktop

If your environment is anything like mine, you may have over a hundred servers or clients you wish to deploy this too.  Performing these manual steps on each individual servers is tedious and time consuming.  Fortunately, many software deployment tools can be utilized to push this application out.  In my case, Microsoft System Center Configuration Manager is being used to maintain our servers so I simply created a deployment package and scripted the installation with a batch file.  Active Directory can also handle this deployment rather easily.

AD Default: Domain Users have rights to add up to 10 workstations to your domain

During one of the Microsoft TechEd sessions I attended this past June in New Orleans, I learned a valuable tidbit of security information related to Active Directory.  By default, every domain user in your active directory has the rights to add up to 10 machines to your domain.  This seems absurd for those of us that have a tightly delegated environment however, certain circumstances warrant this feature.  I won’t get into the circumstances in this post, just how to disable this default feature.

Open a command prompt on a domain controller and type adsiedit.msc(In the example screenshots I will be using a Windows Server 2008 R2 domain controller)

Use the connection point “Default Naming Context” if it is not already selected by default.  Right-Click on your domain’s root folder and select Properties

ADSIEdit_AddMachinesQuotaStep1

Scroll down the list of attributes until you find ms-DS-MachineAccountQuota.  Click Edit to modify the value.

ADSIEdit_AddMachinesQuotaStep2

Change the value to 0 to disable regular users from having the rights to join machines to your domain.

ADSIEdit_AddMachinesQuotaStep3

 

*It’s important to note that you should be delegating only a particular set of users the ability to join machines to your domain.  It is not best practice to use an account such as the domain administrator account to bind machines to the domain.  Recommended best practice is to pre-stage the computer accounts in ADUC, then bind the machine using delegated privileges.