Move AD Group Members to an OU

KB ID 0001266 Dtd 23/12/16

Problem
I got asked to do this at work this week. PLEASE BE AWARE: moving users about within AD may drastically change the way your 'User Group Policies' are being applied, so do some Group Policy Modelling beforehand to avoid any problems.

Solution
In the example above, I've got ten users in a security group called 'Source-Group'. For simplicity, they are all in the same source OU as well (but they don't...

Windows Server 2016 – Locating, Transferring, and Seizing FSMO Roles

KB ID 0001257 Dtd 10/11/16

Problem
I've written about transferring and seizing FSMO (Flexible Single Master Operations) roles before; see the following article: Transferring Your FSMO Roles. Now you have a PowerShell cmdlet to help: 'Move-ADDirectoryServerOperationMasterRole'.

Solution
As before, you can view your FSMO role holders by using the following command:

netdom query fsmo

To transfer them to another server (in the case a...

Install and Configure Certificate Enrolment Policy Web Service

KB ID 0001250 Dtd 26/10/16

Problem
A client had moved a domain-joined server into their DMZ, and while they had opened the correct ports for domain authentication on their firewall, no one had considered the certificates on the server, which had expired and could not be renewed. Some research pointed me towards the Certificate Enrolment Web Service. Its job is to let clients enrol and renew certificates from either non-domain-joined...

URI Was Validated Successfully But there Was No Friendly Name Returned

KB ID 0001249 Dtd 23/10/16

Problem
When attempting to connect a host to a Certificate Enrolment Policy Server, it worked but had the following complaint:

WARNING: The URI "https://{Host-Name}/ADPolicyProvider_CEP_{Method}/service.svc/CEP" was validated successfully but there was no friendly name returned by the remote machine.

Solution
On your certificate enrolment policy server, open the Internet Information Services (IIS)...

Certificate Enrolment – URI This ID conflicts with an Existing ID

KB ID 0001248 Dtd 22/10/16

Problem
When attempting to connect a host to a Certificate Enrolment Policy Server, I got this error:

The URI Entered above had ID : "{Random-GUID}". This ID conflict with an existing ID

Solution
On your certificate enrolment policy server, open the Internet Information Services (IIS) Management console. Expand {Server-Name} > Sites > Default Web Site > ADPolicyProvider_CEP_Kerberos,...

Upgrade Your Microsoft PKI Environment to SHA2 (SHA256)

KB ID 0001244 Dtd 12/10/16

Problem
This is pretty much PART TWO of two posts addressing the need to migrate away from SHA1 before February 2017. Back in PART ONE we looked at how to upgrade the ROOT CA; it does not matter whether it's an offline or online root CA, the process is the same. In many organisations the PKI is multi-tiered: they have either a RootCA <> SubCA, or a ROOTCA <> IntermediateCA <> IssuingCA (which...
