Windows – Unable to Move an OU
KB ID 0001336 Problem I was doing some AD redesign work for a client this week, and I needed to move an Organisational Unit (OU). However the domain had other ideas; Active Directory Domain Services Windows cannot move object {OU-Name} because: Access is denied. It wasn’t a rights issue, (I was an Enterprise Administrator). Solution As it turns out, it was the same problem I’d had back when Server 2008 first came out...
Windows Folder Redirection
KB ID 0000467 Problem Q: What is Folder Redirection? A: Essentially you can take folders that hold things like your “My documents” or your “Favorites” folder, and put them out on a network server, which is great if you want to back that sort of information up for disaster recovery. Q: What’s the difference between this and a roaming / roving profile? A: Folder redirection keeps information on a server...
Microsoft PKI Planning and Deploying Certificate Services Part 3
KB ID 0001312 Problem Following on from Part Two, now we have an offline Root CA, and a CRL server, our next step is defined by our PKI design, are we three tier, or two tier? (Look in Part One for a definition). Solution As previously mentioned, Microsoft just treats Intermediate CAs and Issuing CA’s as the same thing (SubCAs). So the next step is identical for either. But I would suggest one difference, If I was deploying an...
WannaCry – Protect Yourself
KB ID 0001311 Problem Last Friday, the IT world was hit by another attack, WannaCry is a Ransomware infection, that exploits a hole in the windows SMB Protocol. This hole was patched back in March, (Security update MS17-010) so if your, (windows update supported systems) have updates enabled, you will probably already be protected. Why were big organisations like the NHS hit? Primarily because they have systems that are no longer...
Microsoft PKI Planning and Deploying Certificate Services Part 2
KB ID 0001310 Problem In Part One we deployed our offline Root CA Server, now we are going to deploy a ‘Certificate Revocation Location’ server. Solution Before you start: Create a DNS record for ‘pki’ that points to the IP address, that you will have the CRL web server hosted on. I’m installing my CRL server on a separate web server because thats good practice. Starting with a domain joined member...
ADMT (Active Directory Migration Tool) Domain Migration – Part 4
KB ID 0001308 Problem On the homeward stretch now, back in Part Three, we migrated service accounts, groups, and users. Now we turn our attention to our machines. Note ADMT 3.2 Only support the migration of Operating Systems up to Windows 7, (that doesn’t mean Windows 8 and Windows 10 wont work, it just means they are not supported). Migrating Windows 8 and 10 throws a lot of security translation errors, because of the way it...
Microsoft PKI Planning and Deploying Certificate Services
KB ID 0001309 Problem “I don’t know what it is about Certificates, I just don’t like them, I don’t understand them, and I don’t like working with them” I hear this a lot, In fact I heard it this week, and as I’m usually the ‘go-to-guy’ for certificates and PKI, it winds me up! IT pros take the time to learn concepts like DNS, DHCP, Kerberos etc. But mention Certificate Services and...
ADMT (Active Directory Migration Tool) Domain Migration – Part 3
KB ID 0001307 Problem Seems like ages since I wrote Part Two, now we are ready to actually start moving objects from one domain to another. Solution ADMT: Service Account Migration Why would you want to do this first? Well this replaces any service accounts on the OLD domain machines with migrated service accounts form the NEW domain, so when the client machines, (or servers,) are migrated they’re already using the new service...
ADMT (Active Directory Migration Tool) Domain Migration – Part 2
KB ID 0001306 Problem Back in Part One we setup our migration admin account, and installed ADMT. Now, as I’m going to migrate the users passwords I need a ‘Password Export Server’, but first I need to tackle the subject of user SIDs Solution Domain Migrations and SID Filtering Every user has a SID (Security Identifier) it’s the thing AD uses to refer to and apply security to users, (and other objects). This...
ADMT (Active Directory Migration Tool) Domain Migration – Part 1
KB ID 0001305 Problem I’ve not used ADMT for ages, I’ve got a domain migration to do soon, so I thought I’d get on the bench and have a reminder. Although ADMT 3.2 was ‘re-jigged’ to support Server 2012 R2, I’m still going to install it on Server 2008 R2. I’ve got a test domain built to migrate from, and a new domain setup ready to migrate into. Old/Source Domain: olddomain.com Old/Source...