IIS Certificate Authentication for Windows 7 and Vista

In order to support the new security features of Windows 7/ Vista, Microsoft has made fundamental changes to the certificate web enrollment process that Windows Certificate Services uses to provide certificates to end users. In the past, Xenroll was the process that was responsible for the assignment and processing of certificate requests through the web site. Now this has been replaced with the CertEnroll process. Unfortunately, this process was not seamless. For months, the only way to use the Certsrv site to provide certificates to Vista was to use Windows Server 2008 or to overlay the Server 2008 ASP site over the older Xenroll-based site on Server 2003. This lead to a number of problems, especially considering the lag between the release of Windows Vista and Server 2008. Fortunately, a patch has been released to allow Server 2003 to comply with the new CertEnroll process and hand out certificates to all clients.

Resources

The Hotfix can be found:

http://support.microsoft.com/?kbid=922706

An Unexpected Result

Many companies that rely on certificate authentication for web site authentication are running into problems with Windows Vista as the enrollment process appears to work as it had before, but when navigating to the site no certificate is found. This means that you will see the normal “Choose a Digital Certificate” popup on the site, but the box is blank and no certificates are listed. This is further confusing as valid certificates appear in the certificate store on the local machine.

The problem arises in the default certificate type that is requested by Windows Vista, Windows 7 and Server 2008. Instead of the Base or Enhanced Cryptographic Provider, Windows Vista chooses another option. This is especially confusing if you are using the basic enrollment pages or even custom skinned pages as you will not see the advanced options that Vista is changing by default. Once these are changed as below, you will be able to use the certificate for user authentication as you’d expect.

Resolution Steps

  1. Navigate to the normal certsrv page on your CA
  2. On the initial Welcome page of the Certificate server, click Request a certificate, and then click Next
  3. On the Choose Request Type page, click Advanced request, and then click Next
  4. On the Advanced Certificate Requests page, click Submit a certificate request to this CA using a form, and then click Next
  5. On the Advanced Certificate Request page, complete the requesting information, as appropriate
  6. Under Type of certificate Needed , click Client Authentication Certificate
  7. Under Key Options , select Microsoft Base Cryptographic Provider v1.0, click Signature for Key Usage , and then enter 1024 for Key Size
  8. Leave the Create new key set option selected (you can clear the Container Name check box unless you want to specify a specific name), and then click Use local machine store
  9. Leave all the other options set to the default value unless you have to make a specific change
  10. Click Submit . If the Certificate Authority is configured to issue certificates automatically, the Certificate Issued page appears
  11. Click Install this Certificate. The Certificate Installed page appears with the following message: “Your new certificate has been successfully installed.”
Advertisements

AD Health Check (Server 2003/ SBS 2003)

IT Lives!

Every once in a while, I am reminded that nothing on the web should really die.  Looking at my server logs, I noticed a number of hits a day looking for my Health Check best practice document for Active Directory.  When I moved from Community Server to wordpress, this one didn’t make the cut as the command syntax had changed for Server 2008, but I neglected to take into account everyone needing to validate their domains before migration or who are not able to do the upgrade for one reason or other.  For you, here is the blog resurrected from the dead!

Active Directory Health Check

This document outlines a basic procedure for validating the health of your Windows Server 2003 domain and is a good practice for iterative maintenance and an excellent pre-check before doing any potentially dangerous domain operations, like migration or update.

Before doing anything that might jeopardize the integrity of your domain, it is important to ensure that there are no outstanding health issues.  While important, doing this kind of check needn’t be horribly complicated or take a lot of time.  It is important to do every time to be sure that you aren’t replicating problems across your forest as you do domain maintenance.  This is especially critical before schema operations and domain migrations.  Using a few simple Microsoft tools in the Windows Resource Kit, the general health of the domain can be validated and much of the risk associated with the projects can be mitigated.

Tools & Resources

DCDiag —  Basic Domain Diagnostics
NetDiag — Domain Controller Network Diagnostics
REPLMon — Replication Monitor
NETDom — Domain and Trust Diagnostics

 Procedure Steps

A number of people have requested that these steps be posted in HTML format as they don’t have Microsoft Project or can’t open the file with their version of the software.  To make this a little bit easier for everyone, here we go:


Domain Controller Health Check


Preparatory Work

Update Server Documentation

Gather Inventory of domain controllers from the ADU&C | Domain Controllers node

Locate current documentation from client on AD structure

Locate current documentation from client of site/ core topology

Document name of every AD domain and Sub-domain

Document name and IP address of every Server

Document all trust relationships

 

Install Support Tools

On Each Server

Log on to the server with Server Administrator privileges

Insert the windows 2000/2003 disk into the CD drive

Navigate to CD:\\tools\Support Tools

Run Setup.exe

Wait as the Support Tools are installed on the server

 

              Preparatory Work Completed

 

 

Verify Health of the Domain

Create Log Directories for all Diagnostic Files

Create a Logs Directory at the root of C:\ on the server as C:\Logs

 

Verify DNS function with NSLOOKUP

Drop to a Command Prompt

At the Command Prompt, key in ‘Nslookup’ <enter>

Resolve each replication partner

Resolve every AD domain and Sub-domain

Remediate any failed resolutions\

 

Verify replication function and topology with REPLMON
<ServerName>

Navigate to Start | Programs | Administrative Tools | Support Tools | Replmon

Select the server (<ServerName>) in the Monitored Servers

Select Action | Server | Generate Status Report

When Prompted, specify the file name as c:\Logs\<ServerName> MMDDYYYY.log in the Report Options, select all of the reporting options

Click OK

 

Verify DC health with DCDIAG /verbose on each domain controller
<ServerName>

Drop to a Command Prompt

Key in ‘DCDIAG /s:<ServerName> /v  /c > c:\Logs\ServerName-DCDIAG-MMDDYYYY.log’ <enter>

Wait as the Diagnostic completes

Remediate any errors displayed

Run DCDIAG /s:<ServerName> /fix

Repeat the diagnostic

 

Verify network connectivity health with NETDIAG /verbose
<ServerName>

Drop to a Command Prompt

NETDIAG /v > C:\Logs\<ServerName>-NetDiag-MMDDYYYY.txt

Wait as the diagnostic completes

Remediate any errors displayed

Run Netdiag /fix

Run the NETDIAG diagnostic again

 

Verify all trusts with NETDOM
<ServerName>

Drop to a Command Prompt

At the Command Prompt, key in ‘NetDom query /verify’ <enter>

Verify that all trusts are working and responding to the stored passwords

Remediate all errors before continuing

Repeat for each additional Controller

Interviewing Active Directory Engineers

One of the most difficult challenges an IT manager faces is hiring the right people. Finding the right employee is more than just looking for strong performance in a single area, but requires that you consider several different skill domains to not only measure technical ability, but to ensure that the prospective employee is a good fit for your organization.

Know Thyself

Before jumping into a technical interview, it is important to take a step back to look at the environment and team that you will be bringing this candidate. Some questions you might want to ask yourself:

  1. What criteria do I use to describe a successful candidate?
  2. What qualities do I see in my best people that I am looking for in a new employee?
  3. Am I looking for someone to tow the line or be an agent of change? (Think hard and be honest)
  4. How would I describe my corporate culture? Challenges integrating with the team?

The Golden Mean

Once you have taken an honest look at your environment and the role that you are really looking for the new person to fill, it is time to look at specific interview questions that will help you narrow the field. It is always hard to find people who have a high-level of technical competency, but I’ll often have to reject these people for other reasons. It is usually easier to train a quality candidate than it is to hammer someone with amazing book knowledge into the right mold.

There are a couple of key skills that can’t be easily taught and take a significant investment over time to develop:

  • Logical Progression through Fault Isolation – It is important that a candidate be able to troubleshoot a complex situation through methodical fault isolation dealing with one variable at a time and be able to narrow the field of probability in a logical order. Lack of this skill leads to a network engineer that grasps at straws and can’t decide what is important and what is not.
  • Ability to Communicate in Written and Verbal Media – This is of the utmost importance to be able to lead a team and act as a focal point for end-user communication. This comes down to the ability to clearly express ideas and to be able to break problems into common experiences and clear ideas that anyone can understand.
    Lack of this skill leads to alienation of the working team as well as mistrust on the part of the users.
  • Ability to Understand the Business – This doesn’t require an MBA or advanced training, but every employee with system/ enterprise-level responsibility should be able to identify when a situation has the ability to impact the bottom line and how revenue streams are driven through the company. Lack of this skill leads to a mis-prioritization of tasks and a lack of ability to evaluate the risk involved in work items.
  • Ability to Work as a Team – This skill encompasses leadership and appropriately handling team dynamics. Active Directory and Windows Server often form the nexus of many disparate IT systems and will require team integration to serve these different consumers. It is important to be able to recognize politically charged situations and appropriately deal with these situations driving consensus. Lack of this skill leads to team alienation and infighting between teams and team members.
  • Ability to Face Mistakes and Learn from Them – Nothing it more frustrating than dealing with a coworker or employee who does the same thing over and over and expects a different result. Even worse is when the outcome is always blamed on other people. A strong candidate will be able to talk freely about mistakes made as these are often the birthplace of high-level expertise. Lack of this skill is usually expressed through displays of bravado and ego contests. This is a lack of objective self-evaluation. In its worst expression, this leads to an institutional culture of blame and lying to cover missteps.
Counter-Example: Hiring by Skill Alone
—————————————————–

About three years ago, I was looking for an engineer that had both high-end Active Directory skills and moderate-level Cisco infrastructure skills for a client I had in the Chicago metro area. On the resume and in the technical interview the candidate hit all of the technical requirements out of the park. He was able to answer all of my questions and was even able to push back to read into the questions and challenge the suppositions behind the relatively simple scenarios posed by the questions.

At the time, I was having a hard time finding qualified technical people to put into a client who was already contracting for the FTE – needless to say, I really wanted a qualified body to put into that role. This eagerness caused me to gloss over some of my non-technical questions and ignore minor idiosyncrasies that I was picking up on in the interview.

This misstep on my part led to a tumultuous working relationship that disrupted the rest of the team and caused us to lose weeks of work time to deal with personality conflicts.

This eventually came to a head with the engineer refusing to take criticism on his work and refusing to be held to the same standards as the rest of team. In a morning progress meeting where we were reviewing status and needs, the employee got so upset at having his work reviewed that he lost control of himself and even asked me, his manager, to leave the room so he didn’t have to punch me!

Needless to say, that was his last day.

Active Directory Interview Questions

Situational Questions

  1. What was the hardest technical challenge you’ve ever faced? How did you overcome that?
  2. Describe a situation where it was you against the technology and the technology won? How did you handle the communication during the crisis?
  3. What do you consider your best technical strength? How do you use that to give back to the community to mentor new people?
  4. Talk about a project with which you’ve been involved that was abandoned/ cancelled before it was completed? What went into making that decision? What positive things came out of the project in spite of its overall failure?

Team Dynamics

  1. What things to you do on a day-to-day basis to maintain your skills?
  2. What skills do you think most AD/ Windows engineers lack? How would you help them get up to speed?
  3. How would you describe your learning style? How do you learn best from experiences? Other coworkers?
  4. Who was the most frustrating person you’ve ever had to work with? What made that so painful? How did you help that person become a better team member?
  5. If a coworker were to tell you that you were at the top of their list for most frustrating team mate, how would you address that? What would they probably see as your worst trait?
  6. The last time your manager made you angry, how did you bring that to a positive conclusion?
  7. How would you describe your ideal team environment? What would make it rewarding for you?
  8. Describe your best day at work? What is the one thing you could do to make your life better?

Active Directory (Yes, finally)

  1. What are the 5 FSMO (Fizz-mō) roles and what do they do?
    (A lot of interviews will skip a question like this that will spark a long explanation on the part of the interviewee, but it is important to ask as this will demonstrate attention to detail, handling several things at once, and handling of the core of AD. I’ve found that 75% of MCSEs can’t answer this question and can often hurt the interview so much that this is the only technical question I’ll get to.)
    1. Primary Domain Controller Emulator (PDCe) – This role handles ubiquity of password changes and some GPO operations. This also participates as a PDC in NT4 Domains.
    2. Schema Master (SM) – Acts as the single point of authority in maintaining the AD Schema
    3. Infrastructure Master (IM) – This is responsible for the mapping of GUUIDs to objects across the domains. This role maintains object references.
    4. Domain Naming Master (DNM) – This is responsible for the addition, removal, and management of domains in the forest.
    5. Relative ID Master (RID Master) – This role is responsible for the assignment of unique SIDs to objects created in the domain.
  2. Which FSMO roles are Forest-specific?
    1. There is only on Schema in a forest. This is managed by the Schema Master
    2. The Domain Naming Master controls domain declarations and object identity (uniqueness) in a forest as a whole.
  3. What is the role of the Global Catalog (GC)? Why is this not a FSMO Role?
    1. The GC holds a flat/ denormalized version of the Active Directory that can be more quickly searched and accessed without having to traverse the hierarchical tree
    2. Since any DC can hold a copy of the GC, this is not a Single Master in the FSMO sense. This is an important piece of the AD system, though.
  4. Which role is no longer used if all Domain Controllers are holders of the GC?
    1. The Infrastructure Master is not used if all DCs are GCs
    2. Normally the IM and the GC should not be on the same server, but this is not the case if all DCs also have the GC
    3. In smaller networks (under a dozen DCs, usually all DCs should be GCs and ADi DNS holders)
  5. What is the role of the PDC Emulator (PDCe) if you are in 2003 native mode and all of your clients are running Windows XP?
    1. The PDCe is required for GPO and Password Updates
    2. Unavailability of this service results in long logon times and policy application problems
    3. Time services are also bound here
    4. If the answer is that this service is only for backwards compatibility, this is a HUGE flag that the candidate only has book knowledge!
  6. Talk about the role of DNS in the Active Directory
    1. DNS is the backbone of AD as all resource location is done against the DNS
    2. DNS helps to shape all communication patterns and is integral to replication
    3. DNS also supports the location of servers and maps to the AD topology of the domain
    4. 80% of AD problems can be traced DNS problems
  7. How would you repopulate the SRV records if you needed to update them?
    1. Restart the NETLOGON service
    2. You can also reboot the server, but this isn’t the preferred method as it requires downtime.
  8. Why would one choose AD integrated (ADi) DNS over standard DNS or BIND?
    1. ADi DNS uses the replication strategy of the AD itself providing a better replication topology and a differential replication of changes rather than whole zone transfers
    2. This is the most reliable DNS to support all of the features of Active Directory
  9. How would you check the health of your domain?
    1. You can use a combination of DCDIAG, NetDIAG and REPLMON
    2. Event logs can also be used, but these will not give deep knowledge into the AD’s innerworkings
  10. What tools would you use to check replication?
    1. REPLMON in the Server Support Tools is the best tool
    2. You can also force replication in AD Sites& Services
  11. What does it mean when an object is tombstoned?
    1. This means that the object hasn’t replicated in a long time and the tombstone threshold was exceeded. (60 days in W2K and 120 in W2K3)
    2. This object gets sent to garbage collection
    3. This usually happens when a DC is offline or cannot replicate for a long time. The DC has to be rebuilt to rejoin the domain.
  12. How would you remove a failed Domain Controller from the domain if it couldn’t be demoted gracefully?
    1. DCPROMO /forceremove
    2. Delete from AD Sites and Services
    3. Delete the DNS records
    4. Perform a metadata cleanup (NTDSUtil)
  13. What are the three objects to which you can attach GPOs?
    1. Domain
    2. Organizational Unit (OU)
    3. Site – this is the least common
  14. If your domain is in Windows 2003 Native mode and your clients are all Vista/ XP, when would you run WINS?
    1. When you cross subnet boundaries it is still necessary to run WINS. Otherwise the workstations will still rely on NetBIOS elections to populate the master browser. This will also provide a list in My Network Places/ Computers Near Me that cross the subnet boundaries providing a full list.
  15. What does DHCP do in your network? How does a workstation find a DHCP server?
    1. DHCP hands out IP addresses and network configuration information to workstations and hosts.
    2. A workstation will broadcast on the network to find a server and will respond to whatever server responds first
    3. If there isn’t one on the local broadcast domain, a router or layer-3 switch can direct the server request using an IP Helper-Address to cross domains.
  16. What is the difference between an Authoritative and non-Authoritative AD restore?
    1. Authoritative takes control of the AD and overwrites the current version with records of a timestamp. Non-authoritative will allow newer records to be replicated on top of the restored records.
  17. Under what circumstances would you need a new domain? A new Forest?
    1. New Domain
      1. In the case of needing a new domain security policy or password policy (not Server 2008 though)
      2. If you need a soft security boundary for administration
      3. If you need a separate IPSec policy
      4. Crossing geopolitical boundaries
    2. New Forest
      1. If you need to split Namespace (mycompany.com vs. yourcompany.com)
      2. If you need a hard security boundary without an implicit trust
  18. What tools would you use to join two domains together?
    1. Active Directory Migration Tool (ADMT)
    2. 3rd party tools are available like the Qwest tools
  19. How would you copy files from one server to another and keep the NTFS permissions?
    1. Use xcopy or xcopy.vbs
    2. Use a 3rd party tool like robocopy
  20. What commands would you put in a logon script to map the W: drive to the Home Directory?
    1. Net use W: /home

Conclusion

There are a number of considerations that should be taken when looking for new Active Directory engineers, both on the soft skills as well as the technical. Of course, a list like this can never be complete and would have to be tailored on a case-by-case basis, but should act as a guide for the careful interviewer.