Step by Step Active Directory Certificate Service – Part 2

Introduction

In part 1 of this blog series, we successfully installed Active Directory Certificate Services and performed the post-installation tasks. In this part, we will configure a certificate template for client and workstation authentication and configure a group policy for automatic certificate enrollment.

To secure the AD CS infrastructure, it's highly recommended to deploy a subordinate certificate authority and shut down your root certificate authority.

Step by Step Configure Certificate Template

So far, we have AD CS installed and configured. To proceed with the configuration of AD CS, we need to configure a certificate template for workstation and client authentication. To configure a certificate template, perform the following steps.

  • Navigate to Server Manager > Tools > Certification Authority

  • Navigate to Certification Authority > Machine Name > Certificate Templates. Right-click Certificate Templates and click Manage

  • Duplicate the “Workstation Authentication” template

  • Set up the template properties as per your requirements. On the General tab, define the name of the duplicate template and set the validity period

  • On the Security tab, ensure that domain-joined machines have the Read, Enroll and Autoenroll permissions

  • Click the Extensions tab and edit Application Policies to add Server Authentication to the template

  • Click Subject Name and ensure the DNS name and User Principal Name options are selected

  • Click Apply and close the certificate template properties.
  • Navigate to Certification Authority > Certificate Templates, right-click and select New > Certificate Template to Issue

  • Select the certificate template and click OK

So far, we have the certificate template created for workstation authentication. The next step is to create a group policy that configures automatic enrollment of the certificate.

Group Policy for Automatic Certificate Enrollment

As of now, our AD CS setup is ready for certificate enrollment. With the help of group policy, we will configure our domain-joined workstations to request certificates from AD CS. To configure a group policy for AD CS, perform the following steps.

  • Log in to the domain controller and launch the Group Policy Management Console from Control Panel > Administrative Tools > Group Policy Management

  • Navigate to the OU that contains all your domain-joined computers. In my case, I have a Servers OU that contains all domain-joined computers.

  • Right-click the Servers OU and click “Create a GPO in this domain, and Link it here”

  • Define the name of the GPO and click OK

  • Select the GPO, right-click and click Edit to modify the GPO settings

  • Navigate to Computer Configuration > Windows Settings > Security Settings > Public Key Policies

  • Select Certificate Services Client – Certificate Enrollment Policy and click Properties

  • Under Configuration Model, select Enabled

  • Next, select “Certificate Services Client – Auto-Enrollment”, go to Properties and set Configuration Model to Enabled

  • Once done, right-click the GPO, click Enforce and then Group Policy Update

  • Click OK on the Group Policy pop-up message to finish the process

Your group policy deployment for certificate auto-enrollment is now complete. You can navigate to Issued Certificates on the CA to see that computer accounts have started to receive certificates from your AD CS infrastructure.
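To confirm on a domain-joined machine that the auto-enrollment GPO applied and that a certificate from the duplicated template was actually issued, here is an added PowerShell example (not from the original post). It assumes the duplicate template was named "Workstation Authentication v2" (a placeholder) and is run in an elevated PowerShell on a client.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell on a domain-joined client.
function Test-AutoEnrollment {
    param(
        # Placeholder: the name you gave the duplicated template
        [Parameter(Mandatory)][string]$TemplateName
    )
    # 1. GPO check: "Certificate Services Client - Auto-Enrollment" writes AEPolicy under this key.
    #    7 = Enabled plus both renew/update options ticked; 0x8000 = explicitly disabled.
    $aeKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    $aePolicy   = (Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    $gpoApplied = ($null -ne $aePolicy) -and ($aePolicy -ne 0) -and (($aePolicy -band 0x8000) -eq 0)

    # 2. Trigger machine auto-enrollment now instead of waiting for the next Group Policy refresh.
    certutil.exe -pulse | Out-Null
    Start-Sleep -Seconds 15

    # 3. Find certificates in the machine store that came from the template: duplicated (v2+)
    #    templates carry the Certificate Template Information extension (OID 1.3.6.1.4.1.311.21.7),
    #    whose formatted text contains the template name; also require the Client Authentication EKU.
    $certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $tmpl = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
        $tmpl -and ($tmpl.Format($false) -match [regex]::Escape($TemplateName)) -and
            ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')
    })

    [pscustomobject]@{
        AutoEnrollmentPolicyValue = $aePolicy
        GpoApplied                = $gpoApplied
        CertificatesFromTemplate  = $certs.Count
        Subjects                  = $certs.Subject
        # Renewal is auto-enrollment's job; anything still inside 30 days of expiry deserves a look
        ExpiringWithin30Days      = @($certs | Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) }).Thumbprint
    }
}

Test-AutoEnrollment -TemplateName 'Workstation Authentication v2'

# On the CA itself the same certificates appear under Issued Certificates; Disposition 20 = issued:
# certutil -view -restrict "Disposition=20" -out "RequesterName,CertificateTemplate,NotAfter"
```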

Conclusion

In this blog article, we configured an Active Directory Certificate Services template for end-user workstations and deployed a group policy on the Servers OU to request the certificate from the internal CA. I hope this series helps you deploy your PKI infrastructure using AD CS.

Step by Step Active Directory Certificate Service – Part 1

Introduction

Microsoft Active Directory Certificate Services (AD CS) provides an infrastructure for securely issuing and managing your public key infrastructure. Active Directory Certificate Services can also be leveraged to authenticate computers, users or devices on the corporate network based on your infrastructure security requirements.

In this blog series, we will set up a single-server AD CS on a domain-joined machine and configure an Active Directory group policy to auto-enroll the certificate on one OU. Please note that this is a single-server deployment; enterprise deployments of Active Directory Certificate Services require detailed planning and design of the solution.

To secure the AD CS infrastructure, it's highly recommended to deploy a subordinate certificate authority and shut down your root certificate authority.

Active Directory Certificate Services design options are discussed on TechNet. AD CS includes programmable interfaces so that developers can create support for additional transports, policies, and certificate properties and formats. The Active Directory Certificate Services service architecture is also documented on TechNet, which helps when customizing AD CS.

Step by Step Active Directory Certificate Service Role Installation

Below is a step by step active directory certificate service role installation guide to deploy the services.

  • Log in to the Active Directory Certificate Services server and launch Server Manager
  • In Server Manager, click Add Roles and Features

  • Click Next on the following screen

  • By default, Role-based or feature-based installation is selected; click Next

  • Select the server on which you want to install this role and click Next

  • Select Active Directory Certificate Services. Click Add Features in the pop-up window and click Next

  • Click Next, as we don't need to install any additional features for AD CS

  • Click Next on the AD CS page

  • On the Role Services page, select Certification Authority and click Next

  • Click Install to start the installation process

  • Once the installation is completed, click Close to exit the wizard.

Configure Active Directory Certificate Service

As of now, we have our Active Directory Certificate Services server role installed. The next step is to perform the post-installation steps and configure Active Directory Certificate Services. To configure it, perform the following steps.

  • Click Configure Active Directory Certificate Services on the destination server. This opens the configuration wizard for the certificate authority

  • Provide the credentials of a user account that has Enterprise Admin and local Administrator rights and click Next

  • Select the role service to configure; we're setting up the Certification Authority

  • As we are using a domain-joined machine and setting up for the domain infrastructure, select Enterprise CA and click Next

  • As it's our first Active Directory Certificate Services server, select Root CA and click Next

  • Select “Create a new private key” and click Next

  • Select your cryptography options and click Next

We are using SHA256 because SHA1 is deprecated by all browsers and by Microsoft for server authentication.

  • The CA name is populated automatically; click Next

  • Define the validity period and click Next

  • Specify the certificate database location and click Next

  • Review the configuration and click Configure

  • Once the configuration is completed, click Close to exit the configuration wizard.
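The same single-server Enterprise Root CA deployment can be scripted instead of clicked through. This is an added example (not from the original post); the CA name, key length and validity period are assumed values, and it must run in an elevated PowerShell on the domain-joined server as a user with Enterprise Admin and local Administrator rights.

```powershell
# Added example, not part of the original post: scripted equivalent of the role installation
# and post-installation wizard described above.

# 1. Install the role (equivalent of Add Roles and Features > Active Directory Certificate Services
#    with the Certification Authority role service).
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# 2. Post-installation configuration (equivalent of "Configure Active Directory Certificate Services").
#    - Enterprise Root CA: the machine is domain joined and this is the first CA in the forest.
#    - SHA256 rather than the deprecated SHA1, as the text above recommends.
#    - A new RSA key held by the software KSP; 2048 bits here, larger keys are common for a root CA.
$caParams = @{
    CAType              = 'EnterpriseRootCA'
    CACommonName        = 'MSExpertTalk-Root-CA'          # assumed name; the wizard suggests <domain>-<host>-CA
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 2048
    HashAlgorithmName   = 'SHA256'
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 5                                # assumed validity of the CA certificate
    DatabaseDirectory   = 'C:\Windows\System32\CertLog'    # the wizard's default database location
    LogDirectory        = 'C:\Windows\System32\CertLog'
    Force               = $true
}
Install-AdcsCertificationAuthority @caParams

# 3. Verify: the service is running and the CA certificate really is signed with SHA256.
Get-Service CertSvc | Select-Object Name, Status
certutil.exe -cainfo name
$caCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like '*MSExpertTalk-Root-CA*' }
$caCert.SignatureAlgorithm.FriendlyName    # sha256RSA for a correctly configured CA
```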

Conclusion

In this blog article of the Active Directory Certificate Services series, we successfully installed Active Directory Certificate Services and completed the post-installation tasks. In part 2 of this series we will configure the certificate template and the group policy for certificate auto-enrollment.

Configuring Office 365 Preferred Language Settings

Introduction

Office 365 empowers organizations to use cloud-based services for their business and ensures anytime, anywhere access to corporate information. When you set up an Office 365 tenant for an organization with offices in different regions, you are also required to let your end users set their own preferred language in Office 365. For example, a user in Japan will prefer to use Japanese for the Office 365 portal instead of English. In Office 365 you set language settings for users based on how their identities are provisioned, and you can easily update them using PowerShell. If you have cloud-based identities, you use Azure AD to modify the user account properties in Office 365. If you are using Azure AD Connect to sync on-premises Active Directory accounts with Office 365, then you have to update the setting in the local Active Directory.

Configuring Office 365 Preferred Language Settings for Cloud Identities

Configuring Office 365 language settings for cloud-based identities requires you to connect to Azure AD PowerShell. Perform the following steps to configure these settings.

  • Connect to Azure AD PowerShell using global admin credentials

PS C:\> Connect-MsolService

  • Run the following cmdlet to set the preferred language for the user pgarcia@msexperttalk.com to Urdu

PS C:\> Set-MsolUser -UserPrincipalName pgarcia@msexperttalk.com -PreferredLanguage "ur-PK"

  • To verify the language settings for the user account, run the following cmdlet

PS C:\> Get-MsolUser -UserPrincipalName pgarcia@msexperttalk.com | fl PreferredLanguage

Configuring Office 365 Preferred Language Settings for Synced Identities

When you are using synced identities with Office 365, you need to modify the on-premises user attribute in Active Directory to set the preferred language in Office 365. To change the preferred language in Office 365 to Urdu for the user Phil, you need to set the “PreferredLanguage” attribute in the user account properties in Active Directory. By default, this attribute contains no value, and English is used as the default language.

  • To modify an individual user account, you can run the following PowerShell cmdlet. Set-ADUser does not accept a UPN as the identity, so the user is looked up by UPN first:

Get-ADUser -Filter "UserPrincipalName -eq 'pgarcia@msexperttalk.com'" | Set-ADUser -Replace @{PreferredLanguage="ur-PK"}

  • To update the preferred language attribute for all users in a specific OU, run the following cmdlet.

Get-ADUser -SearchBase "OU=Test,OU=IT,DC=msexperttalk,DC=com" -Filter * -Properties PreferredLanguage | ForEach-Object { Set-ADUser $_.SamAccountName -Replace @{PreferredLanguage="ur-PK"} }

  • To update the preferred language attribute of users in a specific domain, run the following cmdlets. They set the attribute only for those users who do not have it set yet.

# Exchange Management Shell only: scopes the recipient cmdlets to the domain; not needed by Get-ADUser/Set-ADUser
Set-AdServerSettings -RecipientViewRoot "msexperttalk.com"
# Change language to ur-PK for all users with a NULL value in the msexperttalk.com domain
Get-ADUser -SearchBase "DC=msexperttalk,DC=com" -Filter * -Properties PreferredLanguage | Where-Object { $null -eq $_.PreferredLanguage } | Select-Object SamAccountName | ForEach-Object { Set-ADUser $_.SamAccountName -Replace @{PreferredLanguage="ur-PK"} }
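Once the on-premises attribute is set, the value still has to travel through Azure AD Connect before the portal changes language. The following added example (not from the original post) compares the on-premises attribute with what the tenant shows for each user in an OU, so you can tell "not set", "still pending sync" and "in sync" apart. It assumes the ActiveDirectory and MSOnline modules are installed and Connect-MsolService has already been run; the OU and language tag are placeholders.

```powershell
# Added example, not part of the original post: on-premises vs Office 365 PreferredLanguage report.
function Compare-PreferredLanguage {
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # placeholder OU distinguished name
        [Parameter(Mandatory)][string]$Expected      # language tag you set on-premises, e.g. ur-PK
    )
    # Reject a malformed tag up front: on Windows PowerShell GetCultureInfo throws for an unknown name.
    $null = [System.Globalization.CultureInfo]::GetCultureInfo($Expected)

    Get-ADUser -SearchBase $SearchBase -Filter * -Properties PreferredLanguage, UserPrincipalName |
        ForEach-Object {
            $onPrem = $_.PreferredLanguage
            # Synced users are matched by UPN; a UPN the tenant does not know simply returns nothing.
            $cloud  = (Get-MsolUser -UserPrincipalName $_.UserPrincipalName -ErrorAction SilentlyContinue).PreferredLanguage
            [pscustomobject]@{
                UserPrincipalName = $_.UserPrincipalName
                OnPremises        = $onPrem
                Office365         = $cloud
                State             = if (-not $onPrem)              { 'NotSetOnPrem'    }   # still the English default
                                    elseif ($onPrem -ne $Expected) { 'UnexpectedValue' }
                                    elseif ($cloud -eq $onPrem)    { 'InSync'          }
                                    elseif ($null -eq $cloud)      { 'NotInTenant'     }
                                    else                           { 'PendingSync'     }   # wait for the next delta sync
            }
        }
}

# Show only the users that still need attention
Compare-PreferredLanguage -SearchBase 'OU=Test,OU=IT,DC=msexperttalk,DC=com' -Expected 'ur-PK' |
    Where-Object State -ne 'InSync' | Format-Table -AutoSize
```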

Preferred Language attribute settings will update the language for the following in Office 365.

  • Office 365 Default Landing page
  • General settings and menu
  • Office 365 Management portal
  • Video
  • Groups
  • OneDrive for Business
  • Delve
  • Office Online
  • Planner

To review a complete list of available language codes, please visit the Microsoft TechNet site.

Configuring Azure AD Connect to use specific Domain Controller

Introduction

The Microsoft Azure AD Connect (AAD Connect) tool replicates your on-premises Active Directory to Office 365. Configuring Azure AD Connect to use a specific domain controller can help expedite the replication of changes to Office 365. I have seen scenarios where on-premises Active Directory changes had not been replicated to Office 365 after 30 minutes while Azure AD Connect showed a successful delta sync status in the MIIS client. This happens because Azure AD Connect is replicating changes to Office 365 from a domain controller that does not yet have your latest updates.

How Azure AD Connect locate a Domain Controller?

When you deploy the Azure AD Connect tool in an Active Directory forest, Azure AD Connect uses DNS to locate a domain controller. Once Azure AD Connect has found a domain controller, it connects to the same domain controller every time until that domain controller becomes unreachable, and only then does Azure AD Connect try to connect to another domain controller.

Why we need to Configure Azure AD Connect to use specific Domain Controller?

Configuring Azure AD Connect to use a specific domain controller is required when you are implementing directory synchronization with Office 365 for a multi-site Active Directory infrastructure where users are in multiple Active Directory sites across the globe. If you are making Active Directory changes and need them replicated to Office 365 quickly, there are two options. Option 1 is to make the changes on the domain controller from which Azure AD Connect is replicating to Office 365. The downside of option 1 is that you have to check which domain controller the changes were replicated from during the last sync cycle. Option 2 is to configure the AAD Connect tool to use specific domain controllers. It's much easier to configure the list of domain controllers in the directory sync tool than to wait for replication to complete across Active Directory sites.

Configuring Azure AD Connect to use specific Domain Controller

Once the directory synchronization tool is installed, follow the steps below to configure the list of domain controllers to which the Azure AD Connect tool will connect.

  • Log in to the Azure AD Connect server and run the MIIS client

If you installed the tool in the default location, the MIIS client can be found at C:\Program Files\Microsoft Azure AD Sync\UIShell

  • Navigate to Connectors and open the properties of your connector

  • In the Properties window, select Configure Directory Partitions and click Configure to define your preferred domain controllers

  • Enter the FQDN of your preferred domain controllers and click Add

  • Once you have defined the preferred domain controllers, make sure you have checked the checkbox next to Only use preferred domain controllers

  • Click OK to complete the configuration of preferred domain controllers in the Azure AD Connect tool

The Azure AD Connect tool is now configured to use the preferred domain controllers only. Azure AD Connect will always check the preferred domain controllers for any modifications in Active Directory to replicate to Office 365. More information on the Azure AD Connect tool can be found in Microsoft's documentation.

Ldifde.exe Failed to Import Schema File Error Code 8224

Exchange Server installs and upgrades usually involve an update to the Active Directory schema. During my Exchange 2013 lab installation I encountered the following error during schema preparation.

There was an error while running ‘ldifde.exe’ to import the schema file ‘C:\Windows\Temp\ExchangeSetup\Setup\Data\PostExchange2003_schema0.ldf’. The error code is: 8224.

The above error message indicates that the import of the schema changes failed. When you check the domain controller holding the Schema Master FSMO role in your forest, you'll notice a corresponding warning in the Directory Services event log.

From this warning message we can see that the root cause is a replication issue in your directory services infrastructure. In my experience this is because a domain controller in the environment is offline or was decommissioned incorrectly, causing replication issues. To check the status of replication in your Active Directory infrastructure you can use either RepAdmin or the Active Directory Replication Services Tool. Once you have resolved the replication issues in your Active Directory infrastructure you will be able to extend the AD schema, and Exchange setup will not have any issues during the schema extension.

In my lab, one of the child domain controllers went offline and I forgot to check that. Once the child domain controller was up and running and I had a success message for replication in my lab, I was able to extend the schema during the Exchange 2013 SP1 installation.

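Both of the previous posts come down to the same question: are the domain controllers you depend on reachable and replicating? The following added example (not from the original posts) answers it for the preferred domain controllers you entered in Azure AD Connect and, run without arguments, for every domain controller in the forest before an Exchange schema update. It assumes the ActiveDirectory module (RSAT) is available on the machine running it; the domain controller names are placeholders.

```powershell
# Added example, not part of the original posts: replication health check for a list of DCs.
function Test-DcReplicationHealth {
    param(
        # Default: every DC in the forest (the ldifde/schema case). Pass the preferred DCs for Azure AD Connect.
        [string[]]$DomainController = ((Get-ADForest).Domains |
            ForEach-Object { (Get-ADDomainController -Filter * -Server $_).HostName })
    )
    foreach ($dc in $DomainController) {
        # 1. Reachability on LDAP: an offline or wrongly decommissioned DC fails here first.
        $ldap = Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue
        if (-not $ldap.TcpTestSucceeded) {
            [pscustomobject]@{ DomainController = $dc; Reachable = $false; Partner = $null
                               LastSuccess = $null; LastResult = $null; Failures = $null }
            continue
        }
        # 2. Inbound replication metadata per partner; LastReplicationResult 0 = last attempt succeeded.
        $meta = Get-ADReplicationPartnerMetadata -Target $dc -PartnerType Inbound -ErrorAction SilentlyContinue
        # 3. Persistent failures, which are what the Directory Services warning in the post reports.
        $fail = @(Get-ADReplicationFailure -Target $dc -ErrorAction SilentlyContinue)
        foreach ($m in $meta) {
            [pscustomobject]@{
                DomainController = $dc
                Reachable        = $true
                # Partner is the NTDS Settings DN: CN=NTDS Settings,CN=<DC name>,CN=Servers,... -> take the DC name
                Partner          = (($m.Partner -split ',')[1] -replace '^CN=')
                LastSuccess      = $m.LastReplicationSuccess
                LastResult       = $m.LastReplicationResult
                Failures         = $fail.Count
            }
        }
    }
}

# Azure AD Connect case: only the preferred domain controllers matter (placeholder names).
Test-DcReplicationHealth -DomainController 'dc01.msexperttalk.com', 'dc02.msexperttalk.com' | Format-Table -AutoSize

# Exchange schema case: anything unreachable or with a non-zero LastResult must be fixed before setup runs.
Test-DcReplicationHealth | Where-Object { -not $_.Reachable -or $_.LastResult -ne 0 } | Format-Table -AutoSize
```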