Sep
06
2010
When you install Windows 2008 Certification Authority a new domain controller certificate template named Kerberos Authentication is available. It replaces the Domain Controller Authentication template. If you need more information about the new certificate templates shipped with a Windows 2008 CA you can read this article.
Here is a tab that outlines the specific attributes of the Domain Controller Authentication and Kerberos Authentication templates:
|
Domain Controller Authentication |
Kerberos Authentication |
Key Usage |
Client Authentication
Server Authentication
Smart Card Logon |
Client Authentication
Server Authentication
Smart Card Logon
KDC Authentication. |
Subject Alternate Name |
DNS Name : Domain Controller FQDN. |
DNS Name : Domain FQDN.
DNS Name : Domain NetBios name. |
Read more »
Aug
07
2010
You might already know that Windows 2000 and XP SP2 are not supported by MS since the 13th of july 2010. As a consequence you cannot install new security patches released by MS on these platforms. A critical security vulnerability MS10-46 is corrected by the KB2286198 patch which was released the 3rd of august. This patch applies at least to Windows XP SP3 (for workstation versions) and Windows 2003 SP2 (for server versions). The KB article explains a workaround for the security patch, you need to edit two registry keys and disable a service.
You can apply this workaround on earlier version of Windows, if all your computers are not up to date. The disavdantage of this method is that icon images will disappear on some of your *.lnk files. So my advice is to upgrade as soon as possible your computers to a version which is supported by MS and apply the official security patch. Use the workaround only as last resort, the purpose of this post is to show you how to deploy this workaround with a GPO and play with WMI filtering. The Group Policy Center already wrote an article on how to deploy this workaround with GPO. We will just show you in this post how to target more precisely your computers which need the workaround by using WMI filers. We will achieve this under Windows 2008 by using Group Policy Preferences and activate the GPO workaround on the computers which have not the KB2286198 security patch installed. And we will show you how to achieve the same thing under AD 2003, without using Group Policy Preferences.
Read more »
Aug
05
2010
The purpose of this article is to show how to restore deleted objects with their group membership using Powershell. In order to achieve this you will need to set up a lag site in your domain. If your domain functional level is Windows 2008R2 and you have turned on the recycle bin, you can simply restore an object with its group membership using Microsoft Powershell 2.0 Cmdlets without any lag site.
The method we will describe to achieve practically the same result works starting Windows 2003 server and later versions. We will restore objects from the Tombstone using Quest AD Cmdlets, your administration console should be at least running Windows XP, you do not need to install the RSAT (running on Windows 7 and 2008 server). You might have noticed on the “latest AD news sidebar“ that QAD Cmdlets version 1.4 was released a few days ago. The disadvantage of the method described is that it might be not supported by MS, for best practices regarding deleted objects restore you can read this KB article, you will also need to modify your Active Directory schema. Use this method if a few accounts are deleted, if have you deleted an entire OU use a proper authoritative restore. The advantage of using the powershell script is that the restore process is really quick.
Read more »