Among the many products that FEITIAN offers is a fingerprint card. I received my kit yesterday and I can now write this blog post.
Why send event logs? Security is an important issue these days. Sending security event logs to Sentinel provides an additional level of security for on-premises servers. For this, we rely on Azure Sentinel, Microsoft's SIEM. However, this operation has an Azure cost, so it is preferable to limit the events sent to the necessary logs (security, Defender, etc.). In this post we will first set up the forwarding of events to a collector via WinRMS and then configure…
As a best practice, it is important to have an offline root certification authority and a subordinate certification authority that issues certificates. We will look at how to migrate these two servers (from Windows Server 2012 R2 to Windows Server 2019).
Recently one of my customers wanted to change the KRBTGT password for security reasons. This account, present in Active Directory, is used by the Key Distribution Center. It is disabled and cannot be deleted or enabled. It is recommended to change its password two or four times a year.
Secure your desktop with BitLocker. Today, mobility means securing your workstations. BitLocker has been integrated into the operating system for many years. This functionality ensures data confidentiality in the event the computer is lost or stolen.
Install and configure the Windows Server role. With Windows Server 2012 R2, it is necessary to install the Volume Activation Services role from the Server Manager console.
What is Honolulu? Honolulu is a new way to manage servers. It consists in performing operations from a web interface instead of the various MMC consoles. How Honolulu works: the Honolulu application works through a web browser. It is possible to manage Windows Server 2016, 2012 R2 and 2012 servers. All of these servers are managed through a Honolulu gateway, which can be installed on a server running Windows Server 2016 or on a Windows 10 workstation. All operations are…
SetupConfig.ini file. When creating a Windows 10 master image, it is common to remove some or all of the universal apps. During Windows 10 build upgrades with WSUS or SCCM, the previously removed applications are installed again. To avoid this problem, it is necessary to use the SetupConfig.ini file.
Nano Server Image Builder. With Windows Server 2016, Microsoft introduced a new feature called Nano Server: a very light operating system that needs just a few megabytes to run. This “mini operating system” allows roles such as Hyper-V, DNS server, web server,… to be installed.
Why set up a subscription? If you have computers in a workgroup, it can be useful to centralize their event logs. This makes analysing the different event logs easier. Since the computers are in a workgroup, we use certificate-based authentication. To secure the exchanges, we will use the HTTPS protocol.
How to manage machines in a workgroup. If you have machines in a domain, remote administration is easy (through GPO, scripts,…). For workstations in a workgroup, the task turns out to be more complex: they only contain their own local GPOs and their own account database. It is nevertheless possible to use WinRM to perform remote administration. In order to secure the communications between the two computers (or between computer and server), it is possible to encrypt exchanges using…
Why manually delete a PKI? When you remove a PKI through the Windows wizards, Windows cleans up the records in Active Directory. However, if the server is reinstalled or the VM deleted without the certification authority role being removed beforehand, these records remain present in Active Directory. It is therefore necessary to clean them up before any new installation of an enterprise certification authority. This article details the different steps for cleaning Active Directory.
Fix the KB3148812 problem. The KB3148812 update causes installation problems: after installing it, the WSUS administration console becomes inaccessible. Moreover, clients can no longer contact the WSUS server. Initially Microsoft recommended not to install it, or to remove it for those who had already installed the update.
Licensing Server 2016. Windows Server 2016 will consist of two editions, as with Windows Server 2012 and 2012 R2. Standard edition: intended for environments with little or no virtualization. Datacenter edition: used for private and hybrid cloud environments.
Manage local account passwords. One element that is rarely changed is the password of local accounts. It is common to set the same local administrator password on all workstations and servers, which increases the impact of a security breach.
BitLocker problem. During a BitLocker project at a customer, I had a problem with the storage of the BitLocker recovery key in Active Directory. After setting up the group policy that configured the desktop and laptop clients (store the recovery key in AD, use TPM,…), I launched the script which enabled BitLocker on the system partition or other partitions.
Active Directory problem. While migrating Active Directory at one of my clients, I thought it worthwhile to share a solution to a problem. When you update the schema to add the RODC objects (adprep /rodcprep), an error 0x3 appears. When demoting a domain controller, error messages appear informing me of a problem.
During an AD audit at a client's site, I encountered the following problem: the gpotool command does not report replication issues at the GPO level. However, when generating a Group Policy Results report, a warning appears: AD/SYSVOL version mismatch.
Create a PSO. An AD domain contains a password policy that applies to all users. However, in some cases it is necessary to apply a different policy to one or more users.
Deploy MBAM. MBAM (Microsoft BitLocker Administration and Monitoring) helps secure and protect your desktops and laptops. You can deploy BitLocker from the operating system and store the key in Active Directory. However, if you have MBAM licenses, you will be able to implement it. This product provides portals for managing these recovery keys, so it is no longer necessary to have domain administrator rights to retrieve a BitLocker recovery key. Deployment guide for MBAM 2.0. Deployment…
Security fix. Microsoft has issued a security bulletin for a flaw in Secure Channel. With this vulnerability, an attacker can force a downgrade of the SSL/TLS version used.
Thanks to the TechNet team for this great article: “Configuring Scheduled Tasks in PowerShell”. Creating a scheduled task by GPO is not always feasible: the workstation may not be a member of the domain or may never be connected to the network. To overcome this problem, it is possible to create the task directly in PowerShell. We have two cmdlets at our disposal: one to create the configuration options and one to apply them. http://blogs.technet.com/b/heyscriptingguy/archive/2015/01/14/use-powershell-to-configure-scheduled-task.aspx
Updates not approved on a WSUS downstream server. After synchronizing a downstream server, updates appear in the Unapproved category.
After installing WSUS SP2 (KB2720211), if you enable SSL, the IIS application for WSUS stops working and there are many errors in the Event Viewer: event ID 12052, the DSS Authentication web service is not working. To fix this error, you must install KB2734608. You can download the file here. When the installation is complete, run the following commands on the WSUS server: iisreset, net stop wsusservice, net start wsusservice. From the WSUS server, run wsusutil /checkhealth. You can see…
WDS is closely linked to the DHCP server; if the two roles are installed on different servers, a slight modification to DHCP needs to be made. In this case it is necessary to add options 66 and 67 at the DHCP level. Option 66: IP address of the WDS server. Option 67: boot\x86\wdsnbp.com. After this modification, PXE boot works properly.
The lastLogon attribute can help with cleaning up your AD database. The value of this LDAP attribute can be retrieved in PowerShell, VBS or DOS.
It is sometimes necessary to rename a server, and depending on the installed role, some steps must be applied. Let's take the example of a domain controller running Windows Server 2012. First of all, it is necessary to check the functional level, which must be at least Windows Server 2003.
An AD forest may contain one or more AD domains, and depending on your situation, the placement of FSMO roles may differ. To position the different roles correctly, Microsoft provides documentation on its site that helps you make the right decision.
Every administrator has at some point found themselves with an isolated domain controller. In this case, after performing a dcpromo /forceremoval, the AD and DNS databases must be cleaned up. For this purpose, Microsoft provides the procedure to follow. For Windows Server 2003: http://technet.microsoft.com/en-us/library/cc736378(v=ws.10).aspx For Windows Server 2008 R2: http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx
When migrating a server, it is necessary to retrieve the network shares and their permissions.
Since Windows 2000, a domain user can join up to 10 machines to the domain. When joining the domain, a login and password are requested; it is sufficient for a user to enter his own username and password. He will be able to do the same for 9 other workstations.
GPOs are replicated by two mechanisms: AD replication (the GPC, the Group Policy Container) and file system replication (the GPT, the Group Policy Template contained in SYSVOL, which holds the configured settings). It nevertheless happens that replication goes wrong, resulting in a difference between the GPC and the GPT.
One of the new features of Windows Server 2008 R2 is the Active Directory Recycle Bin. We can now “restore” a user account that has been deleted. However, this requires a Windows Server 2008 R2 functional level.