Sunday 22 November 2009

Active Directory: Corrupt Certificate Templates

I was trying to get my Windows Mobile 6.5 to work with Exchange 2010, but when I tried to request a certificate from my CA I got the following error:

Eventid: 53, CertificationAuthority
Message: Active Directory Certificate Services denied request 17 because The requested certificate template is not supported by this CA. 0x80094800 (-2146875392). The request was for CN="". Additional information: Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: User.

Now what? For some reason the CA thinks my User certificate template does not exist. It turned out the User certificate template on my CA was corrupt for some reason. This is how I fixed it.

Note: I assume you back up your CA before changing settings, so I won't mention it in the how-to.

1. Stop the Certificate Services Service.
net stop CertSvc

2. Open ADSI Edit and open the Configuration naming context. Then go to CN=Services, CN=Public Key Services, CN=Certificate Templates. If all is well there should be quite a few items listed there. Empty out the CN=Certificate Templates container. The easiest way to do this is to delete CN=Certificate Templates and recreate it with the same name.

3. Start the Certificate Services Service.
net start CertSvc

4. Open the Certification Authority snap-in and go to Certificate Templates. You should see all templates listed with an X in front of them.

If this is the case, right-click Certificate Templates and choose Manage. Windows should show a popup with a message like: "New certificate templates are found, would you like to install them?". Agree with the message and watch the magic happen. After a few moments (depending on the size of your AD) you'll be able to issue certificates again.
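Before you empty the container it helps to know what is in it and what the CA is trying to publish. The script below is an added example, not part of the original post: it records the template names in CN=Certificate Templates, compares them with the templates the CA has enabled, and lists the most recent Event ID 53 denials. It assumes it runs on the CA itself (it reads the CA's registry) and that the policy module's Templates value is stored as name/OID pairs.

```powershell
# Added example: inventory certificate templates before rebuilding the container.
function Get-AdCertificateTemplates {
    $configNc  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    foreach ($child in $container.Children) { $child.Properties['cn'][0] }
}

function Get-CaPublishedTemplates {
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $base).Active
    $policy = Join-Path $base "$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    $pairs  = @((Get-ItemProperty -Path $policy).Templates)
    # Assumption: the multi-string alternates template name and template OID; keep the names.
    for ($i = 0; $i -lt $pairs.Count; $i += 2) { $pairs[$i] }
}

function Get-TemplateDenials {
    # Event ID 53 from the CA (the denial quoted above) is written to the Application log.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 53 } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*CertificationAuthority*' } |
        Select-Object -First 5 TimeCreated, Message
}

$inAd = @(Get-AdCertificateTemplates)
$onCa = @(Get-CaPublishedTemplates)

# Keep a copy of the names so the container can be checked again after the rebuild.
$inAd | Set-Content -Path "$env:TEMP\CertificateTemplates-before.txt"

"Templates in the AD container: $($inAd.Count); enabled on the CA: $($onCa.Count)"
$missing = $onCa | Where-Object { $inAd -notcontains $_ }
if ($missing) {
    "Enabled on the CA but absent from AD (requests are denied with 0x80094800): $($missing -join ', ')"
}
Get-TemplateDenials | Format-Table -AutoSize
```

Run it again after step 4; the "absent from AD" line should be gone once the templates have been reinstalled.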

Friday 16 October 2009

Exchange 2010 Certified!

I just received the following email from MS Learning:

Congratulations on earning your Microsoft Exchange Server 2010, Configuration certification! We hope you enjoy the benefits of your certification and of membership in the Microsoft Certified Professional community.

Saturday 10 October 2009

Active Directory: AD Recycle Bin GUI

Earlier on I blogged about the AD Recycle Bin. In this blog we checked out how the AD Recycle Bin is activated and how it's used through Powershell or LDP.

The fellows at Overall Solutions Inc. made a very nice GUI. In this GUI it's possible to see which items are deleted and also recover the deleted items.

The download can be found at http://www.overall.ca/index.php?option=com_content&view=article&id=40:adrecyclebin&catid=15:adrecyclebinexe&Itemid=64

The GUI is built like this:

Friday 9 October 2009

Exchange 2010 RTM!

Yesterday at TechNet Live they already had some interesting information. At the end of the day when asked the question: "When will Exchange 2010 be RTM" the only answer we got was: "Check out the Exchange Team blog tomorrow". And what have we got? Finally! Exchange 2010 got RTM'd!

For the full announcement see: http://msexchangeteam.com/archive/2009/10/08/452775.aspx

In my opinion some very good news to get on Friday!


Stefan Hazenbroek

Monday 5 October 2009

Active Directory: FSMO Roles in Windows Server 2008 R2

I've been getting a lot of questions and debate about FSMO roles in an Active Directory domain environment. Where should you place which role? What does a specific role do? Should I seize it if it's not available?

I'll start by summing up the available roles and their tasks. The function of each role is described as it is in Windows Server 2008 R2.

Schema Master

There can only be one Schema Master per forest. The Schema Master holds the only writable copy of the schema, and additions to it can only be made by a member of the Schema Admins and Enterprise Admins security groups.

When this role is unavailable, additions or changes to the schema cannot be made.

Domain Naming Master

The Domain Naming Master is responsible for the addition or removal of domains in the forest. The Domain Naming Master is a forest-wide role, which means only one can be defined per forest.

When this role is unavailable, no domains can be added, removed or renamed.

Infrastructure Master

The Infrastructure Master is a domain-wide role, which means it is defined per domain. Logically, if you have 3 domains within your forest, you have 3 domain controllers that contain the Infrastructure Master role. The Infrastructure Master is responsible for updating links to objects in the domain to objects in other domains. There can only be one defined per domain.

When the Infrastructure Master is unavailable, changes in objects do not get replicated. However, when all domain controllers are also Global Catalogs, the Infrastructure Master has no function.

RID Master

The RID (or Relative ID) Master is responsible for RID requests from all domain controllers within its domain. When the RID pool of a domain controller depletes, it requests a new pool from the RID Master. The RID Master can only be defined once per domain.

When the RID Master is unavailable and a domain controller runs out of available RIDs, no new objects (such as users, groups and computers) can be created.

PDC Emulator

The PDC (or Primary Domain Controller) Emulator role acts as the PDC when Windows NT BDCs are used. The PDC Emulator also acts as Master Browser for the domain and handles password updates for the domain. The PDC Emulator can only be defined once per domain.

When the PDC Emulator is unavailable, password changes get replicated with the regular replication traffic instead of right away through the PDC Emulator. Also, time (net time) will not get synced during this period, which can be an issue in a domain environment.

Now, what if a domain controller is unavailable for a while and you need to seize the role? In a pre-Windows Server 2008 R2 environment, that is, an environment without AD Powershell, this can be quite the hassle. When you need to move the Schema Master you first have to register the DLL for the MMC snap-in, after which you can move it. It just costs needless time. With the AD Powershell module the syntax is:

Move-ADDirectoryServerOperationMasterRole -Identity <ADDirectoryServer> -OperationMasterRole <ADOperationMasterRole[]>

For example, when you want to move the Infrastructure Master to domain controller "DC001" you'll use:

Move-ADDirectoryServerOperationMasterRole -Identity DC001 -OperationMasterRole InfrastructureMaster

Now, if the server that holds the role is unavailable you can of course seize it. This can also be done in Powershell, by adding the -Force parameter to the cmdlet. To seize the Infrastructure Master to domain controller DC001 you'll use:

Move-ADDirectoryServerOperationMasterRole -Identity DC001 -OperationMasterRole InfrastructureMaster -Force
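The seize question above comes down to "is the current holder really gone?". The script below is an added example, not code from the original post: it lists every role holder in the forest with an Online column, checks whether the Infrastructure Master still matters in a domain (all DCs being GCs), and wraps Move-ADDirectoryServerOperationMasterRole so that -Force is only used when the holder does not answer and the caller explicitly allows a seize. It assumes the Windows Server 2008 R2 AD Powershell module; DC001 and domain.test are the post's example names.

```powershell
# Added example: inventory FSMO holders and transfer or seize deliberately.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    $forest = Get-ADForest
    New-Object PSObject -Property @{ Domain = $forest.RootDomain; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
    New-Object PSObject -Property @{ Domain = $forest.RootDomain; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        foreach ($role in 'InfrastructureMaster', 'RIDMaster', 'PDCEmulator') {
            New-Object PSObject -Property @{ Domain = $domainName; Role = $role; Holder = $domain.$role }
        }
    }
}

function Test-FsmoRoleHolder {
    # Adds an Online column so you see which holders are unreachable before deciding anything.
    foreach ($entry in Get-FsmoRoleHolder) {
        $online = Test-Connection -ComputerName $entry.Holder -Count 1 -Quiet
        $entry | Add-Member -MemberType NoteProperty -Name Online -Value $online -PassThru
    }
}

function Test-InfrastructureMasterNeeded {
    param([string]$Domain)
    # As noted above: when every DC in the domain is also a GC the Infrastructure Master has nothing to do.
    $dcs = @(Get-ADDomainController -Filter * -Server $Domain)
    return (@($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -gt 0)
}

function Move-FsmoRole {
    param([string]$Domain, [string]$Role, [string]$Target, [switch]$AllowSeize)
    $current = Get-FsmoRoleHolder | Where-Object { $_.Domain -eq $Domain -and $_.Role -eq $Role }
    if (-not $current) { throw "Role $Role not found for domain $Domain." }
    if (Test-Connection -ComputerName $current.Holder -Count 1 -Quiet) {
        # Holder answers: a normal transfer, no -Force needed.
        Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role -Confirm:$false
    } elseif ($AllowSeize) {
        # Holder is down and the caller accepted a seize; the old holder must not return with the role.
        Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role -Force -Confirm:$false
    } else {
        throw "$($current.Holder) does not answer; rerun with -AllowSeize to seize $Role to $Target."
    }
}

Test-FsmoRoleHolder | Format-Table Domain, Role, Holder, Online -AutoSize
Test-InfrastructureMasterNeeded -Domain 'domain.test'
# Move-FsmoRole -Domain 'domain.test' -Role InfrastructureMaster -Target DC001
```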

Finally, one shell to manage your complete AD in!


Stefan Hazenbroek

Monday 7 September 2009

ConfigMgr: SMS Site Component Manager failed to reinstall this component on this site system.

In a ConfigMgr environment you may run into the following error when SMS_SITE_SQL_BACKUP runs and the SQL Server is on a remote system.
SMS Site Component Manager failed to reinstall this component on this site system.

Solution: Review the previous status messages to determine the exact reason for the failure. SMS Site Component Manager will automatically retry the reinstallation in 60 minutes. To force SMS Site Component Manager to immediately retry the reinstallation, stop and restart SMS Site Component Manager using the SMS Service Manager.

I noticed this error at home (yes, I'm running ConfigMgr 2007 SP1 + R2 at home, call me crazy ;-)) and started looking for a solution. After finding no KB article or anything else about it I kept searching. The reason for this error seems to be that the executable that installs the service cannot be bootstrapped on the SQL Server.

Luckily, the fix is quite easy. Go to the ConfigMgr installation directory, in my case
C:\Program Files (x86)\Microsoft Configuration Manager\

and open the file install.MAP in Notepad. In this file, search for the following lines:
FILE <smssqlbkup.exe><1><766496>
FILE <smssqlbkup.exe><1><1547296>

Change these lines to the following:
FILE <smssqlbkup.exe><1><766496>
FILE <srvboot.exe><0><219904>
FILE <smssqlbkup.exe><1><1547296>

Afterwards restart SMS_SITE_COMPONENT_MANAGER on the site server and reopen the component log after a minute or so. After changing install.MAP and restarting SMS_SITE_COMPONENT_MANAGER I got the following happy message:
SMS Site Component Manager successfully reinstalled this component on this site system.
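If you have to apply this on more than one site server, an idempotent edit is safer than hand-editing. The script below is an added example and not from the original post: it backs up install.MAP, inserts the srvboot.exe line directly after the first smssqlbkup.exe line only if it is not already there, and refuses to touch the file when the anchor line is missing. The path and the FILE lines are the ones quoted above.

```powershell
# Added example: apply the install.MAP fix with a backup and without duplicating the entry.
$mapPath = 'C:\Program Files (x86)\Microsoft Configuration Manager\install.MAP'
$anchor  = 'FILE <smssqlbkup.exe><1><766496>'
$insert  = 'FILE <srvboot.exe><0><219904>'

function Add-SrvBootEntry {
    param([string]$Path)
    $lines = @(Get-Content -Path $Path)
    if ($lines -contains $insert) {
        return 'install.MAP already contains the srvboot.exe entry; nothing to do.'
    }
    $index = [array]::IndexOf($lines, $anchor)
    if ($index -lt 0) {
        throw "Anchor line '$anchor' not found in $Path; file left unchanged."
    }
    # Keep a timestamped copy before writing anything.
    Copy-Item -Path $Path -Destination "$Path.$(Get-Date -Format yyyyMMddHHmmss).bak"
    $head = $lines[0..$index]
    $tail = @()
    if ($index -lt $lines.Count - 1) { $tail = $lines[($index + 1)..($lines.Count - 1)] }
    Set-Content -Path $Path -Value ($head + $insert + $tail) -Encoding Ascii
    return "Inserted '$insert' after line $($index + 1); restart SMS_SITE_COMPONENT_MANAGER to retry."
}

Add-SrvBootEntry -Path $mapPath
```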

I hope this helps resolve some issues.

Sunday 6 September 2009

Active Directory: Configure AD Recycle Bin

Every Active Directory administrator deals with it eventually: a user, a group of users or even an OU gets deleted by accident. Retrieving the objects using an authoritative restore isn't the nicest job to do, because a lot of fields are stripped out when the account is deleted.

Windows Server 2008 R2 has a solution for this, namely the Active Directory Recycle Bin. In this blog post I will explain how you set up the AD Recycle Bin and how you can retrieve items afterwards. One drawback though: there is no nice interface available from Microsoft yet.

First off, the Forest Functional Level must be Windows Server 2008 R2. This can be done using Active Directory Domains and Trusts, or just as easily using Powershell.

Through Active Directory Domains and Trusts:

Through Powershell:
Set-ADForestMode -Identity domain.test -ForestMode Windows2008R2Forest
Now that the forest is at the right level we'll start by configuring the AD Recycle Bin. First we enable the optional feature in Powershell with the following command.
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=test' -Scope ForestOrConfigurationSet -Target 'domain.test'
When this is done we need to make the forest aware that the optional feature is installed. This can be done using LDP. Start LDP via Run by typing ldp.exe. In LDP, connect to the domain controller that hosts the root domain (the first domain): click Connection, choose Connect, type the hostname of the DC you want to connect to, then choose Bind. In the menu bar open View and choose Tree. In the popup box choose the Configuration BaseDN.

Navigate to the CN=Partitions container, right-click it and choose Modify.

Make sure the field DN is empty and fill in the following in the other two fields:

Edit Entry Attribute
In the Operation field choose Add and click Enter. The extension will now appear in the Entry List field. At the bottom of the popup box choose Run and then Close. When you double-click CN=Partitions on the left side, the following appears in the details pane on the right:
msDS-Behavior-Version: 4 = ( WIN2008R2 );
msDS-EnabledFeature: CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=test;
name: Partitions;
If this is the case the Recycle Bin is installed correctly and we can start using it.
ATTENTION! From this moment on the Recycle Bin feature is activated. Any user deleted before this action cannot be retrieved using the AD Recycle Bin.
Through LDP:
Open LDP again and connect and bind to the DC hosting the root domain. In the menu bar click Options and choose Controls.

When this is loaded, choose View and Tree and select the BaseDN of the forest, in my case DC=domain,DC=test. On the left side you'll see CN=Deleted Objects,DC=domain,DC=test. Double-click it and a list of all deleted users opens on the left side. When you find the user you are looking for, right-click the user and choose Modify. Make sure the popup screen looks like the following screen:

Afterwards choose Run and the object will be retrieved from the Recycle Bin, after which you can see this in Active Directory Users and Computers again.

Through Powershell:
I know what you're thinking. We have an awesome tool called Powershell, why wouldn't we use that? Well, that's what we're going to look at now. Because we enabled the optional feature using Enable-ADOptionalFeature we have access to the Restore-ADObject cmdlet. Say you know the username of the user you want to recover. You can find the deleted object by running the following cmdlet:
Get-ADObject -Filter {sAMAccountname -eq "test"} -IncludeDeletedObjects
When this is executed the output will be as following:

If this is the account you want to recover, run the following cmdlet:
Get-ADObject -Filter {sAMAccountname -eq "test"} -IncludeDeletedObjects | Restore-ADObject
That's it, the filter can be adapted to about anything you're comfortable with using Powershell. In a later blog post I'll post more information about retrieving objects or OU's.
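The one-liner above works as long as the user's OU still exists. The script below is an added example, not from the original post, and goes one step further than the text: it first checks that the Recycle Bin feature is actually enabled (otherwise Restore-ADObject only reanimates a stripped tombstone), refuses to guess when several deleted objects share a username, and restores any deleted parent OUs before the user, since Restore-ADObject fails while the parent is still under CN=Deleted Objects. It assumes the 2008 R2 AD Powershell module and the post's constructed names domain.test and "test".

```powershell
# Added example: restore a deleted user together with its deleted parent OUs.
Import-Module ActiveDirectory

function Test-AdRecycleBinEnabled {
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    return (@($feature.EnabledScopes).Count -gt 0)
}

function Restore-DeletedUser {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    if (-not (Test-AdRecycleBinEnabled)) {
        throw 'The AD Recycle Bin is not enabled; deleted objects are only tombstones.'
    }
    $found = @(Get-ADObject -Filter { sAMAccountName -eq $SamAccountName } -IncludeDeletedObjects -Properties lastKnownParent |
        Where-Object { $_.Deleted })
    if ($found.Count -eq 0) { throw "No deleted object with sAMAccountName '$SamAccountName'." }
    if ($found.Count -gt 1) { throw "Several deleted objects match '$SamAccountName'; restore by ObjectGUID instead." }
    $user = $found[0]

    # Walk up lastKnownParent: a parent that was deleted too now lives under CN=Deleted Objects.
    $ancestors = @()
    $parentDn = $user.lastKnownParent
    while ($parentDn -like '*CN=Deleted Objects,*') {
        $parent = Get-ADObject -Identity $parentDn -IncludeDeletedObjects -Properties lastKnownParent
        $ancestors += $parent
        $parentDn = $parent.lastKnownParent
    }
    # Restore the outermost ancestor first so every child finds its parent back in place.
    [array]::Reverse($ancestors)
    foreach ($ou in $ancestors) { Restore-ADObject -Identity $ou.ObjectGUID }
    Restore-ADObject -Identity $user.ObjectGUID
    return Get-ADObject -Identity $user.ObjectGUID
}

Restore-DeletedUser -SamAccountName 'test'
```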

For more information about retrieving objects from the Recycle Bin please look at the following link: