Monthly Archives: September 2011

Remote Desktop Services RDS – Unable to logon from Windows 7 when certificate has expired

In Remote Desktop Services it is possible to tunnel all traffic over TLS. You can choose between the default self-signed certificate and one issued by an external CA. If you pick a certificate that is autoenrolled from another CA there are some issues. When the …

Posted in Windows

Write a CSR to a CA with Openssl

If you order e.g. a wildcard certificate, you don't want to generate the keys on a web server, because you can't export them from there without special tools. Instead you can use openssl to create the key pair and the CSR. 1. First we create a …

Posted in PKI

Create users in Active Directory with powershell

New-ADUser -Name "Donald Duck" -SamAccountName DonaldDuck -DisplayName "Donald Duck" -Title "User Account" -Enabled $true -AccountPassword (ConvertTo-SecureString "Password" -AsPlainText -Force) -PassThru -Path "OU=Users,DC=Domain,DC=Com" -AccountExpirationDate "2012-04-17T14:22:48.0000000"

Posted in Active Directory, Powershell

Add third party CA in Active Directory to enable smart card logon

If you want to be able to use a smart card issued by a third-party CA to log on to your Active Directory, there are a few steps you have to do. You have to tell Active Directory to trust the …

Posted in Active Directory, PKI

Active Directory – Disable initial sync

Before Active Directory starts it will do an initial sync with the other domain controllers. This can take several minutes if the other DCs are offline, e.g. in a test environment. Add the registry value below and reboot the DC …

Posted in Active Directory

How to issue a new revocation list without the CA online

The CA certificate (with its private key) must be installed in the computer's certificate store.

Re-sign the CRL: certutil -v -f -sign InFile OutFile ValidityPeriod (Days:Hours)

certutil -v -f -sign "PKI LAB ISSUING CA.crl" "PKI LAB ISSUING CA2.crl" 90:00

Posted in PKI

Vmware, Slow console for Win2008-R2 on ESX 4.1

By default the video RAM (Edit Settings/Video/Video RAM) is set to 8 MB. With that setting VMware Tools will not install the WDDM driver. You need to increase the video RAM to 32 MB before installing VMware Tools. If you don't change the …

Posted in Vmware

Working with openssl and pkcs12 files

Extract the private key without password (unencrypted) from your pkcs12 file:

openssl pkcs12 -in keyexport.pfx -nocerts -nodes -out keyexport.prv

Enter the password used to create your pkcs12 (.pfx) file.

Extract the private key with password (encrypted) from your pkcs12 file:

openssl pkcs12 -in keyexport.pfx …

Posted in PKI

Metadata cleanup of a domain controller with ntdsutil

This can normally be done by just deleting the domain controller's computer account (not prior to Windows 2008). Otherwise, start ntdsutil.exe and run:

activate instance ntds
metadata cleanup
connections
connect to server [domain controller]
quit
select operation target
list domains
select domain %
list …

Posted in Active Directory

Activate Netlogon debug logging

Enable: nltest /DBFlag:2080FFFF, then restart the Netlogon service.

Disable: nltest /DBFlag:0x0, then restart the Netlogon service. Alternatively, remove the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag and restart the Netlogon service.

The log is found in %windir%\debug\netlogon.log

http://support.microsoft.com/kb/109626

Posted in Active Directory