Channel: Security forum

Notification for ADCS, prior to the expiration date of the root certificate


Hello All,

I am running a Windows 2003 ADCS environment. We recently faced a situation where everything stopped working (Lync, VPN, Wi-Fi etc.).

It was the root certificate expiration on the actual ADCS server. Is there a way for us to configure e-mail notification alerts?

Thanks
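One way to get the notification asked for above, as an added example that is not from the original post: a scheduled PowerShell script that checks the CA certificates in the local machine stores and mails a warning before they expire. The SMTP host and addresses are placeholders, and it assumes PowerShell 2.0 or later (Send-MailMessage) on the CA or a monitoring host.

```powershell
# Added example (not from the original post): e-mail a warning when a CA
# certificate in the local machine stores is within $WarnDays of expiry.
# Assumes PowerShell 2.0+ and an internal SMTP relay; host names and
# addresses below are placeholders. Run it from a scheduled task on the CA.
param(
    [int]      $WarnDays   = 90,
    [string]   $SmtpServer = 'smtp.example.internal',        # placeholder
    [string]   $From       = 'pki-monitor@example.internal', # placeholder
    [string[]] $To         = @('pki-team@example.internal')  # placeholder
)

# The CA's own certificate is in LocalMachine\My on the CA host and the root
# is in LocalMachine\Root. Only certificates whose Basic Constraints say
# CA=TRUE are reported; end-entity certificates are renewed by autoenrollment.
function Get-ExpiringCaCertificate {
    param([int] $Days)
    $cutoff = (Get-Date).AddDays($Days)
    Get-ChildItem -Path Cert:\LocalMachine\My, Cert:\LocalMachine\Root |
        Where-Object {
            $bc = $_.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
            }
            ($bc -ne $null) -and $bc.CertificateAuthority -and ($_.NotAfter -le $cutoff)
        } |
        Select-Object Subject, Thumbprint, NotAfter,
            @{ Name = 'DaysLeft'; Expression = { [int] (($_.NotAfter - (Get-Date)).TotalDays) } }
}

$expiring = @(Get-ExpiringCaCertificate -Days $WarnDays)
if ($expiring.Count -gt 0) {
    $body = $expiring | Format-List | Out-String
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "[PKI] $($expiring.Count) CA certificate(s) on $env:COMPUTERNAME expire within $WarnDays days" `
        -Body $body
}
```

A 90-day lead time leaves room to renew a root (and re-issue the subordinate CA certificate) before clients that chain to it start failing.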

  


Restrict Administrator from accessing Folders


I'm a General Manager of an Engineering Organization, and I have critical data folders on a file server (Accounts, Financial Data, HR). I want to ask if there is any solution to restrict the network administrator from accessing these folders.

I can demote his account to power user, but then I will face other issues in the future if I want him to troubleshoot any network problem.

Please try to give me some options.

Thanks


Ahmad

Purpose of certificate in the Operation manager store - ADCS server.


Hello,

I have a Windows 2003 ADCS server. When I open the MMC snap-in for the local computer, I can see one of the certificates under the Operation Manager store expiring soon.

Can anyone please tell me the purpose of the Operation Manager store on the ADCS server?

Thanks

How can we prevent the local admin from viewing the data on the server?


Hi

We have a requirement to prevent the local admin from viewing the data on the server.

Please suggest steps if someone has done this, and what the best approach would be.

Thanks

V.S

Error of The permissions on the certificate Template do not allow the current user to enroll for this type of certificate. 0x80094012 (-2146877422)

Hi There,

I have a complex issue related to a certificate template. The environment at my end is as follows:

I have 2 machines -

1) Windows Server 2012 R2, a domain controller hosting the custom certificate enrollment application that enrolls certificates for users.

2) Windows Server 2008 R2, a member server with the Certificate Authority configured.

I don't want to add the Authenticated Users group to my certificate template, so I created a new certificate template, removed the Authenticated Users group from the ACL of this template and added a new user group with Read and Enroll permissions on it.

When I tried to enroll the certificate from the 2012 R2 machine, I got the error: The permissions on the certificate template do not allow the current user to enroll for this type of certificate. 0x80094012 (-2146877422)

I tried to find out the reason, and from one of the blogs I came to know this:

The CA itself is included in the Authenticated Users group. Once we remove this group from the certificate template, the Certificate Authority stops contacting the template; as a result we get the error in the system log as well as in the revoked certificates list: Certificate Request Denied. So if you do not want to add the Authenticated Users group to the template, you have to add the CA computer machine's name to the template with Read permission on it.

I tried it, but I am still facing the issue.

One more thing: if I try to enroll a certificate using the MMC without my custom certificate enrollment application, enrollment takes place.

Kindly help me to resolve this.

Regards

Sonam

How can I limit a client from seeing parts of the network?


Hello.

I want to join a new client to my network, and this client wants to do some tests on the system, but I don't want this client to see other systems and servers in the network. How can I limit it?

Thank you.

Remote Desktop Login events


I am trying to capture, through SCOM, events when specific accounts RDP into servers. I know it is logon type 3, but the workstation name the session is initiated from is blank. Is there a specific configuration required to log this information?

Thanks

Paul


Paul Glickenhaus

migrating from OLD PKI to NEW

Hi
I have an "old" PKI and a "NEW" PKI working together: the NEW PKI issues new certificates while the OLD PKI is slowly fading out.

All computers use old machine authentication certificates.
New computers or renewed certs shall be issued from the NEW PKI.

It means that for some time computers will use old and new certificates, which is a problem for us.

Is it possible to force all computers to enroll for NEW certs at once?

Gal

Migrating Enterprise CA from 2003 to 2008 r2


Can someone please point me in the right direction or provide instructions on how to migrate the CA to a new Windows 2008 R2 box?

Thank you in Advance

Windows Server Security, 2008/2012 R2 Standard editions


We are continuously getting SSH, SQL Server and FTP requests, and maybe more, on a few of our web servers. We managed to deal with FTP by installing FileZilla and configuring auto-ban of IPs after failed authentications. How can this be done for the other services to protect the complete server?

More details: We are a team of web developers and have a total of 7 servers; 4 of them are on Windows 2008 R2 and the rest are on 2012 R2. Of these servers, 2 are used for development and testing and 5 are production. We use SQL Browser, RDP, FTP and HTTP(S), so we cannot totally close these ports.

A couple of weeks back: There is a lot going on on these servers, so we could not monitor everything. Two weeks ago a couple of websites went down; on checking later, the websites were still there but the files had been renamed, like index.html to index.html'''''', and we also found some new folders with files written in Chinese or Japanese or something like that. We cannot block countries, as we have some e-commerce sites running and do business with them.

Now: We have disabled the previous admin account and created new ones. FileZilla Server's auto-ban is proving good, and things seem to be fine now, but in the Event Viewer security logs we daily find tons of failed login attempts. Many of them are anonymous and do not show any source IP address. We have tried Cyberarms IDDS, but that wasn't helpful with the anonymous attempts.
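The "tons of failed login attempts" above can be summarised from the Security log rather than read one by one. This is an added example, not code from the original post: it groups event 4625 by source address, keeps the attempts without an address in a separate bucket (they cannot be banned by IP), and can turn the worst offenders into a Windows Firewall block rule. It assumes failure auditing for logon events is enabled; New-NetFirewallRule exists on Windows Server 2012 and later only.

```powershell
# Added example (not from the original post): summarise failed logons (Security
# event 4625) from the last $Hours hours and list the source addresses that
# crossed a threshold, optionally turning them into a firewall block rule.
# Assumes "Audit Logon" failure auditing is on; New-NetFirewallRule needs
# Windows Server 2012 or later (use "netsh advfirewall" on 2008 R2).
param(
    [int]    $Hours     = 24,
    [int]    $Threshold = 20,
    [switch] $Block
)

function Get-FailedLogonSummary {
    param([int] $Hours)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x = [xml] $e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # IpAddress is '-' when the logon path did not record a client address
        # (the "anonymous" attempts in the post); keep them visible but apart,
        # since they cannot be blocked by address.
        $src = $d['IpAddress']
        if (-not $src -or $src -eq '-') { $src = '(no source address)' }
        New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            User      = $d['TargetUserName']
            Source    = $src
            LogonType = $d['LogonType']      # 3 = network (SMB/SQL/NTLM), 10 = RDP
            SubStatus = $d['SubStatus']      # 0xC000006A bad password, 0xC0000064 no such user
        }
    }
}

$failures = @(Get-FailedLogonSummary -Hours $Hours)
$bySource = $failures | Group-Object Source | Sort-Object Count -Descending
$bySource | Select-Object Count, Name | Format-Table -AutoSize

# Addresses over the threshold; the unattributed bucket is excluded on purpose.
$offenders = $bySource |
    Where-Object { $_.Count -ge $Threshold -and $_.Name -ne '(no source address)' } |
    ForEach-Object { $_.Name }

if ($Block -and $offenders) {
    New-NetFirewallRule -DisplayName "Block brute-force sources $(Get-Date -Format yyyyMMdd)" `
        -Direction Inbound -Action Block -RemoteAddress $offenders
}
```

The LogonType and SubStatus columns show which service is being hit and whether the attacker is guessing passwords for real accounts or spraying names, which decides whether a lockout policy or a port restriction is the better next step.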

CA request - Windows Server 2012 - Subject Alternate Name

Hi,
 
On a 2008 R2 SubCA I used an .inf file to create certificates with a SAN. I used the following extension:
 
[Extensions]
 2.5.29.17 = "{text}"
 _continue_ = "dns=name.domain.com$dns=othername"
 
This does not seem to work on a 2012 SubCA. Have there been any changes in how to get a SAN into the certificate?
 
Regards,
 Espen

internal CA service is not starting Error


Active Directory service did not start. Could not load or verify the current CA certificate.

The revocation function was unable to check revocation because the revocation server was offline.

0x80092013

Any idea? I can start Certificate Services, but it fails after a few seconds.

Is Web Application Proxy enough as a secure Reverse Proxy/publishing solution


Hello,

What are people's thoughts on using the Web Application Proxy role as a reverse proxy with only a firewall between it and the internet?

We need to replace our ISA 2006 boxes and I have been advocating using WAP with ADFS.
However, other 'reverse proxy' solutions available seem to have more capabilities than just WAP and a firewall, without which we leave ourselves exposed. For instance, Fortinet's product FortiWeb has the following 'additional' capabilities:

  • Protection for application layer attacks (SQL Injection, XSS, PHP/OS/LDAP/RFI/LFI injection and more)
  • Automatic layer 7 anomaly-based application baselining and threat detection
  • Data Leak Prevention (CC, SSN, server/application leakage)
  • IP Reputation

Are these required? Does WAP provide these capabilities but use different terminology?

SubCA Certificate cannot be renewed


Dear Friends,

I've got a quite urgent problem. Maybe you can help me...

Here's my problem:

I need to renew a sub-CA cert. To do so I followed a huge number of blogs and tutorials, for example:

http://support.risualblogs.com/blog/2014/05/13/renew-issuingsubordinate-ca-certificate/

But in every tutorial the writers are able to choose an online CA or export the request by clicking Cancel in the following step:

My problem is that this window isn't showing up. When I choose "No" in the window before, where it asks me whether to create a new key or not, and continue, it just starts the services again and nothing has changed. In the properties of the sub-CA there is still one cert which will expire soon:

 

When I try to renew it using certutil, I get the following message:

PS C:\Users\administrator.CLOUD4YOU> certutil -renewcert ReuseKeys -f
CertUtil: -renewCert command FAILED: 0x8007139f (WIN32: 5023)
CertUtil: The group or resource is not in the correct state to perform the requested operation.


I've googled the error message already, but none of the solutions applied to us.

When I try the 3rd option, renewing the cert with the same key via mmc -> Certificates, I get the same error as this writer: https://social.technet.microsoft.com/forums/windowsserver/en-US/90c78256-6291-4e6d-8dd8-82280cc00e69/unable-to-renew-subca but in our deployment the template was already activated.

I really don't know what to do next… Do you have any idea?

 

Thanks in advance!


Carsten Brenner IT-Engineer at cloud4you GmbH (Germany)


MS CS: Revert to Old CA Certificate

I had recently renewed my Root CA certificate (renewed the key as well). I would like to check if there is any way to revert it back to the old Root CA cert using the restore from backup option, as we had already issued new certs signed by the new CA certificate.

CRM 2015 Outlook Plugin and SCCM 2012


Good Morning!

In need of some assistance from you more experienced SCCM admins. Let me quickly run down the steps of what I've done:

1) Created a network share for CRM 2015 that everyone can see
2) Ran the EXE from Microsoft and followed the instructions from them to create the CrmClient_32.msi 
3) In SCCM, created a new application, and linked the shared folder. SCCM auto-populated the install command, publisher data, etc. The only thing I added was "/s" for the MSI package to install

4) Created a Device Collection with one test PC that already has CRM 2013 installed

5) Deployed the application to the device collection with the following options:

Under Content Tab:

Content Location: \\networkshare\Installs\CRM2015
Persist content in the client cache is NOT checked
Allow clients to share content with other clients on the same subnet IS checked
Deployment options: Do not download content

Under the Programs Tab:

Installation program: msiexec /i /s "CrmClient_32.msi"
Installation start in: blank
Uninstall program: msiexec /x 

Run installation and uninstall program as 32-bit process on 64-bit clients IS checked


Under User Experience Tab:

Installation Behavior: Install for system
Logon requirement: Whether or not a user is logged on
Installation program: (setting not captured)
Maximum allowed run time (120 minutes)
Estimated installation time (0 minutes)

6) I scheduled the install (for most applications I've seen this works best)

Now when I go to Monitoring, all I see is that the deployment is "In Progress" and the category is "Waiting for content".

I'm frustrated because I don't understand why this won't work. It seems so painless and the method I've described above works for almost any other application I've pushed out.

I'm all ears - is there anything you see that isn't correct? Any ideas or suggestions? If you've successfully pushed out CRM 2015 some how (even if it's not through SCCM), could you please share your solution?

Thank you so much! -Nick

AutoEnrollment Issue - Windows 7


Hello, 

I recently deployed a two-tier PKI infrastructure: 2x Windows 2012 R2 CA servers, 1 standalone root CA (offline) and 1 enterprise subordinate CA.

I created a new user-setting GPO to enable auto-enrollment, which has been deployed throughout the organization; I set up a new certificate template with Domain Users / Authenticated Users having Read, Enroll and Autoenroll permissions.

When I log on to a client machine I do not see any certificates; I ran certutil -pulse, which ran without any issues, and verified that the correct autoenrollment registry setting is listed (0x00000007). But when I go into certmgr.msc and try to "Automatically Enroll and Retrieve Certificates", it says "Certificate types are not available"; then I select show all templates, and under the template with auto-enroll enabled the following error appears:

"Cannot find the original signer; Information about available certificates cannot be obtained at this time. This type of certificate has already been installed on your computer"

I am kinda lost.. right now I'm digging through event logs and verifying certificate template settings. Any suggestions would be greatly appreciated.

Thank You


The Active Directory Certificate Services service terminated with the following service-specific error: The revocation function was unable to check revocation because the revocation server was offline.

I am facing so many errors even though I have renewed the CRL:

Please see the command output below:


C:\>certutil -verify -urlfetch subca.cer
Issuer:
    CN=RootCA
  Name Hash(sha1): f92d4c38e5d39ffde4a765f2beb33649a3251b40
  Name Hash(md5): 916ea49232fe1e7d9a55a2b0fc3bea07
Subject:
    CN=IssuingCA
    DC=
    DC=com
  Name Hash(sha1): 092621f67eda752ac6b135cd04d0b401fa060080
  Name Hash(md5): b0b67c26fec73affd607fc0ec12655fd
Cert Serial Number: 1400000005173179d78d8fd3db000000000005

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwRevocationFreshnessTime: 208 Days, 17 Hours, 51 Minutes, 14 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwRevocationFreshnessTime: 208 Days, 17 Hours, 51 Minutes, 14 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=RootCA
  NotBefore: 9/18/2014 6:59 AM
  NotAfter: 9/18/2024 7:09 AM
  Subject: CN=IssuingCA, DC=, DC=com
  Serial: 1400000005173179d78d8fd3db000000000005
  Template: SubCA
  b3556525827fe8477b5503fd779278c9dd3ce39f
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificate AIA  ----------------
  Failed "AIA" Time: 0
    Error retrieving URL: The request is not supported. 0x80070032 (WIN32: 50 ERROR_NOT_SUPPORTED)
    file:////rootca01/CertEnroll/rootca01_RootCA.crt

  Failed "AIA" Time: 0
    Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (INet: 12007 ERROR_INTERNET_NAME_NOT_RESOLVED)
    http://subca01.domain.com/CertEnrollrootca01_RootCA.crt

  ----------------  Certificate CDP  ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: Forbidden (403). 0x80190193 (-2145844845 HTTP_E_STATUS_FORBIDDEN)
    http://subca01/pki/RootCA.crl

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
    CRL 05:
    Issuer: CN=RootCA
    ThisUpdate: 9/18/2014 1:36 AM
    NextUpdate: 3/19/2015 1:56 PM
    0ad36833c693909fdd17c03903ac100eafe33111
  Issuance[0] = 1.2.3.4.1455.67.89.5

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=RootCA
  NotBefore: 9/15/2014 8:46 AM
  NotAfter: 9/15/2034 8:56 AM
  Subject: CN=RootCA
  Serial: 16643f83b5fe09bb4f2e6ff45e5b0eda
  5209f7a05de8a03dc000a3730d1d75c547e19911
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
  Issuance[0] = 1.2.3.4.1455.67.89.5

Exclude leaf cert:
  0f01f716b3f1650c84e26216b2a79c0ce12e4be9
Full chain:
  570d3f37fa78953bce487538c839c5acc4ab7309
  Issuer: CN=RootCA
  NotBefore: 9/18/2014 6:59 AM
  NotAfter: 9/18/2024 7:09 AM
  Subject: CN=IssuingCA, DC=, DC=com
  Serial: 1400000005173179d78d8fd3db000000000005
  Template: SubCA
  b3556525827fe8477b5503fd779278c9dd3ce39f
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
------------------------------------
Revocation check skipped -- server offline
Cert is a CA certificate

ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

CertUtil: -verify command completed successfully.
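The useful part of a certutil -verify -urlfetch dump like the one above is the handful of Failed "AIA"/"CDP" blocks, each naming the URL the client could not retrieve. As an added example (not from the original post), the function below parses that output into objects and flags URLs whose scheme clients can never fetch; the sample text is a constructed excerpt modelled on the three failures in the dump above.

```powershell
# Added example (not from the original post): pull the failed AIA/CDP fetches
# out of "certutil -verify -urlfetch" output so the broken URLs can be fixed
# in the CA's extension configuration before the CRL is republished.
function ConvertFrom-CertutilUrlFetch {
    param([Parameter(ValueFromPipeline = $true)] [string[]] $Lines)
    begin { $section = ''; $kind = ''; $err = ''; $pending = $false }
    process {
        foreach ($line in $Lines) {
            # Section banners look like "----  Certificate AIA  ----".
            if ($line -match '^\s*-+\s+(.+?)\s+-+\s*$') { $section = $Matches[1]; continue }
            # A failed fetch is three lines: Failed "AIA"/"CDP", the error, the URL.
            if ($line -match '^\s*Failed "(\w+)" Time:') { $kind = $Matches[1]; $err = ''; $pending = $true; continue }
            if ($pending -and $line -match '^\s*Error retrieving URL:\s*(.+?)\s*$') { $err = $Matches[1]; continue }
            if ($pending -and $line -match '^\s*([A-Za-z]+:\S+)\s*$') {
                $url = $Matches[1]
                New-Object PSObject -Property @{
                    Section = $section; Type = $kind; Url = $url; Error = $err
                    # Clients fetch AIA/CDP over HTTP (or LDAP inside the domain);
                    # a file: URL embedded in the certificate is never retrievable.
                    Reachable = ($url -match '^(https?|ldap)://')
                }
                $pending = $false
            }
        }
    }
}

# Constructed sample modelled on the output above (not the full dump).
$sample = @'
  ----------------  Certificate AIA  ----------------
  Failed "AIA" Time: 0
    Error retrieving URL: The request is not supported. 0x80070032 (WIN32: 50 ERROR_NOT_SUPPORTED)
    file:////rootca01/CertEnroll/rootca01_RootCA.crt

  Failed "AIA" Time: 0
    Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (INet: 12007 ERROR_INTERNET_NAME_NOT_RESOLVED)
    http://subca01.domain.com/CertEnrollrootca01_RootCA.crt

  ----------------  Certificate CDP  ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: Forbidden (403). 0x80190193 (-2145844845 HTTP_E_STATUS_FORBIDDEN)
    http://subca01/pki/RootCA.crl
'@

$sample -split "`r?`n" | ConvertFrom-CertutilUrlFetch |
    Format-Table Section, Type, Reachable, Url, Error -AutoSize

# Against a live CA certificate instead of the sample:
# certutil -verify -urlfetch .\subca.cer | ConvertFrom-CertutilUrlFetch
```

Every URL listed comes from the AIA/CDP extensions baked into the subordinate CA certificate itself, so after correcting the CA's extension settings the subordinate CA certificate has to be re-issued for the fix to show up in this output.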

How to check login/logoff time of a user (by username)


Hey All,

I have a requirement where

1 - I need to find out which user logged onto server XYZ (a Server 2003 machine) and at what time he logged off (from RDP).

2 - There are certain times that a user might log on to a different server ABC (a Server 2003 machine), go into Server ABC's services.msc, then connect to Server XYZ's (a Server 2003 machine) services.msc and restart a service (on Server XYZ). How can I find out:

a) Who connected from a different server to server XYZ?

b) from what server did he connect to server XYZ?

c) which service (name) did he restart on server XYZ?

Please give me full steps on how to check this and configure this (I am not sure if the necessary auditing has even been enabled to log the stuff that I asked above).

Thanks a lot for all your help!
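Both the "Remote Desktop Login events" post earlier on this page and the question above come down to the same log records: logon event 4624 (with LogonType, IpAddress and WorkstationName), the matching 4634/4647 logoff keyed by TargetLogonId, and Service Control Manager event 7036 for service state changes. The script below is an added example, not from either post; it assumes Windows Server 2008 or later event IDs and schema with logon/logoff auditing enabled (the Server 2003 machines in the question log 528/540/538 instead and have no Get-WinEvent), and the account name is a placeholder.

```powershell
# Added example (not from the original posts): rebuild a user's sessions from
# the Security log and list service state changes recorded while each session
# was open. Assumes Windows Server 2008+ event IDs (4624/4634/4647, System 7036)
# with "Audit Logon"/"Audit Logoff" enabled; Server 2003 logs 528/540/538 instead.
param(
    [string]   $User       = 'jdoe',        # placeholder account name
    [string[]] $LogonTypes = @('10', '3'),  # 10 = RDP, 3 = network (remote services.msc etc.)
    [int]      $Days       = 7
)
function Get-EventDataMap {
    param($Event)
    $d = @{}
    foreach ($n in ([xml] $Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

function Get-UserSession {
    param([string] $User, [string[]] $LogonTypes, [int] $Days)
    $since   = (Get-Date).AddDays(-$Days)
    $logons  = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue
    $logoffs = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4634, 4647; StartTime = $since } -ErrorAction SilentlyContinue
    # A logoff carries the same TargetLogonId as its 4624; that is the join key.
    $ends = @{}
    foreach ($e in $logoffs) { $d = Get-EventDataMap $e; $ends[$d['TargetLogonId']] = $e.TimeCreated }
    foreach ($e in $logons) {
        $d = Get-EventDataMap $e
        if ($d['TargetUserName'] -ne $User -or $LogonTypes -notcontains $d['LogonType']) { continue }
        # IpAddress/WorkstationName answer "from where"; for a type 3 logon that is the server the user came from.
        New-Object PSObject -Property @{
            User = $d['TargetUserName']; Type = $d['LogonType']; LogonId = $d['TargetLogonId']
            Source = $d['IpAddress']; Client = $d['WorkstationName']
            Start = $e.TimeCreated; End = $ends[$d['TargetLogonId']]
        }
    }
}

function Get-ServiceChangeDuringSession {
    param($Session)
    $end = $Session.End
    if (-not $end) { $end = Get-Date }   # no logoff seen yet
    # 7036 names the service and its new state but never the user, so the only
    # link to a session is the time window.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036;
                                     StartTime = $Session.Start; EndTime = $end } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = ([xml] $_.ToXml()).Event.EventData.Data
            New-Object PSObject -Property @{ Time = $_.TimeCreated; Service = $p[0].'#text'; State = $p[1].'#text' }
        }
}

foreach ($s in Get-UserSession -User $User -LogonTypes $LogonTypes -Days $Days) {
    "`n{0} type {1} from {2} ({3}): {4} -> {5}" -f $s.User, $s.Type, $s.Source, $s.Client, $s.Start, $s.End
    Get-ServiceChangeDuringSession $s | Format-Table Time, Service, State -AutoSize
}
```

Run it on server XYZ: the type 10 rows are the RDP sessions with their logoff times, the type 3 rows show which host the user connected from, and the 7036 rows inside a session window are the candidate service restarts, attributed by time only.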


Windows server 2008 R2


Hi, 

Just want to know if there is an SP2 for Windows Server 2008 R2. Thanks in advance.

Regards,

Sooraj M
