
Sunday, November 14, 2021

Cannot Delete Domain Controller - Access is Denied

Description:

You are signed in with a Domain Admins account and want to delete a "stale" Domain Controller (DC) from the Active Directory Users and Computers console, but you get an access denied error.

Resolution:

Most probably the DC is protected against accidental deletion.

  • Go to Active Directory Sites and Services
  • Expand the Sites folder > expand the site name where the DC you want to delete is > expand the Servers folder > expand the DC you want to delete
  • Right click on NTDS Settings
  • Click on the Object tab
  • Uncheck the “Protect object from accidental deletion” checkbox.
  • Click OK.

Now you should be able to delete the Domain Controller from Active Directory Users and Computers console.
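
The same check and change can be scripted with the ActiveDirectory PowerShell module. This is an added example, not part of the original post; the host name OLD-DC01 is a hypothetical placeholder for the stale DC.

```powershell
# Added example: command-line equivalent of the Object tab steps above.
# 'OLD-DC01' is a hypothetical placeholder for the stale DC's host name.
Import-Module ActiveDirectory
$DcName = 'OLD-DC01'

# Server objects live under CN=Sites in the Configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$server = Get-ADObject -SearchBase "CN=Sites,$configNC" `
    -LDAPFilter "(&(objectClass=server)(cn=$DcName))"
if (-not $server) {
    throw "No server object named $DcName under CN=Sites,$configNC"
}

# "NTDS Settings" is the nTDSDSA child object of the server object.
$ntds = Get-ADObject -SearchBase $server.DistinguishedName -SearchScope OneLevel `
    -LDAPFilter '(objectClass=nTDSDSA)' -Properties ProtectedFromAccidentalDeletion
if (-not $ntds) {
    throw "No NTDS Settings object under $($server.DistinguishedName)"
}

# Report the current state of the protection flag before changing anything.
$ntds | Select-Object DistinguishedName, ProtectedFromAccidentalDeletion

# Clear the flag only if it is set. -WhatIf previews the change;
# remove it to apply the change for real.
if ($ntds.ProtectedFromAccidentalDeletion) {
    $ntds | Set-ADObject -ProtectedFromAccidentalDeletion $false -WhatIf
}
```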

Monday, September 27, 2021

BitLocker Deployment with Active Directory - How to Start Automatic Encryption

Description:

You deployed BitLocker using Active Directory only. You have set up the necessary Group Policy, run BitLocker encryption manually, and can see that the recovery password is being stored in Active Directory.

Now you are wondering how encryption could start automatically, without user interaction.

Resolution:

From https://www.experts-exchange.com/articles/33771/We-have-bitlocker-so-we-need-MBAM-too.html we can see that we can create a scheduled task on the machine and run it with the SYSTEM account.

Detail:

Task name: BL (name it as you want, but please don’t forget to change the name in the last script line)

Triggers: at logon of any user

Executing account: system

Action: powershell.exe with the argument \\server\share\BL.ps1


The script:

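    # Generate a random six-digit PIN, zero-padded
    $pin=(Get-Random -Minimum 0 -Maximum 999999).ToString('000000')
    # Append the PIN, in plain text, to this computer's file on the share
    echo "$pin" | out-file \\server\pins\$env:computername.txt -Append
    # Add a TPM+PIN key protector to C: using that PIN
    $SecureString = ConvertTo-SecureString "$pin" -AsPlainText -Force
    Add-BitlockerKeyProtector -MountPoint "C:" -Pin $SecureString -TPMandPinProtector
    # Start encryption: skip the hardware test (-s), used space only (-used), add a recovery password (-rp)
    manage-bde -on c: -s -used -rp
    # Show the PIN to all sessions on the machine
    msg * /time:0 Your hard drive is being encrypted. To start your PC, you need your Bitlocker-PIN, which is $pin
    # Delete the scheduled task so the script does not run again (change BL if you renamed the task)
    schtasks /delete /tn BL /f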

Thursday, September 9, 2021

Error connecting to SQL Server after changing Service Account to normal domain users

Description:

As a security best practice, we should not run SQL Server services with domain admin credentials. However, after changing the service account to a normal domain user, you encounter a connection error when trying to connect from SQL Server Management Studio.

The error may say something like "The target principal name is incorrect.  Cannot generate SSPI context."

Resolution:

We need to give the domain user account the appropriate permission to modify the servicePrincipalName attribute in Active Directory.

  • Run Adsiedit.msc
  • In the ADSI Edit snap-in, expand Domain [YourDomainName], expand DC=RootDomainName, expand CN=Users, right-click CN=[YourAccountName], and then click Properties.
  • In the CN=AccountName Properties dialog box, click the Security tab.
  • On the Security tab, click Advanced.
  • In the Advanced Security Settings dialog box, select any one of the rows for "SELF".
  • Click Edit to open the Permission Entry dialog box.
  • Make sure Principal is "SELF", Type is "Allow" and "Applies to" is "This Object Only". In the Properties section, select the properties below:
    • Read servicePrincipalName
    • Write servicePrincipalName
  • Click OK to apply all changes and exit the ADSI Edit snap-in
  • Restart the SQL Service(s) that use the account in question.
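
The same permission can be granted and checked from an elevated PowerShell prompt with dsacls and setspn. This is an added example, not part of the original post; the account name svc-sql is a hypothetical placeholder for the SQL Server service account.

```powershell
# Added example. 'svc-sql' is a hypothetical service account name.
Import-Module ActiveDirectory
$account = Get-ADUser -Identity 'svc-sql' -Properties servicePrincipalName
$dn = $account.DistinguishedName

# SPNs currently registered on the account (no output means none yet).
$account.servicePrincipalName

# Grant SELF read property (RP) and write property (WP) on the
# servicePrincipalName attribute only. Without /I, dsacls applies the
# entry to this object only, matching the dialog setting above.
dsacls $dn /G 'SELF:RPWP;servicePrincipalName'

# Read the ACL back and show the entries that mention the attribute,
# with the two lines after each match that list the granted rights.
dsacls $dn | Select-String -Pattern 'servicePrincipalName' -Context 0,2

# After restarting the SQL Server service(s), list the SPNs the
# account has registered for itself.
setspn -L $account.SamAccountName
```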

Error Connecting to SQL Server Instances after enabling Windows Firewall

Description:
For security reasons, you need to enable Windows Firewall on your SQL Server machine.
However, after you enable it, users cannot connect to one of your SQL instances. You have already created inbound TCP rules to allow port 1433 and the other TCP port where the instance listens, but users still cannot connect. They can connect if the port number for that instance is written directly on the connection page.

Resolution:
Make sure you also create an inbound rule for UDP port 1434. The SQL Server Browser service runs on UDP port 1434 and listens for incoming connections to a named instance.
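
To see which of the required ports the enabled inbound rules actually cover, and to add the missing UDP 1434 rule, the following can be run in an elevated PowerShell session. This is an added example, not part of the original post; TCP port 50123 is a constructed stand-in for the named instance's port, and the rule display name is an assumption.

```powershell
# Added example. 'TCP/50123' is a constructed stand-in for the named
# instance's listening port; replace it with the real one.
$required = 'TCP/1433', 'TCP/50123', 'UDP/1434'

# True if an explicit port or port range in $Filters covers the port.
# Filters with LocalPort 'Any' are ignored on purpose: such rules are
# usually scoped to a program or service, not to SQL Server traffic.
function Test-PortCovered {
    param([string]$Protocol, [int]$Port, $Filters)
    foreach ($f in $Filters) {
        if ("$($f.Protocol)" -ne $Protocol) { continue }
        foreach ($spec in @($f.LocalPort)) {
            if ($spec -match '^(\d+)-(\d+)$') {
                if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) {
                    return $true
                }
            } elseif ($spec -eq "$Port") { return $true }
        }
    }
    return $false
}

# Port filters of every enabled inbound allow rule.
$filters = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Get-NetFirewallPortFilter

# One row per required port, showing whether a rule covers it.
foreach ($item in $required) {
    $proto, $port = $item -split '/'
    [pscustomobject]@{
        Port    = $item
        Allowed = Test-PortCovered -Protocol $proto -Port ([int]$port) -Filters $filters
    }
}

# Add the SQL Server Browser rule only if nothing covers UDP 1434 yet.
if (-not (Test-PortCovered -Protocol 'UDP' -Port 1434 -Filters $filters)) {
    New-NetFirewallRule -DisplayName 'SQL Server Browser (UDP 1434)' `
        -Direction Inbound -Protocol UDP -LocalPort 1434 -Action Allow
}

# The rule only helps if the Browser service itself is running.
Get-Service -Name SQLBrowser | Select-Object Name, Status, StartType
```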

Wednesday, September 8, 2021

How to Rename A Domain Controller

Description:

During an Active Directory upgrade, you might need to keep the old Domain Controller name because of certain application requirements. You plan to use the swing method, where the new Domain Controller will be renamed to the old Domain Controller name.

Resolution:

  1. Make sure the old DC name is no longer in use anywhere in the domain. Check Active Directory objects, DNS records, DFSR objects, etc.
  2. Use the Netdom command to rename the Domain Controller according to the following steps:
    • On the new Domain Controller, open Command Prompt with administrative privileges
    • Type netdom computername "current_name" /add:"fqdn_newname" > press Enter
    • Type netdom computername "current_name" /makeprimary:"fqdn_newname" > press Enter
    • Restart the Domain Controller
    • Type netdom computername "current_name" /remove:"fqdn_oldname" > press Enter
