Active Directory

A late one for this release of ‘from around the web’ after being on holiday for the last week; as always seems to be the case, I’ve come out of the sun quite red. This week we have another step in the right direction towards getting rid of passwords, some helpful templates for building a first configuration for a Palo Alto Networks Next-Generation Firewall, and an interesting (short) review of the Hubitat home automation hub.

New Azure Active Directory capabilities help you eliminate passwords at work
It’s been promised by Microsoft (and some others) for quite some time, and it looks like another leap in the right direction has been made. With FIDO2 and devices like the YubiKey, passwordless login to Windows 10 devices joined to Azure AD is happening. Be sure to watch the video at the bottom of the page!

iron-skillet
All the options within a PAN NGFW can seem quite daunting, and while the out-of-the-box settings for security policies will help, they are far from best practice. That’s where iron-skillet comes in handy: it takes some of that pain away and gives you a serious starting point.

Smart Home Hub – Hubitat Review
For the people who don’t have the time (or know-how) to invest in something like Home Assistant but aren’t up for relying on a connection to the ‘cloud’ for home automation, Hubitat may well be for you. I’ve been exploring home automation for quite some time (at the moment using LIFX and HomeSeer) and may well consider looking into Hubitat some more if/when I decide to expand on it.

Check DCs

One of those monthly jobs that every SysAdmin will come across is good old Patch Tuesday. To make Patch Tuesday a little more fun, after all of the servers have been updated I use Hyper-V Replica (driven by a PowerShell script) to shut down each virtual machine and move it onto another host; this ticks the box for the reboot that Windows Update needs and tests our DR solution in one hit.

However, as both of my DCs are virtual machines, I want to make sure that at least one DC is up at all times. To do that I have built a little PowerShell function (see below to download it in a zip file) that is run before every migration to ensure that both DCs are up and running, along with the Network Policy Server service (which authenticates clients on the network and so is very important!), before any migration happens.

Hopefully this will help someone someday!

Download: See if DCs are up (zip, 905 bytes)
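The check the post describes, written out as an added example (this is not the downloadable function from the post). It treats a DC as ready only if it answers ping, its directory services are running, and it actually answers an LDAP query, and it additionally requires the NPS service (service name IAS) to be running. The DC names and the NPS host are assumptions; replace them with your own.

```powershell
# Added example, not the post's own function. Pre-migration health check for
# all DCs plus the NPS service. Host names below are assumptions.
function Test-DomainControllersReady {
    [CmdletBinding()]
    param(
        [string[]]$DomainController = @('DC01', 'DC02'),   # assumed names
        [string]$NpsServer = 'DC01'                         # assumed: NPS lives on DC01
    )
    $ok = $true
    foreach ($dc in $DomainController) {
        if (-not (Test-Connection -ComputerName $dc -Count 1 -Quiet)) {
            Write-Warning "$dc does not respond to ping"
            $ok = $false
            continue
        }
        # Services every DC must expose: directory (NTDS), DNS, Netlogon and the KDC.
        foreach ($svc in 'NTDS', 'DNS', 'Netlogon', 'Kdc') {
            $s = Get-Service -ComputerName $dc -Name $svc -ErrorAction SilentlyContinue
            if ($null -eq $s -or $s.Status -ne 'Running') {
                Write-Warning "$dc service $svc is not running"
                $ok = $false
            }
        }
        # A 'Running' NTDS can still refuse queries during startup; bind to this DC explicitly.
        try {
            $root = [ADSI]"LDAP://$dc/RootDSE"
            if (-not $root.defaultNamingContext) { throw 'RootDSE returned no naming context' }
        } catch {
            Write-Warning "$dc does not answer LDAP: $_"
            $ok = $false
        }
    }
    # Network Policy Server registers as service 'IAS' (its historical name).
    $nps = Get-Service -ComputerName $NpsServer -Name 'IAS' -ErrorAction SilentlyContinue
    if ($null -eq $nps -or $nps.Status -ne 'Running') {
        Write-Warning "NPS (IAS) is not running on $NpsServer"
        $ok = $false
    }
    return $ok
}

# Usage: refuse to move any VM unless every DC and NPS are healthy.
if (-not (Test-DomainControllersReady)) {
    throw 'Pre-migration check failed; not migrating any virtual machine.'
}
```

The explicit RootDSE bind is the part worth keeping even if you trim the rest: a DC whose NTDS service shows as running can still be replaying logs after a reboot, and a migration script that only looks at service state will happily take the last working DC offline.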

Microsoft SQL Server Integration Services (SSIS) is a powerful tool that comes with any of the paid editions of SQL Server. By design its main function is to extract, transform and load data into databases; however, by mixing in CSV exports and PowerShell commands, it can help automate various workflows.

Although I won’t delve into too much detail in this post, I’ll take a look at what is possible, in particular:

  • Automating the generation of a new staff or student user account
  • Alerting the service desk when a student or staff member leaves the school
  • Importing new staff members into the asset management system (to assign school resources to them)
  • Emailing a report on printing activity to the finance department
  • Generating email distribution lists automatically

In the majority of businesses (and in all schools) there will be some kind of central database which stores information on employees/staff and, in schools, students. Where I work this is Capita SIMS. The database itself comprises a great number of tables; however, it is possible to avoid rooting through the tables to find the data you want by using the commandreporter.exe application to export a report instead.
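As an added example of the first item in the list above (automating new staff accounts from a CSV export), here is the PowerShell side of such a workflow. It is not the author’s SSIS package: the CSV content is constructed inline to stand in for a commandreporter.exe export, and the column names, target OU and UPN suffix are assumptions. The points a practitioner would want are the ones an ETL job tends to skip: the logon name is sanitised before it goes into an LDAP filter, an existing account is never overwritten, and every account gets its own random initial password that must be changed at first logon.

```powershell
# Added example, not the post's SSIS package. Creates AD users from a CSV export.
Import-Module ActiveDirectory

# Constructed sample standing in for a commandreporter.exe export (assumed columns).
$sampleCsv = @'
StaffCode,Forename,Surname,Department
ST1001,Alice,Jones,Science
ST1002,Robert,O'Brien,Maths
'@

function New-StaffAccounts {
    param(
        [string]$CsvText,
        [string]$OU = 'OU=Staff,DC=school,DC=local',   # assumed
        [string]$UpnSuffix = 'school.local',            # assumed
        [switch]$WhatIf
    )
    $created = @()
    foreach ($row in ($CsvText | ConvertFrom-Csv)) {
        # First initial + surname, letters only, so a surname such as O'Brien cannot
        # carry a quote into the -Filter string or the DN. sAMAccountName is max 20 chars.
        $sam = (($row.Forename.Substring(0, 1) + $row.Surname) -replace '[^A-Za-z]', '').ToLower()
        if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }

        if (Get-ADUser -Filter "sAMAccountName -eq '$sam'" -ErrorAction SilentlyContinue) {
            Write-Warning "$sam already exists; skipping $($row.StaffCode)"
            continue
        }

        # Per-account random initial password from the OS CSPRNG; never a shared default.
        $bytes = New-Object byte[] 18
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $initial = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

        New-ADUser -Name "$($row.Forename) $($row.Surname)" `
            -SamAccountName $sam `
            -UserPrincipalName "$sam@$UpnSuffix" `
            -GivenName $row.Forename -Surname $row.Surname `
            -EmployeeID $row.StaffCode -Department $row.Department `
            -Path $OU -AccountPassword $initial -Enabled $true `
            -ChangePasswordAtLogon $true -WhatIf:$WhatIf
        $created += $sam
    }
    return $created
}

# Dry run first; drop -WhatIf once the output looks right.
New-StaffAccounts -CsvText $sampleCsv -WhatIf
```

The initial password is deliberately not written anywhere: hand it to the service desk through whatever channel you already use for credentials, or let the first-logon change happen at the desk, rather than emailing it or storing it in the SSIS package’s variables.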

Moodle Install

The past few weeks at work have been filled with going from what has been a very successful pilot of Moodle 2.6 to a fully featured install of Moodle 2.7.1. Hopefully, as time allows, I’ll be able to get out some posts about how each aspect of Moodle goes down with the staff and students, but for now this post serves as a way for me to highlight some features (in no great detail) which I think deserve recognition.

Things to be covered include:

  • Linking AD accounts to class lists in Capita SIMS (a Schools Information Management System)
  • Using the auto login feature to put Moodle front and centre
  • My home
  • OneDrive, Google Drive and Dropbox integration
  • Moodle updates (going from 2.7 to 2.7.1)


A large number of printers are missing

For a few days I found that printers published in Active Directory (from our 2008 R2 print server) were not appearing in the Directory or Find Printers tabs (see above). With about 120 printers deployed and only 5 showing up, there had to be something wrong.

As it turns out, the Print Spooler service was starting before the Server service, which was causing a whole load of errors in the event log, each logged as Event 315 from PrintService:

The printer spooler failed to share printer <printer name> with shared resource name <printer share name> Error 2114. The printer cannot be used by others on the network.

The fix in this case was to restart the Server service (and, if the printers do not appear in the directory after a few minutes, restart the Print Spooler service as well).

The reasoning behind this is that the Server service was starting up after the Print Spooler service. Because of this, the spooler was trying to share out the printers and couldn’t, since sharing anything on the network depends on the Server service being up. A simple reboot of the whole server wouldn’t reliably fix this, as the same thing could happen again with the services starting in the wrong order.

More details can be seen in the screen shots below.
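An added example (not the post’s own steps) that turns the fix above into something you can run, plus the check that tells you it worked: it looks for Event 315 since the last boot, restarts Server and then Spooler in the order the post gives, and counts the shared printers afterwards. The second function goes one step further than the post by making the Spooler service depend on the Server service, so the service controller can never start them in the wrong order again; that part is the editor’s suggestion, not something the post does. The expected printer count is an assumption taken from the post’s figure.

```powershell
# Added example, not the post's own script. Requires an elevated prompt on the print server.
function Repair-PrinterShares {
    param([int]$ExpectedShares = 120)   # assumed from the post's "about 120 printers"

    $os   = Get-WmiObject Win32_OperatingSystem
    $boot = $os.ConvertToDateTime($os.LastBootUpTime)

    # Event 315 ("failed to share printer ... Error 2114") is logged to the PrintService Admin log.
    $failed = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PrintService/Admin'; Id = 315; StartTime = $boot
    } -ErrorAction SilentlyContinue)
    if ($failed.Count -eq 0) {
        Write-Output 'No Event 315 since boot; nothing to do.'
        return $true
    }
    Write-Warning "$($failed.Count) printer share failures since boot; restarting services."

    # Order matters: Server (LanmanServer) must be up before the spooler re-shares.
    # Note that restarting LanmanServer drops every open SMB session on this box.
    Restart-Service -Name LanmanServer -Force
    Restart-Service -Name Spooler -Force

    Start-Sleep -Seconds 30   # give the spooler time to re-share and republish to AD
    $shared = @(Get-WmiObject Win32_Printer -Filter 'Shared = TRUE')
    Write-Output "$($shared.Count) printers now shared."
    return ($shared.Count -ge $ExpectedShares)
}

# Durable fix: declare the dependency so the SCM starts Server before Spooler.
# Existing Spooler dependencies (normally RPCSS and http) are preserved.
function Add-SpoolerServerDependency {
    $deps = @((Get-Service -Name Spooler).ServicesDependedOn | ForEach-Object { $_.Name })
    if ($deps -contains 'LanmanServer') {
        Write-Output 'Spooler already depends on LanmanServer.'
        return
    }
    # sc.exe syntax: the space after "depend=" is mandatory, entries are '/'-separated.
    $list = ($deps + 'LanmanServer') -join '/'
    sc.exe config Spooler depend= $list
}

Repair-PrinterShares
Add-SpoolerServerDependency
```

Run the repair during a quiet period: restarting the Server service interrupts every client that has a file or print connection open to that server, which is also why fixing the start order is preferable to scripting the restart.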

For a long time we’ve been using the built-in features of Windows Server to let users recover their own work through the ‘Previous Versions’ tab in Windows Explorer (which relies on the Volume Shadow Copy Service); however, the long-term plan has been to get our DPM 2012 server to do the heavy lifting instead.

When trying to extend the AD schema (as per this Technet article) we were coming across this error message:

Active Directory could not be configured because the Active Directory domain could not be found. Make sure that the domain name is properly constructed. The following example shows a properly constructed domain name: city.corp.company.com

The best fix I have found is to extend the schema manually: copy the EXE that DPM uses to extend the schema onto the domain controller that holds the Schema Master role and run it there.

In my case that file can be found in C:\Program Files\Microsoft System Center 2012\DPM\DPM\End User Recovery

The screenshots below show how to do this in a little more detail
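Before copying the tool over, two things are worth confirming from a script: which DC actually holds the Schema Master role (it is not always the one you think), and that the account you are logged on with is in Schema Admins and Enterprise Admins, since the schema extension silently fails without them and group changes only take effect after a fresh logon. The following added example (not the post’s procedure) does both and then stages the folder on the schema master; the DPM server name and the staging share are assumptions, and the tool is still run interactively on the schema master, as the post describes.

```powershell
# Added example, not the post's own steps. Needs the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Stage-DpmSchemaExtension {
    param(
        [string]$SourceFolder = 'C:\Program Files\Microsoft System Center 2012\DPM\DPM\End User Recovery',
        [string]$StagingPath  = 'C$\Temp\DPMSchema'   # assumed admin-share path on the schema master
    )
    # The FSMO role holder for the schema is forest-wide; ask the forest, not the domain.
    $schemaMaster = (Get-ADForest).SchemaMaster
    Write-Output "Schema Master: $schemaMaster"

    # Check the *token* of the current logon, which is what the tool will run under.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $groups = $identity.Groups | ForEach-Object {
        try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $null }
    }
    foreach ($needed in 'Schema Admins', 'Enterprise Admins') {
        if (-not ($groups | Where-Object { $_ -like "*\$needed" })) {
            throw "$($identity.Name) is not a member of '$needed' in the current logon token; add the membership and log on again."
        }
    }

    # Stage the whole End User Recovery folder on the schema master.
    $dest = "\\$schemaMaster\$StagingPath"
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Copy-Item -Path (Join-Path $SourceFolder '*') -Destination $dest -Recurse -Force

    return [pscustomobject]@{
        SchemaMaster = $schemaMaster
        StagedAt     = $dest
        LocalPath    = 'C:\' + ($StagingPath -replace '^C\$\\', '')
    }
}

# Usage: then log on to the returned SchemaMaster and run the extension from LocalPath.
Stage-DpmSchemaExtension
```

Membership is read from the logon token rather than from Get-ADGroupMember on purpose: a user added to Schema Admins a minute ago is still not in the token until they log off and on, and that is the state the schema extension tool sees.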

NB about DFS shares: if you intend to use end user recovery against shares that are accessed via DFS, you will need hotfix KB2466048 on the clients. Why this is a hotfix and not included with Windows 7 SP1 I do not know; I just hope it comes along in SP2.

When setting up a new Moodle install with LDAP authentication I was finding that my test users weren’t able to log in with their normal Active Directory user name/password (the sAMAccountName). After a little playing I found that they could log in fine if they used the value of the common name attribute (cn) instead.

After a little digging it turns out this is one of the big ‘gotchas’ about Moodle and LDAP: the default Moodle LDAP setup looks users up by the cn attribute rather than by the sAMAccountName attribute, as you would expect for Active Directory. In AD the cn is usually the user’s display name (for example ‘Alice Jones’), whereas the logon name people actually type (‘ajones’) is only stored in sAMAccountName, so the default lookup never finds the account.

The simple solution is to go into the LDAP authentication settings on your Moodle install and enter samaccountname in the ‘User attribute’ box, as you see above.
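To see the gotcha for yourself outside Moodle, the following added example (not from the post or from Moodle) runs the same kind of LDAP lookup the Moodle plugin performs, once with the cn attribute and once with sAMAccountName, so you can confirm which attribute matches what a user types before touching the Moodle settings. Server, base DN and the test logon are assumptions. The typed value is escaped per RFC 4515 before it goes into the filter, which is the detail to check in any LDAP-backed login form.

```powershell
# Added example, not from the post or Moodle. Reproduces the user lookup an LDAP
# login performs so the effect of the 'User attribute' setting is visible.
function Resolve-LdapUser {
    param(
        [string]$Server = 'dc01.school.local',            # assumed
        [string]$BaseDn = 'OU=Staff,DC=school,DC=local',  # assumed
        [Parameter(Mandatory)][string]$Login,             # what the user typed at logon
        [ValidateSet('cn', 'sAMAccountName')][string]$UserAttribute = 'cn'   # Moodle's default is cn
    )
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$BaseDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)

    # RFC 4515 escaping: a typed name must not be able to change the filter's shape.
    $escaped = $Login -replace '\\', '\5c' -replace '\*', '\2a' `
                      -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
    $searcher.Filter = "(&(objectClass=user)($UserAttribute=$escaped))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'sAMAccountName', 'distinguishedName'))

    $hit = $searcher.FindOne()
    if ($null -eq $hit) { return $null }
    [pscustomobject]@{
        cn             = [string]$hit.Properties['cn'][0]
        sAMAccountName = [string]$hit.Properties['samaccountname'][0]
        dn             = [string]$hit.Properties['distinguishedname'][0]
    }
}

# With the default attribute the logon name finds nothing, because in AD the cn is
# the display name ('Alice Jones'); with sAMAccountName the same input finds the account.
Resolve-LdapUser -Login 'ajones' -UserAttribute 'cn'
Resolve-LdapUser -Login 'ajones' -UserAttribute 'sAMAccountName'
```

If the first call does return an object, your directory populates cn with logon names, which is unusual for AD and explains why the default setting happened to work; in that case the switch to samaccountname is still the safer choice, since cn is not guaranteed unique across OUs while sAMAccountName is unique per domain.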