Active Directory on John Billekens | Notes from the field

Manipulate the 'NameID' SAML content - part 1

Thu, 28 Oct 2021 15:22:45 +0000

Some companies want to allow other (guest) companies to connect to their environment and for example allow them to open a Citrix Desktop. This can be achieved by Connecting an existing Citrix environment to the guest company via SAML (and yes there are other possibilities). SAML is an authentication method based on a two-way trust. Two Microsoft products that can offer SAML authentication are ADFS (Active Directory Federation Services, an on-premises solution) and the other is and Enterprise App you can configure from the Azure portal. The other requirement is Citrix FAS (Federated Authentication Services). In this article I will show you a way to connect a guest (company) via SAML to allow them access to your Citrix environment without the need for adding the guest companies suffix to your domain.

Manage Native OTP tokens via Windows, Part 2

Tue, 20 Apr 2021 19:31:56 +0000

A couple weeks ago someone asked me if OTP4ADC could also support encrypted tokens. And at that time I hadn’t done anything with encrypted tokens on a Citrix ADC. And if you not have heard of the OTP4ADC tool/script you can read my initial blog article from when I released the first version and the basics of how it works.

Manage Native OTP tokens via Windows

Tue, 29 Sep 2020 20:36:32 +0000

Today I want to release an early (beta) version of a new tool I created, “OTP4ADC” With this tool you can add, remove or change the native OTP tokens used within your Citrix ADC, previously called NetScaler.

Changing Microsoft ADCS from sha1 to sha256

Wed, 05 Nov 2014 13:34:14 +0000

When ADCS uses sha1 for their certificates, you might want to change it to sha254. NOTE: Make sure all your devices support sha256 sha1 sha256 To achieve this enter the following commands in an elivated DOS-box:

Active Directory RecycleBin

Sun, 23 Feb 2014 08:57:10 +0000

Requirements:

At least one Domain Controller running Windows Server 2012 with the Active Directory Administrative Center enabled.
All Domain Controllers (or servers running AD LDS) must be running Windows Server 2008 R2 or higher.
The Forest must be running at Windows Server 2008 R2 functional level.

Import the Active Directory modules in PowerShell

AD Defragmentatie (Server 2012)

Tue, 14 May 2013 10:16:42 +0000

Stop de ADDS Service

ntdsutil
activate instance ntds
files
compact to c:

copy "c:ntds.dit" "c:WindowsNTDSntds.dit"

del c:WindowsNTDS*.log

Start de ADDS Service

Profile Permissions

Mon, 18 Mar 2013 18:40:37 +0000

NTFS Permissions for Roaming Profile Parent Folder User Account : Minimum Permissions Required Creator Owner : Full Control, Subfolders and Files Only Administrator : Full Control (Microsoft actually recommends none but it simplifies things if you give admins full control) Security group of users needing to put data on share : List Folder/Read Data, Create Folders/Append Data - This Folder Only Everyone : No permissions Local System : Full Control, This Folder, Subfolders and Files Share level (SMB) Permissions for Roaming Profile Share User Account : Minimum Permissions Required Everyone : No permissions Security group of users needing to put data on share : Full Control

FSMO

Sat, 29 Dec 2012 16:35:11 +0000

How to place FSMO and Global Catalog roles in Active Directory During installation of Active Directory on a Windows Server 2000/2003/2008 all FSMO roles will automatically be installed on the first server. But Best Practice dictates to move some of theese Flexible Single Master of Operation (FSMO) roles to seperate servers. If you only have one domain controller (not recommended), there is nothing to do since all roles must be on this server, but if you have multiple servers you should move some of theese roles on to more servers. It is also important to be aware of what servers are Global Catalog servers, especially if you have more than one domain and even if only one domain, they will be prefered by applications like Exchange server. It is recommended to place the forest roles on one Domain Controller (DC) and the domain roles on another server. If not all Domain Controllers are Global Catalog servers, it is also important to place the infrastructure master on a server that is NOT a Global Catalog server. Recommended Best Practice setup of FSMO roles. Domain Controller #1 Place the two forest roles on this server.