Wednesday, July 1, 2015

WHAT IS Cryptography

Cryptography is closely related to the disciplines of cryptology and cryptanalysis. The term is sometimes stretched to cover information-hiding techniques such as microdots and merging words with images; strictly, those belong to steganography, which conceals that a message exists rather than making its contents unreadable. In today's computer-centric world, cryptography is most often associated with scrambling plaintext (ordinary text, sometimes referred to as cleartext) into ciphertext (a process called encryption), then back again (known as decryption). Individuals who practice this field are known as cryptographers.
Modern cryptography concerns itself with the following four objectives:
1) Confidentiality (the information cannot be understood by anyone for whom it was unintended)
2) Integrity (the information cannot be altered in storage or transit between sender and intended receiver without the alteration being detected)
3) Non-repudiation (the creator/sender of the information cannot deny at a later stage his or her intentions in the creation or transmission of the information)
4) Authentication (the sender and receiver can confirm each other's identity and the origin/destination of the information)

Different primitives serve different objectives: encryption gives confidentiality; message authentication codes (MACs) and digital signatures give integrity and authentication; only digital signatures give non-repudiation, because a MAC is computed with a secret shared by both parties, so either of them could have produced it.

Public Key Infrastructure


Public Key Infrastructure (PKI) is a system that validates a user's digital identity over a public or private network. It does so by binding a public/private key pair to the individual's identity. The key pair is generated with a cryptographic algorithm, ideally by the subject itself so that the private key never leaves the user's device, smart card or token. A certificate authority (CA) verifies the identity and then issues a digital certificate that contains the public key (plus subject name, validity period and usage constraints) and is signed by the CA; that signature is what links the key to the user's unique identity. The CA records the certificates it has issued, and any it has revoked, in its database. The public key, inside its certificate, can be published in a directory that anyone may read. The private key remains secret and is never transmitted over the network. It is used to:


  1. Authenticate - for certificate-based authentication, the client presents its certificate to the authentication server and proves possession of the matching private key, typically by signing a server-supplied random challenge. The server validates the certificate chain and revocation status, then verifies the signature with the public key carried in the certificate. The private key is never sent, and nothing is "decrypted" with the public key.
  2. Encrypt - a message or document can be encrypted with the intended recipient's public key, obtained from the recipient's certificate in a public directory. Only the intended recipient can decrypt it with the matching private key. (In practice the public key encrypts a random symmetric key, which in turn encrypts the data, since public-key operations are slow and limited in message size.)
  3. Digitally sign - a digital signature for a message, document or transaction is created by hashing the contents and signing that hash with the user's private key; the signature is attached to the signed contents. The receiver recomputes the hash and verifies the signature with the user's public key from the certificate, which confirms both who signed the contents and that they have not been altered since.

This technology offers a range of security features for the enterprise, including authentication, confidentiality and non-repudiation. PKI applications for end users also provide network and workstation login, secure remote access, single sign-on, email encryption, secure data storage, digital signatures and secure online transactions.
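The three private-key operations above, together with the objectives from the cryptography section (confidentiality, integrity, authentication, non-repudiation), demonstrated with .NET's RSA classes from PowerShell. This is an added example, not code from the original post; the parties "Alice" and "Bob", the message text and the challenge are invented for the demonstration, and the raw public keys stand in for what a CA would normally carry inside a signed certificate.

```powershell
# Added example (not from the original post). Keys, message and challenge are
# generated in-process, so it runs offline with no CA involved. RSA.Create()
# returns a 2048-bit RSA key by default on both Windows PowerShell 5.1 (.NET 4.6+)
# and PowerShell 7.

# --- Key pairs: one for "Alice" (sender) and one for "Bob" (recipient) --------
$alice = [System.Security.Cryptography.RSA]::Create()
$bob   = [System.Security.Cryptography.RSA]::Create()

# The "published" side of each identity: public parameters only ($false =
# exclude private parameters). In a PKI this is what the CA signs into a cert.
$alicePub = [System.Security.Cryptography.RSA]::Create()
$alicePub.ImportParameters($alice.ExportParameters($false))
$bobPub   = [System.Security.Cryptography.RSA]::Create()
$bobPub.ImportParameters($bob.ExportParameters($false))

$sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$pkcs1  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
$oaep   = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256

# --- 1. Authenticate: prove possession of the private key --------------------
# Server sends a random nonce, client signs it, server verifies with the
# public key from the client's certificate. Nothing is "decrypted" here.
$nonce = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($nonce)
$proof  = $alice.SignData($nonce, $sha256, $pkcs1)                 # client side
$authOk = $alicePub.VerifyData($nonce, $proof, $sha256, $pkcs1)    # server side
"Challenge-response authentication succeeded: $authOk"

# --- 2. Encrypt: to Bob, with Bob's public key (confidentiality) -------------
$plain  = [Text.Encoding]::UTF8.GetBytes("Wire 10,000 to account 42")
$cipher = $bobPub.Encrypt($plain, $oaep)                           # anyone can do this
$back   = [Text.Encoding]::UTF8.GetString($bob.Decrypt($cipher, $oaep))  # only Bob
"Decrypted by Bob: $back"
try   { $null = $alice.Decrypt($cipher, $oaep); "Alice decrypted it (should not happen)" }
catch { "Alice cannot decrypt Bob's message: $($_.Exception.GetType().Name)" }

# --- 3. Sign: Alice signs, anyone verifies with Alice's public key -----------
# Integrity (tampered data fails), authentication and non-repudiation (only
# Alice's private key produces a signature Alice's public key accepts).
$sig = $alice.SignData($plain, $sha256, $pkcs1)
$tampered = [Text.Encoding]::UTF8.GetBytes("Wire 90,000 to account 42")
"Signature valid on original:    " + $alicePub.VerifyData($plain,    $sig, $sha256, $pkcs1)
"Signature valid on tampered:    " + $alicePub.VerifyData($tampered, $sig, $sha256, $pkcs1)
"Signature valid with Bob's key: " + $bobPub.VerifyData($plain,     $sig, $sha256, $pkcs1)
```

Expected behaviour: the first line prints True, Bob recovers the message while Alice's decrypt attempt throws a CryptographicException, and of the three verification lines only the first is True. Swapping in the wrong key or changing one character of the signed text is enough to make verification fail, which is exactly what the integrity objective requires.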

Difference between Enterprise CA & Standalone CA


An Enterprise CA is integrated with Active Directory. It uses domain services for certificate management, uses the directory for naming and authentication, and publishes itself, its CA certificate and its CRL to the directory. Because of that integration it can issue certificates from certificate templates and auto-enroll domain users and computers, which provides a lot of other integration points that simplify the user experience. It must be installed by a member of Enterprise Admins and is normally kept online.

A Standalone CA is one that doesn't integrate with AD. It has no certificate templates (every request must carry all of its subject information) and, by default, requests sit as pending until an administrator issues them. This is a great implementation choice for many scenarios, including non-AD clients, or simply because you don't want to use Active Directory to manage certificates, and above all for an offline root CA: a standalone root is kept powered off or off the network and only signs the certificates of the online issuing CAs beneath it, so a compromise of an issuing CA never exposes the root key.

WHAT IS ACTIVE DIRECTORY CERTIFICATE SERVICES


Applications supported by AD CS include Secure/Multipurpose Internet Mail Extensions (S/MIME), secure wireless networks, virtual private networks (VPN), Internet Protocol security (IPsec), Encrypting File System (EFS), smart card logon, Secure Sockets Layer/Transport Layer Security (SSL/TLS) and digital signatures.
AD CS, which can be managed through Microsoft Management Console snap-ins or Server Manager, has six components (role services):
1.    CA Web Enrollment - lets users request and retrieve certificates from a CA with a web browser
2.    Certification Authorities (CAs) - issue certificates and manage their validity (renewal, revocation and CRL publication)
3.    Certificate Enrollment Policy Web Service - allows computers and users to retrieve information about their certificate enrollment policy
4.    Certificate Enrollment Web Service - allows computers and users to enroll for certificates over HTTPS, including from outside the domain
5.    Network Device Enrollment Service - lets network devices without domain accounts retrieve certificates (SCEP)
6.    Online Responder - answers OCSP requests about a certificate's revocation status, as a lighter-weight alternative to clients downloading full CRLs
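The two CA types from the previous section and the six AD CS role services, expressed as the PowerShell an administrator would run on Windows Server 2012 R2 or later. This is an added example, not from the original post; the CA common names "Contoso Offline Root CA" and "Contoso Issuing CA 1", the key size, hash and validity are assumptions chosen for the example.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the server that will become the CA.

# 1. Role services. Feature names as understood by Install-WindowsFeature:
#    ADCS-Cert-Authority     Certification Authority
#    ADCS-Web-Enrollment     CA Web Enrollment
#    ADCS-Enroll-Web-Pol     Certificate Enrollment Policy Web Service
#    ADCS-Enroll-Web-Svc     Certificate Enrollment Web Service
#    ADCS-Device-Enrollment  Network Device Enrollment Service
#    ADCS-Online-Cert        Online Responder
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Online-Cert -IncludeManagementTools

# 2a. Standalone root CA: no Active Directory dependency, so the box can be
#     kept offline after the issuing CA certificates are signed. Requests sit
#     as "pending" until an administrator issues them. Note the explicit
#     SHA256; the Server 2012 default hash is SHA1, which you do not want.
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName "Contoso Offline Root CA" `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force

# 2b. Enterprise CA (AD-integrated): same cmdlet, -CAType EnterpriseRootCA or
#     EnterpriseSubordinateCA. Must be run as a member of Enterprise Admins;
#     the CA is published to the Configuration partition, uses certificate
#     templates and can auto-enroll domain members. For a subordinate CA the
#     cmdlet writes a request file that the offline root then signs:
# Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
#     -CACommonName "Contoso Issuing CA 1" `
#     -KeyLength 4096 -HashAlgorithmName SHA256 `
#     -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
#     -OutputCertRequestFile C:\IssuingCA1.req -Force

# 3. Online Responder on the same box (an enterprise issuing CA would normally
#    host it, not the offline root).
Install-AdcsOnlineResponder -Force

# 4. Confirm which kind of CA was installed (prints e.g. "Standalone Root CA").
certutil -cainfo type
```

The standalone-root / enterprise-subordinate pairing is the usual two-tier layout: the root signs only the issuing CA certificates and its CRL, so it stays offline nearly all the time, while the enterprise issuing CA handles templates, auto-enrollment and day-to-day issuance.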

Monday, June 8, 2015

How to Rename Domain Name in Windows Server 2012?


Server admins familiar with Windows Server 2000 and 2003 may remember the RENDOM utility, which was used to rename a Windows 2000 or 2003 domain and had to be downloaded and installed separately. On Windows Server 2012 rendom.exe and gpfixup.exe ship with the AD DS tools, so nothing extra is needed. Before starting, take a system state backup of the domain controllers and check application support: the forest functional level must be at least Windows Server 2003, every DC in the forest must be reachable, and a forest that hosts Exchange Server cannot be renamed at all.


1 – Open System Properties and check your existing domain name. In this walkthrough the Windows Server 2012 domain is Adatum.com; it will be renamed to cpx.local.

2 – Next, open the Server Manager dashboard, go to Tools and click DNS to open DNS Manager.

3 – In DNS Manager, create a new DNS zone for cpx.local. Without it, member servers and Windows clients will not be able to locate the domain and join it after the rename completes.
** To create the zone, right-click Forward Lookup Zones and click New Zone.

4 – On the Welcome to the New Zone Wizard page, click Next.

5 – On Zone Type, select Primary Zone and click Next.

6 – On Active Directory Zone Replication Scope, select To all DNS servers running on domain controllers in this domain: Adatum.com and click Next.

7 – In Zone Name, enter the new domain name (cpx.local).

8 – On Dynamic Update, select Allow only secure dynamic updates (recommended for Active Directory) and click Next.

9 – On Completing the New Zone Wizard, click Finish.

10 – The new zone (cpx.local) is now listed in DNS Manager.

11 – Next, open a Command Prompt as administrator.

12 – Type rendom /list and press Enter. This generates a state file named Domainlist.xml that contains the current forest configuration.

13 – Browse to C:\Users\Administrator (the directory the Command Prompt was opened in) to find Domainlist.xml.

14 – Right-click Domainlist.xml and choose Edit. The DNSname and NetBiosName values are what will be changed in this file.

15 – Domainlist.xml lists every domain and application directory partition in the forest. Change each occurrence of the old domain name to the new one. The DomainDnsZones and ForestDnsZones application partitions carry the old DNS suffix too and must be renamed along with the domain.

16 – Save Domainlist.xml.

17 – Close the file and return to the Command Prompt. Type rendom /showforest to display the planned changes; this step does not change anything.

18 – Type rendom /upload. This uploads the rename instructions (Domainlist.xml) to the configuration directory partition on the domain controller holding the domain naming operations master role, and freezes the forest configuration until rendom /end is run.

19 – Type rendom /prepare. This verifies that every DC in the forest is ready to carry out the rename instructions. It must contact every DC successfully and return no errors before you proceed.

20 – Type rendom /execute. This re-verifies the readiness of all DCs and then performs the rename on each one.
** There will be a service interruption during this step. Once the rename has been applied, each DC restarts automatically.

21 – Once the DC has restarted, log in as administrator using the new domain name.

22 – Open System Properties and confirm that the old domain name is gone, replaced by the new one.

23 – Open a Command Prompt again and type gpfixup /olddns:adatum.com /newdns:cpx.local. This repairs intradomain references and links to Group Policy objects that still carry the old DNS name.

24 – Type gpfixup /oldnb:<old NetBIOS name> /newnb:cpx, where the old NetBIOS name is the NetBiosName value you replaced in Domainlist.xml (the NetBIOS domain name, not the domain controller's host name).

25 – Type rendom /clean to remove references to the old domain name from Active Directory.

26 – Type rendom /end to unfreeze the forest configuration and allow further changes; it was frozen by the rendom /upload step.

27 – Open DNS Manager and click the newly created zone (cpx.local). The DC's own records are listed, but clients still have to be brought into the renamed domain.

28 – Turn on a client PC; this exercise uses Windows 8. Open System Properties and join the new domain (cpx.local). If an error appears, click OK; the Windows Security dialog then prompts for credentials. Enter the domain administrator name and password and click OK ("Welcome to the cpx.local domain"). Computers that were already members of the old domain must be restarted twice after the rename so that they pick up the new domain name.

29 – After the Windows 8 client restarts, log in as a domain administrator.

30 – Double-check System Properties: the Windows 8 client is now a member of the new domain (cpx.local).

31 – Back on Server 2012, open DNS Manager: the Windows 8 client now has a record in the cpx.local zone.

32 – Active Directory Users and Computers also lists the Windows 8 client.
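The rendom/gpfixup sequence above as a PowerShell script, with an exit-code check after every rendom verb and scripted editing of Domainlist.xml instead of hand edits. This is an added example, not from the original post. It assumes the walkthrough's names (Adatum.com renamed to cpx.local, NetBIOS name CPX), assumes the old NetBIOS name is ADATUM (read the real value from Domainlist.xml), and assumes the element names that rendom /list writes are Forest/Domain/DNSname/NetBiosName, as referenced in step 14. Run each phase from an elevated session on a DC, from the directory where Domainlist.xml is written; phase 2 restarts the DCs, and phase 3 runs after logging back in under the new name.

```powershell
# Added example (not from the original post). Names below are assumptions
# taken from the walkthrough; $OldNb in particular must match the NetBiosName
# value rendom /list actually wrote to Domainlist.xml.
$OldDns = 'adatum.com'; $NewDns = 'cpx.local'
$OldNb  = 'ADATUM';     $NewNb  = 'CPX'
$ListFile = Join-Path $PWD 'Domainlist.xml'

function Invoke-Rendom {
    # Run one rendom verb and stop the script if it reports failure.
    param([string]$Verb)
    Write-Host ">>> rendom /$Verb"
    & rendom.exe "/$Verb"
    if ($LASTEXITCODE -ne 0) { throw "rendom /$Verb failed with exit code $LASTEXITCODE" }
}

function Edit-DomainList {
    # Rewrite every DNSname that ends with the old suffix (this also catches the
    # DomainDnsZones/ForestDnsZones application partitions) and every NetBiosName
    # equal to the old NetBIOS domain name. Assumed element names: see lead-in.
    [xml]$doc = Get-Content -Raw $ListFile
    foreach ($d in $doc.Forest.Domain) {
        if ($d.DNSname -and $d.DNSname.ToLower().EndsWith($OldDns)) {
            $d.DNSname = $d.DNSname.Substring(0, $d.DNSname.Length - $OldDns.Length) + $NewDns
        }
        if ($d.NetBiosName -eq $OldNb) { $d.NetBiosName = $NewNb }
    }
    $doc.Save($ListFile)
    Get-Content $ListFile   # eyeball the result before uploading it
}

function Start-DomainRename {
    # Phase 1 = steps 3-19. Nothing in AD changes until /upload, and /upload
    # freezes the forest configuration until /end.
    if (-not (Get-DnsServerZone -Name $NewDns -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $NewDns -ReplicationScope Domain -DynamicUpdate Secure
    }
    Invoke-Rendom list
    Edit-DomainList
    Invoke-Rendom showforest     # dry run: prints the planned rename
    Invoke-Rendom upload
    Invoke-Rendom prepare        # must reach every DC in the forest
}

function Invoke-DomainRenameExecute {
    # Phase 2 = step 20. Every DC restarts itself after applying the rename.
    Invoke-Rendom execute
}

function Complete-DomainRename {
    # Phase 3 = steps 23-26, after logging back in under the new domain name.
    & gpfixup.exe "/olddns:$OldDns" "/newdns:$NewDns"
    & gpfixup.exe "/oldnb:$OldNb"   "/newnb:$NewNb"
    Invoke-Rendom clean
    Invoke-Rendom end
    Write-Host "Remember: already-joined member computers need two restarts."
}
```

Usage: dot-source the file, call Start-DomainRename and read the rendom /showforest output carefully, then Invoke-DomainRenameExecute, and after the DCs are back and you have logged in under the new name, Complete-DomainRename. The point of Invoke-Rendom's exit-code check is that rendom /prepare failing against a single unreachable DC is the moment to stop, not something to discover after /execute has rebooted half the forest.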

Seize FSMO roles in Server 2012

One of the beautiful things of a test lab is getting to try things you might not get chance to do in a production environment.  So when my main Domain Controller went pop the other day, rather than work on bringing it back online I saw a good chance to test seizing the FSMO roles with PowerShell.

Previously the main way to seize the roles was using Ntdsutil in Server 2003 and 2008 (it still works on 2012).

Since PowerShell is now my weapon of choice I thought it would be useful to quickly document the method.

Move-ADDirectoryServerOperationMasterRole is the command that is used for this task.  More information on the command can be found here:
http://technet.microsoft.com/en-us/library/ee617229.aspx

You can use either the Role Name or Number to specify which role to move, this table shows the details:

Operation Master Role Name   Number
PDCEmulator                  0
RIDMaster                    1
InfrastructureMaster         2
SchemaMaster                 3
DomainNamingMaster           4

Use the -Identity parameter to specify the target Domain Controller and -OperationMasterRole to specify which role to transfer. I've also used the -Force switch as my current FSMO holder is offline; without -Force the cmdlet performs a normal transfer, which requires the current holder to be online.

I'll be moving all the roles to a target DC called TLDC02.
N.B. To move the SchemaMaster role you'll need to be a member of the Schema Admins group.  My account was also a member of Enterprise Admins when I ran this.
  1. Logon to a working Domain Controller and launch an elevated PowerShell session.
  2. Type: Move-ADDirectoryServerOperationMasterRole -Identity TLDC02 -OperationMasterRole 0,1,2,3,4 -Force


  3. Either type Y on each role move prompt, or type A to accept all prompts.
  4. After a while, all the roles should be successfully moved.
Last thing, a couple of PowerShell commands just to list the FSMO roles and who now owns them (replace DomainName with the forest or domain FQDN, or leave it out to query the one you are logged on to):

Get-ADForest DomainName | FT SchemaMaster,DomainNamingMaster
Get-ADDomain DomainName | FT PDCEmulator,RIDMaster,InfrastructureMaster


One thing to note, only seize the roles if you have no intention of bringing the original holding Domain Controller back online.  Domains don't tend to like having two FSMO role holders... If the old holder is merely down for a while, wait and do a normal transfer (no -Force) once it is back. After a genuine seizure, clean up the dead DC's metadata (ntdsutil metadata cleanup, or delete its computer object under the Domain Controllers OU) and rebuild it from scratch if you need the hardware again.
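The seizure above, wrapped in a check that only uses -Force for a role whose holder is actually unreachable and that verifies the result afterwards. This is an added example, not from the original post; the target name TLDC02 follows the post, everything else is read from AD at run time. It assumes the ActiveDirectory module is available and that ICMP reaches the DCs (if ping is filtered, substitute a port probe such as Test-NetConnection -Port 389).

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# on a working DC, as a member of Enterprise Admins and Schema Admins.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # One object with all five roles: the two forest-wide ones come from
    # Get-ADForest, the three domain-wide ones from Get-ADDomain.
    $f = Get-ADForest; $d = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Invoke-FsmoSeizure {
    param([Parameter(Mandatory)][string]$TargetDC)
    $before = Get-FsmoHolders
    $roles  = 'SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster'
    $targetFqdn = (Get-ADDomainController -Identity $TargetDC).HostName

    foreach ($role in $roles) {
        $holder = $before.$role
        if ($holder -eq $targetFqdn) { Write-Host "$role already on $TargetDC"; continue }
        # Graceful transfer when the holder answers; seize (-Force) only when it does not.
        $alive = Test-Connection -ComputerName $holder -Count 1 -Quiet
        if ($alive) {
            Write-Host "$role : $holder is reachable, transferring gracefully"
            Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $role -Confirm:$false
        } else {
            Write-Warning "$role : $holder is down, SEIZING. Never bring $holder back online afterwards."
            Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $role -Force -Confirm:$false
        }
    }

    # Verify: every role must now point at the target's FQDN.
    $after = Get-FsmoHolders
    $after | Format-List
    $bad = $roles | Where-Object { $after.$_ -ne $targetFqdn }
    if ($bad) { throw "Roles not on ${TargetDC}: $($bad -join ', ')" }

    # Follow-up after a seizure: remove the dead DC's metadata so replication
    # and DNS stop referencing it, e.g.
    #   ntdsutil "metadata cleanup" "remove selected server <DN of old DC's server object>" q q
    # or delete its computer object under the Domain Controllers OU in AD Users and Computers.
}

Invoke-FsmoSeizure -TargetDC TLDC02
```

Splitting the decision per role matters because the five roles need not all live on the same DC; a forest where the PDC emulator is on one box and the schema master on another should get a clean transfer for the reachable one and a seizure only for the dead one.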

Wednesday, June 3, 2015

Delegate Control "How to configure Delegate Control" in Server 2012R2

