Part 2: Certificate Authority (Server 2016)

Next step is to run up a CA this is optional, some reasons why you might want a CA for SCCM:

  • HTTPS – You need all SCCM communication to be encrypted
  • TDE – You need to encrypt your databases, MBAM for example
  • MDM – You want mobile devices to use certificates to authenticate instead of requiring credentials for company resources like mail and Wi-Fi.

In my lab I’m going to implement a two tier Certificate Authority, an Offline RootCA and a subordinate CA which will be co-hosted on my primary Domain Controller (DC01). For some more details on planning production CA architecture see Securing PKI: Planning a CA Hierarchy.

  1. Create a new Virtual Machine with the below config:
    Name: RootCA
    Generation: 2
    Startup Memory: 1024
    Use Dynamic memory for this VM: Yes
    Connection: vNet External
  2. Install Windows Server 2016 Standard
    Note: This server MUST NOT be joined to your domain.
  3. Set a static IP address, mines 192.168.0.250
  1. Give your server a name, mines RootCA.
  2. In Server Manger click Manage> Add roles and Features
  3. Under Server Roles tick Active Directory Certificate Services and click Next.
    2017-03-20_16-53-19.png
  4. Click Next until you get to Role Services.
  5. Select Certificate authority and click Next.
    2017-03-20_16-56-08.png
  6. Click Install
  7. Under Server Manager click the flag> Configure Active Directory Certificate Services.
    2017-03-20_16-58-01
  8. Make sure you’re using the administrator account.
    2017-03-20_16-59-11.png
  9. Select Certificate Authority and click Next.
    2017-03-20_17-00-17.png
  10. Select Standalone CA and click Next.
    2017-03-20_17-01-15.png
  11. Select RootCA and click Next.
    2017-03-20_17-02-21
  12. Select create a new private key and click next.
    2017-03-20_17-03-19
  13. Leave the default cryptography and click next. You’ll be fine as long as it’s not SHA-1
    2017-03-20_17-04-30.png
  14. Change the common name, i’m using RootCA and click next.
    2017-03-20_17-06-26.png
  15. Increase validity period to 20 years and click next.
    2017-03-20_17-07-13
  16. Leave the certificate database in the default location and click next.
  17. Click Configure
  18. Confirm configuration successful.
    2017-03-20_17-08-58.png
  19. Open Regedit and increase the REG_DWORD ‘ValidityPeriodUnits’ to ’20’, located here:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\RootCA\ValidityPeriodUnits
  20. Open PowerShell and run the following commands:
    certutil –setreg caDSConfigDN CN=Configuration,DC=lab,DC=local
    certutil -setreg caDSDomainDN “DC=lab,DC=local”
  21. Launch Certificate Authority from Server Manager
  22. Right Click RootCA>Properties
    2017-03-20_17-20-16.png
  23. Browse to the Extensions tab.
    2017-03-20_18-05-41.png
  24. Add a new CRL Distribution Point extension – http://DC01/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl and select the following:
    2017-03-20_18-07-56.png
  25. Select ‘C:\Windows…’ CRL Distribution Point and select Publish CRLs to this location only.
    2017-03-20_18-10-04
  26. Under Select extension change to AIA.
    2017-03-20_18-11-38.png
  27. Add a new AIA – http://DC01/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt and select the following:
    2017-03-20_18-13-59.png
  28. In Certificate Authority right click Revoked Certificates>Properties
    2017-03-20_18-15-13.png
  29. Change CRL interval to 20 years
    2017-03-20_18-16-55.png
  30. In Certificate Authority right click Revoked Certificates>All Tasks>Publish
    2017-03-20_18-18-28.png
  31. Click Next.
    2017-03-20_18-19-48.png
  32. Copy files in C:\Windows\System32\CertSrv\CertEnroll ->  \\DC01\C$\Windows\System32\CertSrv\CertEnroll
  33. Now Jump on DC01 and install Certificate Authority
  34. Under Role Services, select Certificate Authority and Web Enrollment point.
    2017-03-20_18-26-26.png
  35. Install the roles and features.
  36. Under Server Manager click the flag> Configure Active Directory Certificate Services.
    2017-03-20_19-14-56.png
  37. Make sure your using an account with Enterprise Administrator rights and click Next.
  38. Select Certification Authority and Certification Authority Web Enrollment point and click next.
    2017-03-20_19-24-08
  39. Select Enterprise CA and click next.
    2017-03-20_19-25-54
  40. Select Subordinate CA and click next.
    2017-03-20_19-27-06
  41. Select create a new Private Key and click Next.
    2017-03-20_19-28-32
  42. Leave the default cryptography and click next.
    2017-03-20_19-39-40
  43. Give the subordinate CA a common name, mines SubCA.
    2017-03-20_19-41-57
  44. Save a certificate request to the local machine.
    2017-03-20_19-44-16
  45. Finish the Installation with the remaining defaults.
    2017-03-20_19-57-39
  46. Copy the certificate back to RootCA
  47. On RootCA open Certificate Authority and right click on RootCA>All Tasks>Submit new request.
    2017-03-20_19-48-04
  48. Browse to the req file.
  49. Select Pending requests and right click on the pending request>All tasks>Issue
    2017-03-20_19-50-07
  50. Select Issued Certificates and open the certificate just issues
  51. Click Copy file
  52. Select Cryptographic Message Syntax Standard and tick Include all certificates in the certification path if possible.
    2017-03-20_19-54-36
  53. Export file to C:\SubCA.p7b
  54. Copy the file back to Dc01
  55. On DC01 Open Certificate Authority>All Tasks Install CA Certificate and browse to the SubCA.p7b
    2017-03-20_20-00-00
  56. Click Ok to the warning.
    2017-03-20_20-01-16
  57. Start the CA service, you should get a green tick as per below.
    2017-03-20_20-02-54
  58. Export Certificates and deploy via Group Policy.
Advertisements

Part 1: Hyper-V, Networks, DC, DNS

This post will really only be applicable where you are running this up at home or a lab. Please don’t use this as guidance on building a production domain…

Some details on my hypervisor spec –

CPU – Intel Xeon E5-1650 @ 3.5GHz
RAM – 64GB
C:\ – 256GB SSD
V:\ – 1TB SSD

Hypervisor

  1. Install Windows Server 2016 Datacenter, media can be downloaded here.
  2. Set a static IP address, mines 192.168.0.100 as it’s sitting on my home network.
  3. Give your server a name, mines HV01 as in hypervisor 1.
  4. Install Hyper-v, open PowerShell and run the below:
    Install-WindowsFeature –Name Hyper-V -IncludeManagementTools -Restart

    2017-03-13_12-24-54

  5. Open Hyper-V Manager
    2017-03-13_12-44-09
  6. Open Hyper-V Settings
    2017-03-13_12-46-35
  7. Change Virtual Hard Disks to ‘V:\Hyper-V\Virtual Hard Disks’
    2017-03-13_12-52-24
  8. Change Virtual Machines to ‘V:\Hyper-V\Virtual Machines’
    2017-03-13_12-56-22.png
  9. Open Virtual Switch Manager
    2017-03-13_17-55-53.png
  10. Select New virtual network switch, external and click Create Virtual Switch
    2017-03-13_17-53-35
  11. Give it a name and select external network.
    2017-03-13_17-59-32.png
  12. Install data deduplication, open PowerShell and run the below:
    Import-Module ServerManager
    Add-WindowsFeature -name FS-Data-Deduplication

    2017-03-13_15-24-50

  13. In Server Manager browse to File and Storage Services>Volumes
    2017-03-13_15-29-10.png
  14. Right click on the volume you’re storing your VM’s on, ‘V:’ in my case and select ‘Configure data deduplication’.
    2017-03-13_15-35-24
  15. Change Data Deduplication to Virtual Desktop Infrastructure and then click Set Deduplication Schedule.
    2017-03-13_15-39-04.png
  16. Configure an appropriate schedule, mines pretty aggressive because it’s a lab and I’m not fussed when it runs.
    2017-03-13_15-43-55.png
  17. Install all Windows Updates

Domain Controller 1

  1. Create a new Virtual Machine with the below
    Name: DC01
    Generation: 2
    Startup Memory: 1024
    Use Dynamic memory for this VM: Yes
    Connection: vNet External
  2. Install Windows Server 2016 Standard
  3. Set a static IP address, mines 192.168.0.101
  4. Give your server a name, mines DC01 as in Domain Controller 1
  5. Install Active Directory Domain Services, DNS, open PowerShell and run the below:
    Install-windowsfeature AD-Domain-Services
    Install-Windowsfeature DNS

    2017-03-13_22-05-34.png

  6. In Server Manager click on the flag and run Promote this server to a domain controller.
    2017-03-13_22-06-49
  7. Select Add a new forest and enter a domain name and click Next.
    2017-03-13_22-09-20
  8. Enter a password and click Next.
    2017-03-13_22-12-32
  9. Click Next.
    2017-03-13_22-14-06.png
  10. Set an NetBIOS name and click next.
    2017-03-13_22-15-31.png
  11. Configure locations, I’m using the defaults.
    2017-03-13_22-17-02.png
  12. Review options and click Next.
    2017-03-13_22-18-16.png
  13. Review pre-requisite check and click install.
    2017-03-13_22-24-25
  14. Server will be restarted
  15. Launch DNS from Server Manager
    2017-03-16_17-41-14.png
  16. Select DC01>Forwarders>Edit
    2017-03-16_17-43-23.png
  17. Enter Google or another external DNS server, I’m using 8.8.8.8 then hit enter.
    2017-03-16_17-45-58.png
  18. Confirm you can resolve your new domain with nslookup.
    2017-03-16_17-48-12

Domain Controller 2

  1. Create a new Virtual Machine with the below
    Name: DC02
    Generation: 2
    Startup Memory: 1024
    Use Dynamic memory for this VM: Yes
    Connection: vNet External
  2. Install Windows Server 2016 Standard
  3. Set a static IP address, mines 192.168.0.102
  4. Give your server a name, mines DC02 as in Domain Controller 2
  5. Join the server to your newly created domain
  6. Install Active Directory Domain Services, DNS, open PowerShell and run the below:
    Install-windowsfeature AD-Domain-Services
    Install-Windowsfeature DNS

    2017-03-13_22-05-34.png

  7. In Server Manager click on the flag and run Promote this server to a domain controller.
    2017-03-16_18-00-20.png
  8. Select Add a domain controller to an existing domain, enter your domain name and click Next.
    2017-03-16_18-02-01.png
  9. Enter a password and click next.
    2017-03-16_18-03-58.png
  10. Click Next
    2017-03-16_18-04-56.png
  11. Click Next
    2017-03-16_18-09-02
  12. Set paths and click Next
    2017-03-16_18-09-59.png
  13. Review config and click next.
    2017-03-16_18-10-19.png
  14. Confirm pre-reqs are met and click install.
    2017-03-16_18-12-00
  15. Confirm you can resolve your new domain with nslookup.
    2017-03-16_17-48-12

References:
Windows Server 2012 Hyper-V Best Practices (In Easy Checklist Form)

 

SCCM Collection: Dynamically Identifying Users that have had their mailbox migrated to O365

One of the challenges I’ve recently had is identifying users that have had their mailbox migrated to Office365. This becomes quite a task if like me you’re using InTune integrated with SCCM but need separate mail profiles for mobile users. Now this isn’t an issue if you’re happy to manually maintain an AD group which can then be referenced by SCCM, however I want this to dynamically be updated and not rely on Humans.

John Bailey, has written an excellent article on some key AD attributes which can be used to identify whether the mailbox is on-prem or in O365. For my environment I can simply extend my Active Directory User Discovery to include the attribute ‘msExchRecipientDisplayType’ and then use a WQL query to identify the users that have been migrated.

Common values:

Value

Object Type

1

User Mailbox

2

Linked Mailbox

4

Shared Mailbox

2048

Dynamic Distribution Group

2147483648

Remote Mailbox (O365)

The query for where the mailbox has been migrated to Office365:

SELECT *
FROM
SMS_R_User
WHERE
SMS_R_User.msExchRecipientTypeDetails = 2147483648

Most used WQL Queries

Here are some of my most used WQL Queries for collection creation.

User is in AD group

SELECT
SMS_R_USER.ResourceID,
SMS_R_USER.ResourceType,
SMS_R_USER.Name,
SMS_R_USER.UniqueUserName,
SMS_R_USER.WindowsNTDomain
FROM
SMS_R_User
WHERE
SMS_R_User.UserGroupName = "DOMAIN\\GROUP"

Device is in AD Group

SELECT
SMS_R_SYSTEM.ResourceID,
SMS_R_SYSTEM.ResourceType,
SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client 
FROM 
SMS_R_System 
WHERE
SMS_R_System.SystemGroupName = "DOMAIN\\GROUP"

Device is in OU

SELECT
SMS_R_SYSTEM.ResourceID,
SMS_R_SYSTEM.ResourceType,
SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client 
FROM 
SMS_R_System 
WHERE 
SMS_R_System.SystemOUName = "DOMAIN.LOCAL/OU/OU"

Devices where the Primary User is in a specific AD Group

SELECT
SMS_R_SYSTEM.ResourceID,
SMS_R_SYSTEM.ResourceType,
SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client 
FROM
SMS_R_System 
JOIN SMS_UserMachineRelationship ON SMS_R_System.Name=SMS_UserMachineRelationship.ResourceName 
JOIN SMS_R_User ON SMS_UserMachineRelationship.UniqueUserName=SMS_R_User.UniqueUserName 
WHERE 
SMS_UserMachineRelationship.Types=1 AND 
SMS_R_User.UserGroupName="DOMAIN\\USER GROUP"

Specific Application is installed

SELECT
SMS_R_SYSTEM.ResourceID,
SMS_R_SYSTEM.ResourceType,
SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client 
FROM 
SMS_R_System inner
JOIN SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId 
INNER JOIN SMS_G_System_ADD_REMOVE_PROGRAMS_64 on SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceID = SMS_R_System.ResourceId 
WHERE 
SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "Name from Add/Remove Programs" OR 
SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName = "Name from Add/Remove Programs"

Specific Application is installed but has not been used in >= 90 days

I always limit this collection with a Specific Application is installed collection.

SELECT
SMS_R_SYSTEM.ResourceID,
SMS_R_SYSTEM.ResourceType,
SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client
FROM
SMS_R_System
INNER JOIN SMS_G_System_CCM_RECENTLY_USED_APPS on SMS_G_System_CCM_RECENTLY_USED_APPS.ResourceID = SMS_R_System.ResourceId
WHERE
SMS_G_System_CCM_RECENTLY_USED_APPS.ExplorerFileName = "SameEXEasMetering.EXE" AND
DATEDIFF(day, LastUsedTime, GETDATE()) > 90 order by SMS_R_System.Name

By Architecture

SELECT
SMS_R_SYSTEM.ResourceID,
SMS_R_SYSTEM.ResourceType,
SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client
FROM
SMS_R_System
INNER JOIN SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceID
WHERE SMS_G_System_COMPUTER_SYSTEM.SystemType = "x86-based PC/X64-based PC"

All Workstations

SELECT
SMS_R_SYSTEM.ResourceID,
SMS_R_SYSTEM.ResourceType,
SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client 
FROM
SMS_R_System 
WHERE
SMS_R_System.operatingSystem NOT LIKE "%Server%"

All Servers

SELECT
SMS_R_SYSTEM.ResourceID,
SMS_R_SYSTEM.ResourceType,
SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client
FROM
SMS_R_System
WHERE
SMS_R_System.operatingSystem LIKE"%Server%"

Clients with specific CCM version

SELECT
SMS_R_SYSTEM.ResourceID,
SMS_R_SYSTEM.ResourceType,
SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client
FROM
SMS_R_System
WHERE
SMS_R_System.ClientVersion LIKE "5.00.8325%"

A few points on Active Directory OU structure and Group Policy

Active Directory is one of those things that is typically the center point of any infrastructure. Everything sits on top of it and it is often just taken for granted. It’s important to note that the structure of your Organisational Units and Group Policy is really important, with that in mind here are a few points I like to always keep in mind when designing AD Structures.

Continue reading