December 19

PowerShell: Pull all users' display names, email addresses and SAM account names

Install the needed PowerShell module (the RSAT Active Directory tools):

Import-Module ServerManager
Add-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature
Import-Module ActiveDirectory

Run the following command to export the three attributes for every user to a CSV file:
Get-ADUser -Filter * -Properties DisplayName, EmailAddress, SamAccountName | Select-Object DisplayName, EmailAddress, SamAccountName | Export-Csv "C:\Email_Addresses.csv"

By: Timothy Jay Conrad

Category: Programming, Windows Server
February 10

Linux: Connecting a Linux server to Active Directory. All of the needed steps.

Setting up an Ubuntu Server 16.04 Linux server as a member of an Active Directory domain has never been a small task.
The following are the steps involved. I hope you are as successful as I have been.
Keep in mind that most kinit errors are due to the Linux server not properly identifying the Active Directory server by name.

The following assumes you have an understanding of Linux and Microsoft Active Directory:

1. On your Ubuntu/Debian server install the required packages:
sudo apt-get -y install ntp nano ntpdate winbind samba libnss-winbind libpam-winbind krb5-config krb5-locales krb5-user

During the package install a dialog will ask for the domain (Kerberos realm) name. Enter it in all caps:
YOURDOMAIN.LOCAL

2. Configure the clock to match your domain controller (Kerberos rejects requests if the clocks drift too far apart).
Edit the file ntp.conf and provide the name or the IP of your domain controller. Comment out unneeded servers:
sudo cp /etc/ntp.conf /etc/ntp.oldconf
sudo nano /etc/ntp.conf

pool DC1.YOURDOMAIN.LOCAL

3. Restart the NTP service:
sudo service ntp restart

4. Configure Kerberos:
sudo cp /etc/krb5.conf /etc/krb5.oldconf
sudo truncate -s0 /etc/krb5.conf
sudo nano /etc/krb5.conf

Use the configuration below. Change the names where appropriate:

[libdefaults]
ticket_lifetime = 24000
default_realm = YOURDOMAIN.LOCAL
# rc4-hmac and des-cbc-md5 are legacy encryption types; prefer the AES types
# (aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96) where the domain
# controllers support them.
default_tgs_enctypes = rc4-hmac des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-md5
dns_lookup_realm = true
dns_lookup_kdc = true
dns_fallback = yes

[realms]
YOURDOMAIN.LOCAL = {
kdc = DC1.YOURDOMAIN.LOCAL
kdc = DC2.YOURDOMAIN.LOCAL
default_domain = YOURDOMAIN.LOCAL
}

[domain_realm]
# map the DNS domain, and every host under it, to the Kerberos realm
.YOURDOMAIN.LOCAL = YOURDOMAIN.LOCAL
YOURDOMAIN.LOCAL = YOURDOMAIN.LOCAL

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

Save the file.

5. Modify your /etc/hosts file so that the host names, including the domain controller, map to the correct IP addresses.
It should look something like this:

127.0.0.1 SERVER1.YOURDOMAIN.LOCAL SERVER1
127.0.1.1 SERVER1.YOURDOMAIN.LOCAL SERVER1
172.22.11.251 DC1.YOURDOMAIN.LOCAL YOURDOMAIN.LOCAL

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

6. Point your network interface at the Active Directory DNS server:
sudo vi /etc/network/interfaces

# change the name server to the AD one
dns-nameservers 192.168.1.10

sudo ifdown eth0 && sudo ifup eth0 (if this does not work for you, simply reboot)

7. Obtain a Kerberos ticket from Active Directory on the Linux server using a Domain Administrator account:
sudo kinit AdminName

8. Check that a ticket was issued:
sudo klist

You will hopefully see something like this:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: AdminName@YOURDOMAIN.LOCAL

Valid starting       Expires              Service principal
02/10/2017 08:57:59  02/10/2017 15:37:52  krbtgt/YOURDOMAIN.LOCAL@YOURDOMAIN.LOCAL

9. Configure Samba
sudo cp /etc/samba/smb.conf /etc/samba/smb.oldconf
sudo nano /etc/samba/smb.conf

Use the configuration below. Change the names where appropriate:

workgroup = YOURDOMAIN
security = ADS
realm = YOURDOMAIN.LOCAL
encrypt passwords = yes

idmap config *:backend = rid
idmap config *:range = 5000-100000

# the parameter is named "allow trusted domains"; Samba ignores the spelling "winbind allow trusted domains"
allow trusted domains = no
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes

template shell = /bin/bash

Save the configuration.

10. Modify the file nsswitch.conf to indicate that we will use groups and users of the Active Directory (winbind):
sudo cp /etc/nsswitch.conf /etc/nsswitch.oldconf
sudo nano /etc/nsswitch.conf

Add winbind to the passwd, group and shadow lines. It should look something like this:
passwd: compat winbind
group: compat winbind
shadow: compat winbind
gshadow: files

hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
Save the file.

11. Join the Linux server to Active Directory:
sudo net ads join -U AdminName

You can ignore the error concerning DNS; the computer object is still created in Active Directory. The "Unknown parameter" lines appear only if smb.conf uses the spelling winbind allow trusted domains, which Samba ignores.

You should see something like this:

Unknown parameter encountered: "winbind allow trusted domains"
Ignoring unknown parameter "winbind allow trusted domains"
Unknown parameter encountered: "winbind allow trusted domains"
Ignoring unknown parameter "winbind allow trusted domains"
Enter AdminName's password:
Using short domain name -- YOURDOMAIN
Joined 'SERVER1' to dns domain 'yourdomain.local'

12. Check Active Directory Users and Computers to verify that your Linux server shows up in the Computers OU.

13. Set up the local PAM authentication options:
sudo pam-auth-update

[*] Unix authentication
[*] Winbind NT/Active Directory authentication
[*] Register user sessions in the systemd control group hierarchy
[*] Create home directory on login
[*] GNOME Keyring Daemon – Login keyring management

Be sure that the line Winbind NT/Active Directory authentication is selected. You can also have home directories created automatically on login.

14. Restart services to apply all changes:
sudo service smbd restart
sudo service nmbd restart
sudo service winbind restart

You can use the following commands to check that users and groups are being read from Active Directory correctly:
wbinfo -u
wbinfo -g
wbinfo -i AdminUser
getent passwd
getent group

15. If you want an Active Directory user to have sudo rights, add them to the sudo group:
sudo adduser AdminUser sudo

You can test this from another Linux computer by logging in with the domain account:
ssh AdminUser@SERVER1.YOURDOMAIN.LOCAL
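The failure modes this procedure warns about (the domain controller not resolving by name, clock skew, a mis-cased default_realm, and no ticket after step 8) can be checked before running kinit or net ads join. The preflight script below is an added example, not part of the original post; it uses the post's placeholder names DC1.YOURDOMAIN.LOCAL and YOURDOMAIN.LOCAL, and assumes ntpdate (installed in step 1) is available for the live clock check.

```shell
#!/bin/sh
# ad-preflight.sh (added example, not from the original post): checks the
# things that most often make kinit and "net ads join" fail in the steps
# above: the DC not resolving by name, clock skew, a mis-cased default_realm,
# and no ticket after step 8. Names are the post's placeholders.

MAX_SKEW=300   # Kerberos rejects requests when clocks differ by 5 min or more

# check_hosts_entry FILE FQDN: succeed if FQDN is listed as a hostname in an
# /etc/hosts-style FILE (comment lines ignored, case-insensitive match).
check_hosts_entry() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if (tolower($i) == want) { found = 1; exit } }
        END { if (found) exit 0; exit 1 }' "$1"
}

# check_skew OFFSET_SECONDS: succeed if the absolute offset is below MAX_SKEW.
check_skew() {
    awk -v o="$1" -v m="$MAX_SKEW" 'BEGIN { if (o < 0) o = -o; s = (o < m) ? 0 : 1; exit s }'
}

# check_default_realm FILE REALM: succeed if krb5.conf sets default_realm to
# exactly REALM (realm names are case-sensitive and must be upper case).
check_default_realm() {
    got=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" |
          sed 's/[[:space:]]*$//' | head -n 1)
    [ "$got" = "$2" ]
}

# has_tgt FILE REALM: succeed if klist output in FILE ("-" for stdin) shows a
# ticket-granting ticket for REALM, as in the step 8 output.
has_tgt() {
    grep -qF "krbtgt/$2@$2" "$1"
}

# run_live_checks DC_FQDN REALM: run the checks against this host.
run_live_checks() {
    dc=$1; realm=$2
    check_hosts_entry /etc/hosts "$dc" || echo "WARN: $dc is not in /etc/hosts"
    check_default_realm /etc/krb5.conf "$realm" || echo "WARN: default_realm is not $realm"
    offset=$(ntpdate -q "$dc" 2>/dev/null | awk '/^server/ { sub(",", "", $6); print $6; exit }')
    if [ -z "$offset" ]; then echo "WARN: could not read the clock of $dc via ntpdate"
    elif ! check_skew "$offset"; then echo "WARN: clock is ${offset}s off from $dc"; fi
    klist 2>/dev/null | has_tgt - "$realm" || echo "WARN: no TGT for $realm; run kinit first"
}

# Usage: ./ad-preflight.sh DC1.YOURDOMAIN.LOCAL YOURDOMAIN.LOCAL
if [ $# -eq 2 ]; then run_live_checks "$@"; fi
```

With no arguments the script only defines the check functions, so they can be sourced and reused against copies of /etc/hosts or krb5.conf taken from another machine.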

Notes taken from:
F Appointaire, Server-World.info, and T Conrad

Category: Linux, Windows Server
September 12

Windows 2008 – Windows update stuck on “Preparing to configure. Do not turn off your computer.”

When doing a Windows update you may run into a circumstance where it becomes stuck or frozen on "Preparing to configure. Do not turn off your computer." Do not hard boot the computer; it may not come back up. To resolve this issue try the following:
1. As an administrator, on a Windows workstation or server, run services.msc
2. Right click on Services (Local) and select Connect to another computer.
3. Once connected, scroll down to Windows Modules Installer.
If this is in a Stopping state then this post is for you.
4. Get a copy of pskill from the Sysinternals Suite.
5. Run a command prompt as Administrator.
6. cd to the directory that you saved pskill to.
7. Run the following command: pskill -t \\yourservername -u yourusername -p yourpassword trustedinstaller.exe
(If you omit -p, pskill prompts for the password instead of leaving it in the command history.)
This should immediately stop the service and the server will finish its rebooting and updating cycle.

By: Timothy Conrad

Category: Windows Server
April 5

Windows Server: How do I import an ADMX/ADML file in Windows 2012 and Active Directory

To import an ADMX file:
1. Copy the ADMX files to the folder C:\Windows\PolicyDefinitions on the machine performing the Group Policy Object editing.
2. Copy the ADML files to the folder C:\Windows\PolicyDefinitions\<language> on the machine performing the Group Policy Object editing.

If you are using a central store for Active Directory:

1. Copy the ADMX files to the folder SYSVOL\<domain>\policies\PolicyDefinitions
2. Copy the ADML files to the folder SYSVOL\<domain>\policies\PolicyDefinitions\<language>

(Replace <language> with the correct language, such as EN-US)

By J Savill and Nighthawk

Category: Windows Server