August 12

Windows: RODC – Read Only Domain Controller authentication explained

If you are new to the Read Only Domain Controller (RODC) concept it is easy to get lost in the options and specifics. One aspect that is sometimes misunderstood about an RODC is that all users can still authenticate through it. There is an ability to allow and deny users and groups, but what is actually being denied is the ability of the RODC to cache the user's credentials. In "Active Directory Users and Computers", if you right-click an RODC and choose Properties, there is a new tab called "Password Replication Policy". This tab lists the groups of users that are Allowed or Denied the ability to have their credentials cached on the server. Caching credentials speeds up the authentication process, but it also leaves the password hashes on the server.

Below is a great summary from Ned Pyle's TechNet blog, "Understanding "Read Only Domain Controller" authentication":

Now let’s take a look at the “Password Replication Policies” and how they affect the RODC authentication behavior. With the installation of an RODC, there are four new attributes and two built-in groups to support RODC operations:

  • msDS-Reveal-OnDemandGroup. This attribute points to the distinguished name (DN) of the Allowed List. The credentials of the members of the Allowed List are permitted to replicate to the RODC.
  • msDS-NeverRevealGroup. This attribute points to the distinguished names of security principals that are denied replication to the RODC. This has no impact on the ability of these security principals to authenticate using the RODC. The RODC never caches the credentials of the members of the Denied List. A default list of security principals whose credentials are denied replication to the RODC is provided. This helps ensure that RODCs are secure by default.
  • msDS-RevealedList. This attribute is a list of security principals whose passwords have ever been replicated to the RODC.
  • msDS-AuthenticatedToAccountList. This attribute contains a list of security principals in the local domain that have authenticated to the RODC. The purpose of the attribute is to help an administrator determine which computers and users are using the RODC for logon. This enables the administrator to refine the Password Replication Policy for the RODC.

    ——————

  • Allowed RODC Password Replication Group. This group is added to the msDS-Reveal-OnDemandGroup.
  • Denied RODC Password Replication Group. This group is added to the msDS-NeverRevealGroup.

Note: The "Allowed RODC Password Replication Group" has no members by default, and the "Denied RODC Password Replication Group" contains all the 'VIP' accounts (Enterprise Administrators, Cert Publishers, Schema Administrators, etc.). As with most things, Deny always trumps Allow.

Using Repadmin.exe (built into Windows Server 2008), an administrator can view and modify the Password Replication Policy groups. To view the current PRP for a specified list or user:

Repadmin /prp view <RODC> {<List_Name>|<User>}
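The same four attributes read back with the ActiveDirectory PowerShell module, cross-checking what has actually been cached against the Denied list (an added example, not part of the original post or Ned Pyle's article; the RODC name RODC01 is assumed):

```powershell
# Added example, not from the original post: audit an RODC's Password Replication Policy.
# 'RODC01' is an assumed name; replace it with your RODC.
Import-Module ActiveDirectory
$Rodc = 'RODC01'

# Denied list (msDS-NeverRevealGroup); the Allowed list is the same cmdlet with -Allowed
$denied = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied

# Accounts whose secrets were actually cached (msDS-RevealedList) and accounts that
# have merely authenticated through the RODC (msDS-AuthenticatedToAccountList)
$revealed      = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts

# Expand the Denied list to individual principals (groups expanded recursively)
$deniedDns = foreach ($entry in $denied) {
    if ($entry.ObjectClass -eq 'group') {
        (Get-ADGroupMember -Identity $entry.DistinguishedName -Recursive).DistinguishedName
    } else {
        $entry.DistinguishedName
    }
}

# Finding 1: an account that is cached today but covered by Deny. Deny wins for future
# caching, but a copy already on the RODC is not removed by the policy change alone.
$cachedButDenied = $revealed | Where-Object { $deniedDns -contains $_.DistinguishedName }

# Finding 2: accounts that log on via this RODC without being cached; these are the
# candidates the quoted text mentions for refining the Allowed list.
$revealedDns       = @($revealed | ForEach-Object { $_.DistinguishedName })
$usesRodcNotCached = $authenticated | Where-Object { $revealedDns -notcontains $_.DistinguishedName }

"Denied list entries on {0}: {1}" -f $Rodc, @($denied).Count
"Accounts cached on {0}: {1}"     -f $Rodc, @($revealed).Count
"Cached but denied: {0}"          -f @($cachedButDenied).Count
$cachedButDenied   | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize
"Authenticated, not cached: {0}"  -f @($usesRodcNotCached).Count
$usesRodcNotCached | Select-Object Name, ObjectClass | Format-Table -AutoSize
```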

July 31

Windows: LDAPS Non Active Directory server communicating with an Active Directory controller

After installing a certificate on the AD domain controller from your local root CA server, remember that your external non-AD server also needs a certificate installed. Export the trusted root certificate of the CA from the CA server and import it into the non-AD server. Be certain to open TCP port 636 in your firewall. This allows LDAP over SSL (LDAPS) to go from your non-AD server to your domain controller.
July 29

Windows: Creating a Domain Authentication certificate (Mini version)

Here are the steps for creating a server certificate that allows LDAPS communication from any server to a domain controller.

1. Connect to the domain controller
2. Create a file called request.inf
3. Copy and paste the information below:

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=servername.domainname.local" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 2048
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

4. From a command line with administrator privileges enter: certreq -new request.inf request.req
This creates your certificate request.
5. Go to your certificate server's web interface: http://servername/certsrv
6. Click Request a certificate
7. Click advanced certificate request
8. Click “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal by using a base-64-encoded PKCS#7 file.”
9. Fill out the form as follows:

Request: in the text box, copy and paste the text inside the request.req file.

Certificate Template: Domain Controller Authentication

10. Click Submit

11. Download the DER and/or Base 64 encoded certificate

You are now ready to install the certificate into your server.
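Once the DC has its certificate and the CA root has been imported on the non-AD server (the previous post), this check, run from the non-AD server, opens a TLS session on port 636 and reports what the DC presents: subject, issuer, expiry, whether the Server Authentication EKU from the request.inf is present, and whether this server trusts the chain and the name matches. It is an added example, not code from the original posts; the DC name dc01.domainname.local is assumed.

```powershell
# Added example, not from the original posts: verify LDAPS from the non-AD server.
# 'dc01.domainname.local' is assumed; use the FQDN you put in request.inf.
function Test-LdapsCertificate {
    param([string]$DcFqdn, [int]$Port = 636)

    $state = @{ Errors = $null }
    # Let the handshake complete regardless, but record the validation result for reporting
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.Errors = $sslPolicyErrors
        return $true
    }.GetNewClosure()

    $tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($DcFqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $tcp.Dispose()
    }

    # Server Authentication EKU (1.3.6.1.5.5.7.3.1) is what the request.inf asks for
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        Thumbprint    = $cert.Thumbprint
        ServerAuthEKU = $ekuOids -contains '1.3.6.1.5.5.7.3.1'
        # None = chain trusted and name matches. RemoteCertificateChainErrors = the CA root
        # is not trusted here. RemoteCertificateNameMismatch = CN/SAN differs from the FQDN.
        PolicyErrors  = $state.Errors
    }
}

Test-LdapsCertificate -DcFqdn 'dc01.domainname.local'
```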

January 5

Windows 8: Resetting a wireless adapter when a PC wakes up

As of 1/5/2015 the Surface Pro 3 still has wireless problems when waking up from sleep.
One way to address this is to reset the wireless adapter when the PC wakes up.
The process below captures the wake-up event and runs a script that resets the wireless adapter whenever that event occurs.

If you have not already done so, set up PowerShell to execute scripts in addition to interactive commands.

Prepare your PowerShell environment

1. Start PowerShell as administrator
2. Enter: Set-ExecutionPolicy RemoteSigned
3. When prompted, select Y and press Enter to accept the policy change

———————–

Setting up the automated process

4. In Notepad, create a PowerShell file called resetwifi.ps1 and put it in a folder you can remember, e.g. c:\scripts\resetwifi.ps1
5. Save the following command in the file: Get-NetAdapter "Wi-Fi" | Restart-NetAdapter

6. Start the task scheduler
7. select Event Viewer, right click, select Create Basic Task
8. Name it: resetwifi
9. Click Next
10. Select When a specific event is logged
11. Click Next
12. Set Log: System, Source: Power-Troubleshooter, Event ID: 1
13. Click Next
14. Select Start a Program
15. Under Program/script type: powershell, and under Add arguments: -command c:\scripts\resetwifi.ps1
16. Click Next
17. Checkmark Open the Properties dialogue for this task when I click Finish
18. Click Finish
19. Under the General tab select Run whether user is logged on or not
20. Enter your password
21. Select Run with highest privileges
22. Select the Conditions tab and, under Power, remove the checkmark from "Start the task only if the computer is on AC power"
23. Click OK

Next time you press the power button to wake up your computer, the Wi-Fi adapter will be restarted.
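The Task Scheduler steps above expressed as PowerShell, as an added example rather than the original post's procedure: it registers the same event-triggered task (System log, Power-Troubleshooter, Event ID 1). One variation from steps 19 to 21: it runs the task as the built-in SYSTEM account, so no user password is stored with the task. The script path C:\scripts\resetwifi.ps1 is assumed.

```powershell
# Added example, not from the original post: register the 'resetwifi' task from PowerShell.
# The script path is assumed; the task runs as SYSTEM instead of a stored user password.
$ScriptPath = 'C:\scripts\resetwifi.ps1'

# Event triggers are not exposed by New-ScheduledTaskTrigger, so build one via CIM.
# The XPath below is what the GUI generates for Log=System, Source=Power-Troubleshooter, ID=1.
$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger `
    -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Enabled = $true
$trigger.Subscription = @'
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Power-Troubleshooter'] and EventID=1]]</Select>
  </Query>
</QueryList>
'@

# Run the script by path (-File) rather than -Command so the argument is not re-parsed
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -File `"$ScriptPath`""

# Equivalent of clearing "Start the task only if the computer is on AC power" (step 22)
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

# "Run whether user is logged on or not" with highest privileges, without storing a password
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName 'resetwifi' -Action $action -Trigger $trigger `
    -Settings $settings -Principal $principal -Force

# Confirm the registration and the trigger that was attached
Get-ScheduledTask -TaskName 'resetwifi' | Select-Object TaskName, State
(Get-ScheduledTask -TaskName 'resetwifi').Triggers | Select-Object Enabled, Subscription
```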

July 10

Windows: Sending a message to user on a remote Windows computer

Microsoft removed net send from Windows after Windows XP.

Here is the command to send a message to another PC from the command line:

MSG <username> /SERVER:<computername> Hello your PC is going to shutdown in 10 seconds!!!

By: JHoff
