Simple yet powerful Two-Tier PKI

I thought I would start the new year by learning how Git works and publishing my first project on GitHub for easier version control and sharing.

This project is my take on a Two-Tier PKI environment using Active Directory Certificate Services (ADCS).

The configuration is pretty simple. It consists of two servers, virtual or physical; one hosts the Root/Offline Certification Authority (CA) and the other the Enterprise/Subordinate CA.


The installation procedure and scripts are available on the GitHub repository.

DISCLAIMER:
This script is published on an “As Is” basis. I will not take any responsibility for any damage this script might do to your production or test server environment. Please ensure that you test this properly in a non-production environment before running or scheduling the script in a production environment.

Help section for the installation scripts below:

What is my IP with a twist

I needed a tool, preferably a PowerShell script, that could show my WAN IP address using alternate outgoing TCP ports, other than the default HTTP/S ports (80 and 443) used by websites like whatismyip.com.

The reason is that I use multiple WAN/VPN connections selected by protocol: web surfing uses one WAN/VPN connection and all other protocols use the default WAN gateway.
I use a pfSense firewall and create firewall rules where, under the advanced settings, I choose a gateway other than the default, as in the example below:

pfsense

For the tool I needed a site or service that responds on different ports. The one I found that was free, simple and listened on most ports in the TCP range (1-65535) was portquiz.net.
The decision wasn’t hard: create a PowerShell function that uses the Invoke-WebRequest cmdlet to fetch the page content and match it against keywords using regular expressions.

This is the result:

DISCLAIMER: This script is published on an “As Is” basis. I will not take any responsibility for any damage this script might do to your production or test server environment. Please ensure that you test this properly in a non-production environment before running or scheduling the script in a production environment.
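The approach described above, written out as an added example (not the author's script): Invoke-WebRequest against portquiz.net on a chosen TCP port, with the first IPv4 address in the response extracted by regular expression. The timeout value and the assumption that the page body contains the client address as a dotted quad are mine, not taken from the post.

```powershell
function Get-WanIP {
    <#
    .SYNOPSIS
    Returns the public (WAN) IPv4 address seen by portquiz.net when connecting on a given TCP port.
    #>
    [CmdletBinding()]
    param(
        # Outgoing TCP port to test; portquiz.net listens on the whole range.
        [Parameter(Mandatory)]
        [ValidateRange(1, 65535)]
        [int]$Port,

        # Seconds to wait before giving up (assumed default, not from the original post).
        [int]$TimeoutSec = 10
    )

    $uri = "http://portquiz.net:$Port"

    try {
        # -UseBasicParsing avoids the Internet Explorer dependency on older Windows PowerShell.
        $response = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec $TimeoutSec -ErrorAction Stop
    }
    catch {
        throw "No answer from $uri on TCP/$Port (blocked by firewall or policy?): $($_.Exception.Message)"
    }

    # Match the first dotted quad in the page body, validating every octet (0-255).
    $ipPattern = '\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b'
    $match = [regex]::Match($response.Content, $ipPattern)
    if (-not $match.Success) {
        throw "portquiz.net answered on TCP/$Port but no IPv4 address was found in the response."
    }

    [pscustomobject]@{
        Port  = $Port
        WanIP = $match.Value
        Uri   = $uri
    }
}

# Compare the egress address used for plain HTTP (80) with an alternate port,
# e.g. to confirm that a pfSense policy-based gateway rule is taking effect.
80, 8080 | ForEach-Object { Get-WanIP -Port $_ }
```

If the two rows show different WanIP values, traffic on those ports is leaving through different gateways, which is exactly what the pfSense rule is meant to achieve.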

Add Network Location/Drive using Powershell + Context Menu

I received a request from one of my customers who wanted a button or an application that could bypass the 255-character maximum file path length. Some inexperienced users like the file tree structure so much that they name their folders with a complete essay, which exceeds the maximum path length in a few seconds.

One way to get around the path length limit is to use mapped network drives, e.g. \\contoso.com\dfs\human_resources becomes L:\. This replaces the UNC network path with three characters instead of the 33 in the example above.

Now you may start to wonder whether this blog post is necessary: just use Group Policy Preferences (Drive Maps) to map the UNC network path and manage everything from a central location. Of course this works when you have a few network shares and the users build their file tree structure in width rather than in depth.
With our larger customers we try to use “Network Locations” via “GPP Shortcuts” instead of Drive Maps, for these reasons:

  1. Drive Maps only have a limited number of letters to use: 22 are available (A, B, C and D excluded).
  2. Some Servicedesk conversations can be misinterpreted if you use the same drive letter for two or more locations.
  3. Application/system owners may use a drive letter for file-based application search paths.
    Trust me, this is an issue with slow WAN links and when you want to change or restructure the file servers.
  4. Network Locations use shortcuts that point to a UNC path. When accessed, the shortcut resolves to the full UNC path.

Of course Network Locations have a side effect, and that is the maximum file path length issue when you have users who like to write. So I started writing this script for end users to use when they encounter long file paths.

Here is the script:


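An added example of the mapping step (my code, not the author's script): validate the UNC path, pick the first free letter from E: to Z: (A to D excluded as the post describes) and create a persistent mapping with New-PSDrive. The share name is the post's own example; the reachability check and the output object are my additions.

```powershell
function Add-NetworkDrive {
    <#
    .SYNOPSIS
    Maps a UNC path to the first free drive letter (E: to Z:) so long paths shrink to three characters.
    #>
    [CmdletBinding()]
    param(
        # Must look like \\server\share[\sub\folders]; rejects local paths and junk.
        [Parameter(Mandatory)]
        [ValidatePattern('^\\\\[^\\/:*?"<>|]+\\[^\\/:*?"<>|]+')]
        [string]$UncPath
    )

    # Letters A-D are excluded, as in the original post; the remaining 22 are candidates.
    $candidates = [char[]](69..90)   # 'E'..'Z'

    # Drive letters already in use: local volumes, existing mapped drives and PSDrives.
    $inUse = (Get-PSDrive -PSProvider FileSystem).Name | ForEach-Object { $_.ToUpper() }

    $letter = $candidates | Where-Object { $inUse -notcontains [string]$_ } | Select-Object -First 1
    if (-not $letter) {
        throw 'No free drive letter between E: and Z:.'
    }

    # Fail early with a clear message instead of creating a mapping to an unreachable share.
    if (-not (Test-Path -LiteralPath $UncPath)) {
        throw "Cannot reach '$UncPath'. Check the share name and your permissions."
    }

    # -Persist stores the mapping in the user's profile so Explorer shows it and it survives logoff;
    # -Scope Global makes it visible outside this function.
    New-PSDrive -Name $letter -PSProvider FileSystem -Root $UncPath -Persist -Scope Global -ErrorAction Stop | Out-Null

    [pscustomobject]@{
        DriveLetter = "$($letter):"
        UncPath     = $UncPath
        CharsSaved  = $UncPath.Length - 3   # characters gained in every path underneath
    }
}

# The post's example: 33 characters of UNC path become L:\ (or the first free letter).
Add-NetworkDrive -UncPath '\\contoso.com\dfs\human_resources'
```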
An issue with this script is that end users don’t use PowerShell, so I had to come up with a way for every user in the organization to bypass long file paths with their favorite tool (the computer mouse). The first thing I did was compile the script to an executable using PowerShell Studio 2016. Now that I have the .exe file I need some way for the users to run it with their mouse.

Context menu was the clear way to go.
Context Menu

The following registry settings are applied to accomplish the picture above:

One problem with the registry settings above is that they assume C: is the system drive.
These settings only apply when you right-click on a folder, as in the picture. You will not be able to right-click inside a folder to map a network drive/location.
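An added example (not the author's registry export) that registers the context-menu entry with PowerShell and addresses both points above: the executable path is resolved from the environment rather than hard-coded to C:\, and a second verb under Directory\Background makes the entry available when right-clicking inside a folder as well. The verb name, menu text and executable location are assumptions; HKCU\Software\Classes is used so no administrative rights are needed.

```powershell
param(
    # Location of the compiled script; resolved from the environment instead of a hard-coded C:\
    # so the entry also works where Windows lives on another drive. Path is assumed.
    [string]$ExePath  = (Join-Path $env:ProgramFiles 'Contoso\Add-NetworkDrive.exe'),
    [string]$MenuText = 'Map as network drive'
)

if (-not (Test-Path -LiteralPath $ExePath)) {
    throw "Executable not found at '$ExePath'."
}

# Two verbs: one for right-clicking ON a folder, one for the empty BACKGROUND inside a folder.
# Explorer substitutes %1 with the selected folder and %V with the folder being viewed.
$targets = @{
    'HKCU:\Software\Classes\Directory\shell\ContosoMapDrive'            = '%1'
    'HKCU:\Software\Classes\Directory\Background\shell\ContosoMapDrive' = '%V'
}

foreach ($verbKey in $targets.Keys) {
    $commandKey = Join-Path $verbKey 'command'

    # -Force creates the missing parent keys and leaves existing ones alone.
    New-Item -Path $commandKey -Force | Out-Null

    # Menu text and icon (index 0 of the executable's own icon resources).
    Set-ItemProperty -Path $verbKey -Name '(default)' -Value $MenuText
    Set-ItemProperty -Path $verbKey -Name 'Icon'      -Value "`"$ExePath`",0"

    # Quote both the executable and the placeholder so paths with spaces survive.
    $placeholder = $targets[$verbKey]
    Set-ItemProperty -Path $commandKey -Name '(default)' -Value "`"$ExePath`" `"$placeholder`""
}

# Show what was written so the result can be checked against the screenshot.
Get-ItemProperty -Path ($targets.Keys | ForEach-Object { Join-Path $_ 'command' })
```

Because HKEY_CLASSES_ROOT merges HKCU\Software\Classes over HKLM\Software\Classes, the same keys under HKLM would apply to every user of the machine, which is the variant an .msi deployed by GPO or ConfigMgr would normally write.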

To install the registry settings and the .exe on the users’ computers I created an .msi installer, again using PowerShell Studio 2016, so we can deploy everything with either GPO or ConfigMgr. If you are interested in the .exe or the .msi, just write back to me or create your own using the source code above.

I hope this helps someone with network locations or drive maps using PowerShell, and gives a start with context menus when right-clicking folders.

Outlook prompts for credentials with Exchange 2010 and 2013/2016 coexistence

Some time ago I stumbled upon a strange credential prompt in Outlook across an entire organization after changing the Autodiscover namespace to point to the Exchange 2016 servers.
Outlook 2010 Credential Prompt

When you search for this issue with your favorite search engine you get several hits where other administrators and users got the same error. The solutions posted in forums, blogs and articles were all different, but they all touched the same subject: Autodiscover.
So I decided to try the top solutions I found to see if any of them resolved my issue.

Our servers:
1 Exchange 2010 CAS/HUB
1 Exchange 2010 Mailbox
2 Exchange 2016 Mailbox (the Mailbox role in Exchange 2016 includes all roles except Edge)
Namespace URLs for both Exchange 2010 and Exchange 2016:
Outlook Anywhere: mail.contoso.com
OWA: https://mail.contoso.com/owa
ECP: https://mail.contoso.com/ecp
ActiveSync: https://mail.contoso.com/MicrosoftServerActiveSync
EWS: https://mail.contoso.com/EWS/Exchange.asmx
OAB: https://mail.contoso.com/oab
MAPI: https://mail.contoso.com/mapi
Autodiscover SCP: https://mail.contoso.com/Autodiscover/Autodiscover.xml
We are using an SRV record for Autodiscover instead of an A record in the external DNS zone.

New-CsOnlineSession returns (404) Not Found

Some time ago I was in the process of setting up a hybrid “Skype for Business Online” and “Lync 2013 On-prem” environment.
When it was time to activate the Lync federation with the New-CsOnlineSession cmdlet I was rejected with a (404) Not Found.

I received the following output:

VERBOSE: Determining domain to admin
VERBOSE: AdminDomain = ‘domain.onmicrosoft.com’
VERBOSE: Discovering PowerShell endpoint URI

Get-CsPowerShellEndpoint : The remote server returned an error: (404) Not Found.
At C:\Program Files\Common Files\Skype for Business Online\Modules\SkypeOnlineConnector\SkypeOnlineConnectorStartup.psm1:94 char:26
+ $targetUri = Get-CsPowerShellEndpoint -TargetDomain $adminDomain
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-CsPowerShellEndpoint], WebException
+ FullyQualifiedErrorId : System.Net.WebException,Microsoft.Rtc.Management.OnlineConnector.GetPowerShellEndpointCmdlet

The solution to this wasn’t easy to find since a 404 usually means network issues.
Office 365 support was very helpful, and after a few hours we discovered that the Skype for Business Online tenant wasn’t “Active”.
So the solution was to give a user, any user, a Skype for Business license so that the user shows up in the Skype for Business admin portal.

Monitor IIS Performance Data with Nagios / NSClient

I’ve been working on a script for our customers so we can measure the load on IIS websites more accurately using Nagios.
Currently the script only collects the performance data and outputs OK (exit code 0). In the future I will implement WARNING and CRITICAL thresholds for the performance values we need.

Example graph from a lab server.
IIS:Performance Check

Feel free to use and modify this script as you like.
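An added example of a Nagios-style IIS check (my code, not the author's script): it reads the IIS "Web Service" performance counters with Get-Counter, prints Nagios plugin output with a perfdata section for graphing, and goes beyond the post's OK-only version by applying the WARNING/CRITICAL thresholds the author planned. The counter selection and threshold values are assumptions.

```powershell
param(
    # Assumed thresholds for current connections; tune per site.
    [int]$WarnConnections = 500,
    [int]$CritConnections = 1000
)

# Counters from the "Web Service" object that ships with IIS; _Total aggregates all sites.
$counterPaths = @(
    '\Web Service(_Total)\Current Connections',
    '\Web Service(_Total)\Total Method Requests/sec',
    '\Web Service(_Total)\Bytes Total/sec'
)

try {
    $samples = (Get-Counter -Counter $counterPaths -ErrorAction Stop).CounterSamples
}
catch {
    # UNKNOWN (3): IIS not installed or counters unreadable is not a load problem.
    Write-Output "UNKNOWN - could not read IIS counters: $($_.Exception.Message)"
    exit 3
}

# Nagios perfdata: 'label'=value;warn;crit  (thresholds only on the counter we alert on).
$perf = foreach ($s in $samples) {
    $label = ($s.Path -split '\\')[-1] -replace '[^A-Za-z0-9]', '_'
    $value = [math]::Round($s.CookedValue, 2)
    if ($label -eq 'Current_Connections') {
        "'$label'=$value;$WarnConnections;$CritConnections"
    } else {
        "'$label'=$value"
    }
}

$connections = ($samples | Where-Object { $_.Path -like '*Current Connections' }).CookedValue

# The exit code decides the service state in Nagios: 0 OK, 1 WARNING, 2 CRITICAL.
switch ($connections) {
    { $_ -ge $CritConnections } { $state = 'CRITICAL'; $code = 2; break }
    { $_ -ge $WarnConnections } { $state = 'WARNING';  $code = 1; break }
    default                     { $state = 'OK';       $code = 0 }
}

Write-Output "$state - $connections current IIS connections | $($perf -join ' ')"
exit $code
```

Everything after the pipe character is parsed by Nagios as performance data, which is what produces a graph like the one above.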

First post

This blog is to share my thoughts and ideas for others where PowerShell is the main topic. I will try to use PowerShell for the discoveries where it’s possible.

For any questions or feedback regarding my posts, post a comment and I will answer as soon as possible.

A snippet from one of my first ISE-Snippets that I use.