Microsoft LAPS – The LDAP server is unavailable.

If you haven’t used Microsoft LAPS, it’s a neat feature that helps enhance domain security by setting a randomized password for each local administrator account on each domain computer/server. Gone are the days of using one password for local admin access across hundreds or thousands of endpoints.

Microsoft LAPS is not new and has been around for a few years but is a must for a properly secured domain environment. The lack of randomized local admin passwords is often an item detected on internal penetration tests.

Today, I encountered an error that I hadn’t seen before with a Microsoft LAPS deployment. I spent the better part of the afternoon trying to figure out why extending the domain schema wasn’t working.

I’ve been following this great Microsoft TechNet article on deploying LAPS, and while trying to extend the schema I was getting the following error: “The LDAP server is unavailable.”

I had confirmed that my management machine didn’t have Windows Firewall enabled, that domain replication was functional, and that LDP.exe would connect to the schema master on the required port (389).

Everything checked out. One thing I didn’t review yet was Event Viewer.

I remember in college, some of our professors would tell us that Event Viewer would be one of the most powerful tools we would ever use, if we chose to use it.

I’ve spent a considerable amount of time in my career searching through logs, exporting them and reviewing problems. Event Viewer has been an extremely valuable tool, and I’ve worked with other team members to teach them to use Event Viewer in their own troubleshooting.

Anyway, I launched Event Viewer on my management station, the one with LAPS installed and from which the schema extension was being attempted. Looking under Windows Logs –> Application, I noticed a bunch of Information events that referenced PowerShell, TCP port 389 and connections from my host IP to a DC.
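The checks described above (LDAP connectivity to the schema master, local firewall state, and then the Application log) can be scripted from the management station so they are repeatable. The following is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module is installed on the management station, and the schema master name comes from your own forest. The final `Update-AdmPwdADSchema` line is the real cmdlet from the LAPS `AdmPwd.PS` module, left commented out so the script only reports and does not change the schema.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# (RSAT) is present; the DC name is discovered from the forest rather than hard-coded.
Import-Module ActiveDirectory

# 1. The LAPS schema extension talks to the schema master, so that is the DC to test.
$schemaMaster = (Get-ADForest).SchemaMaster
$dcIp = (Resolve-DnsName -Name $schemaMaster -Type A | Select-Object -First 1).IPAddress

# 2. Plain TCP reachability on 389 - the same thing LDP.exe proves when it connects.
$tcp = Test-NetConnection -ComputerName $schemaMaster -Port 389
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP 389 to $schemaMaster ($dcIp) failed at the network layer."
}

# 3. Local Windows Firewall profile state (all were disabled in the case above).
Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize

# 4. Application log, last two hours: events that mention port 389 together with
#    either PowerShell or the DC address. These are the entries that pointed at the
#    endpoint-protection agent rather than the network.
$since  = (Get-Date).AddHours(-2)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Message -match '\b389\b' -and
        ($_.Message -match 'powershell' -or $_.Message -match [regex]::Escape($dcIp))
    }

if ($events) {
    $events |
        Select-Object TimeCreated, ProviderName, Id,
            @{ n = 'Message'; e = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } } |
        Format-Table -Wrap
} else {
    Write-Host "No Application-log events referencing port 389 since $since."
}

# 5. After the endpoint-protection team has allowed the traffic, retry the extension
#    as a member of Schema Admins (cmdlet from the LAPS AdmPwd.PS module):
# Import-Module AdmPwd.PS; Update-AdmPwdADSchema
```

The point of step 4 is that a TCP connect test succeeding (step 2) does not rule out a host-based agent interfering with a specific process: the ProviderName column tells you which product wrote the event, which is the quickest way to know whom to ask for an exception.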

This environment is using Carbon Black for its endpoint protection, and that had slipped my mind when I was initially installing LAPS.

I was able to work with our security team to allow traffic from this endpoint to the DCs so that the schema extension could occur.

After a bit of waiting, I was given the green light and tried once more.

Voila, it worked.

I wanted to share this because, after searching around, I saw references to firewalls and blocked ports but can’t recall reading anything about endpoint protection/AV causing this error.

Thanks for reading and hopefully this helps somebody in the future.

Fantastic Article regarding Domain Controller Security

I’ve recently been doing a bit of reading on corporate domain security and came across this short but detailed Microsoft article that covers some best practices.

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/securing-domain-controllers-against-attack

One interesting thing I came across, which may already be common knowledge, is the recommendation to enable BitLocker on domain controllers.

I figure if anybody is working on their homelab to build skills, you might as well start off with good practices that will follow you from the homelab to the corporate world.

The article also links to further security documents such as “Administering security policy settings”, “Avenues to Compromise” and the configuration of firewalls for AD domains and trusts.

As I continue to read through these, I wanted to share the link in case anybody else is interested in this topic.

The trouble with hacks

/rant

I want to rant. I’ve been working as an IT/sysadmin for about two years now, and there are two things that haunt me.

  1. DNS
  2. Group Policies

Now, I am always learning and I am by no means an expert at Windows systems administration. I took on more and more responsibilities that moved me out of the ‘IT Support’ role and let me grow into systems administration, and I continue to learn daily.

Now, not to get into specifics, but taking over an AD infrastructure that was neglected by hacks is terrifying. By hacks I mean people who neglect the network, who have no proper vision for documentation and structure, and who don’t understand how AD and GPOs work.

Within the IT sysadmin community, “It’s always DNS” is a common phrase and sometimes a joke. Well god damn, I can’t believe how accurate it is, or how much of a network depends on DNS.

You know what irks me? People who use crafty, stupid hostnames for critical servers, or for any server at all. Names such as “Sugar Baby”, “Super Man”, “Bat Man”, etc… you get the gist.

When you take over a network that has critical servers with naming conventions like that, it becomes very easy to shut down the wrong server or make changes in the wrong place, because the names tell you nothing about the role of the machine. Especially when nothing is documented and you are left on your own to research and investigate carefully.

Not that I’ve had that happen, but I have had a mishap with a DNS record that was named something ridiculous. The server it pointed to wasn’t even around anymore, but a critical server was still using that DNS record, mapped to an IP in its hosts file. Something I never thought to check or look into.

The other thing that annoys me is not knowing how to properly set up GPOs and push them out through AD. You do NOT need to enforce everything. Stop doing that. After spending time looking around and cleaning up GPOs, you wonder what would drive a person to just enforce everything.

Sure, enforce a critical policy that you want applied in every OU regardless of whether inheritance is blocked, but don’t enforce everything just because you are trying to push the policy out faster or believe it will guarantee that the policy reaches the clients.
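To see how much of that over-enforcement you have inherited, the GPO links of every container can be listed with their Enforced flag and compared against which OUs actually block inheritance, which is the only situation where enforcing a link changes the outcome. This is an added example, not code from the original post; it assumes the RSAT GroupPolicy and ActiveDirectory modules are installed and that it is run by an account that can read GPO links in the domain. The 50% threshold in the warning is an arbitrary value chosen for illustration.

```powershell
# Added example (not from the original post). Assumes RSAT GroupPolicy and
# ActiveDirectory modules; reports only, changes nothing.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Every container that can carry a GPO link: the domain root plus all OUs.
$domainDn = (Get-ADDomain).DistinguishedName
$targets  = @($domainDn) + (Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)

# One row per link, carrying the container's inheritance-blocking state alongside it.
$report = foreach ($t in $targets) {
    $inh = Get-GPInheritance -Target $t
    foreach ($link in $inh.GpoLinks) {
        [pscustomobject]@{
            Container     = $t
            GPO           = $link.DisplayName
            Enabled       = $link.Enabled
            Enforced      = $link.Enforced
            BlocksInherit = $inh.GpoInheritanceBlocked
        }
    }
}

$enforced = @($report | Where-Object Enforced)
$total    = @($report).Count
Write-Host "GPO links: $total, enforced: $($enforced.Count)"

# Arbitrary threshold for the example: flag domains where most links are enforced.
if ($total -gt 0 -and ($enforced.Count / $total) -gt 0.5) {
    Write-Warning "More than half of all GPO links are enforced; review whether each one really needs to override blocked inheritance."
}

Write-Host "`nEnforced links:"
$enforced | Sort-Object Container | Format-Table Container, GPO, Enabled -AutoSize

# Containers that block inheritance - enforced links only matter for these and their children.
Write-Host "`nContainers with inheritance blocked:"
$report | Where-Object BlocksInherit | Select-Object -ExpandProperty Container -Unique
```

Reading the two lists side by side makes the cleanup decision concrete: an enforced link whose target OU has no inheritance-blocking descendants is doing nothing except making the policy harder to override later, and can usually be un-enforced without changing what clients receive.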

I cannot believe that a novice admin is correcting domain-wide issues that a senior IT director of many years created.

I could spend the rest of my afternoon ranting about things I’ve come across, but that’s not the point of this post. I only wanted to get DNS and GPOs off my chest.

I suppose you will find this in any job or career. Some people take initiative, have drive, take pride in their work and do the best they can with what they have. Others will just let things fall into disarray and not bother.

/rant