AD Integration: 1 Forest containing 2 Domains - Run Accounts/Profiles (SCOM 2012)

Similar Messages

• Changing RunAs account in SCOM 2012R2

  For SCOM 2007R2, we had SetActionAccount.ps1 to change the RunAs account for a group of servers (from the console, via OM shell). Does anyone have a way to change the RunAs account for a group of servers in 2012R2? I'm not smart enough to hack the SetActionAccount.ps1
  for 2012R2.
  "Fear disturbs your concentration"

  Hi,
  param ([string]$newActionAccountName)
  $str=get-history | select-object -first 1
  $str=$str.commandline | out-string
  $start = $str.indexOf("-Id") + 4
  $end = $str.indexOf(" ;", $start)
  $length = $end - $start
  $context = $str.substring($start, $length)
  $Group = Get-SCOMGroup -id $context
  $mg = Get-SCOMManagementGroup
  $newActionAccount = Get-SCOMrunAsAccount -Name $newActionAccountName
  $actionAccountRunAsProfile = $mg.GetMonitoringSecureReferenceForActionAccount()
  if ($newActionAccount -eq $null -or $newActionAccount.Count -eq 0)
  throw "Action Account '$newActionAccountName' was not found."
  if ($newActionAccount.Count -gt 1)
  throw "More than one action account was found with the same names as '$newActionAccountName'."
  $ComputerGroup=$Group.GetRelatedMonitoringObjects().DisplayName
  $healthServices=Get-SCOMClassInstance -Class (Get-SCOMClass -Name "Microsoft.SystemCenter.HealthService") | ? {$ComputerGroup -eq $_.displayname}
  $secureDataHSRefs = $mg.GetMonitoringSecureDataHealthServiceReferenceBySecureReferenceId($actionAccountRunAsProfile.Id) |
  where {$healthServices -contains $mg.GetPartialMonitoringObject($_.healthServiceId)}
  foreach($secureDataHSRef in $secureDataHSRefs)
  $healthService = $mg.GetMonitoringObject($secureDataHSRef.HealthServiceId)
  $currentActionAccount = $mg.GetMonitoringSecureData($secureDataHSRef.MonitoringSecureDataId)
  "Computer: '" + $healthService.DisplayName + "' ...changing action account" + "'`n From: '" + $currentActionAccount.Name + "'`n To : '" +
  $newActionAccountName + "'"
  $secureDataHSRef.MonitoringSecureDataId = $newActionAccount.Id
  $secureDataHSRef.Update()

• Forest and domain functional level Windows Server 2012 R2 - what's new?

  Hi, I still can't find documentation about the new domain and forest functional levels in WS 2012 R2.
  a) "What's New in Active Directory in Windows Server 2012 R2"
  http://technet.microsoft.com/en-us/library/dn268294.aspx
  No word about it.
  b) "Understanding Domain and Forest Functional Levels"
  http://technet.microsoft.com/en-us/library/cc771294.aspx
  Still WS 2012.
  Thorsten

  For what's New in Active Directory in windows server 2012 R2,
  Read the following Blog
  http://policelli.com/blog/archive/2013/06/27/whats-new-in-active-directory-in-windows-server-2012-r2-preview/
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer".

• Again - Active Directory Management Pack - AD MP - SCOM 2012R2 - AD 2012R2 - Action / RunAs Account permissions

  Hi,
  after reading many Posts and Blogs i came to the conclusion that it is still unclear to me what is needed to Monitor Active Directory successfully and what is the securest way configuring the RunAs or Action Account. I hope the experts here can make a clear
  Statement to answer the question for all time ;-)
  1. Action Account:
  Here is described what permissions and rights are needed to use a low-privileged account:
  https://technet.microsoft.com/en-us/library/hh212808.aspx
  Now you might say: that was asked and answered so many times..you are right, but the answer was from run as "local System" to "you Need local admin". So also the AD MP documentation still says you Need a local Admin account.
  here are other references which says you Need local admin rights:
  http://micloud.azurewebsites.net//2014/02/26/scom-agent-grayed-out-when-trying-to-monitor-domain-controllers/
  Even Kevin Holman says here
  https://social.technet.microsoft.com/Forums/systemcenter/en-US/2a0e5a2b-a3d9-42d4-8474-9f690007caa0/opsmgrlatency-cn-gets-auto-created-in-domain-not-configuration:
  "Basically - if your domain controllers are running as local system default agent action account, in most cases you will not need to ever set up any replication monitoring run-as accounts.... as local system on a DC has all the rights necessary. 
  (in most cases).
  "Simple questions: Is this really enought to Monitor every aspect of an ActiveDirectory Domain and Domain Controller using a low privilege account the the permissions in the article? Or is using local System better? Is there a difference when
  using SCOM2012R2 with the new Agent? Most documentation referes to SCOM2007(except the replication Monitoring where it is clear that other permissions are needed:
  http://blogs.technet.com/b/jimmyharper/archive/2009/05/20/configuring-or-disabling-replication-monitoring-in-the-active-directory-management-pack.aspx )

  The MP guide is not really clear about it. The only thing they are clear about is whenever you want to use client monitoring. In those situations low privileged will not work.
  For each of the client-side monitoring scripts to run successfully, the
  Action Account must be a member of the Administrators group on both the computer
  on which the client management pack is running and the domain controller that is being monitored. The
  Action Account must also be a member of the
  Operations Manager Administrators group, which is configured through the Operations console in so that all the scripts that are configured on the Root Management Server can run properly
  Both a local system and domain admin are a risk. If someone loads a malicious management pack that makes changes to the AD services you are screwed. The local system has unrestricted access to local resources including domain services.
  The only reason I don't want a domain admin account in SCOM is that you have an additional layer where the password potentially could be retrieved. That's not the case with a local system account. But the risks are the same.
  See: https://msdn.microsoft.com/en-us/library/ms677973%28v=vs.85%29.aspx
  But this not an answer to your question. :-)

• Alert summary MP run as account profile in multiple domains

  Hi,
  I have a general question about run as account profiles and targeting of objects.    We have an Alert Summary MP account that uses the scom action account.   The target is all objects.   the Runas account used is a domain
  account in domain XYZ.  When targeting all objects, it tries to run on domain ABC and caused an alert.
  How can I specifically configure the profile to use account  XYZ\accountname for objects in XYZ domain and then ABC\accountname in the ABC account.
  Thanks Lance

  1) Create Group XYZ contains all objects in domain XYZ
  2) Create Group ABC contains all objects in domain ABC 
  3) Create two runas account, ones in domain XYZ(XYZSCOMActioAccount) and the others in domain ABC(ABCSCOMActioAccount)
  4) In the account profiles, add two runas as account, ones with account XYZSCOMActioAccount and target group XYZ and the others with account ABCSCOMActioAccount and target group ABC
  Roger

• I am running 4 ipod classica through one computer and one itunes account/profile.  The ipods belong to me, husband and 2 kids.  How can the kids now get their own accounts but keep the stuff I have already downloaded for them?  They have their own laptops

  I am currently running 4 ipod classics through my own account/profile on itunes.  They belong to me, my husband and 2 kids. 
  The kids are getting older now and have their own laptops.  I would like them to have their own itunes accounts as they will be away from home much of the time and will want to make their own puchases. 
  How can I set them up so that they are independent from my account, but not lose the content that I have downloaded for them over the years?  (A lot of content).

  You and your husband can share a store account and still have seperate iCloud accounts for your contacts, bookmarks and stuff like that.  Click here for instructions to make an apple account without entering a credit card.  Make sure you use a different email address for each apple account. 
  Set up your iPhone/iPad whatever using the new account for iCloud.  Then go into settings/store and sign in with your purchasing account, you may need to sign out of the other account.  To the best of my knowledge, your household is allowed to share purchased legally, someone please correct me if I'm wrong.
  Once you each have your own devices set to your own accounts you can set them to backup to that account and it will keep all your contacts seperate.

• SharePoint farm - SQL Server - MSSQLSERVER service is running as "Local System" - Can I change it to Domain User account?

  Hi there,
  In my SharePoint 2010 farm - on the SQL Server:
  The MSSQLSERVER service is running under Local System.
  1. Can I change it to run as a normal Domain User account?
  2. Does it need any extra privileges?
  3. Is it a safe thing to do?
  Brief description will be very useful.
  Thanks so much.

  You need to create Service account with password never expire option+ User never change password
  Then you need to go through below recommendation from Microsoft
  Security Considerations for a SQL Server Installation
  Planning for Services, Accounts, and Connections
  Hope you got starting point
  Please 'propose as answer' if it helped you, also 'vote helpful' if you like this reply.

• "Administrator" Domain Admin account is loggen in on temporary profile.

  Good day,
  I have an issue on logging in on my "Administrator" domain admin account on windows server 2008r2. I noticed it because my wallpaper, and desktop shortcuts are different from what I set before. Also, I checked the path for my docs and noticed
  that it's no longer pointing where it has should be.
  I attached pictures for more details of my problem.
  akosijesyang - the conqueror

  Hi,
  Checkout the below thread for similar discussion,
  http://social.technet.microsoft.com/Forums/en-US/43c7c956-7f15-4e51-bf99-f775cd2fb5e9/windows-server-2008-r2-temporary-profile-for-admin-account?forum=winservergen
  Regards,
  Gopi
  JiJi
  Technologies

• The Health Service could not log on the RunAs account ...event ID 7000 Health Service

  Hello everyone,
  While using the Web Application Transaction Monitoring to monitor certain websites using specific credentials, this Event 7000 occures on the Watcher Nodes which happen to be also Management Servers.
  Here are the details:
  The Run As Accounts used are Windows account types.
  They have been tested on the websites and are correct.
  In the Distribution the More Secure option is selected but no object is present. They are used only for web monitoring.
  The Web Application in WATM is using NTLM as the authentication method.
  In Monitoring, the web application appears healthy as it is working properly and is being correctly monitored.
  In Profiles there is a User Authentication Action Account profile created automatically and has the Run As Account. It is scoped to the management server which is also the watcher node for the web application.
  The problem:
  On the management server acting as a Watcher Node for the web application, in the OpsMgr log the event ID 7000 is recorded, causing a trigger for a monitor that changes the health of the Management Server to Warning. The monitor should automaticaly resolve
  when all Run As Accounts are validated.
  Any ideeas on how to resolve this issue without overriding the monitor?
  Thanks,
  Marius 
  http://mariusene.wordpress.com/

  The SCOM Run As Account wizard does not allow me to specify the basic/simple/digest type account in the form domain\username. I belive the website uses Windows integrated (NTLM) authentication so there is no workaround but to create a Windows
  Account type in SCOM.
  I just dont want the Health Service to try to validate the run as account locally on the watcher node because its in a different domain.
  I suppose in this case a disable of the monitor for those watcher nodes is the only solution?
  http://mariusene.wordpress.com/

• SharePoint 2010 MP - override ConnectionString to content/config databases - how to set RunAs account?

  Hi, I experienced the Data Source Could Not Be Initialized issue with the SharePoint Database Monitor.
  From the suggested related topic, I tried to override the ConnectionString for each of the database. Example as below
  Provider=SQLOLEDB;Server=server1;Database=database1;Integrated Security=SSPI
  server1 is a active-passive cluster for failover. And now I got the error message "Login Failed for user domain\momaccount. I expect the default SharePoint monitor account will be used instead of MOM service account.
  Is it possible to override the RunAs account to use the SharePoint credential that's already created for others MOSS monitoring?
  Thanks.
  SonicWave

  Hi Sonic, This thread has been open for some time without any replies. Is it still current or has it been answered already? In which case we could close the thread.
  Have you ran through the sharepoint management pack guides and set sharepoint monitoring runas account to the right profiles?
  Bob Cornelissen - BICTT (My BICTT Blog) - Microsoft Community Contributor 2011 Recipient

• "Unable to check revocation" error while checking CDP from non-domain user account

  Hi!
  I use 3-tier PKI infrastructure:
  Stand-alone offline Root CA: RootCA;
  Stand-alone offline Intermediate subordinate CA: SubCA;
  Enterprise CA: EntSubCA.
  In certificate we have three CDP point for CRL check:
  ldap:///, http:// and file://
  I have Windows 2008 R2 server joined to domain.
  I use command certutil –verify –urlfetch <filename.cer> >check.txt for revocation checking of certificate.
  When I use domain user account for revocation checking, all OK.
  I have access to any CDP and all fine.
  But when i use local server user account, I haven't access to ldap:/// and process failed although all other links is OK.
  My question is "why check fail with non-domain user accout while other CDP point succesfully verifed"?
  Here is the logfile from local user:
  Issuer:
  CN=EntSubCA
  DC=DED
  DC=ROOT
  Subject:
  CN=servername.domain_name
  Cert Serial Number: 5a896145000300006ee2
  dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
  dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
  dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
  dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
  dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
  ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
  HCCE_LOCAL_MACHINE
  CERT_CHAIN_POLICY_BASE
  -------- CERT_CHAIN_CONTEXT --------
  ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ChainContext.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
  SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  SimpleChain.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
  CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=EntSubCA, DC=DED, DC=ROOT
  NotBefore: 05.02.2015 20:03
  NotAfter: 05.02.2016 20:03
  Subject: CN=servername.domain_name
  Serial: 5a896145000300006ee2
  SubjectAltName: DNS Name=servername.domain_name
  Template: Machine
  70 e4 6b 16 05 a1 62 e3 6d 24 96 ff 44 74 ee a2 3e ce df 18
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ---------------- Certificate AIA ----------------
  Failed "AIA" Time: 0
  Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
  ldap:///CN=EntSubCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?cACertificate?base?objectClass=certificationAuthority
  Verified "Certificate (0)" Time: 0
  [1.0] file://\\ca\crl\EntSubCA.crt
  Verified "Certificate (0)" Time: 4
  [2.0] http://webserver/crl/EntSubCA.crt
  ---------------- Certificate CDP ----------------
  Failed "CDP" Time: 0
  Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
  ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Verified "Base CRL (018d)" Time: 0
  [1.0] file://\\ca\crl\EntSubCA.crl
  Failed "CDP" Time: 0
  Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
  [1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
  Old Base CRL "Delta CRL (018d)" Time: 0
  [1.0.1] file://\\ca\crl\EntSubCA.crl
  Old Base CRL "Delta CRL (018d)" Time: 4
  [1.0.2] http://webserver/crl/EntSubCA.crl
  Verified "Base CRL (018d)" Time: 4
  [2.0] http://webserver/crl/EntSubCA.crl
  Failed "CDP" Time: 0
  Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
  [2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
  Old Base CRL "Delta CRL (018d)" Time: 0
  [2.0.1] file://\\ca\crl\EntSubCA.crl
  Old Base CRL "Delta CRL (018d)" Time: 4
  [2.0.2] http://webserver/crl/EntSubCA.crl
  ---------------- Base CRL CDP ----------------
  Failed "CDP" Time: 0
  Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
  ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
  OK "Base CRL (018d)" Time: 0
  [1.0] file://\\ca\crl\EntSubCA.crl
  Failed "CDP" Time: 0
  Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
  [1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
  Old Base CRL "Delta CRL (018d)" Time: 0
  [1.0.1] file://\\ca\crl\EntSubCA.crl
  Old Base CRL "Delta CRL (018d)" Time: 4
  [1.0.2] http://webserver/crl/EntSubCA.crl
  OK "Base CRL (018d)" Time: 4
  [2.0] http://webserver/crl/EntSubCA.crl
  Failed "CDP" Time: 0
  Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
  [2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
  Old Base CRL "Delta CRL (018d)" Time: 0
  [2.0.1] file://\\ca\crl\EntSubCA.crl
  Old Base CRL "Delta CRL (018d)" Time: 4
  [2.0.2] http://webserver/crl/EntSubCA.crl
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
  CRL 018d:
  Issuer: CN=EntSubCA, DC=DED, DC=ROOT
  33 af 4d be 0e 35 45 94 bc 8b 3f d9 c1 60 e7 0c c4 83 17 b6
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
  CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=SubCA
  NotBefore: 13.11.2014 19:12
  NotAfter: 13.11.2017 19:22
  Subject: CN=EntSubCA, DC=DED, DC=ROOT
  Serial: 6109015b000100000008
  Template: SubCA
  9b 04 17 9f c5 fe 52 ca a5 58 49 6c c6 18 fa db 13 b3 92 9e
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- Certificate AIA ----------------
  Failed "AIA" Time: 0
  Error retrieving URL: The network path was not found. 0x80070035 (WIN32: 53)
  file://\\sub_ca\CertEnroll\sub_ca_SubCA(1).crt
  Verified "Certificate (0)" Time: 0
  [1.0] file://\\ca\crl\SubCA.crt
  Verified "Certificate (0)" Time: 4
  [2.0] http://webserver/crl/SubCA.crt
  ---------------- Certificate CDP ----------------
  Verified "Base CRL (32)" Time: 0
  [0.0] file://\\ca\crl\SubCA.crl
  Verified "Base CRL (32)" Time: 4
  [1.0] http://webserver/crl/SubCA.crl
  ---------------- Base CRL CDP ----------------
  No URLs "None" Time: 0
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
  CRL 32:
  Issuer: CN=SubCA
  8d a9 9d 51 65 a3 8e 77 02 22 40 57 62 70 e8 f6 c5 2e 60 1e
  CertContext[0][2]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=RootCA
  NotBefore: 28.05.2008 12:09
  NotAfter: 28.05.2058 12:19
  Subject: CN=SubCA
  Serial: 616bd19f000100000004
  Template: SubCA
  06 d2 47 e7 dc 8f a7 97 a2 b8 c3 92 03 19 24 0c 47 45 22 14
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- Certificate AIA ----------------
  Verified "Certificate (0)" Time: 0
  [0.0] file://\\ca\crl\RootCA.crt
  Verified "Certificate (0)" Time: 4
  [1.0] http://webserver/crl/RootCA.crt
  ---------------- Certificate CDP ----------------
  Verified "Base CRL (1c)" Time: 4
  [0.0] http://webserver/crl/RootCA.crl
  Verified "Base CRL (1c)" Time: 0
  [1.0] file://\\ca\crl\RootCA.crl
  ---------------- Base CRL CDP ----------------
  No URLs "None" Time: 0
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
  CRL 1c:
  Issuer: CN=RootCA
  dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
  CertContext[0][3]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=RootCA
  NotBefore: 27.05.2008 16:10
  NotAfter: 27.05.2110 16:20
  Subject: CN=RootCA
  Serial: 258de6fbd3bbab92460530e9e9f10536
  5d e4 56 38 13 0a 52 aa 66 51 25 61 19 33 c9 d7 a2 c7 dd 38
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- Certificate AIA ----------------
  Verified "Certificate (0)" Time: 0
  [0.0] file://\\ca\crl\RootCA.crt
  Verified "Certificate (0)" Time: 4
  [1.0] http://webserver/crl/RootCA.crt
  ---------------- Certificate CDP ----------------
  Verified "Base CRL (1c)" Time: 0
  [0.0] file://\\ca\crl\RootCA.crl
  Verified "Base CRL (1c)" Time: 4
  [1.0] http://webserver/crl/RootCA.crl
  ---------------- Base CRL CDP ----------------
  No URLs "None" Time: 0
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
  CRL 1c:
  Issuer: CN=RootCA
  dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
  Issuance[0] = 1.2.700.113556.1.4.7000.233.28688.7.167403.1102261.1593578.2302197.1
  Exclude leaf cert:
  5b 8d 96 39 f8 a3 6f af f3 89 bc 8d 78 e2 da 53 21 b8 ff aa
  Full chain:
  ca 99 30 47 9b ad ab ce 97 cc 70 80 a5 4e 11 b3 1a 83 98 78
  Verified Issuance Policies: None
  Verified Application Policies:
  1.3.6.1.5.5.7.3.2 Client Authentication
  1.3.6.1.5.5.7.3.1 Server Authentication
  ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
  CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
  CertUtil: -verify command completed successfully.

  What you have discovered is the reason to *not* use LDAP URLs for CDP and AIA extensions in your PKI. To access those URLs, the account must access to the URLs. In your output, it is quite clear that the local account does not have necessary permissions
  (you also use FILE URLs for publication, which again is not recommended).
  The best practice is to use a single URL for the CDP extension. It should be an HTTP URL that is hosted on a highly available (internally and externally accessible) Web cluster.
  For the AIA extension, it should contain two URLs: one for the CA certificate - again to an internally and externally accessible, highly available Web cluster and one for the OCSP service - also
  an internally and externally accessible, highly available Web cluster.
  the other issue is that the root CA is *not* trusted when run by a non-domain account. How are you adding the trusted root CA. It is recommended to do this by running
  certutil -dspublish -f RootCA.crt.
  This will ensure that the computer account trusts the root CA. In your output, the root CA certificate is not trusted.
  Brian

• Software always installs to Domain Admin account on connected PC-cant install to Domain User account

  I have completed the following steps:
  Set up Windows Server 2012 R2 Essentials successfully
  Successfully connected a Windows 8.1 Pro PC to the network by running the Essentials Connector software
  The PC has the following users: Original local account created when I installed Windows 8, Domain Admin account created when I ran the Essentials Connector account, Domain User created after PC was connected to the network.
  Everything seems to be working fine. I have installed MS Office 365 Pro, Skype, various other applications while logged in as the Domain User. Every one of these installs triggered a UAC prompt, which was expected, and after entering the Domain Admin
  credentials the install proceeded successfully. After install, the software was available to the Domain User, shortcuts appeared in the Start Menu or Desktop, appropriate directories were created in the Documents folder.
  All except for 3 applications - upon being prompted for permission to install, I enter the Domain Admin credentials, installation proceeds, but the software is installed to the Domain Admin account-not the Domain User account. Shortcuts appear on the Domain
  Admin desktop-Not the Domain User account, etc. I've tried:
  Downloading a new copy of the software to the Domain User desktop & running it from there
  Right-click file, Install as Admin
  click file, Install as a different user
  Right clicking file, Properties>Compatibility & changing compatibility settings
  Right clicking file, Properties>Compatibility>Run as Administrator
  None of these options have changed the result, the software is still installed to the Domian Admin account as opposed to the Domain User account. Any idea why these 3 software wont install correctly but everything else has? Any suggestions as to how to install
  the software to the profile that doesn't involve making the Domain User an Administrator? Thanks for any help!

  Hi voltron5,
  Many programs may provide options: "install for everyone" or "just for current user", when you install them.
  Please check if there are such options during the installation process.
  If those three programs are all third-party applications. I suggest you should contact with the corresponding
  support and confirm this.
  If those three programs are Microsoft applications, would you please let me know specific information of those
  three applications? Such as their names and so on. Meanwhile, when complete the installation, please check the software path was added in administrator environment variables or system environment variables.
  Hope this helps.
  Best regards,
  Justin Gu

• AD FS in Forest Root Domain

  I have a AD FS 2.0 server (Server 2012) in my forest root domain. My user domain is a child domain within that forest. I am unable to find any documentation that tells me if I need to do any further configuration to have it authenticate users from the child
  domain or if that should just magically happen because of the Parent Child trust relationship.
  Upon rebuilding the server again and making sure that the server name and the pool name were diffrent so I could create the proper SPN entries, I am now unable to access my server using any of the AD FS urls'. It will prompt me for my credentials 3 times
  and then tell me I am not Authorized. I have been searching on the web but have been unable to find the solutionsI have made DNS changes, added http SPN entries. Changed the Authentication settings on IIS... I am stuck. Any help would be great.

  I have been using the "AD FS 2.0 Step-by-Step Guide: Federation with Shibboleth 2 and the InCommon Federation".
  I am trying to federate with a diffrent organization where I am the IP and I have no control over the SAML 2.0 side... That being said, I changed my DNS and now I can get to my server using the IDPInitiatedlogon URL. When I run
  through the URL that bounces me between the other organization and then back to my AD FS server.... I get stuck in a loop where it asks me for credentials 3 times and then tells me I am "Not Authorized"
  Here is a bit of the fiddler trace:
  <a href="https:///adfs/ls/?wtrealm=urn:ca:bc:gov:sfs&wa=wsignin1.0&whr=https://<my-org-adfs>/adfs/services/trust">https://<other-org-adfs>/adfs/ls/?wtrealm=urn:ca:bc:gov:sfs&wa=wsignin1.0&whr=https://<my-org-adfs>/adfs/services/trust
  http://<my-org-adfs>:443
  http://<my-org-adfs>:443
  http://<my-org-adfs>:443
  https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  http://<my-org-adfs>:443
  https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
  http://<my-org-adfs>:443
  It seems to be stuck looping between /adfs/ls and /adfs/ls/auth/integrated . It then times out and gives me the error in the browser.

• Forest root domain displayed as network label, rather than child domain

  Following on from this post (which I stupidly contributed to without realising it's a gaziillion years old):
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/44cab27b-e2ef-4496-bfa7-add7ac014401/server-2008-and-windows-7-detect-their-domain-incorrectly-why?forum=winserverPN&prof=required
  I run a DMZ child domain which is pretty tightly locked-down, and the display name when you hover over the NIC shows the network as the forest root domain. None of the answers in the above thread state why this should be the case clearly, and a vague response
  from support saying that 'Product Group' (which one?!) have been asked for feedback was never followed up on.
  Since I can't open LDAP directly between my DMZ machines and the forest root PDC, and therefore can't even generate a profile to copy into a registry key & deploy either by GPO or batch file, I'm SOL finding a solution to this - but would at least like
  a viable explanation for the behaviour, as opposed to 'it's by design'

  Can I ask if something is not working correctly because of this?  The display of the connected network does not affect communication or how DNS will resolve.  Are you chasing this down because you don't like the display, or is there an outage?
  Thanks!
  - Chris Ream -
  **Remember, if you find a post that is helpful, or is the answer, please mark it appropriately.**

• Workflow Manager 1.0 configuration- Specified RunAs account is invalid

  Hello - I am trying to install and configure Workflow manager 1.0. As part of workflow manager configuration specifying the user id in
  Configure Service Account  section throwing error as "Specified RunAs account is invalid".
  I tried different ways and means suggested in forums and KBs - but I think it is unable to validate the user in Active Directory. Our Active Directory is AD 2003 functional level and wondering it has any issues with Workflow manager 1.0?
  Here are the environment details:
  WF Machine: Windows Server 2008 R2 SP1
  AD: Active Directory 2003
  Workflow Manager 1.0 installed and also applied the below latest workflow and service bus hotfixes.
  http://support.microsoft.com/kb/2799754; 
  http://support.microsoft.com/kb/2799752
  Also moved the service account to the default OU=Users container in AD as specified in below forum but no luck.
  http://social.msdn.microsoft.com/Forums/en-US/servbus/thread/3d803e15-606a-4f06-96fe-97c23ad3c01a
  I am not sure where the issue is wondering if any one has run into similar issue. Appreciate any feedback.

  Thanks for your response.
  No it still didnt work, we right clicked the users OU, provided read permissions on it directly not from any groups. as well as for computers OU.
  For me it is not showing invalid user, but wizard crashes as soon as we enter the service account details in the wizard. may be since the solution you are providing is not working for me.
  http://social.technet.microsoft.com/Forums/office/en-US/d70662fc-8e10-4862-975d-e441bf9c32f0/what-permission-does-the-service-account-requires-on-ad-for-the-workflow-manager-10-to-be?forum=sharepointadmin
  However we had one other test account which has full control on many areas is able to pass thru in this wizard with out crashing.
  We arent able to get the same permissions applied for prod account as it isnt right to simply take elevated permissions full control on AD Objects.
  Windows/AD team is looking for specific permission which this workflow manager requires to provide access.
  I dont see this documented with microsoft Either.
  SQL DB creation ability, Domain Account, Farm admin - is the criteria i believe.