Change default key size on non Domain joined CA.
Hello,
I have one standalone non domain joined CA, and I would like to change the default key size of all issued certs to 2048. Since it is a standalone, there are no AD templates to modify. Can this be changed in the registry?
Shawn
CAPolicy.inf is the way to go.
See the following thread
http://social.technet.microsoft.com/Forums/windowsserver/en-US/ce001d8f-c722-4429-83cb-328b92876292/how-to-change-root-certificate-keys-length-and-validity-period?forum=winserversecurity
Hth, Anders Janson Enfo Zipper
Similar Messages
-
DNS working intermittently for non-domain joined machines
I have a small single Server 2012 based network, with about 90% windows clients. DNS is running on the Windows Server 2008 machine, but DHCP is provided via a unix based firewall machine. Within the DNS configuration I have all of my windows
clients (mostly Windows 8.x clients, but there are a few Windows 7 ones as well) and a few *nix ones as well. All of the Windows clients are domain joined, except for one machine which is currently running Windows 10 preview, though it was a Windows
7 machine originally. In the DNS configuration I have a number of statically entered A records, used to give my *nix machines a name on the local network.
When trying to access systems by name (via ping or by other services), there is a very consistent behavior - my domain joined machines are able to resolve all names 100% of the time without any issues. However, the non-domain joined machines, both
Windows and not, are consistently inconsistent. To be more precise, when I try to resolve a name it will randomly work and randomly not. IP setup and configuration looks correct, meaning they have valid IP, DNS is set to my Windows Server,
default gateway, etc. are all correct. Pinging external machines (ie google.com, etc.) works 100% of the time, but trying to ping any internal machine is a total crap shoot. The only exception to this is the Windows Server 2012 machine itself,
which always works.
From past experience I know that the moment I join a machine to the domain all of the DNS issues go away, which is fine for the Windows boxes but not so much for the rest. I also have visitors occasionally come by, who I cannot expect to join my
domain just to make things work normally.
This network originally started life out as Windows Server 2003 domain, but was upgraded to 2012 about two months ago. I have been seeing this problem for years, but have always assumed it to be a Server 2003 issue and figured it would go away when
I upgraded. Nope...
Any ideas as to the cause of this and what I can do about it?
Thanks,
peter
It's really weird - I can ping an address and not have it work, then do an NSLookup of the same address against my DNS server and it resolves just fine. Take a look at this screen copy below:
C:\Users\Peter>ping apollo.bakonet.local
Ping request could not find host apollo.bakonet.local. Please check the name and try again.
C:\Users\Peter>nslookup apollo.bakonet.local 192.168.124.9
Server: orac.bakonet.local
Address: 192.168.124.9
Name: apollo.bakonet.local
Address: 192.168.124.27
C:\Users\Peter>ping apollo.bakonet.local
Ping request could not find host apollo.bakonet.local. Please check the name and try again.
C:\Users\Peter>ipconfig /all |more
Windows IP Configuration
Host Name . . . . . . . . . . . . : Win10
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : bakonet.local
Ethernet adapter Ethernet:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
Physical Address. . . . . . . . . : 00-21-CC-65-1B-8F
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Wireless LAN adapter Local Area Connection* 3:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
Physical Address. . . . . . . . . : A0-88-B4-A2-41-81
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Wireless LAN adapter Wi-Fi:
Connection-specific DNS Suffix . : bakonet.local
Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6205
Physical Address. . . . . . . . . : A0-88-B4-A2-41-80
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::fc47:8a91:6b25:bd0e%2(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.124.64(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, January 5, 2015 7:34:47 PM
Lease Expires . . . . . . . . . . : Tuesday, February 3, 2015 7:15:20 PM
Default Gateway . . . . . . . . . : 192.168.124.1
DHCP Server . . . . . . . . . . . : 192.168.124.1
DHCPv6 IAID . . . . . . . . . . . : 60852404
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-C6-18-82-00-21-CC-65-1B-8F
DNS Servers . . . . . . . . . . . : 192.168.124.9
24.229.54.212
216.144.187.199
Primary WINS Server . . . . . . . : 192.168.124.9
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Bluetooth Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
Physical Address. . . . . . . . . : EC-55-F9-F5-14-76
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Does this actually make sense? Obviously the DNS server is online, it works and when a lookup is requested directly it works, and the DNS server is listed as first in the IP configuration. So why would it not work?! -
Non-Domain joined clients connect to server initially but cannot connect via Launchpad
Running SBS 2011 Essentials in a small office. Running XP/Vista/7 clients. All working fine until we swapped routers. Old router died, new router was installed.
Now all domain-joined PC's connect as normal, but all NON-Domain-Joined PC's cannot access the server via the launchpad. I get the "The server appears to be offline. Do you want to sign in to offline mode?" box.
Tried removing PC from the SBS Dashboard, uninstalling the connector from the client, restarting client, and reinstalling the connector. I can install the connector (using
http://<server ip>/connect , but not http://<servername>/connect
). Connector installs but it still tells me the server is offline when trying to use dashboard or launchpad on the client.
Note: I can add a network location or map a network drive to the server after inputting my network password from Windows.
Any Services to check? Firewalls exceptions to ensure? Advice?
EDIT: Dashboard on Server shows Client, sometimes as online, sometimes as offline.
Sounds like name resolution issue to me.
Are all your clients set to use the IP of the Essentials Server for their primary DNS?
Robert Pearman SBS MVP
itauthority.co.uk -
Non domain-joined Clients (CES/CEP)
Hello Everyone!
This is my first post to the security forum and it is not an overly familiar tech for me so please be gentle. :)
I am looking at building a lab to test a web based application for a client. The client has very stringent security requirements and as such have mandated the need for both the web server to be secured using SSL certs and requires the connecting
users to have a certificate. The infrastructure will be hosted in a central DC in its own AD forest whilst the users connecting in will have their own AD as they work for different companies. Each user will have an AD account within the hosted
environment. My initial thought was to provide public certs for the web servers but my problem was providing certificates to the clients. Clearly using public certs would be very expensive. After a bit of research I stumbled across the following:
http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx
What I am trying to understand is, will the combination of Certificate services & CES/CEP effectively do away with the need for public certs in this instance? Can I simply use the internal authority to publish certificates to the web server and
to the end users?
Yes - I think this is one of the scenarios CES/CEP have been developed for.
End users would have to trust your internal CA and validate the chain, so intermediate CAs should be found via AIA URLs. But since you need user - not computer - certificates this is simpler than described in the article as users do not need to be local
admins to import a root. (But on principle the admin of a user's home AD could restrict this though I have never encountered that.)
You would need to publish the CES/CEP services via a reverse proxy and external users would have to configure the enrollment HTTP URLs and enter their AD credentials in the hosted AD when connecting.
As users have imported your CA certificate they will also trust the web server's certificate issued from the same CA.
Elke -
Problems connecting a non-domain joined outlook to exchange
Hello,
I'm having issues configuring Outlook (be it 2007, 2010 or 2013, all fail the same) on non-domain joined computers in the LAN to an Exchange 2013 server.
I select manual config, in server we put "mail.domain.local" and user "domain\user" and it bounces with "cannot complete action, the connection to exchange is not available, outlook must be online".
We tried with external full email address, nothing
tried setting the outlook anywhere proxy, same, tried using ip address, same
it simply refuses to configure.
Any ideas?
Hi,
Generally, the external non-domain joined computers can connect to Exchange 2013 by using Outlook Anywhere and the Autodiscover service to auto-setup the Exchange account.
If the auto-setup for Exchange account fails, please check the Autodiscover service and Outlook Anywhere configuration by the following command:
Get-OutlookAnywhere | FL
Directly access the following URL in IE respectively, and check whether an Error 600 returns:
Https://autodiscover.domain.com/autodiscover/autodiscover.xml
Https://mail.domain.com/autodiscover/autodiscover.xml
Please make sure the ExternalHostName parameter for Outlook Anywhere is configured to your external namespace for Exchange 2013 (for example: mail.domain.com).
In Exchange certificate, please make sure the namespace mail.domain.com is included in your trusted certificate which is assigned with IIS service.
For manual Exchange account setup, please run the following command to get the mailbox GUID for server name configuration:
Get-Mailbox UserA | FL Identity,ExchangeGuid
Then go to Control Panel > Mail to configure the Outlook profile. In Server Settings, import the [email protected] into the Server box and click Check Name to have a try.
Regards,
Winnie Liang
TechNet Community Support -
Problem changing default key bindings using Oracle Terminal
Hello,
I'm facing a problem changing default key bindings using Oracle Terminal. I changed
some bindings, saved them in forms60/fmrusw.res, started the generation and saved again.
I thought that's it but it wasn't. It took no effect at all in Forms (even after recompilation) although reopening the file in Terminal showed the changes. I'm using Forms in German, which means that even the key bindings displayed in Forms are translated, i.e. STRG+F1 instead of CTRL+F1,
but I can't find a German version of this resource file, so I think it's the same resource file for all supported languages. But what is needed for the changes to take effect?
Thanks in advance
STD
Hi,
is it client/server you are working?
if so you should not be using the fmrusw.res file because I guess your NLS_LANG is German_Germany.WE8ISO8859P1 or something like that. This means the terminal that is being opened is fmrdw.res instead of fmrusw.res and this file should be edited using Oracle Terminal.
If you are working via the web implementation then you can open the file fmrweb.res in a text editor and change the keybindings in there. If you need to have the PC like key bindings on the web just open the fmrpcweb.res and see if it contains the German texts. If so you can either copy this file over the frmweb.res file or you can specify term=fmrpcweb.res in the serverargs parameter.
Hope this helps.
Kind regards,
Frank van der Borden
Oracle Support Services
Netherlands -
Create a certificate for non domain-joined PCs
We have a standard AD domain with a CA and SharePoint/Exchange servers, hosted internally and externally with TMG 2010 as our firewall. For the external hosting, we have an external certificate from one of the main certificate providers. Internally, our domain-joined
PCs look to the CA to get their trusted certificate from.
This is the issue I am encountering:
Our external users (the ones whose PC is not joined to our domain) are fine when they access our SharePoint and Exchange services externally.
However, when they are connected via VPN, they receive a certificate error and when I look in Certificate > Certification path, I can see that it says:
"DOMAIN NAME" Issuing CA1 > "NAME OF SHAREPOINT WEBSITE".
When such a PC connects to the same website when NOT connected via VPN to the domain, they receive:
"DOMAIN NAME" Root CA > "DOMAIN NAME" Issuing CA1 > "NAME OF SHAREPOINT WEBSITE".
How can I create a certificate for these non-domain joined PCs so that I can import the certificate in the Trusted Root Certification Authorities store? Thank you!
It sounds like the question you are really asking is:
How do I designate the internal root CA as a trusted root CA
Run certutil -addstore root RootCert.crt (this must be run from an administrative command prompt)
This designates the root CA as a trusted root on the client. You also may want to install the intermediate cert to the store (you are not clear on what VPN product you are using, so it may or may not do proper chain building).
Run Certutil -addstore CA IssuingCA.crt
Brian -
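The two certutil commands from the answer above, wrapped in a check-before-trust and verify-after sequence. This is an added example, not part of the original posts: RootCert.crt and IssuingCA.crt are the file names used in the answer, while SharePointSite.cer and the expected thumbprint are placeholders you must supply yourself.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Run on the non-domain-joined client.

$RootFile    = '.\RootCert.crt'        # file name from the answer above
$IssuingFile = '.\IssuingCA.crt'       # file name from the answer above
$ServerFile  = '.\SharePointSite.cer'  # hypothetical export of the web server certificate
# Placeholder: thumbprint obtained from the CA administrator over a separate channel.
$ExpectedRootThumbprint = '<ROOT-CA-THUMBPRINT-OBTAINED-OUT-OF-BAND>'

$X509 = 'System.Security.Cryptography.X509Certificates'

# 1. Inspect the root file WITHOUT installing it. Anything placed in the Root
#    store is trusted for every purpose, so confirm it is the expected CA first.
$root = New-Object "$X509.X509Certificate2" -ArgumentList (Resolve-Path $RootFile).Path
if ($root.Subject -ne $root.Issuer) {
    throw "$RootFile is not self-issued (Subject differs from Issuer); not adding it to the Root store."
}
if ($root.Thumbprint -ne ($ExpectedRootThumbprint -replace '\s', '')) {
    throw "Thumbprint mismatch for ${RootFile}: got $($root.Thumbprint)."
}

# 2. Install root and intermediate with the commands given in the answer.
certutil -addstore root $RootFile
if ($LASTEXITCODE -ne 0) { throw "certutil failed adding the root certificate." }
certutil -addstore CA $IssuingFile
if ($LASTEXITCODE -ne 0) { throw "certutil failed adding the issuing CA certificate." }

# 3. Build the chain for the server certificate the same way a client would,
#    and print every element so a missing intermediate is visible.
$server = New-Object "$X509.X509Certificate2" -ArgumentList (Resolve-Path $ServerFile).Path
$chain  = New-Object "$X509.X509Chain"
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chainOk = $chain.Build($server)

$chain.ChainElements | ForEach-Object { "  " + $_.Certificate.Subject }

if ($chainOk) {
    "Chain builds to a trusted root."
} else {
    # A revocation-related status here usually means the CRL distribution point
    # of the internal CA is not reachable from this client (e.g. over the VPN).
    $chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }
}
```

If step 3 reports only revocation-related statuses, the trust import worked and the remaining problem is reachability of the CA's CRL or OCSP URLs from the client.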
Windows 2012 R2 ADRMS domain controller version and Non-domain-joined Mac Client with outlook 2011
Hi,
What is the AD version for Windows 2012R2 ADRMS? Is it possible to have Windows 2003 R2 DC with Windows 2012R2 ADRMS?
Any installation guide Non-domain-joined Mac Client with outlook 2011?
What is the SQL version for Windows 2012R2 ADRMS?
Please advise. Thanks.
Kelvin Teang
Hi Kelvin -
There is no RMS Client for Macs. That functionality is actually provided through the Office for Mac application (this is different compared to the PC). Domain-joined clients will autodiscover the RMS server and should be able to create and consume
protected content. Non-domain-joined clients cannot automatically discover their RMS server. In this scenario, prepare a protected document or email from a domain-joined machine and send it to your non-domain-joined users. They will open
the document or email up and the URLs contained in the publishing license of the document will direct them to the correct RMS server.
I hope that helps!
Micah LaNasa
Synergy Advisors
synergyadvisors.biz -
Licensing for non domain joined machines
Good Day
would additional licensing be required to manage non domain joined machines or would this be covered by the current EA. can someone explain how licensing for the management of non domain machines would work?
thanks
daniel
Hi,
There is no difference if you don't want to license them differently and if that is possible in your agreement, so you should contact your MS License reseller.
You could buy a System Center Configuration Manager CAL if you want to manage it, that will only cover ConfigMgr and not Endpoint protection for instance. So you should really contact your reseller and see what is the most optimal solution for your company/organisation.
Regards,
Jörgen
-- My System Center blog ccmexec.com -- Twitter
@ccmexec -
Install AADSync on a Workgroup server (non-domain joined)
Does anyone have experience with installing AADSync on a non-domain joined server (workgroup)? A company with multiple forests wants to have a "neutral" server for the identity synchronisation. It looks like the tool is installing fine, but can
there be some configuration issues?
This is supported. See here:
"Your computer can be stand-alone, a member server or a domain controller. "
ref: http://msdn.microsoft.com/en-us/library/azure/dn757602.aspx
Mike Crowley | MVP
My Blog --
Planet Technologies -
Change default composition size in After Effects cs6
I am editing several different videos tomorrow for a friend, each of them need to be 640x250. They are simple edits, so I'd really hate to have to change the export settings on every clip when I render and export. Is there any way to make a default export size of 640x250 at 60fps?
No, no, no.... that isn't what Rick meant. 60 fps is a non-standard frame rate. Almost always -- think about 99% of the time -- the frame rate you really want to use is 59.94 fps. No kidding.
Now, if you're just farting around with AE, use any frame rate you want. If you actually want to use your AE work for something in a different application, you need to keep such things in mind. Frame rate is one item on a list of items you must technically meet known as delivery specifications.
And speaking of delivery specifications, 640x250 is a very weird resolution. Perhaps you can elaborate on what will happen with your AE work when you're done with it. -
How to change default window size?
I'm using MX 6.0 on Mac... For some reason I can't figure out
how to change the default window size in the work windows. Every
time I open a new file to work on it opens to a smaller size than
the actual page is. When opening pages dozens of times a day, it
gets annoying to have to resize each time. I'm sure it wasn't
always like this, but I can't figure out how to change it so the
default size that it opens to each time is larger.
Thanks for any help,
DD
Window | Workspace | Save Current
This gives you the opportunity to save a current layout look
that you like
You might also look under
Edit |Preferences | Status bar - but I don't see that this
does anything
in DWCS3 -
Change default document size in PDF
The default document page setting in my PDF is set as 36"x24". I am not able to print the same in A4 even after making it to fit to A4. Any solution to change the default document size to A4?
CreatePDF, perhaps? Try the forum at http://forums.adobe.com/community/createpdf
-
How do you change default page size in pdf?
I purchased CREATE solely to create a pdf file from a scanned document. I created the PDF but the default page size is 30.15 x 20.83 INCHES. I cannot seem to change the page size. I called support services 4 times (talking with Sakthivel, Shashank, Medhet, and one other.) Each time they indicated that they would connect me to the correct people and they disconnected. I want some answers please. This seems to be a simple question. Is Adobe CREATE merely a scam?
CreatePDF, perhaps? Try the forum at http://forums.adobe.com/community/createpdf
-
How do you change default note size
This must be an old question but search found me nothing. I just want to find a default to change the note size for all slides to something besides the very large one I'm now stuck with. Thanks!
Thanks, Sam. Yes, I could easily change the individual slides, too, but there seems to be a rather large hole in the program, if you're promoting this for kiosk use or even just being able to send to possible interested parties without being present and therefore you want to narrate it. AARGH! Is there NO one at Apple who even occasionally looks at its own forums! And it's not in the Knowledge database either.