It's been a couple of months since I last posted, mostly because I have been really busy with work, with not a lot of time spent on scripts. So instead I'll post about some things I have been working on, and people are welcome to do a Q&A in the comments forum:
Remember WINS? The NetBIOS name resolution service before DNS? Yeah, me neither. It was, however, rather widespread throughout where I worked, with the big problem being that the service was a Windows component that was installed but not managed as a service.
What I learnt about this was that ownership of WINS records is very important. Where multiple WINS servers are replicating and one server is decommissioned, all the records owned by that server remain active (at least that is what happened for me). As a result, there were some 60,000 WINS records in an environment with fewer than 9000 machines.
As a result there has been a project since December 2011 to remove WINS settings from all DHCP scopes, remove them manually from all static-IP hosts, and gradually decommission the WINS service. The static-IP removal was made much easier using my DNS & WINS Update script. In early March the job was complete, with only a couple of legacy servers still having access to a WINS service on a machine. Only two machines out of the 9000 had issues raised, one of them being an NT4 (!) machine. Quite successful.
My curiosity had been piqued as to why all certificates created since September 2011 were expiring on the same date. A little bit of investigation and my suspicions were confirmed: the CA root certificate is due to expire.
I've had to do a reasonable crash course in PKI and have found that when the CA was set up, it was set up as both the root CA and the issuing CA, which is bad news. To make things even more difficult, most of the information available on PKI and CAs is about OpenSSL, which does not help in a Microsoft Certificate Services environment. And it would seem that no one can provide me the highly detailed information I want about how the Host Server <-> CA CSR <-> Root CA flow works in a Certificate Services environment.
The short-term fix has been to renew the root CA certificate. This is not the ideal solution, but a band-aid. I envisage the long-term solution will be to overhaul our CA infrastructure with assistance from someone who knows a lot more about PKI than I do.
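The symptom above (every certificate issued since a certain date ending on the same day) follows from a rule AD CS enforces: an issuing CA will not issue a certificate whose NotAfter is later than its own CA certificate's NotAfter, so once the CA certificate's remaining life drops below the template's validity period, every new certificate is silently truncated to the CA's expiry date. The following PowerShell is an added example written for this post, not the author's script and not part of Certificate Services; it assumes the issuing CA certificate is present in the local machine's Trusted Root or Intermediate CA store, and it lists the certificates in the machine's Personal store whose expiry has been pinned to their issuer's expiry, then shows how much life is left on each CA certificate.

```powershell
# Added example, not from the original post: find certificates in the local
# machine store whose expiry has been pinned to the issuing CA certificate's expiry.
# AD CS never issues a certificate that outlives the CA certificate, so a run of
# certificates all ending on the CA's NotAfter date is the symptom described above.
# Assumption: the issuing CA certificate is in the Root or Intermediate CA store.

$caCerts = @{}
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA') {
    foreach ($cert in Get-ChildItem -Path $store) {
        # Key on Subject so issued certificates can be joined on their Issuer string
        if (-not $caCerts.ContainsKey($cert.Subject)) {
            $caCerts[$cert.Subject] = $cert
        }
    }
}

$pinned = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    if ($cert.Subject -eq $cert.Issuer) { continue }   # skip self-signed certificates
    $ca = $caCerts[$cert.Issuer]
    if ($null -eq $ca) { continue }                    # issuer not found in a local CA store
    # Expiring on (or after) the CA's own expiry means the requested lifetime was cut short
    if ($cert.NotAfter -ge $ca.NotAfter) {
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            CANotAfter = $ca.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    }
}

"Certificates whose expiry is pinned to their CA's expiry:"
$pinned | Sort-Object NotAfter | Format-Table -AutoSize

# Remaining life of each CA certificate, shortest first: the one at the top is the
# certificate that is about to start truncating (or has already truncated) issued lifetimes
"CA certificates by remaining life:"
$caCerts.Values |
    Select-Object Subject, NotAfter,
        @{ Name = 'DaysLeft'; Expression = { [int]($_.NotAfter - (Get-Date)).TotalDays } } |
    Sort-Object DaysLeft |
    Format-Table -AutoSize
```

Run it on a domain member that has received the CA certificate through Group Policy or on the CA itself. The comparison uses -ge rather than -eq because a certificate can never legitimately outlive its issuer, so anything at or past the CA's expiry is a truncated lifetime. After the CA certificate is renewed, certificates listed here still expire on the old date and need to be reissued; renewal fixes future issuance only.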
Remarkably, we are still running our AD in 2003 mixed mode, over 12 months after the schema extensions were done to upgrade AD. As a result, I have decided to get our AD upgraded, hopefully by the end of June. We are by no means a large AD site, with up to 20,000 user accounts, and our sites are mostly "well connected", yet we have 30 domain controllers. I have in recent weeks made inroads into reducing this number to fewer than 10.
I still have a little way to go: there are applications that are hard-coded to a specific domain controller that need to be moved to a load-balanced solution, and physical domain controllers that need replacing, but I am hoping to have the AD in 2008 R2 native mode by the end of June.
Threat Management Gateway 2010
Work has started to replace the current ISA 2006 server that acts as a reverse proxy into our corporate network. This has required a crash course in TMG 2010, as many of us have not had anything to do with the ISA server since the person who looked after it left the team a couple of years ago. The importance of the system came to the fore when the ISA box decided to bind to a firewalled IP address (long story, don't ask), which meant it could no longer authenticate against AD.
So there you have it really: these are the major projects on the go, and along with the myriad of smaller work I also need to do, there is not a lot of time left to write scripts that make people happy. If I come across something of particular interest, you can be sure I will post about it 🙂