Summary

When a CA server is uninstalled or crashes beyond recovery some objects are left in Active Directory. It’s good practice to remove these obsolete objects.

Background

When you install a version of Certificate Authority that is Active Directory-integrated (i.e. Enterprise Root or Enterprise Subordinate) the following 6 objects are created/modified in the Active Directory database:

Name: <CA Common Name>
Type: certificateAuthority
LDAP Path: CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=DC=example,DC=com
Used for: Contains CA certificates that clients can fetch when validating a certificates chain. Certificates can point to this location via the Authority Information Access (AIA) certificate extension.

Name: <CA Common Name>
Type: crlDistributionPoint
LDAP Path: CN=<CAServerName>,CN=CDP,CN=Public Key Service,CN=Services,CN=Configuration,DC=DC=example,DC=com
Used for: Contains CRLs (base and delta) that CAs has published in the AD. Certificates can point to this location via the CRL Distribution Point (CDP) certificate extension.

Name: <Root CA Common…

When deploying a Windows Server 2019 Network Policy Server (NPS) to support a Windows 10 Always On VPN implementation, administrators may encounter the following error when attempting to establish a VPN connection on a remote Windows 10 client.

Can’t connect to [connection name].

The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

In addition, an event ID 20227 from the RasClient will be recorded in the application event log with the following error message.

The user [username] dialed a connection named [connection name] which has failed. The error code returned on failure is 812.

Common Causes

Always On VPN error code 812 indicates an authentication policy mismatch…

Many of the Microsoft AD cmdlets have a –Filter and an –LDAPFilter parameter. So what’s the difference?

PS> Get-Help Get-ADUser -Parameter *Filter*

-Filter <String>
Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression
Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter.

-LDAPFilter <String>
Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter.

This means you have two ways to approach a problem. Lets think about finding a…

Hello, sandwich fans!  It’s been awhile since I’ve written, but I have some fresh deli meat for you today.  If you recall, last year I wrote a blog post about setting up VMware, Synology, and iSCSI MPIO.   It turns out to have been my most-read post so far, for which I thank you.  Since I’ve gotten such positive feedback, today I’m going to show you a similar setup, but this time I’m going to use NFS instead of iSCSI.

There are some pretty significant differences between iSCSI and NFS, both in terms of architecture and performance. One big difference is that NFS really doesn’t have support for multi-pathing (MPIO) in the way that iSCSI does.  It has a few work-arounds like using alternate subnets and so forth, but for today we’re going to rely on simple failover on the host side with LACP link bonding on the storage side.   …

I often use the EMP and DEPT tables for test and demonstration purposes. Both these tables are owned by the SCOTT user, together with two less frequently used tables: BONUS and SALGRADE. Execute the below code snippets to create and seed the EMP and DEPT tables in your own schema. The BONUS and SALGRADE tables are included as well, but are commented out. The DDL (data definition language) part creates the tables, the DML (data manipulation language) part inserts the data.