TechShizz | Tech Guides

PKI Setup (Offline Root CA)

Place CAPolicy.inf in the c:\Windows folder on the CA

Install the Root CA

Configure the Root CA:

Remove ALL CRL Locations BEFORE issuing any certificates

On the root CA run:

certutil -setreg ca\ValidityPeriod "Years"

certutil -setreg ca\ValidityPeriodUnits "20"

Copy the root CA certificate and CRL files from c:\windows\system32\certsrv\CertEnroll\ on the Root CA to c:\CertEnroll on the Sub-CA or web server.

On the CertEnroll folder give Cert Publishers Modify permission and Everyone Read permission.

Install the Sub-CA, with the CAPolicy.inf file placed in the C:\Windows folder on the Sub-CA.

Import the request into the Root CA and issue the certificate. Then save it to a file and install it on the Sub-CA.

Start the CA service on the Sub-CA. At this point errors will be shown for the Sub-CA in the PKI hierarchy.

Go to the Webserver

Run Cmd:

C:\windows\system32\inetsrv\appcmd set config "Default Web Site" /section:system.webServer/security/requestFiltering /allowDoubleEscaping:True

(Double escaping has to be allowed because delta CRL file names contain a "+" character, which IIS request filtering blocks by default.)

iisreset

cd \CertEnroll

certutil -f -DSPublish CA-Root.contoso.com_CAROOT.crt RootCA

Finally configure DNS

If the domain ends in .local, an A record will need to be created pointing to the web server.

Application Directory Partitions

To create a DNS application directory partition

  1. Open a command prompt.
  2. Type the following command, and then press ENTER:

dnscmd <ServerName> /CreateDirectoryPartition <FQDN>

This only needs to be done once: it creates the partition in the directory database (NTDS.dit) and replicates it around AD.

https://technet.microsoft.com/en-us/library/cc772361.aspx

To enlist a DNS server in a DNS application directory partition

  1. Open a command prompt.
  2. Type the following command, and then press ENTER:

dnscmd <ServerName> /EnlistDirectoryPartition <FQDN>

This needs to be repeated on each DNS server that requires access to the partition.

https://technet.microsoft.com/en-us/library/cc772361.aspx

To remove a DNS server from a DNS application directory partition

  1. Open a command prompt.
  2. Type the following command, and then press ENTER:

dnscmd <ServerName> /UnenlistDirectoryPartition <FQDN>

https://technet.microsoft.com/en-us/library/cc772361.aspx

Test SMTP Email with Telnet

In this example I'll email from test@outlook.com to rich@techshizz.com.

First identify the SMTP server via its MX record:

nslookup -q=mx techshizz.com

From a Telnet client run:

telnet mail.techshizz.com 25

At this point you should get a 220 response, which means everything is OK up to this point.

Helo techshizz.com          < just type the domain after Helo (not important)

Mail from: test@outlook.com

250 OK

Rcpt to: rich@techshizz.com

Data

This is a test - Ignore
.                           < after the message text hit Enter, then the period key, then Enter again to submit

250 OK

Quit
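The same exchange driven from a script, added here as an example and not part of the original guide: it sends each command, compares the reply code with what a healthy server returns at that step (220, 250, 250, 250, 354, 250, 221), handles multi-line replies and dot-stuffs the body. It assumes only the Python standard library; smtp_test_from_transcript replays constructed server replies so the logic can be checked offline, while smtp_test_over_network runs it against the MX host found with nslookup.

```python
import io
import socket
# Reply code a healthy server returns at each step of the telnet walk-through above.
EXPECTED = {"connect": 220, "HELO": 250, "MAIL FROM": 250, "RCPT TO": 250,
            "DATA": 354, ".": 250, "QUIT": 221}

def read_reply(rfile):
    """Return the 3-digit code of one SMTP reply ('250-...' lines mean more follow)."""
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 4 or line[3] != "-":
            return int(line[:3])

def smtp_dialogue(rfile, wfile, helo, mail_from, rcpt_to, body):
    """Run HELO/MAIL/RCPT/DATA/QUIT; return [(step, code)], quitting at the first bad code."""
    def send(cmd):
        wfile.write((cmd + "\r\n").encode("ascii"))
        wfile.flush()
    steps = [("connect", None), ("HELO", "HELO " + helo),
             ("MAIL FROM", f"MAIL FROM:<{mail_from}>"),   # RFC 5321 envelope form
             ("RCPT TO", f"RCPT TO:<{rcpt_to}>"), ("DATA", "DATA")]
    results = []
    for step, cmd in steps:
        if cmd is not None:
            send(cmd)
        results.append((step, read_reply(rfile)))
        if results[-1][1] != EXPECTED[step]:
            send("QUIT")
            return results
    for line in body.splitlines():  # dot-stuffing: a body line starting with '.' gets another '.'
        send("." + line if line.startswith(".") else line)
    send(".")  # a line holding only '.' ends the message
    results.append((".", read_reply(rfile)))
    send("QUIT")
    results.append(("QUIT", read_reply(rfile)))
    return results

def failed_steps(results):
    return [(s, c) for s, c in results if c != EXPECTED[s]]  # e.g. [('RCPT TO', 550)]

def smtp_test_over_network(host, port=25, **kw):  # live run against the MX host found above
    with socket.create_connection((host, port), timeout=10) as s:
        return smtp_dialogue(s.makefile("rb"), s.makefile("wb"), **kw)

def smtp_test_from_transcript(server_replies, **kw):  # offline: replay constructed server replies
    wfile = io.BytesIO()
    return smtp_dialogue(io.BytesIO(server_replies), wfile, **kw), wfile.getvalue()
```

The script sends MAIL FROM:<addr> with the angle brackets RFC 5321 requires; the bare form typed above works on most servers but strict ones reject it.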

Active Directory Compaction Script

Compaction Script


@ECHO OFF
REM Offline defragmentation (compaction) of the Active Directory database.
REM Run from an elevated prompt on the domain controller being compacted.
ECHO To compact the NTDS.dit file for this domain
ECHO controller ensure you have the following
ECHO folders set up on the c:\
ECHO.
ECHO C:\Temp
ECHO C:\OriginalNTDS
ECHO.
pause
REM Clear out database files left by a previous run
del C:\Temp\*.dit
del C:\OriginalNTDS\*.dit
REM Stop AD DS (and the services that depend on it) so the database is closed
net stop ntds /y
REM Write a compacted copy of the database to C:\Temp
ntdsutil "activate instance NTDS" files "compact to C:\Temp" quit quit
REM Leave the live database alone unless the compacted copy actually exists
if not exist C:\Temp\ntds.dit (
    ECHO Compaction failed - original database left in place.
    net start ntds
    pause
    exit /b 1
)
cd /d C:\Windows\NTDS
REM Remove the old transaction logs, keep a backup of the original database,
REM then replace it with the compacted copy
del *.log
copy ntds.dit C:\OriginalNTDS\
del ntds.dit
copy C:\Temp\ntds.dit C:\Windows\NTDS\
REM Check the new database before bringing AD DS back up
ntdsutil "activate instance NTDS" files integrity quit "semantic database analysis" "go fixup" quit quit
ECHO To restart the AD DS press enter.
pause
net start ntds
ECHO Compacting Finished.
pause