The Acumen IT Support blog provides you with helpful articles about the Microsoft Active Directory.

Microsoft Active Directory provides user and computer security for your Windows computers. Like a phonebook stores information about people, Active Directory stores information about your network’s components.

Several web sites provide good overviews.

Official Microsoft Overview

Active Directory Wikipedia

Active Directory Consulting

Troubleshooting Active Directory Account Lockouts

A how-to on diagnosing the cause of a (user’s) Active Directory account repeatedly locking out.

Download the Account Lockout Status tools from Microsoft

Below is the Active Directory Solution:


Configuring Active Directory/LDAP over TLS on SonicOS

Article Applies To: Active Directory

Firmware/Software Version: SonicOS Enhanced

Services: LDAP over TLS

Feature:

This article explains how to integrate a SonicWALL appliance with an LDAP directory service over TLS/SSL. This requires configuring your LDAP server for certificate management, installing the correct CA certificate on your SonicWALL appliance, and configuring the SonicWALL appliance to use the information from the LDAP server.

Before beginning your LDAP configuration, you should prepare your LDAP server and your SonicWALL for LDAP over TLS support. This requires:

Installing a server certificate on your LDAP server.

Installing a Certificate Authority (CA) certificate for the issuing CA on your SonicWALL appliance.

Deployment Steps:

Please note: In this article we have used a Windows Server 2003 server for the Certificate Authority and Active Directory. If you are using a Windows Server version other than 2003, please check the Microsoft site for configuring the CA and Active Directory; the steps on SonicOS Enhanced remain the same.

The following procedures describe how to configure LDAP over TLS.

Step 1. Configuring the CA on the Active Directory Server 

Step 2. Exporting the CA Certificate from the Active Directory Server

Step 3. Importing the CA Certificate onto the SonicWALL

Step 4. Configuring LDAP settings on SonicWALL Appliance

Step 1: Configuring the CA on the Active Directory (Windows 2003 Server)

To configure the CA on the Active Directory server (skip the first five steps if Certificate Services are already installed):

  1. Navigate to Start > Settings > Control Panel > Add/Remove Programs.
  2. Select Add/Remove Windows Components.
  3. Select Certificate Services.
  4. Select Enterprise Root CA when prompted.
  5. Enter the requested information. See http://support.microsoft.com/kb/931125.

Step 2: Exporting the CA Certificate from the Active Directory Server

To export the CA certificate from the AD server:

  1. Launch the Certification Authority application: Start > Run > certsrv.msc.
  2. Right-click on the CA you created and select Properties.
  3. On the General tab, click the View Certificate button.
  4. On the Details tab, select Copy to File.
  5. Follow through the wizard, and select the DER Encoded binary X.509 (.cer) format.
  6. Click Browse and specify a path and filename to which to save the certificate.
  7. Click Next and then click Finish.

Step 3: Importing the CA Certificate onto the SonicWALL

To import the CA certificate onto the SonicWALL:

  1. Browse to System > CA Certificates.
  2. Click on Import.
  3. Select Import a CA certificate from a PKCS#7 (.p7b), PEM (.pem) or DER (.der or .cer) encoded file, click Browse and select the certificate file you just exported from the Microsoft Certificate Authority.
  4. Once the root certificate is selected, click Import.
  5. Once the CA root certificate is imported, it is listed under the System > Certificates section with Type shown as CA Certificate.

Step 4: Configuring LDAP settings on SonicWALL Appliance

  1. Go to the Users > Settings page. In the Authentication method for login drop-down list, select LDAP + Local Users and click Configure.

If you are connected to your SonicWALL appliance via HTTP rather than HTTPS, you will see a dialog box warning you of the sensitive nature of the information stored in directory services and offering to change your connection to HTTPS. If you have HTTPS management enabled for the interface to which you are connected (recommended), check the “Do not show this message again” box and click Yes.

  2. On the Settings tab of the LDAP Configuration window, configure the following fields:

Name or IP address: The FQDN of the LDAP server against which you wish to authenticate. When using a name, be certain that it can be resolved by your DNS server. (It is recommended to use the name of the server rather than its IP address, because the name is what gets matched against the server certificate.)

Port Number: The default LDAP over TLS port number is TCP 636.

Server timeout (seconds): The amount of time, in seconds, that the SonicWALL will wait for a response from the LDAP server before timing out. Allowable ranges are 1 to 99999, with a default of 10 seconds.

Overall operation timeout (minutes): 5 (default)

Anonymous Login – Some LDAP servers allow for the tree to be accessed anonymously. If your server supports this (Active Directory generally does not), then you may select this option.

Login User Name – Specify a user name that has rights to log in to the LDAP directory. The login name will automatically be presented to the LDAP server in full ‘dn’ notation. This can be any account with LDAP read privileges (essentially any user account) – Administrative privileges are not required.

Note that this is the user’s name, not their login ID.

Login Password – The password for the user account specified above.

Protocol Version – Select either LDAPv3 or LDAPv2. Most modern implementations of LDAP, including Active Directory, employ LDAPv3.

Use TLS (SSL): Use Transport Layer Security (SSL) to log in to the LDAP server. It is strongly recommended that TLS be used to protect the username and password information that will be sent across the network. Most modern LDAP server implementations, including Active Directory, support TLS. Deselecting this default setting will display an alert that you must accept to proceed. (Check this option.)

Send LDAP ‘Start TLS’ Request – Some LDAP server implementations support the Start TLS directive rather than using native LDAP over TLS. This allows the LDAP server to listen on one port (normally 389) for LDAP connections, and to switch to TLS as directed by the client. Active Directory does not use this option, and it should only be selected if required by your LDAP server.

Require valid certificate from server – Validates the certificate presented by the server during the TLS exchange, matching the name specified above to the name on the certificate. Deselecting this default option will present an alert, but exchanges between the SonicWALL and the LDAP server will still use TLS – only without validation of the server’s certificate.

Local certificate for TLS – Optional, to be used only if the LDAP server requires a client certificate for connections. Useful for LDAP server implementations that return passwords to ensure the identity of the LDAP client (Active Directory does not return passwords). This setting is not required for Active Directory. Leave this option unchecked if unsure.


  3. On the Schema tab, configure the following fields:

LDAP Schema: Microsoft Active Directory


  4. On the Directory tab, configure the following fields:

Primary domain: The user domain used by your LDAP implementation.

User tree for login to server: The location in the directory tree of the user account specified on the Settings tab.

Click Auto-configure, select Append to existing trees and click OK.

This will populate the Trees containing users and Trees containing user groups fields by scanning through the directories in search of all trees that contain user objects.

  5. On the LDAP Users tab, configure the following fields:

Default LDAP User Group : Trusted Group

How to Test:


On the LDAP Test tab, test a Username and Password in Active directory to make sure that the communication is successful.
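The same check can be run from an admin workstation, independently of the appliance, to separate a certificate or name problem from a wrong DN or password. The script below is an added example, not code from this post or from SonicWALL: it performs what the Settings tab fields describe (TLS on TCP 636, trust only the CA certificate exported in Step 2, match the server name against the certificate as "Require valid certificate from server" does, then an LDAPv3 simple bind with the login name in full DN notation). The hostname, bind DN and the embedded failed-bind response bytes are constructed; the message layout follows RFC 4511.

```python
"""LDAPS (LDAP over TLS, TCP 636) bind check. Added example, not SonicWALL code.
Trusts only the CA certificate exported in Step 2, requires the server name to
match its certificate, then sends an LDAPv3 simple bind (RFC 4511) with a full DN.
Hostnames, DNs and the sample response bytes below are constructed."""
import getpass
import socket
import ssl
import sys


def ber(tag: int, content: bytes) -> bytes:
    """Encode one BER TLV with a definite (short- or long-form) length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + content


def ber_int(value: int, tag: int = 0x02) -> bytes:
    """BER INTEGER (tag 0x02) or ENUMERATED (tag 0x0a): two's complement, big-endian."""
    size = max(1, (value.bit_length() + 8) // 8)
    return ber(tag, value.to_bytes(size, "big", signed=True))


def bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] } with simple authentication."""
    op = ber(0x60, ber_int(3)                               # version: LDAPv3
             + ber(0x04, bind_dn.encode("utf-8"))           # name, in full DN notation
             + ber(0x80, password.encode("utf-8")))         # simple [0] password
    return ber(0x30, ber_int(message_id) + op)


def read_tlv(buf: bytes, pos: int = 0) -> tuple:
    """Decode the TLV at buf[pos]: returns (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                                        # long-form length
        size = first & 0x7F
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(buf: bytes) -> tuple:
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    _, msg, _ = read_tlv(buf)                               # outer LDAPMessage SEQUENCE
    _, mid, pos = read_tlv(msg)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(op)                             # ENUMERATED resultCode
    _, _matched_dn, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return (int.from_bytes(mid, "big", signed=True), int.from_bytes(code, "big"),
            diag.decode("utf-8", "replace"))


# Constructed sample of a failed bind (resultCode 49, invalidCredentials) for offline parsing.
SAMPLE_FAILED_BIND = ber(0x30, ber_int(1) + ber(0x61, ber_int(49, 0x0a) + ber(0x04, b"")
                         + ber(0x04, b"constructed sample: invalid credentials")))


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def recv_message(sock: socket.socket) -> bytes:
    head = recv_exact(sock, 2)                              # tag + first length byte
    if head[1] & 0x80:
        head += recv_exact(sock, head[1] & 0x7F)
        length = int.from_bytes(head[2:], "big")
    else:
        length = head[1]
    return head + recv_exact(sock, length)


def ldaps_bind(host: str, bind_dn: str, password: str, ca_file: str,
               port: int = 636, timeout: float = 10.0) -> tuple:
    """TLS to host:port trusting only ca_file (the exported DER .cer, or PEM), then bind."""
    with open(ca_file, "rb") as f:
        ca = f.read()
    cadata = ca.decode("ascii") if ca.startswith(b"-----BEGIN") else ca  # PEM text or DER bytes
    ctx = ssl.create_default_context(cadata=cadata)      # system root store is NOT loaded
    ctx.check_hostname = True                            # "Require valid certificate from server"
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:  # FQDN, not IP, so names match
            tls.sendall(bind_request(1, bind_dn, password))
            return parse_bind_response(recv_message(tls))


if __name__ == "__main__":
    # python ldaps_check.py dc01.mycompany.local "CN=svc-ldap,CN=Users,DC=mycompany,DC=local" ca.cer
    host, dn, ca_path = sys.argv[1:4]
    _, code, diag = ldaps_bind(host, dn, getpass.getpass("Bind password: "), ca_path)
    print(f"bind resultCode={code} (0 = success, 49 = invalidCredentials) {diag}".strip())
```

Run it with the same FQDN and DN entered on the Settings tab. An `ssl.SSLCertVerificationError` raised before any LDAP traffic means the server certificate does not chain to the exported CA or its name does not match the FQDN, which is the same condition the appliance reports when certificate validation is on; a resultCode of 49 means the handshake was fine and the domain controller rejected the DN/password pair.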


SOLVED: DCPromo Config Wizard Site List

When running dcpromo on Windows Server 2012 in a new site in an existing domain, the Site Name dropdown is empty.  When any page in the wizard is incomplete, you cannot continue.  This post found a resolution.

When you run dcpromo, you begin to see the “Active Directory Domain Services Configuration Wizard.” This wizard automatically detects your domain and suggests the appropriate domain selections. This includes asking you which site should contain this new domain controller. In prior versions of dcpromo, you set the site after installing the domain controller using AD Sites and Services.

In our case, we noticed that the sites were listed correctly, but we wanted to create a new site so we could select it in this dropdown.  We exited dcpromo, went to an existing domain controller, ran AD Sites and Services, and created the new site.

Next we returned to dcpromo on our target server and found that our new site wasn’t in the wizard.  We figured this was a replication issue and went to lunch.  When we came back, the site name still wouldn’t appear in the wizard, so we restarted the target server.

Now when we ran dcpromo, the site list was completely blank. dcpromo clearly saw our domain by the other detections, but would no longer list the sites. So, we changed DNS servers on the target server to use alternate DCs, but no change.

After seeing that Google had nothing to offer but hundreds of “How to run dcpromo” blogs, we started clicking around in dcpromo to see if we could make something work.  We tried selecting the domain, even though the detections showed our proper domain.  The domain selector showed some hexadecimal string that we presume was the hex value representation of our domain “mycompany.local”.  We selected this just to see if it fixed anything and found that it actually selected the hex value, not the domain string – and the wizard would not continue.

We then typed in our actual domain name in the domain textbox and clicked Next.

Now the Site Name selection list had our Sites listed correctly.

EDIT: We realized after the fact that the corresponding site subnet entry had the wrong subnet mask. We don’t know if this was the cause of the problem or just coincidental.
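The closing note points at a subnet object with the wrong mask. Active Directory decides which site a computer belongs to (a server being promoted included) by matching its IP address against the subnet objects in AD Sites and Services, with the most specific matching subnet winning, so a mistyped mask can leave the new server's address outside every subnet. The script below is an added example, not from this post: it models that lookup over a constructed subnet table (site names, CIDRs and addresses are all made up) and goes slightly beyond the post by also flagging subnet entries whose address and mask disagree and entries that overlap while pointing at different sites.

```python
"""Which AD site does an address map to? Added example, not from the post.
Active Directory places a computer in a site by matching its IP address against
the subnet objects in AD Sites and Services; the most specific subnet wins.
The subnet table, site names and addresses below are constructed."""
import ipaddress

# Constructed sample of AD subnet objects (CIDR -> site). The /30 stands in for a
# mistyped mask like the one the post mentions; the intended entry was 10.20.5.0/24.
SAMPLE_SUBNETS = {
    "10.10.0.0/16": "HQ",
    "10.20.5.0/30": "Branch",
    "192.168.50.0/24": "HQ",
}


def site_for_ip(ip: str, subnets: dict):
    """Longest-prefix match of ip against the subnet objects; None if nothing covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, site)
    return best[1] if best else None


def audit_subnets(subnets: dict) -> list:
    """Things to check before promoting a DC into a site: entries whose address has
    host bits set (address and mask disagree) and entries that overlap across sites."""
    findings, parsed = [], []
    for cidr, site in subnets.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:                      # e.g. 10.20.5.0/16: host bits set
            net = ipaddress.ip_network(cidr, strict=False)
            findings.append(f"{cidr} ({site}): host bits set, address or mask mistyped")
        parsed.append((net, site))
    for i, (a, site_a) in enumerate(parsed):
        for b, site_b in parsed[i + 1:]:
            if a.version == b.version and site_a != site_b and (a.subnet_of(b) or b.subnet_of(a)):
                findings.append(f"{a} ({site_a}) overlaps {b} ({site_b}); the longer prefix wins")
    return findings


def main() -> None:
    # 10.20.5.10 is the constructed address of the server being promoted: with the
    # /30 entry it matches no subnet, which is the symptom worth checking first.
    for ip in ("10.10.3.4", "10.20.5.2", "10.20.5.10"):
        print(f"{ip:>12} -> {site_for_ip(ip, SAMPLE_SUBNETS)}")
    for finding in audit_subnets({**SAMPLE_SUBNETS, "10.20.5.0/16": "Branch"}):
        print("finding:", finding)


if __name__ == "__main__":
    main()
```

To use it against a real forest, export the subnet objects from AD Sites and Services into the same CIDR-to-site mapping and pass the new server's address; an address that maps to None is the first thing to fix before re-running the wizard.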

See our Active Directory page for more information!