Monday, 17 June 2013

Preventing crawling of web sites

Robots.txt is a standard way of preventing web crawlers from indexing a page.
However, it is still possible for a website with a robots.txt file to appear in search results.
This usually happens if the site is linked to from other sites, with a description of it in the anchor text. In such a scenario the site will still not be crawled, but search engines can still infer that it is a useful result for certain queries from the number of links pointing to it.
In these cases, there will be no snippet of content from the site in the search results since it still can't be crawled.

An alternative is to allow the site to be crawled but add a noindex meta tag to the pages. Search engines will crawl the site but drop the pages from the index as soon as they see the noindex tag. Note that this only works if the crawler can actually fetch the pages: a page that robots.txt blocks is never crawled, so its noindex tag is never seen.

You can also use URL removal tools to remove sites from indexes.
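The robots.txt/noindex interaction described above, as an added example (not part of the original post): a small PowerShell check that parses the constructed robots.txt and page HTML and flags a noindex tag that a crawler could never see because the path is disallowed.

```powershell
# Added example (not from the original post): checks whether a page's noindex
# meta tag can actually be seen by a crawler, i.e. that robots.txt does not
# Disallow the page. Inputs are constructed strings; no network access needed.
function Test-NoindexVisible {
    param(
        [string]$RobotsTxt,   # contents of /robots.txt
        [string]$PagePath,    # path of the page, e.g. /private/report.html
        [string]$PageHtml     # contents of that page
    )
    # Collect Disallow prefixes from 'User-agent: *' groups only.
    $disallow = @()
    $inWildcardGroup = $false
    foreach ($line in $RobotsTxt -split "`r?`n") {
        $line = ($line -replace '#.*$', '').Trim()
        if ($line -match '^(?i)user-agent:\s*(.+)$') {
            $inWildcardGroup = ($Matches[1].Trim() -eq '*')
        } elseif ($inWildcardGroup -and $line -match '^(?i)disallow:\s*(.*)$') {
            $prefix = $Matches[1].Trim()
            if ($prefix) { $disallow += $prefix }
        }
    }
    $blocked = [bool]($disallow | Where-Object { $PagePath.StartsWith($_) })
    # Assumes the common attribute order name="robots" ... content="...".
    $hasNoindex = [bool]($PageHtml -match '(?is)<meta[^>]+name\s*=\s*["'']robots["''][^>]+content\s*=\s*["''][^"'']*noindex')
    [pscustomobject]@{
        Path               = $PagePath
        DisallowedByRobots = $blocked
        HasNoindexTag      = $hasNoindex
        # noindex only takes effect if the crawler is allowed to fetch the page
        NoindexEffective   = ($hasNoindex -and -not $blocked)
    }
}

# Constructed sample: the page carries noindex but robots.txt blocks it,
# so search engines never see the tag (the conflict the post describes).
$robots = @"
User-agent: *
Disallow: /private/
"@
$html = '<html><head><meta name="robots" content="noindex, nofollow"></head></html>'
Test-NoindexVisible -RobotsTxt $robots -PagePath '/private/report.html' -PageHtml $html
```

For the sample input the result shows DisallowedByRobots and HasNoindexTag both true and NoindexEffective false; removing the Disallow line makes NoindexEffective true.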

Friday, 1 March 2013

Certificate Services and Domain Controllers

When you create a new instance of an Enterprise Certificate server in the forest, you'll find that with a vanilla installation all of your domain controllers start to register certificates based on the Domain Controllers v1 template. This can be troublesome if you already have certificates in the local computer stores on DCs because the DCs may suddenly switch to use these new ones.
This will happen despite the fact that there are no auto-enrollment GPOs in place.

The reason for this is that it is just hard-coded into the operating system for DCs to auto-enroll using the Domain Controller certificate template, regardless of the presence of any policies instructing them to do this.
If there were a policy in place then you would likely find that the DCs would auto-enroll a Domain Controller Authentication certificate instead, as that template supersedes the Domain Controller one.

To prevent this, remove that certificate template from the CA.
This can be done either by deleting it from the Certificate Templates container through the Certification Authority snap-in, or by configuring LoadDefaultTemplates=False (or LoadDefaultTemplates=0) in the CAPolicy.inf file so that the default v1 templates are never loaded onto the CA at installation time.
This is my preferred way as I never use the v1 templates (the general practice is to create your own templates). The v1 templates also cannot be auto-enrolled as this permission does not exist on a v1 template.
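The two fixes above, as an added example (not from the original post): unpublishing the v1 template from an existing CA with certutil, checking a DC's store for certificates already issued from it, and the CAPolicy.inf fragment for a CA yet to be installed. The certutil output format, the extension OID check and the %windir% path are assumptions on my part, not statements from the post.

```powershell
# Added example (not from the original post). Assumes an Enterprise CA on the
# local box, certutil.exe in PATH and an elevated PowerShell session.

# 1. Is the v1 Domain Controller template still published on this CA?
#    (Assumes 'certutil -CATemplates' prints one '<Name>: <DisplayName> ...' line per template.)
$published = certutil -CATemplates | Select-String -Pattern '^DomainController:'
if ($published) {
    Write-Host "v1 DomainController template is published: $published"
    # '-' removes a template from the CA, '+' would add one. Same effect as
    # deleting it from the Certificate Templates container in the CA snap-in.
    certutil -SetCATemplates -DomainController
}

# 2. On a domain controller: list certificates already issued from that v1
#    template. v1 templates carry the Certificate Template Name extension
#    (OID 1.3.6.1.4.1.311.20.2) whose value is the template's short name.
function Get-V1TemplateCerts {
    param([string]$TemplateName = 'DomainController')
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' }
        $ext -and $ext.Format($false).Trim() -eq $TemplateName
    }
}
Get-V1TemplateCerts | Select-Object Subject, NotAfter, Thumbprint

# 3. For a CA that is yet to be installed: CAPolicy.inf in %windir% stops the
#    default v1 templates being loaded at all (the post's preferred fix).
$caPolicy = @"
[Version]
Signature="`$Windows NT`$"

[certsrv_server]
LoadDefaultTemplates=0
"@
Set-Content -Path (Join-Path $env:windir 'CAPolicy.inf') -Value $caPolicy -Encoding ASCII
```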

Friday, 25 January 2013

Creating iSCSI Volumes on Windows clusters

I created this to remind me of all of the steps that need to be done in order to create an iSCSI volume that can be shared across multiple servers (under the assumption that these servers will be clustered).

On the server that will host the shared volume, install Microsoft iSCSI Software Target. This can be downloaded for free. It will bring up a web page that allows you to install the software. The installer will work out which version of the OS you are running and install the correct software.

Once installed:

  1. Launch Microsoft iSCSI Software Target.
  2. Right click Devices and Create Virtual Hard Disk.
  3. Under File, put in the path to the virtual hard disk and call it whatever you want with a .vhd extension.
  4. Put in the size of the volume that you want to create. The description can be whatever you want.
  5. There won't be any iSCSI targets yet so just click next on this screen and finish.
  6. Then go to iSCSI Targets; this is where you configure who can connect to the disk.
  7. Right click - Create iSCSI Target.
  8. iSCSI Initiator Identifiers - Advanced - Add - specify the IP addresses (or other identifiers) of the clients that will be connecting. If multiple servers will connect to it, add all of their IP addresses here. Accept the warning and click Finish.
  9. Click on the disk that was created under Devices and right click - Assign/Remove Target.
  10. Add the iSCSI target that was just created.
  11. Next, swap to the client machines that need to connect to the iSCSI volume.
  12. In Administrative Tools, launch iSCSI Initiator. It will want to start the service so accept this.
  13. In the target field, type the IP address of the machine hosting the iSCSI volume and then Quick Connect - Done. If you are using a separate NIC to make the iSCSI connection, you could find that this stage fails. In my case, the additional NIC was just for this iSCSI connection, and I wasn't publishing this NIC to DNS and hadn't configured DNS servers for it. In order to get it to work I had to disable the production interface first before this step would work.
  14. Once connected, the discovered target's name should include the iSCSI target name, e.g. iqn.1991-05.com.microsoft:<iSCSITargetName>-target.
  15. The Discovery tab will show the targets - no need to do anything on this screen.
  16. Volumes - click Autoconfigure to create the volume automatically.
  17. This is now complete.
  18. Go into Disk Management and you will see the new disk.
  19. Right click it to set it Online, and then right click again to Initialize Disk. From there you can create a new simple volume as normal, or partition it however you need.
  20. At this point re-enable the primary NIC if you had to previously disable it.
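The client-side steps 12 to 19 above, as an added example (not from the original post) done from PowerShell. It uses the iSCSI and Storage modules that ship with Windows Server 2012/Windows 8 and later, not the 2008 R2 tooling the post used, and the addresses and target name are constructed.

```powershell
# Added example (not from the original post): client-side steps 12-19 in
# PowerShell using the iSCSI and Storage modules (Windows Server 2012+/Windows 8+).
# Constructed values: 10.0.0.10 is the target server's iSCSI NIC,
# 10.0.0.21 the local iSCSI-only NIC, 'ClusterDisk1' the target name.
$TargetPortal  = '10.0.0.10'
$LocalIscsiNic = '10.0.0.21'
$TargetName    = 'ClusterDisk1'

# Step 12: the initiator service must be running (the GUI offers to start it).
Start-Service MSiSCSI
Set-Service  MSiSCSI -StartupType Automatic

# Step 13: pin discovery and the session to the dedicated iSCSI interface,
# which avoids the failure the post worked around by disabling the production NIC.
New-IscsiTargetPortal -TargetPortalAddress $TargetPortal -InitiatorPortalAddress $LocalIscsiNic | Out-Null
$target = Get-IscsiTarget | Where-Object { $_.NodeAddress -like "*$TargetName*" }
if (-not $target) { throw "Target '$TargetName' not discovered on $TargetPortal" }
Connect-IscsiTarget -NodeAddress $target.NodeAddress -InitiatorPortalAddress $LocalIscsiNic -IsPersistent $true | Out-Null

# Steps 18-19, the Disk Management part: bring the new raw iSCSI disk online and
# initialise/partition/format it. Do this on ONE cluster node only; the other
# nodes just connect to the target and see the finished volume.
$disk = Get-Disk | Where-Object { $_.BusType -eq 'iSCSI' -and $_.PartitionStyle -eq 'RAW' } | Select-Object -First 1
if (-not $disk) { throw 'No uninitialised iSCSI disk found' }
Set-Disk -Number $disk.Number -IsOffline $false
Set-Disk -Number $disk.Number -IsReadOnly $false
Initialize-Disk -Number $disk.Number -PartitionStyle GPT
New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'ClusterData' -Confirm:$false
```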

Friday, 20 July 2012

How to re-create the secure channel

We recently had an incident where a CA on a test domain had its computer account deleted. As it was the CA, we couldn't drop it from the domain and rejoin it (System Properties showed "Note: The identification of the computer cannot be changed because: - The Certification Authority is installed on this computer.").

To solve the issue, I recreated the computer account manually.
Then, on the server itself, I reset the machine password a couple of times using:
netdom resetpwd /Server:<name of DC> /UserD:<domain user> /PasswordD:<password>

Then I reset the secure channel. This is the part that actually fixed the problem:
netdom reset <computer to reset> /Domain:<DNS name of domain> /Server:<name of DC> /UserO:<domain user> /PasswordO:<password>

After that, nltest /SC_QUERY:<DNS name of domain> shows that the secure channel is operative again.

Thursday, 19 July 2012

Refreshing Group Membership Without Logging Off and On Again

I haven't done much investigation into what limitations there are with this (for instance, does group policy filtered to an added security group take effect), but klist allows you to get a new Kerberos ticket, with any new access rights added, without logging off and on again.

Run klist purge - this purges the existing Kerberos tickets.
Then run klist tgt - this requests a fresh TGT and should display it.

The user can now access any resources secured by groups they have been added to since they last logged on.

Tools like whoami /groups will still not display the new group membership, but they will if you create a new cmd window using runas, since that process is created with an updated security token.
It may be that launching a new cmd in this way and then running gpupdate will also allow group policies targeted to any new groups to take effect.

TGT refresh vs TGT renewal
Using klist in this way refreshes the TGT, and the new group memberships are added.
A TGT is renewed by default every 10 hours, but this will not add the new group memberships as it only extends the old TGT's validity. After 7 days, TGT refresh happens and the new memberships will be added.
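The ticket-versus-token distinction above, as an added example (not from the original post): the script purges and refreshes the TGT as the post describes, then compares the groups in the current process token with those in a new logon session started with Start-Process -Credential (the same mechanism as runas). Get-Credential with -UserName needs PowerShell 3.0 or later, and the temp-file capture of whoami output is my own construction.

```powershell
# Added example (not from the original post): shows that klist purge / klist tgt
# refreshes the Kerberos ticket, while the process access token is only
# rebuilt by a new logon (here Start-Process -Credential, which is what runas
# does). Prompts for the current user's password.
function Get-TokenGroups {
    # Groups in the token of a new logon session for $Credential.
    param([pscredential]$Credential)
    $out = Join-Path $env:TEMP ('groups-{0}.csv' -f [guid]::NewGuid())
    Start-Process -FilePath whoami.exe -ArgumentList '/groups','/fo','csv' `
        -Credential $Credential -RedirectStandardOutput $out -Wait -WindowStyle Hidden
    $groups = (Import-Csv $out).'Group Name'
    Remove-Item $out
    $groups
}

# Groups in the token this PowerShell process already has; stale after a
# group change, which is why the post says whoami /groups still shows the old list.
$current = (whoami /groups /fo csv | ConvertFrom-Csv).'Group Name'

# The post's two commands: drop cached tickets and obtain a fresh TGT,
# whose PAC now carries the new group memberships.
klist purge | Out-Null
klist tgt   | Out-Null

# A new logon session builds its token from that fresh information.
$cred  = Get-Credential -UserName "$env:USERDOMAIN\$env:USERNAME" -Message 'Password for new logon'
$fresh = Get-TokenGroups -Credential $cred

# Entries marked '=>' are groups the old token did not have.
Compare-Object -ReferenceObject $current -DifferenceObject $fresh
```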

Thursday, 29 March 2012

VAMT

This is the Volume Activation Management Tool. When KMS is not an option (Technet subscriptions do not provide KMS keys), VAMT can provide a good alternative using MAK keys.

This article describes how I set up VAMT to activate VMs running on a VirtualBox host-only environment. In this example, VMs will be activated using the VAMT server as a proxy.


  1. Install a Windows Server 2008 R2 server with both host-only and bridged network adapters.
  2. Install VAMT.
  3. Open the console and choose how to locate machines (searching AD for example).
  4. Once the scan finds some machines, they will be in the "Status Unknown" section on the left hand side of the user interface. At this stage no license scanning has taken place.
  5. Highlight a machine, right click and choose "Update Status". You will be able to do this either using the current credentials with which you are logged on with, or you can specify alternative credentials. Ultimately you need to perform this operation with an account with local admin privileges on the remote machine.
  6. Once scanned the machine will be placed in either the Licensed, Not Licensed or Unmanaged sections on the left.
  7. You can add a product key by entering it in the relevant place (it also requires a description). Click "Add Product Key".
  8. You can then right click on the remote computer and choose "Install Product Key".
  9. If the remote client has internet connectivity you can then right click on it and choose Activate - Online Activate. Since in this example the remote computers are on a host-only network, I will set up the VAMT as the proxy activation server. To do this, right click on the remote machine and choose Activate - Proxy Activate. The VAMT will then activate on the client's behalf.
  10. Once done, save the configuration of VAMT, otherwise you'll tend to find the computers won't be there when you next open it, and neither will the product keys. To do this, choose "Save List as" to save the .cil file. Next time you go into VAMT, open this file.

Thursday, 8 March 2012

AD Searches with DistinguishedName

I've seen this with both LDAP filters and Get-ADUser:
It seems that you cannot use wildcards when searching with distinguishedName.
So for example the following is not valid:

Get-ADUser -Filter 'distinguishedName -like "CN*"'

The only valid use of wildcards with distinguishedName is to test for existence or non-existence of the value.

e.g. Get-ADUser -Filter 'distinguishedName -like "*"'

The easiest way I have seen to filter on part of a DN is with ADFIND, using its -excldn switch:

e.g. adfind -excldn "OU=Admin Accounts,OU=User Management";"OU=Shared Accounts,OU=User Management" -b "OU=User Management,DC=test,DC=com" -f "(&(objectCategory=Person)(objectClass=User))" dn

This will show you just the DNs of the users under the OU=User Management,DC=test,DC=com OU structure, excluding any that have either "OU=Admin Accounts,OU=User Management" or "OU=Shared Accounts,OU=User Management" in their distinguished name.
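The same query as the adfind command above, done with Get-ADUser as an added example (not from the original post): because the LDAP filter cannot match on part of a DN, the base is narrowed server-side with -SearchBase and the OU exclusions are applied client-side on DistinguishedName. The function name is mine; the DN values are the post's own.

```powershell
# Added example (not from the original post): an adfind -excldn equivalent
# with Get-ADUser. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-UsersExcludingOUs {
    param(
        [string]  $SearchBase,   # e.g. 'OU=User Management,DC=test,DC=com'
        [string[]]$ExcludeDNs    # partial DNs to exclude, as given to -excldn
    )
    # A user is excluded when its DN contains one of the partial DNs as a
    # whole run of components, e.g. ",OU=Admin Accounts,OU=User Management,".
    # This is client-side filtering; the server only narrows by SearchBase.
    Get-ADUser -SearchBase $SearchBase -Filter * |
        Where-Object {
            $dn = $_.DistinguishedName
            -not ($ExcludeDNs | Where-Object { $dn -like "*,$_,*" })
        } |
        Select-Object -ExpandProperty DistinguishedName
}

$base = 'OU=User Management,DC=test,DC=com'
$excl = 'OU=Admin Accounts,OU=User Management', 'OU=Shared Accounts,OU=User Management'
Get-UsersExcludingOUs -SearchBase $base -ExcludeDNs $excl
```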