
Month: March 2017

Synchronize time with external NTP server

A reliable time source within an Active Directory environment (or networks in general) is critical.
Some prefer an expensive GPS clock; others don’t care… I decided a while ago to sync my DCs with an NTP source.

Please keep in mind that your servers need access to the NTP servers on UDP port 123 (NTP) to sync their clocks with them, so your firewall needs to allow this.

At a minimum, the server holding the PDC FSMO role should sync. Here is how to find this server:

rem Get the PDC FSMO role (or apply it to all your DCs)
netdom /query fsmo
rem This lists all FSMO roles; the holder of the PDC role is your main DC server

You can do that on all your DCs (or at least on one in every location/Site).

This content is older than 2 years. It might be outdated.

Microsoft AD FS behind a Load Balancer

Today a good acquaintance called me, quite distraught: Why does our new load balancer show all AD FS nodes as down?

The answer is as simple as it is complicated: AD FS (Active Directory Federation Services) does not respond the way load balancers expect, so they mark all nodes as down. If you look at the traffic more closely (for example with Wireshark), you see that the AD FS servers return an SSL protocol error. This is due to how Microsoft implemented the SSL handling for SNI (Server Name Indication) in AD FS. Microsoft’s WAP (Web Application Proxy), unlike most load balancers, copes with this.

Enter the following in a shell (elevated, i.e. started as Administrator):

netsh
http add sslcert ipport=0.0.0.0:443 certhash=*** appid={5d89a20c-beab-4389-9447-324788eb944a} certstorename=MY
http add sslcert ipport=0.0.0.0:49443 certhash=*** appid={5d89a20c-beab-4389-9447-324788eb944a} certstorename=MY

The *** still has to be replaced with the hash of your certificate, and to be safe the APPID should be checked as well. That is easy to do as follows: netsh http show sslcert


Microsoft AD FS behind a Load Balancer

A friend called me today with an urgent question: Why does our load balancer show all nodes in our AD FS farm as down?

The answer is a bit complicated: AD FS (Active Directory Federation Services) does not answer the bind/probe correctly, and therefore the load balancer marks the server(s) as down. The problem is at Layer 6/7 and comes from how Microsoft handles SSL for SNI (Server Name Indication) within AD FS. WAP (Web Application Proxy) handles that, but most load balancers have an issue with it.
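As an added example that is not part of either post, the following PowerShell script applies the netsh fix from the German post to the AD FS node it runs on: it takes the certificate hash from the live AD FS configuration, checks the existing http.sys bindings first, and adds the wildcard-IP bindings for 443 and 49443 only if they are missing. It assumes the AD FS PowerShell module is installed on the node and that the application id quoted in the post applies.

```powershell
# Added example (not from the original posts): add the non-SNI fallback SSL bindings
# so load-balancer health probes without SNI get a certificate instead of an SSL error.
# Assumption: standard AD FS application id as quoted in the post.
#Requires -RunAsAdministrator

$AdfsAppId = '{5d89a20c-beab-4389-9447-324788eb944a}'
$Ports     = 443, 49443   # HTTPS and the AD FS certificate-authentication port

# Reuse the certificate AD FS already serves for SSL, so no hash has to be pasted by hand.
$Thumbprint = (Get-AdfsSslCertificate | Select-Object -First 1).CertificateHash
if (-not $Thumbprint) { throw 'No AD FS SSL certificate found; is this an AD FS server?' }

# Sanity check: http.sys needs the certificate in LocalMachine\My (certstorename=MY)
# together with its private key.
$Cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $Cert -or -not $Cert.HasPrivateKey) {
    throw "Certificate $Thumbprint is not in LocalMachine\My with a private key"
}

# Collect the IP:port values of the bindings that already exist, to keep the script idempotent.
$Existing = netsh http show sslcert | ForEach-Object {
    if ($_ -match 'IP:port\s*:\s*(\S+)') { $Matches[1] }
}

foreach ($Port in $Ports) {
    $IpPort = "0.0.0.0:$Port"
    if ($Existing -contains $IpPort) {
        Write-Host "Binding $IpPort already present, leaving it alone"
        continue
    }
    # Same command as in the post, with the hash filled in from the AD FS configuration.
    netsh http add sslcert "ipport=$IpPort" "certhash=$Thumbprint" "appid=$AdfsAppId" certstorename=MY
    if ($LASTEXITCODE -ne 0) { throw "netsh failed to add the binding for $IpPort" }
}

# Show the result so the operator can confirm hash and appid match the SNI-based bindings.
netsh http show sslcert | Select-String -Pattern 'IP:port|Hostname:port|Certificate Hash|Application ID'
```

Run it on every AD FS node behind the load balancer; the final listing should show the new 0.0.0.0 bindings next to the hostname-based ones with the same certificate hash and application id.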

Copyright © 2018 by Joerg Hochwald. All rights reserved.