2019-01-08

Cannot Access Public Website due to AD Domain

Lately it is getting more popular to drop the www from your public domain; this means that www.contoso.one becomes contoso.one
For a lot of the smaller domains that I work with, that means the public website is the same place as their domain controllers inside the network, which causes problems. 

The ideal solutions to this are to either 
  1. Host your AD off a subdomain, like ad.contoso.one 
  2. Don't redirect www.contoso.one to contoso.one on your website
But that doesn't work well for an existing domain. AD migrations are not a simple endeavor, and as I mentioned before, dropping the www is the hip thing to do. 

As a quick work around, I found out about the netsh portproxy capabilities. 

Simply put, this lets the server listen on a port and forward it to another hostname or IP address - we can use this to listen to port 80 and 443 on the domain controllers and forward the traffic to our public website. Keep in mind that when you `nslookup www.contoso.one` you need to get the correct IP address for the website. 




This will look up the hostname www.contoso.one, and forward the traffic received on ports 80 and 443 to it. However, these port forwards are lost on reboot, so I used a Scheduled Task to run the script on startup and once an hour to setup the port forwards.

You could easily change these commands to run directly from the Scheduled Task, amd/or push the Scheduled Task through GPO to all domain controllers.
Here is a quick Scheduled Task that you could import to run on system startup.

There are more benefits to moving AD of to it's own subdomain, like being able to let normal public DNS come through, but still override interior records for internal connections to things like Exchange or internal hosts.

2018-10-23

Syncing MFA Office Phone information with extensions from AD to Azure AD / Office 365


In anticipation of rolling out MFA to our Office 365 users I was looking at the setup page (aka.ms/MFASetup) and I noticed that the Office Phone area was showing some of my information, but not the correct information.

Let's track that down, figure out how it works, talk about the Standards, and push a correctly formatted Office Phone to all the users



2018-09-22

Setting up email for Brand Protection domains


So at my dayjob we have a pretty good amount of domain names we've registered for brand protection or typo domains. 3 domains we send or receive emails on, and 23 domains that just forward to a URL on our main domain. Our customer care got word of someone sending scam emails on one of the brand protection domains that should never be sending emails.

Let's explore how I setup our parked domains to report spoofers to me and help other mail servers know they shouldn't trust these emails pretending to be us.
Image Source: LifeHacker

2018-02-20

Updating iDRAC SSL Certs through Powershell


One of the things I'm working on at work right now is updating all our iDRACs after Meltdown/Spectre. We had never had the SSL set up, we had just always clicked through the security warning. I got tired of this and decided to setup proper SSL from our enterprise CA,

At first I went to do a manual signing for a multi-year period with a wildcard issued from my enterprise CA, but I decided that automating it with PowerShell would be better, since it would be more dynamic, and scale to more servers.

In this post, I will be talking about setting

  1. generating a Certificate Signing Request (CSR) from the iDRAC,
  2. sign it with an enterprise CA, 
  3. uploads the signed cert to the iDRAC, and  
  4. reloads the iDRAC to apply the new cert

Cannot Access Public Website due to AD Domain

Lately it is getting more popular to drop the www from your public domain; this means that www.contoso.one  becomes contoso.one For a lot ...