Archive for March, 2019

NDES is the Microsoft Implementation of SCEP:

NDES installation and operations:


(NDES) Frequently Asked Questions (FAQ):


Configuring Network Device Enrollment Service for Windows Server 2008 with Custom Certificates:


NDES enrollment process:

1) Generate a key pair and install it on your device by using procedures provided by your device vendor.

2) Request a password by using the NDES admin site. The default URL is http://<computer_name>/certsrv/mscep_admin.

3) Establish trust between the device and the CA by downloading the CA certificate using the GetCACert operation and procedures provided by your device vendor. The default NDES URL for calling GetCACert is http://<computer_name>/certsrv/mscep?operation=getcacert&message=.

4) Submit the password and certificate request from the device to NDES by using procedures provided by your vendor.

5) NDES uses the request from the device to generate a certificate request and submit it to the configured CA.

6) If NDES certificate requests do not require certificate manager approval, the certificate is immediately returned to the device as part of the NDES response message.

7) If NDES certificate requests require certificate manager approval, the certificate request is held on the CA until it is reviewed by a certificate manager. Check the request status from the device using procedures provided by your vendor until NDES responds with the certificate.

Apple iPads and NDES:

1) The device connects to an isolated deployment wireless network while connected via USB to the Mobile Device Management (MDM) software. In this example, the iPad is connected to the iPhone Configuration Utility.

2) The device administrator connects to the Network Device Enrollment Service (NDES) to obtain a temporary password, which is entered into the device's profile in the Mobile Device Management (MDM) software.

3) The Mobile Device Management (MDM) software pushes the profile configuration to the device.

4) The device creates the private/public key pair and sends a request to the Network Device Enrollment Service (NDES) to request a certificate.

5) The Network Device Enrollment Service (NDES) sends an RA request to the Certification Authority (CA).

6) The Certification Authority (CA) sends the certificate to the Network Device Enrollment Service (NDES).

7) The Network Device Enrollment Service (NDES) sends the certificate to the device, which in turn installs it.

8) The device connects to the corporate network using 802.1X.

NDES Operations 101:

– On the NDES server, verify that IIS is running and that the NDES application pool is started.

– Back up IIS and export the HKLM\software\microsoft\cryptography\NDES registry key.

– On the NDES server, in the computer certificate store, check that the RA certificates have not expired (otherwise renew the NDES service certificates):

Configuring NDES with custom certificates:


– Verify that the issuing CA is responding.


Collection of Web resources about dig usage:

Download dig (part of Bind):

Some commands:

What is the website's IP address?

dig +short

How do I identify the name servers associated with a domain?

dig NS +short

What does the delegation path to my zone look like?

dig +trace

Which mail server is responsible for a domain?

dig MX

Which value is cached in a given resolver?

dig @

Which domain name is this IP associated with?

dig +short -x

Which are the name servers of a TLD?

dig +short NS nl.

When will the cached answer expire?

dig +noall +answer

Is the zone synchronized to all my NS?

dig +nssearch

Does a zone exist on this name server?

dig SOA

Using dig to retrieve different record types:

dig srv
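The two questions about cache expiry and zone synchronization above are answered by reading dig's output; as an added example (not from the original post), this parses constructed `dig +noall +answer` and `dig +nssearch` output, using documentation-range addresses, and reports the expiry time per record and which name servers lag behind on the SOA serial.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed output of "dig +noall +answer www.example.com"
ANSWER_SAMPLE = """\
www.example.com.\t\t300\tIN\tCNAME\texample.com.
example.com.\t\t3600\tIN\tA\t192.0.2.10
"""

# Constructed output of "dig +nssearch example.com": one SOA line per authoritative server
NSSEARCH_SAMPLE = """\
SOA ns1.example.com. hostmaster.example.com. 2019031001 7200 3600 1209600 3600 from server 192.0.2.53 in 11 ms.
SOA ns1.example.com. hostmaster.example.com. 2019031001 7200 3600 1209600 3600 from server 192.0.2.54 in 14 ms.
SOA ns1.example.com. hostmaster.example.com. 2019030901 7200 3600 1209600 3600 from server 198.51.100.53 in 40 ms.
"""

def parse_answers(text):
    """Each answer line is: owner TTL class type rdata (whitespace separated)."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5 and parts[1].isdigit():
            rows.append({"name": parts[0], "ttl": int(parts[1]),
                         "class": parts[2], "type": parts[3], "rdata": parts[4]})
    return rows

def cache_expiry(rows, now):
    """When will the cached answer expire? Queried against a resolver, the TTL shown
    is the remaining TTL, so the entry is flushed at now + TTL."""
    return {r["name"]: now + timedelta(seconds=r["ttl"]) for r in rows}

def parse_nssearch(text):
    """Map each authoritative server to the SOA serial it reports."""
    pat = re.compile(r"^SOA \S+ \S+ (\d+) .* from server (\S+) in ")
    return {m.group(2): int(m.group(1)) for m in map(pat.match, text.splitlines()) if m}

def zone_in_sync(serials):
    """Is the zone synchronized to all my NS? Returns (all_equal, servers lagging
    behind the highest serial) so the stale secondary is named, not just detected."""
    newest = max(serials.values())
    lagging = sorted(s for s, serial in serials.items() if serial != newest)
    return not lagging, lagging

if __name__ == "__main__":
    print(cache_expiry(parse_answers(ANSWER_SAMPLE), datetime.now(timezone.utc)))
    print(zone_in_sync(parse_nssearch(NSSEARCH_SAMPLE)))
```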

How to Troubleshoot Active Directory Replication Issues

In the previous article:

we explained all the methodology to troubleshoot AD replication:

This second article deep dives into the best-known out-of-the-box AD utility, REPADMIN.exe.

This utility should be run as a Domain Administrator or Enterprise Administrator.

repadmin /replsummary /bydest

The command above summarizes the replication status for all domain controllers by replication destination. It does not display the source domain controller.

repadmin /replsummary /bysrc

The command above summarizes the replication status for all domain controllers by replication source. It does not display the destination domain controller.

repadmin /showrepl

The command above shows the replication partners of serverdc1.mydomain.com and the status of the last sync attempt.

repadmin /showrepl /errorsonly

The command above lists the replication partners that have replication errors (last sync attempt failed).

We can also view the results in CSV format:

repadmin /showrepl /csv

repadmin /syncall serverdc1 dc=mydomain,dc=com

The command above initiates synchronization of the domain directory partition with all replication partners of serverdc1. It will also report any issues encountered while doing so.

repadmin /queue

The command above shows whether there are any unprocessed inbound replication requests. If the system keeps queuing requests, this can be due to a high number of AD changes, a system resource issue, or too many replication partners.

repadmin /showchanges serverpdc1 e4f89917-5fff-40a8-scc2-b148b60d9359 dc=mydomain,dc=com

The command above lists the changes that have not yet been replicated between serverpdc1 and serverdc1. Here serverdc1 is the source server and is identified by its object GUID.

repadmin /replicate serverdc1 serverpdc1 dc=mydomain,dc=com

The command above initiates immediate directory partition replication from serverpdc1 to serverdc1.

Apart from repadmin, there are PowerShell cmdlets we can use to troubleshoot replication issues. The Get-ADReplicationFailure cmdlet is one of them; it collects data about replication failures.

Get-ADReplicationFailure -Target serverdc1

The command above collects information about replication failures associated with serverdc1. It can also be run against multiple servers:

Get-ADReplicationFailure -Target serverdc1,serverpdc1

We can also target all the domain controllers in the domain:

Get-ADReplicationFailure -Target "" -Scope Domain

Or even the entire forest:

Get-ADReplicationFailure -Target "" -Scope Forest

The Get-ADReplicationConnection cmdlet lists replication partner details for a given domain controller.

Get-ADReplicationConnection -Filter *

The command above lists all replication connections for the domain controller you are logged on to.

We can also filter the replication connections by attribute.

Get-ADReplicationConnection -Filter {ReplicateToDirectoryServer -eq "serverdc1"}

The command above lists the replication connections whose destination server is serverdc1.

We can also force synchronization of an object between domain controllers:

Sync-ADObject -object "foo" -source serverdc1 -destination serverpdc1

The command above syncs the user object foo from serverdc1 to serverpdc1.
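The CSV form of `repadmin /showrepl` mentioned above is the easiest one to post-process; as an added example (not from the original article), this reads a saved `repadmin /showrepl * /csv` export and lists the links that failed or have not succeeded within a threshold, which is what `/errorsonly` shows plus a staleness check. The column names are the ones repadmin writes; the rows are constructed for the serverdc1/serverpdc1 pair used above.

```python
import csv
import io
from datetime import datetime

# Constructed rows. 1722 is Win32 ERROR_RPC_S_SERVER_UNAVAILABLE: the partner was not reachable.
SAMPLE_CSV = """\
"showrepl_COLUMNS","Destination DSA Site","Destination DSA","Naming Context","Source DSA Site","Source DSA","Transport Type","Number of Failures","Last Failure Time","Last Success Time","Last Failure Status"
"showrepl_INFO","Default-First-Site-Name","SERVERDC1","DC=mydomain,DC=com","Default-First-Site-Name","SERVERPDC1","RPC","0","0","2019-03-10 08:15:02","0"
"showrepl_INFO","Default-First-Site-Name","SERVERDC1","CN=Configuration,DC=mydomain,DC=com","Default-First-Site-Name","SERVERPDC1","RPC","12","2019-03-10 08:30:11","2019-03-09 07:00:00","1722"
"showrepl_INFO","Default-First-Site-Name","SERVERPDC1","DC=mydomain,DC=com","Default-First-Site-Name","SERVERDC1","RPC","0","0","2019-03-10 08:16:40","0"
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"

def parse_showrepl(text):
    """One dict per replication link, keyed by repadmin's header; counters as ints."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["Number of Failures"] = int(r["Number of Failures"])
        r["Last Failure Status"] = int(r["Last Failure Status"])
        rows.append(r)
    return rows

def hours_since_success(row, now):
    """Age of the last successful sync; a non-date value (no success ever) counts as infinite."""
    try:
        return (now - datetime.strptime(row["Last Success Time"], TIME_FMT)).total_seconds() / 3600
    except ValueError:
        return float("inf")

def failing_links(rows, now, max_stale_hours=24):
    """Links whose last attempt failed, or whose last success is older than the threshold.
    Direction matches repadmin: source DSA -> destination DSA for one naming context."""
    out = []
    for r in rows:
        stale_h = hours_since_success(r, now)
        if r["Number of Failures"] > 0 or stale_h > max_stale_hours:
            out.append({"dest": r["Destination DSA"], "src": r["Source DSA"],
                        "nc": r["Naming Context"], "failures": r["Number of Failures"],
                        "status": r["Last Failure Status"],
                        "hours_since_success": round(stale_h, 1)})
    return out

if __name__ == "__main__":
    import sys
    # usage: python showrepl_check.py showrepl.csv   (export with: repadmin /showrepl * /csv > showrepl.csv)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CSV
    for link in failing_links(parse_showrepl(text), datetime.now()):
        print(link)
```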

Best practices for DNS forwarding:

To create a conditional forwarder zone in PowerShell:

read this reference doc:


To create a conditional forwarder zone (stored in the registry of the DNS Server):

Add-DnsServerConditionalForwarderZone -Name "" -MasterServers 2001:4898:7020:f100:458f:e6a2:fcaf:698c, -PassThru

ZoneName      ZoneType   IsAutoCreated  IsDsIntegrated  IsReverseLookupZone  IsSigned
--------      --------   -------------  --------------  -------------------  --------
              Forwarder  False          False           False


This command creates an Active Directory-integrated conditional forwarder zone for

Add-DnsServerConditionalForwarderZone -Name "" -ReplicationScope "Forest" -MasterServers 2001:4898:7020:f100:458f:e6a2:fcaf:698c,


To change an existing conditional forwarder zone, use the cmdlet:


Good articles explaining the differences between S&C sensitivity labels and AIP labels, and how to merge them:


MS technet:

S&C labels:

AIP labels:

Azure Cloud shell



On first launch Cloud Shell prompts to create a resource group, storage account, and Azure Files share on your behalf. This is a one-time step and will be automatically attached for all sessions. A single file share can be mapped and will be used by both Bash and PowerShell in Cloud Shell.

Read more to learn how to mount a new or existing storage account.

  • Cloud Shell runs on a temporary host provided on a per-session, per-user basis
  • Cloud Shell times out after 20 minutes without interactive activity
  • Cloud Shell requires an Azure file share to be mounted
  • Cloud Shell uses the same Azure file share for both Bash and PowerShell
  • Cloud Shell is assigned one machine per user account
  • Cloud Shell persists $HOME using a 5-GB image held in your file share
  • Permissions are set as a regular Linux user in Bash

Learn more about features in Bash in Cloud Shell and PowerShell in Cloud Shell.

Azure Cloud Shell limitations:



How to access Azure Cloud Shell from Visual Studio Code?

On a Windows computer:

Install VS Code:

then install Node.js:

then in VS Code install the "Azure Account" extension.



Azure DevOps

Azure DevOps Services provides development collaboration tools including high-performance pipelines, free private Git repositories, configurable Kanban boards, and extensive automated and continuous testing capabilities. For the on-premises platform, Azure DevOps Server (previously named Visual Studio Team Foundation Server), see Azure DevOps Server Documentation.

Main portal:

Azure DevOps and Azure AD groups (security of O365 groups):


DevOps and identity management:


Azure Sentinel

Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution.

Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

Azure Sentinel comes with a number of connectors for Microsoft solutions, available out of the box and providing real-time integration, including Microsoft Threat Protection solutions, and Microsoft 365 sources, including Office 365, Azure AD, Azure ATP, and Microsoft Cloud App Security, and more.

In addition, there are built-in connectors to the broader security ecosystem for non-Microsoft solutions. You can also use Common Event Format (CEF), Syslog, or the REST API to connect your data sources to Azure Sentinel.