Wednesday, March 27, 2024

"The namespace cannot be queried. Access is denied" error when you try to create a domain-based DFS namespace

Working on setting up a new DFS Namespace today. Ran directly into this issue. When you sign in to Windows using an account that belongs to the Domain Admins group and then try to create a domain-based namespace on any Distributed File System (DFS) namespace server, the operation fails. Windows returns an error message that resembles the following:

\\domainname.com\Public The namespace cannot be queried. Access is denied.

However, when this error occurs, you can still successfully create a standalone namespace.

The fix is to remove your account from the Protected Users group.

If you're curious, here's why it doesn't work: when you create a new domain-based namespace, the computer queries the Domain Name System (DNS) server for domain information. The DNS server responds with a list of the A records of the domain controllers for that domain. The computer then contacts one of the domain controllers and tries to use your account credentials to authenticate by using NTLM authentication.

If your account belongs to the Protected Users group, your account can't use NTLM authentication. In this situation, authentication fails and generates a STATUS_ACCOUNT_RESTRICTION error.
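Before pulling an account out of Protected Users, it is worth confirming that membership is really the cause. The check below is an added example, not part of the original post; it assumes the ActiveDirectory RSAT module is installed and that the account under test is the one running the shell.

```powershell
# Added example: confirm whether the current account sits in Protected Users
# (directly or through nested groups), since that is what blocks NTLM and makes
# domain-based DFS namespace creation fail with "Access is denied".
Import-Module ActiveDirectory -ErrorAction Stop

function Test-ProtectedUsersMember {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # -Recursive expands nested groups, so indirect membership is caught too
    $members = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        Select-Object -ExpandProperty SamAccountName

    return ($members -contains $SamAccountName)
}

$account = $env:USERNAME
if (Test-ProtectedUsersMember -SamAccountName $account) {
    Write-Warning "$account is a member of Protected Users: NTLM is disabled for it, so creating a domain-based namespace will fail (STATUS_ACCOUNT_RESTRICTION)."
    Write-Host "A standalone namespace will still work; remove the account from Protected Users before retrying the domain-based one."
} else {
    Write-Host "$account is not in Protected Users; the access-denied error has another cause."
}
```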

Thursday, July 06, 2023

Is Port 80 Needed for On-Premise Exchange?

Simply put... NO!

Now, if you go digging, you will see the official Microsoft documentation stating that it is needed as a fallback for some HTTPS services. From a security standpoint, if the HTTPS services aren't working, I will refuse to go back to an unencrypted service just to keep them working.

Some will say that if you're keeping Exchange patched and updated, then having port 80 open to Exchange is no big deal. While that may be true, why risk it?

I had a customer recently who was asking why their Exchange server was showing C&C callbacks being blocked from the outside, and why other items were being blocked from the outside as well. Every entry in the endpoint protection logs showed this server being attacked on port 80.

I connected to their Cisco ASA and disabled the rule allowing port 80 to the Exchange server. Guess what: a week went by with no further attacks being blocked. Even though the endpoint protection was stopping them, it would only be a matter of time before an exploit was found via port 80, and then there goes the server's security posture.

I don't see a need to expose this port in 2023 on the modern Internet with all of the risks we already face daily.

Just be smart and disable port 80. If your application won't work without it, then it's time to update the application or get one that is more focused on security. Don't compromise your network security to accommodate old software.

My $.02.

Good luck!

Thursday, April 20, 2023

Start All Exchange Services Automatically

One Command to Rule Them All!

Little joke there... this command will start all Exchange services on a server in the event they do not start automatically, as they should, after a restart.

Get-Service -DisplayName "Microsoft Exchange*" | Where-Object {$_.StartType -eq "Automatic" -and $_.Status -ne "Running"} | Start-Service

The process waits for each service to start before moving on to the next one. Really handy when you've got a lot going on and don't want to start them all by hand.
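The one-liner above gives no report if a service refuses to come up. The version below is an added example, not part of the original post: it starts the same set of services one at a time, waits a bounded time for each, and returns the ones that are still not running so you can go look at their event logs instead of assuming everything started.

```powershell
# Added example: start every stopped Automatic "Microsoft Exchange*" service,
# wait a bounded time for each, and return those that still failed to start.
function Start-ExchangeServices {
    param([int]$TimeoutSeconds = 120)   # per-service wait, assumed reasonable for Exchange

    $pending = Get-Service -DisplayName 'Microsoft Exchange*' |
        Where-Object { $_.StartType -eq 'Automatic' -and $_.Status -ne 'Running' }

    $failed = @()
    foreach ($svc in $pending) {
        Write-Host "Starting $($svc.DisplayName) ..."
        try {
            Start-Service -Name $svc.Name -ErrorAction Stop
            # Start-Service returns when the SCM reports Running; the explicit wait
            # turns a service stuck in StartPending into a reported failure.
            $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds($TimeoutSeconds))
        } catch {
            $failed += [pscustomobject]@{
                Service = $svc.Name
                Status  = (Get-Service -Name $svc.Name).Status
                Error   = $_.Exception.Message
            }
        }
    }
    return $failed
}

$stillDown = Start-ExchangeServices
if ($stillDown) {
    Write-Warning "The following Exchange services did not reach Running:"
    $stillDown | Format-Table -AutoSize
} else {
    Write-Host 'All Automatic Exchange services are running.'
}
```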

Good luck!

Friday, January 20, 2023

How to Configure a Startup Script to Map a Network Printer

A Windows startup script can be used to map a network printer at logon. Here is an example of a simple script that maps a network printer using the "net use" command:

net use LPT1: \\printserver\printer /persistent:yes

This script maps the network printer located at "\\printserver\printer" to the local LPT1 port, and the "/persistent:yes" flag ensures that the mapping remains after a reboot.

You can also use the rundll32 printui.dll,PrintUIEntry command to map network printers at logon. Here is an example of the command to map a network printer with IP address 192.168.1.100 and share name printer:

rundll32 printui.dll,PrintUIEntry /in /n\\192.168.1.100\printer

You can also put the above commands in a batch file and then schedule it to run at startup using the Task Scheduler.

It is important to note that you need the necessary permissions to map the network printer, and that the printer must be shared and available on the network.
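The net use and printui commands above do the job, but neither tells you why a mapping failed when the script runs unattended at logon. The script below is an added example, not part of the original post: it does the same printer mapping with the Add-Printer cmdlet, checks the print server and the user's permissions first, and is safe to run at every logon because it skips printers that are already mapped. The server name "printserver" and share name "printer" are placeholders taken from the post.

```powershell
# Added example: idempotent logon script that maps a shared network printer.
# $PrintServer and $ShareName are placeholders; replace them with your own.
param(
    [string]$PrintServer = 'printserver',
    [string]$ShareName   = 'printer'
)

$connection = "\\$PrintServer\$ShareName"

# Printer sharing rides on SMB, so an unreachable port 445 means the share
# cannot be mapped; fail fast rather than letting Add-Printer hang the logon.
if (-not (Test-NetConnection -ComputerName $PrintServer -Port 445 -InformationLevel Quiet)) {
    Write-Warning "Print server $PrintServer is not reachable on TCP 445; printer $connection not mapped."
    exit 1
}

# Per-user connections are named by their UNC path, so this finds an existing mapping.
$existing = Get-Printer -Name $connection -ErrorAction SilentlyContinue
if ($null -ne $existing) {
    Write-Host "$connection is already mapped; nothing to do."
    exit 0
}

try {
    Add-Printer -ConnectionName $connection -ErrorAction Stop
    Write-Host "Mapped $connection"
} catch {
    # Typical causes: the share does not exist, or the user lacks Print permission
    # on the printer (the permissions note above).
    Write-Warning "Could not map $connection : $($_.Exception.Message)"
    exit 1
}
```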

Thursday, August 25, 2022

ADFS Web Proxy Service Won't Start

I've seen lots of articles across the web on this. Here's a fast way to get this fixed so you can move on to other things. Sadly, I hit this too often when renewing certificates on ADFS servers.

NOTE: This does not require a server restart.

Source: https://blogs.technet.microsoft.com/rmilne/2015/04/20/adfs-2012-r2-web-application-proxy-re-establis...

1) Launch regedit.

2) Navigate to HKLM\Software\Microsoft\ADFS\ProxyConfigurationStatus.

3) Change ProxyConfigurationStatus from “2” (configured) to “1” (not configured).

4) Launch the Remote Access Manager snap-in.

5) Select Web Application Proxy.

6) Select Run the Web Application Proxy Configuration Wizard.

7) During the wizard it will prompt you to select a certificate. Select the certificate you were using before. Enter some Domain Admin credentials (I don't think they're saved? Just used to authenticate?). Finish the config wizard.

8) Web Application Proxy now works again.


Works for me every time. Good luck!
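Steps 2 and 3 above are a registry edit on a federation proxy, so it is worth taking a backup of the key and only changing the value when it is actually in the "configured" state. The function below is an added example, not part of the original post; it does those two steps in PowerShell and leaves steps 4 to 7 (the wizard) to you. It assumes the value lives under HKLM\SOFTWARE\Microsoft\ADFS as the post describes and that the shell is elevated.

```powershell
# Added example: reset ProxyConfigurationStatus from 2 (configured) to 1
# (not configured) after exporting the key, so the wizard can be rerun.
$key   = 'HKLM:\SOFTWARE\Microsoft\ADFS'
$value = 'ProxyConfigurationStatus'

function Reset-WapConfigurationStatus {
    param([string]$BackupPath = "$env:TEMP\ADFS-key-backup.reg")  # assumed backup location

    $current = (Get-ItemProperty -Path $key -Name $value -ErrorAction Stop).$value
    Write-Host "$value is currently $current"

    if ($current -ne 2) {
        Write-Host "Value is not 2 (configured); leaving it alone."
        return $current
    }

    # reg.exe takes the native hive path, not the PSDrive path
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\ADFS' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Backup to $BackupPath failed; registry not changed."
    }

    Set-ItemProperty -Path $key -Name $value -Value 1 -Type DWord
    $new = (Get-ItemProperty -Path $key -Name $value).$value
    Write-Host "$value set to $new (not configured); backup saved to $BackupPath."
    Write-Host 'Now run the Web Application Proxy Configuration Wizard from Remote Access Manager (steps 4-7).'
    return $new
}

Reset-WapConfigurationStatus
```

If the wizard still fails, the exported .reg file restores the previous state with a double-click or "reg import".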