Authentication of the Windows user via Active Directory NPS for remote access to the Cisco router (MS-CHAPv2 and / or PEAP)

I googled for hours and didn't find my answer. I found information about PEAP and MS-CHAPv2, of course, but nothing for my particular situation (which seems like something that should be easy to find). Basically, I'm trying to have a Windows user on a PC remotely (though on the same subnet) access a Cisco router to manage and configure it. Topology here. This user is authenticated via the Active Directory NPS. The user has an AD account and this credential is used to log in to the router. I got this working with PAP, but now I have to do it with MS-CHAPv2 and then PEAP (same general configuration, separate instances).

The router is configured as a client in NPS under Active Directory. The network policy for MS-CHAPv2 can be found here. You can find the one for PEAP here. Is there something wrong with these network policies so far? The service type and framed protocol are the parts I'm not 100% sure about.

The biggest challenge is getting information about what needs to be configured on the Cisco router (7200). Here is the configuration I have working with PAP:

aaa group server radius RAD_SERVER
 server-private  auth-port 1812 acct-port 1813 key 7 03105E07030C2E417D584D51
!
aaa authentication login default group RAD_SERVER local
aaa authorization console
aaa authorization exec default group RAD_SERVER local if-authenticated

crypto pki trustpoint NPS.domain.org
 enrollment mode ra
 enrollment url http://:80/certsrv/mscep/mscep.dll
 serial-number
 fqdn R1.domain.org
 subject-name CN=R1.domain.org
 revocation-check none
!
!
crypto pki certificate chain NPS.domain.org
 certificate ca 2ED7D81DA1FFF88D46A85518E717BE02 

As far as I know, the client must be able to authenticate the RADIUS server. That's why I installed the RADIUS server certificate on the router (also a necessary step for PEAP). So I have to somehow change the above configuration to tell the Cisco router to use EAP-MS-CHAPv2 or PEAP (whichever I want to use) instead of PAP. How do I do that?

tl;dr: Windows AD users must authenticate with MS-CHAPv2 and PEAP on separate routers. I have this working with PAP.

Active Directory – How can I integrate users from two different Office 365 accounts into a team instance?

Our company has approximately half of our users in one Office 365 account, all in the same domain (e.g. example1.com), and the other half in a completely separate Office 365 account, example2.com.

We want to use MS Teams and need a way to "link" these two accounts. I am aware that it is possible to invite users as "guests" from one to the other, but this would be painful and there are serious limitations.

(It is also worth noting that it is NOT really practical for us to combine the two Office 365 accounts into one that hosts both domains. Of course this would be the easiest solution, but it is not feasible.)

Is it possible to get the Active Directory servers to collaborate for each account so that we can present a single, unified MS Teams environment with all features to all users?

Active Directory – Dynamic DNS with Bind9 and BIND_DLZ cannot be started?

I have a device that is running Samba as an Active Directory domain controller and uses BIND_DLZ as the backend.

In addition, I use a secondary device, which is also configured as an Active Directory domain controller, with BIND_DLZ as a backend for redundancy reasons.

IP addresses are assigned by the ISC DHCP server, which can update DNS resource records using an encryption key (TSIG).

Anyway, on to my problem.

Here is my current setup:

named.conf.options:

options 
{
     directory "/var/cache/bind";

     forwarders {
            2001:4860:4860::8888;
            2001:4860:4860::8844;
            8.8.8.8;
            8.8.4.4;
     };

     auth-nxdomain no;    # conform to RFC1035
     listen-on-v6 { any; };

     listen-on port 53 { 192.168.1.240; };
     listen-on port 5353 { 127.0.0.1; }; # Used for the Netflix IPv6 filter only.

     tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
     minimal-responses yes;
     recursion yes;
};

acl "home-net"
{
    127.0.0.1;
    192.168.1.0/24;
    2001:db8:cafe:beef::/56; # <-- I am using an IPv6 range from Tunnelbroker in real life.
};

view "normal"
{
    include "/etc/bind/named.conf.default-zones";
    include "/etc/bind/named.conf.internal";

    # Netflix really dislikes Tunnelbroker IPv6, so I am dropping any Netflix AAAA resource records.
    include "/etc/bind/netflix-ipv6-blackhole.conf";

    match-clients
    {
        home-net; # <-- Only respond to queries originating from my own network.
    };

    dnssec-enable yes;
    dnssec-validation auto;

    allow-query { any; };
    allow-query-cache { home-net; };
    allow-recursion { home-net; };

    forwarders {
      8.8.8.8;
      8.8.4.4;
      2001:4860:4860::8888;
      2001:4860:4860::8844;
    };
};

named.conf.internal:

zone "1.168.192.in-addr.arpa"
{
    type master;
    file "/etc/bind/db.192.168.1.rev";
    notify yes;

    allow-query { any; };
    allow-transfer { xfer; };

    # If allow-update is enabled instead of the include named.conf.update line,
    # then Dynamic DNS works fine because ISC DHCP can update the resource records.
    #
    # Sadly you can't have both lines enabled. It is either / or.

    // allow-update { key ddns-key; };

    include "/var/lib/samba/bind-dns/named.conf.update"; # <-- Having issues with THIS line only.
};

include "/var/lib/samba/bind-dns/named.conf";

/var/lib/samba/bind-dns/named.conf:

dlz "AD DNS Zone" {
    # For BIND 9.11.x
    database "dlopen /usr/lib/arm-linux-gnueabihf/samba/bind9/dlz_bind9_11.so";
};

/var/lib/samba/bind-dns/named.conf.update:

/* this file is auto-generated - do not edit */
update-policy {
        grant EXAMPLE.COM ms-self * A AAAA;
        grant Administrator@EXAMPLE.COM wildcard * A AAAA SRV CNAME;

        # Main Active Directory Domain Controller
        grant HARDY$@example.com wildcard * A AAAA SRV CNAME;

        # Backup Active Directory Domain Controller
        grant LAUREL$@example.com wildcard * A AAAA SRV CNAME;
};

When I try to start BIND with this configuration, I get a rather strange error that I can't figure out:

/var/lib/samba/bind-dns/named.conf.update:3: name field not set to placeholder value '.'

Is there anyone who can point out what's wrong with named.conf.update?
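An added example, not the poster's configuration: because BIND refuses a zone that carries both allow-update and update-policy, the DHCP server's TSIG grant and the Samba GSS-TSIG grants can live in one hand-maintained update-policy in named.conf.internal instead of including the auto-generated file. The key name ddns-key and the principals are taken from the question; the key algorithm and secret are placeholders, and the "." in the ms-self line is the placeholder name that BIND's error message above asks for.

```conf
# Added example (not from the question): one update-policy for the reverse
# zone so that no allow-update statement is needed alongside it.
key "ddns-key" {
    algorithm hmac-sha256;               # assumed; must match the DHCP server's key
    secret "PLACEHOLDER-BASE64-SECRET="; # constructed placeholder, not a real key
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192.168.1.rev";
    notify yes;
    allow-query { any; };

    update-policy {
        # ISC DHCP updates signed with the TSIG key. zonesub takes no name
        # field and only permits names inside this zone.
        grant ddns-key zonesub ANY;

        # GSS-TSIG grants copied from the question's named.conf.update.
        # ms-self ignores its name field, which BIND requires to be the
        # placeholder "." (the "*" on line 3 of the generated file is what
        # the quoted error rejects).
        grant EXAMPLE.COM ms-self . A AAAA;
        grant Administrator@EXAMPLE.COM wildcard * A AAAA SRV CNAME;

        # Main Active Directory Domain Controller
        grant HARDY$@example.com wildcard * A AAAA SRV CNAME;

        # Backup Active Directory Domain Controller
        grant LAUREL$@example.com wildcard * A AAAA SRV CNAME;
    };
};
```

Run named-checkconf against the file before restarting the service so that a grant line that BIND rejects is reported with its line number rather than stopping the daemon.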

How to save your files: separate partition / hard drive or top-level directory? [closed]

There are two "schools of thought" among Windows users:

  • Some people keep their personal files somewhere in the %UserProfile%.
  • And some people use a separate partition or hard drive. (For these reasons: https://www.zdnet.com/article/windows-10-october-update-problems-wiped-docs-plus-intel-driver-warning/)

For many years I was a dedicated supporter of the second approach, but now I have realized that there is a third option: storing all of your personal files in a top-level directory somewhere on the system hard drive, something like C:\disk_D.

Things that are important to me:

  • The files should not be accidentally deleted (e.g. during the update or during the system reset / reinstallation) by Windows or third party software.
  • The approach should be suitable for backup strategies.

What are the advantages and disadvantages of this approach compared to the second one?

Active Directory – Failed to trigger AD Group Policy update

The entire environment is in AWS. I have 2 VPCs, A and B – A has AD and B has multiple domain-joined servers. Domain joining and other AD connections work across VPC peering. I can successfully log in to the VPC B servers with the domain administrator (although there is a slight delay). In AD, I added all users to the Remote Desktop Users group. However, the other domain users can only log on to a server if their domain credentials have been added to the Remote Desktop Users group of the local server. I know this is not the way to go. When I check the RSoP, I see that the domain Group Policy is inherited, but when I try to update the Group Policy (gpupdate), I get this error:

The computer policy could not be updated successfully. The following errors have occurred:

Group Policy processing failed. Windows was unable to resolve the computer name. This can be caused by one of the following:
a) Error in name resolution on the current domain controller.
b) Active Directory replication latency (an account created on another domain controller was not replicated to the current domain controller).

User policy could not be updated successfully. The following errors have occurred:

Group Policy processing failed. Windows was unable to resolve the username. This can be caused by one of the following:
a) Error in name resolution on the current domain controller.
b) Active Directory replication latency (an account created on another domain controller was not replicated to the current domain controller).

Can someone help me understand what this is about? Any help would be really appreciated.

PDOException: SQLSTATE[HY000] [2002] No such file or directory in lock_may_be_available () (line 167)

I have a Drupal 7.2 application site and have upgraded from PHP 5.6 to PHP 7.2 since it reached its EOL. I also upgraded from RHEL 6.5 to RHEL 8. However, the following error appears when connecting to RDS; when I try to connect to the DB locally, I can connect successfully. What does this mean and how can I solve it?

How can the user save a file in the plugin directory without having it deleted during the update?

I want to allow the user to customize the CSS for my plugin. However, if a user creates a CSS file and then stores it in my plugin directory, the file will be deleted the next time the plugin is updated, since it is not part of the plugin files.

How do I mark a user-added file or subdirectory in my plugin folder so that it is not deleted?

Thank you very much