revert 51cdd1fdb6

revert Fixed Formatting of Files

deployments/services/authentication/Active Directory/Certificate Services.md

@@ -1,280 +0,0 @@
----
-tags:
-  - Active Directory
-  - Certificate Services
-  - Authentication
----
-
-## Purpose
-This document outlines the Microsoft-recommended best practices for deploying a secure, internal-use-only, two-tier Public Key Infrastructure (PKI) using Windows Server 2022 or newer. The PKI supports securing S/MIME email, 802.1X Wi-Fi with NPS, and LDAP over SSL (LDAPS).
-
-!!! abstract "CA Deployment Breakdown"
-    The environment will consist of at least 2 virtual machines. For the purposes of this document they will be named `LAB-CA-01` and `LAB-CA-02`.
-
-    In a two-tier hierarchy:
-    - `LAB-CA-01` = Offline Root CA (not domain-joined)
-    - `LAB-CA-02` = Enterprise Subordinate CA (domain-joined)
-
-    The Root CA signs the Subordinate CA certificate. The Subordinate CA handles all certificate issuance. Clients trust the PKI via Group Policy and Active Directory integration.
-
----
-
-!!! note "Critical Requirement: CRL and AIA"
-    CRL Distribution Points (CDP) and Authority Information Access (AIA) **are required for all ADCS deployments**, including LDAPS-only environments.
-
-    Without properly configured CRL distribution:
-    - Certificate Services may fail to start
-    - Certificate validation may fail
-    - Revocation checking will break
-
----
-
-## PKI HTTP Distribution (Required)
-
-The PKI requires an HTTP endpoint for distributing:
-- CRLs
-- CA certificates
-
-### Install IIS on LAB-CA-02
-
-```powershell
-Install-WindowsFeature Web-Server -IncludeManagementTools
-````
-
-### Create PKI Directory
-
-```powershell
-mkdir C:\inetpub\wwwroot\pki
-```
-
-### Configure DNS
-
-Create:
-
-```text
-pki.bunny-lab.io → LAB-CA-02.bunny-lab.io
-```
-
-### Validate
-
-```powershell
-echo test > C:\inetpub\wwwroot\pki\test.txt
-```
-
-Browse:
-
-```
-http://pki.bunny-lab.io/pki/test.txt
-```
-
----
-
-## Offline (Non-Domain-Joined) Root CA `LAB-CA-01`
-
-### Role Deployment
-
-(Same as your original steps — unchanged)
-
----
-
-### Role Configuration
-
-After installing the Root CA, **configure CDP and AIA BEFORE issuing certificates**:
-
-```powershell
-certutil -setreg CA\CRLPublicationURLs "65:C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl\n78:http://pki.bunny-lab.io/pki/%3%8%9.crl"
-
-certutil -setreg CA\CACertPublicationURLs "1:C:\Windows\System32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.bunny-lab.io/pki/%1_%3%4.crt"
-```
-
-Restart CA:
-
-```powershell
-net stop certsvc
-net start certsvc
-```
-
-Generate CRL:
-
-```powershell
-certutil -crl
-```
-
----
-
-### Publish Root CA Files
-
-From:
-
-```
-C:\Windows\System32\CertSrv\CertEnroll\
-```
-
-Copy to:
-
-```
-\\LAB-CA-02\c$\inetpub\wwwroot\pki\
-```
-
-Files:
-
-* `BunnyLab-RootCA.crl`
-* `LAB-CA-01_BunnyLab-RootCA.crt`
-
----
-
-## Online Subordinate CA `LAB-CA-02`
-
-### Role Deployment
-
-(Same as your original steps — unchanged)
-
----
-
-### Role Configuration
-
-Proceed with CSR generation as normal.
-
----
-
-### Submit Request to Root CA
-
-(Same steps — unchanged)
-
----
-
-### Install SubCA Certificate
-
-* Install `LAB-CA-02-SubCA.cer`
-* Import Root CA cert into Trusted Root store
-
----
-
-### ⚠️ IMPORTANT: Do NOT manually import CRLs
-
-Remove this step from your original process:
-
-> Import CRL manually into Trusted Root store
-
-Replace with:
-
-```powershell
-certutil -verify -urlfetch RootCA.cer
-```
-
-This validates CRL via HTTP (correct method).
-
----
-
-## Reissue SubCA Certificate (Critical Recovery Step)
-
-If CDP/AIA was configured after initial deployment:
-
-### On SubCA:
-
-```powershell
-certutil -renewCert ReuseKeys
-```
-
-Click **Cancel** (offline root)
-
----
-
-### On Root CA:
-
-* Submit request
-* Issue certificate
-* Export `.cer`
-
----
-
-### Back on SubCA:
-
-Install new certificate:
-
-```
-certsrv.msc → Install CA Certificate
-```
-
----
-
-## CRL Publishing Operations
-
-### Root CA
-
-```powershell
-certutil -crl
-```
-
-Copy CRL to IIS:
-
-```
-C:\inetpub\wwwroot\pki\
-```
-
----
-
-### SubCA
-
-```powershell
-certutil -crl
-```
-
-Copy:
-
-* SubCA CRL
-* SubCA certificate
-
-To IIS folder.
-
----
-
-## Create Auto-Enrollment Group Policy
-
-(Unchanged from your original doc)
-
----
-
-## Validate Auto-Enrollment
-
-(Unchanged)
-
----
-
-## Validate LDAPS Connectivity
-
-(Unchanged)
-
----
-
-## Validation Commands
-
-Run on any system:
-
-```powershell
-certutil -verify -urlfetch <certificate>.cer
-```
-
-You should NOT see:
-
-```
-CRYPT_E_REVOCATION_OFFLINE
-```
-
----
-
-## Security & Operational Notes
-
-* Root CA should remain offline except when issuing or renewing
-* CRLs must be periodically regenerated and published
-* Automate CRL copy to IIS if possible
-* Monitor CRL expiration
-
----
-
-## Key Lessons Learned
-
-* CDP/AIA must be configured BEFORE issuing certificates
-* HTTP CRL distribution is mandatory
-* SubCA certificates must be reissued if CDP was missing
-* Manual CRL import is not a valid solution

deployments/services/authentication/Active Directory/Group Policy/Desktop Shortcut to UNC Path.md

@@ -1,34 +0,0 @@
----
-tags:
-  - Active Directory
-  - Group Policy
-  - Authentication
----
-
-**Purpose**:
-To deploy a shortcut to the desktop pointing to a network share's root path. (e.g. `\\storage.bunny-lab.io`).  There is a quirk with how Windows handles network shares and shortcuts and doesn't like when you point the shortcut to a root UNC path.
-
-### Group Policy Location
-``` mermaid
-graph LR
-    A[Create Group Policy] --> B[User Configuration]
-    B --> C[Preferences]
-    C --> D[Windows Settings]
-    D --> E[Shortcuts]
-```
-
-### Group Policy Settings
-- **Action**: `Update`
-- **Name**: `<FriendlyName>`
-- **Target Type**: `File System Object`
-- **Location**: `Desktop`
-- **Target Path**: `C:\windows\explorer.exe`
-- **Arguments**: `\\storage.bunny-lab.io`
-- **Start In**: `<Blank>`
-- **Shortcut Key**: `<None>`
-- **Run**: `Normal Window`
-- **Icon File Path**: `%SystemRoot%\System32\SHELL32.dll`
-- **Icon Index**: `9`
-
-### Additional Notes
-Navigate to the "**Common**" tab in the properties of the shortcut, and check the "**Run in logged-on user's security context (user policy option)**".

deployments/services/authentication/Active Directory/LDAP Settings.md

@@ -1,19 +0,0 @@
----
-tags:
-  - Active Directory
-  - LDAP
-  - Authentication
----
-
-**Purpose**: LDAP settings are used in various services from privacyIDEA to Nextcloud.  This will outline the basic parameters in my homelab that are necessary to make it function.
-
-| **Field** | **Value** | **Description** |
-| :--- | :--- | :--- |
-| Server Address(s) | `ldap://bunny-dc-01.bunny-lab.io` / `192.168.3.8`, `ldap://bunny-db-02.bunny.lab.io` / `192.168.3.9` | Domain Controllers |
-| Port | `389` | Unencrypted LDAP |
-| STARTTLS | `Disabled` | |
-| Base DN | `CN=Users,DC=bunny-lab,DC=io` | This is where users are pulled from |
-| User / Bind DN | `CN=Nicole Rappe,CN=Users,DC=bunny-lab,DC=io` | This is the domain admin used to connect to LDAP |
-| User / Bind Password | `<Password for User / Bind DN>` | Domain Credentials for Domain Admin account |
-| Login Attribute | ` LDAP Filter: (&(&(|(objectclass=person))(|(|(memberof=CN=Domain Users,CN=Users,DC=bunny-lab,DC=io)(primaryGroupID=513))))(samaccountname=%uid)) ` | Used by Nextcloud |
-| Login Attribute | `(sAMAccountName=*)(objectCategory=person)` | Used by PrivacyIDEA |

deployments/services/authentication/Active Directory/Restore Domain Trust.md

@@ -1,14 +0,0 @@
----
-tags:
-  - Active Directory
-  - Authentication
----
-
-## Purpose
-If you have a device that lost trust in the domain for some reason, and won't let you login using domain credentials, run the following command as a local administrator on the device to repair trust.
-
-```powershell
-Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
-```
-
-If it outputs `True`, go ahead and log out then try to login again with the domain credentials.