revert 59909dd12a

revert revert 51cdd1fdb6

revert Fixed Formatting of Files

deployments/services/authentication/Active Directory/Certificate Services.md

@@ -0,0 +1,280 @@
+---
+tags:
+  - Active Directory
+  - Certificate Services
+  - Authentication
+---
+
+## Purpose
+This document outlines the Microsoft-recommended best practices for deploying a secure, internal-use-only, two-tier Public Key Infrastructure (PKI) using Windows Server 2022 or newer. The PKI supports securing S/MIME email, 802.1X Wi-Fi with NPS, and LDAP over SSL (LDAPS).
+
+!!! abstract "CA Deployment Breakdown"
+    The environment will consist of at least 2 virtual machines. For the purposes of this document they will be named `LAB-CA-01` and `LAB-CA-02`.
+
+    In a two-tier hierarchy:
+    - `LAB-CA-01` = Offline Root CA (not domain-joined)
+    - `LAB-CA-02` = Enterprise Subordinate CA (domain-joined)
+
+    The Root CA signs the Subordinate CA certificate. The Subordinate CA handles all certificate issuance. Clients trust the PKI via Group Policy and Active Directory integration.
+
+---
+
+!!! note "Critical Requirement: CRL and AIA"
+    CRL Distribution Points (CDP) and Authority Information Access (AIA) **are required for all ADCS deployments**, including LDAPS-only environments.
+
+    Without properly configured CRL distribution:
+    - Certificate Services may fail to start
+    - Certificate validation may fail
+    - Revocation checking will break
+
+---
+
+## PKI HTTP Distribution (Required)
+
+The PKI requires an HTTP endpoint for distributing:
+- CRLs
+- CA certificates
+
+### Install IIS on LAB-CA-02
+
+```powershell
+Install-WindowsFeature Web-Server -IncludeManagementTools
+````
+
+### Create PKI Directory
+
+```powershell
+mkdir C:\inetpub\wwwroot\pki
+```
+
+### Configure DNS
+
+Create:
+
+```text
+pki.bunny-lab.io → LAB-CA-02.bunny-lab.io
+```
+
+### Validate
+
+```powershell
+echo test > C:\inetpub\wwwroot\pki\test.txt
+```
+
+Browse:
+
+```
+http://pki.bunny-lab.io/pki/test.txt
+```
+
+---
+
+## Offline (Non-Domain-Joined) Root CA `LAB-CA-01`
+
+### Role Deployment
+
+(Same as your original steps — unchanged)
+
+---
+
+### Role Configuration
+
+After installing the Root CA, **configure CDP and AIA BEFORE issuing certificates**:
+
+```powershell
+certutil -setreg CA\CRLPublicationURLs "65:C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl\n78:http://pki.bunny-lab.io/pki/%3%8%9.crl"
+
+certutil -setreg CA\CACertPublicationURLs "1:C:\Windows\System32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.bunny-lab.io/pki/%1_%3%4.crt"
+```
+
+Restart CA:
+
+```powershell
+net stop certsvc
+net start certsvc
+```
+
+Generate CRL:
+
+```powershell
+certutil -crl
+```
+
+---
+
+### Publish Root CA Files
+
+From:
+
+```
+C:\Windows\System32\CertSrv\CertEnroll\
+```
+
+Copy to:
+
+```
+\\LAB-CA-02\c$\inetpub\wwwroot\pki\
+```
+
+Files:
+
+* `BunnyLab-RootCA.crl`
+* `LAB-CA-01_BunnyLab-RootCA.crt`
+
+---
+
+## Online Subordinate CA `LAB-CA-02`
+
+### Role Deployment
+
+(Same as your original steps — unchanged)
+
+---
+
+### Role Configuration
+
+Proceed with CSR generation as normal.
+
+---
+
+### Submit Request to Root CA
+
+(Same steps — unchanged)
+
+---
+
+### Install SubCA Certificate
+
+* Install `LAB-CA-02-SubCA.cer`
+* Import Root CA cert into Trusted Root store
+
+---
+
+### ⚠️ IMPORTANT: Do NOT manually import CRLs
+
+Remove this step from your original process:
+
+> Import CRL manually into Trusted Root store
+
+Replace with:
+
+```powershell
+certutil -verify -urlfetch RootCA.cer
+```
+
+This validates CRL via HTTP (correct method).
+
+---
+
+## Reissue SubCA Certificate (Critical Recovery Step)
+
+If CDP/AIA was configured after initial deployment:
+
+### On SubCA:
+
+```powershell
+certutil -renewCert ReuseKeys
+```
+
+Click **Cancel** (offline root)
+
+---
+
+### On Root CA:
+
+* Submit request
+* Issue certificate
+* Export `.cer`
+
+---
+
+### Back on SubCA:
+
+Install new certificate:
+
+```
+certsrv.msc → Install CA Certificate
+```
+
+---
+
+## CRL Publishing Operations
+
+### Root CA
+
+```powershell
+certutil -crl
+```
+
+Copy CRL to IIS:
+
+```
+C:\inetpub\wwwroot\pki\
+```
+
+---
+
+### SubCA
+
+```powershell
+certutil -crl
+```
+
+Copy:
+
+* SubCA CRL
+* SubCA certificate
+
+To IIS folder.
+
+---
+
+## Create Auto-Enrollment Group Policy
+
+(Unchanged from your original doc)
+
+---
+
+## Validate Auto-Enrollment
+
+(Unchanged)
+
+---
+
+## Validate LDAPS Connectivity
+
+(Unchanged)
+
+---
+
+## Validation Commands
+
+Run on any system:
+
+```powershell
+certutil -verify -urlfetch <certificate>.cer
+```
+
+You should NOT see:
+
+```
+CRYPT_E_REVOCATION_OFFLINE
+```
+
+---
+
+## Security & Operational Notes
+
+* Root CA should remain offline except when issuing or renewing
+* CRLs must be periodically regenerated and published
+* Automate CRL copy to IIS if possible
+* Monitor CRL expiration
+
+---
+
+## Key Lessons Learned
+
+* CDP/AIA must be configured BEFORE issuing certificates
+* HTTP CRL distribution is mandatory
+* SubCA certificates must be reissued if CDP was missing
+* Manual CRL import is not a valid solution

deployments/services/authentication/Active Directory/Group Policy/Desktop Shortcut to UNC Path.md

@@ -0,0 +1,34 @@
+---
+tags:
+  - Active Directory
+  - Group Policy
+  - Authentication
+---
+
+**Purpose**:
+To deploy a shortcut to the desktop pointing to a network share's root path. (e.g. `\\storage.bunny-lab.io`).  There is a quirk with how Windows handles network shares and shortcuts and doesn't like when you point the shortcut to a root UNC path.
+
+### Group Policy Location
+``` mermaid
+graph LR
+    A[Create Group Policy] --> B[User Configuration]
+    B --> C[Preferences]
+    C --> D[Windows Settings]
+    D --> E[Shortcuts]
+```
+
+### Group Policy Settings
+- **Action**: `Update`
+- **Name**: `<FriendlyName>`
+- **Target Type**: `File System Object`
+- **Location**: `Desktop`
+- **Target Path**: `C:\windows\explorer.exe`
+- **Arguments**: `\\storage.bunny-lab.io`
+- **Start In**: `<Blank>`
+- **Shortcut Key**: `<None>`
+- **Run**: `Normal Window`
+- **Icon File Path**: `%SystemRoot%\System32\SHELL32.dll`
+- **Icon Index**: `9`
+
+### Additional Notes
+Navigate to the "**Common**" tab in the properties of the shortcut, and check the "**Run in logged-on user's security context (user policy option)**".

deployments/services/authentication/Active Directory/LDAP Settings.md

@@ -0,0 +1,19 @@
+---
+tags:
+  - Active Directory
+  - LDAP
+  - Authentication
+---
+
+**Purpose**: LDAP settings are used in various services from privacyIDEA to Nextcloud.  This will outline the basic parameters in my homelab that are necessary to make it function.
+
+| **Field** | **Value** | **Description** |
+| :--- | :--- | :--- |
+| Server Address(s) | `ldap://bunny-dc-01.bunny-lab.io` / `192.168.3.8`, `ldap://bunny-db-02.bunny.lab.io` / `192.168.3.9` | Domain Controllers |
+| Port | `389` | Unencrypted LDAP |
+| STARTTLS | `Disabled` | |
+| Base DN | `CN=Users,DC=bunny-lab,DC=io` | This is where users are pulled from |
+| User / Bind DN | `CN=Nicole Rappe,CN=Users,DC=bunny-lab,DC=io` | This is the domain admin used to connect to LDAP |
+| User / Bind Password | `<Password for User / Bind DN>` | Domain Credentials for Domain Admin account |
+| Login Attribute | ` LDAP Filter: (&(&(|(objectclass=person))(|(|(memberof=CN=Domain Users,CN=Users,DC=bunny-lab,DC=io)(primaryGroupID=513))))(samaccountname=%uid)) ` | Used by Nextcloud |
+| Login Attribute | `(sAMAccountName=*)(objectCategory=person)` | Used by PrivacyIDEA |

deployments/services/authentication/Active Directory/Restore Domain Trust.md

@@ -0,0 +1,14 @@
+---
+tags:
+  - Active Directory
+  - Authentication
+---
+
+## Purpose
+If you have a device that lost trust in the domain for some reason, and won't let you login using domain credentials, run the following command as a local administrator on the device to repair trust.
+
+```powershell
+Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
+```
+
+If it outputs `True`, go ahead and log out then try to login again with the domain credentials.