Step-by-Step Guide to Azure AD Privileged Identity Management – Part 1

Privileged Identity Management is boarder topic to discuss with. First thing first do not think it as another feature or product from Microsoft. The way I see it as a lot of methodologies, technologies came together and making a new process. I am saying it because with this concept we need to rethink about how current identities been managed in infrastructure. Administrators, users need to change the way they think about the permissions. 

In any infrastructure we have different type of administrators. It can be domain administrators, local administrators, service administrators. If its hybrid setup it may have cloud administrators too. The question is do you have fully control over these accounts and its permissions? do you aware of their activities using these permissions? how do you know it’s not been compromised already? If I say solution is to revoke these administrator privileges yes it will work but problem is how much additional work to restore this permission when needed? and also how practical it is? it’s also have a social impact too, if you walk down to your users and say that I’m going to revoke your admin privileges what will be their response? 

Privileged access management is not a new topic it’s been in industry for long but problem is still not lot considering about it. Microsoft step up and introduce new products, concepts to bring it forward again as this is definitely needed in current infrastructures to address modern threats towards identities. The good thing about this new tools and technologies, its more automated and the user accounts will have the required permissions whenever they needed. In your infrastructure this can achieve using Microsoft identity manager 2016 but need lot more work with new concepts which I will explain in future posts. Microsoft introduce same concept to the azure cloud as well. In this post we going to look in to this new feature. 

Using azure privileged identity management, we can manage, control and monitor the permissions to the azure resources such as azure AD, office 365, intune and SaaS applications. Identity management will help to do following,

Identify the current azure AD administrators your azure subscriptions have

Just-in-Time administration – This is something I really like. Now you can assign administration permissions on demand for period of time. For example, user A can be office 365 administrator for 11am to 12pm. Once the time limit reach system will revoke the administrator privileges automatically

Reports to view the privileged accounts access history and changes in administrator assignments

Alerts when access to privileged role

Azure AD privileged identity management can manage following organizational roles,

Global Administrator – Has access to all administrative features. The person who signs up for the Azure account becomes a global administrator. Only global administrators can assign other administrator roles. There can be more than one global administrator at your company.

Billing Administrator – Makes purchases, manages subscriptions, manages support tickets, and monitors service health.

Service Administrator – Manages service requests and monitors service health.

User Administrator – Resets passwords, monitors service health, and manages user accounts, user groups, and service requests. Some limitations apply to the permissions of a user management administrator. For example, they cannot delete a global administrator or create other administrators. Also, they cannot reset passwords for billing, global, and service administrators.

Password Administrator – Resets passwords, manages service requests, and monitors service health. Password administrators can reset passwords only for users and other password administrators.

Let’s see how to enable azure AD privileged identity management,
Before start make sure you got global administrator privileges to the azure AD directory that you going to enable this feature.
 
1) Log in to the azure portal as global administrator
2) Go to New > Security + Identity > Azure AD privileged identity management 
 
aim1
 
3) Then click on create to start the process
 
aim2
 
4) In first step it will identify the privileged roles exist in current directory. In my demo I have 3 roles. In same page you can view what are these accounts by clicking on each role. After review click on next
 
aim3
 
5) In next window its list which accounts eligible for activate the roles. Select the account you want and click on next
 
aim4
 
6) In next window can review the changes. As per my selection only one account will remain as permanent admin. To complete click on OK
 
aim5
 
7) Once it’s done, you can load the console from the dashboard. 
 
aim6
 
In part 2 of the post I will explain what we can do with it in details. 
If you got any questions feel free to contact me on rebeladm@live.com
 
Reference :  https://azure.microsoft.com/en-us/documentation/articles/active-directory-privileged-identity-management-configure/

Share and Enjoy:
  • Print
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • LinkedIn
  • Live
  • RSS
  • StumbleUpon
  • Twitter

Get Started with Azure Security Center

Whenever we talk about cloud, one of the main questions still comes from customers is “what about security?“. Azure cloud built by using SDL (Security Development Lifecycle) from initial planning to product launch. It’s continues uses different measurements, safeguards to protect the infrastructures and customer data. You can find details about azure security on https://www.microsoft.com/en-us/TrustCenter/Security/AzureSecurity

Microsoft releases Azure Security Center to allow you to prevent, detect and respond to the threats against you azure resources with more visibility. Based on your requirements, can use different policies with resources groups.

Azure security center capabilities focused on 3 areas (https://azure.microsoft.com/en-us/documentation/articles/security-center-intro/),

Capabilities

Details

Prevent

·         Monitors the security state of your Azure resources

·         Defines policies for your Azure subscriptions and resource groups based on your company’s security requirements, the types of applications that you use, and the sensitivity of your data

·         Uses policy-driven security recommendations to guide service owners through the process of implementing needed controls

·         Rapidly deploys security services and appliances from Microsoft and partners

 

Detect

·         Automatically collects and analyzes security data from your Azure resources, the network, and partner solutions like antimalware programs and firewalls

·         Leverages global threat intelligence from Microsoft products and services, the Microsoft Digital Crimes Unit (DCU), the Microsoft Security Response Center (MSRC), and external feeds

·         Applies advanced analytics, including machine learning and behavioral analysis

 

Respond

·         Provides prioritized security incidents/alerts

·         Offers insights into the source of the attack and impacted resources

·         Suggests ways to stop the current attack and help prevent future attacks

Azure Security Center currently in Preview but it’s still worth to try and see its capabilities.
Let’s see how we can enable and start using it.

1)    You need to have valid azure subscription and you need to log in as global administrator.
2)    Then go to browse and type security. There you can see security center. Click on there to start.

sec1

3)    Then we can see the main window.

sec2

4)    If it’s red something not right :) to start with lets click on virtual machines.

sec3

5)    As we can see the data collection off. We need data collect from VM to detect the problems. Let’s go ahead and enable data collection.
6)    Click on Policy tile, and then it will load up the policy page. As can see data collection is off.  Click on the policy.

sec4

sec5

7)    Click on “On” and then click on Save

sec6

sec7

8)    After that we can see the recommendations based on collected data and security policy.  We can follow each recommendation and fix the security threats.

sec8

sec15


How to apply custom policy for the different resources?

1)    By default the default prevention policy will be inherited to all the resources. But we can apply custom policy based on the requirement. To start with click on policy tile again, and click on the arrow next to policy to list the resources. As we can see security policy inherited.

sec9

2)    To change, click on the resource to select, and in next tile, for the inherit policy click “unique” and click on “Save

sec10

3)    After save, click on prevention policy

sec11

4)    There you can change the policy settings and click ok to apply the policy settings.

sec12

5)    This new settings are unique for the resource now.

sec13

Enable Email Notifications

You can enable notifications in azure security center so if any issues detected you will get notifications. It’s currently runs with limited features.
Currently it can only enable on default prevention policy.

sec14

Hope this article helps and if you got any question feel free to contact me on rebeladm@live.com

Share and Enjoy:
  • Print
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • LinkedIn
  • Live
  • RSS
  • StumbleUpon
  • Twitter

Azure Rights Management (Azure RMS) – Part 1

Microsoft Right management service help organizations to protect organization’s sensitive data getting unauthorized access. This service been used on-premises active directory infrastructures in years and it’s also available in azure.

If you not familiar with RMS let me explain it in simpler way. Let’s say user A got a document which contain some sensitive data about company stock prices. User A sending it to User B. This we know should be a conversation between user A and B. and how we can verify these data not been to pass to another user? What if someone gets a printed copy of this document? What if the user B edit this and add some false information? Using RMS you can prevent those. RMS can use to encrypt, managed identities and apply authorization policies in to your files and emails. The files you can define to open only by the person who you wished to open it, set it to read-only and also prevent user from printing it.

Using Azure RMS you can integrate the above features with your cloud applications, office 365 to protect the confidential data.

azrms_elements

In order to enable the Azure RMS you need the following prerequisites.

1)    Valid Azure Subscription – You need to have valid azure subscription to start with. If you not have paid version you still can start with a trial.
2)    Azure AD – You must have Azure AD configured to have RMS. I have written articles about how to get Azure AD services enable and you can simply search the blog if you need help with it. Also you can integrate it with your on-premises Ad infrastructure.
3)    RMS Supported Devices – you need to have devices runs with RMS supported OS to use this features. The list is available at https://docs.microsoft.com/en-us/rights-management/get-started/requirements-client-devices
4)    RMS Supported Applications – to use RMS features its need to be used with RMS supported applications. The list is available here https://docs.microsoft.com/en-us/rights-management/get-started/requirements-client-devices

Once you are ready with above first step is to enable the Azure RMS Service.
1)    Log in to the Azure Portal with a privileged account
2)    Go to Brows and then type rms, then it will list the RMS service then click on it.

rms1

3)    It will load the classic portal. In here you can see all the azure Ad instance running and its RMS service status. In my demo I do not have any instance enable with RMS.

rms2

4)    To enable the RMS service, select the AD instance and the click on “Activate” button in the bottom of the page.

rms3

Once it’s activated we have RMS enabled. In next part of the article let’s see how to use its features.

If you have any questions feel free to get back to me on rebeladm@live.com

Share and Enjoy:
  • Print
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • LinkedIn
  • Live
  • RSS
  • StumbleUpon
  • Twitter

Step-by-Step Guide to create Organizational Unit (OU) in Azure AD Domain Service Managed Domain

Organizational unit in active directory is a container where you can place users, computers, groups and other organization units even. OU are helps to create logical structure of the AD. You can use it to assign group policies and manage the resources.  This is common procedure in in-house domain environment, but what about the Azure managed domain? Can engineers use same method?

Answer is YES, but with some limitations. It is managed domain so you do not have full control over the functions such as complex group policies etc. I will explain those in later article but for the Organizational units, we can create those and manage those in azure managed domain. There is no option in azure portal to create this, this need to be created using a PC, server which is connected to the Azure Ad managed domain.

I wrote an article about adding a VM to the Azure managed domain. It is good place to start with http://www.rebeladmin.com/2016/05/step-step-guide-manage-azure-active-directory-domain-service-aad-ds-managed-domain-using-virtual-server/ . To create OU, you must have this done before start.

You also need be a member of AAD DC Administrators group.

Let’s see how we can create OU.

In my demo I am using a windows 2016 TP5 server which is connected to managed domain. Also I logged in as a member of AAD DC Administrators group.

ou1

Also I have already installed AD DS and AD LDS Tools (Remote server administration tools > Role administration tools > AD DS and AD LDS Tools)

ou2

To start the process, go to Server Manager > Tools > Active Directory Administrative Center

ou3

In left hand side in the console click on the managed domain

ou4

In the right hand under the Tasks click on New > Organizational Unit

ou5

In next window we can provide the information about new OU and click OK to complete.

ou6

Then you can see the new OU added.

ou7

By default the user account I used for to create the OU got full permissions to control the OU.

ou8

Now you can create new users, groups under this OU. But keep in mind you CANNOT move any users, groups which is already under AADDC users OU. It’s the default OU for the users, groups added via azure portal.

ou13

Also the users and groups added under new OU will not be visible on azure portal. It’s only valid inside the managed domain environment.

Hope this article was helpful. If you got any questions feel free to contact me on rebeladm@live.com

Share and Enjoy:
  • Print
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • LinkedIn
  • Live
  • RSS
  • StumbleUpon
  • Twitter

Step-by-Step guide to enable Secure LDAP (Lightweight Directory Access Protocol) on Azure AD managed domain

In active directory environment, LDAP (Lightweight Directory Access Protocol) is responsible for read and write data from AD. By default LDAP traffic transmitted un-secure. You can make this secured transmit based on SSL. In security prospective even in more “local” network it’s important to make secure even though most of engineers not using it. But when you have hybrid or cloud only setup this is more important. Idea of this post is to demonstrate how to enable secure LDAP on Azure AD managed domain.

There is few prerequisite required to perform this task.

1)    Azure AD Domain Service – Azure AD domain service must be enabled and configured with all prerequisite. If you need any help over please refer to my last few posts which explain how to configure.
2)    SSL Certificate – It is need to have valid SSL certificate and it need to be from valid certificate authority such as public certificate authority, enterprise certificate authority. Also you can still use self-sign SSL certificate.

In my demo,
1)    I have already configured a Azure AD managed domain and running with active subscription

sldap1

2)    I got an Azure VM connected to Azure managed domain and I will be using it to demonstrate to enable Secure LDAP.
3)    I am going to use self-signed certificate to create the secure LDAP

Create self-signed certificate

1)    Log in to domain joined server, or PC and open windows power-shell session as administrator.
2)    Execute following

$validtill=Get-Date
New-SelfSignedCertificate -Subject *.rebeladmin.onmicrosoft.com -NotAfter $validtill.AddDays(365) -KeyUsage DigitalSignature, KeyEncipherment -Type SSLServerAuthentication -DnsName *.rebeladmin.onmicrosoft.com

In here you can replace rebeladmin.onmicrosoft.com with your managed domain name.

This will generate the self-sign certificate.

sldap2

Export the SSL Certificate

Now we have the certificate, but we need to export it to use to enable secure LDAP.
1)    Log in to the PC or Server which generated certificate as administrator
2)    Go to run > mmc

sldap3

3)    File > Add/remove Snap-in

sldap4

4)    Select Certificates and click on button Add

sldap5

5)    Then select the Computer Account and click next

sldap6

6)    Select local computer and click on finish

sldap7

7)    Click on OK to open the certificate mmc

sldap8

8)    Then in console go to Personal > Certificates and you can see the new self-signed certificate we just created in previous step

sldap9

9)    Right click on the certificate and click on All tasks > export

sldap10

10)    Then its start the certificate export wizard, click on next to start

sldap11

11)    In this window select option “Yes, export the private key” and click on next
12)    Leave the .pfx option selected and click next

sldap12

13)    In next window define a password and click on next

sldap13

14)    Then define the location to save the file and click on next

sldap14

15)    Click on finish to complete the export process

sldap15

Enable Secure LDAP

Now we got the SSL exported and ready. Now it’s time to enable the secure LDAP.
1)    Log in to the azure portal and load the Azure Domain Services configuration page for your relevant directory

sldap16

2)    Then to the domain service section and click on “configure certificate” button

sldap17

3)    Then brows for the .pfx file we just exported and provide the password, then click ok to proceed

sldap18

4)    After few minutes we can see the secure LDAP is enabled

sldap19

5)    The next step is to enable the secure LDAP connection over the internet for your managed domain. For that click on the “Yes” for the option “Enable secure LDAP access over the internet” and the click save

sldap20

sldap21

6)    After few minute we can see the feature is enabled and also displaying the public ip address which can use on this.

sldap22

7)    If you wish to use secure ldap over the internet you need to create DNS entry in your dns provider and create A record to point domain to the public ip address its given.

Hope this was helpful post and if you have any question on this feel free to contact me on rebeladm@live.com

Share and Enjoy:
  • Print
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • LinkedIn
  • Live
  • RSS
  • StumbleUpon
  • Twitter

Step-by-Step Guide to exclude user or user group from group policy

After few sick weeks I am back in blogging :). In an active directory infrastructure some time you may need to exclude user or user group from a group policy. It can be due to application setting or system setting. Sometime I seen administrators create separate OU and move users there just to get user exclude from particular group policy. It is not necessary to create new OU to exclude users from GPO. In this post I am going to demonstrate how you can exclude a user or group from a GPO.

1)    Log in to a server with administrator privileges (it can be DC server or a server with group policy management feature installed on). I am using windows server 2016 TP5 DC for the demo.
2)    Open the Group policy mmc with server manager > tools > group policy management

gpe1

3)    Then expand the tree and go to the group policy that you like to exclude users or group. In my demo it’s going to be GP called Test1

gpe2

4)    Click on the selected GPO and in right hand panel it will list the settings. Click on delegation tab.

gpe3

5)    Then click on the Advanced button

gpe4

6)    In window, click on add to add the user or the group that you like to exclude

gpe5

gpe6

7)    Then in the permission list, you can see by default Read permission is allowed. Leave it same and scroll down the list to select permission called Apply group policy. Then click on deny permission.

gpe7

8)    Then click on OK to apply the changes. In warning message click on Yes. Now we successfully exclude user2 from the Test1 GPO.

gpe8

gpe9

Hope this post informative and if you got any questions feel free to contact me on rebeladm@live.com

Share and Enjoy:
  • Print
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • LinkedIn
  • Live
  • RSS
  • StumbleUpon
  • Twitter

Step-by-Step Guide to manage DNS records in Azure Managed Domain (AAD-DS)

In my recent articles I was explaining how to enable Azure Active Directory Domain Service and how to manage its services using domain-joined server.

If you not read it yet please check my last post in here.

When you manage a local active directory instance, using DNS mmc you can manage the DNS records. But can we do same with Azure managed domain? Answer is yes. In this post I am going to show how to manage dns records using domain-joined azure vm.

In order to do that we need following prerequisites.

1)    Azure Active Directory Domain Service (AAD-DS) managed domain Instance
2)    Domain Joined Virtual Server
3)    User account with member of AAD DC Administrators group

I have explain all of above in my last 3-4 posts. Please follow them if you like to know more about those.
So in this demo, I am going to use the already setup Azure managed domain instance.

dnsad1

I also have a virtual server running on Azure with windows server 2016 TP5. It is already jointed to the managed domain.

dnsad2

dnsad3

To start with the configuration RDP to the virtual server

1)    Log in to server with member account of AAD DC Administrators group

dnsad4

2)    Open Server Manager > Add Roles and Features

dnsad5

3)    In first screen of wizard click on next to proceed

dnsad6

4)    In next window keep the default and click next

dnsad7

5)    In server selection keep it default and click next

dnsad8

6)    In server roles keep default and click next

dnsad9

7)    Under the features, go to Remote Server Administration Tools > Roles Administration Tools > DNS Server Tools. Then click next to proceed

dnsad10

8)    In next confirmation window click on install to install the tools

dnsad11

9)    Once it’s done go to server manager > tools > DNS

dnsad12

10)    On first start it will prompt where to connect. In their select the option as below and then type the managed domain you have in place. Then click ok

dnsad13

11)    It will open up the DNS mmc.

dnsad14

In here we can manage the DNS records as we need. There are some dns records which related to the managed domain service. So make sure those records are not modified or deleted.

The virtual machine no need to be on server version, if you install desktop version you can still managed dns by installing RSAT tools.

If you have any questions about the post feel free to contact me on rebeladm@live.com

Share and Enjoy:
  • Print
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • LinkedIn
  • Live
  • RSS
  • StumbleUpon
  • Twitter

Step-by-Step Guide to manage Azure Active Directory Domain Service (AAD-DS) managed domain using Virtual Server

In my last two blog post I explain how to enable Azure Active Directory Domain Service and how to configure it properly. If you still not read those you can find those in following links.

Step-by-Step Guide to enable Azure AD Domain Services

Step-by-Step Guide to enable password synchronization to Azure Active Directory Domain Services (AAD DS)

In this post I am going to demonstrate how to add a virtual server which is setup on azure in to the managed domain and how to use Active Directory administration tools to manage the AAD-DS managed domain.

One thing I need to make clear is since it’s a managed domain services you do not going to have same manageability as in house domain controller.

According to Microsoft

Administrative tasks you can perform on a managed domain

•    Join machines to the managed domain.
•    Configure the built-in GPO for the 'AADDC Computers' and 'AADDC Users' containers in the managed domain.
•    Administer DNS on the managed domain.
•    Create and administer custom Organizational Units (OUs) on the managed domain.
•    Gain administrative access to computers joined to the managed domain.

Administrative privileges you do not have on a managed domain

•    You are not granted Domain Administrator or Enterprise Administrator privileges for the managed domain.
•    You cannot extend the schema of the managed domain.
•    You cannot connect to domain controllers for the managed domain using Remote Desktop.
•    You cannot add domain controllers to the managed domain.

Create VM

As the first step I am going to setup new VM under the same virtual network as the managed domain.

1)    In order to join VM to the same virtual network, we have to use Azure classic portal to build the VM.
2)    Log in to the azure classic portal > New > Compute > Virtual Machine > From Gallery ( The reason is using this option can define the advanced options)

md1

3)    Then select the template from the list. I am going to use windows server 2016 TP 5. Click on arrow to proceed.

md2

4)    In next window provide the info for the new VM (such as name, resources and local admin account) and click proceed arrow.

md3

5)    In Next window select the Virtual network as same as the one you setup the AAD-DS managed domain. If you do not select correct virtual network you will not be able to connect this vm to the managed domain. Once done, click on button to proceed.

md4

6)    In next window can add the extensions you like and click to button to setup the vm.

md5

Connect VM to the Managed Domain

1)    Once New VM is up and running, click on connect to log in to the VM

md6

2)    Now the server is ready, next step is to join it to the domain.

md7

3)    In domain, type the managed domain name and type the credentials. The use account used for authentication should be member of AAD DC Administrators group ( I explain on my first article how to setup this group)

md8

md9

md10

4)    Once connected to the domain, reboot it to complete the process.

Manage domain using AD administration tools

In this step I am going to install AD admin tools using that we can manage the Azure managed domain.
Note – This also can do using desktop operating system as well. Ex- windows 10. To do it, need to install RSAT for windows 10. (https://www.microsoft.com/en-gb/download/details.aspx?id=45520)

1)    Log in to the server as member of AAD DC Administrators group
2)    Server Manager > Add Roles and Features

md11

3)    Click next in the wizard

md12

4)    In next window keep the default and click next

md13

5)    In next window keep the default and click next to proceed

md14

6)    On the roles page, keep default values and click next

md15

7)    In features select Remote server administration tools > Role administration tools > AD DS and AD LDS Tools and then click next to proceed.

md16

8)    In next window click on install to proceed with the installation

md17

9)    Once install done go to Server Manager > Tools > Active Directory Users and Computers
Here we can see the AD console which Admins familiar with.

md18

md19

md20

Hope this is helpful and if you have any question feel free to contact me on rebeladm@live.com

Share and Enjoy:
  • Print
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • LinkedIn
  • Live
  • RSS
  • StumbleUpon
  • Twitter

Step-by-Step Guide to enable password synchronization to Azure Active Directory Domain Services (AAD DS)

In my previous post I have explain how to enable azure ad domain services. If you not read it yet you can find it here.

Once the domain service are enabled the next step to sync the credentials to the Azure AD domain services. Then users can use their logins to log in to the managed domain services. This post is to explain how we can do it in cloud-only environment as well as in hybrid setup.

Cloud-Only Setup

If you have cloud only setup the users who is going to use azure ad domain services need to change their passwords. Once user reset the password it generate the credential hashes which is uses by azure ad domain services for Kerberos and NTLM Authentication.

There is 2 ways to do it,

1)    Force password reset – in the console we can reset the password for user. It will generate temporally password for the user. So in next login, user need to provide new password.

To do this, log in to Azure AD instance (which is enabled with Azure AD Domain services) and then click on users tab.

pass1

Then select the user to reset the password and in the bottom click on RESET PASSWORD button

pass2

pass3

2)    Change Passwords from use logins – By login in to the Azure portal, users can reset their passwords. (https://portal.azure.com)

Once user log in to the portal click on the right hand corner where user name displays and then click on “change password

pass4

pass5

Hybrid Setup

If you have on-premises AD and sync it already with Azure AD, we need to sync credential hashes required for NTLM and Kerberos authentication via Azure AD Connect. These are not sync with azure ad by default.

First thing first, if you have Azure AD connect installed in your servers, it need to upgrade with latest version. The latest recommended version is 1.1.130.0 – published on April 12, 2016. You can download it using https://www.microsoft.com/en-us/download/details.aspx?id=47594 , this is important as older version of Azure AD Connect do not have this sync feature.

After upgrade (or new install) make sure the password synchronization is enabled. To do that,

•    Log in to the server which have Azure Ad sync installed (with appropriate permissions).
•    Double click on Azure AD Connect

pass6

•    Then in new window select the option “View current configuration” and click on “Next

pass7

•    In next window check if the password sync is enabled

pass8

•    If not go back to the previous window and select option “Customize Synchronization Options” and click next 

pass9

•    Then under the “Optional Features” enable password hash synchronization.

pass10

With the install if use the express settings this is enabled by default. Also check if the synchronization happening without errors.

To check that go to start > azure ad connect > synchronization services

pass11

pass12

To do a full forceful password sync you can use following PowerShell script

$adConnector = "<CASE SENSITIVE AD CONNECTOR NAME>"
$aadConnector = "<CASE SENSITIVE AAD CONNECTOR NAME>"
Import-Module adsync
$c = Get-ADSyncConnector -Name $adConnector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter “Microsoft.Synchronize.ForceFullPasswordSync”, String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true

In here
$adConnector = "<CASE SENSITIVE AD CONNECTOR NAME>"
$aadConnector = "<CASE SENSITIVE AAD CONNECTOR NAME>"

Should replace with the info related to your setup, this can find using “synchronization services” window. Click the “connectors” tab.

pass13

Once it’s edited with relevant info it can execute.

pass14

Hope this helped and if you have any questions about post feel free to contact me on rebeladm@live.com
 

Share and Enjoy:
  • Print
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • LinkedIn
  • Live
  • RSS
  • StumbleUpon
  • Twitter

Step-by-Step Guide to enable Azure AD Domain Services

Azure AD, Azure AD Domain Services, On-premises Active Directory, AD-sync ….. All these terms are now start to appear on most of now a days infrastructure projects. Based on the questions I get from the blog also represent still engineers struggle how to implements Azure services with their needs and how to get best benefits out from it. So this article also a series of articles I was doing to cover up Azure AD related services and how to use these services to enhanced your current infrastructure operations.

Azure AD Domain Services

Azure AD Domain Services is in preview for a while now (6 months). Azure AD Domain Services is a managed domain service which provides group policy, LDAP, NTLM/Kerberos Authentication without need of “Domain Controller” in your azure cloud setup.

If you have “cloud-only” service with Azure, this service will allow you to manage your azure identities more affectively. You can deploy the azure ad domain services in to the same virtual network your other IaaS workloads runs. Then these VM can connect to the Azure AD as typical domain join servers and can control those centrally. Also can apply group policies if you like.

If its hybrid setup you can sync your on-premises identities to the cloud and use those along with the azure Iaas workloads.

These are the main features of Azure Active Directory Domain Services (From: https://azure.microsoft.com/en-gb/documentation/articles/active-directory-ds-features/)

•    Simple deployment experience: You can enable Azure AD Domain Services for your Azure AD tenant using just a few clicks. Regardless of whether your Azure AD tenant is a cloud-tenant or synchronized with your on-premises directory, your managed domain can be provisioned quickly.
•    Support for domain-join: You can easily domain join computers in the Azure virtual network that Azure AD Domain Services is available in. The domain join experience on Windows client and Server operating systems works seamlessly against domains serviced by Azure AD Domain Services. You can also use automated domain join tooling against such domains.
•    One domain instance per Azure AD directory: You can create a single Active Directory domain for each Azure AD directory.
•    Create domains with custom names: You can create domains with custom names (eg. contoso.local) using Azure AD Domain Services. This includes both verified as well as unverified domain names. Optionally, you can also create a domain with the built-in domain suffix (i.e. *.onmicrosoft.com) that is offered by your Azure AD directory.
•    Integrated with Azure AD: You do not need to configure or manage replication to Azure AD Domain Services. User accounts, group memberships and user credentials (passwords) from your Azure AD directory are automatically available in Azure AD Domain Services. New users, groups or changes to attributes ocurring in your Azure AD tenant or in your on-premises directory are automatically synchronized to Azure AD Domain Services.
•    NTLM and Kerberos authentication: With support for NTLM and Kerberos authentication, you can deploy applications that rely on Windows Integrated Authentication.
•    Use your corporate credentials/passwords: Passwords for users in your Azure AD tenant work with Azure AD Domain Services. This means users in your organization can use their corporate credentials on the domain – for domain joining machines, logging in interactively or over remote desktop, authenticating against the DC etc.
•    LDAP bind & LDAP read support: You can use applications that rely on LDAP binds in order to authenticate users in domains serviced by Azure AD Domain Services. Additionally, applications that use LDAP read operations to query user/computer attributes from the directory can also work against Azure AD Domain Services.
•    Group Policy: You can leverage a single built-in GPO each for the users and computers containers in order to enforce compliance with required security policies for user accounts as well as domain joined computers.
•    Available in multiple Azure regions: See the Azure services by region page to know the Azure regions in which Azure AD Domain Services are available.
•    High availability: Azure AD Domain Services offer high availability for your domain. This offers the guarantee of higher service uptime and resilience to failures. Built-in health monitoring offers automated remediation from failures by spinning up new instances to replace failed instances and to provide continued service for your domain.
•    Use familiar management tools: You can use familiar Windows Server Active Directory management tools such as the Active Directory Administrative Center or Active Directory PowerShell in order to administer domains provided by Azure AD Domain Services.

In my demo today I am going to show how to enable Azure AD Domain Services and how to configure it properly for cloud-only IaaS setup.

I have created Azure AD instance called REBELADMIN already. I will be using it during the demo.

aads1

Setup Azure Virtual Network

I am going to show how to setup new azure virtual network. The azure AD domain service instance also need to assign to the same virtual network as your other service run in order to integrate those resources.

1)    In Azure Classic Portal click on “Networks” option in left side.

aads2

2)    Then click on “Create a Virtual Network

aads3

3)    In wizard type the name for the virtual network and select the location, then click on proceed button to go to next step

aads4

4)    In next page, I am not going to define any DNS servers as I will setup it in later time in this demo, click on proceed button

aads5

5)    In next window it will show the address space, you can either customize or proceed with default. I am going to use default.

aads6

6)    After proceed, its created the new virtual network successfully

aads7

Enable Azure AD Domain Service

Now we got the virtual network setup. Next step is to enable the domain service.

1)    Click on the Azure AD directory instance which needs to enable Azure AD Domain Service (if you not done yet you can do it using New > App Services > Active Directory > Directory )

aads8

2)    Then click on “Configure

aads9

3)    Under the “Domain Services” click on “Yes” button to enable the domain services.

aads10

4)    DNS Domain name of domain services – This option to define the dns domain name. If you do not have domain setup you still can use default azure name which is ends up with onmicrosoft.com.
Connect domain service to this virtual network – in here you can define which virtual network domain service should assign to. I have selected the new virtual network created on previous step.
After changes click on “Save

aads11

5)    Then it will start to activate the service.

aads12

6)    Currently it takes like 30 minutes to get service enabled. Once its setup we can see the DNS server ip address appears. This is important as we need to add these in to virtual network in order to join servers to domain.

aads13

Add DNS server details into Virtual Network

1)    Click on the virtual network where Azure AD domain service also associated with.

aads14

2)    Click on the configure and then add the DNS server info

aads15

3)    Click on Save to submit the changes

Create “AAD DC Administrator” group

Since Azure AD Domain service is managed service you will not get domain admin or enterprise administrator privileges to the Ad instance. But you allowed to create this group and all the members of this group will be granted with administrator privileges to the domain join servers (This group will added to the administrators group in domain join servers).

In order to do that need to load the Azure AD instance again,

1)    Click on the relevant Azure AD instance.

aads16

2)    Click on the “Groups” and then Add Group

aads17

3)    Then in next window type the group name as “AAD DC Administrators” and type as “Security” then click on proceed button. Please note you must use the text on same format in order to get enable this group.

aads18

4)    Then you can add the member as you prefer

aads19

With this our initial configuration is done. The next step is to enable password synchronization to allow users to use their cooperate logins to log in to the domain. I will explain it on my next post as another step-by-step guide.

If you have any questions about the post feel free to contact me on rebeladm@live.com

Share and Enjoy:
  • Print
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • LinkedIn
  • Live
  • RSS
  • StumbleUpon
  • Twitter