Tag Archives: Active Directory 2016

Find Active Directory Objects (PowerShell Guide)

Active Directory can hold near 2 billion objects. When the number of objects grows, the requirement for affective object filtering grows as well. Active Directory have several GUI options to search/filter specific objects. We also can filter objects using PowerShell. 

In previous posts, we learned about Get-ADUser and Get-ADComputer cmdlets and how it can be used with other commands to filter out objects from Active directory and perform administrative tasks.  It is also can use to retrieve specific attribute values from filtered objects. 

Get-ADUser -Identity user1 -Properties *

In above command, it will list down all the attributes and its values associated with user1. This helps to find exact attributes names and common values which can use for further filtering. 

I need to know values of Name, UserPrincipalName and Modified for all the users. Following command will create a table with attributes and its values. 

Get-ADUser -Filter * -Properties Name,UserPrincipalName,Modified | ft Name,UserPrincipalName,Modified

fobj01

I can see some accounts in the list which is service accounts and administrator account. I only want to see the accounts which is in Kingston office

Get-ADUser -Filter {City -like "Kingston"} -Properties Name,UserPrincipalName,Modified | ft Name,UserPrincipalName,Modified  

With above it filters it further based on the City value.

Now I have the list of data I needed, I like to export it to a CSV file for future use. 

Get-ADUser -Filter {City -like "Kingston"} -Properties Name,UserPrincipalName,Modified | select-object Name,UserPrincipalName,Modified | Export-csv -path C:\ADUSerList.csv

So, above example shows how search query can build up from granular level to find the exact information needed from objects. 

Search-ADAccount cmdlet can also use to search for the active directory objects based on account and password status. Full syntax for the cmdlet can retrieve using,

Get-Command Search-ADAccount -Syntax 

As an example, it can use to filter the accounts which is locked out. 

Search-ADAccount -LockedOut | FT Name,UserPrincipalName

Above command will list down all the lockout accounts with name and UPN

Unlikely the graphical tools, Powershell queries can build to filter the exact objects and data from active directory. 

This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Active Directory Managed Service Accounts (PowerShell Guide)

Services Accounts are recommended to use when install application or services in infrastructure. It is dedicated account with specific privileges which use to run services, batch jobs, management tasks. In most of the infrastructures, service accounts are typical user accounts with “Password never expire” option. Since these service accounts are not been use regularly, Administrators have to keep track of these accounts and their credentials. I have seen in many occasions where engineers face in to issues due to outdated or misplace service account credential details. Pain of it is, if you reset the password of service accounts, you will need to update services, databases, application settings to get application or services up and running again. Apart from it Engineers also have to manage service principle names (SPN) which helps to identify service instance uniquely. 

After considering all these challenges Microsoft has introduced Managed Service Accounts with windows server 2008 R2. These accounts got following features and limitations,

No more password management. It uses a complex, random, 240-character password and change that automatically when it reaches the domain or computer password expire date.

It cannot be lock out or use for interactive login. 

One managed service account only can use in one computer. it cannot be share between multiple computers

Simplified SPN Management – System will automatically change the SPN value if sAMaccount details of the computer change or DNS name property change. 

In order to create Managed service account, we can use following command, I am running this from the domain controller.

New-ADServiceAccount -Name "MyAcc1" -RestrictToSingleComputer

In above command I am creating service account called MyAcc1 and I am restricting it to one computer. 

Next step is associate the service account with the Host REBEL-SRV01 where I am going to use this service account. 

Add-ADComputerServiceAccount -Identity REBEL-SRV01 -ServiceAccount "MyAcc1"

Next step is to install service account in the REBEL-SRV01 server. We need active directory PowerShell module for this. We can install it using RSAT tools. Once its ready run the command,

Install-ADServiceAccount -Identity "MyAcc1"

Once it’s done, we can test it using,

Test-ADServiceAccount "MyAcc1"

It is return the value True which means the test is successful. 

msa1
 
From active directory server, we can verify the service account by running
 
Get-ADServiceAccount "MyAcc1"
 
msa2
 
Tip – When configure the Manager service account in service make sure to leave the password as empty. You do not need to define any password there as system auto generate the password. 
 
This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Create Active Directory User Objects using PowerShell

There are few ways to create user objects in Active Directory. If it’s using GUI, it can be done using Active Directory Administrative Center or Active Directory Users and Computers MMC. If it is using command line, it can be done using windows command-line or PowerShell. In this demo, I am going to show how we can create user object using PowerShell. 

In order to create user object in active directory we can use New-ADUser cmdlet in PowerShell. You can view the full syntax for the command along with the accepted data types using,

Get-Command New-ADUser -Syntax

In order to create a New User account using PowerShell the minimum value you need to pass is -Name. it will create a disabled user account and you still can define values for other attributes later. 

This is a sample which can use to create a user account,

New-ADUser -Name "Talib Idris" -GivenName "Talib" -Surname "Idris" -SamAccountName "tidris" -UserPrincipalName "tidris@rebeladmin.com" -Path "OU=Users,OU=Europe,DC=rebeladmin,DC=com" -AccountPassword(Read-Host -AsSecureString "Type Password for User") -Enabled $true

In the command,

Name – Defines the Full Name

Given Name – Defines the First Name

Surname – Defines the Surname

SamAccountName – Defines the User Name

UserPrincipalName – Defines the UPN for the user account

Path – Defines the OU path. The default location is “CN=Users,DC=rebeladmin,DC=com”

AccountPassword – This will allow user to input password for the user and system will convert it to the relevant data type

Enable – defines if the user account status is enabled or disabled. 

uadd1
 
You can create a user account with minimum attributes such as Name and UPN. Then later can define a password and enable the account. User account cannot enable without a password. To define password can use Set-ADAccountPassword -Identity cmdlet and to enable account can use Enable-ADAccount -Identity cmdlet. 
 
Instead of executing multiple commands to create multiple user objects, we can create a CSV (comma-separated values) file which include data for attributes and use it to create accounts in one go. 
 
In demo I am using following CSV file. 
 
uadd2

Import-Csv "C:\ADUsers.csv" | ForEach-Object {
$upn = $_.SamAccountName + “@rebeladmin.com” 
New-ADUser -Name $_.Name `
 -GivenName $_."GivenName" `
 -Surname $_."Surname" `
 -SamAccountName  $_."samAccountName" `
 -UserPrincipalName  $upn `
 -Path $_."Path" `
 -AccountPassword (ConvertTo-SecureString “Pa$$w0rd” -AsPlainText -force) -Enabled $true
}
 
In above script Import-Csv cmdlet used to import the CSV file created. I have defined parameter $upn = $_.SamAccountName + “@rebeladmin.com” to use for the  -UserPrincipalName value. In script, I have defined a common password for all the accounts using -AccountPassword (ConvertTo-SecureString “Pa$$w0rd” -AsPlainText -force) 
 
uadd3
 
This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Step-by-Step Migration Guide to Active Directory 2016 (PowerShell Guide)

This is my first blog post in 2018. So, first of all Happy New year to my blog readers!

In many occasions, I have written articles about Active Directory Migrations. But still I get lots of emails from readers to clarify things about AD migrations. So, I thought to revisit it by covering most common questions I gets. Also in this blog post, I will show how to do the AD migration only using PowerShell.

Migration task itself is very straight forward. But there are other things you need to consider before you do an AD migration. In below I listed a checklist you can use in many occasions. 

Active Directory Migration Check List 

Evaluate business requirement for active directory migration 

Perform Audit on Existing Active Directory Infrastructure to verify its health status

Create Plan for implementation Process

Prepare Physical / Virtual resources for Domain Controller

Install Windows server 2016 Standard / Datacenter

Patch Servers with latest Windows Updates

Assign Dedicate IP address to Domain Controller

Install AD DS Role

Migrate Application and Server Roles from the Existing Domain Controllers

Migrate FSMO roles to new Domain Controllers

Add New Domain controller to the Existing DR Solution

Decommission old domain controllers 

Raise the Domain and Forest Functional level

On Going Maintenance 

Tips – During audit process you need to verify if your applications will support new AD schema. it is very rare but I have seen legacy applications which is not support newer schema versions. 
 
Also in some scenarios, it is hard to replace primary dc with a DC running with different IP address. AD is supported for IP changes even after FSMO role changes. There for if need you can swap IP addresses after you migrate FSMO roles. 
 
Topology
 
In my demo environment, I have an existing domain controller running with windows server 2012 R2. I am going to migrate it to a windows server 2016 server.
 
mig1
 
In the demonstration, REBEL-WIN-DC01 is the domain controller with windows server 2012 R2 and REBEL-SDC01 is the domain controller with windows server 2016. 
 
Tip – When you introduce new domain controllers to the existing infrastructure it is recommended to introduce to the forest root level first and then go to the domain tree levels.
 
Add Additional Domain Control 
 
As per plan I need to add a new domain controller with windows server 2016 to existing domain first.
 
1) Log in to the Server (Windows server 2016) as a member of local administrators group. 
2) Add server to the existing domain as member. 
3) Log in to domain controller as enterprise administrator.  
4) Verify the static IP address allocation using ipconfig /all.
5) Launch the PowerShell Console as an Administrator
6) Before the configuration process, we need to install the AD DS Role in the given server. In order to do that we can use Following command. 

Install-WindowsFeature –Name AD-Domain-Services -IncludeManagementTools
 
7) After successful role service Installation, next step is to configure the domain controller. It can be done using following PowerShell command. 
 
Install-ADDSDomainController
-CreateDnsDelegation:$false
-InstallDns:$true
-DomainName "rebeladmin.com"
-SiteName "Default-First-Site-Name"
-ReplicationSourceDC "REBEL-WIN-DC01.rebeladmin.com"
-DatabasePath "C:\Windows\NTDS"
-LogPath "C:\Windows\NTDS"
-SysvolPath "C:\Windows\SYSVOL"
-Force:$true 


Argument

Description

Install-ADDSDomainController

This cmdlet will install the domain controller in active directory infrastructure.

-SiteName

This Parameter can use to define the active directory site name.  the default value is Default-First-Site-Name

-DomainName

This parameter defines the FQDN for the active directory domain.

-ReplicationSourceDC

Using this parameter can define the active directory replication source. By default, it will use any available domain controller. But if need we can be specific.

-InstallDns

Using this can specify whether DNS role need to install with active directory domain controller. For new forest, it is default requirement to set it to $true.

-LogPath

Log path can use to specify the location to save domain log files.

-SysvolPath

This is to define the SYSVOL folder path. Default location for it will be C:\Windows

-Force

This parameter will force command to execute by ignoring the warning. It is typical for the system to pass the warning about best practices and recommendations. 

 
Once execute the command it will ask for SafeModeAdministrator Password. Please use complex password to proceed. This will be used for DSRM.
 
After configuration completed, restart the system and log back in as administrator to check the AD DS status. 

Get-Service adws,kdc,netlogon,dns
 
Move FSMO Roles 
 
Now we have additional domain controller and next step is to migrate FSMO roles to the new server. 
 
We can migrate all five FSMO roles to the New domain controller using following powershell command,
 
Move-ADDirectoryServerOperationMasterRole -Identity REBEL-SDC01 -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
 
In above the REBEL-SDC01 is domain controller running with windows server 2016. Once its completed, we can verify the new FSMO role holder using 
 
Netdom query fsmo
 
mig2

 
Decommission Old Domain Controller 
 
Now we moved FSMO roles over and next step is to decommission old DC which is running with windows server 2012 R2. 
In order to do that, log in to old DC as enterprise administrator and run following powershell command,

Uninstall-ADDSDomainController -DemoteOperationMasterRole -RemoveApplicationPartition
 
After execute the command it will ask to define password for the local administrator account.
 
mig3
 
Once its completed it will be a member server of the rebeladmin.com domain.
 
Raise Domain and Forest Functional level

After you remove your last domain controller running with windows server 2012 r2 (if its 2012 or 2008 r2 same thing apply) we can raise Domain and Forest Functional level to windows server 2016. You need it to have features comes with AD 2016. 
To upgrade domain functional level, you can use following powershell command
 
Set-ADDomainMode –identity rebeladmin.com -DomainMode Windows2016Domain
 
To upgrade forest function level, you can use following command

Set-ADForestMode -Identity rebeladmin.com -ForestMode Windows2016Forest
 
After the migration completes we still need to verify if its completes successfully.
 
Get-ADDomain | fl Name,DomainMode
 
This command will show the current Domain functional level of the domain after the migration. 
 
Get-ADForest | fl Name,ForestMode
 
Above command will show the current forest functional level of the domain. 
Also, you can use
 
Get-EventLog -LogName 'Directory Service' | where {$_.eventID -eq 2039 -or $_.eventID -eq 2040} | Format-List
 
To search event ID 2039 and 2040 in the “Directory Service” log which will show the forest and domain functional level updates.
 
mig4
 
Event ID 1458 will verify the transfer of the FSMO roles. 

Get-EventLog -LogName 'Directory Service' | where {$_.eventID -eq 1458} | Format-List
 
You can use following to verify the list of domain controllers and make sure the old domain controller is gone. 
 
Get-ADDomainController -Filter * | Format-Table Name, IPv4Address
 
Apart from these you also can go through Directory Service and DNS Logs to see if there’s any issues recorded.
 
This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Microsoft Advanced Threat Analytics (ATA) – Part 02

In previous part of this blog post I have explain what is ATA and what it is capable of. If you not read it yet you can find it in here http://www.rebeladmin.com/2017/05/microsoft-advanced-threat-analytics-ata-part-01/

In this part of the post I am going to demonstrate how we can setup ATA. Before we start I like to explain about the demo environment we going to use.

  • This deployment is going to use AD environment which running AD DS 2016 with Forest and Domain functional levels set to Windows Server 2016.
  •  All the servers used in the demo is running with windows server 2016 with latest updates.
  • The Server which is going to use as ATA center has two IP addresses assigned which is 192.168.0.190 and 192.168.0.191
  • In demo, we are going to use ATA Lightweight Gateway, which will be installed on domain controller directly. There for no port mirroring or separate gateway server required.
  • All the SSL used in deployment are self-signed certificates.
  • We will be using separate service account to connect ATA center with Domain Controller.

First Step of the setup is to get ATA center setup,

Deploying ATA Center

1) Log in to the server which is planned to use as ATA center as domain and or enterprise administrator.

2) Download ATA Center Installation files. It is allowing to use 90 days’ trial as well. 

3) Then run Microsoft ATA Center Setup.exe as Administrator

4) Then In the first window select the relevant language and click Next.

5) In next window, it shows license terms. Read and click on Next to continue

6) Then it asks how you like to know about updates. It is recommended to use Microdot Updates for that. Choose option Use Microsoft Update when I check for updates and then click Next.

7) Then in next window we can define application installation paths, database path, center service IP address and port, SSL certificates, Console IP address. After changes, click on Install to begin the installation. 

ata1

8) Once installation finished, it will give option to launch the ATA center. 

9) After launch ATA center, log in to it using the account used to install ATA center. If you need later you can add additional administrator accounts. 

10) As soon as login, it gives window to provide account and domain info to connect to Active directory. Type the service account info you going to use for this. This account is just a typical user account and no additional permission needed (except read permission for all AD objects). once account details entered, click on test connection option to verify the connection and then click on Save

 ata2

Deploying ATA Lightweight Gateway

1) Log in to the Domain Controller as Domain Admin or Enterprise Admin. 

2) Launch IE and connect to ATA Center URL. It is via the console IP we specify during the ATA center installation. 

3) Log in to ATA center as an Administrator. 

4) In initial page, it will look like following. Click on link Download gateway setup and install the first Gateway

ata3

5) In next page, it gives option to download the Gateway Setup files. Click on the download button to download the installation files. 

ata4

6) After download completes, extract the file and run the Microsoft ATA Gateway Setup.exe 

7) In language page, select the relevant language and click Next to continue.  

8) Then, it will give the confirmation about deployment type. By default, it detects the type as Lightweight Gateway. Click Next to proceed with the deployment.

ata5

9) In next window, we can specify the installation path, SSL certificate information and account details to register the gateway with the ATA center. This account should be a member of ATA administrator group. once all typed in, click on Install to begin the installation. 

ata6

10) Once it completed, log in to ATA center and verify if you can see it is successfully registered. 

ata7

 ATA Testing

 The easiest way to test the ATA functions is to simulate a DNS reconnaissance attack. In order to do that,

1) Log in to a Domain Computer

2) Open the command prompt and type, nslookup – REBE-PDC01.therebeladmin.com and press enter. The server name can be replaced by any available domain controller FQDN. 

3) The type ls msn.com

4) Then log in to ATA center and check the timeline. There we can see the detected event. 

ata8

In here it is only display it as a time line entry, but ATA also allows to send events as email alerts. This configuration can be done using ATA Center > Configuration > Mail Server Settings and Notification Settings

ata9

Then, once an event is raised it will sent out an email alert too.

ata10

This completes the ATA deployment. If you have any questions feel free to contact me on rebeladm@live.com

Time Based Group Membership – AD DS 2016

In new AD DS 2016 allows administrators to assign temporally group membership which is expressed by TTL (Time-To-Live) value. This value will add to the Kerberos ticket. This also called as “Expiring-Link” feature. When user assign to a temporally group membership, his login Kerberos ticket granting ticket (TGT) life time will be equal to lowest TTL value he has. 

This feature is not enabled by default. The reason for that is, to use this feature the forest function level must be windows server 2016. Also, once this feature is enabled, it cannot be disabled. 

Let’s see how it works

Enable-ADOptionalFeature ‘Privileged Access Management Feature’ -Scope ForestOrConfigurationSet -Target rebeladmin.com

tg2

Rebeladmin.com can be replaced with your FQDN.

I have a user called Peter which I need to assign Domain Admin group membership for 15 minutes.

Get-ADGroupMember “Domain Admins” will list the current member of domain admin group. 

tg1

Next step is to add the peter to the domain admin group for 15 minutes.

Add-ADGroupMember -Identity ‘Domain Admins’ -Members ‘peter’ -MemberTimeToLive (New-TimeSpan -Minutes 15)

tg3

Once its run, we can verify the TTL value remaining for the group membership using,

Get-ADGroup ‘Domain Admins’ -Property member -ShowMemberTimeToLive

tg4

Once I log in as the user and list the Kerberos ticket it shows the renew time with less than 15 minutes as I log in as user after few minutes of granting.

tg5

Once the TGT renewal come the user will no longer be member of domain admin group. 

hope this was useful and if you have any questions feel free to contact me on rebeladm@live.com