Tag Archives: AD

Azure AD Connect Staging Mode

Azure AD Connect is the tool use to connect on-premises directory service with Azure AD. It allows users to use same on-premises ID and passwords to authenticate in to Azure AD, Office 365 or other Applications hosted in Azure. Azure AD connect can install on any server if its meets following,

• The AD forest functional level must be Windows Server 2003 or later.

• If you plan to use the feature password writeback, then the Domain Controllers must be on Windows Server 2008 (with latest SP) or later. If your DCs are on 2008 (pre-R2), then you must also apply hotfix KB2386717.

• The domain controller used by Azure AD must be writable. It is not supported to use a RODC (read-only domain controller) and Azure AD Connect does not follow any write redirects.

• It is not supported to use on-premises forests/domains using SLDs (Single Label Domains).

• It is not supported to use on-premises forests/domains using "dotted" (name contains a period ".") NetBios names.

• Azure AD Connect cannot be installed on Small Business Server or Windows Server Essentials. The server must be using Windows Server standard or better.

• The Azure AD Connect server must have a full GUI installed. It is not supported to install on server core.

• Azure AD Connect must be installed on Windows Server 2008 or later. This server may be a domain controller or a member server when using express settings. If you use custom settings, then the server can also be stand-alone and does not have to be joined to a domain.

• If you install Azure AD Connect on Windows Server 2008 or Windows Server 2008 R2, then make sure to apply the latest hotfixes from Windows Update. The installation is not able to start with an unpatched server.

• If you plan to use the feature password synchronization, then the Azure AD Connect server must be on Windows Server 2008 R2 SP1 or later.

• If you plan to use a group managed service account, then the Azure AD Connect server must be on Windows Server 2012 or later.

• The Azure AD Connect server must have .NET Framework 4.5.1 or later and Microsoft PowerShell 3.0 or later installed.

• If Active Directory Federation Services is being deployed, the servers where AD FS or Web Application Proxy are installed must be Windows Server 2012 R2 or later. Windows remote management must be enabled on these servers for remote installation.

• If Active Directory Federation Services is being deployed, you need SSL Certificates.

• If Active Directory Federation Services is being deployed, then you need to configure name resolution.

• If your global administrators have MFA enabled, then the URL https://secure.aadcdn.microsoftonline-p.com must be in the trusted sites list. You are prompted to add this site to the trusted sites list when you are prompted for an MFA challenge and it has not added before. You can use Internet Explorer to add it to your trusted sites.

• Azure AD Connect requires a SQL Server database to store identity data. By default a SQL Server 2012 Express LocalDB (a light version of SQL Server Express) is installed. SQL Server Express has a 10GB size limit that enables you to manage approximately 100,000 objects. If you need to manage a higher volume of directory objects, you need to point the installation wizard to a different installation of SQL Server.

What is staging mode?

In a given time, only one Azure AD connect instance can involve with sync process for a directory. But this gives few challenges.

Disaster Recovery – If the server with Azure AD connect involves in a disaster it going to make impact on sync process. This can be worse if you using features such as password pass-through, single-sing-on, password writeback through AD connect.

Upgrades – If the system which running Azure AD connect needs upgrade or if Azure AD connect itself needs upgrade, will make impact for sync process. Again, the affordable downtime will be depending on the features and organization dependencies over Azure AD connect and its operations.

Testing New Features – Microsoft keep adding new features to Azure AD connect. Before introduce those to production its always good to simulate and see how it will impact. But if its only one instance, it is not possible to do so. Even you have demo environment it may not simulate same impact as production in some occasions.

Microsoft introduced the staging mode of Azure AD connect to overcome above challenges. With staging mode, it allows you to maintain another copy of Azure AD connect instance in another server. it can have same config as primary server. It will connect to Azure AD and receive changes and keep a latest copy to make sure the switch over is seamless as possible. However, it will not sync Azure AD connect configuration from primary server. it is engineer’s responsibility to update staging server AD connect configuration, if primary server AD connects config modified.

Installation

Let’s see how we can configure Azure AD connect in staging mode.

1) Prepare a server according to guidelines given in prerequisites section to install Azure AD Connect.

2) Review current configuration of Azure AD connect running on primary server. you can check this by Azure AD Connect | View current configuration

3) Log in to server as Domain Administrator and download latest Azure Ad Connect from https://www.microsoft.com/en-us/download/details.aspx?id=47594

4) During the installation, please select customize option.

5) Then proceed with the configuration according to settings used in primary server.

6) At the last step of the configuration, select Enable staging mode: When selected, synchronization will not export any data to Ad or Azure AD and then click install.

7) Once installation completed, in Synchronization Service (Azure AD Connect | Synchronization Service) we can confirm there is no sync jobs.

Verify data

As I mentioned before, staging server allows to simulate export before it make as primary. This is important if you implement new configuration changes.

In order to prepare a staged copy of export,

1) Go to Start | Azure AD Connect | Synchronization Service | Connectors

2) Select the Active Directory Domain Services connector and click on Run from the right-hand panel.

3) Then in next window select Full Import and click OK.

4) Repeat same for Windows Azure Active Directory (Microsoft)

5) Once both jobs completed, Select the Active Directory Domain Services connector and click on Run from the right-hand panel again. But this time select Delta Synchronization, and click OK.

6) Repeat same for Windows Azure Active Directory (Microsoft)

7) Once both jobs finished, go to Operation tab and verify if jobs were completed successfully.

Now we have the staging copy, next step is to verify if the data is presented as expected. to do that we need to get help of a PowerShell script.

Param(

    [Parameter(Mandatory=$true, HelpMessage="Must be a file generated using csexport 'Name of Connector' export.xml /f:x)")]

[string]$xmltoimport="%temp%\exportedStage1a.xml",

[Parameter(Mandatory=$false, HelpMessage="Maximum number of users per output file")][int]$batchsize=1000,

[Parameter(Mandatory=$false, HelpMessage="Show console output")][bool]$showOutput=$false

)

#LINQ isn't loaded automatically, so force it

[Reflection.Assembly]::Load("System.Xml.Linq, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089") | Out-Null

[int]$count=1

[int]$outputfilecount=1

[array]$objOutputUsers=@()

#XML must be generated using "csexport "Name of Connector" export.xml /f:x"

write-host "Importing XML" -ForegroundColor Yellow

#XmlReader.Create won't properly resolve the file location,

#so expand and then resolve it

$resolvedXMLtoimport=Resolve-Path -Path ([Environment]::ExpandEnvironmentVariables($xmltoimport))

#use an XmlReader to deal with even large files

$result=$reader = [System.Xml.XmlReader]::Create($resolvedXMLtoimport)

$result=$reader.ReadToDescendant('cs-object')

do

{

#create the object placeholder

#adding them up here means we can enforce consistency

$objOutputUser=New-Object psobject

Add-Member -InputObject $objOutputUser -MemberType NoteProperty -Name ID -Value ""

Add-Member -InputObject $objOutputUser -MemberType NoteProperty -Name Type -Value ""

Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name DN -Value ""

Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name operation -Value ""

Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name UPN -Value ""

Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name displayName -Value ""

Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name sourceAnchor -Value ""

Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name alias -Value ""

Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name primarySMTP -Value ""

Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name onPremisesSamAccountName -Value ""

Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name mail -Value ""

$user = [System.Xml.Linq.XElement]::ReadFrom($reader)

if ($showOutput) {Write-Host Found an exported object... -ForegroundColor Green}

#object id

$outID=$user.Attribute('id').Value

if ($showOutput) {Write-Host ID: $outID}

$objOutputUser.ID=$outID

#object type

$outType=$user.Attribute('object-type').Value

if ($showOutput) {Write-Host Type: $outType}

$objOutputUser.Type=$outType

#dn

$outDN= $user.Element('unapplied-export').Element('delta').Attribute('dn').Value

if ($showOutput) {Write-Host DN: $outDN}

$objOutputUser.DN=$outDN

#operation

$outOperation= $user.Element('unapplied-export').Element('delta').Attribute('operation').Value

if ($showOutput) {Write-Host Operation: $outOperation}

$objOutputUser.operation=$outOperation

#now that we have the basics, go get the details

foreach ($attr in $user.Element('unapplied-export-hologram').Element('entry').Elements("attr"))

{

$attrvalue=$attr.Attribute('name').Value

$internalvalue= $attr.Element('value').Value

switch ($attrvalue)

{

"userPrincipalName"

{

if ($showOutput) {Write-Host UPN: $internalvalue}

$objOutputUser.UPN=$internalvalue

}

"displayName"

{

if ($showOutput) {Write-Host displayName: $internalvalue}

$objOutputUser.displayName=$internalvalue

}

"sourceAnchor"

{

if ($showOutput) {Write-Host sourceAnchor: $internalvalue}

$objOutputUser.sourceAnchor=$internalvalue

}

"alias"

{

if ($showOutput) {Write-Host alias: $internalvalue}

$objOutputUser.alias=$internalvalue

}

"proxyAddresses"

{

if ($showOutput) {Write-Host primarySMTP: ($internalvalue -replace "SMTP:","")}

$objOutputUser.primarySMTP=$internalvalue -replace "SMTP:",""

}

$objOutputUsers += $objOutputUser

    Write-Progress -activity "Processing ${xmltoimport} in batches of ${batchsize}" -status "Batch ${outputfilecount}: " -percentComplete (($objOutputUsers.Count / $batchsize) * 100)

#every so often, dump the processed users in case we blow up somewhere

if ($count % $batchsize -eq 0)

{

Write-Host Hit the maximum users processed without completion... -ForegroundColor Yellow

#export the collection of users as as CSV

Write-Host Writing processedusers${outputfilecount}.csv -ForegroundColor Yellow

$objOutputUsers | Export-Csv -path processedusers${outputfilecount}.csv -NoTypeInformation

#increment the output file counter

$outputfilecount+=1

#reset the collection and the user counter

$objOutputUsers = $null

$count=0

}

$count+=1

#need to bail out of the loop if no more users to process

if ($reader.NodeType -eq [System.Xml.XmlNodeType]::EndElement)

{

break

}

} while ($reader.Read)

#need to write out any users that didn't get picked up in a batch of 1000

#export the collection of users as as CSV

Write-Host Writing processedusers${outputfilecount}.csv -ForegroundColor Yellow

$objOutputUsers | Export-Csv -path processedusers${outputfilecount}.csv -NoTypeInformation

This is available on https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-operations#appendix-csanalyzer

Save this as .ps1 on C Drive.

1) Open PowerShell and type cd "C:\Program Files\Microsoft Azure AD Sync\Bin" (if your install path is different use the relevant path)

2) Then run .\csexport "myrebeladmin.onmicrosoft.com – AAD" C:\export.xml /f:x in here myrebeladmin.onmicrosoft.com -AAD should replace with your Azure AD connector name. This will export config to C:\export.xml

3) Then type .\analyze.ps1 -xmltoimport C:\export.xml in here analyze.ps1 is the script we saved in beginning of this section.

4) Then it will create CSV file called processedusers1.csv and it’s contain all changes which will sync to Azure AD.

However, this step is always not required. It can make as primary server without import and verify process.

How to make it as primary Server?

In order to make staging server as primary server,

1) Go to Start | Azure AD Connect | Azure AD Connect

2) Then click on Configure in next page.

3) In next page select option Configure staging mode and click Next

4) In next page provide the Azure AD login credentials for directory sync account.

5) In next window, untick Enable staging mode and click Next

6) In next window select start the synchronization process… and click Configure

This completes the process of promoting staging server in to primary. Hope this was useful and if you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

What is Content Freshness protection in DFSR?

Healthy Replication is a must for active directory environment. SYSVOL folder in domain controllers contain policies and log on scripts. It is replicated between domain controllers to maintain up to date config (consistency). Before windows server 2008, it used FRS (File Replication Service) to replicate sysvol content among domain controllers. With Windows server 2008 FRS was deprecated and introduced Distributed File System (DFS) for replication.

A healthy replication required healthy communication between domain controllers. sometime the communication can interrupt due to domain controller failure or link failure. Based on the impact it is still possible that the communication re-established after period of time. Then it will try to resume replication and catch up with SYSVOL changes. In such scenario, we may see event 4012 in event viewer.

The DFS Replication service stopped replication on the replicated folder at local path c:\xxx. It has been disconnected from other partners for 70 days, which is longer than the MaxOfflineTimeInDays parameter. Because of this, DFS Replication considers this data to be stale, and will replace it with data from other members of the replication group during the next replication. DFS Replication will move the stale files to the local Conflict folder. No user action is required.

With windows server 2008, Microsoft introduced a setting called content freshness protection to protect DFS shares from stale data. DFS also use a multi-master database similar to active directory. It also has tombstone time limit similar to Active Directory. The default value for this is 60 days. If there were no replication more than that time and resume replication in later time, it can have stale data. It is similar to lingering objects in AD. To protect from this, we can define value for MaxOfflineTimeInDays. if the number of days from last successful DFS replication is larger than MaxOfflineTimeInDays it will prevent the replication.

We can review this value by running,

For /f %m IN ('dsquery server -o rdn') do @echo %m && @wmic /node:"%m" /namespace:\\root\microsoftdfs path DfsrMachineConfig get MaxOfflineTimeInDays

There is two ways to recover from this. First method is to increase the value of MaxOfflineTimeInDays. it can be done using,

wmic.exe /namespace:\\root\microsoftdfs path DfsrMachineConfig set MaxOfflineTimeInDays=120

It is recommended to run this on all domain controllers to maintain same config.

If you not willing to change this value, it still can recover using non-authoritative restore. It will remove all conflicting values and take an updated copy.

I have already written an article about non-authoritative restore of SYSVOL and it can be find in http://www.rebeladmin.com/2017/08/non-authoritative-authoritative-sysvol-restore-dfs-replication/

This is not only for SYSVOL replication. It is valid for DFS replication in general.

Hope this was useful and if you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Step-by-Step guide to setup Fine-Grained Password Policies

In AD environment, we can use password policy to define passwords security requirements. These settings are located under Computer Configuration | Policies | Windows Settings | Security Settings | Account Policies

Before Windows server 2008, only one password policy can apply to the users. But in an environment, based on user roles it may require additional protection. As an example, for sales users 8-character complex password can be too much but it is not too much for domain admin account. With windows server 2008 Microsoft introduced Fine-Grained Password Policies. This allow to apply different password policies users and groups. In order to use this feature,

1) Your domain functional level should be windows server 2008 at least.

2) Need Domain/Enterprise Admin account to create policies.

Similar to group policies, sometime objects may end up with multiple password policies applied to it. but in any given time, an object can only have one password policy. Each Fine-Grained Password Policy have a precedence value. This integer value can define during the policy setup. Lower precedence value means the higher priority. If multiple policies been applied to an object, the policy with lower precedence value wins. Also, policy linked to user object directly, always wins.

We can create the policies using Active Directory Administrative Centre or PowerShell. In this demo, I am going to use PowerShell method.

New-ADFineGrainedPasswordPolicy -Name "Tech Admin Password Policy" -Precedence 1 `

-MinPasswordLength 12 -MaxPasswordAge "30" -MinPasswordAge "7" `

-PasswordHistoryCount 50 -ComplexityEnabled:$true `

-LockoutDuration "8:00" `

-LockoutObservationWindow "8:00" -LockoutThreshold 3 `

-ReversibleEncryptionEnabled:$false

In above sample I am creating a new fine-grained password policy called “Tech Admin Password Policy”. New-ADFineGrainedPasswordPolicy is the cmdlet to create new policy. Precedence to define precedence. LockoutDuration and LockoutObservationWindow values are define in hours. LockoutThreshold value defines the number of login attempts allowed.

More info about the syntax can find using,

Get-Help New-ADFineGrainedPasswordPolicy

Also, can view examples using

Get-Help New-ADFineGrainedPasswordPolicy -Examples

Once policy is setup we can verify its settings using,

Get-ADFineGrainedPasswordPolicy –Identity “Tech Admin Password Policy”

Now we have policy in place. Next step is to attach it to groups or users. In my demo, I am going to apply this to a group called “IT Admins”

Add-ADFineGrainedPasswordPolicySubject -Identity "Tech Admin Password Policy" -Subjects "IT Admins"

I also going to attach it to s user account R143869

Add-ADFineGrainedPasswordPolicySubject -Identity "Tech Admin Password Policy" -Subjects "R143869"

We can verify the policy using following,

Get-ADFineGrainedPasswordPolicy -Identity "Tech Admin Password Policy" | Format-Table AppliesTo –AutoSize

This confirms the configuration. Hope this was useful and if you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

When AD password will expire?

In Active Directory environment users have to update their passwords when its expire. In some occasions, it is important to know when user password will expire.

For user account, the value for the next password change is saved under the attribute msDS-UserPasswordExpiryTimeComputed

We can view this value for a user account using a PowerShell command like following,

Get-ADuser R564441 -Properties msDS-UserPasswordExpiryTimeComputed | select Name, msDS-UserPasswordExpiryTimeComputed

In above command, I am trying to find out the msDS-UserPasswordExpiryTimeComputed attribute for the user R564441. In output I am listing value of Name attribute and msDS-UserPasswordExpiryTimeComputed

In my example, it gave 131412469385705537 but it’s not mean anything. We need to convert it to readable format.

I can do it using,

Get-ADuser R564441 -Properties msDS-UserPasswordExpiryTimeComputed | select Name, {[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}

In above the value was converted to datetime format and now its gives readable value.

We can further develop this to provide report or send automatic reminders to users. I wrote following PowerShell script to generate a report regarding all the users in AD.

$passwordexpired = $null

$dc = (Get-ADDomain | Select DNSRoot).DNSRoot

$Report= "C:\report.html"

$HTML=@"

<title>Password Validity Period For $dc</title>

<style>

BODY{background-color :LightBlue}

</style>

"@

$passwordexpired = Get-ADUser -filter * –Properties "SamAccountName","pwdLastSet","msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property "SamAccountName",@{Name="Last Password Change";Expression={[datetime]::FromFileTime($_."pwdLastSet")}},@{Name="Next Password Change";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

$passwordexpired | ConvertTo-Html -Property "SamAccountName","Last Password Change","Next Password Change"-head $HTML -body "<H2> Password Validity Period For $dc</H2>"|

Out-File $Report

Invoke-Expression C:\report.html

This creates HTML report as following. It contains user name, last password change time and date and time it going to expire.

The attributes value I used in here is SamAccountName, pwdLastSet and msDS-UserPasswordExpiryTimeComputed. pwdLastSet attribute holds the value for last password reset time and date.

Hope this was useful and if you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Non-Authoritative and Authoritative SYSVOL Restore (DFS Replication)

Healthy SYSVOL replication is key for every active directory infrastructure. when there is SYSVOL replication issues you may notice,

1. Users and systems are not applying their group policy settings properly.

2. New group policies not applying to certain users and systems.

3. Group policy object counts is different between domain controllers (inside SYSVOL folders)

4. Log on scripts are not processing correctly

Also, same time if you look in to event viewer you may able to find events such as,

Event Id

Event Description

2213

The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication.

Recovery Steps

1. Back up the files in all replicated folders on the volume. Failure to do so may result in data loss due to unexpected conflict resolution during the recovery of the replicated folders.

2. To resume the replication for this volume, use the WMI method ResumeReplication of the DfsrVolumeConfig class. For example, from an elevated command prompt, type the following command:

wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where volumeGuid=”xxxxxxxx″ call ResumeReplication

5002

The DFS Replication service encountered an error communicating with partner <FQDN> for replication group Domain System Volume.

5008

The DFS Replication service failed to communicate with partner <FQDN> for replication group Home-Replication. This error can occur if the host is unreachable, or if the DFS Replication service is not running on the server.

5014

The DFS Replication service is stopping communication with partner <FQDN> for replication group Domain System Volume due to an error. The service will retry the connection periodically.

Some of these errors can be fixed with simple server reboot or running commands describe in the error ( ex – event 2213 description) but if its keep continuing we need to do Non-Authoritative or Authoritative SYSVOL restore.

Non-Authoritative Restore

If it’s only one or few domain controller (less than 50%) which have replication issues in a given time, we can issue a non-authoritative replication. In that scenario, system will replicate the SYSVOL from the PDC.

Authoritative Restore

If more than 50% of domain controllers have SYSVOL replication issues, it possible that entire SYSVOL got corrupted. In such scenario, we need to go for Authoritative Restore. In this process, first we need to restore SYSVOL from backup to PDC and then replicate over or force all the domain controllers to update their SYSVOL copy from the copy in PDC.

SYSVOL can replicate using FRS too. This is deprecated after windows server 2008, but if you migrated from older Active Directory environment you may still have FRS for SYSVOL replication. It also supports for Non-Authoritative and Authoritative restore but in this demo, I am going to talk only about SYSVOL with DFS replication.

Non-Authoritative DFS Replication

In order to perform a non-authoritative replication,

1) Backup the existing SYSVOL – This can be done by copying the SYSVOL folder from the domain controller which have DFS replication issues in to a secure location.

2) Log in to Domain Controller as Domain Admin/Enterprise Admin

3) Launch ADSIEDIT.MSC tool and connect to Default Naming Context

4) Brows to DC=domain,DC=local > OU=Domain Controllers > CN=(DC NAME) > CN=DFSR-LocalSettings > Domain System Volume > SYSVOL Subscription

5) Change value of attribute msDFSR-Enabled = FALSE

6) Force the AD replication using,

repadmin /syncall /AdP

7) Run following to install the DFS management tools using (unless this is already installed),

Add-WindowsFeature RSAT-DFS-Mgmt-Con

8) Run following command to update the DFRS global state,

dfsrdiag PollAD

9) Search for the event 4114 to confirm SYSVOL replication is disabled.

Get-EventLog -Log "DFS Replication" | where {$_.eventID -eq 4114} | fl

10) Change the attribute value back to msDFSR-Enabled=TRUE (step 5)

11) Force the AD replication as in step 6

12) Update DFRS global state running command in step 8

13) Search for events 4614 and 4604 to confirm successful non-authoritative synchronization.

All these commands should run from domain controllers set as non-authoritative.

Authoritative DFS Replication

In order to perform to initiate authoritative DFS Replication,

1) Log in to PDC FSMO role holder as Domain Administrator or Enterprise Administrator

2) Stop DFS Replication Service (This is recommended to do in all the Domain Controllers)

3) Launch ADSIEDIT.MSC tool and connect to Default Naming Context

4) Brows to DC=domain,DC=local > OU=Domain Controllers > CN=(DC NAME) > CN=DFSR-LocalSettings > Domain System Volume > SYSVOL Subscription

5) Update the given attributes values as following,

msDFSR-Enabled=FALSE

msDFSR-options=1

6) Modify following attribute on ALL other domain controller.

msDFSR-Enabled=FALSE

7) Force the AD replication using,

repadmin /syncall /AdP

8) Start DFS replication service in PDC

9) Search for the event 4114 to verify SYSVOL replication is disabled.

10) Change following value which were set on the step 5,

msDFSR-Enabled=TRUE

11) Force the AD replication using,

repadmin /syncall /AdP

12) Run following command to update the DFRS global state,

dfsrdiag PollAD

13) Search for the event 4602 and verify the successful SYSVOL replication.

14) Start DFS service on all other Domain Controllers

15) Search for the event 4114 to verify SYSVOL replication is disabled.

16) Change following value which were set on the step6. This need to be done on ALL domain controllers.

msDFSR-Enabled=TRUE

17) Run following command to update the DFRS global state,

dfsrdiag PollAD

18) Search for events 4614 and 4604 to confirm successful authoritative synchronization.

Please note you do not need to run Authoritative DFS Replication for every DFS replication issue. It should be the last option.

Hope this was useful and if you have any questions feel free to contact me on rebeladm@live.com

Step-by-Step Guide to enable Azure AD Domain Services

Azure AD, Azure AD Domain Services, On-premises Active Directory, AD-sync ….. All these terms are now start to appear on most of now a days infrastructure projects. Based on the questions I get from the blog also represent still engineers struggle how to implements Azure services with their needs and how to get best benefits out from it. So this article also a series of articles I was doing to cover up Azure AD related services and how to use these services to enhanced your current infrastructure operations.

Azure AD Domain Services

Azure AD Domain Services is in preview for a while now (6 months). Azure AD Domain Services is a managed domain service which provides group policy, LDAP, NTLM/Kerberos Authentication without need of “Domain Controller” in your azure cloud setup.

If you have “cloud-only” service with Azure, this service will allow you to manage your azure identities more affectively. You can deploy the azure ad domain services in to the same virtual network your other IaaS workloads runs. Then these VM can connect to the Azure AD as typical domain join servers and can control those centrally. Also can apply group policies if you like.

If its hybrid setup you can sync your on-premises identities to the cloud and use those along with the azure Iaas workloads.

These are the main features of Azure Active Directory Domain Services (From: https://azure.microsoft.com/en-gb/documentation/articles/active-directory-ds-features/)

•    Simple deployment experience: You can enable Azure AD Domain Services for your Azure AD tenant using just a few clicks. Regardless of whether your Azure AD tenant is a cloud-tenant or synchronized with your on-premises directory, your managed domain can be provisioned quickly.
•    Support for domain-join: You can easily domain join computers in the Azure virtual network that Azure AD Domain Services is available in. The domain join experience on Windows client and Server operating systems works seamlessly against domains serviced by Azure AD Domain Services. You can also use automated domain join tooling against such domains.
•    One domain instance per Azure AD directory: You can create a single Active Directory domain for each Azure AD directory.
•    Create domains with custom names: You can create domains with custom names (eg. contoso.local) using Azure AD Domain Services. This includes both verified as well as unverified domain names. Optionally, you can also create a domain with the built-in domain suffix (i.e. *.onmicrosoft.com) that is offered by your Azure AD directory.
•    Integrated with Azure AD: You do not need to configure or manage replication to Azure AD Domain Services. User accounts, group memberships and user credentials (passwords) from your Azure AD directory are automatically available in Azure AD Domain Services. New users, groups or changes to attributes ocurring in your Azure AD tenant or in your on-premises directory are automatically synchronized to Azure AD Domain Services.
•    NTLM and Kerberos authentication: With support for NTLM and Kerberos authentication, you can deploy applications that rely on Windows Integrated Authentication.
•    Use your corporate credentials/passwords: Passwords for users in your Azure AD tenant work with Azure AD Domain Services. This means users in your organization can use their corporate credentials on the domain – for domain joining machines, logging in interactively or over remote desktop, authenticating against the DC etc.
•    LDAP bind & LDAP read support: You can use applications that rely on LDAP binds in order to authenticate users in domains serviced by Azure AD Domain Services. Additionally, applications that use LDAP read operations to query user/computer attributes from the directory can also work against Azure AD Domain Services.
•    Group Policy: You can leverage a single built-in GPO each for the users and computers containers in order to enforce compliance with required security policies for user accounts as well as domain joined computers.
•    Available in multiple Azure regions: See the Azure services by region page to know the Azure regions in which Azure AD Domain Services are available.
•    High availability: Azure AD Domain Services offer high availability for your domain. This offers the guarantee of higher service uptime and resilience to failures. Built-in health monitoring offers automated remediation from failures by spinning up new instances to replace failed instances and to provide continued service for your domain.
•    Use familiar management tools: You can use familiar Windows Server Active Directory management tools such as the Active Directory Administrative Center or Active Directory PowerShell in order to administer domains provided by Azure AD Domain Services.

In my demo today I am going to show how to enable Azure AD Domain Services and how to configure it properly for cloud-only IaaS setup.

I have created Azure AD instance called REBELADMIN already. I will be using it during the demo.

Setup Azure Virtual Network

I am going to show how to setup new azure virtual network. The azure AD domain service instance also need to assign to the same virtual network as your other service run in order to integrate those resources.

1) In Azure Classic Portal click on “Networks” option in left side.

2) Then click on “Create a Virtual Network”

3) In wizard type the name for the virtual network and select the location, then click on proceed button to go to next step

4) In next page, I am not going to define any DNS servers as I will setup it in later time in this demo, click on proceed button

5) In next window it will show the address space, you can either customize or proceed with default. I am going to use default.

6) After proceed, its created the new virtual network successfully

Enable Azure AD Domain Service

Now we got the virtual network setup. Next step is to enable the domain service.

1) Click on the Azure AD directory instance which needs to enable Azure AD Domain Service (if you not done yet you can do it using New > App Services > Active Directory > Directory )

2) Then click on “Configure”

3) Under the “Domain Services” click on “Yes” button to enable the domain services.

4) DNS Domain name of domain services – This option to define the dns domain name. If you do not have domain setup you still can use default azure name which is ends up with onmicrosoft.com.
Connect domain service to this virtual network – in here you can define which virtual network domain service should assign to. I have selected the new virtual network created on previous step.
After changes click on “Save”

5) Then it will start to activate the service.

6) Currently it takes like 30 minutes to get service enabled. Once its setup we can see the DNS server ip address appears. This is important as we need to add these in to virtual network in order to join servers to domain.

Add DNS server details into Virtual Network

1) Click on the virtual network where Azure AD domain service also associated with.

2) Click on the configure and then add the DNS server info

3) Click on Save to submit the changes

Create “AAD DC Administrator” group

Since Azure AD Domain service is managed service you will not get domain admin or enterprise administrator privileges to the Ad instance. But you allowed to create this group and all the members of this group will be granted with administrator privileges to the domain join servers (This group will added to the administrators group in domain join servers).

In order to do that need to load the Azure AD instance again,

1) Click on the relevant Azure AD instance.

2) Click on the “Groups” and then Add Group

3) Then in next window type the group name as “AAD DC Administrators” and type as “Security” then click on proceed button. Please note you must use the text on same format in order to get enable this group.

4) Then you can add the member as you prefer

With this our initial configuration is done. The next step is to enable password synchronization to allow users to use their cooperate logins to log in to the domain. I will explain it on my next post as another step-by-step guide.

If you have any questions about the post feel free to contact me on rebeladm@live.com

The Active Directory Replication Status Tool (ADREPLSTATUS)

Healthy Active directory replication is important for active directory infrastructure. REPADMIN is command line utility which can use to check the AD replication status. I wrote an article before about common replication errors and how to use these command line utilities for troubleshooting. If you till not read it you can find it in here.

The Active Directory Replication Status Tool (ADREPLSTATUS) is a small but handy tool Microsoft published which can use to analyze the replication status of active directory environment. The output is similar to output of command REPADMIN /SHOWREPL * /CSV but with few enhancements.

Specific capabilities for this tool include:

    • Expose Active Directory replication errors occurring in a domain or forest
    • Prioritize errors that need to be resolved in order to avoid the creation of lingering objects in Active Directory forests
    • Help administrators and support professionals resolve replication errors by linking to Active Directory replication troubleshooting content on Microsoft TechNet
    • Allow replication data to be exported to source or destination domain administrators or support professionals for offline analysis

System Requirement

Domain membership requirements:

• Must be joined to the Active Directory domain or forest you intend to monitor
.NET Framework requirements:
• .NET Framework 4.0 (you may be prompted to install .NET Framework 3.5.1 first on Windows Server 2008)

Required User Credentials:

• Target forest/domain user account

Other Requirements:

ADREPLSTATUS will not work when the following security setting is enabled on the operating system:
• System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms

The tool can be download from https://www.microsoft.com/en-gb/download/details.aspx?id=30005

Installation

It is very straight forward. All need to do is double click on the file.

Once install, double click on the icon to run the application.

Once tool is loaded, you can check the replication on entire forest or specific domains.

After you specify the replication boundaries, click on refresh replication status button. It will discover the current configuration and replication status.

If you required you can export the data to xps or csv format.

hope this info helps. If you have any questions feel free to contact me on rebeladm@live.com

Step by Step Guide to downgrade domain and forest functional level

Till Windows server 2008 R2, forest and domain functional level are not possible to downgrade once it’s upgraded. Well it’s not a problem if you properly plan you active directory upgrades. But sometime it’s save life with difficulties admins face with AD upgrades. With starting windows server 2008 R2 you can downgrade forest and function levels. The minimum level it can downgrade is windows server 2008.

In here on my demo I am using domain controller with forest and domain function level set to windows 2012 R2.

There is no GUI to perform this downgrade. We have to use PowerShell commands to do it.

First, log in to the domain controller as domain admin / Enterprise admin.

Then load PowerShell with Admin rights.

Then we need to import the AD module.

To do that type Import-Module -Name ActiveDirectory

Before proceed as confirmation here my domain and forest function levels are set to windows server 2012 R2.

First I am going to set forest function level to windows server 2008.
To do that,

Set-ADForestMode –Identity “CANITPRO.com” –ForestMode Windows2008Forest

In here my FQDN is CANITPRO.com you can replace it with your domain name.
After run the command ask for the confirmation, type Y or A to confirm the change.

Next step is to downgrade the domain function level to windows server 2008.
To do that,

Set-ADDomainMode –Identity “CANITPRO.com” –DomainMode Windows2008Domain

After successfully commands, next step is to confirm the new forest and domain function levels. This time I am using PowerShell.

If you have any questions feel free to contact me on rebeladm@live.com

How to fix error “No mapping between account names and security IDs” in Active Directory

Happy New Year to all my blog reader! It’s been quite time for the blog as I was stuck on some projects. With New Year I am back in blogging.

Today I am going to show how to fix the Active directory group policy related error. The relevant event viewer error code is 1202.

It can be in either on domain controllers itself or the local computers. It will be visible in Event viewer > Windows Logs > Application Log

So what is this error about?

As it describes in error it’s saying no mapping between account names and security IDs. Which means there is a GPOs setting which used for domain computers, controllers with orphaned account details. Those accounts couldn’t resolved to correct SID.

How it is possible?

Well there is only two possibilities.
1) The relevant account used in the GPO is removed from AD.
2) Within the GPO the account name is typed incorrectly.

Microsoft done great job on the event log explaining how to fix that error. But let’s see how we really can trigger down the problem.

The first thing we need to do is find out the accounts which have problems with.

To find it need to run command from the domain controller as domain administrator

FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log

Oh, it is saying no log file. It is because its not enabled. To do it go to regedit,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}

And then double click on key ExtensionDebugLevel and set it to 2.

If the log is created first time, we need to wait for some time till it collect the logs.

Then let’s try again same command.

This time it shows canitpro_prg1 is the account. So next step is to find where it is used.

To do it run RSoP (Resultant Set of Policy) mmc to identify the source GPO that contain the problems.

To do it go to Run > RSoP.msc > Enter

Then in result window it shows problem is stick with the computer configuration

Then when go to Computer Configuration > Security Settings > Local Policies > User Rights Assignment it shows log on as a service got the faulty account applied.

So let’s see if this account exist in AD.

As can see its not existing in AD, the error is clear. To fix the issue we need to remove this account from the list. Once you done that, make sure you run gpupdate /force to apply the new policy setting.

If you have any question about article feel free to contact me on rebeladm@live.com

Step-by-Step Guide to install Active Directory on Windows server technical preview 2

Microsoft released Windows Server 2016 Technical Preview 2 for the public. I am sure most of you already got the news. In this article I am going to demonstrate how we can install AD in Windows server 2016 TP2.

You can download windows 2016 TP2 from https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-technical-previewit

You can deploy it using .iso or .vhd file. If you notice, installation no longer allows to select the GUI option during the installation. It gives 2 options to select from, one is goes as core version and the one with administrative tools gives ability to use admin tools such as server manager. If you like to install GUI you need to install it using server manager or using command Install-WindowsFeature Server-Gui-Shell –Restart -Source wim:E:\sources\install.wim:4

In here E: is the DVD with the windows server 2016 source files.

What is new in AD DS?

Well it may be too early to look for what is going to be in windows server 2016 in AD end. But here is the few new features, enhancements available for TP.

Privileged Access Management – This PAM feature allows to mitigate security concerns in AD environment which cause by techniques such as pass-the-hash, spear fishing etc.

Azure AD Join – This enhance identity experience for businesses. Including benefits such as SSO, access organizational resources, MDM integration etc.

Microsoft Passport – Microsoft Passport is a new key-based authentication approach organizations and consumers that goes beyond passwords. This form of authentication relies on breach, theft, and phish-resistant credentials.

Deprecation of File Replication Service (FRS) and Windows Server 2003 functional levels – Although File Replication Service (FRS) and the Windows Server 2003 functional levels were deprecated in previous versions of Windows Server, it bears repeating that the Windows Server 2003 operating system is no longer supported. As a result, any domain controller that runs Windows Server 2003 should be removed from the domain. The domain and forest functional level should be raised to at least Windows Server 2008 to prevent a domain controller that runs an earlier version of Windows Server from being added to the environment.

Complete description about these features can find on https://technet.microsoft.com/en-us/library/mt163897.aspx

Let’s gets started. In here my demo I am using windows server 2016 TP2 with GUI.
Log in to server as administrator. Then load server manager.

Then go to Manage > Add Roles and Features

In the wizard click on next.

In installation type selection, let the default selection run and click on next.

For the server selection leave the default and click on next.

From the role selection window select “Active Directory Domain Services” click next. Then it will ask to add the dependent features. Click on add features button. Then click next.

In the features selection will keep the default selection and then click next to continue.

Then it gives description window about AD DS. Click next to proceed.

Then in next window click on install button to install AD DS role.

Once it is finished, click on link “Promote this server to a domain controller”

Then it will open up the new wizard for the AD DS configuration. In here I am going to deploy new forest, so do the relevant selection and fill information and click on next.

In next window select the forest function and domain function level, to “Windows server technical preview” and then add the domain controller capabilities such as DNS, then submit the DSRM password and click next.

Then click next to complete DNS delegation.

In next window we can specify the Netbios name and then click next to continue.

In next window select the paths for database installation etc. then click next.

Then it gives option to review the configuration, and click next to continue.

Once prerequisite check is done, click on install to proceed.

Then it starts the installation process. It will reboot server automatically once completed.
Once reboot, we can see AD DS is configured and functioning as expected.

This completes installation process. The steps are very similar to with AD DS installation on windows server 2012.

If you have any issues feel free to contact me on rebeladm@live.com