Technical Blog | REBELADMIN

Learn about Active Directory and Various Azure Services

Archives for October 2018

Step-by-Step guide to Azure AD Password protection

Last Updated on October 28, 2018 by Dishan M. Francis

Complex passwords are a basic requirement to protect a system from cyber-attack. Even today most of the cyber-attack could have prevented if users were using complex, un-guessable passwords. I agree this is not the best solution especially as we are moving towards password-less authentication (Azure AD already released preview for it you can find more about it via https://www.rebeladmin.com/2018/09/step-step-guide-azure-ad-password-less-authentication-public-preview/). However, attackers always try the low hanging fruits first. In on-premises AD environment we can force users to use complex passwords via group policy. however, we couldn’t ban passwords using this method. Now Azure AD support banned password lists and smart lockout for Azure AD & on-premise AD in hybrid setup. Smart lockout is using cloud intelligence to detect password spoofing attempts from attackers. In this demo I am going to demonstrate, how to enable this feature in hybrid environment to protect both sides. 

As the first step, let’s enable the password protection. 

1. Log in to Azure Portal as global admin

2. Click on Azure Active Directory

3. Then Authentication Method

4. New window is to define password protection settings. In this demo, I am keeping the default thresholds for custom smart lockout. To define ban password list, click on Yes for Enforce custom list and then type the passwords you like to ban. 

[Read more…] about Step-by-Step guide to Azure AD Password protection

Azure AD Self-Service password reset for Windows 7/8.1 Devices

Last Updated on October 26, 2018 by Dishan M. Francis

Password resets requests are very common in any helpdesk. Azure AD self-service password reset service is allowing users to reset their passwords without IT helpdesk involvement. So far this was only supported on Windows 10 Azure AD join devices. Now with few modifications we can do the same thing with Windows 7 or Windows 8.1 devices. In this demo I am going to demonstrate how we can do self-service password reset with these non-windows 10 devices. 

This process required few prerequisites. 

1) Enable SSPR in Azure AD – We need to enable SSPR service in Azure AD first. I have explain those steps in here https://www.rebeladmin.com/2017/11/step-step-guide-reset-user-password-azure-ad-joined-windows-10-device/ 

2) Up to date Patches – Make sure the latest windows updates are applied to Windows 7/ Windows 8.1 devices. 

3) Users need to register with additional verification methods – As part enabling SSPR process, we also need to define how many methods it should use for user verifications. 

If you using multiple methods, make sure user is register with those method before use SSPR service. 

4) TLS 1.2 enabled – In Windows PC you must have TLS 1.2 enabled. It should not just set to auto negotiate. This can be done by using registry entries. 

Under HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols you will be able to see TLS 1.2 (if it is not, go ahead and create a key). under that folder there will be two sub folders called client & server. I prefer to do changes under both roles. In there we need to create a key with following values.

DisabledByDefault – DWORD value 0

[Read more…] about Azure AD Self-Service password reset for Windows 7/8.1 Devices

Step-By-Step guide to create Point-to-Site VPN using Azure Network Adapter in Windows Server 2019

Last Updated on October 18, 2018 by Dishan M. Francis

Azure point-to-site VPN means VPN tunnel between end-point & Azure without using corporate firewall. I have already written a complete guide on how to create point-to-site VPN with Azure. You can access it using https://www.rebeladmin.com/2018/07/step-step-guide-azure-point-site-vpn/ 

The above method includes many different tasks which we need to perform in both azure and on-premise to get it going. With Windows Server 2019, Microsoft introduced Azure Network Adapter which can use to create point-to-site VPN in a straightforward way. In this demo, I am going to demonstrate how we can create a point-to-site VPN using Azure Network Adapter. 

This feature currently available via new Windows Admin Center. So, before you start you need to get it running in your environment. In my demo setup, I have a domain joined server which running latest Windows Admin Center (build 1809). 

1. Log in to the Server as Administrator

2. Launch Windows Admin Center 

3. Click on the relevant server from the list

4. Click on Network

5. Then click on Actions | Add Azure Network Adapter

[Read more…] about Step-By-Step guide to create Point-to-Site VPN using Azure Network Adapter in Windows Server 2019

Step-by-Step Guide to install Active Directory in Windows Server 2019 (PowerShell Guide)

Last Updated on October 7, 2018 by Dishan M. Francis

Finally waiting game is over, Windows server 2019 is now available for public. So, it is time to start planning for your production migrations. In this demo I am going to demonstrate how we can setup Active Directory 2019 with new AD forest. I will discuss new features of AD 2019 in a later post. 

In below, I created a checklist which we can use to track the progress of installation. 

Active Directory Domain Service Installation Check List for First Domain Controller

Produce Active Directory Design Document 

Prepare Physical / Virtual resources for Domain Controller

Install Windows server 2019 Standard / Datacenter

Patch Servers with latest Windows Updates

Assign Dedicate IP address to Domain Controller

Install AD DS Role

Configure AD DS according to Design

Review logs to verify the healthy AD DS installation and configuration

Configure Service and Performance Monitoring 

AD DS Backup / DR Configuration 

Produce System Documentation 

Design Topology
 
As explain in the above figure, in my demo environment, rebeladmin.com will be the forest root domain. The first domain controller install on the forest will hold all five FSMO roles. Once additional domain controllers are in place you can place them in appropriate locations. 
 
1. To start the configuration, I logged in to Windows server 2019 server as local administrator.