REBELADMIN Technical Blog

Active directory

Step-by-Step Guide to Active Directory “Protected Users security group”

The Protected Users security group was introduced with Windows Server 2012 R2 and continued in Windows Server 2019. This group was developed to provide better protection for high privileged accounts from credential theft attacks. Members of this group have non-configurable protection applied. In order to use the Protected Users group, PDC should be running with a minimum of Windows Server 2012 R2 and the client computers should be running with a minimum of Windows 8.1 or Windows 2012 R2.

If a member of this group logs into Windows 8.1, Windows Server 2012 R2, Windows 10, Windows Server 2016 or Windows server 2019, we can expect the following:

Members of this group cannot use NTLM, digest authentication, or CredSSP for authentication. Plain text passwords are not cached. So, any of the devices using these protocols will fail to authenticate to the domain.

Kerberos long-term keys not cached. For accounts in this group, the Kerberos protocol verifies authentication at each request (the TGT acquired at log on).

Sign-in is offline. A cached verifier is not created at sign-in.

For the Protected Users group feature, it is not a must to have a domain or forest functional level run on Windows Server 2012 R2 or higher (Windows Server 2008 is the minimum as Kerberos needs to use AES). The only requirement is to run the PDC emulator FSMO role in the Windows Server 2012 R2 domain controller.

If the AD environment uses Windows Server 2012 R2 or Windows Server 2016 domain functional levels, it provides additional protections with Protected User groups, as:

No NTLM authentication

No DES or RC4 encryption in Kerberos pre-authentication

No delegation using the unconstrained or constrained method

No Kerberos TGT valid more than 4 hours

[su_note]Service accounts and computers cannot be members of the Protected Users' security group. These accounts can be protected using different features, such as policy silos, which I will explain later in this chapter.[/su_note]

To start with, we can review the Protected Users security group using the following command:

Get-ADGroup -Identity "Protected Users"

The following screenshot shows the output for the preceding command:

We can add users to the Protected Users group using ADAC, ADUC MMC, and PowerShell. This group is located in the default Users container in AD.

In here, we are going to add the user account Adam in to the Protected Users group using the following command:

Get-ADGroup -Identity "Protected Users" | Add-ADGroupMember –Members "CN=Adam,CN=Users,DC=rebeladmin,DC=com"

The first part of the command will retrieve the group and the second part will add the user Adam to it. [Read more…] about Step-by-Step Guide to Active Directory “Protected Users security group”

Step-by-Step Guide to Restrict Azure AD Administration portal

In order to manage Azure AD, we use Azure Active Directory option in https://portal.azure.com. By default, any user under Azure AD can access this option event they do not have a Directory role. In my demo setup, I have a user called "Emily Braun". She doesn't have any Directory role assigned. 

Then I log in to Azure portal https://portal.azure.com as the user and then go to Azure Active Directory option. It didn't block me accessing it. 

I can go to All users and see user account details. 

I even can see the Groups memberships details. 

 

Also, can view application assignments. 

As an end user I also can see the Azure AD Connect details. 

[Read more…] about Step-by-Step Guide to Restrict Azure AD Administration portal

Step-by-Step Guide to Migrate from Active Directory 2012 R2 to Active Directory 2019 (PowerShell Guide)

Windows server 2019 was available for public (GA) from early oct 2018. In past i have written many articles about domain migrations by covering different Active Directory versions. So, it is time me to write about AD 2019 migrations. In this demo I am going to demonstrate how to migrate from Active Directory 2012 R2 to Active Directory 2019. The same procedure is going to apply for any AD version from Windows Server 2008.   

Migration itself is very straight forward task. But there are other things you need to consider before you do an AD migration. In below I listed a checklist you can use in many occasions.

Evaluate business requirement for active directory migration 

Perform Audit on Existing Active Directory Infrastructure

Provide Plan for implementation Process

Prepare Physical / Virtual resources for Domain Controller

Install Windows server 2019 Standard / Datacenter

Patch Servers with latest Windows Updates

Assign Dedicate IP address to Domain Controller

Install AD DS Role

Migrate Application and Server Roles from the Existing Domain Controllers.

Migrate FSMO roles to new Domain Controllers

Add New Domain controllers to the Existing Monitoring system

Add New Domain controllers to the Existing DR Solution

Decommission old domain controllers 

Raise the Domain and Forest Functional level

On Going Maintenance 

As per the above figure therebeladmin.com domain has two domain controllers.  In here, the FSMO role holder is running windows server 2012 R2. Domain and forest functional level currently operating at Windows server 2012 R2. A new domain controller with Windows server 2019 will be introduce and it will be the new FSMO role holder for the domain. once FSMO role migration completed, Domain controller running windows server 2012 R2 will be decommissioned. After that forest and domain function level will raised to the windows server 2019. 
In the demonstration, REBEL-DC2012 is the domain controller with windows server 2012 R2 and REBEL-DC2016 is the domain controller with windows server 2019. 
 
[su_note]When you introduce new domain controllers to the existing infrastructure it is recommended to introduce to the forest root level first and then go to the domain tree levels.[/su_note]
 
 
1. Log in to the Server 2019 as a member of local administrators group. 
2. Add server to the existing domain as member
 
 
3. After restart, log in to the server as Enterprise Administrator
4. Assign static IP address to the server
5. Launch the PowerShell Console as an Administrator
6. Before the configuration process, we need to install the AD DS Role in the given server. In order to do that we can use Following command. 
 
Install-WindowsFeature –Name AD-Domain-Services -IncludeManagementTools
 
 
7. Configure the new server as additional domain controller.
 
Install-ADDSDomainController
-CreateDnsDelegation:$false
-NoGlobalCatalog:$true
-InstallDns:$true
-DomainName "therebeladmin.com"
-SiteName "Default-First-Site-Name"
-ReplicationSourceDC "REBEL-DC2012.therebeladmin.com"
-DatabasePath "C:\Windows\NTDS"
-LogPath "C:\Windows\NTDS"
-NoRebootOnCompletion:$true
-SysvolPath "C:\Windows\SYSVOL"
-Force:$true
 
 
There are no line breaks for the command and I have listed it as above to allow readers to identify on the parameters clearly.
 

Argument

Description

Install-ADDSDomainController

This cmdlet will install the domain controller in active directory infrastructure.

-NoGlobalCatalog

If you do not need to create the domain controller as global catalog server, this parameter can use. By default, system will enable global catalog feature.

-SiteName

This Parameter can use to define the active directory site name.  the default value is Default-First-Site-Name

-DomainName

This parameter defines the FQDN for the active directory domain.

-ReplicationSourceDC

Using this parameter can define the active directory replication source. By default, it will use any available domain controller. But if need we can be specific.

Once execute the command it will ask for SafeModeAdministrator Password. Please use complex password to proceed. This will be used for DSRM.

8. After configuration completed, restart the system and log back in as administrator to check the AD DS status. 

Get-Service adws,kdc,netlogon,dns

Will confirm the status of the AD DS service. 

Get-ADDomainController -Filter * |  Format-Table Name, IPv4Address, Site

Will list down the domain controllers along with the IP address and Sites it belongs to.

9. Migrate all five FSMO roles to the New domain controller using following command,

Move-ADDirectoryServerOperationMasterRole -Identity REBEL-DC2019 -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

In above the REBEL-DC2019 is domain controller running with windows server 2019. 

Once its completed, we can verify the new FSMO role holder using 

Netdom query fsmo

10. The new step of the process is to decommission the old windows domain controller which running with windows server 2012 R2. To do that execute the following command as enterprise administrator from the relevant DC. 

Uninstall-ADDSDomainController -DemoteOperationMasterRole -RemoveApplicationPartition

After execute the command it will ask to define password for the local administrator account.

Once its completed it will be a member server of the therebeladmin.com domain.

11. Next step is to raise the domain and forest functional level to windows server 2019. To do that can use the following commands.

To upgrade domain functional levels

Set-ADDomainMode –identity therebeladmin.com -DomainMode Windows2016Domain

To upgrade forest function levels

Set-ADForestMode -Identity therebeladmin.com -ForestMode Windows2016Forest

[su_note]With windows server 2019, there is no domain or forest functional level called windows2019. It is still 2016. [/su_note]

Now we have completed the migration from AD DS 2012R2 to AD DS 2019. Same steps apply when migrate from windows server 2008, Windows server 2008 R2, Windows server 2012 & Windows server 2016.

12. After the migration completes, we still need to verify if its completes successfully. 

Get-ADDomain | fl Name,DomainMode

This command will show the current Domain functional level of the domain after the migration. 

Get-ADForest | fl Name,ForestMode

Above command will show the current forest functional level of the domain. 

This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

MVP for Last 6 Years

I am glad to announce that I have been awarded with MVP award by Microsoft for 6th consecutive time. It is a true honor to be a part of such a great community. I got my first award back in 2014 under Active Directory category. After that for last 5 years I was awarded under Enterprise Mobility Category.

What is MVP Award?

For more than two decades,the Microsoft MVP Award is our way of saying “Thanks!” to outstanding community leaders. The contributions MVPs make to the community, ranging from speaking engagements, to social media posts, to writing books, to helping others in online communities, have incredible impact. Key benefits to MVPs include early access to Microsoft products, direct communication channels with our product teams and an invitation to the Global MVP Summit, an exclusive annual event hosted in our global HQ in Redmond. They also have a very close relationship with the local Microsoft teams in their area, who are there to support and empower MVPs to address needs and opportunities in the local ecosystem.

I take this opportunity to thank my MVP program Manager Betsy Weber, former program manager Simran Chaudhry for their awesome support over the years.

I also like to thank my readers for their support and encouragement over last 7 years. In coming weeks, you will see more enhancements in my blog to give you more user-friendly experience. Also, glad to announce that soon you will able to connect with my YouTube channel. So, stay touch! if you need help with subject matters always feel free to contact me on rebeladm@live.com or follow me on twitter @rebeladm

How Active Directory Authentication Works?

AD DS security is key for any environment as it is foundation of identity protection. Before look in to improvements of AD DS security in an environment, it is important to understand how Active Directory authentication works with Kerberos. In this post I am going to explain how AD authentication works behind the scene.

In infrastructure, there are different types of authentication protocols been used. Active Directory uses Kerberos version 5 as authentication protocol in order to provide authentication between server and client. Kerberos v5 became default authentication protocol for windows server from windows server 2003. It is an open standard and it provides interoperability with other systems which uses same standards.

Kerberos protocol is built to protect authentication between server and client in an open network where other systems also connected. The main concept behind authentication is, two parties agreed on a password (secret) and both use it to identify and verify their authenticity. 

auth1
In above example, Dave and Server A have regular communications. They exchange confidential data between them more often. In order to protect this communication, they agreed on a common secret 1234 to use to verify their identities before exchange data. When Dave make initial communication, he passes his secret to server A and say “I’m Dave”. Server A checks the secret to see if it’s true. If its correct its identify him as Dave and allowed further communication. 
 
auth2
Communication between Dave and Server A, happens in open network which means there are other connected systems. Sam is a user connected in same network where dave is in. He is aware about communication between Dave and Server A. He has interest about data exchange between them and like to get his hands on those. He starts to listen to traffic between these two hosts to find out the secret they use. Once he founds it, he starts to communicate to Server A and says he is Dave and also provides the secret 1234. From Server A side, it doesn’t see different between message from dave and sam now as both provides the correct secret. 
Kerberos solved this challenge by using shared symmetric cryptographic key instead of the secrets. It uses same key to encryption and decryption. Kerberos name came from three headed strong dog in Greek mythology. As the three-headed dog, Kerberos protocol has three main components. 
 
1) A Client
2) A Server
3) A trusted authority to issue secret keys
 
This trusted authority is called as Key Distribution Center (KDC). Before we look in to Kerberos in detail, better to understand how typical key exchange works.  [Read more…] about How Active Directory Authentication Works?