
Tuesday, December 28, 2021

Microsoft Defender for Identity sensor installation failing - error code 0x80070643

Description:

You are trying to install the Microsoft Defender for Identity sensor on a Domain Controller. The Domain Controller needs to use a proxy to communicate with the internet. You have entered the correct proxy settings in the Domain Controller's system settings, and you have made sure the required communication port (443) is already open from the Domain Controller to *.atp.azure.com. However, you still get stop error 0x80070643.

Resolution:

Configure the proxy settings through the registry. You must copy the proxy configuration that you use in your user context to the LocalSystem and LocalService accounts, because the sensor services run under those accounts and not under your user account. To copy your user context proxy settings:

  1. Back up the registry keys before you modify them.

  2. In the registry, locate the REG_BINARY value DefaultConnectionSettings under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings. Export all the values inside the Connections key.

  3. Open the exported file and edit the key path to HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings. Save this as the first copy of the file.

  4. Double-click the new file to import the value from the current user's DefaultConnectionSettings into the LocalSystem (S-1-5-18) hive.

  5. Open the exported file again and edit the key path to HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings. Save this as the second copy of the file.

  6. Double-click the second file to import the value from the current user's DefaultConnectionSettings into the LocalService (S-1-5-19) hive.

  7. Close the Registry Editor.

Then re-run the installation.
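The same copy done with PowerShell, as an added example that is not part of the original post: it backs up the source key, then copies every value under the current user's Connections key (DefaultConnectionSettings included) into the S-1-5-18 and S-1-5-19 hives with its original registry type. It assumes an elevated session on the Domain Controller and that both hives are loaded (it warns and skips if one is not).

```powershell
# Added example (not from the original post): copy the proxy connection settings
# from the current user's hive to the LocalSystem (S-1-5-18) and LocalService
# (S-1-5-19) hives with PowerShell, instead of editing exported .reg files by
# hand. Run from an elevated PowerShell session on the Domain Controller.
$srcKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
$src    = "HKCU:\$srcKey"

# HKEY_USERS has no PSDrive by default.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Step 1 of the post: back up the source key (and the targets, if they exist).
$backupDir = Join-Path $env:TEMP ('proxy-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
reg.exe export "HKCU\$srcKey" (Join-Path $backupDir 'hkcu.reg') /y | Out-Null

$srcItem = Get-Item -Path $src
if (-not $srcItem.GetValueNames()) {
    throw "No values under $src; configure the proxy in Internet Options first."
}

foreach ($sid in 'S-1-5-18', 'S-1-5-19') {
    if (-not (Test-Path "HKU:\$sid")) { Write-Warning "Hive $sid is not loaded; skipping"; continue }

    $dst = "HKU:\$sid\$srcKey"
    if (Test-Path $dst) {
        reg.exe export "HKU\$sid\$srcKey" (Join-Path $backupDir "$sid.reg") /y | Out-Null
    } else {
        New-Item -Path $dst -Force | Out-Null
    }

    # Copy every value (DefaultConnectionSettings, SavedLegacySettings, ...) keeping its type,
    # so the REG_BINARY blob lands as REG_BINARY in the target hive.
    foreach ($name in $srcItem.GetValueNames()) {
        $kind  = $srcItem.GetValueKind($name)
        $value = $srcItem.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        Set-ItemProperty -Path $dst -Name $name -Value $value -Type $kind
        Write-Host "$sid <- $name ($kind)"
    }
}
Write-Host "Backups are in $backupDir. Re-run the sensor installer now."
```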

Cannot Re-Install NPCAP

Description:

You are trying to re-install NPCAP as part of the Microsoft Defender for Identity sensor deployment on a Domain Controller. However, you get stuck on an uninstall error.

You have tried removing the registry key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\NpcapInst. However, the problem still exists.

Resolution:

Look for services that may still be using NPCAP, for example Wireshark or Cisco Tetration. Stop those services, then try to re-install NPCAP again.
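An added diagnostic (not from the original post) that finds what still has the NPCAP user-mode libraries (wpcap.dll, Packet.dll) loaded, and which running services those processes belong to, so you know what to stop before retrying the installer. It assumes an elevated session.

```powershell
# Added example (not from the original post): list processes and running services
# that still hold the Npcap libraries before retrying the uninstall/reinstall.
$npcapDlls = 'wpcap.dll', 'Packet.dll'

$holders = foreach ($p in Get-Process) {
    try {
        # Protected or system processes refuse module enumeration; skip those.
        $loaded = $p.Modules | Where-Object { $_.ModuleName -in $npcapDlls }
    } catch { continue }
    if ($loaded) { [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName; Path = $p.Path } }
}

Write-Host "Processes with Npcap libraries loaded:"
$holders | Format-Table -AutoSize

# Running services backed by one of those processes (e.g. a Wireshark or Tetration agent).
Write-Host "Running services using those processes:"
Get-CimInstance Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.ProcessId -in $holders.Pid } |
    Select-Object Name, DisplayName, ProcessId, PathName |
    Format-Table -AutoSize
# Stop them with: Stop-Service -Name <ServiceName>   (then retry the NPCAP installer)

# State of the Npcap driver service itself.
sc.exe query npcap
```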

Friday, December 17, 2021

Fixing Error nvlddmkm.sys on Event Viewer

Description:

You are using an NVIDIA GPU, and you sometimes see an nvlddmkm.sys error in the Event Viewer. The GPU crashes and cannot restart normally.

Resolution:

Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers.

Add a new DWORD value named TdrDelay and set its Value Data to 8.

Click OK, close the Registry Editor and restart the server.

Note:

If you still experience nvlddmkm crash errors after this, you may need to upgrade or downgrade your NVIDIA graphics driver. Version 472.12 seems to give more stable results.

Thursday, December 9, 2021

Azure B2B Script to create Guest On-Prem Active Directory Account is Not Working

Description:

You are configuring Azure B2B to allow external users to access your on-premises application securely.
You have configured the Azure B2B settings and published the on-premises application using Azure AD Application Proxy. Now you want to use the Azure B2B script to create the guest accounts in on-premises Active Directory automatically.
You downloaded the script from https://www.microsoft.com/en-us/download/details.aspx?id=51495.
However, when you run it, you see errors and the users never get created in on-premises Active Directory.
During troubleshooting, you found that the script does not have enough application permission to connect to or query Azure AD. You even triple-checked the API permissions, but could not find the cause of the error.

Resolution:

The "AppProxy-GuestAccountCreation-v1.0.3.ps1" script has not been updated: it still uses the deprecated Azure AD Graph API instead of the Microsoft Graph API.
You can download the updated script from https://github.com/MicrosoftDocs/azure-docs/files/7090340/AppProxy-GuestAccountCreation-v1.0.3.txt.
Make sure you install the Microsoft Graph PowerShell SDK before executing the script.

Error when using PowerShell Connect-MgGraph not recognized

Description:

You have already installed the Microsoft Graph PowerShell SDK on your machine. However, when you try to run a script that contains the "Connect-MgGraph" command, you get the error that it is not recognized as a cmdlet, function or script. You have also restarted the machine and made sure the Microsoft Graph module was loaded.

Resolution:

There may be a conflict between the Microsoft Graph module and other modules on your machine. The likely conflicts are with the AzureAD or MSOnline modules.

Try installing the Microsoft Graph PowerShell SDK on another machine that has only the default PowerShell modules, or as few extra modules as possible.

Wednesday, December 8, 2021

Intermittent ADFS Event ID 224 & 245 at WAP Server

Description:

On a Web Application Proxy (WAP) server configured to connect to ADFS, you see Event ID 224 and 245 appear intermittently. TCP port 443 is already open between WAP and ADFS.

Resolution:

Make sure you have all the required certificates on the WAP server, including the intermediate and trusted root certificates of the SSL certificate chain.

Tuesday, December 7, 2021

Error 1297 when starting AD FS Service

Description:

When you try to start the ADFS service for the first time after finishing the configuration, you may encounter error 1297.

Resolution:

Make sure that the service account you use to run the ADFS service has the following user rights on the ADFS server:

  • Log on as a service
  • Generate security audits

How to set the MultiSubnetFailover option on the ADFS to SQL database connection string

Description:

You want to use the SQL Always On capability for your application, so you need to change the database connection string.

Resolution:

Please run the following in PowerShell on every ADFS server (one by one):

$temp = Get-WmiObject -Namespace root/ADFS -Class SecurityTokenService
$temp.ConfigurationDatabaseConnectionString = "data source=<your SQL instance>;multisubnetfailover=true;initial catalog=adfsconfiguration;integrated security=true"
$temp.Put()

Set-AdfsProperties -ArtifactDbConnection "Data source=<your SQL instance>;multisubnetfailover=true;Initial Catalog=AdfsArtifactStore;Integrated Security=True"

Exception Error when Running PowerShell command to Update the ADFS SQL Connection String.

Description:

As per the article at https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/federation-server-farm-using-sql-server, we need to run the following commands to update the SQL connection string for the AD FS configuration database:

PS:\>$temp= Get-WmiObject -namespace root/ADFS -class SecurityTokenService
PS:\>$temp.ConfigurationdatabaseConnectionstring="data source=<SQLCluster\SQLInstance>;initial catalog=adfsconfiguration;integrated security=true"
PS:\>$temp.put()

The update is necessary to support the SQL Always On feature.

However, you get an "exception error" when you run the above script in PowerShell.

Resolution:

To modify the connection string on the additional ADFS servers in the farm, you need to stop the ADFS service first. After that, run the above script and start the ADFS service again.

Error when adding a new Windows Server 2016 to ADFS Server Farm with SQL Database

Description:
You have successfully configured the first ADFS server with a SQL database in an ADFS farm. Now you want to add another node to the ADFS farm.

However, when you run the ADFS Configuration Wizard, you encounter an error and the process stops.

At the prerequisite checks, you can see several errors as below:

  • "An error occurred during an attempt to connect to the AD FS configuration database. Error: Login failed for user 'Domain\The account I am logged into the server with'. Confirm that the database hostname and instance name are correct and that the specified service account has logon access to the database."
  • "Cannot open database "AdfsConfigurationV0" requested by the login. The login failed."
  • "Login failed for user 'domain\managed service account$'."

Resolution:

Make sure the account that you are using has Owner access to the ADFS database.
The permission can be removed after adding the new nodes.

Cannot Start ADFS Service after changing the Database Connection string to support SQL Always On

Description:
You have configured the first ADFS 2016 server with SQL as the database. Later the same day, the SQL admin also set the ADFS database to have Always On capability.

You have followed the syntax from https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/federation-server-farm-using-sql-server to change the SQL connection string on the first ADFS server to support the SQL Always On feature.

However, when you try to restart the ADFS service, it always fails.

Example script:
PS:\>$temp= Get-WmiObject -namespace root/ADFS -class SecurityTokenService
PS:\>$temp.ConfigurationdatabaseConnectionstring="data source=<SQLCluster\SQLInstance>;initial catalog=adfsconfiguration;integrated security=true"
PS:\>$temp.put()

Resolution:
You need to adjust the above example script. Make sure the "data source" is correct, and that the "initial catalog" value matches the actual database name in SQL. For example, you may need to write "adfsconfigurationv3" instead of just "adfsconfiguration" in the above script.
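The three connection-string posts above (setting MultiSubnetFailover, the exception on additional nodes, and the wrong "initial catalog") combined into one script, as an added example that is not the blog's own code: it reads the node's current connection string, keeps whatever "initial catalog" is already there (so AdfsConfigurationV3 is not retyped as adfsconfiguration), swaps in the listener and adds multisubnetfailover=true, and stops the service first on additional farm nodes. $Listener and the -AdditionalNode switch are assumptions; run it elevated on each node in turn.

```powershell
# Added example (not from the original posts): update the AD FS configuration
# database connection string for SQL Always On on one farm node.
param(
    [Parameter(Mandatory)][string]$Listener,   # e.g. 'SQLAG-LISTENER\ADFSINST' (placeholder)
    [switch]$AdditionalNode                    # set on every node except the first
)

$sts = Get-WmiObject -Namespace root/ADFS -Class SecurityTokenService
$current = $sts.ConfigurationDatabaseConnectionString
Write-Host "Current: $current"

# Parse the key=value pairs so the real database name is preserved.
$parts = [ordered]@{}
foreach ($kv in ($current -split ';')) {
    if ($kv -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $parts[$matches[1].ToLower()] = $matches[2] }
}
if (-not $parts['initial catalog']) {
    throw "Could not find 'initial catalog' in the current connection string; refusing to guess it."
}

$parts['data source']         = $Listener
$parts['multisubnetfailover'] = 'true'
if (-not $parts['integrated security']) { $parts['integrated security'] = 'true' }

$new = ($parts.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ';'
Write-Host "New:     $new"

# On additional farm nodes Put() throws unless the AD FS service is stopped first.
if ($AdditionalNode) { Stop-Service -Name adfssrv -Force }

$sts.ConfigurationDatabaseConnectionString = $new
$sts.Put() | Out-Null

if ($AdditionalNode) { Start-Service -Name adfssrv }

# The artifact store is a separate database; same listener, same failover option.
# Set-AdfsProperties needs the service running, so it comes after the restart.
Set-AdfsProperties -ArtifactDbConnection "data source=$Listener;multisubnetfailover=true;initial catalog=AdfsArtifactStore;integrated security=true"

# Show the committed value.
(Get-WmiObject -Namespace root/ADFS -Class SecurityTokenService).ConfigurationDatabaseConnectionString
```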

Sunday, November 14, 2021

Cannot Delete Domain Controller - Access is Denied

Description:

You are using a Domain Admins account and want to delete a "stale" Domain Controller (DC) from the Active Directory Users and Computers console. However, you get an access denied error.

Resolution:

Most probably the DC's NTDS Settings object is protected against accidental deletion.

  • Open Active Directory Sites and Services
  • Expand the Sites folder > expand the site that contains the DC you want to delete > expand the Servers folder > expand the DC you want to delete
  • Right-click NTDS Settings and open Properties
  • Click the Object tab
  • Uncheck the "Protect object from accidental deletion" checkbox
  • Click OK

Now you should be able to delete the Domain Controller from the Active Directory Users and Computers console.

Monday, September 27, 2021

BitLocker Deployment with Active Directory - How to Start Automatic Encryption

Description:

You deployed BitLocker using Active Directory only. You have set up the necessary Group Policy, run a manual BitLocker encryption and can see the recovery password being stored in Active Directory.

Now you are wondering how to start encryption automatically, without user interaction.

Resolution:

From https://www.experts-exchange.com/articles/33771/We-have-bitlocker-so-we-need-MBAM-too.html we can see that we can create a task scheduler on the machine and run it with System credential.

Detail:

Task name: BL (name it as you want, but please don’t forget to change the name in the last script line)

Triggers: at logon of any user

Executing account: system

Action: powershell.exe with the argument \\server\share\BL.ps1


The script:

# Generate a random six-digit PIN for this machine.
$pin = (Get-Random -Minimum 0 -Maximum 999999).ToString('000000')
# Record the PIN on the central share. It is written in clear text, so the share ACL must limit who can read it.
echo "$pin" | Out-File \\server\pins\$env:computername.txt -Append
$SecureString = ConvertTo-SecureString "$pin" -AsPlainText -Force
# Add a TPM+PIN protector, then encrypt used space only (-used), skip the hardware test (-s) and add a recovery password (-rp).
Add-BitLockerKeyProtector -MountPoint "C:" -Pin $SecureString -TpmAndPinProtector
manage-bde -on c: -s -used -rp
# Notify the logged-on user of the PIN.
msg * /time:0 Your hard drive is being encrypted. To start your PC, you need your BitLocker PIN, which is $pin
# Remove the scheduled task so the script runs only once (the name must match the task created above).
schtasks /delete /tn BL /f

Thursday, September 9, 2021

Error connecting to SQL Server after changing Service Account to normal domain users

Description:

As a security best practice, you should not run the SQL Server services with Domain Admin credentials. However, after changing them to a normal domain user account, you get a connection error when trying to connect from SQL Server Management Studio.

The error may say something like "The target principal name is incorrect. Cannot generate SSPI context."

Resolution:

We need to give the domain user account permission to modify its own ServicePrincipalName attribute in Active Directory, so that the SQL Server service can register its SPN when it starts.

  • Run Adsiedit.msc
  • In the ADSI Edit snap-in, expand Domain [YourDomainName], expand DC=RootDomainName, expand CN=Users, right-click CN=[YourAccountName], and then click Properties.
  • In the CN=AccountName Properties dialog box, click the Security tab.
  • On the Security tab, click Advanced.
  • In the Advanced Security Settings dialog box, select one (any) of the "SELF" rows.
  • Click Edit to open the Permission Entry dialog box.
  • Make sure Principal is "SELF", Type is "Allow" and "Applies to" is "This object only". In the Properties section, select the properties below:
    • Read servicePrincipalName
    • Write servicePrincipalName
  • Click OK to apply all changes and exit the ADSI Edit snap-in.
  • Restart the SQL service(s) that use the account in question.
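The same ACL change scripted with the Active Directory module, as an added example that is not part of the original post: it grants the well-known SELF principal (S-1-5-10) Read and Write on the servicePrincipalName attribute only, applied to this object only, and then prints the resulting entry for verification. svc-sql is a placeholder account name; RSAT's ActiveDirectory module is assumed.

```powershell
# Added example (not from the original post): PowerShell equivalent of the ADSI Edit
# steps, granting the SQL service account rights on its own servicePrincipalName.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-sql'                          # placeholder sAMAccountName
$user = Get-ADUser -Identity $ServiceAccount
$path = "AD:\$($user.DistinguishedName)"

# schemaIDGUID of the servicePrincipalName attribute (same in every AD forest).
$spnGuid = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'
# SELF (S-1-5-10): the object's own identity, as in the "SELF" row in ADSI Edit.
$self = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-10'

$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $self,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $spnGuid,                                                          # this attribute only
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None) # "This object only"

$acl = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verify: SELF entries scoped to the SPN attribute on this account.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and $_.ObjectType -eq $spnGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType -AutoSize

# Then restart the SQL Server service(s) running as this account so the SPN is registered.
```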

Error Connecting to SQL Server Instances after enabling Windows Firewall

Description:
For security reasons, you need to enable the Windows Firewall on your SQL Server machine.
However, after you enable it, users cannot connect to one of your SQL instances. You have already created inbound TCP rules to allow port 1433 and the other TCP port where the instance listens, but users still cannot connect. They can connect if the port number for that instance is written explicitly on the connection page.

Resolution:
Make sure you also create an inbound rule for UDP port 1434. The SQL Server Browser service listens on UDP port 1434 and tells clients which port a named instance is listening on.

Wednesday, September 8, 2021

How to Rename A Domain Controller

Description:

During an Active Directory upgrade, you might need to keep the old Domain Controller name because of certain application requirements. You plan to use the swing method, where the new Domain Controller is renamed to the old Domain Controller's name.

Resolution:

  1. Make sure the old DC name is no longer used anywhere in the domain: check Active Directory objects, DNS records, DFSR objects, etc.
  2. Use the netdom command to rename the Domain Controller with the following steps:
    • On the new Domain Controller, open a Command Prompt with administrative privileges
    • Type netdom computername "current_name" /add:"fqdn_newname" and press Enter
    • Type netdom computername "current_name" /makeprimary:"fqdn_newname" and press Enter
    • Restart the Domain Controller
    • Type netdom computername "current_name" /remove:"fqdn_oldname" and press Enter

Saturday, August 28, 2021

Migrate SYSVOL from FRS to DFSR

Migrating SYSVOL from FRS to DFSR is actually quite simple.
First, make sure all the Domain Controllers (DCs) in the domain are online and that AD replication and SYSVOL replication are working normally.
After that, run the following commands in sequence:
  1. At a Command Prompt, type "dfsrmig /setglobalstate 1". This enters the Prepared state.
    • Type dfsrmig /getmigrationstate to confirm all domain controllers have reached the Prepared state
  2. Next, at the Command Prompt, type "dfsrmig /setglobalstate 2". This enters the Redirected state.
    • Type dfsrmig /getmigrationstate to confirm all domain controllers have reached the Redirected state
  3. Next, at the Command Prompt, type "dfsrmig /setglobalstate 3". This enters the Eliminated state.
    • Type dfsrmig /getmigrationstate to confirm all domain controllers have reached the Eliminated state

Thursday, July 8, 2021

Cannot Access Remote Share on Workgroup Computer using Local Admin Account

Description:

You have several servers in a workgroup environment. You know the local Administrator account and password. You try to connect to the administrative share from a remote workgroup machine, but it always fails. The network ports for ping, RPC and SMB from source to destination are all open, and the username and password are both correct.

Resolution:

Open Regedit and go to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System". 

  1. On the Edit menu, point to New, and then click DWORD (32-bit) Value.

  2. Type LocalAccountTokenFilterPolicy to name the new entry, and then press Enter.

  3. Right-click LocalAccountTokenFilterPolicy, and then click Modify.

  4. In the Value data box, type 1, and then click OK.

  5. Exit Registry Editor.

Thursday, June 17, 2021

BitLocker with MBAM Failed to Encrypt because Access Denied by Remote Endpoint

Description:

You have configured the MBAM application server and MBAM database server, and set a GPO for drive encryption to run automatically with minimal user interaction. However, when you test it, it shows the error "failed to encrypt".

When you look at the Event Viewer on the client machine, it says "Unable to connect to the MBAM Recovery and Hardware Service". It also gives Error Code: -2143485947 and the detail "Access was denied by the remote endpoint".

Resolution:
Make sure the account for the MBAM web application pool has the correct SPNs.
You can use the following commands to set the SPN for both the FQDN and the NetBIOS name.

Setspn -s http/mbamvirtual contoso\mbamapppooluser
Setspn -s http/mbamvirtual.contoso.com contoso\mbamapppooluser

Wednesday, June 16, 2021

Error when Encrypting Drive in BitLocker with MBAM

Description:

You have configured the MBAM application server and MBAM database server, and set a GPO for drive encryption to run automatically with minimal user interaction. However, when you test it, it shows the error "failed to encrypt".

When you look at the Event Viewer on the client machine, it says "an error occurred while applying MBAM policies" and gives error code -2147217402.

Resolution:

Please update the MBAM client on that machine to the latest servicing update. At the moment it can be downloaded from Download Microsoft Desktop Optimization Pack October 2020 Servicing Release from Official Microsoft Download Center. After restart you will see the encryption process is running successfully.

Thursday, May 20, 2021

Error when Granting Access to the User at tenant root scope “/” to deploy Enterprise-Scale

Description:

You want to deploy Enterprise-Scale Architecture at your Azure Environment.

One of the prerequisites is to explicitly provide a role assignment (RBAC) at the tenant root scope via the CLI or PowerShell (note: there is no portal UX to make this role assignment).

However, several errors occurred when you tried to run the following commands in the Azure CLI to provide the role assignment.

  • az login

Error message: The following tenants don't contain accessible subscriptions. Use 'az login --allow-no-subscriptions' to have tenant level access.

  • az role assignment create --scope '/'  --role 'Owner' --assignee-object-id $(az ad signed-in-user show --query  objectId)

Error message: Failed to query --assignee-principal-type for "7786a679-034b-42cc-a23a-xxxxxxxxxxxx" by invoking Graph API. RBAC server might reject creating role assignment without --assignee-principal-type in the future. Better to specify --assignee-principal-type manually. The Principal ID '"7786a679-034b-42cc-a23a-xxxxxxxxxxxx"' is not valid. Principal ID must be a GUID.

Resolution:

To fix the issue, the command needs some small changes. Instead of using the above command, try to use the following command:

  • az login -t yourdomainname.onmicrosoft.com
  • az role assignment create --scope '/'  --role 'Owner' --assignee-object-id "7786a679-034b-42cc-a23a-xxxxxxxxxxx"
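As an added example (not from the original post), the same assignment done from PowerShell with the Azure CLI: the object id is read back as plain text (-o tsv) rather than as a JSON string, which is what left the stray quotes that triggered the "Principal ID must be a GUID" error, and the principal type is stated explicitly as the warning asks. yourdomainname.onmicrosoft.com is a placeholder.

```powershell
# Added example (not from the original post): tenant-root Owner assignment for the
# signed-in user, with the object id resolved cleanly and the principal type given.
az login -t yourdomainname.onmicrosoft.com --allow-no-subscriptions | Out-Null

# -o tsv yields the bare GUID. Current az versions return the id as 'id';
# older releases (as in the post) called it 'objectId'.
$objectId = az ad signed-in-user show --query id -o tsv
if ($objectId -notmatch '^[0-9a-fA-F-]{36}$') {
    throw "Unexpected object id '$objectId'; on an older az CLI try --query objectId instead."
}

# Scope '/' is the tenant root; Owner here is deliberately broad, so review it afterwards.
az role assignment create --scope '/' --role 'Owner' `
    --assignee-object-id $objectId --assignee-principal-type User

# Verify what was granted at the root scope.
az role assignment list --scope '/' --assignee $objectId -o table
```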

Wednesday, May 12, 2021

How to connect to RDP with Azure AD account?

Description:
You have an Azure AD joined machine in the network and want to use Azure AD credentials to connect to it over Remote Desktop.
You try to enter the Azure AD username and password when prompted, but the login always fails.

Resolution:
1. Open Control Panel and go to System, then open Remote settings.
2. Uncheck the Allow connections only from computers running Remote Desktop with Network Level Authentication.
3. Edit the RDP connection file in notepad.
4. Add a line to the file and type "enablecredsspsupport:i:0". Save the File.
5. Use the RDP connection file to connect to the Azure AD  joined machine.

Sunday, April 18, 2021

Azure Service Endpoints vs Private Link

Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.

Service Endpoints do have some limitations or downsides. Firstly it is key to remember that traffic to a Service Endpoint is still leaving your virtual network, and the Azure PaaS resource is still being accessed on its public address. Service Endpoints cannot be used by traffic originating on-premises, through VPN or Express Route, only for traffic coming from your Azure Virtual Network.

Private Link is a newer solution than Service Endpoints, introduced about a year ago. The key difference between Private Link and Service Endpoints is that with Private Link you inject the multi-tenant PaaS resource into your virtual network. With Service Endpoints, traffic still leaves your VNet and hits the public endpoint of the PaaS resource; with Private Link, the PaaS resource sits within your VNet and gets a private IP on your VNet. When you send traffic to the PaaS resource, it does not leave the virtual network.

Private Link also allows access from resources on your on-premises network through VPN or ExpressRoute, and from peered networks. You can also connect to resources across regions.

How to choose?

According to https://samcogan.com/service-endpoints-and-private-link-whats-the-difference/

Service Endpoints are more straightforward and easier to set up than Private Link. You can enable Service Endpoints with a couple of clicks in the portal, and there is no requirement for any additional services. Private Link, however, requires you to implement DNS changes and possibly use Azure Private DNS, it also requires deciding where the service will attach to your Virtual Network. So if you need some additional access restriction for your PaaS Services quickly, or don’t have the rights or knowledge to make changes to DNS, then Service Endpoints are probably the way to go.

Other than complexity, Private Link is superior to Service Endpoints in nearly every other way.

Azure Load Balancing

Azure provides various options for load balancing services that you can use to distribute your workloads across multiple computing resources:

  • Application Gateway
  • Front Door
  • Load Balancer
  • Traffic Manager

So how do you choose? At https://docs.microsoft.com/en-us/azure/architecture/guide/technology-choices/load-balancing-overview there is a flowchart that helps make the right choice.



Saturday, April 10, 2021

Azure Private Endpoint, Private Link, and Private Link Service

Azure Private Endpoint

Azure Private Endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. Private Endpoint uses a private IP address from your VNet, effectively bringing the service into your VNet. The service could be an Azure service such as Azure Storage, Azure Cosmos DB, SQL, etc.

Azure Private Link

Azure Private Link enables you to access Azure PaaS Services (for example, Azure Storage and SQL Database) and Azure hosted customer-owned/partner services over a private endpoint in your virtual network

Azure Private Link Service

Azure Private Link Service is the reference to your own service that is powered by Azure Private Link. Your service that is running behind Azure Standard Load Balancer can be enabled for Private Link access so that consumers to your service can access it privately from their own VNets. Your customers can create a private endpoint inside their VNet and map it to this service.



ExpressRoute Direct VS FastPath VS Global Reach

ExpressRoute Direct

ExpressRoute Direct gives you the ability to connect directly into Microsoft’s global network at peering locations strategically distributed around the world. ExpressRoute Direct provides dual 100 Gbps or 10-Gbps connectivity, which supports Active/Active connectivity at scale. You can work with any service provider for ER Direct.



ExpressRoute FastPath

ExpressRoute virtual network gateway is designed to exchange network routes and route network traffic. FastPath is designed to improve the data path performance between your on-premises network and your virtual network. When enabled, FastPath sends network traffic directly to virtual machines in the virtual network, bypassing the gateway.

ExpressRoute Global Reach

ExpressRoute Global Reach is designed to complement your service provider’s WAN implementation and connect your branch offices across the world. For example, if your service provider primarily operates in the United States and has linked all of your branches in the U.S., but the service provider doesn’t operate in Japan and Hong Kong, with ExpressRoute Global Reach you can work with a local service provider and Microsoft will connect your branches there to the ones in the U.S. using ExpressRoute and our global network.



ExpressRoute Private Peering VS Microsoft Peering in Azure

 

Azure Private Peering

Azure compute services, namely virtual machines (IaaS) and cloud services (PaaS), that are deployed within a virtual network can be connected through the private peering domain. The private peering domain is considered to be a trusted extension of your core network into Microsoft Azure. You can set up bi-directional connectivity between your core network and Azure virtual networks (VNets). This peering lets you connect to virtual machines and cloud services directly on their private IP addresses. You can connect more than one virtual network to the private peering domain.

Microsoft Peering

Connectivity to Microsoft online services (Microsoft 365 and Azure PaaS services) occurs through Microsoft peering. We enable bi-directional connectivity between your WAN and Microsoft cloud services through the Microsoft peering routing domain. You must connect to Microsoft cloud services only over public IP addresses that are owned by you or your connectivity provider and you must adhere to all the defined rules.


The recommended configuration is that private peering is connected directly to the core network, and the public and Microsoft peering links are connected to your DMZ.

Availability Sets VS Availability Zones in Azure

Availability Sets

Availability Sets are for virtual machines only. When you configure virtual machines in an availability set, they are spread across isolated, separate physical servers, compute racks, storage units and network switches within a single datacentre in an Azure region.

Availability Zones

Availability Zones can be used by many Azure services, including virtual machines. With Availability Zones, your workload is spread across the different zones that make up an Azure region. An Azure region is made up of multiple datacentres, and each zone is made up of one or more datacentres. Each datacentre is equipped with independent power, cooling and networking.

Availability Zones have a better SLA compared to Availability Sets.

Sunday, March 28, 2021

Azure AD Connect account usage

Azure AD Connect uses 3 accounts in order to synchronize information from on-premises or Windows Server Active Directory to Azure Active Directory. These accounts are:

  • AD DS Connector account: used to read/write information to Windows Server Active Directory

  • ADSync service account: used to run the synchronization service and access the SQL database

  • Azure AD Connector account: used to write information to Azure AD

In addition to these three accounts used to run Azure AD Connect, you will also need the following additional accounts to install Azure AD Connect. These are:

  • Local Administrator account: The administrator who is installing Azure AD Connect and who has local Administrator permissions on the machine.

  • AD DS Enterprise Administrator account: Optionally used to create the “AD DS Connector account” above.

  • Azure AD Global Administrator account: used to create the Azure AD Connector account and configure Azure AD. 

  • SQL SA account (optional): used to create the ADSync database when using the full version of SQL Server. This SQL Server may be local or remote to the Azure AD Connect installation. This account may be the same account as the Enterprise Administrator. Provisioning the database can now be performed out of band by the SQL administrator and then installed by the Azure AD Connect administrator with database owner rights.

Cannot Start Azure ATP or Defender for Identity Services when using gMSA

Description:

You are deploying Azure Advanced Threat Protection (AATP) or Microsoft Defender for Identity (MDI) in your multi-domain, single-forest IT environment. You plan to use a gMSA account as the Defender for Identity service account when communicating with Active Directory.
You have created a new universal or domain local group and added all of the Domain Controllers in the forest to that group. You have also created the gMSA account and configured that group to be able to retrieve its password and use the account.
However, when you configure MDI to use the gMSA account, the sensor services on the Domain Controllers cannot start.

Resolution:

Make sure you have restarted the Domain Controllers that you put in the new universal or domain local group; a computer's new group membership only appears in its security token after it restarts. After the Domain Controller restart, log in and notice that the Azure ATP sensor services start properly. A delayed start is expected for the Azure ATP services.

How to Add NT Service\All Services group to Active Directory User Rights Assignment

Description:

You want to use a group Managed Service Account (gMSA) in multiple domains of your forest. You also have a Group Policy that manages the User Rights Assignment settings in Active Directory. You need to add NT Service\All Services to those User Rights Assignment policies.

Resolution:

  1. Open up Group Policy Manager, and edit the Group Policy. Example is the “Default Domain Controller Policy” if you want to modify the user Rights Assignment at Domain Controllers.
  2. Navigate down to “Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment”
  3. Edit the “Log on as a service” properties and ensure the box next to “Define these policy settings:” is ticked. Click “Add User or Group” and manually type “NT SERVICE\ALL SERVICES” (Do Not Click Browse)
  4. Click OK twice
  5. Close the Group Policy Manager

Saturday, March 27, 2021

Error when Configuring Azure AD Connect - Authorization Manager check failed

Description:

When you configure Azure AD Connect, you encounter an Authorization Manager check failed error message.

It says "An error occurred while retrieving the Active Directory Schema. The error are: AuthorizationManager check failed."

Resolution:

Try manually installing the Microsoft certificate:

  1. Go to C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1
  2. Right click the file, and open properties
  3. Go to 'Digital Signatures' tab and open the details for the certificate
  4. Click View certificate
  5. Click Install certificate for local machine
  6. Manually choose to store certificates at 'Trusted publishers'
  7. Click Ok to close the certificate wizard.
  8. Go Back to the Azure AD Connect Wizard > Click Previous > and Click Next again.

Error when configuring Azure AD Connect at MSOnline.Format.ps1xml file

Description:

When you configure Azure AD Connect, you encounter the same AuthorizationManager check failed error, this time at the MSOnline.Format.ps1xml file.

The message reads: " Unable to retrieve the Azure Active Directory configuration. Errors occurred while reading the format data file: Microsoft.PowerShell, , C:\Program Files\Microsoft Active Directory Connect\AADPowerShell\MSOnline.Format.ps1xml: The file was skipped because of the following validation exception: AuthorizationManager check failed."



Resolution:

Manually install the Microsoft code-signing certificate that signed the file into the Trusted Publishers store:

  1. Go to C:\Program Files\Microsoft Azure Active Directory Connect\AADPowerShell\MSOnline.Format.ps1xml
  2. Right-click the file and open Properties.
  3. Go to the 'Digital Signatures' tab and open the details for the certificate.
  4. Click View Certificate.
  5. Click Install Certificate and choose Local Machine as the store location.
  6. Choose 'Place all certificates in the following store' and select 'Trusted Publishers'.
  7. Click OK to close the certificate wizard.
  8. Go back to the Azure AD Connect wizard, click Previous, then click Next again.
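"AuthorizationManager check failed" comes from PowerShell's script authorization layer, most often when the execution policy is AllSigned (usually pushed by Group Policy) and the signer's certificate is not in the Trusted Publishers store, which is why both posts above fix it by installing that certificate. The following added example (not from the original posts) gathers the facts needed to confirm that diagnosis for both files: the execution policy per scope, the Authenticode signature status, whether the signer is already trusted, and whether the file carries an Internet zone mark. The install paths are the ones the posts give and may differ on your server.

```powershell
# Added example (not from the original posts): explain an "AuthorizationManager check failed"
# on the Azure AD Connect PowerShell files. Paths follow the posts above; adjust if your
# install location differs. Run in an elevated PowerShell on the Azure AD Connect server.
$files = @(
    'C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1',
    'C:\Program Files\Microsoft Azure Active Directory Connect\AADPowerShell\MSOnline.Format.ps1xml'
)

# 1. Effective execution policy per scope. A value under MachinePolicy or UserPolicy means
#    Group Policy controls it and Set-ExecutionPolicy cannot override it locally.
Write-Host '== Execution policy by scope =='
Get-ExecutionPolicy -List | Format-Table -AutoSize

# 2. Signature state and publisher trust for each file.
$trusted = Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Select-Object -ExpandProperty Thumbprint
foreach ($f in $files) {
    Write-Host "== $f =="
    if (-not (Test-Path $f)) { Write-Warning 'file not found (install path may differ)'; continue }

    $sig = Get-AuthenticodeSignature -FilePath $f
    # Status is one of Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
    Write-Host ("Signature status : {0}" -f $sig.Status)
    if ($sig.SignerCertificate) {
        Write-Host ("Signer           : {0}" -f $sig.SignerCertificate.Subject)
        Write-Host ("Thumbprint       : {0}" -f $sig.SignerCertificate.Thumbprint)
        Write-Host ("In LocalMachine\TrustedPublisher: {0}" -f ($trusted -contains $sig.SignerCertificate.Thumbprint))
    }

    # 3. A Zone.Identifier alternate data stream marks the file as downloaded from the Internet,
    #    which RemoteSigned also treats as requiring a trusted signature.
    $zone = Get-Item -Path $f -Stream Zone.Identifier -ErrorAction SilentlyContinue
    Write-Host ("Marked as downloaded (Zone.Identifier): {0}" -f [bool]$zone)
}
```

If MachinePolicy shows AllSigned and the signer is not in Trusted Publishers, installing the certificate as described above is the correct fix; do not weaken the execution policy on a directory synchronization server. If the status is HashMismatch, the file has been altered or corrupted and should be replaced by re-running the installer rather than trusted.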


Friday, March 26, 2021

Group Managed Service Accounts (gMSA) - PowerShell Command

Following are several useful group Managed Service Account (gMSA) PowerShell commands. ITFarm1, ITFarmHosts, Host1 and Host3 are example names.

  • To query Active Directory for the list of hosts where a specific gMSA can be used, run:
    • Get-ADServiceAccount -Identity ITFarm1 -Properties PrincipalsAllowedToRetrieveManagedPassword
  • To set the member hosts where the gMSA can be used, run the following. Note that this parameter replaces the whole list rather than appending to it, so include every host (or use a group) each time:
    • Set-ADServiceAccount -Identity ITFarm1 -PrincipalsAllowedToRetrieveManagedPassword Host1$,Host3$
  • To install the gMSA on a host, run the following on the host itself (the ActiveDirectory module must be present there):
    • Install-ADServiceAccount -Identity ITFarm1
  • To create a new gMSA, run the following. A KDS root key must already exist in the forest, and ITFarmHosts is the security group containing the computer accounts allowed to retrieve the password:
    • New-ADServiceAccount -Name ITFarm1 -DNSHostName ITFarm1.contoso.com -PrincipalsAllowedToRetrieveManagedPassword ITFarmHosts
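The commands above are easiest to understand as one lifecycle. The following added example (not from the original post) strings them together: KDS root key check, host group, account creation, a safe way to append a principal without wiping the existing list, and the on-host install and test. The names follow the post's examples and are placeholders.

```powershell
# Added example (not from the original post): end-to-end gMSA lifecycle in PowerShell.
# ITFarm1, ITFarmHosts, Host1/Host2/Host3 and contoso.com are placeholders from the post.
# Run on a domain-joined admin workstation with the ActiveDirectory module; the
# Install/Test steps at the end run on the member host itself.
Import-Module ActiveDirectory

$gmsa      = 'ITFarm1'
$hostGroup = 'ITFarmHosts'
$dnsName   = "$gmsa.contoso.com"

# 0. A gMSA needs a KDS root key in the forest. -EffectiveImmediately is for labs; in
#    production use Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(10)) and wait.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 1. Group the hosts allowed to retrieve the password; managing group membership is easier
#    than rewriting the principal list on the account.
if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $hostGroup -Members 'Host1$', 'Host3$'
# Hosts must restart after joining the group so their Kerberos ticket carries the membership.

# 2. Create the gMSA bound to the host group.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsa'")) {
    New-ADServiceAccount -Name $gmsa -DNSHostName $dnsName `
        -PrincipalsAllowedToRetrieveManagedPassword $hostGroup
}

# 3. Append a principal without dropping the existing ones. Set-ADServiceAccount
#    -PrincipalsAllowedToRetrieveManagedPassword REPLACES the list, so read it first.
function Add-GmsaPrincipal {
    param([string]$Account, [string]$PrincipalSamAccountName)
    $current = (Get-ADServiceAccount -Identity $Account -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword
    $extra   = (Get-ADObject -Filter "sAMAccountName -eq '$PrincipalSamAccountName'").DistinguishedName
    if (-not $extra) { throw "Principal $PrincipalSamAccountName not found" }
    $new = @($current) + $extra | Select-Object -Unique
    Set-ADServiceAccount -Identity $Account -PrincipalsAllowedToRetrieveManagedPassword $new
}
Add-GmsaPrincipal -Account $gmsa -PrincipalSamAccountName 'Host2$'

# 4. Review who can read the password (expect the group plus Host2$).
(Get-ADServiceAccount -Identity $gmsa -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword

# 5. On each member host (needs RSAT-AD-PowerShell there):
#    Install-ADServiceAccount -Identity ITFarm1
#    Test-ADServiceAccount -Identity ITFarm1   # True when this host can retrieve the password
```

Test-ADServiceAccount returning False on a host that is in the group almost always means the host has not been restarted since it was added, or the KDS root key is not yet effective.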

Removing Extended Rights delegation on AdminSDHolder

Description:

You have Active Directory and Exchange servers running in your environment. One day, the Security team tells you that they found an account with excessive access on the AdminSDHolder container: "DomainName\Exchange Servers" holds the Extended Right "Replication Synchronization". You want to remove this excessive access.

First, you try to remove it through the GUI. Open the Active Directory Users and Computers console (with Advanced Features enabled), go to System, then to the AdminSDHolder container. Right-click, open Properties, open Security and click Advanced. You search for "DomainName\Exchange Servers" with the permission Replication Synchronization, but cannot find it.

Second, you confirm the existence of the extended right by running the following command:

DSACLS "CN=AdminSDHolder,CN=System,DC=DomainName,DC=Local"

The output confirms that the permission exists.

Third, you try to remove it with the Exchange Management Shell, running the following PowerShell command:

Remove-ADPermission -Identity "CN=AdminSDHolder,CN=System,DC=DomainName,DC=Local" -User "DomainName\Exchange Servers" -ExtendedRights "Replication Synchronization"

However, it fails with an access denied error.

Resolution:

You can remove the Extended Right from the AdminSDHolder container with LDP.exe:

  1. Open LDP.exe.
  2. Go to Connection > Connect > click OK.
  3. Go to Connection > Bind > click OK (bind as a Domain Admin).
  4. Click View > Tree.
  5. Enter the Base DN "DC=DomainName,DC=Local" and click OK.
  6. On the left, expand the domain, expand "CN=System,DC=DomainName,DC=Local" and right-click the AdminSDHolder container.
  7. Click Advanced > Security Descriptor.
  8. Tick the SACL box and click OK.
  9. Scroll down until you find the ACE for "DomainName\Exchange Servers" carrying the Replication Synchronization right.
  10. Click Delete ACE and select Yes.
  11. Click Update to commit the change.
  12. Close LDP.exe.
Note:
Be careful when removing this right, as it may affect the behaviour of your Exchange servers. Test in a non-production environment first, and re-check AdminSDHolder after Exchange cumulative updates, since Exchange setup (/PrepareAD) can re-apply its default permissions.
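For a scripted, repeatable alternative to the LDP.exe steps, the following added example (not from the original post) locates the ACE on AdminSDHolder by trustee SID and by the GUID of the DS-Replication-Synchronize control access right (1131f6ab-9c07-11d1-f79f-00c04fc2dcd2, from the AD schema) and removes only that ACE through the AD: PowerShell drive. It is a dry run unless -Commit is passed; the trustee name is the post's placeholder. It needs the same write-DACL permission on AdminSDHolder that the LDP procedure needs.

```powershell
# Added example (not from the original post): find and remove the Replication Synchronization
# extended right granted to a trustee on AdminSDHolder via the AD: drive. Dry run by default.
param(
    [string]$Trustee = 'DomainName\Exchange Servers',   # placeholder from the post
    [switch]$Commit
)
Import-Module ActiveDirectory

# DS-Replication-Synchronize control access right (rightsGuid in the Extended-Rights container).
$replSyncGuid = [guid]'1131f6ab-9c07-11d1-f79f-00c04fc2dcd2'

$domainDN = (Get-ADDomain).DistinguishedName
$path     = "AD:\CN=AdminSDHolder,CN=System,$domainDN"
$acl      = Get-Acl -Path $path

# Match on SID rather than display name so "DomainName\Exchange Servers" vs. NetBIOS/FQDN
# formatting differences do not matter.
$sid = (New-Object System.Security.Principal.NTAccount($Trustee)).Translate([System.Security.Principal.SecurityIdentifier])
function Get-AceSid($ace) {
    try { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) } catch { $null }
}

# Extended-right ACEs carry the right's GUID in ObjectType.
$hits = $acl.Access | Where-Object {
    (Get-AceSid $_) -eq $sid -and
    (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
    $_.ObjectType -eq $replSyncGuid
}

if (-not $hits) {
    Write-Host "No Replication Synchronization ACE for $Trustee on AdminSDHolder."
    return
}

foreach ($ace in $hits) {
    Write-Host ("Found: {0} {1} ObjectType={2} Inherited={3}" -f $ace.IdentityReference, $ace.AccessControlType, $ace.ObjectType, $ace.IsInherited)
    if ($ace.IsInherited) {
        Write-Warning 'ACE is inherited; remove it on the parent or break inheritance instead.'
        continue
    }
    [void]$acl.RemoveAccessRule($ace)
}

if ($Commit) {
    Set-Acl -Path $path -AclObject $acl
    Write-Host 'AdminSDHolder DACL updated.'
} else {
    Write-Host 'Dry run only; re-run with -Commit to apply.'
}

# Verify afterwards with the same check the post uses:
#   dsacls "CN=AdminSDHolder,CN=System,$domainDN" | Select-String 'Exchange Servers'
```

Avoid the tempting shortcut dsacls ... /R "DomainName\Exchange Servers": /R removes every ACE for that trustee on the object, not just the one right, which is a larger change to Exchange's permissions than the Security team asked for.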

Sunday, March 21, 2021

Prerequisites and Best Practices for Changing ADFS Account

Description:

You have an ADFS farm and want to change the existing ADFS service account. You already have the step-by-step procedure and the PowerShell module for changing the service account, as written in another article on this blog. However, you want to know whether there are prerequisites or problems you might encounter during the process.

Resolution:

The prerequisites for changing the ADFS service account are:

  1. On each machine in the ADFS farm, install the following:
    • Visual C++ Redistributable for Visual Studio 2017
    • ODBC Driver 17 for SQL Server
    • SQLCMD.exe from the Microsoft command line utilities for Microsoft SQL Server 2019
  2. Enable the AD DS and AD LDS Tools (Active Directory module for Windows PowerShell) from Server Manager on all ADFS servers.
  3. A Domain Admin account.
Best practices:
  1. Run the command to change the service account as a Domain Admin. Log on interactively to the ADFS server with that account; avoid "Run as".
  2. The ADFS services are restarted during the process, so federated sign-in is briefly unavailable. Plan the maintenance window carefully.
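Checking the three software prerequisites by hand on every farm node is error-prone, so the following added example (not from the original post) does it over PowerShell remoting. The node names are placeholders; on Windows Server 2016 or later you can obtain them from Get-AdfsFarmInformation on a farm member. The registry key used for the Visual C++ runtime and the exact ODBC driver name are assumptions to verify against your build.

```powershell
# Added example (not from the original post): verify the ADFS service-account-change
# prerequisites on each farm node. Requires WinRM to the nodes and an admin account.
param(
    [string[]]$Nodes = @('adfs01.contoso.com', 'adfs02.contoso.com')   # placeholders
)

$check = {
    $r = [ordered]@{ Node = $env:COMPUTERNAME }

    # Visual C++ 2015-2019 x64 runtime registers here with Installed=1 (assumed key).
    $vc = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x64' -ErrorAction SilentlyContinue
    $r.VCRedist2017 = [bool]($vc -and $vc.Installed -eq 1)
    $r.VCVersion    = $vc.Version

    # ODBC Driver 17 shows up as an installed 64-bit ODBC driver.
    $r.OdbcDriver17 = [bool](Get-OdbcDriver -Name 'ODBC Driver 17 for SQL Server' -Platform '64-bit' -ErrorAction SilentlyContinue)

    # sqlcmd.exe from the SQL Server command-line utilities must be resolvable on PATH.
    $sqlcmd = Get-Command sqlcmd.exe -ErrorAction SilentlyContinue
    $r.SqlCmd     = [bool]$sqlcmd
    $r.SqlCmdPath = $sqlcmd.Source

    # AD DS and AD LDS Tools provide the ActiveDirectory module.
    $r.ADPowerShell = (Get-WindowsFeature RSAT-AD-PowerShell).Installed

    # Record the current ADFS service account before the change.
    $r.AdfsServiceAccount = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName
    [pscustomobject]$r
}

$results = Invoke-Command -ComputerName $Nodes -ScriptBlock $check
$results | Format-Table Node, VCRedist2017, VCVersion, OdbcDriver17, SqlCmd, ADPowerShell, AdfsServiceAccount -AutoSize

$missing = $results | Where-Object { -not ($_.VCRedist2017 -and $_.OdbcDriver17 -and $_.SqlCmd -and $_.ADPowerShell) }
if ($missing) {
    Write-Warning ('Prerequisites missing on: ' + ($missing.Node -join ', '))
} else {
    Write-Host 'All nodes meet the prerequisites.'
}
```

The AdfsServiceAccount column should show the same account on every node; a farm where nodes disagree is already inconsistent and should be fixed before the change is attempted.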

Sunday, March 14, 2021

Recover Active Directory after Ransomware Attack if you only have VM Snapshot

Description:

You have a security incident in Active Directory where a ransomware attack encrypted your vCenter infrastructure, including the Domain Controller VMs. All you have left is a VM snapshot from a month before the attack.

Resolution:

Although VM snapshots are not a recommended Active Directory backup method (reverting a DC to a snapshot while other DCs still exist causes USN rollback), in this situation you can use what you have.

You can follow this high-level guidance.

1. Choose a snapshot from a time before the malware or malicious file entered your production environment.

2. Recover only a single Domain Controller from the snapshot, preferably one that does not hold any Flexible Single Master Operation (FSMO) role. The remaining DCs will be rebuilt from scratch and populated through AD replication.

3. Perform the recovery in an isolated network.

4. Make sure Active Directory recovers successfully, and that SYSVOL and NETLOGON are shared properly.

5. Seize the FSMO roles to the recovered Domain Controller. Perform metadata cleanup of the remaining DCs.

6. Raise the RID pool (rIDAvailablePool) so that RIDs issued after the snapshot was taken are never reused.

7. Reset all high-privilege account passwords twice, including the krbtgt account.

8. Install security patches and update the antivirus.

9. Connect the new Domain Controller to the production network.

10. Re-create users or re-join computers as needed.

11. Continue building new Domain Controllers from clean machines as needed.

Note:

This guidance assumes you can get a snapshot from before the attack occurred. Attackers often gain access many months before the encryption event, which makes recovering from a snapshot much less useful: the snapshot may already contain their footholds.
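Steps 4 to 7 are where mistakes on a lone recovered DC are costly, so the following added example (not from the original post) carries them out as PowerShell on that DC inside the isolated network: share check, FSMO seizure, the rIDAvailablePool increase, and the double krbtgt and privileged-account resets. Everything is a dry run unless -Commit is given. The 100000 RID increment follows Microsoft's forest recovery guidance; group and account names are placeholders.

```powershell
# Added example (not from the original post): post-snapshot-recovery steps on the single
# recovered DC, run locally and elevated. Dry run unless -Commit is passed.
param([switch]$Commit)
Import-Module ActiveDirectory
$wi = -not $Commit

$dc       = $env:COMPUTERNAME
$domainDN = (Get-ADDomain).DistinguishedName

# Step 4: SYSVOL and NETLOGON must be shared before clients can apply policy or log on.
$shares = @(Get-SmbShare -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue)
if ($shares.Count -lt 2) {
    throw 'SYSVOL/NETLOGON not shared yet; check DFSR state (dcdiag /test:netlogons) before continuing.'
}

# Step 5: seize all five FSMO roles onto this DC; the original holders no longer exist.
Move-ADDirectoryServerOperationMasterRole -Identity $dc -Force -WhatIf:$wi `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# Step 6: raise the RID pool so RIDs handed out between snapshot and attack are never reused.
# rIDAvailablePool is a 64-bit value: low 32 bits = next RID to allocate, high 32 bits = max RID.
$ridMgr = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$domainDN" -Properties rIDAvailablePool
$old = [int64]$ridMgr.rIDAvailablePool
$new = $old + 100000
Write-Host ("rIDAvailablePool next RID: {0} -> {1}" -f ($old -band 0xFFFFFFFF), ($new -band 0xFFFFFFFF))
Set-ADObject -Identity $ridMgr -Replace @{ rIDAvailablePool = $new } -WhatIf:$wi

# Step 7: reset krbtgt twice so Golden Tickets forged with the old key stop working.
# Nobody needs to know the krbtgt password, so it is random and discarded.
function New-RandomSecurePassword {
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}
1..2 | ForEach-Object {
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (New-RandomSecurePassword) -WhatIf:$wi
}

# Privileged humans: the operator types each new password (twice per account, as the post says).
$privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }
foreach ($u in $privileged) {
    Write-Host "Resetting $($u.SamAccountName)"
    if ($Commit) { 1..2 | ForEach-Object { Set-ADAccountPassword -Identity $u -Reset } }
    else { Write-Host "  (dry run) Set-ADAccountPassword -Identity $($u.SamAccountName) -Reset  x2" }
}
```

Extend the privileged list to Enterprise Admins, Schema Admins, Administrators and any service accounts with delegated rights. In a normal (non-isolated) forest the two krbtgt resets are spaced apart so replication completes between them; here there is nothing to replicate to, so back-to-back is acceptable. Microsoft's full forest recovery guidance also invalidates the recovered DC's current RID pool and resets the DC computer account and trust passwords; do those before reconnecting to production.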



Sunday, March 7, 2021

Point Client Machine or Member Server to a Specific Domain Controller

There may be times when you want to steer client machines or member servers to a specific Domain Controller. One possible reason is that you are hardening the Domain Controllers or Active Directory and want to test the impact on a limited set of production systems before rolling out company-wide.

Note that this steers the DC locator; it is not a hard restriction. If the DC in the test site is unavailable, the client falls back to a DC in another site, and applications that target a DC explicitly are unaffected.

To point a client or member server at a specific DC, do the following:

1. Open the Active Directory Sites and Services console.

  • Create a new site.
  • Assign the subnet of the pilot machines to that site.
  • Move the specific Domain Controller to that site.

2. Open Registry Editor on the client or member server.

  • Navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  • Add a value named SiteName (a multi-string value, REG_MULTI_SZ, is used here; Microsoft's Netlogon documentation lists the value as REG_SZ).
  • Set the value data to the new site name.

3. Restart the client or member server to pick up the new setting. If you cannot restart the machine, run the following command to force the DC locator to rediscover:

nltest /dsgetdc:domainname /force

Remove the SiteName value once testing is done; otherwise the machine keeps ignoring its real subnet-to-site mapping.
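The same procedure in PowerShell, as an added example that is not part of the original post: Part A builds the test site and moves the DC (run with the ActiveDirectory module and Domain Admin rights), Part B pins a pilot machine to it and verifies the result (run elevated on the client). Site, subnet and DC names are placeholders. The registry value is written as REG_SZ, following Microsoft's Netlogon documentation rather than the REG_MULTI_SZ used above.

```powershell
# Added example (not from the original post): site-based steering to a specific DC.
# --- Part A: carve out a test site holding only the hardened DC (admin workstation) ---
Import-Module ActiveDirectory
$site   = 'Test-Hardening'     # placeholder
$subnet = '10.10.50.0/24'      # placeholder: subnet of the pilot clients
$dc     = 'DC03'               # placeholder: the hardened DC

if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
    New-ADReplicationSite -Name $site
}
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
    New-ADReplicationSubnet -Name $subnet -Site $site
} else {
    Set-ADReplicationSubnet -Identity $subnet -Site $site   # re-home an existing subnet
}
# Moving the DC changes replication topology; give the KCC a few minutes to rebuild links.
Move-ADDirectoryServer -Identity $dc -Site $site

# --- Part B: pin a pilot machine to that site (run elevated on the client) ---
$site = 'Test-Hardening'
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
New-ItemProperty -Path $key -Name SiteName -PropertyType String -Value $site -Force | Out-Null

# Force the DC locator to rediscover instead of waiting for a reboot, then verify.
$domain = (Get-CimInstance Win32_ComputerSystem).Domain
nltest "/dsgetdc:$domain" /force      # the DC line should name the hardened DC
nltest /dsgetsite                     # should print Test-Hardening
Get-ItemProperty -Path $key -Name SiteName

# Roll back when the pilot is over:
#   Remove-ItemProperty -Path $key -Name SiteName; nltest "/dsgetdc:$domain" /force
```

If nltest still returns another DC, check that the pilot machine's address actually falls inside the subnet assigned to the site and that the moved DC has finished registering its site-specific SRV records in DNS.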


Saturday, March 6, 2021

Integrating Dahua CCTV with Hikvision NVR

Description:

You have a Hikvision PoE IP NVR up and running and want to add a Dahua IP camera to it.

Resolution:

1. Change the Dahua camera's IP address to one within the Hikvision NVR's existing PoE subnet. Make sure there is no IP conflict.

2. Enable ONVIF on the Hikvision NVR.

Go to Maintenance > ONVIF > Enable ONVIF

3. Add the Dahua camera to the Hikvision NVR.

Go to Camera > click the camera channel the Dahua camera is connected to > click Edit

Choose Manual, enter the camera's IP address, select ONVIF as the protocol, select 80 as the management port, enter the Dahua camera's username and password (change the factory default before putting the camera into service), and click OK.


