
Sunday, March 28, 2021

Azure AD Connect account usage

Azure AD Connect uses three accounts to synchronize information from on-premises (Windows Server) Active Directory to Azure Active Directory. These accounts are:

  • AD DS Connector account: used to read/write information to Windows Server Active Directory

  • ADSync service account: used to run the synchronization service and access the SQL database

  • Azure AD Connector account: used to write information to Azure AD

In addition to these three accounts used to run Azure AD Connect, you also need the following accounts to install it:

  • Local Administrator account: The administrator who is installing Azure AD Connect and who has local Administrator permissions on the machine.

  • AD DS Enterprise Administrator account: Optionally used to create the “AD DS Connector account” above.

  • Azure AD Global Administrator account: used to create the Azure AD Connector account and configure Azure AD. 

  • SQL SA account (optional): used to create the ADSync database when using the full version of SQL Server. This SQL Server may be local or remote to the Azure AD Connect installation. This account may be the same account as the Enterprise Administrator. Provisioning the database can now be performed out of band by the SQL administrator and then installed by the Azure AD Connect administrator with database owner rights.

Cannot Start Azure ATP or Defender for Identity Services when using gMSA

Description:

You are deploying Azure Advanced Threat Protection (AATP) or Microsoft Defender for Identity (MDI) in a multi-domain, single-forest environment. You plan to use a gMSA as the Defender for Identity service account when communicating with Active Directory.
You have created a new universal or domain local group and added all of the Domain Controllers in the forest to that group. You have also created the gMSA and configured that group to be allowed to retrieve the managed password and use the gMSA.
However, when you configure MDI to use the gMSA, the Sensor services on the Domain Controllers cannot be started.

Resolution:

Make sure you have restarted the Domain Controllers that you put inside the new universal or domain local group; a computer account only picks up a new group membership in its own security token at restart, so until then the DC is not allowed to retrieve the gMSA password. After the Domain Controller restart, log in and notice that the Azure ATP Sensor services start properly. A delayed start is expected for the Azure ATP services.

How to Add NT Service\All Services group to Active Directory User Rights Assignment

Description:

You want to use a group Managed Service Account (gMSA) in multiple domains of your forest. You also have a Group Policy that manages the User Rights Assignment settings in Active Directory. You need to add NT Service\All Services to those User Rights Assignment policies.

Resolution:

  1. Open up Group Policy Manager and edit the Group Policy. For example, edit the “Default Domain Controllers Policy” if you want to modify User Rights Assignment on the Domain Controllers.
  2. Navigate down to “Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment”
  3. Edit the “Log on as a service” properties and ensure the box next to “Define these policy settings:” is ticked. Click “Add User or Group” and manually type “NT SERVICE\ALL SERVICES” (Do Not Click Browse)
  4. Click OK twice
  5. Close the Group Policy Manager

Saturday, March 27, 2021

Error when Configuring Azure AD Connect - Authorization Manager check failed

Description:

When you configure Azure AD Connect, you encounter an "Authorization Manager check failed" error message.

The message reads: "An error occurred while retrieving the Active Directory Schema. The error are: AuthorizationManager check failed."



Resolution:

Try manually installing the Microsoft signing certificate:

  1. Go to C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1
  2. Right click the file, and open properties
  3. Go to 'Digital Signatures' tab and open the details for the certificate
  4. Click View certificate
  5. Click Install certificate for local machine
  6. Manually choose to store certificates at 'Trusted publishers'
  7. Click Ok to close the certificate wizard.
  8. Go Back to the Azure AD Connect Wizard > Click Previous > and Click Next again.

Error when configuring Azure AD Connect at MSOnline.Format.ps1xml file

Description:

When you configure Azure AD Connect, you encounter an "Authorization Manager check failed" error message.

The message reads: "Unable to retrieve the Azure Active Directory configuration. Errors occurred while reading the format data file: Microsoft.PowerShell, , C:\Program Files\Microsoft Active Directory Connect\AADPowerShell\MSOnline.Format.ps1xml: The file was skipped because of the following validation exception: AuthorizationManager check failed."



Resolution:

Try manually installing the Microsoft signing certificate:

  1. Go to C:\Program Files\Microsoft Azure Active Directory Connect\AADPowerShell\MSOnline.Format.ps1xml
  2. Right click the file, and open properties
  3. Go to 'Digital Signatures' tab and open the details for the certificate
  4. Click View certificate
  5. Click Install certificate for local machine
  6. Manually choose to store certificates at 'Trusted publishers'
  7. Click Ok to close the certificate wizard.
  8. Go Back to the Azure AD Connect Wizard > Click Previous > and Click Next again.
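The same fix applies to both of the Azure AD Connect posts above (AdSyncConfig.psm1 and MSOnline.Format.ps1xml). As an added example that is not part of the original posts, the following PowerShell performs the certificate check and import from an elevated prompt instead of the GUI; the file path is an assumption, so set it to whichever file the error names:

```powershell
# Added example (not from the original post): verify the Authenticode signature on the
# file named in the error, then place the signer certificate in the machine
# Trusted Publishers store, which is what the GUI steps above do by hand.
# $file is an assumption; use the path from your own error message.
$file = 'C:\Program Files\Microsoft Azure Active Directory Connect\AADPowerShell\MSOnline.Format.ps1xml'

$sig = Get-AuthenticodeSignature -FilePath $file
"Signature status: {0} ({1})" -f $sig.Status, $sig.StatusMessage

# Only trust a file whose signature chain is actually valid; a HashMismatch or
# NotSigned result means the file should be investigated, not trusted.
if ($sig.Status -ne 'Valid') {
    throw "Signature on '$file' is $($sig.Status); not adding the signer to Trusted Publishers."
}

$signer = $sig.SignerCertificate
"Signer : $($signer.Subject)"
"Issuer : $($signer.Issuer)"
"Thumb  : $($signer.Thumbprint)"

# Idempotent import into LocalMachine\TrustedPublisher (requires elevation).
$already = Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $_.Thumbprint -eq $signer.Thumbprint }
if (-not $already) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
        'TrustedPublisher', 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($signer)
    $store.Close()
    "Added signer to Trusted Publishers."
} else {
    "Signer already present in Trusted Publishers."
}

# Show the effective execution policy so you can see which scope is enforcing signing.
Get-ExecutionPolicy -List
```

After the import, go back to the Azure AD Connect wizard and click Previous, then Next, as in the steps above.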


Friday, March 26, 2021

Group Managed Service Accounts (gMSA) - PowerShell Command

The following are several useful group Managed Service Account (gMSA) PowerShell commands. ITFarm1 is the sample gMSA name used throughout.

  • To query Active Directory for the list of hosts that are allowed to use a specific gMSA, run:
    • Get-ADServiceAccount -Identity ITFarm1 -Properties PrincipalsAllowedToRetrieveManagedPassword
  • To set the member hosts that are allowed to use the gMSA (note that this replaces the existing list rather than appending to it), run:
    • Set-ADServiceAccount -Identity ITFarm1 -PrincipalsAllowedToRetrieveManagedPassword Host1$,Host3$
  • To install the gMSA on a host, run the following command on that host:
    • Install-ADServiceAccount -Identity ITFarm1
  • To create a new gMSA, run:
    • New-ADServiceAccount -Name ITFarm1 -DNSHostName ITFarm1.contoso.com -PrincipalsAllowedToRetrieveManagedPassword ITFarmHosts$
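The following script ties these commands together for the multi-domain Defender for Identity scenario described earlier on this page (a group holding every Domain Controller in the forest, and a gMSA that only that group may use). It is an added example, not code from the original posts; the group name, gMSA name and domain are assumptions, and Test-ADServiceAccount is used as the check that shows the "DC not yet rebooted" symptom:

```powershell
# Added example (not from the original post): build the DC group, the gMSA, and verify.
# $groupName and $gmsaName are assumed names; run this on a DC in the gMSA's domain.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$groupName = 'gMSA-DC-Hosts'
$gmsaName  = 'mdiSvc'

# A domain local or universal group is needed when hosts come from several domains
# (a global group cannot contain members from other domains in the forest).
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security `
        -Path "CN=Users,$($domain.DistinguishedName)"
}

# Add every Domain Controller in every domain of the forest to the group.
$forestDcs = (Get-ADForest).Domains | ForEach-Object {
    Get-ADDomainController -Filter * -Server $_
}
Add-ADGroupMember -Identity $groupName `
    -Members ($forestDcs | ForEach-Object { $_.ComputerObjectDN })

# A KDS root key must exist (and have replicated) before any gMSA can be created.
if (-not (Get-KdsRootKey)) {
    throw "No KDS root key found. Run Add-KdsRootKey and wait for replication first."
}

# Create the gMSA; only members of the group may retrieve its managed password.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName -DNSHostName "$gmsaName.$($domain.DNSRoot)" `
        -PrincipalsAllowedToRetrieveManagedPassword $groupName
}

# Verification: who may retrieve the password, and can this DC actually use it?
Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword

Install-ADServiceAccount -Identity $gmsaName
# Returns $false on a DC that has not been restarted since it was added to the group,
# because its token does not yet contain the group: the symptom from the MDI post above.
Test-ADServiceAccount -Identity $gmsaName
```

Run the last two commands on each DC after it has been restarted; a $true result means the Sensor service can start with the gMSA.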

Removing Extended Rights delegation on AdminSDHolder

Description:

You have Active Directory and Exchange servers running in your environment. One day, the Security team tells you that they found an account with excessive access on the AdminSDHolder container. The account is "DomainName\Exchange Servers" and it holds the "Replication Synchronization" extended right. You want to remove this excessive access.

First, you try to remove it through the GUI. Open the Active Directory Users and Computers console, go to System, then to the AdminSDHolder container. Right click, open Properties, open Security, and click Advanced. You search for "DomainName\Exchange Servers" with the Replication Synchronization permission, but cannot find it.

Second, you try to confirm the existence of the extended rights by running the following command:

DSACLS "CN=AdminSDHolder, CN=System, DC=DomainName, DC=Local"

The output confirms the existence of the permission, as shown in the picture below:


Third, you try to remove it using the Exchange Management Shell by running the following PowerShell command:

Remove-ADPermission -Identity "CN=AdminSDHolder, CN=System, DC=DomainName, DC=Local" -User "DomainName\Exchange Servers" -ExtendedRights "Replication Synchronization"

However, it fails with an access denied error.

Resolution:

The extended right can be removed from the AdminSDHolder container with the help of LDP.exe:

  1. Open LDP.exe
  2. Go to Connection > Click Connect > Click OK
  3. Go to Connection again > Click Bind > Click OK
  4. Click View > Click Tree
  5. Enter the Base DN "DC=DomainName ,DC=Local". Click OK
  6. On the left, double click the domain, double click "CN=System, DC=DomainName, DC=Local", then right click the AdminSDHolder container.
  7. Click Advanced > Click Security Descriptor

  8. Check the SACL box > Click OK
  9. Scroll down until you find the right that you want to remove
  10. Click Delete ACE > Select Yes
  11. Click Update to commit the changes
  12. Close LDP.exe

Note:
Be careful when removing these rights, as it may affect your Exchange Servers' behavior. Prior testing is required.
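Before deleting anything in LDP, it helps to have a readable list of every extended right granted on AdminSDHolder, since the GUI search above did not show the entry and DSACLS prints raw GUIDs for some rights. The following audit script is an added example, not from the original post; it reads the container's DACL through the ActiveDirectory module's AD: drive and resolves each extended-right GUID to its display name from the configuration partition, so an entry such as "Replication Synchronization" for "DomainName\Exchange Servers" appears by name:

```powershell
# Added example (not from the original post): list every ACE on AdminSDHolder that grants
# an extended right, with the right's GUID resolved to its display name.
Import-Module ActiveDirectory

$rootDse        = Get-ADRootDSE
$adminSdHolder  = "CN=AdminSDHolder,CN=System,$($rootDse.defaultNamingContext)"
$acl            = Get-Acl -Path "AD:\$adminSdHolder"

# Map rightsGuid -> displayName from CN=Extended-Rights in the configuration partition.
$rightsByGuid = @{}
Get-ADObject -SearchBase $rootDse.configurationNamingContext `
    -LDAPFilter '(&(objectClass=controlAccessRight)(rightsGuid=*))' `
    -Properties rightsGuid, displayName |
    ForEach-Object { $rightsByGuid[[guid]$_.rightsGuid] = $_.displayName }

$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$acl.Access |
    Where-Object { $_.ActiveDirectoryRights.HasFlag($extendedRight) } |
    ForEach-Object {
        # An empty ObjectType means the ACE grants *all* extended rights, not one of them.
        $name = if ($_.ObjectType -eq [guid]::Empty) { 'All extended rights' }
                elseif ($rightsByGuid.ContainsKey($_.ObjectType)) { $rightsByGuid[$_.ObjectType] }
                else { $_.ObjectType.ToString() }   # unknown GUID: show it raw
        [pscustomobject]@{
            Identity      = $_.IdentityReference
            AccessType    = $_.AccessControlType
            ExtendedRight = $name
            Inherited     = $_.IsInherited
        }
    } |
    Sort-Object Identity, ExtendedRight |
    Format-Table -AutoSize
```

Run it again after the LDP change to confirm the entry is gone; because AdminSDHolder's ACL is copied to protected accounts by the SDProp process, the removal also propagates to those accounts on the next run.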

Sunday, March 21, 2021

Prerequisites and Best Practices for Changing ADFS Account

Description:

You have an ADFS farm and you want to change the existing ADFS service account. You already have the step-by-step procedure and the PowerShell module for changing the service account, as written in another article on this blog. However, you want to know whether there are any prerequisites or problems you might encounter during the process.

Resolution:

The prerequisites for changing the ADFS service account are:

  1. On each machine of the ADFS farm, install the following:
    • Visual C++ Redistributable for Visual Studio 2017
    • ODBC Driver 17 for SQL Server
    • SQLCMD.exe from the Microsoft command line utilities for Microsoft SQL Server 2019
  2. Enable the AD DS and AD LDS PowerShell tools from Server Manager on all ADFS servers
  3. A Domain Admin account

Best practices:
  1. Run the command to change the service account using a Domain Admin account. Log on interactively on the ADFS server as the Domain Admin; avoid using "Run As".
  2. The ADFS services will be restarted during the process. Plan the maintenance window carefully.

Sunday, March 14, 2021

Recover Active Directory after Ransomware Attack if you only have VM Snapshot

Description:

You have a security incident in Active Directory where a ransomware attack encrypted your vCenter infrastructure. All you have left is a backup from a month before the attack.

Resolution:

Although it is not recommended to use VM snapshots as your Active Directory backup method, in this situation you can use what you have at the moment.

You can follow this high-level guidance:

1. Choose a snapshot from a time before the malware or malicious file entered your production environment.

2. Recover only a single Domain Controller from the snapshot, preferably one that does not hold the Flexible Single Master Operation (FSMO) roles. The rest of the DCs will be built fresh and populated through AD replication.

3. Perform the recovery on an isolated network.

4. Make sure Active Directory recovered successfully, and that SYSVOL and NETLOGON are shared properly.

5. Seize the FSMO roles to the recovered Domain Controller. Perform metadata cleanup for the rest of the DCs.

6. Increase the RID pool.

7. Reset all high-privilege account passwords twice.

8. Apply security patches and update antivirus.

9. Connect the new Domain Controller to the production network.

10. Re-create users or re-join computers as needed.

11. Continue building new Domain Controllers from clean machines as needed.

Note*:

This guidance assumes you can get a snapshot from before the attack occurred. Sometimes the attack starts many months in advance, which makes recovering from a snapshot less beneficial.


 

Sunday, March 7, 2021

Point Client Machine or Member Server to a Specific Domain Controller

There may be times when you want to restrict client machine or member server authentication to a specific Domain Controller only. One possible reason is that you are hardening the Domain Controllers or Active Directory and want to test the impact on a limited set of production systems before going company-wide.

To restrict the client or member server authentication to specific DC only, please do the following:

1. Open Active Directory Sites and Services Console.

  • Create a new Site.
  • Assign a proper subnet to that site.
  • Move the Specific Domain Controller to that site.

2. Open Registry Editor on the client or member server.

  • In Registry Editor, navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  • Add a multi-string value (REG_MULTI_SZ) with Value Name: SiteName
  • For Value Data, enter the name of the new site (for example TheNewSitename)

3. Restart the client or member server to apply the new setting. If you cannot restart the machine, run the following command to force DC rediscovery:

nltest /dsgetdc:domainname /force
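The three steps above, scripted, as an added example that is not part of the original post. Site name, subnet, DC name and domain are assumptions; the first function runs on a DC or admin workstation with the ActiveDirectory module, the second on the client being pinned, and the final nltest calls show which site and DC the client now resolves to:

```powershell
# Added example (not from the original post): create a dedicated site for one DC and pin
# a client to it via the Netlogon SiteName value. All names below are assumptions.
Import-Module ActiveDirectory

function New-PinnedDcSite {
    param(
        [string]$SiteName = 'Hardening-Test',
        [string]$Subnet   = '10.10.50.0/24',   # subnet of the test clients
        [string]$DcName   = 'DC02'             # the DC being hardened
    )
    # Step 1: site, subnet and DC move (Active Directory Sites and Services).
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
        New-ADReplicationSite -Name $SiteName
    }
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$Subnet'")) {
        New-ADReplicationSubnet -Name $Subnet -Site $SiteName
    }
    Move-ADDirectoryServer -Identity $DcName -Site $SiteName
    Get-ADDomainController -Identity $DcName | Select-Object Name, Site
}

function Set-ClientSiteName {
    param([string]$SiteName = 'Hardening-Test')
    # Step 2: the REG_MULTI_SZ SiteName value from the post (requires elevation).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    New-ItemProperty -Path $key -Name 'SiteName' -PropertyType MultiString `
        -Value $SiteName -Force | Out-Null
    Get-ItemProperty -Path $key -Name 'SiteName'
}

# Run on a DC / admin workstation:
New-PinnedDcSite

# Run on the client or member server, then force rediscovery instead of a reboot (step 3):
Set-ClientSiteName
nltest /dsgetdc:contoso.com /force   # contoso.com is a placeholder domain
nltest /dsgetsite                    # should print the new site name
```

The /dsgetdc output should now name the DC you moved into the site; if it still shows another DC, check that the client's address falls inside the subnet you assigned.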


Saturday, March 6, 2021

Integrating Dahua CCTV with Hikvision NVR

Description:

You have a Hikvision IP PoE NVR up and running. You want to add a Dahua CCTV camera to the Hikvision NVR.

Resolution:

1. Change the Dahua camera's IP address to one within the Hikvision NVR's existing IP scope. Make sure there is no IP conflict.

2. Enable ONVIF at Hikvision NVR. 

Go to Maintenance > ONVIF > Enable ONVIF


3. Add the Dahua camera to the Hikvision NVR

Go to Camera > Click the camera channel that the Dahua camera is connected to > Click Edit

Choose Manual, enter the correct IP address, select ONVIF as the protocol, select 80 as the management port, enter the Dahua camera's username and password, and click OK.



Tuesday, March 2, 2021

Azure Messaging Services Comparison

| Service     | Purpose                         | Type                          | When to use                                 |
|-------------|---------------------------------|-------------------------------|---------------------------------------------|
| Event Grid  | Reactive programming            | Event distribution (discrete) | React to status changes                     |
| Event Hubs  | Big data pipeline               | Event streaming (series)      | Telemetry and distributed data streaming    |
| Service Bus | High-value enterprise messaging | Message                       | Order processing and financial transactions |


Azure Monitor vs Azure Log Analytics

Azure Monitor delivers a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments.
At the center of the Azure Monitor overview diagram are the data stores for metrics and logs, which are the two fundamental types of data used by Azure Monitor. On the left are the sources of monitoring data that populate these data stores. On the right are the different functions that Azure Monitor performs with this collected data, including analysis, alerting, and streaming to external systems.

Log Analytics is the function of Azure Monitor used to query, consolidate, and analyze the collected data.

Azure Storage Type Differences

The Azure Storage platform includes the following data services:

  • Azure Blobs:
A massively scalable object store for text and binary data. Also includes support for big data analytics through Data Lake Storage Gen2.

 Blob storage is designed for:

    • Serving images or documents directly to a browser.
    • Storing files for distributed access.
    • Streaming video and audio.
    • Writing to log files.
    • Storing data for backup and restore, disaster recovery, and archiving.
    • Storing data for analysis by an on-premises or Azure-hosted service.
  • Azure Files:
Managed file shares for cloud or on-premises deployments.
Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard SMB or NFS protocol. Azure file shares can be mounted concurrently by cloud or on-premises deployments.
Azure Files SMB file shares are accessible from Windows, Linux, and macOS clients. Azure Files NFS file shares are accessible from Linux or macOS clients. Additionally, Azure Files SMB file shares can be cached on Windows Servers with Azure File Sync for fast access near where the data is being used.
 
  • Azure Queues:
A messaging store for reliable messaging between application components.
Azure Queue Storage is a service for storing large numbers of messages. You access messages from anywhere in the world via authenticated calls using HTTP or HTTPS. A queue message can be up to 64 KB in size. A queue may contain millions of messages, up to the total capacity limit of a storage account. Queues are commonly used to create a backlog of work to process asynchronously.
  • Azure Tables:
A NoSQL store for schemaless storage of structured data.
Azure Table storage is a service that stores non-relational structured data (also known as structured NoSQL data) in the cloud, providing a key/attribute store with a schemaless design. 
You can use Table storage to store flexible datasets like user data for web applications, address books, device information, or other types of metadata your service requires.
  • Azure Disks:
Block-level storage volumes for Azure VMs.
Azure managed disks are block-level storage volumes that are managed by Azure and used with Azure Virtual Machines. Managed disks are like a physical disk in an on-premises server, but virtualized.
