Monday, September 25, 2023

Cannot Install PowerShell Module - Unable to find module repositories

Description:

You try to install a new PowerShell module but get an error saying "No match was found for the specified search criteria and module name ' '. Try Get-PSRepository to see all available registered module repositories". However, when you run Get-PSRepository you get "Unable to find module repositories".

You have tried the following, but still have the problem:

  • Make sure to Run as Administrator
  • Make sure to use TLS 1.2:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

  • Unregister and re-register the repository:
    • Unregister-PSRepository -Name PSGallery
    • Register-PSRepository -Default

Resolution:
Make sure nothing on the Internet path (such as a proxy) is blocking the connection. Switch to a different Internet connection and try the install again.
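The following diagnostic is an added example, not part of the original post. It collects the facts that separate a broken repository registration from a blocked network path: the TLS versions the session negotiates, the proxy the system resolves for the Gallery URL, raw TCP reachability, the registered repositories, and one real HTTPS request to the Gallery feed. The host name and feed URL are the public PowerShell Gallery endpoints.

```powershell
# Added diagnostic, not from the original post. Run in the same elevated
# PowerShell session in which Install-Module fails.
$galleryHost = 'www.powershellgallery.com'
$galleryUri  = [uri]"https://$galleryHost/api/v2"

# 1. TLS versions this session will offer; TLS 1.2 must be in the list.
"SecurityProtocol : $([Net.ServicePointManager]::SecurityProtocol)"

# 2. Proxy the system resolves for the Gallery URL (same address = direct).
$proxyUri = [System.Net.WebRequest]::GetSystemWebProxy().GetProxy($galleryUri)
if ($proxyUri -eq $galleryUri) { "Proxy            : none (direct)" }
else                           { "Proxy            : $proxyUri" }

# 3. Raw TCP reachability on 443, independent of PowerShellGet.
$tcp = Test-NetConnection -ComputerName $galleryHost -Port 443 -WarningAction SilentlyContinue
"TCP 443          : $($tcp.TcpTestSucceeded)"

# 4. Repositories as PowerShellGet currently sees them.
$repos = Get-PSRepository -ErrorAction SilentlyContinue
if (-not $repos) { "Repositories     : none registered" }
else { $repos | Format-Table Name, SourceLocation, InstallationPolicy -AutoSize }

# 5. A real request to the feed. A proxy that answers with an HTML block
#    page, or resets the TLS handshake, shows up here as the exception text.
try {
    $null = Invoke-WebRequest -Uri $galleryUri -UseBasicParsing -TimeoutSec 15
    "Gallery HTTPS    : OK"
} catch {
    "Gallery HTTPS    : FAILED - $($_.Exception.Message)"
}
```

If step 3 succeeds but step 5 fails, the connection is being intercepted above TCP (typically a proxy or TLS-inspecting firewall); if step 4 shows no repositories while step 5 succeeds, the registration itself is the problem and Register-PSRepository -Default should now work.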

Modifying AdminSDHolder Permission Delegation

Description:

You want to delegate permission to write a certain user attribute on members of protected groups in Active Directory to a "normal" user. You have added the permission on the AdminSDHolder container through the GUI for that user. However, during testing you find that the "normal" user is still unable to modify the attribute on protected users.

Resolution:

You need to use the command line instead of the GUI.
To grant write access to a specific user object attribute, for example department, use dsacls:
dsacls "CN=AdminSDHolder,CN=System,DC=example,DC=com" /G Allow-User-Management:WP;department;
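The same delegation done from PowerShell, as an added example that is not part of the original post. It resolves the attribute's schemaIDGUID (the ObjectType the ACE must carry), adds an Allow WriteProperty ACE for the principal, and then lists every explicit ACE on AdminSDHolder so the delegation can be reviewed. The principal name Allow-User-Management is taken from the dsacls line above and is assumed to be a group; everything else comes from the domain the script runs in.

```powershell
# Added example, not from the original post.
# ASSUMPTION: 'Allow-User-Management' is a placeholder group in your domain.
Import-Module ActiveDirectory

$principalName = 'Allow-User-Management'
$attributeName = 'department'

$rootDse         = Get-ADRootDSE
$adminSdHolderDn = "CN=AdminSDHolder,CN=System,$($rootDse.defaultNamingContext)"
$adPath          = "AD:\$adminSdHolderDn"

# Resolve the attribute's schemaIDGUID; an attribute-scoped ACE is keyed on it.
$schemaAttr = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attributeName))" `
    -Properties schemaIDGUID
if (-not $schemaAttr) { throw "Attribute '$attributeName' not found in the schema" }
$attributeGuid = [guid]::new([byte[]]$schemaAttr.schemaIDGUID)

# Resolve the principal to a SID (assumed to be a group; use Get-ADUser for a user).
$principalSid = (Get-ADGroup -Identity $principalName).SID

# ACE: Allow WriteProperty, limited to this one attribute, no inheritance.
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $principalSid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attributeGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$acl = Get-Acl -Path $adPath
$acl.AddAccessRule($ace)
Set-Acl -Path $adPath -AclObject $acl

# Review: every explicit (non-inherited) ACE on AdminSDHolder. SDProp copies
# this descriptor onto every protected account, so each entry should be one
# you can account for.
(Get-Acl -Path $adPath).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
        @{ Name = 'ObjectType'; Expression = {
            if ($_.ObjectType -eq $attributeGuid) { $attributeName } else { $_.ObjectType } } } |
    Format-Table -AutoSize
```

The delegate gains the right only after SDProp next stamps the protected accounts (every 60 minutes by default), so a test immediately after the change can still fail. Because any ACE on AdminSDHolder propagates to every protected account, the review listing at the end is worth re-running periodically: an unexpected entry there is a change that deserves investigation.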

Friday, August 25, 2023

Using Microsoft Graph to Find Inactive Guest Users in Azure Active Directory

Description:

You have been using Azure Active Directory for a while. Now you notice several "external - guest" users listed among your Azure AD users. You need to gather the list of inactive guest user accounts.

Resolution:

You can get the list of inactive guest users with Microsoft Graph PowerShell:

# Sign in with a Global Admin
Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All"

# -All follows paging; without it only the first page of users is returned
$guestUsers = Get-MgUser -All -Filter "userType eq 'Guest' and accountEnabled eq true" -Property DisplayName, UserPrincipalName, SignInActivity, CreatedDateTime

# Inactive = never signed in, or no sign-in in the last 90 days
$inactiveGuestUsers = $guestUsers | Where-Object { ($null -eq $_.SignInActivity.LastSignInDateTime) -or ($_.SignInActivity.LastSignInDateTime -lt (Get-Date).AddDays(-90)) }

# Display the list of inactive guest users
$inactiveGuestUsers | Select-Object DisplayName, UserPrincipalName, @{Name="LastSignInDateTime"; Expression={$_.SignInActivity.LastSignInDateTime}}, CreatedDateTime
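A fuller version of the same report, as an added example that is not part of the original post. It handles two cases the plain filter above does not: a guest invited yesterday has no sign-in yet but is not stale, and a guest that only uses non-interactive sign-ins (a mobile app token refresh, for instance) is still active. It assumes the Microsoft.Graph module and an existing Connect-MgGraph session with the two scopes above; the function name and the optional CSV path are my own.

```powershell
# Added example, not from the original post.
function Get-InactiveGuestReport {
    param(
        [int]$InactiveDays = 90,
        [string]$CsvPath             # optional export path (assumed parameter)
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    # -All follows paging; without it only the first page of users is returned.
    $guests = Get-MgUser -All `
        -Filter "userType eq 'Guest' and accountEnabled eq true" `
        -Property Id, DisplayName, UserPrincipalName, CreatedDateTime, SignInActivity

    $report = foreach ($g in $guests) {
        $interactive    = $g.SignInActivity.LastSignInDateTime
        $nonInteractive = $g.SignInActivity.LastNonInteractiveSignInDateTime
        # Most recent of the two; $null when the guest has never signed in at all.
        $lastSeen = @($interactive, $nonInteractive) | Where-Object { $_ } |
                    Sort-Object -Descending | Select-Object -First 1

        if ($null -eq $lastSeen) {
            # Invited but never used: stale only if the invitation itself is old.
            $inactive = $g.CreatedDateTime -lt $cutoff
            $reason   = if ($inactive) { 'never signed in' } else { 'recently invited' }
        } else {
            $inactive = $lastSeen -lt $cutoff
            $reason   = if ($inactive) { 'no sign-in since cutoff' } else { 'active' }
        }

        [pscustomobject]@{
            DisplayName       = $g.DisplayName
            UserPrincipalName = $g.UserPrincipalName
            CreatedDateTime   = $g.CreatedDateTime
            LastSeen          = $lastSeen
            Inactive          = $inactive
            Reason            = $reason
        }
    }

    if ($CsvPath) { $report | Export-Csv -Path $CsvPath -NoTypeInformation }
    return $report
}

# Usage: show only the stale guests; review the list before disabling anything.
Get-InactiveGuestReport -InactiveDays 90 | Where-Object Inactive | Format-Table -AutoSize
```

Reading SignInActivity requires an Azure AD Premium P1 (or higher) license on the tenant; without it the property is empty and every guest looks as if it has never signed in.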

Windows 2019 NPS Server Firewall Exclusion

Description:

You have completed the NPS configuration on Windows Server 2019. You have put the correct shared secrets on the VPN servers. You have also made sure there is no network firewall between the VPN server and the NPS server.

However, client machines cannot connect to the VPN, and you cannot see the traffic reaching the NPS server. There is nothing in the NPS server's event viewer.

Resolution:

At the NPS server, open command prompt with elevated permission and type:

sc sidtype IAS unrestricted

Restart the server after that.

Windows Defender Firewall on the NPS server should be configured automatically with exceptions, during the installation of NPS, that allow this RADIUS traffic to be sent and received.

With Server 2019 this firewall exception requires a change to the service account's security identifier before it can match and allow RADIUS traffic. If that change is not made, the firewall drops the RADIUS traffic. The command above makes the IAS (RADIUS) service use its own unique SID instead of sharing one with the other NETWORK SERVICE services.
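An added verification script, not part of the original post, to run in an elevated PowerShell on the NPS server after the sidtype change and the reboot. It shows the three facts that explain the "nothing reaches NPS" symptom: the service SID type, the RADIUS firewall rules and which service each one is scoped to, and whether the NPS service actually has the RADIUS UDP ports open. The port numbers are the standard RADIUS ports (1812/1813 for authentication and accounting, 1645/1646 legacy).

```powershell
# Added verification script, not from the original post.
# Note: inside PowerShell use sc.exe; bare 'sc' is an alias for Set-Content.

# 1. Service SID type: must report UNRESTRICTED for the service-scoped rules to match.
"--- Service SID type (IAS) ---"
sc.exe qsidtype IAS

# 2. Inbound RADIUS firewall rules, their state, and the service they are bound to.
"--- RADIUS firewall rules ---"
Get-NetFirewallRule -Direction Inbound | Where-Object { $_.DisplayName -like '*RADIUS*' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Enabled = $_.Enabled
            Profile = $_.Profile
            Service = ($_ | Get-NetFirewallServiceFilter).Service
            Port    = ($_ | Get-NetFirewallPortFilter).LocalPort
        }
    } | Format-Table -AutoSize

# 3. Which process owns the RADIUS UDP ports (expected: the svchost hosting IAS).
"--- UDP listeners on RADIUS ports ---"
$radiusPorts = 1812, 1813, 1645, 1646
Get-NetUDPEndpoint | Where-Object { $radiusPorts -contains $_.LocalPort } |
    ForEach-Object {
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            ProcessId    = $_.OwningProcess
            Process      = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        }
    } | Format-Table -AutoSize
```

If the rules are enabled and bound to the IAS service but the SID type is still SHARED, the firewall cannot attribute the UDP traffic to that service and drops it, which matches the empty event log. A packet capture on the NPS server would then show the RADIUS requests arriving and nothing answering.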

Monday, July 24, 2023

Failed F5 Big-IQ connection to Azure MFA

Description

You have set up Azure MFA with the NPS Extension in your organization. You have made sure the firewall rules to and from your NPS server are configured properly, and that the Internet connection from the NPS server to Azure MFA works.
Now you want to test the connection from your F5 Big-IQ to the NPS server. However, you get an error saying "Failed while connecting to radius server, server responded with: Access-Challenge".
You also notice that there is no authentication challenge or prompt in the Microsoft Authenticator app.
In the event viewer you see the following: "NPS Extension for Azure MFA: CID xxxxx : Challenge requested in Authentication Ext for user Domain\UserName with state xxxxx".

Resolution

With NPS extension version 1.2.2216.1 or later, users are prompted to sign in with a TOTP method instead of Approve/Deny. If the client doesn't support that, take the following steps to return to the Approve/Deny behavior.
On the NPS server, open the Registry Editor.

  1. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa.
  2. Create the following String value:
    1. Name: OVERRIDE_NUMBER_MATCHING_WITH_OTP
    2. Value: FALSE

Restart the NPS service.
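The same change scripted, as an added example that is not part of the original post. It reads the value before and after, writes it as a REG_SZ, and restarts the NPS service (service name IAS). The key and value name are the ones from the steps above.

```powershell
# Added example, not from the original post. Run elevated on the NPS server.
$key  = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
$name = 'OVERRIDE_NUMBER_MATCHING_WITH_OTP'

$before = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
"Before: $(if ($null -eq $before) { '<not set>' } else { $before })"

# String (REG_SZ) value 'FALSE'; -Force creates or overwrites it.
New-ItemProperty -Path $key -Name $name -Value 'FALSE' -PropertyType String -Force | Out-Null

"After : $((Get-ItemProperty -Path $key -Name $name).$name)"

# The NPS service is named IAS; restart it so the extension re-reads the setting.
Restart-Service -Name IAS
Get-Service -Name IAS | Select-Object Name, Status
```

The TOTP/number-matching prompt is what stops a push notification from being approved without looking at it, so this override trades some of that protection for compatibility; keep it limited to the NPS servers that serve clients which cannot handle the challenge, and revisit it when the client is upgraded.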

Saturday, March 11, 2023

Cannot Delete DNS Zone - Access was Denied

Description:

You have several DNS zones listed in your Active Directory Integrated DNS server.
One day you want to remove one of those DNS zones. However, you get an error message saying Access was Denied.
You are already using a Domain Admins account.

Resolution:

You or another admin probably enabled protection from accidental deletion on those DNS zones.
In the DNS Manager console, go to the DNS zone that you want to delete. Open its properties and go to the Security tab. Click Advanced and edit the Everyone (Deny) entry. Clear the check marks on the Delete and Delete All Child Objects permissions. Click Apply, then OK.
You should now be able to delete the DNS zone.
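The Everyone / Deny Delete entry the GUI shows is what the ProtectedFromAccidentalDeletion flag sets, so the same change can be made and verified with the AD cmdlets. This is an added example, not part of the original post; the zone name is a placeholder, and the three search bases are the partitions where an AD-integrated zone can live depending on its replication scope.

```powershell
# Added example, not from the original post.
# ASSUMPTION: 'oldzone.example.com' is a placeholder for the zone you want to remove.
Import-Module ActiveDirectory

$zoneName = 'oldzone.example.com'
$rootDse  = Get-ADRootDSE

# Replication scope decides the partition: domain-wide, forest-wide, or the
# legacy "all DCs in this domain" location under CN=System.
$searchBases = @(
    "DC=DomainDnsZones,$($rootDse.defaultNamingContext)",
    "DC=ForestDnsZones,$($rootDse.rootDomainNamingContext)",
    "CN=System,$($rootDse.defaultNamingContext)"
)

$zones = foreach ($base in $searchBases) {
    Get-ADObject -SearchBase $base -LDAPFilter "(&(objectClass=dnsZone)(name=$zoneName))" `
        -Properties ProtectedFromAccidentalDeletion -ErrorAction SilentlyContinue
}
if (-not $zones) { throw "Zone '$zoneName' not found in any DNS partition" }

"Current state:"
$zones | Select-Object Name, DistinguishedName, ProtectedFromAccidentalDeletion | Format-List

# Clear the protection; this removes the Everyone:Deny Delete / Delete Subtree ACEs.
$zones | Set-ADObject -ProtectedFromAccidentalDeletion $false

"After:"
$zones | ForEach-Object {
    Get-ADObject -Identity $_.DistinguishedName -Properties ProtectedFromAccidentalDeletion
} | Select-Object Name, ProtectedFromAccidentalDeletion | Format-List

# The zone can now be deleted from DNS Manager or with:
#   Remove-DnsServerZone -Name $zoneName
```

Because this flag is the only thing standing between a mis-click and the loss of a zone, it is worth setting it back to $true on the zones you keep (Set-ADObject -ProtectedFromAccidentalDeletion $true) rather than leaving protection off after the cleanup.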

How to Fix "Trust Relationship Failed" error without Rejoin Domain

Description:

One of your users suddenly sees the error message "Trust Relationship Between This Workstation And The Primary Domain Failed" when trying to log on to their machine.
You have verified that the computer account exists in Active Directory, the DNS settings are correct, and there is no problem with ports or networking.
You wish to remediate the issue without having to disjoin and rejoin the computer to the domain.

Resolution:

On the problematic machine, log on with a local admin credential. Open PowerShell as Administrator.
Type the following:
Reset-ComputerMachinePassword -Server DomainController -Credential DomainAdmin

If the command completed successfully, logoff and try to logon again.
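A scripted version of this fix, as an added example that is not part of the original post. It confirms the secure channel is actually broken before touching the machine account password, resets it, and re-tests so the log-off step only happens once the channel is known to be healthy. The domain controller name is a placeholder and the credential is prompted for rather than embedded.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on
# the affected workstation while logged on as a local administrator.
# ASSUMPTION: 'DC01.example.com' is a placeholder for one of your domain controllers.
$dc   = 'DC01.example.com'
$cred = Get-Credential -Message 'Domain account allowed to reset this computer account password'

# Confirm the channel is broken before changing anything.
if (Test-ComputerSecureChannel -Server $dc) {
    'Secure channel is healthy; the trust error has another cause.'
    return
}

# Reset the machine account password on both the workstation and the DC.
Reset-ComputerMachinePassword -Server $dc -Credential $cred

# Re-test; a healthy channel is the condition for logging off and back on.
if (Test-ComputerSecureChannel -Server $dc) {
    'Secure channel restored; log off and sign in with a domain account.'
} else {
    'Secure channel still broken; check DNS, time skew, and whether the computer account is disabled.'
}
```

Test-ComputerSecureChannel -Repair -Credential $cred does the same repair in one step and is a reasonable alternative when Reset-ComputerMachinePassword is not available on the client.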

Sunday, March 5, 2023

Migrate from Windows Hello to Windows Hello For Business (WHFB)

Description:

You have deployed Windows Hello in the past to several machines in the organization. Recently you received direction from management to deploy Windows Hello for Business (WHFB) across the organization.
You have enabled Hybrid Cloud Kerberos trust and configured the required group policy. However, on the test machine there is no WHFB provisioning prompt. You have tried restarting and made sure the WHFB group policy applies correctly.

Resolution:

Since you previously deployed Windows Hello, you need to make sure the "old" policy is disabled.
Go to "Computer Configuration\Administrative Templates\System\Logon\Turn on convenience PIN sign-in" and make sure it is set to Disabled.
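An added check, not part of the original post, that reads the effective values on the test machine rather than waiting for another provisioning attempt. The registry locations are the ones these policies write to (AllowDomainPINLogon for "Turn on convenience PIN sign-in"; Enabled and UseCloudTrustForOnPremAuth under PassportForWork for WHFB and cloud Kerberos trust); confirm against gpresult if your environment uses a different delivery mechanism. The dsregcmd fields are read from its standard status output.

```powershell
# Added check, not from the original post. Run on the test machine after gpupdate.
$conveniencePin = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
    -Name AllowDomainPINLogon -ErrorAction SilentlyContinue
$whfb = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' `
    -ErrorAction SilentlyContinue

[pscustomobject]@{
    ConveniencePinAllowed = $conveniencePin.AllowDomainPINLogon   # want 0 (Disabled) or absent
    WhfbEnabled           = $whfb.Enabled                         # want 1
    CloudKerberosTrust    = $whfb.UseCloudTrustForOnPremAuth      # want 1 for Hybrid cloud Kerberos trust
} | Format-List

# Device state: hybrid WHFB needs both joins; NgcSet shows whether a key was provisioned.
dsregcmd /status | Select-String 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt', 'NgcSet'
```

A value of 1 for ConveniencePinAllowed with WhfbEnabled also 1 is exactly the conflicting state described above: the convenience PIN policy still wins and the WHFB provisioning prompt never appears.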

Multiple Prompt when creating Azure AD Kerberos Server object

Description:

You want to deploy Windows Hello for Business with the Hybrid Cloud Kerberos trust type in your environment.
You have met all the required prerequisites. However, when trying to create the Azure AD Kerberos Server object with the PowerShell commands below, you encounter multiple prompts asking for Azure AD credentials.

# Specify the on-premises Active Directory domain. A new Azure AD
# Kerberos Server object will be created in this Active Directory domain.
$domain = $env:USERDNSDOMAIN
# Enter an Azure Active Directory global administrator username and password.
$cloudCred = Get-Credential -Message 'An Active Directory user who is a member of the Global Administrators group for Azure AD.'
# Enter a domain administrator username and password.
$domainCred = Get-Credential -Message 'An Active Directory user who is a member of the Domain Admins group.'
# Create the new Azure AD Kerberos Server object in Active Directory
# and then publish it to Azure Active Directory.
Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

Resolution:

Make sure the Azure AD Global Administrator account you use during configuration is not targeted by any Azure AD Conditional Access policy. You may also need to close the previous PowerShell session and try again.