
Monday, September 25, 2023

Modifying AdminSDHolder Permission Delegation

Description:

You want to delegate permission to write certain user attributes for members of protected groups in Active Directory to "normal" users. You have added the permission on the AdminSDHolder container through the GUI for those "normal" users. However, during testing, you find that the "normal" users are still unable to modify the attributes of users in the protected groups.

Resolution:

You need to use the command line instead of the GUI.
To grant access to a specific user object attribute, for example department, use dsacls:
dsacls "CN=AdminSDHolder,CN=System,DC=example,DC=com" /G Allow-User-Management:WP;department;

Saturday, March 11, 2023

Cannot Delete DNS Zone - Access was Denied

Description:

You have several DNS zones listed in your Active Directory-integrated DNS server.
One day, you want to remove one of the DNS zones. However, you get an error message saying Access was Denied.
You are already using a Domain Admins account.

Resolution:

You or another admin probably already set protection from accidental deletion on those DNS zones.
In the DNS Manager console, go to the DNS zone that you want to delete. Open its properties and go to the Security tab. Open Advanced and edit the Everyone (Deny) permission. Remove the check mark on the Delete Objects and Delete All Child Objects permissions. Click Apply, then click OK.
You should now be able to delete the DNS zone.

How to Fix "Trust Relationship Failed" error without Rejoin Domain

Description:


One of your users suddenly sees the error message "Trust Relationship Between This Workstation And The Primary Domain Failed" when trying to log on to their machine.
You have verified that the computer account exists in Active Directory. DNS settings are properly set and there's no problem with ports or networking.
You wish to remediate the issue without having to disjoin and rejoin the computer to the domain.

Resolution:

On the problematic machine, log on using a local admin credential. Open PowerShell and run it as Administrator.
Type the following:
Reset-ComputerMachinePassword -Server DomainController -Credential DomainAdmin

If the command completes successfully, log off and try to log on again.

Thursday, October 20, 2022

PowerShell Command to Identify Local Admin Account

Description:

You have several local accounts on your computer. One day, you need to find out which one is the real local Admin account.

Resolution:

You can run the following PowerShell command on the local computer:

Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount = TRUE and SID like 'S-1-5-%-500'"

Friday, June 3, 2022

Error while creating Windows 2016 Cluster at "Find a suitable Domain Controller"

Description:

You want to create a Windows 2016 cluster in a Windows 2012 R2 domain. You run the wizard, but encounter an error and the cluster cannot be created.

During investigation, you see several error messages such as:
"Check whether the computer object "clustername" for node "hostnameFQDN" exists in the domain. More data is available".

In Event Viewer (after enabling the debug log) you can see:
"Failed to find suitable DC. Error 234"
"Searching for object "clustername" on first choice DC failed. Error 234"
"Couldn't resolve RPC binding to cluster, Status = 1753"

You then run the Cluster Validation wizard, but everything seems to pass. You have validated that the required AD permissions for the user account creating the cluster are already met. You have also verified that the Group Policy setting for "Deny Access to this computer from the Network" is correct. You have checked the network port requirements and verified that all the necessary ports are open.

Resolution:

First, verify the DNS records in your DNS server, especially the records for all of your Domain Controllers. Make sure the zones required by Active Directory have the correct NS records, CNAME records, A records, and SRV records. Remove the stale records for old or unknown broken Domain Controllers.

Second, check the application partitions (DomainDnsZones and ForestDnsZones) in your Active Directory. Use ADSIEdit to connect to the application partition and try to browse the content. If you encounter an error, you may need to delete the application partition using NTDSUtil.
You should be able to create the Windows cluster afterwards.

Thursday, February 3, 2022

DNS Event 4015 on Windows 2012 R2 Domain Controller

Description:

On a DNS server that is also a Domain Controller, you notice that Event Viewer is full of the following error.

The DNS server has encountered a critical error from the Active Directory. 
Check that the Active Directory is functioning properly. 
The extended error debug information (which may be empty) is
0000051B: AtrErr: DSID-031508EF, #1:0: 0000051B: DSID-031508EF, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor).

Resolution:

Enable AD diagnostic logging: enable the Directory Access key and set its value to 5.
Look for Event ID 1175 in Event Viewer and note the object's distinguished name. You may need to change the ownership of that AD object to SYSTEM and restart the DNS service on the domain controller.

Tuesday, January 25, 2022

Invalidate RID Pool Script

 

To invalidate the current RID pool in Active Directory

Open an elevated Windows PowerShell session, run the following commands and press ENTER:

# Bind to the current domain and read its SID
$Domain = New-Object System.DirectoryServices.DirectoryEntry
$DomainSid = $Domain.objectSid
# Bind to RootDSE and write directly, without the property cache
$RootDSE = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE")
$RootDSE.UsePropertyCache = $false
# Request invalidation of the RID pool for this domain SID
$RootDSE.Put("invalidateRidPool", $DomainSid.Value)
$RootDSE.SetInfo()

Monday, January 10, 2022

Clear Cached Kerberos Tickets

To clear the cached Kerberos tickets:

Open Command Prompt with administrative permission.

Type:

klist purge

klist purge -li 0x3e7

Tuesday, December 28, 2021

Cannot Re-Install NPCAP

Description:

You are trying to re-install NPCAP as part of a Microsoft Defender for Identity sensor deployment on a Domain Controller. However, you are stuck on an uninstall error.

You have tried removing the registry key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\NpcapInst. However, the problem still exists.

Resolution:

Search for services that may be using NPCAP, for example Wireshark or Cisco Tetration. Stop those services and try to re-install NPCAP again.

Sunday, November 14, 2021

Cannot Delete Domain Controller - Access is Denied

Description:

You are using a Domain Admins account and want to delete a "stale" Domain Controller (DC) from the Active Directory Users and Computers console. However, you get an access denied error.

Resolution:

Most probably the DC is protected against accidental deletion.

  • Go to Active Directory Sites and Services
  • Expand the Sites folder > expand the site name where the DC you want to delete is > expand the Servers folder > expand the DC you want to delete
  • Right click on NTDS Settings
  • Click on the Object tab
  • Uncheck the “Protect object from accidental deletion” checkbox.
  • Click OK.

Now you should be able to delete the Domain Controller from Active Directory Users and Computers console.

Thursday, September 9, 2021

Error connecting to SQL Server after changing Service Account to normal domain users

Description:

As a security best practice, we should not run SQL Server services with a domain admin credential. However, after changing it to a normal domain user credential, you encounter a connection error message when trying to connect from SQL Server Management Studio.

The error may say something like "The target principal name is incorrect.  Cannot generate SSPI context."

Resolution:

We need to grant the domain user account the appropriate permission to modify the servicePrincipalName attribute in Active Directory.

  • Run Adsiedit.msc
  • In the ADSI Edit snap-in, expand Domain [YourDomainName], expand DC=RootDomainName, expand CN=Users, right-click CN=[YourAccountName], and then click Properties.
  • In the CN=AccountName Properties dialog box, click the Security tab.
  • On the Security tab, click Advanced.
  • In the Advanced Security Settings dialog box, select one (any) of the "SELF" rows
  • Click Edit to open the Permission Entry dialog box.
  • Make sure Principal is "SELF", Type is "Allow" and "Applied to" is "This Object Only". In the Properties section, select the properties below:
    • Read servicePrincipalName
    • Write servicePrincipalName
  • Click OK to apply all changes and exit the ADSI Edit snap-in
  • Restart the SQL Service(s) that use the account in question.

Wednesday, September 8, 2021

How to Rename A Domain Controller

Description:

During an Active Directory upgrade, you might need to keep the old Domain Controller name because of certain application requirements. You plan to use the swing method, where the new Domain Controller will be renamed to the old Domain Controller name.

Resolution:

  1. Make sure the old DC name is not being used anymore anywhere in the domain. Check the Active Directory object, DNS records, DFSR objects, etc.
  2. Use the netdom command to rename the Domain Controller according to the following steps:
    • On the new Domain Controller, open Command Prompt with administrative privileges
    • Type netdom computername "current_name" /add:"fqdn_newname" > press enter
    • Type netdom computername "current_name" /makeprimary:"fqdn_newname" > press enter
    • Restart the Domain Controller
    • Type netdom computername "current_name" /remove:"fqdn_oldname" > press enter

Saturday, August 28, 2021

Migrate SYSVOL from FRS to DFSR

Migration of SYSVOL from FRS to DFSR is actually quite simple.
First, you need to make sure all the Domain Controllers (DC) in the domain are online and that AD replication and SYSVOL replication are working normally.
After that, you just need to run the following commands in sequence:
  1. At the Command Prompt, type "dfsrmig /setglobalstate 1". This enters the Prepared state.
    • Type dfsrmig /getmigrationstate to confirm all domain controllers have reached the Prepared state
  2. Next, at the Command Prompt, type "dfsrmig /setglobalstate 2". This enters the Redirected state.
    • Type dfsrmig /getmigrationstate to confirm all domain controllers have reached the Redirected state
  3. Next, at the Command Prompt, type "dfsrmig /setglobalstate 3". This enters the Eliminated state.
    • Type dfsrmig /getmigrationstate to confirm all domain controllers have reached the Eliminated state

Thursday, June 17, 2021

BitLocker with MBAM Failed to Encrypt because Access Denied by Remote Endpoint

Description:

You have configured the MBAM application server and the MBAM database server, and set a GPO for drive encryption to run automatically with minimal user interaction. However, when you test it, it shows the error "failed to encrypt".

When you look at Event Viewer on the client machine, it says "Unable to connect to the MBAM Recovery and Hardware Service". It also gives Error Code: -2143485947 and the detail "Access was denied by the remote endpoint".

Resolution:
Make sure the account for the MBAM web application pool has the correct SPN.
You can use the following commands to set the SPN for the FQDN and the NetBIOS name.

Setspn -s http/mbamvirtual contoso\mbamapppooluser
Setspn -s http/mbamvirtual.contoso.com contoso\mbamapppooluser
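
A check for this post and for the SQL Server service account post above, where an SPN that is missing, duplicated, or still registered on the previous service account produces the same Kerberos failures. This is an added example, not from the original posts; Test-SpnOwner is a hypothetical helper name, and the account and SPN values are the sample ones from the Setspn commands above.

```powershell
# Added example (not from the original posts). Read-only check.
# Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

function Test-SpnOwner {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,  # account that should hold the SPNs
        [Parameter(Mandatory)] [string[]] $ExpectedSpn      # SPNs the service needs
    )
    foreach ($spn in $ExpectedSpn) {
        # Every object in the current domain that carries this SPN.
        # (SPNs containing LDAP filter metacharacters would need escaping first.)
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)

        if     ($holders.Count -eq 0)                             { $status = 'Missing' }
        elseif ($holders.Count -gt 1)                             { $status = 'Duplicate' }
        elseif ($holders[0].sAMAccountName -eq $SamAccountName)   { $status = 'OK' }
        else                                                      { $status = 'WrongAccount' }

        [pscustomobject]@{
            Spn     = $spn
            Holders = ($holders.sAMAccountName -join ', ')
            Status  = $status
        }
    }
}

# Sample values taken from the Setspn commands in the post
Test-SpnOwner -SamAccountName 'mbamapppooluser' `
              -ExpectedSpn 'http/mbamvirtual', 'http/mbamvirtual.contoso.com' |
    Format-Table -AutoSize
```

The search covers only the current domain; in a multi-domain forest, repeat it against a global catalog to catch duplicates held in other domains.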

Sunday, March 28, 2021

Azure AD Connect account usage

Azure AD Connect uses 3 accounts in order to synchronize information from on-premises or Windows Server Active Directory to Azure Active Directory. These accounts are:

  • AD DS Connector account: used to read/write information to Windows Server Active Directory

  • ADSync service account: used to run the synchronization service and access the SQL database

  • Azure AD Connector account: used to write information to Azure AD

In addition to these three accounts used to run Azure AD Connect, you will also need the following additional accounts to install Azure AD Connect. These are:

  • Local Administrator account: The administrator who is installing Azure AD Connect and who has local Administrator permissions on the machine.

  • AD DS Enterprise Administrator account: Optionally used to create the “AD DS Connector account” above.

  • Azure AD Global Administrator account: used to create the Azure AD Connector account and configure Azure AD. 

  • SQL SA account (optional): used to create the ADSync database when using the full version of SQL Server. This SQL Server may be local or remote to the Azure AD Connect installation. This account may be the same account as the Enterprise Administrator. Provisioning the database can now be performed out of band by the SQL administrator and then installed by the Azure AD Connect administrator with database owner rights.

How to Add NT Service\All Services group to Active Directory User Rights Assignment

Description:

You want to use a group Managed Service Account (gMSA) on multiple domains in your forest. You also have a Group Policy that manages the User Rights Assignment settings in Active Directory. You need to add NT Service\All Services to those User Rights Assignment policies.

Resolution:

  1. Open Group Policy Manager and edit the Group Policy, for example the “Default Domain Controller Policy” if you want to modify the User Rights Assignment on Domain Controllers.
  2. Navigate down to “Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment”
  3. Edit the “Log on as a service” properties and ensure the box next to “Define these policy settings:” is ticked. Click “Add User or Group” and manually type “NT SERVICE\ALL SERVICES” (Do Not Click Browse)
  4. Click OK twice
  5. Close the Group Policy Manager

Saturday, March 27, 2021

Error when Configuring Azure AD Connect - Authorization Manager check failed

Description:

When you configure Azure AD Connect, you encounter an "Authorization Manager check failed" error message.

It says "An error occurred while retrieving the Active Directory Schema. The error are: AuthorizationManager check failed."



Resolution:

Try manually installing the Microsoft certificate:

  1. Go to C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1
  2. Right click the file, and open properties
  3. Go to 'Digital Signatures' tab and open the details for the certificate
  4. Click View certificate
  5. Click Install certificate for local machine
  6. Manually choose to store certificates at 'Trusted publishers'
  7. Click Ok to close the certificate wizard.
  8. Go Back to the Azure AD Connect Wizard > Click Previous > and Click Next again.

Friday, March 26, 2021

Removing Extended Rights delegation on AdminSDHolder

Description:

You have Active Directory and Exchange servers running in your environment. One day, the Security team tells you that they have found an account with excessive access on the AdminSDHolder container. The account is "DomainName\Exchange Servers" and it has the Extended Rights permission Replication Synchronization. You want to remove this excessive access.

First, you try to remove it through the GUI. Open the AD Users and Computers console, go to System, then go to the AdminSDHolder container. Right click, open Properties, open Security, and click Advanced. You search for "DomainName\Exchange Servers" with the permission Replication Synchronization, but cannot find it.

Second, you try to confirm the existence of the extended right by running the following command:

DSACLS "CN=AdminSDHolder, CN=System, DC=DomainName, DC=Local"

The output confirms that the permission exists.

Third, you try to remove it using the Exchange Management Shell by running the following PowerShell command:

Remove-ADPermission -Identity "CN=AdminSDHolder, CN=System, DC=DomainName, DC=Local" -User "DomainName\Exchange Servers" -ExtendedRights "Replication Synchronization"

However it fails with access denied error.

Resolution:

We can remove the Extended Rights in AdminSDHolder container with the help of LDP.exe

  1. Open LDP.exe
  2. Go to Connection > Click Connect > Click OK
  3. Go to Connection again > Click Bind > Click OK
  4. Click View > Click Tree
  5. Enter the Base DN "DC=DomainName ,DC=Local". Click OK
  6. On the left, double click Domainname, double click "CN=System, DC=DomainName, DC=Local", then right click the AdminSDHolder container.
  7. Click Advanced > Click Security Descriptor

  8. Check the SACL box > Click OK
  9. Scroll Down until you find the Rights that you want to remove 

  10. Click Delete ACE > Select Yes
  11. Click Update to commit the changes
  12. Close the LDP.exe
Note:
Be careful when removing this right, as it may affect the behavior of your Exchange servers. Prior testing is required.
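
A read-only audit of the AdminSDHolder ACL, useful before and after the change in this post and for checking the dsacls delegation in the "Modifying AdminSDHolder Permission Delegation" post. This is an added example, not from the original posts; it assumes the ActiveDirectory PowerShell module and resolves the GUID in each ACE to an attribute or extended-right name so that entries the GUI does not display become visible.

```powershell
# Added example (not from the original posts). Read-only audit of AdminSDHolder.
# Assumes the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$target  = "CN=AdminSDHolder,CN=System,$($rootDse.defaultNamingContext)"

# Map GUIDs to names: schema attributes/classes first, then extended rights.
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
             -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[([guid]$_.rightsGuid).ToString()] = $_.displayName }

# ACEs that grant or deny property writes or extended rights.
# Full-control ACEs include both bits, so they are listed as well.
$interesting = [System.DirectoryServices.ActiveDirectoryRights]'ExtendedRight, WriteProperty'

(Get-Acl -Path "AD:\$target").Access |
    Where-Object { $_.ActiveDirectoryRights -band $interesting } |
    ForEach-Object {
        $key = $_.ObjectType.ToString()
        if ($_.ObjectType -eq [guid]::Empty) {
            $appliesTo = '(all)'          # ACE is not scoped to one attribute or right
        } elseif ($guidMap.ContainsKey($key)) {
            $appliesTo = $guidMap[$key]   # e.g. department, Replication synchronization
        } else {
            $appliesTo = $key             # unknown GUID: show it raw
        }
        [pscustomobject]@{
            Identity  = $_.IdentityReference
            Type      = $_.AccessControlType
            Rights    = $_.ActiveDirectoryRights
            AppliesTo = $appliesTo
        }
    } |
    Sort-Object Identity | Format-Table -AutoSize
```

ACL changes on AdminSDHolder reach protected accounts only when SDProp next runs on the PDC emulator (every 60 minutes by default), so re-check a protected user's ACL after that interval.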

Sunday, March 14, 2021

Recover Active Directory after Ransomware Attack if you only have VM Snapshot

Description:

You have a security incident in Active Directory where a ransomware attack encrypted your vCenter infrastructure. All you have left is a backup from a month before the attack.

Resolution:

Although it's not recommended to use a VM snapshot as your Active Directory backup method, in this situation you can use what you have at the moment.

You can follow this high-level guidance.

1. Choose a snapshot from a time when the malware or malicious file hadn't yet entered your production environment.

2. Recover only a single Domain Controller from the snapshot, preferably one that doesn't hold a Flexible Single Master Operation (FSMO) role. The rest of the DCs will be built fresh and populated using AD replication.

3. Perform the recovery in an isolated network.

4. Make sure Active Directory recovers successfully. Make sure SYSVOL and NETLOGON are shared properly.

5. Seize the FSMO roles to the recovered Domain Controller. Perform metadata cleanup of the rest of the DCs.

6. Increase the RID pool number.

7. Reset all high-privilege account passwords twice.

8. Update security patches and antivirus.

9. Connect the new Domain Controller to the production network.

10. Re-create users or re-join computers as needed.

11. Continue building new Domain Controllers from clean machines as needed.

Note:

This guidance assumes you are able to get a snapshot from before the attack occurred. Sometimes an attack starts many months in advance, which makes recovering from a snapshot less beneficial.


 

Sunday, March 7, 2021

Point Client Machine or Member Server to a Specific Domain Controller

There may be times when you want to restrict client machine or member server authentication to a specific Domain Controller only. One possible reason is that you're doing security hardening on a Domain Controller or Active Directory and want to test the impact on a limited production system before going company-wide.

To restrict client or member server authentication to a specific DC only, do the following:

1. Open Active Directory Sites and Services Console.

  • Create a new Site.
  • Assign a proper subnet to that site.
  • Move the Specific Domain Controller to that site.

2. Open Registry Editor on the client or member server.

  • In Registry Editor, navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  • Add the following multistring value (REG_MULTI_SZ) Value Name: SiteName
  • For Value Data: TheNewSitename

3. Restart the client or member server to get the new setting. If you cannot restart the machine, you can run the following command:

nltest /dsgetdc:domainname /force 

