Windows 2019 NPS Server Firewall Exclusion

Description:

You have completed the NPS configuration using Windows Server 2019. You have put the correct secrets at the VPN servers. You also have make sure there's no Network Firewall between the VPN server and NPS Server. 

However client machine cannot connect to the VPN. And you cannot see the traffic reaching the NPS Server. There's nothing in the NPS Server event viewer.

Resolution:

At the NPS server, open command prompt with elevated permission and type:

sc sidtype IAS unrestricted

Restart the server after that.

Windows Defender Firewall on the NPS should be automatically configured with exceptions, during the installation of NPS, to allow this RADIUS traffic to be sent and received.

With Server 2019 this firewall exception requires a modification to the service account security identifier to effectively detect and allow RADIUS traffic. If this security identifier change is not executed, the firewall will drop RADIUS traffic. The above command changes the IAS (RADIUS) service to use a unique SID instead of sharing with other NETWORK SERVICE services.

Failed F5 Big-IQ connection to Azure MFA

Description

You have setup Azure MFA with NPS Extension in your Organization. You have make sure the firewall from and to your NPS server is configure properly. You have also make sure the internet connection from NPS Server to Azure MFA is working properly
Now, you want to test the the connection from your F5 Big-IQ to the NPS Server. However you got an error saying "Failed while connecting to radius server, server responded with: Access-Challenge". 

You also notice that there are No authentication challenge or prompt at Microsoft Authenticator Apps. 

From the event viewer you can see the following "NPS Extension for Azure MFA: CID xxxxx : Challenge requested in Authentication Ext for user Domain\UserName with state xxxxx".

Resolution

NPS extension version 1.2.2216.1 or later is prompted to sign in with a TOTP method instead of Approve/Deny. If the Client doesn't support it, take the following steps to return to the Approve/Deny behavior.
Go to NPS Server, open the Registry Editor.

1. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa.
2. Create the following String/Value pair:

1. Name: OVERRIDE_NUMBER_MATCHING_WITH_OTP
2. Value = FALSE

Restart the NPS Service.

Cannot Delete DNS Zone - Access was Denied

Description:

You have several DNS Zone listed in your Active Directory Integrated DNS Server.

One day, you want to remove one of the DNS Zone there. However you got an error message saying Access was Denied.

You are already using a Domain Admins account.

Resolution:

You or other Admin probably already set the protection from accidental deletion for those DNS Zones.

On the DNS Manager Console, go to the DNS Zone that you want to delete. Open the properties and go to Security Tab. Open Advanced and Edit the Everyone (Deny) permission. Remove the check mark on the Delete Objects and Delete All Child Objects permission. Click Apply, click Ok.

You should be able to delete the DNS Zone.

How to Fix "Trust Relationship Failed" error without Rejoin Domain

Description:

One of your users suddenly sees the error message "Trust Relationship Between This Workstation And The Primary Domain Failed" when trying to logon to their machine.
You have verify the Computer Account is exist on Active Directory. DNS settings are properly set and there's no problem with port or networking.
You wish to remediate the issue without having to disjoin and rejoin the computer to the domain.

Resolution:

On the problematic machine, logon using local admin credential. Open PowerShell and run as Administrator. 
Type the following:
Reset-ComputerMachinePassword -Server DomainController -Credential

DomainAdmin

If the command completed successfully, logoff and try to logon again.

Migrate from Windows Hello to Windows Hello For Business (WHFB)

Description:

You have deployed Windows Hello in the past to several machines in the organizations. Recently you got direction from Management to deploy Windows Hello For Business (WHFB) for your organization. 
You have enable the Hybrid Cloud Kerberos trust and the configured required group policy. However, on the test machine, no WHFB got the prompt for provision. You have try to restart and make sure the WFHB group policy apply correctly.

Resolution:

Since you previously deployed Windows Hello, you need to make sure the "old" policy is being disabled.
Go to "Computer Configuration\Administrative Templates\System\Logon\Turn on convenience PIN sign-in". Make sure it is Disabled.

Multiple Prompt when creating Azure AD Kerberos Server object

Description:

You want to Deploy Windows Hello For Business with Hybrid Cloud Kerberos type in your environment.
You have met all the require prerequisites. However when trying to create Azure AD Kerberos Server object using below PowerShell command you encounter multiple prompt asking for Azure AD credential.

# Specify the on-premises Active Directory domain. A new Azure AD
# Kerberos Server object will be created in this Active Directory domain.
$domain = $env:USERDNSDOMAIN
# Enter an Azure Active Directory global administrator username and password.
$cloudCred = Get-Credential -Message 'An Active Directory user who is a member of the Global Administrators group for Azure AD.'
# Enter a domain administrator username and password.
$domainCred = Get-Credential -Message 'An Active Directory user who is a member of the Domain Admins group.'
# Create the new Azure AD Kerberos Server object in Active Directory
# and then publish it to Azure Active Directory.
Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

Resolution:

Make sure the Azure AD Global Administrator account that you are using during configuration are not included in any of Azure AD Conditional Access rules. You may also need to close the previous PowerShell session and try again.

ADRMS and SharePoint IRM Integration Error - 0x80020009

Description:

You have configure ADRMS properly in your environment. Now you want to make SharePoint to use ADRMS. At the SharePoint Central Admin, you specify the location of the RMS Server.

However when you try to open a document protected with RMS, there's a pop-up error saying couldn't find the document. At the SharePoint event viewer you saw the following error:

Information Rights Management (IRM): There was a problem while ensure IRM client. Status value: -1, error value: 0x80020009.

[Information Rights Management (IRM): There was a problem while creating the generic issuance license template.

All issuance licenses for protected documents are constructed from a generic, base issuance license template.

Additional Data

Error value: 0x800704DC

Resolution:

Please go to the SharePoint Central Admin and make sure you already select or type in the correct RMS cluster server address. Use HTTPS instead of HTTP when typing the RMS cluster address.

Sample SQL Script to Update ADRMS Configuration Database during Parallels Upgrade

UPDATE [dbo].[DRMS_ClusterPolicies]

SET PolicyData = '' --(your new string with updated information goes between the ' ' )
WHERE PolicyName='CertificationUserKeyStorageConnectionString'
 
UPDATE [dbo].[DRMS_ClusterPolicies]
SET PolicyData = '' --(your new string with updated information goes between the ' ' )
WHERE PolicyName='DirectoryServicesCacheDatabase'
 
UPDATE [dbo].[DRMS_ClusterPolicies]
SET PolicyData = '' --(your new string with updated information goes between the ' ' )
WHERE PolicyName='LoggingDatabaseServer'

Update AD RMS Config Database using SQL Server Management Studio during Parallels Upgrade

Description:

During AD RMS Parallels Upgrade, you need to modify the restored database to point to the new database servers.

Resolution:

1. Log on to the AD RMS configuration database server as local Administrator or another user account that is a member of the local Administrators group.
2. Click Start, point to All Programs, point to Microsoft SQL Server 2012, and then click SQL Server Management Studio.
3. On the Connect to Server page, ensure that the new database server name is listed in the Server name box, and then click Connect.
4. Expand Databases, expand DRMS_Config_<RMS cluster name>_<Port>, and then expand Tables.
5. Right-click DRMS_ClusterPolicies, and then click Open Table.
6. In the results pane, change the value in the PolicyData column of the LoggingDatabaseServer row to the new RMS database server name.
7. Change the value in the PolicyData column of the CertificationUserKeyStorageConnectionString row to reflect the new database server. The value should be data source=<new database server name>;integrated where <new database server name> is the name of the new database server.
8. Repeat steps 6–7 for the value in the PolicyData column of the DirectoryServicesCacheDatabase row.
9. Close Microsoft SQL Server Management Studio.

Active Directory Rights Management Services - Parallels Upgrade

Description:
You have an Active Directory Rights Management Services (ADRMS) being deployed in your IT Environment. You need to upgrade the version of ADRMS, the Windows OS, and also the Database with minimal downtime and minimal risk to new Windows 2019 and SQL 2019 machines.
You decided to do a Parallel Upgrade.

Resolution:

You would need to perform the following:

1. Prepare the new Windows 2019 OS and SQL 2019 Databases on different machines. Install all the necessary patches.
2. Back up the existing AD RMS database.
3. Restore the AD RMS databases to a new location (new instance, new SQL server, etc.).
4. The following SQL changes must be made on the restored databases.
• Database: DRMS_Config
• Table: DRMS_ClusterPolicies
• PolicyName entries in which the PolicyData value needs to reflect the new SQL connection string information.
• LoggingDatabaseServer
• CertificationUserKeyStorageConnectionString
• DirectoryServicesCacheDatabase
5. Built a new Windows Server of the desired version for the AD RMS cluster upgrade.
6. Add the AD RMS role.
7. When it gets to the role configuration choose the “join an existing cluster” option.
8. At the SQL database dialog enter the NEWLY RESTORED SQL database location, not the actual production database currently in use.
9. Complete the role configuration using all the same settings, service accounts, etc.
10. Edit the NTFS permissions on new AD RMS server's "C:\inetpub\wwwroot\_wmcs\certification\ServerCertification.asmx" file. Configure the same permissions as on the existing AD RMS server.

PowerShell Command to Identify Local Admin Account

Description:

You have several local account on your computer. One day, you need to find out which one is the real local Admin Account.

Resolution:

You can run the following PowerShell command on the local computer:

Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount = TRUE and SID like 'S-1-5-%-500'"

Cannot Publish or Missing Certificates Template

Description:

You created a certificate template in your Windows Enterprise CA. However when you want to publish it, you cannot saw the templates inside the "Enable Certificate Templates" wizard. All other Certification Authority function works normally and you've used the account which has proper permission.

Resolution:

Try to use the following command:
Certutil -setcatemplates +templatename

Note: The plus (+) sign is mandatory. Otherwise it will replace all of the other published template.

Error while creating Windows 2016 Cluster at "Find a suitable Domain Controller"

Description:

You want to create Windows 2016 cluster on Windows 2012 R2 Domain. You run the Wizard, however encountered error and the cluster cannot be created. 

During investigation, you saw several error message such as:
"Check whether the computer object "clustername" for node "hostnameFQDN" exists in the domain. More data is available".

At event viewer (after enabling Debug Log) you could see:
"Failed to find suitable DC. Error 234"
"Searching for object "clustername" on first choice DC failed. Error 234"
"Couldn't resolve RPC binding to cluster, Status = 1753"

You then try to run the Cluster Validation wizard but everything seems to pass. You validated that the required AD permission for the User Account creating the Cluster are already meet. You also verify the Group Policy setting for "Deny Access to this computer from the Network" is correct. You check the network port requirement and verify all the necessary port are open.

Resolution:

First, verified the DNS record in your DNS Server. Especially the record for all of your Domain Controllers. Make sure the Active Directory required Zones has the correct NS records, CNAME records, A Records, and also SRV DNS records. Remove the stale records for old or unknown broken Domain Controllers.

Second, check the Application partition (DomainDnsZone and ForestDnsZone) in your Active Directory. Use ADSIedit to connect to the application partition and try to browse the content. If you encountered error, you may need to delete the application partition using NTDSUtil.

You should be able to create the Windows Cluster afterwards.

Error Event ID 345 on ADFS Server

Description:

You recently just upgraded your ADFS to newer OS version. After a while you notice Event ID 345 on one of the secondary ADFS server. It said "There was a communication error during AD FS configuration database synchronization. Synchronization of the data from primary federation server to a secondary federation server did not occur". You are sure that all of the network port requirement are met.

Resolution:

The previous ADFS upgrade process is somehow causing the farm behavior level (FBL) on the secondary server doesn't match with the FBL on the primary server.

We need to remove the ADFS role and WID database feature on the problematic secondary ADFS server. After that try to re-install the ADFS role and finish the post configuration. 

The secondary server will then use the correct version of ADFS configuration database and synchronization will works as expected.

DNS Event 4015 on Windows 2012 R2 Domain Controller

Description:

At DNS Server which also a Domain Controller, you notice the Event Viewer is full with the following error.

The DNS server has encountered a critical error from the Active Directory. 
Check that the Active Directory is functioning properly. 
The extended error debug information (which may be empty) is 0000051B: AtrErr: DSID-031508EF, #1:0: 0000051B: DSID-031508EF, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor).

Resolution:

Enabled AD diagnostic logging, Enabled Directory access key and set the value to 5.
Look for Event ID 1175 at event viewer and noticed the Object Distinguished Name. You may need to change the ownership of that AD Object to SYSTEM and restarted the DNS service on the domain controller.

ADFS Error - MSIS8022: Unable to find the specified user account.

Description:

You saw several error at ADFS server event viewer. The error was saying "MSIS8022: Unable to find the specified user account."

Resolution:

First, always double check on the user name, make sure they are exist inside Active Directory. After that check for Extranet Lockout feature in ADFS.

When the Extranet Lockout is enabled, ADFS needs to query the badPwdCount attribute of the user, so it tries to look for it in AD before even trying to authenticate. If the user does not exist, you get the error message you see.

WAP and ADFS trust certificate lifetime

Description:

The proxy trust certificate between WAP and ADFS is a rolling certificate which valid for 2 weeks and periodically updated. This is stored in an internal, protected store so we can't see it in any of the usual certificate stores. 

What we see in the local machine store is the initial temporary certificate thumbprint used while the proxy trust is first being established. This explains why the WAP event log error included a strange, unknown certificate thumbprint.

If we leave our WAP server offline for more than 2 weeks, the proxy trust certificate will expire and we’ll need to re-initialise the proxy trust (Install-WebApplicationProxy cmdlet).

This can also happen when we move the VM’s configuration to another storage.

Resolution:

We can solve this issue by setting the following registry key to 1 on the WAP server and re-running post-install config from the Remote Management console:

HKLM\Software\Microsoft\ADFS

ProxyConfigurationStatus

• 1 (not configured)
• 2 (Web Application Proxy is configured)

Invalidate RID Pool Script

 

To invalidate the current RID pool in Active Directory

Open an elevated Windows PowerShell session, run the following command and press ENTER:

$Domain = New-Object System.DirectoryServices.DirectoryEntry
$DomainSid = $Domain.objectSid
$RootDSE = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE")
$RootDSE.UsePropertyCache = $false
$RootDSE.Put("invalidateRidPool", $DomainSid.Value)$RootDSE.SetInfo()

Cannot Install .Net Framework on Windows Server

Description:

You try to install .Net Framework 4.7.x to a Windows Server.

However the installation seems to be hang or stuck forever.

Resolution:

Go to "services.msc"  and check for Windows Installer services. Make sure the services is running. If not, perform a manual start and wait for a while. The installation should continue and completed within a couple of minutes.

Log Files Deleted or Missing after Running Performance Monitor on Windows Server

Description:

You run a performance monitor on Windows Server. You use one of the existing template to collect the data. You leave it running for 5 minutes (default). After it completes, no report being generated and the log files seems to be gone. However if you run it for only 1 minutes, the report can be generated normally.

Resolution:

Go to Data Manager section in Data Collector. Uncheck at the Maximum root path size option.

Try to run the data collector again.

Clear Cached Kerberos Tickets

To clear the cached Kerberos tickets:

Open Command Prompt with Administrative permission

Type:

Klist purge

klist purge –li 0x3e7

Microsoft Defender for Identity sensor installation failing - error code 0x80070643

Description:

You are trying to install Microsoft Defender for Identity sensor on a Domain Controller. The Domain Controller need to use proxy to communicate to the internet. You've enter the correct proxy setting on the Domain Controller system setting. And you've make sure the required communication port (443) are already open from Domain Controller to *.atp.azure.com. However you still got stop error 0x80070643.

Resolution:

Configure the proxy setting using registry. You must copy the proxy configuration that you use in user context to the localsystem and localservice. To copy your user context proxy settings:

1. Make sure to back up the registry keys before you modify them.

2. In the registry, search for the value DefaultConnectionSettings as REG_BINARY under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings. Export all the value inside the Connections key.

3. Open the exported file and edit the location to become HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings. Save the first copy of the file.

4. Double click the new file to import the value from the Current_user DefaultConnectionSettings to LocalSystem.

5. After that, open the exported file and edit the location to become HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings. Save the second copy of the file.

6. Double click the second file to import value from the Current_User DefaultConnectionSettings to LocalService.

7. Close the registry editor.

Try to re-run the installation process again.

Cannot Re-Install NPCAP

Description:

You are trying to re-install NPCAP as part of Microsoft Defender for Identity Sensor deployment on a Domain Controller. However you got stuck uninstall error problem.

You have try to remove the registry from Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\NpcapInst. However the problem still exist.

Resolution:

Search for possible services that were using NPCAP. Example is Wireshark or Cisco Tetration. Stop those services and try to re-install NPCAP again.

Fixing Error nvlddmkm.sys on Event Viewer

Description:

You are using Nvidia GPU. And sometimes you saw nlddmkm.sys error in the event viewer. The GPU is crash and cannot restart normally.

Resolution:

Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers

Add new Dword record. Enter TdrDelay as the name of the new DWORD. Set its Value Data to 8.

Click OK and close Registry Editor. Restart the Server.

Note:

If you still experiencing nlddmkm crash error after this, you may need to upgrade or downgrade your NVDIA Graphic driver. Version 472.12 seems to provide more stabile result.

Azure B2B Script to create Guest On-Prem Active Directory Account is Not Working

Description:

You are configuring Azure B2B to allow external users to access your on-premise application securely.

You have configure the Azure B2B setting and have publish the on-premise application using Azure AD Application Proxy. Now you want to use the Azure B2B script to create the Guest account in on-premise Active Directory automatically. 

You downloaded the script from https://www.microsoft.com/en-us/download/details.aspx?id=51495. 

However when you run it, you saw some error and the users never get created in on-premise Active Directory. 

During troubleshooting, you found out that the script has not enough application permission to connect or query to Azure AD. You even triple check the API permission, but cannot found the cause of the error.

Resolution:

The "AppProxy-GuestAccountCreation-v1.0.3.ps1" script is not updated. PowerShell script still uses deprecated Azure AD Graph API instead of MS Graph API. 

You can download the updated script from https://github.com/MicrosoftDocs/azure-docs/files/7090340/AppProxy-GuestAccountCreation-v1.0.3.txt.

Make sure you install Microsoft Graph PowerShell SDK prior to executing the script.

Error when using PowerShell Connect-MgGraph not recognized

Description:

You already install the Microsoft Graph PowerShell SDK on your machine. However when trying to run a script that has "Connect-MgGraph" command, you encountered not recognized cmdlet, function, script  error. You have also restarted the machine and make sure the Microsoft Graph Module was loaded.

Resolution:

There might be some conflict between Microsoft Graph module and other module on your machine. The possible conflict are with Azure AD or MSOnline modules.

Try to install the Microsoft Graph PowerShell SDK on other machine which has minimum or has only the default PowerShell module.

Intermittent ADFS Event ID 224 & 245 at WAP Server

Description:

At Web Application Proxy Server (WAP) configured to connect to ADFS, you saw several Event ID 224 & 245 intermittently appear. TCP Port 443 are already open between WAP and ADFS.

Resolution:

Make sure you have all the required certificate on WAP server, including the intermediate and trusted root of the SSL certificate.

Error 1297 when starting AD FS Service

Description:

When you try to start ADFS Service for the first time after finishing the configuration, you may encounter 1297 error.

Resolution:

You need to make sure that the service account that you use to run the ADFS Service has the following rights on the ADFS Server:

• Logon As Service
• Generate Security Audits

How to set mutisubnetfailover option on ADFS to SQL Database connection string

Description:

You want to use SQL Always On capability for your application. 

You need to change the Database Connection string.

Resolution:

Please run the following at PowerShell on all ADFS Server (one by one):

$temp= Get-WmiObject -namespace root/ADFS -class SecurityTokenService
$temp.ConfigurationdatabaseConnectionstring=”data source=<you sql instance>;multisubnetfailover=true;initial catalog=adfsconfiguration;integrated security=true”
$temp.put()

Set-AdfsProperties –artifactdbconnection ”Data source=<you sql instance>;multisubnetfailover=true;Initial Catalog=AdfsArtifactStore;Integrated Security=True”

Exception Error when Running PowerShell command to Update the ADFS SQL Connection String.

Description:

As per article from https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/federation-server-farm-using-sql-server, we need to run the following command to update the SQL connection string for the AD FS configuration database:

PS:\>$temp= Get-WmiObject -namespace root/ADFS -class SecurityTokenService

PS:\>$temp.ConfigurationdatabaseConnectionstring="datasource=<SQLCluster\SQLInstance>;initial catalog=adfsconfiguration;integrated security=true"

PS:\>$temp.put()

The update is necessary to support SQL Always On feature.

However, there's an "exception error" when you run the above script in PowerShell.

Resolution:

For modifying the connection string on the additional ADFS server in the Farm, you need to stop the ADFS Service first. After that run the above script and start the ADFS Service again.

Error when adding a new Windows Server 2016 to ADFS Server Farm with SQL Database

Description:
You have successfully configured the first ADFS Server with SQL Database in a ADFS farm. Now you want to add another node to the ADFS Farm. 

However when you run the ADFS Configuration wizard, you encountered an error and the process stops.

At the prerequisite checks, we can see several errors as per below:

• "An error occurred during an attempt to connect to the AD FS configuration database. Error: Login failed for user 'Domain\The account I am logged into the server with'.. Confirm that the database hostname and instance name are correct and that the specified service account has logon access to the database."

• "Cannot open database "AdfsConfigurationV0" requested by the login. The login failed.

• Login failed for user 'domain\managed service account$'."

Resolution:
Make sure the account that you are using have the Owner Access to the ADFS database. 
The permissions can be removed after adding the new nodes.

Cannot Start ADFS Service after changing the Database Connection string to support SQL Always On

Description:
You have configured the first ADFS 2016 Server with SQL as the Database. Later on the day, the SQL Admin has also set the ADFS Database to have Always On capability.

You've follow the syntax from https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/federation-server-farm-using-sql-server to change the SQL Connection string on the first ADFS server to support SQL Always On feature.

However when you try to restart the ADFS service, it is always failed.

Example Script:

PS:\>$temp= Get-WmiObject -namespace root/ADFS -class SecurityTokenService
PS:\>$temp.ConfigurationdatabaseConnectionstring="data source=<SQLCluster\SQLInstance>;initial catalog=adfsconfiguration;integrated security=true"
PS:\>$temp.put()

Resolution:

You need to modify the above example script. Make sure the "data source" are correct, and also the "initial catalog" value are the same as the actual database name in SQL. For example you may need to write "adfsconfgurationv3" instead of just "adfsconfiguration" on the above script.

Cannot Delete Domain Controller - Access is Denied

Description:

You are using Domain Admins account and wanted to delete a "stale" Domain Controller (DC) from Active Directory Users and Computers console. However you got an access denied error.

Resolution:

Most probably there's a protection against accidental deletion of DC.

• Go to Active Directory Sites and Services
• Expand the Sites folder > expand the site name where the DC you want to delete is > expand the Servers folder > expand the DC you want to delete
• Right click on NTDS Settings
• Click on the Object tab
• Uncheck the “Protect object from accidental deletion” checkbox.
• Click OK.

Now you should be able to delete the Domain Controller from Active Directory Users and Computers console.