Search This Blog

Sunday, February 28, 2021

Upgrading Active Directory Federation Service (ADFS) Server

Description:

You want to upgrade existing ADFS and ADFS Proxy (WAP) to new version in new machines.

Resolution:

Upgrade ADFS Server
  • Export the existing SSL Certificate with Private Key
  • Import the SSL Certificate with Private Key on new ADFS and ADFS Proxy machines
  • Install the AD FS Role using Server Manager on the new machines
  • Configure AD FS using Server Manager > Will need Domain Admin Account and Service Account for ADFS
  • Move the Primary ADFS Role to the new ADFS machine
    • To check the role, please run: Get-AdfsSyncProperties
    • On the new primary machine, please run:
Set-AdfsSyncProperties -Role PrimaryComputer
    • On the old ADFS primary machine, please run:
Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName FQDNnewADFS

  • Demote the old ADFS machines 
  • Raise the ADFS Farm Behavior Level (FBL)

    • Please run the following
      • Get-AdfsFarmInformation
      • Invoke-adfsfarmbehaviorlevelraise

  • Change DNS Record to point to the new AD FS Server
  • Test access and authentication to new ADFS

https://adfs.fabrikam.com/adfs/ls/idpinitiatedsignon.aspx

Upgrade WAP Server
  • Install Web Application Proxy Role using Server Manager on the new machines
  • Configure WAP using Server Manager > Will need local administrator account on the federation servers
  • Verifying the trust with the AD FS farm
    • Navigate to Applications and Services Logs > AD FS > Admin
    • You should be able to see an event with ID 245

Friday, February 12, 2021

Local Administrator Password Solution (LAPS) - Cannot Reset Password

Description:

You have properly setup Local Administrator Password Solution (LAPS) in your Domain Environment.

  • Admpwd.dll is being deployed and register at client computer
  • Group Policy to manage password is configured and linked to the proper OU
  • Permission to read and reset password is properly setup at the OU

However when you try to reset the local admin password for one of the computer, the new password never get generated automatically.

Resolution:

Please check the time configuration on where you reset the password. Does the machine time sync properly with the Domain Controller? If not, please fix it, restart the machine, and try to reset the password again.

Please also check the following registry at the machine:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

Value Name: Type

Value Data: NT5DS


Thursday, February 11, 2021

Azure AD Connect - AD DS Connector Account

If we want to know the specifics of the service account for the Active Directory connector(s). 

Use the following two lines of Windows PowerShell:

Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"

Get-ADSyncADConnectorAccount

Network Policy Server (NPS) - Event Logs not appear

Description:

You have setup NPS in your environment and it seems to work properly. However when you check the event viewer at Custom Views\Server Roles\Network Policy and Access Services, you only saw very minimum event.

Resolution:

Run the following at elevated command prompt on the NPS Server

auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable


Tuesday, February 9, 2021

PowerShell Script to Find Last Logon Date Information from Computer with Windows 7 Operating System

Description:

You need to get a list of all Windows 7 computer with Last Logon Date information in your domain.

Resolution:

Run the following PowerShell command:

Get-ADComputer -Filter * -Properties OperatingSystem, LastLogonDate | where {$_.OperatingSystem -match "Windows 7 Professional"} | select Name, OperatingSystem, LastLogonDate | sort LastLogonDate –unique | Export-Csv c:\workcomputers.csv

Search Google