Cannot Start ADFS Service after changing the Database Connection string to support SQL Always On

Description:
You have configured the first ADFS 2016 Server with SQL as the Database. Later on the day, the SQL Admin has also set the ADFS Database to have Always On capability.

You've follow the syntax from https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/federation-server-farm-using-sql-server to change the SQL Connection string on the first ADFS server to support SQL Always On feature.

However when you try to restart the ADFS service, it is always failed.

Example Script:

PS:\>$temp= Get-WmiObject -namespace root/ADFS -class SecurityTokenService
PS:\>$temp.ConfigurationdatabaseConnectionstring="data source=<SQLCluster\SQLInstance>;initial catalog=adfsconfiguration;integrated security=true"
PS:\>$temp.put()

Resolution:

You need to modify the above example script. Make sure the "data source" are correct, and also the "initial catalog" value are the same as the actual database name in SQL. For example you may need to write "adfsconfgurationv3" instead of just "adfsconfiguration" on the above script.

Cannot Delete Domain Controller - Access is Denied

Description:

You are using Domain Admins account and wanted to delete a "stale" Domain Controller (DC) from Active Directory Users and Computers console. However you got an access denied error.

Resolution:

Most probably there's a protection against accidental deletion of DC.

• Go to Active Directory Sites and Services
• Expand the Sites folder > expand the site name where the DC you want to delete is > expand the Servers folder > expand the DC you want to delete
• Right click on NTDS Settings
• Click on the Object tab
• Uncheck the “Protect object from accidental deletion” checkbox.
• Click OK.

Now you should be able to delete the Domain Controller from Active Directory Users and Computers console.

BitLocker Deployment with Active Directory - How to Start Automatic Encryption

Description:

You deployed BitLocker using Active Directory only. You have setup the necessary Group Policy, run manual BitLocker Encryption and can see the recovery password is being store at Active Directory.

Now you are wondering how it could start auto encryption without user interaction.

Resolution:

From https://www.experts-exchange.com/articles/33771/We-have-bitlocker-so-we-need-MBAM-too.html we can see that we can create a task scheduler on the machine and run it with System credential.

Detail:

Task name: BL (name it as you want, but please don’t forget to change the name in the last script line)

Triggers: at logon of any user

Executing account: system

Action: powershell.exe with the argument \\server\share\BL.ps1

The script:

$pin=(Get-Random -Minimum 0 -Maximum 999999).ToString('000000')
echo "$pin" | out-file \\server\pins\$env:computername.txt -Append
$SecureString = ConvertTo-SecureString "$pin" -AsPlainText -Force
Add-BitlockerKeyProtector -MountPoint "C:" -Pin $SecureString -TPMandPinProtector
manage-bde -on c: -s -used -rp
msg * /time:0 Your hard drive is being encrypted. To start your PC, you need your Bitlocker-PIN, which is $pin
schtasks /delete /tn BL /f

Error connecting to SQL Server after changing Service Account to normal domain users

Description:

As security best practice, we should not run SQL Server Services with domain admin credential. However after changing it to the normal domain user credential, you encounter connection error message when trying to connect from SQL Server Management Studio.

The error may say something like "The target principal name is incorrect.  Cannot generate SSPI context."

Resolution:

We need to provide the appropriate permission for the domain user credential to modify ServicePrincipalName attribute in Active Directory.

• Run Adsiedit.msc
• In the ADSI Edit snap-in, expand Domain [YourDomainName], expand DC= RootDomainName, expand CN=Users, right-click CN= [YourAccountName, and then click Properties.
• In the CN= AccountName Properties dialog box, click the Security tab.
• On the Security tab, click Advanced.
• In the Advanced Security Settings dialog box, select one (any) of "SELF"'s row
• Click Edit, Open Permission Entry dialog box.
• Make sure Pricipal is "SELF", Type is "Allow" and "Applied to" is "This Object Only", in Properties section, select the properties below:
  • Read servicePrincipalName
  • Write servicePrincipalName
• Click OK to apply all changes and exit the ADSI Edit snap-in
• Restart the SQL Service(s) that use the account in question.

Error Connecting to SQL Server Instances after enabling Windows Firewall

Description:

For security reason, you need to enable the Windows Firewall on your SQL server machine.

However, after you enable them, user cannot connect to one of your SQL Instances. You already create Inbound TCP rule to allow port 1433 and another TCP port where the instance listened, but users still cannot connect. They can connect if the specified the port number for that instance was directly written on the connection page.

Resolution:

Make sure you also create inbound rule for UDP port 1434. The SQL Server browser service runs on UDP port 1434 and listens for incoming connections to a named instance.