Microsoft Exchange: Unable to export Exchange attributes (msExchArchiveGUID) from Active Directory after shutdown

Hi everyone, it has been a while, due to Chinese New Year. Anyway, it is good to be back!

The situation: you have shut down the Microsoft Exchange server and are in the middle of rebranding (for example, changing UPNs, email addresses or logon names), but some users have trouble opening their online archive. You would therefore like to export their msExchArchiveGUID from Active Directory and compare it with the cloud archive GUID, instead of powering the Exchange server back on (you do not want to make your effort redundant). However, no matter how you try with Get-ADUser -Filter * -Properties * | Export-Csv filename.csv on your domain controller, the GUIDs still do not show up in the CSV file. (Active Directory stores this attribute as a binary octet string, so Export-Csv writes the literal text System.Byte[] in that column rather than a GUID.)

This article should be read together with the reference links.

Don’t panic! All you got to do is:

  1. Prepare a domain-joined test PC (Windows 10 or later) or a non-critical server (Windows Server 2012 R2 or later)
    • I would recommend using a test PC, to avoid the hassle of checking whether the Windows server is critical or not, or of getting stuck at the Exchange Server wizard (role selection)
  2. Prepare an account that has domain admin rights.
  3. Make sure you know your Exchange Server version (Exchange 2010, 2013, 2016 or 2019) and which Cumulative Update (CU) it is on, because you will need to download the matching CU package.
    • If you don't remember, you can always locate the Exchange server's object in your AD. Otherwise, you have to guess.
  4. Log on to the PC with the domain admin account > Install the RSAT tools onto the PC
    • Recommended RSAT tools are: Active Directory Domain Services and Lightweight Directory Services Tools, and Server Manager
  5. Install IIS 6 Metabase Compatibility and IIS 6 Management Console
  6. Reboot the PC
  7. Log back on to the PC with the same account, open a browser, search for your Exchange Server CU version and download the package
  8. Mount the .iso file and run Setup.exe
  9. Choose the option not to check for updates > Next
  10. Accept the license agreement > Next
  11. On the Recommended settings page > choose recommended settings or not
  12. On the Server Role Selection page > choose only Management tools > Next
  13. The installation location can remain at the default
  14. On the prerequisite check page, if you face any of the listed errors, follow the on-screen instructions to resolve them, or search for the fix for your PC's OS version
  15. Once the Exchange management tools have installed successfully, you can start exporting msExchArchiveGUID
  16. Once finished, remember to revert the configuration changes made to the PC
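The export and the comparison the post describes, as an added example that is not from the original post. It reads msExchArchiveGUID straight from Active Directory (the attribute is a 16-byte octet string, which is why Export-Csv alone prints System.Byte[]), converts it to a GUID, and compares it with the ArchiveGuid that Exchange Online reports. It assumes the ActiveDirectory RSAT module and the ExchangeOnlineManagement module are installed and that Connect-ExchangeOnline has already been run; the output file name is a placeholder.

```powershell
# Added example (not from the original post). Exports each user's msExchArchiveGUID
# from Active Directory as a readable GUID and compares it with the ArchiveGuid
# reported by Exchange Online. Assumes the ActiveDirectory RSAT module and the
# ExchangeOnlineManagement module are installed; run Connect-ExchangeOnline first.
# Active Directory stores msExchArchiveGUID as a binary octet string, which is why
# Export-Csv alone writes "System.Byte[]" instead of the GUID.

function Convert-ArchiveGuid {
    param([byte[]]$Bytes)
    # A GUID is exactly 16 bytes; anything else means the attribute is missing or damaged.
    if (-not $Bytes -or $Bytes.Length -ne 16) { return $null }
    return ([guid]::new($Bytes)).ToString()
}

function Export-OnPremArchiveGuid {
    param([string]$OutFile = '.\onprem-archive-guids.csv')   # placeholder path
    # Only users that actually have an archive GUID set.
    Get-ADUser -Filter 'msExchArchiveGUID -like "*"' -Properties msExchArchiveGUID, mail |
        ForEach-Object {
            [pscustomobject]@{
                UserPrincipalName = $_.UserPrincipalName
                Mail              = $_.mail
                OnPremArchiveGuid = Convert-ArchiveGuid -Bytes $_.msExchArchiveGUID
            }
        } | Export-Csv -Path $OutFile -NoTypeInformation
    return $OutFile
}

function Compare-ArchiveGuid {
    param([string]$OnPremCsv)
    # Index the on-prem export by UPN so each cloud mailbox can be looked up directly.
    $onprem = Import-Csv $OnPremCsv | Group-Object UserPrincipalName -AsHashTable -AsString
    Get-EXOMailbox -ResultSize Unlimited -PropertySets Archive |
        Where-Object { $_.ArchiveGuid -and $_.ArchiveGuid -ne [guid]::Empty } |
        ForEach-Object {
            $local = $onprem[$_.UserPrincipalName]
            $cloud = $_.ArchiveGuid.ToString()
            [pscustomobject]@{
                UserPrincipalName = $_.UserPrincipalName
                CloudArchiveGuid  = $cloud
                OnPremArchiveGuid = $local.OnPremArchiveGuid
                Match             = [bool]($local -and $local.OnPremArchiveGuid -eq $cloud)
            }
        }
}

$csv = Export-OnPremArchiveGuid
# Mismatches are the users whose online archive will not open after the rebranding.
Compare-ArchiveGuid -OnPremCsv $csv | Where-Object { -not $_.Match } | Format-Table -AutoSize
```

A user who appears with an empty OnPremArchiveGuid has no msExchArchiveGUID in AD at all, which is a different problem from a GUID that simply differs between the two sides; keep the two cases apart when you go back to fix them.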

References:

  1. https://learn.microsoft.com/en-us/exchange/install-exchange-2013-using-the-setup-wizard-exchange-2013-help
  2. https://learn.microsoft.com/en-us/exchange/iis-6-compatibility-components-not-installed-longhorniis6mgmtconsolenotinstalled-exchange-2013-help
  3. https://learn.microsoft.com/en-us/powershell/exchange/filter-properties?view=exchange-ps#archiveguid

Defender for Identity: NTLM Warning Troubleshoot

Hi everyone, hope you are enjoying your weekend. Today is actually the day Malaysians vote for their new leader (Prime Minister).

Proof that I have voted! This year the voting arrangements for people with special needs and the elderly were really convenient.

Anyway, let’s start the topic of today!

Microsoft recently raised a warning in tenants' Defender for Identity admin portal because new NTLM auditing requirements must be implemented in the domain controllers' GPO.

The warning looks like this in your Defender for Identity admin portal:

The warning links to a recommendations article that should guide you to resolve the issue. However, I realized that the Microsoft article did not CLEARLY write out the steps on how to locate the Group Policy setting. This feedback was raised to the authors and they have already attended to it.

Once auditing is enabled, the domain controller's Event Viewer logs NTLM authentications as event ID 8004 in the Microsoft-Windows-NTLM/Operational log; this is the event the Defender for Identity sensor needs.

The warning applies to every domain controller that does not have these policies enabled. To enable them, follow the steps below.

Resolution Steps:

  1. Log in to a writable domain controller with an account that has permission to modify the GPO
  2. Go to Start > search for and launch Group Policy Management
  3. Expand Group Policy Objects > find Default Domain Controllers Policy > right-click and edit Default Domain Controllers Policy
  4. Expand Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
  5. Select "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" > choose Audit all > OK
  6. Select "Network security: Restrict NTLM: Audit NTLM authentication in this domain" > choose Enable all > OK
  7. Select "Network security: Restrict NTLM: Audit Incoming NTLM Traffic" > choose Enable auditing for all accounts > OK
  8. Go to Start > search for and launch Command Prompt > run "gpupdate /force". (For immediate effect, do this on every domain controller that has the sensor installed too.)
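A check for the steps above, as an added example that is not from the original post or from Microsoft. After gpupdate it reads the three NTLM settings back from the registry values the policies write under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 and pulls recent 8004 events. The value numbers are the ones these policies use (Audit all = 1, Enable all = 7, Enable auditing for all accounts = 2); confirm them against the policy description in the GPO editor if your build differs.

```powershell
# Added example (not from the original post). Verifies on a domain controller that the
# three NTLM audit settings from the steps above have applied, then pulls recent
# NTLM audit events (ID 8004) from the Microsoft-Windows-NTLM/Operational log.
# The registry value names and numbers are the ones the three policies write; check
# them against the policy description in the GPO editor if in doubt.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$expected = @{
    RestrictSendingNTLMTraffic = 1   # Outgoing NTLM traffic to remote servers: Audit all
    AuditNTLMInDomain          = 7   # Audit NTLM authentication in this domain: Enable all
    AuditReceivingNTLMTraffic  = 2   # Audit Incoming NTLM Traffic: Enable auditing for all accounts
}

function Test-NtlmAuditPolicy {
    $props = Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        $actual = if ($props) { $props.$name } else { $null }
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $actual
            Ok       = ($actual -eq $expected[$name])
        }
    }
}

function Get-RecentNtlmAudit {
    param([int]$Hours = 24, [int]$Max = 50)
    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8004
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue: Get-WinEvent throws when no event matches, which is normal
    # right after enabling the policy.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split '\r?\n')[0] } }
}

Test-NtlmAuditPolicy | Format-Table -AutoSize
Get-RecentNtlmAudit | Format-Table -AutoSize
```

Run it on each domain controller that carries a sensor; a DC where the three rows show Ok = False has not received the policy yet (wrong OU, blocked inheritance, or gpupdate not run), and the portal warning will stay until it does.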

References:

  1. https://learn.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection#event-id-8004

Microsoft Purview: Things to know when you are using named entities as data classification in Data Loss Prevention

Good morning, and I would like to wish my Indian friends a Happy Deepavali. I hope you enjoy the long holiday with family or friends!

Let’s begin with our topic of today!

I was not really expecting that this would be an experience that I would never forget.

Attention required

Before you recommend named entity classification, there are a few things you should take note of from the Microsoft article.

  1. Policy tips do not support named entities in the Office 365 apps (64-bit and 32-bit)
  2. If you create a DLP rule whose conditions include both a named entity and a credit card number and enable the policy tip, then even when the content contains only credit card information the policy tip will not show up in the Office 365 apps
  3. For the full list of what named entities do not support, review the references below

Suggestions

I would suggest that you either acknowledge this and move on with deploying DLP as silent monitoring in the backend, or proceed to enforce and send notifications instead. Best to enforce it.

If you still want your policy tips to work for non-named entities, you would have to create an extra rule to manage. Still keep the DLP policy as minimal as possible based on the location types.

I would suggest that you perform these in your lab environment if you are new to named entities, so that you know the matching confidence levels and what its matching capability is able to cover.

Microsoft Support would likely request that you remove the PolicyNudges key in the Registry Editor or run the SaRA (Support and Recovery Assistant) application as a resolution. However, this does not work.

References:

  1. https://learn.microsoft.com/en-us/microsoft-365/compliance/named-entities-use?view=o365-worldwide

Active Directory and DNS: Why should you not add 8.8.8.8 as a DNS forwarder?

Hi everyone and hope you are doing great today. A new day is a new start.

If you are the type of engineer who treats every DNS problem as something that must be fixed by adding 8.8.8.8, or by filling the DNS forwarder list with values, then you probably have trouble understanding Active Directory and its DNS functionality.

Why do mistakes happen?

When you are in a rush to restore internet connectivity, the only idea that comes to mind is to point to 8.8.8.8 as the DNS server. However, turning this into your standing practice adds delay to DNS resolution and potentially adds a point of failure.

How does DNS resolution actually work?

This is the basic order in which resolution is attempted. Resolution stops at the first stage that produces an answer, whether that answer is right or wrong.

First phase: the local Windows hosts file (and the local resolver cache)

Second phase: the computer's DNS server list

Third phase: the internal DNS server

Fourth phase: designated conditional forwarders

Fifth phase: DNS forwarders

Sixth phase: root hints

What are the impacts?

The hosts file is static. It should only be used for troubleshooting, and then immediately set back to its default once the issue has been resolved via the internal DNS servers.

If your client's DNS points only to 8.8.8.8, it will reach out externally for DNS resolution. This gives you internet access, but it will not resolve internal names. That prevents devices from locating Active Directory: they will not be able to pull Group Policy, logons will be very slow, and connectivity with the domain will be intermittent.

Doing this also sends your internal DNS queries out to the internet, disclosing internal host names to an external resolver. This is not recommended and is likely to violate your security policies.

DNS forwarders that point only to 8.8.8.8 use your ISP connection to hop to 8.8.8.8 for every resolution. Your ISP's resolvers are much closer and will speed up requests if used instead.

Moreover, if your DNS is set to 8.8.8.8, a DNS failure may look like an ISP outage when the ISP connection is in fact fine. If there are failover rules in place that do not use your ISP's DNS, your system may fail over when there is no outage.

If you have disabled root hints, a single external DNS provider outage can stop all external DNS resolution at your business.

Windows Firewall may decide the machine is on a public network, which causes it to start blocking traffic. A domain controller whose primary or secondary DNS points to an external address such as 8.8.8.8 can trigger the same problem. Disabling and re-enabling IPv6 temporarily fixes the public-profile error, but it will keep happening until you remove 8.8.8.8.

It is recommended that every domain controller/DNS server's local network interface point to another domain controller/DNS server first and to itself second, never to an external IP.

DNS forwarders should be configured in the DNS Manager console to point to your ISP's external DNS servers. Doing this takes care of external DNS resolution.
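An audit for the two recommendations above, as an added example that is not from the original post. Run on a domain controller, it lists the DNS servers configured on the DC's own NICs (which should be another DC and then itself, never a public address), the DNS server's forwarders (where public ISP resolvers are expected but 8.8.8.8/8.8.4.4 are flagged), and whether root hints are still in use. It assumes the DnsClient and DnsServer PowerShell modules (RSAT DNS Server Tools) are present.

```powershell
# Added example (not from the original post). Audits a domain controller's DNS client
# settings and its DNS server forwarders/root hints against the guidance above.
# Assumes the DnsClient and DnsServer modules (RSAT DNS Server Tools); run on the DC.

function Test-PrivateIPv4 {
    param([string]$Address)
    # RFC 1918 ranges plus loopback, which is acceptable as the DC's own second entry.
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne 'InterNetwork') { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 127)
}

function Get-DnsConfigFindings {
    $googlePublic = @('8.8.8.8', '8.8.4.4')
    $findings = @()

    # 1. DNS client: a DC's NIC should list another DC/DNS server first and itself
    #    second, never a public resolver.
    foreach ($nic in Get-DnsClientServerAddress -AddressFamily IPv4) {
        foreach ($srv in $nic.ServerAddresses) {
            if (-not (Test-PrivateIPv4 $srv)) {
                $findings += [pscustomobject]@{
                    Scope   = "Client NIC '$($nic.InterfaceAlias)'"
                    Address = $srv
                    Problem = 'Public resolver on a domain controller NIC'
                }
            }
        }
    }

    # 2. DNS server forwarders: public addresses are expected here (your ISP's
    #    resolvers), but 8.8.8.8 / 8.8.4.4 are exactly what this post warns against.
    $fwd = Get-DnsServerForwarder
    foreach ($ip in $fwd.IPAddress) {
        $addr = $ip.IPAddressToString
        if ($googlePublic -contains $addr) {
            $findings += [pscustomobject]@{
                Scope   = 'Server forwarder'
                Address = $addr
                Problem = 'Google public DNS used instead of ISP resolvers'
            }
        }
    }

    # 3. Root hints: keep them enabled so a single upstream outage is survivable.
    if (-not $fwd.UseRootHint) {
        $findings += [pscustomobject]@{
            Scope   = 'Server forwarder'
            Address = '(root hints)'
            Problem = 'Root hints disabled; a forwarder outage stops all external resolution'
        }
    }
    return $findings
}

$result = Get-DnsConfigFindings
if ($result) { $result | Format-Table -AutoSize } else { 'No public-resolver findings on this DC.' }
```

The client-side rows are the ones that cause the domain symptoms described above (slow logons, missing policy, the firewall flipping to the Public profile); the forwarder rows only cost you latency and an extra point of failure.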

References:

  1. https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/best-practices-for-dns-client-settings
  2. https://www.mirazon.com/stop-using-8-8-8-8-for-your-production-network/#:~:text=That%20is%20not%20recommended%20and,connection%20to%20hop%20to%208.8

Active Directory and Microsoft Defender for Identity: Defender for Identity agent failed to communicate with domain controller

Hi guys, hope you are having a nice day today. Today I would like to share an experience I had involving Defender for Identity and a domain controller.

The problem was that Defender for Identity stopped working all of a sudden, and the same happened to Group Policy. This environment has more than one domain controller running and only one of them had the issue. There was no one to keep track of what had been done previously.

There was no proper error code in the event logs on the affected domain controller to explain the reason. There was a list of Kerberos error codes and intermittent sync issues with DNS, DFS Replication and directory sync.

Hence, I collected the event logs on the affected domain controller and the Defender for Identity logs from C:\Program Files\Azure Advanced Threat Protection Sensor\<version number>\Logs. Based on my findings, the affected domain controller's computer object was not in the default Domain Controllers organizational unit.

This is what the Defender for Identity logs showed:

A task was canceled. Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers

Warn GroupManagedServiceAccountImpersonationHelper GetGroupManagedServiceAccountAccessTokenAsync started. Error ServiceControllerExtension ChangeServiceStatus failed to change service status [name=AATPSensor status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed. at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)]

Resolution

  1. Schedule downtime if required
  2. Analyze the location of the affected domain controller's computer object
  3. Move the affected domain controller into the default Domain Controllers organizational unit, which is where the Default Domain Controllers Policy is linked
  4. On the impacted domain controller, run the command sc triggerinfo kdssvc start/networkon. This changes the trigger for the Microsoft Key Distribution Service (KdsSvc) so that the service starts as soon as the network is available; the sensor runs under a group Managed Service Account, and the domain controller needs KdsSvc running to retrieve that account's password
  5. Then restart the affected domain controller
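The checks behind the resolution above, as an added example that is not from the original post. It confirms where the DC's computer object sits, moves it into the Domain Controllers OU if needed, tests whether the sensor's gMSA can be used on this host (which is what fails when KdsSvc is not up), shows the current KdsSvc trigger, and greps the sensor logs for the two error lines quoted above. The gMSA name mdiSvc01$ and the log root are placeholders; the ActiveDirectory module is assumed.

```powershell
# Added example (not from the original post). Run on the affected domain controller.
# Assumptions: 'mdiSvc01$' stands in for your sensor's gMSA; the sensor path is the
# default one quoted in the post. Requires the ActiveDirectory module.

$gmsa    = 'mdiSvc01$'
$logRoot = 'C:\Program Files\Azure Advanced Threat Protection Sensor'

function Get-DomainControllersOu {
    "OU=Domain Controllers," + (Get-ADDomain).DistinguishedName
}

function Test-DcInDomainControllersOu {
    # Step 2: a DC outside this OU does not receive the Default Domain Controllers Policy.
    $dcOu = Get-DomainControllersOu
    $me   = Get-ADComputer -Identity $env:COMPUTERNAME
    [pscustomobject]@{
        Computer = $me.Name
        DN       = $me.DistinguishedName
        InDcOu   = ($me.DistinguishedName -like "*,$dcOu")
    }
}

function Move-DcToDomainControllersOu {
    # Step 3; run only after the downtime in step 1 is agreed.
    $dcOu = Get-DomainControllersOu
    $me   = Get-ADComputer -Identity $env:COMPUTERNAME
    if ($me.DistinguishedName -notlike "*,$dcOu") {
        Move-ADObject -Identity $me.DistinguishedName -TargetPath $dcOu
    }
}

function Test-SensorGmsa {
    # The sensor runs as a gMSA; the DC must be able to retrieve its password, which
    # needs KdsSvc running. Test-ADServiceAccount performs exactly that retrieval.
    try   { Test-ADServiceAccount -Identity $gmsa -ErrorAction Stop }
    catch { $false }
}

function Get-KdsSvcTrigger {
    # Shows the current start trigger; step 4 sets it with:
    #   sc.exe triggerinfo kdssvc start/networkon
    (sc.exe qtriggerinfo kdssvc) -join "`n"
}

function Find-SensorErrors {
    $patterns = 'Failed to communicate with configured domain controllers',
                'ChangeServiceStatus failed to change service status'
    Get-ChildItem -Path $logRoot -Recurse -Filter '*.log' -ErrorAction SilentlyContinue |
        Select-String -Pattern $patterns -SimpleMatch |
        Select-Object Path, LineNumber, Line -First 20
}

Test-DcInDomainControllersOu
"gMSA $gmsa usable on this host: $(Test-SensorGmsa)"
Get-KdsSvcTrigger
Find-SensorErrors | Format-Table -AutoSize
```

If Test-SensorGmsa is False while the computer object is already in the right OU, the KdsSvc trigger (step 4) is the usual cause; if it is True and the sensor still fails, the log search will point at the other error string.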

References

  1. https://docs.microsoft.com/en-us/defender-for-identity/troubleshooting-using-logs

Azure AD Connect: Reminder that all version 1.x releases are retiring in August 2022

Hi fellow friends, hope you are having a good day today. Every day is a brand new day.

Today's article is a reminder that all Azure AD Connect version 1.x releases will be retired on 31 August 2022.

What happens if you don't upgrade before the due date?

Basically you will face service disruption: accounts, computer objects and passwords will all be affected.

Accounts/user objects:
– New users created in Active Directory will no longer be synchronized to Microsoft 365

– New values added to accounts/users will no longer be reflected in Microsoft 365

– Basically, no change you make to accounts/users that you would like to sync to Microsoft 365 will go through

Computer objects:

– If your environment uses Microsoft Intune or hybrid-joined devices, you will have issues onboarding new devices to Microsoft Intune

Passwords:

– If your environment allows users to reset their own password from Microsoft 365 and writes the new password back to Active Directory, that will no longer work

– This affects environments that have the password writeback feature enabled in Azure AD Connect

Are there any concerns I should take into account for the current configuration before upgrading?

  1. Remember your Microsoft 365 Global Administrator credentials, because you are required to re-establish the connection when performing the Azure AD Connect upgrade
  2. Make sure your server's storage, operating system and RAM size still follow the best practice
  3. Make sure you are following the prerequisites of the new Azure AD Connect version

References:

  1. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history#retiring-azure-ad-connect-1x-versions

Microsoft Sentinel: Things to know before you migrate to a new resource group in the same tenant

Good morning, fellow friends. Hope you are having a fresh start to the day. I would like to write about my journey with Microsoft Sentinel during a migration.

Microsoft Sentinel is a SIEM and SOAR security solution that gives organizations flexibility and better visibility in managing security logs from Microsoft and third-party security products, and in threat prevention.

Let's begin...

The current state of my Microsoft Sentinel deployment is:

  1. Solution running on a trial subscription
  2. Resource group 1
  3. Some queries
  4. Some connectors (Microsoft and third-party)
  5. Some Logic Apps
  6. Some automation rules

I would like to migrate from the trial subscription to the CSP subscription. This migration would likely be performed by your license provider; request that they grant you the appropriate permissions so that you can manage Microsoft Sentinel in the new subscription.

Note: This is not a migration from one tenant to another tenant.

The items with notes in brackets below are the ones you need to back up beforehand and verify afterwards, making sure each connection is up and its authentication is re-established.

After the move, the new resource group holds the same resources:

  1. Solution now running on the paid subscription
  2. Resource group 2 (you would need to create a new resource group)
  3. Some queries (custom queries need to be regenerated)
  4. Some connectors (make sure connectors with a log forwarder are working, else you would have to re-establish them)
  5. Some Logic Apps (re-authenticate your logic workflows)
  6. Some automation rules
Example of warning in Logic app designer

That is all you need to know in advance before you start your migration. Hopefully you find this article useful if you are heading towards migrating your Microsoft Sentinel to a new subscription. It is never a waste of time to double-check or triple-check that all the resources are connecting and working well after the migration.
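Two of the checks from the list above, as an added example that is not from the original post. Before the move it exports the workspace's saved searches (the custom queries that need regenerating) to JSON; after the move it lists every API connection behind the Logic Apps in the new resource group and flags those whose status is not Connected, which is the condition that produces the designer warning shown above. It assumes the Az.Accounts, Az.OperationalInsights and Az.Resources modules with Connect-AzAccount already run; resource group and workspace names are placeholders, and the status/api property layout of Microsoft.Web/connections resources is read as observed in the portal's JSON view.

```powershell
# Added example (not from the original post). Pre-move export of custom queries and
# post-move check of Logic App API connections. Assumes Az.Accounts,
# Az.OperationalInsights and Az.Resources, and Connect-AzAccount already done.
# All names below are placeholders.

$oldRg     = 'rg-sentinel-trial'
$newRg     = 'rg-sentinel-prod'
$workspace = 'law-sentinel'

function Export-SentinelSavedSearches {
    param([string]$ResourceGroup, [string]$Workspace, [string]$OutFile = '.\saved-searches.json')
    # Saved searches are where the workspace keeps the custom queries the post says
    # must be recreated after the move; keep the KQL so nothing has to be retyped.
    $searches = Get-AzOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroup -WorkspaceName $Workspace
    $searches.Value |
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.Properties.DisplayName
                Category    = $_.Properties.Category
                Query       = $_.Properties.Query
            }
        } | ConvertTo-Json -Depth 5 | Set-Content -Path $OutFile -Encoding UTF8
    return $OutFile
}

function Get-BrokenApiConnections {
    param([string]$ResourceGroup)
    # Logic App connectors are Microsoft.Web/connections resources. Their OAuth consent
    # does not survive the move, so the connection reports an error status until
    # someone signs in again from the Logic App designer (the warning in the post).
    # Assumption: properties.statuses[0].status and properties.api.name, as shown in
    # the resource's JSON view in the portal.
    Get-AzResource -ResourceGroupName $ResourceGroup -ResourceType 'Microsoft.Web/connections' -ExpandProperties |
        ForEach-Object {
            $status = $_.Properties.statuses | Select-Object -First 1
            [pscustomobject]@{
                Connection = $_.Name
                Api        = $_.Properties.api.name
                Status     = $status.status
                NeedsAuth  = ($status.status -ne 'Connected')
            }
        }
}

# Before the move:
Export-SentinelSavedSearches -ResourceGroup $oldRg -Workspace $workspace

# After the move, and again after the Logic Apps have been re-authenticated:
Get-BrokenApiConnections -ResourceGroup $newRg | Where-Object NeedsAuth | Format-Table -AutoSize
```

Keep the JSON export until the playbooks and analytics rules in the new resource group have been confirmed to run end to end; an automation rule that still points at an unauthenticated connection fails silently at the Logic App step rather than in Sentinel.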

References:

  1. https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-resource-group-and-subscription

Azure AD Connect: What to know about an in-place upgrade from version 1.x to 2.x

Hi everyone, hope you are having a blast of a weekend. Today I would like to talk about Azure AD Connect.

In the past, for the 1.x in-place upgrade, I would have to keep a record of the "before" state of settings such as the organizational units, and so on. This would require me to schedule a day to capture the settings.

Anyway, not every 1.x version supports an in-place upgrade to 2.x. If you have an older Azure AD Connect that does not support in-place upgrade, you would need to plan a migration or transition to the 2.x version. It may sound simple, but there are a few things you need to take note of, namely avoiding duplicate records being synced to Office 365 and duplicate service accounts; otherwise you will end up with more to clean up. It is good to plan your transition and your clean-up first.

*Note: 31 August 2022 is the end of life for version 1.x

For those on a 1.x version that can perform an in-place upgrade to 2.x, here are some tips you can take note of before performing the upgrade:

  1. Take a full backup of the server
  2. Make sure you know what the impacts are
  3. Make sure the existing service account has the permissions required by the 2.x prerequisites
  4. During the upgrade, the wizard will ask you to re-enter the Office 365 Global Administrator account
  5. You do not need to keep a record of the existing organizational units, because the settings are carried forward to 2.x automatically; the same goes for your SSO, password hash and device join settings
  6. Yes, version 2.x does support single-label domains

If you would like to know more about the prerequisites of version 2.x, refer to the references below.
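A pre-upgrade readiness check that serves both Azure AD Connect posts on this page (the retirement reminder's "follow the best practice and the new prerequisites" and the tips above), as an added example that is not from the original posts and not Microsoft's own tooling. Azure AD Connect 2.x requires Windows Server 2016 or later, .NET Framework 4.6.2 or later, and TLS 1.2 enabled for both .NET and SCHANNEL; the disk and RAM thresholds are assumptions to adjust to your sizing. The registry locations are the standard ones for these settings.

```powershell
# Added example (not from the original posts). Checks a 1.x Azure AD Connect server
# against the 2.x prerequisites before an in-place upgrade. OS, .NET and TLS checks
# reflect the documented 2.x requirements; the disk/RAM thresholds are assumptions.

function Test-AadConnectUpgradeReadiness {
    param([int]$MinFreeGB = 20, [int]$MinRamGB = 4)

    $os         = Get-CimInstance Win32_OperatingSystem
    $build      = [int]$os.BuildNumber
    $netRelease = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
    $sysDrive   = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"

    # TLS 1.2 for .NET applications (64-bit and 32-bit hives) ...
    $netTls = foreach ($hive in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $p = Get-ItemProperty $hive -ErrorAction SilentlyContinue
        ($p.SystemDefaultTlsVersions -eq 1) -and ($p.SchUseStrongCrypto -eq 1)
    }
    # ... and TLS 1.2 in SCHANNEL for both client and server roles.
    $schTls = foreach ($side in 'Client', 'Server') {
        $p = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\$side" -ErrorAction SilentlyContinue
        ($p.Enabled -eq 1) -and ($p.DisabledByDefault -eq 0)
    }

    $freeGB = [math]::Round($sysDrive.FreeSpace / 1GB, 1)
    $ramGB  = [math]::Round($os.TotalVisibleMemorySize / 1MB, 1)   # value is in KB

    @(
        [pscustomobject]@{ Check = 'Windows Server 2016 or later (build >= 14393)';   Value = "$($os.Caption) build $build"; Ok = ($build -ge 14393) }
        [pscustomobject]@{ Check = '.NET Framework 4.6.2 or later (Release >= 394802)'; Value = $netRelease;                 Ok = ($netRelease -ge 394802) }
        [pscustomobject]@{ Check = 'TLS 1.2 enforced for .NET (x64, x86)';            Value = ($netTls -join ', ');          Ok = ($netTls -notcontains $false) }
        [pscustomobject]@{ Check = 'TLS 1.2 enabled in SCHANNEL (client, server)';    Value = ($schTls -join ', ');          Ok = ($schTls -notcontains $false) }
        [pscustomobject]@{ Check = "Free space on $($env:SystemDrive) >= $MinFreeGB GB"; Value = $freeGB;                 Ok = ($freeGB -ge $MinFreeGB) }
        [pscustomobject]@{ Check = "RAM >= $MinRamGB GB";                             Value = $ramGB;                        Ok = ($ramGB -ge $MinRamGB) }
    )
}

Test-AadConnectUpgradeReadiness | Format-Table -AutoSize
```

A server that fails the operating system row cannot be upgraded in place at all; that is the swing migration case described above, where you build a fresh 2.x server and retire the old one, taking care not to end up with two service accounts or double-synced objects.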

References:

  1. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-upgrade-previous-version
  2. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history

Exchange Online Protection: Configuration Analyzer (Your Mail Security Advisor)

Hi guys and ladies, today I'm going to write about the hidden guru in your Exchange Online Protection, a.k.a. Office 365 mail security or Microsoft Defender for Office 365.

Why is improving your mail security configuration important? Malicious attacks improve over time, and so does security. In the past, scammers sent fake letters to houses claiming to be from the bank or the police to lure you into handing over money. Now, in 2022, scammers blast mail at any reachable address or legitimate domain in the world, claiming to be an authorized organization, to find their victims.

There are times when you would like to compare your vendor's recommendation with the global recommendation for mail security configuration; now you have it in the Microsoft 365 Defender portal. Basically, Configuration Analyzer scans your existing policies and provides either Standard or Strict recommendations to improve your mail policies.

*Note:

Do not make changes to the default policies created by Microsoft. It is recommended to create new ones.

How do you get there?

  1. First, log in to the https://security.microsoft.com portal
  2. In the left navigation pane, find the "Email & collaboration" category
  3. Select "Policies & rules"
  4. Select "Threat policies"
  5. Select "Configuration analyzer"

As you can see, it also scans your default policies, but you can ignore those. The most important thing in this table is the structured, convenient information that helps you understand how to improve your existing policies.

Refer to the references below to check whether your license includes this feature.
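The same comparison from PowerShell, as an added example that is not from the original post. Get-ConfigAnalyzerPolicyRecommendation returns the Standard or Strict recommendations the portal table shows; the block then follows the note above by creating a new anti-phishing policy scoped by a rule to one domain instead of editing the Microsoft default. It assumes the ExchangeOnlineManagement module with Connect-ExchangeOnline already run; the policy name and contoso.com are placeholders, and the column names selected from the analyzer output are the ones seen in its output, so check them with Get-Member if your tenant shows different ones.

```powershell
# Added example (not from the original post). Reads Configuration Analyzer
# recommendations through Exchange Online PowerShell and creates a scoped
# anti-phishing policy instead of editing the default one.
# Assumes ExchangeOnlineManagement and Connect-ExchangeOnline. Placeholders:
# the policy name and 'contoso.com'. The Select-Object column names are taken
# from the cmdlet's output; verify with Get-Member if they differ in your tenant.

function Get-AnalyzerGaps {
    param([ValidateSet('Standard', 'Strict')][string]$Level = 'Standard')
    # Each row is one setting whose current value differs from the recommended one.
    Get-ConfigAnalyzerPolicyRecommendation -RecommendationOption $Level |
        Sort-Object PolicyGroup, Policy |
        Select-Object PolicyGroup, Policy, SettingName, CurrentConfiguration, Recommendation
}

function New-ScopedAntiPhishPolicy {
    param([string]$Name = 'AntiPhish-Strict-Contoso', [string]$Domain = 'contoso.com')
    # A custom policy plus its rule takes precedence over 'Office365 AntiPhish Default'
    # for the scoped recipients, and can be rolled back by disabling the rule.
    # Mailbox intelligence protection needs a Defender for Office 365 license.
    if (-not (Get-AntiPhishPolicy -Identity $Name -ErrorAction SilentlyContinue)) {
        New-AntiPhishPolicy -Name $Name `
            -EnableSpoofIntelligence $true `
            -EnableMailboxIntelligence $true `
            -EnableMailboxIntelligenceProtection $true `
            -PhishThresholdLevel 3 | Out-Null
    }
    if (-not (Get-AntiPhishRule -Identity $Name -ErrorAction SilentlyContinue)) {
        New-AntiPhishRule -Name $Name -AntiPhishPolicy $Name -RecipientDomainIs $Domain | Out-Null
    }
    Get-AntiPhishPolicy -Identity $Name
}

Get-AnalyzerGaps -Level Strict | Format-Table -AutoSize
New-ScopedAntiPhishPolicy | Select-Object Name, PhishThresholdLevel, EnableMailboxIntelligenceProtection
```

Re-run Get-AnalyzerGaps after the new policy is in place: rows that still mention the default policy can be ignored, as the post says, but rows naming your new policy are real gaps between it and the Strict baseline.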

References

  1. https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configuration-analyzer-for-security-policies?view=o365-worldwide

Microsoft Information Protection: Planning Your Sensitivity Labels

Hey guys and girls, hope you are having a great weekend! Remember to stay healthy and stay safe as your priority.

Today's blog is about Microsoft Information Protection labels and how to plan before deploying them. Each organization has its own preferences and requirements. Planning is a crucial part of every deployment, especially when the deployment has to be rolled out to users for their daily work. Layman's terms are the key to users' understanding.

Some organizations have a compliance team and some do not. Having a compliance team makes the deployment much clearer in terms of what the organization needs. If the organization does not have a compliance team, then we help identify together what they actually require. Labels are structured in the form of priorities, so it is best to keep them simple and easy for the administrator to manage too.

Phase 1: Give them the look and feel

Microsoft provides default labels to organizations. You can roll these default labels out to a smaller team or the compliance team and allow them to play around with them for a period of time. This gives them an idea of how sensitivity labels work, and coming up with a template becomes easier. Having a template is the quickest and easiest way to roll out the labels.

Default labels

Phase 2: Feedback and drafting the template

The feedback and template drafting phase is a step closer to rolling out labels that suit the organization's needs. In this phase there are a few items you need to get involved in, and they take a bit of time:

  • Categorize the labels by location (Exchange Online, SPO, OneDrive, etc.)
    • The protection features available differ for each location
  • What the labels can or cannot do
  • User descriptions of the labels (keep them in layman's terms as much as you can)
  • Priority of the labels
  • Design structure of the labels/sub-labels (simple is better)
  • Permissions (flexible or set)
  • Action for the priority labels (flexible, warning or strict justification)
  • Customized notifications (most organizations decide to keep the default, so you do not need to spend too much time on this part)

Here are some design types you can reference:

Design type 1

This design is for an organization that would like to keep some default labels and add new labels for other departments and purposes. No sub-labels to manage.

Design type 2

This design is for an organization that wishes to keep some default labels but does not want other new top-level labels to manage. Has sub-labels to manage.

Design type 3

This design is for an organization that would like to manage its labels by department, with each department having its own labels. I wouldn't recommend this though, because it is complicated. As I mentioned earlier, labels are arranged in order of priority.

Phase 3: Final template

This is the phase where you roll out the final template of the labels back to the small team or compliance team for one last confirmation.
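Design type 2 built from PowerShell, as an added example that is not from the original post. It creates a few top-level labels, one of which carries sub-labels, prints the resulting priority order (the thing the post keeps stressing), and publishes only those labels to a pilot group, matching the phased roll-out above. It assumes the ExchangeOnlineManagement module connected to Security & Compliance PowerShell with Connect-IPPSSession; every label name, the policy name and the pilot address are placeholders.

```powershell
# Added example (not from the original post). Creates a "Design type 2" label tree,
# shows its priority order, and publishes it to a pilot group only.
# Assumes Connect-IPPSSession has been run. All names below are placeholders.

$pilotGroup = 'mip-pilot@contoso.com'

# One parent with sub-labels: the parent only groups, users apply the sub-labels.
$design = @(
    @{ Name = 'Public';       Tooltip = 'Can be shared outside the company.' }
    @{ Name = 'General';      Tooltip = 'Day-to-day business data, internal by default.' }
    @{ Name = 'Confidential'; Tooltip = 'Pick a sub-label.'; Children = @(
        @{ Name = 'Confidential - All Employees'; Tooltip = 'Internal only.' }
        @{ Name = 'Confidential - Finance';       Tooltip = 'Finance team only.' }
    ) }
)

function New-LabelTree {
    param([hashtable[]]$Spec, [string]$ParentId)
    # Creates missing labels in the order given; creation order sets the initial
    # priority, so list them from least to most sensitive.
    foreach ($item in $Spec) {
        $label = Get-Label -Identity $item.Name -ErrorAction SilentlyContinue
        if (-not $label) {
            $params = @{ Name = $item.Name; DisplayName = $item.Name; Tooltip = $item.Tooltip }
            if ($ParentId) { $params.ParentId = $ParentId }
            $label = New-Label @params
        }
        $label
        if ($item.Children) { New-LabelTree -Spec $item.Children -ParentId $label.Name }
    }
}

function Show-LabelOrder {
    # Lower priority number = less sensitive; this order is what users see in the picker.
    Get-Label | Sort-Object Priority |
        Select-Object Priority, DisplayName, @{ n = 'Parent'; e = { $_.ParentId } }
}

function Publish-PilotPolicy {
    param([string[]]$LabelNames, [string]$PolicyName = 'MIP Pilot Policy')
    # Scoped to the pilot mailbox/group only, as in phase 1 and phase 3 above.
    if (-not (Get-LabelPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
        New-LabelPolicy -Name $PolicyName -Labels $LabelNames -ExchangeLocation $pilotGroup | Out-Null
    }
    Get-LabelPolicy -Identity $PolicyName
}

$labels = New-LabelTree -Spec $design
Show-LabelOrder | Format-Table -AutoSize
Publish-PilotPolicy -LabelNames $labels.Name | Select-Object Name, Labels, ExchangeLocation
```

If the pilot feedback changes the order, adjust it with Set-Label -Priority rather than recreating labels, since a label that has already been applied to content keeps its GUID and any documents stamped with it.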

References:

  1. https://docs.microsoft.com/en-us/azure/information-protection/what-is-information-protection
  2. https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide