Active Directory: Setup Multiple Enterprise Root Certificate Authority in a Single Forest For Zero Downtime

Hey guys and girls, how are you all doing working from home? Please stay safe and keep your distance.

Today’s topic is about creating multiple root certificate in a single forest, please take note that this is not a best practice by Microsoft but it was the right solutions for my situations. There will not be errors/stopping you to proceed, if you setup multiple root certificate authority.

So basically I have this tested on my lab only I proceed into production. Whenever you aren’t confident about the solutions please always run your lab. Don’t give people heart attack. Active Directory is a sensitive being.

My situation is that we have existing Windows Server 2008 R2 and is moving to Windows Server 2019, currently there is a root certificate authority siting in Windows Server 2008 R2 and would like to transition to Windows Server 2019 without downtime. Hence, Migrating is not the right word for this situation, because Migration required downtime. Imagine people working from home unable to VPN access into the work environment. You will get the scream and shout by them, Good Luck.

For having a multiple root CA, so that at the network layer/firewall layer, the network administrator can create another certificate access for user to VPN access using either the old Root CA or new Root CA. Hence, zero downtime.

Step by Step:

  1. You have to add the roles and feature into your Windows Server 2019
  2. Once you have the role installed and the configuration setup (just follow the default configuration, please choose Enterprise Root CA)
  3. Make sure your instance naming or certificate authority name is not duplicated with your other certificate authority server name
  4. This is the result of successful setup of the certificate authority
  5. So now you got to make sure the certificate authority server has its certificate propagate on its local machine too
  6. Launch Start > Run > mmc
  7. MMC > File > Add/Remove Snap-in… > Certificates
  8. Certificates > Computer account > Local computer > Finish
  9. Certificates (Local Computer) > Expand the folder > Personal > Certificates
  10. Certificates (Local Computer) > Expand the folder > Trusted Root Certification Authorities > Certificates
  11. Because now the forest has 2 Root CA, so your trusted root CA folder would have 2 Root CA certificate
  12. To export the new root CA certificate to your network administrator, Launch your command prompt on the Root CA server > run the following command
    • certutil -ca.cert <filename>.cer
  13. To allow the other server members of the forest, please access to the server and follow step 6 to step 9, remove the old Root CA
  14. Then run a gpupdate /force command line > Reboot the server, to have the changes reflected
  15. Perform a checking whether the changes has reflected to the other server(s) after performing step 13 to 14, please access to their local computer certificate and check. Repeat step 6 to step 10.

*Note:

  1. Do not export the Root CA certificate and import to the servers, because this would beat the purpose Enterprise Root Certificate Authority
  2. If you have a larger environment it would take awhile for the change to replicate. Hence, continue the gpupdate /force until you receive the result you wanted on the server

Azure ATP: gMSA limitation for single label domain

Good afternoon everyone, and Happy Holiday to you all. Today’s blog post is another Azure ATP, or you could say Microsoft Identity Defender or MDI for short.

As you might know that gMSA is a type of service account for Windows Server 2012 and above. For some reason it failed to establish authentication between a Windows Server 2016 and Azure ATP portal for this particular environment. This environment is running single label domain on a Windows Server 2016. It was migrate from Widows Server 2008 R2 to Windows Server 2016.

To locate the logs in the server that you installed the sensor to further identify the cause and issue,

C:\ProgramFiles\Azure Advanced Threat Protection\<sensor version> \Logs

In the server where your sensor installed, if you notice the Azure ATP services keeps stopping and starting, from the services.msc, then it means there is problem with the sensor trying to establish the connection to the Azure ATP.

There wasn’t much article found to prove that gMSA limitation with single label domain, so I go ahead and proceed a testing. I created a managed service account with no special permission included, and add the credential to the Azure ATP > Directory Service. Upon monitoring, there wasn’t any alert prompt from Azure ATP, Azure ATP alert is pretty instant when detected failure on authentication.

So the resolution was to use managed service account instead of the gMSA account for this situation. The sensor start to working well with managed service account.

Active Directory: Troubleshoot ADPREP /DOMAINPREP “Access is denied” issue

Good day, hope you guys are having a good weekend. This blog post is about active directory portion. My situation was the environment contains Windows Server 2008, and would wish to upgrade to Windows Server 2008 R2, by setting up new VMs with Windows Server 2008 R2 Operating System. The environment contain a parent domain and 2 child domains. Due to Microsoft has stop supporting pushing updates to legacy servers, the environment had to use a third-party product to support the pushing of windows update to the legacy servers and the product is also served as Anti-virus/malware.

Before you are going to prep domain and forest you have to make sure your account has the proper permissions to perform the prep.

While I was about to prep a child domain using the command prompt in elevation mode, I receive an error saying “Access is denied”, there was no log to refer to, to know about details what caused this issue. Same goes to event viewer logs.

After long research there was no resolution and the next try was to disable the third-party product and re-run the adprep command and was able to run successfully.

If you have other issues with adprep, you may refer the logs from this path “C:\Windows\Debug\adprep\”.

References:

  1. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731728(v=ws.11)

OneDrive and Active Directory: Error Code 0x8004de40

First time experience such error and behaviour, so the situation is that this user has problem getting her OneDrive to work on her desktop, it was her first time setting it up and she receive the above error code after she sign in and authenticate her account.

Capture

Well from Azure AD, it will shows that her login activity for OneDrive is successful, but Azure AD doesn’t shows that her setup was failed. At first I suspect it could be network issue, tested another account it went through the setup successfully. Hence, running PowerShell (Msol), to query the user account information and perform comparison and everything was showing in good condition.

Another thing is that she can successfully use the web based on SharePoint Online and OneDrive online.

As I went through to the Exchange Admin center and notice her email addresses missing a type, that is the SPO. This type of email address is generated once the user is assigned with the Office 365 license with Sharepoint Online and OneDrive online features.

The only resolution to this is to recreate the account. 

  1. Backup mailboxes to PST and files to a local drive or external drive
    • There are many ways to backup
  2. Unassign the user license
  3. Go to Active Directory and disable the account and move it to a unsync Organization Unit
  4. Go to Azure AD Connect Server and perform the sync
  5. Go to Office 365 make sure that the account has been move to deleted users, well you could use PowerShell to query -ReturnDeletedUsers.
    • Get-MsolUser -UserPrincipalName <username>@domain.com.my -ReturnDeletedUsers
    • Once it is found, then run the remove command, you can use GUI to remove them at the Azure portal “portal.azure.com”
      • Get-MsolUser -UserPrincipalName <username>@domain.com.my -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin -Force
  6. Go back to your Active Directory and recreate the user account, and make sure it is in the sync OU
  7. Run another sync at your Azure AD Connect Server
  8. Go to Office 365 > Active Users > Search for the user and assign the license

 

There are few reasons why this happen, for my case was the old Azure AD Connect server died or corrupted and had to re-provision a new one. Users are some still on Exchange on-premise and some are in cloud, due to budget. Sometime things happen.

Anyway, hope this helps! 

 

Azure Active Directory: Troubleshoot Immutable ID Matching Error “AttributeMustBeUnique”.

Nowadays there are becoming lots of tools to convert objectGUID to immutable ID. However, one of my friend was facing a problem “AttributeMustBeUnique” in the Azure AD Connect (AADC). Mostly the articles that talk about this error “AttributeMustBeUnique“, is asking people to look at the “Deleted User” or Query the duplicate account from Recycle Bin.

For this case, is slight different.

To understand what is he facing,

  1. A user account was created at cloud first.
  2. A user account status is “in cloud” in Office 365 > Active Users
  3. There is no duplicated account in the Recycle Bin
  4. My friend he empty the Immutable ID and replace it with a new Immutable ID that is covert from objectGUID, to match the account in cloud with its account in on-premise
  5. He used a tool to convert the objectGUID to Immutable ID.
  6. Replace the empty Immutable ID with the converted ones and run a full sync from AADC server. However, he was still getting the error.

After checking upon it was the objectGUID that he copied wrongly. Thus, converted the Immutable ID value wasn’t matching the ones that Azure AD detected.

Azure AD Sync error detection able to detect, identify and provide the suppose correct value of Source Anchor (Immutable ID). Every deployment of Azure AD Connect will match the account via source anchor.

04

What is source anchor? In layman term is the Unique ID from cloud.

References:

  1. http://guid-convert.appspot.com/
  2. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts

Windows Server 2019: How to activate OS license after promoted the server as Domain Controller?

Happy Chinese New Year to my Chinese friends and Happy holiday to the non-Chinese friends!

There are cases where you have to apply the license later due to you have to wait for the license key. So you had to proceed deploying and running your tasks. However, the GUI of activate the Windows Server license doesn’t prompt to allow you to key in the product key and there is no error shown. (After you have promoted the server as Domain Controller)

The solution is to activate the license key through command prompt or Windows PowerShell and run as administrator.

If you have forgotten the command, is “slmgr” and to see the list of the command’s option just type “slmgr /help“, it will prompt the list.

Here is an example;

Capture

Below is the command to activate your license key;

slmgr /ipk <your product key>

Capture

If you wish to view expiration of your license key, then you could use this command;

slmgr /xpr

Capture

The Factor of Corrupted Domain Controller, Windows Server 2016

Having a corrupted domain controller is highly troublesome and is irritating. It was my first time to experience an environment with a corrupted domain controller. Luckily, it wasn’t the master domain controller that is corrupted.

Before jumping into conclusion by blaming the domain controller is the cause. Let’s check what are the symptoms and what could be the possible cause. Anything that is related to the domain controller will get affected.

What are the symptoms that you will experience?

  1. Delay synchronization between other domain controllers
  2. Unexpected broke down of synchronization between other domain controllers
  3. Inconsistent reading of synchronization
  4. Loss of locating the master domain controller
  5. Time-sync delay
  6. Users unable to log in to Office 365 after password reset
  7. Newly created Exchange Hybrid users are not reflecting
  8. Exchange Hybrid failure to connect
  9. Unexpected slow performance
  10. Unexpected network detection failure

 

The factor of the causes?

When you have a corrupted domain controller, you really have drawn the layers to investigate.

  1. Configuration/Settings of the domain controller
  2. System Information and configuration on the server
  3. Operating system
  4. Host
  5. Virtual appliance
  6. Network (firewall or infrastructure)
  7. Storage
  8. Hardware

 

So it is best to analyze what is the possible cause of this and how to avoid it in the future. Logs are the friends you need.

 

 

 

 

Why can’t I use RODC DNS IP address on join to domain for client’s PCs?

What is RODC?

  • RODC stands for Read-Only Domain controller. Obviously, the name is the answer.

What is RODC purpose?

  • RODC act as a disaster plan or authentication for branches. RODC is deployed in a data center or at another site, it acts as a pull action. It pulls information and changes from the writable domain controller(s) only.

Why can’t I join to the domain on client’s PCs using RODC IP address?

  • Joining new PCs to the domain environment, this is considered as adding/modifying information and changes to the domain controller and this is the writable domain controller’s responsibility, not RODC.

 

 

 

 

PowerShell: How to export values into table format .csv file?

Again I’m no expert in PowerShell, it took me few hours to figure it out. Searched many articles but are difficult for me to understand.

However, the answer was right under my nose. Please refer to the reference I’ve include below this blog. Sorry about the attribute naming, well this is only an example. Hope this helps.

*Note:

  • Always run this(PowerShell) on a test account before moving production (bulk).
  • This script only supports PowerShell version 3.0 or above

Here is an example of what I’m saying;

#Purpose: This powershell is to get the office phone and copy 
#the last 4 digit into a temporary programming attribute and than 
#merge with a string value with the last 4 digits
#Export the user's name, office phone and New Phone

#Merge value
$merge= "123"

#Get the filename
$users = import-csv .\file.csv -delimiter ","

foreach ($i in $users)
{
#Attributes
$name = $i.Name
$officephone = $i.OfficePhone

#If the user's OfficePhone has value
if ($officephone -ne "")
{
#Copy the last 4 digit of the OfficePhone
$lastfourdigit = $officephone.substring($officephone.length - 4)
#Merge the string value with the 4digit to create a new phone number
$newvalue= $merge + $lastfourdigit

#Table format for csv
$content = [PSCustomObject]@{Name = $name; OfficePhone = $officephone; NewPhone= $newvalue}
#Export the table to new csv file
$content | Export-csv newfile.csv -Append

}
else{
#Table format for csv
$content = [PSCustomObject]@{Name = $name; OfficePhone = $officephone; NewPhone= ""}
#Export the table to new csv file
$content | Export-csv newfile.csv -Append

}

}

So the end result is;

newfile

 

I prefer to keep my codes simple and understandable.

Reference

  1. https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/export-csv?view=powershell-6

Office 365: How to handle resign user mailbox with litigation hold enabled?

Litigation hold is a feature that allows you to keep your mailbox with specific period or unlimited period. However, this is only the high level definition of litigation hold. Through out my deep and many research of Microsoft articles, especially technet it only state high level of definition of litigation hold but nothing about notices.

Few weeks ago I’ve encounter one of my user reported to me, saying that they have a user account that is disable (in Active Directory)blocked sign in and unlicensed but the mailbox still in active state and able to send (etc inbox forwarding rules) and receive mails and also able to login if with full access. After few research, I found a Microsoft article (support article “https://support.office.com/en-us/article/manage-inactive-mailboxes-in-office-365-296a02bd-ebde-4022-900e-547acf38ddd7“) , about how to handle inactive mailboxes. However, it still didn’t state why it happens or how this mechanism works.

We call this as deprecated account but active mailbox. I really hope that Microsoft could do something about this as it seems to me it is pretty troublesome to go extra further step to handle this, and also hope that they could elaborate more about litigation hold pro and cons or how this mechanism works.

*Note:

Please take note if you have mailboxes with unlimited litigation hold enabled, and user account in Active Directory is disable but in a sync Organization Unit, please move them to a unsync organization unit IMMEDIATELY or else it will full up the mailbox storage. 

To check whether which Organization unit is unsync;

  1. Just go to your Azure Active Directory Server
  2. Windows Start button
  3. open MIISCLIENT or Synchronize Services
  4. On top select “Connection”
  5. double on your local domain
  6. select Configure Directory Partition
  7. at the bottom right button
  8. select “Containers”
  9. enter Azure Active Directory credential
  10. you will able to view unchecked boxes means they are the unsync organization unit.

 

References:

  1. https://support.office.com/en-us/article/manage-inactive-mailboxes-in-office-365-296a02bd-ebde-4022-900e-547acf38ddd7
  2. https://technet.microsoft.com/en-us/library/ff637980(v=exchg.160).aspx#lithold
  3. https://technet.microsoft.com/library/dn743673(v=exchg.150).aspx
  4. https://technet.microsoft.com/en-us/library/dn790612.aspx