Active Directory and DNS: Why you should not practice adding 8.8.8.8 in DNS forwarder?

Hi everyone and hope you are doing great today. A new day is a new start.

If you are the type of engineer that treat every DNS feature as it must add 8.8.8.8 or filling the DNS forwarder with values, then you must having trouble in understanding active directory and its DNS functionality.

Why mistakes happen?

When you are in a rush to rectify connectivity to the internet and the only idea is to point to 8.8.8.8 as the DNS. However, amending this into your DNS as your practice would impact the connectivity by an additional delay in DNS resolution and potentially adding a point of failure.

How DNS resolution works actually?

These are the basic order of resolution attempts. The first to reply wins either it’s right or wrong.

First phase: Local Windows Host File

Second phase: Computer’s DNS Server list

Third phase: Internal DNS Server

Fourth phase: Designated Conditional Forwarders

Fifth phase: DNS forwarders

Sixth phase: Root hints

What are the impacts?

Host file is static. It should only be used for troubleshooting and then immediately set back to it’s default after resolving the issue via internal DNS Servers.

If your DNS is only pointing to 8.8.8.8, it will reach out externally for DNS resolution. This means it will give you internet access but it will not resolve local DNS. Thus, will prevent your devices from communicating to Active Directory and devices won’t be able to grab policies, logins will be really slow and would cause intermittency with the domain.

Doing this would allow the local DNS queries will broadcasting your internal request to the internet. However, this is not recommended as its violating of your security policies.

DNS forwarders that points to 8.8.8.8 only are using your ISP connection to hop to 8.8.8.8 when resolving DNS. You have a local DNS resolution much closer that will speed up requests if used instead.

Moreover, if your DNS is set to 8.8.8.8, DNS failures may seem to be an ISP outage when your ISP connection if fine. If there is a failover rules set in place that are NOT using your ISP’s DNS, your system may failover when there is not an outage.

If you disabled root hints, one external DNS provider outage can stop external DNS resolution at your business.

Your Windows firewall internally would see you are on public network, which can cause it to start blocking network traffic. When you have a domain controller in your environment with its primary or secondary DNS pointing to an external address like 8.8.8.8, it can cause the same as well. Checking and unchecking IPv6 is a temporarily fix the public error, but it will continue happening until you remove 8.8.8.8.

It’s recommended that any domain controller/DNS servers local network interface should always point to another domain controller/DNS interface then itself, never to an external IP.

DNS Forwarders should be configured in the DNS management console to point to external DNS servers of your ISP. Doing this should resolve external DNS resolution.

References:

  1. https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/best-practices-for-dns-client-settings
  2. https://www.mirazon.com/stop-using-8-8-8-8-for-your-production-network/#:~:text=That%20is%20not%20recommended%20and,connection%20to%20hop%20to%208.8

Active Directory and Microsoft Defender for Identity: Defender for Identity agent failed to communicate with domain controller

Hi guys hope you guys are having a nice day today. Today I would like to bring to you about an experience that I had met involving the defender for identity and domain controller.

The problem was the defender for identity stop working all of the sudden and same goes to the group policy. This environment has more than 1 domain controllers running and only 1 of them having issue. There was no one to keep track of what was being done previously.

There was no proper error code to be found in the event logs, on the affected domain controller mentioning what was the reason. There was list of Kerberos error code and intermittent sync on the DNS, DFS replication and directory sync.

Hence, I have collected the event logs on the affected domain controller and the defender for identify logs from C:\Program Files\Azure Advanced Threat Protection Sensor\version number\Logs. Based on my findings, that the affect domain controller’s computer object was not in the default domain controller organizational unit.

These was what in the defender for identity logs shows:

A task was canceled. Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers

Warn GroupManagedServiceAccountImpersonationHelperGetGroupManagedServiceAccountAccessTokenAsync started. Error Service Controller Extension ChangeServiceStatus failed to change service status [name=AATPSensor status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed. at System.ServiceProcess.ServiceController. WaitForStatus(ServiceControllerStatus desiredStatus,TimeSpam timeout]

Resolution

  1. Schedule a downtime if required
  2. Analyze the affected domain controller’s computer object location
  3. Move the affected domain controller into the default domain controller Organizational Unit
  4. On impacted domain controller, run the command sc triggerinfo kdssvc start/networkon.  By doing this, we are changing the trigger for the Microsoft Key Distribution Service (KdsSvc) to start the service as soon as the network is available
  5. Then restart the affected domain controller

References

  1. https://docs.microsoft.com/en-us/defender-for-identity/troubleshooting-using-logs

Azure AD Connect: Reminder All version 1.x is Retiring this August, 2022

Hi fellow friends, hope you guys are having a good day today, everyday is a brand new day.

Today’s article here is to remind you that the Azure AD Connect all version 1 will be expiring soon, on 31st August 2022, this year this month.

What happen if you don’t upgrade before the due date?

Basically you will face service disruption such as accounts, computers objects and passwords will be affected.

Accounts/User objects:
– New users created in Active Directory will no longer synchronized to Microsoft 365 cloud

– New values added into the accounts/user will no longer reflecting the updates/changes into your Microsoft 365 cloud

– Basically any changes you make towards the accounts/user that you would like to sync to Microsoft 365 would not allowed

Computer objects:

– If your environment has Microsoft Intune or Hybrid join devices then you will have issue onboarding new devices to Microsoft Intune

Passwords:

– If your environment allow users to reset their own password from Microsoft 365 and synchronized back the new password to the Active directory would not be not allowed

– This is affecting the environment that has password writeback feature enabled in the Azure AD Connect

Any concerns should I take in for the current configuration before upgrading?

  1. Remember your Microsoft 365 global administrator credential, because you are require to re-establish the connection when you are performing an upgrade of the Azure AD Connect
  2. Make sure your server’s storage, Operating System and RAM size is still following the best practice
  3. Make sure you are following the new version of Azure AD Connects prerequisite

References:

  1. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history#retiring-azure-ad-connect-1x-versions

Azure AD Connect: What to know about In-place Upgrade from version 1.0 to 2.0 ?

Hi everyone, hope you guys are having a blast weekend. Today I would like to bring to you Azure AD Connect.

In the past, the 1.0 in-place upgrade, I would have to kept a record of the “before” changes of settings, such as the organization units, and etc. This would likely need me to schedule a day to capture the settings.

Anyway, not all of the 1.0 version can support the in-place upgrade to 2.0 version, if you have an older Azure AD Connect, that do not support in-place upgrade you would need to plan a migration or transition, to the 2.0 version. It may sounds simple, but there are few things you would need to take note of, that is avoiding duplicated records sync to Office 365, and duplicated service accounts, else you will likely get more stuff to clean up in the end. Is good to plan your transition and your clean-up first.

*Note: 31st August 2022, 1.0 version will be end of life

For those who are on the supported version of 1.0, that can perform in-place upgrade to 2.0 version, here are some tips or hint you can take note of before performing the upgrade,

  1. Full backup on the server
  2. Make sure you know what are the impacts
  3. Make sure the existing service account has the required permissions based on the 2.0 prerequisites
  4. During the upgrade, the wizard will request you to re-enter the global administrator account from Office 365
  5. You do not need to keep a record of the existing organizational unit because it will automatically bring forward the settings to your 2.0, same goes with your SSO, password hash settings, or device join settings
  6. Yes, version 2.0 does support single-label domain

If you would like to know more about the prerequisites of version 2.0, feel free to refer the references below,

References:

  1. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-upgrade-previous-version
  2. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history

Active Directory: Setup Multiple Enterprise Root Certificate Authority in a Single Forest For Zero Downtime

Hey guys and girls, how are you all doing working from home? Please stay safe and keep your distance.

Today’s topic is about creating multiple root certificate in a single forest, please take note that this is not a best practice by Microsoft but it was the right solutions for my situations. There will not be errors/stopping you to proceed, if you setup multiple root certificate authority.

So basically I have this tested on my lab only I proceed into production. Whenever you aren’t confident about the solutions please always run your lab. Don’t give people heart attack. Active Directory is a sensitive being.

My situation is that we have existing Windows Server 2008 R2 and is moving to Windows Server 2019, currently there is a root certificate authority siting in Windows Server 2008 R2 and would like to transition to Windows Server 2019 without downtime. Hence, Migrating is not the right word for this situation, because Migration required downtime. Imagine people working from home unable to VPN access into the work environment. You will get the scream and shout by them, Good Luck.

For having a multiple root CA, so that at the network layer/firewall layer, the network administrator can create another certificate access for user to VPN access using either the old Root CA or new Root CA. Hence, zero downtime.

Step by Step:

  1. You have to add the roles and feature into your Windows Server 2019
  2. Once you have the role installed and the configuration setup (just follow the default configuration, please choose Enterprise Root CA)
  3. Make sure your instance naming or certificate authority name is not duplicated with your other certificate authority server name
  4. This is the result of successful setup of the certificate authority
  5. So now you got to make sure the certificate authority server has its certificate propagate on its local machine too
  6. Launch Start > Run > mmc
  7. MMC > File > Add/Remove Snap-in… > Certificates
  8. Certificates > Computer account > Local computer > Finish
  9. Certificates (Local Computer) > Expand the folder > Personal > Certificates
  10. Certificates (Local Computer) > Expand the folder > Trusted Root Certification Authorities > Certificates
  11. Because now the forest has 2 Root CA, so your trusted root CA folder would have 2 Root CA certificate
  12. To export the new root CA certificate to your network administrator, Launch your command prompt on the Root CA server > run the following command
    • certutil -ca.cert <filename>.cer
  13. To allow the other server members of the forest, please access to the server and follow step 6 to step 9, remove the old Root CA
  14. Then run a gpupdate /force command line > Reboot the server, to have the changes reflected
  15. Perform a checking whether the changes has reflected to the other server(s) after performing step 13 to 14, please access to their local computer certificate and check. Repeat step 6 to step 10.

*Note:

  1. Do not export the Root CA certificate and import to the servers, because this would beat the purpose Enterprise Root Certificate Authority
  2. If you have a larger environment it would take awhile for the change to replicate. Hence, continue the gpupdate /force until you receive the result you wanted on the server

Azure ATP: gMSA limitation for single label domain

Good afternoon everyone, and Happy Holiday to you all. Today’s blog post is another Azure ATP, or you could say Microsoft Identity Defender or MDI for short.

As you might know that gMSA is a type of service account for Windows Server 2012 and above. For some reason it failed to establish authentication between a Windows Server 2016 and Azure ATP portal for this particular environment. This environment is running single label domain on a Windows Server 2016. It was migrate from Widows Server 2008 R2 to Windows Server 2016.

To locate the logs in the server that you installed the sensor to further identify the cause and issue,

C:\ProgramFiles\Azure Advanced Threat Protection\<sensor version> \Logs

In the server where your sensor installed, if you notice the Azure ATP services keeps stopping and starting, from the services.msc, then it means there is problem with the sensor trying to establish the connection to the Azure ATP.

There wasn’t much article found to prove that gMSA limitation with single label domain, so I go ahead and proceed a testing. I created a managed service account with no special permission included, and add the credential to the Azure ATP > Directory Service. Upon monitoring, there wasn’t any alert prompt from Azure ATP, Azure ATP alert is pretty instant when detected failure on authentication.

So the resolution was to use managed service account instead of the gMSA account for this situation. The sensor start to working well with managed service account.

Active Directory: Troubleshoot ADPREP /DOMAINPREP “Access is denied” issue

Good day, hope you guys are having a good weekend. This blog post is about active directory portion. My situation was the environment contains Windows Server 2008, and would wish to upgrade to Windows Server 2008 R2, by setting up new VMs with Windows Server 2008 R2 Operating System. The environment contain a parent domain and 2 child domains. Due to Microsoft has stop supporting pushing updates to legacy servers, the environment had to use a third-party product to support the pushing of windows update to the legacy servers and the product is also served as Anti-virus/malware.

Before you are going to prep domain and forest you have to make sure your account has the proper permissions to perform the prep.

While I was about to prep a child domain using the command prompt in elevation mode, I receive an error saying “Access is denied”, there was no log to refer to, to know about details what caused this issue. Same goes to event viewer logs.

After long research there was no resolution and the next try was to disable the third-party product and re-run the adprep command and was able to run successfully.

If you have other issues with adprep, you may refer the logs from this path “C:\Windows\Debug\adprep\”.

References:

  1. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731728(v=ws.11)

OneDrive and Active Directory: Error Code 0x8004de40

First time experience such error and behaviour, so the situation is that this user has problem getting her OneDrive to work on her desktop, it was her first time setting it up and she receive the above error code after she sign in and authenticate her account.

Capture

Well from Azure AD, it will shows that her login activity for OneDrive is successful, but Azure AD doesn’t shows that her setup was failed. At first I suspect it could be network issue, tested another account it went through the setup successfully. Hence, running PowerShell (Msol), to query the user account information and perform comparison and everything was showing in good condition.

Another thing is that she can successfully use the web based on SharePoint Online and OneDrive online.

As I went through to the Exchange Admin center and notice her email addresses missing a type, that is the SPO. This type of email address is generated once the user is assigned with the Office 365 license with Sharepoint Online and OneDrive online features.

The only resolution to this is to recreate the account. 

  1. Backup mailboxes to PST and files to a local drive or external drive
    • There are many ways to backup
  2. Unassign the user license
  3. Go to Active Directory and disable the account and move it to a unsync Organization Unit
  4. Go to Azure AD Connect Server and perform the sync
  5. Go to Office 365 make sure that the account has been move to deleted users, well you could use PowerShell to query -ReturnDeletedUsers.
    • Get-MsolUser -UserPrincipalName <username>@domain.com.my -ReturnDeletedUsers
    • Once it is found, then run the remove command, you can use GUI to remove them at the Azure portal “portal.azure.com”
      • Get-MsolUser -UserPrincipalName <username>@domain.com.my -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin -Force
  6. Go back to your Active Directory and recreate the user account, and make sure it is in the sync OU
  7. Run another sync at your Azure AD Connect Server
  8. Go to Office 365 > Active Users > Search for the user and assign the license

 

There are few reasons why this happen, for my case was the old Azure AD Connect server died or corrupted and had to re-provision a new one. Users are some still on Exchange on-premise and some are in cloud, due to budget. Sometime things happen.

Anyway, hope this helps! 

 

Azure Active Directory: Troubleshoot Immutable ID Matching Error “AttributeMustBeUnique”.

Nowadays there are becoming lots of tools to convert objectGUID to immutable ID. However, one of my friend was facing a problem “AttributeMustBeUnique” in the Azure AD Connect (AADC). Mostly the articles that talk about this error “AttributeMustBeUnique“, is asking people to look at the “Deleted User” or Query the duplicate account from Recycle Bin.

For this case, is slight different.

To understand what is he facing,

  1. A user account was created at cloud first.
  2. A user account status is “in cloud” in Office 365 > Active Users
  3. There is no duplicated account in the Recycle Bin
  4. My friend he empty the Immutable ID and replace it with a new Immutable ID that is covert from objectGUID, to match the account in cloud with its account in on-premise
  5. He used a tool to convert the objectGUID to Immutable ID.
  6. Replace the empty Immutable ID with the converted ones and run a full sync from AADC server. However, he was still getting the error.

After checking upon it was the objectGUID that he copied wrongly. Thus, converted the Immutable ID value wasn’t matching the ones that Azure AD detected.

Azure AD Sync error detection able to detect, identify and provide the suppose correct value of Source Anchor (Immutable ID). Every deployment of Azure AD Connect will match the account via source anchor.

04

What is source anchor? In layman term is the Unique ID from cloud.

References:

  1. http://guid-convert.appspot.com/
  2. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts

Windows Server 2019: How to activate OS license after promoted the server as Domain Controller?

Happy Chinese New Year to my Chinese friends and Happy holiday to the non-Chinese friends!

There are cases where you have to apply the license later due to you have to wait for the license key. So you had to proceed deploying and running your tasks. However, the GUI of activate the Windows Server license doesn’t prompt to allow you to key in the product key and there is no error shown. (After you have promoted the server as Domain Controller)

The solution is to activate the license key through command prompt or Windows PowerShell and run as administrator.

If you have forgotten the command, is “slmgr” and to see the list of the command’s option just type “slmgr /help“, it will prompt the list.

Here is an example;

Capture

Below is the command to activate your license key;

slmgr /ipk <your product key>

Capture

If you wish to view expiration of your license key, then you could use this command;

slmgr /xpr

Capture