Using a gMSA account with AADConnect

If you haven’t heard of a gMSA, you haven’t lived. That’s what my Mum tells me anyway.

A gMSA is also known as a Group Managed Service Account, and it really is the future of Service Accounts. It doesn’t allow interactive logons, it recycles its credentials automatically, and it can be tied down so that it can only be used on specific hosts. Most importantly, it is recommended if you use Azure AD Connect with a dedicated SQL Server.

It does require Server 2012 or above on your domain controllers (for the schema extensions) and an Azure AD Connect server, but if you aren’t using this OS or newer yet, then I think you have other priorities you need to address 🙂

So the big question is; how do we use this magical feature? The guide below is for a new installation of AADConnect.

Firstly, if you haven’t done so already you need to enable the KDS Root Key 🔐 required for generating the passwords used by the service account. Run this PS command from an AD PowerShell prompt to enable the KDS Root Key 🔐. This can be done from a Domain Controller or from a server running the RSAT ADDS tools.

Add-KdsRootKey -EffectiveImmediately

Funnily enough, even though we used -EffectiveImmediately, the key is only available instantly on the DC you ran the command from. The other DCs need to wait for replication to complete before the key is available to them.

You then need to create the AAD Connect gMSA service account. Use this PS command to do this:

New-ADServiceAccount -Name AADC-gMSA -Description "AAD Connect Service Account" -DNSHostName aadc.Contoso.com -PrincipalsAllowedToRetrieveManagedPassword MGMT01$,MGMT02$ -PassThru

Replace the account name, DNS host name and principal names with your own information. MGMT01 and MGMT02 are the names of our primary and staging AAD Connect servers in this instance (only these hosts may retrieve the managed password), and the DNSHostName parameter essentially sets the DNS name of the service the account runs.

Once this is done, you need to head over to your AAD Connect server and add the account using:

Install-ADServiceAccount AADC-gMSA

Lastly, during AADConnect installation, we need to select the service account. During initial installation, choose the ‘Customise’ option as shown below:

Screenshot 2019-05-21 at 16.55.44

And then select ‘Use an existing service account’ and enter the service account name using the domain\accountname$ format.
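The whole procedure above as one script, with the checks worth running before you start the installer. This is an added example, not code from the original post; the names (AADC-gMSA, aadc.contoso.com, MGMT01/MGMT02) are the post's placeholders, and the first half runs on a DC or RSAT host while the second half runs on each AAD Connect server.

```powershell
# Added example: gMSA for AAD Connect, with pre-flight checks.
Import-Module ActiveDirectory

$gmsaName  = 'AADC-gMSA'
$dnsName   = 'aadc.contoso.com'
$aadcHosts = 'MGMT01$', 'MGMT02$'   # primary and staging AAD Connect servers (post's example names)

# --- Run on a Domain Controller or a host with the RSAT ADDS tools -----------
# 1. Only create a KDS root key if the forest does not already have one.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
    Write-Warning 'KDS root key created; other DCs cannot serve it until replication completes.'
}

# 2. Create the gMSA, restricted to the AAD Connect hosts (safe to re-run).
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName `
        -Description 'AAD Connect Service Account' `
        -DNSHostName $dnsName `
        -PrincipalsAllowedToRetrieveManagedPassword $aadcHosts `
        -PassThru
}

# 3. Least-privilege check: confirm exactly which hosts may retrieve the password.
Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword

# --- Run on each AAD Connect server (MGMT01, then MGMT02) --------------------
# 4. Install the account locally and prove this host can retrieve the managed
#    password before pointing the AAD Connect installer at it.
Install-ADServiceAccount -Identity $gmsaName
if (Test-ADServiceAccount -Identity $gmsaName) {
    "Enter '$env:USERDOMAIN\$gmsaName`$' on the 'Use an existing service account' page."
} else {
    Write-Error "$gmsaName failed validation on $env:COMPUTERNAME; check KDS key replication and the allowed principals."
}
```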

Screenshot 2019-05-21 at 16.57.43

This process will help you automate and secure your service accounts in the future, and is a great choice whenever a service account is required and gMSA is supported.


DNS Traffic Management Policies

This awesome new Server 2016 feature can be used to create a DNS policy which responds to a query for the IP address of a web server with a different IP address based on the source subnet of the client.

Let’s take an example; we have ADFS configured in Azure using the following settings:

Hostname: sts.misstech.co.uk
Internal IP: 192.168.9.11
External IP: 57.119.128.179 (this is made up so don’t try and go there!)

There are 2 sites, London and Manchester. London has a VPN link to Azure, however Manchester has no route to Azure. Both sites are connected to each other and the Domain Controller is located in London.

This means that London users (on 192.168.10.0/24) can access ADFS, however Manchester users (on 192.168.11.0/24) cannot access ADFS using the internal IP. We need to route Manchester users to ADFS via the external ADFS IP, but how do we do this when they resolve DNS records via the same Domain Controller? Hosts files can do this, but that is complex and doesn’t allow for mobility. Enter Traffic Management using Server 2016.

To do this, the following steps need to be performed.

- First, add the subnets which you want to use for traffic management.

Add-DnsServerClientSubnet -Name "Manchester" -IPv4Subnet "192.168.11.0/24" -PassThru

- Next, add the subnet-associated zone scope. The zone must already exist for this command to work.

Add-DnsServerZoneScope -ZoneName "eacsdemo.online" -Name "Manchester" -PassThru

- Add the DNS Resource Record to the new zone scope.

Add-DnsServerResourceRecord -ZoneName "eacsdemo.online" -A -Name "sts" -IPv4Address "52.169.178.129" -ZoneScope "Manchester" -PassThru

- Add the Traffic Management Policy to route Manchester requests through to

Add-DnsServerQueryResolutionPolicy -Name "ManchesterPolicy" -Action ALLOW -ClientSubnet "eq,Manchester" -ZoneScope "Manchester,1" -ZoneName "eacsdemo.online" -PassThru

These policies are very versatile, allowing you to combine multiple parameters (using AND/OR) such as client subnet, protocol, or time of day to create complex policies which can help you direct clients to the correct location.

I’ll finish this post with a small tip; if you want to get or remove a zone-level policy, make sure you specify the zone name, or a null value will be returned. For example:

Get-DnsServerQueryResolutionPolicy -ZoneName "misstech.co.uk"

Remove-DnsServerQueryResolutionPolicy -Name "ManchesterPolicy" -ZoneName "misstech.co.uk" -PassThru
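The four steps above as one re-runnable script, followed by the checks that show the split answer is actually being served, and the zone-scoped Get/Remove from the tip. This is an added example, not code from the original post; the zone, scope, subnet and addresses are the post's values, while the DNS server name DC01 is assumed.

```powershell
# Added example: subnet-based traffic management for the ADFS record, with verification.
Import-Module DnsServer

$zone      = 'eacsdemo.online'
$scope     = 'Manchester'
$subnet    = '192.168.11.0/24'
$record    = 'sts'
$extIP     = '52.169.178.129'   # public ADFS address that Manchester clients should receive
$dnsServer = 'DC01'             # assumed name of the DC answering both sites

# Step 1: client subnet that identifies Manchester clients
if (-not (Get-DnsServerClientSubnet -Name $scope -ErrorAction SilentlyContinue)) {
    Add-DnsServerClientSubnet -Name $scope -IPv4Subnet $subnet
}
# Step 2: zone scope (the zone itself must already exist)
if (-not (Get-DnsServerZoneScope -ZoneName $zone -Name $scope -ErrorAction SilentlyContinue)) {
    Add-DnsServerZoneScope -ZoneName $zone -Name $scope
}
# Step 3: alternative A record that lives only in the Manchester scope
if (-not (Get-DnsServerResourceRecord -ZoneName $zone -Name $record -ZoneScope $scope -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecord -ZoneName $zone -A -Name $record -IPv4Address $extIP -ZoneScope $scope
}
# Step 4: policy that answers queries from the Manchester subnet out of that scope
if (-not (Get-DnsServerQueryResolutionPolicy -Name 'ManchesterPolicy' -ZoneName $zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerQueryResolutionPolicy -Name 'ManchesterPolicy' -Action ALLOW `
        -ClientSubnet "eq,$scope" -ZoneScope "$scope,1" -ZoneName $zone
}

# Check 1: the default scope and the Manchester scope should hold different answers
Get-DnsServerResourceRecord -ZoneName $zone -Name $record
Get-DnsServerResourceRecord -ZoneName $zone -Name $record -ZoneScope $scope

# Check 2: run from a London host and a Manchester host; only the latter should see $extIP
Resolve-DnsName -Name "$record.$zone" -Server $dnsServer -Type A | Select-Object Name, IPAddress

# Zone-level policies are invisible without -ZoneName (the tip in the post)
Get-DnsServerQueryResolutionPolicy -ZoneName $zone

# Rollback follows the same rule; uncomment to remove the policy
# Remove-DnsServerQueryResolutionPolicy -Name 'ManchesterPolicy' -ZoneName $zone -Force
```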

 

Azure RMS – File Classification Infrastructure Fail

I’ve been doing a bit of work recently with Azure RMS and FCI (using FSRM) to protect files located on traditional file servers.

One issue I came across whilst following various pieces of guidance which I found online was related to file classification. When attempting to run my File Management Task I was seeing no results.

I attempted to run the RMS protection script manually from PowerShell ISE (called RMS-Protect-FCI.ps1 in my case) and this returned an error as follows:

RMSProtection module not loaded

I had followed all the instructions I had seen so far, and luckily this error is quite descriptive. All I ended up having to do was to install the RMS Protection Tool, which can be found here: https://www.microsoft.com/en-us/download/details.aspx?id=47256

It’s important to remember to install the prerequisites for this too, as otherwise you will receive another error about failure to connect using bpostenantid. The key element I missed out was the RMS Client, found here: https://www.microsoft.com/en-us/download/details.aspx?id=38396

Essentially I didn’t read the fine print and got lost in Powershell without installing the software I needed!

Some of the resources I used to configure this are listed below. All in all, FCI is a very powerful tool for protecting File Servers with RMS, but it has a lot of configuration steps and can appear (on the surface) very complex indeed!

https://docs.microsoft.com/en-us/information-protection/rms-client/configure-fci
https://technet.microsoft.com/library/hh847874.aspx
https://msdn.microsoft.com/library/mt433202.aspx
http://simon-may.com/setup-azure-rms-file-protection-encryption-file-classification-infrastructure-fci-prem-file-servers/
https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-servers-rms-connector#configuring-a-file-server-for-file-classification-infrastructure-to-use-the-connector


How many users are in my AD group?

Nice simple three-liner here. I often want to check how many users are in a particular group, and find it a bit annoying that ADUC doesn’t show this in the Group Properties. So to find out, run this from a PowerShell window on a DC:

Import-Module ActiveDirectory
$group = Get-ADGroupMember "group name" -Recursive | Select-Object Name
$group.Count

The second line puts all the members into a variable called $group, and if you didn’t already know, putting .Count after any variable returns the number of objects in that variable 🙂
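A slightly longer version of the same check, added here and not from the original post, that counts only user objects (a recursive member list can also contain computers and contacts), returns a correct count for 0 or 1 members, and falls back to an LDAP query when the group is larger than the Get-ADGroupMember result limit. The group name 'Finance Users' is an assumed placeholder.

```powershell
# Added example: user-only member count with the large-group fallback.
Import-Module ActiveDirectory

function Get-ADGroupUserCount {
    param([Parameter(Mandatory)][string]$GroupName)

    $group = Get-ADGroup -Identity $GroupName
    try {
        # -Recursive expands nested groups; keep only user objects. @() forces an
        # array so .Count is 0 or 1 rather than $null when there are few results.
        $members = @(Get-ADGroupMember -Identity $group -Recursive |
                     Where-Object objectClass -eq 'user')
    } catch {
        # Groups above MaxGroupOrMemberEntries (5000 by default) make
        # Get-ADGroupMember fail; LDAP_MATCHING_RULE_IN_CHAIN walks the nested
        # membership on the server side instead.
        $filter  = "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))"
        $members = @(Get-ADUser -LDAPFilter $filter -ResultSetSize $null)
    }

    # Enabled vs total is the number worth knowing for a privileged group.
    [pscustomobject]@{
        Group     = $group.Name
        UserCount = $members.Count
        Enabled   = @($members | Get-ADUser | Where-Object Enabled).Count
    }
}

Get-ADGroupUserCount -GroupName 'Finance Users'   # assumed group name
```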

Happy days!

Append Description to a list of users

Today I needed to append, not overwrite, the description variable for a list of users. To do this, I created a simple .txt file containing the usernames I wanted to change.

lewish
nicor
maxv
sebastienv
kimir
danielr

I then ran this very simple command which takes the existing Description and adds the phrase “User Enabled 07/06/2016” to the end of the Description.

Get-Content "c:\migration\userstest.txt" | Get-ADUser -Properties Description | ForEach-Object { Set-ADUser $_ -Description "$($_.Description) User Enabled 07/06/2016" }

Easy peasy lemon squeezy!

Stale Forest / External Trust

Recently I had to remove an External Trust between two domains and replace it with a Forest Trust. Simple work for an Active Directory consultant, you might think, but as with most consultancy work, it’s the simple stuff that catches you out!

After removing the external trust, I validated that it had indeed been removed by checking in Active Directory Domains & Trusts, and also by running netdom query trust. However when trying to create the new Forest Trust, an error message was shown stating that an external trust still existed. More specifically, the error stated:

A trust relationship with the domain you specified already exists

It turned out that, although both the GUI and the netdom commands showed that the trust had been deleted, a stale object still existed. To remove this object, ADSIEdit.msc was used, which is always a risky business! The process for this was:

  1. Open ADSIEdit.msc – If you are running Server 2003, you must install the Windows Server 2003 Support Tools
  2. Connect to the Domain partition
  3. Expand the System container
  4. Find the stale object, the name of this will be of the domain being trusted, and the class is trustedDomain
  5. Delete this trust object

trustedDomain object

This should allow you to create the new trust object.
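A PowerShell way to locate the stale object (and the interdomain trust account that is created alongside a trust) before anything is deleted, so the ADSIEdit step above is not done blind. This is an added example, not from the original post; 'old.contoso.com' is an assumed placeholder for the formerly trusted domain.

```powershell
# Added example: find the leftover trustedDomain object and its companion trust account.
Import-Module ActiveDirectory

function Get-TrustedDomainObject {
    param([Parameter(Mandatory)][string]$Partner)   # DNS name of the formerly trusted domain

    $domainDN = (Get-ADDomain).DistinguishedName

    # The trustedDomain object lives directly under CN=System (what ADSIEdit shows)
    $tdo = Get-ADObject -SearchBase "CN=System,$domainDN" -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=trustedDomain)(trustPartner=$Partner))" `
        -Properties trustPartner, flatName, trustDirection, whenChanged

    # Each trust also creates a user object "<NetBIOS name>$" flagged
    # INTERDOMAIN_TRUST_ACCOUNT (userAccountControl bit 0x0800 = 2048); it can be stale too.
    $acct = $null
    if ($tdo.flatName) {
        $acct = Get-ADObject -SearchBase $domainDN `
            -LDAPFilter "(&(objectClass=user)(sAMAccountName=$($tdo.flatName)`$)(userAccountControl:1.2.840.113556.1.4.803:=2048))"
    }

    [pscustomobject]@{ TrustObject = $tdo; TrustAccount = $acct }
}

# List every trustedDomain object first and compare with 'netdom query trust'
Get-ADObject -SearchBase "CN=System,$((Get-ADDomain).DistinguishedName)" -SearchScope OneLevel `
    -LDAPFilter '(objectClass=trustedDomain)' -Properties trustPartner, whenChanged |
    Select-Object Name, trustPartner, whenChanged

# Then target the one that should no longer exist; -WhatIf only reports what would be removed
$stale = Get-TrustedDomainObject -Partner 'old.contoso.com'
$stale.TrustObject, $stale.TrustAccount | Where-Object { $_ } | Remove-ADObject -WhatIf
```

Drop -WhatIf only once the listed objects match the trust you removed; nothing else under CN=System should be touched.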

AADSync / AADConnect default Domain Controller

I came across an odd situation recently whereby my AADConnect installation had decided to communicate with a Domain Controller which was in another site, across an Active Directory replication link with a 180 minute replication interval. This was no good for my customer as they made their AD changes on the site local to AADConnect, so I decided to remedy this by forcing AADConnect to communicate with a particular DC. This can be useful for many reasons, and you can actually set a list of ‘preferred Domain Controllers’ to allow for fault tolerance.

To do this, go into the Synchronisation Service, head on over to the Connectors tab and find your Active Directory Domain Services Connector. The below example is synchronising multiple AD Forests. Once you’ve selected your domain, you can see which Domain Controller is currently in use by checking the ‘Connection Status’ area (shown in the central area of the below screenshot).

Synchronisation Service

To change the Domain Controller in use, go to the Properties tab for your domain (on the right hand ‘Actions’ pane). Go into the ‘Configure Directory Partitions’ tab and you will see a handy tick box entitled ‘Only use preferred domain controllers’.

AADConnect - Directory Partitions

Place a checkmark in this box, and a window will appear, allowing you to enter your shortlist of Domain Controllers.

AADConnect - Preferred DCs

Once you’ve entered your preferred DCs, OK your way out of these windows and hey presto, you are done! It’s a nice and easy task to perform, but not one I’ve seen documented online before.

Thanks for reading!