How to fortify your virtualized Active Directory design

Active Directory is much more than a simple server role. It has become the single sign-on source for most, if not all, of your data center applications and services. This access control covers workstation logins and extends to clouds and cloud services.

Since AD is such a key part of many organizations, it is critical that it is always available and has the resiliency and durability to match business needs. Microsoft had enough foresight to set up AD as a distributed platform that can continue to function — without much or, in some cases, no interruption in services — even if parts of the system went offline. This was helpful when AD nodes were still physical servers that were often spread across multiple racks or data centers to avoid downtime. So, the question now becomes, what’s the right way to virtualize Active Directory design?

Don’t defeat the native AD distributed abilities

Active Directory is a distributed platform, so virtualizing it will hinder the native distributed functionality of the software. AD nodes can be placed on different hosts and fail-over software will restart VMs if a host crashes, but what if your primary storage goes down? It’s one scenario you should not discount.

When you undertake the Active Directory design process for a virtualization platform, you must go beyond just a host failure and look at common infrastructure outages that can take out critical systems. One of the advantages of separate physical servers was the level of resiliency the arrangement provided. While we don’t want to abandon virtual servers, we must understand the limits and concerns associated with them and consider additional areas such as management clusters.

Management clusters are often slightly lower tier platforms — normally still virtualized — that only contain management servers, applications and infrastructure. This is where you would want to place a few AD nodes, so they are outside of the production environment they manage. The challenge with a virtualized management cluster is that it can’t be placed on the same physical storage location as production; this defeats the purpose of separation of duties. You can use more cost-effective storage platforms such as a virtual storage area network for shared storage or even local storage.

Remember, this is infrastructure and not core production, so IOPS should not be as much of an issue because the goal is resiliency, not performance. This means local drives and RAID groups should be able to provide the IOPS required.

How to keep AD running like clockwork

One of the issues with AD controllers in a virtualized environment is time drift.

All computers have clocks and proper timekeeping is critical to both the performance and security of the entire network. Most servers and workstations get their time from AD, which helps to keep everything in sync and avoids Kerberos security login errors.

Physical AD servers usually get their time from an external time source; virtualized ones get it from their hosts. Between checks, the AD servers keep time with the computer's internal clock, which is based on CPU cycles.

When you virtualize a server, it no longer has a set number of CPU cycles to base its time on. That means time can drift until it reaches out for an external time check to reset itself. But that time check can also be off since you might be unable to tell the passage of time until the next check, which compounds the issue. Time drift can become stuck in a nasty loop because the virtualization hosts often get their time from Active Directory.

Your environment needs an external time source that is not dependent on virtualization to keep things grounded. While internet time sources are tempting, having the infrastructure reach out for time checks might not be ideal. A core switch or other key piece of networking gear can offer a dependable time source that is unlikely to be affected by drift due to its hardware nature. You can then use this time source as the sync source for both the virtualization hosts and AD, so all systems are on the same time that comes from the same source.
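The hierarchy the paragraph describes, written out as an added PowerShell example (not code from the original article): the PDC emulator takes its time only from the non-virtualized source, every other DC follows the domain hierarchy, the hypervisor stops pushing its own clock into the DC guests, and a final check shows the offset of every DC. The NTP host name, DC names and VM name are placeholders; the ActiveDirectory module and WinRM access to the DCs are assumed.

```powershell
# Added example, not from the original article. Assumptions: the core switch answers NTP as
# ntp.sphinx.org (placeholder), the ActiveDirectory module is installed, and WinRM is open to
# the domain controllers. 'DC01' below is a placeholder VM name.
Import-Module ActiveDirectory
$ntpSource = 'ntp.sphinx.org'              # placeholder: your core switch or hardware NTP appliance
$pdc       = (Get-ADDomain).PDCEmulator    # root of the domain time hierarchy

# 1. PDC emulator: sync only from the external source (0x8 = client mode) and advertise as reliable.
Invoke-Command -ComputerName $pdc -ArgumentList $ntpSource -ScriptBlock {
    param($src)
    w32tm /config /manualpeerlist:"$src,0x8" /syncfromflags:manual /reliable:yes /update
    w32tm /resync /nowait
    # Expect the source name here, not 'Local CMOS Clock' or 'VM IC Time Synchronization Provider'.
    w32tm /query /source
}

# 2. Every other DC follows the domain hierarchy, which now ends at the external source.
$otherDcs = (Get-ADDomainController -Filter *).HostName | Where-Object { $_ -ne $pdc }
Invoke-Command -ComputerName $otherDcs -ScriptBlock {
    w32tm /config /syncfromflags:domhier /update
    w32tm /resync /nowait
}

# 3. On each Hyper-V host that can own a DC VM: point the host itself at the same source and stop
#    the hypervisor from writing its clock into the DC guest. That breaks the loop the article
#    describes (host gets time from AD, AD gets time from host).
#    w32tm /config /manualpeerlist:"ntp.sphinx.org,0x8" /syncfromflags:manual /update
#    Disable-VMIntegrationService -VMName 'DC01' -Name 'Time Synchronization'

# 4. Check: offset of every DC against the PDC. Kerberos tolerates 5 minutes of skew by default,
#    so offsets approaching that are the drift problem the article warns about.
w32tm /monitor /domain:$((Get-ADDomain).DNSRoot)
```

Step 3 is shown commented out because it runs on the virtualization host, not on a DC; on VMware the equivalent is turning off periodic time synchronization in VMware Tools for the DC guests.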

Some people will insist on a single physical server in a virtualized data center for this reason. That’s an option, but one that is not usually needed. Virtualization isn’t something to avoid in Active Directory design, but it needs to be done with thought and planning to ensure the infrastructure can support the AD configuration. Management clusters are key to the separation of AD nodes and roles.

This does not mean that high availability (HA) rules for Hyper-V or VMware environments are not required. Both production and management environments should have HA rules to prevent AD servers from running on the same hosts.

Rules should be in place to ensure these servers restart first and have reserved resources for proper operations. Smart HA rules are easy to overlook as more AD controllers are added and the rules configuration is forgotten.
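The three HA rules just listed (keep DCs on different hosts, restart them first, reserve resources) as an added Hyper-V failover-cluster example; this is not code from the original article. The cluster name and the VM role names are placeholders, and the FailoverClusters and Hyper-V modules are assumed to be present on the node where it runs.

```powershell
# Added example, not from the original article. Assumptions: cluster 'PRODCLUSTER' with clustered
# VM roles DC01 and DC02 (all placeholders); run on a cluster node with the FailoverClusters module.
Import-Module FailoverClusters
$cluster = 'PRODCLUSTER'
$dcRoles = 'DC01', 'DC02'

foreach ($role in $dcRoles) {
    $group = Get-ClusterGroup -Cluster $cluster -Name $role
    # 1. Anti-affinity: roles that share a class name are placed on different hosts where possible.
    $group.AntiAffinityClassNames = @('DomainControllers')
    # 2. Start order: Priority 3000 = High, so DCs come back before ordinary workloads after a host failure.
    $group.Priority = 3000
}

# 3. Reserved resources on the VM itself, run on the host that currently owns each DC.
#    The dynamic-memory change needs the VM to be off.
foreach ($vm in $dcRoles) {
    $owner = (Get-ClusterGroup -Cluster $cluster -Name $vm).OwnerNode.Name
    Invoke-Command -ComputerName $owner -ArgumentList $vm -ScriptBlock {
        param($name)
        Set-VMMemory    -VMName $name -DynamicMemoryEnabled $false   # fixed memory, never ballooned away
        Set-VMProcessor -VMName $name -Reserve 50                     # percent of each vCPU guaranteed
    }
}

# Audit: the check that catches a newly added DC that never got the rules.
Get-ClusterGroup -Cluster $cluster | Where-Object { $_.Name -in $dcRoles } |
    Select-Object Name, OwnerNode, Priority, AntiAffinityClassNames
```

Running the audit query on a schedule is the simplest defence against the "rules configuration is forgotten" problem: any DC role without the class name or with the default priority shows up immediately.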

The goal is not to prevent outages from happening — that’s not possible. It is to have enough replicas and roles of AD in the right places so users won’t notice. You might scramble a little behind the scenes if a disruption happens, but that’s part of the job. The key is to keep customers moving along without them knowing about any of the issues happening in the background.


Using Azure AD conditional access for tighter security

As is standard with technologies in the cloud, the features in Azure Active Directory are on the move.

The Azure version of Active Directory differs from its on-premises version in many ways, including its exposure to the internet. There are ways to protect your environment and be safe, but that’s not the case by default. Here are two changes you should make to protect your Azure AD environment.

Block legacy authentication

Modern authentication is Microsoft’s term for a set of rules and requirements on how systems can communicate and authenticate with Azure AD. This requirement is put in place for several security benefits, but it’s also not enforced by default on an Azure AD tenant.

Legacy authentication is used in many types of attacks against Azure AD-based accounts. If you block legacy authentication, then you will block those attacks, but there's a chance you'll prevent users from performing legitimate tasks.

This is where Azure AD conditional access can help. Instead of a simple off switch for legacy authentication, you can create one or more policies — a set of rules — that dictate what is and isn’t allowed under certain scenarios.

You can start by creating an Azure AD conditional access policy that requires modern authentication and otherwise blocks the sign-in attempt. Microsoft recently added a "report only" option to conditional access policies, which I highly recommend using and leaving on for a few days after deployment. It will show you the users still using legacy authentication that you need to remediate before you enforce the policy for real, which helps to ensure you don't stop users from doing their jobs.

However, this change will severely limit mobile phone email applications. The only ones officially supported with modern authentication are Outlook for iOS and Android, and Apple iOS Mail.

Implement multifactor authentication

This sounds like an obvious one, but there are many ways to do multifactor authentication (MFA). Your Microsoft licensing is one of the factors that dictates your choices. The good news is that options are available to all licensing tiers — including the free one — but the most flexible options come from Azure AD Premium P1 and P2.

With those paid plans, conditional access rules can be a lot nicer than just forcing MFA all the time. For example, you might not require MFA if the user accesses a Microsoft service from an IP address at your office or if the device is Azure AD-joined. You might prefer that both of those scenarios are requirements to avoid MFA while other situations, such as a user seeking access on a PC not owned by the company, will prompt for extra authentication.
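Both policies the article recommends (block legacy authentication; require MFA unless the sign-in comes from a trusted location or an Azure AD-joined device), created in report-only mode with the Microsoft Graph PowerShell SDK, followed by the review query that finds the users still on legacy clients. This is an added example, not code from the original article; it assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports modules, an account that can consent to the listed scopes, a named location already marked as trusted, and a break-glass account whose object ID you substitute for the placeholder.

```powershell
# Added example, not from the original article. Assumptions: Microsoft Graph PowerShell SDK
# installed; the office IP range already exists as a trusted named location; the break-glass
# account ID below is a placeholder you must replace.
Import-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'AuditLog.Read.All', 'Directory.Read.All'

$breakGlass = '00000000-0000-0000-0000-000000000000'   # placeholder: emergency-access account object ID

# Policy 1: block the client types that cannot do modern authentication, for every user and app.
$blockLegacy = @{
    displayName = 'Block legacy authentication (report-only)'
    state       = 'enabledForReportingButNotEnforced'   # change to 'enabled' once the review is clean
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# Policy 2: outside trusted locations, require MFA; a hybrid Azure AD-joined device also satisfies
# the grant because the operator is OR. Change it to AND to demand both, as the article suggests.
$requireMfa = @{
    displayName = 'Require MFA off-network (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
        locations      = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa', 'domainJoinedDevice') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

# Review after a few days: which users still arrive through legacy protocols? These are the
# accounts to remediate before switching policy 1 to 'enabled'.
$legacyClients = 'Exchange ActiveSync', 'Other clients', 'IMAP4', 'POP3', 'Authenticated SMTP',
                 'Exchange Web Services', 'MAPI Over HTTP', 'Outlook Anywhere (RPC over HTTP)', 'Autodiscover'
Get-MgAuditLogSignIn -Top 1000 |
    Where-Object { $_.ClientAppUsed -in $legacyClients } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The break-glass exclusion is the caveat that matters most here: a policy that blocks or demands MFA from every account, including the one you would use when MFA itself is broken, locks the tenant's administrators out along with the attackers.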

MFA doesn’t have to just be SMS-based authentication. Microsoft’s Authenticator App might take a few more steps for someone to set up the first time they register, but it’s much easier to just accept a pop-up on your mobile device as a second factor of authorization, rather than waiting for an SMS, reading the six-digit number, then typing it into your PC.

Without MFA, you're running a high risk: an internet-exposed authentication system against which attackers can easily try leaked credentials or run password spray attacks until they hit a successful login with a username and password.

The other common attack is credential phishing. This can be particularly successful when the threat actor uses a compromised account to send out phishing emails to the person’s contacts or use fake forms to get the contact’s credentials, too. This would be mostly harmless if the victim’s account required MFA.

Accounts in Azure AD will lock out after 10 failed attempts without MFA, but only for a minute, then gradually increase the time after further failure attempts. This is a good way to slow down the attackers, and it’s also smart enough to only block the attacker and keep your user working away. But the attacker can just move onto the next account and come back to the previous account at a later time, eventually hitting a correct password.

Azure AD conditional access changes are coming

The above recommendations can be enabled by four conditional access baseline policies, which should be visible in all Azure AD tenants (still in preview), but it appears these are being removed in the future.

Microsoft plans to replace the baseline protection policies with security defaults.

The policies will be replaced by a single option called Security Defaults, found under the Manage > Properties section of Azure AD. The baseline policies helped you be a bit more granular about what security you wanted and the enablement of each feature. To keep that flexibility, you’ll need Azure AD Premium once these baseline policies go.

Turning on Security Defaults in your Azure AD tenant will:

  • force administrators to use MFA;
  • force privileged actions, such as using Azure PowerShell, to use MFA;
  • force all users to register for MFA within 14 days; and
  • block legacy authentication for all users.

I suspect the uptake wasn't enough, which is why Microsoft is moving to a single toggle option to enable these recommendations. I also hazard a guess that Microsoft will make this option on by default for new tenants in the future, but there's no need for you to wait. If you don't have these options on, you should be working on enabling them as soon as you can.


Get back on the mend with Active Directory recovery methods

Active Directory is the bedrock of most Windows environments, so it’s best to be prepared if disaster strikes.

AD is an essential component in most organizations. You should monitor and maintain AD, for example by clearing out user and computer accounts you no longer need. With routine care, AD will run properly, but unforeseen issues can arise. There are a few common Active Directory recovery procedures you can follow using out-of-the-box technology.

Loss of a domain controller

Many administrators see losing a domain controller as a huge disaster, but the Active Directory recovery effort is relatively simple — unless your AD was not properly designed and configured. You should never rely on a single domain controller in your domain, and large sites should have multiple domain controllers. Correctly configured site links will keep authentication and authorization working even if the site loses its domain controller.

You have two possible approaches to resolve the loss of a domain controller. The first option is to try to recover the domain controller and bring it back into service. The second option is to replace the domain controller. I recommend adopting the second approach, which requires the following actions:

  • Transfer or seize any flexible single master operation roles to an active domain controller. If you seize the role, then you must ensure that the old role holder is never brought back into service.
  • Remove the old domain controller’s account from AD. This will also remove any metadata associated with the domain controller.
  • Build a new server, join it to the domain, install Active Directory Domain Services and promote it to a domain controller.
  • Allow replication to repopulate the AD data.
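The four replacement steps above as one PowerShell sequence, added here as an example and not code from the original article. It assumes the lost DC is TTSDC02 and the surviving DC is TTSDC01 (the article's placeholder names in the sphinx.org domain); the first three steps run on TTSDC01 as a Domain Admin (Enterprise Admin for the forest roles), the last one on the freshly built server.

```powershell
# Added example, not from the original article. Assumptions: lost DC TTSDC02, surviving DC
# TTSDC01, domain sphinx.org (placeholders); ActiveDirectory module and repadmin present.
Import-Module ActiveDirectory
$lostDc   = 'TTSDC02'
$survivor = 'TTSDC01'
$domain   = Get-ADDomain -Server $survivor
$forest   = Get-ADForest -Server $survivor

# 1. Seize only the FSMO roles the lost DC actually held. A transfer is tried first and
#    -Force seizes when the old holder is unreachable. After a seizure the old holder must
#    never be brought back online: it still believes it owns the roles.
$held = @()
if ($forest.SchemaMaster         -like "$lostDc.*") { $held += 'SchemaMaster' }
if ($forest.DomainNamingMaster   -like "$lostDc.*") { $held += 'DomainNamingMaster' }
if ($domain.PDCEmulator          -like "$lostDc.*") { $held += 'PDCEmulator' }
if ($domain.RIDMaster            -like "$lostDc.*") { $held += 'RIDMaster' }
if ($domain.InfrastructureMaster -like "$lostDc.*") { $held += 'InfrastructureMaster' }
if ($held.Count -gt 0) {
    Move-ADDirectoryServerOperationMasterRole -Identity $survivor -OperationMasterRole $held -Force -Confirm:$false
}

# 2. Metadata cleanup: removing the lost DC's server object (with its NTDS Settings child) and
#    its computer account clears its replication metadata on Windows Server 2008 and later.
$configNc  = (Get-ADRootDSE -Server $survivor).configurationNamingContext
$serverObj = Get-ADObject -Server $survivor -SearchBase "CN=Sites,$configNc" `
                          -Filter { objectClass -eq 'server' -and Name -eq $lostDc }
if ($serverObj) { Remove-ADObject -Identity $serverObj -Recursive -Confirm:$false -Server $survivor }
Get-ADComputer -Server $survivor -Filter { Name -eq $lostDc } |
    Remove-ADObject -Recursive -Confirm:$false -Server $survivor

# 3. Confirm the old DC is gone and the roles now sit on the survivor.
Get-ADDomainController -Filter * -Server $survivor | Select-Object HostName, Site, OperationMasterRoles
repadmin /replsummary

# 4. On the new server (already joined to sphinx.org): install AD DS and promote it.
#    Replication then repopulates the directory from the surviving DC.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName 'sphinx.org' -InstallDns `
    -Credential (Get-Credential -Message 'Domain Admin account') `
    -SafeModeAdministratorPassword (Read-Host -Prompt 'DSRM password' -AsSecureString) -Force
```

Seizing only the roles the lost DC held, rather than all five, is deliberate: a needless seizure of a role that still has a healthy holder creates exactly the duplicate-master situation the procedure is meant to avoid.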

How to protect AD data

Protecting data can go a long way to make an Active Directory recovery less of a problem. There are a number of ways to protect AD data. These techniques, by themselves, might not be sufficient. But, when you combine them, they provide a defense in depth that should enable you to overcome most, if not all, disasters.

First, enable accidental deletion protection on all of your organizational units (OUs), as well as user and computer accounts. This won't stop administrators from removing an account, but they will be warned first, which might prevent an accident.

Select the option to protect from accidental deletion when creating an organizational unit in AD Administrative Center.

Recover accounts from the AD recycle bin

Another way to avoid trouble is to enable the AD recycle bin. This is an optional feature used to restore a deleted object.

Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target sphinx.org -Confirm:$false

After installing the feature, you may need to enable it through AD Administrative Center. Once added, you can’t uninstall the recycle bin.

Let’s run through a scenario where a user, whose properties are shown in the screenshot below, has been deleted.

An example of a typical user account in AD, including group membership.

To check for deleted user accounts, run a search in the recycle bin:

Get-ADObject -Filter {objectclass -eq 'user' -and Deleted -eq $true} -IncludeDeletedObjects

The output for this command returns a deleted object, the user with the name Emily Brunel.

An AD object found in the recycle bin.

For a particularly volatile AD, you may need to apply further filters to identify the account you wish to restore.

If you have a significant number of objects in the recycle bin, use the object globally unique identifier (GUID) to identify the object to restore.

Get-ADObject -Filter {ObjectGUID -eq '73969b9d-05fa-4b45-a667-79baba1ac9a3'} -IncludeDeletedObjects -Properties * | Restore-ADObject

The screenshot shows the restored object and its properties, including the group membership.

Restoring an AD user account from the recycle bin.
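For the "particularly volatile AD" case mentioned above, an added example (not code from the original article) that narrows the recycle-bin search by last-known name and parent, and handles the failure mode a plain Restore-ADObject runs into when the object's parent OU was deleted as well. It reuses the article's Emily Brunel account and sphinx.org domain; the fallback OU name is a placeholder.

```powershell
# Added example, not from the original article. Assumptions: the deleted user is the article's
# Emily Brunel; 'OU=Users,DC=sphinx,DC=org' is a placeholder surviving OU.
Import-Module ActiveDirectory
$namePattern = 'Emily Brunel*'      # deleted objects keep "<name>\0ADEL:<guid>" as their name

# Deleted objects keep lastKnownParent, which tells you where each candidate lived; whenChanged
# approximates the deletion time, so the newest deletion sorts first.
$candidates = Get-ADObject -Filter { objectClass -eq 'user' -and Deleted -eq $true -and Name -like $namePattern } `
                           -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
              Sort-Object whenChanged -Descending
$candidates | Format-Table Name, lastKnownParent, whenChanged, ObjectGUID -AutoSize

$victim = $candidates | Select-Object -First 1

# Failure mode: if the parent OU is in the recycle bin too, lastKnownParent points at a deleted
# DN and Restore-ADObject fails. Restore the OU first, or fall back to a surviving OU.
$parent = Get-ADObject -Identity $victim.lastKnownParent -IncludeDeletedObjects -Properties Deleted -ErrorAction SilentlyContinue
if ($parent -and $parent.Deleted) {
    Restore-ADObject -Identity $parent.ObjectGUID          # brings the OU back to its own lastKnownParent
    Restore-ADObject -Identity $victim.ObjectGUID
} elseif (-not $parent) {
    Restore-ADObject -Identity $victim.ObjectGUID -TargetPath 'OU=Users,DC=sphinx,DC=org'   # placeholder OU
} else {
    Restore-ADObject -Identity $victim.ObjectGUID
}

# Verify the account is back with its group memberships intact.
Get-ADUser -Identity EmilyBrunel -Properties memberOf | Select-Object -ExpandProperty memberOf

# How long deleted objects stay restorable: msDS-DeletedObjectLifetime, falling back to
# tombstoneLifetime when unset. After that the object becomes a recycled tombstone and is gone.
$configNc = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
             -Properties msDS-DeletedObjectLifetime, tombstoneLifetime |
    Select-Object msDS-DeletedObjectLifetime, tombstoneLifetime
```

Group memberships survive a recycle-bin restore because the linked attributes are preserved on the deleted object; that is the property the article's screenshots rely on, and the reason the recycle bin is preferable to reanimating tombstones.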

Generate AD snapshots

The AD recycle bin helps restore an object, but what do you do when you restore an account with incorrect settings?

To fix a user account in that situation, it helps to create AD snapshots to view previous settings and restore attributes. Use the following command from an elevated prompt:

ntdsutil snapshot 'Activate Instance NTDS' Create quit quit

The Ntdsutil command-line tool installs with AD and generates the output in this screenshot when creating the snapshot.

The command-line output when creating an AD snapshot.

You don’t need to take snapshots on every domain controller. The number of snapshots will depend on the geographic spread of your organization and the arrangement of the administration team.

The initial snapshot captures the entire AD. Subsequent snapshots take incremental changes. The frequency of snapshots should be related to the amount of movement of the data in your AD.

Restore data from a snapshot

In this test scenario, let’s assume that the group memberships of a user account have been incorrectly changed. Run the following PowerShell commands to remove the user’s group memberships:

Remove-ADGroupMember -Identity finance -Members (Get-ADUser -Identity EmilyBrunel) -Confirm:$false
Remove-ADGroupMember -Identity department1 -Members (Get-ADUser -Identity EmilyBrunel) -Confirm:$false
Remove-ADGroupMember -Identity project1 -Members (Get-ADUser -Identity EmilyBrunel) -Confirm:$false

You need to identify the snapshot from which you will restore the data. The following command lists the snapshots:

ntdsutil snapshot 'List All' quit quit

The Ntdsutil utility produces a list of the available AD snapshots.

To mount the snapshot, run the following command:

ntdsutil snapshot "mount f828eb4e-3a06-4bcb-8db6-2b07b54f9d5f" quit quit

Run the following command to open the snapshot:

dsamain -dbpath 'C:\$SNAP_201909161530_VOLUMEC$\Windows\NTDS\ntds.dit' -ldapport 51389

The Dsamain utility gets added to the system when you install AD Domain Services. Note that the console you use to mount and open the snapshot is locked.

Mount and open the AD snapshot.

When you view the group membership of the user account in your AD, it will be empty. The following command will not return any output:

Get-ADUser -Identity EmilyBrunel -Properties memberof | select -ExpandProperty memberof

When you view the same account from your snapshot, you can see the group memberships:

Get-ADUser -Identity EmilyBrunel -Properties memberof -Server TTSDC01.sphinx.org:51389  | select -ExpandProperty memberof
CN=Project1,OU=Groups,DC=Sphinx,DC=org
CN=Department1,OU=Groups,DC=Sphinx,DC=org
CN=Finance,OU=Groups,DC=Sphinx,DC=org

To restore the group memberships, run the following:

Get-ADUser -Identity EmilyBrunel -Properties memberof -Server TTSDC01.sphinx.org:51389  | select -ExpandProperty memberof | 
ForEach-Object {Add-ADGroupMember -Identity $_ -Members (Get-ADUser -Identity EmilyBrunel)}

This reads the group memberships from the snapshot version of the account and adds the user back into each of those groups in your production AD.

Your user account now has the correct group memberships:

Get-ADUser -Identity EmilyBrunel -Properties memberof | select -ExpandProperty memberof
CN=Project1,OU=Groups,DC=Sphinx,DC=org
CN=Department1,OU=Groups,DC=Sphinx,DC=org
CN=Finance,OU=Groups,DC=Sphinx,DC=org

Press Ctrl-C in the console in which you ran Dsamain, and then unmount the snapshot:

ntdsutil snapshot "unmount *" quit quit

Run an authoritative restore from a backup

In the last scenario, imagine you lost a whole OU’s worth of data, including the OU. You could do an Active Directory recovery using data from the recycle bin, but that would mean restoring the OU and any OUs it contained. You would then have to restore each individual user account. This could be a tedious and error-prone process if the data in the user accounts in the OU changes frequently. The solution is to perform an authoritative restore.

Before you can perform a restore, you need a backup. We'll use Windows Server Backup because it is readily available. Run the following PowerShell command to install it:

Install-WindowsFeature -Name Windows-Server-Backup

The following code will create a backup policy and run a system state backup:

Import-Module WindowsServerBackup
$wbp = New-WBPolicy

$volume = Get-WBVolume -VolumePath C:
Add-WBVolume -Policy $wbp -Volume $volume

Add-WBSystemState $wbp

$backupLocation = New-WBBackupTarget -VolumePath R:
Add-WBBackupTarget -Policy $wbp -Target $backupLocation

Set-WBVssBackupOptions -Policy $wbp -VssCopyBackup

Start-WBBackup -Policy $wbp

The following command creates a backup of the system state, including the AD database:

Add-WBSystemState $wbp

The following code creates a scheduled backup of the system state at 8 a.m., noon, 4 p.m. and 8 p.m.

Set-WBSchedule -Policy $wbp -Schedule 08:00, 12:00, 16:00, 20:00
Set-WBPolicy -Policy $wbp

In this example, let’s say an OU called Test with some critical user accounts got deleted.

Reboot the domain controller on which you've performed the backup, and go into Directory Services Recovery Mode. If your domain controller is a VM, you may need to use Msconfig to set the boot option rather than using the F8 key to get to the boot options menu.

$bkup = Get-WBBackupSet | select -Last 1
Start-WBSystemStateRecovery -BackupSet $bkup -AuthoritativeSysvolRecovery

Type Y, and press Enter to restore to original location.

At the prompt, restart the domain controller to boot back into recovery mode.

You need to mark the restored OU as authoritative by using Ntdsutil:

ntdsutil
C:\Windows\system32\ntdsutil.exe: activate instance NTDS
Active instance set to "NTDS".
C:\Windows\system32\ntdsutil.exe: authoritative restore
authoritative restore: restore subtree "ou=test,dc=sphinx,dc=org"

A series of messages will indicate the progress of the restoration, including the number of objects restored.

Exit ntdsutil:

authoritative restore: quit
C:\Windows\system32\ntdsutil.exe: quit

Restart the domain controller. Use Msconfig before the reboot to reset to a normal start.

The OU will be restored on your domain controller and will replicate to the other domain controllers in AD.

A complete loss of AD requires intervention

In the unlikely event of losing your entire AD forest, you’ll need to work through the AD forest recovery guide at this link. If you have a support agreement with Microsoft, then this would be the ideal time to use it.


How to rebuild the SYSVOL tree using DFSR

Active Directory has a number of different components to keep track of user and resource information in an organization….

If one piece starts to fail and a recovery effort falters, it could mean it’s time for a rebuilding process.

The system volume (SYSVOL) is a shared folder found on domain controllers in an Active Directory domain that distributes the logon and policy scripts to users on the domain. Creating the first domain controller also produces SYSVOL and its initial contents. As you build domain controllers, the SYSVOL structure is created, and the contents are replicated from another domain controller. If this replication fails, it could leave the organization in a vulnerable position until it is corrected.

How the SYSVOL directory is organized

SYSVOL contains the following items:

  • group policy data;
  • logon scripts;
  • staging folders used to synchronize data and files between domain controllers; and
  • file system junctions.

Figure 1: Use the Get-SmbShare cmdlet to show the SYSVOL and NETLOGON shares on an Active Directory domain controller.

The Distributed File System Replication (DFSR) service replicates SYSVOL data on Windows 2008 and above when the domain functional level is Windows 2008 and above.

Figure 2: The SYSVOL folder contains four folders: domain, staging, staging areas and sysvol.

The position of SYSVOL on disk is set when you promote a server to a domain controller. The default location is C:\Windows\SYSVOL\sysvol, as shown in Figure 1.

For this tutorial, we will use PowerShell Core v7 preview 3, because it fixes the .NET Core bug related to displaying certain properties, such as ProtectedFromAccidentalDeletion.

SYSVOL contains a number of folders, as shown in Figure 2.

How to protect SYSVOL before trouble strikes

As the administrator in charge of Active Directory, you need to consider how you’ll protect the data in SYSVOL to protect the system in case of corruption or user error.

Windows backs up SYSVOL as part of the system state, but you should not restore from system state, as it might not result in a proper restoration of SYSVOL. If you're working with the relative identifier (RID) master flexible single master operations role holder, you definitely don't want to restore system state and risk having multiple objects with the same security identifier. You need a file-level backup of the SYSVOL area. Don't forget you can use Windows Server Backup to protect SYSVOL on a domain controller if you can't use your regular backup approach.

If you can’t use a backup, then login scripts can be copied to a backup folder. Keep the backup folder on the same volume so the permissions aren’t altered. You can back up group policy objects (GPOs) with PowerShell:

Import-Module GroupPolicy -SkipEditionCheck

The SkipEditionCheck parameter is required, because the GroupPolicy module hasn’t had CompatiblePSEditions in the module manifest set to include Core.

Create a folder for the backups:

New-Item -ItemType Directory -Path C:\ -Name GPObackup

Use the date to create a subfolder name and create the subfolder for the current backup:

$date = (Get-Date -Format 'yyyyMMdd').ToString()

New-Item -ItemType Directory -Path C:\GPObackup -Name $date

Run the backup:

Backup-GPO -All -Path (Join-Path -Path C:\GPObackup -ChildPath $date)

If you still use login scripts, rather than doing everything through GPOs, the system stores your scripts in the NETLOGON share in the C:\Windows\SYSVOL\domain\scripts folder.

Restore the SYSVOL folder

SYSVOL replication through DFSR usually works. However, as with any system, it’s possible for something to go wrong. There are two scenarios that should be covered:

  • Loss of SYSVOL information on a single domain controller. The risk is that the change that removed the data from SYSVOL has replicated across the domain.
  • Loss of SYSVOL on all domain controllers, which requires a complete rebuild.

The second case involving a complete rebuild of SYSVOL is somewhat more complicated, with the first case being a subset of the second. The following steps explain how to recover from a complete loss of SYSVOL, with added explainers to perform an authoritative replication of a lost file.

Preparing for a SYSVOL restore

To prepare to rebuild the SYSVOL tree, stop the DFSR service on all domain controllers:

Stop-Service DFSR

On the domain controller with the SYSVOL you want to fix — or the one with the data you need to replicate — disable DFSR and make the server authoritative.

Get-ADObject -Identity "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=TTSDC01,OU=Domain Controllers,DC=Sphinx,DC=org" -Properties * |
    Set-ADObject -Replace @{'msDFSR-Enabled'=$false; 'msDFSR-options'=1}

Disable DFSR on the other domain controllers in the domain. The difference in the commands is you’re not setting the msDFSR-options property.

Get-ADObject -Identity "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=TTSDC02,OU=Domain Controllers,DC=Sphinx,DC=org" -Properties * |
    Set-ADObject -Replace @{'msDFSR-Enabled'=$false}

Rebuild the SYSVOL tree data

The next step is to restore the data. You can skip this if you’re just forcing replication of lost data.

On domain controllers where you can’t perform a restore, you’ll need to rebuild the SYSVOL tree folder structure and share structure. This tutorial assumes you’ve created SYSVOL in the default location with the following folder structure:

C:\Windows\SYSVOL
C:\Windows\SYSVOL\domain
C:\Windows\SYSVOL\domain\policies
C:\Windows\SYSVOL\domain\scripts
C:\Windows\SYSVOL\staging
C:\Windows\SYSVOL\staging\domain
C:\Windows\SYSVOL\staging areas
C:\Windows\SYSVOL\sysvol

You can use the following PowerShell commands to re-create the folders in the minimum number of steps. Be sure to change the nondefault location of the Stest folder used below to match your requirements.

New-Item -Path C:\Stest\SYSVOL\domain\scripts -ItemType Directory
New-Item -Path C:\Stest\SYSVOL\domain\policies -ItemType Directory
New-Item -Path C:\Stest\SYSVOL\staging\domain -ItemType Directory
New-Item -Path 'C:\Stest\SYSVOL\staging areas' -ItemType Directory
New-Item -Path C:\Stest\SYSVOL\sysvol -ItemType Directory

Re-create the directory junction points. Map SYSVOL\domain (source folder) to SYSVOL\SYSVOL and SYSVOL\staging\domain (source folder) to SYSVOL\staging areas.

You need to run mklink as administrator from a command prompt, rather than PowerShell:

C:\Windows>mklink /J C:\stest\SYSVOL\SYSVOL\sphinx.org C:\stest\SYSVOL\domain
Junction created for C:\stest\SYSVOL\SYSVOL\sphinx.org <<===>> C:\stest\SYSVOL\domain

C:\Windows>mklink /J "C:\stest\SYSVOL\staging areas\sphinx.org" C:\stest\sysvol\Staging\domain
Junction created for C:\stest\SYSVOL\staging areas\sphinx.org <<===>> C:\stest\sysvol\Staging\domain

Set the following permissions on the SYSVOL folder:

NT AUTHORITY\Authenticated Users    ReadAndExecute, Synchronize
NT AUTHORITY\SYSTEM                 FullControl
BUILTIN\Administrators              Modify, ChangePermissions, TakeOwnership, Synchronize
BUILTIN\Server Operators            ReadAndExecute, Synchronize

Inheritance should be blocked.

If you don’t have a backup of the GPOs, re-create the default GPOs with the DCGPOFIX utility, and then re-create your other GPOs.

You may need to re-create the SYSVOL share (See Figure 1). Set the share permissions to the following:

Everyone: Read

Authenticated Users: Full control

Administrators group: Full control

Set the share comment (description) to Logon server share.

Check that the NETLOGON share is available. It remained available during my testing process, but you may need to re-create it. 

Share permissions for NETLOGON are the following:

Everyone: Read

Administrators: Full control
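The rebuild steps above (folder tree, the two junctions, the blocked-inheritance NTFS permissions, and the SYSVOL and NETLOGON shares) as one added PowerShell script. This is not code from the original article: it uses PowerShell's own junction support (New-Item -ItemType Junction, PowerShell 5.1 or later) in place of the article's mklink /J run from a command prompt, it reuses the article's non-default C:\Stest\SYSVOL test root and sphinx.org domain, and it assumes the NETLOGON share carries the same "Logon server share" description as SYSVOL. Run it elevated on the domain controller being rebuilt.

```powershell
# Added example, not from the original article. Assumptions: test root C:\Stest\SYSVOL (use
# C:\Windows\SYSVOL on a real DC), domain sphinx.org, PowerShell 5.1+, elevated session.
$root      = 'C:\Stest\SYSVOL'
$domainDns = 'sphinx.org'

# 1. Folder tree (intermediate folders such as 'domain' and 'staging' are created implicitly).
foreach ($sub in 'domain\scripts', 'domain\policies', 'staging\domain', 'staging areas', 'sysvol') {
    New-Item -Path (Join-Path $root $sub) -ItemType Directory -Force | Out-Null
}

# 2. Junctions: sysvol\<domain> -> domain, 'staging areas\<domain>' -> staging\domain.
New-Item -ItemType Junction -Path (Join-Path $root "sysvol\$domainDns")        -Target (Join-Path $root 'domain')         | Out-Null
New-Item -ItemType Junction -Path (Join-Path $root "staging areas\$domainDns") -Target (Join-Path $root 'staging\domain') | Out-Null

# 3. NTFS permissions on the SYSVOL root: block inheritance, drop inherited ACEs, set exactly four.
$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)     # $true = block inheritance, $false = do not copy inherited ACEs
foreach ($existing in @($acl.Access)) { $acl.RemoveAccessRule($existing) | Out-Null }

$flags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$aces  = @(
    @{ Identity = 'NT AUTHORITY\Authenticated Users'; Rights = 'ReadAndExecute, Synchronize' },
    @{ Identity = 'NT AUTHORITY\SYSTEM';              Rights = 'FullControl' },
    @{ Identity = 'BUILTIN\Administrators';           Rights = 'Modify, ChangePermissions, TakeOwnership, Synchronize' },
    @{ Identity = 'BUILTIN\Server Operators';         Rights = 'ReadAndExecute, Synchronize' }
)
foreach ($ace in $aces) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $ace.Identity, [System.Security.AccessControl.FileSystemRights]$ace.Rights, $flags, 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $root -AclObject $acl

# 4. Shares, created only if missing. SYSVOL exposes the sysvol subfolder, NETLOGON domain\scripts.
if (-not (Get-SmbShare -Name SYSVOL -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name SYSVOL -Path (Join-Path $root 'sysvol') -Description 'Logon server share' `
                 -ReadAccess 'Everyone' -FullAccess 'Authenticated Users', 'Administrators' | Out-Null
}
if (-not (Get-SmbShare -Name NETLOGON -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name NETLOGON -Path (Join-Path $root 'domain\scripts') -Description 'Logon server share' `
                 -ReadAccess 'Everyone' -FullAccess 'Administrators' | Out-Null
}

# 5. Verify: junction target, the explicit ACEs (IsInherited should be False for all), share ACLs.
Get-Item (Join-Path $root "sysvol\$domainDns") | Select-Object FullName, Target
(Get-Acl -Path $root).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
Get-SmbShareAccess -Name SYSVOL, NETLOGON
```

The verification step matters because SYSVOL is where every domain member fetches Group Policy and logon scripts: an ACE left inherited from C:\ that grants Users write access to this tree would let any domain user modify scripts that run on every machine.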

You should be able to restart replication.

How to restart Active Directory replication

Start the DFSR service and reenable DFSR on the authoritative server:

Start-Service -Name DFSR

Get-ADObject -Identity "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=TTSDC01,OU=Domain Controllers,DC=Sphinx,DC=org" -Properties * | Set-ADObject -Replace @{'msDFSR-Enabled'=$true}

Run the following command to initialize SYSVOL:

DFSRDIAG POLLAD

If you don’t have the DFS management tools installed, run this command from a Windows PowerShell 5.1 console:

Install-WindowsFeature RSAT-DFS-Mgmt-Con

The ServerManager module cannot load into PowerShell Core at this time.

Start DFSR service on other domain controllers:

Start-Service -Name DFSR

Enable DFSR on the nonauthoritative domain controllers. Check that replication has occurred.

Get-ADObject -Identity "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=TTSDC02,OU=Domain Controllers,DC=Sphinx,DC=org" -Properties * | Set-ADObject -Replace @{'msDFSR-Enabled'=$true}

Run DFSRDIAG on the nonauthoritative domain controllers:

DFSRDIAG POLLAD

The results might not be immediate, but replication should restart, and then SYSVOL should be available.
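A way to watch that restart happen, added here as an example and not code from the original article: it queries the DFSR WMI provider for the state of the SYSVOL replicated folder on every domain controller, pulls the DFSR events that mark the authoritative and non-authoritative initializations, and confirms the shares are back. It assumes the ActiveDirectory module on the machine you run it from and WinRM access to the other DCs.

```powershell
# Added example, not from the original article. Assumptions: ActiveDirectory module present,
# WinRM open to all DCs, DFSR-based SYSVOL replication (domain functional level 2008 or later).
Import-Module ActiveDirectory

# DfsrReplicatedFolderInfo.State values as documented for the DFSR WMI provider.
$stateNames = @{ 0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync'; 3 = 'Auto Recovery'; 4 = 'Normal'; 5 = 'In Error' }

$dcs = (Get-ADDomainController -Filter *).HostName
$report = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $folder = Get-CimInstance -Namespace 'root\microsoftdfs' -ClassName DfsrReplicatedFolderInfo |
              Where-Object ReplicatedFolderName -eq 'SYSVOL Share'
    # Events that tell the story of a rebuild: 4602 = SYSVOL initialized as the authoritative
    # (primary) member, 4604 = initialized from a partner, 4614 = waiting for initial replication.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = 4602, 4604, 4614 } `
                           -MaxEvents 5 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC             = $env:COMPUTERNAME
        State          = $folder.State
        LastEventId    = ($events | Select-Object -First 1).Id
        LastEventTime  = ($events | Select-Object -First 1).TimeCreated
        SysvolShared   = [bool](Get-SmbShare -Name SYSVOL   -ErrorAction SilentlyContinue)
        NetlogonShared = [bool](Get-SmbShare -Name NETLOGON -ErrorAction SilentlyContinue)
    }
}

$report |
    Select-Object DC, @{ n = 'State'; e = { $stateNames[[int]$_.State] } }, LastEventId, LastEventTime, SysvolShared, NetlogonShared |
    Format-Table -AutoSize
```

The authoritative server should log 4602 and reach 'Normal' first; the others sit in 'Initial Sync' (after 4614 and then 4604) until they have pulled the tree from it. A DC that stays 'In Error', or never moves off 'Uninitialized' after DFSRDIAG POLLAD, is the one whose msDFSR-Enabled flag or folder structure still needs attention.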

The process of rebuilding the SYSVOL tree is not something that occurs every day. With any luck, you won't have to do it ever, but it's a skill worth developing to ensure you can protect and recover your Active Directory domain.


New to Microsoft 365 in July—updates to Azure AD, Microsoft Teams, Outlook, and more

This month, we’re announcing updates to Azure Active Directory (Azure AD) and Microsoft Defender Advanced Threat Protection (ATP) to help improve your security posture, updates to Microsoft Teams and Outlook on the web to help you be more productive, and updates to Desktop Analytics and Office 365 ProPlus to streamline IT management and improve efficiency.

Here’s a look at what’s new in July.

Strengthen security while simplifying processes

New capabilities help you protect against, discover, and remediate cybersecurity threats.

Go passwordless to reduce risk and improve account security—This month, we announced the public preview of FIDO2 security keys support in Azure AD. Now, with FIDO2 technologies, you can provide users with seamless, secure, and passwordless access to all Azure AD-connected apps and services. Additionally, administrators can assign passwordless credentials to users and groups and allow self-service sign-up. To get started, check out our step-by-step documentation on enabling passwordless sign-in for Azure AD.

Discover, prioritize, and remediate vulnerabilities in real-time—Last month, we announced the general availability of Microsoft Threat & Vulnerability Management (TVM). TVM delivers a new set of advanced, agentless, cloud-powered capabilities that provide continuous, real-time, risk-based vulnerability management. If you already have Microsoft Defender ATP, the TVM solution is now available within your Microsoft Defender ATP portal. If you don’t have a subscription, you can sign up for a trial of Microsoft Defender ATP including TVM.

Improve productivity and collaboration

New capabilities in Microsoft 365 help you collaborate easily with others, organize tasks, and quickly find answers.

Communicate and collaborate more easily with new capabilities in Microsoft Teams—This month, we added new capabilities to Teams including Read receipts and Priority notifications to help ensure time-sensitive messages are received and prioritized. We also announced the new Announcements feature to highlight important news and the ability to post a single message across multiple channels.

Animated screenshot of Select channels being used in Microsoft Teams.

Finally, the new time clock feature in Teams for Firstline Workers brings clock in/out capabilities to the Team Shifts module. And the targeted communication feature enables messages to be sent to everyone within a specific role—such as sending a message to all cashiers in a store or all nurses in a hospital.

These updates for Teams will be rolling out over the next couple of months.

Add polls to your Outlook emails and book meeting rooms with Outlook on the web—This month, we’re announcing two new generally available features in Outlook on the web. With Microsoft Quick Poll, you can now add polls directly to your Outlook emails, so recipients can vote directly in the email or click the provided link and vote in a browser window. To get started, download the Quick Poll add-in for Outlook.

Additionally, you can now easily book meeting rooms in Outlook on the web. When creating a meeting, you can quickly see which rooms are available, search by city or room, and view rooms that are available during recurring events.

Animated screenshot of a Teams meeting being created in Outlook.

Make answers in Yammer more discoverable—Now, questions in Yammer will stand out from general discussions with new, unique styling. Post authors and group admins can also mark the best response to questions as a “Best Answer,” making it easier for users to find answers. These changes are currently in private preview and will roll out to all Office 365 subscribers later this summer.

Animated screenshot of a Best Answer being voted up in Yammer.

Work together on tasks in Microsoft To-Do—Now, you can assign a task to someone on a shared To-Do list and work together to knock out tasks more quickly. To get started, just @mention someone to assign them a task, and everyone on the shared list will be able to see it.

Animated screenshot of a task being assigned in Microsoft To-Do.

Streamline IT management

Data-driven tools help you deliver seamless software deployments and improvements for Office in virtualized environments.

Improve the quality and reliability of software deployments—This month, we announced the public preview of Desktop Analytics, a cloud-based service that provides intelligence for you to make more informed decisions about the update readiness of your Windows clients ahead of new Windows 10 deployments. In combination with System Center Configuration Manager, Desktop Analytics is designed to create an inventory of the Windows apps running in the organization and assess app compatibility with the latest feature updates of Windows 10. Desktop Analytics is currently offered as an Office 365 service and requires an Office 365 subscription in your Azure AD tenant. To get started, enable Desktop Analytics in the Configuration Manager console.

Screenshot of Desktop Analytics dashboard.

Improve the Office app experience in virtual environments—This month, we announced new capabilities to help improve the user experience in virtualized environments. First, FSLogix technology, which improves the performance of Office 365 ProPlus in multi-user virtual environments, is now available at no additional cost for Microsoft 365 customers. Second, Windows Server 2019 will now support Office 365 ProPlus and OneDrive Files On-Demand in the coming months. Lastly, Outlook, OneDrive, and Teams are getting new capabilities to improve the user experience in a virtualized environment.

Drive digital transformation with new Microsoft cloud regions—Microsoft Office 365 services are now available from our new cloud regions located in South Africa and the United Arab Emirates (UAE). These local datacenters open the door for more organizations to embrace the benefits of the cloud with resilient cloud services that can help meet data residency, security, and compliance needs.

Other updates

  • Teams is now included in the monthly Office 365 updates for existing customers and will begin rolling out to existing installations over several weeks.
  • We retired the “Online” branding for the Office apps on the web. You’ll see this change reflected in the product experience in places such as the app headers, platform-specific commands, and help menus. This change reinforces that Office is a cloud-connected experience, which you can use through apps on the desktop, web, or mobile devices.
  • We recently announced OneDrive Personal Vault, a protected area in OneDrive that you can only access with a strong authentication method or second step of identity verification.
  • These five Outlook mobile tips and tricks can help small business owners save time and get more done quickly.

Author: Microsoft News Center

Enzoic for Active Directory brings continuous password protection

Enzoic has launched a new version of Enzoic for Active Directory that includes support for real-time password monitoring to fight against the use of compromised passwords.

Enzoic for Active Directory screens users’ passwords against its continuously updated database of compromised credentials, including billions of unique username and password combinations, according to the vendor.

Microsoft Azure Active Directory manages permissions and access to networked resources, making it a target for hackers to gain unauthorized access to user accounts, according to Enzoic. Verizon’s Data Breach Investigations Report found 29% of security breaches involved stolen credentials.

Enzoic for Active Directory 2.0 brings Continuous Password Protection that triggers an alert if a password becomes vulnerable, enabling Active Directory administrators to enforce password changes in response to real-time credential exposures, not just against a static list of exposed credentials or with periodic password resets.

Once a password is flagged as vulnerable, Enzoic notifies users and automates follow-up action, from prompting a user to change it to disabling the account according to an organization’s policies.

Enzoic for Active Directory 2.0 meets the National Institute of Standards and Technology 800-63B requirements with the following functions:

  • password screening against lists of commonly used passwords, passwords in cracking dictionaries and compromised passwords;
  • password checks upon password creation, as well as on a daily basis against a live database;
  • immediate response trigger when a compromised password is detected; and
  • elimination of periodic password resets due to continuous password monitoring.

According to a OneLogin study, only 35% of organizations’ password creation requirements check against common password lists, despite 92% of organizations claiming their current password guidelines are adequate. Furthermore, common passwords only represent a small portion of vulnerable passwords, with many password-related incidents stemming from cracking dictionaries used by hackers.

Many security vendors such as SolarWinds, Specops and nFront Security offer password complexity plugins for Active Directory, but do not offer around-the-clock monitoring. Enzoic claimed its continuous monitoring updates enhance overall enterprise security.


How does AD DS differ from Microsoft Azure Active Directory?

While Active Directory Domain Services and Microsoft Azure Active Directory appear similar, they are not interchangeable.

Administrators exploring whether to move to Azure Active Directory for enterprise authentication and authorization should understand how the cloud-based platform differs from the traditional on-premises Active Directory.

Distinguish on-premises AD from Azure AD

Active Directory (AD) is a combination of services to help manage users and systems, including Active Directory Domain Services (AD DS) and Active Directory Federation Services (AD FS). AD DS is the database that provides the directory service, which is essentially the foundation of AD.

AD uses an X.500-based hierarchical framework and traditional tools such as the Domain Name System (DNS) to locate assets, the Lightweight Directory Access Protocol (LDAP) to work with directories both on premises and on the internet, and Kerberos and NT LAN Manager (NTLM) for secure authentication. AD also supports organizational units (OUs) and group policy objects (GPOs) to organize and present assets.

Microsoft Azure Active Directory is a directory service from Microsoft’s cloud that handles identity management across the internet using the HTTP and HTTPS protocols. Azure AD’s flat structure does not use OUs and GPOs, which prevents the use of the organizational structure of on-premises AD.

Instead of Kerberos, Azure AD uses authentication and security protocols such as Security Assertion Markup Language (SAML) and Open Authorization (OAuth). In addition, the Azure AD Graph API is used to query Azure AD rather than LDAP.

Structural differences between Azure AD and AD DS

Microsoft Azure Active Directory cannot create domains, trees and forests like AD DS. Instead, Azure AD treats each organization like a tenant that accesses Azure AD via the Azure portal to manage the organization’s users, passwords and permissions.

Organizations that subscribe to a Microsoft cloud service, such as Office 365 or Exchange Online, are Azure AD tenants. Azure AD supports single sign-on to give users access to multiple services after logging in.

Microsoft Azure Active Directory is different from Azure Active Directory Domain Services. Where Azure AD provides fewer features than on-premises AD, Azure AD DS serves as a more full-featured domain controller that uses LDAP, domain joining, Kerberos and NTLM authentication. Azure AD DS is a complete version of AD in the Azure cloud.

When to consider a combination of AD DS and Azure AD

Administrators can use AD DS and Microsoft Azure Active Directory separately or use both for a single AD entity. For example, an application hosted in the cloud could use on-premises AD, but it might suffer from latency from authentication requests that bounce from Azure to the on-premises AD DS.

Organizations have several options to implement AD in Azure. For example, an organization can build an AD domain in Azure that integrates with the local AD domain via Azure AD Connect. This creates a trust relationship between the domains.

Alternatively, an organization can extend its on-premises AD DS to Azure by running AD DS as a domain controller in an Azure VM. This is a common method for enterprises that have local and Azure resources connected via a virtual private network or dedicated connectivity, such as an ExpressRoute connection.

There are several other ways to use a combination of the cloud and on-premises directory services. Admins can create a domain in Azure and join it to the local AD forest. A company can build a separate forest in Azure that is trusted by the on-premises AD forest. Admins can use AD FS to replicate a local AD DS deployment to Azure.

What is Active Directory? – Definition from WhatIs.com

Active Directory (AD) is a Microsoft product that consists of several services that run on Windows Server to manage permissions and access to networked resources.

Active Directory stores data as objects. An object is a single element, such as a user, group, application or device (a printer, for example). Objects are normally defined as either resources, such as printers or computers, or security principals, such as users or groups.

Active Directory categorizes objects by name and attributes. For example, the name of a user might include the name string, along with information associated with the user, such as passwords and Secure Shell (SSH) keys.

The main service in Active Directory is Domain Services (AD DS), which stores directory information and handles the interaction of the user with the domain. AD DS verifies access when a user signs into a device or attempts to connect to a server over a network. AD DS controls which users have access to each resource. For example, an administrator typically has a different level of access to data than an end user.

Other Microsoft products, such as Exchange Server and SharePoint Server, rely on AD DS to provide resource access. The server that hosts AD DS is the domain controller.

Active Directory services

Several other services comprise Active Directory. They are Lightweight Directory Services, Certificate Services, Federation Services and Rights Management Services. Each service expands the product’s directory management capabilities.

Lightweight Directory Services (AD LDS) has the same codebase as AD DS, sharing similar functionalities, such as the API. AD LDS, however, can run in multiple instances on one server and holds directory data in a data store using Lightweight Directory Access Protocol (LDAP).

[Embedded video: How to use the identity and access tool, from Microsoft]

LDAP is an application protocol used to access and maintain directory services over a network. LDAP stores objects — such as usernames and passwords — in directory services — such as Active Directory — and shares that object data across the network.

Certificate Services (AD CS) generates, manages and shares certificates. A certificate uses encryption to enable a user to exchange information over the internet securely with a public key.

Active Directory Federation Services (AD FS) authenticates user access to multiple applications — even on different networks — using single sign-on (SSO). As the name indicates, SSO only requires the user to sign on once rather than use multiple dedicated authentication keys for each service.

Rights Management (AD RMS) controls information rights and management. AD RMS encrypts content, such as email or Word documents, on a server to limit access.

Major features in Active Directory Domain Services

Active Directory Domain Services uses a tiered layout consisting of domains, trees and forests to coordinate networked elements.

A domain is a group of objects, such as users or devices, that share the same AD database. Domains have a domain name system (DNS) structure.

[Screenshot: Active Directory’s Group Policy Management console gives admins a tool to customize user and computer settings in their organization.]

A tree is one or more domains grouped together. The tree structure uses a contiguous namespace to gather the collection of domains in a logical hierarchy. Trees can be viewed as trust relationships where a secure connection, or trust, is shared between two domains. Multiple domains can be trusted where one domain can trust a second, and the second domain can trust a third. Because of the hierarchical nature of this setup, the first domain can implicitly trust the third domain without needing explicit trust.

A forest is a group of multiple trees. A forest consists of shared catalogs, directory schemas, application information and domain configurations. The schema defines an object’s class and attributes in a forest. In addition, global catalog servers provide a listing of all the objects in a forest.

Organizational units (OUs) organize users, groups and devices. Each domain can contain its own OUs. However, OUs do not have separate namespaces, as each user or object in a domain must be unique. For example, two user accounts with the same username cannot be created in the same domain, even in different OUs.

History and development of Active Directory

Microsoft offered a preview of Active Directory in 1999 and released it a year later with Windows 2000 Server. Microsoft continued to develop new features with each successive Windows Server release.

Windows Server 2003 included a notable update to add forests and the ability to edit and change the position of domains within forests. Domains on Windows Server 2000 could not support newer AD updates running in Server 2003.

Windows Server 2008 introduced AD FS. Additionally, Microsoft rebranded the directory for domain management as AD DS, and AD became an umbrella term for the directory-based services it supported.

Windows Server 2016 updated AD DS to improve AD security and migrate AD environments to cloud or hybrid cloud environments. Security updates included the addition of privileged access management (PAM).

PAM monitored access to an object, the type of access granted and what actions the user took. PAM added bastion AD forests to provide an additional secure and isolated forest environment. Windows Server 2016 ended support for devices on Windows Server 2003.

In December 2016, Microsoft released Azure AD Connect to join an on-premises Active Directory system with Azure Active Directory (Azure AD) to enable SSO for Microsoft’s cloud services, such as Office 365. Azure AD Connect works with systems running Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016.

Active Directory versus Workgroup

Workgroup is another Microsoft program that connects Windows machines over a peer-to-peer network. Workgroup allows these machines to share files, internet access, printers and other resources over the network. Peer-to-peer networking removes the need for a server for authentication.

Main competitors to Active Directory

Other directory services on the market that provide similar functionality to AD include Red Hat Directory Server, Apache Directory and OpenLDAP.

Red Hat Directory Server manages user access to multiple systems in Unix environments. Similar to AD, Red Hat Directory Server includes user ID and certificate-based authentication to restrict access to data in the directory.

Apache Directory is an open source project that runs on Java and operates on any LDAP server, including systems on Windows, macOS and Linux. Apache Directory includes a schema browser and an LDAP editor/browser. Apache Directory supports Eclipse plug-ins.

OpenLDAP is a Windows-based open source LDAP directory. OpenLDAP enables users to browse, search and edit objects in an LDAP server. OpenLDAP also features copying, moving and deleting of trees in the directory, as well as enabling schema browsing, password management, LDAP SSL support, and more.

MEF targets multivendor interoperability for network services

MEF this week touted its progress in multivendor interoperability by announcing its active software-defined WAN implementation project. Three SD-WAN vendors — Riverbed Technology, Nuage Networks from Nokia and VMware’s VeloCloud — are leading the MEF project, focusing on multivendor SD-WAN use cases. Software development services provider Amartus is also participating with the SD-WAN vendors.

MEF — a Los Angeles-based association, with more than 200 members — launched its multivendor SD-WAN implementation project last year in an attempt to standardize services across multiple providers and technologies. But multivendor interoperability has numerous aspects, according to Joe Ruffles, global standards architect at Riverbed, based in San Francisco, and co-leader of the SD-WAN implementation project. Companies merge; they need to partner with somebody to increase geographic reach, or they want basic interoperability and service chaining, he said.

The implementation project allows member vendors to get their hands dirty, while actively testing and proving out proposed SD-WAN interoperability issues, Ruffles said. Each vendor uses MEF’s cloud-based dev-test platform, MEFnet, to develop its respective SD-WAN technology. They then interconnect and orchestrate those SD-WAN implementations using MEF’s Presto API, which is part of MEF’s Lifecycle Service Orchestration (LSO) framework.

The Presto API communicates with orchestration and management to help service providers manage multiple SD-WAN implementations with a single orchestrator. Additionally, it helps create better multivendor interoperability among SD-WAN controllers and edge devices, according to Ralph Santitoro, head of SDN, network functions virtualization and SD-WAN at Fujitsu and MEF distinguished fellow.

“Member companies can get together and connect their appliances or run software in the environment and actually do things,” Santitoro said. “They can actually prove out different topics or items that are important to them or the industry.”

Other MEF members can build from the existing SD-WAN implementation project or suggest additional projects and issues, Ruffles said. “It’s not so much a phase as it is continuous, depending on who has an issue and who’s available to work on it,” he added.

Standardized specs lead to better automation processes

The SD-WAN implementation project work benefits more than its current participants, according to Santitoro. By “playing in the sandbox,” members can feed the knowledge learned from the testing environment into MEF’s work on SD-WAN specifications. For example, participants can more accurately define SD-WAN requirements, capabilities, architecture and what’s needed for multivendor interoperability.

“We learn by hand what has to be done, and then we use that information to make changes or additions to the API,” Ruffles said.

In addition to the SD-WAN specs, MEF this week published specs for retail and wholesale Ethernet services, subscriber and operator Layer 1 services, and IP services. These services — especially IP services — have historically been defined in various ways, Santitoro said, which can impede automation. To combat the discrepancies, MEF is defining the fundamentals of IP services and their attributes, which will then help define and build broader services.

“We’ll create things like the VPN [virtual private network] service, internet access service, private cloud access service and operator wholesale services — particularly the IP-VPN case,” said David Ball, MEF’s services committee co-chair and editor of the MEF IP services project.

These definitions and specs will then be fed into MEF’s LSO architecture to help establish a standard vocabulary, so SD-WAN buyers and sellers understand what they need or get with particular services, Santitoro said. Further, defining services and their requirements helps create standardized processes for orchestration and automation, he added.

“Automation is really about consistency and being able to create a model of a service, so services are deployed, designed and implemented in a similar fashion,” he said.

Razer Blade Pro 17″ 4K Touch Screen – Intel® Core™ i7-7820HK – 32GB RAM

Hi,

Used to be active on this forum a little bit many years ago, nice to see it’s still going strong. Bought this in the summer last year. Used it a handful of times, if that. I just haven’t had the use of it that I was expecting, mainly because I have since discovered I just prefer gaming on a desktop much more.

Product details:

– 17.3” 4K Touch Display with NVIDIA® G-SYNC™
– Overclocked Quad-Core 7th Gen Intel® Core™ i7-7820HK
– 32GB RAM
– 500GB SSD storage

Product is available here for…