Jorge's Quest For Knowledge!

About Windows Server, ADDS, ADFS, Azure AD, FIM/MIM & AADSync (Just Like An Addiction, The More You Have, The More You Want To Have!)

(2014-10-01) TroubleShooting Federation/SSO To Windows Azure AD And Office 365

Posted by Jorge on 2014-10-01


When setting up DirSync and federation between your on-premises AD and Windows Azure AD to support identity sync and SSO, the most important attributes to get everything working are the immutableID and the userPrincipalName.

-

Paul Williams from msresource.net has written a great number of blog posts about this, touching all kinds of related stuff. See the following blog posts:

-

With regards to the implementation, I used the string version of the objectGUID (AD) as the immutableID (sourceAnchor in AAD) and the UPN as the userPrincipalName (AAD). I achieved that by leveraging FIM with the AAD connector. Because of that I also had to implement slightly different claims rules in ADFS for Azure AD/Office 365. The rules in my ADFS v2.0 looked like:

@RuleName = "Identity Claims – objectGUID (Base64) To objectGUID (String)"
c:[Type == "http://temp.org/identity/claims/adObjectGuidBase64org"]
=> add(store = "String Processing Store", types = ("http://temp.org/identity/claims/adObjectGuidString"), query = "fromBase64GuidtoStringGuid", param = c.Value);

@RuleName = "Identity Claims – upn To UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
=> issue(Type = "http://schemas.xmlsoap.org/claims/UPN", Value = c.Value);

@RuleName = "Identity Claims – objectGUID (String) To ImmutableID"
c:[Type == "http://temp.org/identity/claims/adObjectGuidString"]
=> issue(Type = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

@RuleName = "Identity Claims – ImmutableID To Name ID"
c:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");

-

I swear everything was working, until some day I started to get the following errors:

…when navigating to: https://outlook.office365.com/owa/

image

Figure 1: Error When Using Federated Logon And Navigating To Office 365 Portal

-

…when navigating to: https://manage.windowsazure.com/default.aspx

image

Figure 2: Error When Using Federated Logon And Navigating To Azure AD Management Portal

-

…when navigating to: https://portal.office.com/

image

Figure 3: Error When Using Federated Logon And Navigating To Office 365 Management Portal

-

By giving the correlation ID to someone at Microsoft who is able to check it in the system logs, they will most likely be able to tell you what is wrong. In this case, unfortunately, I was not able to do that. The logs on my system did not give me any clue!

As I have another ADFS v3.0 system in my environment, I decided to configure that ADFS instance with all default values for DirSync and federation. After configuring all this, I was able to access Azure AD and Office 365 through federated logon on my ADFS v3.0 box, but still not on my ADFS v2.0 box.

-

After comparing the federation trusts between ADFS v2.0 and Azure AD, and between ADFS v3.0 and Azure AD, I saw the following difference:

image

Figure 4: Signature Hash Algorithm On The RP Trust On ADFS v3.0 For Azure AD/Office 365 (Default Config) – WORKING

-

image

Figure 5: Signature Hash Algorithm On The RP Trust On ADFS v2.0 For Azure AD/Office 365 (Custom Config) – NOT WORKING

-

For whatever reason, in the past I had changed the signature hash algorithm on the RP Trust On ADFS v2.0 For Azure AD/Office 365 AND I had forgotten about it. It took me some time to find this one, but by just changing the signature hash algorithm on the RP Trust On ADFS v2.0 For Azure AD/Office 365 from SHA-256 to SHA-1, everything started to work again! Yiiihhaaaaaa!

-

PS: this has NOTHING to do with the usage of ADFS v2.0 versus ADFS v3.0. This was a configuration mistake I made when playing around in the test/demo environment.
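An added example (not from the post) that reports the signature hash algorithm on the Azure AD/Office 365 relying party trust, so the trust on two ADFS farms can be compared without opening the GUI. It assumes the trust carries the name Convert-MsolDomainToFederated gives it ("Microsoft Office 365 Identity Platform"); pass -TrustName if yours differs.

```powershell
# Report the signature hash algorithm configured on the Azure AD / Office 365 RP trust.
# The expected value defaults to what the default (working) ADFS v3.0 trust in the post used: RSA-SHA1.
function Get-AzureAdRpTrustSignatureAlgorithm {
    param(
        [string]$TrustName = "Microsoft Office 365 Identity Platform",   # assumed default trust name
        [string]$ExpectedAlgorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
    )

    # ADFS v2.0 ships the cmdlets as a snap-in; ADFS v3.0 ships them as a module
    if (-not (Get-Command Get-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop
    }

    $trust = Get-AdfsRelyingPartyTrust -Name $TrustName
    if (-not $trust) { throw "Relying party trust '$TrustName' not found" }

    $short = switch ($trust.SignatureAlgorithm) {
        "http://www.w3.org/2000/09/xmldsig#rsa-sha1"        { "SHA-1" }
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" { "SHA-256" }
        default                                             { $trust.SignatureAlgorithm }
    }

    [pscustomobject]@{
        Server             = $env:COMPUTERNAME
        TrustName          = $trust.Name
        SignatureAlgorithm = $short
        MatchesExpected    = ($trust.SignatureAlgorithm -eq $ExpectedAlgorithm)
        Identifiers        = ($trust.Identifier -join ", ")
    }
}

# Run on both farms and diff the output. To put a trust back on the value the post found working:
# Set-AdfsRelyingPartyTrust -TargetName "Microsoft Office 365 Identity Platform" `
#     -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
Get-AzureAdRpTrustSignatureAlgorithm | Format-List
```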

-

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge's Quest For Knowledge ###############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), Azure AD Sync, DirSync, Federation Trusts, Office 365, SSO, Transform Rules, Windows Azure Active Directory

(2014-09-29) Default Claims Rules In ADFS To Support SSO Through Federation With Azure AD/Office 365

Posted by Jorge on 2014-09-29


Just for reference, I am posting the default claims rules in ADFS to support SSO through federation with Azure AD/Office 365.

@RuleName = "Identity Claims – Windows Account Name To UPN, ImmutableID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN","http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};userPrincipalName,objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);

@RuleName = "Identity Claims – ImmutableID To Name ID"
c:[Type == "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
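An added example (not part of this post or the previous one) showing the two representations of an AD user's objectGUID that the claims rules produce: the default rules above issue the Base64 form as ImmutableID, which is the sourceAnchor DirSync writes to Azure AD, while the custom rules in the previous post issue the string form. Whichever form is chosen, the ImmutableID claim must match what Azure AD holds as ImmutableId; the GUID used below is a constructed sample so the function runs without a domain.

```powershell
# Compute both claim forms of an objectGUID and prove the Base64 form round-trips.
function Get-ObjectGuidClaimForms {
    param([Parameter(Mandatory)][guid]$ObjectGuid)

    # ToByteArray() yields the mixed-endian byte layout AD stores on disk; that is what
    # DirSync/AADSync Base64-encode, so encode the bytes rather than the hex string.
    $bytes  = $ObjectGuid.ToByteArray()
    $base64 = [System.Convert]::ToBase64String($bytes)
    $back   = New-Object System.Guid -ArgumentList (,[byte[]][System.Convert]::FromBase64String($base64))

    [pscustomobject]@{
        StringGuid       = $ObjectGuid.ToString()   # form the custom rules issue
        Base64Guid       = $base64                  # form the default rules issue (ImmutableID)
        RoundTripsToGuid = ($back -eq $ObjectGuid)
    }
}

# Constructed sample objectGUID (not a real account)
Get-ObjectGuidClaimForms -ObjectGuid "12345678-9abc-def0-1234-56789abcdef0"

# Against a live domain and tenant (needs the ActiveDirectory and MSOnline modules):
# $u   = Get-ADUser jorge -Properties objectGUID
# $aad = Get-MsolUser -UserPrincipalName $u.UserPrincipalName
# (Get-ObjectGuidClaimForms $u.ObjectGUID).Base64Guid -eq $aad.ImmutableId   # must be True
```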

-

Cheers,
Jorge

Posted in Active Directory Federation Services (ADFS), Azure AD / Office 365, Transform Rules

(2014-09-27) FIM Portals Die After Installing Rollup Package (Build 4.1.3599.0) For FIM 2010 R2

Posted by Jorge on 2014-09-27


At the beginning of this month, Microsoft released the latest rollup package, build 4.1.3599.0, for FIM 2010 R2. A few days ago I decided to install that rollup package in my test/demo environment. Before installing the rollup package everything worked as it had before. Yesterday I wanted to use the FIM Portal again and I was confronted with the following error:

image

Figure 1: Error Shown When Accessing The FIM Portal

-

The error above already tells you what's wrong. If you have not seen it yet, check out the red line (line 167 in the screenshot) and the line below it (line 168). They're almost the same except for the version number. It appears the installation of the rollup package added a new line for its new version, but did not remove the line containing the previous version (Build 4.1.3559.0). Basically the solution is to remove all lines with the previous version manually.

-

Navigate to the folder containing the WEB.CONFIG for the FIM Portal website and create a backup copy of it. Then open it and search for all occurrences of 3559, assuming the previous build was Build 4.1.3559.0, otherwise search for the correct build number if applicable. I found the following duplicates:

<assemblies>
  <add assembly="Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
  <add assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  <add assembly="Microsoft.Web.CommandUI, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
  <add assembly="Microsoft.SharePoint.Search, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
  <!-- previous build 4.1.3559.0, left behind by the rollup: remove this line -->
  <add assembly="Microsoft.IdentityManagement.WebUI.Controls, Version=4.1.3559.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  <add assembly="Microsoft.IdentityManagement.WebUI.Controls, Version=4.1.3599.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  <!-- previous build 4.1.3559.0, left behind by the rollup: remove this line -->
  <add assembly="Microsoft.ResourceManagement, Version=4.1.3559.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  <add assembly="Microsoft.ResourceManagement, Version=4.1.3599.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</assemblies>

-

AND

-

<controls>
  <add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  <!-- previous build 4.1.3559.0, left behind by the rollup: remove this line -->
  <add tagPrefix="IdentityManagement" namespace="Microsoft.IdentityManagement.WebUI.Controls" assembly="Microsoft.IdentityManagement.WebUI.Controls, Version=4.1.3559.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  <add tagPrefix="IdentityManagement" namespace="Microsoft.IdentityManagement.WebUI.Controls" assembly="Microsoft.IdentityManagement.WebUI.Controls, Version=4.1.3599.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  <!-- previous build 4.1.3559.0, left behind by the rollup: remove this line -->
  <add tagPrefix="IdentityManagement" namespace="Microsoft.IdentityManagement.WebUI.Controls" assembly="Microsoft.IdentityManagement.WFExtensionInterfaces, Version=4.1.3559.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  <add tagPrefix="IdentityManagement" namespace="Microsoft.IdentityManagement.WebUI.Controls" assembly="Microsoft.IdentityManagement.WFExtensionInterfaces, Version=4.1.3599.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</controls>
-

All lines marked yellow in the screenshot (the Version=4.1.3559.0 entries above) need to be removed. After that, save the WEB.CONFIG and try accessing the FIM Portal again.

image

Figure 2: Working FIM Portal Again

-

Now make sure to also check the FIM Registration Portal and the FIM Reset Portal. In my case I found that the websites had been duplicated. The solution is to stop the new duplicate sites if applicable, delete/remove them, and start the previous sites again. The duplicate site is the website with _X appended to the name of the site.

-

After fixing all this, everything is working again. Remember that you may need to check all FIM Portal servers if you have more than one.
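An added example (not the post's own script) that does the WEB.CONFIG clean-up described above: it backs the file up, then removes each `<add>` entry whose assembly carries the previous build's version only when the same assembly is also listed with the new build. The build numbers are the post's; the sample web.config at the bottom is constructed so the function can be tried offline, and the real path of the FIM Portal site's web.config is left as a placeholder.

```powershell
# Remove stale <add assembly="..., Version=<old>, ..."> entries from a FIM Portal web.config.
function Remove-StaleFimAssemblyEntries {
    param(
        [Parameter(Mandatory)][string]$WebConfigPath,
        [string]$OldVersion = "4.1.3559.0",
        [string]$NewVersion = "4.1.3599.0"
    )
    $path = (Resolve-Path $WebConfigPath).Path
    Copy-Item $path "$path.$(Get-Date -Format yyyyMMddHHmmss).bak"   # backup first, as the post says

    [xml]$cfg = Get-Content $path -Raw
    $removed = @()

    # Both <assemblies><add assembly=...> and <controls><add ... assembly=...> carry a fully
    # qualified name: "Name, Version=x.y.z.w, Culture=neutral, PublicKeyToken=..."
    foreach ($node in @($cfg.SelectNodes("//assemblies/add[@assembly] | //controls/add[@assembly]"))) {
        $parts   = $node.assembly -split "," | ForEach-Object { $_.Trim() }
        $name    = $parts[0]
        $version = ($parts | Where-Object { $_ -like "Version=*" }) -replace "^Version=", ""
        if ($version -ne $OldVersion) { continue }

        # Only drop the old entry when the same assembly is also listed with the new build
        $hasNew = @($node.ParentNode.SelectNodes("add[starts-with(@assembly, '$name, Version=$NewVersion,')]")).Count -gt 0
        if ($hasNew) {
            $removed += "<$($node.ParentNode.LocalName)> $name $version"
            [void]$node.ParentNode.RemoveChild($node)
        }
    }
    $cfg.Save($path)
    $removed
}

# Constructed sample containing the duplicates from the post (not a real web.config)
$sample = @"
<configuration>
  <system.web>
    <compilation>
      <assemblies>
        <add assembly="Microsoft.IdentityManagement.WebUI.Controls, Version=4.1.3559.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        <add assembly="Microsoft.IdentityManagement.WebUI.Controls, Version=4.1.3599.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        <add assembly="Microsoft.ResourceManagement, Version=4.1.3559.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        <add assembly="Microsoft.ResourceManagement, Version=4.1.3599.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </assemblies>
    </compilation>
    <pages>
      <controls>
        <add tagPrefix="IdentityManagement" namespace="Microsoft.IdentityManagement.WebUI.Controls" assembly="Microsoft.IdentityManagement.WFExtensionInterfaces, Version=4.1.3559.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        <add tagPrefix="IdentityManagement" namespace="Microsoft.IdentityManagement.WebUI.Controls" assembly="Microsoft.IdentityManagement.WFExtensionInterfaces, Version=4.1.3599.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </controls>
    </pages>
  </system.web>
</configuration>
"@
$tmp = Join-Path $env:TEMP "fim-web.config"
Set-Content -Path $tmp -Value $sample
Remove-StaleFimAssemblyEntries -WebConfigPath $tmp   # lists the three removed entries

# On a real FIM Portal server:
# Remove-StaleFimAssemblyEntries -WebConfigPath "<path to the FIM Portal site's web.config>"
```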

-

Cheers,
Jorge

Posted in Forefront Identity Manager (FIM) Portal, Troubleshooting, Updates

(2014-09-25) Changing The Service Account And/Or Security Groups For Azure AD Sync Services

Posted by Jorge on 2014-09-25


If you used the default configuration, you will end up with a local service account (e.g. AAD_fb304599ae39) for the Azure AD Sync Service and local security groups will be used (ADSyncAdmins, ADSyncOperators, ADSyncBrowse and ADSyncPasswordSet). This blog post helps you change either one, local service account or local security groups, or both to use domain objects. This blog post assumes you want to change both the service account and the security groups. In that case perform all steps. If you only want to change either one, then only perform the corresponding steps.

-

Step 1: Create the new Azure AD Sync Service service account in AD

Example: ADCORP\SVC_R1_AADSyncSvc

-

Step 2: Create the new Azure AD Sync Service security groups in AD

Example: ADCORP\AADSyncAdmins

Example: ADCORP\AADSyncOperators

Example: ADCORP\AADSyncBrowse

Example: ADCORP\AADSyncPasswordSet

-

Step 3: Establish correct memberships

Example: ADCORP\AADSyncAdmins <– make the Azure AD Sync Service service account in AD, and any AD-based user/admin account that fully manages the AAD Sync Service, a member of this group

QUESTION: do you know which other group needed to be created in FIM, but is not needed anymore in AADSync?

-

Step 4: Configure the new Azure AD Sync Service service account in AD with the correct user rights on the server with Azure AD Sync Service installed

Give the new Azure AD Sync Service service account in AD the following user rights on the server with Azure AD Sync Service installed

“Deny logon as a batch job”

“Deny logon locally”

“Deny logon through Terminal Services”

“Deny access to this computer from the network”

image

Figure 1: Required User Rights For The New Azure AD Sync Service Service Account In AD
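An added example (not from the post) covering steps 1 to 3 with the AD cmdlets and, for step 4, a check that reads the local security policy on the AADSync server and confirms the service account holds the four "Deny" user rights shown in figure 1. The account and group names are the post's examples; the OU path is an assumption.

```powershell
Import-Module ActiveDirectory

$svcName = "SVC_R1_AADSyncSvc"
$groups  = "AADSyncAdmins", "AADSyncOperators", "AADSyncBrowse", "AADSyncPasswordSet"
$ouPath  = "OU=ServiceAccounts,DC=ADCORP,DC=LAB"   # assumed OU, adjust to your domain

# Step 1: the service account (password prompted, never stored in the script)
New-ADUser -Name $svcName -SamAccountName $svcName -Path $ouPath `
    -AccountPassword (Read-Host -AsSecureString "Password for $svcName") `
    -PasswordNeverExpires $true -Enabled $true

# Step 2: the four security groups
foreach ($g in $groups) { New-ADGroup -Name $g -GroupScope Global -Path $ouPath }

# Step 3: the service account (plus the admins who fully manage AADSync) goes into AADSyncAdmins
Add-ADGroupMember -Identity "AADSyncAdmins" -Members $svcName

# Step 4 check: run as administrator on the AADSync server after assigning the user rights
function Test-AADSyncDenyRights {
    param([string]$Account = "ADCORP\$svcName")
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $required = [ordered]@{
        SeDenyBatchLogonRight             = "Deny logon as a batch job"
        SeDenyInteractiveLogonRight       = "Deny logon locally"
        SeDenyRemoteInteractiveLogonRight = "Deny logon through Terminal Services"
        SeDenyNetworkLogonRight           = "Deny access to this computer from the network"
    }
    $inf = Join-Path $env:TEMP "userrights.inf"
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $policy = Get-Content $inf
    Remove-Item $inf
    foreach ($right in $required.Keys) {
        # secedit writes SIDs prefixed with '*', e.g.  SeDenyBatchLogonRight = *S-1-5-21-...
        $line = $policy | Where-Object { $_ -like "$right = *" }
        [pscustomobject]@{
            Right   = $required[$right]
            Granted = [bool]($line -and $line -match ("\*" + [regex]::Escape($sid) + "(,|\s|$)"))
        }
    }
}
Test-AADSyncDenyRights   # all four rows must show Granted = True before the change install
```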

-

If you do not know the password of the current Azure AD Sync Service service account: stop the "Microsoft Azure AD Sync (ADSync)" service, reset the password of the current Azure AD Sync Service service account, re-enter the credentials for the "Microsoft Azure AD Sync (ADSync)" service, and start the "Microsoft Azure AD Sync (ADSync)" service again.

image

Figure 2: Resetting The Password Of The Current (Local) Azure AD Sync Service Service Account

-

image

Figure 3: Re-Entering Credentials For The "Microsoft Azure AD Sync (ADSync)" Service

-

When changing the Azure AD Sync Service Service Account, the new Azure AD Sync Service Service Account must be configured with the encryption keys securing the secret data in the database. To be able to do that you must export the keyset, if not already available.

image

Figure 4: Exporting The KeySet Using The Azure ADSync Encryption Key Management Wizard

-

image

Figure 5: Providing The Credentials Of The Current (Local) Azure AD Sync Service Service Account

-

The default folder is "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Azure AD Sync\"; make sure a keyset file with the same filename does not already exist there.

image

Figure 6: Providing The Path Of The Encryption File

-

image

Figure 7: Configuration Summary

-

image

Figure 8: Configuration Result

-

Now it is time to start the change install.

image

Figure 9: Starting The Change Install For Microsoft Azure AD Sync

-

image

Figure 10: Microsoft Azure AD Sync Maintenance Wizard – Welcome Page

-

image

Figure 11: Microsoft Azure AD Sync Maintenance Wizard – Maintenance Options Page

-

image

Figure 12: Microsoft Azure AD Sync Maintenance Wizard – Features Page

-

image

Figure 13: Microsoft Azure AD Sync Maintenance Wizard – Azure AD Sync Service Service Account Credentials Page

-

image

Figure 14: Microsoft Azure AD Sync Maintenance Wizard – Azure AD Sync Service Security Groups Page

-

image

Figure 15: Microsoft Azure AD Sync Maintenance Wizard – Initiating Install Page

-

If you did not configure the Azure AD Sync Service Service Account with the user rights as shown in figure 1, you will get the following warning.

image

Figure 16: Warning About Azure AD Sync Service Service Account Not Being Configured In Secure Manner

-

If you get the following error, make sure to check this blog post AFTER the wizard has finished!!!

image

Figure 17: Warning About Azure AD Sync Setup Not Being Able To Configure WMI Permissions On A Non-Existent Namespace

-

image

Figure 18: Restoring The Keyset For The New Azure AD Sync Service Service Account

-

image

Figure 19: Change Install Of Microsoft Azure AD Sync Setup Finished

-

And you’re done!

-

Cheers,
Jorge

Posted in Azure AD Sync, Windows Azure Active Directory

(2014-09-23) Upgrading Azure AD Sync From The Beta Version To RTM

Posted by Jorge on 2014-09-23


In this blog post I will show you how to upgrade from the beta version of the Azure AD Sync Service to its RTM version. The method I'm showing here is most likely only one of the ways of accomplishing this. Here I'm uninstalling the beta version and installing the RTM version. Most likely it is also possible to just perform a software upgrade by installing the RTM version on top of the beta version. I do not like software upgrades, as you might end up keeping stuff from the previous version which I do not want!

-

Because the installation of the Azure AD Sync Service also creates the local service account, you must first determine your scenario and also do some preparation.

-

If you are already using a domain-based service account, then it is very likely you already know the password of that service account. If you are using the default local service account, then you need to reset its password. That is most likely needed because you do not know it, as it was set by the installation. To determine which account type you are using, use the Services MMC and check the account listed under "Log On As" for the "Microsoft Azure AD Sync" service. You are using a local service account if its listing starts with ".\AAD_".

If you are using a local service account, perform this step; otherwise skip this step.

Before resetting the password of the local service account, stop the "Microsoft Azure AD Sync" service first.

image

Figure 1: Using The Services MMC To Stop The "Microsoft Azure AD Sync" Service

-

Start the Computer Management MMC and target the local service account that starts with ".\AAD_"

image

Figure 2: Resetting The Password Of The Current (Local) Azure AD Sync Service Service Account

-

Then using the services MMC respecify the new password of the local service account. After doing that start the "Microsoft Azure AD Sync" Service again.

image

Figure 3: Re-Entering Credentials For The "Microsoft Azure AD Sync (ADSync)" Service

-

The Azure AD Sync Service wizard will create a new local Azure AD Sync Service Service Account, and that account must be configured with the encryption keys securing the secret data in the database. To be able to do that you must export the keyset first, if not already available.

image

Figure 4: Exporting The KeySet Using The Azure ADSync Encryption Key Management Wizard

-

image

Figure 5: Providing The Credentials Of The Current (Local) Azure AD Sync Service Service Account

-

The default folder is "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Azure AD Sync\"; make sure a keyset file with the same filename does not already exist there.

image

Figure 6: Providing The Path Of The Encryption File

-

image

Figure 7: Configuration Summary

-

image

Figure 8: Configuration Result

-

When you look in Programs And Features you will find the following software components, highlighted in yellow in the screenshot, that are part of the Azure AD Sync Service.

image

Figure 9: Software Components That Are Part Of The Azure AD Sync Service

-

You may ask yourself which one should be uninstalled first, and in which order? One thing is certain, and that's my experience: you will run into all kinds of errors during the uninstall and during the install of the new version. Therefore it is very important to use the correct steps!

To uninstall everything in one go without errors you should uninstall the component called "Microsoft Azure AD Connection Tool".

image

Figure 10: Uninstalling The Main Component Of The Azure AD Sync Service

-

image

Figure 11: The Uninstall Wizard Of The Main Component Of The Azure AD Sync Service

-

When the uninstall has finished you can start the new installation by executing "MicrosoftAzureADConnectionTool.exe".

image

Figure 12: The Install Wizard Of The Main Component Of The Azure AD Sync Service

-

As soon as you see the screen above, CANCEL the installation by clicking the cross in the upper right corner. If you do not cancel the installation, it will be installed with all defaults, including SQL express.

After cancelling the installation, open a command prompt window and navigate to the folder "C:\Program Files\Microsoft Azure AD Connection Tool". You will need to execute "DirectorySyncTool.exe". It supports the following options:

DirectorySyncTool.exe /sqlserver <FQDN SQL Server> /sqlserverinstance <Custom SQL Instance Name If Applicable> /serviceAccountDomain <NetBIOS Domain Name Of Service Account> /serviceAccountName <sAMAccountName Of Service Account> /serviceAccountPassword <Password Of Service Account>

-

In this case I'm accepting all defaults except that I want to use SQL Server instead of SQL Express. To do that I execute the following command:

DirectorySyncTool.exe /sqlserver R1FSMBSV0.ADCORP.LAB /sqlserverinstance <Custom SQL Instance Name If Applicable>

REMARK: the SQL instance name should only be specified if it concerns a custom SQL instance. When using the default SQL instance name, do not use that parameter.

If you want to use the default SQL partition, then don’t specify this parameter.
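An added example (not from the post) that applies the two rules of thumb above: it reads the ADSync service's logon account to decide whether you are on the local AAD_ account (password unknown, so reset it first) or a domain account, and it builds the DirectorySyncTool.exe argument list so that /sqlserverinstance is only passed for a named instance. The SQL server name is the post's; the install path is the one the post navigates to.

```powershell
# Which account runs the ADSync service? The post's rule: local if it starts with ".\AAD_"
function Get-ADSyncLogonAccount {
    $svc = Get-WmiObject Win32_Service -Filter "Name='ADSync'"
    if (-not $svc) { throw "Service 'ADSync' not found on this host" }
    [pscustomobject]@{
        LogOnAs            = $svc.StartName
        IsLocalAADAccount  = ($svc.StartName -like '.\AAD_*')
        NeedsPasswordReset = ($svc.StartName -like '.\AAD_*')   # local account: password was set by setup
    }
}

# Build the DirectorySyncTool.exe argument list from the options the post lists
function New-DirectorySyncToolArgumentList {
    param(
        [Parameter(Mandatory)][string]$SqlServer,
        [string]$SqlInstance,                                          # leave empty for the default instance
        [System.Management.Automation.PSCredential]$ServiceAccount     # "DOMAIN\user"; empty keeps the local AAD_ account
    )
    $list = @("/sqlserver", $SqlServer)
    if ($SqlInstance) { $list += "/sqlserverinstance", $SqlInstance }   # only for a custom instance (the REMARK)
    if ($ServiceAccount) {
        $nc = $ServiceAccount.GetNetworkCredential()   # splits DOMAIN\user into .Domain and .UserName
        $list += "/serviceAccountDomain", $nc.Domain, "/serviceAccountName", $nc.UserName,
                 "/serviceAccountPassword", $nc.Password
    }
    $list
}

Get-ADSyncLogonAccount

# The post's case: default instance on R1FSMBSV0.ADCORP.LAB, defaults for everything else
$argList = New-DirectorySyncToolArgumentList -SqlServer "R1FSMBSV0.ADCORP.LAB"
Start-Process -FilePath "C:\Program Files\Microsoft Azure AD Connection Tool\DirectorySyncTool.exe" `
    -ArgumentList $argList -Wait
```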

image

Figure 13: Installing The Azure AD Sync Service And Using A SQL Server With The Default Instance Name

-

image

Figure 14: The Install Wizard Of The Main Component Of The Azure AD Sync Service

-

Agreeing with the license terms and clicking "Install" will install everything, while at the same time detecting the database of the previous version. When it uses the existing database, the remaining configuration options such as credentials, matching rules, etc. will be skipped as that is already in the database.

-

The installation has created a new local service account, and to restore the keyset, or in other words reactivate the previous database, you need to know the password of the service account in use.

Start the Computer Management MMC and target the local service account that starts with ".\AAD_"

image

Figure 15: Resetting The Password Of The Current (Local) Azure AD Sync Service Service Account

-

Then using the services MMC respecify the new password of the local service account. After doing that start the "Microsoft Azure AD Sync" Service again.

image

Figure 16: Re-Entering Credentials For The "Microsoft Azure AD Sync (ADSync)" Service

-

When starting the "Microsoft Azure AD Sync" Service without having restored the keyset, you will see the following errors.

image

Figure 17: Error Immediately Shown When Starting The Service Without Restoring The Keyset

-

image

Figure 18: Additional Info In The Application Event Log When Starting The Service Without Restoring The Keyset

-

The correct way to solve this is to reactivate the database. For that you need to use the MIISACTIVATE tool in the folder "C:\Program Files\Microsoft Azure AD Sync\Bin".

image

Figure 19: Parameters Supported By The MIIS (!) Warm Standby Activation Utility

-

image

Figure 20: Reactivating The Existing Database For The New Azure AD Sync Service Engine

-

image

Figure 21: Warning About Making Sure the Previous Azure AD Sync Service Engine Is Offline

-

image

Figure 22: Prompting For The Password Of The (Local) Azure AD Sync Service Service Account

-

image

Figure 23: Confirmation That Reactivation Was Successful

-

When checking you will find out the "Microsoft Azure AD Sync (ADSync)" Service is running already. Reactivation will do that.

-

Just as the installation creates a new local Azure AD Sync Service service account, it also creates new Azure AD Sync Service security groups. To make sure you will be able to use the Azure AD Sync Service engine from a permissions perspective, you may need to log off and log on again!

-

Additional information:

-

And you’re done!

-

Cheers,
Jorge

Posted in Azure AD Sync, Windows Azure Active Directory

(2014-09-21) Change Install Of The Azure AD Sync Service Throws WMI Namespace Error

Posted by Jorge on 2014-09-21


When performing a CHANGE install of the Azure AD Sync Service you may get the following error.

image

Figure 1: Error Thrown By The Azure AD Sync Setup Wizard Not Being Able To Configure Permissions On A Non-Existing Namespace

-

Error 25050. The Microsoft Azure AD Sync Setup wizard cannot set Windows Management Instrumentation (WMI) permissions. Ensure you have the correct permissions for this operation, and then try running this wizard again. To run WMI remotely, you must manually set the remote enable permissions. Invalid namespace.

-

The solution to the problem was already covered in this WIKI page, but unfortunately it is not complete.

When everything is OK, the "MicrosoftIdentityIntegrationServer" namespace does exist.

image

Figure 2: The "MicrosoftIdentityIntegrationServer" Namespace Does Exist When Everything Is OK

-

When everything is not OK, the "MicrosoftIdentityIntegrationServer" namespace does not exist! Duh!

image

Figure 3: The "MicrosoftIdentityIntegrationServer" Namespace Does Not Exist When Everything Is Not OK

-

Open a command prompt window and navigate to the folder "C:\Program Files\Microsoft Azure AD Sync\Bin". Then execute: mofcomp mmswmi.mof

image

Figure 4: Reregistering The "MicrosoftIdentityIntegrationServer" Namespace

-

To make sure everything is really OK, check that the namespace is configured with the Azure AD Sync Service security groups. All Azure AD Sync Service security groups should have the same permissions as shown below.

image

Figure 5: Permissions On The "MicrosoftIdentityIntegrationServer" Namespace For The Azure AD Sync Service security groups

-

In addition to the steps above, start the Component Services MMC, navigate to Component Services –> Computers –> My Computer, right-click My Computer and select Properties

image

Figure 6: Component Services MMC

-

Click on the "COM Security" TAB

image

Figure 7: "COM Security" TAB And The Parts For Which Permissions Need To Be Configured

-

If you changed the Azure AD Sync Service security groups, then make sure to REMOVE all old Azure AD Sync Service security groups in all three parts

image

Figure 8: Previous Azure AD Sync Service security groups

-

Make sure to configure the exact same permissions for all Azure AD Sync Service security groups as shown in the picture below

image

Figure 9: Access Permissions – Security Limits For Azure AD Sync Service security groups

-

Make sure to configure the exact same permissions for all Azure AD Sync Service security groups as shown in the picture below

image

Figure 10: Access Permissions – Default Security For Azure AD Sync Service security groups

-

Make sure to configure the exact same permissions for all Azure AD Sync Service security groups as shown in the picture below

image

Figure 11: Launch And Activation Permissions – Security Limits For Azure AD Sync Service security groups
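An added example (not the post's own script) that verifies the three things the post walks through: that the MicrosoftIdentityIntegrationServer WMI namespace exists (re-registering it with mofcomp if not), which trustees hold permissions on that namespace, and which trustees appear in the machine-wide DCOM limits and defaults behind the "COM Security" tab. The group names and paths are the post's; the DCOM settings are read from the documented security-descriptor values under HKLM\SOFTWARE\Microsoft\Ole, which maps three of the tab's dialogs to registry values as noted in the code.

```powershell
$groups  = "ADSyncAdmins", "ADSyncOperators", "ADSyncBrowse", "ADSyncPasswordSet"
$mofPath = "C:\Program Files\Microsoft Azure AD Sync\Bin\mmswmi.mof"

# Figures 2 to 4: does root\MicrosoftIdentityIntegrationServer exist? If not, apply the post's fix.
function Test-MiisWmiNamespace {
    $exists = { [bool](Get-WmiObject -Namespace root -Class __Namespace |
                       Where-Object { $_.Name -eq "MicrosoftIdentityIntegrationServer" }) }
    if (-not (& $exists)) {
        Write-Warning "Namespace missing, re-registering it with mofcomp"
        mofcomp.exe $mofPath | Out-Null
    }
    & $exists
}

# Figure 5: trustees in the DACL of the namespace itself
function Get-MiisWmiNamespaceTrustees {
    $sec = Get-WmiObject -Namespace root\MicrosoftIdentityIntegrationServer -Class __SystemSecurity
    $sd  = $sec.GetSecurityDescriptor().Descriptor
    foreach ($ace in $sd.DACL) {
        [pscustomobject]@{
            Trustee = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
            Type    = if ($ace.AceType -eq 0) { "Allow" } else { "Deny" }
            Mask    = "0x{0:X}" -f $ace.AccessMask
        }
    }
}

# Figures 9 to 11: machine-wide DCOM settings, stored as self-relative security descriptors
function Get-DcomSecurityTrustees {
    $ole = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Ole"
    $settings = [ordered]@{
        "Access Permissions - Security Limits"                = "MachineAccessRestriction"
        "Access Permissions - Default Security"               = "DefaultAccessPermission"
        "Launch And Activation Permissions - Security Limits" = "MachineLaunchRestriction"
    }
    foreach ($label in $settings.Keys) {
        $bytes = $ole.($settings[$label])
        if (-not $bytes) { continue }   # value absent means built-in defaults, nothing custom to review
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList ([byte[]]$bytes), 0
        foreach ($ace in $sd.DiscretionaryAcl) {
            $name = try   { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $ace.SecurityIdentifier.Value }
            [pscustomobject]@{ Setting = $label; Trustee = $name; Type = $ace.AceType; Mask = "0x{0:X}" -f $ace.AccessMask }
        }
    }
}

Test-MiisWmiNamespace
Get-MiisWmiNamespaceTrustees | Format-Table -AutoSize
$dcom = Get-DcomSecurityTrustees
$dcom | Format-Table -AutoSize

# Every current group must appear in the namespace DACL and in all three DCOM settings; any
# ADSync*/AADSync* trustee that is NOT in $groups is a leftover from a previous configuration
$dcom | Where-Object { $_.Trustee -match '\\A?ADSync' -and (($_.Trustee -split '\\')[-1] -notin $groups) }
```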

-

And you’re done!

-

Cheers,
Jorge

Posted in Azure AD Sync, Windows Azure Active Directory

(2014-09-19) Checking The Health Of Your DC After Promotion

Posted by Jorge on 2014-09-19


You have promoted your brand new DC. How do you know it is functioning correctly?

-

There are a number of things you can do to determine its health. All the tests below were done on a W2K12R2 DC.

-

[1] Check inbound and outbound AD replication

To determine this, execute: REPADMIN /SHOWREPL /REPSTO

Make sure all last attempts are really recent, and in any case within the tombstone lifetime of the AD forest.

image

Figure 1: Last Attempts For Inbound AD Replication

-

image

Figure 2: Last Attempts For Outbound AD Replication

-

To check the replication latency/convergence also see: (2014-02-16) Testing Active Directory Replication Latency/Convergence Through PowerShell (Update 3)

-

[2] If the DC is a GC, check it has finished the build of the GC partitions and it is advertising itself as such

To determine this, execute: Get-WinEvent -LogName "Directory Service" | ?{$_.Id -eq 1119} | FL

image

Figure 3: The DC Now Advertising As A GC

-

[3] Check the SYSVOL has been initialized and finished initial replication

To determine this, execute: Get-WinEvent -LogName "DFS Replication" | ?{$_.Id -eq 4604} | FL

image

Figure 4: The DC Reporting SYSVOL Has Been Initialized And Performed Initial Replication

-

In addition, check the NETLOGON and SYSVOL shares are in place.

To determine this, execute: NET SHARE

image

Figure 5: The NETLOGON And SYSVOL Published

-

To check the replication latency/convergence also see: (2014-02-17) Testing SYSVOL Replication Latency/Convergence Through PowerShell (Update 3)

-

[4] Check Event Logs

The following event logs will help determine the health of the DC. Check the events with warnings or errors and resolve anything that needs to be resolved.

Event Logs:

  • Directory Service
  • DFS Replication
  • File Replication Service
  • DNS Server
  • Application
  • System
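
An added example (not from the post) that runs checks [1] to [4] above in one go on the new DC, using the AD, SMB and event-log cmdlets that ship with W2K12R2. The tombstone lifetime is read from the forest configuration; the event IDs, log names and share names are the ones the post lists, and the 24-hour window for check [4] is an assumption.

```powershell
Import-Module ActiveDirectory

function Test-NewDcHealth {
    param([string]$Dc = $env:COMPUTERNAME)

    # [1] Replication: every partner's last success must be within the tombstone lifetime and
    #     the last result must be 0. An unset tombstoneLifetime attribute means 60 days.
    $rootDse = Get-ADRootDSE -Server $Dc
    $tsl = (Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
                -Properties tombstoneLifetime -Server $Dc).tombstoneLifetime
    if (-not $tsl) { $tsl = 60 }
    $partners = @(Get-ADReplicationPartnerMetadata -Target $Dc -PartnerType Both)
    $stale = @($partners | Where-Object {
        $_.LastReplicationResult -ne 0 -or $_.LastReplicationSuccess -lt (Get-Date).AddDays(-$tsl)
    })

    # [2] GC build finished and advertising: Directory Service event 1119
    $gcEvent = Get-WinEvent -ComputerName $Dc -FilterHashtable @{LogName='Directory Service'; Id=1119} `
                   -MaxEvents 1 -ErrorAction SilentlyContinue

    # [3] SYSVOL initialized: DFS Replication event 4604, plus the NETLOGON and SYSVOL shares
    $sysvolEvent = Get-WinEvent -ComputerName $Dc -FilterHashtable @{LogName='DFS Replication'; Id=4604} `
                       -MaxEvents 1 -ErrorAction SilentlyContinue
    $shares = @(Get-SmbShare -CimSession $Dc -Name NETLOGON, SYSVOL -ErrorAction SilentlyContinue)

    # [4] Warnings and errors in the logs the post lists (last 24 hours, assumed window);
    #     logs are queried one by one so a log that does not exist on this DC is simply skipped
    $logs = 'Directory Service', 'DFS Replication', 'File Replication Service', 'DNS Server', 'Application', 'System'
    $problems = foreach ($log in $logs) {
        Get-WinEvent -ComputerName $Dc -FilterHashtable @{LogName=$log; Level=1,2,3; StartTime=(Get-Date).AddDays(-1)} `
            -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        DC                       = $Dc
        TombstoneLifetimeDays    = $tsl
        ReplicationPartners      = $partners.Count
        StaleOrFailedPartners    = $stale.Count
        ReplicationHealthy       = ($partners.Count -gt 0 -and $stale.Count -eq 0)
        AdvertisingAsGC          = [bool]$gcEvent
        SysvolInitialized        = [bool]$sysvolEvent
        NetlogonAndSysvolShared  = ($shares.Count -eq 2)
        WarningsAndErrorsLast24h = @($problems).Count
    }
}

Test-NewDcHealth | Format-List
```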

[5] Run DCDIAG

To do this, execute: DCDIAG /C /D /V

image

Figure 6: DCDIAG Verbose Output

-

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server…
   * Verifying that the local machine C1FSRWDC1, is a Directory Server.
   Home Server = C1FSRWDC1
   * Connecting to directory service on server C1FSRWDC1.
   * Identified AD Forest.
   Collecting AD specific global data
   * Collecting site info.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),…….
   The previous call succeeded
   Iterating through the sites
   Looking at base site object: CN=NTDS Site Settings,CN=BRANCH01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=BRANCH02,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=DMZ,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
   Getting ISTG and options for the site
   * Identifying all servers.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),…….
   The previous call succeeded….
   The previous call succeeded
   Iterating through the list of servers
   Getting information for the server CN=NTDS Settings,CN=R1FSRWDC2,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=C1FSRWDC2,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=R1FSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=C1FSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.
   * Found 4 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests
  
   Testing server: DTCNTR01\C1FSRWDC1
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         * Active Directory RPC Services Check
         ……………………. C1FSRWDC1 passed test Connectivity

Doing primary tests
  
   Testing server: DTCNTR01\C1FSRWDC1
      Starting test: Advertising
         The DC C1FSRWDC1 is advertising itself as a DC and having a DS.
         The DC C1FSRWDC1 is advertising as an LDAP server
         The DC C1FSRWDC1 is advertising as having a writeable directory
         The DC C1FSRWDC1 is advertising as a Key Distribution Center
         The DC C1FSRWDC1 is advertising as a time server
         The DS C1FSRWDC1 is advertising as a GC.
         ……………………. C1FSRWDC1 passed test Advertising
      Starting test: CheckSecurityError
         * Dr Auth:  Beginning security errors check!
         Found KDC C1FSRWDC1 for domain CHILD.ADCORP.LAB in site DTCNTR01
         Checking machine account for DC C1FSRWDC1 on DC C1FSRWDC1.
         * SPN found :LDAP/C1FSRWDC1.CHILD.ADCORP.LAB/CHILD.ADCORP.LAB
         * SPN found :LDAP/C1FSRWDC1.CHILD.ADCORP.LAB
         * SPN found :LDAP/C1FSRWDC1
         * SPN found :LDAP/C1FSRWDC1.CHILD.ADCORP.LAB/CHILD
         * SPN found :LDAP/227b8ded-a71a-44a7-80d3-184f44f49957._msdcs.ADCORP.LAB
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/227b8ded-a71a-44a7-80d3-184f44f49957/CHILD.ADCORP.LAB
         * SPN found :HOST/C1FSRWDC1.CHILD.ADCORP.LAB/CHILD.ADCORP.LAB
         * SPN found :HOST/C1FSRWDC1.CHILD.ADCORP.LAB
         * SPN found :HOST/C1FSRWDC1
         * SPN found :HOST/C1FSRWDC1.CHILD.ADCORP.LAB/CHILD
         * SPN found :GC/C1FSRWDC1.CHILD.ADCORP.LAB/ADCORP.LAB
         [C1FSRWDC1] No security related replication errors were found on this
         DC!  To target the connection to a specific source DC use
         /ReplSource:<DC>.
         ……………………. C1FSRWDC1 passed test CheckSecurityError
      Starting test: CutoffServers
         * Configuration Topology Aliveness Check
         * Analyzing the alive system replication topology for DC=ForestDnsZones,DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for DC=DomainDnsZones,DC=CHILD,DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for DC=CHILD,DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for CN=Configuration,DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         ……………………. C1FSRWDC1 passed test CutoffServers
      Starting test: FrsEvent
         * The File Replication Service Event log test
         Skip the test because the server is running DFSR.
         ……………………. C1FSRWDC1 passed test FrsEvent
      Starting test: DFSREvent
         The DFS Replication Event Log.
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         An error event occurred.  EventID: 0xC00004B2
            Time Generated: 08/07/2014   01:27:17
            Event String:
            The DFS Replication service failed to contact domain controller  to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
            
            Additional Information:
            Error: 1355 (The specified domain either does not exist or could not be contacted.)
         An error event occurred.  EventID: 0xC00004B2
            Time Generated: 08/07/2014   01:44:39
            Event String:
            The DFS Replication service failed to contact domain controller  to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
            
            Additional Information:
            Error: 1355 (The specified domain either does not exist or could not be contacted.)
         A warning event occurred.  EventID: 0x80001780
            Time Generated: 08/07/2014   01:59:24
            Event String:
            The DFS Replication service failed to update configuration in Active Directory Domain Services. The service will retry this operation periodically.
            
            Additional Information:
            Object Category: msDFSR-LocalSettings
            Object DN: CN=DFSR-LocalSettings,CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB
            Error: 2 (The system cannot find the file specified.)
            Domain Controller: C1FSRWDC2.CHILD.ADCORP.LAB
            Polling Cycle: 60
         A warning event occurred.  EventID: 0x80001A94
            Time Generated: 08/07/2014   01:59:24
            Event String:
            The DFS Replication service has detected that no connections are configured for replication group Domain System Volume. No data is being replicated for this replication group.
            
            Additional Information:
            Replication Group ID: 1CED6656-CE5C-43B6-9F18-288417F99AF5
            Member ID: D840EF8E-56EC-47CF-B19D-87CFA2C8BABB
         A warning event occurred.  EventID: 0x80001206
            Time Generated: 08/07/2014   01:59:25
            Event String:
            The DFS Replication service initialized SYSVOL at local path D:\AD\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner C1FSRWDC2.CHILD.ADCORP.LAB. If the server was in the process of being promoted to a domain controller, the domain controller will not advertize and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the synchronization partner. If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers.
            
            Additional Information:
            Replicated Folder Name: SYSVOL Share
            Replicated Folder ID: E59797D1-0652-4D1F-8ACF-4AB0D2DA8632
            Replication Group Name: Domain System Volume
            Replication Group ID: 1CED6656-CE5C-43B6-9F18-288417F99AF5
            Member ID: D840EF8E-56EC-47CF-B19D-87CFA2C8BABB
            Read-Only: 0
         ……………………. C1FSRWDC1 failed test DFSREvent
      Starting test: SysVolCheck
         * The File Replication Service SYSVOL ready test
         File Replication Service’s SYSVOL is ready
         ……………………. C1FSRWDC1 passed test SysVolCheck
      Starting test: FrsSysVol
         * The File Replication Service SYSVOL ready test
         File Replication Service’s SYSVOL is ready
         ……………………. C1FSRWDC1 passed test FrsSysVol
      Starting test: KccEvent
         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ……………………. C1FSRWDC1 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=R1FSRWDC2,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
         Role Domain Owner = CN=NTDS Settings,CN=R1FSRWDC2,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
         Role PDC Owner = CN=NTDS Settings,CN=C1FSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
         Role Rid Owner = CN=NTDS Settings,CN=C1FSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=C1FSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
         ……………………. C1FSRWDC1 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         Checking machine account for DC C1FSRWDC1 on DC C1FSRWDC1.
         * SPN found :LDAP/C1FSRWDC1.CHILD.ADCORP.LAB/CHILD.ADCORP.LAB
         * SPN found :LDAP/C1FSRWDC1.CHILD.ADCORP.LAB
         * SPN found :LDAP/C1FSRWDC1
         * SPN found :LDAP/C1FSRWDC1.CHILD.ADCORP.LAB/CHILD
         * SPN found :LDAP/227b8ded-a71a-44a7-80d3-184f44f49957._msdcs.ADCORP.LAB
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/227b8ded-a71a-44a7-80d3-184f44f49957/CHILD.ADCORP.LAB
         * SPN found :HOST/C1FSRWDC1.CHILD.ADCORP.LAB/CHILD.ADCORP.LAB
         * SPN found :HOST/C1FSRWDC1.CHILD.ADCORP.LAB
         * SPN found :HOST/C1FSRWDC1
         * SPN found :HOST/C1FSRWDC1.CHILD.ADCORP.LAB/CHILD
         * SPN found :GC/C1FSRWDC1.CHILD.ADCORP.LAB/ADCORP.LAB
         ……………………. C1FSRWDC1 passed test MachineAccount
      Starting test: NCSecDesc
         * Security Permissions check for all NC’s on DC C1FSRWDC1.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=ADCORP,DC=LAB
            (NDNC,Version 3)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=CHILD,DC=ADCORP,DC=LAB
            (NDNC,Version 3)
         * Security Permissions Check for
           DC=CHILD,DC=ADCORP,DC=LAB
            (Domain,Version 3)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=ADCORP,DC=LAB
            (Schema,Version 3)
         * Security Permissions Check for
           CN=Configuration,DC=ADCORP,DC=LAB
            (Configuration,Version 3)
         * Security Permissions Check for
           DC=ADCORP,DC=LAB
            (Domain,Version 3)
         ……………………. C1FSRWDC1 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\C1FSRWDC1\netlogon
         Verified share \\C1FSRWDC1\sysvol
         ……………………. C1FSRWDC1 passed test NetLogons
      Starting test: ObjectsReplicated
         C1FSRWDC1 is in domain DC=CHILD,DC=ADCORP,DC=LAB
         Checking for CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB in domain DC=CHILD,DC=ADCORP,DC=LAB on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=C1FSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB in domain CN=Configuration,DC=ADCORP,DC=LAB on 1 servers
            Object is up-to-date on all servers.
         ……………………. C1FSRWDC1 passed test ObjectsReplicated
      Starting test: OutboundSecureChannels
         * The Outbound Secure Channels test
         ** Did not run Outbound Secure Channels test because /testdomain: was
         not entered
         ……………………. C1FSRWDC1 passed test OutboundSecureChannels
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=ADCORP,DC=LAB
               Latency information for 25 entries in the vector were ignored.
                  25 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc.  0 had no latency information (Win2K DC). 
            CN=Schema,CN=Configuration,DC=ADCORP,DC=LAB
               Latency information for 25 entries in the vector were ignored.
                  25 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc.  0 had no latency information (Win2K DC). 
            CN=Configuration,DC=ADCORP,DC=LAB
               Latency information for 25 entries in the vector were ignored.
                  25 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc.  0 had no latency information (Win2K DC). 
            DC=ADCORP,DC=LAB
               Latency information for 16 entries in the vector were ignored.
                  15 were retired Invocations.  1 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc.  0 had no latency information (Win2K DC). 
            DC=DomainDnsZones,DC=CHILD,DC=ADCORP,DC=LAB
               Latency information for 12 entries in the vector were ignored.
                  12 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc.  0 had no latency information (Win2K DC). 
            DC=CHILD,DC=ADCORP,DC=LAB
               Latency information for 12 entries in the vector were ignored.
                  12 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc.  0 had no latency information (Win2K DC). 
         ……………………. C1FSRWDC1 passed test Replications
      Starting test: RidManager
         * Available RID Pool for the Domain is 30607 to 1073741823
         * C1FSRWDC1.CHILD.ADCORP.LAB is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 30107 to 30606
         * rIDPreviousAllocationPool is 30107 to 30606
         * rIDNextRID: 30107
         ……………………. C1FSRWDC1 passed test RidManager
      Starting test: Services
         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: DFSR
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ……………………. C1FSRWDC1 passed test Services
      Starting test: SystemLog
         * The System Event log test
         Found no errors in "System" Event log in the last 60 minutes.
         ……………………. C1FSRWDC1 passed test SystemLog
      Starting test: Topology
         * Configuration Topology Integrity Check
         * Analyzing the connection topology for DC=ForestDnsZones,DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for DC=DomainDnsZones,DC=CHILD,DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for DC=CHILD,DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for CN=Schema,CN=Configuration,DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for CN=Configuration,DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         ……………………. C1FSRWDC1 passed test Topology
      Starting test: VerifyEnterpriseReferences
         ……………………. C1FSRWDC1 passed test
         VerifyEnterpriseReferences
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB and
         backlink on
         CN=C1FSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
         are correct.
         The system object reference (serverReferenceBL)
         CN=C1FSRWDC1,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=CHILD,DC=ADCORP,DC=LAB
         and backlink on
         CN=NTDS Settings,CN=C1FSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
         are correct.
         The system object reference (msDFSR-ComputerReferenceBL)
         CN=C1FSRWDC1,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=CHILD,DC=ADCORP,DC=LAB
         and backlink on
         CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB are
         correct.
         ……………………. C1FSRWDC1 passed test VerifyReferences
      Starting test: VerifyReplicas
         ……………………. C1FSRWDC1 passed test VerifyReplicas
  
      Starting test: DNS
        
         DNS Tests are running and not hung. Please wait a few minutes…
         See DNS test in enterprise tests section for results
         ……………………. C1FSRWDC1 passed test DNS
  
   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ……………………. ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ……………………. ForestDnsZones passed test
         CrossRefValidation
  
   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ……………………. DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ……………………. DomainDnsZones passed test
         CrossRefValidation
  
   Running partition tests on : CHILD
      Starting test: CheckSDRefDom
         ……………………. CHILD passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ……………………. CHILD passed test CrossRefValidation
  
   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ……………………. Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ……………………. Schema passed test CrossRefValidation
  
   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ……………………. Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ……………………. Configuration passed test CrossRefValidation
  
   Running enterprise tests on : ADCORP.LAB
      Starting test: DNS
         Test results for domain controllers:
           
            DC: C1FSRWDC1.CHILD.ADCORP.LAB
            Domain: CHILD.ADCORP.LAB
           
                 
               TEST: Authentication (Auth)
                  Authentication test: Successfully completed
                 
               TEST: Basic (Basc)
                  The OS
                  Microsoft Windows Server 2012 R2 Datacenter (Service Pack level: 0.0)
                  is supported.
                  NETLOGON service is running
                  kdc service is running
                  DNSCACHE service is running
                  DNS service is running
                  DC is a DNS server
                  Network adapters information:
                  Adapter [00000010] Intel(R) PRO/1000 MT Network Connection:
                     MAC address is 00:0C:29:9E:4E:46
                     IP Address is static
                     IP address: 10.1.1.11
                     DNS servers:
                        10.1.1.11 (C1FSRWDC1) [Valid]
                        10.1.1.1 (<name unavailable>) [Valid]
                        127.0.0.1 (C1FSRWDC1) [Valid]
                  The A host record(s) for this DC was found
                  The SOA record for the Active Directory zone was found
                  The Active Directory zone on this DC/DNS server was found primary
                  Root zone on this DC/DNS server was not found
                 
               TEST: Forwarders/Root hints (Forw)
                  Recursion is enabled
                  Forwarders Information:
                     10.1.1.254 (<name unavailable>) [Invalid (unreachable)]
                     Error: All forwarders in the forwarder list are invalid.
                  Root hint Information:
                     Name: a.root-servers.net. IP: 198.41.0.4 [Invalid (unreachable)]
                     Name: b.root-servers.net. IP: 128.9.0.107 [Invalid (unreachable)]
                     Name: c.root-servers.net. IP: 192.33.4.12 [Invalid (unreachable)]
                     Name: d.root-servers.net. IP: 128.8.10.90 [Invalid (unreachable)]
                     Name: e.root-servers.net. IP: 192.203.230.10 [Invalid (unreachable)]
                     Name: f.root-servers.net. IP: 192.5.5.241 [Invalid (unreachable)]
                     Name: g.root-servers.net. IP: 192.112.36.4 [Invalid (unreachable)]
                     Name: h.root-servers.net. IP: 128.63.2.53 [Invalid (unreachable)]
                     Name: i.root-servers.net. IP: 192.36.148.17 [Invalid (unreachable)]
                     Name: j.root-servers.net. IP: 192.58.128.30 [Invalid (unreachable)]
                     Name: k.root-servers.net. IP: 193.0.14.129 [Invalid (unreachable)]
                     Name: l.root-servers.net. IP: 198.32.64.12 [Invalid (unreachable)]
                     Name: m.root-servers.net. IP: 202.12.27.33 [Invalid (unreachable)]
                  Error: Both root hints and forwarders are not configured or
                  broken. Please make sure at least one of them works.
                 
               TEST: Delegations (Del)
                  No delegations were found in this zone on this DNS server
                 
               TEST: Dynamic update (Dyn)
                  Test record dcdiag-test-record added successfully in zone CHILD.ADCORP.LAB
                  Test record dcdiag-test-record deleted successfully in zone CHILD.ADCORP.LAB
                 
               TEST: Records registration (RReg)
                  Network Adapter
                  [00000010] Intel(R) PRO/1000 MT Network Connection:
                     Matching CNAME record found at DNS server 10.1.1.11:
                     227b8ded-a71a-44a7-80d3-184f44f49957._msdcs.ADCORP.LAB

                     Matching A record found at DNS server 10.1.1.11:
                     C1FSRWDC1.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.d38f52d2-f045-485a-af19-105ca6d9683f.domains._msdcs.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kerberos._tcp.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kerberos._tcp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kerberos._udp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kpasswd._tcp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.DTCNTR01._sites.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kerberos._tcp.DTCNTR01._sites.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.DTCNTR01._sites.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kerberos._tcp.DTCNTR01._sites.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.gc._msdcs.ADCORP.LAB

                     Matching A record found at DNS server 10.1.1.11:
                     gc._msdcs.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _gc._tcp.DTCNTR01._sites.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.DTCNTR01._sites.gc._msdcs.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.pdc._msdcs.CHILD.ADCORP.LAB

                     Matching CNAME record found at DNS server 10.1.1.1:
                     227b8ded-a71a-44a7-80d3-184f44f49957._msdcs.ADCORP.LAB

                     Matching A record found at DNS server 10.1.1.1:
                     C1FSRWDC1.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _ldap._tcp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _ldap._tcp.d38f52d2-f045-485a-af19-105ca6d9683f.domains._msdcs.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _kerberos._tcp.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _ldap._tcp.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _kerberos._tcp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _kerberos._udp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _kpasswd._tcp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _ldap._tcp.DTCNTR01._sites.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _kerberos._tcp.DTCNTR01._sites.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _ldap._tcp.DTCNTR01._sites.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _kerberos._tcp.DTCNTR01._sites.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _ldap._tcp.gc._msdcs.ADCORP.LAB

                     Matching A record found at DNS server 10.1.1.1:
                     gc._msdcs.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _gc._tcp.DTCNTR01._sites.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _ldap._tcp.DTCNTR01._sites.gc._msdcs.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _ldap._tcp.pdc._msdcs.CHILD.ADCORP.LAB

                     Matching CNAME record found at DNS server 10.1.1.11:
                     227b8ded-a71a-44a7-80d3-184f44f49957._msdcs.ADCORP.LAB

                     Matching A record found at DNS server 10.1.1.11:
                     C1FSRWDC1.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.d38f52d2-f045-485a-af19-105ca6d9683f.domains._msdcs.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kerberos._tcp.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kerberos._tcp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kerberos._udp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kpasswd._tcp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.DTCNTR01._sites.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kerberos._tcp.DTCNTR01._sites.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.DTCNTR01._sites.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kerberos._tcp.DTCNTR01._sites.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.gc._msdcs.ADCORP.LAB

                     Matching A record found at DNS server 10.1.1.11:
                     gc._msdcs.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _gc._tcp.DTCNTR01._sites.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.DTCNTR01._sites.gc._msdcs.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.pdc._msdcs.CHILD.ADCORP.LAB

        
         Summary of test results for DNS servers used by the above domain
         controllers:
        
            DNS server: 10.1.1.254 (<name unavailable>)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 10.1.1.254               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 10.1.1.254
               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
              
            DNS server: 128.63.2.53 (h.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 128.63.2.53
               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
              
            DNS server: 128.8.10.90 (d.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 128.8.10.90
               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
              
            DNS server: 128.9.0.107 (b.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.9.0.107               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 128.9.0.107
               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
              
            DNS server: 192.112.36.4 (g.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.112.36.4               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 192.112.36.4
               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
              
            DNS server: 192.203.230.10 (e.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.203.230.10               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 192.203.230.10
               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
              
            DNS server: 192.33.4.12 (c.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.33.4.12               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 192.33.4.12
               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
              
            DNS server: 192.36.148.17 (i.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.36.148.17               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 192.36.148.17
               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
              
            DNS server: 192.5.5.241 (f.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.5.5.241               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 192.5.5.241
               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
              
            DNS server: 192.58.128.30 (j.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.58.128.30               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 192.58.128.30
               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
              
            DNS server: 193.0.14.129 (k.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 193.0.14.129               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 193.0.14.129
               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
              
            DNS server: 198.32.64.12 (l.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.32.64.12               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 198.32.64.12
               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
              
            DNS server: 198.41.0.4 (a.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 198.41.0.4
               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
              
            DNS server: 202.12.27.33 (m.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 202.12.27.33               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 202.12.27.33
               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
              
            DNS server: 10.1.1.1 (<name unavailable>)
               All tests passed on this DNS server
               Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
              
            DNS server: 10.1.1.11 (C1FSRWDC1)
               All tests passed on this DNS server
               Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
              
         Summary of DNS test results:
        
                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: CHILD.ADCORP.LAB
               C1FSRWDC1                    PASS PASS FAIL PASS PASS PASS n/a 
        
         ......................... ADCORP.LAB failed test DNS
      Starting test: LocatorCheck
         GC Name: \\C1FSRWDC1.CHILD.ADCORP.LAB
         Locator Flags: 0xe000f1fd
         PDC Name: \\C1FSRWDC1.CHILD.ADCORP.LAB
         Locator Flags: 0xe000f1fd
         Time Server Name: \\C1FSRWDC1.CHILD.ADCORP.LAB
         Locator Flags: 0xe000f1fd
         Preferred Time Server Name: \\C1FSRWDC1.CHILD.ADCORP.LAB
         Locator Flags: 0xe000f1fd
         KDC Name: \\C1FSRWDC1.CHILD.ADCORP.LAB
         Locator Flags: 0xe000f1fd
         ......................... ADCORP.LAB passed test LocatorCheck
      Starting test: FsmoCheck
         GC Name: \\C1FSRWDC1.CHILD.ADCORP.LAB
         Locator Flags: 0xe000f1fd
         PDC Name: \\C1FSRWDC1.CHILD.ADCORP.LAB
         Locator Flags: 0xe000f1fd
         Time Server Name: \\C1FSRWDC1.CHILD.ADCORP.LAB
         Locator Flags: 0xe000f1fd
         Preferred Time Server Name: \\C1FSRWDC1.CHILD.ADCORP.LAB
         Locator Flags: 0xe000f1fd
         KDC Name: \\C1FSRWDC1.CHILD.ADCORP.LAB
         Locator Flags: 0xe000f1fd
         ......................... ADCORP.LAB passed test FsmoCheck
      Starting test: Intersite
         Skipping site BRANCH01, this site is outside the scope provided by the
         command line arguments provided.
         Skipping site BRANCH02, this site is outside the scope provided by the
         command line arguments provided.
         Skipping site DMZ, this site is outside the scope provided by the
         command line arguments provided.
         Skipping site DTCNTR01, this site is outside the scope provided by the
         command line arguments provided.
         ......................... ADCORP.LAB passed test Intersite

-

Additional Information:

-

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Promotion/Demotion, Replication, SYSVOL

(2014-09-17) Finding Conflicting Objects In Your AD

Posted by Jorge on 2014-09-17


You might have seen it in your own AD or in somebody else’s AD: conflicting/duplicate objects. Those objects are exactly the same objects, created on different RWDCs at nearly the same time. After replication kicks in and those conflicting/duplicate objects replicate to the other RWDCs, AD replication applies its own conflict resolution mechanism to ensure every object is and remains unique.

So, let’s say you create the object "CN=TestObject,OU=MyOU,DC=DOMAIN,DC=COM" on 2 different RWDCs at (nearly) the same time. After AD replication has converged you will see the following objects:

  1. "CN=TestObjectACNF:4862d44c-76ab-41b7-bac8-8682900e661b,OU=MyOU,DC=DOMAIN,DC=COM"
  2. "CN=TestObject,OU=MyOU,DC=DOMAIN,DC=COM"

-

[1] is the first created object and [2] is the last created object. The object created last is always the one that does not have ACNF:<objectGUID> in its CN/RDN. AD puts ACNF:<objectGUID> in the CN/RDN of the other one, telling us it is a CONflict object and making sure its name is unique in the container that also holds the other object.

-

The following PowerShell script helps you find these objects in your AD forest. Based upon the information shown for the objects you need to determine yourself which of the two objects should be removed and which one can remain in AD.

-

# Clear The Screen
Clear-Host

# Checking Number Of Arguments
$numArgs = $args.count
$arg0 = $args[0]

# Discovering A GC Retrieving Its DNS HostName
$dnsHostNameGC = (Get-ADDomainController -Service GlobalCatalog -Discover:$true).HostName[0]
$gcHostPort = $dnsHostNameGC + ":3268"
$dsContextDC = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("DirectoryServer",$dnsHostNameGC)
$dc = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($dsContextDC)

# General Execution Of Script
# No argument: every conflicting object; "computer" or "user": only that class, with pwdLastSet
If ($numArgs -eq 0) {
    $listOfConflictingObjects = Get-ADObject -server $gcHostPort -LDAPFilter '(name=*CNF:*)'
}
If ($numArgs -eq 1) {
    If ($arg0.ToLower() -eq "computer") {
        $listOfConflictingObjects = Get-ADComputer -server $gcHostPort -LDAPFilter '(name=*CNF:*)' -Properties pwdLastSet
    }
    If ($arg0.ToLower() -eq "user") {
        $listOfConflictingObjects = Get-ADUser -server $gcHostPort -LDAPFilter '(name=*CNF:*)' -Properties pwdLastSet
    }
}
If ($listOfConflictingObjects -ne $null) {
    $listOfDuplicates = @()
    $listOfConflictingObjects | %{
        # The conflict (CNF) object itself
        $objCNF = $_
        $dnCNFobj = $objCNF.DistinguishedName
        $classCNFobj = $_.ObjectClass
        $guidCNFobj = $_.ObjectGUID
        If ($numArgs -eq 1 -And ($arg0.ToLower() -eq "computer" -Or $arg0.ToLower() -eq "user")) {
            $sAMAccountCNFobj = $_.SamAccountName
            $pwdLastSetCNFobj = $_.pwdLastSet
            If ($pwdLastSetCNFobj -ne $null){
                $pwdLastSetCNFobj = Get-Date -Date ([DateTime]::FromFileTime([Int64]::Parse($pwdLastSetCNFobj))) -Format "yyyy-MM-dd HH:mm:ss"
            } Else {
                $pwdLastSetCNFobj = "---"
            }
        }
        # Replication metadata of objectClass tells which DC originated the create, and when
        $objCNFMetadata = $dc.GetReplicationMetadata($dnCNFobj)
        $objCNFOrigSrv = $objCNFMetadata | %{($_.objectclass).OriginatingServer}
        $objCNFOrigTime = $objCNFMetadata | %{($_.objectclass).LastOriginatingChangeTime}
        # Derive the DN of the original (ORG) object by cutting the "\0ACNF:<objectGUID>" part out of the RDN
        $dnORGobj = $dnCNFobj.Substring(0,$dnCNFobj.IndexOf("\")) + $dnCNFobj.Substring($dnCNFobj.IndexOf(","))
        If ($numArgs -eq 0) {
            $objORG = Get-ADObject -server $gcHostPort -Identity $dnORGobj
        }
        If ($numArgs -eq 1) {
            If ($arg0.ToLower() -eq "computer") {
                $objORG = Get-ADComputer -server $gcHostPort -Identity $dnORGobj -Properties pwdLastSet
            }
            If ($arg0.ToLower() -eq "user") {
                $objORG = Get-ADUser -server $gcHostPort -Identity $dnORGobj -Properties pwdLastSet
            }
        }
        $dnORGobj = $null
        $classORGobj = $null
        $guidORGobj = $null
        $sAMAccountORGobj = $null
        $pwdLastSetORGobj = $null
        $objORGMetadata = $null
        If ($objORG -ne $null) {
            $dnORGobj = $objORG.DistinguishedName
            $classORGobj = $objORG.ObjectClass
            $guidORGobj = $objORG.ObjectGUID
            If ($numArgs -eq 1 -And ($arg0.ToLower() -eq "computer" -Or $arg0.ToLower() -eq "user")) {
                $sAMAccountORGobj = $objORG.SamAccountName
                $pwdLastSetORGobj = $objORG.pwdLastSet
                If ($pwdLastSetORGobj -ne $null){
                    $pwdLastSetORGobj = Get-Date -Date ([DateTime]::FromFileTime([Int64]::Parse($pwdLastSetORGobj))) -Format "yyyy-MM-dd HH:mm:ss"
                } Else {
                    $pwdLastSetORGobj = "---"
                }
            }
            $objORGMetadata = $dc.GetReplicationMetadata($dnORGobj)
            $objORGOrigSrv = $objORGMetadata | %{($_.objectclass).OriginatingServer}
            $objORGOrigTime = $objORGMetadata | %{($_.objectclass).LastOriginatingChangeTime}
        } Else {
            $dnORGobj = "Does Not Exist"
            $classORGobj = "Does Not Exist"
            $guidORGobj = "Does Not Exist"
            If ($numArgs -eq 1 -And ($arg0.ToLower() -eq "computer" -Or $arg0.ToLower() -eq "user")) {
                $sAMAccountORGobj = "Does Not Exist"
                $pwdLastSetORGobj = "Does Not Exist"
            }
            $objORGOrigSrv = "Does Not Exist"
            $objORGOrigTime = "Does Not Exist"
        }
        # Build the output record (the account columns only exist for computer/user runs)
        If ($numArgs -eq 0) {
            $adObj = "" | Select "> > >DN (CNF)..........","objectClass (CNF)......","objectGUID (CNF).......","Originating DC (CNF)...","Originating Time (CNF).","> > >DN (ORG)..........","objectClass (ORG)......","objectGUID (ORG).......","Originating DC (ORG)...","Originating Time (ORG)."
        }
        If ($numArgs -eq 1 -And ($arg0.ToLower() -eq "computer" -Or $arg0.ToLower() -eq "user")) {
            $adObj = "" | Select "> > >DN (CNF)..........","objectClass (CNF)......","objectGUID (CNF).......","Account Name (CNF).....","PWD Last Set (CNF).....","Originating DC (CNF)...","Originating Time (CNF).","> > >DN (ORG)..........","objectClass (ORG)......","objectGUID (ORG).......","Account Name (ORG).....","PWD Last Set (ORG).....","Originating DC (ORG)...","Originating Time (ORG)."
        }
        $adObj."> > >DN (CNF).........." = $dnCNFobj
        $adObj."objectClass (CNF)......" = $classCNFobj
        $adObj."objectGUID (CNF)......." = $guidCNFobj
        If ($numArgs -eq 1 -And ($arg0.ToLower() -eq "computer" -Or $arg0.ToLower() -eq "user")) {
            $adObj."Account Name (CNF)....." = $sAMAccountCNFobj
            $adObj."PWD Last Set (CNF)....." = $pwdLastSetCNFobj
        }
        $adObj."Originating DC (CNF)..." = $objCNFOrigSrv
        $adObj."Originating Time (CNF)." = $objCNFOrigTime
        $adObj."> > >DN (ORG).........." = $dnORGobj
        $adObj."objectClass (ORG)......" = $classORGobj
        $adObj."objectGUID (ORG)......." = $guidORGobj
        If ($numArgs -eq 1 -And ($arg0.ToLower() -eq "computer" -Or $arg0.ToLower() -eq "user")) {
            $adObj."Account Name (ORG)....." = $sAMAccountORGobj
            $adObj."PWD Last Set (ORG)....." = $pwdLastSetORGobj
        }
        $adObj."Originating DC (ORG)..." = $objORGOrigSrv
        $adObj."Originating Time (ORG)." = $objORGOrigTime
        $listOfDuplicates += $adObj
    }
    Write-Host ""
    If ($numArgs -eq 0) {
        Write-Host "LIST OF DUPLICATE/CONFLICTING OBJECTS IN THE AD FOREST" -Foregroundcolor Cyan
    }
    If ($numArgs -eq 1 -And $arg0.ToLower() -eq "computer") {
        Write-Host "LIST OF DUPLICATE/CONFLICTING COMPUTER OBJECTS IN THE AD FOREST" -Foregroundcolor Cyan
    }
    If ($numArgs -eq 1 -And $arg0.ToLower() -eq "user") {
        Write-Host "LIST OF DUPLICATE/CONFLICTING USER OBJECTS IN THE AD FOREST" -Foregroundcolor Cyan
    }
    $listOfDuplicates | FL
} Else {
    Write-Host "NO DUPLICATE/CONFLICTING OBJECTS DETECTED IN THE AD FOREST" -Foregroundcolor Green
}

-

The following is an example result when executing the script as: .\Retrieve-List-Of-Conflicting-Objects.ps1


Figure 1: Detecting Conflicting/Duplicate Objects In The AD Forest

-

The following is an example result when executing the script as: .\Retrieve-List-Of-Conflicting-Objects.ps1 computer


Figure 2: Detecting Conflicting/Duplicate Computer Objects In The AD Forest

-

The following is an example result when executing the script as: .\Retrieve-List-Of-Conflicting-Objects.ps1 user


Figure 3: Detecting Conflicting/Duplicate User Objects In The AD Forest

-

Get the PowerShell code from here.
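As an added example that is not part of the post or its script, the following PowerShell separates a conflict DN into the original DN and the embedded objectGUID, and then fetches the originating DC and time of the create for both twins. A conflict object's DN has the form CN=<name>\0ACNF:<objectGUID>,<parent>, where "\0A" is the DN escape for the newline AD inserts in front of "CNF:"; the regular expression keys on that marker and on the 36-character GUID rather than on the first comma, so names that contain escaped commas still parse correctly. It uses Get-ADReplicationAttributeMetadata from the Windows Server 2012 (or later) ActiveDirectory module instead of the DomainController.GetReplicationMetadata() call in the post. The function names are mine, the sample DN is the one from the post, and the default of querying the discovered GC assumes that GC holds the objects in question (for objects of another domain, point -Server at a DC of that domain).

```powershell
# Added example, not the post's own script. Assumes the ActiveDirectory module
# from Windows Server 2012 or later (Get-ADReplicationAttributeMetadata) and a
# reachable global catalog; the function names are hypothetical.

function ConvertFrom-ConflictDN {
    # A conflict object's DN looks like  CN=<name>\0ACNF:<objectGUID>,<parent>
    # where "\0A" is the DN escape for the newline AD inserts in front of "CNF:".
    # Keying on that marker plus the 36-character GUID (instead of on the first
    # comma) keeps names that contain escaped commas intact.
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)

    $pattern = '^(?<prefix>CN=.*?)\\0ACNF:(?<guid>[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})(?<rest>,.*)$'
    $m = [regex]::Match($DistinguishedName, $pattern)
    if (-not $m.Success) { return $null }          # not a conflict object
    [pscustomobject]@{
        ConflictDN   = $DistinguishedName
        OriginalDN   = $m.Groups['prefix'].Value + $m.Groups['rest'].Value
        ConflictGUID = [guid]$m.Groups['guid'].Value
    }
}

function Get-ConflictObjectOrigin {
    # Returns one record per twin (the CNF copy and the surviving original) with
    # the DC and time that originated the create. objectClass is written exactly
    # once, at creation, so its attribute metadata is the create record.
    param(
        [Parameter(Mandatory = $true)][string]$ConflictDN,
        [string]$Server = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName[0]
    )
    $parsed = ConvertFrom-ConflictDN -DistinguishedName $ConflictDN
    if ($null -eq $parsed) { throw "Not a conflict DN: $ConflictDN" }

    foreach ($dn in @($parsed.ConflictDN, $parsed.OriginalDN)) {
        # GC port so that objects from any domain in the forest resolve; a missing
        # twin (already cleaned up) is reported rather than aborting the loop
        try {
            $obj = Get-ADObject -Identity $dn -Server "$($Server):3268" -Properties whenCreated -ErrorAction Stop
        } catch {
            $obj = $null
        }
        if ($null -eq $obj) {
            [pscustomobject]@{
                DistinguishedName = $dn
                Exists            = $false
                IsConflictCopy    = ($dn -eq $parsed.ConflictDN)
                ObjectClass       = $null
                WhenCreated       = $null
                OriginatingDC     = $null
                OriginatingTime   = $null
            }
            continue
        }
        $md = Get-ADReplicationAttributeMetadata -Object $dn -Server $Server -Properties objectClass
        [pscustomobject]@{
            DistinguishedName = $dn
            Exists            = $true
            IsConflictCopy    = ($dn -eq $parsed.ConflictDN)
            ObjectClass       = $obj.ObjectClass
            WhenCreated       = $obj.whenCreated
            OriginatingDC     = $md.LastOriginatingChangeDirectoryServerIdentity
            OriginatingTime   = $md.LastOriginatingChangeTime
        }
    }
}

# Constructed sample: the DN from the post, with the \0A escape spelled out.
$sampleDN = 'CN=TestObject\0ACNF:4862d44c-76ab-41b7-bac8-8682900e661b,OU=MyOU,DC=DOMAIN,DC=COM'
ConvertFrom-ConflictDN -DistinguishedName $sampleDN | Format-List
# Against a live forest, compare both twins before deciding which one to delete:
# Get-ConflictObjectOrigin -ConflictDN $sampleDN | Format-Table -AutoSize
```

For the sample DN the parser returns OriginalDN "CN=TestObject,OU=MyOU,DC=DOMAIN,DC=COM" and the GUID from the RDN; the GUID is the objectGUID of the conflict copy itself, which is a quick way to confirm you are looking at the right twin before removing anything.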

-


Posted in Active Directory Domain Services (ADDS), Conflicting Objects, PowerShell, Tooling/Scripting

(2014-09-16) Azure Active Directory Sync Services Has Reached General Availability

Posted by Jorge on 2014-09-16


Azure Active Directory Sync has reached general availability!

-

Features currently supported in this release:

  • Active Directory and Exchange multi-forest environments can be extended now to the cloud
  • Control over which attributes are synchronized based on desired cloud services.
  • Selection of accounts to be synchronized through domains, OUs, etc.
  • Ability to set up the connection to AD with minimal Windows Server AD privileges.
  • Setup synchronization rules by mapping attributes and controlling how the values flow to the cloud.
  • Preview AAD Premium password change and reset to AD on-premises.

-

Read all about it through the following links:

-

Use the following link to actually download it:

-


Posted in Azure AD Sync, Windows Azure Active Directory

(2014-09-15) PowerShell And SACLs In AD: Checking For Correct Canonical Order Of SACL

Posted by Jorge on 2014-09-15


PowerShell Code to check if the SACL of each OU in the AD domain is in canonical order or not.

Also see this blog post.

-

# Clear The Screen
Clear-Host

# Get The UI Config
$uiConfig = (Get-Host).UI.RawUI
$uiConfig.ForegroundColor = "Yellow"

# Import The Required Module
Import-Module ActiveDirectory

# Get The RootDSE Info
$rootDSE = Get-ADRootDSE

# Get List Of OUs In AD Domain
$listOfOUsToProcess = Get-ADOrganizationalUnit -Filter * | %{$_.DistinguishedName}

# Process Each OU
$OUsWithSACLInCanonicalOrder = @()
$OUsWithSACLNOTInCanonicalOrder = @()
$listOfOUsToProcess | %{
    $ou = $_
    $ouDrivePath = $("AD:\" + $ou)
    # -Audit makes Get-Acl read the SACL as well as the DACL
    $aclOU = Get-Acl $ouDrivePath -Audit
    If ($aclOU.AreAuditRulesCanonical) {
        $ouObj = "" | Select "List Of OUs That DO Have The SACL In Canonical Order"
        $ouObj."List Of OUs That DO Have The SACL In Canonical Order" = $ou
        $OUsWithSACLInCanonicalOrder += $ouObj
    }
    If (!$aclOU.AreAuditRulesCanonical) {
        $ouObj = "" | Select "List Of OUs That DO NOT Have The SACL In Canonical Order"
        $ouObj."List Of OUs That DO NOT Have The SACL In Canonical Order" = $ou
        $OUsWithSACLNOTInCanonicalOrder += $ouObj
    }
}

# Report The OUs With A SACL NOT In Canonical Order (Red)
$uiConfig.ForegroundColor = "Red"
If ($OUsWithSACLNOTInCanonicalOrder.Count -eq 0) {
    $ouObj = "" | Select "List Of OUs That DO NOT Have The SACL In Canonical Order"
    $ouObj."List Of OUs That DO NOT Have The SACL In Canonical Order" = "+++ NONE +++"
    $OUsWithSACLNOTInCanonicalOrder += $ouObj
}
$OUsWithSACLNOTInCanonicalOrder | FT -Autosize

# Report The OUs With A SACL In Canonical Order (Green)
$uiConfig.ForegroundColor = "Green"
If ($OUsWithSACLInCanonicalOrder.Count -eq 0) {
    $ouObj = "" | Select "List Of OUs That DO Have The SACL In Canonical Order"
    $ouObj."List Of OUs That DO Have The SACL In Canonical Order" = "+++ NONE +++"
    $OUsWithSACLInCanonicalOrder += $ouObj
}
$OUsWithSACLInCanonicalOrder | FT -Autosize
$uiConfig.ForegroundColor = "Yellow"

-


Figure 1: Checking The Canonical Order Of The SACL On All OUs In The AD Domain Through PowerShell

-

Get the PowerShell code from here.
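As an added example that is not the post's own script, the following generalizes the check in two directions: it tests the DACL (AreAccessRulesCanonical) next to the SACL (AreAuditRulesCanonical), and it accepts any LDAP filter under a search base instead of being limited to OUs. Canonical order means explicit ACEs before inherited ones and, within each group, deny entries before allow entries; the Windows security editor warns that an ACL which breaks this order may leave some entries ineffective, which is why both lists are worth checking. The result comes back as objects rather than coloured console text so it can be filtered or exported. The function name and its parameters are mine; it assumes the ActiveDirectory module (which supplies the AD: drive that Get-Acl reads) and an account that is allowed to read SACLs.

```powershell
# Added example, not the post's own script. Assumes the ActiveDirectory module
# (it supplies the AD: drive that Get-Acl reads) and an account that may read
# SACLs; the function name and its parameters are hypothetical.
Import-Module ActiveDirectory

function Test-ADObjectAclCanonical {
    # Emits one record per object with the canonical-order state of both lists.
    # The default filter reproduces the post's scope (OUs only); pass another
    # LDAP filter to widen it, e.g. '(objectClass=*)' for every object.
    param(
        [Parameter(Mandatory = $true)][string]$SearchBase,
        [string]$LDAPFilter = '(objectClass=organizationalUnit)'
    )
    $objects = Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -LDAPFilter $LDAPFilter
    foreach ($obj in $objects) {
        $dn = $obj.DistinguishedName
        try {
            # -Audit is what makes Get-Acl fetch the SACL in addition to the DACL
            $acl = Get-Acl -Path ("AD:\" + $dn) -Audit -ErrorAction Stop
            [pscustomobject]@{
                DistinguishedName = $dn
                ObjectClass       = $obj.ObjectClass
                DaclCanonical     = $acl.AreAccessRulesCanonical
                SaclCanonical     = $acl.AreAuditRulesCanonical
                Error             = $null
            }
        } catch {
            # Typically access denied on the SACL; report it instead of skipping silently
            [pscustomobject]@{
                DistinguishedName = $dn
                ObjectClass       = $obj.ObjectClass
                DaclCanonical     = $null
                SaclCanonical     = $null
                Error             = $_.Exception.Message
            }
        }
    }
}

# Usage: list only the objects whose DACL or SACL is out of order, or that could not be read
$domainDN = (Get-ADDomain).DistinguishedName
Test-ADObjectAclCanonical -SearchBase $domainDN |
    Where-Object { $_.Error -or $_.DaclCanonical -eq $false -or $_.SaclCanonical -eq $false } |
    Format-Table DistinguishedName, ObjectClass, DaclCanonical, SaclCanonical, Error -AutoSize
```

Run it under an account with the right to read SACLs (the "Manage auditing and security log" privilege); without it Get-Acl -Audit fails per object and the Error column shows why, which is itself useful output when a scheduled run silently returns fewer rows than expected.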

-


Posted in Active Directory Domain Services (ADDS), Auditing, PowerShell, Tooling/Scripting
