Jorge's Quest For Knowledge!

About Windows Server, ADDS, ADFS, Azure AD, FIM/MIM & AADSync (Just Like An Addiction, The More You Have, The More You Want To Have!)

(2016-06-28) Quick Learning Guide For PowerShell

Posted by Jorge on 2016-06-28


Have you ever wanted to have a quick learning guide about PowerShell, then have a look at the following:

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in PowerShell | Leave a Comment »

(2016-06-24) Quick Learning Guide For A Public Key Infrastructure (PKI)

Posted by Jorge on 2016-06-24


Have you ever wanted to have a quick learning guide about a Public Key Infrastructure (PKI), then have a look at the following:

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Certificate Services (ADCS), Learning Guide | 1 Comment »

(2016-06-16) A Change In Group Policy Processing After The Security Update MS16-072

Posted by Jorge on 2016-06-16


The Security Update MS16-072 changes the way how user GPOs are being processed. If you do not meet pre-requisites, make sure you do before applying the security update!

This applies to every Windows version starting from Windows Server 2008 and Windows Vista and higher!

More about this:

Symptoms

All user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain joined computers.

Cause

This issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group or if you are using security filtering and are missing Read permissions for the domain computers group.

Resolution

To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:

Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
If you are using security filtering, add the Domain Computers group with read permission.

Script

If you want to script this have a look at:

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Group Policy Objects | Leave a Comment »

(2016-06-09) Azure AD Connect v1.1.189.0 Has Been Released

Posted by Jorge on 2016-06-09


Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

  • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
  • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
  • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
  • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

Download "Microsoft Azure Active Directory Connect"

Azure AD Connect: Version Release History

1.1.189.0

Released: 2016 June

New features:

  • N.A.

Fixed issues and improvements:

  • Azure AD Connect can now be installed on a FIPS compliant server.
  • Fixed an issue where a NetBIOS name could not be resolved to the FQDN in the Active Directory Connector.

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Azure AD Connect, Windows Azure Active Directory | Leave a Comment »

(2016-06-06) Required Ports For ADFS And WAP

Posted by Jorge on 2016-06-06


Ports Required For ADFS:

  • Any client on internal network – to – any ADFS server : port 443
    • due to accessing ADFS for token issuance

    Any client on external network – to – any WAP server : port 443

    • due to accessing ADFS for token issuance, using the WAP as intermediairy
  • Any connected application server on the internal (RPs/SPs) – to – any ADFS server : port 443
    • due to requests and metadata exchange
  • Any connected application server on the external (RPs/SPs) – to – any WAP server : port 443
    • due to requests and metadata exchange
  • Any connected identity provider server on the internal network (CPs/IdPs) – to – any ADFS server : port 443
    • due to requests and metadata exchange
  • Any connected identity provider server on the external network (CPs/IdPs) – to – any WAP server : port 443
    • due to requests and metadata exchange
  • Load Balancer – to – any ADFS server : port 80
    • due to probe URL for monitoring availability

    Load Balancer – to – any WAP server : port 80

    • due to probe URL for monitoring availability
  • Any WAP server – to – any ADFS server : port 443
    • due to any communication regarding the federation service
  • Any WAP server – to – any ADFS server : port 49443
    • due to certificate based authentication, only really required in ADFS 2012 R2, ADFS 2016 can also use 443 if needed
  • Any ADFS server – to – any ADFS server : port 80

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), Ports | Leave a Comment »

(2016-06-02) Required Port(s) For WID Replication In ADFS To Work Properly

Posted by Jorge on 2016-06-02


If you are running ADFS with WID and you see the following event IDs, the required ports between the secondary ADFS server(s) and the primary ADFS server are not open.

image

Figure 1: First Error Regarding The WID Replication Error

There was a communication error during AD FS configuration database synchronization. Synchronization of data from the primary federation server to a secondary federation server did not occur.

Additional Data

Master Name : R1FSRWDC1.IAMTEC.NET
Endpoint Uri :
http://r1fsrwdc1.iamtec.net/adfs/services/policystoretransfer
Exception details:
System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at
http://r1fsrwdc1.iamtec.net/adfs/services/policystoretransfer that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. —> System.Net.WebException: Unable to connect to the remote server —> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 10.1.1.1:80
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
   — End of inner exception stack trace —
   at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
   at System.Net.HttpWebRequest.GetRequestStream()
   at System.ServiceModel.Channels.HttpOutput.WebRequestHttpOutput.GetOutputStream()
   — End of inner exception stack trace —

Server stack trace:
   at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
   at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
   at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.IdentityServer.Protocols.PolicyStore.IPolicyStoreReadOnlyTransfer.GetHeaders()
   at Microsoft.IdentityServer.Service.Synchronization.SyncAdministrationManager.Sync(Boolean syncAll)
   at Microsoft.IdentityServer.Service.Synchronization.SyncAdministrationManager.Sync()

And you will also see:

image

Figure 2: Second Error Regarding The WID Replication Error

There was an error doing synchronization. Synchronization of data from the primary federation server to a secondary federation server did not occur.

Additional data

Exception details:
System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at
http://r1fsrwdc1.iamtec.net/adfs/services/policystoretransfer that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. —> System.Net.WebException: Unable to connect to the remote server —> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 10.1.1.1:80
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
   — End of inner exception stack trace —
   at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
   at System.Net.HttpWebRequest.GetRequestStream()
   at System.ServiceModel.Channels.HttpOutput.WebRequestHttpOutput.GetOutputStream()
   — End of inner exception stack trace —

Server stack trace:
   at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
   at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
   at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.IdentityServer.Protocols.PolicyStore.IPolicyStoreReadOnlyTransfer.GetHeaders()
   at Microsoft.IdentityServer.Service.Synchronization.SyncAdministrationManager.Sync(Boolean syncAll)
   at Microsoft.IdentityServer.Service.Synchronization.SyncAdministrationManager.Sync()
   at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.SqlPolicyStoreService.DoSyncDirect()
   at Microsoft.IdentityServer.Service.Synchronization.SyncBackgroundTask.Run(Object context)

User Action
Make sure the primary federation server is available or the service account identity of this machine matches the service account identity of the primary federation server.

As you may know, by default every secondary ADFS server will pull information form the primary ADFS every 5 minutes. Any secondary ADFS server will connect to the primary ADFS server over port 80 for WID replication. See the details in the error message above. When using WID make sure that any ADFS server can contact any other ADFS server for WID replication to work. This is needed is you ever transfer the primary role to another ADFS server.

Also see:

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), DB On WID, Ports | Leave a Comment »

(2016-05-29) FIM PowerShell CMDlets Have Been Updated

Posted by Jorge on 2016-05-29


Brain Desmond has updated the FIM PowerShell Modules on Codeplex.

Download:

Documentation:

Significant number of enhancements and fixes, including:

New Cmdlets

  • New-FimEmailTemplate
  • New-FimWorkflowDefinition
  • New-FimManagementPolicyRule
  • New-FimSearchScope
  • New-FimNavigationBarLink
  • Get-FimSynchronizationRuleDependencyTree

Enhancements

  • Add Manual Members Support to New-FimSet
  • Add PassThru Switch Schema Cmdlets
  • AllowAuthorizationException switch on New-FimImportObject
  • Add Mode to Get-FimRequestParameter
  • Support null values for New-FimImportChange
  • Support Constants in Sync Rules in Get-ExportAttributeFlow

Bugs Fixed

  • 1850: FimSyncPowerShellModule Should Not Export Internal Functions
  • 1851: Create-ImportFileFromCSEntry Uses an Unapproved Verb
  • 1852: Update Help Text in FimSyncPowerShellModule to use Approved Names, Domains
  • 1885: Objects Emitted by Module Should have a Custom Type Name
  • 1886: Change New-FimImportChange, New-FimImportObject to use ValidateSet
  • 1888: Decorate New-FimSchemaAttribute with Cmdlet Attributes
  • 1889: Decorate New-FimSchemaObject with Parameter Attributes
  • 1939: Improve PSSnapin Load Error Handling
  • 1941: Update Comment Based Help
  • 1894: New-FimImportChange Does Not Support Numeric Inputs
  • 1896: New-FimImportChange Should Support Guid Values
  • 1897: Hide Progress Bar on Module Calls
  • 1948: Fix ‘DateTime’ $DataType casing on New-FimSchemaAttribute
  • 1951: Output Correct Data Type from New-FimSchemaBinding
  • 1968: SynchronizationRuleParameters typing issue
  • 1973: E2E attribute flow: constant sync rule values
  • 1982: Fixed a bug with OSR-Expression export flows. Added the following info to the output:
    • Allow nulls
    • Initial flow only
    • Is existence test
  • 1991: Get-MetaverseSchema Does Not Triage Boolean Attributes Correctly
  • 1997: If the msidmOutboundIsFilterBased is false, no value are submit to FIM and when you edit the SR with the form, you get a change for this attribute (no intial value to false)
  • 2083: Missing Error Handling in New-FimImportObject

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Forefront Identity Manager (FIM) Portal, Forefront Identity Manager (FIM) Sync, PowerShell, Tooling/Scripting, Tools, Tools | Leave a Comment »

(2016-05-25) LithNet FIM Sync PowerShell CMDlets

Posted by Jorge on 2016-05-25


Ryan Newington  (Twitter and Blog), yet again wrote and created an impressive PowerShell module to manage the FIM/MIM Sync Engine. Many stuff to manage the FIM/MIM Sync Engine that was not yet possible through PowerShell, is now possible!!!

Lithnet FIM/MIM Synchronization Service PowerShell Module

DISCLAIMER

WARNING: USE THIS TOOL AT YOUR OWN RISK

This tool is provided for testing and diagnostic purposes and is intended for use in development and test environments. Any problems that arise from the use of the tool are not supported by the developers or by Microsoft.

The PowerShell module exposes functionality using a combination of

Supported WMI interfaces
Wrapping existing PowerShell modules
Wrapping existing executables
Libraries that the synchronization client UI uses to interface with the sync engine itself. These libraries are undocumented APIs.

The module does NOT interface with the sync engine database in any way.

It does not provide any mechanism to alter the internal configuration of the sync engine, unless an executable or documented API is available for that.

The developers make no warranties as to the suitability of these tools for use in your environment, nor will we be liable for any financial or other damages arising from the use of these tools.

image

Figure 1: The List Of PowerShell CMDlets In The Lithnet PowerShell Module For FIM/MIM Sync

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Forefront Identity Manager (FIM) Sync, PowerShell, Tools | Leave a Comment »

(2016-05-20) Azure AD Connect Configuration Documenter

Posted by Jorge on 2016-05-20


Have you ever wanted to document your Azure AD Connect Configuration? Yes? Well wait no longer! This is really a very interesting tool!

The AAD Connect configuration documenter is a tool to generate HTML based documentation of an Azure AD Connect installation. Currently, the documentation is only limited to the Azure AD Connect sync configuration. Another interesting part is that you can click through the configuration!

The goal of this project is to:

  • To enable quick understanding of the synchronization configuration and "how it happens"!
  • To build confidence in getting things right when making changes to the default configuration!!
  • To know what was changed when you applied a new build / configuration of Azure AD Connect or added/updated custom sync rules!!!

Prerequisites:

  1. .NET Framework 4.5 to be able to run the tool
  2. A fair understanding of MIIS 2003 / ILM 2007 / FIM 2010 / MIM 2016 sync engine technical concepts to be able to understand the report.

I (Jorge) have provide a sample report so that you can see how it looks like. Click here for the sample report.

How to use the tool:

  • Download the latest release from the releases tab under the Code tab tab, UNBLOCK the downloaded zip file and extract the zip file to an empty local folder on a machine which has .NET Framework 4.5 installed.
    • This will extract the Documenter application binaries along with the sample data files for "Contoso".
    • Make sure that the tool runs by double-clicking on the cmd file AzureADConnectSyncDocumenter.cmd.
  • Export the Server Configuration of your pilot / test Azure AD Connect sync server by running Get-ADSyncServerConfiguration cmdlet defined in ADSync module shipped with Azure AD Connect.

Import-Module ADSync 
Get-ADSyncServerConfiguration -Path "<CompletePathToOutputFolder>"

  • Copy the configuration export files produced in the previous step to a folder under the "Data" directory of the Documenter tool.
    • e.g. the "Pilot" configuration files for the customer "Contoso" are provided as a sample under the "Data\Contoso\Pilot" folder.
  • If you want to document the changes from a specific baseline, export the server configuration of your baseline / production Azure AD Connect server and copy the output to a folder under the Documenter "Data" directory.
    • e.g. the "Production" configuration files for the customer "Contoso" are provided as a sample under the "Data\Contoso\Production" folder.
  • Edit AzureADConnectSyncDocumenter.cmd for the values of "Pilot" and "Production" directories.
  • If you don’t have a baseline / production config, specify the same path as the "Pilot" config.
  • Run the updated batch file. Upon successful execution, the generated report will be found in the Documenter "Report" folder.

I (Jorge) have provide a sample report so that you can see how it looks like. Click here for the sample report.

You can get the Azure AD Connect Documenter from here

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Azure AD Connect, Documenter, Windows Azure Active Directory | Leave a Comment »

(2016-05-16) Azure AD Connect Health Throws An Error During Azure AD Connect Install

Posted by Jorge on 2016-05-16


During the installation of Azure AD connect you might experience and see the following during the installation/configuration of the “Azure AD Connect Health Agent for Sync”

Unhandled Exception: System.NullReferenceException: Object reference not set to an instance of an object

image

Figure 1: Azure AD Connect Health For Sync Crashing

The installation of “Azure AD Connect Health Agent for Sync” crashed, it tried to find a solution, and in the end I was allowed to close the program. This happened about 3 times or so. Then the regular azure AD Connect installation continued. The Sync Engine is working perfectly afterwards without any issues.

It may appear the “Azure AD Connect Health Agent for Sync” installation has failed. Au contraire! The installation of “Azure AD Connect Health Agent for Sync” succeeded, but its registration is actually failing!

With Azure AD Connect two components require internet access. A third, the Azure AD PowerShell CMDlets if installed in addition manually, also requires internet access.

If you are using direct connections you only need to open up the correct firewall ports to specific URLs/IP addresses.

If you are using a proxy server to connect through, the proxy server must be configured to allow all three components to target the proxy server for internet access to specific URLs/IP addresses

For authentication and access, both the Azure AD PowerShell CMDlets and Azure AD Connect Sync Engine requires access to the following URLs:
(Details –>
Office 365 URLs and IP address ranges)

  • *.microsoftonline.com (port 443)
  • *.windows.net(port 443)
  • secure.aadcdn.microsoftonline-p.com (port 443)
  • mscrl.microsoft.com (port 80)

For authentication and access, the Azure AD Connect Health Agent requires access to the following URLs:
(Details –>
Office 365 URLs and IP address ranges and Azure AD Connect Health Agent Installation)

  • *.blob.core.windows.net (port 443)
  • *.queue.core.windows.net (port 443)
  • *.table.core.windows.net(port 443)
  • *.servicebus.windows.net (port: 5671 recommended, if 5671 is blocked, the agent falls back to 443)
  • *.adhybridhealth.azure.com(port 443)
  • policykeyservice.dc.ad.msft.net (port 443)
  • login.windows.net (port 443)
  • login.microsoftonline.com (port 443)
  • secure.aadcdn.microsoftonline-p.com (port 443)
  • management.azure.com (port 443)

All the three components have their way of configuring proxy settings. However, you can only configure two of those components before the installations. The third one also requires internet access prior to the installation, but you can only configure the proxy settings after the installation of the Azure AD Connect Health Agent. Kinda of a chicken and the egg scenario. This is the reason why the above error occurs.

Prior to the installation of the Azure AD PowerShell CMDlets configure the proxy as follows:

NETSH.EXE WINHTTP SHOW PROXY

NETSH.EXE WINHTTP SET PROXY PROXY-SERVER="<PROXYSERVER>:<PORT>" BYPASS-LIST="<wildcard domain 1>;<wildcard domain 1>;<local>"

NETSH.EXE WINHTTP SHOW PROXY

REMARK: Because you might use PowerShell to connect to internal resources, make sure to configure all top level domains in your internal network in the bypass-list. For every internal domain configure it as shown between the double quotes “*.domain.com”. If these proxy settings are configure PowerShell will use them. if you do not configure the internal domains in the bypass list you might experience connection issues as explained in this blog post.

Prior to the installation of the Azure AD Connect configure the proxy as follows:

Edit the file “C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config” and configure the following section at the end of the file, just before the </configuration> line

    <system.net>

        <defaultProxy>

            <proxy

                usesystemdefault="true"

                proxyaddress="="<PROXYSERVER>:<PORT>"

                bypassonlocal="true"

            />

            <bypasslist>

                <add address="<regular expression for internal top level domain Azure AD Connect is connecting to>" />

            </bypasslist>

        </defaultProxy>

    </system.net>

REMARK: For every internal domain (*.domain.com) Azure AD Connect is connecting to configure it as shown between the double quotes “.*\.domain\.com$”.

Now start the Azure AD Connect installation, configure what needs to be configured. At some point in time, if internet access needs to go through a proxy and it is a tightly controlled proxy, you most likely will experience what is shown in figure 1. The Azure AD Connect Health Agent installation will try crash three times in total. After the installation of Azure AD connect successfully finishes, you need to manually register the Azure AD Connect Health Agent.

If you execute the following commands for the Azure AD Connect Health Agent

$azureUserName="<USERNAME>"

$azurePassword='<PASSWORD>’

$azureSecurePassword = ConvertTo-SecureString $azurePassword -AsPlainText -Force

$azureCreds = New-Object System.Management.Automation.PSCredential $azureUserName, $azureSecurePassword

Register-AzureADConnectHealthSyncAgent -Credential $azureCreds

…without first configuring the proxy settings for Azure AD Connect Health, you will see:

Click [Close Program]

image

Figure 2: First Crashing Occurrence After Registering Azure AD Connect Health Agent Manually

Click [Close Program]

image

Figure 3: Second Crashing Occurrence After Registering Azure AD Connect Health Agent Manually

Click [Close Program]

image

Figure 4: Third Crashing Occurrence After Registering Azure AD Connect Health Agent Manually

Click [Close Program]

image

Figure 5: Notification The Azure AD Connect Health Agent Registration Failed

In the Application Event Log you will something similar to the following 3 times:

Application: Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.NullReferenceException
Stack:
   at Microsoft.Identity.Health.Common.ETWTraceListener.Write(System.Object)
   at System.Diagnostics.TraceSource.TraceEvent(System.Diagnostics.TraceEventType, Int32, System.String)
   at Microsoft.Online.Reporting.MonitoringAgent.AgentTrace.LogEvent(Int32, System.Diagnostics.EventLogEntryType, System.String, System.String, System.Object[])
   at Microsoft.Online.Reporting.MonitoringAgent.AgentTrace.LogError(Int32, System.String, System.String, System.Object[])
   at Microsoft.Online.Reporting.MonitoringAgent.Startup.Program.Main(System.String[])

Faulting application name: Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe, version: 1.1.28.2, time stamp: 0x55e8976e
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00007ffcbd764169
Faulting process id: 0x1618
Faulting application start time: 0x01d1aa7df40424dd
Faulting application path: C:\Program Files\Microsoft Azure AD Connect Health Sync Agent\Monitor\Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe
Faulting module path: unknown
Report Id: 36758953-1671-11e6-80d4-001dd8b72864
Faulting package full name:
Faulting package-relative application ID:

Fault bucket 129024325829, type 5
Event Name: CLR20r3
Response: Not available
Cab Id: 0

Problem signature:
P1: 4IQPNWPJFYKLTMQR4N2HHQMZN041TJWC
P2: 1.1.28.2
P3: 55e8976e
P4: Microsoft.Identity.AadConnect.Health.AadSync.Utils
P5: 2.6.107.0
P6: 56b4f9ab
P7: 163
P8: 1e
P9: System.NullReferenceException
P10:

Attached files:
C:\Users\XXXX\AppData\Local\Temp\WERC02B.tmp.WERInternalMetadata.xml

These files may be available here:
C:\Users\XXXX\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_4IQPNWPJFYKLTMQR_468cf53638b6fdf68ca8c15c4fe379c96dbec3_eb61a0cf_5903cc60

Analysis symbol:
Rechecking for solution: 0
Report Id: 36758953-1671-11e6-80d4-001dd8b72864
Report Status: 0
Hashed bucket: b10faeb2a429840ab102a724bbd62245

Now, the correct way to do this right for the Azure AD Connect Health Agent is by executing the following commands…

Get-AzureAdConnectHealthProxySettings

If you used NETSH earlier to configure WinHTTP proxy settings, now use –> Set-AzureAdConnectHealthProxySettings -ImportFromWinHttp

If you DID NOT used NETSH earlier to configure WinHTTP proxy settings, now use –> Set-AzureAdConnectHealthProxySettings -HttpsProxyAddress <PROXYSERVER>:<PORT>

Get-AzureAdConnectHealthProxySettings

$azureUserName="<USERNAME>"

$azurePassword='<PASSWORD>’

$azureSecurePassword = ConvertTo-SecureString $azurePassword -AsPlainText -Force

$azureCreds = New-Object System.Management.Automation.PSCredential $azureUserName, $azureSecurePassword

Register-AzureADConnectHealthSyncAgent -Credential $azureCreds

You should now see something similar to:

image

Figure 6: Notification The Azure AD Connect Health Agent Registration Was Successful

You should be good now! Smile

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Azure AD Connect, Azure AD Connect Health, Windows Azure Active Directory | Leave a Comment »

 
%d bloggers like this: