Jorge&#039;s Quest For Knowledge!

1.5.29.0 / 1.5.22.0

Released: 4/23/2020 / 4/20/2020

Released for download.

–

–

–

Functional changes ADSyncAutoUpgrade

N.A.

–

Fixed issues:

From v1.5.29.0: This hotfix build fixes an issue introduced in build 1.5.20.0 where a tenant administrator with MFA was not able to enable DSSO
From v1.5.22.0: This hotfix build fixes an issue in build 1.5.20.0 if you have cloned the In from AD – Group Join rule and have not cloned the In from AD – Group Common rule.

–

I ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle! ~~I do not have auto-upgrade enabled, therefore unfortunately I cannot say anything about this version~~.

–

Cheers,
Jorge

Posted in Azure AD Connect, Windows Azure Active Directory | Leave a Comment »

(2020-04-10) Azure AD Connect v1.5.20.0 Has Been Released

Posted by Jorge on 2020-04-10

Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.

Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.

Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.

Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

–

Download "Microsoft Azure Active Directory Connect" (Always The Latest Downloadable Version Only!)

–

IMPORTANT: N.A.

–

1.5.20.0

Released: 4/9/2020

Released for download. Not available for auto-upgrade

–

–

–

Functional changes ADSyncAutoUpgrade

N.A.

–

Fixed issues:

This hotfix build fixes an issue with build 1.5.18.0 if you have the Group Filtering feature enabled and use mS-DS-ConsistencyGuid as the source anchor.

–

Cheers,
Jorge

Posted in Azure AD Connect, Windows Azure Active Directory | Leave a Comment »

(2020-04-04) Azure AD Connect v1.5.18.0 Has Been Released

Posted by Jorge on 2020-04-04

Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.

Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.

Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.

Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

–

Download "Microsoft Azure Active Directory Connect" (Always The Latest Downloadable Version Only!)

–

IMPORTANT: In one environment I upgraded from Azure AD Connect 1.4.38.0. I noticed that it triggered a Full Import on the AAD MA/Connector, and it also triggered a Full Sync on both the AD and AAD MA/Connector. Since the full imports/syncs may take some time, depending on the size of your AD/AAD environment in terms of number objects being synched, make sure that you have taken the necessary steps to support this or hold off on upgrading until you have found a convenient moment to do so.

–

1.5.18.0

Released: 4/2/2020

Released for download. Not available for auto-upgrade

–

–

Azure AD Connect: Version release history

–

Functional changes ADSyncAutoUpgrade

Added support for the mS-DS-ConsistencyGuid feature for group objects. This allows you to move groups between forests or reconnect groups in AD to Azure AD where the AD group objectID has changed, e.g. when an AD server is rebuilt after a calamity. For more information see Moving groups between forests.
The mS-DS-ConsistencyGuid attribute is automatically set on al synced groups and you do not have to do anything to enable this feature.
Removed the Get-ADSyncRunProfile because it is no longer in use.
Changed the warning you see when attempting to use an Enterprise Admin or Domain Admin account for the AD DS connector account to provide more context.
Added a new cmdlet to remove objects from the connector space the old CSDelete.exe tool is removed, and it is replaced with the new Remove-ADSyncCSObject cmdlet. The Remove-ADSyncCSObject cmdlet takes a CsObject as input. This object can be retrieved by using the Get-ADSyncCSObject cmdlet.

–

Fixed issues

Fixed a bug in the group writeback forest/OU selector on rerunning the Azure AD Connect wizard after disabling the feature.
Introduced a new error page that will be displayed if the required DCOM registry values are missing with a new help link. Information is also written to log files.
Fixed an issue with the creation of the Azure Active Directory synchronization account where enabling Directory Extensions or PHS may fail because the account has not propagated across all service replicas before attempted use.
Fixed a bug in the sync errors compression utility that was not handling surrogate characters correctly.
Fixed a bug in the auto upgrade which left the server in the scheduler suspended state.

–

Cheers,
Jorge

Posted in Azure AD Connect, Windows Azure Active Directory | 1 Comment »

(2020-03-30) Resetting The Password Of The Special Purpose KrbTgt Account For Azure AD

Posted by Jorge on 2020-03-30

To reset the password of krbtgt accounts in the AD domain I have written a script that helps you with that.

More information can be found through the following links:

–

The script itself can be downloaded through the following link: Reset The KrbTgt Account Password/Keys For RWDCs/RODCs

–

With the passwordless investments made by Microsoft, a preview currently is available to also use passwordless authentication using security keys against the on-premises AD. You can read more about it through the following link:

Enable passwordless security key sign-in to on-premises resources with Azure Active Directory (preview)

–

To achieve the goal of passwordless authentication using security keys against AD, a special krbtgt account (‘Krbtgt_AzureAD’) is created in every single AD domain where that is required. That krbtgt account is very similar to a krbtgt account for an RODC and represents Azure AD for a specific AD domain. Like any other krbtgt account, that krbtgt account also requires to have its password reset and keys rotated. Very important to note here, is the password reset should not be done like any other regular password reset, but instead a special procedure should be followed. The PowerShell script that I mention above DOES NOT impact that special krbtgt account. Including with other updates, I will update the PowerShell script to warn you if it finds that special krbtgt account in the AD domain, and also include the method and steps to officially reset the password and rotate the keys.

–

To officially officially reset the password and rotate the keys, use the following steps:

Go to an Azure AD Connect server (v1.4.32.0 or later)
Open a PowerShell Command Prompt window
In that window execute the following commands:

# Import The PowerShell Module For Azure AD Kerberos Server
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1"

# AD Domain FQDN To Target
$adDdomainFQDN = Read-Host "AD Domain FQDN To Target"

# AD Domain/Enterprise Admin Credentials
$adDomainAdminAccount = Read-Host "AD Admin Account"
$adDomainAdminPassword = Read-Host "AD Admin Account Password" -AsSecureString
$secureAdDomainAdminPassword = ConvertTo-SecureString $adDomainAdminPassword -AsPlainText -Force
$adDomainAdminCreds = New-Object System.Management.Automation.PSCredential $adDomainAdminAccount, $secureAdDomainAdminPassword

# Azure AD Global Admin Credentials
$aadDomainAdminAccount = Read-Host "Azure AD Admin Account"
$aadDomainAdminPassword = Read-Host "Azure AD Admin Account Password" -AsSecureString
[string]$aadDomainAdminPassword = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($aadDomainAdminPassword))
$secureAadDomainAdminPassword = ConvertTo-SecureString $aadDomainAdminPassword -AsPlainText -Force
$aadDomainAdminCreds = New-Object System.Management.Automation.PSCredential $aadDomainAdminAccount, $secureAadDomainAdminPassword

# Check the CURRENT status of the Azure AD Kerberos Server object in Active Directory
Get-AzureADKerberosServer -Domain $adDdomainFQDN -DomainCredential $adDomainAdminCreds -CloudCredential $aadDomainAdminCreds

# Reset the password and rotate the keys
Set-AzureADKerberosServer -Domain $adDdomainFQDN -DomainCredential $adDomainAdminCreds -CloudCredential $aadDomainAdminCreds -RotateServerKey

# Check the NEW status of the Azure AD Kerberos Server object in Active Directory
Get-AzureADKerberosServer -Domain $adDdomainFQDN -DomainCredential $adDomainAdminCreds -CloudCredential $aadDomainAdminCreds

REMARKS:

For AD, domain or enterprise admin credentials are required
For AAD, global admin credentials are required (accounts with MFA are supported!)
Make sure the ‘KeyVersion’ value matches the ‘CloudKeyVersion’ value and the ‘KeyUpdatedOn’ value matches the ‘CloudKeyUpdatedOn’ value!

–

Figure 1A: The Popup You Will Get When The AAD Global Admin Account Is MFA Enabled Or Is Targeted Through Conditional Access For MFA

–

Figure 1B: The Popup You Will Get When The AAD Global Admin Account Is MFA Enabled Or Is Targeted Through Conditional Access For MFA

–

Figure 2: When Having The Correct Version Of Azure AD Connect And The KrbTgt Account Does Not Yet Exist

–

Figure 3: The Initial Creation Of The KrbTgt Account For Azure AD

–

Figure 4: How The KrbTgt Account Looks Like Under The Hood

–

Figure 5A: The Placeholder RODC Computer Account For The KrbTgt Account

–

Figure 5B: The Placeholder RODC Computer Account For The KrbTgt Account

–

Figure 6: Result After Resetting The Password Of The KrbTgt Account Like Any Other KrbTgt Account (DO NOT Do This!)

–

Fixing regular reset: Set-AzureADKerberosServer -Domain <AD Domain FQDN> -DomainCredential <AD Domain Admin Creds> -CloudCredential <AAD Global Admin Creds> –RotateServerKey

Official reset: Set-AzureADKerberosServer -Domain <AD Domain FQDN> -DomainCredential <AD Domain Admin Creds> -CloudCredential <AAD Global Admin Creds> -RotateServerKey

Figure 7: Fixing A Regular Reset And Officially Resetting The Passwords

–

Figure 8: Too Frequent (Within 24 Hours) Password Resets Generates A Warning

–

Set-AzureADKerberosServer : You must wait 24 hours in between rolling the Azure AD Kerberos Server keys. Rolling keys too frequently may result in service disruption. You may use the Force option to ignore this warning.
At line:1 char:1
+ Set-AzureADKerberosServer -Domain $adDomainFQDN -DomainCredential $ad …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Set-AzureADKerberosServer], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.AzureAD.Kdc.Management.SetAzureADKerberosServer

–

Have fun!

–

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Active Directory Domain Services (ADDS), Azure AD Connect, Kerberos AuthN, KrbTgt Account, Passwordless, Passwordless, Passwords, Passwords, Windows Azure Active Directory | Leave a Comment »

(2020-01-30) Deprecation Of Azure AD Connect Versions

Posted by Jorge on 2020-01-30

Starting on November 1st, 2020, Microsoft will begin implementing a deprecation process whereby versions of Azure AD Connect that were released more than 18 months ago will be deprecated. At that time Microsoft will begin this process by deprecating all releases of Azure AD Connect with version 1.1.751.0 (which was released on 4/12/2018) and older, and Microsoft will proceed to evaluate the deprecation of older versions of Azure AD Connect every time a new version releases.

–

You need to make sure you are running a recent version of Azure AD Connect to receive an optimal support experience. If you run a deprecated version of Azure AD Connect you may not have the latest security fixes, performance improvements, troubleshooting and diagnostic tools and service enhancements, and if you require support Microsoft may not be able to provide you with the level of service your organization needs.

If you have enabled Azure AD Connect for sync you will soon automatically begin receiving Health notifications that warn you about upcoming deprecations when you are running one of the older versions.

Please refer to this article to learn more about how to upgrade Azure AD Connect to the latest version

–

In other words: if you are still running the old stuff, start planning to get rid of it! There is NO excuse! Smile

–

–

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Azure AD Connect, Windows Azure Active Directory | Leave a Comment »

(2019-12-12) Delivered Session About “Moving Towards Passwordless Concept”

Posted by Jorge on 2019-12-12

Delivered session @DetronICT, invited by @ThierryVos about "Moving Towards Passwordless Concept" (preso and demos). About 30 tech enthusiasts listened until bitter end. Thanks for the invitation, and until a next time! Reward afterwards? Enjoying some beers together!

Figure 1: Initial Slide – Title/SubTitle

–

Figure 2: Introducing Me

–

Figure 3: The Agenda

–

Figure 4: The Agenda With Demos

– Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Active Directory Domain Services (ADDS), Active Directory Federation Services (ADFS), Azure AD / Office 365, Azure AD Connect, Azure AD Identity Protection, Azure AD MFA Adapter, Azure AD Password Protection, Conferences, Field Experiences, Group Policy Objects, Last Logon Information, Microsoft Authenticator App, Multi-Factor AuthN, MVP, Password Expiration Notification, Password-Less, Passwords, Passwords, Self-Service Password Reset, SSO, SYSVOL, Tooling/Scripting, Windows Azure Active Directory | 1 Comment »

(2019-12-10) Azure AD Connect v1.4.38.0 Has Been Released

Posted by Jorge on 2019-12-10

Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.

Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.

Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.

Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

–

Download "Microsoft Azure Active Directory Connect" (Always The Latest Downloadable Version Only!)

–

IMPORTANT: N.A.

–

1.4.38.0

Released: 12/6/2019

Released for download. Not available for auto-upgrade

–

–

–

New Features And Improvements

We updated Password Hash Sync for Azure AD Domain Services to properly account for padding in Kerberos hashes. This will provide a performance improvement during password synchronization from AAD to Azure AD Domain Services.
We added support for reliable sessions between the authentication agent and service bus.
This release enforces TLS 1.2 for communication between authentication agent and cloud services.
We added a DNS cache for websocket connections between authentication agent and cloud services.
We added the ability to target specific agent from cloud to test for agent connectivity.

–

Fixed issues

Release 1.4.18.0 had a bug where the PowerShell cmdlet for DSSO was using the login windows credentials instead of the admin credentialss provided while running ps. As a result of which it was not possible to enable DSSO in multiple forest through the AADConnect user interface.
A fix was made to enable DSSO simultaneously in all forest through the AADConnect user interface

–

Cheers,
Jorge

Posted in Azure AD Connect, Windows Azure Active Directory | Leave a Comment »

(2019-11-10) Azure AD Connect v1.4.32.0 Has Been Released

Posted by Jorge on 2019-11-10

Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.

Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.

Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.

Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

–

Download "Microsoft Azure Active Directory Connect" (Always The Latest Downloadable Version Only!)

–

IMPORTANT: In one environment I upgraded from Azure AD Connect 1.3.21.0. I noticed that it triggered a Full Import on both the AD and AAD MA/Connector, and it also triggered a Full Sync on both the AD and AAD MA/Connector. Since the full imports/syncs may take some time, depending on the size of your AD/AAD environment in terms of number objects being synched, make sure that you have taken the necessary steps to support this or hold off on upgrading until you have found a convenient moment to do so.

IMPORTANT: In one environment I upgraded from Azure AD Connect 1.4.18.0. I noticed that it triggered a Delta Import on both the AD and AAD MA/Connector, but it triggered a Full Sync on the AD MA/Connector and a Delta Sync on the AAD MA/Connector. Since the full sync may take some time, depending on the size of your AD/AAD environment in terms of number objects being synched, make sure that you have taken the necessary steps to support this or hold off on upgrading until you have found a convenient moment to do so.

IMPORTANT: Due to an internal schema change in this release of Azure AD Connect, if you manage ADFS trust relationship configuration settings using MSOnline PowerShell then you must update your MSOnline PowerShell module to version 1.1.183.57 or higher.

–

1.4.32.0

Released: 11/08/2019

Released for download. Not available for auto-upgrade

–

–