Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Azure AD Connect’ Category

(2020-05-08) Upgrading Azure AD Connect – Some Tips

Posted by Jorge on 2020-05-08


These are some tips I would like to share with you when upgrading Azure AD Connect

[1] Before the upgrade I always export the global configuration and sync rules of Azure AD Connect through a PowerShell script I wrote to a folder

[2] During the upgrade I ALWAYS UNcheck the option shown in figure 1. Why? I like to have the opportunity to check things before any sync cycle starts


Figure 1: “Ready To Configure” In The Azure AD Connect Upgrade Wizard

[3] After the upgrade I always check the global configuration options to see if anything is different compared to before the upgrade. You either need to have a good memory or create screenshots before the upgrade to be able to compare

Azure AD Connect Wizard –> Configure –> View current configuration


Figure 2: Global Configuration Of Azure AD Connect

[4A] After the upgrade I always check the selected forests/domains/OUs to see if anything is different compared to before the upgrade. You either need to have a good memory or create screenshots before the upgrade to be able to compare or have documentation describing what should be configured

Azure AD Connect Wizard –> Configure –> Customize Synchronization Options

In this screen I really want to make sure everything is as it should be! For every connected directory I always expand every AD domain to be sure only the required OUs are selected and nothing else. This only applies if you have selected specific AD domains and OUs that need to be synched. The check is very simple: for every AD domain, expand it and then collapse it again. Look at the difference between figures 3 and 4


Figure 3: Domain And OU Filtering – BEFORE Expanding


Figure 4: Domain And OU Filtering – AFTER Expanding And Collapsing

[4B] After the upgrade I always check the Optional Features, Azure AD Apps, Azure AD Attributes and Directory Extensions to see if anything is different compared to before the upgrade. You either need to have a good memory or create screenshots before the upgrade to be able to compare or have documentation describing what should be configured. I always close/cancel the wizard by clicking on the cross in the upper right corner

[5] After the upgrade I always export the global configuration and sync rules of Azure AD Connect through a PowerShell script I wrote to a folder

[6] After the upgrade I always compare the global configuration exported before the upgrade and the global configuration after the upgrade. This is done through a PowerShell script I wrote

[7] After the upgrade I always compare the sync rules exported before the upgrade and the sync rules after the upgrade. This is done through a PowerShell script I wrote

[8] After the upgrade I always check the “Application Event Log” for any “weirdness” whatever that may be

[9] After the upgrade I always check the most recent log files in the folder “C:\ProgramData\AADConnect” to see what happened during the AAD Connect upgrade and to see if there is any weirdness

[10] And when everything is OK, I re-enable the sync schedule and manually start a sync cycle!
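As an added example (not the author's own script), the export-before, export-after and compare flow of steps [1], [5], [6], [7] and [10] can be done with the ADSync module like this; the function names and the C:\AADC-Snapshots folder are assumptions:

```powershell
# Added example, not the author's script: snapshot the Azure AD Connect global settings
# and sync rules to a folder, then diff a "before" and an "after" snapshot.
# Run on the Azure AD Connect server; folder paths are assumptions.
Import-Module ADSync

function Export-AadcSnapshot {
    param([Parameter(Mandatory)][string]$Folder)
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null

    # Global settings: flatten the Parameters collection to Name/Value pairs
    Get-ADSyncGlobalSettings | Select-Object -ExpandProperty Parameters |
        Select-Object Name, Value |
        Export-Csv -Path (Join-Path $Folder 'GlobalSettings.csv') -NoTypeInformation

    # Sync rules: the fields an upgrade may touch go to CSV for the diff,
    # the full objects go to CliXml for a deeper look when the diff flags something
    $rules = Get-ADSyncRule
    $rules | Select-Object Identifier, Name, Direction, Precedence, Disabled, Version |
        Export-Csv -Path (Join-Path $Folder 'SyncRules.csv') -NoTypeInformation
    $rules | Export-Clixml -Path (Join-Path $Folder 'SyncRules.xml')

    # Scheduler state, to confirm the sync cycle really is disabled during the checks
    Get-ADSyncScheduler | Export-Clixml -Path (Join-Path $Folder 'Scheduler.xml')
}

function Compare-AadcSnapshot {
    param(
        [Parameter(Mandatory)][string]$Before,
        [Parameter(Mandatory)][string]$After
    )
    # Global settings: any parameter whose value changed, appeared or disappeared
    $gsBefore = Import-Csv (Join-Path $Before 'GlobalSettings.csv')
    $gsAfter  = Import-Csv (Join-Path $After  'GlobalSettings.csv')
    $gsDiff = Compare-Object $gsBefore $gsAfter -Property Name, Value |
        Select-Object @{n = 'Object'; e = { 'GlobalSetting' }}, Name, Value, SideIndicator

    # Sync rules: compare on identifier plus precedence, disabled flag and version
    $srBefore = Import-Csv (Join-Path $Before 'SyncRules.csv')
    $srAfter  = Import-Csv (Join-Path $After  'SyncRules.csv')
    $srDiff = Compare-Object $srBefore $srAfter -Property Identifier, Name, Precedence, Disabled, Version |
        Select-Object @{n = 'Object'; e = { 'SyncRule' }}, Name, Identifier, Precedence, Disabled, Version, SideIndicator

    # '<=' = only in the BEFORE snapshot, '=>' = only in the AFTER snapshot;
    # @() around each side turns an empty result into an empty array instead of $null
    @($gsDiff) + @($srDiff)
}

# Typical flow around an upgrade:
#   Export-AadcSnapshot -Folder 'C:\AADC-Snapshots\before'
#   ... run the Azure AD Connect upgrade with the "start sync" option unchecked ...
#   Export-AadcSnapshot -Folder 'C:\AADC-Snapshots\after'
#   Compare-AadcSnapshot -Before 'C:\AADC-Snapshots\before' -After 'C:\AADC-Snapshots\after' |
#       Format-Table -AutoSize
#
# Only when the comparison and the manual wizard/log checks are clean, re-enable the
# scheduler and start a delta sync cycle (step [10]):
#   Set-ADSyncScheduler -SyncCycleEnabled $true
#   Start-ADSyncSyncCycle -PolicyType Delta
```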

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Azure AD Connect, Windows Azure Active Directory | 2 Comments »

(2020-05-08) Azure AD Connect v1.5.29.0 (And v1.5.22.0) Have Been Released

Posted by Jorge on 2020-05-08


Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

  • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
  • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
  • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
  • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

Download "Microsoft Azure Active Directory Connect" (Always The Latest Downloadable Version Only!)

 

IMPORTANT: In one environment I upgraded from Azure AD Connect 1.5.20.0. I noticed that it triggered a Full Synchronization on the AD MA/Connector(s). Since the full syncs may take some time, depending on the size of your AD/AAD environment in terms of the number of objects being synched, make sure that you have taken the necessary steps to support this or hold off on upgrading until you have found a convenient moment to do so.

Azure AD Connect: Version Release History

1.5.29.0 / 1.5.22.0

Released: 4/23/2020 / 4/20/2020

Released for download.

Prerequisites for Azure AD Connect

More information about Azure AD Connect

Functional changes ADSyncAutoUpgrade

  • N.A.

Fixed issues:

  • From v1.5.29.0: This hotfix build fixes an issue introduced in build 1.5.20.0 where a tenant administrator with MFA was not able to enable DSSO
  • From v1.5.22.0: This hotfix build fixes an issue in build 1.5.20.0 if you have cloned the In from AD – Group Join rule and have not cloned the In from AD – Group Common rule.

I ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle! I do not have auto-upgrade enabled, therefore unfortunately I cannot say anything about this version.

Cheers,
Jorge

Posted in Azure AD Connect, Windows Azure Active Directory | Leave a Comment »

(2020-04-10) Azure AD Connect v1.5.20.0 Has Been Released

Posted by Jorge on 2020-04-10

Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

  • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
  • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
  • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
  • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

Download "Microsoft Azure Active Directory Connect" (Always The Latest Downloadable Version Only!)

IMPORTANT: N.A.

Azure AD Connect: Version Release History

1.5.20.0

Released: 4/9/2020

Released for download. Not available for auto-upgrade

Prerequisites for Azure AD Connect

More information about Azure AD Connect

Functional changes ADSyncAutoUpgrade

  • N.A.

Fixed issues:

  • This hotfix build fixes an issue with build 1.5.18.0 if you have the Group Filtering feature enabled and use mS-DS-ConsistencyGuid as the source anchor.

I ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle! I do not have auto-upgrade enabled, therefore unfortunately I cannot say anything about this version.

Cheers,
Jorge

Posted in Azure AD Connect, Windows Azure Active Directory | Leave a Comment »

(2020-04-04) Azure AD Connect v1.5.18.0 Has Been Released

Posted by Jorge on 2020-04-04

Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

  • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
  • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
  • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
  • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

Download "Microsoft Azure Active Directory Connect" (Always The Latest Downloadable Version Only!)

IMPORTANT: In one environment I upgraded from Azure AD Connect 1.4.38.0. I noticed that it triggered a Full Import on the AAD MA/Connector, and it also triggered a Full Sync on both the AD and AAD MA/Connector. Since the full imports/syncs may take some time, depending on the size of your AD/AAD environment in terms of the number of objects being synched, make sure that you have taken the necessary steps to support this or hold off on upgrading until you have found a convenient moment to do so.

Azure AD Connect: Version Release History

1.5.18.0

Released: 4/2/2020

Released for download. Not available for auto-upgrade

Prerequisites for Azure AD Connect

More information about Azure AD Connect

Functional changes ADSyncAutoUpgrade

  • Added support for the mS-DS-ConsistencyGuid feature for group objects. This allows you to move groups between forests or reconnect groups in AD to Azure AD where the AD group objectID has changed, e.g. when an AD server is rebuilt after a calamity. For more information see Moving groups between forests.
  • The mS-DS-ConsistencyGuid attribute is automatically set on all synced groups and you do not have to do anything to enable this feature.
  • Removed the Get-ADSyncRunProfile because it is no longer in use.
  • Changed the warning you see when attempting to use an Enterprise Admin or Domain Admin account for the AD DS connector account to provide more context.
  • Added a new cmdlet to remove objects from the connector space: the old CSDelete.exe tool is removed and replaced with the new Remove-ADSyncCSObject cmdlet. The Remove-ADSyncCSObject cmdlet takes a CsObject as input. This object can be retrieved by using the Get-ADSyncCSObject cmdlet.

Fixed issues

  • Fixed a bug in the group writeback forest/OU selector on rerunning the Azure AD Connect wizard after disabling the feature.
  • Introduced a new error page that will be displayed if the required DCOM registry values are missing, with a new help link. Information is also written to log files.
  • Fixed an issue with the creation of the Azure Active Directory synchronization account where enabling Directory Extensions or PHS may fail because the account has not propagated across all service replicas before attempted use.
  • Fixed a bug in the sync errors compression utility that was not handling surrogate characters correctly.
  • Fixed a bug in the auto upgrade which left the server in the scheduler suspended state.

I ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle! I do not have auto-upgrade enabled, therefore unfortunately I cannot say anything about this version.

Cheers,
Jorge

Posted in Azure AD Connect, Windows Azure Active Directory | 1 Comment »

(2020-01-30) Deprecation Of Azure AD Connect Versions

Posted by Jorge on 2020-01-30

Starting on November 1st, 2020, Microsoft will begin implementing a deprecation process whereby versions of Azure AD Connect that were released more than 18 months ago will be deprecated. At that time Microsoft will begin this process by deprecating all releases of Azure AD Connect with version 1.1.751.0 (which was released on 4/12/2018) and older, and Microsoft will proceed to evaluate the deprecation of older versions of Azure AD Connect every time a new version releases.

You need to make sure you are running a recent version of Azure AD Connect to receive an optimal support experience. If you run a deprecated version of Azure AD Connect you may not have the latest security fixes, performance improvements, troubleshooting and diagnostic tools and service enhancements, and if you require support Microsoft may not be able to provide you with the level of service your organization needs.

If you have enabled Azure AD Connect for sync you will soon automatically begin receiving Health notifications that warn you about upcoming deprecations when you are running one of the older versions.

Please refer to this article to learn more about how to upgrade Azure AD Connect to the latest version

In other words: if you are still running the old stuff, start planning to get rid of it! There is NO excuse!

Azure AD Connect: Version release history

Posted in Azure AD Connect, Windows Azure Active Directory | Leave a Comment »

(2019-12-12) Delivered Session About “Moving Towards Passwordless Concept”

Posted by Jorge on 2019-12-12

Delivered session @DetronICT, invited by @ThierryVos, about "Moving Towards Passwordless Concept" (preso and demos). About 30 tech enthusiasts listened until the bitter end. Thanks for the invitation, and until a next time! Reward afterwards? Enjoying some beers together!

Figure 1: Initial Slide – Title/SubTitle

Figure 2: Introducing Me

Figure 3: The Agenda

Figure 4: The Agenda With Demos

Cheers,

Jorge

Posted in Active Directory Domain Services (ADDS), Active Directory Federation Services (ADFS), Azure AD / Office 365, Azure AD Connect, Azure AD Identity Protection, Azure AD MFA Adapter, Azure AD Password Protection, Conferences, Field Experiences, Group Policy Objects, Last Logon Information, Microsoft Authenticator App, Multi-Factor AuthN, MVP, Password Expiration Notification, Password-Less, Passwords, Self-Service Password Reset, SSO, SYSVOL, Tooling/Scripting, Windows Azure Active Directory | 1 Comment »

(2019-12-10) Azure AD Connect v1.4.38.0 Has Been Released

Posted by Jorge on 2019-12-10

Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

  • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
  • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
  • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
  • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

Download "Microsoft Azure Active Directory Connect" (Always The Latest Downloadable Version Only!)

IMPORTANT: N.A.

Azure AD Connect: Version Release History

1.4.38.0

Released: 12/6/2019

Released for download. Not available for auto-upgrade

Prerequisites for Azure AD Connect

More information about Azure AD Connect

New Features And Improvements

  • We updated Password Hash Sync for Azure AD Domain Services to properly account for padding in Kerberos hashes. This will provide a performance improvement during password synchronization from AAD to Azure AD Domain Services.
  • We added support for reliable sessions between the authentication agent and service bus.
  • This release enforces TLS 1.2 for communication between authentication agent and cloud services.
  • We added a DNS cache for websocket connections between authentication agent and cloud services.
  • We added the ability to target specific agent from cloud to test for agent connectivity.

Fixed issues

  • Release 1.4.18.0 had a bug where the PowerShell cmdlet for DSSO was using the login windows credentials instead of the admin credentials provided while running ps. As a result of which it was not possible to enable DSSO in multiple forests through the AADConnect user interface.
  • A fix was made to enable DSSO simultaneously in all forests through the AADConnect user interface.

I ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle! I do not have auto-upgrade enabled, therefore unfortunately I cannot say anything about this version.

Cheers,
Jorge

Posted in Azure AD Connect, Windows Azure Active Directory | Leave a Comment »

(2019-11-10) Azure AD Connect v1.4.32.0 Has Been Released

Posted by Jorge on 2019-11-10

Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

  • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
  • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
  • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
  • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

Download "Microsoft Azure Active Directory Connect" (Always The Latest Downloadable Version Only!)

IMPORTANT: In one environment I upgraded from Azure AD Connect 1.3.21.0. I noticed that it triggered a Full Import on both the AD and AAD MA/Connector, and it also triggered a Full Sync on both the AD and AAD MA/Connector. Since the full imports/syncs may take some time, depending on the size of your AD/AAD environment in terms of the number of objects being synched, make sure that you have taken the necessary steps to support this or hold off on upgrading until you have found a convenient moment to do so.

IMPORTANT: In one environment I upgraded from Azure AD Connect 1.4.18.0. I noticed that it triggered a Delta Import on both the AD and AAD MA/Connector, but it triggered a Full Sync on the AD MA/Connector and a Delta Sync on the AAD MA/Connector. Since the full sync may take some time, depending on the size of your AD/AAD environment in terms of the number of objects being synched, make sure that you have taken the necessary steps to support this or hold off on upgrading until you have found a convenient moment to do so.

IMPORTANT: Due to an internal schema change in this release of Azure AD Connect, if you manage ADFS trust relationship configuration settings using MSOnline PowerShell then you must update your MSOnline PowerShell module to version 1.1.183.57 or higher.

Azure AD Connect: Version Release History

1.4.32.0

Released: 11/08/2019

Released for download. Not available for auto-upgrade

Prerequisites for Azure AD Connect

More information about Azure AD Connect

New Features And Improvements

  • N.A.

Fixed issues

  • This version fixes an issue with existing Hybrid Azure AD joined devices. This release contains a new device sync rule that corrects this issue (Updated sync rule: “In from AD – Computer Join”). Note that this rule change may cause deletion of obsolete devices from Azure AD. This is not a cause for concern, as these device objects are not used by Azure AD during Conditional Access authorization. For some customers, the number of devices that will be deleted through this rule change can exceed the deletion threshold. If you see the deletion of device objects in Azure AD exceeding the Export Deletion Threshold, it is advised to allow the deletions to go through. How to allow deletes to flow when they exceed the deletion threshold

I ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle! I do not have auto-upgrade enabled, therefore unfortunately I cannot say anything about this version.

Cheers,
Jorge

Posted in Azure AD Connect, Windows Azure Active Directory | Leave a Comment »

          (2019-10-08) Synched Computers/Devices Being Cleaned Up From Azure AD

          Posted by Jorge on 2019-10-08


          Starting with version 1.4.18.0 and higher of Azure AD Connect, you may see some or all of their Windows devices disappear from Azure AD after upgrade to that version and executing a sync cycle. This is not a cause for concern, as these device identities are not used by Azure AD during conditional access authorization. This change won’t delete any Windows devices that were correctly registered with Azure AD for Hybrid Azure AD Join.

          If you see the deletion of device objects in Azure AD exceeding the Export Deletion Threshold, it is advised that the customer allow the deletions to go through. How To: allow deletes to flow when they exceed the deletion threshold

          Nevertheless you may want to analyze the deletion first. You can read the following blog post to see how you could do that: (2019-10-06) Examining Pending Export Deletions In Azure AD Connect

          More information about this can be found through Understanding Azure AD Connect 1.4.xx.x and device disappearance

          To verify which devices in your AD are candidates to be deleted in Azure AD, you can use the following PowerShell script: Export Hybrid Azure AD join computer certificates report

          This script generates a report about certificates stored in Active Directory Computer objects, specifically, certificates issued by the Hybrid Azure AD join feature. It checks the certificates present in the UserCertificate property of a Computer object in AD and, for each non-expired certificate present, validates if the certificate was issued for the Hybrid Azure AD join feature (i.e. Subject Name matches CN={ObjectGUID}). Before, Azure AD Connect would synchronize to Azure AD any Computer that contained at least one valid certificate but starting on Azure AD Connect version 1.4, the synchronization engine can identify Hybrid Azure AD join certificates and will ‘cloudfilter’ the computer object from synchronizing to Azure AD unless there’s a valid Hybrid Azure AD join certificate. Azure AD Devices that were already synchronized to AD but do not have a valid Hybrid Azure AD join certificate will be deleted by the sync engine as these will be filtered from being synched to Azure AD (CloudFiltered=TRUE).

          Now this script works great! But….unfortunately it does not work correctly with an AD forest where you may have multiple AD domains. Besides that, there is a cosmetic issue. So, let’s start with the easy part!

          The script allows you to specify the distinguished name of a single object or the distinguished name of an OU. However, if you want to query the complete AD domain instead of just a single OU, you may think that’s not possible. Nope, that’s still possible. The original writer of the script chose to name the variable “DN” for just a single object (computer) and “OU” when query for computers in an OU. This last one may mislead due to its chosen name. Nevertheless, instead of the DN of an OU, you can also specify the DN of a container or the DN of a domain.

          In a single AD domain environment, this will work flawlessly. However, in a multiple AD domain environment it may not. Due to historic reasons many companies may still have AD forests with multiple AD domains for which it is not cost effective to consolidate. For example, if you have the AD forest COMPANY.COM, with the following AD domains: COMPANY.COM, CHILD1.COMPANY.COM and CHILD2.COMPANY.COM. If you are COMPANY.COM and you need to query for objects in CHILD1.COMPANY.COM through PowerShell while not specifying the server variable (as in this script), it will throw an error due to a so called redirection. To query for an object from another AD domain you need to also target a DC from that same AD domain. If you need to query multiple AD domains you will be dancing all over the place! Sometimes, there is no other way, but in this case there is! And what if you want to query the complete AD forest while having multiple AD domains? You can always query every individual AD domain, but wouldn’t it be nice to just perform a single AD query that targets the complete AD forest? That is also possible!

When querying AD, especially in an AD forest with multiple AD domains, you always need to think about two things: (1) are all the attributes used in my LDAP filter replicated to the global catalog?, and (2) are the attributes I want returned replicated to the global catalog?

Then you need to ask yourself: "where do I start searching?". The closer to the objects you want, the better!

Rest assured! All domain objects are in the global catalog! The question is: "which attribute values of those objects are also replicated to the global catalog?"

          Any attribute that has the property “isMemberOfPartialAttributeSet” set to “TRUE” also replicates its value(s) to all global catalogs in the AD forest. To find all the attributes in the AD schema for which its value(s) replicate to the global catalog, you can have a look at the following blog post (2015-01-05) Finding Attributes Marked As Members Of Partial Attribute Set (PAS). It has examples with ADFIND, PowerShell and ADSI.

          Now looking at this script, the attribute of interest is “userCertificate”.

To see if an attribute value replicates to the global catalog, you can use:

Get-ADObject -SearchBase $((Get-ADRootDSE).schemaNamingContext) -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=<LDAP DisplayName>))" -Properties lDAPDisplayName,isMemberOfPartialAttributeSet

To see if the "userCertificate" attribute value replicates to the global catalog, you can use:

Get-ADObject -SearchBase $((Get-ADRootDSE).schemaNamingContext) -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=userCertificate))" -Properties lDAPDisplayName,isMemberOfPartialAttributeSet


          Figure 1: Partial Schema Info Of The “userCertificate” Attribute

          Or you could visit https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ada3/f9e923d6-c512-4beb-b963-afd695cea8ac, which will show you


          Figure 2: AD Schema Definition Of The “userCertificate” Attribute

          Guess what?! It does replicate to the global catalog! So, in this case the answer to both questions above is “YES”, therefore we can use the global catalog to perform this query
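Checking one attribute by hand is fine for a blog post, but in practice you want to answer both questions above for a whole query at once: every attribute referenced in the LDAP filter and every attribute you read back. The following helper is an added example for this post, not code from the original script or from Microsoft; the function name is made up, and it assumes the ActiveDirectory module and a reachable DC of the domain you are logged on to (the schema is forest-wide, so any DC will do).

```powershell
# Added example (hypothetical helper, not part of the original script).
# Reports, for one LDAP query, which attributes the global catalog can serve.
Function Test-GlobalCatalogCoverage
{
    Param
    (
        [Parameter(Mandatory=$true)]
        [String] $LDAPFilter,          # e.g. "(&(objectClass=computer)(userCertificate=*))"
        [String[]] $Properties = @()   # attributes you want returned by the real query
    )

    # Question (1): pull every attribute name out of the filter, i.e. "(name=", "(name>=", "(name:..."
    $filterAttrs = @([Regex]::Matches($LDAPFilter, '\(([A-Za-z][A-Za-z0-9\-]*)\s*(?:[~<>]?=|:)') |
        ForEach-Object { $_.Groups[1].Value })

    # Question (2): the attributes you read back; merge both lists (case-insensitive, no duplicates)
    $wanted = @(@($filterAttrs) + @($Properties) | Sort-Object -Unique)
    If ($wanted.Count -eq 0) { Return }

    # One schema query for all names instead of one round trip per attribute
    $orClause = ($wanted | ForEach-Object { "(lDAPDisplayName=$_)" }) -join ""
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $schemaObjs = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(|$orClause))" `
        -Properties lDAPDisplayName,isMemberOfPartialAttributeSet

    $inPAS = @{}
    ForEach ($so in $schemaObjs)
    {
        # Flag absent or FALSE both mean "not replicated to the GC"
        $inPAS[$so.lDAPDisplayName] = [Bool]$so.isMemberOfPartialAttributeSet
    }

    ForEach ($name in $wanted)
    {
        $usedIn = If ($filterAttrs -contains $name) { "filter" } Else { "result" }
        [PSCustomObject]@{
            Attribute       = $name
            UsedIn          = $usedIn
            InSchema        = $inPAS.ContainsKey($name)     # FALSE: typo or attribute not in this forest
            InGlobalCatalog = ($inPAS.ContainsKey($name) -and $inPAS[$name])
        }
    }
}

# Usage: the query this report needs, plus the attributes it reads back from every computer
$coverage = Test-GlobalCatalogCoverage -LDAPFilter "(&(objectClass=computer)(userCertificate=*))" `
                                       -Properties objectGUID,userCertificate
$coverage | Format-Table -AutoSize
If ($coverage | Where-Object { -not $_.InGlobalCatalog })
{
    Write-Warning "At least one attribute is not in the GC: query a DC of every domain instead of the GC"
}
```

If any row comes back with InGlobalCatalog = FALSE, a GC query will silently return objects with that attribute empty, which for this report would look like "computer has no certificate" and wrongly suggest the device is about to be cloud filtered. That is the failure mode the two questions are there to prevent.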

When you need to query the AD forest, you could start searching in the forest root AD domain and hope the client you are using supports Referral Chasing. If it does not, it may throw an error telling you it does not support it, or it just does not return anything. Wouldn't it be nice to have something that represents the AD forest? Well, there is something like that. It is called the Phantom Root, it is specified as an empty search base (just two quotes, ""), and you can only use it when querying against the Global Catalog (port 3268)!
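To show the Phantom Root and the global catalog doing real work, here is an added example (not the original post's or Microsoft's script) that runs the one forest-wide GC query and then applies the certificate check described at the top of this post: decode every value of userCertificate, keep the ones whose Subject is CN=<objectGUID> (with or without braces, as the Microsoft script accepts both), and flag computers without a currently valid one as the ones the 1.4+ sync engine will cloud filter. The function name is made up; it assumes the ActiveDirectory module, a reachable global catalog, and that objectGUID and userCertificate are in the partial attribute set (both are, as shown above).

```powershell
# Added example (hypothetical helper, not part of the original script).
Function Get-HybridJoinCertificateStatus
{
    Param
    (
        # "" is the Phantom Root (whole forest); only valid against a GC on port 3268
        [String] $SearchBase = "",
        [String] $GlobalCatalog = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName[0]
    )

    # Both objectGUID and userCertificate are in the partial attribute set, so the GC can answer this
    $computers = Get-ADObject -Server "${GlobalCatalog}:3268" -SearchBase $SearchBase `
        -LDAPFilter "(&(objectClass=computer)(userCertificate=*))" `
        -Properties objectGUID,userCertificate

    $now = Get-Date
    ForEach ($c in $computers)
    {
        # The Hybrid Azure AD join certificate is self-signed with Subject CN=<objectGUID>
        $hybridSubjects = @("CN=$($c.objectGUID)", "CN={$($c.objectGUID)}")
        $validHybridCert  = $false
        $staleHybridCerts = 0
        $otherCerts       = 0

        ForEach ($raw in $c.userCertificate)
        {
            Try   { $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$raw }
            Catch { $otherCerts++; Continue }   # value is not a DER-encoded certificate

            If ($cert.Subject -in $hybridSubjects)
            {
                If ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now) { $validHybridCert = $true }
                Else { $staleHybridCerts++ }
            }
            Else { $otherCerts++ }   # e.g. an enterprise CA machine certificate, irrelevant for hybrid join
        }

        [PSCustomObject]@{
            DistinguishedName      = $c.DistinguishedName
            ObjectGUID             = $c.objectGUID
            ValidHybridJoinCert    = $validHybridCert
            ExpiredHybridJoinCerts = $staleHybridCerts
            OtherCerts             = $otherCerts
            # Mirrors the 1.4+ sync engine: no valid hybrid join certificate means CloudFiltered=TRUE
            WillBeCloudFiltered    = (-not $validHybridCert)
        }
    }
}

# Whole forest through the Phantom Root, showing only the computers that will drop out of Azure AD
Get-HybridJoinCertificateStatus | Where-Object { $_.WillBeCloudFiltered } | Format-Table -AutoSize

# One child domain, still through the GC, so no referral chasing is needed from the parent domain
Get-HybridJoinCertificateStatus -SearchBase "DC=child,DC=Fabrikam,DC=com" |
    Export-Csv .\HybridJoinCerts.csv -NoTypeInformation
```

Note that this is a read-only query that needs nothing more than the default read permissions on computer objects; if you do find computers with only expired hybrid join certificates, the fix is on the client side (a fresh dsregcmd /join on the machine), not in AD.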

          Now for all this to work, some adjustments are needed in the original script! I’ll guide you through that to get a new working script.

          First things first. Download the PowerShell script: Export Hybrid Azure AD join computer certificates report 

          Replace…

.EXAMPLE
   .\Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1 -DN 'CN=Computer1,OU=SYNC,DC=Fabrikam,DC=com'
.EXAMPLE
   .\Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1 -OU 'OU=SYNC,DC=Fabrikam,DC=com' -Filename "MyHybridAzureADjoinReport.csv" -Verbose

          …with

.EXAMPLE
    Looking at a specific computer

   .\Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1 -DN 'CN=Computer1,OU=SYNC,DC=Fabrikam,DC=com'
.EXAMPLE
    Looking at computer objects within a specific OU

   .\Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1 -DN 'OU=SYNC,DC=Fabrikam,DC=com' -Filename "MyHybridAzureADjoinReport.csv" -Verbose
.EXAMPLE
    Looking at computer objects within a specific AD domain

   .\Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1 -DN 'DC=child,DC=Fabrikam,DC=com' -Filename "MyHybridAzureADjoinReport.csv" -Verbose
.EXAMPLE
    Looking at computer objects within the complete AD forest (Phantom Root on the Global Catalog)

   .\Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1 -DN PhantomRoot -Filename "MyHybridAzureADjoinReport.csv" -Verbose

          Replace…

Param
(
    # Computer DistinguishedName
    [Parameter(ParameterSetName='SingleObject',
               Mandatory=$true,
               ValueFromPipelineByPropertyName=$true,
               Position=0)]
    [String]
    $DN,

    # AD OrganizationalUnit
    [Parameter(ParameterSetName='MultipleObjects',
               Mandatory=$true,
               ValueFromPipelineByPropertyName=$true,
               Position=0)]
    [String]
    $OU,

    # Output CSV filename (optional)
    [Parameter(Mandatory=$false,
               ValueFromPipelineByPropertyName=$false,
               Position=1)]
    [String]
    $Filename
)

          …with

Param
(
    # DistinguishedName of a computer, OU, container or domain, or the literal 'PhantomRoot' for the complete AD forest
    [Parameter(Mandatory=$true,
               ValueFromPipelineByPropertyName=$true,
               Position=0)]
    [String]
    $DN,

    # Output CSV filename (optional)
    [Parameter(Mandatory=$false,
               ValueFromPipelineByPropertyName=$false,
               Position=1)]
    [String]
    $Filename
)

          Replace…

# Read AD object(s)
If ($PSCmdlet.ParameterSetName -eq 'SingleObject')
{
    $directoryObjs = @(Get-ADObject $DN -Properties UserCertificate)
    Write-Verbose "Starting report for a single object '$DN'"
}
Else
{
    $directoryObjs = Get-ADObject -Filter { ObjectClass -like 'computer' } -SearchBase $OU -Properties UserCertificate
    Write-Verbose "Starting report for $($directoryObjs.Count) computer objects in OU '$OU'"
}

          …with

# Derive the DNS name of the AD domain a DN lives in from its DC= components,
# e.g. "OU=SYNC,DC=child,DC=Fabrikam,DC=com" -> "child.Fabrikam.com"
Function Get-DomainFQDNFromDN ([String]$DistinguishedName)
{
    $dcParts = $DistinguishedName -split "," | Where-Object { $_ -match "^\s*DC=" } | ForEach-Object { $_ -replace "^\s*DC=","" }
    Return ($dcParts -join ".")
}

# Retrieve Object Type Of DN
If ($DN -ne "PhantomRoot")
{
    # Ask a DC of the DN's own domain: without -Server, a DN from another domain in the forest is simply not found (referral).
    # Do not use Get-ADObject $DN as it will throw an error if the object does not exist (even with ErrorAction defined)!
    $domainFQDN = Get-DomainFQDNFromDN $DN
    If ([String]::IsNullOrEmpty($domainFQDN))
    {
        $objectType = $null # No DC= components, so this cannot be a valid DN in this forest
    }
    Else
    {
        $objectType = (Get-ADObject -LDAPFilter "(distinguishedName=$DN)" -Server $domainFQDN).objectClass
    }
}
Else
{
    $objectType = "forestDNS" # Madeup, not for real!
    $DN = "" # The Phantom Root: an empty search base, only valid against a Global Catalog
}

# Read AD object(s)
If ($objectType -eq "computer")
{
    $directoryObjs = @(Get-ADObject $DN -Properties userCertificate -Server $domainFQDN)
    Write-Verbose "Starting report for a single object '$DN' in AD domain '$domainFQDN'"
}
ElseIf ($objectType -eq "domainDNS" -Or $objectType -eq "organizationalUnit" -Or $objectType -eq "container" -Or $objectType -eq "forestDNS")
{
    # userCertificate is in the partial attribute set, so one GC query (port 3268) covers any AD domain or, with an empty search base, the complete AD forest
    $gcFQDN = $(Get-ADDomainController -Discover -Service GlobalCatalog).HostName[0]
    $directoryObjs = @(Get-ADObject -Filter { ObjectClass -like 'computer' } -SearchBase $DN -Properties userCertificate -Server "${gcFQDN}:3268")
    Write-Verbose "Starting report for $($directoryObjs.Count) computer objects under '$DN' through GC '$gcFQDN'"
}
Else
{
    Write-Host "Specified DN '$DN'" -ForegroundColor Red
    Write-Host "Incorrect object type of specified DN or DN does not exist!" -ForegroundColor Red
    Write-Host "Aborting Script..." -ForegroundColor Red
    Exit 1
}

          UPDATE 2019-10-12: or get the updated version of the script from here

          Hopefully this works for you in your AD environment!

          Cheers,

          Jorge

          ————————————————————————————————————————————————————-
          This posting is provided "AS IS" with no warranties and confers no rights!
          Always evaluate/test everything yourself first before using/implementing this in production!
          This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
          DISCLAIMER:
          https://jorgequestforknowledge.wordpress.com/disclaimer/
          ————————————————————————————————————————————————————-
########################### Jorge's Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
          ————————————————————————————————————————————————————-

Posted in Active Directory Users And Computers, AD Queries, Azure AD Connect, Azure AD Join, Conditional Access, Windows Azure Active Directory, Windows Client, Windows Server