Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Azure AD Password Protection’ Category

(2018-10-26) Running The Azure AD Password Protection Summary Report May Generate An Error

Posted by Jorge on 2018-10-26


From one of the Azure AD Password Protection Proxy servers, you can generate an Azure AD Password Protection Summary report with one of the following commands:

Targeting a specific DC:

Get-AzureADPasswordProtectionSummaryReport -DomainController <RWDC FQDN>

Targeting all DCs in a specific AD Domain:

Get-AzureADPasswordProtectionSummaryReport -Domain <AD DOMAIN FQDN>

Targeting all DCs in a specific AD Forest:

Get-AzureADPasswordProtectionSummaryReport -Forest <AD FOREST FQDN>

Targeting all DCs in the local AD Forest:

Get-AzureADPasswordProtectionSummaryReport

So, whatever your targeted scope is, if all DCs have the Azure AD Password Protection DC Agent installed, they will also have the corresponding event logs, which you can list with:

Get-WinEvent -ListLog * | ?{$_.LogName -like "*AzureADPasswordProtection*"}


Figure 1: All The Azure AD Password Protection DC Agent Event Logs On An RWDC

...and, for completeness, on the Azure AD Password Protection Proxy servers:

Get-WinEvent -ListLog * | ?{$_.LogName -like "*AzureADPasswordProtection*"}


Figure 2: All The Azure AD Password Protection Proxy Event Logs On The Proxy Servers

However, if you see errors similar to the one below…


Figure 3: Error When Generating The Azure AD Password Protection Summary Report Against Targeted DCs

...then the targeted event logs are missing. And if the event logs are missing, then the Azure AD Password Protection DC Agent is most likely not installed on that RWDC.

Solution? Install the Azure AD Password Protection DC Agent on the RWDC that throws the error.

Please be aware that querying for DCs that have the Service Connection Point (SCP) registered in AD may not be accurate. Why? If you installed the Azure AD Password Protection DC Agent and then uninstalled it, for whatever reason, the SCP for that RWDC is not cleaned up during the uninstall. Also be aware that if you forcibly removed any DC and did not clean up its metadata, the summary report will try to reach an RWDC that does not exist anymore.

Although more work, the most accurate way is to check all of the following against every RWDC:

  • If the Azure AD Password Protection DC Agent product is installed (against every RWDC -> Get-WmiObject -Class win32_product -Filter "Name like 'Azure AD Password Protection DC Agent'")
  • If the Azure AD Password Protection DC Agent service is installed (against every RWDC -> Get-Service AzureADPasswordProtectionDCAgent)
  • If the Azure AD Password Protection DC Agent event logs exist (against every RWDC -> Get-WinEvent -ListLog * | ?{$_.LogName -like "*AzureADPasswordProtection*"})
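The three checks above, run against every writable DC in the forest from one script, as an added example that is not part of the original post. It enumerates DCs from the directory (not from the SCPs, which are not cleaned up on uninstall), skips RODCs since they cannot host the agent, and records a DC whose metadata was never cleaned up as unreachable instead of failing. It assumes the ActiveDirectory RSAT module is available and that the account running it can query WMI, services and event logs on the DCs remotely.

```powershell
# Added example: inventory the Azure AD Password Protection DC Agent on every RWDC.
# Assumes RSAT ActiveDirectory module and remote RPC/WMI access to the DCs.
Import-Module ActiveDirectory

$serviceName = 'AzureADPasswordProtectionDCAgent'
$productName = 'Azure AD Password Protection DC Agent'

# Enumerate writable DCs per domain from the directory rather than from the SCPs.
$forest = Get-ADForest
$dcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter { IsReadOnly -eq $false } -Server $domain
}

$results = foreach ($dc in $dcs) {
    $fqdn = $dc.HostName
    $row = [ordered]@{
        DC            = $fqdn
        Domain        = $dc.Domain
        Reachable     = $false
        ProductFound  = $false
        ServiceStatus = 'Missing'
        EventLogs     = 0
    }

    # A DC with lingering metadata (force-removed, never cleaned up) is listed but gone.
    if (-not (Test-Connection -ComputerName $fqdn -Count 1 -Quiet)) {
        [pscustomobject]$row
        continue
    }
    $row.Reachable = $true

    # Check 1: the product is registered with the Windows Installer.
    try {
        $product = Get-WmiObject -Class Win32_Product -ComputerName $fqdn `
            -Filter "Name like '$productName'" -ErrorAction Stop
        $row.ProductFound = [bool]$product
    } catch { $row.ProductFound = $false }

    # Check 2: the DC Agent service exists (Running/Stopped), or is missing entirely.
    try {
        $svc = Get-Service -ComputerName $fqdn -Name $serviceName -ErrorAction Stop
        $row.ServiceStatus = $svc.Status.ToString()
    } catch { $row.ServiceStatus = 'Missing' }

    # Check 3: the DC Agent event logs exist; these are what the summary report reads.
    try {
        $logs = Get-WinEvent -ComputerName $fqdn -ListLog '*AzureADPasswordProtection*' -ErrorAction Stop
        $row.EventLogs = @($logs).Count
    } catch { $row.EventLogs = 0 }

    [pscustomobject]$row
}

$results | Format-Table -AutoSize

# DCs that will make Get-AzureADPasswordProtectionSummaryReport error:
# reachable, but without the service or the event logs.
$results | Where-Object { $_.Reachable -and ($_.ServiceStatus -eq 'Missing' -or $_.EventLogs -eq 0) }
```

Run it from a Proxy server or any management host with RSAT; the last line is the list of RWDCs that still need the DC Agent installed (or the unreachable ones that need metadata cleanup, which show up with Reachable set to False).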

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Azure AD Password Protection, Windows Azure Active Directory

(2018-10-25) When Installing The Azure AD Password Protection DC Agent Generates An Error

Posted by Jorge on 2018-10-25


If you are installing the Azure AD Password Protection DC Agent on an RWDC and you receive the following error….


Figure 1: An Error The Azure AD Password Protection DC Agent Setup Wizard Ended Prematurely

...execute the AADPwdProtection\AzureADPasswordProtectionDCAgent.msi with the following options:

MSIEXEC /i AzureADPasswordProtectionDCAgent.msi /log AzureADPasswordProtectionDCAgent.log

After it errors again, open the log file and search for the word ERROR. When you do, you will most likely find why it errors. If it has the same cause as I had, you will see something similar to the following:

Dumping MSI properties of interest:
  'INSTALLDIR' = 'C:\Program Files\Azure AD Password Protection DC Agent\'
  'Installed' = ''
  'INSTALLLEVEL' = '1'
  'ProductCode' = '{67E66797-A45C-4C3C-B481-554F9F427227}'
  'ProductID' = ''
  'ProductName' = 'Azure AD Password Protection DC Agent'
  'ProductState' = '-1'
  'ProductVersion' = '1.2.10.0'
  'ProgramFiles64Folder' = 'C:\Program Files\'
  'Remove' = ''
  'UPGRADINGPRODUCTCODE' = ''
  'BPL_NONUPGRADEABLEAPPFOUND' = ''
  'BPL_STATEMIGRATIONFOLDER' = ''
Done with MSI property dump
CheckForNonUpgradeableApps - opened Uninstall key with 9 subkeys
CheckForNonUpgradeableApps - a nonupgradeable app was found 'Azure AD Password Protection DC Agent' - '1.1.10.3'
CustomAction BPL_CheckForNonUpgradeableApps returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 16:30:01: BPL_CheckForNonUpgradeableApps. Return value 3.
Action ended 16:30:01: INSTALL. Return value 3.


In plain English this means you are trying to install a newer version on top of a version that cannot be upgraded. Check the versions. The old version here was installed months ago when I participated in the public preview. Today I wanted to install the officially released version and had forgotten the old version was still installed.

The solution here? Uninstall the old version first and then install the newer version. After both the uninstall and the install, a reboot of the RWDC is required.

To determine if a version is already installed and, if so, to uninstall it, execute the following commands:

WMIC PRODUCT GET NAME | FIND /I "Azure AD Password Protection DC Agent"

WMIC PRODUCT WHERE NAME="Azure AD Password Protection DC Agent" CALL UNINSTALL

...and if you are a PowerShell junkie, you can also use the following for the uninstall:

$product = Get-WmiObject -Class win32_product -Filter "Name like 'Azure AD Password Protection DC Agent'"

$product

$product.Uninstall() # WARNING: Reboot is immediate, no mercy and no questions asked!!!

After the uninstall and reboot, install the newest AzureADPasswordProtectionDCAgent.msi available from Microsoft.
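The install procedure above (check for an existing version, install with logging, search the log for the cause) wrapped in one script, as an added example that is not part of the original post. Instead of Win32_Product it reads the Uninstall registry keys, which is what the MSI custom action in the log ("opened Uninstall key") inspects and which does not trigger the Windows Installer consistency check that Win32_Product queries cause. The MSI path and the log location are assumptions.

```powershell
# Added example: pre-check for an existing DC Agent, then install with an MSI log
# and pull the failure cause from that log if setup fails. Paths are assumed.
$productName = 'Azure AD Password Protection DC Agent'
$msiPath     = 'C:\AADPwdProtection\AzureADPasswordProtectionDCAgent.msi'   # assumed location
$logPath     = Join-Path $env:TEMP 'AzureADPasswordProtectionDCAgent.log'

function Get-InstalledDcAgent {
    # The Uninstall keys (64-bit and WOW6432Node) list every MSI product with its
    # DisplayVersion; the key name (PSChildName) is the ProductCode used by msiexec /x.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $productName } |
        Select-Object DisplayName, DisplayVersion, PSChildName
}

$existing = Get-InstalledDcAgent
if ($existing) {
    # A leftover (preview) version is exactly what BPL_CheckForNonUpgradeableApps rejects.
    Write-Warning ("{0} {1} is already installed (ProductCode {2})." -f `
        $existing.DisplayName, $existing.DisplayVersion, $existing.PSChildName)
    Write-Warning "Uninstall it first (msiexec /x <ProductCode>), reboot the RWDC, then run this again."
    return
}

# Install with a log so a failure can be diagnosed instead of guessed at.
$proc = Start-Process -FilePath 'msiexec.exe' `
    -ArgumentList "/i `"$msiPath`" /log `"$logPath`"" -Wait -PassThru

if ($proc.ExitCode -ne 0) {
    Write-Warning "Setup failed with exit code $($proc.ExitCode); relevant lines from $logPath :"
    # ERROR lines, the custom-action line naming the non-upgradeable version,
    # and the 'Return value 3' lines that mark the failing action.
    Select-String -Path $logPath -Pattern 'ERROR', 'nonupgradeable app was found', 'Return value 3' |
        ForEach-Object { $_.Line }
} else {
    Write-Host "Install succeeded; reboot the RWDC so the DC Agent password filter is loaded."
}
```

Exit code 1603 from msiexec is the generic fatal-error code seen in the log above; the matched "nonupgradeable app was found" line is what tells you which old version is in the way.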

Cheers,
Jorge


Posted in Azure AD Password Protection, Windows Azure Active Directory
