Saturday, September 17, 2022

Please use Active Directory Group Managed Service Accounts!

This post covers the justification and design for a gMSA. It is also an appeal to Microsoft to increase the number of their services that support gMSAs (specifically SharePoint). If you are looking for a quick step-by-step guide to using a gMSA, please click here.

What is a gMSA?

We have all noticed that Active Directory automatically rolls and synchronizes the password between AD and a computer account; the default interval is 30 days.
A Managed Service Account is an account that uses that same mechanism to roll the password of a service account.

Why use a gMSA?

It rolls the passwords for the service account automatically, thus ensuring that security standards are met.

How does a gMSA work?

A gMSA is both a user account and a computer account. This lets it use the same mechanism for rolling passwords as a computer account. Rolling follows a 30-day schedule that is set in the registry, not in the usual domain group policy.
The password is generated by the Key Distribution Service (KDS).

What should Microsoft do?

At present, for Exchange Server we have to roll the passwords manually. This is because of a dependency on Windows Cluster Services.

SharePoint has its own "Managed Accounts" where it rolls the password. One can schedule how often the password is rolled; there are also options to make sure it is rolled before password policies are enforced and to send an email notification before a password change.

References:

https://community.spiceworks.com/topic/151704-how-often-should-i-change-passwords-for-servers-firewalls-etc

https://www.stigviewer.com/stig/windows_2008_member_server/2018-03-07/finding/V-14271

https://docs.microsoft.com/en-us/archive/blogs/askds/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting

https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-how-to-work-with-group-managed-service-accounts/ba-p/329864

https://itconnect.uw.edu/wares/msinf/ous/guide/gmsa/

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd378925(v=ws.10)?redirectedfrom=MSDN

www.software-smith.com


Tuesday, September 13, 2022

Recipe - Using a Managed Service Account with Windows 2019

1. On the domain controller make sure you have installed the AD PowerShell module feature, and then run:

New-ADServiceAccount -Name msasql -DNSHostName msasql.adatum.com `
    -PrincipalsAllowedToRetrieveManagedPassword "Domain Computers" `
    -Enabled $True


If you require a SPN you can also use the -ServicePrincipalName parameter.

Replace "Domain Computers" with the computers that are going to run the service using the managed service account. If you are creating a group MSA then this would be the name of the group.

If you get "access denied" or a missing key message, then try this first (back-dating the key by 10 hours lets it be used immediately instead of waiting for replication):

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))


2. On the domain controller add the new service account as the service account for the server where it will be used:

Add-ADComputerServiceAccount -Identity lon-exch -ServiceAccount msasql


The -Identity is the server; the -ServiceAccount is the MSA.

3. Go to the computer where you will use the managed account. Make sure you have installed the AD PowerShell feature, and then run:

Install-ADServiceAccount -Identity msasql

4. Go to SQL Server Configuration Manager and change the appropriate service to use this account.
Make sure you use a dollar sign, e.g. adatum\msasql$, and that the password fields are blank.

If you need to roll the password, use:

Reset-ADServiceAccountPassword msasql
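Below is the recipe assembled into one script, as an added example that is not from the original post: it scopes the gMSA to a dedicated host group instead of "Domain Computers", then checks which principals can retrieve the password and whether it has actually been rolled within its interval. The domain adatum.com and host LON-SVR1 come from the post; the group name gMSA-SQL-Hosts is an assumption.

```powershell
# Added example, not part of the original post: the recipe above as one script that
# scopes the gMSA to a dedicated host group (least privilege) and verifies the result.
# Assumptions: domain adatum.com and host LON-SVR1 from the post; group gMSA-SQL-Hosts is constructed.
Import-Module ActiveDirectory

$GmsaName  = 'msasql'
$HostGroup = 'gMSA-SQL-Hosts'
$SqlHosts  = @('LON-SVR1')

# gMSA passwords are derived from the KDS root key, so create one if it is missing.
# Back-dating by 10 hours makes it usable right away instead of after replication (lab use).
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
}

# A dedicated group instead of "Domain Computers" limits which machines can read the
# managed password. A host added here needs a reboot (or a machine-ticket purge) before
# the new membership appears in its Kerberos ticket.
if (-not (Get-ADGroup -Filter "Name -eq '$HostGroup'")) {
    New-ADGroup -Name $HostGroup -GroupScope Global -GroupCategory Security | Out-Null
}
foreach ($h in $SqlHosts) {
    Add-ADGroupMember -Identity $HostGroup -Members (Get-ADComputer -Identity $h)
}

# Create the gMSA scoped to that group, with an explicit 30-day rolling interval.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName `
        -DNSHostName "$GmsaName.adatum.com" `
        -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
        -ManagedPasswordIntervalInDays 30 `
        -Enabled $true
}

# Verification: who may retrieve the password, and has it been rolled within its interval?
$acct = Get-ADServiceAccount -Identity $GmsaName -Properties `
    PrincipalsAllowedToRetrieveManagedPassword, PasswordLastSet, 'msDS-ManagedPasswordInterval'
$acct | Select-Object Name, PasswordLastSet, 'msDS-ManagedPasswordInterval',
    PrincipalsAllowedToRetrieveManagedPassword | Format-List

$ageDays = ((Get-Date) - $acct.PasswordLastSet).TotalDays
if ($ageDays -gt $acct.'msDS-ManagedPasswordInterval') {
    Write-Warning "$GmsaName password is $([int]$ageDays) days old; it has not rolled on schedule."
}

# On each SQL host, after its reboot, finish with the post's Install-ADServiceAccount step and
# confirm with Test-ADServiceAccount (returns True when the host can retrieve the password):
#   Install-ADServiceAccount -Identity msasql
#   Test-ADServiceAccount -Identity msasql
```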


Monday, November 29, 2021

How To change font size in SQL Server Management Studio.

1. Click Tools, then Options.


2. Select Fonts and Colors (under Environment). Under Show settings for: select Text Editor and change the size.

3. The font size is changed in the Query window.

4. Select Tools, then Options. Select Fonts and Colors (under Environment). Under Show settings for: select Environment and change the font and then the size.


5. The font size is now changed in the Object Explorer.


Note also the Zoom dropdown in the query window.


Wednesday, September 1, 2021

Errata for MOC 20742 Identity with Windows 2016

Lab 4: In Mod04EX4Fix.ps1 make sure TestSite is spelled correctly, not as Test-Site.

Lab 10: The certificate for adfs.adatum.com has expired. Recreate it:

1.      In the IIS console, in the central pane, double-click Server Certificates.

2.      In the Actions pane, click Create Domain Certificate.

3.      On the Distinguished Name Properties page, complete the following fields, and then click Next:

o   Common name: adfs.adatum.com

o   Organization: Adatum

o   Organizational unit: IT

o   City/locality: Seattle

o   State/province: WA

o   Country/region: US

4.      On the Online Certification Authority page, click Select, click AdatumCA, and then click OK.

5.      In the Friendly name text box, type adfs.adatum.com, and then click Finish.

Lab 12

The steps for creating an Office 365 trial subscription have changed. Please use the following steps:

1.     On LON-CL1, download, install and open Google Chrome.

2.     Open the https://products.office.com/en-us/business/office-365-enterprise-e5-business-software URL, and then click the Free trial link.

3.     On the Thank you for choosing Office 365 E5 page, enter a current working email address that has not been used as an Office 365 account.

You should be asked to create a new account. If this message does not appear, use a different email address.

4.     Select Set up account.

5.     On the Tell us about yourself page, complete the following fields and then select Next:
First name: Your first name
Last Name: Your last name
Business phone number: A phone number that can receive SMS messages for account confirmation
Company name: Adatum
Your company size: 250-999
Country or region: United States

6.     On the Tell us about yourself page, select Text me, confirm the phone number listed, and then select Send verification code.

7.     In the Enter your verification code field, type the 6-digit code sent to your mobile device and then select Verify.

8.     On the Create your business identity page, type Adatumyyxxxxx (for example, Adatum091976) in the yourbusiness text box, select Check availability, and then select Next.

9.     In the Name field, type the user name of your choice in the User name text box, choose a password and type it in the New password and Confirm password text boxes, and then select Sign up.

10.   On the Save this info. You’ll need it later page, ensure that you save your Microsoft Online user ID data, and then click Go to setup.


Your user ID will be in the format username@Adatumyyxxxxx.onmicrosoft.com. Ensure that you write it down, because you will use this account as the global admin account for your Azure AD tenant.


11.   On the Personalize your sign-in and email page, select Exit and continue later.

12.   Ensure that the Office 365 portal opens.

Task 2: Verify the Azure AD tenant and add a domain

1.      On LON-CL1, in the browser window, open a new tab, and then go to https://portal.azure.com.

2.      In the Azure portal, in the left navigation pane, click Azure Active Directory.

3.      In the MANAGE options list, click Custom Domain names.

4.      Verify that you can see your adatumyyxxxxx.onmicrosoft.com domain that you created in the previous task.

5.      Click Add Custom Domain.

6.      In the Custom Domain name pane, type Adatum.com in the Custom Domain name text box, and then click Add Domain.

7.      On the page to verify domain, do not press verify, review the content, and then close the Adatum.com window.

8.      Leave the Azure portal open.


Exercise 2: Configuring directory synchronization

Task 1: Configure a synchronization account

1.      On LON-CL1, in the Azure portal, in the left navigation pane, click Azure Active Directory, and then click Users.

2.      Click All users. You will see only your account.

3.      Click New user.

4.      In the User pane, type SYNC in the Name text box.

5.      Type sync@adatumyyxxxx.onmicrosoft.com (where adatumyyxxxx.onmicrosoft.com is your domain name that was defined in Exercise 1, task 1) in the User name text box.

6.      Click Directory role.

7.      In the Directory role pane, click Global administrator, and then click Ok.

8.      Click Show Password. Copy the password shown in the text box to Notepad.

9.      Click Create.

10.   Open a new InPrivate Window.

11.   In the new browser window, go to https://portal.azure.com.

12.   Sign in as sync@adatumyyxxxx.onmicrosoft.com with the temporary password that you copied in step 8.

13.   On the Update your password page, type your temporary password in the Current password text box, and then type a new password in the New password and Confirm password text boxes. Click Update password and sign in. Document the password for the SYNC account.

14.   Verify that the Azure portal opens. Close the Edge window. Keep the browser, where you are signed in with your account, open.

Task 2: Install and configure Azure AD Connect

1.      On LON-SVR1, sign in as Adatum\Administrator.

2.      Open the browser, and then go to https://portal.azure.com.

3.      On the Microsoft Azure page, sign in with the global administrative credentials that you created in Exercise 1, Task 1.

4.      In the Microsoft Azure portal, open a new tab with https://aka.ms/d8a60i.

5.      Click Download, and then open the downloaded file.

6.      When prompted to run or save the file, click Run.

7.      Install TLS with PowerShell.

8.      Restart.

9.      In the Microsoft Azure Active Directory Connect Wizard, on the Welcome to Azure AD Connect page, select I agree to the license terms and privacy notice, and then click Continue. 

10.   On the Express Settings page, click Use express settings. 

11.   On the Connect to Azure AD page, in the USERNAME text box, type the SYNC account user name. In the PASSWORD text box, type the password that you assigned to the SYNC account, and then click Next. 

12.   On the Connect to AD DS page, in the USERNAME text box, type Adatum\administrator. In the PASSWORD box, type Pa55w.rd, and then click Next.

13.   On the Azure AD sign-in configuration page, select Continue without any verified domains, and then click Next.

14.   On the Ready to configure page, click Install, and when the configuration is complete, click Exit.

15.   Now, the synchronization of objects from your local Active Directory Domain Services (AD DS) and Microsoft Azure Active Directory (Azure AD) begins. You must wait approximately 5-10 minutes for this process to complete. 

16.   Close the browser window on LON-SVR1.