Not so much a blog post as an FYI to let you know that these reference architectures for Azure Identity Management (and other parts of Azure) exist.
Microsoft regularly releases performance tuning guides for Windows Server; the guide for Windows Server 2016 organises its performance and tuning guidance across three tuning categories:
| Server Hardware | Server Role | Server Subsystem |
|---|---|---|
| Hardware performance considerations | Active Directory Servers | Cache and memory management |
| Hardware power considerations | File Servers | Networking subsystem |
| | Hyper-V Servers | Storage Spaces Direct |
| | Remote Desktop Services | Software Defined Networking (SDN) |
| | Windows Server Containers | |
Recently I faced an issue with Azure AD Connect on a Windows Server 2012 R2 box that had direct access to the internet, with Azure AD Connect installed and running under the context of a service account.
As Azure AD Connect was running in the context of a service account and is WPAD aware, it wanted to use a proxy server to connect to the internet.
The error message given was:
“An error occurred executing Configure AAD Sync task: user_realm_discovery_failed: User Realm Discovery Failed”
The trace log file also reported:
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: user_realm_discovery_failed: User realm discovery failed ---> System.Net.WebException: The remote server returned an error: (407) Proxy Authentication Required.
All the solutions I found on the internet (AADConnect Troubleshooting) pointed me to configuring the machine.config (C:\Windows\Microsoft.NET\Framework64\v4.0.30319\config) with the required proxy server settings, but in my scenario I did not want to use a proxy server.
I resolved the issue by adding the syntax below to the machine.config file.
As always test in your environment before deploying into production.
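As an added example (not the snippet from the original post, which is not reproduced here), the following PowerShell makes the equivalent machine.config change from an elevated prompt. It assumes the fix is the .NET `<system.net><defaultProxy enabled="false" />` element, which tells every .NET 4 64-bit process on the host, the AAD Connect service included, to stop honouring WPAD or any other proxy discovery; the path and the backup naming are my own choices.

```powershell
# Added example, not from the original post.
# Disable .NET default proxy use in the 64-bit .NET 4 machine.config so that code running as the
# AAD Connect service account connects directly instead of asking a WPAD-discovered proxy.
# Assumption: the intended setting is <defaultProxy enabled="false" />. Run elevated.

$configPath = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\config\machine.config'

# machine.config affects every 64-bit .NET 4 process on the box, so keep a timestamped backup.
$backup = "$configPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -Path $configPath -Destination $backup

[xml]$config = Get-Content -Path $configPath -Raw

# Ensure <configuration><system.net> exists (ordering of sections after <configSections> does not matter).
$systemNet = $config.configuration.SelectSingleNode('system.net')
if (-not $systemNet) {
    $systemNet = $config.CreateElement('system.net')
    $null = $config.configuration.AppendChild($systemNet)
}

# Ensure <defaultProxy> exists and switch it off.
$defaultProxy = $systemNet.SelectSingleNode('defaultProxy')
if (-not $defaultProxy) {
    $defaultProxy = $config.CreateElement('defaultProxy')
    $null = $systemNet.AppendChild($defaultProxy)
}
$defaultProxy.SetAttribute('enabled', 'false')

$config.Save($configPath)

# Print the resulting element so the change can be checked before the AAD Connect services are restarted.
Write-Output "Backup written to $backup"
Write-Output $config.configuration.SelectSingleNode('system.net').OuterXml
```

If a proxy is actually required, the same element is where the documented settings go instead (`enabled="true"` with `useDefaultCredentials="true"` and a `<proxy>` child pointing at the proxy address), so the script is also a convenient place to apply that variant. Either way, restart the Azure AD Connect services afterwards and re-run the failing configuration task.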
AADConnect Troubleshooting – https://azure.microsoft.com/en-gb/documentation/articles/active-directory-aadconnect-troubleshoot-connectivity/ (Accessed 16/05/2016)
Azure Active Directory Connect (AADConnect) is the tool that connects your on-premises Active Directory to Azure Active Directory.
At the end of the setup there is a rather unhelpful message asking you to run
Translated into plain English, this means (also see the update of 20/07/2016):
AdConnectorAccount: your AAD connector account.
AzureADCredentials: your credentials for Azure.
This must be run from a computer that has both the Active Directory module for Windows PowerShell and the AD DS Snap-Ins and Command-Line Tools installed.
Failure to have both installed will result in two errors.
The first error is obvious.
The second is less obvious: a dsacls.exe error is generated because the command-line tooling is not installed.
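As an added example (not part of the original post), this prerequisite check installs the two RSAT components and confirms that both the module and dsacls.exe are usable before the post-setup command is run. It assumes the Windows Server feature names `RSAT-AD-PowerShell` (Active Directory module for Windows PowerShell) and `RSAT-ADDS-Tools` (AD DS Snap-Ins and Command-Line Tools), and must run elevated on the machine that will execute the script.

```powershell
# Added example, not from the original post.
# Ensure both RSAT components the AAD Connect post-setup script depends on are present.
# Assumption: feature names RSAT-AD-PowerShell and RSAT-ADDS-Tools (Windows Server 2012 R2 / 2016).

$required = 'RSAT-AD-PowerShell', 'RSAT-ADDS-Tools'

$missing = Get-WindowsFeature -Name $required | Where-Object { -not $_.Installed }
if ($missing) {
    Write-Output "Installing missing features: $($missing.Name -join ', ')"
    Install-WindowsFeature -Name $missing.Name | Out-Null
}

# First error: the Active Directory module cannot be imported.
Import-Module ActiveDirectory -ErrorAction Stop

# Second error: dsacls.exe is not on the path because the command-line tools are absent.
if (-not (Get-Command dsacls.exe -ErrorAction SilentlyContinue)) {
    throw 'dsacls.exe not found; confirm RSAT-ADDS-Tools installed (a reboot may be required).'
}

Write-Output 'Prerequisites present: ActiveDirectory module loads and dsacls.exe is on the path.'
```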
This summary stems from a brief conversation within a peer circle: a different perspective on the issue of passwords.
Most IT organisations have an IT security policy that defines the required password parameters for the organisation. Active Directory provides the means to enforce those parameters, from complexity and length to how frequently passwords must be changed.
Once a company's password policy is understood and the required parameters are known, bad practice can set in internally, and this is not limited to the end users; IT can equally be at fault. For example, the service desk may create all new user or service accounts with the same common password, such as Password1234$$ or Welcome2015!
So what has this got to do with hacking your own Active Directory?
Using one of the numerous Active Directory password cracking tools available on the internet, you can analyse the passwords stored in Active Directory (cracking the easy ones) and produce a list of the most common passwords. Doing so requires a copy of the ntds.dit database and the SYSTEM hive, which is why this is a domain controller (or domain controller backup) problem.
These common passwords can then be cross-referenced to their owners, and with a little arithmetic it is possible to deduce that perhaps ten passwords unlock 70 % of all accounts, and with them the systems those accounts can reach. Not only is this a frightening metric, it is reality, and it is an attack vector for anyone with access to a domain controller.
This is not a simple problem to fix within the current architecture of Active Directory, but with small process changes and education around the use of common passwords, the percentage of systems that could be accessed or compromised can be reduced.
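The arithmetic above, as an added example that is not part of the original post. NT hashes are unsalted, so two accounts with the same hash have the same password, and the reuse metric can be computed from a hash dump without cracking anything; cracked plaintexts only add labels. The input format (`sAMAccountName:NThash` lines) and the dump itself are constructed for the example and are not real hashes.

```powershell
# Added example, not from the original post.
# Compute how much of the account population the top N shared passwords cover.
# Input: constructed "user:NThash" lines (not real data); $cracked is a constructed hash -> plaintext map.

$sampleDump = @'
alice:9c5c2f0d1b7a3e4f5a6b7c8d9e0f1a2b
bob:9c5c2f0d1b7a3e4f5a6b7c8d9e0f1a2b
svc-backup:9c5c2f0d1b7a3e4f5a6b7c8d9e0f1a2b
carol:1111aaaa2222bbbb3333cccc4444dddd
dave:1111aaaa2222bbbb3333cccc4444dddd
erin:5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e
frank:7d7d7d7d7d7d7d7d7d7d7d7d7d7d7d7d
grace:8e8e8e8e8e8e8e8e8e8e8e8e8e8e8e8e
heidi:9c5c2f0d1b7a3e4f5a6b7c8d9e0f1a2b
ivan:1111aaaa2222bbbb3333cccc4444dddd
'@

# Plaintexts a cracker recovered for some of the hashes (constructed).
$cracked = @{
    '9c5c2f0d1b7a3e4f5a6b7c8d9e0f1a2b' = 'Welcome2015!'
    '1111aaaa2222bbbb3333cccc4444dddd' = 'Password1234$$'
}

function Get-PasswordReuseCoverage {
    param(
        [Parameter(Mandatory)][string[]]$DumpLines,
        [hashtable]$Cracked = @{},
        [int]$Top = 10
    )
    # Parse "user:hash" lines; anything that is not a 32-hex-digit NT hash is ignored.
    $accounts = foreach ($line in $DumpLines) {
        if ($line -match '^(?<user>[^:]+):(?<hash>[0-9a-fA-F]{32})$') {
            [pscustomobject]@{ User = $Matches.user; Hash = $Matches.hash.ToLower() }
        }
    }
    $total = @($accounts).Count
    $cumulative = 0
    $rank = 0
    # Group by hash (identical hash == identical password), most shared first.
    $accounts | Group-Object Hash | Sort-Object Count -Descending | Select-Object -First $Top |
        ForEach-Object {
            $rank++
            $cumulative += $_.Count
            $plain = if ($Cracked.ContainsKey($_.Name)) { $Cracked[$_.Name] } else { '<uncracked>' }
            [pscustomobject]@{
                Rank          = $rank
                Plaintext     = $plain
                Accounts      = $_.Count
                Users         = ($_.Group.User -join ', ')
                CumulativePct = [math]::Round(100 * $cumulative / $total, 1)
            }
        }
}

# With the constructed data the top two hashes cover 7 of 10 accounts (70 %).
Get-PasswordReuseCoverage -DumpLines ($sampleDump -split "`r?`n") -Cracked $cracked -Top 3 |
    Format-Table -AutoSize
```

The Users column is what turns the metric into action: a shared hash across a service account and several users is the service-desk pattern described above, and it can be chased down without ever knowing the plaintext.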
The Microsoft MVP summit was held last week (3rd – 7th November) in Redmond, where I had the good fortune to spend the week with members of various Microsoft product teams that are responsible for what we commonly know as Active Directory. I can genuinely say that in technology terms I have not been this interested in the future of Windows since I did my first Windows Server 2000 course (MOC 1561) back in 1999.
The MVP Summit content is mostly under NDA and I have always respected the NDA and with this in mind all I will say is that over the next few months I will be reading and learning as much as I can on the following areas of Microsoft technology.
I would also recommend that you start to think about the concept of Active Directory being an identity provider, and that in the future it will all be about managing identities and not solely about managing the technologies that deliver them.
Food for thought, think about what type of identities your business will support, business only or perhaps personal too? What is an identity? What is a personal identity? Who owns the identity? (I will follow up on this concept with another post).
In any Microsoft Active Directory forest a user's access token can hold at most 1024 SIDs, so a user can only be a member of 1024 groups; after allowing for up to nine well-known SIDs this number is actually 1015.
See KB 328889: http://support.microsoft.com/kb/328889
A user who exceeds the hard limit of 1015 group memberships will probably be unable to log on.
A quick visual method to see a user’s nested group memberships expanded, is to run the command:
dsget user “CN=Mark Parris,OU=Administration,DC=clickclicknext,DC=com” -memberof -expand
If this command returns a short list of groups then membership of too many groups is probably not the issue, but if it returns a scrolling list of group memberships we need NTDSUTIL. NTDSUTIL contains a command that you may not even know is there unless you have this specific issue.
The command is group membership evaluation.
At an elevated command prompt, start ntdsutil and enter:
group membership evaluation
set account DC nameOfDC
set global catalog nameOfDC
set resource dc nameOfDC
run clickclicknext.com mark.parris
clickclicknext.com is the FQDN of your domain and mark.parris is the username.
The output of this command is a .tsv file written to the directory the prompt was in (run it from C:\Temp and it will be in C:\Temp); this file can be renamed to .csv.
The report produces a lot of interesting information in tabular form, with these column headings:
SID in token
SID History Count
Active Directory Domain Controller Queried
Group Owner SID
Member WhenChanged (UTC)
GroupType WhenChanged (UTC)
One Level MemberOf Count
Total MemberOf Count
Depth From User
Closest Parent OU
Several of the columns carry timestamps; sorting on them tells you which group or groups were modified most recently. Those changes then need to be understood and reversed, or other legacy group memberships identified and removed.
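The procedure above, as an added example that is not part of the original post: run the same ntdsutil commands non-interactively, load the .tsv that comes back, and sort it on the two WhenChanged columns to surface the most recent membership changes. It assumes ntdsutil writes its .tsv into the current directory (as the post says), that the two timestamp columns parse as dates, and that the DC, domain and user names are placeholders. The tokenGroups check at the end is an independent quick estimate from the Active Directory module.

```powershell
# Added example, not from the original post.
# Assumptions: ntdsutil drops the .tsv into the working directory; the WhenChanged columns parse
# with [datetime]; DC01 / clickclicknext.com / mark.parris are placeholders.

function Invoke-GroupMembershipEvaluation {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][string]$Domain,   # FQDN, e.g. clickclicknext.com
        [Parameter(Mandatory)][string]$User,     # username, e.g. mark.parris
        [string]$WorkDir = 'C:\Temp'
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    Push-Location $WorkDir
    try {
        $before = Get-ChildItem -Filter *.tsv | Select-Object -ExpandProperty FullName
        # Same commands as the interactive session, each passed as one argument.
        & ntdsutil.exe 'group membership evaluation' `
            "set account dc $DomainController" `
            "set global catalog $DomainController" `
            "set resource dc $DomainController" `
            "run $Domain $User" quit quit | Out-Null
        # Return the path of the .tsv that appeared.
        Get-ChildItem -Filter *.tsv | Where-Object { $before -notcontains $_.FullName } |
            Sort-Object LastWriteTime | Select-Object -Last 1 -ExpandProperty FullName
    }
    finally { Pop-Location }
}

function Get-RecentTokenGroupChanges {
    param(
        [Parameter(Mandatory)][string]$TsvPath,
        [int]$Top = 15
    )
    $rows = Import-Csv -Path $TsvPath -Delimiter "`t"
    # Unparseable or missing timestamps sort to the bottom.
    $toDate = { param($s) $d = [datetime]::MinValue; [void][datetime]::TryParse($s, [ref]$d); $d }
    $rows | ForEach-Object {
        $member = & $toDate $_.'Member WhenChanged (UTC)'
        $type   = & $toDate $_.'GroupType WhenChanged (UTC)'
        $last   = if ($member -gt $type) { $member } else { $type }
        $_ | Add-Member -NotePropertyName LastChange -NotePropertyValue $last -PassThru
    } | Sort-Object LastChange -Descending |
        Select-Object -First $Top 'SID in token', 'Depth From User', 'Total MemberOf Count', 'Closest Parent OU', LastChange
}

function Get-TokenSidEstimate {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Import-Module ActiveDirectory -ErrorAction Stop
    # tokenGroups is a constructed attribute holding the SIDs of all transitive group memberships
    # as seen from the DC answering; SID history entries also occupy token slots.
    $u = Get-ADUser -Identity $SamAccountName -Properties tokenGroups, sIDHistory
    $groups  = @($u.tokenGroups).Count
    $history = @($u.sIDHistory).Count
    [pscustomobject]@{
        User           = $SamAccountName
        TokenGroups    = $groups
        SidHistory     = $history
        EstimatedSids  = $groups + $history + 9   # plus up to nine well-known SIDs (KB 328889)
        AboveHardLimit = ($groups + $history) -gt 1015
    }
}

# Usage (placeholders):
$tsv = Invoke-GroupMembershipEvaluation -DomainController 'DC01' -Domain 'clickclicknext.com' -User 'mark.parris'
Get-RecentTokenGroupChanges -TsvPath $tsv | Format-Table -AutoSize
Get-TokenSidEstimate -SamAccountName 'mark.parris'
```

The tokenGroups count is only an estimate: it reflects the groups visible to the DC that answered, so domain local groups in a different resource domain are not included, which is exactly the gap the ntdsutil report (with its separate account, global catalog and resource DC settings) is designed to close.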
As I review and update my old consulting notes I have decided to publish them.
These are by no means definitive and are intended as an aide-mémoire.
Associated Post: MaxTokenSize – Change of recommendation from Microsoft