Azure Migrate

With more and more enterprise organizations moving to the cloud every day, it can get confusing to map requirements and costs when moving from an on-premises environment. The Azure Migrate service lets us very quickly get hard data on what our Azure footprint will look like. In this blog I will go through the basic end-to-end configuration of the Azure Migrate service against a vCenter 6.5 environment.

Setup

I have built an ESXi 6.5 host managed by a vCenter 6.5 virtual appliance for the purpose of this demo. On this host I have added a Windows 2008R2 VM named ‘CloudBound’. This is the machine I am planning to migrate to Azure using the Azure Migrate Service.

1.png

First, let's get our migration project set up in the Azure portal. We log in to our subscription and create a new Migration Project.

2.png

3.png

When the migration project is created, open it up by clicking “Discover & Assess” to begin the process.

4.png

In the next window, let’s kick things off by selecting the “Discover Machines” option to discover our on-prem environment.

5.png

We are presented with several steps. The first step, logically, is to download the collector appliance, which will discover and assess our vCenter environment. The collector appliance comes in .OVA format and there are options for a one-time discovery or continuous discovery. For the purposes of the lab, let's do a one-time discovery. Download the one-time discovery OVA file and deploy it to your vSphere environment.

6.png

7.png

8.png

9.png

This import will take a few minutes so let’s grab some tea and come back to it.

 

Configuring the Collector Appliance

Now that the collector is deployed, let’s log on to the console and begin configuration.

10.png

First we carefully read and accept the license terms and give the collector an admin password.

We can then log into the collector VM and run the "Run Collector" utility on the desktop. We could also browse to the collector remotely if we wanted.

Let the prerequisite wizard finish getting everything ready and then we can start configuration. We need to make sure the collector has network and internet connectivity; for this lab I've allowed it to use DHCP.

11.png

When the prerequisite installer completes, we are prompted for vCenter credentials. Specify the credentials and click 'Connect'. The collector only reads inventory and performance data, so a dedicated read-only vCenter account is sufficient; there is no need to hand it an administrator login.

12.png

We may receive a message about enabling utilization history for disks. For this demo we can ignore it, but in production I would recommend having it enabled, as the sizing recommendations are only as good as the performance data the collector is given. We now select the host/cluster we want to assess and hit Continue.

Now we can go back to our Azure portal to copy the Project ID and Project Key into our appliance, then hit 'Connect'.

13.png

Once the connection is successful, we can click continue to kick off the data collection. This may take some time so time for another break!

 

Viewing the Assessment

Now that the collector has finished and uploaded the data, we can create an assessment. (When the assessment finishes on the collector, it may take some time for the machines to appear in the Azure Portal)

Open up the Migration Project and select ‘Create Assessment’.

14.png

Here we will create a new migration group and include our 'CloudBound' server.

15.png

When the assessment is created, navigate to the "Assessments" blade to view it. You'll notice that the confidence rating isn't great; in my demo it's set to "Not Applicable". This rating is based on several factors, such as how many performance data points are available for a given VM. I created my Windows 2008 R2 server today, so Azure will not have a whole lot of data to work with.

16.png

Select the assessment to view the migration recommendations. Here we can see the readiness summary and cost estimates for our migration group. We can edit the properties of the group to change our requirements for things like the desired location and storage type.

17.png

18.png

In the Azure Readiness Blade we can see the recommendations for each VM along with the suggested migration tool. Here we can export out our assessment to prepare the data for review. Clicking on a VM will give us some statistics about the VM.

19.png

20.png

The cost details blade will give us a breakdown of the cost estimates per VM.

21.png

Finally, we can also install the Microsoft Monitoring Agent and Dependency Agent to map out dependencies within a group. As this environment only has a single server, there isn't much to show, but adding that on top of the assessment we carried out gives us real, dependable data on what talks to what and helps prepare for migration.

22.png

And that's it: we have configured the Azure Migrate service to assess our on-premises vCenter environment and have some nice reports to show the benefits of moving our workloads to Azure.

Update to Microsoft Teams PowerShell Module (v 0.9.5)

Microsoft have recently released a much-needed update to the Microsoft Teams PowerShell module. The updated module brings a lot of functionality that previously would have required workarounds to access the Teams configuration programmatically. While the module is not quite there yet, it's good to have these improvements available.

To install the module, first remove the old version by launching an administrative PowerShell window and running:

Uninstall-Module MicrosoftTeams

Next, download the updated module by running:

Install-Module MicrosoftTeams

Let's look at the commands in the module. The list of commands is pretty similar to before, however we can see the version number is now 0.9.5.

teams1.png

Using Connect-MicrosoftTeams to connect to the service, we can test out the new functionality of the “Get-Team” cmdlet.

2.png

Now we see the major change. The “Get-Team” cmdlet now lists ALL teams in the organization rather than just the teams we are a member of! From a pure reporting point of view this is an amazing improvement. Now I can retire all my workaround scripts using different methods of determining Teams vs groups etc. We can easily stay in the Teams module to look up a team and enumerate the members.
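Since Get-Team now returns every team in the tenant, the obvious reporting job is an ownership review. The following script is an added example (not part of the original post) that walks all teams with Get-Team and Get-TeamUser and flags any team with fewer than two owners, which is the usual orphaned-team problem. It assumes Connect-MicrosoftTeams has already been run in the session and that the account used can read every team; the CSV path is arbitrary.

```powershell
# Added example: tenant-wide Teams ownership report using only Get-Team and
# Get-TeamUser from the MicrosoftTeams module. Assumes Connect-MicrosoftTeams
# has already been run.
function Get-TeamOwnershipReport {
    param([int]$MinimumOwners = 2)

    Get-Team | ForEach-Object {
        $team    = $_
        $owners  = @(Get-TeamUser -GroupId $team.GroupId -Role Owner)
        $members = @(Get-TeamUser -GroupId $team.GroupId -Role Member)

        [pscustomobject]@{
            DisplayName    = $team.DisplayName
            GroupId        = $team.GroupId
            Visibility     = $team.Visibility
            OwnerCount     = $owners.Count
            MemberCount    = $members.Count
            Owners         = ($owners.User -join ';')
            # A team with zero or one owner is an orphan risk: if that person
            # leaves, nobody can manage membership or content.
            NeedsAttention = ($owners.Count -lt $MinimumOwners)
        }
    }
}

$report = Get-TeamOwnershipReport
$report | Where-Object NeedsAttention | Format-Table DisplayName, OwnerCount, Owners -AutoSize
$report | Export-Csv -Path .\TeamsOwnershipReport.csv -NoTypeInformation
```

Get-TeamUser is called once per team per role, so on a large tenant this takes a while; it is a report to schedule, not to run interactively against thousands of teams.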

As I mentioned above, the module is not as fleshed out as I’d like it to be just yet but seeing these improvements regularly will have it there in no time.

Send Azure AD Audit and Sign-In Logs to Azure Log analytics

Microsoft have recently announced the availability of Azure Log analytics for Azure AD sign-in and audit logging. This is a really cool feature, especially for large organizations where there will be a lot of traffic to audit. In this post I will go through the basic setup.

Prerequisites:

  • Azure AD Global Admin
  • Azure Subscription

Log on to the Azure portal and select Azure Active Directory > Diagnostic settings > Add diagnostic setting.

Select the option to "Turn on diagnostics" if it is not already turned on and configure the Azure AD diagnostic setting. Select the option to "Send to Log Analytics" and click "Configure" to create a new Log Analytics (OMS) workspace. Choose to send Audit logs, Sign-in logs or both to Log Analytics.

1.png

2.png

 

Click ‘Save’ to finalize the setup.

Wait for 15 minutes or so for the data to begin sending to Log Analytics. (Time to grab some tea)

When you’ve finished your tea, select Azure Active Directory  > Monitoring > Logs to view your new Log analytics workspace.

We can see in the default query that the configuration itself is showing up in the logs:

 

3.png

Now lets generate some sign in traffic by logging in as a user. After logging in, wait for 5 or so minutes for the log to show up.

After a couple of minutes, we can see sign in logs in our default query.

5.png

Using Log analytics, we can configure custom queries and set alerts and actions on pretty much anything that happens in Azure AD. This is an extremely powerful tool for organizations to leverage to enhance security, governance and automation across the platform.
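As an added example (not part of the original post), here is one such query run from PowerShell rather than the portal. It uses the Az.Accounts and Az.OperationalInsights modules to run a KQL query against the SigninLogs table that the diagnostic setting above populates, and surfaces a single source IP failing sign-ins against many different accounts, which is what a password spray looks like. The workspace ID is a placeholder and the threshold of five distinct accounts per IP is an assumption to tune for your tenant.

```powershell
# Added example: query Azure AD sign-in failures in Log Analytics from
# PowerShell. Requires Az.Accounts and Az.OperationalInsights. The workspace
# ID below is a placeholder for your workspace's customer ID.
Connect-AzAccount | Out-Null
$WorkspaceId = '00000000-0000-0000-0000-000000000000'

# ResultType "0" is a successful sign-in; any other value is a failure code.
# One IP failing against many distinct accounts is the password-spray shape.
$query = @'
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType != "0"
| summarize Failures    = count(),
            Accounts    = dcount(UserPrincipalName),
            SampleUsers = make_set(UserPrincipalName, 5)
          by IPAddress
| where Accounts >= 5
| order by Accounts desc
'@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $query
$result.Results | Format-Table IPAddress, Failures, Accounts, SampleUsers -AutoSize
```

The same query pasted into the Logs blade and saved as an alert rule is the "set alerts and actions" part of the paragraph above; running it from PowerShell is handy for ad-hoc hunting or for feeding the results into another tool.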

Implementing Privileged Access Management on Server 2016/2019: Part 4 – Finalize Configuration and Test PAM Requests

Implementing Privileged Access Management on Server 2016/2019: Part 1 – Setting up the Privileged Domain

Implementing Privileged Access Management on Server 2016/2019: Part 2 – Installing and Configuring SharePoint Server 2016 for Microsoft identity Manager

Implementing Privileged Access Management on Server 2016/2019: Part 3 – Deploying the MIM/PAM Server

It’s been a few weeks since the last post in this series due to an issue with my lab environment. In this final post, we will go through the last configuration pieces and test our PAM installation!

 

Prerequisites:

* Ensure that the priv domain is accessible from the corporate domain and resolves in DNS. You'll remember in part 1 of this series we set up a DNS delegation for the priv domain in our corporate domain. Verify this is functional by performing a ping or nslookup against the priv domain FQDN from the corp domain.

 

Set up management policy rules in MIM Portal

In the MIM Portal, open the “Management Policy Rules” Page, search and select the management policy rule “User management: Users can read attributes of their own” and uncheck the “Policy is disabled” checkbox, then click ‘OK’ and “Submit”

MIMPortal.png

mimportal2.png

mimportaL3.png

Next ensure Windows Firewall is allowing TCP ports 5725, 5726, 8086 and 8090 inbound on the MIM server. In my lab I have disabled the Windows Firewall on the MIM server entirely; in production, leave it on and add rules scoped to those four ports (and ideally to the admin workstation subnets), since this server holds the keys to your privileged forest.
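The following script is an added pre-flight check (not part of the original post) that covers both prerequisites above from a CORP-joined machine: it confirms the DNS delegation answers for the priv zone, that the MIM server resolves through it, and that exactly the four PAM ports are reachable. The host names are the lab values used in this series.

```powershell
# Added example: PAM pre-flight checks from a CORP-joined machine.
# Names are the lab values from this series; adjust for your environment.
$PrivDomain = 'priv.lab.corp.net'
$MimServer  = 'mim.priv.lab.corp.net'
$Ports      = 5725, 5726, 8086, 8090   # MIM Service, PAM REST API (8086), sample portal (8090)

# 1. The CORP DNS delegation created in part 1 must answer for the PRIV zone
$ns = Resolve-DnsName -Name $PrivDomain -Type NS -ErrorAction Stop
"NS records for ${PrivDomain}: $($ns.NameHost -join ', ')"

# 2. The MIM server must resolve through that delegation
$a = Resolve-DnsName -Name $MimServer -Type A -ErrorAction Stop
"$MimServer -> $($a.IPAddress -join ', ')"

# 3. Each PAM port must be reachable. If unrelated ports (e.g. 3389 from a
#    non-admin subnet) are also open, the firewall was disabled, not scoped.
foreach ($p in $Ports) {
    $t = Test-NetConnection -ComputerName $MimServer -Port $p -WarningAction SilentlyContinue
    "{0,-30} TCP/{1,-5} {2}" -f $MimServer, $p, $(if ($t.TcpTestSucceeded) { 'open' } else { 'CLOSED' })
}
```

Run it again after the firewall rules are in place; a CLOSED line for 8086 is the usual reason the sample portal in the next section shows an empty role list.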

Set up a Sample Web Application for the MIM PAM REST API

First download the contents of  the Identity Management samples files and unpack the contents of the folder “identity-management-samples-master\Privileged-Access-Management-Portal\src” to the directory “C:\Program Files\Microsoft Forefront Identity Manager\2010\Privileged Access Management Portal” of the MIM Server. You will need to create this directory as it doesn’t exist by default.

Now create a new web site for the sample portal, open an administrative PowerShell window and run the below command:

New-WebSite -Name “MIM Privileged Access Management Example Portal” -Port 8090   -PhysicalPath “C:\Program Files\Microsoft Forefront Identity Manager\2010\Privileged Access Management Portal\”

To allow the new web application to call the MIM PAM REST API from the browser, open the web.config file in the directory "C:\Program Files\Microsoft Forefront Identity Manager\2010\Privileged Access Management REST API" and add the below entries in the <system.webServer> section. They can be added just under the "<validation validateIntegratedModeConfiguration="false" />" entry. Take a backup of the original file before editing. Note that because Access-Control-Allow-Credentials is true, the Access-Control-Allow-Origin value must be the exact origin of the portal site (scheme, host and port) and never a wildcard; otherwise any site a logged-in admin visits could call the API with their credentials.

<httpProtocol>
  <customHeaders>
    <add name="Access-Control-Allow-Credentials" value="true" />
    <add name="Access-Control-Allow-Headers" value="content-type" />
    <add name="Access-Control-Allow-Origin" value="http://<MIM Server Name>:8090" />
  </customHeaders>
</httpProtocol>

 

Next open the file "C:\Program Files\Microsoft Forefront Identity Manager\2010\Privileged Access Management Portal\js\utils.js" and change the value of the PAM API URL variable "pamRespApiUrl" to 'http://<PAMServerFQDN>:8086/api/pamresources' (e.g. http://mim.priv.lab.corp.net:8086/api/pamresources).

After replacing the values above, perform an IISReset.

Browsing to ‘http://<PAMServerFQDN>:8086/api/pamresources/pamroles/’ should now initiate a download of the pamroles.json file.

 

Establish a PAM Trust

Log on to the MIM server and run the following PowerShell commands to establish a new PAM trust with the corporate forest. When prompted, enter the credentials of a CORP forest administrator.

$ca = Get-Credential
New-PAMTrust -SourceForest "lab.corp.net" -Credentials $ca

Log on to the PRIV domain controller and run the following commands from an administrative command prompt to modify the trust settings, supplying a corporate domain admin account via the /usero and /passwordo switches. Using /passwordo:* will prompt for the password instead of leaving it in the command history. Be aware of what these switches do: /quarantine:no disables SID filtering on the trust, which is required so that the CORP forest honours the SID history carried by the PRIV shadow principals, but it also means CORP accepts any SID the PRIV forest asserts. The PRIV forest must therefore be protected at least as tightly as your CORP domain controllers.

 

netdom trust lab.corp.net /domain:priv.lab.corp.net /enablesidhistory:yes /usero:lab\adminseanmc /passwordo:<password>

netdom trust lab.corp.net /domain:priv.lab.corp.net /quarantine:no /usero:lab\adminseanmc /passwordo:<password>

netdom trust lab.corp.net /domain:priv.lab.corp.net /enablepimtrust:yes /usero:lab\adminseanmc /passwordo:<password>
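As an added example (not part of the original post), the following PowerShell verifies from the CORP side that the three netdom changes above actually took, and that the PAM optional feature from part 1 is enabled. It runs on a CORP domain controller (or any host with RSAT-AD-PowerShell). The 0x400 value is TRUST_ATTRIBUTE_PIM_TRUST, the trust attribute flag that /enablepimtrust:yes sets; the domain name is the lab value.

```powershell
# Added example: verify the PAM trust from the CORP forest.
# Run on a CORP DC with the ActiveDirectory module available.
Import-Module ActiveDirectory
$PrivDomain   = 'priv.lab.corp.net'
$PimTrustFlag = 0x400   # TRUST_ATTRIBUTE_PIM_TRUST, set by netdom /enablepimtrust:yes

$trust = Get-ADTrust -Identity $PrivDomain -Properties *

# Informational: from CORP's perspective the PAM trust is outgoing
# (CORP trusts PRIV), and New-PAMTrust creates it as a forest trust.
"Direction: $($trust.Direction)   ForestTransitive: $($trust.ForestTransitive)"

$checks = [ordered]@{
    'SID filtering quarantine disabled (/quarantine:no)' = -not $trust.SIDFilteringQuarantined
    'PIM trust flag set (/enablepimtrust:yes)'           = ($trust.TrustAttributes -band $PimTrustFlag) -ne 0
}
$checks.GetEnumerator() | ForEach-Object {
    "{0,-55} {1}" -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}

# Shadow principals in PRIV can only carry CORP SIDs if the PAM optional
# feature is enabled at forest scope in CORP (done in part 1).
(Get-ADOptionalFeature -Filter 'Name -like "Privileged Access Management Feature"').EnabledScopes
```

A FAIL on the quarantine line is the most common reason the later password-reset test still returns access denied even though the role request succeeds: the CORP DC silently strips the SID history from the PRIV user's token.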

 

Prepare an Admin Workstation

On an admin workstation, mount the MIM2016 install files and copy the “Add-ins and extensions” directory to the local machine. Run the appropriate ‘Setup.exe’ to install the MIM PAM requester cmdlets.

The only software we need to install is the ‘PAM Client’

PAMClient.png

At the next page, enter the FQDN of the PAM server.

pamclient2.png

Click ‘Finish’ on the next window and when the installer completes, reboot the workstation.

 

Delegate read access to the priv domain

On the corp domain controller, open Active Directory Users and Computers, right-click the top level of the domain and select 'Delegate Control...'.

delegate.png

On the ‘Users or Groups’ page, select the ‘Locations’ option and change to the priv domain.

delegate1.png

Delegate2.png

Add ‘priv\domain admins’ and ‘priv\mimmonitor’ to the object field then click ‘check Names’ and when prompted, enter the password for the priv domain administrator and click ‘OK’

Delegate3.png

delegate4.png

Click 'Next'. On the 'Tasks to Delegate' page, select the option to delegate the 'Read all user information' task, then click 'Next' and 'Finish' to complete the delegation.

delegate5.png

delegate6.png

Next Create a security group for auditing purposes on the CORP domain with the below PowerShell commands (The group name should be the NetBIOS name of your corporate domain followed by ‘$$$’):

Import-Module ActiveDirectory
New-ADGroup -Name 'LAB$$$' -GroupCategory Security -GroupScope DomainLocal -SamAccountName 'LAB$$$'

Start the PAM services if they are not already started

Use the below commands in an administrative command prompt on the MIM server to start the PAM services:

net start "PAM Component service"
net start "PAM Monitoring service"

Create privileged Accounts, Groups and Roles

To create privileged accounts for our admins, let's first create an account in the corp domain that we will want to add to PAM. I've created the user 'LAB\Clint.Eastwood' in my corporate domain.

priv.png

Now lets create a corresponding account in the PRIV domain for the user. Log on to the MIM server and open an administrative PowerShell (ISE) Window.

Run the below PowerShell commands to create a new PAM user and a user object in the PRIV domain to represent our CORP domain user. New-PAMUser copies the CORP account's SID into the SID history of the PRIV account, which is key to the PAM process: it is how the PRIV account is recognised by CORP resources. Below we can see both user accounts have an identical ObjectSID value.

Import-Module MIMPAM
Import-Module ActiveDirectory

# Create the PRIV shadow account; the CORP SID is carried in its SIDHistory
$PAMUser = New-PAMUser -SourceDomain lab.corp.net -SourceAccountName clint.eastwood

# Lab-only password; use a unique, strong password per account in production
$SecurePassword = ConvertTo-SecureString "Password2018" -AsPlainText -Force
Set-ADAccountPassword -Identity priv.clint.eastwood -NewPassword $SecurePassword
Set-ADUser -Identity priv.clint.eastwood -Enabled 1

priv1.png

Now let’s select an administrative group to test with. For demo purposes I have created a “Password Admins” group and delegated out password reset access to the group. Run the below PowerShell commands in the same window that we used to create the user account to add the group to PAM and to set up a new role containing the group and adding our user to the role. When prompted, enter the credentials for the admin of the CORP forest.

$credentials = Get-Credential
$PAMGroup = New-PAMGroup -SourceGroupName "Password Management" -SourceDomain lab.corp.net -SourceDC dc2019.lab.corp.net -Credentials $credentials
$PAMRole = New-PAMRole -DisplayName "LAB Password Admins Role" -Privileges $PAMGroup -Candidates $PAMUser

Elevating a user's access with PAM

Now that everything is configured and ready, lets try to request the Password Admins role.

First let's try to reset a user's password using the priv.clint.eastwood account. We can do this by opening an MMC console as priv.clint.eastwood on our corporate workstation and attempting a password reset.

To open an MMC as priv.clint.eastwood, log onto the CORP PC using the regular clint.eastwood account and run:

runas /user:Priv.clint.eastwood@priv.lab.corp.net mmc

We get an access denied error when we attempt a password reset.

access.png

Now let’s request the role we want, open a PowerShell window as priv.clint.eastwood using the run command:

runas /user:Priv.clint.eastwood@priv.lab.corp.net powershell

And then request the role as below:
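For reference, the request in the screenshot scripted end to end, as an added example that is not part of the original post. It runs in the PowerShell window opened as priv.clint.eastwood above and uses the MIMPAM module installed with the PAM client; the role display name is the one created with New-PAMRole earlier and the justification text is made up. The second half is the check most people skip: confirming the group actually landed in a token.

```powershell
# Added example: request a PAM role and verify the resulting group membership.
# Run as the PRIV shadow account (priv.clint.eastwood in this series).
Import-Module MIMPAM

$roleName = 'LAB Password Admins Role'
$role = Get-PAMRoleForRequest | Where-Object DisplayName -eq $roleName
if (-not $role) { throw "This account is not a candidate for role '$roleName'" }

# The justification is stored with the request; give the auditor something useful
$request = New-PAMRequest -Role $role -Justification 'Ticket 1234: reset locked-out user'
$request | Format-List

# Group membership is evaluated at logon, so the window this ran in still has
# the old token. Open a fresh process as the PRIV account, e.g.
#   runas /user:priv.clint.eastwood@priv.lab.corp.net "powershell -NoExit"
# and run Test-TokenGroup there.
function Test-TokenGroup {
    param([Parameter(Mandatory)][string]$GroupName)
    $groups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object {
        try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value }
    }
    $groups -contains $GroupName    # -contains is case-insensitive for strings
}

Test-TokenGroup 'priv\LAB.Password admins'
```

If Test-TokenGroup returns False in the new window while Get-PAMRequest shows the request as active, look at the PAM trust (SID filtering) and the group's TTL before suspecting the request itself.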

request.png

We can also use the PAM Sample Portal to request this role:

requestportal.png

Now the user is in the “priv\LAB.Password admins” group. Relaunch an MMC console as the user priv\priv.clint.eastwood and retry a password reset. This time our password reset is successful.

request3.png

That is the basic configuration of PAM using MIM 2016. From here we can configure approval, TTLs and customize the web portal from the Example portal template.
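As an added example of those next steps (not part of the original post), the following attaches a one-hour TTL and an approval requirement to the role created earlier, then shows the approver's side. It runs on the MIM server in the same MIMPAM session as the New-PAMRole commands. The CORP account 'pam.approver' is an assumed name; it is shadowed into PRIV the same way clint.eastwood was. Parameter names are those of the MIMPAM module's Set-PAMRole, Get-PAMRequestToApprove and Approve-PAMRequest cmdlets; check Get-Help on your build before running.

```powershell
# Added example: add a TTL and approval workflow to an existing PAM role,
# then approve pending requests. Run on the MIM server.
Import-Module MIMPAM

$role = Get-PAMRole | Where-Object DisplayName -eq 'LAB Password Admins Role'
if (-not $role) { throw 'Role not found; create it with New-PAMRole first' }

# Approvers are PAM users too, so the approver needs a PRIV shadow account.
# 'pam.approver' is an assumed CORP account for this example.
$approver = Get-PAMUser -SourceDomain lab.corp.net -SourceAccountName pam.approver
if (-not $approver) {
    $approver = New-PAMUser -SourceDomain lab.corp.net -SourceAccountName pam.approver
}

# Elevation lasts one hour, and every request waits for an approver
# instead of activating automatically as it did in the test above.
Set-PAMRole -Role $role -TTL (New-TimeSpan -Hours 1) -ApprovalEnabled $true -Approvers $approver

# Approver side: run as the approver's PRIV account. Review each pending
# request (role, justification, requester) before approving it.
Get-PAMRequestToApprove | ForEach-Object {
    $_ | Format-List
    Approve-PAMRequest -Request $_
}
```

Blindly approving everything as the loop above does is only for a lab; in practice the approver reads the justification, and Deny-PAMRequest exists for the rest.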

Setting up PAM is a lengthy process, as the past four posts show, and I found that a lot of the resources online were confusing, so I hope this series proves helpful in configuring PAM for Windows Server 2016/2019.

Implementing Privileged Access Management on Server 2016/2019: Part 3 – Deploying the MIM/PAM Server

Implementing Privileged Access Management on Server 2016/2019: Part 1 – Setting up the Privileged Domain

Implementing Privileged Access Management on Server 2016/2019: Part 2 – Installing and Configuring SharePoint Server 2016 for Microsoft identity Manager

In part three of this blog series, I will go through the steps to deploy the MIM/PAM server to host the MIM Synchronization Service and Portal.

*As I am using a lab environment I have chosen to install MIM, SQL and SharePoint on the same server but in production they would need to be planned and scaled out correctly.

 

Server Configuration

First install the required Windows features by running the following PowerShell commands:

## Install prerequisites
Import-Module ServerManager
Install-WindowsFeature Web-WebServer, Net-Framework-Features, RSAT-AD-PowerShell, Web-Mgmt-Tools, Windows-Identity-Foundation, Server-Media-Foundation, Xps-Viewer -IncludeAllSubFeature

Once the features are installed successfully, we need to define the local security policy. To do this, open the Local Security Policy console (secpol.msc) and make the following changes under Local Policies > User Rights Assignment:

Log on as a service: add priv\MIMMonitor, priv\MIMService, priv\SharePoint, priv\MIMComponent and priv\SqlServer

Deny access to this computer from the network: add priv\MIMMonitor, priv\MIMService and priv\MIMComponent

Deny log on locally: add priv\MIMMonitor, priv\MIMService and priv\MIMComponent

The two deny rights matter: the service accounts hold Domain Admin-level privilege in the PRIV forest, so they should never be usable for interactive or network logons, only to run their services.

Configure local security policy and local admins

Close the local security policy window and open “Computer Management”. Navigate to “Local Users and Groups -> Groups -> Administrators”  and add priv\MIMAdmin and priv\SharePoint as local admins on the server.
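The same user-rights and local-admin changes can be scripted, which makes them repeatable across rebuilds and reviewable in source control. The following is an added example (not part of the original post) using secedit and Add-LocalGroupMember; the account names are the lab values from part 1. The important detail is that secedit /configure replaces each listed right with exactly what the INF says, so the script first exports the current policy and merges, rather than wiping out the built-in service logon accounts.

```powershell
# Added example: apply the PAM user rights assignments and local admin
# membership with secedit instead of clicking through secpol.msc.
# Run elevated on the MIM server. Account names are the lab values.
$ServiceAccounts = 'priv\MIMMonitor','priv\MIMService','priv\SharePoint','priv\MIMComponent','priv\SqlServer'
$DenyAccounts    = 'priv\MIMMonitor','priv\MIMService','priv\MIMComponent'

$Wanted = @{
    SeServiceLogonRight         = $ServiceAccounts   # Log on as a service
    SeDenyNetworkLogonRight     = $DenyAccounts      # Deny access to this computer from the network
    SeDenyInteractiveLogonRight = $DenyAccounts      # Deny log on locally
}

$export = Join-Path $env:TEMP 'current-rights.inf'
$import = Join-Path $env:TEMP 'pam-rights.inf'

# secedit /configure REPLACES each right it sees, so merge with the existing
# assignments (e.g. NT SERVICE\ALL SERVICES) instead of overwriting them.
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
$current = @{}
Get-Content $export | ForEach-Object {
    if ($_ -match '^(Se\w+)\s*=\s*(.*)$') {
        $current[$matches[1]] = $matches[2].Split(',') | Where-Object { $_ }
    }
}

$lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[Privilege Rights]')
foreach ($right in $Wanted.Keys) {
    $merged = @($current[$right]) + $Wanted[$right] | Where-Object { $_ } | Sort-Object -Unique
    $lines += "$right = $($merged -join ',')"
}
$lines | Set-Content -Path $import -Encoding Unicode

secedit /configure /db (Join-Path $env:TEMP 'pam-rights.sdb') /cfg $import /areas USER_RIGHTS | Out-Null

# Verify by re-exporting and showing the three rights we care about
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
Get-Content $export | Select-String 'SeServiceLogonRight|SeDenyNetworkLogonRight|SeDenyInteractiveLogonRight'

# Local Administrators for the install accounts (the Computer Management step)
Add-LocalGroupMember -Group 'Administrators' -Member 'priv\MIMAdmin','priv\SharePoint'
```

Existing entries in the export appear as SIDs prefixed with an asterisk; mixing those with plain domain\account names in the same INF line is fine for secedit.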

localadmins.png

 

IIS Config

To configure IIS for Windows Authentication, run the below PowerShell commands:

iisreset /STOP

C:\Windows\System32\inetsrv\appcmd.exe unlock config /section:windowsAuthentication -commit:apphost

iisreset /START

 

Installing the Synchronization Service

Mount the MIM 2016 ISO and run the “FIMSplash.htm” page in the root folder to open the splash page.

syncservice.png

Follow through the wizard, accepting the terms and conditions and specify your SQL instance. In my lab I am using a local default SQL instance

sync1.png

Specify your MIMSync service account details

sync2.png

Update the group names to be created if you like

sync3.png

On the next page you can allow the installer to open the required firewall ports on the server for you

sync4.png

Finally click install and wait for the synchronization service to finish installing. At the end you will be prompted to save the encryption key locally. Save this key and keep it safe.

When the install completes click finish and you will be prompted to log off the server to update group membership.

sync5.png

 

Install MIM Service and Portal

After logging back on to the server, open up “FIMSplash.htm” again and this time run the “Service and Portal” installer.

portal1.png

Follow through the Wizard, accepting the license terms and opting in or out of the Customer Experience Program until you get to the Custom Setup page. At this page, select the options to install the MIM Service, Privileged Access Management and MIM Portal Roles and click next.

portal2.png

Select the SQL settings and click next. Again, in my lab I am using a local SQL instance.

portal3.png

Select a mail server to use, you can also optionally use Exchange Online or if there is no Exchange server in place enter “localhost” as the server name and deselect the top two options.

portal4.png

Create a new self-signed cert or use an existing certificate.

portal5.png

Enter the service account details for the MIMService.

portal6.png

Enter the details of the synchronization service.

portal7.png

Enter the name of the local server for the MIM Service Server Address.

portal9.png

Enter the name of the SharePoint Site Collection we created in part 2 of this blog to host the MIM Portal.

portal10.png

We are not using the Password Registration Portal so leave the next page blank.

portal11.png

Check the boxes to open the appropriate firewall ports and to allow authenticated users to access the MIM Portal site.

portal12.png

Leave the REST API Hostname blank and set the port to 8086.

portal13.png

Enter the account details of the SharePoint service account for the PAM REST API.

portal14.png

Enter the MIMComponent service account details for the PAM Component Service.

portal15.png

Enter the MIMMonitor service account details for the PAM Monitoring Service.

portal16.png

If you are using the other components on another server enter the details here, if not, click next.

portal17.png

Finally, click Install

 

When the installer finishes, reboot the system and log back on. Browse to your MIM Portal URL configured in Part 2 and you should see the MIM Portal page has been configured successfully.

portal18.png

 

Now the MIM Portal and Service are successfully installed. In the next and final post in this series, I will finalize and test the PAM configuration!

 

Implementing Privileged Access Management on Server 2016/2019: Part 2 – Installing and Configuring SharePoint Server 2016 for Microsoft identity Manager

Implementing Privileged Access Management on Server 2016/2019: Part 1 – Setting up the Privileged Domain

This is the second post in a series which goes through setting up Privileged Access Management on Server 2016/2019. In this post we will configure the SharePoint component of Microsoft Identity Manager.

*As I am using a lab environment I have chosen to install MIM, SQL and SharePoint on the same server but in production they would need to be planned and scaled out correctly.

 

Prerequisites:

  • I have installed SQL Server 2016 locally on the MIM/SharePoint server. a SQL instance will be required for both SharePoint and MIM
  • The PAM/MIM/SharePoint server should be joined to the priv domain

Installing SharePoint Server 2016

First download the SharePoint Server 2016 ISO and mount it. Open an administrative command prompt and navigate to the source files for the installation. From here run the prerequisite installer with the command:

.\prerequisiteinstaller.exe

prereqs.png

Follow the on-screen prompts to install the required prerequisites, roles and features. When this finishes, the server will restart.

Next, open an administrative command prompt and navigate to the source files again. Run the setup using the command:

.\setup.exe

Follow the on screen prompts to enter your product key and install SharePoint Server 2016 as below:

setup.exe.png

 

setup.exe2.png

When the installer finishes, you should be prompted to run the SharePoint Products Configuration Wizard.

setup.exe3.png

Follow the screenshots below to configure SharePoint 2016 and create a new farm:

configwizard1.png

Specify a service account with access to your SQL instance

configwizard3.png

For my lab I will install a single server farm

configwizard4.png

 

configwizard5.png

 

configwizard6.png

 

When the configuration wizard finishes, you will be taken to the SharePoint Central Admin Page.

CentralAdmin.png

 

Now that the farm is set up, we can configure the MIM web app and Site Collection.

Set up Web App and Site Collection

Create two AD service accounts in the priv domain named priv\MIMPool and priv\MIMInstall to use during the setup.

Also set up a DNS A record for your MIM Site Collection pointing to the SharePoint Server such as mim.priv.lab.corp.net.

 

Next, configure the MIMPool account as an SP Managed Service Account with the below commands:

*Note: in the script blocks below, the account, URL and pool names are the ones from my lab and you may need to change them to match your environment.

## Run in an elevated SharePoint Management Shell, or load the snap-in first
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

## Enter the credentials of the priv\MIMPool account
$ManagedServiceAccount = Get-Credential

## Create the SP managed account entry
New-SPManagedAccount $ManagedServiceAccount
$dbManagedAccount = Get-SPManagedAccount -Identity $ManagedServiceAccount.UserName

## Create a new web application
New-SPWebApplication -Name "MIM Portal" -ApplicationPool "MIMAppPool" -ApplicationPoolAccount $dbManagedAccount -AuthenticationMethod "Kerberos" -Port 80 -URL http://mim.priv.lab.corp.net

spwebapp.png

Create a new site for MIM with the below commands:

$t = Get-SPWebTemplate -CompatibilityLevel 15 -Identity "STS#1"
$w = Get-SPWebApplication http://mim.priv.lab.corp.net/
New-SPSite -Url $w.Url -Template $t -OwnerAlias priv\miminstall -CompatibilityLevel 15 -Name "MIM Portal"
$s = Get-SPSite $w.Url

create site.png

Run ‘$s.CompatibilityLevel’ to ensure the compatibility level of the new site is “15”

 

Disable the SP Timer Job “Health Analysis Job (Hourly, Microsoft SharePoint Foundation Timer, All Servers)” with the commands below:

$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService;

$contentService.ViewStateOnServer = $false;

$contentService.Update();

Get-SPTimerJob hourly-all-sptimerservice-health-analysis-job | disable-SPTimerJob

 

Now that the site is set up, navigate to it and log in with the MIMInstall user credentials to verify it was created as expected. If you get an error logging in, follow one of the fixes here. When you are logged in successfully, you should see an empty site as below:

login.png

site.png

Finally add the site created to the local intranet zone on the server and restart the server:

localintranet.png

We have now successfully configured SharePoint for MIM. In the following blog I will continue the MIM/PAM setup process.

Microsoft Teams Meeting Settings

This week Microsoft are rolling out the Meeting Settings configuration to the Microsoft Teams & Skype for Business Admin Center in Office 365! This configuration page allows admins to define Teams meeting settings such as email invitation URLs and network/QoS configuration. This lets us very easily mark real-time media packets for QoS natively, rather than relying purely on port-based network configuration. We can also define the port ranges which will be used for the different media types.

View the Microsoft Teams & Skype for business Admin Center  at https://admin.teams.microsoft.com

Teams Meeting Options.png

Implementing Privileged Access Management on Server 2016/2019: Part 1 – Setting up the Privileged Domain

In many companies, users with admin accounts for different services are trusted to only use their admin privileges when there is a requirement that needs to be met. We rely on logging to track changes and many companies very rarely review logs until an issue is discovered elsewhere. As IT Admins, we get stuck between giving our staff the access to let them carry out their job and enforcing governance and change control procedures.

Privileged Access Management (PAM) is an often overlooked technology which allows us to apply that level of governance, while not creating overly complex and drawn out processes that prevent our staff from carrying out their job effectively. This is accomplished by applying a ‘Just In time’ access model. For example, when a member of the helpdesk needs to perform a password reset, they can request this access for the required amount of time, providing justification for the request. This can then be approved automatically, or follow a simple predefined approval process.

PAM is a part of Microsoft Identity Manager (MIM) 2016 and, starting with Windows Server 2016, it becomes even easier to implement. This blog is part one of my "Implementing Privileged Access Management on Server 2016/2019" series. Here I will step through how to prepare for a MIM installation, create the privileged AD DS forest required and prepare the corporate domain.

 

Server Requirements:

  • An existing corporate domain of functional level 2016
  • One Windows Server 2016 Server to host the MIM application
  • One Windows Server 2016 Server to host the privileged domain

Note: MIM 2016 can be licensed through Office 365 EMS licensing, so if you have implemented Privileged Identity Management in Office 365, you can extend that model to your on-premises environment.

 

Configuring the Corporate Domain

For this blog I have created a lab domain called lab.corp.net. I will use this existing domain and prepare it for the PAM implementation.

First log on to your corporate domain controller(s). For PAM to work we need to enable RPC access to the SAM database over TCP, which the SID history operations depend on. On the corporate DC, open an administrative PowerShell window and run the below command to add the registry value that enables this:

New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name TcpipClientSupport -PropertyType DWORD -Value 1

 

Next we need to enable the AD optional feature for PAM if it is not already enabled. In the same window as above, enter the below commands to enable the feature. Note that, like the AD Recycle Bin, this feature cannot be disabled once enabled, and it requires the corporate forest to be at the Windows Server 2016 forest functional level.

Import-Module ActiveDirectory
Enable-ADOptionalFeature "Privileged Access Management Feature" -Scope ForestOrConfigurationSet -Target lab.corp.net

Now we configure the auditing policies in the Default Domain Controller GPO. Make the below additions to the policy:

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit account Management

Audit account management policy

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit directory Service access

Audit Directory Service access

That’s all the configuration for our corporate domain, next we will create and configure the privileged domain.

Configuring the Privileged Domain

Create a new Windows Server 2016 server with the Desktop Experience. Log on to the server and, as before, enable RPC access to the SAM database with the below command:

New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name TcpipClientSupport -PropertyType DWORD -Value 1

Now let’s install the new domain. First we add the server manager module and install the AD-DS and DNS roles

# Install AD DS and DNS features
Import-Module ServerManager
Install-WindowsFeature AD-Domain-Services, DNS -Restart -IncludeAllSubFeature -IncludeManagementTools

After the Server restarts, we create our priv forest with the below commands. We are creating a delegation on DNS to our corporate domain, when prompted for credentials, enter your corporate domain credentials.

# Create the PRIV forest (DomainMode/ForestMode 7 = Windows Server 2016).
# You will also be prompted for the Directory Services Restore Mode password.
$ca = Get-Credential
Install-ADDSForest -DomainMode 7 -ForestMode 7 -DomainName priv.lab.corp.net -DomainNetbiosName priv -Force -CreateDnsDelegation -DnsDelegationCredential $ca

Build Priv forest

 

Next we create the required service accounts and add the two that MIM needs as Domain Admins in the priv forest (SharePoint and MIMService). The shared lab password below is a placeholder only: change every password after creation, keep track of them, and outside a lab give each account its own strong secret.

Import-Module ActiveDirectory

# Lab placeholder: every account gets this initial password and it must be changed afterwards
$sp = ConvertTo-SecureString "Password01" -AsPlainText -Force

# One account per MIM component, each enabled with a non-expiring password
foreach ($name in 'MIMMA','MIMMonitor','MIMComponent','MIMSync','MIMService','SharePoint','SqlServer','BackupAdmin','MIMAdmin') {
    New-ADUser -Name $name -SamAccountName $name -DisplayName $name -AccountPassword $sp -Enabled $true -PasswordNeverExpires $true
}

# MIM requires these two accounts to be Domain Admins in the PRIV forest
Add-ADGroupMember "Domain Admins" SharePoint

Add-ADGroupMember "Domain Admins" MIMService

 

Now that our users are created, we configure the auditing and security policies on the Priv domain through Group Policy.

Add the below policies on the Default Domain Controllers Policy, with Success and Failure enabled for both audit settings:

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit Account Management

Audit account management policy

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit Directory Service Access

Audit Directory Service access

Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy > Maximum lifetime for user ticket

Maximum kerberos ticket

A short ticket lifetime matters for PAM: group memberships are stamped into a Kerberos ticket when it is issued, so a ticket obtained while a time-limited privileged membership was active keeps granting that access until the ticket expires. The MIM PAM guidance sets this to 1 hour. When you change the value, Windows proposes matching changes to the related Kerberos settings in a "Suggested Value Changes" popup; click OK to accept them.

Maximum kerberos ticket popup

 

 

Next we configure the Default Domain Policy to restrict our service accounts as below. These accounts only need to run their services, so denying batch and Remote Desktop logons limits what an attacker can do with them if their credentials are ever exposed:

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User rights assignment > Deny log on as a batch job

Add: priv\mimcomponent; priv\mimmonitor; priv\mimservice

Deny log on as a batch job

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User rights assignment > Deny log on through Remote Desktop Services

Add: priv\mimcomponent; priv\mimmonitor; priv\mimservice

Deny log on as a rds

 

Now that our logging and security policies are done, we create a conditional forwarder so the DNS server in our Priv domain can resolve names in the Corp domain. Replace 10.0.0.4 with the DNS server(s) in your Corp domain:

Add-DnsServerConditionalForwarderZone -Name "lab.corp.net" -MasterServers 10.0.0.4

add-dnsforwarder

 

Add the Service Principal Names for the SharePoint and MIM Service accounts. pamsrv is the host name of the PAM server (replace it with your own). setspn -S checks the forest for an existing duplicate before adding each SPN, which is what we want: a duplicate SPN silently breaks Kerberos authentication to the service.

setspn -S http/pamsrv.priv.lab.corp.net PRIV\SharePoint

setspn -S http/pamsrv PRIV\SharePoint

setspn -S FIMService/pamsrv.priv.lab.corp.net PRIV\MIMService

setspn -S FIMService/pamsrv PRIV\MIMService

 

The next step is to delegate control in AD Users and Computers to our service accounts. In ADUC right click your domain and click 'Delegate Control'.

1

In the Delegation of Control Wizard, add the users MIMComponent, MIMMonitor and MIMService.

2

Select 'Create, delete, and manage user accounts' and 'Modify the membership of a group', then click Next and Finish.

create,delete and manage

 

Run the delegation wizard again and select the MIMAdmin user. Select the option to 'Create a custom task to delegate'.

3

Select to delegate 'This folder, existing objects in this folder, and creation of new objects in this folder'.

4

In the 'General' section, select the following permissions and then click Next and Finish. 'Migrate SID History' is the control access right that lets MIMAdmin populate sIDHistory on the groups MIM creates in the priv forest, which is how a corp group's SID ends up in the tickets of the users MIM elevates:

  • Read
  • Write
  • Create all Child Objects
  • Delete all Child Objects
  • Read All Properties
  • Write All Properties
  • Migrate SID History

 

5

Delegate once more to MIMAdmin, creating a custom task to delegate as before and this time select ‘Only the following objects in the folder’ and tick ‘User Objects’ and click next.

6

Grant the ‘Change Password’ and ‘Reset Password’ Rights.

7

Next we need to grant permissions to MIMService and to the MIM admins on the container "Configuration > Services > Shadow Principal Configuration", where MIM will create the shadow principals. Do this by opening ADSI Edit, connecting to the Configuration naming context, navigating to the container and, from its right-click menu, setting Write, Create all child objects and Delete all child objects permissions for MIMService and any other MIM admins.

ADSI

adsi2

The final step is to add the MIMService and MIMComponent accounts to the ACL of the AdminSDHolder object, so they can update the membership of protected admin groups (SDProp periodically re-stamps the AdminSDHolder ACL onto protected groups, which is why delegating on the groups themselves is not enough), and to let MIMAdmin create and update authentication policies and silos. The dsacls rights strings take the form rights;object-type;inherited-object-type: RPWPRCWD;;msDS-AuthNPolicy with /i:s grants Read Property, Write Property, Read Control and Write DAC on existing and future msDS-AuthNPolicy objects under the container, CCDC;msDS-AuthNPolicy grants Create Child and Delete Child for objects of that class, and WP;"member" is write access to the member attribute only. To apply them, open an admin command prompt and run the below commands (replace the domain components to match your own). When finished, restart both the Corp DC and the Priv DC.

dsacls "CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=priv,DC=lab,DC=corp,DC=net" /g mimadmin:RPWPRCWD;;msDS-AuthNPolicy /i:s

dsacls "CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=priv,DC=lab,DC=corp,DC=net" /g mimadmin:CCDC;msDS-AuthNPolicy

dsacls "CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=priv,DC=lab,DC=corp,DC=net" /g mimadmin:RPWPRCWD;;msDS-AuthNPolicySilo /i:s

dsacls "CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=priv,DC=lab,DC=corp,DC=net" /g mimadmin:CCDC;msDS-AuthNPolicySilo

dsacls "CN=AdminSDHolder,CN=System,DC=priv,DC=lab,DC=corp,DC=net" /G priv\mimservice:WP;"member"

dsacls "CN=AdminSDHolder,CN=System,DC=priv,DC=lab,DC=corp,DC=net" /G priv\mimcomponent:WP;"member"
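Before moving on to the MIM install it is worth confirming that everything done in this section actually landed, since a missing SPN or ACL only shows up later as an opaque MIM error. The script below is an added example, not part of the original post or of MIM: run on the PRIV DC, it re-checks the registry value, functional levels, service accounts, conditional forwarder, SPNs, the AdminSDHolder and shadow principal container grants, and the Migrate SID History right from the delegation wizard. The names priv.lab.corp.net, lab.corp.net and pamsrv come from this post; the function and parameter names are my own, and the Deny-logon GPO settings are not checked.

```powershell
# Added example, not from the original post: verify the PRIV domain configuration built above.
# Run on the PRIV DC as a domain admin (ActiveDirectory and DnsServer modules present).
Import-Module ActiveDirectory, DnsServer

function Test-PrivDomainConfig {
    param([string]$CorpZone = 'lab.corp.net', [string]$PamHost = 'pamsrv')   # values from this post

    $checks = [System.Collections.Generic.List[object]]::new()
    function Add-Check($name, $ok, $detail) {
        $checks.Add([pscustomobject]@{ Check = $name; Pass = [bool]$ok; Detail = "$detail" })
    }
    $adr      = [System.DirectoryServices.ActiveDirectoryRights]
    $rootDse  = Get-ADRootDSE
    $domainDN = (Get-ADDomain).DistinguishedName
    $configNC = $rootDse.configurationNamingContext

    # SAM RPC over TCP, needed for the SID history migration MIM performs
    $tcp = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue).TcpipClientSupport
    Add-Check 'Lsa\TcpipClientSupport = 1' ($tcp -eq 1) $tcp

    # Forest and domain were built at mode 7 (Windows Server 2016)
    Add-Check 'Forest mode Windows2016Forest' ((Get-ADForest).ForestMode -eq 'Windows2016Forest') (Get-ADForest).ForestMode
    Add-Check 'Domain mode Windows2016Domain' ((Get-ADDomain).DomainMode -eq 'Windows2016Domain') (Get-ADDomain).DomainMode

    # Service accounts exist; SharePoint and MIMService are the ones that must be Domain Admins
    $accounts = 'MIMMA','MIMMonitor','MIMComponent','MIMSync','MIMService','SharePoint','SqlServer','BackupAdmin','MIMAdmin'
    $missing  = $accounts | Where-Object { -not (Get-ADUser -Filter "sAMAccountName -eq '$_'") }
    Add-Check 'All nine service accounts exist' (-not $missing) ($missing -join ',')
    $das       = (Get-ADGroupMember 'Domain Admins').SamAccountName
    $daMissing = 'SharePoint','MIMService' | Where-Object { $das -notcontains $_ }
    Add-Check 'SharePoint and MIMService in Domain Admins' (-not $daMissing) ($daMissing -join ',')

    # Conditional forwarder so PRIV can resolve CORP names
    $fwd = Get-DnsServerZone -Name $CorpZone -ErrorAction SilentlyContinue
    Add-Check "Conditional forwarder for $CorpZone" ($fwd.ZoneType -eq 'Forwarder') ($fwd.MasterServers -join ',')

    # SPNs registered with setspn -S
    $spSpn  = (Get-ADUser SharePoint -Properties servicePrincipalName).servicePrincipalName
    $svcSpn = (Get-ADUser MIMService -Properties servicePrincipalName).servicePrincipalName
    Add-Check 'http SPNs on SharePoint'       ($spSpn  -contains "http/$PamHost")       ($spSpn  -join ' ')
    Add-Check 'FIMService SPNs on MIMService' ($svcSpn -contains "FIMService/$PamHost") ($svcSpn -join ' ')

    # AdminSDHolder: write access to 'member' for MIMService and MIMComponent (the dsacls WP;member grants).
    # The attribute GUID is looked up in the schema rather than hard-coded.
    $memberAttr = Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(lDAPDisplayName=member)' -Properties schemaIDGUID
    $memberGuid = [guid]::new([byte[]]$memberAttr.schemaIDGUID)
    $sdh = Get-Acl "AD:\CN=AdminSDHolder,CN=System,$domainDN"
    foreach ($acct in 'MIMService','MIMComponent') {
        $ace = $sdh.Access | Where-Object {
            $_.IdentityReference -like "*\$acct" -and $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $adr::WriteProperty) -and
            ($_.ObjectType -eq $memberGuid -or $_.ObjectType -eq [guid]::Empty)   # member, or all properties
        }
        Add-Check "AdminSDHolder member write for $acct" $ace ($ace.ActiveDirectoryRights -join ',')
    }

    # Shadow Principal Configuration container: MIMService can create and delete child objects
    $spc = Get-Acl "AD:\CN=Shadow Principal Configuration,CN=Services,$configNC"
    $spcAce = $spc.Access | Where-Object {
        $_.IdentityReference -like '*\MIMService' -and $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $adr::CreateChild) -and ($_.ActiveDirectoryRights -band $adr::DeleteChild)
    }
    Add-Check 'Shadow principal container: MIMService create/delete child' $spcAce ($spcAce.ActiveDirectoryRights -join ',')

    # Migrate SID History control access right for MIMAdmin on the domain root (from the delegation wizard)
    $right  = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter '(displayName=Migrate SID History)' -Properties rightsGuid
    $sidAce = (Get-Acl "AD:\$domainDN").Access | Where-Object {
        $_.IdentityReference -like '*\MIMAdmin' -and $_.ObjectType -eq [guid]$right.rightsGuid -and
        ($_.ActiveDirectoryRights -band $adr::ExtendedRight)
    }
    Add-Check 'MIMAdmin: Migrate SID History' $sidAce ''

    return $checks
}

Test-PrivDomainConfig | Format-Table -AutoSize
```

Run it after the DC reboot that closes this section; any row with Pass = False points at the step above that needs repeating, and the Detail column shows what was actually found so an SPN typo or a grant made on the wrong object is visible immediately.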

 

Now our Priv DC is finally configured! That’s the end of this part of the blog series. In the next post, I will go through installing and Configuring MIM for PAM.

Install Exchange Server 2019 (Preview) on Windows Server 2016 Core

One of the interesting features of Exchange Server 2019 is the ability to install it on Windows Server Core. This brings all the security and performance benefits of running Server Core to Exchange Deployments. In this post, I will go through the installation steps for Exchange Server 2019 on Windows Server 2016 Core.

 

Required Downloads:

First we copy our Exchange 2019 ISO and Prereqs folder to our target core server. We can do this through file explorer on another server or by using the ‘Copy-Item’ PowerShell command.

21

Next, install the minimum prerequisite roles onto the target server. The full list of required roles can be added automatically as part of the installation process; the minimum we need before that are Windows Server Media Foundation and the Remote Server Administration Tools for Active Directory Domain Services.

Install-WindowsFeature Server-Media-Foundation, RSAT-ADDS

Now we install the prerequisite software listed above in the ‘Required Downloads’ section.

Microsoft .NET Framework 4.7.1 for Windows 10 Version 1607 and Windows Server 2016 for x64 (KB4033393):

3


4

So far the install is very similar to past Exchange installs; however, we would usually download and install the Unified Communications Managed API 4.0 Runtime separately. As the downloadable UCMA 4.0 installer depends on DLL files that do not ship with Windows Server Core, we do not use it. Instead we use the installer provided in the \UCMARedist folder of the Exchange 2019 install media.

First lets use the ‘Mount-DiskImage’ command to mount our Exchange install media.

5

 

Now let's change to the \UCMARedist\ directory in the install media and run 'Setup.exe'.

6

With all the prerequisites installed, we can begin the Exchange Server installation. This is the first Exchange 2019 server in the organization, so we need to extend the schema using the /PS or /PrepareSchema switch of Setup.exe in the root of the installation media. The account running this must be a member of Schema Admins and Enterprise Admins, and the extension is permanent, so run it once, from a machine in the same AD site as the schema master.

.\Setup.Exe /IAcceptExchangeServerLicenseTerms /ps

7

 

Once the Schema is Extended we will prepare AD and define the Organization name.

.\Setup.Exe /IAcceptExchangeServerLicenseTerms /preparead /organizationname:exchangelab

8

 

Finally, we can run the full Exchange Server 2019 Setup and specify we would like to install the required Windows components during setup.

.\Setup.exe /mode:install /IAcceptExchangeServerLicenseTerms /roles:m /InstallWindowsComponents

9

Once the installation completes and the server reboots, log on to the server and open the Exchange Management Shell using the ‘LaunchEMS’ command to begin configuring your new Exchange Environment.

11.png
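Because Setup on Server Core fails late and loudly when a prerequisite is missing, it helps to check them all before touching the schema. The script below is an added example, not part of the original post or of Exchange: it checks the .NET release value, the two roles installed above, the UCMA 4.0 runtime, the group memberships /PrepareSchema and /PrepareAD need, and that the mounted media contains Setup.exe and the UCMARedist installer. The ISO path and the function name are my own assumptions.

```powershell
# Added example, not from the original post: pre-flight checks before running Exchange 2019 Setup
# on Windows Server 2016 Core. The ISO path is an assumption; point it at your copied media.
function Test-ExchangeSetupPrereqs {
    param([string]$IsoPath = 'C:\Exchange\ExchangeServer2019-Preview.iso')   # assumed location

    $checks = [System.Collections.Generic.List[object]]::new()
    function Add-Check($name, $ok, $detail) {
        $checks.Add([pscustomobject]@{ Check = $name; Pass = [bool]$ok; Detail = "$detail" })
    }

    # .NET 4.7.1 registers Release 461310 on Windows Server 2016 (461308 is the Windows 10 1709 build)
    $release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
    Add-Check '.NET Framework 4.7.1 or later' ($release -ge 461310) "Release=$release"

    # The two roles installed by hand; Setup adds the rest with /InstallWindowsComponents
    foreach ($feat in 'Server-Media-Foundation', 'RSAT-ADDS') {
        $state = (Get-WindowsFeature -Name $feat).InstallState
        Add-Check "Feature $feat" ($state -eq 'Installed') $state
    }

    # UCMA 4.0 from \UCMARedist on the media registers a normal uninstall entry
    $ucma = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
            Where-Object DisplayName -like 'Microsoft Unified Communications Managed API 4.0*'
    Add-Check 'UCMA 4.0 runtime' $ucma ($ucma.DisplayName -join ', ')

    # /PrepareSchema and /PrepareAD need Schema Admins and Enterprise Admins in the current token
    # (membership added after logon is not in the token until you log on again)
    $groups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object {
        try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    }
    foreach ($g in 'Schema Admins', 'Enterprise Admins') {
        Add-Check "Token holds $g" ($groups -match "\\$g$") ''
    }

    # Media reachable: mount the ISO and confirm Setup.exe and the UCMA installer are present
    $vol  = Mount-DiskImage -ImagePath $IsoPath -PassThru | Get-Volume
    $root = "$($vol.DriveLetter):"
    Add-Check 'Setup.exe on media'            (Test-Path "$root\Setup.exe")            $root
    Add-Check 'UCMARedist\Setup.exe on media' (Test-Path "$root\UCMARedist\Setup.exe") $root

    return $checks
}

# Usage: stop before touching the schema if anything fails
$result = Test-ExchangeSetupPrereqs
$result | Format-Table -AutoSize
if ($result.Pass -contains $false) { Write-Warning 'Fix the failed checks before running Setup.exe /PrepareSchema' }
```

The group check reads the logon token rather than querying AD on purpose: being added to Schema Admins after you logged on is the most common reason /PrepareSchema fails with an access denied even though ADUC shows the membership.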

 

 

Exchange Server 2019 Preview

Last week Microsoft announced the release of Exchange Server 2019 – Preview. This is the first version of Exchange to be compatible with Windows Server Core. Other new features include a revamped search service leveraging Bing search and improvements to the Exchange Online Hybrid functionality along with further performance optimizations to the database engine. Updates to the Outlook web client will also bring the user experience more in line with the current Exchange Online offering.

The Preview is available to download here and I will be posting an install demo here in the next couple of days.