Monthly Archives: April 2014

Mystery with ADFS and GMSA.

One great thing about ADFS 3.0 is that it supports Group Managed Service Accounts (GMSA), which makes managing service accounts easier and more secure.

But when I installed a new ADFS farm at a customer I ran into some trouble. I have been able to reproduce it in one of my lab environments and wanted to share the story.

We had created a KDS Root key a couple of days before and gave it time to replicate. And then we installed the first ADFS server in the farm and all worked well using the GMSA account that was created during the setup.

But when we installed the next ADFS server we got some problems using the GMSA account. Actually, I got a couple of errors:

There were no SPNs set on the following service account ‘LABB\adfs$’. Specify the service account used to configure the other Federation Servers in the farm, or set host SPN for the farm on the service account.

The user name or password is incorrect

Unable to determine the Service SPN. There were no SPNs set on the following service account ‘LABB\adfs$’. Specify the service account used to configure the other Federation Servers in the farm, or set host SPN for the farm on the service account.

Unable to retrieve configuration from the primary server. The user name or password is incorrect

rodcprep DNS application partition error.

Got some errors when I tried to run adprep /rodcprep, stating that adprep could not contact a replica for the NDNCs DomainDnsZones and ForestDnsZones.

Adprep could not contact a replica for partition DC=DomainDnsZones,DC=corp,DC=secid,DC=se
Adprep failed the operation on partition DC=DomainDnsZones,DC=corp,DC=secid,DC=se Skipping to next partition.

Adprep failed the operation on partition DC=ForestDnsZones,DC=corp,DC=secid,DC=se Skipping to next partition.
Adprep completed with errors. Not all partitions are updated.

In my case it was because a Domain Controller had recently crashed and they were forced to do a metadata cleanup and seize the FSMO roles to a new DC.

IdFix

This is a great tool that was released a couple of months ago. It could be a good idea to run IdFix at the start of the project to find and eliminate possible problems as early as possible.

http://www.microsoft.com/en-us/download/details.aspx?id=36832

IdFix is used to perform discovery and remediation of identity objects and their attributes in an on-premises Active Directory environment in preparation for migration to Office 365. IdFix is intended for the Active Directory administrators responsible for DirSync with the Office 365 service.

AD Remote Management.

Got a question a couple of days ago about how to install the Active Directory PowerShell module on a machine that doesn’t have the ADDS role. That’s pretty basic, but in some cases there are better options, so I decided to write a post.

I will start with a short walkthrough of installing RSAT and then go into PowerShell Remoting.

AdminSDHolder – pitfalls and misunderstandings

By default, Active Directory creates a set of high-privileged accounts and groups when you create your domain. They are often called protected groups/users.

From the beginning, in Windows 2000 Server, there were four protected groups:

Administrators
Domain Admins
Enterprise Admins
Schema Admins

In Windows 2000 SP4 and Windows Server 2003 they added a number of groups and two user accounts:

Administrator
Krbtgt
Backup Operators
Cert Publishers (removed in Windows 2003 Server SP1)
Domain Controllers
Print Operators
Replicator
Server Operators
Account Operators

And in Windows Server 2008 they added:

Read-Only Domain Controllers

And one last thing: a hotfix for Windows 2000/2003 Server added the ability to exclude a few groups from being protected groups:

Account Operators
Server Operators
Print Operators
Backup Operators

This is done with the help of a flag in the dSHeuristics attribute.

http://support.microsoft.com/?id=817433

So, what is special to know about protected groups, apart from the fact that they have high privileges and that most of them should almost never be used?

Those who have a delegated Organizational Unit structure may have noticed that every hour the delegated rights disappear for some of the admins, which creates a headache. This is what this post is all about: the AdminSDHolder, SDProp and adminCount misunderstandings.

Fileservers and UAC

This is an old one but still I see it everywhere on fileservers.

When you’re about to modify an ACL on a folder or share, do you recognize this picture:

[image: aclrights]

On Windows Vista/Windows Server 2008 and later you probably also recognize this picture:

[image: donthavepermissions]

Well, of course I want access permanently, I’m one of the file share admins.

Click Continue!

Well, that’s one of the reasons why your Security tab is bloated and, over time, can become quite big and contain a lot of unknown accounts.

Let’s break this down…


ACL, DACL, SACL and the ACE

In this post I will try to describe what an ACL and all of its components are and how they are used.

In Windows you can delegate access to different kinds of securable objects. A securable object has a Security Descriptor (SD). The SD controls access to the object: it contains information about the owner, what is to be audited, and who is granted access in what way. It contains the actual ACL, which sets the security permissions. In Active Directory, all objects have a Security Descriptor.

Security Principal and the SID

Hello me, and others that might stumble over this someday. This is a short description of Security Principals and their SIDs.

In Windows we work with Security Principals. A Security Principal is a user, group, computer or service that is stored as an object in Active Directory for central management, or in the computer’s local Security Account Manager (SAM) database.