Mentoring, the step I needed in my career

Mentoring

As a consultant, trainer, blogger and author, I feel it’s my responsibility to help people who are ambitious like I am. It’s mutually beneficial to help people to achieve more, as it helps me identify the steps I didn’t take, the shortcuts I took, the views I lacked and any privileges I enjoyed.

At a certain point in my career, I acknowledged that the most effective way for me to learn more, was to teach more. I became a Microsoft-certified trainer (MCT) and have taught courses to various groups of people throughout the years, including colleagues, people at customers and people from the competition. It helped me improve my understanding, as different ways of consuming knowledge resulted in different questions that had me thinking of the products, technologies and strategies differently, too. It increases the value of my career.

Fifteen years ago, in a tactical role, I started mentoring people.

 

Dave Stork

I guess you all remember Dave Stork (or his alter ego, Steve Dork). He attended one of my trainings on Microsoft Exchange 2003 and just couldn’t get a passing grade for the exam. While training another group of colleagues, I asked him to set up Exchange Server, and then I tore it down in several ways, including opening the Exchange database with Notepad and replacing several characters halfway with my name, then saving it and rebooting the box. He passed his third time around.

Jokingly, I started referring to Dave as ‘the colleague with the most experience in the Microsoft Exchange Server exam’. It prompted his Exchange Server Pro career: he started blogging here, became a Microsoft MVP on July 1st, 2014 and published a book.

I’ve moved on to different employers since then.

Barbara Forbes

Some time ago, I was contacted by another one of my former colleagues: Barbara Forbes. Barbara was part of an earlier training course I ran to make people pass the Microsoft Certified Systems Administrator (MCSA) exams. She reached a tipping point in her career as a consultant and trainer and wanted to achieve more.

We onboarded her to SCCT a year ago, where I started pushing her outside of her comfort zone every now and then. She started blogging. She started presenting. She was awarded Microsoft MVP on March 1st, 2020.

I deliberately didn’t nominate Barbara for the MVP award, as I feel it affects my personal integrity. Instead, many others nominated and re-nominated her for the MVP award. She has earned it, although it was never our end goal to get this award; it’s a means to get the feedback we all need to improve further and to increase the value of our careers.

To me, mentoring is about building a safe environment to step out of comfort zones, building a consistent flow of positive experiences and honest feedback. I started mentoring not knowing how to do it, and sometimes I still feel I have no theoretical clue. Perhaps following my gut instincts while mentoring makes it worthwhile for everybody.

Early in my career I was mentored by Thijs ‘ebbo’ Ebbers and Matthijs ‘kers’ Kerssemakers. When I needed kicks in the butt, I got them from Eward Driehuis.

John Craddock, Andy Malone, Brian Svidergol, Deji Akomolafe and other people I looked up to as my heroes are good friends now, with whom I can have in-depth discussions. These days, Raymond Comvalius, Carlo ‘knabbel’ Schaeffer, Harro ‘babbel’ Borghardt, and Bas Arkesteijn are my go-to people for inspiration and feedback.


The recording and slides of the Active Directory Best Practices webinar are now available

Veeam Active Directory Best Practices

Last week, I presented two webinars with Veeam’s Andrey Zhelezko, technical product analyst at Veeam Software, on Active Directory Best Practices in terms of administration and disaster recovery.

With 1849 and 2217 registered attendees for the European and North American webinar, respectively, these GoToWebinar sessions were solid Active Directory knowledge transfer successes.

The recording and slides of this webinar are now available here.
The duration of the recording is 1:03:15.

Microsoft Active Directory is the basis for every Microsoft‑oriented networking environment. However, it’s not always a solid basis. With thousands of network environments under their belts, Sander Berkouwer (Microsoft MVP) and Veeam’s Andrey Zhelezko know their Active Directory.

This webinar included the following best practices:

  • Protecting and (automatically) expiring passwords
  • Leveraging the Protected Users group and other protections
  • Using the Active Directory Recycle Bin
  • Putting Veeam Backup & Replication™ to good use

After watching this webinar, you’ll know about the nitty-gritty details of the security features added to Active Directory in the past years, the exact line where the Active Directory Recycle Bin stops and how Veeam provides better backups and restores.


On-premises Identity updates & fixes for February 2020

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates. These are the updates and fixes we saw for February 2020:

Windows Server 2016

We observed the following updates for Windows Server 2016:

KB4537764 February 11, 2020

The February 11 update for Windows Server 2016 (KB4537764), updating the OS build number to 14393.3504 is a security update.

It addresses an Active Directory Elevation of Privilege vulnerability (CVE-2020-0665), reported by Dirk-Jan Mollema. The discovered vulnerability exists in the way Active Directory handles information for domains in a transitively trusted forest. To exploit this vulnerability, an attacker would first need to compromise a transitively trusted Active Directory forest. An attacker who successfully exploited this vulnerability could obtain administrative rights on a computer in a domain which trusts the Active Directory forest under the attacker’s control. This update addresses the vulnerability by correcting how Active Directory handles information for domains in transitively trusted forests.

This update also contains a fix for a Windows Hyper-V Denial of Service Vulnerability (CVE-2020-0661). From within a virtual machine, an attacker with a privileged account on that guest operating system, could run a specially crafted application that causes a Hyper-V host to crash. As many Domain Controllers run virtually, this could possibly take down the entire networking environment.

 

KB4537806 February 25, 2020

The February 25 update for Windows Server 2016 (KB4537806), updating the OS build number to 14393.3542 is a quality update. It includes the following identity-related improvements:

  • It addresses an issue that generates an “unknown username or bad password” error when attempting to sign in. This occurs in an environment that has a Windows Server 2003-based Domain Controller and a Windows Server 2016 or later Domain Controller.
  • It addresses an issue that causes Transport Layer Security (TLS) sessions to fail with the error, “The request was aborted: Could not create SSL/TLS secure Channel.”
  • It addresses an issue that prevents the Network Policy Server (NPS) accounting feature from functioning. This occurs when NPS is configured to use SQL for accounting with the new OLE (compound document) database driver (MSOLEDBSQL.dll) after switching to TLS 1.2.
  • It addresses an issue that causes Security Assertion Markup Language (SAML) errors and loss of access to third-party apps for users who do not have multi-factor authentication (MFA) enabled.
  • It addresses an issue that intermittently generates Online Certificate Status Protocol (OCSP) Responder audit events (Event ID 5125) to indicate that a request was submitted to the OCSP Responder Service. However, there is no reference to the serial number or the domain name (DN) of the issuer of the request.
  • It addresses an issue with certificate validation that causes Internet Explorer mode in Microsoft Edge to fail.

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB4532619 February 11, 2020

The February 11 update for Windows Server 2019 (KB4532619), updating the OS build number to 17763.1039 is a security update.

It addresses an Active Directory Elevation of Privilege vulnerability (CVE-2020-0665), reported by Dirk-Jan Mollema. The discovered vulnerability exists in the way Active Directory handles information for domains in a transitively trusted forest. To exploit this vulnerability, an attacker would first need to compromise a transitively trusted Active Directory forest. An attacker who successfully exploited this vulnerability could obtain administrative rights on a computer in a domain which trusts the Active Directory forest under the attacker’s control. This update addresses the vulnerability by correcting how Active Directory handles information for domains in transitively trusted forests.

This update also contains a fix for a Windows Hyper-V Denial of Service Vulnerability (CVE-2020-0661). From within a virtual machine, an attacker with a privileged account on that guest operating system, could run a specially crafted application that causes a Hyper-V host to crash. As many Domain Controllers run virtually, this could possibly take down the entire networking environment.

KB4537818 February 25, 2020

The February 25 update for Windows Server 2019 (KB4537818), updating the OS build number to 17763.1075 is a quality update. It includes the following identity-related improvements:

  • It improves the accuracy of Windows Hello face authentication.
  • It addresses an issue that generates an “unknown username or bad password” error when attempting to sign in. This occurs in an environment that has a Windows Server 2003-based Domain Controller and a Windows Server 2016 or later Domain Controller.
  • It addresses an issue with sign-in scripts that fail to run when a user signs in or signs out.
  • It addresses an issue that might cause DirectAccess servers to use a large amount of non-paged pool memory (pooltag: NDnd).
  • It addresses an issue that prevents you from removing some local users from local built-in groups. For example, you cannot remove “Guest” from the “Guests” local group.
  • It addresses an issue that causes the Local Security Authority Subsystem Service (LSASS) to stop working and triggers a restart of the system. This issue occurs when invalid restart data is sent with a non-critical paged search control.
  • It addresses an issue that causes queries against large keys on Ntds.dit to fail with the error, “MAPI_E_NOT_ENOUGH_RESOURCES.” This issue might cause users to see limited meeting room availability because the Exchange Messaging Application Programming Interface (MAPI) cannot allocate additional memory for the meeting requests.
  • It addresses an issue that intermittently generates Online Certificate Status Protocol (OCSP) Responder audit events (Event ID 5125) to indicate that a request was submitted to the OCSP Responder Service. However, there is no reference to the serial number or the domain name (DN) of the issuer of the request.
  • It addresses an issue with certificate validation that causes Internet Explorer mode in Microsoft Edge to fail.
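As an added check that is not part of the original post: the following PowerShell reports whether each Domain Controller in the current domain carries at least the February 11, 2020 security update builds named above (14393.3504 for Windows Server 2016, 17763.1039 for Windows Server 2019). It assumes the ActiveDirectory module and WinRM access to every Domain Controller.

```powershell
# Added example (not the post's own code): verify Domain Controllers run at least the
# February 11, 2020 security update builds for Windows Server 2016 and 2019.
Import-Module ActiveDirectory

# Minimum UBR per OS build after KB4537764 (2016) and KB4532619 (2019), taken from the post
$MinimumUbr = @{
    '14393' = 3504   # Windows Server 2016 -> 14393.3504
    '17763' = 1039   # Windows Server 2019 -> 17763.1039
}

function Get-DcPatchState {
    param([Parameter(Mandatory)][string]$ComputerName)

    # CurrentBuildNumber and UBR together form the build the post quotes (e.g. 14393.3504)
    $version = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' |
            Select-Object -Property CurrentBuildNumber, UBR
    }
    $build = [string]$version.CurrentBuildNumber
    $ubr   = [int]$version.UBR

    $state = if (-not $MinimumUbr.ContainsKey($build)) {
        'NotCovered'   # another OS version; not one of the two builds the post lists
    } elseif ($ubr -ge $MinimumUbr[$build]) {
        'Patched'
    } else {
        'Missing'
    }

    [pscustomobject]@{
        ComputerName = $ComputerName
        OSBuild      = "$build.$ubr"
        State        = $state
    }
}

# Query every Domain Controller in the current domain and sort the stragglers to the top
$report = Get-ADDomainController -Filter * |
    ForEach-Object { Get-DcPatchState -ComputerName $_.HostName }
$report | Sort-Object State | Format-Table -AutoSize
```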

Pictures of Azure Saturday Belgrade

Azure Saturday Belgrade 2020

On this year’s leap day, I was invited to present a session on Azure Saturday in Belgrade, Serbia. My good friends Vladimir Stefanovic, Aleksandar Nikolic and Mustafa Toroman invited me over as one of the foreign speakers to complement the local speakers and their workshops on February 28th.

On Friday, I did some work for one of my customers. I worked from home to finish a design. I was brought to Rotterdam Central Station and took the express train that would take me in 26 minutes to Schiphol airport, in time for my Air Serbia flight to Belgrade. After an uneventful flight, albeit one full of face masks, I arrived safely in Belgrade and took a cab to the Belgrade Inn hotel.

The next morning, I chose to be at breakfast at the earliest opportunity I had. This would allow me to meet and chat with all my friends before the event started. Sure enough, everybody walked in and the hotel restaurant was soon filled with chatter and laughter.

Photos: Room 208 at the Belgrade Inn; coffee at breakfast to start the day.

After a short walk to the venue, we continued our discussions in the speakers room, where we prepared for the keynote and our sessions.

Photos: Azure Saturday Belgrade speaker badge; SuperAdmin-sponsored badges; in the speaker room with Aleksandar Nikolic and Rolf McLaughlin.

At 3:45 PM, I started my 45-minute session on six of the Hybrid Identity mismanagement horror stories I’ve encountered over the past couple of years. It was fun to talk about organizational challenges ranging from Azure MFA Server to FIDO2 technologies and from budgeting to security challenges.

Photos: Nooo, did he just say that?!; presenting at Azure Saturday Belgrade.

After my session I attended Rolf McLoughlin’s session, before we rounded up the event with a PowerShell-supported prize raffle and Thank Yous to all the attendees.

Photos: Azure Saturday Belgrade 2020’s speakers; Suvobor restaurant in downtown Belgrade; Serbia, meat country! :-)

Then, we headed back to the hotel to freshen up and head to the Suvobor restaurant to have dinner with all the speakers and their entourages. We had some more fun discussions and drinks, before returning to the hotel.

Photo: Coffee at Kafeterija.

The next morning, we headed out for coffee at Kafeterija with a smaller group of people, including Mustafa, Sasha, Aleksandar, Vladimir, Nenad and Rolf.

After that, it was time to check out and get a cab to the airport. After lunch in the lounge, I flew back and landed on Schiphol Airport in time for dinner with my family.

Photos: Serbian flag outside Hotel Belgrade Inn; brutalist-style buildings across Belgrade; cloudy Alps on my way home.

Thank you!

Thank you to the Azure Saturday Belgrade organization for having me as a speaker. Thank you to the sponsors of the event and the Azure Saturday global organization. And of course, a big thank you to all the attendees, especially the ones who were in my session.


KnowledgeBase: You receive “The ADSync service failed to start with an unexpected error for AutoGeneratedAccount:” when installing Azure AD Connect

KnowledgeBase

Troubleshooting issues with Azure AD Connect can be a lot of fun, until you realize that new functionality throws an error that is incredibly vague.

This blogpost provides the instructions to get Azure AD Connect working for your Hybrid Identity implementation when you receive “The ADSync service failed to start with an unexpected error for AutoGeneratedAccount:” when configuring Azure AD Connect version 1.4.38.0, and up.

 

The situation

The organization wants to deploy Hybrid Identity with Azure AD Connect. The organization uses a single Active Directory domain in a single forest.

The following preparations were made:

  • The Windows Server installation intended to be used as the synchronization server was updated with the latest Windows Updates.
  • The latest version (v1.4.38.0) was downloaded and placed on the disk of the Windows Server intended to be used as the synchronization server.
  • The account to run the Azure AD Connect installer was made a member of the Enterprise Admins group in Active Directory. After the membership change, the account was signed out and used to sign in to the synchronization server.

 

The issue

You encounter the following error:

The Azure AD Connect wizard shows the error “The ADSync service failed to start with an unexpected error for AutoGeneratedAccount:”.

Further symptoms include:

  • The Azure AD connect log mentioned on the Azure AD Connect error page (above) mentions ‘Caught exception while installing synchronization service.’
  • The System log in Event Viewer (eventvwr.exe) features an event with ID 7045 with source Service Control Manager stating the ADSync service is installed successfully.
  • The Microsoft Azure AD Sync service (ADSync) is not visible as a service in the Services MMC Snap-in (services.msc).

 

The cause

The error is caused by the SQL Server Native Client not supporting TLS 1.2.

It seems that the version of SQL Server Native Client that comes with the installation and configuration of Azure AD Connect, in some cases, does not support TLS 1.2.

 

The solution

To successfully install and configure Azure AD Connect when you encounter “The ADSync service failed to start with an unexpected error for AutoGeneratedAccount:”, follow these steps:

  • Manually uninstall Azure AD Connect and remove all components in relation to Azure AD Connect as indicated by the uninstall wizard.
  • Download Azure AD Connect again.
  • Start the Azure AD Connect installation by double-clicking AzureADConnect.msi.
  • Do not click on Configure. Simply close the Microsoft Azure Active Directory Connect Configuration wizard at this point.

Note:
This action automatically confirms the License Agreement and privacy notice.
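As an added check, not part of the original post, the following PowerShell reports the TLS 1.2 client configuration and the installed SQL Server Native Client on the intended synchronization server, so the cause described above can be confirmed before reinstalling. It assumes the SCHANNEL and .NET Framework registry values shown are the ones governing TLS 1.2 for Windows clients and .NET services such as ADSync.

```powershell
# Added example (not the post's own code): TLS 1.2 client readiness on the sync server.
function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value absent: the OS default applies
    return [int]$item.$Name
}

function Test-Tls12ClientReadiness {
    $findings = @()

    # SCHANNEL: the TLS 1.2 client side is off when Enabled=0 or DisabledByDefault=1
    $client   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    $enabled  = Get-RegistryDword -Path $client -Name 'Enabled'
    $disabled = Get-RegistryDword -Path $client -Name 'DisabledByDefault'
    $findings += [pscustomobject]@{
        Check = 'SCHANNEL TLS 1.2 client'
        Value = "Enabled=$enabled DisabledByDefault=$disabled"
        Ok    = ($enabled -ne 0) -and ($disabled -ne 1)
    }

    # .NET Framework 4.x: SchUseStrongCrypto=1 and SystemDefaultTlsVersions=1 let managed
    # code (the ADSync service) negotiate TLS 1.2; check the 64-bit and 32-bit hives
    foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $strong = Get-RegistryDword -Path $net -Name 'SchUseStrongCrypto'
        $sysdef = Get-RegistryDword -Path $net -Name 'SystemDefaultTlsVersions'
        $findings += [pscustomobject]@{
            Check = ".NET strong crypto ($net)"
            Value = "SchUseStrongCrypto=$strong SystemDefaultTlsVersions=$sysdef"
            Ok    = ($strong -eq 1) -and ($sysdef -eq 1)
        }
    }

    # Installed SQL Server Native Client(s), read from the Uninstall registry hive
    $clients = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
        Where-Object { $_.DisplayName -like 'Microsoft SQL Server*Native Client*' } |
        ForEach-Object { "$($_.DisplayName) $($_.DisplayVersion)" }
    $clientValue = if ($clients) { $clients -join '; ' } else { 'not installed' }
    $findings += [pscustomobject]@{
        Check = 'SQL Server Native Client'
        Value = $clientValue
        Ok    = [bool]$clients   # compare the version against KB3135244 before trusting it
    }
    return $findings
}

Test-Tls12ClientReadiness | Format-Table -AutoSize
```

Any row with Ok = False points at the component to fix before running the Azure AD Connect wizard again.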


What’s New in Azure Active Directory in February 2020

Azure Active Directory

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for February 2020:

 

What’s Planned

Identity Secure Score – MFA improvement action updates

Service category: MFA
Product capability: Identity Security & Protection

To reflect the need for businesses to ensure the utmost security while applying policies that work with their business, Microsoft Secure Score is removing three improvement actions centered around multi-factor authentication (MFA), and adding two.

The following improvement actions will be removed:

  • Register all users for MFA
  • Require MFA for all users
  • Require MFA for Azure AD privileged roles

The following improvement actions will be added:

  • Ensure all users can complete MFA for secure access
  • Require MFA for administrative roles

These new improvement actions will require Azure AD admins to register their organization’s users or admins for MFA across the Azure AD tenant and to establish the right set of policies that fit the organization’s needs.

The main goal is to have flexibility while ensuring all users and admins can authenticate with multiple factors or risk-based identity verification prompts. This can take the form of:

  • Setting security defaults that let Microsoft decide when to challenge users for MFA, or;
  • Having multiple Conditional Access policies that apply scoped decisions.

Note:
As part of these improvement action updates, Baseline protection policies will no longer be included in scoring calculations.

 

What’s New

Azure AD Domain Services SKU selection

Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services

Microsoft has heard feedback that organizations using Azure Active Directory Domain Services (Azure AD DS) need more flexibility in selecting performance levels for their instances.

On February 1, 2020, Microsoft switched from a dynamic model (where Azure AD determines the performance and pricing tier based on object count) to a self-selection model.

Organizations can choose a performance tier that matches their environment. This change also allows Microsoft to enable new scenarios like Resource Forests, and Premium features like daily backups.

The object count is now unlimited for all SKUs, but Microsoft will continue to offer object count suggestions for each tier.

No immediate customer action is required.
For organizations already using Azure Active Directory Domain Services (Azure AD DS), the dynamic tier that was in use on February 1, 2020, determines their new default tier. There is no pricing or performance impact as the result of this change.

Going forward, organizations will need to evaluate performance requirements as their directory size and workload characteristics change. Switching between service tiers will continue to be a no-downtime operation, and Microsoft will no longer automatically move organizations using Azure AD DS to new tiers based on the growth of their directory.

 

New Federated Apps available in Azure AD App gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In February 2020 Microsoft has added these 31 new apps with Federation support to the app gallery:

 

New provisioning connectors in the Azure AD Application Gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

Azure AD admins can now automate creating, updating, and deleting user accounts for these newly integrated apps:

 

Azure AD support for FIDO2 security keys in hybrid environments Public Preview

Service category: Authentications (Logins)
Product capability: User Authentication

Microsoft is announcing the public preview of Azure AD support for FIDO2 security keys in Hybrid environments. Users can now use FIDO2 security keys to sign in to their Hybrid Azure AD joined Windows 10 devices and get single sign-on to their on-premises and cloud resources.

Support for Hybrid environments has been the top most-requested feature from organizations on the passwordless journey, since Microsoft initially launched the public preview for FIDO2 support in Azure AD joined devices. Passwordless authentication using advanced technologies like biometrics and public/private key cryptography provide convenience and ease-of-use while being secure. With this public preview, people can now use modern authentication like FIDO2 security keys to access traditional Active Directory-integrated resources.

 

New My Account experience Generally Available

Service category: My Profile/Account
Product capability: End User Experiences

My Account, the one stop shop for all end-user account management needs, is now generally available! End users can access this new site via https://myaccount.microsoft.com, or in the header of the new My Apps experience.


I’m speaking at Microsoft NetWork 10

Microsoft NetWork 10

In the last years, I have presented several times at Microsoft Bosnia and Herzegovina’s NetWork event. This year, the organization has invited me back to present at the 10th edition of Microsoft NetWork in Neum, Bosnia and Herzegovina.

 

About Microsoft NetWork 10

Microsoft’s NetWork conference is a yearly event in the city of Neum in Bosnia and Herzegovina. It offers a range of international speakers like Adis Jugo and myself, and local speakers like Luka Manojlovic, Marin Franković, Mustafa Toroman, Slavko Kukrika, Nenad Trajkovski, Ljubo Brodarić and Romeo Mlinar.

Grand Hotel Neum

The event is held at the Grand Hotel, Neum between March 25 and March 27, 2020.

 

About my sessions

I’ll be presenting two 45-minute sessions in English:

Deep Dive into managing AD FS with Azure AD Connect

Azure AD Connect was meant as the successor to DirSync with the added benefit of being the one-stop shop for admins to take care of hybrid cloud authentication. One of its main pillars is its ability to deploy, manage, monitor and even decommission an entire Active Directory Federation Services environment.

In this session, I’ll share my real-world tips, tricks, do’s and don’ts around Azure AD Connect, specifically tailored to the thousands of admins still running and loving AD FS.

Six horror stories of Hybrid Identity mismanagement

The Microsoft documentation provides clear-cut decisive guidance for integrating Active Directory with Azure AD. This way, Hybrid Identity should emerge. Alas, at some organizations it didn’t. Join this session to gain insights in the critical success factors that drive hybrid identity and the things that often get overlooked.

I’ll share my views on these events. Of course, this session covers how to avoid these situations yourself, so we all benefit.

 

Join us!

Register for Microsoft NetWork 10 here and join us for another awesome Microsoft NetWork event at Bosnia and Herzegovina’s coast.


HOWTO: Deploy Azure AD Connect with SQL Server

This entry is part 24 of 24 in the series Hardening Hybrid Identity

Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll look at the benefits of implementing Azure AD Connect with a back-end SQL Server (cluster) as opposed to implementing it with the accompanying SQL Server Express installation.

 

Why deploy Azure AD Connect with a full-fledged Microsoft SQL Server?

There are two main reasons to deploy Azure AD Connect with a Microsoft SQL Server back-end:

SQL Server Information Security Measures

The organizations for which I’ve deployed Azure AD Connect with SQL Server chose to do so mainly because they have a strategy to centralize their Microsoft SQL databases on a highly-available Microsoft SQL cluster. This way, all the information security measures surrounding that data had to be applied only once. The same rules apply to Active Directory Federation Services (AD FS) implementations.

No database limit

By default, Azure AD Connect installs Microsoft SQL Server Express Edition. Databases for this free edition of Microsoft SQL Server are limited to 10 GB. This limit makes another case for a full-fledged Microsoft SQL Server, as it imposes a limit of 100,000 objects in scope for Azure AD Connect in the real world.

 

Drawbacks of deploying Azure AD Connect with a full-fledged Microsoft SQL Server

There are also two main drawbacks to deploying Azure AD Connect with a Microsoft SQL Server back-end (next to the increased management load of the SQL Server (cluster)):

No Automatic virtual Service Account (vSA)

In a default setup, the Azure AD Connect service runs as a virtual service account. To allow the service to connect to the SQL back-end however, a service account needs to be used.

To counter this drawback, we’ll deploy Azure AD Connect with a gMSA.
This adds a couple of requirements, like domain membership for the Windows Server installation running Azure AD Connect.

No Automatic Upgrades

There is also a big drawback when deploying Azure AD Connect with a Microsoft SQL Server back-end: the Automatic Upgrades feature is not supported. When you deploy Azure AD Connect with SQL Server, you’ll need to manually upgrade the Azure AD Connect installation and keep up with its support statements.

 

Getting ready

To implement Azure AD Connect with a full-fledged Microsoft SQL Server, you’ll need to meet the following requirements:

Software requirements

Download the latest version of Azure AD Connect. After downloading, place it on the hard disk of the Windows Server installation intended to run Azure AD Connect.

Requirement for gMSAs

To use group Managed Service Accounts (gMSAs), the Active Directory environment needs to adhere to the following requirements:

  • The Active Directory schema needs to be extended to the Windows Server 2012 level, or up.
  • At least one Domain Controller needs to run Windows Server 2012, or up.
  • The Active Directory domain needs to run the Windows Server 2008 R2 Domain Functional Level (DFL) to support automatic password and SPN management.

Note:
When using multiple Azure AD Connect installations (of which only one is not configured as Staging Mode server), you can use the same gMSA for all installations without problems.

Database requirements

In the organization, make sure there is consensus on the name for the Azure AD Connect database.

Note:
Azure AD Connect version 1.3.20.0 introduced the concept of naming databases. Before, all Azure AD Connect databases needed to be named ADSync. This caused issues with Staging Mode servers. If your organization is about to deploy multiple Azure AD Connect installations using SQL Server, name the databases properly, so it is traceable to a specific Azure AD Connect installation.

Important:
Azure AD Connect installations should never use the same SQL Server database. Deploy a separate database per Azure AD Connect installation.

System requirements for SQL Servers

For Azure AD Connect with SQL Server-based databases, have a SQL Server available on the network that is also resolvable via DNS and reachable by the proposed Azure AD Connect server(s).

Make sure the Microsoft SQL Server is configured with a TLS certificate to be able to encrypt the data exchanged with the Azure AD Connect server(s). Also make sure the Microsoft SQL Server installation supports TLS 1.2 by installing the required hotfixes as described in KB3135244.

Requirements for SQL Server Always On Availability

When using a Microsoft SQL Server Always On Availability (AOA) group as the back-end SQL Server, the database needs to be created and made part of the AOA group before installing Azure AD Connect.

During installation, Azure AD Connect detects whether the SQL instance provided is enabled for AOA or not. When AOA is enabled, Azure AD Connect further figures out if SQL AOA is configured to use synchronous replication or asynchronous replication.

Note:
When setting up the Availability Group Listener, it is recommended that you set the RegisterAllProvidersIP property to 0.

Privilege requirements

Per step, you’ll need the following specific permissions:

For the account that will be used to create the group Managed Service Account (gMSA):

  • Domain Administrator privileges in Active Directory.

For the account that will be used to create the database for Azure AD Connect on the SQL Server (cluster):

  • SysAdmin (sa) privileges on the Microsoft SQL Server.

For the account that will be used to install the group Managed Service Account (gMSA) on the Windows Server intended to run Azure AD Connect:

  • Local Administrator privileges on the Windows Server installations.
  • Domain user privileges in Active Directory.

For the account that will be used to run the Azure AD Connect wizard:

  • Enterprise Administrator privileges in Active Directory, through a direct membership of the Enterprise Admins group (when opting to create the Azure AD Connect service account to communicate with Active Directory automatically, otherwise, Domain Administrator privileges are sufficient).
  • Local Administrator privileges on the Windows Server installations you intend to run Azure AD Connect on. (This is a default permission that comes with the above admin privileges when the server is domain-joined)
  • db_owner privileges on the Microsoft SQL Server.

Note:
After the initial configuration of Azure AD Connect you can remove the permissions above, but they may have to be re-added for consecutive runs to reconfigure Azure AD Connect. These latter situations may be under time pressure.

For the account that will be entered in the Azure AD Connect wizard to connect to Azure AD:

  • Global Administrator privileges in the Azure AD tenant.

 

How to install Azure AD Connect with SQL Server

Deploying Azure AD Connect with a full-fledged Microsoft SQL Server consists of the following steps:

  1. Creating the gMSA
  2. Creating the database and configuring Always On Availability
  3. Installing and configuring Azure AD Connect

Creating the gMSA

We need a group Managed Service Account (gMSA) to be used as the Azure AD Connect service account. A gMSA is the safest way to host this account from Active Directory.

When using SQL Server, the service account becomes really important, because it is not only used to run the Azure AD Connect service, but also to connect to the SQL Server backend.

Use the following lines of PowerShell on a system with the Active Directory Module for Windows PowerShell installed, while signed in with a user account that is a member of the Domain Admins group, supposing AADC01 is the hostname of the server intended to run Azure AD Connect:

Import-Module ActiveDirectory

New-ADServiceAccount -Name AADC1gMSA -DNSHostName AADC1gMSA.domain.tld -PrincipalsAllowedToRetrieveManagedPassword "CN=AADC01,CN=Computers,DC=domain,DC=tld"
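The same gMSA creation, written out as an added example that is not part of the original post, with the two checks a practitioner wants around it: that a KDS root key exists (without one, New-ADServiceAccount fails) and that password retrieval is limited to the one computer object that will run Azure AD Connect. The placeholders AADC01, AADC1gMSA and domain.tld are the ones used in the post; the Kds module is assumed to be available on the domain controller or admin host where this runs.

```powershell
# Added example (not from the original post): create the Azure AD Connect gMSA
# and confirm who may retrieve its managed password.
Import-Module ActiveDirectory

$gmsaName   = 'AADC1gMSA'                       # placeholder from the post
$domainDns  = (Get-ADDomain).DNSRoot             # e.g. domain.tld
$aadcServer = Get-ADComputer -Identity 'AADC01'  # server that will run Azure AD Connect

# A gMSA needs a KDS root key. A key added with -EffectiveImmediately is only
# usable after ~10 hours, so check for one rather than creating it on every run.
if (-not (Get-KdsRootKey)) {
    Write-Warning 'No KDS root key found. Add one with Add-KdsRootKey -EffectiveImmediately and retry after 10 hours.'
    return
}

# Restrict password retrieval to the single computer object that needs it.
# Granting this to a broad group (all servers, Domain Computers) would let any of
# those hosts obtain the sync account's credential.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName `
        -DNSHostName "$gmsaName.$domainDns" `
        -PrincipalsAllowedToRetrieveManagedPassword $aadcServer.DistinguishedName `
        -KerberosEncryptionType AES128,AES256 `
        -ManagedPasswordIntervalInDays 30
}

# Show the retrieval principals; this is the attribute to audit periodically.
Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword
```

ManagedPasswordIntervalInDays can only be set when the account is created, and the AES-only encryption types keep RC4 off the account from the start.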


Creating the database and configuring Always-on Availability

On the SQL Server, perform the following steps:

  • Start Microsoft SQL Server Management Studio.
  • Connect to your server in the Connect to Server dialog screen.
  • In the left navigation pane, right-click on Databases and
    select New Database….
  • In the New Database dialog screen, enter the name for the
    database.

Create an aptly named database for Azure AD Connect in Microsoft SQL Server Management Studio

  • Click OK to create the
    database.
  • In the left navigation pane, expand Security.
  • Right-click the Logins node and select New login….
    The Login – New dialog screen opens on the General page.
  • Specify AADC1gmsa$ as the Login name:, and make sure Windows authentication is selected as the login method.
  • In the left navigation pane, click on User Mapping.
  • On the User Mapping page, select the Azure AD Connect database you created earlier from the list of databases under Users mapped to this login:.
  • In the Database role membership for: ADSyncAADC01 list, select db_owner.

Set db_owner permissions on the database for the Azure AD Connect service account

  • Click OK to create the login and set the database permissions.
  • Close Microsoft SQL Server Management Studio.

If you want to add the database to an Always-On Availability group, perform this configuration before proceeding to the next step.
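The Management Studio steps above, plus the Always On addition and the listener setting recommended earlier, as an added example in PowerShell that is not part of the original post. It assumes the SqlServer module is installed (Install-Module SqlServer), that the listener is AGL01.domain.tld, that the database is named ADSyncAADC01 and the gMSA DOMAIN\AADC1gMSA$ as in the post; the availability group name AADCAG, its listener resource name and the backup share are placeholders.

```powershell
# Added example (not from the original post): create the Azure AD Connect database,
# grant the gMSA db_owner on that database only, and add it to the availability group.
Import-Module SqlServer

$listener = 'AGL01.domain.tld'     # SQL Server (listener) hostname, placeholder
$dbName   = 'ADSyncAADC01'         # database name used in the post
$gmsa     = 'DOMAIN\AADC1gMSA$'    # gMSA login, note the trailing $
$agName   = 'AADCAG'               # availability group, placeholder
$backup   = "\\backupshare\$dbName.bak"  # placeholder; a full backup is required before adding to the AG

# 1. Database. FULL recovery is required for Always On.
$createDb = @"
IF DB_ID(N'$dbName') IS NULL
BEGIN
    CREATE DATABASE [$dbName];
    ALTER DATABASE [$dbName] SET RECOVERY FULL;
END
"@
Invoke-Sqlcmd -ServerInstance $listener -Database master -Query $createDb

# 2. Windows login for the gMSA, mapped as db_owner on this database only.
#    The sync account gets no server-level role: sysadmin is only needed by the
#    person creating the database, not by the service.
$grant = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$gmsa')
    CREATE LOGIN [$gmsa] FROM WINDOWS;
USE [$dbName];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$gmsa')
    CREATE USER [$gmsa] FOR LOGIN [$gmsa];
ALTER ROLE db_owner ADD MEMBER [$gmsa];
"@
Invoke-Sqlcmd -ServerInstance $listener -Database master -Query $grant

# 3. Verify the mapping: expect exactly one row, db_owner.
$check = @"
SELECT r.name AS db_role
FROM sys.database_role_members rm
JOIN sys.database_principals r ON rm.role_principal_id = r.principal_id
JOIN sys.database_principals m ON rm.member_principal_id = m.principal_id
WHERE m.name = N'$gmsa';
"@
Invoke-Sqlcmd -ServerInstance $listener -Database $dbName -Query $check

# 4. Add the database to the availability group (full backup first).
Invoke-Sqlcmd -ServerInstance $listener -Database master `
    -Query "BACKUP DATABASE [$dbName] TO DISK = N'$backup';"
Invoke-Sqlcmd -ServerInstance $listener -Database master `
    -Query "ALTER AVAILABILITY GROUP [$agName] ADD DATABASE [$dbName];"

# 5. On a cluster node: register only the active listener IP in DNS, as recommended
#    earlier. Resource name is a placeholder; the change applies after the listener
#    resource is taken offline and online again.
Import-Module FailoverClusters
Get-ClusterResource -Name 'AADCAG_AGL01' |
    Set-ClusterParameter -Name RegisterAllProvidersIP -Value 0
```

Run steps 1 through 4 against the primary replica (the listener resolves to it); the secondaries still need the database seeded or restored according to the availability group's seeding mode before Azure AD Connect can fail over to them.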


Installing and configuring Azure AD Connect

First, we need to install the Active Directory module for Windows PowerShell, as a cmdlet we need is part of this module:

Install-WindowsFeature RSAT-AD-PowerShell

Now, we can run the following lines of Windows PowerShell on the Azure AD Connect server to install the group Managed Service Account (gMSA) in an elevated PowerShell window:

Import-Module ActiveDirectory

Install-ADServiceAccount -Identity AADC1gMSA

Then, we can uninstall the Active Directory module for Windows PowerShell again, as Azure AD Connect itself does not need it:

Uninstall-WindowsFeature RSAT-AD-PowerShell

With the gMSA ready to go, we start the installation of Azure AD Connect, by double-clicking the Azure AD Connect installer (AzureADConnect.msi):

  • On the Welcome to Azure AD Connect page, select the I agree to the license terms and privacy notice option. Click Continue afterward.
  • On the Express Settings page, click Customize.
  • On the Install required components page, make the following changes:
    1. Select the Use an existing SQL Server option.
      1. Enter the hostname of the Microsoft SQL Server (listener) in the SERVER NAME field, or click the Browse button.
      2. Leave the INSTANCE NAME field blank to use the default SQL Server instance.
      3. Enter the database name for Azure AD Connect you created earlier in the DATABASE NAME field.
    2. Select the Use an existing service account option.
      1. Select the Managed Service Account option.
      2. Type the name of the group Managed Service Account (gMSA) you created earlier in the SERVICE ACCOUNT NAME field. End its name with $ to indicate it is a gMSA.

Specify the SQL Server specifics and service account for Azure AD Connect

  • Click Install.

From the User sign-in page of Azure AD Connect onward, perform the same steps as you would normally perform to configure Azure AD Connect.


How to retrieve the SQL Server (listener) Azure AD Connect uses

When an organization uses Azure AD Connect with a Microsoft SQL Server back-end, it is useful to find the database server used.

Perform the following steps to find the Microsoft SQL Server that holds the database for a specific Azure AD Connect installation through the Microsoft Azure Active Directory Connect wizard:

  • Sign in interactively to the Windows Server running Azure AD Connect.
  • Open Azure AD Connect from the Start Menu or Desktop.
  • On the Welcome to Azure AD Connect page, click Configure.
  • On the Additional tasks page, select the View current configuration task.
  • Click Next.
  • Scroll down on the Review Your Solution page.
  • On the last line of the configuration items, you’ll find the SQL SERVER NAME and SQL SERVER INSTANCE NAME mentioned underneath their respective headings.

SQL Server Name and SQL Server Instance Name in the Azure AD Connect Wizard

  • Click Exit.

Alternatively, perform the following lines of Windows PowerShell to find the Microsoft SQL Server that holds the database for a specific Azure AD Connect installation, while signed in interactively to the Windows Server running Azure AD Connect:

Import-Module "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1"

Get-ADSyncDatabaseConfiguration

This returns all the information on the database the specific Azure AD Connect installation utilizes.
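An added example, not part of the original post, that extends the two lines above into a small health check for an existing installation: it reads the database configuration, shows which account the ADSync service actually runs as, and confirms this host can still retrieve the gMSA's managed password. It assumes it is run elevated on the Azure AD Connect server with the RSAT-AD-PowerShell feature installed; the service name ADSync is the name of the Microsoft Azure AD Sync service.

```powershell
# Added example (not from the original post): verify the SQL back-end, the
# service identity and the gMSA of an Azure AD Connect installation.
Import-Module "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1"
Import-Module ActiveDirectory

# 1. Database location as recorded by Azure AD Connect itself.
Write-Host '== Database configuration =='
Get-ADSyncDatabaseConfiguration | Format-List *

# 2. The identity the sync service runs as; for this setup expect DOMAIN\AADC1gMSA$.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name = 'ADSync'"
Write-Host '== Service identity =='
[pscustomobject]@{
    Service   = $svc.Name
    State     = $svc.State
    StartMode = $svc.StartMode
    RunsAs    = $svc.StartName
}

# 3. Can this host still retrieve the managed password? A $false here, typically
#    after a computer account reset or an edit to PrincipalsAllowedToRetrieveManagedPassword,
#    is the usual reason the ADSync service fails to start with a logon failure.
if ($svc.StartName -like '*$') {
    $account = ($svc.StartName -split '\\')[-1].TrimEnd('$')
    Write-Host "== Test-ADServiceAccount $account =="
    Test-ADServiceAccount -Identity $account
} else {
    Write-Warning "ADSync runs as $($svc.StartName), which is not a gMSA."
}
```

The third check is the one to run first when the service stops after a domain change, because a failed managed-password retrieval surfaces only as a generic service start failure.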


Concluding

A full-fledged Microsoft SQL Server can be used to host the database for Azure AD Connect. I couldn’t believe there is no official documentation on how to configure Azure AD Connect to do so, so I wrote it myself.

Further reading

Move Azure AD Connect database from SQL Server Express to SQL Server
Prerequisites for Azure AD Connect
Troubleshoot SQL connectivity issues with Azure AD Connect
Field Notes: How has your Azure AD Connect been configured?
New features in AD DS in Windows Server 2012, Part 8: Group MSAs (gMSAs)
Using Azure AD Connect with a gMSA


We’re sponsoring Microsoft Ignite | The Tour in Amsterdam

Microsoft Ignite | The Tour in the Amsterdam RAI

Working for a leading Microsoft partner in the Netherlands means that we owe it to our people, our community fellows and (prospective) customers to make the yearly Microsoft Ignite | The Tour event in Amsterdam a success.

This is why we’re sponsoring the Ignite | The Tour event on March 11th, 2020 and March 12th, 2020 in the Amsterdam RAI.


About Microsoft Ignite | The Tour Amsterdam

Microsoft Ignite The Tour brings the very best of Microsoft Ignite to Amsterdam. The tour provides technical training led by Microsoft experts and the community. You’ll learn new ways to build solutions, migrate and manage infrastructure, and connect with local industry leaders and peers.

This free two-day event features


About SCCT

SCCT is a managed cloud services provider from Leidschendam in the Netherlands with a highly-developed expertise on Microsoft Cloud solutions.

We believe the Microsoft Cloud offers added value to any organization.

Together with your organization, we select the right mix of our services to create innovative and flexible solutions to optimally contribute to your organization’s goals.


Will we see you there?

You can find the SCCT booth in the partner area.

I’ll be there together with all my colleagues to meet you, make sure you get your questions answered and perhaps get your IT needs fulfilled by me or one of my awesome colleagues.


I’m a 2020 VMware vExpert

VMware vExpert 2020

I’m proud to announce I am a 2020 VMware vExpert.

This is my second vExpert award in a row, after I received it for the first time last year. It’s an honor to me to be a part of the team driving Active Directory virtualization on VMware vSphere with Deji Akomolafe and Matt Liebowitz.

Thank you!

About the VMware vExpert Program

The VMware vExpert Program is VMware’s global evangelism and advocacy program. The program is designed to put VMware’s marketing resources towards advocacy efforts.

The vExpert award is for individuals, not companies, and lasts for one year. Employees of both customers and partners can receive the vExpert award. View a list of all VMware vExperts in the vExpert Directory, including mine.

FURTHER READING

Video of my Active Directory session at VMworld Europe is now available
Pictures of VMworld Europe 2019
I’m speaking at VMware VMworld Europe 2019
Pictures of the NLVMUG BBQ
Domain Controller Cloning on VMware vSphere
Active Directory Virtualization Safeguards with VM-GenerationID on VMware vSphere
Replication considerations for Domain Controllers running on VMware vSphere
Managing Active Directory Time Synchronization on VMware vSphere
Sizing Domain Controllers correctly on VMware vSphere
Why virtualize Domain Controllers?

Image by Graham Barker
