Category Archives: Microsoft Azure

Everything about Azure and Cloud technology

Onboarding Linux Client (DEEPIN) to Microsoft Azure Threat protection ATP using ubuntu repository

Installing Microsoft Azure Threat Protection (ATP) on Linux Devices

While playing with ATP on some windows devices, I was in the mood of trying the new Deepin 20 desktop flavor which is a famous Chinese Linux OS based system.

Microsoft doesn’t indicate anywhere that installation of ATP on a Linux client is possible but Linux server is mentioned in the official ATP installation documents.

How to Install?

After I installed the Deepin OS, I was really impressed by the new beautiful Linux design so I plan to use it and have it secure with ATP.

image

Prerequisites:

  1. Configure the Linux software repository for Ubuntu and Debian
  2. Application Installation
  3. Download the onboarding Package
  4. Client Config

1-Configure the Linux software repository for Ubuntu and Debian

You will need to install the required libraries, install Gpg, apt-transport-https and update repository metadata using the following commands one by one.

  • sudo apt-get install curl

image

  • sudo apt-get install libplist-utils

image

image

  • sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-ubuntu.list
  • sudo apt-get install gpg

image

image

image

After successfully installing all the libraries, I will go ahead and install the application

2- Application Installation

From the Linux client Terminal using sudo power user run the following script

sudo apt-get install mdatp

image

Once finished, You can go back to the ATP portal and download the Linux Onboarding package on the linux server/client you want to onboard

3- Download the onboarding Package

Since I am doing a single deployment not bulk, then I will go to the Microsoft Defender Security Center’s setting page and download the Linux package from the device management section.

image

The steps for the onboarding is already mentioned on that page so after you download the script you’ll know exactly what to do next.

The file is 9kb python in size

image

Copy the file to your Linux Desktop

image

4- Client Config

From the terminal type in chmod a+x MicrosoftDefenderATPOnBoardingLinuxServer.py and hit enter

Note: python must be installed on this linux dervice.

Then type python /MicrosoftDefenderATPOnBoardingLinuxServer.py

image

This will run pretty quick and will assign your Linux server/client with your Organization ID.

To see the Organization ID type:

mdatp –health orgId

image

Few minutes later you’ll be able to see the installation completion and the status through this command

Check if WDATP is functioning as expected

mdatp –health healthy

image

Check if WDATP agent is enabled

mdatp –health realTimeProtectionEnabled

image

Let’s check on our ATP portal and see if the machine is showing there.

Note: It might take 5-15 mins to update the definitions of WDATP when onboarding.

image

Running a detection Test:

curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt

image

In few seconds the file has disappeared

image

Checking for threats

mdatp –threat –list –pretty

image

Let’s see this on the ATP Portal

image

image

This is just a test malware not a real one therefore it wont harm your machine at all.

Hope this helps you with your deployments

Ref:

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually

Deepin 20 Beta version

https://www.deepin.org/en/2020/04/15/deepin-20-beta/

Azure RDWEB page is blank when accessing it with authorized users

Blank page on RDWeb for users

When you have finished deploying Azure WVD machines and added those machines in the correct hosts you might fall into this error by a chance and not easily be able to understand or see it.

clip_image001[4]

During the creation of Host Pools and AppGroups you might want to create your own fancy Host pool names and app group names, This is something normal but not when you want to use Azure WVD.

What Happens?

When you create an app group name other than the ones already existing (Desktop Application Group) you have to make sure that you would type this group name into the ARM Template since while deploying the VMs and typing the template would choose the default Application Group Name.

image

Error 1

The connection to the remote PC was lost. This might be because of a network connection problem. If this keeps happening, ask your admin or tech support for help.

clip_image001[6]

clip_image002

Error 2

User is assigned to the wrong Application Group

add-RdsAppGroupUser : The specified UserPrincipalName is already assigned to a RemoteApp AppGroup in the specified HostPool.

ActivityId: feb39a7b-b74f-49d3-a100-1fc22ec66454

Powershell commands to diagnose the failure:

Get-RdsDiagnosticActivities -ActivityId feb39a7b-b74f-49d3-a100-1fc22ec66454

At line:4 char:1

+ add-RdsAppGroupUser -TenantName cagriandMoh10ly -HostPoolName WVD-Hos …

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ CategoryInfo : FromStdErr: (Microsoft.RDInf…RdsAppGroupUser:AddRdsAppGroupUser) [Add-RdsAppGroupUser], RdsPowerShellException

+ FullyQualifiedErrorId : UpnAlreadyHasRemoteAppAssignment,Microsoft.RDInfra.RDPowershell.AppGroupUser.AddRdsAppGroupUser

clip_image003

Solution:

Remove the user from the other application group and add him to the one where you have your RdsSessionHost that you would like your users to access.

Connect to Azure-AD first and run the following command, Make sure you specify the AppGroupName that you want to remove your users from and the AD Group that’s relevant to those users.

foreach($UPN in (Get-AzureADGroupMember -ObjectId ((Get-AzureADGroup | Where-Object DisplayName -Like “WVDUsers”).ObjectId)).UserPrincipalName)

{

Write-Output $UPN

Remove-RdsAppGroupUser -TenantName cagriandMoh10ly -HostPoolName WVD-Host-Pool01 -AppGroupName “Desktop App Group” -UserPrincipalName $UPN

}

clip_image004

Add the Users again and see what happens

foreach($UPN in (Get-AzureADGroupMember -ObjectId ((Get-AzureADGroup | Where-Object DisplayName -Like “WVDUsers”).ObjectId)).UserPrincipalName)

{

Write-Output $UPN

Add-RdsAppGroupUser -TenantName cagriandMoh10ly -HostPoolName WVD-Host-Pool01 -AppGroupName “Desktop Application Group” -UserPrincipalName $UPN

}

clip_image005

Refresh the RDWEB Page and see if you can access your host

clip_image006

clip_image007

The same desktop came back since we are using FSLogix profile container

clip_image008

VM fails to join Domain during Azure Windows Virtual desktop deployment

Azure Windows Virtual Desktop

WVD or Azure Virtual Desktop has become popular these days during the COVID-19 Virus where everyone started working from home. Companies wanting to adapt to the situation started deploying WVD and so I started to test this feature to keep up with the technology around.

Deployment

I tried using different scenarios during the deployment of Azure WVD, I am going to list them down and explain where did I get my problem exactly.

1- Deploying using Azure Gallery VM.

2- Deploying using a VM Image (This scenario)

3- Deploying using uploaded VM.

My first deployment was using Azure Gallery and in that deployment the machine was deployed without an issue although the domain error has occurred.

In the second Scenario, When you try to use the Github link that has the ARM template

clip_image001

Error 1

{

“status”: “Failed”,

“error”: {

“code”: “ResourceDeploymentFailure”,

“message”: “The resource operation completed with terminal provisioning state ‘Failed’.”,

“details”: [

            {

“code”: “VMExtensionProvisioningError”,

“message”: “VM has reported a failure when processing extension ‘joindomain’. Error message: \”Exception(s) occured while joining Domain ‘moh10ly.local’\”\r\n\r\nMore information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot

            }

        ]

    }

}

Error 2

clip_image001[6]

{“code”:”DeploymentFailed”,”message”:”At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.”,”details”:[{“code”:”Conflict”,”message”:”{\r\n \”status\”: \”Failed\”,\r\n \”error\”: {\r\n \”code\”: \”ResourceDeploymentFailure\”,\r\n \”message\”: \”The resource operation completed with terminal provisioning state ‘Failed’.\”,\r\n \”details\”: [\r\n {\r\n \”code\”: \”VMExtensionProvisioningError\”,\r\n \”message\”: \”VM has reported a failure when processing extension ‘dscextension’. Error message: \\\”DSC Configuration ‘CreateHostPoolAndRegisterSessionHost’ completed with error(s). Following are the first few: PowerShell DSC resource MSFT_ScriptResource failed to execute Set-TargetResource functionality with error message: User is not authorized to query the management service.\\nActivityId: ef602cd9-7efd-474d-bc70-ccfd340ecb08\\nPowershell commands to diagnose the failure:\\nGet-RdsDiagnosticActivities -ActivityId ef602cd9-7efd-474d-bc70-ccfd340ecb08\\n PowerShell DSC resource MSFT_ScriptResource failed to execute Set-TargetResource functionality with error message: WVD-Host-Pool01 Hostpool does not exist in CagriandMoh10ly Tenant The SendConfigurationApply function did not succeed.\\\”\\r\\n\\r\\nMore information on troubleshooting is available at https://aka.ms/VMExtensionDSCWindowsTroubleshoot \”\r\n }\r\n ]\r\n }\r\n}”}]}

Solution:

Original Setting

clip_image001[10]

Change To

  1. Domain to join needs to reflect your Active Directory domain not AD Connect Public Domain.
  2. The Credentials must be for a domain user that has the privileges’ to join any PC to the domain

clip_image001[8]

The Tenant Admin UPN must reflect a user who is allowed to Create a WVD tenant

image

After this, In the Tenant Admin UPN or Application ID use one of the Tenant creator account and you’ll get the below result.

Don’t forget to change the Virtual Network’s DNS to point to your DNS Server whether it is on Azure or On-premises network which must have VPN to access if there.

clip_image001[12]

clip_image001[14]

clip_image002

https://docs.microsoft.com/en-us/azure/virtual-desktop/tenant-setup-azure-active-directory

https://docs.microsoft.com/en-us/azure/virtual-desktop/troubleshoot-set-up-issues

ADFS and wAP trust breaks with 500 Internal Server error

Error code

Yesterday my colleague sent me a message informing me that ADFS is not working. When I tried to login to Office 365 Portal page with a federated domain’s user I got a 500 Internal Server Error.

When it occurs:

If you are using Office 365 with ADFS Integration in place, You might get this error when trying to authenticate your users to login to Office 365 or any of its services.

image

WAP Server

In this environment I am using WAP Proxy server behind ADFS and when installing this I configured a trust using a Public Certificate but for some reason this trust was broken.

image

Investigation and Solution:

After investigating the WAP proxy it seems it had couple of problems:

1- Could not resolve ADFS server name on WAP Server.

  • In my environment where we are using Sentinel, We have isolated the primary DC in the environment and due to this the WAP server could not reach to the DNS Server. I solved this by pointing the machine to the secondary DC and add the ADFS hostname to the host file.

2- The Web Application Proxy Service would not start.

  • The errors related to the service not starting in the event viewer were all pointing to a certificate thumbprint which didn’t even exist in the WAP’s personal store.

Event Viewer Errors

There were couple of errors related to the certificate and Service issue, Event ID 224, Event ID 12025, Event ID 7023 and Event ID 224.

The one which mostly got my attention was the 224:

The federation server proxy configuration could not be updated with the latest configuration on the federation service.

Retrieval of proxy config data from federation server using trust certificate with thumbprint failed with status code unauthorized. The remote server returned an error code 401.

clip_image001

Resolution:

From WAP server’s fire up PowerShell as an admin and list the certificate you have got on your Personal store and match the ThumbPrints of the certificate in the error to make sure it exists or not.

Even if the certificate exists you will still need to re-establish trust with ADFS to make sure WAP can connect to ADFS without an issue.

Dir Cert:\localmachine\my

This should show the certificates you have got on your store.

image

Now pick up the valid Public certificate which you want to use for the trust and use the below command to establish the trust

Install-WebApplicationProxy –CertificateThumbprint “Enter Certificate ThumbPrint here” –FederationServiceName “ADFS Public FQDN Here”

image

After few moments you should see that WAP services went back to normal and you can now login your users to Office 365 portal through ADFS.

image

clip_image001[6]

Reset Azure VM Admin password with Domain Controller installed

Active Directory Admin Password

We had a security lab on Azure with 12 machines, It included 2 DCs and 10 other machines of different OS and had RDP closed on all the machines except one machine to use.

The Password was set for something simple however it seems that someone has changed it and no one was able to access the domain controller anymore nor any of the machines.

I had another user created for backup but it seems that user was also changed.

The usual method of resetting Azure VM is going through portal or PowerShell

Resetting Via Azure Portal

When you try to reset the password from Azure Virtual machine itself. If the VM has Domain Controller it will fail to reset the password with the following error:

Failed to reset RDP configuration

VM has reported a failure when processing extension ‘enablevmaccess’. Error message: “VMAccess Extension does not support Domain Controller.” More information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot

image

Through PowerShell

To reset a password, we first need to define the VM we’re working with. To do this, we can use the Get-AzureRmVm cmdlet. I’ll go ahead and assign variables to both the VM name and the resource group since we’ll need to reference those later, as well.

$vmName = 'YOURVMNAMEHERE'
$resourceGroupName = 'YOURRGHERE'
$vm = Get-AzureRmVm -Name $vmName -ResourceGroupName $resourceGroupName

Next, we’ll need some way to pass the username and password into the script. A great way to do that is through the Get-Credential cmdlet.

$credential = Get-Credential

Once the credential is saved, we can then execute the command to actually make the password change using the variables we set earlier. Notice we had to use the GetNetworkCredential() method on the pscredential object. This method will not work if the credential is retrieved from another computer or from another user account. This shouldn’t be a problem, though, since you’re likely to execute this in a single script.

$extensionParams = @{
    'VMName' = $vmName
    'Username' = $Credential.UserName
    'Password' = $Credential.GetNetworkCredential().Password
    'ResourceGroupName' = $resourceGroupName
    'Name' = 'AdminPasswordReset'
    'Location' = $vm.Location
}

$result = Set-AzureRmVMAccessExtension @extensionParams

Once this completed (hopefully successfully), the VM will need to be rebooted. We can do that by using the Restart-AzureRmVm cmdlet.

$vm | Restart-AzureRmVM

While this PowerShell script might work with a normal VM, It will not work with a DC and would result in the same error as in the portal.

Solution

The solution is to write a script which would run through the CustomScriptExtension that you can deploy from the Azure Portal on the intended VM that has the Domain Controller Deployed on it.

Once you get the script ready to change the administrator Password you can upload the script and deploy it.

Let’s get the script ready and demonstrate these steps one by one.

– On my Computer I will write a tiny script that will say

Net User domainadmin Adm!nPassw0rd1

image

– Save the file on your desktop for later use. Go to Azure Portal, Virtual Machines and select your Domain Controller.

– Go to Extensions.

– Click on Add

image

– Select Custom script Extension

image

– Click Create

– Browse the PowerShell script on your Desktop.

– Select Storage Account

– Select an existing container or create new one

– Upload the file to the container

image

image

image

image

image

Result

Once deployed, it’ll take few mins to reset the password and you don’t have to restart the server.

Through PowerShell

image

After this I was able to access the machine again using the new password in the script.

ref:

https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/features-windows#troubleshoot-vm-extensions

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/run-command

https://mcpmag.com/articles/2017/12/13/azure-vm-password-with-powershell.aspx

https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/reset-local-password-without-agent

Upgrading Exchange Online PowerShell to V2 Module

Managing Exchange Online

If you have Exchange Online and your users are MFA enabled then you most likely will be using Exchange Online’ s ECP (Exchange Control Panel or Admin Center) to connect to Exchange Online PowerShell through the Hybrid Windows since this is the only supported way with MFA.

image

Clicking on Configure would install the PowerShell Module of Exchange Online which looks like the below screenshot.

image

New PowerShell with MFA support

If you have launched Exchange Online PowerShell today then you most likely have noticed there’s a red line stating the possibility to try the new (Preview Version) of Exchange PowerShell V2 .

Microsoft has recently released a new version of Exchange Online PowerShell Module which supports MFA and can be run directly from your computer without the need to login to Exchange Online Admin Center and download any files from there.  Check details in this link

As stated in the article, the Module is just in preview so it has some known and maybe unknown bugs as well.

How to Install it?

The installation process is pretty straightforward, Launch Windows PowerShel as an Administrator (It’s required for the installation).

Run these 4 cmdlets

Set-ExecutionPolicy RemoteSigned
Install-Module PowershellGet –Force
Update-Module PowershellGet
Install-Module -Name ExchangeOnlineManagement

image

You might get a warning that the Module you’re about to install is from an Untrusted Repository, Accept it by typing Y and hit enter

Type the following cmdlet to ensure that Exchange Online Management module is installed

Import-Module ExchangeOnlineManagement; Get-Module ExchangeOnlineManagement

image

Connecting to Exchange Online

To connect to Exchange Online, Run the following cmdlet along with the new parameter –EnableErrorReporting which gives the ability to record all the cmdlets that you have run along with errors generated as well.

Connect-ExchangeOnline -EnableErrorReporting -LogDirectoryPath e:\ExchOnlineLogs.txt -LogLevel All

image

image

After connecting, I am going to try and run two commands the Old Cmdlets and New Cmdlet and see the difference between them:

Get-CASMailbox -ResultSize 10
Get-EXOCasMailbox -ResultSize 10

image

The new Cmdlet has much more details, although it says that it runs faster but it took few seconds more than the old one to run (Probably first time).

image

After you run those two Cmdlets, There will be two files generated in the log directory which we have pointed the parameter to save files to.

The CSV files have details about the two cmdlets and the HTTP Method they are utilizing in order to connect along the Request and response latency.

imageimage

This new version seems to be extremely useful esp in environments where such deep details are needed for troubleshooting issues.

Stay tuned for more

Reference:

https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/exchange-online-powershell-v2/exchange-online-powershell-v2?view=exchange-ps

Deploy Azure Linux and Windows servers in 10 mins via cli

This is a step by step guide about deploying Linux or Windows servers on Azure via CLI.

Why Cli?

Some people prefer using Linux rather than PowerShell and it seems sometimes easier and faster to learn esp if you’re not GUI type of person.

Installation Options

If you’re working on Windows and would like to use CLI, you’ll have two options to install CLI

Option 1

Run Azure CLI installation directly from your Powershell (PowerShell needs to run from a privileged account)

Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList ‘/I AzureCLI.msi /quiet’

As soon as you run this command, it’ll take about 5 mins or less depending on the connection you have.

clip_image001

Option 2

Download the MSI file directly from MS’s link and install it on your Computer.

https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-windows?view=azure-cli-latest

Connect to Azure CLI from PowerShell

Run PowerShell or CMD and type the following command to connect

Az Login then hit enter

As soon as you type this, a web page will be launched asking you for your Azure Account credentials so open the session for your Cli window.

The moment you verified your account, PowerShell will list your azure plans that you have / had before.

clip_image002

If you’re going to use Linux (Ubuntu, Debian) flavor then you’d have to following the following instructions

Manual install instructions

If you don’t want to run a script as superuser or the all-in-one script fails, follow these steps to install the Azure CLI.

  1. Get packages needed for the install process:

    bash

    
    
    sudo apt-get update
    sudo apt-get install ca-certificates curl apt-transport-https lsb-release gnupg
  2. Download and install the Microsoft signing key:

    bash

    
    
    curl -sL https://packages.microsoft.com/keys/microsoft.asc |
        gpg --dearmor |
        sudo tee /etc/apt/trusted.gpg.d/microsoft.asc.gpg > /dev/null
  3. Add the Azure CLI software repository:

    bash

    
    
    AZ_REPO=$(lsb_release -cs)
    echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $AZ_REPO main" |
        sudo tee /etc/apt/sources.list.d/azure-cli.list
  4. Update repository information and install the

    azure-cli

    package:

    bash

    
    
    sudo apt-get update
    sudo apt-get install azure-cli

Run the Azure CLI with the

az

command. To sign in, use the az login command.

  1. Run the

    login

    command.

    Azure CLI

    Try It

    
    
    az login

    If the CLI can open your default browser, it will do so and load an Azure sign-in page.

    Otherwise, open a browser page at https://aka.ms/devicelogin and enter the authorization code displayed in your terminal.

  2. Sign in with your account credentials in the browser.

To learn more about different authentication methods, see Sign in with Azure CLI.

Deploying Linux (CentOS):

Creating a Resource Group for Azure Container Instances (ACI)

We will start first by creating a Resource Group for our Machine, calling it a AzureLinuxServersGroup to easily identify that this group contains our Linux Servers

az group create –name AzureLinuxServersGroup –location westeurope

clip_image001[4]

Next we will be creating a container to contain the Linux OS on the resource group which we have just created

First, How we know which Image to use and if that will be proper for our deployment?

To answer that, we will use the following command which will view the available latest edition Linux OS with different flavors.

I would like to use CentOS since its identical to RedHat and used by majority of Enterprises.

To list the Images, Enter the following command

az vm image list –output table

clip_image002[4]

Notice there are many columns, The one which we are going to use in terminal command line is the UrnAlias. It’s important to remember this.

az vm create \

–resource-group AzureLinuxServersGroup \

–name AzureCentOSWP \

–image CentOS \

–admin-username Moh10lyUser \

–generate-ssh-keys

clip_image003

Since we are using Bash, It’s a case sensitive and it complained about user having capital letters. So we’ll go ahead and use small letters

clip_image004

After running the command with small letters, it’s telling us where we can find the keys in order for us to reach and get them to use later to login to this newly created machine.

SSH key files ‘/home/moh10ly/.ssh/id_rsa’ and ‘/home/moh10ly/.ssh/id_rsa.pub’ have been generated under ~/.ssh to allow SSH access to the VM. If using machines without permanent storage, back up your keys to a safe location.

The deployment of the machine takes about 3 mins, and it’ll be created with the default minimum resources. Let’s view

clip_image005

Our machine is ready to be accessed now

clip_image006

In order for you to get the SSH Keys, you’ll have to have a bit of knowledge

I am going to go the location mentioned previously after creating a machine and copy the keys from the bash screen into a file. Save the file and Import it into SSH client which I will be using (Bitvise in my case).

From the bash screen goto cd /

Cd /home/user/.ssh/

Cat id_rsa hit enter and copy the key and save it into notepad.

Cat id_rsa.pub and copy/save into a notepad as the public key.

clip_image007

After loading both keys, I was able to successfully login to the Server

clip_image008

clip_image009

clip_image010

Get a list of Azure VMS

az vm image list

clip_image011

Let’s List and deploy a WordPress on CentOS

To view the list of available CentOS images, we’ll use the following cli command

az vm image list -f CentOS –all

The image needs to be grabbed from dockerhub URL

cognosys:wordpress-with-centos-77-free:wordpress-with-centos-77-free:1.2019.1008

az container create –resource-group mohazbackupgroup –name mohcontainer –os-type Linux –image cognosys:wordpress-with-centos-77-free:wordpress-with-centos-77-free:1.2019.1008 –dns-name-label azmohlinux –ports 22

Create Windows Server core with IIS

az container create –resource-group mohazbackupgroup –name mohcontainer –os-type windows –image mcr.microsoft.com/windoervercore/centos –dns-name-label azmohlinux –ports 22ws/servercore/iis:nanoserver –dns-name-label azmohiis –ports 80

clip_image012

Here we go I got a machine ready (took about 5 mins)

clip_image013

azmohiis.westeurope.azurecontainer.io

To delete the container, you can write the following

az container delete –resource-group mohazbackupgroup –name mohcontainer

clip_image014

clip_image015

Stay tuned for more articles about Azure.

Error After Migrating ADFS from 2012R2 to 2016

The Story:

You might have got a request to upgrade from ADFS 2012 R2 to Windows ADFS 2016.

This process can be complicated especially if you’ll have to migrate the Database as well and it would be more of an issue when the Database is WID (Windows Internal Database) since there’s no much documentation about troubleshooting issues involving WID on ADFS.

I have got a request from a client whom have done a migration with another consultant and obviously it was not done right.

Symptoms

On Windows 2016 ADFS when trying to update the ADFS SSL certificate I get the following error:

Set-AdfsSslCertificate -ThumbPrint A7etc : PS0159 : The Operation is not supported at the current Farm Behavior Level ‘1’. Raise the farm to at least version ‘2’ before retrying.

At line:1 char:1

clip_image001

Trying to update the database from 1 to 2,3 will also fail with the following error:

Invoke-AdfsFarmBehaviorLevelRaise

image

Error:

Database upgrade cannot be performed on AdfsServer.domain.com. Error: A database for the target behavior level already exists.

Troubleshooting:

If you’re installing ADFS on WID (Windows Internal Database) you should run the following to get the database name/Connect String

On ADFS Server

Open Windows PowerShell

  1. Enter the following:
    $adfs = gwmi -Namespace root/ADFS -Class SecurityTokenService

    and hit Enter

  2. Enter the following:
    $adfs.ConfigurationDatabaseConnectionString

    and hit enter.

  3. You should see the connect string information.

image

Go to Service Console and stop ADFS Service or from Powershell type Net stop adfssrv

Run SQL Server 2017 Database Engine Tuning Advisor as an administrator

clip_image001[4]

Use the Server name as this

\\.\pipe\MICROSOFT##WID\tsql\query

As for Authentication, Use the Windows Authentication with the user you’re logged into if you know that’s a privileged user and can authenticate, If not try with a user which you’ve done the upgrade of ADFS with.

image

After authenticating, You will be able to see AdfsConfiguration , AdfsConfigurationV3 and AdfsArtifactStore. What we need to see is that AdfsConfigurationV3 has data in it and is not totally empty.

clip_image001[6]

After checking and comparing the size between V1 and V3, It appeared that V3 database is empty. So what next?

Solution

Deleting the AdfsConfigurationV3 was the first thought that hit my mind however, before deleting anything I always take a snapshot of the VM since backing up the WID is more painful and takes more time than simply backing up the VM (Checkpoint, Snapshot).

So the steps to fix this issue is

  • Taking a VM Snapshot/Checkpoint/Backup.
  • Download Microsoft SQL Server Management Studio from this link https://go.microsoft.com/fwlink/?linkid=864329
  • Install Microsoft SQL Server Management Studio on ADFS Server
  • Run MS SQL Server Management Studio as Administrator
  • In the Server Name type :

\\.\pipe\MICROSOFT##WID\tsql\query

Leave the Authentication as it is and logon.

image

  • From the SQL Object Explorer right click and Delete the AdfsConfigurationV3 and leave AdfsConfiguration Database only.

image

  • After deleting the Database, Start ADFS Service to make sure that it can load the old database without an issue.
  • Then run the cmdlet Invoke-AdfsFarmBehaviorLevelRaise and Accept by typing Y and Enter.

image

This might take about 5 minutes to finish.

image

When this process is done, You should see the following message indicating the success of the Database Upgrade.

image

To double check, We will run the cmdlet Get-AdfsFarmInformation

image

Updating Certificate

After this success, I am going to run the cmdlet below to replace the current certificate with the new one

Set-AdfsSslCertificate -Thumbprint 9b19426e17180c0b9c5d4atye53dda3bce9dbff

And here we go. It works perfectly fine

image

References:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-sql

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/federation-server-farm-using-sql-server

kms Server Deployment step by step Guide

So What is KMS ?

KMS stands for the abbreviation (Key Management Service) in which enterprises and big companies manage their Software, End user and Servers licenses keys through a single server (Called KMS) which automates the whole process of activation and eliminates the need for an individual or admin interfering to activate them.

Prerequisites for KMS Host:

In order to use KMS, You will need to install Server version of Microsoft Windows. This server can be installed on a Virtual machine or physical one. But still there are requirements to activate other machines.

  • Server needs to be joined to Domain to activate other machines/products.
  • VLSC (Volume License Service Center) Host Key (Can only be acquired through the VLSC portal.
  • If you’re going to activate any Office products (Office 2016/ Office 2019) then you’ll need to download the Office Volume License Pack for those products from the links attached.
  • Run the License Pack you downloaded and enter the Office Key to activate it.

After deploying Windows 2016/2019 Server you can install the role from Server manager or from PowerShell

KMS Installation

Launch powershell in Admin mode and run the following CMDLET

Install-WindowsFeature -Name VolumeActivation

image

image

Continue to the next window and add the required Features

image

The next window will let give you some information about the automation of the license activation for MS products and how KMS works.

image

There are two options of how activating licenses, One is through using a service or the other through joining server/computer to Active Directory KMS will auto activate products if their relevant KMS licenses are entered in the KMS Host server.

image

Install your Windows 2016/2019 KMS Host Server key to create AD Object for KMS

image

Choose your activation Method in order to activate the KMS server

image

If activation continues successfully you’ll be able to see KMS telling you that continuing will create an AD object . Click Yes to continue

image

We’ll wait until this finishes

image

When this works, The next window will give you a warning that Clicking Next will delete the current activation Object which is the AD object that has been previously created. Click Close since we want to keep that.

image

KMS Host Activation

To view the activation of your KMS Host, You can open CMD on the KMS Server and type

slmg.vbs –dlv

As you can see below, it’ll show summary information about the license you entered and other related info.

image

To make sure your installation has went successfully, you can launch ADSI Editor and see if the AD object has been created or not.

From CMD or Powershell type adsiedit.msc

Navigate to Configuration>Services> Microsoft SPP> You should see the Activation Objects there.

image

Activating Office 2016 / 2019

As we mentioned previously to activate office 2016 or Office 2019 you will need to download the Office License pack from the links attached previously.

– Office 2016 License Package link https://www.microsoft.com/download/details.aspx?id=49164

– Office 2019 License Package Link https://www.microsoft.com/en-us/downloads/details.aspx?id=57342

NOTE:

You should not launch Volume License Manager when activating Office products or when trying to enter a KMS License key for Office products, Instead when executing the Office Package it will launch it for you and all you have to do is Enter the Office license key and restart Microsoft Windows Client to get Office activated.

image

Verifying KMS is Working:

To check if KMS is working on the end user’s side we need to get our hands on one of those clients, restart the user’s PC and then launch one of Office apps and see if it’s activated or not. The condition for the End user is that they need to be domain joined to acquire a license from KMS server.

It gets activated right after a restart!

image

Reference

https://docs.microsoft.com/en-us/deployoffice/vlactivation/configure-a-kms-host-computer-for-office

https://docs.microsoft.com/en-us/deployoffice/vlactivation/activate-office-by-using-active-directory

Use Group Based Licensing to Activate Office 365 Users

The Story

I got a request to place users into Security Groups for management purposes, The client have already users active but many of those users have left the work place and still have E3 or E1 Licenses which they should not have since this is pricey licenses and backing up users details is the easiest and most cost effective way of handling this.

So, To start (Prerequisites):

The Group based licensing management is a new feature, Was introduced in 2019 and not many people know that it is there however, This feature doesn’t come for free as you know (Since it’s Microsoft) and you must have a license for it or at least have users with E3 licensing model. So the requirements are:

  • – Azure AD Premium P1 or Higher
  • – Office 365 E3 or Higher.
  • – EMS or Higher.

How does it work?

In order for you to get this to work  you need to make sure you have planned from where you want to manage those groups and their licenses, Online? Or On-Premises?

IF Online

If you’re going to do this online, then you need to create a group for each Licensing Model which represents the intended License and its users e.g. Office365-E1 is going to be created as a security group and dedicated to E1 License users.

Office365-E3 will also be created the same way and users of License type E3 will be added to it.

If On-Premises

If you’re going to manage those groups on-premises, Then you must have ADConnect (Azure AD Sync) tool to sync those groups after creating them.

In my case I have created those groups in the following manner:

image

After creating those groups, You will need to sync them to Office 365 using ADConnect. To force this to sync immediately fire up Powershell on Azure Connect Server and type

Start-ADSyncSyncCycle -PolicyType delta

image

image

What If I have users already assigned with License?

If you have users already assigned licenses and want to manage them using Group Based licensing then you’re going to have to get a list of all your users with their Licenses information into a CSV file and Import those users to the groups you created base on the license they have.

I created a PowerShell that would match user’s names and based on the license mentioned in the CSV file would add them to the relevant group but first you need to export Users from Office 365.

Export Users and their license from Office 365

First of all we’ll connect to Office 365 MSOL Service using Online Powershell

image

Get-MsolUser -All |Where {$_.IsLicensed -eq $true } |Select DisplayName,UsageLocation,@{n="Licenses Type";e={$_.Licenses.AccountSKUid}},SignInName,UserPrincipalName,@{n="ProxyAddresses";e={$_.ProxyAddresses}}| Export-csv -Path C:ExportlicenseUsage.csv -notype

image

So this is how my CSV look right after I exported the users, We need to do some tuning on this CSV file to clean it and get it ready for our PowerShell.

image

There are total of 6 columns in this folder, If for whatever reason you wanted to use the ProxyAddress to distinguish users feel free to keep them in the script but in my case I didn’t need them so I deleted the entire column.

So I will keep the following (Remove Spacing between License Type)

  • DisplayName
  • UsageLocation
  • LicenseType
  • SignInName
  • UserPrincipalName

The Value of the License Type is usually formatted like this “TenantName: License” and in order to make this column useful I am going to remove the Tenant name from all the cells.

Find and Replace can easily remove and clean these values for you.

image

After cleaning the column, this is how it looks

image

This should be useful for us now along with the PowerShell to add the users to their relevant groups.

On Active Directory from an elevated PowerShell

Run PowerShell ISE  from a privileged account and copy + paste this script in ISE,

$ImportedUsers = Import-csv "C:\Users\AD\Desktop\ExportlicenseUsage.csv"

Foreach ($ImportedUser in $ImportedUsers){
$License = $ImportedUser.LicensesType
$E3 = "E3-Office365"
$E1 = "E1-Office365"
$EMS = "EMS-Office365"
$Sam = $ImportedUser.SamAccountName
$ImportedUPN = $ImportedUser.UserPrincipalName

$AllUsers = Get-ADUser -Filter * -Properties *
Foreach ($User in $AllUsers)
{
$UPN = $User.UserPrincipalName

if($user.UserPrincipalName -eq $ImportedUPN -and $License -match "EMS")
{
Add-ADGroupMember -Identity $EMS -Members $Sam
Write-Host $($UPN) "User has EMS License and has been added to the Group EMS" -ForegroundColor DarkGreen -BackgroundColor White
}
ElseIf ($user.UserPrincipalName -eq $ImportedUPN -and $License -Contains "STANDARDPACK")
{
Add-ADGroupMember -Identity $E1 -Members $Sam
Write-Host $($UPN) "User has E1 License and has been added to the Group E1" -ForegroundColor black -BackgroundColor green
}
ElseIf ($user.UserPrincipalName -eq $ImportedUPN -and $License -Contains "ENTERPRISEPACK")
{
Add-ADGroupMember -Identity $E3 -Members $Sam
Write-Host $($UPN) "User has E3 License and has been added to the Group E3" -ForegroundColor Blue -BackgroundColor White
}
}
}

image

Enabling Group Based License from Azure Portal

After this script finishes, I can open Azure Portal

From Azure Active Directory > Licenses > All Products

image   image    image

I will choose the license which I want to assign to a group of which I have created on my on-premises AD

image

Click on the License (Office 365 E1)  and choose Assign from top menu

image

Make sure you select assignment options and customize the license according to the products you want your group members to use then click on Users and Groups and select the relevant Group which you’ve created (In my case it’s E1-Office365)

image

Here, The group has been assigned

image

Click assign and you should be done

image

We will do the same for E3 Users

image

image

NOTE

From now on, Removing any user from this group will revoke their license and any service connected to it, You must be very careful when removing users from this group.

Microsoft has done great job covering this thoroughly and in a great detail including Scripts to be able to do many things like grabbing users who have an inherited license from a group or manually assigned. I am writing down the references if you’re more curious into these.

References:

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-groups-assign

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-ps-examples