Event 16653 and the RID issue

Hi Folks,

In this post, I would like to share the issue behind Event 16653. It is one of the Directory Services log events that you may come across in a Windows Server 2012 environment.

As you all know, the RID master FSMO role issues each domain controller a pool of 500 RIDs. When a pool is nearly exhausted (more than 500 RIDs have been used), the domain controller contacts the RID master to request another pool.

In a Windows Server 2012 / R2 environment, Event 16653 appears once the registry change described below has been made.

(screenshot: event-id-16653)

By default, a pool contains only 500 RIDs. However, this value can be modified in the registry so that AD administrators can bulk-create more than 500 objects at once.

Event 16653 appears when administrators create more than 15,000 objects: 15,000 RIDs is the maximum that can be issued in one pool.
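The following script is an added example, not part of the post: run on a domain controller, it reads the RID Block Size registry value, works out how many RIDs this DC has left in its current pool, shows the domain-wide pool held by the RID master, and looks for Event 16653 in the Directory Service log. It assumes the ActiveDirectory module (RSAT) is available; the function name Split-RidPool is my own.

```powershell
Import-Module ActiveDirectory

function Split-RidPool {
    # RID pool attributes are 64-bit: low 32 bits = first RID in the pool, high 32 bits = last RID.
    param([int64]$Pool)
    [pscustomobject]@{ Start = $Pool -band 4294967295; End = $Pool -shr 32 }
}

# 1. Registry override of the pool size: absent means the default 500; Windows Server 2012 caps it at 15,000.
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\RID Values'
$blockSize = (Get-ItemProperty -Path $regPath -Name 'RID Block Size' -ErrorAction SilentlyContinue).'RID Block Size'
if ($null -eq $blockSize) { $blockSize = 500 }
"RID Block Size configured: $blockSize, effective: $([math]::Min($blockSize, 15000))"

# 2. This DC's RID Set: how many RIDs remain before it must ask the RID master for another pool.
$dc     = Get-ADDomainController -Identity $env:COMPUTERNAME
$ridSet = Get-ADObject -Identity ('CN=RID Set,' + $dc.ComputerObjectDN) `
            -Properties rIDPreviousAllocationPool, rIDAllocationPool, rIDNextRID
$cur = Split-RidPool $ridSet.rIDPreviousAllocationPool
"Current pool $($cur.Start)-$($cur.End); last RID issued $($ridSet.rIDNextRID); remaining $($cur.End - $ridSet.rIDNextRID)"

# 3. Domain-wide pool owned by the RID master (the RID Manager$ object under CN=System).
$domain = Get-ADDomain
$mgr    = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $domain.DistinguishedName) -Properties rIDAvailablePool
$avail  = Split-RidPool $mgr.rIDAvailablePool
"Next pool starts at RID $($avail.Start); ceiling $($avail.End); RID master is $($domain.RIDMaster)"

# 4. Any Event 16653 in the Directory Service log (block size set above the cap).
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 16653 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

A steadily shrinking "remaining" value with no new pool arriving points at the RID master rather than at the registry setting.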

Secure Virtual Domain Controller using BitLocker Encryption

Hi, today's topic is securing a virtual domain controller with BitLocker encryption.

A virtual domain controller is at critical risk whenever its VHD folders can simply be copied and placed somewhere else. Nowadays, using BitLocker encryption is one useful factor in securing our production environment.

(screenshot: hyper-nomdc)

Moreover, BitLocker's best friend, and the technology that enhances it most, is the Trusted Platform Module (TPM), which you will find on the motherboard itself and enable in the BIOS.

In my lab environment, I run my Hyper-V host on my Lenovo ThinkPad. The way to secure the virtual domain controller is to enable BitLocker encryption on the host of the virtual machine.

Simple to do:

  1. I enabled the TPM / security chip in the BIOS setup. I am very fortunate that Lenovo provides a tool to check it; you may download it here. You can see that the setting is Active, which means the TPM is enabled.
    (screenshot: tpm-is-active)
  2. After that, you need to add the BitLocker Drive Encryption feature on the Hyper-V host. You may need to restart the server.
    (screenshot: enable-bitlocker)
  3. In Control Panel, you manage BitLocker and choose which volume to turn it on for. In the screenshot below, I turned on BitLocker for my operating system drive, because my virtual machine folders are in the default location. If you relocate your virtual machine folder to a different drive, turn on BitLocker on the drive that holds the VM VHD/VHDX files.
    (screenshot: bitcontrolpanel)
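As an added check (example code, not from the post), this script runs on the Hyper-V host and lists every VM disk that sits on a volume BitLocker is not protecting, after confirming the TPM is ready. It assumes the Hyper-V and BitLocker modules are installed; the function name Get-UnprotectedVmDisks and the D: data volume are my own choices.

```powershell
Import-Module Hyper-V
Import-Module BitLocker

function Get-UnprotectedVmDisks {
    # Every VHD/VHDX of every VM whose volume is not currently protected by BitLocker.
    $volumes = Get-BitLockerVolume
    foreach ($vm in Get-VM) {
        foreach ($disk in Get-VMHardDiskDrive -VMName $vm.Name) {
            if (-not $disk.Path) { continue }                                   # pass-through disks have no file path
            $drive  = [System.IO.Path]::GetPathRoot($disk.Path).TrimEnd('\')   # "D:\VMs\dc01.vhdx" -> "D:"
            $vol    = $volumes | Where-Object { $_.MountPoint -eq $drive }
            $status = if ($vol) { [string]$vol.ProtectionStatus } else { 'NoBitLocker' }
            if ($status -ne 'On') {
                [pscustomobject]@{ VM = $vm.Name; Disk = $disk.Path; Volume = $drive; Protection = $status }
            }
        }
    }
}

# Step 1 of the post: is the TPM present and ready to hold the key?
$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent); ready: $($tpm.TpmReady)"

# Step 3 check: anything listed here is a VM whose disk could still be copied off the host in clear.
Get-UnprotectedVmDisks | Format-Table -AutoSize

# If the VMs live on a data volume (assumed D:) rather than the OS drive, protect that volume too.
# The TPM protector is only for the OS volume; a data volume gets a recovery password and is
# auto-unlocked by the TPM-protected OS volume at boot, so no key has to be typed on the host.
# Enable-BitLocker -MountPoint 'D:' -RecoveryPasswordProtector
# Enable-BitLockerAutoUnlock -MountPoint 'D:'
```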

Secure Your Infrastructure with Least Privileges

Hi,

I would like to post this topic on securing your infrastructure with least privileges based on each server's requirements. Everybody loves to make things easier by handing out full privileges to some extent, but has it crossed your mind to secure your infrastructure instead?

I believe that in a Windows environment, Active Directory is the most popular service that system admins like to centralize on, and I agree with that. The highest privileges in an AD environment are Domain Admins for each child domain and Enterprise Admins for the forest and its child domains.

Of course, in a lab environment system admins, myself included, like to use Domain Admins and Enterprise Admins. However, in production I would not suggest having so many domain users granted, or attached to, those Domain Admins and Enterprise Admins groups. It is quite scary.

In the attachment, I summarized the privileges required for each service.

For example, for a DHCP server in an AD domain environment, you may require delegated permission to authorize the server in AD during first-time configuration. Also, to manage the DHCP server afterwards you only need the DHCP Administrators group, not Domain Admins.

Attachment:

Requirement Privilege Document
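To see how far a domain is from the least-privilege picture described above, this added example (not part of the post or its attachment) flattens the nested membership of the highest-privilege groups and then shows the DHCP case: granting DHCP management through DHCP Administrators only. It assumes the ActiveDirectory module; Get-PrivilegedAccounts and the group DHCP-Ops are names I made up.

```powershell
Import-Module ActiveDirectory

function Get-PrivilegedAccounts {
    # Every user account that ends up in a top-privilege group, directly or through nesting.
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'))
    foreach ($g in $Groups) {
        # Enterprise Admins / Schema Admins only exist in the forest root domain; skip them elsewhere.
        $grp = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
        if (-not $grp) { continue }
        Get-ADGroupMember -Identity $grp -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $u = Get-ADUser -Identity $_.distinguishedName -Properties LastLogonDate
                [pscustomobject]@{
                    Group     = $g
                    User      = $u.SamAccountName
                    Enabled   = $u.Enabled
                    LastLogon = $u.LastLogonDate   # a privileged account nobody has used for months is a candidate for removal
                }
            }
    }
}

$priv = Get-PrivilegedAccounts | Sort-Object Group, User
$priv | Format-Table -AutoSize
"$(@($priv | Select-Object -ExpandProperty User -Unique).Count) distinct accounts hold top-level admin rights"

# DHCP the least-privilege way: members of DHCP Administrators can manage scopes and leases
# without being Domain Admins. On a DC-hosted DHCP server the group lives in AD; on a member
# server it is a local group, so use 'net localgroup "DHCP Administrators" <domain>\DHCP-Ops /add' there.
Add-ADGroupMember -Identity 'DHCP Administrators' -Members 'DHCP-Ops'
```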

Problem: LAPS

Hi,

I am back with a question that is often asked when people install LAPS.

“Question: Why do I still have a blank password and expiration time?”

(screenshot: laps blank password)

Answer:

  1. First of all, the computer has to be joined to the domain. If the computer is not joined to the domain, you will not get values in those two attributes.
  2. Make sure that you do not manually add the computer account in Active Directory. Some people claim they already joined the domain, but they actually created a computer account manually with the same computer name.
  3. LAPS was installed differently from the rest of the deployment.
  4. LAPS was installed manually. Some computers are joined to the domain, but LAPS was installed manually on them and they are unable to connect or communicate with Active Directory.
  5. I recommend deploying the LAPS installation through Group Policy.
  6. The computers are located in a different organizational unit (OU). In a large organization you might have many computers and other inventory that are sometimes hard to manage and cascade, so some computers may not get the LAPS install or the attribute values. For example, your computers are in the HQ OU in Florida, but you also have an HQ OU in New York, and the LAPS Group Policy was configured on the HQ OU in New York. This is why the password is blank.
  7. The local administrator account is misconfigured. By default, LAPS manages the built-in Administrator account. If you configured Group Policy to use a specific account, make sure that you create that user account on the client computer.
  8. Make sure you have a supported OS platform. Please check the link here: https://technet.microsoft.com/en-us/mt227395.aspx.
  9. Please make sure that you have permission, and proper delegation for users, to view ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime. Normally a domain user cannot see these, because this confidential attribute is managed only by AD administrators.
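This added function (example code, not from the post) walks the checklist above for one computer: AD object present and from a real join, schema extended, expiration attribute populated, which OU the machine really sits in and whether a LAPS GPO reaches it, whether the client-side extension is installed, and who may read the password. It assumes the ActiveDirectory and GroupPolicy modules, optionally AdmPwd.PS; matching the GPO name on "LAPS", the admin share path to AdmPwd.dll and the computer name WS-FL-001 are assumptions about your deployment.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Test-LapsState {
    param([Parameter(Mandatory)][string]$ComputerName)
    $r = [ordered]@{ Computer = $ComputerName }

    # Items 1/2: the object must exist and come from a real domain join. A manually pre-created
    # account normally has no OperatingSystem until a client actually joins with that name (heuristic).
    $c = Get-ADComputer -Filter "Name -eq '$ComputerName'" `
         -Properties 'ms-Mcs-AdmPwdExpirationTime', 'ms-Mcs-AdmPwd', DNSHostName, OperatingSystem
    if (-not $c) { $r.Problem = 'No computer object in AD: machine is not domain joined'; return [pscustomobject]$r }
    $r.LooksManuallyCreated = [string]::IsNullOrEmpty($c.OperatingSystem)

    # Item 8 / schema: both LAPS attributes must exist in the schema.
    $schema = (Get-ADRootDSE).schemaNamingContext
    $r.SchemaExtended = @(Get-ADObject -SearchBase $schema `
        -Filter "name -eq 'ms-Mcs-AdmPwd' -or name -eq 'ms-Mcs-AdmPwdExpirationTime'").Count -eq 2

    # The expiration is a Windows FILETIME (100-ns ticks since 1601); blank means the CSE never ran.
    $exp = $c.'ms-Mcs-AdmPwdExpirationTime'
    $r.Expiration = if ($exp) { [datetime]::FromFileTimeUtc([int64]$exp) } else { 'BLANK' }
    # Item 9: an empty value here while Expiration is set means you lack the read right, not that LAPS failed.
    $r.PasswordReadable = -not [string]::IsNullOrEmpty($c.'ms-Mcs-AdmPwd')

    # Item 6: which OU the computer really sits in, and whether an enabled LAPS GPO is inherited there.
    $ou = ($c.DistinguishedName -split ',', 2)[1]
    $r.OU = $ou
    $r.LapsGpoLinked = [bool]((Get-GPInheritance -Target $ou).InheritedGpoLinks |
                        Where-Object { $_.Enabled -and $_.DisplayName -match 'LAPS' })

    # Items 3/4/5: is the client-side extension actually installed on the machine (admin share reachable)?
    $r.CseInstalled = Test-Path "\\$ComputerName\C$\Program Files\LAPS\CSE\AdmPwd.dll"

    # Item 9: who holds the extended right to read the password in this OU (needs the AdmPwd.PS module).
    if (Get-Module -ListAvailable -Name AdmPwd.PS) {
        Import-Module AdmPwd.PS
        $r.PasswordReaders = (Find-AdmPwdExtendedRights -Identity $ou).ExtendedRightHolders -join ', '
    }
    [pscustomobject]$r
}

Test-LapsState -ComputerName 'WS-FL-001'   # constructed computer name
```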


Here is an example screenshot of the software deployment via Group Policy.

(screenshot: group policy LAPS)

Connect and Integrate AD Identities On-Premise to Azure AD

In this topic, I would like to cover connecting and integrating your existing AD accounts at home or in the office (on-premises) with Azure AD. This gives you single sign-on to other applications such as Office 365, Dropbox, etc.

All you need is to install the Azure AD Connect tool. You may download it at this link here.

Follow the steps below.

Step 1: On the welcome page of the Microsoft Azure Active Directory Connect wizard, check the box “I agree to the license terms and privacy notice” and click Continue.

(screenshot: w1.JPG)

Step 2: You may use the express settings for a faster installation. This helps you understand how you connect to Azure AD. With express settings, the wizard automatically discovers your forest; in this example it is NETOVERME.

To continue, click Express Settings.

(screenshot: w2.JPG)

Step 3: You need to enter your Azure AD account. If you have multiple accounts in this Azure tenant, use the account that holds the “Global Admin” role.

In my example, I use “aliyani@example.onmicrosoft.com”. Click Next to continue.

(screenshot: w3.JPG)

Step 4: Then you will be asked for an admin account in your on-premises AD forest. Click Next.

(screenshot: w4.JPG)

Step 5: The final step is to start the installation.

(screenshot: w5.JPG)

(screenshot: finish.jpg)

Successful output: this is the screenshot I captured from my Azure portal.

(screenshot: SUCCESS.jpg)
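Once the wizard reports success, this added script (not from the post) confirms from both sides that synchronization actually happens: it checks the on-premises scheduler, triggers a delta sync, reads the tenant's last sync time, and lists enabled on-premises users that never arrived in Azure AD. It assumes the ADSync module installed by Azure AD Connect, the MSOnline module, and the ActiveDirectory module on the same server.

```powershell
Import-Module ADSync
Import-Module MSOnline
Import-Module ActiveDirectory

# On-premises side: the scheduler must be enabled and have a next run planned.
$sched = Get-ADSyncScheduler
"Sync enabled: $($sched.SyncCycleEnabled); interval: $($sched.AllowedSyncCycleInterval); next run (UTC): $($sched.NextSyncCycleStartTimeInUTC)"

# Kick off a delta sync now instead of waiting for the scheduled cycle.
Start-ADSyncSyncCycle -PolicyType Delta

# Azure AD side: prompts for the Global Admin account used in Step 3.
Connect-MsolService
$tenant = Get-MsolCompanyInformation
"DirSync enabled: $($tenant.DirectorySynchronizationEnabled); last sync from on-premises: $($tenant.LastDirSyncTime)"

# Compare what should have been synced (express settings take the whole forest) with what arrived.
$onPrem = @(Get-ADUser -Filter 'Enabled -eq $true')
$synced = @(Get-MsolUser -All | Where-Object { $_.LastDirSyncTime })   # only objects that came from DirSync
"On-premises enabled users: $($onPrem.Count); Azure AD users sourced from DirSync: $($synced.Count)"

# Anything listed here did not sync; the usual causes are a missing UPN suffix or an OU filtered out later.
$onPrem | Where-Object { $_.UserPrincipalName -notin $synced.UserPrincipalName } |
    Select-Object SamAccountName, UserPrincipalName
```

A non-routable UPN suffix such as .local is the most common reason a user shows up in the last list; Azure AD rewrites it to the onmicrosoft.com domain.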