Tag Archives: Active Directory

Installing Okta AD Agent 3.22 with gMSA – Blank Error Message

When attempting to install the Okta Active Directory (AD) Agent you may come across a very non-specific error message that literally tells you nothing. (see below)

Digging into the install logs in C:\Program Files (x86)\Okta\Okta AD Agent\logs sadly doesn’t get you to much further to figuring out what is going on. See a code snippit below.

026/05/17 18:11:36.625-04:00 Error -- SERVER_NAME -- Unexpected error: A specified logon session does not exist. It may already have been terminated.

2026/05/17 18:11:36.625-04:00 Error -- SERVER_NAME -- Received System.Security.SecurityException: A specified logon session does not exist. It may already have been terminated.

   at System.Security.Principal.WindowsIdentity.KerbS4ULogon(String upn, SafeAccessTokenHandle& safeTokenHandle)
   at System.Security.Principal.WindowsIdentity..ctor(String sUserPrincipalName, String type)
   at System.Security.Principal.WindowsIdentity..ctor(String sUserPrincipalName)
   at Okta.Agent.Installation.AgentCli.UserUtility.CheckSvcUserPermissions(String username)
   at Okta.Agent.Installation.AgentCli.ConfigCli.VerifySvcUser()
   at Okta.Agent.Installation.AgentCli.ConfigCli.Execute(ConfigurationScope scope, String[] args)
The Zone of the assembly that failed was:
MyComputer

Resolution:

The resolution to this issue is to remove the user that is running the installer from the Protected Users group in Active Directory. I wish Okta’s error reporting was a little more helpful and this took longer than I’d like to admit to track down.

Setting up GSS-TSIG on RHEL9 Bind Server for Active Directory Dynamic DNS Updates (DDNS)

This blog takes over from the last blog on setting up Bind9. If you haven’t already done so follow the instructions on the previous blog before following this blog.
https://paularquette.com/setting-up-bind9-dns-server-on-rhel-9-for-a-brand-new-active-directory-domain-controller/

The next steps that are needed to get GSS-TSIG working is to do the following:

Install krb5-workstation (On Bind Server)

dnf install krb5-workstation

Modify /etc/krb5.conf

[libdefaults]
default_realm = AD.TEST.LAB #UnComment

[realms]
AD.TEST.LAB = {
kdc = ad.test.lab
admin_server = ad.test.lab
}

[domain realm]
.ad.test.lab = AD.TEST.LAB
ad.test.lab = AD.TEST.LAB

Create User (On Domain Controller)

Create user account:
User Logon Name Needs To Match Server Name

Check Password Never Expires
Make sure to check the box for “This account supports Kerberos AES 256bit encryption”

Create KeyTab (On Domain Controller) (Admin Command Prompt)

ktpass -princ DNS/[email protected] -mapuser [email protected] -pass Temp1234 -out C:\Temp\bind.keytab -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1

Copy bind.keytab to RHEL Bind Server

Copy to /tmp
chown named:named bind.keytab
chmod 400 bind.keytab
mv /tmp/bind.keytab /etc

Test kinit

kinit -k -t /etc/bind.keytab DNS/[email protected]
klist

Update /etc/named.conf

Add under options:
tkey-gssapi-keytab “/etc/bind.keytab”;
forwarders { 8.8.8.8; 8.8.4.4; };

Update /etc/named.rfc1912.conf

Comment Out allow-update lines

In Forward Zone Add:

update-policy {
grant * subdomain ad.test.lab. ANY;
};

In Reverse Zone Add:

update-policy {
grant * subdomain 104.1.10.in-addr.arpa. PTR;
};

Fix SELinux

/sbin/restorecon -v /etc/bind.keytab

Force Updates

Restart-Service netlogon (Will Force the DC DNS Entries)
ipconfig /registerdns (Will force A and PTR records)

Setting up Bind9 DNS Server on RHEL 9 for a brand new Active Directory Domain Controller

I installed Red Hat with my developer subscription and chose to install Bind with the GUI installation. The instructions that follow are what needs to be done to setup Bind9 in the most simplistic of forms to allow your first Domain Controller to be installed without installing AD DNS and pointing it to Bind9 instead.

RHEL9 Box:

Hostname: bind
IP: 10.1.104.5

Domain Controller:

Hostname: TestAD01.ad.test.lab
IP: 10.1.104.100

This does not include the instructions for Setting up GSS-TSIG to allow for dynamic updates. These instructions will be in a follow up post.

Configure DNS To Automatically Start

sudo systemctl enable named --now

Verify That DNS is Started

sudo systemctl status named

Configure DNS File

sudo vi /etc/named.conf
listen-on port 53 { localnets; }   #Remove 127.0.0.1
allow-query       { localnets; |;  #Remove localhost

Modify named.rfc1912.zones

sudo vi /etc/named.rfc1912.zones

Create Foward & Reverse Lookups For Zone With File Definition At Bottom of File

zone "ad.test.lab" IN {
       type master;
       file "/var/named/forward.ad.test.lab";
       allow-update { 10.1.104.100; };   #Domain Controller IP
};

zone "0.104.1.10.in-addr.arpa" IN {
       type master;
       file "/var/named/reverse.ad.test.lab";
       allow-update { 10.1.104.100; };     #Domain Controller IP
};

Verify Configuration Files Have No Issue (No News is Good News)

sudo named-checkconf

Create Forward Lookup File (Tab Delimited) [Space between bind.ad.test.lab and root.ad.test.lab]

sudo vi /var/named/forward.ad.test.lab

Create Reverse Lookup File (Tab Delimited) [Space between bind.ad.test.lab and root.ad.test.lab]

sudo vi /var/named/reverse.ad.test.lab

Run Named Checkzone

sudo named-checkzone forward.ad.test /var/named/forward.ad.test.lab
sudo named-checkzone reverse.ad.test /var/named/reverse.ad.test.lab

Restart Named Service

sudo systemctl restart named

Add Firewall Exception for Port 53

sudo firewall-cmd --permanent --add-port=53/tcp
sudo firewall-cmd --permanent --add-port=53/udp
sudo firewall-cmd --reload

Modify resolv.conf

sudo vi /etc/resolv.conf
search ad.test.lab
nameserver 10.1.104.5

After Verifying Forward & Reverse Works, Set DNS IP Config To Sustain Reboots

sudo nmtui

Walk through the GUI and change the DNS Server IP Address to point to yourself. This will make sure through reboots that resolv.conf doesn’t get overwritten back to your old settings.

Bring up a Domain Controller For the Domain

At this point you should be able to bring up a domain controller for the domain name you configured and as long as you configure it with the IP address that you allowed to update those zones you should be able to run a brand new Domain Controller without DNS.

Where we go from here

At this point the next blog will go over setting up GSS-TSIG to allow for dynamic updates from Active Directory clients.

Bringing up a new Active Directory Domain Series (Server 2022) [Part 1]

Change ms-DS-MachineAccountQuota to Zero

This attribute allows all users in the Domain to bind 10 computer objects to the Domain that they control. This could actually lead to more than 10 computer objects since every computer object is also technically a user. Best practices is to disable this setting and set it to Zero.

You can run the following command to see if your domain is currently configured as default of 10 objects:

Get-ADObject -Identity ((Get-ADDomain).distinguishedName) -Properties ms-DS-MachineAccountQuota

If you are currently set to 10 and want to fall in line with best practices you can run the following command to change this attribute to Zero:

Set-ADDomain -Identity ((Get-ADDomain).distinguishedName) -Replace @{“ms-DS-MachineAccountQuota”=”0”}

You will not be provided any feedback, you can then run the first command again to verify things are set to Zero.

Enable Recycle Bin

To enable the Recycle Bin you can run the following command (Replace DOMAIN.COM and make sure quotes copy):

Enable-ADOptionalFeature -Identity “CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=DOMAIN,DC=COM” -Scope ForestOrConfigurationSet -Target “DOMAIN.COM

Create Key for gMSA Accounts

When you bring up a new domain you will need to create the KDSRootKey for group managed service accounts.

Add-KdsRootKey -EffectiveImmediately

KDS root keys are stored in: CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=<forest name>;

Enable Central Store in Group Policy

Create the “PolicyDefinitions” folder in SYSVOL

Once enabled, copy the files from C:\Windows\PolicyDefinitions into this folder

Install & Configure LAPS

You can verify you have the AD Schema updated for LAPS by running:

Update-LapsADSchema

You can verify that the LAPS GPOs are in Computer Configuration > Administrative Templates > System > LAPS

Create Group Policy Security Baseline for Domain Controllers

Download the Windows Server 2022 Security Baseline from Microsoft: https://www.microsoft.com/en-us/download/details.aspx?id=55319

Copy these files to a Domain Controller for example in C:\Temp

Copy the files from \Templates directory into the PolicyDefinitions folder in SYSVOL

In the \Scripts directory run the .\Baseline-ADImport.ps1 file to import the GPOs

Modify the firewall rules to enforce only the rules you specify:

  1. Turn off Rule Merging for all profiles
  2. Turn on firewall log with max size 32,767 for all profiles
  3. Log dropped and successful packets for all profiles
  4. Input Firewall Rules
    • ICMP (Ping Allow)
    • TCP/UDP 53 (DNS)
    • TCP/UDP 88 (Kerberos)
    • UDP 123 (Time Service)
    • TCP/UDP 135 (RPC Mapper)
    • TCP/UDP 389 (LDAP)
    • TCP 445 (SMB)
    • TCP/UDP 464 (Kerberos Password Change)
    • TCP 636 (LDAPS)
    • TCP 3268/3269 (Global Catalog)
    • TCP 49152-65535 (RPC Dynamic Range) [Will modify this later]
    • TCP/UDP 3389 (RDP) [Locked to Trusted IPs]
    • TCP 5985/5986 (WinRM) [Locked to Trusted IPs]
    • TCP 9389 (AD Web Services) [Locked to Trusted IPs]

Manually create the firewall logs on the DCs by launching Windows Defender Firewall, Go to the Log Settings and click “OK”

Create Another GPO or Add These Settings to the Current GPO

Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services > Print Spooler

Define this policy and set the service startup mode to Disabled

Navigate to Computer Configuration > Preferences > Windows Settings > Registry (Use Update HKLM)

SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168\Enabled 0

SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\SSL 3.0\Server\Enabled 0

SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\TLS 1.0\Server\Enabled 0

SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\TLS 1.1\Server\Enabled 0

SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\TLS 1.2\Server\DisabledByDefault 0

SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\TLS 1.2\Server\Enabled 1

Things to check when taking over an Active Directory Domain

This blog is a work in progress but I will be keeping track of things to check when taking over an Active Directory Domain. This is not an all inclusive list but a list of common things to check.

ms-DS-MachineAccountQuota

By default in Active Directory this value is set to “10” which allows ANY user in Active Directory to bind ten machines to the domain. In the beginning stages of Active Directory maybe there was a need for this but now its just a big security risk.

Recommendation: Set this to zero

Protected Users Group

Look at highly privileged accounts and add them to the Protected Users Group if they are compatible with the protections that this group provides.

Recommendation: Add any real user accounts that are at Domain Admin or higher. (Enterprise Admins, Schema Admins, etc.)

krbtgt Account Password

Check the last time this password was changed and if it wasn’t changed in the last 180 days, change it.

Recommendation: Make sure you setup a schedule to recycle this password twice a year. This account holds two passwords so when you change the password you should change it twice, ideally 24 hours apart. That is a total of four password changes a year.

Verify SSL Certificates Exist on the Domain Controllers

Verify that valid certificates are in place for LDAPS calls over port 636. As part of this process investigate and try to remove any traffic that is talking on LDAP port 389.

Recommendation: Use either an internal PKI or public facing certificates to make sure all ldaps traffic is talking Active Directory over a secure connection.

Check if Exchange ExtensionAttributes were installed

If “ExtensionAttribute1” -> “ExtensionAttribute15” are in the schema of User/Computer/Group objects, check to see if any of them are in use.

Recommendation: If they are try to document what they are being used for and which ones are free and able to be used.

Check the Default Computer/User Bind OU

The default container for computer objects is (CN=Computers,DC=DOMAIN,DC=COM). This container cannot have group policy applied to it and objects should be set to write to another OU that can be better managed.

Excerpt from Microsoft here: Redirect users and computers containers – Windows Server | Microsoft Learn

“In a default installation of an Active Directory domain, user, computer, and group accounts are put in CN=objectclass containers instead of a more desirable OU class container. Similarly, the accounts that were created by using earlier-version APIs are put in the CN=Users and CN=computers containers.”

“Some applications require specific security principals to be located in default containers like CN=Users or CN=Computers. Verify that your applications have such dependencies before you move them out of the CN=users and CN=computes containers.”

Recommendation: If these items can be re-directed, redirect them to a different OU and make sure proper OU security is set.

Check Tombstone Lifetime / AD Recycle Bin

If the Active Directory Recycle Bin is not enabled, enable it!

The following PowerShell code can be used to see what the current Tombstone Lifetime is:

Write-Output “Get Tombstone Setting `r”
Import-Module ActiveDirectory

$ADForestconfigurationNamingContext = (Get-ADRootDSE).configurationNamingContext
$DirectoryServicesConfigPartition = Get-ADObject -Identity “CN=Directory Service,CN=Windows NT,CN=Services,$ADForestconfigurationNamingContext” -Partition $ADForestconfigurationNamingContext -Properties *
$TombstoneLifetime = $DirectoryServicesConfigPartition.tombstoneLifetime

Write-Output “Active Directory’s Tombstone Lifetime is set to $TombstoneLifetime days `r “

Note that no value returned means the tombstone lifetime setting is set to 60 days (default for AD forests installed with Windows 2003 or older).

Recommendation: If it is not set to 180 days, set it to 180 days. If the AD recycle bin is not enabled, enable it!

Check to see if Sysmon is installed on the Domain Controllers

Recommendation: If Sysmon is not installed, work on getting it installed and configured on the Domain Controllers at a bare minimum

Check Domain Controller Firewall Settings

This may require a conversation with your Information Security team to understand how the Firewalls are configured that sit in front of the Domain Controllers. You want to make sure the bare minimum number of ports are enabled for client traffic and that admin ports are only able to be accessed by admins.

Recommendation: Review security with Information Security Team, and enable the Windows Firewall on all Domain Controllers and manage it with Group Policy. This also acts as an East/West traffic block so if someone gets into one server on the prod network they don’t automatically have RDP access per say to another DC on the same network segment. Setup monitoring for any RDP sessions, successful ones, and failures (including firewall logs). This will verify anyone RDP’ing to the DCs is legit, and will also help track down threat actors on the network. One of the first things threat actors will try to do is see if they have RDP access to the Domain Controllers, this is good information to send to the SOC or InfoSec.

Check to see if RPC Ports are restricted

Recommendation: If RPC Ports have not been limited on the Domain Controllers, limit them to a few ports, say 100, or 1,000, and then make the associated changes to firewall rules.

Check Time Settings on the Domain Controller running PDC Emulator

Many people know that the clients that talk to the Domain Controllers have to have the correct time, but it is super important that you are pulling a correct time source for your Domain Controllers.

Recommendation: Make sure the Domain Controllers, more specifically the Domain Controller with the PDC FSMO role is pulling its time from a trusted source. It might also be worth writing a script to monitor this as well.

Verify FSMO Role Holder(s), Global Catalog Servers, & Backups

Verify who is running the FSMO roles for your Domain(s). Make all DCs a Global Catalog if you have a single-domain forest. Verify how AD is being backed up.

Recommendation: Depending on your specific situation you may not be able to run all FSMO roles on one DC. In my jobs I have been able to. This allows you to target this DC as the DC to be backed up, snapshotted, etc. If you are running a single-domain forest, make sure all DCs are a global catalog.

Check Trusts

Check to see if there are any trusts configured for the domain.

Recommendation: If there are any trusts, figure out if they are still needed, and make sure there is documentation on why these trusts are setup and when they can be unconfigured.

Check Sites & Services for IP Configuration

Check AD Sites & Services for configuration of IP ranges. Make yourself familiar with how this setup and why it is setup the way it is.

Recommendation: Take notes on if Sites & Services is being used. If it is being used understand the network ranges and why it is configured the way it is. If priority is being given, understand why.

Managing Windows Server Core Firewall with Group Policy

As I’m migrating Domain Controllers over to Server Core one of the major issues I’ve run into is managing the Windows Firewall Rules. On a GUI version of Windows Server it is very easy to see what firewall rules are applied, in core… not so much, especially if you are pushing them with GPO (Group Policy).

All of the PowerShell cmdlets and netsh advfirewall commands all seem to return the local firewall rules and not any of the Group Policy pushed firewall rules. Moreover I could not find an easy way to see what the current firewall rules are that are applied via GPO.

As I have disabled all of the built-in firewall rules as to lock down the Domain Controller Firewall Rules as tightly as possible, even with RPC open and the dynamic RPC range locked to specific ports but open the Windows Firewall MMC would not open. I was seeing no blocked traffic in the Windows Firewall Logs.

I received the following error message:

“There was an error opening the Windows Firewall with Advanced Security snap-in”

“The specified computer could not be remotely managed. Ensure that you are not trying to connect to a remote computer with an earlier version of Windows…..”

My solution to this problem was to enable the built-in Firewall Rules for Remote Firewall Management so you can use MMC console:

Windows Firewall Remote Management (RPC)
Windows Firewall Remote Management (RPC-EPMAP)

These firewall rules seem to have some special magic to them that I haven’t put my finger on yet that allow the Remote MMC Firewall snap-in to work. You can of course lock these rules down to remote IPs as well.

Monitoring Domain Controller Windows Firewall Logs (Part of Active Directory Hardening Series)

The first step before you can monitor the local DC firewall logs is to make sure you have properly setup your domain controllers to log firewall activity. If you have not already turned on firewall logging and increased the log size to the maximum you can configure that by looking at my prior post: https://paularquette.com/lock-down-your-active-directory-domain-controllers-internet-access-part-of-my-active-directory-hardening-series/

I have shared a new script on GitHub to do some basic monitoring of dropped traffic on your Domain Controllers. https://github.com/paularquette/Active-Directory/blob/main/AD_Monitor_DC_Firewall_Logs.ps1

I currently run this script every hour and I get plenty of overlap for logs. The logs roll relatively quick but not that quick. I’m also logging all allows and I may change that in the future to only log drops.

In order to see dropped traffic outbound you would have to have outgoing firewall rules in place. By default traffic is not blocked going out. You can reference my previous post linked above.

In the example below you can see I’m limiting all TCP/UDP outbound traffic on Non HTTP ports to a certain subset of IP ranges:

If this Domain Controller tries to send any NON-HTTP(s) traffic outside of the organization it will show up in the DC firewall logs.

Example of HTML Report:

If your IT Security group has the hardware firewalls super locked down you may not see much if any traffic being dropped on the local DCs, but it still isn’t a bad idea to have another layer of security around such a high profile service!

Changing vCenter Authentication [AD over LDAP(s)]

**EDIT** If you log into vcenter with an Active Directory account you should be able to modify an already existing Identity Source. I had been logging in with local administrator account.

For reference we already had our linked vCenter talking to Active Directory over LDAPS. However, we are currently in the process of migrating all of our VMs over to new hardware. When we tried to move the main Active Directory server providing authentication to vCenter, lets just say it was not happy.

Upon trying to enter into the Identity Sources and update the server(s) manually on the Identity Source that was already being used we received the following message: “Check the network settings and make sure you have network access to the identity source”.

It was not found until after doing some Googling that you have to remove your current running Identity Source in order to make changes. In other words delete the current identity source and add a “new” one in order to make the changes you want to make.

This just seems bad.

However, after doing a lot of testing in our TEST environment I could not seem to run into any snags. If you login with [email protected] and delete and then immediately re-add the identity source back with the same domain name, alias, etc, there does not seem to be any issues. All of your permissions on objects defined with AD groups will remain.

I used the method listed in this VMware KB for grabbing the certificates I needed for both the Primary and Secondary Active Directory Servers. (https://kb.vmware.com/s/article/2041378).