Active Directory Archives - Kevin Justin's Blog

Setting up PowerBI Report Server SPN

‘Setting up PowerBI Report Server SPN’ in hybrid environments when the PowerBI cloud service is not <yet> an option in an organization. This article will go through SPN commands, to secure via Kerberos authentication and/or smart card usage for Security requirements (i.e. STIG, CCRI, SOX, HIPAA, PCI, Security Scans, <insert other regulatory requirements here>). Lastly, PowerBI Report Server can be setup to run parallel to SSRS SQL instance. Refer to SPN commands below which helped me setup SmartCards authentication based on SPN setup.

Find/replace

DOMAIN

POWERBIREPORTSERVER

FQDN

svc.PowerBI.scomda

svc.PowerBI.scomdr

SPN commands to set up SQL & PowerBI

Create SPN for PowerBI Report Server

# RE: PBIRS SPN’s
SetSPN -s “MSSQLSvc/POWERBIREPORTSERVER.FQDN” “DOMAIN\svc.PowerBI.scomda”
SetSPN -s “MSSQLSvc/POWERBIREPORTSERVER” “DOMAIN\svc.PowerBI.scomda”

Create PowerBi Report Server SPN’s for OLAP

# PBIRS & MSSQL
# Remove the SPN’s for SQL on Report Server
setspn -d MSOLAPSvc.3/POWERBIREPORTSERVER POWERBIREPORTSERVER
setspn -d MSOLAPSvc.3/POWERBIREPORTSERVER.FQDN POWERBIREPORTSERVER

Create PowerBI Report Server SPN for service/gMSA account

setspn -d HTTP/POWERBIREPORTSERVER.FQDN:443 DOMAIN\svc.PowerBI.scomdr
setspn -d HTTP/POWERBIREPORTSERVER:443 DOMAIN\svc.PowerBI.scomdr

Create SQL SPN’s for SSRS reporting

SetSPN -s “MSSQLSvc/POWERBIREPORTSERVER.FQDN” “DOMAIN\svc.PowerBI.scomda”
SetSPN -s “MSSQLSvc/POWERBIREPORTSERVER” “DOMAIN\svc.PowerBI.scomda”

Create SQL HTTP SPN’s for SSRS reporting

setspn -s HTTP/reports.FQDN DOMAIN\svc.PowerBI.scomdr
setspn -s HTTP/reports DOMAIN\svc.PowerBI.scomdr

Lastly, test authentications to PowerBI server…

Verify PBIRS (PowerBI Report Server) log file for ReportServerService_HTTP_ entries after successful auth

File PATH = D:\Program Files\Microsoft Power BI Report Server\PBIRS\LogFiles

Documentation

PowerBI with Service Principal https://powerbi.microsoft.com/en-us/blog/use-power-bi-api-with-service-principal-preview/

Configure Kerberos SSO https://learn.microsoft.com/en-us/power-bi/connect-data/service-gateway-sso-kerberos

Updated DNS2012R2 Addendum

Updated DNS2012R2 Addendum overrides. Learned a few new things with Overrides workspace views, and why Authoring pane > Management pack Objects > Overrides may not load.

When your management pack has improper overrides, expect the loading icon. This may be caused due to overrides, whether error is with target, class/rule/monitor.

Sometimes, an Object of class error gets your hopes up (pointing at a non-existent object).

Example when Overrides loads properly

When Authoring Tab Overrides view loads successfully.

If Overrides view will not load, try creating a workspace view for Overrides.

Navigation Steps:

From SCOM Console

Click on My Workspace

Right Click > New > Overrides Summary View

Select checkbox ‘with a specific override management pack’ checkbox, then the ‘specific’ link to choose management pack(s).

Select Specific Override management pack(s)

Choose unsealed management pack(s) with overrides

Can select all – OR pick a few to see what loads without errors

Click OK

If you get the loading screen and error, now begins the pack analysis.

Clicking on the ‘Show’ link points to a non-existent object

Microsoft.EnterpriseManagement.Common.ObjectNotFoundException: An object of class ManagementPackClass with ID 76e2559c-aaf4-b1ec-60cf-d40ab4102fbc was not found.

How did I know that?

Run get-SCOMClassInstance command from PowerShell or Operations Manager shell

Example output of ‘get-SCOMClassInstance -ID “76e2559c-aaf4-b1ec-60cf-d40ab4102fbc” ‘

Get-SCOMClassInstance output of the GUID listed in the console error.

Work on the Overrides of the affected XML packs, and Import.

Once corrected, the Workspace view loads successfully, finite!

Overrides Workspace view of addendum packs

Documentation

My Workspace https://learn.microsoft.com/en-us/system-center/scom/manage-web-console-my-workspace?view=sc-om-2022

Monitoring workspace https://learn.microsoft.com/en-us/system-center/scom/manage-using-monitoring-workspace?view=sc-om-2022

AD insight reports

Download the ‘AD insights pack’ for new capabilities to audit users, svc/MSA accounts, password last set, expiring, last login AD insights. Includes AD group audit alert capability.

Quick Download https://github.com/theKevinJustin/ADInsights/

AD audit

Time to provide key ‘AD insight reports’ into users and groups. Delve into different AD audit capabilities for users and groups. The pack also gathers DC Security events (rules), and lastly, on demand tasks for reports.

The question is what determines a problem?

Every domain admin has a different experience and perspective, whether cyber (hack) focused or not. Audit standards differ, from HIPAA, SOX, CCRI, STIG, etc.

Pack examples:

Users – service account naming conventions, password change frequency, expired date/time configured.

Groups – Choose your OU structure to audit WA in DA, SA in DA, WA in SA etc.

NOTE: Take caution on the OU group audit, to limit the output, as events have a size limitation

Configure ‘AD insight reports’

Now we can configure the user pack for applicable standards, like password age, last set, or AppOwners. The AppOwners is an array, so you can add whatever Application, system owners/teams in your organization. The password datasource (DS) rule runs weekly.

Configure the Password Time, last set, month, week and AppOwners to build out actionable svc/msa accounts failing audit artifacts.

Break out the regular expressions of whatever accounts each team uses, to tailor relevant data into the report alert. Find/Replace (Control-H) might be more effective, as the DS/WA repeat the logic for the on-demand task report, vs. the rule and monitor.

App Owner relevant service accounts by SamAccountName

Update patterns ID naming conventions

Tailor account names to environment to match ingested DC Security events.

Tailor the DC Security Events to account naming conventions.

Configure OU to environment

Configure OU structure to audit based on domain canonical names, groups, DC, etc.

Save file(s) and import

PKI Addendum pack

The ‘PKI Addendum pack’ is a tricky pack, due to certificate hierarchy. The decisions included are part of the three pillars – health, Security, Compliance, as well as alerting WHEN manual intervention required.

QUICK DOWNLOAD https://github.com/theKevinJustin/PKIAddendum

The PKI pack provides discoveries of the server certificate stores to then analyze certificates for validity, chain, and expiration. The v1.4.3.0 release adds some task logic and script changes that helps discover more stores, trusted root, etc.

WHAT CAPABILITIES DOES THE ‘PKI ADDENDUM PACK’ PROVIDE?

Set timeframe for certificate per organizational standards.

Break out different expiration alerts based on internal/external certificate, or by AD Client Certificate enrollment templates (to build out the manual intervention required scenario when alerts are generated).

Create groups breaking out application self-signed, PKI certificates.

Separate RDP Auth, Domain Controller, Computer, and OCSP certificates.

If this sounds interesting, and you want to dabble in XML authoring…

Download the pack from GitHub to improve PKI monitoring on Windows Servers.

Additional screenshots of addendum components

Addendum pack creates multiple groups to break out various types of certificates that have different decisions/behaviors requiring unique timing

Groups

Discoveries

Leverage dynamic groups based on server name and EnhancedKeyUsageList (EKU) list

Overrides

Change PKI pack default discoveries, lifetime threshold expirations and more

DOCUMENTATION AND LINKS

Addendum requires the PKI Certificate MP release v1.4.3.0 download

Bob’s TopQuore blog

DNS2012R2 Addendum pack

Still running Server2012R2 servers with AD DCs with AD integrated DNS?

In case you’re still running Windows Server 2012R2, here’s the ‘DNS2012R2 Addendum pack’ giving the same functionality as the version agnostic 2016+ addendum. Why? DNS is a translation method to convert names to IP’s. Can you imagine if we wanted to connect to google via IP? The number of workflows in the SCOM DNS pack (built by the DNS Product Group) makes for an astounding number of workflows running on your DC every minute. Forward and reverse lookups are a good check, verifying DNS is functioning. In a complex environment with 100’s of zones, SCOM becomes a utilization culprit for a DC’s primary missions – authenticate and resolve. This article will help you understand how the pack will add new capabilities and tune DNS monitoring to best practice.

Quick Download HTTPS://GITHUB.COM/THEKEVINJUSTIN/DNSADDENDUM2012R2/

What capabilities does the ‘DNS Addendum pack’ provide?

Count logic monitors (i.e. x events in y time, and self heal)

Daily summary report of DNS alerts broken out

Daily alert closure workflow to close out DNS rules/monitor

DNS service(s) recovery automation

Synthetic internal/external nslookup monitor (scoped to PDC emulators versus ALL DNS servers

WMI validation alert recovery to prevent false positive alerts with weird one off scenarios – one example: Security tools randomly block WMI access.

Download the ‘DNS2012R2 Addendum pack’ on GitHub to improve AD Integrated (ADI) DNS monitoring on Windows Server 2016+ (version agnostic).

Save and Import pack, then update XML for group GUIDs

Update XML

First, update XML with the GUIDs from your management group. Second, map the group DisplayName to find/replace the GUID for each group.

Get-SCOMClassInstance output for DNS2012R2 groups

Third, using Notepad++ highlight the ContextInstance GUID and hit Control-H, and paste the group GUID then click Replace All.

Fourth – Rinse and repeat for the other three groups.

Lastly, save file, move to SCOM MS, and import!

Documentation and links

DNS Pack download

DNS2012R2 addendum blog including updates

GitHub Repository https://github.com/theKevinJustin/DNSAddendum2012R2/

DNS Addendum pack

nslookup to find out IP to name or name to IP resolution.

Simply put: Leverage the ‘DNS Addendum pack’. Why? DNS is a translation method to convert names to IP’s. Can you imagine if we wanted to connect to google via IP? The amount of workflows in the SCOM DNS pack (built by the DNS Product Group) makes for an astounding number of workflows running on your DC every minute. Forward and reverse lookups are a good check, verifying DNS is functioning. In a complex environment with 100’s of zones, SCOM becomes a utilization culprit for a DC’s primary missions – authenticate and resolve. This article will help you understand how the pack will add new capabilities and tune DNS monitoring to best practice.

QUICK DOWNLOAD(S)

2016+ https://github.com/theKevinJustin/DNSAddendumAgnostic

What capabilities does the ‘DNS Addendum pack’ provide?

Count logic monitors (i.e. x events in y time, and self heal)

Daily summary report of DNS alerts broken out

DNS service(s) recovery automation

Daily alert closure workflow to close out DNS rules/monitor

Synthetic internal/external nslookup monitor (scoped to PDC emulators versus ALL DNS servers

WMI validation alert recovery to prevent false positive alerts with weird one off scenarios – one example: Security tools randomly block WMI access.

Download the DNS Addendum on GitHub and the PDF install guide, to improve AD Integrated (ADI) DNS monitoring on Windows Server 2016+ (version agnostic).

XML authoring

The pack greatly decreases alerts, workflows on your AD integrated DNS servers, and the XML authoring is an easy feat. After you import the pack, find/replace is required for two pieces.

Group GUIDs update, after installing this pack.

Find/replace the GUIDs, as they are unique to every SCOM management group, hard coding the group ID GUID is not possible.

From PowerShell, on your SCOM management server, run these commands (after DNS Addendum installed)

Use get-scomclassinstance -DisplayName “GroupNameHere” | ft Id

Find/Replace the GUID in the pack with the ID from the output above.

Discovery group regular expressions (RegEx)

##DNSServerRegEx##

Find ##DNSServerRegEx## and replace with your DNS server expressions.

Example server names: 16dns01, 19dc01,16dns02,19dc02,19dc03, etc.

RegEx = (?i)16dns0|19dc0

DNS Group discovery example of RegEx for find/replace

Save and Import & Enjoy!

ADFS Addendum pack

Do you associate StarTrek when the word federation is used inside of federation services (ADFS)?

To begin, the ‘ADFS addendum pack’ needs acknowledgement of the contributors who dealt with my many questions to better alert on AD issues! My thanks to Jason Windisch for his help and expertise with Active Directory Federation Services (ADFS). If you need more background, check the ‘why addendum pack’ post. BTW, what do you associate with the word – Federation?

Quick Download(s)

2016+ https://github.com/theKevinJustin/ADFSAddendum

Overview of capabilities

The Active Directory Federation Services ‘ADFS Addendum pack’ configures ADFS group of related classes for notification/subscription modeling. Second, the rules, service monitors, tasks, service recovery, alert cleanup, and summary reports aid consumption of real issues. Third, if you have ADFS2012R2, I have an addendum pack, but coordination necessary to get the ADFS management packs MSI (not currently available). Lastly, most environments should be 2016+, as the EOL/EOSL is quickly approaching in October!

ADFS Addendum pack creates ADFS Group AND discovery requiring server names applicable to environment.

ADFS Group discovery requires server names applicable to environment

Tailoring the pack(s) to your environment

First, the Active Directory Federation Services management packs MUST be installed for the ‘ADFS Addendum pack’ to load. 2016+ agnostic is currently supported, as the 2012,2012R2 products are near end of support.

Find/Replace the variables as needed

##ADFSSERVERNAME1##|##ADFSSERVERNAME1##|##LAB##

Save file

Workflows

First, the DataSources (DS) and WriteActions (WA) clean up alerts, create daily reports, where the WA are the on-demand tasks versions.

Data source (DS) scheduled workflows run weekdays between 0600-0700 local SCOM management server local time. The summary and team reports (run during this time) summarize key insights. NOTE: the Monday report gathers the last 72 hours, so administrators get a ‘what happened over the weekend’ view. Tuesday-Friday reports are past 24 hours. Lastly, the group policy report summarizing unique GPUpdate error output.

Monitoring

Addendum pack rules schedule data source execution, add on-demand tasks. The service monitor, and Recovery tasks add service recovery automation to bring us to the ‘manual intervention required’ alerting. There are a few monitor/rule overrides to match the health model.

Import

Download updated ‘ADFS addendum pack’ and save to your environment

Import into SCOM

Enjoy!

Documentation

ADFS 2016+ management pack download

ADDS addendum pack

Active Directory monitoring - definitely needs an addendum! — Active Directory monitoring – definitely needs an addendum!

To begin, the ‘ADDS addendum pack’ needs acknowledgement of the contributors who dealt with my many questions to better alert on AD issues! My thanks to Bob Williams, Vance Cozier, Jason Windisch for their help and expertise with Active Directory (AD/ADDS). If you need more background, check the why addendum pack post.

Quick Download(s)

2012 HTTPS://GITHUB.COM/THEKEVINJUSTIN/ADDS2012ADDENDUM/

2012R2 HTTPS://GITHUB.COM/THEKEVINJUSTIN/ADDS2012R2ADDENDUM/

2016+ https://github.com/theKevinJustin/ADDSAddendumAgnostic

Overview of capabilities

The Active Directory ADDS Addendum pack(s) change how Tier0 health, and Domain Admins consume alerts. Then, AD product team re-wrote the packs back in 2016 to PowerShell workflows. Many workflows measuring replication, health of your forest(s), at the cost of less alert noise than the 2008 packs. Third, the addendums for 2012, 2012R2, and 2016+ version agnostic should help reduce alert ‘burden’. Lastly, most environments should be 2016+, as the EOL/EOSL is quickly approaching in October!

Workflows

First, the DataSources (DS) and WriteActions (WA) clean up AD pack alerts, create daily reports, team, and AD pack summary alerts, where the WA are the on-demand tasks versions.

DataSources (DS) and WriteActions (WA) clean up AD pack alerts, create daily reports, team, and AD pack summary alerts, and the WA are the on-demand tasks versions of the DS

Monitoring

Addendum pack rules schedule data source execution, adding on-demand task alerts, including new group policy rule alerts. The Recovery tasks add service recovery automation to bring us to the ‘manual intervention required’ alerting. There are a few monitor/rule overrides to match the health model. NOTE: The 2012R2 pack is missing the component alert, as there’s less than 2 months until the platform support ends.

The component alert is a new workflow that’s helped Tier0 admins.

Basically, this is a PowerShell workflow that checks SCOM alerts for multiple DC alerts to determine DC health. I don’t change the AD critical service monitors, but simply summarize the alerts to tell you when intervention is required.

Tailoring the pack(s) to your environment

First, the Active Directory Domain Services management packs MUST be installed for the ‘ADDS Addendum pack'(s) to load. The three versions currently supported have addendums, hopefully 2012,2012R2 are planned to be decommissioned in the short term.

Update the AD summary and team reports

The AD summary and team reports for specific Tier0 servers owned by Domain Administrators, AD Team (or any other aliases the SME’s may go by) group regular expressions.

In your favorite XML editor (mine is Notepad++), open the addendum pack(s), and find/replace for the following strings:

Look for the $ADDSServerAlerts

$ADDSServerAlerts = $ADDSReportAlerts | ? { ( $_.NetBiosComputerName -like “*A1*” ) `

Save pack

Import and enjoy!

Documentation

ADDS 2012+ management pack download

ADCS Addendum packs

ADCS 'gift' certificate - don't we all wish! — ADCS ‘gift’ certificate – don’t we all wish!

If only certificates were all gift certificates! The ‘ADCS Addendum packs’ disables noisy rules, adds OCSP seed, OCSP responder and OCSP group (classes). Recovery and service monitoring and nCipher event are the main highlights reducing alerts for ADCS 2012,2012R2,2016+. My thanks to Bob Williams CSA, for the assist!

Quick Download(s)

2012 HTTPS://GITHUB.COM/THEKEVINJUSTIN/ADCS2012QAddendum

2012R2 HTTPS://GITHUB.COM/THEKEVINJUSTIN/ADCS2012R2ADDENDUM/

2016+ https://github.com/theKevinJustin/ADCS2016-Addendum

Overview of addendum capabilities

Remember the why addendum packs for guiding purpose, transform!

The ADCS Addendum packs discover OCSP (seed class), and OCSP responder registry keys installed on monitored servers.

Group discovery tailors OCSP classes, for subscription or alert tuning.

OCSP server group can be used for subscription, or alert tuning (depending on class targets)

Monitors and service recoveries keep OCSP services monitored, and only alert when manual intervention is required.

OCSP service, certsvc monitors and service recovery automations built in

Tailoring the pack(s) to your environment

First, you must have at least ONE (1) set of ADCS Active Directory Certificate Services management packs so the ‘ADCS Addendum pack’ will load. The three versions currently supported have addendums, hopefully 2012,2012R2 are planned to be decommissioned in the short term.

Second, if you don’t have OCSP in your environment, download, and then import into your environment –

ELSE

Update the ‘OCSP Responder’ server name(s) for the group regular expressions.

In your favorite XML editor (mine is Notepad++), open the addendum pack(s), and find/replace for the following strings:

CAServer##

CERTIFICATESERVERS##

Save pack

Import and enjoy!

Documentation

ADCS 2016+ version agnostic pack download

ADCS 2012/2012R2 management packs download

AD Application monitoring

Data from StarTrek the next generation - Mr. Tricorder makes me laugh! — Data from StarTrek the next generation – Mr. Tricorder makes me laugh!

‘AD Application monitoring’ > web synthetics, artificial users > android what image comes to mind? Is it a person, or a thing from a Sci-Fi movie? Perhaps Bishop from Aliens, Data from Star Trek. What does ‘AD Application monitoring’ consist of? Currently that means a CRL validity check, and ADFS web synthetic (proving that ADFS is responding). My thanks to Jason Windisch CSA, for the supplied PowerShell!

Quick Download https://github.com/theKevinJustin/ADApplications/

Tailoring the pack to your environment

The purpose of the pack is to add scheduled workflow that acts like the user, identifies if the CRL’s are about to expire. Most times, monitoring stops at ICMP ping. Most times, there’s still an outage, as the network, and servers are responding. The next layer is IIS, Apache, etc. Sometimes the network team gets involved, checking a base IIS URL is configured. Most outages aren’t network, nor IIS wasn’t running. This is why we focus on the web application responding. Does the multi-prong tactical attack make sense?

This pack delivers on-demand tasks, daily reports, and rules/monitors to reflect health. Customize the watcher node, some URL’s, save, and import into SCOM! The purpose

Assign watcher node(s)

Assign a watcher node by creating a registry key.

What does that mean? Watcher nodes are needed to provide user perspective.

Multiple site example

Issue: Users from sites 1,2,3 are having problems accessing web pages. To understand a user in site 2, leverage a server in site 2 to initiate the web request (invoke-webRequest in PowerShell).

Why: Differentiate user experience (per site). Answer the ‘did you know’ – is the application responding from this site/perspective.

Unfortunately, the watcher node concept eludes most administrators. Mastering ‘user perspective’ makes for an invaluable aid moving from reactive ‘fire fighting’ to proactively being told before users. Hopefully this explains the power where monitoring imitates user interactions for key web applications.

How: Create registry key on whatever servers you want to initiate web monitor

From PowerShell (as Admin), or Command Prompt (as admin)

reg add “HKLM\SOFTWARE\ADApplications\WatcherNode”

AD Applications regedit registry key validation

Example of XML snippet from AD Applications management pack

AD Applications Watcher Node - create specific registry key — AD Applications Watcher Node – create specific registry key

Set up CRL Validity check and ADFS synthetic

Next, configure the URL’s for the customer environment for the ‘AD Application monitoring’ management pack.

Update AD Applications module types for monitor/rules for CRL and ADFS synthetics

Configure the CRL validity check array

From your favorite XML editor (notepad++ pictured)

Find/Replace ##FQDN##, ##CRLstring##, numbers to customer environment

CRL Validity check, create your array length as needed for customer environment

Configure the ADFS synthetic request(s)

From your favorite XML editor (notepad++ pictured)

Find/Replace $server, ##FederationFQDN##, if necessary, update ADFS URL string if different (the /adfs/ls/idpiniatedsignon.aspx portion) to customer environment

Update ADFS URL for invoke-webRequest, ADFS default URL in specified example

Save pack

Import and enjoy!

Documentation

URLGenie for advanced website monitoring

PowerShell invoke-webRequest

Addendum logic blog