Windows DHCP not Updating DNS

Our 2012 R2 DCs run DHCP and DNS for our environment, but I found that our clients' DNS records were frequently wrong, even though DHCP is supposed to update DNS with the correct entry.  This blog post solved the problem:

http://blogs.msmvps.com/acefekay/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group/

Note:  If you are unsure about running the dnscmd command shown in the blog post, these are the commands to verify the setting before you change it, and to revert it afterwards:

Show current state:

dnscmd /info /OpenACLOnProxyUpdates

Desired state:

dnscmd /config /OpenAclOnProxyUpdates 0

Revert to default:

dnscmd /config /OpenAclOnProxyUpdates 1

WebEx and ADFS SSO

Implemented WebEx with ADFS SSO (Windows 2012R2) successfully, and found these articles helpful:

Initial Setup:

https://cisco-support.webex.com/guest/articles/en_US/Usability_FAQs/WBX63102/myr=false

https://digitalglue.wordpress.com/2014/02/11/configuring-cisco-webex-meeting-server-to-work-with-adfs-2-0/

Those guides do not go over configuring sign-out.  This can be accomplished with the WSFederation sign-out URL documented here:

http://social.technet.microsoft.com/wiki/contents/articles/1439.ad-fs-how-to-invoke-a-ws-federation-sign-out.aspx

And configuring your ADFS server with:

1.  Go to AD FS Manager – Trust Relationships – Relying Party Trusts – <your party trust> properties
2.  Under the Endpoints tab, click Add SAML…
3.  Endpoint Type = SAML Logout, Binding = POST, Trusted URL = https://myadfsserver.domainname.com/adfs/ls/?wa=wsignout1.0

ADFS MFA with Office 365

We wanted to implement MFA (multi-factor authentication) on our AD FS servers when authenticating to Office 365.  If you just want basic "MFA for all users" then the AD FS GUI will let you select your MFA provider and enable it.  I needed a more granular policy:

Only enable MFA if the user is a member of a specific security group AND the user is coming from outside the corporate network AND it is a browser based authentication request

The third part of that policy is there so that users can still use ActiveSync or Skype for Business, since those clients do not support MFA right now.

Granular AD FS policies are written as "claim rules", whose conditions can be combined with "&&" (AND).  Here are the three conditions I needed:

Only enables MFA for a particular security group (uses the group SID):
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-2-46-1537777264-XXXXXXXXXXXXX"] &&

Only enables MFA for users outside the corporate network (auth requests that come in through the AD FS proxy servers):
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] &&

Only enables MFA for browser-based requests (the /adfs/ls and /adfs/oauth2 endpoints):
c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]

To apply these rules, first enable the MFA provider in the GUI.  Open AD FS Management, click "Authentication Policies" and then click "Edit Global Multi-Factor Authentication" on the right-hand side.  From there select your MFA provider and click "Apply".  After this, you must use PowerShell.  I also used PowerShell variables to make the process a little cleaner.

PS C:\windows\system32> $mfarule='c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-2-46-1537777264-XXXXXXXXXXXXX"] && c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] && c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'
PS C:\windows\system32> $rpt = Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform"
PS C:\windows\system32> Set-AdfsRelyingPartyTrust -TargetRelyingParty $rpt -AdditionalAuthenticationRules $mfarule

And now you are done!  The following command reverts the changes made back to default:

PS C:\windows\system32> Set-AdfsRelyingPartyTrust -TargetRelyingParty $rpt -AdditionalAuthenticationRules ''

These commands enable MFA just for the Office 365 relying party (so I can have different policies per relying party).  If you would like to apply the same rule globally, to every relying party, use this:

Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $mfarule

And finally, to review the trust and confirm the rule was applied (look at the AdditionalAuthenticationRules property):

Get-AdfsRelyingPartyTrust -Name DisplayNameofTrust
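The same procedure as a single script, added here as an example and not taken from the original post.  It builds the rule from a group name rather than a hard-coded SID, applies it to the Office 365 relying party trust, and reads the result back for verification.  It assumes you run it on the primary AD FS server with the ActiveDirectory and ADFS modules available; the group name "MFA-Required-Users" is a hypothetical placeholder for your own group.

```powershell
# Added example (not from the original post). Assumes: primary AD FS 2012 R2
# server, ActiveDirectory + ADFS modules installed, and a security group whose
# name you substitute for the placeholder below.
Import-Module ActiveDirectory
Import-Module ADFS

$groupName = 'MFA-Required-Users'                       # hypothetical placeholder
$rptName   = 'Microsoft Office 365 Identity Platform'   # display name from the post

# Resolve the SID at run time so the rule never carries a mistyped or stale SID.
$groupSid = (Get-ADGroup -Identity $groupName).SID.Value

# Same three conditions as the post, joined with && so ALL must hold:
#   c  - user is in the group
#   c1 - request did not come from inside the corporate network (via the proxy)
#   c2 - request hit a browser/OAuth endpoint (the regex is unanchored, so any
#        path containing /adfs/ls or /adfs/oauth2 matches)
$mfaRule = @"
@RuleName = "Require MFA: $groupName, external, browser"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"] &&
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] &&
c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@

# Apply the rule to this one relying party only.
$rpt = Get-AdfsRelyingPartyTrust -Name $rptName
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rpt -AdditionalAuthenticationRules $mfaRule

# Verify: the rule is stored on the trust, and an MFA provider is enabled
# globally (without a provider, the issued multipleauthn claim cannot be satisfied).
Write-Host "Rule now on '$rptName':"
(Get-AdfsRelyingPartyTrust -Name $rptName).AdditionalAuthenticationRules
Write-Host "Enabled additional authentication providers:"
(Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
```

Because the SID is resolved from the group name, the script fails loudly (Get-ADGroup throws) instead of silently writing a rule that matches nobody if the group is renamed or mistyped.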

———————————————————————————————————————

These blogs were extremely helpful throughout this process:

https://doubledit.co.uk/2015/10/21/adfs-multi-factor-authentication-force-mfa-for-browser-based-access-to-office-365/

http://blog.auth360.net/2014/10/23/mfa-conditional-access-policies-in-ad-fs-2012-r2/

http://blogs.msdn.com/b/ramical/archive/2014/01/30/under-the-hood-tour-on-multi-factor-authentication-in-ad-fs-part-1-policy.aspx

https://technet.microsoft.com/en-us/library/dn479343(v=wps.630).aspx


Duo Security – HA Radius Servers

If you are using Duo Security MFA (great solution btw), you may want high availability for your Duo RADIUS servers.  Duo doesn't currently have a "supported" solution for this, but keepalived worked great after a quick call to support.  This also assumes you have followed Duo's instructions to install their RADIUS server (found HERE).

Using Ubuntu 14.04, install keepalived (basic instructions: https://raymii.org/s/tutorials/Keepalived-Simple-IP-failover-on-Ubuntu.html)

Radius server #1 config:

vrrp_instance VIP_1 {
    state MASTER
    interface eth0
    virtual_router_id 100
    priority 101
    preempt_delay 30
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass password
    }
    virtual_ipaddress {
        10.0.0.1 dev eth0
    }
}

Radius server #2 config:

vrrp_instance VIP_1 {
    state BACKUP
    interface eth0
    virtual_router_id 100
    priority 100
    preempt_delay 30
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass password
    }
    virtual_ipaddress {
        10.0.0.1 dev eth0
    }
}

After this was completed, keepalived was up and running, and I could ping/ssh to the VIP.  BUT, Duo was not responding to RADIUS requests on the VIP!?  After trying several different options, I called Duo Support to see if anything could be done.  The support engineer and I discovered that the "interface=" setting in authproxy.cfg can be used to bind the proxy to an IP address other than the default eth0 address.  This is what I added to the top of authproxy.cfg:

[main]
interface=10.0.0.1

[ad_client]
...etc

After I restarted the duoauthproxy service, RADIUS requests completed successfully using the VIP and my HA solution was complete!  Testing showed about 1-second failover times between the two servers with keepalived.

View the VIP assigned to eth0:

ip addr show eth0

Active Directory Health Check

Migrated a DC and wanted to do some basic AD health checks.

From a cmd prompt (on a domain-joined PC with sufficient privileges, or on the DC itself):

Replication Info:

repadmin /replsummary
repadmin /showrepl

Query FSMO role holders, which should confirm that they are online:

netdom query fsmo

General Server Diagnosis:

dcdiag /a /s:<DC server name>

If you want to force the DCs to sync with each other and see whether any errors appear:

repadmin /syncall

Export User List of AD Security Group

If you need a list of all members of an AD security group, open a command prompt on a DC and try the following commands:

  1. This command lists all the members along with the OU structure they belong to:

     dsquery group -name "GroupName" | dsget group -members

  2. Pipe the result into dsget user to show only the display name of each user:

     dsquery group -name "GroupName" | dsget group -members | dsget user -display
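The same export done with the ActiveDirectory PowerShell module, added here as an example that is not part of the original post.  It goes beyond the dsquery version in two ways: -Recursive follows nested groups (dsget group -members only lists direct members unless you add -expand), and the result is written to a CSV for review.  It assumes the ActiveDirectory module is installed; "GroupName" and the output path are placeholders.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module (RSAT or a DC). "GroupName" is a placeholder for your group.
Import-Module ActiveDirectory

$groupName = 'GroupName'
$outFile   = Join-Path $env:TEMP "$groupName-members.csv"

# -Recursive expands nested groups; the Where-Object keeps only user objects so
# computers and nested group objects do not end up in the user list.
Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties DisplayName, Enabled |
    Select-Object SamAccountName, DisplayName, Enabled, DistinguishedName |
    Sort-Object SamAccountName |
    Export-Csv -Path $outFile -NoTypeInformation

Write-Host "Member list written to $outFile"
```

Including the Enabled column makes it easy to spot disabled accounts that are still in the group, which is usually what an access review is looking for.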

Updating Dell R710 Firmware

Deploying ESXi on some Dell R710 servers we had, so I wanted to update the firmware to latest and greatest.  I came across some issues updating, which is why I’m posting this.

First, I updated the iDRAC, using information from here:

http://en.community.dell.com/techcenter/systems-management/w/wiki/3206.updating-drac-firmware

Second, I couldn’t download updates using the USC/Lifecycle Controller because of the error “The updates you are trying to apply are not Dell-authorized updates”.  I was able to resolve this by updating the USC (Unified Server Configurator).  This can be easily upgraded by downloading the package and uploading it to the iDRAC update utility.  The package can be downloaded here:

http://www.dell.com/support/home/us/en/04/Drivers/DriversDetails?driverID=G3G5F&fileId=3093677794-SV&urlProductCode=False#

After USC is updated, you can access USC by hitting F10 on startup and navigating to Platform Update.  This will allow you to upgrade firmware on all the available devices.  Step-by-step instructions here:

http://kb.eclipseinc.com/kb/dell-firmware-update/

Active Directory Delegating Permissions

I needed to delegate permissions to the helpdesk (without making them domain admins) to create and modify users, and to modify group membership.  This is slightly different from some of the built-in permission groups, since we didn't want the helpdesk to be able to delete users.  Permissions are delegated at the OU level, and remember that permissions are pushed down and inherited by child objects.

This is what I used to delegate these permissions:

  1. Right click the OU, and select “Delegate Control” and click “Next”
  2. Add your Security Group (I called mine Delegated Helpdesk)
  3. Click “Modify the membership of a group”, then “Next” and “Finish”
  4. First section done!
  5. Go through steps 1 and 2 again
  6. Select the button “Create a custom task to delegate” and click “Next”
  7. Select the button “Only the following objects in the folder:” and select “User objects”
  8. Click “Create selected objects in this folder” and click “Next”
  9. Check the following permissions:
    • Read All Properties
    • Write All Properties
    • Read and write general information
    • Read and write logon information
    • Read and write phone and mail options
    • Read and write web information
    • Change password
    • Reset password
  10. Click “Next” and then “Finish”
  11. You are now finished.  Users in the “Delegated Helpdesk” group should be able to create and modify users, and group membership

If you ever need to revert your changes, open Properties -> Security (requires Advanced Features view) for the OU, and remove the permissions.
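To audit what the wizard actually wrote, and to confirm the "no delete" goal, here is an added example (not part of the original post) that reads the OU's ACL from the AD: drive and lists only the entries granted to the helpdesk group.  It assumes the ActiveDirectory module is available; the OU distinguished name and domain are placeholders, and the group name is the one used in the post.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module;
# $ouDn is a placeholder you replace with the OU you delegated on.
Import-Module ActiveDirectory

$ouDn  = 'OU=Staff,DC=example,DC=com'   # placeholder OU
$group = 'Delegated Helpdesk'           # group name from the post

$acl = Get-Acl -Path "AD:\$ouDn"

# Every ACE the wizard created for the group. ObjectType is the GUID of the
# attribute, property set or control access right (e.g. Reset Password);
# InheritedObjectType is the object class the ACE applies to (e.g. user).
$helpdeskAces = $acl.Access | Where-Object { $_.IdentityReference -like "*\$group" }
$helpdeskAces |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, InheritanceType, IsInherited |
    Format-Table -AutoSize

# The post's design goal: helpdesk may create and modify users but not delete
# them. Flag any ACE that carries a Delete right. (GenericAll would also imply
# delete, so it is checked explicitly.)
$deleteAces = $helpdeskAces | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -match 'Delete' -or $_.ActiveDirectoryRights -match 'GenericAll')
}
if ($deleteAces) {
    Write-Warning "Delete-capable ACEs found for '$group' on $ouDn:"
    $deleteAces | Format-Table IdentityReference, ActiveDirectoryRights, InheritedObjectType -AutoSize
} else {
    Write-Host "OK: no Delete or GenericAll rights granted to '$group' on $ouDn"
}
```

Running this before and after the wizard gives you a diff of exactly which ACEs were added, which is also the list to remove if you ever revert the delegation.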

Linux Packet Capture

If you need to debug traffic going to a Linux server or appliance, you can use tcpdump to write a pcap file that you can analyze in Wireshark.

For example, ssh into the server, and use the following command:

tcpdump -s0 -w DebugTraffic.pcap port 80 and host 192.168.1.10

This captures all port 80 traffic to or from host 192.168.1.10 (-s0 keeps the full packet rather than truncating it) and saves it to the file DebugTraffic.pcap.

You can then use an SCP/SFTP client (like WinSCP) to grab the file and analyze it in Wireshark.

Here is a great resource for tcpdump commands: http://packetlife.net/media/library/12/tcpdump.pdf