Active Directory Domain Join Delegation

The trigger to write this article was a troubleshooting session with a client that had built an automation process to deploy Windows Server and RedHat Enterprise Linux virtual machines on Azure. One of the steps of the provisioning process was to join the machine to the IaaS Active Directory Domain that was deployed on Azure and for this, an Active Directory account was required.

Following the least privilege principle, the account used in the automation process to join machines to the domain was a plain account that could indeed perform this operation. After some successful joins however, the process started encountering errors when trying to join machines to the domain.

As it turns out, the architects and security engineers had missed the fact that plain Active Directory accounts can only join a limited number of machines to the domain. When the automation reached that number, the process started to fail.

To further troubleshoot the issue, we tried to join the ma…

Azure Instance Metadata Service

The Azure Instance Metadata Service is an Azure service, invoked from within the virtual machine itself, that provides information about the Azure Virtual Machine. This way, the administrators of the machine - who in most cases have no access to the Azure Portal - are able to get more information and troubleshoot potential issues.

Let's use a Linux virtual machine to get information from the metadata service!

To get the data from the service, a simple HTTP call is all that is required. However, there are a couple of things to keep in mind.

First, although we are using Automatic Private IP Addressing, we have to include the "Metadata" header so that the service won't mistake our call for a call that may be the result of a redirection.

Second, the version of the API to use must be provided in every request. To get the allowed values, simply call the service without the "api-version" parameter and it should return a list of values:

curl -H Metadata:true "http://…

Using Azure Data Lake to Archive, Audit and Analyse Log Files

When operating relatively big and complex environments, the ability to have all the operational information available as quickly as possible is one of the key factors that protects you from downtime and breached SLAs and allows you to have a full view of the environment so you can act proactively.

There are many cloud and on-premises solutions that can be of assistance, but there are some cases that require a more customized approach. Don't get me wrong, Azure OMS and other solutions like it are great for maintaining control of and reporting on your services. However, there are some organizations with needs that cannot be covered by OMS, such as really long retention periods, log file formats that cannot be directly parsed, etc.
So what we need is a place to store the files and a very fast way to query them. This is where Azure Data Lake comes into play. Uploading your log files to Azure Data Lake or directly feeding the Data Lake using Azure Stream Analytics will give you the ability to ana…

Querying Active Directory using PowerShell

Active Directory queries. Every Windows administrator has had the need to get a list of objects matching some kind of criteria, either to create a report or to update them in one batch.

Fortunately, Microsoft provides a PowerShell module to interact with Active Directory as part of the RSAT tools, and this module is installed by default on Domain Controllers. The commands in this module interact with the Domain Controller using the Active Directory Web Services.

But what if you are not logged on to a Domain Controller or you don't have RSAT installed? There is a way to query the Domain Controller and get the information you want, without the limitations of the Web Services and in a much faster way using .NET.

First, we have to create a DirectorySearcher object and configure its LDAP filter. Calling any of the find methods will return the results for the specified filter. In the following example, I'm using FindOne() to get my account.

Keep in mind that you can configure the Directory…

Domain Controller Machine Password Reset

In my lab environment, I've configured two Active Directory sites since most enterprises have offices in more than one place. My lab however is not running 24/7, and the domain controllers in the second site are rarely turned on in order to save resources.

This leads to issues with Active Directory replication, such as the "The target principal name is incorrect" error when I execute: repadmin /syncall /AdeP. To remedy the issue, we have to reset the machine password of the domain controller that has been offline.

First off, we are going to stop and disable the Kerberos Key Distribution Center (kdc) service on the problematic domain controller, in our case DC4.

There may be some tickets in the cache, so we should also clear them using klist purge.

Now it's time to change the machine password of the domain controller using the command:
netdom resetpwd /s:dc3 /ud:lab\administrator /pd:*
Replace the "lab\administrator" with an account on your domain with admini…

Exchange Request Tracing

I came across a very strange Exchange behavior the other day while troubleshooting a full access permission that was not working as expected.

Although a user had been granted full mailbox permission on a shared mailbox, when he tried to open it using OWA, he got an HTTP Error 500 message and the request failed.

We'll start troubleshooting by investigating the front end IIS log files. After all, that is the first step of the request processing.

Using the user's UserPrincipalName, I've managed to find the error in the log:

As you can see, the HTTP status code is "500", which indicates an internal server error like the one the user encountered. This file however does not provide much information about the cause of the error, so we'll take a look at the back end as well.

After each request reaches the front end Exchange layer, it is proxied to the back end, but the destination server may be other than the front end server that received it. To find out…

DNS Query Web Interface

DNS plays one of the most important roles in IT, there's no doubt about it, especially when you have services hosted on public clouds or accessible on the internet. When troubleshooting issues with such services, the DNS configuration and propagation should always be checked, since any issues there would definitely have an impact on the service.

Although you can use the tools provided by your operating system, such as nslookup, dig and Resolve-DnsName, it can be a bit complicated to get the right query. Fortunately, there are websites out there that can help you by providing a friendly user interface. The website I'm using the most is Dig Web Interface; let's take a quick tour.

This site has a minimal design, with a textbox to enter your hosts or IPs and a few options about the query and the name server to use:

Let's go through some example queries.

To search for the name servers of a zone, use the "NS" type:

As you can see, my domain is hosted on the papaki dns…