Unable to Connect to the Synchronisation Service
KB ID 0001649 Problem I’m doing some work for a client that has Azure AD Sync running, and we keep kicking each other off the server, so I thought I’d log in with another account. However, when I tried to open the Synchronisation Service Manager; Unable to connect to the Synchronisation Service Some possible reasons are: 1) The service is not started. 2) Your account is not a member of the required security group. See the...
Duo: ADSync and Enroll Users via SMS
KB ID 0001648 Problem Before you can use Duo 2FA/MFA you need to have your users enrolled. There’s a number of ways to enrol them: you can bulk-email them, or manually add them. Below I’m going to Sync Duo with my Active Directory, so that if users are members of a specific AD group, they will ‘appear’ in the Duo Admin Portal. Then I’m going to enter a user’s mobile phone number and send them an SMS to enrol....
Duo: Migrate from LDAP to LDAPS
KB ID 0001647 Problem With the impending ‘turning off’ of cleartext LDAP queries to Windows Server, I wanted to make sure my new Duo deployments were already using LDAPS. I got LDAP deployed very quickly and easily, but making the ‘swap’ to LDAPS proved to be massively problematic. Normally I find Duo a pleasure to deploy, but their technical documentation just confused me for this and I went running up some...
Get Ready for LDAPS Channel Binding
KB ID 0001645 Problem I have written about Enabling LDAPS a long time ago, but it’s a subject that’s about to become important again, so I’ll revisit the subject. Microsoft are about to ‘enforce’ LDAPS authentication against their domain controllers, in the March 2020 round of updates (now delayed until the second half of 2020). What does that mean? Well, lookups against LDAP will now need to be secure, (i.e....
Azure AD Connector: Disable ADFS Authentication
KB ID 0001643 Problem Why would you want to disable ADFS authentication? Well, what if ADFS is down, or you want to revert to some other authentication method? I was in a position a few weeks ago where I needed to disable ADFS on a client’s Azure AD Sync. At that time the Microsoft Tech on the phone steered us towards doing what I can only describe as a ‘forced de-federation’. This involved using PowerShell and it resets the...
Azure Pass-through Authentication
KB ID 0001642 Problem I’ve never really taken the time to look at pass-through authentication, I set up Azure AAD sync, then I either use ADFS or I don’t. It was only when looking at removing ADFS, that I even looked at it as an option. How does Pass-through Authentication Work? Remote client attempts to authenticate to Office 365 (Azure Active Directory). Azure queues the request and sends it to an Azure Authentication...
Password Sync: No Recent Synchronization
KB ID 0001640 Problem I recently migrated the server that was running my Azure AD Connector. It was showing no errors post migration so I thought no more about it. A few days later I logged in to Office 365 and saw this; AAD Connect Status Azure AD Connect Password sync: no recent synchronization Solution Apparently this can suddenly happen if you are running an old version of AAD Connect. But I checked and mine was brand new,...
AAD Contains Another Object With The Same DN
KB ID 0001638 Problem I’ve seen this a few times now; I’ve had users that will not sync from Active Directory to Azure Active Directory (Office 365). When you look to see why, you will see something like; The Connector {Your-Domain}.onmicrosoft.com – AAD contains another object with the same DN which is already connected to the MV. Note: For the uninitiated, DN is Distinguished Name, and MV is MetaVerse. If you...
Connections From Machines That Don’t Map to Sites?
KB ID 0001635 Problem I was troubleshooting some replication issues for a client, and carried out a dcdiag on one of their domain controllers, and saw this; Starting test: SystemLog A warning event occurred. EventID: 0x000016AF Time Generated: xx/xx/xxxx xx:xx:xx Event String: During the past 4.21 hours there have been {xxx} connections to this Domain Controller from client machines whose IP addresses don’t map to any of the...
ADFS: Changing the Certificate
KB ID 0001634 Problem I needed to change the certificate used by an ADFS server today. I’d used a temporary self-signed wildcard cert to get me up and running; now I needed to replace it with a new publicly signed one. I found a number of ways of doing this INCORRECTLY, so hopefully I will save you making the same mistakes! Solution Firstly you need to import your certificate, here from a PFX file, (if you want a PFX file import...