Insufficient access rights Error Code 8344

Error Code 8344 KB ID 0001636

Problem

With Azure AD Replication, you may notice the following error when you look at your connector status;

Error: permission-issue
Connected data source error code: 8344
Connected data source error: Insufficient access rights to perform this operation.

Solution: Error Code 8344

Firstly, ensure that the user you run AAD sync under has the following permissions on the ‘root’ of your local AD domain.

  • Replicating Directory Changes: Allow
  • Replicating Directory Changes All: Allow

If the problem persists, it’s usually because the account running the AAD sync does not have the appropriate rights to the mS-DS-ConsistencyGuid attribute for the affected users in the local Active Directory. The following commands will add the appropriate rights for ALL your local users;

[box]

# The account that Azure AD Connect runs the sync under
$accountName = "Domain-Name\User-Name"
# Distinguished name of the domain root; the grant is made here and inherited by every user object below it
$ForestDN = "DC=Domain-Name,DC=Domain-Extension"
# dsacls: /I:S = inherit to sub-objects only, /G = grant WP (write property) on ms-ds-consistencyGuid for objects of class 'user'
$cmd = "dsacls '$ForestDN' /I:S /G '`"$accountName`":WP;ms-ds-consistencyGuid;user'"
Invoke-Expression $cmd

[/box]

Lastly, if you have this problem on some ‘sporadic’ users, check that inheritance is enabled on their individual user objects before retrying.

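As an added check (example code, not from the original article): the first function lists user objects whose ACL does not inherit from the parent, which is why the dsacls grant above never reaches them; the second confirms that the sync account actually holds WriteProperty on mS-DS-ConsistencyGuid for a given user. It assumes the ActiveDirectory RSAT module and the AD: PSDrive it provides; the account and DN values are the article’s placeholders.

```powershell
Import-Module ActiveDirectory

# Users whose ACL is 'protected' (inheritance disabled). Members of protected groups get this
# from AdminSDHolder (adminCount=1), which is the usual reason for the 'sporadic' users.
function Get-NonInheritingUsers {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADUser -Filter * -SearchBase $SearchBase -Properties nTSecurityDescriptor, adminCount |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        Select-Object SamAccountName, adminCount, DistinguishedName
}

# Does $AccountName hold an Allow ACE with WriteProperty on mS-DS-ConsistencyGuid (or on all
# properties) for the user at $UserDN? Returns the matching ACEs, or nothing if the grant is missing.
function Test-ConsistencyGuidWrite {
    param(
        [Parameter(Mandatory)][string]$UserDN,
        [Parameter(Mandatory)][string]$AccountName   # "Domain-Name\User-Name", as in the article
    )
    # Object-specific ACEs refer to an attribute by its schemaIDGUID, so resolve it from the schema
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=mS-DS-ConsistencyGuid)' -Properties schemaIDGUID
    $attrGuid = [guid]$attr.schemaIDGUID

    $acl = Get-Acl -Path "AD:\$UserDN"
    $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $AccountName -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [guid]::Empty)
    } | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

# Example calls (placeholder values from the article):
# Get-NonInheritingUsers | Format-Table
# Test-ConsistencyGuidWrite -UserDN 'CN=Jane Doe,OU=Users,DC=Domain-Name,DC=Domain-Extension' -AccountName 'Domain-Name\User-Name'
```

An empty result from Test-ConsistencyGuidWrite on a user that Get-NonInheritingUsers lists is the case the paragraph above describes: the root grant exists but never reached that object.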

If the problem persists use the AD Connect Troubleshooter.

Fix Error Code 8344 with AD Connect Troubleshooter

Open Azure AD Connect > Configure.

Troubleshoot > Next > Troubleshooting > Launch.

Option 4 > Note: At this point you may or may not be asked to install the RSAT tools; if so, enter Y {Enter} > Option 12 > Y {Enter} > E {Enter} > Type in the name of the connector (in the example below that’s pnl.com).

You will be prompted to authenticate with an administrative account > You will then have to accept each change by typing A {Enter}. You will need to do this SEVEN TIMES.

When complete force a full initial replication.

[box]

Start-ADSyncSyncCycle -PolicyType Initial

[/box]

At this point go and have a cup of coffee, then come back and check Synchronisation Service Manager. You should now be error free.

Related Articles, References, Credits, or External Links

NA

AAD Contains Another Object With The Same DN

KB ID 0001638

Problem

I’ve seen this a few times now; I’ve had users that will not sync from Active Directory to Azure Active Directory (Office 365). When you look to see why, you will see something like;

The Connector {Your-Domain}.onmicrosoft.com – AAD contains another object with the same DN which is already connected to the MV.

Note: For the uninitiated, DN is Distinguished Name, and MV is MetaVerse.

If you attempt to troubleshoot the sync, you may also see something like this;

Object {Distinguished-Name} is not found in AAD Connector Space.

Solution

First we need to temporarily halt the sync;

[box]

Set-ADSyncScheduler -SyncCycleEnabled $False

[/box]

Then launch Synchronization Service Manager > Connectors > Select your AAD Connector > Delete > Delete connector space only > Yes.

Note: Whoa! It says I’m going to lose data, what are we doing?

Well, we are essentially removing all the ‘cached’ objects associated with this connector; I think of it as ‘flushing the cache’. I’ve never seen this operation break anything, and I’ve certainly never ‘lost’ anything.

While it’s still running, do the same with your local AD connector.

Start the sync scheduler again.

[box]

Set-ADSyncScheduler -SyncCycleEnabled $True

[/box]

Perform a Full Import on your AAD connector.

With the above still running you can repeat a Full Import on your AD Connector.

Providing the full import has finished (i.e. the connector says ‘idle’) perform an Export on the AAD Connector.

Providing the full import has finished (i.e. the connector says ‘idle’) perform an Export on the Local AD Connector.

You can then force an AAD sync, and go have a coffee.

Related Articles, References, Credits, or External Links

Azure AD Connect: Correct Or Remove Duplicate Values

PowerShell: Bulk Add/Remove Users From Groups

KB ID 0001475

Problem

I had to do this a few weeks ago, so I documented it. I had a list of usernames in a CSV file and I needed to bulk-add them to a security group.

Bulk Add Group Users Solution

Firstly you will need the usernames (sAMAccountNames) in .csv format like so, (Note: As a header I’m using User-Name.) I’ve saved the file to C:\Temp on my server.

Execute the following commands;

[box]

Import-Module ActiveDirectory

Import-Csv -Path "C:\Temp\Users-To-Add.csv" | ForEach-Object {Add-ADGroupMember -Identity "Group-Name" -Members $_.'User-Name'}

[/box]

And there are our users;

Bulk Remove Group Users Solution

Use the following command;

[box]

Import-Csv -Path "C:\Temp\Users-To-Remove.csv" | ForEach-Object {Remove-ADGroupMember -Identity "Group-Name" -Members $_.'User-Name' -Confirm:$false}

[/box]

Now if we check the group, the users have gone;

Related Articles, References, Credits, or External Links

PowerShell: Bulk Enable / Disable Users

Exchange Bulk Export / Import Mail Contacts

Bulk Export Users From One Domain, and Import Into Another

PowerShell: Add All Members of an OU to a Security Group

PowerShell: Bulk Enable / Disable Users

KB ID 0001469

Problem

I needed to work out how to bulk disable some domain users from a .CSV file this week, so I thought I’d write it up.

Disable Domain Users in Bulk from CSV

Well firstly, you need to have your users in a CSV file. For the live job I just exported all the SamAccountNames to a CSV, but here for testing I just loaded a few in manually;

Then execute the following two commands;

[box]

Import-Module ActiveDirectory

Import-Csv -Path "C:\Temp\Users-To-Disable.csv" | ForEach-Object {Set-ADUser -Identity $_.'User-Name' -Enabled $false}

[/box]

Let’s have a quick check, and sure enough they are disabled.

Enable Domain Users in Bulk from CSV

To re-enable them, we just need to change one word in the command (from false to true).

[box]

Import-Module ActiveDirectory

Import-Csv -Path "C:\Temp\Users-To-Enable.csv" | ForEach-Object {Set-ADUser -Identity $_.'User-Name' -Enabled $true}

[/box]

A quick refresh and our users are enabled again!
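The two bulk articles above (group add/remove, and enable/disable) share one pattern: a CSV with a User-Name column piped into an AD cmdlet. As an added example (not the articles’ own code), here is that pattern with each sAMAccountName validated before anything is changed, -WhatIf support, and a per-user result you can keep as a change record; the paths and group name are the articles’ placeholders and the ActiveDirectory RSAT module is assumed.

```powershell
Import-Module ActiveDirectory

function Invoke-BulkUserAction {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$CsvPath,   # CSV with a 'User-Name' header, as in the articles
        [Parameter(Mandatory)][ValidateSet('AddToGroup', 'RemoveFromGroup', 'Enable', 'Disable')]
        [string]$Action,
        [string]$GroupName                         # only used by the two group actions
    )
    if ($Action -like '*Group' -and -not $GroupName) { throw "-GroupName is required for $Action" }

    $rows = @(Import-Csv -Path $CsvPath)
    if (-not $rows -or -not $rows[0].PSObject.Properties['User-Name']) {
        throw "$CsvPath is empty or has no 'User-Name' column"
    }

    foreach ($row in $rows) {
        $name = "$($row.'User-Name')".Trim()
        # sAMAccountName is at most 20 characters and cannot contain these characters,
        # so anything else is a mistake in the CSV rather than a real account
        if ($name -notmatch '^[^"/\\\[\]:;|=,+*?<>]{1,20}$') {
            [pscustomobject]@{ User = $name; Action = $Action; Result = 'InvalidName' }
            continue
        }
        # -Identity takes the sAMAccountName literally, so the CSV value cannot alter the lookup
        $user = $null
        try { $user = Get-ADUser -Identity $name -ErrorAction Stop } catch { }
        if (-not $user) {
            [pscustomobject]@{ User = $name; Action = $Action; Result = 'NotFound' }
            continue
        }
        try {
            $result = 'Skipped'     # what a -WhatIf run reports
            if ($PSCmdlet.ShouldProcess($user.DistinguishedName, $Action)) {
                switch ($Action) {
                    'AddToGroup'      { Add-ADGroupMember    -Identity $GroupName -Members $user }
                    'RemoveFromGroup' { Remove-ADGroupMember -Identity $GroupName -Members $user -Confirm:$false }
                    'Enable'          { Set-ADUser -Identity $user -Enabled $true }
                    'Disable'         { Set-ADUser -Identity $user -Enabled $false }
                }
                $result = 'OK'
            }
        } catch {
            $result = $_.Exception.Message
        }
        [pscustomobject]@{ User = $name; Action = $Action; Result = $result }
    }
}

# Preview with -WhatIf first, then run and keep the output as a change record:
# Invoke-BulkUserAction -CsvPath 'C:\Temp\Users-To-Add.csv' -Action AddToGroup -GroupName 'Group-Name' -WhatIf
# Invoke-BulkUserAction -CsvPath 'C:\Temp\Users-To-Disable.csv' -Action Disable |
#     Export-Csv 'C:\Temp\Users-To-Disable-Result.csv' -NoTypeInformation
```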

Related Articles, References, Credits, or External Links

NA

AD Sites and Services: ‘Show Services Node’ Missing?

KB ID 0001448

Problem

While working on an old Exchange system this week I wanted to take a look at the ‘Autodiscover’ SCP in AD Sites and Services. Read any post, and you will see that you need to enable the ‘Services Node’ view in AD Sites and Services. To do that you simply right click then go to View > Show Services Node. However, I didn’t get that option.

Solution

This was driving me crazy for a while, and it looks like it’s a bug in the Microsoft Management Console. If you look at the image (above) you will see Active Directory Sites and Services is selected (i.e. it’s blue). However, it wasn’t when I ‘right clicked’.

You need to manually left click ‘Active Directory Sites and Services’ to select it.

Then once selected, right click, and then you get the correct menu.

Yes that’s annoyingly simple, and yes it took 20 minutes to find out what I was doing wrong!

Related Articles, References, Credits, or External Links

NA

Barracuda Web Filter – Not Displaying Usernames

KB ID 0001296 

Problem

I installed a Barracuda Web Filter 410 hardware appliance last week for a client on a 30 day trial. It was in ‘inline’ mode in front of their firewall and was happily logging all web activity and sites that were getting blocked. The problem was, when you looked in the log, this is what you saw;

With other vendors you simply need to put an agent in to fix this, and as it turns out Barracuda is no different.

Solution

I went onto the web and tried to get the agent, but you can download it straight from the appliance (Users and Groups > Authentication Tab).

To proceed you need to add your domain controllers onto the Barracuda.

Note: You will need a domain account (a simple domain user is fine, it does not need any additional rights). Here I’m connecting via 389, if you wanted to connect with LDAPS see the following article.

Windows Server 2012 – Enable LDAPS

Once you have installed ADAgent.exe (on each domain controller), run it, enter your domain user account, and test that it connects properly.

Then add in your Barracuda device.

Note: There’s nothing else you need to do in the agent, but while you are setting it up I suggest you set the logging level to debug.

Now, before the successful logon events can be uploaded to the Barracuda, the domain controllers need to have auditing enabled for;

  • Audit account logon events (success)
  • Audit logon events (success)

Set this in the ‘Local Security Policy’ on each of the domain controllers (Administrative Tools > Local Security Policy).

On the Barracuda itself you now have to register the agent for each domain controller you deployed it on; this is done on the same tab where you specified the domain controllers. After a few minutes they should ‘go green’.

You now need to wait until your users have logged off and back on again before it starts logging properly, so leave it a while to slowly populate.
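The agent only has logon events to forward if every domain controller is actually auditing successes. As an added check (example code, not from the original article) this queries each DC with auditpol and flags subcategories that do not audit success; ‘Account Logon’ and ‘Logon/Logoff’ are the advanced-audit categories behind the two legacy policies named above. It assumes the ActiveDirectory RSAT module and that WinRM is reachable on the DCs.

```powershell
Import-Module ActiveDirectory

# One row per audit subcategory per DC, with a flag showing whether successes are audited.
function Test-DcLogonAuditing {
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    )
    foreach ($dc in $DomainController) {
        $raw = Invoke-Command -ComputerName $dc -ScriptBlock {
            # /r prints CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
            foreach ($cat in 'Account Logon', 'Logon/Logoff') { auditpol /get "/category:$cat" /r }
        }
        # Drop blank lines and the repeated header, then parse with a fixed header of our own
        $raw | Where-Object { $_ -match ',' -and $_ -notmatch '^Machine Name' } |
            ConvertFrom-Csv -Header 'Machine', 'Target', 'Subcategory', 'Guid', 'Inclusion', 'Exclusion' |
            ForEach-Object {
                [pscustomobject]@{
                    DomainController = $dc
                    Subcategory      = $_.Subcategory
                    Setting          = $_.Inclusion            # 'Success', 'Failure', 'Success and Failure' or 'No Auditing'
                    SuccessAudited   = $_.Inclusion -match 'Success'
                }
            }
    }
}

# Show only the gaps:
# Test-DcLogonAuditing | Where-Object { -not $_.SuccessAudited } | Format-Table
```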

Related Articles, References, Credits, or External Links

Barracuda Email Security Gateway Setup and Deployment

AnyConnect Group Authentication With Cisco ISE and Downloadable ACLs (Part 1)

KB ID 0001155

Problem

To be honest it’s probably a LOT easier to do this with Dynamic Access Policies, but hey, if you have ISE then why not use it for RADIUS, and let it deploy downloadable ACLs to your remote clients and give them different levels of access based on their group membership.

I’m going to keep things simple, I will have a group for admins that can access anything, and a group for users that can only RDP to internal servers.

I always assume things will break, so I’m also going to create a local user on the ISE deployment, so if Active Directory is down I will have a user account I can use to gain full access in the event of an emergency.

Solution

In production you will have plenty of users, but to test I’m going to create a test user and a test admin user.

Then put those users in an appropriate Active Directory security group, (here I’m using VPN-Users and VPN-Admins).

Now you will also need a ‘Tunnel-Group’ and a matching Group-Policy on the ASA to map the user groups to. That way, when a user connects they can pick the appropriate tunnel group like so;

So what I’ve done is set up AnyConnect and configured it properly (see article below), then I’ve simply ‘cloned’ the tunnel group and group policy to create a VPN-ADMINS and a VPN-USERS tunnel-group, each with its own group-policy. So my ASA config is as follows;

[box]

1. Show run ip local pool

Petes-ASA# show run ip local pool
ip local pool ANYCONNECT-POOL 192.168.101.1-192.168.101.254 mask 255.255.255.0
Petes-ASA# 

2. Show Group-Policy

Petes-ASA# show run group-policy
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
 wins-server none
 dns-server value 192.168.100.10
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value petenetlive.com
 webvpn
  anyconnect profiles value PNL-Profile type user
group-policy VPN-ADMINS internal
group-policy VPN-ADMINS attributes
 wins-server none
 dns-server value 192.168.100.10
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value petenetlive.com
 webvpn
  anyconnect profiles value PNL-Profile type user
group-policy VPN-USERS internal
group-policy VPN-USERS attributes
 wins-server none
 dns-server value 192.168.100.10
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value petenetlive.com
 webvpn
  anyconnect profiles value PNL-Profile type user
Petes-ASA#  

3. Show Tunnel Groups

Petes-ASA# show run tunnel
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy GroupPolicy_ANYCONNECT-PROFILE
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
 group-alias ANYCONNECT-PROFILE enable
tunnel-group VPN-ADMINS type remote-access
tunnel-group VPN-ADMINS general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy VPN-ADMINS
tunnel-group VPN-ADMINS webvpn-attributes
 group-alias VPN-ADMINS enable
tunnel-group VPN-USERS type remote-access
tunnel-group VPN-USERS general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy VPN-USERS
tunnel-group VPN-USERS webvpn-attributes
 group-alias VPN-USERS enable
Petes-ASA# 

[/box]

Create a Local Admin Group in Cisco ISE

On your Cisco ISE Deployment > Identity Management > Groups > Add.

Give the group a name and optional description > Save.

To create an admin user > Administration > Identity Management > Identities > Add.

Create the new admin user > set the password > add the user to the group you created above.

Adding Domain Groups To Cisco ISE

I’m assuming you have joined ISE to Active Directory > To check: Administration > Identity Management > External Identity Sources > Ensure the domain is joined and operational.

Groups > Add.

Locate and add the groups you created above.

Add An Active Directory Identity Source Sequence

We need to authenticate against our AD, but we want it to fail back to the ISE local database (for our local admin). To do that we use an identity source sequence. Administration > Identity Management > Identity Source Sequence > Add.

Give the sequence a name and add your AD and Internal Users.

MAKE SURE you select ‘Treat as if the user was not found and proceed to the next store in the sequence’ > Submit.

Add Cisco ASA to Cisco ISE as a RADIUS Device.

Administration > Network Resources > Network Device Groups > All Device Types > Add.

Add a device GROUP for your ASA(s) > Submit.

Administration > Network Resources > Network Devices > Add.

Add in the ASA > Provide its IP address, and add it to the group you created above > Set a RADIUS Shared Secret > Submit.

The shared secret must be the same on the ASA in the AAA config, like so;

[box]

Petes-ASA(config)# aaa-server Cisco-ISE protocol radius
Petes-ASA(config-aaa-server-group)# aaa-server Cisco-ISE host 192.168.100.11
Petes-ASA(config-aaa-server-host)# key 123456
Petes-ASA(config-aaa-server-host)# radius-common-pw 123456 
Petes-ASA(config-aaa-server-host)# exit
Petes-ASA(config)# 

[/box]

Cisco ISE Create Downloadable Access Control Lists (DACL)

Policy > Policy Elements > Results > Authorisation > Downloadable ACLs > Add.

Create an ACL for our VPN-USERS group that will only allow RDP (TCP 3389) > Submit.

Repeat the process to create an ACL that allows everything (for our VPN-ADMINS) > Submit.

Cisco ISE Create Authorisation Profiles

Policy > Policy Elements > Results > Authorisation > Authorisation Profiles > Add.

Create a profile for VPN-ADMINS > Set the correct DACL.

Set the advanced attributes > Change to RADIUS.

Class-25

Set the OU to equal the group-policy that you want the ASA to apply > Submit.

Create another profile for your VPN-USERS > Set the correct ACL.

RADIUS > Class-25 > OU set to the group-policy on your ASA for the normal users > Submit.

Cisco ISE Enable Policy Sets

Note: Only available on newer versions of ISE. Administration > System > Settings > Policy Sets > Enabled > Submit.

Policy > Policy Sets  > Add.

Continue to PART TWO

Related Articles, References, Credits, or External Links

AnyConnect Group Authentication With Cisco ISE and Downloadable ACLs (Part 2)

Cisco ASA 5500 AnyConnect Setup From Command Line

Event ID 1026

KB ID 0000134 

Problem

Event ID 1026

The DNS server was unable to create a name in memory for name “<host name>” in zone “<zone name>” in the Active Directory. This directory name is ignored. Use the DNS console to recreate the records associated with this name or check that the Active Directory is functioning properly and reload the zone. The event data contains the error. 

DNS can’t be updated with the name of something that’s trying to add itself to DNS.

Solution

  1. This is due to DNS nodes that contain characters Windows does not like (e.g. ! ‘ etc.). You can delete them in the following way.
  2. Start > Run > dsa.msc
  3. View > Advanced Features
  4. Domain name > System > MicrosoftDNS
  5. Note: any records for reverse DNS zones that no longer exist should be removed from here at this point.
  6. Then locate the offending entries (they will have a type of ‘dnsNode’) and delete them.
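Step 6 is the manual hunt; as an added example (not from the original article), this lists the dnsNode objects whose name falls outside the RFC hostname character set so you can review them before deleting anything. It goes beyond the System container used in the steps above and also searches the DomainDnsZones and ForestDnsZones application partitions, where AD-integrated zones are usually stored; it assumes the ActiveDirectory RSAT module.

```powershell
Import-Module ActiveDirectory

# dnsNode objects whose name (the 'dc' attribute) contains characters outside the allowed set.
function Get-SuspectDnsNodes {
    param(
        # RFC hostname characters plus '@' (zone root), '_' (SRV and other underscore records) and '*' (wildcard)
        [string]$AllowedPattern = '^[A-Za-z0-9._@*-]+$'
    )
    $domainDN = (Get-ADDomain).DistinguishedName
    $forestDN = (Get-ADRootDSE).rootDomainNamingContext
    $bases = @(
        "CN=MicrosoftDNS,CN=System,$domainDN",
        "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN",
        "CN=MicrosoftDNS,DC=ForestDnsZones,$forestDN"
    )
    foreach ($base in $bases) {
        # A container or partition this forest never created is simply skipped
        try { $null = Get-ADObject -Identity $base -ErrorAction Stop } catch { continue }

        Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=dnsNode)' -Properties dc, dNSTombstoned |
            Where-Object { $_.dc -notmatch $AllowedPattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Name       = $_.dc
                    # DN is DC=<name>,DC=<zone>,CN=MicrosoftDNS,...; split on unescaped commas only
                    Zone       = (($_.DistinguishedName -split '(?<!\\),', 3)[1]) -replace '^DC='
                    Tombstoned = [bool]$_.dNSTombstoned   # TRUE = already deleted in DNS, awaiting cleanup
                    DN         = $_.DistinguishedName
                }
            }
    }
}

# Review the list first; deleting is the manual step above (or Remove-ADObject on the DN shown).
# Get-SuspectDnsNodes | Format-Table Name, Zone, Tombstoned
```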

However, if you have machines on the network that are going to “re-register” themselves (e.g. Apple Macs, firewalls and routers), then the problem will reoccur.

If the problem does reoccur, you need to go to the DNS server and ALLOW names it does not allow by default (note: this is not recommended by Microsoft). If you want to do this;


      • On the DNS server Start > Administrative Tools > DNS
      • Right click the server name > Properties > Advanced
      • Change the Name Checking section to “All Names”
      • Restart the DNS Server service (or right click the server name > All Tasks > Restart)

Related Articles, References, Credits, or External Links

NA

Event ID 4004 and 4015

KB ID 0000133 

Problem

Event 4004 and 4015

The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is “”. The event data contains the error.

and

The DNS server was unable to complete directory service enumeration of zone .. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is “”. The event data contains the error.

If the 4004 and 4015 events only appear at start up, you get these events because your zones are stored in AD and you only have one Domain Controller. AD cannot start without DNS, and when DNS starts, because AD has not started, DNS cannot load the zones stored in AD. The error goes away if you have two or more DCs with DNS installed, or if you use standard primary zones.

Solution

Add a second domain controller, or ignore the error.

Related Articles, References, Credits, or External Links

NA

Event ID 1311

KB ID 0000126 

Problem

Event ID 1311

The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.

Directory partition: CN=Configuration,DC=domainname,DC=co,DC=uk

There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology.

Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.

Solution

Two possible causes: either you have VPNs connecting all the sites and there is an MTU problem, OR there is a dead domain controller that the other domain controllers cannot see.

1. Install Security Update for Windows Server 2003 (KB913446).

2. Add the following DWORD values under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters:

Value name: EnablePMTUBHDetect Value: 1

Value name: MTU Value: 1360

3. Open Active Directory Sites and Services, expand everything and make sure there are no domain controllers listed that no longer exist, either as servers or displayed on a replication link.

Related Articles, References, Credits, or External Links

NA