I’ve never really taken the time to look at pass-through authentication, I set up Azure AAD sync, then I either use ADFS or I don’t. It was only when looking at removing ADFS, that I even looked at it as an option.
How does Pass-through Authentication Work?
Remote client attempts to authenticate to Office 365 (Azure Active Directory).
Azure queues the request and sends it to an Azure Authentication Agent (on-prem), of which there may be many. Note: The requests will load balance.
The Azure Authentication Agents check the authentication request against the load Active Directory.
The Azure Authentication Agents sends its response back to Azure Active Directory.
The client is authenticated (or denied!)
Why is that Good?
Well you don’t need to deploy ADFS, or WAP. The agent only needs https (outbound) on the firewall Note: If you have a proxy server, theres some URL’s you need to allow. And you don’t need to wait for the default 30 minute AAD replication cycle for changes etc.
Solution
I’m assuming you already have Azure AD sync setup and running, (Simply accept ‘Express settings’ and accept all the defaults), once you have your local AD replicated to Azure, then you can switch over to pass-through authentication.
Open Azure AS Sync > Configure > Change user sign-in > Proceed to ‘User sign-in’ >pass-through authentication > Finish the wizard.
What happens is the ‘first’ Azure Authentication Agent is installed on the Azure AAD server > Force an AAD Sync > Then look in your Azure Portal > Azure Active Directory > Azure Ad Connect > Pass-through authentication > You should see your first agent.
You can select it and check its details. Note: You can download the Azure Authentication Agent software form this page for you to deploy additional Azure Authentication Agents.
The additional agents are simple to deploy, they will require you to authenticate to Azure though.
They will appear one at a time as deployed.
Related Articles, References, Credits, or External Links
I don’t think, Ive ever run the VMware Standalone Converter, without at least one error message or popup complaining about something! Today I was trying to convert a clients old Windows Server 2003 document management server, when trying to deploy the agent this happened;
Unable to connect to the network share ‘{Sever-name-or-IP} \ADMIN$’.
Solution
It’s a pretty descriptive error, can you map a drive to this machine and open a network share manually? Is the ‘server service’ running? In my case the problem was easily diagnosed;
As I wasn’t about to start enabling SMBv1 on the clients Windows 2019 server! So I simply installed the VMware Standalone converter on one of their existing 2008 members servers instead, and ran it from there.
Related Articles, References, Credits, or External Links
I still think P2V conversions are cool, and I’ve been doing them since version 3! It seems though every time I try and do one with the standalone converter though I get this error;
VMware vCenter Converter Standalone
Unable to complete installation/uninstallation of converter agent on ‘{target}’
Solution
I always spend five minutes messing with firewalls, checking remote registry services, credentials, and the fix is nearly always the same;
Locate VMware-Converter-Agent.exe in C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone, copy it to the target machine, and install it manually. Then try the conversion again.
If it gets this far, your problem is solved.
Related Articles, References, Credits, or External Links
Seems like ages since I wrote Part Two, now we are ready to actually start moving objects from one domain to another.
Solution
ADMT: Service Account Migration
Why would you want to do this first? Well this replaces any service accounts on the OLD domain machines with migrated service accounts form the NEW domain, so when the client machines, (or servers,) are migrated they’re already using the new service account, (neat eh!) Not only that, it will replace Local accounts with Domain accounts, for which you can specify a decent (secure) password.
Common Sense Check: If you are carrying this out on a server, then I’d suggest a good backup, or if it’s a VM, then at least a snapshot before you start!
Launch ADMT > Service Account Migration Wizard.
The wizard is pretty straight forward.
When prompted select the computer(s) you want to perform the service account migration upon.
Select Run pre-check > OK > It should say ‘Passed’.
Select Run pre-check and agent operation > Start > It should say ‘Successful’.
It will locate (if found) any service accounts, you can choose whether to ‘skip’ them or ‘include’ them > Next > Finish.
Now we have to do a ‘User migration’ for these users, (don’t panic we haven’t started migrating domain users yet.) But these service accounts need creating in newdomain.com
Launch a ‘User Account Migration Wizard’.
This time it will remember the domain settings, and should display your chosen service accounts.
Select the ‘Target OU” in newdomain.com > Next > Generation complex passwords > Make sure you tick ‘Migrate User SIDs to target domain’.
Because I was lazy, and didn’t manually enable auditing, ADMT will do it for me, (Note: This will create a security group in olddomain.com).
Update User Rights > I’m not excluding any attributes > Do not migrate if theres a conflict > Check and include the accounts as required > Select “Migrate all service accounts and update SCM for items marked include”.
Heed the local group warning > Finish > Hopefully it should complete without errors.
So now your computers, (still on the olddomain.com) have their services running under service accounts on newdomain.com.
ADMT Domain Group Migration
Wait, you are migrating groups before users? Yes, the ADMT database tracks who is in what groups, and they will all get put in the right groups as the users come across into the new domain.
There is a sequence for doing this though, you may or may not be aware there are three types of security groups and they HAVE TO be migrated in the correct order;
First: Universal Groups
Second: Global Groups
Third: Domain Local Groups
To locate what types of groups you have, and what they are called, run the following commands;
This is probably the easiest of all the migrations, just accept the defaults and locate your universal groups.
Select the target OU > Fix Membership of group > Migrate Group SIDs to target domain > Again I’m not excluding any attributes.
Dont migrate if theres a conflict > Finish > Hopefully they will all complete successfully.
Then repeat for the other two group types.
What about Distribution Groups? These are created by Microsoft Exchange, if you need to migrate Distribution groups then you can convert them to domain local security groups, then migrate them with ADMT. Note: You may need to fix their Email address manually, that depends on your new email deployment in newdomain.com
Common Sense Check: At this point it’s worth considering ‘user attributes’. For the uninitiated, a user attribute is a ‘setting’ that all users can have, e.g. a user-name, a telephone number, a department etc. All these are ‘user attributes‘ The attributes that users can have, are defined in the ‘Schema‘. So if you have any software that ‘extends the schema‘, this creates new attributes. The best example of this is Microsoft Exchange, which add lots of attributes. But there are third party bits of software that you may use, that do the same. For example I have client that has third party software that creates a ‘Photo’ attribute that holds the users ‘mugshot’, and another that adds employee payroll numbers. MAKE SURE that these bits of software have been installed into the target domain, if you want the attributes to migrate properly.
ADMT > User Account Migration Wizard.
Accept the defaults > Select the users you want to migrate.
Note: If you are wanting to change the username i.e. from p.long to pete.long then you can use a CSV and select ‘read objects from include file.’
Persona Management, is the VMware version of “Roaming Profiles” and “Redirected Folders” rolled into one. Though the redirected folders bit is a lot easier to set up and less problematic than the Microsoft Folder Redirection policy.
Its handy if you using floating pools but still want your users to have a persistent user interface. Having these files centrally makes them easier to backup, and the more your users can customise their desktops and settings the better their level of equipment husbandry.
Solution
Create a “Roaming Profile” Network share with the correct permissions
1. On a network accessible server, create a folder and set the SHARE permissions as follows;
Share Permissions
Everyone = Read. Domain Users = Full Control.
Note: You may also want to DISABLE Caching on this folder.
2. Stop inheritable permissions from propagating to the folders and set the security permissions as follows;
Security / NTFS Permissions
Creator Owner (Subfolders and Files Only) = Full Control. Domain Users (This folder Only) = List Folder/Read Data and Create Folders/Append Data. System (This Folder, Subfolders and files) = Full Control. Creator Owner (Subfolders and Files Only) = Full Control. Everyone = No Permissions.
Note: I’m using domain users, you might have a different security group that you want to substitute.
3. Make sure that the machines that you will be using as view targets, have the View Persona Management option selected (this is selected by default).
Here you will find the folders that can be redirected to a central location.
13. For example, here I’m redirecting the users “My Documents” folder.
14. And their “My Pictures” folder.
15. Make sure you have a pool created, and your users are have an ‘entitlement’ to them. These machines will also HAVE TO be in the OU your policy is applying to.
16. Now when your users connect to their View Desktops.
17. Their user profile will be persistent.
18. Because their settings are stored in your profile shared folder.
Note: Persona Management will store the profile in username.domainname format. The reason there is a V2 on the end of it, denotes the profile is for Windows 7 or Vista. If users swap between these OS’s and any older Windows OS’s, then they will get a separate profile for those as well. If this is the case rely on the folder redirection rather than the profile.
Related Articles, References, Credits, or External Links
While trying to deploy a Windows XP Pool yesterday, I hit upon this problem. Windows 7 works fine, but as soon as I tried to roll out a Windows XP pool, they stopped like this;
After a couple of hours, the whole operation timed out, and each machine shows as;
Status
{Date}{Time} o’clock {Time-Zone}:
Customization operation timed out
I tried to deploy the pool with both ‘quick prep’ and ‘sysprep’, but the results were the same. The replica is created, the pool creates the machines, but they DO NOT join the domain.
Solution
Despite my best efforts, I had to admit defeat and call VMware. Turns out they knew what the problem was straight away.
1. In my case the pool was going to be a linked clone pool. Go to the reference XP machine that you are using for this pool, and power it on.
2. Start > Run > appwiz.cpl {Enter}.
3. Locate and uninstall the VMware View Agent software.
6. Reboot the machine, (or the next step will fail and ask for a reboot!)
7. Reinstall the VMware View Agent.
8. Now if you are creating a linked clone pool, release the IP address > shut down the guest machine > snapshot the guest machine > recreate your pool.
Conclusion
VMware tell me that this is well documented in this kb article. But both at the time, and since, I’ve analysed the logs on the connection server, and the agent logs on the deployed machines, and found no mention of the following error,
“View Composer agent initialization state error (18): Failed to join the domain”
Hopefully this will help out someone stuck in the same position.
Related Articles, References, Credits, or External Links
While working on a badly Malware affected server the other day, I tried to resurrect the Trend Micro Security Agent. It refused to run, so I attempted to remove it. Then I could reinstall it cleanly. (I knew the password that it required for removal). However this it what happened when I tried;
Trend Micro Worry-Free Business Security Agent Setup
Unable to Uninstall
An error has stopped the removal of the Trend Micro Worry-Free Business Security Agent. No changes have been made to this computer. Please contact Trend Micro for help.
Click the button below to close this window.
Solution
This procedure was carried out on Worry-Free Business Security Version 7.
1. Download and extract this zip file, (password novirus) to your desktop.
2. Run the SA_Uninstall_2360.exe file, it will create a folder on your desktop called SA_Uninstall.
3. Open that folder and run the ‘uninstall.bat’ file.
4. Press a key when prompted, then enter ‘Y’ to reboot.
5. Post reboot, I went back to Add/Remove programs, and it was still there! however now it let me uninstall it without error.
6. I now went to the server running the Worry-Free console, and pushed out a fresh agent to this machine, updated it, and did a full manual scan.
Related Articles, References, Credits, or External Links
Not the most descriptive of errors! In fact this has got nothing to do with the busyness of the web server at all.
Solution
What’s actually happening is the RSA agent on this machine (in this case a web server) cannot communicate with the RSA Authentication Manager. In my case the web server was in a DMZ, and the RSA Authentication Manager Appliance was in another DMZ. The ports required (TCP 5500, UDP 5500, and TCP 5580). were not open from the agent to the appliance. Once I fixed that, we were up and running.
Related Articles, References, Credits, or External Links