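#------------------------------------------------------------
# Azure Files AD DS authentication: onboard a storage account as an AD
# computer object. Directory writes go through the ActiveRoles (QAD)
# cmdlets, storage-account changes through the Az modules.
# Run top to bottom in an elevated PowerShell session; fill in Part C first.
# Secrets: $AzStorageAcc.Value and $KerbKey hold a storage-account Kerberos
# key in plain text for the life of the session. Do not run under
# Start-Transcript and do not paste the session output into a ticket; the
# key variables are cleared in Part L.
#------------------------------------------------------------
#------------------------------------------------------------
# Part A - Install necessary packages
#------------------------------------------------------------
# NOTE (Make sure the account you are using in windows is part of local administrators)
# 0) Download and unzip the One AD Active Roles Server cmdlets from : https://pwceur.sharepoint.com/:u:/r/sites/NisGlobalActiveDirectory/One%20AD%20Documents/Public/ARS%20Management%20Shell%207.4.4.zip
# 1) Install x86 and x64 Visual C++ redistributables from the (1.Redistributables) folder.
# 2) Install the x86 and x64 ADSI provider components from the (2. ActiveRoles ADSI Provider) folder.
# 3) Install the x86 and x64 ARS Management Shell components from the (3. ActiveRoles Management Shell) folder.
# 4) Install DotNet (necessary for the AzFilesHybrid module) https://dotnet.microsoft.com/en-us/download/dotnet-framework/thank-you/net472-web-installer
# 5) Download the AzFilesHybrid module zip file from: https://github.com/Azure-Samples/azure-files-samples/releases
# 6) Extract the file above to c:\temp
# IMPORTANT !
# Run Powershell as *B account * to execute the instructions below
# Install Active directory powershell modules.
Install-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature
# Install these modules
# PSGallery requires TLS 1.2; older .NET defaults would fail the download.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Install-Module PackageManagement
Install-Module PowerShellGet
# Install PowerShell modules for Azure
# NOTE(review): without -Scope this changes the machine-wide policy; the
# CopyToPSPath.ps1 step below is the only reason it is needed.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
Install-Module -Name Az -Repository PSGallery -Force
# Install PowerShell modules for Azure AD
Install-Module AzureAD
# Install AzFilesHybrid PowerShell modules (used for troubleshooting only)
cd c:\temp
./CopyToPSPath.ps1
#------------------------------------------------------------
# Part B - Import the modules
#------------------------------------------------------------
# Import AzFilesHybrid PowerShell modules (used for troubleshooting only)
Import-Module AzFilesHybrid
# The next two lines will import the modules that were installed in step 3 above.
# If you receive an error, just close and re-open Powershell and start from this line.
Import-Module ActiveRolesManagementShell
Import-Module ActiveRolesConfiguration
# Import the Active directory powershell modules.
# WARNING: Error initializing default drive: 'The server has rejected the client credentials.'. <--- Check that one
# Ignore warning. <--- Check that one
Import-Module ActiveDirectory
# Import these modules
Import-Module PackageManagement
Import-Module PowerShellGet
# Import PowerShell modules for Azure
Import-Module Az
# Import PowerShell modules for Azure AD
Import-Module AzureAD
#------------------------------------------------------------
# Part C - Declare variables
#------------------------------------------------------------
$SubscriptionId = ""
$ResourceGroupName = ""
$StorageAccountName = "" # Must be 15 characters or less (it becomes the AD computer account name)
$OuDistinguishedName = ""
$EncryptionType = "AES256"
# Prompted interactively so the AD credential never lands in this file or in history.
$OneADAccountA = Get-Credential -Message "Please Enter your OneAD GUID-A Credentials"
#------------------------------------------------------------
# Part D - Create Account into AD with ARS cmdlets
#------------------------------------------------------------
Connect-QADService -Service "gz-zweapppwv127.pwcglb.com" -Proxy -Credential $OneADAccountA
New-QADComputer -Name $StorageAccountName -ParentContainer $OuDistinguishedName
#------------------------------------------------------------
# Part E - Connect to Azure
#------------------------------------------------------------
Connect-AzAccount
Select-AzSubscription -SubscriptionId $SubscriptionId
#------------------------------------------------------------
# Part F - Generate key
#------------------------------------------------------------
# kerb1 is a Kerberos key, not a data-access key; its Value is still a
# credential for the storage account and is handled as one below.
New-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -KeyName kerb1
$AzStorageAcc = Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -ListKerbKey | Where-Object { $_.KeyName -eq "kerb1" }
Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
#------------------------------------------------------------
# Part G - Configure the AD computer account (SPN and password)
#------------------------------------------------------------
# The computer account's password must equal the kerb1 key so the storage
# service can decrypt Kerberos tickets issued for cifs/<account>.file.core.windows.net.
$Computer = Get-QADComputer -Name $StorageAccountName
Set-QADComputer $Computer.CanonicalName -ObjectAttributes @{ servicePrincipalName = @{ Add = "cifs/$($StorageAccountName).file.core.windows.net" } } -Description "Computer account object for Azure storage account $StorageAccountName." -Password $AzStorageAcc.Value
#------------------------------------------------------------
# Part H - Enable Azure AD feature
#------------------------------------------------------------
$DomainInfo = Get-ADDomain
$ADDomainName = $DomainInfo.DNSRoot
$ADDomainGuid = $DomainInfo.ObjectGUID.ToString()
$ADDomainSID = $DomainInfo.DomainSID.Value
# The NetBIOS name is a distinct property; the DNS root was previously passed here by mistake.
$ADDomainNetbios = $DomainInfo.NetBIOSName
$ADDomainForest = $DomainInfo.Forest
$ADAccountSID = $Computer.Sid.Value
Set-AzStorageAccount -ResourceGroupName "$ResourceGroupName" -Name "$StorageAccountName" -ActiveDirectoryDomainName $ADDomainName -ActiveDirectoryNetBiosDomainName $ADDomainNetbios -ActiveDirectoryForestName $ADDomainForest -ActiveDirectoryDomainGuid $ADDomainGuid -ActiveDirectoryDomainSid $ADDomainSID -ActiveDirectoryAzureStorageSid $ADAccountSID -EnableActiveDirectoryDomainServicesForFile $true
#------------------------------------------------------------
# Part I - Enable AES256
#-----------------------------------------------------------
# Set-ADComputer -Identity $StorageAccountName -Server $ADDomainName -KerberosEncryptionType AES256 -Credential $OneADAccountA
# msDS-SupportedEncryptionTypes = 16 (0x10) restricts the account to AES256-CTS-HMAC-SHA1-96,
# so RC4 tickets cannot be issued for the share. edsaDoNotRequirePassword is an ARS
# policy attribute; $false keeps the account subject to the normal password requirement.
Set-QADComputer -Identity $StorageAccountName -ObjectAttributes @{ 'msDS-SupportedEncryptionTypes' = 16; 'edsaDoNotRequirePassword' = $false }
#------------------------------------------------------------
# Part J - Reset password after enable AES256
#-----------------------------------------------------------
# Changing the encryption type invalidates the stored key material, so the kerb1
# key is regenerated and the computer account password reset to the new value.
$KeyName = "kerb1" # Could be either the first or second kerberos key, this script assumes we're refreshing the first
$KerbKeys = New-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -KeyName $KeyName
$KerbKey = $KerbKeys.keys | Where-Object { $_.KeyName -eq $KeyName } | Select-Object -ExpandProperty Value
$NewPassword = ConvertTo-SecureString -String $KerbKey -AsPlainText -Force
# Need to be executed by Jay (requires reset-password rights on the computer object)
Set-ADAccountPassword -Identity $StorageAccountName -Reset -NewPassword $NewPassword
#------------------------------------------------------------
# Part K - Optional: CMDlets to troubleshoot
#-----------------------------------------------------------
# Uses the variables declared in Part C rather than placeholder strings.
Test-AzStorageAccountADObjectPasswordIsKerbKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -Verbose
Debug-AzStorageAccountAuth -StorageAccountName $StorageAccountName -ResourceGroupName $ResourceGroupName -Verbose
#------------------------------------------------------------
# Part L - Clear key material from the session
#-----------------------------------------------------------
# The Kerberos key values are plain text in these variables; drop them once the
# password has been set so they do not linger in the session or a later dump.
Remove-Variable -Name AzStorageAcc, KerbKeys, KerbKey, NewPassword -ErrorAction SilentlyContinue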