Tag Archive: Active Directory


My company provides SQL DBA services and builds system integrations. We use various VPN clients to connect in to most company networks, but have always had issues using integrated Windows (Active Directory) authentication with certain applications.

Launching an RDP session or browsing a network share works just fine, but if we want to connect SQL Server Management Studio to a server on the remote network using our domain credentials we have previously been stuck, leading us to deviate from (what I feel is) best practice and create SQL users.

When we build interfaces in Visual Studio they will normally run on client servers using Active Directory/domain service accounts. If we wanted to carry out any troubleshooting we could not accurately emulate the interface in Visual Studio (as the domain service account).

If our local machines were joined to the client domain we could either log on as the service account or run SSMS / VS as the network user, but otherwise we are out of luck…

…that was until we stumbled across the /netonly command line argument for runas.exe.

Apparently this whole time there has been a technique to launch an application using credentials which don't exist locally or on the current/trusted domain! We now have some .bat files saved which launch our core applications using runas.exe with the /netonly argument. For example:

runas /netonly /user:remotedomain\remoteuser "C:\Program Files (x86)\Microsoft SQL Server\140\Tools\Binn\ManagementStudio\ssms.exe"

*EDIT* Furthermore, I've just stumbled across ShellRunAs, which integrates into Windows Explorer and gives you a right-click option to Run As (Netonly): https://docs.microsoft.com/en-us/sysinternals/downloads/shellrunas
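The /netonly launch described above, as an added PowerShell example that is not from the original post: it calls CreateProcessWithLogonW directly with LOGON_NETCREDENTIALS_ONLY, the logon flag behind runas.exe's /netonly switch, which makes clear what the switch does and does not do. The function name, parameter names, sample account and SSMS path are assumptions.

```powershell
$code = @'
using System;
using System.Runtime.InteropServices;
public class NetOnlyLaunch {
    public const int LOGON_NETCREDENTIALS_ONLY = 0x2;   // logon type used by "runas /netonly"
    public const int CREATE_UNICODE_ENVIRONMENT = 0x400;
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcessWithLogonW(
        string userName, string domain, string password, int logonFlags,
        string applicationName, string commandLine, int creationFlags,
        IntPtr environment, string currentDirectory,
        ref STARTUPINFO startupInfo, out PROCESS_INFORMATION processInformation);
}
'@
Add-Type -TypeDefinition $code

function Start-NetOnlyProcess {
    param(
        [Parameter(Mandatory)][string]$User,     # DOMAIN\user, as given to runas /user:
        [Parameter(Mandatory)][string]$FilePath  # executable to launch
    )
    if (-not ($User -match '^([^\\]+)\\([^\\]+)$')) { throw "User must be DOMAIN\user, got: $User" }
    $domain, $name = $Matches[1], $Matches[2]
    if (-not (Test-Path -LiteralPath $FilePath)) { throw "Executable not found: $FilePath" }
    # Prompt as runas does, so the password never sits on a command line or in shell history
    $cred = Get-Credential -UserName $User -Message "Network-only credentials for $User"
    $si = New-Object 'NetOnlyLaunch+STARTUPINFO'
    $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
    $pi = New-Object 'NetOnlyLaunch+PROCESS_INFORMATION'
    # The new process runs locally as the caller (same logon session); the supplied credentials
    # are only presented for outbound authentication (SMB, SQL Server, Kerberos/NTLM to the remote domain)
    $ok = [NetOnlyLaunch]::CreateProcessWithLogonW($name, $domain, $cred.GetNetworkCredential().Password,
        [NetOnlyLaunch]::LOGON_NETCREDENTIALS_ONLY, $null, "`"$FilePath`"",
        [NetOnlyLaunch]::CREATE_UNICODE_ENVIRONMENT, [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)
    if (-not $ok) { throw (New-Object ComponentModel.Win32Exception([Runtime.InteropServices.Marshal]::GetLastWin32Error())) }
    return $pi.dwProcessId   # credentials are not validated at launch; a wrong password only shows when the app connects
}

# Constructed sample call; substitute your own domain, account and SSMS path
Start-NetOnlyProcess -User 'remotedomain\remoteuser' -FilePath 'C:\Program Files (x86)\Microsoft SQL Server\140\Tools\Binn\ManagementStudio\ssms.exe'
```

Because the process keeps the caller's local token, anything it does on the local machine (file access, local SQL instances) still happens as you, not as the remote account; only connections to the remote network carry the supplied credentials.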


I provisioned a new Windows Server 2012 R2 VM to be used as a Domain Controller and another to be used for VMware Update Manager and Veeam (Backup and Replication).

Assign a static IP address and install all Windows updates (this takes considerable time and numerous reboots).

Domain Controller

Follow the "wizard". The main thing to note (as previously mentioned) is to follow best practice when choosing a domain name; I've always gone with something.local or something.home in the past, but suffered as a result. I did a little research and found some articles suggesting best practice is to use a subdomain of an internet-facing domain you own: http://www.mdmarra.com/2012/11/why-you-shouldnt-use-local-in-your.html. So, say you own microsoft.com, your internal domain name may be ad.microsoft.com. You configure the NetBIOS name to be whatever you like; this is used when you log on as NETBIOS\User rather than user@ad.microsoft.com.

Now you can join the other Windows Server to the domain and configure the identity source in vCenter. This took me a little longer than anticipated: you must log in as administrator@vsphere.local (not root).

Update Manager

  • Install Update Manager (follow the "wizard")
  • Log in to vCenter (using vSphere)
  • Ensure all virtual machines are off the host
  • Scan
  • Attach (patch and upgrade baselines)
  • Remediate (check both baselines and check all patches)
  • Repeat for each host

Veeam

  • Install Veeam
  • Connect to vCenter
  • Set up a Backup Repository
  • Configure Backups (I stick roughly to the defaults: weekly full backup with daily incrementals, retaining 14 restore points). *I added the entire datacenter to the job, so as I add new VMs they will automatically be included in the backup job. I can then create a new datacenter to store development machines and/or anything I don't want included in the nightly backups*