azure-samples / azure-files-samples
This repository contains supporting code (PowerShell modules/scripts, ARM templates, etc.) for deploying, configuring, and using Azure Files.

Home Page: https://docs.microsoft.com/azure/storage/files/storage-files-introduction

License: MIT License

Languages: PowerShell 91.48%, Shell 7.38%, Python 1.15%
Topics: azure-file-sync, azure-dns-forwarder, active-directory, azure-active-directory

azure-files-samples's Introduction

Azure Files

Azure Files provides serverless cloud file shares that can be used from anywhere in the world. You can mount Azure file shares directly from your on-premises workstation, or you can cache Azure file shares on an on-premises file server with Azure File Sync. To learn more about Azure Files, please see Introduction to Azure Files, Planning for an Azure Files deployment, and Planning for an Azure File Sync deployment. You can also reach out to us directly by sending us an email at [email protected].

About this repository

This repository contains supporting code (PowerShell modules/scripts, ARM templates, etc.) for deploying, configuring, and using Azure Files. This repository is home to the following important projects:

  • The AzFilesHybrid PowerShell module, which provides cmdlets for deploying and configuring Azure Files: in particular, cmdlets for domain-joining storage accounts to your on-premises Active Directory and for configuring your DNS servers.

  • An Azure template for deploying DNS forwarders: an ARM template that the AzFilesHybrid module uses to deploy DNS forwarders.

  • Instructions for setting up a Point-to-Site VPN (P2S) to bypass port 445. The most up-to-date instructions for configuring a Point-to-Site VPN are available here; however, we have kept this information in this repository for now, since the P2S instructions here use a slightly different approach that some customers may find useful.

How to contribute

We welcome issue submission and direct contributions. Please feel free to create pull requests or issues as needed.

azure-files-samples's People

Contributors

aman-1004, athreyasubash, bharathsm-ms, chdevala, clin-ms, damok-msft, figueroajose, grover2754, hxin-ms, jayamm-msft, jeffpatt24, jgee194, ksubmsft, ledavies, mainisuruchi, maximekjaer, mgajda83, microsoftopensource, msftgits, mtalasila, nickmoores, nikomix, renashahmsft, rohiths-msft, rohiths-osource, sprasad-microsoft, surendernitj, tichaczech, wmgries, yunzhou-ms


azure-files-samples's Issues

Bad NetBIOSName in Test-AzStorageAccountADObjectPasswordIsKerbKey

Hi,
In function Test-AzStorageAccountADObjectPasswordIsKerbKey the wrong name was used for NetBIOS. This generates an error with Debug-AzStorageAccountAuth when you have a different NetBIOS name:
"---- CheckADObjectPasswordIsCorrect ----
Password for < Bad name > \ < StorageAccountName > does not match kerb1 or kerb2 of storage account: < StorageAccountName >. Please run the following
command to resync the AD password with the kerb key of the storage account and retry: Update-AzStorageAccountADObjectPas
sword. (https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-update-password)"

It is:
$userName = $domain.Name + "\" + $adObj.Name
But should be:
$userName = $domain.NetBIOSName + "\" + $adObj.Name

Update Error Message for AD Deserialized Objects

Line 762 imports the Active Directory module. Later use of cmdlets require serialized AD objects which were not available on my Windows Server 2016, PowerShell 7.1.4, with ActiveDirectory module 1.0 machine.

Specifically, the "OverwriteExistingADObject" switch triggers the use of serialized AD objects on line 2555 and 2582. Set-ADComputer **-Instance** $computerSpnMatch -ErrorAction Stop

A more clear error message warning of this condition would be helpful. Our workaround was to just delete object manually and restart.

Edit: To clarify, this is for azure-files-samples/AzFilesHybrid/AzFilesHybrid.psm1

Template Issue

Using the latest v0.2.1 version, I am receiving the following error when trying to create a DNS Forwarder.

Write-Error: C:\Users\ericn\Documents\PowerShell\Modules\AzFilesHybrid\0.2.1.0\AzFilesHybrid.psm1:5158
Line |
5158 | Assert-DnsForwarderArmTemplateVersion
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| The template for deploying DNS forwarders in the Azure repository is a newer version than the
| AzureFilesHybrid module expects. This likely indicates that you are using an older version of the
| AzureFilesHybrid module and should upgrade. This can be done by getting the newest version of the
| module from https://github.com/Azure-Samples/azure-files-samples/releases.

Attempting to follow the directions here: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-networking-dns

TrustedForDelegation when using ServiceLogonAccount

During the join of the storage account to the domain, when the ObjectType is set to ServiceLogonAccount the AD user account that is created is configured with "TrustedForDelegation $true" (line 2382 in v0.1.2.0).
This Kerberos delegation is not scoped.
This is a pretty high and critical permission:
https://docs.microsoft.com/en-us/archive/blogs/pie/credential-theft-made-easy-with-kerberos-delegation

As this is not done when creating a computer account and is not mentioned in the docs when creating this manually I would like to know if this is really required and if so how it can be scoped.
If it is really required I would really not choose to use a user account but a computer account and roll over the Kerberos keys regularly.
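The following is an added example, not code from the azure-files-samples repository or from the issue author: an audit that lists every account in the domain carrying unconstrained Kerberos delegation, so an Azure Files identity created with TrustedForDelegation = $true is visible next to any other such account and can be reviewed by the directory owner. It assumes the RSAT ActiveDirectory module and read access to the domain; the SPN pattern cifs/*.file.core.windows.net is taken from the module's verbose output quoted elsewhere on this page, and the function name is an invention for illustration.

```powershell
# Added example (not part of the AzFilesHybrid module): audit accounts with
# unconstrained delegation. Assumes RSAT ActiveDirectory and domain read access.
Import-Module ActiveDirectory

function Get-UnconstrainedDelegationAccounts {
    param(
        [string] $Server   # optional domain or DC to query; defaults to the current domain
    )
    $common = @{
        # TrustedForDelegation is the AD cmdlets' view of userAccountControl bit 0x80000
        Filter     = { TrustedForDelegation -eq $true }
        Properties = 'servicePrincipalName', 'whenCreated', 'userAccountControl'
    }
    if ($Server) { $common['Server'] = $Server }

    # Both user objects (ServiceLogonAccount) and computer objects (ComputerAccount) can carry the flag.
    $accounts = @(Get-ADUser @common) + @(Get-ADComputer @common)

    foreach ($obj in $accounts) {
        $spns = @($obj.servicePrincipalName)
        [pscustomobject]@{
            Name                    = $obj.Name
            ObjectClass             = $obj.ObjectClass
            DistinguishedName       = $obj.DistinguishedName
            # Raw UAC bit, shown so the cmdlet property can be cross-checked against the attribute
            UacTrustedForDelegation = [bool]($obj.userAccountControl -band 0x80000)
            # Identities the module creates carry a cifs/<account>.file.core.windows.net SPN (assumed pattern)
            IsAzureFilesIdentity    = [bool]($spns | Where-Object { $_ -like 'cifs/*.file.core.windows.net' })
            WhenCreated             = $obj.whenCreated
        }
    }
}

# Usage: Azure Files identities first, then every other account with unconstrained delegation.
Get-UnconstrainedDelegationAccounts |
    Sort-Object -Property IsAzureFilesIdentity, WhenCreated -Descending |
    Format-Table -AutoSize
```

Running this before and after Join-AzStorageAccountForAuth shows exactly which object gained the flag; whether the flag can then be cleared or narrowed is the question the issue puts to the maintainers, and the audit output is the evidence to attach to that discussion.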

port 445 timeout even with firewall tcp port opened

I'm testing

sudo mount --verbose -t cifs //logvolume.file.core.windows.net/aksshare /mnt/aksshare -o vers=3.0,credentials=/etc/smbcredentials/logvolume.cred,dir_mode=0777,file_mode=0777,serverino

which fails with

me.cred,dir_mode=0777,file_mode=0777,serverino
mount.cifs kernel mount options: ip=20.150.95.8,unc=\\logvolume.file.core.windows.net\aksshare,vers=3.0,dir_mode=0777,file_mode=0777,serverino,user=logvolume,pass=********
mount error(115): Operation now in progress
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)

and log messages

[ 6317.931829] CIFS: Attempting to mount \\logvolume.file.core.windows.net\aksshare
[ 6328.381224] CIFS: VFS: Error connecting to socket. Aborting operation.
[ 6328.381247] CIFS: VFS: cifs_mount failed w/return code = -115

I've installed and used this tool

sudo bash AzFileDiagnostics.sh -u //logvolume.file.core.windows.net/aksshare

and the problem is still

2022-04-30T09:18:18.768Z Checking: Check if client has any connectivity issue with storage account
2022-04-30T09:18:18.770Z Storage account FQDN is logvolume.file.core.windows.net
2022-04-30T09:18:18.772Z Getting the Iptables policies
2022-04-30T09:18:18.830Z Test the storage account IP connectivity over TCP port 445
2022-04-30T09:18:29.200Z Error: Port 445 is not reachable from this client and the error is Connection Timeout or Error happens

Looking at the source code here I see that it does

nc -v -z -w 5 logvolume.file.core.windows.net 445

and it gets a timeout

Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: TIMEOUT.

Are the credentials not yet requested in this phase of connection?
Anyway I stored them and used in the mount command, according to azure connect button's output.
Is it due to the firewall?
I've opened the tcp port in the firewall

firewall-cmd --list-ports
445/tcp 1025-65535/tcp 1025-65535/udp

I've asked the question on Microsoft Azure Q&A about storage accounts.

Can you help me with this or point me to next action I have to do?
Thanks

Error while running CopyToPSPath.ps1

Hi,

I have error while running script CopyToPSPath.ps1:

+ $psdFile = Import-PowerShellDataFile -Path .\AzFilesHybrid.psd1
+            ~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Import-PowerShellDataFile:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Could you please help?

Get-AzResourceGroup Error in Azure Gov

When running the AzureFilesHybrid get an error:

Get-AzResourceGroup: C:\Users\admincg\Documents\PowerShell\Modules\AzFilesHybrid\0.2.3.0\AzFilesHybrid.psm1:2060
Line |
2060 | … $resourceGroupObject = Get-AzResourceGroup -Name $ResourceGroupName
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Object reference not set to an instance of an object.

Running Get-AzResourceGroup -Name "RealResourceGroupName" produces the same error.

Fix this code error

File - AzFilesHybrid.psm1
Line - 3766
Change $domainInformation.DomainSID.Value to $domainInformation.DomainSID as it giving error.

File - AzFilesHybrid.psm1
Line - 3762
Change $azureStorageIdentity.SID.Value to $azureStorageIdentity.SID

Did some digging. Actually, your code is working fine in PS Desktop but not in PS Core.

AzFilesHybrid: Az module detection not working

The Az module detection logic appears not to be working with Az modules > v2.x; a message is logged:

Install Azure PowerShell modules This module requires Azure PowerShell ("Az" module) 2.8.0+ and Az.Storage 1.8.2-preview+. This can be installed now if you are running as an administrator.

In environments where I have the following installed:

Script 4.1.0 az
Script 2.0.0 Az.Storage

The error is non-blocking if you run the sample scripts piecemeal but it will block them if you attempt to run through in a single execution.

Unable to import the AzFilesHybrid module into an Azure Runbook

Error importing the module AzFilesHybrid. Import failed with the following error: Orchestrator.Shared.AsyncModuleImport.ModuleImportException: An error occurred during module validation. When importing the module to an internal PowerShell session, it was not able to be loaded by PowerShell. There is likely an issue with the contents of the module that results in PowerShell's not being able to load it. Please verify that the module imports successfully in a local PowerShell session, correct any issues, and then try importing again.

Error finding computer in ActiveDirectory

We named the OU storing the domain groups for ACLs in AD the same as the storage account. Therefore multiple objects were returned while querying for the computer account, resulting in Join-AzStorageAccountForAuth failing.
Please change the code to use OrganizationalUnitDistinguishedName (and not just the name) to find the computer account. Additionally the objectclass "computer" or "user" could be added while querying...

File - AzFilesHybrid.psm1
Line - 2706
$obj = Get-ADObject -Server $Domain -Filter "Name -eq '$ADObjectName'" -ErrorAction Stop

I can provide experienced return in PM.
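The lookup the issue asks for, written as an added example rather than the module's own code: the query is scoped to the OU's distinguished name with -SearchBase, restricted to the requested object class, and treats anything other than exactly one hit as an error. The parameter names mirror the module's; the function name, the LDAP-escaping helper and the placeholder values in the usage line are assumptions for illustration.

```powershell
# Added example (not AzFilesHybrid code): OU-scoped, class-restricted lookup of the
# storage account's AD object. Assumes RSAT ActiveDirectory and domain read access.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)] [string] $Value)
    # RFC 4515 escaping so a name containing ( ) * \ or NUL cannot change the filter's shape.
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'  { [void]$sb.Append('\5c') }
            '*'  { [void]$sb.Append('\2a') }
            '('  { [void]$sb.Append('\28') }
            ')'  { [void]$sb.Append('\29') }
            "`0" { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Find-StorageAccountADObject {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $ADObjectName,
        [string] $OrganizationalUnitDistinguishedName,
        [ValidateSet('computer', 'user')] [string] $ObjectClass = 'computer'
    )
    # objectClass=user also matches computer objects (computer derives from user),
    # so objectCategory is what actually separates the two kinds of account.
    $classClause = if ($ObjectClass -eq 'computer') { '(objectCategory=computer)' }
                   else { '(&(objectCategory=person)(objectClass=user))' }
    $nameClause  = "(name=$(ConvertTo-LdapFilterValue $ADObjectName))"

    $params = @{
        Server      = $Domain
        LDAPFilter  = "(&$nameClause$classClause)"
        Properties  = 'servicePrincipalName'
        ErrorAction = 'Stop'
    }
    $scope = $Domain
    if ($OrganizationalUnitDistinguishedName) {
        # Search only the given OU and its children, not the whole domain.
        $params['SearchBase']  = $OrganizationalUnitDistinguishedName
        $params['SearchScope'] = 'Subtree'
        $scope = $OrganizationalUnitDistinguishedName
    }

    $found = @(Get-ADObject @params)
    if ($found.Count -eq 0) {
        throw "No $ObjectClass named '$ADObjectName' found under '$scope'."
    }
    if ($found.Count -gt 1) {
        throw "Ambiguous lookup: $($found.Count) objects named '$ADObjectName' under '$scope': $($found.DistinguishedName -join '; ')"
    }
    $found[0]
}

# Usage (placeholder values):
# Find-StorageAccountADObject -Domain 'corp.example' -ADObjectName 'stacc1' `
#     -OrganizationalUnitDistinguishedName 'OU=AzureFiles,DC=corp,DC=example'
```

With this shape, an OU that happens to share the storage account's name is never a candidate (its objectCategory is organizationalUnit), and a duplicate inside the search base is reported with both distinguished names instead of silently picking one.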

Not accepting EncryptionType parameter.

I've just tried to AD join a Storage Account yesterday using the latest AzFilesHybrid module and it isn't accepting the EncryptionType parameter as per the docs.

AzFilesHybrid 0.2.2 - AES256 support for Kerberos - Storage account name needs max 15 chars

I wanted to configure AzFiles with on-premises Active Directory Domain Services authentication with the latest AzFilesHybrid module 0.2.2 and got the error that our storage account name is more than 15 chars. I've tried the parameter -ADObjectNameOverride but it didn't work.

error message: [screenshot]

Is there any chance that we could use our storage accounts with more than 15 chars and using AES256 or do we need to redesign the storage account names?

Join-AzStorageAccountForAuth lack of permissions?

When I try to run command:

Join-AzStorageAccountForAuth -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName -DomainAccountType ComputerAccount
Getting this error:

New-ADAccountForStorageAccount : Unable to create AD object.  Please check that you have permission to create an identity of type ComputerAccount in Active Directory location path 'XXX' for the storage account 'XXX'
At C:\Documents\WindowsPowerShell\Modules\AzFilesHybrid\0.2.2.0\AzFilesHybrid.psm1:4266 char:37
+ ... eOverride = New-ADAccountForStorageAccount @newParams -ErrorAction St ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,New-ADAccountForStorageAccount

It doesn't matter if I run this as regular user or domain admin, from domain joined computer or domain controller, with or without elevated powershell / ISE.

DomainSid and Storage account Sid can't be retrieved

The PowerShell module 0.2.2 has two issues:
Line 3549 should be: $azureStorageSid = $azureStorageIdentity.SID
Line 3553 should be: $domainSid = $domainInformation.DomainSID
The current lines have an extra '.value' at the end, which breaks the script.

The problem is present in 0.2.3 as well, in different lines.

Unable to install Az modules

When I try running the below PowerShell command at the PowerShell command prompt:

Install-Module Az -Force -confirm:$false -AllowClobber -Scope CurrentUser

I get the below error:

WARNING: 'Az' matched module 'Az/4.6.0' from provider: 'PowerShellGet', repository 'PSGallery'.
WARNING: 'Az' matched module 'Az/4.6.0' from provider: 'PowerShellGet', repository 'PSGallery1'.
PackageManagement\Install-Package : Unable to install, multiple modules matched 'Az'. Please specify a single
-Repository.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:1809 char:21

+ ... $null = PackageManagement\Install-Package @PSBoundParameters
+                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (Microsoft.Power....InstallPackage:InstallPackage) [Install-Package], Exception
    + FullyQualifiedErrorId : DisambiguateForInstall,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackage


OrganizationalUnitName

The parameter OrganizationalUnitName looks to have an issue with spaces in the OU name.

AzureAD module check

Functions are forcibly asking for AzureAD... even though AzureADPreview is installed.

line 811, request-AzureADModule
$azureADModule = Get-Module -Name AzureAD -ListAvailable

line 4293 function Request-ConnectAzureAD
$aadModule = Get-Module | Where-Object { $_.Name -like "AzureAD" }

If AZ.Storage module not installed Import-AZHybridFiles fails

$storageModule = Get-Module -Name Az.Storage -ListAvailable | Where-Object { $_.Version -eq [Version]::new(1,8,2) -or $_.Version -eq [Version]::new(1,11,1) } |
Sort-Object -Property Version -Descending

...

        if ($null -eq $storageModule) {
            Remove-Module `
                    -Name Az.Storage `
                    -Force `
                    -ErrorAction SilentlyContinue
            
            try {
                Uninstall-Module `
                        -Name Az.Storage `
                        -Force `
                        -ErrorAction Stop
            } catch {
                Write-Error `
                        -Message "Unable to uninstall the GA version of the Az.Storage module in favor of the preview version (1.11.1-preview)." `
                        -ErrorAction Stop
            }

The above assumes that there is an invalid version of AZ.Storage installed. If AZ.Storage is not installed at all, we fail the uninstall and exit. Needs to handle case where no AZ.Storage module is present at all.
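An added example, not the module's code, of the version check restructured so that "Az.Storage is absent" and "an unsupported Az.Storage is present" are separate cases: the uninstall runs only when there is something to uninstall, and the install pins -Repository so a second registered feed cannot produce the "multiple modules matched" error that other issues on this page report. The supported version list and the prerelease version string are taken from the snippet above; the function name, the -Install switch and the install flow are assumptions.

```powershell
# Added example (not AzFilesHybrid code): Az.Storage check that handles the
# "module not installed at all" case. Versions mirror the quoted snippet.
function Assert-AzStorageModule {
    param(
        [version[]] $SupportedVersions = @([version]'1.8.2', [version]'1.11.1'),  # from the quoted snippet
        [string]    $InstallVersion    = '1.11.1-preview',                         # from the quoted snippet
        [switch]    $Install
    )
    $installed = @(Get-Module -Name Az.Storage -ListAvailable | Sort-Object -Property Version -Descending)
    $supported = @($installed | Where-Object { $SupportedVersions -contains $_.Version })

    if ($supported.Count -gt 0) {
        # A supported version exists: nothing to uninstall or install.
        return $supported[0]
    }

    if ($installed.Count -gt 0) {
        # Only when an unsupported version is actually present does uninstalling make sense.
        Remove-Module -Name Az.Storage -Force -ErrorAction SilentlyContinue
        try {
            Uninstall-Module -Name Az.Storage -AllVersions -Force -ErrorAction Stop
        } catch {
            throw "Unable to uninstall unsupported Az.Storage version(s) $($installed.Version -join ', '): $_"
        }
    }

    if (-not $Install) {
        $state = if ($installed.Count -eq 0) { 'is not installed' } else { 'unsupported version(s) were removed' }
        throw "Az.Storage $state; install one of $($SupportedVersions -join ', ') (re-run with -Install to do so)."
    }

    # Pin the repository: with two registered feeds offering the same module, an
    # unpinned Install-Module fails with "multiple modules matched 'Az.Storage'".
    Install-Module -Name Az.Storage -RequiredVersion $InstallVersion -Repository PSGallery `
        -AllowPrerelease -Scope CurrentUser -Force -ErrorAction Stop
    Import-Module -Name Az.Storage -ErrorAction Stop -PassThru
}

# Usage: report only (throws with a clear message when nothing supported is present)
# Assert-AzStorageModule
# Usage: repair as well
# Assert-AzStorageModule -Install
```

Separating the two cases also gives the caller a message that names the actual problem, rather than the misleading "unable to uninstall" error the original path produces when there was never anything installed.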

OU Path issue

Hi All,

Wondering if anybody has come across the below issue? Seems to be looking for an OU called Associates? I am definitely putting in the right OU DN.

PS E:\Scripts\AzFilesHybrid> Join-AzStorageAccountForAuth -ResourceGroupName $ResourceGroupName `
-Name $StorageAccountName -Domain "xxx" `
-DomainAccountType "ComputerAccount" `
-OrganizationalUnitDistinguishedName "xxx"
Get-ADOrganizationalUnit: Variable: 'OrganizationalUnit' found in expression: $OrganizationalUnit is not defined.
Write-Error: C:\Users\Documents\PowerShell\Modules\AzFilesHybrid\0.1.2.0\AzFilesHybrid.psm1:3836:37
Line |
3836 | … eOverride = New-ADAccountForStorageAccount @newParams -ErrorAction St …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Could not find an organizational unit with name 'Associates' in the xxxx domain

Clarify use of Update-AzStorageAccountADObjectPassword

Just to be clear on the intended use of this command, you're always supposed to run it twice? The instructions on Microsoft Docs (https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-update-password) seem to indicate that you just need to run the command once. However, the comment block for the command seems to indicate that you're actually supposed to rotate from kerb1 to kerb2 then back to kerb1 within the span of a "several" hours. Presumably this is achieved by running the command twice.

E.g.

Update-AzStorageAccountADObjectPassword -RotateToKerbKey kerb2 -ResourceGroupName "<your-resource-group-name-here>" -StorageAccountName "<your-storage-account-name-here>"
Start-Sleep -Seconds 14400
Update-AzStorageAccountADObjectPassword -RotateToKerbKey kerb1 -ResourceGroupName "<your-resource-group-name-here>" -StorageAccountName "<your-storage-account-name-here>"

Certificate expired

Looks like the certificate used to sign this script has expired. This is breaking automation, please find the screenshots attached.

(attached screenshots: Import_Error, Certificate_Expired)

AzFilesHybrid error

When I execute
Join-AzStorageAccount -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName -DomainAccountType $DomainAccountType -EncryptionType $EncryptionType -OrganizationalUnitDistinguishedName $OuDistinguishedName

I receive an error
New-ADComputer : A required attribute is missing and the storage is not added
How can I fix it?

Error: Unable to run Update-AzStorageAccountADObjectPassword command to rotate storage account password

I am using the latest v0.2.3 version of AzFilesHybrid module.

When running the above command on a storage account I get the below error:

I have removed the CN & OU values for security reasons, but they are valid and i was able to AD join the storage account correctly with them.

Line |
13547 | $steppablePipeline.End()
| ~~~~~~~~~~~~~~~~~~~~~~~~
| Cannot bind parameter 'Identity'. Cannot convert value "CN={},OU={},OU={}
|,OU={},OU={},DC={},DC={}" to type
| "Microsoft.ActiveDirectory.Management.ADAccount". Error: "Cannot convert the
| "CN={},OU={},OU={},OU={},OU={},DC={},DC={}" value of
| type "Deserialized.Microsoft.ActiveDirectory.Management.ADComputer" to type
| "Microsoft.ActiveDirectory.Management.ADAccount"."

Error 2.0.0\AzFilesHybrid.psm1:5113 char:24

Just installed newly released version 2.0, found here. Received the same error noted below and attached as when I ran version 1.3.

(attachment: DNS forwarding error-02.docx)

"Get-ArmTemplateObject : A parameter cannot be found that matches parameter name 'Depth'. At C:\Users\ksiadmincp\Documents\WindowsPowerShell\Modules\AzFilesHybrid\0.2.0.0\AzFilesHybrid.psm1:5113 char:24"

Error during execution of Join-AzStorageAccountForAuth cmdlet.

I am unable to successfully execute the cmdlet Join-AzStorageAccountForAuth.

I receive the below error message:

Add-WindowsCapability : Add-WindowsCapability failed. Error code = 0x800f0954
At C:\Users\Viaguladas\Documents\WindowsPowerShell\Modules\AzFilesHybrid\0.1.2.0\AzFilesHybrid.psm1:503 char:33

+                             Add-WindowsCapability -Online | `
+                             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Add-WindowsCapability], COMException
    + FullyQualifiedErrorId : Microsoft.Dism.Commands.AddWindowsCapabilityCommand

Import-Module : The specified module 'ActiveDirectory' was not loaded because no valid module file was found in any module directory.
At C:\Users\Viaguladas\Documents\WindowsPowerShell\Modules\AzFilesHybrid\0.1.2.0\AzFilesHybrid.psm1:760 char:9

+     Import-Module -Name ActiveDirectory
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (ActiveDirectory:String) [Import-Module], FileNotFoundException
    + FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand

Add-WindowsCapability : Add-WindowsCapability failed. Error code = 0x800f0954
At C:\Users\Viaguladas\Documents\WindowsPowerShell\Modules\AzFilesHybrid\0.1.2.0\AzFilesHybrid.psm1:503 char:33

+                             Add-WindowsCapability -Online | `
+                             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Add-WindowsCapability], COMException
    + FullyQualifiedErrorId : Microsoft.Dism.Commands.AddWindowsCapabilityCommand

Incorrect exception handling

The try / catch block for # Create the identity in Active Directory on line 2543 asserts that it exists to Give better error message when AD exception is thrown for invalid SAMAccountName length. However, it also catches the exception which is thrown when AllowReversiblePasswordEncryption is not in AD Schema / attribute doesn't exist on computer object.

We needed to remove lines 2579 and 2589 for the module to work in our environment.

Edit: To clarify, this is for azure-files-samples/AzFilesHybrid/AzFilesHybrid.psm1

Get-AzStorageAccountADObject : AD object is of unsupported object class domainDNS computer.

I've rattled my head trying to figure out what is causing this error, as I've done this quite a few times. I initially thought it was Windows Server 2022 but regressed versions and even attempted to change Az module versions. Then I tried a few different versions of the AzFilesHybrid module. It keeps producing this error. At best, after digging around trying to make it work:

Get-AzStorageAccountADObject : AD object is of unsupported object class domainDNS computer.
At C:\Users<user>\Documents\WindowsPowerShell\Modules\AzFilesHybrid\0.2.4.0\AzFilesHybrid.psm1:3545 char:33
$azureStorageIdentity = Get-AzStorageAccountADObject
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-AzStorageAccountADObject

I got to a point where, I tested the function that the error seems to come from...
Get-AzStorageAccountActiveDirectoryProperties : ActiveDirectoryProperties is not set for storage account
'storageacct' in resource group 'production'. To set the properties, please use cmdlet
Set-AzStorageAccount if the account is already associated with an Active Directory, or use cmdlet
Join-AzStorageAccountForAuth to join the account to an Active Directory
(https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable)
At C:\Users\user\Documents\WindowsPowerShell\Modules\AzFilesHybrid\0.2.4.0\AzFilesHybrid.psm1:2678 char:46
... DirectoryProperties = Get-AzStorageAccountActiveDirectoryProperties
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-AzStorageAccountActiveDirectoryPro
perties

I'm not entirely sure what's triggering the errors. It does manage to create the computer account or service principal, but every time it fails to do something. I am following the instructions as per https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable#run-join-azstorageaccount

AzFileDiagnostics.ps1 returns an error when LmCompatibilityLevel is greater than 3

Per the documentation of Azure Files, NTLMv1 is not supported by Azure Files. As a result, the AzFileDiagnostics script checks for the presence of an appropriate value (3). If the value does not match, it returns an error and does not continue with the validation process. This seems to be in error, as modes 4 and 5 are identical to mode 3 for client machines (per https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level).

It seems like the compatibility level check should be validating if LmCompatibilityLevel is greater than or equal to 3, not just equal.
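The check as the issue proposes it, written as an added example rather than the AzFileDiagnostics.ps1 code: read LmCompatibilityLevel from the client's Lsa key and pass when the level is 3 or higher, since 4 and 5 refuse NTLMv1 on a client just as 3 does. The registry path and the OS default of 3 when the value is absent are Windows facts; the function name and the output shape are assumptions.

```powershell
# Added example (not the AzFileDiagnostics.ps1 code): LmCompatibilityLevel
# check using ">= 3" rather than "== 3".
function Test-LmCompatibilityLevelForAzureFiles {
    param(
        [int] $MinimumLevel = 3   # 3, 4 and 5 all refuse NTLMv1 on a client
    )
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $name = 'LmCompatibilityLevel'
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        # Value not set: the OS default applies (3 on currently supported Windows versions).
        $level  = 3
        $source = 'OS default (value not present)'
    } else {
        $level  = [int]$item.$name
        $source = "$key\$name"
    }

    $ok = $level -ge $MinimumLevel
    [pscustomobject]@{
        LmCompatibilityLevel = $level
        Source               = $source
        NtlmV1Disabled       = $ok
        Result               = if ($ok) { 'PASS' }
                               else { "FAIL: level $level permits NTLMv1; set $name to $MinimumLevel or higher" }
    }
}

# Usage:
Test-LmCompatibilityLevelForAzureFiles | Format-List
```

Reporting the source alongside the level matters in practice: a machine that "passes" because the value is absent will change behaviour the moment a Group Policy writes a lower level into the same key.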

Unable to import module AzFilesHybrid

Getting the following error importing the module:

Import-Module : The given assembly name or codebase was invalid. (Exception from HRESULT: 0x80131047)
At line:1 char:1
+ Import-Module AzFilesHybrid
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Import-Module], FileLoadException
    + FullyQualifiedErrorId : System.IO.FileLoadException,Microsoft.PowerShell.Commands.ImportModuleCommand

Error when creating Azure DNS forwarders

When I try to set up DNS forwarding I get an error that I'm not running the latest version, but I'm using the 2.0 version and hadn't installed a lower version previously.

PS C:\Users\xxxxx> $ruleSet = New-AzDnsForwardingRuleSet -AzureEndpoints StorageAccountEndpoint
PS C:\Users\xxxxx> New-AzDnsForwarder `

    -DnsForwardingRuleSet $ruleSet `
    -VirtualNetworkResourceGroupName "xxxxxxxxxxx" `
    -VirtualNetworkName "xxxxxxxxxxx" `
    -VirtualNetworkSubnetName "xxxxxxxxxxxxx"

Create Azure DNS forwarders
This action will fully configure DNS forwarding end-to-end, including deploying DNS forwarders in Azure VMs and configuring on-premises DNS to forward the appropriate zones to Azure.
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): A
Write-Error: C:\Users\xxxxx\Documents\PowerShell\Modules\AzFilesHybrid\0.2.0.0\AzFilesHybrid.psm1:4872
Line |
4872 | Assert-DnsForwarderArmTemplateVersion
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| The template for deploying DNS forwarders in the Azure repository is a newer version than the AzureFilesHybrid module expects. This likely indicates that you are using an older version of the AzureFilesHybrid module and
| should upgrade. This can be done by getting the newest version of the module from https://github.com/Azure-Samples/azure-files-samples/releases.


Get-ADObject : Cannot find an object with identity when specifying an OU in AD

Hi,

I have created a test OU called 'fslogix' in my AD DS environment. Now when I provide the name of that OU as a variable (see below) I get an error - if I don't specify an OU it creates a Computer Account in the 'Domain Controllers' OU

$rg = "VOXIGEN11"
$strgacc = "vox11fslgxstrg"
$oudn = "fslogix"
$acct = "ComputerAccount"
Join-AzStorageAccountForAuth -ResourceGroupName $rg -StorageAccountName $strgacc -DomainAccountType $acct -OrganizationalUnitDistinguishedName $oudn

Error I see is :

PS C:\azfileshybrid> Join-AzStorageAccountForAuth -ResourceGroupName $rg -StorageAccountName $strgacc -DomainAccountType
$acct -OrganizationalUnitDistinguishedName $oudn
Get-ADObject : Cannot find an object with identity: 'fslogix' under: 'DC=voxigen11,DC=vox'.
At C:\azfileshybrid\AzFilesHybrid.psm1:2433 char:15

+ ... $ou = Get-ADObject -Identity $OrganizationalUnitDistinguishedNa ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (fslogix:ADObject) [Get-ADObject], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADObject

Any help appreciated.

Paul Lynch

Test AzFilesHybrid.psm1 in Powershell Core

File :
Line : 2533

if ($null -ne $computerSpnMatch) {
$computerSpnMatch.AllowReversiblePasswordEncryption = $false
$computerSpnMatch.Description = "Computer account object for Azure storage account $StorageAccountName."
$computerSpnMatch.Enabled = $true
Set-ADComputer -Instance $computerSpnMatch -ErrorAction Stop
}

This code is not working in PowerShell Core (7.1), as Set-ADComputer runs via Invoke-Command internally in 5.1 compatibility mode.

Quick Fix:
Use Invoke-WinCommand -ScriptBlock { }

`Update-AzStorageAccountADObjectPassword`: `$otherKerbKey` may be null

Should someone run Update-AzStorageAccountADObjectPassword against an incorrectly setup storage account (i.e. one partially created manually ahead of using these cmdlets) it's possible that there is no second key; thus $otherKerbKey will have a value of $null and will throw an exception on the following line:

$oldPassword = ConvertTo-SecureString -String $otherKerbKey -AsPlainText -Force

This line now appears to be redundant anyway (i.e. the else block where it had been used is now commented out), so it should be safe to remove the above line, avoiding such issues.

New-ADComputer : The attribute syntax specified to the directory service is invalid

I am getting the following when running Join-AzStorageAccountForAuth (latest version)

(I have replaced some of the resource names)

VERBOSE: New-ADAccountForStorageAccount: Creating a AD account under OU=AZ,DC=domain,DC=local in domain:domain.local to represent the storage account:stacc1
VERBOSE: Found storage Account 'stacc1' in Resource Group 'rg1'
VERBOSE: Found storage Account 'stacc1' in Resource Group 'rg1'
VERBOSE: Generated service principal name of cifs/stacc1.file.core.windows.net
VERBOSE: AD object name is stacc1, SamAccountName is stacc1.
New-ADComputer : The attribute syntax specified to the directory service is invalid
At C:\Program Files\WindowsPowerShell\Modules\AzFilesHybrid\0.2.4.0\AzFilesHybrid.psm1:2566 char:21
+                     New-ADComputer `
+                     ~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CN=stacc1,DC=domain,DC=local:String) [New-ADComputer], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8203,Microsoft.ActiveDirectory.Management.Commands.NewADComputer

I have used this before without any problems, although not sure which version that was. Does anyone know a way around this?

Unable to install, multiple modules matched 'Az.Storage'

Fix: added -Repository "PSGallery" under Install Module section for Az.Storage in "AzFilesHybrid.psm1"
Error getting:
This module requires Azure PowerShell ("Az" module) 2.8.0+ and Az.Storage 1.8.2-preview+. This can be installed now if you are running as an administrator.
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Yes"): A
WARNING: 'Az.Storage' matched module 'Az.Storage/1.11.1-preview' from provider: 'PowerShellGet', repository 'PSGallery'.
WARNING: 'Az.Storage' matched module 'Az.Storage/1.11.1-preview' from provider: 'PowerShellGet', repository 'PSGalleryInt'.
R : Unable to install, multiple modules matched 'Az.Storage'. Please specify a single -Repository.
At line:1 char:1
+ R
+ ~
    + CategoryInfo          : InvalidArgument: (Microsoft.Power....InstallPackage:InstallPackage) [Invoke-History], Exception
    + FullyQualifiedErrorId : DisambiguateForInstall,Microsoft.PowerShell.Commands.InvokeHistoryCommand

Update-AzStorageAccountAuthForAES256 - Access denied

My Azure Control Plane account does not have write access to Active Directory.

Is it possible to supply separate credentials for the AD operations?

Update-AzStorageAccountAuthForAES256 -ResourceGroupName $resourceGroupName -StorageAccountName $storageAccountName
Remove-ADObject: Access is denied.

Write-Error: It is not supported to create an AD object of type 'ComputerAccount' when there is already an AD object
'<suppressed>' of type 'ServiceLogonAccount'.

New release kept same version (0.2.4)

A 0.2.4.0 release of the AzFilesHybrid module was published already in September last year, so why did this new release (which clearly contains code changes and new functionality) not get a new version number?

That will make it more cumbersome to verify that this new version has actually been deployed where we need it to be.

Get-AzResourceGroup

Get-AzResourceGroup : 2:43:28 AM - Provided resource group does not exist.
At C:\Users\xxx\Documents\WindowsPowerShell\Modules\AzFilesHybrid\0.1.2.0\AzFilesHybrid.psm1:2062 char:36

+ ... oupObject = Get-AzResourceGroup -Name $ResourceGroupName -ErrorAction ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-AzResourceGroup], Exception
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.GetAzureResourceGroupCmdlet

EnableActiveDirectoryDomainServicesForFile is hardcoded

Currently the parameter EnableActiveDirectoryDomainServicesForFile for cmdlet Set-AzStorageAccount is hardcoded to $true; related line.

Since some users may have set this property already, it would be good if the routine either checked this first and set the flag only if required, or exposed this parameter on the calling function.
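One way to implement the check-before-set behaviour the issue asks for, as an added example that is not the AzFilesHybrid module's own code. It assumes Az.Storage is installed and Connect-AzAccount has already run; the AD DS property values are placeholders the caller supplies (the module discovers them from the domain itself).

```powershell
# Added example: read the storage account's current identity-based auth
# configuration and only call Set-AzStorageAccount when AD DS auth is not
# already enabled. Refuses to silently overwrite a different directory service.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $StorageAccountName,
    # Placeholder AD DS values; the real module derives these from the domain.
    [Parameter(Mandatory)] [string] $DomainName,
    [Parameter(Mandatory)] [string] $NetBiosDomainName,
    [Parameter(Mandatory)] [string] $ForestName,
    [Parameter(Mandatory)] [string] $DomainGuid,
    [Parameter(Mandatory)] [string] $DomainSid,
    [Parameter(Mandatory)] [string] $AzureStorageSid
)

$account = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName `
    -Name $StorageAccountName -ErrorAction Stop

# AzureFilesIdentityBasedAuth is $null when no directory service was ever set;
# DirectoryServiceOptions is 'None', 'AADDS' or 'AD' otherwise.
$current = $account.AzureFilesIdentityBasedAuth
$option  = if ($null -ne $current) { $current.DirectoryServiceOptions } else { 'None' }

if ($option -eq 'AD') {
    $existingDomain = $current.ActiveDirectoryProperties.DomainName
    Write-Verbose "AD DS auth already enabled on '$StorageAccountName' (domain '$existingDomain'); nothing to do."
    return $account
}

if ($option -ne 'None') {
    # Switching e.g. from AADDS to AD DS is a deliberate change; make the caller do it explicitly.
    throw "Storage account '$StorageAccountName' already uses directory service '$option'; refusing to overwrite."
}

Write-Verbose "Enabling AD DS auth on '$StorageAccountName' for domain '$DomainName'."
Set-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName `
    -EnableActiveDirectoryDomainServicesForFile $true `
    -ActiveDirectoryDomainName $DomainName `
    -ActiveDirectoryNetBiosDomainName $NetBiosDomainName `
    -ActiveDirectoryForestName $ForestName `
    -ActiveDirectoryDomainGuid $DomainGuid `
    -ActiveDirectoryDomainSid $DomainSid `
    -ActiveDirectoryAzureStorageSid $AzureStorageSid
```

Run with -Verbose to see which branch was taken; the throw on a foreign directory service is what keeps a re-run from clobbering an account someone else configured.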

Script Failed to rename un-supported characters!

PS C:\Users\IlievI\Desktop> .\ScanUnSupportedFiles.ps1 -SharePath \servername\Sharename\TestRenameSync -RenameItems -ReplacementString " " | Out-File -FilePath c:\Users\user\Desktop\TestRename.txt
Normalized Share path: \?\unc*servername\Sharename\TestRenameSync
ReplacementString not provided, using default as ''
Unsupported char code point: 129
File/Directory name contains a control char that is not supported with combination of other char
Unsupported char code point: 129
File/Directory name contains a control char that is not supported with combination of other char
Unsupported char code point: 129
File/Directory name contains a control char that is not supported with combination of other char
Unsupported char code point: 129
File/Directory name contains a control char that is not supported with combination of other char
Unsupported char code point: 129
File/Directory name contains a control char that is not supported with combination of other char
Unsupported char code point: 129
File/Directory name contains a control char that is not supported with combination of other char
Processed Item count: 1
==================== Scan Results Started =========================
Files/Directories with unsupported characters, total count: 1
========================== File Path too long start==========================================
Files/Directories having path length > 2048 chars (current limit for azure files), total count: 0
========================== File Path too long end ==========================================
Files/Directories with unsupported characters, total count: 1
Number of Files/Directories which can be fixed using this script: 1
Exception Illegal characters in path.
Failed to rename \?\unc*servername\Sharename\TestRenameSync\sd????d?yNet?.txt to
\?\unc*servername\Sharename\TestRenameSync\sddyNet.txt
Items rename table start
Items rename table end
Items failed to rename table start
Number of Files/Directories failed to rename: 1
Items failed to rename table end

HybridManagement cmdlets don't handle multiple subscription deployments well

In general, the HybridManagement cmdlets are written for the scenario where a customer has all of their resources (storage accounts, virtual networks, etc.) deployed within a single environment. Although some customers may have environments like this, it's extremely common for customers to have more complex environments with multiple subscriptions. Our cmdlets should be useful in these environments.
