MIM PAM in Windows Server 2016 - Basic Question

  • Question

  • Hello All,

    Per the TechNet instructions at https://technet.microsoft.com/en-us/library/mt345588.aspx

    The pre-requisites are founded upon the assumption that you should create and build a PRIV domain, as the approval workflow "forest".

    Is this really necessary?  Why is there not an intra-forest install/setup option?  We use a forest-empty-root > child domain where the resources and users are in context here.  For Enterprise applications that require forest wide usage, such as on-prem Exchange and LYNC we had previously done installs at forest root, but again, still the active resource and user domain in context is the child domain.

    Can anyone comment, please?

    Thanks, Richard.

    Tuesday, December 1, 2015 10:51 PM

All replies

  • Hi Richard,

    First of all, yes, that PRIV forest is currently a requirement.

    It's mainly because you can never be sure that you are currently not compromised in your current forest/domain. There might be sleeping code which some time in the future an attacker will activate. So setting up a secure separate forest will cover this.

    Even if you are maybe sure you are not compromised, a current behavior is to act like you are, so always "assume breach".

    Also with the extra forest you can handle that more securely by deactivating legacy or older auth mechanisms like NTLMv2 and only using Kerberos, which you mostly cannot do in your "normal" forest/domain because of applications.

    Also this separate forest scenario gives you the option to support multi-forest scenarios where you have one PRIV forest for multiple "working" forests, like DEV, TEST, PROD forests or multiple PROD forests.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Wednesday, December 2, 2015 8:37 AM
  • Hi all,

    As the priv forest is mandatory, what is the best strategy when we already own a MIM server in the "corp" forest?

    Do we install a dedicated MIM for PAM or do we migrate the existing one to the new forest?

    Frankly, PAM is a good idea but in terms of cost, this is a pain. Did someone find a solution to make it work in the existing forest?

    Yannick

    Friday, January 22, 2016 8:22 AM
  • Hi,

    No, there is no way of implementing PAM in the existing corp forest; one reason is that having a separate forest is one of the security features the PAM scenario provides. You can never trust your (years old) current forest and never be 100% sure it's not compromised.

    Migrating the current MIM also makes no sense, since you only need the MIMService/PAM components but no SyncService in the PAM scenario. Also you want to keep the priv forest as secure and small as possible.

    So all you need in the PAM forest is 2 DCs and the PAM Server with a SQL (you can maybe reuse another SQL to maybe save some money). CALs are only needed for the admins managed in PAM (you don't have all corp users in PAM, so it should not be that much, right?).

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    • Proposed as answer by YannickF Tuesday, January 26, 2016 9:39 AM
    Friday, January 22, 2016 8:32 AM
    My initial reaction was the same -- hold up Microsoft, that's a lot of money to spin up a new forest for a product component. But, it turns out there are few requirements for PAM:

    * A Windows 2012 R2 domain controller (2+ would be smart) that makes up a new, pristine forest that the existing forest(s) trust (one-way)

    * A server running the PAM component service, PAM monitoring service, and MIM Service

    * MIM PAM add-in cmdlets on a workstation in existing forest.

    The cost is definitely less than having to fight through a compromised forest.  :-) 

    Best,

    Jeff Ingalls

    Monday, January 25, 2016 4:43 PM
  • Anyway, we have no choice...

    I've been able to test PAM for AD rights (e.g. domain admins) and ACLs but I'm unable to authenticate in the CORP domain on a member server with the duplicated group.

    I set the source group as a member of the local administrators group but I receive a connection denied.

    Is this the normal behavior?

    Best regards,

    Yannick

    Thursday, January 28, 2016 8:57 AM
  • Hello,

    First of all, in the currently supported 2012 R2 Domain scenario you cannot make the well-known SID groups (for example Domain Admins) a PAM group.

    If you set up the PAM scenario correctly you should have no issues, as the PAM group has the same SID as the original CORP group, so you should have permissions.

    Could you maybe explain in more detail what you did?

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Thursday, January 28, 2016 10:12 AM
  • Hello Peter and thank you for your very helpful help.

    It sounds like it was related to SID filtering and the following command solved my issue.

    netdom trust contoso.local /quarantine:no /enablesidhistory:yes /domain priv.contoso.local

    Yannick

    Thursday, January 28, 2016 1:01 PM
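The two things Yannick's fix depends on can be checked from the CORP side before anyone logs on: that the CORP -> PRIV trust no longer filters SIDs and allows SID history across the forest trust, and that the PAM shadow group in PRIV really carries the CORP group's SID in its SIDHistory (Peter's point above). The script below is an added example, not code from the thread, from Microsoft or from Peter's blog. It assumes the RSAT ActiveDirectory module, read access to both forests from a CORP workstation, the domain names from the netdom command above, and the trustAttributes bit values as documented in MS-ADTS; the group names are placeholders.

```powershell
# Added check script (not from the thread). Assumptions: RSAT ActiveDirectory module,
# read access to both forests, domain names as in the netdom command above,
# placeholder group names.
Import-Module ActiveDirectory

$CorpDomain = 'contoso.local'        # trusting ("working") forest
$PrivDomain = 'priv.contoso.local'   # trusted PRIV forest

# trustAttributes bits as documented in MS-ADTS (assumed mapping to the netdom switches):
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4    # SID filtering on  (netdom /quarantine:yes)
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40   # SID history allowed over a forest trust (netdom /enablesidhistory:yes)

function Test-PamTrust {
    # Reads the CORP -> PRIV trust object from a CORP DC and decodes the two bits
    # that decide whether a PRIV user's SID history (the CORP group SID) survives the trust.
    param(
        [string]$Trusting = $CorpDomain,
        [string]$Trusted  = $PrivDomain
    )
    $trust = Get-ADTrust -Identity $Trusted -Server $Trusting -Properties TrustAttributes
    $attrs = [int]$trust.TrustAttributes
    [pscustomobject]@{
        Trust             = "$Trusting -> $Trusted"
        Direction         = $trust.Direction   # expected: Outbound when read from CORP (CORP trusts PRIV)
        SidFilteringOn    = [bool]($attrs -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN)  # must be False for PAM
        SidHistoryEnabled = [bool]($attrs -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL)   # must be True for PAM
    }
}

function Test-PamShadowGroup {
    # Compares a CORP group's SID with the SIDHistory of its PAM shadow group in PRIV.
    # If the shadow group does not carry the CORP SID, local group membership granted
    # to the CORP group will not apply to the PRIV user, whatever the trust settings are.
    param(
        [Parameter(Mandatory)][string]$CorpGroup,   # placeholder, e.g. 'ServerAdmins'
        [Parameter(Mandatory)][string]$PrivGroup    # placeholder; PAM's own naming is not asserted here
    )
    $src    = Get-ADGroup -Identity $CorpGroup -Server $CorpDomain
    $shadow = Get-ADGroup -Identity $PrivGroup -Server $PrivDomain -Properties SIDHistory

    $history = @($shadow.SIDHistory | ForEach-Object { $_.Value })
    $rid     = [int](($src.SID.Value -split '-')[-1])

    [pscustomobject]@{
        CorpGroupSid      = $src.SID.Value
        ShadowSidHistory  = ($history -join ', ')
        SidHistoryMatches = ($history -contains $src.SID.Value)
        # Well-known groups (RID below 1000, e.g. 512 = Domain Admins) cannot be PAM
        # groups in the 2012 R2 scenario, as Peter notes above; flag them.
        WellKnownRid      = ($rid -lt 1000)
    }
}

# Usage with placeholder group names:
Test-PamTrust | Format-List
Test-PamShadowGroup -CorpGroup 'ServerAdmins' -PrivGroup 'CORP.ServerAdmins' | Format-List
```

If Test-PamTrust reports SidFilteringOn = True or SidHistoryEnabled = False, the "connection denied" Yannick saw is the expected result: the CORP group SID carried in the PRIV user's token is dropped at the trust boundary. Test-PamShadowGroup separates that trust problem from a shadow group that was never created with the right SIDHistory, and WellKnownRid = True points at the well-known group limitation Peter mentions.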
  • Any thoughts on how to implement a Disaster Recovery scheme for PAM? Seems like it needs to be readily available in the DR data center the moment a failure occurs...
    Wednesday, February 3, 2016 6:08 PM
  • Hello,

    There is documentation on that, which you can find here: https://technet.microsoft.com/en-us/library/mt638243.aspx

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Wednesday, February 3, 2016 6:40 PM