Monday, March 4, 2019

Configure Veeam Backup for Microsoft Office 365 2.0

Scenario

  • An Office 365 tenant: no hybrid, just the cloud.
  • You want to back up the entire tenant to an on-premises storage, including OneDrive, SharePoint and Exchange.
  • We will use Veeam Backup for Microsoft Office 365 which is free for up to 10 users and 1TB of SharePoint data.

Prerequisites

  • Legacy authentication must be enabled in SharePoint Online:
    • Open SharePoint admin center > access control.
    • Switch Apps that don't use modern authentication to Allow.
    • Please wait for 15 to 30 minutes before you proceed. It takes a while for the change to take effect. If you receive The request failed with HTTP status 401: Unauthorized during a backup, confirm this setting.

Users and permissions

Make sure you have the following user accounts configured in Microsoft 365 admin center > Users > Active users:
  1. Backup account with correct permissions to SharePoint Online and Exchange Online.
    • See the required permissions below.
    • You can create a regular user account with the User (no admin access) role.
    • Multi-factor authentication must be disabled.
    • We will refer to this as backup.user.
  2. Admin user.
    • You must assign the Global administrator role.
    • Multi-factor authentication must be disabled.
    • We will refer to this as admin.user.
You will find the required permissions here, but below are instructions for the ones we will need:
  1. Open PowerShell.
  2. Connect to Microsoft Online:
    > Connect-MsolService
    Log in as admin.user when prompted.
    • If you receive 'Connect-MsolService' is not recognized, you will first need to install and import the required modules:
      > Install-Module MSOnline
      > Install-Module AzureAD
      > Import-Module AzureAD
  3. Add the SharePoint Administrator role to the backup user:
    > $role=Get-MsolRole -RoleName "SharePoint Service Administrator"
    > $accountname="backup.user@tenant.onmicrosoft.com"
    > Add-MsolRoleMember -RoleMemberEmailAddress $accountname -RoleName $role.Name
    • You can confirm the roles by typing:
      > Get-MsolUserRole -UserPrincipalName "backup.user@tenant.onmicrosoft.com"
  4. Add the required Exchange roles to the backup user:
    > $UserCredential = Get-Credential
    Log in as admin.user when prompted.
    > $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
    > Import-PSSession $Session
    > New-ManagementRoleAssignment -Role ApplicationImpersonation -User "backup.user@tenant.onmicrosoft.com"
    > New-ManagementRoleAssignment -Role "Organization Configuration" -User "backup.user@tenant.onmicrosoft.com"
    > New-ManagementRoleAssignment -Role "View-Only Configuration" -User "backup.user@tenant.onmicrosoft.com"
    > New-ManagementRoleAssignment -Role "View-Only Recipients" -User "backup.user@tenant.onmicrosoft.com"
    > New-ManagementRoleAssignment -Role "Mailbox Search" -User "backup.user@tenant.onmicrosoft.com"
    • If you receive The command you tried to run isn't currently allowed in your organization, you will first need to enable organization customization:
      > Enable-OrganizationCustomization
    • You can confirm the roles by typing:
      > Get-ManagementRoleAssignment -Role "ApplicationImpersonation"
      Change the last parameter for other roles.
The admin.user account is no longer needed if another admin account is in use. You can block it if you do not want to leave a non-multi-factor-authentication admin account around.

Configure Veeam

The backup software is fairly simple to use, so I will cover the steps more briefly.
  • Install Veeam Backup for Microsoft Office 365, Veeam Explorer for Microsoft SharePoint and Veeam Explorer for Microsoft Exchange.
  • Open Veeam Backup for Microsoft Office 365 and log in with your Windows credentials (the Use Windows session authentication checkbox).
  • Optional: Configure the backup repository in Infrastructure > Backup repositories.
  • Add your organization in Organizations > Add Org.
    • If you are using Office 365 in Germany or China, check the "Use custom Veeam application to connect to Microsoft Graph" checkbox. Otherwise (as in my case) leave it unchecked.
  • Configure a backup by right-clicking your organization and selecting "Backup".
    • Follow the self-explanatory setup wizard.

Troubleshooting

  • Failed to execute cmdlet: Get-OrganizationConfig
    • Double-check the permissions of backup.user. You will receive this error if the backup user cannot read the Exchange organization configuration.

Tuesday, April 26, 2016

Apache with PHP7 on Ubuntu

The newly released PHP 7 has fascinated me for a while. However, a quick googling reveals only a few tutorials that show how the new PHP version is hooked up with Apache. Moreover, most of them require installing untrusted PPAs. That's something I'd avoid, so I took a different approach. This is how I got it going.

I'm using the freshly released Ubuntu 16.04 since php7 is included in Xenial's main repository. Because the PHP 7 Apache module doesn't yet seem to be available, I'm going to run PHP using its CGI SAPI instead.

First install Apache and PHP:

sudo apt-get install apache2 php7.0 php7.0-cgi

Enable actions and cgi modules in Apache:

sudo a2enmod actions
sudo a2enmod cgi

Now, add the following lines in Apache config file (usually /etc/apache2/apache2.conf in Ubuntu):

ScriptAlias /local-bin /usr/bin
AddHandler application/x-httpd-php7 php
Action application/x-httpd-php7 /local-bin/php-cgi7.0
<Directory "/usr/bin">
    Require all granted
    AllowOverride All
</Directory>

ScriptAlias tells Apache that the /usr/bin directory can be used to execute scripts, reachable under the /local-bin URL prefix. AddHandler maps files with a .php extension to the MIME type application/x-httpd-php7. Action defines that when a file with this MIME type is encountered, it should be passed to /usr/bin/php-cgi7.0. Lastly, the Directory block gives all requests permission to access the /usr/bin/ folder.

Restart Apache with sudo service apache2 restart and your web server should be ready to process PHP!
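As an added example (not code from the original post), the following script resolves the ScriptAlias/AddHandler/Action chain above the way Apache does, showing which executable a .php request ends up at. It also lists every other executable in the aliased directory that the same alias makes reachable as a CGI, which is why a dedicated directory holding only php-cgi7.0 is the narrower target for ScriptAlias. The Apache snippet and the directory listing in the test are constructed from the post.

```python
# Added example (not from the original post): resolves which executable the
# ScriptAlias/AddHandler/Action chain hands a .php request to, and audits how
# much of the aliased directory that chain exposes.
import posixpath

# The directives from the post, as a constructed string.
APACHE_SNIPPET = """
ScriptAlias /local-bin /usr/bin
AddHandler application/x-httpd-php7 php
Action application/x-httpd-php7 /local-bin/php-cgi7.0
<Directory "/usr/bin">
    Require all granted
    AllowOverride All
</Directory>
"""

def parse_directives(conf):
    """Collect ScriptAlias, AddHandler and Action directives into dicts."""
    aliases, handlers, actions = {}, {}, {}
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(("#", "<")):
            continue
        name, args = parts[0], parts[1:]
        if name == "ScriptAlias" and len(args) == 2:
            aliases[args[0]] = args[1]                 # URL prefix -> directory
        elif name == "AddHandler" and len(args) >= 2:
            for ext in args[1:]:
                handlers[ext.lstrip(".")] = args[0]    # extension -> MIME type
        elif name == "Action" and len(args) == 2:
            actions[args[0]] = args[1]                 # MIME type -> CGI URL
    return aliases, handlers, actions

def resolve_url(url, aliases):
    """Map a URL under a ScriptAlias prefix to the filesystem path Apache runs."""
    for prefix, directory in aliases.items():
        if url == prefix or url.startswith(prefix + "/"):
            return posixpath.normpath(directory + url[len(prefix):])
    return None

def interpreter_for(filename, conf):
    """Return the executable that handles a request for `filename`, or None."""
    aliases, handlers, actions = parse_directives(conf)
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    mime = handlers.get(ext)
    if mime is None or mime not in actions:
        return None
    return resolve_url(actions[mime], aliases)

def exposed_beyond_interpreter(conf, directory_listing):
    """Names in the aliased directory other than the Action target. Each one is
    reachable as a CGI under the alias, so a directory containing only the
    interpreter is the narrower configuration."""
    aliases, _, actions = parse_directives(conf)
    intended = {posixpath.basename(resolve_url(u, aliases) or "") for u in actions.values()}
    return sorted(set(directory_listing) - intended)
```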

Saturday, December 19, 2015

Ubuntu: auto mount DFS shares on login

This tutorial shows you how to automatically mount users' home directories on login in Ubuntu when the shares to mount are in a DFS namespace.

Before you proceed, make sure you have joined the Ubuntu workstation to the Windows domain and configured the WINS client by following this tutorial. DFS uses WINS by default, so you need the WINS feature installed on some server.

First you need to install the following packages:

sudo apt-get install libpam-mount cifs-utils keyutils

In /etc/security/pam_mount.conf.xml add a volume tag for each share you want to mount for users automatically:

<volume user="*" sgrp="residents" fstype="cifs" server="your.domain.com" 
    path="data/users/%(USER)/documents" mountpoint="~/Documents"
    options="uid=%(USER),gid=100,dir_mode=0700">
</volume>

The parameters above are:

  • user: Limit the volume for specific users only. Wildcard (*) mounts the volume for all users, if no other filters are applied.
  • sgrp: Limit the volume to users which are a member of the group identified by name. In my domain environment, all regular users are in a group called residents.
  • fstype: The filesystem type. Use cifs here to mount Windows (SMB) shares.
  • server and path: Here goes the full DFS path. If users' documents are in \\your.domain.com\Data\Users\%username%\Documents, put \\your.domain.com in server and data/users/%(USER)/documents in path. See the manpage link below to find a list of other variables.
  • mountpoint: This is where the share is mounted.
  • options: Here you can define some extra mount options. For example, dir_mode sets the permissions of the mountpoint.

You can find more information about the config file in the manpage.
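The following is an added example, not part of the original post: it evaluates the volume entry above for a given login roughly the way pam_mount does, applying the user and sgrp filters and substituting %(USER) and ~, and returns the resulting source, mountpoint and options. It is a simplification that handles only the variables used on this page; the login name, group list and home directory are passed in as constructed values.

```python
# Added example (not from the original post): evaluates <volume> entries for a
# given login the way pam_mount would (simplified), substituting %(USER) and ~
# and applying the user/sgrp filters.
import re
import xml.etree.ElementTree as ET

# The volume from the post, wrapped in the root element pam_mount expects.
PAM_MOUNT_XML = """<pam_mount>
<volume user="*" sgrp="residents" fstype="cifs" server="your.domain.com"
    path="data/users/%(USER)/documents" mountpoint="~/Documents"
    options="uid=%(USER),gid=100,dir_mode=0700">
</volume>
</pam_mount>"""

def expand(value, user, home):
    """Substitute the pam_mount variables used on this page: %(USER) and ~."""
    value = re.sub(r"%\(USER\)", user, value)
    if value.startswith("~"):
        value = home + value[1:]
    return value

def volumes_for(xml_text, user, groups, home):
    """Return the mounts pam_mount would perform for `user` (a member of the
    groups in `groups`, with home directory `home`) according to `xml_text`."""
    root = ET.fromstring(xml_text)
    mounts = []
    for vol in root.findall("volume"):
        allowed_user = vol.get("user", "*")
        if allowed_user != "*" and allowed_user != user:
            continue  # user= restricts the volume to one login name
        sgrp = vol.get("sgrp")
        if sgrp is not None and sgrp not in groups:
            continue  # sgrp= restricts it to members of a named group
        server = vol.get("server")
        path = expand(vol.get("path"), user, home)
        mounts.append({
            "fstype": vol.get("fstype"),
            "source": "//%s/%s" % (server, path),   # UNC form used by mount.cifs
            "mountpoint": expand(vol.get("mountpoint"), user, home),
            "options": expand(vol.get("options", ""), user, home),
        })
    return mounts
```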

Edit or add the following line in /etc/pam.d/common-session:

session optional pam_mount.so

Edit or add the following line in /etc/pam.d/common-auth:

auth optional pam_mount.so

Now when users log in, their documents are automatically mounted at ~/Documents.

Friday, December 18, 2015

Join Ubuntu 14 to Active Directory

This summer I worked at my university, where I got a great chance to get familiar with Linux. Naturally this got me thinking: could I deploy Ubuntu at home as well? This is how you join Ubuntu workstations to Active Directory and let users log on with their AD credentials.

First, let's install the necessary packages:

apt-get install winbind samba libnss-winbind libpam-winbind krb5-config krb5-locales krb5-user

Windows 2000 and later use Kerberos as the default authentication method. Kerberos is a computer network authentication protocol which works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner (source: Wikipedia). Now open /etc/krb5.conf in your favorite text editor (for example sudo nano /etc/krb5.conf) to configure the Kerberos settings. Append to the [libdefaults] section:
       default_realm = YOUR.DOMAIN.COM
       ticket_lifetime = 24000
       default_tgs_enctypes = rc4-hmac des-cbc-md5
       default_tkt_enctypes = rc4-hmac des-cbc-md5
       permitted_enctypes = rc4-hmac des-cbc-md5
       dns_lookup_realm = true
       dns_lookup_kdc = true
       dns_fallback = yes
Append to [realms] section:
        YOUR.DOMAIN.COM = {
                kdc = your.domain.com:88
                default_domain = your.domain.com
        }
Append to [domain_realm] section:
        .your.domain.com = YOUR.DOMAIN.COM
        your.domain.com = YOUR.DOMAIN.COM
Append the following sections:
[appdefaults]

        pam = {
                debug = false
                ticket_lifetime = 36000
                renew_lifetime = 36000
                forwardable = true
                krb4_convert = false
        }

[logging]

        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log
Try to get a ticket as the AD administrator:
kinit Administrator@YOUR.DOMAIN.COM
Enter the admin password when prompted. Next, edit /etc/samba/smb.conf:
netbios name = COMPUTER_HOSTNAME
workgroup = YOUR
security = ADS
realm = YOUR.DOMAIN.COM
encrypt passwords = yes
idmap config *:backend = rid
idmap config *:range = 5000-100000
winbind allow trusted domains = no
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users  = yes
winbind enum groups = yes
winbind refresh tickets = yes
client ntlmv2 auth = yes

template shell = /bin/bash

wins server = WINS_SERVER_IP
name resolve order = lmhosts host wins bcast
I have a DFS that uses WINS, so I add the WINS server address here. You can omit that if you don't need WINS. Remove the default workgroup line that you just replaced from the file.
Edit the following lines in /etc/nsswitch.conf:
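As an added example (not from the original post), the following shows how the idmap_rid backend configured above (idmap config *:backend = rid, range 5000-100000) derives Unix uids and gids from domain SIDs: unix_id = RID - base_rid + range_low, with base_rid 0 by default, and a RID whose result falls outside the range gets no mapping. The domain SIDs in the test are constructed; only the trailing RID matters.

```python
# Added example (not from the original post): the idmap_rid SID -> Unix id
# mapping for the smb.conf settings shown above.
import re

IDMAP_RANGE = (5000, 100000)   # idmap config *:range = 5000-100000, from the post
BASE_RID = 0                   # idmap_rid default

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

def rid_of(sid):
    """Extract the relative identifier (last component) of a domain SID."""
    match = SID_RE.match(sid)
    if not match:
        raise ValueError("not a domain account SID: %s" % sid)
    return int(match.group(1))

def sid_to_unix_id(sid, id_range=IDMAP_RANGE, base_rid=BASE_RID):
    """Map a SID to a Unix id with the idmap_rid formula, or None if the
    result falls outside the configured range (winbind then refuses it)."""
    low, high = id_range
    unix_id = rid_of(sid) - base_rid + low
    if unix_id < low or unix_id > high:
        return None
    return unix_id

def unix_id_to_rid(unix_id, id_range=IDMAP_RANGE, base_rid=BASE_RID):
    """Inverse mapping, useful when reading uids back out of file ownership."""
    low, high = id_range
    if unix_id < low or unix_id > high:
        return None
    return unix_id - low + base_rid

if __name__ == "__main__":
    # Constructed SID for a fictional domain; only the trailing RID matters.
    domain = "S-1-5-21-1111111111-2222222222-3333333333"
    for rid, label in ((500, "Administrator"), (513, "Domain Users"),
                       (1105, "first created user"), (96000, "RID beyond range")):
        print(label, "->", sid_to_unix_id("%s-%d" % (domain, rid)))
```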
passwd:         compat winbind
group:          compat winbind
hosts:          files wins mdns4_minimal [NOTFOUND=return] dns
Join the computer to the domain:
net ads join -k

service winbind restart
service nmbd restart
service smbd restart

pam-auth-update
If you want home directories to be created automatically for new users, add the following line at the end of /etc/pam.d/common-account:
session required pam_mkhomedir.so skel=/etc/skel umask=0077
This gives users full access to their own home directory and no access to anyone else's. You also need to allow manual login so that users can log in with their AD credentials. Add the following line in /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf:
greeter-show-manual-login=true
Now restart Ubuntu and try to log in with any AD account.

Thursday, October 1, 2015

Authenticate WiFi users with Active Directory

In this tutorial we are going to install a Network Policy Server which enables us to authenticate Wi-Fi users with Active Directory. We will configure a Wi-Fi AP to point to the NPS Server which allows users to log in to a wireless network with their AD credentials.

This is an old tutorial of mine, so unfortunately I don't have screenshots. The server software to use is Windows Server 2008 R2. If you already have installed Active Directory Certificate Services on your domain, skip to Create certificate for NPS.

Install AD CA

Open Server Manager, expand Roles and click Add Roles. Choose Active Directory Certificate Services. Here is an example configuration, but you can modify it to fulfill your needs. The first-level bullets represent the configuration windows you're going to see:

  • Select Role Services:
    • Choose Certificate Authority and Certificate Authority Web Enrollment.
  • Specify Setup Type:
    • Certificate Authority is going to be installed on a domain controller, so choose Enterprise.
  • Specify CA Type:
    • Choose Root CA. The other option is for those who want the CA certificate to be obtained from a 3rd party CA.
  • Set Up Private Key:
    • Choose Create a new private key.
  • Configure Cryptography for CA:
    • Continue with default settings, which are
      • Cryptography service provider: RSA
      • Key character length: 2048
      • Hash algorithm: SHA1
    • Leave the Allow administrator interaction when the private key is accessed by the CA checkbox unticked.
  • Configure CA Name:
    • Continue with default settings.
  • Set Validity Period:
    • This is how long your CA certificate is going to be valid. I chose 5 years.
  • Configure Certificate Database:
    • Continue with defaults (C:\Windows\System32\CertLog)
Now make sure your public key policies in default domain policy are correct. Open Group Policy Management and edit Default Domain Policy. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies and set:
  • Certificate Services Client - Auto-Enrollment:
    • Enable policy
    • Tick Renew expired certificates, update pending certificates, and remove revoked certificates.
    • Tick Update certificates that use certificate templates.
  • Certificate Path Validation Settings > Stores tab:
    • Tick Define these policy settings.

Create certificate for NPS

Open Microsoft Management Console (open command prompt, type in mmc and hit enter). Add the following snap-ins (File > Add/Remove Snap-ins):
  1. Certificate Authority (Local)
  2. Certificate Templates
  3. Certificates (Computer account)
Expand Certificate Templates, right-click RAS and IAS Server and click Duplicate Template. In the Duplicate Template window, choose Windows Server 2008 Enterprise.

A Properties of New Template window will pop up. In General tab, type RAS and IAS Server Template for NPS in Template display name. Tick Publish certificate in Active Directory. In Security tab, select RAS and IAS Servers from the list and tick allow for Enroll and Autoenroll. Click OK.

Expand Certificate Authority (Local), right-click Certificate Templates and click New > Certificate Template to Issue. Select RAS and IAS Server Template for NPS and click OK.

Expand Certificates (Local Computer) > Personal > Certificates and find the newly created certificate according to the Certificate Template column. Right-click it and go to Properties. Type NPS as the friendly name.

Install NPS Role

Open Server Manager, expand Roles and click Add Roles. Choose Network Policy and Access Services. In Select Role Services window, choose Network Policy Server.

Open Network Policy and Access Services Management and on the left pane choose NPS (Local). In Standard configuration choose RADIUS server for 802.1X Wireless or Wired Connections and click Configure 802.1X link.
  • Select 802.1X Connection Type:
    • Choose Secure Wireless Connections and give Secure Wireless Connections as the name.
  • Specify 802.1X Switches:
    • Add your wireless access point by clicking Add. Enter a friendly name (e.g. wlan-livingroom) and the IP address of the AP (e.g. 192.168.0.50).
    • Tick Manual secret and create a unique secret. You will need to provide this secret to your access point.
  • Configure an Authentication Method:
    • Choose Microsoft: Protected EAP (PEAP). Click Configure and select the NPS certificate that we just created in Certificate issued. Make sure that the Friendly name reads NPS.
  • Specify User Groups:
    • Click Add and add the group of users and/or computers that are allowed to log in to Wi-Fi networks.

Configure access points

This is something you probably have to figure out by yourself. I have a couple of ZyXEL NWA1121-NI access points, where the right configuration is as follows:
  • Security mode: WPA2
  • Primary RADIUS server: enabled
    • Primary server IP address: IP of your NPS server
    • Primary server port: 1812
    • Primary share secret: this is the secret you created earlier
Now you should be able to log in to the Wi-Fi with your AD credentials. Note that many devices (including Windows and Apple) need to trust the root certificate in order to join the Wi-Fi. I use Cisco Meraki to deploy the CA certificate to Apple mobile devices. If your computer is not domain-joined, you need to manually import the CA certificate to Trusted Root Certification Authorities.
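As an added example (not from the original post), the following shows what the shared secret you entered on the AP and in NPS actually protects on the wire. Every Access-Request that carries EAP must include a Message-Authenticator attribute (RFC 2869 section 5.14, required by RFC 3579): HMAC-MD5 keyed with the shared secret over the whole packet with that attribute zeroed, which NPS recomputes and rejects on mismatch. The secret, user name and EAP payload in the test are constructed values.

```python
# Added example (not from the original post): builds an 802.1X Access-Request
# the way an AP would and performs the server-side Message-Authenticator check.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, NAS_PORT_TYPE = 1, 4, 61
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
WIRELESS_80211 = 19   # NAS-Port-Type value for Wireless-IEEE-802.11

def attr(atype, value):
    """Encode one RADIUS attribute: type, length (including header), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(secret, identifier, username, nas_ip, eap_payload,
                         request_authenticator=None):
    """Assemble an Access-Request like an 802.1X AP sends to NPS on UDP 1812."""
    ra = request_authenticator or os.urandom(16)   # random per RFC 2865
    attrs = (attr(USER_NAME, username.encode())
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT_TYPE, struct.pack("!I", WIRELESS_80211))
             + attr(EAP_MESSAGE, eap_payload)
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))   # zeroed while hashing
    length = 20 + len(attrs)
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + ra + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac   # Message-Authenticator is the last attribute

def verify_message_authenticator(packet, secret):
    """Server-side check: locate Message-Authenticator, zero it, recompute."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return False   # malformed attribute
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += alen
    return False   # EAP requests without the attribute must be rejected
```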