Experiences with Deploying/Using AD DS 2016 PAM/JiTA

cjdavis posted this 3 weeks ago

Hello, I’m currently planning for upgrading to AD DS 2016 and, since the primary driver is the new PAM/PIM/JiTA/JEA capabilities, I’d like to hear from people who are currently using these technologies. Specifically, I’d like to hear any gotchas/caveats (or the lack of, if that’s your experience), if you use it in-prod or with a shadow forest, and if you’re using MIM 2016, PowerShell or both as management interfaces. Other than these two blog posts, I haven’t found much deep-dive info on these technologies. Also the blog posts seem to imply that PAM is possible without deploying a shadow forest or using MIM, but the documentation as I understand it says that both are requirements. Side note: If you are using the above in a forest with non-contiguous domains/namespaces (i.e. example.local and example.company.com) I would really like to hear from you.

Thanks in advance,
CJD

bdesmond posted this 3 weeks ago

Hi Cynthia-

You don’t really need to upgrade your main forest for any of those capabilities. For the PAM/JIT function, putting it in a separate forest is the ideal scenario. This lets you secure those accounts and start with a clean, known-good state.

It is entirely possible to do this with just your main forest but the benefits are reduced quite a bit.

MIM is definitely not required. It provides a management layer on top of the AD functions but at the end of the day it is just making LDAP calls to AD.

This will work fine with your sample non-contiguous namespaces as long as name resolution works.

Thanks,

Brian Desmond

w – 312.625.1438 | c – 312.731.3132.

BrianB posted this 3 weeks ago

I am interested in the direction that everyone is taking with this as well.

Also, to piggyback off of this topic. I have been experimenting with a separate forest with one-way trust and MIM for JIT. There are apparently two ways to go with it based upon some documentation that I have seen to get elevated admin access in the trusting forest.

1. Using SharePoint workflow: https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/configuring-mim-environment-for-pam

2. Using a simple PowerShell call: https://websetnet.com/windows-server-2016-set-privileged-access-management/

For step 1, it seems that I need to install a full-blown SharePoint Farm in the bastion forest. I am not opposed, but I am not an expert in SharePoint and don’t know the direction that MS is taking with SharePoint in the future.

For step 2, it is simple PowerShell, but lacks the benefits of the approval process in the SharePoint workflow.

Any more advice or experiences on this topic are definitely appreciated.

Brian Britt
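An added example, not from this thread or from the websetnet article linked in step 2: the time-bound group membership that AD DS 2016 provides natively (the "Privileged Access Management Feature" optional feature plus -MemberTimeToLive), which is what the "simple PowerShell call" route boils down to as I read it. The forest name bastion.local, the group PRIV-DomainAdmins and the user jdoe are placeholders; the bastion forest is assumed to be at forest functional level 2016 with the trust to the production forest already in place.

```powershell
# Added example (not from the thread or the linked articles): native AD DS 2016
# time-bound group membership in the bastion forest. bastion.local,
# PRIV-DomainAdmins and jdoe are placeholders.

#Requires -Modules ActiveDirectory

# 1. Enable the optional feature once per forest. This is a one-way change and
#    needs forest functional level Windows Server 2016, so do it in the bastion
#    forest only, never in the production forest you are protecting.
$forest = Get-ADForest -Identity 'bastion.local'
Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
    -Scope ForestOrConfigurationSet -Target $forest.Name

# 2. Grant membership that expires by itself. The KDC caps the Kerberos ticket
#    lifetime to the remaining TTL, so the elevation really does lapse even if
#    nobody remembers to remove the user afterwards.
$ttl = New-TimeSpan -Hours 2
Add-ADGroupMember -Identity 'PRIV-DomainAdmins' -Members 'jdoe' -MemberTimeToLive $ttl

# 3. Audit helper: who holds the group right now and for how much longer.
#    With -ShowMemberTimeToLive the member attribute returns TTL'd entries in the
#    form <TTL=<seconds>,<DN>>; permanent members come back as a plain DN.
function Get-TtlMember {
    param([Parameter(Mandatory)][string]$GroupName)
    $group = Get-ADGroup -Identity $GroupName -Properties member -ShowMemberTimeToLive
    foreach ($entry in $group.member) {
        if ($entry -match '^<TTL=(\d+),(.+)>$') {
            [pscustomobject]@{
                Member    = $Matches[2]
                ExpiresIn = [timespan]::FromSeconds([int]$Matches[1])
                Permanent = $false
            }
        }
        else {
            # A permanent member of a privileged group is exactly what a JIT
            # design is trying to eliminate, so flag it rather than hide it.
            [pscustomobject]@{ Member = $entry; ExpiresIn = $null; Permanent = $true }
        }
    }
}

Get-TtlMember -GroupName 'PRIV-DomainAdmins' | Format-Table -AutoSize
```

The Get-TtlMember output is the check I would put on a schedule: any row with Permanent set to $true in a group that is supposed to be JIT-only is a finding, and the ExpiresIn column tells you whether a TTL was set shorter or longer than your policy allows.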

bdesmond posted this 3 weeks ago

Brian-

The approvals for MIM PAM you can do via PowerShell or even the sample MIM PAM portal if you want. I generally avoid SharePoint for PAM and just do the PowerShell interface.

Thanks,

Brian
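An added example of what the PowerShell interface Brian describes looks like end to end (request on one side, approval on the other), written here for the thread and not taken from the MIM docs or the sample portal. It assumes the MIMPAM module on the bastion-forest MIM server and a role that was created with approval enabled; the role name PRIV-DomainAdmins-Role and the justification text are placeholders, and the object properties filtered on (DisplayName, Requestor, RoleDisplayName) are my recollection of what the PAMRole and PAMRequestToApprove objects expose, so confirm them with Get-Member before relying on them.

```powershell
# Added example (not from the thread, the MIM docs or the sample portal):
# MIM PAM request and approval round trip without SharePoint.
# Assumes the MIMPAM module; PRIV-DomainAdmins-Role is a placeholder role name.

function Request-PamElevation {
    # Requester side: runs as the candidate user in the bastion forest.
    param(
        [Parameter(Mandatory)][string]$RoleDisplayName,
        [Parameter(Mandatory)][string]$Justification,
        [timespan]$RequestedTTL = (New-TimeSpan -Hours 1)
    )
    Import-Module MIMPAM

    # Get-PAMRoleForRequest only returns roles the caller is a candidate for,
    # so a missing role here usually means a candidate-group membership issue.
    # (DisplayName is assumed to be the property the PAMRole object exposes.)
    $role = Get-PAMRoleForRequest | Where-Object { $_.DisplayName -eq $RoleDisplayName }
    if (-not $role) { throw "No requestable PAM role named '$RoleDisplayName'." }

    # The request object is returned immediately; for a role created with
    # -ApprovalEnabled it sits in Pending until an approver acts on it, and the
    # justification is what the approver (and later the auditor) will read.
    New-PAMRequest -Role $role -Justification $Justification -RequestedTTL $RequestedTTL
}

function Approve-PendingPamRequest {
    # Approver side: runs as a member of the role's approver group.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Requestor)
    Import-Module MIMPAM

    # Only requests waiting on this approver are returned. Requestor and
    # RoleDisplayName are assumed property names on PAMRequestToApprove.
    $pending = Get-PAMRequestToApprove | Where-Object { $_.Requestor -eq $Requestor }
    if (-not $pending) {
        Write-Verbose "Nothing pending from $Requestor."
        return
    }
    foreach ($req in $pending) {
        # Approving here is what actually triggers the TTL'd membership in the
        # bastion forest; MIM's request history is the audit trail of who did it.
        Write-Verbose ("Approving request from {0} for role {1}" -f $req.Requestor, $req.RoleDisplayName)
        Set-PAMRequestToApprove -Request $req -Approve
    }
}

# Typical flow, in two different sessions:
#   Request-PamElevation -RoleDisplayName 'PRIV-DomainAdmins-Role' -Justification 'Ticket 0000: DC patching'
#   Approve-PendingPamRequest -Requestor 'jdoe' -Verbose
```

The point of keeping the two halves in separate functions is that they run as different principals: the requester never sees Get-PAMRequestToApprove return anything, and the approver never needs the candidate group. Swapping -Approve for -Reject in Set-PAMRequestToApprove is the deny path, and either decision ends up in the MIM request history, which is the part of the SharePoint workflow people actually care about.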

BrianB posted this 3 weeks ago

Thanks Brian.

I found some nuances with the SharePoint Foundation and Sample portal when installing Server 2016 that led me to ask our SharePoint admin, who told me I needed to install full-blown SharePoint. Since the PoSH is a good way to achieve this, I will continue with that.

Cynthia,

Do either of the links I attached help you? I had easy success following the instructions in the link: https://websetnet.com/windows-server-2016-set-privileged-access-management/. Not sure if this is as deep as you were looking for.

Brian Britt