Archive for the ‘Active Directory’ Category

What’s New in Microsoft Azure Active Directory

Azure Active Directory is a comprehensive identity and access management cloud solution. It combines core directory services, advanced identity governance, security, and application access management. Azure AD also offers developers an identity management platform to deliver access control to their applications, based on centralized policy and rules.

In the last few months there have been significant changes to the Azure Active Directory (AAD) features and capabilities, and this post will give you a taste of some of them.

Subscription Management

It is now easier for large teams to share a single subscription, since up to 200 co-administrators per subscription are supported, a big change from the previous limit of 10.

Administration roles include Billing, Service, User, and Password Administrator.

[screenshot: AzureAdminRoles]


Busy Pre-Build week for Microsoft and Azure!

The Microsoft Build Conference is set to kick off next week but the company got off to an early start this week with several different announcements.

Windows Azure now generally available in China
This may not sound like a huge accomplishment worthy of being called out individually, but a little-known fact is that Windows Azure is the first major public cloud service that China has made available. This opens Azure up to an enormous user base that cloud competitors Google and Amazon don't yet have access to.

Windows Azure will soon be re-branded Microsoft Azure
In an effort to strengthen the Azure brand, Microsoft is removing "Windows" from the name. This is to help emphasize that the Azure platform is completely open and that a variety of technologies can use it, not just Microsoft and Windows based technology. The name "Windows Azure" has been a source of confusion since its introduction: people who are new to cloud computing often did not know whether only technologies supported by Windows were designed to work on the Azure platform. This name change should clear up any lingering confusion.

Office for iPad debuts along with Enterprise Mobility Suite
On Thursday Microsoft announced a fully functional, touch-friendly edition of their Office suite tailored for iPads. This has been a long time coming, as millions of iPad users have had to find other methods of editing documents on their tablets. The entire Office suite is free to download and use to view documents and presentations. In order to edit documents an Office 365 subscription is needed, priced at $99 a year. This subscription also provides you with desktop versions of Office 2013 as well as an Exchange Online account.

The Enterprise Mobility Suite aims to bring single sign-on to all users across a variety of devices and services. This would allow an Android tablet, iPad or Windows 8 machine using Azure Active Directory to authenticate against Office 365, Dynamics CRM and Windows Intune, as well as a variety of already available third-party products. This puts Microsoft technologies at the very core of the enterprise cloud while allowing users to "Bring Your Own Device".

Microsoft is sure to provide more insight into this strategy next week at the Build Conference, in addition to their future road map for Windows!

The fast and easy way to get your on-premise users into Yammer!

Does your company have a freemium Yammer environment that pre-dates your latest Enterprise Agreement?  Do you want to have the same set of users in Yammer as you do in your on-premise Active Directory?  Wonder no longer, dear readers.

We now have some recommended reading for anyone who finds themselves trying to reconcile a pre-existing Yammer environment with their SharePoint 2013 investment, or with the rest of their Microsoft infrastructure.

Microsoft has just released a new TechNet posting on syncing up your Yammer users with your on-premise AD.  Check it out!

Using System Center Automation to Manage Office 365

Manage Office 365 with Microsoft System Center Service Manager, Orchestrator, PowerShell or Custom GUI.

When working on Office 365 projects, a question I come across frequently is what the options are for managing Office 365 from an on-premises location. Up to now the tool set for even simple tasks has been very limited. DirSync is a tool offered by Microsoft to synchronize user principal names from the local Active Directory to the Office 365 cloud. Federation Services provides single sign-on to the cloud, which lets administrators manage passwords locally. The Exchange Management Console has some management functionality for Office 365 mailboxes, but it requires a hybrid deployment. PowerShell offers the most flexible on-premises management abilities. Then there are some third parties out there that provide simple management tools to do things like synchronize passwords or migrate mailboxes.

Using PowerShell in Windows Server 2012 to create a simple lab

I’ve been meaning to sit down and spend some time exploring the new Active Directory cmdlets that come with Windows Server 2012 so I decided to use my lab to create some test objects and populate the mailboxes with some messages.

My lab setup is very simple:

  • 1 – Windows Server 2012 domain controller
  • 1 – Exchange 2013 server (hosted on Windows 2012)
  • 1 – Windows 8 client with Office 2013

My goal was to be able to quickly create some test users and groups in a new OU structure, populate the groups with the accounts, and finally populate the mailboxes with some test messages. Here is the script I created to do that. It should be fairly straightforward to follow. There are obviously many other ways to do this. This is just one such way. I ran the script from the Exchange 2013 Management Shell after installing the Active Directory PowerShell module.
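The author's script is not reproduced in this excerpt. The following is an added example, not the author's code, showing the kind of OU, group and user creation described above with the Windows Server 2012 Active Directory cmdlets; the OU name, group names, user names and user count are made up, and it assumes the ActiveDirectory module is loaded and the account running it can create objects in the domain.

```powershell
# Added example (not from the original post): build a small test OU with groups and users.
# Assumes the ActiveDirectory module and rights to create objects in the domain.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName
$ouName   = 'Lab Test'                       # hypothetical OU name
$ouDn     = "OU=$ouName,$domainDn"

# Create the OU only if it does not exist; New-ADOrganizationalUnit throws on duplicates.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $false
}

# Two global security groups inside the new OU (hypothetical names).
foreach ($g in 'LabUsers', 'LabManagers') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'" -SearchBase $ouDn)) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $ouDn
    }
}

function New-RandomPassword {
    # 16 characters drawn from digits, upper and lower case, so each lab account
    # gets its own password instead of one shared value that ends up in scripts.
    $chars = (48..57) + (65..90) + (97..122)
    -join ($chars | Get-Random -Count 16 | ForEach-Object { [char]$_ })
}

# Five test users, each added to LabUsers; the first one also goes into LabManagers.
1..5 | ForEach-Object {
    $sam = "labuser$_"
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") { return }   # idempotent re-runs
    $pw = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    New-ADUser -Name "Lab User $_" -SamAccountName $sam `
        -UserPrincipalName "$sam@$($domain.DNSRoot)" -Path $ouDn `
        -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true
    Add-ADGroupMember -Identity 'LabUsers' -Members $sam
    if ($_ -eq 1) { Add-ADGroupMember -Identity 'LabManagers' -Members $sam }
}

# Show what was created.
Get-ADUser -Filter * -SearchBase $ouDn | Select-Object SamAccountName, UserPrincipalName, Enabled
```

Populating the mailboxes with test messages is left to the Exchange side (the author ran the script from the Exchange 2013 Management Shell); this block only covers the directory objects.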


Why I love PowerShell…and so should you

This blog post is meant for both the PowerShell newbie and the scripter out there looking for a reason why they should start learning the aptly named PowerShell, or push themselves to learn a new aspect of PowerShell they've been meaning to try.

It’s been a few years now since PowerShell first came to be. Remember those Monad days when we first got a glimpse at what Microsoft had up their sleeve? I’ll admit I was one of the skeptical ones, deeply entrenched in VBScript, DOS batch files, AutoIT, VB.Net, etc. I thought to myself, “Great, another programming language. This will never catch on. Microsoft did what to the administrative interface?!” I just didn’t get it at first.

When Exchange 2007 hit the market I knew they were serious. Microsoft cleverly led me (although initially it felt more like ‘forced me’) to learn this new scripting language by including helpful syntax examples whenever I would use the Exchange Management Console to do simple and sometimes complex tasks:

For example, moving a mailbox:

'contoso.com/Test/Test Account1' | Move-Mailbox -TargetDatabase 'E2K7SVR1\First Storage Group\Exchange2007DB2'

Ok. That was simple enough, and looking at the code it was somewhat easy to follow the logic, although at the time I didn't have any clue what the syntax rules were yet or how to do anything I was used to doing with VBScript. Ah, my cherished VBScript. Not anymore! Fast-forward a few years.

Office 365 Remote Move “Completed with Warning” – Part 1

I’ve seen a number of different O365 forum entries on this issue, but I wanted to pull together some thoughts on what I’ve done to resolve these errors for my customers.

Normally, a mailbox remote move operation copies the on-premises mailbox content to the Office 365 mailbox. However, if the mailbox has a condition that falls outside of "acceptable Office 365 content", such as corrupted items, large items (>25 MB), or a mailbox that is too big (>25 GB), then the remote move will inevitably go to a failed state. The on-premises mailbox continues to work, Office 365 users continue to send to the on-premises mailbox, and no one is really worse for the experience, if you ignore the time the mailbox was unavailable to the migrating user (assuming not Exchange 2010). Really, the loser in that scenario is the administrator who will have to address the failure conditions and then attempt another move.


Rejoining a Domain in Less than Two Reboots

I feel a little silly just finding out this little tip recently as I can’t count how many times I’ve had to manually re-join a Windows workstation or member server to a domain in my life. This is a pretty common procedure as various issues can sometimes cause problems with the secure channel communications between workstations and domain controllers in an Active Directory domain. Rejoining the domain reestablishes the trusted partnership and in most cases resolves the issue.

The tried-and-true process has always been to remove the workstation from the domain by temporarily moving it into a workgroup and then moving it back into the domain. This requires two reboots and, if you've learned the hard way, a local Administrator account with a known password just in case ;)

In a recent training class we were using multiple Virtual PC images in the test labs and a few of the guests were having problems logging into the domain. The instructors had a sidebar in the materials that mentioned if this happened to remove/rejoin the domain by using a process that I had never seen, but works in a single reboot!

It's quite simple: just change the Domain name field to use the Active Directory domain's other name. That is, if the DNS name is currently entered in the field, change it to the NetBIOS name, or vice versa. This makes Windows treat it as a join to a new domain and lets the whole process happen in a single reboot.

So, in this example I have a workstation JDSPC02 that is a member of the lab.schertz.local AD domain. The DNS name 'lab.schertz.local' is currently used, as shown below in the Computer Name Changes window:

[screenshot: Computer Name Changes window showing 'lab.schertz.local']

I know that the NetBIOS domain name for the same AD domain is simply 'LAB', so I replaced the value with 'LAB'.

[screenshot: Computer Name Changes window showing 'LAB']

All too easy:

[screenshot: welcome-to-domain confirmation]

Let it be said that I have no idea if this is a supported or even recommended action, but it’s worked fine each time I’ve tested it.

Oh great PDC Emulator in thy forest, what time is it?

Recently I was working with a client that had a unique view on how to configure their Windows forest for time services. If you aren't aware, Microsoft has designed a comprehensive time distribution service called w32time in Windows 2000 and later. It is designed to keep all computers in the forest within five minutes of each other. This is to support Kerberos authentication, which requires minimal clock skew between servers.

W32time is NOT designed to be accurate to the nanosecond, and may not meet the accuracy requirements in some special environments. If your company has auditing requirements which rely on sub-second accuracy for your servers, third-party solutions will be required. But for the vast majority of users, w32time is just fine.

So how does Microsoft recommend you configure w32time in a forest? Very simple. Configure your forest root PDC emulator to sync its time from a trusted source, such as a dedicated internal NTP appliance based on GPS signals. You could also sync with trusted internet-based time sources if you can't buy a dedicated appliance.

Windows will then use a defined method of syncing time, involving the other PDC emulators and domain controllers. For a great article on all the gory details, see this link on TechNet.

But I'm not here to extol the virtues of w32time. I'm here to address a few discussion points which came up with my client. I developed a FAQ for some of their questions.

1. Does a forest need accurate time, synchronized time, or both?
Answer: For Kerberos to function only synchronized time is required, not accurate time. The whole forest could be hours off of NTP time, but Kerberos would function since time sync, not time accuracy, is required. Your business may have time accuracy requirements, but Windows itself does not.

2. Do services such as Exchange 2007, OCS 2007, MOSS 2007, SQL 2005/2008, or Operations Manager 2007 require more precise time than w32time can provide?
Answer: No, these services rely on Kerberos, which w32time was designed to support. No elaborate time sync configuration is required.

3. What happens if a member server is unable to contact a DC for an extended period?
Answer: All of the services above will cease to function very shortly after they lose DC connectivity. These services rely on AD for authentication and group membership and will not function without it. Time is the last thing I would be concerned about if they lost DC connectivity. A server can likely operate weeks or months without a time sync and not drift more than five minutes. Services such as Exchange won't last a minute without a local DC.

4. Can a computer be configured to use the Windows time service and fall back to manual sources if all DCs are unavailable?
Answer: Yes. However, as mentioned above, if DCs cannot be contacted then Kerberos will not function, so the time difference between the server and the unreachable DCs is irrelevant because your important service will have died. The additional manual configuration is not worth the effort, IMHO.

5. Can the w32time service be tweaked for more accurate time?
Answer: Yes, w32time has numerous registry keys that control various parameters. See this link for full details. Be careful when tweaking the settings, even if you think you know the consequences.

6. If my company requires strict time sync, less than 20 seconds of skew across the forest, do I need a third-party NTP client?
Answer: Yes. W32time is designed for a maximum of five minutes of skew, but often does much better. Typically 20 seconds or less of skew is maintained, but not guaranteed. To guarantee accuracy a precise third-party NTP client is required for all servers.

7. How about workgroup computers?
Answer: Workgroup computers DO need to be manually configured for time sync. See the links above for manually configuring the w32time service.

8. Is the w32time service reliable?
Answer: Yes. I've never seen an instance where the w32time service failed when it has been properly configured and DCs are healthy. W32time is very reliable and just works; no over-engineering required. If DCs are in such an unhealthy state that time sync is broken, you have other major issues at hand that need attention. Again, servers can likely maintain less than five minutes of skew for weeks or months without any time source.

9. Does Windows Server 2008 have any new w32time settings that I should be aware of?
Answer: Yes. Microsoft changed a couple of default settings for the w32time service which you can use in your 2003 forest. MaxPosPhaseCorrection and MaxNegPhaseCorrection are now set to 172,800 (48 hours). These values limit the possible wild swings in time should the external time source be compromised or a DC have its time manually reconfigured. These settings can be configured via GPO.

10. How do I reset a server which was configured for manual time sync to use the Windows domain time hierarchy?
Answer: w32tm /config /syncfromflags:domhier /reliable:no /update

11. Should I sync various parts of my forest to different time sources?
Answer: No. All parts of the forest should use a single time source, since you want to guarantee time sync. Syncing servers to different time sources is asking for trouble and can lead to complications. Unless you are using a third-party NTP client, use the simple Microsoft recommended best practice of just syncing your forest root PDC emulator and leave the rest up to w32time.
For example, syncing your servers to their local router's NTP service would not be advised, even if all routers were configured to sync from a trusted source.
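As an added example (not part of the original FAQ), the script below measures a member server's offset from the forest-root PDC emulator, the top of the w32time hierarchy, and reports the MaxPosPhaseCorrection/MaxNegPhaseCorrection values and the current sync source, so drift approaching the five-minute Kerberos tolerance or a manually overridden source is noticed before authentication fails. It assumes the ActiveDirectory module is available and that UDP/123 to the PDC emulator is open; the 300-second threshold is the Kerberos default the FAQ refers to.

```powershell
# Added example (not from the original post): audit w32time against the forest-root PDC emulator.
Import-Module ActiveDirectory

function Get-ForestPdcEmulator {
    # The forest root domain's PDC emulator is the authoritative time source for the forest.
    (Get-ADDomain -Identity (Get-ADForest).RootDomain).PDCEmulator
}

function Get-OffsetSeconds {
    param([string]$Server, [int]$Samples = 3)
    # w32tm /stripchart /dataonly prints lines like "12:00:01, +00.0023456s";
    # extract the signed offset from each and average them.
    $lines = w32tm /stripchart /computer:$Server /samples:$Samples /dataonly 2>&1
    $offsets = foreach ($l in $lines) {
        if ($l -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "No NTP samples from $Server (UDP/123 blocked or name not resolvable?)" }
    ($offsets | Measure-Object -Average).Average
}

function Get-W32TimeSettings {
    # Phase-correction limits live under the W32Time Config key; the sync source
    # tells you whether this box follows the domain hierarchy or a manual/local clock.
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
    $p = Get-ItemProperty -Path $cfg
    [pscustomobject]@{
        MaxPosPhaseCorrection = $p.MaxPosPhaseCorrection
        MaxNegPhaseCorrection = $p.MaxNegPhaseCorrection
        Source                = (w32tm /query /source)
    }
}

$pdc    = Get-ForestPdcEmulator
$offset = Get-OffsetSeconds -Server $pdc
"Offset from $pdc : {0:N3} s" -f $offset
if ([math]::Abs($offset) -gt 300) {
    Write-Warning 'Skew exceeds the 5-minute Kerberos tolerance; check the sync source and DC health'
}
Get-W32TimeSettings
```

A Source of "Local CMOS Clock" on a member server usually means it was pointed away from the domain hierarchy; FAQ item 10 above gives the command that puts it back.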

Random Client-Side Kerberos issues with PerformancePoint Scorecards

After recently deploying PerformancePoint Scorecards within SharePoint, we noticed that some client computers (end users) could not connect to these scorecards. As an example, a filter on the scorecard would produce the error "No Selections available. Contact your system administrator for assistance. Contact the administrator for more details." The scorecard also continued to say "Updating..." after this error appeared on the filter.

While continuing to diagnose this issue, we noticed that certain computers could access the scorecards while other computers could not. In fact, we were able to determine that it wasn't purely a user issue but a machine issue coupled with a user issue. After doing some research on Kerberos, we noticed that some users did not have the "@domain.com" field populated within Active Directory. For whatever reason, this field was left blank for some users.

After populating this field, we made one other change that affected how the machine connected to the network. We noticed that some workstations would not pass Kerberos tickets. It turned out that these machines were logging on with cached credentials, because the networking services did not initialize right away on them. We made a group policy change that forces the computer to wait for the networking services before authentication occurs.

After making these two changes, the scorecards that were previously unavailable were accessible from any workstation by any user authorized to view them.
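As an added example (not part of the original post), the following script checks for the two conditions described above so they can be found before users hit the error: enabled accounts with an empty "@domain.com" field, which this example assumes is the userPrincipalName attribute, and whether the "Always wait for the network at computer startup and logon" policy is enforced on the local machine (it writes SyncForegroundPolicy=1 under the Winlogon policy key). The UPN fix-up function assumes the domain's DNS name is the intended suffix.

```powershell
# Added example (not from the original post): find users with no UPN and verify the
# wait-for-network policy that stops workstations from logging on with cached credentials.
Import-Module ActiveDirectory

function Get-UsersMissingUpn {
    # Enabled accounts with an empty userPrincipalName (assumed to be the "@domain.com"
    # field from the post); these are the ones to populate before retesting Kerberos.
    Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
        Where-Object { [string]::IsNullOrEmpty($_.UserPrincipalName) } |
        Select-Object SamAccountName, DistinguishedName
}

function Set-DefaultUpn {
    # Assumption: the domain DNS name is the right UPN suffix for this environment.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $suffix = (Get-ADDomain).DNSRoot
    Set-ADUser -Identity $SamAccountName -UserPrincipalName "$SamAccountName@$suffix"
}

function Test-WaitForNetworkPolicy {
    # "Always wait for the network at computer startup and logon" (Computer Configuration >
    # Administrative Templates > System > Logon) sets this registry value to 1.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $v = (Get-ItemProperty -Path $key -Name SyncForegroundPolicy -ErrorAction SilentlyContinue).SyncForegroundPolicy
    return ($v -eq 1)
}

$missing = @(Get-UsersMissingUpn)
"{0} enabled user(s) have no UPN" -f $missing.Count
$missing | Format-Table -AutoSize

# Uncomment to apply the default suffix to every account found above.
# $missing | ForEach-Object { Set-DefaultUpn -SamAccountName $_.SamAccountName }

"Wait-for-network policy enforced on this machine: {0}" -f (Test-WaitForNetworkPolicy)

# Quick confirmation on an affected workstation: a logon that used cached credentials
# shows no Kerberos TGT for the domain in the ticket cache.
klist tgt
```

Run the policy and klist checks on a workstation that showed the symptom; run the UPN query from any machine with the ActiveDirectory module.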