Archive for the ‘Active Directory’ Category

Busy Pre-Build week for Microsoft and Azure!

The Microsoft Build Conference is set to kick off next week but the company got off to an early start this week with several different announcements.

Windows Azure now generally available in China
This may not sound like a huge accomplishment worthy of being called out individually, but a little-known fact is that Windows Azure is the first major public cloud service that China has made available. This opens Azure up to an enormous user base that cloud competitors Google and Amazon don’t yet have access to.

Windows Azure will soon be re-branded Microsoft Azure
In an effort to strengthen the Azure brand, Microsoft is removing “Windows” from the name. This is to help emphasize that the Azure platform is completely open and that a variety of technologies can use it, not just Microsoft and Windows-based technology. The name “Windows Azure” has been a source of confusion since its introduction: people who are new to cloud computing often did not know whether only technologies supported by Windows were designed to work on the Azure platform. This name change should clear up any lingering confusion.

Office for iPad debuts along with Enterprise Mobility Suite 
On Thursday Microsoft announced a fully functional, touch friendly edition of their Office suite tailored for iPads.  This has been a long time coming as millions of iPad users have had to find other methods of editing documents on their tablets.  The entire Office suite is free to download and use to view documents and presentations.  In order to edit documents an Office 365 subscription is needed, priced at $99 a year.  This subscription also provides you with desktop versions of Office 2013 as well as an Exchange Online account.

The Enterprise Mobility Suite aims to bring Single Sign-On to all users across a variety of devices and services. This would allow an Android tablet, iPad or Windows 8 machine using Azure Active Directory to authenticate against Office 365, Dynamics CRM and Windows Intune, as well as a variety of already available third-party products. This puts Microsoft technologies at the very core of the Enterprise Cloud while allowing users to “Bring Your Own Device”.

Microsoft is sure to provide more insight into this strategy next week at the Build Conference, in addition to their future road map for Windows!

The fast and easy way to get your on-premise users into Yammer!

Does your company have a freemium Yammer environment that pre-dates your latest Enterprise Agreement?  Do you want to have the same set of users in Yammer as you do in your on-premise Active Directory?  Wonder no longer, dear readers.

We now have some recommended reading for anyone who finds themselves trying to rationalize a pre-existing Yammer environment with their SharePoint 2013 investment, or with the rest of their Microsoft infrastructure.

Microsoft has just released a new TechNet posting on syncing up your Yammer users with your on-premise AD.  Check it out!

Using System Center Automation to Manage Office 365

Manage Office 365 with Microsoft System Center Service Manager, Orchestrator, PowerShell or Custom GUI.

Working on Office 365 projects, one of the questions I come across frequently is what the options are for managing Office 365 from an on-premises location. Up to now there has been a very limited tool set, even for simple tasks. DirSync is a tool offered by Microsoft to synchronize User Principal Names from the local Active Directory to the Office 365 cloud. Federated Services provides Single Sign-On to the cloud, which lets administrators manage passwords locally. The Exchange Management Console has some management functionality for Office 365 mailboxes, but it requires a Hybrid Deployment. PowerShell offers the most flexible on-premises management abilities. Then there are some third parties out there that provide simple management tools to do things like synchronize passwords or migrate mailboxes. Read the rest of this post »

Using PowerShell in Windows Server 2012 to create a simple lab

I’ve been meaning to sit down and spend some time exploring the new Active Directory cmdlets that come with Windows Server 2012 so I decided to use my lab to create some test objects and populate the mailboxes with some messages.

My lab setup is very simple:

  • 1 – Windows Server 2012 domain controller
  • 1 – Exchange 2013 server (hosted on Windows 2012)
  • 1 – Windows 8 client with Office 2013

My goal was to be able to quickly create some test users and groups in a new OU structure, populate the groups with the accounts, and finally populate the mailboxes with some test messages. Here is the script I created to do that. It should be fairly straightforward to follow. There are obviously many other ways to do this. This is just one such way. I ran the script from the Exchange 2013 Management Shell after installing the Active Directory PowerShell module.

Read the rest of this post »
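As an added example (this is not the author’s script, which is in the full post), here is one way to do what the post describes with the Windows Server 2012 Active Directory cmdlets, run from the Exchange 2013 Management Shell. The OU name “Lab”, the group and user names, the password and the SMTP host name are all constructed for this example.

```powershell
# Added example, not the author's script. Run from the Exchange 2013 Management Shell
# on a box with the Active Directory module installed. Everything below the module
# import (OU name, users, groups, password, SMTP host) is constructed for the example.
Import-Module ActiveDirectory

$Domain     = Get-ADDomain
$LabOU      = "OU=Lab,$($Domain.DistinguishedName)"
$UsersOU    = "OU=Users,$LabOU"
$GroupsOU   = "OU=Groups,$LabOU"
$UpnSuffix  = $Domain.DNSRoot
$SmtpServer = 'ex2013.lab.contoso.local'      # assumed name of the Exchange 2013 server
$Password   = ConvertTo-SecureString 'Lab-Only-P@ss1' -AsPlainText -Force   # lab accounts only
$Groups     = 'Lab-Sales', 'Lab-IT'

function Test-ADObjectExists([string]$DistinguishedName) {
    # Get-ADObject throws a terminating error for a missing DN, so test with try/catch.
    try { [void](Get-ADObject -Identity $DistinguishedName); $true } catch { $false }
}

# 1. OU structure: Lab, Lab\Users, Lab\Groups (skips any OU that already exists)
foreach ($ou in $LabOU, $UsersOU, $GroupsOU) {
    if (-not (Test-ADObjectExists $ou)) {
        $name   = ($ou -split ',', 2)[0] -replace '^OU='
        $parent = ($ou -split ',', 2)[1]
        New-ADOrganizationalUnit -Name $name -Path $parent -ProtectedFromAccidentalDeletion $false
    }
}

# 2. Ten enabled test users with a UPN and SMTP address matching the domain
$Users = foreach ($i in 1..10) {
    $sam = 'labuser{0:D2}' -f $i
    if (-not (Get-ADUser -Filter "sAMAccountName -eq '$sam'")) {
        New-ADUser -Name $sam -SamAccountName $sam -UserPrincipalName "$sam@$UpnSuffix" `
                   -EmailAddress "$sam@$UpnSuffix" -Path $UsersOU `
                   -AccountPassword $Password -Enabled $true
    }
    Get-ADUser -Identity $sam
}

# 3. Two global security groups, with the users alternated between them
foreach ($g in $Groups) {
    if (-not (Get-ADGroup -Filter "name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $GroupsOU
    }
}
for ($i = 0; $i -lt $Users.Count; $i++) {
    Add-ADGroupMember -Identity $Groups[$i % $Groups.Count] -Members $Users[$i]
}

# 4. Mailbox-enable the accounts (Exchange cmdlet) and seed each mailbox with mail
foreach ($u in $Users) {
    if (-not (Get-Mailbox -Identity $u.SamAccountName -ErrorAction SilentlyContinue)) {
        Enable-Mailbox -Identity $u.SamAccountName | Out-Null
    }
}
$Sender = "$($Users[0].SamAccountName)@$UpnSuffix"
foreach ($u in $Users) {
    foreach ($n in 1..3) {
        # The default receive connectors accept mail for internal recipients from inside the org.
        Send-MailMessage -SmtpServer $SmtpServer -From $Sender -To "$($u.SamAccountName)@$UpnSuffix" `
                         -Subject "Lab test message $n" `
                         -Body "Constructed test message $n for $($u.SamAccountName)."
    }
}
```

Each step checks for an existing object first, so the script can be re-run after a partial failure without producing duplicate-name errors.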

Why I love PowerShell…and so should you

This blog post is meant for both the PowerShell newbie and the experienced scripter looking for a reason to start learning the aptly named PowerShell, or to push themselves to learn a new aspect of PowerShell they’ve been meaning to try.

It’s been a few years now since PowerShell first came to be. Remember those Monad days when we first got a glimpse at what Microsoft had up their sleeve? I’ll admit I was one of the skeptical ones, deeply entrenched in VBScript, DOS batch files, AutoIT, VB.Net, etc. I thought to myself, “Great, another programming language. This will never catch on. Microsoft did what to the administrative interface?!” I just didn’t get it at first.

When Exchange 2007 hit the market I knew they were serious. Microsoft cleverly led me (although initially it felt more like ‘forced me’) to learn this new scripting language by including helpful syntax examples whenever I would use the Exchange Management Console to do simple and sometimes complex tasks:

For example, moving a mailbox:

'contoso.com/Test/Test Account1' | move-mailbox -TargetDatabase 'E2K7SVR1\First Storage Group\Exchange2007DB2'

Ok. That was simple enough and looking at the code, somewhat easy to follow the logic although at the time I didn’t have any clue what the syntax rules were yet or how to do anything I was used to doing with VBScript. Ah, my cherished VBScript. Not anymore! Fast-forward a few years later. Read the rest of this post »

Office 365 Remote Move “Completed with Warning” – Part 1

I’ve seen a number of different O365 forum entries on this issue, but I wanted to pull together some thoughts on what I’ve done to resolve these errors for my customers.

Normally, a mailbox remote move operation copies the on-premises mailbox content to the Office 365 mailbox. However, if the mailbox has a condition that falls outside of “acceptable Office 365 content”, such as corrupted items, large items (>25 MB), or a mailbox that is too big (>25 GB), then the remote move will inevitably go to a failed state. The on-premises mailbox continues to work, Office 365 users continue to send to the on-premises mailbox, and no one is really worse for the experience – well, if you ignore the time the mailbox was unavailable to the migrating user (assuming not Exchange 2010). Really, the loser in that scenario is the administrator, who will have to address the failure conditions and then attempt another move.

Read the rest of this post »
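As an added example (not from the post), the checks an administrator would want around the failure conditions just described: find mailboxes that already exceed the size cap, read back why a move request stalled, and retry while tolerating a small number of bad or oversized items. It assumes the size checks run in the on-premises Exchange Management Shell and the move request cmdlets run in the session where the request lives (Exchange Online remote PowerShell for a remote move); the thresholds are the ones quoted in the post.

```powershell
# Added example, not from the post. Size checks: on-premises Exchange Management
# Shell. Move request cmdlets: the session that owns the request (Exchange Online
# remote PowerShell for a remote move). Threshold taken from the post.
$MaxMailboxBytes = 25GB

function Get-MailboxOverLimit {
    # Mailboxes already larger than the cap. TotalItemSize is a ByteQuantifiedSize
    # in a local shell, so convert it to bytes before comparing.
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $stats = Get-MailboxStatistics -Identity $_.Identity
        $bytes = $stats.TotalItemSize.Value.ToBytes()
        if ($bytes -gt $MaxMailboxBytes) {
            [pscustomobject]@{ Mailbox = $_.Alias; SizeGB = [math]::Round($bytes / 1GB, 2) }
        }
    }
}

function Get-MoveRequestProblem {
    # Every request that has not completed cleanly, with the counters that map to
    # the corrupt-item and large-item conditions, plus the mover's last message.
    Get-MoveRequest | Where-Object { $_.Status -ne 'Completed' } | ForEach-Object {
        $s = Get-MoveRequestStatistics -Identity $_.Identity
        [pscustomobject]@{
            Mailbox    = $s.DisplayName
            Status     = $s.Status
            BadItems   = $s.BadItemsEncountered
            LargeItems = $s.LargeItemsEncountered
            Message    = $s.Message
        }
    }
}

function Get-MoveRequestReport([string]$Identity) {
    # The full mover log; the entries near the end name the item or size that tripped it.
    (Get-MoveRequestStatistics -Identity $Identity -IncludeReport).Report | Out-String
}

function Resume-MoveWithLimits {
    param([string]$Identity, [int]$BadItemLimit = 10, [int]$LargeItemLimit = 10)
    # Retry while tolerating a few corrupt/oversized items. Anything skipped under
    # these limits is NOT migrated, so capture it from the report before resuming.
    Set-MoveRequest -Identity $Identity -BadItemLimit $BadItemLimit -LargeItemLimit $LargeItemLimit
    Resume-MoveRequest -Identity $Identity
}
```

Run Get-MailboxOverLimit before scheduling a batch; run Get-MoveRequestProblem and Get-MoveRequestReport on whatever did not finish, and only then decide whether Resume-MoveWithLimits is acceptable for that mailbox.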

Rejoining a Domain in Less than Two Reboots

I feel a little silly just finding out this little tip recently as I can’t count how many times I’ve had to manually re-join a Windows workstation or member server to a domain in my life. This is a pretty common procedure as various issues can sometimes cause problems with the secure channel communications between workstations and domain controllers in an Active Directory domain. Rejoining the domain reestablishes the trusted partnership and in most cases resolves the issue.

The tried-and-true process has always been to remove the workstation from the domain by temporarily moving it into a workgroup and then moving it back into the domain. This requires two reboots and, if you’ve learned the hard way, a new local Administrator account with a known password just in case ;)

In a recent training class we were using multiple Virtual PC images in the test labs and a few of the guests were having problems logging into the domain. The instructors had a sidebar in the materials that mentioned if this happened to remove/rejoin the domain by using a process that I had never seen, but works in a single reboot!

It’s quite simple: just change the Domain name field to use the Active Directory domain’s other name. If the DNS name is currently entered in the field, change it to the NETBIOS name, or vice versa. This makes Windows believe it is joining a new domain and lets the process complete in a single reboot.

So, in this example I have a workstation JDSPC02 that is a member of the lab.schertz.local AD domain. The DNS name of ‘lab.schertz.local’ is currently used as shown below in the Computer Name Changes window:

[screenshot: Computer Name Changes window with the Domain field set to lab.schertz.local]

I know that the NETBIOS domain name for the same AD domain is simply ‘LAB’ so I replaced the value to ‘LAB’.

[screenshot: Computer Name Changes window with the Domain field set to LAB]

All too easy:

[screenshot: result of the domain change]

Let it be said that I have no idea if this is a supported or even recommended action, but it’s worked fine each time I’ve tested it.
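As an added example (not from the post), here is the check that tells you whether the secure channel is actually the problem before you reach for the rename trick, plus the PowerShell repair that avoids the GUI round-trip altogether. Test-ComputerSecureChannel ships with PowerShell 2.0 and later; the domain name is the one used in the post.

```powershell
# Added example, not from the post. Test-ComputerSecureChannel is in PowerShell 2.0+.
# lab.schertz.local is the domain from the post.
$DnsDomain = 'lab.schertz.local'

function Test-DomainTrust {
    # $true when the local machine account secret matches what a DC holds.
    # -Verbose prints which DC answered.
    Test-ComputerSecureChannel -Verbose
}

function Get-SecureChannelEvents([int]$Newest = 20) {
    # Netlogon logs 3210 (could not authenticate with a DC) and 5719 (no DC
    # available) to the System log when the trust relationship is the problem.
    Get-EventLog -LogName System -Source NETLOGON -Newest $Newest |
        Where-Object { 3210, 5719 -contains $_.EventID } |
        Select-Object TimeGenerated, EventID, Message
}

function Repair-DomainTrust([pscredential]$Credential) {
    # Resets the computer account password on a DC and locally in one step:
    # no workgroup detour, no reboot. Needs an account allowed to reset the
    # computer object's password (a domain admin, or whoever created the object).
    if ($Credential) { Test-ComputerSecureChannel -Repair -Credential $Credential }
    else             { Test-ComputerSecureChannel -Repair }
}

function Test-SecureChannelWithNltest {
    # Second opinion from the classic tool, where nltest.exe is present (Windows 7 / 2008 R2 and later).
    nltest "/sc_verify:$DnsDomain"
}

if (-not (Test-DomainTrust)) {
    Get-SecureChannelEvents
    Repair-DomainTrust -Credential (Get-Credential)
    Test-DomainTrust
}
```

If Test-DomainTrust already returns $true, the secure channel is fine and the logon problem lies elsewhere (time skew, DNS, or the user account), so a rejoin by either method would not help.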

Oh great PDC Emulator in thy forest, what time is it?

Recently I was working with a client that had a unique view on how to configure their Windows forest for time services. If you aren’t aware, Microsoft has built a comprehensive time distribution service called w32time into Windows 2000 and later. It is designed to keep all computers in the forest within five minutes of each other. This is to support Kerberos authentication, which requires minimal clock skew between servers.
W32time is NOT designed to be accurate to the nanosecond, and may not meet the accuracy requirements in some special environments. If your company has auditing requirements which rely on sub-second accuracy for your servers, third party solutions will be required. But for the vast majority of users, w32time is just fine.
So how does Microsoft recommend you configure w32time in a forest? Very simple. Configure your forest root PDC emulator to sync its time from a trusted source, such as a dedicated internal NTP appliance based on GPS signals. You could also sync with trusted internet based time sources if you can’t buy a dedicated appliance.
Windows will then use a defined method of syncing time, involving other PDC emulators and domain controllers. For a great article on all the gory details, see this link on TechNet.
But I’m not here to extol the virtues of w32time. I’m here to address a few discussion points which came up with my client. I developed a FAQ for some of their questions.
1. Does a forest need accurate time, synchronized time, or both?
Answer: For Kerberos to function only synchronized time is required, not accurate time. The whole forest could be hours off of NTP time, but Kerberos would function since time sync, not time accuracy, is required. Your business may have time accuracy requirements, but Windows itself does not.
2. Do services such as Exchange 2007, OCS 2007, MOSS 2007, SQL 2005/2008, or Operations Manager 2007 require more precise time than w32time can provide?
Answer: No, these services rely on Kerberos which w32time was designed to support. No elaborate time sync configuration is required.
3. What happens if a member server is unable to contact a DC for an extended period?
Answer: All of the services above will cease to function very shortly after they lose DC connectivity. These services rely on AD for authentication and group membership and will not function without it. Time is the last thing I would be concerned about if they lost DC connectivity. A server can likely operate weeks or months without a time sync and not drift more than five minutes. Services such as Exchange won’t last a minute without a local DC.
4. Can a computer be configured to use the Windows time service and fall back to manual sources if all DCs are unavailable?
Answer: Yes. However, as mentioned above, if DCs cannot be contacted then Kerberos will not function so the time difference between the server and the unreachable DCs is irrelevant because your important service will have died. The additional manual configuration is not worth the effort, IMHO.
5. Can the w32time time service be tweaked for more accurate time?
Answer: Yes, w32time has numerous registry keys that control various parameters. See this link for full details. Be careful when tweaking the settings, even if you think you know the consequences.
6. If my company requires strict time sync, less than 20 second skew across the forest, do I need a third party NTP client?
Answer: Yes. W32time is designed for a maximum of five minute skew, but often does much better. Typically 20 second or less skew is maintained, but not guaranteed. To guarantee accuracy a precise third-party NTP client is required for all servers.
7. How about workgroup computers?
Answer: Workgroup computers DO need to be manually configured for time sync. See the links above for manually configuring the w32time service.
8. Is the w32time service reliable?
Answer: Yes. I’ve never seen an instance where the w32time service failed when it has been properly configured and DCs are healthy. W32time is very reliable and just works; no over-engineering required. If DCs are in such an unhealthy state that time sync is broken, you have other major issues at hand that need attention. Again, servers can likely maintain a less than five minute skew for weeks or months without any time source.
9. Does Windows Server 2008 have any new w32time settings that I should be aware of?
Answer: Yes. Microsoft changed a couple of default settings for the w32time service which you can use in your 2003 forest. MaxPosPhaseCorrection and MaxNegPhaseCorrection are now set to 172,800 (48 hours). These values limit the possible wild swings in time should the external time source be compromised or a DC have its time manually reconfigured. These settings can be configured via GPO.
10. How do I reset a server which was configured for manual time sync to use the Windows domain time hierarchy?
Answer: w32tm /config /syncfromflags:domhier /reliable:no /update
11. Should I sync various parts of my forest to different time sources?
Answer: No. All parts of the forest should use a single time source since you want to guarantee time sync. Syncing servers to different time sources is asking for trouble and can lead to complications. Unless you are using a third-party NTP client, use the simple Microsoft recommended best practices of just syncing your forest root PDC emulator and leave the rest up to w32time.
For example, syncing your servers to their local router’s NTP service would not be advised, even if all routers were configured to sync from a trusted source.
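As an added example (not from the post), the FAQ above carried through in PowerShell: find the forest-root PDC emulator, give it the external source the post recommends, return any other machine to the domain hierarchy (item 10), read the phase-correction caps (item 9), and measure skew against the PDC emulator using the five-minute and twenty-second figures from items 1 and 6. The NTP host name is a placeholder; the registry path is the w32time Config key.

```powershell
# Added example, not from the post. Requires the Active Directory module for the
# PDC lookup; w32tm commands run as an administrator on the machine being configured.
# ntp.example.internal is a placeholder for your trusted time source.
Import-Module ActiveDirectory

function Get-ForestRootPdc {
    # Only the forest-root PDC emulator should sync from outside the forest.
    $root = (Get-ADForest).RootDomain
    (Get-ADDomain -Identity $root).PDCEmulator
}

function Set-PdcTimeSource {
    param([string[]]$Peer = @('ntp.example.internal'))   # placeholder NTP source
    # 0x8 = client mode. /reliable:yes advertises this DC as a good time source.
    $list = ($Peer | ForEach-Object { "$_,0x8" }) -join ' '
    w32tm /config "/manualpeerlist:$list" /syncfromflags:manual /reliable:yes /update
    w32tm /resync
}

function Reset-ToDomainHierarchy {
    # FAQ item 10: everything that is not the forest-root PDC follows the hierarchy.
    w32tm /config /syncfromflags:domhier /reliable:no /update
    w32tm /resync
}

function Get-PhaseCorrectionLimits {
    # FAQ item 9: 172800 seconds (48 h) caps how far one correction may jump the clock.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
    $cfg = Get-ItemProperty -Path $key
    [pscustomobject]@{
        MaxPosPhaseCorrection = $cfg.MaxPosPhaseCorrection
        MaxNegPhaseCorrection = $cfg.MaxNegPhaseCorrection
        CappedAt48h           = ($cfg.MaxPosPhaseCorrection -eq 172800 -and
                                 $cfg.MaxNegPhaseCorrection -eq 172800)
    }
}

function Get-SkewSeconds {
    param([string]$Computer = (Get-ForestRootPdc), [int]$Samples = 3)
    # /dataonly prints lines like "12:26:53, +00.0039183s"; average the offsets.
    $out = w32tm /stripchart "/computer:$Computer" "/samples:$Samples" /dataonly
    $offsets = foreach ($line in $out) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$matches[1] }
    }
    [math]::Round(($offsets | Measure-Object -Average).Average, 3)
}

function Test-Skew {
    param([string]$Computer = (Get-ForestRootPdc))
    $skew = [math]::Abs((Get-SkewSeconds -Computer $Computer))
    [pscustomobject]@{
        Against         = $Computer
        SkewSeconds     = $skew
        KerberosSafe    = $skew -lt 300   # FAQ item 1: five-minute design target
        WithinTwentySec = $skew -lt 20    # FAQ item 6: typical, but not guaranteed
    }
}

function Get-TimeSource {
    # Confirms which peer this machine is actually following after a change.
    w32tm /query /source
}
```

Run Test-Skew on a member server to see whether it is inside the Kerberos window; run Get-PhaseCorrectionLimits on each DC to confirm the 48-hour caps are in place, since that is what limits the damage if the external source misbehaves.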

Random Client-Side Kerberos issues with PerformancePoint Scorecards

After recently deploying PerformancePoint Scorecards within SharePoint, we noticed that some client computers (end users) could not connect to these scorecards. As an example, a filter on the scorecard would produce the error “No Selections available. Contact your system administrator for assistance. Contact the administrator for more details.” After this error appeared on the filter, the scorecard also continued to say “Updating…”.

While continuing to diagnose this issue, we noticed that certain computers could access the scorecards while others could not. In fact, we were able to determine that it wasn’t purely a user issue but a combination of a particular machine and a particular user. After doing some research on Kerberos, we noticed that some users did not have the “@domain.com” field populated in Active Directory. For whatever reason, this field was left blank for some users.

After populating this field, we made one other change, which affected how the machine connected to the network. We noticed that some workstations would not pass Kerberos tickets. It turned out that these machines were logging on with cached credentials, because the networking services had not initialized by the time the user logged on. We made a group policy change that forces the computer to wait for the networking services before authentication occurs.

After making these two changes, the scorecards that had been unavailable were accessible from any workstation by any user authorized to view them.
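As an added example (not from the post), the two checks behind the fix just described: find AD users with no user principal name (the “@domain.com” field), and confirm both that the “Always wait for the network at computer startup and logon” policy is in force on a workstation and that the current session actually holds Kerberos tickets rather than having fallen back to cached credentials. The UPN suffix is taken from the domain; the function names are mine.

```powershell
# Added example, not from the post. Needs the Active Directory module for the
# user queries; the policy and ticket checks run locally on a workstation.
Import-Module ActiveDirectory

function Get-UserWithoutUpn {
    # User objects whose userPrincipalName attribute is simply not set.
    Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(!(userPrincipalName=*)))' |
        Select-Object SamAccountName, DistinguishedName
}

function Set-MissingUpn {
    param([string]$Suffix = (Get-ADDomain).DNSRoot, [switch]$WhatIf)
    # Fill the gap with sAMAccountName@<domain>; run with -WhatIf first.
    foreach ($u in Get-UserWithoutUpn) {
        Set-ADUser -Identity $u.SamAccountName -UserPrincipalName "$($u.SamAccountName)@$Suffix" -WhatIf:$WhatIf
    }
}

function Test-WaitForNetworkPolicy {
    # "Always wait for the network at computer startup and logon"
    # (Computer Configuration > Administrative Templates > System > Logon)
    # is delivered as SyncForegroundPolicy = 1 under the Winlogon policy key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $v = (Get-ItemProperty -Path $key -Name SyncForegroundPolicy -ErrorAction SilentlyContinue).SyncForegroundPolicy
    $v -eq 1
}

function Test-KerberosTickets {
    # klist lists the current logon session's tickets. No krbtgt (TGT) entry means
    # the session was built from cached credentials and Kerberos never ran.
    $tickets = klist
    [bool]($tickets | Select-String -Pattern 'krbtgt/' -Quiet)
}

function Get-ScorecardClientDiagnosis {
    # One object per workstation/user pair: both must be $true for Kerberos to the
    # SharePoint front end to work the way the post describes.
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        User              = $env:USERNAME
        WaitForNetwork    = Test-WaitForNetworkPolicy
        HasKerberosTicket = Test-KerberosTickets
    }
}
```

Set-MissingUpn is the domain-side half of the fix; Get-ScorecardClientDiagnosis is what to run on a workstation that still shows the “Updating…” symptom after the UPNs are in place.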

Attach custom forms to a Content Type: Part 1

My wife owns baskets; many baskets: baskets of every size and shape for every imaginable purpose. The purpose of some is purely decorative, but others serve much more pragmatic purposes: a variety of small ones to hold jelly, candy, or candle jars; a large flat one to dump the mail and other unsorted pamphlets and papers, one to hold coins, another to hold knick knacks, four on the pantry hold sugar, flour, coffee beans, and some other unknown white substance; small ones for holding recipes and others for index cards, although I have no idea what the difference is. They adorn the cabinets, shelves, tables; every nook and cranny in the house: there is even a 55 gallon plastic trunk filled with baskets.

In SharePoint, our baskets are content types. Content types hold a variety of functionality and, like my wife’s baskets, come in many shapes and sizes and serve many purposes. Recently, I was reminded that content types can hold custom new and edit forms, so that the user gets the customized form when adding an item to a list that uses that content type. This reminder prompted me to put together a four-part series covering how to add such custom forms to a content type.

Project Setup and Content Type Feature

In this part of the series, I will walk through the procedure for creating a Visual Studio project and the content type that will act as the "basket" for our custom forms. Although I have recently started using the Visual Studio Extensions for WSS 1.2, I will do things the manual way in this series so that we may look at the nuts and bolts: although you merely wish to know the time, I will tell you how to build the watch.

The content type that I will create is one that will be useful for tracking character sheets for the world’s most popular role-playing game (as opposed to the world’s best role-playing game or the world’s coolest role-playing game). The goal is to include a new and edit form that can be styled to look like the character sheet used in the game rather than the default SharePoint table view of the fields.

Setup the Visual Studio Project

Begin by creating a Visual Studio Class Library project. Once it is open, you may either delete the Class1.cs file or rename it to one of the form’s code-behind classes. Next, create the TEMPLATE directory and the necessary subfolders to implement the content type as a feature in SharePoint. At this point I usually add the xml and aspx files to the appropriate folders, as well as the class files, but I have not yet added any code to them.

Create the Feature

After creating the framework for the content type feature, start by writing the feature definition in the Feature.xml file. The ID value is a GUID that has been stripped of its curly braces. The other information in the Feature file describes what will appear in the Site Settings area of the target SharePoint site. The Scope determines where in Site Settings you will find the feature: Web-scoped features are located in the Web features section, Site-scoped features in the Site Collection features section, and Farm-scoped features in Central Administration. Finally, the ElementManifest points to the xml file that defines the content type and site columns.

Create Content Type

Creating the content type is a straightforward process, with the exception of the ID field, which I have written about in a previous post. In this example, I am creating the custom site columns in the same xml file as the content type. In the past, I have implemented custom site columns in their own features. Regardless of the approach, the content type’s FieldRefs section needs the IDs and names of any site columns that it will use.

One interesting thing that I am doing with this content type is renaming the built-in Title site column. This is the field in the list that usually carries the hyperlink to the details page. In this case, I want to use the Title field, but I want it to show the caption "character name" rather than "title." Therefore, I add the Title FieldRef and set its DisplayName attribute.
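As an added example (these are not the author’s project files), here is a PowerShell script that writes out a Feature.xml and Elements.xml of the shape the walkthrough describes and then checks the points it calls out: a bare GUID for the feature ID, a valid Scope, a content type ID built on the Item parent, and the Title FieldRef relabelled through DisplayName. The GUIDs, names and folder path are constructed for this example; the Title field ID is SharePoint’s built-in one. The XML is the part that matters; PowerShell only generates and validates it.

```powershell
# Added example, not the author's project files. GUIDs, names and the output path
# are constructed; {fa564e0f-0c70-4ab9-b863-0177e6ddd247} is SharePoint's built-in Title column.

$FeatureId    = [guid]::NewGuid().ToString()            # Feature.xml wants NO curly braces
$ColumnId     = [guid]::NewGuid()                       # a custom site column
$TitleFieldId = '{fa564e0f-0c70-4ab9-b863-0177e6ddd247}'
# Content type ID convention: parent Item (0x0100) + "00" + a GUID without braces or hyphens
$ContentTypeId = '0x010000' + [guid]::NewGuid().ToString('N').ToUpper()

$FeatureXml = @"
<?xml version="1.0" encoding="utf-8"?>
<Feature xmlns="http://schemas.microsoft.com/sharepoint/"
         Id="$FeatureId"
         Title="Character Sheet Content Type"
         Description="Content type whose new and edit forms look like a character sheet"
         Scope="Site">
  <ElementManifests>
    <ElementManifest Location="CharacterSheet\Elements.xml" />
  </ElementManifests>
</Feature>
"@

$ElementsXml = @"
<?xml version="1.0" encoding="utf-8"?>
<Elements xmlns="http://schemas.microsoft.com/sharepoint/">
  <Field ID="{$ColumnId}" Name="CharacterClass" DisplayName="Class"
         Type="Text" Group="Character Sheet Columns" />
  <ContentType ID="$ContentTypeId" Name="Character Sheet"
               Group="Character Sheet Content Types"
               Description="Tracks a character sheet" Version="0">
    <FieldRefs>
      <!-- Reuse the built-in Title column but relabel it, as the post describes -->
      <FieldRef ID="$TitleFieldId" Name="Title" DisplayName="Character Name" Required="TRUE" />
      <FieldRef ID="{$ColumnId}" Name="CharacterClass" />
    </FieldRefs>
  </ContentType>
</Elements>
"@

function Test-FeatureDefinition([string]$featureXml, [string]$elementsXml) {
    # Catch the mistakes the walkthrough warns about before deploying the feature.
    $f = [xml]$featureXml
    $e = [xml]$elementsXml
    $definedFieldIds = @($e.Elements.Field | ForEach-Object { $_.ID })
    $knownFieldIds   = $definedFieldIds + $TitleFieldId
    $refs            = @($e.Elements.ContentType.FieldRefs.FieldRef)
    [pscustomobject]@{
        FeatureIdIsBareGuid  = $f.Feature.Id -match '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
        ScopeIsValid         = @('Web', 'Site', 'WebApplication', 'Farm') -contains $f.Feature.Scope
        ContentTypeIdIsValid = $e.Elements.ContentType.ID -match '^0x010000[0-9A-F]{32}$'
        AllFieldRefsResolve  = @($refs | Where-Object { $knownFieldIds -notcontains $_.ID }).Count -eq 0
        TitleIsRelabelled    = @($refs | Where-Object { $_.Name -eq 'Title' -and $_.DisplayName }).Count -eq 1
    }
}

# Write the files into the same TEMPLATE\FEATURES\<name> layout the project uses
$FeatureFolder = Join-Path (Get-Location) 'TEMPLATE\FEATURES\CharacterSheet'
New-Item -ItemType Directory -Path $FeatureFolder -Force | Out-Null
Set-Content -Path (Join-Path $FeatureFolder 'Feature.xml')  -Value $FeatureXml  -Encoding UTF8
Set-Content -Path (Join-Path $FeatureFolder 'Elements.xml') -Value $ElementsXml -Encoding UTF8

Test-FeatureDefinition $FeatureXml $ElementsXml
```

Every property returned by Test-FeatureDefinition should be True; a False on AllFieldRefsResolve is the usual cause of a content type that deploys but shows a broken column, since a FieldRef must name a site column that already exists.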

In Part II

In the next article, I will discuss how to create the custom pages that we are including in our content type.

EndNote

Recently, Safari Bookshelf added Scott Hillier’s WSS and MOSS Development video to their library. After watching this series, I modified my implementation of this technique to match Scott Hillier’s technique. I highly recommend this video for two reasons; first it offers a more in depth analysis of this topic and is on video; second, the series comes with some utilities and shortcuts that are more than worth the price of the videos.

More detail on adding custom information to content types is also available at the MSDN library. This section of the MSDN library provides detailed technical information about the FormTemplates and FormUrls sections utilized in the content type definition.