Channel: The things that are better left unspoken

On-premises Microsoft Identity-related updates and fixes for July 2019


Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates. These are the updates and fixes we saw for July 2019:

                   

Windows Server 2016

We observed the following updates for Windows Server 2016:

KB4507459 July 16, 2019

The July 16, 2019 update for Windows Server 2016 (KB4507459) updating the OS Build number to 14393.3115 includes the following Identity-related fixes:

  • It addresses an issue that may prevent the Netlogon service from establishing a secure channel and reports the error, “0xC000007A – ERROR_PROC_NOT_FOUND.”
  • It addresses an issue that may prevent some applications from running as expected on clients of Active Directory Federation Services 2016 (AD FS 2016) after installing KB4493473 on the server. Applications that may exhibit this behavior use an IFRAME during non-interactive authentication requests and receive X-Frame Options set to DENY.
  • It addresses an issue that prevents Microsoft Application Virtualization (App-V) scripting from working if you run it when you’re not connected to a domain controller (DC). App-V scripting also fails when you run it in an environment that only contains Microsoft Azure Active Directory.

Unfortunately, it also introduces a known issue:

  • Devices connected to a domain that is configured to use MIT Kerberos realms may not start up or may continue to restart after installation of this update. Devices that are domain controllers or domain members are both affected.

KB4507460 July 9, 2019

The July 9, 2019 update for Windows Server 2016 (KB4507460) updating the OS Build number to 14393.3085 provides protections against a variant (CVE-2019-1125) of the Spectre Variant 1 speculative execution side channel vulnerability, along with other security updates.

           

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB4505658 July 22, 2019

The July 22, 2019 update for Windows Server 2019 (KB4505658) updating the OS Build number to 17763.652 includes the following Identity-related fixes:

  • It addresses an issue that prevents the Windows Event Log service from processing notifications that the log is full. This causes issues with some Event Log behaviors such as archiving the log when it reaches a maximum file size and you’ve configured the “Archive the log when full, do not overwrite events” setting. Additionally, the Local Security Authority (LSA) cannot handle CrashOnAuditFail scenarios when the Security Log is full, and events cannot be written.
  • It addresses an issue that prevents a system from recognizing a Microsoft account or Azure Active Directory account until the user signs out and signs in again.
  • It addresses an issue that may prevent the Netlogon service from establishing a secure channel and reports the error, “0xC000007A – ERROR_PROC_NOT_FOUND.”
  • It addresses an issue that may cause authentication to fail when using Windows Hello for Business on a server running Windows Server 2016 with the Server Core option installed.
  • It addresses an issue that doesn’t update the personal identification number (PIN) policy (minimum length, required digits, special characters, and so on) for Windows Hello for Business when a PIN already exists on the machine.
  • It reinforces the Certificate Revocation List (CRL) on Internet Key Exchange version 2 (IKEv2) machines for certificate-based virtual private network (VPN) connections, such as Device Tunnel, in an Always On VPN deployment.
  • It addresses an issue that prevents Microsoft Application Virtualization (App-V) scripting from working if you run it when you’re not connected to a domain controller (DC). App-V scripting also fails when you run it in an environment that only contains Microsoft Azure Active Directory.
  • It addresses an issue that exhausts User Datagram Protocol (UDP) ports on several hundred machines in a forest when there is very high Domain Controller Locator traffic. As a result, servers stop responding.

KB4507469 July 9, 2019

The July 9, 2019 update for Windows Server 2019 (KB4507469) updating the OS Build number to 17763.615 provides protections against a variant (CVE-2019-1125) of the Spectre Variant 1 speculative execution side channel vulnerability, along with other security updates.

The post On-premises Microsoft Identity-related updates and fixes for July 2019 appeared first on The things that are better left unspoken.


I’m co-presenting at WAZUG NL 60


Speaking at User Groups (picture by Rick van den Bosch)

On Thursday evening October 3rd, 2019, I’ll deliver a 55-minute presentation together with Raymond Comvalius for the Dutch Windows Azure User Group (WAZUG) on Password-less authentication.

          

About WAZUG.nl

The Dutch Windows Azure User Group (WAZUG) was founded in 2010 by a group of enthusiasts to inform and inspire developers, architects and consultants for Microsoft’s cloud application platform: Azure.

WAZUG organizes events roughly every month. They invite speakers to talk about technology, but also about reference cases. It’s also an ideal way to meet like-minded people and network. Meetings, food and drinks are always free to attendees.

WAZUG, these days, is run by Iwan Bel, Erwyn van der Meer, Edward Bakker and Steef-Jan Wiggers.

                    

About WAZUG.nl 60

Meeting 60 is organized with the help of Ordina, a Dutch IT services provider offering managed ICT services, IT solutions and software engineering. They invited us over to their headquarters in Nieuwegein, the Netherlands.

In contrast to earlier WAZUG.nl meetings, WAZUG.nl 60 has an IT Pro focus.

The evening kicks off at 6PM with dinner. After a short welcoming ceremony, Raymond and I will present for 55 minutes. After a short break, a second session is presented. After the second session, there’s room and time for drinks up until 9:15PM.

              

About our presentation

Between 6:35PM and 7:30PM, we’ll deliver a 55-minute session on Password-less:

Password-less; day-to-day passwords be gone!

Microsoft’s marketing machine is abuzz to promote the latest and greatest for identity and access management: Password-less.

Raymond and I will show the ins and outs of Windows Hello for Business, Single Sign-on, Azure Active Directory and FIDO2. By leveraging these technologies, we can protect end-users from the troubles surrounding leaked, cracked, phished and eavesdropped credentials.

Looking under the hood, we make clear how password-less answers the question on how to deal with day-to-day passwords and finally brings light to the long dark tunnel we’ve stepped into when we embraced passwords in the mainframe-era.

        

Join us!

Join us for free.
If you haven’t yet, sign up to the Dutch Windows Azure User Group using a Microsoft account, and then register for this WAZUG event.


HOWTO: Handle Windows Activation on non-domain-joined Web Application Proxies


Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll look at best practices to handle Windows activation on non-domain-joined Web Application Proxy servers.

Note:
This blogpost assumes you’re running Web Application Proxies as non-domain-joined Server Core Windows Server 2016 installations.

If your Web Application Proxy servers are domain-joined, you can use Active Directory-based activation to take care of Windows activation. However, this option can’t be used for Web Application Proxy servers that are non-domain-joined and/or placed on a perimeter network (also commonly referred to as a DMZ network).

 

Why look at Windows Activation for Web Application Proxies

Hybrid Identity deployments are often long and costly implementations. As they are built using on-premises systems, they are intended to provide the functionality for the full duration of the economic lifetime of these systems (4-5 years).

Having activated Windows Server installations throughout the Hybrid Identity implementation is important.

Possible negative impact (What could go wrong?)

When Windows Server is not properly activated, recurring notifications will be shown.

Technically, functionality will not be reduced on non-activated Windows Servers, when installed with Volume License (VL) installation media. Windows Server 2016 will reboot every hour, disable certain services and show EventID 5074 on installations performed with Evaluation media.

More importantly, non-activated servers typically point to a rather casual attitude towards licensing. From a business continuity perspective it makes sense to strictly adhere to the product use rights. Through audits, license non-compliance might be discovered and measures may be taken, and not just financial ones.

 

Four solutions for Windows Activation

There are four solutions to activate non-domain-joined Web Application Proxies:

  1. Activate using KMS Hosts
  2. Activate using Host-based Activation (for Hyper-V virtual machines only)
  3. Activate using MAK and an Internet connection
  4. Activate using MAK and the phone

 

How to do it

To activate non-domain-joined Web Application Proxy servers, perform these actions, per scenario:

Activate using KMS Hosts

Note:
This method will not work with Web Application Proxies that are installed using retail media.

Key Management Services (KMS) is a way to manage Windows Activation centrally for a networking infrastructure. Windows Server 2016 is the first released Windows Server product in a long time whose Volume License (VL) installations are not configured with a KMS client key by default (as opposed to Windows Server 2008, 2008 R2, 2012 and 2012 R2). Therefore, in the KMS scenario, the following requirements need to be met:

  1. A working KMS host
  2. Ideally: DNS-based name resolution for each of the Web Application Proxies to locate KMS.
  3. Network connectivity from each of the Web Application Proxies to the KMS host
  4. A KMS-based Volume License activation key (GVLK) entered as the product key in each Web Application Proxy, followed by the activation command.

If you haven’t already configured a KMS host, see the Microsoft documentation on Deploy KMS Activation for the steps to set up one or more of these servers.

Note:
KMS Hosts running Windows Server 2008 R2, or earlier versions of Windows Server cannot be used as KMS hosts to activate Windows Server 2016 and beyond.

By default, KMS clients use DNS SRV records to locate KMS hosts. Multiple SRV records allow for high availability of the KMS functionality. However, one specific KMS host can be assigned to a Web Application Proxy using the following command line:

slmgr.vbs /skms KMSHostOrIPAddress:1688

If using an IPv6 address to denote the KMS host, specify the address using square brackets. TCP 1688 is used by default for KMS hosts, but this port can be changed.

To test discovery of KMS hosts through DNS on Web Application Proxies, use the following line of Windows PowerShell on each of the Web Application Proxies:

Resolve-DnsName -Name _vlmcs._tcp -Type SRV -DNSonly

Note:
The Resolve-DnsName cmdlet will return a maximum of 25 records from DNS servers.

To test network connectivity between the Web Application Proxy and the KMS Host, perform the following line of Windows PowerShell on each of the Web Application Proxies:

Test-NetConnection -ComputerName KMSHostOrIPAddress -Port 1688

Activate each Web Application Proxy, by running the following two command lines on each server:

slmgr.vbs /ipk <PRODU-CTKEY-4WIND-NWSSE-RVERS>

slmgr.vbs /ato

Change the above product key for the specific product license key for the Operating System SKU that was used to install the Web Application Proxy servers. It differs between Standard Edition and Datacenter Edition. All GVLKs can be found in the Microsoft Documentation on KMS client setup keys.

Alternatively, KMS GVLKs can be configured centrally and Web Application Proxy servers can be activated centrally using the Volume Activation Management Tool (VAMT).

 

Activate using Host-based Activation (for Hyper-V virtual machines only)

Note:
This method will not work with Web Application Proxies that are installed using retail media.

When your Web Application Proxy hosts run as virtual machines on top of Hyper-V, you can take advantage of the Automatic Virtual Machine Activation (AVMA) feature.

To use this feature, the Hyper-V hosts that run the virtualized Web Application Proxies need to:

  1. Run Windows Server 2012 R2, or up
  2. Run the Datacenter Edition of Windows Server
  3. Be properly activated themselves

When you meet these requirements, every virtual machine deployed to these Hyper-V hosts is activated automatically when it is configured with the Windows Server 2016 GVLK. When you use volume license media to install the Windows Server 2016-based Web Application Proxies, no additional action is required.

 

Activate using MAK and an Internet connection

Another Volume License activation method for Windows Server 2016 is to use Multiple Activation Keys (MAKs). The default activation method for MAKs is over the Internet to Microsoft’s datacenters.

This activation method requires access to the Internet addresses mentioned in Microsoft KnowledgeBase article 921471 to avoid error 0x8004FE33.

Activate each Web Application Proxy, by running the following two command lines on each server to enter the MAK:

slmgr.vbs /ipk <PRODU-CTKEY-4WIND-NWSSE-RVERS>

slmgr.vbs /ato

Alternatively, MAKs can be configured centrally and Web Application Proxy servers can be activated centrally using the Volume Activation Management Tool (VAMT). When VAMT is used for MAK Proxy Activation, only the device running VAMT needs an Internet connection.

 

Activate using MAK and the phone

When an Internet connection is out of the question on the perimeter network, phone activation is still available.

Obtain the Windows Server installation ID, using the following command line:

slmgr.vbs /dti

Write it down.

Run the following command line on the Web Application Proxy to show phone number information:

notepad.exe C:\Windows\system32\SPPUI\Phone.inf

Phone.inf in Notepad on Server Core installations of Windows Server 2016

Write down the nearest or most convenient number from the document.

Close the Notepad window.

Call the phone number and follow the prompts to obtain the confirmation ID.

Apply the confirmation ID (without the hyphens) using the following command line:

slmgr.vbs /atp VeryLongStringThatRepresentsTheConfirmationID

                          

Testing proper activation

Check proper activation using the following command line:

slmgr.vbs /dlv
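As an added example (not code from the original post), the KMS steps above and the activation check combined into one PowerShell script that can be run on each non-domain-joined Web Application Proxy. The product key placeholder, the KMS host name and port, and the presence of a DNS suffix search list (so that the unqualified _vlmcs._tcp lookup resolves) are assumptions; the -Mak switch covers the MAK-over-Internet scenario by skipping the KMS-specific steps.

```powershell
# Added example, not from the original post: check KMS discovery and reachability from a
# non-domain-joined Server Core Web Application Proxy, then activate and verify.
# Assumptions: the placeholder key is replaced with the GVLK for the installed SKU (or a
# MAK when -Mak is used) and a DNS suffix search list is configured; otherwise pass -KmsHost.
param(
    [string]$ProductKey = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX', # placeholder GVLK (or MAK with -Mak)
    [string]$KmsHost    = '',                              # empty: rely on DNS SRV discovery
    [int]   $KmsPort    = 1688,                            # KMS default; change if your host differs
    [switch]$Mak                                           # MAK over the Internet: skip KMS steps
)
$ErrorActionPreference = 'Stop'
$slmgr = Join-Path $env:SystemRoot 'System32\slmgr.vbs'

function Invoke-Slmgr {
    # Server Core has no windowed script host, so run slmgr.vbs under cscript explicitly.
    param([string[]]$Arguments)
    & cscript.exe //Nologo $slmgr $Arguments
    if ($LASTEXITCODE -ne 0) { throw "slmgr.vbs $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

if (-not $Mak) {
    # 1. Discovery: which KMS hosts does DNS advertise in _vlmcs._tcp SRV records?
    $srv = @()
    try {
        $srv = @(Resolve-DnsName -Name '_vlmcs._tcp' -Type SRV -DnsOnly |
                 Where-Object { $_.Type -eq 'SRV' } | Sort-Object Priority, Weight)
    } catch {
        Write-Warning "No _vlmcs._tcp SRV records found: $($_.Exception.Message)"
    }
    foreach ($r in $srv) { Write-Host ('KMS host via DNS: {0}:{1} (priority {2})' -f $r.NameTarget, $r.Port, $r.Priority) }

    if (-not $KmsHost) {
        if (-not $srv) { throw 'No KMS host given and none discoverable; rerun with -KmsHost (slmgr.vbs /skms).' }
        $KmsHost = $srv[0].NameTarget
        $KmsPort = $srv[0].Port
    }

    # 2. Connectivity: the perimeter firewall must allow TCP from this proxy to the KMS host and port.
    $tnc = Test-NetConnection -ComputerName $KmsHost -Port $KmsPort -WarningAction SilentlyContinue
    if (-not $tnc.TcpTestSucceeded) {
        throw "TCP ${KmsHost}:${KmsPort} is unreachable; fix firewall rules before activating."
    }

    # 3. Pin the KMS host only when it was given explicitly; DNS discovery is otherwise preferred
    #    because multiple SRV records give the KMS function high availability.
    if ($PSBoundParameters.ContainsKey('KmsHost')) { Invoke-Slmgr @('/skms', "${KmsHost}:${KmsPort}") }
}

# 4. Install the product key (GVLK for KMS, MAK for Internet activation) and activate.
Invoke-Slmgr @('/ipk', $ProductKey)
Invoke-Slmgr @('/ato')

# 5. Verify through the licensing WMI class instead of eyeballing slmgr.vbs /dlv output.
#    The ApplicationID is the well-known GUID for the Windows product; LicenseStatus 1 = Licensed.
$statusName = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOB grace'; 3 = 'OOT grace'
                 4 = 'Non-genuine grace'; 5 = 'Notification'; 6 = 'Extended grace' }
$windows = Get-CimInstance -ClassName SoftwareLicensingProduct |
           Where-Object { $_.PartialProductKey -and $_.ApplicationID -eq '55c92734-d682-4d71-983e-d6ec3f16059f' }
foreach ($p in $windows) {
    '{0}: {1}, KMS host "{2}", grace minutes left {3}' -f $p.Name, $statusName[[int]$p.LicenseStatus],
        $p.KeyManagementServiceMachine, $p.GracePeriodRemaining
}
if (@($windows | Where-Object { $_.LicenseStatus -ne 1 }).Count -gt 0) {
    Write-Warning 'Windows is not in the Licensed state; review the output above.'
    exit 1
}
```

A non-zero exit code makes the script usable from a deployment pipeline that should refuse to put a Web Application Proxy into service while it is still in a grace or notification state.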

            

Concluding

Make sure Web Application Proxies remain functional beyond the default trial period, by activating their Windows Server installations.

Further reading

Product Activation Changes and Impacts on Windows Server 2008
Windows 2016 Server mysterious shutdown issues
KMS client setup keys
Windows activation or validation fails with error code 0x8004FE33
KMS and MAK Activation Scenarios for Volume Activation
Windows Server 2016 Volume Activation Tips
Activating Windows Server 2016


On-premises Microsoft Identity-related updates and fixes for August 2019


Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates. These are the updates and fixes we saw for August 2019:

                    

Windows Server 2016

We observed the following updates for Windows Server 2016:

KB4512495 August 17, 2019

The August 17, 2019 update for Windows Server 2016 (KB4512495) updating the OS Build number to 14393.3181 includes the following Identity-related fixes:

  • It addresses an issue that prevents some users from receiving a TTL value when they are added as members of Shadow Principals. This occurs for users who have distinguished names (DN) that contain an escape character. The TTL value is now added as expected.
  • It addresses an issue that may break the domain trust when the Recycle Bin is configured on the domain that carries the trust.

KB4512517 August 13, 2019

The August 13, 2019 update for Windows Server 2016 (KB4512517) updating the OS Build number to 14393.3144 plugs RDP vulnerabilities that are rated ‘Critical’. It includes the following Identity-related fixes:

  • It addresses an issue that may prevent devices from starting up or cause them to continue restarting if they are connected to a domain that is configured to use MIT Kerberos realms. Domain controllers and domain members are both affected.

This is the issue that was introduced with KB4507459, dated July 16, 2019.

               

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB4512534 August 17, 2019

The August 17, 2019 non-security update for Windows Server 2019 (KB4512534) updating the OS Build number to 17763.720 includes the following Identity-related fixes:

  • It addresses an issue that causes a workstation to stop working when you sign in using an updated user principal name (UPN) (for example, changing UserN@contoso.com to User.Name@contoso.com).
  • It addresses an issue that prevents some users from receiving a TTL value when they are added as members of Shadow Principals. This occurs for users who have distinguished names (DN) that contain an escape character. The TTL value is now added as expected.
  • It addresses an issue that may break the domain trust when the Recycle Bin is configured on the domain that carries the trust.

KB4511553 August 13, 2019

The August 13, 2019 update for Windows Server 2019 (KB4511553) updating the OS Build number to 17763.638 plugs RDP vulnerabilities that are rated ‘Critical’. It includes the following Identity-related fixes:

  • It addresses an issue that may prevent devices from starting up or cause them to continue restarting if they are connected to a domain that is configured to use MIT Kerberos realms. Domain controllers and domain members are both affected.


Domain Controller Cloning on VMware vSphere


Virtualizing Domain Controllers

After detailing Active Directory Virtualization Safeguards with VM-GenerationID in part 5 of this series on Virtualizing Domain Controllers on vSphere, it’s time to talk about the second Active Directory Domain Services feature that is enabled through the VM-GenerationID technology: Domain Controller cloning.

 

About Domain Controller cloning

Microsoft recommends not re-using Domain Controllers for other roles. When sticking with this recommended practice, Domain Controllers running the same Windows Server version in your environment are 99% identical.

In many large organizations, however, deploying an additional Domain Controller, even a virtual one, is a change that might span weeks. After the initial installation and promotion, multiple agents and additional software need to be installed and tweaks need to be applied to make it a full family member of the Domain Controllers OU.

By leveraging the values for the VM-GenerationID in vRAM and in the Active Directory database (not replicated), a Domain Controller can see when its virtual hard disk is being re-used for another Domain Controller.

When the essential files for Domain Controller cloning have been prepared, they instruct the virtual Domain Controller to clone itself. Only the situation in which you want a Domain Controller to clone leads to cloning; all other situations lead to booting into Directory Services Restore Mode (DSRM).

Domain Controller cloning enables fast, safer Domain Controller provisioning through clone operations. These operations include regular VM cloning and manual VMDK copy operations.

Note:
VMware Converter’s Hot cloning feature is not supported with Domain Controller cloning. The overlap in the name ‘cloning’ is purely coincidental.

Situations where Domain Controller cloning isn’t beneficial

There are a couple of situations where Domain Controller Cloning isn’t beneficial:

  • When you want to promote a Domain Controller in a remote location with limited bandwidth. When the remote location features a virtualization host and a VM template for the desired Windows Server version, it’s more beneficial to perform an Install from Media (IfM) installation. This is especially true when copying over the virtual hard disk of a cloneable Domain Controller might take longer to transfer than 60 days (the pre-Windows Server 2003 SP1 tombstone lifetime period).
  • When the agents and the software you install on Domain Controllers to make them fully functional aren’t cloneable and, thus, break Domain Controller cloning.

 

Requirements

The list of requirements to allow Domain Controller cloning starts with the requirements for VM-GenerationID, as shared earlier:

  1. VMware vSphere needs to run version 5.0 update 2, or up.
  2. VMware tools need to be installed and running on virtual Domain Controllers, ideally with a version that matches the VMware vSphere version.
  3. The virtual Domain Controller needs to run Windows Server 2012, or up.
  4. The Virtual Machine hardware version needs to be version 7, or up.

On top of these requirements, Domain Controller cloning adds additional requirements:

  • At least one Windows Server 2012-based Domain Controller (or a newer version of Windows Server) needs to be configured to host the Primary Domain Controller emulator (PDCe) Flexible Single Master Operations (FSMO) role. This change should be replicated to all Domain Controllers in affected Active Directory sites.
  • The Domain Controller holding the RID Master FSMO role needs to be available during the cloning process.
  • DNS needs to be available during the cloning process.
  • The reference Domain Controller cannot be a Read-only Domain Controller.
  • The reference Domain Controller needs to be a member of the Cloneable Domain Controllers security group in Active Directory or needs to be granted the DS-Clone-Domain-Controller extended right.
  • The reference Domain Controller cannot be assigned Managed Service Accounts (MSAs), unless these accounts are group Managed Service Accounts (gMSAs).
  • A CustomDCCloneAllowList.xml and a DCCloneConfig.xml file need to be available to the cloned Domain Controller in the root of a removable drive or in the folder of the Active Directory database (by default: C:\Windows\NTDS).
  • Applications that are incompatible with cloning should be uninstalled or added to CustomDCCloneAllowList.xml.

To be able to clone a Virtual Machine in vSphere, you must have the following privileges within the vSphere infrastructure:

  • Virtual machine.Provisioning.Clone virtual machine permissions on the virtual machine you are cloning.
  • Virtual machine.Inventory.Create from existing permissions on the datacenter or virtual machine folder.
  • Virtual machine.Configuration.Add new disk permissions on the datacenter or virtual machine folder.
  • Resource.Assign virtual machine to resource pool permissions on the destination host, cluster, or resource pool.
  • Datastore.Allocate space permissions on the destination datastore or datastore folder.
  • Network.Assign network permissions on the network to which the virtual machine will be assigned.
  • Virtual machine.Provisioning.Read customization specifications permissions on the root vCenter Server if you are customizing the guest operating system.

 

Recommended practices

Having performed Domain Controller cloning in large environments and in many demos, I recommend adhering to these practices:

  • Leave the Cloneable Domain Controllers security group in Active Directory empty in between clone operations.
  • Inventory and validate all software and agents, services and applications on the reference Domain Controller before cloning.

Note:
VMware Tools is validated and works with Domain Controller cloning.

  • Always shut down the reference Domain Controller prior to cloning.
  • Ensure that the reference Domain Controller holds no Flexible Single Master Operations (FSMO) role.

When creating many clones from one reference Domain Controller, please:

  • Don’t use -CloneComputerName or -Static -IPv4Address when generating the DCCloneConfig.xml file, as this results in clones with the same hostname and/or IPv4 address.
  • Ensure that the Dynamic Host Configuration Protocol (DHCP) service is functional in the infrastructure. The information specified in DCCloneConfig.xml should be unique. Domain Controller Cloning will halt when a duplicate or invalid computer name is specified, when an IP address conflict is detected, when IP and DNS information is left out and there is no DHCP Server on the network, when only one WINS Server address is specified, or when a typo is made in the Active Directory site name.
  • Don’t turn on the reference Domain Controller until all mass cloning operations have finished. Alternatively, convert the first clone to a template and deploy new Domain Controllers from this template, but remember that this template is only reusable for the duration of the Tombstone Lifetime.

 

How to clone a Domain Controller on vSphere

Perform these steps to clone a reference Domain Controller that is running as a virtual machine on VMware vSphere, resulting in a cloned Domain Controller, also running as a virtual machine on VMware vSphere:

1. Add the reference Domain Controller to the Cloneable Domain Controllers group

To add the reference Domain Controller to the Cloneable Domain Controllers security group, use the following PowerShell one-liner:

Add-ADGroupMember -Identity "Cloneable Domain Controllers" -Members "cn=dc01,ou=Domain Controllers,dc=domain,dc=tld"

Note:
You can run the above command on the reference Domain Controller when signed in, from another Domain Controller, or from any domain-joined device with the Active Directory Module for Windows PowerShell installed that you’re signed into with credentials that allow management of the security group. In the latter two cases, make sure the change has replicated to the Domain Controllers holding the PDCe and RID Master FSMO roles and to the reference Domain Controller.

2. Resolve Service Principal Name (SPN) issues

Run Get-ADServiceAccount on the reference Domain Controller to get the list of Service Principal Names in use. To remove the service accounts automatically, use the following PowerShell one-liner:

Get-ADServiceAccount -Filter "*" | Remove-ADServiceAccount

3. Resolve problems with non-cloneable applications, agents and services

You would typically run the Get-ADDCCloningExcludedApplicationList PowerShell Cmdlet to get a list of the programs and services blocking successful Domain Controller Cloning. The following PowerShell one-liner can be used to automatically create the CustomDCCloneAllowList.xml file in C:\Windows\NTDS:

Get-ADDCCloningExcludedApplicationList -GenerateXml -Path C:\Windows\NTDS -Force

4. Create the DCCloneConfig file

At this stage, run the New-ADDCCloningConfigFile PowerShell Cmdlet. You do not need to specify any parameters if you don’t want to.

When you don’t add any parameters, this Cmdlet will create the cleanest of DCCloneConfig.xml files in the Active Directory database path. This specific file will use the following Domain Controller Cloning configuration:

  • The target Domain Controller will be assigned IP-addresses through DHCP.
  • The target Domain Controller name will be automatically generated.
  • The target Domain Controller will be assigned the same Active Directory site as the reference Domain Controller.

If you want to specify a host name, Active Directory site or IP addressing information, a sample PowerShell one-liner would look like:

New-ADDCCloneConfigFile -CloneComputerName "DC02" -SiteName "ADSite01" -Static -IPv4Address "10.0.1.2" -IPv4SubnetMask "255.255.255.0" -IPv4DefaultGateway "10.0.1.1" -IPv4DNSResolver "10.0.0.2"

5. Shut down the reference Domain Controller

Now, shut down the Domain Controller, from within Windows Server. For instance, with the following PowerShell one-liner:

Stop-Computer

6. Clone the reference Domain Controller from vCenter

Perform these steps to clone the reference Domain Controller:

  • Open and log into the VMware vSphere Client or vSphere Web Client.
  • Locate the virtual machine you wish to clone in the inventory.
  • Right-click the virtual machine and select Clone and then Clone to Virtual Machine from the context menu.
  • On the Select a name and folder page, enter a unique name for the clone Domain Controller and select a deployment location.
  • Click Next.
  • On the Select a compute resource page, select the host, cluster, resource pool, or vApp where the clone Domain Controller will run.
  • Click Next.
  • On the Select storage page, select the datastore or datastore cluster in which to store the template configuration files and all of the virtual disks.
  • Click Next.
  • On the Select deploy options page, do not select additional customization options for the clone Domain Controller.
  • On the Ready to complete page, review the virtual machine settings and click Finish.

After the clone operation succeeds, the clone Domain Controller appears in the inventory. Start it.

Start the reference Domain Controller when cloning completes, or keep it as a template Domain Controller for a period no longer than the Active Directory Tombstone Lifetime.
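As an added example (not code from the original post), the requirements and steps 1 through 4 above folded into one PowerShell script that is run on the reference Domain Controller. It assumes the ActiveDirectory module and the cloning cmdlets (Windows Server 2012 and up) are available locally; -CloneComputerName and -SiteName are optional, so when they are left out the generated DCCloneConfig.xml leaves naming to automatic generation and IP addressing to DHCP, as described in step 4.

```powershell
# Added example, not from the original post: a pre-clone check-and-prepare script run on the
# reference Domain Controller. Without -Prepare it only reports; with -Prepare it performs steps
# 1, 3 and 4 of the procedure. Assumes the ActiveDirectory module and cloning cmdlets are local.
param(
    [string]$CloneComputerName,   # optional; omitted = automatically generated name
    [string]$SiteName,            # optional; omitted = same site as the reference DC
    [switch]$Prepare
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

$refDc    = Get-ADDomainController -Identity $env:COMPUTERNAME
$domain   = Get-ADDomain
$blocking = New-Object System.Collections.Generic.List[string]  # cloning would halt or boot into DSRM
$advisory = New-Object System.Collections.Generic.List[string]  # recommended practice or handled below

# Requirement: the PDCe must run Windows Server 2012 or up (NT version 6.2 or higher).
$pdce        = Get-ADDomainController -Identity $domain.PDCEmulator
$pdceVersion = [version]($pdce.OperatingSystemVersion -replace '\s.*$')   # "10.0 (14393)" -> 10.0
if ($pdceVersion -lt [version]'6.2') {
    $blocking.Add("PDCe $($pdce.HostName) runs $($pdce.OperatingSystem); Windows Server 2012 or up is required")
}

# Requirement: RID Master (and DNS, implicitly) reachable; an LDAP bind to it tests both.
try   { $null = Get-ADDomain -Server $domain.RIDMaster }
catch { $blocking.Add("RID Master $($domain.RIDMaster) is not reachable: $($_.Exception.Message)") }

# Requirement: the reference DC is not an RODC. Recommended practice: it holds no FSMO role.
if ($refDc.IsReadOnly) { $blocking.Add('The reference Domain Controller is a Read-only Domain Controller') }
if ($refDc.OperationMasterRoles.Count -gt 0) {
    $advisory.Add("Reference DC holds FSMO role(s): $($refDc.OperationMasterRoles -join ', ')")
}

# Requirement: no standalone MSAs assigned (gMSAs, objectClass msDS-GroupManagedServiceAccount, are fine).
Get-ADComputerServiceAccount -Identity $refDc.ComputerObjectDN |
    Where-Object { $_.ObjectClass -eq 'msDS-ManagedServiceAccount' } |
    ForEach-Object { $blocking.Add("Standalone MSA assigned to this DC: $($_.Name)") }

# Requirement: software not known to be clone-safe is uninstalled or allow-listed (step 3 below).
$excluded = @(Get-ADDCCloningExcludedApplicationList)
foreach ($app in $excluded) { $advisory.Add("Will be allow-listed in CustomDCCloneAllowList.xml: $($app.Name) ($($app.Type))") }

$blocking | ForEach-Object { Write-Warning "BLOCKING: $_" }
$advisory | ForEach-Object { Write-Warning "REVIEW:   $_" }
if (-not $Prepare) { return }
if ($blocking.Count -gt 0) { throw 'Resolve the blocking issues listed above before cloning.' }

# Step 1: grant the clone right through group membership, written on this DC and then replicated
# to the PDCe and RID Master so the clone's membership check succeeds right after first boot.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members $refDc.ComputerObjectDN -Server $refDc.HostName
$groupDn = (Get-ADGroup -Identity 'Cloneable Domain Controllers' -Server $refDc.HostName).DistinguishedName
foreach ($target in @($domain.PDCEmulator, $domain.RIDMaster) | Select-Object -Unique) {
    if ($target -ne $refDc.HostName) { Sync-ADObject -Object $groupDn -Source $refDc.HostName -Destination $target }
}

# Steps 3 and 4: both XML files go next to the database (path taken from the NTDS service parameters).
$ntdsDir = Split-Path -Parent (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
if ($excluded.Count -gt 0) { Get-ADDCCloningExcludedApplicationList -GenerateXml -Path $ntdsDir -Force }
$cfg = @{ Path = $ntdsDir }
if ($CloneComputerName) { $cfg['CloneComputerName'] = $CloneComputerName }
if ($SiteName)          { $cfg['SiteName']          = $SiteName }
New-ADDCCloneConfigFile @cfg
Write-Host "DCCloneConfig.xml written to $ntdsDir; shut this DC down (Stop-Computer) and clone it from vCenter."
```

Run it once without -Prepare to review the findings, then with -Prepare; steps 5 and 6 (shutting down and cloning from vCenter) remain manual, and the Cloneable Domain Controllers group should be emptied again afterwards.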

 

Concluding

Domain Controller Cloning is useful when you want to create a replica Domain Controller fast.

Of course, you can use it to quickly create an extra Domain Controller when the current Domain Controllers are burdened, but you can also use it as a Disaster Recovery method. More on that in the next blogpost in this series.

Related Microsoft KnowledgeBase Articles

2742844 Domain controller cloning fails, server boots in DSRM
2742908 After cloning domain controller, “no logon servers available”
2742927 New-AdDcCloneConfig error “Index was out of range”
2747974 Domain controller cloning event 2224 gives incorrect guidance
2742959 Domain controller cloning error 8437
2743278 Domain controller cloning error 0x80041005
2742916 Domain controller cloning fails with error 8610
2742970 DC cloning fails with no DSRM, duplicate source and clone computer
2745013 New-AdDcCloneConfigFile error “the server is not operational”
2742874 DC cloning does not recreate all service principal names
2742836 Extra DHCP leases after cloning domain controllers

Related VMware KnowledgeBase Articles

1027865 Cloning virtual machines in vCenter Server


Pictures of the NLVMUG BBQ


VMUG - VMware User Group

On Monday, I visited the BBQ organized by the Dutch chapter of the VMware User Group (NLVMUG).

NLVMUG at BeachClub Down Under (click for larger photo)

The NLVMUG BBQ was held at Beach Club Down Under in Nieuwegein.

This year’s NLVMUG BBQ is conveniently scheduled after VMworld US (just two weeks ago) and well before VMworld Europe. Naturally, both the VMworld Europe event, and NLVMUG’s own User Conference (March 19th, 2020 in De Fabrique in Utrecht).


The Dutch chapter of the VMware User Group (NLVMUG) organizes events for people who work with VMware products and solutions in the Netherlands. As a chapter, members of the NLVMUG also benefit from the larger VMUG umbrella.

NLVMUG is run by ITQ’s Dennis Hoegen Dijkhof and my former-colleague Joep Piscaer. Both fellow-vExperts.

Taking a picture with Joep (click for larger photo)

Of course, on my way out, I snuck a pair of NLVMUG socks and other goodies in my bag. VMUG SWAG is awesome!

NLVMUG Swag

I enjoyed wonderful food, excellent friends and insightful discussions.

Thank you, NLVMUG! Thumbs up

The post Pictures of the NLVMUG BBQ appeared first on The things that are better left unspoken.

Azure AD Connect version 1.4 introduces refined AD FS Management Capabilities


It’s time for a new version of Azure AD Connect to incorporate Microsoft’s lessons learned and distribute the fixes Microsoft made to the larger public. Last Friday, Microsoft released the first version in the 1.4 branch of Azure AD Connect: v1.4.x.0

Azure AD Connect is Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory.


Highlights

The headline for this release is the refinement of the AD FS management tasks:

  • Enabled six federation management tasks for all sign-in methods in Azure AD Connect. (Previously, only the “Update AD FS SSL certificate” task was available for all sign-ins.)
  • Removed token-signing certificates from the “Reset Azure AD and AD FS trust” task and added a separate sub-task to update these certificates.
  • Added a new federation management task called “Manage certificates” which has sub-tasks to update the SSL or token-signing certificates for the AD FS farm.
  • Added a new federation management sub-task called “Specify primary server” which allows administrators to specify a new primary server for the AD FS farm.
  • Added a new federation management task called “Manage servers” which has sub-tasks to deploy an AD FS server, deploy a Web Application Proxy server, and specify primary server.
  • Added a new federation management task called “View federation configuration” that displays the current AD FS settings. (Because of this addition, AD FS settings have been removed from the “Review your solution” page.)


What’s New

However, this release of Azure AD Connect contains many more new features and improvements:

  • New troubleshooting tooling helps troubleshoot the following scenarios:
    • “user not syncing”
    • “group not syncing”
    • “group member not syncing”
  • Support for national clouds in the Azure AD Connect troubleshooting script
  • The deprecated WMI endpoints for MIIS_Service have now been removed. Any WMI operations should now be done via the Windows PowerShell cmdlets.
  • Security improvement by resetting constrained delegation on AZUREADSSOACC object
  • When adding and/or editing a synchronization rule, if there are any attributes used in the rule that are in the connector schema but not added to the connector, the attributes are automatically added to the connector. The same is true for the object type the rule affects. If anything is added to the connector, the connector will be marked for full import on the next synchronization cycle.
  • Using an account that is a member of the Enterprise admins or Domain admins security group as the connector account is no longer supported.
  • In the Synchronization Manager, a full sync is run when a synchronization rule is created, edited and/or deleted. A popup appears on any rule change, notifying the admin if full import or full sync is going to be run.
  • Added mitigation steps for password errors to the ‘connectors > properties > connectivity’ page
  • New deprecation warning for the sync service manager on the connector properties page. This warning notifies the admin that changes should be made through the Azure Active Directory Connect wizard.
  • New error definition for issues with a user’s password policy.
  • Prevent misconfiguration of group filtering by domain and OU filters. Group filtering will show an error when the domain and/or OU of the entered group is already filtered out and keep the admin from moving forward until the issue is resolved.
  • Admins can no longer create a connector for Active Directory Domain Services or Azure Active Directory in the old User Interface.
  • Fixed accessibility of custom UI controls in the Sync Service Manager
  • New warning when changing the sign-in method from federation to Password Hash Synchronization (PHS) or Pass-through Authentication (PTA), that all Azure AD domains and users will be converted to managed authentication.


What’s Fixed

The following issues in Azure AD Connect have been resolved:

  • Resolved a synchronization error issue for the scenario where a user object taking over its corresponding contact object has a self-reference (e.g. user is their own manager).
  • Help popups now show on keyboard focus.
  • For automatic upgrades, if any conflicting application has been running for more than 6 hours, it is terminated and the upgrade continues.
  • Limit the number of attributes a customer can select to 100 per object when selecting directory extensions. This will prevent the error from occurring during export as Azure has a maximum of 100 extension attributes per object.
  • Fixed a bug to make the Active Directory Connectivity script more robust
  • Fixed a bug to make Azure AD Connect install on a machine using an existing Named Pipes WCF service more robust.
  • Improved diagnostics and troubleshooting around group policies that do not allow the ADSync service to start when initially installed.
  • Fixed a bug where the display name for a Windows computer was written incorrectly.
  • Fixed a bug where the OS type for a Windows computer was written incorrectly.
  • Fixed a bug where non-Windows 10 computers were syncing unexpectedly. Note that the effect of this change is that non-Windows-10 computers that were previously synced will now be deleted. This does not affect any features as the sync of Windows computers is only used for Hybrid Azure AD domain join, which only works for Windows-10 devices.
  • Added several new (internal) cmdlets to the ADSync PowerShell module.


Version information

This is version 1.4.x.0 of Azure AD Connect.
The first release in the 1.4 branch for Azure AD Connect was made available for download on September 10, 2019.

The post Azure AD Connect version 1.4 introduces refined AD FS Management Capabilities appeared first on The things that are better left unspoken.

HOWTO: Handle Windows Update on non-domain-joined Web Application Proxies


Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll look at best practices to handle Windows Update on non-domain-joined Web Application Proxy servers.

Note:
This blogpost assumes you’re running Web Application Proxies as non-domain-joined Server Core Windows Server 2016 installations.

If your Web Application Proxy servers are domain-joined, you can use Group Policy and Windows Server Update Services (WSUS) to take care of Windows Update. However, this option can’t be used for Web Application Proxy servers that are non-domain-joined and/or placed on a perimeter network (also commonly referred to as a DMZ network).


Why look at Windows Update for Web Application Proxies

Every piece of software has bugs. Producing code is still a human job. Developers, testers and even quality assurance people also work on Monday mornings. We all make mistakes. It’s how we deal with failure that defines us.

Microsoft software has bugs, too. Bugs may be innocent, or they may lead to serious problems like remote code execution, elevation of privilege, information disclosure, security feature bypasses, denial of service, spoofing and/or tampering. However, the way Microsoft handles fixing these bugs stands out. In 2003, Microsoft started a recurring, predictable and announced way of releasing updates to its software, including Windows, Windows Server, Office, Visual Studio, SQL Server, Exchange Server and many others: Patch Tuesday.

Below is a graphical representation of the problems solved in the September 10, 2019 update:

September 2019 Patch Tuesday Analysis

In recent years, Microsoft has separated the security updates from the quality improvement updates. The second Tuesday of each month brings security updates. Quality updates are also released on a Tuesday, but usually one or two weeks after the security updates.

Web Application Proxies need the free updates Microsoft distributes.

Possible negative impact (What could go wrong?)

When Web Application Proxies do not install Windows Updates, they remain vulnerable to known problems. Many admins think that a proper firewall rule prevents these attacks, but some attacks operate at a higher layer than most firewalls do: when the firewall allows TCP 443, it doesn’t merely allow legitimate traffic to the Web Application Proxy, it allows any traffic to that port, including attacks on the components that process it. Similarly, next-generation firewalls and web application firewalls may inspect the flow of HTTPS traffic between the Internet and Web Application Proxies, but may not detect the newest threats.

When Windows Servers do not install Windows Updates, their functionality may break, as fixes to the role are not added to the Operating System. This holds especially for Windows Server 2012 R2-based Web Application Proxies, as the role was first introduced in this version and many updates were made to the role in its first year.

When Windows Servers do not install Windows Updates, they may lack new security features and settings. Updates to Root Certification Authorities (CAs), time zone updates and cipher suite updates are common updates that add to the information security baseline. The Extranet Smart Account Lockout feature in AD FS was distributed with a Windows Update to Windows Server 2016.


Four solutions for Windows Updates

There are four solutions to apply Windows Updates to non-domain-joined Web Application Proxies:

  1. Configure to use Windows Update on the web
  2. Configure to use your organization’s WSUS implementation
  3. Manually install Windows updates
  4. Use an update solution


How to do it

To apply Windows Updates to non-domain-joined Web Application Proxies, perform these actions, per scenario:


Configure to use Windows Update on the web

Microsoft offers a standardized method for downloading Windows updates from its webservers. This method is built-in, even in Server Core.

For this scenario, the following requirements need to be met:

  • DNS-based name resolution and outbound HTTP/HTTPS access to the Internet (Microsoft’s update endpoints) for each Web Application Proxy; in a perimeter network, this means an explicit egress rule on the firewall.
  • An account with local administrator privileges on each Web Application Proxy.

Configuring automatic updates

Perform the following steps to configure a Server Core installation to use Windows Update on the web:

  1. Sign in with an account with local administrator privileges.
  2. Run sconfig.cmd.
    The Server Configuration utility starts.
  3. Enter the number 5, followed by pressing the Enter key on the keyboard to enter the Windows Update Settings sub menu.
  4. Press A for Automatic updates, followed by pressing Enter on the keyboard.
  5. In the Update Settings dialog screen, click OK.

The Web Application Proxy will check for and install updates every day at 3:00 AM. The settings take effect immediately. No reboot is required. Repeat the above steps on each Web Application Proxy.


Configure to use your organization’s WSUS implementation

Windows Server Update Services (WSUS) enables admins to deploy the latest Microsoft product updates with full manageability of the distribution of updates in their networks.

Note:
WSUS can be deployed in a disconnected scenario, where updates and metadata are exported on one WSUS server and imported on another disconnected WSUS server. This scenario makes WSUS useable in highly-restricted perimeter networks, too.

For this scenario, the following requirements need to be met:

  • A fully functional WSUS server needs to be implemented and synchronized with Microsoft Update.
  • DNS-based name resolution of the WSUS server and network access to it (by default TCP 8530 for HTTP and TCP 8531 for HTTPS) from each Web Application Proxy; in a perimeter network this typically requires an explicit firewall rule from the DMZ to the internal network.
  • An account with local administrator privileges on each Web Application Proxy.

WSUS server addresses are commonly distributed through Group Policy, but Web Application Proxies are typically not domain-joined. The following lines of Windows PowerShell add the registry settings that point a Web Application Proxy to a WSUS server:

Stop-Service -Name wuauserv

$Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
# Use the URL of your WSUS server. 8530 is WSUS's default HTTP port, 8531 its HTTPS port.
$WSUSAddress = "http://WSUSSERVER:8530"

# The policy keys do not exist on a fresh server; create them before adding values.
New-Item -Path $Path -Force | Out-Null
New-Item -Path "$Path\AU" -Force | Out-Null

# Point the Windows Update client (and its status reporting) at the WSUS server.
New-ItemProperty -Path $Path -Name WUServer -Value $WSUSAddress -PropertyType String -Force
New-ItemProperty -Path $Path -Name WUStatusServer -Value $WSUSAddress -PropertyType String -Force
# Optional: remove access to Windows Update on the web for local users.
New-ItemProperty -Path $Path -Name DisableWindowsUpdateAccess -Value 1 -PropertyType DWORD -Force

# Automatic Updates: NoAutoUpdate 0 = enabled; AUOptions 5 = let the local admin choose
# the install behavior (use 4 to auto-download and schedule installation);
# UseWUServer 1 = use the WSUS server configured above instead of Windows Update.
New-ItemProperty -Path "$Path\AU" -Name NoAutoUpdate -Value 0 -PropertyType DWORD -Force
New-ItemProperty -Path "$Path\AU" -Name AUOptions -Value 5 -PropertyType DWORD -Force
New-ItemProperty -Path "$Path\AU" -Name UseWUServer -Value 1 -PropertyType DWORD -Force

Start-Service -Name wuauserv

The Windows Update client is now configured for Automatic Updates and polls the WSUS server for approved updates every 22 hours, minus a random offset. No reboot is required for the settings to take effect.

Repeat the above steps on the other Web Application Proxies.


Manually install Windows updates

In either of the previous scenarios, admins can also check for updates and install them manually.

For this scenario, the requirements of the previous scenarios apply; most importantly, an account with local administrator privileges on each Web Application Proxy is needed.

Perform these steps:

  1. Sign in with an account with local administrator privileges.
  2. Run sconfig.cmd.
    The Server Configuration utility starts.
  3. Enter the number 6, followed by pressing the Enter key on the keyboard.
  4. Choose between Search for (A)ll Updates or (R)ecommended Updates only by pressing either A or R on the keyboard, followed by pressing Enter.
  5. Then, select between (A)ll updates, (N)o updates or (S)elect a single update, by pressing A, N or S on the keyboard, followed by pressing Enter.
    Manually install updates on Server Core-based Web Application Proxies using sconfig
  6. Press Yes in the Restart Required dialog screen to restart the Web Application Proxy.

Repeat the above steps on the other Web Application Proxies.


Use an Update solution

Third-party patching solutions might offer functionality to update Web Application Proxies. However, I would like to share a really simple solution: WSUSOffline.net.

Using “WSUS Offline Update”, you can update any computer running Microsoft Windows and Office safely, quickly and without an Internet connection, for free.

Especially its option to create an ISO file, that you can easily mount on virtual machines makes it a fast solution to update hosts in the perimeter network.


Checking which updates are installed

Throughout the lifetime of a Web Application Proxy, you might need to troubleshoot Windows Updates. It helps to be able to determine whether an update is installed (and the server may still need a reboot), or whether it is not installed at all (in which case a reboot probably won’t help). The command to use is:

wmic.exe qfe list
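The following Windows PowerShell is an added example, not code from the original post, that answers the questions behind that command in one go on a Server Core Web Application Proxy: which update source the client is using (the registry values from the WSUS scenario above), whether a given update is installed, whether a reboot is pending, and which updates the configured source still considers missing. It assumes an elevated session on the Web Application Proxy itself; the KB number in $KB is a placeholder to replace with the update you are tracking. Get-HotFix reads the same Win32_QuickFixEngineering class that wmic qfe list queries.

```powershell
# Added example: Windows Update state on a Server Core Web Application Proxy.
# Assumes an elevated PowerShell session on the Web Application Proxy.
$KB = 'KB4512517'   # placeholder: replace with the update you are looking for

# 1. Which update source is in effect? (policy values set in the WSUS scenario)
$wu = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
if ($au.UseWUServer -eq 1 -and $wu.WUServer) {
    Write-Host "Update source : WSUS at $($wu.WUServer) (AUOptions=$($au.AUOptions))"
} else {
    Write-Host "Update source : Windows Update on the web"
}

# 2. Is the specific update installed? (PowerShell equivalent of 'wmic qfe list')
$hotfix = Get-HotFix -Id $KB -ErrorAction SilentlyContinue
if ($hotfix) {
    Write-Host "$KB installed on $($hotfix.InstalledOn)"
} else {
    Write-Host "$KB is NOT installed"
}

# 3. The ten most recently installed updates.
Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 10 HotFixID, Description, InstalledOn |
    Format-Table -AutoSize

# 4. Is a reboot pending? These are the locations Windows itself uses to flag
#    a pending restart after servicing or Windows Update activity.
$sessionManager = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
$rebootPending =
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
    ($null -ne $sessionManager.PendingFileRenameOperations)
Write-Host "Reboot pending: $rebootPending"

# 5. Which updates does the configured source (WSUS or Windows Update) still
#    consider missing? Uses the Windows Update Agent COM API, which honors the
#    WSUS policy set above, so this also proves the WSUS configuration works.
$searcher = (New-Object -ComObject 'Microsoft.Update.Session').CreateUpdateSearcher()
$missing  = $searcher.Search('IsInstalled=0 and IsHidden=0')
Write-Host "Missing updates: $($missing.Updates.Count)"
foreach ($update in $missing.Updates) {
    $kbs = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ', '
    $flag = if ($update.RebootRequired) { ' (reboot required)' } else { '' }
    Write-Host ("  {0} [{1}]{2}" -f $update.Title, $kbs, $flag)
}
```

A Web Application Proxy that reports a WSUS source but lists no missing updates while the WSUS console shows unapproved or failed updates for it usually points at an approval or target group problem on the WSUS side rather than at the proxy.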


Concluding

It’s your choice to create media to manually update your Web Application Proxies, or let them download updates from the Internet or WSUS Servers automatically. However, please remember to implement something to keep the systems in your Hybrid Identity implementation up to date.

Further reading

Windows Update troubleshooting
Fix Windows Update errors
Registry keys for configuring Automatic Updates & WSUS
WSUS Offline Update
How To: Remove WSUS Settings and Restore Windows Update Defaults
Configure a Server Core installation of Windows Server 2016, with Sconfig.cmd
How to Patch Windows Server Core 2016

The post HOWTO: Handle Windows Update on non-domain-joined Web Application Proxies appeared first on The things that are better left unspoken.


I’m co-organizing the KNVI IT Infra Day of the Year


The Conference Room at the Carlton President Hotel in Maarssen

Raymond, Erwin, Martijn, Tom and I have dedicated time to organize a yearly Dutch event. We want to share the latest in our industry, without the marketing talk and without the corporate bullshit other events bring. In my utterly biased opinion1, there’s only one organization in the Netherlands, that can pull that off.

Last year we organized the ‘Roast the Cloud’ event for KNVI members. The year before, we organized the ‘Windows as a Service’ event. It was a lot of fun! This year, we have further improved upon the formula, added some more fun elements and are back for another year.


About KNVI

The Dutch Professional Association of Information and IT Professionals (KNVI) is an independent platform for sharing professional knowledge and expanding the personal networks of ICT Pros, information professionals, students and employers who want to keep their employees up to date.

KNVI organizes multiple meetings per month, publishes AG Connect both online and in print, and offers discounts to its members, like the discount to my Active Directory Administration Cookbook.

KNVI is a merged organization of several professional associations, including the Dutch Networking User Group (Ngi-NGN) and the Dutch Association for Documentary Information and Organization Administration (SOD).


About the KNVI IT Infra Event of the Year

On Thursday October 10, 2019, we’ll transform the Carlton President Hotel in Maarssen into Walhalla for IT Professionals. We have speakers delivering nine 30-minute sessions in three blocks:

  1. Managing IT, the new reality
    We’ll talk about DevOps as a way to manage teamwork and to manage servers. We’ll also talk about Mobile Device Management to manage devices beyond Windows-based devices.
  2. Do away with legacy
    Many admins still manage their environments like it’s 2005. Typically, this means still imaging devices (with Altiris or Ghost, probably), without benefiting from cloud services, and Windows AutoPilot and experiencing increasing numbers of incidents with passwords. That’s why we’ll talk about Windows AutoPilot, Azure AD DS and Password-less.
  3. The future of IT
    In our third block of sessions, we’ll look ahead to what’s happening in IT from an infrastructure point of view. Software-defined, privacy and quantum are the three keywords for this block of sessions.

After these sessions, we’ll ask the speakers back to the stage to discuss what regrettable moves to avoid and what recommended practices to embrace in the near future.

For immediate answers and discussions, we’ll have speakers in the ‘red room’ available, instead of hiding in a speaker room…


About my session

I’m not just involved in the planning and preparations for the event, I’m also actively presenting a session, together with Raymond Comvalius:

Password-less, or how to get rid of passwords for day-to-day IT Use

2:20PM – 3:05PM (session in Dutch)

81% of all hacks last year can be attributed to weak, leaked and default passwords. Multi-factor authentication reduces these incidents by 99.9%, but people don’t seem to like the hassle of it. If only we could live without passwords…

You can! In this session, Raymond and I look at Windows Hello for Business, Active Directory Federation Services (AD FS) and FIDO2 as the solution for end-users to no longer work with passwords and, in the process, work more securely than they do now.


Join us!

Register here (registration page in Dutch).

One of the things we’ve learned last year is that many people wanted to join the event, but either didn’t have the money to join or didn’t want a KNVI membership.

As an IT Pro, you can join the event for € 99.
No strings attached. No nagging marketing afterwards. No privacy issues.
No membership.

Of course, as a member of KNVI, you can join the event for free, anyway.
There’s room for 150 people for this event. We haven’t filled all our seats, yet.

  • 1 I was a member of the board of the KNVI Special Interest Group (SIG) IT Infra.

The post I’m co-organizing the KNVI IT Infra Day of the Year appeared first on The things that are better left unspoken.

Azure Multi-Factor Authentication Server 8.0.2.2 was released


Microsoft Azure Multi-Factor Authentication

Roughly a year ago, we saw the release of Microsoft’s Azure Multi-Factor Authentication (MFA) Server, version 8.0.1.1. Last week, Microsoft released another minor version, dubbed version 8.0.2.2 that addresses a couple of issues you might experience with version 8.0.1.1.


What’s New

Fixed issue with AD Sync send email when user enabled state changes

In the Add Synchronization Item window, the option to send email for Only New Users is enabled by default:

The Add Synchronization Item window in Azure MFA Server

However, an issue prevented sending the e-mail message when the Enabled state changed. This issue has been fixed.

Fixed upgrade issue with User Tags

In some scenarios, user tags did not survive Azure MFA Server upgrades.
This issue is now fixed in Azure MFA Server version 8.0.2.2.

Added Kosovo (+383) country code

Former Yugoslavia obtained its +38 code in the 1964 CCITT/ITU Blue Book. However, on October 1, 1993, this country code was divided into +381 (Serbia), +382 (Montenegro), +385 (Croatia), +386 (Slovenia), +387 (Bosnia and Herzegovina) and +389 (Macedonia) when Yugoslavia broke up. At that time, +380, +383 and +388 were not assigned.

+383 was assigned to Kosovo*, after Republic of Serbia and Kosovo reached an agreement in August 2015. Now, the +383 country code can also be used with Azure Multi-Factor Authentication Server.

Note:
Ukraine received the +380 country code in 1995, after it left the Soviet Union in 1991. This effectuated its split from the +7 country code. +388 is assigned to groups of countries. The European Telephony Numbering Space (ETNS) embraced +388 3 for Europe-wide services.

Added One-Time Bypass audit logging

In previous versions of Azure Multi-Factor Authentication Server, the MultiFactorAuth service did not log one-time bypasses. Starting with version 8.0.2.2, one-time bypasses are logged to MultiFactorAuthSvc.log.

Web Service SDK performance improvements

Azure MFA Server’s Web Service SDK offers access to the database and MFA functionality to the AD FS MFA Adapter (when installed), the User Portal (when installed) and third-party applications (when used). Performance improvements on this central communications hub to the back-end mean these front-end services work faster, too.

Other minor bug fixes

While the above fixes could be classified as minor fixes, the team reports that they’ve fixed other minor issues in Azure Multi-Factor Authentication (MFA) Server as well.


Upgrade considerations

You must upgrade MFA Server and Web Service SDK before upgrading the User Portal or AD FS adapter. Read the guidance in the How to Upgrade section in this blogpost for more information.


Download

You can download Azure Multi-Factor Authentication Server 8.0.2.2 here.
The download weighs 128.4 MB.


Version information

This is version 8.0.2.2 of Azure Multi-Factor Authentication (MFA) Server.
It was signed off on September 9, 2019.

The post Azure Multi-Factor Authentication Server 8.0.2.2 was released appeared first on The things that are better left unspoken.

I’m speaking at Office 365 and SharePoint Connect 2019 – Community Edition


Office 365 and SharePoint Connect logo

Office 365 is the cloud service most organizations use. Some of them are not aware that Azure Active Directory lives underneath their cloud service, or behind the ‘Microsoft Office 365 Identity Platform’ Relying Party Trust (RPT) in Active Directory Federation Services (AD FS). That’s why I’ll present at NCComms’ Office 365 and SharePoint Connect 2019 – Community Edition in Haarlem on October 11, 2019.


About Office 365 and SharePoint Connect

The Office 365 and SharePoint Connect conference presents news and announcements from Microsoft Ignite as well as deeper dives into the key topics across Office 365, SharePoint, Azure, OneDrive and Teams. Speakers also include material on wider industry trends such as AI.

Learn how you can move yourself and your company forward with the expert speakers who share their experience, knowledge, and best practices, plus real-world project insights. PLUS – You also have the chance to find out more from the experts who bring you the very latest “What’s new” straight after Microsoft Ignite.

The Office 365 and SharePoint Connect conference returns to the Netherlands for the ninth year in 2019. Speakers for this year’s Office 365 and SharePoint Connect include Adis Jugo, Donald Hessing, Jussi Roine, Luise Freese, Sjoukje Zaal and many others.


About my session

I’ll present one 45-minute session on:

A Life without passwords; dream or reality?

Room D, Friday October 11, 2019 3PM – 3:45PM

The early days of multi-user IT brought us passwords. However, we can safely conclude password-based authentication doesn’t cut it anymore. Recent research showed 81% of hacking-related breaches leveraged either stolen or weak passwords and 20% of support costs for enterprise IT departments are about forgotten passwords… Nobody loves multi-factor authentication either, because it’s complicated to implement and difficult to use.

“Users should never have to deal with passwords in their day-to-day lives.”
Sander Berkouwer 

Join Sander Berkouwer, tenfold Microsoft MVP, in this engaging session on going password-less in your infrastructure. Learn the end-to-end solution, based on open standards, Microsoft technologies and the Microsoft Cloud that allows your organization(s) to minimize password usage and simplify credential management, so user credentials cannot be cracked, breached, or phished anymore.

Warning:
Be ready to start feeling the love from end-users again, for they no longer have to use technology that sucks…


Join us!

Join some of the very best independent experts from around the world, and Microsoft, as they come together at Office 365 & SharePoint Connect this October in the beautiful city of Haarlem, Netherlands.

Register here.

The post I’m speaking at Office 365 and SharePoint Connect 2019 – Community Edition appeared first on The things that are better left unspoken.

KnowledgeBase: Azure AD Connect v1.4 deletes incorrectly synchronized objects for non-Windows 10 devices


KnowledgeBase

On September 10, 2019, Microsoft signed off on the first build of Azure AD Connect in the 1.4 version branch. Currently, this version is only available for organizations that have the Automatic Upgrade feature enabled. In the What’s Fixed section of the release notes for this version, Microsoft stated that:

Fixed a bug where non-Windows 10 computers were syncing unexpectedly.


The situation

Previously, Windows down-level computers joined to on-premises Active Directory Domain Services environments were incorrectly synchronized to Azure AD under some circumstances.

As an example of these circumstances, the userCertificate attribute value for Windows down-level devices in Active Directory is populated. But such devices in Azure AD always remained in the pending state because these Windows versions were not designed to be registered with Azure AD via Azure AD Connect.


The issue

Starting with version 1.4.x.0 of Azure AD Connect:

  • Azure AD Connect stops synchronizing Windows down-level computers to Azure AD
  • Azure AD Connect removes the previously incorrectly synchronized Windows down-level devices from Azure AD.
  • Azure AD Connect might run into the Export Deletion Threshold.

Note:
If admins see the deletes of down-level Computer/Device objects in Azure AD exceeding the Export Deletion Threshold, it is advised that the customer allow these deletes to go through.

Some Azure AD admins may see some or all of their Windows down-level devices disappear from Azure AD.

However, Azure AD Connect will not delete any Windows down-level devices that were correctly registered with Azure AD by using the Workplace Join for non-Windows 10 computers package. Those devices will continue to work as expected for the purposes of device-based Conditional Access.


The cause

Microsoft is cleaning up device objects in Azure AD tenants, that add no value.

This is not a cause for concern, as these device identities were never actually used by Azure AD during Conditional Access authorization.


The solution

To get their Windows down-level devices registered correctly and ensure that such devices can fully participate in device-based Conditional Access, the devices need to be Hybrid Azure AD joined correctly, using the Workplace Join for non-Windows 10 computers package.
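When the clean-up trips the Export Deletion Threshold, the advice above is to let the deletes through. The following Windows PowerShell is an added example, not code from the original post or from Microsoft, of doing that deliberately rather than by disabling the threshold and forgetting about it, followed by a check in Azure AD of which non-Windows 10 Windows devices remain. It assumes an elevated session on the Azure AD Connect server (the ADSync module ships with it) and the AzureAD module for the verification step; the threshold value of 500 at the end is an illustrative choice, restore the value you recorded in the first step instead.

```powershell
# Added example: pass the v1.4 down-level device clean-up through the
# Export Deletion Threshold in a controlled way, then restore the safety net.
# Assumptions: elevated session on the Azure AD Connect server; ADSync module
# present; AzureAD module installed (Install-Module AzureAD) for the final check.
Import-Module ADSync

# Azure AD Global Administrator credentials; the threshold cmdlets need them.
$cred = Get-Credential -Message 'Azure AD Global Administrator'

# 1. Record the current threshold configuration so it can be restored later.
$before = Get-ADSyncExportDeletionThreshold
$before | Format-List

# 2. Disable the threshold for ONE cycle. Without this, the export to Azure AD
#    stops with "stopped-deletion-threshold-exceeded" as soon as more objects
#    than the threshold are staged for deletion.
Disable-ADSyncExportDeletionThreshold -AADCredential $cred

# 3. Run a delta synchronization cycle and wait until it has finished.
Start-ADSyncSyncCycle -PolicyType Delta
do {
    Start-Sleep -Seconds 30
} while ((Get-ADSyncScheduler).SyncCycleInProgress)

# 4. Re-enable the threshold. 500 is illustrative: use the value recorded in step 1.
Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500 -AADCredential $cred

# 5. Verify in Azure AD which Windows devices that are not Windows 10 remain.
#    Devices registered correctly with the Workplace Join package are expected
#    to survive; inspect DeviceTrustType and the last logon for each of them.
Connect-AzureAD -Credential $cred | Out-Null
Get-AzureADDevice -All $true |
    Where-Object { $_.DeviceOSType -eq 'Windows' -and $_.DeviceOSVersion -notlike '10.*' } |
    Select-Object DisplayName, DeviceOSVersion, DeviceTrustType, ApproximateLastLogonTimeStamp |
    Format-Table -AutoSize
```

Re-enabling the threshold is the important step: a permanently disabled Export Deletion Threshold removes the one guard that stops a misconfigured OU filter or a mass deletion in on-premises Active Directory from propagating to Azure AD unchecked.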


Concluding

Changes in Azure AD Connect functionality to allow for increased security levels (in this case by removing stale and non-functional objects) may have an impact on the way Azure AD Connect behaves in your organization.

Further reading

KnowledgeBase: Azure AD Connect 1.3.20.0 enables Auto Upgrades in AD FS Scenarios 
KnowledgeBase: Azure AD Connect upgrade is not reflected in the Office 365 Portal  
Azure AD Connect 1.4 introduces refined AD FS Management Capabilities 
Azure AD Connect 1.3.21.0 fixes an elevation of privilege vulnerability (CVE-2019-1000)
HOWTO: Enforce Azure AD Connect to use TLS 1.2 only

The post KnowledgeBase: Azure AD Connect v1.4 deletes incorrectly synchronized objects for non-Windows 10 devices appeared first on The things that are better left unspoken.

I’m speaking at SharePoint Saturday Brussels 2019


SharePoint Saturday Belgium

I’m presenting at SharePoint Saturday Belgium.


About SharePoint Saturday Events

SPS Events is an all-volunteer organization that provides the tools and knowledge needed for groups and event leaders to organize and host SharePoint Saturday Events. SharePoint Saturday Events (SPS Events) are free one-day events held in different cities around the world, featuring sessions from influential and respected SharePoint professionals.

The SharePoint Saturday concept took shape in 2008, with the first SharePoint Saturday event held in early 2009. It grew from speakers who were speaking at Code Camps and SQL Saturdays on SharePoint topics who felt there was enough need in the SharePoint community to warrant their own dedicated events.


About SharePoint Saturday Belgium

On Saturday October 19, 2019, SPS Events hosts its second SharePoint Saturday Belgium event, filled with lots of great sessions, interesting sponsors and, of course, a famous SharePint at the end of the day.

What’s new with Microsoft SharePoint, Office 365, and Azure? Interested visitors will learn all about this on Saturday, October 19, at BluePoint Brussels.

SharePoint Saturday Belgium is organized by BIWUG.


About my session

I’ll present a 50-minute session:

Seven ways Identity enriches your Office 365 and Azure experience

Saturday October 19, 2019, 11:40AM – 12:30PM, Room 4

Azure and Office 365 rely on Azure Active Directory as their identity store.

As a tenfold MVP, I know a lot about identity. My experience with numerous organizations, ranging from enterprises to small businesses, has taught me that good identity is important to embracing cloud services.

I’ll show you seven ways identity enriches the experience you, your colleagues and your customers have when using Azure and Office 365, in my typical humorous but straight to the point style.


Join us!

Join some of the very best independent experts from around the world, and Microsoft, as they come together at SharePoint Saturday Belgium this October.

Register here.

The post I’m speaking at SharePoint Saturday Brussels 2019 appeared first on The things that are better left unspoken.

The videos of my Netwrix webinars are now available


Recording a webinar

Last week, on September 24, 25 and 26, I hosted three 60-minute webinars with Netwrix on my three favorite chapters in my Active Directory Administration Cookbook.

Over 1800 people have registered for these webinars. Now, a mere two working days after the last webinars, the Netwrix team has done everyone a huge favor by already placing the three video recordings online for everyone to watch:

https://www.netwrix.com/ad_admin_cookbook_nemea


Enjoy!

Simply press the red Watch now buttons and enjoy!
The slides are also available for you to download, although these webinars were mostly demos-only.

Note:
These webinars and their videos are offered free of charge, thanks to the sponsoring by Netwrix. By accessing the webinars, full-length videos and slides you agree to their privacy policy.


About Netwrix

Netwrix is a private IT security software company. They offer IT auditing solutions for systems and applications across your IT infrastructure. Netwrix specializes in change, configuration and access auditing software with its Netwrix Auditor solution. Netwrix is a partner of Microsoft, VMware, EMC, NetApp and HP ArcSight.

If you’ve worked in highly-secure highly-regulated IT environments, you’re probably familiar with the Netwrix brand, because their Active Directory auditing solution is one of the best out there.



Learn the intricacies of managing Azure AD, Azure AD Connect as well as Active Directory for Identity and Access Management (IAM) in the cloud and on Windows Server 2019.

Get up to date! Get your 620-page, 147-recipe copy of the Active Directory Administration Cookbook, today. Buy it from Packt directly, or through your favorite local reseller.

The post The videos of my Netwrix webinars are now available appeared first on The things that are better left unspoken.

I’m speaking at AppManagEvent 2019


SuperNova at the MediaPlaza

After meeting the people behind Professional Development Systems at several events in my region, we started talking about presenting a session at their flagship event: AppManagEvent. This year, it’s time to get going with it!


About AppManagEvent

AppManagEvent is the annual industry event around application management. The event provides its visitors a status update and a future update on the leading technology, tools, strategies, insights and trends around Application Management.

AppManagEvent 2019

The 14th edition takes place on Friday October 11, 2019, with themes like Deployment, Security, Application Virtualization, MSIX, Win10 migration, Identity Management, IT Infra and much more. It’s one day with great speakers, tech content, solution vendors in a professional atmosphere and at the Media Plaza at Jaarbeurs Utrecht in the “Supernova” area.


About my session

I will present a 45-minute session:

Identity, the solid base for your organization’s future

10:15 – 11AM

Recent IT disasters have proven that there’s no such thing as a safe network. Firewalls continue to lose their value. Munchhausen by proxy has got a whole new meaning. However, a new perimeter has arisen, focusing on the individuals in your organization and their behavior, but with extensive auditing and near-real time mitigating measures: Identity.

Frowned upon as mere ‘accounts’ in the old days, identity, and most importantly, hybrid identity with both Active Directory and Azure AD, offers all the richness needed to meet today’s needs head-on. One solution for cloud and on-premises? Of course. Multi-factor authentication? Built-in. Access based on device health and location? No problem. Attribute-based access control? Solved. Automated and delegated access reviews? Done. Self-service problem solving? Yes, shift left with confidence.


Join us!

There is still time to register for AppManagEvent 2019. Ticket sales stop on October 10 at noon CEST. Tickets are available for € 125 per ticket.

Register here.

The post I’m speaking at AppManagEvent 2019 appeared first on The things that are better left unspoken.


What’s New in Azure Active Directory for September 2019

Azure Active Directory

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for September 2019:


What’s Planned

My Profile is being renamed and integrated with the Microsoft Office account page

Service category: My Profile/Account
Product capability: Collaboration

Starting in October, the My Profile experience will become My Account. As part of that change, everywhere that currently reads My Profile changes to My Account.

On top of the naming change and some design improvements, the updated experience will offer additional integration with the Microsoft Office account page. Specifically, you’ll be able to access Office installations and subscriptions from the Overview Account page, along with Office-related contact preferences from the Privacy page.


What’s New

Bulk manage groups and members using CSV files in the Azure AD portal Public Preview

Service category: Group Management
Product capability: Collaboration

Microsoft is pleased to announce public preview availability of the bulk group management experiences in the Azure AD portal. Admins can now use a CSV file and the Azure AD portal to manage groups and member lists, including:

  • Adding or removing members from a group.
  • Downloading the list of groups from the directory.
  • Downloading the list of group members for a specific group.


Dynamic consent is now supported through a new admin consent endpoint

Service category: Authentications (Logins)
Product capability: User Authentication

Microsoft has created a new admin consent endpoint to support dynamic consent, which is helpful for apps that want to use the dynamic consent model on the Microsoft Identity platform.


New Azure AD Global Reader role

Service category: RBAC
Product capability: Access Control

The Global Reader role is the read-only counterpart to Global Administrator. Users in this role can read settings and administrative information across Microsoft 365 services, but can’t take management actions.

Microsoft has created the Global Reader role to help reduce the number of Global Administrators in organizations. Because Global Administrator accounts are powerful and vulnerable to attack, Microsoft recommends:

  • that organizations have fewer than five Global Administrators.
  • using the Global Reader role for planning, audits, or investigations.
  • using the Global Reader role in combination with other limited administrator roles, like Exchange Administrator, to help get work done without requiring the Global Administrator role.

The Global Reader role works with the new Microsoft 365 Admin Center, Exchange Admin Center, Teams Admin Center, Security Center, Compliance Center, Azure AD Admin Center, and the Device Management Admin Center.


Access an on-premises Report Server from your Power BI Mobile app using Azure Active Directory Application Proxy

Service category: App Proxy
Product capability: Access Control

New integration between the Power BI mobile app and Azure AD Application Proxy allows you to securely sign in to the Power BI mobile app and view any of your organization’s reports hosted on the on-premises Power BI Report Server.

For information about the Power BI Mobile app, including where to download the app, see the Power BI site.


What’s Changed

New version of the AzureADPreview PowerShell module is available

Service category: Other
Product capability: Directory

New cmdlets were added to the AzureADPreview module, to help define and assign custom roles in Azure AD, including:

  • Add-AzureADMSFeatureRolloutPolicyDirectoryObject
  • Get-AzureADMSFeatureRolloutPolicy
  • New-AzureADMSFeatureRolloutPolicy
  • Remove-AzureADMSFeatureRolloutPolicy
  • Remove-AzureADMSFeatureRolloutPolicyDirectoryObject
  • Set-AzureADMSFeatureRolloutPolicy

The post What’s New in Azure Active Directory for September 2019 appeared first on The things that are better left unspoken.

Pictures of WAZUG.nl 60


Ordina Headquarters in Nieuwegein

Last Thursday, Raymond and I presented on password-less authentication for the Dutch Microsoft Azure User Group (WAZUG.nl) at Ordina’s Headquarters in Nieuwegein, the Netherlands.

After the splendid dinner, when the entire group gathered for the elevators to get to the 11th floor, we were already there, enjoying the views over Utrecht, set up and even recording a short interview with Iwan Bel from the WAZUG.nl user group.

Interview with Iwan Bel (Picture by WAZUG.nl organization)

After the meal and a short introduction by Ordina, it was our task to share our knowledge and experiences with passwords, multi-factor authentication and password-less authentication using Azure Active Directory and FIDO 2.0-based security keys.

Introduction (Picture by WAZUG.nl organization)
Raymond

After our presentation and a short break, Xander Gijtenbeek and John Bruin from Ordina’s new Mtech division shared their experiences with Application Insights, coupled with a Google AIY Projects Vision kit.

After that, we enjoyed drinks at the bar.


Thank you!

I had a lot of fun.

The post Pictures of WAZUG.nl 60 appeared first on The things that are better left unspoken.

HOWTO: Change the AD FS token-signing hash algorithm for AD FS relying party trusts to SHA256


Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll look at properly securing relying party trusts on AD FS servers in terms of the signature hash algorithm.

Note:
This blogpost assumes you’re running AD FS Servers as domain-joined Server Core Windows Server 2016 installations.


Why look at the signature hash algorithm for AD FS Relying Party Trusts

Active Directory Federation Services (AD FS) signs its tokens to relying party trusts, like Azure Active Directory to ensure that they cannot be tampered with.

This signature can be based on SHA1 or SHA256. Azure Active Directory has supported tokens signed with the SHA256 algorithm since October 2016, and recommends setting the token-signing algorithm to SHA256 for the highest level of security.

Reasons why

Federation servers require token-signing certificates to prevent attackers from altering or counterfeiting security tokens in an attempt to gain unauthorized access to federated resources.

The private/public key pairing that is used with token-signing certificates is the most important validation mechanism of any federated partnership because these keys verify that a security token was issued by a valid partner federation server and that the token was not modified during transit.

It would be a shame if an attacker could craft a second input that produces the same hash as a legitimate token and thereby reuse its signature, but that is exactly the kind of collision attack Google announced in February 2017 for SHA1, after two years of research in collaboration with the CWI Institute in Amsterdam.

This collision attack is a strong reason to move from SHA1 to safer alternatives, such as SHA256.

Possible negative impact (What could go wrong?)

If changing the AD FS token-signing hash algorithm for AD FS relying party trusts to SHA256 goes wrong, the functionality of the relying party trust becomes unavailable. In other words, access to the application, or to all applications connected to the platform on the other side of the relying party trust, is lost.

If the change of the AD FS token-signing hash algorithm to SHA256 goes wrong for the ‘Microsoft Office 365 Identity Platform’ relying party trust, then access to popular functionality like Exchange Online, SharePoint Online, Teams, PowerBI and Dynamics 365 is lost and the trust needs to be rebuilt.


Getting Ready

To change the AD FS token-signing hash algorithm for AD FS relying party trusts to SHA256, make sure to meet the following requirements:

System requirements

Make sure the AD FS servers are installed with the latest cumulative Windows Updates.

Privilege requirements

Make sure to sign in with an account that has privileges to create and/or change and link Group Policy objects to the Organizational Unit (OU) in which the AD FS servers reside.

Who to communicate to

As the AD FS servers operate as part of a chain, notify all stakeholders in the chain. This means sending a heads-up to the rest of the Active Directory team and the teams that are responsible for Azure AD, Office 365 and cloud applications. It’s also a good idea to talk to the people responsible for backups, restores and disaster recovery.

Important:
It is especially important to communicate to the teams that are responsible for the functionality connected through AD FS, because the algorithm used to generate the hash for the AD FS RPT, SHA-1 or SHA-256, must be the one the service provider on the other side of the RPT expects.

One of the challenges you can easily avoid through communication is that multiple persons and/or teams make changes to the configuration. When it breaks, you don’t want to roll back a bunch of changes, just the one that broke it. Make sure you have the proper freeze/unfreeze moments to achieve that.


How to do it

To get an overview of the AD FS RPTs that do not use SHA256 as the AD FS token-signing hash algorithm, run the following line of Windows PowerShell when logged on with an account that has local administrative privileges on the Primary AD FS server:

Get-AdfsRelyingPartyTrust | select Name,SignatureAlgorithm


This will provide the names of the RPTs and their SignatureAlgorithm properties.

You can change the AD FS token-signing hash algorithm for an AD FS relying party using the following lines of Windows PowerShell when logged on with an account that has local administrative privileges on the Primary AD FS server:

$RPT = 'Microsoft Office 365 Identity Platform'

Set-AdfsRelyingPartyTrust -TargetName $RPT -SignatureAlgorithm `
'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'


Roll-back

To roll back the change, run the following lines of PowerShell when logged on with an account that has local administrative privileges on the Primary AD FS server:

$RPT = 'Microsoft Office 365 Identity Platform'

Set-AdfsRelyingPartyTrust -TargetName $RPT -SignatureAlgorithm `
'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
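Putting the audit, the change and the roll-back together in one script, as an added example that is not part of the original post: it assumes the AD FS PowerShell module on the Primary AD FS server, and the backup path and the list of trust names are placeholder values to adjust for your environment.

```powershell
# Added example (not from the original post): audit every AD FS relying party trust,
# record the current signature algorithms for roll-back, then switch only the trusts
# whose service provider is confirmed to accept SHA256. Run elevated on the Primary AD FS server.
Import-Module ADFS

$Sha256     = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
$BackupPath = "$env:USERPROFILE\AdfsRptSignatureAlgorithms.csv"   # placeholder path
$TargetRpts = @('Microsoft Office 365 Identity Platform')         # placeholder list of trusts to change

# 1. Audit: list every trust that still signs tokens with something other than SHA256.
$allRpts = @(Get-AdfsRelyingPartyTrust)
$legacy  = @($allRpts | Where-Object { $_.SignatureAlgorithm -ne $Sha256 })
Write-Host "$($legacy.Count) of $($allRpts.Count) relying party trusts do not use SHA256:"
$legacy | Select-Object Name, Identifier, SignatureAlgorithm | Format-Table -AutoSize

# 2. Record the current state so that each trust can be rolled back individually.
$allRpts | Select-Object Name, SignatureAlgorithm |
    Export-Csv -Path $BackupPath -NoTypeInformation
Write-Host "Current signature algorithms saved to $BackupPath"

# 3. Change only the trusts on the agreed list; leave everything else untouched.
foreach ($name in $TargetRpts) {
    $rpt = $allRpts | Where-Object { $_.Name -eq $name }
    if (-not $rpt) {
        Write-Warning "Relying party trust '$name' not found; skipping."
        continue
    }
    if ($rpt.SignatureAlgorithm -eq $Sha256) {
        Write-Host "'$name' already uses SHA256; nothing to do."
        continue
    }

    Set-AdfsRelyingPartyTrust -TargetName $name -SignatureAlgorithm $Sha256

    # 4. Verify by reading the setting back instead of assuming the call succeeded.
    $after = (Get-AdfsRelyingPartyTrust -Name $name).SignatureAlgorithm
    if ($after -eq $Sha256) {
        Write-Host "'$name' now signs tokens with SHA256."
    } else {
        Write-Warning "'$name' still reports $after; investigate before changing other trusts."
    }
}

# Roll back one trust from the recorded state, e.g. when its service provider rejects SHA256:
#   $saved = Import-Csv $BackupPath | Where-Object { $_.Name -eq 'Microsoft Office 365 Identity Platform' }
#   Set-AdfsRelyingPartyTrust -TargetName $saved.Name -SignatureAlgorithm $saved.SignatureAlgorithm
```

Test the sign-in to one connected application right after each change, so a rejected algorithm is caught while the roll-back is still a single line.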


Concluding

Changing the AD FS token-signing hash algorithm for AD FS relying party trusts to SHA256 from SHA1 provides a much smaller risk of collisions and therefore increases information security.

Make sure the service providers offering functionality through AD FS relying party trusts support SHA256 as the token-signing hash algorithm before changing it to avoid (temporary) loss of functionality.

Further reading

Change signature hash algorithm for Office 365 relying party trust
Token-Signing Certificates
Configuring the AD FS Token Signing and -Decrypting Certs for a longer lifetime

The post HOWTO: Change the AD FS token-signing hash algorithm for AD FS relying party trusts to SHA256 appeared first on The things that are better left unspoken.

I’m speaking at VMware VMworld Europe 2019


VMworld Europe 2019 - Make your mark

I’m pleased to announce that I will be delivering a 4-hour workshop with Deji Akomolafe, Staff Solutions Architect at VMware, at VMware VMworld Europe 2019 in Barcelona on October 7th, 2019.

About VMware VMworld

VMworld is a global conference for virtualization and cloud computing, hosted by VMware. It is the largest virtualization-specific event. Each year, there is a VMworld US and a VMworld Europe event, addressing VMware’s two main target geographies.

VMworld Europe 2018 is hosted at the Fira Gran Via Convention Center in Barcelona, Spain from Monday November 4, 2019 to Thursday November 7, 2019.

About our session

I’ll make one main appearance during VMware VMworld Europe 2019, besides the obvious parties and gatherings.

Architecting and Implementing Microsoft Active Directory on VMware

BCA2161TE, level 300, October 7 10:30AM – 2:30PM

Active Directory Domain Services (AD DS) allows organizations to deploy a scalable and secure directory service for managing users, resources, and applications. Although virtualizing domain controllers has been a simple and supported operation for many years, many organizations have been reluctant to do so.

Organizations struggle to understand how to properly navigate and avoid the pitfalls (such as synchronization, convergence, security, time management, availability, and data integrity) inherent in virtualizing a production, enterprise-level AD DS infrastructure. Even when they have virtualized their domain controllers, admins still worry about the security, safety, and integrity of their AD DS infrastructure.

This session will discuss and demonstrate considerations and practices for optimally and securely virtualizing AD infrastructure.

Join us!

Join me while I take the stage with Deji.
Make your mark and register for VMware VMworld Europe 2019.

The post I’m speaking at VMware VMworld Europe 2019 appeared first on The things that are better left unspoken.

Pictures of the 2019 KNVI IT Infra Day of the Year


The Conference Room at the Carlton President Hotel in Maarssen

After many months of preparations, we ran the KNVI IT Infra Day of the Year last Thursday. Raymond, Erwin, Tom and I organized a day filled with a total of eleven sessions with topics for today’s IT Pros that want more out of life and their careers.

Welcome to the KNVI IT-Infra Special Interest Group Meetup (click for original photo by organization)
Variety of Tea at the Carlton President Hotel (click for original photo by Barbara Forbes)

Tom kicked off the day with a warm welcome to the attendees. It marked the start of the ‘What’s New’ block of sessions. Peter Daalmans presented a 30-minute session on Mobile Device Management. My colleague Barbara Forbes presented a 30-minute session on Azure DevOps and Jeff Wouters presented on treating servers like cattle, not cats.

Barbara introducing herself (click for original photo)
Barbara talking about Azure DevOps (click for original photo)

After a short break, Tom introduced the ‘Get rid of legacy’ block of sessions. Raymond Comvalius presented a 30-minute session on AutoPilot to get rid of imaging. Erwin Derksen presented a 30-minute session on Azure AD DS to get rid of legacy LDAP stores and Active Directory on-premises.

Erwin talking about Azure Active Directory Domain Services (click for larger photo by organization)
Tom introducing Raymond for his AutoPilot talk (click for original photo by organization)

Then, Raymond and I presented a 30-minute session on password-less, as a way to get rid of passwords and to transition into a brave new world with stronger authentication, based on a 4-layer security model. As part of the session, we demoed Azure AD Join using the Authenticator App and the OneDrive Personal Vault.

Introducing Raymond and myself (click for original photo by Barbara Forbes)
Explaining how MFA is just a patch, not a solution (click for larger photo by Barbara Forbes)

After lunch, Tom kicked off the block of sessions where we make sure we don’t miss today’s big issues. Ronald Potharst presented on Software-defined Networking (SDN). Harold van de Kamp presented on privacy in Microsoft 365. Guido Steusel presented on what to expect in IT in the near future.

After another short break, Twan Paes presented the TeamPerformance loop. As organizers we took the stage again and rounded up our experiences with the event and we asked the attendees what they picked up during the day.

Wrapping up the KNVI IT Infra Day of the Year (click for original photo by organization)
Drinks (photos start to get blurry after this point ;-) )

After that, of course, we had drinks at the restaurant of the Carlton President Hotel.


Thank you!

Thank you to all the attendees. Your feedback is invaluable. Thank you to the Carlton President Hotel and MOS Events for helping us organize this meetup. Until next year!

The post Pictures of the 2019 KNVI IT Infra Day of the Year appeared first on The things that are better left unspoken.
