Yearly Archives: 2013

[Tutorial] Upgrading from ADFS 2.0 (Server 2008 R2) to ADFS 3 (Server 2012 R2)

Scenario: You want to upgrade your ADFS 2.0 or 2.1 farm using WID (Windows Internal Database) from Server 2008 R2 to Server 2012 R2. In this scenario, I have 2 ADFS servers (one as the primary and a second for failover purposes), and 2 ADFS Proxy servers (for load balancing/failover purposes).

NOTE: Prior to writing this article I had only found limited documentation provided by Microsoft on a proper upgrade path for this. Since then, it apperas that tools had been included with the Server 2012 installation media which will greatly cutdown on the number of steps needed as well as provide as little downtime as possible. I would highly recommend giving this article a read before proceeding with my article: http://blogs.technet.com/b/askpfeplat/archive/2014/03/31/how-to-build-your-adfs-lab-part4-upgrading-to-server-2012-r2.aspx

My article should still work, but it is definitely not the most efficient way to do an upgrade as pointed out in the technet article above. My guide essentially goes over cutting over to a completely new ADFS deployment "an upgrade", side-by-side to your production environment. As pointed out below, you cannot add a Server 2012 R2 machine to a Server 2008 R2 ADFS farm as documented in their earlier help articles.

Tutorial

Login to one of your slave ADFS nodes (secondary server) running Server 2008 R2
Remove the node from your load balancer
Stop the AD FS 2.0 Windows Service
Click Start -> Administrative Tools -> Internet Information Services (IIS) Manager
Select your server and double click on Server Certificates
Right click on your certificate and select Export...
Export the certificate to your desktop, type in a password to protect the exported certificate/private key, and select OK
Copy the pfx (exported certificate/private key) to your local machine; we will import this on our new server later.
Disjoin the ADFS machine from the domain
Turn the ADFS machine off and retire it
Create a new Server 2012 R2 machine with the same name and IP as your Server 2008 R2 ADFS machine
While the new ADFS machine is being created, login to one of your ADFS proxy servers
Remove the proxy from your load balancer
Stop the AD FS 2.0 Windows Service
Turn the machine off and retire it
Create a new Server 2012 R2 machine with the same name and IP as your Server 2008 R2 ADFS Proxy machine
While the new ADFS proxy machine is being created, login to your new ADFS Server 2012 R2 machine.
Open up Server Manage and select Manage -> Add Roles and Features
On the Before You Begin screen, click Next >
Select Role-based or feature-based installation and click Next >
Select your server and click Next >
Check Active Directory Federation Services and click Next >
Click Next > on Features
Click Next > on AD FS
Click Install
Click on the Configure the federation service on this server. link once the installation has completed successfully.
Check Create the first federation server in a federation server farm on the Welcome screen for the Active Directory Federation Services Configuration Wizard and then click Next >
1. Please see my notes below on why we did not check Create the first federation server in a federation server farm.
Click Next > on the Connect to AD DS step
Copy the .pfx file we exported from the ADFS server earlier to the new ADFS server
On the Specify Service Properties screen, click on the Import... button
Select your certificate and click Open
Type in the password to the exported certificate and click OK
Type in a Federation Service Display Name that will be shown to your users when they login to the ADFS service (this can be anything), and click Next >
On the Specify Service Account screen, click the Select... button
Type in the name of your service account you wish to use for ADFS, click the Check Names button to verify you don't have any typos, and click OK
Type in the password for the ADFS service account and click Next >
Click Next > on the Specify Configuration Database
1. Note: I choose to continue to use WID, you can switch to SQL if you would like now, however that is outside of the scope of this document.
Click Next > on the Review Options screen
Click the Configure button once all the prerequsite checks have passed successfully
Click Close once the server has successfully been configured
Open up Internet Explorer on the new ADFS machine and navigate to https://localhost/adfs/ls/IdpInitiatedSignon.aspx to ensure the service is properly running
1. Note: you should receive an invalid ssl certificate error; that is OK, we will switch the DNS records over once we are ready to transition from our old farm to the new one.
Next, login to your Server 2008 R2 primary ADFS server and recreate the federation trusts on the new Server 2012 R2 primary ADFS server
1. Start -> Administrative Tools -> AD FS 2.0 Management; select Trust Relationships -> Relying Party Trusts
2. Recreate all the rules/trusts from your original ADFS server on your new Server 2012 R2 ADFS machine
  1. Note: If you are recreating rules for Office 365, you will need to wait until you switch over our new Server 2012 R2 environment to production. The reason is when you setup the new ADFS instance, some of the certificates will change causing a certificate mismatch/preventing your users from logging in. You will need to make sure you follow the following steps when resetting up the Office 365 trust to ensure your users don't receive "Error 80041317": http://support.microsoft.com/kb/2647020/en-us
Login to your new ADFS Proxy server
Import your SSL cerficate from your old ADFS server (from step 8) onto the server's Local Machine certificate store
1. Right click on Start and select Run
2. Type MMC and click OK
3. Click File -> Add/Remove Snap-in...
4. Select Certificates and click Add >
5. Select Computer account and click Next >
6. Select Finish
7. Click OK on the Add or Remove Snap-ins screen
8. Expand Certificates (Local Computer), select Personal, and right click, select All Tasks -> Import...
9. Click Next on the Certificate Import Wizard
10. Click the Browse... button
11. Select your certificate and click Open
  1. Note: You may need to click on the dropdown box in the bottom right and select All Files for your pfx file to show up.
12. Click Next on the File to Import screen
13. Type in the password to the pfx file, check Mark this key as exportable, and click Next
14. Ensure Place all certificates in the following store shows Personal and click Next
15. Click Finish
16. Click OK on the Certificate Import Wizard successful dialog box
Edit the hosts file to point your DNS record to your new ADFS server
1. Open Notepad as an Administrator
2. Open the following file: C:\Windows\System32\drivers\etc\hosts
3. Add in your DNS entry and point to your new ADFS server
4. Save the file
  1. Note: We will come back to this later and update it to point to our load balancer once we switch over everything. For now, this lets us test our new deployment while switching things over.
Open up Server Manager
Click Manage -> Add Roles and Features
Click Next > on the Before you begin screen
Select Role-based or feature based installation and click Next >
Select your server and click Next >
Check Remote Access on the Server Roles screen
Click Next > on the Features screen
Click Next > on the Remote Access screen
Check Web Application Proxy
ClickAdd Features on the Add Roles and Features Wizard dialog box
Click Next > on the Roles Services screen
Click Install on the Confirmation screen
Click on the Open the Web Application Proxy Wizard link once the installation succeeds
Click Next > on the Welcome screen
Type in the FQDN to your ADFS server, the credentials of an account with local admin privileges, and then click Next >
Select your certificate on the AD FS Proxy Certificate screen and click Next >
Click Configure on the Confirmation screen
Click Close once the Web Application Proxy has been successfully configured.
After you click close a new window should open. On the Remote Access Management Console, select Publish
1. Note: This step only needs to be done once. It will replicate to all other proxy servers when you set those up at a later time.
Click Next > on the Welcome screen
Select Pass-through and click Next >
Enter in a name, external URL, and internal URL for your federated server (mine were both the same since I use split-dns). Click Next >
Click Close
Add the new Server 2012 R2 ADFS machine to your load balancer and remove your Server 2008 R2 machine.
Add the new Server 2012 R2 ADFS Proxy machine to your load balancer and remove your Server 2008 R2 proxy machine.
Update the hosts file on your Server 2012 R2 proxy machine to point to your load balanced Server 2012 R2 ADFS environment
Retire your Server 2008 R2 ADFS environment
1. Disjoin the ADFS proxy server from the domain and recycle the machine
2. Open up PowerShell as an Administrator
3. Execute the following commands:
  1. Add-PsSnapin Microsoft.Adfs.Powershell
    Get-AdfsProperties
4. Stop the service on your Server 2008 R2 ADFS machine running the old ADFS farm
5. Execute the following command to remove the ADFS Farm info from AD (substituting in the information from the Get-AdfsProperties command):
  1. $delme = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=484e24a8-5726-4186-8e24-825b77920798,CN=ADFS,CN=Microsoft,CN=Program Data,DC=mydomain,DC=local")
    $delme.DeleteTree()
6. Disjoin the ADFS machine from the domain and recycle the machine
Add a new Server 2012 R2 machine and WAP machine to your new ADFS environment for redudnancy (same steps as above, except in Step 27, you will select Add a federation server to federation server farm

Notes: Here is the upgrade compatibility matrix for upgrading ADFS from a specific version to Server 2012: http://technet.microsoft.com/en-us/library/jj647765.aspx

Why did I not check Add a federation server to a federation server farm on the Welcome screen for the Active Directory Federation Services Configuration Wizard?

The reason behind not checking this is I believe Microsoft has a bug in their discovery tool in adding another machine to a farm running ADFS 3.0. When adding a Server 2012 R2 machine to a farm with only Server 2008 R2 machines running ADFS 2.0, you will receive the following error:

The primary federation server was contacted successfully, but the configuration data was not valid. Ensure that the primary federation server is running Windows Server 2012 R2 or later. Unable to retrieve configuration from the primary server. The primary federation server was contacted successfully, but the configuration data was not valid. Ensure that the primary federation server is running Windows Server 2012 R2 or later. Prerequisites Check Completed One or more prerequisites failed. Please fix these issues and click "Rerun prerequisites check"

Symptom: You receive the following error while setting up the WAP (proxy) server:

An error occurred when attempting to establish a trust relationship with the federation service. Error: Not Found

Resolution: Make sure you update the DNS records of your ADFS deployment to point to your new ADFS server. Both the ADFS proxy and ADFS server must be running the same OS version (in this case, Server 2012 R2).

[Tutorial] Rooting and Installing Cyanogenmod 11 (Android 4.4 KitKat) w/ Google Apps on the Droid RAZR Maxx

61 Replies

Here are my notes on rooting and installing Cyanogenmod 11 (Android 4.4 KitKat) on my Motorola RAZR Maxx. This guide follows almost the exact same steps as my previous guide found here: http://jackstromberg.com/2013/09/tutorial-rooting-and-installing-cyanogenmod-10-2-w-google-apps-on-the-droid-razr-maxx/

If you followed my previous tutorial and are trying to upgrade to Cyanogenmod 11, follow this guide starting at step 18. If you receive Error Status 6 when installing new Cyanogenmod version, please see the notes at the bottom of this guide.

By reading this, you are agreeing that I take no responsibility for what you do with your phone, nor will send me angry emails saying I janked your phone.

Enable USB debugging
1. Settings->Developer Options->Enable Developer options at the top-> (Hit ok on the notification asking for Allow development settings)->Check USB debugging (Click OK on the Allow USB debugging? dialog).
Download a copy of latest build of Cyanogenmod
1. http://wiki.cyanogenmod.org/w/Spyder_Info
2. I am going to live on the edge and install a nightly to get to 11. If you don't want bugs, use a stable version (As of right now (12/21/2013), Cyanogenmod has not officially released a stable version of Cyanogenmod 11 for the Droid RAZR Maxx).
3. Notes: I found a pretty sweet page that lists the nightly changes to the rom. If you are curious, you can view the nightly changes here: http://www.cmxlog.com/11/spyder/
Download a copy of Google Apps
1. http://wiki.cyanogenmod.org/w/Gapps
2. By default, Cyanogenmod cannot ship with Google Apps due to legality reasons, so these will need to be installed manually. Without these, you will not have Google Play, Music, Maps, etc. In this case, grab a copy of gApps for 11. If you don't have a program to download torrent files, you will need to download the gApps package from the AFH link provided on the cyanogenmod page.
Download a copy of RazrBlade, which we will use to exploit the phone and gain root access:
1. For Windows: http://cmw.cmfs.me/razrblade/razr_blade_win.zip
2. For Mac: http://cmw.cmfs.me/razrblade/razr_blade_mac.zip
3. For Linux: http://cmw.cmfs.me/razrblade/razr_blade_linux.zip
Extract the files of the razr_blade_XXX.zip archive.
If you are running windows, download a copy of the Motorola drivers to connect your phone.
1. Motorola x86 drivers: http://goo.im/devs/Hashcode/moto_root/Motorola_End_User_Driver_Installation_5.9.0_32bit.msi
  Motorola x64 drivers: http://www.adbtoolkit.com/drivers/applications/motorola/Motorola_End_User_Driver_Installation_5.9.0_64bit.msi
Run through the Motorola driver installation if you are running windows.
Plug your phone in to your machine
Navigate back to the files you extracted, right click Run.bat, run as Administrator
1. If you are on Linux, execute RootLinux.sh and if you are on Mac OS, execute RootMac.sh
Press any key to continue
Once your phone has completed phase one (which ends up with a reboot of the phone), complete the following tasks on your phone
1. Click Apps->SmartActions->Get Started->Next->Battery Saver->Save->Home button
Press any key to continue with "Phase two"
1. Your phone will reboot again
2. Phase four will start
3. Your phone will reboot again
After phase four completes, you should be notified the phone has been rooted.
1. Notes: I received some permission errors the first time I ran through this (as shown in the picture above). I ended up rebooting the phone, making sure I had the latest version of SmartActions and then reran the batch file. After that, I was able to successfully get the Superuser program (which we talk about next) to run.
Next, grab a copy of Superuser.apk (included inside the razr_blade zip file) and copy it over to the SD card.
At this time, copy over the cyanogenmod zipped file you downloaded earlier. Throw it on the root of your SD card.
Copy over the gApps zip file we downloaded earlier and throw that on the root of your SD card as well.
Disconnect the phone from the computer and install the SuperUser application. Apps->Files->SD Card->Superuser.apk, Install, Open. If it asks to update, go ahead and allow it to update the binaries.
Next, grab a copy of SafeStrap. We will use this as the bootstrap to flash your phone to Cyanogenmod as well as provide an easy way to switch between different ROMs.
1. https://goo.im/devs/Hashcode/spyder/safestrap/Safestrap-Spyder-3.73.apk
Copy the file over to your phone
Apps->Files->SD card->Safestrap-Spyder-3.73.apk->Package installer->Install->Open
Hit Ok when prompted for superuser privileges, and then select Agree.
Once inside the Safestrap application, click Install Recovery.
1. Once installed, you should see the Recovery State say Installed
Reboot your phone
When you see the Safestrap splash screen, hit the Menu button on your phone.
Once you have hit the Menu button, there will be a brief delay where you screen goes black and then redirects you to one with a couple of big buttons. Push the button labeled Boot Options.
Push the ROM-Slot-1 button.
Select the size of your data store and then hit Activate.
1. Note: This is the amount of space in the partition for Cyanogenmod operating system and associated apps. If you plan to only use the one slot, I would set the slot to 3GB. If you are going to be using multiple ROM slots and space was is an issue you might want to lower the allocation.
Once it is done doing its shindig, hit the back button twice to get to the screen that shows Boot Options, Install, Backup, Restore, Mount, Wipe, Advanced, and Reboot.
Push the Install button.
1. Note, if the Install button is Red, you are going to override your stock ROM. Make sure that you have activated ROM-Slot-1 before proceeding.
Scroll down and select the Cyanogenmod zip file you copied to the SD card earlier.
Swipe the "Swipe to Confirm Flash" area to begin flashing your phone with Cyanogenmod.
Once done, it should say Successful in blue text. Hit the Wipe cache/dalvik button.
1. Swipe the Swipe to Wipe area (lol)
Hit the Back button.
Hit the Reboot System button.
At this point, you should be greeted by the Cyanogenmod welcome screen upon boot. I opted out of the Cyangenmod account and decided to continue on.
Next, we need to install Google Apps on the phone. To do this, reboot the phone and press the Menu button when you see the SafeStrap splash screen.
1. Note: Google Apps are totally optional. If you want to roll with Stock Cyanogenmod and manually install apps via their APK files for ultra security, that is totally cool.
2. Note 2: If you receive an error saying "unable to mount '/osh' gapps", simply ignore the error and boot back into Cyanogenmod. I received this error, but all the Google Apps seemed to have installed just fine.
Hit the Install button.
Select the gApps zip file from your SD card
Swipe the Swipe to Confirm Flash area
Once the apps have been successfully installed, hit the Wipe cache/dalvik button.
Swipe the Swipe to Wipe area
Hit the Back button
Hit the Reboot System button
Once you are greeted by a "Allow Google's location service to collect anonymous location data." prompt, you will know you have successfully installed the Google apps! 😛

That should do it! Enjoy Cyanogenmod 11! 🙂

Notes:

If you receive the following error when trying to install the Cyanogenmod 11 package:

Finding update package...
Opening update package...
Installing update...
E: Error in /sdcard-ext/cm-11-2013-12-21-NIGHTLY-spyder.zip (Status 6)
Error flashing zip '/sdcard-ext/cm-11-2013-12-21-NIGHTLY-spyder.zip'

Please make sure you have upgraded to the latest version of SafeStrap. SafeStrap v3.65 or higher must be installed for Cyanogenmod 11 to properly install. As a heads up, you will need to open the SafeStrap app and press the Install Recovery button to actually get SafeStrap to upgrade to the latest version. Simply upgrading the SafeStrap apk file will NOT complete the upgrade.

P.S. Here is the official Cyanogenmod info page for the Motorola Droid RAZR/RAZR MAXX (CDMA)
http://wiki.cyanogenmod.org/w/Spyder_Info

[Error] You must have Microsoft Online Services Sign-In Assistant version 7.0 or greater installed on this computer

1 Reply

Symptom: When trying to install the Microsoft Online Services Sign-In Assistant (Windows Azure Active Directory Module for Windows PowerShell) to manage Office 365 or Windows Azure, you receive the following error:

In order to install Windows Azure Active Directory Module for Windows PowerShell, you must have Microsoft Online Services Sign-In Assistant version 7.0 or greater installed on this computer.

Solution: Try installing the latest version of the Microsoft Online SErvices Sign-In Assistant.

Microsoft Online Services Sign-In Assistant (IDCRL7) – 32 bit version
Microsoft Online Services Sign-In Assistant (IDCRL7) – 64 bit version

If you still receive the error after installing the Sign-In Assistant, make sure you are using the latest installer for the Microsoft Online Services Module for Windows Powershell.

Microsoft Online Services Module for Windows PowerShell (32-bit version)
Microsoft Online Services Module for Windows PowerShell (64-bit version)

If you still receive the error after trying both installers, try installing the Beta version of the Windows Azure Active Directory Module for Windows PowerShell.

Microsoft Online Services Sign-In Assistant for IT Professionals BETA

Notes: The first time I saw this issue was running Windows 8.1 on my Surface Pro 2. I did not seem to see this issue on Windows 7.

[Error] Enable-CsUser : Specified SIP domain is not vaild. Specify a valid SIP domain and then try again.

2 Replies

Issue: When trying to enable a new user for Lync, you receive the following error; both within PowerShell and the Web GUI.

Enable-CsUser : Specified SIP domain is not vaild. Specify a valid SIP domain and then try again.

When executing: Enable-CsUser -Identity "DOMAIN\Jack.Stromberg.Admin" -RegistrarPool "lyncpool.mydomain.local" -SipAddressType "emailaddress" -SipDomain "mydomain.com"

Solution: Most of the time this turns out to be a typo in the -SipDomain parameter or the user's email address set inside of Active Directory. Once you verify that you do not have any typos in the user's email address/SipDomain parameter, the user should be able to be added successfully. If neither work, you can specify the SipAddressType to be the user's SamAccountName rather than email address.

[Tutorial] Configuring Direct Access on Server 2012 R2

17 Replies

This tutorial will cover deployment of Windows Server 2012 R2's latest version of DirectAccess. While there are multiple ways to configure Direct Access, I tried to pull together what I believe are the best/recommended practices and what I believe would be a common deployment between organizations. If you have any thoughts/feedback on how to improve this deployment, please leave a comment below.

Before beginning, if you are curious what DirectAccess is, here is a brief overview of what it is and what it will allow us to accomplish.

DirectAccess, also known as Unified Remote Access, is a VPN-like technology that provides intranet connectivity to client computers when they are connected to the Internet. Unlike many traditional VPN connections, which must be initiated and terminated by explicit user action, DirectAccess connections are designed to connect automatically as soon as the computer connects to the Internet. DirectAccess was introduced in Windows Server 2008 R2, providing this service to Windows 7 and Windows 8 "Enterprise" edition clients.
http://en.wikipedia.org/wiki/DirectAccess

Prerequisites

Domain Admin rights to complete the tutorial below
Windows Server 2012 R2 machine
- Two network cards - One in your internal network, the other in your DMZ
- Joined to your domain
- Latest Windows Updates
  (seriously, apply these, there are updates released specifically for DirectAccess)
DMZ
PKI Setup (Public Key Infrastructure to issue self-signed certificates)
- Custom template setup for issuing servers with an intended purpose of Server Authentication
- Certificate auto-enrollment has been configured
Active Directory Security Group designated with Computer Objects allowed to use DirectAccess

Login to your Server 2012 R2 server we will be using for installing the Direct Access
Ensure all windows updates have been applied.
Open up Server Manager
Select Manage -> Add Roles and Features
Click Next > on the Before you Begin step
Ensure Role-based or feature-based installation is checked and click Next >
Select Next > on the Select destination server step
Check Remote Access and click Next >
Click Next > on the Select Features step
Click Next > on the Remote Access step
Check DirectAccess and VPN (RAS)
Click the Add Features button on the dialog box that prompts
Check DirectAccess and VPN (RAS) and then click Next >
Click Next > on the Web Server Role (IIS) page
Click Next > on the Role Services page
Check the Restart the destination server automatically if required checkbox and click Yes on the dialog box.
Click Install
Click Close when the install has completed
Back in Server Manager, click on Tools -> Remote Access Management (You can ignore the warning icon, the Open the Getting Started Wizard will only do a quick setup of DirectAccess. We want to do a full deployment).

Here is what the quick deployment looks like. Don't click on this.
On the Remote Access Management Console, click on DirectAccess and VPN on the top left and then click on the Run the Remote Access Setup Wizard.
On the Configure Remote Access window, select Deploy DirectAccess only
Click on the Configure... button for Step 1: Remote Clients
Select Deploy full DirectAccess for client access and remote management and click Next >
Click on the Add... button
Select the security group inside of Active Directory that will contain computer objects allowed to use DirectAccess and click OK
Optionally, uncheck or check Enable DirectAccess for mobile computers only as well as Use force tunneling and click Next >
1. If Enable DirectAccess for mobile computers is checked, WMI will query the machine to determine if it is a laptop/tablet. If WMI determines the machine is not a "mobile device", the group policy object will not be applied to those machines in the security group. In short, if checked, DirectAccess will not be applied to computers that are desktops or VMs placed inside the security group.
2. If Use force tunneling is checked, computers will always use the direct access server when remote. For example, if the user surfs the web to a public website like jackstromberg.com, the traffic will go through the DirectAccess tunnel and back to the machine, rather than directly to the ISP. Generally, this is used for strict compliance environments that want all network traffic to flow through a central gateway.
Double click on the Resource | Type row
1. What this step is trying to do is find a resource on the internal network that the client can "ping" to ensure the DirectAccess client has successfully connected to the internal network.
Select whether you want the client to verify it has connected to the internal network via a HTTP response or network ping, optionally click the validate button to test the connection, and then click Add
1. You may want to add a couple resources for failover testing purposes, however it isn't recommended to list every resource on your internal network.
Enter in your Helpdesk email address and DirectAccess connection name (this name will show up as the name of the connection a user would use), and check Allow DirectAccess clients to use local name resolution and click Finish.
1. Based on what I could find, checking Allow DirectAccess clients to use local name resolution will allow the DirectAccess client to use the DNS server published by DHCP on the physical network they are connected to. In the event the Network Location server is unavailable, the client would then use the local DNS server for name resolution; allowing the client to at least access some things via DNS.
Click on Configure... next to Step 2: Remote Access Server
On the Remote Access Server Setup page, select Behind an edge device (with two network adapters) and ensure you specify a public facing DNS record that DirectAccess will use to connect back to your environment, and then click Next >
1. NOTE: By default, your domain's FQDN will be used, so if you have a .local domain, you will want to switch this to your actual .com, .net, .org, .whatever.
2. As an additional side note, hereis some information from the following KB article on what the differences are between each of the topologies. From what I gather, using the dual NIC configuration is Microsoft's best practice from a security standpoint.
  - Two adapters—With two network adapters, Remote Access can be configured with one network adapter connected directly to the Internet, and the other is connected to the internal network. Or alternatively the server is installed behind an edge device such as a firewall or a router. In this configuration one network adapter is connected to the perimeter network, the other is connected to the internal network.
  - Single network adapter—In this configuration the Remote Access server is installed behind an edge device such as a firewall or a router. The network adapter is connected to the internal network.
On the Network Adapters step, select your External (DMZ) and Internal (LAN) adapters.
Leave the Remote Access Setup screen open and right click on Start button and select Run
Type mmc and select OK
Click File -> Add/Remove Snap-in...
Select Certificates and click Add >
Select Computer account and click Next >
Ensure Local Computer is selected and click Finish
Click OK on the Add or Remove Snap-ins machine
Expand Certificates (Local Computer) -> Personal -> Certificates, right click on Certificates and select Request New Certificate...
Click Next on the Before You Begin screen
Click Next on the Select Certificate Enrollment Policy
Select your template that will support server authentication and click More information is required to enroll for this certificate. Click here to configure settings.
1. Note: The WebServers enrollment policy is not something out of the box configured by Microsoft. You will need to manually login to your certificate authority, duplicate the Web Servers template with the settings you wish, ensure your usergroup can Enroll for a certificate, and then publish it to AD.
On the Subject tab, enter the following values (substituting in your company's information):
Common name: da.mydomain.com
Country: US
Locality: Honolulu
Organization: My Company
Organization Unit: Information Technology
State: Hawaii
On the Private Key tab, expand Key options and check Make private key exportable. Click Apply when done.
Click Enroll.
Click Finish.
Go back to the Remote Access Setup screen and click Browse...
Select your da.mydomain.com certificate we just created and click OK.
Click Next >
Check Use computer certificates and check Use an intermediate certificate and then click Browse...
Select the certificate authority that will be issuing the client certificates and click click OK
Optionally, you may enable Enable Windows 7 client computers to connect via DirectAccess as well as Enforce corporate compliance for DirectAccess clients with NAP. Note: Configuring these two options are not covered in the scope of this tutorial. Click Finish when done.
Click on Configure... next to Step 3: Infrastructure Servers
On the Remote Access Setup screen, check The network location server is deployed on a remote web server (recommended), type in the website address to the Network Location Server, and click Next >
1. So for whatever reason, there aren't many articles explaining what exactly the network location server is and how to set it up. From what I gather, the Network Location Server is merely a server with a website running on it that the client can contact to ensure it has reached the internal network. The webpage can be the default IIS webpage; just ensure the website is NOT accessible externally.
Specify any additional DNS servers you wish to use for name resolution, ensure Use local name resolution if the name does not exist in DNS or DNS servers are unreachable when the client computer is on a private network (recommended) is checked and click Next >
Check Configure DirectAccess clients with DNS client suffix search list, ensure your local domain's suffix has been added, and click Next >
Click Finish on the Management page.
Click the Configure.... button on Step 4: Application Servers
Check Do not extend authentication to application servers and click Finish
Click Finish... on the Remote Access Management Console page
Click Apply on the Remote Access Review page
Click Close once direct access has successfully finished deploying
Login to one of your Windows 8.X Enterprise machines that is inside of your DirectAccess Compuers security group and run a gpupdate from command line to pull down the latest group policy.
At this point, you should now be able to login to your network via DirectAccess!

NOTES:

Here is a pretty good resource from Microsoft on helping plan your DirectAccess deployment. Once you click on the link, in the bottom left corner, you will find two steps to some good KB articles: http://technet.microsoft.com/en-us/library/jj134262.aspx

Here is another article from Microsoft with a more indepth explanation about where to place the Network Location Server: http://technet.microsoft.com/en-us/library/ee382275(v=ws.10).aspx

Office 365 - Single Sign-On for SharePoint, Skydrive, CRM, etc. via Smart Links

12 Replies

Update: I have released a smart link generator to have these items created automatically, please find this here: http://jackstromberg.com/o365-smart-linksso-link-generator/

Synopsis: One of the biggest problems I have seen with Office 365 is ease in accessibility to all of the Office365 resources. As pointed out on many of the Microsoft forums, SharePoint, CRM, Skydrive, etc. do not automatically complete a single-sign on request when browsing the website.

Problem: When a user browses https://mydomain.sharepoint.com for example, the user is prompted to enter in their email address. What a user expects is that they should automatically be logged in and see sharepoint when navigating to https://mydomain.sharepoint.com Additionally, for whatever reason, users cannot remember the website address to https://mydomain.sharepoint.com Instead, they want to do something like http://sharepoint.mydomain.com

Solution: Create name branded "fancy URLs" that will complete an idp claim to give the user a true SSO experience.

http://owa.mydomain.com
http://sharepoint.mydomain.com
http://skydrive.mydomain.com
http://crm.mydomain.com

Solution:

Open up Internet Explorer
Navigate to https://mydomain.sharepoint.com
Press F12 to open up the developer tools console (I am running IE 11, the console looks way different than previous versions of IE)
Scroll down and select the icon that looks like a little WiFi antenna
Click the green play button
Type in your email address as you would to login to sharepoint ([email protected])
You should be redirected to your ADFS server and inside the network console, you should see a link like https://sts.mydomain.com/adfs/ls/?.................. Copy this link into notepad.
Remove the extra stuff from the debug console
Before

After
Remove everything from cbcxt=..... to wa=wsignin1.0
Remove the ct%3D1386214464%26 and bk%3D1386214464%26 parameters
Next, open up another new notepad document named index.html and paste the following text into it
1. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>CRM</title>
  <meta http-equiv="refresh" content="0; url=https://sts.mydomain.com link goes here" /></head>
  
  <body>
  
  </body>
  </html>
Replace https://sts.mydomain.com link goes here with your new smart link and save the document.
Upload the index.html file to one of your your webservers
Create a new A record called sharepoint.mydomain.com pointing to your webserver
Now when a user browses http://sharepoint.mydomain.com, the user will automatically be redirected to your secure ADFS Proxy and authenticate automatically.

You will need to repeat the steps above for each of the Office 365 products your company uses. The federated addresses do change, so you will have to follow all of the steps over again for each Smart Link you wish to create.

NOTES:

Here is an official article on creating smart links: http://community.office365.com/en-us/wikis/sso/using-smart-links-or-idp-initiated-authentication-with-office-365.aspx

Server 2012 R2 - Missing Group Policy - Internet Explorer Maintenance

14 Replies

Symptom: When navigating to User Configuration - Policies - Windows Settings via Group Policy Management Editor, Internet Explorer Maintenance is missing from the list of configurable policies.

Explanation: Internet Explorer 10 (which is installed by Default on Server 2012 R2) deprecates Internet Explorer Maintenance (IEM) in favor of a more robust tool called Group Policy Preferences. As you can see in the following Microsoft KB article, a link to the Internet Explorer Maintenance policy alternatives can be found here: http://technet.microsoft.com/library/hh846772.aspx

Solution: Remove the old Internet Explorer Maintenance policies and switch over to use Preferences to manage your domain machines. This tutorial will not go into using Preferences, however it will go over removing the Internet Explorer Maintenance policies from your GPO. Since I went ahead and upgraded our environment to Server 2012 R2 I ended up having to configure a new Server 2008 R2 machine. If someone has an easier solution, please let me know in the comments below.

Login to any member machine of the domain that is running Server 2008 R2 or earlier and does not contain Internet Explorer 10 or greater
Open up Server Manager
Install Group Policy Management if it is not installed
1. Select Features and click Add Features
2. Select Group Policy Management and click Next >
3. Click Install
4. Click Close
Select Features- > Group Policy management -> Expand your forest -> Expand Domains -> Select your domain -> Right click and Edit... one of your policies
Expand User Configuration -> Policies -> Software Settings -> Windows Settings and select Internet Explorer Maintenance.
Right click on Internet Explorer Maintenance and select Reset Browser Settings
Click Yes on the Internet Explorer Maintenance dialog box
If all went well, you should now see all of the deprecated Internet Explorer Maintenance policies removed from your Group Policy Object.
Before

After

Notes:
Official KB on installed Group Policy Manager: http://technet.microsoft.com/en-us/library/cc725932.aspx

Official KB article on replacements for Internet Explorer Maintenance: http://technet.microsoft.com/en-us/library/jj890998.aspx

Forum post showing frustration over this: http://social.technet.microsoft.com/Forums/windowsserver/en-US/1f6a0d43-e81f-4038-88f6-75d8921fdf82/missing-group-policy-internet-explorer-maintenance?forum=winserver8gen

Yammer and Office 365 Enterprise

Error: DHCP: Credentials for DNS update should be configured if secure dynamic DNS update is enabled and the domain controller is on the same host as the DHCP server.

4 Replies

Symptom: In Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 you receive the following Warning when running the Microsoft Best Practices Analyzer.

Severity: Error
DHCP: Credentials for DNS update should be configured if secure dynamic DNS update is enabled and the domain controller is on the same host as the DHCP server.

What does this mean?

If you have the DHCP service installed on your domain controller without a service account configured, by default, DNS registrations from DHCP clients will be prevented from being registered and will log event 1056 in event viewer.

Solution: Complete the following steps below to change the credentials of the service account used for DHCP.

Before beginning, make sure you have a service account you can use to set the DHCP Server to run as. This account should be a domain account (not a local account) and should not have any fancy privileges (standard user account, not an administrator).
Open up Server Manager
Click Tools and select DHCP
Expand your DHCP server and right click on the IPv4 service and select Properties
Select the Advanced tab and then click the Credentials... button
Enter in the User name, domain, password, and confirmation password to the user and click OK
Click OK on the IPv4 Properties screen
Repeat this step on each of the DHCP servers in your domain. It is recommended to use the same service account on each of the machines.

Notes: The official KB article from Microsoft on this subject can be found here: http://technet.microsoft.com/en-us/library/ee941181(v=ws.10).aspx
Another very good Technet article written by karammasri on this subject can be found here: http://blogs.technet.com/b/stdqry/archive/2012/04/03/dhcp-server-in-dcs-and-dns-registrations.aspx

Warning: Short file name creation should be disabled

2 Replies

Symptom: In Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 you receive the following Warning when running the Microsoft Best Practices Analyzer.

Severity: Warning
Short file name creation should be disabled

What is short file name creation?

Back in the good ol' days of windows, filenames were limited to a format of 8 characters for the name, a period, and then 3 characters for a file extension. The filename was limited by FAT formatted partitions. Unless running very old legacy applications, this can be safely turned off to help with performance.

Solution: Complete the following steps below to disable short file name creation.

Open up an elevated powershell console
Execute the following command
1. Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name NtfsDisable8dot3NameCreation -Value 1
Optionally, you can open up registry viewer and confirm the value has been changed.

Notes: An official KB article from Microsoft on this topic can be found here: http://technet.microsoft.com/en-us/library/ff633453(v=ws.10).aspx

Jack Stromberg

A site about stuff