Monthly Archives: December 2013

[Tutorial] Upgrading from ADFS 2.0 (Server 2008 R2) to ADFS 3 (Server 2012 R2)

Scenario: You want to upgrade your ADFS 2.0 or 2.1 farm using WID (Windows Internal Database) from Server 2008 R2 to Server 2012 R2.  In this scenario, I have 2 ADFS servers (one as the primary and a second for failover purposes), and 2 ADFS Proxy servers (for load balancing/failover purposes).

NOTE: Prior to writing this article I had only found limited documentation provided by Microsoft on a proper upgrade path for this.  Since then, it apperas that tools had been included with the Server 2012 installation media which will greatly cutdown on the number of steps needed as well as provide as little downtime as possible.  I would highly recommend giving this article a read before proceeding with my article: http://blogs.technet.com/b/askpfeplat/archive/2014/03/31/how-to-build-your-adfs-lab-part4-upgrading-to-server-2012-r2.aspx

My article should still work, but it is definitely not the most efficient way to do an upgrade as pointed out in the technet article above.  My guide essentially goes over cutting over to a completely new ADFS deployment “an upgrade”, side-by-side to your production environment. As pointed out below, you cannot add a Server 2012 R2 machine to a Server 2008 R2 ADFS farm as documented in their earlier help articles.

Tutorial

  1. Login to one of your slave ADFS nodes (secondary server) running Server 2008 R2
  2. Remove the node from your load balancer
  3. Stop the AD FS 2.0 Windows Service
  4. Click Start -> Administrative Tools -> Internet Information Services (IIS) Manager Server 2008 R2 - Start - Administrative Tools - Internet Information Services IIS Manager
  5. Select your server and double click on Server Certificates Internet Information Services IIS Manager - Server Home
  6. Right click on your certificate and select Export… Internet Information Services IIS Manager - Export Certificate
  7. Export the certificate to your desktop, type in a password to protect the exported certificate/private key, and select OK
    Export Certificate Properties
  8. Copy the pfx (exported certificate/private key) to your local machine; we will import this on our new server later.
  9. Disjoin the ADFS machine from the domain
  10. Turn the ADFS machine off and retire it
  11. Create a new Server 2012 R2 machine with the same name and IP as your Server 2008 R2 ADFS machine
  12. While the new ADFS machine is being created, login to one of your ADFS proxy servers
  13. Remove the proxy from your load balancer
  14. Stop the AD FS 2.0 Windows Service
  15. Turn the machine off and retire it
  16. Create a new Server 2012 R2 machine with the same name and IP as your Server 2008 R2 ADFS Proxy machine
  17. While the new ADFS proxy machine is being created, login to your new ADFS Server 2012 R2 machine.
  18. Open up Server Manage and select Manage -> Add Roles and Features Server 2012 - Manage - Add Roles and Features
  19. On the Before You Begin screen, click Next > Add Roles and Features Wizard - Before you begin
  20. Select Role-based or feature-based installation and click Next > Add Roles and Features Wizard - Select installation type
  21. Select your server and click Next > Add Roles and Features Wizard - Select destination server
  22. Check Active Directory Federation Services and click Next > Add Roles and Features Wizard - Server Roles - Active Directory Federation Services
  23. Click Next > on Features Add Roles and Features Wizard - Features - Default
  24. Click Next > on AD FS Add Roles and Features Wizard - AD FS
  25. Click Install Add Roles and Features Wizard - Confirmation - Active Directory Federation Services
  26. Click on the Configure the federation service on this server. link once the installation has completed successfully. Add Roles and Features Wizard - Results - Configure the federation service on this server
  27. Check Create the first federation server in a federation server farm on the Welcome screen for the Active Directory Federation Services Configuration Wizard and then click Next > Active Directory Federation Services Configuration Wizard - Welcome
    1. Please see my notes below on why we did not check Create the first federation server in a federation server farm.
  28. Click Next > on the Connect to AD DS step
    Active-Directory-Federation-Services-Configuration-Wizard-Connect-to-AD-DS
  29. Copy the .pfx file we exported from the ADFS server earlier to the new ADFS server
  30. On the Specify Service Properties screen, click on the Import… button Active Directory Federation Services Configuration Wizard - Specify Service Properties - Import
  31. Select your certificate and click Open Select Certificate
  32. Type in the password to the exported certificate and click OK Enter certificate password
  33. Type in a Federation Service Display Name that will be shown to your users when they login to the ADFS service (this can be anything), and click Next > Active Directory Federation Services Configuration Wizard - Specify Service Properties - Federation Service Display Name
  34. On the Specify Service Account screen, click the Select… button Active Directory Federation Services Configuration Wizard - Specify Service Properties - Use an existing domain user account or group Management Service Account
  35. Type in the name of your service account you wish to use for ADFS, click the Check Names button to verify you don’t have any typos, and click OK Active Directory Federation Services Configuration Wizard - Specify Service Properties - Select User or Service Account
  36. Type in the password for the ADFS service account and click Next > Active Directory Federation Services Configuration Wizard - Specify Service Properties - Use an existing domain user account or group Management Service Account - Username password
  37. Click Next > on the Specify Configuration Database Active Directory Federation Services Configuration Wizard - Specify Database - Create a database on this server using Windows Internal Database
    1. Note: I choose to continue to use WID, you can switch to SQL if you would like now, however that is outside of the scope of this document.
  38. Click Next > on the Review Options screen Active Directory Federation Services Configuration Wizard - Review Options
  39. Click the Configure button once all the prerequsite checks have passed successfully Active Directory Federation Services Configuration Wizard - Pre-requisite Checks
  40. Click Close once the server has successfully been configured Active Directory Federation Services Configuration Wizard - Results
  41. Open up Internet Explorer on the new ADFS machine and navigate to https://localhost/adfs/ls/IdpInitiatedSignon.aspx to ensure the service is properly running AD FS 3 Test
    1. Note: you should receive an invalid ssl certificate error; that is OK, we will switch the DNS records over once we are ready to transition from our old farm to the new one.
  42. Next, login to your Server 2008 R2 primary ADFS server and recreate the federation trusts on the new Server 2012 R2 primary ADFS server
    1. Start -> Administrative Tools -> AD FS 2.0 Management; select Trust Relationships -> Relying Party Trusts
    2. Recreate all the rules/trusts from your original ADFS server on your new Server 2012 R2 ADFS machine
      1. Note: If you are recreating rules for Office 365, you will need to wait until you switch over our new Server 2012 R2 environment to production.  The reason is when you setup the new ADFS instance, some of the certificates will change causing a certificate mismatch/preventing your users from logging in.  You will need to make sure you follow the following steps when resetting up the Office 365 trust to ensure your users don’t receive “Error 80041317”: http://support.microsoft.com/kb/2647020/en-us
  43. Login to your new ADFS Proxy server
  44. Import your SSL cerficate from your old ADFS server (from step 8) onto the server’s Local Machine certificate store
    1. Right click on Start and select Run
      Server 2012 - Start - Run
    2. Type MMC and click OK
      Server 2012 - Run - mmc
    3. Click File -> Add/Remove Snap-in…
      Server 2012 - mmc - Add Remove Snap-In
    4. Select Certificates and click Add > Add or Remote Snap-ins - Certificates
    5. Select Computer account and click Next > Certificates snap-in - Computer Account
    6. Select Finish Certificates snap-in - Select Computer
    7. Click OK on the Add or Remove Snap-ins screen Add or Remove Snap-ins - Certificates - Local Computer
    8. Expand Certificates (Local Computer), select Personal, and right click, select All Tasks -> Import… Server 2012 - Certificates (Local Computer) - Personal - Import
    9. Click Next on the Certificate Import Wizard Certificate Import Wizard - Welcome
    10. Click the Browse… button Certificate Import Wizard - Browse
    11. Select your certificate and click Open Select Certificate
      1. Note: You may need to click on the dropdown box in the bottom right and select All Files for your pfx file to show up.
    12. Click Next on the File to Import screen Certificate Import Wizard - File to Import
    13. Type in the password to the pfx file, check Mark this key as exportable, and click Next Certificate Import Wizard - Private key protection
    14. Ensure Place all certificates in the following store shows Personal and click Next Certificate Import Wizard - Certificate Store
    15. Click Finish Certificate Import Wizard - Completing the Certificate Import Wizard
    16. Click OK on the Certificate Import Wizard successful dialog boxCertificate Import Wizard - Successful
  45. Edit the hosts file to point your DNS record to your new ADFS server
    1. Open Notepad as an Administrator Server 2012 - Notepad - Administrator
    2. Open the following file: C:\Windows\System32\drivers\etc\hosts Server 2012 - Hosts file
    3. Add in your DNS entry and point to your new ADFS server hosts file - adfs manual entry
    4. Save the file
      1. Note: We will come back to this later and update it to point to our load balancer once we switch over everything.  For now, this lets us test our new deployment while switching things over.
  46. Open up Server Manager
    Server 2012 R2 - Server Manager
  47. Click Manage -> Add Roles and Features
    Server 2012 - Manage - Add Roles and Features
  48. Click Next > on the Before you begin screen Add Roles and Features Wizard - Before you begin
  49. Select Role-based or feature based installation and click Next > Add Roles and Features Wizard - Select installation type
  50. Select your server and click Next > Add Roles and Features Wizard - Select destination server
  51. Check Remote Access on the Server Roles screen Add Roles and Features Wizard - Remote Access
  52. Click Next > on the Features screen Add Roles and Features Wizard - Features - Default
  53. Click Next > on the Remote Access screen
  54. Check Web Application Proxy
  55. ClickAdd Features on the Add Roles and Features Wizard dialog boxAdd Roles and Features Wizard - Web Application Proxy
  56. Click Next > on the Roles Services screen Add Roles and Features Wizard - Role Services - Web Application Proxy
  57. Click Install on the Confirmation screen Add Roles and Features Wizard - Confirmation - Web Application Proxy
  58. Click on the Open the Web Application Proxy Wizard link once the installation succeeds Add Roles and Features Wizard - Confirmation - Web Application Proxy - Open the Web Application Proxy Wizard
  59. Click Next > on the Welcome screen Web Application Proxy Configuration Wizard - Welcome
  60. Type in the FQDN to your ADFS server, the credentials of an account with local admin privileges, and then click Next >Web-Application-Proxy-Configuration-Wizard-Federation-Server
  61. Select your certificate on the AD FS Proxy Certificate screen and click Next >
    Web-Application-Proxy-Configuration-Wizard-AD-FS-Proxy-Certificate
  62. Click Configure on the Confirmation screen Web Application Proxy Configuration Wizard - Confirmation
  63. Click Close once the Web Application Proxy has been successfully configured.Web-Application-Proxy-Configuration-Wizard-Results
  64. After you click close a new window should open.  On the Remote Access Management Console, select Publish
    1. Note: This step only needs to be done once.  It will replicate to all other proxy servers when you set those up at a later time.
      Remote Access Management Console - Publish
  65. Click Next > on the Welcome screen
    Publish New Application Wizard - Welcome
  66. Select Pass-through and click Next >
    Publish New Application Wizard - Preauthentication
  67. Enter in a name, external URL, and internal URL for your federated server (mine were both the same since I use split-dns).  Click Next >
    Publish New Application Wizard - Publishing Settings
  68. Click Close
    Publish New Application Wizard - Results
  69. Add the new Server 2012 R2 ADFS machine to your load balancer and remove your Server 2008 R2 machine.
  70. Add the new Server 2012 R2 ADFS Proxy machine to your load balancer and remove your Server 2008 R2 proxy machine.
  71. Update the hosts file on your Server 2012 R2 proxy machine to point to your load balanced Server 2012 R2 ADFS environment
  72. Retire your Server 2008 R2 ADFS environment
    1. Disjoin the ADFS proxy server from the domain and recycle the machine
    2. Open up PowerShell as an Administrator
      Elevated Powershell
    3. Execute the following commands:
      1. Add-PsSnapin Microsoft.Adfs.Powershell
        Get-AdfsProperties
        get-adfsproperties certificatesharingcontainer
    4. Stop the service on your Server 2008 R2 ADFS machine running the old ADFS farm
    5. Execute the following command to remove the ADFS Farm info from AD (substituting in the information from the Get-AdfsProperties command):
      1. $delme = New-Object System.DirectoryServices.DirectoryEntry(“LDAP://CN=484e24a8-5726-4186-8e24-825b77920798,CN=ADFS,CN=Microsoft,CN=Program Data,DC=mydomain,DC=local“)
        $delme.DeleteTree()
        PowerShell DeleteTree
    6. Disjoin the ADFS machine from the domain and recycle the machine
  73. Add a new Server 2012 R2 machine and WAP machine to your new ADFS environment for redudnancy (same steps as above, except in Step 27, you will select Add a federation server to federation server farm

Notes: Here is the upgrade compatibility matrix for upgrading ADFS from a specific version to Server 2012: http://technet.microsoft.com/en-us/library/jj647765.aspx

Why did I not check Add a federation server to a federation server farm on the Welcome screen for the Active Directory Federation Services Configuration Wizard?

The reason behind not checking this is I believe Microsoft has a bug in their discovery tool in adding another machine to a farm running ADFS 3.0.  When adding a Server 2012 R2 machine to a farm with only Server 2008 R2 machines running ADFS 2.0, you will receive the following error:

The primary federation server was contacted successfully, but the configuration data was not valid. Ensure that the primary federation server is running Windows Server 2012 R2 or later. Unable to retrieve configuration from the primary server. The primary federation server was contacted successfully, but the configuration data was not valid. Ensure that the primary federation server is running Windows Server 2012 R2 or later. Prerequisites Check Completed One or more prerequisites failed.  Please fix these issues and click “Rerun prerequisites check” The primary federation server was contacted successfully, but the configuration data was not valid. Ensure that the primary federation server is running Windows Server 2012 R2 or later

Symptom: You receive the following error while setting up the WAP (proxy) server:

An error occurred when attempting to establish a trust relationship with the federation service. Error: Not Found An error occurred when attempting to establish a trust relationship with the federation service Error Not Found

Resolution: Make sure you update the DNS records of your ADFS deployment to point to your new ADFS server.  Both the ADFS proxy and ADFS server must be running the same OS version (in this case, Server 2012 R2).

[Tutorial] Rooting and Installing Cyanogenmod 11 (Android 4.4 KitKat) w/ Google Apps on the Droid RAZR Maxx

Here are my notes on rooting and installing Cyanogenmod 11 (Android 4.4 KitKat) on my Motorola RAZR Maxx.  This guide follows almost the exact same steps as my previous guide found here: http://jackstromberg.com/2013/09/tutorial-rooting-and-installing-cyanogenmod-10-2-w-google-apps-on-the-droid-razr-maxx/

If you followed my previous tutorial and are trying to upgrade to Cyanogenmod 11, follow this guide starting at step 18.  If you receive Error Status 6 when installing new Cyanogenmod version, please see the notes at the bottom of this guide.

By reading this, you are agreeing that I take no responsibility for what you do with your phone, nor will send me angry emails saying I janked your phone.

  1. Enable USB debugging
    1. Settings->Developer Options->Enable Developer options at the top-> (Hit ok on the notification asking for Allow development settings)->Check USB debugging (Click OK on the Allow USB debugging? dialog).
  2. Download a copy of latest build of Cyanogenmod
    1. http://wiki.cyanogenmod.org/w/Spyder_Info
    2. I am going to live on the edge and install a nightly to get to 11.  If you don’t want bugs, use a stable version (As of right now (12/21/2013), Cyanogenmod has not officially released a stable version of Cyanogenmod 11 for the Droid RAZR Maxx).
    3. Notes: I found a pretty sweet page that lists the nightly changes to the rom.  If you are curious, you can view the nightly changes here: http://www.cmxlog.com/11/spyder/
  3. Download a copy of Google Apps
    1. http://wiki.cyanogenmod.org/w/Gapps
    2. By default, Cyanogenmod cannot ship with Google Apps due to legality reasons, so these will need to be installed manually.  Without these, you will not have Google Play, Music, Maps, etc.  In this case, grab a copy of gApps for 11.  If you don’t have a program to download torrent files, you will need to download the gApps package from the AFH link provided on the cyanogenmod page.
  4. Download a copy of RazrBlade, which we will use to exploit the phone and gain root access:
    1. For Windows: http://cmw.cmfs.me/razrblade/razr_blade_win.zip
    2. For Mac: http://cmw.cmfs.me/razrblade/razr_blade_mac.zip
    3. For Linux: http://cmw.cmfs.me/razrblade/razr_blade_linux.zip
  5. Extract the files of the razr_blade_XXX.zip archive.
  6. If you are running windows, download a copy of the Motorola drivers to connect your phone.
    1. Motorola x86 drivers: http://goo.im/devs/Hashcode/moto_root/Motorola_End_User_Driver_Installation_5.9.0_32bit.msi
      Motorola x64 drivers: http://www.adbtoolkit.com/drivers/applications/motorola/Motorola_End_User_Driver_Installation_5.9.0_64bit.msi
  7. Run through the Motorola driver installation if you are running windows.
  8. Plug your phone in to your machine
  9. Navigate back to the files you extracted, right click Run.bat, run as Administrator
    1. If you are on Linux, execute RootLinux.sh and if you are on Mac OS, execute RootMac.sh
  10. Press any key to continue
    Razr Blade - Phase 1
  11. Once your phone has completed phase one (which ends up with a reboot of the phone), complete the following tasks on your phone
    1. Click Apps->SmartActions->Get Started->Next->Battery Saver->Save->Home button
  12. Press any key to continue with “Phase two”
    Razr Blade - Phase 2

    1. Your phone will reboot again
    2. Phase four will start
    3. Your phone will reboot again
  13. After phase four completes, you should be notified the phone has been rooted.
    1. Phase 3 & 4
      Notes: I received some permission errors the first time I ran through this (as shown in the picture above).  I ended up rebooting the phone, making sure I had the latest version of SmartActions and then reran the batch file.  After that, I was able to successfully get the Superuser program (which we talk about next) to run.
  14. Next, grab a copy of Superuser.apk (included inside the razr_blade zip file) and copy it over to the SD card.
  15. At this time, copy over the cyanogenmod zipped file you downloaded earlier.  Throw it on the root of your SD card.
  16. Copy over the gApps zip file we downloaded earlier and throw that on the root of your SD card as well.
  17. Disconnect the phone from the computer and install the SuperUser application.  Apps->Files->SD Card->Superuser.apk, Install, Open.  If it asks to update, go ahead and allow it to update the binaries.
  18. Next, grab a copy of SafeStrap.  We will use this as the bootstrap to flash your phone to Cyanogenmod as well as provide an easy way to switch between different ROMs.
    1. https://goo.im/devs/Hashcode/spyder/safestrap/Safestrap-Spyder-3.73.apk
  19. Copy the file over to your phone
  20. Apps->Files->SD card->Safestrap-Spyder-3.73.apk->Package installer->Install->Open
  21. Hit Ok when prompted for superuser privileges, and then select Agree.
  22. Once inside the Safestrap application, click Install Recovery.
    1. Once installed, you should see the Recovery State say Installed
  23. Reboot your phone
  24. When you see the Safestrap splash screen, hit the Menu button on your phone.
  25. Once you have hit the Menu button, there will be a brief delay where you screen goes black and then redirects you to one with a couple of big buttons.  Push the button labeled Boot Options.
  26. Push the ROM-Slot-1 button.
  27. Select the size of your data store and then hit Activate.
    1. Note: This is the amount of space in the partition for Cyanogenmod operating system and associated apps. If you plan to only use the one slot, I would set the slot to 3GB. If you are going to be using multiple ROM slots and space was is an issue you might want to lower the allocation.
  28. Once it is done doing its shindig, hit the back button twice to get to the screen that shows Boot Options, Install, Backup, Restore, Mount, Wipe, Advanced, and Reboot.
  29. Push the Install button.
    1. Note, if the Install button is Red, you are going to override your stock ROM.  Make sure that you have activated ROM-Slot-1 before proceeding.
  30. Scroll down and select the Cyanogenmod zip file you copied to the SD card earlier.
  31. Swipe the “Swipe to Confirm Flash” area to begin flashing your phone with Cyanogenmod.
  32. Once done, it should say Successful in blue text.  Hit the Wipe cache/dalvik button.
    1. Swipe the Swipe to Wipe area (lol)
  33. Hit the Back button.
  34. Hit the Reboot System button.
  35. At this point, you should be greeted by the Cyanogenmod welcome screen upon boot.  I opted out of the Cyangenmod account and decided to continue on.
  36. Next, we need to install Google Apps on the phone.  To do this, reboot the phone and press the Menu button when you see the SafeStrap splash screen.
    1. Note: Google Apps are totally optional.  If you want to roll with Stock Cyanogenmod and manually install apps via their APK files for ultra security, that is totally cool.
    2. Note 2: If you receive an error saying “unable to mount ‘/osh’ gapps”, simply ignore the error and boot back into Cyanogenmod.  I received this error, but all the Google Apps seemed to have installed just fine.
  37. Hit the Install button.
  38. Select the gApps zip file from your SD card
  39. Swipe the Swipe to Confirm Flash area
  40. Once the apps have been successfully installed, hit the Wipe cache/dalvik button.
  41. Swipe the Swipe to Wipe area
  42. Hit the Back button
  43. Hit the Reboot System button
  44. Once you are greeted by a “Allow Google’s location service to collect anonymous location data.” prompt, you will know you have successfully installed the Google apps! 😛

That should do it!  Enjoy Cyanogenmod 11! 🙂

Notes:

If you receive the following error when trying to install the Cyanogenmod 11 package:

Finding update package…
Opening update package…
Installing update…
E: Error in /sdcard-ext/cm-11-2013-12-21-NIGHTLY-spyder.zip (Status 6)
Error flashing zip ‘/sdcard-ext/cm-11-2013-12-21-NIGHTLY-spyder.zip’

Please make sure you have upgraded to the latest version of SafeStrap.  SafeStrap v3.65 or higher must be installed for Cyanogenmod 11 to properly install.  As a heads up, you will need to open the SafeStrap app and press the Install Recovery button to actually get SafeStrap to upgrade to the latest version.  Simply upgrading the SafeStrap apk file will NOT complete the upgrade.

P.S. Here is the official Cyanogenmod info page for the Motorola Droid RAZR/RAZR MAXX (CDMA)
http://wiki.cyanogenmod.org/w/Spyder_Info

[Error] Enable-CsUser : Specified SIP domain is not vaild. Specify a valid SIP domain and then try again.

Issue: When trying to enable a new user for Lync, you receive the following error; both within PowerShell and the Web GUI.

Enable-CsUser : Specified SIP domain is not vaild. Specify a valid SIP domain and then try again.
Specified SIP domain is not valid - cscp

When executing: Enable-CsUser -Identity “DOMAIN\Jack.Stromberg.Admin” -RegistrarPool “lyncpool.mydomain.local” -SipAddressType “emailaddress” -SipDomain “mydomain.com”
Specified SIP domain is not valid - lync server management shell

Solution: Most of the time this turns out to be a typo in the -SipDomain parameter or the user’s email address set inside of Active Directory.  Once you verify that you do not have any typos in the user’s email address/SipDomain parameter, the user should be able to be added successfully.  If neither work, you can specify the SipAddressType to be the user’s SamAccountName rather than email address.

[Tutorial] Configuring Direct Access on Server 2012 R2

This tutorial will cover deployment of Windows Server 2012 R2’s latest version of DirectAccess.  While there are multiple ways to configure Direct Access, I tried to pull together what I believe are the best/recommended practices and what I believe would be a common deployment between organizations.  If you have any thoughts/feedback on how to improve this deployment, please leave a comment below.

Before beginning, if you are curious what DirectAccess is, here is a brief overview of what it is and what it will allow us to accomplish.

DirectAccess, also known as Unified Remote Access, is a VPN-like technology that provides intranet connectivity to client computers when they are connected to the Internet. Unlike many traditional VPN connections, which must be initiated and terminated by explicit user action, DirectAccess connections are designed to connect automatically as soon as the computer connects to the Internet. DirectAccess was introduced in Windows Server 2008 R2, providing this service to Windows 7 and Windows 8 “Enterprise” edition clients.
http://en.wikipedia.org/wiki/DirectAccess

Prerequisites

  • Domain Admin rights to complete the tutorial below
  • Windows Server 2012 R2 machine
    • Two network cards – One in your internal network, the other in your DMZ
    • Joined to your domain
    • Latest Windows Updates
      (seriously, apply these, there are updates released specifically for DirectAccess)
  • DMZ
  • PKI Setup (Public Key Infrastructure to issue self-signed certificates)
    • Custom template setup for issuing servers with an intended purpose of Server Authentication
    • Certificate auto-enrollment has been configured
  • Active Directory Security Group designated with Computer Objects allowed to use DirectAccess
  1. Login to your Server 2012 R2 server we will be using for installing the Direct Access
  2. Ensure all windows updates have been applied.
    Latest Windows Updates
  3. Open up Server Manager
    Server 2012 R2 - Server Manager
  4. Select Manage -> Add Roles and Features
    Server 2012 - Manage - Add Roles and Features
  5. Click Next > on the Before you Begin step
    Add Roles and Features Wizard - Before you begin
  6. Ensure Role-based or feature-based installation is checked and click Next >
    Add Roles and Features Wizard - Select installation type
  7. Select Next > on the Select destination server step
    Add Roles and Features Wizard - Select destination server
  8. Check Remote Access and click Next >Add Roles and Features Wizard - Server Roles - Remote Access
  9. Click Next > on the Select Features step
    Add Roles and Features Wizard - Server Roles - Features
  10. Click Next > on the Remote Access step
    Add Roles and Features Wizard - Remote Access
  11. Check DirectAccess and VPN (RAS)
    Add Roles and Features Wizard - Remote Access
  12. Click the Add Features button on the dialog box that prompts
    Add Roles and Features Wizard - Remote Access - Add Features
  13. Check DirectAccess and VPN (RAS) and then click Next >
    Add Roles and Features Wizard - Remote Access - Select role services
  14. Click Next > on the Web Server Role (IIS) page
    Add Roles and Features Wizard - Web Server Roll IIS
  15. Click Next > on the Role Services page
    Add Roles and Features Wizard - Web Server Roll IIS - Roll Services
  16. Check the Restart the destination server automatically if required checkbox and click Yes on the dialog box.
    Add Roles and Features Wizard - Confirm installation selections
    Add Roles and Features Wizard - Restart is required dialog
  17. Click Install
    Add Roles and Features Wizard - Confirm installation selections - Restart the destination server automatically if required
  18. Click Close when the install has completed
    Add Roles and Features Wizard - Results
  19. Back in Server Manager, click on Tools -> Remote Access Management (You can ignore the warning icon, the Open the Getting Started Wizard will only do a quick setup of DirectAccess.  We want to do a full deployment).
    Server Manager - Tools - Remote Access Management
    Here is what the quick deployment looks like.  Don’t click on this. Server Manager - Post-Deployment Configuration - DirectAccess
  20. On the Remote Access Management Console, click on DirectAccess and VPN on the top left and then click on the Run the Remote Access Setup Wizard.
    Remote Access Management Console - DirectAccess and VPN
  21. On the Configure Remote Access window, select Deploy DirectAccess only
    Configure Remote Access - Deploy DirectAccess Only
  22. Click on the Configure… button for Step 1: Remote Clients
    Remote Access Management Console - DirectAccess and VPN - Step 1 Remote Clients
  23. Select Deploy full DirectAccess for client access and remote management and click Next >
  24. Remote Access Setup - Deploy full DirectAccess for client access and remote managment
  25. Click on the Add… button
  26. Remote Access Setup - Select one or more security grups containing client computers that will be enabled for DirectAccess
  27. Select the security group inside of Active Directory that will contain computer objects allowed to use DirectAccess and click OK
    Remote-Access-Setup-Select-Groups
  28. Optionally, uncheck or check Enable DirectAccess for mobile computers only as well as Use force tunneling and click Next >
    1. If Enable DirectAccess for mobile computers is checked, WMI will query the machine to determine if it is a laptop/tablet.  If WMI determines the machine is not a “mobile device”, the group policy object will not be applied to those machines in the security group.  In short, if checked, DirectAccess will not be applied to computers that are desktops or VMs placed inside the security group.
    2. If Use force tunneling is checked, computers will always use the direct access server when remote.  For example, if the user surfs the web to a public website like jackstromberg.com, the traffic will go through the DirectAccess tunnel and back to the machine, rather than directly to the ISP.  Generally, this is used for strict compliance environments that want all network traffic to flow through a central gateway.
    3. Remote Access Setup - Select Groups - Next
  29. Double click on the Resource | Type row
    1. What this step is trying to do is find a resource on the internal network that the client can “ping” to ensure the DirectAccess client has successfully connected to the internal network.
      Remote Access Setup - Network Connectivity Assistant - Resource Type
  30. Select whether you want the client to verify it has connected to the internal network via a HTTP response or network ping, optionally click the validate button to test the connection, and then click Add
    1. You may want to add a couple resources for failover testing purposes, however it isn’t recommended to list every resource on your internal network.
      Remote Access Setup - Network Connectivity Assistant - Configure Corporate Resources for NCA
  31. Enter in your Helpdesk email address and DirectAccess connection name (this name will show up as the name of the connection a user would use), and check Allow DirectAccess clients to use local name resolution and click Finish.
    1. Based on what I could find, checking Allow DirectAccess clients to use local name resolution will allow the DirectAccess client to use the DNS server published by DHCP on the physical network they are connected to.  In the event the Network Location server is unavailable, the client would then use the local DNS server for name resolution; allowing the client to at least access some things via DNS.
      Remote Access Setup - Network Connectivity Assistant - Helpdesk email address - DirectAccess connection name
  32. Click on Configure… next to Step 2: Remote Access Server
    Remote Access Management Console - DirectAccess and VPN - Step 2 Remote Access Server
  33. On the Remote Access Server Setup page, select Behind an edge device (with two network adapters) and ensure you specify a public facing DNS record that DirectAccess will use to connect back to your environment, and then click Next >
    1. NOTE: By default, your domain’s FQDN will be used, so if you have a .local domain, you will want to switch this to your actual .com, .net, .org, .whatever.
    2. As an additional side note, hereis some information from the following KB article on what the differences are between each of the topologies.  From what I gather, using the dual NIC configuration is Microsoft’s best practice from a security standpoint.
      • Two adapters—With two network adapters, Remote Access can be configured with one network adapter connected directly to the Internet, and the other is connected to the internal network. Or alternatively the server is installed behind an edge device such as a firewall or a router. In this configuration one network adapter is connected to the perimeter network, the other is connected to the internal network.
      • Single network adapter—In this configuration the Remote Access server is installed behind an edge device such as a firewall or a router. The network adapter is connected to the internal network.

    Remote Access Server Setup - Network Topology

  34. On the Network Adapters step, select your External (DMZ) and Internal (LAN) adapters.Remote Access Server Setup - Network Adapters - External Internal
  35. Leave the Remote Access Setup screen open and right click on Start button and select Run
    Server 2012 - Run
  36.  Type mmc and select OK
    Server 2012 - Run - mmc
  37. Click File -> Add/Remove Snap-in…
    mmc - File - Add-Remove Snap-in
  38. Select Certificates and click Add >
    Add or Remote Snap-ins - Certificates
  39. Select Computer account and click Next >
    Certificates snap-in - Computer Account
  40. Ensure Local Computer is selected and click Finish
    Certificates snap-in - Select Computer
  41. Click OK on the Add or Remove Snap-ins machine
    Add or Remove Snap-ins - Certificates - Local Computer
  42. Expand Certificates (Local Computer) -> Personal -> Certificates, right click on Certificates and select Request New Certificate…
    Certificates - All Tasks - Request new certificate
  43. Click Next on the Before You Begin screen
    Certificate Enrollment - Before You Begin
  44. Click Next on the Select Certificate Enrollment Policy
    Certificate Enrollment - Select Certificate Enrollment Policy
  45. Select your template that will support server authentication and click More information is required to enroll for this certificate.  Click here to configure settings.
    Certificate Enrollment - Request Certificates

    1. Note: The WebServers enrollment policy is not something out of the box configured by Microsoft.  You will need to manually login to your certificate authority, duplicate the Web Servers template with the settings you wish, ensure your usergroup can Enroll for a certificate, and then publish it to AD.
  46. On the Subject tab, enter the following values (substituting in your company’s information):
    Common name: da.mydomain.com
    Country: US
    Locality: Honolulu
    Organization: My Company
    Organization Unit: Information Technology
    State: Hawaii
    Certificate Enrollment - Certificate Properties - Subject Tab
  47. On the Private Key tab, expand Key options and check Make private key exportable.  Click Apply when done.
    Certificate Enrollment - Certificate Properties - Private Key Tab
  48. Click Enroll.
    Certificate Enrollment - Request Certificates - Enroll
  49. Click Finish.
    Certificate Enrollment - Certificate Installation Results
  50. Go back to the Remote Access Setup screen and click Browse…
    Remote Access Server Setup - Network Adapters - External Internal
  51. Select your da.mydomain.com certificate we just created and click OK.
    Remote Access Setup - Select a certificate
  52. Click Next >
    Remote Access Setup - Network Adapters - External Internal Certificate
  53. Check Use computer certificates and check Use an intermediate certificate and then click Browse…
    Remote Access Setup - Authentication - Active Directory Credentials
  54. Select the certificate authority that will be issuing the client certificates and click click OK
    Remote Access Setup - Authentication - Select a certificate
  55. Optionally, you may enable Enable Windows 7 client computers to connect via DirectAccess as well as Enforce corporate compliance for DirectAccess clients with NAP.  Note: Configuring these two options are not covered in the scope of this tutorial.  Click Finish when done.
    Remote Access Setup - Authentication - Finish
  56. Click on Configure… next to Step 3: Infrastructure Servers
    Remote Access Management Console - DirectAccess and VPN - Step 3 Infrastructure Servers
  57. On the Remote Access Setup screen, check The network location server is deployed on a remote web server (recommended), type in the website address to the Network Location Server, and click Next >
    1. So for whatever reason, there aren’t many articles explaining what exactly the network location server is and how to set it up.  From what I gather, the Network Location Server is merely a server with a website running on it that the client can contact to ensure it has reached the internal network.  The webpage can be the default IIS webpage; just ensure the website is NOT accessible externally.
      Remote Access Setup - Network Location Server
  58. Specify any additional DNS servers you wish to use for name resolution, ensure Use local name resolution if the name does not exist in DNS or DNS servers are unreachable when the client computer is on a private network (recommended) is checked and click Next >
    Remote Access Setup - Infrastructure Server Setup - DNS
  59. Check Configure DirectAccess clients with DNS client suffix search list, ensure your local domain’s suffix has been added, and click Next >
    Remote Access Setup - DNS Suffix Search List
  60. Click Finish on the Management page.
    Remote Access Setup - Management
  61. Click the Configure…. button on Step 4: Application Servers
    Remote Access Management Console - Step 4 Application Servers
  62. Check Do not extend authentication to application servers and click Finish
    Remote Access Setup - Do not extend authentication to application servers
  63. Click Finish… on the Remote Access Management Console page
    Remote Access Management Console - Finish
  64. Click Apply on the Remote Access Review page
    Remote Access Review - Summary of Remote Access configuration settings
  65. Click Close once direct access has successfully finished deploying
    Apply Remote Access Setup Wizard Settings - The configuration was applied successfully
  66. Login to one of your Windows 8.X Enterprise machines that is inside of your DirectAccess Compuers security group and run a gpupdate from command line to pull down the latest group policy.
  67. At this point, you should now be able to login to your network via DirectAccess!

NOTES:

Here is a pretty good resource from Microsoft on helping plan your DirectAccess deployment.  Once you click on the link, in the bottom left corner, you will find two steps to some good KB articles: http://technet.microsoft.com/en-us/library/jj134262.aspx

Here is another article from Microsoft with a more indepth explanation about where to place the Network Location Server: http://technet.microsoft.com/en-us/library/ee382275(v=ws.10).aspx

Office 365 – Single Sign-On for SharePoint, Skydrive, CRM, etc. via Smart Links

Update: I have released a smart link generator to have these items created automatically, please find this here: http://jackstromberg.com/o365-smart-linksso-link-generator/

Synopsis: One of the biggest problems I have seen with Office 365 is ease in accessibility to all of the Office365 resources.  As pointed out on many of the Microsoft forums, SharePoint, CRM, Skydrive, etc. do not automatically complete a single-sign on request when browsing the website.

Problem: When a user browses https://mydomain.sharepoint.com for example, the user is prompted to enter in their email address.  What a user expects is that they should automatically be logged in and see sharepoint when navigating to https://mydomain.sharepoint.com  Additionally, for whatever reason, users cannot remember the website address to https://mydomain.sharepoint.com  Instead, they want to do something like http://sharepoint.mydomain.com

Solution: Create name branded “fancy URLs” that will complete an idp claim to give the user a true SSO experience.

  • http://owa.mydomain.com
  • http://sharepoint.mydomain.com
  • http://skydrive.mydomain.com
  • http://crm.mydomain.com

Solution:

  1. Open up Internet Explorer
  2. Navigate to https://mydomain.sharepoint.com
    Sign into Office 365
  3. Press F12 to open up the developer tools console (I am running IE 11, the console looks way different than previous versions of IE)
    Sign into Office 365 - Developer Console
  4. Scroll down and select the icon that looks like a little WiFi antenna
    Sign into Office 365 - Developer Console - Network
  5. Click the green play button
    Sign into Office 365 - Developer Console - Network - Start Capture
  6. Type in your email address as you would to login to sharepoint ([email protected])
  7. You should be redirected to your ADFS server and inside the network console, you should see a link like https://sts.mydomain.com/adfs/ls/?………………  Copy this link into notepad.
    Office 365 - Federated URL
  8. Remove the extra stuff from the debug console
    Before
    Office 365 - Federated URL - Notepad

    After
    Office 365 - Federated URL - Cleaned - Notepad
  9. Remove everything from cbcxt=….. to wa=wsignin1.0
    Office 365 - Federated URL - cbcxt removed
  10. Remove the ct%3D1386214464%26 and bk%3D1386214464%26 parameters
    Office 365 - Federated URL - ct and bk removed
  11. Next, open up another new notepad document named index.html and paste the following text into it
    1. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>
      <title>CRM</title>
      <meta http-equiv=”refresh” content=”0; url=https://sts.mydomain.com link goes here” /></head>

      <body>

      </body>
      </html>
      Redirect to URL template

  12. Replace https://sts.mydomain.com link goes here with your new smart link and save the document.
    Redirect to federated URL
  13. Upload the index.html file to one of your your webservers
  14. Create a new A record called sharepoint.mydomain.com pointing to your webserver
  15. Now when a user browses http://sharepoint.mydomain.com, the user will automatically be redirected to your secure ADFS Proxy and authenticate automatically.

You will need to repeat the steps above for each of the Office 365 products your company uses.  The federated addresses do change, so you will have to follow all of the steps over again for each Smart Link you wish to create.

NOTES:

Here is an official article on creating smart links: http://community.office365.com/en-us/wikis/sso/using-smart-links-or-idp-initiated-authentication-with-office-365.aspx

Server 2012 R2 – Missing Group Policy – Internet Explorer Maintenance

Symptom: When navigating to User Configuration – Policies – Windows Settings via Group Policy Management Editor, Internet Explorer Maintenance is missing from the list of configurable policies.

Server 2012 - Group Policy Management Editor - User Configuration - Policies - Windows Settings

Explanation: Internet Explorer 10 (which is installed by Default on Server 2012 R2) deprecates Internet Explorer Maintenance (IEM) in favor of a more robust tool called Group Policy Preferences.  As you can see in the following Microsoft KB article, a link to the Internet Explorer Maintenance policy alternatives can be found here: http://technet.microsoft.com/library/hh846772.aspx

Solution: Remove the old Internet Explorer Maintenance policies and switch over to use Preferences to manage your domain machines.  This tutorial will not go into using Preferences, however it will go over removing the Internet Explorer Maintenance policies from your GPO.  Since I went ahead and upgraded our environment to Server 2012 R2 I ended up having to configure a new Server 2008 R2 machine.  If someone has an easier solution, please let me know in the comments below.

  1. Login to any member machine of the domain that is running Server 2008 R2 or earlier and does not contain Internet Explorer 10 or greater
  2. Open up Server Manager
    Server Manager
  3. Install Group Policy Management if it is not installed
    1. Select Features and click Add Features
      Server Manager 2008 R2 - Add Features
    2. Select Group Policy Management and click Next >
      Server 2008 R2 - Add Features Wizard - Group Policy Management
    3. Click Install
      Server 2008 R2 - Add Features Wizard - Group Policy Management - Install
    4. Click Close
      Server 2008 R2 - Add Features Wizard - Group Policy Management - Close
  4. Select Features– > Group Policy management -> Expand your forest -> Expand Domains -> Select your domain -> Right click and Edit… one of your policies
    Server Manager 2008 R2 - Features - Group Policy Management - Edit GPO
  5. Expand User Configuration -> Policies -> Software Settings -> Windows Settings and select Internet Explorer Maintenance.
  6. Right click on Internet Explorer Maintenance and select Reset Browser Settings
    Group Policy Management Editor - User Configuration - Policies - Windows Settings - Internet Explorer Maintenance - Reset Browser Settings
  7. Click Yes on the Internet Explorer Maintenance dialog box
    Internet Explorer Maintenance Dialog Box
  8. If all went well, you should now see all of the deprecated Internet Explorer Maintenance policies removed from your Group Policy Object.
    Before
    Group Policy Management - Before
    After
    Group Policy Management - After

Notes:
Official KB on installed Group Policy Manager: http://technet.microsoft.com/en-us/library/cc725932.aspx

Official KB article on replacements for Internet Explorer Maintenance: http://technet.microsoft.com/en-us/library/jj890998.aspx

Forum post showing frustration over this: http://social.technet.microsoft.com/Forums/windowsserver/en-US/1f6a0d43-e81f-4038-88f6-75d8921fdf82/missing-group-policy-internet-explorer-maintenance?forum=winserver8gen