Notes about setting up AD FS for Hosted Exchange in Office 365

I've been learning about Active Directory Federation for Office 365's Hosted Exchange.  Here are some links and notes about the process that I don't want to forget.

Where to sign-up: Exchange Online account ($4/month/mailbox).

Instructions on how to configure DirSync to sync a single OU.

The excellent tutorial that I followed to setup AD FS w/ O365.

A discussion of the 3 sign-in models for Office 365.

A discussion of whether to use SQL Server or the Windows Internal Database (WID) for the AD FS configuration database when federating with O365.

Should you use O365?  Yes!

How to test AD FS functionality: https://adfs.trimideas.com/adfs/ls/idpinitiatedsignon.htm

Introduction to Azure multi-factor authentication for Office 365 (it's free!).

The AD FS Proxy appears to fetch configuration information from the AD FS farm once per minute.

This guy says the Web Application Proxy can route requests to different servers via hostname!

Here's how to configure extranet lockout with AD FS 3.0.  You can only configure this on the primary ADFS server...and I think it pushes the configuration out to the web proxy, but haven't validated that thought.

Here's how to customize the logo on the AD FS sign-in page.


How to prevent rogue DHCP servers with DHCP snooping in an HP Procurve switch

This is cool.  I'm using an HP Procurve 2530 switch, running firmware YA.15.16.  These switches, by the way, come with a lifetime next-business-day warranty.

To learn how to configure this feature, I went to HP's support lookup tool, typed in J9777A, looked up the manuals, went into the general reference area, then opened the HP Switch Software Access Security Guide for YA/YB.15.16.

Here are the commands to run:
dhcp-snooping            (enables the feature globally)
dhcp-snooping trust 8    (marks port 8 as trusted: DHCP server replies are accepted only on trusted ports, so the real server must sit on one)
dhcp-snooping vlan 1     (enables snooping on the default VLAN, 1)

Here's a screenshot pre-DHCP-snooping (two DHCP servers respond to the request):

Here's a screenshot with DHCP replies permitted only on port 8 (server is

Here's a screenshot with DHCP replies permitted only on port 1 (server is

The switch also keeps a binding table of the IP address(es) and MAC address(es) it has seen leased on each untrusted port - show dhcp-snooping binding.  If you see a bunch of IP addresses on a single port, that could indicate someone has added a downstream switch or hub.

It appears (per this post) that if you have multiple HP switches, you'd want to use no dhcp-snooping option 82.


Storage Spaces - an update

Today I noticed that the StorageSpaces event log is full of dire notifications:

So I tried to move my virtual machines to another host (so I could safely work on the StorageSpace), but was told "Virtual machine migration operation failed at migration source.  Failed to establish a connection with host. No credentials are available in the security package" even though I'd long-since configured constrained delegation with these commands from AidanFinn:

$HostName = "host1"
$HostFQDN = "$HostName.demo.internal"
# On host2's computer object, allow delegation only to the live migration and SMB (cifs) services on host1
Get-ADComputer host2 | Set-ADObject -Add @{"msDS-AllowedToDelegateTo" = "Microsoft Virtual System Migration Service/$HostFQDN", "Microsoft Virtual System Migration Service/$HostName", "cifs/$HostFQDN", "cifs/$HostName"}

Restarting the NETLOGON service on the source Hyper-V server fixed this.
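As an added example (mine, not the original post's code), here is a PowerShell version of the same constrained-delegation setup that grants it in both directions and then reports each host's delegation settings, so you can confirm that only the live migration and cifs SPNs are listed and that unconstrained delegation is off.  The host names and DNS suffix are placeholders; the ActiveDirectory module is assumed to be available.

```powershell
Import-Module ActiveDirectory

function Grant-LiveMigrationDelegation {
    # Allow $From to present delegated Kerberos tickets to the live migration
    # and SMB (cifs) services on $To - constrained delegation to exactly these SPNs.
    param(
        [Parameter(Mandatory)][string]$From,
        [Parameter(Mandatory)][string]$To,
        [Parameter(Mandatory)][string]$DnsSuffix
    )
    $toFqdn = "$To.$DnsSuffix"
    $spns = @(
        "Microsoft Virtual System Migration Service/$toFqdn",
        "Microsoft Virtual System Migration Service/$To",
        "cifs/$toFqdn",
        "cifs/$To"
    )
    # -Add appends to msDS-AllowedToDelegateTo; entries for other hosts are kept.
    Set-ADComputer -Identity $From -Add @{ 'msDS-AllowedToDelegateTo' = $spns }
}

function Show-DelegationSettings {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($name in $ComputerName) {
        $c = Get-ADComputer -Identity $name -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
        [pscustomobject]@{
            Host                    = $name
            # TrustedForDelegation = $true is UNCONSTRAINED delegation: the host may
            # impersonate any connecting user to any service. It should be $false here.
            UnconstrainedDelegation = $c.TrustedForDelegation
            # TrustedToAuthForDelegation = protocol transition ("use any authentication
            # protocol"); not needed when both hosts authenticate with Kerberos.
            ProtocolTransition      = $c.TrustedToAuthForDelegation
            AllowedToDelegateTo     = ($c.'msDS-AllowedToDelegateTo' -join '; ')
        }
    }
}

# Live migration can be started from either host, so delegation is needed both ways.
# 'host1', 'host2' and 'demo.internal' are placeholders.
Grant-LiveMigrationDelegation -From 'host2' -To 'host1' -DnsSuffix 'demo.internal'
Grant-LiveMigrationDelegation -From 'host1' -To 'host2' -DnsSuffix 'demo.internal'
Show-DelegationSettings -ComputerName 'host1', 'host2' | Format-List
```

Listing SPNs is the least-privilege option: each host can act on a user's behalf only toward those two services on the named peer.  Leave TrustedForDelegation off, because that is unconstrained delegation and lets a compromised host impersonate any connecting user to any service.  The change is only picked up when the host acquires fresh Kerberos tickets (a reboot or, as above, a NETLOGON restart).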

With my virtual machines moved off, I wanted to remove (from the pool) the physical disk that StorageSpaces reported an I/O error on (to run Seagate diagnostics on it)...but because a virtual disk which used that physical disk was in a degraded state, the Server Manager wouldn't let me do that.

In a production environment, you might just pull the suspected bad drive and put in a new one, but I really wanted to run the Seagate diagnostics on the drive while it was still in the case (call me lazy).  So I deleted the virtual disk, removed the physical drive from the storage pool, launched the Seagate diagnostic tool (it was able to see the drive) and started the "Fix All - Long" test (link), which took 3.5 hours and reported the drive as good.  Then I added the physical disk back into the pool and recreated the virtual disk and volume on it.

Upon trying to move virtual machines back to this host, I got the same error message as above!  In fact, I couldn't even RDP into the VM host by hostname...although doing so by IP address worked.  The solution to both problems was to configure the NIC with an online DNS server.

In the process of re-learning Storage Spaces a bit, I found this nice overview of the technology and this in-depth explanation of how to replace a failed disk.

OK, so life is back to normal.  In the future, I want an email alert when Storage Spaces writes an error or warning into its Windows event log...here are the scripts:

C:\Email.ps1 (the function the monitor script dot-sources):

Function Send-Email($EmailSubject, $EmailBody) {
    # The SMTP password is stored in plain text here; anyone who can read this file can read it.
    $Username = "jeremy@comcast.net"
    $Password = ConvertTo-SecureString 'MyPassword' -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential $Username, $Password

    Send-MailMessage -From "VM-HOST1 <jeremy@comcast.net>" -To jeremy@mydomain.com -Subject $EmailSubject -Body $EmailBody -SmtpServer smtp.comcast.net -Port 587 -UseSsl -Credential $cred
}

C:\Monitor-StorageSpaces.ps1 (run every 5 minutes by the scheduled task):

# Import the function above
. "C:\Email.ps1"

# Critical (1), Error (2) and Warning (3) events from the last 5 minutes
$MyFilter = @{LogName='Microsoft-Windows-StorageSpaces-Driver/Operational'; Level=1,2,3; StartTime=(Get-Date).AddMinutes(-5)}

# -ErrorAction SilentlyContinue: Get-WinEvent reports an error when nothing matches, which is the normal case here
Get-WinEvent -FilterHashtable $MyFilter -ErrorAction SilentlyContinue | ForEach-Object {
    $EmailSubject = "Storage Spaces " + $_.LevelDisplayName + " (" + $_.Id + ")"
    $EmailBody = $_.Message
    Send-Email $EmailSubject $EmailBody
}

Register the scheduled task (run once, from an elevated prompt):

$T = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5)
$T.RepetitionInterval = (New-TimeSpan -Minutes 5)
$T.RepetitionDuration = (New-TimeSpan -Days 3650)

$A = New-ScheduledTaskAction -Execute "Powershell.exe" -Argument "-NoLogo -NoProfile -NonInteractive -ExecutionPolicy Bypass -File C:\Monitor-StorageSpaces.ps1"
# RunLevel 1 = Highest; the task runs as SYSTEM so it can read the operational log
Register-ScheduledTask -TaskName "Monitor Storage Spaces (setup by Jeremy)" -Trigger $T -Action $A -User "NT AUTHORITY\SYSTEM" -RunLevel 1
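One thing I'd change in Email.ps1 above: the SMTP password sits in plain text in a script file.  As an added example (not the original post's code), the two functions below keep it DPAPI-encrypted on disk instead.  Because the task runs as SYSTEM, the blob is protected with the machine key (LocalMachine scope), and the file ACL is then what limits who can read it; anything running as SYSTEM or as an administrator on this host can still decrypt it.  C:\smtp-password.bin is a placeholder path.

```powershell
Add-Type -AssemblyName System.Security

function Protect-SmtpPassword {
    # Run once, interactively, from an elevated prompt. Prompts for the password,
    # encrypts it with the machine's DPAPI key and writes it to $Path with an ACL
    # that lets only SYSTEM (read) and Administrators (full) touch the file.
    param([Parameter(Mandatory)][string]$Path)
    $secure = Read-Host -Prompt 'SMTP password' -AsSecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
    $bytes = [Text.Encoding]::UTF8.GetBytes($plain)
    # LocalMachine scope: decryptable by any account on this machine, hence the ACL below.
    $protected = [Security.Cryptography.ProtectedData]::Protect(
        $bytes, $null, [Security.Cryptography.DataProtectionScope]::LocalMachine)
    [IO.File]::WriteAllBytes($Path, $protected)
    # Drop inherited permissions and grant only what the task needs.
    icacls $Path /inheritance:r /grant:r 'SYSTEM:(R)' 'BUILTIN\Administrators:(F)' | Out-Null
}

function Get-SmtpCredential {
    # Called from the monitor script (running as SYSTEM): decrypts the blob and
    # returns a PSCredential for Send-MailMessage.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Username
    )
    $protected = [IO.File]::ReadAllBytes($Path)
    $bytes = [Security.Cryptography.ProtectedData]::Unprotect(
        $protected, $null, [Security.Cryptography.DataProtectionScope]::LocalMachine)
    $secure = ConvertTo-SecureString ([Text.Encoding]::UTF8.GetString($bytes)) -AsPlainText -Force
    New-Object System.Management.Automation.PSCredential ($Username, $secure)
}

# One-time setup (placeholder path):
# Protect-SmtpPassword -Path 'C:\smtp-password.bin'
# In Send-Email, replace the ConvertTo-SecureString / PSCredential lines with:
# $cred = Get-SmtpCredential -Path 'C:\smtp-password.bin' -Username $Username
```

The script file itself no longer contains a secret, so it can live in a world-readable location; only the .bin file needs the tight ACL.  If you later change the SMTP password, rerun Protect-SmtpPassword.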


Misc notes

Beginning on Wednesday night and continuing today, I’ve been working on my home lab setup.  Here are things I’ve been learning.

– You can’t set a “default domain” for email addresses in Office 365 if you’re using AD FS.  Instead, you’re supposed to define a user’s primary email address in the on-prem Active Directory and let Dirsync send it up to the cloud.

– So I set the correct email address for my account in Active Directory, went to bed, woke up the next morning and wondered “Why hasn’t it been updated in O365?”!  Well, for one, the “Forefront Identity Manager Synchronization Service” was stopped on the box that has DirSync installed…so I started it…and then wondered why the status screen had so many “stopped-extension-dll-exception” lines…that was because the username was incorrect for the O365 account that DirSync was trying to use…fixed that…then I *thought* I was executing some manual syncs, but actually wasn’t – here’s the correct sequence of syncs when DirSync is working properly:

– The AD FS sign-on page wasn’t loading after I’d been tinkering with Failover Clustering…found that the AD FS service had been set to manual!  Fixed that.

– Glanced at a current sFlow report from the switch and thought “Why is my laptop sending so much UDP traffic to”!  It turns out that Windows enables SNMP on TCP/IP printer ports so it can see if they’re online or offline…however, you then wind up with this chatty behavior…so I turned off SNMP on all my TCP/IP printer ports.

– Spent a bunch of time tinkering with IGMP multicast in both the NLB cluster for ADFS and inside the HP switch…found it to be temperamental and essentially worthless when I tested it by pulling the plug on a node.  Switched back to basic multicast on a dedicated VLAN…which works great.

– Placed the wireless network on its own VLAN and isolated it with Sonicwall firewall rules…added a rule to allow my laptop’s IP address to pass through to the LAN…created a DHCP reservation for the MAC address of my laptop.

– My laptop’s clock (a domain workstation) had drifted several minutes behind, so I logged into a domain controller and followed instructions to run (syntax of w32tm):

w32tm /config /manualpeerlist:0.us.pool.ntp.org /syncfromflags:MANUAL
w32tm /config /update
w32tm /resync

…this worked fine on the domain controller, but when I ran w32tm /resync on my laptop, there was no change to the clock…why?!  Well, I had assumed that I knew which server is the PDC emulator on my network, but I assumed wrong.  Domain members follow the domain time hierarchy, which ends at the PDC emulator, so that is the one server that should sync from an external source.  By going to ADUC…right-click on the domain at the top, click Operations Masters…I realized that my *other* domain controller holds the PDC emulator role, so I corrected its time with the commands above and then ran w32tm /resync on my laptop successfully.
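As an added example (my code, not the post's), here is a PowerShell check that finds the PDC emulator, measures this machine's clock offset against both the PDCe and an external NTP server, and flags anything beyond Kerberos's default 5-minute tolerance (past that, tickets are rejected and you get authentication failures rather than just a wrong clock).  It also wraps the w32tm configuration above in a function that refuses to run anywhere but the PDCe.  The NTP server name is the one used above; the ActiveDirectory module is assumed.

```powershell
Import-Module ActiveDirectory

function Get-ClockOffsetSeconds {
    # Uses w32tm /stripchart to measure how far the local clock is from $Computer.
    # With /dataonly each sample prints as "HH:mm:ss, +00.0123456s"; the last line
    # is parsed. Returns $null if the host was unreachable or the output was unexpected
    # (an unreachable host prints "HH:mm:ss, error: 0x..." instead of an offset).
    param([Parameter(Mandatory)][string]$Computer)
    $last = @(w32tm /stripchart /computer:$Computer /samples:3 /dataonly) | Select-Object -Last 1
    if ($last -match ',\s*([+-]?\d+(\.\d+)?)s\s*$') { return [double]$Matches[1] }
    return $null
}

function Get-DomainTimeStatus {
    param(
        [string]$NtpServer = '0.us.pool.ntp.org',
        [int]$MaxSkewSeconds = 300   # Kerberos default "maximum tolerance for computer clock synchronization"
    )
    $pdc = (Get-ADDomain).PDCEmulator

    $report = foreach ($target in @($pdc, $NtpServer)) {
        $offset = Get-ClockOffsetSeconds -Computer $target
        # Kerberos compares absolute skew; the sign only tells you which side is ahead.
        $within = $null
        if ($offset -ne $null) { $within = ([math]::Abs($offset) -le $MaxSkewSeconds) }
        [pscustomobject]@{
            Target             = $target
            OffsetSeconds      = $offset
            WithinKerberosSkew = $within
        }
    }
    [pscustomobject]@{
        PdcEmulator     = $pdc
        # A domain member should show a DC here; the PDCe should show the external NTP source.
        LocalTimeSource = (w32tm /query /source)
        Offsets         = $report
    }
}

function Set-PdcExternalTimeSource {
    # Run this ON the PDC emulator only: it is the root of the domain time hierarchy,
    # and pointing other members at external NTP breaks that hierarchy.
    # 0x8 = client mode; /reliable:YES advertises this DC as a good time source to the others.
    param([string[]]$NtpServers = @('0.us.pool.ntp.org', '1.us.pool.ntp.org'))
    $pdc = (Get-ADDomain).PDCEmulator
    if ($pdc -notlike "$env:COMPUTERNAME.*") {
        throw "Run this on the PDC emulator ($pdc), not on $env:COMPUTERNAME."
    }
    $peers = ($NtpServers | ForEach-Object { "$_,0x8" }) -join ' '
    w32tm /config /manualpeerlist:"$peers" /syncfromflags:MANUAL /reliable:YES /update
    w32tm /resync
}

Get-DomainTimeStatus | Format-List
```

If the PDCe itself is off by more than the tolerance, fix it first (Set-PdcExternalTimeSource on that server, then w32tm /resync there); members will then converge on their next poll, or immediately with w32tm /resync.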

11/21/2014 -

Last Wednesday night Dustin or Kalen told me about “NetFlow” which is a traffic reporting tool baked into Cisco hardware.  HP invented a similar traffic reporting tool called “sFlow” which doesn’t report every single packet: its advocates describe this as a more “scalable” approach, its detractors state that this reduces precision.  Anyway, I have a shiny new HP switch on my hands and am eager to learn this sFlow stuff!

This blog post introduces sFlow by comparing it to jelly beans.  This sflow.org essay describes the math behind sampling.  On the switch, I need to configure a “sampling rate” and a “polling interval”.  The sampling rate means the switch forwards 1 packet out of every X to the collector (along with the rate, so the collector can scale the counts back up); the polling interval is how often the switch sends its interface counters to the collector.

To configure sFlow on my Procurve switch, I found a PDF file called “Traffic monitoring on ProCurve switches with sFlow and InMon Traffic Sentinel”.

sFlow is more efficient than SNMP.  Here’s a guide to sampling rates.

SSH’d to the switch’s IP with Putty and logged in with “admin” and no password.  The HP CLI includes tab-completion and instantly shows command options when you append a ? to any valid command.

First, wanted to enable sFlow:

sflow 1 destination 192.168.x.x
sflow 1 sampling all 50 (the lowest allowed value in packets)
sflow 1 polling all 20 (the lowest allowed value in seconds)

…then set the date/time:

time 11/21/2014 17:28
time timezone -480    (offset from UTC in minutes, for Pacific Standard Time)

Lastly, saved the running configuration to the startup configuration:

write memory

To view all the sFlow data coming out of the switch, you need software.  In an enterprise, I think I’d like to try “Traffic Sentinel”.  Tonight, I tried out Plixer’s Scrutinizer, but found it too resource intensive and slow.  By contrast, the free Java-based sFlowTrend by inMon works well.  One way of viewing the traffic on your switch(s) is with a “network circle” and that made me wonder why my computer was connecting to interesting hostnames ending in 1e100.net.  Here’s why.

11/20/2014 -

This evening I received a Sonicwall TZ 105 ($193).  Created a MySonicwall.com account which let me immediately register the device, but it took several minutes before I could login to the web portal to download firmware.  It appears that I’m licensed to download firmware updates for only 90 days.  Applied latest firmware to the Sonicwall (5.9.6).

Applied latest firmware to the HP Procurve switch (YA.15.16), downloaded from here.

8/25/2014 -

Recent projects at work:
  • Migrated a metal-roofing company’s email to Office 365 (10 users) and virtualized their servers onto new hardware.  Installed Veeam with High-Rely drives.
  • Migrated a concrete washout company’s email to Office 365 (28 users).
  • Installed a Bluesocket wireless access point for a winery (it was plagued by so many delays that I bought flowers for the manager as an apology).
  • Moved the servers of a company that monitors vibrations for the Alaskan Way Viaduct.
  • Troubleshot dropped VoIP calls for an Alaskan seafood company.
  • Audited Microsoft licensing compliance at a flooring company.
  • Upgraded Asterisk to fix poor call quality for a property management client.
  • Setup an automatically-deployed SSL VPN for a satellite company.


Exploring Microsoft's "Azure" - setting up an IPsec VPN.

I need to explore Microsoft's Azure cloud services.  Azure offers on-demand SSTP VPN access and/or always-on IPsec VPN access for $27/month.  I want the latter.  At my work, we'd use a Sonicwall router for the IPsec VPN, but I'd like to test this out on a lower budget.  The Cisco RV110 ($67) would work, but then I realized it could be done for free with the pfSense open source firewall software.

Step one was to buy a USB-to-Ethernet adapter that has drivers for Hyper-V Server 2012 R2 ($12).  The setup.exe ran just fine on the Hyper-V server.  Created a virtual "external" Hyper-V switch, not shared with the management OS, with single-root I/O virtualization (SR-IOV) enabled, for the WAN.  Used "Legacy NICs" for compatibility purposes...they top out at 100Mbps, which is fine for my 15/5Mbps cable link.

The pfSense's setup wizard is case sensitive if you enable MAC address spoofing and type in a MAC (it wants lower case).  If you go this route, also enable MAC spoofing on the Hyper-V NIC.

The pfSense WAN interface had a hard time obtaining a DHCP lease from the cable modem.  Eventually I rebooted the cable modem (again) and then traffic started flowing.

Enabling DHCP on the LAN interface unexpectedly disabled access to the web GUI (couldn't even ping the LAN interface), so rebooted the pfSense and it still didn't work.  Needed to choose option 8 at the console (shell access) and typed ifconfig de1 down...then ifconfig de1 up...that fixed it...then I was able to access the web GUI and saw the WAN interface had no IP, so clicked the "Renew" button and then it got its DHCP lease OK from the cable modem.

OK, now I had reached the point where I'd have been 5 minutes after bringing home a router from the store!

To setup the IPsec VPN link, followed this outstanding tutorial.  However, I didn't follow it exactly - I enabled dynamic routing in the Azure gateway...and that's not compatible with pfSense...so deleted the gateway and recreated it with static routing per the tutorial...connected OK now.  Lastly, edited the firewall rules in pfSense to allow all traffic in/out of the VPN.

I'd spun up a domain controller in Azure and now assigned a static IP address to it inside the guest OS....which promptly disabled my access, because you're not allowed to do that in Azure - every virtual machine must keep the DHCP lease Azure gives it.  Oops!

There's no console access to Azure virtual machines as of this writing (October, 2014), so if you can't RDP into your virtual machine, here are your options (I used option 1):

1. Delete the VM, retaining the VHD(s).  Recreate it with the original VHD(s).
2. Use Powershell to download the VHD, boot it in a local Hyper-V session, fix it, upload it.

I've learned what the DNS section of each virtual network is for - because your virtual machines must use DHCP assigned addresses...and you don't have access to the Azure DHCP server, this is where you specify the DNS server(s) that you want the Azure DHCP server to issue to your virtual machines.  You can type in any DNS server that you want.


Windows Server 2008 R2 Std -> Hyper-V Server 2012 R2

A couple of years ago, I installed Server 2008 R2 Standard on a host with 48GB of RAM, not noticing that the OS was limited to 32GB.  I also made the error of creating two RAID1 arrays instead of a single RAID10 array, unnecessarily complicating the allocation of disk space.

It would've been smart to measure performance for a before/after comparison, but I didn't think of that in this case.

First, I brought in a small server running Hyper-V 2012 R2 on an SSD with two SATA drives in a Storage Spaces configuration, and 16GB of RAM.  When I powered off the VMs and tried to export them from the production host to the temp host, it failed with this error, because exporting uses the local SYSTEM account (i.e. the computer account) and there seems to be no way to authorize a remote computer account on an SMB share in a non-domain environment.  Besides, I learned that it wouldn't have worked anyway: you can't import a VM into 2012 R2 if it was exported by 2008 R2, due to changes in the WMI namespace.  Instead, the author suggests stopping the Virtual Machine Management service on the source host and then copying the VM files to the destination server, where they can be imported in-place.  So I did.  The VM files are about 1.1TB collectively.

I was managing Hyper-V 2012 R2 from a Windows 8.1 client running in Virtual Box with a NAT'd network connection that indirectly used the Windows 7 host's VPN connection, and received this error:

Switching to bridged networking with a VPN connection on the Windows 8.1 client fixed that.

Next, received this error:

It was fixed by editing DCOM permissions on the Windows 8.1 client per http://blog.mpecsinc.ca/2009/06/hyper-v-error-access-denied-unable-to.html

Which folder to select when importing virtual machines?  The one called "Virtual Machines".

The import process ensures that you have a valid amount of RAM allocated to a VM and prompts to attach the VM to a virtual switch, if the old/new switches are named differently.

When you install the integration services, the old version is upgraded automatically:

If you're curious: how many CPUs a guest OS can have on Hyper-V 2012 R2.

Yay!  The VMs were working OK on Hyper-V 2012. 

Next, used the Dell Lifecycle Controller via iDrac to update firmware on the production host via ftp.us.dell.com.  The BIOS update didn't take at first, so applied it later.  One power supply stopped working after the update, so a courier brought me a replacement unit 2 hours later.  FYI, firmware updates to the power supplies will cause the server to power-off.

Dell's driver download website is offline today.  I tried ftp.us.dell.com/Browse_For_Drivers, but the files were all a couple of years old.  This server has Broadcom NICs, which need to have "Virtual Machine Queues" disabled.  However, you can't do that with Device Manager on Hyper-V Server 2012 R2 because Device Manager is not present locally and does not work remotely.  The solution (because Dell's driver website was offline) was to download the administration software directly from Broadcom's site (thanks to a forum post for this idea), unzip it, run setup.exe, then run "c:\Program Files\Broadcom\BACS\bacs.exe" and disable Virtual Machine Queues.

Robocopy'd the VM files back to the production server, imported them, and was all set.


Difficulty taking ownership

Problem: you're a domain admin, you've completely disabled UAC, and still cannot take ownership of a folder:


Open Computer Management and close the session that has it open:

Credit: community.spiceworks.com


Deploy an SSTP VPN with certificate-based authentication via group policy


Remote users need a reliable and easy-to-use VPN link to the company network, using 100% Microsoft software.  The environment is Server 2012 R2 and Windows 7/8.


  • Server Manager: install "Network Policy and Access Services" and "Remote Access".
  • Launch the "Getting Started Wizard" on the installation results screen.  
  • Choose "Deploy VPN Only" - the RRAS console appears.
  • Right-click the server, choose "Configure and enable..."...Custom Configuration...VPN Only.
  • Right-click the server, Properties, security tab, assign a certificate from a public certificate authority (because for SSTP, the client must be able to access the associated CRL).  I used the IIS Manager to create a certificate request and filled it at www.namecheap.com for $11.

  • Left-click "Remote Access Logging...", then right-click it and choose "Launch NPS" to open a simplified view of the Network Policy Server.

  • Create a network policy that grants access; for certificate-based authentication the EAP type is "Microsoft: Smart Card or other certificate" (EAP-TLS).  Here's an example:

  • Forward port 443 in your firewall to your VPN server.
I assume that your users are auto-enrolling for a "User" certificate, so now you're ready to automatically deploy an SSTP VPN connection to your workstations.  Use the CMAK - "Connection Manager Administration Kit" - which is installed along with the "Remote Access" role.

Here's a tutorial I made to help you with the CMAK options:

Video was made with ActivePresenter.


Storage Spaces

In Server 2012 R2, there's a feature called Storage Spaces, which lets you abstract your physical storage by pooling physical disks into a single massive entity, on which you create virtual drives that are striped or mirrored across the physical disks according to your wishes.  These virtual drives are not VHD files: their descriptions are written directly to disk, allowing a disk from a storage spaces pool to be imported into a new server in a disaster recovery scenario.

In the process of learning about this, I was impressed by the disk throughput of the $330 Seagate SAS 4TB ST4000NM0023 in a client's server.  I would need this $370 SAS to PCIe adapter if I wanted to try SAS disks at home.

Storage Spaces FAQ from Microsoft.

I'm not aware of a built-in notification feature with Storage Spaces, so I assembled a Powershell script which checks two event logs every minute for a warning or error and emails me if one is found. 
  • I did try attaching a task to an event, but when two events were logged simultaneously, I only got an email about one of 'em.
  • The script below was designed to work with Comcast at my residence, which required using a Comcast SMTP server with SSL and SMTP authentication.  Feel free to tweak it for yourself.
  • If no errors or warnings are found, the script writes an entry into the Application log to show that it is running.
  • A level 1 event is "critical"; a level 2 event is an "error".

If you're running this on Hyper-V Server 2012 R2, you need to create the scheduled task from a command line, so here's a Powershell script for that:

  • Run level of "1" means highest privileges; "0" would mean limited privileges.
  • This script creates a task that runs "C:\CheckLogs.ps1"
  • The last three lines exist simply to document who is responsible for the task.


Using a smart card for Windows domain login

The goals of this post are 1) Push out a trusted root CA certificate via group policy; 2) Enable certificate auto-enrollment for users; 3) Test domain sign-in via a smart card.  I'd also like to test smart cards with my employer's web-based ticketing system, but that can be done later.

Step 1 - Setup JQR-DC1 as the domain controller and certificate authority.  First, let's review the available certificate services:

The Certificate Authority is what you need to issue certificates in the first place.

The Certificate Enrollment Policy Web Service and Certificate Enrollment Web Service together allow non-domain-joined computers and devices to enroll for a certificate via HTTPS (e.g. in cross-forest scenarios).

The Certification Authority Web Enrollment lets you request certificates and more through a web interface instead of via the MMC snap-in.  It's a convenient way to go.

The Network Device Enrollment Service allows devices to obtain a certificate from your CA using the Simple Certificate Enrollment Protocol.  Sonicwall routers can do this - I'd like to try that out.

The Online Responder implements OCSP (Online Certificate Status Protocol): instead of downloading the whole CRL (certificate revocation list), a client asks over HTTP whether one specific certificate is still valid and gets a signed answer.  It matters most when the CRL is large or clients can't fetch it.  I'm not entirely clear on the pros/cons of using it with smart cards.

Skimmed an overview of smart cards from Microsoft and this handy forum post.  Got it working!  Here are the steps:
  • Duplicate the Enrollment Agent certificate template
  • Duplicate the Smartcard Logon template.  
    • Under the "Request Handling" tab, set the purpose to "Signature and smartcard logon".
    • Under the "Cryptography" tab, set the Provider to "Microsoft Base Smart Card Crypto Provider".
    • Under "Issuance Requirements", set the number of authorized signatures to 1.
  • Enable both certificate templates on the CA.
  • Log into a domain-joined Windows 7 workstation as the domain Administrator; open certmgr.msc.
  • Request an enrollment agent certificate.
  • Connect the smart card reader and card.  Drivers for Gemalto cards are installed automatically via Windows Update.  That's the other nice thing about Gemalto cards - the middleware for them is baked right into Windows.

  •  Enroll in a smart card logon certificate on behalf of the chosen user account.

  • It will prompt you for a PIN.  The default Gemalto PIN is 0000.  You can change this later by pressing Ctrl + Alt + Del, just like the password for your domain user account.

All set.  You may sign in to Windows with this smart card + PIN now.

Now, the next annoyance that I noticed is that when I lock the console, I'm required to press Ctrl + Alt + Del to unlock it again (now that it's domain joined), so I enabled a group policy to disable this behavior so frequent console locks remain practical.

I didn't try it out, but supposedly you can put other certificates on a Gemalto smart card with the Gemalto Minidriver Manager.

Instructions.  Download link.

OK, pushing trusted root certificate authorities via group policy is super easy:

...and lastly, you can enable certificate auto-enrollment with two steps:

1) Enable it in group policy:

2) Duplicate the certificate template that you're interested in and enable auto-enrollment for the appropriate group of users.

Be aware that by default, the CA won't issue a certificate valid for more than two years, whatever the template says (issued certificates are also capped by the remaining lifetime of the CA's own certificate).  How to change:

1. certutil -getreg ca\ValidityPeriod          - this should show "Years"
2. certutil -getreg ca\ValidityPeriodUnits     - this should show "2"
3. certutil -setreg ca\ValidityPeriodUnits 6   - this sets it to 6 years, or whatever you prefer; restart the Active Directory Certificate Services service for it to take effect


Windows Anytime Upgrade

So I have Windows 7 Home Premium on my laptop.  I'd like to upgrade to Ultimate for BitLocker.

Before doing so, it's a good idea to record the product key for your current edition of Windows, in case you ever want to roll-back.  I used ProduKey, exported the report as HTML, and printed it.

Checked the Windows lifecycle fact sheet and found that Windows 7 will be in extended support until 1/14/2020.  For reference, here's a list of Windows 7 Upgrade Paths.

BitLocker FAQ on Windows 7


Yes - you can enable BitLocker on Hyper-V Server 2012 R2

Followed steps from this blog to get the job done.  Also learned you *can* save the BitLocker startup keys for multiple computers on one USB drive (per the Microsoft BitLocker FAQ).

1. Run the Powershell command Install-WindowsFeature bitlocker

2. My server core was joined to a no-longer-existent domain, and the sconfig.cmd utility wouldn't let me dis-join it!  So, I ran netdom remove hostname /d:domain /force

3.Edited the registry to allow BitLocker to work w/out a TPM.

4. Ran through the following three commands

More about smart cards

Today I ordered a $15 smart card reader / writer.  However, Amazon doesn't sell the smart cards to go with it.  What card should I buy?  I'd learned from a phone call that I should not get a "memory card" (although I'm not sure what they are used for currently); instead I need a "microprocessor card" (comparison here).  Why didn't I find SmartCardBasics sooner?!  See also "Smart Card Concepts" from Microsoft.

I was interested in the $7-per-piece price from CardLogix, but you need a minimum order of 10 cards.  So I was interested in a smart card from Gemalto's online store, read this summary of their cards, settled on the .NET card for $26...and then realized the S&H is $30 'cause they're in France.  Ouch.  So I called a California-based Gemalto distributor named Envoy Data and spoke with two people there who were very helpful.  They agreed to sell me a single card for $23 + $12 S&H.  They also suggested that I check out vSEC:CMS from Versatile Security for managing certificates and that I also consider products by "Active Identity".


Certificates, Workplace Join, and UPN suffix routing between forests

I was recently asked what could cause a DNS zone that you've just signed with DNSSEC to stop replicating to a secondary server.  I still don't know the answer to that, but I have learned that the replication interval of a non-AD-integrated (secondary) zone is defined by the "refresh interval" value in its SOA record.

That said, you can also click the "Notify" button under the Zone Transfer tab and basically enable the pushing of real time DNS updates to a non-AD integrated DNS server this way.  One guy describes using a secondary DNS zone as a backup for just the DNS records in an AD-integrated zone.

Next, I decided to learn about registering devices through "Workplace Join".  Here's a scenario where you'd want it: you've implemented "dynamic access control" on your file server(s) and are using device claims to provide seamless second factor authentication.  Your problem is that 'till now, only Windows 8 supported those device claims.  Workplace Join extends support for device claims (essentially a device certificate) to Windows 7 Pro/Enterprise/Ultimate, Apple IOS devices, and Android devices.  By default, it includes persistent SSO for 7 days.

First, renamed one of my domain member servers via Rename-Computer -NewName "adfs1" -ComputerName "dac-server2" -DomainCredential mydomain\myuser, followed by Restart-Computer dac-server2 -Force.  Now I was ready for step 4 in this tutorial.  Skipped step 5, as the AD FS wizard is happy to create a group Managed Service Account (gMSA) for you.

Uh-oh, got stuck on certificates...here's what I learned...

You need to request a "Web Server" certificate for the AD FS server.  After learning this, I duplicated the "Web Server" template, enabled domain computers to enroll for it, and published the template.  I also checked the box to require CA admin approval, just for fun.

So after returning to the AD FS server, I requested a web server certificate and it announced that my request was pending:

No problem - I ambled back to the CA and approved it.  But now what?  The answer is to enable a group policy setting:

Like this:

So you can right-click on "Certificates" and retrieve your issued certificate!  I learned this here.

OK, back to the tutorial...

I finished it up and ran into a problem with Workplace Join on my iPhone, so I'm stepping away from that project for now.  No sense in banging my head on a newly introduced feature which might get patched or updated in the near future.


Excursion into storage: it appears that Openfiler is something to avoid.  Nexenta Community Edition is not supported in a production environment.  Which brings me back to FreeNAS.  I plan to work with iSCSI for now, as Windows likes it...someday I'd like to learn NFS for VMware.

Based on the forum reading from tonight, ZFS (the filesystem used by FreeNAS) works best if your RAID controller presents a JBOD and lets ZFS manage the RAID level.


OK, I need to get Server 2012 certified, then I'll move on to learning storage technologies!

Workplace Join requires a forest functional level of 2012 R2.

So I was wondering...if a person authenticates to their computer with a smart card and you need to halt their access...how do you do that?  Disabling the account stops new logons at once; revoking their certificate through the Certification Authority snap-in is the other half, and takes effect once the new CRL is published.  I want to get some hands-on experience with this, so I read about certificates, then found a $15 reader, then wanted to buy a $13 smart card, but the shopping cart link is broken and a TechNet thread suggests that Gemalto cards might be better anyway.  Also found instructions for getting started with smart cards.  Well, the Gemalto cards are about $25 each and I'm not at all sure that they can be read and written to through the card reader above, so will not pursue this any further for now.  I am curious as to what the $20 Gemalto software does.  Also, found a good reseller of smart cards and their readers - txsystems.com.  OK, that ends my research for today into smart cards.
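On the revocation question, as an added example (not the post's code), here is the PowerShell sequence I'd use to cut off a smart card user.  It disables the account first, because the KDC refuses a disabled account no matter what the card presents, and only then revokes the user's smart card logon certificates and publishes a fresh CRL; revocation alone is not immediate, since domain controllers keep using their cached CRL until it expires.  It assumes the logon template publishes certificates to the user's AD object (the userCertificate attribute) and takes the CA's config string ("CAHOST\CA Name", as printed by certutil -dump) as a parameter; the account name and CA name in the usage line are placeholders.

```powershell
Import-Module ActiveDirectory

# EKU OID for Smart Card Logon
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'

function Get-SmartCardLogonCertificate {
    # Returns the smart card logon certificates published on the user's AD object.
    # Assumes the template has "Publish certificate in Active Directory" set; if it
    # doesn't, query the CA database instead:
    #   certutil -config "CAHOST\CA Name" -view -restrict "RequesterName=DOM\user,Disposition=20" -out SerialNumber
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties userCertificate
    foreach ($raw in $user.userCertificate) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,[byte[]]$raw)
        $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $SmartCardLogonEku })) { $cert }
    }
}

function Revoke-SmartCardUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$CAConfig,   # "CAHOST\CA Name", as shown by certutil -dump
        [int]$Reason = 1                            # 1 = KeyCompromise; 0 = Unspecified, 4 = Superseded, 5 = CessationOfOperation
    )
    # 1. Disable the account first. The KDC will not issue a TGT to a disabled
    #    account regardless of the certificate, so this is the immediate cut-off.
    Disable-ADAccount -Identity $SamAccountName

    # 2. Revoke each smart card logon certificate in the CA database.
    $certs = @(Get-SmartCardLogonCertificate -SamAccountName $SamAccountName)
    foreach ($cert in $certs) {
        certutil -config $CAConfig -revoke $cert.SerialNumber $Reason | Out-Null
    }

    # 3. Publish a new CRL (and delta CRL). Clients and DCs keep using their cached
    #    CRL until it expires, so revocation alone is not immediate.
    certutil -config $CAConfig -crl | Out-Null

    [pscustomobject]@{
        User             = $SamAccountName
        AccountDisabled  = -not (Get-ADUser -Identity $SamAccountName).Enabled
        RevokedSerials   = ($certs | ForEach-Object { $_.SerialNumber })
    }
}

# Usage (placeholders): Revoke-SmartCardUser -SamAccountName 'jsmith' -CAConfig 'JQR-DC1\Example CA' -Reason 1
```

Re-enabling the account later does not un-revoke the certificates; the user would need a new card enrollment.  If you only want to suspend access temporarily, stop after step 1.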

With the recent demise of TrueCrypt, I want to learn BitLocker - I'd like to try it out with a TPM and with a smart card...and try out enforcing a console lock timeout of 5 minutes.

Next up: UPN suffix routing between forests - what is it and how do you do it?

First, a UPN is a way to uniquely identify a user account in a forest.  It's often the user's email address, but is not required to be a valid DNS name.  Reasons for using it instead of the downlevel-logon format DOMAIN\USER include: 1) simplifying usernames in a deep domain structure; 2) simplifying usernames in a hard-to-remember domain name; 3) you've renamed the company or organization - changing a UPN suffix is vastly easier than renaming a domain.

UPN suffix routing refers to how authentication requests are transmitted between forests that trust each other (reference).  First, you need to set up the forest trusts.  Before you can do that, you need to configure conditional DNS forwarding on both servers.

If you only do conditional forwarding on one server, you'll get this error:

According to this forum, you can also get this error if you have two servers with the same name in different domains on the same subnet.

OK, so I have forest trusts in place.  How can I efficiently test user authentication between forests?  With a Powershell function from a forum:

Function Test-ADAuthentication {
    param($username, $password)  # bind to the default naming context with the supplied credentials
    (New-Object DirectoryServices.DirectoryEntry "", $username, $password).psbase.Name -ne $null
}

PS C:\> Test-ADAuthentication "dom\myusername" "mypassword"
PS C:\>

Sweet!  This function validates an outgoing trust from where it is run to the target domain/forest.

I have three forests: forest1.local, forest2.local, and dac.local.  The first two each have a two-way transitive trust to dac.local; note that forest1 and forest2 do not trust each other.  So I added a child domain to forest1.local (child.forest1.local) and found that UPN suffix routing did not immediately work - so I clicked on the "Validate" button in the forest trust and that asked if I wanted to update the name suffix routing info, so I said yes, and then all was well.

Next I disabled routing for the child.forest1.local name suffix, but that didn't take effect immediately, so I flushed the DNS cache via the MMC console and then it took effect.

Next I added an "external" trust between dac.local and child.forest1.local and tested it OK.  When I deleted it, it kept on working until I restarted the Active Directory Domain Services service (which also restarted four other services: Kerberos Key Distribution Center, Intersite Messaging, DNS Server, DFS Replication).

Explicit UPN suffix routing works with forest trusts, but an external trust only supports implicit UPN (i.e. user@domain.xyz) suffixes (link).
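Here is the DNS and trust plumbing from the paragraphs above in PowerShell form.  This is an added example, not code from the original post; it uses the DnsServer and ActiveDirectory modules plus netdom.  The addresses are assumed: 192.0.2.10 is a DC in dac.local and 192.0.2.20 is a DC in forest1.local, and the suffix index passed to /ToggleSuffix is a placeholder you read off the /NameSuffixes listing.

```powershell
# Added example, not from the original post: conditional forwarders, trust inspection and
# name-suffix routing for the forest1.local <-> dac.local forest trust.
# Assumed addresses: 192.0.2.10 = DC in dac.local, 192.0.2.20 = DC in forest1.local.
Import-Module DnsServer
Import-Module ActiveDirectory

# Step 1 - conditional forwarders on BOTH sides. This half runs on a forest1.local DC; the
# mirrored command (zone forest1.local -> 192.0.2.20) runs on a dac.local DC. Doing only
# one side is what produces the trust-creation error mentioned above.
Add-DnsServerConditionalForwarderZone -Name "dac.local" -MasterServers 192.0.2.10 -ReplicationScope "Forest"

# Step 2 - prove the forwarder works before opening the trust wizard: the remote forest's
# DC-locator SRV record must resolve from here.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.dac.local" -Type SRV

# Step 3 - once the trust exists (created in the GUI wizard, as in the post), inspect it.
Get-ADTrust -Filter { Target -eq "dac.local" } |
    Format-List Name, Direction, ForestTransitive, SelectiveAuthentication, TrustAttributes

# Step 4 - name-suffix routing. /NameSuffixes lists the routed suffixes (child.forest1.local
# appears once the routing info has been refreshed) with an index number; adding /ToggleSuffix
# flips the entry with that index. This is the command-line form of the trust's
# "Name Suffix Routing" tab; run it on the side whose routing you are changing.
netdom trust dac.local /domain:forest1.local /NameSuffixes:forest1.local
netdom trust dac.local /domain:forest1.local /NameSuffixes:forest1.local /ToggleSuffix:2   # index assumed

# Step 5 - routing changes did not show up until the DNS cache was flushed in the post;
# this is the PowerShell form of that MMC action, plus the local resolver cache.
Clear-DnsServerCache -Force
Clear-DnsClientCache

# Step 6 - verify the trust's secure channel from this side.
netdom trust dac.local /domain:forest1.local /Verify
```

Run the Add-DnsServerConditionalForwarderZone step on a DC in each forest before creating the trust; the remaining steps are only meaningful once the trust exists.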

In the FSRM - if you try to delete a local classification that is referenced by a rule, you'll be told:

If you delete a classification property that is used by files, that's OK - they will simply lose that particular classification property.

Server 2012 introduced the ability to manually classify files/folders.


Prepping to get hands-on experience with high availability

I currently have a small VM host with a 1TB HDD, 16GB of RAM, and a 3.3GHz CPU.  Today I ordered a second (almost identical) computer.  Last night I set up FreeNAS running from a 2GB USB flash drive on an old Pentium 4 PC with a 320GB HDD.  Today, I configured it as an iSCSI target, to serve as a CSV (cluster shared volume) for my high availability education.

FreeNAS Quick Start Guide

FreeNAS iSCSI documentation

I'd like to see if Jumbo Frames helps me out (with this $18 switch), but will have to wait on that for now.  I'd also like to use a pure SSD environment, which would let me saturate a 3Gb network link to my poor-man's SAN.  The point of all this is to be able to get MCSE 2012 certified.

How to enable Jumbo Frames in Server Core
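An added example (not from the post or from the linked article) of the Server Core side of this lab: enabling jumbo frames on the storage NIC, checking that the path to the FreeNAS box actually carries a 9000-byte frame, and attaching its iSCSI target persistently.  The adapter name "Storage" and the FreeNAS address 192.0.2.50 are assumptions.

```powershell
# Added example, not from the post: jumbo frames + iSCSI initiator on a Server Core / Hyper-V host.
# Assumed: the storage adapter is named "Storage" and FreeNAS listens at 192.0.2.50.
$nic    = "Storage"
$target = "192.0.2.50"

# The advanced-property display name varies by driver, so list it before changing it.
Get-NetAdapterAdvancedProperty -Name $nic | Where-Object DisplayName -like "*Jumbo*"
# "*JumboPacket" is the standardized INF keyword; 9014 includes the 14-byte Ethernet header.
Set-NetAdapterAdvancedProperty -Name $nic -RegistryKeyword "*JumboPacket" -RegistryValue 9014

# Verify end to end with a don't-fragment ping: 8972 bytes payload + 28 bytes IP/ICMP headers = 9000.
# If the switch or the FreeNAS NIC is still at 1500, this reports "needs to be fragmented".
ping.exe -f -l 8972 -n 2 $target

# iSCSI initiator: make the service permanent, register the portal, connect every exposed target.
Set-Service -Name MSiSCSI -StartupType Automatic
Start-Service -Name MSiSCSI
New-IscsiTargetPortal -TargetPortalAddress $target
Get-IscsiTarget | Where-Object { -not $_.IsConnected } |
    Connect-IscsiTarget -IsPersistent $true      # reconnects automatically after a reboot

# The LUN shows up as a raw disk; leave it offline/RAW until the cluster claims it as a CSV.
Get-Disk | Where-Object BusType -eq "iSCSI" |
    Format-Table Number, FriendlyName, Size, OperationalStatus, PartitionStyle
```

The MTU on the switch and on the FreeNAS interface must be raised as well, or the ping test fails even though the Windows side reports 9014.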

I've learned that the GPT partitioning style supports drives over 4TB and more than 4 partitions (if you care about partitions anymore).


Monitoring (fragment)

I've been assigned to stabilize and document the IT infrastructure of a company with 35 workstations and several servers.  A 100Mbps wireless bridge connects two buildings.  Users in building 2 complain of slow network performance.  A monitoring system is needed.

My boss likes Zabbix; I tried it, but got lost in textual config files and endless customization options.

Today, I installed PRTG Network Monitor and like it a lot.  It gives you 10 sensors for free; 100 sensors cost a one-time $440 fee.  The only problem is the free version's fastest interval is 60 sec - the paid version's is 30 sec.  I'm looking for a 3 - 5 sec interval - from a free tool.

Solarwinds Bandwidth Monitor doesn't offer logging.
Flowalyzer offers logging, but it doesn't work.
STP works, but its internal math seemed wrong - due to my own error at the time.
...which brought me to the (yep, text-only) MRTG.

I needed to identify the correct OID to monitor: Flowalyzer provided this, and I found a list of Proxim OIDs at this link.

Misc Notes:
- To start the WinPcap driver, run "net start npf"
http://support.microsoft.com/kb/314053 - TCP Window size - bigger is better on slow networks
http://www.mikrotik.com/thedude - haven't tried it out yet.
https://www.untangle.com/store/web-filter.html - I'd like to try it out.


File classification + dynamic access control

This evening's study topic was file classification + dynamic access control.  The files that I want to classify are about dating, finances, travel plans, and correspondence.

Installed the FSRM to let me configure classification properties and rules for files.  Tried to make a property that would flag all files containing the names of several different women with the "dating" property, but you can't do that - you need a separate rule for each piece of text that you're searching on.  Bummer.

I think Microsoft wants me to classify entire folders with the FSRM - just like I would've done with an Active Directory security group - and then control access via DAC instead of security groups.  OK, makes sense.

The classification is stored in a file's NTFS alternate data stream, so the classification will stay with the file as long as that file lives on an NTFS formatted volume.  I can't find any GUI-based way to remove all file classifications, so I guess you'd need to copy your files to a FAT32 or ReFS volume in order to wipe out their classification attribute(s).

For Dynamic Access Control, be aware that Windows 8 supports device claims, while Windows 7 only supports user claims (I think the file server queries the domain controller for user claims on Windows 7, since I think Windows 7 doesn't directly support user claims).

TrueCrypt containers mounted as a drive letter do not support volume shadow copy.  However, an entire drive that is encrypted with TrueCrypt does support volume shadow copy.

After installing FSRM on a 2012 R2 server and enabling VSS (volume shadow copy) on a couple of VHD files that I'd created and mounted, I noticed that 600MB was immediately allocated by the OS (although not written, since the empty and thin-provisioned 2GB VHD file remained at 30MB on the host system).  Disabling VSS did not recover the disk space.  I'm thoroughly puzzled as to its cause.

Here's a link to How NOT to go overboard with classification.  Here's a link to an overview that mentions a deployment tool from Microsoft.

Now, the classification properties that you define inside the FSRM are local to that file server.  If you want consistency across multiple file servers, or you want to control access with these properties (just like NTFS or share permissions) then you need Dynamic Access Control, configured from the new Active Directory Administrative Center.  There, you define forest-wide resource properties for files/folders and/or "claims" that describe users by department, location, etc - attributes pulled from their Active Directory account details.  You can then make a rule that requires a user claim to match a resource property, package that up in a "central access policy" which gets deployed in a GPO and then you can manually apply that central access policy to the shares on your file server(s).

Experimenting with DAC:
- Enabled the built-in "Department" resource property.  This immediately became visible in the FSRM as a classification that is "global" in scope.  You can't edit it in the FSRM, because it's managed by the ADAC.
- A "Central Access Policy" exists solely to let you deploy one or more "Central Access Rules" to your file servers via group policy, instead of manually defining these rules on each shared folder of each file server...now you can simply point & click to enable the rule(s) on each shared folder of each file server.
- Central Access Policies become available for first application on a file server as soon as they are refreshed by group policy.
- Changes to Central Access Rules are effective immediately on all file shares that reference them. 

This is a cool way to manage file permissions!
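The claim -> resource property -> central access rule -> central access policy chain described above, scripted as an added example (not code from the post).  It uses the ActiveDirectory module on a 2012 R2 DC and the FSRM cmdlets on the file server.  Assumptions: departments are stored in the AD "department" attribute, the share root on the file server is D:\Finance, and the names "Finance Rule" and "Finance Policy" are made up for this example.

```powershell
# Added example, not from the post: Dynamic Access Control end to end.
# Assumed: AD attribute "department", folder D:\Finance, rule/policy names invented here.
Import-Module ActiveDirectory

# 1. User claim sourced from the "department" attribute. Keep the object so the generated
#    claim ID (ad://ext/Department:<suffix>) can be referenced in the SDDL below.
$claim = New-ADClaimType -DisplayName "Department" -SourceAttribute "department" -PassThru

# 2. Enable the built-in Department resource property (ID Department_MS) and add it to the
#    global list; this is the point at which it appears in the FSRM as a "global" property.
Set-ADResourceProperty -Identity "Department_MS" -Enabled $true
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members "Department_MS"

# 3. Central Access Rule. Applies to resources classified Department=Finance. The DACL (SDDL)
#    keeps Administrators and SYSTEM at full control and grants Modify (0x1301bf) to
#    authenticated users only when their Department claim equals the resource's Department
#    (XA = conditional allow ACE).
$sddl = "O:SYG:SYD:AR(A;;FA;;;BA)(A;;FA;;;SY)" +
        "(XA;;0x1301bf;;;AU;(@USER.$($claim.ID) == @RESOURCE.Department_MS))"
New-ADCentralAccessRule -Name "Finance Rule" `
    -ResourceCondition '(@RESOURCE.Department_MS == "Finance")' `
    -CurrentAcl $sddl

# 4. Central Access Policy: the unit group policy delivers to file servers.
#    Enable it in a GPO linked to the file servers' OU under Computer Configuration >
#    Policies > Windows Settings > Security Settings > File System > Central Access Policy.
New-ADCentralAccessPolicy -Name "Finance Policy"
Add-ADCentralAccessPolicyMember -Identity "Finance Policy" -Members "Finance Rule"

# ---- On the file server, after gpupdate /force has delivered the policy ----
# Folder-based classification (as the post suggests) and the CAP applied to the share root.
New-FsrmClassificationRule -Name "Finance folder" -Property "Department_MS" -PropertyValue "Finance" `
    -Namespace @("D:\Finance") -ClassificationMechanism "Folder Classifier"
Start-FsrmClassification -Confirm:$false
Set-Acl -Path "D:\Finance" -CentralAccessPolicy "Finance Policy"

# Verify the policy binding on the folder and the rule that stamps the property.
(Get-Acl -Path "D:\Finance").CentralAccessPolicyName
Get-FsrmClassificationRule -Name "Finance folder" | Format-List Name, Property, PropertyValue, Namespace
```

A user whose AD department is not "Finance" still gets whatever the folder's NTFS and share permissions allow; the central access rule can only further restrict, never widen, the effective access.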


Auto-answer (intercom) for extension-to-extension calls with FreePBX and Digium phones

You have a VoIP phone system running the FreePBX distribution of Asterisk with Digium phones connected to it.  Your client says "I want interoffice phone calls to be intercom style - no ringing".  Here's how to accomplish that.

First, enable it on a per-extension basis in FreePBX.

Second, install Webmin and edit the FreePBX database to change the intercom signal from "Ring-Answer" to "Intercom" (to eliminate a preliminary ring and only have a "beep" sound).

Hyper-V 2012 R2

Installed Microsoft's free Hyper-V 2012 R2 product tonight.  It boots into what resembles "Safe Mode with Command Prompt" and supports Remote Desktop.  Disabled its firewall by running "netsh advfirewall set allprofiles state off" and also had to disable the firewall on my Windows 7 laptop for the free 5Nine Manager for Hyper-V to work correctly.

Ran Install-WindowsFeature FS-Fileserver to enable the default file share of \\server\c$
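As an added example (not from the post), here is the narrower alternative to switching the host firewall off: re-enable the profiles and open only the management rule groups a remotely administered Hyper-V host needs, scoped to the management subnet.  The management subnet 192.0.2.0/24 is an assumption; the rule group names are the ones built into Windows Server 2012 R2.

```powershell
# Added example, not from the post: keep the host firewall on and open only the management
# rule groups, instead of "netsh advfirewall set allprofiles state off".
# Assumed: management laptop lives on 192.0.2.0/24.
$mgmtSubnet = "192.0.2.0/24"

# Undo the blanket disable so the rules below actually matter.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

$groups = @(
    "Hyper-V",                                   # VMMS and Hyper-V Manager traffic
    "Remote Desktop",
    "Remote Event Log Management",
    "Remote Service Management",
    "Remote Volume Management",
    "Windows Management Instrumentation (WMI)",
    "Windows Remote Management",
    "File and Printer Sharing"                   # for the \\server\c$ share enabled above
)

foreach ($g in $groups) {
    # Enable every rule in the group, but only accept it from the management subnet.
    Get-NetFirewallRule -DisplayGroup $g -ErrorAction SilentlyContinue |
        Set-NetFirewallRule -Enabled True -RemoteAddress $mgmtSubnet
}

# What is now reachable, grouped so surprises stand out.
Get-NetFirewallRule -Enabled True -Direction Inbound |
    Sort-Object DisplayGroup |
    Format-Table DisplayGroup, DisplayName, Profile -AutoSize
```

If 5Nine Manager still cannot connect after this, enable the individual rule it needs rather than dropping the profile back to Off; the table at the end shows which inbound rules are currently open.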