Certificates, Workplace Join, and UPN suffix routing between forests

I was recently asked what could cause a DNS zone that you've just signed with DNSSEC to stop replicating to a secondary server.  I still don't know the answer to that, but I have learned that the replication interval of a non-AD-integrated zone is defined by the "refresh interval" value in its SOA record.

That said, you can also click the "Notify" button under the Zone Transfers tab, which enables the pushing of real-time DNS updates to a non-AD-integrated DNS server.  One guy describes using a secondary DNS zone as a backup for just the DNS records in an AD-integrated zone.

Next, I decided to learn about registering devices through "Workplace Join".  Here's a scenario where you'd want it: you've implemented "dynamic access control" on your file server(s) and are using device claims to provide seamless second-factor authentication.  Your problem is that until now, only Windows 8 supported those device claims.  Workplace Join extends support for device claims (essentially a device certificate) to Windows 7 Pro/Enterprise/Ultimate, Apple iOS devices, and Android devices.  By default, it includes persistent SSO for 7 days.

First, I renamed one of my domain member servers via Rename-Computer -NewName "adfs1" -ComputerName "dac-server2" -DomainCredential mydomain\myuser, followed by Restart-Computer dac-server2 -Force.  Now I was ready for step 4 in this tutorial.  I skipped step 5, as the AD FS wizard is happy to create a Group Managed Service Account (gMSA) for you.

Uh-oh, got stuck on certificates...here's what I learned...

You need to request a "Web Server" certificate for the AD FS server.  After learning this, I duplicated the "Web Server" template, enabled domain computers to enroll for it, and published the template.  I also checked the box to require CA admin approval, just for fun.

So after returning to the AD FS server, I requested a web server certificate and it announced that my request was pending:

No problem - I ambled back to the CA and approved it.  But now what?  The answer is to enable a group policy setting:

Like this:

So you can right-click on "Certificates" and retrieve your issued certificate!  I learned this here.
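The same Web Server certificate request done from PowerShell on the AD FS server, as an added example (not from the original post) that gets past the "pending CA approval" step without the auto-enrollment group policy setting.  It assumes the PKI module (Server 2012 and later), that the duplicated template's name is WebServerADFS (a placeholder for whatever you named your copy; Get-Certificate wants the template name, not its display name), and a placeholder host name.

```powershell
# Added example, not code from the original post.
# Assumptions (placeholders): template name 'WebServerADFS' and the AD FS FQDN below.
Import-Module PKI

$fqdn     = 'adfs1.dac.local'    # placeholder for the AD FS server's FQDN
$template = 'WebServerADFS'      # placeholder: Name (not display name) of the duplicated template

# Submit the request. With "CA certificate manager approval" set on the template,
# this comes back with Status = Pending and the request parked in Cert:\LocalMachine\REQUEST.
$req = Get-Certificate -Template $template -SubjectName "CN=$fqdn" -DnsName $fqdn `
        -CertStoreLocation 'Cert:\LocalMachine\My'
"Enrollment status: {0}" -f $req.Status

if ($req.Status -eq 'Pending') {
    # On the CA, approve it by request ID (shown under Pending Requests in certsrv.msc,
    # or listed with: certutil -view -restrict "Disposition=9"), for example:
    #     certutil -resubmit <RequestId>
    # Then, back on the requester, retrieve the pending request explicitly. This is the
    # PowerShell equivalent of the "retrieve" right-click the post describes, and it does
    # not depend on the auto-enrollment policy being applied.
    $pending = Get-ChildItem 'Cert:\LocalMachine\REQUEST' |
        Where-Object { $_.Subject -eq "CN=$fqdn" }
    $req = Get-Certificate -Request $pending
    "Status after retrieval: {0}" -f $req.Status
}

# Check: the machine store now holds a certificate for the service name, with its private key
# (AD FS cannot use a certificate whose private key is missing or non-exportable-only elsewhere).
Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey } |
    Select-Object Subject, NotAfter, Thumbprint
```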

OK, back to the tutorial...

I finished it up and ran into a problem with Workplace Join on my iPhone, so I'm stepping away from that project for now.  No sense in banging my head on a newly introduced feature which might get patched or updated in the near future.


Excursion into storage: it appears that Openfiler is something to avoid.  Nexenta Community Edition is not supported in a production environment.  Which brings me back to FreeNAS.  I plan to work with iSCSI for now, as Windows likes it...someday I'd like to learn NFS for VMware.

Based on the forum reading from tonight, ZFS (the filesystem used by FreeNAS) works best if your RAID controller presents a JBOD and lets ZFS manage the RAID level.


OK, I need to get Server 2012 certified, then I'll move on to learning storage technologies!

Workplace Join requires a forest functional level of 2012 R2.

So I was wondering...if a person authenticates to their computer with a smart card and you need to halt their access...how do you do that?  Well, perhaps through the Certification Authority snap-in, by revoking their certificate.  I want to get some hands-on experience with this, so I read about certificates, then found a $15 reader, then wanted to buy a $13 smart card, but the shopping cart link is broken and a TechNet thread suggests that Gemalto cards might be better anyway.  I also found instructions for getting started with smart cards.  Well, the Gemalto cards are about $25 each and I'm not at all sure that they can be read and written to through the card reader above, so I will not pursue this any further for now.  I am curious as to what the $20 Gemalto software does.  I also found a good reseller of smart cards and their readers - txsystems.com.  OK, that ends my research for today into smart cards.

With the recent demise of TrueCrypt, I want to learn BitLocker - I'd like to try it out with a TPM and with a smart card...and try out enforcing a console lock timeout of 5 minutes.

Next up: UPN suffix routing between forests - what is it and how do you do it?

First, a UPN is a way to uniquely identify a user account in a forest.  It's often the user's email address, but it is not required to be a valid DNS name.  Reasons for using it instead of the down-level logon format DOMAIN\USER include: 1) simplifying usernames in a deep domain structure; 2) simplifying usernames in a hard-to-remember domain name; 3) you've renamed the company or organization - changing a UPN suffix is vastly easier than renaming a domain.

UPN suffix routing refers to how authentication requests are transmitted between forests that trust each other (reference).  First, you need to set up the forest trusts.  Before you can do that, you need to configure conditional DNS forwarding on both servers.

If you only do conditional forwarding on one server, you'll get this error:

According to this forum, you can also get this error if you have two servers with the same name in different domains on the same subnet.

OK, so I have forest trusts in place.  How can I efficiently test user authentication between forests?  With a PowerShell function from a forum:

Function Test-ADAuthentication {
    param($username, $password)
    # Bind to the default naming context with the supplied credentials; the bind only
    # succeeds (and .name is non-null) if the credentials are valid, so this yields $true/$false.
    (new-object directoryservices.directoryentry "", $username, $password).psbase.name -ne $null
}

PS C:\> Test-ADAuthentication "dom\myusername" "mypassword"
PS C:\>

Sweet!  This function validates an outgoing trust from where it is run to the target domain/forest.

I have three forests: forest1.local, forest2.local, and dac.local.  The first two each have a two-way transitive trust to dac.local; note that forest1 and forest2 do not trust each other.  Then I added a child domain to forest1.local (child.forest1.local) and found that UPN suffix routing did not immediately work - so I clicked on the "Validate" button in the forest trust, and that asked if I wanted to update the name suffix routing info, so I said yes, and then all was well.

Next I disabled routing for the child.forest1.local name suffix, but that didn't take effect immediately, so I flushed the DNS cache via the MMC console and then it took effect.

Next I added an "external" trust between dac.local and child.forest1.local and tested it OK.  When I deleted it, it kept on working until I restarted the Active Directory Domain Services service (which also restarted four other services: Kerberos Key Distribution Center, Intersite Messaging, DNS Server, DFS Replication).

Explicit UPN suffix routing works with forest trusts, but an external trust only supports implicit UPN (i.e. user@domain.xyz) suffixes (link).
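The checks for the trust setup described above, as an added example that is not from the original post: the conditional forwarder that must exist on both sides before the trust wizard will succeed, the trust attributes that decide whether explicit UPN suffixes get routed, and a credential test that tries the same account in down-level and UPN form.  It assumes the DnsServer and ActiveDirectory RSAT modules on a DC, and the partner forest name, DNS address and account name are placeholders.

```powershell
# Added example, not code from the original post. All names/addresses below are placeholders.
Import-Module DnsServer
Import-Module ActiveDirectory

# 1. Conditional forwarder for the partner forest. The mirror image of this must be run on
#    the partner's DNS server too, otherwise the trust wizard fails as described above.
$partnerForest = 'forest1.local'          # placeholder
$partnerDns    = @('192.0.2.10')          # placeholder (documentation address range)
if (-not (Get-DnsServerZone -Name $partnerForest -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $partnerForest `
        -MasterServers $partnerDns -ReplicationScope Forest
}
# Sanity check: the partner's DC locator records must resolve through the forwarder.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$partnerForest" -Type SRV

# 2. Trusts and the attributes that matter for UPN routing. Only a forest-transitive trust
#    routes explicit UPN suffixes; an external trust handles user@domain only.
#    (netdom trust <trusting> /Domain:<trusted> /NameSuffixes:<trusted> lists routed suffixes.)
Get-ADTrust -Filter * |
    Select-Object Target, Direction, ForestTransitive, IntraForest, TrustType

# 3. Credential test that returns $true/$false instead of a red error on a failed bind.
function Test-ForestLogon {
    param([string]$UserName, [System.Security.SecureString]$Password)
    $plain = (New-Object System.Net.NetworkCredential('', $Password)).Password
    try {
        $entry = New-Object System.DirectoryServices.DirectoryEntry('', $UserName, $plain)
        return ($null -ne $entry.psbase.Name)
    } catch {
        return $false
    }
}

# Same account, three name forms. If the down-level form works but a UPN form does not,
# that suffix is not being routed: re-validate the trust / refresh name suffix routing,
# remembering the post's note that a change may not show until the DNS cache is flushed.
$pw = Read-Host -AsSecureString 'Password for the partner-forest test account'
foreach ($name in 'FOREST1\jdoe', 'jdoe@forest1.local', 'jdoe@child.forest1.local') {
    '{0,-30} {1}' -f $name, (Test-ForestLogon -UserName $name -Password $pw)
}
```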

In FSRM, if you try to delete a local classification property that is referenced by a rule, you'll be told:

If you delete a classification property that is used by files, that's OK - they will simply lose that particular classification property.

Server 2012 introduced the ability to manually classify files/folders.