Saturday, October 4, 2014

Windows Azure AD with your Active Directory

I've just watched a Microsoft jump-start video on how to integrate Windows Azure AD (AAD) with your on-premise AD infrastructure. By doing so, your users get a seamless authentication experience between public Windows Azure (e.g. Office 365, SharePoint Online etc.) and the on-premise network. Here is the link: AD to Windows Azure AD.
In summary, there are 3 possible options:
1) No integration. Users log on to Azure and on-premise AD separately with different sets of credentials.
2) Directory sync (DirSync) only: On-premise AD user accounts and password hashes are synced to Azure. Users log on to both using the same set of credentials. No Single Sign-On (SSO) between AD and AAD. In other words, users have to authenticate twice, even though they may use the same set of user IDs and passwords.
3) AD Federation (ADFS with DirSync): AD user objects (but no password hashes) are synced to Azure. Establish a one-way federated trust (i.e. Azure trusts your AD). This option supports SSO and even smart card authentication.

Wednesday, September 3, 2014

Active directory or sysvol is not accessible on this domain controller or an object is missing

I saw this error message on Group Policy Management when I did a status check on the AD replication. All domain controllers were stuck with replication in progress with their respective Sysvol "inaccessible" against the PDC emulator. I couldn't find any error events on "DFS Replication" at all - the replication just got stuck in progress.

When this happens, follow the steps on How to perform an authoritative synchronization of DFSR-replicated SYSVOL.

Thursday, August 28, 2014

Trying out Lync 2013 Deployment

I did my first test deployment of Lync 2013 - a Skype-like application for the Intranet. For a quick step-by-step installation, I've followed this guide: How to Install Lync Server 2013 Std. Edition on Windows Server 2012

As installing Lync server requires modifying the AD forest, I've decided to make it cross-forest, i.e. Lync on a resource forest. It has a similar concept to a Linked Mailbox in Exchange, i.e. a disabled user account on the resource forest that maps to the actual user SID in the user forest. To do so, I've followed this guide: User Enabling in Resource Forest

If you do not have an Exchange server on the resource forest, you can simply do the following (on the resource forest):

  1. Create a new disabled user account with the same email address as the user.
  2. Copy the objectSID attribute from the User Forest account to the msRTCSIP-OriginatorSID attribute of the disabled account. You can do so using the "AD Users and Computers" console by enabling "Advanced Features" on the "View" menu.
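The two steps above scripted with the ActiveDirectory module, as an added example that is not from the original post or the linked guide; the DC names and the sample account are assumptions, and the resource forest is assumed to already carry the Lync schema (msRTCSIP-OriginatorSID is an octet string, so the SID is written in binary form).

```powershell
# Added example: map a disabled resource-forest account to its user-forest
# owner for Lync by copying objectSID into msRTCSIP-OriginatorSID.
# Needs rights to read in the user forest and write in the resource forest.
Import-Module ActiveDirectory

$UserForestDC     = 'dc01.users.example.com'     # assumption: a DC in the user forest
$ResourceForestDC = 'dc01.resource.example.com'  # assumption: a DC in the resource forest
$UserSam          = 'jdoe'                        # constructed sample account

# Step 1 input: the real user's SID and mail address from the user forest.
$src = Get-ADUser -Identity $UserSam -Server $UserForestDC -Properties objectSid, mail

# msRTCSIP-OriginatorSID is binary, so serialise the SecurityIdentifier.
$sidBytes = New-Object byte[] $src.objectSid.BinaryLength
$src.objectSid.GetBinaryForm($sidBytes, 0)

# Step 1: create the disabled account with the same e-mail address (idempotent).
$dst = Get-ADUser -Filter "sAMAccountName -eq '$UserSam'" -Server $ResourceForestDC
if (-not $dst) {
    $dst = New-ADUser -Name $src.Name -SamAccountName $UserSam -EmailAddress $src.mail `
        -Enabled $false -Server $ResourceForestDC -PassThru
}

# Step 2: store the user-forest SID on the resource-forest object.
Set-ADUser -Identity $dst -Server $ResourceForestDC `
    -Replace @{ 'msRTCSIP-OriginatorSID' = $sidBytes }

# Verify: the stored bytes must round-trip to the original SID string.
$check  = Get-ADUser -Identity $dst -Server $ResourceForestDC -Properties 'msRTCSIP-OriginatorSID'
$stored = New-Object System.Security.Principal.SecurityIdentifier($check.'msRTCSIP-OriginatorSID', 0)
if ($stored.Value -ne $src.objectSid.Value) { throw "SID mapping mismatch for $UserSam" }
"$UserSam -> $($stored.Value) mapped on the resource forest"
```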

Thursday, May 15, 2014

Virtualised Domain Controllers Replication Issues

I noticed virtualised domain controllers often have issues replicating new settings in Group Policy Objects. This warning message was also observed:

Error: 9036 (Paused for backup or restore)

After reading this Technet article on backing up virtual domain controllers, I realised the cause was the snapshot backup at the Hyper-V level. The only supported backup method is running the backup job at the guest VM level. Since then, I've stopped backing up domain controllers at the Hyper-V host level and disabled the backup integration services in the VM configuration.
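To apply the last step consistently on a Hyper-V host, this added example (not from the original post) lists domain controller VMs whose backup integration service is still enabled and turns it off; the 'DC*' name filter is an assumption about how the VMs are named.

```powershell
# Added example: disable host-level (snapshot) backups for DC guests so that
# AD replication is no longer paused with error 9036.
Import-Module Hyper-V

$dcVMs = Get-VM | Where-Object { $_.Name -like 'DC*' }   # assumption: DC VMs are named DC*

foreach ($vm in $dcVMs) {
    # The service is "Backup (volume snapshot)" on WS2012 and
    # "Backup (volume checkpoint)" on later releases, so match on the prefix.
    $backupSvc = Get-VMIntegrationService -VM $vm | Where-Object { $_.Name -like 'Backup*' }

    if ($backupSvc.Enabled) {
        Write-Warning "$($vm.Name): backup integration service enabled, disabling it"
        Disable-VMIntegrationService -VM $vm -Name $backupSvc.Name
    } else {
        "$($vm.Name): backup integration service already disabled"
    }
}
```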

Monday, May 12, 2014

WS2012 Domain Controllers stop replication after Power Outage

We had a power outage and noticed newer Group Policy Objects (GPOs) weren't replicated across the AD. After running the dcdiag /a diagnostic command, we noticed DRS-R event errors on some WS2012 Domain Controllers. After some research, we realised that WS2012 by default stops replication instead of recovering automatically.

To enable it back, configure these settings in the registry and restart the affected DCs.

  1. Set the HKLM\System\CurrentControlSet\Services\DFSR\Parameters\StopReplicationOnAutoRecovery registry value to a DWORD value of 0.
  2. On an elevated command prompt, run wmic /namespace:\\root\microsoftdfs path dfsrmachineconfig set StopReplicationOnAutoRecovery=FALSE
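The same two settings audited and corrected across every DC in the domain, as an added example that is not from the original post; it assumes the ActiveDirectory module and PowerShell remoting to the DCs, and reads the live value through the DfsrMachineConfig WMI class that the wmic command above writes.

```powershell
# Added example: report StopReplicationOnAutoRecovery on all DCs and reset it
# where replication would otherwise stay stopped after a dirty shutdown.
Import-Module ActiveDirectory

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\DFSR\Parameters'
$dcs     = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ArgumentList $regPath -ScriptBlock {
    param($regPath)

    # Live DFSR setting (same object as "wmic ... dfsrmachineconfig").
    $cfg = Get-CimInstance -Namespace 'root\MicrosoftDFS' -ClassName DfsrMachineConfig
    # Registry value; $null when it has never been created.
    $regValue = (Get-ItemProperty -Path $regPath -Name StopReplicationOnAutoRecovery `
                    -ErrorAction SilentlyContinue).StopReplicationOnAutoRecovery

    if ($cfg.StopReplicationOnAutoRecovery -or $regValue -ne 0) {
        New-ItemProperty -Path $regPath -Name StopReplicationOnAutoRecovery `
            -PropertyType DWord -Value 0 -Force | Out-Null
        Set-CimInstance -InputObject $cfg -Property @{ StopReplicationOnAutoRecovery = $false }
        $state = 'changed - restart this DC'
    } else {
        $state = 'ok'
    }

    [pscustomobject]@{
        DC       = $env:COMPUTERNAME
        WmiValue = $cfg.StopReplicationOnAutoRecovery
        RegValue = $regValue
        State    = $state
    }
}

$results | Format-Table DC, WmiValue, RegValue, State -AutoSize
```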

Thursday, May 8, 2014

Verify Domain Controller Certificate for Smartcard Logon

To enable user smartcard logon, all domain controllers must be enrolled with KDC-enabled certificates. The correct cert template to deploy is Domain Controller Authentication. If you enrolled the domain controllers with the wrong certs, you might encounter this error event on the domain controllers:
This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate.
To resolve, delete the invalid cert and request a new valid cert. To verify after enrolling the domain controller certificates, run this command:
certutil -dcinfo verify
Reference: Event ID 19 — KDC Certificate Availability
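As a complement to certutil -dcinfo verify, this added example (not from the original post) checks every DC remotely for a machine certificate whose EKUs PKINIT can use and counts recent Event 19 entries from the KDC; it assumes the ActiveDirectory module and remoting, and uses the published EKU OIDs for KDC Authentication (1.3.6.1.5.2.3.5) and Smart Card Logon (1.3.6.1.4.1.311.20.2.2).

```powershell
# Added example: which DCs hold a PKINIT-capable certificate, from which
# template, and which ones have logged KDC Event 19 in the last 7 days.
Import-Module ActiveDirectory

$dcs = (Get-ADDomainController -Filter *).HostName

$report = Invoke-Command -ComputerName $dcs -ScriptBlock {
    # EKUs that let the KDC use the certificate for PKINIT.
    $pkinitEkus = '1.3.6.1.5.2.3.5', '1.3.6.1.4.1.311.20.2.2'

    $usable = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId | Where-Object { $pkinitEkus -contains $_ })
    }

    # Template each usable cert came from: v1 template name or v2+ template OID extension.
    $templates = foreach ($c in $usable) {
        $ext = $c.Extensions | Where-Object {
            $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
        }
        if ($ext) { $ext | ForEach-Object { $_.Format($false) } } else { '(no template extension)' }
    }

    # Event 19 from the KDC: smartcard logon attempted, no suitable certificate.
    $ev19 = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 19
        StartTime    = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DC            = $env:COMPUTERNAME
        PkinitCerts   = @($usable).Count
        Templates     = ($templates -join '; ')
        Event19Last7d = @($ev19).Count
    }
}

# DCs with PkinitCerts = 0 or a non-zero Event19Last7d are the ones to re-enroll.
$report | Format-Table DC, PkinitCerts, Templates, Event19Last7d -AutoSize
```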

Wednesday, April 9, 2014

Rebuilding WID Database for WSUS in Windows Server 2012

If you're using Windows Internal Database (WID) for WSUS in WS2012 and you think you've screwed up the configuration, you can force WSUS to rebuild its contents and database.

Steps:
  1. Remove the WSUS and WID roles from Server Manager. Reboot the server.
  2. Go to C:\Windows\WID\Data
  3. Move both "SUSDB.mdf" and "SUSDB_log.ldf" to another temp folder
  4. Re-install the WSUS server role