Last month, Microsoft released a KnowledgeBase article for Active Directory Certificate Services running on Windows Server 2008 R2 with Service Pack 1 and Windows Server 2012.
This KnowledgeBase article doesn’t apply to Windows Server 2012 R2, although the same issue exists there as in Windows Server 2008 R2 and Windows Server 2012.
When you configure a server running Windows Server 2008 R2 with Service Pack 1 or Windows Server 2012 as a Certification Authority (CA), you have the option to also configure it as an Online Responder.
The Online Responder is installed as the Online Responder Service (OCSP), an additional Role Service of the Active Directory Certificate Services (AD CS) Server Role. It is available in both Server with a GUI and Server Core installations.
The Online Responder is an alternative to Certificate Revocation Lists (CRLs) for checking the revocation status of a certificate issued by a Certification Authority (CA).
When you enable auditing for requests to the Online Responder, it will log event ID 5125 in the Security log of the server, running the Online Responder Service.
Enabling auditing for the Online Responder Service
To enable request auditing for the Online Responder, you first need to audit object access at the server level. Perform these steps:
- Open the Local Group Policy Editor (gpedit.msc) to edit the local Group Policy on a server running the Online Responder Service, or start the Group Policy Management Console (gpmc.msc) to create a domain-based Group Policy Object (GPO) targeting (an Organizational Unit containing) the servers running the Online Responder Service.
- Under (Policies,) Computer Configuration, expand Windows Settings, Security Settings and Local Policies, and then click Audit Policy.
- Double-click the Audit object access policy.
- Select the Success and Failure check boxes, and click OK.
Then, perform these steps to enable auditing for the Online Responder:
- Open Online Responder Management (ocsp.msc), and select the Online Responder in the left pane.
- Right-click on the Online Responder and select Responder Properties from the Action menu, or click Responder Properties in the Action pane on the right.
- Click the Audit tab
- Select the Requests submitted to the Online Responder audit option, and then click OK.
By default, Event ID 5125 will contain the following information:
However, this information does not meet the basic auditing requirements of the Common Criteria for Information Technology Security Evaluation, an international standard (ISO/IEC 15408) for computer security certification.
KnowledgeBase article 2891347 contains a hotfix for this issue.
After you install this hotfix, event ID 5125 contains the certificate serial number, the issuer CA name and the revocation status. The event is logged resembling the following:
A request was submitted to OCSP Responder Service.
Certificate Serial Number: 61342231000000000007
Issuer CA Name: CN=ocsp-audit-CA, DC=test, DC=mydomain, DC=com
Revocation Status: Good/Revoked/Unknown/Empty String
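The two halves of the procedure above, the audit policy and reading the hotfixed events back, as an added PowerShell example that is not part of the original post. It assumes you run it elevated on the server hosting the Online Responder Service and that the events use the post-hotfix layout shown above; the field names in the output objects are my own.

```powershell
# Added example, not part of the original post: turn on object-access auditing from the command
# line (the auditpol equivalent of the Local Policy steps above) and read event 5125 entries back
# into objects you can filter on. Run elevated on the Online Responder host.

# Success and Failure for the Object Access category, which is where the OCSP audit events land
auditpol.exe /set /category:"Object Access" /success:enable /failure:enable

function Get-OcspRequestAudit {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 500
    )
    $filter = @{ LogName = 'Security'; Id = 5125 }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = $_.Message
            # Each field sits on its own line in the hotfixed message; a pre-hotfix event (no such lines)
            # simply yields empty fields, which is itself a sign the hotfix is missing on that host
            $serial = if ($text -match 'Certificate Serial Number:[ \t]*(\S+)') { $Matches[1] } else { $null }
            $issuer = if ($text -match 'Issuer CA Name:[ \t]*(.+)')            { $Matches[1].Trim() } else { $null }
            $status = if ($text -match 'Revocation Status:[ \t]*(\S*)')        { $Matches[1] } else { $null }
            [pscustomobject]@{
                TimeCreated  = $_.TimeCreated
                SerialNumber = $serial
                IssuerCA     = $issuer
                Status       = $status
            }
        }
}

# Requests for revoked certificates are the interesting ones: something is still presenting a
# certificate the CA has withdrawn
Get-OcspRequestAudit | Where-Object { $_.Status -eq 'Revoked' } | Format-Table -AutoSize

# Volume per issuing CA and status: an issuer you do not recognise, or a spike in Unknown answers,
# both deserve a look
Get-OcspRequestAudit | Group-Object IssuerCA, Status | Sort-Object Count -Descending | Select-Object Count, Name
```

The regular expressions deliberately do not cross line breaks, so an empty Revocation Status (the "Empty String" case above) comes back as an empty string rather than swallowing the next line of the message.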
When you want more useful auditing information on requests submitted to the Online Responder Service on Windows Server 2008 R2 with Service Pack 1 or Windows Server 2012, install this hotfix.
Related KnowledgeBase articles
2891347 A hotfix is available that records more information in event ID 5125 for an OCSP response in Windows Server 2012 and Windows Server 2008 R2 SP1
Audit Online Responder Operations
AD CS Online Responder Service
Implementing an OCSP responder: Part I - Introducing OCSP
Implementing an OCSP responder: Part II Preparing Certificate Authorities
Implementing an OCSP responder: Part III Configuring OCSP for use with Enterprise CAs
Implementing an OCSP responder: Part IV Configuring OCSP for use with Standalone CAs
Implementing an OCSP Responder: Part V High Availability
Implementing an OCSP Responder: Part VI Configuring Custom OCSP URIs via Group Policy
Today I received an e-mail message titled
“Congratulations 2014 Microsoft MVP!”
This means I’ve been renewed for the fifth time. 2014 will be my sixth consecutive year as a Microsoft Most Valuable Professional (MVP) in the Directory Services area, as I’ve been awarded on January 1, in 2009, 2010, 2011, 2012 and 2013 before.
As the calendar year 2013 comes to an end, today, it’s perhaps the perfect time to update all those who haven’t been able to keep up with the blog, but still want to know what went on this year.
You’ll find my month-by-month personal highlights below, easily digestible within five minutes and including both my speaker and booth babe gigs for 2013 and a tiny little peek into the jobs I performed as a professional for my employer.
On January 1, 2013, around 4 PM, I received the much anticipated message from Microsoft, awarding me as a Microsoft Most Valuable Professional (MVP) for the 5th time. Since the MVP Award is a yearly award, I’ll be waiting anxiously for the message tomorrow, to see if I made it to my 6th year and thus be invited back to Redmond in 2014…
Between Christmas 2012 and February 15, I did a series of interviews for the Microsoft Virtual Academy (MVA). It was fun to get their perspectives on this Microsoft initiative, that has already touched a million and a half lives.
The second week of February was reserved for the MVP Summit; my yearly opportunity to chat with the people behind Windows Server and System Center.
Somehow, I ended up lunching with a couple of Windows IT Pro Expert MVPs at Snoqualmie Falls on Thursday and visiting Canada on Friday…
My speaking season started late. On March 6, 2013 I performed a 1-hour session on Virtualization-safe(r) Active Directory and Domain Controller Cloning during the Dutch TechDays.
During the TechDays my employer launched the ICT Expert Talks channel. It was fun to work with them to launch it and build upon it throughout the year.
In April, Dave and I presented on Exchange ActiveSync once again. ActiveSync was ahead of its time, and I gained a lot of BYO-related feedback from these sessions.
In May, I presented at the UK VMUG London meeting. Luckily, I had a chance to meet up with my niece and, finally, meet her partner.
On May 30, 2013, I attended an unofficial Surface launch in Amsterdam. During this event, organized by the Marketing department of Microsoft Netherlands, I won the first official Dutch Surface Pro!
The first week of June marked TechEd North America in New Orleans, for which I was selected to staff the ‘People-centric IT’ Microsoft booth. I had a blast at the event and the spare day we had in Louisiana:
In June, I signed an ad deal with STEALTHbits to celebrate my 7 years of blogging.
On June 20, Adnan and I visited the Belgian Community Day. We met up with our Belgian friends and colleagues and attended sessions we weren’t able to attend during TechEd or that didn’t make the cut for TechEd and other international events, but are presented by the best experts in our region.
The last week of June had TechEd Europe written all over it. Madrid is a stunning place to be and Maarten, Chris and I made the best of our time there, including a visit to the Bull fights at Las Ventas.
In July, I delivered my 9th class, guiding 7 colleagues to their MCSA certifications. A half year’s work resulted in yet another batch of highly motivated and skilled colleagues, ready to take on new challenges at customers.
On July 30, 2013 I finally negotiated my new job at OGD. While I’ve been with them for 13 years, I haven’t had a manager for the last five years. Now I do. And I am their Microsoft Technology Lead. The function is comparable to a CTO position, but only for about 80% of the business.
We ended up in Egypt during the big riots. Luckily we chose a Red Sea resort in Sharm el-Sheikh instead of Hurghada…
As part of my continuing effort to support IT Pro communities throughout Europe, I attended the MVP ‘Transform the Datacentre’ event at the Microsoft London Office on September 10th. The office at Cardinal Place is located around the corner of Buckingham Palace, so at lunch time we went over there.
Also, It was fun to sit down after the event with David Allen and Simon Skinner and hear what they’re doing in the UK.
In October, Raymond and I presented our BYO Essentials sessions for the first time. This is the topic that we are presenting on for 2014 and have provided to the TechEd organization for consideration. We presented on this topic at the Experts Live 2013 event too, as well as at the Nordic Infrastructure Conference, scheduled in two weeks.
In November, I wrote a BYO Roadmap for the market leader in lifting, transporting, installing and decommissioning large and heavy structures in the petrochemical and mining industries. They are located only 5 miles from my home…
This December, I visited a large Dutch critical infrastructure provider and gave them some practical Active Directory advice in relation to ISO 27001.
In between this job, I visited Greece for the European ITPRO|DEV Connections.
On December 31, 2013 I concluded my own series of Microsoft exams, as part of the job description I agreed upon late July. I’m now a MCSA | Windows 8, MCSA | Windows Server 2012, MCSE | Desktop Infrastructure and MCSE | Server Infrastructure.
Thank you for a wonderful 2013!
Six months ago, I wrote on 10 Things you need to be aware of before deploying Dynamic Access Control. As point 8, I noted that the Active Directory Migration Tool (ADMT) does not support cross-forest migration of Dynamic Access Control (DAC).
As an Active Directory admin, ADMT would obviously be the first tool to look at, since you can cross-forest migrate user accounts, groups and group memberships with it. Unfortunately, you cannot migrate Dynamic Access Control between Active Directory forests with it. The Data Classification Toolkit (DCT), however, can. It is PowerShell only.
About the Data Classification Toolkit (DCT)
The Data Classification Toolkit (DCT) is a free solution accelerator from Microsoft. The latest version, Microsoft Data Classification Toolkit for Windows Server 2012 (version 2.1), supports Dynamic Access Control.
The Data Classification Toolkit for Windows Server 2012 works in conjunction with Windows Server 2008 R2 File Classification Infrastructure (FCI) and Dynamic Access Control in Windows Server 2012 to help IT pros gain insight into stored information, enforce access policies, and configure access policies for files based on claims.
Migrating Dynamic Access Control
So, in an Active Directory environment with multiple Domain Controllers that you want to migrate from, you might have Dynamic Access Control configured. This means you would have created:
- Resource properties
- Property lists
- Central access rules
- Central access policies
Additionally, you would have pushed resource properties to your file servers and deployed the central access policies through Group Policy. Of course, you’ve classified data and have enjoyed using Dynamic Access Control.
When you haven’t actually used file classification with Dynamic Access Control, you might not have any need to migrate the information from your Active Directory forest when you migrate to a new Active Directory forest…
Now, the above four types of information in Active Directory can be migrated with the Data Classification Toolkit, although you might have thought that you needed the Active Directory Migration Tool (ADMT) to do this.
To cross-forest migrate Group Policy Objects (GPOs), you can use the Group Policy Management Console (GPMC) or other solutions, like the BackupGPO.wsf and ImportGPO.wsf scripts from the Group Policy Management Console sample scripts download.
The process of migrating the Dynamic Access Control configuration cross-forest is export and import. This adds to the flexibility of the solution, since you don’t need to set up a trust or worry about network connectivity or time synchronization (unless you want to).
One downside of using the Data Classification Toolkit to export and import the Dynamic Access Control configuration for a cross-forest migration is that it is only available through PowerShell.
Download the Data Classification Toolkit
The Data Classification Toolkit for Windows Server 2012 is available as a free download from the Microsoft Download Center. Download it here.
Installing the Data Classification Toolkit
After you downloaded the Data Classification Toolkit, install it on a server in the source domain by double-clicking Microsoft Data Classification Toolkit.msi.
Click on Next in the Welcome screen.
Select the I accept the terms in the License Agreement option and, then, click Next.
Change… the location where you want to install the Microsoft Data Classification Toolkit or click Next regardless when you accept the default location in the 32bit Program Files folder.
Click Finish in the Completed the Microsoft Data Classification Toolkit for Windows Server 2012 Setup Wizard.
Exporting the Claims Configuration
As part of the Data Classification Toolkit installation, on the server where you’ve installed it, a Tools folder will be created underneath the installation path. In a default installation, this folder will be:
C:\Program Files (x86)\Microsoft\Data Classification Toolkit\Tools
In this folder you will find two PowerShell scripts:
- Export-ClaimsConfiguration.ps1
- Import-ClaimsConfiguration.ps1
We’ll use the first script to export the Claims Configuration from the source Active Directory environment. Start PowerShell from the taskbar or Start Screen. Then type the following command:
.\Export-ClaimsConfiguration.ps1 -file C:\DAC.xml -server DC1.sourcedomain.tld -IncludeCentralAccessPolicies
Where C:\DAC.xml is the file to which you want to export the Dynamic Access Control (DAC) configuration of the source Active Directory environment and DC1.sourcedomain.tld is a Domain Controller in the source domain.
The server needs to be a Global Catalog in the source domain.
The script will export dependent data types, unless you willingly specify the
Now, you will have an XML-based file with the Dynamic Access Control configuration:
Importing the Claims Configuration
Now, to import the Dynamic Access Control (DAC) Configuration in the target domain, we’ll need the XML file. Also, we’ll need the Import-ClaimsConfiguration.ps1 script from the Data Classification Toolkit folder.
We can execute the command from the migration PC in the source Active Directory environment, or from any domain-joined Windows Server 2012-based server in the target Active Directory environment.
On another server, don’t forget to relax the execution policy first, since both scripts are unsigned, although they originate from within Microsoft. Rather than setting Unrestricted machine-wide, use Set-ExecutionPolicy Bypass -Scope Process so the relaxation only lasts for that PowerShell session, or unblock the two script files (Unblock-File) and stay on RemoteSigned.
Within PowerShell, point the import script at the exported file with the following command:
.\Import-ClaimsConfiguration.ps1 -file C:\DAC.xml -server DC1.targetdomain.tld -ProtectedFromAccidentalDeletion
It’s easy, when you know how.
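The export and import steps above, wrapped in a short script with a before-and-after inventory so you can see that every resource property, property list, central access rule and central access policy from the source forest arrived in the target forest. This is an added example, not code from the original post or from the toolkit; the Domain Controller names are placeholders, the toolkit is assumed to sit in its default path on each server you run this on, and the Get-AD* cmdlets come from the ActiveDirectory module on Windows Server 2012.

```powershell
# Added example, not part of the original post: export in the source forest, import in the target
# forest, and compare the DAC objects by name on both sides. DC names and paths are placeholders.

$tools  = 'C:\Program Files (x86)\Microsoft\Data Classification Toolkit\Tools'
$export = 'C:\DAC.xml'

# The toolkit scripts are unsigned: relax the execution policy for this process only
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force
Import-Module ActiveDirectory

function Get-DacInventory {
    # Names of the four DAC object types the toolkit migrates, read from one Domain Controller
    param([string]$Server)
    @{
        ResourceProperties    = @(Get-ADResourceProperty     -Filter * -Server $Server | Select-Object -ExpandProperty Name)
        ResourcePropertyLists = @(Get-ADResourcePropertyList -Filter * -Server $Server | Select-Object -ExpandProperty Name)
        CentralAccessRules    = @(Get-ADCentralAccessRule    -Filter * -Server $Server | Select-Object -ExpandProperty Name)
        CentralAccessPolicies = @(Get-ADCentralAccessPolicy  -Filter * -Server $Server | Select-Object -ExpandProperty Name)
    }
}

# --- Phase 1: run on the server in the source forest (it must reach a Global Catalog there) ---
$sourceDC = 'DC1.sourcedomain.tld'   # placeholder
$before   = Get-DacInventory -Server $sourceDC
& "$tools\Export-ClaimsConfiguration.ps1" -file $export -server $sourceDC -IncludeCentralAccessPolicies
if (-not (Test-Path $export)) { throw "Export did not produce $export" }
# The inventory travels with the export so the comparison can run without a trust between the forests
$before | Export-Clixml -Path "$export.inventory.xml"

# --- Phase 2: run on a Windows Server 2012 member of the target forest after copying both files over ---
$targetDC = 'DC1.targetdomain.tld'   # placeholder
& "$tools\Import-ClaimsConfiguration.ps1" -file $export -server $targetDC -ProtectedFromAccidentalDeletion
$before = Import-Clixml -Path "$export.inventory.xml"
$after  = Get-DacInventory -Server $targetDC

# Anything defined in the source but absent in the target needs attention before you start
# linking central access policies to file servers through Group Policy
foreach ($kind in $before.Keys) {
    $missing = @($before[$kind] | Where-Object { $after[$kind] -notcontains $_ })
    if ($missing.Count -gt 0) {
        Write-Warning "${kind} missing in target: $($missing -join ', ')"
    } else {
        "${kind}: all $($before[$kind].Count) present in target"
    }
}
```

The comparison is by name rather than by count, because a fresh Windows Server 2012 forest already carries a set of predefined resource properties, so counts alone would not tell you whether your own definitions made it across.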
10 Things you need to be aware of before deploying Dynamic Access Control
New features in AD DS in Windows Server 2012, Part 20: Dynamic Access Control (DAC)
Common Challenges when Managing Active Directory Domain Services, Part 2: Unnecessary Complexity and Token Bloat
Data Classification Toolkit
Group Policy Management Console Sample Scripts
PowerShell – Data Classification Toolkit for Windows Server 2012
TechNet Library - Data Classification Toolkit
Important Information about the Data Classification Toolkit
TechNet Blogs - The Data Classification Toolkit for Windows Server 2012 is now available!
TechNet Blogs - Data Classification Toolkit for Windows Server 2008 R2-Now Available
TechNet Blogs - Data Classification Toolkit for Windows Server 2008 R2
Data Classification Toolkit for Windows Server 2008 R2
Data Classification Toolkit for Windows Server 2012
How to Use Microsoft’s Data Classification Toolkit
Microsoft Solution Accelerators for the Datacenter and Private Cloud Module 6 Part 1
Thanks to Nir Ben-Zvi for the tip.
Earlier this month, I visited Greece with my buddy Microspecialist to both speak at ITPRO/DEV Connections in Athens, Greece.
We flew to Greece from Amsterdam on Friday afternoon, the 6th of December, and returned on Sunday evening, December 8, 2013. We stayed two nights at the Holiday Inn in Spata and spent two full days at the event, held at the Metropolitan Expo, next to Athens Elefterios Venizelos International Airport. Geographically, all that is on the other side of Mount Hymettus, which separates Athens and Piraeus from the airport.
It was a great event! Look for yourselves
In August, Microsoft released MS13-066 Vulnerability in Active Directory Federation Services Could Allow Information Disclosure (Important). Its accompanying hotfixes were labeled KnowledgeBase article 2843638 and KnowledgeBase article 2843639.
Last month, Microsoft released a KnowledgeBase article describing an update to these patches to fix five specific issues. It is labeled KnowledgeBase article 2896713.
For Active Directory Federation Services (AD FS) servers running Windows Server 2008 and Windows Server 2008 R2, the issues occur after you have security update 2843638 installed. For AD FS servers running Windows Server 2012, the issues occur after you have security update 2843639 installed.
When a Single Sign-On (SSO) token grows too large, the user cannot authenticate with the server. Generally, a large Single Sign-On (SSO) token is caused by a user being a member of many groups.
Tickets vs. tokens
Although Microsoft refers to tokens in terms of Active Directory Federation Services (AD FS), they technically speak of SAML-based or OAuth-based tickets. These are significantly different from Kerberos-based tokens in terms of layout and contents. We refer to tokens, though, because of the way these tickets are signed and compressed and, therefore, act as tokens. Apparently, with the same drawbacks.
Assume that you deploy Active Directory Federation Services (AD FS) as an Identity Provider (IdP) for a federation provider. Or, assume that you deploy AD FS as a Security Token Service (STS) that works as a combined Identity Provider (IdP) and federation provider for a token-aware application. Then the following issues occur:
- If there is a failure in the trust relationship (for example, the relying party trust is disabled), users keep seeing the sign-in page instead of an error message when they try to authenticate.
- If you disable the Single Sign-On (SSO) option on an AD FS server, authentication requests to that server fail.
- When a passive authentication request to an AD FS server requires fresh authentication, the authentication fails and the server keeps asking for credentials. A claims-aware application may request fresh authentication by using the wfresh=0 parameter for WS-Federation, or the ForceAuthn=true parameter for SAML-P.
- For customized AD FS 2.0 deployments, customizations added after the SignIn() call in the FormsSignin.aspx.cs page code are not executed.
A supported hotfix is available from Microsoft as part of KnowledgeBase article 2896713.
However, this hotfix is intended to correct only the problems described in this article. Apply this hotfix only to systems that are experiencing the issues described above.
This hotfix might receive additional testing. Therefore, if you are not severely affected by these problems, we recommend that you wait for the next software update that contains this hotfix.
If you install this update on Active Directory Federation Services (AD FS) STS servers, you must also install it on the AD FS proxy servers. We recommend that you upgrade all the AD FS STS servers before you upgrade the AD FS proxy servers, so that you do not have to take down every server in a farm at once and lose AD FS functionality.
There is a known issue with passive HTTP basic authentication after you install this update. We recommend that you migrate the environment to forms-based authentication before you install this update.
You do not have to restart the Active Directory Federation Services (ADFS) server after you apply this update.
To apply this update, you must be running one of the following operating systems:
- Windows Server 2008 with Service Pack 2
- Windows Server 2008 R2 with Service Pack 1
- Windows Server 2012
When you are experiencing any of the above issues, install the hotfix from KnowledgeBase article 2896713.
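A small rollout check for the ordering rule above (STS farm members first, then proxies), as an added PowerShell example that is not part of the original post or of the KnowledgeBase article. The host names are placeholders, and it assumes the package shows up in the installed-updates list under the name KB2896713, as Windows Update packages normally do.

```powershell
# Added example, not part of the original post: see which AD FS hosts already carry the
# KB 2896713 package and warn when a proxy has been updated ahead of the STS farm.
# Host names are placeholders; the package name is an assumption.

$stsServers   = 'adfs01.corp.example', 'adfs02.corp.example'
$proxyServers = 'adfsproxy01.corp.example'
$package      = 'KB2896713'

function Get-AdfsUpdateState {
    param([string[]]$ComputerName, [string]$Role)
    foreach ($computer in $ComputerName) {
        $hotfix = Get-HotFix -Id $package -ComputerName $computer -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer    = $computer
            Role        = $Role
            Installed   = [bool]$hotfix
            InstalledOn = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        }
    }
}

$state = @(Get-AdfsUpdateState -ComputerName $stsServers   -Role 'STS') +
         @(Get-AdfsUpdateState -ComputerName $proxyServers -Role 'Proxy')
$state | Format-Table -AutoSize

$stsPending   = @($state | Where-Object { $_.Role -eq 'STS'   -and -not $_.Installed })
$proxyUpdated = @($state | Where-Object { $_.Role -eq 'Proxy' -and      $_.Installed })
$proxyPending = @($state | Where-Object { $_.Role -eq 'Proxy' -and -not $_.Installed })

if ($stsPending.Count -gt 0 -and $proxyUpdated.Count -gt 0) {
    # The article's ordering has been violated: proxies should only follow a completed STS farm
    Write-Warning ("Proxy {0} carries {1} while STS {2} does not; finish the STS farm first." -f
        ($proxyUpdated.Computer -join ', '), $package, ($stsPending.Computer -join ', '))
}
elseif ($stsPending.Count -gt 0) {
    "Next: install $package on STS server(s) " + ($stsPending.Computer -join ', ')
}
elseif ($proxyPending.Count -gt 0) {
    "STS farm complete. Next: install $package on proxy server(s) " + ($proxyPending.Computer -join ', ')
}
else {
    "All STS and proxy servers carry $package"
}
```

Run it from a management host that can reach every farm member; proxies in a perimeter network may need the Get-HotFix call replaced by whatever remote-management path you allow through that firewall.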
MS13-066 Vulnerability in Active Directory Federation Services Could Allow Information Disclosure (Important)
Related KnowledgeBase articles
2896713 Update is available to fix several issues after you install security update 2843638 on an AD FS server
2843638 Description of the security update for Active Directory Federation Services 2.0
2843639 Description of the security update for Active Directory Federation Services 2.0
Last month, Microsoft released a KnowledgeBase article regarding BitLocker Network Unlock. Basically, Windows 8-based and Windows Server 2012-based client computers sometimes may not receive or use the Network Unlock Protector feature, depending on whether the client receives unrelated BOOTP replies from a DHCP server or WDS server.
About BitLocker Network Unlock
A new feature in BitLocker Drive Encryption in Windows 8 and Windows Server 2012 is BitLocker Network Unlock. This feature automatically unlocks the Operating System drive when a Windows 8 Pro, Windows 8 Enterprise, Windows Server 2012 Standard or Windows Server 2012 Datacenter machine is booted while connected to the corporate network. It keeps desktops and servers protected without burdening the user with a PIN at every start.
This feature requires the client hardware to have a DHCP driver implemented in its UEFI 2.3.1 firmware. To properly support DHCP within UEFI, the UEFI-based system should be in native mode without a BIOS Compatibility Mode or Legacy Mode enabled.
On a Windows 8-based client computer or Windows Server 2012-based server, you are prompted to enter the BitLocker PIN to start Windows. This occurs even though the computer is connected through an Ethernet cable to the physical corporate Local Area Network (LAN) and the BitLocker Network Unlock feature is enabled and implemented.
Any message received by a DHCP server that includes the DHCP Message Type option (option 53) is assumed to have been sent by a DHCP client. Messages that do not carry the DHCP Message Type option are assumed to have been sent by a BOOTP client. Windows Server-based DHCP/BOOTP servers reply according to the protocol they think the client is using.
When looking at BitLocker Network Unlock, the first two packets sent by the Network Unlock client carry the Message Type option: these DHCPDISCOVER and DHCPREQUEST packets are DHCP-based.
The third request sent by the client does not have the Message Type option, so it is treated as BOOTP-based.
According to RFC 1534, which governs interoperation between DHCP and BOOTP, a DHCP server that supports BOOTP clients must interact with them according to the BOOTP protocol. The server must create a BOOTP BOOTREPLY message instead of a DHCP DHCPOFFER message (that is, it must not include the DHCP Message Type option and must not exceed the size limit for BOOTREPLY messages).
The server marks a binding for a BOOTP client as BOUND after the server sends the BOOTP BOOTREPLY message. A non-DHCP client will not send a DHCPREQUEST message, nor will that client expect a DHCPACK message.
DHCP servers may send any DHCP options to a BOOTP client as allowed by the DHCP options and BOOTP vendor extensions.
This means that as long as a DHCP server supports BOOTP clients, the DHCP server will reply to BOOTP requests.
If a DHCP server that is not configured to support BOOTP clients receives a BOOTREQUEST message from a BOOTP client, that server silently discards the BOOTREQUEST message.
To resolve this issue, turn off the BOOTP option on the DHCP server:
- Log on to the DHCP server or WDS Server in the network using an account with sufficient privileges to modify scopes.
- Start the DHCP management console by either pressing Win + R and specifying dhcpmgmt.msc as the command to run, followed by OK, or picking DHCP from the tools menu within Server Manager, or picking DHCP from the Administrative Tools folder from the Start Screen.
- In the left pane, drill down to the IPv4 DHCP scope of the network from which the affected machines get their IPv4 addressing.
- Right-click the IPv4 scope and select Properties from the context menu.
- On the Advanced tab, change the Assign IP addresses dynamically to clients of setting from Both (or BOOTP only) to DHCP only.
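The classification rule above (option 53 present means DHCP, absent means BOOTP) and the scope change, as an added PowerShell example that is not part of the original post or of the KnowledgeBase article. The two packets are constructed inline to illustrate the two cases; the scope cmdlets come from the DhcpServer module that ships with the DHCP role and RSAT on Windows Server 2012.

```powershell
# Added example, not part of the original post: classify a boot request the way the DHCP server
# does, then find scopes that still answer BOOTP clients and switch them to DHCP only.
# The sample packets are constructed here for illustration.

$MagicCookie = [byte[]](99, 130, 83, 99)   # 0x63825363 marks the start of the DHCP options field

function Test-DhcpMessage {
    # $true when the packet carries option 53 (DHCP Message Type) and will be handled as DHCP;
    # $false when the server treats the sender as a BOOTP client and answers with a plain BOOTREPLY
    param([byte[]]$Packet)
    if ($Packet.Length -lt 240) { return $false }            # 236-byte BOOTP header + 4-byte cookie
    for ($i = 0; $i -lt 4; $i++) {
        if ($Packet[236 + $i] -ne $MagicCookie[$i]) { return $false }
    }
    $pos = 240
    while ($pos -lt $Packet.Length) {
        $code = $Packet[$pos]
        if ($code -eq 0)   { $pos++; continue }              # pad option: no length byte
        if ($code -eq 255) { break }                         # end option
        if ($pos + 1 -ge $Packet.Length) { break }           # truncated option: stop parsing
        if ($code -eq 53)  { return $true }
        $pos += 2 + $Packet[$pos + 1]                        # skip code, length and value
    }
    return $false
}

function New-BootRequest {
    # Minimal BOOTREQUEST: zeroed fixed header with op = 1, then the cookie and the given options
    param([byte[]]$Options)
    $header = New-Object byte[] 236
    $header[0] = 1
    return [byte[]]($header + $MagicCookie + $Options)
}

# Constructed samples: a DHCPDISCOVER (option 53 = 1 plus a parameter request list, option 55)
# and an option-less request like the third one the Network Unlock client sends
$discover  = New-BootRequest -Options ([byte[]](53, 1, 1, 55, 2, 1, 3, 255))
$bootpLike = New-BootRequest -Options ([byte[]](55, 2, 1, 3, 255))
"DISCOVER handled as DHCP:      $(Test-DhcpMessage $discover)"
"Third request handled as DHCP: $(Test-DhcpMessage $bootpLike)"

# On the DHCP server: scopes of type Both or Bootp still answer that option-less request.
# Review the list first, then drop -WhatIf to switch the affected scopes to DHCP only.
Get-DhcpServerv4Scope | Where-Object { $_.Type -ne 'Dhcp' } | ForEach-Object {
    Set-DhcpServerv4Scope -ScopeId $_.ScopeId -Type Dhcp -WhatIf
}
```

If a scope still has to serve genuine BOOTP devices, move those devices to their own subnet and scope rather than leaving Both on the scope that serves Network Unlock clients.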
BOOTP can mess up your BitLocker Network Unlock deployment. Although disabling BOOTP is the resolution in this case, take care of proper IPv4 addressing for older devices that may still require or prefer BOOTP (by placing them on a different subnet; these devices won’t be able to run BitLocker Network Unlock, anyway).
Related knowledgebase articles
2891694 A Windows 8-based client computer does not use the BitLocker Network Unlock feature
928202 How to use the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool to view recovery passwords for Windows Vista
BitLocker: How to enable Network Unlock
BitLocker Frequently Asked Questions (FAQ)
What's New in BitLocker
Windows Trusted Platform Module Management Step-by-Step Guide
Microsoft has released a KnowledgeBase article, in which they describe an issue you might encounter in a multi-domain environment, resulting in a loss of the secure channel between the domains and a long time for the secure channel to become reestablished.
In KnowledgeBase article 2860157, Microsoft describes the situation where you have multiple domains in one or more forests that have Windows Server 2012-based Active Directory Domain Controllers and you have at least one direct trust relationship between the domains.
On the Domain Controllers, you set the value for the RestrictRemoteClients registry key to 2 and the value for the EnableAuthEpResolution registry key to 1.
These two registry key settings can be placed in
HKLM\Software\Policies\Microsoft\Windows NT\RPC
They help secure the RPC Endpoint Mapper:
- The RestrictRemoteClients registry key modifies the behavior of all RPC interfaces on the system. By default, the RestrictRemoteClients registry key prevents remote anonymous access to RPC interfaces on the system, with some exceptions. With the setting defined as 2, all remote anonymous calls are rejected by the RPC runtime with no exemptions. When this value is set, a system cannot receive remote anonymous calls using RPC.
- After you enable RestrictRemoteClients with the above value, the RPC Endpoint Mapper interface will not be accessible anonymously. This is a significant security improvement, but it changes the task of resolving an endpoint. An RPC client that attempts to make a call using a dynamic endpoint first queries the RPC Endpoint Mapper on the server to determine what endpoint it should connect to. This query is performed anonymously, even if the RPC client call itself is performed using RPC security. Anonymous calls to the RPC Endpoint Mapper interface fail on Windows Server (since Windows Server 2003 with Service Pack 1) if the RestrictRemoteClients key is set to 1 or higher. This makes it necessary for the RPC client runtime to perform an authenticated query to the Endpoint Mapper. If the EnableAuthEpResolution key is set, the RPC client runtime uses NTLM to authenticate to the Endpoint Mapper. This authenticated query takes place only if the actual RPC client call uses RPC authentication.
These registry settings have been part of the Threats and Countermeasures guides since the Windows XP and Windows Server 2003 era.
In this situation, the secure channel between the Active Directory domains is lost when you perform cross-domain NT LAN Manager (NTLM) authentication. Also, there is a long delay before the secure channel is reestablished. You may also receive unexpected credential prompts and the following Error event:
Log Name: System
Event ID: 5816
Netlogon has failed an authentication request of account username in domain user domain FQDN. The request timed out before it could be sent to domain controller directly trusted domain controller FQDN in domain directly trusted domain name. This is the first failure. If the problem continues, consolidated events will be logged about every event log frequency in minutes. Please see http://support.microsoft.com/kb/2654097 for more information.
This issue occurs because the Netlogon secure channel is a special case for RPC Endpoint Mapper. It can be used to authenticate RPC Endpoint Mapper itself. In some cases, the Netlogon secure channel is not honored, and this causes a deadlock that takes time to resolve.
A supported hotfix that replaces Rpcrt4.dll is available from Microsoft. You can apply this hotfix on Domain Controllers running Windows Server 2012.
You might need to restart the computer after you apply this hotfix. This hotfix does not replace a previously released hotfix.
I suggest that you apply this hotfix to all Windows Server 2012-based Active Directory Domain Controllers in your environment.
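A survey of the Domain Controllers for the registry combination, the operating system the article applies to, recent 5816 events and the presence of the update, as an added PowerShell example that is not part of the original post or of the KnowledgeBase article. It assumes the package appears in the installed-updates list under the name KB2860157 and that you run it with rights to read the remote registry and System log on each Domain Controller.

```powershell
# Added example, not part of the original post: find Windows Server 2012 Domain Controllers that
# run RestrictRemoteClients=2 with EnableAuthEpResolution=1 and still lack the update.
# The package name KB2860157 is an assumption.

Import-Module ActiveDirectory
$rpcPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\RPC'

function Get-RpcRestrictionState {
    param([string]$ComputerName)
    $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    # Read the policy key remotely; a missing key simply yields empty values below
    $rpc = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($key) Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    } -ArgumentList $rpcPolicyKey
    $hotfix = Get-HotFix -Id KB2860157 -ComputerName $ComputerName -ErrorAction SilentlyContinue
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'System'; Id = 5816 } `
                -MaxEvents 20 -ErrorAction SilentlyContinue

    $restrict = $rpc.RestrictRemoteClients
    $authEp   = $rpc.EnableAuthEpResolution
    # The article covers Windows Server 2012 only, so exclude 2012 R2 from the risk flag
    $is2012   = $os.Caption -match 'Windows Server 2012(?! R2)'

    [pscustomobject]@{
        Computer               = $ComputerName
        OperatingSystem        = $os.Caption
        RestrictRemoteClients  = $restrict
        EnableAuthEpResolution = $authEp
        Hotfix2860157          = [bool]$hotfix
        Recent5816Events       = @($events).Count
        NeedsHotfix            = $is2012 -and ($restrict -eq 2) -and ($authEp -eq 1) -and -not $hotfix
    }
}

Get-ADDomainController -Filter * |
    ForEach-Object { Get-RpcRestrictionState -ComputerName $_.HostName } |
    Sort-Object NeedsHotfix -Descending |
    Format-Table Computer, OperatingSystem, RestrictRemoteClients, EnableAuthEpResolution,
                 Hotfix2860157, Recent5816Events, NeedsHotfix -AutoSize
```

Domain Controllers that already log 5816 events but do not show NeedsHotfix are worth a second look too: the 5816 event covers NTLM authentication delays in general, not only this RPC Endpoint Mapper deadlock.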
Related KnowledgeBase articles
2860157 Lost secure channel takes a long time to be reestablished when RPC Endpoint Mapper is secured on Windows Server 2012 Domain Controllers
2654097 New event log entries that track NTLM authentication delays and failures in Windows Server 2008 R2 are available
RPC Interface Restriction
Threats and Countermeasures - Security Settings in Windows Server 2008 and Vista
Threats and Countermeasures - Security Setting in Windows Server 2003 and XP
In the past few weeks, Raymond and I have presented on Bring Your Own (BYO) and Enterprise Mobile Management (EMM).
You might recall the announcement of our session for NGN’s and NGi’s first joint event Mobiel Werken 2013. Also, our two sessions at Experts Live 2013 were fun.
Now, Raymond and I have planned our first English set of sessions at the 2014 Nordic Infrastructure Conference – Cloud Edition.
About the Nordic Infrastructure Conference
The Nordic Infrastructure Conference (NICConf) is a premier event for IT Pros, offering broad technical education on Microsoft and 3rd party products, tools and services. This two-day event will focus on deep dives and practical knowledge.
NICConf will be hosted for the third time on January 16th and January 17th, 2014. Its location will be the Oslo Spektrum in the heart of Oslo, Norway.
NIC attracts the top speakers on its topics, Cloud Services, Systems Management, Server and Client, Unified Communications and Virtualization. No wonder, you’ll run into Alex de Jong, Sami Laiho, Andy Malone, Brian Desmond, Johan Arwidmark, Morgan Simonsen, Scott Schnoll, John Craddock, Peter de Tender, Mikael Nyström, Aleksander Nikolic, Mike Reseller, Magnus Björk and Paula Januszkiewicz.
About our sessions
During NIC 2014, I will be cohosting two sessions in the Server and Client track, together with Raymond Comvalius (Windows IT Pro MVP). Part 1 of these sessions is scheduled between 9 AM and 10 AM on Friday, January 17th, 2014. Part 2 is scheduled for 1:40 PM – 2:40 PM. Both sessions will run for 1 hour with plenty of opportunities to ask questions.
Our sessions are titled Bring Your Own Device Essentials with Windows technologies and focus on the new BYO and Identity capabilities found in Windows 8.1 and Windows Server 2012 R2. As part of the session, Raymond and I will convince our audience of the practical use cases of claims-based authentication, multi-factor authentication, the Web Application Proxy, Workplace Join and Work Folders, where you open the network infrastructure up to the outside world but, at the same time, still remain in control…
These two presentations are already referred to as the ‘Big BYO Show’ by many and have gathered rave reviews. Now, it’s time for us to conquer the English-speaking world.
Don’t miss out on NIC! Register here.
I will be speaking at NGNs and NGIs shared BYO Event
I’ll be speaking at Experts Live 2013
Nordic Infrastructure Conference – Cloud Edition
As Gartner advises upgrading to Windows 8.1 when you’ve deployed Windows 8 throughout your organization, it’s useful to look at the way Windows 8.1 impacts your current networking infrastructure, your deployment methods and your management philosophies.
Although I’ve already covered a big Group Policy change earlier in this series (Part 10: Group Policy Caching), I haven’t mentioned another big change in the way Group Policy is processed in Windows 8.1 compared to previous Windows versions: Delayed Group Policy Logon Scripts.
Fellow-MVP Darren Mar-Elia wrote an extensive article on What’s New for Group Policy in Windows 8.1 on Petri.co.il. In it, Darren reiterates the Group Policy Caching feature, but also touches on a Windows 8.1 feature I hadn’t seen yet. Yesterday, Darren also posted on his blog about the Group Policy Logon Scripts Delays. It’s the first post I’ve seen him write with exclamation marks in the title, so I paid attention…
Allow me to quote Darren:
If you are using Group Policy-based logon scripts today to map drives or printers, set up registry or environment variables, etc., when you migrate your client machines to Windows 8.1, those logon scripts won’t run until FIVE MINUTES after logon has started.
For the reason why Microsoft made this change, Darren writes:
Ultimately logon scripts can be the biggest culprit of slow user logons in many environments, so what Microsoft attempted to do here is reduce that contention by delaying the running of logon scripts.
Luckily, fixing it is also very straightforward.
You can change the default through a Group Policy setting labeled Configure Logon Script Delay, located in Computer Configuration, Policies, Administrative Templates, System, Group Policy.
By default, Logon Script Delay is Not Configured, resulting in the default Logon Script Delay time of five minutes. You can configure this Group Policy setting as Disabled, which will result in logon scripts running immediately after logon on devices with computer accounts targeted by the Group Policy Object (GPO).
You can also configure it as Enabled and you can specify a value, indicating the minutes to wait before processing logon scripts after logon. Enter 0 to disable Logon Script Delay.
There is a reason why most organizations have adopted Group Policy Preferences to map drives and perform other environmental setup steps: logon scripts are going the way of the dodo.
If you haven’t made the transition to Group Policy Preferences, then your migration to Windows 8.1 would be a good time. If you can’t, disable Logon Script Delay for devices running Windows 8.1 and up.
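Before you roll Windows 8.1 out, it helps to be able to check on a device which of the three states (Not Configured, Disabled, Enabled with a value) is actually in effect. The script below is an added example, not code from the original post, and it assumes that the Configure Logon Script Delay policy writes the registry values EnableLogonScriptDelay (DWORD, 0 or 1) and AsyncScriptDelay (DWORD, minutes) under the policy key shown, as defined in the GroupPolicy.admx template; verify those names against your own ADMX files before relying on the output.

```powershell
# Added example (not from the original post): report the effective
# "Configure Logon Script Delay" state on a Windows 8.1 / Server 2012 R2 device.
# Assumption: the policy stores EnableLogonScriptDelay and AsyncScriptDelay
# under this key (names taken from the GroupPolicy.admx template).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-LogonScriptDelayState {
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue

    if ($null -eq $props -or $null -eq $props.EnableLogonScriptDelay) {
        # Not Configured: Windows 8.1 falls back to its built-in five-minute delay.
        return [pscustomobject]@{ State = 'Not Configured'; DelayMinutes = 5 }
    }
    if ([int]$props.EnableLogonScriptDelay -eq 0) {
        # Disabled: logon scripts run immediately after logon.
        return [pscustomobject]@{ State = 'Disabled'; DelayMinutes = 0 }
    }
    # Enabled: the GPO supplies the minutes to wait; 0 disables the delay.
    $minutes = if ($null -ne $props.AsyncScriptDelay) { [int]$props.AsyncScriptDelay } else { 5 }
    return [pscustomobject]@{ State = 'Enabled'; DelayMinutes = $minutes }
}

$state = Get-LogonScriptDelayState
'Logon Script Delay: {0} ({1} minute(s))' -f $state.State, $state.DelayMinutes
if ($state.DelayMinutes -gt 0) {
    Write-Warning "Group Policy logon scripts on this device start $($state.DelayMinutes) minute(s) after logon."
}
```

Run it in an elevated PowerShell session on a test client after a gpupdate; if the reported state is not what you expect, gpresult /h report.html shows which GPO (if any) delivered the setting and whether a higher-precedence GPO overrides it.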
Is your organization ready for Windows 8.1? Part 1, Overview
Is your organization ready for Windows 8.1? Part 2, The best hardware for the job
Is your organization ready for Windows 8.1? Part 3, Start Button and Boot to Desktop
Is your organization ready for Windows 8.1? Part 4, Automatic App Updates
Is your organization ready for Windows 8.1? Part 5, Managing SkyDrive
Is your organization ready for Windows 8.1? Part 6, Start Screen Layout Management
Is your organization ready for Windows 8.1? Part 7, Managing Start Screen Theming
Is your organization ready for Windows 8.1? Part 8, Start Screen App Pinning
Is your organization ready for Windows 8.1? Part 9, Disable help tips in The New Interface
Is your organization ready for Windows 8.1? Part 10, Group Policy Caching
Is your organization ready for Windows 8.1? Part 11, IE Enhanced Protected Mode
Is your organization ready for Windows 8.1? Part 12, Assigned Access
Is your organization ready for Windows 8.1? Part 13, Quiet hours
Warning!!!–Group Policy Logon Scripts Delays in Windows 8.1
What’s New for Group Policy in Windows 8.1
Logon script delayed by 5 minutes (300 seconds)
Best Practice: How to schedule a delayed start logon script with Group Policy
Creating logon scripts
Troubleshooting Logon Script Problems
Windows 8.1 / Server 2012 R2 Group Policies: logon scripts are not applied, or only after a long delay.
Run logon scripts synchronously
In my previous post in this series, I explained how to convince your boss to let you attend the tech conferences that help you make the most out of your job. Of course, not every tech conference helps you to be 25% more efficient.
So, here’s a list of Microsoft tech conferences you should aim at in the Western Europe region:
When you’re looking for a session-packed, Microsoft-oriented event with international speakers and the full width of Microsoft infrastructure technologies, the Microsoft TechEd events should be your first choice. TechEds can be found all over the globe, but some regions do not have annual TechEd events. TechEd North America (May/June), TechEd Europe (May/June), TechEd Australia (August/September) and TechEd New Zealand (August/September) have a good track record.
When you’re already into devops, you’ll find TechEd events also offer developer-oriented sessions.
The next Microsoft TechEd event is planned for May 12th to May 15th 2014 in Houston, TX.
On region-based budgets, Microsoft offices around the globe offer TechDays events. Depending on their budgets, though, these events may or may not offer international speakers. This might prove to be a plus when you’re looking for an event in your own language.
Reasons to choose TechDays over TechEd events are locality, relevancy, and the smaller crowds. Typically TechDays crowds are counted in ‘hundreds’, where TechEd events get rated into ‘thousands’.
IT Pro / Dev Connections
The IT Pro / Dev Connections events evolved from the various Connections events, like Exchange Connections, Windows Connections, SQL Server Connections and Dev Connections. Stepping into the void, left behind by the cancellation of the Quest Expert Conferences (TEC/DEC), these events are gaining traction fast.
As the name suggests, you’ll find both IT Pro and Developer sessions at these events. This is great when you’re already into devops.
The next IT Pro / Dev Connections event is scheduled for December 7th and December 8th in Athens, Greece. I will be one of the speakers there.
Nordic Infrastructure Conference (NIC)
Western Europe brings us the Scandinavia-based Nordic Infrastructure Conference (NIC). Organized in the cold winter months in Oslo, this event features all of the (in)famous European security experts, presenting their new sessions before the larger TechEd audiences get to enjoy them. The next NIC is planned for January 16th and January 17th, 2014 in Oslo.
Microsoft Exchange Conference (MEC)
When Microsoft Exchange is your thing, then MEC is the event to book. This is the place to meet the Microsoft Exchange Product Team and get their valuable insights into where Microsoft is heading with Microsoft Exchange. MEC is on the roster for March 31st through April 2nd in Austin, TX.
Although Microsoft Lync is a technology that allows you to communicate efficiently over great distances, the Lync Conference is a great resource to network with Lync experts and people from the Lync Product Team. The next Lync Conf is scheduled for February 18th through February 20th, 2014 in Las Vegas, NV.
Events from User Groups and other communities
There are hundreds of user groups and other communities all over the world, organizing low-cost high-focus events on a regular basis. You can find Microsoft-oriented communities and their events on technicalcommunity.com.
These smaller scale events are really good networking opportunities and allow you to discuss issues with people that might even end up helping you on site.
Yesterday, speakers from the Hyper-V.nu, System Center User Group, Windows Azure User Group, Dutch PowerShell User Group, PASS (SQL) and the Windows Management User Group delivered the Experts Live 2013 event with over 30 sessions in 6 tracks. The closing keynote featured André Kuipers, the famous Dutchman who has flown two space missions and has been in space for over six months.
My employer was also present at this event with its ICT Expert Talks booth, interviewing speakers on their session subjects. You might remember this setup from the 2013 Dutch TechDays.
You can watch all the 5 - 10 minute interviews for that day (17 in total) on the ICT Expert Talks YouTube channel. Both Martijn Vinke (our head of Marketing and Communications) and Raymond Comvalius interviewed speakers and, of course, André Kuipers.
Luckily, there was some time in the busy ICT Expert Talks schedule for an interview between Raymond and me:
After a brief introduction where I help Raymond with my MVP area of expertise (I’m not an Active Directory MVP, but a fivefold Directory Services MVP), Raymond’s first question is on the relationship between Active Directory and Bring-Your-Own.
Since most people refer to Active Directory as Active Directory Domain Services, I think that there’s little relationship between them, except for the new msDS-Device object class in the Windows Server 2012 R2 schema. However, when you look at Active Directory Certificate Services, Active Directory Federation Services and the Azure Active Directory, you’ll see that these are three products, truly enabling Bring-Your-Own with their sexy new features.
Raymond and I then speculate on the future of Azure Active Directory. We both feel it’s going to be big, but we’ll just have to see where it goes… I’ll be the first, though, to acknowledge the power of Azure Active Directory and its Single Sign-On (SSO) capabilities: I feel Directory Services are the base layer of cloud computing.
Raymond then refers to the Web Application Proxy in Windows Server 2012 R2. I think this technology is really cool… although Raymond couldn’t get it to work during the demo in our two sessions. It’s an integrated ADFS proxy and a reverse proxy with pre-auth, making it possible to give employees and partners access to applications and services inside the network, without fumbling with DirectAccess and VPN connections. It’s not there yet, but it is coming together. Then, it might even be the successor to the Threat Management Gateway (TMG).
I’ll be speaking at Experts Live 2013
Behind the scenes of the ICT Expert Talks
Pictures of the Dutch 2013 TechDays
Travelling to tech conferences can be exhausting, but also very rewarding in terms of gaining knowledge, networking with peers, team building and the overall sense of adventure.
In the last six parts of this series, I’ve given you tips on booking, packing and coping with Jetlag. Now, it’s time to take a step back and cover how you can actually convince your boss to send you to a tech conference, like TechEd, VMworld, MEC or LyncConf.
Tips to convince your boss
In the end, every organization is about making money, breaking even or providing as much value as it can. Let’s put this lesson in economics to the test: as an IT Pro in Western Europe, you would make somewhere between EUR 30,000 and EUR 60,000 a year. Since your employer needs to adhere to regulations, you actually cost them somewhere around 1.2x that figure.
Now let’s tally the total cost of a tech event: the trip, a few nights in a hotel, some transfers, some meals, the ticket to the event and, of course, the time you spend at the conference. It’s safe to say that the direct costs are close to 3x the ticket price of the conference, assuming you would take full advantage of the meals, discounts and services offered during the event. With an early bird price of EUR 1,995 excluding VAT, the total direct costs would be in the neighborhood of EUR 6,000 per person.
Now, depending on the business your employer is in, the VAT on the ticket price is not an issue.
This factor can be closer to 2.5, when room sharing is applied.
So, depending on what you make, the total of direct and indirect costs for a week at a tech conference is 10% to 20% on top of what you already cost your employer.
Now, for this 10% to 20%, your employer gets a more skilled, more networked, more experienced employee, who may deliver more efficient solutions to your organization’s problems:
- You get to ask questions to the industry’s most knowledgeable persons.
- You gain knowledge on how to get the most out of your (customer’s) current technology and investments.
- You gain knowledge on new products, that you may apply to build better solutions for your organization and/or your customer(s).
- You get acquainted with people whom you may ask questions at any time.
- You can get certified on technologies with significant discounts on exam prices and reduction of preparation time.
Your employer does not get a 10% or 20% more efficient employee; your effectiveness as an IT Pro grows by at least 25%. And that’s just effectiveness… how about your feeling of happiness and acknowledgement?
In times of crisis…
When you present the above numbers, many bosses will reply that the current economic situation doesn’t allow them to spend more money. While this may be true, there isn’t a better time to invest in people than during an economic downturn. Think about it:
- Since fewer people get invested in, tech conferences can’t charge the full premium price; they’ll risk not selling out. Ticket prices for tech conferences are typically lower in times of economic downturn.
- In slow markets, tech companies need to put more appealing features in newly introduced products to trigger adoption. Tech conferences in the same timeframe as the launch of such new products are among the most effective in terms of gaining knowledge on new features and/or products that can make the difference for your organization and/or its customer(s).
- Since fewer people typically show up at tech conferences during an economic downturn, you get to spend more quality time with the speakers, IT influencers, industry experts and booth personnel.
- Since your competitors stick with saying no to their employees, their business isn’t going anywhere. By investing in its people now, your organization will be ready to go when the economy takes a turn.
- … and when business does pick up, you won’t have time to travel to tech conferences, since your boss doesn’t want to say no to the organization or its (potential) customer(s).
The happy few
Now, another scenario might be that your employer selects some of your co-workers to attend the tech conference you covet. This might get you down and you might feel unappreciated. Instead, interpret it as a motivational lesson. Stick to your plan, express your needs and wishes and ask what you might do to get into the group of the happy few. You might be surprised just how fulfilling working towards a goal can be… or switching employers.
Speaking of which… did you know that most employers typically spend a year’s salary on finding the right person for a job and getting that person up to speed in it? You can easily convert showing up at the right time at the right place into a ticket for a tech conference.
The truly effective IT Pro is a happy IT Pro.
Tips for Travelling to Tech Conferences, Part 1
Tips for Travelling to Tech Conferences, Part 2
Tips for Travelling to Tech Conferences, Part 3
Tips for Travelling to Tech Conferences, Part 4
Tips for Travelling to Tech Conferences, Part 5
Tips for Travelling to Tech Conferences, Part 6
On December 18, 2013, I will be hosting two webinars on backing up and restoring virtualized Active Directory Domain Controllers with Veeam’s Backup & Replication (B&R) v7.
The session at 10 AM CET will be delivered in Dutch.
The session at 1 PM CET will be delivered in English.
What are these sessions about?
As I’ve stated here before, Active Directory Domain Controllers are notorious for being challenging things to back up, restore and virtualize. So much so, in fact, that Microsoft has discouraged people from virtualizing Active Directory Domain Controllers and still advises against performing non-Active Directory-aware backups.
In this webinar, I will introduce you to host-based backups and shadow copies for Active Directory Domain Controllers. I will break down the known problems and challenges involved with these types of backups and restores. Based on how Domain Controllers handle restores, I will then show you how you can identify whether your host-based backup and restore solution is an Active Directory-aware backup and restore solution, so you can adhere to Microsoft’s best practices.
The buttons below allow you to register for the session in your preferred language:
- December 18, 2013, 10 AM CET (Dutch)
- December 18, 2013, 1 PM CET (English)
Best of all? These webinars are free.
See you there!
If you’re interested in a particular technology, you might find yourself travelling between continents, passing through multiple time zones, to attend certain tech conferences and/or manufacturers. For the past few years, I’ve been flying through nine time zones twice a year and will be flying through twelve for the first time next year (if my schedule permits).
According to Wikipedia, a recovery rate of one day per time zone crossed is a suggested guideline for adjusting to jetlag, but this is no good to us when we’re only in town for a week…
Below are my tips to cope with jetlag with a far more efficient recovery rate, although you won’t be able to guess the time of day during your stay:
Tips for coping with Jetlag
Know your body
Some people have problems when travelling East. Others have problems when they’re travelling West. Some people adjust well to time zone differences, while others don’t.
Knowing your body, in these cases, makes all the difference when coping with jetlag. When your body magically adjusts to large time zone differences, you won’t need any of these tips. When you have severe problems adjusting, don’t just rely on the tips below, but also visit your GP and get additional medication (that doesn’t interact with any other medication already prescribed).
Your body performs routine functions during the day at certain intervals. Knowing these functions, especially the ones performed by your liver will help you cope more efficiently.
Eat and drink wisely
To this purpose, eat and drink wisely.
Prior to flying to your destination, you can already start working on coping with Jetlag. When flying West, you could already avoid eating heavy breakfasts. When flying East, try to eat some additional snacks after 9 PM. Just don’t overdo it. It’s more important to get 8 hours of sleep in the days prior to your departure than to have your eating adjusted.
Knowing about carbs is beneficial when you’re coping with Jetlag. Foods with high amounts of fast carbs (like potatoes, rice, and pasta) will help you get sleepy, while foods without carbs (like cheese, eggs, meats) won’t. Eating low-carb breakfasts and lunches will help you lengthen your days when flying West.
Get into the rhythm
During your flight, the flight crew helps you to get into the rhythm of your destination. Meals will be served at convenient times and cabin lights will be dimmed for your convenience, when appropriate.
At your destination, get into the same rhythm as the locals. Eat when they eat, and sleep when they sleep. After all, you won’t be able to eat in restaurants in the Mediterranean area outside of the normal eating hours (after 10 PM) or get shopping done during siesta (between 2 PM and 5 PM).
Adjust your clocks
Adjust the time zone on the devices you use. Since we check the time on our mobile phones these days, this should be the first device to adjust. Adjusting the clock will help you get into the rhythm and fool your unconscious: you won’t be calculating time back to your original time zone and, thus, won’t be reminded of the time zone you left behind.
Harness the power of Outlook
Microsoft Outlook has excellent time zone management for your appointments with time zone support and its dual time zone display.
When you create an appointment, you can use the Time Zones toggle switch on the Appointment ribbon. This will enable the time zone fields to the right of appointment times. By default, time zones are turned off, so they don’t clutter the interface.
Dual time zone support is awesome, but requires a little more work. To turn it on, go to Options under File, select Calendar in the right pane and then scroll down to Time Zones. Add a second time zone. Now when you view the calendar in a day planner format, you’ll see two time scales displayed.
Sunlight heals even the most stubborn Jetlag. So, get outside during the day. The most efficient time to do so is at sunset, because this triggers your body to create melatonin, nature’s natural sleep medicine.
Use your time efficiently
You can’t avoid jetlag altogether. As far as attitudes go, though, you can look at jetlag as either positive or negative. I choose the first: whenever I’m sleepless in Seattle at 2 AM, I take the time to get some mail done, get some blogging and/or research done and, of course, get to the gym to kickstart the day.
Every negative has a positive.
Tips for Travelling to Tech Conferences, Part 1
Tips for Travelling to Tech Conferences, Part 2
Tips for Travelling to Tech Conferences, Part 3
Tips for Travelling to Tech Conferences, Part 4
Tips for Travelling to Tech Conferences, Part 5