Disclaimer: The opinions expressed on this blog are my personal opinions and do not express the opinion of my employer, Microsoft, Winsec or any other party.

Sources for #AADSync starters

Wed 29 Oct 2014

I’ve collected some interesting base resources for getting started with AAD Sync at : http://aka.ms/aadsyncstarter

Feel free to comment or suggest other resources to be added.

#AADSync v1.0.0470.1023 released, with new features

Wed 29 Oct 2014

A few days ago Microsoft released a new build of the Azure AD Sync tool.

As mentioned in the AAD Sync Version Release History, this build adds the following features:

  • Password synchronization from multiple on-premise AD to AAD
  • Localized installation UI to all Windows Server languages

Get an overview and comparison of the directory integration options for Azure AD here:

  1. Azure Active Directory Synchronization Tool (DirSync)
  2. Azure Active Directory Synchronization Services (AAD Sync)
  3. Forefront Identity Manager 2010 R2

The download location for AADSync (http://aka.ms/AADSyncDownload) has not changed, but has been updated with the new version.

New #FIM2010 hotfix rollup (build 1.0.419.911) is available for a PowerShell connector issue

Sun 26 Oct 2014

From source: http://support.microsoft.com/kb/3008179

“A hotfix rollup package (build 1.0.419.911) is available for Microsoft Forefront Identity Manager 2010 R2. This hotfix rollup package resolves a PowerShell connector issue and adds one feature and new functionality. These additions are described in the “More Information” section. /../

Issues that are fixed

This update fixes the following issues that were not previously documented in the Microsoft Knowledge Base: Creating a PowerShell connector without using an LDAP DN style fails because of an issue in the default template.

Features that are added

This update adds support for Windows PowerShell 4.0. /../”

Note-to-self: @JsQForKnowledge – FIM Portals Die After Installing Rollup Package (Build 4.1.3599.0)

Wed 22 Oct 2014

Source: http://jorgequestforknowledge.wordpress.com/2014/09/27/fim-portals-die-after-installing-rollup-package-build-4-1-3599-0-for-fim-2010-r2/

@JsQForKnowledge (aka Jorge de Almeida Pinto) posted an interesting fix on his blog to get FIM 2010 R2 back up and running after the 3599 rollup broke the portal.

Note-to-self*: “What you do not have is a production environment.”

Tue 21 Oct 2014

Every now and then (most likely during a FIM health check at a customer) the same type of discussion comes back on the table again...
It always links back to the massive amount of time and budget it costs to copy the development environment to start a production environment.
Oh sorry, it’s the other way around (or not)... ;)

A while ago I got the links below, forwarded by one of my colleagues in security.

My side note to the stuff below:
- FIM hotfixes DO have an impact on key FIM components, like the FIM application and the FIM databases hosted on SQL. So be prepared: PLEASE DO run the tests on DEV/TEST environments with a security setup similar to production.

- Make sure you have a backup of all critical FIM components. I see too many FIM customers that think a FIM Server snapshot and a FIM DB SQL backup is enough. IT IS NOT. Don’t forget about single-component backups: FIM Service and FIM Sync server configuration export, MA config backup, MV config backup, config file export, client software backup and more...

- Carefully test your FIM setup. Gradually, step-by-step, BEFORE you even think “PRODUCTION BIG BANG”.
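One way to script the single-component backups listed above, as an added example (not code from the original post, nor a Microsoft-provided script). It assumes a default FIM 2010 R2 install: the install paths, the FIM Service endpoint, the SQL instance, the database names and the backup root are assumptions to adjust; it uses svrexport.exe, maexport.exe, the FIMAutomation Export-FIMConfig cmdlet and sqlcmd, and leaves the Sync encryption-key export (miiskmu.exe) as a separate manual step.

```powershell
# Added example (not from the original post): one backup pass over the FIM
# components listed above. Paths, server/database names and the backup root
# are assumptions for a default FIM 2010 R2 install; adjust to your environment.
$ErrorActionPreference = 'Stop'
$stamp   = Get-Date -Format 'yyyyMMdd-HHmm'
$dest    = "D:\FIMBackup\$stamp"                                  # assumption: backup root
$syncBin = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin'
$svcDir  = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Service'
$fimUri  = 'http://localhost:5725/ResourceManagementService'       # assumption: FIM Service endpoint
$sql     = 'SQLSERVER\FIM'                                        # assumption: SQL instance hosting the FIM DBs
New-Item -ItemType Directory -Path "$dest\sync","$dest\ma","$dest\service","$dest\config","$dest\sql" | Out-Null

# 1. Sync Service server configuration: all MAs, MV schema, rules and run profiles
& "$syncBin\svrexport.exe" "$dest\sync"

# 2. One XML per management agent, enumerated through the Sync Service WMI provider
Get-WmiObject -Namespace 'root\MicrosoftIdentityIntegrationServer' -Class MIIS_ManagementAgent |
  ForEach-Object { & "$syncBin\maexport.exe" $_.Name "$dest\ma\$($_.Name).xml" }

# 3. FIM Service policy, portal and schema configuration via the FIMAutomation snap-in
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue
Export-FIMConfig -Uri $fimUri -PolicyConfig -PortalConfig -MessageSize 9999999 |
  ConvertFrom-FIMResource -File "$dest\service\policy.xml"
Export-FIMConfig -Uri $fimUri -SchemaConfig -MessageSize 9999999 |
  ConvertFrom-FIMResource -File "$dest\service\schema.xml"

# 4. The .config files a rebuild needs (connection strings, endpoints, custom settings)
Copy-Item "$syncBin\miiserver.exe.config" "$dest\config\"
Copy-Item "$svcDir\Microsoft.ResourceManagement.Service.exe.config" "$dest\config\"

# 5. Full SQL backups of both databases, taken in the same pass as the config exports.
#    The TO DISK path is resolved on the SQL Server, so it must exist there (share or local path).
foreach ($db in 'FIMSynchronizationService','FIMService') {        # assumption: default DB names
  sqlcmd -S $sql -E -Q "BACKUP DATABASE [$db] TO DISK = N'$dest\sql\$db.bak' WITH INIT, CHECKSUM"
}

# Not scripted here: the Sync Service encryption key export (miiskmu.exe). Store that key
# with this set, or the MA credentials in a restored configuration cannot be decrypted.
Write-Host "FIM backup set written to $dest"
```

Run it on the Sync server under an account that is a FIM Sync administrator, a FIM Service administrator and has backup rights on the SQL instance, and keep the resulting set on storage that is not a snapshot of the same server.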

Dev and Test Domains do not belong in your Production forest!
Source and credits: http://blog.joeware.net/2013/02/20/2674/

Quote: “/../ If you do not have a formal Dev/Test environment, meaning an entirely separate forest or forests, then in actuality, you have no production environment regardless of what you want to call it – you only have a lab environment and well, don’t expect production availability and stability out of a test/lab environment.

For those in the know, they realize I am paraphrasing something said by one of the fathers of Active Directory – Mr. AD – Don Hacherl on the ActiveDir Org list (Friday, February 20, 2009 4:08 PM) /../

Link to quote of Don Hacherl, see below.

Highly Available Active Directory
Source and credits: http://blog.joeware.net/2009/03/11/1623/

Quote to remember: “We are, I believe, all humans, humans make mistakes, failure to take that into account in the first place is just one more failure to add onto the list of items you are reviewing when performing the failure analysis. These types of mistakes made to the directory will quickly (you wanted low convergence times right?) replicate around your entire domain/forest. You accidentally delete all users in an OU and soon they will be gone from all DCs. Good updates going bad… I think many of us, especially those of us who have been in this business a long while, have seen this happen. Something worked great in the lab and out in production something goes left instead of right and you are standing there going WTF[1]? And those without a production environment at all… Well they really are likely to have an issue. What do I mean when I say you don’t have a production environment???/../”

Both refer to the quote of the century by DonH:
“From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Don Hacherl
Sent: Friday, February 20, 2009 4:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Newbie Question

I have to make a comment here, as I’ve heard this too many times. You do, in fact, have a lab environment. What you do not have is a production environment.

DonH”

Allow me to post another quote of the century from the same thread, by my well-respected friend Jorge de Almeida Pinto.
I don’t know if he likes being quoted:
“Sorry, but not having a test environment and not making time for it is BS.”

I rest my case.

(*) Using my blog once again as an external memory assistant.

Reviewed for you: The latest #FIM2010 learning on your media player, video course by Kent Nordström

Wed 8 Oct 2014

Quite a while ago I had the privilege of reviewing the draft of the latest publication on Enterprise Identity Management with Microsoft Forefront Identity Manager 2010 (R2). It was published during my vacation, so I needed to find some time to look at the final version.
And it’s not a book, but a video.


For the newest generation of FIM experts, this is another interesting means of learning FIM.
(Oh, it’s old fashioned to use a plain old paper book, right?)

As quoted on the Packt website: “If you are implementing and managing FIM 2010 R2 in your business, then this video course is for you. You will need to have a basic understanding of Microsoft-based infrastructure using Active Directory. If you are new to Forefront Identity Management, the case-study approach of this video course will help you understand the concepts and implement them quickly and efficiently. Even if you’re well-versed with the technology, this is a great guide to strengthen your knowledge.”

The interesting part of the video course is that you can watch it online or download it.
“Start to run” is soooo 2007, now it’s “Start to FIM”!

It’s a 2h 35min pack of 36 videos.
A lot of stuff, but you won’t regret it.

Hey, sometimes it’s a nice feeling of control that you can simply make Kent shut up (don’t try that live).
Let me give you a quick peek at the table of contents:

  1. Installing FIM 2010 R2 on Windows Server 2012
    • Installing SharePoint Foundation 2013 on Windows Server 2012
    • Configuring Service Accounts for FIM 2010 R2
    • Configuring SQL Aliases for FIM 2010 R2
    • Installing the FIM 2010 R2 Synchronization Service
    • Installing the FIM 2010 R2 Service and Portal
  2. Basic Configuration of FIM Synchronization and FIM Service
    • Configuring the FIM Service Management Agent
    • Setting Up the Active Directory Management Agent
    • Configuring Run Profiles and Schedules
    • Schema Management in FIM 2010 R2
    • Importing Existing Users from Active Directory
  3. User Management
    • Importing Users from HR
    • Provisioning Users to Active Directory
    • Managing the userAccountControl Attribute in AD
    • Exchange Management Using Built-in FIM Functionality
    • Deleting Users in Active Directory
  4. Group Management
    • Understanding Group Types and Scopes
    • Importing Groups from HR
    • Provisioning Groups to Active Directory
    • Using FIM Portal to Manage Groups
    • Managing Distribution Lists Using the Outlook Add-in
  5. Configuring FIM for Self-service
    • Allowing Users to Access the FIM Portal
    • Configuring Self-service Password Reset
    • Allowing Users to Manage Selected Attributes of Their Account
    • Allowing Helpdesk to Manage Users Using the FIM Portal
  6. Customizing FIM
    • Changing the FIM Portal Look and Feel
    • Adding Custom Workflow Activities
    • Using Classic Rules Extensions
    • Using a PowerShell Management Agent to Manage Lync
  7. Reporting
    • Installing FIM Reporting
    • Running the Initial Data Load
    • Viewing Reports
    • Allowing Managers to Access Reports from FIM Portal
  8. Issuing Smart Cards Using FIM CM
    • Installing FIM CM
    • Configuring FIM CM
    • Configuring CA for FIM CM Usage
    • Allowing a Manager to Issue Certificates for Consultants

I must admit I’ve enjoyed the different videos; Kent is doing an extremely good job!
Speaking from experience, I know it’s not an easy job to keep a steady, controlled pace.

Still, I think there is room for improvement: I’m missing a session transcript, an overview of the external references (all websites, scripts, … on the net) and a hand-out of the entire session. Those would make the course perfect.

Anyway, this is another piece of reference material you should add to your FIM reference package.

If you need to catch up on the published FIM material, bookmark these:

Need some more starter material? See http://aka.ms/StartToFIM

[EDIT, 22/oct/2014]
I noticed that in the video Kent refers to scripts used in the course. They are not (yet) available for download.
At the moment of publishing this review, Packt is not providing the scripts with the video course. However, this will be done for their future courses. You can request the script zip via Packt support.


Note-to-Self: Microsoft Security Newsletter September 2014

Fri 26 Sep 2014

Source: http://aka.ms/MSSecuritynewsletter

In this month’s newsletter you’ll find guidance on:

  • Windows Phone 8.1 Security Overview
  • Windows Phone Security Forum for IT Pros
  • Create Stronger Passwords and Protect Them
    • Including a free online tool offered by Microsoft Research, called Telepathwords, for those that would rather have a randomly generated strong password created for them.
  • Two-Factor Authentication for Office 365
  • Multi-Factor Authentication for Office 365
  • Configuring Two-Factor Authentication in Lync Server 2013
  • Adding Multi-Factor Authentication to Azure Active Directory
  • Enabling Multi-Factor Authentication for On-Premises Applications and Windows Server
  • Building Multi-Factor Authentication into Custom Apps

And:

  • Get Started with Virtual Smart Cards

Plus much more… check it out at http://aka.ms/MSSecuritynewsletter
