Wednesday, May 09, 2018

CredSSP RDP Error

In March, Microsoft released some CredSSP updates for CVE-2018-0886.  These may result in the following error displaying for some clients when trying to use RDP (such as using Remote Apps):


As noted here https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018, the registry key impacted may need to be created and set.

You can set this to two (2), which is the least secure, to resolve the situation and get people back into older RDP servers that were impacted by the change.

I recommend using 1 if 0 (the default) is not working, where possible.
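As an added example (not from the original post or the Microsoft article), the following PowerShell reads and sets the policy value the article describes. The registry path and the value name `AllowEncryptionOracle` are the ones documented in that article; the three settings are shown so you can pick 1 over 2 deliberately.

```powershell
# Added example: inspect and set the CredSSP "Encryption Oracle Remediation" policy.
# Run in an elevated PowerShell session on the client that shows the RDP error.
$path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$name = 'AllowEncryptionOracle'

function Get-CredSspOracleSetting {
    # Returns the configured value, or $null when the policy has never been written.
    if (-not (Test-Path $path)) { return $null }
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$name
}

function Set-CredSspOracleSetting {
    param(
        [Parameter(Mandatory)]
        [ValidateSet(0, 1, 2)]
        [int]$Value
    )
    # 0 = Force Updated Clients: refuse any peer that lacks the CredSSP fix
    # 1 = Mitigated: refuse unpatched servers, still accept unpatched clients
    # 2 = Vulnerable: accept everything; a stopgap only while the RDP servers are patched
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $Value -Force | Out-Null
}

$current = Get-CredSspOracleSetting
if ($null -eq $current) {
    Write-Host "$name is not configured (the policy default applies)"
} else {
    Write-Host "$name is currently $current"
}

# Prefer 1 over 2, as the post recommends, and set it back to 0 once the servers are patched.
Set-CredSspOracleSetting -Value 1
```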

Friday, May 12, 2017

IIS Security

If you are setting up an IIS server or installing an app that will enable IIS, take a look at these links on how to harden IIS:

  • http://resources.infosecinstitute.com/hardening-iis-security/#gref
  • https://technet.microsoft.com/en-us/library/jj635855(v=ws.11).aspx
  • https://msdn.microsoft.com/en-us/library/dd163542.aspx

Weak Service Permissions

Making press recently is the not-quite-new but always exciting ability to take over a PC by replacing a file that is run when the computer boots.

This happens when a third-party service runs its executable from a location where anyone who can log on to the PC (a regular user) can modify the files in that folder: the service starts as SYSTEM, but the file it starts can be swapped by a low-privileged account.

A good write up on this can be found here: http://travisaltman.com/windows-privilege-escalation-via-weak-service-permissions/

That same article links to several other great articles on privilege escalation and other security blogs.
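The check below is an added example (not from the original post or the linked article): an audit script that lists services whose executable, or the folder holding it, grants write-class rights to broad principals, which is the condition described above. The principal list and the `icacls` remediation line are assumptions to adapt to your environment.

```powershell
# Added example: audit services for binaries that low-privileged users can modify.
# Run in an elevated PowerShell session; output is the list of services to fix.
$broadPrincipals = @(
    'Everyone', 'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)   # assumption: extend with your own broad domain groups
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, WriteData, AppendData, TakeOwnership, ChangePermissions'

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Reduce the raw ImagePath ("C:\x\svc.exe" -arg, or C:\x\svc.exe -k foo) to the .exe itself.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+-|\s+/')[0].Trim()
}

function Get-BroadWriteAces {
    param([string]$Path)
    # Returns Allow ACEs that give any write-class right to one of the broad principals.
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadPrincipals -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $writeMask) -ne 0)
    }
}

function Get-WeakServiceBinaries {
    Get-CimInstance Win32_Service | ForEach-Object {
        $exe = Get-ServiceBinaryPath $_.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return }
        # Check both the file and its parent folder: a writable folder allows the file to be replaced.
        foreach ($target in @($exe, (Split-Path -Parent $exe))) {
            $aces = Get-BroadWriteAces $target
            if ($aces) {
                [pscustomobject]@{
                    Service    = $_.Name
                    RunsAs     = $_.StartName
                    Path       = $target
                    WritableBy = (($aces | ForEach-Object { $_.IdentityReference.Value }) -join ', ')
                }
            }
        }
    }
}

Get-WeakServiceBinaries | Format-Table -AutoSize

# Remediation for a hit: move the binary under %ProgramFiles% or strip the write ACE, for example
#   icacls "C:\ThirdParty\svc.exe" /inheritance:r /grant:r "Administrators:(F)" "SYSTEM:(F)" "Users:(RX)"
# (path is a placeholder), then restart the service and re-run the audit.
```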

Tuesday, September 20, 2016

DIY Cloud Print

Ever struggle with how to deliver the ability for guests to print out that all-important boarding pass, hilarious Dilbert cartoon (does anyone print them out anymore) or the occasional business document to be shared at a meeting? How about completing the solution for free? Nothing combines my two loves... the smell of toner and free together like guest printing; and there are a ton of complex and cool solutions out there; but why not build a simple and easy to use solution? Here's what you can make happen:


  1. Build yourself a Windows server, the version I used was a VM of Windows 2012 R2.
  2. License that server.
  3. Patch the server.
  4. Get yourself an Internet IP (you probably already have this and can NAT an address to it).
  5. Decide on some cool DNS name, like makeitprint.coolcompanyname.com.
  6. Create a DNS record (inside and outside of your company if needed) for that DNS name. (Note: for guests, you probably need to put this out on the Internet.)
  7. On your firewall, configure NAT to pass traffic through on port 443. You may also want to restrict access to your solution to just your corporate Internet IPs.
  8. On the Windows server, install the Internet Printing role.
  9. Set up your printers on your server.
  10. They will now have a URL of https://makeitprint.coolcompanyname.com/printers/.
  11. You can use the URL for each printer to print to; share that with your guests and they will be good to go.
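
The server-side part of steps 7 and 8, scripted as an added example (not from the original post). It assumes a Windows 2012 R2 server, an elevated PowerShell session, and that a certificate for the chosen DNS name is already in the machine store; the corporate IP range and host name are placeholders.

```powershell
# Added example: install Internet Printing, restrict HTTPS to corporate addresses, bind the certificate.
$corpInternetIps = @('203.0.113.0/24')            # placeholder: your office egress range(s)
$publicName      = 'makeitprint.coolcompanyname.com'

# Step 8: Print Server plus the Internet Printing role service (IIS is pulled in as a dependency).
Install-WindowsFeature -Name Print-Server, Print-Internet -IncludeManagementTools

# Step 7, host-level companion to the NAT rule: allow 443 only from corporate
# addresses and never expose the plain-HTTP listener.
New-NetFirewallRule -DisplayName 'Internet Printing (HTTPS, corp only)' `
    -Direction Inbound -Protocol TCP -LocalPort 443 `
    -RemoteAddress $corpInternetIps -Action Allow
New-NetFirewallRule -DisplayName 'Internet Printing (block HTTP)' `
    -Direction Inbound -Protocol TCP -LocalPort 80 -Action Block

# Bind the certificate for $publicName so the /printers URL is served over HTTPS.
Import-Module WebAdministration
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$publicName*" } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate for $publicName in the machine store; request one first." }
New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Steps 10 and 11: the address to hand to guests.
Write-Host "Printers are published at https://$publicName/printers/"
```
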
For printing from Chromebooks, you can also set up Google Chrome on your server and share the printers out to Google users (keep it secure by limiting who can access it via Google's security).

Note: Using Google Chrome in this way allows the approved accounts to print from anywhere, ignoring your firewall security.

This will allow Windows, Linux, and Macs to be able to print to your printer from the office (via https printing) and any system running Google Chrome (such as Chromebooks) to print via Google Chrome.

Suddenly you are saving the company money and providing an easy to use solution to guest printing.

Tuesday, September 29, 2015

Bimodal IT and How It Applies to the Digital Workplace (From Gartner)






Source: Gartner (April 2015)
Goal: The inherent goal of digital workplace bimodal Mode 2 is to boost employee agility and efficiency, and to boost employee engagement levels by empowering them and giving them a sense of ownership over technology strategies.
Value: The value shifts from investment protection (in Mode 1) to workforce optimization and empowerment in the digital workplace (Mode 2).
Approach: The Mode 2 approach is to deliver a more consumerized work environment that emphasizes mobility, integration of social networking services and self-service access to analytics. Allowances for personal choice and departmental choice of services (where such choices make sense) are important. A more iterative style of development is adopted.
Governance: Governance is more flexible in Mode 2, with greater allowance for exceptions and a willingness to rethink Mode 1 practices that may have been in place for decades.
Sourcing: By nature, the digital workplace will be more expansive in its sourcing strategies since it allows for employee- and business-unit-led procurement, which may result in consumer-oriented applications and an emphasis on cloud services.
Talent: IT employees that are close to digital workplace initiatives are typically more business-focused and in tune with employee technology requirements. They typically favor an iterative approach to problem resolution and are comfortable with a fail-fast project strategy, and therefore are more accepting of uncertainty.
Culture: This is perhaps the greatest change from bimodal Mode 1. Mode 2 culture focuses on employee needs, and stresses the role that technology can play in boosting employee engagement levels. This emphasis on employees requires the IT organization to foster a continuous dialogue with the employee community to ensure that it has a loud voice in technology investments.
Cycle Times: Mode 2 emphasizes the ability to rapidly exploit business opportunities and react quickly to changing business requirements. This results in an agile and iterative approach to development, faster procurement, a preference for cloud services, and fast and effective support.

Mode 1, of course, still plays a huge role in the digital workplace. Many digital workplace services sit on top of Mode 1 infrastructure, and many projects started under Mode 2 — such as enterprise file sync and share services, enterprise social networks and app stores — will become part of the Mode 1 operating responsibility as they mature.

(Gartner, April 2015)

Friday, August 21, 2015

Building a Hyper-V and Microsoft Based Virtual Environment with Virtual Hosts and Session Hosts

Hello all,

Recently I stood up a "VDI" environment using Microsoft Windows 2012 R2.  The environment was not very complex; it featured:

1 Server running as the web host, connection broker, and gateway (a VM).
1 Server running as the virtualization host (a physical box).

Then I wanted to add a Session Host.  The Virtualization host provides you with a way to host VMs in the VDI environment, allowing you to deploy desktops for users from templates.

The session host allows you to deploy applications that are installed on that host as virtual applications.  It works much like sharing an app on WebEx or in instant messenger: instead of displaying the whole desktop, you get a window that just displays the application.

However, if you click around the Server Manager interface it is not very intuitive how you add a new session host.

My first attempt was:

I built a new VM and installed the session host service on it.  Then I added it to the host I was using to manage the environment.  However I still could not see it as part of the RDS farm.

Then I called Microsoft (because I did not want to mess around with it).  The answer turns out to be that I had to uninstall the role from the new VM and then from my connection broker where I was managing the environment I had to step through the process to install the RDS services again.

What I did was:


  1. Click on Manage from server manager
  2. Select Add Roles and Features
  3. Move past the introduction screen
  4. Select the option to install Remote Desktop Services
  5. Select the standard install option
  6. Now it gets to the Virtualization or Session option.  Since I had already installed the virtualization option that was grayed out.  So I picked session.
  7. Then it walked me through picking the hosts again.  The connection broker, web host, etc. were all grayed out; I was not able to make a selection until I got to the session host.  There I was able to pick my new server and install the role.
  8. It did require a reboot of the new session host and once that was complete I was able to instantly create a new collection and toss applications out for users to access.
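
The same outcome from the RemoteDesktop module on the connection broker, as an added example (not from the original post). It is the scripted alternative to the wizard steps above; the host names are placeholders.

```powershell
# Added example: add a new RD Session Host to an existing RDS deployment and publish an app.
# Run from an elevated PowerShell session on the connection broker.
Import-Module RemoteDesktop
$broker      = 'broker.corp.example'    # placeholder: the VM running web host, broker and gateway
$sessionHost = 'rdsh01.corp.example'    # placeholder: the new session host VM

# Steps 4-8 of the wizard: the broker installs the RD Session Host role on the target
# and reboots it if required.
Add-RDServer -Server $sessionHost -Role RDS-RD-SERVER -ConnectionBroker $broker

# Confirm the deployment now lists the new host.
Get-RDServer -ConnectionBroker $broker | Where-Object Roles -contains 'RDS-RD-SERVER'

# Create a collection on the new host and publish one RemoteApp for users.
New-RDSessionCollection -CollectionName 'Apps' -SessionHost $sessionHost -ConnectionBroker $broker
New-RDRemoteApp -CollectionName 'Apps' -DisplayName 'Calculator' `
    -FilePath 'C:\Windows\System32\calc.exe' -ConnectionBroker $broker
```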

The process is painless but there is little documentation to take you through it.  Hopefully this helps anyone who finds themselves in the same spot I was.

Tuesday, February 24, 2015

New Phishing Scams Hit the US

Two new phishing scams have been making the rounds recently.  The first is a group that pretends to be the IRS; they leave messages saying that if you do not call back your SSN will be "blacklisted" forever.  Check out the story here: http://www.irs.gov/uac/Newsroom/IRS-Warns-of-Pervasive-Telephone-Scam

Scammers are also calling the families of the recently deceased.  They scan the obituaries, then contact the family saying they have important documents that cannot be shared with anyone else.  The story can be found here: http://www.csoonline.com/article/2885141/malware-cybercrime/scammers-using-obituary-notices-to-acquire-new-victims.html

Thursday, April 10, 2014

Looking for Mr. Right Cloud Storage Provider

I have been checking out the many different web storage services that are out on the Internet today for various different purposes and looking for things that were the “perfect fit”.  The tools that I looked at were:
The important part of the reviews is what I was looking to get from the services; and the scope of my search was a bit “vast”.  Here are the things I was thinking about while looking at the services:
  • I have a ton of MP4/M4V videos and people have been talking about Plex, which is an awesome service that allows you to install some software on your PC or storage device in your home; but I do not want to store the files in my home, I want them in the cloud where I can share them and access them from anywhere without my PC being on.
  • I need a service that stores documents and easily allows me to share them with friends.
  • I was looking at services that work well for a company to eliminate local file servers.
  • I did NOT need a service that backed up my PC(s).
  • I needed a service that would easily upload photos from my phone (which is an iPhone).

So with that in mind, let’s look at our services; because in the end I decided on a couple of services because each of them offers me different functionality that I can use.  I know that sounds like a pain; but sometimes keeping things separated can be good.  I provide an introduction to the later services; but Dropbox and Box are almost household names these days so I do not really introduce them.  For those that do not know these services they are both file storage and sharing services that allow you to upload/sync files and share them with friends and coworkers.

Dropbox:
This service is perfect for the average home user who wants a place to store files they want to “privately” share with friends.  The features of Dropbox are:
  • Free service to get started that grows as you use it and invite friends.  You can quickly get 5-10 GB of space that will keep most people happy.  You can then make the decision to grow beyond that for 10 bucks a month.
  • Dropbox will host videos that are easily viewable from a mobile device using their application.
  • Dropbox will suck the photos AND videos out of your phone.
  • Dropbox allows you to easily share files with friends via an email address (they will have to create or use their Dropbox account).
  • Dropbox will sync files with all of your PCs and any shared files will be synced down to your friend’s PCs.
  • If your friend deletes some of your files, you can easily recover that which is lost.
  • You can upload content from multiple PCs without additional costs.
Some of the downsides of Dropbox:
  • Dropbox, while cool, does not provide any real security around files you share.  If you grant friends access, they have full access to the folders and can add, change, or delete items.
  • Unlike Box.com, everything in your Dropbox account syncs down to your PC.
  • Posting photos to Facebook from Dropbox requires using URLs.
  • Sharing with friends requires you to share an entire folder.
Box.com:
Box has a ton of options and runs the gamut from similar to Dropbox to control around individual files.  You can set sharing to allow only specific people to have "view" access and others to have full access.  It allows for a lot of safety around your documents while allowing collaboration and sharing.
  • Box is really designed for business.  It is focused on security, has a wide range of offerings, and can meet a lot of needs.  It is one of those services that will allow you to eliminate a file server.
  • Box has a free version that offers a limited amount of storage like Dropbox; but does not grow as you use it without purchasing.
  • File recovery in Box is better than Dropbox, because your file control is better.
  • In the higher level accounts you get collaboration tools like users being able to edit files at the same time so you can collaborate on a document seeing the changes each of you make “in real time”.
  • You can get a Box.com account for 5 dollars for 100 GB per month; but you cannot upgrade a free account to that service.  The upgrade to 100 GB for a personal account costs 10 dollars a month.
  • You can upload content from multiple PCs without additional costs.
  • Sync can be controlled via the web, allowing you to only sync the files and folders you want.
Downsides of Box.com:
  • There are no automatic uploads from mobile devices (although there are some third party apps that support this).
  • Box does not convert videos into playable media on mobile devices, so your files may not be useable from a mobile device if they are not the right format.
  • While more secure, it is tougher to share files than in Dropbox; although the functionality is much stronger so for business this is not a negative, it is more of a negative for individual/home users.

Stream Nation:
Stream Nation is a new service that works a lot like Plex; but everything is in the cloud.  It extends beyond Plex though, it is really a cloud based “Media Center”.  Where you can pull in your photos, videos, and movies that you have stored in your home and can access from devices around the world.  You can also share your files with friends.  Features of Stream Nation:
  • Easy to upload and queues uploads of your photos, videos, and movies.
  • Allows you to add the covers for movies.
  • Sharing with friends and family is easy (but does require a Stream Nation account).
  • Stream Nation is able to pull in photos and videos from services such as Facebook, Flickr, Dropbox, and others.  It can pull in specific folders or all of your photos/videos from those services.
  • The mobile apps allow you to suck photos and videos out of your devices.
  • They have free accounts with limited storage and paid accounts with up to unlimited storage.
  • You can upload content from multiple PCs without additional costs.

Downsides of Stream Nation:
  • Let’s face it, the number one downside of any cloud storage is that it might be gone tomorrow, so if you are uploading all of your media and expect it to be there in the future you might be sorry.  Stream Nation is a new service and I hope they are around for a while because I find it handy; but it could be gone soon.
  • Stream Nation costs about 20 dollars a month for unlimited storage, which is at the high end of cloud providers; but they are offering a service that is currently very unique.
  • If you have a lot of movies, videos, and photos the upload process can take a long time.
  • The Stream Nation uploader is easy to add content into; but you only see the current uploads and cannot really manage the queue. 

My Shoebox:
This application came onto my radar when I was looking for a place to store photos and videos from my phone without cluttering up Stream Nation, where I want to store "family friendly" photos – because it keeps my wife happy when she doesn't have to see photos of some monkey throwing poo.  Anyway, My Shoebox is a service like Flickr, Instagram, and other photo sharing services.  They offer unlimited storage and provide mobile apps to easily upload photos.  Some of my thoughts on them are:
  • They offer unlimited storage for a low cost.
  • They ONLY upload photos, your videos on your phone are out of luck.
  • They have some good photo editing and management tools.
  • Not a lot of people have heard of the service; but they do have free accounts.
  • Their website URL is a bit odd, http://shoeboxapp.com/

Backup Services:
Here is where I get really vague… I was looking at a couple of services for storage of movies and media.  The upload process makes this difficult and the mobile applications are weak in a lot of cases.  These services are good if you want to backup and restore files from your PC; but otherwise they do not offer much.  Looking at the different services, I would look at what you get for the cost.  The cheaper the better; but be sure to try out the services (if they do not have a free account or a trial, move on to the next service). 

Conclusion
In the end, I came to the realization that no one service would meet my needs; but that I could live with two different services for my personal needs and one for work.

I ended up going with Dropbox for pulling photos out of my phone and sharing files with friends for personal use.  The ability to easily access files via my mobile device (such as funny videos) was really the winning factor in trying to decide between Dropbox and Box.com when looking at these two services.  Dropbox is like Box for individuals who are not concerned about securing down their data at an enterprise level.

However, the initial driver behind my rabid search was looking for a place to store my movies… I have a lot of iPad/iPhone videos.  For that and storing photos I went with Stream Nation.  I am able to upload photos from my phone by going into the application and selecting them, while all of my photos and videos are uploaded into Dropbox, which keeps them safe and secure for me.

Of course, safe and secure is a bit of an amusing statement.  Dropbox, Box, Stream Nation, and so on do not really provide you any long term protection (as individuals).  Many of these companies do not provide any disaster recovery services and offer no promises for your data.  If they are gone tomorrow your data is gone too.

Now, for my work needs Box.com is really the way to go.  The functionality within Box is a lot like a file server in your office with some additional features such as the ability to allow users to share files in a secure environment.  Your users are able to send links and retain the data within your “cloud,” keeping this safer.

With the enterprise agreements you can get a lot more security and “warm fuzzies” around backup and disaster recovery as well when looking at Box.com


Monday, June 10, 2013

Microsoft as a cloud solution!?!

The battle between VMWare and Microsoft rages on, with VMWare taking its long-standing history of strong VM management and pointing much of that strength toward VDI.  Microsoft, on the other hand, has reached out to the world and looked to open their environment up to the cloud.

It almost feels like Microsoft has been looking into the Linux playbook and decided that sharing is caring, perhaps they learned from Vista that you cannot slam down a solution without crushing a few fingers, so it is better to get those hands to help you upfront!

When you look at the two head to head it is easy to see that VMWare has a strong solution when it comes to extending the VMWare environment into the cloud.  You can go to a lot of places and grab storage and manage it inside of VMWare, for companies that have a huge investment into VMWare, this might be the way to go for DR.  As long as all you want to keep in house is VMWare.

Microsoft, on the other hand, allows you to manage Hyper-V and VMWare, and their cloud solutions run the gamut from hosting SharePoint, instant messaging, and/or email all the way through custom application hosting and full infrastructure as a service (SaaS, PaaS, and IaaS).

What both do well is present a hybrid solution for VM management.  Allowing you to move between on-premise and cloud based VM storage with ease.  This is in no small part due to the amazing leaps forward Microsoft has made in Hyper-V over the past few years.  They went from a poor man's VM host to an enterprise class solution almost over night. 

Check out this article on Microsoft leaping ahead of VMWare in hybrid cloud management for more: http://www.crn.com/news/cloud/240153005/microsoft-leaps-ahead-of-vmware-in-hybrid-cloud-management.htm;jsessionid=GgQXhFXLC9n7-keSG2xtqQ**.ecappj03?pgno=2

Thursday, September 20, 2012

iOS 6

Just a day into the release of the new iOS 6 and I feel like I've just gotten a mixed bag of improvements and odd ball changes.  The new map is cool, Siri is improved (yep, she can still find strippers but now she also can tell the score of the football game).

I have not played around with the iPad or iPhone much in the last day; but I am not a fan of the new phone app (it is not as attractive as the old one) but I do like the feel of the new stores.

Also (this might have been there before and I just did not see it because my phone was not hooked to the cloud), I now have all of my music that is in the cloud on my phone.

So I am excited that I can now find out how bad the Rams lost without typing anything and that strippers are still just a click away but time will tell on the passport (it needs more partner applications and stores will have to know how to handle it) as well as the other improvements.

Wednesday, September 19, 2012

Microsoft Certified Masters

A little more than a week into my Microsoft Certified Master's rotation I am sitting here going through troubleshooting skills for AD and other technologies, thinking about the upcoming test and practical (which is really just a simulation of real world issues).

It is a fascinating experience, getting to sit in a room with a group of people who have a great deal of experience working with Active Directory and many of Microsoft's other products.  There are some very smart people sitting in a very close space!

As one guy reminds us, he is very much a type A personality.  The rest of us just kind of laugh, we are all type A.

However, my thoughts tonight turn towards where directory services is going in the future.  Microsoft has been pitching the idea that Windows 2012 is the server built from the cloud up for a while, and they really like their new Azure AD (which is really just directory services in the cloud).  Combine that with their history of going toe to toe with Oracle in the DB market and VMWare in the virtual server market, both places where Microsoft has made HUGE strides forward with the 2012 versions of their software.  Now that Microsoft has put themselves in a place where their technologies have reached a mature point, they can turn their guns on the next big target:

Identity management.

To this point, Microsoft has kind of toyed around with it through their FIM solution; but you take that, combine in token services through ADFS, mix in some directory services through AD DS, and you put it all in a stable environment like Windows 2012 and they have an opportunity to push into a market that has so far been dominated by two different groups:

On premise identity management, providing companies with a way to present a single identity to each user that they use to access "everything" within their walls (and sometimes in the cloud, although it usually takes a combination of products).

In the cloud identity providers, which is really a very new market.  Companies like OneLogin have put themselves in a good position in this market.  Virtually replacing an on premise ADFS (or other SAML) solution.  However the cloud solutions do not extend very well inside the boundaries of the company itself. 

Microsoft, on the other hand, already has ties into an identity solution in the cloud (through their Live ID), has the leading on premise directory service (Active Directory), and has been managing SAML (token based), PKI (certificate based), and encrypted access for a long time.  Add in their FIM product, which is a good tool for interacting between directory services, and you have what could be a very impressive identity management solution if the pieces are assembled correctly.

I imagine a time when users are able to take their identity with them from company to company and use it to authenticate into services like you do with a Facebook account.  While at the same time companies are able to accept that identity, merge it into their environment and provide controls around access and gain insight into their own employees.

The solution could empower both employers and employees alike!

What kicked off this stream of thought?  A PowerPoint presentation I came across while studying: http://download.microsoft.com/download/d/0/8/d08e709d-e760-45c7-80c7-e20727e993b4/IDENTITY_RAFAL/Identity_and_Access_Management_Overview.ppt

Wednesday, July 25, 2012

Windows 2012 Licensing

Microsoft is changing things up a bit as they launch Windows 2012, the new server OS.  They are going to just two editions:

Standard Edition and Datacenter Edition.

Any copies of Enterprise Edition that are owned in the world (in Software Assurance) will convert to 2 standard licenses.

All features will be available in both editions of Windows 2012.  The only difference is the virtualization allowance.  With each license of Standard that you apply to a server you will be able to host up to two VMs.  You can stack copies of Standard on a server to increase that number as well.

Datacenter Edition will continue to provide unlimited free VMs.

The licensing for both editions is based on a two processor server and you license servers by their physical hardware (in other words VMs cannot be licensed). 

With the move to 2012, the Enterprise and Web Server editions are being eliminated: one to reduce the cost and complexity of licensing and one due to lack of popularity.

You can read more here: http://download.microsoft.com/download/4/D/B/4DB352D1-C610-466A-9AAF-EEF4F4CFFF27/WS2012_Licensing-Pricing_FAQ.pdf

Saturday, May 26, 2012

Handy ADFS / Claims Based Identity Links

Microsoft Windows Identity Foundation:
http://msdn.microsoft.com/en-us/security/aa570351.aspx
http://msdn.microsoft.com/en-US/evalcenter/dd440951.aspx

Microsoft's Claim Based Identity and Access Control (2nd Edition)
http://msdn.microsoft.com/en-us/library/ff423674.aspx

MSDN Magazine:
http://msdn.microsoft.com/en-us/magazine/cc163366.aspx

ADFS:
http://technet.microsoft.com/library/dd727958(WS.10).aspx

Claims Based Identity & Access Control Guide (Codeplex)
http://claimsid.codeplex.com/

Exchange Cross Forest Work

Perhaps you are caught up in the work of migrating users from one domain to another (then again perhaps you actually have really fun things to do besides dealing with the politics of moving people across domains).  One interesting thing that makes sense when you look at it but at first glance is a bit confusing is establishing Exchange permissions.

There are really two types of Exchange permissions when dealing with mailboxes.  There is full access and send as/on behalf of.  I say there are two permissions because send as and on behalf of, while assigned differently are generally assigned the same way.

So on to the story!  While moving people's mailboxes from domain A to domain B we discovered that going into Exchange and saying "Hey, grant this dude full access" via the MMC just was not getting us where we wanted to be (in other words, they got no access at all).  It did not make sense until we sat down and really thought about the "Full Access" requirements.

So you have "Joe User" logging into his PC in domain A with the account DomainA\joe.user, and the mailbox that Joe uses is in domain B.  For that to work, there is a disabled account set up in Domain B that the linked mailbox is tied to.  That disabled account in turn is tied to Joe.User in Domain A (with me so far?).

So Joe logs in with his Domain A account and accesses his mail in Domain B.  Then along comes Sally User, and Joe wants her to have full access to his mailbox.  So there we were thinking "Dude, this is easy: right click, Full Access, Sally, click a few times, get some Cheetos."

Sally fires up her Outlook, opens up Joe's mailbox and BAM, no access!

So what happened?  Well, Sally is just like Joe and she is logging into Domain A as DomainA\Sally.User and then accessing her mailbox (which has that same linked mailbox type with a disabled user in Domain B).  Then she clicks on Joe's mailbox and it tosses the error.  Well... Sally is trying to open Joe's mailbox as DomainA\Sally.User, not DomainB\Sally.User (the linked mailbox account) and we did not grant rights to that Sally!  We granted them to the linked mailbox and the account in Domain B.

Darn silly of us; but why doesn't Exchange tell us?  Well... my guess is it is partly evil with a chance of this is why they have Exchange experts and tech support.

So you have to get a little brave and fire up the old PowerShell and get Sally the access she so desperately needs!  That command looks a little like this:

Add-ADPermission -Identity "joe.user" -User "DomainA\sally.user" -AccessRights 'FullAccess'

The thing to note is that you only have to identify Joe's mailbox (in Domain B) but you have to qualify Sally's account in Domain A with the domain name.

Easy right?  Well, here comes another twist!  Want to grant send as rights or send on behalf of?  Well, you can do that from the MMC or via PowerShell.  The reason this works is because it is not a permission that is checked as you access the system, it is checked on the Exchange server as the email is sent.

So Exchange says "Hey, an email from Sally's account going out as Joe.  Does her mail account have that right?"  Well, the mail account is the Domain B linked account.  There you can go into the MMC, right click, send as, add the user, click a few times, and you'll get some tasty success action!

You can also dig into the account and grant send on behalf of rights.

One last thing to note.  If you grant "Send on Behalf of" and "Send As" rights to the same account, it will send on behalf of, not send as.  So keep an eye on that!
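
An added example (not from the original post) that verifies which principal actually holds each of the rights discussed above, so a grant to the wrong Sally shows up before she opens Outlook. It assumes the Exchange Management Shell; the names are placeholders, and the suggested grant uses Add-MailboxPermission, the mailbox-level cmdlet, where the post's own command uses Add-ADPermission.

```powershell
# Added example: check Full Access, Send As and Send on Behalf on a linked mailbox.
$mailbox = 'joe.user'              # the linked mailbox in Domain B
$trustee = 'DomainA\sally.user'    # the account Sally actually logs on with

function Get-ExplicitFullAccess {
    param([string]$Identity)
    # Non-inherited Full Access ACEs on the mailbox; this is what is evaluated when
    # Sally opens Joe's mailbox, so the trustee must be her Domain A logon account.
    Get-MailboxPermission -Identity $Identity |
        Where-Object {
            -not $_.IsInherited -and
            $_.AccessRights -contains 'FullAccess' -and
            "$($_.User)" -notlike 'NT AUTHORITY\*'
        } |
        Select-Object User, AccessRights, Deny
}

function Get-SendAsGrants {
    param([string]$Identity)
    # Send-As is an extended right on the AD object, evaluated when the mail is sent,
    # which is why the Domain B linked account is the one that needs it.
    Get-ADPermission -Identity $Identity |
        Where-Object { -not $_.IsInherited -and $_.ExtendedRights -like 'Send-As' } |
        Select-Object User, ExtendedRights, Deny
}

$full    = Get-ExplicitFullAccess -Identity $mailbox
$granted = @($full | ForEach-Object { "$($_.User)" })
if ($granted -notcontains $trustee) {
    Write-Warning "$trustee has no explicit Full Access to $mailbox (holders: $($granted -join ', '))"
    Write-Warning "Grant it to the Domain A account, e.g.: Add-MailboxPermission -Identity $mailbox -User '$trustee' -AccessRights FullAccess"
}

Get-SendAsGrants -Identity $mailbox | Format-Table -AutoSize

# Send on Behalf is a mailbox attribute, not an ACE; if both it and Send As are set
# for the same account, the message goes out as "on behalf of", as the post notes.
(Get-Mailbox -Identity $mailbox).GrantSendOnBehalfTo
```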

All of this might not be new to those of you out there that know more than me (which covers just about everyone) but I learned something that day, and it was jolly good!

Friday, December 09, 2011

Granting Exchange Send As Permissions

I am on a quest to discover what the most stringent AD permissions I can grant to people are and right now I am working through the process of granting the user administration team the right to manage granting the Exchange rights "Send As" and "Full Access" for user mailboxes.

There is a shockingly light amount of information about this on the Internet.  The Exchange blogs seem to focus on granting wide and generous permissions.

One thing that makes this a bit more complicated for us is that we have moved our AD administration into Quest ActiveRoles, while our Exchange administration is still in Active Directory.

At this point, the best I have found is that to grant the ability to Send As, the permissions that seem to work are to make the administrator a member of the "Exchange Recipient Administrators" group and to grant that group the "modify permissions" right on the AD user objects.

I have a feeling there is a stricter right that can be applied but I have not found it yet.

I am still on the search for the ability to grant the "full access" rights.... One day!!!
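A way to check what that delegation actually grants on a user object, as an added example that is not from the original post. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT) and a sample user jdoe (placeholder); the group name defaults to the one discussed above.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory module
# and a placeholder user 'jdoe'.
Import-Module ActiveDirectory

function Get-DelegatedRights {
    param(
        [Parameter(Mandatory = $true)] [string] $SamAccountName,
        [string] $GroupName = 'Exchange Recipient Administrators'
    )
    $user = Get-ADUser -Identity $SamAccountName
    # The AD: drive exposes the object's security descriptor to Get-Acl.
    $acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

    $acl.Access |
        Where-Object { $_.IdentityReference.Value -like "*\$GroupName" } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                      ObjectType, InheritedObjectType, IsInherited
}

# "Modify permissions" in the GUI shows up here as WriteDacl. Anything broader
# (GenericAll, WriteOwner, unexpected extended rights) means the delegation is
# wider than the post intends and should be trimmed.
Get-DelegatedRights -SamAccountName 'jdoe' | Format-Table -AutoSize
```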

Friday, April 22, 2011

AD FS 2.0: Getting Started

I have started a project to play with AD FS 2.0, and I have discovered that there is not a single book on the topic, nor is there a lot of good information on the Web about AD FS, so my adventures in getting started with AD FS have been bumpy to say the least.

The good news, for me, is that a coworker received an invitation to the Microsoft AD FS 2.0 class which was passed on to me. Starting Monday I will get to learn, hopefully in depth, how AD FS 2.0 works and much more detail about it.

My goal is to launch AD FS 2.0 and to write the fable of launching AD FS 2.0 so that people who follow in my footsteps can have a resource for getting started.

What I know so far is that I want to have something that looks like this at the end of the day:

So, check back here to keep track of my AD FS adventures!

Sunday, February 27, 2011

Items of Confusion

In a recent discussion with some other IT people over an issue with a drive that had run out of space, I discovered that there is some confusion around what you can actually do with Windows 2003 to expand drives.

After some research (with websites providing both good and bad information) I have come to believe these are the facts:

If you have Windows 2003 installed on a machine, you can expand or span a volume if:

1) The drive was not a basic partition and was not upgraded from Windows 2000. If the drive started life as a Windows 2003 basic partition, you can convert the disk to a dynamic disk and then extend the volume across other drives. However, you cannot do this if the machine was a Windows 2000 server that was upgraded.

2) You can expand a basic partition as long as there is contiguous free space. So if you have a C and a D drive on a hard disk and they take up 1/2 of the space and you want to extend the D drive, you can do so as long as the free space is the next available space on the disk.

3) Any drive that started its life as a dynamic volume can be manipulated in any way.

4) If needed, you can convert a dynamic disk to a basic disk; but you will have to blow away all the volumes on that disk. You cannot convert volumes to partitions (that bit is a one way street).

5) Your partition or volume must be NTFS. You just can't roll with FAT.


I have found some articles out there that will tell you that it is not possible to upgrade a basic partition and then expand it. This is true in Windows 2000 and Windows XP. This limitation has been removed in Windows 2003.

The exceptions to this rule are in the cases that you cannot create dynamic drives, which you will find in laptops and removable media. Dynamic drives are just cranky like that.
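Point 2 above in practice: extending a basic NTFS partition into the contiguous free space behind it with diskpart, as an added example that is not from the original post. It assumes PowerShell and diskpart on the Windows 2003 host, local administrator rights, and that drive D is the one to extend (placeholder).

```powershell
# Added example, not code from the original post. Assumes diskpart and PowerShell
# on the Windows 2003 host; the drive letter is a placeholder.
function Extend-BasicVolume {
    param(
        [Parameter(Mandatory = $true)] [string] $DriveLetter,  # e.g. 'D'
        [int] $SizeMB = 0                                      # 0 = take all contiguous free space
    )
    $letter = $DriveLetter.TrimEnd(':')

    # Point 5 above: extend only works on NTFS, so refuse anything else up front.
    $vol = Get-WmiObject -Class Win32_Volume -Filter "DriveLetter = '${letter}:'"
    if (-not $vol) { throw "Volume ${letter}: not found" }
    if ($vol.FileSystem -ne 'NTFS') {
        throw "${letter}: is $($vol.FileSystem); diskpart extend requires NTFS"
    }

    # diskpart addresses volumes by number, so map the letter to its volume number.
    $listing = 'list volume' | diskpart
    $line = $listing | Where-Object { $_ -match "^\s*Volume\s+\d+\s+$letter\s" }
    if (-not $line) { throw "Could not find ${letter}: in diskpart's volume list" }
    $volNum = [regex]::Match($line, 'Volume\s+(\d+)').Groups[1].Value

    # Caveat: on Windows 2003 diskpart cannot extend the system/boot partition online,
    # and 'extend' fails if the free space is not directly after the partition (point 2).
    $cmd = 'extend'
    if ($SizeMB -gt 0) { $cmd = "extend size=$SizeMB" }
    $script = "select volume $volNum", $cmd

    $tmp = [IO.Path]::GetTempFileName()
    $script | Set-Content -Path $tmp -Encoding ASCII
    try { diskpart /s $tmp } finally { Remove-Item $tmp -ErrorAction SilentlyContinue }
}

Extend-BasicVolume -DriveLetter 'D'
```

If the free space is not contiguous, diskpart reports the failure rather than silently converting the disk to dynamic, so the dynamic-disk one-way street in point 4 is not entered by accident.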

Sunday, October 03, 2010

Warning Fail

Found on a website:

"NOTICE: Your web browser is obsolete. As such, some functionality of this website may not function correctly or at all. Please upgrade your browser to the latest version."

I sure hope that the function of the functionality is functional when I need it to be fun.

Monday, May 10, 2010

ADMT: Failed to change domain affiliation, hr=800704f1 The system detected a possible attempt to compromise security.

We have been testing out migrations from several domains into our main domain and discovered the following issue when we would go to migrate computer accounts:

ERR3:7075 Failed to change domain affiliation, hr=800704f1 The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.

This error does not impact moving groups or users. During our search for the resolution we found a lot of people saying you should use KB article 942564 (http://support.microsoft.com/kb/942564) to resolve the issue by adjusting the cryptography algorithms to be compatible with Windows NT 4.0.

Looking deeper into that solution, we decided that all we were really doing was lowering the level of security on our domain, and we wanted to avoid that.

Fortunately we read a little further down and discovered KB article 944043 (http://support.microsoft.com/kb/944043/), which talks about the domain having 2008 Read Only Domain Controllers; we do not have any, so I overlooked that solution.

Further research showed that the KB 944043 should be used any time your domain is PREPARED for a 2008 RODC. The solution was presented here: http://blogs.technet.com/askds/archive/2009/10/19/admt-rodc-s-and-error-800704f1.aspx

So if you want to keep your 2008 domain at a higher level of security and bring in those computers from another domain, check out KB 944043, grab those patches and see if it resolves the issue for you!