Category Archives: General

General stuff, usually just stuff related to networking and admin.

Addendum: Getting started with Azure Active Directory Sync – UPN Suffix


In this post we’ll briefly explore using UPN (UserPrincipalName) suffix matching when configuring Azure Active Directory Sync Services. This configuration may look like the silver bullet for getting users synchronised into Azure AD correctly, but it can also cause problems if you don’t consider the rest of your infrastructure and how it may rely on the existing UPN suffix. I’d ask that you read this entry through before making any changes to your on-premises AD.


Getting started with Azure Active Directory Sync Part 3

Part 3: Getting started with Azure Active Directory Sync – Mopping up

Part 1: Getting started with Azure Active Directory Sync – Tools

Part 2: Getting started with Azure Active Directory Sync – Actually doing it

So, after completing the last mammoth post, we now have synchronisation working (for the most part) but we do have one user called Outside Azure that has picked up the default Azure AD domain suffix, which isn’t what we want, so we’ll explore a couple of ways of remedying this.

During the set up process, we also created two accounts, one in the on-premises AD and one in Azure AD; both are used by the synchronisation process. Now, best practice suggests we should change these passwords every 30 days, but the reality is that we live in the real world. I’d like to think we all enjoy the luxury of waiting for our passwords to expire so we can reset them and keep our systems safe from information disclosure, but most of us will want to know how to stop these passwords from expiring. This isn’t recommended per se (once the sync accounts stop expiring, nothing forces a rotation, so you have to keep an eye on them yourselves) but I’m going to tell you how to do it nonetheless.
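The two settings described above, as an added example that is not the author’s code. It assumes the ActiveDirectory RSAT module for the on-premises account and the MSOnline module (Connect-MsolService) for the Azure AD account; the account names are placeholders. Because the flag removes the only thing forcing a rotation, the second half audits both directories for non-expiring passwords older than a threshold, which is the check I would want running if I did this in production.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory and
# MSOnline modules are installed. Account names below are placeholders.
Import-Module ActiveDirectory
Import-Module MSOnline

$OnPremSyncAccount = 'svc-aadsync'                  # placeholder sAMAccountName
$AzureSyncAccount  = 'Sync_Admin@transishun.co.uk'  # placeholder UPN

# On-premises: mark the account so the domain password policy no longer expires it.
Set-ADUser -Identity $OnPremSyncAccount -PasswordNeverExpires $true

# Azure AD: the same flag on the cloud account the sync tool signs in with.
Connect-MsolService
Set-MsolUser -UserPrincipalName $AzureSyncAccount -PasswordNeverExpires $true

# Compensating control: with expiry switched off, nothing forces a rotation, so
# report every enabled, non-expiring account whose password is older than a
# threshold you are prepared to live with.
$MaxAgeDays = 90
$cutoff     = (Get-Date).AddDays(-$MaxAgeDays)

Write-Host "On-premises accounts with PasswordNeverExpires and a password older than $MaxAgeDays days:"
Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' -Properties PasswordLastSet |
    Where-Object { $_.PasswordLastSet -lt $cutoff } |
    Select-Object SamAccountName, PasswordLastSet |
    Format-Table -AutoSize

Write-Host "Azure AD accounts with PasswordNeverExpires and a password older than $MaxAgeDays days:"
Get-MsolUser -All |
    Where-Object { $_.PasswordNeverExpires -and $_.LastPasswordChangeTimestamp -lt $cutoff } |
    Select-Object UserPrincipalName, LastPasswordChangeTimestamp |
    Format-Table -AutoSize
```

Run the two audit queries from a scheduled task rather than by hand; the point of them is that the sync accounts show up in the same report as every other service account somebody once set to never expire and then forgot about.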

Getting started with Azure Active Directory Sync Part 2

Part 2: Getting started with Azure Active Directory Sync – Actually doing it

Part 1: Getting started with Azure Active Directory Sync – Tools

Part 3: Getting started with Azure Active Directory Sync – Mopping up

In order to do this part, I have to make certain assumptions about your environment. If this isn’t exactly true for you, sorry, but hopefully you can adapt the information here to suit.

The PRIMARY assumption here is that you want your users to log on to Azure AD using their externally routable primary email address. This will be the same as the mail attribute of their on-premises AD user object. My on-premises AD users log in using a format like this: lroberts@transishun.local but their primary email address is lewis.roberts@transishun.co.uk. I want them to log in to Azure AD using their external email address. The screenshots below might explain this better.

So, what if you don’t want to sync with the users’ primary email address and you’re happy to use the users’ normal username with the external domain? The other option is to add a UPN suffix to your forest for the external domain, but then users would need to log on to Azure AD using username@[thenewUPN] instead of their, presumably more memorable, email address. You can add a new UPN suffix in Active Directory Domains and Trusts – Google it. ;-) If I were adding a new UPN suffix in the following examples, instead of using the mail attribute for Azure AD usernames, I would add the transishun.co.uk suffix in my on-premises AD and configure Azure AD Sync Services to use the UserPrincipalName attribute instead of mail. If this doesn’t make sense now, do the following steps in a test environment first, then read my series addendum post.
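The UPN-suffix route described above, as an added example (not the author’s code). It assumes the ActiveDirectory RSAT module and reuses the post’s transishun.co.uk suffix. Rather than rewriting UPNs straight away, it first reports how each enabled user’s current UPN, mail attribute and proposed new UPN line up, because a user with an empty mail attribute, or a mail domain that differs from the UPN suffix, is exactly the one who ends up with the default onmicrosoft.com suffix or fails to sign in after the change.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$ExternalSuffix = 'transishun.co.uk'   # the routable domain, as in the post

# 1. Register the suffix on the forest if it isn't already there.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $ExternalSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $ExternalSuffix }
}

# 2. Pre-flight report: compare what the sync tool would see under each option.
$report = Get-ADUser -Filter 'Enabled -eq $true' -Properties mail, userPrincipalName |
    ForEach-Object {
        $mailDomain = if ($_.mail) { ($_.mail -split '@')[-1] } else { $null }
        $upnDomain  = if ($_.UserPrincipalName) { ($_.UserPrincipalName -split '@')[-1] } else { $null }
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            CurrentUPN     = $_.UserPrincipalName
            Mail           = $_.mail
            ProposedUPN    = "$($_.SamAccountName)@$ExternalSuffix"
            MailIsEmpty    = [string]::IsNullOrEmpty($_.mail)        # would fall back to the default Azure AD domain
            DomainsAgree   = ($mailDomain -and ($mailDomain -ieq $upnDomain))
        }
    }

# Users who will behave differently depending on which attribute you sync.
$report | Where-Object { $_.MailIsEmpty -or -not $_.DomainsAgree } | Format-Table -AutoSize

# 3. Only once the report looks right: rewrite the suffix. Run with -WhatIf first,
#    then drop it. Anything that authenticates by UPN (implicit UPN logons, federation
#    claims, certificate mapping) sees the new value immediately.
$report | ForEach-Object {
    Set-ADUser -Identity $_.SamAccountName -UserPrincipalName $_.ProposedUPN -WhatIf
}
```

Keep the report output: it is the list you will need if something that keyed on the old UPN suffix breaks after the change and you have to roll individual users back.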


Getting started with Azure Active Directory Sync Part 1

Part 1: Getting started with Azure Active Directory Sync – Tools

Part 2: Getting started with Azure Active Directory Sync – Actually doing it

Part 3: Getting started with Azure Active Directory Sync – Mopping up

I’ve recently been involved in setting up an Azure Active Directory service and syncing it with an on-premises AD. The process is made to seem straightforward in Microsoft’s documentation but the management tools you need to download and install before you can successfully manage it are not well documented and in some cases, buggy too!

In order to administer your Microsoft Azure Active Directory, you’ll need to obtain these downloads.

PowerShell .NET and GUI Interfaces

I’ve been grabbing a bit of software from TechNet (you know, that thing Microsoft are shutting down! <_<) and alongside their download links they provide SHA1 hashes of the ISOs. I had a quick look around the web for something that would give me the SHA1 hash of a file and, while I found a few, I didn’t find any that let you paste in the published hash and compare it with the computed one, so I decided to write one myself. As with any opportunity, I decided to use PowerShell and .NET with Windows Forms to build a GUI rather than a text-based tool. Sacrilege to PowerShell purists, but it’s a limited-feature tool and I wanted to learn something new, so here’s the code.
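The hash-and-compare step the tool performs, as an added example that is not the author’s Windows Forms code. It uses the .NET HashAlgorithm classes directly so it runs on any Windows PowerShell version, streams the file rather than loading it into memory, and normalises the pasted value (case, spaces, colons, an `SHA1:` prefix) before comparing. SHA1 is the default because that is what TechNet published; pass `-Algorithm SHA256` whenever the provider offers it, since SHA1 is no longer collision-resistant. The self-check at the end writes a temporary file whose SHA1 is known.

```powershell
# Added example, not the tool from the post. Pure PowerShell + .NET, no GUI.
function Test-FileHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedHash,
        [ValidateSet('SHA1', 'SHA256', 'SHA384', 'SHA512', 'MD5')]
        [string] $Algorithm = 'SHA1'
    )

    $resolved = (Resolve-Path -LiteralPath $Path).ProviderPath
    $hasher   = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream   = [System.IO.File]::OpenRead($resolved)
    try {
        # Stream the file so multi-GB ISOs don't need to fit in memory.
        $bytes = $hasher.ComputeHash($stream)
    }
    finally {
        $stream.Dispose()
        $hasher.Dispose()
    }
    $actual = [BitConverter]::ToString($bytes).Replace('-', '').ToLowerInvariant()

    # Normalise the published value: strip an algorithm prefix such as "SHA1:" or
    # "sha-256 =", then any spaces, colons or dashes between byte pairs.
    $expected = ($ExpectedHash -replace '^(sha-?\d+|md5)\s*[:=]\s*', '' -replace '[\s:-]', '').ToLowerInvariant()

    # A length mismatch means a truncated paste or the wrong algorithm; surface it
    # separately so the user doesn't just see "no match" and assume a bad download.
    [pscustomobject]@{
        Path      = $resolved
        Algorithm = $Algorithm
        Actual    = $actual
        Expected  = $expected
        LengthOK  = ($expected.Length -eq $bytes.Length * 2)
        Match     = ($actual -eq $expected)
    }
}

# Self-check with constructed input: SHA1("hello") is a well-known value.
$tmp = [System.IO.Path]::GetTempFileName()
[System.IO.File]::WriteAllText($tmp, 'hello')   # UTF-8, no BOM
try {
    Test-FileHash -Path $tmp -ExpectedHash 'SHA1: AAF4C61D DCC5E8A2 DABEDE0F 3B482CD9 AEA9434D'  # Match = True
    Test-FileHash -Path $tmp -ExpectedHash 'aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d' -Algorithm SHA256  # LengthOK = False
}
finally {
    Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue
}

# Real use:
# Test-FileHash -Path .\downloaded.iso -ExpectedHash '<hash from the download page>'
```

Treat a `Match` of `False` with `LengthOK` of `True` as a bad or tampered download and fetch the ISO again; treat `LengthOK` of `False` as a problem with what you pasted or the algorithm you chose, not with the file.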

HTML5 Canvas Scaling

Recently I’ve had some time to fettle with things other than Infrastructure and Windows servers so I’ve decided to do my company website with HTML 5. It’s nothing special but as part of my tinkering, I created a new logo and I thought it’d be cool to re-create it in HTML5 Canvas so it was unique and somewhat versatile.

The process starts out as quite a difficult task. How on earth do you re-create a logo by drawing some lines? Well, to cut a long story short, I opened it up in my favourite vector drawing app (the one I used to create it) and just copied the x,y coordinates of the anchor points on to an HTML5 canvas that was the same size as the artboard the illustration was on.

First you’ll need a canvas element on your HTML5 page.

Windows Server 2012 R2 Upgrades

So I decided to shift all my stuff to a new Windows Server 2012 R2 box instead of the amalgamation of Fedora 18, nginx, haproxy and a Windows Server 2008 R2 server hosting my web and FTP sites. They worked well as a reverse proxy when I had SSL sites using the same certificate hosted on Linux and Windows servers so I have no complaints, it was just getting a bit long in the tooth and I think my Fedora installation is a couple of releases behind now so patches are few and far between. I’ve had my Fedora installation since something like version 12 but it seemed timely to move from Linux since Fedora have lost the ability to upgrade easily like in the previous six releases. Plus, I get to kill off a number of cross-platform VMs and consolidate everything to a single box. High Availability and Disaster Recovery? At home? Pah.

When Windows Server 2012 came out, I installed it and, well, it was just a non-starter for me. I was left so frustrated with the stupid omission of any kind of Start button that I refused to use it for personal use. Stabbing at 4 pixels in the bottom left corner of the screen or moving my left hand to press the button on the keyboard is already a Bad Idea™ but clearly whoever thought of it had never even considered that people use RDP or vSphere console windows which your mouse flows out of! Even if I Full Screen an RDP session, what if I have a second or, heaven forbid, a third monitor? Having what amounts to a button made up of 4 pixels to hit is utter stupidity. The screenshot below is Windows 8.1 running in a VM with VMware Tools installed – look Microsoft, my mouse moves out of the console seamlessly so placing my mouse on an “edge” isn’t easy.

[Screenshot: Windows81]

Of course the businesses I work for are a different story so it’s not like I haven’t had exposure to (and frustration with) Windows Server 2012 but thankfully R2 brings a Start button back.

I realise Microsoft want us to run their server in non-GUI mode (for security purposes) but it’s unrealistic to expect a generation of Windows administrators to suddenly abandon their knowledge and intrinsic understanding of a Microsoft OS to learn PowerShell administration where it is far easier to make a horrible mess. I’m pretty solid with PowerShell but I have no desire to configure a Windows Server using it. If I had to create 50 servers exactly the same, perhaps. Also, it’s called Windows not Commands, so ner.

[Screenshot: 2012R2Start_button]

So, Windows Server 2012 R2 seems pretty good. I’ve had some interesting challenges with abnormally terminating connections to FTPS and FTPES servers hosted in IIS but it seems to be related to the client I was using and, well, if the owner of said FTP client refuses to provide a solution to a problem that clearly a large number of people are experiencing (And only with his app), I’ll just use something else and recommend something else too if people ask.

I’m about to embark on a similar approach to consolidation with Windows 8.1 (I have a Windows 7 and Windows 8 box which I’ll consolidate to just the one 8.1) and, who knows, it might even end up on my laptop or desktop! *Gasp* Soon I’ll build out a domain and test out some of that new functionality like failover DHCP, data deduplication and a supposedly simplified DirectAccess setup – which were available in 2012 already but since I didn’t enjoy using it, I didn’t play.

– Lewis

Managed Service Accounts in Windows 2012

One for the notebook if you tend to use Managed Service Accounts extensively and eventually end up implementing them in a Windows Server 2012 environment.

For Windows Server 2012, the Windows PowerShell cmdlets default to managing the group Managed Service Accounts instead of the original standalone Managed Service Accounts.

A useful alteration, but surely keeping the original default and extending the cmdlet would have made it less likely that those of us who use MSAs regularly end up smashing up keyboards.
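The change described above, as an added example that is not from the original post. It shows what `New-ADServiceAccount` creates on Windows Server 2012 with no extra switches (a group Managed Service Account) next to the explicit standalone form, and how to tell the two apart afterwards by object class. Account, computer and group names are placeholders, and the `.local` DNS name follows the post’s lab domain; it assumes the ActiveDirectory RSAT module.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Standalone MSA, the 2008 R2 style object. On 2012 you must ask for it explicitly;
# it is bound to a single computer and needs no DNS host name.
New-ADServiceAccount -Name 'svc-legacy' -RestrictToSingleComputer
Add-ADComputerServiceAccount -Identity 'APP01' -ServiceAccount 'svc-legacy'

# Group MSA, which is what New-ADServiceAccount creates when you leave that switch
# off. It requires a DNSHostName and the principals allowed to fetch the password,
# and the forest must already have a KDS root key:
#   Add-KdsRootKey -EffectiveImmediately
# (-EffectiveImmediately is for labs; in production the key only becomes usable
# once it has replicated, roughly ten hours later.)
New-ADServiceAccount -Name 'gmsa-web' -DNSHostName 'gmsa-web.transishun.local' `
    -PrincipalsAllowedToRetrieveManagedPassword 'WebServers'

# Tell the two kinds apart later: the object class is the giveaway.
#   msDS-ManagedServiceAccount      -> standalone
#   msDS-GroupManagedServiceAccount -> group
Get-ADServiceAccount -Filter * -Properties ObjectClass, HostComputers |
    Select-Object Name, ObjectClass, HostComputers |
    Format-Table -AutoSize

# On the member server that will run the service:
#   Install-ADServiceAccount -Identity 'svc-legacy'   # standalone only; gMSAs are not "installed"
#   Test-ADServiceAccount    -Identity 'gmsa-web'     # True if this host may retrieve the password
```

If a script written for 2008 R2 suddenly starts failing with complaints about a missing DNSHostName or KDS root key, this default change is the first thing to check: add `-RestrictToSingleComputer` and the old behaviour comes back.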

-Lewis