Tuesday, January 27, 2015

The Imperfect Lab: Letting Additional Administrators Remotely Connect to Servers

An age-old server administration best practice is to make sure that everyone who is administering servers on your network are doing it with their own "admin" credentials.

Up until this point, I've done all my remote Azure sessions (PS-Session) with the built-in administrator account.  This works fine if you are only person connecting remotely to a server. But what if you want to grant others administrative rights to your machine and they would also like to connect remotely?

Your first step would likely be to add them to the local administrators group. Since you've already turned on the "remote management" feature for yourself, you might expect this to work out of the box.

But you probably overlooked this little note in the "Configure Remote Management" box when you enabled remote management - "Local Administrator accounts other than the built-in admin may not have rights to manage this computer remotely, even if remote management is enabled."

That would be your hint that some other force might be at work here.  Turns out that UAC is configured to filter out everyone except the built-in administrator for remote tasks.

A review of this TechNet information gives a little more detail:

"Local administrator accounts other than the built-in Administrator account may not have rights to manage a server remotely, even if remote management is enabled. The Remote User Account Control (UAC) LocalAccountTokenFilterPolicy registry setting must be configured to allow local accounts of the Administrators group other than the built-in administrator account to remotely manage the server."

To open up UAC to include everyone in your local Admins group for remote access, you'll need to make some registry changes.

Follow these steps to manually edit the registry:

  1. Click Start, type regedit in the Start Search box, and then click regedit.exe in the Programs list.
  2. Locate and then click the following registry subkey:
  3. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
  4. On the Edit menu, point to New, and then click DWORD Value.
  5. Type LocalAccountTokenFilterPolicy for the name of the DWORD, and then press ENTER.
  6. Right-click LocalAccountTokenFilterPolicy, and then click Modify.
  7. In the Value data box, type 1, and then click OK.
  8. Exit Registry Editor.

Now you will be able to remotely connect and administer your server using PowerShell with any account you've give Admin rights too for that particular server.  This would hold true for servers in Azure, as well as servers on your local network.

Special shout out to Bret Stateham for bringing this "remote admin road-bump" to my attention. Sometimes what looks like an "Azure" problem, is really a "Server" feature. :-)

Tuesday, January 20, 2015

The Imperfect Lab: Not So SharePointed

On my list of thing to try with the Imperfect Lab was deploying a SharePoint Farm from the new portal since there is this nifty wizard that just does all the work of building the servers for you.  Just a few clicks and boom, SharePoint!

But alas, it was not quite to be. While the portal does do what it claims, produces a test/dev scenario of SharePoint, it's completely isolated.  And completely isolated isn't exactly what I wanted. When you use the portal configuration "wizard" you are prompted for several bits of information that you can't get around.
  1. You are prompted to give a domain name for a new FOREST domain.
  2. You must create a NEW virtual network.

Because I wanted to create a little Imperfect Lab "team site" and experiment a bit with SharePoint 2013, I wanted to use my existing domain and my existing network.  But that isn't an option allowed via the portal "journey", to get what I want, I'll have to build it out the old-fashioned way, one server at a time.

Had I know this before I started this project, I might have considered creating the SharePoint farm first, then using that domain and network as the basis for the rest of my lab projects.  Oh well, that’s why we experiment in the first place right?  Live and learn. I guess I'll swing back around to this SharePoint project a bit later.

Meanwhile, if a completely isolated SharePoint playground is something you need, by all means check out the new Azure portal and give it go.  And if you need more than what the test environment provides, you might find the complete Planning for SharePoint 2013 on Azure Infrastructure Services guide useful.

Friday, January 16, 2015

Early Experts Exam Study Guide for 70-533: Implementing Microsoft Azure Infrastructure Solutions

One of the greatest challenges with certification exams is finding study materials for new exams. To get you started, I've starting pulling together some resources I've collected based off the targets skills listed for 70-533.

Exam 70-533 is one of three exams that can be successfully passed to complete the Microsoft Specialist certification on Microsoft Azure.  The other exams in this series include:

70-532, Developing Microsoft Azure Solutions
70-534, Architecting Microsoft Azure Solutions

This exam guide is not intended as a replacement for any formal training on Microsoft Azure or for this exam that might come available in the future, however we all have to start somewhere, right? You can find the PDF version of the exam guide here and it will be updated as I collect additional resources.

If you also plan to prepare for Exam 70-532, you can find some study resources at:
If you plan to prepare for Exam 70-534, check out these resources:
If you are looking for study resources for other Microsoft certifications and  you didn't get here from there already, check out http://EarlyExperts.net for other study guides and information.

Windows Server 2003 Still Around? Check out some useful webcasts!

Ah, Windows Server 2003, that sturdy workhorse that just keeps going and going.  If you still have a server or two chugging along, you might find some of these upcoming webcasts of interest.


For additional information, you can also visit Microsoft Virtual Academy for some on-demand courses.




Wednesday, January 14, 2015

The Imperfect Lab: Syncing AD to Azure AD

Today I decided to ease myself into my next steps and build out a member server to sync AD to.  I reused some previous PowerShell to deploy a member server and join it to my domain.  It is possible to run the sync services on an existing domain controller, but as a best practice I don't like to install one-off applications on my domain controllers.  I like to keep them identical, thus the need for different member server to perform the sync role.

I had previously uploaded the Microsoft Azure AD Sync Services (aka AADSync) application to my Azure file share, but you can find it at http://aka.ms/azureadsync.  You will want to install and run the Microsoft Azure AD Connection Tool.  Please note that Microsoft Azure AD Sync Services is DIFFERENT from Windows Azure Active Directory Sync (aka DirSync)

Once the Sync Server is built, you will want to kick off the installation of the application, but not before you'd made some adjustments to your Azure Directory.  In the Portal, I went to my directory and created a new user account to be my Azure AD Administrator (newuser@imperfectlab.com) and made it a Global Administrator.  You will also need to go through the sign-in process to set a non-temporary password.

Once you have this account, you simply need to throw the switch under "Directory Integration -> Directory Sync" from Inactive to Active.  Once the setting is saved, the "Last Sync" field will say "never synced".  Now go over to your sync server and run that connection tool.

You'll need the account and credentials you created for the new Azure AD Admin and some information about your domain.  For the addition of the forest, you'll need your domain name and the username and password of a enterprise domain admin from your local domain.  This will be different than the account your created directly in Azure AD.

Leave the User Matching page at the defaults but select "Password Synchronization" from the Optional Features. Finally, review your configuration screen and verify that "Synchronize Now" is checked and click finish.  At this point, your users should sync into Azure AD and after a few minutes you'll see a list of them in the portal.

If you want to make any changes to the settings of your AD Sync, like adding in a feature, simply rerun the tool after disabling the Azure AD Sync Task in Task Scheduler.  The task will be re-enabled automatically when you finish the wizard again.

If you want to force a sync for Azure AD Sync Services for any reason, the default location of the command line tool is:
c:\program files\microsoft azure ad sync\bin\directorysyncclientcmd [initial|delta]


Happy Syncing!