Category Archives: Windows Server 2016

Free online courses and e-books available at systemplus.gr

We are really glad to inform you that we recently published some FREE online Microsoft courses and e-books at our course e-shop!

These courses are related to Azure, Windows Server, System Center and give you a great opportunity to start your training at no cost. Just use the word “FREE” as a coupon code during checkout.

It’s a good idea to bookmark the URL of our e-shop, as we are now adding courses and e-books on a daily basis.

Don’t waste your time, start your training now here:
https://systemplus.gr/product-category/free-courses-books/

Do not forget to also take a look at our paid courses that are offered at special prices.

Thanks!

#AzureAD Connect and the on-premises AD Recycle Bin: What do you need to know about the sourceAnchor attribute

Starting from Windows Server 2008 R2, we have had the really useful option of enabling the Active Directory Recycle Bin. After all these years you should be familiar with that option, since we have been talking about this topic for the last 8 years or so.

If you just want to refresh your memory and learn about the on-premises AD Recycle Bin, you can take a look at this article.

But wait: these days it is common to sync our on-premises AD objects to the cloud using AAD Connect, so how does this feature relate to our "local" AD Recycle Bin?

The story here is really simple: if you accidentally delete an on-premises AD user object and restore it using the AD Recycle Bin, Azure AD restores the corresponding Azure AD user object. So let's dig a little deeper into this topic and check all the different options that we get:

  • If you accidentally delete an on-premises AD user object, the corresponding Azure AD user object will be deleted in the next sync cycle. By default, Azure AD keeps the deleted Azure AD user object in a soft-deleted state for 30 days.

  • If you have the on-premises AD Recycle Bin feature enabled, you can restore the deleted on-premises AD user object without changing its sourceAnchor value. When the recovered on-premises AD user object is synchronized to Azure AD, Azure AD restores the corresponding soft-deleted Azure AD user object.

  • If you do not have the on-premises AD Recycle Bin feature enabled, you may have to create a new AD user object to replace the deleted one. If the Azure AD Connect Synchronization Service is configured to use a system-generated AD attribute (such as objectGUID) as the Source Anchor attribute, the newly created AD user object will not have the same Source Anchor value as the deleted one. When the newly created AD user object is synchronized to Azure AD, Azure AD creates a new Azure AD user object instead of restoring the soft-deleted one. So in practice you have created a brand new account, and the original AD object cannot be restored. Remember: by default, Azure AD keeps deleted Azure AD user objects in a soft-deleted state for 30 days before they are permanently deleted. However, administrators can accelerate the deletion of such objects. Once the objects are permanently deleted, they can no longer be recovered, even if the on-premises AD Recycle Bin feature is enabled.
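The following PowerShell is an added example, not code from the original article: it walks through the Recycle Bin scenario described above, checks that the feature is enabled, restores a deleted user, confirms the objectGUID did not change, and compares the resulting immutableId with the one Azure AD holds. The account name, UPN and domain are hypothetical; it assumes the ActiveDirectory and AzureAD modules and sufficient rights on-premises and in the tenant.

```powershell
# Added example (not from the original article). Assumptions: hypothetical
# user 'cspanougakis' with UPN 'chris@contoso.example'; ActiveDirectory and
# AzureAD modules installed; run by an admin on a domain-joined machine.

Import-Module ActiveDirectory

$sam = 'cspanougakis'             # hypothetical on-premises sAMAccountName
$upn = 'chris@contoso.example'    # hypothetical UPN of the same user

# 1. Is the AD Recycle Bin enabled? Without it a deleted user is only a
#    tombstone and cannot be brought back with the same objectGUID.
$rb = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    Write-Warning 'AD Recycle Bin is NOT enabled; a restore will not preserve the sourceAnchor.'
}

# 2. Locate the deleted object. Deleted objects are only returned when
#    -IncludeDeletedObjects is specified.
$deleted = Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(sAMAccountName=$sam))" `
    -IncludeDeletedObjects -Properties objectGUID, 'msDS-ConsistencyGuid', lastKnownParent
if (-not $deleted) { throw "No deleted object found for $sam" }
$guidBefore = $deleted.ObjectGUID

# 3. Restore it. objectGUID (and msDS-ConsistencyGuid, if populated) survive
#    the restore, so the sourceAnchor stays the same.
Restore-ADObject -Identity $deleted.ObjectGUID
$restored = Get-ADUser -Identity $sam -Properties 'msDS-ConsistencyGuid'
if ($restored.ObjectGUID -ne $guidBefore) {
    throw 'objectGUID changed: Azure AD would create a new object instead of restoring the old one'
}

# 4. Azure AD stores the immutableId as the Base64 encoding of the 16 bytes
#    of the sourceAnchor. Compute it from both candidate attributes.
$fromObjectGuid      = [Convert]::ToBase64String($restored.ObjectGUID.ToByteArray())
$fromConsistencyGuid = $null
if ($restored.'msDS-ConsistencyGuid') {
    $fromConsistencyGuid = [Convert]::ToBase64String([byte[]]$restored.'msDS-ConsistencyGuid')
}

# 5. Compare with what the tenant holds for the user.
Connect-AzureAD | Out-Null
$cloud = Get-AzureADUser -ObjectId $upn
[pscustomobject]@{
    ObjectGUID           = $restored.ObjectGUID
    ImmutableIdFromGuid  = $fromObjectGuid
    ImmutableIdFromMsDS  = $fromConsistencyGuid
    ImmutableIdInAzureAD = $cloud.ImmutableId
    Match                = ($cloud.ImmutableId -in @($fromObjectGuid, $fromConsistencyGuid))
}
```

If `Match` is `True` after the next sync cycle, the soft-deleted cloud object was restored rather than replaced; a `False` here, with a different objectGUID, is exactly the "brand new account" case from the last bullet.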

sourceAnchor
As we said above, with the AD Recycle Bin you can restore an object without changing its sourceAnchor value. The sourceAnchor attribute is defined as an attribute that is immutable during the lifetime of an object: it uniquely identifies an object as being the same object on-premises and in Azure AD. The attribute is also called immutableId, and you will often see both names used. In practice this attribute cannot be changed, so you should have a clear idea of how things work here.

This attribute is used during the following cases:

  • When a new sync engine server is built (a new sync between your on-premises AD and Azure AD), or rebuilt after a disaster recovery scenario, this attribute links existing objects in Azure AD with objects on-premises.
  • If you move from a cloud-only identity to a synchronized identity model, then this attribute allows objects to "hard match" existing objects in Azure AD with on-premises objects.
  • If you use federation, then this attribute together with the userPrincipalName is used in the claim to uniquely identify a user.

It's really important to select the appropriate attribute, since, as we said, it cannot be changed later. The attribute value must:

  • Be less than 60 characters in length
    • Characters other than a-z, A-Z, or 0-9 are encoded and counted as 3 characters
  • Not contain a special character: \ ! # $ % & * + / = ? ^ ` { } | ~ < > ( ) ' ; : , [ ] " @ _
  • Be globally unique
  • Be either a string, integer, or binary
  • Not be based on the user's name, because user names sometimes change
  • Not be case-sensitive; avoid values that may vary by case
  • Be assigned when the object is created

Remember: The sourceAnchor attribute is case-sensitive. A value of “chrisSpanougakis” is not the same as “chrisspanougakis”.

If you have a single forest on-premises, then the attribute you should use is objectGUID. This is also the attribute used when you choose express settings in Azure AD Connect, and the attribute used by the old DirSync. Generally speaking, in many cases it is recommended to use the objectGUID attribute, even with multiple forests, as long as users are not moved between forests.

Is it possible to change the sourceAnchor attribute?
No. As soon as you create the object and sync it to Azure AD, it is no longer possible to change it. If you want to change it, you have to uninstall and reinstall Azure AD Connect. If you install another Azure AD Connect server, then you must select the same sourceAnchor attribute as previously used. If you have been using DirSync and move to Azure AD Connect, then you must use objectGUID, since that is the attribute used by DirSync. If the value of sourceAnchor is changed after the object has been exported to Azure AD, Azure AD Connect sync throws an error and does not allow any more changes on that object until the issue has been fixed and the sourceAnchor has been changed back in the source directory.

By default, Azure AD Connect (version 1.1.486.0 and older) uses objectGUID as the sourceAnchor attribute. objectGUID is system-generated: you cannot specify its value when creating on-premises AD objects. Fortunately, there is a workaround: use a configurable AD attribute (for example, msDS-ConsistencyGuid) as the sourceAnchor attribute.

You need Azure AD Connect version 1.1.524.0 or later to be able to use the msDS-ConsistencyGuid attribute. For on-premises AD user objects whose msDS-ConsistencyGuid attribute is not populated, Azure AD Connect writes their objectGUID value back to the msDS-ConsistencyGuid attribute in on-premises Active Directory. Once the msDS-ConsistencyGuid attribute is populated, Azure AD Connect exports the object to Azure AD.

How do we enable the ConsistencyGuid feature?
When installing Azure AD Connect in Express mode, the Azure AD Connect wizard automatically determines the most appropriate AD attribute to use as the sourceAnchor attribute. Since we are talking about a fresh installation of Azure AD Connect, the wizard checks the state of the msDS-ConsistencyGuid attribute in your on-premises Active Directory. If the attribute is not configured on any object in the directory, the wizard uses msDS-ConsistencyGuid as the sourceAnchor attribute.

But: if the attribute is configured on one or more objects in the directory, the wizard concludes that the attribute is being used by other applications and is not suitable as the sourceAnchor attribute. In this case, the wizard selects objectGUID as the sourceAnchor attribute.

Once the sourceAnchor attribute is decided, the wizard stores the information in your Azure AD tenant. The information will be used by future installations of Azure AD Connect. In practice, when the wizard finishes, you should see something like this:

[Screenshot consistencyguid-01: the wizard's summary showing the selected sourceAnchor attribute]

If you do a custom installation of Azure AD Connect, you have the option to select how users will be identified in Azure AD:

[Screenshot consistencyguid-02: the custom installation page for choosing how users are identified in Azure AD]

Select the first option if you want Azure AD to pick the attribute for you; in that case the Azure AD Connect wizard applies the same logic we described above for the Express installation. The second option lets you select a specific attribute yourself.
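Before picking a specific attribute with the second option, it is worth checking the candidate against the rules listed earlier, and checking whether msDS-ConsistencyGuid is already populated anywhere (the condition the Express wizard uses to fall back to objectGUID). The script below is an added example and not part of the original article or of Azure AD Connect; the search base and the candidate attribute `employeeID` are hypothetical, and it assumes the ActiveDirectory module.

```powershell
# Added example (not from the original article). Assumptions: ActiveDirectory
# module installed; the OU below and the 'employeeID' candidate are hypothetical.

Import-Module ActiveDirectory

function Test-SourceAnchorCandidate {
    param(
        [Parameter(Mandatory)] [string] $Attribute,
        [string] $SearchBase = 'OU=Users,DC=contoso,DC=example'   # hypothetical OU
    )

    # Characters the article lists as forbidden in a sourceAnchor value.
    $forbidden = [char[]]'\!#$%&*+/=?^`{}|~<>()'';:,[]"@_'

    $users    = @(Get-ADUser -Filter * -SearchBase $SearchBase -Properties $Attribute)
    $seen     = @{}
    $problems = New-Object System.Collections.Generic.List[string]

    foreach ($u in $users) {
        $raw = $u.$Attribute
        if ($null -eq $raw -or $raw -eq '') {
            # Must be assigned when the object is created; an empty value cannot anchor anything.
            $problems.Add("$($u.SamAccountName): $Attribute is not populated")
            continue
        }

        # Binary attributes (objectGUID, msDS-ConsistencyGuid) are compared in the
        # Base64 form Azure AD stores as immutableId; strings are used as-is.
        $value = switch ($raw.GetType().Name) {
            'Guid'   { [Convert]::ToBase64String($raw.ToByteArray()) }
            'Byte[]' { [Convert]::ToBase64String($raw) }
            default  { [string]$raw }
        }

        # Length rule: a-z, A-Z, 0-9 count as 1 character, anything else as 3.
        $len = 0
        foreach ($c in $value.ToCharArray()) {
            if ($c -match '[a-zA-Z0-9]') { $len += 1 } else { $len += 3 }
        }
        if ($len -ge 60) { $problems.Add("$($u.SamAccountName): encoded length $len is not below 60") }

        # Forbidden characters apply to the raw string value, not to Base64 of a binary.
        if ($raw -is [string]) {
            $bad = $value.ToCharArray() | Where-Object { $forbidden -contains $_ }
            if ($bad) { $problems.Add("$($u.SamAccountName): forbidden characters $(-join $bad)") }
        }

        # Uniqueness is checked case-insensitively: values that differ only by
        # case are exactly what the article tells you to avoid.
        $key = $value.ToLowerInvariant()
        if ($seen.ContainsKey($key)) {
            $problems.Add("$($u.SamAccountName): duplicate of $($seen[$key])")
        } else {
            $seen[$key] = $u.SamAccountName
        }
    }

    [pscustomobject]@{
        Attribute = $Attribute
        Users     = $users.Count
        Problems  = $problems
        Usable    = ($problems.Count -eq 0)
    }
}

# How many objects already carry msDS-ConsistencyGuid? A non-zero count is what
# makes the Express wizard assume the attribute is in use and fall back to objectGUID.
$inUse = @(Get-ADObject -LDAPFilter '(msDS-ConsistencyGuid=*)').Count
"Objects with msDS-ConsistencyGuid populated: $inUse"

# Evaluate a hypothetical custom candidate and the default for comparison.
Test-SourceAnchorCandidate -Attribute 'employeeID'
Test-SourceAnchorCandidate -Attribute 'objectGUID'
```

Run it against the OUs you intend to sync; any entry in `Problems` for the candidate attribute is a reason to stay with objectGUID or msDS-ConsistencyGuid, since the value you pick here cannot be changed afterwards.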

Change the attribute on an existing installation
If you have an existing Azure AD Connect deployment which is using objectGUID as the Source Anchor attribute, you can switch it to using ConsistencyGuid.

  • Start the Azure AD Connect wizard and click Configure to go to the Tasks screen.

  • Select the Configure Source Anchor task option and click Next.

[Screenshots consistencyguidexistingdeployment01 to 04: the Configure Source Anchor wizard pages]

Thanks for your time!

Ping Access for #AzureAD is now Generally Available


Here I am again in an airport lounge, waiting to catch my flight to Athens, Greece, where I should start delivering tomorrow another MCSA Windows Server 2016 Bundle Course. This one will be delivered in Greek, but if you’re interested, we can deliver courses in English.

Anyway, I thought I could write a blog post about the General Availability of Ping Access for Azure AD. I have written some posts in the past about Ping Access and its great integration with Azure AD, so you can take a look at those articles here.

But what can you do with Ping Access? As the original announcement says, it is a good solution if you need to provide secure remote access to applications that use header-based authentication.

[Image Ping-Access: overview of Ping Access with Azure AD Application Proxy]

And this is how it works. You configure your applications to use PingAccess for Azure AD in just four steps:

  1. Configure Azure AD Application Proxy Connectors
  2. Create an Azure AD Application Proxy Application
  3. Download & Configure PingAccess
  4. Configure Applications in PingAccess

Do not forget to take a look at the documentation that gives you the full idea and detailed instructions on how to perform the steps above.

Thanks for your time!

Do you have the skills to be an MCSA on Windows Server 2016? Try our free test!

You probably want to get certified as an MCSA on Windows Server, but do you have the skills and the technical knowledge?

Find out by trying our free practice test! Just respond to the questions in 5 mins and immediately get the results!

You can find the test here.

Good luck!

Microsoft Official Courses at special prices to get certified


Do you want to attend a Microsoft Official Course and get certified at a special price? Now you have the option to do it.

If you live in Europe and want to get a Microsoft certification, but cannot afford the high course prices in your country, you should consider attending a course at our training center in Greece.

A typical Microsoft course in Greece costs a fraction of the price you would pay in most European countries, mainly because of the cost of living in Greece. For example, an official Microsoft course in Germany could cost around 2500 euros (exam not included), while in Greece the exact same course costs around 1000 euros.

Our offer: we can arrange your accommodation during your stay in Greece, we can arrange transfers to/from the airport at no additional fee, and we can arrange your flights if you need us to.

The courses are delivered in English by our instructors, we provide you with the official Microsoft Learning material (books, labs), and you have the option to sit the exam as soon as you finish the course. So in practice you go back home certified!

Now let's calculate the costs:

  • Microsoft course including lecture and training material = 1000 euros
  • Microsoft exam = 120 euros
  • Accommodation, 6 nights at a 4-star hotel, including breakfast = 500 euros
  • Flight to/from Greece = 250 euros (or even less, some airlines offer tickets as low as 100 euros)
  • Total cost = 1720 to 1870 euros

Having taught Microsoft courses around Europe for 17 years, we are able to offer you the exact same content at a special price. Do not hesitate to contact us, and take a look at the details here: https://systemplus.gr

See you in Atlanta at Microsoft Ignite!

I have been selected to work as a staff member at Microsoft Ignite, Sept. 26-30 in Atlanta, GA.

Here’s why I think it’s valuable to attend:

• Ignite draws some of the sharpest minds in the tech world—hundreds of technology and business leaders. All in one place for five days.

• You can focus on the specific information you need by mixing and matching tracks and sessions in your customized schedule. And there are hundreds of sessions to choose from.

• There are lots of opportunities to connect with people who have business and technology issues similar to ours—and who know the solutions that work. 

• It’s great fuel for thinking about what’s next.

During Microsoft Ignite there will be a lot of sessions related to Windows Server 2016, which will be officially announced there.

And of course, you’ll get detailed information and news, just by following this blog.

Stay tuned! 

New online course for Windows Server 2016

We are announcing the online availability of the official Microsoft technical course with code 10983 and title "Upgrading Your Skills to Windows Server 2016" (total video duration: 12 hours 2 minutes). All videos are in high definition resolution (1920 x 1080) with unlimited streaming.

Install a Nano Server, create DNS Policies, build a stretched cluster, and see what software defined storage is, for the first time in Greece.

The course is also available for classroom attendance.

More information here: http://mcse.gr/10983.html