Marc Lognoul's IT Infrastructure Blog

Cloudy with a Chance of On-Prem



Office 365: MS Directory Synchronization Tool Comparison

Introduction

Over time, the number of free tools provided by Microsoft for synchronizing (and sometimes syncing back) on-premises AD and Azure AD has grown to three (not to mention the Azure Active Directory Connector for FIM 2010 R2):

  • Directory Sync aka DirSync
  • Azure AD Sync aka AADSync
  • Azure AD Connect aka AADConnect

While the first is apparently set for retirement and the other two are expected to ultimately merge, it is still valuable to have a good idea of their capabilities and constraints before making the right choice for each implementation.

I will later publish the upgrade paths from DirSync to AADConnect.

Tool Comparison

The table hereunder is an attempt to compare them as comprehensively as possible. Please note that 95% of the credit for this comparison table goes to French Directory Services MVP Maxime Rastello. Here is his original French article: DirSync vs Azure AD Sync vs Azure AD Connect : lequel choisir ? (DirSync vs Azure AD Sync vs Azure AD Connect: which one to choose?)

Note: I will try to keep this table as up to date as possible at the following location: Office 365: MS Directory Synchronization Tool Comparison.

Tools | Directory Sync (DirSync) | Azure AD Sync (AADSync) | Azure AD Connect (AADConnect)
--- | --- | --- | ---
Capabilities: General | | |
Latest Version Download | 1.0.7020.0000 (07/31/2014) | 1.0.0494.0501 (05/02/2015) | 1.0.628.2 Public Preview 2 (03/20/2015)
Version History | TechNet Wiki Article | MSDN Article | Not Currently Officially Available
Multi-Domain Sync | Yes | Yes | Yes
Multi-Forest Sync | No | Yes | Yes
Filtering by OU | Yes | Yes | Yes
Filtering by Attributes | Yes | Yes | Yes
Customizable Attribute Set | Yes But Not Supported | Yes | Yes
Customizable Sync Rules | Yes | Yes | Yes
Capabilities: Sync On-Premises to Cloud | | |
Users | Yes | Yes | Yes
Contacts | Yes | Yes | Yes
Security Group | Yes | Yes | Yes
Distribution Group | Yes | Yes | Yes
Password | Yes | Yes | Yes
Extended Attributes | No | No | Yes (Requires Azure AD Premium)
Devices | No | No | Yes (Requires Azure AD Premium)
Capabilities: Sync Cloud to On-Premises | | |
Users | No | No | Yes (Requires Azure AD Premium)
Contacts | No | No | Future Release
Security Group | No | No | Future Release
Distribution Group | No | No | Future Release
Password (Write-back) | No | Yes (Requires Azure AD Premium) | Yes (Requires Azure AD Premium)
Office 365 Group | No | No | Yes (Requires Azure AD Premium)
Devices | No | No | Yes (Requires Azure AD Premium)
Capabilities: Interoperability | | |
Office 365 UPN Selection | Yes But Not Supported | Yes | Yes
Hybrid Exchange Migration Support | Yes But Single-Forest Only | Yes But Single-Forest Only | Yes
3rd Party LDAP Server Support | No | No | Future Release
Assistance to ADFS Set-up | No | No | Yes
Capabilities: Manageability | | |
PowerShell Cmdlets | Yes | Yes | Yes
Staging Mode | No | No | Yes
Requirements | | |
Hosting Server Operating System | Windows Server 2008 64-bit with SP1 or later; Windows Server 2008 R2 with SP1 or later; Windows Server 2012; Windows Server 2012 R2 | Windows Server 2008 64-bit with SP1 or later; Windows Server 2008 R2 with SP1 or later; Windows Server 2012; Windows Server 2012 R2 | Windows Server 2008 R2 with SP1 or later; Windows Server 2012; Windows Server 2012 R2
Hosting Server .Net Framework | v3.5 Service Pack 1; v4.5.1 | v4.5.1 | v4.5.1
Hosting Server Domain Membership | Member Server; Domain Controller (Same Forest) | Workgroup; Member Server; Domain Controller | Member Server; Domain Controller (Same Forest)
AD Functional Level | Windows Server 2003 or Higher | Windows Server 2003 or Higher | Windows Server 2003 or Higher
Domain Controller Operating System | Windows Server 2003 with SP1; Windows Server 2008 64-bit with SP1 or later; Windows Server 2008 R2 with SP1 or later; Windows Server 2012; Windows Server 2012 R2 | Windows Server 2003 with SP1; Windows Server 2008 64-bit with SP1 or later; Windows Server 2008 R2 with SP1 or later; Windows Server 2012; Windows Server 2012 R2 | Windows Server 2008 R2 with SP1 or later; Windows Server 2012; Windows Server 2012 R2

Note: the SSO with AD FS option requires Windows Server 2012 or higher.

Additional Information



SharePoint 2013: SharePoint-Hosted Apps vs. ADFS 2.0

When planning the deployment of SharePoint-hosted Apps combined with ADFS 2.0-based authentication, you are likely to hit a particularly nasty limitation: the ADFS 2.0 protocol does not support wildcard-based endpoints. The blog posts hereunder detail what happens, how to work around it or, finally, how to move your apps to provider-hosted mode:

I am just the messenger here, therefore kudos go to @jonathanorroi and @wictor!


PowerShell: Testing if the Logged On User is Really Admin


Since the introduction of User Account Control (UAC) with Windows Vista/Server 2008, scripters have to deal with detecting whether the user executing commands or scripts is effectively granted the necessary privileges, i.e. is running with elevated privileges.

While you can find plenty of snippets and functions on the Internet to achieve this goal, the reasons why I use the one hereunder are the following:

  • It is compatible with all (decently recent) Windows versions
  • It works with all languages since no names are used
  • It is fairly fast: the speed directly depends on the user’s token size

Function IsCurrentUserElevated()
{
    [bool]$IsElevated = $False
    # Windows versions before Vista/Server 2008 (major version < 6) have no UAC:
    # membership of the Administrators group (well-known SID S-1-5-32-544) is enough.
    If ([System.Environment]::OSVersion.Version.Major -lt 6)
    {
        $IsElevated = [bool]((whoami /groups /SID) -match "S-1-5-32-544")
    }
    Else
    {
        # With UAC, a non-elevated administrator's token still lists S-1-5-32-544
        # (flagged "deny only"), so additionally require the High integrity level
        # (S-1-16-12288) that an elevated token carries. Note that a SYSTEM-level
        # token runs at System integrity (S-1-16-16384) and is not matched here.
        $IsElevated = [bool]((whoami /groups) -match "S-1-5-32-544") -and [bool]((whoami /groups) -match "S-1-16-12288")
    }
    Return $IsElevated
}

Note: If someone has a native PowerShell replacement for fetching a user token, please let me know ;).
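As an added example that is not part of the original post, here is a native .NET-based alternative to parsing the output of whoami. It needs no OS-version branch because WindowsPrincipal.IsInRole() ignores the deny-only Administrators SID that a UAC-filtered token carries, and it stays language-independent because WindowsBuiltInRole.Administrator maps to the well-known SID S-1-5-32-544 rather than to a localized group name. The function name is my own.

```powershell
# Added example (not from the original post): native replacement for the
# whoami-based elevation check, using the current thread's Windows token.
Function Test-IsElevated {
    [CmdletBinding()]
    [OutputType([bool])]
    param()

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # Under UAC the non-elevated token still contains BUILTIN\Administrators, but
    # flagged "use for deny only"; IsInRole() ignores deny-only groups, so this is
    # $true only for an elevated token (or on pre-UAC systems, for any admin).
    $isElevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # For troubleshooting, also report whether the account is an Administrators
    # member at all: the filtered token usually keeps the SID in its group list.
    $adminSid = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
    $inAdminGroup = $identity.Groups -contains $adminSid
    Write-Verbose ("Token user: {0}; Administrators member: {1}; elevated: {2}" -f
        $identity.Name, $inAdminGroup, $isElevated)

    return $isElevated
}

# Usage: abort early instead of failing half-way through a privileged change.
if (-not (Test-IsElevated)) {
    Write-Error 'This script must be run from an elevated PowerShell session.'
    return
}
```

Calling the function with -Verbose distinguishes the two cases that matter in practice: an account that is not an administrator at all, and an administrator whose token has not been elevated through UAC.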

Additional information:


Networking: Microsoft has Released Message Analyzer


Yesterday, Microsoft released the successor to Network Monitor: Message Analyzer.

Beyond the name change, Message Analyzer comes with a brand new way of capturing and analyzing network traffic: instead of capturing at a very low level and then filtering the flows to identify the useful ones, it lets you capture closer to the protocol or OSI layer you are interested in. As the screenshot hereunder shows, there are plenty of pre-configured layers or protocols (HTTP, Windows Firewall, File & Print Sharing, network adapter…). This greatly simplifies analysis and reduces the impact on system resources as well.

[Screenshot: Message Analyzer]

The capture’s details are also much easier to read, as the screenshot hereunder depicts.

[Screenshot: Message Analyzer]

Finally, the footprint is also reduced and the whole application is less intrusive since it does not require installing a filtering driver. Instead, it leverages the Event Tracing for Windows (ETW) infrastructure. Unfortunately, this also means that the minimal OS requirement is Windows 7/Windows Server 2008.

More Information


Windows: The Underestimated Ambiguous Name Resolution (ANR) Search in Active Directory


Introduction

Very recently I’ve been troubleshooting an issue related to LDAP queries against Active Directory using .Net’s System.DirectoryServices namespace. I was surprised to see that the main query used an LDAP filter (the equivalent of an SQL WHERE clause) concatenating different conditions in order to find a user by its usual attributes such as display name, first name, last name, email address…

Active Directory Domain Services as well as Active Directory Lightweight Directory Services both come with a handy feature for searching through well-known user attributes in a simplified manner: Ambiguous Name Resolution (ANR). Exchange and Outlook specialists know it very well since it is the feature used when Outlook looks up a recipient in the Global Address List (GAL).

Let’s start with an example (assuming you’re familiar with LDAP filter syntax). Say that in your code you wish to search for a user whose name (first, last or whatever) is “Bishop”; with plain LDAP syntax, the filter would look something like:

(&(objectClass=user)(|(name=bishop)(displayName=bishop)(mail=bishop)(sn=bishop)(samAccountName=bishop)(proxyAddresses=bishop)))

Using ANR, it will be:

(&(objectClass=user)(anr=bishop))

You get the point: there is no need to think about all the name-related attributes when building your filter, ANR does it for you. Moreover, it ensures consistency with Outlook’s behavior, which is great if you’re looking for a uniform user experience.

Attributes Included in ANR Search

The list of attributes queried by ANR differs a little depending upon the version of Windows Server AD is running on.

Windows 2000 Server

Windows Server 2003

Active Directory Application Mode (ADAM)

Windows Server 2003 R2

Windows Server 2008

Windows Server 2008 R2

Windows Server 2012

Query it yourself!

Not sure about the Windows version AD runs on? Simply issue an LDAP query using the filter hereunder against the schema partition to retrieve the list of attributes used in ANR:

(&(objectCategory=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=4))

Matching

While a standard match returns either an exact match or a list of possible matches, a specific match restricts the result to exact matches.
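As an added example (not from the original post), the following PowerShell functions put the above together with System.DirectoryServices, the namespace mentioned in the introduction: the first runs an ANR search for a user, with a switch for a specific (exact) match, which ANR performs when the value is prefixed with "="; the second retrieves the ANR attribute list from the schema partition with the searchFlags filter quoted above. Both function names are my own; they assume a domain-joined machine and a caller allowed to read the domain and schema partitions (any authenticated user, by default). The name in the usage lines is a placeholder.

```powershell
# Added example (not from the original post): ANR lookups through
# System.DirectoryServices from PowerShell.

Function Find-AdUserByAnr {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        # Specific match: ANR treats a leading '=' as "exact match only" instead of
        # its default "starts with" matching on each ANR attribute.
        [switch]$Exact
    )
    # Escape LDAP filter metacharacters (RFC 4515) so that user-supplied input such
    # as 'a)(mail=*' cannot rewrite the filter. Backslash must be handled first.
    $escaped = $Name -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
    $value = if ($Exact) { "=$escaped" } else { $escaped }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    # objectCategory=person excludes computer accounts, which are also objectClass=user.
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(anr=$value))"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'displayName', 'mail'))

    foreach ($result in $searcher.FindAll()) {
        [pscustomobject]@{
            SamAccountName = [string]($result.Properties['samaccountname'] | Select-Object -First 1)
            DisplayName    = [string]($result.Properties['displayname']    | Select-Object -First 1)
            Mail           = [string]($result.Properties['mail']           | Select-Object -First 1)
        }
    }
}

Function Get-AnrAttribute {
    # RootDSE exposes the DN of the schema partition, so this works in any forest.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaDn = [string]$rootDse.Properties['schemaNamingContext'].Value

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$schemaDn"
    # 1.2.840.113556.1.4.803 is the bitwise-AND matching rule: keep attributeSchema
    # objects whose searchFlags has bit 4 (ANR) set, exactly the filter from the post.
    $searcher.Filter = '(&(objectCategory=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=4))'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('lDAPDisplayName')

    $searcher.FindAll() | ForEach-Object { [string]$_.Properties['ldapdisplayname'][0] } | Sort-Object
}

# Usage (placeholder name):
#   Find-AdUserByAnr -Name 'bishop'          # standard match: every user whose ANR attributes start with "bishop"
#   Find-AdUserByAnr -Name 'bishop' -Exact   # specific match: exact values only
#   Get-AnrAttribute                         # the ANR attribute set of this forest's schema
```

Comparing the output of Get-AnrAttribute with the expanded filter quoted earlier in the post is a quick way to see which attributes that hand-built filter forgot; the escaping step is there because ANR filters are almost always built from user-typed search strings.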

Customizing your AD’s Schema to add attributes to ANR

Adding a non-standard attribute to the ANR search requires an AD schema modification. The link hereunder provides the, rather simple, procedure:

More Information

Happy AD Querying!

Marc


Windows: High CPU Utilization due to Access-Based Enumeration

Good evening,

On Windows Server 2008-R2 File Servers with Access-Based Enumeration (ABE) enabled, you might notice abnormally high CPU usage when many users are opening sessions or browsing through shared folders (and sub-folders) at the same time. Obviously this is caused by ABE enumerating the folders the active user(s) are actually granted access to. This may become problematic when the underlying folder structure involves many sub-folders.

In an attempt to improve the situation (not a real performance fix), Microsoft has released a fix which enables more granular control on the number of folder levels ABE will take into account when processing a request. This fix and the details about the extra control it brings are available for download at the following location:

While installing the fix will require a reboot, you will also have to restart the LanmanServer service for the ABELevel parameter to be taken into account if you set it higher than 0 (the default value if omitted). Note: you can actually set a value higher than 2.
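As an added example (not from the original post), the following function applies the procedure just described: set ABELevel, then restart the Server service so the new value is read. The value name comes from the post; its location under the LanmanServer Parameters key is my assumption based on the hotfix documentation, so verify it against the KB article before use. The function name is my own.

```powershell
# Added example (not from the original post): set ABELevel and restart the
# Server service. Registry location is assumed; confirm it in the hotfix article.
Function Set-AbeLevel {
    param(
        # 0 = default behaviour; higher values limit how many folder levels ABE
        # evaluates per request (the post notes values above 2 are accepted).
        [Parameter(Mandatory=$true)][ValidateRange(0, [int]::MaxValue)][int]$Level
    )
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'   # assumed location

    $current = (Get-ItemProperty -Path $key -Name ABELevel -ErrorAction SilentlyContinue).ABELevel
    if ($current -eq $Level) {
        Write-Verbose "ABELevel is already $Level; nothing to do."
        return
    }

    Set-ItemProperty -Path $key -Name ABELevel -Value $Level -Type DWord

    # LanmanServer only reads the parameter at start-up. -Force is required because
    # other services (Netlogon, DFS, ...) depend on it; all SMB sessions drop during
    # the restart, so run this in a maintenance window.
    Restart-Service -Name LanmanServer -Force
}

# Usage: Set-AbeLevel -Level 2 -Verbose
```

Because the restart interrupts every SMB session on the server, treat the change like the reboot the hotfix itself requires and schedule it accordingly.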

As a reminder, the article hereunder will help you keep your Windows Server 2008-R2 File Server up to date with hotfixes:

Marc


Windows: The Confusion over DisableLoopBackCheck, DisableStrictNameChecking and Kerberos


Introduction

I’ve been answering technical questions in forums and at customers for a while now, and in recent years many of them were related to issues with the DisableLoopBackCheck and DisableStrictNameChecking security features of Windows. I also regularly noticed a lot of confusion and misinformation about these. This post is a modest attempt to explain them more in depth.

DisableLoopBackCheck

LoopBackCheck is, as its name says, a security feature applicable to connections established to the loopback address (127.0.0.1). It applies to NTLM authentication only. It protects a Windows computer against threats that specifically exploit connections to the loopback adapter. This extra protection level applies to all incoming connections and protocols.

What is often misleading with LoopBackCheck is the error message, which suggests that invalid credentials have been provided while this is actually not the case. Example with IIS: HTTP 401.1 – Unauthorized: Logon Failed.

Why isn’t it applicable to Kerberos authentication? Simply because Kerberos authentication is so strongly linked to names (host and service names) that it does not actually need this security feature.

When will you experience this issue? Usually, in a test/dev environment when you redirect services such as IIS web sites or SharePoint to the loopback address. It might also affect production SharePoint when the crawler process is configured to crawl from the locally deployed WFE role thanks to a modification of the HOSTS file. You may also experience this problem when the servers are part of an NLB cluster, or when an IIS-based application accesses a SQL Server instance located on the same server using the loopback address together with Windows Authentication.

This feature was originally implemented with Windows Server 2003 Service Pack 1 and is therefore present in all recent versions of Windows.

Solutions/Workarounds

Note: the MS KB article states you have to disable Strict Name Checking as well; this is not true, or at least not true if you don’t plan to use file & print sharing over the loopback adapter (see below).

Note 2: my field experience tells me not to use the loopback adapter anymore for the SharePoint crawler, because it may also generate other issues related to security software (anti-virus, local firewall…) adding their load of security checks to the communication channel to the loopback adapter.

DisableStrictNameChecking

Strict Name Checking is a security feature specific to the Windows implementation of the SMB protocol (File & Print Sharing). It prevents connections from being established to a network share or to a shared printer if the host name used is not the server’s real one. The error message might also be considered misleading: System error 52 has occurred. A duplicate name exists on the network.

The feature was originally introduced with Windows 2000 and is implemented in all subsequent versions of Windows.

Solutions/Workarounds

Kerberos and how it is related to Names

As I stated earlier in this post, the Kerberos authentication protocol integrates name checking in its foundation, since the secrets exchanged between the client and the service are partially based on the name by which the service is accessed. If the name of the service is missing or incorrectly configured in the Kerberos database (Active Directory in the Windows world), the authentication will fail with the internal error KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN and is likely to fall back to NTLM authentication, which will ultimately lead to a successful authentication with a less secure protocol.

Therefore, if one or multiple alternate names are used to access a service, the appropriate configuration must be associated with the user account (or computer account) running the service, using, for example, SETSPN or NETDOM like in the example above. Note: while some software offers the possibility to auto-magically register Service Principal Names in AD, very few actually do.
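As an added example (not from the original post), the following PowerShell functions audit the settings discussed above on a server and check which account holds the SPN for an alternate name. The registry locations are the documented ones for these features: DisableLoopbackCheck and BackConnectionHostNames (the per-name allow list that avoids disabling the NTLM loopback check globally) under Lsa, and DisableStrictNameChecking and OptionalNames (its per-name SMB counterpart) under the LanmanServer parameters. The function names and the host and account names in the usage lines are my own placeholders.

```powershell
# Added example (not from the original post): audit loopback/strict-name settings
# and SPN ownership. Run on the affected server; the SPN lookup needs a
# domain-joined machine.

Function Get-LoopbackAndNameCheckConfig {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = "$lsa\MSV1_0"
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    # Read a value and return $null (not an error) when it is absent.
    $read = { param($path, $name) (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name }

    [pscustomobject]@{
        # 1 = NTLM loopback check disabled for every name: the broad workaround.
        DisableLoopbackCheck      = [int](& $read $lsa 'DisableLoopbackCheck')
        # Names allowed through the loopback check: the narrower alternative.
        BackConnectionHostNames   = @(& $read $msv 'BackConnectionHostNames')
        # 1 = SMB accepts any host name, not only the server's real one.
        DisableStrictNameChecking = [int](& $read $srv 'DisableStrictNameChecking')
        # Additional SMB names accepted without disabling the check globally.
        OptionalNames             = @(& $read $srv 'OptionalNames')
    }
}

Function Get-SpnOwner {
    param([Parameter(Mandatory=$true)][string]$Spn)
    # Ask AD which account(s) carry the SPN. No result means the KDC answers
    # KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for that name and clients fall back to NTLM,
    # which is exactly where LoopBackCheck then bites; more than one result is a
    # duplicate SPN, which breaks Kerberos for that name as well.
    $escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(servicePrincipalName=$escaped)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    foreach ($r in $searcher.FindAll()) {
        [string]($r.Properties['samaccountname'] | Select-Object -First 1)
    }
}

# Usage (placeholder names):
#   Get-LoopbackAndNameCheckConfig
#   Get-SpnOwner -Spn 'HTTP/intranet.contoso.example'
# If no owner comes back, register the SPN on the service account with the built-in
# tool; -S refuses to create a duplicate:
#   setspn -S HTTP/intranet.contoso.example CONTOSO\svc-web
```

Reading the output from a hardening point of view: DisableLoopbackCheck = 1 or DisableStrictNameChecking = 1 with no entries in BackConnectionHostNames or OptionalNames means the global workaround was applied where the per-name one would have done, and an alternate name with no SPN owner explains a silent fall-back from Kerberos to NTLM before anyone looks at the loopback settings at all.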

Marc


Active Directory: Schema Versions and How to Retrieve it


Hello,

Since Windows Server 2012 RTM is publicly available, you might be busy upgrading your forest (or at least, planning to do so). I actually did the same in my lab environments and wanted, at the same time, to revisit the AD Schema’s possible version numbers and ways to retrieve it.

You will find all details in the article I just posted: Active Directory Schema Versions.

Marc


Windows Server 2012: Performance Tuning Guidelines


You might have missed the release of the Performance Tuning Guidelines document, recently updated for Windows Server 2012.

As a reminder, the following guides are still available:

Not to mention their perfect companions, which might require an update as well:

Marc


Windows Server: Memory Pressure on Windows Server 2008 R2 File Server due to System Cache

Recent questions in the TechNet Forums reminded me of an issue faced when building large file servers running on Windows Server 2008 R2. By large I mean serving a lot of files, from thousands to millions or more.

To improve performance, Windows Server makes intensive use of the file system cache. With files located on an NTFS-formatted partition, this also means caching the additional information associated with the file or folder, such as attributes, permissions and so on. Since with NTFS everything is a file, this information is stored in the form of metafiles, which are hidden from the user. For each file/folder, the matching metafile entry can have a memory footprint of at least 1K. Multiplied by the number of files cached, it starts to add up on larger file servers. Thanks to Sysinternals’ RAMMap utility, you can witness this behavior by looking at the line Metafile in the tab Use Counts:

[Screenshot: RAMMap, Use Counts tab, Metafile line]

There is very little you can do to work around this issue except adding more RAM to the server. Since the amount of memory used depends on the size of the files served and on the number of files (metadata), the amount of RAM needed can be calculated relatively easily, if only roughly.

While you can control the amount of memory used by the file system cache, you can’t prevent the metafiles from being cached.

Finally, a safe way not to get caught by surprise by this behavior once your file server is running in production is to benchmark it beforehand using the File Server Capacity Tool (FSCT).

[UPDATE] While File Servers are the most likely to be affected by this issue, web servers serving large amount of files or workstations used for large development projects might be too…

More Information