I’m co-presenting at the Dutch Windows Management User Group Christmas Event

The Dutch IT Pro Community is a vibrant community with many communities, focusing on specific aspects, and thus catering to different groups of the Dutch IT Pro population.

One of the more active user groups is the Dutch Windows Management User Group (WMUG). This week, they invited me to speak at their Christmas event on December 13, 2016. After talking to Raymond, we decided to not just help out, but to really invest the time to make our point and deliver a co-presented two-hour presentation.


About the Dutch Windows Management User Group (WMUG)

Windows Management User Group Netherlands (WMUG) is a Dutch user group offering a stage to share knowledge between fellow-IT Pros through regular and 100% community-driven user group meet-ups.

I know many of the people running WMUG. I’ve worked together with Adnan Hendricks at OGD, meet Kenneth van Surksum, Arie de Haan, Erik Loef and Bob Cornelissen regularly at events and see Peter Daalmans almost daily at a mutual customer.


About the WMUG Christmas Event

Windows Management User Group Netherlands (WMUG) organizes a free community event on December 13, 2016 at Hollywoud Service Cinema in Almkerk.

The event starts at 3:30 PM with presentations and people are welcome at the venue from 3 PM onwards. After the first two hours of presentations, dinner is served. Attendees will have to be quick to get a bite to eat, because 45 minutes later two more presentations, totaling 90 minutes of runtime, are scheduled. These two presentations consist of a sponsor presentation and a presentation titled ‘OMS: your ideal digital watch dog’ by Dieter Wijckmans.

Office Christmas Party Movie

After the presentations, the room will be cleaned and prepped as a cinema room, showing Office Christmas Party (2016).

This event is sponsored by PROXSYS.


About our presentation

After our successful ‘Deep dive on Azure AD Join’ session during Experts Live 2016, we’re taking the attendees even deeper into the wonderful world of Modern Management with one end-to-end use case, based on a single question:

Can you guys allow for secure access to our business resources from untrusted devices and locations, owned and/or used by employees and third parties, without invalidating my current investments and/or allocating my entire budget?

We’ll take an in-depth look at Azure Active Directory, Windows 10 and Windows Server 2016 while we’re at it.


Join us!

This promises to be an excellent event!
Register for this event for free (Dutch).


Join Veeam for VeeamON Tour Virtual

VeeamON Tour Virtual

Tomorrow, Veeam organizes a virtual event, targeted at the European continent, where they’ll share their view on availability beyond backup and restore and beyond the confines of your datacenter or the usual Operating System.

I’ve attended the VeeamON Tour event in London in June this year, and I recommend this event, because it allows you to step out of your comfort zone when it comes to backup and restore. The best thing? It’s free and you don’t have to leave your desk!

I come across Veeam a lot during my engagements with customers and it should come as no surprise that I’m a fan of Veeam. Their Veeam Explorer for Active Directory and their plans to deliver backup of Office 365 entice me.

That’s why I’ve accepted their invitation as a Veeam Vanguard to join their chat as an expert, before the tech track kicks off at 1 PM (GMT).

You can find me in the Expert Lounge, together with Rasmus Haslund, Jim Jones, Jorge de la Cruz, Leandro Ariel Leonhardt, Richard Arnold and Niklas Akerlund: a nice mix of experts with different areas of expertise to answer all your Veeam-related questions!


Join us!
You can register for VeeamON Tour here.


I’ll be co-presenting two sessions at Experts Live 2016

As I’ve presented at Experts Live for a couple of years in a row, it should not come as a surprise that I’ve been picked as a speaker for Experts Live 2016. To keep the tradition alive, I’ve opted for co-presenting again: two sessions with Raymond Comvalius.


About Experts Live

Experts Live

Experts Live is an independent platform for IT Professionals on Microsoft solutions, a platform for and by the community. Every year, Experts Live organizes its knowledge event in the Netherlands. Started as an idea from a small group of Microsoft MVPs, Experts Live has become the largest Microsoft community event in the Netherlands, Belgium and Luxembourg (BeNeLux), with over a thousand visitors.

Both national and international speakers bring the visitors up to date on the latest Microsoft technologies in a single day. Over the years, many famous and notorious speakers have delivered sessions at Experts Live events.

This year, Experts Live is hosted at CineMec in Ede, the Netherlands again, and scheduled for Tuesday November 22nd, 2016. The opening keynote features Lorenzo Rizzi on reinventing IT infrastructure for business agility, while Marcus Murray and Hasain Alshakarti present the closing keynote with their demonstration of the tools and techniques used by cybercriminals and cyber warriors today.


About my sessions

I’ll be co-presenting two sessions at Experts Live 2016:

Azure Domain Join Deep Dive; everything you wanted to know, but were afraid to ask…

11:30 AM – 12:30 PM, Room 5

Windows 10 changes the game for corporate devices. Domain Join is not the same. Now your clients can be joined both on-prem and in the cloud. How is this different and what new opportunities do we get? How does this affect everything we’ve been doing all these years? Join this session to learn how to implement and troubleshoot Windows 10 in a cloud or hybrid infrastructure and be prepared for the next big thing.


Ten most common mistakes when deploying ADFS and Hybrid Identity and how to avoid them

2:45 PM – 3:45 PM, Room 4

Active Directory Federation Services (AD FS) is the Microsoft technology to bridge your on-premises identity systems to cloud identity providers like Azure Active Directory. Colleagues depend on a reliable, yet cost-effective deployment of AD FS, and it is our job as IT Pros to make it happen. This session covers the 10 most common mistakes we see in the field in organizations that have deployed AD FS and performed a hybrid identity deployment. Learn from their mistakes, so you don’t have to make them.


Sold out!

Tickets are no longer available, because Experts Live has sold out.
When you are one of the lucky 1023 people obtaining a ticket, I’ll see you in Ede!


Azure AD Connect version 1.1.343.0 with support for Windows Server 2016 and SQL Server 2016

Yesterday, while I was chatting with a company in the north of the Netherlands about Azure, Microsoft released version 1.1.343.0 of Azure AD Connect, for all your on-premises Active Directory Domain Services and LDAP v3 to Azure Active Directory, and thus Office 365, synchronization needs.

Version 1.1.343.0 of Azure AD Connect, dubbed the November 2016 release, adds the following fixes and improvements over the version of Azure AD Connect that was released a mere three months ago.


Fixed issues

This version introduces fixes for the following issues:

  • Sometimes, installing Azure AD Connect fails because it is unable to create a local service account whose password meets the level of complexity specified by the organization’s password policy.
  • Fixed an issue where join rules are not re-evaluated when an object in the connector space simultaneously becomes out-of-scope for one join rule and becomes in-scope for another. This can happen if you have two or more join rules whose join conditions are mutually exclusive.
  • Fixed an issue where inbound synchronization rules (from Azure AD) that do not contain join rules are not processed if they have lower precedence values than those containing join rules.


Improvements

This version introduces the following improvements:

  • Added support for installing Azure AD Connect on Windows Server 2016 Standard Edition and Windows Server 2016 Datacenter Edition.
  • Added support for using SQL Server 2016 as the remote database for Azure AD Connect.
  • Added support for managing Active Directory Federation Services (AD FS) on Windows Server 2016 using Azure AD Connect.

Version information

This is version 1.1.343.0 of Azure AD Connect.

Download information

You can download Azure AD Connect here.
The download weighs 78.0 MB.


If the Automatic Updating functionality hasn’t already upgraded your Azure AD Connect installation to version 1.1.343.0, you can download and install this version of Azure AD Connect using the link above.

If, like Didier, you’re upgrading the entire infrastructure of your organization to Windows Server 2016, this version of Azure AD Connect offers the first opportunity to run Azure AD Connect on Microsoft’s latest and greatest.

Further reading

Azure AD Connect Adds Support for Windows Server 2016 and SQL 2016 
Windows Server 2016 Editions 
Microsoft Azure Active Directory Connect


I’m speaking at Advanced Technology Days 12 in Zagreb next week

I’m at the Microsoft Global Most Valuable Professional (MVP) Summit this week and, thus, a week from home.

Next week, though, is another week on the road, heading East instead of West, to Zagreb for Microsoft Croatia’s Advanced Technology Days event.


About Advanced Technology Days

Microsoft Advanced Technology Days is a yearly two-day event, organized by Microsoft Croatia. This year’s edition is the 12th edition of the event, has gathered an audience of 500 persons, and is scheduled for Wednesday November 16, 2016 and Thursday November 17, 2016.

The venue for this event used to be the Arena Center, but the event is moving to the Hypo Center for this edition.


About my session

I’ll be delivering a 30-minute level 300 session on the security implications of virtualizing Active Directory Domain Controllers from 10:55 to 11:25 in room Rab.


Active Directory Domain Controllers hold the keys to your kingdom. So how do you virtualize these castles of identity without compromising on the requirements of your organization? This session shares best practices and process recommendations from the field for hardening, backing up, restoring and managing virtualized Domain Controllers on Hyper-V, on Azure Stack and in Azure Infrastructure-as-a-Service VMs.


I hope to see you there!


Pictures of Microsoft Sinergija 16

Two weeks ago, I was in Belgrade to deliver two presentations at Microsoft Serbia’s Sinergija event and to spend time with friends.

I traveled to Belgrade via Paris on Sunday October 16th. I was greeted by the event’s chauffeur and we arrived at the Belgrade Crown Plaza at around 11 PM. Of course, Romeo, Aleksandar, Tomislav, Nenad and Luka were having drinks in the lobby, so I joined them briefly before heading to the hotel room I shared with Wekoslav Stefanovski from Macedonia.

The next morning we enjoyed breakfast at the hotel and then headed to registration and on to the Keynote room. I sat down with Ben Armstrong for a couple of minutes before the keynote and then joined the crowd.

Waiting in line for registration (photo by Sinergija Organization)
Chatting with Ben Armstrong (photo by Sinergija Organization)
Ben, Srdan, Romeo and Mustafa, moments before the Keynote (photo by Sinergija Organization)
Ben Armstrong presenting the Microsoft Sinergija Keynote (photo by Sinergija Organization)

I also attended Ben’s follow-up session on Containers and walked around a little bit.

Ben Armstrong presenting Containers (photo by Sinergija Organization)
Sinergija (photo by Sinergija Organization)

After the keynote I started preparing my first session: ‘Azure Active Directory Join for Windows 10 Bring-Your-Own Scenarios’. Since this session was scheduled last-minute, I didn’t have high expectations for the turn-out, but I wasn’t disappointed.

Introducing Workplace Join as part of the evolution of Azure AD Join (photo by Sinergija Organization)

We had a nice interactive chat about claims-based authentication and the evolution of joined Windows-based devices to greater collectives. I also met with Mustafa Toroman.

After some more sessions, we drove to the Sava riverside and had dinner with the Sinergija speakers and then headed to the Sinergija party, where I wisely chose not to consume any alcohol, because I had another session on my calendar.

The Sava Riverside
Sinergija’s Party Invitation
Impression of the Sinergija Party (photo by Sinergija Organization)

The next day, I delivered my ‘Virtualizing Highly-Sensitive Domain Controllers on Hyper-V and Azure’ session to a packed room. Again, there were a lot of interactions, frowns and, of course, amazement at how far we’ve come. Afterwards, I reminisced with Ben on the progress Microsoft has made since I first delivered the session at Experts Live in 2014.

Presenting (photo by Sinergija Organization)

After the main event, we took a moment to relax and then enjoyed a night in Belgrade, visiting the impressive Kalemegdan Fortress with tour guide Tomislav Lulic, and Kafana, the oldest restaurant in Belgrade, where we enjoyed Serbian cuisine accompanied by violin music.

Winner Statue at Kalemegdan Fortress (image courtesy of Bing)

On Wednesday morning October 19th, I flew to Paris and onwards to Amsterdam, back home.

I had a lot of fun!
Thank you!


Azure Multi-Factor Authentication features per license and implementation

Multi-Factor Authentication Server Splash Screen

Recently, I’ve been involved in some larger on-premises Azure Multi-Factor Authentication (MFA) Server projects as a senior engineer with a couple of demanding customers. It’s been a lot of fun and quite the roller coaster ride.

One of the more confusing things about Azure Multi-Factor Authentication Server to customers is its licensing and the features you get with each of the deployment scenarios.

In this blogpost, let’s look at the deployment scenarios and then take a look at the features the Azure Multi-Factor Authentication technology has to offer.


Deployment scenarios

Basically, an organization has the following ways to enable Multi-Factor Authentication for Microsoft’s online resources:

Office 365 Multi-Factor Authentication

Microsoft’s Office 365 Multi-Factor Authentication feature uses the Multi-Factor Authentication service residing in Microsoft’s datacenters. Office 365 Admins can configure Multi-Factor Authentication enrollment and enforcement in the Office 365 Portal. After successful enrollment (at first logon to any one of Microsoft’s portal websites, or to any app or application that uses modern authentication), multi-factor authentication can be enforced. If only MFA enrollment is selected, but not MFA enforcement, the MFA enrollment may be canceled by the end-user.

The scope for Office 365 Multi-Factor Authentication is limited to Office 365 and included in all Office 365 E licenses. Configuring Office 365 MFA does not result in an MFA Provider being created in the Azure back-end.

Azure Multi-Factor Authentication for Admins

Like Office 365 MFA, Azure Multi-Factor Authentication for Admins is limited in scope. However, Azure MFA for Admins is limited to Azure AD user accounts with one or more Admin roles. Just like Office 365 MFA, configuring Azure MFA for Admins does not result in an MFA Provider being created in the Azure back-end.

Azure Multi-Factor Authentication

In contrast to Office 365 MFA and Azure MFA for Admins, you can enable Azure Multi-Factor Authentication for any or all user accounts in your Azure Active Directory tenant. This feature can be licensed in various ways:

  • Azure Multi-Factor Authentication (Azure MFA)
  • Azure Active Directory Premium
  • Enterprise Mobility + Security (EMS)
  • Secure Productivity Enterprise (SPE)

Note that each of these licenses, successively, is part of the next license in line. The separate Azure MFA license can be configured per tenant in a pay-per-user or a pay-per-10-authentications model.

In this scenario, an MFA Provider is created in the Azure back-end, allowing configuration of several sub-features of the Azure MFA Service.

Some settings for this deployment scenario are managed through the Azure MFA Portal, which can be reached by logging into the Azure Management Website, clicking Active Directory in the pane on the left, going to the Multi-Factor Auth Providers tab and then clicking Manage. Other settings are managed through the Azure MFA Service Settings, which can be reached through the same Azure Management Website, but this time by selecting your Azure Active Directory tenant or the Default Directory instead of the Multi-Factor Auth Providers tab, clicking the Configure tab and following the Manage service settings link in the multi-factor authentication area.

Azure Multi-Factor Authentication Server

When going the Azure MFA route, you can additionally install one or more Azure Multi-Factor Authentication Servers on-premises. This allows your organization to configure even more Azure MFA settings, but also to enforce multi-factor authentication on on-premises systems, applications and services.

Do not combine the Office 365 MFA and/or Azure AD MFA for Admins deployment scenarios with the Azure MFA Server deployment scenario when you want to avoid double multi-factor authentications.


Azure Multi-Factor Authentication Features

The table below shows the Azure Multi-Factor Authentication Features per deployment scenario:

Table (image): Multi-Factor Authentication, Phone Call, text message, OATH Tokens, Application Passwords, Authentication Cache, Default and Customized greetings, two-way text message time-out, fraud alert, remembered devices, One-time Bypasses, Fraud Alert, Block Users, Integration with LDAP, Active Directory and RADIUS, per deployment scenario.

(1) When using the Azure Multi-Factor Authentication Server version 7 or up, end-users can be configured to select the authentication method for AD FS and User Portal authentication.
(2) US-based numbers only.


Further reading

Recommended Practices for your Hybrid Identity Admin accounts
Choose the Azure Multi-Factor Authentication solution for you
MFA for Office 365 and MFA for Azure
Multi-Factor Authentication Server Splash Screen – App Passwords
#AzureAD: Remember my MFA is now GA!


Azure Multi-Factor Authentication Methods per Supported Protocol

Multi-Factor Authentication Server Splash Screen

Recently, I’ve been involved in some larger on-premises Azure Multi-Factor Authentication (MFA) Server projects as a senior engineer with a couple of demanding customers. It’s been a lot of fun and quite the roller coaster ride.

One of the things I noticed while consulting on Microsoft’s Azure Multi-Factor Authentication Server is that its marketing department is doing a really great job of positioning the product as the all-in-one solution for all multi-factor authentication needs a Microsoft technology-oriented organization might have.

The truth is that the product is not there, yet.

The table below states the authentication methods possible per supported protocol with the on-premises Multi-Factor Authentication Server, based on version

Table (image): Azure MFA for WS-Federation, WS-Trust, SAML 2.0, OAuth 2.0, LDAP, RADIUS and IIS through Phone Call, Phone Call + PIN, One-way SMS, Two-way SMS, Mobile App and OTPs.

(1) If the RADIUS client supports entering an OTP together with the password in the password field, this authentication method is supported.

Additionally, please note that, currently, the only way to enable multi-factor authentication for Windows-integrated or Forms-based authentication for web apps is to install the Azure Multi-Factor Authentication Server product onto a server running Internet Information Services (IIS). The IIS module is not a separately installable module, like the AD FS adapter is. You can also enforce multi-factor authentication on other types of web servers (Apache, NGINX, etc.) by placing them behind ARR on the server running IIS and the Azure Multi-Factor Authentication Server.

Related blogposts

Azure Multi-Factor Authentication Server version for your convenience 
Choosing the right Azure MFA authentication methods 

Further reading

Azure Multi-Factor Authentication – Part 1: Introduction and licensing
Azure Multi-Factor Authentication – Part 2: Components and traffic flows
Azure Multi-Factor Authentication – Part 3: Configuring the service and server
Azure Multi-Factor Authentication – Part 4: Portals
Azure Multi-Factor Authentication – Part 5: Settings
Azure Multi-Factor Authentication – Part 6: Onboarding
Azure Multi-Factor Authentication – Part 7: Securing AD FS
Azure Multi-Factor Authentication – Part 8: Delegating Administration


I’m an organizer of Ngi-NGN’s Windows 10 and Windows Server 2016 event

Regular readers know I’ve been associated with the Dutch Networking User Group (Ngi-NGN) for almost seven years now. I’ve been speaking at their events, been a regular at their planning meetings and have helped others achieve the same goal as their Speaker Coach in the past.


About Ngi-NGN

Ngi-NGN is the organization that was created when the Dutch Networking User Group and Ngi merged into the independent Platform for Dutch IT Professionals and IT Managers. It enables its members to keep up with market trends, to deepen their knowledge and to maintain a professional network.

In recent months, a couple of people associated with Ngi-NGN have been planning a Microsoft Windows 10 and Microsoft Windows Server 2016 event for this autumn. Jeff Wouters, Erwin Derksen, Alex Warmerdam, Tom Dalderup, Raymond Comvalius and I were the people involved in these meetings, and we’ve come up with a nice alternative to the more traditional IT events you might experience in the Netherlands.


Ngi-NGN’s Windows-as-a-Service Event

On Thursday October 27 2016, Ngi-NGN organizes an event that will bring its attendees up to date with Microsoft Windows 10 Anniversary Update, Microsoft Windows Server 2016 and Microsoft Azure and how their technologies can help organizations.

The keynote is planned for 10:55 AM instead of 9 AM, because the first change every event makes to its agenda is to start later to allow for traffic delays; by starting later, we already account for that. Now, I’m sure attendees will love to be there on time, because the keynote features Ancilla van de Leest, talking about the politics of privacy as the front runner of the Dutch Pirate Party, but also a former Playboy model.

After the keynote, attendees can get up to date in three different tracks. This is nothing special, but the sessions in the tracks offer independent technical information from the field, right next to information from Microsoft engineers and information from business consultants.

The closing keynote features a panel discussion with a new innovative way to get your questions answered. Of course, this method ensures the privacy of the attendees…

After that we’re having dinner. Not just a speakers’ dinner, like you’d see at other events, but a dinner for every attendee who chooses to join. Of course, we’re not serving fast food. Since we chose the Postillion Hotel Dutch as our location, we’re getting served good, healthy food.

Because of the dinner, attendees will drive home after the usual traffic jams, profiting again from an organization that just gets it.


My presentation

I’ll be delivering a 40-minute session on licensing in the business track.
I’ll specifically focus on recent changes in Microsoft Volume Licensing, the choices Microsoft Volume Licensing has to offer and how these choices enable or disable organizations reaching their day-to-day, but also strategic goals.

Now, you might think that I’ll present a session that is out of my comfort zone, but that’s not entirely true. In recent years I have passed Microsoft’s exams on licensing (70-671 and 70-672) and have helped many organizations make licensing choices that have helped them.


Sign up for the Windows-as-a-Service event! (Dutch)
When you sign up, you can bring someone along for free.


KnowledgeBase: Active Directory Domain Services Configuration Wizard shows ‘Windows Server Technical Preview’ functional levels

Last week, Microsoft officially released Windows Server 2016, its ‘latest and greatest’ Server Operating System for use as a hypervisor, just enough server, management server and, of course, Azure IaaS-based Virtual Machines (VMs).


The situation

Windows Server 2016 was announced Release to Manufacturers (RTM) during the Keynote of Microsoft’s Ignite event on September 26, 2016, but wasn’t generally available (GA) for large groups of people before Wednesday October 12, 2016.

Before RTM, Microsoft offered Technical Preview versions of Windows Server to anyone who wanted to test the Operating System and/or its features. Technical Preview 5 (TP5) was the last Technical Preview version, released in April 2016.


The issue

When you gain early access to the Windows Server 2016 RTM build (build 6.3.14393), configure the Active Directory Domain Services (AD DS) role (and accompanying features) and then run the Active Directory Domain Services Configuration Wizard to make it a Domain Controller, you are confronted with ‘Windows Server Technical Preview’ values for both the Domain Functional Level (DFL) and the Forest Functional Level (FFL) when you create a new Active Directory forest.

The Active Directory Domain Services Configuration Wizard showing ‘Windows Server Technical Preview’ as values for the Domain Functional Level and Forest Functional Level (screenshot by Nick van Vuren)


The cause

The mislabeling of the Domain Functional Level (DFL) and Forest Functional Level (FFL) in the Active Directory Domain Services Configuration Wizard is a purely graphical issue in the Wizard, caused by the absence of the first updates for Windows Server 2016.

This issue does not affect any other functionality: the Get-ADDomain Windows PowerShell cmdlet returns Windows2016Domain as the value for an Active Directory domain configured with the ‘Windows Server Technical Preview’ Domain Functional Level (DFL).


The solution

To avoid experiencing the issue of encountering ‘Windows Server Technical Preview’ values for Domain Functional Level (DFL) and Forest Functional Level (FFL), install KB3194789, as confirmed by Ned Pyle.

Alternatively, you can ignore the mislabeling of the functional levels in the Active Directory Domain Services Configuration Wizard, but I think we can agree that it is a recommended practice to apply available updates to Windows Server installations before installing a role, and after installing a role.
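As an added example (not part of the original post), the following Windows PowerShell script performs both checks the post recommends: it verifies that KB3194789 is installed before you promote the server, and after promotion it reads the real functional levels through the ActiveDirectory module instead of trusting the wizard’s labels. It assumes the ActiveDirectory module (RSAT-AD-PowerShell) is available on the machine.

```powershell
# Added example, not from the original post.
# Assumes the ActiveDirectory PowerShell module is installed.

$RequiredUpdate = 'KB3194789'   # the update the post names as the fix

# Step 1: before promoting, check whether the update is present.
$Hotfix = Get-HotFix -Id $RequiredUpdate -ErrorAction SilentlyContinue
if ($Hotfix) {
    Write-Host ("{0} is installed (installed on {1})." -f $RequiredUpdate, $Hotfix.InstalledOn)
} else {
    Write-Warning ("{0} is not installed. The AD DS Configuration Wizard will label the " +
                   "Windows Server 2016 functional levels as 'Windows Server Technical Preview'. " +
                   "Apply available updates before installing the AD DS role.") -f $RequiredUpdate
}

# Step 2: after promotion, read the actual functional levels.
# The wizard text is cosmetic; these values are what the directory really uses.
Import-Module ActiveDirectory -ErrorAction Stop

$Domain = Get-ADDomain
$Forest = Get-ADForest

[PSCustomObject]@{
    Domain               = $Domain.DNSRoot
    DomainFunctionalLevel = $Domain.DomainMode    # expected: Windows2016Domain
    Forest               = $Forest.Name
    ForestFunctionalLevel = $Forest.ForestMode    # expected: Windows2016Forest
}

if ($Domain.DomainMode -ne 'Windows2016Domain' -or $Forest.ForestMode -ne 'Windows2016Forest') {
    Write-Warning 'Functional levels are below Windows Server 2016; raise them once all DCs run Windows Server 2016.'
}
```

Run the first part on the freshly installed server and the second part once it has been promoted and you have logged on with domain credentials.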