I’m speaking at WinDays 17

In 2015, I presented two sessions at WinDays XV. Last year, I presented two sessions at WinDays 16. This year, it feels like it’s becoming a habit for me to present two sessions at WinDays:

I’m speaking at WinDays 17 at the Valamar Isabella Island Resort in Poreč, Croatia.


About WinDays

WinDays 17 Logo

WinDays, the largest regional business and technology conference, will celebrate its 17th anniversary this year. The conference brings together more than 1,500 attendees from Croatia and the region, as well as the most prestigious international and regional speakers and lecturers from the world of business and technology.

As always, WinDays17 Technology brings lots of news about Microsoft technologies and solutions. The conference will present specific ways and technology solutions that enable people to optimize business processes, customization of products and solutions, more active involvement of the users and empowerment of individuals and employees to achieve more. The primary focus of the conference will be on innovative solutions based on cloud, with a special accent on digital solutions and solutions based on open source, but also on case studies and security topics.

Valamar Isabella Island Resort

Microsoft WinDays17 will take place at the Valamar Isabella Island Resort in Poreč from Wednesday April 25 to Thursday April 28, 2017. For the second year in a row, Poreč will host the WinDays conference. Its 17th edition will take place on the Island of Saint Nicolas, often referred to by participants as „WinDays Island“.


About my sessions

I will be presenting two 45-minute sessions at WinDays 17:

Azure AD Connect, Inside Out

Thursday April 26, 2017 9:30 AM – 10:15 AM, Castle 4

New hybrid cloud scenarios introduce new identity challenges. But how do you overcome these? How do you properly design and implement Hybrid Identity in real-world scenarios? In this demo-packed session, I turn Microsoft’s free Hybrid Identity ‘bridge’ product, Azure AD Connect, inside out, showing all the good stuff, but also the gory details!

This session is one no Active Directory admin should miss!

A deep dive into Azure Active Directory Domain Join

Thursday April 26, 2017 12:50 PM – 1:35 PM, Castle 6

Windows 10 changes the game for corporate devices. Domain Join does not have the same ring to it anymore. Now devices can be joined both on-premises and to the cloud, or one at the time. How is this different and what new opportunities do we get? How does this affect everything we’ve been doing all these years?

Join this session to learn how to implement and troubleshoot Windows 10 in a cloud or hybrid infrastructure and be prepared for the next big thing!


See you there?


Related blogposts

Pictures of WinDays 16 in Porec, Croatia 
I will be presenting at WinDays 16 in Porec 
Pictures of WinDays XV 
I’ll be speaking at WinDays Croatia 15


I’m delivering a session at Microsoft Hrvatska in Zagreb this Monday

Romeo Mlinar, my friend and Hyper-V MVP from Croatia, asked me to speak at the Microsoft IT Pro User Group Zagreb at Microsoft Hrvatska on Monday evening April 24, 2017. Since I’m in Croatia and Bosnia for Microsoft NetWork/7 anyway, I might as well make myself useful.

Microsoft Hrvatska

I’m delivering a 75-minute session on:

Join Windows 10 to Azure Active Directory and beyond!

Since early Windows versions, we’ve been joining Windows devices to Active Directory domains. This works great, although we do hit problems sometimes.

Windows 10 brings a huge change to the way we think of joining devices to a trusted environment. Now, when you boot Windows for the first time, it asks to join Active Directory or Azure Active Directory. Why has Microsoft added this? What do you choose? How does this change our decade-old security thinking? What happens to single sign-on and management of devices?

In this interactive session, I’m answering all these questions and taking the attendees along on the journey towards the cloud and the infinite possibilities it offers, based on real-world examples. They’ll be surprised by the new opportunities!


Will I see you there?

Join this session to learn about the new features that Windows 10 and Azure bring to your Bring-Your-Own, Choose-Your-Own, yet Manage-all processes.

This is a free event.
Please feel welcome at Microsoft Hrvatska, Horvatova 82 Zagreb on April 21, 2016. We’ll start at 17:30.

More information and the registration link can be found here.


Azure AD Connect versions 1.1.484.0 and 1.1.486.0 offer great enhancements

Last Friday, Microsoft released version 1.1.486.0 of its free Hybrid Identity bridge software product: Azure AD Connect.

Together with the changes in the short-lived 1.1.484.0 version of this tool, the enhancements in this release should put big smiles on the faces of many admins.


What’s New

Azure AD Connect sync

Azure AD Connect Sync now supports the use of a Virtual Service Account, Managed Service Account (MSA) and Group Managed Service Account (gMSA) as its service account.

This applies to new installations of Azure AD Connect only.

Previously, if you upgraded to a new build of Azure AD Connect containing connector updates or sync rule changes, Azure AD Connect would trigger a full sync cycle. Now, Azure AD Connect selectively triggers the Full Import step only for connectors with updates, and the Full Synchronization step only for connectors with sync rule changes.

Previously, the Export Deletion Threshold only applied to exports that were triggered through the Sync Scheduler. Now, this feature is extended to include exports manually triggered using the Synchronization Service Manager.

On your Azure AD tenant, there is a service configuration which indicates whether the Password Synchronization feature is enabled for your tenant or not. Previously, it was easy for this service configuration to be incorrectly configured by Azure AD Connect when you had an active and a staging server. Now, Azure AD Connect will attempt to keep the service configuration consistent with your active Azure AD Connect server only.

Azure AD Connect wizard now detects and returns a warning if your on-premises Active Directory Domain Services environment does not have AD Recycle Bin enabled.

Previously, Export to Azure AD timed out and failed if the combined size of the objects in the batch exceeded a certain threshold. Now, the Synchronization Service will reattempt to resend the objects in separate, smaller batches if this issue is encountered.

The Synchronization Service Key Management application has been removed from the Windows Start Screen. Management of encryption keys will continue to be supported through the command-line interface using miiskmu.exe. Previously, if you changed the Azure AD Connect sync service account password, the Synchronization Service would not be able to start correctly until you had abandoned the encryption key and reinitialized the Azure AD Connect sync service account password. Now, this is no longer required.

Desktop SSO

The Azure AD Connect wizard no longer requires port 9090 to be opened on the network when configuring Pass-through Authentication and Desktop Single Sign-On (SSO). Only port 443 is required.
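Several of the items above (the new service account options, the Export Deletion Threshold now covering manual exports, the active/staging consistency of the password sync setting, and the new AD Recycle Bin warning) are things you can verify on your own server before and after the upgrade. The read-only check below is an added example written for this post; it is not code from the blog or from Microsoft. It assumes it runs in an elevated PowerShell session on the Azure AD Connect server itself, that the ADSync module shipped with Azure AD Connect is present, that the ActiveDirectory RSAT module is available for the Recycle Bin query, and that the product registers itself in the Uninstall registry key under the display name "Microsoft Azure AD Connect".

```powershell
# Added example (not from the blog post or from Microsoft): a read-only
# pre-/post-upgrade check for an Azure AD Connect server, covering the areas
# that the 1.1.484.0 / 1.1.486.0 releases touch. Run elevated on the server.
# Assumptions: ADSync module (ships with Azure AD Connect) and ActiveDirectory
# RSAT module are available; the product is listed under the Uninstall key.

Import-Module ADSync -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

# 1. Installed version: the post recommends 1.1.486.0 rather than 1.1.484.0
$TargetVersion = [version]'1.1.486.0'
$product = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
    Where-Object { $_.DisplayName -eq 'Microsoft Azure AD Connect' }   # assumed display name
if ($product) {
    $installed = [version]$product.DisplayVersion
    $state = if ($installed -ge $TargetVersion) { 'OK' } else { 'UPGRADE RECOMMENDED' }
    "Azure AD Connect version : $installed ($state, target $TargetVersion)"
} else {
    'Azure AD Connect not found under the Uninstall registry key'
}

# 2. Sync service account. A gMSA shows up as DOMAIN\name$, a Virtual Service
#    Account as NT SERVICE\ADSync, a classic account as DOMAIN\user or .\user.
$svc = Get-CimInstance Win32_Service -Filter "Name='ADSync'"
"Sync service runs as      : $($svc.StartName)"

# 3. Staging mode. Only the active server should own the tenant-side
#    password synchronization setting after this release.
$scheduler = Get-ADSyncScheduler
"Staging mode enabled      : $($scheduler.StagingModeEnabled)"

# 4. Export Deletion Threshold, now enforced for manual exports from the
#    Synchronization Service Manager as well as scheduled ones.
'Export Deletion Threshold :'
Get-ADSyncExportDeletionThreshold | Format-List

# 5. AD Recycle Bin. The wizard now warns when it is not enabled; an enabled
#    feature has at least one entry in EnabledScopes.
$rb = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if ($rb.EnabledScopes.Count -gt 0) {
    'AD Recycle Bin            : enabled'
} else {
    'AD Recycle Bin            : NOT enabled (the Azure AD Connect wizard will warn)'
}
```

Run it once on the active server and once on the staging server: the version and deletion threshold should match on both, while the staging mode flag should differ, which is exactly the distinction the password synchronization consistency fix relies on.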


Fixed issues

Azure AD Connect sync

The team fixed an issue where the Azure AD Connect Sync Scheduler skips the entire sync step if one or more connectors were missing a run profile for that sync step. For instance, you manually added a connector using the Synchronization Service Manager without creating a Delta Import run profile for it. This fix ensures that the sync scheduler continues to run Delta Import for other connectors.

The team fixed an issue where the Synchronization Service immediately stops processing a run profile when it encounters an issue with one of the run steps. This fix ensures that the Synchronization Service skips that run step and continues to process the rest. For instance, you have a Delta Import run profile for your Active Directory connector with multiple run steps (one for each on-premises Active Directory domain). The Synchronization Service will run Delta Import with the other Active Directory domains even if one of them has network connectivity issues.

The team fixed an issue that causes the Azure AD Connector update to be skipped during Automatic Upgrade.

The team fixed an issue that causes Azure AD Connect to incorrectly determine whether the server is an Active Directory Domain Controller during setup, which in turn causes a DirSync upgrade to fail.

The team fixed an issue that causes DirSync in-place upgrades to not create any run profiles for the Azure AD Connector.

The team fixed an issue where the Synchronization Service Manager user interface becomes unresponsive when trying to configure the Generic LDAP Connector.

AD FS management

The team fixed an issue where the Azure AD Connect wizard fails if the Active Directory Federation Services (AD FS) primary node has been moved to another server.

Desktop SSO

The team fixed an issue in the Azure AD Connect wizard where the Sign-In screen does not let you enable the Desktop SSO feature if you chose Password Synchronization as your Sign-In option for a new installation.


Version information

This is version 1.1.486.0 of Azure AD Connect.
It was signed off on April 14, 2017.


Download information

You can download Azure AD Connect here.
The download weighs 78.3 MB.



Upgrade your Azure AD Connect installation to version 1.1.486.0, not version 1.1.484.0. If you have Automatic Upgrades enabled for your Azure AD Connect implementation with Express Settings, you might already be running version 1.1.486.0.

Enjoy all the enhancements, dear Järjestelmänvalvoja.

Further reading

Azure AD Connect v1.1.443.0 is here  
Version 1.1.380.0 of Azure AD Connect fixes a bug in multi-domain scenarios
Azure AD Connect 1.1.371.0 offers PTA and S3O preview capabilities
Azure AD Connect version 1.1.343.0 with support for Windows and SQL Server 2016
Azure AD Connect version has been released


Pictures of Lowlands Unite! Netherlands Edition

Last week, I presented at Lowlands Unite!, the joint event by the Dutch Windows Management User Group (WMUG) and the System Center User Group (SCUG) Belgium.

We arrived early to pick up our badges, set up our sponsor booth and shake hands with a lot of people.

Speaker Badge for Lowlands Unite! Netherlands Edition (click for larger photo)

Then, we saw Daniel van Soest arrive. Just in time for his keynote:

I guess I'll never get used to Daniel with a tie ;-) (click for larger photo)
Daniel keynoting Lowlands Unite! (click for larger photo)

After Daniel’s keynote, it was my time to present on the ten most common mistakes we see being made when people deploy AD FS and Hybrid Identity.

Proud speaker at Lowlands Unite! (click for larger photo, by Marc Westerink)
Presenting for a full room (click for larger photo, by Arjan Bakker)
Presenting at Lowlands Unite! (click for larger photo, by WMUG)
Presenting with two screens (click for larger photo, by Daniel van Soest)

It was a very interactive session. Just the way I like it. Lots of questions, lots of answers and lots of laughter.

After my session, I skipped the next session and had an elaborate lunch, together with some of the people in the session and colleagues. Eventually, everyone joined us for lunch.

Schedule for Lowlands Unite! (click for larger photo) 

With the rest of the program well underway, it was time for us to enjoy the rest of the day.

I had fun!


A big ‘Thank You!’ to the Dutch Windows Management User Group (WMUG), the System Center User Group (SCUG) Belgium, all the speakers and attendees for making this a great event!


I’m speaking at Microsoft Network 7

Last year, I spoke at Microsoft NetWork 6 in Neum, Bosnia and Herzegovina. This year, the organization has invited me back to present another session:


About Microsoft Network

Microsoft Network 7

Microsoft’s NetWork conference is a yearly event in the city of Neum in Bosnia and Herzegovina. It offers a range of great speakers like Adis Jugo, Aleksandar Nikolic, Srđan Stević, Luka Manojlovic, Mustafa Toroman, Slavko Kukrika, Nenad Trajkovski and Romeo Mlinar.

The event is held at the Grand Hotel, Neum between April 19 and April 21, 2017.
On Wednesday, the conference starts with a keynote at 6PM. Thursday and Friday are packed with 45-minute sessions on both IT Pro and Developer-related topics.

Grand Hotel Neum

Its Twitter hashtag is #MSNetWork.


About my session

You can find me in Sala 3 on Thursday April 20 from 5 PM till 5:45 PM. I’ll be presenting the 45-minute, level 300 version of:

Azure AD Connect, Inside Out

New hybrid cloud scenarios introduce new identity challenges. But how do you overcome these? How do you properly design and implement Hybrid Identity in real-world scenarios? In this demo-packed session, I turn Microsoft’s free Hybrid Identity ‘bridge’ product, Azure AD Connect, inside out, showing all the good stuff, but also the gory details! This session is one no Active Directory admin should miss!


See you there?


Azure Multi-Factor Authentication Server with lots of improvements

After January’s Azure Multi-Factor Authentication Server version release, over the weekend, Microsoft released version of its on-premises Azure Multi-Factor Authentication Server with a lot of performance improvements and other fixes. 

While the changes mentioned in the change log aren’t world shocking, this release should alleviate many of the problems you might have with this product.


What’s New

AD FS adapter performance improvements

Azure Multi-Factor Authentication (MFA) Server’s Active Directory Federation Services (AD FS) adapter was put through its paces and several areas have been identified to improve its performance.

Since most organizations get on the MFA Server bandwagon using the AD FS Adapter, this is very welcome.

Fix AD FS adapter to handle cultures that aren’t associated with a locale ID

Another improvement in the Active Directory Federation Services (AD FS) adapter has to do with multi-language setups.

Tags performance improvements

In multi-forest, multi-domain environments with many groups, assigning tags could be terribly slow. Using Global filters was the workaround for this, but it introduces other challenges.

Log request IDs to allow correlation with backend logs

With the advent of the Web Service SDK Logging feature in Azure Multi-Factor Authentication Server version, putting together the jigsaw puzzle with information from each of the logs is improved with the request ID.

Modified AD sync service to clear phone numbers that are cleared in the directory

When you use the Directory Integration feature and clear the phone number attribute for a (group of) user(s), Azure Multi-Factor Authentication (MFA) Server would not clear it in its database. Starting with this version, it does, overriding the ‘keep synchronized’ setting.

Fix for RADIUS one-way text message fallback to OATH token

Fallback methods play an important role in multi-factor authentication, so it’s good to see fixes and improvements in this area.

Fix for passwords that contain leading or trailing spaces

Even though passwords are securely exchanged for the initial handshake towards the Identity Provider (Active Directory, LDAP), things might go wrong with passwords that contain leading or trailing spaces. This is now fixed.

Change mobile app references from Azure Authenticator to Microsoft Authenticator

While one team may change things, another team might not be able to change gears that fast. After the change from Azure Authenticator to Microsoft Authenticator last August, the Azure Multi-Factor Authentication (MFA) Server team has finally been able to change all the references in their user interfaces and admin interfaces.


Known Issues

Windows Authentication for Remote Desktop Services (RDS) is not supported for Windows Server 2012 R2.


Upgrade considerations

You must upgrade MFA Server and Web Service SDK before upgrading AD FS adapter.
Read the guidance in the How to Upgrade section in this blogpost for more information.



Version of the on-premises Azure Multi-Factor Authentication (MFA) Server can be downloaded via the old-fashioned Azure Management Portal or straight from the MFA Management Portal:

  1. Log on to the Azure Portal.
  2. In the column on the left that lists all the available items and services, scroll down until you reach ACTIVE DIRECTORY.
  3. In the main pane, select the default directory.
  4. Just above the list of directories, click the text MULTI-FACTOR AUTH PROVIDERS.
  5. Click the Multi-Factor Authentication Provider that you’ve configured for your organization and is marked as Active in the STATUS column.
  6. Click MANAGE in the bottom pane on the general settings for the Multi-Factor Authentication Provider.
  7. This will redirect you to your tenant view of the PhoneFactor Portal.
  8. In the main pane of the portal click on the Downloads header.
  9. Click the Download link below the list of supported platforms.

Save MultiFactorAuthenticationServerSetup.exe to a network location where you can use it from each of the Windows Servers that have Azure Multi-Factor Authentication installed.



Azure Multi-Factor Authentication Server version adds a lot of performance improvements and other fixes.

While the changes aren’t world shocking, this release should alleviate many of the problems you might have with this product. I recommend upgrading to this version to get rid of them.

Related blogposts

Azure Multi-Factor Authentication Server version adds Oracle LDAP Support
Azure Multi-Factor Authentication Server version for your convenience 
Azure Multi-Factor Authentication Server version is here  
Azure Multi-Factor Authentication Server reaches version


Whitepaper: What’s New in Active Directory Domain Services since Windows Server 2008 R2

Over the last couple of months, I have actively worked together with Veeam to profile their excellent Veeam Explorer for Active Directory and to help people get more out of their current investments in on-premises Active Directory Domain Services.

One of the projects we’ve worked on is a whitepaper that details what’s new in Active Directory Domain Services since Windows Server 2008 R2, how organizations can benefit from these features and the requirements to enable and/or use each of these features.


About the whitepaper

Veeam whitepaper: What's New in Active Directory

While Active Directory (AD) has been around since Windows 2000 Server, Microsoft has continued to make adjustments and introduce features in newer Windows Server releases, especially in Windows Server 2012. What’s New in Active Directory 2016 covers different AD features and the requirements to enable them.

Scalability boundaries

Learn about two big changes made by Microsoft in Windows Server 2012, which now allow AD environments to grow more easily, and beyond the limitations encountered by AD administrators.

Deployment and migration features

Microsoft has released many improvements to make DC deployment and migration better than ever. Have you ever wondered how to prevent possible issues after a schema update? Do you know how to make your DC aware of the virtual environment to prevent data loss? Have you thought about using DC cloning so you can quickly create a replica DC for DR purposes? Have you heard about the new ways to promote a machine to DC? How about preparing an automatic update for the AD domain and a forest for new versions? Keep reading this white paper, we’ve got you covered!

Security features

In Windows Server 2012 and Windows Server 2012 R2, a couple of features have been introduced to enable domain admins to further lock down their AD environments. One new security feature is Flexible Authentication Secure Tunneling (FAST), or Kerberos Armoring. Start solving common security problems with Kerberos and make sure that clients will never fall back to less secure legacy protocols or weaker cryptographic methods.

On top of all that security goodness, Windows Server 2016 brings Privileged Access Management (PAM) that allows admins to only have administrative privileges when they need them through auto-expiration of these privileges. Did you know that PAM is the only secure way you could actually regain control over a compromised AD environment without throwing it away?

Manageability features

Learn about Active Directory Administrative Center (dsac.exe), which was first introduced with Windows Server 2008 R2. Read about Active Directory Administrative Center’s serious overhaul in Windows Server 2012. In addition to providing Graphical User Interfaces (GUIs) to new features in Active Directory 2012, the functionality has expanded to manage features that were previously only manageable on the command line.

Mobility features

Has your organization adopted a Hybrid Identity approach towards Azure Active Directory? Your AD can help get the devices your users use into Azure Active Directory with the help of Azure AD Connect and (optionally) AD FS. These features are not limited to Windows 10 devices, either.


Read it

You can download the Whitepaper from Veeam after registration.
It’s a PDF file, weighing 653 KB. It was last released in March 2017.


About me

Sander Berkouwer

I am an MCSA, MCSE, MCT, Microsoft Most Valuable Professional (MVP) and Veeam Vanguard. Working for SCCT, a Dutch IT services provider, I have ample experience with deploying and maintaining Microsoft technologies in hundreds of environments, ranging from four to four hundred thousand seats, both on-premises and in the cloud.


I’m speaking at Lowlands Unite! Netherlands Edition

Next week, on Tuesday April 11, 2017, I’ll be delivering a 60-minute session on the Ten most common mistakes when deploying Active Directory Federation Services (AD FS) and Hybrid Identity and how to avoid them at Lowlands Unite! Netherlands Edition.


About Lowlands Unite!

LowLands Unite! Netherlands Edition

Lowlands Unite! is the joint event by the Dutch Windows Management User Group (WMUG) and the System Center User Group (SCUG) Belgium. As you might have learned in school, the two countries are often referred to as the low lands (in terms of sea level, not mood). For the Dutch WMUG, this is the first full-day event and it’s promising to be huge! (Believe me.)

For the location, WMUG chose EndemolShine, the studios in Amsterdam where a lot of popular television formats are recorded. We’re turning this inspiring location into an excellent event location for April 11, 2017, with tasty food, great lighting, and, of course, excellent sessions.

The ten speaking slots are all filled with great sessions in the Enterprise Mobility Suite / Enterprise Client Management track and the Azure / Operations Management Suite and System Center (AOS) track. With 9 Microsoft MVPs and a Microsoft Evangelist, you’re bound to learn something.


About my session

I’m delivering one 60-minute session:

Ten most common mistakes when deploying AD FS and Hybrid Identity and how to avoid them

9:50 AM – 10:50 AM

Active Directory Federation Services (AD FS) is the Microsoft technology to bridge your on-premises Identity systems towards cloud Identity providers, like Azure Active Directory. Colleagues depend on a reliable, yet cost-effective deployment of AD FS and it’s our job as IT Pros to make it happen.

This session covers the 10 most common mistakes we see in the field in organizations that have deployed AD FS and Hybrid Identity. Learn from their mistakes, whether you’ve already deployed AD FS and want to make your implementation more robust, or are holding off on deploying AD FS to avoid these pitfalls.


Join us!

Even though this event is free, it hasn’t sold out yet.

This means there’s still time to join me, the other speakers, your fellow Dutch-speaking IT Pros and, of course, our sponsors, including SCCT, my current employer.

Join us!

Can’t make it on April 11? No worries.
SCUG Belgium is expected to organize a similar event in Belgium in Fall 2017.


Pictures of the Amsterdam Microsoft Tech Summit

The past two days, the Amsterdam RAI was the venue for Microsoft’s 2016-2017 Tech Summit. I attended this event as an expert, just like many of the other Dutch Microsoft MVPs who were also invited to staff the event.

Tech Summit Banners at the Amsterdam RAI (photo from Microsoft Netherlands)
Microsoft Tech Summit banner at the Public Transportation Route (click for larger photo)
The Tech Summit Entrance (photo by Carlo van Venrooij)

On Thursday May 23, I headed for the Amsterdam RAI. Expecting little, I was surprised to see broad invitations to all attendees for the 5PM – 6 PM Ask the Experts reception in Hall 10.

Ask The Experts Reception Announcement (photo by James van den Berg)

On Thursday I performed several labs on demand. It’s great to have such an opportunity during events like this.

Labs On Demand (photo by James van den Berg)

Since all presentations were being recorded and all slides are available through the Tech Community website after registration, this felt like the best way to spend my time. With the Azure Portal, the Office 365 experience and Intune capabilities changing rapidly, I spent time doing labs in each of these areas.

Around five o’clock I made it back to Hall 10. The area was filling up pretty rapidly. I met with a lot of acquaintances and had wonderful conversations with a lot of people.

MVPs at the Amsterdam Tech Summit (photo by Hassan Fadili)

All the Dutch MVPs attending the event gathered for a group picture at around 5:15 PM. At around 6 PM the fun was over and everybody headed home.

Friday May 24, I arrived at the Amsterdam RAI rather late. Friday was a beautiful day, so after the event, a couple of us went for dinner in Amsterdam. Beats the traffic, every time.

A beautiful Amsterdam afternoon (click for original photo)

I was home late Friday night, but very satisfied.

Thank you!


Join me for the Amsterdam Microsoft Tech Summit

As part of a global series of events, on Thursday March 23 and Friday March 24, Microsoft hosts the Tech Summit in the Amsterdam RAI.

Since, from a global point of view, this event takes place in my backyard, I’ll be there as an Ask the Expert, together with many of my Dutch MVP peers.


About the Microsoft Tech Summit

Microsoft Tech Summit Amsterdam

Microsoft Tech Summit is a free, two-day technical training for IT professionals and developers with experts who build the cloud services across Microsoft Azure, Office 365, and Windows 10.

Whether you know your way around the cloud or are just getting started, learn from over 50 technical training sessions and hands-on labs to help you build your cloud skills. Deep dive into the latest innovations covering a range of topics across Microsoft Azure and the hybrid platform, including security, networking, data, storage, identity, mobile, cloud infrastructure, management, DevOps, app platform, productivity, collaboration and more.

Connect with Microsoft engineering experts from Redmond, technology partners and your industry peers who can help you get the most out of the cloud.


About Ask the Experts

Access hundreds of Microsoft engineers and tech leaders ready to help you tackle your toughest dilemmas – they’re up for the challenge.

A bunch of us will be at the event for the entire two days. Expect the usual suspects. But, it’ll get really exciting between 5PM and 6PM on March 23. This is the official Ask the Experts moment, when we’ll be joined by the speakers, drinks and finger food.


See you there?