The videos of my Netwrix webinars are now available

Recording a webinar

Last week, on September 24, 25 and 26, I hosted three 60-minute webinars with Netwrix on my three favorite chapters in my Active Directory Administration Cookbook.

Over 1800 people have registered for these webinars. Now, a mere two working days after the last webinars, the Netwrix team has done everyone a huge favor by already placing the three video recordings online for everyone to watch:


Enjoy!

Simply press the red Watch now buttons and enjoy!
The slides are also available for you to download, although these webinars were mostly demos-only.

These webinars and their videos are offered free of charge, thanks to the sponsoring by Netwrix. By accessing the webinars, full-length videos and slides you agree to their privacy policy.


About Netwrix

Netwrix empowers information security and governance professionals to reclaim control over sensitive, regulated and business-critical data, regardless of where it resides.

Over 10,000 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of enterprise content, pass compliance audits with less effort and expense, and increase the productivity of IT teams and knowledge workers. Founded in 2006, Netwrix has earned more than 150 industry awards and been named to both the Inc. 5000 and Deloitte Technology Fast 500 lists of the fastest growing companies in the U.S.


Learn the intricacies of managing Azure AD, Azure AD Connect as well as Active Directory for Identity and Access Management (IAM) in the cloud and on Windows Server 2019.

Get up to date! Get your 620-page, 147-recipe copy of the Active Directory Administration Cookbook, today. Buy it from Packt directly, or through your favorite local reseller.


I’m speaking at SharePoint Saturday Brussels 2019

SharePoint Saturday Belgium

I’m presenting at SharePoint Saturday Belgium.


About SharePoint Saturday Events

SPS Events is an all-volunteer organization that provides the tools and knowledge needed for groups and event leaders to organize and host SharePoint Saturday Events. SharePoint Saturday Events (SPS Events) are free one-day events held in different cities around the world, featuring sessions from influential and respected SharePoint professionals.

The SharePoint Saturday concept took shape in 2008, with the first SharePoint Saturday event held in early 2009. It grew from speakers who were speaking at Code Camps and SQL Saturdays on SharePoint topics who felt there was enough need in the SharePoint community to warrant their own dedicated events.


About SharePoint Saturday Belgium

On Saturday October 19, 2019, SPS Events hosts its second SharePoint Saturday Belgium event, filled with lots of great sessions, interesting sponsors and, of course, a famous SharePint at the end of the day.

What’s new with Microsoft SharePoint, Office 365, and Azure? Interested visitors will learn all about this on Saturday, October 19, at BluePoint Brussels.

SharePoint Saturday Belgium is organized by BIWUG.


About my session

I’ll present a 50-minute session:

Seven ways Identity enriches your Office 365 and Azure experience

Saturday October 19, 2019, 11:40AM – 12:30PM, Room 4

Azure and Office 365 rely on Azure Active Directory as their identity store.

As tenfold MVP, I know a lot about identity. My experience with numerous organizations, ranging from enterprises to small businesses, has taught me that good identity is important to embracing cloud services.

I’ll show you seven ways identity enriches the experience you, your colleagues and your customers have when using Azure and Office 365, in my typical humorous but straight to the point style.


Join us!

Join some of the very best independent experts from around the world, and Microsoft, as they come together at SharePoint Saturday Belgium this October.

Register here.


KnowledgeBase: Azure AD Connect v1.4 deletes incorrectly synchronized objects for non-Windows 10 devices


On September 10, 2019, Microsoft signed off on the first build of Azure AD Connect in the 1.4 version branch. Currently, this version is only available for organizations that have the Automatic Upgrade feature enabled. In the What’s Fixed section of the release notes for this version, Microsoft stated that:

Fixed a bug where non-Windows 10 computers were syncing unexpectedly.


The situation

Previously, Windows down-level computers joined to on-premises Active Directory Domain Services environments were incorrectly synchronized to Azure AD under some circumstances.

As an example of these circumstances, the userCertificate attribute value for Windows down-level devices in Active Directory is populated. But such devices in Azure AD always remained in the pending state because these Windows versions were not designed to be registered with Azure AD via Azure AD Connect.


The issue

Starting with version 1.4.x.0 of Azure AD Connect:

  • Azure AD Connect stops synchronizing Windows down-level computers to Azure AD
  • Azure AD Connect removes the previously incorrectly synchronized Windows down-level devices from Azure AD.
  • Azure AD Connect might run into the Export Deletion Threshold.

If admins see the deletes of down-level Computer/Device objects in Azure AD exceeding the Export Deletion Threshold, it is advised that the customer allow these deletes to go through.

Some Azure AD admins may see some or all of their Windows down-level devices disappear from Azure AD.

However, Azure AD Connect will not delete any Windows down-level devices that were correctly registered with Azure AD by using the Workplace Join for non-Windows 10 computers package. Those devices will continue to work as expected for the purposes of device-based Conditional Access.
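As an added example that is not part of the original article, the following Windows PowerShell estimates how many on-premises computer objects match the pattern described above (down-level Windows with a populated userCertificate attribute) and compares that number with the Export Deletion Threshold on the Azure AD Connect server, so an admin knows before the 1.4 upgrade whether the threshold is likely to be hit. It assumes the ActiveDirectory and ADSync PowerShell modules are available on the server where it runs, and the property names read from Get-ADSyncExportDeletionThreshold are an assumption.

```powershell
# Added example (not from the original post): estimate how many on-premises
# computer objects match the 'down-level device with userCertificate' pattern
# that Azure AD Connect 1.4 stops synchronizing, and compare that number with
# the Export Deletion Threshold configured on this Azure AD Connect server.
# Assumes the ActiveDirectory and ADSync PowerShell modules are available.

Import-Module ActiveDirectory
Import-Module ADSync

# Computers with userCertificate populated are candidates for device sync.
# Windows 10 reports an operatingSystemVersion that starts with "10.";
# anything else is treated as down-level in this estimate.
$downLevel = Get-ADComputer -LDAPFilter '(userCertificate=*)' `
    -Properties operatingSystem, operatingSystemVersion |
    Where-Object { $_.operatingSystemVersion -notlike '10.*' }

$downLevelCount = @($downLevel).Count

# Assumed output property names of Get-ADSyncExportDeletionThreshold:
# DeletionThresholdEnabled and DeletionThreshold.
$threshold = Get-ADSyncExportDeletionThreshold

Write-Host ("Down-level computers with userCertificate: {0}" -f $downLevelCount)
Write-Host ("Export Deletion Threshold enabled: {0}, value: {1}" -f `
    $threshold.DeletionThresholdEnabled, $threshold.DeletionThreshold)

if ($threshold.DeletionThresholdEnabled -and
    $downLevelCount -gt $threshold.DeletionThreshold) {
    Write-Warning ("The 1.4 upgrade may delete more objects than the threshold " +
        "allows; review the list below and expect the export to stop until " +
        "the deletes are allowed through.")
}

# List the candidates so they can be reviewed (or saved with Export-Csv)
$downLevel | Select-Object Name, operatingSystem, operatingSystemVersion |
    Sort-Object operatingSystem | Format-Table -AutoSize | Out-Host
```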


The cause

Microsoft is cleaning up device objects in Azure AD tenants, that add no value.

This is not a cause for concern, as these device identities were never actually used by Azure AD during Conditional Access authorization.


The solution

To get their Windows down-level devices registered correctly, and to ensure that such devices can fully participate in device-based Conditional Access, the devices need to be Hybrid Azure AD joined correctly.



Changes in Azure AD Connect functionality to allow for increased security levels (in this case by removing stale and non-functional objects) may have an impact on the way Azure AD Connect behaves in your organization.

Further reading

KnowledgeBase: Azure AD Connect enables Auto Upgrades in AD FS Scenarios 
KnowledgeBase: Azure AD Connect upgrade is not reflected in the Office 365 Portal  
Azure AD Connect 1.4 introduces refined AD FS Management Capabilities 
Azure AD Connect fixes an elevation of privilege vulnerability (CVE-2019-1000)
HOWTO: Enforce Azure AD Connect to use TLS 1.2 only


I’m speaking at Office 365 and SharePoint Connect 2019 – Community Edition

Office 365 and SharePoint Connect logo

Office 365 is the cloud service most organizations use. Some of them may not be aware that Azure Active Directory lives underneath their cloud service or behind the ‘Microsoft Office 365 Identity Platform’ Relying Party Trust (RPT) in Active Directory Federation Services (AD FS). That’s why I’ll present at NCComms’ Office 365 and SharePoint Connect 2019 – Community Edition in Haarlem on October 11, 2019.


About Office 365 and SharePoint Connect

The Office 365 and SharePoint Connect conference presents news and announcements from Microsoft Ignite as well as deeper dives into the key topics across Office 365, SharePoint, Azure, OneDrive and Teams. Speakers also include material on wider industry trends such as AI.

Learn how you can move yourself and your company forward with the expert speakers who share their experience, knowledge, and best practices, plus real-world project insights. PLUS – You also have the chance to find out more from the experts who bring you the very latest “What’s new” straight after Microsoft Ignite.

The Office 365 and SharePoint Connect 2018 conference returns to the Netherlands for the ninth year, this year. Speakers for this year’s Office 365 and SharePoint Connect include Adis Jugo, Donald Hessing, Jussi Roine, Luise Freese, Sjoukje Zaal and many others.


About my session

I’ll present one 45-minute session on:

A Life without passwords; dream or reality?

Room D, Friday October 11, 2019 3PM – 3:45PM

The early days of multi-user IT brought us passwords. However, we can safely conclude password-based authentication doesn’t cut it anymore. Recent research showed 81% of hacking-related breaches leveraged either stolen or weak passwords and 20% of support costs for enterprise IT departments are about forgotten passwords… Nobody loves multi-factor authentication either, because it’s complicated to implement and difficult to use.

“Users should never have to deal with passwords in their day-to-day lives.”
Sander Berkouwer 

Join Sander Berkouwer, tenfold Microsoft MVP, in this engaging session on going password-less in your infrastructure. Learn the end-to-end solution, based on open standards, Microsoft technologies and the Microsoft Cloud that allows your organization(s) to minimize password usage and simplify credential management, so user credentials cannot be cracked, breached, or phished anymore.

Be ready to start feeling the love from end-users again, for they no longer have to use technology that sucks…


Join us!

Join some of the very best independent experts from around the world, and Microsoft, as they come together at Office 365 & SharePoint Connect this October in the beautiful city of Haarlem, Netherlands.

Register here.


Azure Multi-Factor Authentication Server was released

Microsoft Azure Multi-Factor Authentication

Roughly a year ago, we saw the release of Microsoft’s Azure Multi-Factor Authentication (MFA) Server, version Last week, Microsoft released another minor version, dubbed version that addresses a couple of issues you might experience with version


What’s New

Fixed issue with AD Sync send email when user enabled state changes

In the Add Synchronization Item window, the option to send email for Only New Users is enabled by default:

The Add Synchronization Item window in Azure MFA Server

However, an issue prevented sending the e-mail message when the Enabled state changed. This issue has been fixed.

Fixed upgrade issue with User Tags

In some scenarios, user tags did not survive Azure MFA Server upgrades.
This issue is now fixed in Azure MFA Server version

Added Kosovo (+383) country code

Former Yugoslavia obtained its +38 code in the 1964 CCITT/ITU Blue Book. However, on October 1, 1993, this country code was divided into +381 (Serbia), +382 (Montenegro), +385 (Croatia), +386 (Slovenia), +387 (Bosnia and Herzegovina) and +389 (Macedonia) when Yugoslavia broke up. At that time, +380, +383 and +388 were not assigned.

+383 was assigned to Kosovo*, after the Republic of Serbia and Kosovo reached an agreement in August 2015. Now, the +383 country code can also be used with Azure Multi-Factor Authentication Server.

Ukraine received the +380 country code in 1995, as it left the Russian Federation in 1991. This effectuated its split from the +7 country code. +388 is assigned to groups of countries. The European Telephony Numbering Space (ETNS) embraced +388 3 for Europe-wide services.

Added One-Time Bypass audit logging

In previous versions of Azure Multi-Factor Authentication Server, the MultiFactorAuth service did not log one-time bypasses. Starting with version, one-time bypasses are logged to MultiFactorAuthSvc.log.

Web Service SDK performance improvements

Azure MFA Server’s Web Service SDK offers access to the database and MFA functionality to the AD FS MFA Adapter (when installed), the User Portal (when installed) and third-party applications (when used). Performance improvements on this central communications hub to the back-end mean these front-end services work faster, too.

Other minor bug fixes

While the above fixes could be classified as minor fixes, the team reports that they’ve fixed other minor issues in Azure Multi-Factor Authentication (MFA) Server as well.


Upgrade considerations

You must upgrade MFA Server and Web Service SDK before upgrading the User Portal or AD FS adapter. Read the guidance in the How to Upgrade section in this blogpost for more information.



You can download Azure Multi-Factor Authentication Server here.
The download weighs 128.4 MB.


Version information

This is version of Azure Multi-Factor Authentication (MFA) Server.
It was signed off on September 9, 2019.


I’m co-organizing the KNVI IT Infra Day of the Year

The Conference Room at the Carlton President Hotel in Maarssen

Raymond, Erwin, Martijn, Tom and I have dedicated time to organize a yearly Dutch event. We want to share the latest in our industry, without the marketing talk and without the corporate bullshit other events bring. In my utterly biased opinion1, there’s only one organization in the Netherlands that can pull that off.

Last year we organized the ‘Roast the Cloud’ event for KNVI members. The year before, we organized the ‘Windows as a Service’ event. It was a lot of fun! This year, we have further improved upon the formula, added some more fun elements and are back for another year.


About KNVI

The Dutch Professional Association of Information and IT Professionals (KNVI) is an independent platform for sharing professional knowledge and expanding the personal networks of ICT Pros, information professionals, students and employers who want to keep their employees up to date.

KNVI organizes multiple meetings per month, publishes AG Connect both online and in print, and offers discounts to its members, like the discount to my Active Directory Administration Cookbook.

KNVI is a merged organization of several professional associations, including the Dutch Networking User Group (Ngi-NGN) and the Dutch Association for Documentary Information and Organization Administration (SOD).


About the KNVI IT Infra Event of the Year

On Thursday October 10, 2019, we’ll transform the Carlton President Hotel in Maarssen into a Walhalla for IT Professionals. We have speakers delivering nine 30-minute sessions in three blocks:

  1. Managing IT, the new reality
    We’ll talk about DevOps as a way to manage teamwork and to manage servers. We’ll also talk about Mobile Device Management to manage devices beyond Windows-based devices.
  2. Do away with legacy
    Many admins still manage their environments like it’s 2005. Typically, this means still imaging devices (with Altiris or Ghost, probably), without benefiting from cloud services and Windows AutoPilot, and experiencing increasing numbers of incidents with passwords. That’s why we’ll talk about Windows AutoPilot, Azure AD DS and Password-less.
  3. The future of IT
    In our third block of sessions, we’ll look ahead to what’s happening in IT from an infrastructure point of view. Software-defined, privacy and quantum are the three keywords for this block of sessions.

After these sessions, we’ll ask the speakers back to the stage to discuss what regrettable moves to avoid and what recommended practices to embrace in the near future.

For immediate answers and discussions, we’ll have speakers in the ‘red room’ available, instead of hiding in a speaker room…


About my session

I’m not just involved in the planning and preparations for the event, I’m also actively presenting a session, together with Raymond Comvalius:

Password-less, or how to get rid of passwords for day-to-day IT Use

2:20PM – 3:05PM (Dutch)

81% of all hacks last year can be attributed to weak, leaked and default passwords. Multi-factor authentication reduces these situations by 99.9%, but people don’t seem to like the hassle of it. If only we could live without passwords…

You can! In this session, Raymond and I look at Windows Hello for Business, Active Directory Federation Services (AD FS) and FIDO2 as the solution for end-users to no longer work with passwords and, in the process, work more securely than they do now.


Join us!

Register here (Dutch).

One of the things we’ve learned last year is that many people wanted to join the event, but either didn’t have the money to join or didn’t want a KNVI membership.

As an IT Pro, you can join the event for € 99.
No strings attached. No nagging marketing afterwards. No privacy issues.
No membership.

Of course, as a member of KNVI, you can join the event for free, anyway.
There’s room for 150 people for this event. We haven’t filled all our seats, yet.

  • 1 I was a member of the board of the KNVI Special Interest Group (SIG) IT Infra.

HOWTO: Handle Windows Update on non-domain-joined Web Application Proxies

This entry is part 10 of 13 in the series Hardening Hybrid Identity

Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll look at best practices to handle Windows Update on non-domain-joined Web Application Proxy servers.

This blogpost assumes you’re running Web Application Proxies as non-domain-joined Server Core Windows Server 2016 installations.

If your Web Application Proxy servers are domain-joined, you can use Group Policy and Windows Server Update Services (WSUS) to take care of Windows Update. However, this option can’t be used for Web Application Proxy servers that are non-domain-joined and/or placed on a perimeter network (also commonly referred to as a DMZ network).


Why look at Windows Update for Web Application Proxies

Every software has bugs. It’s still a human job to produce code. Developers, testers and even quality assurance people also work on Monday mornings. We all make mistakes. It’s how we deal with failure, that defines us.

Microsoft software has bugs. Bugs may be innocent, or they may lead to serious problems like remote code execution, elevation of privilege, information disclosure, security feature bypasses, denial of service, spoofing and/or tampering. However, the way Microsoft handles fixing these bugs stands out. In 2003, Microsoft started with a repetitive, predictable and reported way of announcing and releasing updates to its software, including Windows, Windows Server, Office, Visual Studio, SQL Server, Exchange Server and many others: Patch Tuesday.

Below is a graphical representation of the problems solved in the September 10, 2019 update:

September 2019 Patch Tuesday Analysis

In recent years, Microsoft has split up the security updates from the quality improvement updates. Now, the second Tuesday of each month brings security updates. Quality updates are also released on Tuesday, but usually a week or two weeks after the security updates.

Web Application Proxies need the free updates Microsoft distributes.

Possible negative impact (What could go wrong?)

When Web Application Proxies do not install Windows Updates, they may remain vulnerable to common problems. While many admins think that a proper firewall rule prevents these attacks, some attacks operate at a higher layer than most firewalls do: when the firewall allows TCP 443, it doesn’t merely allow the proper traffic for the Web Application Proxy. Similarly, next-generation firewalls and web application firewalls may inspect the flow of HTTPS traffic between the Internet and Web Application Proxies, but may not detect the newest threats.

When Windows Servers do not install Windows Updates, their functionality may break, as fixes to the role are not added to the Operating System. This holds strongly for Windows Server 2012 R2-based Web Application Proxies, as the role was first introduced in this version and many updates were made to the role in the first year.

When Windows Servers do not install Windows Updates, they may lack new security features and settings. Updates to Root Certification Authorities (CAs), time zone updates and cipher suite updates are common updates that add to the information security baseline. The Extranet Smart Account Lockout feature in AD FS was distributed with a Windows Update to Windows Server 2016.


Four solutions for Windows Updates

There are four solutions to apply Windows Updates to non-domain-joined Web Application Proxies:

  1. Configure to use Windows Update on the web
  2. Configure to use your organization’s WSUS implementation
  3. Manually install Windows updates
  4. Use an update solution


How to do it

To apply Windows Updates to non-domain-joined Web Application Proxies, perform these actions, per scenario:


Configure to use Windows Update on the web

Microsoft offers a standardized method for downloading Windows updates from its webservers. This method is built-in, even in Server Core.

For this scenario, the following requirements need to be met:

Configuring automatic updates

Perform the following steps to configure a Server Core installation to use Windows Update on the web:

  1. Sign in with an account with local administrator privileges.
  2. Run sconfig.cmd.
    The Server Configuration utility starts.
  3. Enter the number 5, followed by pressing the Enter key on the keyboard to enter the Windows Update Settings sub menu.
  4. Press A for Automatic updates, followed by pressing Enter on the keyboard.
  5. In the Update Settings dialog screen, click OK.

The Web Application Proxy will check for and install updates every day at 3:00 AM. The settings take effect immediately. No reboot is required. Repeat the above steps on each Web Application Proxy.


Configure to use your organization’s WSUS implementation

Windows Server Update Services (WSUS) enables admins to deploy the latest Microsoft product updates with full manageability of the distribution of updates in their networks.

WSUS can be deployed in a disconnected scenario, where updates and metadata are exported on one WSUS server and imported on another disconnected WSUS server. This scenario makes WSUS useable in highly-restricted perimeter networks, too.

For this scenario, the following requirements need to be met:

  • A fully functional WSUS server needs to be implemented and synchronized with Microsoft Update.
  • DNS-based name resolution to the Internet for each Web Application Proxy
  • An account with local administrator privileges on each Web Application Proxy

Where the WSUS server addresses are commonly deployed using Group Policy, Web Application Proxies are typically not domain-joined. The following lines of Windows PowerShell add the registry settings that point a Web Application Proxy to a WSUS server:

# Stop the Windows Update service before changing its policy settings
Stop-Service -Name wuauserv

# Address of your WSUS server (placeholder; replace with your own WSUS URL)
$WSUSAddress = "http://wsus.example.com:8530"

# Policy keys read by the Windows Update client (note the HKLM: drive prefix)
$Path = "HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate"
$AUPath = "$Path\AU"

# Create the policy keys when they don't exist yet (a fresh Server Core install has none)
New-Item -Path $Path -Force | Out-Null
New-Item -Path $AUPath -Force | Out-Null

# -Force overwrites the value when it already exists
New-ItemProperty -Path $Path -Name DisableWindowsUpdateAccess `
-Value 1 -PropertyType DWORD -Force

New-ItemProperty -Path $Path -Name WUServer `
-Value $WSUSAddress -PropertyType String -Force

New-ItemProperty -Path $Path -Name WUStatusServer `
-Value $WSUSAddress -PropertyType String -Force

New-ItemProperty -Path $AUPath -Name AUOptions `
-Value 5 -PropertyType DWORD -Force

New-ItemProperty -Path $AUPath -Name NoAutoUpdate `
-Value 0 -PropertyType DWORD -Force

New-ItemProperty -Path $AUPath -Name UseWUServer `
-Value 1 -PropertyType DWORD -Force

# Restart the service so it picks up the new policy
Start-Service -Name wuauserv

The Windows Update client is now configured with Automatic Updates and polls the WSUS server for approved updates every 22 hours minus a random offset.

Repeat the above steps on the other Web Application Proxies.


Manually install Windows updates

In both of the previous scenarios, admins can also manually check for updates and install them.

For this scenario, the requirements of one of the previous scenarios need to be met, but most importantly an account with local administrator privileges on each Web Application Proxy is needed.

Perform these steps:

  1. Sign in with an account with local administrator privileges.
  2. Run sconfig.cmd.
    The Server Configuration utility starts.
  3. Enter the number 6, followed by pressing the Enter key on the keyboard.
  4. Choose between Search for (A)ll Updates or (R)ecommended Updates only by pressing either A or R on the keyboard, followed by pressing Enter on the keyboard.
  5. Then, select between (A)ll updates, (N)o updates or (S)elect a single update, by pressing A, N or S on the keyboard, followed by pressing Enter on the keyboard.
  6. Press Yes in the Restart Required dialog screen to restart the Web Application Proxy.

Repeat the above steps on the other Web Application Proxies.


Use an Update solution

3rd-party patching solutions might offer functionality to update Web Application Proxies. However, I would like to share a really simple solution:

Using “WSUS Offline Update”, you can update any computer running Microsoft Windows and Office safely, quickly and without an Internet connection, for free.

Especially its option to create an ISO file that you can easily mount on virtual machines makes it a fast solution to update hosts in the perimeter network.


Checking which updates are installed

Throughout the lifetime of a Web Application Proxy, you might need to troubleshoot Windows Update. It helps to know whether an update is installed and the server still needs rebooting, or whether an update is not installed at all (in which case you probably won’t need to reboot). The command to use is:

wmic.exe qfe list
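As an added example that is not part of the original post, the following Windows PowerShell audits the update state of a Server Core Web Application Proxy in one go: it reads back the WSUS policy values, lists installed updates (the PowerShell equivalent of wmic qfe list), flags a pending reboot and counts updates that are available but not yet installed. It assumes an elevated session on the proxy itself; the 45-day staleness threshold is an assumption.

```powershell
# Added example (not from the original post): audit the Windows Update state
# of a Server Core Web Application Proxy. Run in an elevated PowerShell
# session on the proxy itself.

# 1. Read back the policy values that point the update client to WSUS
$wuPolicy = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
if (Test-Path $wuPolicy) {
    $wu = Get-ItemProperty -Path $wuPolicy
    $au = Get-ItemProperty -Path "$wuPolicy\AU" -ErrorAction SilentlyContinue
    Write-Host ("WUServer      : {0}" -f $wu.WUServer)
    Write-Host ("WUStatusServer: {0}" -f $wu.WUStatusServer)
    Write-Host ("UseWUServer   : {0}  AUOptions: {1}" -f $au.UseWUServer, $au.AUOptions)
} else {
    Write-Host 'No WSUS policy found; the client uses Windows Update on the web.'
}

# 2. Installed updates, newest first (PowerShell equivalent of wmic qfe list)
$hotfixes = Get-HotFix | Sort-Object InstalledOn -Descending
$hotfixes | Select-Object -First 10 HotFixID, Description, InstalledOn |
    Format-Table -AutoSize | Out-Host

# Warn when the newest update is older than 45 days (assumed threshold: one
# Patch Tuesday plus slack), which usually means updates no longer arrive
$newest = ($hotfixes | Where-Object { $_.InstalledOn } | Select-Object -First 1).InstalledOn
if ($newest -and $newest -lt (Get-Date).AddDays(-45)) {
    Write-Warning ("Newest installed update dates from {0:yyyy-MM-dd}" -f $newest)
}

# 3. Pending reboot: either component servicing or the update client flagged one
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
)
$rebootPending = @($rebootKeys | Where-Object { Test-Path $_ }).Count -gt 0
Write-Host ("Reboot pending: {0}" -f $rebootPending)

# 4. Updates that are available but not yet installed, via the Windows Update
#    Agent COM API (this contacts WSUS or Windows Update, so it needs the same
#    network access as the update client itself)
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
Write-Host ("Updates not yet installed: {0}" -f $result.Updates.Count)
foreach ($update in $result.Updates) {
    Write-Host (" - {0}" -f $update.Title)
}
```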



It’s your choice to create media to manually update your Web Application Proxies, or let them download updates from the Internet or WSUS Servers automatically. However, please remember to implement something to keep the systems in your Hybrid Identity implementation up to date.

Further reading

Windows Update troubleshooting
Fix Windows Update errors
Registry keys for configuring Automatic Updates & WSUS
WSUS Offline Update
How To: Remove WSUS Settings and Restore Windows Update Defaults
Configure a Server Core installation of Windows Server 2016, with Sconfig.cmd
How to Patch Windows Server Core 2016


Azure AD Connect version 1.4 introduces refined AD FS Management Capabilities

It’s time for a new version of Azure AD Connect to incorporate Microsoft’s lessons learned and distribute the fixes Microsoft made to the larger public. Last Friday, Microsoft released the first version in the 1.4 branch of Azure AD Connect: v1.4.18.0.

Azure AD Connect is Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory.



The headline for this release is the refinement of the AD FS management tasks:

  • Enabled six federation management tasks for all sign-in methods in Azure AD Connect. (Previously, only the “Update AD FS SSL certificate” task was available for all sign-ins.)
  • Removed token-signing certificates from the “Reset Azure AD and AD FS trust” task and added a separate sub-task to update these certificates.
  • Added a new federation management task called “Manage certificates” which has sub-tasks to update the SSL or token-signing certificates for the AD FS farm.
  • Added a new federation management sub-task called “Specify primary server” which allows administrators to specify a new primary server for the AD FS farm.
  • Added a new federation management task called “Manage servers” which has sub-tasks to deploy an AD FS server, deploy a Web Application Proxy server, and specify primary server.
  • Added a new federation management task called “View federation configuration” that displays the current AD FS settings. (Because of this addition, AD FS settings have been removed from the “Review your solution” page.)


What’s New

However, this release of Azure AD Connect contains many more new features and improvements:

  • New troubleshooting tooling helps troubleshoot the following scenarios:
    • “user not syncing”
    • “group not syncing”
    • “group member not syncing”
  • Support for national clouds in the Azure AD Connect troubleshooting script
  • The deprecated WMI endpoints for MIIS_Service have now been removed. Any WMI operations should now be done via the Windows PowerShell cmdlets.
  • Security improvement by resetting constrained delegation on AZUREADSSOACC object
  • When adding and/or editing a synchronization rule, if there are any attributes used in the rule that are in the connector schema but not added to the connector, the attributes are automatically added to the connector. The same is true for the object type the rule affects. If anything is added to the connector, the connector will be marked for full import on the next synchronization cycle.
  • Using an account that is a member of the Enterprise admins or Domain admins security group as the connector account is no longer supported.
  • In the Synchronization Manager, a full sync is run when a synchronization rule is created, edited and/or deleted. A popup appears on any rule change, notifying the admin if full import or full sync is going to be run.
  • New mitigation steps for password errors to the ‘connectors > properties > connectivity’ page
  • New deprecation warning for the sync service manager on the connector properties page. This warning notifies the admin that changes should be made through the Azure Active Directory Connect wizard.
  • New error definition for issues with a user’s password policy.
  • Prevent misconfiguration of group filtering by domain and OU filters. Group filtering will show an error when the domain and/or OU of the entered group is already filtered out and keep the admin from moving forward until the issue is resolved.
  • Admins can no longer create a connector for Active Directory Domain Services or Azure Active Directory in the old User Interface.
  • Fixed accessibility of custom UI controls in the Sync Service Manager
  • New warning when changing the sign-in method from federation to Password Hash Synchronization (PHS) or Pass-through Authentication (PTA), that all Azure AD domains and users will be converted to managed authentication.


What’s Fixed

The following issues in Azure AD Connect have been resolved:

  • Resolved a synchronization error issue for the scenario where a user object taking over its corresponding contact object has a self-reference (e.g. user is their own manager).
  • Help popups now show on keyboard focus.
  • For automatic upgrades, if any conflicting app has been running for 6 hours, kill it and continue with the upgrade.
  • Limit the number of attributes a customer can select to 100 per object when selecting directory extensions. This will prevent the error from occurring during export as Azure has a maximum of 100 extension attributes per object.
  • Fixed a bug to make the Active Directory Connectivity script more robust
  • Fixed a bug to make Azure AD Connect install on a machine using an existing Named Pipes WCF service more robust.
  • Improved diagnostics and troubleshooting around group policies that do not allow the ADSync service to start when initially installed.
  • Fixed a bug where the display name for a Windows computer was written incorrectly.
  • Fix a bug where the OS type for a Windows computer was written incorrectly.
  • Fixed a bug where non-Windows 10 computers were syncing unexpectedly. Note that the effect of this change is that non-Windows-10 computers that were previously synced will now be deleted. This does not affect any features as the sync of Windows computers is only used for Hybrid Azure AD domain join, which only works for Windows-10 devices.
  • Added several new (internal) cmdlets to the ADSync PowerShell module.


Version information

This is version of Azure AD Connect.
The first release in the 1.4 branch for Azure AD Connect was made available for download on September 10, 2019.


Pictures of the NLVMUG BBQ

VMUG - VMware User Group

On Monday, I visited the BBQ organized by the Dutch chapter of the VMware User Group (NLVMUG).

NLVMUG at BeachClub Down Under (click for larger photo)

The NLVMUG BBQ was held at Beach Club Down Under in Nieuwegein.

This year’s NLVMUG BBQ is conveniently scheduled after VMworld US (just two weeks ago) and well before VMworld Europe. Naturally, both the VMworld Europe event and NLVMUG’s own User Conference (March 19th, 2020, in De Fabrique in Utrecht).


The Dutch chapter of the VMware User Group (NLVMUG) organizes events for people who work with VMware products and solutions in the Netherlands. As a chapter, members of the NLVMUG also benefit from the larger VMUG umbrella.

NLVMUG is run by ITQ’s Dennis Hoegen Dijkhof and my former colleague Joep Piscaer, both fellow vExperts.

Taking a picture with Joep (click for larger photo)

Of course, on my way out, I snuck a pair of NLVMUG socks and other goodies in my bag. VMUG SWAG is awesome!


I enjoyed wonderful food, excellent friends and insightful discussions.

Thank you, NLVMUG! Thumbs up


Domain Controller Cloning on VMware vSphere

This entry is part 6 of 6 in the series Virtualizing Domain Controllers on vSphere

Virtualizing Domain Controllers

After detailing Active Directory Virtualization Safeguards with VM-GenerationID in part 5 of this series on Virtualizing Domain Controllers on vSphere, it’s time to talk about the second Active Directory Domain Services feature that is enabled through the VM-GenerationID technology: Domain Controller cloning.


About Domain Controller cloning

Microsoft recommends not re-using Domain Controllers for other roles. When sticking with this recommended practice, Domain Controllers running the same Windows Server version in your environment are 99% identical.

In many large organizations, however, deploying an additional Domain Controller, even a virtual one, is a change that might span weeks. After the initial installation and promotion, multiple agents, additional software and tweaks need to be installed and applied before it is a full member of the Domain Controllers OU.

Each virtual Domain Controller stores the VM-GenerationID it last saw in the msDS-GenerationId attribute of its own computer object in the Active Directory database; this attribute is not replicated. At boot, and whenever the hypervisor signals a change, the Domain Controller compares that stored value with the VM-GenerationID the hypervisor currently exposes to the guest. A mismatch tells the Domain Controller that its virtual hard disk has been copied or rolled back, and is therefore being re-used.

What happens next depends on DCCloneConfig.xml. When the VM-GenerationID has changed and a DCCloneConfig.xml file is present, the Domain Controller promotes itself as a new, cloned Domain Controller. When the VM-GenerationID has changed and the file is absent, the Domain Controller applies the virtualization safeguards from part 5 instead: it discards its RID pool, takes a new invocationID and boots normally. The reference Domain Controller itself, whose VM-GenerationID is unchanged, never clones. A cloning attempt that fails (for instance because of non-cloneable software, or because the PDC emulator cannot be reached) boots into Directory Services Restore Mode (DSRM), so that a half-configured copy cannot serve logons.

Domain Controller cloning enables fast, safer Domain Controller provisioning through clone operations. These operations include regular VM cloning and manual VMDK copy operations.

VMware Converter’s Hot cloning feature is not supported with Domain Controller cloning. The ‘cloning’ name overlay is purely coincidental.

Situations where Domain Controller cloning isn’t beneficial

There are a couple of situations where Domain Controller Cloning isn’t beneficial:

  • When you want to promote a Domain Controller in a remote location with limited bandwidth. When the remote location features a virtualization host and a VM template for the desired Windows Server version, it’s more beneficial to perform an Install from Media (IfM) installation. This is especially true when transferring the virtual hard disk of a cloneable Domain Controller might take longer than the tombstone lifetime (60 days by default in forests created before Windows Server 2003 SP1, 180 days in forests created since); a copy older than that can no longer be brought back into replication safely.
  • When the agents and the software you install on Domain Controllers to make them fully functional isn’t cloneable and, thus, breaks Domain Controller cloning.



The list of requirements to allow Domain Controller cloning starts with the requirements for VM-GenerationID, as shared earlier:

  1. VMware vSphere needs to run version 5.0 update 2, or up.
  2. VMware tools need to be installed and running on virtual Domain Controllers, ideally with a version that matches the VMware vSphere version.
  3. The virtual Domain Controller needs to run Windows Server 2012, or up.
  4. The Virtual Machine hardware version needs to be version 7, or up.

On top of these requirements, Domain Controller cloning adds additional requirements:

  • At least one Windows Server 2012-based Domain Controller (or a newer version of Windows Server) needs to be configured to host the Primary Domain Controller emulator (PDCe) Flexible Single Master Operations (FSMO) role. This change should be replicated to all Domain Controllers in affected Active Directory sites.
  • The Domain Controller holding the RID Master FSMO role needs to be available during the cloning process, as the clone draws a fresh RID pool from it.
  • DNS needs to be available during the cloning process.
  • The reference Domain Controller cannot be a Read-only Domain Controller.
  • The reference Domain Controller needs to be a member of the Cloneable Domain Controllers security group in Active Directory or needs to be granted the DS-Clone-Domain-Controller extended right.
  • The reference Domain Controller cannot be assigned Managed Service Accounts (MSAs), unless these accounts are group Managed Service Accounts (gMSAs).
  • A DCCloneConfig.xml file needs to be available to the cloned Domain Controller in the folder of the Active Directory database (by default: C:\Windows\NTDS) or in the root of a removable drive. A CustomDCCloneAllowList.xml file is needed in the same location only when the reference Domain Controller runs software that is not on Microsoft’s default allow list.
  • Applications that are incompatible with cloning should be uninstalled or, after you have validated them, added to CustomDCCloneAllowList.xml.

To be able to clone a Virtual Machine in vSphere, you must have the following privileges within the vSphere infrastructure:

  • Virtual machine.Provisioning.Clone virtual machine on the virtual machine you are cloning.
  • Virtual machine.Inventory.Create from existing on the datacenter or virtual machine folder.
  • Virtual machine.Configuration.Add new disk on the datacenter or virtual machine folder.
  • Resource.Assign virtual machine to resource pool on the destination host, cluster, or resource pool.
  • Datastore.Allocate space on the destination datastore or datastore folder.
  • Network.Assign network on the network to which the virtual machine will be assigned.
  • Virtual machine.Provisioning.Read customization specifications on the root vCenter Server, if you are customizing the guest operating system (which you should not do for Domain Controller cloning).


Recommended practices

Having performed Domain Controller cloning in a large environment and in many demos, I recommend adhering to these practices:

  • Leave the Cloneable Domain Controllers security group in Active Directory empty in-between clone operations, so that the DS-Clone-Domain-Controller right is only granted for the duration of an operation.
  • Inventory and validate all software, agents, services and applications on the reference Domain Controller before cloning. VMware Tools is validated and works with Domain Controller cloning.
  • Always shut down the reference Domain Controller prior to cloning.
  • Ensure that the reference Domain Controller holds no Flexible Single Master Operations (FSMO) role.

When creating many clones from one reference Domain Controller, please:

  • Don’t use -CloneComputerName or -Static -IPv4Address when creating the DCCloneConfig.xml file, as this results in clones with the same hostname and/or IPv4 address.
  • Ensure that the Dynamic Host Configuration Protocol (DHCP) service is functional in the infrastructure. The information specified in DcCloneConfig.xml should be unique. When a duplicate or invalid computer name is specified, when an IP address conflict is detected, when IP and DNS information is left out and there is no DHCP Server on the network, when only one WINS Server address is specified or when a typo is made in the Active Directory site name, Domain Controller Cloning will halt.
  • Don’t turn on the reference Domain Controller, until all mass cloning operations have finished. Alternatively, convert the first clone to a template and deploy new Domain Controllers from this template, but remember that this template is only re-useable for the duration of the Tombstone Lifetime.


How to clone a Domain Controller on vSphere

Perform these steps to clone a reference Domain Controller that is running as a virtual machine on VMware vSphere, resulting in a cloned Domain Controller, also running as a virtual machine on VMware vSphere:

1. Add the reference Domain Controller to the Cloneable Domain Controllers group

To add the reference Domain Controller to the Cloneable Domain Controllers security group, use the following PowerShell one-liner:

Add-ADGroupMember -Identity "Cloneable Domain Controllers" -Members "cn=dc01,ou=Domain Controllers,dc=domain,dc=tld"

You can run the above command on the reference Domain Controller itself, on another Domain Controller, or on any domain-joined device with the Active Directory module for Windows PowerShell installed, signed in with credentials that allow you to manage the security group. In the latter two cases, make sure the change has replicated to the Domain Controller holding the PDCe FSMO role, the Domain Controller holding the RID Master role and the reference Domain Controller before continuing: the clone authenticates to the PDCe, which checks the group membership.

2. Resolve Managed Service Account (MSA) issues

Standalone Managed Service Accounts installed on the reference Domain Controller block cloning; group Managed Service Accounts do not. The msDS-HostServiceAccount attribute of the reference Domain Controller’s computer object lists the service accounts linked to it. To unlink the standalone ones automatically, use the following PowerShell one-liner (replace DC01 with the name of your reference Domain Controller; the services that used these accounts need another logon account afterwards):

Get-ADComputer -Identity "DC01" -Properties msDS-HostServiceAccount | Select-Object -ExpandProperty msDS-HostServiceAccount | Get-ADServiceAccount | Where-Object { $_.ObjectClass -eq "msDS-ManagedServiceAccount" } | ForEach-Object { Remove-ADComputerServiceAccount -Identity "DC01" -ServiceAccount $_ }

Do not pipe Get-ADServiceAccount into Remove-ADServiceAccount for this purpose: that deletes the service account objects from the domain rather than unlinking them from the reference Domain Controller.

3. Resolve problems with non-cloneable applications, agents and services

You would typically run the Get-ADDCCloningExcludedApplicationList PowerShell Cmdlet to get a list of the programs and services blocking successful Domain Controller Cloning. The following PowerShell one-liner can be used to automatically create the CustomDCCloneAllowList.xml file in C:\Windows\NTDS:

Get-ADDCCloningExcludedApplicationList -GenerateXml -Path C:\Windows\NTDS -Force

4. Create the DCCloneConfig file

At this stage, run the New-ADDCCloneConfigFile PowerShell cmdlet. You do not need to specify any parameters if you don’t want to. The cmdlet re-runs the PDCe and excluded-application checks and refuses to write the file when they fail.

When you don’t add any parameters, this Cmdlet will create the cleanest of DCCloneConfig.xml files in the Active Directory database path. This specific file will use the following Domain Controller Cloning configuration:

  • The target Domain Controller will be assigned IP-addresses through DHCP.
  • The target Domain Controller name will be automatically generated (the first eight characters of the reference Domain Controller’s name, followed by -CL and a four-digit number).
  • The target Domain Controller will be assigned the same Active Directory site as the reference Domain Controller.

If you want to specify a host name, Active Directory site or IP addressing information, a sample PowerShell one-liner would look like the following (fill in the IPv4 values for your environment):

New-ADDCCloneConfigFile -CloneComputerName "DC02" -SiteName "ADSite01" -Static -IPv4Address "<address>" -IPv4SubnetMask "<subnet mask>" -IPv4DefaultGateway "<default gateway>" -IPv4DNSResolver "<DNS server>"

5. Shut down the reference Domain Controller

Now, shut down the Domain Controller from within Windows Server, for instance with the Stop-Computer PowerShell cmdlet:

Stop-Computer

6. Clone the reference Domain Controller from vCenter

Perform these steps to clone the reference Domain Controller:

  • Open and log into the VMware vSphere Client or vSphere Web Client.
  • Locate the virtual machine you wish to clone in the inventory.
  • Right-click the virtual machine and select Clone and then Clone to Virtual Machine from the context menu.
  • On the Select a name and folder page, enter a unique name for the clone Domain Controller and select a deployment location.
  • Click Next.
  • On the Select a compute resource page, select the host, cluster, resource pool, or vApp where the clone Domain Controller will run.
  • Click Next.
  • On the Select storage page, select the datastore or datastore cluster in which to store the virtual machine configuration files and all of the virtual disks.
  • Click Next.
  • On the Select clone options page, do not select Customize the operating system or Customize this virtual machine’s hardware for the clone Domain Controller; guest customization (Sysprep) would break the cloning process.
  • On the Ready to complete page, review the virtual machine settings and click Finish.

After the clone operation succeeds, the clone Domain Controller appears in the inventory. Start it.

Start the reference Domain Controller when cloning completes, or keep it powered off as a template Domain Controller. A powered-off template can only be used for a period bounded by the Active Directory tombstone lifetime; after that, its copy of the database is too old to be reintroduced into replication.
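As an added example (not code from the original post, nor from Microsoft or VMware), the following PowerShell script runs steps 1 through 5 above as one pre-flight on the reference Domain Controller, including the MSA check from step 2 and the mass-cloning advice from the recommended practices, and wraps step 6 in a PowerCLI function plus a post-clone check. The names DC01, DC02, ADSite01, vcenter.domain.tld, esx01.domain.tld and DS01 are assumptions, and Invoke-DcClone and Test-DcCloneResult are helper functions defined here, not cmdlets.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the original post. Steps 1-5 of the procedure above as one
# pre-flight script on the reference Domain Controller, plus a PowerCLI clone function
# (step 6) and a post-clone check. All host, site and datastore names are assumptions.
param(
    [string]$CloneName = "DC02",   # pass -CloneName "" when mass cloning: names are then auto-generated
    [string]$SiteName  = "ADSite01",
    [switch]$ShutDown              # actually power off at the end (step 5)
)
Import-Module ActiveDirectory
$domain = Get-ADDomain
$forest = Get-ADForest
$ref    = Get-ADDomainController -Identity $env:COMPUTERNAME

# Pre-flight: the reference DC must be writable and must not hold any FSMO role.
if ($ref.IsReadOnly) { throw "$($ref.HostName) is an RODC and cannot be cloned." }
$fsmo = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster,
          $forest.SchemaMaster, $forest.DomainNamingMaster)
if ($fsmo -contains $ref.HostName) { throw "$($ref.HostName) holds a FSMO role; transfer it first." }

# Pre-flight: the clone asks the PDCe for its identity and draws a fresh RID pool from the
# RID Master, so the PDCe must run Windows Server 2012 (NT 6.2) or later and both must be up.
$pdce  = Get-ADDomainController -Identity $domain.PDCEmulator
$osVer = ((Get-ADComputer -Identity $pdce.ComputerObjectDN -Properties OperatingSystemVersion).OperatingSystemVersion -split ' ')[0]
if ([version]$osVer -lt [version]'6.2') { throw "PDCe $($pdce.HostName) runs OS $osVer; 6.2 or later required." }
foreach ($role in $domain.PDCEmulator, $domain.RIDMaster) {
    if (-not (Test-Connection -ComputerName $role -Count 1 -Quiet)) { throw "$role is unreachable." }
}

# Step 1: allow this DC to clone itself and push the group change to the PDCe immediately
# instead of waiting for scheduled replication.
$group = Get-ADGroup -Identity "Cloneable Domain Controllers"
Add-ADGroupMember -Identity $group -Members $ref.ComputerObjectDN -Server $ref.HostName
Sync-ADObject -Object $group.DistinguishedName -Source $ref.HostName -Destination $pdce.HostName

# Step 2: standalone MSAs break cloning, gMSAs do not. Unlink only the standalone ones from
# this host; the service that used the MSA needs another logon account afterwards.
# Never use Remove-ADServiceAccount here: that deletes the account object domain-wide.
$hosted = (Get-ADComputer -Identity $ref.ComputerObjectDN -Properties msDS-HostServiceAccount).'msDS-HostServiceAccount'
foreach ($dn in @($hosted | Where-Object { $_ })) {
    $sa = Get-ADServiceAccount -Identity $dn
    if ($sa.ObjectClass -eq 'msDS-ManagedServiceAccount') {
        Write-Warning "Unlinking standalone MSA $($sa.Name) from $($ref.HostName)"
        Remove-ADComputerServiceAccount -Identity $ref.ComputerObjectDN -ServiceAccount $sa -Confirm:$false
    }
}

# Step 3: software Microsoft has not marked clone-safe. Generating the allow list asserts
# that you validated every item on it, so read the warning before trusting the file.
$ntds = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Working Directory'
$excluded = @(Get-ADDCCloningExcludedApplicationList)
if ($excluded.Count -gt 0) {
    Write-Warning "Allow-listing without validation: $($excluded.Name -join ', ')"
    Get-ADDCCloningExcludedApplicationList -GenerateXml -Path $ntds -Force
}

# Step 4: write DCCloneConfig.xml (DHCP addressing). Without -CloneComputerName the clone
# gets an auto-generated name, which is what you want when creating many clones.
if ($CloneName) { New-ADDCCloneConfigFile -CloneComputerName $CloneName -SiteName $SiteName }
else            { New-ADDCCloneConfigFile -SiteName $SiteName }
Get-Item (Join-Path $ntds 'DCCloneConfig.xml')

# Step 5: power off; clone only from a powered-off VM so every clone gets the same disk.
if ($ShutDown) { Stop-Computer -Force }

# Step 6, run from a PowerCLI workstation (assumed module: VMware.PowerCLI): clone the
# powered-off reference VM $Count times without any guest customization.
function Invoke-DcClone {
    param([string]$VCenter = 'vcenter.domain.tld', [string]$SourceVM = 'DC01',
          [string]$VMHost = 'esx01.domain.tld', [string]$Datastore = 'DS01', [int]$Count = 1)
    Connect-VIServer -Server $VCenter | Out-Null
    $src = Get-VM -Name $SourceVM
    if ($src.PowerState -ne 'PoweredOff') { throw "Power off $SourceVM before cloning." }
    1..$Count | ForEach-Object {
        New-VM -Name ('{0}-clone{1:d2}' -f $SourceVM, $_) -VM $src `
               -VMHost (Get-VMHost -Name $VMHost) -Datastore (Get-Datastore -Name $Datastore) | Start-VM
    }
}

# After the clone has booted: it must carry its own invocationId and VM-GenerationID.
# msDS-GenerationId is not replicated, so each DC is asked for its own computer object.
function Test-DcCloneResult {
    param([string]$SourceDC = 'DC01', [string]$CloneDC = 'DC02')
    $ids = foreach ($name in $SourceDC, $CloneDC) {
        $dc = Get-ADDomainController -Identity $name
        [pscustomobject]@{
            Name         = $name
            InvocationId = "$((Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties invocationId).invocationId)"
            GenerationId = "$((Get-ADComputer -Identity $dc.ComputerObjectDN -Server $dc.HostName -Properties 'msDS-GenerationId').'msDS-GenerationId')"
        }
    }
    $ids | Format-Table -AutoSize | Out-Host
    return ($ids[0].InvocationId -ne $ids[1].InvocationId) -and ($ids[0].GenerationId -ne $ids[1].GenerationId)
}
```

Run the script on the reference Domain Controller as a member of Domain Admins, then call Invoke-DcClone from a workstation with PowerCLI and, once the clone has finished promoting itself, Test-DcCloneResult from any machine with the Active Directory module. A result of $false from that last check means the new VM booted with the reference Domain Controller’s identity intact, which is exactly the duplicate-USN situation the VM-GenerationID safeguards exist to prevent; in that case, do not leave the VM running.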



Domain Controller Cloning is useful when you want to create a replica Domain Controller fast.

Of course, you can use it to quickly create an extra Domain Controller when the current Domain Controllers are burdened, but you can also use it as a Disaster Recovery method. More on that in the next blogpost in this series.

Related Microsoft KnowledgeBase Articles

2742844 Domain controller cloning fails, server boots in DSRM
2742908 After cloning domain controller, “no logon servers available”
2742927 New-AdDcCloneConfig error “Index was out of range”
2747974 Domain controller cloning event 2224 gives incorrect guidance
2742959 Domain controller cloning error 8437
2743278 Domain controller cloning error 0x80041005
2742916 Domain controller cloning fails with error 8610
2742970 DC cloning fails with no DSRM, duplicate source and clone computer
2745013 New-AdDcCloneConfigFile error “the server is not operational”
2742874 DC cloning does not recreate all service principal names
2742836 Extra DHCP leases after cloning domain controllers

Related VMware KnowledgeBase Articles

1027865 Cloning virtual machines in vCenter Server