Top Windows Server 2012 R2 Hyper-V Virtualization Features

1. Hybrid Cloud

Windows Azure Infrastructure-as-a-Service (IaaS) is built on the same hypervisor as Windows Server. This means that there is complete virtual machine compatibility between the private cloud, partner public clouds, and the Microsoft-owned public cloud. Customers now have to ask themselves: “Where do I want my service to run today?”

2. Compressed Live Migration

A compression engine is built into Live Migration in Windows Server 2012 R2 Hyper-V. The processor in hosts is often underused, so this engine makes use of this spare resource to compress the memory of virtual machines that are being moved before the memory pages are copied across the Live Migration network. Hyper-V will monitor the utilization of CPU resources on the host and throttle compression to prioritize guest services. Enabling Live Migration compression on networks with 10 Gbps or less without Remote Direct Memory Access (RDMA/SMB Direct) support will greatly reduce the time it takes to move virtual machines (not including storage migration).

3. SMB Direct Live Migration

Live Migration can be configured to leverage SMB Direct (Remote Direct Memory Access, or RDMA) on hosts that have NICs with support for this feature. The feature provides hardware-offloaded, accelerated copying of memory pages over SMB 3.0 NICs, and it can take advantage of SMB Multichannel to span multiple networks. SMB Direct Live Migration is the fastest way to live migrate virtual machines (not including storage) from one host to another.
A crazy fact: Memory speed will be the bottleneck on a host with PCI3 support and three RDMA NICs for Live Migration!

This feature allows very interesting new architectures, especially where organizations have decided to deploy SMB 3.0 storage with support for SMB Direct. Investments in RDMA can be leveraged to move virtual machines very rapidly over these physical networks (with QoS applied for SLA). For example, Cluster Aware Updating (CAU) will be performed much more rapidly.

4. Live Resizing of VHDX

Virtual hard disks of the VHDX format that are attached to the SCSI controllers of virtual machines can be resized without shutting down the virtual machine. VHDX files can be up- and down-sized. Downsizing can only occur if there is unpartitioned space within the VHDX. This feature supports both Windows and Linux guests.

Live Resizing of VHDX files will be of huge value to those running mission critical workloads. It will also offer a new self-service elasticity feature for clouds.

5. Storage Quality of Service (QoS)

New storage metrics for IOPS have been added to WS2012 R2. With these metrics, you can determine the IOPS requirements of virtual machines and put caps on storage activity. This limits how much physical disk activity virtual machines can generate, and therefore limits the damage that activity spikes can do to other virtual machines and their guest services.

One of the concerns with shared storage is the possibility of a race for storage throughput. Enabling Storage QoS will limit the damage that any virtual machine or tenant can do in a cloud.

6. Live Virtual Machine Cloning

WS2012 R2 Hyper-V allows you to clone a running virtual machine. This will create an exact copy of the virtual machine that is stored in a saved state. This feature supports GenerationID. That means you can use Live Virtual Machine Cloning to create Active Directory supported clones of a virtual domain controller that is not the PDC Emulator.

This feature will be useful for situations where you need to debug a production system or you want to perform tests, such as guest OS upgrades.

7. Virtual Machine Export Improvements

You can export a virtual machine with a checkpoint (formerly known as a snapshot) and you can export a checkpoint of a virtual machine.

8. Linux Guest OS Support Enhancements

Dynamic Memory will be supported in Linux guest OSs on Windows Server 2012 R2 Hyper-V. This will give much better memory optimization for Linux virtual machines, and it will allow for much greater densities. Linux distributions with built-in Linux Integration Services for Hyper-V support are already available.

There will be support for online backup of Linux guest OSs. This is not Volume Shadow Copy Service (VSS) for Linux, and it does not give an application-consistent backup. Instead, a file-system-consistent backup is created by freezing the file system. This feature does require an upgrade of any already deployed Linux Integration Services.

9. Shared VHDX

You can configure up to 64 virtual machines to share a single VHDX file on some shared storage (such as CSV or SMB 3.0). The VM sees the shared VHDX as a shared SAS disk with SCSI-3 persistent reservations. This is for data volumes to create guest clusters, and not for shared boot volumes. It works with down-level guest OSs, such as W2008 R2 with the WS2012 R2 Hyper-V Integration Components installed. This feature is supported by Service Templates in VMM 2012 R2.

This will drastically simplify guest clustering, where virtual machines are used to create a highly available service at the application layer. This could eliminate the need for guest attachment to physical LUNs and will be accommodating to self-service deployment within a cloud.

10. Hyper-V Replica Improvements

The default period for asynchronous replication of the Hyper-V Replica Log is every 5 minutes, but this can be changed to every 30 seconds or every 15 minutes. This allows companies to choose the allowed recovery point objective (RPO) – the maximum allowed amount of data loss in time.

Hyper-V Replica can now be extended to a third site. This is an A-B-C extension, and not an A-B/A-C extension. For example, a company might replicate virtual machines from the primary site to a local secondary site. This might be configured to happen every 30 seconds. Replica virtual machines in the secondary site might be replicated to a distant third site (such as a hosting company) maybe every 15 minutes. In the event of an unplanned failover, this would give an RPO of 30 seconds in the secondary site and an RPO of 15 minutes and 30 seconds in the third site.

The performance and scalability of Hyper-V Replica has been improved. Maintaining historical copies of virtual machines in the secondary site is costly (IOPS). This has been reduced, so maintaining historical copies of your replica VMs will not punish your storage in the secondary site.

11. VM Connect

The crippled virtual machine connection of the past is being replaced by a Remote Desktop experience that is built into the virtualization stack. This has no dependency on the virtual machine’s networking. By default, this feature is disabled in WS2012 R2 Hyper-V and enabled in Windows 8.1 Client Hyper-V.

Things that Remote Desktop VM Connect allows you to do include:

  • Copy and paste text and images.
  • Copy files to and from the client desktop.
  • Use session-based USB redirection. This means you might use a USB stick to copy files. It is not a USB dongle solution.


Directory synchronization for Office 365

Plan for directory synchronization for Office 365:

Depending on business needs, technical requirements, or both, directory synchronization is the most common provisioning choice for enterprise customers who are moving to Office 365. Directory synchronization allows identities to be mastered on-premises and all updates to that identity are synchronized to Office 365.

There are a couple of things to keep in mind when you plan an implementation of directory synchronization, including directory preparation, and the requirements and functionality of the Windows Azure Active Directory. Directory preparation covers quite a few areas. They include attribute updates, auditing, and planning domain controller placement. Planning requirements and functionality includes determining the permissions that are required, planning for multiforest/directory scenarios, capacity planning, and two-way synchronization.


Directory Synchronization and Source of Authority

In an Office 365 environment, source of authority refers to the location where Active Directory service objects, such as users and groups, are mastered (an original source that defines copies of an object) in a cross-premises deployment.

You can change the source of authority for an object by using one of these scenarios—activate, deactivate, or reactivate directory synchronization from within Office 365 or with Windows PowerShell. Source of authority is transferred from Office 365 to your on-premises directory service after you perform the first sync.

Domain Controller Requirements

The on-premises Active Directory forest must meet specific requirements. They include requirements for the schema master, global catalog servers, and domain controllers. It’s important to carefully read the latest requirements and ensure that your on-premises directory servers meet those requirements. 

Active Directory Cleanup

To help ensure a seamless transition to Office 365 by using synchronization, we highly recommend that you prepare your Active Directory forest before you begin your Office 365 directory synchronization deployment.

Your directory remediation efforts should focus on the following tasks:

  • Remove duplicate proxyAddress and userPrincipalName attributes.
  • Update blank and invalid userPrincipalName attributes with valid userPrincipalName attributes.
  • Remove invalid and questionable characters in the givenName, surname (sn), sAMAccountName, displayName, mail, proxyAddresses, mailNickname, and userPrincipalName attributes.
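The three remediation tasks above are easy to state and tedious to do by hand. The following is an added example, not code from the original post or from Microsoft's directory tooling, that runs the same checks in Python over a constructed user export (the kind of data you would get from a Get-ADUser dump). The character policy and the userPrincipalName pattern in it are assumptions for illustration; the real rules come from Microsoft's attribute requirements, and the records are constructed, not real directory data.

```python
"""Pre-sync directory remediation checks over an exported user list."""
import re
from collections import defaultdict

# Character policy used by this example. It is an assumption for illustration;
# confirm it against the current Office 365 attribute requirements before use.
FORBIDDEN_CHARS = set('<>"[];:,\\|*?')
NO_SPACE_ATTRS = {"sAMAccountName", "mailNickname", "mail"}
CHAR_CHECKED_ATTRS = ["givenName", "sn", "sAMAccountName", "displayName",
                      "mail", "mailNickname"]
# Assumed userPrincipalName shape: local part of letters, digits, '.', '-', '_'
# that does not start with '.', a single '@', then a dotted DNS domain.
UPN_RE = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9._-]*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Constructed sample records shaped like a Get-ADUser export; not real directory data.
SAMPLE_USERS = [
    {"sAMAccountName": "jsmith", "userPrincipalName": "jsmith@contoso.com",
     "mail": "jsmith@contoso.com", "displayName": "John Smith", "givenName": "John",
     "sn": "Smith", "mailNickname": "jsmith",
     "proxyAddresses": ["SMTP:jsmith@contoso.com", "smtp:john.smith@contoso.com"]},
    {"sAMAccountName": "jdoe", "userPrincipalName": "",
     "mail": "jdoe@contoso.com", "displayName": "Jane Doe", "givenName": "Jane",
     "sn": "Doe", "mailNickname": "jdoe",
     "proxyAddresses": ["SMTP:jdoe@contoso.com", "smtp:John.Smith@contoso.com"]},
    {"sAMAccountName": "jsmith2", "userPrincipalName": "JSmith@contoso.com",
     "mail": "jsmith2@contoso.com", "displayName": "John Smith (2)", "givenName": "John",
     "sn": "Smith", "mailNickname": "jsmith2", "proxyAddresses": ["SMTP:jsmith2@contoso.com"]},
    {"sAMAccountName": "svc_sync", "userPrincipalName": "svc sync@contoso.com",
     "mail": "", "displayName": "Sync <Service>", "givenName": "Sync",
     "sn": "Service", "mailNickname": "svc_sync", "proxyAddresses": []},
]


def _address_key(proxy_address):
    """Normalize 'SMTP:User@Example.com' to 'user@example.com'. The prefix case only
    marks primary vs. secondary addresses and is irrelevant for duplicate detection."""
    _, sep, addr = proxy_address.partition(":")
    return (addr if sep else proxy_address).strip().lower()


def find_issues(users):
    """Return (account, attribute, problem) tuples for the remediation items listed
    above: duplicate proxyAddresses/UPNs, blank or invalid UPNs, bad characters."""
    issues = []
    upn_owners = defaultdict(list)
    proxy_owners = defaultdict(list)
    for user in users:
        sam = user.get("sAMAccountName", "")
        upn = (user.get("userPrincipalName") or "").strip()
        if not upn:
            issues.append((sam, "userPrincipalName", "blank"))
        elif not UPN_RE.match(upn):
            issues.append((sam, "userPrincipalName", "invalid format"))
        else:
            upn_owners[upn.lower()].append(sam)
        for addr in user.get("proxyAddresses", []):
            proxy_owners[_address_key(addr)].append(sam)
        for attr in CHAR_CHECKED_ATTRS:
            value = user.get(attr) or ""
            bad = sorted({c for c in value
                          if c in FORBIDDEN_CHARS or (c == " " and attr in NO_SPACE_ATTRS)})
            if bad:
                issues.append((sam, attr, "invalid characters: " + "".join(bad)))
    # Duplicates are reported once, naming every account that shares the value.
    for upn, owners in upn_owners.items():
        if len(owners) > 1:
            issues.append((",".join(owners), "userPrincipalName", "duplicate " + upn))
    for addr, owners in proxy_owners.items():
        if len(owners) > 1:
            issues.append((",".join(owners), "proxyAddresses", "duplicate " + addr))
    return issues


if __name__ == "__main__":
    for account, attribute, problem in find_issues(SAMPLE_USERS):
        print(f"{account:20} {attribute:18} {problem}")
```

Duplicate detection is case-insensitive on purpose: Office 365 treats JSmith@contoso.com and jsmith@contoso.com as the same identity, and the SMTP:/smtp: prefix on proxyAddresses only marks the primary address, so it is stripped before comparing.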


Active Directory Auditing


  • Your organization may want to use Active Directory auditing to capture and evaluate the events that are associated with directory synchronization, such as user creation, password reset, adding users to groups, and so on.
  • When you implement directory synchronization, auditing captures directory services logs from your Active Directory domain controllers. Note that security logging may be disabled by default; you have to understand how to enable it for your organization.


Multiforest Deployment Considerations

The Directory Sync tool synchronizes with a single sign-on (SSO) on-premises Active Directory forest. If your organization has multiple forests for authentication (logon forests) and would like to use the Directory Sync tool, we highly recommend the following:

  • Evaluate consolidating your forests. In general, there’s more overhead required to maintain multiple forests. Unless your organization has security constraints that dictate the need for separate forests, consider simplifying your on-premises environment in advance of deploying the Directory Sync tool.
  • Use only in your primary logon forest. Consider deploying Office 365 only in your primary logon forest for your initial rollout of Office 365.

About the Directory Sync tool

Directory synchronization is the synchronization of directory objects (users, groups, and contacts) from your on-premises Active Directory environment to the Office 365 directory infrastructure. The Directory Sync tool performs this synchronization. You install this tool on a dedicated computer in your on-premises environment.

When user accounts are synchronized with the Office 365 directory for the first time, they are marked as non-activated. They cannot send or receive email, and they don’t consume subscription licenses. When you’re ready to assign Office 365 subscriptions to specific users, you must select and activate them by assigning a valid license.

The Directory Sync tool is required for the following features and functionality:

  • SSO.
  • Lync coexistence.
  • Exchange hybrid deployment, including:
    • Fully shared global address list (GAL) between your on-premises Exchange environment and Exchange Online.
    • Synchronizing GAL information from different mail systems.
    • The ability to add users to and remove users from Office 365 service offerings. This requires the following:
      • Two-way synchronization must be configured during Directory Sync tool setup. By default, the Directory Sync tool writes directory information only to the cloud. When you configure two-way synchronization, you enable write-back functionality so that the Directory Sync tool copies a limited number of object attributes from the cloud, and then writes them back to your local Active Directory. Write-back is also referred to as Exchange hybrid mode in the context of Directory Sync tool configuration. More information about the attributes that are synchronized during write-back is discussed later in this topic.
      • An on-premises Exchange hybrid deployment 
    • The ability to move some user mailboxes to Office 365 while keeping other user mailboxes on-premises.
    • Safe senders and blocked senders on-premises are replicated to Exchange Online.
    • Basic delegation and send-on-behalf-of email functionality.
  • Synchronization of photos, thumbnails, conference rooms, and security groups.

Required Permissions for Installation


To install the Directory Sync tool, you need enterprise admin rights only during the installation process. When you have installed the tool, a non-privileged Active Directory account is required. This non-privileged account is created automatically when the Directory Sync tool is installed.


Capacity Planning


To implement the Directory Sync tool, you need to plan synchronization and database capacity. In most organizations, user objects make up the bulk of the synchronization payload and influence both synchronization times and the database sizing for your Directory Sync tool server.


Two-Way Synchronization


Two-way synchronization (write-back) is required if your organization plans to take advantage of Office 365 features and functionality, such as online archiving, configuring safe and blocked senders, and cloud voice mail. Write-back copies the necessary attributes from the Office 365 directory infrastructure to your on-premises Active Directory environment.

The features that depend on write-back, with the attribute that is written back where the original table lists it, are:

  • Filtering coexistence: writes back on-premises filtering and online safe/blocked sender data from clients.
  • Online archive: enables your organization to archive email in Office 365.
  • Mailbox removal: enables your organization to move mailboxes from the cloud to your on-premises organization. Attribute written back: ProxyAddresses (LegacyExchangeDN) (onlineLegacyDN) as X500.
  • Enable Unified Messaging (UM) online voice mail: enables you to integrate UM and Lync to indicate to Lync on-premises that the user has voice mail in Office 365. (This is a new attribute. It can be used only for this integration.)
  • Enables users to manage other users’ mailboxes.


What’s New in Certificate Services in Windows Server 2012?

Active Directory Certificate Services (AD CS) is an Identity and Access Control security technology that provides customization services for creating and managing public key certificates used in software security systems that employ public key technologies.

Role description

Active Directory Certificate Services (AD CS) provides customizable services for issuing and managing public key infrastructure (PKI) certificates used in software security systems that employ public key technologies. The AD CS server role includes six role services:

  • Certification Authority (CA)
  • Web Enrollment
  • Online Responder
  • Network Device Enrollment Service
  • Certificate Enrollment Policy Web Service
  • Certificate Enrollment Web Service

New and changed functionality


The new and changed functionality in AD CS and PKI includes the following.

1) Integration with Server Manager

Server Manager provides a centralized graphical user interface for installing and managing the AD CS server role and its six role services.

What value does this change add?

AD CS server role and its role services are integrated into Server Manager, which allows you to install the AD CS role service from the Manage menu using Add Roles and Features. Once the server role is added, AD CS appears in the Server Manager dashboard as one of the roles that can be managed. This provides you a central location from which you can deploy and manage AD CS and its role services. Further, the new Server Manager allows you to manage multiple servers from one location and you can see the AD CS role services installed on each server, review related events, and perform management tasks on each server. For more information on how the new Server Manager works.

What works differently?

To add the AD CS Server Role, you can use the Add Roles and Features link on the Manage menu in Server Manager. The AD CS installation flow is similar to that in the previous version, except for the division of the binary installation process and the configuration process. Previously the installation and configuration was a single wizard. In the new installation experience, you first install the binary files and then you can launch the AD CS Configuration wizard to configure the role services that have already had their binary files installed. To remove the AD CS Server Role, you can use the Remove Roles and Features link on the Manage menu.

2) Deployment and management capabilities from Windows PowerShell

All AD CS role services can be configured, or have their configurations removed, by using the AD CS Deployment Windows PowerShell cmdlets. These new deployment cmdlets are described in the AD CS Deployment cmdlets Overview topic. The AD CS Administration cmdlets allow you to manage the Certification Authority role service. The new administration cmdlets are described in the AD CS Administration cmdlets Overview topic.

What value does this change add?

You can use Windows PowerShell to script deployments of any AD CS role service as well as the ability to manage the CA role service.

What works differently?

You can use either Server Manager or Windows PowerShell cmdlets to deploy the AD CS role services.

3) All AD CS role services run on any version

All Windows Server 2012 and Windows Server 2012 R2 versions allow you to install all of the AD CS role services.

What value does this change add?

Unlike previous versions, you can install AD CS roles on any version of Windows Server 2012 or Windows Server 2012 R2.

What works differently?

In the Windows Server 2008 R2 operating system, the different role services (previously called components) had different operating system version requirements, as described in Active Directory Certificate Services Overview. In Windows Server 2012 or Windows Server 2012 R2, all six role services work as they would on any Windows Server 2012 or Windows Server 2012 R2 version. The only difference is that you will find AD CS with all six role services available for installation on any version of Windows Server 2012 or Windows Server 2012 R2.

4) All AD CS role services can be run on Server Core

All six of the Windows Server 2012 and Windows Server 2012 R2 AD CS role services can be installed and run using the Server Core or the Minimal Server Interface installation options.

What value does this change add?

Unlike previous versions, you can now run all AD CS role services on the Server Core or Minimal Server Interface installation options in Windows Server 2012 or Windows Server 2012 R2.

What works differently?

You can now easily deploy AD CS role services using Server Manager or Windows PowerShell cmdlets working locally at the computer or remotely over the network. In addition, Windows Server 2012 or Windows Server 2012 R2 provides multiple installation options that even allow you to install with a graphical user interface and later switch to a Server Core or Minimal Server Interface installation. For more information on installation options,

5) Support for key-based renewal

Certificate Enrollment Web Services is a feature that was added in Windows 7 and Windows Server 2008 R2. This feature allows online certificate requests to come from untrusted Active Directory Domain Services (AD DS) domains or even from computers that are not joined to a domain. AD CS in Windows Server 2012 and Windows Server 2012 R2 builds on the Certificate Enrollment Web Services by adding the ability to automatically renew certificates for computers that are part of untrusted AD DS domains or not joined to a domain.

What value does this change add?

Administrators no longer need to manually renew certificates for computers that are members of workgroups or possibly joined to a different AD DS domain or forest.

What works differently?

Certificate Enrollment Web Services continues to function as it did before, but now computers that are outside of the domain can renew their certificates using their existing certificate for authentication.

6) Certificate Template Compatibility

AD CS in Windows Server 2012 and Windows Server 2012 R2 include version 4 certificate templates. These templates have several differences from previous template versions. Version 4 certificate templates:

  • Support both cryptographic service providers (CSPs) and key service providers (KSPs).
  • Can be set to require renewal with the same key.
  • Are only available for use by Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2.
  • Specify the minimum certification authority and certificate client operating systems that can utilize the template.

To help administrators separate which features are supported by which operating system version, the Compatibility tab was added to the certificate template properties.

What value does this change add?

The new version 4 certificate templates provide additional capabilities, such as enforcing renewal with the same key (available to only Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 certificate clients). The new Compatibility tab allows administrators to set different combinations of operating system versions for the certification authority and certificate clients and see only the settings that will work with those client versions.

What works differently?

The Compatibility tab appears in the Certificate Template properties user interface. This tab allows you to select the minimum certification authority and minimum certificate client operating system versions. The Compatibility tab configuration does a couple of things:

  • It marks options as unavailable in the certificate template properties depending upon the selected operating system versions of certificate client and certification authority.
  • For version 4 templates, it determines which operating system versions are able to use the template.

7) Support for certificate renewal with same key

AD CS in Windows Server 2012 and Windows Server 2012 R2 allows a certificate to be configured so that it will be renewed with the same key. This allows the assurance level of the original key to be maintained throughout its lifecycle. Windows Server 2012 and Windows Server 2012 R2 support generating Trusted Platform Module (TPM)-protected keys using TPM-based key storage providers (KSPs). The benefit of using a TPM-based KSP is true non-exportability of keys, backed by the anti-hammering mechanism of TPMs. Administrators can configure certificate templates so that Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 clients give higher priority to TPM-based KSPs when generating keys. Also, using renewal with the same key, administrators can remain assured that the key still remains on the TPM after renewal.

What value does this change add?

This feature allows an administrator to enforce renewal with the same key, which can reduce administrative costs (when keys are renewed automatically) and increase key security (when keys are stored using TPM-based KSPs).

What works differently?

Clients that receive certificates from templates that are configured for renewal with the same key must renew their certificates using the same key, or renewal will fail. Also, this option is available only for Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 certificate clients.

8) Support for Internationalized Domain Names

Internationalized names are names that contain characters that cannot be represented in ASCII. AD CS in Windows Server 2012 and Windows Server 2012 R2 supports Internationalized Domain Names (IDNs) in several scenarios.

What value does this change add?

The following IDN scenarios are now supported:

  • Certificate enrollment for computers using IDNs
  • Generating and submitting a certificate request with an IDN using the certreq.exe command line tool
  • Publishing certificate revocation lists (CRLs) and Online Certificate Status Protocol (OCSP) information to servers using IDNs
  • The Certificate user interface supports IDNs
  • The Certificate MMC snap-in also allows IDNs in Certificate Properties

What works differently?

There is limited support for IDNs as previously described.

9) Increased security enabled by default on the CA role service

When a certificate request is received by a certification authority (CA), the CA can enforce encryption of the request by requiring the RPC_C_AUTHN_LEVEL_PKT authentication level, as described in the MSDN article Authentication-Level Constants. On Windows Server 2008 R2 and earlier versions, this setting is not enabled by default on the CA. On a Windows Server 2012 or Windows Server 2012 R2 CA, this enhanced security setting is enabled by default.

What value does this change add?

The CA enforces enhanced security in the requests that are sent to it. This higher security level requires that the packets requesting a certificate are encrypted, so they cannot be intercepted and read. Without this setting enabled, anyone with access to the network can read packets sent to and from the CA using a network analyzer. This means that information could be exposed that might be considered a privacy violation, such as the names of requesting users or machines, the types of certificates for which they are enrolling, the public keys involved, and so on. Within a forest or domain, leaking these data may not be a concern for most organizations. However, if attackers gain access to the network traffic, internal company structure and activity could be gleaned, which could be used for more targeted social engineering or phishing attacks.

The commands to enable the enhanced security level of RPC_C_AUTHN_LEVEL_PKT on Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 R2 certification authorities are:

  1. certutil -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST
  2. Restart the certification authority:
     net stop certsvc
     net start certsvc

If you still have Windows XP client computers that need to request certificates from a CA that has the setting enabled, you have two options:

  1. Upgrade the Windows XP clients to a newer operating system.
  2. Lower the security of the CA by running the following commands.

To lower CA security for compatibility with Windows XP clients

  1. certutil -setreg CA\InterfaceFlags -IF_ENFORCEENCRYPTICERTREQUEST
  2. net stop certsvc
  3. net start certsvc

What works differently?

Windows XP clients will not be compatible with this higher security setting, which is enabled by default on a Windows Server 2012 or Windows Server 2012 R2 CA. If necessary, you can lower the security setting as previously described.
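Because the flag can be lowered again for Windows XP compatibility, it is worth auditing periodically that every CA still has it set. The following is an added example, not part of the original post and not a Microsoft tool, that checks the text printed by certutil -getreg CA\InterfaceFlags on each CA. The sample reports are constructed approximations of that output (the exact formatting on a real server may differ), and the 0x200 bit value for IF_ENFORCEENCRYPTICERTREQUEST is taken from the certsrv.h SDK header; verify it against your own copy.

```python
"""Audit whether CAs enforce encrypted certificate requests from certutil -getreg output."""
import re

# Bit value of IF_ENFORCEENCRYPTICERTREQUEST as defined in certsrv.h (assumed from the
# SDK header; verify against your own copy). 0x641 in the first sample below is
# IF_LOCKICERTREQUEST | IF_NOREMOTEICERTADMINBACKUP | 0x200 | IF_ENFORCEENCRYPTICERTADMIN.
IF_ENFORCEENCRYPTICERTREQUEST = 0x200

# Constructed approximations of the output of "certutil -getreg CA\InterfaceFlags"
# for two CAs; illustrative formatting, not captured from a real server.
SAMPLE_REPORTS = {
    "CONTOSO-ISSUING-CA": """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\CONTOSO-ISSUING-CA:

  InterfaceFlags REG_DWORD = 641 (1601)
    IF_LOCKICERTREQUEST -- 1
    IF_NOREMOTEICERTADMINBACKUP -- 40 (64)
    IF_ENFORCEENCRYPTICERTREQUEST -- 200 (512)
    IF_ENFORCEENCRYPTICERTADMIN -- 400 (1024)
CertUtil: -getreg command completed successfully.
""",
    "CONTOSO-LEGACY-CA": """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\CONTOSO-LEGACY-CA:

  InterfaceFlags REG_DWORD = 41 (65)
    IF_LOCKICERTREQUEST -- 1
    IF_NOREMOTEICERTADMINBACKUP -- 40 (64)
CertUtil: -getreg command completed successfully.
""",
}

# certutil prints the DWORD in hex, followed by the decimal value in parentheses.
VALUE_RE = re.compile(r"InterfaceFlags\s+REG_DWORD\s*=\s*([0-9A-Fa-f]+)")
# Decoded flag names are printed one per line underneath the value.
NAME_RE = re.compile(r"^\s*(IF_[A-Z]+)\b", re.MULTILINE)


def parse_interface_flags(report):
    """Return (numeric InterfaceFlags value, set of decoded flag names)."""
    match = VALUE_RE.search(report)
    if not match:
        raise ValueError("no InterfaceFlags REG_DWORD line in report")
    return int(match.group(1), 16), set(NAME_RE.findall(report))


def request_encryption_enforced(report):
    """True when IF_ENFORCEENCRYPTICERTREQUEST is set. The numeric value and the
    decoded names must agree; a report where they differ is treated as corrupt."""
    value, names = parse_interface_flags(report)
    by_bit = bool(value & IF_ENFORCEENCRYPTICERTREQUEST)
    by_name = "IF_ENFORCEENCRYPTICERTREQUEST" in names
    if by_bit != by_name:
        raise ValueError("numeric InterfaceFlags and decoded flag names disagree")
    return by_bit


def audit(reports):
    """Map CA name -> 'enforced', 'not enforced' or 'unparseable' across a fleet."""
    results = {}
    for ca_name, report in reports.items():
        try:
            enforced = request_encryption_enforced(report)
        except ValueError:
            results[ca_name] = "unparseable"
            continue
        results[ca_name] = "enforced" if enforced else "not enforced"
    return results


if __name__ == "__main__":
    for ca_name, status in audit(SAMPLE_REPORTS).items():
        print(f"{ca_name:22} {status}")
```

A CA reported as "not enforced" is one where the certutil -setreg command given above needs to be run again (followed by the service restart), or where the Windows XP exception has to be documented and accepted.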

10) AD DS Site Awareness for AD CS and PKI Clients

Certificate services in Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 can be configured to use Active Directory Domain Services (AD DS) sites to optimize certificate services client requests. This functionality is not enabled by default on either the certification authority (CA) or the public key infrastructure (PKI) client computers.

What value does this change add?

This change enables Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 certificate clients to locate a CA in their local AD DS site.

What works differently?

When enrolling for a template-based certificate, the client queries AD DS for the template and the CA objects. The client then calls the DsGetSiteName function to get its own site name. For CAs that have the msPKI-Site-Name attribute set, the certificate services client determines the AD DS site link cost from the client site to each target CA site by calling DsQuerySitesByCost. The client uses the returned site costs to prioritize the CAs that grant it the Enroll permission and support the relevant certificate template. Higher-cost CAs are contacted last, and only if the lower-cost CAs are unavailable.
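The ordering rule described above (filter to CAs that grant Enroll and support the template, then sort by site-link cost) is short enough to model. The following is an added example in Python, not code from the original post or from Windows; the CA inventory, site names and link costs are constructed, query_sites_by_cost stands in for the DsQuerySitesByCost call, and the placement of CAs without msPKI-Site-Name or without a known cost at the end of the list is an assumption of this example, not behaviour the page states.

```python
"""Site-aware CA ordering, modelled on the client behaviour described above."""

# Constructed inventory shaped after the AD objects named above (client site,
# site-link costs, CA objects carrying msPKI-Site-Name); not a real forest.
CLIENT_SITE = "Paris"
SITE_LINK_COST = {  # (client site, target site) -> cost; stands in for DsQuerySitesByCost
    ("Paris", "Paris"): 0,
    ("Paris", "London"): 100,
    ("Paris", "Sydney"): 400,
}
CAS = [
    {"name": "LON-CA01", "site": "London", "templates": {"WebServer", "User"}, "enroll": True},
    {"name": "PAR-CA01", "site": "Paris", "templates": {"User"}, "enroll": True},
    {"name": "SYD-CA01", "site": "Sydney", "templates": {"WebServer"}, "enroll": True},
    {"name": "OLD-CA", "site": None, "templates": {"WebServer"}, "enroll": True},        # no msPKI-Site-Name
    {"name": "PAR-CA02", "site": "Paris", "templates": {"WebServer"}, "enroll": False},  # client lacks Enroll
    {"name": "DUB-CA01", "site": "Dublin", "templates": {"WebServer"}, "enroll": True},  # no link cost known
]


def query_sites_by_cost(client_site, target_sites, cost_table):
    """Stand-in for DsQuerySitesByCost: cost from the client's site to each target
    site, or None when no site link cost is available."""
    return {site: cost_table.get((client_site, site)) for site in target_sites}


def order_cas(client_site, cas, template, cost_table=SITE_LINK_COST):
    """Return CA names in the order the client should try them: only CAs that grant
    Enroll and support the template, lowest site-link cost first."""
    eligible = [ca for ca in cas if ca["enroll"] and template in ca["templates"]]
    sited = {ca["site"] for ca in eligible if ca["site"]}
    costs = query_sites_by_cost(client_site, sited, cost_table)

    def rank(ca):
        if ca["site"] is None:
            return (2, 0, ca["name"])  # assumption: CAs without msPKI-Site-Name are tried last
        cost = costs.get(ca["site"])
        if cost is None:
            return (1, 0, ca["name"])  # assumption: unknown cost sorts after every known cost
        return (0, cost, ca["name"])

    return [ca["name"] for ca in sorted(eligible, key=rank)]


if __name__ == "__main__":
    for template in ("WebServer", "User"):
        print(template, "->", order_cas(CLIENT_SITE, CAS, template))
```

The two filters run before the cost sort on purpose: a nearby CA that does not grant the client Enroll, or does not publish the template, is never a candidate, so no amount of site affinity makes the client contact it.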

11) Group-protected PFX format

Previously, a PKCS #12 (also known as PFX) file was protected only by a password, which had the following limitations:

  • Difficult to automate
  • Not very secure, because usually an administrator used a weak password
  • Difficult to share among multiple users

Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 can protect certificates and associated private keys by combining an existing PFX format with a new data protection feature. This allows encrypting the contents of the PFX file with a key that belongs to a group or to an individual, instead of protecting it with a password.

What value does this change add?

By using this feature, administrators will be able to:

  • Deploy, manage, and troubleshoot certificates remotely and across server farms by using Windows PowerShell.
  • Share certificates and keys securely across server farms running Windows Server 2012 or Windows Server 2012 R2 by using Windows APIs.

Earlier versions of Windows can consume this PFX because internally the operating system assigns a strong random password. The password is included in the PFX, and it is protected by a set of security identifiers (SIDs) with data protection APIs. Any user that has access to the PFX can see that password and share it with previous Windows versions.

What works differently?

A PFX file can now be protected to a security principal instead of just a password. The user interface for certificate export has been updated to allow for the selection of a security principal during export.

12) Certificate lifecycle notifications

In Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2, certificates provide life cycle notifications in MY store from the certificate enrollment API and Windows PowerShell levels. The notifications include expiration, deletion, new, renewal, replacement, close to expiration, archive, and export. Administrators and developers can manage (view, install, copy, request, and delete) certificates and their associated private keys remotely by using Windows PowerShell. This feature allows a script or an executable to launch in response to a certificate lifecycle notification.

What value does this change add?

For application and server-workload developers who use certificates in their product, integrating with the certificate life cycle in Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 is easy and reliable, and it can be done remotely. Developers can write applications that reconfigure themselves any time a certificate is renewed or replaced with another certificate, whether by autoenrollment or by a manual or scripted action by an administrator. The investment needed to integrate with the certificate management interfaces is very small.

For an administrator who manages applications that use certificates, Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 certificates are used by those applications automatically. This occurs because applications integrate with Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 certificate notifications or when the administrator’s script is triggered by a certificate event.

What works differently?

Notifications can now be enabled to alert system administrators before certificates expire.
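As an added example (not code from the original post), the PowerShell below does what a script launched by a "close to expiration" notification would do: it enumerates a certificate store, reports every certificate within a warning window together with the data needed to decide who renews it, and runs the same check remotely across a set of servers. The store path, the 30-day threshold and the server names are assumptions.

```powershell
# Added example, not from the original post. StorePath, WarnDays and the host names are assumptions.
function Get-ExpiringCertificate {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [int]$WarnDays = 30
    )
    $now = Get-Date
    Get-ChildItem -Path $StorePath | Where-Object { $_.NotAfter -le $now.AddDays($WarnDays) } | ForEach-Object {
        # The template extension (OID 1.3.6.1.4.1.311.21.7) shows whether the certificate
        # came from an enterprise CA and can therefore be renewed by autoenrollment
        # instead of by hand.
        $tmpl = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
        [pscustomobject]@{
            ComputerName  = $env:COMPUTERNAME
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            NotAfter      = $_.NotAfter
            DaysLeft      = [math]::Floor(($_.NotAfter - $now).TotalDays)   # negative once expired
            Expired       = ($_.NotAfter -lt $now)
            HasPrivateKey = $_.HasPrivateKey
            Template      = if ($tmpl) { $tmpl.Format($false) } else { $null }
        }
    }
}

# Local check, most urgent first.
Get-ExpiringCertificate -WarnDays 45 | Sort-Object DaysLeft | Format-Table -AutoSize

# The same check across a fleet (assumed host names) without logging on to each server.
# Only certificates with a private key matter here: those are the ones a service depends on.
$servers = 'WEB01', 'WEB02', 'CA01'
Invoke-Command -ComputerName $servers -ScriptBlock ${function:Get-ExpiringCertificate} -ArgumentList 'Cert:\LocalMachine\My', 30 |
    Where-Object { $_.HasPrivateKey } |
    Sort-Object ComputerName, DaysLeft |
    Format-Table ComputerName, Subject, DaysLeft, Expired, Template -AutoSize
```

To turn this into the event-driven behaviour the text describes, attach the script to a scheduled task whose trigger is an event in the per-machine lifecycle log (Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational) rather than a timer, so it runs exactly when the platform raises the notification.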

13) CA private keys are included in the System State Backup image

Windows Server Backup feature can be installed on the certification authority (CA) to create a System State Backup that includes the CA private keys.

What value does this change add?

In Windows Server 2012 and Windows Server 2012 R2, the System State Backup feature automatically backs up the CA's private key when an administrator or backup operator uses the Windows Server Backup feature to perform a System State Backup.

What works differently?

The Windows Server Backup feature now includes the CA private keys.


Standard Operating Procedure for Microsoft Exchange Server 2013

“How many IT professionals do I need to manage my Microsoft Exchange Server environment?” Unfortunately, there is no simple answer to this question. But to help you in your planning, this topic describes several major factors you must consider to calculate your optimal workforce level. This topic will help you assess the many facets of your organization so that you can make an informed decision about workforce levels.

Organizational Maturity

Essentially, organizational maturity is determined by the level to which an organization has developed its internal policies and procedures. For example, an organization with very few defined procedures for managing the messaging environment and that has no standard operating procedures for server configuration may experience more incidents and outages than another organization that has carefully documented policies about driver updates, patch installation, and server configuration.

However, organizational maturity is not restricted to the use of policies. It also includes the means by which administrators manage an environment. For example, an administrator can apply hotfixes to 10 servers by logging into each server, and then downloading and installing the hotfixes on each one in turn. This process is extremely inefficient. By contrast, one administrator using an automated patch deployment system could easily deploy hotfixes to 100 servers in a few minutes, exponentially increasing efficiency. However, that patch management solution would, itself, have to be actively managed. This requirement would demand more resources, and would have to follow specific policies and procedures to ensure a healthy, accurate solution.

Organizational maturity is built on the following principles:

  • Operational process maturity: Typically, if you have created well-documented and repeatable operational practices, the need for constant or reactive maintenance is reduced because most tasks will be automated.
  • Experience: The level of knowledge and relevant work experience possessed by the operations team members has a positive impact on the team’s ability to manage an enterprise messaging solution.
  • Hardware: Efficient systems and good storage practices help maintain a high degree of user satisfaction and can greatly reduce the number of support calls or outages.
  • Reliability: Related to hardware, reliability is a function of the combination of hardware, software, features that are in use, and the demands on the system. Often, a reliable solution is one that is chosen specifically to meet the full demands of a given workload.
  • Design: An appropriate design of the Exchange environment increases the effectiveness of all the aforementioned principles. Conversely, a poor design can cause the hardware or staff experience to be less effective.

Infrastructure Optimization model

The four levels of the model, from least to most mature:

  • Basic: Systems are complex and incompatible. Most IT personnel spend their time reacting to problems and are just trying to keep things running. If there are few standards and automated tools in use, IT support is labor-intensive and expensive.
  • Standardized: IT departments are more centralized and effective. But systems remain complex, incompatible, and expensive to maintain. Pockets of standalone systems reside in business groups.
  • Rationalized: IT and business groups develop strategies and define IT policies, which are enforced through technology. Through standards and careful engineering, applications work together with improved compatibility.
  • Dynamic: Business agility takes priority over cost savings. IT systems are highly automated, flexible, and respond quickly to changing business conditions.

For more information about Infrastructure Optimization, see Microsoft Infrastructure Optimization.

The key differentiator among the levels of the Infrastructure Optimization model is how technology is used and the standardization of systems across many levels and groups. Generally, the higher the organizational maturity level, the lower the required staffing level for managing the environment. However, technology by itself doesn’t increase an organization’s maturity level. All solutions must be managed to successfully support accuracy, efficiency, reliability, and stability. An organization’s policies should be driven by business need, and the technology should support or facilitate those policies.

Defining Roles and Assigning Tasks

Staffing levels are also heavily dependent upon the demands placed on the enterprise messaging team. These demands can vary greatly from organization to organization. An organization that asks its messaging administrators to deploy, configure, manage, and maintain only the Exchange Server 2010 systems will require fewer staff than one which asks administrators to manage Exchange, backups, messaging hygiene, mobile devices, network, storage, and virtualization technologies.

The following list includes some of the critical questions to consider when you evaluate the role of the messaging administrator in your organization:

  • Does your Exchange team have primary responsibility for the underlying Windows operating system on the servers that are running Exchange?
  • Is your Exchange team responsible for other technologies, such as Active Directory Domain Services, Microsoft SharePoint Foundation 2010, or Microsoft SQL Server?
  • Does your Exchange team manage the physical hardware of the Exchange environment, such as servers, network, and storage? Or, if your Exchange servers are virtualized, do the Exchange administrators manage the virtualization solution?
  • Does your Exchange team manage backups (tape-based or disk-based) for the Exchange servers?
  • Does your Exchange team manage the messaging hygiene infrastructure? Does your Exchange team manage non-Exchange software or hardware?
  • Does your organization separate the roles of operations and design/architecture for messaging?
  • Does your Exchange team manage network or perimeter security for messaging?
  • Does your Exchange team perform direct end-user support? If so, does the team receive all messaging-related tickets or only those that have been escalated from tier 1 and tier 2?
  • Do Exchange team members perform standard daily, weekly, monthly, quarterly, or yearly tasks? If so, what are those tasks? What additional tasks should be added to the list?
  • Are Exchange team members responsible for responding to security issues involving messaging resources?
  • Are Exchange team members asked to perform discovery searches and handle other compliance-related matters?
  • Do Exchange team members perform capacity management?

This list isn’t exhaustive. There may be critical tasks for messaging administrators in your organization that are not listed above. Additionally, there are other positions, such as operations manager, whose job description and required tasks are markedly different from those of messaging administrator. It’s important to consider all positions in the context of the entire team rather than focus on individual positions.

The following list describes the potential responsibilities assigned to roles and functions that are common to many large and medium enterprise messaging deployments. In many cases, the listed role is a subset of an existing role (for example, Director) instead of a specific position; this is the case for Operations Engineers, for example.

  • Director 
    • Provides messaging technology vision based on technology capabilities and business need.
    • Coordinates activities of messaging operations and messaging system engineering.
    • Represents all aspects of the enterprise’s messaging system to internal and external sources.
  • Manager, Messaging Operations 
    • Makes sure that the messaging system is functioning at peak performance.
    • Makes sure that the messaging operations team is aware of system slowdowns and performance degradation before these problems affect users.
    • Makes sure that all messaging operations technicians and all operations analysts have the tools they need to do their jobs.
    • Represents messaging operations to users.
  • Manager, Messaging System Engineering 
    • Drives the messaging team towards constant analysis and design review with the goal of improving the messaging system’s performance.
    • Makes sure that the messaging team has the necessary tools and training to do their jobs.
    • Responds to appropriate escalations from the operations team and allocates resources to those escalations.
  • Associate Operations Analyst 
    • Installs, configures, and documents new production servers in the messaging environment.
    • Performs rudimentary troubleshooting of messaging system problems.
  • Operations Analyst 
    • Installs, configures, and documents new production servers in the messaging environment.
    • Performs all troubleshooting of messaging system problems.
    • Ensures that problems are correctly documented in the daily log.
  • Senior Operations Analyst 
    • Assists with mentoring new Operations Analysts; performs duties of the Operations Analyst when required.
    • Handles escalation issues not resolved by Operations Analyst and Technicians.
    • Makes sure that the daily log remains a useful repository of system troubleshooting information.
  • Associate Operations Engineer 
    • Works with Operations Analysts and Technicians to perform rudimentary analysis and design.
    • Brings ideas and recommendations to other members of the engineering team for further discussion.
  • Operations Engineer 
    • Works with Operations Analysts and Technicians to perform detailed analysis and design.
    • Handles initial escalations from the operations side.
    • Troubleshoots and follows up on all escalations from operations team.
    • Evaluates features of released products for usability in the enterprise messaging system.
  • Senior Operations Engineer 
    • Evaluates released and unreleased messaging systems.
    • Provides detailed test plans for features to be implemented.
    • Attempts to minimize all impacts of next-generation releases of the messaging product.
    • Handles extreme escalations and interfaces with Microsoft Technical Support, if necessary.
  • Messaging Operations Technician 
    • Handles day-to-day monitoring and reporting on the messaging system.
    • Ensures that events are properly recorded in the daily log.
    • Ensures that all events that transpired during his or her shift have been recorded and reported to appropriate personnel.
    • Also handles escalation requests from standard “PC Helpdesk” department.

To increase the accuracy of any workforce staffing level calculations, it helps if you clearly define the roles of the various messaging team members and then objectively assess the demands of those roles.

Assessing Technology Impact

After your organization has defined the various roles and responsibilities, the next step is to assess the technology, and then map the desired tasks to the technical components of the solution. Often, improvements in the software may let administrators complete specific tasks much more quickly than in previous versions, may enable administrators to automate common workflows, or may enable administrators to delegate specific tasks to other individuals or other teams.

Consider this example. Woodgrove Bank administrators often receive requests to restore mailboxes to retrieve mistakenly deleted items. These requests require the involvement of a messaging engineer (who has the necessary permissions to access the Exchange Server 2003 systems), as well as a backup engineer (who handles the actual restore operation). The requirement to restore deleted content will still be present after Woodgrove Bank deploys Exchange Server 2010, but if they choose to enable single item recovery for all users, the actual restoration work could be performed by a messaging administrator (who was granted the appropriate permissions via Role Based Access Control) or by a compliance administrator in the Human Resources department. Because the backup engineer is no longer involved in the restoration operation, the overall process is simpler and presumably can be completed in less time.

Exchange Server 2010 includes several features that could potentially let management reassign tasks at different levels, to different teams, or eliminate the need for the task completely. The following table describes several major features in Exchange Server 2010, together with the changes to tasks that these features may support. The features described in this table aren’t an exhaustive list. Of course, you may choose to employ these features at your discretion.


  • Database Availability Groups: By having three or more database copies, Exchange administrators can adopt a native data protection strategy, reducing the demands on the backup team.
  • Single Item Recovery: Eliminates the need to restore backups simply to recover a single deleted item.
  • Role Based Access Control (RBAC): Lets administrators delegate tasks at a granular level without exposing the organization to major security risks.
  • PowerShell (expanded in Exchange Server 2010, also present in Exchange Server 2007): Lets administrators automate common tasks, including many user, group, mailbox, and database maintenance tasks, via PowerShell scripts.
  • Multi-mailbox search: Combined with RBAC, lets administrators delegate discovery to other individuals, most likely in Human Resources. Lets trusted individuals perform discovery against mailboxes in the environment without third-party tools.
  • Exchange Control Panel: Lets users manage certain aspects of their messaging experience, including distribution groups and message tracking, thus reducing the demands on the help desk.
  • Personal Archive: Lets administrators absorb functionality formerly provided by Personal Folders (.pst files), thus removing a common source of support calls.
  • Retention Policies: Lets administrators control the e-mail lifecycle (by setting a maximum e-mail message age), possibly reducing the number of compliance issues in the messaging environment.

While the above list is specific to Exchange Server 2010, the principle of matching task to technology holds true no matter which version is in use. Using the technology to its fullest lets administrators perform their duties in the most efficient manner possible, freeing their time for other tasks and reducing the demands on other teams as well.

Calculating Staffing Levels

As stated at the beginning of this topic, there is no simple formula to provide a specific recommended number of staff to manage a given Exchange organization. The range of factors is too complex and too varied. Two organizations of similar size and scope may require vastly different staffing levels based on the required duties of the administrators, the administrators’ experience managing Exchange, and the degree of automation in the environment.

The most important factor to consider when calculating staffing levels is the amount of time that is needed to perform all required tasks given the current infrastructure. It may also be appropriate to calculate the amount of time that is required to perform all desired tasks given an idealized infrastructure, if significant changes will be made to the environment which would increase the operational maturity level. The sum total of hours is then translated into a recommended staffing level, taking into account other factors including the length of the work day, the length of the work week, and the average number of vacation and sick days. The staffing level should always be rounded up to the next integer value to ensure that staffing levels exceed the required time rather than fall short.

The following sample Exchange Operations task checklist indicates the level to which tasks should be detailed before staffing levels are calculated.



In this example, the organization determined that the total number of tasks requires 9,792 hours. Given that a full-time employee works 1,635 hours, this analysis suggests that the organization requires 600 percent of a single individual—or, more appropriately, six FTEs—to manage their Exchange organization. Note that this sample task list is for the operations team only. The customer has to perform the same analysis for the engineering and help desk teams, as well.

SAMPLE – Exchange Operations Task Checklist (per location)

Each task in the original table carries an "Est. Time (hrs)" and an "Annual Work Effort" column; the hour figures did not survive extraction, so only the task structure is shown here.

  • Participation in next-version assessment discussions
  • Feedback from operations
  • SLA definitions
  • Operations documentation
  • Exchange Administration
    • Backup and Restore
    • Perform regular backup
    • Backup Active Directory system state
    • Verify backup media
    • Offsite backup media
    • Change backup media regularly
    • Set mailbox and message retention times on all client servers
    • Defragment mailbox and public folder stores
    • Verify integrity of the mailbox and public folder stores
  • Risk Management
    • Analysis and prioritization
    • Mitigation and contingency planning
  • Additional Work as Assigned
    • New projects
    • Help desk escalation support
    • Review open service tickets
    • On-site visit (travel time)
  • Available Hours per Man Year
  • Percentage of work consumed by Exchange tasks

The number of positions also depends on the complexity and size of the organization. Small organizations may combine roles or omit them entirely, while large organizations may have multiple individuals in certain roles. For example, one large financial services corporation has a messaging team which manages resources for 45,000 users on a 24 hours a day, seven days a week basis. Their messaging services staff typically includes 30-32 individuals in the positions shown in the following table (whose roles and responsibilities are defined in “Defining Roles and Assigning Tasks” earlier in this topic).

Position title (the number of staff per position did not survive extraction):

  • Manager, Messaging Operations
    • Sr. Operations Analyst
    • Operations Analyst
    • Assoc. Operations Analyst
  • Manager, Messaging System Engineering
    • Sr. Operations Engineer
    • Operations Engineer
    • Assoc. Operations Engineer

To determine the number of engineers, administrators, and other support personnel that are required to manage a specific Exchange environment, you must carefully gather business requirements, consider a variety of factors, and, above all, plan. You can determine your required staffing level only after you determine the needs of the user community, define the roles to fulfill those needs, assess the technology, match the technology to the roles, and then, finally, calculate the time required to perform the desired tasks. It’s an involved process, but the ultimate results should closely align the capabilities of the messaging team to the needs of the business (and users) without unnecessarily encumbering either organization or team with superfluous head count.


Active Directory Federation Services Overview

AD FS provides simplified, secured identity federation and Web single sign-on (SSO) capabilities for end users who want to access applications within an AD FS-secured enterprise, in federation partner organizations, or in the cloud.

In Windows Server® 2012 R2, AD FS includes a federation service role service that acts as an identity provider (authenticates users to provide security tokens to applications that trust AD FS) or as a federation provider (consumes tokens from other identity providers and then provides security tokens to applications that trust AD FS).

The function of providing extranet access to applications and services that are secured by AD FS is now performed by a new Remote Access role service called Web Application Proxy. This is a departure from the prior versions of Windows Server in which this function was handled by an AD FS federation server proxy. Web Application Proxy is a server role designed to provide access for the AD FS-related extranet scenario and other extranet scenarios.


Practical applications

AD FS simplifies access to systems and applications by using a claims-based authentication and access authorization mechanism to maintain application security. Prior versions of AD FS were used for the following:

  • Providing your employees or customers with a web-based, SSO experience when accessing claims-based applications within your enterprise.
  • Providing your employees or customers with a web-based, SSO experience to access resources in any federation partner organization.
  • Providing your employees or customers with a Web-based, SSO experience when remote accessing internally hosted Web sites or services.
  • Providing your employees or customers with a web-based, SSO experience when accessing resources or services in the cloud.

AD FS in Windows Server® 2012 R2 adds further practical applications for AD FS, including the following:

AD FS in Windows Server 2012

For Windows Server 2012, the AD FS server role includes the same functionality and feature set that is available in AD FS 2.0. It also includes the following list of new functionality that was not available in AD FS 2.0:

  • Improved installation experience using Server Manager – With AD FS 2.0, you had to download and install the AD FS 2.0 software to deploy your AD FS server infrastructure. However, in Windows Server 2012, you install the AD FS server role using Server Manager. Server Manager provides improved AD FS configuration wizard pages that perform server validation checks before you continue with the AD FS server role installation and will automatically list and install all the services that AD FS depends on during the AD FS server role installation.
  • Additional Windows PowerShell cmdlet tools – In addition to the Windows PowerShell based management capabilities provided in AD FS 2.0, AD FS in Windows Server 2012 and Windows Server® 2012 R2, includes new cmdlets for installing the AD FS server role and for initial configuration of the federation server and federation server proxy.

AD FS in Windows Server 2012 R2

The following sections summarize numerous changes that were made to AD FS in Windows Server® 2012 R2 in order to support newer practical applications of AD FS as well as to enhance existing functionality.

Enable users to access resources on their personal devices from anywhere

  • Workplace join that enables users to join their personal devices to corporate Active Directory and as a result gain access and seamless experiences when accessing corporate resources from these devices.
  • Pre-authentication of resources inside the corporate network that are protected by the Web Application proxy and accessed from the internet.
  • Password change to enable users to change their password from any workplace joined device when their password has expired so that they can continue to access resources.

Enhanced access control risk management tools

Managing risk is an important aspect of governance and compliance in every IT organization. There are numerous access control risk management enhancements in AD FS in Windows Server® 2012 R2, including the following:

  • Flexible controls based on network location to govern how a user authenticates to access an AD FS-secured application.
  • Flexible policy to determine if a user needs to perform multi-factor authentication based on the user’s data, device data, and network location.
  • Per-application control to ignore SSO and force the user to provide credentials every time they access a sensitive application.
  • Flexible per-application access policy based on user data, device data, or network location.
  • AD FS Extranet Lockout, which enables administrators to protect Active Directory accounts from brute force attacks from the internet.
  • Access revocation for any workplace joined device that is disabled or deleted in Active Directory.
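As an added example (not the original post's code), the PowerShell below puts three of the controls listed above in force on a Windows Server 2012 R2 federation server: extranet lockout, a global rule that requires multi-factor authentication for requests arriving from outside the corporate network, and a per-application policy that ignores SSO and admits only one group. The relying party name, the group SID and the lockout numbers are assumptions to be replaced with values from your own policy.

```powershell
# Added example, not from the original post. Relying party name, SID and thresholds are assumptions.
Import-Module ADFS

# 1. Extranet lockout. After the threshold is hit inside the observation window, AD FS
#    stops forwarding attempts for that account to Active Directory, so password guessing
#    from the internet cannot trip the AD lockout policy and lock the user out of everything.
#    Keep the AD FS threshold below the AD account lockout threshold for this to hold.
Set-AdfsProperties -EnableExtranetLockout $true `
                   -ExtranetLockoutThreshold 10 `
                   -ExtranetObservationWindow (New-TimeSpan -Minutes 30)

# 2. Location-based MFA. A request that does not carry insidecorporatenetwork == true
#    (that is, one that came in through Web Application Proxy) must complete an additional
#    authentication method. An additional provider must be enabled for the rule to be satisfiable.
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider 'CertificateAuthentication'
$mfaFromExtranet = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $mfaFromExtranet

# 3. Per-application controls for a sensitive app (assumed display name): ignore the SSO
#    cookie and prompt every time, and permit only members of one group.
$rp = 'Payroll Portal'
Set-AdfsRelyingPartyTrust -TargetName $rp -AlwaysRequireAuthentication $true

$payrollOnly = @'
@RuleName = "Permit payroll staff only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value == "S-1-5-21-PLACEHOLDER-1234"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Set-AdfsRelyingPartyTrust -TargetName $rp -IssuanceAuthorizationRules $payrollOnly

# Read back what is now in force.
Get-AdfsProperties | Select-Object EnableExtranetLockout, ExtranetLockoutThreshold, ExtranetObservationWindow
Get-AdfsRelyingPartyTrust -Name $rp | Select-Object Name, AlwaysRequireAuthentication, IssuanceAuthorizationRules
```

Setting the authorization rule replaces any existing rule set on that trust, so read the current rules first and merge; with no permit rule at all, nobody can reach the application.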


Simplified deployment experience

Deploying AD FS in Windows Server® 2012 R2 is simplified by the following enhancements:

  • AD FS is no longer dependent on IIS. This offers enhanced performance and reduces the foot print of services, especially when AD FS is installed on Active Directory domain controllers.
  • Remote installation and configuration through Server Manager. 
  • UI support for installing AD FS with SQL Server
  • Group Managed Service Account support. This enables AD FS to be run with service accounts without managing expiring service account passwords.
  • SQL Server merge replication support when deploying AD FS across globally dispersed datacenters. 
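As an added example (not the original post's code), the following PowerShell stands up the first federation server of a farm under a group managed service account, so that no service password ever has to be rotated by hand. The account, host, federation service name and thumbprint are placeholders.

```powershell
# Added example, not from the original post. Account, host, DNS and thumbprint values are placeholders.

# Once per forest: the KDS root key that gMSA passwords are derived from. In production,
# without -EffectiveImmediately the key becomes usable after a 10-hour replication delay.
Add-KdsRootKey -EffectiveImmediately

# The gMSA, the SPN clients will request from the KDC, and the only computers allowed
# to retrieve its password (the federation servers themselves).
New-ADServiceAccount -Name 'fsgmsa' `
    -DNSHostName 'fs.contoso.com' `
    -ServicePrincipalNames 'host/fs.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'ADFS01$', 'ADFS02$'

# On the federation server: install the role (no IIS dependency in 2012 R2) and create
# the farm bound to the gMSA and to the service communications certificate.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

Install-AdfsFarm -CertificateThumbprint 'PLACEHOLDER_THUMBPRINT' `
    -FederationServiceName 'fs.contoso.com' `
    -FederationServiceDisplayName 'Contoso Sign-In' `
    -GroupServiceAccountIdentifier 'CONTOSO\fsgmsa$'

# Each further node joins with the same account (run on that node):
# Add-AdfsFarmNode -CertificateThumbprint 'PLACEHOLDER_THUMBPRINT' -PrimaryComputerName 'ADFS01' `
#                  -GroupServiceAccountIdentifier 'CONTOSO\fsgmsa$'

# Check: the service logs on as the gMSA, and there is no stored password to expire.
Get-CimInstance Win32_Service -Filter "Name='adfssrv'" | Select-Object Name, StartName, State
```

Because the password lives only in Active Directory and is retrieved by the listed computers, keeping PrincipalsAllowedToRetrieveManagedPassword tight is what stops a compromised member server elsewhere from obtaining the federation service's credentials.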

Enhanced sign-in with AD FS experience

The following are new AD FS capabilities in Windows Server® 2012 R2 that enable administrators to customize and enhance the sign-in experience:

  • Unified customization of the AD FS service, where the changes are made once and then automatically propagated to the rest of the AD FS federation servers in a given farm. 
  • Updated sign-in pages that look modern and cater to different form factors automatically.
  • Support for automatic fallback to forms-based authentication for devices that are not joined to the corporate domain but are still used to generate access requests from within the corporate network (intranet).
  • Simple controls to customize the company logo, illustration image, standard links for IT support, home page, privacy, etc. 
  • Customization of description messages in the sign-in pages.
  • Customization of web themes.
  • Home Realm Discovery (HRD) based on organizational suffix of the user for enhanced privacy of a company’s partners.
  • HRD filtering on a per-application basis to automatically pick a realm based on the application.
  • One-click error reporting for easier IT troubleshooting.
  • Customizable error messages. 
  • User authentication choice when more than one authentication provider is available.

Enable developers to build modern applications

AD FS in Windows Server 2012 R2 now supports the OAuth Authorization Grant profile, with refresh tokens, to enable modern applications that use RESTful services. AD FS also issues JWT tokens: compact tokens that are better suited to transmission to resources that follow the REST pattern.
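As an added example (not code from the original post), the PowerShell below registers a native OAuth client with AD FS, walks the authorization code grant against the AD FS OAuth endpoints, refreshes the access token, and decodes the resulting JWT to show the claims it carries. Federation host, client id, resource identifier, redirect URI and the authorization code are placeholders; the refresh-token setting on the relying party is an assumption about how the trust is configured.

```powershell
# Added example, not from the original post. Host, client id, resource, redirect URI and code are placeholders.
$fs          = 'fs.contoso.com'
$clientId    = 'PLACEHOLDER-CLIENT-GUID'
$redirectUri = 'https://app.contoso.com/callback'
$resource    = 'https://api.contoso.com/'     # identifier of the relying party trust in front of the REST API

# Server side: AD FS accepts only registered client ids, and only their registered redirect URIs,
# which is what stops a stolen authorization code from being redeemed elsewhere.
Add-AdfsClient -Name 'Contoso Mobile' -ClientId $clientId -RedirectUri $redirectUri
# Refresh tokens are issued only to workplace-joined devices by default; widening this is a deliberate choice.
Set-AdfsRelyingPartyTrust -TargetIdentifier $resource -IssueOAuthRefreshTokensTo AllDevices

# Client side, step 1: the user agent visits this URL and returns to $redirectUri with ?code=...
$authorizeUrl = "https://$fs/adfs/oauth2/authorize?response_type=code&client_id=$clientId" +
                "&resource=$([uri]::EscapeDataString($resource))" +
                "&redirect_uri=$([uri]::EscapeDataString($redirectUri))"

# Step 2: redeem the code, and later the refresh token, at the token endpoint.
function Get-AdfsOAuthToken {
    param([hashtable]$Body)
    Invoke-RestMethod -Method Post -Uri "https://$fs/adfs/oauth2/token" `
        -ContentType 'application/x-www-form-urlencoded' -Body $Body
}
$code   = 'PLACEHOLDER_CODE'
$tokens = Get-AdfsOAuthToken @{ grant_type = 'authorization_code'; client_id = $clientId; code = $code; redirect_uri = $redirectUri }
$fresh  = Get-AdfsOAuthToken @{ grant_type = 'refresh_token'; client_id = $clientId; refresh_token = $tokens.refresh_token }

# Step 3: a JWT is three base64url segments (header.payload.signature). Decoding the payload
# shows what the resource will see; verifying the signature against the AD FS token-signing
# certificate is the resource's job and is not replaced by this inspection.
function ConvertFrom-JwtPayload {
    param([string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}
ConvertFrom-JwtPayload $tokens.access_token | Select-Object aud, iss, exp, upn
ConvertFrom-JwtPayload $fresh.access_token  | Select-Object aud, iss, exp, upn
```

The aud claim is the resource identifier from the request and exp is a Unix timestamp; a resource that does not check both, plus the signature, will accept a token minted for some other API or one that has already expired.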

Other improvements

  • Reduction of SSO cookie size with dynamic group SID hydration. This provides a more deterministic cookie size and reduces bloat when a user belongs to many security groups.
  • Access to claims that are encoded within user certificates when using certificate authentication. This can help administrators differentiate access based on what type of certificate is used.
  • Consistent client-request-id that is logged in all event logs and traces for easier troubleshooting.
  • Additional request claims, for example, IP addresses, endpoint addresses, or user agents that can be used to base policy decisions on.
  • Password expiry notification as claims that an administrator can configure to send to downstream applications to notify the user when their password is about to expire.