Windows Server 2012 – Monitor and maintain servers

Monitor Servers

Server Manager

Server Manager allows you to pull event log data, service status information, management and accessibility information, performance counter data and best practice information from servers on your local LAN, private cloud and public cloud into one management console.

The thumbnails show manageability, i.e. whether the server is online, whether it is accessible and whether it is reporting information back to Server Manager. NOTE: for Server 2003, Server Manager can only query online or offline status. Other down-level operating systems such as Server 2008 SP2 / 2008 R2 require the Windows Management Framework 3.0 components and a hotfix for performance data capture.


The data is retained for one day but the retention period can be configured as you wish.


Filtering information in the dashboard


Configure Data Collector Sets (DCS)

The data collection set configuration is the same as 2008; see here for review.

Configure alerts

Alert configuration is the same as 2008; see here for review. Alerts can be configured within Server Manager too.


Monitor real-time performance

Resource Monitor still exists as it did in 2008. Task Manager has had an overhaul: the Processes tab now displays applications and processes, and a number of tabs have links to the respective tools which allow you to dig deeper.


Monitor virtual machines (VMs)

Virtual machine monitoring is a feature of failover clustering. The administrator running failover clustering must be an administrator of the guest virtual machine and the guest must have the ‘Virtual Machine Monitoring’ firewall rule enabled. PowerShell: Set-NetFirewallRule -DisplayGroup "Virtual Machine Monitoring" -Enabled True.

Monitoring is configured from within Failover Cluster Manager and works by monitoring services selected by the administrator. If the service fails then the cluster agent honours the settings defined within the Recovery tab of the monitored service. If the service recovery action is ‘Take No Action’ then the cluster agent will raise an Event ID of 1250 from the FailoverClustering source within the System log; this can be picked up by a SCOM monitor which has diagnostic and recovery configurations.

By default Failover Clustering will restart the guest on the same host using a forced but graceful shutdown. If that does not fix the issue then the guest is restarted on another Hyper-V server.
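The VM monitoring set-up and the event 1250 check described above, as an added PowerShell example that is not part of the original post. It assumes a guest named FS01, the Spooler service as the monitored service, and that the event provider name is Microsoft-Windows-FailoverClustering; the first command runs inside the guest, the rest on a cluster node.

```powershell
# Added example (not from the original post). Assumed values: VM "FS01",
# service "Spooler", provider "Microsoft-Windows-FailoverClustering".

# --- Inside the guest: allow the cluster to query service state ---
Set-NetFirewallRule -DisplayGroup "Virtual Machine Monitoring" -Enabled True

# --- On a cluster node: register the service to be monitored ---
Import-Module FailoverClusters
Add-ClusterVMMonitoredItem -VirtualMachine "FS01" -Service "Spooler"
Get-ClusterVMMonitoredItem -VirtualMachine "FS01"

# --- On a cluster node: detection ---
# The post states that event ID 1250 is raised in the System log when the
# monitored service's recovery action is "Take No Action". This pulls those
# events for the last N hours so they can be fed to a monitor or a report.
function Get-VmServiceFailure {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-FailoverClustering'   # assumed provider name
        Id           = 1250
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, Message
}

Get-VmServiceFailure -Hours 24 | Format-List
```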

More information here.

Monitor events

Event monitoring is still the same as 2008; see here for review.

Event logs are now integrated into Server Manager and can be aggregated to your workstation for quick analysis and remediation where necessary. The events shown in Server Manager are context sensitive to the role or selected servers.


Configure event subscriptions

Event subscription configuration is the same as 2008; see here for review.

Configure network monitoring

Network monitoring configuration is the same as 2008; see here for review.

Windows Server 2012 – Install and configure servers

Install Servers

Plan for server installation

Windows Server 2012 installation requirements can be found here; in summary Windows Server 2012 requires a 64-bit architecture, digitally signed kernel-mode drivers and 32GB of disk space (note: the pagefile, hibernation file etc. take space too).

Considerations for the installation:

  • Remove any unnecessary serial devices, e.g. a UPS
  • Mass storage device drivers may be required
  • Windows Firewall is enabled by default

Plan for server roles

Design, deployment and management guidance for Windows Server 2012 roles can be found here.

Active Directory Certificate Services – new functionality incl. PowerShell and integration with Server Manager.

Active Directory Domain Services – support for virtualisation incl. cloning of domain controllers, streamlined deployment with prerequisite checks, simplified management incl. claims-based authorisation and under-the-hood improvements to RID, deferred index creation, AD recycle bin GUI etc.

Active Directory Federation Services – PowerShell and Server Manager integration.

Active Directory Lightweight Directory Services – No change from Server 2008.

Active Directory Rights Management Services – Changes to SQL Server requirements (local administrative credentials on the SQL server are no longer needed; the sysadmin privilege is now sufficient) and integration with Server Manager.

Application Server – No change from Server 2008.

Failover Clustering – In Windows Server 2012 – improved scalability; now scales to 64 nodes and 8000 virtual machines, new management interface using Server Manager, enhancements to cluster shared volumes, support for scale-out file servers, cluster aware updating, virtual machine application monitoring and management, improved validation tests, active directory integration and quorum configuration.

In Windows Server 2012 R2 – support for guest clusters, virtual machine drain i.e. live migration of virtual machines on shutdown of the Hyper-V host, virtual network health detection, improved CSV placement policies, resiliency, diagnostics and interoperability. Less dependency on AD DS, improvements to quorum incl. dynamic witness.

File and Storage Services – work folders, SMB improvements incl. SMB direct, storage spaces incl. tiered storage, distributed RAID?

In Windows Server 2012 R2 SMB sessions are now tracked per file share rather than per server allowing for redirection with the best access to the volume.

Group Policy – remote group policy update, sign-in optimisation i.e. slow link processing, new starter group policies, new PowerShell cmdlets, increased max size of registry.pol, group policy client idling (improves client computer performance).

In Windows Server 2012 R2 group policy has added support for IPv6 around printers, item-level targeting and VPN connections, and group policies are cached locally, which helps on high-latency connections.

Hyper-V – loads of new features, client Hyper-V, dynamic memory, virtual machine replicas, improvements to import of virtual machines, live migration without shared storage, improved Hyper-V administrative delegation, pass-thru networking and storage adapters, virtual machine storage on file servers using SMB 3.0 and virtual NUMA.

In Windows Server 2012 R2 Hyper-V has shared virtual hard disks to complement guest failover clustering. Virtual hard disk resizing on the fly, storage QoS; set minimum and maximum IOPS per virtual machine. Live migration improvements such as compressing memory before migrating and RDMA support where applicable. New virtual hardware for Windows Server 2012 and Windows 8 and later. Clustering can detect network and storage issues and restart the virtual machine elsewhere.

Hyper-V replica now has 24 hour recovery points and now supports more than one replica.

Networking – New 802.1X protocol EAP-TTLS (Tunneled Transport Layer Security) which supports non-Microsoft RADIUS. Improvements to BranchCache, Data Center Bridging support for converged network adapters, DNSSEC improvements, DHCP failover, NIC teaming, QoS and improvements to IPsec IKEv2.

Windows Server 2012 R2 supports virtual receive-side scaling to utilise multiple virtual CPU cores.

Print and Document Services – Branch Office direct printing, new driver support etc.

Remote Desktop Services – improvements to sounds and video playback, virtualised GPU support (requires a SLAT processor and GPU driver which supports DX11).

Security and Protection – Dynamic access control provides central access policies to grant or deny access to files and folders across all Windows Server 2012 computers. DNSSEC, improved IPsec, security policies and policy management, Bitlocker improvements, Group Managed Service Accounts, AppLocker improvements etc.

Volume Activation – is now a server role which automates the issuance and management of Microsoft software licences. KMS, VAMT and MAK proxies are still available.

Web Server – web server instances, SSL certificate stores, Server Name Indication (SSL host headers), application initialisation and dynamic IP restrictions.

Windows Deployment Services – can deploy wim, vhd and vhdx images; vhdx can be applied to volumes in a similar way to wim files. Support for ARM architecture too.

Windows Server Backup – ability to select individual virtual machines for backup and restore, support for large volumes e.g. greater than 2TB and 4 Kilobyte sectors.

Windows Server Essentials Experience – essentials experience can be installed in Windows Server 2012 Standard and Datacenter, it enables you to manage the server through a simplified dashboard, integrate with Office 365, Exchange Online, Windows Intune etc. Very much the same functionality as Small Business Server.

Windows Server Update Services – PowerShell improvements, improved security and client / server software separation.

Windows System Resource Manager – deprecated in favour of functionality provided by Hyper-V.

Plan for server upgrade

Upgrade guidelines:

  • In-place upgrades from 32-bit to 64-bit are not supported, nor are upgrades from one language to another or from one build type to another.
  • You cannot upgrade from a release candidate.
  • You cannot upgrade from core to full GUI and vice versa but you can configure Windows Server 2012 to utilise the full GUI or core mode after the upgrade.
  • You cannot upgrade to a lesser edition, e.g. Server 200x Datacenter to Server 2012 Standard.

Server Core Overview

Server Core is no longer an irreversible choice; you can freely switch between full GUI, MinShell and Core mode using PowerShell and DISM.

Install Server Core

Server core is the default choice when you install Windows Server 2012. The installation process is pretty streamlined with minimal questions asked.

Configure Features On Demand

Features on Demand allows you to remove binaries which are not required from the installation, e.g. if you have a web server which is a member of a domain you can safely remove the Active Directory binaries.

The best practice is to copy the WinSxS folder to a network share and assign the built-in Domain Computers group read permission on the share.


If you need to install a role or feature whose binaries are no longer available on the local computer you can use the source share or Windows Update. Where Get-WindowsFeature returns an install state of Removed, the binaries no longer exist on the computer. The default locations used by Install-WindowsFeature are the location specified within the GUI wizard, the value of the group policy object ‘Specify settings for optional component installation and component repair’ and Windows Update. To override the above, specify the -Source parameter.





Migrate Roles from Previous Versions of Windows Server

Server role upgrade guidelines:

  • Active Directory upgrade: see here. In summary the forest functional level must be Windows Server 2003, compatible clients are Windows XP and later, application compatibility should be verified, and a number of master roles should be accessible during the promotion of a Windows Server 2012 domain controller.
  • Active Directory Federation Services: in general guidelines suggest export AD FS configuration, perform in-place upgrade of the operating system, recreate AD FS configuration and restore AD FS service settings.
  • Active Directory Rights Management Services: In-place upgrades supported but will require the AD RMS upgrade wizard to be run to ensure consistency. NOTE: If AD RMS was installed with the Windows Internal Database (WID) then first of all the WID instance should be migrated to SQL Server. See here.
  • File and Storage services: if DFS was installed prior to the upgrade then DFS will need reinstalling.
  • Hyper-V: shutdown virtual machines and remove any existing snapshots prior to the upgrade.
  • Print server: migrate using the Printer Migration Wizard.
  • Remote Access: the functionality provided by RRAS is now integrated into Remote Access Server (Direct Access). This role can be migrated to Windows Server 2012 by following this guide.
  • Remote Desktop Services: No migration path but you could utilise existing Server 2008 R2 session host servers by routing users through the Windows Server 2012 RD Web Access server.
  • Volume Activation Services: AD schema must be at Windows Server 2012 level to store activation objects.
  • Web Server: no change in functionality, web applications which work in IIS 7 will work in IIS 8.

Install, Use and Remove Windows Server Migration Tools

The Windows Server Migration Tools are installed on the destination server using Install-WindowsFeature Migration. To configure them browse to the migration tools directory c:\windows\system32\ServerMigrationTools\ then run smigdeploy.exe with the following parameters ‘smigdeploy.exe /package /architecture [amd64|x86] /os [WS03|WS08|WS08R2] /path [deployment folder e.g. c:\smigdeploy]’

Next copy the deployment folder to the source computer and run smigdeploy.exe to get access to the migration cmdlets Import-SmigServerSetting and Export-SmigServerSetting, Get-SmigServerFeature, and Send-SmigServerData and Receive-SmigServerData.

Once this part is complete go here to view the role migration guides.

Once the migration is complete you can remove the migration tools from Windows Server 2012 using Uninstall-WindowsFeature Migration and from Windows Server 2008 R2 and earlier using smigdeploy.exe /unregister.

Configure Servers

Configure Server Core

Common core configuration tasks are:

  • Setting an administrative password: you’re prompted to set a password after the installation is finished. To change a password use Ctrl + Alt + Del.
  • Setting an IP address: you can use sconfig.cmd or PowerShell.
    • PowerShell: Get-NetIPInterface and note the number within the IfIndex column.
    • PowerShell: New-NetIPAddress -InterfaceIndex <index> -IPAddress <address> -PrefixLength <length> -DefaultGateway <gateway>
    • PowerShell: Set-DnsClientServerAddress -InterfaceIndex <index> -ServerAddresses <dns server(s)>
  • Adding the computer to the domain: run Add-Computer and follow the prompts or provide the information to the cmdlet.
  • To rename a computer use the Rename-Computer cmdlet; to get the existing computer name use hostname.
  • To activate the computer use slmgr.vbs -ato; you may need to provide a product key using -ipk.
  • To configure the Windows Firewall use Set-NetFirewallProfile, New-NetFirewallRule, Set-NetFirewallRule… more here.
  • To enable PowerShell remoting use Enable-PSRemoting
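The Server Core configuration tasks listed above as one sequence, added here as an example and not the post's own script. Every value is assumed: interface index 12, address 192.0.2.10/24, gateway 192.0.2.1, DNS server 192.0.2.5, new name CORE01 and domain corp.example; run it from an elevated PowerShell on the Core server.

```powershell
# Added example (not from the original post). All addresses, the interface
# index, the computer name and the domain are assumed placeholders.

# Identify the adapter to configure and note its ifIndex.
Get-NetIPInterface -AddressFamily IPv4 | Select-Object ifIndex, InterfaceAlias, Dhcp
$IfIndex = 12

# Static addressing and DNS: turn DHCP off on that interface first so the
# lease does not come back alongside the static address.
Set-NetIPInterface -InterfaceIndex $IfIndex -Dhcp Disabled
New-NetIPAddress -InterfaceIndex $IfIndex -IPAddress 192.0.2.10 `
    -PrefixLength 24 -DefaultGateway 192.0.2.1
Set-DnsClientServerAddress -InterfaceIndex $IfIndex -ServerAddresses 192.0.2.5

# Keep the firewall on for every profile, open only the remote-management
# rule group that is actually needed, then enable PowerShell remoting.
# -SkipNetworkProfileCheck stops Enable-PSRemoting failing while the adapter
# is still classified as Public (before the domain join).
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
Enable-NetFirewallRule -DisplayGroup 'Windows Remote Management'
Enable-PSRemoting -Force -SkipNetworkProfileCheck

# Rename and join the domain in a single reboot. Credentials are prompted
# for rather than embedded in the script.
$Cred = Get-Credential -Message 'Account permitted to join computers to corp.example'
Add-Computer -DomainName corp.example -NewName CORE01 -Credential $Cred -Restart
```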

Add and Remove Server Roles and Features

Use Install-WindowsFeature and Uninstall-WindowsFeature. These commands have optional parameters such as:

  • IncludeAllSubFeature (all applicable sub features) – Install cmdlet only
  • IncludeManagementTools
  • ComputerName (if the computer is remote)
  • ConfigurationFilePath (used to specify roles and features to be installed and any configuration parameters required) – Install cmdlet only
  • LogPath (to write the cmdlet results to a log file)
  • Remove (removes the binaries from the computer) – Uninstall cmdlet only
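The Features on Demand workflow and the Install-/Uninstall-WindowsFeature parameters above, as an added PowerShell example that is not the post's own code. It assumes a copied WinSxS folder shared at \\fs01\winsxs and a C:\Temp log directory, both hypothetical.

```powershell
# Added example (not from the original post). Share and log paths are assumed.
Import-Module ServerManager
$Source = '\\fs01\winsxs'   # assumed: share holding a copy of a WinSxS folder

# 1. Audit: which features have had their binaries removed from this server?
#    An install state of Removed means the payload is no longer on disk.
Get-WindowsFeature | Where-Object { $_.InstallState -eq 'Removed' } |
    Select-Object Name, DisplayName | Format-Table -AutoSize

# 2. Install a role whose payload was removed, pulling binaries from the share
#    instead of Windows Update, including its management tools, and log it.
Install-WindowsFeature -Name Web-Server -IncludeManagementTools `
    -Source $Source -LogPath 'C:\Temp\Install-WebServer.log'

# 3. Reduce attack surface on a domain-joined web server: remove the AD DS
#    binaries entirely (-Remove) so the role cannot be added later without
#    an explicit source, and log the removal.
Uninstall-WindowsFeature -Name AD-Domain-Services -Remove `
    -LogPath 'C:\Temp\Remove-ADDS.log'

# 4. Verify the resulting states (expect Installed and Removed respectively).
Get-WindowsFeature -Name Web-Server, AD-Domain-Services |
    Select-Object Name, InstallState
```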

Convert Server Core to / from Full “Server with Gui”

The installation of server core can be converted to minshell or full GUI by running dism /mount-wim /wimfile:d:\sources\install.wim /index:4 /mountdir:c:\DVD /ReadOnly



Note: my DVD drive letter is D:\ and I created a directory on C:\ called DVD. The index number of the installation can be found by using the PowerShell cmdlet Get-WindowsImage -ImagePath d:\sources\install.wim


To install the full Gui run Install-WindowsFeature Server-Gui-Mgmt-Infra, Server-Gui-Shell -Restart -Source c:\DVD\Windows\WinSxs

If you just want the minshell leave out Server-Gui-Shell.


The -Source parameter is needed if the server was installed in Core mode, because the GUI binaries are not present locally.



On restart you’ll see ‘Configuring Windows Features’.


The full GUI can be converted to Core or MinShell using the PowerShell cmdlet Uninstall-WindowsFeature, e.g.:

To get to the minshell:

Uninstall-WindowsFeature Server-Gui-Shell -Restart


To get to the core mode:

Uninstall-WindowsFeature Server-Gui-Mgmt-Infra -Restart


Configure Services

The Get-Service cmdlet can be used to get the status of all services; you could pipe this output to Start-Service or Stop-Service depending on the value of the status property.

The Get-Process cmdlet can be used to return all running processes.

Office 365 – Prepare the client computer and configure remote connectivity

Client Computers

Trusted zones

Office 365 offers a number of Office applications via a web browser, e.g. Office 365 plans P1/E1/E2/E3/E4/K1 and K2 allow read/write and read-only access to Office documents.

In order to get uninterrupted access it is recommended the browser be configured with the following trusted sites assignments.

Trusted sites list:

Local intranet list:

  • *
  • *
  • *
  • *

The above assignments can be configured via group policy or the IEAK. Note that when you configure the trusted browser zones via group policy the end user will be unable to make changes. If you need to implement this in an environment that has not used the ‘Site to Zone Assignment’ group policy object before, you may want to script the collection of the existing trusted site configuration. See this here.
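One way to collect the existing per-user zone assignments before the policy overrides them, added here as an example rather than the script the post links to. It reads the ZoneMap\Domains key under HKCU that Internet Explorer uses for manually added sites and reports them in the same "site = zone" form the Site to Zone Assignment policy uses (1 intranet, 2 trusted, 3 internet, 4 restricted); the function name is my own.

```powershell
# Added example (not the post's script). Reads the current user's manual
# site-to-zone entries so they can be merged into the group policy list.
function Get-IeZoneAssignment {
    param(
        [string]$Root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    )
    if (-not (Test-Path $Root)) { return }

    foreach ($domainKey in Get-ChildItem $Root) {
        $domain = $domainKey.PSChildName

        # Values directly under the domain key apply to the domain itself;
        # subkeys are host names (or '*' wildcards) within that domain.
        $entries = @(@{ Key = $domainKey; Host = $domain })
        foreach ($sub in Get-ChildItem $domainKey.PSPath) {
            $entries += @{ Key = $sub; Host = "$($sub.PSChildName).$domain" }
        }

        foreach ($e in $entries) {
            $props = Get-ItemProperty $e.Key.PSPath
            # Each value is named after the scheme it applies to; '*' = any scheme.
            foreach ($scheme in 'http', 'https', '*') {
                $zone = $props.$scheme
                if ($null -ne $zone) {
                    [pscustomobject]@{
                        Site = if ($scheme -eq '*') { $e.Host } else { "${scheme}://$($e.Host)" }
                        Zone = [int]$zone
                    }
                }
            }
        }
    }
}

# Review, or redirect to a CSV per user and merge the results centrally.
Get-IeZoneAssignment | Sort-Object Zone, Site | Format-Table -AutoSize
```

Entries a user placed in the Trusted zone (Zone 2) deserve a second look before being carried into policy, since the policy will apply them to everyone.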

Client computer requirements

Desktop Setup – required if you’re not installing Office 365 Pro Plus.

Operating system

  • Windows 7 or later
  • Mac OS X 10.5 or later
  • Windows Server 2008 or later
  • Windows XP with SP3; support ends January 2014
  • Windows Vista with SP2; support ends January 2014


Office applications

  • Office 2010 SP1
  • Office 2007 SP2
  • Office 2011 for Mac
  • Outlook 2003 (POP and IMAP); support ends April 2014
  • Lync 2010
  • Microsoft .NET framework
  • Entourage 2008 Web Services Edition and Office 2008 for Mac are not supported but will probably work


Browsers

  • IE 8 or later
  • Firefox latest version
  • Safari 5 or later
  • Chrome latest version

The Office suite available via Office 365 can be deployed in a number of ways:

  • Download from the portal

Downloads are initiated from the portal by the end user; this will require the end user to have local administrative rights.

  • Network share

The IT Administrator downloads the installer to a network share; this will again require the end user to have local administrative rights. This option requires you download Office 365 Pro Plus using the Office Deployment Tool for Click-to-run.

Create a share on a file server e.g. net share sharename=drive:path


Download the Click-to-run tool from the Microsoft download center, extract the files to the network share created above. Then configure the configuration xml file. Microsoft documentation here.


Once the configuration is complete, download Office 365 Pro Plus using the download switch.


To install Office 365 Pro Plus you would run the command below at the client
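The network share deployment described above, as an added PowerShell example that is not the post's own configuration or command. It assumes a hypothetical share \\fs01\office365 that already holds setup.exe extracted from the Click-to-Run Office Deployment Tool, and a 32-bit English Office 365 ProPlus install.

```powershell
# Added example (not from the original post). Share path and product choices
# are assumed; adjust to your environment.
$Share      = '\\fs01\office365'
$ConfigPath = Join-Path $Share 'configuration.xml'

# The Office Deployment Tool configuration: where to get the bits, which
# product/language to install, where updates come from, and a silent install.
@"
<Configuration>
  <Add SourcePath="$Share" OfficeClientEdition="32">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
  <Updates Enabled="TRUE" UpdatePath="$Share" />
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>
"@ | Set-Content -Path $ConfigPath -Encoding UTF8

# Administrator, run once: pull the Click-to-Run package into the share
# (needs write access to the share).
& (Join-Path $Share 'setup.exe') /download $ConfigPath

# Client, run with local administrative rights: install from the share.
& (Join-Path $Share 'setup.exe') /configure $ConfigPath
```

Users only need read access to the share; keep write access limited to the administrators who run the /download step, since anything placed in that share is what every client will install.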


Office 365 Pro Plus Group Policy

Administrative templates can be found here.

Office licensing considerations

Originally the Office suite provided via Office 365 had a number of restrictions e.g. the office suite used a retail SKU which prevented it being installed within a terminal services environment. The latest Office suite no longer has that limitation. See more below.


Installation and use rights here.

Configuring Remote Connectivity

Troubleshooting Remote Connectivity

As Office 365 services are cloud based, your internet connectivity and configuration need to be solid. To diagnose and troubleshoot, Microsoft have provided the following tools:


MOSDAL is a good all round tool which collects system and network configuration, performs network diagnostics and logs information for all Microsoft Office 365 applications in use.

To use MOSDAL, configure it using the setup wizard then reproduce the problem; as you reproduce the problem MOSDAL collects information, and when MOSDAL has finished you can view the report. The MOSDAL report is best viewed top down: first view the summary, then drill down where required to view console output, test traces and any attachments.

Remote Connectivity Analyser

Browse to the analyser and select an applicable test, e.g. to test Office 365 single sign-on select the Office 365 tab then select the single sign-on test. Enter your credentials when prompted and click Perform Test.


The image above is a single sign-on test I performed whilst my Federation proxy server was offline.

Office 365 Urls and IP address ranges can be found here.

Office 365 port requirements:

Exchange / Email:

  • Outlook 20xx, Entourage 2008, Outlook 2011 for Mac and Outlook Web Access – TCP 443.
  • SMTP mail routing uses – TCP 25.
  • SMTP relay uses – TCP 587.
  • IMAP migration – TCP 143 / 993
  • POP3 – TCP 995
  • Exchange migration – TCP 433 (Staged and cutover)
  • Exchange management console and shell – TCP 443


SharePoint:

  • SharePoint portal – TCP 443


Lync:

  • Lync Client (Lync Online to on-premises Lync Server) – TCP 443.
  • Lync data, video and audio – PSOM/TLS 443, STUN/TCP 443, STUN/UDP 3478 and RTC/UDP 50000 – 59999

Active Directory / Federation:

  • ADFS and ADFS Proxies – TCP 443
  • Directory Sync – TCP 80 / TCP 443

Verifying service connectivity

To verify Exchange / Outlook connectivity hold down the Ctrl key whilst right-clicking the Outlook icon in the system tray and select Connection Status.

To verify Lync connectivity browse to your local Lync test site from the list below. NOTE: this requires Java to be installed.

Once connected click Start Test, then enter the session ID (any number greater than 0), then click OK.

To verify SharePoint connectivity simply browse to the SharePoint site.


The Autodiscover service takes the email address and password of a user to automatically configure their Outlook profile. Autodiscover will attempt to get the user’s display name, connection settings for inbound and outbound connectivity, the mailbox server where the mailbox exists, and URLs for free/busy, unified messaging, the offline address book and Outlook Anywhere configuration.

Autodiscover will generally utilise a CNAME within your DNS namespace which points to You can test autodiscover using the Microsoft Remote Connectivity analyser.


Remote connectivity analyser results.


Administering Office 365 via PowerShell

This requires the Microsoft Online Services Module for PowerShell to be installed. You can confirm this by opening PowerShell and typing Get-Module -ListAvailable


Once you have confirmed the module is installed import the module and connect to your Office 365 tenant.



Put the credentials into a variable $cred


Connect to the Office 365 tenant using the variable


To get a list of commands available run Get-Command -Module MSOnline


e.g. Get-MsolDomain


Administering Exchange On-line via PowerShell

Exchange On-line can be administered via remote PowerShell.

First of all create a remote session to



Import the session to get the Exchange Online cmdlets using Import-PSSession $session. To get a list of commands, assign the result of Import-PSSession to a variable and use its ExportedCommands property.


Run the commands as if you were connected locally.
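The MSOnline and Exchange Online connection steps from the two sections above in one script, added as an example and not the post's own session. The Exchange Online PowerShell endpoint is left as a placeholder to be replaced with the URL from Microsoft's documentation.

```powershell
# Added example (not from the original post). $ExoUri is a placeholder.
$ExoUri = 'https://EXCHANGE-ONLINE-POWERSHELL-ENDPOINT/'   # placeholder, replace

# --- Office 365 tenant (MSOnline module) ---
Import-Module MSOnline
$cred = Get-Credential -Message 'Office 365 global administrator'   # prompted, never hard-coded
Connect-MsolService -Credential $cred
Get-MsolDomain | Select-Object Name, Status, Authentication

# --- Exchange Online via remote PowerShell (implicit remoting) ---
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri $ExoUri -Credential $cred `
    -Authentication Basic -AllowRedirection

# Import-PSSession returns a temporary module; its ExportedCommands property
# is the list of cmdlets proxied from the tenant.
$exo = Import-PSSession $session -DisableNameChecking
$exo.ExportedCommands.Keys | Sort-Object | Select-Object -First 20

# Use the cmdlets as if they were local, e.g. the state of migration batches.
Get-MigrationBatch | Select-Object Identity, Status, TotalCount, SyncedCount

# Always tear the session down; open sessions are limited per administrator.
Remove-PSSession $session
```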


Staged migration from Exchange 2003 to Exchange online


The following prerequisites must be in place to carry out a staged migration.

  1. A directory sync server must be configured to synchronise on-premises users to Office 365. See here for instructions.
  2. Your Office 365 tenant organisation must have the domain of your on-premises organisation as an accepted domain, i.e. add the domain to Office 365 within the portal.
  3. Confirm Outlook Anywhere is working on your on-premises Exchange deployment.
    1. In my scenario I was migrating from Exchange 2003 and Outlook Anywhere was not configured. I used the guide here. The only comments I would make are that the registry entry HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\RPC\RPCPROXY requires the NetBIOS name, internal FQDN and external FQDN (if they’re different) and NTLM authentication is required on the RPC virtual directory and within Outlook’s proxy settings; this seems to be true when using Outlook 2010, I haven’t tested other clients.
    2. To confirm Outlook Anywhere is working use the Microsoft Remote Connectivity Analyser.
  4. Create an on-premises user who will be the migration administrator; this user can either be a domain admin, or be assigned full access to the mailboxes and the WriteProperty permission on the TargetAddress attribute. The TargetAddress security can be modified using ADSI Edit.
  5. Lower the TTL of the MX record for the domain you’re migrating.
  6. Tell the users that their mailbox is being migrated. Depending on your user base Outlook Web App may suffice; if not, an autodiscover record should be created, but this could cause issues.
  7. Export the user account email addresses from Active Directory using csvde, e.g. csvde -f c:\output.csv -r "(&(objectCategory=person)(objectClass=user)(mail=*))" -l "mail". The default header is mail but for the migration it must be EmailAddress.
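A small post-processing step for step 7, added as an example and not the post's own script: it turns the csvde output into the CSV the staged migration wizard expects (header EmailAddress), dropping accounts with no mail attribute and duplicate addresses. The input and output paths and the function name are assumed.

```powershell
# Added example (not from the original post). Paths are assumed placeholders.
function ConvertTo-MigrationCsv {
    param(
        [string]$InputPath  = 'C:\output.csv',       # csvde output: columns DN, mail
        [string]$OutputPath = 'C:\batch-AtoG.csv'    # file to upload to the migration batch
    )
    Import-Csv -Path $InputPath |
        # csvde matched mail=*, but guard anyway against blank or malformed values.
        Where-Object { $_.mail -and $_.mail -match '@' } |
        # Rename the column: the migration wizard requires the header EmailAddress.
        Select-Object @{ Name = 'EmailAddress'; Expression = { $_.mail.Trim().ToLower() } } |
        # One row per address; a duplicate would make the batch fail validation.
        Sort-Object EmailAddress -Unique |
        Export-Csv -Path $OutputPath -NoTypeInformation -Encoding ASCII

    # Return the number of rows written so the batch size can be sanity-checked.
    @(Import-Csv -Path $OutputPath).Count
}

$count = ConvertTo-MigrationCsv
"Wrote $count addresses to the migration CSV"
```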



Create a migration end point

Log in to the Exchange Administration Center and select recipients, then migration, then the plus sign and migration to Exchange Online.


Select staged migration.


Enter the credentials of the on-premises account which has access to all mailboxes being migrated; this is either the domain admin or the user created in prerequisite step no. 4.


Specify the internal FQDN of the Exchange server and RPC proxy i.e. the public FQDN used when connecting via Outlook Anywhere.


Name the migration e.g. maybe you’re migrating users with surnames A-G then maybe Exchange2003MailboxesAtoG.


The status of the migration can be viewed from within the Exchange Admin Center.


At this point the TargetAddress attribute of the users you’re migrating is modified to


Depending on the size and number of items it may be best to plan migrations over a weekend, or maybe an evening would suffice; e.g. in my experience a 3.8GB mailbox took around 3 hours over a 5Mb connection.

If your user would like to be able to view new incoming emails straight away then point them to Outlook Web App, configure their mobile device to use Exchange Online or configure a new Outlook profile to use Exchange Online. If you opt for a new Outlook profile, a few points to remember:

  • Outlook 2010 or 2007 client needs to be at least SP1 and SP3 respectively
  • Outlook 2010 and earlier clients require the desktop setup to be run; pretty sure this installation requires a reboot too.
  • An autodiscover record should exist too; existing users should not see any problems unless you have to reconfigure their Outlook profile.

Once the migration is complete you’ll receive an email like the one below.


The migrated users’ on-premises mailbox-enabled accounts should be configured as mail-enabled accounts; Microsoft have a number of scripts to streamline this process which can be found here.

The script ExportO365UserInfo.ps1 requires PowerShell to be installed; the synopsis of the script is as follows:

  • Create and connect to a remote session of Exchange On-line
  • Import the migrated users
  • Using the migrated users email address get the Exchange Distinguished name, cloud email address and on-premises email address
  • Export the above to a CSV.

The script Exchange2003MBtoMEU.vbs requires the output of the PowerShell script above, the Microsoft Exchange management tools and the FQDN of a domain controller. The synopsis of the script is as follows:

  • Import information from csv file created by the script above
  • Collect information from Active Directory
  • Adds x.500 addresses and distinguished names to a proxy list
  • Deletes the user’s mailbox
  • Mail-enables the user using the information collected earlier

Once your batch is complete, delete it from the migration section of the Exchange Admin Center.

Final tasks

Switch the MX record to Exchange Online; the required values can be viewed within the Office 365 portal. Log in, go to domains, select the domain, then select view DNS settings, then select View DNS records.


Upgrade to Exchange 2010 and then remove the Exchange 2003 installation. Guides on Microsoft TechNet:

Understanding upgrade from 2003 to 2010:

Removing Exchange 2003:

Office 365 – Manage identity federation by using ADFS 2.0

Configure Directory Synchronisation

Directory synchronisation must be activated within the Office 365 portal; the activation can take 24 hours to complete.

Directory Synchronisation requires:

  • A domain joined computer.
  • Enterprise administrator credentials (it uses these to create a user object in the forest root domain).
  • Global administrative rights within the Office 365 online environment.
  • Computer hardware depends on no. of objects within ADDS but as a rough guide
    • 1.6Ghz CPU
    • minimum of 4GB RAM up to 32GB RAM
    • minimum 70GB hard disk space up to 500GB hard disk space

See this post for more details on deployment and configuration of directory sync.

Configuring and Managing Identity federation using ADFS 2.0

Single sign-on requirements using AD FS 2.0

  • Single Active Directory forest
  • AD FS 2.0
  • Latest client operating system and service packs
  • Public SSL certificate
  • PowerShell 2.0

A relying party trust between the federation servers and Office 365 is required; the relying party trust acts as a secure channel through which authentication tokens can pass.

The AD FS 2.0 install wizard will check for and install all the prerequisites with the exception of Microsoft .NET Framework 3.5 SP1 on Microsoft Windows Server 2008.

The federation server(s) require a public SSL certificate for server authentication purposes. If federation proxies are also implemented then this public certificate should be installed on them too. The federation servers also require an X.509 token-signing certificate, which by default is a self-signed certificate created by AD FS and will be sufficient in most scenarios.
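Because the relying party trust depends on these certificates, a periodic expiry check is worth having. The function below is an added example, not from the post; it assumes the AD FS 2.0 PowerShell snap-in on a federation server and reports the service communications, token-signing and token-decrypting certificates with days remaining.

```powershell
# Added example (not from the original post). Assumes the AD FS 2.0 snap-in.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

function Get-AdfsCertificateStatus {
    param([int]$WarnDays = 30)   # flag anything expiring inside this window
    foreach ($c in Get-ADFSCertificate) {
        $cert     = $c.Certificate                 # System.Security.Cryptography.X509Certificates.X509Certificate2
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        [pscustomobject]@{
            Type       = $c.CertificateType        # Service-Communications, Token-Signing, Token-Decrypting
            IsPrimary  = $c.IsPrimary
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            SelfSigned = ($cert.Subject -eq $cert.Issuer)   # expected for the default token certs
            Status     = if ($daysLeft -lt 0)         { 'EXPIRED' }
                         elseif ($daysLeft -lt $WarnDays) { "expires in $daysLeft days" }
                         else                          { 'ok' }
        }
    }
}

Get-AdfsCertificateStatus | Format-Table -AutoSize
```

A primary token-signing certificate that is about to roll over is the one to watch: Office 365 must hold the new signing certificate before the old one stops being used, or federated sign-in fails.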

It goes without saying but DNS resolution and TCP/IP are fundamental to the operations of AD FS.

Network Load Balancing (NLB) is recommended too to provide fault tolerance at the federation servers and federation proxies.

AD FS Installation

See this post for more details on deployment and configuration of ADFS 2.0.

Implementing single sign-on and two-factor authentication

Office 365 can utilise two-factor authentication but requires single sign-on to be implemented first.

Microsoft recommends either using SecurID or using Forefront UAG and its supported two-factor authentication providers.

Two-factor authentication is only supported by Lync, SharePoint and OWA and the computer being used must be joined to a domain.

Office 365 – Lab 2 ADDS and AD FS 2.0

Lab 2


  • Office 365 trial
    • Directory Synchronisation enabled within Office portal
    • Public domain name
    • Applicable DNS records configured
  • SSL certificate signed by a public authority
  • Active Directory domain controller
  • Windows 7 client
  • Windows Server client (x 3) – in a production environment you should have 5
    • AD FS 2.0
    • AD FS 2.0 Proxy
    • Directory Sync Server
  • Enterprise Administrator credentials
  • Global administrator credentials with Office 365
  • Delegated write access to the Program Data container within ADDS (not required if you’re installing AD FS 2.0 using domain admin credentials)


The purpose of this lab is to simulate the implementation of true single sign-on with Office 365 using an Active Directory domain. This domain will be deployed with an internal subdomain of the company’s public domain name. See here on how to build an AD DS domain with an internal subdomain.

Lab Setup

Domain Controller

The domain controller should be built as per the guide here.

DirSync Server

The directory sync server should be built as per the guide here.

Federation Server

Install Windows Server 2008 R2, assign a static IP address, give the computer a suitable name.

Computer Name: ADFS01

IP Address, Gateway and Primary DNS: the primary DNS should be the IP address your DNS server is listening on. The IP address has been bound to the network adapter for dedicated use by Federation Services.


Join the computer to the domain.

Prerequisite Federation Server configuration

  • Create an internal DNS record for your federation server farm e.g.
  • Create a service account for ADFS.
  • Install IIS 7.5 with defaults selected.
  • Generate a CSR for your public domain and install the certificate.

Create DNS record for Federation

Create a DNS record on the internal DNS. You’ll need to create a new zone matching the public DNS zone e.g.


I’ve used sts as the host name for my Federation Server. If you also have public records for Exchange and Lync online etc. you’ll need to replicate those here.

ADFS Service Account

Create a normal domain user account to run the Federation Service.



Install IIS

Using Server Manager or Windows PowerShell, install IIS using the defaults. The screenshots below are verification that IIS is installed.



Install SSL Certificate

Generate a CSR for the public DNS name e.g. (obviously there will be content between the BEGIN and END certificate request lines).


Send the certificate request to a certificate authority; once issued, download the certificate and install it within IIS.


Install ADFS

First things first, download the ADFS 2.0 installer from the Microsoft download center.


Run the installer and follow the install wizard.

Select Federation server


The installer will install the prerequisites if they haven’t already been installed.


When the installer is complete you’ll be prompted to run the configuration wizard.


Click finish then click the hyperlink below to follow the wizard.


Select the SSL certificate installed earlier.


Select the user account you created earlier for the Federation service account.


When the installation and configuration is complete you’ll see lots of green ticks.


Install update rollup 1 for ADFS and reboot.


Optionally add another Federation server and configure network load balancing using Microsoft NLB or something similar. In my lab environment I didn’t, but you can find more info here.

Verify ADFS is functioning by browsing to


Federation Proxy Server

Install Windows Server 2008 R2, assign a static IP address, give the computer a suitable name.

Computer Name: ADFSP01

IP Address (ideally this server would sit in the DMZ, but in my lab I didn’t have the equipment available). The DNS servers assigned to this computer should be the public DNS servers provided by your ISP.


Do not join this computer to the domain.

Prerequisite Federation Proxy Server configuration

  • Configure the hosts file to point to the internal federation server.
  • Configure an external DNS record to point to the public address of your federation proxy.
  • Install IIS as per the installation on the Federation Server and import the same SSL certificate; export the original to pfx first.

Configure DNS hosts file

Configure the local hosts file so that the federation service name resolves to the internal Federation server.


Create an external DNS record

Configure a public DNS record for the federation service name which points to your Federation proxy; remember to point it at the public IP address of the Federation proxy, not the private 192.168. address.


Install IIS and SSL certificate

IIS should be installed using the same process as on the Federation server. To install the SSL certificate, first export the certificate from the Federation server, ensuring the export file type is pfx and that the private key is included.

Install the pfx using the certificates MMC console ensuring you select the computer account.



Install ADFS

Copy the ADFSSetup.exe you downloaded for the Federation server installation to the Federation proxy.

Run setup and follow the install wizard.

Select Federation server proxy


Once the installation is complete click finish and update ADFS 2.0 to update rollup 1.


Configure the Federation server proxy using the configuration wizard.

Enter the Federation server name when prompted and click Test. If the connection is successful you’ll be prompted for credentials to establish the trust; use either the built-in administrator or the ADFS service account.



To verify the Federation server proxy has been installed correctly look for event 198 in the ADFS 2.0 Eventing log.


Install the Windows Azure PowerShell modules on the Federation server; more info here.

Once the Azure modules are installed configure a trust between ADFS and Windows Azure AD using the following commands:

Provide the Office 365 credentials

$Cred = Get-Credential – this prompts you for your Office 365 credentials


Connect to Office 365

Connect-MsolService -Credential $Cred – Connect to Office 365 using the credentials specified above


Convert an existing domain or add a new one

Convert-MsolDomainToFederated -DomainName [domain name] – Converts an existing domain to a federated domain.


If the above command is successful a message similar to the one below will appear.
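As an added example (not the post’s own commands), the conversion above wrapped so that it only federates a domain that is still managed, then reads back the trust Azure AD recorded. The domain name is a placeholder; it assumes the MSOnline module and that it runs on the ADFS 2.0 server.

```powershell
# Added example, not from the post: federate the Office 365 domain only if it is
# still 'Managed', then read back the trust Azure AD recorded.
# Assumes the MSOnline module is installed and this runs on the ADFS 2.0 server.
Import-Module MSOnline

$DomainName = 'example.com'   # placeholder: your verified public domain

$Cred = Get-Credential        # Office 365 global administrator
Connect-MsolService -Credential $Cred

$Domain = Get-MsolDomain -DomainName $DomainName
if ($Domain.Status -ne 'Verified') {
    throw "Domain $DomainName is '$($Domain.Status)'; verify it in the portal before federating."
}

if ($Domain.Authentication -eq 'Federated') {
    Write-Host "$DomainName is already federated; nothing to convert."
} else {
    # Reads the local ADFS configuration (issuer URI, endpoints, token-signing
    # certificate) and writes the trust to Azure AD.
    Convert-MsolDomainToFederated -DomainName $DomainName
}

# What Azure AD now holds; the issuer URI, logon URIs and signing certificate
# must match the on-premises farm or federated sign-in fails.
Get-MsolDomainFederationSettings -DomainName $DomainName |
    Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri
```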


Verify Single sign-on

Browse to

Enter your username, i.e. your Active Directory UPN, e.g.


When you tab to the password field Microsoft Azure will attempt to contact your Federation server e.g.


If your Federation or Federation proxy URL is not in your intranet trusted sites then you’ll be prompted for authentication. If you’re using a non-domain-joined computer then you’ll be prompted for your credentials by the Federation server, as in the image below.


I also verified SSO using my mobile phone’s ActiveSync client.


I disconnected the network from the Federation proxy server and my mobile was unable to send emails, reconnecting the network allowed emails to be sent.


Email I attempted to send whilst the Federation proxy was offline


Post Installation considerations

The token-signing certificate expires every 12 months; this is a self-signed certificate used by the Federation server to sign all authentication tokens it issues. When the certificate is renewed on the Federation server you will need to update the trust with Azure. More info here.
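An added example, not from the post, of the check a defender would schedule for the certificate expiry described above: it reports the days left on the primary token-signing certificate, compares its thumbprint with the one Azure AD holds for the trust, and updates the trust when they differ. It assumes ADFS 2.0 and the MSOnline module on the Federation server; the domain name is a placeholder.

```powershell
# Added example, not from the post: report days until the ADFS 2.0 token-signing
# certificate expires and make sure Azure AD holds the same certificate.
# Assumes ADFS 2.0 and the MSOnline module on the federation server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
Import-Module MSOnline

$DomainName = 'example.com'   # placeholder: your federated public domain
$WarnDays   = 30

# Primary token-signing certificate: the one currently signing issued tokens
$Signing  = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$DaysLeft = ($Signing.Certificate.NotAfter - (Get-Date)).Days

Write-Host ("Token-signing thumbprint {0} expires {1} ({2} days left)" -f `
    $Signing.Thumbprint, $Signing.Certificate.NotAfter, $DaysLeft)

if ($DaysLeft -le 0) {
    Write-Warning 'Token-signing certificate has expired; federated sign-in fails until the trust is updated.'
} elseif ($DaysLeft -le $WarnDays) {
    Write-Warning "Token-signing certificate expires within $WarnDays days; plan the rollover."
}

# Compare with the certificate Azure AD holds; a mismatch means tokens ADFS issues
# cannot be validated in the cloud even though ADFS itself is healthy.
Connect-MsolService -Credential (Get-Credential)
$Cloud     = Get-MsolDomainFederationSettings -DomainName $DomainName
$CloudCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (,[Convert]::FromBase64String($Cloud.SigningCertificate))

if ($CloudCert.Thumbprint -ne $Signing.Thumbprint) {
    Write-Warning 'Azure AD holds a different signing certificate; updating the federated trust.'
    Update-MsolFederatedDomain -DomainName $DomainName
} else {
    Write-Host 'Azure AD signing certificate matches the ADFS primary token-signing certificate.'
}
```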

The Directory sync server synchronises all Active Directory accounts. If you want to only allow specific users access to cloud services then you need to customise the incoming claim. See here.

MCTS 70-646 Monitor and maintain security and policies

Monitor and maintain security and policies

May include but is not limited to: remote access, monitor and maintain NPAS, network access, server security, firewall rules and policies, authentication and authorization, data security, auditing

Which information should be protected, and how sensitive or business critical is it?

Consider what information needs to be protected, how sensitive the data is and whether it is business critical, and who should be authorised to access the data; then implement a workable monitoring policy.

MCTS 70-646 Monitor servers for performance evaluation and optimisation

Monitor servers for performance evaluation and optimisation

May include but is not limited to: server and service monitoring, optimization, event management, trending and baseline analysis

A baseline of a computer system’s performance and reliability should be captured over a number of weeks when the system is first deployed and, if applicable, when month-end processes run; it is advisable to define quiet, busy and business-as-usual periods. Baselines should be re-analysed when a computer system is changed, e.g. more resource is added or a new application is deployed.
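As an added example (not from the post) of the baseline-and-compare approach just described: a one-minute counter sample is saved as the baseline the first time it runs, and on later runs each counter is compared with the saved value and flagged when it has drifted beyond a threshold. The counter set, file path and 25% threshold are illustrative choices.

```powershell
# Added example, not from the post: sample a few counters for one minute and compare
# them with a baseline saved when the server was first deployed. If no baseline file
# exists yet, the sample becomes the baseline. Counters, path and threshold are illustrative.
$Counters     = '\Processor(_Total)\% Processor Time',
                '\Memory\Available MBytes',
                '\PhysicalDisk(_Total)\Avg. Disk Queue Length'
$BaselinePath = 'C:\Baselines\business-as-usual.xml'   # placeholder; keep one file per period
$DriftPercent = 25

# 12 samples 5 seconds apart, flattened to individual counter readings
$Samples = Get-Counter -Counter $Counters -SampleInterval 5 -MaxSamples 12 |
    ForEach-Object { $_.CounterSamples }

# Average each counter; strip the leading \\HOSTNAME so baselines are comparable
# between servers of the same role
$Now = @{}
$Samples | Group-Object { $_.Path -replace '^\\\\[^\\]+', '' } | ForEach-Object {
    $Now[$_.Name] = ($_.Group | Measure-Object CookedValue -Average).Average
}

if (-not (Test-Path $BaselinePath)) {
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    $Now | Export-Clixml $BaselinePath
    Write-Host "No baseline found; current averages saved as the baseline in $BaselinePath"
    return
}

$Baseline = Import-Clixml $BaselinePath
foreach ($Key in $Now.Keys) {
    if (-not $Baseline.ContainsKey($Key)) { continue }   # counter added after the baseline
    $Base  = $Baseline[$Key]
    $Drift = if ($Base -ne 0) { 100 * ($Now[$Key] - $Base) / $Base } else { 0 }
    $Flag  = if ([Math]::Abs($Drift) -gt $DriftPercent) { 'DRIFT' } else { 'ok' }
    '{0,-5} {1,-50} baseline {2,10:N1} now {3,10:N1} ({4,7:N1}%)' -f $Flag, $Key, $Base, $Now[$Key], $Drift
}
```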

Performance Monitor

Performance monitor allows you to view real time data and data collected over a longer period using a data collector set; see data collector sets under performance monitor here for more info.

By default the real time data in performance monitor is overwritten every 140 seconds, to change this behaviour select properties > graph > scrolling type > scroll.

System diagnostic reports

These reports can be created using perfmon /report or by reviewing the reports within the performance monitor GUI.

Action Center

Monitors the computer and reports problems with security, maintenance and related settings such as Windows Firewall, anti-virus and anti-spyware configuration.

Task Manager

Task manager can be used for viewing process utilisation.

Resource Monitor

Resource Monitor is accessible from Task Manager and can be used to stop, start, suspend or resume processes and services. It is useful for troubleshooting and can highlight CPU, memory, disk and network usage for a particular process or service.

Active Directory – Lab 1 ADDS with internal subdomain

The majority of Active Directory domains I have seen use a standalone internal domain such as .local, .internal or .company name.

When you suggest that the Active Directory domain should be a subdomain of the company’s public domain, you get the worried look that you’re exposing Active Directory to the internet… o_O.

If you take time to read Microsoft TechNet you’ll discover an article which details an internal subdomain of your public domain as the recommended way to deploy a DNS namespace, see here.

So if you’re building a new Active Directory domain then please feel free to follow the instructions detailed below.

Windows Server 2008 R2


  • Windows Server 2008 R2 media – download an evaluation from here
  • A static IPv4 address
  • Your internet provider’s DNS server IP addresses
  • A public DNS name registered with an applicable authority


Install Windows Server 2008 R2, assign a static IP address, give the computer a suitable name and then run dcpromo.

Computer Name: ADDS01

IP Address Gateway Primary DNS


Forest root domain FQDN: office.[public domain name]


Reboot when prompted

DNS Configuration

Create a reverse DNS zone for your local subnet.


Create DNS forwarders which point to your ISP’s DNS servers and deselect ‘use root hints if forwarders are unavailable’; this passes recursive DNS queries on to your ISP rather than having your DNS server resolve them itself. If the root hints option is left ticked then, should your ISP’s DNS servers be unavailable, your internal DNS server will perform recursive DNS queries itself. Just FYI, a DNS server performing its own recursion can be vulnerable to DoS attacks, cache poisoning and other issues commonly found when a DNS server is incorrectly configured.


Remove the root hints.
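The two steps above (forwarders with the root-hints fallback unticked, then root hints removed) as an added PowerShell example that is not part of the post. It assumes the Windows Server 2012 DnsServer module; the resolver addresses are placeholders for your ISP’s DNS servers.

```powershell
# Added example, not from the post: make the internal DNS server forward every
# external query to the ISP resolvers, stop it falling back to root hints, and verify.
# Assumes the Windows Server 2012 DnsServer module; resolver addresses are placeholders.
Import-Module DnsServer

$IspResolvers = '203.0.113.53', '203.0.113.54'   # placeholders: your ISP's DNS servers

# Forwarder list; UseRootHint $false is the "use root hints if no forwarders are
# available" box left unticked, so this server never performs its own recursion.
Set-DnsServerForwarder -IPAddress $IspResolvers -UseRootHint $false -Timeout 3

# Remove the root hints too, so an accidental re-tick has nothing to fall back on.
Get-DnsServerRootHint | Remove-DnsServerRootHint -Force

# Verification: forwarders set as intended, no root-hint fallback, no root hints left
$Fwd       = Get-DnsServerForwarder
$RootHints = @(Get-DnsServerRootHint).Count
$Missing   = @(Compare-Object @($Fwd.IPAddress.IPAddressToString) $IspResolvers).Count

if (-not $Fwd.UseRootHint -and $RootHints -eq 0 -and $Missing -eq 0) {
    Write-Host 'DNS server is a pure forwarder: no root hints, no independent recursion.'
} else {
    Write-Warning ("Forwarders: {0}  UseRootHint: {1}  RootHints: {2}" -f `
        ($Fwd.IPAddress -join ','), $Fwd.UseRootHint, $RootHints)
}

# A name this server is not authoritative for must now resolve only via the forwarders
Resolve-DnsName -Name 'www.microsoft.com' -Server localhost -Type A
```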


Testing DNS resolution using Network Monitor

Run Network monitor and scope the display filter to the DNS protocol, click start.

Because forwarding is enabled there are only two Ethernet frames.


Initial query to my ISPs DNS servers.


Response from my ISPs DNS servers.


Office 365 – Lab 1 ADDS and DirSync

Lab 1


  • Office 365 trial
    • Directory Synchronisation enabled within Office portal
    • Public domain name
    • Applicable DNS records configured
  • Windows Server with ADDS installed
  • Windows 7 client
  • Windows Server client
  • Enterprise Administrator credentials
  • Global Administrator credentials


The purpose of this lab is to simulate the implementation of DirSync with Office 365 using an Active Directory domain which has been deployed with a non-publicly-routable DNS domain name, e.g. domain.local or domain.internal.

Once DirSync is synchronised with Office 365, I’ll look at implementing Office 2013 on the Windows 7 client, logging in as a domain user and observing the effects of DirSync and the password synchronisation feature.

Lab Setup

Domain Controller

Install Windows Server 2008 R2, assign a static IP address, give the computer a suitable name and then run dcpromo.

Computer Name: ADDS01

IP Address Gateway Primary DNS


Forest root domain FQDN: office.local


The forest functional level needs to be at least Windows Server 2003.

Reboot on completion.

DNS configuration

Create a reverse DNS zone for your local subnet.

Create DNS forwarders which point to your ISPs DNS servers and deselect use root hints if forwarders are unavailable.

Remove the root hints.

Active Directory configuration

Using the Domains and Trusts snap-in, configure a publicly routable UPN suffix; this must match the domain defined within the Office 365 portal.


Then configure all users who will be using Office 365 to use the public DNS name for their UPN; you can multi select.


DirSync Server

Install Windows Server 2008 R2, assign a static IP address, assign a suitable name and join to the domain.

Computer Name: MSOLDS01

IP Address Gateway Primary DNS


Join the computer to the office.local domain.

Install DirSync, ensuring the prerequisite software is installed, e.g. Microsoft .NET Framework 4.0.

DirSync configuration

Follow the wizard entering the global administrator username and password for your Office 365 environment.


Enter the username and password of an account with Enterprise Administrator membership.


Enable password synchronisation – This enables the user to only remember one password; when the user changes their password within the on-premises ADDS the password will be synchronised within minutes.


Once you click finish you’ll be prompted to synchronise your ADDS with the cloud.


With password sync enabled, directory synchronisation results in the Application event log recording Password Change Request and Password Change Result entries for user accounts; verify these are present.


You will also notice event IDs 650 and 651 recorded to signify that synchronisation has started and finished.
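As an added example, not from the post, of checking those events rather than eyeballing the log: it finds the latest 650/651 pair, reports the run duration, and lists the password-sync entries written since that run started. The provider name ‘Directory Synchronization’ is an assumption about DirSync’s event source.

```powershell
# Added example, not from the post: read the last DirSync run and the password-sync
# entries it produced from the Application log on the DirSync server.
# Assumption: DirSync logs under the provider name 'Directory Synchronization'.
$Provider = 'Directory Synchronization'

# 650 = synchronisation started, 651 = synchronisation finished
$Runs = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = $Provider; Id = 650, 651 } `
            -MaxEvents 50 -ErrorAction SilentlyContinue | Sort-Object TimeCreated

$LastStart  = $Runs | Where-Object { $_.Id -eq 650 } | Select-Object -Last 1
$LastFinish = $null
if ($LastStart) {
    $LastFinish = $Runs |
        Where-Object { $_.Id -eq 651 -and $_.TimeCreated -gt $LastStart.TimeCreated } |
        Select-Object -First 1
}

if (-not $LastStart) {
    Write-Warning 'No synchronisation start event (650) found; DirSync may not have run yet.'
    return
}
if (-not $LastFinish) {
    Write-Warning "Sync started $($LastStart.TimeCreated) but no finish event (651) has been logged."
} else {
    $Secs = ($LastFinish.TimeCreated - $LastStart.TimeCreated).TotalSeconds
    Write-Host ("Last sync {0} -> {1} ({2:N0} s)" -f $LastStart.TimeCreated, $LastFinish.TimeCreated, $Secs)
}

# Password Change Request / Password Change Result entries written since that run started
$PwEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = $Provider; StartTime = $LastStart.TimeCreated } `
                -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Password Change (Request|Result)' }

Write-Host ("{0} password-sync events since the last run started" -f @($PwEvents).Count)
$PwEvents | Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```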

Once the directory synchronisation is complete you can verify within the Office 365 portal the last sync time and synchronised users.



Windows 7 Client

Install Windows 7, assign a suitable name and join it to the domain. I’ve assumed DHCP is deployed so there is no need to configure an IP address.

Computer Name: Client01


Join the computer to the domain.

Client configuration

Logon to the client computer using your domain credentials e.g. jbloggs@UPN, login to the Office 365 portal and install Office 2013.


Open Outlook 2013 and follow the wizard. If your Active Directory user properties do not have an email address defined, as below, then Outlook auto-configure will not populate the Display Name, Email address etc.



Click Next. If you have configured your DNS records as suggested by Microsoft, e.g.


then Outlook will auto-configure itself too. You’ll be prompted for your Office 365 credentials as we are not using federated logins, but because the password has been synchronised it is the same as your Windows login password.


If you haven’t configured the Autodiscover record correctly this step will fail; check out and select Outlook Autodiscover.


Outlook 2013 is now connected to Exchange Online.