Azure AD Domain Services – A First Look


Earlier this week Microsoft announced the preview of Azure AD Domain Services (AADDS). This new functionality allows applications that are designed to run against your on-premises Active Directory to run in Azure without having to stand up domain controllers in Azure and VPN connections back to your on-premises AD.

In simple terms, at the click of a button you can have a 'managed' domain controller, fully synced with your Azure AD, appear in one of your VNets. You can then domain-join your Azure servers in the same way you would your on-premises servers.

There are a number of steps that have to be undertaken to enable Azure AD Domain Services, but Microsoft have written a great blog that steps you through the process. You must complete all of the steps before attempting to join an Azure VM to the new AADDS domain.

A couple of points to note from my testing so far:

  • Azure AD Domain Services is not yet available in all regions. If you have all your Azure infrastructure running in the Australia regions you will need to create a new VNet in either the US, Europe or Asia region to be able to enable Domain Services.
  • Azure AD Domain Services uses password write back to sync passwords with Azure AD. As with Azure AD Connect, a password reset is generally required to generate the hashes in AD before the account can be used to authenticate against the Azure AD Domain Service.
  • Any user account that you put into the AAD DC Administrators group will be added to the local Administrators group on any machine you join to the AADDS domain.
  • As Azure AD Domain Services is a managed service, you cannot have Domain Admin or Enterprise Admin privileges over the AADDS domain.
  • Currently a single user and computer group policy is supported, and the domain can be managed with the same tools that are used to manage on-premises AD.

Further Blog articles to come as I rebuild my Azure test environment using Azure AD Domain Services!

Have Office read your Emails and Documents back to you

First up a bit about me, I am dyslexic.

My kids know never to ask me to spell things for them (my wife regularly warns them not to). One thing about my dyslexia which I find really annoying is that I miss out words when I am typing. As good as spell checkers are, they do not know what I wanted to say, which means they are not that good at pointing out missing words.

The other thing spell checkers are not that good at is telling you when you have a correctly spelt word but it's the wrong word. Usually for me that means I have spelt it so badly that it's become something completely different!

When I was at school I was taught to leave a document for 30 minutes and then proofread it. Waiting means the brain is less likely to fill in the missing words, and I am more likely to pick up mistakes.

I now have a new tool to add to my kit bag thanks to @nzregs from Microsoft!!

Use the Speak function in Microsoft Word and Outlook to read back what you have typed.

I have been trying it this week and I have been super impressed with the results. It seems that while my brain adds the missing words when I read documents, listening to Office read back my email or document allows me to pick up almost all of the missing and incorrectly used words.

To add the Speak icon to the Quick Access Toolbar, click on Customise.

[Image: Word Quick Access Toolbar customise menu]

Select 'More commands' and change the drop-down to 'Commands not in the ribbon'.

[Image: Word, adding Speak to the Quick Access Toolbar]

Simply highlight the text you want Office to read back and click on the speak icon.

HP Envy Ultrabook – Windows 10 Audio Fixed

I have been running Windows 10 on my HP Envy Ultrabook for the last 7 months and have always had choppy and very poor audio that stuttered and cut in and out. Interestingly, when using VLC the audio was fine, but when using IE, Edge, Groove or the Films & Movies apps the audio was so bad that the applications were not usable for audio.

This evening I hit upon a fix to my poor audio problem, by changing the default sample rate in the Advanced tab of the audio output device from 16 bit, 44100 Hz to 24 bit, 192000 Hz. Once I made this change YouTube videos started playing correctly, Groove music was perfect and my Xbox Minecraft game even stopped crashing when loading!

To get to the default sample rate setting, right-click the speaker icon in the notification area, select Playback devices, right-click the playback device and select Properties, click the Advanced tab and increase the sample rate.

Now to see if tweaking my microphone settings will allow Cortana to hear me more clearly!

Azure AD Password Sync and Writeback – Security and Encryption 

People are often concerned about the risk of turning on Password Sync and Password Writeback between on-premises AD and Azure AD. This post describes the password sync and password writeback processes and the encryption methods used to protect the password data in transit and at rest.

1) Password Sync to Azure AD

The password sync agent (which is part of the Azure AD Connect tool) running on the on-premises Azure AD Connect server makes an RPC call to its closest on-premises DC and, using the DC replication protocol (MS-DRSR), requests the user's password hash, in exactly the same way one domain controller replicates password hashes from another. The DC encrypts the password hash (the MD4 "NT hash") for transport using a key that is the MD5 hash of the RPC session key and a random 128-bit salt, then sends the encrypted hash plus the salt to the password sync agent over the RPC session.

The password sync agent decrypts the hash using the salt and the RPC session key and immediately re-hashes it: the NT hash is combined with a per-user salt and run through the PBKDF2 key derivation function (RFC 2898) using HMAC-SHA256 for 1,000 iterations, producing a "hash of the hash". The NT hash itself is never written to disk on the Azure AD Connect server and never leaves it.

The password sync agent then sends the hashed password hash, together with its per-user salt and iteration count, over a TLS-encrypted session to Azure AD. Azure AD encrypts the value using AES and stores it in its database. Because PBKDF2 is one-way, the stored value cannot be turned back into the NT hash, so it is not usable for pass-the-hash against the on-premises domain.
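The two-stage transform above is easy to misread, so here is a constructed Python model of it. This is an added example, not Microsoft's code and not from the original post: `md4` is a minimal RFC 1320 implementation (Python's hashlib often lacks MD4 on OpenSSL 3 builds); the hex-then-UTF-16 expansion of the NT hash, the 10-byte per-user salt and the 1,000 iterations of PBKDF2-HMAC-SHA256 follow Microsoft's published description; the hex case, the record layout, the sample password and the `make_sync_record`/`verify` names are assumptions made for the demo.

```python
"""Model of Azure AD Connect password hash sync: NT hash -> salted PBKDF2.
Added example, not Microsoft's code. Hex case and record layout are assumptions."""
import hashlib
import hmac
import os
import struct

PBKDF2_ITERATIONS = 1000  # per Microsoft's published description
SALT_LEN = 10             # per-user salt length, per Microsoft's published description


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Minimal MD4 (RFC 1320); hashlib's 'md4' is often unavailable on OpenSSL 3."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         tuple(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, k, order, shifts in rounds:
            for n, i in enumerate(order):
                a = _lrot((a + f(b, c, d) + x[i] + k) & 0xFFFFFFFF, shifts[n % 4])
                a, b, c, d = d, a, b, c
        h = [(u + v) & 0xFFFFFFFF for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """What the DC holds and replicates: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def cloud_hash(nt: bytes, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Second stage on the Connect server: the 16-byte NT hash becomes its 32-char hex
    string (lower case is an assumption) re-encoded as UTF-16 (64 bytes), then is run
    through PBKDF2-HMAC-SHA256 with the per-user salt. Output is 32 bytes."""
    expanded = nt.hex().encode("utf-16-le")
    return hashlib.pbkdf2_hmac("sha256", expanded, salt, iterations)


def make_sync_record(password: str) -> dict:
    """What is sent to Azure AD: salt, iteration count and derived hash; never the
    clear-text password and never the raw NT hash."""
    salt = os.urandom(SALT_LEN)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS,
            "hash": cloud_hash(nt_hash(password), salt)}


def verify(record: dict, candidate: str) -> bool:
    """Cloud-side check of a sign-in attempt against the stored record."""
    derived = cloud_hash(nt_hash(candidate), record["salt"], record["iterations"])
    return hmac.compare_digest(record["hash"], derived)


if __name__ == "__main__":
    rec = make_sync_record("password")          # constructed sample password
    print("NT hash :", nt_hash("password").hex())
    print("stored  :", rec["hash"].hex(), "salt", rec["salt"].hex())
    print("verify  :", verify(rec, "password"), verify(rec, "Password1"))
```

Two things to take from it. Azure AD ends up holding a value from which neither the password nor the NT hash can be recovered, so a cloud-side compromise of the stored records does not yield pass-the-hash material for the on-premises domain. But the input to PBKDF2 is the NT hash itself, so anyone who already has the on-premises NT hash (any account with replication rights, which is what the Azure AD Connect service account holds) can compute the same cloud value; the control worth investing in is therefore the one around the Azure AD Connect server and its service account.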

2) Password Writeback

When password writeback is enabled, Azure AD Connect creates a tenant-specific Service Bus relay, protects it with a strong password and attaches to the relay over TLS. Azure AD Connect also creates a public/private key pair: the public key is placed in the tenant's secret store in Azure AD and the private key stays on the on-premises Azure AD Connect server.

When a password is reset in Azure AD, Azure AD encrypts the new password using the public key uploaded by Azure AD Connect and places the encrypted password on the Service Bus relay. Azure AD Connect picks the encrypted password up from the relay and decrypts it on the on-premises Azure AD Connect server, which then attempts to reset the user's password using the Active Directory DS SetPassword API. If the reset against on-premises AD succeeds, the user is notified of the success and the resulting hashed password hash is encrypted using AES and stored in Azure AD.

If Azure AD Connect cannot write the password back to on-premises AD (for example because the new password fails the on-premises complexity requirements, or because the Azure AD Connect server is down), Azure AD is not updated and the user attempting the reset is told that it has not succeeded.

For further reading check out the following blogs and presentations:

DirSync & change password at log on

I have been playing around with Azure AD in preparation for speaking at TechEd NZ this year; once I got DirSync up and running I found that each new account I created in my local AD could not log on to Azure AD unless I reset its password.

This puzzled me for a couple of nights. What was I doing wrong?

It turns out I was doing nothing wrong; what I was experiencing is the correct behaviour when the "User must change password at next log on" flag is set. This flag is set by default when creating a new user account using ADAC (Active Directory Administrative Center).

Unlike your local AD, where staff are prompted to reset their password after logging in, when accessing Azure AD staff get a "user name or password incorrect" message and have to click the link to reset their password.

It would be nice if there was some way that Azure AD could prompt and say your Administrator has requested that you reset your password before you can log in 🙂

Using CertUtil to display certificates which will expire in a given date range

There are a number of articles online which give the syntax for filtering certutil's output, but they never seem to work for me against 2008 and 2008 R2 certificate servers. The following command works on 2008 and 2008 R2 servers and filters on a date range as well as a certificate template. I find that filtering on the certificate template as well as the dates is really handy when different teams are responsible for different templates. Note that the date strings are interpreted in the CA server's locale date format (the example below uses d/m/yyyy with "a.m."), so adjust them to match your server.

certutil -view -restrict "NotAfter>=01/10/2012 1:00 a.m.,NotAfter<=01/07/2013 1:00 a.m.,certificatetemplate=" -out "RequestID,NotBefore,NotAfter,CertificateTemplate,CommonName" | more 

Note that this command filters on the certificate template OID rather than its display name; in the certsrv MMC you can get the OID by navigating to the Certificate Templates node.

Microsoft Communities – Wellington Infrastructure User Group Meeting

Just a quick note to say that Tony and I have finally recovered from TechEd and have organised another MSCommunities Infrastructure user group meeting for Wednesday 14/11/2012. Nathan Mercer will be presenting Windows 8 in the Enterprise; those who follow Nathan's tweets will have noted that he appears to have procured himself a Surface or two. There is a good chance Nathan may bring his new toys along to the meeting so that we can all have a play.

Given the change in location for the event, spaces are even more limited than normal, so if you would like to come please register using the link below. Remember that registrations will close once we hit seating capacity for the venue, so get in quick.

IPCONFIG /RENEW fails when MS 2012 DHCP server is in communication interrupted or partner down state

IPCONFIG /RENEW fails when a Windows Server 2012 DHCP server that is in a failover relationship is in the communication interrupted or partner down state. This behaviour is by design, and is the one place where Microsoft has deliberately departed from the IETF DHCP Failover draft standard.


DHCP RENEW behaviour of Windows Server 2012 DHCP servers when the failover relationship is in the communication interrupted or partner down state

"RENEW requests from the client will not be responded to. This will cause the client to move into REBIND state. If the server which owns the hash bucket assignment for this client is operational by the time the client moves into REBIND state, the REBIND request will be responded to by this server. This ensures that the client is now in transaction with the server which owns the hash bucket assignment for this client (fail back of the client)."

The command IPCONFIG /RENEW reports a failure in this situation because it only sends a unicast DHCP RENEW request to the issuing server and does not fall back to a broadcast REBIND. The client keeps its current lease; it will be rebound by its own T2 timer, as described below.


DHCP RENEW vs DHCP REBIND: some background information

When a client gets half way through its IP address lease (the T1 timer in RFC 2131) it performs a DHCP RENEW. To do this it sends a unicast DHCPREQUEST to the DHCP server that issued the lease and asks to extend the lease on the address it currently holds.

If a client gets no response to its DHCP RENEW request it continues to use the address it has been allocated until it reaches 87.5% of the way through its lease (the T2 timer), at which point it performs a DHCP REBIND. To do this the client sends a broadcast DHCPREQUEST out of its network interface; because it is a broadcast, every DHCP server on the network receives it, not just the issuing server. If nobody answers the REBIND either, the lease expires and the client has to start again with a DHCPDISCOVER.
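To make the difference between IPCONFIG /RENEW and the client's own timers concrete, here is a constructed Python simulation of the exchange described in this post and the previous one. It is an added example, not Microsoft code or a real DHCP implementation: the two server names, the 8-hour lease, which server issued the lease and which one owns the client's hash bucket are all assumptions, and the only rule it encodes is the quoted one (a server in a non-NORMAL failover state ignores unicast RENEWs, and the bucket owner answers the broadcast REBIND).

```python
"""Simulation of DHCP RENEW/REBIND against a 2012 failover pair in a
non-NORMAL relationship state. Added example; names and timings are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NORMAL = "NORMAL"
COMM_INTERRUPTED = "COMMUNICATION-INTERRUPTED"
PARTNER_DOWN = "PARTNER-DOWN"


@dataclass
class Server:
    name: str
    state: str = NORMAL
    owned_clients: set = field(default_factory=set)  # hash-bucket assignment (assumed)

    def handle(self, msg: dict) -> Optional[dict]:
        """RENEW and REBIND are both DHCPREQUESTs; what differs is who receives them."""
        client = msg["client"]
        if msg["type"] == "RENEW":
            # Unicast to the issuing server only. In 2012 failover a server whose
            # relationship is not NORMAL deliberately stays silent (quoted behaviour).
            if self.state != NORMAL:
                return None
            return {"type": "ACK", "server": self.name, "client": client}
        if msg["type"] == "REBIND":
            # Broadcast: every server sees it; only the bucket owner replies (fail back).
            if client in self.owned_clients:
                return {"type": "ACK", "server": self.name, "client": client}
            return None
        raise ValueError(f"unexpected message type {msg['type']}")


@dataclass
class Client:
    name: str
    issuing_server: str
    lease_seconds: int


def ipconfig_renew(client: Client, servers: Dict[str, Server]) -> bool:
    """Models 'ipconfig /renew': one unicast RENEW to the issuing server, nothing more."""
    reply = servers[client.issuing_server].handle({"type": "RENEW", "client": client.name})
    return reply is not None


def lease_timeline(client: Client, servers: Dict[str, Server]) -> List[Tuple[int, str, Optional[str]]]:
    """Walks the client's own timers: RENEW at T1 (50%), REBIND at T2 (87.5%).
    Returns (seconds into lease, message, answering server or None)."""
    t1 = client.lease_seconds // 2
    t2 = client.lease_seconds * 7 // 8
    reply = servers[client.issuing_server].handle({"type": "RENEW", "client": client.name})
    if reply is not None:
        return [(t1, "RENEW", reply["server"])]
    events: List[Tuple[int, str, Optional[str]]] = [(t1, "RENEW", None)]  # keep using the address
    for server in servers.values():  # broadcast reaches every server on the subnet
        reply = server.handle({"type": "REBIND", "client": client.name})
        if reply is not None:
            events.append((t2, "REBIND", reply["server"]))
            return events
    events.append((t2, "REBIND", None))  # nobody answered: lease expires, back to DISCOVER
    return events


def build_lab(state: str) -> Tuple[Client, Dict[str, Server]]:
    """Two-server lab (assumed): pc1 leased its address from dc1, but mem1 owns its bucket."""
    servers = {
        "dc1": Server("dc1", state),
        "mem1": Server("mem1", state, owned_clients={"pc1"}),
    }
    return Client("pc1", issuing_server="dc1", lease_seconds=8 * 3600), servers


if __name__ == "__main__":
    for state in (NORMAL, COMM_INTERRUPTED):
        client, servers = build_lab(state)
        print(f"{state:26} ipconfig /renew -> {ipconfig_renew(client, servers)}"
              f"  timers -> {lease_timeline(client, servers)}")
```

In the NORMAL case the unicast RENEW is answered by dc1 at T1. Once the relationship is interrupted, `ipconfig /renew` returns a failure because its single RENEW gets no answer, yet the client never loses its address: at T2 its broadcast REBIND is answered by mem1, the bucket owner, which is the "fail back" the quoted text describes.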

TechED New Zealand 2012 – WSV302 New Networking Features in Server 2012 – PSD File

Below is the PSD file which I used in my TechEd New Zealand 2012 presentation entitled "WSV302 - New Networking Features in Server 2012"; the PowerPoint can be downloaded from here.

#NIC Teaming
# Add a fourth member NIC to the existing team T1 on mem3
Enter-PSSession mem3
Add-NetLbfoTeamMember -Name "T1-eth3" -Team T1

#DHCP Failover
# Stop the DHCP service on the local server, then look at the relationship from its partner
net stop "dhcp server"
Enter-PSSession mem1
Get-DhcpServerv4Failover -Name dc1.srv2012.local-mem1

#start up mem4
# Show which server is currently handing out leases, then force the surviving server into PARTNER-DOWN
Get-DhcpServerv4Lease | ft IPAddress, HostName, ServerIP, LeaseExpiryTime
Set-DhcpServerv4Failover -Name dc1.srv2012.local-mem1 -PartnerDown
Get-DhcpServerv4Failover -Name dc1.srv2012.local-mem1
net start "dhcp server"

# Tear the relationship down at the end of the demo
Remove-DhcpServerv4Failover -Name dc1.srv2012.local-mem1-1

Using Certificate Extensions rather than Request Attributes for Certificate Requests containing SANs

For a long time the only easy way of adding SANs to a certificate request before submitting it to a CA was to pass them as request attributes (for example "san:dns=..."). Windows Server 2003 and later CAs by default ignore SAN values supplied as request attributes and omit them from the issued certificate, unless the EDITF_ATTRIBUTESUBJECTALTNAME2 flag has been set on the CA:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc 

While it is OK to set this on a standalone CA, it is a really bad idea to enable it on an enterprise CA. EDITF_ATTRIBUTESUBJECTALTNAME2 is a CA-wide setting: once set, the CA honours a SAN request attribute on every certificate it issues, from every template.

If the enterprise CA issues user certificates (or any template usable for client authentication), anyone who can enrol can add another user's name, such as a domain administrator's UPN, as a SAN request attribute, and the CA will happily sign it. The resulting certificate can then be used to impersonate that user on the network. You can see whether the flag is currently set on a CA with `certutil -getreg policy\EditFlags`, and clear it with `certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2` followed by a restart of certsvc.


Windows Server 2008 / Windows Vista onwards support creating certificate requests that carry the SAN as a clear-text certificate extension inside the request itself. Extensions in the request are honoured by 2008 and later CAs and are included in the issued certificate, without any change to the CA's EditFlags.

To create a certificate request which includes SAN extensions, a request policy file must be created and the certificate request generated using the certreq tool.

The following is an example request policy for a web server certificate.


[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = ""          ; put "CN=<your server FQDN>" here
Exportable = FALSE    ; TRUE = private key is exportable
KeyLength = 2048      ; valid key sizes: 1024, 2048, 4096, 8192, 16384; use 2048 or larger
KeySpec = 1           ; AT_KEYEXCHANGE, required for encryption
KeyUsage = 0xA0       ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10  ; or CMC

[Extensions]
2.5.29.17 = "{text}"          ; id-ce-subjectAltName, supplied in clear text
_continue_ = "dns=SAMPLE&"    ; put your subject alternative names here
_continue_ = "dns=SAMPLE2&"

[RequestAttributes]
CertificateTemplate = BLUEWebServer  ; optional; required when submitting to an enterprise CA

Update the Subject line of the above file with your server's FQDN, keep the key length at 2048 or more, and update the [Extensions] section with the additional SANs you want in the request. If your CA is an enterprise CA you should include the name of the certificate template under [RequestAttributes].


The command used to create the request is as follows

certreq -new RequestPolicy.inf certificate_request.csr


If you want to confirm the contents of the request prior to submitting it use the following command

certutil -dump certificate_request.csr


Once you get the signed certificate back you can accept it using the following command

certreq -accept certificate.cer


If you have rights to submit your request directly to the CA you can use the following commands to submit it, then retrieve the certificate once the request has been approved (use the RequestId printed by the submit command).

certreq -submit certificate_request.csr
certreq -retrieve <RequestId> certificate.cer


For further reading check out the following link