70-742 Additional Notes – AD Federation Services with Device Registration

August 19, 2017 at 2:53 pm



You can add the Device Registration Service (DRS) to your Active Directory Federation Service (AD FS) configuration. DRS provides seamless second factor authentication, persistent single sign on, and conditional access to devices attempting to access your corporate resources.

Prepare your Forest

To implement DRS properly, you should first prepare your forest. To do this you must meet the following requirements:

  • You must be an Enterprise Admin
  • The forest must be at the Windows Server 2012 R2 schema or higher
  • There must be at least one Global Catalog Server in the forest root domain
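The three prerequisites above can be verified before you touch the federation server. The following is an added example, not part of the original notes: it assumes the ActiveDirectory module is installed and that the forest root domain is reachable from the host you run it on.

```powershell
# Added example (not from the original notes): checks the three DRS forest
# prerequisites listed above. Assumes the ActiveDirectory module is available
# and that the forest root domain is reachable from this host.
Import-Module ActiveDirectory

# Schema objectVersion values published by Microsoft: 69 = Windows Server 2012 R2,
# 87 = Windows Server 2016. DRS needs at least the 2012 R2 schema.
$MinimumSchemaVersion = 69

function Test-DrsForestPrerequisites {
    $forest   = Get-ADForest
    $rootDom  = $forest.RootDomain
    $schemaNC = (Get-ADRootDSE -Server $forest.SchemaMaster).schemaNamingContext
    $schemaVersion = (Get-ADObject -Identity $schemaNC -Properties objectVersion `
                      -Server $forest.SchemaMaster).objectVersion

    # 1. Enterprise Admins membership (the group lives in the forest root domain).
    $eaMembers = @(Get-ADGroupMember -Identity 'Enterprise Admins' -Server $rootDom -Recursive)
    $isEnterpriseAdmin = $eaMembers.SamAccountName -contains $env:USERNAME

    # 2. Schema level is checked above; 3. at least one Global Catalog in the root domain.
    $rootGCs = @(Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } -Server $rootDom)

    [PSCustomObject]@{
        RunningAs                = "$env:USERDOMAIN\$env:USERNAME"
        IsEnterpriseAdmin        = $isEnterpriseAdmin
        SchemaVersion            = $schemaVersion
        SchemaIs2012R2OrHigher   = ($schemaVersion -ge $MinimumSchemaVersion)
        RootDomainGlobalCatalogs = $rootGCs.HostName
        HasRootDomainGC          = ($rootGCs.Count -ge 1)
        ReadyForDrs              = $isEnterpriseAdmin -and
                                   ($schemaVersion -ge $MinimumSchemaVersion) -and
                                   ($rootGCs.Count -ge 1)
    }
}

Test-DrsForestPrerequisites | Format-List
```

If ReadyForDrs is False, the individual fields show which requirement failed; raise the schema with adprep or add a Global Catalog in the root domain before running the DRS initialization.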

Step 1 – On the Federation Server run the PowerShell command:


Step 2 – When prompted for the ServiceAccountName, enter the service account you used for AD FS.

Enable DRS on a Federation Server Farm Node

On each node in the farm, run the PowerShell command:


Enable Seamless Second Factor Authentication

Use the AD FS Management Console and navigate to Authentication Policies. Select Edit Global Primary Authentication. Click Enable Device Authentication and click OK.

Update the Web Application Proxy Configuration

On the WAP server – run the PowerShell command:


When prompted, input an account with administrative credentials.

70-742 Additional Notes – The Remote Access Server Role and WAP

August 18, 2017 at 4:22 pm


The important Remote Access server role incorporates the following technologies:

  • Remote Access Service (RAS)
  • Routing
  • Web Application Proxy (WAP) 

The Web Application Proxy is the most relevant of these role services for the 70-742 exam, and it appears explicitly on the exam blueprint.

Remember that the Web Application Proxy provides reverse proxy functionality for Web applications that exist inside your corporate network. In other words, it permits outside users (on any device) to access these Web applications from outside your network.

WAP pre-authenticates access to your Web applications using Active Directory Federation Services (AD FS) and can also function as an AD FS proxy.

To install this powerful service, use the Add Roles wizard and target the RAS server role – or use PowerShell as follows:

Install-RemoteAccess -VpnType SstpProxy

Some features of WAP that are new in Server 2016 include:

  • Preauthentication for HTTP Basic application publishing – this allows mobile devices to use ActiveSync with Exchange
  • Wildcard domain publishing of applications – this simplifies publishing services such as SharePoint that expose many applications under a single domain
  • HTTP to HTTPS Redirection
  • HTTP application publishing using pass-through preauthentication
  • Remote Desktop Gateway Apps
  • Better debug logging
  • Admin Console UI improvements
  • Propagation of client IP address to backend applications
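To see how the AD FS pre-authentication and the new HTTP-to-HTTPS redirection and pass-through features fit together, here is an added example that is not part of the original notes. It publishes two applications through WAP and then inventories what the proxy exposes; the application names, URLs, relying party name and certificate thumbprint are constructed placeholders, and the relying party trust is assumed to already exist in AD FS.

```powershell
# Added example (not from the original notes): publishes two applications through
# WAP, one behind AD FS pre-authentication and one with pass-through, then lists
# what the proxy exposes. Names, URLs and the thumbprint are constructed
# placeholders; the relying party trust must already exist in AD FS.
Import-Module WebApplicationProxy

$ExternalCertThumbprint = '0000000000000000000000000000000000000000'   # placeholder

# Preferred: AD FS pre-authentication. Unauthenticated requests stop at the proxy,
# so the backend only ever sees users that AD FS has already validated.
Add-WebApplicationProxyApplication `
    -Name 'Claims App (AD FS preauth)' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'ClaimsApp' `
    -ExternalUrl 'https://claimsapp.contoso.com/' `
    -BackendServerUrl 'https://claimsapp.corp.contoso.com/' `
    -ExternalCertificateThumbprint $ExternalCertThumbprint `
    -EnableHTTPRedirect:$true          # Server 2016: redirect HTTP to HTTPS

# Pass-through: WAP only forwards traffic; the backend must authenticate every
# request itself. Reserve it for applications that enforce their own logon.
Add-WebApplicationProxyApplication `
    -Name 'Legacy App (pass-through)' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl 'https://legacy.contoso.com/' `
    -BackendServerUrl 'http://legacy.corp.contoso.com/' `
    -ExternalCertificateThumbprint $ExternalCertThumbprint

# Inventory: which published applications bypass AD FS pre-authentication?
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl |
    Sort-Object ExternalPreauthentication |
    Format-Table -AutoSize
```

Reviewing the inventory output regularly is a cheap way to catch applications that were published with pass-through when AD FS pre-authentication was intended.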



Identity with Windows Server 2016 (Exam 70-742) Intro Nugget

June 24, 2017 at 1:55 pm

Master Microsoft Windows Server 2016 70-742 with trainer Anthony Sequeira to level up your IT career. http://cbt.gg/2lzqESI

Learn how CBT Nuggets trainer Anthony Sequeira developed the topics you will enjoy in his Microsoft Windows Server 2016 70-742 course. This Nugget walks you through how to use the Hands-on Labs that accompany the course with your CBT Nuggets subscription!

Not a subscriber? Start your free week today! http://cbt.gg/2hGDU2S

Configure Group Policy Object (GPO) Processing

June 23, 2017 at 12:26 pm

Enjoy this Nugget on Group Policy Object Processing (GPO). This is one of the Nuggets from the CBT Nuggets course – Identity with Windows Server 2016 (Exam 70-742). This course can be found at: http://www.cbtnuggets.com/it-training/microsoft-windows-server-2016-70-742-identity-with-windows-server


Identity with Windows Server 2016 (Exam 70-742)

June 22, 2017 at 6:00 pm


My latest course at CBT Nuggets is complete:

Identity with Windows Server 2016 (Exam 70-742) – MCSA: Windows Server 2016 Microsoft Certified Solutions Associate

This course consists of the following action-packed Nuggets (NOTE: 41 of these Nuggets feature Hands On Labs to allow you to follow along, step-by-step!)

1. Course Introduction – 8 min
2. Active Directory Overview and Install – 19 min
3. Read-Only Domain Controllers and Removing DCs – 16 min
4. Install from Media and Domain Controller Upgrades – 13 min
5. Flexible Single Master Operator Roles – 15 min
6. Configure Domain Controller Cloning – 15 min
7. Troubleshooting Active Directory Installations – 8 min
8. Create, Copy, Configure, and Delete Users and Computers – 14 min
9. Automate the Creation of Active Directory Accounts – 19 min
10. More Automation and Account Management – 11 min
11. Perform Bulk Active Directory Operations – 9 min
12. Configure User Rights – 5 min
13. Implement Offline Domain Join – 12 min
14. Create, Copy, Configure, and Delete Groups and OUs – 14 min
15. Automate Groups and OUs with PowerShell – 7 min
16. Manage Group Membership Using Group Policy – 4 min
17. Group Types and Group Nesting – 22 min
18. Configure Service Accounts – 11 min
19. Group Managed Service Accounts (gMSAs) – 10 min
20. Configure Kerberos Constrained Delegation (KCD) – 4 min
21. Manage Service Principal Names (SPNs) – 8 min
22. Configure Account Policies – 12 min
23. Offline AD and Defragmentation – 7 min
24. Clean Up Metadata – 7 min
25. Backup and Restore of Active Directory – 17 min
26. Replication of Active Directory – 10 min
27. Replication and PRP for RODC – 7 min
28. Multi-Domain and Multi-Forest Active Directory – 9 min
29. Configure Domain and Forest Settings – 6 min
30. Trusts – 10 min
31. Configure Sites and Subnets – 9 min
32. Create and Manage Group Policy Objects (GPOs) – 17 min
33. Configure Group Policy Processing – 13 min
34. Configure Group Policy Settings – 15 min
35. Configure Group Policy Preferences – 5 min
36. Install a Certificate Authority – 9 min
37. Installing a Subordinate CA – 23 min
38. CA Management – 10 min
39. Manage Certificates – 11 min
40. Install and Configure Active Directory Federation Services – 13 min
41. Implement Web Application Proxy (WAP) – 8 min
42. Install and Configure Active Directory Rights Management Services – 7 min

Create and Manage Group Policy Objects (GPOs) Part 2 of 2

June 7, 2017 at 3:45 pm

Group Policy

In this second of two posts on basic Group Policy management, we discuss further topics involving these critical Windows management components.

Backup, Restore, Import and Copy Group Policy Objects (GPOs)

You can perform all backup and restore operations using the Group Policy Management console, or with Windows PowerShell cmdlets.

To back up all GPOs in your domain, open the Group Policy Management console and navigate to the Group Policy Objects node. Right-click the Group Policy Objects node, and then click Back Up All. You can also back up a specific object. To back up a specific GPO, in the Group Policy Objects node, right-click the GPO you want to back up, and then click Back Up.

To restore a GPO, right-click the appropriate GPO in the Group Policy Objects node, and then click Restore from Backup.

You can also manage your backups from the Group Policy Management console. You can use the Manage Backups option to view the settings in a backup, to delete a backup, and to restore a backup. To access the Manage Backups tool, in the Group Policy Management console right-click the Group Policy Objects node, and then click Manage Backups. In the Manage Backups dialog box select the backup you want to manage, and then click Restore, Delete, or View Settings, as required.

Although you can link the same GPO to multiple containers, including domains, it is not always best to do this. Usually, it is better to import a GPO from another domain. The import process requires that you effectively restore the settings of another GPO into a newly created, empty GPO.

The process therefore starts with you creating a backup of the source GPO. To import the settings, in the Group Policy Management console on the target domain, create a new GPO in the Group Policy Objects node. Right-click the new GPO, and then click Import Settings.

You can duplicate the settings in one GPO for reuse in another. An easy way to do this is to copy a GPO. In the Group Policy Management console, in the Group Policy Objects node, right-click the source GPO, and then click Copy. You can then right-click the Group Policy Objects node and choose Paste to duplicate the settings.

Create and Configure a Migration Table

There is a Migration Table Editor available inside the Group Policy Management tool that permits you to edit UNC path and security principal references that might not apply to the domain into which you are importing your Group Policy Object settings. Simply reference this saved table of entries when you are following the Import Settings Wizard.
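The backup, restore, import and copy operations described above, together with a migration table, can all be scripted with the GroupPolicy module. This is an added example, not part of the original post; the GPO names, domain names, backup path and migration table file are constructed placeholders.

```powershell
# Added example (not from the original post): the backup, restore, import and copy
# operations above done with the GroupPolicy module cmdlets. GPO names, domain
# names, paths and the migration table file are constructed placeholders.
Import-Module GroupPolicy

$BackupPath = 'C:\GPOBackups'
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null

# Back Up All: every GPO in the current domain, with a comment so the backup set
# is easy to identify later in Manage Backups.
Backup-GPO -All -Path $BackupPath -Comment "Pre-change backup $(Get-Date -Format s)"

# Back Up a single GPO; keep the returned object so its backup Id can be reused.
$backup = Backup-GPO -Name 'Workstation Hardening' -Path $BackupPath

# Restore from Backup: puts the saved settings back into the same GPO.
Restore-GPO -Name 'Workstation Hardening' -Path $BackupPath

# Import Settings into a new, empty GPO in another domain. The migration table
# (saved from the Migration Table Editor) rewrites UNC paths and security
# principals that do not exist in the target domain.
Import-GPO -BackupId $backup.Id -Path $BackupPath `
           -TargetName 'Workstation Hardening' -Domain 'corp.fabrikam.com' `
           -MigrationTable 'C:\GPOBackups\contoso-to-fabrikam.migtable' `
           -CreateIfNeeded

# Copy: duplicate a GPO under a new name (a cross-domain copy accepts the same
# -MigrationTable parameter).
Copy-GPO -SourceName 'Workstation Hardening' `
         -TargetName 'Workstation Hardening - Test' `
         -SourceDomain 'contoso.com' -TargetDomain 'contoso.com'
```

Run the import and copy steps against a test GPO first; a migration table that misses a principal leaves an unresolved SID in the imported security filtering.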

Reset Default GPOs

There is a simple tool called dcgpofix that you can use at the command prompt to reset the default GPOs back to their default settings. Remember, there is a Default Domain Policy GPO and a Default Domain Controllers Policy GPO. The tool features switches so that you can pick one or the other GPO to reset instead of resetting both.

Delegate Group Policy Management

Remember that you can delegate control over GPO tasks. This is done with the Delegation tab in the Group Policy Management tool, or you can delegate GPO tasks using the Active Directory Users and Computers tool.

Detect Health Issues

You can detect problems with your GPO infrastructure using the Group Policy Management console as well. This is done using the GPO Infrastructure Status page. To view the status, use the following procedure:

1. Select the domain object, and then click the Status tab.

2. To view the current status, click Detect Now.

3. Review the information in the details pane.