Directory & Identity Session Abstracts
Following is a sampling of the sessions that will be offered at The Experts Conference Europe for Directory & Identity 2010. We will be adding additional sessions and abstracts as speakers are selected.
*All sessions will be presented in English.
Pre-Conference Workshops
Best Practices for Deploying Windows Server 2008 R2 PKI
Speaker: Brian Komar
Get ready for a hands-on best practices installation of Windows Server 2008 R2 PKI. This half-day workshop will include:
- Discussions on private key protection for offline and issuing CAs
- Planning your revocation checking infrastructure
- Deploying an offline root CA
- Deploying an online issuing CA
- Publishing PKI information to Active Directory
- Using Group Policy to facilitate certificate distribution
Equipment for this workshop will be provided. Space is limited; register early.
Masters of Disaster – Data Recovery in Active Directory
Speakers: Jorge de Almeida Pinto, Guido Grillenmeier, Gil Kirkpatrick, Ulf B. Simon-Weidner
After replacing a failed domain controller, the most common recovery task in Active Directory involves restoring deleted or altered data. The process for recovering Active Directory data varies from version to version of Active Directory, and can be surprisingly complicated. In this workshop Jorge de Almeida Pinto, Guido Grillenmeier, and Gil Kirkpatrick will explain the way data is stored in Active Directory, how to properly recover object data from backup, how to reanimate deleted objects, and how to leverage the new Active Directory recycle bin. Equipment for this workshop will be provided. Space is limited; register early.
Keynote Sessions:
Speakers: Uday Hegde & Mark Wahl
The Experts Conference for Directory & Identity will be kicked off by Mark Wahl, Architect, Business Online Services Group, Microsoft Corporation, and Uday Hegde, Principal Group Program Manager, Identity & Access, Microsoft, as well as program management leaders representing the complete Microsoft Identity stack. Join us for a look at the future of Microsoft’s key directory and identity technologies.
Directory Services Sessions:
Active Directory’s Role in the “New” Identity Architecture
Speakers: Gil Kirkpatrick, Jackson Shaw, Uday Hegde, Mark Wahl, Dean Wells, Martin Kuppinger, Antonio Navarro, Daniel Meyer
Changing business models, the move to cloud-based services, security requirements, and regulatory compliance are poking holes in the identity architecture of most organizations. There is an emerging consensus that enterprise identity architecture needs to move from a “push” model where identity data is moved a priori to connected systems, to a “pull” model where connected systems retrieve identity data as needed to make authentication and authorization decisions (see, e.g. The Emerging Architecture of Identity Management, The Burton Group). This shift will necessarily change the roles played by Microsoft identity technologies (ADDS, ADLDS, ADFS, and FIM) in the overall enterprise identity architecture. How should we use Microsoft identity technologies as our enterprise identity architecture evolves? How should the Microsoft identity architectures themselves evolve to meet this change in overall architecture? And what new identity technologies do we need to deploy to create an identity architecture that is secure, flexible, and inexpensive to deploy and operate?
Adding LDAP and Two-Factor Authentication to ADFS v2
Speaker: Joe Kaplan
The out-of-the-box deployment model for Active Directory Federation Services v2 only allows an enterprise to perform password-based authentication against Active Directory Domain Services. However, many organizations have important identities stored in other directories such as Active Directory Lightweight Domain Services, or use various two-factor/strong authentication mechanisms such as RSA SecurID tokens or smartcards. We need to be able to integrate these authentication sources into our federated identity system in order to make AD FS the central hub of authentication. To make this work, AD FS allows us to integrate other custom security token services. In this session, we will explain how to use other AD FS technologies like Windows Identity Foundation to build custom security token services that extend authentication to other sources and integrate them with our AD FS v2 deployment. The session is intended for IT pros who do not necessarily have custom development skills but wish to learn the basics of how these systems are designed, so that they can create specifications and work with developers and architects to get these types of systems built and deployed.
ADFS 2.0 Deep Dive
Speaker: Brian Puhl
ADFS 2.0 is deployed, and now it’s time to dig in. Come join us as we dissect the claims rule language, explore debug techniques, and try to break (and then fix) as much as we can in an hour…
A DS Geek’s Notes from the Field – Active Directory Recovery Unveiled
Speaker: Ulf Simon-Weidner
You’ve got R2 and enabled the Recycle Bin, so no other actions are necessary to prepare for an AD recovery? Or you haven’t yet deployed R2 (or switched to the forest functional level)? Are you aware that even with today’s possibilities you are not prepared for every scenario? You have to blend in certain features. You also have to manage them and adjust your processes accordingly! This session will give you insight into experiences and practices from a field perspective: what can go wrong, and what you should do to manage and look after AD in a proactive way. You’ll hear experiences from the field about Active Directory disaster prevention and recovery, along with interesting thoughts, scripts and scenarios. Think beyond and get inspired. This session will distinguish you from the admins who keep their CV updated in case anything goes wrong, and make you one of those who are prepared instead.
Designing/Planning AD Schema Extensions
Speaker: Brian Desmond
This session examines what makes sense in AD and what doesn’t, shows how to evaluate a proposed schema change, and even helps you deal with a fear of schema changes. You’ll learn how to look for attributes that need indexing, how to secure data (such as with the confidential flag), and finally, how to carry out a schema change (such as LDIF files vs. something else).
Extending Certificate Enrollment Beyond Your Forest with Windows Clients
Speaker: Brian Komar
Windows Server R2 introduces two new features that can help you streamline your PKI and reduce the costs associated with it. The first new feature is the ability to issue certificates from a CA in a resource forest to users and computers in account forests. The session will discuss the requirements to enable cross-forest enrollment, demonstrate the configuration, and discuss migration strategies from your existing PKI. The second new feature involves the two new Role Services in Active Directory Certificate Services: Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service. These two role services open the possibility of autoenrollment of certificates to non-Windows devices (such as Linux workstations) by using HTTP as the enrollment protocol. The session will also look at how HTTP-based enrollment works and how you define policies for enrollment, and discuss the implications of enabling HTTP-based enrollment.
Flying in the Clouds – How MSIT Manages Identity and Authorization with Cloud Services: Azure, Exchange, LiveID, Oh MY!
Speaker: Brian Puhl
What does an Identity Management team do as they watch applications and resources lift off into the sky? Come find out how the Microsoft IT IDM team has been leading through the adoption of Online Services (such as Exchange), integration with Live ID applications, and the mass migration of internal LOB applications to Windows Azure…while trying to maintain their sanity and security.
Fundamentals of Cloud Identity
Speaker: Pam Dingle
Federation is a foundational part of Enterprise Identity in the cloud. Before you can start federating however, you may need to come up to speed on the underlying concepts behind Federation. Pamela Dingle will take you through the basics of federation, discussing vocabulary and defining the basic roles that make up the protocols behind federation: SAML, WS-Federation, and WS-Trust. Once the basics are in place, Pamela will review the current federation landscape. If you want to start right from the beginning, this session is for you.
Hardcore Windows Troubleshooting
Speaker: Brian Desmond
In many organizations, Active Directory and Exchange support personnel are often the top of the escalation chain for Wintel support in general. In this session we’ll look at a number of scenarios that will demonstrate tried and tested troubleshooting methodologies and toolsets. Many of these scenarios are extremely frequent Wintel problems that are often also frequent PSS calls. This is a demo heavy talk – we’ll use sample applications written specifically for this session as well as data from actual customer issues to troubleshoot live.
How to Not Screw Up Your PKI Development
Speaker: Brian Komar
If you want to learn from the mistakes made by others, this is the session for you. The session will look at the Top 10 most common mistakes made when deploying a PKI in your network.
Impact of Cloning and Virtualization on AD Domain Services
Speaker: Dean Wells
Customers are looking to further virtualize their environments: file servers, web servers, DNS servers, and even their domain controllers. It is clear that virtualization provides many benefits in areas such as deployment, disaster-recovery and lowering TCO. However, while virtualization offers many powerful capabilities and greatly simplifies repetitive tasks, it is a technology that must be handled with care when used in conjunction with Active Directory. In this session, we will review fundamental concepts within Active Directory and the impact of cloning & virtualization upon domain controllers, domain members and Windows in general. We will also discuss how to best leverage virtualization and how to both mitigate problems and avoid occurrences in the first place.
Inside Kerberos
Speaker: Brian Desmond and Joe Kaplan
In this session we’ll discuss how Kerberos and Active Directory integrate, as well as how the various Kerberos message sequences that are critical to using AD operate. We will look at the role of the KDC, authentication requests, service tickets, service principal names, etc.
Interactive Discussion on Cloud Identity
Speakers: Robert DeLuca & Dean Wells
What does Cloud Identity mean to you? Do you want to influence the future of Microsoft’s Cloud Identity offerings? This highly interactive discussion-based session provides a unique opportunity to share real-world requirements and understand how your priorities align with the priorities of other TEC attendees. Members of Microsoft’s Identity and Access product team will be on hand to absorb your feedback first-hand and guide participants through a fast-paced discussion on a wide range of topics.
Locating Domain Controllers for AuthN and SYSVOL/NETLOGON Access
Speaker: Jorge de Almeida Pinto
This session will focus on locating Active Directory Domain Controllers for two very important processes. The first process is authenticating accounts in AD; the second is accessing data stored on the SYSVOL/NETLOGON shares, such as GPOs and logon scripts. Each purpose uses its own mechanism to locate a domain controller to service the request. We will explain how both processes work under the hood and how they interact with each other.
Operating RODCs in the DMZ – Improvements with Windows Server 2008 R2
Speaker: Guido Grillenmeier
Windows Server 2008 was the first OS that allowed us to safely deploy RODCs in the DMZ – this approach can help you reduce the costs of managing multiple AD forests in the DMZ and simplify overall management of the DMZ. It was, and is, a key reason for HP to leverage RODCs, much to the surprise of Microsoft at the time. In the meantime this solution has been embraced by Microsoft, and further work has been done in R2 to improve the manageability of this solution. This session will recap where RODCs in the DMZ are a good fit in your enterprise and how the solution has become even more attractive with Windows Server 2008 R2.
Provisioning Architectures – How to Optimize it for AD and the Rest of IT
Speaker: Martin Kuppinger
In this presentation, Martin Kuppinger will discuss different architectures for identity provisioning, GRC, and IT service management from the viewpoint of Active Directory architects. Provisioning projects using the typical monolithic architectural approach often run into problems because different system environments like SAP and Active Directory have specific issues which need to be addressed with a single provisioning technology. Modern provisioning architectures can accommodate these specific needs and can help IT organizations avoid many of the organizational and “political” issues these projects can create. Martin Kuppinger will discuss in detail the pros and cons of different architectural approaches for overall IT requirements as well as for AD-specific requirements.
Upgrading Domains from Windows Server 2003 to Windows Server 2008+
Speaker: Ulf B. Simon-Weidner
In this session we will take away the fear – or make you really scared: are you fully aware of what “critical” operations in AD really do? We will look at those operations and into the details of what they are doing, to distinguish whether they are critical to our environment or not. Expect a lot of notes from the field, approaches to challenges, and scenarios on how to manage the associated risks and prepare for rollback.
Virtualizing Active Directory with Hyper-V and System Center Virtual Machine Manager
Speaker: Guido Grillenmeier
This session will describe the benefits and the risks of virtualizing AD on Hyper-V, from the perspective of an enterprise deployment of Hyper-V. There are various aspects of virtualization, and of how it may impact the operation of your AD infrastructure, that are critical to understand before making the decision either for or against virtualizing your AD domain controllers. This session will share the experience gained from a large-scale, global Hyper-V deployment, centrally managed through SCVMM, which included the partial virtualization of AD.
Forefront Identity Manager (FIM) Sessions
Advanced Workflow in FIM 2010 – One Year Later
Speaker: Jeremy Palenchar
Get ready for an in-depth look at workflows in FIM 2010. Last year, we did self-service password reset using a cell phone. One year later, a lot has been learned about workflows in FIM. We’ll revisit the password reset scenario and examine some common patterns for developing advanced workflows in FIM. Attendees will leave this session with a solid understanding of workflow in FIM 2010 and several examples of Enterprise-class workflows suitable for their environment. Tips for making your workflows manageable, flexible, and scalable will also be given.
Applying Policy Retroactively with FIM 2010
Speaker: Brad Turner
What do you do when you need to apply policy across a subset of users and can’t wait for a new request or set transition? How can you use policy to apply targeted actions or workflows to a set of users? How do you apply that Provisioning Sync Rule you worked so hard to build to all of your pre-existing AD accounts? This session will discuss the finer points of using the Run On Policy Update (ROPU) Workflow feature to solve these problems and discuss common pitfalls. Don’t get roped into a corner; add ROPU as the next tool in your FIM arsenal.
Automating FIM Deployments with Microsoft PowerShell
Speaker: Craig Martin
In a FIM deployment of any size, administrators will want to automate the management and maintenance of their servers and configuration as much as possible. Come to this interactive and demo-filled session to see real-world examples of PowerShell automation and scripts that you can use to improve your FIM maintenance experience. Whether you are new to the PowerShell “game” or a seasoned pro, you will find tips, tricks, and advice that you can start using right away within your environment.
Avoiding a Support Call – Lessons Learned from FIM Support Engineers
Speaker: Andreas Kjellman
Based on the insights from Microsoft customer service and support for their first six months of helping customers with their FIM 2010 deployments, learn from the top issues customers have faced, how to troubleshoot them, and how to avoid pitfalls in FIM deployment and operations.
Case Study: Building a World-Wide Certificate Management Solution
Speakers: Jorg Finkeisen & Thomas Pfeifer
Join us as we look at a global project that evolved from ILM2007 CLM to FIM2010-CM and includes CA and SQL clustering, FIMSync, much customization and many add-ins, plus additional services and interfaces. This project has turned into one of the largest FIM-CM deployments in the world.
Claims, Provisioning and the Cloud
Speakers: Mark Wahl & Andreas Kjellman
Learn how Forefront Identity Manager, Active Directory Federation Services, Windows Identity Foundation and Azure can be integrated to automatically provision users to application services in the cloud, how to configure FIM to ensure quality identity data is available to these applications, and how users can perform self-service claims management.
Developer Tools for the FIM IT Pro
Speakers: Craig Martin and Jeremy Palenchar
You’ve sat through presentations telling you how to diagnose a failing project, but how do you revive it? Turns out as an industry we are very bad at what we do, so sit in and hear tips for successfully deploying FIM projects. This session balances stodgy methodology coverage with interesting tools and techniques for deployment and test automation.
FIM 2010 Group Management, What’s Real (Notes from the field)
Speaker: Issam Andoni
FIM 2010 provides group management capabilities out of the box. On the other hand, implementing a real group management solution for the enterprise can be tricky and will require adjustments to FIM’s out-of-the-box capabilities. Based on experience gathered from the field, we will explain how you can navigate the complexity of implementing an effective group management solution leveraging FIM. In this session, we will go beyond what is provided natively in FIM to explain how you can expand it to address real customer scenarios.
FIM 2010 Performance Tuning (SQL and more)
Speaker: David Lundell
Learn how to tune FIM 2010 to make it scream. Take a look at the various architectures and what they buy you. Learn how crucial SQL is to FIM performance and what to do about it. You’ll also learn tips for workflows and the FIM web service, and receive a crash course in SQL Server optimization.
Integrating FIM into IT Service Management
Speaker: Mark Wahl
For many IT department tasks, such as when “a new employee joins” or “a department wants to deploy and manage their own applications”, user and access provisioning are part of larger IT processes. Learn how System Center products and Forefront Identity Manager can be integrated to provide operational reporting, request tracking and consistent experiences for requesting changes to IT services.
Logging and Auditing in FIM 2010
Speakers: Jeremy Palenchar and Gil Kirkpatrick
FIM provides a rich logging and auditing architecture out of the box. However, accessing this information can be tricky. In this session, we will present a methodology and the source code necessary to extract the logging and auditing information from the FIM system and store it in a user-friendly data warehouse. The solution leverages the ILM Sync engine and SQL Reporting Services so it will be easy to integrate into any FIM solution. This session promises to take logging and auditing from boring and painful to fun and easy.
Proper Care and Feeding of Your Databases: FIM, ILM, CLM, RMS, SharePoint and OCS
Speaker: David Lundell
Without proper care and feeding of your databases (FIM Meta Directory Services, FIM Certificate Services, FIM Web Service, RMS, SharePoint and OCS logging), chaos will result. Learn to conquer the chaos as David Lundell, SQL expert and ILM/FIM MVP, teaches you appropriate backup strategies, database and index maintenance tactics, and performance optimization tricks including guidance on fillfactor settings for SharePoint. You will also receive a crash course in the SQL Transaction Log, SQL Recovery Models, Database Maintenance Plans, Index Optimization, SQL Backups, and SQL Agent Jobs.
The Evolution of the Identity Market
Speaker: Jackson Shaw
Renowned identity management expert Jackson Shaw takes a walk down memory lane highlighting the evolution of the Identity and Access Management (IAM) market. He’ll share perspectives on how IAM has changed over the years, as well as the tremendous options that are available today to bring order to the identity chaos. Learn about the players in the market including IBM, Sun/Oracle, Novell, Microsoft and Quest and the unique value they can provide. Jackson will also explore the ways in which the market is forcing change in the players.
Using DFS and GPO in ILM High Availability Scenarios
Speaker: Brad Turner
This presentation will demonstrate how ILM Architects, Engineers, and Administrators can leverage Active Directory Distributed File System (DFS) to replicate solution content between the primary ILM server and the warm-standby server as well as Group Policy Preferences to deploy scheduled tasks. Solution content is typically any of the following file information used in an ILM solution: MAData, Run Profile automation scripts, and dependent code libraries. Setup and configuration of DFS & GPO Preferences for a Windows 2008 AD environment will be covered in a live demo.