Session Abstracts

Directory Services Pre-Conference Workshop:

Active Directory Data Recovery Workshop
Presenter:
Jorge de Almeida Pinto

Since the beginning, when Active Directory was first released with Windows 2000 Server, the methods and means for object recovery in AD have evolved and improved each time a new version of Windows was released. In time, the technology made it easier to recover objects after an accidental (mass) deletion and to prevent the loss of data after recovery. This workshop consists of presentations and labs about AD object recovery in each and every Windows version, starting with Windows Server 2000 up to Windows Server “8”. If you want to learn and experience everything about AD object recovery in multiple versions of Windows, then this is the right workshop for you. All equipment will be provided.


First Drive with the Windows 8 PKI Workshop
Presenter:
Brian Komar

This hands-on lab will introduce you to the new PKI features found in Windows 8. The session will involve setting up a two-tiered CA hierarchy and managing the CAs with the new PowerShell toolset. All equipment will be provided.

Directory Services Sessions:

AD Recovery: Win8 ADAC Provides a GUI, but No Tree-Undelete
Speaker:
Ulf B. Simon-Weidner

Windows 8, as well as other versions, is missing important information when backing up. Cloning provides great possibilities to speed up recovery processes. USN Rollback is gone. In this session, you’ll learn how to extend the OS to be fully prepared and to automate the recovery. We’ll cover extending ADAC, backup scripts, recovery scripts using the new possibilities, and how to identify and save the data needed for cause investigation. And, we’ll review how to use Win8 with downlevel DCs.


AD Replication Uncovered
Speaker:
Brian Desmond

AD has been running for over a decade now, but can you explain how the replication engine works? What exactly is happening under the covers when the topic of USN rollback or lingering objects comes up? What led to the replication topology your DCs generated? Come learn how all these pieces fit together and just what the piles of data from repadmin mean when things break down. You’ll leave this session better prepared for when replication breaks down and with a greater understanding of one of the key assumed fundamentals of Active Directory.


Customizing AD FS for Fun and (Not a Lot of) Profit
Speaker:
Brian Puhl

Step 1: Install AD FS
Step 2: Customize
Step 3: PROFIT!
An out-of-the-box installation of AD FS, while functional, can leave something to be desired in terms of providing the desired experience for your users, developers, and application owners. In this session, come and see how to customize every aspect of the AD FS experience, including:

  • Home Realm Discovery – “Where Are You From?” never looked so good
  • Small Form Factor Support – Phones, phones, get your phone emulators here!
  • Moving up to “major surgery” – Custom Attribute Stores provide extreme extensibility options

Come and see some of the customizations MSIT has made to our AD FS service, the lessons we’ve learned, and hear first-hand tales of how an Identity Architect learned to relax and love Visual Studio.


Data Loss Prevention with RMS: 2012 the Year of RMS
Speaker:
Lutz Mueller-Hipper

In this session we talk about the reasons for RMS and the battle against PKI. RMS is growing up, so let’s see what we got with Mac Office, with unsupported document formats, and with automatic data classification tools. We will also cover what is new with RMS in Windows 8 and RMS in the Cloud.


Deploying a Highly-Available AD FS Infrastructure: Office 365, Windows 8 and More!
Speaker:
Laura E. Hunter

So you have ADFS deployed. It’s live, it’s in production, you’ve worked out all of the typos…now let’s get down to running this as a full-fledged service. As more and more applications adopt claims-based authentication, your organization’s Security Token Service infrastructure will take on new importance to your end users and management, and learning how to operate it in a highly-available manner will become as critical as maintaining HA for services such as Active Directory. In this session, come and hear how Microsoft IT has been deploying and running ADFS as a reliable, scalable service since 2006, and hear the lessons we’ve learned along the way that you can take back and apply right away. We’ll also share some “tales from the dogfood trail” as we take our production ADFS infrastructure and integrate the latest-and-greatest Microsoft operating system into the mix, all while remaining sane and (somewhat) efficient.


Evolution of Windows File-System Security
Speaker:
Guido Grillenmeier

This session discusses how companies have adapted to secure shared data on Windows file servers and related devices over time. It will focus on which Windows and AD features are available to ensure your data stays secure, including some of the not-so-well-known features from Win2008 and R2. The session will also discuss how to prepare for the upcoming changes in Windows 8, where Microsoft will introduce some dramatic updates to the file-system security model.


EZ PKI and PKI Housekeeping
Speaker:
Lutz Mueller-Hipper

It is time to use PKI to simplify computer management, and this session will go over design recommendations and security aspects for scenarios with Wi-Fi and VPN. Don’t just do it, do it right, and see why and how. The second part of this session will discuss user certificates in the wild, how to publish them securely with AD LDS, and what needs to be done for PKI housekeeping in Active Directory.


Finally! Integrated IP Address and Naming Service Management in Windows Server 8
Speaker:
Sean Deuby

Network admins rejoice and prepare to retire your Excel address list workbooks! In Windows Server 8, Microsoft is introducing the new IPAM (IP Address Management) server role. IPAM helps you discover your network, design subnets, manage settings, track utilization, monitor health, and track changes to your network. It supports delegated administration, role-based access control, and a host of other features. Microsoft IPAM will quickly become the way all Windows admins manage their naming services; come have a first look at how you’ll use it.


How a Major Multi-National Company Uses a Virtual Directory
Speaker:
Michael Brengs

This session is a customer case study highlighting how a major multi-national company is using a virtual directory to simplify their identity management initiatives. See details of how a virtual directory is the enabling technology for deploying applications to users across hundreds of AD forests.


Identity In The Cloud: A Primer On Securing SaaS and Active Directory’s Future
Speaker:
Sean Deuby

The rise of easy-to-use SaaS applications has been described (by Laura, btw) as “the shiniest object ever dropped into the enterprise.” For those of us responsible for keeping cloud applications secure, however, this raises a lot of questions. How do I make sure my users securely access these services? How do I make sure my identity and access management (IAM) environment is ready for this? What are my technology options? And though you need immediate, tactical solutions, you also need to think strategically because cloud computing is still maturing. What will AD look like in a few years? What cloud identity technologies should I be positioning my company for? Perhaps most importantly, what skills and technologies should *I* be building for my own career? Join nine-time directory service MVP and Windows IT Pro technical director Sean Deuby for a look into the future of your identity world.


Information Protection at Microsoft: A Real-World Deployment
Speaker:
Laura E. Hunter

As part of the IAM and security strategies within Microsoft IT, Information Protection plays a key role in the protection of our data and resources. Using a variety of tools, including Rights Management Services, MSIT extends various levels of protection to critical data within our infrastructure. In this session, come and hear how Microsoft has deployed Rights Management Services and other Information Protection technologies, and how we are planning to extend this service to our business partners, to the cloud, and more!


Office 365 – Customizing Identity for Large Enterprises: Field Notes
Speaker:
Dmitry Kazantsev

Office 365 is finally here and your customers are either excited to join the trend or waiting for better clarity. Come hear about field experiences with Office 365 deployments in large commercial and public sector enterprises: the assessment, preparation, migration, deployment and post-deployment tasks that enterprises face when deploying Office 365. We’ll touch on identity management tasks, federation, and mail content migration; and we’ll talk about scale and how to manage your and your customer’s expectations.


Office 365 at MSIT – Another Year Older and What Have We Learned?
Speaker:
Brian Puhl

Mailboxes, SharePoint sites, RMS protection and more! In this session, come and see how MSIT has continued to adopt Office 365, moving from our early days of dogfood into a full-fledged suite of production services. We’ll talk about progress we’ve made, and lessons we’ve learned along the way:

  • Extending Authentication and Authorization services across multiple services
  • Managing the user experience: Service Management as a new art form
  • Identity synchronization and the laws of unintended consequences

Come and hear about our real-world experience in large-scale cloud adoption, where we’ll share some key considerations for moving your own organization to the Microsoft cloud.


Office 365 Active Directory Integration – Preparation and Deployment
Speaker:
Brian Desmond

Deploying Office 365 with a seamless end user experience requires a multitude of steps to prepare Active Directory, synchronize (“DirSync”) with Office 365, and deploy Active Directory Federation Services (ADFS). DirSync and ADFS are completely new components for many IT administrators which, like anything new, bring an added layer of complexity to the project. In this session, we’ll look at how all the pieces fit together and review best practices for integrating your existing Active Directory with Office 365. We’ll walk through some common issues from actual deployments and review how to get in front of the bus and stop these issues before they happen. Finally, we’ll look at how DirSync and ADFS work so you’ll be prepared to configure and troubleshoot these services in your environment.


Protecting Yourself from Threats to Your AD – and What to Do When You’re Attacked
Speaker:
Guido Grillenmeier

Your infrastructure architects and operations teams are not the only ones who have gained great knowledge about the inner workings of Active Directory over the past decade. The dark side doesn’t sleep either, and as such malware has evolved as well and may well target not only single machines, but your whole AD. How can you limit the attack surface for your AD? Which “bad practices” are still widely used in many companies (maybe yours?) that you should address to protect yourself from common threats to your AD? This session will help answer these and many other questions on improving AD security.


Protect Your PKI Against the Attacks Used Against DigiNotar
Speaker:
Brian Komar

Many customers are asking what measures they can take to protect their PKI against the kind of attack launched against DigiNotar. This session will look at how the attacker launched his attack and which security holes need to be closed or monitored to ensure that the same attack does not succeed against you.


Public/Private Cloud Application Security and Single Sign On with BYOD – Tear Down the Walls
Speaker:
Lutz Mueller-Hipper

The IT business is moving rapidly to cloud-based solutions. Want to know what that means for the traditional network infrastructure and how you can run an open but secured network? The session will look at all those things from the application level, and at authentication in enterprises with classic SSO and federation.


Putting the “A” in IAM: How MSIT Manages Enterprise Authorization
Speaker:
Laura E. Hunter

With all of the attention that’s been paid to changes in the Authentication space in recent years, it can be easy to forget that “Access” can, and should, be just as important to your IAM story as “Identity.” It’s not enough to ask “Who are you?” We also need to be able to manage the answer to “Now that I know who you are, what exactly can you do?” In this talk, come and hear how MSIT manages the Authorization story at Microsoft enterprise-scale — custom tooling, dynamic access control, and XACML, oh my!


The Evolution of Object Recovery In AD – The Road To Perfection – A Technical Deep Dive (Part 1)
Speaker:
Jorge de Almeida Pinto

Since the beginning, when Active Directory was first released with Windows 2000 Server, the methods and means for object recovery in AD have evolved and improved each time a new version of Windows was released. In time, the technology made it easier to recover objects and to prevent the loss of data after recovery. We will start this session with an introduction to object recovery related topics, followed by an explanation of all object recovery methods in all versions of AD after an accidental (mass) deletion, including what’s new in Windows Server 2008 R2 and in Windows Server “8”. The session will finish with recommendations around object recovery. This session consists of two parts (2x 75 min.) and will include multiple demos!


The Evolution of Object Recovery in AD – The Road To Perfection – A Technical Deep Dive (Part 2)
Speaker:
Jorge de Almeida Pinto

Since the beginning, when Active Directory was first released with Windows 2000 Server, the methods and means for object recovery in AD have evolved and improved each time a new version of Windows was released. In time, the technology made it easier to recover objects and to prevent the loss of data after recovery. We will start this session with an introduction to object recovery related topics, followed by an explanation of all object recovery methods in all versions of AD after an accidental (mass) deletion, including what’s new in Windows Server 2008 R2 and in Windows Server “8”. The session will finish with recommendations around object recovery. This session consists of two parts (2x 75 min.) and will include multiple demos!


Win8 Server in the Datacenter
Speaker:
Ulf B. Simon-Weidner

MS promotes Win8 Server as good for the cloud. Join us and learn why it’s even better for the datacenter, using cloud, cloning and other technologies on-prem. Learn to ease your efforts when scaling up and out, maybe even automatically. We’ll cover DCs on demand (commissioning and decommissioning), taking performance and green IT into account.


Windows in the DMZ? Oh My!
Speaker:
Dave Jones

Windows is the most attacked operating system on the planet. It also has more third-party development and applications written for it than any other operating system, as well as a large base of system administrators supporting it. It is technically possible to secure Windows servers to take advantage of those applications. This discussion will outline techniques for hardening Windows 2008 R2 and associated infrastructure services.


(FIM) Pre-Conference Workshop:

FIM PowerShell Workshop
Presenter:
Craig Martin

FIM is a complex product used to address complex integration requirements. You are faced with deploying and maintaining a system in which a single change can deliver new functionality while breaking the rest of the system. The only way to do this reliably is to apply automation and to lower the bar for developing new FIM extensions. PowerShell can be used to keep up with the requirements while at the same time ensuring service quality. This workshop teaches you how to use PowerShell for both task automation and FIM extensibility. PowerShell makes quick work of task automation, enabling rapid development and testing of FIM deployments. Topics that have been covered in FIM presentations will be extended into hands-on labs with instructor guidance and proctor assistance. You will walk away with the tools and techniques to improve the quality and functionality of your deployments. Workshop participants should have an intermediate grasp of FIM 2010, and be ready to learn about PowerShell. All equipment will be provided.

Forefront Identity Manager (FIM) Sessions:

Crouching FIM, Hidden Groups
Speaker:
Kinnon McDonell

Enjoy the tale of Microsoft IT’s development and rollout of hidden-membership distribution groups. Learn about the MPRs and code needed to coerce FIM and Exchange 2010. Watch as we discover that membership can be too well hidden. Gasp as we have a cloud strategy for all this and more. We will cover in depth the code and the fury, the AD inheritance that signified nothing, on our way to our multi-forest enterprise deployment of this feature. RCDC and ACLs will be shared, PowerShell leveraged.


How Microsoft IT Uses PowerShell for Testing Automation and Deployment of FIM
Speaker:
Kinnon McDonell

The Identity and Access Management team has deployed Forefront Identity Manager as a group management solution at Microsoft. Join us and learn how we have used PowerShell to automate our deployment and keep our configuration in source code control. We will explain how we test the code we deploy to a multi-forest, multi-cloud environment.


FIM R2 Showdown — Classic vs. Declarative
Speaker:
David Lundell

Is there room enough for both in this town? FIM 2010 R2 has two ways of accomplishing many tasks: Classic and Declarative. Attend this showdown to learn when to saddle up Classic vs when to saddle up with Declarative Sync Rules and why. Dissenting opinions politely welcomed — join the controversy! Discussion will take into account performance, ease of implementation and maintainability.


Reload, Recharge, and Mobilize! FIM Integration for iPhone/iPad and Windows Phone 7.5
Speaker:
Rob Allen

RELOADED! This session builds on last year’s proof of concept using Windows Phone 7, and now will demonstrate the “FIM For Phone” application on both the iPhone/iPad and Windows Phone 7.5. This session will show how the application has progressed over the last year, using real-world use cases and success stories. The walk-throughs will show the interoperability of the custom WCF service, integration with FIM R2 Reporting, Group Requests, and Approvals in FIM 2010. Bring your iPhone/iPad and Windows Phone 7.5 devices and check out the special interaction event planned for the session!


Self-Healing Policy for FIM
Speaker:
Bob Bradley

Have you written FIM policy to cover all the use cases you can think of, and yet you’re still worried you’ve missed something? Perhaps you feel like the boy with his finger in the dam, not really certain when things might just come crashing down around you? Wish you had the assurance of a “FIM Fairy” running along behind you to make sure every event was captured, every workflow run without error, and every policy change retrospectively applied? Well, such things are now possible, and you don’t even have to leave the FIM Portal to do it! In this session, learn how a simple design principle centred on a single custom class can be used to deliver self-healing policy entirely within the FIM Portal. Using the same workflows you have constructed to implement your regular FIM policy, a consistent yet imaginative approach is used to retrospectively apply policy on regular cycles to suit the occasion. Missed an event? No problem! The FIM housekeeping fairy will save you with her email notifications and data integrity checks and corrections, thereby ensuring the ongoing integrity of your FIM Portal.


FIM – Use the new ECMA to build a management agent for the Office 365 online directory’s new REST interface
Speaker:
Jeremy Palenchar


Show the use of ADFS and claims to access the FIM portal using claims-based authentication to the UAG portal and Kerberos Constrained Delegation – co-present with N Appliance for UAG hardware.
Speaker:
Jeremy Palenchar


Sync Service Migration Toolkit
Speaker:
Carol Wapshere

Migrating MIIS or ILM to FIM Sync is not always as simple as we’d like. Unmigratable 32-bit code, non-standard sync methods, a history of manual joins and various other worst practices can add overwhelming complexity to something that should have been straightforward.
In this session I will share the scripts and methods that I’ve used to get through a number of messy sync service migrations.


The Instant Replay MA for FIM
Speaker:
Bob Bradley

Replay your FIM MA! Can’t get the FIM MA to play nice? Forced into writing workflows when for any other MA you would use an IAF? Frustrated by precedence restrictions with the FIM MA? Fret no more! This session will walk you through how to create a completely supported MA that works alongside the FIM MA, allowing you to overcome advanced flow and precedence restrictions. You will also see how, with a more advanced configuration, you can also achieve that sought-after flexibility with reference attributes. This MA is a very low-cost option (in terms of development as well as processing overhead) for providing the FIM Metaverse with an additional feed of the same data already present in an existing MA. In the special case of the FIM MA, this provides added benefits, including restoring the advanced flow rule and manual precedence options otherwise denied for the FIM MA.