Archive for the ‘ActiveDirectory’ Category

Sharepoint On Premise Office365 and Hybrid – Pros, Cons and Comparison

Sunday, August 10th, 2014

SharePoint On Premise, Office365 and Hybrid – Pros, Cons and Comparison

On the SharePoint front there has been a lot going on with different editions and versions. I created this presentation as a quick overview, with pros / cons and a comparison of three flavors of SharePoint:

  1. SharePoint On-Premise
  2. Office 365 SharePoint
  3. Hybrid (combination of 1 and 2)

View my presentation and email me your feedback.

Sharepoint 365 Initial Talking Points

Thursday, July 31st, 2014

Sharepoint 365 Initial Talking Points

V: 1.0

With Office 365, Microsoft introduced SharePoint Online, aka SharePoint 365. Recently I’ve been going through a lot of information on the SharePoint 365 version. I came up with a few initial talking points to give a good start with Office 365 SharePoint.

There are many things to consider when thinking of migration:

  • User experience
  • Identity management
  • Data Security
  • Feature set
  • Integration with internal systems
  • Even how you budget your dollars for next year

Suggestions:

  1. Role Based Access Control
  2. Two Factor Authentication
  3. Combine Search results from On-Premise and Office 365 SharePoint
  4. Multiple Authentication Options

     a. MS Online ID. Example: faisal.masood@softvative.onmicrosoft.com
     b. MS assigned Org ID, AD login. Example: ADDomain\fmasood
     c. MS assigned Org ID, ADFS login. Example: faisal.masood@softvative.onmicrosoft.com accessing a partner organization’s resources

AD Integration Options:

a. Directory Sync only: DirSync. Runs every 3 hours and uses SQL Express for fewer than 50K AD objects. For more objects, use full SQL. No full SSO or 2FA.
b. Directory Sync and SSO: suited for large orgs. Needs HA for ADFS. 2FA possible. Identities are managed on-premises.

AD Integration Requirements:

a. Requires your AD forest at the 2003 functional level
b. Use the x64 DirSync tool; the 32-bit version is deprecated
c. For ADFS, set up a Windows 2008 or 2012 server. It can be virtual
d. The DirSync tool can be set up with one-way or two-way sync. Two-way sync is required for hybrid scenarios and can’t be switched back to one-way.
e. Use the Office 365 Deployment Readiness Tool to check your on-premises AD
f. Have the AD DC, ADFS and DirSync on separate servers

Reference Links:

1. Steps to configure Single Sign On for Office 365
http://blogs.msdn.com/b/sharepoint__cloud/archive/2011/12/07/steps-to-configure-single-sign-in-for-office-365.aspx

2. Using multiple federated domains in Office 365 with Okta

https://community.okta.com/docs/DOC-1266

3. Microsoft Office 365 Deployment Readiness Tool

https://technet.microsoft.com/en-us/library/hh852475.aspx

4. ADFS with Office 365



5. Description of Update Rollup 1 for Active Directory Federation Services (AD FS) 2.0

http://support.microsoft.com/kb/2607496

6. Support for Multiple Top Level Domains

http://community.office365.com/en-us/w/sso/support-for-multiple-top-level-domains.aspx

7. 10 things you should know about Office 365 before signing up

http://www.bfcnetworks.com/blogs/alexpearce/10-things-you-should-know-about-office-365-before-signing-up/

8. Use third-party identity providers to implement single sign-on

http://technet.microsoft.com/en-us/library/jj679342.aspx

9. How To Install ADFS 2012 R2 For Office 365

http://blogs.technet.com/b/rmilne/archive/2014/04/28/how-to-install-adfs-2012-r2-for-office-365.aspx

10. Remote Authentication in SharePoint Online Using Claims-Based Authentication

http://msdn.microsoft.com/en-us/library/hh147177.aspx

11. Ignite Office 365



12. SharePoint Online Service Description

https://technet.microsoft.com/en-us/library/jj819267.aspx

13. Multi-Factor Authentication for Office 365

http://blogs.office.com/2014/02/10/multi-factor-authentication-for-office-365/

 

MySite Deleted by MySite Cleanup Job

Wednesday, May 21st, 2014

Version 1.5

Applied To: SharePoint 2010, 2013, 2016, SharePoint Online

Situation:

A lot of users lost their SharePoint My Site. The site got deleted and they were not able to see any data in their My Site. In some situations, users were prompted to create a new My Site. Most of the deleted sites were for inactive users, though.

MySite Cleanup Process Chart:

I created an initial version of the following My Site Cleanup Job process chart as an overview.

SharePoint User Profile MySite Cleanup Job Process by Softvative Inc

Cause:

SharePoint Server has a ‘My Site Cleanup Job’ as a timer job. The job runs every hour. You can view the job at this location:

SharePoint Central Administration website > Monitoring > under ‘Timer Jobs’ click ‘Review Job Definitions’ > scroll to the bottom of the page and go to the next page. Look for ‘My Site Cleanup Job’ and click on it.

SharePoint My Site Cleanup Job

The function of the My Site Cleanup Job is to delete the user profiles and My Sites of users that are queued for deletion.

Conditions that will mark the account for deletion:

The user profile and My site will be marked for deletion if any of the following conditions is met.

a. account is deleted in AD (Active Directory)
b. account is disabled in AD
c. SharePoint Profile Sync connection is modified with additional filters, deleted, or recreated (e.g. a filter like exclude users with Department = Terminated)
d. account is moved to an AD OU that is not part of SharePoint Profile Sync

Test Scenario:

I used six test accounts, a few of them having managers listed in their AD account. The SharePoint Profile Sync added those to the SharePoint profiles. Later I logged in as those test users and created their My Sites by clicking on the link below. Alternatively, click the username drop-down on the top right and choose My Site from the dropdown, then click the ‘My Content’ link on the top left.

http://mySiteHost.domain.com/_layouts/MySite.aspx

Then I deleted one account, disabled two, and moved one to a different OU. That left two of the six test accounts untouched in AD.

The subsequent user profile sync run marked the accounts that met those conditions with bDeleted = 1 in the SQL tables. In layman’s terms, the site is queued for deletion.

I got the following email notification for one of the test accounts that was set up as my direct report in the AD account properties.

The My Site of Test User 5 is scheduled for deletion in 14 days. As their manager you are now the temporary owner of their site. This temporary ownership gives you access to the site to copy any business-related information you might need. To access the site use this URL: http://mysiteHost.domain.com/personal/testuser5

After the 11th day, I got the same email, but with deletion in 3 days.

The SharePoint My Site Cleanup Job then looks at bDeleted = 1 and notifies the user’s manager if one was listed in AD, or the Secondary My Site Owner if no manager was configured. It sends a second notification after 11 days. After 14 days it deletes the site. In a few situations, I’ve seen users actively working in SharePoint when their My Site got deleted. That happens after changes made by the AD team or SharePoint team (see ‘Conditions that will mark the account for deletion’ above); after 14 days the site will be deleted even if the changes were reverted.

 

SQL Query to check SharePoint user profiles / My Sites marked for deletion:

I then used the following SQL queries to find the status. Querying the databases directly is not a recommended method; use it at your own risk.

1. Use the following query to check the accounts that are marked for deletion.

-- Check the SharePoint User Profile accounts that are marked for deletion
select * from [Profile DB].[dbo].[UserProfile_Full] with (nolock)
where bDeleted = 1
order by PreferredName

2. SQL query to check the email notification status sent to the Manager or Secondary My Site Owner:

-- Query the My Site deletion email notification status in the User Profile DB
select * from [Profile DB].[dbo].[MySiteDeletionStatus] with (nolock)
-- where NotificationStatus = 1   -- email sent to Manager or Secondary contact: site will be deleted in 14 days
-- where NotificationStatus = 2   -- email sent to Manager or Secondary contact: site will be deleted in 3 days

3. SQL query to find the users’ My Sites in the My Site content DB – AllWebs table

-- Check the users under the My Site web app / content DB
SELECT FullUrl, Title, RequestAccessEmail
FROM [WSS_Content_MySites].[dbo].[AllWebs]
ORDER BY FullUrl

4. SQL query to check the user info in the My Site content DB – UserInfo table

-- Another query to check user info under the My Site content DB / My Site web app
select * from [WSS_Content_MySites].[dbo].[UserInfo] with (nolock)
order by tp_Login

Recommendations:

a. Make sure to test your User Profile Synchronization Connections in pre-production first.

SharePoint Central Admin > Application Management > Manage Service Applications > Click on User Profile Synchronization service application > Click ‘Configure Synchronization Connections’ under Synchronization section. Hover mouse over the connection name, click on drop down, and choose Edit to change the selection of Active Directory OU in the sync. Choose ‘Edit Connection Filters’ from the previous connection page to review / update filters.

SharePoint User Profile Service Application – Synchronization Connection

b. Temporarily disable the ‘My Site Cleanup Job’ when editing the Profile Sync connection. Later, make sure to enable the job again. The My Site Cleanup Job performs some other cleanups as well, like the Organization Browser list, People Picker, etc.

c. Make sure the ‘Secondary My Site Owner’ account listed has an email address that is monitored by the SharePoint team, or that those emails get forwarded to the SharePoint team to act on.

d. Make it part of SharePoint governance and training that managers should notify the SharePoint team when they get the email notification for site deletion within 14 days.

e. Monitor / control changes done in Active Directory that will impact SharePoint users, for example moving an AD account to a different OU that is not part of the SharePoint User Profile Sync.
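Recommendation b above is easy to get wrong in the other direction (the job is disabled and never re-enabled). As an added example, not from the original post, the following PowerShell wraps the sync-connection edit in a window where the job is disabled and re-enables only what it disabled; it assumes the SharePoint Management Shell on a farm server.

```powershell
# Added example, not from the original post: pauses the 'My Site Cleanup Job'
# while you edit a User Profile Sync connection and guarantees it is re-enabled
# afterwards, so a forgotten job does not keep deleting profiles and My Sites.
# Run in the SharePoint Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-MySiteCleanupJob {
    # One job exists per User Profile Service Application; return all of them.
    $jobs = @(Get-SPTimerJob | Where-Object { $_.DisplayName -eq 'My Site Cleanup Job' })
    if ($jobs.Count -eq 0) { throw 'My Site Cleanup Job not found in this farm.' }
    return $jobs
}

function Invoke-WithMySiteCleanupPaused {
    param([Parameter(Mandatory=$true)][scriptblock]$Action)

    # Remember which jobs we disabled, so one that was intentionally disabled
    # before we started stays that way.
    $pausedByUs = @(Get-MySiteCleanupJob | Where-Object { -not $_.IsDisabled })
    $pausedIds  = @($pausedByUs | ForEach-Object { $_.Id })
    foreach ($job in $pausedByUs) {
        Write-Host ("Disabling '{0}' (last run {1})" -f $job.DisplayName, $job.LastRunTime)
        Disable-SPTimerJob -Identity $job
    }
    try {
        & $Action
    }
    finally {
        foreach ($job in $pausedByUs) {
            Enable-SPTimerJob -Identity $job
        }
        # Verify from a fresh read of the farm, not the cached objects.
        $stillOff = @(Get-MySiteCleanupJob |
            Where-Object { $_.IsDisabled -and ($pausedIds -contains $_.Id) })
        if ($stillOff.Count -gt 0) {
            Write-Warning 'My Site Cleanup Job is still disabled; enable it under Central Administration > Monitoring > Review Job Definitions.'
        }
    }
}

# Usage: make the sync-connection edit in Central Administration while this waits.
Invoke-WithMySiteCleanupPaused -Action {
    Read-Host 'Cleanup job is disabled. Edit the Profile Sync connection now, then press Enter to re-enable it' | Out-Null
}
```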

SharePoint Online / OneDrive for Business

OneDrive for Business stores documents under the user’s My Site (part of the User Profile) in SharePoint Online (Office 365). Use the following Microsoft KB article for reference:

OneDrive for Business retention and deletion – https://support.microsoft.com/en-us/kb/3042522

Use the OrphanedPersonalSitesRetentionPeriod parameter of the Set-SPOTenant PowerShell cmdlet to increase the retention period before content deletion from the default value of 30 days to a higher value. Email notifications will still be sent saying the contents will be deleted in 30 days and 7 days. https://technet.microsoft.com/en-us/library/fp161390.aspx

Use the IncludeOnlyPersonalSite and Limit parameters of the Get-SPODeletedSite PowerShell cmdlet to get the list of personal sites (OneDrive for Business contents) that are marked for deletion. https://technet.microsoft.com/library/fp161365.aspx

Use SharePoint Online eDiscovery to put a hold on deletion of My Site (OneDrive for Business) contents. Create a new site collection using the eDiscovery template in your SharePoint Online tenant if you don’t have an eDiscovery site in place.
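The two cmdlets above combined into one check, as an added example that is not from the original post: it raises the tenant retention floor and lists the personal sites closest to permanent deletion. It assumes the SharePoint Online Management Shell; the tenant admin URL and the 90-day floor are placeholders.

```powershell
# Added example, not from the original post: raises the tenant's
# OrphanedPersonalSitesRetentionPeriod to a floor you choose and lists the
# personal sites (OneDrive for Business) in the tenant recycle bin that are
# closest to permanent deletion. Requires the SharePoint Online Management Shell.
# The tenant admin URL and the 90-day floor are placeholders for illustration.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder tenant

function Set-PersonalSiteRetentionFloor {
    param([int]$MinimumDays = 90)
    $current = (Get-SPOTenant).OrphanedPersonalSitesRetentionPeriod
    if ($current -lt $MinimumDays) {
        Write-Host "Raising OrphanedPersonalSitesRetentionPeriod from $current to $MinimumDays days"
        Set-SPOTenant -OrphanedPersonalSitesRetentionPeriod $MinimumDays
    } else {
        Write-Host "Retention period is already $current days (floor $MinimumDays); no change"
    }
}

function Get-PersonalSitesNearDeletion {
    param([int]$WarnWithinDays = 7, [int]$Limit = 500)
    # Get-SPODeletedSite lists sites in the recycle bin; DaysRemaining counts
    # down to the point where the site and its documents are gone for good.
    Get-SPODeletedSite -IncludeOnlyPersonalSite -Limit $Limit |
        Where-Object { $_.DaysRemaining -le $WarnWithinDays } |
        Sort-Object DaysRemaining |
        Select-Object Url, DeletionTime, DaysRemaining
}

Set-PersonalSiteRetentionFloor -MinimumDays 90
$atRisk = @(Get-PersonalSitesNearDeletion -WarnWithinDays 7)
if ($atRisk.Count -eq 0) {
    Write-Host 'No personal sites within 7 days of permanent deletion.'
} else {
    $atRisk | Format-Table -AutoSize
    # To bring a site back before it expires: Restore-SPODeletedSite -Identity <Url>
}
```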
 

Note:
I’ll cover the process of how to analyse and recover deleted My Sites in situations where a bulk of My Sites got deleted, that is, how to see which sites had data and which ones were just inactive My Sites or deleted My Sites without any documents to recover. I’ll try to cover the use of the PowerShell commands Get-SPDeletedSite and Restore-SPDeletedSite.

References:
1. http://blogs.msdn.com/b/kaevans/archive/2012/06/25/top-recommendations-for-managing-the-my-site-cleanup-timer-job.aspx
2. http://blogs.technet.com/b/fromthefield/archive/2013/07/25/windows-powershell-script-to-output-site-collection-information.aspx


MOSS MA Not Found error UserProfile Connection

Friday, April 25th, 2014
In SharePoint 2010, you want to set up a User Profile connection to Active Directory. You configure everything, click OK, and it brings up an error message.

Issue Scenario:

  1. Go to SharePoint Central Administration website
  2. Click on ‘Manage Service Applications’ under Application Management
  3. Click on ‘User Profile Service Application’ or the name of your user profile service app
  4. On ‘Manage Profile Service’ page, click on ‘Configure Synchronization Connections’ under Synchronization section
  5. Click ‘Create New Connection’
  6. Enter the Connection Name, Forest Name, Account Name, Password, select OU levels under Containers section to sync profiles from that OU level
  7. Click OK to configure the connection

In this case, you will get error:

Error

MOSS MA Not Found
Troubleshoot Issues with Microsoft Sharepoint Foundation
Correlation ID: f8224450-ea42-742a-d8c6-5de674235e32

Date and Time: MM/DD/YYYY hh:mm:ss AM
Go back to site
MOSS MA Not Found Error
Finding the Correlation ID Error Details:
I had the following Codeplex tool deployed, which helps in searching the ULS logs for the Correlation ID details. The tool is available under Central Administration website > Monitoring > Query correlation ID (under the Logging section). You enter the Correlation ID from the error page, specify a date / time range, and it shows the results.
That tool provided the following query result on its page. Looking at the query details, I saw the highlighted line. That section showed that it could not connect to App Server 1 at port 5725. That server at this point was not configured for the User Profile Service. The service was set up on App Server 3.
Correlation Query Result:
Time Process Area Category Level EventID Message
04/2/2014 10:14:38.90  w3wp.exe (SrvApp03:0x1C6C)  SharePoint Foundation  Logging Correlation Data  Medium xmnv Name=Request (POST:http://SrvApp03:19999/_layouts/EditDSServer.aspx?ApplicationID=abb4158a%2De70a%2D4185%2D86e2%2Df02f1c25966e)
04/2/2014 10:14:38.90  w3wp.exe (SrvApp03:0x1C6C)  SharePoint Foundation  Logging Correlation Data  Medium xmnv Site=/
04/2/2014 10:14:39.97  w3wp.exe (SrvApp03:0x1C6C)  SharePoint Portal Server  User Profiles  High d3b3 LoadConnections failed trying to fill the connections list. Most likely during RetriveResources because of permissions — {1}. Available parameters: System.ServiceModel.EndpointNotFoundException: Could not connect to http://SrvApp01:5725/ResourceManagementService/MEX. TCP error code 10061: No connection could be made because the target machine actively refused it 10.1.0.103:5725. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 10.1.0.103:5725 at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress) at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& …
04/2/2014 10:14:39.97* w3wp.exe (SrvApp03:0x1C6C)  SharePoint Portal Server  User Profiles  High d3b3 …socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Int32 timeout, Exception& exception) --- End of inner exception stack trace --- at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context) at System.Net.HttpWebRequest.GetRequestStream() at System.ServiceModel.Channels.HttpOutput.WebRequestHttpOutput.GetOutputStream() --- End of inner exception stack trace --- Server stack trace: at System.ServiceModel.Channels.HttpOutput.WebRequestHttpOutput.GetOutputStream() at System.ServiceModel.Channels.HttpOutput.Send(TimeSpan timeout) at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.SendRequest(Message message, TimeSpan timeout) at System.ServiceModel.Channels.RequestChannel.Req…
04/2/2014 10:14:39.97* w3wp.exe (SrvApp03:0x1C6C)  SharePoint Portal Server  User Profiles  High d3b3 …uest(Message message, TimeSpan timeout) at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) Exception rethrown at [0]: at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) at System.ServiceModel.Description.IMetad…
04/2/2014 10:14:39.97* w3wp.exe (SrvApp03:0x1C6C)  SharePoint Portal Server  User Profiles  High d3b3 …ataExchange.Get(Message request) at Microsoft.ResourceManagement.WebServices.MetadataClient.Get(String dialect, String identifier) at Microsoft.ResourceManagement.WebServices.Client.ResourceManagementClient.SchemaManagerImplementation.RefreshSchema() at Microsoft.ResourceManagement.WebServices.ResourceManager.get_SchemaManager() at Microsoft.ResourceManagement.WebServices.ResourceManager..ctor(String typeName, LocaleAwareClientHelper localePreferences, ContextualSecurityToken securityToken) at Microsoft.Office.Server.UserProfiles.ConnectionManager.LoadConnections(Boolean fForUI) .
04/2/2014 10:14:39.97  w3wp.exe (SrvApp03:0x1C6C)  SharePoint Portal Server  User Profiles  High a3xu ConnectionManager.LoadConnections(): Could not find MOSS MA despite being marked as fully configured, was it deleted?
04/2/2014 10:14:40.09  w3wp.exe (SrvApp03:0x1C6C)  SharePoint Foundation  Monitoring  Medium b4ly Leaving Monitored Scope (Request (POST:http://SrvApp03:8000/_layouts/EditDSServer.aspx?ApplicationID=abb4158a%2De70a%2D4185%2D86e2%2Df02f1c25966e)). Execution Time=1193.10918007736
Correlation Query Tool’s Result based on Correlation ID Error
Troubleshooting and Resolution:
  1. Looking at the query results, I saw that the connection was trying to reach the first server and was refused. That server had been having issues and was already planned for removal from the farm. It was not running the User Profile Service.
  2. I then looked at the ‘Manage Servers in the Farm’ page in SharePoint Central Administration > System Settings. I looked for the ‘User Profile’ service on that page to confirm which servers in the farm were running that service. It was not configured on App Server 1. I then went to the ‘Manage Service Applications’ page under Application Management in the Central Administration website.
     SharePoint Manage Service Applications Page – Properties icon grayed out
     Hover over ‘User Profile Service Application’; don’t click on the name but click to the right of it. That selects the service application and activates the Operations ribbon group at the top.
     SharePoint Manage Service Applications Page – Properties icon active
  3. Click on the Properties icon in the SharePoint ribbon. That brings up the ‘Edit User Profile Service Application’ dialog box. Scroll to the lower half of the page and look under the ‘Profile Synchronization Instance’ field. It is the fourth field from the bottom. In my case, it was set to App Server 1. I changed it to the server that was actively running the User Profile Service and clicked OK at the bottom.
     SharePoint – User Profile Service Application – Profile Synchronization Instance – Old Server
  4. A message was displayed saying ‘Profile Service Application successfully updated.’ Click OK on that dialog box to close it.
  5. I tried to configure the Profile Synchronization Connection again (steps in the Issue Scenario section above). The same error happened. I looked at the ‘Profile Synchronization Instance’ field (step 3 above): the same old App Server 1 was listed there. Not good.
  6. I started the ‘User Profile Service’ on that old App Server 1 from the Central Administration > ‘Manage Services on Server’ page for App Server 1.
     SharePoint – Started User Profile Service from Manage Services on Server page
  7. I then changed the server under ‘Profile Synchronization Instance’ to the new server that was running the User Profile Service. This time the setting stayed and didn’t revert as in the last attempt.
     SharePoint – User Profile Service Application – Profile Synchronization Instance – Active Server
  8. I tried to configure the user profile sync again (steps in the Issue Scenario section above). It was successful this time.
Important Thing:
One important thing: I didn’t have to start the ‘Forefront Identity Manager Service’ on the old server using the Windows Services console. That service was in the disabled state as before. After the successful sync connection, I stopped the ‘User Profile Service’ on App Server 1 that was started in step 6 above, using the SharePoint Central Administration website. It is not recommended to start / stop the FIM service using the Windows Services console.

Sharepoint – Forefront Identity Manager Service (part of User Profile Service App) in Windows Services Console
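The check in step 2 (which servers run the service) and the failed connection in the ULS trace (port 5725 on App Server 1) can be done from the shell before clicking OK. The following is an added example, not from the original post; it assumes the SharePoint Management Shell on a farm server and reads the server names from the farm, changing nothing.

```powershell
# Added example, not from the original post: lists which farm servers have the
# User Profile services provisioned and whether the FIM ResourceManagementService
# port (5725, the endpoint in the ULS trace above) accepts connections on each.
# A 'Profile Synchronization Instance' pointing at a server with no listener on
# 5725 is the condition behind the error. Read-only; run in the SharePoint
# Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    # TcpClient rather than Test-NetConnection so this also works on
    # Windows Server 2008 R2 / PowerShell 2.0 hosts typical for SharePoint 2010.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws on 10061 "actively refused"
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-UserProfileServiceStatus {
    param([int]$FimPort = 5725)
    $wanted = @('User Profile Service', 'User Profile Synchronization Service')
    Get-SPServiceInstance |
        Where-Object { $wanted -contains $_.TypeName } |
        ForEach-Object {
            $server = $_.Server.Name
            New-Object PSObject -Property @{
                Server      = $server
                Service     = $_.TypeName
                Status      = $_.Status          # Online, Disabled, Provisioning, ...
                FimPortOpen = Test-TcpPort -ComputerName $server -Port $FimPort
            }
        }
}

Get-UserProfileServiceStatus | Sort-Object Server, Service |
    Format-Table Server, Service, Status, FimPortOpen -AutoSize
```

A server whose User Profile Service shows Online but FimPortOpen False is the same picture the trace showed for App Server 1.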

References:
1. http://blogs.msdn.com/b/sofocle/archive/2011/06/28/user-profile-syncronization-failure-quot-moss-ma-not-found-quot.aspx
2. http://manojviduranga.wordpress.com/2013/05/18/moss-ma-not-found-when-creating-a-new-connection-to-aduser-profile-synchronization-in-sharepoint-2010/
3. http://mohamedelkassas.wordpress.com/2013/03/15/moss-ma-not-found-user-profile-syncronization-failure/
4. http://social.technet.microsoft.com/Forums/sharepoint/en-US/cf35f233-c6a9-440a-aa61-8be190782fcc/user-profile-synchronization-error-moss-ma-not-found
5. http://social.msdn.microsoft.com/Forums/en-US/81684a0f-30a0-4a29-b433-54e382666f47/user-profile-services-sync-connection-disappearing-after-a-few-days-moss-ma-not-found?forum=sharepointadminprevious

AD Search within XP

Thursday, December 4th, 2008

Active Directory Search Tool within XP

http://ist.uwaterloo.ca/security/howto/2006-12-13/

 

Use this command from Start > Run

rundll32 dsquery, OpenQueryWindow

 

Windows 2000 Server Active Directory

Monday, May 22nd, 2006

Active Directory Replication over Firewalls

Monday, May 22nd, 2006

View and Transfer AD FSMO Roles

Monday, May 22nd, 2006

How to view and transfer FSMO roles in Windows Server 2003
http://support.microsoft.com/kb/324801

How to view and transfer FSMO roles in the graphical user interface
http://support.microsoft.com/kb/255690