Wednesday, April 8, 2015

Movie Review of Home -- or how IDM could have saved the day.

Over the weekend I took one of my children to see the new animated film Home, starring Jim Parsons, Rihanna, Steve Martin and Jennifer Lopez. A group of technically superior but very cowardly aliens, called the Boov, flee from their implacable enemy, the Gorgs, and decide to take over Earth, relocating all of the primitive natives (us) to Australia. Aside from the political commentary of the entire human race being placed in a reservation, the thing that most struck me was how one of the near disasters could have been averted through solid Identity Management Systems. A hapless and lonely Boov, named "Oh," invited his new neighbors to a "warming of house party." When no one showed, he sought out other acquaintances to invite and sent out an Evite ™, but he accidentally did a Send All, which somehow included their implacable enemy. Great hilarity ensues as the evite will take 40 hrs to reach their enemy.

First of all, the Boov can't be that superior if they don't have automated Group Management that limits their distribution lists to just those that should be in there, excluding, oh I don't know -- your enemies.

Second, the big brains of the Boov figure out that they can just sign in to Oh's account and cancel his evite. Their leader, Captain Smek, victoriously proclaims "Good thing I made everyone use the same password -- of 'password'." But Oh's password is unique. Scratch that idea. They are clearly lacking the capability for an administrator to reset a password.

Third, Oh finally figures out he needs to cancel his invite, so he attempts to log in to his evite/email account. He fails, not quite remembering his password. Fortunately his second attempt succeeds. But had it failed, it would have been nice if he could have availed himself of a Self Service Password Reset (SSPR) mechanism.

Finally, their recall email message capability is far better than ours. I mean, if the evite took 40 hours to reach the Gorgs, then how did the recall message reach them instantly? Usually when someone recalls a message it just causes all recipients to read it all the more carefully as they try to find out what was so bad that the sender decided to recall it. In fact, if you want to ensure that people read a message, attempt to recall it ;)

Wednesday, March 11, 2015

Portable 2nd Monitor for the Surface Pro 3 ( and TwoMonUSB issues)

As a road warrior, often in different settings, I am interested in a 2nd, portable monitor for my Surface Pro 3. So here was my thought process.

I tried to use TwoMonUSB to make my iPad the second monitor. At first it worked quite well. Great idea: a backup device with some apps I don't have on the Surface, and I can use it as a second screen. But then my Surface Pro 3 was rebooting randomly during idle times, or the screen wouldn't light up after an idle timeout and then I would have to hard boot it. I was getting a bugcheck almost daily, sometimes multiple times a day. So after Refreshing the PC I decided that the $10 app approach wasn't going to work. I am not certain that it was TwoMonUSB, but it seems the likely candidate.

But I need a second screen, so here are the attributes that are important to me:
Weight: Not weigh me down -> less than 4 lbs
Screen Resolution: Work well with Surface -> 1440 x 1080 (if possible)
Power: hopefully it will be able to work without AC available -> less than 5 W typical energy consumption
Size: Big enough to see the screen (>12 inches) but not so big I can't fit it in my bag (<18 inches)
Price: less than $300 USD

This means that I need a DisplayLink monitor that weighs less than 4 lbs, uses USB for power and transmission of data, is at least 12 inches

Comparison table (columns: Weight (lbs), Screen Res, Power (Max) W, Power Typical (W), Response Time (ms), Price (USD), Comments from reviews). Most of the cells did not survive extraction; the review comments that did are:
"Works with Surface Pro 3," July 16, 2014, by Glenn Hanner: "The Surface Pro 3 will not power the monitor on its own. The USB3 port does not have enough power."
Works off of Surface Pro 3 battery power; one USB
Andrew, Nov 28, 2011: "Uncontrollable brightness… I contacted AOC and they confirmed that you cannot control the brightness"
Includes carry case, auto pivot
"The Surface Pro 3 … USB port doesn't put out enough power for the screen."
Lenovo ThinkVision LT1421: bulky in back, not flat

The ASUS MB168B+ (don't forget the plus) has a great screen resolution, but per reviews I won't be able to use it without external power. I was torn -- maybe there would be a way to monkey with brightness settings and get it to work. But the carrying case for it was also not good, lots of folks complain about the stand, and it is the most expensive of the items.

I considered the 17 inch AOC E1759FWU, which has pretty good screen resolution (1600x900), but again reviews identified the issue with power.

I also considered HP's S140u, but I am also concerned that the 7 W maximum power won't work, and I couldn't find many reviews, and certainly none where it was paired with the Surface Pro 3.

So I decided that I would try the 16 inch AOC E1659FWU -- I can get a second screen with a pretty decent response rate that should work (most reviews have said it did) within my power constraints with the Surface Pro 3. It includes a good case and great stand and is only a little more expensive than its predecessor, the AOC E1649FWU.

When all is said and done I may decide that the external power isn't as much of a constraint and go for the ASUS MB168B+ (I would also need to get a better stand, but that means yet more stuff to carry).

So for now I am looking forward to the arrival of the 16 inch AOC E1659FWU.

3/17/15 update: Well, the AOC E1659FWU is working well; my Surface Pro 3 can indeed drive the power requirements, which according to the manual are 8 W, whether plugged in or on battery. However, when I plug it in through my Belkin USB hub/Ethernet adapter it won't power up without getting extra power from the USB outlet on my Surface charger. Plugging into two of the ports on the Belkin USB hub doesn't do it (the screen keeps flickering on and off).
Conclusion: If I need to plug in for Ethernet or any other USB device, then I must plug in for external power. But the other day I got two good hours of using the Surface and the AOC on battery power and still had battery to spare.

Saturday, March 7, 2015

Escaping an AD Replication Island

On a dark and stormy night an Active Directory upgrade was underway: Windows Server 2003 domain controllers were being decommissioned, consolidated and replaced with Windows Server 2008 R2 servers. Suddenly I got a call from those doing the upgrade: "I can't see some of the new domain controllers on the existing domain controllers, what's wrong?"

A replication island had been created and several domain controllers were trapped on it. Could we rescue them in time?

Normally AD automatically generates the replication topology. But if you turn that off, then you must manually create connection objects between domain controllers. Even if it is enabled, replication between sites still requires site link objects to be created. With the sites and site links in place and the Knowledge Consistency Checker (KCC) enabled for generating connection objects, the KCC will automatically generate connection objects between domain controllers in different sites (those servers are referred to as bridgehead servers). Also, by default all site links are transitive. However, this is often turned off if some sites can't connect to others (routing or firewall configurations may be the cause, but it may be legit). Either way, site links still need to exist.

This scenario had the KCC enabled, but site link transitivity was off, and as domain controllers in several sites were decommissioned, some of the new sites with new domain controllers were left without direct site links to sites that still had active domain controllers. As I mapped out the new topology I realized that an island had been created -- four sites could talk to each other but not to the other 20 sites.

How to get off of the replication island?

Create site links to connect the sites to each other. But when you create a site link, it exists only on the domain controller where you created it and needs to replicate to the other domain controllers. So how do you get it to replicate when you need site links in order to replicate?

RepAdmin to the rescue! With repadmin /replsingleobj you can force the replication of a single object to any other domain controller, even if they aren't replication partners. So after creating the new site links I needed on one of the island domain controllers, I forced replication among the domain controllers on the island so they all knew about the new site link. But the rest of the enterprise still didn't know, so I ran repadmin /replsingleobj NonIslandDC IslandDC "CN=NewIPSITELINK,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=MyDomain,DC=rootdomain" (the first DC named is the destination, the second is the source that already holds the object).

Then I forced the replication from that domain controller to its partners and then forced the KCC to generate a new replication topology. The island was bridged. The domain controllers were rescued.
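The same rescue as a PowerShell script, added here as an illustration rather than taken from the original post. It assumes the new site link has already been created on the island DC (for example in AD Sites and Services), and the DC names, domain and site link name are hypothetical placeholders.

```powershell
# Added example (not from the original post): bridging a replication island with repadmin.
# Placeholder names below are hypothetical; substitute your own DCs, forest and site link.
$IslandDC    = 'ISLANDDC01.corp.example.com'   # a DC that already holds the new site link
$NonIslandDC = 'HUBDC01.corp.example.com'      # a DC on the main replication graph
$ConfigNC    = 'CN=Configuration,DC=corp,DC=example,DC=com'
$SiteLinkDN  = "CN=NewIPSITELINK,CN=IP,CN=Inter-Site Transports,CN=Sites,$ConfigNC"

function Invoke-Repadmin {
    # Runs repadmin.exe with the given arguments; a non-zero exit code aborts the script
    # so a failed step is never silently skipped. Output is returned for inspection.
    param([string[]]$Arguments)
    $output = & repadmin.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "repadmin $($Arguments -join ' ') failed:`n$output" }
    return $output
}

# 1. Confirm the island DC really holds the new site link before pushing it anywhere.
Invoke-Repadmin @('/showobjmeta', $IslandDC, $SiteLinkDN) | Out-Null

# 2. Push the Configuration partition from the island DC to the other island DCs
#    (/P = push, /e = cross-site, /d = show servers by DN in the output).
Invoke-Repadmin @('/syncall', $IslandDC, $ConfigNC, '/P', '/e', '/d') | Out-Null

# 3. Replicate the single site-link object onto a DC outside the island, even though
#    the two DCs are not replication partners. Argument order: destination, then source.
Invoke-Repadmin @('/replsingleobj', $NonIslandDC, $IslandDC, $SiteLinkDN) | Out-Null

# 4. Verify the object now exists on the non-island DC, then push it on to its partners.
Invoke-Repadmin @('/showobjmeta', $NonIslandDC, $SiteLinkDN) | Out-Null
Invoke-Repadmin @('/syncall', $NonIslandDC, $ConfigNC, '/P', '/e', '/d') | Out-Null

# 5. Ask the KCC on both sides to recompute the topology using the new site link.
Invoke-Repadmin @('/kcc', $NonIslandDC) | Out-Null
Invoke-Repadmin @('/kcc', $IslandDC)    | Out-Null

# 6. Check for remaining replication failures across the forest.
Invoke-Repadmin @('/replsummary')
```

Run it as a member of Enterprise Admins (the site link lives in the Configuration partition) and review the /replsummary output for any DC that still reports failures after the KCC runs.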

Monday, February 2, 2015

Follow up #1 on How does Identity Management Impact the Bottom Line? Selling IDM

In my presentation last week at #OCGUS15, The Redmond Summit put on by my friends at OCG, on "How does Identity Management Impact the Bottom Line? Selling IDM," I illustrated how understanding more about financial statements such as Profit/Loss statements as well as Balance Sheets can be helpful. So here is a link to learn more:

Among other things, this is helpful for being able to articulate how your projects and programs can impact the bottom line, such as how user provisioning/deprovisioning impacts the Profit and Loss Statement:

Wednesday, January 28, 2015

Redmond Summit 2015

I am looking forward to presenting in an hour or so on "How Identity Management Impacts the bottom line."

Yesterday I had fun delivering a session on "ADFS vs Password Sync? It depends." This morning Alex Simons of Microsoft revealed a few new things that change some of my advice:
1) Soon Azure AD can do the location restriction by application for SSO. This potentially eliminates a deal breaker for some people.
2) You can now run Password Sync and ADFS at the same time.

Both of which make it more likely that you will do Password Sync. The second one makes it more likely that you will run both because Password Sync can be a warm standby for failing over from ADFS.

Wednesday, December 24, 2014

'Twas the night before Christmas

'Twas the night before Christmas, when all through the internet
Not an identity was stirring, not even a Passport .NET
The user accounts requests were submitted with care
Hoping that their access would soon be there

The users were nestled all snug in their beds
While visions of being able to do their jobs danced in their heads
The servers and computers were in sleep mode
Awaiting someone to move a mouse and send the wake up code

An urgent email pinging my iPhone created a vibration
I sprang to my Surface to see what was the perturbation.
Opening up Windows 8.1, I signed in to the computer
I ran AD Users and Computers and Event Viewer

User accounts had been created and added to groups
All while I had slept after eating my soups
As I looked at my network, what should appear?
But a brand new Identity Management System so nice and clear

On Sync Engine, on Management Agent! Now MPRs and Workflows!
On Metaverse on Sync Rules!  On PowerShell and Data flows!
To the web service! To Self Service Password Resets!
Provision, Deprovision and Synchronize all the sets!

Ok, ok so maybe I am just a bit eager for the release of Microsoft Identity Manager (due out 1st half of 2015).

Friday, December 12, 2014

Speaking at 2015 Redmond Summit (Jan 27-29 '15)

I will be speaking at the 2015 Redmond Summit: Where Identity Meets Enterprise Mobility.
This summit is put on by my friends at Oxford Computer Group.

I will be speaking on Password Sync vs. ADFS. Then the next day I will speak on the Business track about How Identity Management Impacts the Bottom Line.

See you there!
January 27-29, 2015 in Redmond, WA on the Microsoft Campus

Join OCG, Microsoft, and industry experts for two and a half days of networking and talks on the latest thinking on identity and enterprise mobility. If you’re overwhelmed by devices, have a hybrid environment, wish to simplify access, or manage identity in an increasingly complex digital world, then you won’t want to miss this event. Sessions will assess and look in detail at the largest release of new identity products in Microsoft’s history, including Enterprise Mobility Suite, Intune, Azure Active Directory, Hybrid Identity, and more! Discover how other organizations have tackled the same problems you face through case studies and get technical insight from Microsoft product managers and engineers. Registration is $800 per delegate. Find out more and register!