10982B Module 10: Troubleshooting Resource Access for Clients That Are Not Domain Members

Presentation: 75 minutes
Lab: 75 minutes

After completing this module, students will be able to:
- Configure the Device Registration feature.
- Configure and troubleshoot the Work Folders feature.
- Configure and troubleshoot access to Microsoft OneDrive.

Required materials
To teach this module, you need the Microsoft Office PowerPoint file 10982B_10.pptx.

Preparation tasks
To prepare for this module, you should:
- Read all of this module's materials.
- Practice performing the demonstrations and labs.
- Work through the Module Review and Takeaways section to determine how you will use the information to reinforce student learning and promote knowledge transfer to on-the-job performance.

As you prepare for this class, it is imperative that you complete the labs yourself. This gives you an understanding of how the labs work and the concepts that each covers, so that you can provide meaningful hints to students who might have issues. Furthermore, it will help guide your lecture to ensure that you discuss the concepts that the labs cover.
Module Overview
- Configuring and Troubleshooting OneDrive Access
Lesson 1: Configuring and Troubleshooting Device Registration
- Troubleshooting Device Registration
Overview of a BYOD Scenario

BYOD:
- Allows employees to use personal devices to access enterprise resources
- Results in more productive employees
- Shifts some management costs to employees

BYOD challenges include providing:
- Security for application access
- Security for enterprise data
- Support

Notes: Provide a brief overview of Bring Your Own Device (BYOD). It is likely that students are familiar with BYOD, as their organizations probably support it. Do not spend too much time on the general concept, but if time permits, ask students about their experience with BYOD.
Overview of Device Registration

- Users can access internal websites and company apps without entering credentials each time

Diagram components: AD FS, domain controller, certification authority, web claims-aware app, registered device, SSO, Web Application Proxy.

Notes: Ask students if they access company resources only from domain-joined computers and what challenges they have when using devices that are not domain members. Additionally, ask them why they use devices that are not domain members. Introduce the Device Registration feature in the Windows 10 and Windows 8.1 operating systems, and explain its benefits. Explain that from a device enabled for Device Registration, users can access company resources that use claims-based authentication, without having to enter their credentials each time. This means that the user has a single sign-on (SSO) experience. Point out that administrators can configure authentication requirements and have granular control of apps, while allowing users to access these apps from devices on which they enable the Device Registration feature. For example, discuss how you can require additional authentication if users want to access resources from a public network, and that you can specify that they can access only claims-aware apps. Furthermore, explain that when the same user uses the same device, still with the Device Registration feature enabled, they can access additional apps on the company network.
The Device Registration Process

- Device Registration with on-premises Device Registration Service

Diagram labels: Coffee shop, Device Registration, Corporate firewall, AD FS, Web Application Proxy, Home office.

Notes: Use the picture on the slide to describe how the Device Registration feature works.
Registering and Enrolling Devices

To register a Windows 10 device:
1. Open the Start menu, and then click the Settings option.
2. Open the Accounts page.
3. Navigate to Work access, and then click Connect.
4. Provide your domain credentials.

Notes: Describe the device-registration process for Windows 10. Mention that this process is slightly different in Windows 8.1, in which you use the Workplace Join feature for this process.
Troubleshooting Device Registration

- Verify that enterpriseregistration.upndomain.com resolves to the correct IP address
- Verify that the AD FS certificate is trusted and a CRL is accessible
- Device Registration is configured per user
- Ensure that the UPN is correct
- Ensure that applications support the Workplace Join feature
- AD FS can allow authentication only from devices registered using Device Registration
- Application authentication is cached for seven days
- Use event logs on clients and servers for troubleshooting
- Use the Best Practices Analyzer for Web Application Proxy

Notes: Use this topic to summarize potential troubleshooting areas for students.
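The following PowerShell script is an added example, not part of the course material or any Microsoft tool; it runs the first, second and event-log checks from the list above on the Windows client that fails to register. The UPN suffix is a constructed sample value, and the name of the Workplace Join event log is an assumption.

```powershell
# Added example (not from the course): client-side checks for the Device Registration
# prerequisites listed on the slide. Run on the Windows client that fails to register.
# $UpnSuffix is a constructed sample value; replace it with the user's real UPN suffix.
param(
    [string]$UpnSuffix = 'adatum.com'
)

$drsHost = "enterpriseregistration.$UpnSuffix"

# 1. Name resolution: internally the name should point at AD FS, externally at Web Application Proxy.
$dns = Resolve-DnsName -Name $drsHost -ErrorAction SilentlyContinue
if ($dns) { "$drsHost resolves to $($dns.IPAddress -join ', ')" }
else      { Write-Warning "$drsHost does not resolve; check the DNS record and the client's DNS suffix search order." }

# 2. HTTPS reachability (TCP 443) through any firewall or proxy in the path.
$tcp = Test-NetConnection -ComputerName $drsHost -Port 443 -WarningAction SilentlyContinue
"TCP 443 reachable: $($tcp.TcpTestSucceeded)"

# 3. Certificate trust and CRL reachability: fetch the server certificate with a TLS handshake,
#    then build the chain with online revocation checking, which is what the client also does.
try {
    $client = New-Object System.Net.Sockets.TcpClient($drsHost, 443)
    $accept = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($drsHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Close(); $client.Close()

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chainOk = $chain.Build($cert)
    "Server certificate: $($cert.Subject) (issuer: $($cert.Issuer), expires $($cert.NotAfter))"
    "Chain trusted and CRL reachable: $chainOk"
    foreach ($status in $chain.ChainStatus) {
        # Typical failures: UntrustedRoot (CA not trusted), RevocationStatusUnknown / OfflineRevocation (CRL not reachable)
        Write-Warning "Chain status: $($status.Status) - $($status.StatusInformation.Trim())"
    }
} catch {
    Write-Warning "TLS handshake with ${drsHost}:443 failed: $($_.Exception.Message)"
}

# 4. Client-side registration events. The log name is assumed to be the Workplace Join
#    admin log present on Windows 8.1 and Windows 10 clients.
Get-WinEvent -LogName 'Microsoft-Windows-Workplace Join/Admin' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
```

Run it once on the internal network and once from outside to confirm that the name resolves to AD FS internally and to Web Application Proxy externally, and that both paths present a trusted certificate.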
Lesson 2: Configuring and Troubleshooting Work Folders
- Other Considerations for Work Folders
Overview of Work Folders

- Work Folders allows users to access individual and shared data, and each user can access their own individual Work Folders
- Data is stored centrally on traditional file servers, and only on file servers that run Windows Server 2012 R2 or newer
- Users can use multiple and various devices for access, regardless of whether devices are domain-joined
- Data is accessible from any location with Internet connectivity, but a local copy is available without network connectivity
- While remaining in compliance with company policy, you can:
  - Use features such as access control, quotas, file screening, and classification
  - Encrypt or remotely wipe the local data copy

Notes: Ask students which solution they use currently when they need to:
- Access data from multiple devices.
- Use their devices offline.
- Synchronize copies of the data.
Introduce the Work Folders feature as a solution that allows users access to files from all of their devices, and use the slide as a reference so that you can explain the benefits of using the Work Folders feature.
Connecting Devices to Work Folders

- Each sync share is configured with allowed users
- Auto discovery:
  - Is triggered by the user
  - Clients connect to workfolders.domainname.com
  - Redirects clients based on the msDS-SyncServerURL attribute in user objects
- URL entry:
  - Is used when auto discovery fails
  - You must provide users with the correct URL
- Group Policy can:
  - Configure clients automatically
  - Provide settings for the setup process

Notes: Emphasize to students that clients must connect to the Work Folders server that is hosting a sync share that they have permission to use, and this needs to be the result of whichever configuration method they select.
External Connectivity to Work Folders

- If you use Web Application Proxy, you can:
  - Require Workplace Join for devices
  - Implement multi-factor authentication
- Azure Multi-Factor Authentication uses smartphones as a second authentication factor
- Auto discovery is the same for internal and external clients
- The URL for each Work Folders server must be available through the reverse proxy

Diagram labels: Web Application Proxy, File server, HTTPS.

Notes: Describe how external clients access Work Folders. The methods for connectivity are the same as for internal clients. The biggest difference is that Web Application Proxy can use Active Directory Federation Services (AD FS) to enhance security with Device Registration and multifactor authentication.
Synchronizing Work Folders Between Devices

- Changes made on one device synchronize with other devices automatically, by default
- Synchronization happens every 10 minutes
- When conflicts occur, the device name is appended to the conflicting file
- Use Remote Business Data Removal to wipe data remotely on a device that is lost or stolen, or when an employee no longer works for your company

Notes: Discuss how the Work Folders service synchronizes Work Folders content across devices, how it resolves conflicts, and how you can remove data remotely.
Tools for Troubleshooting Access to Work Folders

Troubleshooting tools include:
- Server Manager (user properties in the Work Folders view)
- The Get-SyncUserStatus cmdlet
- Troubleshooting tools for networking

You should be aware of the following issues:
- Network connectivity and name resolution
- User accounts with sync access
- A device must trust the Work Folders server certificate
- A device must comply with the sync share's device policy
- Users must have NTFS file-system permissions
- Synchronization does not happen immediately
- Multiple files might have similar names

Notes: Ask students what potential problems can happen with Work Folders. Explain the troubleshooting tools that are available and the common issues to be aware of when using Work Folders. Use the second slide in this topic to demonstrate some of these issues. You also can involve students by showing them the error message and asking what caused it.
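The following PowerShell script is an added example, not part of the course material; it works through the auto discovery items from the Connecting Devices topic and the issues list above for one user, on the Work Folders server. The user, sync share and domain names are constructed samples, and the script assumes the SyncShare and ActiveDirectory modules are installed on that server.

```powershell
# Added example (not from the course): server-side checks for one user who cannot sync,
# following the troubleshooting list on the slide. Run on the Work Folders server with the
# SyncShare and ActiveDirectory modules available. All names below are constructed samples.
param(
    [string]$SamAccountName = 'Adam',
    [string]$SyncShareName  = 'ExecutiveData',
    [string]$DnsDomain      = 'adatum.com'
)
Import-Module SyncShare, ActiveDirectory

# 1. Auto discovery entry point: clients first try workfolders.<domain>.
$discovery = "workfolders.$DnsDomain"
$dns = Resolve-DnsName -Name $discovery -ErrorAction SilentlyContinue
if ($dns) { "$discovery resolves to $($dns.IPAddress -join ', ')" }
else      { Write-Warning "$discovery does not resolve; auto discovery fails and users need the URL entered manually." }

# 2. Auto discovery redirect: msDS-SyncServerURL on the user object selects the server when
#    more than one Work Folders server exists; with a single server it may legitimately be empty.
$user = Get-ADUser -Identity $SamAccountName -Properties msDS-SyncServerURL
$url  = $user.'msDS-SyncServerURL'
"msDS-SyncServerURL: " + $(if ($url) { $url -join ', ' } else { '<not set>' })

# 3. Sync share access: the user must be covered, directly or via a group, by the share's allowed users.
$share  = Get-SyncShare -Name $SyncShareName
$groups = (Get-ADPrincipalGroupMembership -Identity $SamAccountName).SamAccountName
"Share '$($share.Name)' at $($share.Path); allowed: $($share.User -join ', ')"
$covered = $share.User | Where-Object {
    $name = ($_ -split '\\')[-1]           # strip the DOMAIN\ prefix
    $name -eq $SamAccountName -or $groups -contains $name
}
"User covered by an allowed entry: $([bool]$covered)"

# 4. NTFS permissions on the user's folder (created under the share path, named by alias by default).
$userFolder = Join-Path -Path $share.Path -ChildPath $SamAccountName
if (Test-Path -Path $userFolder) {
    (Get-Acl -Path $userFolder).Access |
        Where-Object { $_.IdentityReference -like "*\$SamAccountName" } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
} else { Write-Warning "$userFolder does not exist yet; the user has never completed a sync." }

# 5. Per-device sync status for the user on this share (last sync attempt and result per device).
$domainUser = "$((Get-ADDomain).NetBIOSName)\$SamAccountName"
Get-SyncUserStatus -User $domainUser -SyncShare $SyncShareName | Format-List *
```

Certificate trust and CRL reachability for the Work Folders server are checked the same way as for AD FS, from the client, against the Work Folders URL.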
Other Considerations for Work Folders

Considerations for Work Folders include:
- Clients must trust the certificates on the Work Folders server and reverse proxy
- The CRL must be accessible
- You can implement quotas, file screening, classification, and RMS on the Work Folders server
- Replication conflicts result in multiple file versions
- You can configure synchronization to stop when:
  - A file is larger than 10 GB
  - There is not enough free disk space
- Review the Work Folders event logs when troubleshooting

Notes: Use this topic to discuss additional issues that might affect deployment of Work Folders. There is a wide range of items in this topic, and you should discuss them all briefly, as they all can affect troubleshooting scenarios.
Lab: Troubleshooting Resource Access for Clients That Are Not Domain Members

- Exercise 4: Troubleshooting OneDrive for Business

Notes:

Exercise 1: Troubleshoot Device Registration
The system administrators have created a new infrastructure by using Windows Server 2012 R2 to support web-based applications. AD FS has been implemented with Web Application Proxy to provide protection and authentication. One of the new features that this configuration provides is support for Device Registration. As a matter of policy, certificates for all external services are obtained from a trusted CA on the Internet. Initially, the Sales and Ordering application is using Device Registration, and it needs to be available for sales people when they work remotely. In the past, a simple reverse proxy protected the application, and it was accessible from any device. However, your organization now is using Workplace Join to enhance security so that users can access the application from known devices only. You need to review the Workplace Join implementation and create a short orientation for help-desk and desktop-support staff.

Exercise 2: Troubleshooting Work Folders
A. Datum executives have been frustrated by using a virtual private network (VPN) to access their personal data remotely. The VPN works most of the time, but firewalls in some locations sometimes prevent them from signing in to the VPN. They also want their data available on their smartphones and tablets, which do not have VPN functionality. To provide the executives with access to personal data, you implemented Work Folders. However, at this time, there is only a single Work Folders server, although the system is designed to use auto discovery and support multiple Work Folders servers. The system also uses Windows Azure Multi-Factor Authentication to enhance security from external locations.

To simplify access to Work Folders data in the office, executives received a mapped drive letter to their Work Folder, which replaces their existing home folders. Data from the home folders has been copied into the Work Folder for each user.

Logon Information
Virtual machines: 10982B-LON-DC1, 10982B-LON-CL1, 10982B-LON-CL4
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 75 minutes
Lab Scenario

A. Datum Corporation has recently implemented new technologies to support BYOD for its employees. There are new implementations of Device Registration, Work Folders, and OneDrive for Business. You were the desktop-support representative who was involved in the project that implemented these new technologies.
Lab Review

Question: You are configuring Device Registration for adatum.com. What is the FQDN of the address that devices connect to when performing registration?
Answer: The device connects to deviceregistration.adatum.com when performing device registration.

Question: Users at A. Datum have UPNs that differ from their email address. Which should the user provide when performing Device Registration?
Answer: Users should provide their UPN when performing Device Registration. However, remember, particularly when troubleshooting Device Registration, that users may be confused and use their email address instead. This will cause issues with Device Registration.