10982B 10: Troubleshooting Resource Access for Clients That Are Not Domain Members Module 10 Presentation: 75 minutes Lab: 75 minutes After completing.

Presentation transcript:

10982B 10: Troubleshooting Resource Access for Clients That Are Not Domain Members
Module 10
Presentation: 75 minutes
Lab: 75 minutes
After completing this module, students will be able to:
- Configure the Device Registration feature.
- Configure and troubleshoot the Work Folders feature.
- Configure and troubleshoot access to Microsoft OneDrive.
Required materials: To teach this module, you need the Microsoft Office PowerPoint file 10982B_10.pptx.
Preparation tasks: To prepare for this module, you should:
- Read all of this module’s materials.
- Practice performing the demonstrations and labs.
- Work through the Module Review and Takeaways section to determine how you will use the information to reinforce student learning and promote knowledge transfer to on-the-job performance.
As you prepare for this class, it is imperative that you complete the labs yourself. This gives you an understanding of how the labs work and the concepts that each covers, so that you can provide meaningful hints to students who might have issues. Furthermore, it will help guide your lecture to ensure that you discuss the concepts that the labs cover.

Module Overview
- Configuring and Troubleshooting OneDrive Access

Lesson 1: Configuring and Troubleshooting Device Registration
- Troubleshooting Device Registration

Overview of a BYOD Scenario
BYOD:
- Allows employees to use personal devices to access enterprise resources
- Results in more productive employees
- Shifts some management costs to employees
BYOD challenges include providing:
- Security for application access
- Security for enterprise data
- Support
Instructor notes: Provide a brief overview of Bring Your Own Device (BYOD). It is likely that students are familiar with BYOD, as their organizations probably support it. Do not spend too much time on the general concept, but if time permits, ask students about their experience with BYOD.

Overview of Device Registration
- Users can access internal websites and company apps without entering credentials each time
Diagram labels: AD FS, Domain controller, Certification authority, Web claims-aware app, Registered device, SSO, Web Application Proxy
Instructor notes: Ask students if they access company resources only from domain-joined computers and what challenges they have when using devices that are not domain members. Additionally, ask them why they use devices that are not domain members. Introduce the Device Registration feature in the Windows 10 and Windows 8.1 operating systems, and explain its benefits. Explain that from a device enabled for Device Registration, users can access company resources that use claims-based authentication, without having to enter their credentials each time. This means that the user has a single sign-on (SSO) experience. Point out that administrators can configure authentication requirements and have granular control of apps, while allowing users to access these apps from devices on which they enable the Device Registration feature. For example, discuss how you can require additional authentication if users want to access resources from a public network, and that you can specify that they can access only claims-aware apps. Furthermore, explain that when the same user uses the same device, still with the Device Registration feature enabled, they can access additional apps on the company network.

The Device Registration Process
- Device Registration with on-premises Device Registration Service
Diagram labels: Coffee shop, Device Registration, Corporate firewall, AD FS, Web Application Proxy, Home office
Instructor notes: Use the picture on the slide to describe how the Device Registration feature works.

Registering and Enrolling Devices
To register a Windows 10 device:
1. Open the Start menu, and then click the Settings option
2. Open the Accounts page
3. Navigate to Work access, and then click Connect
4. Provide your domain credentials
Instructor notes: Describe the device-registration process for Windows 10. Mention that this process is slightly different in Windows 8.1, in which you use the Workplace Join feature for this process.

Troubleshooting Device Registration
- Verify that enterpriseregistration.upndomain.com resolves to the correct IP address
- Verify that the AD FS certificate is trusted and a CRL is accessible
- Device Registration is configured per user
- Ensure that the UPN is correct
- Applications must support the Workplace Join feature
- AD FS can allow authentication only from devices registered using Device Registration
- Application authentication is cached for seven days
- Use event logs on clients and servers for troubleshooting
- Use the Best Practices Analyzer for Web Application Proxy
Instructor notes: Use this topic to summarize potential troubleshooting areas for students.

Lesson 2: Configuring and Troubleshooting Work Folders
- Other Considerations for Work Folders

Overview of Work Folders
- Work Folders allows users to access individual and shared data, and they can access on their own individual Work Folders
- Data is stored centrally on traditional file servers, and only on file servers that run Windows Server 2012 R2 or newer
- Users can use multiple and various devices for access, regardless of whether devices are domain-joined
- Data is accessible from any location with Internet connectivity, but a local copy is available without network connectivity
- While remaining in compliance with company policy, you can:
  - Use features such as access control, quotas, file screening, and classification
  - Encrypt or remotely wipe the local data copy
Instructor notes: Ask students which solution they use currently when they need to: access data from multiple devices, use their devices offline, and synchronize copies of the data. Introduce the Work Folders feature as a solution that allows users access to files from all of their devices, and use the slide as a reference so that you can explain the benefits of using the Work Folders feature.

Connecting Devices to Work Folders
- Each sync share is configured with allowed users
- Auto discovery:
  - Is triggered by the user
  - Clients connect to workfolders.domainname.com
  - Redirects clients based on the msDS-SyncServerURL attribute in user objects
- URL entry:
  - Is used when auto discovery fails
  - Must provide users with the correct URL
- Group Policy can:
  - Configure clients automatically
  - Provide settings for the setup process
Instructor notes: Emphasize to students that clients must connect to the Work Folders server that is hosting a sync share that they have permission to use, and this needs to be the result of whichever configuration method they select.

External Connectivity to Work Folders
- If you use Web Application Proxy, you can:
  - Require Workplace Join for devices
  - Implement multi-factor authentication
- Azure Multi-Factor Authentication uses smartphones as a second authentication factor
- Auto discovery is the same for internal and external clients
- The URL for each Work Folders server must be available through the reverse proxy
Diagram labels: Web Application Proxy, File server, HTTPS
Instructor notes: Describe how external clients access Work Folders. The methods for connectivity are the same as for internal clients. The biggest difference is that Web Application Proxy can use Active Directory Federation Services (AD FS) to enhance security with Device Registration and multifactor authentication.

Synchronizing Work Folders Between Devices
- Changes made on one device synchronize with other devices automatically, by default
- Synchronization happens every 10 minutes
- When conflicts occur, the device name is appended to the conflicting file
- Use Remote Business Data Removal to wipe data remotely on a device that is lost or stolen, or when an employee no longer works for your company
Instructor notes: Discuss how the Work Folders service synchronizes work-folder content across devices, how it resolves conflicts, and how you can remove data remotely.

Tools for Troubleshooting Access to Work Folders
Troubleshooting tools include:
- Server Manager (user properties in Work Folders view)
- Get-SyncUserStatus cmdlet
- Troubleshooting tools for networking
You should be aware of the following issues:
- Network connectivity and name resolution
- User accounts with sync access
- A device must trust a Work Folders server certificate
- A device must comply with a sync folder device policy
- Users must have NTFS file-system permissions
- Synchronization does not happen immediately
- Multiple files might have similar names
Instructor notes: Ask students what potential problems can happen with Work Folders. Explain the troubleshooting tools that are available and the common issues to be aware of when using Work Folders. Use the second slide in this topic to demonstrate some of these issues. You also can involve students by showing them the error message and asking what caused it.

Other Considerations for Work Folders
Considerations for Work Folders include:
- Clients must trust the certificates on the Work Folders server and reverse proxy
- The CRL must be accessible
- You can implement quotas, file screening, classification, and RMS on the Work Folders server
- Replication conflicts result in multiple file versions
- You can configure synchronization to stop when:
  - A file is larger than 10 GB
  - There is not enough free disk space
- Review the Work Folders event logs when troubleshooting
Instructor notes: Use this topic to discuss additional issues that might affect deployment of Work Folders. There is a wide range of items in this topic, and you should discuss them all briefly, as they all can affect troubleshooting scenarios.
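
The name-resolution, certificate-trust and CRL checks listed for both Device Registration and Work Folders can be run from the affected client with one script. The following is an added example, not part of the course material: the function name Test-ServiceEndpoint and the sample UPN are assumptions, and the host names are built from the patterns on the troubleshooting slides.

```powershell
# Added example: diagnostic checks for a Device Registration or Work Folders HTTPS endpoint.
function Test-ServiceEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $r = [ordered]@{ HostName = $HostName; Addresses = ''; Subject = ''
                     NotAfter = $null; ChainOk = $false; Detail = '' }

    # 1. Name resolution: compare the addresses with the expected proxy or server IP.
    try {
        $r.Addresses = (Resolve-DnsName -Name $HostName -ErrorAction Stop |
            Where-Object { $_.IPAddress } |
            Select-Object -ExpandProperty IPAddress) -join ', '
    } catch {
        $r.Detail = "DNS: $($_.Exception.Message)"
        return [pscustomobject]$r
    }

    # 2. Fetch the server certificate. The callback accepts any certificate only so
    #    that an untrusted one can still be captured and examined in step 3.
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        $tcp.Connect($HostName, $Port)
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $r.Subject  = $cert.Subject
        $r.NotAfter = $cert.NotAfter

        # 3. Build the chain against this device's trust store with online revocation
        #    checking, so an unreachable CRL is reported as a chain status.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $r.ChainOk = $chain.Build($cert)
        $r.Detail  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    } catch {
        $r.Detail = "TLS: $($_.Exception.Message)"
    } finally {
        $tcp.Close()
    }
    [pscustomobject]$r
}

# Constructed sample UPN; the registration name is derived from the UPN suffix,
# and the sample assumes Work Folders discovery uses the same domain.
$upn    = 'user@adatum.com'
$suffix = ($upn -split '@', 2)[1]
"enterpriseregistration.$suffix", "workfolders.$suffix" |
    ForEach-Object { Test-ServiceEndpoint -HostName $_ } | Format-List
```

A ChainOk value of False with UntrustedRoot in Detail points to a trust problem on the device, while RevocationStatusUnknown or OfflineRevocation points to a CRL that the device cannot reach.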

Lab: Troubleshooting Resource Access for Clients That Are Not Domain Members
- Exercise 4: Troubleshooting OneDrive for Business
Exercise 1: Troubleshoot Device Registration
The system administrators have created a new infrastructure by using Windows Server 2012 R2 to support web-based applications. AD FS has been implemented with Web Application Proxy to provide protection and authentication. One of the new features that this configuration provides is support for Device Registration. As a matter of policy, certificates for all external services are obtained from a trusted CA on the Internet. Initially, the Sales and Ordering application is using Device Registration, and it needs to be available for sales people when they work remotely. In the past, a simple reverse proxy protected the application, and it was accessible from any device. However, your organization now is using Workplace Join to enhance security so that users can access the application from known devices only. You need to review the Workplace Join implementation and create a short orientation for help-desk and desktop-support staff.
Exercise 2: Troubleshooting Work Folders 1
A. Datum executives have been frustrated by using a virtual private network (VPN) to access their personal data remotely. The VPN works most of the time, but firewalls in some locations sometimes prevent them from signing in to the VPN. They also want their data available on their smartphones and tablets, which do not have VPN functionality. To provide the executives with access to personal data, you implemented Work Folders. However, at this time, there is only a single Work Folders server, although the system is designed to use auto discover and support multiple Work Folders servers. The system also uses Windows Azure Multi-Factor Authentication to enhance security from external locations. To simplify access to Work Folders data in the office, executives received a mapped drive letter to their Work Folder, which replaces their existing home folders. Data from the home folders has been copied into the Work Folder for each user.
Logon Information
Virtual machines: 10982B-LON-DC1, 10982B-LON-CL1, 10982B-LON-CL4
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 75 Minutes
(More notes on the next slide)

Lab Scenario
A. Datum Corporation has recently implemented new technologies to support BYOD for its employees. There are new implementations of Device Registration, Work Folders, and OneDrive for Business. You were the desktop-support representative who was involved in the project that implemented these new technologies.

Lab Review
Question: You are configuring Device Registration for adatum.com. What is the FQDN of the address that devices connect to when performing registration?
Answer: The device connects to deviceregistration.adatum.com when performing device registration.
Question: Users at A. Datum have UPNs that differ from their email address. Which should the user provide when performing Device Registration?
Answer: Users should provide their UPN when performing Device Registration. However, remember, particularly when troubleshooting Device Registration, that users may be confused and use their email address instead. This will cause issues with Device Registration.