New Microsoft Azure Active Directory Content

Note-to-self: Microsoft has published a lot of new Azure Active Directory (AAD) content after //build:

Easiest way to troubleshoot DirectAccess issues – The DirectAccess Client Troubleshooting tool

Yesterday was a really great day, because Microsoft published the DirectAccess Client Troubleshooting Tool on Microsoft Downloads.

But what’s the DirectAccess Client Troubleshooting Tool? Well, here’s a very short description:

The DirectAccess Client Troubleshooting Tool is a graphical application, based on the .NET Framework, which checks the health of a DirectAccess client by running various tests.  The following tests are currently implemented:

  • Network interfaces
  • Network location (NLS and NRPT DNS)
  • IP connectivity (6to4, Teredo, IPHTTPS, entry point in a multisite setup, DNS)
  • Windows Firewall (applied profile, Firewall outbound rules)
  • Certificates (EKU Client Authentication, trust chain for AIA and CRL)
  • IPsec infrastructure tunnel (Domain SysVol share)
  • IPsec intranet tunnel (PING and HTTP probes)

And there are more “hidden” features that I will describe in a future blog post. Oh, and yes, the development team of this tool is working on the next release, which will include even more awesome features! :-)

Go and grab your copy from

General Availability of Azure Active Directory, Generic LDAP, and SharePoint UPS Connectors for FIM 2010 R2

After a couple of months, the three new FIM 2010 R2 Connectors have left the RC phase and are now GA! Here’s a short overview of the three new Connectors:

Windows Azure Active Directory Connector

This Connector can be used in scenarios not supported by DirSync, for example multi-forest or non-AD. The Connector comes with sample code and configuration for a resource/account-forest scenario. For more information, please refer to the TechNet documentation:

Generic LDAP

This Connector will allow you to connect to an LDAPv3 compliant directory. It currently supports the same LDAP directories (IBM, Novell, and Oracle) we ship with FIM 2010 R2 and will over time replace the built-in LDAP Management Agents. For more information, please refer to the TechNet documentation:

SharePoint User Profile Store

This Connector will connect to the SharePoint User Profile Store and can be used as a replacement for the built-in synchronization engine which comes with SharePoint, for example in multi-forest or non-AD scenarios. For more information, please refer to the TechNet documentation:

IPv6 Address disappeared on ISATAP Adapter

Yesterday, I worked on a DirectAccess case where the IPv6 address disappeared on one of the two ISATAP adapters on a DirectAccess server. We found the solution by running the following netsh command, which outputs the configuration of the specified ISATAP adapter. Oh, btw, you should use the interface ID of the “internal” ISATAP adapter (there is one ISATAP adapter for each network interface):

netsh int ipv6 show int <InterfaceID>

The most interesting parts of the output are the following two lines:

Forwarding                         : disabled
Advertising                        : disabled


The problem was that both settings, Forwarding and Advertising, were set to disabled. However, both have to be enabled for an IPv6 address to be set on the adapter. After executing the command netsh interface ipv6 set interface <InterfaceID> forwarding=enabled advertise=enabled, everything worked as expected.
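The check described above can be scripted. The following PowerShell is an added example, not part of the original post; it assumes English-language netsh output, and the function names, the interface ID 99 and the sample output are constructed for illustration.

```powershell
# Parse the "Name : value" lines printed by: netsh int ipv6 show int <InterfaceID>
function ConvertFrom-NetshInterfaceOutput {
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    $settings = @{}
    foreach ($line in $Lines) {
        # Header and separator lines contain no colon and are skipped.
        if ($line -match '^\s*(?<name>[^:]+?)\s*:\s*(?<value>.*?)\s*$') {
            $settings[$Matches['name']] = $Matches['value']
        }
    }
    return $settings
}

# Report whether the two settings named in the post are enabled.
function Test-IsatapRouterSettings {
    param(
        [Parameter(Mandatory = $true)][hashtable]$Settings,
        [Parameter(Mandatory = $true)][string]$InterfaceId
    )
    $disabled = @()
    foreach ($name in 'Forwarding', 'Advertising') {
        # A missing key is treated like a disabled setting.
        if ($Settings[$name] -ne 'enabled') { $disabled += $name }
    }
    [pscustomobject]@{
        InterfaceId = $InterfaceId
        Healthy     = ($disabled.Count -eq 0)
        Disabled    = $disabled
        # The fix is only printed, never executed by this script.
        Fix         = if ($disabled.Count -gt 0) {
            "netsh interface ipv6 set interface $InterfaceId forwarding=enabled advertise=enabled"
        } else { $null }
    }
}

# Constructed sample output (not captured from a real server).
# On a live server use instead: $lines = netsh int ipv6 show int <InterfaceID>
$lines = @'
Interface isatap.example Parameters
----------------------------------------------
IfIndex                            : 99
State                              : connected
Forwarding                         : disabled
Advertising                        : disabled
'@ -split "`r?`n"

$parsed = ConvertFrom-NetshInterfaceOutput -Lines $lines
Test-IsatapRouterSettings -Settings $parsed -InterfaceId '99' | Format-List
```

For the constructed sample, Healthy is False and both settings are listed under Disabled, together with the netsh command from the post.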

New Remote Access (DirectAccess) Content on TechNet

Microsoft has just published a lot of new Remote Access (DirectAccess) content on TechNet, which is great news. For example, you can now find a list of all available hotfixes for Windows Server 2012, Windows 8 and Windows 7 client computers, or a list of all scenarios unsupported by the Product Group.

A Swiss blog about Microsoft's Security & Identity and Access Management solutions for Private and Public Clouds