How do you find the Network and Sharing Center in Windows 10?
Press the ‘Start’ button
Type ‘Control Panel’ and click the shortcut to Control Panel
Click ‘Network and Internet’ (skip this step if your ‘view by’ isn’t set to ‘category’)
Click ‘Network and Sharing Center’
Applies To: Windows 10
The Network and Sharing Center can be a bit hard to find in Windows 10, and there’s several ways to find it. The quickest way is by following the instructions above.
The Network and Sharing Center is part of the classic Windows Control panel, and being replaced by the more modern Network area of Settings:
Was stumpted on this one and had to get advice from Microsoft Support.
A single user couldn’t log in via Multi-Factor Authentication. SMS code would say it was sent, wouldn’t come through. Phone call also wouldn’t come through. Trying to set up another MFA method aka.ms/mfasetup would receive one of these errors:
You are blocked from performing this operation. Please contact your administrator for help.
We’re sorry, we ran into a problem. Please select “Next to try again.
There were zero search results for that first error word for word, which is never a good sign.
There’s several areas you can check for blocked users such as:
And of course, that’s where the user was listed. They’d had some suspicious activity (a MFA phone call they didn’t initiate) so chose the option to block future sign in attempts, as you’d hope. This also triggered an email alert to admins, and that link is where the user’s block is listed until released.
Update 27th November 2023: The below information may be a bit dated now, so please refer to the lastest official guide here: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-password-ban-bad-on-premises-deploy
Original Post: Microsoft have a nice way of preventing the use of bad passwords. Yes, all passwords are bad, but some are worse than others :)
Azure Active Directory Password Protection is a service that looks at password changes and blocks passwords it deems as weak. This could be from checking it’s an easy password to break using a dictionary attack, or other easily guessable variants. It leverages Microsoft online services to do so, which requires some setup and agents installed on the on-premises environment.
Microsoft’s documentation for this is detailed and fairly easy to follow, but I thought I’d do a quick rundown.
Installing the agents:
There are two agents – the ‘Azure AD Password Protection DC agent’ and the ‘Azure AD Password Protection proxy service’. Both can be downloaded here.
The ‘Azure AD Password Protection DC agent’ needs to be installed on all Domain Controllers (DCs), but the ‘Azure AD Password Protection proxy service’ only needs to be installed somewhere once. You CAN install it on a Domain Controller, and you can install it on ALL Domain Controllers, but Microsoft highlighted this as a potential security risk allowing any DC internet access. At least two installs of this is recommended for redundancy.
The ‘Azure AD Password Protection proxy service’ can’t be installed alongside (on the same server) as ‘Azure AD App Proxy Service’ – which is probably the same utility server you’d think of putting this on.
After installing the ‘Azure AD Password Protection proxy service’ you’ll need to run a few PowerShell commands to register it with global admin rights – you don’t need to create a service account for this, it’s just a one time registration process.
The commands are:
Register-AzureADPasswordProtectionProxy -AccountUpn ‘[email protected]’ (run this on each install)
Register-AzureADPasswordProtectionForest -AccountUpn ‘[email protected]’ (run this after the first install only)
Installing the ‘Azure AD Password Protection DC agent’ is easier again, but will need a reboot of the DC to start working.
Both clients automatically update themselves.
Configuring in Azure Active Directory
You’ll need to enable on-premises Azure Active Directory Password Protection on the Azure AD portal – that link should take you right to ‘Password Protection’ but it’s located under Azure Active Directory > Security > Authentication methods > Password protection.
Start with ‘Audit mode’ rather than ‘Enforced Mode’ so you can get an idea of how many users might get affected by this change, and allow you to communicate this out before forcing.
You can also add custom banned passwords which might include your company name and common terms in your business and industry, to ensure easily guessed passwords aren’t used.
Once set up, you can either read through the logs on a DC, or run this PowerShell command on each DC to see the results.:
Get-AzureADPasswordProtectionSummaryReport
You’ll need to either wait for users to change their passwords, or do some yourself and work out which DC the changes were done against. These stats will give you an idea of how many ‘failures’ were audited, so you can decide how much of a user impact enforcing the policy will be.
You could of course ship these event viewer logs to a central repository, but the service should just do it’s thing and just block users from setting a new password that’s really bad.
I currently have a Diskstation 1813+ 8 bay NAS which is doing a great job, but since Synology gave me a 1618+ to review, and the 1813+ is 7 years old, I’m migrating over to that instead. The catch is that I have 7 drives already in the 1813+ in a single SHR setup. How do I get that across to the newer 6 bay NAS? This is actually a writeup of the planned migration, rather than the success at the end… and the goal is to reduce costs. I could just buy 6 new 10TB drives and have an easy migration!
Yes, I’ve lied in bed at night thinking about this and the best approach. I have 40TB of space, ~30TB in use in a SHR setup:
If I had somewhere to just copy 30TB of data to temporarily, it’d be easy. Copy the data off, move 6 of the drives, create a new SHR, copy the data back and done. Except, I don’t have 30TB of space anywhere.
It isn’t possible to take a disk out of the SHR setup (i.e. shrining the volume size and somehow telling it to abandon one of the disks), so I can’t get a disk that way. I can however, take one disk out and break it’s redundancy while moving data. Risky, but that could give me at least the 12TB disk to use as temporary space. That’s a start.
It’s unavoidable, I’ll need to buy some more disks for temp space. I can get two external 10TB Seagate HDD for $283AU each and use those as temporary space along with the 12TB disk. That’ll get me my 30TB to copy everything off while I juggle the rest of the disks.
That leaves me with 2x 10TB and 4x6TB in the old SHR setup. There is a limitation of SHR which is worth understanding:
For SHR: The capacity of the drive you intend to add must be equal to or larger than the largest drive in the storage pool, or equal to any of the drives in the storage pool. Example: If an SHR storage pool is composed of three drives (2 TB, 1.5 TB, and 1 TB), we recommend that the newly-added drive should be at least 2 TB for a better capacity usage. You can consider adding 1.5 TB and 1 TB drives, but please note that some capacity of the 2 TB drive will remain unused.
What that means is, if I take the very slow approach of building up a SHR with just the two 10TB disks, then look to add more disks after, I can’t add a 6TB disk.
However, I can move all 6 remaining disks across and create a new SHR giving me a bit over 30TB:
Once that’s done, I can then copy all the data off the temporary 2x10TB and 1x12TB disks to the new Synology DiskStation 1618+. Great, except I want to use all four 6TB disks elsewhere and the end result would leave me with 4x10TB, 1x12TB and 1x6TB. I can’t remove the last 6TB disk without having an equal or bigger disk to replace it with, and I don’t want to but a third 10TB disk at this stage.
What I can do is set up the SHR being 1 disk short, leave out the last 6TB disk so I have 2x10TB and 3x6TB, which will give 28TB of space. Enough that I can then copy the contents of any two of the three temporary stoage disks (2x10TB and 1x12TB), and as they get cleared, add them to the SHR.
Each time I add a disk to the SHR it might take a day or two though – this process will take a while. I’ve got multiple points of failure (original SHR has no redundancy, single temporary storage disks all have no redundancy). I can only change one disk at a time.
Once I’m at 4x10TB and 1x6TB in the new SHR, I’ll have enough room to copy the 12TB of data off the spare disk, onto the SHR, then swap out the 6TB for the 12TB.
I also need to make sure for my own neatness, that the 6th bay doens’t have a drive in it at any time. Drives can’t be physically moved around in a SHR, so I don’t want to have 5 drives in a 6 bay NAS and have a ‘gap’ in the middle where there isn’t a drive. Not a dealbreaker on the move, but still :)
In summary:
Buy 2x10TB drives
Copy 20TB of the 30TB to the two drives I bought
Remove 1x12TB drive from SHR in the 1813+ NAS and break redundancy.
Copy remaining data to the 12TB drive mounted somewhere else.
Move 2x10TB and 3x6TB into the new 1618+NAS and create a SHR.
Copy the data off the 2x10TB drives to the new SHR.
Swap out one 6TB drive for a 10TB drive and repair the array.
Swap out the other 10TB drive for another 6TB drive in the array.
Copy the data on the 12TB disk onto the SHR.
Swap in the 12TB drive with the final 6TB drive.
All 6TB drives can go back in the 1813+ for other purposes
I think that’s my plan. I’ll update this post once I’m at the end of it (currently awaiting the arrival of the 2x10TB drives). Can you poke any holes in my plan?
21/07/2022 Long overdue update
The above did work, but I’ve moved a long way down the path since then. No 6TB drives to be seen, and I’ll do a new post about the updated setup – I’m now running 18TB drives! Still the same SHR and it’s nice that I’ve been able to continue to grow it without more muckarounds like the above!
