joe’s commandments for DS Admins

joe Richards has a blog post on his advice for DS Admins.

Not 10 this time but 8 commandments:

<joe Commands>

1. Do not share your credentials with anyone. Period.

2. Be scared when using the ID, you can do a lot of damage with it.

3. Have second and third thoughts before changing things.

4. When in GUI applications, if you don’t mean to change things, use CANCEL, not OK to exit dialogs.

5. You can do a lot from your normal userid, prefer to use it over the Domain Admin ID.

6. Try to solve issues without logging interactively into Domain Controllers.

7. If you aren’t sure about something, don’t do it.

8. Ask questions. I’d much rather hear “I don’t know” than someone trying to guess.

</joe Commands>

How not to suck at security

Got a pointer to this cheat sheet from the activedir.org newsgroup.

It is full of security truisms. Everyone should read it at least twice!

How many FSMO role holders do you have in your Forest?

I got quite a decent surprise the other day whilst I was upgrading my “home” AD forest for W2K8 DCs, as you do ;-). I know this isn’t strange to a lot of folk but I have a functional forest at home that I use to support my household and the occasional family friend who may require access through my network whilst on a visit etc. This network also includes ISA 2006 (the best firewall out there by far!), a Certificate server and an Exchange server. This network is distinct and separate from my lab environment(s), which is/are essentially a VM environment where I can test stuff and crash and burn boxes to my heart’s content.

But my home AD Forest has been around for a while as the diagram below shows:

[Image: AdCreatedate (creationTime of the Domain Naming Context)]

That's approximately 7 and a half years if you look at the creationTime for the Domain Naming Context! A lot has gone on in that AD environment over the years and I most certainly didn't keep exact records. Wasn't that important an environment I guess.

Anyway, back to the gist: how many FSMO role holders do you have in a single-domain forest? I have always had a standard answer for that and it was 5. Two forest-wide FSMO role holders: the Schema Master and the Domain Naming Master, and three domain-wide FSMO role holders: the PDCe, the RID Master and the Infrastructure Master.

So, when my first and very old Windows 2003 DC died on me having served faithfully since it was an NT4 PDC, I seized the roles to my second Windows 2003 DC and moved in my first 2008 server and dcpromed it after running adprep /forestprep and /domainprep.

I then moved the FSMO roles back to the new Windows 2008 DC. A couple of days later, I decided, OK, we might need an RODC here so let’s RODCprep this environment. And that is where this story leads: adprep /rodcprep failed with the following error:

Adprep could not contact a replica for partition DC=DomainDnsZones,DC=trucyber,DC=com
Adprep failed the operation on partition DC=DomainDnsZones,DC=trucyber,DC=com Skipping to next partition.
Adprep could not contact a replica for partition DC=ForestDnsZones,DC=trucyber,DC=com
Adprep encountered an LDAP error. Error code: 0x0. Server extended error code: 0x0, Server error message: (null).
Adprep failed the operation on partition DC=ForestDnsZones,DC=trucyber,DC=com Skipping to next partition.
Adprep completed with errors. Not all partitions are updated.

I knew my FSMO role holders were moved OK and functional, so what was this about? A quick Google brought up KB949257.

And sure enough, a check on the FSMO Role Owner for the DomainDnsZones partition confirmed it:

C:\Users\austin>dsquery * cn=Infrastructure,dc=domainDnsZones,dc=trucyber,dc=com -attr fSMORoleOwner
  fSMORoleOwner
  CN=NTDS Settings,CN=tru2k3,CN=Servers,CN=manchester,CN=Sites,CN=Configuration,DC=trucyber,DC=com

Tru2k3 was my dead DC, and the FSMO role owners for non-domain naming contexts (NDNCs) do not move or get seized when the forest and domain roles are moved!

Each NDNC has an Infrastructure Master which may or may not be on the same DC holding the Domain Infrastructure Master role. KB 949257 has a script to fix the issue, or you can manually edit the attribute using adsiedit.

So, to the question, how many FSMO roles in a single domain forest? The answer I now know is it depends on how many application partitions or NDNCs exist in the domain. You’ll have the 5 we all know about and an IM role for each NDNC in the domain. We live and learn.
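To audit this across every partition rather than querying each one by hand, here is an added PowerShell example (mine, not from the post and not the KB 949257 script). It walks the crossRef objects under CN=Partitions in the Configuration NC, reads fSMORoleOwner on each CN=Infrastructure object it finds (domain NCs and NDNCs have one; Schema and Configuration do not), and flags owners whose NTDS Settings object is gone or whose DC no longer answers on TCP/389. The second case matters because, as above, the tru2k3 owner DN still resolved perfectly well while the box itself was dead. It assumes a domain-joined machine, a domain user account and plain ADSI (no AD module); the function name Test-LdapReachable and the 3 second timeout are my choices.

```powershell
# Added example (not from the original post or from KB 949257): audit the Infrastructure Master
# of every naming context that has one, including application partitions (NDNCs) such as
# DomainDnsZones and ForestDnsZones, and flag owners that are gone or unreachable.
# Assumes a domain-joined machine, a domain user account and ADSI only (no AD module).

function Test-LdapReachable([string]$hostName) {
    # $true when TCP/389 on the host answers within 3 seconds. A DC whose NTDS Settings object
    # still exists but which is powered off (the dead tru2k3 in the post) fails this test.
    $ErrorActionPreference = "SilentlyContinue"   # local to this function's scope
    $client = New-Object System.Net.Sockets.TcpClient
    $handle = $client.BeginConnect($hostName, 389, $null, $null)
    if (-not $handle) { return $false }
    $answered = $handle.AsyncWaitHandle.WaitOne(3000, $false)
    $up = $answered -and $client.Connected
    $client.Close()
    return $up
}

$rootDse    = [ADSI]"LDAP://RootDSE"
$configNc   = [string]$rootDse.configurationNamingContext
$partitions = [ADSI]"LDAP://CN=Partitions,$configNc"

# Each child of the Partitions container is a crossRef whose nCName is a naming context DN.
foreach ($crossRef in $partitions.Children) {
    $nc = [string]$crossRef.nCName
    if (-not $nc) { continue }

    # Schema and Configuration have no CN=Infrastructure object; domain NCs and NDNCs do.
    $infraDn = "CN=Infrastructure,$nc"
    if (-not [ADSI]::Exists("LDAP://$infraDn")) { continue }

    # fSMORoleOwner is the DN of the owning DC's NTDS Settings object.
    $owner = [string]([ADSI]"LDAP://$infraDn").fSMORoleOwner

    $state = "ok"
    if (($owner -eq "") -or ($owner -match '0ADEL:') -or (-not [ADSI]::Exists("LDAP://$owner"))) {
        # Owner object deleted, or rewritten to a deleted-object DN: the DC was removed
        # without this role being moved, which is what adprep /rodcprep trips over.
        $state = "ORPHANED"
    } else {
        # NTDS Settings -> server object -> dNSHostName; then check the DC actually answers.
        $ownerHost = [string]([ADSI]"LDAP://$owner").Parent.dNSHostName
        if (-not (Test-LdapReachable $ownerHost)) { $state = "OWNER DOWN ($ownerHost)" }
    }
    Write-Host ("{0,-24} {1}" -f $state, $nc)
    Write-Host ("{0,-24} owner: {1}" -f "", $owner)
}
```

Run it from any domain-joined box before adprep /rodcprep (or after any DC is decommissioned): a line marked ORPHANED or OWNER DOWN for DomainDnsZones or ForestDnsZones is exactly the condition behind the "could not contact a replica" errors above, and the fix is still the KB 949257 script or an adsiedit change to fSMORoleOwner; this script only reports.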

Forefront TMG Public beta released!

Forefront Threat Management Gateway (TMG) is the advanced stateful packet and application-layer inspection firewall, virtual private network (VPN), and Web cache solution that enables you to easily maximize existing information technology (IT) investments by improving network security and performance.

This product supersedes Microsoft Internet Security and Acceleration (ISA) Server 2006 and 2004 and will only install on x64 Windows Server 2008.

The public beta and release notes can be obtained here.

Enjoy!!

Hotfix to resolve problem in which a Live Communications Server 2005 forest Unprep command deletes the entire "\Microsoft\" parent container in Active Directory

http://support.microsoft.com/?kbid=960724

When you run the forest *Unprep* command, Live Communications Server 2005 deletes the "\Microsoft\" parent container in the Active Directory directory service. This hotfix resolves this issue. After you apply this hotfix, the forest *Unprep* command only deletes the Real-time Communications (RTC) child container.

Incorrect deletion of the Microsoft parent container can cause data loss for products that use the Microsoft container under the System partition. This data loss includes but is not limited to Microsoft Certificate LifeCycle Manager 2007

Problems with BranchCache™ feature of Windows 2008 R2

I have been trying out some of the Windows 2008 R2 features and a colleague and I decided to try out the BranchCache feature. This feature is meant to be a WAN optimisation strategy for Windows 7 and Windows 2008 R2. Frequently used HTTP and SMB content in branch offices is cached locally and subsequent requests for the same content are served from the local cache.

There are 2 ways BranchCache can be implemented:

1. Storing the cache content on a dedicated BranchCache server located in the branch office, and

2. Peer content requests, where a BranchCache server at the main office redirects a branch office request for content previously delivered to the branch office to the content’s location, which is usually another worker’s Windows 7 PC.

At least that's the theory.

Whilst trying to set up a lab for a BranchCache deployment, the process bombs out when trying to create the BranchCache-enabled shared network folder, as shown in the diagram below:

[Image: clip_image001 (error creating the BranchCache-enabled shared folder)]

The specific error states: “Flags for the SMB shared folder cannot be configured. The specified service does not exist as an installed service”

This is confusing as the BranchCache Service is certainly installed as a service and started as shown below:

[Image: clip_image001[9] (BranchCache service installed and started)]

Another key part of the process is to create hashes of the files in the shared folder using a tool called Hashgen.exe

I have been unable to find this tool on my install of Windows 2008 R2 and Google doesn't throw up any related answers.

It would be interesting to know if anyone else has come across this and how they fixed or resolved it.

RODC/PDCe dependencies

Mark Parris, in his latest blog entry, mentions the removal of the dependency for the PDCe to be on a Windows 2008 DC for the deployment of RODCs in the Windows Server 2008 operations guide.

Whilst this is true for the AD upgrade of the RODC, you will still have issues if the PDCe is not on a Windows 2008 DC (especially in a single-domain environment; see: Keeping the Domain on time). This is because the RODC will not be able to use a Windows 2003 DC that holds the PDCe role for the domain as an authoritative time source, nor find another authoritative time source, and time skew will eventually occur because the PDCe for the domain is what all DCs use as the authoritative time source. This time skew can and will affect clients authenticating to the RODC and replication from Windows 2008 DCs to the RODC.

The work around for this is to:

1. Move the PDCe role for the domain to a Windows 2008 DC, or

2. Configure the RODC as a reliable time source for authenticating clients using the command: w32tm /config /reliable:yes /update

It seems to me the statement that the RODC can synchronise time with a writable Windows 2008 domain controller assumes that DC holds the PDCe role, unless the RODC is created in a child domain that has a non-PDCe Windows 2008 DC and the Windows 2008 DC the RODC synchronises its time with is in the parent domain of the forest; but that is not inferred in any of the texts I have seen.

So, my advice is, if you are installing RODCs, make sure you move the PDCe role to the writable Windows 2008 DC. It’ll make your life a lot easier!
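As an added check for this advice (example code written here, not from Mark’s entry or the original post), the following PowerShell script locates the domain’s PDC emulator via the fSMORoleOwner of the domain naming context, prints the operating system recorded on its computer object, and then measures every DC’s clock offset relative to the PDCe using w32tm /stripchart. It assumes a domain-joined machine with w32tm.exe and NTP (UDP/123) reachable to each DC; the 60 second warning threshold and the function name Get-OffsetFromLocalClock are my choices, and the regex expects the “.” decimal separator that w32tm prints on English locales.

```powershell
# Added example (not from the original post): find the domain's PDC emulator, report the OS it
# runs, and measure every DC's clock offset relative to it with w32tm /stripchart. Assumes a
# domain-joined machine with w32tm.exe, and that UDP/123 to each DC is open from this machine.

$warnSeconds = 60     # Kerberos tolerates 5 minutes of skew by default; warn well before that

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNc = [string]$rootDse.defaultNamingContext
$configNc = [string]$rootDse.configurationNamingContext

# The domain NC's fSMORoleOwner is the PDC emulator's NTDS Settings DN; its parent is the
# server object, which carries dNSHostName and (via serverReference) the computer object.
$pdcNtds     = [ADSI]("LDAP://" + [string]([ADSI]"LDAP://$domainNc").fSMORoleOwner)
$pdcServer   = $pdcNtds.Parent
$pdcHost     = [string]$pdcServer.dNSHostName
$pdcComputer = [ADSI]("LDAP://" + [string]$pdcServer.serverReference)
Write-Host ("PDC emulator: {0} running '{1}'" -f $pdcHost, [string]$pdcComputer.operatingSystem)

# Every DC, writable or RODC, has an nTDSDSA object under CN=Sites; walk up to its server.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNc"
$searcher.Filter = "(objectClass=nTDSDSA)"
$dcHosts = @()
foreach ($result in $searcher.FindAll()) {
    $dcHosts += [string]$result.GetDirectoryEntry().Parent.dNSHostName
}

function Get-OffsetFromLocalClock([string]$target) {
    # w32tm /stripchart reports each sample as "hh:mm:ss, +00.0012345s" relative to THIS
    # machine's clock; /dataonly strips the graph. Returns the average in seconds, or $null.
    $samples = @()
    foreach ($line in (w32tm /stripchart /computer:$target /samples:3 /dataonly 2>&1)) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s') { $samples += [double]$matches[1] }
    }
    if ($samples.Count -eq 0) { return $null }
    return ($samples | Measure-Object -Average).Average
}

# Subtracting the PDCe's offset from each DC's offset cancels this machine's own clock error.
$pdcOffset = Get-OffsetFromLocalClock $pdcHost
foreach ($dc in ($dcHosts | Sort-Object -Unique)) {
    $dcOffset = Get-OffsetFromLocalClock $dc
    if ($pdcOffset -eq $null -or $dcOffset -eq $null) {
        Write-Host ("{0,-40} no NTP reply" -f $dc)
        continue
    }
    $skew = $dcOffset - $pdcOffset
    $flag = if ([math]::Abs($skew) -gt $warnSeconds) { "SKEW > $warnSeconds s" } else { "ok" }
    Write-Host ("{0,-40} {1,12:F3}s {2}" -f $dc, $skew, $flag)
}
```

Because /stripchart measures each DC against the clock of the machine running the script, the script subtracts the PDCe’s offset from each DC’s, so an inaccurate local clock cancels out; the DC-to-DC figure is what matters, since Kerberos rejects tickets beyond 5 minutes of skew by default. If the PDCe line reports a Windows Server 2003 operating system and an RODC shows growing skew, that is the situation described above.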

A Weekend of Smiles!!

I guess I can say “It’s great to be alive”!!!

Was at Scotty's wedding this last weekend and boy, was it a blast and a half!!

It was great to see the old boy again after his “head-butting event” with a train about this time last year and you can tell good ‘ol Scotty is well on his way back!

I guess he has inspired me to get back to doing “what we do” and that all is well.

The geezer is truly the epitome of impossible is nothing.

[Image: Scotty]

Also met some old friends at the wedding: Richard Siddaway of the UK PoSH user group was there as was Steve Lamb of MS. Mark Parris was there briefly and it was nice to finally put a face to someone I “meet” on the Internet.

One thing for sure is Scotty’s Mrs, Janice, sure knows how to rig up a party!! Great fun it was for everyone who was there, I’m sure.

So folks, after that long hiatus, the blog’s alive again!

Should be posting voraciously from now on. I promise. :-)

Been a long time & Get well soon Scotty!

[Image: ScottyM]

Yes, it's been quite a while since I have written on this blog! Just before TechEd in November, I think. Quite a lot has been happening around me and slowly but surely, I'm finding some semblance of stability again. A new job and having to rapidly learn a new environment and start becoming productive has been hard work. Being surrounded by some of the most helpful people I've had the pleasure to work with has made the load lighter and fun. I'll try over the next couple of weeks to regurgitate some of my highlights of the preceding 2 - 3 months.

Unfortunately, what kick-starts my post today is very sad news about my good friend and colleague, Scotty McLeod, who runs the Windows Server Team Blog. He was involved in an accident at a London train station on Wednesday on his way home from some work-related meeting with Quest in London. He sustained some sort of head injury and is still unconscious in the neurology intensive care unit of St George's Hospital.

I can't for the life of me, make sense of it all. And the "wrongest" person this could/should happen to! We need you well Scotty!!!

I am praying for his swift recovery and ask any of you who pray or can, to please remember him and his family in yours.

Use full DNS Names and OS tags in GINA's Dropdown Dialog box

Someone on the Activedir newsgroup wanted DNS names in the logon dialog box users see rather than the NetBIOS name. I didn't initially think this was possible but the poster insisted they had seen it done before. Well, two solutions were proffered: Jorge de Almeida Pinto came up with a custom ADM which could be applied to the boxes you wanted this feature enabled on, and Dean Wells provided a reg hack which did the same thing. Thought I should share both:

--------------------------------------------------------

Custom ADM

--------------------------------------------------------

; Custom ADM to change how domain names are shown in the logon box
; REMARK: these are preferences and NOT policies. As such make sure you enable viewing of preferences in the GPEditor!

CLASS MACHINE

 CATEGORY "System"
  CATEGORY "Net Logon"
   CATEGORY "Domain Name in Logon Box"

    KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

    POLICY "Show Full DNS Names At Logon"
     EXPLAIN "EXPLANATION: When enabled, the list of domains on the logon dialog will show the full DNS names (hierarchical) rather than the NETBIOS names (flat)."
     VALUENAME "DCacheShowDnsNames"
     VALUEON  NUMERIC 1
     VALUEOFF NUMERIC 0
    END POLICY

    POLICY "Show Additional Domain Information At Logon"
     EXPLAIN "EXPLANATION: When enabled, the list of domains on the logon dialog will contain brief information about each domain after the domain name."
     VALUENAME "DCacheShowDomainTags"
     VALUEON  NUMERIC 1
     VALUEOFF NUMERIC 0
    END POLICY

   END CATEGORY
  END CATEGORY
 END CATEGORY

--------------------------------------------------------

Reg Hack

--------------------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DCacheShowDomainTags"=dword:00000001
"DCacheShowDnsNames"=dword:00000001

--------------------------------------------------------

Both are cosmetic changes and do not change the logon process in any way. Just interesting to know it can be done.

ADInsight for Active Directory

Mark Russinovich and Bryce Cogswell of Sysinternals fame have released ADInsight for Active Directory as one of the free utilities on their Microsoft site. This tool I like to call the MRI scan for AD. It uses DLL injection into processes to watch for WLDAP32 transactions; WLDAP32 is where Microsoft implements the LDAP API. You can see how your application talks to AD and what responses are returned. This capability can be invaluable in many application design scenarios when you can't figure out why your app's conversation with AD is spitting errors, or for general troubleshooting to see "under the covers".

The application is very similar to Regmon and Filemon in its GUI, and if you've used either before ADInsight should feel familiar.

The great thing I also see is you can right-click on a call sent to the directory and click on Event Information, which takes you to an MSDN page with an explanation of the transaction. This can be an excellent learning tool as well!

[Image: ADinsight1]

If the tool is pointed at an Active Directory where lots of calls are taking place, you can also filter events with the same flexibility available in Filemon and Regmon.

[Image: Example of the ADInsight filter dialog]

The Process Filter allows the selection of processes to include or exclude; there is also a transaction filter for those transactions that you want to view. This selection is made much easier by the transaction group filter, which allows the viewing of a collection of transactions, e.g. connects. If a group is chosen, all applicable transactions are selected in the transactions list.

This is definitely another necessary tool in the arsenal of anyone working with Active Directory.

Microsoft's Awesome Stats

Anyone who's been to a conference where someone from MSFT's been talking about "How Microsoft Does IT" has probably heard this or something similar but these stats are just awesome I think (Source Bink.nu):

Microsoft internal IT:

600k connected devices
10,000 Servers
3 Datacenters 1 operations center
11% is virtualized in Microsoft Datacenters
330 of 385 servers run Windows Server 2008 (RC0) plus all 85 Microsoft.com servers
11 clustered systems
30,000 users in Redmond domain (50,000 with vendors)
NAP reporting 140K clients, 90 clients deferred mode

The Redmond Active Directory domain is running in Windows Server 2008 mode since last Thursday (Nov 1st)

Microsoft Email:

6 million internal emails per day
20 Million emails from Internet
97% rejected as spam
99,999 uptime

Worldwide:

140,000 end users
550 buildings
98 countries
1/3 of the sites are connected over Internet only

2300 Line of business applications
1 single SAP instance (5 Terabyte database)
Dynamics/MSCRM

Windows Live Services:

130,000 servers online
435 Million unique users
280 Billion pageviews daily
12 Billion emails daily
6 billion Instant Messages daily

Remote connect:

1 million VPN sessions per month
80,000 unique OWA users
Remote app portal
TS gateway 20,000 users
Direct Connect pilot

Microsoft.com figures
55,7 million unique users, #4 overall site in US
280,5 Unique users worldwide #6 site worldwide
15,000 request a sec

Burn CD's and DVDs with Powershell

Included with Microsoft Vista is a new API for scripting against optical drives; the Image Mastering API version 2 or IMAPI2. This makes it possible to retrieve information from optical storage media like CDs and DVDs and write to them.

The story around the IMAPI and what you can do with it can be found on MSDN, but what brought it to my attention was the Scriptcenter newsletter this week, where a VB sample of how to burn CDs/DVDs using the Image Mastering API was described. Yep, if we can do it with VB there's got to be a PoSHer way to do the same thing, so I gave it a go and over a couple of hours managed to get my version to work.

Who needs ISO burning tools anymore ay? Roll your own!

My modification of the script accepts one argument, which is the path to the ISO file, and it barfs if a wrong path is given.

The assumption is that the CD/DVD writer is the first optical drive on the system (if it's not, change the MsftDiscMaster2 index used in the MsftDiscRecorder2 InitializeDiscRecorder method).

Minor error checking has been thrown in to ensure a valid path to an ISO file is provided and that the disc is blank.

---------------------------------------------------------------------------------------

param(
        [string]$path = $( throw "Please Specify path to an ISO file")
         )
# Set binary file type (ADODB adTypeBinary)
Set-Variable -name adFileTypeBinary -value 1 -option Constant

# Test that the path points to an existing file, else fail
# (-IsValid only checks the syntax of a path, not that the file exists)
if (Test-Path -Path $path -PathType Leaf)
{
    $isoFile = $path

    # Create disc master to enumerate optical drives
    $obm = New-Object -comobject "imapi2.msftdiscMaster2"

    # Create a DiscRecorder object for the first burning device (index 0)
    $obr = New-Object -comobject "imapi2.msftdiscrecorder2"
    $obr.InitializeDiscRecorder( $obm.item(0) )
    $dataWriter = New-Object -comobject "IMAPI2.MsftDiscFormat2Data"
    $dataWriter.Recorder = $obr
    $dataWriter.ClientName = "ISOTest1"

    # Load the ISO image into a binary ADODB stream
    $objStream = New-Object -comobject "ADODB.Stream"
    $objStream.open()
    $objStream.type = $adFileTypeBinary
    $objStream.LoadFromFile( "$isoFile" )

    # Check the disc is blank (next writable address is sector 0), else fail.
    # Note: -eq, not =, which would assign and always be true.
    $addr = $dataWriter.NextWritableAddress
    if ( $addr -eq 0 )
    {
        # Write stream to disc using the specified recorder
        Write-Host "Writing to disc..."
        $dataWriter.Write( $objStream )
        Write-Host "Done"
    }
    else
    {
        Write-Host "Cannot write to disc: it is not blank"
    }
    $objStream.Close()
}
else
{
    Write-Host "A valid ISO file was not found"
}

---------------------------------------------------------------------------------------

The Scriptcenter site shows other examples in VB and they can all be converted to Powershell with very little effort.

Binaries for versions of IMAPIv2 for other platforms can be obtained here:

Image Mastering API v2.0 for Windows XP

Image Mastering API v2.0 for Windows Server 2003

Image Mastering API v2.0 for Windows XP x64 Edition

Image Mastering API v2.0 for Windows Server 2003 x64 Edition

PoSH is here to stay!

I'm sure a lot of my crew are almost getting to their wits end with my persistent harping about the capabilities of Powershell and the need for anyone involved in Windows management to get on the act now. I ain't stopping though. This is probably the single most significant change to the way we will do things in the Windows space.

During my regular cruise of my favorite blogs, I came across yesterday's entry on Dmitry's blog where he caught on to the gist from Citrix that they were rewriting their APIs for the next version of Presentation Server, codenamed Parra, so they had Powershell interfaces!

This is another massive addition to the Powershell community and it's only going to get bigger and better.

Exchange Unplugged!

[Image: ExchUnplugged]

Sounds like an MTV show but t'was much better than that! Eileen Brown and her crew brought the Exchange 2007 and Unified Communications road show to Manchester in Association with BT Lynx. The day long event was held at the Museum of Science and Technology and I think the location was just perfect with the Dr Who show going on there as well :-)

Brett Johnson and Julian Datta gave awesome demos of Exch07 and Office Communication Server which all went flawlessly. Apparently, the last time they gave the demos, Brett's Shuttle, a quad core, 8Gb beast, ignited! That must have been fun.

This was the first time I had heard Brett present and I was well impressed. He kept the audience well engaged and his wit was classic!

Toy of the day was the hyper cool Microsoft Roundtable conference phone providing a 360 degree view of the conference room and a high res image of the active speaker.

My takeaways from the show were:

  1. Exchange 07 & OCS are going to change the way we communicate. Voice, Video and text can now be affordably converged on the IP protocol and with presence information, playing "phone tag" will be a thing of the past.
  2. Learn Powershell. It's the future! The Exchange servers Brett built were installed and configured using Powershell Scripts & commands. 

If you haven't been to the Exchange Roadshow, there are two more dates I think. Make sure you catch them if you can. Well worth it:

2nd November 2007, Warwickshire: Exchange Unplugged in association with Post CTI

5th November 2007, Glasgow: Exchange Unplugged in association with Capito
