July 2007 - Posts

Thomas Lee gives us a mention!

Thomas Lee, well known IT Evangelist, author and MVP gives me a mention in his September PC Pro article on WMI and Powershell. Nice! Enjoy the article.

Changes in WS08 Roles from Beta3 to the June CTP (IDS3)

A comprehensive list of the roles and features available in WS08, and the changes between Beta 3 and IDS3 (build 6001), has been compiled by Jose Barreto on his blog.

Lots of features have had slight name changes but I think the most significant change is the addition of IIS Web Server Role to WS08 Server Core.  

To get a list of available roles and features on your WS08 install run the following command: ServerManagerCmd -query [-logPath <log.txt>]

Remember all the binaries for capabilities are available (but not expanded and installed) after a WS08 install. You will never need to find the source disk to add a role!

sdmsoftware release GPExpert™ Scripting Toolkit for PowerShell

The sdmsoftware crew have released the GPE Toolkit for the automation of Group Policy settings. I can see this PoSH based tool being an essential part of every GP admin's kit. The power and flexibility it gives for the creation of policies, and for ensuring the settings are exactly as in your design plans, is awesome. Repeatability of policy creation and settings is also greatly enhanced. Neat stuff this!

Scripting Group Policy settings!

I spent this weekend playing with a beta copy of SDM Software's GPExpert Scripting Toolkit, kindly advanced to a colleague of mine and me by Darren Mar-Elia, the CTO of SDMS.

Darren is one of the better known GPO gurus out there, and when he got wind, during one of our rants on the ActiveDir.org newsgroup, that I worked in an environment with over 2,500 Group Policy objects in AD, he offered to let us play with a beta copy.

What it essentially is is a PowerShell cmdlet that allows you to manage the individual settings within a Group Policy Object.

Already, with PoSH and GPMC installed on an admin workstation, you could use the APIs exposed by GPMC to create GPOs and even script the production of reports displaying the settings within GPOs.

See below for an example of creating a GP object in the domain example.com.

-------------example1-----------------

# Bind to the GPMC automation interface and fetch its constants
$gpobj = New-Object -comObject GPMgmt.gpm
$gpConstants = $gpobj.GetConstants()

# Connect to the domain, letting GPMC pick any available DC
$myDomain = $gpobj.GetDomain("example.com", "", $gpConstants.UseAnyDC)

# Create an empty GPO in the domain and give it a display name
$myNewGpo = $myDomain.CreateGPO()
$myNewGpo.DisplayName = "PoSH Group Policy"

-------------/example1-----------------
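As an added example (not from the original post, nor SDM Software's code), this extends example1 with the GPMC search and report APIs: it looks the GPO up by display name so that re-running the script does not create a duplicate, then writes the HTML settings report mentioned above. The domain name, GPO name and report path are assumptions.

```powershell
# Added example: idempotent GPO creation plus an HTML settings report via the GPMC COM API.
# Assumes GPMC is installed and the account can create GPOs in example.com (assumed domain).
$gpm       = New-Object -ComObject GPMgmt.GPM
$constants = $gpm.GetConstants()
$domain    = $gpm.GetDomain("example.com", "", $constants.UseAnyDC)
$gpoName   = "PoSH Group Policy"

# Search the domain for a GPO with this display name instead of blindly creating another one.
$criteria = $gpm.CreateSearchCriteria()
$criteria.Add($constants.SearchPropertyGPODisplayName, $constants.SearchOpEquals, $gpoName)
$found = $domain.SearchGPOs($criteria)

if ($found.Count -gt 0) {
    $gpo = $found.Item(1)            # GPMC collections are 1-based
    Write-Host "Found existing GPO '$gpoName' ($($gpo.ID))"
} else {
    $gpo = $domain.CreateGPO()
    $gpo.DisplayName = $gpoName
    Write-Host "Created GPO '$gpoName' ($($gpo.ID))"
}

# Produce the HTML settings report; the output path under %TEMP% is an assumption.
$reportPath = Join-Path $env:TEMP ("{0}.html" -f $gpoName)
$result = $gpo.GenerateReportToFile($constants.ReportHTML, $reportPath)
$result.OverallStatus()              # raises an error if report generation failed
Write-Host "Settings report written to $reportPath"
```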

What could not be done with the GPMC APIs was configuring the individual settings within the GPO.

The SDM GPExpert Scripting toolkit fills this gap the PoSH way! You can now extend your powers to scripting the individual settings within the GPO you just created. The example below sets the "rename Guest account" setting in the policy we created earlier called "PoSH Group Policy". 

-------------example2-----------------

# Open the GPO created in example1 by name, using the SDM cmdlet
$gpo = Get-SDMgpobject -gpoName "gpo://example.com/PoSH Group Policy" -openByName $true;

# Navigate to the individual security option inside the policy
$stng = $gpo.GetObject("Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Accounts: Rename guest account");

# Mark the setting as defined, give it a value and write it back to the GPO
$stng.Put("Defined", $true);
$stng.Put("Value", "62150138"); # all accounts in the Domain use 8 digit usernames.
$stng.Save();

-------------/example2-----------------

I think this is awesome stuff! This will not only ensure some extra degree of reliability in the configuration of the settings of GPOs, it will also save time if these settings need to be changed in large numbers of policies. Anything that increases the automation of group policy creation and configuration, in very predictable ways, is always a good thing. And the learning curve with this is not in any way steep.

I am sure the GPExpert toolkit will be an essential part of every group policy admin's "bag 'o tricks" when it's released. Excellent stuff!

Directory Experts Conference coming to Europe!

Not sure how many people are aware, but the NetPro sponsored Directory Experts Conference is happening in Brussels 24th – 26th of September 2007.

This is probably the premier Identity & Access Management and Directory Services conference in the Western World! I have been to my fair share of conferences but DEC in Vegas earlier this year was simply “the bomb!”. Three days of pure techie sessions on AD and IAM. No sales pitch, some of the cleverest AD & Windows guys on the planet and all in a very friendly atmosphere. A nice tight crowd of like 700 folk all keen on AD and allied subjects. Nice!

I still trip on the experience of listening to Ulf Simon-Wiedner and Joe Richards haggle over the details of the inner workings of AD at 1 in the morning by the bar! One's inebriated state of mind at the time lost the details of the discussion, but the memory of the event remains clear and reminds me of how much more there is to learn and enjoy in this game. I hope Bob Bobel and his Quest crew show up! What a character! 100% fun and knowledge!

Bringing the AD show to Europe can only be a good thing and with the cast Gil Kirkpatrick has lined up again it’s bound to be well worth it. The theme for the European conference is “Identity and Access Management in the Windows Server 2008 Era”.

I've booked my ticket for a second feel!

Quest Software wins Microsoft Global ISV Partner of the year

Quest Software, at the Microsoft Partner conference held in Denver, won the Global ISV Partner of the Year award for their adoption and use of PowerShell.

Quest's Active Directory cmdlets and stuff from Dmitry Sotnikov's PowerGUI team are some of the PowerShell apps coming out of the software house, and they are FREE!

I would like to throw a big “shout out” to Dmitry and say “Congrats dude!!” on behalf of the Powershell User Group in the UK.

You guys Rock!!

Windows Server Team User Group’s First meeting

I was invited by my good friend Scotty McLeod to the inaugural meeting of the Windows Server Team and to give a talk on the WS08 Terminal Services Gateway Server. I felt that if it was going to be anything like the PowerShell user group meetings we both attend, then it would be well worth it. I find these meets great opportunities to learn and share ideas with like-minded folk. And it was. I do hope we have many more of these meets and keep them as interesting as the first one was.

My bit in it was to give a talk on the WS08 TS Gateway service role. Scotty has uploaded the presentation to the Server Team site and Mark Wilson, who attended, has blogged it as well. Nice to hear folks enjoyed it as much as I did.

Unfortunately, Microsoft Security kicked us out at 10 pm, and one of the issues I felt I did not adequately cover in my presentation was the "Gotchas", as I like to call them. As I now have a blog on the team site, I'd like to start by sorting that out and use the blog as an avenue to rant on general Windows issues and techie stuff that catch my fancy.

With regard to the TS gotchas, as most people will find out, installing the TS Gateway role is the easiest part of the process. What usually stumps you when setting it up in a lab is how well you know certificate trust chaining, certificate signing and general certificate configuration principles and, if you are using the AD Certificate Services role on a WS08 server, the differences between a W2K or WS03 CA and a WS08 CA with respect to certificate enrolment.

In our lab scenario we had 2 WS08 servers and a Vista client. The 1st server was DC, DNS server and Enterprise root CA; the 2nd server held the TS Gateway role.

First thing you notice when installing the TS Gateway role is that it expects you to have a web server cert in the computer store of the local computer.

This is where the first hurdle usually occurs.

Administrative rights are required to request a computer certificate, and in Vista and WS08, IE does not run with administrative rights. The option to store a computer certificate in the computer store was also removed from the Windows Server "Longhorn" certificate enrolment pages. The easiest way I have found is to use the certreq.exe command line utility with an .inf file containing the particulars of the request, which must comply with the certificate requirements for the TS Gateway Server:

  • The name in the Subject line of the server certificate (certificate name, or CN) must match the DNS name that the client uses to connect to the TS Gateway server.
  • The certificate is a computer certificate.
  • The intended purpose of the certificate is server authentication. The Extended Key Usage (EKU) is Server Authentication (1.3.6.1.5.5.7.3.1).
  • The certificate has a corresponding private key.
  • The certificate has not expired. Microsoft recommends that the certificate be valid one year from the date of installation.
  • The certificate must be trusted on clients. That is, the public certificate of the CA that signed the TS Gateway server certificate must be located in the client's Trusted Root Certification Authorities store.

A sample .inf file that fulfils these requirements to be used for a request is:

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=FQDN of TSGW Server"   ; replace with the gateway's FQDN, the name clients connect to
KeySpec = 1                          ; AT_KEYEXCHANGE, the key type SSL/TLS needs
KeyLength = 2048
Exportable = TRUE                    ; the private key may be exported along with the certificate
MachineKeySet = TRUE                 ; store the key in the machine key set: a computer certificate
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0                      ; Digital Signature + Key Encipherment

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1                ; Server Authentication OID

 

For example, having saved the .inf file as SSLrequest.inf, run the following from a command prompt on the TS Gateway server, in the folder containing the saved file:

certreq -new SSLrequest.inf RequestFile.txt

The certreq utility can be used to further submit this request file to the CA and obtain the issued certificate but from this point on, I prefer to use the certificate server web interface.

The gotcha with doing this is that with the Longhorn CAs, SSL needs to be enabled on the web server hosting the certsrv page.

Once this is done, requesting the certificate, downloading it and importing it into the TS Gateway Server's computer store is pretty straightforward.

You then need to start and use the TS Gateway Manager to map the certificate to the TS Gateway Server.
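Added example (not from the original post): a PowerShell check, run on the TS Gateway server, of each certificate in the computer's Personal store against the requirements listed above. The gateway FQDN is an assumption; the final chain check only proves trust on the server itself, so the client still needs the CA's public certificate in its Trusted Root store.

```powershell
# Added example: audit LocalMachine\My against the TS Gateway certificate requirements.
# $gatewayFqdn is an assumed value; set it to the DNS name clients use for the gateway.
$gatewayFqdn   = "tsgw.example.com"
$serverAuthOid = "1.3.6.1.5.5.7.3.1"

function Test-TsGatewayCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert, [string]$fqdn)
    $problems = @()

    # 1. Subject CN must match the name clients connect to.
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $fqdn) { $problems += "CN '$cn' does not match '$fqdn'" }

    # 2 and 4. A computer certificate whose private key is present in this store.
    if (-not $cert.HasPrivateKey) { $problems += "no private key in the computer store" }

    # 3. EKU must include Server Authentication.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    $hasServerAuth = $false
    if ($eku) { foreach ($oid in $eku.EnhancedKeyUsages) { if ($oid.Value -eq $serverAuthOid) { $hasServerAuth = $true } } }
    if (-not $hasServerAuth) { $problems += "EKU lacks Server Authentication ($serverAuthOid)" }

    # 5. Must be inside its validity window; flag anything expiring within a year.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $problems += "not currently valid" }
    elseif ($cert.NotAfter -lt $now.AddYears(1)) { $problems += "expires before $($now.AddYears(1).ToShortDateString())" }

    # 6. Chain must build to a trusted root on this machine (clients must trust the same root).
    if (-not $cert.Verify()) { $problems += "chain does not build to a trusted root here" }

    return ,$problems
}

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $issues = Test-TsGatewayCertificate -cert $cert -fqdn $gatewayFqdn
    if ($issues.Count -eq 0) {
        Write-Host "OK   $($cert.Thumbprint) $($cert.Subject)"
    } else {
        Write-Host "FAIL $($cert.Thumbprint) $($cert.Subject)"
        $issues | ForEach-Object { Write-Host "     - $_" }
    }
}
```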

You might also find that after you have done all this, especially if there is a greater than 20 minute interval between when you set up the TSGW IIS site and when you try to connect, the client connection fails with a "gateway server not available" error.

The fix for this is to change the idle time-out for the default application pool on the IIS server from its default of 20 minutes to 1440 minutes. This prevents the worker process from shutting down if idle.

With these out of the way, the Gateway Server should now be able to demonstrate the application of CAPs and RAPs, and you can go on to explore using NAP to assess the health of connecting clients and placing the Gateway Server behind ISA.

No doubt these will be future blog topics and I hope I'll actively contribute.