February 2009 - Posts

joe’s commandments for DS Admins

joe Richards has a blog post on his advice for DS Admins.

Not 10 this time but 8 commandments:

<joe Commands>

1. Do not share your credentials with anyone. Period.

2. Be scared when using the ID; you can do a lot of damage with it.

3. Have second and third thoughts before changing things.

4. When in GUI applications, if you don’t mean to change things, use CANCEL, not OK to exit dialogs.

5. You can do a lot from your normal userid, prefer to use it over the Domain Admin ID.

6. Try to solve issues without logging interactively into Domain Controllers.

7. If you aren’t sure about something, don’t do it.

8. Ask questions. I would much rather hear “I don’t know” than someone trying to guess.

</joe Commands>

How not to suck at security

Got a pointer to this cheat sheet from the activedir.org newsgroup.

It is full of security truisms. Everyone should read it at least twice!

How many FSMO role holders do you have in your Forest?

I got quite a decent surprise the other day whilst I was upgrading my “home” AD forest with W2K8 DCs, as you do ;-). I know this isn’t strange to a lot of folk, but I have a functional forest at home that I use to support my household and the occasional family friend who may require access through my network whilst on a visit. This network also includes ISA 2006 (the best firewall out there by far!), a Certificate server and an Exchange server. It is distinct and separate from my lab environment(s), which are essentially a VM environment where I can test stuff and crash and burn boxes to my heart’s content.

But my home AD Forest has been around for a while as the diagram below shows:

[Image: AdCreatedate, the creationTime of the Domain Naming Context]

That's approximately 7 and a half years if you look at the creationTime for the Domain Naming Context! A lot has gone on in that AD environment over the years, and I most certainly didn't keep exact records. It wasn't that important an environment, I guess.

Anyway, back to the gist: how many FSMO role holders do you have in a single-domain forest? I have always had a standard answer for that, and it was 5: two forest-wide FSMO roles, the Schema Master and the Domain Naming Master, and three domain-wide FSMO roles, the PDC emulator (PDCe), the RID Master and the Infrastructure Master.

So, when my first and very old Windows 2003 DC died on me, having served faithfully since it was an NT4 PDC, I seized the roles to my second Windows 2003 DC, brought in my first 2008 server and dcpromo'd it after running adprep /forestprep and /domainprep.

I then moved the FSMO roles over to the new Windows 2008 DC. A couple of days later I decided we might need an RODC here, so let's rodcprep this environment. And that is where this story leads: adprep /rodcprep failed with the following error:

Adprep could not contact a replica for partition DC=DomainDnsZones,DC=trucyber,DC=com
Adprep failed the operation on partition DC=DomainDnsZones,DC=trucyber,DC=com Skipping to next partition.
Adprep could not contact a replica for partition DC=ForestDnsZones,DC=trucyber,DC=com
Adprep encountered an LDAP error. Error code: 0x0. Server extended error code: 0x0, Server error message: (null).
Adprep failed the operation on partition DC=ForestDnsZones,DC=trucyber,DC=com Skipping to next partition.
Adprep completed with errors. Not all partitions are updated.

I knew my FSMO role holders had been moved OK and were functional, so what was this about? A quick Google brought up KB949257.

And sure enough, a check on the FSMO Role Owner for the DomainDnsZones partition confirmed it:

C:\Users\austin>dsquery * cn=Infrastructure,dc=domainDnsZones,dc=trucyber,dc=com -attr fSMORoleOwner
  fSMORoleOwner
  CN=NTDS Settings,CN=tru2k3,CN=Servers,CN=manchester,CN=Sites,CN=Configuration,DC=trucyber,DC=com

Tru2k3 was my dead DC, and the FSMO role owners for non-domain naming contexts (NDNCs) do not move or get seized when the forest and domain roles are moved!

Each NDNC has its own Infrastructure Master, which may or may not be on the same DC that holds the domain Infrastructure Master role. KB949257 has a script to fix the issue, or you can manually edit the fSMORoleOwner attribute using ADSIEdit.

So, to the question: how many FSMO roles in a single-domain forest? The answer, I now know, is that it depends on how many application partitions (NDNCs) exist in the domain. You’ll have the 5 we all know about plus an Infrastructure Master role for each NDNC. We live and learn.
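A quick way to catch this before adprep does: the script below is an added example (not the post's own code and not the script from KB949257) that enumerates every application partition in the forest, reads the fSMORoleOwner of its CN=Infrastructure object, and flags owners whose NTDS Settings object no longer exists. It assumes it is run on a domain-joined machine by a user who can read the Configuration partition and each application partition.

```powershell
# Added example, not code from the original post or from KB949257.
# Lists the Infrastructure Master of every application partition (NDNC) and
# flags any whose fSMORoleOwner points at a deleted NTDS Settings object,
# which is the condition that made adprep /rodcprep fail above.
# Assumes a domain-joined machine and read access to the partitions.

function Get-NdncInfrastructureMaster {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = [string]$rootDse.configurationNamingContext
    $schemaNc = [string]$rootDse.schemaNamingContext

    # crossRef objects for real NCs have systemFlags bit 0x1 set; domain NCs
    # also have bit 0x2. Anything with 0x1 but not 0x2, other than the
    # Configuration and Schema NCs, is an application partition.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Partitions,$configNc"
    $searcher.Filter = "(&(objectClass=crossRef)" +
        "(systemFlags:1.2.840.113556.1.4.803:=1)" +
        "(!(systemFlags:1.2.840.113556.1.4.803:=2)))"
    [void]$searcher.PropertiesToLoad.Add("nCName")

    foreach ($result in $searcher.FindAll()) {
        $nc = [string]$result.Properties["ncname"][0]
        if ($nc -eq $configNc -or $nc -eq $schemaNc) { continue }

        # Each NDNC carries its own CN=Infrastructure object whose
        # fSMORoleOwner names the NTDS Settings object of the role holder.
        $infra = [ADSI]"LDAP://CN=Infrastructure,$nc"
        $owner = [string]$infra.fSMORoleOwner

        # After metadata cleanup the owner DN either carries the tombstone
        # marker "\0ADEL:" or simply no longer binds.
        $missing = ($owner -match '0ADEL') -or
            -not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$owner")

        New-Object PSObject -Property @{
            Partition    = $nc
            RoleOwner    = $owner
            OwnerMissing = $missing
        }
    }
}

# Anything with OwnerMissing = True needs its fSMORoleOwner repointed
# (KB949257 script or ADSIEdit) before adprep /rodcprep will succeed.
Get-NdncInfrastructureMaster | Format-Table Partition, OwnerMissing, RoleOwner -AutoSize
```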

Forefront TMG Public beta released!

Forefront Threat Management Gateway (TMG) is the advanced stateful packet and application-layer inspection firewall, virtual private network (VPN), and Web cache solution that enables you to easily maximize existing information technology (IT) investments by improving network security and performance.

This product supersedes Microsoft Internet Security and Acceleration (ISA) Server 2006 and 2004 and will only install on x64 Windows Server 2008.

The public beta and release notes can be obtained here.

Enjoy!!

Hotfix to resolve problem in which a Live Communications Server 2005 forest Unprep command deletes the entire "\Microsoft\" parent container in Active Directory

http://support.microsoft.com/?kbid=960724

When you run the forest *Unprep* command, Live Communications Server 2005 deletes the "\Microsoft\" parent container in the Active Directory directory service. This hotfix resolves this issue. After you apply this hotfix, the forest *Unprep* command only deletes the Real-time Communications (RTC) child container.

Incorrect deletion of the Microsoft parent container can cause data loss for products that use the Microsoft container under the System partition. This data loss includes but is not limited to Microsoft Certificate LifeCycle Manager 2007.

Problems with BranchCache™ feature of Windows 2008 R2

I have been trying out some of the Windows 2008 R2 features, and a colleague and I decided to try out the BranchCache feature. It is meant to be a WAN optimisation strategy for Windows 7 and Windows 2008 R2: frequently used HTTP and SMB content in branch offices is cached locally, and subsequent requests for the same content are served from the local cache.

There are 2 ways BranchCache can be implemented:

1. Storing the cache content on a dedicated BranchCache Server located in the branch office and

2. Peer content requests, where a BranchCache server at the main office redirects a branch office request for content previously delivered to the branch office to the content's location, which is usually another worker's Windows 7 PC.

At least that's the theory.

Whilst trying to set up a lab for a BranchCache deployment, the process bombs out when trying to create the BranchCache-enabled shared network folder, as shown in the diagram below:

[Image: error dialog when creating the BranchCache-enabled shared folder]

The specific error states: “Flags for the SMB shared folder cannot be configured. The specified service does not exist as an installed service.”

This is confusing as the BranchCache Service is certainly installed as a service and started as shown below:

[Image: the BranchCache service listed as installed and started]

Another key part of the process is to create hashes of the files in the shared folder using a tool called Hashgen.exe.

I have been unable to find this tool on my install of Windows 2008 R2 and Google doesn't throw up any related answers.

It would be interesting to know if anyone else has come across this and how they fixed or resolved it.