Guide for Configuring AD to Back up BitLocker and TPM Recovery Information

The above guide is finally available: http://www.microsoft.com/downloads/details.aspx?FamilyID=3a207915-dfc3-4579-90cd-86ac666f61d4&displaylang=en. Go and get it! The package contains:



  • An excellent 48-page guide

  • LDIF file for extending Windows Server 2003 SP1/R2 schema

  • Script for modifying ACLs for computer objects in order to store TPM information and another for listing the permissions

  • Script for accessing BitLocker recovery info in AD

  • Script for accessing TPM recovery info in AD

According to the document, this schema update is supported for production use.


In addition to the tools within the package, you should also check out the versatile manage-bde.wsf script that is included in Vista. Although it is possible to use this script to enable BitLocker encryption on partitions other than the boot partition (the one containing Windows), I wouldn’t recommend it since additional steps are required and key recovery is rather complex. http://www.windowsecurity.com/articles/Best-practice-guide-how-configure-BitLocker-Part1.html includes a concise summary of the steps.


Now if only more manufacturers would make updated BIOS versions available so that the TPM can be used. So far, I’ve played around with a Lenovo ThinkPad T60 (BIOS versions 2.06 and 2.07) and it’s working perfectly 🙂

Windows Vista Bitlocker recovery keys and Active Directory schema extension

Although an ADPREP executable exists on the Vista DVD (\sources\adprep\adprep.exe) with accompanying LDF files (sch14.ldf – sch39.ldf), you should NOT use it to extend the schema of a Windows 2000/Server 2003/R2 Active Directory. These files are there for informational purposes only, to show what Longhorn Server will bring along when it arrives.


Windows Vista BitLocker recovery keys cannot be stored in Active Directory before extending the schema and modifying AD permissions. The information and tools to perform these preliminary tasks will become available some time in the near future – when it’s ready, I guess 😉 In the meantime, you could have a look at extending the schema for Vista wired and wireless group policy @ http://www.microsoft.com/technet/network/wifi/vista_ad_ext.mspx.

Windows Vista Security Guide 1.0 available

Microsoft stuck to its habit on the release of the Vista Security Guide, as it was made available the same day that the bits went to production. The final 1.0 version is available at http://go.microsoft.com/fwlink/?LinkId=74028 🙂

As you may have noticed, security templates are no longer the primary means of defining the baseline security settings. They can still be used and are also included in the security guide package. However, the primary means of defining the baseline policies is the included GPOAccelerator tool (a script), which implements the GPOs that come with the tool. The guide comes with eight GPOs: a set of four GPOs for the Enterprise Client (EC) scenario and another set of four for the Specialized Security Limited Functionality (SSLF) scenario. The guide also includes Word and Excel documents detailing the settings in each template/GPO. Go and get it!

P.S. It’s also available online (without the tools) at http://www.microsoft.com/technet/windowsvista/security/guide.mspx

Windows Security Guides updated again

While looking for security info, I found that the Windows Server 2003 and XP security guides have been updated. Both have minor corrections in the text as well as updates to security templates.


Windows Server 2003 Security Guide (now version 2.1, released April 26, 2006)



Windows XP Security Guide (now version 2.1, released April 13, 2006)


My TechEd top 4 & Network Monitor 3

I’m sitting on the last stint at the TLC at TechEd 2006. Quite a number of people have found this area and us technical experts here [:)] Thanks everyone for coming!


Over these five days, the most common questions (and some additional info for myself) were:


1) Group Policy processing problems


You can find a basic flowchart for troubleshooting in Figure 1 of the white paper entitled “Troubleshooting Group Policy in Microsoft Windows Server”. You can also test your understanding of group policy processing by checking the little flowchart displayed in that figure, to see whether you know what all the different reasons for problems mean. Derek Melber just presented session MGT425 here on this topic. You can also find additional information in our book [;)]


The first option I tend to use most often for GP troubleshooting is to open rsop.msc. The right (or secondary) mouse button is useful in this tool. A more advanced way of troubleshooting group policy is to use the different logging options available. I detail here the steps to enable the UserEnv log and a (free!) tool to interpret it. I can say that I learned my group policy skills with this log file [:)] I wish Policy Reporter had been available in 1999, or that I had found it then.



  1. Either use http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833 to set the UserEnvDebugLevel registry value, OR perform steps 2-7.

  2. Download the GPO Logging ADM Template from http://www.gpoguy.com/Tools.htm#EventLogADM.

  3. Extract gpolog.adm from the zip file.

  4. Open gpedit.msc (GPOE) on the machine you want to start monitoring.

  5. Add the template into GPOE (right-click Administrative Templates > Add/Remove Templates… > Add… > pick gpolog.adm).

  6. In the View menu, select Filtering… and uncheck the setting “Only show policies that can be fully managed”.

  7. Open Local Computer Policy\Administrative Templates\System\Group Policy\Logging and enable UserEnv.Log logging of policy (and profiles) with Verbose logging.

  8. Restart the computer.

  9. The log file userenv.log is created in %Windir%\Debug\UserMode.

  10. To interpret this file, download Policy Reporter from http://www.sysprosoft.com/policyreporter.shtml.

  11. Install Policy Reporter and start it.

The new version of Policy Reporter even displays the processing delays. Obviously, you have to run these steps as an administrator; I use runas most of the time.
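To show what the "processing delays" view of such a tool is computing, here is an added Python example; it is not code from this post, from Policy Reporter or from Microsoft. It parses userenv.log lines, measures the time elapsed between consecutive entries logged by the same thread, and flags the slow steps. The line layout `USERENV(pid.tid) HH:MM:SS:mmm Function: message`, the sample lines and the 1-second threshold are my assumptions, constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumed layout of a userenv.log line (my reading of the format, not taken from the post):
#   USERENV(<pid>.<tid>) HH:MM:SS:mmm <Function>: <message>
LINE_RE = re.compile(
    r"^USERENV\((?P<pid>[0-9a-fA-F]+)\.(?P<tid>[0-9a-fA-F]+)\)\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}):(?P<ms>\d{3})\s+"
    r"(?P<func>\w+):\s*(?P<msg>.*)$"
)
MS_PER_DAY = 24 * 60 * 60 * 1000


@dataclass
class Entry:
    thread: str        # "pid.tid": delays are only meaningful within one processing thread
    stamp_ms: int      # milliseconds since midnight (the log carries no date)
    func: str
    msg: str
    delay_ms: int = 0  # elapsed since the previous entry written by the same thread


def parse_userenv(lines) -> List[Entry]:
    """Parse timestamped userenv.log lines and compute per-thread delays between entries."""
    entries: List[Entry] = []
    last_stamp: Dict[str, int] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or continuation lines carry no timing information
        stamp = ((int(m["h"]) * 60 + int(m["m"])) * 60 + int(m["s"])) * 1000 + int(m["ms"])
        thread = f"{m['pid']}.{m['tid']}"
        entry = Entry(thread, stamp, m["func"], m["msg"])
        if thread in last_stamp:
            delta = stamp - last_stamp[thread]
            if delta < 0:          # logging ran across midnight: wrap the day boundary
                delta += MS_PER_DAY
            entry.delay_ms = delta
        last_stamp[thread] = stamp
        entries.append(entry)
    return entries


def slow_steps(entries: List[Entry], threshold_ms: int = 1000) -> List[Entry]:
    """Entries that were logged at least threshold_ms after the previous entry of their thread.
    The wait happened between the previous entry and this one, so look at the step that
    preceded a flagged entry (here: the DS search) to find what was slow."""
    return [e for e in entries if e.delay_ms >= threshold_ms]


# Constructed sample log: a computer policy refresh whose directory search stalls for ~15 s.
SAMPLE_LOG = """
USERENV(2c4.2d8) 08:59:57:406 ProcessGPOs: Starting computer Group Policy (Background) processing...
USERENV(2c4.2d8) 08:59:57:437 GetGPOInfo: Entering...
USERENV(2c4.2d8) 08:59:57:453 SearchDSObject: Searching <OU=Workstations,DC=example,DC=com>
USERENV(2c4.2d8) 09:00:12:828 SearchDSObject: Found GPO(s): <[LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=com;0]>
USERENV(2c4.2d8) 09:00:12:843 ProcessGPOs: Processing extension Registry
USERENV(2c4.2d8) 09:00:13:015 ProcessGPOs: Computer Group Policy has been applied.
""".splitlines()


if __name__ == "__main__":
    for e in slow_steps(parse_userenv(SAMPLE_LOG)):
        print(f"{e.delay_ms:>7} ms before {e.func}: {e.msg}")
```

Run it as-is on the constructed sample to see the 15-second gap at the directory search; to examine a real log, replace SAMPLE_LOG with the lines read from %Windir%\Debug\UserMode\userenv.log.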


Other well-hidden gems worth mentioning are the 32 GPMC scripts (found in %ProgramFiles%\GPMC\Scripts after installing GPMC) that many haven’t found yet. They are great for backing up GPOs and documenting them.


2) Active Directory DCs on 64-bit architecture


You can find a recent white paper entitled “Active Directory Performance for 64-bit Versions of Windows Server 2003” on this topic. Microsoft’s recommendation is to start considering converting existing environments to the 64-bit architecture when the size of your AD database exceeds 2.75 GB.


3) Problems with large number of group memberships


Another question that we discussed with several attendees had to do with the maximum Kerberos token size, which may become an issue (e.g. KB 327825) in larger environments. Good information is available at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx. You can download the command-line tool TokenSz to see the current token size and to diagnose it further.
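To make the token-size issue concrete, here is an added Python example; it is not code from this post or from the TokenSz tool. It applies the estimate given in KB 327825 (the article cited above), TokenSize = 1200 + 40d + 8s, and compares the result with the 12000-byte default MaxTokenSize of Windows 2000/Server 2003 from that article. The sample accounts and their group counts are constructed values.

```python
# Estimate from KB 327825:
#   TokenSize = 1200 + 40*d + 8*s
#   d = domain local groups + universal groups outside the account domain + SID history entries
#   s = global groups + universal groups inside the account domain
# 1200 bytes covers the fixed ticket overhead; each "d" SID costs 40 bytes, each "s" SID 8 bytes.
TICKET_OVERHEAD = 1200
BYTES_PER_D_SID = 40
BYTES_PER_S_SID = 8

# Default MaxTokenSize on Windows 2000 SP2 / Server 2003 per KB 327825. A raised value lives as a
# REG_DWORD MaxTokenSize under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
DEFAULT_MAX_TOKEN_SIZE = 12000


def estimate_token_size(domain_local: int, global_groups: int,
                        universal_in_domain: int = 0, universal_out_of_domain: int = 0,
                        sid_history: int = 0) -> int:
    """Apply the KB 327825 formula to the membership counts of one account."""
    d = domain_local + universal_out_of_domain + sid_history
    s = global_groups + universal_in_domain
    return TICKET_OVERHEAD + BYTES_PER_D_SID * d + BYTES_PER_S_SID * s


def exceeds_limit(token_size: int, max_token_size: int = DEFAULT_MAX_TOKEN_SIZE) -> bool:
    """True when the estimated token will not fit in the configured MaxTokenSize."""
    return token_size > max_token_size


def domain_local_headroom(global_groups: int, max_token_size: int = DEFAULT_MAX_TOKEN_SIZE) -> int:
    """Largest number of 40-byte (domain local) SIDs that still fits next to the given
    global-group count. Handy for judging how close a heavy user is to the limit."""
    remaining = max_token_size - TICKET_OVERHEAD - BYTES_PER_S_SID * global_groups
    return max(0, remaining // BYTES_PER_D_SID)


# Constructed sample accounts:
# (name, domain local, global, universal in domain, universal out of domain, SID history)
SAMPLE_ACCOUNTS = [
    ("ordinary user", 20, 15, 2, 0, 0),
    ("migrated admin", 250, 120, 10, 30, 40),   # many domain local groups plus SID history
]


def report(accounts=SAMPLE_ACCOUNTS, max_token_size=DEFAULT_MAX_TOKEN_SIZE):
    """Return (name, estimated size in bytes, over limit?) for each account."""
    out = []
    for name, dl, gg, ui, uo, sh in accounts:
        size = estimate_token_size(dl, gg, ui, uo, sh)
        out.append((name, size, exceeds_limit(size, max_token_size)))
    return out


if __name__ == "__main__":
    for name, size, over in report():
        print(f"{name:15} estimated {size:6d} bytes  {'OVER LIMIT' if over else 'ok'}")
```

The "migrated admin" case shows why SID history and domain local groups dominate: each of them costs five times as much as a global group, which is why group nesting and cleaning up SID history after migrations are the usual remedies before raising MaxTokenSize.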


4) DNS problems


DNS, being the cornerstone of an Active Directory network, is very often the culprit for various problems (authentication, replication, GP processing etc.). There is plenty of information available on many sites. The best troubleshooting tip is to get it right the first time, i.e. knowing what you are doing when configuring the DNS service. In case you are having problems, you might want to start with the TechNet Support WebCast: Troubleshooting DNS @ http://support.microsoft.com/?kbid=905900 and the DCDIAG tool to pinpoint your problems.


Network Monitor III


The most exciting tool I’ve seen this week was Microsoft Network Monitor III. For troubleshooting many problems, I often use Network Monitor 2.0 (either the one included in Windows Server operating systems or the full version from SMS 2003). The new version 3.0 will become available as a limited beta at the end of the summer. Some of the features that we saw today were:



  • Capturing multiple interfaces simultaneously

  • Dynamic display filters

  • Configurable parsers

  • The only network monitor tool that works on Windows Vista

I’m looking forward to the beta programme and the launch of the tool – whenever it’s going to be ready.


That’s all for now. Regards to everyone and thanks! This was my second TechEd and the first in the U.S. It was also the best TechEd so far [:D]

It’s that time of the year again – Technet Pro tomorrow

Tomorrow, I’ll present a talk on Windows Server 2003 R2 in the Technet Pro 2006 seminar in the Finlandia Hall. The event was fully booked weeks ago with some 1400 registrations! My demo setup for tomorrow will include four virtual machines (three WS03 R2 & one Windows XP) running on Virtual Server R2, which runs on Windows Server 2003 R2, Enterprise Edition. Since I won’t demo ADFS, this setup should be enough. Anyway, I’m looking forward to a great event.


For the last few weeks I’ve been getting myself familiar with Office 2007. Also, I’ve “upgraded” my Vista installation to build 5308 – and I’ve done it twice already. The first time I joined the machine to the AD domain over VPN, and the second time I made the join while connected through Ethernet. It seems that the second time & route made Vista run smoother 🙂 BTW, there’s a lot of great info on Vista @ http://windowsconnected.com/. I’m sure that the IE 7 chat that I just participated in will find its way into the forums of that site as well – it’s there already!!!


At the beginning of the week, I conducted an IIS 6 course, MOC 2576. During the research, I came across the great IIS blog of another MVP, Bernard Cheah. http://www.iistoolshed.com/ is a nice collection of IIS-related tools. To start off with diagnosing IIS, you could first check out the IIS Diagnostics Toolkit.

Some great security info

I’ve been extremely busy with courses & seminars over the last few weeks – dare I say it’s been one of the busiest Januaries that I can recall. However, in between I’ve come across some great security-related info:



 

Sovelto and FCS Partners merge

My employer (and the company of which I was a senior partner and shareholder), Sovelto Oy, merged with another ICT training and consulting company, FCS Partners Oyj, as of today. We are really excited about the merger and are really looking forward to an exciting future. Together we form the largest ICT training company in Finland. FCS Partners and Sovelto are the two rising stars in the market. Both companies have grown and developed under the hard circumstances that followed the rapid growth in the IT market. The organization of the merged company will be based on experts and partners, with high value placed on expertise and professional training. In the flat-hierarchy organization, all personnel will interface directly with the customers.


Over the last weekend we’ve started to integrate our IT systems. So far, so good 🙂 Of course, there have been minor hiccups but nothing major so far. What makes it so interesting is that both companies are using the latest versions of most Microsoft server applications and operating systems.


BTW, the name of the new company is FCS Sovelto Oyj.