Server 8 – Data Deduplication

Whoa!  As I was poking around just now on another machine I built I ran across this little gem!

**Updated – screenshots!!

1)  From Server Manager, ensure DASHBOARD is selected in the navigation node then select Manage in the top right corner of the window.

2)  Select Add Roles and Features from the context menu.

 

3)  Press Next on the Before you Begin screen.

 

4)  From the Select Installation Type screen, confirm that Role-Based or Feature-Based installation is selected.  Press Next.

 

5)  Select the server you are targeting from the Server Pool pane, then press Next.

 

6)  From the Select Server Roles screen, place a check beside File Services.  Press Next.

 

7)  On the Features screen, accept the defaults by pressing Next.

 

8)  Read the blurb on File Services, then press Next.

 

9)  On the Select Role Services screen, place a check beside Data Deduplication.  Press Next.

 

10)  Read the Confirm Installation Selections screen, then press Install if you are certain all looks correct.

 

11)  You can watch the progress on this screen.

 

12)  If the installation was successful, press the Close button to exit.

 

Notice now in Server Manager there is a FILE SERVICES navigation node available!

 

**Note: If you don’t see this node available after refreshing and you recheck Steps 1-6 and find the File Services box is not checked now – perform the following:

1)  Ensure you have turned on Automatic Updates.

2)  Launch PowerShell, and run the following commands –

> Import-Module ServerManager

> Add-WindowsFeature -name FS-Data-Deduplication

> Import-Module Deduplication

Your File Services Node should now be present.

 

Setting Up Deduplication on a Volume.

If you select that node, your server should show up in the middle pane with an Activation Status of Not Activated (meaning you have not yet set up any Dedupe).

 

If you right-click on the server’s line item a context menu appears.  At the top of the menu is an entry for Configure Deduplication Settings.

 

Here you can enable background optimization and a Primary and Secondary schedule for it to run.  Set up your preferences and press OK to continue.

 

Again, in the Navigation Node (left pane), you select Volumes to show a list of volumes present.

 

Right-click any volume (other than the System or Boot) and your option for Configure Deduplication is there.

 

Selecting this entry opens a screen where you can check Enable Data Deduplication on the Volume.  You can exclude folders and extensions also.  Press OK when you’re done.

 

Data Deduplication can’t be enabled on the System or Boot Volumes – this is the same as any disk-based service limitation.
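The same volume setup can be scripted. This is an added example, not part of the original post; it assumes the Deduplication and Storage cmdlets as shipped in Windows Server 2012, and the drive letter, folder and extensions are placeholders.

```powershell
# Added example (not from the original post). E:, the folder and the
# extensions are placeholders; cmdlet names assume Windows Server 2012.
Import-Module Deduplication

function Enable-DataVolumeDedup {
    param(
        [Parameter(Mandatory)] [char] $DriveLetter,
        [string[]] $ExcludeFolder   = @(),   # folders on the volume to skip
        [string[]] $ExcludeFileType = @()    # extensions without the leading dot
    )

    # Deduplication cannot be enabled on the System or Boot volume, so refuse early.
    $partition = Get-Partition -DriveLetter $DriveLetter -ErrorAction Stop
    if ($partition.IsBoot -or $partition.IsSystem) {
        throw "Volume ${DriveLetter}: is a System or Boot volume."
    }

    $volume = "${DriveLetter}:"
    Enable-DedupVolume -Volume $volume | Out-Null

    # The same exclusions the Configure Deduplication dialog offers.
    if ($ExcludeFolder.Count)   { Set-DedupVolume -Volume $volume -ExcludeFolder   $ExcludeFolder }
    if ($ExcludeFileType.Count) { Set-DedupVolume -Volume $volume -ExcludeFileType $ExcludeFileType }

    # Return the resulting configuration so the caller can confirm it.
    Get-DedupVolume -Volume $volume |
        Select-Object Volume, Enabled, ExcludeFolder, ExcludeFileType, SavedSpace
}

Enable-DataVolumeDedup -DriveLetter 'E' -ExcludeFolder 'E:\Scratch' -ExcludeFileType 'iso', 'vhd'
```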

This feature is fantastic!  Native De-dupe – finally….

Enjoy!

 

Server 8 – Group Managed Service Accounts

Managed Service Accounts were introduced in Server 2008 R2, and while they were a good start, they weren’t useful for what you really wanted to do with them – such as using them as a cluster service account.

Server 8 has improved on these accounts with Group Managed Service Accounts – a new security principal called gMSA. 

With gMSA, you can now have services running on multiple hosts inside your domain using these accounts. 

The requirements are pretty steep, so you would need to determine if using gMSAs would be worth the risk. 

1)  The Schema must be brought up to the Server 8 version.  So, the Forest Root needs at least one Server 8 DC.

2)  Each domain within the Forest requires at least one Server 8 DC.  This is because the gMSA principals need to be run through the Group Key Distribution Service for password management / updates across whatever servers they are being used – which is a new service on Server 8.

3)  Only services running on Server 8 can use these principals.

As was the case with MSAs on Server 2008 R2, only the IIS Application Pools and the Windows Service Control Manager support these accounts.  Authentication for these accounts can be done against any DC running any version of OS.

These accounts can only be created via Active Directory Administrative Center and their password change interval can be set here at the same time.
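Because one gMSA password is shared by every host allowed to fetch it, it is worth reviewing who can retrieve it and how often it rotates. The report below is an added example, not part of the original post; it assumes the ActiveDirectory module as shipped in Windows Server 2012, and the function name is hypothetical.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module from Windows Server 2012; Get-GmsaReport is a hypothetical name.
Import-Module ActiveDirectory

function Get-GmsaReport {
    $props = 'PrincipalsAllowedToRetrieveManagedPassword', 'msDS-ManagedPasswordInterval'

    Get-ADServiceAccount -Filter * -Properties $props |
        # Skip the older single-host MSAs; keep only group managed accounts.
        Where-Object { $_.ObjectClass -eq 'msDS-GroupManagedServiceAccount' } |
        ForEach-Object {
            # Resolve every principal that may fetch the managed password.
            $readers = foreach ($dn in $_.PrincipalsAllowedToRetrieveManagedPassword) {
                try {
                    $obj = Get-ADObject -Identity $dn
                    '{0} ({1})' -f $obj.Name, $obj.ObjectClass
                } catch {
                    "unresolved: $dn"
                }
            }

            [pscustomobject]@{
                Account              = $_.SamAccountName
                PasswordIntervalDays = $_.'msDS-ManagedPasswordInterval'
                CanRetrievePassword  = @($readers) -join '; '
                # A group here means its whole membership can read the password.
                GrantedViaGroup      = [bool](@($readers) -match '\(group\)$')
                NoReaders            = (@($readers).Count -eq 0)
            }
        }
}

Get-GmsaReport | Sort-Object Account | Format-Table -AutoSize
```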

Once I get Server Manager working again, I can post a few screen shots!

Enjoy!

 

 

 

Server 8 – Fine-Grained Password Policy GUI

Since Windows Server 2008 we have had the ability to use more than one Password Policy per domain.  It was less than ideal to set up and configure this feature, so many Admins held off.

Now, Server 8 brings us a GUI to manage it.  The only two prerequisites are having Active Directory Administrative Center installed and the Domain Functional level must be 2008 or better.

1)  To get started, launch ADAC.

2)  Create a few Global Groups – add some test users to each.

3)  Select your domain in the Navigation Node panel, and double click the System container in the center panel, then double click on the Password Settings Container.

 

4)  From this next screen, select New>Password Settings.

 

5)  On the Create Password Settings screen, fill in the required information.  In the Name field, use something descriptive that you can relate to the purpose of this unique policy.  In my example, I named it the same as the Global Group it would be applied to – this way, I could use the description field in the Group properties to describe more detail of restrictions.  You also have a Description field within the Password Policy that can be used to detail whatever change needs to be applied.  For the Precedence field, start your numbers with enough free numbers between the number you select and 1, so that you give yourself the ability to add policies with higher precedence in the future without the need to change this constantly.  Change any other settings you require, don’t forget to put something in the Description field that is meaningful to the policy details.  When you have completed the policy details, select the Add button under the Directly Applies to panel header.

 

 

6)  The standard Select Users or Groups applet appears.  Type in your group name, press Check Names, then OK if the principal resolves to a good name.

 

7)  From the Create Password Settings screen, press OK if you are finished.  You should now return to the Password Settings Container that shows your new policy in the centre pane.

 

8)  Any of these policies can be edited by right-clicking the policy and selecting Properties, making the changes then pressing OK.

9)  To delete a policy, you must first open it, uncheck the “Protect from accidental deletion” checkbox and press OK; only then can you delete it.

More information regarding Fine-Grained Password Policies and how they work can be found here:

http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx
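After creating policies in the GUI, it helps to confirm which one each test user actually receives, since the policy with the lowest Precedence number wins. The check below is an added example, not part of the original post; it assumes the ActiveDirectory module, and the group and policy names in the last line are placeholders.

```powershell
# Added example (not from the original post). Function names are hypothetical;
# 'Finance-Users' is a placeholder for a group and a policy named after it.
Import-Module ActiveDirectory

function Get-PsoOverview {
    # List every Password Settings object, highest priority (lowest number) first.
    Get-ADFineGrainedPasswordPolicy -Filter * -Properties Description |
        Sort-Object Precedence |
        Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled,
                      LockoutThreshold, MaxPasswordAge, Description,
                      @{ n = 'AppliesTo'; e = { $_.AppliesTo -join '; ' } }
}

function Test-GroupPasswordPolicy {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $ExpectedPolicy
    )

    # Password Settings objects only take effect on users and global security groups.
    $group = Get-ADGroup -Identity $GroupName
    if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
        Write-Warning "$GroupName is not a global security group; a policy linked to it is ignored."
    }

    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            # Returns nothing when the user falls back to the default domain policy.
            $pso = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
            [pscustomobject]@{
                User            = $_.SamAccountName
                EffectivePolicy = if ($pso) { $pso.Name } else { '(default domain policy)' }
                Precedence      = if ($pso) { $pso.Precedence } else { $null }
                AsExpected      = [bool]($pso -and $pso.Name -eq $ExpectedPolicy)
            }
        }
}

Get-PsoOverview | Format-Table -AutoSize
Test-GroupPasswordPolicy -GroupName 'Finance-Users' -ExpectedPolicy 'Finance-Users' |
    Where-Object { -not $_.AsExpected }
```

Any rows returned by the last command are users who belong to the group but receive a different policy, usually because another policy with a lower Precedence number also applies to them.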

Enjoy!

 

Server 8 – ADAC PowerShell History

A really nice feature of ADAC in Server 8 is the ability to visually see what PowerShell code is used to execute any of your tasks within Active Directory Administrative Center (ADAC).  I’m a little old school, but PowerShell is something I have yet to master, so any help I can get building scripts is a bonus.

The only real prerequisite is to have ADAC installed.

1)  From Administrative Tools, launch Active Directory Administrative Center.

2)  Create a few test users.

3)  Create a new OU – call it Test1.

4)  Now, if you notice the panel header at the bottom of the window, Windows Powershell History – select the arrow on the right to expand this pane.

 

5)  Select your domain under the Navigation panel, then double click the Users container in top, center pane.  Select one of your test user accounts – in my example, I selected Mike Smith.  Under the Task panel, select Move.

 

6)  In the Move dialogue box, select the Test1 OU that you created earlier.  Press OK.

 

7)  Your user is immediately moved.  Have a look at the lower panel now and scroll to the very bottom until you find a command “Move-ADObject” – expand it, and this is the command that does the work.

 

8)  If you want to, you can use the right context menu to Select All, Copy or get Help – this will be useful if you plan to build a set of PowerShell scripts for later use.  Note that using “Select All” will select all the commands in the History window.

 

I think I’m going to be using this feature a lot while I learn PowerShell!

Enjoy!

 

Server 8 – Installing Active Directory

Gone are the days of DCPROMO.  To install Active Directory on a fresh Windows Server 8 machine, it’s all now managed through Server Manager.  Below is a walkthrough with screenshots.

1)  After installing the new Server 8 OS and restarting, when you log in with the Administrator account Server Manager launches.  There are some other tasks that should be done prior to installing Directory Services, such as ensuring you have a static IP address, the servername is correct, and any other details you require.  Once you are ready, from Server Manager, select Add Roles.

 

2) On the Before You Begin page, read over the warnings and press Next.

 

3)  At the Select Installation Type, accept the default Role-Based installation.  Press Next.

 

4)  On the Server Selection screen, select your server in the list.  The new cool thing you can do is select multiple servers to do this to all at once.  Press Next.

 

5)  On the Select Server Roles screen, check the box beside Active Directory Domain Services.  Press Next.

 

6)  The next screen is more of a prompt to let you know more Features need to be added for Directory Services and gives you the opportunity to add them by pressing Add Required Features.

 

7)  Since I’m only installing one server for testing, I went into the Features pane and added more of the tools from Remote Administration.  Press Next to continue.

 

8)  At the Active Directory Domain Services page, read the info and press Next.

9)  At the Confirmation Screen, carefully look over the summary and if there are no changes, press Install.

 

10)  When the proper services and bits are loaded on the server the Results screen is displayed.  If you’re like me and scanned it over and saw the installation was successful, you probably pressed the Close button.  Not so fast!!!  If you notice the link I am indicating by the red arrow, “Promote this server to a Domain Controller”, this is where AD is actually installed.  For such an important piece of the process to be obscurely hidden in a link way up there is really sloppy.  To launch a second wizard that actually does install AD rather than just the underlying bits, select that link now.  If you already pressed Close (like I did….) then there is another place to launch this secondary wizard – see Step 11.

 

11)  Optional – if you pressed Close in the Results screen, then AD is not installed.  Launch Server Manager, and select the Dashboard link.  Scroll way down until you find the red Active Directory section.  Under that is a tiny, tiny link that is labelled “More…” – select it.  If you saw and pressed the link in Step 10 then skip to Step 13.

12)  Another task screen will open – find the link way over at the end of the line that is kind of dimmed, select it to launch the next wizard.

 

13)  On the new Active Directory Domain Services Configuration Wizard (that’s a mouthful!), for Deployment Configuration, select your option of adding a DC to an existing domain, adding a Domain to an existing Forest, or creating a new Forest.  In my case, it was a new Forest.  Specify the Root Domain.  Press Next.

 

14)  On the Domain Controller Options screen, select the Forest and Domain functional levels you want, check the box next to Domain Name System (since I am installing the first DC, this step is necessary as I do not have any other DNS servers for this Forest/Domain) – if you have DNS already present for the DC you are setting up then DNS may be optional for you.  Specify the DSRM password – please note: this is NOT the local Administrator password; it is for the local SAM when booting into Directory Services Restore Mode and AD is not loaded – write it down and don’t lose it!!  Press Next.

 

15)  On the Additional Options screen, you can change the location of the AD database (DIT), logfiles and SYSVOL – but unless you have a very compelling reason it’s best to leave them at the default locations.  Press Next.

 

16)  On the Review your options screen, read through carefully to ensure that everything is correct.  Press Next to continue.

 

17)  The Wizard will now run a few Prerequisite checks to ensure AD can be configured as you requested.  If the check is successful, you may continue by pressing Install.

 

18)  The Installation pane is now displayed.  As AD is configured, the status is displayed in the pane.

 

19)  If the installation was successful, you will be presented with the following screen.  If there were issues, they will be listed under the dropdown for Detailed operation results.  Press Close to complete the wizard and reboot your newly promoted DC.
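The whole walkthrough, role install plus promotion of a new forest, can also be run from PowerShell. This is an added example, not part of the original post; it assumes the ServerManager and ADDSDeployment cmdlets as shipped in Windows Server 2012 (names may differ in the beta), and the domain names are placeholders.

```powershell
# Added example (not from the original post). Cmdlet names assume Windows
# Server 2012; corp.example.test and CORP are placeholder names.

# Steps 1-10: install the role binaries and the management tools.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Import-Module ADDSDeployment

# Step 14: the DSRM password is prompted for and never stored in the script.
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password (not the local Administrator password)'

# Steps 13-15: new forest, DNS on this first DC, default file locations.
$forest = @{
    DomainName                    = 'corp.example.test'
    DomainNetbiosName             = 'CORP'
    InstallDns                    = $true
    SafeModeAdministratorPassword = $dsrm
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
}

# Step 17: run the prerequisite checks first; this changes nothing on the server.
$checks = Test-ADDSForestInstallation @forest
$failed = $checks | Where-Object { $_.Status -ne 'Success' }
if ($failed) {
    $failed | Format-List Status, Message
    throw 'Prerequisite check did not pass; the server was not promoted.'
}

# Steps 18-19: promote the server. It reboots when the promotion completes.
Install-ADDSForest @forest -Force
```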

 

Wow!  That was a ton of work.  Now, I’m not usually critical of Microsoft because they tend to try their best to improve things – however…. with DCPROMO you had 13 very quick and dirty screens to promote a server.  Apparently, we have 17 now if you don’t miss the Promote link in Step 10.  I hope this gets a bit more refined before the final product – especially that really poorly placed link to promote the server to a DC!

Now that I have AD installed, I can begin to post about the new and/or improved features I see in Server 8.

Enjoy!

 

Server 8 – Improved Active Directory Recycle Bin

Windows Server 8 has vastly improved a few utilities and added some new ones – I will only touch on the Active Directory-related improvements.

Recovering accidentally deleted items in AD has been possible for a while now, but it has traditionally required Directory Services Restore Mode to accomplish it.  This required taking the DC offline to effect the change.  In Server 2003 we could use Tombstone Reanimation, however link-state and non-link-state attributes were not completely (if at all) recovered with the object.  This is relatively old news and there has been lots of information posted about it.  In Server 2008 R2, it became Recycle Bin.  Enabling it was a PowerShell command, and restoring objects was tedious and error-prone.

 

With Server 8, we now have a GUI to help take care of this – and it’s so easy to use even a Cave Man can do it! (Sorry Geico!).

First off, the prerequisites haven’t changed, you still need a minimum of Forest Functional level of Windows Server 2008 R2.  This means all AD DS DCs and all servers hosting AD LDS must be running 2008 R2.  Recycle Bin is disabled by default because it cannot be disabled once you enable it (it’s an irreversible process).  You need to be absolutely sure you need and want this feature because it cannot be rolled back – and because of this, certain abilities such as the ability to roll back functional levels will be lost.  Recycle Bin is managed using Active Directory Administrative Center (ADAC), and therefore that feature needs to be installed.

Once you understand the risk, the prerequisites are met and you wish to proceed, install ADAC, launch it and perform the following actions:

1)  Select your domain under the Navigation Node.  Notice the link under Tasks.  Select the link to Enable the Recycle Bin.

2)  You will be warned about this one-way process.  Press OK to proceed.

 

3)  You’ll now need to refresh the view in ADAC to see the new container.  If you have many DCs in your environment, it may take some time to replicate the changes.  Be patient before you go testing it out.  If you only have one or two DCs that are on the same wire it should be very quick.  Press OK to continue.

 

4)  If it worked as expected, you’ll notice a nice new container for Deleted Objects.

 

5)  You want to test it out – I know you do!!  Create a test object (a User or Computer) and allow it to replicate out.  Go into Active Directory Users and Computers (or use ADAC), find this object and delete it.  From within ADAC, open the new Deleted Objects container.  Inside, you’ll find your deleted object – in my test it was Mr. Delete Me.

 

6)  To restore your object, simply select it in the Deleted Objects pane and take note of the two new Tasks that appear.  You can Restore or Restore To…  By selecting Restore, your object is restored to its original container immediately, with no further prompts.

 

7)  If you select Restore To…, you get the following dialogue box that allows you to select the new container or OU where you would like the object to be restored to.  Press OK once you have made your selection and it occurs immediately with no further prompts.
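The check and the two restore options from Steps 5 to 7 can be scripted as well. This is an added example, not part of the original post; it assumes the ActiveDirectory module, the function names are hypothetical, and the account name and OU in the usage lines are placeholders.

```powershell
# Added example (not from the original post). Function names are hypothetical;
# 'deleteme' and the OU path are placeholders.
Import-Module ActiveDirectory

function Test-RecycleBinEnabled {
    # The feature is on once it lists at least one enabled scope.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    return [bool]($feature -and $feature.EnabledScopes.Count -gt 0)
}

function Restore-DeletedAdObject {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $TargetPath    # omit for "Restore", supply an OU for "Restore To..."
    )

    if (-not (Test-RecycleBinEnabled)) {
        throw 'The AD Recycle Bin is not enabled in this forest.'
    }

    # Look in the Deleted Objects container for the account.
    $filter  = "isDeleted -eq `$true -and sAMAccountName -eq '$SamAccountName'"
    $deleted = @(Get-ADObject -Filter $filter -IncludeDeletedObjects -Properties lastKnownParent)

    # Refuse to guess when the name matches nothing or several deleted objects.
    if ($deleted.Count -ne 1) {
        throw "Expected exactly one deleted object named '$SamAccountName', found $($deleted.Count)."
    }

    if ($TargetPath) {
        Restore-ADObject -Identity $deleted[0] -TargetPath $TargetPath -PassThru
    } else {
        # With no target, the object returns to its last known parent container.
        Restore-ADObject -Identity $deleted[0] -PassThru
    }
}

Restore-DeletedAdObject -SamAccountName 'deleteme'
# Restore-DeletedAdObject -SamAccountName 'deleteme' -TargetPath 'OU=Test1,DC=corp,DC=example,DC=test'
```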

 

With this new method of using Active Directory’s Recycle Bin feature it takes all the complexity away and makes it a very useful way of recovering from accidental deletion.  Nice job from our Directory Services PG!

Have fun!

 

NetApp Ontap 8.x CIFS share and AD groups

Today I ran across an issue with CIFS on a NetApp filer running Ontap 8.01 while attempting to add some AD Groups to the Share permission on the filer.

Using System Manager 2, System Manager 1.1, the CLI, etc – I was unable to add any Active Directory groups to the share permissions of shares created in CIFS.

Turns out it’s a bug….

http://now.netapp.com/NOW/cgi-bin/bugrellist?bugno=371143

The way to deal with it is to use Computer Management from a Windows box, Connect to Another Computer, enter the filer name, then use the Shares section to manage permissions.

Hope this saves someone some time!

 

Windows Server 8 – disable Metro UI

Hey again,

I’ve been involved with some Windows Server 8 scenario testing via MS Connect invitation and have been extremely distracted with the new Metro UI.  I can appreciate the fact that Microsoft wants to unify all Win 8 platforms and bring a host of new “look and feel” goodness to their Windows vNext line of OSes, however…..

This is a SERVER – so distractions such as the Metro UI and the fact that you really, really, really (get the point!) need a touchscreen to benefit from it make navigating very painful.

So….let’s disable it for testing anyway.

This only affects the currently logged in user.  If you can find it, run Regedit and navigate to the following key:  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer

Change the value of RPEnabled to 0 (zero).

 

This has been blogged about elsewhere also, but I thought I would help spread the word – tested and working in the familiar interface once again.

More to follow…..