Re-Awarded: Microsoft Most Valuable Professional (MVP) for Directory Services

Wohoo, what a way to start a new year! I just got the message that I have been re-awarded as MVP for Windows Server – Directory Services. This is my 11th consecutive MVP Award.


Thanks Microsoft, and I’m looking forward to a great year!



A great TechEd so far …

… will get even better. Tomorrow morning Sam Devasahayam and I will present the session “What’s new in Active Directory in Windows Server 2012”. It’s loaded with information from the Active Directory Product Group, and I’ll bring in some real-world scenarios. I’m looking forward to the session. Loads of information and loads of reference slides to take away after the session.

After the success at TechEd US we decided that we are again taking questions via Twitter. If you come to the session and have a question but don’t feel like walking up to one of the microphones, you can use Twitter to ask it and we will get to it in the session, or if we are running short on time we will get back to it afterwards.

Questions? Simply use the hashtag #TESIA312 for tomorrow’s session.


Hopefully will see you there!


P.S.: If you like the session, please don’t forget to fill in the session evaluation. I will provide a MS-Tag and QR-Code right at the end of the session, so have your phones ready Winking smile

Session “Evolution of AD Recovery” from TechEd US available online

Hi again,

I forgot to mention that the session is available online – for those who couldn’t make it to TechEd US and were asleep when it was streamed online. For everyone who will be at TechEd Europe, don’t watch it now, come by and say hello in Amsterdam Winking smile


And … THANKS JIMMY for the pictures!

My demo equipment at TechEd

Hi there,

I spoke to multiple people who were totally excited about my demo equipment at TechEd, and was asked a couple of times if I could blog about it. So here we go.

The hardware I used is a Lenovo Tablet X220T – thanks Lenovo! It’s great hardware: I love to work with tablet PCs and have done so for years, but the one I had before died on me (it was my personal one, but I used it as my main device, reducing my work laptop to demo and test duty). I have always preferred Lenovo’s keyboards and their solid business laptops. And the tablet is great – I like being able to work in a train, a plane, wherever, having all input options (mouse and keyboard, touch or stylus) and choosing whether to write a long text using the keyboard, to review, sketch or handwrite annotations using the pen, or simply to touch the things I want to open or select. I want to work the way I prefer, not thinking about input but just doing it. I POWERED (had to say this in caps) the Lenovo with Windows 8, which rocks!! It’s also able to handle 16 GB of RAM, which is great for Hyper-V in Windows 8. There’s a new version out, the X230T, with USB 3, mSATA for broadband or an additional disk (cool: an mSATA disk for the OS, a traditional and bigger HDD for the data and VMs, in a convertible tablet form factor with 16 GB), and an optional battery where they claim up to 18 hours uptime. I cannot wait to get my hands on one of these, and if it’s as satisfying as I believe, it’s definitely shopping time for me. To get back to my presentation – I’ve done multiple presentations with the same hardware, and since I currently have only one internal HDD I’m using an external SATA drive with a PCI Express adapter to speed things up if I need more power for my VMs (I did this at The Experts Conference in April).

The new default installation option of Windows Server 2012 is Server Core. You are also able to switch back and forth – or in between. The options are Server Core, Full Server, or in between with Server Core with Management GUI. The last option has Server Manager and the management interfaces but still lacks Explorer (shell, Start Menu, file browsing), Internet Explorer and many other things. New to Server Core in Windows Server 2012 is that you can decide at any time to install or uninstall the management or full GUI. Additionally, Server Core now offers the possibility to uninstall binaries which are not needed. Back in the early days of Windows there were no unused binaries on disk; however, it was always a struggle when installing a new component on an existing server, because you were asked for the CD and had to insert the right language version and also the right distribution media (e.g. it depended whether it was volume licence media, off-the-shelf media, MSDN or TechNet, …). With some version – IIRC it was Vista/2008 – this changed and all the compressed binaries for all components (roles and features) were copied onto the system, even when they were not used, so that if anyone installed a component later (s)he wasn’t asked for the media.

Today, virtualization and packing multiple machines onto one host is critical, especially when we talk about cloud computing. So in Windows Server 2012 we are not only able to install or uninstall roles or features, we are also able to remove the binaries of uninstalled features from the system, giving the operating system installation a smaller footprint. When you have removed a feature you can still install it again, but you need to ensure that the machine is able to connect to Windows Update, or you need to provide the install.wim file, the installation media or an installed server to pull the binaries from.

I’ve created a base image (I always do this and then create differencing disks for the individual machines; this gives higher performance with multiple machines, needs less disk space and makes creation of new machines easy).

So since it’s the new installation default, and I think that is a great way to go (reducing systems to what they are supposed to do), I used Server Core as the only operating system option for my demos at TechEd. I decided to strip down the base image as much as possible, and ran a PowerShell command right after the installation to remove the binaries of all features which are not in use:

Get-WindowsOptionalFeature -Online | ForEach-Object {
    # Only features that are still disabled: remove their on-disk payload as well
    if ($_.State -eq 'Disabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName $_.FeatureName -Remove
    }
}
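As an added example (my own code, not from the original post), here is the other half of that workflow: a summary of which features ended up with their payload removed after the command above, and a helper that brings one feature back from the install.wim of the installation media rather than from Windows Update, which is the situation described in the paragraph before. The WIM path, image index and feature names are assumptions for a lab.

```powershell
# Added example (not from the original post): inventory optional-feature payload
# state on a Server Core box and restore one feature's binaries from install.wim.
# Paths, WIM index and feature names below are assumptions for a lab.

function Get-FeaturePayloadSummary {
    # Groups optional features by state. 'DisabledWithPayloadRemoved' is the
    # state the -Remove switch in the post's one-liner produces.
    Get-WindowsOptionalFeature -Online |
        Group-Object -Property State |
        Select-Object Name, Count,
            @{ n = 'Features'; e = { ($_.Group | ForEach-Object { $_.FeatureName } | Sort-Object) -join ', ' } }
}

function Restore-FeaturePayload {
    param(
        [Parameter(Mandatory)] [string] $FeatureName,
        # Assumed location of the installation media's WIM and the image index
        # (index 2 is a placeholder; check it with Get-WindowsImage -ImagePath).
        [string] $WimPath  = 'D:\sources\install.wim',
        [int]    $WimIndex = 2
    )
    $feature = Get-WindowsOptionalFeature -Online -FeatureName $FeatureName
    if ($feature.State -ne 'DisabledWithPayloadRemoved') {
        Write-Host "$FeatureName is '$($feature.State)'; nothing to restore."
        return $feature.State
    }
    # -LimitAccess keeps DISM from contacting Windows Update, so the payload has
    # to come from the WIM we point at (a mounted or extracted media folder also
    # works as -Source). -NoRestart lets us batch several features first.
    Enable-WindowsOptionalFeature -Online -FeatureName $FeatureName `
        -Source "wim:$WimPath`:$WimIndex" -LimitAccess -NoRestart | Out-Null
    (Get-WindowsOptionalFeature -Online -FeatureName $FeatureName).State
}

# Usage (assumed values):
#   Get-FeaturePayloadSummary | Format-Table -AutoSize
#   Restore-FeaturePayload -FeatureName 'DirectoryServices-DomainController' -WimPath 'D:\sources\install.wim' -WimIndex 2
```

Run it elevated on the Server Core machine. The summary is worth keeping from before and after the stripping run, because the `DisabledWithPayloadRemoved` list is exactly what you will need media for later on.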


I needed the management tools somewhere, so I put the Remote Server Administration Tools (RSAT) for Windows 8 on the host operating system. Some configuration is needed when you want to remotely install a Server Core machine as the first domain controller, since the client and the server are obviously not in the same domain. It can be done (enable remote management on the server, configure the client to trust the server using Windows Remote Management and HTTPS, …), but for some things you’ll have to fall back to the command line in Server Core (Server Manager allowed me to install the binaries, however it was unable to promote the DC; I had to do this with dcpromo /promotes …). And I always had to right-click and configure the account used for management. This is not the experience I want for the attendees of my session.

So I decided to join the host to the domain of the virtual machine on the same host. Risky? Not really. The default configuration starts the VM at host boot if it was running when the host was powered down. But it takes a bit longer than the host, apparently. Also, cached credentials allow me to log on without a running DC. So when I logged on too quickly, I didn’t get a Kerberos ticket and was unable to access the server. But [WIN]+[L] to lock Windows and then logging back on is a workaround in this case, and I made sure before my session that I was able to start Server Manager and work remotely against my machine.

Joining the machine was a bit tricky. I tried to avoid mangling DNS. On the conference net my client gets its IP settings via DHCP, but trying to keep the server on DHCP was a hassle since I needed to reconfigure the trusted hosts. So my DC needed a static IP, and I wanted this to be different from the conference net. So the client was basically on two different subnets. But it needs full DNS access to the DC in order to join the domain and in order to work. LMHOSTS and HOSTS files are not an option, since you can’t configure SRV records there (which is what the client is looking for in an Active Directory domain). So one option was to configure the client (=host) to use only the DNS services of the DC. But the DC was not able to forward requests – remember, it’s on a separate network. And I didn’t need internet connectivity for the DC, but I did for the client (since I allowed questions via Twitter in my session).

So I thought it would be cool if I were able to use conditional forwarding on the client. Conditional forwarding is a DNS server feature introduced in Windows Server 2003, where you can configure that certain DNS namespaces are not resolved via the standard forwarder but via another specific one. Conditional forwarding (and stub zones) are frequently used within companies when they have multiple DNS namespaces.

Conditional forwarding on the client brought me to DirectAccess. In DA you are able to configure, on the client, which IP addresses and which DNS namespaces should be resolved against a corporate DNS server instead of using internet DNS services. DirectAccess is much more, but I just needed this piece. So I configured the Name Resolution Policy Table (NRPT) to forward requests for the virtual subnet or for my virtual DNS namespace to the virtual DC, and everything worked like a charm.
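To make the NRPT part concrete, here is an added example of my own (not the original post’s configuration) that does the same thing with the DnsClient cmdlets of Windows 8: one rule sends the forest’s DNS suffix (and with it the _msdcs SRV records the domain join depends on) to the virtual DC, a second rule covers reverse lookups for the lab subnet, and a check confirms the DC locator record actually resolves. The suffix `.lab.example`, the subnet 192.0.2.0/24 and the DC address are constructed lab values.

```powershell
# Added example (not from the original post): client-side "conditional forwarding"
# for a lab AD namespace via the NRPT. Lab suffix, subnet and DC address are
# constructed assumptions; run elevated on a Windows 8 or later host.

$LabDnsSuffix   = '.lab.example'            # assumed DNS name of the demo forest
$LabDcAddress   = '192.0.2.10'              # assumed static IP of the virtual DC
$LabReverseZone = '.2.0.192.in-addr.arpa'   # reverse zone for the 192.0.2.0/24 lab subnet
$RuleTag        = 'TechEd demo:'            # comment prefix so we can clean up later

function Add-LabNrptRules {
    # Forward lookups under the forest suffix go to the virtual DC; everything
    # else still uses the DHCP-assigned conference DNS servers.
    Add-DnsClientNrptRule -Namespace $LabDnsSuffix -NameServers $LabDcAddress `
        -Comment "$RuleTag forward lab namespace to virtual DC"
    # Reverse lookups for the lab subnet take the same path.
    Add-DnsClientNrptRule -Namespace $LabReverseZone -NameServers $LabDcAddress `
        -Comment "$RuleTag reverse zone for lab subnet"
}

function Test-LabNrptResolution {
    param([string] $DomainDnsName = $LabDnsSuffix.TrimStart('.'))
    # The DC locator SRV record is what the domain join and Kerberos need; if the
    # rule is in place this resolves via the DC even though the adapter's DNS
    # servers are the conference ones.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainDnsName" -Type SRV -ErrorAction SilentlyContinue
    $srvOnly = @($srv | Where-Object { $_.Type -eq 'SRV' })
    [pscustomobject]@{
        NrptRules  = @(Get-DnsClientNrptRule | Where-Object { $_.Comment -like "$RuleTag*" }).Count
        SrvRecords = $srvOnly.Count
        Targets    = ($srvOnly | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
    }
}

function Remove-LabNrptRules {
    # Remove only the rules we tagged, leaving any corporate NRPT policy alone.
    Get-DnsClientNrptRule | Where-Object { $_.Comment -like "$RuleTag*" } |
        ForEach-Object { Remove-DnsClientNrptRule -Name $_.Name -Force }
}

# Usage: Add-LabNrptRules; Test-LabNrptResolution; Remove-LabNrptRules when the demo is done.
```

`Get-DnsClientNrptPolicy` shows the effective table if you want to double-check what the resolver will do. Tagging the rules through `-Comment` is what makes the cleanup safe: the removal touches nothing that was not created by this script.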

I think this setup is really cool. I was able to demo almost everything without logging into the virtual machine, just by using the RSAT tools from the host. The host was able to connect to the internet and to the virtual world and knew where to go with every request. I was able to receive Twitter questions right on stage and answered them in the session (and also online after the session). And with the Windows 8 tablet, I was able to highlight areas using the pen, use touch to advance slides or to bring in the Twitter application on a split screen – Twitter to the right and the presentation to the left – without leaving the current topic, while also showing attendees which questions came in and that we really answer them on stage. Switching to the demo consoles was also easy using touch. And keyboard/mouse for demoing the server and typing commands in PowerShell or CMD.

It was a great success at TechEd US, and I will repeat the same setup and strategies at TechEd Europe in about a week.


“speaking 2.0” at Microsoft TechEd today

I’m speaking today about “The Evolution of Active Directory Recovery” at TechEd 2012 US (SIA319, 1pm in Hall N310). The session will also be streamed.

I had a great idea, and I’m looking forward to seeing how it works. And I haven’t seen this before Winking smile:

I’ll be taking questions using Twitter.

If you are in the audience (in the hall or online) and you have any questions, just tweet them using the hashtag #TESIA319 – this enables me to follow up with the answers either in the session, or, if we are short on time or have too many questions, afterwards. This also enables attendees who are not sitting close to a microphone, who are watching the streamed version, or who feel more comfortable writing than speaking to ask their questions.

Two simple rules: use the #TESIA319 hashtag – I will not monitor anything else during the session – and please ask questions about the areas I’ve already covered, so that we can avoid questions which are covered in the next slides.

Looking forward to the session and hopefully seeing you there!

Ulf B. Simon-Weidner

TechEd 2012 US

Hi there,

I’m currently at TechEd 2012 in Orlando, and it’s time to get back to blogging again. As you’ve probably seen, the Release Candidate for Windows Server 2012 and the Windows 8 Release Preview have been released.

No wonder that there is a lot of information at TechEd about the new Windows operating systems. I’ve been working with both versions for a while now and love the products. Computacenter Germany is in the Windows Server Rapid Deployment Program and we currently deploy WS2012 in production, and we are delivering a roadshow about Windows 8 where I have the honor of presenting the Windows Server 2012 features which support a great client infrastructure.

I’m speaking on Thursday at 1pm about the Evolution of Active Directory Recovery. I’m looking forward to the session – I delivered it just a few months back at The Experts Conference in San Diego, but have updated it a lot. There is not a single slide which is the same Winking smile. Additionally I’m excited to be running it from the release previews, but will post more details on my demo infrastructure later.

If you are at TechEd and interested in high-level Active Directory content, I encourage you to come by (or find me at the Active Directory & Dynamic Access to Files booth); if you sent your colleagues, let them know. The session will also be live streamed for those who couldn’t make it to TechEd. If you make it to TechEd Europe in Amsterdam later this month, don’t stay up late (in European time zones) to watch the stream but come by to the repeat of the session in Europe.

Let me know how you liked it, and don’t forget to provide official feedback if you want these deep-level content sessions about Active Directory to come back – it’s a small fight every year at TechEd, and in some years we had almost no AD sessions. Another reason why I’m so excited about this year’s TechEd.

Details about the session are at

If you want to tweet about it, please use #tesia319 and follow me @DSGeek.

Speaking engagements

I’m currently getting ready for some speaking engagements:

Tuesday next week (Sept 21st) I’m proud to moderate the Windows Infrastructure Track of the IIR IT-Admin Tech Talk. In this track we are covering not only the operating-system-related technologies, but also Cloud, Office 365, SharePoint and Exchange. I’ll also present two sessions myself there:

13 Years Active Directory
an overview of previous and future scenarios

I will cover various design considerations, misunderstandings of early designs, and whether corporate infrastructures have adjusted or should adjust. At the end we will take a look at challenges for future designs, on-premises and in the cloud.

Who am I in the cloud?

In this session I will talk about challenges and opportunities of cloud computing in general and Office 365 in particular: Does cloud mean sunshine for the CIO and rain for the Admin? Which skills are needed? What is the long-term strategy for cloud computing in your enterprise?

The IT-Admin TechTalk will be held in Frankfurt and is in German.

Also the next international conference is coming up. The Experts Conference Europe will also be in Frankfurt, in October this year, about half a year after TEC USA in Las Vegas. TEC is known as the best and most highly skilled conference when it comes to Directory Services, and has expanded over the years beyond the AD and FIM tracks to also cover Exchange, SharePoint and Cloud technologies in different tracks. TEC attracts the most highly skilled speakers; Microsoft values the conference so much that they send more Program Managers and Developers of the product groups to TEC than to their own IT-Pro conference, TechEd. Additionally TechEd EU will not happen this year, so maybe you are able to convince your boss. Las Vegas was a great success, with lots of interesting sessions and a lot of community interaction, and I’m very much looking forward to Frankfurt. This conference is in English.

At The Experts Conference I will deliver three sessions, but will post details later when the agenda is done.


First Developer Preview of Windows “8” released

In case you missed it: yesterday was the keynote of the BUILD conference (the Professional Developers Conference got a new name), and Steven Sinofsky (Vice President of the Windows Server Division at Microsoft) officially introduced the first version of Windows “8” to the broad public. Pretty exciting and a lot of changes. You can see the keynote at, and download the developer preview at If you are an MSDN subscriber there are more versions and information available, including a developer preview of the server version. If you are at BUILD, I highly recommend seeing the server sessions as well; as far as I know there is one today which will present an overview of what’s coming in the next server version. Pretty exciting!

Please remember:

  • Windows “8” is a codename and might change
  • It is a developer preview – not a quite stable beta – only for testing and for starting to develop for the new user interface (Metro, the same as on Windows Phone)

And BTW, some tips:

  • Since Vista you can install from a USB key, which I find totally cool. You are likely to have to re-format your USB key. You can do this using Diskpart.exe: “List Disk”, “Select Disk #” (make sure you have the key selected, as we will wipe it in the next step). “Clean” will wipe the key, then you have to “Create Partition Primary”, make it “Active”, and format it NTFS with “Format FS=NTFS QUICK”. FAT or FAT32 won’t work since the image of the developer preview is over 4 GB. Copy all files from the (extracted) ISO image to the USB key. Afterwards you can boot from the key and install.
  • If the installation fails to find the disk drive and prompts you to point to a driver, it might be an issue with the USB key (some are detected as hard drives and cause issues when installing). Try a different key, or burn the ISO. Bad news here – you need to burn it to a dual-layer DVD since it’s too large. And installing from a USB key is usually faster than from DVD.
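Since the “make sure you have the key selected” step is the one that costs people a data disk, here is an added example of my own (not from the original post) that scripts exactly the diskpart sequence above, but only after checking that the chosen disk number really sits on the USB bus. It assumes the Storage cmdlets of Windows 8 or later on the machine preparing the key; the disk number, label and media folder in the usage line are placeholders.

```powershell
# Added example (not from the original post): prepare a USB key for a >4 GB
# installation image with the post's diskpart steps, refusing to touch any
# disk that is not USB-attached. Assumes Windows 8+ Storage cmdlets (Get-Disk,
# Get-Partition, Get-Volume). Disk number, label and media path are placeholders.

function Format-InstallUsbKey {
    param(
        [Parameter(Mandatory)] [int]    $DiskNumber,
        [Parameter(Mandatory)] [string] $ExtractedIsoPath,   # folder holding the extracted ISO contents
        [string] $Label = 'WIN8DP'
    )
    # Safety check before 'clean': the bus type must be USB, otherwise we are
    # about to wipe an internal drive.
    $disk = Get-Disk -Number $DiskNumber
    if ($disk.BusType -ne 'USB') {
        throw "Disk $DiskNumber ($($disk.FriendlyName)) is on bus '$($disk.BusType)', not USB. Refusing to wipe it."
    }
    if (-not (Test-Path -Path (Join-Path $ExtractedIsoPath 'sources\install.wim'))) {
        throw "'$ExtractedIsoPath' does not look like extracted installation media (no sources\install.wim)."
    }

    # Same commands as the post's list, fed to diskpart as a script file.
    # NTFS is required because install.wim exceeds the FAT32 4 GB file limit.
    $dpScript = @"
select disk $DiskNumber
clean
create partition primary
active
format fs=ntfs quick label="$Label"
assign
exit
"@
    $scriptPath = Join-Path $env:TEMP 'usbkey.diskpart.txt'
    Set-Content -Path $scriptPath -Value $dpScript -Encoding ASCII
    diskpart.exe /s $scriptPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

    # Pick up the drive letter diskpart just assigned and copy the media onto it.
    $volume = Get-Partition -DiskNumber $DiskNumber | Get-Volume |
        Where-Object { $_.DriveLetter -match '[A-Z]' } | Select-Object -First 1
    if (-not $volume) { throw "No drive letter found on disk $DiskNumber after formatting." }
    $target = "$($volume.DriveLetter):\"
    Copy-Item -Path (Join-Path $ExtractedIsoPath '*') -Destination $target -Recurse -Force
    return $target
}

# Usage (placeholder values): Format-InstallUsbKey -DiskNumber 2 -ExtractedIsoPath 'C:\ISO\Win8DP'
```

`Get-Disk | Format-Table Number, FriendlyName, BusType, Size` beforehand shows you which number the key got; the function refuses anything that is not reported as USB, so a typo in the disk number fails instead of wiping the wrong drive.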

Enjoy the preview!


R2: Forest and Domain Mode can be reverted

I was asked many times “what may break if I upgrade the forest or domain mode?”. Usually … nothing! Actually I’ve never heard of anything breaking when the forest or domain mode was increased. However, with Windows Server 2008 or lower versions of domain controllers there was no possibility to roll back the forest or domain mode.

No way!

No way?

OK – you were able to do a forest recovery (recovering at least one DC of each domain in the forest and rebuilding the forest), however I doubt that this is usually an option.

What are domain or forest modes for? Actually the only thing they are responsible for is to tell all domain controllers that each domain controller in the domain or forest now has a certain operating system level, that there will be no new dcpromos of down-level operating systems (or at least they will not be successful, so no down-level DCs will be added to the domain), and that the domain controllers can enable certain features which are only allowed if all DCs are at the same level. Examples of this are linked value replication at the Windows Server 2003 level, fine-grained password policies at the Windows Server 2008 domain mode, automatic changes of SPNs, or the possibility to turn on the AD Recycle Bin at the Windows Server 2008 R2 forest mode. The domain or forest functional level change only ensures that there are no down-level DCs at that point, and publishes the status, letting all DCs know. Each DC locally makes the changes it needs to communicate at the new level, such as changing the database when the Recycle Bin is turned on, or publishing that it is willing to replicate attribute values separately instead of in one big blob.

However, companies were anxious about increasing the forest or domain level. Not because of any known harm, but because a recovery is not easy if anything should go wrong.

In Windows Server 2008 R2 the Active Directory product group made some changes: you are able to increase the domain and forest mode, you are also able to roll back the mode to Windows Server 2008, and you can switch around as you like. The upgrade of the forest or domain mode is reversible …

unless you enable an optional feature which requires this mode!

So this has changed. Forest or domain mode upgrades do not automatically enable features which make the mode non-reversible: you can first upgrade the forest or domain mode, wait for a few hours/days/weeks (as you like or as your company’s working practices require), and after you have ensured that all applications are working, turn on the features you like. Each new Active Directory feature (right now, in Windows Server 2008 R2, there is only the Recycle Bin) states whether it can be turned off again and whether it requires a certain forest or domain level. The Recycle Bin cannot be reversed and – as stated – needs the Windows Server 2008 R2 forest level.

So a rollback of the forest/domain mode is possible. However, once you have increased the mode to Windows Server 2008 R2, the user interface will not allow you to decrease the mode again. This might lead to some confusion.


But we also have the PowerShell cmdlets for Active Directory to help us out.

First we need to load the PowerShell cmdlets for AD:

Import-Module ActiveDirectory

Then we need to decrease the forest mode first (the forest mode specifies the minimum domain mode of any domain in the forest, therefore we cannot decrease the domain mode while the forest mode is higher):

Set-ADForestMode -identity (Get-ADForest).name -ForestMode Windows2008Forest

You can also specify the forest name in the “-identity” parameter, however I’m lazy, so I’m just getting the name of the current forest.

Next we are able to decrease the domain mode:

Set-ADDomainMode -identity (Get-ADDomain).name -DomainMode Windows2008Domain

And here is the result, the mode has changed and is changeable again:


Voilà, hopefully you don’t have to do this in production, but at least it is possible and should ease your migration efforts.
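Because the one thing that makes the rollback impossible is an enabled optional feature, I would put a check in front of the two Set-AD*Mode calls. Here is an added example of my own (not code from the original post) that reports the current forest and domain modes together with every optional feature that is enabled for some scope, and only then rolls the forest and all its domains back in the order described above. It uses nothing but the ActiveDirectory module; the target modes are parameters defaulting to the Windows Server 2008 values used in the post.

```powershell
# Added example (not from the original post): check that a functional-level
# rollback is still possible, then roll back forest first and domains second.
# Only the ActiveDirectory module is used; target modes default to the post's values.
Import-Module ActiveDirectory

function Get-RollbackReadiness {
    # An optional feature that is enabled for any scope pins the level it
    # requires. In 2008 R2 that is only the Recycle Bin, and IsDisableable tells
    # whether the feature could ever be switched off again.
    $forest   = Get-ADForest
    $blocking = @(Get-ADOptionalFeature -Filter * |
        Where-Object { $_.EnabledScopes.Count -gt 0 } |
        Select-Object Name, IsDisableable, RequiredForestMode, RequiredDomainMode,
            @{ n = 'EnabledScopes'; e = { @($_.EnabledScopes) -join '; ' } })
    [pscustomobject]@{
        Forest           = $forest.Name
        ForestMode       = $forest.ForestMode
        DomainModes      = ($forest.Domains | ForEach-Object {
                               "$_ = $((Get-ADDomain -Identity $_).DomainMode)" }) -join '; '
        BlockingFeatures = $blocking
        CanRollBack      = ($blocking.Count -eq 0)
    }
}

function Invoke-ModeRollback {
    param(
        [string] $TargetForestMode = 'Windows2008Forest',
        [string] $TargetDomainMode = 'Windows2008Domain',
        [switch] $Confirm
    )
    $ready = Get-RollbackReadiness
    if (-not $ready.CanRollBack) {
        throw "Rollback blocked by enabled optional feature(s): $(($ready.BlockingFeatures | ForEach-Object { $_.Name }) -join ', ')"
    }
    # Forest first: the forest mode is the floor for every domain mode, so the
    # domains cannot go below it until it has been lowered.
    Set-ADForestMode -Identity $ready.Forest -ForestMode $TargetForestMode -Confirm:$Confirm
    foreach ($domain in (Get-ADForest).Domains) {
        Set-ADDomainMode -Identity $domain -DomainMode $TargetDomainMode -Confirm:$Confirm
    }
    # Re-read so the caller sees the new modes.
    Get-RollbackReadiness
}

# Usage: Get-RollbackReadiness        (read-only, run this one first)
#        Invoke-ModeRollback -Confirm (prompts before each Set-AD*Mode call)
```

`Get-RollbackReadiness` on its own changes nothing, so it is the one to run on a production forest: if `BlockingFeatures` lists the Recycle Bin with `IsDisableable` false, the rollback is off the table no matter what the cmdlets let you type.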


“Active Directory” SPECIAL EDITION of the IT-Administrator published


MVP Florian Frommherz and I wrote a Special Edition of the IT-Administrator: almost 180 pages which provide in-depth information about Active Directory. We are discussing the Evolution of AD, Domain and Forest Strategies, Understanding the Domain/Forest Levels, LDAP Backgrounds and Application Performance testing, AD and DNS, AD Backup and Recovery, Background Information about the AD Recycle Bin, Virtualization of DCs, Replication Across Firewalls, RODCs, Delegation and MSAs, Fine Grained Password Policies and many more.
We are very happy with the result: a huge amount of in-depth information for any AD Admin or Consultant.

Sorry – just in German for now. But an interesting read.

If you got it, feel free to provide feedback!