Archive for the 'Active Directory' Category

More speaking engagements

Saturday, October 6th, 2007

While we are in preparation for TechEd:IT-Forum, which will be in Barcelona in November, there are more speaking engagements already scheduled:

October 24th and 25th:

The IT-Administrator asked me to speak about what’s new in DNS and Active Directory in Windows Server 2008 at the German Tradeshow Systems. (Details)

November 12th to 16th:

I’ll be delivering two sessions and an interactive session at TechEd:IT-Forum in Barcelona. My sessions will be “A Directory Services Geeks View on How to (not) extend your schema” and “Active Directory Recovery in Windows Server 2008”, and I will host an interactive session (like the chalk-&-talks of the previous year, a session where attendees are encouraged to ask questions and get them answered) with Stephanie from the AD Product Group about “Active Directory Domain Services in Windows Server 2008”.

February 19th to 21st:

Windows Server 2008 will be launched in Germany, and I’ll speak at the launch event in Frankfurt. My sessions are “Active Directory Domain Services and DNS in Windows Server 2008” and “A Directory Services Geeks View on Access Control Entries”.

March 2nd to 5th:

NetPro already announced the Directory Experts Conference 2008 in Chicago, and I was honored to be asked back as speaker.

Security-Boundary: Forest vs. Domain

Saturday, August 25th, 2007

About time for a somewhat technical post:

In a newsgroup we recently discussed whether it’s considered best practice to deploy a lot of single-domain forests as opposed to a single multi-domain forest. The major reason for this was that in the early Windows 2000 days, somebody said that the domain is the security boundary. After they figured out that you can elevate yourself to domain admin in an inner-forest trusted domain, they revised this statement and said that the only security boundary is the forest, not the domain.

Since this attack is not that likely, I prefer to state this differently:

  • The forest is the security boundary against malicious attacks (the attack is being done on purpose)
  • The domain is the security boundary against (domain) administrative mistakes

So for many things the domain might be enough of a security boundary. If you don’t trust the admins of a different domain enough, that is, you think they might perform an attack (= elevate their rights in an area where they don’t belong) on purpose, either fire them, fire them, don’t give them administrative rights, fire them, or put them into a separate forest.

Resource forests (yeah – back to the NT days) are sometimes a good idea too, especially if separate companies want to share resources; however, keep in mind that they are a bit harder to manage, and how well they integrate depends on the application. You are also better off using a solution like Microsoft Identity Integration Server (or the Identity Integration Feature Pack), which is now part of Identity Lifecycle Manager, to synchronize accounts into the resource forest; however, make sure to protect them well enough and that all parties trust the admins of the resource forest. MIIS/IIFP allows you to sync the passwords of the users in question (by using a password filter on all DCs to notify MIIS, which then changes the passwords in the connected directories) to allow better integration via single sign-on / single credentials [1]. Don’t forget to design processes for changes in the resource forest which are signed off by all participating companies.

OK – back to the subject – don’t blindly follow any recommendation to deploy only single-domain forests or to put everything into the same forest – think about whether it’s really necessary and valuable to deploy multiple forests/domains. At one point there was a recommendation: if you are designing your Active Directory and you think you need to add a different domain, rethink that decision. Not true in all scenarios, but think about your design.

One reason for multiple domains has been different password policies – and as I posted before, this reason is vanishing in Windows Server 2008.

There are multiple opinions on this, so don’t hold back on feedback / your thoughts.

P.S.: I do respect statements like the one “to recommend multiple single-domain forests” – they are a bit extreme, but they deliver the message. For example, a friend of mine was at one of the top security sessions at TechEd US (where they showed a real-world-unlikely attack), and afterwards in the bathroom he heard attendees who had just phoned their companies to instruct them to patch their servers. So even though the attack was not too likely to happen in a real company, it delivered the message to keep your systems secure.

[1] Single Sign-On: The user logs in once to his workstation and gets access to other resources automatically without re-authenticating.
Single Credentials: I made this up a couple of years ago – I think more valuable in the beginning are single credentials (combinations of username/password). Users in enterprises are sick of multiple accounts, because they have to remember different usernames and/or passwords, which leads to weak passwords. If you are able to synchronize the password for the user more easily than providing him with single sign-on, this is still valuable, since the users don’t have to remember multiple passwords. I wouldn’t mind entering the same password to access multiple applications; however, I do mind remembering different credentials.

DEC-Europe

Friday, August 24th, 2007

DEC-Europe is approaching, and since I was communicating heavily the past days about this conference I decided to sum up my favorite reasons why this is the conference to be:

  • It’s dedicated to Microsoft Directory Services
  • Attendees and speakers are usually in the same hotel, which encourages a lot of after-hour chats
  • This conference is of very high value for the Microsoft Identity and Access Management Product Group, therefore a lot of key players from the PG are there, and they hear your feedback.
  • The content is very technical – I’m very sure that everyone who attends is getting new knowledge, ideas,…
    I think I know a lot about Active Directory and DS in general, however every time I’m at DEC I’m boosting my knowledge.
  • It’s all about community. Even though it’s hosted by NetPro, it’s not about the company. They don’t want product pitches outside of the clearly marked sponsor sessions, they don’t talk much about their own products, they welcome everyone – even competing companies. It’s all and only about the Directory Services communities.
  • Microsoft Most Valuable Professionals and other industry notables are there and collaborate, answer questions, and just hang around.

I just booked my flights, and I’m very excited to be part of this great conference again. So I hope to see everyone in Brussels in a month.

Ulf

P.S.: I’ll be presenting the following sessions – and Gil, Guido, Jorge and I will also do a daily session about Windows Server 2008 Scenarios.

A Directory Services Geek’s View on Access Control Entries
You have already deployed Active Directory (AD), but still have a lot of domain administrators? You want to increase security, decrease the risk of administration gone awry and offload daily tasks to delegated admins? In this session you will learn how Access Control works in AD, notes from the field about implementing role based administration and how to figure out what to delegate. Additionally we will drill down on implementing delegation using scripts and share details on what to delegate. After this session you’ll be able to design and implement role-based administration in your infrastructure.

A Directory Services Geek’s View on How to (not) update your Schema
Are you:
– supposed to integrate some 3rd-party schema extensions in your forest?
– asked to design your own schema extension?
– trying to figure out how to administer additional or new attributes?
Then you have to see this session. We will clear up the fog around schema extensions by explaining the difference between schema extensions and schema configuration, talk about designing/evaluating schema extensions (when is an extension “smooth” and when is it dangerous), and provide guidance on creating administrative interfaces for additional / new attributes. We are also announcing how Windows Server 2008 helps you when extending your schema. Come to this very technical session to get the most complete coverage of schema extensions you have ever seen.

Timetraveling Active Directory

Wednesday, May 9th, 2007

When I posted about the Fine Grained Password Policies (aka Password Settings Objects) in the Active Directory of Windows Server “Longhorn”, I also got permission to blog about a very exciting new feature in Longhorn – the possibility to create and access Active Directory “Snapshots”. So what is this feature?

In all previous versions of Active Directory it has been very hard to:

  • determine which values an object had at a specific time in the past
  • determine which backup is the right one to restore in case of an Active Directory recovery
  • authoritatively restore objects in Active Directory
  • figure out and fix group memberships (as well as other forward-/backlink relationships) after an authoritative restore

However – in Windows Server “Longhorn” you’ll get the possibility to create Active Directory “Snapshots” (which is basically a Volume Shadow Copy of your operating system and Active Directory partitions – however, it is made sure that the AD database is in a consistent state). Afterwards you are able to mount these snapshots into the file system and start a read-only LDAP service on this database (DIT file). You can also start such a read-only LDAP directory from a previous backup whose files have been restored to a different place.

So how are we doing this?

First – let’s create a snapshot. The easiest way to do this is using ntdsutil.exe:

  1. On a Windows Server “Longhorn” Domain Controller, open the command prompt and enter ntdsutil
  2. Enter Snapshot to go into the snapshot subcontext
  3. Hit ? to see all options, just for your information
  4. Now we need to select the directory of which we want to create a snapshot – we could also use ADAM (called Active Directory Lightweight Domain Services in Windows Server “Longhorn”) – but in this case we care about Active Directory Domain Services, so enter Activate Instance NTDS
  5. Simply enter create, and a new snapshot is created. Note the GUID which is returned; we need it later (but I’ll show you a way to retrieve it anyway).

OK – that was easy – now let’s mount the snapshot into the file system:

  1. Still in the subcontext snapshot in ntdsutil, examine which snapshots you have on your local system by typing list all. Now you get a list of all snapshots on the system.
  2. Now we want to mount a specific snapshot. First copy the GUID right next to the date/time of the snapshot you want to mount to the clipboard. Then type mount <GUID>. You get the message that the snapshot is being mounted to a directory C:\$SNAP_datetime_VOLUMEC$\.
  3. Navigate with Windows Explorer to this directory (if you don’t see it you have to change your folder options) and examine its content. You’ll see that it includes a full snapshot of the volume.

But we wanted to start up our own R/O instance of Active Directory from this snapshot – there are no options in ntdsutil to do this. We need to use a different command: dsamain.exe

  1. Open up a new command prompt
  2. Type dsamain.exe -dbpath:c:\$snap_timedate_volumec$\windows\system32\ntds\ntds.dit -ldapport:10000 -sslport:10001 -gcport:10002 -gcsslport:10003 (replace the path with the path of the ntds.dit in your snapshot; the port numbers are up to you).
  3. The output should look as follows and inform you that the Active Directory Domain Services startup completed.

    Note that you don’t get back a prompt – whenever you decide you don’t need the new LDAP-Service anymore you’ll have to cancel it by hitting (Ctrl) + (C).

Now you can navigate in this “old version” of Active Directory. I strongly hope and assume you are not in your production network right now – so make some changes you’ll remember (such as changing a user’s properties, deleting something you don’t need anymore), so that you have a chance to see the changes between the two states of Active Directory. In this example we’ll simply use ADSIEdit.msc to navigate the snapshot – you can use any other LDAP browser, script or tool which allows you to select ports other than the default to navigate the LDAP directory.

  1. Start adsiedit.msc
  2. In adsiedit, use the Connect to… menu to specify your Active Directory Snapshot
  3. Now navigate the old version of Active Directory, and look for the changes you made.

After you are finished, you can stop dsamain with (Ctrl) + (C), then go back into the ntdsutil command line. To unmount the snapshot you can type dismount <GUID>. If you cannot remember which snapshots are mounted, you can also use the list mounted command in this subcontext of ntdsutil.

AD snapshots are the first time ever Microsoft gives us such an important tool to enable us to do object-level or attribute-level recovery using simple scripts, or to select which objects to restore authoritatively. Previously you had to remember the distinguishedName of the objects you wanted to restore, or restart the DC without a network connection – figure out the DN path – then restart it in Directory Services Restore Mode again, and finally perform the authoritative restore. And remember – you can also do this against a backup, so it’s a good way to figure out which is the best backup to restore in the case of an AD recovery.
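The whole procedure above (create, mount, dsamain, compare, clean up) as one script, added here as an example; it is not from the original post. It assumes an elevated PowerShell on a DC whose DIT lives on the C: volume, a free LDAP port 10000, a Domain Admin account (dsamain by default only lets Domain Admins bind), and a DN of your choosing in $TargetDN; the object is read from the live DC and from the snapshot over LDAP and the differing attributes are printed.

```powershell
# Added example, not the post's own code. Run elevated on a DC; adjust $TargetDN.
param(
    [string]  $TargetDN = 'CN=Test User,OU=Lab,DC=example,DC=local',   # assumed DN
    [int]     $LdapPort = 10000,                                        # port for the snapshot LDAP
    [string[]]$Attrs    = @('description', 'memberOf', 'userAccountControl')
)
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Base-scope LDAP read of one object; returns a hashtable attribute -> sorted, joined values.
function Get-AdAttributes([string]$Server, [string]$Dn, [string[]]$Names) {
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)   # "host:port"
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()                                                   # current (admin) credentials
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest($Dn, '(objectClass=*)', 'Base', $Names)
    $res = $conn.SendRequest($req)
    $out = @{}
    foreach ($n in $Names) {
        $vals = @()
        if ($res.Entries.Count -gt 0 -and $res.Entries[0].Attributes.Contains($n)) {
            $vals = $res.Entries[0].Attributes[$n].GetValues([string]) | Sort-Object
        }
        $out[$n] = ($vals -join '; ')
    }
    $conn.Dispose()
    return $out
}

# 1. Create the snapshot; ntdsutil prints the GUID we need for mount/unmount.
$text = ntdsutil snapshot 'activate instance ntds' create quit quit 2>&1 | Out-String
if ($text -notmatch '\{[0-9a-f-]{36}\}') { throw "No snapshot GUID in ntdsutil output:`n$text" }
$guid = $Matches[0]

# 2. Mount it; ntdsutil reports the mount point (C:\$SNAP_<datetime>_VOLUMEC$\).
$text = ntdsutil snapshot "mount $guid" quit quit 2>&1 | Out-String
if ($text -notmatch '(?<mp>[A-Z]:\\\$SNAP_[^\\\s]+_VOLUME[A-Z]\$\\?)') { throw "Mount point not found:`n$text" }
# Locate ntds.dit inside the snapshot via the DC's own configured DIT path (registry value is real).
$ditLive = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
$dit = Join-Path $Matches['mp'] ($ditLive -replace '^[A-Za-z]:\\', '')

# 3. Start the read-only LDAP instance in the background and wait until the port answers.
$dsamain = Start-Process dsamain.exe -ArgumentList "-dbpath:`"$dit`" -ldapport:$LdapPort" -PassThru -NoNewWindow
$deadline = (Get-Date).AddSeconds(90); $up = $false
do {
    Start-Sleep -Seconds 3
    $tcp = New-Object Net.Sockets.TcpClient
    try { $tcp.Connect('localhost', $LdapPort); $up = $true } catch { $up = $false } finally { $tcp.Close() }
} until ($up -or $dsamain.HasExited -or (Get-Date) -gt $deadline)
if (-not $up) { throw 'dsamain did not start listening' }

try {
    # 4. Compare the object in the snapshot with the live directory (port 389 on this DC).
    $live = Get-AdAttributes "localhost:389"       $TargetDN $Attrs
    $snap = Get-AdAttributes "localhost:$LdapPort" $TargetDN $Attrs
    $changed = 0
    foreach ($n in $Attrs) {
        if ($live[$n] -ne $snap[$n]) {
            $changed++
            "{0}`n  snapshot: {1}`n  live:     {2}" -f $n, $snap[$n], $live[$n]
        }
    }
    "$changed of $($Attrs.Count) attributes differ between snapshot and live directory."
}
finally {
    # 5. Clean up: stop dsamain (the Ctrl+C of the post) and unmount the snapshot.
    #    The post's beta build calls this "dismount"; the shipped ntdsutil command is "unmount".
    Stop-Process -Id $dsamain.Id -ErrorAction SilentlyContinue
    ntdsutil snapshot "unmount $guid" quit quit | Out-Null
}
```

Run it once, change an attribute of the target object, and run the comparison part again against the still-existing snapshot to see the diff; the snapshot itself stays on disk until you delete it in ntdsutil.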

Disclaimer: this blog post is about a beta-product which may change, I’ll try to update this blog-post if I recognize any changes.

Credits: Thank you Dmitri for this feature – you rock!

Windows Server "Longhorn" – Active Directory Attribute Editor and LDP

Tuesday, March 20th, 2007

Another article by Jorge mentions the new “Attribute Editor” in Active Directory-Users and -Computers (ADUC) and Active Directory-Sites and -Settings (ADSS). Basically you now have the property page of ADSIEdit in ADUC and ADSS, and you are able to configure all attributes of the selected object in a more generic view. I love this “feature” (*) – you’ll see it as soon as you have selected “Advanced View” in ADUC or ADSS and open the property page of an object.

Also I’d like to mention another great “feature” (*) of the property page – it shows you some of the data in a more human-readable form than ADSIEdit did. They are converting numbers now – e.g. to time values and so on.

Another thing which has improved in ADUC is that if you select a domain controller, you are able to access the NTDS-Settings object underneath it. For example, you are able to configure the DC to be a Global Catalog (or not) in this dialog box. This caused a lot of confusion in the past, where you were either able to see the DC’s properties in ADUC or to select whether it’s a GC or not in Active Directory-Sites and Settings – so well done Microsoft for deciding to show it in Active Directory-Users and Computers as well.

Jorge is also covering LDP in his post, and how much it has improved. What I really love in LDP is the Advanced Security Dialog, which displays a Security Descriptor with its DACL, SACL and ACEs in the GUI or via a text dump. Just select Browse -> Security -> Security Descriptor from the menu in ldp.exe, select the object, and choose whether you prefer a text dump or the “friendly view”.

Read Jorge’s article on Windows Server “Longhorn” – Management tooling to get more information about the possibilities in Active Directory-Users and -Computers and Active Directory-Sites and -Services.

(*) In Windows Server “Longhorn” we have Roles which we install, such as DNS-Server, Active Directory Domain Services, File Server, … and Features which are minor things to install such as Bitlocker, Telnet, Windows Backup, … so what do we call something which is a new thing but is not a Role or a Feature in the Product? In the past we’ve called it feature, but now we are without a wording for it.

dcpromo in Windows Server "Longhorn"

Tuesday, March 20th, 2007

Jorge’s Quest for Knowledge is currently covering a lot about the next Windows Server “Longhorn”, which is due later this year.

In his Post Windows Server Longhorn – Installing, Removing and Upgrading to AD he is covering a lot of the options you get with the new dcpromo in Windows Server “Longhorn”.

I refer to this as the “Next -> Next -> Finish” consultant-proof version of DCPromo. You know – Active Directory is a pretty complex topic; however, there were many people out there who claimed to know Active Directory because they were able to install it using DCPromo. But it requires a lot more than that.

Microsoft basically took care of the “common admin” by putting many of the best practices right into DCPromo, so if you install Active Directory with the defaults now, you get much of what you previously had to configure afterwards, and I do expect that we will get fewer calls from scenarios which lack best practices.

However you are still able to run dcpromo and configure many settings (actually much more) by selecting the advanced installation right on the first screen of the dcpromo-wizard.

If you have access to the beta or to MSDN – give it a try to explore the new dcpromo-wizard – you’ll love it!

Read Jorge’s article where he tells you more about Installing, Removing and Upgrading to AD in Windows Server “Longhorn”.

BGInfo in Vista and Longhorn

Tuesday, January 23rd, 2007

Did you try to use Sysinternals (now Microsoft) BGInfo on Windows Vista or Windows Server Codenamed “Longhorn”? Do you also prefer to see your network settings such as IP address and DNS server on the background screen of BGInfo?

So did you like the picture you’ve got? Here’s an example:

BGInfo in Vista/Longhorn Default

So apparently we are getting nine IP addresses and nine DNS servers back, but only one is configured. However, we only want the one address which is configured, not that of any virtual or other network interface. We can still use BGInfo, but we need to put some more brain into it.

BGInfo also allows you to configure Scripts or custom variables, and return their value. So in BGInfo, follow these steps:

  1. In BGInfo, underneath the list box “Fields” where you are able to select which values to see, click “Custom”
  2. In the dialog box “User Defined Fields”, click “New”
  3. In the dialog box “Define New Field”, choose an “Identifier”, such as “MyIPAddress”
  4. Under “Replace identifier with” click “WMI Query”
  5. In the text box “Path”, enter the following WMI Query:
    SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = TRUE
  6. Close the dialog box with OK and repeat from Step 2 to create another new field:

Identifier:
    MyDNSServer
Path (WMI Query):
    SELECT DNSServerSearchOrder FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = TRUE

After you have added MyIPAddress and MyDNSServer to your background, it’ll look like the following:

BGInfo - Fixed now with WMI

I’m still alive (3) – and MVP again!

Monday, January 22nd, 2007

So right after the new year started, I also got a great message: I was again reawarded as MVP for Windows Server – Directory Services. This is the fourth time in a row I got the award, and I’m really proud of it. THANK YOU Microsoft!

Currently work got me again, and this year will also be pretty busy. I’m looking forward to some interesting projects and some interesting conferences (I’d like to mention the Directory Experts Conference, which will be very exciting this year; we are already planning the pre-conference on Longhorn Server Active Directory and I’ll also give a few sessions).

But I’m totally recovered and working like crazy – and I have a couple interesting posts to take care of pretty soon, so stay tuned!

I’m still alive (2)

Monday, January 22nd, 2007

So after getting back from Barcelona I had a lot of work to make sure I’ll be able to take some vacation during X-Mas. Worked like crazy. Also I had to finish an article, which was published in January in the IT-Administrator. I covered Security-Basics, Delegation and implementing Rolebased Administration in Active Directory. Yes – it complements my talk [;)]

Finally I was able to go on vacation from X-Mas to the first week of January. I was looking forward to it – I’m used to much work; however, the last year was the worst ever and I was unable to finish everything – too many customers at the same time while always having issues finding “bodies”.

So what happened? Sure! If you give your body time to relax, it takes whatever it needs to recover. So I had a bad cold over New Year’s until the end of the first week in January. Not very relaxing, so I decided to stay at home the second week of January as well and keep my workload low.

I had to recover and deserved it!

TechEd EU 2006 in Barcelona

Sunday, January 21st, 2007

So … TechEd was just great – I can not describe it in other words.

As I wrote in a prior post, I had some sessions to take care of at TechEd. So after we arrived in Barcelona we first had a dinner with the MCT community, which we really enjoyed. There are so many MCTs out there who are so dedicated to their “passion” (and job) that it’s always a pleasure to meet everyone and enjoy geek-talking. After the conference started I still wanted to adjust the demos of my session to show some new stuff. Unfortunately I made a small mistake (if you have dual-boot with Vista RC2 and XP, try to avoid hibernating – especially if you have a laptop vendor which provides very bad drivers), so I had some hard disk corruption on my laptop. Did I mention that the PPTs and the demos were all supposed to run from my laptop (the XP part)? So I had some joy in fixing my laptop on the road without the CDs; however, I managed to get it up and running again (before, it went right into a bluescreen after the boot manager) – some files in XP were still corrupt (and they are currently still corrupt – I didn’t have the time to reinstall and I’m only using the Vista installation anyway). Learned it the hard way – do not hibernate with shared disks.

So after I was sure that at least PowerPoint and VPC were back and running, I adjusted my demos. The rest of the time of the first days (there wasn’t much, as you can assume) I spent in the Ask-the-Experts area and answered questions at the Longhorn booth. This is one of my favorite things at those conferences – you get so much insight into many issues within multiple companies, and how attendees (mis)understand the products. This also gives me ideas about which points we have to outline in talks and blogs, apart from enjoying helping the attendees.

On Wednesday I had the first of two Chalk-&-Talks with Kamal Janardhan (Group Program Manager in the Active Directory Program Group). The concept of Chalk-&-Talks is a mixture between Ask-the-Experts and breakout sessions. You have many attendees in a session room, you are not supposed to use PowerPoint (a few slides to help the discussion get started or to outline examples are accepted) and you are discussing technologies with the attendees. We did a Chalk-&-Talk on “Active Directory and DNS in Longhorn”. It was just great. Kamal is so deep into the planning and features of the technology, and I was able to contribute with my practical experience. We both enjoyed the session, and according to the discussion and feedback afterwards the attendees enjoyed it as well. I don’t think there was another session where you could get better knowledge of the topic. OK – maybe Kamal’s breakout session which covered the same topic – but I even think we were able to explain it better in the Chalk-&-Talk due to the discussion format of the session. We had the last session slot of the day and the room was crowded. There were people leaving because there was no more space. Afterwards in the hotel’s lounge some other speaker was complaining that the last session of the day was empty in many sessions and the attendees were supposedly already off partying, but I know where they were [;)].

On Thursday afternoon I had my own session: “A Directory Services Geek’s View on Access Control Entries (ACE)”. Since I just had a few minutes after the session prior to mine, I decided to use a longer break before to connect my laptop to power at the speaker’s desk and get it up and running, so that the session before allowed the power management drivers to “adjust”. Otherwise the time to start up as well as the performance would have been questionable. This was a good decision – I didn’t have any issues with performance, and the session and demos went very well (OK – I was a bit nervous because I still didn’t trust my recovered laptop). I love this session, since I was always missing geek-level content at TechEds, so I was happy to present it. There were a lot of interested attendees, feedback was great (e.g. “You can improve the conference by doing more sessions like this.”, and “excellent session – best one I have been to so far” on a Thursday afternoon). There were many interesting questions right after the session, but at some point we got bounced so that the next session was able to start. However, I went right back into the Ask-the-Experts area and had some lengthy discussions about the topic with some attendees. Very interesting talks – so we continued until we were told that the exhibition area was closing and we were to leave.

On Friday Kamal and I repeated our Chalk-&-Talk about “Active Directory and DNS in Longhorn” right in the morning. We had slightly fewer attendees (probably partying the night before, or everyone was in our first session) but the discussion was still very good. Kamal is impressive – at her own session she got a comment like “how comes a little girl tells all geek’s in here how technology really works” [;)]. After the Chalk-&-Talk we went to the Ask-the-Experts area, and I didn’t leave until the conference was over. There were so many interesting questions. Actually some attendees were coming up to me with their “list of questions” they made up during the week, so I was answering .. answering .. answering … (I call it the “streaming answering mode” now [;)]).

However – what a great week – every time again!