Congrats Microsoft: Windows Server 2008 is RTM

I cannot state it any better: the best Windows Server release ever has been released to manufacturing – Windows Server 2008 is finished.

Windows Server 2008 is very stable and very well-done for production use. As I wrote before, we at Computacenter have been using it in production since October 2007, and I have a customer where we have been running a full shop only on Vista and 2k8 since September (on Beta 3).

And we’ve also done a lot of things. To quickly recap just what we’ve done with customers: a 10-city roadshow in Germany (half-day sessions on WS2k8, last one will be in Berlin next week), countless presentations at customer or trade shows / events, countless sessions to make sure our staff is ready to sell and deliver WS2k8 solutions, one press release in October, and a couple of references which will be published shortly. We will be at the German launch event with many people, are a partner there with a booth, and I’ll deliver 3 sessions plus an interactive one. We created many flyers and solutions around the product, … just being ready to deliver.

I’m very excited about the new product – let’s start deploying more of it!

And here are the blogs which will give you a feeling how it was at Microsoft in the last couple hours:

Windows Server 2008 – RTM!!!

Windows Server 2008 – A time to sit back, remember and party!

I’m on the Edge [;)]


Last week I was at TechEd:IT-Forum in Barcelona. I’ll follow up with more details later. However the guys from have done an interview with me, which went online last night. I was speaking about my sessions, AD Restore in Windows Server 2008 and Schema Updates.

You can find it currently on the homepage, and here’s the direct link for later:

Ulf on AD at TechNet Edge

More speaking engagements

While we are in preparation for TechEd:IT-Forum, which will be in Barcelona in November, there are more speaking engagements already scheduled:

October 24th and 25th:

The IT-Administrator asked me to speak about what’s new in DNS and Active Directory in Windows Server 2008 at the German Tradeshow Systems. (Details)

November 12th to 16th:

I’ll be delivering two sessions and an interactive session at TechEd:IT-Forum in Barcelona. My sessions will be “A Directory Services Geeks View on How to (not) extend your schema” and “Active Directory Recovery in Windows Server 2008”, and I will host an interactive session (like the chalk-&-talks of the previous year, a session where attendees are encouraged to ask questions and get them answered) with Stephanie from the AD Product Group about “Active Directory Domain Services in Windows Server 2008”.

February 19th to 21st:

Windows Server 2008 will be launched in Germany, and I’ll speak at the launch event in Frankfurt. My sessions are “Active Directory Domain Services and DNS in Windows Server 2008” and “A Directory Services Geeks View on Access Control Entries”.

March 2nd to 5th:

NetPro already announced the Directory Experts Conference 2008 in Chicago, and I was honored to be asked back as speaker.


DEC-Europe is approaching, and since I have been communicating heavily about this conference over the past days, I decided to sum up my favorite reasons why this is the conference to be at:

  • It’s dedicated to Microsoft Directory Services
  • Attendees and Speakers are usually in the same hotel, encourages a lot of after-hour chats
  • This is the conference of a very high value for the Microsoft Identity and Access Management Product Group, therefore you have a lot of key-players from the PG being there, and they hear your feedback.
  • The content is very technical – I’m very sure that everyone who attends is getting new knowledge, ideas,…
    I think I know a lot about Active Directory and DS in general, however every time I’m at DEC I’m boosting my knowledge.
  • It’s all about community. Even though it’s hosted by NetPro, it’s not about the company. They don’t want product pitches outside of the clearly marked sponsor sessions, they don’t talk much about their own products, they welcome everyone – even competing companies. It’s all and only about the Directory Services communities.
  • Microsoft Most Valuable Professionals and other industry notables are there and collaborate, answer questions, and just hang around.

I just booked my flights, and I’m very excited to be part of this great conference again. So I hope to see everyone in Brussels in a month.


P.S.: I’ll be presenting the following sessions – and Gil, Guido Jorge and me will also do a daily session about Windows Server 2008 Scenarios.

A Directory Services Geek’s View on Access Control Entries
You have already deployed Active Directory (AD), but still have a lot of domain administrators? You want to increase security, decrease the risk of administration gone awry and offload daily tasks to delegated admins? In this session you will learn how Access Control works in AD, notes from the field about implementing role based administration and how to figure out what to delegate. Additionally we will drill down on implementing delegation using scripts and share details on what to delegate. After this session you’ll be able to design and implement role-based administration in your infrastructure.

A Directory Services Geek’s View on How to (not) update your Schema
Are you:
– supposed to integrate some 3rd-party schema extensions in your forest?
– asked to design your own schema extension?
– trying to figure out how to administer additional or new attributes?
Then you have to see this session. We will clear up the fog around schema extensions by explaining the difference between schema extensions and schema configuration, talk about designing/evaluating schema extensions (when is an extension “smooth” and when is it dangerous), and provide guidance on creating administrative interfaces for additional / new attributes. We are also announcing how Windows Server 2008 helps you when extending your schema. Come to this very technical session to get the most complete coverage about schema extensions you have ever seen.

VMRCPlus out of the secret storage

Finally VMRCPlus is available to the public. I was bugging MS for years if they can’t release it, and finally it’s available.

VMRCPlus is a frontend for the users of Virtual Server, which provides a full console application instead of having VMRC to connect to the screen plus the Webinterface to configure machines. Way cool. If you work with Virtual Server, this is a must-have! 

Thanks to Tomek’s DS World – I found this reading your blog [;)]

What’s up?

OK – it’s been a while since I last posted. Many things were going on.

The last post was in the Directory Experts Conference-Timeframe. Wow – a lot was going on. I’ll write later some thoughts about DEC, even if others have covered it well (like Gil, Joe, Jorge, Tomek) it’s worth some words.

What else was going on? OK – recently I’ve got ready for TechEd Orlando, where I answer questions in the Ask-the-Experts Area at the Windows Server – Active Directory Booth. Then I’m busy with a roadshow about Windows Server 2008 in Germany. If you are in Germany and have business relationships with Computacenter go to or ask your contacts to join. We have done and will do 6 locations until end of June (already been to Ludwigshafen, Nuremberg, Stuttgart and Saarbrücken and will be in Frankfurt and Munich in June), with more locations coming up in the second half of 2007. I did a lot to organize and create these events, and I’m working together with some great colleagues here, so if you are able to, take the chance and join.

Additionally, NetPro has announced that they will bring the Directory Experts Conference to Europe again this year, and I’m glad that I’m able to help by being an active part of that conference. I’m looking forward to it very much.

Otherwise … many customer events and other things around Windows Server 2008 – this will be a great release and customers are asking about it like crazy. It’s always a pleasure to see a product being successful where you were able to provide good feedback and you know that this feedback was appreciated and taken into account. I’m looking forward to the release, and as much as I’ve tested the previous and current versions, and what I know from RC1, this will be a blasting release. If you didn’t have a chance to look at it – do it now – you’re already late.

The baptism of a new Server: Windows Server 2008

Windows Server “Longhorn” finally got its name – as many would be surprised, it will be “Windows Server 2008”.

In the past Microsoft named its products after the fiscal year in which they were released – since their “Fiscal New Year’s Day” is in the middle of the year and the new release of Windows Server is announced for the second half of calendar year 2007, many sources already assumed it would be named “Windows Server 2008”. They were right.

The announcement was on the Windows Server Division Weblog, and also the Windows Server 2008 Home Page has been adjusted and provides many valuable sources.

Timetraveling Active Directory

When I posted about the Fine Grained Password Policies (aka Password Settings Objects) in the Active Directory of Windows Server “Longhorn” I’ve also got permissions to blog about a very exciting new feature in Longhorn – the possibility to create and access Active Directory “Snapshots”. So what is this feature?

In all previous Versions of Active Directory it had been very hard to:

  • determine which values an object had at a specific earlier point in time
  • determine which backup is the right one to restore in case of an Active Directory recovery
  • authoritatively restore objects in Active Directory
  • figure out and fix group memberships (as well as other forward-/backlink relationships) after an authoritative restore

However – in Windows Server “Longhorn” you’ll get the possibilities to create Active Directory “Snapshots” (which is basically a Volume Shadow Copy of your Operating System and Active Directory Partitions – however it’s been made sure that the AD-Database is at a consistent state). Afterwards you are able to mount these snapshots into the file-system, and start a Read-Only LDAP-Service of this database (DIT-File). You can also start such a Read-Only LDAP-Directory from a previous backup whose files have been restored in a different place.

So how are we doing this?

First – let’s create a snapshot. The easiest way to do this is using ntdsutil.exe:

  1. On a Windows Server “Longhorn” Domain Controller, open the command prompt and enter ntdsutil
  2. Enter Snapshot to go into the snapshot subcontext
  3. Hit ? to see all options, just for your information
  4. Now we need to select the directory of which we want to create a snapshot – we could also use ADAM (called Active Directory Lightweight Domain Services in Windows Server “Longhorn”) – but in this case we care about Active Directory Domain Services, so enter Activate Instance NTDS
  5. Simply enter create, and a new snapshot is being created. Note the GUID which is being returned, we need this one later (but I show you a way how to retrieve it anyways).

OK – that was easy – now let’s mount the snapshot into the file system:

  1. Still in the subcontext snapshot in ntdsutil, examine which snapshots you have on your local system by typing list all. Now you get a list of all snapshots on the system.
  2. Now we want to mount a specific snapshot. First copy the GUID right next to the date/time of the snapshot you want to mount into the clipboard. Then type mount <GUID>. You get the message that the snapshot is being mounted to a directory C:\$SNAP_datetime_VOLUMEC$\.
  3. Navigate with Windows Explorer to this directory (if you don’t see it you have to change your folder options) and examine its content. You’ll see that it includes a full snapshot of the volume.

But we wanted to start up our own R/O instance of Active Directory from this snapshot – there are no options in ntdsutil to do this. We need to use a different command: dsamain.exe

  1. Open up a new command prompt
  2. Type dsamain.exe -dbpath:c:\$snap_timedate_volumec$\windows\system32\ntds\ntds.dit -ldapport:10000 -sslport:10001 -gcport:10002 -gcsslport:10003 (replace the path with the path of the ntds.dit in your snapshot; the port numbers are up to you).
  3. The output should inform you that the Active Directory Domain Services startup completed.

    Note that you don’t get back a prompt – whenever you decide you don’t need the new LDAP-Service anymore you’ll have to cancel it by hitting (Ctrl) + (C).

Now you can navigate in this “old version” of Active Directory. I strongly hope and assume you are not in your production network right now – so make some changes you remember (such as changing a user’s properties, deleting something you don’t need anymore) – so that you have a possibility to see the changes between the two states of the Active Directory. In this example we’ll simply use ADSIEdit.msc to navigate the snapshot – you can use any other LDAP browser, script or tool which allows you to select non-default ports to navigate the LDAP directory.

  1. Start adsiedit.msc
  2. In adsiedit, use the Connect to… menu to specify your Active Directory Snapshot
  3. Now navigate the old version of Active Directory, and look for the changes you made.
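
As an added example (not from the original post), here is a small PowerShell script that does the same comparison without clicking through ADSIEdit: it reads one object from the dsamain instance and from the live directory and lists the attributes that differ. The DN, the parameter names and the server defaults are assumptions; port 10000 is the -ldapport used above.

```powershell
# Added example: attribute-level diff of one object, mounted snapshot vs. live directory.
param(
    [string]$Dn         = 'CN=Jane Doe,OU=Staff,DC=example,DC=com', # constructed sample DN
    [string]$LiveServer = 'localhost:389',                          # assumption: run on the DC
    [string]$SnapServer = 'localhost:10000'                         # the -ldapport given to dsamain
)

function Get-AttributeTable([string]$Server, [string]$Dn) {
    # Base-scope search returns exactly the one object, with values as plain .NET types.
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$Dn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Base
    $searcher.Filter      = '(objectClass=*)'
    try {
        $result = $searcher.FindOne()
    } catch {
        return $null   # bind or search failed, e.g. the object does not exist on this instance
    } finally {
        $searcher.Dispose(); $root.Dispose()
    }
    if ($null -eq $result) { return $null }
    $table = @{}
    foreach ($name in $result.Properties.PropertyNames) {
        # Sort and join multi-valued attributes so value order alone never counts as a change.
        $values = $result.Properties[$name] | ForEach-Object { "$_" } | Sort-Object
        $table[$name] = $values -join '; '
    }
    return $table
}

$snap = Get-AttributeTable $SnapServer $Dn
$live = Get-AttributeTable $LiveServer $Dn
if ($null -eq $snap) { throw "Object not found in snapshot on ${SnapServer}: $Dn" }
if ($null -eq $live) {
    Write-Output "Not found in the live directory (deleted or moved since the snapshot): $Dn"
    return
}

# Report every attribute whose value differs, or that exists on one side only.
foreach ($name in (@($live.Keys) + @($snap.Keys) | Sort-Object -Unique)) {
    if ($name -eq 'adspath') { continue }   # contains the server name, so it always differs
    if ($live[$name] -cne $snap[$name]) {   # -cne: case-sensitive, so case-only edits show up
        [pscustomobject]@{ Attribute = $name; Snapshot = $snap[$name]; Live = $live[$name] }
    }
}
```

Run it while dsamain is still serving the snapshot. Replication bookkeeping attributes such as whenChanged and uSNChanged will appear in the output whenever the object was modified at all.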

After you are finished, you can stop dsamain with (Ctrl) + (C), then go into the ntdsutil-commandline. To unmount the snapshot you can type dismount <GUID>. If you can not remember which snapshots are mounted you can also use the list mounted command in this subcontext of ntdsutil.

With AD-Snapshots, Microsoft for the first time ever gives us such an important tool in our hands, enabling us to do object-level or attribute-level recovery using simple scripts, or to select which objects to restore authoritatively. Previously you had to remember the distinguishedName of the objects you wanted to restore, or restart the DC without a network connection – figure out the DN-Path – then restart it in Directory Services Restore Mode again, and finally perform the authoritative restore. And remember – you can also do this against a backup, so it’s a good way to figure out which is the best backup you want to restore in the case of an AD recovery.

Disclaimer: this blog post is about a beta-product which may change, I’ll try to update this blog-post if I recognize any changes.

Credits: Thank you Dmitri for this feature – you rock!

I’m still alive (3) – and MVP again!

So right after the new year started, I also got a great message: I was again reawarded as MVP for Windows Server – Directory Services. This is the fourth time in a row I got the award, and I’m really proud of it. THANK YOU Microsoft!

Currently work got me again, and this year will also be pretty busy. I’m looking forward to some interesting Projects, some interesting Conferences (I like to mention the Directory Experts Conference, which will be very exciting this year, we are already planning the Pre-Conference on Longhorn Server Active Directory and I’ll also talk a few sessions).

But I’m totally recovered and working like crazy – and I have a couple interesting posts to take care of pretty soon, so stay tuned!

I’m still alive (2)

So after getting back from Barcelona I had a lot of work to make sure I’ll be able to take some vacation during X-Mas. Worked like crazy. Also I had to finish an article, which was published in January in the IT-Administrator. I covered Security-Basics, Delegation and implementing Rolebased Administration in Active Directory. Yes – it complements my talk [;)]

Finally I was able to go on vacation from X-Mas to the first week of January. I was looking forward to it – I’m used to much work, however the last year was the worst ever and I was unable to finish everything – too many customers at the same time while always having issues to find “bodies”.

So what happened? Sure! If you give your body time to relax, it takes whatever it needs to recover. So I had a bad cold over New Year’s until the end of the first week in January. Not very relaxing, so I decided to stay at home for the second week of January as well and keep my workload low.

I had to recover and deserved it!