Re-Awarded: Microsoft Most Valuable Professional (MVP) for Directory Services

Woohoo, what a way to start a new year! I just got the message that I’m re-awarded as MVP for Windows Server – Directory Services. This is my 11th consecutive MVP award.

 

Thanks Microsoft, and I’m looking forward to a great year!

 


A great TechEd so far …

… will get even better. Tomorrow morning Sam Devasahayam and I will present the session “What’s new in Active Directory in Windows Server 2012”. It’s built from information from the Active Directory product group, and I’ll bring in some real-world scenarios. I’m looking forward to the session. Loads of information and loads of reference slides to take away after the session.

After the success at TechEd US we decided that we are again taking questions via Twitter. If you come to the session and you have a question but don’t feel like walking up to one of the microphones, you can use Twitter to ask the question and we will get to it in the session, or if we are running short on time we will get back to you afterwards.

Questions? Simply use the hashtag #TESIA312 for tomorrow’s session.


Hopefully will see you there!

Ulf

P.S.: If you like the session, please don’t forget to fill in the session evaluation. I will provide an MS Tag and QR code right at the end of the session, so have your phones ready ;)

Session “Evolution of AD Recovery” from TechEd US available online

Hi again,

I forgot to mention that the session is available online – for those who couldn’t make it to TechEd US and were asleep when it was streamed online. For everyone who will be at TechEd Europe: don’t watch it now, come by and say hello in Amsterdam ;)


And … THANKS JIMMY for the pictures!

My demo equipment at TechEd

Hi there,

I spoke to multiple people who were totally excited about my demo equipment at TechEd, and was asked a couple of times if I can blog about it. So here we go.

The hardware I used is a Lenovo Tablet X220T – thanks Lenovo! It’s great hardware: I love working with tablet PCs and have worked with them for years; however, the one I had before died on me (it was my personal one, but I used it as my main device, reducing my work laptop to demo and test). I always preferred Lenovo’s keyboards and their solid business laptops. And the tablet is great – I like being able to work on a train, on a plane, wherever, having all input options (mouse+keyboard, touch or stylus) and choosing whether to write a long text using the keyboard, review, sketch or handwrite annotations using a pen, or simply touch the things I want to open or select. I want to work the way I prefer, not thinking about input but just being able to do it. I POWERED (had to say this in caps) the Lenovo with Windows 8, which rocks!! It’s also able to handle 16GB of RAM, which is great for Hyper-V in Windows 8. There’s a new version out, the X230T, with USB 3, mSATA for broadband or an additional disk (cool: mSATA disk for the OS, traditional and bigger HDD for the data and VMs in a convertible tablet form factor with 16GB), and an optional battery where they claim up to 18 hours uptime. I cannot wait to get my hands on one of these, and if it’s as satisfying as I believe, it’s definitely shopping time for me. To get back to my presentation – I’ve done multiple sessions with the same hardware, and since I currently have only one internal HDD I’m using an external SATA drive with a PCI Express adapter to speed things up if I need more power for my VMs (I did this at The Experts Conference in April).

The new default installation of Windows Server 2012 is the Server Core option. You are also able to switch back and forth – or in between. The options are Server Core, Full Server, or in between with Server Core with Management GUI. The last option has Server Manager and the management interfaces but still lacks Explorer (shell, Start Menu, file browsing), Internet Explorer and many other things. New to Server Core in Windows Server 2012 is that you can decide at any time whether to install or uninstall the management GUI or the full GUI. Additionally, Server Core now offers the possibility to uninstall binaries which are not needed. Back in the early days of Windows there were no unused binaries on disk; however, it was always a struggle when you installed a new component on an existing server, because you were asked for the CD and had to insert the right language version and also the right distribution media (e.g. it depended on whether it was volume licence media, off-the-shelf media, MSDN or TechNet, …). With some version – IIRC it was Vista/2008 – this was changed and all the compressed binaries for all components (roles and features) were copied onto the system, even when they were not used, so that if anyone was going to install a component later (s)he wasn’t asked for the media.

Today, virtualization and packing multiple machines onto one host is critical, especially when we talk about cloud computing. So in Windows Server 2012 we are not only able to install or uninstall roles or features, we are also able to remove the binaries of uninstalled features from the system, giving the operating system installation a smaller footprint. You can still install a removed feature later, but you need to ensure that the machine is able to connect to Windows Update, or you need to provide the install.wim file, the installation media or an installed server to pull the binaries from.

I’ve created a base image (I always do this, then create differencing disks for the individual machines: this gives higher performance with multiple machines, uses less disk space and makes creating new machines easy).

So since it’s the new installation default, and I think that is a great way to go (reducing systems to what they are supposed to do), I used Server Core as the only operating system option for my demos at TechEd. I decided to strip down the base image as much as possible, and ran a PowerShell command right after the installation to remove all binaries which are not used:

(Get-WindowsOptionalFeature -Online) | ForEach-Object {
    # Only features that are already disabled: -Remove additionally deletes their
    # payload from the component store (their state then shows as
    # DisabledWithPayloadRemoved), so a later enable needs Windows Update,
    # install.wim or another installed server as the source.
    if ($_.State -eq 'Disabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName $_.FeatureName -Remove
    }
}

I needed the management tools somewhere, so I put the Remote Server Administration Tools (RSAT) for Windows 8 on the host operating system. Some configuration is needed when you want to remotely install a Server Core machine as the first domain controller, since the client and the server are obviously not in the same domain. You can do it (enable remote management on the server, configure the client to trust the server using Windows Remote Management and HTTPS, …), but for some things you’ll have to fall back to the command line in Server Core (Server Manager allowed me to install the binaries, but was unable to promote the DC; I had to do this with dcpromo /promotes …). And I always had to right-click and configure the account used for management. This is not the experience I want for the attendees of my session.

So I decided to join the host to the domain of the virtual machine on the same host. Risky? Not really. The default configuration will start the VM if it was running when the host was powered down. But it takes a bit longer than the host, apparently. Also, cached credentials allow me to log on without a running DC. So when I logged on too quickly, I didn’t get a Kerberos ticket and was unable to access the server. But [WIN]+[L] to lock Windows and then logging back on is a workaround in this case, and I made sure before my session that I was able to start Server Manager and work remotely against my machine.

Joining the machine was a bit tricky. I tried to avoid mangling DNS. On the conference net my client gets its IP settings via DHCP, but trying to keep the server on DHCP was a hassle since I needed to reconfigure the trusted hosts. So my DC needed a static IP, and I wanted this different from the conference net. So the client was basically on two different subnets. But it needs full DNS resolution to the DC in order to join the domain and in order to work. LMHOSTS and HOSTS files are not an option, since you can’t configure SRV records there (which is what the client is looking for in an Active Directory domain). So one option was to configure the client (=host) to use only the DNS services of the DC. But the DC was not able to forward requests – remember, it’s on a separate network. And I didn’t need internet connectivity for the DC, but for the client (since I allowed questions via Twitter in my session).

So I thought it would be cool if I’d be able to use conditional forwarding on the client. Conditional Forwarding is a DNS-Server feature introduced in Windows Server 2003, where you can configure that certain DNS namespaces are not resolved via the standard forwarder but via another specific one. Conditional Forwarding (and Stub Zones) are frequently used within companies when they have multiple DNS namespaces.

Conditional forwarding on the client brought me to DirectAccess. In DA you are able to configure, on the client, which IP addresses and which DNS namespaces should be resolved against a corporate DNS server instead of using internet DNS services. DirectAccess is much more, but I just needed this piece. So I configured the Name Resolution Policy Table (NRPT) to forward requests for the virtual subnet or for my virtual DNS namespace to the virtual DC, and everything worked like a charm.
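The NRPT setup described above, as an added example (not the post’s own configuration); the forest name demo.local, the DC address 10.10.10.1 and the display names are assumptions, and the DnsClient cmdlets used ship with Windows 8:

```powershell
# Added example, not the post's own configuration. Assumed values: the demo
# forest is "demo.local" and the virtual DC (which is also its DNS server) has
# 10.10.10.1 on the internal Hyper-V network. Run in an elevated PowerShell
# on the Windows 8 host.
$DemoSuffix = ".demo.local"             # leading dot: the rule matches the whole namespace
$DemoDns    = "10.10.10.1"
$DemoRev    = ".10.10.10.in-addr.arpa"  # reverse lookups for the virtual subnet

# Only these two namespaces go to the virtual DC. NRPT rules are evaluated
# before the adapter's DNS servers, so the conference DHCP DNS keeps serving
# everything else (Twitter, Windows Update, ...). Keep the rules this narrow:
# whoever answers at $DemoDns decides where the host's domain traffic goes.
Add-DnsClientNrptRule -Namespace $DemoSuffix -NameServers $DemoDns -DisplayName "TechEd demo: domain"
Add-DnsClientNrptRule -Namespace $DemoRev    -NameServers $DemoDns -DisplayName "TechEd demo: reverse"

# Show the resulting table
Get-DnsClientNrptRule | Format-Table Namespace, NameServers, DisplayName -AutoSize

# The check that matters for the domain join: the client must be able to find
# the DC locator SRV records, which a HOSTS file cannot provide.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs$DemoSuffix" -Type SRV |
    Format-Table Name, NameTarget, Port -AutoSize
```

If the SRV query returns nothing, the rule is not matching or the virtual DC is not reachable on the internal network; the rest of the host’s name resolution is unaffected either way.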

I think this setup is really cool. I was able to demo almost everything without logging into the virtual machine, just by using the RSAT tools from the host. The host was able to connect to the internet and to the virtual world and knew where to go with every request. I was able to receive Twitter questions right on stage and answered them in the session (and also online after the session). And with the Windows 8 tablet, I was able to highlight areas using the pen, use touch to advance slides or to bring in the Twitter application on a split screen – Twitter to the right and presentation to the left – without leaving the current topic, while also showing attendees what questions came in and that we are really answering them on stage. Switching to the demo consoles was also easy using touch. And keyboard/mouse for demoing the server and typing commands in PowerShell or CMD.

It was a great success at TechEd US, and I will repeat the same setup and strategies at TechEd Europe in about a week.

Ulf

TechEd 2012 US

Hi there,

I’m currently at TechEd 2012 in Orlando, and it’s time to get back to blogging again. As you’ve probably seen, the Release Candidate for Windows Server 2012 and the Windows 8 Release Preview have been released.

No wonder that there is a lot of information at TechEd about the new Windows Operating Systems. I’ve been working with both versions for a while now and love the products. Computacenter Germany is in the Windows Server Rapid Deployment Program and we currently deploy WS2012 in production, and we are currently delivering a roadshow about Windows 8 where I have the honor to present Windows Server 2012 features which are supporting a great client infrastructure.

I’m speaking on Thursday at 1pm about the Evolution of Active Directory Recovery. I’m looking forward to the session – I delivered it just a few months back at The Experts Conference in San Diego, but have updated it a lot. There is not a single slide which is the same ;). Additionally I’m excited to be running it from the release previews, and will post more details on my demo infrastructure later.

If you are at TechEd and interested in high-level Active Directory content, I encourage you to come by (or find me at the Active Directory & Dynamic Access to Files booth); if you send your colleagues, let them know. The session will also be live streamed for those who couldn’t make it to TechEd. If you make it to TechEd Europe in Amsterdam later this month, don’t stay up late (in European time zones) to watch the stream but come by to the repeat of the session in Europe.

Let me know how you liked it, and don’t forget to provide official feedback if you want these deep-level content sessions about Active Directory coming back – it’s a small fight every year at TechEd and in some years we had almost no AD sessions. Another reason why I’m so excited about this year’s TechEd.

Details about the session are at http://northamerica.msteched.com/topic/details/2012/SIA319

If you want to tweet about it, please use #tesia319 and follow me @DSGeek.

First Developer Preview of Windows “8” released

In case you missed it: yesterday was the keynote of the BUILD conference (the Professional Developers Conference got a new name), and Steven Sinofsky (Vice President of the Windows Server Division at Microsoft) officially introduced the first version of Windows “8” to the broad public. Pretty exciting and a lot of changes. You can see the keynote at www.buildwindows.com, and download the developer preview at dev.windows.com. If you are an MSDN subscriber there are more versions and information available, including a developer preview of the server version. If you are at BUILD, I highly recommend seeing the server sessions as well; as far as I know there is one today which will present an overview of what’s coming in the next server version. Pretty exciting!

Please remember:

  • Windows “8” is a codename and might change
  • It is a developer preview – not a stable beta – only for testing and for starting to develop for the new user interface (Metro, the same as on Windows Phone)

And BTW, some tips:

  • Since Vista you can install from a USB key, which I find totally cool. You will likely have to re-format your USB key. You can do this using Diskpart.exe: “List Disk”, “Select Disk #” (make sure you have the key selected, because we will wipe it in the next step). “Clean” will wipe the key, then you have to “Create Partition Primary”, make it “Active”, and format it NTFS with “Format FS=NTFS QUICK”. FAT or FAT32 won’t work since the image of the developer preview is over 4 GB. Copy all files from the (extracted) ISO image to the USB key. Afterwards you can boot from the key and install.
  • If the installation fails to find the disk drive and prompts you to point to a driver, it might be an issue with the USB key (some are detected as hard drives and cause issues when installing). Try a different key, or burn the ISO. Bad news here – you need to burn it to a dual-layer DVD since it’s too large. And installing from a USB key is usually faster than from DVD.

Enjoy the preview!

Ulf

R2: Forest and Domain Mode can be reverted

I was asked many times “what may break if I raise the forest or domain mode?”. Usually … nothing! Actually I’ve never heard of anything breaking when you raised the forest or domain mode. However, with Windows Server 2008 or lower versions of domain controllers there was no possibility to roll back the forest or domain mode.

No way!

No way?

OK – you were able to do a forest recovery (recovering at least one DC of each domain in the forest and rebuilding the forest), however I doubt that this is usually an option.

What are domain or forest modes for? Actually the only thing they are responsible for is to tell all domain controllers that each domain controller in the domain or forest now has a certain operating system level, that there will be no new dcpromos of down-level operating systems (or at least they will not be successful, so no down-level DCs will be added to the domain), and that the domain controllers can enable certain features which are only allowed if all DCs are at the same level. Examples of this are linked value replication at the Windows Server 2003 level, fine-grained password policies at the Windows Server 2008 domain mode, automatic changes of SPNs, or the possibility to turn on the AD Recycle Bin at the Windows Server 2008 R2 forest mode. The domain or forest functional level change only ensures that there are no down-level DCs at that point, and publishes the status, letting all DCs know. Each DC will locally make the changes it needs to communicate at the new level, such as changing the database when the Recycle Bin is turned on, or publishing that it is willing to replicate attribute values separately instead of as one big blob.

However, companies were anxious about raising the forest or domain level. Not because of any known harm, but because recovery is not easy if anything goes wrong.

In Windows Server 2008 R2 the Active Directory product group made some changes: you are able to raise the domain and forest mode, and you are also able to roll the mode back to Windows Server 2008 and switch around as you like. The upgrade of the forest or domain mode is reversible …

unless you enable an optional feature which requires this mode!

So this has changed. Forest or domain mode upgrades do not automatically enable features which make the mode non-reversible: you can first upgrade the forest or domain mode, wait for a few hours/days/weeks (as you like or as your company’s working practices require), and after you have ensured that all applications are working, turn on the features you like. Each new Active Directory feature (right now in Windows Server 2008 R2 there is only the Recycle Bin) states whether it can be turned off again and which forest or domain level it requires. The Recycle Bin cannot be reversed and – as stated – needs the Windows Server 2008 R2 forest level.

So rollback of the forest / domain mode is possible. However, once you have raised the mode to Windows Server 2008 R2, the user interface will not allow you to lower the mode again. This might lead to some confusion.

[Screenshot: the Domain Functional Level dialog offers no lower level]

But we also have the PowerShell cmdlets for Active Directory to help us out.

First we need to load the PowerShell cmdlets for AD:

Import-Module ActiveDirectory

Then we need to lower the forest mode first (the forest mode specifies the minimum domain mode of any domain in the forest, so we cannot lower the domain mode while the forest mode is higher):

Set-ADForestMode -identity (Get-ADForest).name -ForestMode Windows2008Forest

You can also specify the forest name in the “-identity” parameter, however I’m lazy, so I’m just getting the name of the current forest.

Next we are able to lower the domain mode:

Set-ADDomainMode -identity (Get-ADDomain).name -DomainMode Windows2008Domain

And here is the result, the mode has changed and is changeable again:

[Screenshot: the result after running the PowerShell cmdlets]

Voila, hopefully you don’t have to do this in production, but at least it is possible and should ease your migration efforts.
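The three commands above with the pre-check the post describes (an enabled optional feature such as the Recycle Bin pins the level), as an added example that is not part of the original post; it assumes the ActiveDirectory module from RSAT / a 2008 R2 DC and an account with the rights to change the modes:

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (Windows Server 2008 R2 or RSAT) and Enterprise Admins rights in the current forest.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Optional features enabled for at least one scope make the mode non-reversible:
# the Recycle Bin cannot be turned off again and requires the 2008 R2 forest mode,
# so the rollback below would be refused while it is enabled.
$blocking = Get-ADOptionalFeature -Filter * |
    Where-Object { $_.EnabledScopes.Count -gt 0 }

if ($blocking) {
    $names = ($blocking | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "Rollback is blocked by enabled optional feature(s): $names"
} else {
    Write-Host "Before: forest mode $($forest.ForestMode), domain mode $($domain.DomainMode)"

    # Forest first: the forest mode is the minimum domain mode of every domain in it.
    Set-ADForestMode -Identity $forest.Name -ForestMode Windows2008Forest -Confirm:$false
    Set-ADDomainMode -Identity $domain.Name -DomainMode Windows2008Domain -Confirm:$false

    Write-Host "After:  forest mode $((Get-ADForest).ForestMode), domain mode $((Get-ADDomain).DomainMode)"
}
```

Run it read-only first by leaving out the two Set-* lines; the warning branch alone tells you whether the level can still be lowered.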

Ulf

How to make your session prominent at TechEd Europe

Funny – I arrived at TechEd Europe and many people had already talked to me about my session. I figured out it’s now popular because it had been rescheduled from Tuesday morning to Wednesday morning, so everyone at TechEd got a separate paper with the session updates and mine was one of the few.

I’ve also heard it’s popular looking at the registrations, so if you plan on coming, come a bit early to make sure to get in. We also do a re-run on Thursday morning.

SIA02-IS: Active Directory: What’s New in R2

Join this interactive and open discussion about Active Directory updates in Windows Server 2008 R2 or other topics that you bring up. Join product group members and an MVP with undoubted Active Directory experience.

It’s an interactive session, so we will be there (Brjann Brekkan, Technical Product Manager for Identity Management, and I are presenting the session together), listening and talking to you about the questions you have about the new features of Active Directory Domain Services in Windows Server 2008 R2.

The session is scheduled on

  • Wednesday, 9:00, Interactive Theater 4 (green)
  • Thursday, 9:00, Interactive Theatre 6 (pink)

Ulf

A funny / sad comment about the economy

At TechEd USA in Los Angeles last week, Bill Veghte, Senior Vice President of Windows Business at Microsoft, made a comment which was funny but also sad:

I’m a technologist, so I can’t tell you where the economy will be in 6 months. The bad news is – an economist can’t tell you either.

A Directory Services Geek’s View on Active Directory Recovery in Windows Server 2008

Ulf B. Simon-Weidner

Presented at

  • Microsoft TechEd:IT-Forum, Nov 2007, Barcelona, Spain
  • Microsoft Launch 2008, Feb. 2008, Frankfurt, Germany
  • Directory Experts Conference 2008, Chicago, USA
  • Microsoft TechEd IT-Pro, June 2008, Orlando, USA

In my session “A Directory Services Geek’s View on Active Directory-Restore in Windows Server 2008” I’m using a script to convert an LDIF file from the changetype “add” to changetype “modify”. Why is that?

I’ve shown how to restore a tombstone to a user object with only a limited set of attributes. Then I used Active Directory snapshots to dump an LDIF file with all attributes of the recovered object, by running the LDIF export against the port on which I exposed the snapshot:

ldifde.exe -r "(cn=Joe Doe)" -t 10000 -f joe.ldf

  -r  filter (the object to export)
  -t  LDAP port of the mounted snapshot
  -f  output file name

Afterwards we have an LDIF file, but it has the changetype “add”, which we could use to create a new user, but only if all attributes are writeable and the syntax is correct. Since we dumped all attributes, there are some which even a domain admin is unable to write, because they are owned by the system or for other reasons. But I prefer to dump all of them if I need to fully restore a user, so that I also get custom schema extensions and everything else I might not think of if I used a manual list of attributes. Now the challenge is to modify a user which already exists, and for this we cannot use the default output of LDIFDE. We need to convert the file as illustrated in the following picture:




To do this I wrote the following script:


' ModifyLDIF
' Converts LDF files from changetype ADD to changetype MODIFY;
' as a result every attribute is replaced in its own change record,
' so one attribute that cannot be written does not stop the rest.
' Import the file using ldifde -i -z -k -f filename.ldf to
' continue changing attributes if one is 'unwriteable'.
' Parameters:
'   sInput:     Path/File of the input file (LDF)
'   sOutput:    Path/File of the output file (LDF)
'   bDelSource: if TRUE the input file is deleted afterwards
' (c) Ulf B. Simon-Weidner, www.msmvps.com/ulfbsimonweidner

Option Explicit
Dim objArgs, sInput, sOutput, bDelSource, arrOut, i

Set objArgs = WScript.Arguments
If objArgs.Count = 0 Or objArgs.Count > 3 Then ShowUsage
sInput = objArgs(0)
If objArgs.Count > 1 Then
  sOutput = objArgs(1)
Else
  ' default output: same folder, file name prefixed with "mod_"
  sOutput = ""
  arrOut = Split(sInput, "\")
  For i = 0 To UBound(arrOut) - 1
    sOutput = sOutput & arrOut(i) & "\"
  Next
  sOutput = sOutput & "mod_" & arrOut(UBound(arrOut))
End If
If objArgs.Count > 2 Then
  bDelSource = (LCase(objArgs(2)) = "true")   ' the argument arrives as a string
Else
  bDelSource = False
End If
WScript.Echo
WScript.Echo "ModifyLDIF.vbs"
WScript.Echo "(c) Ulf B. Simon-Weidner, www.msmvps.com/ulfbsimonweidner"
WScript.Echo
WScript.Echo "Inputfile:  " & sInput
WScript.Echo "Outputfile: " & sOutput
If bDelSource Then WScript.Echo "Inputfile will be deleted after conversion"
WScript.Echo
ModifyLDIF sInput, sOutput, bDelSource
WScript.Quit

Sub ModifyLDIF(sInput, sOutput, bDelSource)
  Dim oFSO, oInput, oOutput, sLine, sParm, sDNLine, sOpenAttr, nColon
  Set oFSO = CreateObject("Scripting.FileSystemObject")
  Set oInput = oFSO.OpenTextFile(sInput, 1)
  Set oOutput = oFSO.OpenTextFile(sOutput, 2, True)
  sDNLine = ""     ' the "dn: ..." (or "dn:: base64") line of the current object
  sOpenAttr = ""   ' attribute whose "replace:" record is currently open
  Do While Not oInput.AtEndOfStream
    sLine = oInput.ReadLine
    If sLine <> "" Then
      Select Case Left(sLine, 1)
        Case " "
          ' folded continuation of the previous line (long text or base64 values)
          If sOpenAttr = "" Then
            sDNLine = sDNLine & vbCrLf & sLine   ' continuation belongs to the dn
          Else
            oOutput.WriteLine sLine
          End If
        Case "-", "#"
          ' record separators and comments of the source are dropped; we write our own
        Case Else
          nColon = InStr(sLine, ":")
          If nColon > 0 Then
            sParm = Left(sLine, nColon - 1)
            Select Case LCase(sParm)
              Case "dn"
                CloseRecord oOutput, sOpenAttr
                sDNLine = sLine
              Case "changetype"
                ' ignored, the output always uses changetype modify
              Case Else
                ' ldifde writes multi-valued attributes one value per line; all
                ' consecutive lines of one attribute go into the same replace record,
                ' otherwise only the last value would survive the replace
                If LCase(sParm) <> LCase(sOpenAttr) Then
                  CloseRecord oOutput, sOpenAttr
                  oOutput.WriteLine sDNLine
                  oOutput.WriteLine "changetype: modify"
                  oOutput.WriteLine "replace: " & sParm
                  sOpenAttr = sParm
                End If
                ' "attr: value" and "attr:: base64" lines are written unchanged
                oOutput.WriteLine sLine
            End Select
          End If
      End Select
    End If
  Loop
  CloseRecord oOutput, sOpenAttr   ' also terminates the last record at end of file
  oInput.Close
  oOutput.Close
  Set oInput = Nothing
  Set oOutput = Nothing
  If bDelSource Then oFSO.DeleteFile sInput
  Set oFSO = Nothing
End Sub

' Writes the "-" terminator and an empty line if a replace record is open
Sub CloseRecord(oOutput, sOpenAttr)
  If sOpenAttr <> "" Then
    oOutput.WriteLine "-"
    oOutput.WriteLine ""
    sOpenAttr = ""
  End If
End Sub

Sub ShowUsage
  WScript.Echo "ModifyLdif.vbs <inputfile.ldf> [<outputfile.ldf> [<deleteinput>]]"
  WScript.Echo "  inputfile:   Filename of the inputfile"
  WScript.Echo "  outputfile:  Filename of the outputfile"
  WScript.Echo "               If not provided, the filename of the inputfile"
  WScript.Echo "               will be prefixed with a ""mod_"""
  WScript.Echo "  deleteinput: True or False (default), if True the inputfile"
  WScript.Echo "               will be deleted after the outputfile is written"
  WScript.Quit
End Sub

 


Feel free to use this at your own risk [;)]