Done: Windows Server 2008 in production

I’m working for Computacenter Germany. And – as you know – I’m a beta junkie and try to stay up to date on the newest releases as soon as possible. So this makes me really proud: at Computacenter we have decided to deploy Windows Server 2008 already.

After testing the product thoroughly we decided to update our schema to Windows Server 2008 and deploy our first servers in production. And … one of the reasons we did this was to have the great new feature of Active Directory Snapshots available as soon as possible.

We released a press article last week which I have freely translated into English.

Source (German), freely translated:

Computacenter relies early on Windows Server 2008

Head start for migrations and planning for Active Directory disasters

Kerpen, 30th October 2007. The European IT service provider Computacenter is relying early on Microsoft’s Windows Server 2008. The new generation of the server operating system (OS) is scheduled for release in the first quarter of 2008. Computacenter, which is part of the Microsoft Technology Adoption Program (TAP), has already deployed Windows Server 2008 into its production network. The TAP is an initiative of Microsoft in which selected customers implement products in production infrastructures prior to their release. Computacenter is participating in two different roles in the current TAP: as a customer (who is deploying the product) as well as a consulting partner, where experienced Computacenter consultants are supporting their internal Information Services. The IT service provider is not only gaining experience by deploying the new technologies early, but is also improving the stability and reliability of its infrastructure. Computacenter is using this experience when consulting its customers, especially on Windows Server 2008 migrations and planning for Active Directory disasters.

Migrations with Computacenter

With the end of Microsoft’s support lifecycle for Windows 2000 Server and the release of the new Windows Server 2008 with its many new possibilities, many companies are considering migrations. Computacenter has many years of experience migrating Microsoft infrastructures. More than 300 experts in the Microsoft area rely on their experience and broad knowledge, tools and procedures to drive migration projects to a fast success while keeping risks and costs as low as possible.

Securing the heart of the Windows Infrastructure

Active Directory is the main component of a Windows infrastructure, holding all information about the user accounts, computer accounts, passwords and groups of a company. Employees use it daily to get access to their computers and their data, find printers and receive corporate settings. Computacenter experts have frequently helped companies recover their Active Directory (usually after human mistakes). To address this issue Computacenter developed preventive guidance to protect Active Directory. Windows Server 2008 provides additional control, prevention and auditing functionality. The OS enables administrators to create snapshots of the Active Directory database. As opposed to a backup, it is easy to create snapshots multiple times a day. Further, the snapshots can be mounted as their own read-only LDAP service. This makes it possible to retrieve information from the directory as it was at different points in time. Additionally, the new product supports protecting objects from being accidentally deleted or moved. Computacenter is using these new functions and has added them to its portfolio around Active Directory recovery and its prevention. The IT service provider has been using these technologies in its production network since October 2007.

These experiences are incorporated into Computacenter’s three-part offering of an Active Directory Disaster Workshop, Guidance and Concept, which enables customers to prepare the information needed for a possible recovery of Active Directory in advance, to react to disasters and to keep the associated downtimes to a minimum. In the Active Directory Disaster Workshop the attendees acquire the know-how to prevent, troubleshoot and recover Active Directory. They practice which information is necessary and which steps to take in certain disaster scenarios. The Active Directory Disaster Guidance bundles Computacenter’s experience on this topic. It describes best practices and experiences from real disasters as well as tested procedures. The IT service provider additionally creates an AD Disaster Concept to prepare the individual company for an AD recovery.

Protect Objects from accidental deletion

Available in the GUI of Windows Server 2008, but also possible in any version of Active Directory, you are able to protect any object from accidental deletion. I had to recover a couple of productive ADs over the past couple of years, and every time it was because of an accidental deletion. Also I’ve seen that OUs have been accidentally moved – this has probably happened to everyone with files/folders in Windows Explorer – you accidentally got stuck on the mouse button while hovering over a folder and dropped it on another folder.

So how do you protect objects from accidental deletion in Windows Server 2008? That’s easy – first switch on the Advanced Features view, then go into the properties of the object in question. Here – on the “Object” tab – you’ll find the new checkbox “Protect object from accidental deletion”.


By default, OUs created in Active Directory Users and Computers are protected. However, when you don’t create the OU in Active Directory Users and Computers, or you created them before you had Windows Server 2008 in your domain (how likely – I know [;)]), the OU will not be protected from accidental deletion.

However, what’s quite interesting is what’s being done in the background: the security descriptor of this object is modified with a Deny entry for Everyone covering the Delete and Delete Subtree permissions. So it’s backwards compatible with Windows Server 2003 and Windows 2000, and you are even able to do this today, either manually on the Security tab or using DSACLS.

If you want to use DSACLS to protect an OU you can use the following command:

dsacls "ou=MyUsers,dc=example,dc=com" /d Everyone:SDDT

So if you are creating your OU structure with “dsadd ou” you might want to use this command to protect the OU from deletion. The checkbox in the GUI will also reflect this change; however, I’ve seen that it sometimes takes a while or inconsistently displays whether the OU is protected or not. This might be a bug in the current beta, so verify on the Security tab that the Deny entry is actually present.

As I said, you’d be able to do this today as well. And if you want to protect your whole OU structure, you can use the following command to protect every OU in the domain:

for /f %i in ('dsquery ou -limit 0') do dsacls %i /d everyone:SDDT

Update: Marcus has pointed out that the above command only works if your OU names don’t include any spaces. That’s right, the for command takes spaces as delimiters and therefore puts everything behind the first space into the variable %j, everything after the second space into %k and so on. So here’s the corrected command which allows spaces in your DNs (“tokens=*” states that the whole line should go into the first variable; you could also use 1,3,* which would put the first part into %i, the third into %j and the rest into %k, …). Marcus suggested another way which also works, by not specifying any delimiters (“delims=”):

for /f "tokens=*" %i in ('dsquery ou -limit 0') do dsacls %i /d everyone:SDDT

If you just want to protect certain levels, you only need to change the dsquery command.
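As an added example (not code from the original post), here is a PowerShell script that does the same job as the dsacls loop above, but also verifies the result by reading the security descriptor back instead of trusting the GUI checkbox. It adds the Deny ACE for the well-known SID of Everyone (S-1-1-0) with the Delete and Delete Subtree rights, which is what dsacls’ SDDT stands for. It only uses System.DirectoryServices, so it works against Windows 2000 and Windows Server 2003 domains as well. The domain DN dc=example,dc=com is an assumption; the account running it needs permission to modify the OUs’ security descriptors.

```powershell
# Added example, not from the original post: apply the same Deny ACE the
# Windows Server 2008 checkbox sets (Everyone: Deny "Delete" and "Delete Subtree")
# to every OU of a domain and verify it by reading the security descriptor back.
# Assumed: the domain DN below is the one to protect, and the caller may modify
# the OUs' security descriptors.
param([string]$DomainDN = "DC=example,DC=com")   # assumed domain, change as needed

$everyone = New-Object System.Security.Principal.SecurityIdentifier "S-1-1-0"   # well-known SID of "Everyone"
$rights   = [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor `
            [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree           # same as dsacls SDDT

function Test-OuProtected([System.DirectoryServices.DirectoryEntry]$Entry) {
    # True if an explicit Deny ACE for Everyone covers both Delete and Delete Subtree.
    # Reading the ACL directly avoids relying on the GUI checkbox, which may lag behind.
    $rules = $Entry.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Deny' -and $r.IdentityReference.Value -eq 'S-1-1-0' -and
            (([int]($r.ActiveDirectoryRights -band $rights)) -eq [int]$rights)) {
            return $true
        }
    }
    return $false
}

function Protect-Ou([System.DirectoryServices.DirectoryEntry]$Entry) {
    if (Test-OuProtected $Entry) { return }   # idempotent: don't stack duplicate ACEs
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($everyone, $rights, [System.Security.AccessControl.AccessControlType]::Deny)
    $Entry.ObjectSecurity.AddAccessRule($ace)
    $Entry.CommitChanges()
}

# Enumerate every OU in the domain (the equivalent of "dsquery ou -limit 0")
$root     = [ADSI]"LDAP://$DomainDN"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root, "(objectCategory=organizationalUnit)")
$searcher.PageSize = 1000                       # paged search, so more than 1000 OUs is fine
[void]$searcher.PropertiesToLoad.Add("distinguishedName")

foreach ($result in $searcher.FindAll()) {
    $dn = $result.Properties["distinguishedname"][0]
    $ou = $result.GetDirectoryEntry()
    Protect-Ou $ou
    $state = if (Test-OuProtected $ou) { "protected" } else { "FAILED   " }
    "$state $dn"
}
```

Run it once as a domain administrator; re-running it is harmless because an OU that already carries the Deny entry is skipped. If you keep the cmd.exe loop instead, remember that inside a batch file the loop variable has to be written as %%i rather than %i.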

Blush – too much honor

Nicki Wruck, the organizer of the “International Communities for Europe (ICE)” conference, wrote in his blog about when we met a couple of weeks ago at the SysAdmin Appreciation Day (an event organized by Microsoft TechNet Germany):

Freely translated from

“There was another highlight: Mr. Directory himself had the pleasure to meet me: Ulf B. Simon-Weidner was there and we instantly found interesting topics to chat about. The most important was: he’ll be speaking at ice:2007, of which I’m very proud. Now, with Nils Kaczenski, Frank Röder and Ulf B. Simon-Weidner, I’ve got the greatest German-speaking AD specialists as speakers at the ice conference.”

Thanks for the fish, Nicki – it was a pleasure to meet you and I’m looking forward to speaking at your conference!

My Session at ICE: Active Directory Domain Services und DNS in Windows Server 2008

Upcoming Conferences (aka my speaking engagements)

Recently there was a lot of activity on the conference front.

I already wrote about the Directory Experts Conference 2007 in Europe.

Two weeks ago there was the “Sysadmin Appreciation Day” – and Microsoft TechNet celebrated the admins with a party. I was invited to join. And I met the organizer of the community conference “Intelligent Communities for Europe (ICE)” – and was asked to present there. I’m looking forward to it – I have heard a lot about this conference but haven’t been there yet.

Then Netpro announced the “Directory Experts Conference 2008” in Chicago. I’m proud to be asked back as speaker.

There might be more conferences, but since I haven’t been officially confirmed yet I’ll keep this for a later post. But if you have followed my blog you will be able to find the page where some of my sessions are already listed [;)].

Remembering TechEd US in Orlando

Hi there,


I’m still way behind in blogging, however I want to keep the timeline, and therefore it’s time to write about TechEd US in Orlando this year.

I love those conferences. But I guess that’s – at least to the few folks reading my blog – “public” knowledge [;)].

I was scheduled into TechEd US again as Ask-the-Expert (or Technical Learning Guide, or whatever they call it now). Basically I was staffing the Windows Server 2008 – Active Directory Domain Services product booth.

I arrived on Friday evening in Orlando and had dinner with some friends. On Saturday during the day I had to go shopping (a life full of stress doesn’t help in packing luggage; I actually worked the whole night before taking off but forgot some of the clothes). In the evening we had a party with fellow MCTs – I enjoyed a great Surf & Turf at a nice restaurant.

On Sunday I had to go to the registration and get an intro to the product booth area. I met some friends and was chatting about some technical issues while finishing some setups on Server Core.

The conference started officially on Monday. At the Windows Server Information Desk they were giving out a book for free – “Introducing Windows Server 2008” by Mitch Tulloch, published by MS Press. Mitch had asked me shortly before finishing the book if I could provide some “side notes” (the concept of the book is to provide side notes “from the experts”, and many Microsoft employees from the product groups contributed here), so I contributed two side notes: one about the new DCPromo wizard and one about Granular Password Settings. This was the first time I’d seen the book printed, so it was very exciting for me. In the evening the Lead Program Manager of the Active Directory product group (whom I knew before) asked me whether I would like to present the demos in his session “Active Directory Domain Services in Windows Server 2008” on Tuesday and Wednesday. So we spent part of the evening preparing the demos at the last minute and had some food with some other members of the product group afterwards.

Tuesday and Wednesday I was (again) working the whole time at the product booth, “sneaking out” only for our session. I enjoyed the session – and we apparently did pretty well on preparing the demos – one of the attendees even gave feedback that they looked too canned. Funny, with only a few minutes of preparation, so I take it as a compliment when they are professional enough to appear canned. A recording of the second session is available at Virtual TechEd (and got a rating of 4.5 out of 5 stars).

What was also funny – people started to queue through half of the largest convention hall just to pick up a free copy of the book.

Thursday was working again (IIRC I took off for one session, and then went back to the booth), and Friday I was officially off duty but was still hanging out there.

Over the whole week we had a lot of interest in Windows Server 2008 Active Directory Domain Services. We explained many features to customers. We also had a lot of customers coming in with real-world issues, design questions, discussions, …, …, everything you can imagine. A couple of very interesting scenarios. And we also had great suggestions, which we were either able to demonstrate right away or took as feedback. I’ve also mailed some suggestions right back to Redmond to some developers or program managers I happen to know, so the feedback was heard.

Friday evening many of the MCTs went to see the Shuttle launch, however I was way too tired. Instead I went with one of the program managers and a developer for relaxed drinks and dinner, and as you can imagine we had a nice evening chatting a lot about suggestions for the next version of the Directory Services technologies (we covered Certs, Security, Active Directory Domain Services (AD) and Lightweight Directory Services (ADAM), ADFS, ILM and RMS, so the full palette of AD technologies. If they took all the feedback back to Redmond, people there are swearing about me now and are busy until 2015 [;)]).

Every day was interesting and busy, every night we had some more interesting discussions in more private groups (or parties), and one thing is for sure – after getting back I needed sleep desperately.

“Sleep? Nah! It’s TechEd Season”

Directory Experts Conference US – and upcoming also in Europe

It’s been a long while since I blogged the last time, and I still have some things I want to tell you about. I’m trying to post those in the order they happened, so first of all let’s talk about the Directory Experts Conference in Las Vegas in April:

DEC was great – as usual. I just love this conference. It’s dedicated to Microsoft’s directory services, especially but not exclusively Active Directory. And this time my wife was able to join me – she was pretty sad not to join last year, but she had to finish her diploma. So we visited some friends in Minnesota first (I lived there for a year, and we still have very close friends there whom we love to visit). And bringing my wife does brighten up the conference and also justifies that I have to take vacation from work for a couple of conferences a year.

OK – so what happened at DEC?

Preconference Workshop
Laura Hunter, Gil Kirkpatrick, Guido Grillenmeyer, Jorge de Almeido Pinto and I had been working for a couple of months in advance to create the content of a “Windows Server Longhorn Workshop”. We created great content. Gil and Guido managed the logistics, Guido organized a lot of hardware, Gil interacted with the hotel to make sure we had sufficient power, and so on. All of us created the content for the workshop, configured virtual machines, … We planned an infrastructure where we were able to provide about 160 attendees, in groups of two, with four virtual machines each to follow the workshop. Guido got – apart from a whole lot of thin clients – two racks: one full of blade servers configured with VMware ESX and loads of RAM, and the other one hosted a SAN huge enough to store all the machines. We also had WLAN access points, and all clients were connected via WLAN to the network provided by the servers.

When we arrived in Las Vegas on the Thursday before the conference we got the hardware that same evening. As the hardware is being shipped across the world to serve conferences we didn’t get our hands on it until just before our event. I started writing scripts and configuring everything so that the network infrastructure was set up, each client had the configuration it needed, and I even wrote an HTA application which outlined the lab scenario – and if someone clicked on one of the pictures of a server, an RDP session was started to the right one of “his” servers. I also had to make sure that RDP configurations were created automatically in the background, and configured it so that each client was only able to access its own four servers without networking with the other ones (we used the same server names, SIDs and so on).

However …

Some other issues started – we had some trouble getting the machines transferred over to the blade server. Then the images didn’t run in ESX; we were able to fix this (but wasted a lot of time doing so). Then we had power issues – the hotel had confirmed that we’d have enough power, however they provided us with a high-current line which was 50 feet long. Nobody assumed that the length of the wire would give us trouble, however we had constant power issues so that we weren’t able to start all blades. At some point (the last night before the show) somebody ran a heavy wagon over the wire; shortly afterwards the SAN went down and started to recover (which took hours), and the blades were unhappy without the SAN and had issues as well.

OK – to keep the long story short – we had a lot of issues even though we had planned everything in advance, but we didn’t have enough time with the right hardware beforehand and had too many issues to solve in a short timeframe.

However …

We were working all night and got many of the machines up and running, but not enough. After working all night we jumped in front of the audience and had to perform (I hadn’t been back to the hotel room for almost two days in a row). So we decided to switch to a demo format, had an MVP panel where we were talking and answering questions about Windows Server 2008, and I think we provided more know-how than the attendees could have expected in a whole week. We had issues before, but I was very happy with our performance. And in the end we got the best feedback of all preconferences (and the other ones were way smaller and had no issues).

OK, that was the preconf.

Start of the conference

Monday the conference started officially with the keynote by Kim Cameron. I had the pleasure of meeting Kim twice back in Redmond at the MVP Summit, and he’s outstanding. The conference overall was great. The best thing about DEC is not only the very technical sessions, but also that the conference organizers encourage everyone to stay in the same hotel. You meet a lot of people you know from online communities or previous conferences. There’s a lot of interaction in the restaurants and bars after hours. Microsoft brings in many people from the Identity and Access Management product group (the home of Active Directory (Domain Services and Lightweight Directory Services), Identity Lifecycle Manager (Certificate Lifecycle Management and Identity Integration Server) and Rights Management Services). We had a lot of interesting conversations with members of the communities, first-time attendees, MVPs, MCTs and Microsoft staff.

My Sessions

Apart from the Preconference, where I presented Windows Server 2008 Server Core and common Q&As, I was pleased to present two sessions:

A Directory Services Geek’s View on Access Control Entries
You have already deployed Active Directory (AD), but still have a lot of domain administrators? You want to increase security, decrease the risk of administration gone awry and offload daily tasks to delegated admins? In this session you will learn how access control works in AD, notes from the field about implementing role-based administration and how to figure out what to delegate. Additionally we will drill down on implementing delegation using scripts and share details on what to delegate. After this session you’ll be able to design and implement role-based administration in your infrastructure.

A Directory Services Geek’s View on How to (not) update your Schema
Are you:
– supposed to integrate some 3rd-party schema extensions in your forest?
– asked to design your own schema extension?
– trying to figure out how to administer additional or new attributes?
Then you have to see this session. We will clear up the fog around schema extensions by explaining the difference between schema extensions and schema configuration, talk about designing/evaluating schema extensions (when an extension is “smooth” and when it is dangerous), and provide guidance on creating administrative interfaces for additional/new attributes. We will also announce how Windows Server 2008 helps you when extending your schema. Come to this very technical session to get the most complete coverage of schema extensions you have ever seen.

Both sessions were updated with the changes to the subject in Windows Server 2008. I really liked the second session – I had wanted to deliver a session giving the full details on schema updates for a while – so far I’ve seen a lot of sessions which were always missing some important points. I was glad that I was able to deliver it for the first time at this DEC, and I had a great audience. There were not only great attendees with a lot of questions who were not anxious about asking them, but I also had a couple of people from the Microsoft Active Directory product group and other community experts in this session, so we had a great session, lots of discussions and feedback to Microsoft.

Directory Experts Conference goes Europe (again)

After a couple of years NetPro – the organizer of the Directory Experts Conference – has decided to bring the Directory Experts Conference back to Europe. It will be September 24th to 26th in Brussels, Belgium. I’m glad that I’ll be part of this conference as well (see the press announcement), and I’m looking forward to another great conference!

DEC2007: A Directory Services Geek’s View on How to (not) extend your schema

Placeholder – content will be filled in shortly

DEC2007: A Directory Services Geek’s view on Access Control Entries

This is only a placeholder right now – check back later for content

Windows Server ‘Longhorn’: Granular Password Settings

I recently got permission to blog about some of the features which are not as well known in the next version of Microsoft’s server operating system: Windows Server “Longhorn”. So let’s get started. One of them is that in Longhorn you are no longer limited to a single set of password settings for the whole domain (which used to mean implementing different domains if you needed different password settings); you are able to apply password settings on a group and user basis. This is really great – I’ve had multiple companies who – for example – wanted to implement different password policies for administrative accounts.

Once all DCs run Windows Server “Longhorn” and the domain functional level has been raised accordingly, they are able to use this feature.

For those of you, who wanted to implement it using OUs or GPOs, read the “appendix” [;)]

Which is important – this feature is available to you today: if you have MSDN or are a beta tester you already have access to the February CTP (IDX02), which provides this feature, so you are able to test it (don’t implement Windows Server “Longhorn” betas in your production environment unless advised to by Microsoft in a TAP program).

You are able to configure the password settings and account lockout settings like in Group Policies, but at a granular level.
So how do you get it?

The basic concept is that there’s a new object class in Active Directory – the “Password Settings Object” (PSO), whose LDAP name is msDS-PasswordSettings. For a new set of password settings you simply create one of those objects underneath the container “cn=Password Settings Container, cn=System, dc=example, dc=com”. You can do this using adsiedit.msc, and you’ll have to fill in the mandatory attributes listed below. For each attribute the GPO branch is given in which the corresponding domain-wide setting lives today, followed by the attribute name and what it does. Durations are stored as negative 64-bit integers counting 100-nanosecond intervals.

GPO Branch: Password Setting
Attribute: msDS-PasswordSettingsPrecedence
This is just a virtual number you make up (make sure you leave some space in the numbering for future use) which defines which password settings take effect if multiple PSOs apply to the same object (user or group; settings linked to the user always take precedence over settings linked to a group). It will usually reflect the “level” of the settings object: the lowest value wins, so stronger settings get a lower value and weaker settings a higher one.

GPO Branch: Password Setting
Attribute: msDS-PasswordReversibleEncryptionEnabled
This attribute is boolean and defines whether the passwords of the accounts to which the PSO applies are stored using reversible encryption or not. The default and best practice is FALSE.

GPO Branch: Password Setting
Attribute: msDS-PasswordHistoryLength
This setting defines how many old passwords the user cannot reuse (to prevent the user from changing the password back and forth to the same one, or changing it multiple times until he is able to reuse his old password). The domain default is not to allow the last 24 passwords of that user.

GPO Branch: Password Setting
Attribute: msDS-PasswordComplexityEnabled
This attribute is a boolean again and defines whether the password needs to be complex (contain characters from at least three of the following character sets: lower-case letters, capital letters, numbers, symbols, Unicode characters). The domain default and best practice is to turn it on (TRUE).

GPO Branch: Password Setting
Attribute: msDS-MinimumPasswordLength
This attribute defines the minimum length of a password in characters. The domain default is 7 characters.

GPO Branch: Password Setting
Attribute: msDS-MinimumPasswordAge
msDS-MinimumPasswordAge does just what its name suggests – it defines the minimum age of passwords. A minimum age is necessary to prevent a user from changing his password x times on the same day until the password history is exhausted and the old value can be reused. This is a negative number which you can convert using the scripts at…. as a guideline.
(domain default: 1 day = -864000000000)

GPO Branch: Password Setting
Attribute: msDS-MaximumPasswordAge
And this is just the opposite and defines when you have to change your password. Also a negative number as above.
(domain default: 42 days = -36288000000000)

GPO Branch: Account Lockout
Attribute: msDS-LockoutThreshold
Defines after how many failed attempts at entering a password the user object will be locked out.
(domain default: 0 = don’t lock out accounts after invalid passwords)

GPO Branch: Account Lockout
Attribute: msDS-LockoutObservationWindow
After which time should the “bad password counter” be reset? Also a negative number as above.
(domain default: 30 min = -18000000000)

GPO Branch: Account Lockout
Attribute: msDS-LockoutDuration
How long should an account stay locked out?
(domain default: 30 min = -18000000000)
Afterwards you just need to link the new Password Settings Object to a group or user account. Apart from users, you can only link it to global security groups, so make sure to verify the group scope first. To link the PSO you add the distinguished name (e.g. “cn=my group, ou=corporate groups, dc=example, dc=com”) of the user or group to the multi-valued attribute msDS-PSOAppliesTo of the Password Settings Object you want to apply. You can verify it afterwards by resetting the password of a test account as Administrator: the new password is checked against the length and complexity settings of the PSO rather than those of the domain.
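As an added example (not code from the original post), the following PowerShell script performs the whole procedure above over plain LDAP using System.DirectoryServices.Protocols: it creates a PSO with every mandatory attribute, links it to a global security group via msDS-PSOAppliesTo and then reads the constructed attribute msDS-ResultantPSO of a group member to confirm which PSO actually wins. It requires the Windows Server 2008 domain functional level. The domain example.com, the group “CN=Admin Accounts,OU=Corporate Groups,…”, the user “CN=Jane Admin,OU=Admins,…” and the policy values are assumptions chosen for the example.

```powershell
# Added example, not from the original post: create a Password Settings Object
# for administrative accounts over plain LDAP (System.DirectoryServices.Protocols),
# link it to a global security group and read back which PSO wins for one member.
# Requires the Windows Server 2008 domain functional level.
# Assumed names (not from the post): domain example.com / DC=example,DC=com,
# global group "CN=Admin Accounts,OU=Corporate Groups,DC=example,DC=com"
# and test user "CN=Jane Admin,OU=Admins,DC=example,DC=com".
Add-Type -AssemblyName System.DirectoryServices.Protocols
$NS = "System.DirectoryServices.Protocols"

$domainDn = "DC=example,DC=com"
$psoDn    = "CN=PSO-Admins,CN=Password Settings Container,CN=System,$domainDn"
$groupDn  = "CN=Admin Accounts,OU=Corporate Groups,$domainDn"
$userDn   = "CN=Jane Admin,OU=Admins,$domainDn"

function ConvertTo-PsoInterval([double]$Minutes) {
    # Durations are stored as a negative Int64 count of 100-nanosecond ticks:
    # 1 day = -864000000000, 42 days = -36288000000000, 30 min = -18000000000
    [string](-1 * [Int64]($Minutes * 60 * 10000000))
}

# A sample policy that is stricter than the domain defaults. The lower
# precedence number wins when several PSOs apply to the same user.
$settings = @{
    "msDS-PasswordSettingsPrecedence"          = "10"
    "msDS-PasswordReversibleEncryptionEnabled" = "FALSE"
    "msDS-PasswordHistoryLength"               = "24"
    "msDS-PasswordComplexityEnabled"           = "TRUE"
    "msDS-MinimumPasswordLength"               = "15"
    "msDS-MinimumPasswordAge"                  = (ConvertTo-PsoInterval -Minutes (1 * 1440))   # 1 day
    "msDS-MaximumPasswordAge"                  = (ConvertTo-PsoInterval -Minutes (30 * 1440))  # 30 days
    "msDS-LockoutThreshold"                    = "5"
    "msDS-LockoutObservationWindow"            = (ConvertTo-PsoInterval -Minutes 30)
    "msDS-LockoutDuration"                     = (ConvertTo-PsoInterval -Minutes 30)
}

$conn = New-Object "$NS.LdapConnection" "example.com"    # assumed domain name
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()                                              # current (Domain Admin) credentials

# 1. Create the PSO with every mandatory attribute. LDAP carries them as strings:
#    booleans as TRUE/FALSE, large integers as decimal text.
$attrs = @(New-Object "$NS.DirectoryAttribute" "objectClass", "msDS-PasswordSettings")
foreach ($name in $settings.Keys) {
    $attrs += New-Object "$NS.DirectoryAttribute" $name, $settings[$name]
}
$add = New-Object "$NS.AddRequest" $psoDn, ([System.DirectoryServices.Protocols.DirectoryAttribute[]]$attrs)
[void]$conn.SendRequest($add)

# 2. Link it. msDS-PSOAppliesTo is a multi-valued DN attribute on the PSO itself;
#    only users and global security groups are valid targets.
$link = New-Object "$NS.ModifyRequest" $psoDn, ([System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Add), "msDS-PSOAppliesTo", $groupDn
[void]$conn.SendRequest($link)

# 3. Verify. msDS-ResultantPSO is a constructed attribute on the user (it must be
#    requested by name) and holds the PSO that wins after precedence resolution.
$search = New-Object "$NS.SearchRequest" $userDn, "(objectClass=user)", ([System.DirectoryServices.Protocols.SearchScope]::Base), "msDS-ResultantPSO"
$entry  = $conn.SendRequest($search).Entries[0]
if (-not $entry.Attributes.Contains("msDS-ResultantPSO")) {
    Write-Warning "No PSO applies to $userDn; the domain-head password policy is in effect"
} elseif ($entry.Attributes["msDS-ResultantPSO"][0] -ne $psoDn) {
    Write-Warning "Another PSO wins for $userDn (lower precedence number or linked to the user): $($entry.Attributes['msDS-ResultantPSO'][0])"
} else {
    "Effective PSO for $userDn is $psoDn"
}
```

Step 3 is the check worth keeping around: group membership changes and additional PSOs with a lower precedence number silently change which policy a user gets, and msDS-ResultantPSO is the only authoritative answer.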

So this is one of the great features coming with Windows Server “Longhorn” – I’m very excited about it!



How today’s password policies are implemented is actually not really through policies. A policy which is linked to the domain head (the domain object in Active Directory, i.e. the symbol which represents the domain in Active Directory Users and Computers and other interfaces) is written to attributes of the domain head, and those are the only settings which apply to domain accounts. Everything configured in GPOs linked to OUs applies only to the computer accounts underneath that OU, and therefore to the local user accounts on those computers (not to domain user accounts). So applying password settings to OUs and GPOs would have been a bigger design change, and I guess you’d prefer to get the feature with the next version rather than whenever [;)]

MVP-Summit – Back in Seattle / Redmond

I have just traveled to Seattle to attend the MVP Summit, and it’s already been great to meet so many MVPs again in the hotels and on the streets. During the next days the highlights will be seeing Bill Gates live again and having many discussions with the Directory Services product group.

One thing which really bothered me during my trip here: at the airport in Chicago I looked at the wireless network, and the instruction card mentioned the following:

How can I configure my computer to optimally enjoy Wi-Fi?

Make sure to disable your VPN, ipv6, firewall and proxy before connecting. [..]

So are they really suggesting turning off your firewall to optimally enjoy Wi-Fi? In a public hotspot? I honestly hope they change these instructions.

To be fair – on the other side they recommended setting the checkbox in the “Windows Firewall” dialog to “Don’t allow exceptions”. While this is great advice and assumes that the Windows Firewall is turned on (you are unable to set that checkbox if it’s turned off), the screenshot right next to it shows the Windows Firewall turned off with the checkbox not set.

Time to redo the document I guess [;)]