Aahrg: Driving License vs. Programming and Distributing Software

To get a driving licence, every country has regulations: how to get a learner's permit, pass an eye test, sign up for the theoretical test, take it, and drive in front of an examiner. If you pass, you receive your driving licence; in some countries it is valid for life, in others only for a certain time, after which you have to show again that you are still able to drive a car.

If you want to write software: go for it. If you want to distribute it, you can go for it [1]. Nobody tests whether you are able to write software, you don't have to get a licence, but you may put your customers' computers in jeopardy.

I've just looked for some software on the net and found (again) a small link on the product page: "requirements for Windows Vista". There they suggest installing as Admin (which is valid), and then they go on to recommend installing the software into a directory other than "c:\program files" so that the software is able to update itself; then they talk about changing registry keys, adjusting Internet security zones, … There are so many companies out there which do not realize that they have some responsibility for keeping their users' computers secure, and that this needs programmers who try to support that as much as possible.

Poor users who don't know better and get software like this: either those companies should program correctly or they should be sued. I consider writing bad, insecure software the same as picking the lock of somebody else's door and leaving. And the suggestions above are as bad as suggesting you remove the lock from your own front door because one of your kids minds opening the door with a key.

By the way, there is such a thing as a driving licence for developing software which is written to work under Windows Vista without mangling its security settings: see the Certified for Windows Vista initiative, which also has some interesting offerings if your software is tested and meets the requirements before May 2007.

[1] Meeting requirements such as setting up a company is off topic here.

Goodbye Jim

Unfortunately Jim Allchin stuck to his plans and left Microsoft after Windows Vista was RTMed.

I highly respect what he has accomplished in the last 17 years and hope that he'll come back to the blogosphere on a more personal level.

Read his last post while still in the job: it's hilarious!


I’m sad he left, but wish him all the best for the future!

What I really hate about DNS- and DHCP-Client-Services

Did you read my last post and weren't happy with the different spellings?

So here's what I really hate about the DNS Client service and the DHCP Client service:

They differ depending on the language version of the OS; compare German and English Windows:

OS language   Service name
English       DNS Client
English       DHCP Client
German        DNS-Client
German        DHCP-Client

I hate this because I tend to be too lazy to open up an MMC just to stop, start or restart a service; instead I like to use a command prompt to take care of many tasks:

net stop DNS-Client

net stop "DNS Client"

or to restart

net stop DNS-Client && net start DNS-Client

net stop "DNS Client" && net start "DNS Client"

So just for stopping or restarting services I have to keep the language version in mind and decide whether I have to hyphenate the names and whether to put them in quotes. Can't we just keep some names in sync? I'd like to meet the one who insists that those names should be slightly different in the German language version.

And before anyone asks: the double "&" means "run the second command only if the first completed successfully", so the service is only started if it stopped successfully.


Nils Kaczenski, a fellow MVP in Germany with whom I wrote both books I've published so far, made a good comment here, which I'd like to pull onto the main feed:

[..] why don't you just use the service name instead of the display name? "net stop dnscache" stops the DNS Client service on every machine, no matter what its language is. You can find out the service names in Control Panel or by just querying "sc query" (or, more sophisticated: sc query | find /i "_name"). The most common names will surely burn into your mind quickly. 😉

So yes, certainly he's right, and I can also recommend this procedure. I've done it this way e.g. back in the early XP days when I had to take care of the Wireless Zero Configuration service (wzcsvc; otherwise too much to type). However, for some reason I do DHCP, DNS and other services by display name. For whatever reason I'm just too lazy to keep the service names in mind and don't mind typing, so I'm usually using the service's display name. No clue why; my brain prefers it this way 😉 and there are more important things to remember.

I still don't understand why they are "semi-translating" certain things, which is totally useless. Currently the name is English but the hyphenation is German.

Feels like eating ice cream too fast: brain freeze. Ouch.

DNS-Client rumors

I've just read something on the Internet which made me write this post.

There are many people who don't realize a few things when it comes to the interaction of the DNS Client service and the DNS Server service, so here are some common misunderstandings:

I don't need the DNS Client service on a DNS server.

The DNS Client resolves names for the applications on that machine; the DNS Server serves whichever DNS client is asking it.

If I try to ping a computer by FQDN from a server which is also a DNS server, I can't reach/resolve it. However the server must be able to resolve the name, because when I look in the DNS management console I can see the record.

Meep, wrong: the server does not directly care which records the DNS Server on the same machine is holding. The DNS Client asks the DNS server it is configured to use, which may not be the local DNS Server.

What is wrong? For App-X name resolution is working, because I'm able to nslookup the name, however the app is not able to reach the server.

Try to ping the name of the server instead of using NSLookup. If NSLookup works but ping doesn't resolve the name to an IP, restart the DNS Client service. NSLookup brings its own resolver and does not prove that the DNS Client is working; it's only there for troubleshooting name resolution. Actually there are cases where NSLookup even resolves slightly differently than the DNS Client.

I'm hardening my server by disabling unused services. DHCP Client is one of them, because I'm statically configuring my IP address, so I don't need it.

Usually the DHCP Client service takes care of registering records in the reverse lookup zone (PTR records) in DNS, so you might want to keep it.

I have configured a second DNS server in my DNS Client, so my DNS Client is able to resolve names even if the DNS Server service is not working / stopped.

This is a huge one. The second DNS server will only be asked if the first server is not reachable via TCP/IP. As long as it answers via IP it does not matter whether the DNS Server is answering or not.

I'm sure I forgot many of those rumors, so if you have some to share please provide comments; I'm happy to update this post.
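As an added example (not part of the original posts), here is a batch file that puts the NSLookup-vs-resolver check from the "App-X" rumor above and the language-independent service name from the DNS/DHCP Client post together: it compares what NSLookup and the system resolver (via ping) return for a host, and restarts the DNS Client by its service name dnscache if only NSLookup succeeds. The host name passed as the first parameter is a constructed value.

```batch
@echo off
rem Added example, not from the original posts: compare NSLookup (own resolver)
rem with the system resolver used by ping, and restart the DNS Client by its
rem language-independent service name "dnscache" instead of the display name.
rem Constructed: the host name passed as %1, e.g. dc1.example.com.
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 host.fqdn
    exit /b 2
)
set "HOST=%~1"

echo [1] NSLookup (uses its own resolver, bypasses the DNS Client cache):
nslookup %HOST% | findstr /i "Address Name"

echo [2] System resolver (what applications actually use):
ping -n 1 %HOST% | findstr /i /c:"could not find host" >nul
if not errorlevel 1 (
    echo     ping cannot resolve %HOST% - DNS Client resolver differs from NSLookup
    goto :restart
)
echo     ping resolved %HOST%; name resolution is fine for applications
exit /b 0

:restart
rem Show the localized display name this service name maps to on this box
for /f "tokens=1,* delims=:" %%a in ('sc query dnscache ^| findstr /i "DISPLAY_NAME"') do (
    echo     dnscache = %%b
)
rem Start only if the stop succeeded (the "&&" semantics from the post)
net stop dnscache && net start dnscache
if errorlevel 1 (
    echo     Restart failed - run from an administrative command prompt
    exit /b 1
)
exit /b 0
```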

TechEd:IT-Forum in Barcelona

Seems like the sessions are scheduled and set now – here are the ones I will be delivering:

IAM402 A Directory Services Geek’s View on Access Control Entries (ACE)
Ulf B. Simon-Weidner
Thu Nov 16 13:30 – 14:45

You have already deployed Active Directory (AD), but still have a lot of domain administrators? You want to increase security, decrease the risk of administration gone awry and offload daily tasks to delegated admins? In this session you will learn how Access Control works in AD, notes from the field about implementing role based administration and how to figure out what to delegate. Additionally we will drill down on implementing delegation using scripts and share details on what to delegate. After this session you’ll be able to design and implement role-based administration in your infrastructure.

IAMCT04 Active Directory (AD) and DNS Design with ‘Longhorn’ Server
Ulf B. Simon-Weidner, Kamal Janardhan
Wed Nov 15 17:00 – 18:15
Fri Nov 17 09:00 – 10:15

This Chalk-&-Talk brings together a wide variety of discussion topics dealing with ‘Longhorn’ AD and ‘Longhorn’ DNS. We would like to discuss and answer questions relating to pain points with AD within and without the branch office and AD/DNS designs and implementations as well as communicate the future improvements with AD in ‘Longhorn’ Server including RODC, Server Core etc.

Exploring the oldest Active Directories

  or: what I did this summer

This summer I decided to explore some of the oldest findings of Active Directories. Pretty interesting: it looks like they were mainly creating single-domain trees in a common forest, with some other single-domain forests a bit further away. I was unable to figure out whether they had sub-domains; if so, they are still underground. There are other forests even further away, but they are also mainly single-domain forests.

Speaking at the German Tradeshow "Systems"

During the German trade show Systems, the magazine IT-Administrator, which I'm writing for, will deliver some technical sessions on October 25th. I will speak at two of them; fellow MVP Walter Steinsdorfer will do two others. The sessions will be delivered in German. So if you speak German and you are interested in attending, please visit the following page for details and registration:


Enjoy the sessions!

DNS: Conditional Forwarders vs. Stub-Zones

In my last blog post I mentioned how you can use conditional forwarders to forward requests for specific namespaces / DNS zones to specific servers instead of using the general forwarder. This is also sometimes referred to as "forward delegation".

In this context I mentioned stub zones and promised to explain later what they are. In my words, stub zones are "dynamic conditional forwarders". What a stub zone does: it queries a server you specify for the list of NS records, so you've got a list of all name servers responsible for a zone. Then it queries the server for the A records of the name servers of the zone.

You are also able to use stub zones instead of the regular (non-conditional) delegation, also referred to as "reverse delegation".

Stub zones are dynamic: if you add new name servers for a zone, the stub zone will pick up this information and also use the new servers.
Also, stub zones receive their information by just querying DNS servers instead of requesting a zone transfer. You can even add stub zones for zones where zone transfers are not allowed.

If firewalls are involved: with a stub zone you cannot specify which of the name servers responsible for the zone in question is actually used to resolve the name. If you have specific ports opened just between some of the servers in question, then a delegation is better.
The same applies if you would prefer the use of specific servers. For example, you have a hub office and some branch offices; the forest root servers are in the hub office, and a sub-domain is spread out over the remote offices. Usually all clients and servers are querying the sub-domain's DNS servers; however some central systems in the hub office are using the root servers for DNS requests. Do you really want those central systems, which ask the root domain's servers for queries in the sub-domain, to be referred to a remote server? This "might" happen when you're using stub zones. So you want to keep those at your central office.

So there are pros and cons when it comes to using stub zones instead of (static) delegations.
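To make the difference tangible, here is an added example (my own, not from the original post) that configures the same "forward delegation" on a Windows Server 2003 DNS server first as a conditional forwarder and then as a stub zone using dnscmd, so you can see what each one stores. The zone name corp.example.com and the addresses 10.1.1.10 / 10.1.1.11 are constructed.

```batch
@echo off
rem Added example, not from the original post: create the same "forward
rem delegation" for corp.example.com once as a conditional forwarder and once
rem as a stub zone, then show what the server learned. Zone name and the
rem addresses 10.1.1.10 / 10.1.1.11 are constructed; run on the DNS server
rem (Windows Server 2003 dnscmd syntax).
setlocal
set "ZONE=corp.example.com"
set "MASTER=10.1.1.10"

rem Conditional forwarder: a static list, YOU choose which servers get asked.
rem Only these addresses need port 53 opened on a firewall.
dnscmd /ZoneAdd %ZONE% /Forwarder 10.1.1.10 10.1.1.11 /Timeout 5
dnscmd /ZoneInfo %ZONE%
echo --- forwarder list above stays fixed until you change it ---

rem Remove it again before creating the stub zone with the same name
dnscmd /ZoneDelete %ZONE% /f

rem Stub zone: only the master address is static; the NS and glue A records
rem are learned by ordinary queries (no zone transfer), so name servers added
rem to the zone later are picked up automatically - and any of them may be asked.
dnscmd /ZoneAdd %ZONE% /Stub %MASTER%
dnscmd /ZoneRefresh %ZONE%
dnscmd /ZoneInfo %ZONE%
dnscmd /EnumRecords %ZONE% @ /Type NS
echo --- NS list above follows the zone; you cannot pin it to specific servers ---
endlocal
```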

IAM402 A Directory Services Geek’s View On Access Control Entries (ACE)

Ulf B. Simon-Weidner

You've been at my session at Tech·Ed Europe: IT Forum 2006 in Barcelona? Great, I hope you liked it, and you are always welcome to provide feedback via the "Email" link on the left side.


Here you'll find the examples and scripts which I mentioned during my session.

Stay secure: for your security the executable scripts are provided as text documents. Only run them in your test environment, and only if you understand what they are doing.


ntSecurityDescriptor_vbs.txt: an example for displaying the properties of the ntSecurityDescriptor.
MSDN: Security Descriptor Definition Language (SDDL).
You can use various scripting technologies to put SIDs directly into ACEs. One good example is SubInAcl:
subinacl /file \\server\share\test /grant=S-1-5-21-1234567890-1234567890-1234567890-99999=F
This will grant permissions to the specified SID remotely. When using SubInAcl make sure you have downloaded the current version at http://www.microsoft.com/downloads/results.aspx?pocId=&freetext=subinacl.

Example command lines for scripting delegation using DSACLS:

List rights:
dsacls "ou=Berlin,ou=MyUsers,dc=example,dc=com"

Allow writing the property "lockoutTime" on user accounts:
dsacls "ou=Berlin,ou=MyUsers,dc=example,dc=com" /A /G example\usw:WP;lockoutTime;user /I:S

Allow writing the property "my-CostCenter" on user accounts (this is a custom schema extension):
dsacls "ou=Berlin,ou=MyUsers,dc=example,dc=com" /A /G example\usw:WP;my-CostCenter;user /I:S

Allow writing the property "member" on group objects:
dsacls "ou=Berlin,ou=MyGroups,dc=example,dc=com" /A /G example\usw:WP;member;group /I:S

If you want to know which rights to delegate:
Run compattrib.vbs with the parameters distinguishedname and objecttype, e.g. "compattrib.vbs cn=ulf,ou=myusers,dc=example,dc=com user". When prompted, change that object as admin, then click OK. A differencing file is created which shows you the difference: what has been changed and will be replicated, as well as which rights were changed.
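As an added example (my own, not part of the session material), the single dsacls lines above can be scripted into one role, which is what the session means by role-based administration: a group rather than a person receives exactly the ACEs the job needs, inherited to child objects only, and the result is verified afterwards. The domain example.com, the group example\HelpdeskBerlin and the two OUs are constructed values.

```batch
@echo off
rem Added example, not part of the original session material: script one
rem "Helpdesk" role with dsacls - a group, not a person, gets exactly the ACEs
rem it needs, inherited to child objects only (/I:S), and the result is listed.
rem Constructed values: domain example.com, group example\HelpdeskBerlin,
rem OUs ou=Berlin,ou=MyUsers and ou=Berlin,ou=MyGroups.
setlocal
set "USEROU=ou=Berlin,ou=MyUsers,dc=example,dc=com"
set "GROUPOU=ou=Berlin,ou=MyGroups,dc=example,dc=com"
set "ROLE=example\HelpdeskBerlin"

rem --- Helpdesk: unlock accounts and reset passwords of users in this OU ---
rem Unlock = write lockoutTime (the property used in the session examples)
dsacls "%USEROU%" /I:S /G "%ROLE%:WP;lockoutTime;user"
rem Reset password = the extended right "Reset Password" on user objects ...
dsacls "%USEROU%" /I:S /G "%ROLE%:CA;Reset Password;user"
rem ... plus pwdLastSet, so "user must change password at next logon" can be set
dsacls "%USEROU%" /I:S /G "%ROLE%:WP;pwdLastSet;user"

rem --- Helpdesk: maintain membership of groups in this OU, nothing else ---
dsacls "%GROUPOU%" /I:S /G "%ROLE%:WP;member;group"

rem --- Verify: list the ACLs and show only the ACEs granted to the role ---
echo ACEs for %ROLE% on %USEROU%:
dsacls "%USEROU%" | findstr /i /c:"HelpdeskBerlin"
echo ACEs for %ROLE% on %GROUPOU%:
dsacls "%GROUPOU%" | findstr /i /c:"HelpdeskBerlin"
endlocal
```

Run it as a user with permission to modify the OUs' ACLs; the verification step at the end is also a quick way to audit what a role has been granted later on.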

After the session I got questions on how I executed my script via Active Directory Users and Computers.
To do this you just need to configure it in the configuration partition:
cn=user-display,cn=DisplaySpecifiers,cn=***,dc=… (*** is the number of the language of the OS; 409 is US, 407 is German).
Then add the following value to the attribute adminContextMenu:

1,Compare Attributes,compattrib.vbs

The "1" selects the order in which the menu items appear; you can change this relative to the other values in this attribute as well. The second parameter is the text of the menu item, and the third one is the command (possibly with path) to execute. Now the menu item will show up on all user objects within ADUC across the forest; however you are only able to execute it if the script is available.

I recommend doing this only in a test environment or after solid testing.

delegwiz_add.inf: example for extending the delegation wizard. You'll find the file to modify in the Windows directory in the INF folder: delegwiz.inf
ACE bug on WindowsServerFaq: I have an example on my website as well (I used it when demonstrating a still existing error in ADUC).

I've also shown an example for extending user interfaces with delegated administration in mind. You only need to query "allowedAttributesEffective" to figure out which attributes the current user has write access to, then disable editing of the other attribute values. For read access you need to put valid error handling in place.

An example of an extended user interface with delegated administration in place

Also look at those sources:

The book "Active Directory" by Joe Richards and Robbie Allen (O'Reilly) is the first one I've seen that provides you with the scripting information on how to pull ACEs. I was proud to be one of the technical reviewers of this popular book. I wish this information had been available a couple of years ago when I dived into ACLs; it would have saved me a lot of work 😉

The "Active Directory Cookbook" by Laura Hunter and Robbie Allen (O'Reilly) provides a lot of scripting examples as well.

Sakari Kouti, who wrote a great book on "Active Directory" (together with Mika Seitsonen, Addison Wesley), has a script on his site: look at http://www.kouti.com/scripts.htm and check out his ACLReport.vbs.

Questions / Feedback

I'm happy to answer questions, but since I'm getting a lot of mails they are not my top priority, so bear with me. However, if you want to provide feedback about the session or you have additional questions, do not hesitate to contact me via the "Email" link on the left side.

Thanks for attending the sessions and for all the valuable feedback and discussions!


Ulf B. Simon-Weidner

A reflection of TechEd US in Boston

I just arrived back from the Microsoft TechEd US in Boston, which was a blast. Microsoft will release a lot of new software in the coming years, and they've announced their "4 promises" (which were presented in a style like the TV series "24").
I was actually going to write about each of them here, however they are also covered on this site:
TechEd this year was great. The community area was set up perfectly. Two years ago in San Diego we had those cabanas: couches and tables to sit together and talk to each other. Last year in Orlando there were mainly tables. Last year at IT-Forum they had product booths only. We provided the feedback that a mixture would be great, and that's how they did it this year. They split it into three major areas (IT-Pro, Office and Collaboration, Development) and had couches, tables and product booths in each of those areas. And we had a lot of wired LAN and power plugs there, so everyone was happy this time.
I spent most of the time answering questions and discussing scenarios about Longhorn Server, Windows Server 2003 (R2) and Directory Services, and had a lot of great conversations. It was great meeting many known faces again, and also to meet a lot of new ones.
And the products which will be coming out in the next years are incredible. We've never seen that many products with those functions in a single year before. Citing Microsoft: "We will release more products in the next 18 months than ever before". I will cover a couple of them which fit into my blog in later posts.