Archive for the 'Windows Server' Category

More speaking engagements

Saturday, October 6th, 2007

While we are in preparation for TechEd:IT-Forum, which will be in Barcelona in November, there are more speaking engagements already scheduled:

October 24th and 25th:

The IT-Administrator asked me to speak about what’s new in DNS and Active Directory in Windows Server 2008 at the German Tradeshow Systems. (Details)

November 12th to 16th:

I’ll be delivering two sessions and an interactive session at TechEd:IT-Forum in Barcelona. My sessions will be “A Directory Services Geeks View on How to (not) extend your schema” and “Active Directory Recovery in Windows Server 2008”, and I will host an interactive session (like the chalk-&-talks of the previous year, a session where attendees are encouraged to ask questions and get them answered) with Stephanie from the AD Product Group about “Active Directory Domain Services in Windows Server 2008”.

February 19th to 21st:

Windows Server 2008 will be launched in Germany, and I’ll speak at the launch event in Frankfurt. My sessions are “Active Directory Domain Services and DNS in Windows Server 2008” and “A Directory Services Geeks View on Access Control Entries”.

March 2nd to 5th:

NetPro already announced the Directory Experts Conference 2008 in Chicago, and I was honored to be asked back as speaker.

Security-Boundary: Forest vs. Domain

Saturday, August 25th, 2007

About time for a somewhat technical post:

In some newsgroup we recently discussed whether it’s considered best practice to deploy a lot of single-domain forests as opposed to a single multi-domain forest. The major reason given for this was that in the early Windows 2000 days, somebody said that the domain is the security boundary. After they figured out that you can elevate yourself to domain admin of another domain trusted within the same forest, they revised this statement and said that the only security boundary is the forest, not the domain.

Since this attack is not that likely, I prefer to state it differently:

  • The forest is the security boundary against malicious attacks (the attack is being done on purpose)
  • The domain is the security boundary against (domain) administrative mistakes

So for many things the domain might be enough of a security boundary. If you don’t trust admins of a different domain enough that you think they might perform an attack (= elevate their rights in an area where they don’t belong) on purpose, either fire them, fire them, don’t give them administrative rights, fire them or put them into a separate forest.

Resource forests (yeah – back to the NT days) are sometimes a good idea too, especially if separate companies want to share resources; however, keep in mind that they are a bit harder to manage and it depends on the application how well it integrates. You are also better off using a solution like the Microsoft Identity Integration Server (or the Identity Integration Feature Pack), which is now part of Identity Lifecycle Manager, to synchronize accounts into the resource forest; however, make sure to protect them well enough and to trust the admins of the resource forest from all parties. MIIS/IIFP allows you to sync the passwords of the users in question (by using a password filter on all DCs to notify MIIS, which then changes the passwords in the connected directories) to allow a better integration via single sign-on / single credentials [1]. Don’t forget to design processes for the changes in the resource forest which are signed off by all participating companies.

OK – back to the subject – don’t take any recommendation to deploy only many single-domain forests or to put everything in the same forest at face value – think about whether it’s really necessary and valuable to deploy multiple forests/domains. At one point there was a recommendation: if you are designing your Active Directory and you think you need to add another domain, rethink that decision. Not true in all scenarios, but think about your design.

One reason for multiple domains has been different password policies – and as I posted before, this reason is vanishing in Windows Server 2008.

There are multiple opinions on this, so don’t hold back on feedback / your thoughts.

P.S.: I do respect statements like the one “to recommend multiple single-domain forests” – they are a bit extreme, however they deliver the message. For example, a friend of mine was at one of the top security sessions at TechEd US (where they showed a real-world-unlikely attack), and afterwards in the bathroom he heard attendees who had just phoned their companies to instruct them to patch their servers. So even though the attack was not too likely to happen in a real company, it delivered the message to keep your systems secure.

[1] Single Sign-On: The user logs in once to his workstation and gets access to other resources automatically without re-authenticating.
Single Credentials: I made this up a couple of years ago – I think more valuable in the beginning are single credentials (combinations of username/password). Users in enterprises are sick of multiple accounts, because they have to remember different usernames and/or passwords, which leads to weak passwords. If you are able to synchronize the password for the user more easily than providing him with single sign-on, this is still valuable, since the users don’t have to remember multiple passwords. I wouldn’t mind entering the same password to access multiple applications, however I do mind remembering different credentials.

VMRCPlus out of the secret storage

Tuesday, July 3rd, 2007

Finally VMRCPlus is available to the public. I have been bugging MS for years to release it, and finally it’s available.

VMRCPlus is a frontend for users of Virtual Server, which provides a full console application instead of having VMRC to connect to the screen plus the web interface to configure machines. Way cool. If you work with Virtual Server, this is a must-have!

Thanks to Tomek’s DS World – I found this reading your blog [;)]

What’s up?

Tuesday, June 5th, 2007

OK – it’s been a while since I last posted. Many things were going on.

The last post was in the Directory Experts Conference-Timeframe. Wow – a lot was going on. I’ll write later some thoughts about DEC, even if others have covered it well (like Gil, Joe, Jorge, Tomek) it’s worth some words.

What else was going on? OK – recently I got ready for TechEd Orlando, where I answer questions in the Ask-the-Experts Area at the Windows Server – Active Directory Booth. Then I’m busy with a roadshow about Windows Server 2008 in Germany. If you are in Germany and have a business relationship with Computacenter, go to it or ask your contacts to join. We have done and will do 6 locations by the end of June (already been to Ludwigshafen, Nuremberg, Stuttgart and Saarbrücken and will be in Frankfurt and Munich in June), with more locations coming up in the second half of 2007. I did a lot to organize and create these events, and I’m working together with some great colleagues here, so if you have the chance, join.

Additionally, NetPro has announced that they will bring the Directory Experts Conference to Europe again this year, and I’m glad that I’m able to help by being an active part of that conference. I’m looking forward to it very much.

Otherwise … many customer events and other things around Windows Server 2008 – this will be a great release and customers are asking about it like crazy. It’s always a pleasure to see a product being successful where you were able to provide good feedback and you know that this feedback was appreciated and taken into account. I’m looking forward to the release, and as much as I’ve tested the previous and current versions, and what I know from RC1, this will be a blasting release. If you didn’t have a chance to look at it – do it now – you’re already late.

The baptism of a new Server: Windows Server 2008

Wednesday, May 16th, 2007

Windows Server “Longhorn” finally got its name – as few will be surprised, it will be “Windows Server 2008”.

Microsoft has named its products in the past after the fiscal year in which they were released – since their “Fiscal New Year’s Day” is in the middle of the year and the new release of Windows Server is announced for the second half of calendar year 2007, many sources already assumed its name would be “Windows Server 2008”. They were right.

The announcement was on the Windows Server Division Weblog, and also the Windows Server 2008 Home Page has been adjusted and provides many valuable sources.

Timetraveling Active Directory

Wednesday, May 9th, 2007

When I posted about the Fine Grained Password Policies (aka Password Settings Objects) in the Active Directory of Windows Server “Longhorn” I also got permission to blog about a very exciting new feature in Longhorn – the possibility to create and access Active Directory “Snapshots”. So what is this feature?

In all previous Versions of Active Directory it had been very hard to:

  • determine which values an object had at a specific time in the past
  • determine which backup is the right one to restore in case of an Active Directory recovery
  • authoritatively restore objects in Active Directory
  • figure out and fix group memberships (as well as other forward-/backlink relationships) after an authoritative restore

However – in Windows Server “Longhorn” you get the possibility to create Active Directory “Snapshots” (which is basically a Volume Shadow Copy of your operating system and Active Directory partitions – however it’s been made sure that the AD database is in a consistent state). Afterwards you are able to mount these snapshots into the file system and start a read-only LDAP service from this database (DIT file). You can also start such a read-only LDAP directory from a previous backup whose files have been restored in a different place.

So how are we doing this?

First – let’s create a snapshot. The easiest way to do this is using ntdsutil.exe:

  1. On a Windows Server “Longhorn” Domain Controller, open the command prompt and enter ntdsutil
  2. Enter Snapshot to go into the snapshot subcontext
  3. Hit ? to see all options, just for your information
  4. Now we need to select the directory of which we want to create a snapshot – we could also use ADAM (called Active Directory Lightweight Domain Services in Windows Server “Longhorn”) – but in this case we care about Active Directory Domain Services, so enter Activate Instance NTDS
  5. Simply enter create, and a new snapshot is being created. Note the GUID which is returned, we need this one later (but I’ll show you a way to retrieve it anyway).

OK – that was easy – now let’s mount the snapshot into the file system:

  1. Still in the subcontext snapshot in ntdsutil, examine which snapshots you have on your local system by typing list all. Now you get a list of all snapshots on the system.
  2. Now we want to mount a specific snapshot. First copy the GUID right next to the date/time of the snapshot you want to mount into the clipboard. Then type mount <GUID>. You get the message that the snapshot is being mounted to a directory C:\$SNAP_datetime_VOLUMEC$\.
  3. Navigate with Windows Explorer to this directory (if you don’t see it you have to change your folder options) and examine its content. You’ll see that it includes a full snapshot of the volume.

But we wanted to start up our own read-only instance of Active Directory from this snapshot – there are no options in ntdsutil to do this. We need to use a different command: dsamain.exe

  1. Open up a new command prompt
  2. Type dsamain.exe -dbpath:c:\$snap_timedate_volumec$\windows\system32\ntds\ntds.dit -ldapport:10000 -sslport:10001 -gcport:10002 -gcsslport:10003 (replace the path with the path of the ntds.dit in your snapshot; the port numbers are up to you).
  3. The output should look as follows and inform you that the Active Directory Domain Services startup completed.

    Note that you don’t get back a prompt – whenever you decide you don’t need the new LDAP-Service anymore you’ll have to cancel it by hitting (Ctrl) + (C).

Now you can navigate in this “old version” of Active Directory. I strongly hope and assume you are not in your production network right now – so make some changes you remember (such as changing a user’s properties, deleting something you don’t need anymore) – so that you have a possibility to see the changes between the two states of the Active Directory. In this example we’ll simply use ADSIEdit.msc to navigate the snapshot – you can use any other LDAP browser, script or tool which allows you to select ports other than the default to navigate the LDAP directory.

  1. Start adsiedit.msc
  2. In adsiedit, use the Connect to… menu to specify your Active Directory Snapshot
  3. Now navigate the old version of Active Directory, and look for the changes you made.

After you are finished, you can stop dsamain with (Ctrl) + (C), then go into the ntdsutil-commandline. To unmount the snapshot you can type dismount <GUID>. If you can not remember which snapshots are mounted you can also use the list mounted command in this subcontext of ntdsutil.

AD snapshots are the first time ever that Microsoft gives us such an important tool to enable us to do object-level or attribute-level recovery using simple scripts, or to select which objects to restore authoritatively. Previously you had to remember the distinguishedName of the objects you wanted to restore, or restart the DC without a network connection – figure out the DN path – then restart it in Directory Services Restore Mode again, and finally perform the authoritative restore. And remember – you can also do this against a backup, so it’s a good way to figure out which is the best backup to restore in the case of an AD recovery.
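As an added example of such a “simple script” (not code from the original post), the following PowerShell compares one object’s attributes between the live directory and the snapshot instance that dsamain.exe is serving on port 10000, as in the steps above. It assumes the snapshot is served on localhost:10000, that the live DC answers on localhost, and that $ObjectDN is a placeholder you replace with a real distinguishedName; an object deleted from the live directory shows up as all attributes present only in the snapshot.

```powershell
# Added example, not the blog’s own script: diff an object between the live
# directory and a dsamain.exe snapshot instance to find what changed.
# Assumptions: snapshot on localhost:10000 (see the dsamain steps above),
# live DC on localhost, $ObjectDN is a placeholder DN you must replace.
param(
    [string]$ObjectDN   = "CN=Jane Doe,OU=Users,DC=example,DC=com",  # placeholder
    [string]$LiveServer = "localhost",
    [string]$SnapServer = "localhost:10000"
)

function Get-LdapAttributes {
    param([string]$Server, [string]$DN)
    # ADSI LDAP paths accept "host:port", so the non-default port of the
    # snapshot instance is addressed exactly like the live directory.
    $attrs = @{}
    try {
        $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$DN")
        foreach ($name in $entry.Properties.PropertyNames) {
            # Flatten multi-valued attributes (e.g. memberOf) into one sorted
            # string and render binary values (objectSid, objectGUID) as hex.
            $values = @($entry.Properties[$name] | ForEach-Object {
                if ($_ -is [byte[]]) { [BitConverter]::ToString($_) } else { "$_" }
            }) | Sort-Object
            $attrs[$name] = ($values -join "; ")
        }
    } catch {
        # Object not found (e.g. deleted in the live directory): return no
        # attributes so every snapshot value shows up as a difference.
        Write-Warning "Could not read $DN from ${Server}: $($_.Exception.Message)"
    }
    return $attrs
}

function Compare-LdapObject {
    param([hashtable]$Snapshot, [hashtable]$Live)
    $names = @($Snapshot.Keys) + @($Live.Keys) | Sort-Object -Unique
    foreach ($name in $names) {
        $before = $Snapshot[$name]
        $after  = $Live[$name]
        if ($before -ne $after) {
            [pscustomobject]@{ Attribute = $name; Snapshot = $before; Live = $after }
        }
    }
}

$snap = Get-LdapAttributes -Server $SnapServer -DN $ObjectDN
$live = Get-LdapAttributes -Server $LiveServer -DN $ObjectDN
# Only attributes whose value differs between the two states are listed.
Compare-LdapObject -Snapshot $snap -Live $live | Format-Table -AutoSize
```

The Snapshot column gives you the value to put back (or the DN to restore authoritatively) without booting the DC into Directory Services Restore Mode just to look it up.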

Disclaimer: this blog post is about a beta-product which may change, I’ll try to update this blog-post if I recognize any changes.

Credits: Thank you Dmitri for this feature – you rock!

Windows Server "Longhorn" – Active Directory Attribute Editor and LDP

Tuesday, March 20th, 2007

Another article by Jorge mentions the new “Attribute Editor” in Active Directory-Users and -Computers (ADUC) and Active Directory-Sites and -Settings (ADSS). Basically you now have the property page of ADSIEdit in ADUC and ADSS, and you are able to configure all attributes of the selected object in a more generic view. I love this “feature” (*) – you’ll see it as soon as you have selected “Advanced View” in ADUC or ADSS and open a property page of an object.

Also I’d like to mention another great “feature” (*) of the property page – it shows you some of the data in a more human-readable form than ADSIEdit did. They are converting numbers now – e.g. to time values and so on.

Another thing which has improved in ADUC is that if you select a domain controller you are able to access the NTDS Settings object underneath it. For example, you are able to configure the DC to be a Global Catalog (or not) in this dialog box. This caused a lot of confusion in the past, where you were either able to see the DC’s properties in ADUC or to select whether it’s a GC or not in Active Directory-Sites and Settings – so well done Microsoft for deciding to show it in Active Directory-Users and Computers as well.

Jorge is also covering LDP in his post, and how much it has improved. What I really love in LDP is the Advanced Security dialog, which displays a security descriptor with its DACL, SACL and ACEs in the GUI or via a text dump. Just select Browse -> Security -> Security Descriptor from the menu in ldp.exe, select the object, and choose whether you prefer a text dump or the “friendly view”.

Read Jorge’s article on Windows Server “Longhorn” – Management tooling to get more information about the possibilities in Active Directory-Users and -Computers and Active Directory-Sites and -Services.

(*) In Windows Server “Longhorn” we have Roles which we install, such as DNS-Server, Active Directory Domain Services, File Server, … and Features which are minor things to install such as Bitlocker, Telnet, Windows Backup, … so what do we call something which is a new thing but is not a Role or a Feature in the Product? In the past we’ve called it feature, but now we are without a wording for it.

dcpromo in Windows Server "Longhorn"

Tuesday, March 20th, 2007

Jorge’s Quest for Knowledge is currently covering a lot about the next Windows Server “Longhorn”, which is due later this year.

In his Post Windows Server Longhorn – Installing, Removing and Upgrading to AD he is covering a lot of the options you get with the new dcpromo in Windows Server “Longhorn”.

I refer to this as the “Next -> Next -> Finish” consultant-proof version of DCPromo. You know – Active Directory is a pretty complex topic, however there were many people out there who claimed to know Active Directory because they were able to install it using DCPromo. But it requires a lot more than that.

Microsoft basically took care of the “common admin” by putting many of the best practices right into DCPromo, so if you install Active Directory with the defaults now you get by default much more of what you previously had to set afterwards, so I do expect that we’ll get fewer calls from scenarios which lack best practices.

However you are still able to run dcpromo and configure many settings (actually much more) by selecting the advanced installation right on the first screen of the dcpromo-wizard.

If you have access to the beta or to MSDN – give it a try to explore the new dcpromo-wizard – you’ll love it!

Read Jorge’s article where he tells you more about Installing, Removing and Upgrading to AD in Windows Server “Longhorn”.

BGInfo in Vista and Longhorn

Tuesday, January 23rd, 2007

Did you try to use Sysinternals’ (now Microsoft’s) BGInfo on Windows Vista or Windows Server codenamed “Longhorn”? Do you also prefer to see your network settings such as IP address and DNS server on the background screen of BGInfo?

So did you like the picture you’ve got? Here’s an example:

[Image: BGInfo in Vista/Longhorn Default]

So apparently we get nine IP addresses and nine DNS servers back, but only one is configured. We only want the one address which is actually configured, not that of any virtual or other network interface. We can still use BGInfo, but we need to put some more brain into it.

BGInfo also allows you to configure Scripts or custom variables, and return their value. So in BGInfo, follow these steps:

  1. In BGInfo, underneath the list box “Fields” where you are able to select which values to see, click “Custom”
  2. In the dialog box “User Defined Fields”, click “New”
  3. In the dialog box “Define New Field”, choose an “Identifier”, such as “MyIPAddress”
  4. Under “Replace identifier with” click “WMI Query”
  5. In the text box “Path”, enter the following WMI Query:
    SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = TRUE
  6. Close the dialog box with OK and repeat from Step 2 to create another new field (e.g. “MyDNSServer”) with this Path (WMI Query):
    SELECT DNSServerSearchOrder FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = TRUE

After you have added MyIPAddress and MyDNSServer to your background, it’ll look like the following:

[Image: BGInfo - Fixed now with WMI]

I’m still alive (2)

Monday, January 22nd, 2007

So after getting back from Barcelona I had a lot of work to make sure I’d be able to take some vacation during X-Mas. Worked like crazy. Also I had to finish an article, which was published in January in the IT-Administrator. I covered security basics, delegation and implementing role-based administration in Active Directory. Yes – it complements my talk [;)]

Finally I was able to go on vacation from X-Mas to the first week of January. I was looking forward to it – I’m used to a lot of work, however the last year was the worst ever and I was unable to finish everything – too many customers at the same time while always having issues finding “bodies”.

So what happened? Sure! If you give your body time to relax, it takes whatever it needs to recover. So I had a bad cold over New Year’s until the end of the first week in January. Not very relaxing, so I decided to stay at home for the second week of January as well and keep my workload low.

I had to recover and deserved it!