Back to life

May 13th, 2008

I haven’t blogged in a while. A long while. I’ve been through major changes in my life. Readjusting. Reloading. Sometimes you need to reevaluate things, in technology and in life. Being stable doesn’t equal avoiding changes. I recently heard the statement “nobody will grant you that things get better when you make changes, but to make things better you have to make changes”. Very true. And – that’s in life and technology – I even believe that avoiding changes makes things worse. Sometimes you even benefit from small changes. E.g. at our company we made things better by introducing a single Windows Server 2008 last year, and users and admins alike benefited a lot from it. Re-evaluation is good, and changes … changes mean being alive.

But this here is about technology. So let me make a small update on what’s going on with me in this field.

After the Directory Experts Conference in Chicago I was working back home, then went to the MVP Summit in Seattle, and it was great to see so many MVPs and folks from the Directory Services product group again. I really enjoyed it. Currently I’m preparing for two events: Microsoft TechEd USA for IT Pros (yes – they followed the example from Europe and split Developers and IT Pros into two different weeks – however I liked how it was before). At TechEd, which will be in Orlando (again; I was there last year, and two years before that), I’ll present 3 sessions and two interactive ones. So five slots in two days (I’m only scheduled on Wednesday and Thursday), this will be quite funny [;)]. I’m looking forward to it. I’m sad I had to decline the developer week, but I can’t take two weeks of vacation just to speak at two different TechEds. I would love to, but someone has to pay for my living. And I feel I really need a vacation this year, I deserve it, believe me, but currently I’m unable to go on vacation.

Another thing I’m getting ready for is a whole-day workshop with the IT-Administrator; we’ll cover Windows Server 2008 and nothing else. I’m looking forward to it, and I was told that many people are signing up for it.

So exciting events are coming up soon, and I actually have a couple of ideas (some already finished) for new technical blog entries, so stay tuned. I promise the next one will be technical and will come in a few days [;)].


P.S.: Thanks for listening – I can’t remember how many times I said this in the recent past and probably didn’t say it often enough.

Impressions of the Directory Experts Conference

March 3rd, 2008

Today is day one of the Directory Experts Conference in Chicago. So far the conference has been very good – but that was as expected. I had one session today right before lunch, “A Directory Services Geek’s View on Active Directory Recovery in Windows Server 2008”. It went quite well, however the power plug on stage was switched off, so my machine decided to go into sleep mode during the presentation. For some reason this session attracts laptop issues: during the launch in Frankfurt the virtual machine decided to “unexpectedly shut down”. Things happen, that’s part of the fun, isn’t it?


A Directory Services Geek’s View on Active Directory Recovery in Windows Server 2008

March 2nd, 2008

Ulf B. Simon-Weidner

Presented at

  • Microsoft TechEd:IT-Forum, Nov 2007, Barcelona, Spain

  • Microsoft Launch 2008, Feb. 2008, Frankfurt, Germany

  • Directory Experts Conference 2008, Chicago, USA

  • Microsoft TechEd IT-Pro, June 2008, Orlando, USA

In my session “A Directory Services Geek’s View on Active Directory-Restore in Windows Server 2008” I’m using a script to convert an LDIF file from the changetype “add” to the changetype “modify”. Why is that?

I presented how to restore a tombstone to a user object with only a limited set of properties. Then I used Active Directory Snapshots to dump an LDIF file with all attributes of the recovered object, by running the LDIF export against the port on which I exposed the snapshot:

ldifde.exe -r "(cn=Joe Doe)" -t 10000 -f joe.ldf
              ^                 ^        ^
              |                 |        Output-Filename
              |                 Snapshot-Port
              Filter

Afterwards we have an LDIF file, but it has the changetype “add”, which we could use to create a new user, but only if all attributes are writeable and the syntax is correct. However, since we dumped all attributes there are some which even a domain admin is unable to write, because they are owned by the system or for other reasons. Still, I prefer to dump all of them if I need to fully restore a user, so I even get custom schema extensions and everything else I might not think of if I used a manual list of attributes. Now we are challenged to modify a user which already exists, and for this we cannot use the default output of LDIFDE. We need to convert the file as illustrated in the following picture:


To do this I wrote the following script:

' ModifyLDIF
' Converts LDF-Files from Changetype ADD to Changetype MODIFY,
' in result every Attribute will be changed separately
' Import the file using ldifde -i -z -k -f filename.ldf to
' continue changing attributes if one is 'unwriteable'
' Parameter:
'   sInput:  Path/File of the Inputfile (LDF)
'   sOutput: Path/File of the Outputfile (LDF)
'   bDelSource: if TRUE the Inputfile is deleted afterwards
' (c) Ulf B. Simon-Weidner,
Set objArgs = WScript.Arguments
If objArgs.Count = 0 Or objArgs.Count > 3 Then ShowUsage
sInput = objArgs(0)
If objArgs.Count > 1 Then
  sOutput = objArgs(1)
Else
  ' No Outputfile given: same folder as the Inputfile, name prefixed with "mod_"
  sOutput = ""
  arrOut = Split(sInput, "\")
  For i = 0 To UBound(arrOut) - 1
    sOutput = sOutput & arrOut(i) & "\"
  Next
  sOutput = sOutput & "mod_" & arrOut(UBound(arrOut))
End If
bDelSource = False
If objArgs.Count > 2 Then bDelSource = (LCase(objArgs(2)) = "true")
WScript.Echo "ModifyLDIF.vbs"
WScript.Echo "(c) Ulf B. Simon-Weidner,"
WScript.Echo "Inputfile:  " & sInput
WScript.Echo "Outputfile: " & sOutput
If bDelSource Then WScript.Echo "Inputfile will be deleted after conversion"
ModifyLDIF sInput, sOutput, bDelSource

Sub ModifyLDIF(sInput, sOutput, bDelSource)
  Set oFSO = CreateObject("Scripting.FileSystemObject")
  Set oInput = oFSO.OpenTextFile(sInput, 1)
  Set oOutput = oFSO.OpenTextFile(sOutput, 2, True)
  sDNLine = ""     ' the "dn:" line of the current record, copied verbatim
  sLastParm = ""   ' attribute of the previous line (to attach wrapped dn lines)
  sPending = ""    ' attribute whose "replace:" change is still open
  Do While Not oInput.AtEndOfStream
    sLine = oInput.ReadLine
    If sLine = "" Then
      ' A blank line ends the record: close the open change
      If sPending <> "" Then
        oOutput.WriteLine "-"
        oOutput.WriteLine ""
        sPending = ""
      End If
    ElseIf Left(sLine, 1) = "#" Then
      ' Comment line: skip
    ElseIf Left(sLine, 1) = " " Then
      ' Continuation line of a wrapped value: copy it right after the value line
      ' (a wrapped dn is collected so it can be repeated for every change)
      If sLastParm = "dn" Then
        sDNLine = sDNLine & vbCrLf & sLine
      Else
        oOutput.WriteLine sLine
      End If
    Else
      nPos = InStr(sLine, ":")
      If nPos = 0 Then nPos = Len(sLine) + 1
      sParm = Left(sLine, nPos - 1)
      sLastParm = LCase(sParm)
      Select Case sLastParm
        Case "dn"
          ' Keep the whole line, so a base64 "dn::" stays intact
          sDNLine = sLine
        Case "changetype", "-"
          ' ignore these, every change gets its own "changetype: modify"
        Case Else
          ' Consecutive values of the same (multi-valued) attribute share one
          ' replace, otherwise all but the last value would be lost
          If sLastParm <> sPending Then
            If sPending <> "" Then
              oOutput.WriteLine "-"
              oOutput.WriteLine ""
            End If
            oOutput.WriteLine sDNLine
            oOutput.WriteLine "changetype: modify"
            oOutput.WriteLine "replace: " & sParm
            sPending = sLastParm
          End If
          ' The value line is copied verbatim, so "attr:: base64" works as well
          oOutput.WriteLine sLine
      End Select
    End If
  Loop
  ' Close the last change if the file does not end with a blank line
  If sPending <> "" Then
    oOutput.WriteLine "-"
    oOutput.WriteLine ""
  End If
  oInput.Close
  oOutput.Close
  Set oInput = Nothing
  Set oOutput = Nothing
  If bDelSource Then oFSO.DeleteFile sInput
  Set oFSO = Nothing
End Sub

Sub ShowUsage
  WScript.Echo "ModifyLdif.vbs <inputfile.ldf> [<outputfile.ldf> [<deleteinput>]]"
  WScript.Echo "  inputfile:   Filename of the inputfile"
  WScript.Echo "  outputfile:  Filename of the outputfile"
  WScript.Echo "               If not provided, the filename of the inputfile"
  WScript.Echo "               will be prefixed with a ""mod_"""
  WScript.Echo "  deleteinput: True or False (default), if True the inputfile"
  WScript.Echo "               will be deleted after the outputfile is written"
  WScript.Quit 1
End Sub


Feel free to use this at your own risk [;)]
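As an added example (not the author's script), here is the same add-to-modify conversion in Python. It goes a little beyond the VBScript: consecutive values of a multi-valued attribute are grouped into a single replace, and a skip list lets you drop attributes you already know are system-owned. The sample export, its DN and its values are constructed, not taken from a real directory.

```python
"""Convert an ldifde export with "changetype: add" into one "changetype: modify"
/ "replace:" record per attribute, so ldifde -i -k can skip unwritable ones."""

# Constructed sample export (not from a real directory): it contains a base64
# value, a wrapped line and a multi-valued attribute, as ldifde emits them.
SAMPLE_ADD = """\
dn: CN=Joe Doe,OU=MyUsers,DC=example,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: user
cn: Joe Doe
description: Restored from the snapshot mounted on port 10000 aft
 er tombstone reanimation
objectGUID:: AAECAwQFBgcICQoLDA0ODw==
otherTelephone: +49 1
otherTelephone: +49 2
"""

def _unwrap(lines):
    """Join LDIF continuation lines (leading space) onto the line before."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out

def _records(text):
    """Yield records as lists of logical lines; blank lines separate them."""
    rec = []
    for line in _unwrap(text.splitlines()):
        if line == "":
            if rec:
                yield rec
            rec = []
        elif not line.startswith("#"):
            rec.append(line)
    if rec:
        yield rec

def _split_attr(line):
    """Return (name, separator, value) for 'name: value' or 'name:: base64'."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        return name, "::", rest[1:].strip()
    return name, ":", rest.strip()

def add_to_modify(ldif_text, skip=()):
    """Return LDIF text that replaces every attribute of every record on its own.
    Consecutive values of a multi-valued attribute share one replace so none are
    lost; names in `skip` (attributes you know the system owns) are dropped."""
    skip = {s.lower() for s in skip} | {"changetype", "dn", "-"}
    out = []
    for rec in _records(ldif_text):
        dn_line = next((x for x in rec if x.lower().startswith("dn:")), None)
        if dn_line is None:
            raise ValueError("record without dn: %r" % rec[0])
        current = None  # attribute whose replace block is open
        for line in rec:
            name, sep, value = _split_attr(line)
            if name.lower() in skip:
                continue
            if name.lower() != current:
                if current is not None:
                    out += ["-", ""]  # close the previous change
                out += [dn_line, "changetype: modify", "replace: " + name]
                current = name.lower()
            out.append("%s%s %s" % (name, sep, value))
        if current is not None:
            out += ["-", ""]
    return "\n".join(out)
```

Run `add_to_modify(SAMPLE_ADD, skip=("objectGUID",))` to see the per-attribute modify records; the result is imported with the same `ldifde -i -z -k` call as the VBScript output.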

HEROS happen {here}

February 21st, 2008

For the past three days I was at the Microsoft Launch Event Germany, the first and, as we were told, biggest (by number of attendees) launch for Windows Server 2008, Visual Studio 2008 and SQL Server 2008. I did three presentations:

  • Active Directory-Domänendienste in Windows Server 2008
    (Active Directory-Domainservices in WS2k8)
  • Erfahrungen eines Directory Services-Experten mit Sicherheit und Delegation im Active Directory
    (A Directory Services-Geek’s View on Access Control Entries)
  • Erfahrungen eines Directory Services-Experten mit Active Directory-Recovery mit Windows Server 2008
    (A Directory Services Geek’s View on Active Directory-Recovery in Windows Server 2008)

The event was very good and very successful as far as I can see. There were minor issues, e.g. on the first day it wasn’t that clear which sessions were in which rooms, and the acoustics were pretty bad in some of the rooms since you were able to hear the speakers in the other rooms as well (luckily two of my presentations were in the good rooms), but overall I was very satisfied. A lot of good and experienced speakers, interested and interesting attendees with good questions and suggestions: a great event. Overall there were about 7500 people in Frankfurt attending this event.

I’ve also got a few good ideas for some new blog posts, so stay tuned.

And now it’s time to get ready for the Directory Experts Conference 2008 in Chicago in the first week of March. I’ll also present there the “Directory Services Geek’s View on Active Directory-Recovery in Windows Server 2008” session.

Congrats Microsoft: Windows Server 2008 is RTM

February 5th, 2008

I cannot state it any better: the best Windows Server release ever has been released to manufacturing – Windows Server 2008 is finished.

Windows Server 2008 is very stable and very well done for production use. As I wrote before, we at Computacenter have been using it in production since October 2007, and I have a customer where we have been running a full shop only on Vista and 2k8 since September (on Beta 3).

And we’ve also done a lot of things. To quickly recap what we’ve done with customers: a 10-city roadshow in Germany (half-day sessions on WS2k8, the last one will be in Berlin next week), countless presentations at customers or at trade shows / events, countless sessions to make sure our staff is ready to sell and deliver WS2k8 solutions, one press release in October, and a couple of references which will be published shortly. We will be at the German launch event with many people, are a partner there with a booth, and I’ll deliver 3 sessions plus an interactive one; we created many flyers and solutions around the product, … just being ready to deliver.

I’m very excited about the new product – let’s start deploying more of it!

And here are the blogs which will give you a feeling how it was at Microsoft in the last couple hours:

Windows Server 2008 – RTM!!!

Windows Server 2008 – A time to sit back, remember and party!

I’m on the Edge [;)]

November 21st, 2007


Last week I was at TechEd:IT-Forum in Barcelona. I’ll follow up with more details later. However the guys from have done an interview with me, which went online last night. I was speaking about my sessions, AD Restore in Windows Server 2008 and Schema Updates.

You can find it currently on the homepage, and here’s the direct link for later:

Ulf on AD at TechNet Edge

Done: Windows Server 2008 in production

November 6th, 2007

I’m working for Computacenter Germany. And – as you know – I’m a beta-junkie and try to stay up to date on newest releases as soon as possible. So this makes me really proud: at Computacenter we decided to deploy Windows Server 2008 already.

After testing the product thoroughly we decided to update our schema to Windows Server 2008 and deploy our first servers in production. And … one of the reasons why we did this was to have the great new feature of Active Directory Snapshots available as soon as possible.

We released a press article last week, which I freely translated into English.

Source (German), freely translated:

Computacenter relies early on Windows Server 2008

Head start for migrations and planning for Active Directory disasters

Kerpen, 30th October 2007. The European IT service provider Computacenter relies early on Microsoft’s Windows Server 2008. The new generation of the server operating system (OS) is announced to be released in the first quarter of 2008. Computacenter, which is part of the Microsoft Technology Adoption Program (TAP), has already deployed Windows Server 2008 into its production network. The TAP is an initiative of Microsoft in which selected customers implement products in production infrastructures prior to their release. Computacenter is participating in two different roles in the current TAP: as a customer (who is deploying the product) as well as a consulting partner, where experienced Computacenter consultants support its internal Information Services. The IT service provider is not only gaining experience by deploying the new technologies early, but also improves the stability and reliability of its infrastructure. Computacenter uses those experiences when consulting its customers, especially when talking about Windows Server 2008 migrations and planning for Active Directory disasters.

Migrations with Computacenter

With the ending support lifecycle of Microsoft for Windows 2000 Server and the release of the new Windows Server 2008 with a lot of new possibilities, many companies are considering migrations. Computacenter has many years of experience in migrating Microsoft infrastructures. More than 300 experts in the Microsoft area rely on their experience and broad knowledge, tools and procedures to drive migration projects to a fast success while keeping risks and costs as low as possible.

Securing the heart of the Windows Infrastructure

Active Directory is the main component of a Windows infrastructure, holding all information about user accounts, computer accounts, passwords and groups of a company. Employees use it daily to get access to their computers and their data, to find printers and to receive corporate settings. Experts of Computacenter have frequently helped companies to recover their Active Directory (usually due to human mistakes). To address this issue Computacenter developed preventive guidance to protect Active Directory. Windows Server 2008 provides additional control, prevention and auditing functionality. The OS enables administrators to create snapshots of the Active Directory database. As opposed to a backup, it’s easy to create snapshots multiple times a day. Further, the snapshots can be started as their own read-only LDAP service, which makes it possible to gather information out of the directory as it was at different points in time. Additionally, the new product can protect objects from being accidentally deleted or moved. Computacenter is using those new functions and has added them to its portfolio around Active Directory recovery and its prevention. The IT service provider has been using those technologies in its production network since October 2007.

Those experiences are incorporated into Computacenter’s three-part offer of an Active Directory Disaster Workshop, Guidance and Concept, which enables customers to preventively prepare the information needed for a possible recovery of Active Directory, to react to disasters and to keep the associated downtimes at a minimum. In the Active Directory Disaster Workshop the attendees get the know-how to prevent, troubleshoot and recover Active Directory. They practice which information is necessary and which steps to take in certain disaster scenarios. The Active Directory Disaster Guidance bundles Computacenter’s experiences in this topic. It describes best practices and experiences out of real disasters as well as tested procedures. The IT service provider additionally creates an AD Disaster Concept to prepare the individual company for an AD recovery.

More speaking engagements

October 6th, 2007

While we are preparing for TechEd:IT-Forum, which will be in Barcelona in November, there are more speaking engagements already scheduled:

October 24th and 25th:

The IT-Administrator asked me to speak about what’s new in DNS and Active Directory in Windows Server 2008 at the German Tradeshow Systems. (Details)

November 12th to 16th:

I’ll be delivering two sessions and an interactive session at TechEd:IT-Forum in Barcelona. My sessions will be “A Directory Services Geek’s View on How to (not) extend your schema” and “Active Directory Recovery in Windows Server 2008”, and I will host an interactive session (like the chalk-&-talks of the previous year, a session where attendees are encouraged to ask questions and get them answered) with Stephanie from the AD Product Group about “Active Directory Domain Services in Windows Server 2008”.

February 19th to 21st:

Windows Server 2008 will be launched in Germany, and I’ll speak at the launch event in Frankfurt. My sessions are “Active Directory Domain Services and DNS in Windows Server 2008” and “A Directory Services Geek’s View on Access Control Entries”.

March 2nd to 5th:

NetPro already announced the Directory Experts Conference 2008 in Chicago, and I was honored to be asked back as speaker.

Protect Objects from accidental deletion

September 25th, 2007

Available in the GUI of Windows Server 2008, but also possible in any version of Active Directory: you are able to protect any object from accidental deletion. I had to recover a couple of productive ADs over the past couple of years, and every time it was because of an accidental deletion. I’ve also seen OUs being accidentally moved; this has probably happened to everyone with files/folders in Windows Explorer, where you accidentally get stuck on the mouse button while hovering over a folder and drop it on another folder.

So how do you protect objects from accidental deletion in Windows Server 2008? That’s easy – first switch on the Advanced View, then go into the properties of the object in question. Here – on the “Object”-Tab – you’ll find the new checkbox “Protect Object from accidental deletion”.


By default, OUs created in Active Directory Users and Computers are protected. However, when you don’t create the OU in Active Directory Users and Computers, or you created them before you got Windows Server 2008 into your domain (how likely – I know [;)] ), the OU will not be protected from accidental deletion.

However, what’s quite interesting is what’s being done in the background: the security descriptor of this object is modified with a Deny entry for Everyone for Delete and Delete Subtree. So it’s backward compatible with Windows Server 2003 and Windows 2000, and you are even able to do this today, either manually or using DSACLS.

If you want to use DSACLS to protect an OU you can use the following command:

dsacls ou=MyUsers,dc=example,dc=com /d Everyone:SDDT

So if you are creating your OU structure with “dsadd ou” you might want to use this command to protect the OU from deletion. The checkbox in the GUI will also reflect this change, however I’ve seen that it sometimes takes a while or inconsistently displays whether the OU is protected or not. This might be a bug in the current beta, so you should verify on the Security tab that the OU is actually protected.

As I said, you’d be able to do this today as well. And if you want to protect your whole OU-Structure, you can use the following command to protect every OU in the domain:

for /f %i in ('dsquery ou -limit 0') do dsacls %i /d everyone:SDDT

Update: Marcus pointed out that the above command only works if your OU names don’t contain any spaces. That’s right: the for command uses spaces as delimiters and therefore puts everything after the first space into the variable %j, everything after the second space into %k, and so on. So here’s the corrected command, which allows spaces in your DNs (“tokens=*” states that everything should go into the first variable; you could also use 1,3,* which would put the first part into %i, the third into %j and the rest into %k, … Marcus suggested another way which would also work, by not specifying any delimiters at all with “delims=”):

for /f "tokens=*" %i in ('dsquery ou -limit 0') do dsacls %i /d everyone:SDDT

If you just want to protect certain levels, you only need to change the dsquery command.

Security-Boundary: Forest vs. Domain

August 25th, 2007

About time for a somewhat technical post:

In some newsgroup we recently discussed whether it’s considered best practice to deploy a lot of single-domain forests as opposed to a single multi-domain forest. The major reason for this was that in the early Windows 2000 days, somebody said that the domain is the security boundary. After they figured out that, as a domain admin, you can elevate your rights into another trusting domain of the same forest, they revised this statement and said that the only security boundary is the forest, not the domain.

Since this attack is not that likely, I prefer to state it differently:

  • The forest is the security boundary against malicious attacks (the attack is being done on purpose)
  • The domain is the security boundary against (domain) administrative mistakes

So for many things the domain might be enough of a security boundary. If you don’t trust admins of a different domain enough, and you think they might perform an attack (= elevate their rights into an area where they don’t belong) on purpose, either fire them, fire them, don’t give them administrative rights, fire them, or put them into a separate forest.

Resource forests (yeah – back to the NT days) are sometimes a good idea too, especially if separate companies want to share resources; however keep in mind that they are a bit harder to manage, and it depends on the application how well it integrates. You are also better off using a solution like Microsoft Identity Integration Server (or the Identity Integration Feature Pack), which is now part of Identity Lifecycle Manager, to synchronize accounts into the resource forest; however make sure to protect them well enough, and the admins of the resource forest must be trusted by all parties. MIIS/IIFP allows you to sync the passwords of the users in question (by using a password filter on all DCs to notify MIIS, which then changes the passwords in the connected directories) to allow a better integration via single sign-on / single credentials [1]. Don’t forget to design processes for the changes in the resource forest which are signed off by all participating companies.

OK – back to the subject – don’t blindly follow recommendations to deploy only many single-domain forests or to put everything in the same forest – think about whether it’s really necessary and valuable to deploy multiple forests/domains. At one point there was a recommendation: if you are designing your Active Directory and you think you need to add another domain, rethink that decision. Not true in all scenarios, however think about your design.

One reason for multiple domains has been different password policies – and as I posted before, this reason is vanishing in Windows Server 2008.

There are multiple opinions on this, so don’t hold back on feedback / your thoughts.

P.S.: I do respect statements like the one “to recommend multiple single-domain forests” – they are a bit extreme, however they deliver the message. For example a friend of mine was at one of the top security sessions at TechEd US (where they showed a real-world-unlikely attack), and afterwards in the bathroom he heard attendees who had just phoned their companies to instruct them to patch their servers. So even though the attack was not too likely to happen in a real company, it delivered the message to keep your systems secure.

[1] Single Sign-On: The user logs in once to his workstation and gets access to other resources automatically without re-authenticating.
Single Credentials: I made this up a couple of years ago – I think more valuable in the beginning are single credentials (combinations of username/password). Users in enterprises are sick of multiple accounts, because they have to remember different usernames and/or passwords, which leads to weak passwords. If you are able to synchronize the password for the user more easily than providing him with single sign-on, this is still valuable, since the users don’t have to remember multiple passwords. I wouldn’t mind entering the same password to access multiple applications, however I do mind remembering different credentials.