Dirteam.com/ActiveDir.org Blogs

How to Build an AD Replication Delay (Lag) Site

Paul Bergson — Tue, 14 May 2013 11:58:00 GMT

To prevent having to restore objects from Active Directory due to accidentally deleting an object, you can have a remote DC which only sends/receives replication on a limited basis. You also want to prevent users from authenticating against, as well as services being used by other machines, since the metadata on this DC is aging away w/o replication keeping it up to date

Because of this you want to remove all advertised services via dns lookup. To do this, this DC must be isolated from other DC’s and all replication controlled. For that reason a separate site is required to control Intersite Replication.

The following are the steps taken to create a single lag site dc. If you would like to have more than one time frame to fall back upon, all you need do is repeat these steps for a different DC.

Promote a member server to a DC and allow replication to complete

Don’t load any unnecessary services
Don’t load WINS nor make this a WINS client

Create a separate site and site link (I use “Lag” as part of the name to help document it)

Create a new site
Create a new site link, including the source and the Lag sites. If you notice I have set the Site Link Replication Frequency (Replicate Every) to 15 minutes.

Click on the “Change Schedule” button to set the replication schedule to a time frame that fits for your enterprise. In this example, I have set the replication schedule for Saturday morning from the hours of 12:00 am to 2:00 am. So this site should allow replication updates to occur every 15 minutes, on Saturday’s, from the hours of 12:00 am until 2:00 am. Once a replication cycle starts it will continue until complete, which can go beyond the 2:00 am time frame, but no new cycles will start after 2:00 am.

Define the subnet and link it to a site

Borrowing some knowledge from a blog from Brian Desmond, I have created a separate single host site sub-net. I have reserved the address for the dc in dhcp (I reserved .240) and then defined the subnet as a /32 ip mask. The most precisely defined subnet in sites and services is considered the subnet location.

Move the new dc to the newly defined site (Lag Site)

Now that the DC has been placed in its own site and is no longer receiving regular AD replication updates, it needs to no longer advertise itself as a usable DC. To do this, a Group Policy Object will be created and linked to this new site.

Create a new GPO, but do not link it to any OU or Site at this time
Edit the Policy DC Locator DNS records not registered by the DCs. This is located at Computer Configuration / Administrative Templates / System / Net Logon / DC Locator DNS Records. The following mnemonics should be entered into the entry box:

Ldap LdapAtSite Pdc Gc GcAtSite GcIpAddress DcByGuid Kdc KdcAtSite Dc DcAtSite Rfc1510Kdc Rfc1510KdcAtSite GenericGc GenericGcAtSite Rfc1510UdpKdc Rfc1510Kpwd Rfc1510UdpKpwd

Link this new Group Policy to the “Lag” site, where the new DC resides

Change the policy to allow authenticated users to read and remove (Don’t deny) the right to apply
Add the computer name of the new DC and grant it Read and Apply. This will help prevent the wrong DC’s from having policy applied against.

Shut down the new Lag site DC

Open up the dns zone _msdcs and remove all of the new DC’s dns service records

Do not remove the Alias (CNAME) record at the root of the zone

Power the DC backup

During the reboot any dns records that would be needed will be rebuilt

Run dcdiag, repadmin and dnslint in verbose mode.

DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
dnslint /ad /s "ip address of your dc"

**Note 1: Using the /E switch in dcdiag will run diagnostics against ALL dc's in the forest. If you have significant numbers of DC's this test could generate significant detail and take a long time. You also want to take into account slow links to dc's which will also add to the time.

**Note 2: There are certain errors to expect, since the lag site DC won’t be advertising as a KDC you will be warned about this, etc… But, replication should be error free.

**Note 3: Forced replication will still occur, this model only prevents scheduled replication.

Common Challenges when Managing Active Directory Domain Services, Part 1: Security

Sander Berkouwer — Tue, 14 May 2013 07:28:49 GMT

In many organizations Active Directory Domain Services is the top tier in access management. Access to systems, information and connections, often, is governed by information in Active Directory. User objects and computer objects play a big role in this model, since they represent actual physical objects within the organization.

Now, not every organization acknowledges the importance of an up to date and lean Active Directory environment. In this series, I will show you four of the key challenges involved with managing Active Directory for any organization and how to solve them.

This series will focus most on the data inside the Active Directory database, instead of the actual technical implementation of Domain Controllers and such.

The challenge

Today, I want to talk to you about stale user objects and stale computer objects. From a security point of view, these objects represent a real security risk to your organization.

Stale user objects

Depending on the process surrounding creating user objects, these objects are usually created with a predefined password. This makes the tasks of creating an account and communicating the account to the actual colleague two separate tasks, that can be carried out by two different persons at two different times.

Alas, the delegation of work does not outweigh the security risk involved with tens, hundreds or even thousands of user objects that can be brute forced for their password , most of the time configured with a default password for new accounts (Welcome123 and P@ssw0rd come to mind). Tools like Zohno’s free Z-Hire, I discussed last year, have the explicit option to provide a default password (but not generating one) per template.

One of the other factors that don’t help in the situation with stale user objects is that account lockout settings are non-existent in default Active Directory implementations.

Stale computer objects

Stale computer objects are even worse than stale user objects from a security point of view. By default computer accounts have broader access to information in Active Directory and by default, the password for the security channel used to be a default derivation of the hostname as explained in Microsoft KnowledgeBase article 255042 on How to make machine accounts programmatically by using ADSI with Visual C++:

The initial password for the machine account must be set to the name of the computer in lower case.

Using net use from a non-domain joined computer using the computer account (the NetBIOS hostname) and the default password for the computer account, a malicious person might gain access to data in Active Directory, on file servers and in Exchange public folders, as explained by Marcus Murray in his Live demonstration about some of the ways hackers attack [PDF] on page 11.

Luckily, by default a domain-joined computer will change its computer password at a regular interval. This means, the security concerns surrounding stale computer objects only apply to the first week or month of the lifecycle of the computer object, depending on the Operating System of the domain-joined machine:

Windows 9x, Windows NT4, Windows 2000	7 days
Windows XP, Windows Vista, Windows 7, Windows 8	30 days

A more permanent solution to the problem was introduced with Windows 7 with Offline Domain Join. Not only does this Active Directory Domain Services-related feature offer the ability to join a computer to an Active Directory domain without a networking connection between a Domain Controller and the computer to be joined. Its communication streamlining also applies to every domain join, as I covered earlier in my blog post on the Top 5 Myths on Offline Domain Join.

(Part of) The solution

A lot of times, the root cause of stale objects in Active Directory is the lack of (procedures for the) interaction between an HR department (who known who were hired and fired), a facilities department (who knows where computers are located) and the IT department (who need to make these changes to keep Active Directory up to date).

Optimizing communication

Optimizing communication between the HR, facilities and IT departments should be your main focus when trying to solve the situations surrounding stale user objects and computer objects. A process-based approach would best suit tackling this.

Mitigating factors

Processes will save you in the long run, but as an Active Directory admin, there’s also a couple of things you can do right now. You can take action to prevent most of the security breaches, by:

configuring Account lockout policies in Active Directory
configuring new user objects with randomly generated complex passwords
migrating client computers to Windows 7 and/or Windows 8

Cleanup

With the long term covered with processes and the biggest security problems tackled, the only task left is the perform a cleanup in the Active Directory database.

You might want to get rid of:

Computer objects that have not been used to log onto in the last 30 days
User objects that have not been used to (interactively) log on ever
User objects that have not been used to (interactively) log on in the last 30 days.

Cleaning stale computer objects

To detect stale computer objects, Microsoft has released a script as part of Knowledgebase Article 197478 that, under the hood, uses nltest.exe to check the PasswordLastSet output. Several PowerShell scripts exist that check the PwdLastSet (script) or lastLogonTimestamp (script) attributes directly in the Active Directory database. Joe Richards’ command-line tool oldcmp.exe is one of the leanest tools available to tackle the problem, while many other 3rd party solutions offer the functionality as part of a more elaborate reporting solution.

Many of these Active Directory reporting solutions will set you back a fair amount of budget, but STEALTHbits’ free StealthAUDIT Active Directory Assessment will both report on stale objects in bar graphs and will output its findings in XML-based files, ready for your PowerShell scripts. Since StealthAUDIT uses its own Microsoft SQL Server database, the load on your Domain Controllers when being examined remains minimal.

When you use these tools, you might find a surprising list of computers that have been identified as stale, but purring away peacefully as part of every day operations… This situation can be caused by settings that disable computer account password resets. Always browse through the list with inactive computer objects, before accidentally deleting active computer objects.

Tip!
Protection from Accidental Deletion on individual computer objects might help preserving often targeted computer objects

Tip!
Before performing any cleanup actions, would be an excellent moment to enable the Active Directory Recycle Bin.

Cleaning stale user objects

Stale user objects can be targeted with much of the same 3rd party tools. Again, a load of scripts can be used to find (and remove) unnecessarily created user objects.

When running Windows Server 2012 and Windows Server 2008 R2-based Domain Controllers you can also use the Global Search functionality in Active Directory Administrative Center (dsac.exe). The Global Search option has a couple of helpful default criteria, that help you identify dangerous user objects. Below is a view on the criteria in the Windows Server 2012 Active Directory Administrative Center:

Obviously, the stale user objects that have the most potential to be used to wreck your environment would be:

enabled user objects
user objects without a password expiration date
user objects that have not been used to log on for more than 30 days.

Clicking on the Search button, would return a list with objects that need the attention of an Active Directory admin. Now, the list should not be considered as input to a script, since several reasons exist why user objects appear as stale, but still need to be retained:

User objects belonging to colleagues on maternity leave, sabbatical, etc.
User objects belonging to services that don’t log on interactively

From the list in the Active Directory Administrative Center you can easily pick the user objects you want to delete and disarming them by either right-clicking the selection and select Delete or Disable all from the context menu or pressing the Del button on your keyboard.

Concluding

Stale objects in Active Directory pose a significant security risk. You can address these risks by introducing processes to control the lifecycle of objects in Active Directory. Additionally, you can take actions to clean up your Active Directory.

Related blogposts

Tip: Zohno’s Z-Hire & Z-Term (freeware)
Top 5 Myths on Offline Domain Join

Active Directory Services and their System Center Management Packs

Sander Berkouwer — Mon, 13 May 2013 06:06:32 GMT

As you might be aware, every Microsoft technology has the requirement to be manageable through PowerShell and System Center. Manageability through System Center is done through Management Packs. (MPs).

While I discussed the PowerShell manageability stories for the five Active Directory services last Saturday, below is the overview of the availability and functionality of the Management Packs (MPs) for the five Active Directory services:

Active Directory Domain Services

For Windows Servers running the Active Directory Domain Services as Domain Controllers, a System Center Management Pack has been available for ages, even before the products responsible for management were labeled ‘System Center’ (System Center Operations Manager was called MOM Server and System Center Configuration Manager was called SMS Server).

The Active Directory Domain Services Management Pack for System Center provides both proactive and reactive monitoring of your Active Directory deployment. It monitors events that various Active Directory components and subsystems place in the Application, System, and Service event logs. It also monitors the overall health of the Active Directory system and provides alerts for critical performance issues.

When used with the Management Pack for the Windows Server Operating System, the DNS Server Role, File Services, Group Policy and DFS Replication, a complete management view starts to emerge, where you can monitor the health of your Domain Controllers.

The latest version (v6.0.8070.0) adds support for Windows Server 2012.

Download MP for AD Domain Services v6.0.8070.0

Also available is a System Center Integration Pack, that allows System Center 2012 - Orchestrator to connect to your Active Directory Server to automate Identity and Access management tasks.

Download System Center Integration Pack for Active Directory v7.0

Active Directory Lightweight Directory Services

The Active Directory Lightweight Directory Services (AD LDS) Management Pack provides both proactive and reactive monitoring of your AD LDS deployment running on Windows Server 2008 and Windows Server 2008 R2. It monitors events that are placed in the Application, System, and Service event logs by various Active Directory Lightweight Directory Services components and subsystems. It also monitors the overall health of the Active Directory Lightweight Directory Services system and alerts you to critical performance issues.

Download MP for AD Lightweight Directory Services v6.0.7220.0

Active Directory Certificate Services

The System Center Management Pack for Active Directory Certificate Services provides an early warning to administrators on issues that could affect services so they can investigate and take action, if necessary.

Two Management Packs for Active Directory Certificate Services are currently available. An ‘old’ Management Pack exists to manage Certification Authorities running on Windows Server 2008 and Windows Server 2008 R2. This Management Pack follows the 6.x version numbering. A completely new 7.x Management Pack is available alongside the 6.x version and enables management of Certification Authorities on Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012.

Note:
The Management Packs for Active Directory Certificate Services monitors the core Certification Authority, but does not monitor Certificate Services role services (such as the Online (OCSP) responder, Network Device Enrollment Services (NDES), Certificate enrollment web services, NDES, or CA web enrollment).

Download MP for AD Certificate Services v6.0.7231.0
Download MP for Windows Server 2012 AD Certificate Services v7.0.8560.0

Active Directory Federation Services

The System Center Management Pack for Active Directory Federation Services 1.x has been available since September 2007 and for Active Directory Federation Services 2.x since June 2010.

The Management Pack for Active Directory Federation Services offers the ability to detect service outages, operational errors and operational warnings. It also alerts on configuration issues and background tasks failures. Auditing can also be monitored, as well as the communication between the federation server and the federation server proxy. With the Management Pack you can be notified of malformed access requests and the health of the Secure Sockets Layer (SSL) certificate of the federation passive website in Internet Information Services (IIS).

Depending on the version of Active Directory Federation Services, you can choose between the 6.x version and the 7.x version of the Management Pack, where version 6.x can be used to monitor Active Directory Federation Services 1.0 and version 7.x can be used to monitor Active Directory Federation Services 2.0 (available as a separate download for Windows Server 2008 R2) and 2.1 (bundled with Windows Server 2012).

Download MP for Windows Server 2003 R2 AD Federation Services v6.0.5000.0
Download MP for AD Federation Services 2.0 and 2.1 v7.0.8560.0

Active Directory Rights Management Services

The System Center Management Pack for Active Directory Rights Management Services (AD RMS) has been available since July 2011 and monitors the performance and availability of the Windows Server 2008 SP2 or Windows Server 2008 R2 versions of AD RMS. By detecting, alerting on, and automatically responding to critical events and performance indicators, this Management Pack helps indicate, correct, and prevent possible AD RMS related service outages. The System Center Monitoring Pack for Active Directory Rights Management Services for Windows Server 2008 SP2 or Windows Server 2008 R2 helps ensure that your AD RMS components are available and working correctly.

In September 2012, Microsoft released a version 7.x of the Management Pack for Active Directory Rights Management Services. This Management Pack can be used to manage Rights Management Services, running on Windows Server 2012. For Rights Management Services running on Windows Server 2008 and Windows Server 2008 R2, the 6.0.7xxx.x version of the Management Pack is the one to use. For sturdy Rights Management Servers on Windows Server 2003, the 6.0.5000.0 version of the Management Pack offers the desired monitoring capabilities.

Download MP for Windows Server 2003 Rights Management Services v6.0.5000.0
Download MP for AD Rights Management Services v6.0.7597.0
Download MP for Windows Server 2012 AD Rights Management Services v7.0.8560.0

Related blogposts

Active Directory Domain Services Management Pack for System Center updated last week
System Center Monitoring Pack for Active Directory was updated today

Related downloads

System Center Management Pack for Windows Server Operating System
System Center Management Pack for Windows 8 Client Operating System

Active Directory Services and PowerShell manageability

Sander Berkouwer — Fri, 10 May 2013 15:45:10 GMT

As you might be aware, every Microsoft server product has the requirement to be manageable through PowerShell and System Center. The PowerShell requirement is formulated as part of the Common Engineering Criteria (CEC).

With PowerShell available as a version 3 product (and part of Windows Server 2012) it’s time to see how the teams, responsible for the Active Directory products have built their management stories around PowerShell.

Active Directory Domain Services

The Active Directory Domain Services, that we love and loath as the core of our networking infrastructure on our Domain Controllers is manageable through PowerShell scripting. To enjoy PowerShell support in Active Directory Domain Services, it is recommended to manage your Domain Controllers from Windows Server 2012 or from a Windows 8 installation with the Remote Server Administration Tools (RSAT) for Active Directory installed. This way you can enjoy the 135 Active Directory Domain Services management-related PowerShell Cmdlets and 9 Active Directory Domain Services deployment-related PowerShell Cmdlets.

The Active Directory Domain Services team even went a few steps further and incorporated the PowerShell History viewer into the Active Directory Administrative Center (dsac.exe), that helps you discover the PowerShell magic that happens under the hood.

A couple of exceptions still exist, that make it impossible to manage Active Directory Domain Services from the PowerShell prompt completely. Tools like ntdsutil.exe, dsamain.exe, redirusr.exe and redircmp.exe come to mind, almost immediately. On the other end of the spectrum, several other functions in Active Directory Domain Services are only easily manageable with PowerShell. MSAs come to mind, quite to my own surprise...

Active Directory Lightweight Domain Services

The Active Directory Lightweight Domain Services offer specialized Domain Services, targeted at applications and perimeter networks. Their charm is you can manage the Lightweight Directory Services (mostly) with the same tools as you can manage the Directory Services in PowerShell (as long as you install the AD LDS Display Specifiers schema and Display Specifiers by importing MS-ADLDS-DisplaySpecifiers.ldf.).

Alas, the PowerShell learning ability, offered by the Active Directory Administrative Center (dsac.exe), is not available for Active Directory Lightweight Directory Services, since this management tool can not be directed to a Lightweight Directory Services installation.

Since most tools are exchangeable between Lightweight Directory Services and Directory Services, roughly the same exceptions for full PowerShell manageability exist.

Active Directory Certificate Services

Active Directory Certificate Services enable you to run Certification Authorities on Windows Servers. For Windows Server 2012, the team behind Active Directory Certificate Services has developed twelve PowerShell Cmdlets to deploy Certificate Services. Also an additional nine PowerShell Cmdlets were specifically created to manage certificates, but you can also manage these by mounting the Certificate Store as a PowerShell drive, if need be.

In versions of Windows Server earlier than Windows Server 2012, no built-in PowerShell Cmdlets were available to manage Active Directory Certificate Services, but you could rely on certutil.exe to script through them.

Active Directory Federation Services

As was the case with Active Directory Federation Services 2.0, which was a separately downloadable installation, Active Directory Federation Services 2.1, that comes bundled with Windows Server 2012, can be managed through PowerShell. A total of 48 Active Directory Federation Services-related PowerShell Cmdlets are available on Windows Server 2012, covering both deployment and management.

Active Directory Rights Management Services

As you might expect, the Active Directory Rights Management Services in Windows Server 2008 R2 and Windows Server 2012 are also PowerShell-enabled. Three straightforward Rights Management Services deployment-focused PowerShell Cmdlets (appropriately named Install-ADRMS, Uninstall-ADRMS and Update-ADRMS) and 21 Rights Management Services administration-focused PowerShell Cmdlets are at your disposal.

Related blogposts

New features in AD DS in Windows Server 2012, Part 4: New PowerShell Cmdlets
New features in AD DS in Windows Server 2012, Part 5: PowerShell History Viewer

Active Directory Services on Server Core installations

Sander Berkouwer — Thu, 09 May 2013 18:58:18 GMT

Windows Server 2012 is a major leap forward for Server Core installations of Windows Server. Not only are Full installations of Windows Server convertible back and forth to Server Core installations without reinstallation, a whole slew of new Server Roles have become available for installation on the mean, clean Server Core installations.

Active Directory Domain Services have been available since day 1 on Server Core installations, but what about the other four services? Can you install these on Server Core?

The table below shows the Active Directory services, available for installation on Server Core installation of Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012:

You can install the Active Directory Services on Server Core installations in four ways:

From the command-line of the Server Core installation using:
1. dism.exe, pkgmgr.exe or the Install-WindowsFeature / Add-WindowsFeature PowerShell Cmdlet on Windows Server 2012
2. dism.exe or pkgmgr.exe or the Add-WindowsFeature PowerShell Cmdlet (after you’ve manually installed PowerShell and have imported the ServerManager PowerShell module) on Windows Server 2008 R2
3. ocsetup.exe or pkgmgr.exe on Windows Server 2008
From the command-line of the Server Core installation over a Remote Desktop Connection.
From a remote command-line of a Full installation of Windows, a full installation of Windows Server or another Server Core installation of Windows Server through remote PowerShell or Windows Remote Management (winrs.exe).
From Server Manager in Windows Server 2012, targeted at a Server Core installation of Windows Server 2012. This method does not work with Windows Server 2008 or Windows Server 2008 R2.

Related blogposts

Installing Server Core Domain Controllers
How to install a Server Core R2 Domain Controller
The importance of Server Core
Server Core Roles and Features in 2008 R2
Some Server Core Domain Controllers heading for a dead end street
How to get going with PowerShell in Server Core R2

Identity and Authentication in the cloud: Office 2013 and Office 365 (Poster)

Sander Berkouwer — Wed, 08 May 2013 06:19:06 GMT

Last week, Microsoft released a poster, detailing identity and authentication for Office 2013 and Office 365. It details the scenario where you would provision accounts in Microsoft's Online Services environment (Scenario 1) and also details the scenario where you would federate your on-premises Active Directory infrastructure with Microsoft's Online Services environment (Scenario 2):

You can download the poster in both PDF and Microsoft Visio Drawing (*.vsd) format. The PDF can be used across Operating Systems (as would identity and authentication in the cloud), where the Visio drawing can be used to reuse some of the drawing in your own drawings and/or presentations.

This PDF would also do nicely over your bed, but could also be used to escape from Alcatraz, if that more resembles your situation…

Today, Microsoft has released an update to the Server Posterpedia app. I’ve mentioned this app before and it has seen several updates since. Today, the Identity and Authentication in the cloud: Office 2013 and Office 365 Poster was added to the app. You’ll be able to spot it when you scroll to the right in the app under Office.

No, my Win-X menu doesn’t work

ChrisPetit — Tue, 07 May 2013 13:58:00 GMT

With the installation of Windows 8 there comes an end to the ‘classic’ start menu era. Off course you can put all the programs you want on the start screen. However, things like the control panel, command prompt or the computer management snap-in might be things you want to access easier and quicker. Fortunately for us power users there is another way.

Windows 8 comes loaded with predefined hotkey combinations. The windows key plays a huge role in these hotkey combinations.

One of these combinations might just be the most useful of all. Win + X. This will bring up a menu with the most used Control Panel and administration tools. You can also reach it by right clicking in the bottom-left corner of your screen. In windows 8 missing the start menu can be annoying if you need to get to these features often, but with this menu it is really easy. You can also reach it by right clicking in the bottom-left corner of your screen.

The shortcuts in this menu are in a folder inside the user profile:

C:\Users\%username%\AppData\Local\Microsoft\Windows\WinX

Inside you will default find three group folders corresponding with the groups, separated by lines in the Win+X menu.

A couple of months ago I migrated my work laptop to Windows 8 Enterprise. As I already had played around with it, a lot, not a lot of new things to discover there. So, as any It-Pro would do with a new operating system I went for the Control Panel to customize to my preferred settings

Right click in lower left-hand corner and….nothing happened. I tried again to no avail. Pressing the Windows-key and X at the same time (hence the name: Win-X Menu) did not bring up the menu either.

When I Checked the location mentioned above I noticed that there where no folders present. This can be due to a profile migrated from a previous version of windows or something with a mandatory profile in where the files are not present.

To solve this, just copy the files from a computer with a working Win-X Menu into the folder mentioned above and you should be good to go. You might want to restart after you put the files in the correct location. Inside there should be folders and within those the correct shortcuts.

The images show how they should look.

if you want to modify the menu there are other blogs written about that.

My portable lab hardware

dmstork — Mon, 06 May 2013 09:24:27 GMT

Recently somebody asked via Twitter my what the make and model is of my laptop, used for Exchange testing environments. Well, 140 characters is not a lot of space so I decided to blog about it.

Our company uses Dell laptops as a laptop standard, but other vendors might have comparable configurations. The main model type is a Precision M4700, but for lab purposes the configuration has been customized:

CPU: Intel Core i7-3820QM @ 2,70GHz
Memory: 32GB (4x8GB) 1600MHz DDR3
HDD1: 256GB SSD Full Mini Card
HDD2: 750GB 2.5” SATA 7200RPM
Battery: Primary 9-cell 97W/HR
Graphics: NVIDIA Quadro K1000M /w 2GB GDDR3 (it can switch with on-board graphics which helps battery life)
Wireless: EMEA Intel Centrino Advanced-N 6205 (802.11 a/b/g/n)
Bluetooth: Dell Wireless 380 Bluetooth
Optical: 8X DVD+/- RW Drive Slot load
Display: 15.6” UltraSharp FullHD Wide View Anti-Glare LED-backlit
Base option: Smartcard Reader
Palmrest: FIPS Fingerprint Reader
Camera: Integrated 1MP Camera with microphone

As operating system Windows 8 Enterprise has been installed. For virtualization VMware Workstation 9 is used with a company license. Unfortunately Hyper-V cannot be used at the same time.

With this configuration, I can concurrently run 1x DC (1vCPU and 2GB RAM), 3x Exchange 2013 (each 2vCPU and 4GB RAM), 1x Lync 2013 (2vCPU and 4GB), 1x Office Web App server (2vCPU and 2GB) and some additional virtual machines (Windows 8, linux router/firewall and virtual Load Balancers). Although I must admit that I turn of one or two Exchange server when testing with Lync and/or the Office Web App server.

To save space, I made several templates which are linked clones for the actual running servers. But even then 256GB is not a lot of space, so some machines are move to the significantly slower SATA drive. You do still get some speed benefit from having the template on SSD.

It’s possible that currently Dell does not provide the exact configuration anymore, but it’ll give you a sense what is (IMHO) necessary for a very decent lab laptop. For me this laptop was indispensable for testing proof of concept installations of Exchange 2013 environments. Key is memory and SSD.

How to use the Microsoft Authenticator WP app with Google

dmstork — Fri, 03 May 2013 18:52:00 GMT

A while back, Microsoft enabled the long awaited 2-factor authentication feature for Microsoft Accounts and released a code generator for Windows Phone.

But a little know fact is that this app can also be used for the Google Account Two-factor authentication. See the screenshots below on how to do this:

Go to the right corner of you Google page and select Account.

On the left you will see some options, select Security.

Select Settings.

When you haven’t entered a mobile phone number, you’ll have to do it now. Be sure it can receive SMS.

After requesting a code and receiving it, enter it and verify.

Optionally, you can let Google trust the current computer you are working on. This is not necessary for our goal.

Confirm enabling 2-step verification.

Now 2-step verification is configured, but not yet enabled. In the middle you can see the option for Mobile Application with the options: Android, iPhone and Blackberry. No Windows Phone. However, just choose Android.

A QR code appears. Start your Windows Phone Authenticator app, add an account (with the plus). It will request an account name and secret key, but you can scan the QR code by pressing the camera icon within the app (not the physical button on your WP phone). Enter the code which appears within the app for you Google account.

You’ll get a confirmation.

And now 2-step verification is active and works with the Windows Phone app. No need for Android, iPhone or Blackberry!

Be safe! Or in Dutch: “Hou je veilig!”

Update: The reverse is also true. You can use the Google Authenticator app for Microsoft Accounts. It's available for Android, iOS and Blackberry. Thanks to The UC Architects fellow and Exchange MVP Mahmoud Magdy for confirmation.
And if you have multiple devices, let each of them scan the same QR code. That way they each show the same code. However, you could consider this a bit less save (more devices to lose).

The DirTeam.com/ActiveDir.org Weblogs no longer offer SSL v2.0

Sander Berkouwer — Tue, 30 Apr 2013 07:00:00 GMT

As you might be aware, the DirTeam.com/ActiveDir.org Weblogs offers the ability to encrypt all http traffic to and from the website using Secure Sockets Layer (SSL) since December 2010. To enable this, you only need to direct your traffic to https://blogs.dirteam.com instead of http://blogs.dirteam.com. The functionality also includes feeds and (when you’re a blogger with us) the ability to securely post blogposts, comments and articles.

In its (default) configuration, the DirTeam.com/ActiveDir.org Weblogs offered both SSL v2.0, SSL v3.0, TLS v1.0, TLS v1.1 and TLS v1.2. Per last Saturday, the webserver has SSL v2.0 disabled, due to its inherited weaknesses in and its attack surface that may be used by the SSL BEAST ("Browser Exploit Against SSL/TLS") attack, allowing man in the middle (MITM) attacks.

We used IIS Crypto to make the necessary changes and checked the health of our SSL implementation here.

When you use https://blogs.dirteam.com, you can feel much safer.

Script converting Mail-User to Mailbox-User

dmstork — Mon, 29 Apr 2013 11:57:21 GMT

Not all organizations need to have every user to be mailbox-enabled, sometimes a mail-user (also referred to as mail-enabled user) with a forwarding SMTP address to an external mailbox is enough. However, it is surely possible that the requirements over time change and the mail-enabled user does need to be mailbox-enabled, making use of the calendar or perhaps even more efficient use of Lync integration.

However, converting a mail-user isn’t just changing the RecipientType of the account. First the users needs to be mail-disabled, most importantly it then looses all the configured SMTP addresses and the forwarding address. Then the user has to be mailbox enabled and all SMTP addresses that aren’t added via an Email Address Policy have to be manually added. Optionally, one can configure the mailbox to be forwarding to the external SMTP address.

To make this process somewhat more manageable, I created a script that converts a mail-user to mailbox-user. It keeps all configured SMTP addresses, when they correspond with an accepted domain (otherwise it will be discarded). The exception is the configured External SMTP address, it is optional to keep forwarding mail.

The syntax is depicted below:

Convert-MailUser –Identity <UserIdParameter> [-KeepForwarding]

The mail user will be mail disabled without a need for confirmation. The parameter -Identity is mandatory and a string. Accepted formats are:

User Principal Name
Display Name
Distinguished Name (DN)
Domain\Account
GUID

The switch [–KeepForwarding] is optional. This switch will retain the SMTP Forwarding address from the mail-user and will add it as an ForwardingSMTPAddress, with mail being forwarded to that address and sent to the Exchange Mailbox. No additional value (like $true/$false etc.) is required.

Please note that the ForwardingSMTPAddress value does not show up in the Exchange Admin Center view at the moment (Exchange 2013RTM CU1). You will have to use the Exchange Management Shell (Get-Mailbox|fl) to check whether the Mailbox is forwarding mail to an external address.

You can download this script from the TechNet Gallery.

Note: This script has been tested on Exchange 2013 on Windows Server 2012, but will probably work on 2010 and 2007 and Windows 2008 R2. Use at your own risk and the script is provided as-is.

Best Practices for Securing Active Directory

Sander Berkouwer — Fri, 26 Apr 2013 08:05:19 GMT

Today, Microsoft has released a document, detailing the Best Practices for Securing Active Directory Domain Services.

The document contains 22 best practice recommendations to assist organizations in enhancing the security of their Active Directory installations. By implementing these recommendations, organizations will be able to identify and prioritize security activities, protect key segments of their organization’s computing infrastructure, and create controls that significantly decrease the likelihood of successful attacks against critical components of their networking environments:

Patch applications.
Patch operating systems.
Deploy and promptly update antivirus and antimalware software across all systems and monitor for attempts to remove or disable it.
Monitor sensitive Active Directory objects for modification attempts and Windows for events that may indicate attempted compromise.
Protect and monitor accounts for users who have access to sensitive data.
Prevent powerful accounts from being used on unauthorized systems.
Eliminate permanent membership in highly privileged groups.
Implement controls to grant temporary membership in privileged groups when needed.
Implement secure administrative hosts.
Use application whitelisting on domain controllers, administrative hosts, and other sensitive systems.
Identify critical assets, and prioritize their security and monitoring.
Implement least-privilege, role-based access controls to administer the directory, its supporting infrastructure, and domain-joined systems.
Isolate legacy systems and applications.
Decommission legacy systems and applications.
Implement secure development lifecycle programs for custom applications.
Implement configuration management, review compliance regularly, and evaluate settings with each new hardware or software version.
Migrate critical assets to pristine forests with stringent security and monitoring requirements.
Simplify security for end users.
Use host-based firewalls to control and secure communications.
Patch devices.
Implement business-centric lifecycle management for IT assets.
Create or update incident recovery plans.

The document also discusses the most common attacks against Active Directory and countermeasures to reduce the attack surface, and recommendations for recovery in the event of complete compromise.

The 321-page document (135 pages of main content and 185 pages with appendices A through M) is provided for free in *.docx format. Download it here.

Related blogposts

Auditing directory changes aka "Who deleted this object"
How to create and use confidential attributes
MS013-032 Vulnerability in Active Directory Could Allow Remote Code Execution (Important)Preventing Domain Controller promotions, cloning and demotions in Windows Server 2012
Updated Active Directory Capacity Planning Guidance Available (adsizer.exe Be Gone!)

Acknowledgements

Thanks to Meinolf Weber for the tip.

Upgrading AD from 2003 to 2008

Paul Bergson — Thu, 25 Apr 2013 11:53:00 GMT

Upgrading Active Directory from 2003 to 2008

--- (Note: This is a copy from another site and at this time my snapshots are missing)---

· Microsoft’s Preupgrade check list

· Before upgrading AD verify all current applications are compatible

o Verify you are on the correct version for 2008

§ For example, does your SAN at its current release support 2008

§ Does the version of Exchange you are running support 2008

o Ensure all dc’s Windows 2000 dc’s are at least at SP4

§ From a command prompt run

Ø repadmin/showattr

· Verify that your Active Directory forest is healthy

o DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log

o netdiag.exe /v > c:\netdiag.log (On each dc)

o repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt

o ntfrsutl ds your_dc_name > c:\sysvol.log

o dnslint /ad /s "ip address of your dc"

· Get a backup up of at least two separate dc’s, including your PDCe

· Although you can upgrade, I would strongly urge you to do fresh install on all new 2008 installations

o Upgrading

§ Verify that the hardware will be compatible with 2008

§ You cannot directly upgrade from W2K to W2K8, you must go W2K to W2K3 and then W2K3 to W2K8

§ The bloat associated with patching, etc… just is a waste of space

Ø Verify you have plenty of disk space available

Ø If you don’t have a good 20gb of free space, you are probably going to run into space issues, trust me on this. All future patches, etc… that roll into the o/s are kept in the system folder and slowly over time start to chew your volume.

§ verify that the machine upgrading holds the FSMO role of operations Master (Upgrade DC order)

o Fresh install

§ Ensure you had at least a 50gb system partition

§ Consider using x64, all future Windows server operating systems are going to x64 bit, starting with 2008 R2

Prep the forest, domain and dns zones

· Prep your forest

o Copy the adprep folder to a local folder on your dc or run from the cd

o Make sure that you can log on to the schema master with an account that has sufficient credentials to run adprep /forestprep. You must be a member of the Schema Admins group, the Enterprise Admins group, and the Domain Admins group of the domain that hosts the schema master, which is, by default, the forest root domain.

o Execute adprep (See KB753437, Be sure this is run on the Schema master, otherwise it will not run)

C:\adprep>adprep /forestprep

ADPREP WARNING:

Before running adprep, all Windows 2000 Active Directory Domain Controllers in the forest should be upgraded to Windows 2000 Service Pack 4 (SP4) or later.

[User Action]

If ALL your existing Windows 2000 Active Directory Domain Controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.

Opened Connection to DCTEST

SSPI Bind succeeded

Current Schema Version is 30

Upgrading schema to version 44

Connecting to "DCTEST"

Logging in as current user using SSPI

Importing directory from file "C:\WINDOWS\system32\sch31.ldf"

Loading entries............................................................................................................................................

139 entries modified successfully.

You should see multiple entries similar to above. Just let the system spin and you can go take a break while waiting. At the end you will see the following (Hopefully!).

................................................................................

Adprep successfully updated the forest-wide information.

o Although this dc has completed the schema upgrade, you must wait until ALL dc’s in your forest receive this change via replication (Converge).

§ Depending on your forest this could be in a few minutes to possibly days

· Once the proper amount of time has passed, the domain’s should now also be ready to be prep’ped

o If you would like to verify that the forest has been upgraded

§ Start up ADSIEdit

1. Connect to Configuration / Configuration / ForestUpdates / ActiveDirectoryUpdate

1. Right Click and select Properties

1. Revision = 2

Ø Connect to Schema / Schema

Right click and select properties

1. ObjectVersion = 44

o Adprep /domainprep (Domain must be in Native Mode 2003)

§ Adprep /domainprep /gpprep (Use this command line if upgrading from Windows 2000, Windows must be in Native Mode 2000)

C:\adprep>adprep /domainprep

Running domainprep ...

Adprep successfully updated the domain-wide information.

The new cross domain planning functionality for Group Policy, RSOP Planning Mode, requires file system and Active Directory Domain Services permissions to be updated for existing Group Policy Objects (GPOs). You can enable this functionality at any time by running "adprep.exe /domainprep /gpprep" on the Active Directory Domain Controller that holds the infrastructure operations master role.

This operation will cause all GPOs located in the policies folder of the SYSVOL to be replicated once between the AD DCs in this domain. Microsoft recommends reading KB Q324392, particularly if you have a large number of Group policy Objects.

o Although this dc has completed the domain prep upgrade, you must wait until ALL dc’s in this domain receive this change via replication (Converge).

§ Depending on your domain this could be in a few minutes to possibly days

· Once the proper amount of time has passed

o If you would like to verify that the domain has been upgraded

§ Start up ADSIEdit

Ø Connect to Configuration / Configuration / ForestUpdates / ActiveDirectoryUpdate

· If there are any near or far term plans to install RODC’s, prep your dns zones

o Adprep /rodcprep

§ This will traverse through the separate partitions and update the permissions

Ø Verify that the prep completed without error

Adprep completed without errors. All partitions are updated. See the ADPrep.log in directory C:\WINDOWS\debug\adprep\logs\yyyymmdd999999 for more information.

· Prep your domain

o Connect to the FSMO Infrastructure Master role holder

o From the cd either copy the \sources\adprep or run the following:

§ Adprep /domainprep /gpprep

Begin the actual installation

· New 2008 DC

o Verify that the AD DS role has been installed on your 2008 member server

o From an elevated command prompt promote this new DC

§ Dcpromo

· The following will pop up

· Followed by, Select Next

· Read the description on new secure channel controls and verify that you understand its impact and then select next

o KB942564 explains in greater details its impact within your organization

· Select Existing Forest and click next

· Verify the forest and credentials are properly set and click next

· Select a domain for this additional domain controller and click next

· Select the site where you would like the new dc to be placed in and click next

· Select those additional services you would require this dc to have and click next

· If the following pop up box appears

§ If you are installing an additional domain controller in either the forest root domain or a tree root domain, you do not have to create the DNS delegation. In this case, click Yes and disregard the message.

· Verify the default locations are as expected and click Next

· Enter the AD DS password and click Next

· On the Summary dialog box, verify all settings are correct and hit Next

· The following box will appear while the promotion advances. Please be patient during this process, depending on the size of your AD environment this could take a few minutes to multiple hours.

· Once the promotion is complete, click Finish and Restart the newly promoted dc

· Once complete allow all DC’s to properly replicate all changes within the infrastructure

· Microsoft recommends moving the FSMO roles to a 2008 DC

o From Active Directory Users and Computers (ADUC) right click on the domain and select Operations Masters

o From each of the three tabs (RID, PDC and Infrastructure) change to a 2008 DC

§ If your destination IM is also a GC, make sure all other dc’s are gc’s or that this is a single domain forest. Otherwise you can create phantom object problems.

o From Active Directory Domain and Trusts

§ Verify you are connected to the DC you want to transfer the Domain Naming role to

§ Right click and select Operations Manager

o From Schema Management

§ If you haven’t already, register the schema management

· From a command prompt

o regsvr32 schmmgmt.dll

· In the mmc console add the Schema management

· Select the Schema management console and connect to the DC you want to move the FSMO role to

· Right click on Schema management and Select operations Management

o To verify all fsmo roles have been transferred run the following from a command prompt

§ Netdom query fsmo

Applicability of Managed Service Accounts (MSAs) and group Managed Service Accounts (gMSAs)

Sander Berkouwer — Tue, 23 Apr 2013 13:12:01 GMT

Recently, one of my readers approached me with some questions on Managed Service Accounts (MSAs). From our discussion, I realized a lot of people may be unclear about the applicability of Managed Service Accounts (MSAs) and group Managed Service Accounts (gMSAs).

So, this blogpost features a comprehensive table, showing the applicability of Managed Service Accounts (MSAs) and group Managed Service Accounts (gMSAs) in a glance.

In this table you can quickly see which Operating Systems you can run services, configured with Managed Service accounts (MSAs) and group Managed Service accounts (gMSAs):

Managed Service Accounts (MSAs)

Managed Service Accounts (MSAs) were introduced with Active Directory Domain Services in Windows Server 2008 R2. Managed Service Accounts (MSAs) can be used to run services on domain-joined clients and servers, to address typical service account challenges:

Service account password changes are a nightmare and they tend to break stuff. Thus, many organizations configure service accounts with non-expiring passwords. Nonetheless, it is a best practice to change these passwords regularly, for these accounts have a high risk of getting their passwords brute-forced.
Passwords for service accounts are stored in plain text in registry. Sure, the passwords are protected, but still accessible if you know how.
The Scope of service accounts is not easily set. Service accounts can often be used outside the intended scope, for instance to set up VPN connections are send mail through the (authenticated) SMTP gateway.

Under the hood, Managed Service Accounts (MSAs) are a new type of object (msDS-ManagedServiceAccount), derived from the computer account object and living in the Managed Service Accounts container under the domain root.

Managed Service Accounts (MSAs) can be configured in Active Directory environments running Windows Server 2003 and Windows Server 2008 Functional levels. Domains at the Windows Server 2008 R2 functional level provide native support for both automatic password management and SPN management.

Group Managed Service Accounts (gMSAs)

Alongside the Managed Service Account (MSA), in Windows Server 2012, a new type of object is being introduced: the group Managed Service Account. (msDS-GroupManagedServiceAccount)

gMSAs provide the same functionality as MSAs within the domain but also extends that functionality over multiple servers. This way, gMSAs provide a single identity solution for services running on a server farm, or on systems behind Network Load Balance. By using gMSAs, services can be configured for the new gMSA object and the password management is handled by Windows.

group Managed Service Accounts (gMSAs) can be configured in Active Directory environments running Windows Server 2003 and Windows Server 2008 Functional levels. Domains at the Windows Server 2008 R2 functional level provide native support for automatic SPN management.

Pictures of the NGN Tablet Day

Sander Berkouwer — Thu, 18 Apr 2013 12:08:46 GMT

Yesterday, the Dutch Networking User Group organized the Tablet Day at the Reehorst in Ede, the Netherlands. Dave and I presented a 45-minute session on device management through ActiveSync. The whole day was packed with sessions from many speakers and it was a great success with good drinks and a dinner afterwards.

Some people took pictures during our session, so I thought of sharing some of them with you in this blogpost.

We had a big room with nice natural lighting, that felt like a breath of fresh air in contrast to the main auditorium of the Reehorst. The room was filled with 150 seats and, as you can see in the picture below, the majority of them were used by people attending our session:

Since this was the third time Dave and I presented on the topic, we felt pretty confident and had a lot of fun discussing the IOS 6.1 ActiveSync bug, the effects of ActiveSync settings on various tablet and phone models and the missing Swipe Password API on Android-based devices:

I will be speaking at the UK VMUG Meeting in London

Sander Berkouwer — Wed, 17 Apr 2013 07:00:02 GMT

I just received confirmation on speaking at the UK Virtual Machine User Group (VMUG) Meeting in the Hilton Doubletree hotel in London on Tuesday May 21, 2013.

I will be delivering my session on virtualization-safe(r) Active Directory and Domain Controller Cloning. The same session I have been delivering for the past year at numerous events, including the Dutch 2013 Microsoft TechDays.

About the UK Virtual Machine User Group

The UK Virtual Machine User Group (VMUG) is an association of persons with a vested interest in the successful deployment of virtual infrastructure and their associated technologies.

The committee are all volunteers and are directly employed to manage and design virtual infrastructure in their organizations.

VMUG UK is the largest independent cloud and virtualization user group in the UK. As a user group, run by administrators and architects of virtualized systems, the VMUG is all about the contents in the presentations at their events, meeting like minded engineers and learning about new products and trends.

In contrast to other VMUGs, the UK VMUG has a broader view on virtualization than most VMUGs, who mostly focus on VMware-only virtualization.

About the London Meeting

The London meeting will take place from 9AM to 4PM on May 21, 2013 at the Hilton Doubletree hotel.

The meeting is packed with presentations from Microsoft, VMware, York University, EG Innovations and Verizon. Also, attendees will be able to discover VMware automation in the available lab environment. As an attendee looking at advancing your career in virtualization, arrange for a one to one meeting with UK's largest virtualization and cloud employment agency during the Career Clinic.

After the event there will be a bar from 4PM to 6PM.

Register today to attend this meeting.

The mysterious Exchange App, the new ActiveSync?

dmstork — Tue, 16 Apr 2013 17:45:00 GMT

Recently the backend of my Office 365 P1 account was upgraded to the Wave 15 series of products, which obviously includes Exchange 2013. But going through the settings of the Exchange Admin Center, I noticed something that made me curious.

When you go to the Exchange Admin Center, click to Recipients>Mailboxes and select a user, you can see in the Mobile Devices section the option to disable the Exchange App below the option to disable Exchange ActiveSync. I’ve highlighted it in the screenshot on the left.

This is probably the same thing what was previously named the Outlook App in the Exchange 2013 Preview version. Check my previous blog post on exactly this topic.

Some interesting observations: the rename from Outlook app to Exchange app. Is this to distinguish between this app and the Office 2013 Outlook that may or may not become available for Windows RT tablets?

The option to disable the Exchange App is separate from Exchange ActiveSync is interesting. Does this mean the Exchange App does not use the ActiveSync protocol and uses for instance Exchange Web Services (EWS)? That could mean that mobile devices with the Exchange app can have a lot more features compared to only ActiveSync, which sadly hasn’t been enhanced in this most recent release of Exchange as you can read in another blog post of mine. Or will it just be a special ActiveSync “device” which may overrule disabled ActiveSync?

I’ve checked whether these options were present in Exchange 2013 Cumulative Update 1 (CU1), but this isn’t the case. That suggests that these options will be available at the earliest in CU2 and thus at the end of Q2 following the new servicing plan for Exchange. I would expect the Exchange App would be released around the time these options become general available in Exchange with a CU (or Service Pack?). And hopefully for a lot of different Mobile OSs.

But practically all of this is speculation, we will have to wait and see. An announcement or perhaps even release during TechEd 2013 North America is somewhat logical, seeing the timeframe and it being a big event (plus some wishful thinking on my part, as I am attending this event ).

KnowledgeBase: You cannot use redirusr.exe and redircmp.exe in the Windows Server 2008 DFL on Windows Server 2008

Sander Berkouwer — Mon, 15 Apr 2013 15:29:53 GMT

In the past years, I’ve found many systems and many errors. Today, I’m sharing behavior in Microsoft Windows Server that had me frown and chuckle. A bug in Active Directory code I’ve been grateful for, since it illustrates the nature of software.

Note:
This behavior has not been publicized in the Microsoft KnowledgeBase (yet).

In the past two versions of Windows Server, the Active Directory team has made an effort to migrate all of the command-line stuff to PowerShell. Two of the command-line tools I still use frequently, however, have not been converted to PowerShell: redirusr.exe and redircmp.exe.

redirusr.exe and redircmp.exe were my partners in crime for the last couple of years, in which I setup loads of Active Directory structures for small sized organizations, following the Best Practice Active Directory Design for Managing Windows Networks. I used them in newly setup environments to automatically place newly created computer and user accounts in specific Organizational Units (OUs) in Active Directory.

A short history on redirusr.exe and redircmp.exe

Microsoft introduced the ability to change the default container (or Organizational Unit) where new users and computers are stored in the Windows Server 2003 Domain Functional Level (DFL). Both tools won’t work in Windows 2000 Domain Functional Level. When using the commands on a Windows Server 2008-based Domain Controller for a domain with the Windows 2000 Domain Functional Level both tools error out with the following message:

Error, unable to modify the wellKnownObjects attribute. Verify that
the domain functional level of the domain is at least Windows Server 2003:
Unwilling To Perform
Redirection was NOT successful.

This is by design. As the error indicates you need to raise the Domain Functional Level (DFL) to Windows Server 2003. It is not the subject of this blogpost.

Using redirusr.exe and redircmp.exe

On a Windows Server 2003-based Domain Controller and Windows Server 2008-based Domain Controller in an Active Directory domain with the Windows Server 2003 Domain Functional Level (DFL) you can use the following commands:

dsadd ou "OU=Redirected Users OU,DC=DomainName,DC=Tld"
dsadd ou "OU=Redirected Computers OU,DC=DomainName,DC=Tld"
redirusr "OU=Redirected Users OU,DC=DomainName,DC=Tld"
redircmp "OU=Redirected Computers OU,DC=DomainName,DC=Tld"

These commands will add two Organizational Units with names Redirected Users OU and Redirected Computers OU. After creation it will run the two commands to automagically place new useraccounts and computeraccounts in the new OUs.

The below two commands will output the following message, when successful:

Redirection was successful.

Now for the bug…

I expected the above commands to work on a Windows Server 2008-based Domain Controller for an Active Directory domain with the Windows Server 2008 Domain Functional Level (DFL)…

Unfortunately this is not the case. The error message is:

Error, unable to modify the wellKnownObjects attribute. Verify that
the domain functional level of the domain is at least Windows Server 2003:
Referral
Redirection was NOT successful.

Obviously the Verify that the domain functional level of the domain is at least Windows Server 2003 part of the message is a standard message, but the part behind it is different, compared to the Windows 2000 Domain Functional Level output. It is apparently willing to perform, but was referred.

This is actual behavior on a Domain Controller running Windows Server 2008 RTM. (or Windows Server 2008 with Service Pack 1, if you want to be 100% correct)

Unfortunately there is no way to redirect users and computers using the redirusr.exe and redircmp.exe commands on a Windows Server 2008 RTM-based Domain Controller in an Active Directory domain with the Windows Server 2008 Domain Functional Level (DFL).

The workaround

To use the redirusr.exe and redircmp.exe commands in an Active Directory domain with the Windows Server 2008 Domain Functional Level (DFL), either:

Install Service Pack 2 on a Windows Server 2008-based Domain Controller and run the commands on this Domain Controller, or
Upgrade a Domain Controller to Windows Server 2008 R2 or Windows Server 2012 and run the commands on this Domain Controller.

DirTeam bloggers at TechEd Europe 2013

ChrisPetit — Thu, 11 Apr 2013 08:26:16 GMT

From Monday June 24 2013 to Friday June 28 2013, Microsoft organizes TechEd Europe at the Feria Internacional de Madrid (IFEMA) in Madrid, Spain. With a much warmer climate than Amsterdam (TechEd Europe 2012) and Berling (TechEd Europe 2009 and TechEd Europe 2010) and Microsofts convenient repositioning of this event in June, this event should be packed with IT Pros and Developers from across Europe.

To represent the DirTeam.com / ActiveDir.org Weblogs at TechEd Europe, I will be present with fellow blogger Sander Berkouwer and OGD colleague Maarten de Vreeze.

We will be staying in the AC Hotel Madrid Feria by Marriott on Via de los Poblados, just a few blocks from the convention center.

Our flight in from Amsterdam Schiphol Airport (AMS) leaves late Saturday afternoon June 22, and we will be making a short stop in Paris (CDG) on our way to Madrid Barajas Airport(MAD). On our way back we will again be making a short stop in Paris (CDG) on Saturday evening and arriving at Amsterdam Schiphol Airport (AMS) late, in what we hope would be a similar temperature as Madrid...

We’re looking forward to TechEd and to seeing you there!

MS013-032 Vulnerability in Active Directory Could Allow Remote Code Execution (Important)

Sander Berkouwer — Wed, 10 Apr 2013 08:25:59 GMT

It’s not often, that Active Directory Domain Controllers get security updates. The Active Directory Domain Services Server Role is one of the most robustly written code, as I pointed out in an earlier blogpost on Statistics on Active Directory-related Security Bulletins. Since 2001, Microsoft has issued 18 Security Bulletins with patches to address issues in Active Directory Directory Services, Active Directory Lightweight Directory Services and ADAM.

Yesterday, during the April 2013 Patch Tuesday, Microsoft has released a new Active Directory-related security bulletin: MS013-032.

This security update resolves a privately reported vulnerability in Active Directory. The vulnerability could allow denial of service if an attacker sends a specially crafted query to the Lightweight Directory Access Protocol (LDAP) service, that leads to excessive memory consumption and could cause the LDAP service to become non-responsive. This issue was privately reported to Microsoft and documented as CVE-2013-1282

This Security update is not classified as Critical, since an attacker must have valid logon credentials to exploit this vulnerability. The vulnerability could not be exploited remotely by anonymous users. However, the affected component is available remotely to users who have standard user accounts. In certain configurations, anonymous users could authenticate as the Guest account.

Affected Operating Systems

This security update is rated Important for Active Directory, Active Directory Application Mode (ADAM), Active Directory Lightweight Directory Service (AD LDS), and Active Directory Services on the following, currently supported, Windows Server Operating Systems:

Active Directory on Windows Server 2003 SP2 x86
Active Directory on Windows Server 2003 SP2 x64
Active Directory Application Mode (ADAM) on Windows Server 2003 SP2 x86
Active Directory Application Mode (ADAM) on Windows Server 2003 SP2 x64
Active Directory Services on Windows Server 2008 SP2 x86
Active Directory Services on Windows Server 2008 SP2 x64
Active Directory Application Mode (ADAM) on Windows Server 2008 SP2 x86
Active Directory Application Mode (ADAM) on Windows Server 2008 SP2 x64
Active Directory Services on Windows Server 2008 R2
Active Directory Application Mode (ADAM) on Windows Server 2008 R2
Active Directory Services on Windows Server 2008 R2 SP1
Active Directory Application Mode (ADAM) on Windows Server 2008 R2 SP1
Active Directory Services on Windows Server 2012

This security update is rated Low for Active Directory Application Mode (ADAM) and Active Directory Lightweight Directory Services (AD LDS) on the following, currently supported, Windows client Operating Systems:

Active Directory Application Mode (ADAM) on Windows XP SP3
Active Directory Application Mode (ADAM) on Windows XP Professional x64 SP2
Active Directory Lightweight Directory Service (AD LDS) on Windows Vista SP2 x86
Active Directory Lightweight Directory Service (AD LDS) on Windows Vista SP2 x64
Active Directory Lightweight Directory Service (AD LDS) on Windows 7 x86
Active Directory Lightweight Directory Service (AD LDS) on Windows 7 x64
Active Directory Lightweight Directory Service (AD LDS) on Windows 7 SP1 x86
Active Directory Lightweight Directory Service (AD LDS) on Windows 7 SP1 x64
Active Directory Lightweight Directory Service (AD LDS) on Windows 8 x86
Active Directory Lightweight Directory Service (AD LDS) on Windows 8 x64

The security update addresses the vulnerability by correcting how the LDAP service handles specially crafted LDAP queries.

On all affected Operating Systems, except for Windows 8 and Windows Server 2012, this security update replaces Security update MS011-095.

Guidance

You are urged to test and implement the update corresponding to the Security Bulletin on the affected Operating Systems running the aforementioned Active Directory services.

MS08-003 Security Update for Active Directory
A New Vulnerability in Active Directory (MS09-018)
MS11-095 Vulnerability in Active Directory could allow Remote Code Execution (Important)
Statistics on Active Directory-related Security Bulletins

Meet Azure Active Directory: Your Cloud-based Identity Service

Sander Berkouwer — Tue, 09 Apr 2013 07:05:41 GMT

Today, Microsoft made Azure Active Directory generally available (GA). This means it is ready for production use.

Azure Active Directory enables organizations to provision their users with a single identity that can be used to access applications that are run on Windows Azure, run by 3rd party cloud-based vendors and/or within their own datacenters.

Azure Active Directory offers four main capabilities:

It’s an Azure-based Active Directory environment, that you, as an admin, can use to authorize access to apps and services within your organization’s Azure, Intune and Office 365 subscriptions.

These Microsoft cloud services already rely on the identity management capabilities provided by Azure Active Directory. These capabilities include a cloud based store for directory data and a core set of identity services including user logon processes, authentication and federation services.
The Azure Active Directory that you create is able to federate with an on-premise Active Directory environment, based on open standards including SAML, OData and WS-FED. With federation and single sign-on enabled, your colleagues can access resources within your company, plus access cloud applications seamlessly with the set of credentials and means of authentication they are already familiar with.

With Identity controlled on-premises, colleagues can granularly be enabled for federation, granted access and revoked access. All without any delays.
Azure Active Directory can be used to leverage identity and access management to 3rd party cloud-based apps.

As an organization, you can leverage this functionality to use Azure Active Directory as your identity federation hub or identity provider (IP) to provide a seamless, single sign-on experience across your on-premises environment, Microsoft Online Services, 3rd party cloud services and applications built on Windows Azure with popular web identity providers like Microsoft Account, Google, Yahoo!, and Facebook.
Azure Active Directory offers the Azure Active Directory Graph. This is an innovative social enterprise graph providing an easy RESTful interface for accessing objects such as Users, Groups, and Roles with an explorer view for easily discovering information and relationships.

You may leverage any of these capabilities, independent of each other.

The best thing? Azure Active Directory is free.

KnowledgeBase: Unable to install Windows Server 2012 Essentials with domain suffixes .net, .corp, .com, .org etc

Sander Berkouwer — Mon, 08 Apr 2013 09:22:32 GMT

Microsoft has released KnowledgeBase Article 2830511, detailing a bug in the Installation Wizard of Windows Server 2012 Essentials, that prevents you from installing the server as a Domain Controller for an Active Directory domain with a public top-level domain (TLD), like .com, .corp, .org, .edu, .int and the country-specific top-level domains.

About Windows Server 2012 Essentials

Windows Server 2012 Essentials is the latest version of Windows Small Business Server Essentials. It is a flexible, affordable, and easy- to-use server solution designed and priced for small businesses with up to 25 users and 50 devices that helps them reduce costs and be more productive. Windows Server 2012 Essentials is an ideal first server, and it can also be used as the primary server in a multi-server environment for small businesses.

By removing the ‘Small Business Server’ moniker, Microsoft clearly communicates how Windows Server Essentials is positioned in the market relative to the other Windows Server editions. It does not come with Exchange Server, but it does come with client backup and remote web access.

Installing Essentials

As Microsoft aims Windows Server 2012 Essentials as the successor to Windows Small Business Server 2011, After installing Windows Server 2012, which is more or less identical to installing the Standard or Datacenter edition of Windows Server 2012, Microsoft assists system administrators, apparently installing their first server, with a wizard to configure the server; the Set Up Windows Server 2012 Essentials wizard.

The first screen of this wizard makes you verify the date and time settings. This is specifically useful when your time zone is not Pacific Time (-08h00 GMT). From an Active Directory point of view, though, it doesn’t matter since Active Directory, internally, runs at Greenwich Main Time (GMT). The second screen lets you choose between a Clean install and a Server migration.

The third screen is where the Active Directory magic happens:

The link What should I know before I personalize my server? explains that the Company name is used to associate your server with your company and the customize your company reports. You can type up to 254 characters for your company name.

The Internal domain name groups your server and client computers together to share a common database of user names, passwords, and other common information. Your users see this name when they log on to their computers, but is used internally only and is not the same as an Internet domain name. Your internal domain name must meet the following criteria:

Can be up to 15 characters long
Can contain letters, numbers and dashes (-)
Must not start with a dash
Must not contain any spaces
Most not contain only numbers

This screen only offers to set up your Windows Server 2012 Essentials as a Domain Controller for a .local domain name, where the NetBIOS name of the domain is equal to the second level domain name. The wizard does not offer to configure Windows Server 2012 Essentials as a Domain Controller for an Active Directory domain with a public top-level domain (TLD), like .com, .corp, .org, .edu, .int and the country-specific top-level domains. (ccTLDs)

Microsoft KnowledgeBase article 2830511 explains the absence of a sensible choice for the domain name as by design to simplify the user experience.

Now, I can agree to some extent, that preventing a situation where an inexperienced admin may create a single-label domain name, is a good goal. However, other means exist to prevent these associated problems. Since Windows Server 2008, for instance, when you try to create a single-label domain name, you are presented with the following error:

The DNS name "<single label DNS domain name> proposed for this Active Directory domain consists of a single label, which is not recommended. DNS domain name should be unique and fully qualified, consisting of one or more labels separated by a period ("."), followed by a top level domain.

Example: corp.<domain>.com

If you click No, you can assign a fully qualified DNS name like the example. If you implement a single-label DNS domain name, you must configure all member computers and domain controllers as described in article 300684 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=92467) so they can register records and resolve queries until the domain is retired.

Do you really want to assign a single-label DNS domain name to this Active Directory domain?

Also, targeting Windows Server 2012 Essentials as the cost-efficient server solution, brings back the point of not forcing business into register a public domain name (at up to $10 per year).

The part I can’t agree with is the absence of the ability to create a domain name with a public top-level domain (TLD), since Microsoft has repeatedly made this a best practice approach.

Many Microsoft products and services assume your internal domain name ends with a public top-level domain (TLD). Lync Server and Exchange Server, for instance, are easier installed, configured and integrated when using the public DNS domain name. Also, Single Sign-On with Office 365 is problematic when you use a DNS domain name ending with a non-public top-level domain (TLD).

Configuring Essentials with a public TLD

Now, while the Set Up Windows Server 2012 Essentials wizard does not give you the option to configure the Active Directory domain name with a public top-level domain (TLD), it is possible to configure Windows Server 2012 Essentials with a public top-level domain (TLD) through the answer file method.

To this purpose you’ll need to place a plain text file named cfg.ini in the root of removable media (floppies not allowed, sorry) and make sure the media is available to Windows Server 2012 Essentials at the moment you set it up.

The fields NetBiosName and DNSName can be used to configure your Windows Server 2012 Essentials with the Active Directory domain names you’d like to use. More information on creating the contents of cfg.ini can be found here.

Note:
Windows Server 2012 Essentials configures Active Directory with the Windows Server 2012 Domain Functional Level (DFL) and Windows Server 2012 Forest Functional Level (FFL). There is no way in cfg.ini to configure it otherwise. You will need to configure a Domain Controller on Windows Server 2012 Standard first and use the Server migration option in the Set Up Windows Server 2012 Essentials wizard. Afterwards, you can remove the Windows Server 2012 Standard Domain Controller from the network.

So you want to continue using Windows XP?

Sander Berkouwer — Mon, 08 Apr 2013 06:13:11 GMT

One year of Windows XP support remains. After twelve years, now is the time to migrate off this 2001 Operating System or to take your security measures to assure your colleagues experience the least impact of the End of Support (EoS) situation. Of course, migrating to a later version of Windows or to another (supported) Operating System is the best approach. If, however, you want to continue running Windows XP in your organization, you should begin taking measures, beginning today:

Disable unneeded administrator accounts

A decade ago, when admins started deploying Windows XP machines, often, colleagues were given accounts with local administrative privileges. Many organizations came from Windows 9x and colleagues were used to having these privileges on their systems and demanded it (back). However, when logged on as an administrator in Windows XP, every action performed, is performed with total control over the system. When a colleague, logged on as an administrator, encounters malware, this piece of malware is capable of taking full control over the system, including installing a hypervisor to make itself undetectable from malware scanners.

Windows XP installations should be checked for accounts that are members of the local Administrators group. Colleagues that are part of this group should have a good reason to be in it. Applications that require administrative privileges can be run through runas.exe.

Tip!
Don’t replace memberships of the Administrators group with memberships of the Power Users group. A power user is an administrator, but doesn’t know it yet…

When done, you should create a group policy to fill the local Administrators groups on your Windows XP machines based on Restricted Groups. This group should be as empty as possible and configured in replace-mode.

Also, the built-in local administrator account on all your Windows XP machines should be disabled, where possible. You can perform this action in various ways, but the most effective method is through Group Policy. The Accounts: Administrator account status was introduced to this purpose, specifically.

Update Windows XP with the latest updates

April 8, 2014 will be the last Patch Tuesday for Windows XP. After this date, no updates or Service Packs will be released for Windows XP. Shortly after this date, you will want to create a system image for Windows XP, including all the updates. Sysprep it, so you can deploy it easily when a Windows XP installation fails.

Note:
While this image can be used to reimage Windows XP computers, it will have no effect on the current install base.

Note:
Not all software handles sysprep gracefully. Test.

Now, some updates require earlier updates. It is, therefore, an illusion to think that updating a Windows XP computer once, will update it to the fullest. Also, running Windows Update might confront your colleagues with a hundred updates and the accompanying hours of their unproductivity to install them.

Centralized update solutions, like the free Windows Server Update Services (WSUS) and C’t’s WSUS Offline Update, allow a phased roll out of Windows Updates and Service Packs, but you should start to do this today if you want to make sure your Windows XP computers are up to date on April 8, 2014.

Don’t use the built-in programs to access the Internet

Windows XP comes with several built-in tools, like Internet Explorer, Windows Media Player, Wordpad and Notepad. With the End of Support in sight, you should at least change processes and behavior within your organization to move away from these programs, since these programs are updated through Windows Update and, thus, don’t receive updates after April 8, 2014.

As an alternative to Internet Explorer, Google’s Chrome or Mozilla’s Firefox should be used. At the moment, both manufacturers support Windows XP (with at least Service Pack 2) for their newest releases. As an alternative to Windows Media Player, VLC Media Player may be used.

However, you should be aware that these programs get updates. Using Group Policy to deploy these programs, allows you to deploy and replace them. Group Policy Setings and Group Policy Preferences can be used to manage settings for these programs.

Software Restriction Policies can be used to limit access to the built-in programs. After April 8, 2014, you can use hash rules without problems, since the hashes will no longer change due to the lack of updates.

Deploy and update a multi-tier anti-malware solution

Malware scanners come in many forms and shapes. Everyone has their own favorite, but for your organization you should be looking for a centrally manageable malware solution, like McAfee’s ePolicy Orchestrator, Symantec AntiVirus Corporate Edition and Microsoft System Center Endpoint Protection. These solutions let you manage your anti-malware measures centrally and empower you to stay on top of outbreaks.

Scanning mere workstations for malware is not enough. You should scan for malware on user-accessible network locations (like file- and mailservers) and, ideally, on the perimeter of your network. If you possess a perimeter device that supports malware scanning, enable it.See if you can enable Intrusion Detection (IDS) and Host Intrusion Prevention (HIPS) too.

Luckily, centralized management also means centralized updates. When giving a choice, make sure to check for updates at least daily for workstations and hourly for mailservers and perimeter devices.

Configure the (Windows) Firewall

Most anti-malware solutions for endpoint protection include firewalls. If yours doesn’t, or if you don’t want to use it, Windows XP with Service Pack 2 comes with an elaborate firewall.

The built-in firewall can be configured with Group Policy to allow only the traffic you want to allow, based on port, program, protocol and host whitelisting. This will raise the bar significantly for malware to communicate and propagate.

Tip!
You only have to configure and test Windows Firewall rules once. You can then drag them to the Windows Firewall pane in the Group Policy editor.

Testing of firewall rules is easy with the logging feature. Instead of dropping connections, you can just log them. The logs will show you the additional rules to create. Also, free network traffic capture tools like Netmon and WireShark can be useful to analyze (the purpose of) network chatter.

Uninstall or disable add-ons, plug-ins and extensions

Running the most recent version of a 3rd party browser, will not ensure you have the recent version of the add-ons, plug-ins and extensions used within the browser. Software from Adobe, like Flash, Reader and its Shockwave Player and Oracle (Java) will need to be updated regularly or disabled. These notorious programs have been known to provide attack vectors on fully patched Windows installations, so if you can’t keep them up to date, disable them.

Update Microsoft Office

While the End of Support for Windows XP is gathering quite some mainstream media attention, you should be aware of the lifecycle of the other business-critical Microsoft software in your environment. On Windows XP clients, the most obvious business-critical Microsoft program would be Microsoft Office. You should be aware that support for Office XP (version 2002) ended on July 12, 2011. Support for Office 2003 ends on April 8, 2014 too.

If you want to keep using Office XP or Office 2003, make sure to update it and disable macros. Also, think about using Outlook Web Access / Outlook Web App and not Outlook. These measures will defuse most Office-based attacks, but will not protect you from leaks within Office programs. If you want to safely exchange documents with partners and customers over the Internet and through mail, make sure to upgrade to Office 2007.

Note:
You cannot install Office 2010 or Office 2013 on Windows XP. If you want to migrate to these Office versions, you will need to migrate the Operating System first.

Build a software and documents repository

With many software vendors ending their support for Windows XP at the same time as Microsoft does, you could become stuck in the situation where you can no longer download the version of a program that you need. Or the documentation on how to install it, configure it and/or manage it.

New features in Active Directory Domain Services in Windows Server 2012, Part 21: Resource SID Compression

Sander Berkouwer — Fri, 05 Apr 2013 07:41:54 GMT

In the earlier 20 blogposts on new features in Active Directory Domain Services in Windows Server 2012, I’ve covered most of the main stream new features. Today, I’m covering a lesser known feature: SID Compression. While this feature has been around in earlier versions of Active Directory Domain Services in Windows Server, it has been enhanced in Windows Server 2012 to provide more value.

Along with related token features like the default larger size (48,000 bytes) and the capabilities to store claims as part of Dynamic Access Control it offers the path to solve token bloat.

SID Compression in earlier versions

In earlier versions of Active Directory Domain Services in Windows Server, SID Compression has been available for years.

When a Ticket Granting Ticket (TGT) is created, the SIDs for global groups and universal groups of the Active Directory domain the user account is a member of, are compressed in the authorization data field (PAC) of the TGT. Compression is achieved by storing the SID Namespace once with a shorter identifier. SIDs for group in this SID Namespace were then linked with their Relative ID (RID) to the SID Namespace through the identifier.

The following group SIDs are compressed:

Global groups in the user's account domain
Universal groups in either the user’s account domain

All other group SIDs are uncompressed. This includes Domain Local Groups, SIDs from any other groups outside the Active Directory domain the user account is a member of (like SIDhistory) and SIDs for well-known groups.

SID Compression in Windows Server 2012

Along with other Kerberos Token logic, in Windows Server 2012 a new SID Compression scheme is used. This feature is called Resource SID Compression. It is enabled by default.

SID Compression can now also be used to compress Kerberos Service Tickets (STs), not just Kerberos Ticket Granting Tickets (TGTs), enabling the compression of SIDs for Domain Local Groups for the Active Directory domain the user account is a member of and any resource domains.

The following group SIDs will be compressed by default in Windows Server 2012:

Global groups in the user's account domain
Domain local groups in the resource domain
Universal groups in either the user’s account or resource domain
SID history groups in either the user’s account or resource domain

The following group SIDs will not be compressed:

Groups a user is a member of which are in other domains
Well known SIDs

Disabling Resource SID Compression

Microsoft has identified some problems with the new SID Compression scheme in Microsoft KnowledgeBase article 2774190. Since Service Tickets (STs) now also feature SID compression and are the tickets that are presented to services (like file servers, web servers) these services need to understand the new scheme. If they don’t, obviously, access denied errors will be displayed.

When you’re running into this situation, you can disable resource SID compression on a Windows Server 2012 KDC using the DisableResourceGroupsFields registry value under the HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kdc\Parameters registry key.

This registry value has a DWORD registry value type. You completely disable resource SID compression when you set the registry value to 1. The Key Distribution Center (KDC) reads this configuration when building a service ticket. With the bit enabled, the KDC does not use resource SID compression when building the service ticket.

You do not need to reboot Domain Controllers after making these changes.

Acknowledgements

Many thanks to Guido Grillenmeier, Lee Flight and Dean Wells.

Active Directory-related changes to Windows Deployment Services in Windows Server 2012

Sander Berkouwer — Mon, 25 Mar 2013 12:54:00 GMT

Windows Deployment Services has a long-standing tradition of being part of the Windows Server Operating System. What used to be Remote Installation Services (RIS), became Windows Deployment Services (WDS) in Windows Server 2003 Service Pack 2.

Windows Deployment Services (WDS) has ties to Active Directory, as I’ve blogged about earlier. In Windows Server 2012, however, some of the statements in that blogpost have changed.

Among the many improvements in Windows Deployment Services (WDS) in Windows Server 2012, these three Active Directory-related changes pop out:

Standalone server

Windows Deployment Services (WDS) is now configurable as a Standalone server, without the need for Active Directory. Although this was possible in Windows Server 2008 r2, already, that configuration was limited and complex: You needed to configure the server using wdsutil.exe or the registry editor.

In Windows Server 2012, while installing the Windows Deployment Services (WDS) Server Role you can configure it as a Standalone server as opposed to the Integrated with Active Directory mode. In this mode, information on prestaged devices is stored in a local store.

The Standalone Mode is useful since it allows for a portable deployment solution that is independent of any existing environment.

Active Directory Prestaged Devices

Prestaging devices is now possible in the Windows Deployment Services Graphical User Interface (GUI). You no longer have to use wdsutil.exe for that purpose. It is possible to prestage devices, based on their:

MAC Address
GUID (Global Unique Identifier)
DUID (DHCPv6 Unique Identifier)

You can pre-stage setting like the computer name, PXE policies, boot image, installation image, permissions on join and more. You can also, optionally, create an unattend.xml for the device.

BitLocker Network Unlock

Now, you might almost think, integrating Windows Deployment Services (WDS) is no longer a Server Role that is better with Active Directory. While the above feature makes your life as a deployment admin easier, Windows Deployment Services offer unrivaled functionality when used with Active Directory. One of the new features surrounding Windows Deployment Services in Windows 8 and Windows Server 2012 on hardware with UEFI 2.3.1 is the possibility to automatically unlock the Operating System drive when a machine is booted while connected to the corporate network. This feature allows for desktops and servers to be secure, but not burdening the user or server admin with security protocol.

One of the requirements for BitLocker Network Unlock is Windows Deployment Services (WDS). Other requirements include Active Directory Domain Services and Active Directory Certificate Services. See the combo?

Concluding

Windows Deployment Services is a mature component for many deployment scenarios. You can use it with or without Active Directory, and this blogpost provides an overview of the benefits in both scenarios.

Related Blogposts

WDS without Active Directory
Windows Deployment Services: A Real Ghostbuster Part 1
Deploying Windows 7 with Windows Deployment Services
Five Must-Have Hardware components to get the most out of Windows 8

Dirteam.com/ActiveDir.org Blogs

How to Build an AD Replication Delay (Lag) Site

Common Challenges when Managing Active Directory Domain Services, Part 1: Security

The challenge

Stale user objects

Stale computer objects

(Part of) The solution

Optimizing communication

Mitigating factors

Cleanup

Cleaning stale computer objects

Cleaning stale user objects

Concluding

Related blogposts

Related Microsoft Knowledgebase articles

Further reading

Active Directory Services and their System Center Management Packs

Active Directory Domain Services

Active Directory Lightweight Directory Services

Active Directory Certificate Services

Active Directory Federation Services

Active Directory Rights Management Services

Related blogposts

Further reading

Related downloads

Active Directory Services and PowerShell manageability

Active Directory Domain Services

Active Directory Lightweight Domain Services

Active Directory Certificate Services

Active Directory Federation Services

Active Directory Rights Management Services

Related blogposts

Further reading

Active Directory Services on Server Core installations

Related blogposts

Further reading

Identity and Authentication in the cloud: Office 2013 and Office 365 (Poster)

No, my Win-X menu doesn’t work

My portable lab hardware

How to use the Microsoft Authenticator WP app with Google

The DirTeam.com/ActiveDir.org Weblogs no longer offer SSL v2.0

Script converting Mail-User to Mailbox-User

Best Practices for Securing Active Directory

Related blogposts

Acknowledgements

Upgrading AD from 2003 to 2008

Applicability of Managed Service Accounts (MSAs) and group Managed Service Accounts (gMSAs)

Managed Service Accounts (MSAs)

Group Managed Service Accounts (gMSAs)

Further reading

Pictures of the NGN Tablet Day

Further reading

I will be speaking at the UK VMUG Meeting in London

About the UK Virtual Machine User Group

About the London Meeting

Further reading

The mysterious Exchange App, the new ActiveSync?

KnowledgeBase: You cannot use redirusr.exe and redircmp.exe in the Windows Server 2008 DFL on Windows Server 2008

A short history on redirusr.exe and redircmp.exe

Using redirusr.exe and redircmp.exe

Now for the bug…

The workaround

Further reading

DirTeam bloggers at TechEd Europe 2013

MS013-032 Vulnerability in Active Directory Could Allow Remote Code Execution (Important)

Affected Operating Systems

Guidance

Related Posts

Further reading

Meet Azure Active Directory: Your Cloud-based Identity Service

Further reading

KnowledgeBase: Unable to install Windows Server 2012 Essentials with domain suffixes .net, .corp, .com, .org etc

About Windows Server 2012 Essentials

Installing Essentials

Configuring Essentials with a public TLD

Further reading

Related KnowledgeBase articles

So you want to continue using Windows XP?

Disable unneeded administrator accounts

Update Windows XP with the latest updates