Dirteam.com/ActiveDir.org Blogs

Changing Windows 7 back to the ‘old’ Windows

Sander Berkouwer — Sat, 27 Jun 2009 18:13:37 GMT

Windows 7 has a mass appeal to Windows XP users and their system administrators. While major advances were made in Windows Vista and Windows 7, you will always find people opposing change. And, boy! A lot has changed in the user interface since Windows XP!

In the past opposition has been dealt with with deception many times. The first sewing machines, for instance, were disguised as furniture, so they’d lack any resemblance with the industrial sewing machines found in factories.

In this post I’ll show you how to revert parts of the user interface in Windows 7 back to Windows XP. Using clear step-by-step procedures you’ll find how to:

Go back to grey windows and bars
Change back the Taskbar and re-enable the Quick Launch

Fade to grey

To lose the transparency on the taskbar and revert it back to grey, all you need to do is select the Windows Classic theme. To select it, right-click on an empty space on the desktop and select Personalize from the context menu. Under Change the visuals and sounds on your computer scroll down to Basic and High Contrast Themes (6). Select Windows Classic as your theme. Close the Personalization window.

The Windows Classic theme will also automatically change the Window borders to Windows XP-style dimensions.

The taskbar

One of the major improvements in Windows 7 is the new taskbar and the Aero capabilities, Flip 3D, Aero Shake, Aero Snap and Aero Peek, coming with it. The taskbar even got a new name: “The Superbar”. It, of course, is the first giveaway to Windows XP users, something has changed.

Correct the buttons and the height

To correct the lay-out of the taskbar itself, you need to edit its properties. Right-click on an empty space on the taskbar and select Properties from the context menu. Perform the following actions:

Under Taskbar appearance select Use small icons
Under Taskbar appearance select Combine when taskbar is full as value for Taskbar buttons.
Click OK.

Now all you need to do is unpin the programs, currently available on the taskbar.

Re-enable the Quick Launch icons

With the standard Windows 7 buttons gone, you can start re-enabling the Quick Launch icons Windows XP users love. For this you need to add the Quick Launch Toolbar to the taskbar. Your first step is to right-click on an empty space on the taskbar, expand Toolbars and click on New toolbar…. The New Toolbar – Choose a folder window appears. Type the following location in the Folder: field:

%appdata%\Microsoft\Internet Explorer\Quick Launch

Click Select folder to add the Quick Launch folder to your taskbar. It should appear on the right side of your taskbar. Of course this is not the place where you’d want the Quick Launch bar or how you want it to look, so let’s change that.

First off, right-click on the Quick Launch label and deselect both Show Text and Show title. Now right-click on en empty space on the taskbar and deselect Lock the taskbar. Drag the Quick Launch bar next to the Start Button, where Windows XP lovers would expect it to be. If necessary swap dragging the Quick Launch with the other taskbar areas.

Fix Windows Live Messenger

One of the annoyances in Windows 7 is the way Windows Live Messenger interacts with its taskbar buttons. With the Windows XP settings you’ll find starting Windows Live Messenger results in two taskbar buttons. To fix this you’ll need to run Windows Live Messenger in Windows Vista compatibility mode.

In the Start Menu Search field type msnmsgr.exe. Right-click the search result and select Properties from the context menu. Open the Compatibility tab. Under Compatibility Mode select Windows Vista for the Run this program in compatibility mode for: field. Click OK.

Concluding

It’s not hard to revert parts of the user interface in Windows 7 back to Windows XP and fool users at first glance. This might just be what you need to convince your users their new desktops are up to spec.

A dream come true… (looking back at 3 years of blogging)

Sander Berkouwer — Fri, 26 Jun 2009 21:39:43 GMT

“I’ve always believed in information equality.”

While hundreds of companies charge their customers for services with knowledge and experience as unique selling points (USPs), I’ve sat on the sideline enjoying the view. I heard these companies (most of them Microsoft Partners) complaining about shifting expectations and a changing landscape. They fear becoming obsolete, because customers wise up and Microsoft (among others) supply standard tools, frameworks and even products to replace their tools, frameworks and products. Lately even with Online Services. I’ve known information is dynamic in nature. I expected nothing less in this line of business.

“It’s why I started blogging.”

I felt information can be made available freely, without repercussions. Standard practices may be shared without cost, product pitfalls may be found easily and demos can be shown indefinitely. In the end for business it’s not information that counts, but relationships and reputation. I feel a customer should connect without you, not because he knows you’re capable of doing the job, but because you’re granted the job.

“It’s why I kept blogging.”

My employer benefits from my blog. Not in a direct financial way, but in an indirect relationship-based way. Because when I speak to a client I direct them to information I’ve shared here. Because when the (potential) customer reads the information he is reminded of the ways of his current IT partner. … and not just customers. Other IT Pros started reading this blog as well… and linking back to it. As a company we could have generated more revenue on the short term (if our sales force would be up to spec) but in the long term we’re seeing increased deal sizes, etc.

“It’s way this blog had 250.000+ hits in three years.”

Today marks the third anniversary of this blog. A lot has happened in my life. I’ve become a father, an MVP, a Product Manager and even a Bachelor in ICT. I’ve continued to share my creative views on using Microsoft products and technologies (Active Directory, Hyper-V) and people obviously like them. Starting from 0 visitors per day, back in June 2006, this blog picked up to receive nearly 700 hits per day (on weekdays). The rate in which these hits increase is even more staggering: It doubles every year. The first year this blog saw 35,000 hits, the second year 70,000 and in the third year it reached its current 140,000 hit/year average.

“It’s why I’m passionate about this website.”

With my blog receiving a third the hits of the DirTeam.com / ActiveDir.org Weblogs I didn’t need to think twice when Carlos asked me to become the Chief Technology Officer (CTO) of the website, effectively making sure the website(s) on these servers continue to run smoothly.

“It’s why I love this stuff”

Being awarded a 2009 Microsoft Most Valuable Professional (MVP) award for Directory Services is simply the icing on the cake. I’m making an effort because I want to and because people ask me to. People keep telling me I’m doing a brilliant job. That’s what keeps me going. Microsoft recognizes me and values my feedback. That’s nice.

“It’s why it feels like a dream come true”

Just a simple guy, with a simple view and simple means, making an effort. Being noticed, being seen. It’s like a dream come true…

Command Line version of Server Manager in Windows Server 2008 R2

Jorge — Sat, 20 Jun 2009 20:29:39 GMT

Today I was playing with "ServerManagerCMD.EXE" Windows Server 2008 R2. When I executed it I saw the following informational message:

"Servermanagercmd.exe is deprecated, and is not guaranteed to be supported in future releases of Windows. We recommend that you use the Windows PowerShell cmdlets that are available for Server Manager."

It was created in Windows Server 2008 and it is already deprecated! J

It is not really a surprise, because Microsoft is going all the way with PowerShell and more and more products are becoming PowerShell-enabled. Also see this post on how to use snap-ins/modules.

So instead of….

ServerManagerCmd.exe

Installs and removes roles, role services and features. Also displays the list of all roles, role services, and features available, and shows which are installed on this computer. For additional information about the roles, roles services, and features that you can specify using this tool, refer to the Help for Server Manager.

-query [<query.xml>] [-logPath <log.txt>]

-install <name>

[-resultPath <result.xml> [-restart] | -whatIf] [-logPath <log.txt>]

[-allSubFeatures]

-remove <name>

[-resultPath <result.xml> [-restart] | -whatIf] [-logPath <log.txt>]

-inputPath <answer.xml>

[-resultPath <result.xml> [-restart] | -whatIf] [-logPath <log.txt>]

-help | -?

-version

Switch Parameters:

-query [<query.xml>]

Display a list of all roles, role services, and features available, and shows which are installed on this computer. (Short form: -q) If <query.xml> is specified, the information is also saved to a query.xml file with additional information.

-inputPath <answer.xml>

Installs or removes the roles, role services, and features specified in an XML answer file, the path and name of which is represent by <answer.xml>. (ShortForm: -ip)

-install <name>

Installs the role, role service, or feature on the computer that is specified by the <name> parameter. Multiple roles, role services or features must be separated by spaces. (ShortForm: -i)

-allSubFeatures

Used with the -install parameter to install all subordinate role services and features along with the role, role service, or feature named with the -install parameter. (Short form: -a)

-remove <name>

Removes the role, role service, or feature from the computer that is specified by the <name> parameter. Multiple roles, role services or features must be separated by spaces. (ShortForm: -r)

-resultPath <result.xml>

Saves the result of the ServerManagerCmd.exe operation to a <result.xml> file, in XML format. (Short form: -rp)

-restart

Restarts the computer automatically, if restarting is necessary to complete the operation.

-whatIf

Display the operations to be performed on the current computer that are specified in the answer.xml file. (Short form: -w)

-logPath <log.txt>

Specify the non-default location for the log file. (Short form: -l)

-help

Display help information. (Short form: -?)

-version

Display the version of the Server Manager command that is running, Microsoft trademark information, and the operating system.

(Short form: -v)

Examples:

ServerManagerCmd.exe -query

ServerManagerCmd.exe -install Web-Server -resultPath installResult.xml

ServerManagerCmd.exe -inputPath install.xml -whatIf

You should start using….

For Server Manager with PowerShell you should do the following:

Start PowerShell (e.g. from the command-line type POWERSHELL)
Import the Server Manager Module with: Import-Module ServerManager
You will get the following cmdlets to list/add/remove features AND roles:
- Get-WindowsFeature --> lists available features and roles and which features and roles are installed at that moment
- Add-WindowsFeature --> installs a feature or role
- Remove-WindowsFeature --> removes a feature or role

Also check out: http://technet.microsoft.com/en-us/library/dd378896(WS.10).aspx

Cheers,

Jorge

--------------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
--------------------------------------------------------------------------------------------------
############### Jorge's Quest For Knowledge ###############
######## http://blogs.dirteam.com/blogs/jorge/default.aspx #########
--------------------------------------------------------------------------------------------------

Which PowerShell Snap-Ins and Modules are available for use?

Jorge — Sat, 20 Jun 2009 20:09:19 GMT

This is the way to determine which PowerShell Snap-Ins and Modules are available in Windows Server 2008 R2…

PS C:\> Get-PSSnapin

Name : Microsoft.PowerShell.Diagnostics

PSVersion : 2.0

Description : This Windows PowerShell snap-in contains Windows Eventing and Performance Counter cmdlets.

Name : Microsoft.WSMan.Management

PSVersion : 2.0

Description : This Windows PowerShell snap-in contains cmdlets (such as Get-WSManInstance and Set-WSManInstance) that are used by the Windows PowerShell host to manage WSMan operations.

Name : Microsoft.PowerShell.Core

PSVersion : 2.0

Description : This Windows PowerShell snap-in contains cmdlets used to manage components of Windows PowerShell.

Name : Microsoft.PowerShell.Utility

PSVersion : 2.0

Description : This Windows PowerShell snap-in contains utility Cmdlets used to manipulate data.

Name : Microsoft.PowerShell.Host

PSVersion : 2.0

Description : This Windows PowerShell snap-in contains cmdlets (such as Start-Transcript and Stop-Transcript) that are provided for use with the Windows PowerShell console host.

Name : Microsoft.PowerShell.Management

PSVersion : 2.0

Description : This Windows PowerShell snap-in contains management cmdlets used to manage Windows components.

Name : Microsoft.PowerShell.Security

PSVersion : 2.0

Description : This Windows PowerShell snap-in contains cmdlets to manage Windows PowerShell security.

….Loading the Snap-In is done by: Add-PSSnapin <String Name>
(e.g. Add-PSSnapin Microsoft.PowerShell.Security)

PS C:\> Get-Module -ListAvailable

ModuleType Name ExportedCommands
----------------------- -------------------------
Manifest ActiveDirectory {}
Manifest ADRMS {}
Manifest AppLocker {}
Manifest BestPractices {}
Manifest BitsTransfer {}
Manifest GroupPolicy {}
Manifest PSDiagnostics {}
Manifest ServerManager {}
Manifest TroubleshootingPack {}
Manifest WebAdministration {}

….Loading the Module is done by: Import-Module <ModuleType Name>
(e.g. Import-Module ActiveDirectory)

Cheers,

Jorge

Provisioning to AD and OCS through ILM 2007

Jorge — Fri, 19 Jun 2009 13:23:19 GMT

To provision IM-enabled AD accounts this is what you can do in your provisioning code for the AD MA… (example code snippet from my test/demo environment)

If mventry("im").Value.ToLower = "yes" Then
Dim strSIPDomain As String
Dim strSIPHomeServer As String
strSIPDomain = AD_DS_Production_USERS_MA_Params("sipdomain")
strSIPHomeServer = AD_DS_Production_USERS_MA_Params("siphomeserver")
AD_DS_Production_USERS_CsEntry("msRTCSIP-PrimaryUserAddress").Value = "sip:" & Replace(mventry("displayName").Value, " ", ".") & strSIPDomain
AD_DS_Production_USERS_CsEntry("msRTCSIP-PrimaryHomeServer").Value = strSIPHomeServer
AD_DS_Production_USERS_CsEntry("proxyAddresses").Values.Add("sip:" & Replace(mventry("displayName").Value, " ", ".") & strSIPDomain)
AD_DS_Production_USERS_CsEntry("msRTCSIP-OptionFlags").Value = "256"
AD_DS_Production_USERS_CsEntry("msRTCSIP-ArchivingEnabled").Value = "0"
AD_DS_Production_USERS_CsEntry("msRTCSIP-UserEnabled").BooleanValue = True
End If

Sipdomain and siphomeserver are values stored as parameters in an XML file. Another thing to note is that "msRTCSIP-PrimaryHomeServer" needs a DN to an OCS pool, but it is NOT a reference attribute. It is a string attribute!

Cheers,

Jorge

Today's IT Infrastructure

Jorge — Thu, 18 Jun 2009 08:46:42 GMT

I found the following once in a presentation. It gives you an idea of "Today's IT Infrastructure". ;-)

Looks complex!

Cheers,

Jorge

----------------------------------------------------------------------------------------

Technorati Tags: Day-to-day stuff

--------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------------

Where to put SSL certificate for LDAP …

tomek — Wed, 17 Jun 2009 21:06:00 GMT

Protecting LDAP traffic with SSL is a good idea, especially if in network environment some applications are (ab)using LDAP as authentication protocol.

Some explanation of abusing word – LDAP never was designed as authentication protocol (like Kerberos is). Its name states it clear “DIRECTORY ACCESS PROTOCOL”. However because it is simple to use and effective it is often used as such. Because it wasn’t designed to be an authentication protocol it lacks features which would protect credentials etc. which might expose authentication data for different threats which are common for every important information sent in a clear text over a network. To say it in simple word – when you are doing simple LDAP bind over non secure connection you are just exposing your credentials to others. For proof see see screenshot from network trace below:

So I think this screenshot itself should be enough to start to think about securing LDAP traffic with SSL (convincing developers to use different protocol or to enforce SSL connection in an app might be on the other hand tough task).

Getting back to the topic – good news is that Active Directory infrastructure makes it pretty easy to enable SSL on LDAP protocol. Just give DC proper certificate and it will start to accept LDAP over SSL connections. “Proper” means that it has to meet some criteria, one of them is that its purpose statement should contain Server Authentication (1.3.6.1.5.5.7.3.1) OID on a list.

Deploying certificates in environment with Enterprise CA based on Windows Server integrated with AD is also easy – you can take advantage of auto enrollment feature and DCs will request and install certificates on their own. It is also possible to use third party certificates. Procedure for requesting and installing such certificates on DCs in described in KB321051. In both cases (auto enrollment and KB manual procedure) certificate is being installed in Personal store of local system.

This store has this disadvantage that it might contain many different certs installed by other services and applications if required. If it will contain many certificates meeting requirements for DC to use this cert to protect LDAP traffic it will just pick one. We don’t have real control which one.

Since Windows 2008 there is a way to have more control on this behavior and select certificate which will be used to protect LDAP traffic. If certificate will be put in NTDSA\Personal store instead of default Local system store it will be picked up by directory service in first place and used for LDAP traffic protection.

If there will not be any of certificates in NTDSA\Personal store DC will fall back to old behavior and search for certificate in Local system store

Looks easy … one problem I have with this solution is that I can’t find a way to use auto enrollment mechanism to enroll certificate for DC and put it directly in NTDSA store. If there is anyone who have idea how to do this … comments are open :).

Fixing Hyper-V ACLs

Jorge — Tue, 16 Jun 2009 18:43:00 GMT

Are you having issues with Hyper-V VMs and experiencing similar issues as explained here? The solution to these issues is to fix the permissions of the Hyper-V, but do you know exactly what permissions are needed or what's missing? Stop thinking!

Use the script attached to this post or as shown below. How does it work?

The script is used as a drop-target. A what? A drop-target! Select all the corresponding Hyper-V VM folders and files and drop it on the icon of the script. At that point the script will figure out the correct permissions that are needed to use the VM in Hyper-V.

Let's talk credits. Credits should go to me for posting this stuff while being watched! J

Credits for the script go to a person that:

Is British
Used to be an MVP for Directory Services
Loves scripting, especially "batch" (he wanted to create a spell checker in batch)
Now loves PowerShell
Would like to sell that to the world as "PoSH"
Now walks the grounds of the "Dark Side" managing DS Stuff
Appeared in some cool video a few months back wearing weird stuff

I think you now know who he is. If you don't you'll figure it out some way! J Trust me!

------------------------------------------

:: fix HyperV ACLs.CMD / Dean Wells (DeanWe), Microsoft / October 2008

:: Script adds a suitable ACE (NT Virtual Machines\Virtual Machines or VM-specific) to any number of files supplied as arguments

:: (drag and drop works best) permitting them to be used by the Windows HyperVisor without rendering permissions errors. Special

:: case logic is included to handle symlinks and the permissioning differences required between VHDs and XML configuration files.

@echo off

set issuingAUTHORITY=NT Virtual Machine

set groupPRINCIPAL=Virtual Machines

set EXITcommand=pause

set FAILED=0

set FAILEDfile="%TEMP%\%~n0.$$$"

del %FAILEDfile% 1>nul 2>&1

title Hyper-V ACL fixerupper ...

if "%~1"=="" (

echo/

echo #ERROR - nothing to do!

goto :END

)

echo/

:LOOP

:: Restore default environment for each iteration

set icaclsSUFFIX=

set SECURITYprincipal=%groupPRINCIPAL%

set shortSECURITYprincipal=Group ACE

set PERMISSION=RW

set FILEtype=%~x1

:: Assume the absence of an extension indicates a folder [it's not pretty but it'll do in this context]

if "%FILEtype%"=="" (

set FILEtype=folder

set icaclsSUFFIX=/t

)

:: Determine file type [VHDs require "RW" while the XML configuration files and their symlinks require "F"]

:: For VHDs, we assume many VMs _may_ require access to the file so we add the "NT Virtual Machine\Virtual Machines" ACE

:: For XML configuration files and their symlinks, we treat those as private and add the VM-specific ACE

echo "%~a1" | find /i "l" 1>nul 2>&1

if not errorlevel 1 (

set icaclsSUFFIX=/l

set FILEtype=symlink

set SECURITYprincipal=%~n1

set shortSECURITYprincipal=VM ACE

set PERMISSION=F

) else (

if /i "%FILEtype%"==".xml" (

set PERMISSION=F

set SECURITYprincipal=%~n1

set shortSECURITYprincipal=VM ACE

)

set HYPERVfile=%~n1 [%FILEtype% / %shortSECURITYprincipal%:%PERMISSION%] ..............................................

set HYPERVfile=%HYPERVfile:~0,67%

set /p=+ %HYPERVfile% <nul

icacls "%~1" /grant "%issuingAUTHORITY%\%securityPRINCIPAL%":%PERMISSION% %icaclsSUFFIX% 1>nul 2>&1

if errorlevel 1 (

icacls "%~1" /grant "%issuingAUTHORITY%\%groupPRINCIPAL%":%PERMISSION% %icaclsSUFFIX% 1>nul 2>&1

if errorlevel 1 (

set FAILED=1

echo #FAILED!

echo %~n1 [%FILEtype% / %shortSECURITYprincipal%:%PERMISSION%] >>%FAILEDfile%

) else (

echo SUCCESS!

)

) else (

echo SUCCESS!

)

shift

if not "%~1"=="" goto :LOOP

echo/

if not "%FAILED%"=="1" (

color 2E

echo The command completed successfully.

set EXITcommand=ping -n 6 localhost

) else (

color 4E

echo #ERROR - the following Hyper-V file was/were not permissioned correctly:

echo/

type %FAILEDfile%

)

:END

%EXITcommand% 1>nul 2>&1

------------------------------------------

Cheers,

Jorge

Importing Hyper-V VMs

Jorge — Tue, 16 Jun 2009 14:02:43 GMT

If you have exported a Hyper-V VM to a folder and then try to import it again on another computer for example, you might get the following error:

[Window Title]
Hyper-V Manager

[Main Instruction]
A server error occurred while attempting to import the virtual machine.

[Content]
Import failed.

[Expanded Information]
Import failed. Unable to save the virtual machine under location 'E:\VMStore\_HYPER-V_EXPORTS\OCG_ILM2DEMO-Server\'. Error: General access denied error (0x80070005)

Hide details [Close]

I solved this by giving the Network Service account modify permissions to the folder and its subfolders that contained the VM Export. Worked like a charm for me.

Cheers,

Jorge

Active Directory Forest Recovery Guides

Jorge — Fri, 12 Jun 2009 21:03:32 GMT

The following AD Forest Recovery Guides are available:

Best Practices: Active Directory Forest Recovery (W2K)
- http://www.microsoft.com/downloads/details.aspx?FamilyID=3eda5a79-c99b-4df9-823c-933feba08cfe&displaylang=en
Planning for Active Directory Forest Recovery (W2K3)
- http://www.microsoft.com/downloads/details.aspx?familyid=afe436fa-8e8a-443a-9027-c522dee35d85&displaylang=en
Planning for Active Directory Forest Recovery (W2K8)
- http://www.microsoft.com/DOWNLOADS/details.aspx?familyid=326C8A7A-DCAD-4333-9050-A6303FF3155C&displaylang=en

Cheers,

Jorge

Windows Server 2008 R2 Documentation & Resources

Jorge — Fri, 12 Jun 2009 14:41:57 GMT

Get those docs here

Cheers,

Jorge

Active Directory Gateway WebService is available for ‘legacy’ OSes

Jorge — Fri, 12 Jun 2009 14:37:23 GMT

The Microsoft Active Directory Management Gateway Service lets information technology professionals manage Active Directory Directory Service and Active Directory Lightweight Directory Service instances that are running on the same server. The Active Directory Management Gateway Service is available as part of Windows Server 2008 R2 and available as a separate download for some previous versions of Windows Server 2008 and Windows Server 2003.

Information technology professionals can use Active Directory Module for Windows PowerShell or Microsoft Active Directory Administrative Center (ADAC) to manage Active Directory Management Gateway Service instances on servers that are running Windows Server 2008 Service Pack 1 (SP1) and later versions and Windows Server 2003 Service Pack 2 (SP2) and later versions.

The Active Directory Management Gateway Service provides the same functionality as Active Directory Web Services on Windows 7. After you install the Active Directory Management Gateway Service, the service runs as the Windows Server R2 Active Directory Web Services service

For more info see KB article: The Active Directory Management Gateway Service is now available

It looks like it is not yet available for download. Don't worry, it will be soon, I guess, RGHT? J

Cheers,

Jorge

Read-Only Domain Controller (RODC) Branch Office Guide is available

Jorge — Fri, 12 Jun 2009 14:27:06 GMT

The Read-Only Domain Controller (RODC) Branch Office Guide is now live on TechNet and the Download Center!

TechNet: http://technet.microsoft.com/en-us/library/dd734758(WS.10).aspx
Download Center: http://go.microsoft.com/fwlink/?LinkId=153714

The guide covers the major considerations around deploying RODC's in Branch Office scenarios. Specifically, the topics include:

Branch Office Environment Characteristics
Deciding Which Type of Domain Controller Meets the Needs of a Branch Office Location
Updates to Windows Server 2003 Branch Office Guide Recommendations
Planning/Deploying/Administering RODCs in Branch Offices
Monitoring Your Branch Office Environment

Cheers,

Jorge

ILM 2007 FP1 and Hyper-V

Jorge — Fri, 12 Jun 2009 13:12:18 GMT

At the moment Microsoft does not support ILM 2007 FP1 in ANY virtual environment.

I have not seen an official statement yet on some Microsoft page, but I have read here that ILM 2007 FP1 now is supported to run on Hyper-V. If you want to run it on VMWare, check out these KB articles from Microsoft about that:

Cheers,

Jorge

A New Vulnerability in Active Directory (MS09-018)

Sander Berkouwer — Wed, 10 Jun 2009 13:28:38 GMT

On Patch Tuesday for June 2009 (yesterday, June 9, 2009) Microsoft released security bulletin MS09-18 yesterday to address a vulnerability in Active Directory and Active Directory Application Mode (ADAM) that could allow remote code execution.

It’s should not come as a shock Microsofts Active Directory and Active Directory Application Mode (ADAM) contain insecure code, allowing for much mayhem in enterprise environments. Since MS07-039, MS08-003, MS08-35 and MS08-60 you should have experience with patching these particular Server Roles.

What I did find shocking was the way Microsoft talks about Active Directory Application Mode (ADAM), which is the old name for what most of us now call Active Directory Lightweight Directory Services (ADLDS), but when I examined the Security Bulletin I found out just why:

This vulnerability does not affect Windows Server 2008.

Again, Windows Server 2008 (and Windows Vista) are on the list with unaffected versions of Windows. Up to today only MS08-60 applies to Windows Server 2008. Recollecting: This was a moderate (not a critical) vulnerability that allows denial of service (not remote code execution).

To me, this shows the exceptional feat the Microsoft teams have accomplished in Windows Server 2008. It strengths me in my belief: Windows Server 2008 is the most secure Windows Server platform to date.

For all you Windows 2000 Server and Windows Server 2003 admins out there:

Happy patching!
(especially you, Windows 2000 Server aficionados!)

Active Directory Cleanup - The Most Common Question I See

pbbergs — Wed, 10 Jun 2009 01:30:00 GMT

I am out in the Microsoft NewsGroups and quite often I see someone having trouble with their Active Directory (AD) domain. The number one issue I see is they will lose a Domain Controller (DC) and just move on without realizing that without letting the rest of the DC’s know that this machine is not coming back –or– they attempt to reintroduce a DC back into the domain with the same name without cleaning up the metadata within AD.

To clean up AD after a lost DC is relatively simple and a script has been released that now makes it so there is no need to use ntdsutil. The few times I have had to clean up AD, I still use the manual method but I like to feel in control of things and see what is happening. There should be nothing wrong in using the script.

The KB article to manually cleanup the metadata is 216498

The TechNet script to clean up the metadata is linked here addmvb04

Once you have cleaned things up you still have to go into Active Directory Sites and Services and remove the lost DC from the site in which it belonged. This is a requirement even if you had a successful demotion. The steps for this are outlined at the end of each section within the manual cleanup.

Quotes about “The Boss”

Jorge — Sun, 07 Jun 2009 17:45:24 GMT

Reading the Dutch magazine called Quest; I saw the following funny quotes about "The Boss":

The biggest mistake a boss can make is by not saying: well done!
(John Ashcroft, American Politician [1942])

By working 8 hours a day, you might become the boss. And suddenly you must work 12 hours a day.
(Robert Frost, American Poet [1874-1963])

Never blame the boss for anything. He's got enough problems already.
(Donald Rumsfeld, Minister of Defense with the George Bush administration [1932])

Nothing is worse than a nervous boss. Especially if you are the one that made him nervous.
(Sidney Cross, American Artist [1921-1969])

If everybody says "you're right!", you are either very smart or the boss.
(André Birabeau, French Play Writer [1890-1974])

If you want to move ahead from a career perspective, you do not need to be the boss' son. Marrying his daughter is enough.
(Orlando Aloysius Battista, Canadian Writer [1917-1995])

Cheers,

Jorge

ILM 2007 FP1 and SQL Server 2008

Jorge — Sat, 06 Jun 2009 11:03:09 GMT

At the moment ILM 2007 FP1 officially supports:

SQL Server 2000 SP3a (and higher) Standard or Enterprise (x86/x64)
SQL Server 2005 SP1 (and higher) Standard or Enterprise (x86/x64)

I have not seen an official statement yet on some Microsoft page, but I have read here that SQL Server 2008 it supported by ILM Sync Engine, ILM Certificate Management, but also as a connected data source. For another MSFT employee I heard that SQL Server 2008 will most likely work with ILM 2007 FP1 RTM, but tests were validated with builds 3.3.11xx.x

Cheers,

Jorge

High Availability for ILM 2007 Sync Engine with Clustering

Jorge — Sat, 06 Jun 2009 10:54:42 GMT

When using ILM 2007 Sync Engine and you would like to have high availability you need to think about the all components of the solution. In the case of ILM 2007 Sync Engine those would be:

Windows Server
ILM 2007 Sync Engine
SQL Server
ILM Datastore

Windows Server and SQL Server can be made high available through Microsoft Clustering Services.

ILM Datastore can be made high available by putting it on a SAN/NAS/Shared Storage/Whatever, as long as you use a redundant set of disks, or in other words some RAID configuration such as RAID1 (mirroring), RAID5 (disk striping with parity) or RAID10 (mirroring and striping).

OK, but how about the ILM 2007 Sync Engine? For ILM 2007 Sync Engine you have following possibilities:

Operational Instance: the ILM instance which is actually running by importing, exporting and synching data between connected data sources (ILM server license needed)
HOT Standby Instance: the ILM instance which is NOT running (service = stopped and disabled), but for which its Windows Server is up and running (additional ILM server license needed). For a guide on how to implement this go here.
COLD Standby Instance: the ILM instance which is NOT running (service = stopped and disabled), but for which its Windows Server is ALSO NOT up and running (NO additional ILM server license needed)

So, when the Operational Instance dies for whatever reason, use need to use the available standby instance (for the COLD standby instance you need to start the server first of course) and activate it by using the MIISACTIVATE tool with the Encryption Keys created by the first ILM instance that was installed for the solution. If you are using password synchronization (PCNS) you need to reconfigure the PCNS object in AD to target the new ILM instance. As you can see that is a manual process. Can you automate it? That depends if you are using something that can automatically switch over to the standby instance.

Is ILM 2007 Sync Engine cluster-aware? Nope, it is not!

Can you install the Operational Instance of ILM 2007 Sync Engine on a Cluster (e.g. the active node) and is it supported by MSFT? Yes, it can be installed on the active cluster node and that is also supported by MSFT.

Can you install the Standby Instance of ILM 2007 Sync Engine on a Cluster (e.g. the passive node) and is it supported by MSFT? Yes, it can be installed on the passive cluster node and that is also supported by MSFT.

Even on a cluster you need to manually switch to the standby instance on the passive node by activating it if the operational instance on the active node fails or becomes unavailable.

Can this be automated, so that when the active cluster node dies, ILM automatically switches over to the passive node and would that be supported by MSFT? Yes it is possible to automatically failover ILM by using the script which can be found here. But, is this supported? Unfortunately, it is NOT supported by MSFT! Also take this post into account.

Cheers,

Jorge

Exporting Multi-valued attribute to SQL table

Jorge — Fri, 05 Jun 2009 15:18:40 GMT

Based upon my post about "Multiple Authoritative Sources for Group Memberships and how about precedence in ILM", a technology partner and I were setting up and test/demo environment. The idea was as follows.

The MGMT app is authoritative for groups and group memberships, which then flow into AD. Group Membership is established on business logic like for example:

Everyone with "JobTitle=Admin" and "Department=ICT" becomes a member of the group "R1Grp_EMPLOYEES_JOB_ICT_ADMIN"
Everyone with "employeeType=EMPLOYEES" becomes a member of the group "R1Grp_EMPLOYEES"
Etc.

However, in AD it must be possible to adjust/establish group memberships that do not follow the business logic. For example, a contractor is added to the group "R1Grp_EMPLOYEES". That new group membership flows (import) from AD to the MV through the "ADDS-Group-IMP" MA. From the MV it flows (export) to the SQL Database (multi-valued table) through the "MGMT-Group-EXP" MA.

When a group membership is established in the MGMT APP the following flags should be set in the SQL multiple valued tabled: MGMT=YES & IDM=NO (as properties of that specific group membership)

When a group membership is established in the MGMT APP the following flags should be set in the SQL multiple valued tabled: MGMT=NO & IDM=YES (as properties of that specific group membership)

This way the MGMT APP can check on eventual business conflicts by checking the flags and report on it!

So as a test we wanted to test this by adding a contractor person to the "R1Grp_EMPLOYEES" group. Initially the group "R1Grp_EMPLOYEES" contained 32 employee persons and after the change an extra contractor person was added to it.

What was the expect end result?

32 employee group memberships with the flags MGMT=YES & IDM=NO
1 contractor group membership with the flags MGMT=NO & IDM=YES

So I imported the group membership from AD into ILM and exported it to the SQL database.

What was the REAL end result?

32 employee group memberships with the flags MGMT=NO & IDM=YES
1 contractor group membership with the flags MGMT=NO & IDM=YES

What the heck?!?! Why are the flags of ALL group memberships for the group "R1Grp_EMPLOYEES" changed as if they were exported? I expect only one INSERT into the table and not 33 INSERTS.

The way to find out is to use SQL Server Profiler and check what's happening under the hood! So let's do this.

Before exporting to ILM I checked the ILM statistics. See picture below.

After exporting I checked the SQL Server Profiler Trace and saw the following…

Let's take a look at this trace

Yellow marked text: Delete all existing group memberships for the group "R1Grp_EMPLOYEES"
Green marked text: Add the new group membership for the new member (the one established in AD)
Blue marked text: Add the new group membership for the previously existing members (the ones established in MGMT APP)

I wonder WHY ILM works this way…Anyone from the Product Group care to explain? Please do so!

Cheers,

Jorge

Multiple Authoritative Sources for Group Memberships and how about precedence in ILM

Jorge — Wed, 03 Jun 2009 19:51:39 GMT

If multiple data sources are authoritative for "some-attribute" and all authoritative data sources are considered equal, in ILM 2007 you must configure "Attribute Flow Precedence" for that "some-attribute" where all management agents (MAs) use Rules Extension for the flow of that "some-attribute". When ALL MAs are using Rules Extensions for that particular attribute, you will be able to check the option "Use Manual Precedence". In your code for each MA you check if the value in the CS differs from the value in the MV and when that is the case you allow the flow of the attribute value from the CS to the MV, etc. etc. It will look similar to the picture below.

Until now nothing special! Now imagine that "some-attribute" is the "member" attribute of the "group" object. The "member" attribute is a multi-valued reference attribute. It can therefore contain multiple values and it does not have real values, but rather references to OTHER objects such as for examples "user" objects.

Now for the "member" attribute you have the scenario as above. Two connected data sources are authoritative for managing group memberships such as for example:

Active Directory being managed by admins on one side AND some data source (ADAM, SQL, etc.) with a web-interface on the other side
OR
Active Directory being managed by admins on one side AND some data source (SQL, etc.) with some business logic to automatically create group memberships on the other side

What would you do? The easiest answer would seem say: "do the same as you did for that 'some-attribute'". Unfortunately that's not going to work because "reference" attributes (e.g. "member") cannot be used in advanced attribute flow through Rules Extensions and as mentioned earlier you need Rules Extensions to be able to use the option "Use Manual Precedence". Another way to prevent the complexity of precedence is using multiple MAs

This is the approach of the solution I used… (Thanks James!).

REMARK: as you know, there are many ways to get to Rome, and for such a scenario there are many other approaches.

The overall idea is shown in the picture below. The architecture looks very similar to the GalSync solution, but there is a subtle difference! The GalSync architecture uses one MA for each connected data source. In the GalSync architecture, each MA imports users, groups and contacts from the source and exports contacts to the target as shown below.

In the Group Management architecture where two connected data sources are equally authoritative for groups and their group memberships, you must use two MAs! The architecture of the solution is shown below.

Now you might think: Why not just create 1 MA for each connected system where each MA handles two different group object types like in the GalSync architecture? The answer to this that you need two MAs for each system because groups in each system need to be connected to BOTH group object types (e.g. objecttype: group_ADDS & group_MGMT) in the MV. Any CS object can only be connected to a single MV object(type).

The logic of this usage case is:

Employees in HR
- HR is authoritative for employees
- Employees objects are imported into the HR CS through the HR MA and then projected as a person object into the MV
- Employees are provisioned into ADDS CS and MGMT APP CS and exported into the end-system through the corresponding MA (ADDS-Users and MGMT-Users)
Groups in ADDS
- ADDS is authoritative for groups and group memberships
- Group objects in ADDS are imported into the ADDS-Group-IMP CS through the ADDS-Group-IMP MA and then projected as a group_ADDS object into the MV
- Group objects (objectType=group_ADDS) are provisioned into MGMT-Group-EXP CS and exported into the MGMT APP through the MGMT-Group-EXP MA
- Group Memberships originating in ADDS follow the same path through the member attribute in each object as the group object itself
Groups in MGMT APP
- MGMT APP is ALSO authoritative for groups and group memberships
- Group objects in MGMT APP are imported into the MGMT-Group-IMP CS through the MGMT-Group-IMP MA and then projected as a group_MGMT object into the MV
- Group objects (objectType=group_MGMT) are provisioned into ADDS-Group-EXP CS and exported into the ADDS through the ADDS-Group-EXP MA
- Group Memberships originating in MGMT APP follow the same path through the member attribute in each object as the group object itself

REMARK: You might expect a group object or group membership originating in a certain source flowing to the other source and then coming back to the original source and keep flowing around in circles. Don't worry as it will not happen, AS LONG AS the correct order of imports/syncs/exports is followed. Otherwise you may see "A DELETION" followed by "AN ADDITION" singing around

REMARK: Be aware you need additional imports and joins to make the "circle" complete!

Something else to be aware of is, that it is very difficult to achieve "last-writer-wins". In reality you will achieve "last-sync-wins". Assuming you execute your imports/sync very often then you might get very close to "last-writer-wins". See the remark above! Very important to know!

This is how you can do it in ILM 2007 FP1. How would you do this in ILM "2", or rather FIM 2010 as it is called right now? In FIM 2010 it is much easier to achieve the scenario. In FIM 2010 the picture at the top of this post has an additional option called "Equal Precedence". When that option is checked, the corresponding MAs are equally authoritative for that attribute. And yes, it also applies to multi-valued reference attributes! In FIM 2010 you would not need to use two MAs for each system, but just one to manage groups and group memberships.

Cheers,

Jorge

OCG Documentor for ILM/MIIS

Jorge — Wed, 03 Jun 2009 17:20:00 GMT

OCG has a tool called the OCG Documentor for ILM. This tool automatically documents the server configuration, the MA configuration and the code used in the Rules Extensions. It's cool, its' hot, it's accurate and it's fast!

There's a free version and there is a paid for version. You could compare the versions with IIFP and ILM. The free version only allows documentation of the AD, ADAM and GalSync MAs and the paid for version allows documentation of all other MAs including XMAs including the addition of additional documentation. After using the free version it is possible upgrade to the paid for version by purchasing a release key.

After reading all the info, a WORD report is generated based upon that information. Did you ILM configuration change for whatever reason, then simply rerun OCG' Documentor and your documentation is up-to-date again.

Summarized:

Provides semi-automated documentation of your ILM installation
Provides an Integrated report which includes all management agents and metaverse configuration details with built in cross references (hyperlinks)
Extracts source code from the installation's Visual Studio projects and inserts at the appropriate points in the report
Produces a document which is readable and can be easily distributed
Can be used as part of an iterative development process
Will detect and warn of configuration errors and anomalies
The MIIS documentation can be customized via a control file which enables you to:
- Insert word documents into the report at specified locations to add context-specific information such as descriptions and diagrams
- Insert sections of content from other text files, this for instance would allow you to include code details which may not be detected by the documentor.

If you are interested in documenting your complete ILM installation as part of a system audit, then please contact us: info@oxfordcomputergroup.com

To download the tool and for more information, click here.

To purchase a release key, click here

To see an example report see the ZIP file as an attachment to this post which contains a PDF.

Something else that's very interesting is that at the moment a colleague of mine in the UK is building a FIM2010 (a.k.a. ILM 2) compatible Documentor.

Cheers,

Jorge

Windows PowerShell Remoting with WinRM

Jorge — Tue, 02 Jun 2009 20:27:40 GMT

If you are using Windows PowerShell Remoting right now with WinRM CTP3 (or lower) on Windows Server 2008, it may break after you apply Service Pack 2 (SP2) for Windows Server 2008 (W2K8). One of the symptoms is the WinRM service not starting anymore and throwing the following error.

The solution? Don't install SP2! J

WAIT! There is another solution to this problem if you want to apply SP2 for W2K8.

Let's assume your starting point is:

Windows Server 2008 RTM with all kinds of hotfixes (or maybe even no hotfix)
Windows Remote Management v2 CTP3
Windows PowerShell v2 CTP3

If you want to apply SP2 you need to do the following:

Download the LATEST version of WinRM CTP3 from https://connect.microsoft.com/WSMAN/Downloads
Remove old version of WinRM CTP3 (DLL=WSMSVC.DLL, Date=2008-DECEMBER-13,Version=6.0.6001.18183) and reboot as needed
Install SP2 and reboot as needed
Install new version of WinRM CTP3 (DLL=WSMSVC.DLL, Date=2009-APRIL-08,Version=6.0.6002.18018) and reboot as needed
Set the "Windows Remote Management (WS-Management)" service from MANUAL to AUTOMATIC DELAYED
Start the "Windows Remote Management (WS-Management)" service

REMARK: for whatever reason, the "Windows Remote Management (WS-Management)" service is set to MANUAL and not started by default. This is different when comparing to the old WinRM CTP3 version. So after the installation of the new WinRM CTP3 version you need to reconfigure the "Windows Remote Management (WS-Management)" service.

Cheers,

Jorge

‘New-Runspace’ vs. ‘New-PSSession’

Jorge — Tue, 02 Jun 2009 20:16:12 GMT

Until Windows PowerShell CTP2, Microsoft used the CMDlet called "New-Runspace" for setting up a remote session. As of Windows PowerShell CTP3 that was changed to "New-PSSession". Why? I do not know. Just something to be aware of!

REMARK: this is not just for the 'New-Runspace', but rather for all related cmdlets, such as 'Remove-Runspace', etc.

Cheers,

Jorge

ILM RollUp Hotfix Packages

Jorge — Tue, 02 Jun 2009 20:07:47 GMT

The latest ILM RollUp Hotfix Package updates both MSDN and Enterprise versions of ILM. This is good because previous hotfixes only update Enterprise versions of ILM. When talking about ILM I mean ILM Provisioning/Synchronization Services (a.k.a. MIIS) AND ILM Certificate Management Services (a.k.a. CLM). Separate fixes are available for both as in reality they are still separate products that can interact with each other. When talking about the interaction between MIIS and CLM [1] a management agent is required to be installed on both the MIIS side and the CLM side. Additionally, configurations are required to provision CLM requests through MIIS. Examples are: configuring an MA, CLM config files, registry permissions, etc.

This is the part where it goes wrong. When Microsoft creates a new hotfix for ILM, for whatever reason they only create the hotfix for MIIS and CLM, and NOT for the MA components of CLM. Is that important, you may think? Heck, yes! Why? Because the CLM MA component on the MIIS side checks DLL versions when talking to CLM. Is version mismatches occur between those two, the CLM MA becomes usesless! Which of course sucks! The error you might see in the Application Event Log is similar to:

--------------------------------------------------------

The extensible extension returned an unsupported error in MIIS.

The stack trace is:

"Microsoft.MetadirectoryServices.ExtensibleExtensionException: Could not load file or assembly 'Microsoft.Clm.Common, Version=3.3.1087.2, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)

Server stack trace:

at ExtensibleWfMA.ClmMaProxy.GetConnectionStringFromClm()

at ExtensibleWfMA.ClmMaProxy.GetConnectionString(String sqlUserName, String sqlPassword, Boolean sqlAuth, String miisSpecifiedConnectionString)

at ExtensibleWfMA.ClmMaProxy.GetSqlDatabaseTimeStamp(String sqlUserName, String sqlPassword, Boolean sqlAuth, String miisSpecifiedConnectionString)

at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]& outArgs)

at System.Runtime.Remoting.Messaging.StackBuilderSink.PrivateProcessMessage(RuntimeMethodHandle md, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]& outArgs)

at System.Runtime.Remoting.Messaging.StackBuilderSink.SyncProcessMessage(IMessage msg, Int32 methodPtr, Boolean fExecuteInContext)

Exception rethrown at [0]:

at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)

at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)

at ExtensibleWfMA.ClmMaProxy.GetSqlDatabaseTimeStamp(String sqlUserName, String sqlPassword, Boolean sqlAuth, String miisSpecifiedConnectionString)

at ExtensibleWfMA.ImportWF.beginImportCode_ExecuteCode(Object sender, EventArgs e)

at ExtensibleWfMA.MACallExport.GenerateImportFile(String filename, String connectTo, String user, String password, ConfigParameterCollection configParameters, Boolean fullImport, TypeDescriptionCollection types, String& customData)

Microsoft Identity Integration Server 3.3.1101.2"

--------------------------------------------------------

So what can you do in the scenario where you are using MIIS, CLM and the CLM MA?

You can update MIIS with its hotfix counterpart, but not the CLM with its hotfix counterpart. Assuming you installed ILM from the ILM media with build 3.3.1087.2, after applying the hotfix for MIIS you would have build 3.3.1101.2 for MIIS and still keep CLM at build 3.3.1087.2 so that the CLM MA, which is build 3.3.1087.2, works with CLM.

Or try to contact PSS and specifically mention you want NEW installation media for ILM with the latest build. I have not tried this myself, but it is worth the try!

[1] Using these names as there are shorter, only MSFT employees must always use the new full marketing names J

Cheers,

Jorge

Dirteam.com/ActiveDir.org Blogs

Changing Windows 7 back to the ‘old’ Windows

Fade to grey

The taskbar

Correct the buttons and the height

Re-enable the Quick Launch icons

Fix Windows Live Messenger

Concluding

Further reading

Disclaimer Pre-release Software

A dream come true… (looking back at 3 years of blogging)

Command Line version of Server Manager in Windows Server 2008 R2

Which PowerShell Snap-Ins and Modules are available for use?

Provisioning to AD and OCS through ILM 2007

Today's IT Infrastructure

Where to put SSL certificate for LDAP …

Fixing Hyper-V ACLs

Importing Hyper-V VMs

Active Directory Forest Recovery Guides

Windows Server 2008 R2 Documentation & Resources

Active Directory Gateway WebService is available for ‘legacy’ OSes

Read-Only Domain Controller (RODC) Branch Office Guide is available

ILM 2007 FP1 and Hyper-V

A New Vulnerability in Active Directory (MS09-018)

Further reading

Active Directory Cleanup - The Most Common Question I See

Quotes about “The Boss”

ILM 2007 FP1 and SQL Server 2008

High Availability for ILM 2007 Sync Engine with Clustering

Exporting Multi-valued attribute to SQL table

Multiple Authoritative Sources for Group Memberships and how about precedence in ILM

OCG Documentor for ILM/MIIS

Windows PowerShell Remoting with WinRM

‘New-Runspace’ vs. ‘New-PSSession’

ILM RollUp Hotfix Packages