Dirteam.com/ActiveDir.org Blogs

KMS Server won't activate additional servers

pbbergs — Tue, 31 Aug 2010 07:32:00 GMT

I have had my KMS server up and running for several years without any problems. Recently I was working on a new 2008 Standard Server and it wouldn't activate.

I attempted to first use the standard GUI on the Windows Activation screen. I was even surprised it popped up since KMS usually just works. I selelcted "Activate Windows online now", a few moments later it came back with the response "The Product key you typed is already in use".

What does that mean? So I thought: forget it, I'm jumping to an elevated command line.

I ran slmgr -ato and I got the message it was activating and waiting for a click on the Ok button. This was followed by the error message (What can't they open up a window within the program???).

Run 'slui.exe 0x2a 0xc004C008' to display the error text. Error: 0xC004C008

So I ran it as requested:

An error has occured

Code: 0xC004C008

Description: The activation server determined that the specified product key could not be used.

Finally something to work with. It turns out there are limits placed on your KMS server and you have to contact Microsoft to get your KMS server limits increased. So my sales rep and I contacted Microsoft Licensed Support at 1-866-230-0560.

They requested we send an upgrade request to the address kmsadd@microsoft.com

Ask for an increase in X number of activations on the key with the following details included:

Enrollment Number:
Company Name:
# of Activations:
KMS Key to modify:

It sure would have been helpful if Microsoft could have just said, "Hey Dude you have used up all your KMS licenses. Please contact your local sales rep to get your count increased."

I have now gone through the requested steps and emailed my request but I still have to wait up to two business days for it to complete.

The email response from their robot:

Thank you for your request for additional KMS activations. You can expect to receive a response within two business days.

All support and responses provided through this alias will be in English.

Please reference Case ID:xxxxxxx for any questions regarding this request.

Hopefully the tags on this page help others to quickly solve this problem.

Thanks to Josh Bussiere for his assistance.

I’m attending Tech·Ed Europe 2010, are you?

Sander Berkouwer — Mon, 30 Aug 2010 06:34:24 GMT

Since I’ve shared some key information on Tech·Ed Europe 2010 earlier, I guess you’ve already concluded I’ll be attending Tech·Ed Europe this year.

Together with two colleagues (Roland Zenhorst and Dave Stork) I’ll be staying in a triple room at the abba Berlin hotel ****. We’re flying in on Sunday November 7, and flying back home to Amsterdam Airport on Saturday November 13.

Just like previous years, I’m eager to meet you all, so leave a comment or send me a contact note/mail when you want to meet up.

Vote for your favorite new Windows 8 features!

Sander Berkouwer — Tue, 17 Aug 2010 22:56:00 GMT

With Microsoft planning for the next version of the Windows Desktop, collectively referred to as Windows 8, promising to supersede Windows 7 and Windows XP together, some of us feel a need to chip in.

Here’s your chance!

Together with Michael Pietroforte and a bunch of other Microsoft MVPs and insiders, we’re running a poll with features for the next version of the Windows Desktop.

Disclaimer
It is quite obvious that Microsoft won’t add all enhancements listed here, and for some features it is not very likely that they will consider them any time soon. But who knows, if those options receive enough votes, someone at Microsoft might get interested.

For your convenience, the features are listed below. Hoover over the description of the feature, to see the more elaborate description.

New user interface
Support for different form factors
More modularity
Third-party patch management
Bare metal hypervisor
Application virtualization
Application streaming
Windows Store
Windows Restore Button
Cloud APIs
New authentication methods
Instant-On
Malware protection
Better UAC
Migration from Windows XP
Better compatibility
Better security
Better performance
Less hardware requirements
Less bloat

Ready to vote?

Vote

Descriptions and poll not readable or useable? Go to 4Sysops.

Participating blogs

Demonic Talking Skull – I’M A UC BLOG – markwilson.it – msigeek – Standalone Sysadmin – Techinch – Teching It Easy: with Windows – The Experience Blog – The things that are better left unspoken – The Windows Club – WindowsObserver – WindowsPro – Within Windows – 7 tutorials – 4sysops

ILM/FIM Sync Engine Terminology

Jorge — Tue, 17 Aug 2010 20:29:00 GMT

The past week I delivered the FIM 2010 Foundation course that is made available by Oxford Computer Group. One of the things I noticed is that people struggle with all the terms and abbreviations. Because of that I promised my attendees to create a nice picture and include explanations. So here goes!

The picture below shows all possible actions that can be execute through one or more Run Profiles which have one or more steps.

MA = Management Agent

CS = Connector Space

MV = Metaverse

INBOUND ATTRIBUTE FLOW [1]: This flow is either caused by executing a Full Sync (touching all objects in the CS) or a Delta Sync (touching only changed objects in the CS) on a certain MA. This is the flow of data from a connector space object to a metaverse object. This only applies to CS objects that are in the same MA as for which the Run Profile was executed.

OUTBOUND ATTRIBUTE FLOW [2]: This flow is either caused by executing a Full Sync (touching all objects in the CS and corresponding MV objects) or a Delta Sync (touching only changed objects in the CS and corresponding MV objects) on a certain MA. This is the flow of data from a metaverse object to a connector space object in any affected MA. This applies to CS objects that are in the same MA as for which the Run Profile was executed and all other MAs that are affected by the inbound attribute flow from the MA as for which the Run Profile was executed.

PROJECTION [3]: This is the creation of a metaverse object based upon a connector space object when executing a Full Sync (touching all objects in the CS) or a Delta Sync (touching only changed objects in the CS). This only occurs when at least one projection rule has been configured in the MA and/or Sync Rule and when no joining rule was satisfied and when the connector filter in the MA is not met. This only applies to CS objects that are in the same MA as for which the Run Profile was executed. After projection, provisioning and inbound/outbound attribute flow may occur.

PROVISIONING [4]: This is the creation of a connector object based upon a metaverse object when executing a Full Sync (touching all objects in the CS and corresponding MV objects) or a Delta Sync (touching only changed objects in the CS and corresponding MV objects). This only occurs when provisioning is enabled in the metaverse and when either a Provisioning Rules Extension exists with provisioning code for one or more MAs or when an Outbound Sync Rule has been configured for one or more MAs with the option to create a resource in the target system. This only applies to MV objects that were "touched" because of the execution of Full/Delta Sync Run Profile on a certain MA.

JOINING [5]: This is the matching of connector space object with a metaverse object based upon certain (unique) identity data (e.g. employeeID) when executing a Full Sync (touching all objects in the CS) or a Delta Sync (touching only changed objects in the CS). This only occurs when at least one join rule has been configured in the MA and/or Sync Rule and when the connector filter in the MA is not met. This only applies to CS objects that are in the same MA as for which the Run Profile was executed. After joining, inbound/outbound attribute flow may occur.

IMPORT: This is the import of scoped data from a connected data source into the corresponding connector space. Either a Full Import or a Delta Import cam be performed. A Full Import just asks for all scoped data, whether or not it is new or has changed, and the sync engine determines new objects and/or changes by comparing it against existing CS objects. A Delta import asks the connected data source for the changes (assuming it can provide those) and the sync engine processes those changes.

EXPORT: This is the export of new/changed data (pending exports - adds, updates, deletes) from the connector space into the connected data source. Exports are always delta. Some connected data sources may want or expect a Full Export and it that case you would need to create your own MA for those connected data sources that expect it.

Cheers,

Jorge

--------------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
--------------------------------------------------------------------------------------------------
############### Jorge's Quest For Knowledge ###############
######## http://blogs.dirteam.com/blogs/jorge/default.aspx #########
--------------------------------------------------------------------------------------------------

Restoring The SYSVOL (Non-)Authoritatively When Either Using NTFRS Or DFS-R (Part 3)

Jorge — Thu, 12 Aug 2010 14:08:18 GMT

This post focusses on restoring the SYSVOL when replicated through the DFS-R mechanism. For the previous posts see here and here.

SYSVOL Replicated Through DFS-R - Authoritative Restore - Steps To Take

To perform an authoritative restore of the SYSVOL when using DFS-R, use the following steps:

Start the Registry Editor
Navigate to "HKLM\SYSTEM\CurrentControlSet\Services\DFSR"
Create a key called "Restore" (only time only)
Create a string value called "SYSVOL" (only time only)
For the string value called "SYSVOL" assign the value of authoritative
Navigate to "HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore"
Create a key called "SystemStateRestore" (only time only)
Create a string value called "LastRestoreId" (only time only)
For the string value called "LastRestoreId" [1] assign the value of 10000000-0000-0000-0000-000000000000
Stop the DFSR Service
Start the DFSR Service

From the command-line the same can be achieved through:

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DFSR\Restore" /v SYSVOL /t REG_SZ /d "authoritative" /f
[1] REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\SystemStateRestore" /v LastRestoreId /t REG_SZ /d "10000000-0000-0000-0000-000000000000" /f
NET STOP DFSR
NET START DFSR

[1] When a backup application performs a system state restore, it must indicate that it has done so by setting the LastRestoreId registry value. The LastRestoreId is a GUID that is formatted as 00000000-0000-0000-0000-000000000000. The GUID has to be different each time a restore is requested. For example, if you have the LastRestoreId set as 10000000-0000-0000-0000-000000000000, for the next restore you have to set it to a different GUID, such as 20000000-0000-0000-0000-000000000000. For more information about setting LastRestoreId, see Registry Keys and Values for Backup and Restore.

As soon as the DFS-R Service starts, the following events appear with information about the non-authoritative restore.

Event ID 2109

Event ID 2110

Event ID 4106

Event ID 4108

SYSVOL Replicated Through DFS-R - Non-Authoritative Restore - Steps To Take

To perform a non-authoritative restore of the SYSVOL when using DFS-R, use the following steps:

Start the Registry Editor
Navigate to "HKLM\SYSTEM\CurrentControlSet\Services\DFSR"
Create a key called "Restore" (only time only)
Create a string value called "SYSVOL" (only time only)
For the string value called "SYSVOL" assign the value of non-authoritative
Navigate to "HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore"
Create a key called "SystemStateRestore" (only time only)
Create a string value called "LastRestoreId" (only time only)
For the string value called "LastRestoreId" [1] assign the value of 10000000-0000-0000-0000-000000000000
Stop the DFSR Service
Start the DFSR Service

From the command-line the same can be achieved through:

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DFSR\Restore" /v SYSVOL /t REG_SZ /d "non-authoritative" /f
[1] REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\SystemStateRestore" /v LastRestoreId /t REG_SZ /d "10000000-0000-0000-0000-000000000000" /f
NET STOP DFSR
NET START DFSR

As soon as the DFS-R Service starts, the following events appear with information about the non-authoritative restore.

Event ID 2109

Event ID 2110

Event ID 4110

Event ID 4102

Event ID 4604

Cheers,

Jorge

Restoring The SYSVOL (Non-)Authoritatively When Either Using NTFRS Or DFS-R (Part 2)

Jorge — Thu, 12 Aug 2010 14:08:02 GMT

This post focusses on restoring the SYSVOL when replicated through the NTFRS mechanism. For the previous post see here and for the next post see here.

SYSVOL Replicated Through NTFRS - Authoritative Restore - Steps To Take

To perform an authoritative restore of the SYSVOL when using NTFRS, use the following steps:

Start the Registry Editor
Navigate to "HKLM\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup"
Double-click on "BurFlags"
Assign it a value of D4 (hex) or 212 (dec)
Stop the NTFRS Service
Start the NTFRS Service

From the command-line the same can be achieved through:

REG ADD "HKLM\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup" /v BurFlags /t REG_DWORD /d 212 /f
NET STOP NTFRS
NET START NTFRS

Also see Using the BurFlags registry key to reinitialize File Replication Service replica sets

As soon as the NTFRS Service starts, the following events appear with information about the non-authoritative restore.

Event ID 13566

Event ID 13553

Event ID 13554

Event ID 13516

SYSVOL Replicated Through NTFRS - Non-Authoritative Restore - Steps To Take

To perform a non-authoritative restore of the SYSVOL when using NTFRS, use the following steps:

Start the Registry Editor
Navigate to "HKLM\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup"
Double-click on "BurFlags"
Assign it a value of D2 (hex) or 210 (dec)
Stop the NTFRS Service
Start the NTFRS Service

From the command-line the same can be achieved through:

REG ADD "HKLM\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup" /v BurFlags /t REG_DWORD /d 210 /f
NET STOP NTFRS
NET START NTFRS

Also see Using the BurFlags registry key to reinitialize File Replication Service replica sets

As soon as the NTFRS Service starts, the following events appear with information about the non-authoritative restore.

Event ID 13565

Event ID 13520

Event ID 13553

Event ID 13554

Event ID 13516

Cheers,

Jorge

Restoring The SYSVOL (Non-)Authoritatively When Either Using NTFRS Or DFS-R (Part 1)

Jorge — Thu, 12 Aug 2010 14:07:37 GMT

The SYSVOL contains logon scripts and GPOs for a particular AD domain. It replicates to all RWDCs and RODCs. When, during the promotion of the very first (W2K8/W2K8R2) RWDC, the DFL is configured with "Windows Server 2003" or lower, then the SYSVOL will use NTFRS as its replication mechanism. At a later stage when you increase the DFL to at least "Windows Server 2008", you can migrate the replication of the SYSVOL from NTFRS to DFS-R. The process for doing that is explained in the SYSVOL Replication Migration Guide: FRS to DFS Replication (Web Based) or SYSVOL Replication Migration Guide: FRS to DFS Replication (Word Doc).

If you need to migrate OTHER DFS NameSpaces from NTFRS to DFS-R then look at DFS Operations Guide: Migrating from FRS to DFS Replication and FRS to DFSR Migration Tool Released.

However, when, during the promotion of the very first (W2K8/W2K8R2) RWDC, the DFL is configured with at least "Windows Server 2008", then the SYSVOL will use DFS-R as its replication mechanism right away and no migration is needed to migration the replication of the SYSVOL from NTFRS to DFS-R.

The use of DFS-R, compared to NTFRS, is way better in terms of performance and stability. DFS-R also works better with RODCs than NTFRS. When the SYSVOL on an RODC is adjusted locally, the changes will remain and will not replicate out because the RODC does not support Outbound Replication to any DC. Over time, if you do this too often you will get inconsistencies. To resolve these consistencies you may need to do a non-authoritative restore of the SYSVOL when replicated by NTFRS. If the same occured on the RODC and DFS-R is being used as the replication mechanism for the SYSVOL, then the local change would be detected and reverted as if nothing had happen. This makes sure the SYSVOL contents remains consistent on RODCs. For other differences see The Case for Migrating SYSVOL to DFSR.

The availability of the SYSVOL is very important for users, because if it is not available on a certain DC (RWDC or RODC), both users and computers cannot log on using that DC.

For both replication mechanisms I will explain how to do an authoritative restore or a non-authoritative restore of the SYSVOL using either replication mechanism.

Authoritative Restore

With an authoritative restore, the data that's being restored is leading compared to all other versions of that same data on onther DCs. Taking that into account, when doing an authoritative restore on a RWDC, one should not forget that all other RWDCs and RODCs must do a non-authoritative restore.

Non-Authoritative Restore

With a non-authoritative restore, the data that's being restored or that is in place is not leading compared to all other versions of that same data on onther DCs. To get the most recent data, the DC for which a non-authoritative restore was done must get the most recent data from another DC.

For the post on restoring the SYSVOL when replicated through the NTFRS mechanism see here.

For the post on restoring the SYSVOL when replicated through the DFS-R mechanism see here.

Cheers,

Jorge

Speaking At TechED 2010? That's up to you!

Jorge — Mon, 09 Aug 2010 14:13:30 GMT

I have proposed to speak at TechED 2010 about the following: "DC Locator in AD for authN and SYSVOL/NETLOGON".

Please go to the following website and vote for my session called "Locating Domain Controllers for AuthN and SYSVOL/NETLOGON Access"

Website: http://europe.msteched.com/sessionpreference
Keyword to search for: LOCATING

Then click on the word ADD on the right of you screen.

THANKS!

Cheers,

Jorge

Speaking At TEC Europe 2010 In October

Jorge — Mon, 09 Aug 2010 13:56:48 GMT

Yes, it's that time of the year again! TEC 2010 EUROPE is coming and is planned for the first week of October 2010. This time you can find us in Dusseldorf. I'll be delivering one pre-conference workshops this year about disaster recovery together with Guido Grillenmeijer, Gil Kirkpatrick and Ulf "who's ya daddy" Simon-Weidner. The four of us are the "Masters of Disaster" :-)

In addition to that I'll be presenting about the DC Locator in AD for authN and SYSVOL/NETLOGON. From what I know right now, my session is scheduled on monday. There is a reason for it. Exactly one week later on October 11th we are expecting our new baby. We are hoping he/she comes a day earlier like Anne, so that his/her birthday will be: 10-10-10.

Information about the conference:

Event: The Experts Conference (TEC) 2010
Website: http://www.tec2010.com/
Location: Dusseldorf
Date: October 4th - 6th
Workshops: http://www.theexpertsconference.com/europe/agenda-speakers/pre-conference-workshops/
Agenda – TEC Directory/Identity: Not available yet
Agenda – TEC Exchange: Not available yet
Agenda – TEC Sharepoint: Not available yet
Sessions – TEC Directory/Identity: http://www.theexpertsconference.com/europe/agenda-speakers/directory-identity-training/session-abstracts/
Sessions – TEC Exchange: http://www.theexpertsconference.com/europe/agenda-speakers/exchange-training/session-abstracts/
Sessions – TEC Sharepoint: http://www.theexpertsconference.com/europe/agenda-speakers/sharepoint-training/session-abstracts/
Speakers – TEC Directory/Identity: http://www.theexpertsconference.com/europe/agenda-speakers/directory-identity-training/speaker-bios/
Speakers – TEC Exchange: http://www.theexpertsconference.com/europe/agenda-speakers/exchange-training/speaker-bios/
Speakers – TEC Sharepoint: http://www.theexpertsconference.com/europe/agenda-speakers/sharepoint-training/speaker-bios/

Make sure you are there and do not miss this!

Cheers,

Jorge

Auditing In Windows Server 2008 R2

Jorge — Fri, 30 Jul 2010 19:26:59 GMT

Auditing in Windows Server 2008 also provided granular audit policies, but those were only configurable locally on each server through the utility called AUDITPOL. From within a GPO you could only configure the global auditing policies. Windows Server 2008 R2 now also allows you to configure the granular audit policies through a GPO.

The Granular Audit Policies can be found in a GPO at the following location:

--> Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration

It contains the following node and subnodes:

Audit Policies
- Account Logon
  - Audit Credential Validation
  - Audit Kerberos Authentication Service
  - Audit Kerberos Service Ticket Operations
  - Audit Other Account Logon Events
- Account Management
  - Audit Application Group Management
  - Audit Computer Management
  - Audit Distribution Group Management
  - Audit Other Account Management Events
  - Audit Security Group Management
  - Audit User Account Management
- Detailed Tracking
  - Audit DPAPI Activity
  - Audit Process Creation
  - Audit Process Termination
  - Audit RPC Events
- DS Access
  - Audit Detailed Directory Service Replication
  - Audit Directory Service Access
  - Audit Directory Service Changes
  - Audit Directory Service Replication
- Logon/Logoff
  - Audit Account Lockout
  - Audit IPSec Extended Mode
  - Audit IPSec Main Mode
  - Audit IPSec Quick Mode
  - Audit Logoff
  - Audit Logon
  - Audit Network Policy Server
  - Audit Other Logon/Logoff Events
  - Audit Special Logon
- Object Access
  - Audit Application Generated
  - Audit Certification Services
  - Audit Detailed File Share
  - Audit File Share
  - Audit File System
  - Audit Filtering Platform Connection
  - Audit Filtering Platform Packet Drop
  - Audit Handle Manipulation
  - Audit Kernel Object
  - Audit Other Object Access Events
  - Audit Registry
  - Audit SAM
- Policy Change
  - Audit Audit Policy Change
  - Audit Authentication Policy Change
  - Audit Authorization Policy Change
  - Audit Filtering Platform Policy Change
  - Audit MPSSVC Rule-Level Policy Change
  - Audit Other Policy Change Events
- Privilege Use
  - Audit Non-Sensitive Privilege Use
  - Audit Sensitive Privilege Use
  - Audit Other Privilege Use Events
- System
  - Audit IPsec Driver
  - Audit Other System Events
  - Audit Security State Change
  - Audit Security System Extension
  - Audit System Integrity
- Global Object Access Auditing
  - File System (Global Object Access Auditing)
  - Registry (Global Object Access Auditing)

More detailed information about each auditing topic (including events) can be found:

Cheers,

Jorge

Managing The userAccountControl Attribute In AD By FIM

Jorge — Thu, 29 Jul 2010 21:02:46 GMT

If you are using some system manage Identities in AD and you are either using ILM 2007 FP1 or FIM 2010 you may need to configure the ILM/FIM Sync Engine to act on the AccountStatus value and translate that to the userAccountControl value in AD.

So...

If employeeStatus = 'Enabled' then the AD user account must be enabled, or in technical terms userAccountControl bit 1 (2nd bit) (2^1=2) must be disabled.

If employeeStatus = 'Disabled' then the AD user account must be disabled, or in technical terms userAccountControl bit 1 (2nd bit) (2^1=2) must be enabled.

If you want to do this using classic flow rules, then you need to the following:

The attribute "employeeStatus" must be available as a string attribute in the Metaverse. The attribute "userAccountControl" must be selected to be imported from AD.

In the AD MA you also need an advanced export attribute flow (MV:employeStatus --> CD:userAccountControl). For the flowrulename you can use anything you like. I prefer to make it as clear as possible to what happens, so I call it "generate-userAccountControl(CS)".

In the Rules Extension Project for the MA you need to add the following:

Imports ActiveDs <-- requires a reference added to the project!

Public Sub MapAttributesForExport(ByVal FlowRuleName As String, ByVal mventry As MVEntry, ByVal csentry As CSEntry) Implements IMASynchronization.MapAttributesForExport

Select Case FlowRuleName

Case "generate-userAccountControl(CS)"

If mventry("employeeStatus").IsPresent Then

Dim currentUACValue As Long

Dim newUACValue As Long

If csentry("userAccountControl").IsPresent Then

currentUACValue = csentry("userAccountControl").IntegerValue And (Not ADS_USER_FLAG.ADS_UF_PASSWD_NOTREQD)

Else

currentUACValue = ADS_USER_FLAG.ADS_UF_NORMAL_ACCOUNT And (Not ADS_USER_FLAG.ADS_UF_PASSWD_NOTREQD)

End If

Select Case mventry("employeeStatus").Value.ToLower

Case "enabled"

newUACValue = (currentUACValue Or ADS_USER_FLAG.ADS_UF_NORMAL_ACCOUNT) And (Not ADS_USER_FLAG.ADS_UF_ACCOUNTDISABLE)

Case "disabled"

newUACValue = currentUACValue Or ADS_USER_FLAG.ADS_UF_ACCOUNTDISABLE

End Select

csentry("userAccountControl").IntegerValue = newUACValue

End If

If you want to do this using declarative flow rules (Sync Rules), then you need to the following:

The attribute "employeeStatus" must be available as a string attribute in the Metaverse. The attribute "userAccountControl" must be selected to be imported from AD. The attribute "userAccountControl" must be available as a number attribute in the Metaverse.

In the Portal Portal you need an Inbound Sync Rule for the AD MA.

SOURCE = userAccountControl

TARGET = userAccountControl

In the Portal Portal you need an Outbound Sync Rule for the AD MA.

For the INITIAL FLOW in the outbound sync rule you can use the following:

SOURCE = IIF(Eq(employeeStatus,"Enabled"),512,514)

To make more readable...

    IIF(
        Eq(employeeStatus,"Enabled"),
        512,
        514
    )

TARGET = userAccountControl

For the PERSISTENT FLOW in the outbound sync rule you can use the following:

SOURCE = IIF(Eq(employeeStatus,"Enabled"),IIF(IsPresent(userAccountControl),BitAnd(33554397,userAccountControl),512),IIF(IsPresent(userAccountControl),BitOr(2,userAccountControl),514))

To make more readable...

    IIF(
            Eq(employeeStatus,"Enabled"),
            IIF(
                IsPresent(userAccountControl),
                BitAnd(33554397,userAccountControl),
                512

            ),
            IIF(
                IsPresent(userAccountControl),
                BitOr(2,userAccountControl),
                514
            )
    )

TARGET = userAccountControl

Cheers,

Jorge

Windows Server Core Configurator

Jorge — Thu, 29 Jul 2010 20:26:39 GMT

With Windows Server 2008, Microsoft introduced Server Core into the Windows Server operating system, which is a new installation option. Summarized: Windows Server WITH a GUI is Full Server and WIndows Server WITHOUT a GUI is Server Core. You could also call it "Windows without Windows" or "Windows Command Prompt".

Server Core has limited support for GUIs. Because of that a lot of the stuff locally must be done through Command Line Tools already in the operating system or third-party (free) tools. A non-exhaustive list of command line tools in Server Core can be found here.

Server Core is the perfect Windows Server option with the lowest attack surface you can imagine. Lots of the bagage that Full Server has is not available. If it is not available there's not much left to attack.

Although perfect in terms of security, admins may not feel that well because they do not always know all the required command line utilities with their options to do something on the server.

A while ago, the Server Core Configurator was born which allowed an admin to use a GUI to do stuff locally on Server Core. The story about that tool can be found here. Unfortunately that tool is not available anymore to download. So, what are the options now?

On codeplex you will find two versions of Windows Server Core Configurator. Version 1.1 can be used on Windows Server 2008 Server Core (x86 and x64) and on Windows Server 2008 R2 Server Core (x64 only) because it is based upon VB Script. Version 2.0 can only be used on Windows Server 2008 R2 Server Core (x64 only) because it leverages PowerShell. The required features are "NetFx-ServerCore Feature" and "PowerShell" and both are only available on the Server Core version of Windows Server 2008 R2. As soon as you start version 2.0 it checks for the required features. If those are not installed, then those will be installed. If you are using Server Core on Windows Server 2008 R2, I really suggest you use version 2.0 of the Windows Server Core Configurator. The GUI is amazing!

Have a look at some screenshots for both versions.

"Windows Server Core Configurator Version 1.1"

"Windows Server Core Configurator Version 2.0"

Isn't this just COOL?!

Cheers,

Jorge

Adding claim mapping to existing provider in SPS 2010, part deux

tomek — Tue, 13 Jul 2010 22:26:00 GMT

While ago I wrote short entry about adding new claim mapping to existing definition of identity token provider. After this post I got following comment from one of readers (good that I still have some of them here :) ):

When I run the powershell command it fails wit the following error: Add-SPClaimTypeMapping : Incoming claim types do not include claim type 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'

I had no time to dig into this issue since then but as it often happens I had to do this on my own – so here is part duex of this tip – what to do if You have new claim definition and You have to add it to SPS 2010 identity provider definition.

(cc) Tiger Pixel

So let assume that we have new claim with type description as follows:

http://schemas.microsoft.com/ws/2010/07/identity/claims
/company

which is being issued by our ADFS 2 server for SPS 2010 application. Earlier we have defined Identity Token issuer in our SPS 2010 configuration (Jorge has gathered together some articles which describe in details how to do this) – in our case called ADFS20Server.

So how to add this new claim definition to identity token issuer in SPS 2010. Here comes a recipe:

Get IdentityTokenIssuer object:

$tokenIssuer = Get-SPTrustedIdentityTokenIssuer -Identity "ADFS20Server"

Add new claim type:

$tokenIssuer.ClaimTypes.Add("

http://schemas.microsoft.com/ws/2010/07/identity/claims
/company")

Create new claim mapping:

$companyClaim = New-SPClaimTypeMapping -IncomingCLaimType "http://schemas.microsoft.com/ws/2010/07/identity/claims
/company" -IncomingClaimTypeDisplayName "Company" -LocalClaimType
http://schemas.microsoft.com/ws/2010/07/identity/claims
/company

And add it to our token issuer configuration:

$companyClaim | Add-SPClaimTypeMapping -TrustedIdentityTokenIssuer $tokenIssuer

And voile:

PS. Thanks' goes to Bryan who pointed me in right direction when I was struggling with figuring this one out based on SPS2010 Powershell help :).

Changing the Weight and Priority of a Domain Controller Within a Site

pbbergs — Fri, 09 Jul 2010 12:37:00 GMT

If you have multiple domain controllers (dc) within a site and you would like to have one of these dc's refered to more often or only if no other dc is available. Selection of a dc within a site is controlled by both the weight and priority.

Weight of a Domain Controller

By default all dc's have a weight of 100, the heavier the weight the more often the dc is referred to. The formula for the referral is based is an elementary math. If there are two servers in a site and one has a weight of 100 and the other 200. The dc with twice the weight will receieve twice the referals.

To modify the weight of a dc the registry key:

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LdapSrvWeight is used.

Priority of a Domain Controller

By default all dc's have a priority of 0, the lower the priority the first in priority. The dc with the lowest priority in the site will receive ALL authentication requests unless it is unavailable. If the lowest priority dc is unavailable then the next lowest dc in the site will receive all requests, etc...

To modify the priority of a dc the registry key:

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LdapSrvPriority is used.

For additional information see: http://technet.microsoft.com/en-us/library/cc787370(WS.10).aspx

Configuring Sharepoint 2010 To Use ADFS v2 As An Authentication Provider

Jorge — Mon, 05 Jul 2010 20:40:35 GMT

I have started playing with ADFSv2 and I'm trying to configure Sharepoint 2010 to use ADFSv2 as an authN provider. I found the following links to get this done. I don't feel like searching for this again and because of that I decided to blog the links for future references.

Cheers,

Jorge

Server Manager in Windows Server 2008 R2, Part 3

Sander Berkouwer — Sun, 04 Jul 2010 19:19:02 GMT

What started with the Configure your Server wizard and the introduction of Server Roles in Microsoft Windows 2000 Server, resulted in the tangible value of the Initial Configuration Tasks wizard (oobe.exe) and the Server Manager (servermanager.msc) in Windows Server 2008 and Windows Server 2008 R2.

Part 1 and Part 2 of this series focused on Server Manager Remoting and how to gain complete Remoting functionality with PowerShell Remoting in addition to Server Manager Remoting.

Now, in this part of this series, let’s look at a different (but in my opinion equally big) new feature in Server Manager in combination with several Windows Server Roles: Best Practices Analyzers.

About Best Practices Analyzers

Best Practices Analyzers, or BPAs as TLA-addicts like to call them, are not new to Microsoft products. Not even close, since the first Best Practices Analyzer, the Microsoft Exchange Server Best Practices Analyzer (ExBPA), was released in 2004…

Best Practices Analyzers (BPAs)

Part of Server Manager

The first thing that’s new is that Best Practices Analyzers are now part of Server Manager. When you click on a Server Role in the left navigation pane of Server Manager, in the Summary screen (in the main pane) you can scroll down to the Best Practices Analyzer section. Here you can:

Start Best Practices Analyzer Scans using Scan This Role
Review Best Practices Analyzer results
Include and/or exclude specific Best Practices Analyzer results

The screenshot below shows the Best Practices Analyzers for the Active Directory Domain Services Role in Server Manager in Windows Server 2008 R2:

Extended to TechNet

When you view the properties of a Best Practices Analyzer result, either by double clicking a result in the results pane of by selecting the result and following the Properties link, you find more information on the result. Information per result include what was scanned, why it’s not compliant, what the risks are and how to fix the situation.

Below is an example of the “The PDC emulator master dc1.demo.ogd.nl in this forest should be configured to correctly synchronize time from a valid time source” result:

As you might notice, the information is pretty detailed. However, a link is displayed at the bottom of the screen with a hyperlink, promising even more information.

This hyperlink will make your browser (most likely Internet Explorer) visit a TechNet page. Offering clear formatting a more detailed step-by-step resolution path is offered. Actually, I don’t find the extra information the real punch. It’s the Community Content at the end of these TechNet pages, that might prove useful for many administrators.

Because, after working with the Exchange Best Practices Analyzer (ExBPA) for years, I found out not every BPA result results in a better working environment, in terms of usability, security or stability.

The Community Content feature on the TechNet BPA pages might contain warnings from other administrators, MVPs … well, actually anybody with a Windows Live ID!

Updated through Windows Update

There is no doubt in my mind, Microsoft will take the Best Practices Feedback. Even more, I don’t even doubt Microsoft to improve and expand on their Best Practice Analyzers.

As you might have already notice on your Windows Server 2008 R2 boxes, Microsoft is already actively offering update to the Best Practices Analyzer functionality, offering more Best Practices Analyzer scans and updated guidance.

Also available in PowerShell

One last thing I’m excited about in terms of Best Practices Analyzers is the fact you can use PowerShell cmdlets from the Best Practices Analyzer PowerShell Module and Kick off Best Practices Analyzer Scans , review Best Practices Analyzer results and include and/or exclude specific Best Practices Analyzer results from the command line.

Combining this with PowerShell remoting you can make fun PowerShell scripts to perform Best Practices Analyzer scans and export them to Excel, XML and/or HTML format periodically for an intern to manage.

An example of such a script (without error checking!) would be:

invoke-command -computername RemoteServer -scriptblock{
import-module ServerManager
import-module BestPractices
get-bpamodel | invoke-bpamodel
get-bparesult Microsoft/Windows/FileServices | select Severity, Title,Resolution | ConvertTo-HTML | set-content “C:\filebpa.html”
copy C:\filebpa.html \\FileServer\data\BPAReports
}

Concluding

Best Practices Analyzers in Windows Server 2008 R2 are a part of Server Manager. The Exchange team has done a lot of pioneering in this area. When looking at the Exchange Troubleshooting Assistant (ExTrA), Exchange Pre-Deployment Analyzer (ExPDA) and the Microsoft Exchange Server Remote Connectivity Analyzer work this team has done and how this work has found its way into other Microsoft products and technologies, I think we’re in for some serious guidance to make our lives a whole lot easier. A good thing? Who knows…

Server Manager in Windows Server 2008 R2, Part 2

Sander Berkouwer — Sun, 04 Jul 2010 10:09:58 GMT

Now, as I pointed out in Part 1, not all Server Manager functionality is available when you point it to a remote host. For these scenarios, and for repetitive tasks, you can use PowerShell.

PowerShell

One of the strong points of Windows Server 2008 R2 is the availability of PowerShell cmdlets, useable for managing most aspect of the Windows Server Operating System and built-in Roles and Features.

PowerShell Modules

Through the use of PowerShell modules, functionality can be added. The available modules are: (in alpabetical order)

Module	Server Role / Feature
ActiveDirectory	Active Directory Domain Services
ADRMS **	Active Directory Rights Management Services
AppLocker **	AppLocker
BestPractices **	Best Practices Analyzer
BitsTransfer *	Background Intelligent Transfer Service
FailoverClusters	Failover Clustering
GroupPolicy	Group Policy Management
NetworkLoadbalancingClusters	Network Load Balancing
PSDiagnostics *	PowerShell Diagnostics
RemoteDesktopServices	Remote Desktop Services
ServerManager **	Server Manager
TroubleshootingPack **	Windows Troubleshooting Wizards
Internet Information Services	WebAdministration

* Available by default in Windows Server 2008 R2
** Available by default, but not in Server Core installations

Of interest to this blogpost is the ServerManager PowerShell Module. Let’s start by importing the module to our PowerShell with the one-liner below:

Import-Module ServerManager

Now, you can use the three cmdlets hidden inside this module:

Add-WindowsFeature
Get-WindowsFeature
Remote-WindowsFeature

PowerShell Remoting

Just like the Server Manager MMC Snap-in (servermanager.msc) is able to remotely manage servers, PowerShell know the same trick. This can be useful for the scenarios (described in Part 1) where you cannot use the GUI.

For instance, the following code snippet can be used to remotely add the DNS Server role to a Full installation of Windows Server 2008 R2 (specified with RemoteServer):

Invoke-Command -computername RemoteServer -scriptblock {
Import-Module ServerManager
Add-WindowsFeature DNS
}

Concluding

Even though Server Manager in Windows Server 2008 R2 lacks some features when remotely managing Windows Server 2008 R2 installations, PowerShell Remoting can be used to fill in the blanks.

ADFSv2 Video By Matt Steele

Jorge — Sun, 04 Jul 2010 08:54:17 GMT

I just started diving into ADFS and its inner workings. I also found this great video by Matt Steele where he, in an easy way, explains at a high-level what ADFS can do for you and how it works in combination with Windows Azure.

See it here.

Cheers,

Jorge

Server Manager in Windows Server 2008 R2, Part 1

Sander Berkouwer — Fri, 02 Jul 2010 23:41:00 GMT

Server Manager opens when you close the Initial Configuration Tasks wizard. When you open Server Manager, it opens with an overview, as shown below:

Configuration items

It will show you the computer name, workgroup/domain information, IP addressing information and a quick view on remote management capabilities, windows firewall settings and windows update settings. Through the menu in the left pane, it offers quick access to roles and features, diagnostic tools (the event viewer, WSRM, performance monitor and the device manager) and the main configuration categories (task scheduler, windows firewall, services, WMI control and local users and groups).

Links and Wizards

Links are placed throughout the Server Manager to start corresponding GUI tools and/or wizards to change the information, if needed.

While, at first, both tools look the same on both Windows Server 2008 and Windows Server 2008 R2, under the hood, Server Manager is totally different. Let’s take a look at these differences, and how you can utilize the new features in everyday scenarios:

Server Manager Remoting

For the first time in the history of Microsoft Windows , the general configuration tool is capable of being used remotely. Not only can you use the Server Manager MMC Snap-in (servermanager.msc) on a Windows Server to point it to another Windows Server, the Snap-in is even part of the Remote Server Administration Tools for Windows 7.

When used remotely, however, Server Manager, lacks a couple of features, when you compare it to the Server Manager launched locally on a server. The table below shows the differences:

Functionality	Locally (Full install)	Remote (Full install)	Remote (ServerCore)
View main configuration items
View computer name
View domain/workgroup information
View IP addressing
View Remote Desktop settings
View Product ID and Activation status
View Windows Firewall settings
View Windows Update settings
Change main configuration items
Change computer name
Change domain/workgroup information
Change IP addressing
Configure Remote Desktop
Configure Server Manager Remote Settings
Enter product key and activate Windows
Change Windows Firewall settings
Configure Windows Updates settings
Run the Security Configuration Wizard
Configure IE Enhanced Security (IE ESC)
Server Roles and Features
View installed Roles
View installed Features
Add Roles
Add Features
Remove Roles
Remove Features
Check for new Roles
Manage Roles remotely
Manage Features remotely
Run Best Practices Analyzer scans
View Best Practices Analyzer results
Diagnostics
Event Viewer
Windows System Resource Manager	*	*
Performance Monitor
Device Manager (read-only)
Device Manager
Configuration
Task Scheduler
Windows Firewall with Adv. Security
Services
WMI Control
Local Users and Groups
Storage
Disk Management

* Only applicable when the Windows System Resource Manager feature is installed.

Concluding

Server Core Remoting offers functionality to manage servers remotely after you’ve set them up to be a part of your network and have assigned them roles.

With access to the Windows System Resource Manager being the only difference between remotely managing a Server Core installation and remotely managing a Full installation, it is safe to say Server Manager facilitates managing Server Core installations remotely. You could be managing Server Core installations without even noticing the difference from a management perspective. From a security, power and resource consumption perspective however, you’d notice the difference!

Groups and tokens

tomek — Mon, 28 Jun 2010 20:27:00 GMT

I'm done with an intensive month of sessions, delivered for different user groups and other communities online. When you managed to attend my session about Kerberos I hope you liked it ;). Now it's time for some blogging activities.

A friend asked on his blog (PL only, sorry) a question how to quickly determine the groups a computer account belongs to. Question was asked, time for answer, or at least: one of the possible answers :). Actually I was sure that I wrote about it here before but a quick search determined that I'm wrong (I'm sure I talked about it on last TEC in Berlin). If not ... time to do this now. Starting with the basics.

Constructed attributes

First let me introduce the concept of constructed attributes in Active Directory: Active Directory (among other capabilities) can handle dynamically constructed attributes, which are calculated on the fly when a query is issued to get them. If one looks at the object using a standard LDAP client (like LDP.EXE) or other tool these attributes will not be present on the object. However, when a query is issued to the directory to return them – magic happena and the value (if exists) will be calculated and returned.

(cc) Swansea Photographer

First example, which everybody is familiar with, are back-link attributes. Back-link attributes are pair attributes with forward links, which are used to store information about references among the objects – think member –> memberOf.

If we will take a look at user object properties using the new fancy attribute editor feature from Windows Server 2008 R2 Active Directory Users & Computers (ADUC) we can't see memberOf attribute.

However if we issue a query for this attribute using ADFIND.EXE, we find:

C:\ >adfind -b CN=tom.tom,ou=Accounting,DC=w2k,DC=pl -s base memberOF

AdFind V01.42.00cpp Joe Richards (joe@joeware.net) April 2010

Using server: FIMDC01.w2k.pl:389
Directory: Windows Server 2008 R2

dn:CN=tom.tom,ou=Accounting,DC=w2k,DC=pl
>memberOf: CN=Ksiegowosc,OU=FIMGroups,DC=w2k,DC=pl

1 Objects returned

We get a response ... magic

All the magic is being done by the directory service which is calculating, on the fly, the attribute value which was requested. There is more attributes which can be constructed by AD, and they all fall into one of three categories (at least based on available documentation):

Attribute is marked as constructed in the schema using ATTR_IS_CONSTRUCTED bit in the systemFlags attribute value.
Attribute is a back link. (as showed above)
It is the rootDSE attribute..

A list of constructed attributes is available on MSDN for anyone who is interested.

tokenGroups

And here is an answer (one of possible) to the question how to determine group membership for a workstation: One way is to query for tokenGroups attribute of a computer object. Attribute description is presented below:

These two computed attributes return the set of SIDs from a transitive group membership expansion operation on a given object

So if we query AD for a security principal and we ask for the tokenGroups attribute we will get a list of SID identifiers of groups, to which this computer object belongs when it logs on. The computer object in a domain is a security principal as others, so the query can be issued to retrieve its attributes and retrieve computer attributes values.

Once again using ADFIND.EXE:

C:\ >adfind -b CN=STS,CN=Computers,DC=w2k,DC=pl -s base tokenGroups
AdFind V01.42.00cpp Joe Richards (joe@joeware.net) April 2010

Using server: FIMDC01.w2k.pl:389
Directory: Windows Server 2008 R2

dn:CN=STS,CN=Computers,DC=w2k,DC=pl
>tokenGroups: S-1-5-21-2045789631-2668715847-4178987103-1162
>tokenGroups: S-1-5-21-2045789631-2668715847-4178987103-515

As you can see, we've got a list of SIDs corresponding to the groups. How to translate these SIDs to names? Use ADFIND.EXE with SID as query parameter:

C:\ >adfind -b dc=w2k,dc=pl -s subtree -f "(&(objectSid=S-1-5-21-2045789631-2668715847-4178987103-1162))" name

AdFind V01.42.00cpp Joe Richards (joe@joeware.net) April 2010

Using server: FIMDC01.w2k.pl:389
Directory: Windows Server 2008 R2

dn:CN=ADFS Servers,OU=FIMGroups,DC=w2k,DC=pl
>name: ADFS Servers

1 Objects returned

And that's all of the trickery for today ...

Windows Sharepoint Services 3.0 Breaks After Installing Update MS-KBQ983444

Jorge — Mon, 28 Jun 2010 15:54:21 GMT

In my personal FIM test environment I have not had any issues with update MS-KBQ983444 (MS10-039: Description of the security update for Windows SharePoint Services 3.0: June 8, 2010). However, at my customer I have experienced issues twice (different environments) after this update was installed.

One day the FIM Portal is working perfectly and you do not experience any issues. Everything is working fine. Suddenly the next day or a few days later, when you navigate to the FIM Portal you get an error as if the URL does not exist. Weird! After checking all kinds of stuff you find nothing is wrong and everything is as it needs to be.

After opening the event viewer, you may see errors similar to what you see in the pictures below:

If you see through Windows Update (Windows Update --> View Update History) that the update MS-KBQ983444 was installed recently you can almost be certain that it is not a FIM related issue, but rather a Windows Sharepoint Services (WSS) related issue.

On the FIM Portal Server(s) experiencing these I performed the following steps to solve this:

Open administrative command prompt windows
Navigate to "%COMMONPROGRAMFILES%\Microsoft Shared\web server extensions\12\bin"
Execute the following command: "psconfig -cmd upgrade -inplace b2b -wait -force"

You may see similar output as shown in the following picture

Now try to access the FIM Portal again and everything should be OK again.

More related information:

Cheers,

Jorge

.NET Verification Tool

Jorge — Mon, 28 Jun 2010 14:11:31 GMT

FIM 2010 and a lot of other apps use some kind of version of .NET Framework. If you want to check the health and status of the .NET Framework version(s) you have installed, then you can use the .NET Framework Verification Tool.

SOURCE: http://blogs.msdn.com/b/astebner/archive/2008/10/13/8999004.aspx

=============================================================================================

.NET Framework Setup Verification Tool User's Guide

Introduction

This .NET Framework setup verification tool is designed to automatically perform a set of steps to verify the installation state of one or more versions of the .NET Framework on a computer. It will verify the presence of files, directories, registry keys and values for the .NET Framework. It will also verify that simple applications that use the .NET Framework can be run correctly.

Download location

The .NET Framework setup verification tool is available for download at the following locations:

REMARK: The .zip file that contains the tool also contains a file named history.txt that lists when the most recent version of the tool was published and what changes have been made to the tool over time.

Supported products

The .NET Framework setup verification tool supports removing the following products:

.NET Framework 1.0
.NET Framework 1.1
.NET Framework 1.1 SP1
.NET Framework 2.0
.NET Framework 2.0 SP1
.NET Framework 2.0 SP2
.NET Framework 3.0
.NET Framework 3.0 SP1
.NET Framework 3.0 SP2
.NET Framework 3.5
.NET Framework 3.5 SP1
.NET Framework 4 Client
.NET Framework 4 Full

By default, the .NET Framework setup verification tool will only list versions of the .NET Framework that it detects are installed on the computer that it is being run on. As a result, the tool will not list all of the above versions of the .NET Framework. This product filtering can be overridden by running the .NET Framework setup verification tool with the following command line switch:

--> netfx_setupverifier.exe /q:a /c:"setupverifier.exe /a"

Silent installation mode

The .NET Framework setup verification tool supports running in silent mode. In this mode, the tool will run without showing any UI, and the user must pass in a version of the .NET Framework to verify as a command line parameter. To run in silent mode, you need to download the verification tool .zip file, extract the file netfx_setupverifier.exe from the .zip file, and then run it using syntax like the following:

--> netfx_setupverifier.exe /q:a /c:"setupverifier.exe /p <name of product to verify>"

The value that you pass with the /p switch to replace <name of product to verify> in this example must exactly match one of the products listed in the Supported products section above. For example, if you would like to run the tool in silent mode and verify the install state of the .NET Framework 2.0, you would use a command line like the following:

--> netfx_setupverifier.exe /q:a /c:"setupverifier.exe /p .NET Framework 2.0"

Exit codes

The cleanup tool can returns the following exit codes:

0 - cleanup completed successfully for the specified product
1 - the required file setupverifier.ini was not found in the same path as setupverifier.exe
2 - a product name was passed in that cannot be verified because it does not support installing on the OS that the tool is running on
3 - a product name was passed in that does not exist in setupverifier.ini
100 - verification failed for the specified product
1602 - verification was canceled

Log files

This verification tool creates 2 log files by default that can be used to determine what actions the tool is taking and what errors it encounters while verifying a product. The 2 log files are listed below, and they are created in the %temp% directory by default. Note that you can find the %temp% directory by clicking on the Windows start menu, choosing Run, typing %temp% and clicking OK to open the directory in Windows Explorer.

%temp%\setupverifier_main_*.txt - this log contains information about all actions taken during a verification tool session; it will include information about each resource that the tool attempts to verify for a chosen product and whether or not that resource was found on the system; this log tends to be fairly long, so errors will be logged with the prefix ****ERROR**** to make it easy to search and find them
%temp%\setupverifier_errors_*.txt - this log only contains information about any errors found during verification of a chosen product
%temp%\setupverifier_netfx20testapp_*.txt - this log contains error information for the .NET Framework test application that is run by the verification tool. This log will only be created if there is an error while running the test application.

A new pair of log files will be created each time the verification tool is launched. The date and time the tool is launched will be appended to the end of the log file names by default in place of the * in the names listed above. If you want to control the exact names used for the log files, you can use the following command line parameters:

/l <filename> - specifies a name to replace the default value of setupverifier_main_*.txt for the main activity log for the verification tool
/e <filename> - specifies a name to replace the default value of setupverifier_errors_*.txt for the error log for the verification tool

For example, the following command line will allow you to specify non-default names for both log files:

--> netfx_setupverifier.exe /q:a /c:"setupverifier.exe /l %temp%\my_main_log.txt /e %temp%\my_error_log.txt"

=============================================================================================

Cheers,

Jorge

Four in a row

Sander Berkouwer — Fri, 25 Jun 2010 12:49:59 GMT

Four years ago, on June 26th 2006, I posted the first piece of writing to this blog space. Little did I know back then the adventure I was getting myself into…

Looking back, it’s not just the experience of writing stuff down for the whole world to see. It’s not just the half million pageviews on this blog. It’s the feedback I get from readers like you, from organizations like Microsoft and (since two years) the feedback I get from fellow Microsoft MVPs.

At times, it felt hard to come up with something interesting to tell you all about. With a personal goal to write at least one blogpost per week (on average) it’s sometimes hard. Some periods I didn’t visit any customers and couldn’t write about these experiences.

Over the past four years, however, I came up with 243 posts (not including this one) which exceeds my goal.

In the past four years you have posted 133 comments. Other bloggers have posted 358 trackbacks. To me it’s an honor that so many of you made an effort (registering, then reloading the page and then commenting) to comment on a post. Also, the links from other blogs feel like a compliment. Not just casual bloggers tend to link back, but we’re also receiving backlinks from the ‘Ask the Directory Services team’ blog and ‘The Experts Community’…

Thank You!

ADMT v3.2 Has Been Released

Jorge — Sun, 20 Jun 2010 14:26:36 GMT

"The Active Directory Migration Tool version 3.2 (ADMT v3.2) simplifies the process of migrating objects and restructuring tasks in an Active Directory® Domain Service (AD DS) environment. You can use ADMT v3.2 to migrate users, groups, service accounts, and computers between AD DS domains in different forests (inter-forest migration) or between AD DS domains in the same forest (intra-forest migration). ADMT can also perform security translation (to migrate local user profiles) when performing inter-forest migrations."

Download it from here.

Additional info about ADMT can be found here and here.

Latest ADMT Migration Guide can be downloaded from here.

Cheers,

Jorge

ADMT 3.2 Now Available!

Sander Berkouwer — Sat, 19 Jun 2010 14:53:00 GMT

Windows Server 2008 R2 was released on October 22nd 2009. With a slew of new Active Directory features, the newest incarnation of Windows Server was appealing to many customers. But not to some customers. One thing that stood in their way was the inability to restructure Active Directory domains and forests. Much needed functionality in their line of business, where mergers, acquisitions and divestitures occur often or even are their line of business.

The challenge was no suitable version of the Active Directory Migration Toolkit (ADMT) was available to support some of these scenarios. ADMT 3.1 does not support installation on Windows Server 2008 R2 or an Active Directory domain containing Windows Server 2008 R2 Domain Controller as its source domain.

Now, almost a year after Windows Server 2008 R2 RTM'ed and a little over a year since Microsoft acknowledged the problem, an appropriate version of the Active Directory Migration Tool is available: version 3.2 supports Windows Server 2008 R2 in all scenarios.

Downloads

Download ADMT version 3.2 here.
It’s available in English, Chinese (Simplified and Traditional), French, German, Japanese, Portuguese (Brazil), and Spanish.

The 263-page Active Directory Migration Tool (ADMT) Guide: Migrating and Restructuring Active Directory Domains for use with version 3.2 is available here. It’s available in the same languages as mentioned above.

Dirteam.com/ActiveDir.org Blogs

KMS Server won't activate additional servers

I’m attending Tech·Ed Europe 2010, are you?

Vote for your favorite new Windows 8 features!

Vote

Participating blogs

ILM/FIM Sync Engine Terminology

Restoring The SYSVOL (Non-)Authoritatively When Either Using NTFRS Or DFS-R (Part 3)

Restoring The SYSVOL (Non-)Authoritatively When Either Using NTFRS Or DFS-R (Part 2)

Restoring The SYSVOL (Non-)Authoritatively When Either Using NTFRS Or DFS-R (Part 1)

Speaking At TechED 2010? That's up to you!

Speaking At TEC Europe 2010 In October

Auditing In Windows Server 2008 R2

Managing The userAccountControl Attribute In AD By FIM

Windows Server Core Configurator

Adding claim mapping to existing provider in SPS 2010, part deux

Changing the Weight and Priority of a Domain Controller Within a Site

Configuring Sharepoint 2010 To Use ADFS v2 As An Authentication Provider

Server Manager in Windows Server 2008 R2, Part 3

About Best Practices Analyzers

Best Practices Analyzers (BPAs)

Part of Server Manager

Extended to TechNet

Updated through Windows Update

Also available in PowerShell

Concluding

Further reading

Server Manager in Windows Server 2008 R2, Part 2

PowerShell

PowerShell Modules

PowerShell Remoting

Concluding

Further reading

ADFSv2 Video By Matt Steele

Server Manager in Windows Server 2008 R2, Part 1

Configuration items

Links and Wizards

Server Manager Remoting

Concluding

Further reading

Groups and tokens

Windows Sharepoint Services 3.0 Breaks After Installing Update MS-KBQ983444

.NET Verification Tool

Four in a row

ADMT v3.2 Has Been Released

ADMT 3.2 Now Available!

Downloads

Further reading