Dirteam.com/ActiveDir.org Blogs

Server Core Roles and Features in 2008 R2

Sander Berkouwer — Wed, 03 Feb 2010 13:36:24 GMT

Server Core installations are versatile, secure and highly-optimized installations of Windows Server. Dubbed ‘Windows without Windows’ by some, these installation in Windows Server 2008 R2 are capable of providing more (infrastructural) services than ever! Just like Full installations of Windows Server 2008 R2, depending on the edition of your choice, or budget, the Server Roles and Features installable on a Server Core installation, vary, though.

The table below shows the individual roles and features in fresh Server Core installations of Windows Server 2008 R2, Web (column 1), Standard (column 2), Enterprise (column 3) and Datacenter (column 4) edition. It also lists the Server Roles features in a fresh installation of the special-purpose Hyper-V server 2008 R2. (column 5):

Server Roles and Features	W	S	E	D	H
Active Directory Certificate Services
Certificate Authority
Active Directory Domain Services
Active Directory Domain Controller
Active Directory Lightweight Domain Services
DHCP Server
DNS Server
File Services
File Server
Distributed File System
DFS Namespaces
DFS Replication
File Server Resource Manager
Services for Network File System
Branchcache for network files
Hyper-V
Print and Document Services
Print Server
LPD Service
Remote Desktop Services
Remote Desktop Virtualization Host
Web Server (IIS)
Web Server
Common HTTP features
Static Content
Default Document
Directory Browsing
HTTP Errors
HTTP Redirection
WebDAV Publishing
Application Development
ASP.NET
.NET Extensibility
ASP
CGI
ISAPI Extensions
ISAPI Filters
Server Side Includes
Health and Diagnostics
HTTP Logging
Logging Tools
Request Monitor
Tracing
Custom Logging
ODBC Logging
Security
Basic Authentication
Windows Authentication
Digest Authentication
Client Certificate Mapping Authenti…
IIS Client Certificate Mapping Auth…
URL Authorization
Request Filtering
IP and Domain Restrictions
Performance
Static Content Compression
Dynamic Content Compression
Management Tools
IIS Management Scripts and Tools
Management Service
IIS 6 Management Compatibility
IIS 6 Metabase Compatibility
IIS 6 WMI Compatibility
IIS 6 Scripting Tools
FTP Server
FTP Service
FTP Extensibility
IIS Hostable Web Core
.Net Framework 2.0 Features
.Net Framework 3.5.1 Features
.Net Framework 3.5.1
WCF Activation
HTTP Activation
Non-HTTP Activation
Background Intelligent Transfer Service (BITS)
Compact Server
BitLocker Drive Encryption
BranchCache
Failover Clustering
MultiPath I/O
Network Load Balancing
Quality Windows Audio Video Experience
SNMP Services
SNMP Service
Subsystem for UNIX-based Application
Telnet Client
Windows Process Activation Service
Process Model
.NET Environment
Configuration APIs
Windows Server Backup Features
Windows Server Backup
Command-line tools
Windows PowerShell
Windows PowerShell Cmdlets
Windows Server Migration Tools
WinRM IIS Extension
WINS Server
WoW64 Support
WoW64
WoW64 for .NET Framework 2.0 and Win…
WoW64 for .NET Framework 2.0
WoW64 for Windows PowerShell
WoW64 for .NET Framework 3.0 and 3.5
WoW64 for Print Services
WoW64 for Failover Clustering
WoW64 for Input Method Editor
WoW64 for Subsystem for UNIX-based ap…

red, unavailable green, available for installation gray, installed by default

Note:
While some Server Roles and Features are available in multiple editions of Windows Server, the specific capabilities of the roles may vary between editions.

How to get going with PowerShell in Server Core R2

Sander Berkouwer — Tue, 02 Feb 2010 15:31:33 GMT

Server Core installations of Windows Server 2008 R2 and installations of Hyper-V Server 2008 R2 offer Windows PowerShell. A lot has been written on the geekiness of PowerShell, how it wasn’t included in Server Core installations of Windows Server 2008 R2 and how you could enable it anyway. The question however is, how do you get started with using PowerShell in Server Core?

This blogpost shows you how to install PowerShell, how to start it up and issue some basic commands.

Installing PowerShell

To install Windows Powershell on a Server Core installation of Windows Server 2008 R2, issue the following three commands:

dism /online /enable-feature /featurename:NetFx2-ServerCore
dism /online /enable-feature /featurename:MicrosoftWindowsPowerShell
dism /online /enable-feature /featurename:ServerManager-PSH-Cmdlets

These commands will install the .Net Framework 2.0 binaries. This is a package, Windows PowerShell depends on. After you’ve successfully installed the .Net Framework you can install Windows PowerShell. Use the last command to be able to use the built-in PowerShell cmdlets for Server Manager.

Note:
The above commands are case sensitive.

If you also need 32bit support in Windows Powershell, also issue the following two (again: case sensitive) commands:

dism /online /enable-feature /featurename:NetFx2-ServerCore-WOW64
dism /online /enable-feature /featurename:MicrosoftWindowsPowerShell-WOW64

Tip!
You don’t need to install the base Windows on Windows (WoW) 64 package into a Server Core installation of Windows Server 2008 R2. This package is installed by default.

Starting PowerShell

To start using PowerShell you need to start it up. For some strange reason the path where PowerShell resides is not added to the %PATH% variable after installing, so you need to drill down to it, before you can start PowerShell.

Use the following commands:

cd C:\Windows\system32\WindowsPowerShell\v1.0
powershell

Now PowerShell is started. (Congratulations! )

Showing off PowerShell

One of the strongest examples of the strength of PowerShell is the ability to add and remove Server Roles and Server Features, without the need to worry whether you’re typing them right. (remember, the dism.exe command is case-sensitive)

for instance, on the PowerShell you can use the following command to install the Windows on Windows (WoW) 64 support for .Net Framework 2.0:

PS > enable-windowsfeature netFX2-ServerCore-WoW64

Also, one of the nice benefit of using the get-windowsfeature PowerShell cmdlet is you get the hierarchy, instead of the long list of Server Roles and Features you get when you use dism /online /get-features. See for yourselves, when you execute the following command:

PS > import-module ServerManager
PS > get-windowsfeature

New gear

Sander Berkouwer — Mon, 01 Feb 2010 15:54:00 GMT

I’ve used a Dell Latitude D630 laptop for the past 13 months. It’s been my loyal companion on two Tech·Eds, a MVP Summit, at least a dozen demos and presentations and has been with me to work with various customers. This device is equipped with an Intel Core 2 Duo T8100 processor, 4GB RAM, a 14,1” 1440x900 screen, Dell integrated WiFi and Bluetooth, a 9cell battery and a 160GB hard drive (fourth one).

This device now shows some remarkable traces of use, most notably a couple of cracks in the body and screen bezel, a row of dead pixels half way up the screen and a dent in the keyboard somewhere around the enter key. It also sounds a distressed ‘something’s wrong’ hardware beep once in a while…

It’s being replaced with:

a Dell Latitude E6500

A spanking new Dell Latitude E6500 in brush metal black with the following specs:

Intel Core 2 Duo P9700 (2,80 GHz) processor
15,4” WUXGA (1920x1200) LCD screen
8192 MB DDR2-800 RAM
250GB 7200rpm hard disk with free fall sensor
D-SUB & Display Port out
(with HDMI out through an optional cable)
eSATA port
USB Powershare port
(for charging USB devices when the laptop is off)
Integrated 2,0 Megapixel Webcam
8x DVD+/-RW drive
Wireless 370 Bluetooth
802.11a/b/g/n wireless networking
Integrated keyboard backlighting
6cell battery
3 years of Pro Support

Of course these specs are well above average, but some modifications need to be made (most of them to some of the accessories) to meet my needs. The 3-way power cord for instance doesn’t fit in the 230V socket in the back of the car and the privacy screen of the old laptop doesn’t fit on the new one. Also, I suspect my laptop bag to play a vital role in the damage done to the previous laptop, so I’m having that replaced as well.

A SSD drive is also on my wish list, but deemed too expensive at this point in time. I guess there's always room for improvement.

Update 3 has been released for FIM 2010 RC1

Jorge — Sat, 30 Jan 2010 12:55:54 GMT

Microsoft has released Update 3 for FIM 2010 RC1. It is available connect here. This is the final pre-release of the product before RTM. I think this is a major release because it can be installed as an update or as a new install from scratch. It contains a (new) installation guide. Make sure to read the release notes FIRST before installing it!!!

Summary of changes in Update 3

This package contains multiple updates to the following Microsoft® Forefront™ Identity Manager 2010 feature areas. It also contains a number of general improvements to FIM functionality and reliability.

New prerequisites:

Windows® Installer 4.5 for all server components
For the FIM Service: Microsoft SQL Server® 2008 Service Pack 1 (SP1)
For the FIM Add-In for Outlook: Microsoft Office Outlook® 2007 Service Pack 2 (SP2)

New supported platforms for FIM Certificate Management:

Windows Server® 2008 R2
Windows Server Datacenter Edition

FIM Synchronization Service improvements:

Fixed customer-reported failures in FIM Synchronization Service.
Fixed issues with multimastered attributes.
The FIM management agent (MA) will now store error messages with the operation during export. You do not have to look in the FIM Service event log anymore to view the errors.
You can now have several MAs that are responsible for deleting a resource. This solves a common problem in which custom code was necessary for Declarative provisioning.
Added two new Declarative provisioning functions:
Null – This SR should not contribute a value.
ReplaceString – Find and replace a substring in another string.

Introduces new Management Policy Rule (MPR) types:

The new Set Transition MPR type allows for easy creation of Policies that apply to Set membership changes (that is, when resources enter or leave a specific Set).
During Update 3 installation, all existing MPRs in the system are marked as Request-based MPRs.
The Run On Policy Update flag is now applicable only to the new Set Transition MPRs.
Temporal policy definitions require the use of the new Set Transition MPRs.

Fixes an issue in which queries did not evaluate correctly if they contained three or more conditions and at least two of them used the not() operator.
Adds support for Exchange 2010, which includes the following:

FIM Synchronization Service support for Active Directory MA and global address list (GAL) MA
The FIM Service sending and receiving mail
Outlook 2007 on Exchange 2010 sending approvals and group membership requests

Adds support for SQL Server Failover Clusters for High Availability.
Adds support for taking database backups without stopping the FIM Service.
Removes DomainSynchronizationActivity and replaces it with built-in logic to support cross-forest group management.

Important

This update deletes the WorkflowDefinition Group management workflow: Domain information synchronization for cross-forest resources, which has the Resource ID 955e3366-fbcc-43ee-b6e4-2001b81971da. You should back up any changes you may have made to this resource before installing the update and then re-create the functionality in a new activity.

Cheers,

Jorge

--------------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
--------------------------------------------------------------------------------------------------
############### Jorge's Quest For Knowledge ###############
######## http://blogs.dirteam.com/blogs/jorge/default.aspx #########
--------------------------------------------------------------------------------------------------

ILM 2007 SP1 … Exchange 2010 support

tomek — Thu, 28 Jan 2010 22:28:00 GMT

FIM 2010 is still being cooked in Redmond area but in the meantime we got brand new ILM 2007 Service Pack 1 package which just was published on Downloads web site. ILM 2007 SP1 is cumulative hotfix package but also it brings support for provisioning objects with Exchange 2010.

This is nice progress if you remember how long we had to wait for Exchange 2007 to be supported with ILM … way to go for future ILM team.

Information how to use ILM AD MA to provision objects to Exchange 2010 is published on Technet in Deploy Exchange 2010 in a Cross-Forest Topology article.

Whit Exchange 2010 support we also are getting a new code example and description “Prepare for Online Mailbox Move”. Quote from download description:

Microsoft Exchange Server 2010 supports online mailbox migration from a remote Exchange Server 2010, Exchange Server 2007, or Exchange Server 2003 forest to your Exchange 2010 forest. Prior to performing the online mailbox migration, mail-enabled users with a predefined list of attributes must be present in the target Exchange 2010 forest where the mailbox will be moved to. You can use either the sample code or the sample script to help with your online mailbox migration:

The ILM-based rules extension sample code demonstrates how to customize your current ILM deployment to create the required mail-enabled users in the target Exchange 2010 forest. For more information, see Prepare Mailboxes for Cross-Forest Moves Using the PrepareMoveRequest.ps1 script in the Shell. To download the feature pack, see Microsoft Knowledge Base article 977791 (Service Pack 1 (build 3.3.1139.2) is available for Microsoft Identity Lifecycle Manager (ILM) 2007 Feature Pack 1) .

The remote PowerShell-based sample script demonstrates how to run a PowerShell script to create the required mail-enabled users in the target Exchange 2010 forest. For more information, see Prepare Mailboxes for Cross-Forest Moves Using Sample Code.

Enjoy your reading …

Spot the difference

tomek — Thu, 28 Jan 2010 21:59:00 GMT

Where is a question there is an answer (at least in most cases). This time question was “How to check schema extension introduces to a forest?” and it was asked on ActiveDir.org. There was even more than one answer … apparently some consultants are watching this list :).

So how we can capture what was changed in schema since it was established together with our forest.

(cc tobym)

One of option is using Schema Analyzer tool which comes with AD LDS (ADAM) as it is described on Ask DS Team blog. If we have AD LDS instance and LDFI file with schema we want to analyze it will allow us to get difference between target and base schema. Easy but …

it requires access to AD LDS instance and LDIF file with schema
sometimes it is a bit overhead to get LDI file with difference and we require something easier.

So next approach, also not perfect but a bit simpler and in some cases might be good enough. Just take a(dfind.exe)ny LDAP query tool and query all schema including whenCreated in output. This attribute is replicated among all DCs and we can track date of creation of object. Simple example:

adfind -schema -f "(|(objectClass=attributeSchema)(objectClass=attributeClass))" ldapDisplayName whenCreated –adcsv

now redirect output to file … open it in Excel, sort it on whencreated collumn and voile…

Of course it is not perfect. Still it requires tool like Excel and it gives You only overview when attributes where created. And what about modifications?

In cases we need such information SchemaDiff.cmd script created by Dean Wells (included in archive) comes handy. This tool is based on querying replication metadata and this will give You information about new and updated attributes. Let see how it works:

C:\Temp>SchemaDiff.cmd w2k.pl

SchemaDiff 1.1 / Dean Wells (dwells@msetechnology.com) - March 2006

STATUS - Working [review title bar for progression] ...

       - Forest/schema creation timestamp: 2009-08-23 @ 22:51:06
       - base-schema has been MODIFIED since Forest creation
       - counting classSchema and attributeSchema instances: 1438
       - querying schema ...

*MOD: CN=Schema,CN=Configuration,DC=w2k,DC=pl
       - schemaInfo........................ {modified post-instantiation}

*MOD: CN=User,CN=Schema,CN=Configuration,DC=w2k,DC=pl
       - auxiliaryClass.................... {modified post-instantiation}

+NEW: CN=AstContext,CN=Schema,CN=Configuration,DC=w2k,DC=pl
+NEW: CN=AstExtension,CN=Schema,CN=Configuration,DC=w2k,DC=pl

(…)

Done - 57 schema object(s) added, 4 schema object(s) modified
       in Forest "DC=w2k,DC=pl"

Quick, nice and easy … and no additional tools required (I don’t count repadmin.exe as an additional tool in AD environment).

In general best way to answer such question is to have implemented schema governance process in your environment. It doesn’t have to be something very complicated, sometimes simple file with some procedures is enough … or WSS site in more advanced case. Key is to stick to it and follow it. Think about it …

Exchange 2010 Storage Calculator available! [update]

Heinrich Strauss — Sat, 23 Jan 2010 03:48:00 GMT

The updated version of the Exchange Storage Calculator has just been released! (3.2)

http://msexchangeteam.com/archive/2010/01/22/453859.aspx

With the Worldwide Release of Exchange 2010 yesterday, this provides a crucial planning step towards migration!

I know what I'm doing today! :P

-H.

Where is my DC?

tomek — Fri, 15 Jan 2010 20:28:00 GMT

It is common knowledge that in AD environment client (like workstation) will always (at least it should) try to connect to most optimal domain controller. Optimal from network and AD infrastructure configuration standpoint. This process is based on DNS queries and information stored in AD configuration and in perfect case should lead to situation when client has contacted most optimal DC at given moment.

So we have all subnets defines, connected with appropriate sites and DCs placed in these sites or covered in other way. And suddenly some clients from some small location are starting to use some random DCs instead one we designated for them in our bright and shiny configuration. In such case sys admin is entering his most favorite mode … troubleshooting

(cc) trriseesthings

AD configuration has been extensively reviewed and checked, network checked … event logs are not giving us a clue … what next (besides calling cavalry of some sort :) )?

In such case we have at least one additional troubleshooting mechanism which might be extremely useful in this process, which is enabling debug logging for DC locator process. In each Windows version netlogon service comes with ability to log debug information. What has to be done is enabling this mechanisms through registry change and settings some flags … these flags are described in KB 109626 Enabling debug logging for the Net Logon service.

When this will be done netlogon service will start to log diagnostic data in %widir%\debug\netlogon.log. These information might be very useful in troubleshooting process or at least should give us idea what is going on during this process. Sample netlogon.log part (slightly modified for better reading) from my lab environment is presented below .

[SITE] Setting site name to '(null)'
[SESSION] \Device\NetBT_Tcpip_{33941FFA-DFED-4744-BF9A-972228BC6FF0}: Transport Added (192.168.1.10)
[SESSION] Winsock Addrs: 192.168.1.10 (1) List used to be empty.
[SESSION] V6 Winsock Addrs: (0)
[CRITICAL] Address list changed since last boot. (Forget DynamicSiteName.)
[SITE] Setting site name to '(null)'
[DNS] Set DnsForestName to: w2k.pl
[DOMAIN] W2K: Adding new domain
[DOMAIN] Setting our computer name to wss wss
[DOMAIN] Setting Netbios domain name to W2K
[DOMAIN] Setting DNS domain name to w2k.pl.
[DOMAIN] Setting Domain GUID to ce28b6f7-a26a-4e0f-9f39-0e63e525493e
[MISC] Eventlog: 5516 (1) "wss" "W2K"
[INIT] Replacing trusted domain list with one for newly joined W2K domain.
[SITE] Setting site name to '(null)'
[LOGON] NlSetForestTrustList: New trusted domain list:
[LOGON]     0: W2K w2k.pl (NT 5) (Forest Tree Root) (Primary Domain) (Native)
[LOGON]        Dom Guid: ce28b6f7-a26a-4e0f-9f39-0e63e525493e
[LOGON]        Dom Sid: S-1-5-21-1855823386-3643518527-1754427229
[INIT] Starting RPC server.
[SESSION] W2K: NlSessionSetup: Try Session setup
[SESSION] W2K: NlDiscoverDc: Start Synchronous Discovery
[MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c00ffff1
[INIT] Join DC: \\resfs.w2k.pl, Flags: 0xe00013fd
[MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c00ffff1
[MAILSLOT] NetpDcPingListIp: w2k.pl.: Sent UDP ping to 192.168.1.1
[MISC] NlPingDcNameWithContext: Sent 1/1 ldap pings to resfs.w2k.pl
[MISC] NlPingDcNameWithContext: resfs.w2k.pl responded over IP.
[MISC] W2K: NlPingDcName: W2K: w2k.pl.: Caching pinged DC info for resfs.w2k.pl
[INIT] Join DC cached successfully
[SITE] Setting site name to 'Default-First-Site-Name'
[MISC] NetpDcGetName: w2k.pl. using cached information
[PERF] NlAllocateClientSession: New Perf Instance (001E6688): "\\resfs.w2k.pl"
    ClientSession: 00237D58
[SESSION] W2K: NlDiscoverDc: Found DC \\resfs.w2k.pl
[SESSION] W2K: NlSetStatusClientSession: Set connection status to 0
[DOMAIN] Setting LSA NetbiosDomain: W2K DnsDomain: w2k.pl. DnsTree: w2k.pl. DomainGuid:ce28b6f7-a26a-4e0f-9f39-0e63e525493e
[LOGON] NlSetForestTrustList: New trusted domain list:
[LOGON]     0: W2K w2k.pl (NT 5) (Forest Tree Root) (Primary Domain) (Native)
[LOGON]        Dom Guid: ce28b6f7-a26a-4e0f-9f39-0e63e525493e
[LOGON]        Dom Sid: S-1-5-21-1855823386-3643518527-1754427229
[SESSION] W2K: NlSetStatusClientSession: Set connection status to 0
[SESSION] W2K: NlSessionSetup: Session setup Succeeded
[INIT] Started successfully

Does it look useful??? I think so … happy troubleshooting and don’t forget that Network Monitor or WireShark will tell You the truth about what’s going on on a wire. And this is ultimate troubleshooting tool.

ADLDS (ADAM) for Windows 7

Jorge — Tue, 12 Jan 2010 08:12:12 GMT

In previous client versions of Windows, ADLDS (a.k.a. ADAM) was available for WXP. IN addition to that it was available in every server version of Windows (W2K3, W2K3R2, W2K8 and W2K8R2). There was no official version for Vista, but if I remember correctly (not sure though) it was possible to get the separate download working with some hacks.

However, since yesterday, Microsoft has provided a version of ADLDS for Windows 7. Now everybody with interest to have a lean and mean directory service on his desktop to test or develop software can do it on his desktop without the need to have a server OS.

Get it here!

….and for its logo, see here. J

Cheers,

Jorge

Re-awarded MVP

Sander Berkouwer — Sat, 02 Jan 2010 10:15:00 GMT

Being a Microsoft Most Valuable Professional (MVP) is a one-year gig. My first year as a Directory Services MVP started January 1, 2009. Since then I proudly displayed the MVP logo on the left hand side of my blog. From the Least Amount of Administrative Effort point of view, I was curious to find out whether I could keep the logo there.

With great pleasure I received the following e-mail today:

Congratulations 2010 Microsoft MVP!

Dear Sander Berkouwer,

Congratulations! We are pleased to present you with the 2010 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Directory Services technical communities during the past year.

The Microsoft MVP Award provides us the unique opportunity to celebrate and honor your significant contributions and say "Thank you for your technical leadership."

Toby Richards
General Manager
Community & Online Support

What a great way to start 2010!

Re-Awarded for the 5th Time – MVP Directory Services

Jorge — Fri, 01 Jan 2010 18:51:19 GMT

Today I received an e-mail I was re-awarded again with the MVP Award for Directory Services. This year is the fifth time I have received this award! J

----------

Dear Jorge de Almeida Pinto,

Congratulations! We are pleased to present you with the 2010 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Directory Services technical communities during the past year

----------

!!! THANKS !!!

Cheers,

Jorge

ADFS v2 RC and IIS certificates

tomek — Wed, 23 Dec 2009 23:38:56 GMT

In topic of ADFS Laura said once “If your ADFS is broken, it’s PKI. If it’s not PKI, you’ve got a typo. If it’s not a typo, it’s PKI”. Very true … in different aspects of PKI.

Because of Christmas break I have a bit more free time than usual, still taking under consideration free time which is available when I put my son to sleep. I decided to take a look at just released ADFSv2 RC bits. And I know that it is probably because of me but I managed to produce little problem during the setup procedure, which I think might affect also others so as always … time for blog post.

ADFSv2 and PKI requirements …

For those who have not gone through ADFSv2 setup procedure quick outline of its PKI requirements.

After ADFSv2 is installed as a service on machine next step is to configure it as federation server either standalone or part of a farm. Part of this setup is to provide information about certificate, which will be used as token signing certificate and card space signing certificate. This certificate has to be present in local system store for ADFS setup to be able to pick it up.

My setup …

In order to setup ADFS I’ve created a single machine on which I’ve loaded AD \ Certificate authority and IIS server (not best practice but in my lab I have to take care about available RAM and spindles so … less VMs is better).

To get certificate for my IIS server and later for ADFS service I’ve created cert request using IIS console and based on this request I’ve issued certificate from CA, installed it on my IIS and what *is important* I set this certificate to be used in HTTP binding on my IIS machine.

ADFS service setup and later procedure for configuring it as federation server went smooth and everything worked as it was expected. When I was asked which certificate to use I just choose certificate I’ve created earlier and configured for my IIS machine.

So where the problem begins?

Later I’ve decided that I want to setup my ADFS server using FQDN to avoid problems with SPNs configuration etc (BTW – I believe that after PKI and typos SPNs will be next common issue with ADFS v2 setup … I don’t know why … maybe it is called experience).

So I’ve added DNS record for new name, I’ve done all IIS stuff and among others I’ve revoked previous certificate and removed it from IIS configuration (just deleted it using IIS console), issued new request, new cert ... installed … done. Almost.

Next step is to change ADFS configuration to:

use new FQDN (easy)
use different certificate (should be easy).

First step was OK, but then when I wanted to change token signing certificate in ADFS i got error message which said something similar to:

The SSL certificate with thumbprint 42161585196B80292A675BA95D54429D1E1CF7CE is configured in IIS but could not be found in the Local Computer Personal certificate store. SSL Certificates configured in IIS must also be present in the Local Computer Personal certificate store in order for AD FS 2.0 to use them.

Thumbprint referred to certificate which I previously revoked and removed. Checked things few times … even if I was asked to select new certificate for ADFS to use, and I was ale to choose new certificate every attempt changed in way similar to described above.

Cause and solution …

After thinking about it for a while I’ve checked what certificate is assigned to HTTPS binding for IIS. And it turned out that there is no certificate … at least none was shown in UI. But apparently some reference to previously configured certificate was hold somewhere in IIS configuration and this was causing problem with ADFS configuration.

Once I selected new certificate to be also used for HTTP binding in IIS I was able to change signing certificate for ADFS and finish my setup.

So as it turned out:

deleting certificate in IIS setup and replacing it with new one is not enough. Remember about *BINDINGS*.
error messages are right but no always are pointing you directly in right place.
“If your ADFS is broken, it’s PKI. If it’s not PKI, you’ve got a typo. If it’s not a typo, it’s PKI” … with addition of SPNs :).

Hope this will help at least one person in a future ;).

Kerberos and non-standard port number

tomek — Sun, 20 Dec 2009 20:52:14 GMT

Kerberos in Windows Operating System is around for about 10 years and it is still causing problems and for many people it is like black magic voodoo. In most cases organizations and people in it are not aware that it is now working until it problem will occur on a surface with some application not working or reports not being displayed on MOSS web page …

… and when problem occurs some troubleshooting starts. To make this process a bit easier here is a short explanation of Kerberos, IE and and services running on non-standard port issue.

(cc) TheCX

This post is sponsored by letter A like Architect, because of our Architects inspired me to write it with his ranting about this problem.

Issue which is subject of this post is not related to Kerberos protocol itself, but to Internet Explorer and how IE handles such requests by default.

Never ending story, SPNs …

Short reminder what SPN is … when client application is trying to get access to resources and is using Kerberos authentication it requests at some point Ticket Granting Service (TGS). To specify to service to which it is requesting access in TGS request client specifies Service Principal Name (SPN). SPN then is being used by KDC to find an account which is related to this service and to prepare tickets for it. This is in short words how it works …

SPNs are just string values for servicePrincipalName attribute in form which consist of service prefix, host name and optionally port number.

For example for standard HTTP service running on www.w2k.pl host address SPN would be specified as HTTP/www.w2k.pl.

As I mentioned above there is also optional element of SPN which can be used to specify port on which service is running. In case of our HTTP service running on 8080 port SPN which will contain this port number will look like this HTTP/www.w2k.pl:8080.

Simple … it is helpful if we have services running on different ports and using different accounts – like application pools running on separate accounts associated with web sites on two different ports.

And here comes Internet Explorer …

Problem with Internet Explorer is that when it is being used as client application to request access to Kerberos enabled service on non standard port by default it will not include port number in SPN sent in TGS request. In such case network traffic capture will look somewhat like this (click to enlarge):

As we can see in this traffic IE is trying to request access to web site running on port 8080 but in TGQ request it is not exposing this information and instead of HTTP/lhr2dc01.w2k.pl:8080 it sends request with HTTP/lhr2dc01.w2k.pl as SPN value.

This behavior was first fixed for IE 6 with KB 908209. For IE6 it required fix to be installed and additional registry entry being made.

This article is not mentioning this but same behavior is present in IE7 and IE8. To fix this it doesn’t require fix to be installed but still it has to be enabled through same registry entry specified in KB mentioned above.

If this will be done same situation in network traffic looks as it is presented below (click to enlarge):

As it can be seen in this traffic analysis IE is requesting access to a web site with port specified in SPN and this allows authentication to be completed in this scenario.

When this is useful …

“Why bother???” This is required in scenarios when we have multiple services running on single host, different ports and under different security accounts. Good examples are multiple application pools on single IIS machine.

Probably anyone who will deploy MOSS sites with multiple accounts will came across this scenario and will have to deal with it.

Why not make it default …

Question is … why this is not enabled by default in IE 7 and 8? problem was fixed for IE6 but for later versions it might be included in a default configuration.

I don’t know official answer but first thing which cross my mind is - backward compatibility (you can call it IE6 curse if You want it :) ). Because IE6 worked in this way and many applications were configured to work in this way, which was allowed by IE6 problem turning it on by default in next versions would break all these applications.

IE6 was not specifying a port in SPN request and if there was suitable account with only one SPN without port being specified, and there was another service running on the same host with different port number but under the same service account it just works.

If You will enable this behavior applications running on different ports would break … registering additional SPN will fix it of course, but this would require some planning up front or quick troubleshooting (basic level of network traffic analysis required).

What I would like to see is configuration option which would enable this behavior through GPO … feedback given :).

7 Things to look for in Windows 7 PC Hardware

Sander Berkouwer — Fri, 18 Dec 2009 22:12:24 GMT

With Windows Vista amounting to a 31% market share in enterprise environments, many big companies will be making to switch from Windows XP to Windows 7 directly. In the eight years between their respective launches, a lot has changed in the world. Not just in the world we know, but also in the world of hardware. Windows Vista and Windows 7 support a lot of these new technologies and even build upon them to provide functionality not found in previous versions of Windows.

To benefit from some of Windows’ functionality you’ll need specific hardware. This post shows you the system specifications to look for in future standardized workstations and laptops. It may help you to determine whether those old crusty workstations will be prime targets for your Windows 7 deployment project…

1. Smooth operation

Windows XP is not a memory-hungry Operating System by todays standards. Running an Operating System smoothly with 512MB RAM is not something Windows Vista or Windows 7 pull off. But at least with Windows 7 you can get by with less RAM, to make a system open and manipulate Office files and have a couple of other applications open, compared to the 2GBs of RAM you’d need in a Windows Vista rig to get equal ratings on the quality of the IT environment from your colleagues.

Together with some colleagues I’ve performed my own tests and came to the following conclusions:

Windows 7 and 1GB RAM work together for light and medium office purposes
(2-6 applications open at the same time)
Most new PCs nowadays are sold with 2 GB RAM.

When you’re running more demanding programs, even on rigs with 2 GB RAM, you’re likely to run into a performance bottleneck. When Windows needs to allocate more RAM than is physically available, it will use the page file on the hard disk. Since disk storage is slower than RAM, this significantly hits performance. Adding RAM solves this problem.

Also, ReadyBoost, a feature that has been around since Windows Vista, can be used. Instead of using the page file on disk to expand RAM, first a file on a flash drive will be used. Flash drives are most commonly faster than disk storage. When using USB media, make sure it’s at least 256MB in size, USB 2.0 compatible and plugged into an USB 2.0 socket.

2. BitLocker Drive Encryption

Requires

a Trusted Platform Module (TPM) chip on the motherboard (version 1.2 or later), or USB support in the system BIOS
(and USB media you’re destined to lose…).
Windows 7 Enterprise
Optional: Active Directory schema update

One of the most promising features in Windows Vista Enterprise and Windows 7 Enterprise is the BitLocker functionality. In Windows Vista with Service Pack 1 and later it allows for encryption of the contents of the partitions on the hard disk. In Windows 7 it also allows for encryption of removable storage, which is called BitLocker-to-go. BitLocker can be enabled in many ways, but the most robust way requires a Trusted Platform Module (TPM) chip on the motherboard. The chip needs to be version 1.2 or later.

Without a suitable TPM chip BitLocker can only be used to encrypt the contents of the hard disk using a USB device, containing a startup key. This mode requires that the BIOS on the protected machine supports the reading of USB devices in the pre-OS environment, which would be an alternative system requirement to the TPM chip requirement.

An Active Directory schema update and accompanying tools are available to store recovery keys in Active Directory to allow central recovery of data on unbootable systems due to corrupted USB devices and messed-up TPM ownership.

3. Windows XP mode and MED-V

Requires

a CPU with
- Intel® Virtualization Technology or
- AMD-V™ features
Virtualization features enabled in the system BIOS
1,5 GB of additional hard disk space
512 MB of additional RAM
Windows 7 Professional, Windows 7 Enterprise or Windows 7 Ultimate

Recommended

Windows 7 licenses with Software Assurance and Microsoft Desktop Optimization Pack for Software Assurance (MDOP) licenses for large-scale deployments

For 100% 32bit Windows XP compatibility in Windows 7 Professional and Windows 7 Enterprise Microsoft offers a feature called Windows XP Mode. Leveraging the power of Windows Virtual Pc (the successor to Virtual PC 2007) it simultaneously boots up a virtualized and optimized instance of Windows XP. The built-in USB support allows the virtualized Windows XP instance access to USB devices, which can be used with legacy Windows XP drivers. Using the Application Publishing functionality, programs installed in the virtualized Windows XP instance show up in the Start Menu of the Windows 7 host.

Where Windows XP Mode can be used on an ad-hoc basis to address specific compatibility needs, Microsoft Enterprise Desktop Virtualization (MED-V) can be used for large-scale, centrally manageable deployments, when a Windows 7-compatible version of MED-V is released. (v1.0 SP1 should do the trick) and be part of the Microsoft Desktop Optimization Pack for Software Assurance (MDOP).

Microsoft Enterprise Desktop Virtualization (MED-V) is a compatibility solution based on policies to deploy, stream, secure, expire and update virtualized Windows installations on top of Windows Virtual PC. MED-V is based on technology from Kidaro, a 2008 Microsoft acquisition.

4. Multi Touch

Requires

a Multi Touch capable screen or touchpad
Windows 7, Home Premium, Professional, Enterprise or Ultimate.

Windows Touch has been around for a while now, and even had its own Windows edition in its heydays (Windows XP Tablet PC Edition). But the Touch interface as it’s found in Tablet PCs has had a major upgrade, with the arrival of Multi Touch functionality in Windows 7.

To take advantage of Windows Multi Touch, the computer needs to be equipped with a Multi Touch capable touchscreen or trackpad. Although, the multi touch touchscreen delivers the richest (Microsoft Surface-like) experience, a multi touch trackpad can also deliver the multi touch functionality needed for some business cases.

Note:
While Windows Multi-Touch offers capturing multiple concurrent touches, an application running on top of Windows will also need to offer this functionality.

5. Sleep

Requires

a Windows 7-compatible ACPI BIOS
Windows 7 compatible drivers
Windows 7 Home Basic, Home Premium, Professional, Enterprise or Ultimate.

One of the big and direct money-saving features in Windows Vista and Windows 7 is the way the computer will go to (hybrid) sleep when not used. Estimates on the impact of this feature, enabled by default, range from €60 per year per PC to comparing migrating Windows XP to Windows Vista or Windows 7 to cutting the emission of 10 average cars…

To stay asleep all connected devices need to work together. An USB mouse should not wake up the PC when the mouse is barely touched. To resume from sleep successfully, the BIOS of the PC should have a Windows 7-compliant ACPI, which means it should support ACPI revision 4.0, dated June 16, 2009.

6. DirectAccess

Requires

Windows 7 Enterprise or Windows 7 Ultimate
A server, installed with Windows Server 2008 R2, with two Network Interface Cards (NICs), configured as DirectAccess server and a member of the Active Directory infrastructure, placed on the perimeter network (also known as DMZ). One of the NICs of the DirectAccess server needs to be connected directly to the Internet, the other NIC needs to be connected to the intranet. On the DirectAccess server, at least two consecutive, public IPv4 addresses need to be assigned to the NIC connected to the Internet.
At least one server configured as a web server.
IPv6 connectivity on the corporate network (intranet) or a server configured with Microsoft Forefront Unified Access Gateway (UAG) configured as an IPv6/IPv4DNS and IPv6/IPv4NAT to provide access to IPv4-only hosts.
Active Directory infrastructure with at least one Domain Controller running Windows Server 2008 with Service Pack 2 or Windows Server 2008 R2.

Recommended

Active Directory Certificate Services recommended (certificates are required if the DirectAccess server needs to enforce client health)
Use of smartcards recommended, requiring a smartcard and smartcard reader per DirectAccess user.

Laptops and other domain-joined portables are hard to manage when they’re not connected to the corporate network. Also, in these situations, line of business (LOB) applications are unusable most of the time, except when a VPN or dial-up connection is in use.

With DirectAccess domain-joined computers can be connected to the corporate network whenever an Internet connection is available. There’s no need to VPN into the corporate network, since DirectAccess is configured centrally and settings are figured out automatically by the client.

When a computer is connected through DirectAccess, it is manageable. Group Policies can be used when the minimum amount of bandwidth is available. (slow link detection)

To make DirectAccess truly secure, use it in combination with Network Access Protection (NAP). For this to work you will need to work with certificates and the only truly secure way to store user certificates is to use smartcards. Many laptops have built-in smartcard readers. If you’re looking to deploy DirectAccess with vision, look for equipment with built-in smartcard readers (for laptops) or USB-attached smartcard readers (for desktops).

7. Future upgrades

Remember when Windows Server was a 32bit Operating System? With Windows Server 2008 R2 only 64bit versions of the Windows Server Operating System are available. Two questions remain at the end of the day when discussing Windows client upgrades:

Will the 32bit version of the next Windows client be a mainstream version in terms of software compatibility, software deployment and support?
Is there any reason not to deploy Windows 7 as a 64bit client in terms of software compatibility, software deployment and support in your current environment?

I guess the answer to the first question is ‘yes’. In most cases I think the answer to the second question is also ‘yes’, especially since some PCs already come with an amount of RAM not fully supported by a 32bit Windows client installation: 4GB.

If you’re looking to keep your options open for future upgrades, deploy 64bit installations of Windows 7. Remember though: 64bit Windows installations will only accept signed drivers.

Experiences and/or Differences with FIM2010 RC1 so far (Part 5)

Jorge — Mon, 14 Dec 2009 21:24:26 GMT

Reporting/Auditing

With RC0, a web services client could reconstruct resources via Requests, or betweenTime, atTime and allTime functions

With RC1, a web service client will be able to reconstruct resources via Requests

More attributes on Request, and new creator and target fields in RequestParameters values available
Configurable request trimming interval to auto-delete requests which have been archived

Also see: http://theexpertscommunity.com/item/show/blog/1381

Password Reset Feature

Configuring the MPRs for Password reset was quite complicated. In RC1 these MPRs are pre-configured by default, but are disabled. If you want to use the Password Reset feature you need to enable the MPRs!

Windows XP SP2 is now also supported.

Expect a huge change in how you will be able to use this feature. Very promising! J In time I will tell more about this.

Also interesting to know: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/7d538ef4-a286-481f-8ff1-6e4f886e2f1d

FIM MA Run Profiles

The FIM MA only supports Full Imports at the moment (see release notes)

FIM Portal Schema

Attributes of type "Unindexed String" are not yet supported by the FIM Portal and will not show up the UI for queries/filters.

It is possible to use a dash '-' in the systemName of an attribute, but you should not use it. Why? Well, other parts that may want to use that attribute may not accept that dash in the name. Look at the pictures below.

One of those places where this was found is in a workflow activity. For example… let's say you have created a string type attribute with the systemName 'My-Test-ID' and displayName 'My Test ID'. When using the function evaluator activity you can select as the destination [//Target/My-Test-ID]. You can type this in manually or first select //Target as your workflow parameter and then select 'My Test ID' as your parameter attribute. Click Save and you will see the error in the picture.

Cheers,

Jorge

Experiences and/or Differences with FIM2010 RC1 so far (Part 4)

Jorge — Fri, 11 Dec 2009 23:11:36 GMT

XPATH Filter changes

Double negations are not supported/possible anymore. An example of a double negation is "/Person[not(MyAttribute != '_$$$_')]"

In addition:

"contains()" function now works like SQL Full Text Search
descendants(), betweenTime(), atTime(), allTime() removed
membersof() changed syntax

Patches

After RC1, patches will be made available through Windows Update. You can also download these manually through the Windows Update Catalog.

At the time of writing, Update1 and Update2 have been released.

For the release notes see: FIM 2010 RC1, Update1 and Update2.

Management Agents (MA)

Support for:

Active Directory in Windows Server 2008
SQL Server 2008
Novell eDirectory 8.8
Sun Java System DS 6.2
IBM DB2 9.1, 9.5

To connect to RACF, ACF2, OS400, TopSecret, you will still need ILM 2007FP1.

FIM Service Partition

Checking Uniqueness during object creation

Sync Rules

Sync rules are now bidirectional, meaning that both inbound and outbound within one sync rule is possible.

New functions that are available for "External System Scoping":

NotContains, NotStartsWith, NotEndsWith

New functions that are available for attribute flows:

IsPresent

The GUI to create the Attribute Flows also changed. Previously you could create the attribute flows on one screen. Now you have one screen with two tabs for each attribute flow you need. One tab is for the source attribute and the other tab is for the destination attribute. I really do not like this change.

This is the main screen with all the attribute flows. When you want to create a new flow you click "New Attribute Flow"

This is what you will see when creating a new attribute flow.

Cheers,

Jorge

Experiences and/or Differences with FIM2010 RC1 so far (Part 3)

Jorge — Fri, 11 Dec 2009 21:16:53 GMT

Export/Import Portal Configuration

In ILM 2007 you were able to export the complete Sync Engine configuration and move that to some other instance instead of reconfiguration everything manually. That saved you a lot of work AND mistakes! Although it is possible export/import individual Mas, you need to be careful about that precedence configuration may not be configure the same as with the instance where you did the export. Sometimes it may be better to export the complete server configuration!

In ILM "2" RC0 it was not possible to export ANYTHING from the portal. So, you basically had to reconfigure stuff over and over and over again, until you get annoyed and start dying to be able to use FIM 2010 RC1! Why? FIM 2010 RC1 does allow you to export and import the portal configuration through PowerShell CMDlets. YES ! YES ! YES!!!!!!!!!!!

So, how do you do this? Follow the next steps:

Start PowerShell
Execute: Add-PSSnapin FIMautomation

The following FIM CMDlets become available:

Export-FIMConfig
- The Export-FIMConfig cmdlet extracts configuration objects from the FIM Service using the web service interface. The cmdlet recursively follows references contained in objects in order to extract a full representation of the service's configuration. If a reference points to an object which is not marked as a configuration object, the cmdlet downloads the entire representation but does not follow any references.
Import-FIMConfig
- The Import-FIMConfig cmdlet takes in a list of ImportObject objects and executes the web service calls. Please be warned that all ImportObjects sent to Import will be executed. As objects are created, the references are automatically resolved in subsequent update and create operations.
Join-FIMConfig
- The Join-FIMConfig cmdlet takes two lists of Export Objects and joins them into Match Objects. The cmdlet performs the join using criteria specified as arguments to the cmdlet. The join criteria is specific attributes to compare using case-sensitive matching. You may specify individual join criteria for each object type. For example, you may join on EmployeeID for Person and MailNickname for Groups. You may also use multiple attributes as join criteria. For example, you may join ConstantSpecifier objects on both the DisplayName and Value. No default join criteria is provided. The reason you must specify the join criteria is to ensure that this tool joins on attributes or collections of attributes that are unique in your organization.
Compare-FIMConfig
- The Compare-FIMConfig cmdlet takes in a list of MatchObject and performs an attribute-level comparison on the source and target objects. The cmdlet returns a list of changes to make to the target system such that it looks like the source system. The list of changes is guaranteed to be in precedence order. For example, if a Workflow Definition references an Email Template, then the cmdlet guarantees that the EmailTemplate exists prior to creating the WorkflowDefinition. All objects are processed generically without regard to object type except for ManagementPolicyRule objects. These objects are processed in a special way: the cmdlet guarantees that all dependent sets are updated prior to workflow definitions.
ConvertFrom-FIMResource
- The ConvertFrom-FIMResource serializes objects used elsewhere in the FIM Automation Snapin into xml. The motiviation of this cmdlet is so you can save intermediate work and transfer it among computers. The cmdlet serializes the objects using XmlObjectSerializer in .NET. It is necessary to use this cmdlet over Export-Clixml because Export-Clixml does not preserve nested and complex types.
ConvertTo-FIMResource
- The ConvertTo-FIMResource deserializes objects used elsewhere in the FIM Automation Snapin from xml. This is the complement cmdlet to ConvertFrom-FIMResource. The cmdlet deserializes the objects using XmlObjectSerializer in .NET.

Using the GET-Help CMDlet you can get additional information on how to use each FIM CMDlet, including examples (e.g. Get-help Export-FIMConfig)

Remark: Make sure to read this too!

WorkFlow Activities designed for ILM "2" RC0 to be used in FIM 2010 RC1

Short one. Check the following URL: http://blogs.dirteam.com/blogs/jorge/archive/2009/10/04/workflow-activities-designed-for-ilm2-rc0-may-not-work-for-fim-2010-rc1.aspx

Enable/Disable codeless provisioning

In RC0 you could only disable/enable scripted (through Rules Extensions) provisioning. As soon as an object mapping was defined in the ILM2 MA provisioning would occur, assuming other prerequisites were also met (initial flow only for anchor attributes and criteria). It was not possible to disable codeless provisioning. In RC1 you now can disable codeless provisioning through the Identity Manager GUI. If the setting is not checked, provisioning through Codeless Provisioning will not work. AND it is disabled by default!

Cheers,

Jorge

Experiences and/or Differences with FIM2010 RC1 so far (Part 2)

Jorge — Fri, 11 Dec 2009 21:06:37 GMT

MPRs

New MPRs have been defined or existing MPRs have been redefined. In ILM "2" RC0 an MPR called "Administrators have Full Control" existed which gave administrators Full Control permissions over existing stuff and new created stuff. In FIM 2010 RC1 I created a new object type called COMPUTER including the attributes I wanted on that. I then wanted to create a computer object and at the end when I clicked SUBMIT I got an access denied. Researching a bit more I found out that administrators only have Full Control over configuration stuff in the FIM Portal. They are not allowed to create users and in my case also computers. So, for those object types I had to create an MPR that gave the administrators Full Control over those objects. Now you can take two different approaches: (1) create a permissions based MPR for each object type or, (2) create a permissions based MPR that gives the administrators Full Control over ALL objects.

In addition, it is possible to disable and re-enable MPRs. Now you do not have to delete them or change them in a way so that there were not used by the system. Remember that when you get an access denied you cases might apply: (1) no MPR is available, or (2) an MPR is available but it is disabled!

After you have configured your FIM system with all kinds of MPRs, SETs, Workflows, etc. How are you going to find out or troubleshoot, after 6 months for example, how a particular system works? In ILM"2" RC0 that was a pain in the well-known behind! In FIM 2010 RC1 you will find a button called MPR Explorer (see below). It is "just" button and because of that you might miss it.

Clicking that button shows you the following screen which allows you to select what you want to check/do.

After that, for what you want to do, you define criteria as shown below. In my case I wanted to know which "enabled" "permissions-based MPRs" apply when "ADM.ROOT" makes a request to "Create a resource", "Delete a resource", "Read resource", "Add a value to a multi-valued attribute", "Remove a value from a multi-valued attribute" OR "Modify the value of a single-valued attribute" against "All Objects".

The results of the query I'm making are shown below

SCOM Management Pack

A SCOM Management Pack will be made available for FIM 2010.

Component	# Monitors	# Events
FIM Service	9	8
FIM Portal	11	10
FIM Sync	7	6
FIM CM	6	6

Cheers,

Jorge

Experiences and/or Differences with FIM2010 RC1 so far (Part 1)

Jorge — Fri, 11 Dec 2009 20:31:34 GMT

So FIM 2010 RC1 came out in the beginning of October are my first impressions, or changes I found (either through my own testing/reading or through some other posts):

OS Support

FIM 2010 now both supports Windows Server 2008 (x64) and Windows Server 2008 R2 (x64). Be aware though; if you want to combine all kinds of technologies on one server (e.g. test/demo environment) check all requirements and pre-requisites of all components. For example, Exchange Server 2007 is not supported on Windows Server 2008 R2 and FIM 2010 does not support Exchange Server 2010 yet. However, Microsoft changed their plans and has decided to support Exchange Server 2007 on Windows Server 2008 R2 in the (near) future!

Additional Options During install + FIM Portal Access

FIM 2010 Portal itself

The graphics department at Microsoft has been busy changing its looks and rebranding everything within the system from "Identity Lifecycle Manager "2"" to "Forefront Identity Manager 2010"

BEFORE

AFTER

Other Stuff within the product that was rebranded is:

ILM "2" RC0 Naming	FIM 2010 RC1 Naming
Identity Lifecycle Manager "2"	Microsoft Forefront Identity Management
ILM Service	FIM Service
MIIS / Sync Engine	FIM Synchronization Service
CLM	FIM Certificate Management
Object Type	Resource Type
Object Visualization Configuration (OVC)	Resource Control Display Configuration (RCDC)
Service: Microsoft Identity Integration Server	Service: Forefront Identity Manager Synchronization Service
Service: Microsoft Identity Lifecycle Manager Service	Service: Forefront Identity Manager Service
Service: Microsoft ILM Password Service	Service: Forefront Identity Manager Password Reset Client Service
Service: Certificate Lifecycle Manager	Service: Forefront Identity Manager CM Update Service
Identity Manager	Synchronization Service Manager

FIM MA in Identity Manager

Connection information for the FIM MA is different. You now need to specify the SQL Server, the SQL DB for the portal (to read from) and the address of the FIM Service you want to use for writes (You can have more than one FIM Service and you can dedicate a FIM Service instance for the FIM Sync Engine if you need/want to)

Cheers,

Jorge

Enabling FIM Portal Access for a Regular AD User Account

Jorge — Fri, 11 Dec 2009 20:19:14 GMT

To be able to access the FIM portal as a regular user, the following MUST be true:

The user has an AD user account
The attributes "Domain", "AccountName" and "ObjectSID" must have values populated about that AD user account synched by the FIM Sync Engine
The correct permissions have been configured for the AD user account in the FIM Portal (see more below)

To configure the correct permissions in the FIM Portal to allow portal access for regular users, additional configuration checkboxes appear during the installation of the FIM Portal:

Grant Authenticated Users access to the FIM Portal Site (must be checked if you want to allow access to the FIM Portal)
Grant Authenticated Users access to the FIM Password Reset Site (must be checked if you want to allow access to the FIM Password Portal)

In addition to this all, you as an administrator need to enable a few MPRs which by default are disabled. I'm talking about the following MPRs:

"General: Users can read non-administrative configuration resources"
"User management: Users can read attributes of their own"

You can check the MPRs in the FIM Portal or use can use this powershell script to do that for you. The result may look like:

This is for simple plain FIM Portal access. If you want to allow a user to do more, you need to create and/or enable additional MPRs.

Cheers,

Jorge

EXPORT CMDlet of FIM Migration Tooling not working as expected

Jorge — Fri, 11 Dec 2009 17:27:45 GMT

FIM 2010 provides CMDlets to migrate the configuration of the FIM Portal from one server to another. The first step is exporting the configuration of the SOURCE server. The Powershell script you can use for that is:

---------

# ExportPilot.ps1

# The purpose of this script is to export the current configuration in the pilot environment.

# The script stores the configuration into file "pilot.xml" in the current directory.

Add-PSSnapin FIMAutomation

$pilot_filename = "pilot.xml"

Write-Host "Exporting configuration objects from pilot."

$pilot = Export-FIMConfig -uri http://localhost:5725/ResourceManagementService -policyConfig -schemaConfig -portalConfig

Write-Host "Exported " $pilot.Count " objects from pilot."

$pilot | ConvertFrom-FIMResource -file $pilot_filename

Write-Host "Pilot file is saved as " $pilot_filename "."

Write-Host "Export complete. The next step is to copy " $pilot_filename " to production and run SyncProduction.ps1."

---------

This script will export policy configuration, schema configuration and portal configuration. If you want to export custom configuration such certain object types you need to replace a line as specified in the documentation.

REPLACE

$pilot = Export-FIMConfig -uri http://localhost:5725/ResourceManagementService -policyConfig -schemaConfig -portalConfig

WITH

$pilot = Export-FIMConfig -uri http://localhost:5725/ResourceManagementService -policyConfig -schemaConfig -portalConfig -customConfig ("Group","Person")

However as soon as you execute your adjusted powershell script, you will get the following error:

-------------

Export-FIMConfig : Failure on making enumeration web service call.

Filter = Group

Error= Microsoft.ResourceManagement.WebServices.Faults.ServiceFaultException: c

annot filter as requested

at Microsoft.ResourceManagement.WebServices.Client.ResourceTemplate.Enumerat

eResources(SearchParameters parameters)

at Microsoft.ResourceManagement.WebServices.ResourceManager.MoveNext()

at Microsoft.ResourceManagement.Automation.ExportConfig.EndProcessing()

At C:\_FIM-CONFIG\ExportFIMConfigFromSource.ps1:10 char:27

+ $Source = Export-FIMConfig <<<< -uri http://localhost:5725/ResourceManagemen

tService -policyConfig -schemaConfig -portalConfig -customConfig ("Group","Pers

on")

+ CategoryInfo : InvalidOperation: (:) [Export-FIMConfig], Invali

dOperationException

+ FullyQualifiedErrorId : ExportConfig,Microsoft.ResourceManagement.Automa

tion.ExportConfig

-------------

This is telling you the filter of the customConfig option is wrong. That is weird as the way I'm using is also mentioned in the help of the CMDlet. However, it appears that you need to use the XPATH filter notation. So the correct line would be:

$pilot = Export-FIMConfig -uri http://localhost:5725/ResourceManagementService -policyConfig -schemaConfig -portalConfig -customConfig ("/Group","/Person")

Oh, by the way… This is for FIM 2010 RC 1 Update2

SOURCE: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/6e543d7a-2543-4975-9b5d-0615ae341e47

Cheers,

Jorge

Products, results and goals: When do we call a project a success ?

Paul — Fri, 11 Dec 2009 10:12:00 GMT

We have all heard the tales of horror on projects failing; a small continent of cash has been spent, years have gone by, projectteams work day and night.. but still, a project fails. Sometimes, when the failure is big enough we might even read about it in the paper or hear it on the 6 'o clock news. How is that possible ? How can it be that, despite such hard work and effort, it all ends in tears ? In this article, we'll take a closer look at the relation between products, results and goals. We'll...(read more)

Checking Uniqueness of an attribute in FIM 2010 during the CREATE process

Jorge — Thu, 10 Dec 2009 15:11:50 GMT

At the time of writing Update 2 has been released for FIM 2010 RC1. This update introduces a new feature for RCDCs which leverages XPATH.

In short, when you CREATE a new object in the FIM Portal you can configure an attribute in the RCDC (a.k.a. OVC) to check if the value that was entered manually already exists in the database. If it does not, you can continue. If it does already exist, it will tell you right away! Unfortunately this does NOT work when EDITING an object as the check is not made.

From my personal experience I can say that administering RCDC XML files in XML Notepad is friendlier than editing the text under the hood. Others like to do it in Visual Studio as that also performs additional checks.

Now let's say you do not use an activity to generate a unique AccountName for a person object in the FIM Portal. Instead you need to do it manually and you would like to know right away if it's possible to use that value or not.

In the RCDC for user creation you may have a similar section for the AccountName attribute.

In some editor, it would look like:

In XML Notepad, it would look like:

After you have edited the RCDC, you need to load it into the FIM Portal and finish it with an IISERESET. For the IISRESET, make sure to do that with elevated permissions (otherwise it will fail).

When creating a user manually and entering the AccountName, you will see the following if the attribute value already exists as soon as you click NEXT:

Source: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/cc51ca7a-908c-40bf-ae10-f47711dd321b

Cheers,

Jorge

Windows on Windows (WoW) in Server Core R2

Sander Berkouwer — Wed, 09 Dec 2009 22:54:39 GMT

As you’re probably aware Windows Server 2008 R2 is not available in a 32bit (x86) version. Only 64bit versions (both x64 and IA64) are available, but Microsoft happily provides 32bit Windows on Windows (WoW) support, so admins can install their favorite 32bit programs on top of their 64bit installations.

I’ve dedicated quite some blogposts to 64bit computing, its impact and its barriers, what it means for upgrading Windows Server and how my favorite server role benefits from 64bit computing. I’ve not discussed the way 64bit and Server Roles combine, so here it is.

About Windows on Windows 64-bits (WoW64)

WoW (Windows on Windows) technology offers backward compatibility between a processor architecture and one downlevel processor architecture. There’s a 32bit version of the WoW technology. It allows compatibility with 16bit applications. x64 versions of Windows since Windows XP and IA64 versions of Windows since Windows Server 2003 also have WoW onboard. This version allows to run 32-bit application in our 64-bit environments.

WoW offers backward compatibility with one previous architecture only. WoW in 32-bit Operating Systems can run (some) 16-bit applications and WoW in 64-bit Operating Systems can run 32-bit applications. The drawback is you cannot run any 16-bit applications on Microsoft's 64-bit Operating Systems.

About Server Roles and Server Features

Not every Windows Server is implemented in the same fashion. Therefore Microsoft has modularized most of the services a Windows Server can offer into Server Roles and Server Features. By adding a Server Role or Server Feature, an administrator can extend the services the server offers. Popular Server Roles are the File Server, Print Server and Application Server. Server Features aid Server Roles in delivering the services. The Failover Clustering feature in Windows Server Enterprise and Windows Server Datacenter for instance helps make a Server Role more redundant. Server Roles and Server Features can also be removed from a server, which will automatically delete the installed binaries, resulting in a more secure Operating System.

WoW as a Server Core Feature

With Microsofts ongoing strategy to further modularize the Operating System, it’s apparent Windows on Windows (WoW) became a Server Feature. With Microsoft Windows Server 2008 R2 being 64bit only, it’s a big plus the WoW functionality can be removed when unneeded or installed when needed.

Decision

When planning for Windows Server 2008 R2, the Server Core team had to decide between:

configuring Windows on Windows (WoW) as a Server Feature, installed by default.
configuring Windows on Windows (WoW) an optional Server Feature, allowing administrators to install it when they need 32bit support.

They decided to make WoW an optional feature and shipped as such as part of Windows Server 2008 R2 Beta.

Feedback

However, during the Beta period, the Server Core team received a lot of feedback on weird issues when administrators tried to install 64bit applications. Typically when installing a MSI package they would receive the following error message:

Error 1719. The Windows Installer Service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance.

When looking on the Internet for a resolution, typically they would find advice to reboot the system, reregister the Windows Installer service, start the Installer service (net start msiserver) and grant the System account "Full Control" permissions to the HKEY_CLASSES_ROOT hive of the registry. These actions would typically not result in a resolution of the problem.

Running the following command line before installing the application, however, resolved the problem:

Dism /online /enable-feature /featurename:ServerCore-WOW64

After installing the application the above command could be run again, but this time with enable-feature replaced with disable-feature.

Apparently the installer wasn’t a full x64 installer and according to Andrew Mason, Principal Program Manager on the Server Core team, the issue occurred often.

Change

For the Release Candidate of Windows Server 2008 R2, the Server Core team decided to enable the Windows on Windows feature by default. From that moment on Server Core installations followed the same approach to 32bit compatibility as Full installations do.

This decision helps to:

make Server Core a more predictable installation type, because Server Core installations and Full installation offer the same 32bit compatibility out of the box.
avoid confusion, because the error is a very generic error.
give Microsoft the opportunity to communicate to developers to take into account Windows on Windows (WoW) and 32bit backward compatibility is not a given in Windows anymore.
give Developers time to clean up their acts.

The only downside to this decision is the binaries involved with Windows on Windows (WoW) are installed by default, resulting in a bigger footprint, higher memory usage and some attack surface.

Concluding

In a x64 Server Core installation of Windows Server 2008 R2, the Windows on Windows Server Feature is enabled by default. This change was made between Windows Server 2008 R2 Beta and Windows Server 2008 R2 Release Candidate. The change was based on feedback.

You can uninstall the WoW Server Role by executing the following command:

Dism /online /enable-feature /featurename:ServerCore-WOW64

You do not need the WoW Server Role on Server Core installations of Windows Server 2008 R2 to be able to install and run the Domain Controller role. (This was a bug in pre-release versions of Windows Server 2008 R2)

On Hyper-V Server 2008 R2 installations, Windows on Windows 64 support is not installed by default. One might argue this is the first true 64bit-only Microsoft Operating System

Route 64
64bit-only Windows Server is good for Active Directory
Planning on upgrading to Windows 7 or Windows Server 2008 R2?

Resource Counts in FIM 2010 RC1 Fixed

Jorge — Tue, 08 Dec 2009 20:27:48 GMT

You might have noticed that resource counts do not work in FIM 2010 RC1 (even with Update 1). After installing update2, this is fixed again. However, take into account the following comment that I found on the FIM TechNet Forum.

"This feature is currently broken in RC1 and from RC1 forward will be not supported out of the box. However, if you plug the xpath query back in Approve Requests search scope again after Update 2 (not yet released), it should start to work again. You will get a penalty of 2 seconds on home page load when you add in this query. In fact for each nav bar count query you add in, it would be 2 second delay. For performance reason, we decided to not enable it out of box in Update 2."

Source: http://social.technet.microsoft.com/Forums/en/ilm2/thread/184bb2b7-b20a-4c8a-ab7d-d7098bd997ba

Cheers,

Jorge

Dirteam.com/ActiveDir.org Blogs

Server Core Roles and Features in 2008 R2

Further reading

How to get going with PowerShell in Server Core R2

Installing PowerShell

Starting PowerShell

Showing off PowerShell

Further reading

New gear

a Dell Latitude E6500

Update 3 has been released for FIM 2010 RC1

ILM 2007 SP1 … Exchange 2010 support

Spot the difference

Exchange 2010 Storage Calculator available! [update]

Where is my DC?

ADLDS (ADAM) for Windows 7

Re-awarded MVP

Congratulations 2010 Microsoft MVP!

Re-Awarded for the 5th Time – MVP Directory Services

ADFS v2 RC and IIS certificates

Kerberos and non-standard port number

7 Things to look for in Windows 7 PC Hardware

1. Smooth operation

2. BitLocker Drive Encryption

3. Windows XP mode and MED-V

4. Multi Touch

5. Sleep

6. DirectAccess

7. Future upgrades

Experiences and/or Differences with FIM2010 RC1 so far (Part 5)

Experiences and/or Differences with FIM2010 RC1 so far (Part 4)

Experiences and/or Differences with FIM2010 RC1 so far (Part 3)

Experiences and/or Differences with FIM2010 RC1 so far (Part 2)

Experiences and/or Differences with FIM2010 RC1 so far (Part 1)

Enabling FIM Portal Access for a Regular AD User Account

EXPORT CMDlet of FIM Migration Tooling not working as expected

Products, results and goals: When do we call a project a success ?

Checking Uniqueness of an attribute in FIM 2010 during the CREATE process

Windows on Windows (WoW) in Server Core R2

About Windows on Windows 64-bits (WoW64)

About Server Roles and Server Features

WoW as a Server Core Feature

Decision

Feedback

Change

Concluding

Related Posts

Further reading

Resource Counts in FIM 2010 RC1 Fixed