Dirteam.com/ActiveDir.org Blogs

Mail enabled Public Folder Recipient not found

dmstork — Tue, 16 Mar 2010 04:46:00 GMT

Recently I transitioned an Exchange 2003 Server to Exchange 2010. For the client redirection, I mostly wait two week before decommissioning the old Exchange server. Mailboxes, mail flow, remote access and the default Public Folder are all transitioned to the new server. So, in the event of a failure of the old server, the organization would not notice it.

Eventually most or all clients have been redirected, the new server has proven its stability and nothing stands in the way of decommissioning that old server.

Symptoms

So, the decommissioning in this case was troublesome. The setup exited halfway with an error and after that the setup could not remove all of Exchange, because it could not find the items to remove. Even the setup.log couldn't help me any further. Eventually I decided to manually remove Exchange 2003. The server itself would also be decommissioned; any leftovers on the server would be resolved eventually.

The new environment worked without any problems after that. But around 24 hours later, the administrators noticed that the mail enabled Public Folders couldn't receive any mail and the sender would get the following NDR:

554 5.6.0 STOREDRV.Deliver.Exception:ObjectNotFoundException;
Failed to process message due to a permanent exception with message The Active Directory user wasn't found.

Every mail enabled Public Folder was affected, even new mail enabled folders after this issue first arose. The folders where present in the "Public Folder" Address list, GAL and so forth. Even after re-generating the Offline Address book, the issue persisted. I have tested this via Outlook 2003/2007 and 2010 (beta) and via Outlook Web App. No mailbox enabled user had this issue and as far as we know no mail user had related issues with receiving (SMTP) mail.

I'm not sure of the exact steps, but when I tried to make a recipient with the same SMTP address as the troubled Public Folder, Exchange would give the same mail address. In other words, Exchange knew of the existence of that recipient, but couldn't find it.

A search on the internet wasn't successful in finding a relevant knowledge base article or such, although others seem to have the same issue or related issues. The pattern I noticed was that recently an Exchange (2003) server was decommissioned. See here and here. This post describes the same issue, but only has a work intensive workaround

Both first posts are related to Public Folder replication, but as this replication uses SMTP this issue could have the same cause.

Solution

As stated in the comments in both first posts, the resolution was to remove the (empty) Server container via ADSIedit. In my case it was the server container of the administrative group recently containing the Exchange 2003 server. In my case the location was:

CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,
DC=domain,DC=local

I assume that the failed setup may have had a role in this, although I still find it curious that an empty container could have such a detriment effect on mail enabled Public Folders.

Possibly clues to the underlying reasons can be found in the 24 hour frame and actions taken by the setup of perhaps Exchange 2003 or specific behavior of Exchange 2010 regarding recipients. I have never experienced this issue with Exchange 2007.

Conclusion

Check the above mentioned container with ADSIedit after you decommissioned your last Exchange 2000/2003 server. Remove the empty Server container (at you own risk and be sure to have a backup !!).

Active Directory Domain Services Command Fu, Part 1

Sander Berkouwer — Thu, 11 Mar 2010 14:04:41 GMT

As some systems administrators have already found out, on Microsoft Windows Servers some tasks cannot be performed using the Graphical User Interface (GUI). Although multiple vendors have released graphical tools to make these tasks ~~even more tedious~~ easier for the typical click-on-through Windows Admin, these tasks can easily be performed using the built-in command tools. Also, some queries for information using the built-in graphical tools can result in numerous clicks, ending with information scattered throughout management consoles and screens.

I think every self-respecting Active Directory Domain Services Admin should know the command-line equivalents of 3rd party tools or needlessly complex click sequences.

Even when you’re comfortable using them, it wouldn’t hurt to show off some Active Directory Domain Services Command Fu, would it? Then again, only the more advanced stuff in Active Directory Domain Services is hidden from plain sight. Unless you’re aiming on using ldp.exe or adsiedit.msc all the time to hack your way through your Active Directory jungle and if you’re truly aiming for that senior Active Directory admin position, you should keep reading!

So, to kick off this series, the following three Active Directory Domain Services management tasks, applicable to all current Domain and Forest Functional Levels, cannot or cannot be easily performed using the built-in Graphical User Interface (GUI), but instead rock on the command line!

Creating custom application partitions

Command-line tool to use:

dnscmd.exe

ntdstuil.exe

Replication in Active Directory is controlled through application directory partitions. An application directory partition is a directory partition that can be used to replicate changes only to specific domain controllers. Application directory partitions are particularly useful when controlling the Domain Controllers to which you want to replicate Active Directory-integrated DNS Zones, since some companies have requirements beyond the DomainDnsZones and ForestDnsZones application partitions available by default.

Tip!
To gain access to dnscmd.exe on a Windows 2000 Server you need to install the Resource Kit tools. a separately downloadable dnscmd.exe for usage on Windows 2000 Server is available here.

However, creating custom application directory partitions cannot be done using the Graphical User Interface (GUI). You will need to create a custom application directory partitions using dnscmd.exe /createdirectorypartition first, before you can change the replication scope of DNS to it.

While that last part can actually be performed using the Graphical User Interface, you can also use dnscmd.exe /enlistdirectorypartition to complete the task on the command line.

Alternatively, you can also use the built-in commands within the domain management context in ntdsutil.exe to delete or create directory partitions and add or remove replicas to or from the directory partition.

More information on custom application partitions:

Quering Group Policy Replication Health

Command-line tool to use:

gpotool.exe

Group Policy Objects (GPOs) typically consist of a Group Policy Container (stored within Active Directory under CN=Policies,CN=System,DC=Domain,DC=tld) and a Group Policy Template. (stored within the System Volume, SYSVOL in the Policies file folder)

When replicating the versions of the Group Policy Container (GPC) and Group Policy Template (GPT) might get skewed. When the version numbers don’t match, the Group Policy doesn’t get applied.

While you can check the versions and health of the Group Policy Object (GPO) using the Group Policy Management Console (GPMC) where you’d check the version tab, the GPMC is a download on most downlevel versions of Windows Server.

Using the Group Policy Verification Tool (gpotool.exe) you can check the health of Group Policy Objects (GPOs). Going one step further, using gpotool.exe with the /verbose switch, adds version information to the output.

Tip!
For Windows Server 2003, the Group Policy Verification Tool is part of the Windows Server 2003 deployment Tools. For Windows 2000 Serer, the Group Policy Verification Tool is part of the Windows 2000 Resource Kit.

More information on the Group Policy Verification tool:

Editing advanced trust properties

Command-line tool to use:

netdom.exe

Active Directory Domains and Trusts, to most, are the stuff of acquisitions,mergers and worlds of distrust between groups of admins. I don’t want to diverge much in the wonderful world of trusts, but I do want to talk about editing two trust-related properties, that are essential to restructuring Active Directory forests using the Active Directory Migration Tool (ADMT):

SID Filtering
SID History

SID History is an attribute for an Active Directory object that may contain a SID, the object used to have in a former Active Directory forest or domain. You can fill the sIDHistory attribute using the the Active Directory Migration Tool (ADMT) or manually. With the sIDHistory attribute, the object may bypass Access Control Lists (ACLs).

By default on Windows Server 2003 and onwards, sIDfiltering quarantining is turned on for Active Directory external trusts. This means, the SIDHistory attribute for a user is filtered out and discarded. When creating a trust from a Pre-SP4 Windows 2000 Server-based Domain Controller you will need to enable sIDfiltering manually if you want to use it.

Note:
Performing the commands below to enable SID History and disable SID Quarantining may post a security risk. When an attacker manually fills the sIDHistroy attribute, the attacker may gain unauthorized rights over the trust.

To disable SID Filtering quarantining and enable SID History use the following commands:

Netdom trust TrustingDomain.tld /domain: TrustedDomain.tld
/quarantine:No

Netdom trust TrustingDomain.tld /domain: TrustedDomain.tld
/enableSIDHistory:Yes

More information on Active Directory trusts:

Provisioning Mailboxes In Exchange 2007/2010 By ILM/FIM

Jorge — Wed, 10 Mar 2010 22:37:41 GMT

MS-KBQ275636 explains which attributes are required (at a minimum) to provision a mailbox into an Exchange 2007 (E2K7) environment. For an Exchange 2010 (E2K10) environment the game is a little different. Let's have a look at the HOW and WHY.

The mailbox needs an identifier and needs a location where it should be stored. The identifier can be split into two parts, being the "Alias" to identify the mailbox itself as a minimum to generate the mail address if no custom e-mail address policy has been specified, or when one has been specified to use the Alias AND to generate the legacyExchangeDN. For the GAL, the identifier of the mailbox is the "Display Name" and it is required by Exchange. It is not required by AD. When creating a user in AD, you only need to/must specify the Full Name (a.k.a. CN or RDN), but not the Display Name. If you use Active Directory Users and Computers the Display Name is derived from the Full Name. When creating a mailbox in Exchange whereas there is no Display Name, the Display Name will still be populated and is derived from the Full Name. With regards to the location you need to at least specify an Exchange Server and preferably a mailbox database on that Exchange Server. If you do not specify a mailbox database, Exchange will select a mailbox database randomly. In this case I personally do not like the random stuff, therefore I'd rather specify both the Exchange Server and the mailbox database. Other attributes such homeMTA and msExchHomeServerName are derived from the specified value for homeMDB. Let's have a look at the small differences between E2K7 and E2K10.

Provisioning Exchange 2007 Mailboxes

When provisioning mailboxes in Exchange 2007 you need to at least (the minimum) specify the following attributes:

mailNickname
homeMDB (e.g.: CN=Mailbox Database,CN=First Storage Group,CN=InformationStore,CN=RFSRWDC1,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=MAIL-ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ADCORP,DC=LAB)

REMARK: The assumption is made here the Display Name was already specified during the creation of the user in AD.

REMARK: Note the fact that homeMDB in Exchange 2007 contains both the Mailbox Database Name and the Exchange Server Name (the bold parts)

In addition to specifying the minimum required attributes, you need to configure the ADDS MA as follows/shown:

PS.: I have no clue what the option "Exchange 2007 RUS Server" is used for. The weird thing is that there is no RUS anymore in Exchange 2007. The RUS existed in Exchange 2000/2003.

UPDATE 11-03-2010: According to my MVP friend, Brian Desmond, "Actually RUS still exists in Exchange 2007, it's just a synchronous thing inside the System Attendant which the cmdlets make an RPC call to for it to do its' work. SP2 added a parameter (the same as the optional option in the ADDS MA) to the various cmdlets to specify which Exchange server the cmdlet should call out to for RUS. I would leave it blank unless you have a good reason not to"

Exchange Server 2007 Mailbox Provisioning requires at least the following to be installed on the ILM/FIM Server:

PowerShell v1.0 (or PowerShell v2.0) for the execution of local PowerShell CMDlets.
Exchange Management Console providing the required CMDlets

For Exchange Server 2007, in AD the attributes look like:

dn:CN=Albert Einstein,OU=Users,OU=HISTORY1,OU=Org-Users,DC=ADCORP,DC=LAB
>mailNickname: AEinstein
>homeMDB: CN= Mailbox Database,CN=First Storage Group,CN=InformationStore,CN=RFSRWDC1,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=MAIL-ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ADCORP,DC=LAB
>msExchHomeServerName: /o=MAIL-ORG/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=RFSRWDC1

Provisioning Exchange 2010 Mailboxes

When provisioning mailboxes in Exchange 2010 you need to at least (the minimum) specify the following attributes:

mailNickname
homeMDB (e.g.: CN=Mailbox Database 1627792968,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=MAIL-ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ADCORP,DC=LAB)
msExchHomeServerName (e.g. /o=MAIL-ORG/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=RFSRWDC1)

REMARK: The assumption is made here the Display Name was already specified during the creation of the user in AD.

REMARK: Note the fact that homeMDB in Exchange 2010 only contains the Mailbox Database Name and NOT the Exchange Server Name. The Exchange Server Name is stored in the value for the attribute called msExchHomeServerName

In addition to specifying the minimum required attributes, you need to configure the ADDS MA as follows/shown:

PS.: For the option "Exchange 2010 RPS URI" you need to specify a URL in the form as shown of an Exchange Server that is hosting the "Client Access Server Role" so that the ILM/FIM server can use remote PowerShell CMDlets against it.

Exchange Server 2010 Mailbox Provisioning requires at least the following to be installed on the ILM/FIM Server:

PowerShell v2.0 for the execution of remote PowerShell CMDlets.

REMARK: Provisioning of Exchange 2010 mailboxes does not require the Exchange Management Console to be installed on the ILM/FIM server as remote PowerShell CMDlets are used!

For Exchange Server 2010, in AD the attributes look like:

dn:CN=Albert Einstein,OU=Users,OU=HISTORY1,OU=Org-Users,DC=ADCORP,DC=LAB
>mailNickname: AEinstein
>homeMDB: CN=Mailbox Database 1627792968,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=MAIL-ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ADCORP,DC=LAB
>msExchHomeServerName: /o=MAIL-ORG/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=RFSRWDC1

UPDATE 11-03-2010: I had a discussion with my friend on the "darkside", Tomek, about the information above. We discussed that the flow of the attributes as mentioned is required when using the Synchronization Rules in the FIM Portal. However you can still use "the old fashioned" Export Attribute Flow in the ADDS MA if you want to. Another way to provision mailboxes is to use the function "ExchangeUtils.CreateMailbox" in a Rules Extension DLL. Whatever the case, you really need to be careful when just flowing attributes. For example, the flow of the Mailbox Database and Exchange Server should only occur initially, meaning at the moment when creating the mailbox. It should therefore not be flowed anymore _after_ the creation of the mailbox, unless you would like to have issues! J

Cheers,

Jorge

--------------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
--------------------------------------------------------------------------------------------------
############### Jorge's Quest For Knowledge ###############
######## http://blogs.dirteam.com/blogs/jorge/default.aspx #########
--------------------------------------------------------------------------------------------------

Be careful what You promise … SYSVOL

tomek — Tue, 09 Mar 2010 22:43:00 GMT

... on my Polish blog question was asked on Sunday evening if I can provide some description on SYSVOL location process and pitfalls which might wait there. I said ... 'Why not' ... and then You have to keep Your promise. So today it will be about SYSVOL volume. Recently it is common topic for me as I gave a talk for local communities in Warsaw about GPO mechanics, which also touches this topic. If You can read Polish and You are interested slide deck is available on my Polish blog.

So ... regarding SYSVOL, everyone can see that it is there and it does a job ... until something bad will happen. This is in short words. Its primary goal is to server for domain clients files on a DC, in particular to server GPO templates which are file based part of GPO. GPO consists of two parts – GP container (GPC) in directory and GP Template (GPT) on SYSVOL. Plus some extras like logon scripts etc. If there is no SYSVOL or it is not up to date because of FRS problems (sounds familiar) there are no or outdated GPOs processed on a client side (actually if there is no SYSVOL shared DC will not do its job).

(cc) swingnut

From technical point of view SYSVOL is just a DFS domain based namespace which content is being replicated with FRS in pre-Windows 2008 operating systems and with DFS-R for Windows 2008 and higher if migration was done (if not ... what are you waiting for????). In fact SYSVOL content can be replicated in any way, as long as You know how to keep it in sync (don't tell it to our PSS guys that I wrote this ;) ).

SYSVOL is present on every DC, it is a DFS namespace so ... how can we tell which replica is our client using at this time??? And here is a problem we will talk about today.

Theory …

As I wrote few times on this blog (and Jorge wrote also about it + he will give a talk about this on upcoming TEC 2010 – if You will be there, don't miss it – I will miss it ;) ) client is locating DC using DNS records and information about sites and subnets in what is called DC location process. In this way DS client can (at least should) locate closest (in terms of AD configuration) DC which can handle its requests. Problem is that this is not a case with SYSVOL as SYSVOL location process is not following the same path as DC location process. many AD administrators has learned this in more painful way when they were trying to figure out why client is using SYSVOL replica in some small village north of whatever country it was.

Directory service client is receiving list of SYSVOL replica which is divided into two lists:

SYSVOL replicas in the same site
SYSVOL replicas outside of client site.

By default, both lists are in random order and are not reflecting things like costs or location in which DC is located, except obvious information about local DCs. This behavior does not ensure that client will use same DC for logon and SYSVOL within the same site if multiple DCs are in this site (word random is a key).

To ensure that DC which handles logon request will be the one which will also be used for SYSVOL location some tweaks has to be done. These tweaks (and update) are described in KB831201. After it will be applied DC which handles the request will return its own name as a first DC on a list of SYSVOL replicas returned to a client.

However problem remains if client, for whatever reason, is using SYSVOL replica outside of its site. List of replicas in the second list, which is replicas located outside of client's site, is not ordered with taking into consideration the cost of getting to this site – it is random. So it might happen that first DC on the list is in some place on far north (or south if you prefer) of a globe. With slow WAN link between them, which will affect client in terms of performance. It is also a common case I observe in customer networks, that customer will not be able to access this replica anyway, because of firewall policies which are in place and are prohibiting network traffic between branches.

How to deal with this? It can be resolved with additional configuration for DC, which will enable calculation of SYSVOL replicas list with taking cost of connection between client and replica into consideration. This option is available for DC based on Windows 2003 by default (there is also a fix described in KB823362 for Windows 2000 – remember , support for 2K ends on July this year) and it is called SiteCostedRefferals. To enable this option configure this registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dfs\Parameters
Value Name: SiteCostedReferrals
Data Type: REG_DWORD
Value: 1

However, to make this work we have to provide additional information through configuration at directory level. This information is required for directory to calculate possible routes and this is information about which sites can be accessed by the client. To do this we can enable Bridge all site links (BASL) option, however this might not be a preferred way to do this. Why? Because this will also disrupt replication topology calculation process from KCC standpoint. But if we want to enable SYSVOL cost based replica list calculation while not disturbing KCC with BASL information we can choose to enable for given sites additional option, which will cause KCC to ignore information about site bridging during calculations, but still it will be seen in this way (bridged) for SYSVOL replica cost calculation.

In theory you can think about maintaining site bridges manually as alternative to BASL however I don't know if this will work in real world (but with right people following right process ... it might).

And with information provided above, for those who were not aware of it so far I hope life with SYSVOL is much simpler right now.

Toolkit …

Short information about tools which can be used in information gathering or troubleshooting process. Basic tool to start is dfsutil. DFSUTIL allows you to see list of replica from client point of view and see which one is active at given point in time. Two switches to remember:

DFSUTIL /SPCINFO
DFSUTIL /PKTINFO

In windows Server 2008 witches has changed and now it is::

DFSUTIL CACHE DOMAIN

DFSUTIL CACHE REFERRAL

To have access to DFSUTIL in Windows Server 2008 and later You have to install DFS management tools using features.

And that's all for now ... at least about SYSVOL.

Automatically Deleting Expired Objects in FIM 2010

Jorge — Mon, 08 Mar 2010 14:11:16 GMT

With FIM it is possible to automatically delete objects when those objects meet certain criteria. Examples of criteria are:

Expired objects at the end of their lifecycle. This could be based upon for example the defined ExpirationTime, which in turn may be based upon the EmployeeEndDate + 1 day.
Objects that were created but have never been used within a defined amount of time. This could be based upon for example the defined CreatedTime + 30 days
Objects that were created and have been used, but are not used anymore while still within their valid object lifecycle (between EmployeeStartDate and EmployeeEndDate). This could be based upon for example the LastLogonTimeStamp + 180 days.

The basic idea here is that you first define which objects are candidates to be deleted. Let's use the first example. In addition to the following you need to make sure that in this case the the "ExpirationTime" attribute is set. That could be based on the "EmployeeEndDate" + 1 day. Why "+1 day"? Well if the EmployeeEndDate is the last working day, you do not want to delete the object on that same date, but rather a day later.

You could create the following SET:

Name: "_SET: All People For Which ExpirationTime Has Passed Today" (Remark: I'm not saying "Expired Objects" because what's the definition of an expired object? I like to have clear naming so that's why the SET is called like this)

XPATH Filter: "/Person[ExpirationTime < fn:current-dateTime()]"

Then you need something (a process) that will carry out the deletion of the object. By default, FIM provides a workflow that will delete an object. The name of the workflow is "Expiration Workflow". The description is "This workflow will delete the resource to which it is applied."

Then you need something that's triggered based on the required condition and that it executes the workflow.

You could create the following MPR:

Name: "_MPR: TRN - Notify and Delete Expired Identities"

MPR Type: "Set Transition"

Transition Type: "Transition In"

Transition Set: "_SET: All People For Which ExpirationTime Has Passed Today"

Policy Workflows (Action Only): "Expiration Workflow" + "_WFW: Send Notification Because Of Expired Identity" (The first one suffices, but I also wanted to send the manager of the user a notification that the object was deleted)

So with this configuration, and after making sure an object has an ExpirationTime defined, the results are as follows. As soon as the user becomes a member of the SET ""_SET: All People For Which ExpirationTime Has Passed Today" because the ExpirationTime < Today AND the "FIM_TemporalEventsJob" has executed, the MPR will be triggered and execute the Workflow. In the requests you will see stuff like below. As soon as the object becomes a member of the SET a system event is generated as shown below, but with a PostProcessingError.

As you can see the, Expiration Workflow is the actual requestor/originator when trying to delete the object "Anne Pinto" and in this case it has been denied that action.

Looking closer at the System Event Request, you will see:

You will also see which MPR caused the System Event

What did we forget here? We made sure the action is carried out, but we forgot to assign the correct permissions so that the action is carried out correctly. In this case the "Expiration Workflow" needs to have DELETE permissions to be able to delete the objects in scope. Let's go through that configuration to see what's needed.

Permissions can only be assigned through SETs and a SET is just a grouping of objects that match certain criteria.

So we first need to create a SET that includes the Expiration Workflow. An example of such a SET is:

Name: "_SET: Expiration Workflow System"

XPATH Filter: "/*[ObjectID = 'f6d0bfce-df36-4756-98a2-cb8917428bae']" (this just references a specific object with the GUID specified. If I'm not mistaken this GUID is the same for the Expiration workflow in all FIM deployments)

Then you need something (a process) that allows the deletion of the object. Because it is about assigning permissions you need/must use a REQUEST based MPR. You cannot use TRANSITION based MPRs.

You could create the following MPR:

Name: "_MPR: RQP - Expiration Workflow Can Delete Expired Identities"

MPR Type: "Request"

Requestor: "_SET: Expiration Workflow System"

Operation: "Delete Resource"

Grants Permission: "TRUE"

Target Before Request SET: "_SET: All People For Which ExpirationTime Has Passed Today" (In this case I'm assigning permissions only to those objects that meet certain criteria. If I would have objects meet other criteria that are also candidates for deletion I would create additional MPRs/SET to fulfill that need.)

Resource Attributes: "All Attributes"

Policy Workflows (Action Only): "NONE"

Now a question that could arise is "Could I combine MPRs?" In this case the answer is NO. Why? Well for the action itself I need a transition based MPR which is great for time-based criteria. For the permissions part I need a request based MPR. Transition based MPRs cannot assign permissions.

Let's try this again. So with this configuration, and after making sure an object has an ExpirationTime defined, the results are as follows. As soon as the user becomes a member of the SET "_SET: All People For Which ExpirationTime Has Passed Today" because the ExpirationTime < Today AND the "FIM_TemporalEventsJob" has executed, the MPR will be triggered and execute the Workflow. The other MPR will allow the action to be performed.

As you can see the Expiration Workflow now successfully completed the request to delete the object "Anne Pinto"

As you can see below the actual request to delete the object matches the MPR that assigns the permission to do so. If you expected to see the MPR called "_MPR: TRN - Notify and Delete Expired Identities", then that's not correct. That MPR would be matched in the System Event that causes the action.

Cheers,

Jorge

Speaking at TEC 2010 USA (Los Angeles)

Jorge — Mon, 08 Mar 2010 12:19:29 GMT

Yes, it's that time of the year again! TEC 2010 USA is coming and is planned for the last week of April 2010. It is not is Las Vegas and it is not in Chicago. It is in Los Angeles this time. I'll be delivering two pre-conference workshops this year about disaster recovery together with Guido Grillenmeijer and Gil Kirkpatrick. The three of us are the "Masters of Disaster" J

In addition to that I'll be presenting about the DC Locator in AD for authN and SYSVOL/NETLOGON

Information about the conference:

Event: The Experts Conference (TEC) 2010
Website: http://www.tec2010.com/
Location: Los Angeles
Date: April 25^th – 28^th
Workshops: http://www.theexpertsconference.com/agenda-speakers/workshops/
Agenda – TEC Directory/Identity: http://www.theexpertsconference.com/agenda-speakers/directory-identity-training/conference-agenda/
Agenda – TEC Exchange: http://www.theexpertsconference.com/agenda-speakers/exchange-training/conference-agenda/
Agenda – TEC Sharepoint: http://www.theexpertsconference.com/agenda-speakers/sharepoint-training/conference-agenda/
Sessions – TEC Directory/Identity: http://tec2010.com/agenda-speakers/directory-identity-training/session-abstracts/
Sessions – TEC Exchange: http://www.theexpertsconference.com/agenda-speakers/exchange-training/session-abstracts/
Sessions – TEC Sharepoint: http://www.theexpertsconference.com/agenda-speakers/sharepoint-training/session-abstracts/
Speakers – TEC Directory/Identity: http://tec2010.com/agenda-speakers/directory-identity-training/speaker-bios/
Speakers – TEC Exchange: http://www.theexpertsconference.com/agenda-speakers/exchange-training/speaker-bios/
Speakers – TEC Sharepoint: http://www.theexpertsconference.com/agenda-speakers/sharepoint-training/speaker-bios/

Cheers,

Jorge

Speaking At Microsoft TechDays 2010 in Antwerp (Belgium)

Jorge — Mon, 08 Mar 2010 11:05:47 GMT

Microsoft is organizing an event at the end of the month called Microsoft TechDays 2010. The location is the Metropolis in Antwerp (like last year). Amongst others, I'm one of the speakers and I'll be talking about Forefront Identity Manager (FIM) 2010. I hope to see you there!

Information about the conference:

Event: Microsoft TechDays 2010
Website: http://www.techdays.be/
Location: Metropolis in Antwerp
Date: March 30th, 31st and april 1st
Practical Information: http://www.microsoft.com/belux/techdays/2010/practical.aspx
Agenda: http://www.microsoft.com/belux/techdays/2010/agenda.aspx
Sessions: http://www.microsoft.com/belux/techdays/2010/agenda.aspx
Speakers: http://www.microsoft.com/belux/techdays/2010/speakers.aspx

My session: March 31^st, 17:45-19:00

Cheers,

Jorge

Forefront Identity Manager 2010 has RTMed!

Jorge — Tue, 02 Mar 2010 11:48:48 GMT

Forefront Identity Manager 2010, ILM 2007 FP1's successor, has RTMed! Finally! J

Get the evaluation version here.

Cheers,

Jorge

Presenting for Hyper-V.nu (again)

Sander Berkouwer — Fri, 26 Feb 2010 09:45:43 GMT

On Wednesday March 3, 2010 Hyper-V.nu (the Dutch Hyper-V Community) organizes another meeting for Dutch Hyper-V enthusiasts. This time, they’re partnering with Nobel for the location, food and drinks.

About the event

The event will be held at Nobel at Gooimeer 18 in Naarden, the Netherlands from 9AM to 4PM. The website for the event is currently located at the frontpage of hyper-v.nu, but Nobel also has a nice page with information. Attending the meeting is free of charge. No such thing as a free lunch? Apparently, there is one… and it’s accompanied by free drinks after the event.

The agenda looks like this:

09:30 – 10:30	Microsoft Enterprise Desktop Virtualization (Ment van der Plas, Login Consultants, App-V MVP)
10:30 – 11:30	Active Directory and Hyper-V (Sander Berkouwer, OGD, Directory Services MVP)
11:45 – 12:45	Data protection in a Hyper-V R2 Virtual Environment (Hans Vredevoort, Nobel, Cluster MVP)
13:30 – 14:30	Exchange 2010 testing under Hyper-V R2 (Jaap Wesselius, DM Consultants, Exchange MVP)
14:30 – 15:30	Hyper-V R2 Clusters and HP Servers and Storage (Bert de Reus, Nobel)

My presentation

I’ll be providing a 60 minutes presentation on virtualizing Domain Controllers with Hyper-V.
This blog has seen some exposure on the subject already. All this stuff was covered in the following blogposts:

I think it’ll be fun, though, to actually break some Active Directory Domain Controllers using Hyper-V and System Center Virtual Machine Manager features, like cloning, snapshots, time synchronization and Online Physical to Virtual (P2V) migrations…

I hope to see you there!

Previous gigs with Hyper-V.nu

You might remember I gave a demo for Hyper-V.nu last November. In forty-five minutes I converted a couple of Hyper-V Server 2008 R2 boxes into a live migration Hyper-V R2 solution to deliver the message that building a live migration cluster with Hyper-V Server 2008 R2 boxes isn’t that difficult.

I had a great time and I guess the organization thought so too, because I’m back!
(after Alex Smits unfortunately double booked his agenda and backed out)

Sorry Kim ...

tomek — Wed, 17 Feb 2010 22:13:00 GMT

... Kim Cameron has linked and quoted my previous post on browser identification based on its characteristics available in public. There is EFF project which focus on checking how unique Your browser is against others based on public information.

As it turned out Kim's browser has even higher score (19.29) in this test then my original score (18.73). Then higher the score is then browser is more unique, thus easier to identify as unique on web sites without my consent.

As Kim said about himself and what I can say about myself (...) It’s not that I really think of myself as super competitive (...) but I couldn't resist ;) ...

It appears that what makes my browser so unique is set of plug-ins which are installed in my browser.

It looks like that there is not a lot of people with QuickTime, iTunes and Windows Live plug-ins installed together on same machine.

As Kim summarized his post:

I have to disagree. It is already a problem. A big problem. These outcomes weren’t at all obvious in the early days of the browser. But today the writing is on the wall and needs to be addressed. It’s a matter right at the core of delivering on a trustworthy computing infrastructure. We need to evolve the world’s browsers to employ minimal disclosure, releasing only what is necessary, and never providing a fingerprint without the user’s consent.

And now I will agree on that completely ... especially that my browser is so unique.

10 years of Active Directory

Sander Berkouwer — Wed, 17 Feb 2010 15:02:48 GMT

While last year, Jorge mentioned the 10 year anniversary of a production deployed Active Directory domain, today DirTeam is celebrating the 10 year anniversary of Active Directory as a released product.

The first deployed Active Directory domain

According to Brian Puhl, on April 9, 1999 the Domain Controllers for the redmond.corp.microsoft.com Windows NT4-based domain were upgraded to a pre-release version of Windows 2000 Servers and thus became an Active Directory domain. Of course, today this domain is serviced by Windows Server 2008 R2 Domain Controllers and running the Windows Server 2008 R2 Domain Functional Level…

Active Directory release

The introduction of Active Directory to the world was part of the release of Windows 2000 Server on February 17, 2000. At the launch event, Bill Gates ushered in the Next Generation of PC Computing. Today, this is 10 years ago.

Windows 2000 Server, today is still supported by Microsoft. Although, since June 30, 2005 Microsoft is only releasing security hotfixes for Windows 2000, the extended support period ends on July 13, 2010.

Are you still running Windows 2000 Server-based Domain Controllers?
You have less than 5 months to migrate to a newer version of Windows Server and experience the many benefits in Active Directory!

Integrated Authentication with Firefox and Exchange 2010

dmstork — Wed, 17 Feb 2010 09:21:00 GMT

With the Exchange 2010 Outlook Web App or OWA, it is possible to use Firefox to access your mailbox. Yes, this was always possible but the premium features were only available for Internet Explorer users. As of now, I could only detect one small difference between Firefox and IE namely the S/MIME functionality. Most users or even admins probably don’t know that it exists as it not often implemented.

I am a frequent user of Firefox and prefer it above IE, especially now with Exchange 2010. However, I am annoyed that I always have to enter my login credentials. That’s another benefit of IE: support for Integrated Authentication on Exchange. When logged in on a windows domain computer, why would you have to also log into the Webmail? You are already authenticated.

But… Firefox also supports Integrated Authentication! It is not configured by default, so this way it doesn’t accidentally present AD authentication information to an Internet server. Internet Explorer can be configured to forcibly recognize intranet domain names via Group Policies.

Just type the following in the Firefox addressbar:

about:config

And edit the following values:

network.negotiate-auth.delegation-uris
network.negotiate-auth.gsslib
network.negotiate-auth.trusted-uris

Just add the internal domain or the FQDN of your Exchange (CAS) server. The change is implemented instantly, but remember this only works on Windows domain computers residing in the same domain or forest as your Exchange Server.

Now I’m investigating whether these settings can be configured centrally via GPO’s or scripts. But that is another challenge as Firefox uses configuration files (prefs.js in the user profile) and no registry settings. If you have figured this out, let me know!

Further Reading:
Mozilla Firefox: Integrated Authentication

Exchange 2010: Configure Integrated Windows Authentication

Mailbox Replication Service unexpectedly quits when moving mailboxes from other Exchange server

dmstork — Wed, 17 Feb 2010 05:03:00 GMT

I’ve just completed a transition from Exchange 2003 directly to Exchange 2010. This is a supported scenario, but I did ran into some trouble. Luckily, I also have a solution.

Scenario

The installation of the Exchange 2010 server and upgrading of several items of the Exchange 2003 environment went without any hick-ups. The project was actually ahead of schedule and just when you think you could go home early…

Exchange 2010 now calls a mailbox move “Local Move Request”. The Exchange Mailbox Replication Service will then handle the mailbox move from one database to another. The source database can be Exchange 2003, 2007 or 2010. There are some cool benefits with this new approach, but I digress.

Symptoms

Very quickly after I requested a move of all 2003 mailboxes to the new Exchange 2010 server, the move of the mailboxes seemed to stall. I could see it with this Exchange Management Shell command:

Get-MoveRequest | ft Alias,Status,PercentComplete

Around 20-25%, this percentage suddenly dropped to 0%. After that it didn’t start up again (which it should).

Some research in the eventviewer showed this message:

Source: Service Control Manager
Event ID: 7031
Description:
The Microsoft Exchange Mailbox Replication service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

Sure enough the Mailbox Replication service started again after five seconds. But after a while it crashed again and again. There where no other relevant errors or warnings which where related to this issue. I decided to increase the logging level of the Replication Service with this cmdlet:

Get-EventlogLevel -Identity "MSExchange Mailbox Replication\*" | Set-EventlogLevel -Level Expert

Note: decrease it again after you don’t need it anymore with “–Level Lowest”.

The expert logging increased my insight in what was happening:

Source: MSExchangeIS
Event ID: 9660
Description:
User JOSH (/o=Test/ou=First Administrative Group/cn=Recipients/cn=JOSH) failed to log on because their mailbox is in the process of being moved.

and

Source: MSExchange Mailbox Replication
Event ID: 1101
Description:
Mailbox move for 'Test.nu/Test/DOCENT/JOSH' (b0de20a6-72ee-47ef-8123-123e123e123e) encountered a transient failure. The operation will be retried (1 out of 60). Error code: -2147467259 MapiExceptionMailboxInTransit: Unable to open message store. (hr=0x80004005, ec=1292)

The above message appear several times. This is happening after the replication service crashed and is probably the lock put in place as with the normal mailbox move lock. Not really surprising. It is nice to see that the replication service is willing to try 60 times.

Source: MSExchange Mailbox Replication
Event ID: 1104
Description:
Mailbox Replication service started initial seeding stage for 'Test.nu/Test/DOCENT/JOSH(b0de20a6-72ee-47ef-8123-123e123e123e). Total number of messages in mailbox: 854 (103.7 MB (108,744,421 bytes)).

And then it goes ahead again, but very soon the replication service crashes again and this starts from scratch (events not shown). There were no further clues on what was happening. Some mailboxes went over perfectly though, others didn’t but another time they went over without a hitch. I did get the feeling that with more mailboxes moving at one time the chance of the service crashing increased, but because of time constraints this was not further investigated.

There were no antivirus clients interfering, no antispam, the servers were in the same forest and site within the same subnet. Both servers were virtualized via vSphere. Yes, for the Exchange 2003 server not a supported situation but the problem was with the Exchange 2010 server which is supported.

Even so the virtual machines were not on the same node and the VMWare tools were up-to-date. Also the Windows Servers and Exchange servers were up-to-date, even with Exchange 2010 Update Rollup 1.

Solution

At this time I decided to call Microsoft Support. After some checks with ADSIedit, disabling firewalls, changing the type of NIC and other checks, Microsoft advised running a integrity check of the Exchange 2003 mailbox store. As I had ran out of ideas, this looked like a good suggestion. So I started ISINTEG on the Exchange 2003 server with:

exchsrvr\bin\isinteg -s <servername> -fix -test alltests

After about half an hour this summary appears:

. . . . . SUMMARY . . . . .
Total number of tests : 21
Total number of warnings : 222
Total number of errors : 0
Total number of fixes : 541
Total time : 0h:33m:26s

Yep, that database was bad…

After that the mailbox move requests completed without any relevant problems.

(I did have a lot of errors described in KB940012 resulting in the move request CompletingWithWarnings, but they are not a problem.)

Conclusion

My troubleshooting focused on the new Exchange 2010 installation, because it’s Mailbox Replication Service repeatedly unexpectedly quits. I also had to take the source server in consideration (something with assumptions…).

Although the problem ultimately was caused by a corrupted Exchange 2003 mailbox store, I hope that Microsoft will make the Mailbox Replication Service somewhat more robust or let it generate relevant error messages. It would have saved me quite some time troubleshooting.

Anyway, If you are not familiar with the Exchange environment and it’s history, it is a good idea to also check the integrity of the source exchange database before moving mailboxes. You can check it with ESEUTIL and ISINTEG:

ESEUTIL /G <databasename.edb>

ISINTEG -s <servername> -verbose -test alltests

/me makes mental note ;-)

Is Your browser cheating on You??

tomek — Tue, 09 Feb 2010 22:16:38 GMT

Just to calm down my friends reading this blog … no, I haven’t developed personal relationship with my browser, however as many of us I’ve personalized it and I feel comfortable with it right now. All the plugins, configuration etc. It is our daily used tool now so probably all of us have done something to customize it.

Is our browser also attached to us or does it flirt (how strange it may sound) with others on the network???

(cc) bored-now

Through Kim Cameron’s blog I‘ve found project Panopticlick page started by Electronic Frontier Foundation (EFF). This project aims to try how easy is to identify person identity in Internet based on characteristics of its main tool … web browser. Question is how easy is to distinguish You from other Internet users based on elements like Your browser user agent, fonts, screen resolution and other data which can be accessed from browser by any web page.

Let see - this is example of check performed on my browser:

So my browser has unique footprint among almost 400k of other browser tested. In other words – yes, my browser is cheating on me and it allows web sites to track me without my knowledge … definitely not nice.

Another example which shows that this approach might work came from information about OpenOffice market share. Method which was used to identify OO users was based on checking fonts installed on system through browser. OO install unique fonts – which might be used as indicator that OO is present on a system – without user interaction at all. Scary … ???

Also Kim Cameron posted another example:

(…) The authors claim the groups in all major social networks are represented through URLs, so history stealing can be translated into “group membership stealing”. This brings us to the core of this new work. The authors have developed a model for the identification characteristics of group memberships – a model that will outlast this particular attack, as dramatic as it is. (…)

So browser can be used to identify a user in Internet or to harvest some information without its consent. Will it really become a problem and will it be addressed in some way in browsers in a future? This question has to be answered by people responsible for browser development. We will see …

Server Core Roles and Features in 2008 R2

Sander Berkouwer — Wed, 03 Feb 2010 13:36:24 GMT

Server Core installations are versatile, secure and highly-optimized installations of Windows Server. Dubbed ‘Windows without Windows’ by some, these installation in Windows Server 2008 R2 are capable of providing more (infrastructural) services than ever! Just like Full installations of Windows Server 2008 R2, depending on the edition of your choice, or budget, the Server Roles and Features installable on a Server Core installation, vary, though.

The table below shows the individual roles and features in fresh Server Core installations of Windows Server 2008 R2, Web (column 1), Standard (column 2), Enterprise (column 3) and Datacenter (column 4) edition. It also lists the Server Roles features in a fresh installation of the special-purpose Hyper-V server 2008 R2. (column 5):

Server Roles and Features	W	S	E	D	H
Active Directory Certificate Services
Certificate Authority
Active Directory Domain Services
Active Directory Domain Controller
Active Directory Lightweight Domain Services
DHCP Server
DNS Server
File Services
File Server
Distributed File System
DFS Namespaces
DFS Replication
File Server Resource Manager
Services for Network File System
Branchcache for network files
Hyper-V
Print and Document Services
Print Server
LPD Service
Remote Desktop Services
Remote Desktop Virtualization Host
Web Server (IIS)
Web Server
Common HTTP features
Static Content
Default Document
Directory Browsing
HTTP Errors
HTTP Redirection
WebDAV Publishing
Application Development
ASP.NET
.NET Extensibility
ASP
CGI
ISAPI Extensions
ISAPI Filters
Server Side Includes
Health and Diagnostics
HTTP Logging
Logging Tools
Request Monitor
Tracing
Custom Logging
ODBC Logging
Security
Basic Authentication
Windows Authentication
Digest Authentication
Client Certificate Mapping Authenti…
IIS Client Certificate Mapping Auth…
URL Authorization
Request Filtering
IP and Domain Restrictions
Performance
Static Content Compression
Dynamic Content Compression
Management Tools
IIS Management Scripts and Tools
Management Service
IIS 6 Management Compatibility
IIS 6 Metabase Compatibility
IIS 6 WMI Compatibility
IIS 6 Scripting Tools
FTP Server
FTP Service
FTP Extensibility
IIS Hostable Web Core
.Net Framework 2.0 Features
.Net Framework 3.5.1 Features
.Net Framework 3.5.1
WCF Activation
HTTP Activation
Non-HTTP Activation
Background Intelligent Transfer Service (BITS)
Compact Server
BitLocker Drive Encryption
BranchCache
Failover Clustering
MultiPath I/O
Network Load Balancing
Quality Windows Audio Video Experience
SNMP Services
SNMP Service
Subsystem for UNIX-based Application
Telnet Client
Windows Process Activation Service
Process Model
.NET Environment
Configuration APIs
Windows Server Backup Features
Windows Server Backup
Command-line tools
Windows PowerShell
Windows PowerShell Cmdlets
Windows Server Migration Tools
WinRM IIS Extension
WINS Server
WoW64 Support
WoW64
WoW64 for .NET Framework 2.0 and Win…
WoW64 for .NET Framework 2.0
WoW64 for Windows PowerShell
WoW64 for .NET Framework 3.0 and 3.5
WoW64 for Print Services
WoW64 for Failover Clustering
WoW64 for Input Method Editor
WoW64 for Subsystem for UNIX-based ap…

red, unavailable green, available for installation gray, installed by default

Note:
While some Server Roles and Features are available in multiple editions of Windows Server, the specific capabilities of the roles may vary between editions.

How to get going with PowerShell in Server Core R2

Sander Berkouwer — Tue, 02 Feb 2010 15:31:33 GMT

Server Core installations of Windows Server 2008 R2 and installations of Hyper-V Server 2008 R2 offer Windows PowerShell. A lot has been written on the geekiness of PowerShell, how it wasn’t included in Server Core installations of Windows Server 2008 R2 and how you could enable it anyway. The question however is, how do you get started with using PowerShell in Server Core?

This blogpost shows you how to install PowerShell, how to start it up and issue some basic commands.

Installing PowerShell

To install Windows Powershell on a Server Core installation of Windows Server 2008 R2, issue the following three commands:

dism /online /enable-feature /featurename:NetFx2-ServerCore
dism /online /enable-feature /featurename:MicrosoftWindowsPowerShell
dism /online /enable-feature /featurename:ServerManager-PSH-Cmdlets

These commands will install the .Net Framework 2.0 binaries. This is a package, Windows PowerShell depends on. After you’ve successfully installed the .Net Framework you can install Windows PowerShell. Use the last command to be able to use the built-in PowerShell cmdlets for Server Manager.

Note:
The above commands are case sensitive.

If you also need 32bit support in Windows Powershell, also issue the following two (again: case sensitive) commands:

dism /online /enable-feature /featurename:NetFx2-ServerCore-WOW64
dism /online /enable-feature /featurename:MicrosoftWindowsPowerShell-WOW64

Tip!
You don’t need to install the base Windows on Windows (WoW) 64 package into a Server Core installation of Windows Server 2008 R2. This package is installed by default.

Starting PowerShell

To start using PowerShell you need to start it up. For some strange reason the path where PowerShell resides is not added to the %PATH% variable after installing, so you need to drill down to it, before you can start PowerShell.

Use the following commands:

cd C:\Windows\system32\WindowsPowerShell\v1.0
powershell

Now PowerShell is started. (Congratulations! )

Showing off PowerShell

One of the strongest examples of the strength of PowerShell is the ability to add and remove Server Roles and Server Features, without the need to worry whether you’re typing them right. (remember, the dism.exe command is case-sensitive)

for instance, on the PowerShell you can use the following command to install the Windows on Windows (WoW) 64 support for .Net Framework 2.0:

PS > enable-windowsfeature netFX2-ServerCore-WoW64

Also, one of the nice benefit of using the get-windowsfeature PowerShell cmdlet is you get the hierarchy, instead of the long list of Server Roles and Features you get when you use dism /online /get-features. See for yourselves, when you execute the following command:

PS > import-module ServerManager
PS > get-windowsfeature

New gear

Sander Berkouwer — Mon, 01 Feb 2010 15:54:00 GMT

I’ve used a Dell Latitude D630 laptop for the past 13 months. It’s been my loyal companion on two Tech·Eds, a MVP Summit, at least a dozen demos and presentations and has been with me to work with various customers. This device is equipped with an Intel Core 2 Duo T8100 processor, 4GB RAM, a 14,1” 1440x900 screen, Dell integrated WiFi and Bluetooth, a 9cell battery and a 160GB hard drive (fourth one).

This device now shows some remarkable traces of use, most notably a couple of cracks in the body and screen bezel, a row of dead pixels half way up the screen and a dent in the keyboard somewhere around the enter key. It also sounds a distressed ‘something’s wrong’ hardware beep once in a while…

It’s being replaced with:

a Dell Latitude E6500

A spanking new Dell Latitude E6500 in brush metal black with the following specs:

Intel Core 2 Duo P9700 (2,80 GHz) processor
15,4” WUXGA (1920x1200) LCD screen
8192 MB DDR2-800 RAM
250GB 7200rpm hard disk with free fall sensor
D-SUB & Display Port out
(with HDMI out through an optional cable)
eSATA port
USB Powershare port
(for charging USB devices when the laptop is off)
Integrated 2,0 Megapixel Webcam
8x DVD+/-RW drive
Wireless 370 Bluetooth
802.11a/b/g/n wireless networking
Integrated keyboard backlighting
6cell battery
3 years of Pro Support

Of course these specs are well above average, but some modifications need to be made (most of them to some of the accessories) to meet my needs. The 3-way power cord for instance doesn’t fit in the 230V socket in the back of the car and the privacy screen of the old laptop doesn’t fit on the new one. Also, I suspect my laptop bag to play a vital role in the damage done to the previous laptop, so I’m having that replaced as well.

A SSD drive is also on my wish list, but deemed too expensive at this point in time. I guess there's always room for improvement.

Update 3 has been released for FIM 2010 RC1

Jorge — Sat, 30 Jan 2010 12:55:54 GMT

Microsoft has released Update 3 for FIM 2010 RC1. It is available connect here. This is the final pre-release of the product before RTM. I think this is a major release because it can be installed as an update or as a new install from scratch. It contains a (new) installation guide. Make sure to read the release notes FIRST before installing it!!!

Summary of changes in Update 3

This package contains multiple updates to the following Microsoft® Forefront™ Identity Manager 2010 feature areas. It also contains a number of general improvements to FIM functionality and reliability.

New prerequisites:

Windows® Installer 4.5 for all server components
For the FIM Service: Microsoft SQL Server® 2008 Service Pack 1 (SP1)
For the FIM Add-In for Outlook: Microsoft Office Outlook® 2007 Service Pack 2 (SP2)

New supported platforms for FIM Certificate Management:

Windows Server® 2008 R2
Windows Server Datacenter Edition

FIM Synchronization Service improvements:

Fixed customer-reported failures in FIM Synchronization Service.
Fixed issues with multimastered attributes.
The FIM management agent (MA) will now store error messages with the operation during export. You do not have to look in the FIM Service event log anymore to view the errors.
You can now have several MAs that are responsible for deleting a resource. This solves a common problem in which custom code was necessary for Declarative provisioning.
Added two new Declarative provisioning functions:
Null – This SR should not contribute a value.
ReplaceString – Find and replace a substring in another string.

Introduces new Management Policy Rule (MPR) types:

The new Set Transition MPR type allows for easy creation of Policies that apply to Set membership changes (that is, when resources enter or leave a specific Set).
During Update 3 installation, all existing MPRs in the system are marked as Request-based MPRs.
The Run On Policy Update flag is now applicable only to the new Set Transition MPRs.
Temporal policy definitions require the use of the new Set Transition MPRs.

Fixes an issue in which queries did not evaluate correctly if they contained three or more conditions and at least two of them used the not() operator.
Adds support for Exchange 2010, which includes the following:

FIM Synchronization Service support for Active Directory MA and global address list (GAL) MA
The FIM Service sending and receiving mail
Outlook 2007 on Exchange 2010 sending approvals and group membership requests

Adds support for SQL Server Failover Clusters for High Availability.
Adds support for taking database backups without stopping the FIM Service.
Removes DomainSynchronizationActivity and replaces it with built-in logic to support cross-forest group management.

Important

This update deletes the WorkflowDefinition Group management workflow: Domain information synchronization for cross-forest resources, which has the Resource ID 955e3366-fbcc-43ee-b6e4-2001b81971da. You should back up any changes you may have made to this resource before installing the update and then re-create the functionality in a new activity.

Cheers,

Jorge

ILM 2007 SP1 … Exchange 2010 support

tomek — Thu, 28 Jan 2010 22:28:00 GMT

FIM 2010 is still being cooked in Redmond area but in the meantime we got brand new ILM 2007 Service Pack 1 package which just was published on Downloads web site. ILM 2007 SP1 is cumulative hotfix package but also it brings support for provisioning objects with Exchange 2010.

This is nice progress if you remember how long we had to wait for Exchange 2007 to be supported with ILM … way to go for future ILM team.

Information how to use ILM AD MA to provision objects to Exchange 2010 is published on Technet in Deploy Exchange 2010 in a Cross-Forest Topology article.

Whit Exchange 2010 support we also are getting a new code example and description “Prepare for Online Mailbox Move”. Quote from download description:

Microsoft Exchange Server 2010 supports online mailbox migration from a remote Exchange Server 2010, Exchange Server 2007, or Exchange Server 2003 forest to your Exchange 2010 forest. Prior to performing the online mailbox migration, mail-enabled users with a predefined list of attributes must be present in the target Exchange 2010 forest where the mailbox will be moved to. You can use either the sample code or the sample script to help with your online mailbox migration:

The ILM-based rules extension sample code demonstrates how to customize your current ILM deployment to create the required mail-enabled users in the target Exchange 2010 forest. For more information, see Prepare Mailboxes for Cross-Forest Moves Using the PrepareMoveRequest.ps1 script in the Shell. To download the feature pack, see Microsoft Knowledge Base article 977791 (Service Pack 1 (build 3.3.1139.2) is available for Microsoft Identity Lifecycle Manager (ILM) 2007 Feature Pack 1) .

The remote PowerShell-based sample script demonstrates how to run a PowerShell script to create the required mail-enabled users in the target Exchange 2010 forest. For more information, see Prepare Mailboxes for Cross-Forest Moves Using Sample Code.

Enjoy your reading …

Spot the difference

tomek — Thu, 28 Jan 2010 21:59:00 GMT

Where is a question there is an answer (at least in most cases). This time question was “How to check schema extension introduces to a forest?” and it was asked on ActiveDir.org. There was even more than one answer … apparently some consultants are watching this list :).

So how we can capture what was changed in schema since it was established together with our forest.

(cc tobym)

One of option is using Schema Analyzer tool which comes with AD LDS (ADAM) as it is described on Ask DS Team blog. If we have AD LDS instance and LDFI file with schema we want to analyze it will allow us to get difference between target and base schema. Easy but …

it requires access to AD LDS instance and LDIF file with schema
sometimes it is a bit overhead to get LDI file with difference and we require something easier.

So next approach, also not perfect but a bit simpler and in some cases might be good enough. Just take a(dfind.exe)ny LDAP query tool and query all schema including whenCreated in output. This attribute is replicated among all DCs and we can track date of creation of object. Simple example:

adfind -schema -f "(|(objectClass=attributeSchema)(objectClass=attributeClass))" ldapDisplayName whenCreated –adcsv

now redirect output to file … open it in Excel, sort it on whencreated collumn and voile…

Of course it is not perfect. Still it requires tool like Excel and it gives You only overview when attributes where created. And what about modifications?

In cases we need such information SchemaDiff.cmd script created by Dean Wells (included in archive) comes handy. This tool is based on querying replication metadata and this will give You information about new and updated attributes. Let see how it works:

C:\Temp>SchemaDiff.cmd w2k.pl

SchemaDiff 1.1 / Dean Wells (dwells@msetechnology.com) - March 2006

STATUS - Working [review title bar for progression] ...

       - Forest/schema creation timestamp: 2009-08-23 @ 22:51:06
       - base-schema has been MODIFIED since Forest creation
       - counting classSchema and attributeSchema instances: 1438
       - querying schema ...

*MOD: CN=Schema,CN=Configuration,DC=w2k,DC=pl
       - schemaInfo........................ {modified post-instantiation}

*MOD: CN=User,CN=Schema,CN=Configuration,DC=w2k,DC=pl
       - auxiliaryClass.................... {modified post-instantiation}

+NEW: CN=AstContext,CN=Schema,CN=Configuration,DC=w2k,DC=pl
+NEW: CN=AstExtension,CN=Schema,CN=Configuration,DC=w2k,DC=pl

(…)

Done - 57 schema object(s) added, 4 schema object(s) modified
       in Forest "DC=w2k,DC=pl"

Quick, nice and easy … and no additional tools required (I don’t count repadmin.exe as an additional tool in AD environment).

In general best way to answer such question is to have implemented schema governance process in your environment. It doesn’t have to be something very complicated, sometimes simple file with some procedures is enough … or WSS site in more advanced case. Key is to stick to it and follow it. Think about it …

Exchange 2010 Storage Calculator available! [update]

Heinrich Strauss — Sat, 23 Jan 2010 03:48:00 GMT

The updated version of the Exchange Storage Calculator has just been released! (3.2)

http://msexchangeteam.com/archive/2010/01/22/453859.aspx

With the Worldwide Release of Exchange 2010 yesterday, this provides a crucial planning step towards migration!

I know what I'm doing today! :P

-H.

Where is my DC?

tomek — Fri, 15 Jan 2010 20:28:00 GMT

It is common knowledge that in AD environment client (like workstation) will always (at least it should) try to connect to most optimal domain controller. Optimal from network and AD infrastructure configuration standpoint. This process is based on DNS queries and information stored in AD configuration and in perfect case should lead to situation when client has contacted most optimal DC at given moment.

So we have all subnets defines, connected with appropriate sites and DCs placed in these sites or covered in other way. And suddenly some clients from some small location are starting to use some random DCs instead one we designated for them in our bright and shiny configuration. In such case sys admin is entering his most favorite mode … troubleshooting

(cc) trriseesthings

AD configuration has been extensively reviewed and checked, network checked … event logs are not giving us a clue … what next (besides calling cavalry of some sort :) )?

In such case we have at least one additional troubleshooting mechanism which might be extremely useful in this process, which is enabling debug logging for DC locator process. In each Windows version netlogon service comes with ability to log debug information. What has to be done is enabling this mechanisms through registry change and settings some flags … these flags are described in KB 109626 Enabling debug logging for the Net Logon service.

When this will be done netlogon service will start to log diagnostic data in %widir%\debug\netlogon.log. These information might be very useful in troubleshooting process or at least should give us idea what is going on during this process. Sample netlogon.log part (slightly modified for better reading) from my lab environment is presented below .

[SITE] Setting site name to '(null)'
[SESSION] \Device\NetBT_Tcpip_{33941FFA-DFED-4744-BF9A-972228BC6FF0}: Transport Added (192.168.1.10)
[SESSION] Winsock Addrs: 192.168.1.10 (1) List used to be empty.
[SESSION] V6 Winsock Addrs: (0)
[CRITICAL] Address list changed since last boot. (Forget DynamicSiteName.)
[SITE] Setting site name to '(null)'
[DNS] Set DnsForestName to: w2k.pl
[DOMAIN] W2K: Adding new domain
[DOMAIN] Setting our computer name to wss wss
[DOMAIN] Setting Netbios domain name to W2K
[DOMAIN] Setting DNS domain name to w2k.pl.
[DOMAIN] Setting Domain GUID to ce28b6f7-a26a-4e0f-9f39-0e63e525493e
[MISC] Eventlog: 5516 (1) "wss" "W2K"
[INIT] Replacing trusted domain list with one for newly joined W2K domain.
[SITE] Setting site name to '(null)'
[LOGON] NlSetForestTrustList: New trusted domain list:
[LOGON]     0: W2K w2k.pl (NT 5) (Forest Tree Root) (Primary Domain) (Native)
[LOGON]        Dom Guid: ce28b6f7-a26a-4e0f-9f39-0e63e525493e
[LOGON]        Dom Sid: S-1-5-21-1855823386-3643518527-1754427229
[INIT] Starting RPC server.
[SESSION] W2K: NlSessionSetup: Try Session setup
[SESSION] W2K: NlDiscoverDc: Start Synchronous Discovery
[MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c00ffff1
[INIT] Join DC: \\resfs.w2k.pl, Flags: 0xe00013fd
[MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c00ffff1
[MAILSLOT] NetpDcPingListIp: w2k.pl.: Sent UDP ping to 192.168.1.1
[MISC] NlPingDcNameWithContext: Sent 1/1 ldap pings to resfs.w2k.pl
[MISC] NlPingDcNameWithContext: resfs.w2k.pl responded over IP.
[MISC] W2K: NlPingDcName: W2K: w2k.pl.: Caching pinged DC info for resfs.w2k.pl
[INIT] Join DC cached successfully
[SITE] Setting site name to 'Default-First-Site-Name'
[MISC] NetpDcGetName: w2k.pl. using cached information
[PERF] NlAllocateClientSession: New Perf Instance (001E6688): "\\resfs.w2k.pl"
    ClientSession: 00237D58
[SESSION] W2K: NlDiscoverDc: Found DC \\resfs.w2k.pl
[SESSION] W2K: NlSetStatusClientSession: Set connection status to 0
[DOMAIN] Setting LSA NetbiosDomain: W2K DnsDomain: w2k.pl. DnsTree: w2k.pl. DomainGuid:ce28b6f7-a26a-4e0f-9f39-0e63e525493e
[LOGON] NlSetForestTrustList: New trusted domain list:
[LOGON]     0: W2K w2k.pl (NT 5) (Forest Tree Root) (Primary Domain) (Native)
[LOGON]        Dom Guid: ce28b6f7-a26a-4e0f-9f39-0e63e525493e
[LOGON]        Dom Sid: S-1-5-21-1855823386-3643518527-1754427229
[SESSION] W2K: NlSetStatusClientSession: Set connection status to 0
[SESSION] W2K: NlSessionSetup: Session setup Succeeded
[INIT] Started successfully

Does it look useful??? I think so … happy troubleshooting and don’t forget that Network Monitor or WireShark will tell You the truth about what’s going on on a wire. And this is ultimate troubleshooting tool.

ADLDS (ADAM) for Windows 7

Jorge — Tue, 12 Jan 2010 08:12:12 GMT

In previous client versions of Windows, ADLDS (a.k.a. ADAM) was available for WXP. IN addition to that it was available in every server version of Windows (W2K3, W2K3R2, W2K8 and W2K8R2). There was no official version for Vista, but if I remember correctly (not sure though) it was possible to get the separate download working with some hacks.

However, since yesterday, Microsoft has provided a version of ADLDS for Windows 7. Now everybody with interest to have a lean and mean directory service on his desktop to test or develop software can do it on his desktop without the need to have a server OS.

Get it here!

….and for its logo, see here. J

Cheers,

Jorge

Re-awarded MVP

Sander Berkouwer — Sat, 02 Jan 2010 10:15:00 GMT

Being a Microsoft Most Valuable Professional (MVP) is a one-year gig. My first year as a Directory Services MVP started January 1, 2009. Since then I proudly displayed the MVP logo on the left hand side of my blog. From the Least Amount of Administrative Effort point of view, I was curious to find out whether I could keep the logo there.

With great pleasure I received the following e-mail today:

Congratulations 2010 Microsoft MVP!

Dear Sander Berkouwer,

Congratulations! We are pleased to present you with the 2010 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Directory Services technical communities during the past year.

The Microsoft MVP Award provides us the unique opportunity to celebrate and honor your significant contributions and say "Thank you for your technical leadership."

Toby Richards
General Manager
Community & Online Support

What a great way to start 2010!

Re-Awarded for the 5th Time – MVP Directory Services

Jorge — Fri, 01 Jan 2010 18:51:19 GMT

Today I received an e-mail I was re-awarded again with the MVP Award for Directory Services. This year is the fifth time I have received this award! J

----------

Dear Jorge de Almeida Pinto,

Congratulations! We are pleased to present you with the 2010 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Directory Services technical communities during the past year

----------

!!! THANKS !!!

Cheers,

Jorge

Dirteam.com/ActiveDir.org Blogs

Mail enabled Public Folder Recipient not found

Symptoms

Solution

Conclusion

Further Reading

Active Directory Domain Services Command Fu, Part 1

Creating custom application partitions

Quering Group Policy Replication Health

Editing advanced trust properties

Provisioning Mailboxes In Exchange 2007/2010 By ILM/FIM

Be careful what You promise … SYSVOL

Automatically Deleting Expired Objects in FIM 2010

Speaking at TEC 2010 USA (Los Angeles)

Speaking At Microsoft TechDays 2010 in Antwerp (Belgium)

Forefront Identity Manager 2010 has RTMed!

Presenting for Hyper-V.nu (again)

About the event

My presentation

Previous gigs with Hyper-V.nu

Sorry Kim ...

10 years of Active Directory

The first deployed Active Directory domain

Active Directory release

Further reading

Integrated Authentication with Firefox and Exchange 2010

Mailbox Replication Service unexpectedly quits when moving mailboxes from other Exchange server

Scenario

Symptoms

Solution

Conclusion

Further reading:

Is Your browser cheating on You??

Server Core Roles and Features in 2008 R2

Further reading

How to get going with PowerShell in Server Core R2

Installing PowerShell

Starting PowerShell

Showing off PowerShell

Further reading

New gear

a Dell Latitude E6500

Update 3 has been released for FIM 2010 RC1

ILM 2007 SP1 … Exchange 2010 support

Spot the difference

Exchange 2010 Storage Calculator available! [update]

Where is my DC?

ADLDS (ADAM) for Windows 7

Re-awarded MVP

Congratulations 2010 Microsoft MVP!

Re-Awarded for the 5th Time – MVP Directory Services