The things that are better left unspoken

a blog by Sander Berkouwer

Is your organization ready for Windows 8.1? Part 15, Roaming Profile incompatibilities

In extensively managed networking environments, devices are generally domain-joined and employees gain mobility across these devices through folder redirection, offline files and roaming profiles. VPN access is mostly available, but when looking closely you might distinguish the occasional DirectAccess implementation.

In these environments, mobility across several devices, for instance a desktop and a laptop, often presents challenges in terms of applications, settings and access to data.

While the above solutions offer a functioning environment when all devices run the same Operating System, it’s a different story when one device runs a different or previous Operating System version.

In the past…

In the past, Roaming Profile incompatibilities have resulted in version 2 profiles. This distinction made sure colleagues with Windows XP and Windows Vista/7 devices could continue working effectively on both platforms, enjoying the same data, but not necessarily the same settings.

You probably remember the Username.V2 Roaming Profile folder names, if, at some point in the past, you’ve implemented Roaming Profiles on devices running Windows Vista, and beyond, in a Windows 2000 Professional / Windows XP Professional-based networking environment.

In the Windows 8.x era

To make matters more complicated, but more robust for people using devices with different Windows versions, Microsoft updated the profile format in Windows 8. According to Microsoft KnowledgeBase article 2887239, the updated profile format causes profiles to be incompatible between Windows 7 (and Windows Vista) on one side and Windows 8 and Windows 8.1 on the other side of the equation.

This means that when a colleague switches from a Windows 7-based device with Roaming Profiles configured to a Windows 8-based device with the same Roaming Profiles configuration, the user profile is updated to the new Windows 8 format and is no longer compatible with the Windows 7-based device. Yet both profiles are version 2 profiles.

Now, when you’re migrating your organization to Windows 8.1 from Windows 7 (and prior) and you’re not able to migrate all PCs for a specific colleague at one moment in time, this will cause problems when the colleague switches back and forth.


Introducing Version 3 profiles

Luckily, you can configure Windows 8.1 to create a different Roaming Profile. This Roaming Profile gets .v3 appended to the username in its folder name; it is designated a version 3 profile.

This is achieved by making a change in the Windows registry and rebooting.

According to Microsoft KnowledgeBase article 2890783, the update that adds this functionality to Windows 8.1 is included in November 2013 update rollup. Make sure you have this update installed on devices where you want to use version 3 profiles.

To perform the specific registry change, follow these steps:

  1. Swipe in from the right edge of the screen, and then tap Search. Or, if you are using a mouse, point to the lower-right corner of the screen, and then click Search. In the search box, type regedit, and then tap or click regedit.
     When you are prompted for an administrator password, type the password. If you are prompted for confirmation, provide confirmation.
  2. Locate and then tap or click the following registry subkey:

  3. On the Edit menu, point to New, and then tap or click DWORD (32-bit) Value.
  4. Type UseProfilePathExtensionVersion.
  5. Press and hold or right-click UseProfilePathExtensionVersion, and then tap or click Modify.
  6. In the Value data box, type 1, and then tap or click OK.
     It should look like this:
     UseProfilePathExtensionVersion in Windows Registry (click for original screenshot)
  7. Exit Registry Editor.

After you configure the UseProfilePathExtensionVersion registry entry, you have to restart the computer.

After the reboot, Windows 8.1 creates a user profile and appends the suffix ".v3" to the profile folder name to differentiate it from version 2 of the profile for Windows 7.

Of course, you can also use a Group Policy Preference (GPP) setting to add the registry key to Windows installations. You can target Windows 8.1-based devices specifically by either placing them in separate Organizational Units (OUs) within Active Directory Domain Services, or (when all devices reside in the same Organizational Unit) through WMI filters.
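The targeting and the registry change described above, scripted for deployment. This is an added example and not code from the original post; the registry subkey path is not on this page, so it is a labelled placeholder to be replaced with the subkey from KnowledgeBase article 2890783, and the Windows 8.1 check mirrors the WMI filter condition the post refers to.

```powershell
# Added example, not from the original post: applies the UseProfilePathExtensionVersion
# setting only on Windows 8.1 clients, the same targeting the post suggests doing with a
# GPO WMI filter. ASSUMPTION: the registry subkey path is not on this page; replace the
# placeholder with the subkey from Microsoft KnowledgeBase article 2890783 before use.
$SubKey    = 'HKLM:\PLACEHOLDER-SUBKEY-FROM-KB2890783'
$ValueName = 'UseProfilePathExtensionVersion'

function Test-IsWindows81Client {
    # Same condition a WMI filter on the GPO would express:
    # SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.3%" AND ProductType = "1"
    $os = Get-WmiObject -Class Win32_OperatingSystem
    return (($os.Version -like '6.3*') -and ([int]$os.ProductType -eq 1))
}

function Get-ProfileExtensionVersion {
    param([string]$Path = $SubKey)
    # Returns $null when the key or the value does not exist yet
    $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-ProfileExtensionVersion {
    # Returns $true when a restart is still needed for the change to take effect
    param([string]$Path = $SubKey)
    if ($Path -like '*PLACEHOLDER*') { throw 'Replace the placeholder subkey path first.' }
    if (-not (Test-IsWindows81Client)) {
        Write-Warning 'Not a Windows 8.1 client; leaving the profile format untouched.'
        return $false
    }
    if ((Get-ProfileExtensionVersion -Path $Path) -eq 1) {
        Write-Host 'Already configured for .v3 profiles; nothing to do.'
        return $false
    }
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # DWORD (32-bit) value 1, as in steps 3 to 6 of the post
    New-ItemProperty -Path $Path -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host 'Configured; restart before Windows 8.1 creates the .v3 profile folder.'
    return $true
}

$restartNeeded = Set-ProfileExtensionVersion
# When $restartNeeded is $true, reboot the device (Restart-Computer) to complete the change.
```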



There is a reason why most organizations have adopted Group Policy Preferences to map drives and perform other environmental setup steps; logon scripts have gone the way of the dodo.

If you haven’t made the transition to Group Policy Preferences yet, your migration to Windows 8.1 would be a good time to do so. If you can’t, disable Logon Script Delay for devices running Windows 8.1 and up.

Related blogposts

Is your organization ready for Windows 8.1? Part 1, Overview
Is your organization ready for Windows 8.1? Part 2, The best hardware for the job
Is your organization ready for Windows 8.1? Part 3, Start Button and Boot to Desktop
Is your organization ready for Windows 8.1? Part 4, Automatic App Updates
Is your organization ready for Windows 8.1? Part 5, Managing SkyDrive
Is your organization ready for Windows 8.1? Part 6, Start Screen Layout Management
Is your organization ready for Windows 8.1? Part 7, Managing Start Screen Theming
Is your organization ready for Windows 8.1? Part 8, Start Screen App Pinning
Is your organization ready for Windows 8.1? Part 9, Disable help tips in The New Interface
Is your organization ready for Windows 8.1? Part 10, Group Policy Caching
Is your organization ready for Windows 8.1? Part 11, IE Enhanced Protected Mode
Is your organization ready for Windows 8.1? Part 12, Assigned Access
Is your organization ready for Windows 8.1? Part 13, Quiet hours
Is your organization ready for Windows 8.1? Part 14, Logon Script Delay

Related KnowledgeBase Articles

Incompatibility between Windows 8.1 roaming user profiles and those in earlier versions
Incompatibility between Windows 8 roaming user profiles and roaming profiles in other versions of Windows

Pictures of the Dutch 2014 TechDays

Last week, Microsoft Netherlands organized the 2014 TechDays at the World Forum in The Hague, where both Dutch and Belgian Developers and IT Professionals enjoyed two days of sessions, networking opportunities and catering.

On Wednesday April 16th, Raymond Comvalius and I were scheduled to deliver a 75-minute presentation on Bring Your Own (BYO), so we arrived early. Luckily, the event also started early both days, with the first sessions starting at 7:45 AM each day.

TechDays banners on the floor of the World Forum (click for original photo)
Entrance to the World Forum (click for original photo)
Lanyards waiting to be used (click for original photo)
Which one are you, Developer or IT Pro? (click for original photo)

Our session was scheduled for 10:50 AM in room Onyx. This room was fitted with 300 seats, a nice stage and two projection screens.

Our audience (click for original photo, provided by Microsoft Netherlands)
I can do this with my eyes closed... (click for original photo, taken by Adnan Hendricks)
Delivering. (click for original photo, taken by Arie de Haan)

Our session was great fun, and afterwards we received some great feedback. Needless to say I was proud of our achievement.

Proud TechDays Speaker (click for original photo, taken by Raymond Comvalius)

After our session, I dumped my stuff in the speaker room, switched from my blue Speaker polo to the orange Expert polo, and headed for the Ask the Experts (AtE) Area. I also spent the larger part of Thursday April 17th at the Ask the Experts (AtE) Area. A lot of my buddies were there and we had a lot of fun. The XBox One combined with Experts proved to be a real crowd pleaser.

XBox Experts (click for original photo, by Michel de Rooij)

I had a blast, and I hope you did too.

See you at TechDays 2015?

Updating Windows XP with all its updates

You may have read my blogpost on the actions admins need to take to continue working with Windows XP in their networking environments. It’s a long list. While many blogs and websites have shared similar information, one action is on everybody’s list:
Update Windows XP with the latest updates.

So, how easy is it to perform this task?

Without a fourth ServicePack for Windows XP, containing all the updates for Windows XP up till April 8th, 2014, it’s really about connecting a device running Windows XP to the internet and downloading the updates through Windows Update, or connecting a device to the corporate network and downloading updates from the on-premises Windows Server Update Services (WSUS) installation. This, of course, is not the best of ideas: Every security expert has warned against connecting Windows XP boxes to the internet or your corporate network after April 8th…

Straight from my toolbox comes a tool that helps you with this task:


WSUS Offline

WSUS Offline is an unofficial program that you can use to update Windows installations in situations with no or low-speed Internet connectivity. It was previously known as "c't offline update" and "DIY Service Pack".

It allows you to simply tick the Microsoft products you want, after which it fetches all the updates from Microsoft’s official FTP server. So far, this sounds like the official Windows Server Update Services (WSUS) that Microsoft offers, but WSUS Offline has another trick up its sleeve: after you’ve downloaded all the applicable updates, you can create a virtual CD/DVD (*.iso file) per product, per architecture (x86 / x64) and/or per language.

Version 9.1 of WSUS Offline was released on April 4th, 2014 and is the last version of WSUS Offline. This, then, is the version of WSUS Offline you want. You can get it from wsusoffline.net.

After you’ve downloaded wsusoffline91.zip, check that it is 2281694 bytes in size and use Microsoft’s File Checksum Integrity Verifier to check that its SHA1 checksum is 369d17656164139de81f49c3c32192286c492b1b.
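The size and checksum check from the paragraph above, scripted so it can gate the extraction step. This is an added example, not code from the post or from the WSUS Offline project; it uses the .NET SHA1 class rather than fciv.exe so it also runs on older PowerShell versions, and the expected values are the ones the post gives.

```powershell
# Added example, not from the original post: verifies wsusoffline91.zip against the
# size and SHA1 checksum given in the post before anything is extracted from it.
$ExpectedSize = 2281694
$ExpectedSha1 = '369d17656164139de81f49c3c32192286c492b1b'

function Get-FileSha1Hex {
    param([Parameter(Mandatory=$true)][string]$Path)
    $sha1   = [System.Security.Cryptography.SHA1]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha1.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    # Lower-case hex without separators, the same form fciv.exe prints
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

function Test-WsusOfflineDownload {
    # Returns $true only when both the size and the SHA1 match the published values
    param([Parameter(Mandatory=$true)][string]$Path,
          [long]$Size = $ExpectedSize,
          [string]$Sha1 = $ExpectedSha1)
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    # Size first: a truncated download or a different build fails fast, before hashing
    $actualSize = (Get-Item -LiteralPath $Path).Length
    if ($actualSize -ne $Size) {
        Write-Warning "Size mismatch: expected $Size bytes, got $actualSize."
        return $false
    }

    $actualSha1 = Get-FileSha1Hex -Path $Path
    if ($actualSha1 -ne $Sha1.ToLower()) {
        Write-Warning "SHA1 mismatch: expected $Sha1, got $actualSha1. Do not extract this file."
        return $false
    }
    Write-Host "OK: $Path matches the published size and SHA1."
    return $true
}

# Only unpack and run UpdateGenerator.exe after the check passes
if (Test-WsusOfflineDownload -Path '.\wsusoffline91.zip') {
    Write-Host 'Safe to extract.'
}
```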

Next, extract the contents of the file and run UpdateGenerator.exe. Next, select the Legacy products tab. This is where you’ll find updates for Windows XP x86:

Legacy Tab in the WSUS Offline Update 9.1

Download Office 2003 through WSUS Offline as well when you’re running it in a networked environment, since support for this product also ended on April 8th, 2014.

You can point WSUS Offline to your on-premises Windows Server Update Services (WSUS) installation to pull all the updates. Use the WSUS… button for this purpose. After successful download and tests, you can free up (expensive) hard disk space by cleaning up the Windows XP updates there.


Today, I selected English and Dutch for Windows XP (including ServicePacks) and ended up with two virtual DVDs (*.iso files) in the iso subdirectory of the folder I unpacked to:

  • wsusoffline-wxp-enu.iso
    807 MB, 181 applicable updates
  • wsusoffline-wxp-nld.iso
    821 MB, 181 applicable updates

From each of these virtual DVDs, I can now use the UpdateInstaller.exe executable to update 32-bit installations of Windows XP without an internet connection and without hassle.



WSUS Offline allows you to download the updates for Windows XP (and Office 2013) once and for all. After that, you can easily run the executable from the (virtual) DVD or USB drive to update Windows XP without an internet and/or network connection, without hassle.

Related blogposts

So you want to continue using Windows XP?
How to install Windows XP Mode for Application Compatibility
Windows 7 Migration Checklist
Windows 8 Migration Checklist

Related downloads

Microsoft File Checksum Integrity Verifier

Further reading

Windows XP support has ended
WSUS Offline Update
Microsoft Windows Update
Windows Server Update Services Home

Implications of the HeartBleed vulnerability on Single Sign-On and Federation implementations

This week, the Internet was abuzz with HeartBleed, a vulnerability in OpenSSL. This meant that many secure websites and web services protected by OpenSSL suddenly became a security risk, and OpenSSL (and open source software in general) suddenly became a lot less trustworthy.

About HeartBleed

The HeartBleed bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing information that is, under normal conditions, protected by the SSL/TLS encryption used to secure Internet traffic. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). CVE-2014-0160 is the official reference to this bug.

The HeartBleed bug allows anyone to read the memory of the systems ‘protected’ by the vulnerable versions of the OpenSSL software (versions 1.0.1 through 1.0.1f). This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

HeartBleed and Microsoft

According to Microsoft’s formal communications, when running Microsoft Operating Systems (OSs) you only need to take action if you have installed and configured OpenSSL yourself.

While this is strictly true, in the modern world of Single Sign-On and claims-based authentication, this might not necessarily be the right way to look at it…


Single Sign-On

Many organizations have implemented Single Sign-On (SSO) by integrating their applications into Active Directory Domain Services (AD DS). While Active Directory itself was not affected by HeartBleed, any application or service utilizing OpenSSL and integrating with Active Directory can be used to leak information from Active Directory, such as usernames, passwords, SIDs and token information.

Also, the private key used may be leaked, which in turn might provide information for a targeted attack against Active Directory Certificate Services (AD CS) and services relying on it, like Active Directory Rights Management Services (AD RMS).

The situation is not resolved until these OpenSSL implementations have been updated, the certificates in use have been replaced with different certificates (with a different private key) and users have changed their passwords.


Indeed, one single link in the authentication chain might cause the entire chain to fail…


To remedy such a situation, first upgrade the vulnerable version of OpenSSL to at least version 1.0.1g or recompile it with -DOPENSSL_NO_HEARTBEATS. Additionally, any certificates in use by the OpenSSL implementation need to be reissued.
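A check for the two remediation conditions named above, written as an added example that is not part of the original post: it classifies the output of `openssl version -a` collected from the hosts behind your SSO or federation endpoints, using the affected range the post gives (1.0.1 through 1.0.1f) and the -DOPENSSL_NO_HEARTBEATS build flag. The host names and version outputs below are constructed.

```powershell
# Added example, not from the original post: classifies `openssl version -a` output against
# the range the post gives: 1.0.1 through 1.0.1f exposed; 1.0.1g, or any build compiled with
# -DOPENSSL_NO_HEARTBEATS, not exposed. Sample outputs below are constructed.

function Test-HeartbleedExposedBuild {
    param([Parameter(Mandatory=$true)][string]$VersionOutput)
    $lines = $VersionOutput -split "`r?`n"

    # First line of `openssl version -a` is "OpenSSL <version> <date>"
    $versionLine = $lines | Where-Object { $_ -match '^OpenSSL\s+\S+' } | Select-Object -First 1
    if (-not $versionLine) { throw 'No "OpenSSL <version>" line found in the output.' }
    $version = ($versionLine -split '\s+')[1]

    # Heartbeat extension compiled out: CVE-2014-0160 is unreachable regardless of version
    $compiler = $lines | Where-Object { $_ -match '^compiler:' } | Select-Object -First 1
    if ($compiler -and $compiler -match '-DOPENSSL_NO_HEARTBEATS') {
        return "not exposed ($version, built with OPENSSL_NO_HEARTBEATS)"
    }

    if ($version -match '^1\.0\.1([a-z]?)') {
        $suffix = $Matches[1]
        # 1.0.1 without a letter, or a through f, is in the affected range; g and later are fixed.
        # Caveat: distribution packages may backport the fix without changing the letter, so a
        # "1.0.1e" reported here still needs the package changelog checked before it is trusted.
        if ($suffix -eq '' -or $suffix -le 'f') { return "exposed ($version)" }
        return "not exposed ($version)"
    }
    if ($version -match '^(0\.9\.8|1\.0\.0)') {
        return "not exposed ($version, branch without the heartbeat extension)"
    }
    return "not assessed ($version): outside the range the post covers"
}

# Constructed sample outputs, one per (hypothetical) federation endpoint host
$samples = @{
    'sts01'   = "OpenSSL 1.0.1e 11 Feb 2013`ncompiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS"
    'sts02'   = "OpenSSL 1.0.1g 7 Apr 2014`ncompiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS"
    'proxy01' = "OpenSSL 1.0.1e 11 Feb 2013`ncompiler: gcc -fPIC -DOPENSSL_NO_HEARTBEATS -DOPENSSL_THREADS"
}
foreach ($name in $samples.Keys) {
    '{0}: {1}' -f $name, (Test-HeartbleedExposedBuild -VersionOutput $samples[$name])
}
```

Hosts reported as exposed still need the certificate reissue and password reset steps the post describes, since the check only tells you whether the leak path is closed, not whether anything leaked before it was.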

From there on, you might ask or force users to reset their passwords, unless you’ve already deployed a multi-factor authentication solution. When a security token is required, a malicious party cannot log in to a service with the password alone.


Claims-based authentication

So claims-based authentication must be safe, then? Passwords can’t leak from OpenSSL when the OpenSSL process (or daemon) doesn’t have them, right?

While it’s true that OAuth2, OpenID Connect and SAML2 endpoints at resource providers may not leak passwords, because these endpoints typically only handle signed tickets, other risks are still present. Also, the endpoint of the identity provider might be protected by a vulnerable implementation of OpenSSL…

When you’re the resource provider in a claims-based authentication implementation, you should make sure the identity providers you have federated with are not running vulnerable OpenSSL implementations. Their signing key may have been compromised and, thus, a malicious party could sign tickets as if they originated at the identity provider.

When you’re the identity provider in a claims-based authentication implementation, you should make sure the resource providers you have federated with are not running vulnerable OpenSSL implementations. Examples of affected resource providers are Facebook, Yahoo and Google. The private key of their implementation(s) may have been compromised, and a certificate may have been issued that allows a malicious party to pose as your resource provider and obtain signed tickets from you.


Indeed, one single link in the authentication chain might cause the entire chain to fail…


To identify vulnerable identity and/or resource providers, use the tools at Filippo.io and/or the list on Mashable. Contact vulnerable identity and/or resource providers to have them upgrade their OpenSSL implementation(s) to at least version 1.0.1g or have their OpenSSL implementation(s) recompiled with -DOPENSSL_NO_HEARTBEATS. Additionally, they should reissue the certificates used by the implementation(s).

From there on, you might ask or force users to reset their passwords, unless you’ve already deployed a multi-factor authentication solution.


Further reading

The Heartbleed Bug
Vulnerability Summary for CVE-2014-0160
OpenSSL Security Advisory [07 Apr 2014]
How to Protect Yourself From the Heartbleed Bug
Information on Microsoft Azure and Heartbleed
Heartbleed bug puts the chaotic nature of the Internet under the magnifying glass

Virtualization-safe(r) Active Directory in VMware environments, Part 2

In the first post of this series, I showed how to uncover the VM-GenerationID, the random value that unlocks all the Windows Server 2012 Active Directory Domain Services virtualization magic, on VMware’s vSphere and Workstation virtualization solutions.

Today, I’m showing you how to interpret this value and how it may differ between versions of the VMware solution used and the version of the VMware Tools used.


You’ll need specific versions of VMware ESXi

First of all, if you want to run Windows Server 2012 on VMware vSphere, you’ll need at least ESXi 5.0 Update 1, since this is the first version of the hypervisor on which VMware supports Windows Server 2012.

But VMware implemented the VM-GenerationID functionality, as designed by Microsoft, into its products in the summer of 2012, using the whitepaper and example code shared by Microsoft. It did not finish this work prior to March, so ESXi 5.0 Update 1 (released March 15, 2012) does not include the VM-GenerationID functionality.

These VMware ESXi versions support the VM-GenerationID functionality:

  • VMware ESXi 5.0 Update 2 (Build 914586) and subsequent updates to ESXi 5.0
  • VMware ESXi 5.1 (Build 799733) and subsequent updates to ESXi 5.1
  • VMware ESXi 5.5 (Build 1331820) and subsequent updates to ESXi 5.5

One thing to know, however, is that the VM-GenerationID functionality in ESXi 5.0 Update 2 (released on December 20, 2012) was implemented based on a draft of the VM-GenerationID whitepaper. Microsoft made a significant update to this whitepaper and the example code it shared with VMware and Citrix before making it final:

In the draft version of the VM-GenerationID whitepaper, the VM-GenerationID value was defined as a random 64-bit value. In the final version of the VM-GenerationID whitepaper, the VM-GenerationID value was defined as a random 128-bit value.

This means you will find significantly smaller values in the virtual machine configuration (*.vmx) file on the host and in the (hidden) Microsoft Hyper-V Generation Counter system device in virtual machines running on top of VMware ESXi 5.0 Update 2, compared to virtual machines running on top of later versions of ESXi, including ESXi 5.0 Update 3 (released October 17, 2013).

You’ll need VMware Tools

Without the VMware Tools installed, a virtual machine running Windows Server 2012 (or up) will not be able to benefit from the VM-GenerationID capabilities, since the VM-GenerationID value will not be put in the virtual machine’s RAM.

Without the VM-GenerationID in RAM, a virtual Domain Controller will not be able to see when it is reverted to snapshot or cloned and you will not benefit from the virtualization safeguards in Active Directory Domain Services that make it virtualization-safe(r).

Of course, updating to a more recent version of the hypervisor requires upgrading the VMware Tools in the virtual machines running atop it, too, to remain in a supported state.

Besides running in an unsupported state, virtual machines running version 5.0 Update 1 of the VMware Tools on top of ESXi 5.0 Update 2 (or up) will not have the VM-GenerationID functionality enabled, since version 5.0 Update 1 of the VMware Tools does not support it yet.



When you want to utilize the VM-GenerationID functionality in a networking environment, virtualized with VMware products, in a supported manner, you will need to:

  • Run ESXi 5.0 Update 2 (or up), ESXi 5.1 or ESXi 5.5 as the hypervisor.
  • Have the VMware Tools installed in the virtual machines.
  • Have the VMware Tools version installed that corresponds to your hypervisor version.


Related blogposts

Virtualization-safe(r) Active Directory in VMware environments, Part 1
List of Hypervisors supporting VM-GenerationID
Citrix XenServer joins the VM-GenerationID family
New features in AD DS in Windows Server 2012, Part 13: Domain Controller Cloning
New features in AD DS in Windows Server 2012, Part 12: Virtualization-safe Active Directory

Further reading

Cloning Windows Server 2012 Domain Controllers on vSphere 5
Windows Server 2012 VM-Generation ID Support in vSphere

Pictures of the three Dutch IT Camps (The unofficial Hyper-D Farewell Tour)

I’ve had the pleasure of hosting three Microsoft IT Camps in the past three weeks and with them, effectively, organizing the unofficial ‘Hyper-D Farewell Tour’…

Hyper-D (Daniel van Soest) and I hosted all three IT Camps, consisting of four half-day Windows Server 2012 R2 Camps and two half-day System Center 2012 R2 Camps, following this schedule:

Below is a selection of pictures of our audiences (350 unique visitors), the venues and, of course, ourselves:

Our audience at Van der Valk Amsterdam (click for original photo)
Our audience at Van der Valk Vianen (click for original photo)
Our audience at Van der Valk Breukelen (click for original photo)
This is what it looks like from our point of view (click for original photo)
Hyper-D explaining Service Templates in System Center Virtual Machine Manager (click for original photo)
Well catered... (click for original photo)
This is us! (click for original photo)
Best piece of feedback of the series: VM-GenerationID picked as the best part of the session (click for original photo)
Hyper-D and me after our last IT Camp (click for original photo)

Thank You!


Related blogposts

I’m hosting three (sold-out) Windows Server 2012 R2 IT Camps with Daniel van Soest
I’ll be hosting a Microsoft Netherlands Datacenter Virtualization IT Camp with Tony Krijnen
Pictures of the December 11 IT Camp with Tony Krijnen

I’m speaking at the Dutch 2014 TechDays

I’m very excited to announce that I’m listed to speak at the TechDays event, hosted by Microsoft Netherlands on April 16 and April 17, 2014 at the World Forum in The Hague.

Of course, just like previous Dutch TechDays events, I’m also on the roster for the Ask the Experts. This is my 4th consecutive year there…

About the Dutch 2014 TechDays

TechDays is an international series of Microsoft events, hosted by Microsoft subsidiaries around the world. Microsoft Netherlands, just like last year, has decided to make the event a 2-day event filled with content for both IT Professionals and Developers.

Microsoft Netherlands has arranged for several highly rated international speakers, like John Craddock, Bryon Surace, Chris Jackson and Paula Januszkiewicz to present sessions, next to our own heroes Maarten Goet, Ronald Beekelaar, Ruben Spruijt, Steven van Houttum, Jeff Wouters, Kenneth van Surksum, Roel van Bueren and Alex De Jong.


About my session

I will be hosting a 75-minute session, together with Raymond Comvalius (Windows IT Pro MVP). Our session is titled Bring Your Own Device Essentials with Windows technologies and focuses on the new BYO and Identity capabilities found in Windows 8.1 (Update) and Windows Server 2012 R2 (Update).

As part of the session, Raymond and I will convince our audience of the practical use cases of claims-based authentication, multi-factor authentication, the Web Application Proxy, Workplace Join and Work Folders, where you open the network infrastructure up to the outside world but, at the same time, remain in control through Windows Intune and integration with on-premises Microsoft technologies like Active Directory and System Center Configuration Manager…

Our session is planned on April 16, 2014 between 10:50 AM and 12:05 PM.

Will we see you there?


Related blogposts

I will be speaking at NGNs and NGIs shared BYO Event
I’ll be speaking at Experts Live 2013
I will be speaking at NIC 2014
Raymond and I will be delivering our BYOD Show to High School students

First signs of the XPocalypse…

The world, as a lot of people know it, is coming to an end on April 8, 2014: They’ll be cut off from the world, left out in the cold, doomed to live in a world of lawlessness and trapped in wars between good and (don’t be) evil.

I’m not talking about the religious end of time, but the end of support for Windows XP on April 8, 2014, commonly referred to as the XPocalypse.

Having left the world of Windows XP on one of the earliest betas of Windows Vista, I didn’t really take notice of the world of pain a lot of people still on Windows XP would have to endure. I posted a list of actions to perform when you want to keep on using Windows XP and thought that would’ve put IT administrators off their plans to force this 12 1/2 year old Operating System onto their end users.

Apparently, I was wrong.

I visited a trade show earlier this week, where I spoke to some (former) health professionals. Whenever I mentioned I was into Microsoft, I would get the strangest replies:

The end of support of Windows XP is a marketing move by Microsoft, which helps the sale of Macs.

I can no longer send e-mail through my Gmail account, when I’m on Windows XP. It’s not even April 8, yet!

Now, the last reply was a situation unknown to me, so I decided to investigate the situation.

The issue

In my exchange of messages with the person telling me of this situation, I found out the person had no trouble creating, sending, forwarding and replying to messages on devices running Windows 7. His older Windows XP-based device was another story: he could not send mail on it. Also, he experienced the same behavior on the devices that one of the bigger hospitals in the region offers to visitors. You’ve guessed it: Windows XP too.

Now, I’m guessing the hospital is conducting some strange research on how much abuse a visitor is willing to take. I can’t find another reason why they’d be insulting and exposing visitors to Windows XP…

Then I turned to Google support and looked into their browser support. They don’t offer any specific information for the consumer-grade GMail service, other than:

You can access Gmail through the Internet on browsers like Chrome, Firefox, Internet Explorer, and Safari on your computer.

In general, Gmail supports the current and prior major release of Chrome, Firefox, Internet Explorer and Safari on a rolling basis.

For its business users, Google does go into more detail on supported browsers for Google Apps:

As previously announced, Internet Explorer 11 launched on October 17, 2013, and as a result, we've discontinued support for Internet Explorer 9.

It is a very recent problem too, since people on Google’s product forums only started noticing this behavior beginning March 21st.

The solution

Apparently, Google wants people to use recent browsers and has found a way to lock out the hordes of loyal Windows XP users: since Windows Internet Explorer 8 is the latest version of Internet Explorer they can upgrade to on Windows XP, they’ll need to get sucked into the Google ecosystem and use Google Chrome on their Windows XP-based devices.

For the visitors of the aforementioned hospital, using their locked-down visitor PCs, no cure is available.



Time will tell whether Google’s decision to lock out Windows XP users using their default browsers is a good thing.

On the other hand, if Windows XP-based devices collectively change into botnet zombies on April 9, 2013, Google might just have saved our inboxes from loads of unsolicited messages (if you’d believe malware would actually use the GMail website)…

Related blogposts

So you want to continue using Windows XP?

Virtualization-safe(r) Active Directory in VMware environments, Part 1

When you check my list of virtualization platforms that support Virtualization-safe(r) Active Directory through the Microsoft-backed VM-GenerationID capability, you’ll notice that VMware has been supporting it in their products for a while now: both VMware Workstation and VMware ESXi support it for Windows Server 2012 and Windows Server 2012 R2-based Virtual Machines (VMs).

Unfortunately, I hadn’t come across a VMware environment in a while and, thus, didn’t have time to look into the way VMware has implemented the feature. Yesterday, for my presentation at the Dutch VMware User Group Conference, I did.

So, let me kick off this series in which I’ll be sharing what it feels like to virtualize and clone Active Directory Domain Controllers safely on both platforms, with a blogpost on finding out whether your virtual Domain Controllers may benefit from the VM-GenerationID on the VMware-based hypervisors and, thus, may be safely virtualized and cloned.


Finding the VM-GenerationID

Within a VMware environment, two ways exist to find out whether your Windows Server 2012 and Windows Server 2012 R2-based Virtual Machines (VMs) leverage the VM-GenerationID:

  • Listed in the Virtual Machine Configuration (*.vmx) file on the host
  • Listed as a system device in the guest.


From the Virtual Machine Configuration

When you have access to the files of a VMware-based Virtual Machine, you can check the Virtual Machine Configuration (*.vmx) file. When you open this file with your favorite text editor (for instance, Notepad), you can search for the line that starts with vm-genid:

Contents of the vmx file for a Virtual Machine running on a VM-GenerationID-capable VMware-based virtualization environment (Click for original screenshot)
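Reading the value out of the *.vmx file as described above, and interpreting it as Part 2 of this series does (a 64-bit value from the draft whitepaper on ESXi 5.0 Update 2 versus a 128-bit value on later releases). This is an added example and not code from the post or from VMware; it assumes the configuration keys are vm.genid and vm.genidX (the second 64-bit half), accepts the vm-genid spelling the post uses as well, and assumes a draft-era file carries only the first key. The *.vmx fragments are constructed.

```powershell
# Added example, not from the original post: extracts the VM-GenerationID from .vmx text,
# reports whether it is the 64-bit or 128-bit form, and compares two copies of the file
# to detect a changed generation (what a snapshot revert or clone produces).
# ASSUMPTION: keys are vm.genid and vm.genidX; the post only says the line starts with
# vm-genid, so both spellings are matched. A file with only vm.genid is treated as the
# 64-bit draft-whitepaper form (assumption). Sample .vmx content below is constructed.

function Get-VmGenerationId {
    param([Parameter(Mandatory=$true)][string]$VmxText)
    $low = $null; $high = $null
    foreach ($line in ($VmxText -split "`r?`n")) {
        if ($line -match '^\s*vm[.\-]genid\s*=\s*"(-?\d+)"') { $low = [int64]$Matches[1] }
        elseif ($line -match '^\s*vm[.\-]genidX\s*=\s*"(-?\d+)"') { $high = [int64]$Matches[1] }
    }
    if ($null -eq $low) { return $null }
    # .NET renders a negative Int64 in two's complement, which yields the raw 64-bit half
    $lowHex = $low.ToString('X16')
    if ($null -eq $high) {
        return New-Object PSObject -Property @{ Bits = 64; Hex = $lowHex }
    }
    return New-Object PSObject -Property @{ Bits = 128; Hex = ($high.ToString('X16') + $lowHex) }
}

function Compare-VmGenerationId {
    param([Parameter(Mandatory=$true)][string]$BeforeVmx,
          [Parameter(Mandatory=$true)][string]$AfterVmx)
    $a = Get-VmGenerationId -VmxText $BeforeVmx
    $b = Get-VmGenerationId -VmxText $AfterVmx
    if ($null -eq $a -or $null -eq $b) {
        return 'no VM-GenerationID present: check the ESXi version and the VMware Tools'
    }
    if ($a.Hex -eq $b.Hex) { return 'unchanged: same generation, no revert or clone detected' }
    return 'changed: the guest Domain Controller will see a new generation and apply its safeguards'
}

# Constructed .vmx fragments for a DC before and after a snapshot revert (128-bit form)
$before = @"
displayName = "DC01"
vm.genid = "-3570216633853049344"
vm.genidX = "-4453616612389427520"
"@
$after = @"
displayName = "DC01"
vm.genid = "1234567890123456789"
vm.genidX = "-4453616612389427520"
"@

Get-VmGenerationId -VmxText $before | Format-List Bits, Hex
Compare-VmGenerationId -BeforeVmx $before -AfterVmx $after
```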


Through the (hidden) system device

As part of the VM-GenerationID whitepaper published and shared by Microsoft, a system device needs to be presented to each Virtual Machine. As we’ve seen before on a Virtual Machine running on XenServer 6.2.0, this device can be found in Device Manager (devmgmt.msc); on VMware, it appears after the VMware Tools have been installed.

VMware, however, has decided to make the Generation Counter device hidden from the default view in Device Manager (devmgmt.msc) in Virtual Machines (VMs) running on its VM-GenerationID-capable virtualization products.

To see the device, the option Show hidden devices from the View menu needs to be enabled, first:

Show hidden devices option in the View menu of Device Manager (click for original screenshot)

Then, as part of the list of System devices the Generation Counter device can be found:

The Microsoft Hyper-V Generation Counter in Device Manager in a VMware-based Virtual Windows Server 2012 installation (click for original screenshot)

I don’t know the exact reason why VMware has chosen to make the Microsoft Hyper-V Generation Counter device a hidden device on virtualized Windows Server 2012 installations. I can only imagine…

Perhaps the fact that every Windows Server 2012 and Windows Server 2012 R2-based Virtual Machine on every current VMware virtualization solution has a device with a name containing Hyper-V after the VMware Tools have been installed, combined with the fact that admins can’t disable this feature, is slightly embarrassing to VMware?



You can find out whether your virtual Domain Controllers may benefit from the VM-GenerationID on the VMware-based hypervisors through the Virtual Machine Configuration (*.vmx) file on the virtualization host and/or from the (hidden) system device in the guest.
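Both checks described above can be scripted. The following PowerShell is an added example and not code from the original post or from VMware or Microsoft: one function scans the lines of a *.vmx file for the vm-genid entry the post mentions (the pattern also tolerates a dot as separator, which is an assumption), and the other queries the Plug and Play device list inside the guest for the Generation Counter device. WMI returns hidden devices as well, so the "Show hidden devices" step is not needed here. The sample .vmx content, the placeholder ID values and the file path are constructed for the demonstration.

```powershell
# Added example (not part of the original post): verify VM-GenerationID support
# for a VMware-hosted Windows Server 2012 / 2012 R2 guest in the two places the
# post describes. Only built-in cmdlets are used (Get-WmiObject / Win32_PnPEntity).

function Test-VmxHasGenerationId {
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $VmxLines   # contents of a *.vmx file, one element per line
    )
    # The post shows a line starting with "vm-genid"; '[-.]' additionally accepts
    # "vm.genid" (assumption, in case the key is written with a dot).
    $genIdLines = @($VmxLines | Where-Object { $_ -match '^\s*vm[-.]genid' })
    if ($genIdLines.Count -gt 0) {
        Write-Host "VM-GenerationID present in configuration: $($genIdLines -join '; ')"
        return $true
    }
    Write-Host "No vm-genid line found in configuration."
    return $false
}

function Test-GuestHasGenerationCounter {
    # Run inside the guest. Win32_PnPEntity lists hidden devices too, so the
    # 'Show hidden devices' option in Device Manager is not required.
    $device = Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.Name -like '*Generation Counter*' }
    if ($device) {
        Write-Host "Found device: $($device.Name) (status: $($device.Status))"
        return $true
    }
    Write-Host "No Generation Counter device present in this guest."
    return $false
}

# --- usage ---

# Constructed sample .vmx content; the vm-genid value is a placeholder, not a real ID.
$sampleVmx = @(
    '.encoding = "UTF-8"',
    'config.version = "8"',
    'displayName = "DC01"',
    'vm-genid = "PLACEHOLDER-GENERATION-ID"'
)
Test-VmxHasGenerationId -VmxLines $sampleVmx

# For a real configuration file copied from the host (example path):
# Test-VmxHasGenerationId -VmxLines (Get-Content -Path 'C:\VMs\DC01\DC01.vmx')

# Inside the virtual Domain Controller:
Test-GuestHasGenerationCounter
```

If the first function returns $true for the .vmx file but the second returns $false inside the guest, the usual explanation is that the VMware Tools have not been installed yet; without the device, the Domain Controller cannot detect a snapshot rollback and the virtualization-safe behaviour described in the related posts does not apply.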

Related blogposts

List of Hypervisors supporting VM-GenerationID   
Citrix XenServer joins the VM-GenerationID family     
New features in AD DS in Windows Server 2012, Part 13: Domain Controller Cloning 
New features in AD DS in Windows Server 2012, Part 12: Virtualization-safe Active Directory

Further reading

Cloning Windows Server 2012 Domain Controllers on vSphere 5  
Windows Server 2012 VM-Generation ID Support in vSphere

Pictures of CeBIT Hannover 2014

Last Wednesday and Thursday I visited CeBIT 2014 in Hannover, Germany with three of my esteemed colleagues: Adnan Hendricks, Michiel de Jongh and Bas Lips. We saw interesting new technology, met interesting people and concluded we, indeed, live in interesting times.

Our day at CeBIT started around 5 AM at our Delft Office, where we met to embark on our 4-hour drive to Hannover via Utrecht, Almelo and Osnabrück. It was a beautiful morning with a red moon just above the horizon and as we saw the sun rise it became apparent it would also become a nice day.


We arrived at the Hannover Messe at around 9:30 AM, via the infamous two-lane one-way highway. We parked at Ost 14, crossed the bridge and entered the Messegelände through Hall 3. Hall 3 was home to a booth by Topdesk, our sister company Dutch. We enjoyed a nice cup of coffee at their booth and acclimatized immediately. After all, we’re no CeBIT first timers…

In Hall 4, we encountered booths by T-Mobile, SAP, Salesforce and Microsoft. That’s right; their four booths covered a whole hall:

A quick overview of Hall 3 at CeBIT 2014: T-Mobile, Microsoft and SAP (click for original photo)
It was a beautiful day, but apparently T-Mobile expected it to rain (click for original photo)
Salesforce promoting their ideas on local software in a fun way at CeBIT 2014 (click for original photo)
The Microsoft booth at CeBIT 2014 (click for original photo)
Heike Ritter (Technical Evangelist, Microsoft Germany) delivering a presentation at Microsofts IT Pro Academy at CeBIT 2014. (click for original photo)

From Hall 4, we made our way through a couple of other halls at CeBIT and met several innovative new technologies, like the prosthetic hand from Touch Bionics, which enabled a woman to use the muscles in her forearm to move the fingers. An app on a device allowed her to program and tweak hand movements. This active prosthesis allowed her to pick up and hold objects (without crushing them) and even shake hands.

While the personnel at Touch Bionics’ booth aimed at showing the internal workings of their i-limb ultra with its active skin, sparking comparisons to RoboCop, this company also offers a skin matching program, making for perfect integration.

A couple of feet from this booth, Iameco showed their line of green electronics: PCs and laptops made from 100% recycled materials, like wood and aluminum. An impressive feat and well worth a second look, despite the fact that most employees probably prefer a new laptop to a ‘used’ one.

Another CeBIT 2014 Innovation Award winner, Kinematic Blocks, also was able to show off their technology: Robotics for children.

Kinematic Blocks demo (click for original photo)

This video illustrates their tech perfectly. I feel this is going to revolutionize the way toddlers are going to look at robotics and technology. The fact that they made their blocks 100% compatible with Lego Technics is a nice bonus. I wouldn’t be surprised if this tech made it to the top of the toys award lists.

We had a nice lunch and for the afternoon headed for the higher-numbered halls. CeBIT wouldn’t be CeBIT without halls and halls filled with South-East Asian companies, offering all kinds of IT-related means under the most straight-forward company names:

SpeedTech, the name says it all. (click for original photo)
SeeTech, I see what you did there... (click for original photo)
Baudtec. As in modems... (click for original photo)
Hank Electronics, my favorite one (click for original photo)
Another nice line-up of tech. (click for original photo)
Routers and routers (click for original photo)
With a company name like that, you don't have to question the quality. (click for original photo)

Also, we encountered the worldwide market leader in power supplies for ATM machines in the Hall with all the banking companies. I didn’t know them…

Of course, a visit to CeBIT wouldn’t be complete without a visit to the Münchner Halle.

A round of beers at the Münchner Halle (click for original photo)

Cheers! :-)

When you lose a bet…

People who know me, know me as a guy who likes to motivate people with random bets. It’s not intrinsic motivation, but it’s the kind of motivation that gets things done.

A few weeks ago, I made a bet with a couple of colleagues. These colleagues were competing in the Winter 2014 worldwide PowerShell Scripting Games with the help of the Dutch PowerShell User Group. They had a steep learning curve, underestimated the work and their morale was low. "Time for a bet", I thought.

So, with Jeff Wouters as our mutual witness, I bet I would buy a cake if one of the three teams we entered from within our company (DuPSOGD1, DuPSOGD2 and DuPSOGD3) would end up in the Top 10.

… and team DuPSOGD2 did.

Last Monday, I decided to ambush the guys and surprise them with cake:

Scripting Games Cake
Picture moment with team DuPSOGD2 (click for original photo)
Hungry! ;-) (click for original photo)

Also, Jeff dropped by with a couple of certificates from his User Group, to honor the team members with their achievements:

Look who dropped by while we're eating cake... (click for original photo)
Jeff Wouters handing out the Dutch PowerShell User Group Certificates (click for original photo)
Dutch PowerShell User Group Certificates (click for original photo)

It’s not always a bad thing to lose a bet. ;-)

Pictures of the Microsoft Netherlands CloudOS MVP Roadshow

Last Friday, I co-organized the CloudOS MVP Roadshow with Microsoft Netherlands in ‘De Werf’ (nicknamed ‘the Auditorium’) at Microsoft Netherlands in Schiphol, The Netherlands.

3 MVPs to one attendee... a very uncommon ratio, but not at this event! ;-) (featuring MVPs Ad Hendricks, Robert Smit & James van den Berg) (click for original photo, photo by William Jansen)

With our team of Microsoft employees and Microsoft MVPs we created a fantastic free all-day event for the 57 attendees.

We started the event at 9:30 AM with an introductory speech from Isabel Moll-Kranenberg. As the Business Lead for Windows Server and Windows Azure for the Netherlands, she introduced her team, the trends she sees, and the TechDays event.

Our audience in anticipation of the inspiring session of Isabel Moll (click for original photo, photo by William Jansen)
Isabel Moll kicking off the CloudOS MVP Roadshow (click for original photo, photo by Maarten Goet)

Next up, Marc van Eijk (Windows Azure MVP) and James van den Berg (Cloud & Datacenter Management MVP) walked us through the Datacenter Management track:

Marc van Eijk on extending datacenters with virtualization and networking (click for original photo)
Mr BlurryCam strikes again! Marc van Eijk presenting... but on what? ;-) (click for original photo)
The CloudOS explained. Questions? ;-) (click for original photo)
James van den Berg on ensuring business continuity and service delivery (click for original photo)
James van den Berg in his habitat. (click for original photo)

After a short coffee break, SQL Server MVP André Kamman explained trends like Big Data and solutions like Hadoop to our audience:


As a special treat, Michiel Rozema from Microsoft Netherlands gave his inspiring Business Intelligence demo, querying for both the best salesman and bartender within the same minute.

During lunch, we mingled with the audience. This gave me the opportunity to appear in a selfie with the guy I could only introduce to the audience as ‘our administrative MVP contact within Microsoft’:
It's William! :-) (click for original selfie by William Jansen)

Of course, we all know who he is, right? Knipogende emoticon

After lunch, Raymond Comvalius presented on hybrid identity with slides on Access and Information Protection. Slides that were very familiar to me…

Raymond Comvalius explaining claims (click for original photo)
Raymond leaning in to hear a question from our audience (click for original photo)
Raymond with his head in the (projected) clouds (click for original photo)

This block of sessions also featured a demo-filled session by Ronny de Jong, to fill in for Maarten Goet, so the latter could get ready for System Center Universe Asia Pacific 2014.

Ronny de Jong on Unified Device Management (click for original photo, photo by William Jansen)

A modern IT infrastructure, based on the CloudOS and enabling modern access, needs cross-platform apps. Windows Phone Development MVP Tom Verhoeff shared his view on the various aspects of developing high-quality applications for both Windows Phone and the Modern Interface in Windows RT and recent versions of Windows:

Tom Verhoeff showing the three paths to embracing modern apps (click for original photo)

After these sessions, I led the wrap-up to get questions and feedback from our audience. We gathered some great questions across our areas of expertise and filled some gaps in their interpretations of the Microsoft CloudOS and the Microsoft MVP Program:

Wrap-up time! :-) (click for original photo, photo by William Jansen)


I would like to thank everyone that was involved in making this event a success!

I appeared in ITBende Podcast 249 last Friday

Being involved with Microsoft Netherlands the way I am has its advantages. Like yesterday, when I appeared in ITBende.nl Podcast 249 to talk about the Microsoft rumors of this last week, and, of course, to talk a little about the upcoming Dutch TechDays event.

I have been a guest on this podcast two times earlier and enjoyed it both times.


About ITbende

ITbende is a non-commercial Dutch IT news website with a weekly podcast, where Martin Broerse, Dae Punt, Luc Sala and Bart van Klaveren discuss the latest IT-related news. Often they invite people into their podcast to discuss a trending topic in more depth, get rumors confirmed or just get some more food for thought for future podcasts.


ITBende Podcast 249

Since I was also organizing the Dutch CloudOS MVP Roadshow yesterday, I had a little trouble joining the podcast from the start, but eventually found a wired connection on the 3rd floor of the Microsoft Netherlands office in Schiphol.

When I finally connected, the guys were already done talking about Samsung’s $930m fine towards Apple (1m00) and the underlying patent wars, 3D Printing (4m40) and their relation in terms of legal implications for 3D print shops, like HEMA. Building onto the various examples given on the blurring divide between devices and software (Toyota recall and FLIR), I joined the discussion from 22m14 onwards.

Almost directly I got a question on Windows XP displaying pop-ups on the 8th of every month regarding the end of support. Since I haven’t seen the pop-ups myself (nor am I running Windows XP), I really had nothing to add. Then, going forward, we discussed the rumor on a free version of Windows. (23m25)

Since CeBIT Hannover is on the schedule for next week, from 25m37 onwards, we discussed this event and its keynotes a bit. From 26m40 the discussion is steered back towards Microsoft topics. Of course, Windows 8.1 Update 1 was brought up. I shared what I saw when I took an early look at Windows 8.1 Update 1 (build 9600.16596). Answering a question on the Internet Explorer Enterprise Mode that is supposedly part of Windows 8.1 Update 1 (29m18), the discussion heads towards embracing new technologies versus being trapped in old technology.

From 28m28 onwards, a lighter subject was chosen: DirectX 12. From 40m00, finally, I talked about the upcoming Microsoft TechDays event in The Hague, the Netherlands. Next up: the new social strategy for Microsoft Office and Microsoft Office 365. (41m35) From 47m40, then, the subject of Yahoo! no longer allowing access to Flickr with Facebook and Google accounts. Of course, the Azure Active Directory federation hub story applies there, so I brought it up.

Wrapping it up from 49m40, the guys invite me back for when there’s more news.
I guess I’ll be back next week. ;-)


Related blogposts

Featured in the Dutch ITbende podcast today  
Featured in the Dutch ITbende podcast today (again)

Pictures of the 2014 Dutch VMUG Conference

Last Thursday, I was invited as a speaker at the 2012 Dutch VMware User Group Conference at Conference center 1931 in Den Bosch, the Netherlands, to present on virtualization-safe(r) Active Directory and Domain Controller Cloning in VMware environments.

Welcome to the VMUG Conference (click for original photo)
Program for the End User Computing track, with my session listed at the bottom (click for original photo)

With over five hundred attendees, the organization had its hands full at the registration desk. Luckily, there was a badge for everyone.

NL VMUG Badges at the Registration Desk (click for original photo)

I arrived early to accommodate a couple of colleagues and customers in their travel and registration needs, and enjoyed many of the available sessions during the day.

Some colleagues at the Dutch VMUG. Left to right: Olaf van Kesteren, Bart Peeters, Joep Weesenbeek and Jos Schepens (click for original photo)

My session was scheduled for the last time slot, which gave me lots of possibilities to enjoy coffee at the booths of several sponsors, incorporate information people heard during the day and to tweak my demos and slides.

I checked out the room in advance:

The stage in Limousin 1 (click for original photo)
Calm before the storm... (click for original photo)

In the same room, Ruben Spruijt and Jeroen van de Kamp presented an entirely new slide deck with preliminary results of Project Virtual Reality Check (VRC), containing some real eye-openers for the audience:

Ruben Spruijt and Jeroen van de Kamp about to start their session (click for original photo)

Then, at last, it was time for my session:

Getting close to the end of the list now... (click for original photo)
Let's give the audience what they're waiting for! (click for original photo)
Two Of A Kind Presentation Title (click for original photo)

Afterwards, we took some pictures with all the speakers, drank some beers with the attendees and ended up at Rancho Bravo (much) later, to enjoy steak:

Steak at Rancho Bravo (click for original photo)

It was a good day! :-)

I’m hosting three (sold-out) Windows Server 2012 R2 IT Camps with Daniel van Soest

Remember when I hosted a Microsoft Windows Server IT Camp with Tony Krijnen in December of 2012? Now, as part of my virtual Technical Evangelist (vTE) role within Microsoft Netherlands, I’m hosting IT Camps again.

Last time, I had a good time and the pictures to show it. :-)
So, it should not come as a surprise I’m really looking forward to the upcoming three Windows Server IT Camps with Daniel van Soest.

Microsoft Netherlands has been hosting Windows Server IT Camps for several years and their approach has been widely different from the approach taken by other subsidiaries: the approach, aimed at 1-day in-person events, has been to have people reuse their laptops as Hyper-V hosts using Boot from VHD technology, join them to an Active Directory domain, install the Hyper-V role, connect them to shared storage and then create Fail-over Clusters.

These IT Camps have gathered numerous nicknames in the past years, including “Guinness Book record attempts to create the largest Hyper-V Fail-over clusters in one day”.

This time around, the IT Camps have undergone a couple of changes. In contrast to the Windows Server 2012 IT Camps, the Windows Server 2012 R2 IT Camps only span half a day. Windows Server 2012 R2 offers many improvements over Windows Server 2012 that contribute to this change, and, of course, it’s not the first time Daniel and I do IT Camps.

Another change is that these IT Camps are invitation-only.

Further reading

I’ll be hosting a Microsoft Netherlands Datacenter Virtualization IT Camp with Tony Krijnen 
Pictures of the December 11 IT Camp with Tony Krijnen
