
BOIS planning guide for Windows 2003 R2

Today a new file showed up on Microsoft Downloads which may be interesting for anyone working with Windows 2003 R2. This new file is Branch Office Infrastructure Solution for Microsoft Windows Server 2003 Release 2. Quoting the description from this page:

(...) This solution provides detailed guidance to help medium to large organizations design branch office infrastructures into their environment. (...)

I think many people working with R2 may find this document very useful.
Posted by tomek | 0 Comments

Migrating from FRS to DFS-R

Everyone that is using a domain based DFS namespace with more than one target is most certainly using FRS to replicate the data between the replicas. R2 provides a new state-based replication mechanism called 'DFS Replication'.

A summary of its very cool features and characteristics:

  • Unlike NTFRS (which is event-based), a state-based multimaster replication mechanism
  • 'DFS Management' MMC for configuration and management
  • Replication Group Characteristics:
    • Set of servers that are members of the replication group and participate in the replication of 1 or more replicated folders
    • Set of replicated folders
    • Replication topology (ring, full mesh, custom)
    • Schedule (days and hours) and bandwidth usage
  • Replication Folder Characteristics:
    • Replicated between a number of replication group members
    • ‘File’ and ‘Subfolder’ replication filters
    • Staging folder to cache new and changed files for replication, with its own quota that governs when files are purged
  • DFS-R uses ‘last writer wins’. Losing file is stored in the ‘ConflictAndDeleted’ folder that resolves the conflict. ‘ConflictAndDeleted’ folder also has its own quota that governs when files are purged and cleaned
  • Remote Differential Compression (RDC):
    • By default enabled!
    • Only changes (at bit level!) are replicated between members
    • Data is compressed during replication
    • Not used on files < 64 KB (default value, can be changed)
    • On high-speed LANs/WANs it might NOT be beneficial. RDC can be disabled on a per connection basis
    • CROSS-FILE RDC: identifies files that are similar to the file that needs to be replicated from one server to another by using portions from files that are similar. One of the end-point servers must be R2 enterprise or R2 datacenter or R2 Storage edition!
  • Scheduling and bandwidth throttling:
    • When configuring the interval you need to specify a start and stop time and the bandwidth usage
    • Schedules in 15 min. increments during 7 period
    • Schedules are based upon: ‘UTC’ or ‘Local time of receiving member’
    • Bandwidth usage options: ‘Full’, ‘No replication’, ‘16Kbps’, ’64Kbps’, ‘128Kbps’, ‘256Kbps’, ‘512Kbps’, ‘1Mbps’, ‘2Mbps’, ‘4Mbps’, ‘8Mbps’, ‘16Mbps’, ‘32Mbps’, ‘64Mbps’, ‘128Mbps’, ‘256Mbps’
    • Schedules and bandwidth usage can be defined for the replication group that applies to all connections or on a per connection basis a custom schedule and bandwidth usage can be defined
  • DFS Replication can be used for:
    • Domain based DFS namespaces
    • Stand alone based DFS namespaces
    • Individual folders not part of a DFS namespace
  • DFS Replication self-healing
    • For USN journal wrap errors (journal wrap errors can occur when changes are not recorded or are occurring too fast without being recorded)
    • For jet database corruption: Replication is halted but service is still available (unlike NTFRS)
  • Member recovery and prestaging
    • DFS-R stores configuration in AD and the server caches the same info locally in an XML file. The file is rebuilt easily
    • Servers can be prestaged easily by just copying or restoring the data. Differences are checked…
    • Outdated files are updated by just replicating the changes from the source server
    • Files on the prestaged server that do not exist on the source server are moved to the PreExisting folder
    • Unlike NTFRS which needed a non-authoritative restore of the replica set
  • Built-in health metrics and diagnostic events
  • Built-in WMI providers are available for monitoring DFS Replication
  • Separate DFS Replication event log available
  • Built-in diagnostic reports can be created with the 'DFS Management' snap-in (watch out for the RPC bug! --> http://blogs.dirteam.com/blogs/jorge/archive/2006/01/02/360.aspx)
  • MOM MP for DFS Replication

 

With the legacy 'Distributed File System' a namespace was created with underlying DFS folders. When one of the DFS folders had two or more DFS folder targets, replication could be set up using FRS and by choosing one of the DFS folder targets as primary master replica to start replication from that same replica to the other replicas.

With the new 'DFS Namespaces' a namespace was created with underlying DFS folders. When one of the DFS folders had two or more DFS folder targets, replication could be set up using DFS-R by creating a NEW replication group that contains the DFS folder targets as replication group members and contains the DFS folder as a replicated folder. Unfortunately, when working from the 'DFS Namespaces' node it is not possible to add the DFS folder as a replicated folder to an existing replication group. To be able to do that you first select an existing replication group, add a new replicated folder and select the replication group members that host that replicated folder. The last step is to SHARE and PUBLISH the replicated folder as a DFS folder in a DFS namespace. For the last part to succeed that DFS folder must not yet exist in the desired DFS namespace (very important!). Each replication group can contain one or more replicated folders.
 

So what is different in the concept between FRS and DFS-R? The main difference here is that each DFS folder using FRS for replication can be compared to ONE replication group only having ONE replicated folder. And as you just have read DFS-R can have replication groups with MULTIPLE replicated folders.
 

When migrating from FRS to DFS-R you have two possibilities:
(1) Configure each existing DFS folder using FRS replication within A SEPARATE DFS-R replication group with one replicated folder
(2) Configure each existing DFS folder using FRS replication within A SEPARATE OR EXISTING DFS-R replication group. This way one replication group can contain one or more DFS folders as replicated folders that share the same replication topology, replication schema and bandwidth usage.
 
Before starting with the migration from FRS to DFS-R, I do recommend that one first reads the following document as it contains information on how to setup/design DFS Namespaces and DFS Replication:

The high-level steps to migrate from FRS to DFS-R are:

  • Inventory all DFS folders within legacy DFS namespaces that use FRS replication
  • Inventory for each DFS folder the following information:
    • DFS namespace path (e.g. \\<FQDN domain>\<namespace name>\<folder>)
    • Replication topology
    • Replication schema
    • File and subfolder filters (replicated folder specific)
    • Staging size (replicated folder specific for each specific replication group member)
    • DFS folder targets and the local path of the folder
    • Delegated tasks (can now be delegated at different level within DFS Namespaces and DFS Replication groups!)
  • From the inventory see which DFS folders have the following characteristics in common and for those design a replication group that contains the DFS folders as replicated folders:
    • Replication topology
    • Replication schema
    • Delegated tasks
  • Perform the following tasks for each DFS folder:
    • Remove FRS replication configuration by using the legacy 'Distributed File System snap-in', selecting the DFS folder, right-clicking it and select 'stop replication' (after doing that replication is stopped for that folder and configuration is removed!)
    • Wait for AD replication to complete or force replication through (without the quotes) -> "repadmin /syncall <FQDN DC where the changes were made> /e /d /A /P /q"
    • Wait for each DFS folder target to poll the new configuration from AD or force the polling through (without the quotes) -> "ntfrsutl poll /now <FQDN FRS based DFS folder target>"
    • Depending on the inventory create a new replication group or use an existing replication group
    • Assign the DFS folder as a replicated folder, select the primary replica and select additional replicas
    • Configure the File and subfolder filters if different from the default
    • Configure the Staging Folder size if different from the default

      REMARK: from this point the DFS folder is available through the DFS namespace and replication is working. However when looking from the DFS Namespaces node by selecting the DFS folder and then the Replication TAB it will show: "Replication status: not configured". And when looking from the DFS Replication node by selecting the replication group and then the replicated folders TAB it will show: "Publication status: not published". The main reason for this is because an attribute is not populated (we will take care of that later!)
       
      REMARK: sharing and publishing the folder into the desired DFS namespace will not work because the DFS folder already exists in the DFS namespace
    • Use ADSIEDIT.MSC to populate the attribute "msDFSR-DfsPath" of the object "CN=<Replicated Folder>,CN=Content,CN=<Replication Group>,CN=DFSR-GlobalSettings,CN=System,DC=<Domain>,DC=<Tld>" with the DFS namespace path of the DFS folder that was collected earlier during inventory
    • Wait for AD replication to complete or force replication through (without the quotes) -> "repadmin /syncall <FQDN DC where the changes were made> /e /d /A /P /q"
    • Wait for each new DFS-R based DFS folder target to poll the new configuration from AD (by default 60 minutes) or force the polling through (without the quotes) -> "dfsrdiag PollAD /Member:<FQDN DFS-R based DFS folder target>"
    • Remove the hidden folders used by FRS from the DFS folder (e.g. "DO_NOT_REMOVE_NtFrs_PreInstall_Directory") (do not touch the "DfsrPrivate" folder as that is used by DFS-R)
  • After migrating all DFS folders that used FRS to DFS-R cleanup the staging directories used by FRS (e.g. "Frs-Staging")
  • If a DFS Namespace was created using the legacy 'Distributed File System' MMC then you might want to enable SITECOSTING at DFS namespace level. The legacy 'Distributed File System' MMC does not enable sitecosting by default as the 'DFS Management' MMC does

To create and configure DFS replication groups and to assign and configure replicated folders, the 'DFS Management' MMC can be used or the command utility 'dfsradmin.exe' can be used. The latter, of course, can be useful in performing repeated tasks!

 

Well.... this is it! ENJOY!
 
If you use this information, please be so kind to post any comments you have!


 
And of course: TRY IT FIRST IN A TEST ENVIRONMENT AND SEE IF THE RESULTS ARE SATISFYING!!!


Cheers,
Jorge

Posted by Jorge | 1 Comments

DFS Replication Health Report

So, let's say you have a few servers and you are playing with R2 and specifically 'DFS Namespaces' and 'DFS Replication'. As you may know 'DFS Replication' can be monitored through a built-in diagnostics report or through the Windows DFS Replication Management Pack for MOM.
The diagnostics report is generated through the new DFS Management snap-in by selecting the corresponding replication group for which you want to generate a report.

The servers you are using are just Windows Server 2003 with Service Pack 1 (with R2 of course!) with NO hotfixes. When trying to create a diagnostics report you might get a report that says that all servers are unavailable for reporting (while they are up and running and replication is working). If you reboot the servers and try again it might report all servers with DFS replication errors (again while they are up and running and replication is working). Looking into the details of those messages, it tells you the RPC hotfix is not installed.

So, if you want to be able to create a built-in diagnostics report, make sure the RPC hotfix (MS-KBQ908521) is installed.

Posted by Jorge | 0 Comments

New webcast from Microsoft IT - ADFS and DFSR deployment

More and more information about R2 is showing up on the Microsoft web; among it we can find a new webcast about ADFS and DFSR technology deployment at Microsoft. How Microsoft IT Deployed Active Directory Federation Services (ADFS) and Distributed File System Replication is a level 300, available on demand webcast delivered by Brian Puhl and Dustin Fraser - both are Sr. Systems Engineers at Microsoft IT.
Posted by tomek | 0 Comments

Live Branch Chat: Administering and Maintaining the Branch Office Technologies

Title:

Live Branch Chat:  Administering and Maintaining the Branch Office Technologies

Begin:

12/16/2005 10:00 AM

End:

12/16/2005 11:00 AM

Description:

This chat will focus on the day to day operations that administrators will go through after the solution is deployed. We will discuss configuration, delegation, determining the state of replication, monitoring and best practices that will help administrators keep branch users happy.

Location:

http://www.microsoft.com/communities/chats/default.mspx#05_1216_TN_bo

 

Posted by carlos | 2 Comments

Is it a bug in the DFS Management MMC or is it me?

OK, let's say you are using the new DFS Management console and you create a new DFS namespace (old name: DFS root) and assign DFS namespace servers (old name: DFS root servers). After that you create a DFS folder (old name: DFS link) below the DFS namespace and configure DFS folder targets (old name: DFS link targets).

With the old 'Distributed File System' MMC you were done and NTFRS replication was auto configured after choosing the replication topology and its primary member.

With the new replication mechanism, after the creation of the DFS folder the system asks you if you want to set up replication using a replication group. Of course, we do! You assign a name for the replication group and the name of the replicated folder is entered automagically. Just as before you need to choose the primary member and the type of the replication topology. Additionally you need to configure the schedule and the bandwidth used during replication.

OK, so far so good!

Now here it comes...

That was not the only DFS folder you wanted to configure. You want another DFS folder in the DFS namespace. As you are a daredevil you just do that! Let's live dangerously! ;-))

Again: create a new DFS folder and configure DFS folder targets.

When ready, the system again asks if you want to create a replication group. Heck no, I want to use the previous replication group. Looking at the DFS folder configuration it says replication is not configured. Well, that's true... Let's click on the link to start the "Replicate Folder Wizard" and add the new DFS folder to the existing replication group. Damn, an error... it says: "the replication group already exists". Well, yeah.. I want to add a new DFS folder to an existing replication group...OK, canceling.

Let's try it another way...

Right clicking the replication group, let's add a new replicated DFS folder. I assign the primary member, choose the folders to replicate, choose available replication group member servers and the path of the folder to replicate. Done!!!

So let's see if everything works...

* Accessing the DFS namespace --> works great!

* Accessing a DFS folder in the DFS namespace --> works great!

* Seeing the properties of a DFS folder in the DFS namespace using Explorer --> looking good!

* Checking if replication works --> works great!

* Checking the namespace configuration and folder referrals --> everything OK and all referral status is enabled for all referrals

* Checking the replication status of the DFS folder through the namespace node --> for the first DFS folder it is configured and for the second DFS folder it is not configured??? (replication is working as I just configured the stuff!)

* Checking the replicated folders through the replication group node and the existing replication group --> for the first DFS folder it says "published to the namespace" while the namespace path is shown and for the second DFS folder it says: "not published" while no namespace path is shown. Hmmm...

OK, right clicking the replicated folder and choosing "share and publish in namespace". Two possible options: "share and publish...." and "share....". Hmmm, I just want to publish as everything is already working. OK, let's use the first... All information entered and at the end it says something like: the DFS folder already exists in the namespace... ;-(( Yes, that is true, it already exists because I configured it so.

 

OK, opening LDP and navigating to "CN=Content,CN=ReplGroup001,CN=DFSR-GlobalSettings,CN=System,DC=ADCORP,DC=LAN". Two child objects exist with their attributes:

CN=FolderDocs,CN=Content,CN=ReplGroup001,CN=DFSR-GlobalSettings,CN=System,DC=ADCORP,DC=LAN

CN=FolderDocs,CN=Content,CN=ReplGroup001,CN=DFSR-GlobalSettings,CN=System,DC=ADCORP,DC=LAN
 2> objectClass: top; msDFSR-ContentSet;
 1> cn: FolderDocs;
 1> distinguishedName: CN=FolderDocs,CN=Content,CN=ReplGroup001,CN=DFSR-GlobalSettings,CN=System,DC=ADCORP,DC=LAN;
 1> instanceType: 0x4 = ( IT_WRITE );
 1> whenCreated: 12/08/2005 15:05:19 W. Europe Standard Time W. Europe Daylight Time;
 1> whenChanged: 12/08/2005 15:05:19 W. Europe Standard Time W. Europe Daylight Time;
 1> uSNCreated: 42297;
 1> uSNChanged: 42297;
 1> showInAdvancedViewOnly: TRUE;
 1> name: FolderDocs;
 1> objectGUID: 9c978b45-5f41-4dfa-94f0-7b278b792029;
 1> objectCategory: CN=ms-DFSR-ContentSet,CN=Schema,CN=Configuration,DC=ADCORP,DC=LAN;
 1> msDFSR-FileFilter: ~*, *.bak, *.tmp;
 1> msDFSR-DfsPath: \\ADCORP.LAN\DFSnamespace$\FolderDocs;

 

CN=FolderToolies,CN=Content,CN=ReplGroup001,CN=DFSR-GlobalSettings,CN=System,DC=ADCORP,DC=LAN

CN=FolderToolies,CN=Content,CN=ReplGroup001,CN=DFSR-GlobalSettings,CN=System,DC=ADCORP,DC=LAN
 2> objectClass: top; msDFSR-ContentSet;
 1> cn: FolderToolies;
 1> distinguishedName: CN=FolderToolies,CN=Content,CN=ReplGroup001,CN=DFSR-GlobalSettings,CN=System,DC=ADCORP,DC=LAN;
 1> instanceType: 0x4 = ( IT_WRITE );
 1> whenCreated: 12/08/2005 15:23:54 W. Europe Standard Time W. Europe Daylight Time;
 1> whenChanged: 12/08/2005 15:23:54 W. Europe Standard Time W. Europe Daylight Time;
 1> uSNCreated: 42335;
 1> uSNChanged: 42335;
 1> showInAdvancedViewOnly: TRUE;
 1> name: FolderToolies;
 1> objectGUID: 04b94303-8f61-4adb-908a-9e16c785f9d1;
 1> objectCategory: CN=ms-DFSR-ContentSet,CN=Schema,CN=Configuration,DC=ADCORP,DC=LAN;
 1> msDFSR-FileFilter: ~*, *.bak, *.tmp;

 

For some reason the SECOND DFS folder does not have the "msDFSR-DfsPath" attribute populated. For the second DFS folder it should be: msDFSR-DfsPath: \\ADCORP.LAN\DFSnamespace$\FolderToolies;

So, using LDP (ADSIEDIT will also work) I populated the attribute. OK, going back to the DFS Management console and kicking the refresh button.

The replication status now says: "Replicated using DFS replication" where it first said "not configured"

The publication status now says: "Published to the namespace" where it first said "not published"

 

As you can see, by just changing the attribute everything is OK again. However, I would prefer to have the possibility to:

* Assign a replicated folder to an existing replication group

AND/OR

* Besides the two options an additional option like: "Publish..."

 

Besides this...Working with DFS namespaces and replication in R2 is so much better and easier!!! I must say it: great work guys!

DFS-N and DFS-R = cool!

Posted by Jorge | 4 Comments
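
The check behind the ADSIEDIT step in the migration post and the LDP finding in the post above, as an added example (not part of the original posts and not Microsoft tooling): it parses an LDP-style dump of the msDFSR-ContentSet objects and compares each msDFSR-DfsPath with the namespace paths collected during inventory. The function names and the inventory mapping are assumptions of this example; the sample dump is abridged from the one in the post.

```python
import re

# Matches LDP attribute lines such as "1> cn: FolderDocs;"
ATTR_LINE = re.compile(r"^(\d+)>\s*([\w-]+):\s*(.*)$")


def _values(text):
    """Split an LDP value list ("top; msDFSR-ContentSet;") into its values.
    Simplification: a value that itself contains ';' would be split."""
    return [v.strip() for v in text.split(";") if v.strip()]


def parse_ldp_dump(text):
    """Return a list of {"dn": ..., "attrs": {lowercased name: [values]}}."""
    entries, current, last_attr = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ATTR_LINE.match(line)
        if m:
            if current is None:
                current = {"dn": "", "attrs": {}}
                entries.append(current)
            last_attr = m.group(2).lower()
            current["attrs"][last_attr] = _values(m.group(3))
        elif line.upper().startswith("CN=") and (current is None or current["attrs"]):
            # A bare DN line starts a new entry; LDP prints the DN twice,
            # so a repeat before any attribute was read is ignored.
            current = {"dn": line, "attrs": {}}
            entries.append(current)
            last_attr = None
        elif current is not None and last_attr:
            # Value wrapped onto its own line: append to the previous attribute.
            current["attrs"][last_attr].extend(_values(line))
    return entries


def replication_group_of(dn):
    """CN=<folder>,CN=Content,CN=<group>,... -> <group> (no escaped commas assumed)."""
    parts = [p.strip() for p in dn.split(",")]
    for i, part in enumerate(parts[:-1]):
        if part.lower() == "cn=content":
            return parts[i + 1].split("=", 1)[1]
    return ""


def audit_publication(entries, inventory):
    """Compare msDFSR-DfsPath of every replicated folder with the inventory
    (replicated folder name -> DFS namespace path noted before migration)."""
    wanted = {name.lower(): path for name, path in inventory.items()}
    findings = []
    for entry in entries:
        attrs = entry["attrs"]
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if "msdfsr-contentset" not in classes:
            continue
        dn = (attrs.get("distinguishedname") or [entry["dn"]])[0]
        name = (attrs.get("cn") or [""])[0]
        actual = (attrs.get("msdfsr-dfspath") or [None])[0]
        expected = wanted.get(name.lower())
        if actual is None:
            status = "missing"            # console shows "not published"
        elif expected is None:
            status = "not in inventory"
        elif actual.lower() == expected.lower():
            status = "ok"
        else:
            status = "mismatch"
        findings.append({"group": replication_group_of(dn), "folder": name,
                         "status": status, "actual": actual, "expected": expected})
    return findings


# Sample: abridged from the LDP dump in the post; the first msDFSR-DfsPath value
# is wrapped onto its own line to exercise the continuation handling.
SAMPLE_DUMP = r"""
CN=FolderDocs,CN=Content,CN=ReplGroup001,CN=DFSR-GlobalSettings,CN=System,DC=ADCORP,DC=LAN
CN=FolderDocs,CN=Content,CN=ReplGroup001,CN=DFSR-GlobalSettings,CN=System,DC=ADCORP,DC=LAN
 2> objectClass: top; msDFSR-ContentSet;
 1> cn: FolderDocs;
 1> distinguishedName: CN=FolderDocs,CN=Content,CN=ReplGroup001,CN=DFSR-GlobalSettings,CN=System,DC=ADCORP,DC=LAN;
 1> msDFSR-FileFilter: ~*, *.bak, *.tmp;
 1> msDFSR-DfsPath:
\\ADCORP.LAN\DFSnamespace$\FolderDocs;

CN=FolderToolies,CN=Content,CN=ReplGroup001,CN=DFSR-GlobalSettings,CN=System,DC=ADCORP,DC=LAN
CN=FolderToolies,CN=Content,CN=ReplGroup001,CN=DFSR-GlobalSettings,CN=System,DC=ADCORP,DC=LAN
 2> objectClass: top; msDFSR-ContentSet;
 1> cn: FolderToolies;
 1> distinguishedName: CN=FolderToolies,CN=Content,CN=ReplGroup001,CN=DFSR-GlobalSettings,CN=System,DC=ADCORP,DC=LAN;
 1> msDFSR-FileFilter: ~*, *.bak, *.tmp;
"""

# Inventory as it would be noted down before the migration (values from the post).
INVENTORY = {
    "FolderDocs": r"\\ADCORP.LAN\DFSnamespace$\FolderDocs",
    "FolderToolies": r"\\ADCORP.LAN\DFSnamespace$\FolderToolies",
}

if __name__ == "__main__":
    for f in audit_publication(parse_ldp_dump(SAMPLE_DUMP), INVENTORY):
        print(f'{f["group"]}/{f["folder"]}: {f["status"]} (expected {f["expected"]})')
```

Any folder reported as "missing" is one whose msDFSR-DfsPath still has to be populated by hand; "mismatch" points at a value that was typed in wrongly.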

Windows Server 2003 R2 Administration Tools Pack

Windows Server 2003 R2 Administration Tools Pack was published on Microsoft download web site. Adminpack is available in two versions:
Posted by tomek | 0 Comments

R2 RTM'ed

As we can read on Steven's Bink web site, and also other sources :) Windows 2003 R2 went into RTM stage now. Go R2 Team :), we are (are we?) ready to use it.
Posted by tomek | 1 Comments

Distributing Printer Connections in R2 along with Group Filtering

Before the summer vacation when R2 was publicly released as a beta2 I started working and testing with it. One of the things I played with was the distribution of Printer Connections along with Group Filtering.

To get distribution of printer connections working the following must be done:

* Configure the vb-script 'PPCLogonScript.vbs’ as a LOGONSCRIPT so that when a user logs on the script will check what GPOs are in place for the computer and for the user

* Create a GPO (let's call it 'GPO_PRINTER-CONNECTION_COMPUTERS') and link it to an OU with computers (let's call that OU 'COMPUTERS-OU')

* Create a GPO (let's call it 'GPO_PRINTER-CONNECTION_USERS') and link it to an OU with computers (let's call that OU 'USERS-OU')

* Join a computer to the domain and move its computer account into the 'COMPUTERS-OU'

* Create a simple user account in the 'USERS-OU'

* On some server (let's call that SERVER001) install 2 printers (let's call them PRINTER001 and PRINTER002)

* Distribute the printer connection of PRINTER001 using GPO 'GPO_PRINTER-CONNECTION_COMPUTERS'

* Distribute the printer connection of PRINTER002 using GPO 'GPO_PRINTER-CONNECTION_USERS'

By default a computer account (let's call that COMPUTER001) and a user account (let's call that USER001) when authenticated by a DC belong to the 'Authenticated Users' well-known security ID. Each GPO when created and linked has 'Authenticated Users' assigned for READ and APPLY.

(TEST 1) So when booting 'COMPUTER001' and logging on with 'USER001' you will see two printer connections within 'Printers and Faxes' to \\SERVER001\PRINTER001 and \\SERVER001\PRINTER002. So far nothing happened...

Now I want the same printer connections to be distributed only to computers and users that are members of respectively the groups 'gsg_PrinterConnectionsComputers' and 'gsg_PrinterConnectionsUsers'.

Using the GPMC I remove 'Authenticated Users' from security filtering for BOTH GPOs 'GPO_PRINTER-CONNECTION_COMPUTERS' and 'GPO_PRINTER-CONNECTION_USERS'. Again using the GPMC I add 'gsg_PrinterConnectionsComputers' for security filtering to the GPO 'GPO_PRINTER-CONNECTION_COMPUTERS' and I add 'gsg_PrinterConnectionsUsers' for security filtering to the GPO 'GPO_PRINTER-CONNECTION_USERS'

(TEST 2) So when booting 'COMPUTER001' again and logging on with 'USER001' you should not see the two printer connections within 'Printers and Faxes' because the computer account and the user account are not members of the filtered groups. Wrong! You will still see them. I started to investigate this and found out the vb-script queried AD for objects of the class 'msPrintConnectionPolicy' and, although the GPOs were configured with security filtering, the printer connection objects explicitly had 'Authenticated Users' with 'Read All Properties' configured, which is why the script was able to see them and add them. The solution to this was easy. For security filtering to work on GPOs WITH printer connections the 'Default Security' of the class 'msPrintConnectionPolicy' had to be changed slightly. Using the Schema MMC you had to ONLY remove 'Read All Properties' for 'Authenticated Users'.

With this change ALL NEW printer connection objects created after the permissions change were configured with the correct permissions so security filtering could be used for GPOs WITH printer connections. However, for printer connection objects created BEFORE the permissions change the permissions were still the same and need to be changed to reflect the new definition of the 'Default Security' for the class 'msPrintConnectionPolicy'. If you have already created a lot of printer connection objects in AD there is a quick solution to change this, and that is by using ADFIND (from joeware.net) and DSACLS (from the Support Tools).

Run the following command to get the distinguished name of existing printer connection objects:

* AdFind.exe -b "CN=Policies,CN=System,DC=<DOMAIN>,DC=<TLD>" -f "(objectCategory=msPrint-ConnectionPolicy)" -dn -dsq > ReACL_ALL_msPrint-ConnectionPolicies.cmd

Open ReACL_ALL_msPrint-ConnectionPolicies.cmd with notepad and:

* Add DSACLS at the beginning of each line

* Add /S /T at the end of each line

The result for each line should be something like:

DSACLS "CN={A4028A0A-C352-4D56-AD6A-D6C3E1B005DE},CN=PushedPrinterConnections,CN=Machine,CN={E1665B10-7917-4A67-992F-2D021A6495FC},CN=Policies,CN=System,DC=<DOMAIN>,DC=<TLD>" /S /T

Run ReACL_ALL_msPrint-ConnectionPolicies.cmd so the explicit permissions of all existing objects match the new definition of the 'Default Security' for the class 'msPrintConnectionPolicy'.

(TEST 3) So when booting 'COMPUTER001' again and logging on with 'USER001' you should not see the two printer connections within 'Printers and Faxes' because the computer account and the user account are not members of the filtered groups. As both are not members of the groups the printer connections were removed by the group! (as it should be)

In ADUC I make 'COMPUTER001' a member of 'gsg_PrinterConnectionsComputers' and 'USER001' a member of 'gsg_PrinterConnectionsUsers'.

(TEST 4) So when booting 'COMPUTER001' again and logging on with 'USER001' you see the two printer connections reappear within 'Printers and Faxes' because the computer account and the user account are members of the filtered groups.

 

In RC0 and RC1 the vb-script 'PPCLogonScript.vbs’  was replaced by a utility called 'pushprinterconnections.exe'

The difference in usage is:

* The utility ‘PushPrinterConnections.exe’ (available in %WINDIR%\PMCSnap) must be used in startup script (for per-machine printer connections) and/or in loginscript (for per-user printer connections) to read the printer connections in AD and add to client/user.

 

Using the utility ‘PushPrinterConnections.exe’ which is available instead of the vb-script the following happens when doing the same tests:

TEST 1: same behavior as using the vb-script nothing changed

ADDITIONAL TEST: distribution of printer connection for \\SERVER001\PRINTER002. was removed from the GPO 'GPO_PRINTER-CONNECTION_USERS'. So when rebooting and logging on again the printer connection for PRINTER002 should be gone and that happened! So nothing wrong (yet)

ADDITIONAL TEST: distribution of printer connection for \\SERVER001\PRINTER001. was removed from the GPO 'GPO_PRINTER-CONNECTION_COMPUTERS' and distribution of printer connection for \\SERVER001\PRINTER002. was added again to the GPO 'GPO_PRINTER-CONNECTION_USERS'.. So when rebooting and logging on again the printer connection for PRINTER001 should be gone and printer connection for PRINTER002 should reappear and that happened! So nothing wrong (yet)

TEST 2: same behavior as using the vb-script nothing changed

ADDITIONAL TEST: deleted all printer connections on the client and rebooted. GPOs still filtered for the groups and accounts are still not members. Printer connection for \\SERVER001\PRINTER001 appeared and printer connection for \\SERVER001\PRINTER002 did not appear. The GPOs are filtered so both printer connections should not appear

TEST 3: Printer connection for \\SERVER001\PRINTER001 appeared and printer connection for \\SERVER001\PRINTER002 did not appear. The GPOs are filtered so both printer connections should not appear

TEST 4: both connections are available. Same behavior as using the vb-script, nothing changed. However, if I remove the accounts from the groups and reboot/login the printer connections should disappear. However, that does not happen!

IMHO the following solutions exist:

* Please tell me what is going wrong and how achieve what I want (how does the utility ‘PushPrinterConnections.exe’ work)

* Please repair the utility ‘PushPrinterConnections.exe’

* Please give back the VB-script that worked before

 

If someone knows an answer to this, feel free to post!

 

Cheers,

Jorge

Posted by Jorge | 1 Comments
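
The Notepad step from the post above, scripted as an added example (not part of the original post): it turns the AdFind `-dsq` output into the `DSACLS "<DN>" /S /T` lines and refuses any DN that lies outside the Policies container, is not a PushedPrinterConnections child, or contains characters cmd.exe would interpret when the generated .cmd file runs. The function names are assumptions of this example; the sample reuses the GUIDs shown in the post with a constructed domain, and the other lines are constructed.

```python
import re

# Characters that would change meaning inside a generated .cmd file:
# an embedded quote ends the argument, % and ! expand variables,
# & | < > ^ are command operators or escapes.
UNSAFE_FOR_CMD = re.compile(r'["%!&|<>^]')


def build_reacl_commands(adfind_output, policies_base):
    """Return (commands, rejected) for the quoted DNs printed by AdFind -dsq.

    policies_base is the search base given to AdFind, for example
    "CN=Policies,CN=System,DC=example,DC=test" (constructed domain).
    """
    base = policies_base.lower()
    commands, rejected, seen = [], [], set()
    for raw in adfind_output.splitlines():
        line = raw.strip()
        if not line:
            continue
        # -dsq prints each DN wrapped in double quotes; strip one pair.
        quoted = len(line) >= 2 and line[0] == '"' and line[-1] == '"'
        dn = line[1:-1] if quoted else line
        key = dn.lower()
        if UNSAFE_FOR_CMD.search(dn):
            rejected.append((dn, "contains a character cmd.exe would interpret"))
        elif not key.endswith("," + base):
            rejected.append((dn, "outside the Policies container"))
        elif ",cn=pushedprinterconnections," not in key:
            rejected.append((dn, "not a pushed printer connection object"))
        elif key not in seen:
            seen.add(key)
            # /S resets the ACL to the class default from the schema,
            # /T applies that to the whole subtree, as in the post.
            commands.append(f'DSACLS "{dn}" /S /T')
    return commands, rejected


def render_cmd(commands):
    """Text of the batch file, with the CRLF line endings cmd.exe expects."""
    return "\r\n".join(["@echo off"] + commands) + "\r\n"


# Constructed AdFind -dsq output (domain and the last three DNs are made up).
SAMPLE_ADFIND = '''
"CN={A4028A0A-C352-4D56-AD6A-D6C3E1B005DE},CN=PushedPrinterConnections,CN=Machine,CN={E1665B10-7917-4A67-992F-2D021A6495FC},CN=Policies,CN=System,DC=example,DC=test"
"CN={A4028A0A-C352-4D56-AD6A-D6C3E1B005DE},CN=PushedPrinterConnections,CN=Machine,CN={E1665B10-7917-4A67-992F-2D021A6495FC},CN=Policies,CN=System,DC=example,DC=test"
"CN={00000000-0000-0000-0000-000000000001},CN=PushedPrinterConnections,CN=User,CN={00000000-0000-0000-0000-000000000002},CN=Policies,CN=System,DC=example,DC=test"
"CN=Users,DC=example,DC=test"
"CN=x%USERNAME%,CN=PushedPrinterConnections,CN=Machine,CN={00000000-0000-0000-0000-000000000002},CN=Policies,CN=System,DC=example,DC=test"
'''

POLICIES_BASE = "CN=Policies,CN=System,DC=example,DC=test"

if __name__ == "__main__":
    cmds, bad = build_reacl_commands(SAMPLE_ADFIND, POLICIES_BASE)
    print(render_cmd(cmds))
    for dn, reason in bad:
        print(f"skipped: {dn} ({reason})")
```

Review the skipped list before running the generated file: `/S /T` rewrites the ACL on every object under each DN, so a DN that does not belong there should be investigated rather than passed through.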

R2 Virtual Labs

You don't want to install R2 yet because you are afraid (for what reason I do not know), or you just want to play with it but don't have the hardware? Well, here are the R2 virtual labs!

Enjoy
Carlos

Posted by carlos | 0 Comments

Update on requirements for RDC

Well I was told, the documents had it (now been rectified) and I even mentioned it at my Branch Office talk at Teched Africa 2005, RDC needs Windows Server 2003 Enterprise license in the replication group that will be using RDC.

Well, to clarify this further: you *can* use RDC with Windows Server 2003 Standard Edition. Where Windows Server 2003 Enterprise Edition is needed is when you want to use the RDC cross-file option, otherwise known as similarity. This is where parts of one file are taken and used to construct another file on the other side of the replica group, to aid in efficient replication across your LAN\WAN.

Thanks Julius for correcting me on this I appreciate it.

Carlos

Posted by carlos | 0 Comments

Duplicating FSRM quota and file screen templates and settings to multiple servers

With R2 Microsoft introduces, amongst others, the File Server Resource Manager (FSRM). With that MMC you define, configure and manage quotas and file screens. On a R2 server with the FSRM installed you can configure the following:
* FSRM Global Options
* Quota and Screening Templates
* Quota and Screening Settings for directories

However at this moment, if you have multiple servers you want to configure all the servers the same way, there is no way to do this through the GUI. To be able to distribute templates and settings command line tooling must be used.

With the FSRM the following three command line tools are available:

* dirquota.exe

   * Can be used to define, configure and manage quotas on directories, quota templates and global options

* filescrn.exe

   * Can be used to define, configure and manage file screen (exceptions) on directories, file screen templates and global options
* storrept.exe

   * Can be used to define, configure and manage reports


If you want to configure templates on multiple servers whereas all those servers use the same template settings you can use one of the 2 possible ways to accomplish that:

(1) configuring all servers through the command line

First think about all the custom templates (quota and file screening) you need and translate those into command lines in a batch file using the commands "dirquota template add" and "filescrn template add" and "filescrn filegroup add". The command line options for both are listed below. There is no need to run this on each server as you can run the commands in the batch from 1 server against remote servers using the /REMOTE:<server> option.

(2) configuring one server and export/import those settings onto other servers

First think about all the custom templates (quota and file screening) you need and configure one server through the GUI using the FSRM MMC. After the configuration has been done, export the template settings to an XML file using the command "dirquota template export" for quotas, the command "filescrn template export" for file screens and "filescrn filegroup export" for filegroups. After that use the command "dirquota template import" for quotas, the command "filescrn template import" for file screens and the command "filescrn filegroup import" for filegroups to import the settings into new servers. Again, it is not needed to run this on each server as you can run the commands from the export server against remote servers using the /REMOTE:<server> option.


AND if you want to configure the same quotas and file screens on specific directories on multiple servers there is only one way to accomplish that without using the FSRM MMC on each server.

To configure custom settings (autoquotas/quotas and file screenings) on multiple servers you can use the command "dirquota quota add" for quotas, the command "dirquota autoquota add" for autoquotas and the the command "filescrn screen add" for file screens. The command line options are listed below. There is no need to run this on each server as you can run the commands in the batch from 1 server against remote servers using the /REMOVE:<server> option

####DIRQUOTA.EXE####
C:\>dirquota
The syntax of this command is:

Dirquota {Quota | Autoquota | Template | Admin}

   Quota             List, add, modify, and delete quotas.
   Autoquota         List, add, modify, and delete auto apply quotas.
   Template          List, add, modify, and delete quota templates.
   Admin             Configure settings and perform administrative operations.

The minimum sequence that uniquely identifies a switch can be used as an
abbreviation. For example, "Dirquota q l /list-n" is equivalent to
"Dirquota quota list /list-notifications".
####DIRQUOTA.EXE####

####FILESCRN.EXE####
C:\>filescrn
The syntax of this command is:

Filescrn {Filegroup | Screen | Exception | Template | Admin}

   Filegroup         List, add, modify, and delete file groups.
   Screen            List, add, modify, and delete file screens.
   Exception         List, add, modify, and delete file screen exceptions.
   Template          List, add, modify, and delete file screen templates.
   Admin             Configure settings and perform administrative operations.

The minimum sequence that uniquely identifies a switch can be used as an
abbreviation. For example, "Filescrn f l /f:MyFileGroup" is equivalent to
"Filescrn filegroup list /filegroup:MyFileGroup".
####FILESCRN.EXE####

####STORREPT.EXE####
C:\>storrept
The syntax of this command is:

Storrept {Reports | Admin}

   Reports           List, schedule, modify, delete, generate, and cancel
                     reports.
   Admin             Configure settings and perform administrative operations.

The minimum sequence that uniquely identifies a switch can be used as an
abbreviation. For example, "Storrept r l" is equivalent to
"Storrept reports list".
####STORREPT.EXE####

########QUOTA TEMPLATE########
C:\>dirquota template add
Add and configure new quota templates.

The syntax of this command is:

Dirquota Template Add /Template:TEMPLATE_NAME
                      {/Limit:LIMIT[kb|mb|gb] | /SourceTemplate:TEMPLATE}
                      [/Type:{Hard|Soft}] [/Label:LABEL] [/Add-Threshold:LEVEL]
                      [/Add-Notification:LEVEL,NOTIFY_TYPE,CONFIG_FILE]
                      [/Remote:MACHINE]

   /Template:TEMPLATE_NAME    Configure quota template with name TEMPLATE_NAME.

   /Limit:LIMIT[kb|mb|gb]     Impose folder size limit. By default LIMIT is in
                              KB, but "kb", "mb", and "gb" can be appended
                              to specify other units.

   /SourceTemplate:TEMPLATE   Configure quota template from another template
                              TEMPLATE.

   /Type:{Hard|Soft}          Make the quota limit hard or soft.
                                 Hard - Limit cannot be exceeded (default)
                                 Soft - Limit can be exceeded

   /Label:LABEL               Add quota label LABEL.

   /Add-Threshold:LEVEL       Add notification threshold at utilization
                              LEVEL %. The switch can be specified multiple
                              times.

   /Add-Notification:LEVEL,NOTIFY_TYPE,CONFIG_FILE

                              Add notification at threshold. The switch can be
                              specified multiple times. The parameters to be
                              used are:
                                 LEVEL       - notification threshold
                                 NOTIFY_TYPE - One of the following:
                                    M - E-mail notification
                                    E - Event log notification
                                    C - Command line notification
                                    R - Report notification
                                 CONFIG_FILE - Path to configuration file

   /Remote:MACHINE            Perform the operation on machine MACHINE.

Use "Dirquota Notification /?" to view configuration file syntax.

Examples:
   Dirquota Template Add /Template:"User Quota Template" /limit:500mb
      /Add-Notification:100,M,email-quotaexceeded.txt

   Dirquota Template Add /Template:"User Quota Template 2"
      /SourceTemplate:"User Quota Template" /limit:250mb /Type:Soft
########QUOTA TEMPLATE########

########FILE SCREEN TEMPLATE########
C:\>filescrn template add
Add and configure new file screen templates.

The syntax of this command is:

Filescrn Template Add /Template:TEMPLATE_NAME
                      {/SourceTemplate:TEMPLATE | /Add-Filegroup:ADD_FG}
                      [/Type:{Active|Passive}]
                      [/Add-Notification:NOTIFY_TYPE,CONFIG_FILE] [/Overwrite]
                      [/Remote:MACHINE]

   /Template:TEMPLATE_NAME    Configure template with name TEMPLATE_NAME.

   /SourceTemplate:TEMPLATE   Configure file screen from template TEMPLATE.

   /Type:{Active|Passive}     Make the file screen active or passive.
                                 Active  - Users cannot save unauthorized files
                                           (default)
                                 Passive - Users can save unauthorized files
                                           but notifications will be raised

   /Add-Filegroup:ADD_FG      Add file group ADD_FG to the list of blocked file
                              groups for this file screen. The switch can be
                              specified multiple times.

   /Add-Notification:NOTIFY_TYPE,CONFIG_FILE

                              Add notification. The switch can be specified
                              multiple times. The parameters to be used are:
                                 NOTIFY_TYPE - One of the following:
                                    M - E-mail notification
                                    E - Event log notification
                                    C - Command line notification
                                    R - Report notification
                                 CONFIG_FILE - Path to configuration file

   /Overwrite                 Overwrite properties if template exists.

   /Remote:MACHINE            Perform the operation on machine MACHINE.

Use "Filescrn Notification /?" to view configuration file syntax.

Examples:
   Filescrn Template Add /Template:"Forbidden Files Template"
      /Add-Filegroup:"Audio and Video Files" /Add-Filegroup:"Executable Files"
      /Add-Notification:M,email-forbiddenfiles.txt

   Filescrn Template Add /Template:"Forbidden Files Warning Template"
      /SourceTemplate:"Forbidden Files Template" /Type:Passive /Overwrite
########FILE SCREEN TEMPLATE########

########FILE SCREEN FILEGROUP########
C:\>filescrn filegroup add
Add new file groups.

The syntax of this command is:

Filescrn Filegroup Add /Filegroup:FG_NAME /Members:MEMBERS
                       [/Nonmembers:NONMEMBERS] [/Remote:MACHINE]

   /Filegroup:FG_NAME         Add file group with name FG_NAME.

   /Members:MEMBERS           Configure file group member patterns. MEMBERS is
                              a list of file name patterns separated by '|'.

   /Nonmembers:NONMEMBERS     Configure file group non-member patterns.
                              NONMEMBERS is a list of file name patterns
                              separated by '|'.

   /Remote:MACHINE            Perform the operation on machine MACHINE.

Example:
   Filescrn Filegroup Add /Filegroup:"Log Files" /Member:"*.log|*.history"
########FILE SCREEN FILEGROUP########

########QUOTA TEMPLATE########
C:\>dirquota template export
Export templates to a file.

The syntax of this command is:

Dirquota Template Export /File:PATH [/Template:TEMPLATE_NAME] [/Remote:MACHINE]

   /File:PATH                 Export quota templates to the file at path PATH.

   /Template:TEMPLATE_NAME    Export only the template with name TEMPLATE_NAME.
                              If omitted, all quota templates defined on the
                              system are exported.

   /Remote:MACHINE            Perform the operation on machine MACHINE.

Example:
   Dirquota Template Export /File:D:\usertemplate.xml
      /Template:"User Quota Template"
---------------------------------------------------
C:\>dirquota template import
Import templates from a file.

The syntax of this command is:

Dirquota Template Import /File:PATH [/Template:TEMPLATE_NAME | /Ignore]
                         [/Remote:MACHINE]

   /File:PATH                 Import quota templates from the file at path PATH.


   /Template:TEMPLATE_NAME    Import only the template with name TEMPLATE_NAME.
                              If omitted, all quota templates defined in the
                              file are imported.

   /Ignore                    Ignore templates that already exist on the
                              system.

   /Remote:MACHINE            Perform the operation on machine MACHINE.

Example:
   Dirquota Template Import /File:D:\newtemplate.xml /Remote:FILESERVER1
########QUOTA TEMPLATE########

########FILE SCREEN TEMPLATE########
C:\>filescrn template export
Export templates to a file.

The syntax of this command is:

Filescrn Template Export /File:PATH [/Template:TEMPLATE_NAME] [/Remote:MACHINE]

   /File:PATH                 Export templates to the file at path PATH.

   /Template:TEMPLATE_NAME    Export only the template with name TEMPLATE_NAME.
                              If omitted, all templates defined on the system
                              are exported.

   /Remote:MACHINE            Perform the operation on machine MACHINE.

Example:
   Filescrn Template Export /File:D:\filescreens.xml /Remote:FILESERVER1
---------------------------------------------------------
C:\>filescrn template import
Import templates from a file.

The syntax of this command is:

Filescrn Template Import /File:PATH [/Template:TEMPLATE_NAME | /Ignore]
                         [/Remote:MACHINE]

   /File:PATH                 Import templates from the file at path PATH.

   /Template:TEMPLATE_NAME    Import only the template with name TEMPLATE_NAME.
                              If omitted, all templates defined in the file are
                              imported.

   /Ignore                    Ignore templates that already exist on the
                              system.

   /Remote:MACHINE            Perform the operation on machine MACHINE.

Example:
   Filescrn Template Import /File:D:\screening.xml
      /Template:"Document Screening Template"
########FILE SCREEN TEMPLATE########

########FILE SCREEN FILEGROUP########
C:\>filescrn filegroup export
Export file groups to a file.

The syntax of this command is:

Filescrn Filegroup Export /File:PATH [/Filegroup:FG_NAME] [/Remote:MACHINE]

   /File:PATH                 Export file groups to the file at path PATH.

   /Filegroup:FG_NAME         Export only the file group with name FG_NAME. If
                              omitted, all file groups defined on the system
                              are exported.

   /Remote:MACHINE            Perform the operation on machine MACHINE.

Example:
   Filescrn Filegroup Export /File:D:\logfiles.xml /Filegroup:"Log Files"
-----------------------------------------------------------
C:\>filescrn filegroup import
Import file groups from a file.

The syntax of this command is:

Filescrn Filegroup Import /File:PATH [/Filegroup:FG_NAME | /Ignore]
                          [/Remote:MACHINE]

   /File:PATH                 Import file groups from the file at path PATH.

   /Filegroup:FG_NAME         Import only the file group with name FG_NAME. If
                              omitted, all file groups defined in the file are
                              imported.

   /Ignore                    Ignore file groups that already exist on the
                              system.

   /Remote:MACHINE            Perform the operation on machine MACHINE.

Example:
   Filescrn Filegroup Import /File:D:\filegroups.xml /Remote:FILESERVER1
########FILE SCREEN FILEGROUP########

########QUOTA DEFINITION########
C:\>dirquota quota add
Add and configure new quotas.

The syntax of this command is:

Dirquota Quota Add /Path:PATH
                   {/Limit:LIMIT[kb|mb|gb] | /SourceTemplate:TEMPLATE}
                   [/Type:{Hard|Soft}] [/Label:LABEL]
                   [/Status:{Enabled|Disabled}] [/Add-Threshold:LEVEL]
                   [/Add-Notification:LEVEL,NOTIFY_TYPE,CONFIG_FILE]
                   [/Overwrite] [/Remote:MACHINE]

   /Path:PATH                 Configure quota on path PATH. The following
                              wildcards are supported:
                                 \.   - folder specified by PATH
                                 \*   - all immediate subfolders of PATH

   /Limit:LIMIT[kb|mb|gb]     Impose folder size limit. By default LIMIT is in
                              KB, "kb", "mb", and "gb" can be appended to
                              specify other units.

   /SourceTemplate:TEMPLATE   Configure quota from template TEMPLATE.

   /Type:{Hard|Soft}          Make the quota limit hard or soft.
                                 Hard - Limit cannot be exceeded (default)
                                 Soft - Limit can be exceeded

   /Label:LABEL               Add quota label LABEL.

   /Status:{Enabled|Disabled} Enable or disable quota.
                                 Enabled  - quotas are enforced (default)
                                 Disabled - quotas are disabled

   /Add-Threshold:LEVEL       Add notification threshold at utilization
                              LEVEL %. The switch can be specified multiple
                              times.

   /Add-Notification:LEVEL,NOTIFY_TYPE,CONFIG_FILE

                              Add notification at threshold. The switch can be
                              specified multiple times. The parameters to be
                              used are:
                                 LEVEL       - notification threshold
                                 NOTIFY_TYPE - One of the following:
                                    M - E-mail notification
                                    E - Event log notification
                                    C - Command line notification
                                    R - Report notification
                                 CONFIG_FILE - Path to configuration file

   /Overwrite                 Overwrite properties if quota exists.

   /Remote:MACHINE            Perform the operation on machine MACHINE.

Use "Dirquota Notification /?" to view configuration file syntax.

Examples:
   Dirquota Quota Add /Path:D:\scratch /limit:50mb
      /label:"Scratch Folder Quota"

   Dirquota Quota Add /Path:D:\users\bob /SourceTemplate:"User Quota Template"
      /Add-Threshold:80 /Add-Notification:80,M,email-warning.txt
------------------------------------------------------------
C:\>dirquota autoquota add
Add and configure new auto apply quotas.

The syntax of this command is:

Dirquota Autoquota Add /Path:PATH /SourceTemplate:TEMPLATE [/Remote:MACHINE]

   /Path:PATH                 Configure auto apply quota on path PATH.

   /SourceTemplate:TEMPLATE   Configure auto apply quota from template TEMPLATE.


   /Remote:MACHINE            Perform the operation on machine MACHINE.

Example:
   Dirquota Autoquota Add /Path:D:\users /SourceTemplate:"User Quota Template"
########QUOTA DEFINITION########

########FILE SCREEN DEFINITION########
C:\>filescrn screen add
Add and configure new file screens.

The syntax of this command is:

Filescrn Screen Add /Path:PATH
                    {/SourceTemplate:TEMPLATE | /Add-Filegroup:ADD_FG}
                    [/Type:{Active|Passive}]
                    [/Add-Notification:NOTIFY_TYPE,CONFIG_FILE] [/Overwrite]
                    [/Remote:MACHINE]

   /Path:PATH                 Configure file screen on path PATH. The following
                              wildcards are supported:
                                 \.   - folder specified by PATH
                                 \*   - all immediate subfolders of PATH

   /SourceTemplate:TEMPLATE   Configure file screen from template TEMPLATE.

   /Add-Filegroup:ADD_FG      Add file group ADD_FG to the list of blocked file
                              groups for this file screen. The switch can be
                              specified multiple times.

   /Type:{Active|Passive}     Make the file screen active or passive.
                                 Active  - Users cannot save unauthorized files
                                           (default)
                                 Passive - Users can save unauthorized files
                                           but notifications will be raised

   /Add-Notification:NOTIFY_TYPE,CONFIG_FILE

                              Add notification. The switch can be specified
                              multiple times. The parameters to be used are:
                                 NOTIFY_TYPE - One of the following:
                                    M - E-mail notification
                                    E - Event log notification
                                    C - Command line notification
                                    R - Report notification
                                 CONFIG_FILE - Path to configuration file

   /Overwrite                 Overwrite properties if file screen exists.

   /Remote:MACHINE            Perform the operation on machine MACHINE.

Use "Filescrn Notification /?" to view configuration file syntax.

Example:
   Filescrn Screen Add /Path:D:\scratch /Type:Passive
      /Add-Filegroup:"Audio and Video Files"
      /Add-Notification:M,screen-emailadmin.txt
      /Overwrite
########FILE SCREEN DEFINITION########
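
The export/import route (2) and the per-directory step described above, combined in one batch file run on the reference server. This is an added example, not part of the original post: the server names FS02 and FS03, the paths, and the reuse of the template names from the help examples are assumptions, as are the tools returning a non-zero exit code on error and /File being read on the machine that runs the command.

```batch
@echo off
rem Added example (not from the original post). Run on the reference server.
rem Constructed values: FS02 FS03, C:\fsrm-export, D:\users. The template
rem names are borrowed from the help examples and must exist on this server.
setlocal
set SERVERS=FS02 FS03
set EXPORTDIR=C:\fsrm-export
set DATAPATH=D:\users
set QUOTATEMPLATE=User Quota Template
set SCREENTEMPLATE=Forbidden Files Template
set FAILED=0

if not exist %EXPORTDIR% mkdir %EXPORTDIR%

rem Step 1: export everything defined locally (no /Template or /Filegroup filter).
rem Assumption: the tools return a non-zero exit code on error.
filescrn filegroup export /File:%EXPORTDIR%\filegroups.xml || goto exportfailed
filescrn template export /File:%EXPORTDIR%\screentemplates.xml || goto exportfailed
dirquota template export /File:%EXPORTDIR%\quotatemplates.xml || goto exportfailed

rem Step 2: import and apply on every remote server.
for %%S in (%SERVERS%) do call :configure %%S

if %FAILED%==0 (echo All servers configured.) else (echo At least one server failed.)
exit /b %FAILED%

:configure
echo === %1 ===
rem File groups first: file screen templates refer to them by name.
rem /Ignore keeps definitions that already exist on the target.
rem Assumption: /File is read on the machine running the command.
filescrn filegroup import /File:%EXPORTDIR%\filegroups.xml /Ignore /Remote:%1 || goto serverfailed
filescrn template import /File:%EXPORTDIR%\screentemplates.xml /Ignore /Remote:%1 || goto serverfailed
dirquota template import /File:%EXPORTDIR%\quotatemplates.xml /Ignore /Remote:%1 || goto serverfailed

rem Apply the templates to the data path. The help above lists no /Overwrite
rem switch for autoquota add, unlike screen add.
dirquota autoquota add /Path:%DATAPATH% /SourceTemplate:"%QUOTATEMPLATE%" /Remote:%1 || goto serverfailed
filescrn screen add /Path:%DATAPATH% /SourceTemplate:"%SCREENTEMPLATE%" /Overwrite /Remote:%1 || goto serverfailed

rem List what the target now enforces so the result can be reviewed.
filescrn screen list /Remote:%1
dirquota autoquota list /Remote:%1
exit /b 0

:serverfailed
>&2 echo FAILED on %1
set FAILED=1
exit /b 1

:exportfailed
>&2 echo Export from the reference server failed.
exit /b 1
```

Because /Ignore skips templates and file groups that already exist on a target, a server that carries an older definition under the same name keeps it; compare the listing output against the reference server after the run.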

Posted by Jorge | 8 Comments

So here is a small FAQ about R2


Licensing:

Is R2 free?

The short answer is yes if you are on the Software Assurance program.

The best answer: if you are not sure, consult your Microsoft licensing representative.

 

Can I get the R2 disk by itself without the complete package?

No, R2 is not sold separately; it is part of the Windows Server 2003 R2 installation.

The install is two CDs:

CD1 – Windows Server 2003

CD2 – R2 Components

 

Compatibility:
 

Does R2 change my Windows Server 2003 install binary files?

No, R2 is NOT a service pack.

R2 merely adds new features to Windows Server 2003.
 

How do I migrate my current DFS + FRS?

You will have to recreate your FRSv1 replication groups as DFSR replication groups.

There is no migration tool.
 

Requirements:
 

How do I get DFSR to work?

You have to manually recreate your current DFS+FRS groups within a DFSR environment.
 

Do all servers in the replication group have to be Windows Server 2003 R2?

Yes.

Can DFSR and FRSv1 be on the same box?

DFS Replication and FRS can be running on the same server; however, they cannot be replicating the same data.
 

And RDC, any requirements?

Yes, at least one server in the replication group has to be Windows Server 2003 Enterprise.

Limits in DFSR

Each server can be a member of up to 256 replication groups.

Each replication group can contain up to 256 replicated folders.

Each server can have up to 256 connections (for example, 128 incoming connections and 128 outgoing connections).

A replication group can contain up to 300 members.

A volume can contain up to 1,000,000 replicated files.

Posted by carlos | 0 Comments

Coming Soon to a server near you!

Carlos and Jorge will be posting interesting articles and info bits about Windows Server 2003 R2.


Posted by Jorge | 0 Comments