Dirteam.com/ActiveDir.org Blogs

The things that are better left unspoken

a blog by Sander Berkouwer


Windows 7 TechNet Forums opened

Got a Live ID? Join the conversation on Windows 7!

The Microsoft TechNet Forums are an online location where you can ask questions on a variety of Microsoft products. It’s a place to find answers from many of the Microsoft Program Managers, Microsoft support guys, Microsoft developers, Microsoft evangelists, Microsoft MVPs and Microsoft enthusiasts.

A while ago Microsoft decided to use these forums as the official location to get support on Service Pack 2 for Windows Vista and Windows Server 2008.

Along with the release of the Windows 7 beta, a series of new forums was created to support testers of Windows 7 and Windows Server 2008 R2. The first supported release is build 7000, which was officially announced today: it was made available to TechNet and MSDN subscribers today and will be available tomorrow to the first 2.5 million people interested in testing the beta build of Microsoft's upcoming operating systems.

The following TechNet Forums (and corresponding RSS feeds) are available:


Mark Wilson, Microsoft MVP, is one of the moderators for the new Windows 7 forums, so you're in good hands, but please review the list of supported Windows 7 Beta technologies and brush up on your netiquette before you ask a question.


Related posts on DirTeam

Beta of Windows 7 and Windows Server 2008 R2 available! 
Windows 7 Beta has been released! 

Further reading

Windows 7 beta is available for download 
Windows 7 Beta is Available for Download! 
Microsoft TechNet Forums have completed their move to the social 
From a TechNet Lurker to a TechNet Contributor 
Microsoft Answer for the end-user 
Microsoft TechNet/MSDN - Community Content Driven By You 
New MSDN/TechNet Forums Update going live today!

Blocking Internet Explorer 8 Automatic Delivery

Microsoft is getting ready to release Internet Explorer 8. The latest available version of Internet Explorer for Windows XP (SP2+), Windows Vista, Windows Server 2003 (SP2+) and Windows Server 2008 will be delivered as a Windows Update soon. Windows 7 will feature Internet Explorer 8 built-in.


Rendering in Internet Explorer 8

Besides improved reliability, security, performance and a handful of new features, Internet Explorer 8 introduces a new rendering engine, which is enabled by default. Recent reports found that most websites do not present their content exactly as intended in Internet Explorer 8's new standards mode, while they do in Internet Explorer 6, Internet Explorer 7 and other common browsers.

Incompatibility

Internet Explorer 8 breaks with tradition. In the past Internet Explorer wasn't the most standards-compliant browser in the world (understatement…), but with Internet Explorer 8 Microsoft is trying to show its good side, with these nasty consequences as a result: pages that were written to the quirks of the older engines now render differently.

Compatibility

While the Compatibility View functionality in Internet Explorer 8 offers the ability to open web pages with Internet Explorer 7 compatible rendering, this may not be an adequate solution. It's definitely not a good solution for companies trying to stick with Internet Explorer 6.x, since Compatibility View emulates Internet Explorer 7, not Internet Explorer 6.


Choice

Your web based application may be affected by the new rendering engine. If testing your application shows that it is, you might decide not to deploy Internet Explorer 8 yet. This blogpost shows you your options:

  • The Graphical User Interface (GUI)
  • The Internet Explorer 8 Blocker Toolkit
  • Windows Server Update Services (WSUS)


The Graphical User Interface

If you are an administrator of your machine, you will have three options as soon as Automatic Updates has downloaded the Internet Explorer 8 setup:

  • Install: The installation starts after the Genuine Windows check; your homepage, favorites and search settings are kept.
  • Do not install: You will not be asked again to install Internet Explorer 8. If you have administrative privileges you can still install it later through the optional updates on Windows Update.
  • Ask me later: The installation is cancelled and Automatic Updates will ask you again after 24 hours.


IE8 Blocker Toolkit

Microsoft has now released the Internet Explorer 8 Blocker Toolkit to block automatic delivery of Internet Explorer 8 to machines in environments where Automatic Updates are enabled. It offers three ways to block Internet Explorer 8 indefinitely from your environment:

Through a script

The Toolkit to Disable Automatic Delivery of Microsoft Internet Explorer 8 comes with IE8Blocker.cmd. You can use this handy script to disable the delivery of Internet Explorer 8 through a machine startup script, or perhaps a user logon script (in the unlikely case that your users are local administrators, since the script writes to HKEY_LOCAL_MACHINE).

The script has the following command-line syntax:

IE8Blocker.cmd [<machine name>] [/B] [/U] [/H]

Using the /H or /? switch will help you further in your scripting quest. Don't worry if you mess up: the script can be run multiple times on the same machine without any problem.

Through the registry

The IE8Blocker.cmd script in the Toolkit to Disable Automatic Delivery of Internet Explorer 8 creates the following registry value and sets it to block or unblock (depending on the command-line option used) automatic delivery of Internet Explorer 8 on either the local machine or a remote target machine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup\8.0
Value name: DoNotAllowIE80 (REG_DWORD)

  • When the value is absent, delivery is not blocked.
  • When the value is 0, delivery is not blocked.
  • When the value is 1, delivery is blocked.

You can create this registry value manually (or through a .reg file) if that is a more appropriate method for your environment. Keep in mind that the value only stops delivery through Automatic Updates and Windows Update: it does not prevent anyone with administrative rights from installing Internet Explorer 8 manually, and it does not remove an Internet Explorer 8 that is already installed.
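As an added example (not code from the original post and not Microsoft's IE8Blocker.cmd), the following PowerShell functions read and set the same value, on the local machine or on a remote one. It assumes PowerShell 2.0 or later, administrative rights (the value lives under HKEY_LOCAL_MACHINE) and, for a remote target, a reachable Remote Registry service; the computer name in the usage comments is a placeholder. The key and value name are the ones documented above; nothing else the toolkit's script does is reproduced here.

```powershell
# Added example: not code from the original post and not Microsoft's IE8Blocker.cmd.
# Needs PowerShell 2.0 or later and administrative rights, since it writes to HKLM;
# for a remote computer the Remote Registry service on that computer must be reachable.

$script:IE8SetupKey  = 'SOFTWARE\Microsoft\Internet Explorer\Setup\8.0'
$script:IE8BlockName = 'DoNotAllowIE80'

function Open-LocalMachineHive {
    # An empty computer name opens the local HKLM; a name opens that computer's HKLM.
    param([string]$ComputerName = '')
    return [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
}

function Get-IE8BlockState {
    # Reports the three documented states: value absent, 0 (not blocked) and 1 (blocked).
    param([string]$ComputerName = '')
    $hive = Open-LocalMachineHive $ComputerName
    $raw = $null
    try {
        $key = $hive.OpenSubKey($script:IE8SetupKey)      # $null when the key does not exist
        if ($key -ne $null) {
            $raw = $key.GetValue($script:IE8BlockName)    # $null when the value does not exist
            $key.Close()
        }
    } finally {
        $hive.Close()
    }
    $name = $ComputerName
    if (-not $name) { $name = $env:COMPUTERNAME }
    return New-Object PSObject -Property @{
        ComputerName = $name
        RawValue     = $raw
        Blocked      = ($raw -eq 1)                        # absent or 0 means not blocked
    }
}

function Set-IE8Block {
    # 'Block' writes DoNotAllowIE80 = 1, 'Unblock' writes 0 (the toolkit's /B and /U switches do the same).
    param(
        [Parameter(Mandatory = $true)][ValidateSet('Block', 'Unblock')][string]$Action,
        [string]$ComputerName = ''
    )
    $data = 0
    if ($Action -eq 'Block') { $data = 1 }
    $hive = Open-LocalMachineHive $ComputerName
    try {
        # CreateSubKey opens the key writable and creates the path when it is missing.
        $key = $hive.CreateSubKey($script:IE8SetupKey)
        $key.SetValue($script:IE8BlockName, $data, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
    } finally {
        $hive.Close()
    }
    # Read back, so the caller verifies the result instead of trusting the write.
    return Get-IE8BlockState $ComputerName
}

# Usage (the computer name is a placeholder):
#   Set-IE8Block -Action Block                      # local machine
#   Set-IE8Block -Action Block -ComputerName WKS01  # remote machine
#   Get-IE8BlockState | Format-List
```

Get-IE8BlockState deliberately distinguishes an absent value from an explicit 0, so an inventory script can tell machines that were never touched from machines that were unblocked on purpose.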

Through a group policy

When you're a fan of Group Policy (like I am), the Toolkit also offers a custom *.adm file to disable the automatic delivery of Internet Explorer 8, which most of you will know your way around. If not, I suggest you have a little chat with Darren Mar-Elia or other Group Policy gods.

In the Internet Explorer 7 era Microsoft introduced a new container within Administrative Templates under Computer Configuration called "Automatic Updates Blockers", underneath the Windows Update container. I expected further use for that container, but the IE8 blocker is actually located inside a new container named "Automatic Updates Blockers v2".

I suspect the reason behind the new v2 container is that the registry settings corresponding with these Group Policy settings are not stored in a Policies key and are thus considered a preference. Group Policy preferences were not available yet in the Internet Explorer 7 era. One consequence of being a preference rather than a policy: the value stays in the registry after the Group Policy setting is removed, so unblocking later requires explicitly setting it to 0 rather than just deleting the policy.


Windows Server Update Services

In enterprise environments the tools of choice to assess and control which updates get delivered to which (groups of) computers and servers are the free Microsoft Baseline Security Analyzer (MBSA) and Enterprise Update Scan (EUS) tool for assessment, and the free Windows Server Update Services (WSUS) add-on to Windows Server, Microsoft's aging Systems Management Server or of course Microsoft System Center Configuration Manager for delivery. With WSUS you simply don't approve the Internet Explorer 8 update for the computer groups that shouldn't get it. Pick your tool of choice here.


Concluding

Internet Explorer 8 might prove to break your mission-critical web based application. As a last resort you might decide to block Internet Explorer 8 from your environments.

You have plenty of tools at hand to defend your networks. Use them wisely.

Related posts

To IE7 or not?
Deploying and managing FireFox centrally 

Tool download

Toolkit to Disable Automatic Delivery of Internet Explorer 8

Further reading

Internet Explorer 8 Blocker Toolkit Q&A  
Internet Explorer 8 Delivery through Automatic Updates   
Internet Explorer Product Site 
Readiness Toolkit for Developers, Testers & ITPros 
Microsoft Update Management Solutions 
5 things every web developer should know about IE8 
IE8's standards compatibility promise
Microsoft: ‘We feel a strong obligation to customers with IE8′ 
Preparing Web Sites for Internet Explorer 8 
Compatibility Mode in IE8 
Preparing for IE8 
Microsoft's Interoperability Principles and IE8

Awarded MVP

The Microsoft MVP Award Program recognizes and thanks outstanding members of technical communities for their community participation and willingness to help others. The MVP Award is given to exceptional technical community leaders who foster the free and objective exchange of knowledge by actively sharing their real-world expertise with technology users. The MVP Award celebrates the most active community members from around the world who provide invaluable online and offline expertise that enriches the community experience and makes a difference in technical communities that feature Microsoft products.

MVPs are a select group of experts representing technology's best and brightest people who share a commitment to community. While MVPs come from many backgrounds and a wide range of technical communities, they share a passion for technology and a demonstrated willingness to help others. MVPs do this by writing books and articles, managing Web sites, maintaining blogs, participating in user groups, hosting and contributing chats, presenting at events and training sessions, and answering questions in technical newsgroups, forums, or message boards.

Microsoft MVPs are an amazing group of individuals. By sharing their knowledge and experiences and providing objective feedback, MVPs help people solve problems and discover new capabilities. It gives us great pleasure to recognize and award MVPs as our way of saying thank you for their demonstrated commitment to helping others in technical communities worldwide.

Source: MVP Website

Today I received an email message to inform me I am awarded a 2009 Microsoft Most Valuable Professional (MVP) award for Directory Services.

No better way to start 2009!


Related stuff

My Microsoft MVP Profile 

Further reading

Microsoft MVP Award Program Overview
Microsoft MVP Award Program Leadership
Microsoft MVP Awardees  
Microsoft MVP Frequently Asked Questions (FAQ) 
Communities and thoughts from Gerver's Desk 
Microsoft Most Valuable Professional – Wikipedia
The Microsoft MVP Award Program Blog
MSMVPs.com – Blogs by current and former MVPs

CoreConfigurator brought back to life by Smart-X

I remember pretty well when Guy Teverovsky shared his CoreConfigurator tool, to help Server Core Systems Administrators perform everyday tasks through a Graphical User Interface (GUI).

I still remember the buzz it generated throughout the blogosphere, I still remember the amount of kudos to Guy for building and sharing this tool, I still remember the way I wanted the tool changed so it would actually help Confucius-style, but most of all I remember the way the tool disappeared due to intellectual property issues with his former employer.

This former employer, Smart-X, has now brought CoreConfigurator back to life.

About Smart-X CoreConfigurator

Smart-X dedicated a webpage to the tool. The page explains what the tool does and what it looks like.

It also explains the licensing:
The tool is free for personal use only.

You may use the tool without a valid license or license file for personal and non-commercial use, but you need to purchase a license from Smart-X if you need the tool in a commercial organization. The tool is licensed per organization and a license file can be purchased for $99.

Current version: 1.1.0.5
Download size: 2.19 MB
Supported Operating System: Windows Server 2008 Server Core
Release date: December 14, 2008
Download link: CoreConfig_V1105_D141208.zip


Working with the tool

I’ve used the tool to manage a Windows Server 2008 Server Core installation.

Download

The CoreConfigurator download package weighs 2.18 MB. This package contains a User Guide in PDF format (608 KB) and the CoreConfigurator MSI package (1806 KB).

The package is only available as an HTTP download. Making it available through a public FTP server as well might prove an interesting move: that way the package could be downloaded directly from the Server Core box itself, which has no web browser, eliminating the need for a separate download box.

The user guide

For a commercial package a User Guide is a must. I think providing the user guide in PDF is a good move. It allows Unix and Linux guys to get started with the tools on their Server Core boxes too. (I feel Hyper-V with SuSe Linux Enterprise Server 10 guests make for a nice combo) Using a Word format would’ve been a huge barrier for these kind of guys.

The User Guide is pretty straightforward. I really don’t like the advertisement for other Smart-X tools though, but Page Dn fixed that little bit of irritation pretty quickly.

Too bad however the really cool features of CoreConfigurator are left out of the User Guide. I was really expecting a thorough write-up of the DCPROMO function, but unfortunately this feature is absent, just like the Backup Perf feature. Interestingly enough, these two features were part of later versions of Guy’s CoreConfigurator.

The User Guide gives me the impression a team at Smart-X has written a Windows Vista Configuration Panel-style window to accommodate all the buttons, left the features intact and actually didn’t know what these features do, so they kept away from them.

Installation

Installation is pretty straightforward for a MSI file, although I’m still unclear why tools like these need to be ‘installed’. A lot of other tools simply run off media. Joachim’s CCC even has a menu option to install the program on your Server Core box automatically.

Making CoreConfigurator available as an MSI file, instead of as a plain archive, is not a bad idea, however. Since you're installing an MSI, you can uninstall the program through wmic.exe if you don't need it anymore; other setup formats require a lot of fiddling to get uninstalled. Providing an ISO file next to the MSI file would make using CoreConfigurator in virtual environments more practical.

The installation itself is as simple as clicking Next > three times.

Auto Start or path cleverness

I don't understand why some people still have a problem with making their program start automatically at logon, or with adding the path to their executable to the PATH variable.

The developers at Smart-X seem to belong to this kind of people. Don't you want me to use your program? Why do you insist I remember the directory I installed your program in? Why do you want me to manually change directories to your precious little C:\Program Files\SmartX\Smart-X Configurator directory?

User Interface

The tool has been polished with a new sleek User Interface, resembling the Windows Vista Configuration Panel:

CoreConfigScreenshot

Since the adoption of Windows Vista worldwide is through the roof, this was a good decision. NOT!

Teach a man to fish…

The 13 tools available through the start screen are very useful. Unfortunately only the Activation tool shows the command used to retrieve the information. None of the tools show the commands used to set the information or the registry keys changed. This reminds me of an old saying:

Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime.
- Confucius

I feel the CoreConfigurator tool isn't very helpful. It is helpful to Smart-X though, because people come to rely on CoreConfigurator to do these little chores for them whenever they install a new Server Core box, driving sales.

The Exchange team does a very good job at this in the Exchange Server 2007 Exchange Management Console: every time you assemble an action in a wizard, it shows you the corresponding Exchange Management Shell command before it executes it. That's helpful!

Display information

CoreConfigurator does not display information in the start screen on the current box or current configuration, like the Windows Server 2008 Server Manager does.

Bugs

CoreConfigurator still has a few bugs, unfortunately, that make it less useful in a lot of environments. For instance, you can't add domain user accounts to local groups using Users and Groups, but you can still use Users and Groups after promoting the server to a Domain Controller. Changing Display settings prompts for a reboot, while logging off and on again would suffice (if there were a log off button, that is). The firewall configuration tool does not detect whether the firewall is turned off or whether rules have been specifically enabled or disabled, and it keeps no log of its own activity. The Feature installation tool isn't very thorough in displaying installed features.

Inconsistencies

To make matters worse the behavior between different tools is inconsistent. Some tools have a Close button, others don’t. Some tools have a Cancel button, others don’t. Some tools make button titles change, while others remain the same. Quirky, to say the least.

Missing functionality

The tool lacks a button for the Regional and Language Options. This functionality is included in one of the remaining Control Panel applets in Server Core installations of Windows Server 2008: intl.cpl.

The Updates section allows you to enable and disable Automatic Updates, but does not offer functionality to check for updates manually.


Concluding

I still feel it’s a shame a great free tool, written by a MVP, gets transformed into a paid tool.

On the other hand, a big company has now made its dedication to develop and maintain a tool that addresses a basic need clear to a large community. If I were to license this utility I would insist on Smart-X squashing the reported bugs in the next version, providing a roadmap for future versions and making some smart technical choices to up the quality.

In the meanwhile I’ll still continue to use Guy Teverovsky’s original CoreConfigurator utility. It provides the same functionality but remains free of charge for those who can find it.

Other tools are also available at no cost and won’t nag you with a license and splash screen. These tools offer a great alternative in some scenarios.

Tip jar: Thanks, SnirH.

Related posts

Overview of free Server Core configuration tools  
Making HVConfig work on a normal Server Core installation 
RIP CoreConfigurator (as we know it)  
My beef with CoreConfigurator 
A new gang in town – Server Core (W2K8) 

Further reading

Guy Teverovsky’s Windowmaker blog 
CoreConfigurator Clarifications  
HyperVoria: CoreConfigurator Tool discontinued  
LinkedIn: Guy Teverovsky  
Server Core Installation Option of Windows Server 2008 Step-By-Step Guide  
Download Free Windows 2008 Server Core Configurator 
Codeplex: Windows 2008 Server Core Configurator (CoreConfig) 
(Another) GUI-based Server Core Configurator 
Windows 2008 Server Core Configurator 
Server Core Configuration tool - now available 
Need a little Windows Server 2008 Server Core help? 
Core Configuration Console 
Windows Server 2008 Core Config 
Core Configurator is back!

13 years in the making…

Today I had an appointment with the thesis committee for the presentation and oral examination of the last part of my official studies to become a Bachelor of Information and Communication Technology (B ICT).

The presentation part of the appointment was 15 minutes and the examination lasted 40 minutes. After that the primary supervisor and the other committee member (the CEO and Program Manager of the educational institute, as a matter of fact) debated for five minutes without me, and called me back to inform me of my scores.

The table below shows how I passed:

Part              Score   Factor   Weighted score
Thesis document   8,5     60%      5,1
Presentation      9,0     20%      1,8
Examination       8,5     20%      1,7
Total                     100%     8,6

That marks the end of a period of 13 years. I originally started studying at age 18 at the Delft University of Technology to become a Bachelor of Science (BSc) in Industrial Design Engineering. After five years I quit those studies.

1 year, 9 months and 12 days ago I started these studies, and today, after 13 years of "studying", I have ended up with a degree.

An early look at new Hyper-V features

The Windows Server 2008 R2 timeframe will also bring the next version of the Hyper-V technology. This new version can either be seen as Hyper-V R2 or Hyper-V v2.0 (depending on your opinion on Hyper-V) and comes with a load of new features and hardware support.

Note:
This information applies to Windows Server 2008 R2 during the pre-Beta timeframe. Up until the Release to Manufacturing (RTM) of the successor to Windows Server 2008, this information may change.


New features

Live Migration

Quick Migration was a good feature to make virtual guests highly available through Windows Server 2008 Failover Clustering; good enough for a version 1.0 product anyway. The way Quick Migration works, however, makes it unsuitable for certain implementations and presents a couple of challenges when updating your environment: it saves the state of the virtual guest to disk, moves the ownership of the storage to the other node and restores the guest there, so the guest is unavailable for the duration of the save and restore.

Live Migration is the successor to Quick Migration. Live Migration doesn't save and restore the virtual guest. Instead it copies the memory of the running guest from the source to the destination Hyper-V node, copies again the pages that changed in the meantime, and then performs a brief hand-over during which the guest is paused for only a moment.

Virtual storage hot add & remove

While you can't hot plug a storage controller in your virtual guests in Hyper-V R2, you can add and even remove a virtual disk on the virtual SCSI controller of the virtual guest while the virtual guest is running.

Of course the Operating System (OS) in the virtual guest will need to support this. Windows Server supports hot plugging of drives since Windows Server 2003.

Cluster Shared Volume (CSV)

While not exactly a Hyper-V 2.0 feature, Cluster Shared Volumes (CSV) do offer nice functionality to Hyper-V R2 in Failover Clustering configurations.

Remember that you needed to place one virtual guest per LUN on your shared storage? Fixed!
Cluster Shared Volumes offer all cluster nodes simultaneous access to the files on the same LUN on your shared storage through a filter driver, so multiple virtual guests can share one LUN and still fail over independently. Geert Baeke has more information on this feature and how it works under the hood.

Second Level Address Translation

Intel and AMD processors, and the motherboards that support them, offer new technologies that allow better management of virtual machine memory. Technologies like Extended Page Tables (EPT) in Intel's vocabulary and Nested Page Tables (NPT), part of Rapid Virtualization Indexing (RVI), in AMD's let the processor translate guest-physical to host-physical addresses itself, which spells the end of software-maintained shadow page tables.

Your benefit as a virtual admin? When you have virtual machines that are very memory intensive this feature might prove to be a 10% performance improvement.

Core parking

While new processors can certainly be useful when you want to improve performance, they can also be used to reduce power consumption. The basis for core parking is the fact that you don't need raw processor power for all virtual guests all the time.

Simply put, Windows Server 2008 R2 balances the work of the virtual guests over the processing cores. When less processing power is needed, the kernel's power manager consolidates the work onto fewer cores and parks the idle cores in deep sleep states, where they consume hardly any power. Recent Intel and AMD processors support these sleep states.

Hyper-V R2 is aware of core parking, so its scheduler cooperates with the parking decisions instead of fighting them. Since the processor consumes around 30% of the total power consumed by a system, there's a lot of environmentally friendly power saving ahead, and thus a lot less cooling required.

TCP Offloading, VMQ Support & Jumbo Frame support

Various networking improvements like TCP Chimney Offload, Virtual Machine Queue (VMQ) and Jumbo Frame support let the Network Interface Card (NIC) take over work the processor would otherwise do: TCP processing, sorting incoming packets into per-virtual-machine queues, and moving data in larger frames with less per-packet overhead. When the NIC supports these features, Hyper-V R2 benefits from them, improving network throughput and reducing the load on the host processor.


Concluding

The virtualization team is making a lot of progress on the new iteration of Hyper-V. They even documented the behavior of these features in the Windows Server 2008 R2 Reviewers Guide. Some of these features are already part of the Milestone 3 release (a pre-beta release) of Windows Server 2008 R2, and Microsoft is already able to demo them.

Since Windows Server 2008 R2 will require a new license, now would be a good time to purchase Windows Server 2008 with Software Assurance if you’re serious about Microsoft Server virtualization.

Related posts

Active Directory in Hyper-V environments, Part 4 
A Best Practice approach to updating Hyper-V environments 

Further reading

Hyper-V 2.0 Feature overview   
[PPT] Intel Virtualization Technology: Strategy And Evolution  
[PPT] Improving Networking Performance for Hyper-V Virtual Machines  
[DOC] Windows Server 2008 R2 Reviewers Guide    
Tech-Ed EMEA 2008: Clustered Shared Volumes  
Windows Server 2008 R2 new features - the complete list - Part 1: Virtualization 
Key features in the upcoming Windows Server 2008 R2 
Upcoming Windows Server 2008 R2 with Some Key Features  
Microsoft to do what VMware does nearly 10 years later… 
One-VM-per-LUN doubters   
Microsoft Hyper-V 2.0 to include Live Migration, vRAM hot plug, dynamic memory …
Live Migration in Hyper-V R2 zal gebruik maken van Cluster Shared Volumes (Dutch: Live Migration in Hyper-V R2 will make use of Cluster Shared Volumes)
Microsoft details Hyper-V 2.0 and VDI features in a new paper  

Disclaimer Beta Software

The information on this webpage applies to software from Microsoft that was in testing phase but utilizable by experienced users by the time the webpage was written. This software has not been released for sale, distribution or usage for the general public. The information on this webpage and the beta software are provided "as is" without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.

Active Directory Visibility Modes

While being involved with my company’s Hosted Messaging and Collaboration (HMC) implementation I ran into the Active Directory List Object Access Mode, set through the DS-Heuristics attribute. I decided to give you a little rundown of this mode and the other (default) Active Directory Visibility mode, how they’re different, how to enable (and disable) one or the other and what you can do with them in your environments.

About HMC

Microsoft's Solution for Hosted Messaging and Collaboration (HMC) is a multitenant environment that Microsoft partners can use to offer Microsoft Exchange, Microsoft SharePoint and Microsoft Office Communications Server (OCS) to customers from within a datacenter. The current version is HMC 4.5, offering Exchange 2007 with Service Pack 1, Windows SharePoint Services 3.0 with Service Pack 1 and Office Communications Server (OCS) 2007.

Hosted Messaging and Collaboration (HMC) can be seen as the partner option to the Business Productivity Online Suite (BPOS), in which Microsoft itself offers customers access to Exchange Server, SharePoint, Live Meeting and (soon) Office Communications Server.

About DS-Heuristics

The dsHeuristics attribute in Active Directory can be used to make global changes to the behavior of Active Directory and of the domain controllers throughout the entire forest: it is a single string in which each character position switches one behavior. Settings include the behavior of Ambiguous Name Resolution (ANR) search filters, the capabilities within anonymous LDAP connections, the behavior of the userPassword attribute, the groups protected through AdminSDHolder and of course the visibility mode, the subject of this post.


Active Directory Visibility Modes

Within Hosted Messaging and Collaboration (HMC) a hosting provider uses a single Active Directory domain to deliver directory and security services to multiple customers, which the provider facilitates by creating a separate organizational unit (OU) for each client. Since the Service Level Agreement contains a couple of privacy related clauses, the hosting provider requires that clients cannot learn of the existence of other clients: the visibility of each customer's OU has to be limited to the users of that customer. In such scenarios organizations need a way to tightly control visibility.

Active Directory offers two visibility modes:

  • List Child Access mode
  • List Object Access mode

The first mode is the default in Active Directory. In List Child Access mode a user who holds the List Contents permission on a container can enumerate every child object in that container; without it, none of the children are returned. List Object Access mode adds a second check: when a user lacks List Contents on the container, an individual child object is still returned if the user holds the List Object permission on that object (and on its parent container). Because that extra check is evaluated per object, List Object mode costs some directory performance, which is why it is off by default.

By default, the Authenticated Users group is granted the List Contents permission on organizational units and other containers in a domain. With List Object Access mode enabled, access to other organizational units (OUs) can be restricted so that users from one company (represented by an OU in the shared Active Directory) only see users from their own company. To achieve this, remove the List Contents permission for Authenticated Users from the containers they should not be able to browse, and grant the List Object permission on the objects that the users or groups should be able to list. Note that the List Object check is only consulted where List Contents is absent: as long as Authenticated Users keep List Contents on a container, everyone still sees all of its children.

Changing the Visibility Mode

To enable List Object Access Mode perform the following steps:

  1. Log on to a Domain Controller using an account that is a member of the Enterprise Admins group (the attribute lives in the forest-wide Configuration partition).
  2. On Windows Server 2003 install the Windows Server 2003 Support Tools, available on the Windows Server 2003 CD. On Windows Server 2008 ADSI Edit is installed together with the Active Directory Domain Services role.
  3. On the taskbar, click Start, point to Run, type MMC, and then press Enter.
  4. Click File, and then click Add/Remove Snap-in.
  5. Click Add, select ADSI Edit, and then click Add.
  6. Click Close, and then click OK.
  7. In the Select a well known Naming Context drop-down box, select Configuration, and then click OK.
  8. Expand Adsiedit.
  9. Expand Configuration.
  10. Expand CN=Configuration, DC=YourDomainName, DC=YourTLD.
  11. Expand CN=Services and CN=Windows NT.
  12. Right-click CN=Directory Service, and then click Properties.
  13. Select the dsHeuristics attribute, and then click Edit.

    You can now change the value to your desired mode by editing the third character of the value:

    Visibility mode                       Third character
    List Child Access mode (default)      0
    List Object Access mode               1

    The dsHeuristics value controls several behaviors at once, one per character position; the third character sets the Visibility Mode. When the third character is 0 or absent (by default dsHeuristics is not set at all, so there is no third character) the Visibility Mode is List Child Access mode. When you set the third character, keep the characters before it: if the attribute was empty, the value becomes 001, which leaves the two ANR-related positions at their default of 0. Do not overwrite other positions that may already be set in your forest.

  14. When done click OK twice and close the MMC.

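The following PowerShell is an added example for this post (not code from the article, from HMC or from Microsoft). It automates the ADSI Edit steps above and the permission change described under Active Directory Visibility Modes, using System.DirectoryServices through the [ADSI] accelerator so it also works where the Active Directory PowerShell module is not available. The names OU=Hosting,DC=example,DC=com, OU=Contoso and the tenant group SID are placeholders, and the assumption that Authenticated Users hold explicit (not inherited) List Contents and List Object ACEs on the shared container should be verified with dsacls before running it.

```powershell
# Added example: not from the original post, HMC or Microsoft. Run on a domain
# controller as a member of Enterprise Admins: dsHeuristics sits in the
# Configuration partition, so the change replicates to every DC in the forest.

function New-DsHeuristicsValue {
    # Returns $Current with the 1-based character $Position replaced by $Flag.
    # Missing positions are padded with '0', the default for every heuristic,
    # so behaviors at other positions keep their current setting.
    # (Positions 11 and up additionally require the 10th character to be '1'.)
    param([string]$Current, [int]$Position, [char]$Flag)
    $chars = @()
    foreach ($c in $Current.ToCharArray()) { $chars += $c }
    while ($chars.Count -lt $Position) { $chars += [char]'0' }
    $chars[$Position - 1] = $Flag
    return -join $chars
}

function Get-DirectoryServiceEntry {
    # CN=Directory Service,CN=Windows NT,CN=Services,<configuration naming context>
    $rootDse = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    return [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
}

function Set-ListObjectMode {
    # $true  -> List Object Access mode (third character = 1)
    # $false -> List Child Access mode  (third character = 0, the default)
    param([bool]$Enabled = $true)
    $ds = Get-DirectoryServiceEntry
    $current = [string]$ds.dsHeuristics            # '' when the attribute is not set
    $flag = '0'
    if ($Enabled) { $flag = '1' }
    $new = New-DsHeuristicsValue -Current $current -Position 3 -Flag $flag
    if ($new -ne $current) {
        $ds.Put('dsHeuristics', $new)
        $ds.SetInfo()
    }
    # Re-read from the directory rather than trusting the local property cache.
    return [string](Get-DirectoryServiceEntry).dsHeuristics
}

function Set-TenantVisibility {
    # Limits enumeration below the shared container to each tenant's own OU.
    # Assumed layout: $HostingContainerDn holds one OU per tenant ($TenantOuDn);
    # $TenantGroupSid is the SID of the tenant's users group (placeholder values below).
    param(
        [string]$HostingContainerDn,
        [string]$TenantOuDn,
        [string]$TenantGroupSid
    )
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    $allow  = [System.Security.AccessControl.AccessControlType]::Allow
    $authenticatedUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
    $tenantGroup        = New-Object System.Security.Principal.SecurityIdentifier $TenantGroupSid

    # 1. On the shared container, Authenticated Users lose List Contents (no more
    #    enumerating all tenant OUs) and List Object (so the per-object check fails
    #    for them). RemoveAccessRule only strips explicit ACEs; inherited ones have
    #    to be removed where they are defined. Verify the result with dsacls.
    $hosting = [ADSI]"LDAP://$HostingContainerDn"
    $hostingAcl = $hosting.psbase.ObjectSecurity
    foreach ($right in @($rights::ListChildren, $rights::ListObject)) {
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($authenticatedUsers, $right, $allow)
        [void]$hostingAcl.RemoveAccessRule($rule)
    }
    # 2. The tenant group gets List Object on the shared container ...
    $hostingAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule($tenantGroup, $rights::ListObject, $allow)))
    $hosting.psbase.CommitChanges()

    # 3. ... and on its own OU, which it can then list while other tenants' OUs stay hidden.
    $tenantOu = [ADSI]"LDAP://$TenantOuDn"
    $tenantOu.psbase.ObjectSecurity.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule($tenantGroup, $rights::ListObject, $allow)))
    $tenantOu.psbase.CommitChanges()
}

# Usage (placeholder names): enable the mode first, then scope each tenant.
#   Set-ListObjectMode -Enabled $true                # returns the new value, e.g. 001
#   Set-TenantVisibility -HostingContainerDn 'OU=Hosting,DC=example,DC=com' `
#       -TenantOuDn 'OU=Contoso,OU=Hosting,DC=example,DC=com' `
#       -TenantGroupSid 'S-1-5-21-...-1105'
```

New-DsHeuristicsValue is kept separate from the directory write so the string manipulation can be checked on its own (for example, an empty attribute and position 3 yield 001, while 0010000001 with position 3 set to 0 keeps the other positions). After the change, test the result by enumerating the hosting container as a user from one tenant before relying on it; the permission change is only effective once the mode has replicated to the domain controller that user binds to.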

Concluding

Changing the visibility mode of your Active Directory can significantly help in blocking access to certain parts of your Active Directory. It's definitely worth a look in highly secure environments, like multitenant environments. Keep in mind that the setting is forest-wide and that the extra List Object check is evaluated for every object a user tries to list, which costs directory performance; test the resulting visibility from a customer's user account before relying on it.

Related posts

AdminSDHolder

Further reading

Download details: HMC 4.5 
Active Directory Visibility Modes 
Recipe 15.20. Enabling List Object Access Mode 
DS-Heuristics Attribute 
Use Manual Steps to Set Active Directory to List Object Mode  
Anonymous LDAP operations to Active Directory are disabled in Windows Server 2003 
Understanding AdminSDHolder and Protected Groups 
HMC 4.5 and Exchange 2007 SP1 - Part #1 - Overview and Active Directory 
Shared hosting with Exchange 2007 (Part 2) 
Configuring Virtual Organizations and Address List Segregation in Exchange 2007

Windows Vista and Windows Server 2008 SP2 Beta Available

Mike Nash and Justin Graham announced the Customer Preview Program for Service Pack 2 Beta for Windows Vista and Windows Server 2008 on the The Windows Blog and the Windows Server Division Weblog earlier this week.

While MSDN and TechNet Plus subscribers have access to the Beta builds of this Service Pack, mere mortals had to wait until today to gain access to the bits. This wait is over!

    

Download links

Windows Vista Service Pack 2 Beta and Windows Server 2008 Service Pack 2 Beta can be downloaded from the following locations:

  • Windows Vista and Windows Server 2008 Service Pack 2 Beta
    Windows Update Experience Kit

    This is the hassle-free way to get Service Pack 2 installed on your Windows Vista with Service Pack 1 and/or Windows Server 2008 (which includes Service Pack 1) boxes. The 2 KB .cmd file in this download (with a .docx walkthrough for dummies) unlocks Service Pack 2 Beta on Windows Update for that machine. Windows Update then downloads Service Pack 2 with all the benefits of the Background Intelligent Transfer Service (BITS) and the Windows Automatic Updates service (wuauserv).
       
  • Windows Vista and Windows Server 2008 Service Pack 2 Beta ISO 
    Need to install Service Pack 2 Beta on multiple systems and/or multiple architectures? Use this 1210 MB DVD image for English, French, German, Spanish and Japanese installations of Windows Vista with Service Pack 1 and Windows Server 2008. The image includes the x86 and x64 versions of Service Pack 2 for Windows Vista and the x86, x64 and IA64 versions of Service Pack 2 for Windows Server 2008.
       
  • Windows Vista and Windows Server 2008 Service Pack 2 Beta x86 
    Still enjoying your x86 installations of Windows Vista and Windows Server 2008? This stand-alone installer for Service Pack 2 is made for you! 388 megabytes bring you the glory of Service Pack 2 for the English, German, French, Spanish and Japanese versions of Windows Vista and Windows Server 2008.
       
  • Windows Vista and Windows Server 2008 Service Pack 2 Beta x64
    Have you transitioned to 64-bit computing already? Take the next step on Route 64 and install the Beta build of Service Pack 2 for Windows Vista x64 and Windows Server 2008 x64. Pedal to the floor on Route 64!
       
  • Windows Server 2008 Service Pack 2 Beta IA64 
    A collector's item at the moment it was released! No serious collection of Microsoft updates should be without it. Also very useful to update Intel Itanium installations of Windows Server 2008 to Service Pack 2 Beta…

     

Service Pack 2 information

Service Pack 2 includes all the updates released for Windows Vista and Windows Server 2008 to date. Application compatibility updates are also part of the package. New functionality is present as well, as described below:

Windows Vista

Service Pack 2 for Windows Vista includes the Windows Vista Feature Pack for Wireless. This means Service Pack 2 allows Windows Vista owners and users to connect to Bluetooth 2.1 devices and brings the Unified Pairing user interface and the Windows Connect Now updates.

Windows Vista SP2 also enables recording data on Blu-ray drives from within Windows Vista. Another nice touch is that Sidebar gadgets require fewer resources, which is nice for those of you addicted to these little information providers.

Windows Vista with Service Pack 2 also works with new hardware. VIA 64-bit CPU support is now available, as well as support for ICCD/CCID smart card readers. Ever been annoyed with Windows Vista not reconnecting to your Wi-Fi network after resuming from sleep? Also fixed.

Windows Server 2008

The list with new functionality for Windows Server 2008 is a bit different, although both Microsoft products use the same installer.

The most appealing feature is the integration of Hyper-V in Windows Server 2008 after installing Service Pack 2. Other welcome features are improved power settings and the ability to enable the DNS Server on the ISATAP address.

     

Getting started with SP2

Microsoft provided excellent resources to get started with Windows Vista and Windows Server 2008 Service Pack 2 Beta and what to look for in this release to ensure a smooth upgrade of your environment to Service Pack 2:

     

Concluding

Enjoy the Beta of Service Pack 2 on Windows Vista and/or Windows Server 2008.

More reading

Announcing the Windows Vista and Windows Server 2008 Service Pack 2 CPP   
Windows Server 2008 and Windows Vista Service Pack 2 (SP2) CPP! 
Windows Vista SP2 Beta Available to TechNet and MSDN Subscribers 
Windows Vista Service Pack 2 Beta Download Available 
Vista SP2: What’s inside? 
Microsoft expands Vista SP2 testing 
Windows Vista SP2 - What's Inside? What's Important? 
Windows Vista Service Pack 2 Beta hits Technet and MSDN 
Windows Vista and Server 2008 SP2 is opened up to the public, target release date 
Microsoft Delivers Service Pack 2 Beta 2 for Vista, Server 2008 
Windows Server 2008 R2 CPP Resources 
Windows Vista SP2 Arrives 
Vista SP2 CPP Announced!  
Windows Vista SP2 Beta Public Download 
Beta 2 of Vista SP2 now available to anyone 

Disclaimer Beta Software

The information on this webpage applies to software from Microsoft that was in testing phase but utilizable by experienced users by the time the webpage was written. This software has not been released for sale, distribution or usage for the general public. The information on this webpage and the beta software are provided "as is" without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.

A Best Practice approach to updating Hyper-V environments

Updating environments with Hyper-V can be more of a challenge compared to updating an environment that consists of mere physical servers. Not only the workloads need regular updating, but also the Windows servers and Hyper-V servers underneath them.

The challenges

Hyper-V relies on a parent partition, whether you're using a full installation of Windows Server 2008, a Server Core installation of Windows Server 2008 or the stand-alone Hyper-V Server. When you restart the parent partition, every child partition on that host goes down with it: depending on its Automatic Stop Action a virtual machine is saved or shut down, and it is unavailable until the host is back up. How do you plan your maintenance window?

Updates can result in loss of functionality. Even though updates are tested thoroughly, there is a chance that a particular update, a combination of updates, or an incompatibility with a third party application or service hangs your server or results in unexpected behavior. When you install every update at once these situations are hard to troubleshoot: which update caused it?

Some updates address security holes and in some situations require immediate installation: the risk of getting compromised outweighs the risk of breaking something.

    

A Best Practice approach

WSSRA

Within a good design for any environment a distinction would be made between physical and virtual machines, safe and unsafe(r) networks, and application, messaging, directory, database and security services.

The Windows Server System Reference Architecture (WSSRA) comes to mind. The basis of this architecture is to unravel an environment into five layers, (network, storage, application, management and security) supplying guidance for meeting the requirements of an enterprise. The purpose of this guidance is to build highly available, secure, scalable, manageable, and reliable enterprise infrastructure.

Virtual environments

The same architectural approach can also be applied to virtual environments. The logical division would be virtual infrastructure, hosts (the guest operating systems) and workloads. In a Microsoft server environment this would mean a divide between:

Level  Description             Examples
1      Virtual infrastructure  Windows Server 2008 with Hyper-V, Hyper-V Server 2008
2      Hosts                   Windows 2000 Server, Windows Server 2003, Windows Server 2008
3      Workloads               Exchange Server 2007, SQL Server 2008, Terminal Services applications (like Office 2007)

Patching goals

In a reference architecture patching serves three goals:

  • Patched systems
  • Predictable downtime during maintenance windows
  • Possibilities for investigation of relationships between patches and loss of functionality / availability

    

Formulating best practices

Patched systems

Not all updates need to be applied immediately

Software products need to be patched to stay secure and functional, but not every patch is equally important in every situation. When the main focus for a system is security you apply all security updates immediately. When your systems process many transactions with other countries you apply Daylight Saving Time (DST) patches promptly; otherwise you can delay those updates a little while.

Microsoft classifies updates as Important, Recommended or Optional.
Decide for yourself which updates need to be applied and when they need to be applied.

Test or delay updates

Test updates in a test environment when systems are mission critical; the dependency on these systems usually justifies the cost of a test environment. When you don't have one, wait at least until the third Tuesday of the month (a week after Patch Tuesday) and search online for reports of updates breaking functionality or availability.

Virtualization offers flexible means to test updates. Snapshot functionality even allows a rollback scenario for updates. Remember though problems may occur on physical machines that you might not experience in virtual machines…

Predictable downtime

Automatically applying updates

Windows offers functionality to apply updates automatically. By default updates are installed at night around 3:00 AM. This may not be an ideal way to apply updates:

  • A branch office on the other side of the world might be using the system at that time
  • The updates might be applied during a backup, a defragmentation run or other maintenance

Furthermore this setting doesn't offer much control. In a small environment without a dedicated systems manager the setting makes sense, but in a large environment it is the wrong choice.

Windows Server Update Services

A way to control which updates get applied and when your servers (or their services) restart to apply them is Windows Server Update Services (WSUS). Using Organizational Units and Group Policy Objects (GPOs) you can divide servers into logical groups. Selecting the Microsoft products for which to apply updates, setting when to apply updates and deciding whether to restart automatically are examples of how to control updating in your environment.

Optionally you can distribute 3rd party applications and updates through Windows Server Update Services (WSUS) by using the Local Publishing feature in the WSUS 3.0 SP1 API.

Even more control can be obtained using System Center Configuration Manager. The WSUS server integration with Configuration Manager 2007 allows to scan all clients in the organization and apply the updates.

Maintenance windows

End users don’t like to be confronted with downtime, but if they are, they prefer it to be announced in advance and to have a fair amount of regularity. An IT department that arranges a default maintenance window on Friday from 18:00 to 21:00 will receive fewer complaints, fewer questions and less frustration from end users than an IT department that organizes maintenance windows irregularly. Good candidates for maintenance windows are:

  • The company’s weekly happy hour
  • A departments weekly birthday cake eating hour
  • Lunch time

Rogue Patch investigation

A critical element in updating your Microsoft environment is finding out which update was responsible for which broken functionality, if any. This is even more important in virtualized environments than in physical ones, since a rogue patch on the Windows Server in the virtualization layer may cause serious problems for every virtual guest on that box.

Phased updating

In combination with the suggestion of having a maintenance window every week I suggest updating per logical layer (virtualization layer, virtual guests, workloads). This would result in a maintenance window for the virtualization layer (where all virtual guests on a host go down temporarily when the host reboots) every first Friday of the month, a maintenance window for the guest operating systems every second Friday of the month and a maintenance window for the workloads running in the virtual guests (for instance Microsoft Exchange Server and Microsoft SQL Server) every third Friday of the month. One whole maintenance window remains for maintenance on the Storage Area Network (SAN), the network, etc.

Depending on your environment you’d place your most critical layer on the second Friday of the month, after you’ve tested the updates, since Microsoft releases updates every second Tuesday of the month (except out-of-band updates). When you delay your updates (for lack of testing) place your most critical layer on the third Friday of the month.
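The schedule described above, worked out as an added example that is not part of the original post: for a given month it computes Patch Tuesday and the four Friday windows, assigns them to the layers in the order suggested, and flags a window that would apply that month's updates untested, i.e. fewer than the chosen number of days after Patch Tuesday. The layer-to-Friday mapping, the 18:00 slot and the seven-day delay are this post's suggestions, not Microsoft defaults; the code needs no AD or WSUS access.

```powershell
# Added example, not part of the original post: compute Patch Tuesday and the
# Friday maintenance windows proposed above, one per layer, and flag a window
# that would apply updates untested, i.e. earlier than the chosen delay after
# Patch Tuesday. Pure date arithmetic, no AD or WSUS access required. The
# layer-to-Friday mapping, the 18:00 slot and the seven-day delay are the post's
# suggestions, not Microsoft defaults.

function Get-NthWeekdayOfMonth {
    param([int]$Year, [int]$Month, [System.DayOfWeek]$Weekday, [int]$N)
    $first  = New-Object DateTime $Year, $Month, 1
    $offset = ([int]$Weekday - [int]$first.DayOfWeek + 7) % 7   # days from the 1st to the first $Weekday
    return $first.AddDays($offset + 7 * ($N - 1))
}

function Get-MaintenanceSchedule {
    param(
        [int]$Year  = (Get-Date).Year,
        [int]$Month = (Get-Date).Month,
        [int]$TestDelayDays = 7      # minimum gap between Patch Tuesday and an untested window
    )
    $patchTuesday = Get-NthWeekdayOfMonth $Year $Month ([System.DayOfWeek]::Tuesday) 2
    $layers = @(
        @{ Week = 1; Layer = 'Virtualization layer (Hyper-V parent partitions)' },
        @{ Week = 2; Layer = 'Virtual guests (guest operating systems)' },
        @{ Week = 3; Layer = 'Workloads (Exchange Server, SQL Server, ...)' },
        @{ Week = 4; Layer = 'SAN, network and other infrastructure' }
    )
    foreach ($entry in $layers) {
        $window = (Get-NthWeekdayOfMonth $Year $Month ([System.DayOfWeek]::Friday) $entry.Week).AddHours(18)
        $gap    = ($window.Date - $patchTuesday.Date).Days
        if ($gap -lt 0) {
            $note = "before Patch Tuesday: applies last month's updates"
        } elseif ($gap -lt $TestDelayDays) {
            $note = "only $gap days after Patch Tuesday: test first or move to a later Friday"
        } else {
            $note = 'ok'
        }
        New-Object PSObject -Property @{
            Layer       = $entry.Layer
            Window      = $window
            DaysAfterPT = $gap
            Note        = $note
        }
    }
}

Get-MaintenanceSchedule | Sort-Object Window | Format-Table Layer, Window, DaysAfterPT, Note -AutoSize
```

Running it for a month whose first Friday precedes Patch Tuesday shows why the post keeps the most critical layer off the first Friday: that window can only carry the previous month's updates. Pass -Year and -Month to plan ahead, and -TestDelayDays 0 if every update goes through a test environment first.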

Using snapshots

Creating a snapshot in Hyper-V before applying updates allows you to roll back in case of broken functionality: apply the snapshot and the virtual machine returns to its pre-update state. When everything’s fine, delete the snapshot, then shut down the virtual machine and allow sufficient time for the differencing disk (.avhd) to be merged back into the main VHD. Applying the snapshot at that point would revert the updates instead of keeping them.

Note:
Snapshots may not be a good idea in combination with certain workloads or availability needs. Reverting an Active Directory Domain Controller to a snapshot causes a USN rollback, after which the Domain Controller is quarantined from replication (event ID 2095). And with large updates the virtual machine may need to be off for a long period of time while the snapshot merges.

     

Concluding

Below are five of my best practices for updating virtual environments to control the updates to your virtual server environment, control the downtime and be able to address issues with rogue updates:

  1. Distinguish a virtualization layer, a virtual guests layer and a workload layer. Plan an update strategy per layer.
       
  2. Don’t install updates automatically unless it makes sense. (it rarely does)
        
  3. Use Windows Server Update Services whenever possible.
           
  4. Test or delay updates.
       
  5. Plan maintenance windows.

Related posts

(Manually) Updating Server Core 
(Automatically) Updating Server Core 
Analyzing the Server Core Updates Estimate 

Further reading

Updating a web site to apply a security patch with the help of Hyper-V 
Local Publishing of Updates and Applications 
Released Hyper-V updates (up till September) 
Integrated Installation and The Beauty of the Win6 Servicing Stack 
How Microsoft IT does Patch Management  
Patch Testing  
Steve Riley on Hyper-V Patching 
Hyper-V How To: Patch VMs Offline

Active Directory in Hyper-V environments, Part 4

Hyper-V in Windows Server 2008 Enterprise and Datacenter Edition offers the ability to make virtual machines highly available by leveraging failover clustering. This however is not a good idea in the case of Active Directory Domain Controllers.

In this post I’ll explain why Hyper-V High Availability for Domain Controllers is not a good idea and how to make Active Directory Domain Controllers highly available in a much easier, more cost effective way.

   

How Hyper-V High Availability works

When combining the Hyper-V server role with the Failover Clustering feature in Windows Server 2008 you effectively create a highly available solution for virtual machines stored on shared storage.

In its simplest (and most common) form two cluster nodes (“virtual hosts”), installed with Windows Server 2008 (Enterprise or Datacenter Edition), the Hyper-V server role and the Failover Clustering feature, are attached to a shared storage device, where the files for a virtual machine (“virtual guest”) are stored.

One of the cluster nodes (“virtual host”) is the active node and runs the virtual machine (“virtual guest”). The other cluster node (“virtual host”) is the passive node. Both cluster nodes communicate through a heartbeat. That way the passive node can detect when the active node fails and become the active node. This is called a ‘failover’. A failover can also be triggered manually.

The failover process

When a failover occurs behind the scenes the following actions occur:

  1. The virtual machine (“virtual guest”) is paused on the active node.
    The memory is written to *.vsv  and *.bin files in the process.
        
  2. The ownership of the shared storage volume on which the virtual machines files are stored, is transferred from the active node to the passive node. The active node loses its ability to access the files for the virtual machine (“virtual guest”) and effectively becomes the passive node. The former passive node gains control of the shared storage volume and can now access the NTFS file system on the shared storage device.
        
  3. The virtual machine (“virtual guest”) is resumed on the former passive node.

Another name for this behavior is ‘Quick Migration’. The downtime for the virtual machine (“virtual guest”) depends on the amount of RAM assigned to it, because that memory has to be written to disk on one node and read back on the other.

    

Domain Controller High Availability

Doing it wrong…

The keyword above in light of Active Directory Domain Controller High Availability is paused. As you might remember from Active Directory in Hyper-V environments, Part 2 I gave the advice to:

Never save state or pause a Domain Controller
Always shut down virtual Domain Controllers properly to avoid replication errors.

When a Domain Controller resumes from a paused or saved state its clock still shows the time at which it was paused, and it takes a while to regain accurate time. When the Domain Controller replicates before it has, replication errors occur.

Doing it right!

Within Windows Server 2008 Failover Clustering you have granular control over the high availability settings of each of the virtual machines (“virtual guests”) on each of the cluster nodes. You can choose whether to make a virtual machine highly available on a per virtual machine basis.

Choose not to make an Active Directory Domain Controller virtual machine (“virtual guest”) highly available using failover clustering. Instead deploy Active Directory Domain Controller virtual machines on at least two nodes. For this you don’t necessarily need shared storage.

This is consistent with best practices for physical deployments of Active Directory Domain Controllers: Active Directory uses a scale-out model.
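A check that follows from the two points above, as an added example that is not part of the original post: it enumerates the Domain Controllers of the current domain, reads each one's clock over LDAP and compares it with the PDC emulator's clock, so a Domain Controller that was resumed from a paused or saved state with a stale clock is spotted before it replicates or hands out Kerberos tickets; it also warns when the domain has only one Domain Controller, since multiple Domain Controllers are what replace clustering in the scale-out model. It uses only System.DirectoryServices.ActiveDirectory, so it runs from any domain-joined machine; the 300-second threshold is an assumption that matches the default Kerberos clock tolerance, not a value from the post.

```powershell
# Added example, not part of the original post: enumerate the Domain Controllers
# of the current domain, read each one's clock over LDAP and compare it with the
# PDC emulator's, so that a Domain Controller resumed from a paused or saved
# state with a stale clock is spotted before it replicates or hands out Kerberos
# tickets. Also warns when the domain has fewer than two Domain Controllers.
# Uses only System.DirectoryServices.ActiveDirectory, no AD module needed. The
# 300-second threshold is an assumption matching the default Kerberos tolerance.

function Get-DcClockReport {
    param(
        [System.DirectoryServices.ActiveDirectory.Domain]$Domain,
        [int]$MaxSkewSeconds = 300
    )
    $pdc = $Domain.PdcRoleOwner          # the domain's time root, used as reference clock
    foreach ($dc in $Domain.DomainControllers) {
        $props = @{ DomainController = $dc.Name; Site = $dc.SiteName; Roles = ''; SkewSeconds = $null; Status = '' }
        try {
            # Read both clocks back to back so the time between the two reads stays small
            $reference = $pdc.CurrentTime
            $skew      = ($dc.CurrentTime - $reference).TotalSeconds
            $props.Roles       = ($dc.Roles | ForEach-Object { $_.ToString() }) -join ','
            $props.SkewSeconds = [Math]::Round($skew, 1)
            if ([Math]::Abs($skew) -le $MaxSkewSeconds) {
                $props.Status = 'ok'
            } else {
                $props.Status = 'CLOCK SKEW: was this DC paused or saved? check w32tm /resync and repadmin /showrepl'
            }
        } catch {
            $props.Status = "unreachable: $($_.Exception.Message)"
        }
        New-Object PSObject -Property $props
    }
}

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
if ($domain.DomainControllers.Count -lt 2) {
    Write-Warning "$($domain.Name) has a single Domain Controller; deploy a second one instead of clustering it."
}
Get-DcClockReport -Domain $domain | Format-Table DomainController, Site, Roles, SkewSeconds, Status -AutoSize
```

The Roles column shows which Domain Controllers hold Flexible Single Master Operations roles, which is what you want to know before seizing a role in an emergency; a skewed entry on a virtual Domain Controller is the symptom the post warns about and is worth investigating before replication or Kerberos errors show up.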

   

Concluding

When you make Domain Controller virtual machines highly available using Hyper-V Failover Clustering in Windows Server 2008 you risk replication errors. Instead deploy multiple Domain Controller virtual machines and rely on the Active Directory model, like you would in a physical world. (Flexible Single Master Operations roles can be seized in case of emergency.)

Hyper-V R2, available in the Windows Server 2008 R2 timeframe, will offer Live Migration, which moves a running virtual machine between nodes without pausing and resuming it (among other improvements).

Related posts

Active Directory in Hyper-V environments, Part 1 
Active Directory in Hyper-V environments, Part 2 
Active Directory in Hyper-V environments, Part 3  

Further reading

Hyper-V on Wikipedia 
Virtualization with Hyper-V 
Malcolm Davis's Blog: Scale Up vs. Scale Out
Clustering Active Directory 
Server Virtualisation - Live Migration vs. Quick Migration 
Hyper-V Quick Migration & VMware Live Migration Part 1 
Hyper-V Quick Migration & VMware Live Migration Part 2 
Hyper-V Quick Migration & VMware Live Migration Part 3

An early look at new Active Directory features

Windows Server 2008 R2 and Windows 7 include new features in Active Directory that were announced and explained at Microsoft’s Tech∙Ed Europe Middle East & Africa (EMEA) conference for IT Professionals in Barcelona (Spain) from November 3rd, 2008 to November 7th, 2008.

Note:
This post represents the plans and progress made for Windows Server 2008 R2 and Windows 7 during the Milestone 3 timeframe, builds 6801 through 6937.

    

Active Directory Administrative Center

Windows Server 2008 R2 comes with new administrative tools that offer a new management experience. The biggest change is the management console, called the Active Directory Administrative Center. This is a Microsoft Management Console (MMC) version 4 console and is task oriented. The Administrative Center replaces the current Active Directory Users and Computers (ADUC) MMC snap-in (dsa.msc).

The new management console is a graphical shell on top of PowerShell. After you click together your commands, the Administrative Center shows the corresponding PowerShell command on screen and then executes it. This is the same way the Exchange 2007 Management Tools and Virtual Machine Manager 2008 work.

A feature called “Progressive Disclosure” limits the information the tool returns to the administrator. This is useful for beginning administrators, but might also prove useful in delegation scenarios.

     

Best Practices Analyzer

Accompanying the Active Directory Administrative Center is the Active Directory Best Practices Analyzer (ADBPA), which will help Active Directory administrators to correct Active Directory problems proactively and compare Active Directory performance with previously made baselines.

Administrators, managing Exchange Servers will immediately recognize this tool as the Active Directory flavor of the Exchange Server Best Practices Analyzer (ExBPA), which provides them with help to correct the causes of unexpected behavior. The Active Directory Best Practices Analyzer (ADBPA) is a tool that goes beyond the Exchange Server Best Practices Analyzer (ExBPA), and integrates with the Server Manager, which in turn in Windows Server 2008 R2 receives a tremendous overhaul. (many roles will receive the ‘BPA’ treatment)

The version of the Active Directory Best Practices Analyzer (ADBPA) included in Windows Server 2008 R2 (version 1.0) focuses mainly on DNS problems, because they cause the most problems for Active Directory environments. Updates to the Active Directory Best Practices Analyzer (ADBPA) can be made available using Windows Update to address problems that might arise during the lifecycles of your Domain Controllers.

     

PowerShell cmdlets

PowerShell cmdlets are the basis of the new streamlined management experience. The team said there were approximately 85 cmdlets for Active Directory Domain Services and Active Directory Lightweight Directory Services, most of them starting with Get-AD and Set-AD. These new cmdlets replace the current Active Directory command line tools (dsget.exe, dsmod.exe, dsadd.exe, dsmove.exe, dsquery.exe and others).

The power of PowerShell is not to be dismissed in Windows Server 2008 R2. For all you command line avoiders out there: there’s Graphical PowerShell. This tool provides a Graphical User Interface (GUI) that allows you to interactively create and debug PowerShell scripts within an integrated development environment similar to Visual Studio:

The PowerShell cmdlets (and thus the Administrative Center) use Active Directory Web Services and the Windows Communication Foundation (WCF) instead of the RPC and LDAP interfaces we use today. According to the team this is the first step in leaving the RPC model and embracing a web services approach. The Active Directory team plans to release Active Directory Web Services as a download for previous versions of Windows Server (Windows Server 2003 and Windows Server 2008).

Because Active Directory Web Services requires the .NET Framework, it will not run on Windows Server 2008 (non-R2) Server Core Domain Controllers, which lack the .NET Framework. The new Active Directory Administrative Center and the Active Directory PowerShell cmdlets therefore cannot be used against Windows Server 2008 Server Core Domain Controllers.

     

Recycle Bin for Active Directory

Restoring deleted objects from Active Directory Domain Services and Active Directory Lightweight Directory Services in current versions of Windows Server, using Directory Services Restore Mode and an authoritative restore, is not for the faint of heart. In this time of economic turmoil proposing an expensive 3rd party application for this purpose to the CFO isn’t for the faint of heart either…

Windows Server 2008 R2 therefore comes with a Recycle Bin for Active Directory, that can be enabled. This feature enables administrators to quickly undo an accidental deletion from Active Directory. It works like the Recycle Bin on a Windows client and allows an administrator to fully undelete a deleted object, because a deleted object is not tombstoned (immediately) but made inactive, while all its attributes and values are kept intact for a period of 180 days. After this period it is recycled for another 180 days, which effectively has the same function as the tombstone period. Once the feature has been enabled it cannot be disabled again.

To make the Recycle Bin possible a new forest functional level, Windows Server 2008 R2, is introduced; every Domain Controller in the forest must run Windows Server 2008 R2 before the level can be raised.
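What enabling and using the feature looks like, as an added example that is not part of the original post: it enables the Recycle Bin for the forest after checking the forest functional level, and restores a deleted user, refusing to do so when the user's former OU was deleted as well (the OU has to come back first). The cmdlet names are those of the ActiveDirectory module as it shipped in Windows Server 2008 R2 RTM, which the Milestone 3 preview above predates; jdoe is a placeholder. Note that enabling the feature is one-way and turns objects that were already tombstoned into recycled objects that can no longer be restored.

```powershell
# Added example, not part of the original post: enable the Active Directory
# Recycle Bin for the forest and restore an accidentally deleted user with the
# ActiveDirectory module as it shipped in Windows Server 2008 R2 RTM, which the
# Milestone 3 preview above predates. Enabling the feature is one-way, needs the
# Windows Server 2008 R2 forest functional level, and turns objects deleted
# before that moment into recycled objects that can no longer be restored.
# jdoe is a placeholder for your own environment.
Import-Module ActiveDirectory

function Enable-ForestRecycleBin {
    $forest = Get-ADForest
    if ($forest.ForestMode -ne 'Windows2008R2Forest') {
        throw "Forest functional level is $($forest.ForestMode); Windows2008R2Forest is required."
    }
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    if ($feature.EnabledScopes.Count -gt 0) {
        Write-Host 'Recycle Bin is already enabled.'
        return
    }
    # Irreversible: everything that is already tombstoned becomes unrecoverable now
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

function Restore-DeletedUser {
    param([string]$SamAccountName)
    # Deleted objects sit under CN=Deleted Objects and are hidden unless asked for explicitly
    $deleted = Get-ADObject -Filter { sAMAccountName -eq $SamAccountName -and isDeleted -eq $true } `
                            -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
    if (-not $deleted) { throw "No deleted object with sAMAccountName '$SamAccountName' found." }
    if (@($deleted).Count -gt 1) {
        throw "More than one deleted object named '$SamAccountName'; pick one by ObjectGUID."
    }
    # If the former parent OU is gone too, lastKnownParent points into CN=Deleted Objects
    # and the OU has to be restored before its children can be.
    if ($deleted.lastKnownParent -like '*CN=Deleted Objects,*') {
        throw "Parent $($deleted.lastKnownParent) was deleted as well; restore it first."
    }
    $deleted | Restore-ADObject
    return Get-ADUser -Identity $SamAccountName
}

Enable-ForestRecycleBin
Restore-DeletedUser -SamAccountName 'jdoe'
```

Restore-ADObject puts the object back under its lastKnownParent with group memberships and other attributes intact, which is the difference from an undelete of a tombstone, where most attributes are gone.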

    

Managed Service Accounts

The Active Directory team created a new Active Directory object type, called a Managed Service Account. This object type, based on the computer account, allows for easier management of service accounts in Active Directory.

Since the new object type is based on the computer account, its password is generated and rotated automatically by the computer that uses it, so it is not hindered by account policies like the password policy and the account lockout policy. Additionally it does not allow interactive logons, which is an added layer of security (but can also be a layer of trouble when a service needs to log on interactively).

Managed Service Accounts are tied to Computer Accounts. You can add multiple Managed Service Accounts to one Computer Account, but you can’t assign one Managed Service Account to multiple Computer Accounts.

The Managed Service Accounts feature requires the Windows Server 2008 R2 Domain level.
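The relationship described above, as an added example that is not part of the original post: it creates a Managed Service Account, checks that it is not already bound to another computer (one computer may host several MSAs, but an MSA serves a single computer) and binds it to one computer. Cmdlet and attribute names are from the ActiveDirectory module of Windows Server 2008 R2 RTM, which the Milestone 3 preview above predates; svc-web, WEB01, CORP and W3SVC are placeholders.

```powershell
# Added example, not part of the original post: create a Managed Service
# Account, bind it to one computer and enforce the rule stated above before doing
# so: a computer may host several MSAs, but an MSA serves a single computer.
# Cmdlet and attribute names are from Windows Server 2008 R2 RTM, which the
# Milestone 3 preview above predates; svc-web, WEB01, CORP and W3SVC are placeholders.
Import-Module ActiveDirectory

function New-BoundServiceAccount {
    param([string]$Name, [string]$ComputerName)
    # msDS-HostServiceAccountBL is the back-link from the MSA to the computer whose
    # msDS-HostServiceAccount attribute references it (set by Add-ADComputerServiceAccount)
    $msa = Get-ADServiceAccount -Filter { Name -eq $Name } -Properties 'msDS-HostServiceAccountBL'
    if (-not $msa) {
        # No -AccountPassword: AD generates the password and the host rotates it
        $msa = New-ADServiceAccount -Name $Name -Enabled $true -PassThru
    } elseif ($msa.'msDS-HostServiceAccountBL') {
        throw "$Name is already bound to $($msa.'msDS-HostServiceAccountBL' -join ', '); an MSA can serve one computer only."
    }
    Add-ADComputerServiceAccount -Identity $ComputerName -ServiceAccount $msa
    return $msa
}

$msa = New-BoundServiceAccount -Name 'svc-web' -ComputerName 'WEB01'
Write-Host "Bound $($msa.SamAccountName) to WEB01. On WEB01 run: Install-ADServiceAccount -Identity '$($msa.Name)'"
# Then point the service at the MSA with an empty password, the '$' suffix included:
#   sc.exe config W3SVC obj= "CORP\svc-web$" password= ""
```

Install-ADServiceAccount has to run on the computer itself, because that is where the password is retrieved and cached; from then on the host changes it on its own schedule and no administrator ever knows it, which is the property that makes the account immune to the lockout and password policies mentioned above.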

       

Offline Domain Join

One of the new features of Windows 7 and Windows Server 2008 R2 is their ability to join an Active Directory domain, without a direct communication path between the client wanting to become a member of the domain and a Domain Controller.

This is achieved through restructuring the way a client joins the domain in Windows 7 and Windows Server 2008 R2. You can use this feature with your existing Windows Server 2003 and Windows Server 2008 Domain Controllers.

A tool is made available named djoin.exe. It can be used to pre-provision a client at the Domain Co