One year of Windows XP support remains. After twelve years, now is the time to migrate off this 2001 Operating System or to take your security measures to assure your colleagues experience the least impact of the End of Support (EoS) situation. Of course, migrating to a later version of Windows or to another (supported) Operating System is the best approach. If, however, you want to continue running Windows XP in your organization, you should begin taking measures, beginning today:
Disable unneeded administrator accounts
A decade ago, when admins started deploying Windows XP machines, often, colleagues were given accounts with local administrative privileges. Many organizations came from Windows 9x and colleagues were used to having these privileges on their systems and demanded it (back). However, when logged on as an administrator in Windows XP, every action performed, is performed with total control over the system. When a colleague, logged on as an administrator, encounters malware, this piece of malware is capable of taking full control over the system, including installing a hypervisor to make itself undetectable from malware scanners.
Windows XP installations should be checked for accounts that are members of the local Administrators group. Colleagues that are part of this group should have a good reason to be in it. Applications that require administrative privileges can be run through runas.exe.
Don’t replace memberships of the Administrators group with memberships of the Power Users group. A power user is an administrator, but doesn’t know it yet…
When done, you should create a group policy to fill the local Administrators groups on your Windows XP machines based on Restricted Groups. This group should be as empty as possible and configured in replace-mode.
Also, the built-in local administrator account on all your Windows XP machines should be disabled, where possible. You can perform this action in various ways, but the most effective method is through Group Policy. The Accounts: Administrator account status was introduced to this purpose, specifically.
Update Windows XP with the latest updates
April 8, 2014 will be the last Patch Tuesday for Windows XP. After this date, no updates or Service Packs will be released for Windows XP. Shortly after this date, you will want to create a system image for Windows XP, including all the updates. Sysprep it, so you can deploy it easily when a Windows XP installation fails.
While this image can be used to reimage Windows XP computers, it will have no effect on the current install base.
Not all software handles sysprep gracefully. Test.
Now, some updates require earlier updates. It is, therefore, an illusion to think that updating a Windows XP computer once, will update it to the fullest. Also, running Windows Update might confront your colleagues with a hundred updates and the accompanying hours of their unproductivity to install them.
Centralized update solutions, like the free Windows Server Update Services (WSUS) and C’t’s WSUS Offline Update, allow a phased roll out of Windows Updates and Service Packs, but you should start to do this today if you want to make sure your Windows XP computers are up to date on April 8, 2014.
Don’t use the built-in programs to access the Internet
Windows XP comes with several built-in tools, like Internet Explorer, Windows Media Player, Wordpad and Notepad. With the End of Support in sight, you should at least change processes and behavior within your organization to move away from these programs, since these programs are updated through Windows Update and, thus, don’t receive updates after April 8, 2014.
As an alternative to Internet Explorer, Google’s Chrome or Mozilla’s Firefox should be used. At the moment, both manufacturers support Windows XP (with at least Service Pack 2) for their newest releases. As an alternative to Windows Media Player, VLC Media Player may be used.
However, you should be aware that these programs get updates. Using Group Policy to deploy these programs, allows you to deploy and replace them. Group Policy Setings and Group Policy Preferences can be used to manage settings for these programs.
Software Restriction Policies can be used to limit access to the built-in programs. After April 8, 2014, you can use hash rules without problems, since the hashes will no longer change due to the lack of updates.
Deploy and update a multi-tier anti-malware solution
Malware scanners come in many forms and shapes. Everyone has their own favorite, but for your organization you should be looking for a centrally manageable malware solution, like McAfee’s ePolicy Orchestrator, Symantec AntiVirus Corporate Edition and Microsoft System Center Endpoint Protection. These solutions let you manage your anti-malware measures centrally and empower you to stay on top of outbreaks.
Scanning mere workstations for malware is not enough. You should scan for malware on user-accessible network locations (like file- and mailservers) and, ideally, on the perimeter of your network. If you possess a perimeter device that supports malware scanning, enable it.See if you can enable Intrusion Detection (IDS) and Host Intrusion Prevention (HIPS) too.
Luckily, centralized management also means centralized updates. When giving a choice, make sure to check for updates at least daily for workstations and hourly for mailservers and perimeter devices.
Configure the (Windows) Firewall
Most anti-malware solutions for endpoint protection include firewalls. If yours doesn’t, or if you don’t want to use it, Windows XP with Service Pack 2 comes with an elaborate firewall.
The built-in firewall can be configured with Group Policy to allow only the traffic you want to allow, based on port, program, protocol and host whitelisting. This will raise the bar significantly for malware to communicate and propagate.
You only have to configure and test Windows Firewall rules once. You can then drag them to the Windows Firewall pane in the Group Policy editor.
Testing of firewall rules is easy with the logging feature. Instead of dropping connections, you can just log them. The logs will show you the additional rules to create. Also, free network traffic capture tools like Netmon and WireShark can be useful to analyze (the purpose of) network chatter.
Uninstall or disable add-ons, plug-ins and extensions
Running the most recent version of a 3rd party browser, will not ensure you have the recent version of the add-ons, plug-ins and extensions used within the browser. Software from Adobe, like Flash, Reader and its Shockwave Player and Oracle (Java) will need to be updated regularly or disabled. These notorious programs have been known to provide attack vectors on fully patched Windows installations, so if you can’t keep them up to date, disable them.
Update Microsoft Office
While the End of Support for Windows XP is gathering quite some mainstream media attention, you should be aware of the lifecycle of the other business-critical Microsoft software in your environment. On Windows XP clients, the most obvious business-critical Microsoft program would be Microsoft Office. You should be aware that support for Office XP (version 2002) ended on July 12, 2011. Support for Office 2003 ends on April 8, 2014 too.
If you want to keep using Office XP or Office 2003, make sure to update it and disable macros. Also, think about using Outlook Web Access / Outlook Web App and not Outlook. These measures will defuse most Office-based attacks, but will not protect you from leaks within Office programs. If you want to safely exchange documents with partners and customers over the Internet and through mail, make sure to upgrade to Office 2007.
You cannot install Office 2010 or Office 2013 on Windows XP. If you want to migrate to these Office versions, you will need to migrate the Operating System first.
Build a software and documents repository
With many software vendors ending their support for Windows XP at the same time as Microsoft does, you could become stuck in the situation where you can no longer download the version of a program that you need. Or the documentation on how to install it, configure it and/or manage it.
How Windows XP end of life will affect your desktop applications
Windows XP SP3 and Office 2003 Support Ends April 8, 2014
End of support for Microsoft Windows XP SP3 and Office 2003
Support for Office 2003
End of support for Office XP
XP in 2020? Not even close. Read the fine print...
Microsoft counts down to end of support for Windows XP
Microsoft: MED-V Not a Cure for Windows XP End-of-Life
Set Your Watches For the End of Windows XP
Prepare now for end of support for Windows XP, Microsoft Office 2003
Extended support for Windows XP ends in 365 days
Microsoft Set to Retire Windows XP
Preparing for the End of Windows XP and Office 2003 Support
Windows XP dies a year from … now!
UK businesses stalling on XP migration as end of Microsoft support looms
Related KnowledgeBase articles
294676 How to enable and use the "Run As" command when running programs
281140 How to disable the Local Administrator account in Windows
279301 Description of Group Policy Restricted Groups
825069 A member of the Power Users group may be able to gain administrator rights
302577 How to use the Sysprep tool to automate successful deployment of Windows XP
In the earlier 20 blogposts on new features in Active Directory Domain Services in Windows Server 2012, I’ve covered most of the main stream new features. Today, I’m covering a lesser known feature: SID Compression. While this feature has been around in earlier versions of Active Directory Domain Services in Windows Server, it has been enhanced in Windows Server 2012 to provide more value.
Along with related token features like the default larger size (48,000 bytes) and the capabilities to store claims as part of Dynamic Access Control it offers the path to solve token bloat.
SID Compression in earlier versions
In earlier versions of Active Directory Domain Services in Windows Server, SID Compression has been available for years.
When a Ticket Granting Ticket (TGT) is created, the SIDs for global groups and universal groups of the Active Directory domain the user account is a member of, are compressed in the authorization data field (PAC) of the TGT. Compression is achieved by storing the SID Namespace once with a shorter identifier. SIDs for group in this SID Namespace were then linked with their Relative ID (RID) to the SID Namespace through the identifier.
The following group SIDs are compressed:
- Global groups in the user's account domain
- Universal groups in either the user’s account domain
All other group SIDs are uncompressed. This includes Domain Local Groups, SIDs from any other groups outside the Active Directory domain the user account is a member of (like SIDhistory) and SIDs for well-known groups.
SID Compression in Windows Server 2012
Along with other Kerberos Token logic, in Windows Server 2012 a new SID Compression scheme is used. This feature is called Resource SID Compression. It is enabled by default.
SID Compression can now also be used to compress Kerberos Service Tickets (STs), not just Kerberos Ticket Granting Tickets (TGTs), enabling the compression of SIDs for Domain Local Groups for the Active Directory domain the user account is a member of and any resource domains.
The following group SIDs will be compressed by default in Windows Server 2012:
- Global groups in the user's account domain
- Domain local groups in the resource domain
- Universal groups in either the user’s account or resource domain
- SID history groups in either the user’s account or resource domain
The following group SIDs will not be compressed:
- Groups a user is a member of which are in other domains
- Well known SIDs
Disabling Resource SID Compression
Microsoft has identified some problems with the new SID Compression scheme in Microsoft KnowledgeBase article 2774190. Since Service Tickets (STs) now also feature SID compression and are the tickets that are presented to services (like file servers, web servers) these services need to understand the new scheme. If they don’t, obviously, access denied errors will be displayed.
When you’re running into this situation, you can disable resource SID compression on a Windows Server 2012 KDC using the DisableResourceGroupsFields registry value under the HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kdc\Parameters registry key.
This registry value has a DWORD registry value type. You completely disable resource SID compression when you set the registry value to 1. The Key Distribution Center (KDC) reads this configuration when building a service ticket. With the bit enabled, the KDC does not use resource SID compression when building the service ticket.
You do not need to reboot Domain Controllers after making these changes.
Related KnowledgeBase Articles
327825 Problems with Kerberos authentication when a user belongs to many groups
2774190 Resource SID Compression in Windows Server 2012 may cause authentication problems on NAS devices
MaxTokenSize and Windows 8 and Windows Server 2012
184.108.40.206.3 Domain Local Group Membership
Key Distribution Center
Many thanks to Guido Grillenmeier, Lee Flight and Dean Wells.
Windows Deployment Services has a long-standing tradition of being part of the Windows Server Operating System. What used to be Remote Installation Services (RIS), became Windows Deployment Services (WDS) in Windows Server 2003 Service Pack 2.
Windows Deployment Services (WDS) has ties to Active Directory, as I’ve blogged about earlier. In Windows Server 2012, however, some of the statements in that blogpost have changed.
Among the many improvements in Windows Deployment Services (WDS) in Windows Server 2012, these three Active Directory-related changes pop out:
Windows Deployment Services (WDS) is now configurable as a Standalone server, without the need for Active Directory. Although this was possible in Windows Server 2008 r2, already, that configuration was limited and complex: You needed to configure the server using wdsutil.exe or the registry editor.
In Windows Server 2012, while installing the Windows Deployment Services (WDS) Server Role you can configure it as a Standalone server as opposed to the Integrated with Active Directory mode. In this mode, information on prestaged devices is stored in a local store.
The Standalone Mode is useful since it allows for a portable deployment solution that is independent of any existing environment.
Active Directory Prestaged Devices
Prestaging devices is now possible in the Windows Deployment Services Graphical User Interface (GUI). You no longer have to use wdsutil.exe for that purpose. It is possible to prestage devices, based on their:
- MAC Address
- GUID (Global Unique Identifier)
- DUID (DHCPv6 Unique Identifier)
You can pre-stage setting like the computer name, PXE policies, boot image, installation image, permissions on join and more. You can also, optionally, create an unattend.xml for the device.
BitLocker Network Unlock
Now, you might almost think, integrating Windows Deployment Services (WDS) is no longer a Server Role that is better with Active Directory. While the above feature makes your life as a deployment admin easier, Windows Deployment Services offer unrivaled functionality when used with Active Directory. One of the new features surrounding Windows Deployment Services in Windows 8 and Windows Server 2012 on hardware with UEFI 2.3.1 is the possibility to automatically unlock the Operating System drive when a machine is booted while connected to the corporate network. This feature allows for desktops and servers to be secure, but not burdening the user or server admin with security protocol.
One of the requirements for BitLocker Network Unlock is Windows Deployment Services (WDS). Other requirements include Active Directory Domain Services and Active Directory Certificate Services. See the combo?
Windows Deployment Services is a mature component for many deployment scenarios. You can use it with or without Active Directory, and this blogpost provides an overview of the benefits in both scenarios.
WDS without Active Directory
Windows Deployment Services: A Real Ghostbuster Part 1
Deploying Windows 7 with Windows Deployment Services
Five Must-Have Hardware components to get the most out of Windows 8
As an IT Professional, dedicated to help people out by sharing the information I research and uncover, I have donated much of my time to help the Dutch Networking User Group (NGN).
Now, it’s my great pleasure to announce that on Wednesday April 17, 2013, Dave Stork and I will be presenting a 45-minute session on Managing devices through Exchange ActiveSync during the NGN Tablet Day at the Reehost in Ede, the Netherlands.*
Active Directory is the cornerstone to most networking environments, but not all devices can be domain-joined and/or managed through Active Directory. While talking about these devices with clients, most of the time, they would think of mobile devices like tablets.
Several Microsoft solutions exist to manage these devices, depending on their capabilities and organizational strategy. In some cases, Internet-based Management in System Center Configuration Manager would suffice. In other scenarios Windows Intune would be just what the doctor prescribed. Remote Access Services, DirectAccess and Remote Desktop Gateway also have their advantages, but most of the time Exchange ActiveSync is the solution that just works.
Dave and I will, once again, assume the roles of Jos Haarbos and Hans Worst and explain the inner workings, management challenges and best practices surrounding Exchange ActiveSync in all supported versions of Exchange Server and Exchange Online in a 45-minute Dutch-spoken session.
Also, KMC Solutions, the sponsor for this event, will host a follow-up session on the added value of Mobile Device Management (MDM) in contrast to ActiveSync, delivering the complete picture during the day. Since KMC Solutions is also a Value Added Reseller (VAR), they will be able to talk about licensing and licensing costs.
Tickets are available through the event page. Tickets cost € 300. Members of the Dutch Networking User Group (NGN) benefit from the lower member fare for this event (€ 125).
* It will be the third time Dave and I will be presenting this session.
Centralized iPad management with profiles and policies
Upcoming Speaking Engagements (March & April 2012)
Upcoming Speaking Engagements
NGN TabletDag Dutch
KMC Solutions - NGN TabletDag 17 April in de Reehorst te Ede Dutch
At the Dutch Microsoft TechDays, my employer introduced ICT Expert Talks: a professional film booth, where we interviewed speakers, attendees and staff. You can find these interviews on YouTube in the ICT Expert Talks channel. In this blogpost, I’ll provide a peak behind the scenes of these interviews, the people involved, technology we used and fun we had.
Creating thirty interviews in two days is no simple feat. Joeri Pruys is a marketeer at OGD and a professional film maker in his spare time. Watch his short films on the website of Roundhay Garden Scene to enjoy his skills and get excited about his full film Habitat. Joeri designed most of the booth and operated the cameras to make sure people were in the perfect picture all the time:
Joep van der Zijden & Raymond Comvalius
Joep van der Zijden is our copywriter at OGD and has lend his voice to the latest radio commercials our company did. My buddy Raymond was involved through the Dutch Networking User Group (NGN). Joep performed most of the one-minute interviews and our landmark interview with David Chappell. Raymond did all the longer and more technical interviews with the speakers.
Joep and Raymond were our interviewers and they both did a fantastic job!
Martijn Vinke is the brains behind the operation and also a marketeer at OGD. He came up with the concept for the ICT Expert Talks and made it all happen. As the proud content owner, we could no longer beat the smile off his face on Day 2…
From a technology point of view Ivo van der Pas Jr. (also a colleague at OGD) worked the videos, made the cuts and uploaded the files to YouTube. Of course, all the equipment was running Windows.
Ivo made sure our 1-minute videos were on YouTube five minutes after the interview. Barely sufficient time to drink a cup of coffee…
Some of the interviews we shot are breathtakingly professional and educational, like the interview we did with David Chappell:
However, don’t let the professional look and feel of the interviews confuse you. We had a lot of fun, making these interviews!
Last week, Microsoft Netherlands organized the 2013 TechDays at the World Forum in The Hague, where both Developers and IT Professionals enjoyed two days of sessions, networking opportunities and catering.
On March 6th, I visited the event space, together with Raymond Comvalius. We explored the venue, checked out the film booth my employer had set up and met up with Christian van Woerkom and Vivian Andringa.
On March 7th, the first day of the main event, the first item on my schedule was my session “Two of a kind: Virtualization safe(r) Active Directory and Domain Controller Cloning” from 9:15AM to 10:30AM in room Everest.
After my session, I dumped my stuff in the speaker room and headed for the Genius Bar. This year, the Dutch TechDays event featured a Genius Bar with six touchscreens. A lot of my buddies were there and William Jansen and I took a couple of pictures:
The rest of the day, I divided my time between the Genius Bar, the ICT Expert Talks (more on that in my next blog post) and the IT Pro Keynote with Tony Krijnen and David Chappell:
I also spent some time in the Speaker Room. At the end of the day, in the Speaker Room, a picture was shot with most of the speakers to conclude the Speaker Drinks:
When your organization is looking to implement Windows Server 2012-based Domain Controllers, your Active Directory environment needs to meet certain requirements. Two of these requirements are the domain functional level and forest functional level.
In this blogpost I’ll explain the required domain and forest functional levels for the specific implementation steps.
About Active Directory functional levels
With every new Windows Server Operating System since Windows 2000 Server, Microsoft has introduced corresponding Active Directory functional levels. Two distinct Active Directory functional levels exist: the domain functional level and the forest functional level. Functional levels unlock Active Directory and Domain Controller functionality, while also limiting the possibility of adding Domain Controllers and/or domains with lower Operating System versions.
Let’s illustrate this with two examples. The Windows Server 2008 R2 Domain Functional Level (DFL) unlocks Authentication Mechanism Assurance (among other things) but also prevents admins from having Domain Controllers running Windows 2000 Server, Windows Server 2003, Windows Server 2003 R2 or Windows Server 2008 in the domain. The Windows Server 2008 R2 Forest Functional Level (FFL) adds the Active Directory Recycle Bin, while limiting the creation of domains in the forest running a lower Domain Functional Level.
To prepare an Active Directory domain, the domain needs to run the Windows 2000 Server Native Domain Functional Level (DFL).
Windows Server 2012-based writable Domain Controllers
To introduce Window Server 2012-based Domain Controllers, the Active Directory forest needs to run the Windows Server 2003 Forest Functional Level (FFL). In an environment where the forest functional level is Windows Server 2003, the Domain Functional Level of all domains in the forest needs to be Windows Server 2003 (not Windows Server 2003 interim)or higher.
Windows Server 2012-based Read-only Domain Controllers
If your goal is to introduce Read-only Domain Controllers in an existing environment, make sure the Active Directory forest runs the Windows Server 2003 Forest Functional Level (FFL). In an environment where the forest functional level is Windows Server 2003, the Domain Functional Level of all domains in the forest needs to be Windows Server 2003 or higher.
Also, at least one writable domain controller running Windows Server 2008 or higher must be deployed in the same domain as the Read-only Domain Controller and must also be a DNS server that has registered a name server (NS) resource record for the relevant DNS zone.
The third requirement for implementing Read-only Domain Controllers is you must have prepared the Active Directory forest for Read-only Domain Controllers using adprep.exe /rodcprep.
Related Knowledgebase Articles 3226992 How to raise Active Directory domain and forest functional levels
Understanding Active Directory Domain Services (AD DS) Functional Levels
Prerequisites for Deploying an RODC
What Are Active Directory Functional Levels?
Differences in domain and forest functional levels 2000 to 2008
Determining the Functional Level in Windows Server 2003
Active Directory Domain and Forest Functional Levels
A lot of people have an opinion on the Offline Domain Join (ODJ) functionality in Windows Server 2008 R2 and Windows Server 2012 Active Directory, Windows 7 and Windows 8. Of course, everyone is entitled to an opinion, but sometimes fact checking is useful for a discussion.
To this point, I have captured the top 5 myths on ODJ from discussions I had with people on this subject throughout the last couple of years. You find them in this blogpost.
5. Only Domain Admins can provision
A default Active Directory environment will only allow members of the Domain Admins group to provision computer accounts for Offline Domain Join (ODJ). Changing this behavior, however, is fairly simple. The following methods can be used to allow lower-privileged accounts the required privileges:
- The user right to Add workstations to the domain can be set using Group Policy.
This method allows you to create computers in the default Computers container and in any organizational unit (OU) that is created later (if no Deny access control entries (ACEs) are added).
- The Access Control List (ACL) of the default Computers container for the domain can be edited to delegate the correct permissions. Alternatively, an OU can be created and its ACL edited to grant the Create child – Allow permission. In this case, the /machineOU parameter needs to be added to the djoin /provision command.
4. Offline Domain Join has specific AD requirements
Many people believe Offline Domain Join has specific requirements in terms of Domain Controller Operating System level, Domain Functional Level (DFL) and Forest Functional Level (FFL).
First of all, Offline Domain Join does not require a Domain Functional Level or Forest Functional Level. Offline Domain Join can be used in any Active Directory environments, but djoin.exe is only available on Windows Server 2008 R2, Windows Server 2012, Windows 7, Windows 8 and Windows RT. You will need to perform the djoin.exe commands from machines running these Operating systems.
The availability of djoin.exe on Windows RT is a mystery to me too.
If your environments feature Domain Controllers running versions of Windows Server earlier than Windows Server 2008 R2, you will need to add the /downlevel command line switch.
3. Offline Domain Join is utterly useless in real life
Microsoft has excluded a lot of functionality to keep a level of security to this solution. Therefore, a user cannot log on to an offline joined computer with a domain account before the computer has seen a Domain Controller. Sure, this poses a challenge.
In Windows 8 and Windows Server 2012, Offline Domain Join was significantly improved. Offline Domain Join really proves its worth with the ability to offline provision DirectAccess clients with certificates and group policies.
2. Offline Domain Join blobs are encrypted
Although, Offline Domain Join blobs are not human-readable, these files are not encrypted. They are merely encoded. You can easily decode them to a more human-readable format, without a password. … and if you can, so can anyone else.
When you Offline Domain Join a computer, on both the Domain side and the computer side, a computer password is set to match. The password for the computer account could be exposed on the computer side by decoding the blob, as shown here. It then can be used for malign purposes on the domain side. But, this is also true for regularly domain-joined computers for the same reasons. Point is you should monitor for unused computer accounts (read: computer accounts that have not changed their computer account password recently).
I feel Offline Domain Join, by default, is more secure than the domain join procedures of older Windows clients, because the first time an offline joined computer sees the domain it resets its computer account. Previously, regularly domain-joined Windows installations only trigger to change their passwords after 30 days, by default.
1. Offline Domain Join is hardly used
It’s true not a lot of companies are actively deploying workstations using a process that actually incorporates an offline ODJ. When you look at the log file for a domain join operation, you will see that, actually, every domain join is an offline domain join, streamlining the communication between Domain Controller(s) and clients.
As you might know, I work together with the fantastic people at the Dutch Microsoft subsidiary in a team to help them achieve the maximum amplification of their IT Professionals content. One of the goals we set, was to get people to use the Microsoft Virtual Academy (MVA).
Microsofts Virtual Academy allows you to get up to speed fast with Microsofts newest technologies and products through free courses in an awesome web-based format, including ranking per country and timeframe. Points can be earned with every webpage visited, video watched, event attended, assessment taken and course completed.
Since I was one of the earliest Dutch people using the Microsoft Virtual Academy, I’ve seen people move into ranking positions. I thought it would be fun to get to know the highest ranking Dutch people on the Virtual Academy, and so I proposed to interview them for the Dutch Microsoft TechNet newsletter. Dutch In the past three months I have travelled through the Netherlands to meet the five highest ranking Dutch students and to get them to tell something about themselves and the Microsoft Virtual Academy.
For the first interview, I choose someone who was geographically close to me. In this case, the person was sitting at the opposite side of the same desk at my employer. At the time of our interview (December 2012) Ad Hendricks was the highest ranked student in the Microsoft Virtual Academy. The TechNet newsletter that featured his interview was about Windows 8, so in our interview we focused on the new deployment features and, of course, the Virtual Academy. Listen to the interview with Ad Hendricks (5min33) here. Dutch
The second person I interviewed also was someone I’ve known for quite a while. Patrick Keijzer used to be a colleague for years, before he moved on to globally roll out Lync to thousands of seats at a large international company. The TechNet newsletter with this interview had a lot of Office content, so Patrick and I chatted about Office and the Virtual Academy in this interview. Patrick clearly outlines how the Virtual Academy helps him to keep connected to new technology when your daily tasks have evolved into (project) management. Listen to the interview with Patrick Keijzer (7min17) here. Dutch
After the usual suspects, I went to see James T. Olaniyi. Working at the Dutch Ministry of Finance, James uses the Virtual Academy to boost his technical knowledge on Microsoft technologies to provide the best business advice on how to implement these. Without the Virtual Academy, System Center Configuration Manager would have still been underused at the Dutch government. Listen to the interview with James T Olaniyi (5min53) here. Dutch
In the time between the first interview and the interview with Frank Kurvers, Frank overtook Ad as the highest ranking student. I met up with Frank at his employer and we talked for almost 8 minutes on System Center Operations Manager. Just like Ad, Frank spends many nights on the Microsoft Virtual Academy website to learn about the newest technology. Listen to the interview with Frank Kurvers (7min57) here. Dutch
After a TechNet newsletter without an interview in this series, the upcoming Dutch TechNet newsletter will feature the last of the five highest ranking Dutch Microsoft Virtual Academy students: me. Jaap Bloem, our newsletter editor and research director at Sogeti, interviews me on this series, my view on the Virtual Academy and my session for TechDays Netherlands 2013. Listen to my interview (7min26) here. Dutch
Some nice tidbits on these interviews:
- The last interview has not been published in the TechNet newsletter yet. It will feature in the TechNet newsletter that will be sent in the last week of February.
- The first four interviews were recorded with a Røde microphone. Unfortunately this microphone was unavailable for the last interview. This interview was recorded with my Nokia Lumia 920. I can’t hear a difference in sound quality…
- All interviews are recorded in one take. In the interview with Frank Kurvers the volume of Franks voice was cranked up. This was the only edit deemed necessary.
- All interviews required several takes.
In Windows Server 2012, the Active Directory team has consciously blocked some Server Roles and Features from coexisting with the Active Directory Domain Services Role. Two months ago, I blogged on the incompatibility between the Fail-over Cluster Feature and the Active Directory Domain Services Role in Windows Server 2012. Earlier, I blogged on the incompatibility between the DirSync Tool and Active Directory Domain Services and Active Directory Federation Services.
Today, because of a new Microsoft KnowledgeBase article, titled Remote Desktop Services role cannot co-exist with AD DS role on Windows Server 2012, the Remote Desktop Services (RDS) Connection Broker can be added to the list of incompatibility with Active Directory Domain Services on the same Windows Server 2012 installation.
When you try to install the Remote Desktop Connection Broker (available as a Role Service for the Remote Desktop Services Role) on a Windows Server 2012-based Active Directory Domain Controller, it will fail rather cryptically. In the event log of this server, however, you will find a more specific error:
Additionally, if you try to promote a Windows Server 2012 installation with the Remote Desktop Connection Broker to an Active Directory Domain Controller, the Remote Desktop Connection Broker may fail and you may receive the following error message:
The server pool does not match the RD Connection Broker that are in it. Errors:
Cannot connect to any of the specified RD Connection Broker servers. Ensure that at least one server is available and the Remote Desktop Management (rdms), RD Connection Broker (tssdis), or RemoteApp and Desktop Connection (tscpubrpc) services are running.
Related KnowledgeBase article
2799605 Remote Desktop Services role cannot co-exist with AD DS role on Windows Server 2012
64bit Directory Synchronization Tool is here
Office 365 Management Portal Directory Synchronization
Active Directory in Hyper-V environments, Part 8
Microsoft is getting ready to release Internet Explorer 10 for Windows 7 and Windows Server 2008 R2. Internet Explorer 10 is built into Windows 8 and Windows Server 2012 by default and Microsoft vowed to bring it to Windows 7 and Windows Server 2008 R2 too. The latest available version of Internet Explorer will be delivered as a Windows Update soon.
Your enterprise web based application may be affected by the new Internet Explorer or its new security features. When this is the result of testing your application, you might decide not to deploy Internet Explorer 10. This blogpost shows you your options:
- The Graphical User Interface (GUI)
- The Internet Explorer 10 Blocker Toolkit
- Windows Server Update Services (WSUS)
The Graphical User Interface
If you are a an administrator of your machine and as soon as the Internet Explorer setup is downloaded you will have three options:
- Install: The installation procedure will start after the genuine windows check and the homepage, favorites and search settings will be kept.
- Do not Install: You will not be asked again to install Internet Explorer 10, however if you have admin privileges you can always use the optional update to install Internet Explorer 10 afterwards.
- Ask again later: The installation process will be canceled and the Automatic Updates will ask you again after 24 Hours.
IE10 Blocker Toolkit
Microsoft has now released the Internet Explorer 10 Blocker Toolkit to block automatic delivery of Internet Explorer 10 to machines in environments where Automatic Updates are enabled. It offers three ways to block Internet Explorer 10 indefinitely from your environment:
Through a script
The Toolkit to Disable Automatic Delivery of Microsoft Internet Explorer 10 comes with ie10_blocker.cmd. You can use the handy script to disable the delivery of Internet Explorer 10 through a machine startup script or perhaps a user logon script (if in the unlikely case you allow your users to be local administrators)
The script has the following command-line syntax:
IE10_Blocker.cmd [<machine name>] [/B] [/U] [/H]
Using the /H or /? switch will help you further in your scripting quest. Don't worry if you mess up: the script can be run multiple times on the same machine without any problem.
Through the registry
The IE10_Blocker.cmd script in the Toolkit to Disable Automatic Delivery of Internet Explorer 10 creates a registry key and sets the associated value to block or unblock (depending on the command-line option used) automatic delivery of Internet Explorer 10 on either the local machine or a remote target machine:
- When the key value name is not defined, distribution is not blocked.
- When the key value name is set to 0, distribution is not blocked.
- When the key value name is set to 1, distribution is blocked.
You can create this registry setting manually too, if this is a more appropriate method for your environment.
Through a group policy
When you’re a fan of Group Policy (like I am) the Toolkit offers to disable the automatic delivery of Internet Explorer 10 with a custom *.adm file.
The custom *.adm file from the Toolkit only offers a Computer setting; there is no Per-User setting.
To use the custom *.adm file, open up the Group Policy Editor, open the Computer Configuration node, then the Policies node and finally right-click the Administrative Templates node. Select Add/Remote Templates… from the context menu. Click Add… and browse to the folder where you extracted the Toolkit. Select IE10_blocker.adm and click Open. Click Close.
Navigate to Computer Configuration, then Administrative Templates, then Classic Administrative Templates, Windows Components, Windows Update and finally Automatic Updates Blockers v3.
Here, you’ll find a Group Policy Setting named Do not allow delivery of Internet Explorer 10 through Automatic Updates:
Enable it, and then click OK. This will instruct computers to ignore the Internet Explorer 10 download. The only thing you need to do next, is to instruct your colleagues to do the same (but only the colleagues with administrative privileges on their computers).
Windows Server Update Services
In enterprise environments the tools of choice to control which updates get delivered to what (groups of) computers and servers are the free Microsoft Baseline Security Analyzer (MBSA), Enterprise Update Scan (EUS) tool, the free Microsoft Windows Update Services add-on to Windows Server, and of course Microsoft System Center Configuration Manager. Pick your tool of choice here.
Internet Explorer 10 might prove to break your mission-critical web based application. As a last resort you might decide to block Internet Explorer 10 from your Windows 7 and Windows Server 2008 R2-based networking environments.
You have plenty of tools at hand to defend your networks. Use them wisely.
Toolkit to Disable Automatic Delivery of Internet Explorer 10
Internet Explorer 10 Delivery through Automatic Updates
Internet Explorer 9 Blocker Toolkit Download
Internet Explorer 9 Blocker Toolkit FAQ
Explore Internet Explorer 10
Manage Internet Explorer 10
Microsoft inches closer to delivering Internet Explorer 10 for Windows 7
Microsoft introduced the VM-GenerationID in Windows Server 2012, to enable Virtual Machines (VMs) to notice when they’re snapshotted, restored and/or cloned. Active Directory is the first technology to put the VM-GenerationID to good use.
The following Hypervisors support VM-GenerationID:
- Windows Server 2012 Standard Edition (Hyper-V)
- Windows Server 2012 Enterprise Edition (Hyper-V)
- Hyper-V Server 2012 (Hyper-V)
- Windows 8 Professional (Hyper-V)
- Windows 8 Enterprise (Hyper-V)
- VMware Workstation 9.0
- VMware vSphere 5.0 with Update 4
- VMware vSphere 5.1
Posted on blogs.dirteam.com on January 22, 2013
New features in AD DS in Windows Server 2012, Part 13: Domain Controller Cloning
New features in AD DS in Windows Server 2012, Part 12: Virtualization-safe Active Directory
Windows Server 2012 VM-Generation ID Support in vSphere
Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100)
Virtual Domain Controller Cloning in Windows Server 2012
Virtualized Domain Controller Architecture
Virtualize your Windows Server 2012 domain controllers
Virtualization-Safe Active Directory in Windows Server 2012
Cloning Virtual Domain Controllers in Windows Server 2012
I’m very excited to announce I’m listed to speak on the TechDays event, hosted by Microsoft Netherlands on March 7 and March 8, 2013 at the World Forum in The Hague.
About TechDays NL 2013
TechDays is an international series of Microsoft events, hosted by Microsoft subsidiaries around the world. Microsoft Netherlands, this year, has decided to make the event a 2-day event, filled with both IT Professionals and Developers content.
Together with the Belgian subsidiary, which is running the Belgian TechDays event on March 6 and March 7, 2013 at the Kinepolis filmtheatre in Antwerpen, Microsoft Netherlands has arranged for several highly rated international speakers, like John Craddock, Bryon Surace, Chris Jackson, Daniel Pearson,Johan Arwidmark, Vijay Tewari and Paula Januszkiewicz to present sessions, next to our own heroes Maarten Goet, Ronald Beekelaar, Ruben Spruijt, Steven van Houttum, Jeff Wouters, Kenneth van Surksum, Roel van Bueren and Alex De Jong.
About my session
My session, titled ‘Two of a kind: Virtualization-safe Active Directory & DC Cloning’ is a one-hour session on Active Directory Domain Services in Windows Server 2012. Specifically, I will be explaining and demoing the way Active Directory Domain Services leverage VMGeneration-ID to prevent problems commonly associated with reverting snapshots, like USN Rollbacks and Lingering Objects, and how organizations benefit when deploying Windows Server 2012-based Domain Controller virtually.
My session is planned in the first timeslot of the event, on March 7, 2013 between 9:15 AM and 10:30 AM.
Will I see you there?
New features in AD DS in Windows Server 2012, Part 13: Domain Controller Cloning
New features in AD DS in Windows Server 2012, Part 12: Virtualization-safe Active Directory
TechDays NL - Speaker Bio Sander Berkouwer Dutch
TechDays NL - Session abstract Two of a kind: Virtualization-safe AD & DC Cloning Dutch
TechDays NL - Making PowerShell sexy
On October 6, 2011 I wrote about the updated Active Directory Domain Services Management Pack for System Center. Then, it was updated to version 6.0.7670.0. Today, I want to point you to another big update for the Active Directory Domain Services Management Pack for System Center: the 6.0.8070.0 update
About System Center Operations Manager
With Microsoft System Center Operations Manager (SCOM) you can leave the monitoring and alerting to software in a confident, fast and robust way. Now you can simply create an availability or replication bandwidth report by pressing a single button. No longer do you have to follow tedious routines to check up on your servers: The products in the System Center were created to do those things for you. Before Operations Manager became a part of the System Center family, it was known as Microsoft Operations Manager (MOM).
System Center Operations Manager (SCOM) comes with the basic set of monitoring tools to monitor Windows Servers. These basic monitoring capabilities can be extended using Monitoring Packs for specific Server Roles and Server Products. Even more, Operations Manager features an extensibility framework to allow any 3rd party developer to write Monitoring Packs. Packs have been written to manage UPS’s and even Linux hosts. Of course, monitoring is of little use in big environments with repeating errors, so System Center Operations Manager is designed to work together with the other members of the System Center family of products, like System Center Configuration Manager (formerly known as SMS Server) and System Center Orchestrator (formerly known as Opalis).
About the Active Directory Monitoring Pack
Active Directory Domain Services is a Server Role in Windows Server and Microsoft has deemed it fit to have its own Monitoring Pack. Even more, Microsoft has dedicated valuable time to actively maintain the Monitoring Pack for Active Directory.
The version of the Active Directory Monitoring Pack, released on January 17th, 2013, is 6.0.8070.0 and is the seventh version of the Monitoring Pack since it’s original version (6.0.5000.0).
This update is conveniently referred to as the December 2012 revision.
What’s new in this release?
This release focuses fixing problems reported by customers. The accompanying guide mentions:
- Added Windows Server 2012 Support
- Product Knowledge improvements
- Client Monitoring alerts identify problematic Domain Controllers in the description.
- Inter-domain trust alert identifies which trust is broken in the alert description.
- More specific action recommendations added to alert for “Could not determine FSMO role holder” and alert for “Domain Controller’s Ops Master is inconsistent.”
- KnowledgeBase article information added to alert for “The Active Directory database is corrupt.”
- KnowledgeBase article information added to alert for “Two replication partners have an inconsistent view of the FSMO role holders.”
- Some rules with names that begin “Client Side script…“ but were not actually executed by client-side monitors were renamed.
- More specific action recommendation added to description for Event ID 1000.
- Excessive alert fixes
- A duplicate alert that appears when a computer authentication fails was removed.
- Repetitive alerts for UserEnv and Netlogon were replaced with a single alert that includes a count of the number of occurrences.
- The alert for the number of allowable replication partners was increased from 100 to the maximum number of replication connections.
- The alert of FSMO role holder availability was refined so that it is issued less frequently in cases where operations master role holder is temporarily unavailable.
- Active Directory processor overload monitor was removed because it duplicates an existing monitor in the operating system management pack.
- Duplicate alerts for KDC errors and trust verification failures were removed.
- Informational alert was disabled for rule “The default security settings for the NTFS file systems have not been applied to Active Directory directory folders.”
- Script error fixes
- Multiple script errors were fixed to improve Active Directory site topology discovery, DNS verification, operation master role discovery, and other improvements.
- Rule error fixes
- Multiple rule errors were fixed to improve error handling, event logging, and server state reporting.
You can download the update here.
New Version: Active Directory Domain Services Management Pack for System Center
[OpsMgr 2007 R2] Active Directory Domain Services Management Pack for System Center
MP versions and release dates
[SCOM] Mise à jour (6.0.8070.0) du pack d’administration Active Directory
Active Directory Domain Services Management Pack for System Center 6.0.8070.0
Being on the Windows Phone bandwagon since Windows Phone 7 and enjoying my Generation 1 chassis (the Samsung Omnia 7) every day, It wasn’t hard deciding what Phone Operating System I wanted on my next phone.
Enticed by its build quality, its 8.7 megapixel photo camera with superb night view, its super sensitive 1280x768 4.5 inch diagonal screen you can touch even with your gloves on, its wireless charging capabilities and its 32GB onboard memory, I fell for the Nokia Lumia 920:
However, I couldn’t get myself to purchase a white one. After seeing many white HTC phones get really dirty in the bumped edges and envisioning having white peripherals (like the wireless charging pad) gathering dust, I bought a black one. Conservative, yes.