The things that are better left unspoken

Active Directory Domain Services Command Fu, Part 1

Sander Berkouwer — Thu, 11 Mar 2010 14:04:41 GMT

As some systems administrators have already found out, on Microsoft Windows Servers some tasks cannot be performed using the Graphical User Interface (GUI). Although multiple vendors have released graphical tools to make these tasks ~~even more tedious~~ easier for the typical click-on-through Windows Admin, these tasks can easily be performed using the built-in command tools. Also, some queries for information using the built-in graphical tools can result in numerous clicks, ending with information scattered throughout management consoles and screens.

I think every self-respecting Active Directory Domain Services Admin should know the command-line equivalents of 3rd party tools or needlessly complex click sequences.

Even when you’re comfortable using them, it wouldn’t hurt to show off some Active Directory Domain Services Command Fu, would it? Then again, only the more advanced stuff in Active Directory Domain Services is hidden from plain sight. Unless you’re aiming on using ldp.exe or adsiedit.msc all the time to hack your way through your Active Directory jungle and if you’re truly aiming for that senior Active Directory admin position, you should keep reading!

So, to kick off this series, the following three Active Directory Domain Services management tasks, applicable to all current Domain and Forest Functional Levels, cannot or cannot be easily performed using the built-in Graphical User Interface (GUI), but instead rock on the command line!

Creating custom application partitions

Command-line tool to use:

dnscmd.exe

ntdstuil.exe

Replication in Active Directory is controlled through application directory partitions. An application directory partition is a directory partition that can be used to replicate changes only to specific domain controllers. Application directory partitions are particularly useful when controlling the Domain Controllers to which you want to replicate Active Directory-integrated DNS Zones, since some companies have requirements beyond the DomainDnsZones and ForestDnsZones application partitions available by default.

Tip!
To gain access to dnscmd.exe on a Windows 2000 Server you need to install the Resource Kit tools. a separately downloadable dnscmd.exe for usage on Windows 2000 Server is available here.

However, creating custom application directory partitions cannot be done using the Graphical User Interface (GUI). You will need to create a custom application directory partitions using dnscmd.exe /createdirectorypartition first, before you can change the replication scope of DNS to it.

While that last part can actually be performed using the Graphical User Interface, you can also use dnscmd.exe /enlistdirectorypartition to complete the task on the command line.

Alternatively, you can also use the built-in commands within the domain management context in ntdsutil.exe to delete or create directory partitions and add or remove replicas to or from the directory partition.

More information on custom application partitions:

Quering Group Policy Replication Health

Command-line tool to use:

gpotool.exe

Group Policy Objects (GPOs) typically consist of a Group Policy Container (stored within Active Directory under CN=Policies,CN=System,DC=Domain,DC=tld) and a Group Policy Template. (stored within the System Volume, SYSVOL in the Policies file folder)

When replicating the versions of the Group Policy Container (GPC) and Group Policy Template (GPT) might get skewed. When the version numbers don’t match, the Group Policy doesn’t get applied.

While you can check the versions and health of the Group Policy Object (GPO) using the Group Policy Management Console (GPMC) where you’d check the version tab, the GPMC is a download on most downlevel versions of Windows Server.

Using the Group Policy Verification Tool (gpotool.exe) you can check the health of Group Policy Objects (GPOs). Going one step further, using gpotool.exe with the /verbose switch, adds version information to the output.

Tip!
For Windows Server 2003, the Group Policy Verification Tool is part of the Windows Server 2003 deployment Tools. For Windows 2000 Serer, the Group Policy Verification Tool is part of the Windows 2000 Resource Kit.

More information on the Group Policy Verification tool:

Editing advanced trust properties

Command-line tool to use:

netdom.exe

Active Directory Domains and Trusts, to most, are the stuff of acquisitions,mergers and worlds of distrust between groups of admins. I don’t want to diverge much in the wonderful world of trusts, but I do want to talk about editing two trust-related properties, that are essential to restructuring Active Directory forests using the Active Directory Migration Tool (ADMT):

SID Filtering
SID History

SID History is an attribute for an Active Directory object that may contain a SID, the object used to have in a former Active Directory forest or domain. You can fill the sIDHistory attribute using the the Active Directory Migration Tool (ADMT) or manually. With the sIDHistory attribute, the object may bypass Access Control Lists (ACLs).

By default on Windows Server 2003 and onwards, sIDfiltering quarantining is turned on for Active Directory external trusts. This means, the SIDHistory attribute for a user is filtered out and discarded. When creating a trust from a Pre-SP4 Windows 2000 Server-based Domain Controller you will need to enable sIDfiltering manually if you want to use it.

Note:
Performing the commands below to enable SID History and disable SID Quarantining may post a security risk. When an attacker manually fills the sIDHistroy attribute, the attacker may gain unauthorized rights over the trust.

To disable SID Filtering quarantining and enable SID History use the following commands:

Netdom trust TrustingDomain.tld /domain: TrustedDomain.tld
/quarantine:No

Netdom trust TrustingDomain.tld /domain: TrustedDomain.tld
/enableSIDHistory:Yes

More information on Active Directory trusts:

Presenting for Hyper-V.nu (again)

Sander Berkouwer — Fri, 26 Feb 2010 09:45:43 GMT

On Wednesday March 3, 2010 Hyper-V.nu (the Dutch Hyper-V Community) organizes another meeting for Dutch Hyper-V enthusiasts. This time, they’re partnering with Nobel for the location, food and drinks.

About the event

The event will be held at Nobel at Gooimeer 18 in Naarden, the Netherlands from 9AM to 4PM. The website for the event is currently located at the frontpage of hyper-v.nu, but Nobel also has a nice page with information. Attending the meeting is free of charge. No such thing as a free lunch? Apparently, there is one… and it’s accompanied by free drinks after the event.

The agenda looks like this:

09:30 – 10:30	Microsoft Enterprise Desktop Virtualization (Ment van der Plas, Login Consultants, App-V MVP)
10:30 – 11:30	Active Directory and Hyper-V (Sander Berkouwer, OGD, Directory Services MVP)
11:45 – 12:45	Data protection in a Hyper-V R2 Virtual Environment (Hans Vredevoort, Nobel, Cluster MVP)
13:30 – 14:30	Exchange 2010 testing under Hyper-V R2 (Jaap Wesselius, DM Consultants, Exchange MVP)
14:30 – 15:30	Hyper-V R2 Clusters and HP Servers and Storage (Bert de Reus, Nobel)

My presentation

I’ll be providing a 60 minutes presentation on virtualizing Domain Controllers with Hyper-V.
This blog has seen some exposure on the subject already. All this stuff was covered in the following blogposts:

I think it’ll be fun, though, to actually break some Active Directory Domain Controllers using Hyper-V and System Center Virtual Machine Manager features, like cloning, snapshots, time synchronization and Online Physical to Virtual (P2V) migrations…

I hope to see you there!

Previous gigs with Hyper-V.nu

You might remember I gave a demo for Hyper-V.nu last November. In forty-five minutes I converted a couple of Hyper-V Server 2008 R2 boxes into a live migration Hyper-V R2 solution to deliver the message that building a live migration cluster with Hyper-V Server 2008 R2 boxes isn’t that difficult.

I had a great time and I guess the organization thought so too, because I’m back!
(after Alex Smits unfortunately double booked his agenda and backed out)

10 years of Active Directory

Sander Berkouwer — Wed, 17 Feb 2010 15:02:48 GMT

While last year, Jorge mentioned the 10 year anniversary of a production deployed Active Directory domain, today DirTeam is celebrating the 10 year anniversary of Active Directory as a released product.

The first deployed Active Directory domain

According to Brian Puhl, on April 9, 1999 the Domain Controllers for the redmond.corp.microsoft.com Windows NT4-based domain were upgraded to a pre-release version of Windows 2000 Servers and thus became an Active Directory domain. Of course, today this domain is serviced by Windows Server 2008 R2 Domain Controllers and running the Windows Server 2008 R2 Domain Functional Level…

Active Directory release

The introduction of Active Directory to the world was part of the release of Windows 2000 Server on February 17, 2000. At the launch event, Bill Gates ushered in the Next Generation of PC Computing. Today, this is 10 years ago.

Windows 2000 Server, today is still supported by Microsoft. Although, since June 30, 2005 Microsoft is only releasing security hotfixes for Windows 2000, the extended support period ends on July 13, 2010.

Are you still running Windows 2000 Server-based Domain Controllers?
You have less than 5 months to migrate to a newer version of Windows Server and experience the many benefits in Active Directory!

Server Core Roles and Features in 2008 R2

Sander Berkouwer — Wed, 03 Feb 2010 13:36:24 GMT

Server Core installations are versatile, secure and highly-optimized installations of Windows Server. Dubbed ‘Windows without Windows’ by some, these installation in Windows Server 2008 R2 are capable of providing more (infrastructural) services than ever! Just like Full installations of Windows Server 2008 R2, depending on the edition of your choice, or budget, the Server Roles and Features installable on a Server Core installation, vary, though.

The table below shows the individual roles and features in fresh Server Core installations of Windows Server 2008 R2, Web (column 1), Standard (column 2), Enterprise (column 3) and Datacenter (column 4) edition. It also lists the Server Roles features in a fresh installation of the special-purpose Hyper-V server 2008 R2. (column 5):

Server Roles and Features	W	S	E	D	H
Active Directory Certificate Services
Certificate Authority
Active Directory Domain Services
Active Directory Domain Controller
Active Directory Lightweight Domain Services
DHCP Server
DNS Server
File Services
File Server
Distributed File System
DFS Namespaces
DFS Replication
File Server Resource Manager
Services for Network File System
Branchcache for network files
Hyper-V
Print and Document Services
Print Server
LPD Service
Remote Desktop Services
Remote Desktop Virtualization Host
Web Server (IIS)
Web Server
Common HTTP features
Static Content
Default Document
Directory Browsing
HTTP Errors
HTTP Redirection
WebDAV Publishing
Application Development
ASP.NET
.NET Extensibility
ASP
CGI
ISAPI Extensions
ISAPI Filters
Server Side Includes
Health and Diagnostics
HTTP Logging
Logging Tools
Request Monitor
Tracing
Custom Logging
ODBC Logging
Security
Basic Authentication
Windows Authentication
Digest Authentication
Client Certificate Mapping Authenti…
IIS Client Certificate Mapping Auth…
URL Authorization
Request Filtering
IP and Domain Restrictions
Performance
Static Content Compression
Dynamic Content Compression
Management Tools
IIS Management Scripts and Tools
Management Service
IIS 6 Management Compatibility
IIS 6 Metabase Compatibility
IIS 6 WMI Compatibility
IIS 6 Scripting Tools
FTP Server
FTP Service
FTP Extensibility
IIS Hostable Web Core
.Net Framework 2.0 Features
.Net Framework 3.5.1 Features
.Net Framework 3.5.1
WCF Activation
HTTP Activation
Non-HTTP Activation
Background Intelligent Transfer Service (BITS)
Compact Server
BitLocker Drive Encryption
BranchCache
Failover Clustering
MultiPath I/O
Network Load Balancing
Quality Windows Audio Video Experience
SNMP Services
SNMP Service
Subsystem for UNIX-based Application
Telnet Client
Windows Process Activation Service
Process Model
.NET Environment
Configuration APIs
Windows Server Backup Features
Windows Server Backup
Command-line tools
Windows PowerShell
Windows PowerShell Cmdlets
Windows Server Migration Tools
WinRM IIS Extension
WINS Server
WoW64 Support
WoW64
WoW64 for .NET Framework 2.0 and Win…
WoW64 for .NET Framework 2.0
WoW64 for Windows PowerShell
WoW64 for .NET Framework 3.0 and 3.5
WoW64 for Print Services
WoW64 for Failover Clustering
WoW64 for Input Method Editor
WoW64 for Subsystem for UNIX-based ap…

red, unavailable green, available for installation gray, installed by default

Note:
While some Server Roles and Features are available in multiple editions of Windows Server, the specific capabilities of the roles may vary between editions.

How to get going with PowerShell in Server Core R2

Sander Berkouwer — Tue, 02 Feb 2010 15:31:33 GMT

Server Core installations of Windows Server 2008 R2 and installations of Hyper-V Server 2008 R2 offer Windows PowerShell. A lot has been written on the geekiness of PowerShell, how it wasn’t included in Server Core installations of Windows Server 2008 R2 and how you could enable it anyway. The question however is, how do you get started with using PowerShell in Server Core?

This blogpost shows you how to install PowerShell, how to start it up and issue some basic commands.

Installing PowerShell

To install Windows Powershell on a Server Core installation of Windows Server 2008 R2, issue the following three commands:

dism /online /enable-feature /featurename:NetFx2-ServerCore
dism /online /enable-feature /featurename:MicrosoftWindowsPowerShell
dism /online /enable-feature /featurename:ServerManager-PSH-Cmdlets

These commands will install the .Net Framework 2.0 binaries. This is a package, Windows PowerShell depends on. After you’ve successfully installed the .Net Framework you can install Windows PowerShell. Use the last command to be able to use the built-in PowerShell cmdlets for Server Manager.

Note:
The above commands are case sensitive.

If you also need 32bit support in Windows Powershell, also issue the following two (again: case sensitive) commands:

dism /online /enable-feature /featurename:NetFx2-ServerCore-WOW64
dism /online /enable-feature /featurename:MicrosoftWindowsPowerShell-WOW64

Tip!
You don’t need to install the base Windows on Windows (WoW) 64 package into a Server Core installation of Windows Server 2008 R2. This package is installed by default.

Starting PowerShell

To start using PowerShell you need to start it up. For some strange reason the path where PowerShell resides is not added to the %PATH% variable after installing, so you need to drill down to it, before you can start PowerShell.

Use the following commands:

cd C:\Windows\system32\WindowsPowerShell\v1.0
powershell

Now PowerShell is started. (Congratulations! )

Showing off PowerShell

One of the strongest examples of the strength of PowerShell is the ability to add and remove Server Roles and Server Features, without the need to worry whether you’re typing them right. (remember, the dism.exe command is case-sensitive)

for instance, on the PowerShell you can use the following command to install the Windows on Windows (WoW) 64 support for .Net Framework 2.0:

PS > enable-windowsfeature netFX2-ServerCore-WoW64

Also, one of the nice benefit of using the get-windowsfeature PowerShell cmdlet is you get the hierarchy, instead of the long list of Server Roles and Features you get when you use dism /online /get-features. See for yourselves, when you execute the following command:

PS > import-module ServerManager
PS > get-windowsfeature

New gear

Sander Berkouwer — Mon, 01 Feb 2010 15:54:00 GMT

I’ve used a Dell Latitude D630 laptop for the past 13 months. It’s been my loyal companion on two Tech·Eds, a MVP Summit, at least a dozen demos and presentations and has been with me to work with various customers. This device is equipped with an Intel Core 2 Duo T8100 processor, 4GB RAM, a 14,1” 1440x900 screen, Dell integrated WiFi and Bluetooth, a 9cell battery and a 160GB hard drive (fourth one).

This device now shows some remarkable traces of use, most notably a couple of cracks in the body and screen bezel, a row of dead pixels half way up the screen and a dent in the keyboard somewhere around the enter key. It also sounds a distressed ‘something’s wrong’ hardware beep once in a while…

It’s being replaced with:

a Dell Latitude E6500

A spanking new Dell Latitude E6500 in brush metal black with the following specs:

Intel Core 2 Duo P9700 (2,80 GHz) processor
15,4” WUXGA (1920x1200) LCD screen
8192 MB DDR2-800 RAM
250GB 7200rpm hard disk with free fall sensor
D-SUB & Display Port out
(with HDMI out through an optional cable)
eSATA port
USB Powershare port
(for charging USB devices when the laptop is off)
Integrated 2,0 Megapixel Webcam
8x DVD+/-RW drive
Wireless 370 Bluetooth
802.11a/b/g/n wireless networking
Integrated keyboard backlighting
6cell battery
3 years of Pro Support

Of course these specs are well above average, but some modifications need to be made (most of them to some of the accessories) to meet my needs. The 3-way power cord for instance doesn’t fit in the 230V socket in the back of the car and the privacy screen of the old laptop doesn’t fit on the new one. Also, I suspect my laptop bag to play a vital role in the damage done to the previous laptop, so I’m having that replaced as well.

A SSD drive is also on my wish list, but deemed too expensive at this point in time. I guess there's always room for improvement.

Re-awarded MVP

Sander Berkouwer — Sat, 02 Jan 2010 10:15:00 GMT

Being a Microsoft Most Valuable Professional (MVP) is a one-year gig. My first year as a Directory Services MVP started January 1, 2009. Since then I proudly displayed the MVP logo on the left hand side of my blog. From the Least Amount of Administrative Effort point of view, I was curious to find out whether I could keep the logo there.

With great pleasure I received the following e-mail today:

Congratulations 2010 Microsoft MVP!

Dear Sander Berkouwer,

Congratulations! We are pleased to present you with the 2010 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Directory Services technical communities during the past year.

The Microsoft MVP Award provides us the unique opportunity to celebrate and honor your significant contributions and say "Thank you for your technical leadership."

Toby Richards
General Manager
Community & Online Support

What a great way to start 2010!

7 Things to look for in Windows 7 PC Hardware

Sander Berkouwer — Fri, 18 Dec 2009 22:12:24 GMT

With Windows Vista amounting to a 31% market share in enterprise environments, many big companies will be making to switch from Windows XP to Windows 7 directly. In the eight years between their respective launches, a lot has changed in the world. Not just in the world we know, but also in the world of hardware. Windows Vista and Windows 7 support a lot of these new technologies and even build upon them to provide functionality not found in previous versions of Windows.

To benefit from some of Windows’ functionality you’ll need specific hardware. This post shows you the system specifications to look for in future standardized workstations and laptops. It may help you to determine whether those old crusty workstations will be prime targets for your Windows 7 deployment project…

1. Smooth operation

Windows XP is not a memory-hungry Operating System by todays standards. Running an Operating System smoothly with 512MB RAM is not something Windows Vista or Windows 7 pull off. But at least with Windows 7 you can get by with less RAM, to make a system open and manipulate Office files and have a couple of other applications open, compared to the 2GBs of RAM you’d need in a Windows Vista rig to get equal ratings on the quality of the IT environment from your colleagues.

Together with some colleagues I’ve performed my own tests and came to the following conclusions:

Windows 7 and 1GB RAM work together for light and medium office purposes
(2-6 applications open at the same time)
Most new PCs nowadays are sold with 2 GB RAM.

When you’re running more demanding programs, even on rigs with 2 GB RAM, you’re likely to run into a performance bottleneck. When Windows needs to allocate more RAM than is physically available, it will use the page file on the hard disk. Since disk storage is slower than RAM, this significantly hits performance. Adding RAM solves this problem.

Also, ReadyBoost, a feature that has been around since Windows Vista, can be used. Instead of using the page file on disk to expand RAM, first a file on a flash drive will be used. Flash drives are most commonly faster than disk storage. When using USB media, make sure it’s at least 256MB in size, USB 2.0 compatible and plugged into an USB 2.0 socket.

2. BitLocker Drive Encryption

Requires

a Trusted Platform Module (TPM) chip on the motherboard (version 1.2 or later), or USB support in the system BIOS
(and USB media you’re destined to lose…).
Windows 7 Enterprise
Optional: Active Directory schema update

One of the most promising features in Windows Vista Enterprise and Windows 7 Enterprise is the BitLocker functionality. In Windows Vista with Service Pack 1 and later it allows for encryption of the contents of the partitions on the hard disk. In Windows 7 it also allows for encryption of removable storage, which is called BitLocker-to-go. BitLocker can be enabled in many ways, but the most robust way requires a Trusted Platform Module (TPM) chip on the motherboard. The chip needs to be version 1.2 or later.

Without a suitable TPM chip BitLocker can only be used to encrypt the contents of the hard disk using a USB device, containing a startup key. This mode requires that the BIOS on the protected machine supports the reading of USB devices in the pre-OS environment, which would be an alternative system requirement to the TPM chip requirement.

An Active Directory schema update and accompanying tools are available to store recovery keys in Active Directory to allow central recovery of data on unbootable systems due to corrupted USB devices and messed-up TPM ownership.

3. Windows XP mode and MED-V

Requires

a CPU with
- Intel® Virtualization Technology or
- AMD-V™ features
Virtualization features enabled in the system BIOS
1,5 GB of additional hard disk space
512 MB of additional RAM
Windows 7 Professional, Windows 7 Enterprise or Windows 7 Ultimate

Recommended

Windows 7 licenses with Software Assurance and Microsoft Desktop Optimization Pack for Software Assurance (MDOP) licenses for large-scale deployments

For 100% 32bit Windows XP compatibility in Windows 7 Professional and Windows 7 Enterprise Microsoft offers a feature called Windows XP Mode. Leveraging the power of Windows Virtual Pc (the successor to Virtual PC 2007) it simultaneously boots up a virtualized and optimized instance of Windows XP. The built-in USB support allows the virtualized Windows XP instance access to USB devices, which can be used with legacy Windows XP drivers. Using the Application Publishing functionality, programs installed in the virtualized Windows XP instance show up in the Start Menu of the Windows 7 host.

Where Windows XP Mode can be used on an ad-hoc basis to address specific compatibility needs, Microsoft Enterprise Desktop Virtualization (MED-V) can be used for large-scale, centrally manageable deployments, when a Windows 7-compatible version of MED-V is released. (v1.0 SP1 should do the trick) and be part of the Microsoft Desktop Optimization Pack for Software Assurance (MDOP).

Microsoft Enterprise Desktop Virtualization (MED-V) is a compatibility solution based on policies to deploy, stream, secure, expire and update virtualized Windows installations on top of Windows Virtual PC. MED-V is based on technology from Kidaro, a 2008 Microsoft acquisition.

4. Multi Touch

Requires

a Multi Touch capable screen or touchpad
Windows 7, Home Premium, Professional, Enterprise or Ultimate.

Windows Touch has been around for a while now, and even had its own Windows edition in its heydays (Windows XP Tablet PC Edition). But the Touch interface as it’s found in Tablet PCs has had a major upgrade, with the arrival of Multi Touch functionality in Windows 7.

To take advantage of Windows Multi Touch, the computer needs to be equipped with a Multi Touch capable touchscreen or trackpad. Although, the multi touch touchscreen delivers the richest (Microsoft Surface-like) experience, a multi touch trackpad can also deliver the multi touch functionality needed for some business cases.

Note:
While Windows Multi-Touch offers capturing multiple concurrent touches, an application running on top of Windows will also need to offer this functionality.

5. Sleep

Requires

a Windows 7-compatible ACPI BIOS
Windows 7 compatible drivers
Windows 7 Home Basic, Home Premium, Professional, Enterprise or Ultimate.

One of the big and direct money-saving features in Windows Vista and Windows 7 is the way the computer will go to (hybrid) sleep when not used. Estimates on the impact of this feature, enabled by default, range from €60 per year per PC to comparing migrating Windows XP to Windows Vista or Windows 7 to cutting the emission of 10 average cars…

To stay asleep all connected devices need to work together. An USB mouse should not wake up the PC when the mouse is barely touched. To resume from sleep successfully, the BIOS of the PC should have a Windows 7-compliant ACPI, which means it should support ACPI revision 4.0, dated June 16, 2009.

6. DirectAccess

Requires

Windows 7 Enterprise or Windows 7 Ultimate
A server, installed with Windows Server 2008 R2, with two Network Interface Cards (NICs), configured as DirectAccess server and a member of the Active Directory infrastructure, placed on the perimeter network (also known as DMZ). One of the NICs of the DirectAccess server needs to be connected directly to the Internet, the other NIC needs to be connected to the intranet. On the DirectAccess server, at least two consecutive, public IPv4 addresses need to be assigned to the NIC connected to the Internet.
At least one server configured as a web server.
IPv6 connectivity on the corporate network (intranet) or a server configured with Microsoft Forefront Unified Access Gateway (UAG) configured as an IPv6/IPv4DNS and IPv6/IPv4NAT to provide access to IPv4-only hosts.
Active Directory infrastructure with at least one Domain Controller running Windows Server 2008 with Service Pack 2 or Windows Server 2008 R2.

Recommended

Active Directory Certificate Services recommended (certificates are required if the DirectAccess server needs to enforce client health)
Use of smartcards recommended, requiring a smartcard and smartcard reader per DirectAccess user.

Laptops and other domain-joined portables are hard to manage when they’re not connected to the corporate network. Also, in these situations, line of business (LOB) applications are unusable most of the time, except when a VPN or dial-up connection is in use.

With DirectAccess domain-joined computers can be connected to the corporate network whenever an Internet connection is available. There’s no need to VPN into the corporate network, since DirectAccess is configured centrally and settings are figured out automatically by the client.

When a computer is connected through DirectAccess, it is manageable. Group Policies can be used when the minimum amount of bandwidth is available. (slow link detection)

To make DirectAccess truly secure, use it in combination with Network Access Protection (NAP). For this to work you will need to work with certificates and the only truly secure way to store user certificates is to use smartcards. Many laptops have built-in smartcard readers. If you’re looking to deploy DirectAccess with vision, look for equipment with built-in smartcard readers (for laptops) or USB-attached smartcard readers (for desktops).

7. Future upgrades

Remember when Windows Server was a 32bit Operating System? With Windows Server 2008 R2 only 64bit versions of the Windows Server Operating System are available. Two questions remain at the end of the day when discussing Windows client upgrades:

Will the 32bit version of the next Windows client be a mainstream version in terms of software compatibility, software deployment and support?
Is there any reason not to deploy Windows 7 as a 64bit client in terms of software compatibility, software deployment and support in your current environment?

I guess the answer to the first question is ‘yes’. In most cases I think the answer to the second question is also ‘yes’, especially since some PCs already come with an amount of RAM not fully supported by a 32bit Windows client installation: 4GB.

If you’re looking to keep your options open for future upgrades, deploy 64bit installations of Windows 7. Remember though: 64bit Windows installations will only accept signed drivers.

Windows on Windows (WoW) in Server Core R2

Sander Berkouwer — Wed, 09 Dec 2009 22:54:39 GMT

As you’re probably aware Windows Server 2008 R2 is not available in a 32bit (x86) version. Only 64bit versions (both x64 and IA64) are available, but Microsoft happily provides 32bit Windows on Windows (WoW) support, so admins can install their favorite 32bit programs on top of their 64bit installations.

I’ve dedicated quite some blogposts to 64bit computing, its impact and its barriers, what it means for upgrading Windows Server and how my favorite server role benefits from 64bit computing. I’ve not discussed the way 64bit and Server Roles combine, so here it is.

About Windows on Windows 64-bits (WoW64)

WoW (Windows on Windows) technology offers backward compatibility between a processor architecture and one downlevel processor architecture. There’s a 32bit version of the WoW technology. It allows compatibility with 16bit applications. x64 versions of Windows since Windows XP and IA64 versions of Windows since Windows Server 2003 also have WoW onboard. This version allows to run 32-bit application in our 64-bit environments.

WoW offers backward compatibility with one previous architecture only. WoW in 32-bit Operating Systems can run (some) 16-bit applications and WoW in 64-bit Operating Systems can run 32-bit applications. The drawback is you cannot run any 16-bit applications on Microsoft's 64-bit Operating Systems.

About Server Roles and Server Features

Not every Windows Server is implemented in the same fashion. Therefore Microsoft has modularized most of the services a Windows Server can offer into Server Roles and Server Features. By adding a Server Role or Server Feature, an administrator can extend the services the server offers. Popular Server Roles are the File Server, Print Server and Application Server. Server Features aid Server Roles in delivering the services. The Failover Clustering feature in Windows Server Enterprise and Windows Server Datacenter for instance helps make a Server Role more redundant. Server Roles and Server Features can also be removed from a server, which will automatically delete the installed binaries, resulting in a more secure Operating System.

WoW as a Server Core Feature

With Microsofts ongoing strategy to further modularize the Operating System, it’s apparent Windows on Windows (WoW) became a Server Feature. With Microsoft Windows Server 2008 R2 being 64bit only, it’s a big plus the WoW functionality can be removed when unneeded or installed when needed.

Decision

When planning for Windows Server 2008 R2, the Server Core team had to decide between:

configuring Windows on Windows (WoW) as a Server Feature, installed by default.
configuring Windows on Windows (WoW) an optional Server Feature, allowing administrators to install it when they need 32bit support.

They decided to make WoW an optional feature and shipped as such as part of Windows Server 2008 R2 Beta.

Feedback

However, during the Beta period, the Server Core team received a lot of feedback on weird issues when administrators tried to install 64bit applications. Typically when installing a MSI package they would receive the following error message:

Error 1719. The Windows Installer Service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance.

When looking on the Internet for a resolution, typically they would find advice to reboot the system, reregister the Windows Installer service, start the Installer service (net start msiserver) and grant the System account "Full Control" permissions to the HKEY_CLASSES_ROOT hive of the registry. These actions would typically not result in a resolution of the problem.

Running the following command line before installing the application, however, resolved the problem:

Dism /online /enable-feature /featurename:ServerCore-WOW64

After installing the application the above command could be run again, but this time with enable-feature replaced with disable-feature.

Apparently the installer wasn’t a full x64 installer and according to Andrew Mason, Principal Program Manager on the Server Core team, the issue occurred often.

Change

For the Release Candidate of Windows Server 2008 R2, the Server Core team decided to enable the Windows on Windows feature by default. From that moment on Server Core installations followed the same approach to 32bit compatibility as Full installations do.

This decision helps to:

make Server Core a more predictable installation type, because Server Core installations and Full installation offer the same 32bit compatibility out of the box.
avoid confusion, because the error is a very generic error.
give Microsoft the opportunity to communicate to developers to take into account Windows on Windows (WoW) and 32bit backward compatibility is not a given in Windows anymore.
give Developers time to clean up their acts.

The only downside to this decision is the binaries involved with Windows on Windows (WoW) are installed by default, resulting in a bigger footprint, higher memory usage and some attack surface.

Concluding

In a x64 Server Core installation of Windows Server 2008 R2, the Windows on Windows Server Feature is enabled by default. This change was made between Windows Server 2008 R2 Beta and Windows Server 2008 R2 Release Candidate. The change was based on feedback.

You can uninstall the WoW Server Role by executing the following command:

Dism /online /enable-feature /featurename:ServerCore-WOW64

You do not need the WoW Server Role on Server Core installations of Windows Server 2008 R2 to be able to install and run the Domain Controller role. (This was a bug in pre-release versions of Windows Server 2008 R2)

On Hyper-V Server 2008 R2 installations, Windows on Windows 64 support is not installed by default. One might argue this is the first true 64bit-only Microsoft Operating System

Route 64
64bit-only Windows Server is good for Active Directory
Planning on upgrading to Windows 7 or Windows Server 2008 R2?

A Curious Change in Default Password Policies

Sander Berkouwer — Mon, 07 Dec 2009 12:52:23 GMT

After releasing the whitepaper on Remotely Managing Server Core boxes, I received a message from a colleague. He claimed the following sentence on page 5 of the Whitepaper to be faulty:

After you first install Windows Server 2008, in either a full or Server Core installation, you are required to change the Administrator password to a password that meets the complexity requirements.

After investigating the issue, I concluded he’s right, although there is a longer story to it.

The above sentence is right for default installations of Windows Server 2008 RTM (with Service Pack 1), but is no longer valid for default installations, using Service Pack 2 slipstreamed media. This behavior applies to both Full and Server Core installations.

Let me explain.

Behavior in Windows Server 2008 RTM (with Service Pack 1)

When you log on the first time to a default Server Core installation of Windows Server 2008 x64 RTM (with Service Pack 1) the new password administrator password must meet complexity requirements. When you enter a simple password or attempt to use a blank password, the following error message is shown:

Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.

After supplying a strong password as the Administrator password (P@ssw0rd and Manage123 would both suffice), the same error and some tips are shown each time you try and change the password from the command line or using the Graphical User Interface behind Ctrl+Alt+Del.

Behavior in Windows Server 2008 with Service Pack 2

When you log on the first time to a default Server Core installation of Windows Server 2008 with Service Pack 2, you can change the administrator password to anything you’d like. If you’re not concerned with security you could even specify a blank password (by not supplying anything in both password fields)!

After logging in, you can change the password to anything you like…

Concluding

Somewhere along the line the default password policies in Windows Server 2008 were loosened. If you’d ask me, that’s not a good thing.

In Windows Server 2008 R2 RTM passwords must meet complexity requirements.

Used media

Operating System	Media code
Windows Server 2008 RTM (SP1)	x14-26714
Windows Server 2008 with integrated SP2	342336

Hyper-V.nu Meeting Action Shots

Sander Berkouwer — Tue, 24 Nov 2009 13:02:50 GMT

This morning I performed a ‘zero to live migration’ demo for the joined HP Netherlands, Hyper-V.nu (Dutch Hyper-V Community) meeting. You can find more information on this meeting on my previous blog post.

I brought my photo camera with me and asked Jaap Wesselius to take some pictures, while I showed some slides from a custom slide deck (in Dutch) and performed my demos for the audience (approximately 40 people).

Here are some of the pictures Jaap shot during the session:

With a big grin I explained what I was up to this morning. The unsuspecting audience had no idea. In the back is one the slides in the deck, titled “Purpose of the demo”, showing the environment. The red arrow shows the Live Migration stuff.

In the photo above, I explain the Failover Clustering feature in Windows Server 2008 R2 and how it helps to achieve high availability for Hyper-V Machines. Of course Cluster Shared Volumes (CSV) gets some attention too.

Jaap also shot a picture while I was performing some serious command-fu. In this picture I connect to one of my Hyper-V Server 2008 R2 nodes to add it to the cluster.

I had a great time!
(and I think I’ll bring along my photo camera more often)

Performing a Live Migration demo for Hyper-V.nu

Sander Berkouwer — Mon, 23 Nov 2009 12:38:15 GMT

On November 24, 2009 HP Netherlands and Hyper-V.nu (the Dutch Hyper-V Community) organize a special meeting. Between 9 AM and 12 AM several speakers will contribute to a deep dive into the possibilities in Windows Server 2008 R2 and the use of Microsofts desktop virtualization products. It’ll be fun hanging out with Jaap Wesselius and Hans Vredevoort, the guys behind Hyper-V.nu.

About the event

The event will be held at HP Netherlands at Startbaan 13, Amstelveen. The website for the event is located at www.hp.nl/events. The Hyper-V meeting in the left hand pane. You can also use this deeplink. Attending the meeting is free of charge. No such thing as a free lunch? Apparently, there’s also a free lunch…

Demo

I’ll be performing a demo. Using three Dell Latitude E6500 laptops and a Gb switch, I will be setting up a Live Migration environment within 45 minutes.

Of course I’ll have my Active Directory Domain Controller and iSCSI targets available before I start, so it’ll be a piece of the proverbial cake to connect the two Hyper-V Servers to the iSCSI box, manage disks, set up clustering, create a VM and live migrate it.

Cluster.exe, Diskpart.exe, various Microsoft Management Consoles (MMCs) and of course PowerShell will be shown during the demo, to provide a complete picture on the possibilities of Hyper-V Server 2008 R2 and Failover Clustering.

For those of you, that attended Tech·Ed Europe 2009 last week; Yes, indeed. I will be redelivering Joachim Nässlanders session. I pimped it in certain areas, but the goal and he core of the session remains. If you’re watching this blog closely, you should’ve already been able to pick up Joachim and I are becoming pretty good friends. Now all we need is a duo-session ;-)

Hope to see you there!

Tech∙Ed Europe 2009: Error 404 Wall not found

Sander Berkouwer — Sat, 14 Nov 2009 20:12:00 GMT

Tech∙Ed is over, but a couple of us is still in Berlin. We’re recuperating from clubbing and partying and planning to go sightseeing.

We went over the KaDeWe and ended up buying some nice souvenirs around the corner. Berlin this morning was great. Just like yesterday there was a little sun, a little rain, but overall a bit cloudy. Berlin in November is quite OK.

A text message from Tony inviting us over to Alexanderplatz for lunch was just what we needed though! Marien and I checked out of the hotel, got on the S-Bahn with all our luggage and went over there. Together with Tony, Daniel and Freena, we took over the local Subway. I don’t know how we did it, but we succeeded in scaring everybody off.

We ended up sitting in front of the Subway, when Tony (Hyper-T) and Daniel (Hyper-D)noticed some feet in the air. Sure enough, we were treated with a half-hour display of break dancing by five pretty cool, but obviously very well-trained dudes.

This was the way to end the week and Tech∙Ed Europe 2009. Despite being home for a week, despite the missing gear, despite the rain, despite places running out of beer two nights in a row and despite the horrendous amount of sleep deprivation, Tech∙Ed Europe 2009 was cool!

Tech∙Ed Europe 2009: Things to do in Berlin when you’re wasted

Sander Berkouwer — Sat, 14 Nov 2009 00:09:00 GMT

Last night the Dutch Country Drinks took their toll. Eventually I made it out of bed to attend some sessions, but the 9 AM session slot was a total write-off. I attended some later sessions though and heard the awful story of the missing gear.

Tech∙Ed Technical, Day 5

Last day of Tech∙Ed and I had some serious technical sessions to attend.

I attended a session by Aaron Margosis, who showcased the SysInternals suite of products. These can help troubleshoot pretty intense situations, where otherwise you’d be at a loss of what happened. I definitely picked up some tips and tricks here. Perhaps the track owner could offer Aaron Margosis the same option as John Craddock yesterday: Have two consecutive sessions ;-)

Goldrush

During the break I met up with Joachim. We were just typing away at our keyboards at a table in front of the SpecOps stand, when more and more people showed up wearing green SpecOps T-shirts. Apparently, SpecOps was giving away a gold bar, worth 3000 Euros.
I entered the competion earlier that week, but since I don’t win anything I didn’t bother with wearing the T-shirt or paying attention. I didn’t win, obviously.

Winding down

We stayed in Halls 3 and 4. These were the halls where the Community Lounge, the Technical Learning Center (formerly known as Ask the Experts) and all the booths of exhibitors were located. Marien and I talked to some more people and eventually left the venue.
At the hotel we grabbed our laptops and started blogging. At diner time we ate some food and continued blogging. I actually just saw a text message from Tony, inviting us to Club Week End, but I think it’s best to take it easy and fulfill the reputation of laidback people the Swedes tend to contribute to us.

We’re planning to leave the room by noon anyway and it’s a binging mess.
I don’t know how I’m going to stuff all the SWAG in my bag tomorrow, though…

The Server Core Updates Estimation, Revisited

Sander Berkouwer — Fri, 13 Nov 2009 16:47:15 GMT

Microsoft touts the smaller attack surface as one of the biggest benefits of using Server Core, compared to a Full installation of Windows Server 2008. Because a Server Core installation is optimized, it doesn’t include most of the vulnerabilities found in Full installations. A consequence of these optimizations is a Server Core installation might need fewer patches and possibly fewer reboots associated with installing these patches as well.

A year ago, roughly one year after the launch of Windows Server 2008, I analyzed the claim from Microsoft of a 40% reduction in Server Core applicable patches, compared to a Full installation. Before that I made fun of Secunia, but that’s another story ;-)

Andrew Mason, the Principal Program Manager for Server Core, at Tech∙Ed Europe 2009 this week shared his research on the amount of Server Core applicable patches and (most important) the amount of reboots involved with patching over the last two years.

I’ve placed the information he shared in the table below:

Scenario	Reduction of Patches	Reduction of Reboots
Accepting all applicable patches on Server Core	53%	67%
Applying only necessary patches on Server Core	68%	68%
Installing only critical patches on Server Core	62%	62%
Installing only necessary critical patches on Server Core	82%	82%

The scope of these values is based on:

These figures apply to a Server Core installation, without the Active Directory Domain Services, DNS Server, Print Server, Media Services, Telnet or Internet Information Services (IIS) roles installed. When these roles are taken into account the following table applies:

Scenario	Reduction of Patches
Accepting all applicable patches on Server Core	40%
Applying only necessary patches on Server Core	54%
Installing only critical patches on Server Core	44%

The difference between applicable patches and necessary patches is based on exploitability. Necessary patches are patches that apply to Server Core installations, because the affected files are on the disk of a Server Core installation but are not exploitable on Server Core installations. These are the updates containing the following information:

* Windows Server 2008 Server Core installation not affected. The vulnerabilities addressed by this update do not affect supported editions of Windows Server 2008 if Windows Server 2008 was installed using the Server Core installation option, even though the files affected by these vulnerabilities may be present on the system. However, users with the affected files will still be offered this update because the update files are newer (with higher version numbers) than the files that are currently on your system.

Examples of this category can be found on Jeremy Jameson’s blog here.

(Manually) Updating Server Core
(Automatically) Updating Server Core
Analyzing the Server Core Updates Estimate
Handling Server Core Roles and Features
Server Core patching benefits, as shown by Secunia

The things that are better left unspoken

Active Directory Domain Services Command Fu, Part 1

Creating custom application partitions

Quering Group Policy Replication Health

Editing advanced trust properties

Presenting for Hyper-V.nu (again)

About the event

My presentation

Previous gigs with Hyper-V.nu

10 years of Active Directory

The first deployed Active Directory domain

Active Directory release

Further reading

Server Core Roles and Features in 2008 R2

Further reading

How to get going with PowerShell in Server Core R2

Installing PowerShell

Starting PowerShell

Showing off PowerShell

Further reading

New gear

a Dell Latitude E6500

Re-awarded MVP

Congratulations 2010 Microsoft MVP!

7 Things to look for in Windows 7 PC Hardware

1. Smooth operation

2. BitLocker Drive Encryption

3. Windows XP mode and MED-V

4. Multi Touch

5. Sleep

6. DirectAccess

7. Future upgrades

Windows on Windows (WoW) in Server Core R2

About Windows on Windows 64-bits (WoW64)

About Server Roles and Server Features

WoW as a Server Core Feature

Decision

Feedback

Change

Concluding

Related Posts

Further reading

A Curious Change in Default Password Policies

Behavior in Windows Server 2008 RTM (with Service Pack 1)

Behavior in Windows Server 2008 with Service Pack 2

Concluding

Used media

Further reading

Hyper-V.nu Meeting Action Shots

Performing a Live Migration demo for Hyper-V.nu

About the event

Demo

Tech∙Ed Europe 2009: Error 404 Wall not found

Tech∙Ed Europe 2009: Things to do in Berlin when you’re wasted

Tech∙Ed Technical, Day 5

Goldrush

Winding down

The Server Core Updates Estimation, Revisited

Related posts

Further reading