Tomek's DS World

While ago I wrote short entry about adding new claim mapping to existing definition of identity token provider. After this post I got following comment from one of readers (good that I still have some of them here :) ):

When I run the powershell command it fails wit the following error: Add-SPClaimTypeMapping : Incoming claim types do not include claim type 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'

I had no time to dig into this issue since then but as it often happens I had to do this on my own – so here is part duex of this tip – what to do if You have new claim definition and You have to add it to SPS 2010 identity provider definition.

(cc) Tiger Pixel

So let assume that we have new claim with type description as follows:

http://schemas.microsoft.com/ws/2010/07/identity/claims
/company

which is being issued by our ADFS 2 server for SPS 2010 application. Earlier we have defined Identity Token issuer in our SPS 2010 configuration (Jorge has gathered together some articles which describe in details how to do this) – in our case called ADFS20Server.

So how to add this new claim definition to identity token issuer in SPS 2010. Here comes a recipe:

Get IdentityTokenIssuer object:

$tokenIssuer = Get-SPTrustedIdentityTokenIssuer -Identity "ADFS20Server"

Add new claim type:

$tokenIssuer.ClaimTypes.Add("

http://schemas.microsoft.com/ws/2010/07/identity/claims
/company")

Create new claim mapping:

$companyClaim = New-SPClaimTypeMapping -IncomingCLaimType "http://schemas.microsoft.com/ws/2010/07/identity/claims
/company"  -IncomingClaimTypeDisplayName "Company" -LocalClaimType

http://schemas.microsoft.com/ws/2010/07/identity/claims
/company

And add it to our token issuer configuration:

$companyClaim | Add-SPClaimTypeMapping -TrustedIdentityTokenIssuer $tokenIssuer

And voile:

PS. Thanks' goes to Bryan who pointed me in right direction when I was struggling with figuring this one out based on SPS2010 Powershell help :).

I'm done with an intensive month of sessions, delivered for different user groups and other communities online. When you managed to attend my session about Kerberos I hope you liked it ;). Now it's time for some blogging activities.

A friend asked on his blog (PL only, sorry) a question how to quickly determine the groups a computer account belongs to. Question was asked, time for answer, or at least: one of the possible answers :). Actually I was sure that I wrote about it here before but a quick search determined that I'm wrong (I'm sure I talked about it on last TEC in Berlin). If not ... time to do this now.  Starting with the basics.

Constructed attributes

First let me introduce the concept of constructed attributes in Active Directory: Active Directory (among other capabilities) can handle dynamically constructed attributes, which are calculated on the fly when a query is issued to get them. If one looks at the object using a standard LDAP client (like LDP.EXE) or other tool these attributes will not be present on the object. However, when a query is issued to the directory to return them – magic happena and the value (if exists) will be calculated and returned.

(cc) Swansea Photographer

First example, which everybody is familiar with, are back-link attributes. Back-link attributes are pair attributes with forward links, which are used to store information about references among the objects – think member –> memberOf.

If we will take a look at user object properties using the new fancy attribute editor feature from Windows Server 2008 R2 Active Directory Users & Computers (ADUC) we can't see memberOf attribute.

However if we issue a query for this attribute using ADFIND.EXE, we find:

C:\ >adfind -b CN=tom.tom,ou=Accounting,DC=w2k,DC=pl -s base memberOF

AdFind V01.42.00cpp Joe Richards (joe@joeware.net) April 2010

Using server: FIMDC01.w2k.pl:389
Directory: Windows Server 2008 R2

dn:CN=tom.tom,ou=Accounting,DC=w2k,DC=pl
>memberOf: CN=Ksiegowosc,OU=FIMGroups,DC=w2k,DC=pl

1 Objects returned

We get a response ... magic

All the magic is being done by the directory service which is calculating, on the fly, the attribute value which was requested. There is more attributes which can be constructed by AD, and they all fall into one of three categories (at least based on available documentation):

1. Attribute is marked as constructed in the schema using ATTR_IS_CONSTRUCTED bit in the systemFlags attribute value.
2. Attribute is a back link. (as showed above)
3. It is the rootDSE attribute..

A list of constructed attributes is available on MSDN for anyone who is interested.

tokenGroups

And here is an answer (one of possible) to the question how to determine group membership for a workstation: One way is to query for tokenGroups attribute of a computer object. Attribute description is presented below:

These two computed attributes return the set of SIDs from a transitive group membership expansion operation on a given object

So if we query AD for a security principal and we ask for the tokenGroups attribute we will get a list of SID identifiers of groups, to which this computer object belongs when it logs on. The computer object in a domain is a security principal as others, so the query can be issued to retrieve its attributes and retrieve computer attributes values.

Once again using ADFIND.EXE:

C:\ >adfind -b CN=STS,CN=Computers,DC=w2k,DC=pl -s base tokenGroups
AdFind V01.42.00cpp Joe Richards (joe@joeware.net) April 2010

Using server: FIMDC01.w2k.pl:389
Directory: Windows Server 2008 R2

dn:CN=STS,CN=Computers,DC=w2k,DC=pl
>tokenGroups: S-1-5-21-2045789631-2668715847-4178987103-1162
>tokenGroups: S-1-5-21-2045789631-2668715847-4178987103-515

As you can see, we've got a list of SIDs corresponding to the groups. How to translate these SIDs to names? Use ADFIND.EXE with SID as query parameter:

C:\ >adfind -b dc=w2k,dc=pl -s subtree -f "(&(objectSid=S-1-5-21-2045789631-2668715847-4178987103-1162))" name

AdFind V01.42.00cpp Joe Richards (joe@joeware.net) April 2010

Using server: FIMDC01.w2k.pl:389
Directory: Windows Server 2008 R2

dn:CN=ADFS Servers,OU=FIMGroups,DC=w2k,DC=pl
>name: ADFS Servers

1 Objects returned

And that's all of the trickery for today ...

A recent post from Brad Turner reminded me of something I wanted to blog about since I setup my Forefront Identity Manager (FIM) lab for self-password reset for users. So here it is – WMI permissions …

… If you want to enable the self-password reset scenario for users (which is one of scenarios you definitely want to enable when you deploy FIM) there is a number things to do – enabling MPRs, set permissions in AD, configure sync engine settings and also configure WMI permissions. All steps required are outlined in this TechNet document. One of the steps is setting up permissions on the WMI space on the FIM synchronization service machine.  

The instructions tell you to set up some permissions on the ROOT\CIMV2 namespace and all the child namespaces for the FIM 2010 service account. The reasons behind these changes is the actual password reset on the object is being performed through WMI calls to the FIM synchronization service, which enables lookups for MV objects and CS objects and the password reset call. Actually, the same scenario is possible for ILM 2007 or even MIIS 2003 with not so magical code and I’ve used it in the past to deploy similar solutions for customers … but this is just on the side note.

There is nothing wrong with these instructions, but well … I tend to think in problems when instructions tell me to delegate “all rights” on an entire tree of objects, when it is not completely necessary. 

Disclaimer
This comes from my experience and if you want to stick to the completely supported way it probably means that this has to be done by the TechNet or ask Microsoft representative about support. However I don’t think that it will break the scenario – in my case it works great and it worked for ILM 2007 … but well, I got a reason to write a disclaimer ;).

If you take a look at the WMI tree on the FIM synchronization service you will notice that there is a specific namespace: ROOT\MicrosoftIdentityIntegrationServer. It is enough to set permissions outlined in the TechNet document only on this namespace to make FIM self-password reset scenario work, when it comes to WMI permissions.

It should be also easy to fix it in Brad Turner's script (great work Brad).

May and June this year are speaking engagements months for me. Mostly these engagements are local events in Poland - if you're interested in them, please visit my Polish blog.

One event will be in English and is organized on-line through Live Meeting by my friend, Polish MVP - Robert.

If You have spare 75 minutes on the 19th June please join me through Live Meeting for the *free* VirtualStudy Conference 2010. I have the honor and pleasure to be part of this event as a speaker among MVPs and other well recognized members of the community.

I will deliver an English version of my session from last Microsoft Technology Summit 2009 conference about the Kerberos protocol, how it works and how to troubleshoot it: Catching one tail with three heads - Kerberos explained.

DirTeam.Com will have strong presence on this event, as Sander will also speak at this event. Just sit comfortable, grab a drink and have fun listening about tech.

I’m playing a little bit with Sharepoint 2010 and the claims model (probably more posts on this topic will follow) where ADFS v2 (yes, it has shipped in case you missed it) acts as a trusted claims provider for SPS 2010. It is a great scenario which I think will find its use in many organizations, however re-thinking all access and role models for Sharepoint applications might be a tough work at start. More on this approach soon.  Right now, a quick configuration tip …

(cc) Tiger Pixel

… if you have defined trusted claim provider in Sharepoint, like ADFS 2 server for example, part of its configuration is a set of claims it can provide to SPS and mapping of these claims. In claim provider properties it looks like this:

PS C:\> (Get-SPTrustedIdentityTokenIssuer -Identity "ADFS20Server").ClaimTypes
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

What if you want to add another one for example “Role”. Nothing simpler – run Powershell and you will find the Add-SPClaimTypeMapping cmdlet which should allow you to do exactly what is requested. Problem is that when you take a look at an example provided in TechNet documentation or the cmdlet help you will get examples, which not necessary fits cmdlet syntax, like this one:

Get-SPTrustedIdentityProvider –Name "LiveIDSTS" | Add-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" -IncomingClaimTypeDisplayName "PUID" -LocalClaimType http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprint

What to do then? Simple example how to add new claim mapping to trust provider is presented below:

$map2 = New-SPClaimTypeMapping "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" –SameAsIncoming
$ti = Get-SPTrustedIdentityTokenIssuer -Identity "ADFS20Server"
Add-SPClaimTypeMapping -Identity $map2 -TrustedIdentityTokenIssuer $ti

Quick check:

PS C:\> (Get-SPTrustedIdentityTokenIssuer -Identity "ADFS20Server").ClaimTypes
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
http://schemas.microsoft.com/ws/2008/06/identity/claims/role

Done !

Few weeks ago I wrote about FIM 2010 support for Windows 2008 R2 Active Directory environment with Recycle Bin enabled. Basically it wasn't supported configuration at that time. But world is changing ... and FIM as well.

Few days ago FIM 2010 Update 1 was released  to Windows Update and also Windows Catalog. You can use Windows Catalog to download this update in case Your FIM can't access Internet or is not configured to update automatically.

This update brings also support for AD with Recycle Bin enabled for FIM Active Directory MA and synchronization engine. Prerequisite for this update is hotfix described in KB 979214 which brings changes to DirSync control behavior. This hotfix might be also useful if You have application which uses DirSync control in conjunction with Windows 2008 R2 directory.

Unfortunately there still is no update for this issue for ILM 2007 FP1, which still will have problems with importing some changes when Recycle Bin will be enabled. Hopefully some solution will be released soon.

I promised to get back to AD WS topic so here I am.  My last post was about the process of Active Directory Web Services (AD WS) instance location from a client perspective. When a client locates the service, in most cases, it is with the purpose to do something with it – query, update ... . But what if something goes wrong and we want to troubleshoot this? Of course there is always network traffic analysis, but there is also an AD WS debug logging mechanism which can be used for it. All you need to do is turn it on. How??

(cc) ehpien

AD WS is a web service written in WCF and installed on every Windows Server 2008 R2-based DC. It is also available as the AD Management Gateway option for Windows Server 2003 and Windows Server 2008. The service has its own configuration stored in a file named Microsoft.ActiveDirectory.WebServices.exe.config, placed in the AD WS installation folder (%WINDIR%\ADWS by default).

Configuration parameters are described on these TechNet pages, however information about the diagnostic logging option is missing there. To configure this mechanism, alter the configuration file and add in an <appSettings> section with the following entries:

<add key="DebugLevel" Value="<log_level>" />

where log_level might be one of following values: None, Error, Warn or Info. Info is the highest level of debug mode, which will log full debug info and also the communication exchange between clients and the service. To configure where the debug information will be stored, add the following key to the config file:

<add key="DebugLogFile" value="<path to log file>" />

I think that options in this case are self explaining. Final configuration might look something like this:

<add key="DebugLevel" Value="Info" />
<add key="DebugLogFile" value="C:\ADWSLog\Adws_trace_log.txt" />

After making these changes in the configuration file, restart the service to make them take effect.

This change has to be introduced into each instance configuration separately. But it might be only a file copy operation – it depends on your environment.

One thing to remember – there is nothing like free debug operation – it always has some cost attached in performance. I don't know what this cost is in AD WS case but always consider it when you will decide to use it – especially in Info mode...

Some time ago I wrote about issues with the ILM 2007 FP1 Active Directory MA connecting to Windows 2008 R2 forests. In short words: it is supported as long as Recycle Bin is not enabled.

Someone asked a question ActiveDir.org, whether it is supported in regards to FIM 2010. I've asked a few people (thanks Andreas) and it looks the same. FIM 2010 AD MA is supported to work with Windows 2008R2 Active Directory if Recycle Bin is not enabled. However there is light at the end of the tunnel ...

... the problem with the ILM \ FIM AD MA is related to the usage of the DirSync control, which can be used in conjunction with LDAP queries to retrieve changes from AD since the last query. Because links to deleted objects in AD with Recycle Bin enabled are treated in a different way (links are disabled \ enabled instead of being deleted) it caused the effect, that when a user is restored, group membership is not correctly imported in these delta cycles. However, the AD team has released a hotfix. It is described in KB 979214 which corrects behavior of DirSync control in this scenario.

This of course won't fix the problem with the FIM AD MA itself. This will be fixed when an update to FIM will be released (sorry, no date known to me at this moment).

However this fix is also important to know to application developers using DirSync to pull changes from AD. Good to know, if such applications are (not) working in your environment maybe it is worth to deploy this fix.

Windows Server 2008 R2, among other changes, brings a new interface to access directory services – the Active Directory Web Service (ADWS). It is also available for older systems – Windows 2003 and 2008 – as Active Directory Management Gateway (available as separate download).

(cc) paprikaOptic

ADWS I being used so far by a few Windows 2008 R2 components like the new AD interface AD Administrative Center and Powershell module for AD (yes, this Powershell module uses Web Service, not LDAP). This Powershell module was a cause of e-mail I got from one of my friends (and customers also).

When he tried to use Powershell module from workstation to connect to ADWS on a newly deployed Windows Server 2008 R2 box he got the following message:

Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.
WARNING: Error initializing default drive: 'Unable to find a default server
with Active Directory Web Services running.'.
PS C:\Windows>

Now, here comes the ultimate question: how does the client locate the ADWS instance? – in this case the client being the Powershell module.

The ultimate answer to this question is as always ... DC locator. DC Locator is a process which allows clients to locate an optimal domain controller. Optimal in the AD meaning of this word: closest to a client from a network perspective, where network is represented through sites and subnets in AD configuration.

A client can also pass some additional requests to a DC locator process, which are being used to choose a DC with specific roles, required by the client in this moment. This might be a request for a writable DC or a DC acting as a GC. The Domain controller passes such information in DS_FLAGS structure.

To allow clients to located DCs with ADWS instances an additional flag was added to the DS_FLAGS structure. Description of this new flag states as follows:

DS_WS_FLAG, The Active Directory Web Service, as specified in [MS-ADDM], is present on the server.

And this information can be used to locate a DC with ADWS instance, when a client will specify the additional DS_WEB_SERVICE_REQUIRED flag in the DC request. Same goes for DCs with ADMG installed.

This might be the end of this post, but life isn't perfect and often we will have to deal with mixed environments with W2008R2 and other, older DCs in the same network. Problem is that 2003/2008 DCs doesn't understand this new flag. To correct this, an additional hotfix has to be installed, KB969249 (2003) or KB967574 (2008).

If you will plan to deploy W2008R2 and use Powershell module or other software which uses ADWS, especially in larger environments, remember to deploy enough ADWS instances to handle client traffic and to allow DC locator to locate DCs which host such service. This is especially important in environments with large number of DCs deployed. This way you won't be surprised if your newly created powershell script will fail to locate an ADWS instance.

Enough for today ... but we will get back to ADWS soon...

This post is the beginning of new troubleshooting saga – Everybody lies ... except network traffic. Chapter 1: the case of the mysterious DHCP Server.

In my daily job as an IT consultant sometimes I have to deal with problems. Different kind of problemss – easy, hard ... it depends on the case. A few days before my current week off (SPRING !!!) I got a problem which was described as follows;

• Workstation is working in a network segment with DHCP server. Workstation was able to acquire a correct IP address, but ...
• Later, after acquiring network configuration from DHCP server, workstation configuration was altered with a different set of DNS servers, DNS name suffix etc. This configuration suggested another network segment, connected with this network segment through some routers.

Everything worked, except some problems with accessing network resources with different addresses in both network segments (but similar names – similar if you eliminate the DNS suffix from the equation).

After some speculations – well ... it is with Windows 7 so maybe it is DirectAccess or IPv6 in general or maybe it is just a little gnome altering configuration – it's time for an ultimate question and answer: gathering network traffic from affected workstation.

Network traffic never lies

The main reason DHCP clients exist on a host is to acquire IP configuration. To fulfill this goal DHCP clients use a series of packets, broadcasted to request IP configuration. And the workstation which was a subject of this problem was doing exactly what we expected. In network traffic a chat between the client and the DHCP server was visible in the form of following request exchange:

• DHCP Discover –> DHCP Offer
• DHCP Request –> DHCP Ack.

Our client, which was exchanging packets with a DHCP server in local network segment (Server A), in result acquired IP address and some configuration.

(click to enlarge)

But after the DHCP client acquired an IP address it has a right to request some additional information about the network (if such are available from server). To do this client is sending another packet which is called DHCP Inform. As a response the client gets another DHCP Ack message which contains the requested information. And this was what our client did:

(click to enlarge)

However, instead of getting DHCP Ack from the DHCP server on the local network segment the answer came from Server B, which was located in another network segment and was configured with slightly different options.  Because the network configuration (router) allowed such messages to cross network segment boundaries it was completed successfully and  this was the mystery to be solved.

Conclusions ...

We have at least two conclusions from this story:

1. If you have two DHCP servers serving clients from one network segment for the same IP scope, make sure that these are configured in the same way.
2. (This will be common for the entire troubleshooting saga (I hope next stories will follow shortly)) If there is a problem in a network environment, in most cases the easiest and quickest way to solve it is to take a look at network traffic.

P.S.#1 If anyone is interested in DHCP protocol flow -  KB 169289 and RFC2131 are there for you.

P.S. #2 Just BTW – in another case I was working on lately, I learned about a small change in behavior of a DHCP server in Windows Server 2008 R2 - KB 2005980 describes it to you.

P.S. #3 This question was asked on my Polish blog when I described the same post – what about ipconfig output in this case. Well ... it showed ServerA as the one who served the client.

I'm on the train which is taking me to Poznań for meeting with a customer, so this gives me an opportunity to finally write something. For a start I'll share a quick tip about ADU&C and the delegation tab as an introduction to further posts.

If you want to set a right to delegate user credentials in the Kerberos authentication schema to some account, one way of doing this is through ADU&C. In the object properties there is a Delegation tab which allows you to configure appropriate delegation settings. But what if it is not there? (the tab, not the object)

If the delegation settings tab is not visible, it simple means that no SPNs have been configured for the given account. And the deal is simple ... no SPNs, no delegation scenarios. So how does one configure the delegation settings in this case? Just add SPN value to the object and the delegation tab will appear in the object properties!

Magic is done. Careful readers know right now that some Kerberos post is on the way ... to Poznań ;).

PS. Train was ~45 minutes late at arrival.

... on my Polish blog a question was asked on Sunday evening if I can provide some description on the SYSVOL location process and the pitfalls which might wait there. I said ... 'Why not'  ... and then you have to keep your promise. So today it will be about SYSVOL volume. Recently it is common topic for me as I gave a talk for local communities in Warsaw about GPO mechanics, which also touches this topic. If you can read Polish and you are interested, the slide deck is available on my Polish blog.

So  ... regarding SYSVOL, everyone can see that it is there and it does a job ... until something bad happens. That's the short version. Its primary goal is to serve domain clients files on a DC, in particular to serve GPO templates which are the file based part of GPO. Remember:  a GPO consists of two parts – the GP container (GPC) in the directory and the GP Template (GPT) in SYSVOL. Plus some extras like logon scripts etc.  If there is no SYSVOL or it is not up to date  because of FRS problems (sounds familiar?) there are no or outdated GPOs processed on a client side (actually if there is no SYSVOL share, a DC will not do its job).

(cc) swingnut

From a technical point of view, SYSVOL is just a DFS domain based namespace which content is being replicated with FRS in pre-Windows 2008 operating systems and with DFS-R for Windows 2008 and higher if migration was done (if not ... what are you waiting for????). In fact, SYSVOL content can be replicated in any way, as long as you know how to keep it in sync (don't tell our PSS guys I wrote this ;) ).

SYSVOL is present on every DC, it is a DFS namespace so ... how can you tell which replica is our client using at a given time??? And here is the problem we will be talking about today.

Theory …

As I wrote a few times on this blog (and Jorge wrote also about it  + he will give a talk about this on the upcoming TEC 2010 – if you will be there, don't miss it – I will miss it ;) ) a client is locating DCs using DNS records and information about sites and subnets in what is called the DC location process. This way, DS client can (at least should) locate the closest (in terms of AD configuration) DC which can handle its requests. Problem is that this is not the case with SYSVOL, as SYSVOL location process does not follow the same path as the DC location process. Many AD administrators have learned this in a more painful way, when they were trying to figure out why clients are using SYSVOL replicas in some small village north of whatever country it was.

A directory service client is receiving a list of SYSVOL replicas, divided into two lists:

• SYSVOL replicas in the same site
• SYSVOL replicas outside of the client site.

By default, both lists are in random order and are not reflecting things like costs or location in which DCs are located, except obvious information about local DCs. This behavior does not ensure that clients will use the same DCs for logon and SYSVOL within the same site, when multiple DCs are in this site (the word random is key).

To ensure that the DC which handles logon request will be the one which will also be used for SYSVOL location some tweaks have to be performed. These tweaks (and update) are described in KB831201. After applying the tweaks, the DC which handles the request will return its own name as the first DC on the list of SYSVOL replicas returned to a client.

However the problem remains if a client, for whatever reason, is using a SYSVOL replica outside of its site. The list of replicas in the second list, which is replicas located outside of clients site, is not ordered with taking into consideration the cost of getting to this site – it is random. So it might happen that the first DC on the list is in some place far north (or south if you prefer) of the globe. With slow WAN links between them, affecting clients in terms of performance. It is also a common case I observe in customer networks, where customers are not able to access this replica anyway, because of firewall policies which are in place and are prohibiting network traffic between branches.

How to deal with this? It can be easily resolved with additional configuration for DCs, which will enable calculation of the SYSVOL replicas list with taking cost of connection between client and replica into consideration. This option is available for Windows Server 2003-based DCs by default (there is also a fix described in KB823362 for Windows 2000 Server – remember , support for 2K ends on July this year) and it is called SiteCostedRefferals. To enable this option configure this registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dfs\Parameters
Value Name: SiteCostedReferrals
Data Type: REG_DWORD
Value: 1

However, to make this work you have to provide additional information through configuration at the directory level. This information is required for the directory service to calculate possible routes and this is information about which sites can be accessed by the client. To do this we can enable Bridge all site links (BASL) option, however this might not be the preferred way to do this. Why? Because this will also disrupt the replication topology calculation process from KCC standpoint. But if we want to enable SYSVOL cost based replica list calculation while not disturbing KCC with BASL information we can choose to enable it for given sites, which will cause KCC to ignore information about site bridging during calculations, but still seeing it (bridged) for SYSVOL replica cost calculation.

In theory you can think about it as maintaining site bridges manually as alternative to BASL however I don't know if this will work in a real world scenario (but with right people following right process ... it might).

And with the information provided above, for those who were not aware of it so far, I hope life with SYSVOL is much simpler right now.

Toolkit …

Here's some short information about tools that can be used in information gathering or troubleshooting process. The basic tool to start with is dfsutil. Dfsutil allows you to see the list of replicas from the client point of view and see which one is active at given point in time. Two switches to remember: 

DFSUTIL /SPCINFO
DFSUTIL /PKTINFO

In Windows Server 2008, these  switches have changed and have become:

DFSUTIL CACHE DOMAIN
DFSUTIL CACHE REFERRAL

To have access to DFSUTIL in Windows Server 2008 and later you will have to install DFS management tools using features.

And that's all for now ... at least about SYSVOL.

... Kim Cameron has linked and quoted my previous post on browser identification based on its characteristics available in public. There is EFF project which focus on checking how unique Your browser is against others based on public information.

As it turned out Kim's browser has even higher score (19.29) in this test then my original score (18.73). Then higher the score is then browser is more unique, thus easier to identify as unique on web sites without my consent.

As Kim said about himself and what I can say about myself (...) It’s not that I really think of myself as super competitive (...) but I couldn't resist ;) ...

It appears that what makes my browser so unique is set of plug-ins which are installed in my browser.

It looks like that there is not a lot of people with QuickTime, iTunes and Windows Live plug-ins installed together on same machine.

As Kim summarized his post:

I have to disagree.  It is already a problem.  A big problem.  These outcomes weren’t at all obvious in the early days of the browser.  But today the writing is on the wall and needs to be addressed.  It’s a matter right at the core of delivering on a trustworthy computing infrastructure.    We need to evolve the world’s browsers to employ minimal disclosure, releasing only what is necessary, and never providing a fingerprint without the user’s consent.

And now I will agree on that completely ... especially that my browser is so unique.

Just to calm down my friends reading this blog … no, I haven’t developed personal relationship with my browser, however as many of us I’ve personalized it and I feel comfortable with it right now. All the plugins, configuration etc. It is our daily used tool now so probably all of us have done something to customize it.

Is our browser also attached to us or does it flirt (how strange it may sound) with others on the network???

(cc) bored-now

Through Kim Cameron’s blog I‘ve found project Panopticlick page started by Electronic Frontier Foundation (EFF). This project aims to try how easy is to identify person identity in Internet based on characteristics of its main tool … web browser. Question is how easy is to distinguish You from other Internet users based on elements like Your browser user agent, fonts, screen resolution and other data which can be accessed from browser by any web page.

Let see  - this is example of check performed on my browser:

So my browser has unique footprint among almost 400k of other browser tested. In other words – yes, my browser is cheating on me and it allows web sites to track me without my knowledge … definitely not nice.

Another example which shows that this approach might work came from information about OpenOffice market share. Method which was used to identify OO users was based on checking fonts installed on system through browser. OO install unique fonts – which might be used as indicator that OO is present on a system – without user interaction at all. Scary … ???

Also Kim Cameron posted another example:

(…) The authors claim the groups in all major social networks are represented through URLs, so history stealing can be translated into “group membership stealing”.  This brings us to the core of this new work.  The authors have developed a model for the identification characteristics of group memberships – a model that will outlast this particular attack, as dramatic as it is. (…)

So browser can be used to identify a user in Internet or to harvest some information without its consent. Will it really become a problem and will it be addressed in some way in browsers in a future? This question has to be answered by people responsible for browser development. We will see …

FIM 2010 is still being cooked in Redmond area but in the meantime we got brand new ILM 2007 Service Pack 1 package which just was published on Downloads web site. ILM 2007 SP1 is cumulative hotfix package but also it brings support for provisioning objects with Exchange 2010.

This is nice progress if you remember how long we had to wait for Exchange 2007 to be supported with ILM … way to go for future ILM team.

Information how to use ILM AD MA to provision objects to Exchange 2010 is published on Technet in Deploy Exchange 2010 in a Cross-Forest Topology article.

Whit Exchange 2010 support we also are getting a new code example and description “Prepare for Online Mailbox Move”. Quote from download description:

Microsoft Exchange Server 2010 supports online mailbox migration from a remote Exchange Server 2010, Exchange Server 2007, or Exchange Server 2003 forest to your Exchange 2010 forest. Prior to performing the online mailbox migration, mail-enabled users with a predefined list of attributes must be present in the target Exchange 2010 forest where the mailbox will be moved to. You can use either the sample code or the sample script to help with your online mailbox migration:

• The ILM-based rules extension sample code demonstrates how to customize your current ILM deployment to create the required mail-enabled users in the target Exchange 2010 forest. For more information, see Prepare Mailboxes for Cross-Forest Moves Using the PrepareMoveRequest.ps1 script in the Shell. To download the feature pack, see Microsoft Knowledge Base article 977791 (Service Pack 1 (build 3.3.1139.2) is available for Microsoft Identity Lifecycle Manager (ILM) 2007 Feature Pack 1) .
• The remote PowerShell-based sample script demonstrates how to run a PowerShell script to create the required mail-enabled users in the target Exchange 2010 forest. For more information, see Prepare Mailboxes for Cross-Forest Moves Using Sample Code.

Enjoy your reading …