Wednesday, August 19, 2009 10:19 PM
ILM AD MA, linked attributes and Recycle Bin
Windows 2008 R2 has hit RTM and many users have already downloaded it from TechNet and MSDN to evaluate it or even deploy it in their networks. W2008R2 brings changes in many different aspects of the operating system; some are saying that it should not be an R2 but a brand new OS version. Among other things, R2 also brings changes in the Active Directory area. This raises a common question in the ILM community, which was asked last week on the TechNet ILM forum:
Are there any known issues with the ADMA and 2008 R2 DCs?
So let’s check if there are … :).
Important note: You have to remember that at the time this post is being written, using the ILM AD MA with Windows 2008 R2 forests is not a supported configuration.
Regardless of the test results described in this post, if you want to go live with Windows 2008 R2 and you are using ILM 2007, please contact PSS or your Microsoft representative and discuss this with them.
Yes … I work for Microsoft, but this is a private blog, and the configuration and tests described below can't be treated as official Microsoft documentation or statements.
I've set up a simple lab on Hyper-V R2 with two machines:
- DC running on Windows 2008 R2 in R2 native mode
- Windows Server 2008 with SQL 2005 and ILM 2007 FP1.
A single management agent was configured to connect ILM to my forest and a few simple tests were performed:
- initial full import
- delta import after adding \ modifying \ deleting a user object
All worked fine. Then I also created a simple SQL MA with some tables, configured a projection rule for the AD MA to bring objects into the metaverse, join rules for the SQL MA, and some attribute flows to flow data from the SQL MA through the MV to AD. This was supposed to test the export operation, and it also worked great … so far so good.
Now … the only new R2 feature which really might have an impact on ILM MA operations is the Recycle Bin feature. Its simplest description is:
Information technology (IT) professionals can use Active Directory Recycle Bin to undo an accidental deletion of an Active Directory object.
Basically it introduces a new object state in AD where the object is deleted but still retains all its attributes and, what is more important, can be brought back to life with all these attributes without using a backup.
A more technical description can be found on the TechNet pages. So with the Recycle Bin an AD object can be in the Deleted or Recycled state. Let's enable this feature and see if it affects AD MA actions. The scope of our MA was configured for the R2 forest with user and group objects in scope. No connector filtering.
Step 1: Delta import after user add \ rename \ delete for users
Looks fine. All changes, including the delete, which was in fact an operation putting the object into the Recycle Bin, were picked up correctly. So far so good. It looks like it works as it should.
Step 2: Delta import after a user who is a member of a group was deleted
Another test was to delete a user who is a member of a group which is also in scope of the ILM MA. A user named "7User" (brilliant names for test users ;) ) was selected for this test as he was a member of the "TestLink group".
A delta import after such an operation results in information about a single object being deleted, which is our user:
Now we have the first problem … we don't have information about this member being removed from a group which is also in scope of our MA. Why has this happened?
The answer is that when the Recycle Bin is enabled, an object which is in the Recycle Bin is not removed from linked attributes like member on a group; instead these links are de-activated. This allows the user to be restored later out of the Recycle Bin with its group membership without the need for additional operations. You can see deactivated links using the LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID extended LDAP control:
Shameless plug: if you are interested in how to do this in your code, check my S.DS.P session at the upcoming TEC conference in Berlin. Not going to TEC … then go :). Still not going … I will post examples here after TEC.
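As an added example that is not part of the original post (and not the S.DS.P samples the author promised for later), here is how the control can be sent from System.DirectoryServices.Protocols to list the members of one group whose links are deactivated, i.e. the members the AD MA no longer sees after they were put in the Recycle Bin. The OID value 1.2.840.113556.1.4.2065 is taken from MS-ADTS (the post names the control, not its OID); the DC host name and the group DN are assumed to come from the command line, and range retrieval for very large groups is not handled.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;

static class DeactivatedLinks
{
    // OID of LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID as documented in MS-ADTS
    // (the post names the control but not the OID; value taken from the spec).
    const string ShowDeactivatedLinkOid = "1.2.840.113556.1.4.2065";

    // Reads the member attribute of one group, with or without the control.
    // Without it AD hides links whose target object sits in the Recycle Bin.
    static HashSet<string> ReadMembers(LdapConnection conn, string groupDn, bool showDeactivated)
    {
        var req = new SearchRequest(groupDn, "(objectClass=group)", SearchScope.Base, "member");
        if (showDeactivated)
            req.Controls.Add(new DirectoryControl(ShowDeactivatedLinkOid, null, true, true));
        var resp = (SearchResponse)conn.SendRequest(req);
        var members = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        if (resp.Entries.Count == 1 && resp.Entries[0].Attributes.Contains("member"))
            foreach (string dn in resp.Entries[0].Attributes["member"].GetValues(typeof(string)))
                members.Add(dn);
        return members;  // groups above the range limit would need range retrieval (not handled)
    }

    static int Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: DeactivatedLinks <dc-hostname> <group-DN>");
            return 2;
        }
        using (var conn = new LdapConnection(new LdapDirectoryIdentifier(args[0])))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            conn.AuthType = AuthType.Negotiate;
            conn.Bind();  // bind with the current Windows credentials

            var active = ReadMembers(conn, args[1], false);
            var all = ReadMembers(conn, args[1], true);
            all.ExceptWith(active);  // what remains is visible only with the control

            Console.WriteLine("{0} active link(s), {1} deactivated link(s)", active.Count, all.Count);
            foreach (string dn in all)
                Console.WriteLine("deactivated (member is in the Recycle Bin): " + dn);
            return 0;
        }
    }
}
```

Running this against the "TestLink group" after deleting 7User shows the user's DN only in the second read, which is exactly the membership change the delta import does not report.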
Step 3: Bring me back to life … reactivating the object
So we are missing information about changes in group membership after a user who was a member of this group was put in the Recycle Bin in Active Directory. But let's check what will happen if we restore this user out of the Recycle Bin (and I will do this using the old-fashioned ldp.exe tool instead of the brand new PowerShell for AD interface … sorry Dean if you are reading this :) ).
Well, after performing this operation and executing the delta import again we can see that this user was added again … so it was brought back from the Recycle Bin. However this again has not shown us a change in group membership, as the existing link value was just reactivated.
So we have a problem here: changes which affect a user object and put this user in the AD Recycle Bin are not reflected on objects on which this user object is referenced through a linked attribute.
How to work around this shortcoming … well … a full import will bring this information back again into the connector space, but this isn't perfect, as full imports are far from optimal from a performance perspective in most organizations which are using ILM.
So even if it looks at first that the ILM Active Directory MA works well with the R2 AD version in a scenario where the Recycle Bin feature is enabled, it has some issues. I have performed some simple tests and I haven't touched the CLM part of ILM.
I know that the product group has identified this problem and we will probably get a resolution some time from now. But I don't know if and when Windows 2008 R2 will be fully supported (including the Recycle Bin) with the AD MA. If you want a statement on that you will have to contact PSS.
And BTW … a new hotfix package for ILM 2007 FP1 was just released with KB969742.