Dirteam.com/ActiveDir.org Blogs

FIM 2010 is still being cooked in the Redmond area, but in the meantime we got a brand new ILM 2007 Service Pack 1 package, which has just been published on the Downloads web site. ILM 2007 SP1 is a cumulative hotfix package, but it also brings support for provisioning objects with Exchange 2010.


This is nice progress if you remember how long we had to wait for Exchange 2007 to be supported by ILM … way to go for the future ILM team.

Information on how to use the ILM AD MA to provision objects to Exchange 2010 is published on TechNet in the Deploy Exchange 2010 in a Cross-Forest Topology article.

With Exchange 2010 support we are also getting a new code example and description, “Prepare for Online Mailbox Move”. Quote from the download description:

Microsoft Exchange Server 2010 supports online mailbox migration from a remote Exchange Server 2010, Exchange Server 2007, or Exchange Server 2003 forest to your Exchange 2010 forest. Prior to performing the online mailbox migration, mail-enabled users with a predefined list of attributes must be present in the target Exchange 2010 forest where the mailbox will be moved to. You can use either the sample code or the sample script to help with your online mailbox migration:

Enjoy your reading …

Where there is a question there is an answer (at least in most cases). This time the question was “How to check which schema extensions were introduced to a forest?” and it was asked on ActiveDir.org. There was even more than one answer … apparently some consultants are watching this list :).

So how can we capture what was changed in the schema since it was established together with our forest?


One option is to use the Schema Analyzer tool which comes with AD LDS (ADAM), as described on the Ask DS Team blog. If we have an AD LDS instance and an LDIF file with the schema we want to analyze, it will give us the difference between the target and the base schema. Easy but …

  • it requires access to an AD LDS instance and an LDIF file with the schema
  • sometimes getting an LDIF file with the difference is a bit of an overhead and we need something easier.

So here is the next approach, also not perfect but a bit simpler, and in some cases it might be good enough. Just take any LDAP query tool (adfind.exe) and query the whole schema, including whenCreated in the output. This attribute is replicated among all DCs, so we can track the creation date of each object. Simple example:

adfind -schema -f "(|(objectClass=attributeSchema)(objectClass=classSchema))" ldapDisplayName whenCreated -adcsv

Now redirect the output to a file … open it in Excel, sort it on the whenCreated column and voilà …

Of course it is not perfect. It still requires a tool like Excel and it only gives you an overview of when attributes were created. And what about modifications?
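The adfind output above is easiest to read once it is grouped. The script below is an added example, not code from the original post: it does the Excel sorting step for you, parsing text in the shape of adfind -adcsv output (the sample rows are constructed) and splitting schema objects into creation batches, the first being the base schema and each later one a schema extension.

```python
"""Cluster schema objects by whenCreated to spot schema extensions.

Added example; the CSV below is constructed to look like the output of
  adfind -schema -f "(|(objectClass=attributeSchema)(objectClass=classSchema))"
         ldapDisplayName whenCreated -adcsv
"""
import csv
import io
from datetime import datetime, timedelta

SAMPLE_CSV = """\
"dn","ldapDisplayName","whenCreated"
"CN=User,CN=Schema,CN=Configuration,DC=w2k,DC=pl","user","20090823225106.0Z"
"CN=Sam-Account-Name,CN=Schema,CN=Configuration,DC=w2k,DC=pl","sAMAccountName","20090823225107.0Z"
"CN=Group,CN=Schema,CN=Configuration,DC=w2k,DC=pl","group","20090823225108.0Z"
"CN=AstContext,CN=Schema,CN=Configuration,DC=w2k,DC=pl","astContext","20091102141530.0Z"
"CN=AstExtension,CN=Schema,CN=Configuration,DC=w2k,DC=pl","astExtension","20091102141531.0Z"
"CN=Lab-Custom-Attr,CN=Schema,CN=Configuration,DC=w2k,DC=pl","labCustomAttr","20091215093000.0Z"
"""


def parse_generalized_time(value: str) -> datetime:
    """AD GeneralizedTime such as 20090823225106.0Z -> naive UTC datetime."""
    return datetime.strptime(value.split(".")[0], "%Y%m%d%H%M%S")


def schema_batches(csv_text: str, gap: timedelta = timedelta(minutes=30)) -> list:
    """Sort objects by whenCreated and start a new batch wherever two consecutive
    creation times are more than `gap` apart. The first batch is the base schema
    laid down with the forest; every later batch is one schema extension run
    (an application or Exchange prep, for instance), since such runs create
    their objects seconds apart. Returns [(batch_start, [ldapDisplayName...]), ...]."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    rows.sort(key=lambda r: parse_generalized_time(r["whenCreated"]))
    batches, last = [], None
    for row in rows:
        created = parse_generalized_time(row["whenCreated"])
        if last is None or created - last > gap:
            batches.append((created, []))
        batches[-1][1].append(row["ldapDisplayName"])
        last = created
    return batches


def extensions_since_forest_creation(csv_text: str) -> list:
    """Everything except the first batch: objects added by later schema extensions."""
    return schema_batches(csv_text)[1:]


if __name__ == "__main__":
    for start, names in schema_batches(SAMPLE_CSV):
        print(f"{start:%Y-%m-%d %H:%M:%S}  {len(names):5d} object(s): {', '.join(names)}")
```

Feed it the real file with `schema_batches(open("schema.csv").read())`; whenCreated still says nothing about later modifications of base objects.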

In cases where we need such information the SchemaDiff.cmd script created by Dean Wells (included in the archive) comes in handy. This tool is based on querying replication metadata, so it gives you information about both new and updated attributes. Let's see how it works:

C:\Temp>SchemaDiff.cmd w2k.pl

SchemaDiff 1.1 / Dean Wells (dwells@msetechnology.com) - March 2006

STATUS - Working [review title bar for progression] ...

       - Forest/schema creation timestamp: 2009-08-23 @ 22:51:06
       - base-schema has been MODIFIED since Forest creation
       - counting classSchema and attributeSchema instances: 1438
       - querying schema ...

*MOD: CN=Schema,CN=Configuration,DC=w2k,DC=pl
       - schemaInfo........................ {modified post-instantiation}

*MOD: CN=User,CN=Schema,CN=Configuration,DC=w2k,DC=pl
       - auxiliaryClass.................... {modified post-instantiation}

+NEW: CN=AstContext,CN=Schema,CN=Configuration,DC=w2k,DC=pl
+NEW: CN=AstExtension,CN=Schema,CN=Configuration,DC=w2k,DC=pl

(…)

Done - 57 schema object(s) added, 4 schema object(s) modified
       in Forest "DC=w2k,DC=pl"

Quick, nice and easy … and no additional tools required (I don’t count repadmin.exe as an additional tool in an AD environment).

In general the best way to answer such a question is to have a schema governance process implemented in your environment. It doesn’t have to be something very complicated; sometimes a simple file with some procedures is enough … or a WSS site in a more advanced case. The key is to stick to it and follow it. Think about it …

It is common knowledge that in an AD environment a client (like a workstation) will always (at least it should) try to connect to the most optimal domain controller, optimal from the network and AD infrastructure configuration standpoint. This process is based on DNS queries and information stored in the AD configuration, and in the perfect case it should lead to the client contacting the most optimal DC at a given moment.

So we have all subnets defined, connected to the appropriate sites, and DCs placed in these sites or covered in another way. And suddenly some clients from some small location start to use random DCs instead of the one we designated for them in our bright and shiny configuration. In such a case the sysadmin enters his most favorite mode … troubleshooting.



The AD configuration has been extensively reviewed and checked, the network checked … event logs are not giving us a clue … what next (besides calling the cavalry of some sort :) )?

In such a case we have at least one additional troubleshooting mechanism which might be extremely useful in this process: enabling debug logging for the DC locator process. In each Windows version the netlogon service comes with the ability to log debug information. What has to be done is enabling this mechanism through a registry change and setting some flags … these flags are described in KB 109626 Enabling debug logging for the Net Logon service.

When this is done the netlogon service will start to log diagnostic data in %windir%\debug\netlogon.log. This information might be very useful in the troubleshooting process, or at least should give us an idea of what is going on during it. A sample part of netlogon.log (slightly modified for better reading) from my lab environment is presented below.

[SITE] Setting site name to '(null)'
[SESSION] \Device\NetBT_Tcpip_{33941FFA-DFED-4744-BF9A-972228BC6FF0}: Transport Added (192.168.1.10)
[SESSION] Winsock Addrs: 192.168.1.10 (1) List used to be empty.
[SESSION] V6 Winsock Addrs: (0)
[CRITICAL] Address list changed since last boot. (Forget DynamicSiteName.)
[SITE] Setting site name to '(null)'
[DNS] Set DnsForestName to: w2k.pl
[DOMAIN] W2K: Adding new domain
[DOMAIN] Setting our computer name to wss wss
[DOMAIN] Setting Netbios domain name to W2K
[DOMAIN] Setting DNS domain name to w2k.pl.
[DOMAIN] Setting Domain GUID to ce28b6f7-a26a-4e0f-9f39-0e63e525493e
[MISC] Eventlog: 5516 (1) "wss" "W2K"
[INIT] Replacing trusted domain list with one for newly joined W2K domain.
[SITE] Setting site name to '(null)'
[LOGON] NlSetForestTrustList: New trusted domain list:
[LOGON]     0: W2K w2k.pl (NT 5) (Forest Tree Root) (Primary Domain) (Native)
[LOGON]        Dom Guid: ce28b6f7-a26a-4e0f-9f39-0e63e525493e
[LOGON]        Dom Sid: S-1-5-21-1855823386-3643518527-1754427229
[INIT] Starting RPC server.
[SESSION] W2K: NlSessionSetup: Try Session setup
[SESSION] W2K: NlDiscoverDc: Start Synchronous Discovery
[MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c00ffff1
[INIT] Join DC: \\resfs.w2k.pl, Flags: 0xe00013fd
[MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c00ffff1
[MAILSLOT] NetpDcPingListIp: w2k.pl.: Sent UDP ping to 192.168.1.1
[MISC] NlPingDcNameWithContext: Sent 1/1 ldap pings to resfs.w2k.pl
[MISC] NlPingDcNameWithContext: resfs.w2k.pl responded over IP.
[MISC] W2K: NlPingDcName: W2K: w2k.pl.: Caching pinged DC info for resfs.w2k.pl
[INIT] Join DC cached successfully
[SITE] Setting site name to 'Default-First-Site-Name'
[MISC] NetpDcGetName: w2k.pl. using cached information
[PERF] NlAllocateClientSession: New Perf Instance (001E6688): "\\resfs.w2k.pl"
    ClientSession: 00237D58
[SESSION] W2K: NlDiscoverDc: Found DC \\resfs.w2k.pl
[SESSION] W2K: NlSetStatusClientSession: Set connection status to 0
[DOMAIN] Setting LSA NetbiosDomain: W2K DnsDomain: w2k.pl. DnsTree: w2k.pl. DomainGuid:ce28b6f7-a26a-4e0f-9f39-0e63e525493e
[LOGON] NlSetForestTrustList: New trusted domain list:
[LOGON]     0: W2K w2k.pl (NT 5) (Forest Tree Root) (Primary Domain) (Native)
[LOGON]        Dom Guid: ce28b6f7-a26a-4e0f-9f39-0e63e525493e
[LOGON]        Dom Sid: S-1-5-21-1855823386-3643518527-1754427229
[SESSION] W2K: NlSetStatusClientSession: Set connection status to 0
[SESSION] W2K: NlSessionSetup: Session setup Succeeded
[INIT] Started successfully
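To get the headline facts out of a netlogon.log quickly, here is an added example (not code from the original post) that parses lines like those above: it reports how the site name changed, which DC was discovered and what the DC's flags mean, using the DS_*_FLAG bit values documented for DsGetDcName. The sample log is a subset of the excerpt above.

```python
"""Summarise a netlogon.log DC locator run (added example)."""
import re

# DOMAIN_CONTROLLER_INFO.Flags bits as documented for the Win32 DsGetDcName API.
DC_FLAGS = {
    0x00000001: "DS_PDC_FLAG",
    0x00000004: "DS_GC_FLAG",
    0x00000008: "DS_LDAP_FLAG",
    0x00000010: "DS_DS_FLAG",
    0x00000020: "DS_KDC_FLAG",
    0x00000040: "DS_TIMESERV_FLAG",
    0x00000080: "DS_CLOSEST_FLAG",          # DC is in the client's site (or the next closest one)
    0x00000100: "DS_WRITABLE_FLAG",
    0x00000200: "DS_GOOD_TIMESERV_FLAG",
    0x00000400: "DS_NDNC_FLAG",
    0x00000800: "DS_SELECT_SECRET_DOMAIN_6_FLAG",
    0x00001000: "DS_FULL_SECRET_DOMAIN_6_FLAG",
    0x00002000: "DS_WS_FLAG",
    0x20000000: "DS_DNS_CONTROLLER_FLAG",
    0x40000000: "DS_DNS_DOMAIN_FLAG",
    0x80000000: "DS_DNS_FOREST_FLAG",
}

SITE_RE = re.compile(r"\[SITE\] Setting site name to '([^']*)'")
JOIN_RE = re.compile(r"Join DC: (\S+), Flags: 0x([0-9A-Fa-f]+)")
FOUND_RE = re.compile(r"NlDiscoverDc: Found DC (\S+)")
RESET_RE = re.compile(r"\[CRITICAL\] (.*Forget DynamicSiteName.*)")


def decode_dc_flags(value: int) -> list:
    """Names of the DS_*_FLAG bits set in value; bits not in the table are reported as hex."""
    names = [name for bit, name in DC_FLAGS.items() if value & bit]
    unknown = value & ~sum(DC_FLAGS)
    if unknown:
        names.append(f"unknown:0x{unknown:x}")
    return names


def summarize_netlogon(log_text: str) -> dict:
    """Walk the log once and collect what a locator troubleshooter looks at first."""
    summary = {"sites": [], "site_reset": None, "join_dc": None,
               "join_flags": [], "found_dc": None, "closest": None}
    for line in log_text.splitlines():
        if m := SITE_RE.search(line):
            summary["sites"].append(m.group(1))          # '(null)' means no site known yet
        elif m := RESET_RE.search(line):
            summary["site_reset"] = m.group(1)          # why the cached site was dropped
        elif m := JOIN_RE.search(line):
            summary["join_dc"] = m.group(1)
            flags = int(m.group(2), 16)
            summary["join_flags"] = decode_dc_flags(flags)
            summary["closest"] = bool(flags & 0x80)      # DS_CLOSEST_FLAG
        elif m := FOUND_RE.search(line):
            summary["found_dc"] = m.group(1)
    return summary


# A subset of the netlogon.log excerpt shown above.
SAMPLE_LOG = r"""[SITE] Setting site name to '(null)'
[CRITICAL] Address list changed since last boot. (Forget DynamicSiteName.)
[SITE] Setting site name to '(null)'
[INIT] Join DC: \\resfs.w2k.pl, Flags: 0xe00013fd
[SITE] Setting site name to 'Default-First-Site-Name'
[SESSION] W2K: NlDiscoverDc: Found DC \\resfs.w2k.pl
"""

if __name__ == "__main__":
    s = summarize_netlogon(SAMPLE_LOG)
    print("site progression:", " -> ".join(s["sites"]))
    print("site reset:", s["site_reset"])
    print("DC:", s["found_dc"], "closest:", s["closest"])
    print("flags:", ", ".join(s["join_flags"]))
```

A client that keeps ending up on a DC without DS_CLOSEST_FLAG, or whose site stays '(null)', is the case where a missing subnet object is the first thing to check.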

Does it look useful??? I think so … happy troubleshooting, and don’t forget that Network Monitor or Wireshark will tell you the truth about what’s going on on the wire. And this is the ultimate troubleshooting tool.

On the topic of ADFS Laura once said “If your ADFS is broken, it’s PKI. If it’s not PKI, you’ve got a typo. If it’s not a typo, it’s PKI”. Very true … in different aspects of PKI.

Because of the Christmas break I have a bit more free time than usual, still taking into consideration that free time is only available once I put my son to sleep. I decided to take a look at the just released ADFSv2 RC bits. And I know that it is probably because of me, but I managed to produce a little problem during the setup procedure, which I think might affect others as well, so as always … time for a blog post.


ADFSv2 and PKI requirements …

For those who have not gone through the ADFSv2 setup procedure, a quick outline of its PKI requirements.

After ADFSv2 is installed as a service on a machine, the next step is to configure it as a federation server, either standalone or as part of a farm. Part of this setup is to provide information about the certificate which will be used as the token signing certificate and the CardSpace signing certificate. This certificate has to be present in the local system store for the ADFS setup to be able to pick it up.


My setup …

In order to set up ADFS I’ve created a single machine on which I’ve loaded AD, a Certificate Authority and an IIS server (not best practice, but in my lab I have to take care about available RAM and spindles, so … fewer VMs is better).

To get a certificate for my IIS server and later for the ADFS service, I’ve created a cert request using the IIS console and based on this request I’ve issued a certificate from the CA, installed it on my IIS and, what *is important*, I set this certificate to be used in the HTTP binding on my IIS machine.

The ADFS service setup and later the procedure for configuring it as a federation server went smoothly and everything worked as expected. When I was asked which certificate to use, I just chose the certificate I had created earlier and configured for my IIS machine.


So where the problem begins?

Later I decided that I wanted to set up my ADFS server using an FQDN to avoid problems with SPN configuration etc. (BTW – I believe that after PKI and typos, SPNs will be the next common issue with ADFS v2 setup … I don’t know why … maybe it is called experience).

So I’ve added a DNS record for the new name, done all the IIS stuff and, among other things, revoked the previous certificate and removed it from the IIS configuration (just deleted it using the IIS console), issued a new request, new cert … installed … done. Almost.

The next step is to change the ADFS configuration to:

  • use the new FQDN (easy)
  • use a different certificate (should be easy).

The first step was OK, but then, when I wanted to change the token signing certificate in ADFS, I got an error message which said something similar to:

The SSL certificate with thumbprint 42161585196B80292A675BA95D54429D1E1CF7CE is configured in IIS but could not be found in the Local Computer Personal certificate store.  SSL Certificates configured in IIS must also be present in the Local Computer Personal certificate store in order for AD FS 2.0 to use them.

The thumbprint referred to the certificate which I had previously revoked and removed. I checked things a few times … even though I was asked to select a new certificate for ADFS to use, and I was able to choose the new certificate, every attempt ended in a way similar to the one described above.


Cause and solution …

After thinking about it for a while I checked which certificate is assigned to the HTTPS binding in IIS. And it turned out that there is no certificate … at least none was shown in the UI. But apparently some reference to the previously configured certificate was held somewhere in the IIS configuration and this was causing the problem with the ADFS configuration.

Once I selected the new certificate to be used for the HTTP binding in IIS as well, I was able to change the signing certificate for ADFS and finish my setup.

So as it turned out:

  • deleting a certificate in the IIS setup and replacing it with a new one is not enough. Remember about *BINDINGS*.
  • error messages are right, but they are not always pointing you directly at the right place.
  • “If your ADFS is broken, it’s PKI. If it’s not PKI, you’ve got a typo. If it’s not a typo, it’s PKI” … with the addition of SPNs :).


Hope this will help at least one person in the future ;).


Kerberos in the Windows operating system has been around for about 10 years and it is still causing problems, and for many people it is like black magic voodoo. In most cases organizations and the people in them are not even aware that it is working until a problem surfaces with some application not working or reports not being displayed on a MOSS web page …

… and when the problem occurs some troubleshooting starts. To make this process a bit easier, here is a short explanation of the Kerberos, IE and services-running-on-a-non-standard-port issue.



This post is sponsored by the letter A, as in Architect, because one of our Architects inspired me to write it with his ranting about this problem.

The issue which is the subject of this post is not related to the Kerberos protocol itself, but to Internet Explorer and how IE handles such requests by default.


Never ending story, SPNs …

A short reminder of what an SPN is … when a client application is trying to get access to a resource and is using Kerberos authentication, at some point it requests a ticket from the Ticket Granting Service (TGS). To specify the service to which it is requesting access, in the TGS request the client specifies a Service Principal Name (SPN). The SPN is then used by the KDC to find the account which is related to this service and to prepare a ticket for it. That is, in short, how it works …

SPNs are just string values of the servicePrincipalName attribute, in a form which consists of a service prefix, a host name and optionally a port number.

For example, for a standard HTTP service running on the www.w2k.pl host the SPN would be specified as HTTP/www.w2k.pl.

As I mentioned above there is also an optional element of the SPN which can be used to specify the port on which the service is running. In the case of our HTTP service running on port 8080, the SPN which contains this port number will look like this: HTTP/www.w2k.pl:8080.

Simple … it is helpful if we have services running on different ports and using different accounts – like application pools running under separate accounts, associated with web sites on two different ports.


And here comes Internet Explorer …

The problem with Internet Explorer is that when it is being used as the client application to request access to a Kerberos enabled service on a non-standard port, by default it will not include the port number in the SPN sent in the TGS request. In such a case a network traffic capture will look somewhat like this:

As we can see in this traffic, IE is trying to request access to a web site running on port 8080, but in the TGS request it is not exposing this information and instead of HTTP/lhr2dc01.w2k.pl:8080 it sends the request with HTTP/lhr2dc01.w2k.pl as the SPN value.

This behavior was first fixed for IE 6 with KB 908209. For IE6 it required a fix to be installed and an additional registry entry to be made.

The article does not mention it, but the same behavior is present in IE7 and IE8. Fixing it there doesn’t require a fix to be installed, but it still has to be enabled through the same registry entry specified in the KB mentioned above.

If this is done, the same situation in network traffic looks as presented below:

As can be seen in this traffic analysis, IE is requesting access to the web site with the port specified in the SPN, and this allows authentication to be completed in this scenario.


When this is useful …

“Why bother???” This is required in scenarios where we have multiple services running on a single host, on different ports and under different security accounts. Good examples are multiple application pools on a single IIS machine.

Probably anyone who deploys MOSS sites with multiple accounts will come across this scenario and will have to deal with it.


Why not make it default …

The question is … why is this not enabled by default in IE 7 and 8? The problem was fixed for IE6, but for later versions it might have been included in the default configuration.

I don’t know the official answer, but the first thing which crosses my mind is backward compatibility (you can call it the IE6 curse if you want :) ). Because IE6 worked in this way, many applications were configured to work in the way allowed by IE6’s problem, and turning it on by default in the next versions would break all these applications.

IE6 was not specifying a port in the SPN request, and if there was a suitable account with only one SPN, without a port specified, and there was another service running on the same host on a different port but under the same service account, it just worked.

If you enable this behavior, applications running on different ports would break … registering an additional SPN will fix it of course, but this would require some planning up front or quick troubleshooting (a basic level of network traffic analysis required).
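The backward-compatibility argument above, as an added example (not code from the original post): a small model of the SPN IE builds with and without the KB 908209 behavior, and of the KDC's servicePrincipalName lookup. Account names and SPN sets are constructed for the two-application-pools scenario, and it assumes 80 and 443 are the standard ports IE never appends.

```python
"""Model of IE's SPN construction and the KDC's account lookup (added example)."""
from urllib.parse import urlsplit

# Assumption: these are the ports IE treats as standard and never appends to the SPN.
STANDARD_PORTS = {"http": 80, "https": 443}


def ie_spn(url: str, include_port: bool) -> str:
    """SPN Internet Explorer asks the TGS for. include_port=False is the default
    behaviour of IE6/7/8; True is the behaviour once the KB 908209 registry entry
    is in place. The prefix is HTTP/ for both http and https URLs."""
    parts = urlsplit(url)
    port = parts.port or STANDARD_PORTS[parts.scheme]
    if include_port and port != STANDARD_PORTS[parts.scheme]:
        return f"HTTP/{parts.hostname}:{port}"
    return f"HTTP/{parts.hostname}"


def kdc_lookup(spn: str, accounts: dict):
    """Account whose servicePrincipalName holds spn, as the KDC resolves it.
    None when nobody registered it (KDC_ERR_S_PRINCIPAL_UNKNOWN); ValueError when
    two accounts claim it (duplicate SPN, Kerberos then fails for both services)."""
    owners = [name for name, spns in accounts.items() if spn in spns]
    if not owners:
        return None
    if len(owners) > 1:
        raise ValueError(f"duplicate SPN {spn}: {owners}")
    return owners[0]


def kerberos_auth_ok(url: str, include_port: bool, accounts: dict, pool_account: str) -> bool:
    """Can the web site at url, whose application pool runs as pool_account,
    decrypt the service ticket? Only if the KDC issued it for that very account."""
    return kdc_lookup(ie_spn(url, include_port), accounts) == pool_account


# Scenario 1 (constructed): two app pools under two accounts, port SPN registered.
SPLIT_ACCOUNTS = {
    "W2K\\svc_portal": {"HTTP/www.w2k.pl"},
    "W2K\\svc_reports": {"HTTP/www.w2k.pl:8080"},
}
# Scenario 2 (constructed): the IE6-era setup, both sites under one account, no port SPN.
SHARED_ACCOUNT = {"W2K\\svc_web": {"HTTP/www.w2k.pl"}}

if __name__ == "__main__":
    url = "http://www.w2k.pl:8080"
    for include_port in (False, True):
        print(f"port in SPN={include_port}: SPN={ie_spn(url, include_port)}",
              "split accounts ->", kerberos_auth_ok(url, include_port, SPLIT_ACCOUNTS, "W2K\\svc_reports"),
              "shared account ->", kerberos_auth_ok(url, include_port, SHARED_ACCOUNT, "W2K\\svc_web"))
```

Run as is it prints the two outcomes side by side: without the port only the shared-account setup works, with the port only the split-account setup works unless HTTP/www.w2k.pl:8080 is registered as well.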

What I would like to see is a configuration option which would enable this behavior through GPO … feedback given :).

One of my friends, a PFE, has asked me a question regarding the userPassword attribute in the directory, which was related to some behavior he was observing in a customer environment. We had a little chat about it and then I thought that maybe others have such questions as well, so … here’s a topic for a blog.

The behavior my friend was observing was related to the fact that after some operations performed in the environment the customer noticed that on some objects affected by these operations this attribute contained the user password in clear text … now I can hear the screams of all the security guys :) … Yes, clear text and password have some connotations … in most cases negative ones.


Of course the fact that this password was there didn’t mean that it was available to anyone willing to read it … some ACLs still apply in the directory … however the fact was that IT WAS THERE.

Matched DNs:
Getting 1 entries:
>> Dn: CN=jan Kowalski,OU=DRLab,DC=w2k,DC=pl
    4> objectClass: top; person; organizationalPerson; user;
    1> cn: jan Kowalski;
    1> sn: Kowalski;
    1> userPassword: P@ssw0rd!;

Whatever you think at this point, this is not a bug and there is no point in calling the MSFT 112 number (if such exists at all :) ). It is expected, and it is a result of the dualism in userPassword attribute behavior in AD.


userPassword …

userPassword is an attribute which can act differently when it is being written or read, depending on the directory configuration. Depending on directory settings it can be treated as:

  • an ordinary unicode attribute which can be written and read as any other unicode attribute in the directory
  • a shortcut to the user password in the directory, which allows a password change operation to be performed over LDAP.

In the first case, when the domain is below the Windows 2003 level, or it is at this level but the specific value in dsHeuristics is not set, this attribute is just a unicode attribute. We can write it and read it … let’s try:

admod -b "CN=jan Kowalski,OU=DRLab,DC=w2k,DC=pl" userPassword::P@ssword!!1

AdMod V01.10.00cpp Joe Richards (joe@joeware.net) February 2007

DN Count: 1
Using server: w2003r2base.w2k.pl:389
Directory: Windows Server 2003

Modifying specified objects...
   DN: CN=jan Kowalski,OU=DRLab,DC=w2k,DC=pl...

The command completed successfully

So we could modify this attribute … now let's try to read it:

adfind -b "CN=jan Kowalski,OU=DRLab,DC=w2k,DC=pl" -s base userPassword

AdFind V01.40.00cpp Joe Richards (joe@joeware.net) February 2009

Using server: w2003r2base.w2k.pl:389
Directory: Windows Server 2003

dn:CN=jan Kowalski,OU=DRLab,DC=w2k,DC=pl
>userPassword: 5040 7373 776F 7264 2121 31

1 Objects returned

Success! So apparently we can write and read this attribute, and if you conduct this test on your own you will see that it does not affect the user password in any way. We have just altered a text in a directory attribute.

However, the game rules change if we set the 9th character in dsHeuristics to 1 (in fact, according to the documentation, any character other than 0 or 2 should work): writes to this attribute will behave differently. After this modification the userPassword attribute is write-only and we can’t read it anymore. But it will allow us to modify the user password. Let's see …

First dsHeuristics modification:

admod -b "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=w2k,DC=pl" dsHeuristics::000000001

AdMod V01.10.00cpp Joe Richards (joe@joeware.net) February 2007

DN Count: 1
Using server: w2003r2base.w2k.pl:389
Directory: Windows Server 2003

Modifying specified objects...
   DN: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=w2k,DC=pl...

The command completed successfully

Done … now let’s try to do the same modification as we did earlier:

admod -b "CN=jan Kowalski,OU=DRLab,DC=w2k,DC=pl" userPassword::P@ssword!!1

AdMod V01.10.00cpp Joe Richards (joe@joeware.net) February 2007

DN Count: 1
Using server: w2003r2base.w2k.pl:389
Directory: Windows Server 2003

Modifying specified objects...
   DN: CN=jan Kowalski,OU=DRLab,DC=w2k,DC=pl...: [w2003r2base.w2k.pl] Error 0x35 (53) - Unwilling To Perform

Wow … an error … but why? We’ve just tried to modify the user’s password over the LDAP protocol, and in AD this is only allowed over an SSL connection, which was not specified in this case. So one more try, using LDAPS this time:

admod -b "CN=jan Kowalski,OU=DRLab,DC=w2k,DC=pl" userPassword::P@ssword!!1 -ssl -h w2003r2base.w2k.pl:636

AdMod V01.10.00cpp Joe Richards (joe@joeware.net) February 2007

DN Count: 1
Using server: w2003r2base.w2k.pl:636
Directory: Windows Server 2003

Modifying specified objects...
   DN: CN=jan Kowalski,OU=DRLab,DC=w2k,DC=pl...

The command completed successfully

Now it has succeeded, and now the read test:

adfind -b "CN=jan Kowalski,OU=DRLab,DC=w2k,DC=pl" -s base userPassword

AdFind V01.40.00cpp Joe Richards (joe@joeware.net) February 2009

Using server: w2003r2base.w2k.pl:389
Directory: Windows Server 2003

dn:CN=jan Kowalski,OU=DRLab,DC=w2k,DC=pl

1 Objects returned

Nothing. This means that we can use the userPassword attribute to modify the user password, but of course we can’t read it afterwards … which is somehow expected.

Problem …

The actual topic which started this conversation was KTPASS tool behavior observed in a customer environment (KTPASS is a tool which allows keytab files to be created –> keytabs are used with Unix boxes to allow authentication with Kerberos against AD … in short).

So … in cases where KTPASS was used for an account, and no modification to dsHeuristics had been made, the password set for the account with KTPASS was available for reading with LDAP from the appropriate directory object. Apparently KTPASS is setting the password using LDAP, which leaves it in this attribute. A quick test shows that this is the case. If we try to generate a new keytab for an account and specify a password:

ktpass -princ HOST/ubuntu.w2k.pl@W2K.PL -mapuser ubuntu$@W2K.PL -ptype KRB5_NT_SRV_HST -mapop set -pass P@ssw0rd1 -out ubuntu.keytab

(…)

Reset UBUNTU$'s password [y/n]?  y
Key created.
Output keytab to ubuntu.keytab:
Keytab version: 0x502
keysize 60 HOST/ubuntu.w2k.pl@W2K.PL ptype 3 (KRB5_NT_SRV_HST) vno 2 etype 0x17
(RC4-HMAC) keylength 16 (0xae974876d974abd805a989ebead86846)


and then we use ADFIND:

adfind -b "CN=ubuntu,OU=DRLab,DC=w2k,DC=pl" -s base userPassword

AdFind V01.40.00cpp Joe Richards (joe@joeware.net) February 2009

Using server: w2003r2base.w2k.pl:389
Directory: Windows Server 2003

dn:CN=ubuntu,OU=DRLab,DC=w2k,DC=pl
>userPassword: 5040 7373 7730 7264 31

We will see that userPassword gets populated, and if you check its value it will be the password specified with KTPASS. The same will happen with any other tool which uses LDAP to change or reset a user password in such a setup.

If we modify this behavior by setting the value in dsHeuristics, it will change the directory behavior and userPassword will contain no trace of password data in readable form.

Solution …

I think that there is no need for a special solution, as we don’t have a problem. The best way is to know how it works and, if we are concerned about it, just use this knowledge to enforce correct behavior … either by establishing some policy around the usage of tools which use LDAP to modify passwords, or through altering directory settings to allow password change through LDAP and thus stopping userPassword from holding the current user password just “by accident”.

Of course ACLs still apply, but one might be in the hard position of explaining to some AUDITOR why THE PASSWORD IS THERE. In such a case … you can redirect them to my blog, or better … to the MSDN pages.
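As an added example (not code from the original post), the helpers below build a dsHeuristics value that changes only the 9th character, so flags already set elsewhere in the string survive instead of being overwritten the way the admod command above does; they also classify userPassword behavior from that value and decode the hex that adfind prints for a populated userPassword, so the objects an auditor will ask about can be listed. The sample adfind output is the one shown in this post; the presence filter in the docstring is an assumption about how you would collect it.

```python
"""dsHeuristics editing and a userPassword exposure check (added example)."""

USER_PWD_SUPPORT_POS = 9  # 1-based position of fUserPwdSupport in dsHeuristics


def set_ds_heuristic(current: str, position: int, value: str) -> str:
    """Return dsHeuristics with character `position` (1-based) set to `value`.
    Every other character is kept, the string is padded with '0' as needed,
    and the marker characters the attribute format requires are filled in:
    every 10th character must hold its decade digit ('1' at 10, '2' at 20...)."""
    if len(value) != 1 or position < 1:
        raise ValueError("value must be one character and position >= 1")
    if position % 10 == 0:
        raise ValueError("positions 10, 20, ... are reserved marker characters")
    chars = list((current or "").ljust(position, "0"))
    chars[position - 1] = value
    for marker in range(10, len(chars) + 1, 10):
        chars[marker - 1] = str(marker // 10)
    return "".join(chars)


def user_password_is_plain_attribute(ds_heuristics: str) -> bool:
    """True when userPassword behaves as an ordinary readable attribute, i.e. the
    9th character is missing, '0' or '2' (the rule quoted in the post). False means
    writes go to the real password and the attribute reads back empty."""
    if len(ds_heuristics) < USER_PWD_SUPPORT_POS:
        return True
    return ds_heuristics[USER_PWD_SUPPORT_POS - 1] in "02"


def decode_adfind_octets(hex_groups: str) -> str:
    """adfind prints octet-string attributes as space separated hex bytes; decode them."""
    return bytes.fromhex(hex_groups.replace(" ", "")).decode("utf-8")


def find_readable_user_passwords(adfind_output: str) -> dict:
    """Map dn -> decoded userPassword for every object in adfind output where the
    attribute is populated. Assumed collection command for a whole domain:
    adfind -f "(userPassword=*)" userPassword"""
    found, dn = {}, None
    for line in adfind_output.splitlines():
        if line.startswith("dn:"):
            dn = line[3:].strip()
        elif line.startswith(">userPassword:") and dn:
            found[dn] = decode_adfind_octets(line.split(":", 1)[1].strip())
    return found


# adfind output as shown in this post (two objects)
SAMPLE_ADFIND = """\
dn:CN=jan Kowalski,OU=DRLab,DC=w2k,DC=pl
>userPassword: 5040 7373 776F 7264 2121 31

dn:CN=ubuntu,OU=DRLab,DC=w2k,DC=pl
>userPassword: 5040 7373 7730 7264 31
"""

if __name__ == "__main__":
    new_value = set_ds_heuristic("", USER_PWD_SUPPORT_POS, "1")
    print("dsHeuristics to write:", new_value,
          "-> userPassword readable:", user_password_is_plain_attribute(new_value))
    for dn, pwd in find_readable_user_passwords(SAMPLE_ADFIND).items():
        print(f"{dn}: userPassword populated ({len(pwd)} chars)")
```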

Some time ago, when Windows 2008 was released, I had some spare time (where are those days) and I wanted to master some of my .NET coding skills. What is better than finding an idea to use them … and that’s how the 1Identity Snapshot Recovery Tool was created.

The Snapshot Recovery Tool is a command line tool which might be used to un-delete an existing tombstone and later to populate all or some of its attributes with data from a directory services snapshot.

Snapshots are a nice feature introduced in Windows 2008 which allows you to inspect Active Directory content at the point in time when the snapshot was taken. My opinion is that this was a half-baked attempt to introduce something like the Recycle Bin which is present nowadays in W2008R2. But hey … it was there, so I decided to use it.

Using this tool and snapshot data one can recover all attributes, including links such as the memberOf attribute for a user and member for a group.

It can recover a single object or multiple objects based on a GUID list or an LDAP query.

A few words about the original place where this tool was published – 1Identity. 1Identity was an initiative of mine to build an independent network of directory services and identity experts which would build tools and documentation … it didn’t work this time, mostly because of lack of time on my side. Maybe one day I will get back to this idea.

In the meantime … the snapshot recovery tool is back here on DirTeam.org, and if you want it and can find a use for it … feel free to use it.

Comments, bug reports and suggestions are welcome here or at t.onyszko@w2k.pl.


P.S.#1 I want to say a big THANK YOU here to Jorge, who has tested this tool and provided very useful feedback regarding functionality and bugs, and showed this tool a few times at some (DEC\TEC) occasions.

P.S.#2 I also want to say thank you to all of you who have tried this tool and liked it. I read some blog posts and comments about it and it was nice to read that my work has actually helped somebody.

This post is probably the first of a TEC 2009 follow-up series, at least partially, as I thought about covering it just before going to TEC. However, Brian Desmond touched on this topic during his session, so it is a good reason to follow up on it.

This will be about the usage of catch-all subnets in AD topology design. What does catch-all subnet mean?? Let's start from the definition.



What’s this about …

When a client computer is trying to locate a domain controller it performs a location process during which it will try to discover its site based on the network subnet information which it sends to a DC (Jorge has put a nice description of the DC location process in three parts – I, II, III). If the client determines its site, it will then try to locate a DC in this site using DNS queries. The site location process from the Active Directory perspective is based on the sites and subnets defined in AD. If the client network subnet matches a subnet object defined in AD, the client is assigned to the site to which this subnet was assigned at the directory level.

But there might be a situation in which the client is not able to determine its site because the subnet object corresponding to the client’s network subnet was not defined in Active Directory. In such a situation the client will pick one of the available DCs (I will cover what “available” means in this context later) it can reach and will use it for its operation. The problem is that this might be far from the most optimal DC for this client to use – for example it might be a DC in some far away and poorly connected branch site.

So what if we create one subnet object (or a few of them) which spans multiple sites and covers all of the subnets used in our network? If these super subnet objects are connected to some site, our client will always be able to determine its site and in the end determine the corresponding DCs. In the worst case the client will use a DC that is not optimal, but one in the site for which the catch-all subnet was configured. Done. Some explanation of this topic can be found in an article in TechNet Magazine.

So what’s the catch …

Looks promising, but – can we do this another way? Yes we can, and I wrote about it earlier in my post How to cover un-covered – the case of missing subnet. In short, we can use DNS registration to control which site will be chosen by the client in case it is not able to determine the exact site it belongs to. This can be achieved through proper registration of site specific and domain specific SRV records. If the client is not able to locate its own site, it will pick one of the DCs which registered the domain specific records.

And that’s it … is it a better approach than a catch-all subnet? Probably it is just a personal preference, but I like to use DNS records over such subnets. It is a more elegant solution for me and I think that it is easier to manage and troubleshoot in case of some problems. The choice is yours …


When catch-all subnet can benefit …

However, I can see scenarios in which a catch-all subnet can have some benefit. Let’s take a look at a topology which is not exactly hub-and-spoke but is something which is sometimes called a snowflake. In such a topology we have a central site (hub) and two or more tiers of satellite sites.


If we want to gather traffic from all clients in the 3rd tier at the 2nd tier level, and not redirect them to one of the DCs in the hub even when they can’t find their site, we can’t do this with DNS records. In such a case we can use a catch-all subnet for each region \ sub-region, configured at the 2nd tier site level, to control the behavior of clients and keep all clients attached to the correct site at the 2nd tier of our topology, as on the picture.


Of course DNS record registration should also be correctly planned and configured for such a design.


And that’s basically it – this just came up in Brian’s session at TEC, and maybe it would not have caught my ear\eye if I had not read this article on TechNet just before TEC.


So what do you think about using catch-all subnets? Are you using them? Any other ideas or comments? Comments are open … so is the contact form :).

During preparation for TEC sessions and during TEC I noted some topics to blog about in the future, so I hope that I will find time to blog about them soon. I also noted some URLs to tools which are out there, so today’s post is some kind of web press review.

Patch management. If you have ever wondered how to deploy updates, maybe you will get interested in the script which was posted by Brian Desmond on his blog. Pretty interesting if you ask me. Worth checking.

Group nesting. If you are managing AD environment and You have nothing against using W2008R2 Powershell you might take a look at script posted on AD Powershell team blogs site. It allows You to select group and analyze how it is nested in other groups and even present it in (sic!) tree form. Nice example how to utilize R2 Powershell capabilities.

Speaking about R2 Powershell. As some of You may know these cmdlets are not utilizing LDAP but brand new AD Web Service which is also being shipped with R2. For down level DCs (look how quickly W2008 has become down level :) ) there is web download which delivers this service for Windows 2003 and 2008 DCs and ADAM \ AD LDS. It is called Active Directory Management Gateway and will allow You to manage these DCs with Powershell.

At the end something from other area – file server. New tool has hit Downloads web site – it is File Server Capacity Tool which comes in 32-bit i 64-bit flavor. I think name of this tool is self explaining.

So that’s all from web review for today …

So against all the commercials from mobile operators there are still places with absolutely no cell coverage ;). Now it’s time to give a final review to my sessions for TEC.


A small but important change was introduced in the ILM 2007 FP1 FAQ:


Wow … this means that something which has already happened at many customers is now an officially supported configuration. Good for customers who are running ILM in a VM or are thinking about moving to it with ILM.


(cc) BikoBikoBiko

The FAQ mentions Hyper-V explicitly, but as far as I understand KB 897615 this means support on SVVP-approved platforms. In case you need clarification on that, ask your TAM (if you have PSS you know who the TAM is :) ).

ActiveDir.org is always a source of all sorts of directory-related discussion. In most cases interesting ones. I have to admit that I would like to have more time to catch up with ActiveDir.org and to be more active there (note to self) but with Wojtek @ home (he’s growing) it is getting even harder than before.

BTW – if you want to look for something AD-related you can use the custom search engine which was put together by Rick, one of the ActiveDir.org members.

Today I was lurking through posts and I found a discussion about using multiple UPN suffixes within a domain, and by multiple the member who asked this question meant a few thousand. This configuration was intended to allow some users (partners) to log on with their e-mail addresses to a hosted directory.

A few useful pieces of information were thrown into the thread. Quick summary:

  • The GUI limits the number of suffixes that can be entered at forest level to 850 (Andrew Levicki); more can be added with scripts
  • more means ~1300 UPN suffixes in Windows 2003 and later, which can be stored in the upnSuffixes attribute on CN=Partitions,<configuration partition>, and with a script you can enter whatever you like for a specific user (joe). It is the UI which enforces forest-wide suffixes on the user object. And you have to be careful if it is a configuration with a forest trust [1]. But for that number of users and suffixes the GUI probably won’t be the preferred tool.
  • We have explicit and implicit types of UPNs (Rick S.). See also KB 929272.
  • If you want to use the GUI anyway you can easily extend the context menu with a script which will allow you to set the desired UPN suffix for a user (Jorge).

Jorge’s last comment about extending the UI in this way caught my eye, as there is a bit more comfortable option, which is often omitted, if you want to be able to set a different UPN suffix for users in a hosted (or similar) environment. This is setting the upnSuffixes attribute at OU level.

If users which will share a common UPN suffix can be grouped in a single OU structure (for example users from a single partner company), one can set the upnSuffixes attribute at OU level to the desired value


This value will later be presented in the GUI when a new user is created, along with the other UPN suffixes configured for the forest.

Voilà … and it’s done. The problem is that for another OU in this structure the same value (or a different one) will have to be set, as this information is not inherited from the parent OU.

But I agree with joe – with that number of users the GUI probably won’t be the preferred tool. But anyway … it is good to know and maybe somebody will benefit from this knowledge.

[1] - Using multiple UPN suffixes you have to remember that as long as these suffixes are only used within a single forest they are not so important. However with multiple forests UPN suffixes are used to route authentication requests, so you don’t want to get it broken; plan for it before you deploy it in production.
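An added example of the OU-level setting described above, using the Windows 2008 R2 AD PowerShell module (this is my own example code, not from the original post or the ActiveDir.org thread; the OU distinguished name and the suffix are placeholders). It adds a suffix to an OU’s upnSuffixes, reads the forest-wide list, and then reports users under the OU whose UPN suffix is not on any known list, which is the kind of check footnote [1] asks for before a forest trust starts routing on those suffixes.

```powershell
# Added example: set a UPN suffix at OU level and audit the users beneath it.
# Assumes the ActiveDirectory module (Windows 2008 R2 RSAT or later);
# the OU distinguished name and the suffix are placeholders.
Import-Module ActiveDirectory

$ouDn   = 'OU=PartnerA,OU=Hosted,DC=corp,DC=example'   # placeholder OU
$suffix = 'partner-a.example'                           # placeholder UPN suffix

function Get-ForestUpnSuffixes {
    # The forest-wide list lives in upnSuffixes on CN=Partitions in the
    # configuration partition, as noted in the thread; Get-ADForest exposes it.
    return @((Get-ADForest).UPNSuffixes)
}

function Add-OuUpnSuffix {
    param([string]$Dn, [string]$Suffix)
    # upnSuffixes is multi-valued, so -Add rather than -Replace keeps existing values.
    # The value is not inherited: every child OU needs its own entry.
    Set-ADOrganizationalUnit -Identity $Dn -Add @{ upnSuffixes = $Suffix }
    return @((Get-ADOrganizationalUnit -Identity $Dn -Properties upnSuffixes).upnSuffixes)
}

function Test-UserUpnSuffixes {
    param([string]$Dn)
    # Returns users under the OU whose UPN suffix is neither the domain DNS name,
    # nor a forest-wide suffix, nor a suffix set on the OU itself. Scripts can
    # write such UPNs (only the UI enforces the forest-wide list), and they are
    # the ones that will not route correctly across a forest trust.
    $allowed = @((Get-ADDomain).DNSRoot) +
               (Get-ForestUpnSuffixes) +
               @((Get-ADOrganizationalUnit -Identity $Dn -Properties upnSuffixes).upnSuffixes)

    Get-ADUser -SearchBase $Dn -SearchScope Subtree -Filter * -Properties userPrincipalName |
        Where-Object { $_.UserPrincipalName } |
        ForEach-Object {
            $userSuffix = ($_.UserPrincipalName -split '@', 2)[1]
            if ($allowed -notcontains $userSuffix) {
                New-Object PSObject -Property @{
                    SamAccountName    = $_.SamAccountName
                    UserPrincipalName = $_.UserPrincipalName
                    UnknownSuffix     = $userSuffix
                }
            }
        }
}

"Forest-wide suffixes: $((Get-ForestUpnSuffixes) -join ', ')"
"OU suffixes after change: $((Add-OuUpnSuffix -Dn $ouDn -Suffix $suffix) -join ', ')"
Test-UserUpnSuffixes -Dn $ouDn | Format-Table SamAccountName, UserPrincipalName, UnknownSuffix -AutoSize
```

The audit function is the part worth keeping: run it per partner OU after a bulk load, since a UPN with a suffix that is neither forest-wide nor on the OU will look fine in the UI and only fail once a trusting forest tries to route the logon.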

Windows 2008 R2 has hit RTM and many users have already downloaded it from TechNet and MSDN to evaluate or even deploy in their networks. W2008R2 brings changes in many different aspects of the operating system; some are saying that it should not be R2 but a brand new OS version. Among others, R2 also brings changes in the Active Directory area. This raises a common question in the ILM community which was asked last week on the TechNet ILM forum:

Are there any known issues with the ADMA and 2008 R2 DCs?

So let’s check if there are … :).

Important note: you have to remember that at the time this post is being written, using the ILM AD MA with Windows 2008 R2 forests is not a supported configuration.

Despite the test results described further in this post, if you want to go live with Windows 2008 R2 and you are using ILM 2007, please contact PSS or your respective Microsoft representative and discuss this with them.

Yes … I work for Microsoft, but this is a private blog and the configuration and tests described below can’t be treated as official Microsoft documentation or statement.

I’ve set up a simple lab on Hyper-V R2 with two machines:

  • a DC running Windows 2008 R2 in R2 native mode
  • Windows Server 2008 with SQL 2005 and ILM 2007 FP1.

A single management agent was configured to connect ILM to my forest and a few simple tests were performed:

  • initial full import
  • delta import after adding \ modifying \ deleting a user object

All works fine. Then I also created a simple SQL MA with some tables, configured a projection rule for the AD MA to bring objects into the metaverse, join rules for the SQL MA and some flows to flow data from the SQL MA through the MV to AD. This was supposed to test the export operation and this also worked great … so far so good.

Now … the only new R2 feature which really might have an impact on ILM MA operations is the Recycle Bin feature. Its simplest description is:

Information technology (IT) professionals can use Active Directory Recycle Bin to undo an accidental deletion of an Active Directory object.

Basically it introduces a new object state in AD where the object is deleted but still retains all attributes and, what is more important, can be brought back to life with all these attributes without using a backup.

(cc) Spacing magazine

A more technical description can be found on TechNet pages. So with the Recycle Bin an AD object can be in a Recycled or Deleted state. Let’s enable this feature and see if it affects AD MA actions. The scope of our MA was configured for the R2 forest with user and group objects in scope. No connector filtering.

Step 1: Delta import after user add \ rename \ delete


Looks fine. All changes, including the delete, which was in fact an operation putting the object into the Recycle Bin, were picked up correctly. So far so good. It looks like it works as it should.

Step 2: Delta import after a user who is a member of a group was deleted

Another test was to delete a user who is a member of a group which is also in scope of the ILM MA. A user named "7User” (brilliant names for test users ;) ) was selected for this test as he was a member of “TestLink group”.


Delta import after such operations results in information about a single object being deleted, which is our user:


Now we have the first problem … we don’t have information about this member being removed from a group which is also in scope of our MA. Why has this happened?

The answer is that when the Recycle Bin is enabled, an object which is in the Recycle Bin is not removed from linked attributes like member on a group; instead these links are de-activated. This allows the user to be restored later out of the Recycle Bin with its group membership without the need for additional operations. You can see deactivated links using the LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID extended LDAP control:


Shameless plug: if you are interested in how to do this in your code check my S.DS.P session at the upcoming TEC conference in Berlin. Not going to TEC … then go :). Still not going … I will post examples here after TEC.
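The post promises S.DS.P examples after TEC; in the meantime, here is an added example (my own code, not the author’s) of reading a group’s member attribute through System.DirectoryServices.Protocols with and without the LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID control, so that the deactivated link of a recycled member becomes visible. The server name and group DN are placeholders; the OID value 1.2.840.113556.1.4.2065 is the one MS-ADTS defines for this control.

```powershell
# Added example: compare a group's member attribute read with and without the
# LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID control. Without the control a member
# sitting in the AD Recycle Bin is invisible; with it, the deactivated link is
# returned, so a membership audit (or an ILM-style delta sync) can see what will
# come back when the object is restored. Server name and group DN are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server  = 'dc1.corp.example'                              # placeholder DC
$groupDn = 'CN=TestLink group,OU=Test,DC=corp,DC=example'  # placeholder group

# Control OID as defined in MS-ADTS for LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID.
$ShowDeactivatedLinkOid = '1.2.840.113556.1.4.2065'

function Get-GroupMemberLinks {
    param(
        [System.DirectoryServices.Protocols.LdapConnection]$Connection,
        [string]$Dn,
        [switch]$IncludeDeactivated
    )
    # Base-scope read of just the member attribute of the group.
    $request = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $Dn, '(objectClass=group)',
        [System.DirectoryServices.Protocols.SearchScope]::Base, 'member')

    if ($IncludeDeactivated) {
        # No control value; critical=$true so a DC that does not understand the
        # control (pre-R2, or Recycle Bin not enabled) fails the request instead
        # of silently returning the filtered view.
        $control = New-Object System.DirectoryServices.Protocols.DirectoryControl(
            $ShowDeactivatedLinkOid, $null, $true, $true)
        [void]$request.Controls.Add($control)
    }

    $response = $Connection.SendRequest($request)
    if ($response.Entries.Count -eq 0) { return @() }
    $attr = $response.Entries[0].Attributes['member']
    if ($null -eq $attr) { return @() }
    return @($attr.GetValues([string]))
}

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($server)
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()    # binds with the current Windows credentials

$active = @(Get-GroupMemberLinks -Connection $conn -Dn $groupDn)
$all    = @(Get-GroupMemberLinks -Connection $conn -Dn $groupDn -IncludeDeactivated)

# Anything present only in the second read is a deactivated link: a member that
# is in the Recycle Bin and will be re-activated if the object is restored.
$deactivated = @($all | Where-Object { $active -notcontains $_ })

"Active members   : $($active.Count)"
"Deactivated links: $($deactivated.Count)"
$deactivated | ForEach-Object { "  $_" }

$conn.Dispose()
```

Two caveats for real groups: the deactivated values come back as the deleted object’s DN under the Deleted Objects container, not the original DN, so match on objectGUID if you need to correlate them; and a group with more than the server’s per-attribute limit of member values (1500 by default) returns the attribute under a ranged name such as member;range=0-1499, which this base read does not page through.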

Step 3: Bring me back to life … reactivating the object

So we are missing information about changes in group membership after a user who was a member of this group was put in the Recycle Bin in Active Directory. But let’s check what will happen if we restore this user out of the Recycle Bin (and I will do this using the old-fashioned ldp.exe tool instead of the brand new PowerShell for AD interface … sorry Dean if you are reading this :) ).


Well, after performing this operation and executing the delta import again we can see that this user was added again … so it was recycled. However this again has not shown us a change in group membership, as the proper link in its value was just activated.

So we have a problem here: changes which affect a user object and put this user in the AD Recycle Bin are not reflected on objects on which this user object is referenced through a linked attribute.

How to work around this shortcoming ... well … a full import will bring this information back again into the connector space, but this isn’t perfect, as full imports are far from optimal from a performance perspective in most organizations which are using ILM.

Conclusion …

So even if at first it looks like the ILM Active Directory MA works well with the R2 AD version in a scenario where the Recycle Bin feature is enabled, it has some issues. I have performed some simple tests and I haven’t touched the CLM part of ILM.

I know that the product group has identified this problem and probably we will get a resolution some time from now. But I don’t know if and when Windows 2008 R2 will be fully supported (including the Recycle Bin) with the AD MA. If you want to get a statement on that you will have to contact PSS.

And BTW … a new hotfix package for ILM 2007 FP1 was just released with KB969742

Well … at least in Poland we say that what happens once can happen again … like in the Battlestar Galactica world. In recent days it turned out that the same saying is true for network protocols. At least for one of them, some time ago well known as Finger.

For those who are too young to remember (and I think we now have a generation of Internet users who might never have heard about Finger), it was a protocol which allowed one to issue a simple query to a server (if somebody had set one up) to get some basic information about a given user. A simple

finger tomaszon@server

would return information like the real name etc.

It turned out that some people at Google have come up with the idea that we can take the same protocol idea and apply it in the current Internet world. But instead of using some form of client (finger was a client to a service) and a server address it should use something more familiar to the ordinary user … an e-mail address. Just send it to a WebFinger service and you will get some information about the owner of this e-mail. That simple.

(cc) ethangibbs808

Right now an e-mail address is … well … just an e-mail address. Can it be something more with WebFinger? Let the project web page speak:

If I give you my email address today, you can't do anything with it except email me. I can't attach public metadata to my email address to give you more information. WebFinger is about making email addresses more valuable, by letting people attach public metadata to them. That metadata might include:

  • public profile data
  • pointer to identity provider (e.g. OpenID server)
  • a public key
  • other services used by that email address (e.g. Flickr, Picasa, Smugmug, Twitter, Facebook, and usernames for each)
  • a URL to an avatar
  • profile data (nickname, full name, etc)
  • whether the email address is also a JID, or explicitly declare that it's NOT an email, and ONLY a JID, or any combination to disambiguate all the addresses that look like something@somewhere.com
  • or even a public declaration that the email address doesn't have public metadata, but has a pointer to an endpoint that, provided authentication, will tell you some protected metadata, depending on who you authenticate as.

... but rather than fight about the exact contents.

Wow … so “Show me your e-mail and I will tell you who you are!”. E-mail as identity, or at least as a Universal Identity Locator (UIR).

A somewhat similar idea is behind i-names or OpenID (I know, the analogy is a stretch, but it is there). But WebFinger is trying to address one thing which stands in the way of adoption of these technologies by the ordinary Internet user – the need to remember some new name \ URL \ identifier. Everybody knows their e-mail … OpenID provider … only geeks can remember that ;).

How might it be used … let’s see … OpenID. Instead of providing the URL of an OpenID provider, the user will provide the Relying Party with his e-mail and the RP will use WebFinger to get details of the OpenID URL and will handle redirection to the correct web page.

PKI and e-mail … while writing an e-mail to a person you hit the ‘encrypt’ magic button and your mail agent contacts the proper WebFinger server and retrieves the public key of that person. The recipient’s mail agent does the same when the e-mail is being read. Public key exchange made easy …

… not to mention all the Web 2.0 application developers who will be in a heaven of information about the applications and places a user uses etc. Connections made easy.

Sounds great …

Just a side note … does it remind you of something? Identity Provider? Security Token Service? Does it ring a bell :)? At the end this is very similar to what an STS would do …

But looking at this idea from the other side …

… first, what one of the users on my Polish blog pointed out to me is that in some way such a service would be a great source of information for all sorts of spammers etc. But as spam is still a problem, I think that this might be mitigated in some way.

… second, I’m really not sure if I’m completely sold on the e-mail as identity or UIR idea. People are using many e-mail addresses … business, private, private from school time etc. Via WebFinger e-mail is no longer an identity attribute (claim) but it turns into an integral element of one’s identity. Right now changing an e-mail is just inconvenient … you have to notify your address book citizens and probably change it in many services \ applications (once again – a switch to IP \ STS \ claims might solve some of these problems). But when e-mail IS your identity pointer in Internet space, changing it is not so easy … and at the end, for one of the biggest (if not the biggest) e-mail SaaS providers such as Google, keeping you attached to your (g)mail is what is important for them :) … isn’t it?

One way or another this is an interesting idea … we will see if it becomes a real thing or ends up on the pile of forgotten protocols

This September – at least for me – is speaking season. I’m speaking at two conferences. The first is TEC 2009 organized by Quest in Berlin. TEC will gather many well known people as speakers – let me quote Gil here:

TEC is comprised of two conferences this year. TEC/Identity and Access features speakers from Microsoft (Alex Weinert, Markus Vilcinskas, and Tomasz Onyszko for ILM/FIM 2010, Dean Wells, Nathan Muggli, and Brett Shirley for DS, and Matt Steele for Geneva), as well as notable MVPs Guido Grillenmeier, Jorge de Almeida-Pinto, and Brian Desmond.

TEC/Exchange includes Ross Smith IV, Greg Taylor, and Brett Shirley from Microsoft, as well as Exchange MVPs Ilse van Criekinge and Michael B. Smith.

And yes … I’m really flattered that I was mentioned in this announcement :).

Unfortunately I had to cancel my attendance at TEC 2009 in Las Vegas earlier this year, but all signs show that I will make it to Berlin.

I’m going to present two sessions, one in the directory services track and the second in the IdM track, related to ILM:


If you attend TEC and you are interested in these topics I will be more than glad to host you at my sessions :). And even if you don’t attend my sessions and just want to say “hi”, catch me in the breaks ;).

If you are not attending TEC … reconsider your decision … ask your boss once again :). At least from my experience it is worth the time and money invested.

The second conference where I will speak is MTS 2009 organized by the Polish MS subsidiary. As this is a Polish conference I will post more details on my second blog. If you are interested check out my W2K.PL blog in a few days from now.
