John Policelli's Blog

Covering Identity and Access Solutions, Unified Communications, Collaboration, and Server Infrastructure.

  • MVP, Directory Services

  • SAMS Active Directory Domain Services 2008 How-To

  • MCITP Self-Paced Training Kit (Exam 70-647): Windows Server® Enterprise Administration

  • Disclaimer

    All data and information provided on this site is for informational purposes only. The author makes no representations as to accuracy, completeness, suitability, or validity of any information on this site and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use. All information is provided on an as-is basis.

Hyper-V Guest Clustering

Posted by John Policelli on January 21st, 2010

I ran into a situation where I needed to cluster two Hyper-V guests. I found several articles that provided guidance around setting up shared storage for this, but none of them were completely accurate. I then stumbled across the below post, which worked perfectly. It’s definitely worth a read.

Hyper-V Guest Clustering Step-by-Step Guide

Posted in Hyper-V | No Comments »

I’m presenting at The Experts Conference (TEC) 2010 in Los Angeles

Posted by John Policelli on January 3rd, 2010

I was very happy to hear that I was selected to present at TEC 2010 in Los Angeles.

TEC was previously known as DEC (Directory Experts Conference). The conference has been expanded to include training on Exchange and SharePoint, and was effectively renamed TEC. Here’s a snippet from the TEC 2010 Website:

For the 9th consecutive year, the TEC team will deliver expert-led, 400-level training on vital Microsoft technologies. In addition to its highly-acclaimed training on Microsoft Directory & Identity technologies, TEC 2010 will bring back a full agenda of Exchange training, staging the world’s leading authorities on Microsoft’s powerful messaging platform. And, this year, for the first time ever, we are pleased to introduce an entirely new TEC for SharePoint training conference!

I will be presenting in the Directory & Identity track. My session is called An In-Depth Look at AdminSDHolder, Protected Groups, and SDPROP.

Here is the abstract for my session:

Active Directory includes a number of built-in controls, which collectively provide an additional level of security for members of privileged groups. Even though these controls have been in place since the inaugural release of Active Directory a decade ago, administrators are still impacted by this functionality regularly. In this session, John Policelli will dive into the AdminSDHolder object, Protected Groups, and the Security Descriptor Propagator. Real-world examples, demos, and theory will be used to provide you with a comprehensive understanding of how these built-in controls interoperate and how you can use them to further secure members of privileged Active Directory groups.

I’ve attended DEC/TEC for several years, and it has proven invaluable each time. I have yet to find any comparable conferences. For more information on TEC 2010, please go to http://www.theexpertsconference.com/. I hope to see you there!

Posted in Publications | No Comments »

Placing Several RODCs in the Same Site

Posted by John Policelli on December 16th, 2009

Microsoft recently published an article that addresses a hot topic – whether or not you should place several RODCs in the same Active Directory site. In my opinion, this article does a good job of giving you the information you’ll need to determine RODC placement. The article can be read here: http://technet.microsoft.com/en-us/library/ee522995(WS.10).aspx

Posted in AD DS | No Comments »

BlackBerry Enterprise Server is Supported on Exchange Server 2010

Posted by John Policelli on December 16th, 2009

In order to enable full support, three updates are required:

More information can be found here and here.

Posted in Exchange Server | No Comments »

Upgrading to Exchange Server 2010

Posted by John Policelli on December 16th, 2009

The Microsoft Exchange Team Blog has started a series of posts that are must reads if you plan to upgrade to Exchange Server 2010. Here’s a list of the posts they’ve published to date:

Posted in Exchange Server | No Comments »

Microsoft Exchange Server 2010 Update Rollup 1 Released

Posted by John Policelli on December 16th, 2009

A couple of months after Exchange Server 2010 was released to manufacturing, Microsoft has released Update Rollup 1. The following is a list of issues fixed in Exchange 2010 Update Rollup 1:

Read the rest of this entry »

Posted in Exchange Server | No Comments »

My “New” Efficiency

Posted by John Policelli on November 29th, 2009

I have finally arrived at the point where I can say that I’m running efficiently :) .

Home Network

  • Windows Server 2008 R2
  • Hyper-V R2
  • Windows 7
  • Office 2010

Mobility

  • Windows Mobile 6.5

Work

  • Exchange Server 2010
  • Windows 7
  • Office 2010

It’s an efficient world after all :) .

Here’s a link to Microsoft’s New Efficiency Website: http://thenewefficiency.com

Posted in Windows Server | No Comments »

How to get Invited to take a Microsoft Beta Exam

Posted by John Policelli on November 25th, 2009

I’ve been following Microsoft Learning’s Born to Learn blog for some time now. I’ve seen a number of public invitations for Beta exams. There’s a great post on this blog which will give you more insight on how to get invited to take a Beta exam. It can be found here: http://borntolearn.mslearn.net/2009/09/understanding-the-beta-invite-process.

Posted in Misc | No Comments »

Exchange Server 2007 Service Pack 2 Update Rollup 1 Released

Posted by John Policelli on November 25th, 2009

Microsoft released Update Rollup 1 for Exchange Server 2007 SP2. There are almost 50 issues that the update rollup fixes. Details on the Update Rollup can be found at http://support.microsoft.com/kb/971534 and http://msexchangeteam.com/archive/2009/11/21/453277.aspx.

Posted in Exchange Server | No Comments »

Exchange Server 2010 Deployment Assistant

Posted by John Policelli on November 11th, 2009

Microsoft just released the Exchange 2010 Deployment Assistant, which can be found by going to http://technet.microsoft.com/exdeploy2010.

Read the rest of this entry »

Posted in Exchange Server | No Comments »

Using PowerShell to Protect OUs from Accidental Deletion

Posted by John Policelli on November 11th, 2009

I stumbled across a good post on Ulf B. Simon-Weidner’s Blog:

http://msmvps.com/blogs/ulfbsimonweidner/archive/2009/11/11/using-ad-powershell-to-protect-ous-from-accidental-deletion.aspx

Posted in AD DS | No Comments »

Exchange 2010 Mailbox Server Role Requirements Calculator

Posted by John Policelli on November 11th, 2009

Great post by the MS Exchange Team:

http://msexchangeteam.com/archive/2009/11/09/453117.aspx

Posted in Exchange Server | No Comments »

Understanding AdminSDHolder and Protected Groups

Posted by John Policelli on November 6th, 2009

NOTE: I revised this article to fix some mistakes and to include new content from Windows Server 2008 R2.

Active Directory has built-in processes that exist to secure users that are members of privileged groups. These processes have been around for quite some time, but Active Directory administrators still get stumped by them regularly. What follows is an updated look at AdminSDHolder, Protected Groups, and SDPROP. Windows Server 2008 R2 specific content has been added.

This article will provide you with the following information:

  • Overview
  • How AdminSDHolder Works
  • Default ACL on the AdminSDHolder Object in Windows Server 2008 R2
  • Default Protected Groups and Users
  • Modifying How Often the AdminSDHolder Background Process Runs
  • How to Determine if a User or Group is Protected by AdminSDHolder
  • Orphaned AdminSDHolder Objects
  • Security Descriptor Propagator
  • How to Force AdminSDHolder to Run
  • Additional Resources
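The following script is an added example and is not part of the original article. It walks through several of the topics listed above with the Active Directory module for Windows PowerShell that ships with Windows Server 2008 R2: it lists the objects SDPROP has stamped with adminCount=1, expands the default protected groups to work out which objects should be protected right now, reports the orphans (objects that still carry adminCount=1 and the locked-down AdminSDHolder ACL although they left every protected group), shows how to clean an orphan up, forces SDPROP to run, and reads the run frequency. The registry path and the 60 to 7200 second range of AdminSDProtectFrequency, the RootDSE operational attribute RunProtectAdminGroupsTask, and the list of default protected groups are stated from knowledge of the platform; the clean-up loop is left commented out so the script is read-only until you deliberately enable it. PowerShell remoting to the PDC emulator is assumed for the last step.

```powershell
# Added example (not from the original article): audit AdminSDHolder-protected
# objects with the Active Directory module on Windows Server 2008 R2 (PowerShell 2.0
# syntax). Run as a domain administrator.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$pdc      = $domain.PDCEmulator

# 1. Objects SDPROP has already marked as protected (adminCount=1). Only users and
#    groups are compared below; computer objects are ignored.
$stamped = Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object { $_.ObjectClass -eq 'user' -or $_.ObjectClass -eq 'group' }

# 2. Objects that should be protected right now: the default protected groups of
#    Windows Server 2008 R2 plus all their direct and nested members. (Account,
#    Server, Print and Backup Operators can be excluded from protection through
#    the dsHeuristics attribute; adjust the list if your forest does that.)
$protectedGroups = 'Administrators','Account Operators','Server Operators',
    'Print Operators','Backup Operators','Domain Admins','Domain Controllers',
    'Enterprise Admins','Schema Admins','Read-only Domain Controllers','Replicator'
$shouldBeProtected = @{}
foreach ($name in $protectedGroups) {
    $grp = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $grp) { continue }
    $shouldBeProtected[$grp.DistinguishedName] = $true      # the group object itself
    Get-ADGroupMember -Identity $grp -Recursive |
        ForEach-Object { $shouldBeProtected[$_.DistinguishedName] = $true }
}
# Administrator and krbtgt are protected directly, not through group membership.
foreach ($acct in 'Administrator','krbtgt') {
    $u = Get-ADUser -Filter "SamAccountName -eq '$acct'"
    if ($u) { $shouldBeProtected[$u.DistinguishedName] = $true }
}

# 3. Orphans: adminCount=1 but no longer in any protected group. SDPROP never
#    clears adminCount or re-enables inheritance, so these objects keep the
#    restrictive ACL (and lose delegated permissions) until cleaned up by hand.
$orphans = $stamped | Where-Object { -not $shouldBeProtected.ContainsKey($_.DistinguishedName) }
"Orphaned AdminSDHolder objects:"
$orphans | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize

# 4. Clean-up of an orphan: clear adminCount and re-enable ACL inheritance.
#    Review the list above first, then uncomment.
# foreach ($o in $orphans) {
#     Set-ADObject -Identity $o -Clear adminCount
#     $acl = Get-Acl -Path "AD:\$($o.DistinguishedName)"
#     $acl.SetAccessRuleProtection($false, $true)   # inherit again, keep explicit ACEs
#     Set-Acl -Path "AD:\$($o.DistinguishedName)" -AclObject $acl
# }

# 5. Force SDPROP to run now instead of waiting for the next 60-minute cycle.
#    Windows Server 2008 R2: write RunProtectAdminGroupsTask=1 to the RootDSE of
#    the PDC emulator (older DCs use FixUpInheritance=1 instead).
$rootDse = [ADSI]"LDAP://$pdc/RootDSE"
$rootDse.Put('RunProtectAdminGroupsTask', '1')
$rootDse.SetInfo()

# 6. How often SDPROP runs: AdminSDProtectFrequency (seconds, 60 to 7200,
#    default 3600) under NTDS\Parameters on the PDC emulator. Read-only here.
Invoke-Command -ComputerName $pdc -ScriptBlock {
    Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
        -Name AdminSDProtectFrequency -ErrorAction SilentlyContinue
}
```

Step 5 is the one to reach for after you change the AdminSDHolder ACL or remove someone from a protected group: without it the effect of the change is invisible for up to an hour and easy to misdiagnose as a replication problem.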

Read the rest of this entry »

Posted in AD DS | 3 Comments »

Exchange 2007 WILL BE Supported on Windows Server 2008 R2

Posted by John Policelli on November 5th, 2009

It’s official: Kevin Allison (GM Exchange Customer Experience) published a post on the Microsoft Exchange Team Blog stating that Exchange 2007 will support Windows Server 2008 R2. The catch: it’s not here yet :) . There is no specific date provided in his post, but he does state “In the coming calendar year we will issue an update for Exchange 2007 enabling full support of Windows Server 2008 R2.”

Posted in Exchange Server | No Comments »

Group Policy Cmdlets in Windows PowerShell

Posted by John Policelli on November 5th, 2009

Microsoft has made Group Policy cmdlets for Windows PowerShell available. These cmdlets, roughly 25 in total, can be used to:

  • Maintain GPOs (create, remove, backup, reporting, and import)
  • Associate GPOs with AD DS containers (link, update, and remove)
  • Set inheritance and permissions on AD DS OUs and domains
  • Configure registry-based settings and Group Policy Preferences Registry settings
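The script below is an added example and not part of the original post; it exercises each of the four areas in the list above with the Group Policy module that ships with Windows Server 2008 R2 and RSAT for Windows 7. It backs up every GPO with an HTML report, flags GPOs that broad principals such as Authenticated Users can edit, scans the registry-based settings of every GPO for AlwaysInstallElevated=1 (a classic local privilege-escalation misconfiguration), and shows the link, inheritance and registry-value cmdlets on placeholder names. The backup folder, OU and GPO names are assumptions; the lines that change the domain are commented out so the script only reads unless you enable them.

```powershell
# Added example (not from the original post): Group Policy cmdlets on
# Windows Server 2008 R2 / RSAT for Windows 7, PowerShell 2.0 syntax.
Import-Module GroupPolicy

$backupDir = 'C:\GPOBackup'                      # assumed path
if (-not (Test-Path $backupDir)) { New-Item -ItemType Directory -Path $backupDir | Out-Null }

$allGpos = Get-GPO -All

# 1. Maintain: back up every GPO and keep a human-readable report next to it.
foreach ($gpo in $allGpos) {
    Backup-GPO -Guid $gpo.Id -Path $backupDir | Out-Null
    Get-GPOReport -Guid $gpo.Id -ReportType Html `
        -Path (Join-Path $backupDir ("{0}.html" -f $gpo.DisplayName))
}

# 2. Permissions: which GPOs can broad principals edit? Anyone who can edit a GPO
#    linked to servers or DCs can run code on them, so this list should be empty.
$broad     = 'Authenticated Users','Domain Users','Domain Computers','Everyone'
$editLevel = 'GpoEdit','GpoEditDeleteModifySecurity','GpoCustom'
$riskyEdit = foreach ($gpo in $allGpos) {
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $broad -contains $_.Trustee.Name -and
                       $editLevel -contains $_.Permission.ToString() } |
        Select-Object @{n='GPO';e={$gpo.DisplayName}},
                      @{n='Trustee';e={$_.Trustee.Name}},
                      Permission
}
"GPOs editable by broad principals:"
$riskyEdit | Format-Table -AutoSize

# 3. Registry-based settings: find any GPO that turns on AlwaysInstallElevated,
#    which lets a standard user install MSI packages as SYSTEM.
$key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer'
$elevated = foreach ($gpo in $allGpos) {
    $v = Get-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName AlwaysInstallElevated `
             -ErrorAction SilentlyContinue
    if ($v -and $v.Value -eq 1) {
        Select-Object -InputObject $gpo DisplayName, Id
    }
}
"GPOs setting AlwaysInstallElevated=1:"
$elevated | Format-Table -AutoSize

# 4. Associate, inherit, and correct: placeholder names, uncomment to apply.
# New-GPLink -Name 'Workstation Baseline' -Target 'OU=Workstations,DC=corp,DC=example' -LinkEnabled Yes
# Set-GPInheritance -Target 'OU=Workstations,DC=corp,DC=example' -IsBlocked Yes
# Set-GPRegistryValue -Name 'Workstation Baseline' -Key $key `
#     -ValueName AlwaysInstallElevated -Type DWord -Value 0
```

Get-GPRegistryValue throws when the key is not configured in a GPO, which is why the call uses -ErrorAction SilentlyContinue and tests the result before reading its Value property.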

Read the rest of this entry »

Posted in AD DS | No Comments »

2.4 Million MCPs and Counting

Posted by John Policelli on October 28th, 2009

Microsoft started publishing the number of MCPs worldwide, broken down by credential on their Microsoft Learning site. The list can be found here: https://www.microsoft.com/learning/en/us/certification/cert-overview.aspx#tab5.

If you drill down a little further on this site, you’ll also find the number of MCAs and MCMs. Here’s the direct link for this information: https://www.microsoft.com/learning/en/us/certification/master.aspx#meet

Posted in Misc | No Comments »

Supported Upgrade Methods for Hyper-V

Posted by John Policelli on October 27th, 2009

Microsoft recently released a KB that outlines the methods that you can use to upgrade a Windows Server 2008 server that has the Hyper-V role installed to Windows Server 2008 R2.

The following methods are discussed in the KB:

  1. Perform an in-place upgrade of the parent partition from Windows Server 2008 to Windows Server 2008 R2.
  2. Export a virtual machine from a Windows Server 2008-based computer that has Hyper-V enabled, and then import it to a server that has Windows Server 2008 R2 with Hyper-V enabled
  3. Using backup software that leverages the Hyper-V VSS Writer, back up a virtual machine that is running on Windows Server 2008, and restore it to Windows Server 2008 R2

As you may have heard, Windows Server 2008 R2 introduces a number of important changes and new features for Hyper-V, so if you are planning to upgrade then you should be familiar with this KB. The KB can be found here: http://support.microsoft.com/kb/957256.

Posted in Hyper-V | No Comments »

Active Directory in Hyper-V Environments

Posted by John Policelli on October 27th, 2009

There’s no doubt that virtualization is hot these days. The following articles, posted on the Dirteam.com Blog, will answer virtually all (no pun intended) questions that you have when it comes to Active Directory in Hyper-V environments.

Posted in AD DS | No Comments »

Designing and Implementing a Microsoft-Based Public Key Infrastructure

Posted by John Policelli on October 27th, 2009

I designed and implemented a fairly complex three-tier PKI, using Windows Server 2003 Certificate Services, a number of years back that proved to be a painful experience. At that time, there was not a lot of documentation available on MS Certificate Services. I recently stumbled across a couple of posts on the Ask the Directory Services Team Blog, which are worth a read if you’re dealing with PKI. They can be found here:

Posted in PKI | No Comments »

Using ADMT 3.1 to Migrate to a Domain that Contains Windows Server 2008 R2 DCs

Posted by John Policelli on October 27th, 2009

As you may have heard, Microsoft is working on ADMT 3.2, which will be fully supported for Windows Server 2008 R2. However, ADMT 3.2 is still under development and there is no official release date as of yet.

In the interim, a KB has been released that discusses the use of ADMT 3.1 with Windows Server 2008 R2 DCs. The KB points out the following supported scenarios for ADMT 3.1 with Windows Server 2008 R2 DCs:

  • ADMT 3.1 must be run from a Windows Server 2008-based computer. The computer must be a member server or a domain controller.
  • ADMT can be installed on any computer that is running Windows Server 2008, unless the computers are Read-Only domain controllers or in a Server Core configuration.
  • The target domain must be based on Windows 2000 Server, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2.
  • The source domain must be based on Windows 2000 Server, Windows Server 2003, or Windows Server 2008.
  • The ADMT agent, which is installed by ADMT on computers in the source domains, can operate on computers that are running Windows 2000 Professional, Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, or Windows Server 2008 R2.

Before you go ahead and use ADMT 3.1 with Windows Server 2008 R2 DCs, you should be aware of the known issues, which can be read by going to http://support.microsoft.com/kb/976659.

Posted in AD DS | 1 Comment »

Enterprise IT Planet Article Published: Windows Server 2008 R2: Introducing the AD Recycle Bin

Posted by John Policelli on October 22nd, 2009

The Active Directory Recycle Bin is a handy new feature in Windows Server 2008 R2. Once enabled, it makes it much easier to recover accidentally deleted Active Directory objects.

Read the rest of this entry »

Posted in Publications | No Comments »

Enterprise IT Planet Article Published: The New AD Domain Services in Windows Server 2008 R2

Posted by John Policelli on September 25th, 2009

Windows Server 2008 R2, released to manufacturing in July, introduces a number of new features, including a host of new Active Directory Domain Services features. We look at the seven that pack the most powerful punch.

Read the rest of this entry »

Posted in Publications | No Comments »

Windows 7: Will you or won’t you

Posted by John Policelli on September 25th, 2009

A Computer World Canada feature, Windows 7: Will you or won’t you, on Windows 7 adoption in Canada ran today following an interview with me. The story interviews a number of IT Managers across industries and business environments to present an overview of business’ approach to Windows 7.

Posted in Publications | No Comments »

Installing Exchange 2007 SP2 with Windows 2008 R2 Domain Controllers Fix Available

Posted by John Policelli on September 23rd, 2009

For more details, see post on the Microsoft Exchange Team Blog: The fix for installation of Exchange 2007 SP2 with Windows 2008 R2 Domain Controllers is now available.

Posted in Exchange Server | No Comments »

Exchange 2010 and Resolution of the AdminSDHolder Elevation Issue

Posted by John Policelli on September 23rd, 2009

Since the release of Exchange Server 2010 RC1, there’s been a lot of debate over some ACEs that are added to the AdminSDHolder object by /PrepareDomain in Exchange 2010 RC1. For more information on this, see Exchange 2010 Modification of AdminSDHolder ACL Can Result in Elevation of Privilege and Exchange 2010 RC1 and AdminSDHolder.

A post was added to the Microsoft Exchange Team Blog this morning that confirms that this has been resolved in the RTM version of Exchange Server 2010. More specifically:

  • /PrepareDomain no longer applies ACEs granted to Exchange Windows Permissions USG on the AdminSDHolder container.  If /PrepareDomain detects the ACEs granted to Exchange Windows Permissions USG on the AdminSDHolder container, /PrepareDomain will remove them.
  • /PrepareDomain no longer applies the extended right ACE User-Change-Password to the Exchange Servers USG on the AdminSDHolder container.  If /PrepareDomain detects this ACE granted to Exchange Servers USG on the AdminSDHolder container, /PrepareDomain will remove it.
  • /PrepareDomain no longer applies the extended right ACE User-Change-Password to the Exchange Servers USG on the domain partition.  If /PrepareDomain detects this ACE granted to Exchange Servers USG on the domain partition, /PrepareDomain will remove it.
  • /PrepareDomain no longer applies unscoped DeleteTree and WriteDacl ACEs on the domain partition. Instead, these ACEs are scoped specifically to user and inetOrgPerson class objects.

Posted in Exchange Server | No Comments »

Exchange Server 2010 Resources

Posted by John Policelli on September 3rd, 2009

I compiled a list of Exchange Server 2010 resources, which are currently available. I will try to update this list as I come across additional Exchange Server 2010 resources.

Read the rest of this entry »

Posted in Exchange Server | 1 Comment »

Exchange 2007 SP2 Setup fails with Windows Server 2008 R2 Domain Controllers

Posted by John Policelli on September 3rd, 2009

A post was added to the Microsoft Exchange Team blog yesterday that identifies an issue where Exchange 2007 SP2 Setup fails if all domain controllers are running Windows Server 2008 R2.

Read the rest of this entry »

Posted in Exchange Server | No Comments »

Exchange 2010 RC1 Modification of AdminSDHolder ACL Can Result in Elevation of Privilege

Posted by John Policelli on August 31st, 2009

UPDATE: This has been resolved in the RTM version of Exchange Server 2010. Please see Exchange 2010 and Resolution of the AdminSDHolder Elevation Issue for more details.

The PrepareDomain setup phase of Exchange 2010 RC1 adds several Access Control Entries (ACEs) to the Access Control List (ACL) of the AdminSDHolder object. One of these ACEs, Write Property for member, can be used to elevate privileges from Exchange Organization Administrator to Enterprise Admins.
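The script below is an added example and is not part of this post or the Exchange Team’s resolution post above; it is the check a practitioner would run before and after /PrepareDomain to see exactly what the two posts describe. It reads the ACL of the AdminSDHolder object and reports every Allow ACE that grants a right an attacker could use to reach a protected group’s membership: GenericAll, GenericWrite, WriteDacl, WriteOwner, ExtendedRight, or WriteProperty when that write covers the member attribute (or all attributes). The GUID of the member attribute is looked up in the schema rather than hard-coded. The only assumption is that the Active Directory module from Windows Server 2008 R2 or RSAT for Windows 7 is available; nothing is changed.

```powershell
# Added example (not from the original post): list ACEs on AdminSDHolder that can
# be turned into control of a protected group. Read-only. PowerShell 2.0 syntax.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$path     = "AD:\CN=AdminSDHolder,CN=System,$($rootDse.defaultNamingContext)"

# schemaIDGUID of the 'member' attribute, resolved from the schema (it is
# bf9679c0-0de6-11d0-a285-00aa003049e2 in every forest, but do not trust a constant).
$memberAttr = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=member))' `
    -Properties schemaIDGUID
$memberGuid = New-Object Guid -ArgumentList (,[byte[]]$memberAttr.schemaIDGUID)

# Rights that matter on AdminSDHolder: SDPROP copies its ACL to every protected
# user and group within an hour, so these become rights on Enterprise Admins etc.
$dangerous = 'GenericAll','GenericWrite','WriteDacl','WriteOwner','ExtendedRight','WriteProperty'

$acl = Get-Acl -Path $path
$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
    $hits   = @($rights | Where-Object { $dangerous -contains $_ })
    if ($hits.Count -eq 0) { continue }

    # WriteProperty alone only matters when it covers 'member' or all attributes.
    $otherHits = @($hits | Where-Object { $_ -ne 'WriteProperty' })
    if ($otherHits.Count -eq 0 -and
        $ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $memberGuid) {
        continue
    }

    if ($ace.ObjectType -eq $memberGuid)     { $scope = 'member attribute' }
    elseif ($ace.ObjectType -eq [guid]::Empty) { $scope = 'all attributes / all extended rights' }
    else                                       { $scope = $ace.ObjectType.ToString() }

    New-Object PSObject -Property @{
        Trustee   = $ace.IdentityReference.Value
        Rights    = $ace.ActiveDirectoryRights.ToString()
        Scope     = $scope
        Inherited = $ace.IsInherited
    }
}

# Anything here that is not Administrators, Domain Admins, Enterprise Admins or
# SYSTEM deserves an explanation; an Exchange USG with WriteProperty on 'member'
# is exactly the RC1 condition described in the post.
$findings | Sort-Object Trustee | Format-Table Trustee, Rights, Scope, Inherited -AutoSize
```

The Scope column is what separates a harmless write-property ACE (for example, one scoped to a single Exchange attribute) from the dangerous one: a WriteProperty ACE whose ObjectType is the member GUID or the empty GUID lets the trustee change membership of every protected group once SDPROP has propagated it.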

Read the rest of this entry »

Posted in Exchange Server | No Comments »

The AD Recycle Bin: Understanding, Implementing, Best Practices, and Troubleshooting

Posted by John Policelli on August 30th, 2009

I came across a great post on the Ask the Directory Services Team blog, which covers the new AD Recycle Bin (ADRB) feature that is included with Windows Server 2008 R2. The post covers the following points and is a must read for anyone wanting to learn more about this new feature:

  • Understanding how ADRB works under the covers.
  • What the requirements are and how to turn ADRB on.
  • Using ADRB, along with some best practices.
  • Troubleshooting common issues people run into with ADRB.

The post can be read by going to http://blogs.technet.com/askds/archive/2009/08/27/the-ad-recycle-bin-understanding-implementing-best-practices-and-troubleshooting.aspx

Posted in AD DS | No Comments »

“Introducing the Active Directory Recycle Bin in Windows Server 2008 R2” Article Published on informIT.com

Posted by John Policelli on August 21st, 2009

One powerful feature in Windows Server 2008 R2 is its ability to recover objects from Active Directory, which is very handy in those "Uh oh" moments. John Policelli, author of Active Directory Domain Services 2008 How-To, explains what the Active Directory Recycle Bin does and how to use it.

Read the online article by going to: http://www.informit.com/articles/article.aspx?p=1374789

Posted in Publications | No Comments »

Remote Server Administration Tools (RSAT) Released for Windows 7

Posted by John Policelli on August 20th, 2009

Remote Server Administration Tools (RSAT) for Windows 7 are RTM. They can be downloaded here: http://www.microsoft.com/downloads/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displaylang=en.

Note: This only runs on Windows 7 Enterprise, Professional, and Ultimate.

Ensure you remove any previous admin tools (RSAT for Windows 7 Beta/RC, RSAT for Windows Vista, AdminPack for Windows Server 2003).

Posted in Windows 7 | No Comments »

Monitoring and Troubleshooting with Repadmin

Posted by John Policelli on August 20th, 2009

Kurt Hudson, from the MS Active Directory Documentation Team, reminded us recently about a great article that describes how to use the Repadmin.exe tool to monitor, diagnose, and troubleshoot common replication problems in your Active Directory environment. All the information in the document applies to computers running the Windows 2000 Server and Windows Server 2003 operating systems.

The document includes the following topics:

Read the rest of this entry »

Posted in AD DS | No Comments »

AdminSDHolder, Protected Groups and SDPROP Article Published in TechNet Magazine

Posted by John Policelli on August 20th, 2009


Are you having problems with Access Control Lists and permissions? It may be related to AdminSDHolder. Learn exactly what AdminSDHolder is, how it works—and how you can tweak it to better meet your organization’s needs.

Published in the September 2009 issue of Microsoft TechNet Magazine.

Posted in Publications | 2 Comments »

Microsoft Publishes Windows Server 2008/2008R2 Automated Metadata Cleanup Documentation

Posted by John Policelli on August 13th, 2009

Back in May of 2008, I posted an entry on my blog regarding the built-in automated metadata cleanup in Windows Server 2008. Microsoft added similar content to its Windows Server 2008 TechNet library.

Here are some links:

Posted in AD DS | No Comments »

DCDiag Fails for NCSecDesc Test on Windows 2008 Domain Controllers

Posted by John Policelli on August 13th, 2009

I recently prepared an existing Windows Server 2003 forest for Windows Server 2008 and started to see an error reported in DCDiag. When I did some research on the error I was seeing in DCDiag, I found that it was a known issue that I could ignore.

Read the rest of this entry »

Posted in AD DS | No Comments »

How to Prepare an Existing 32-bit Active Directory Domain Services Forest for the 64-bit Windows Server 2008 R2

Posted by John Policelli on July 30th, 2009

You’ve probably heard that Windows Server 2008 R2 was released to manufacturing (RTM) on July 22nd. One of the major changes in Windows Server 2008 R2 is that it is the first Windows Server operating system offered only for 64-bit processors. So what if you need to prepare an existing Active Directory Domain Services forest/domain for Windows Server 2008 R2, and your existing servers run 32-bit versions of Windows Server? You may think that you’re SOL, but Microsoft planned ahead on this one.

Read the rest of this entry »

Posted in AD DS | 1 Comment »

Two Out of Band Security Bulletins Released by Microsoft

Posted by John Policelli on July 27th, 2009

Mohammad Akif, National Security and Privacy Lead at Microsoft Canada, posted a blog on the Canadian IT Professionals blog announcing two critical security bulletins that were recently released. Here’s a snippet from the post:

Read the rest of this entry »

Posted in Misc | No Comments »

The Active Directory Management Gateway Service is now Available for Windows Server 2008 and Windows Server 2003

Posted by John Policelli on July 14th, 2009

Windows Server 2008 R2 includes a new service, called Active Directory Web Services (ADWS), which is a prerequisite for using the Active Directory Module for Windows PowerShell and the Active Directory Administrative Center. Until recently, you were unable to use the Active Directory Module for Windows PowerShell and the Active Directory Administrative Center unless you were managing a Windows Server 2008 R2 machine. However, Microsoft released the Active Directory Management Gateway Service (ADMGS) in early June to extend this functionality to Windows Server 2008 SP1 (and later versions) and Windows Server 2003 SP2 (and later versions).

Read the rest of this entry »

Posted in AD DS, AD LDS | 1 Comment »

Microsoft Releases Free Active Directory Health Scanner

Posted by John Policelli on July 14th, 2009

The Essential Business Server (EBS) team released the Microsoft IT Environment Health Scanner earlier this month. Active Directory health is one of those things that you cannot ignore. Let’s face it, Active Directory is the glue that ties virtually all Microsoft, as well as a significant number of third-party, products and technologies together. Having a good handle on your Active Directory health is a necessity.

Read the rest of this entry »

Posted in AD DS | No Comments »

Active Directory and Active Directory Domain Services Port Requirements MS Document Published

Posted by John Policelli on June 24th, 2009

Does this sound familiar? You need to determine the port requirements for Active Directory and you find yourself having to refer to multiple KB articles. Well, I have found myself in this situation many times, and I am happy to report that Microsoft has published a document that covers all Active Directory components (i.e. Replication, Trusts, GCs, RODCs, DNS, User and Computer Authentication, Group Policy, and Active Directory Web Services). I personally requested this whitepaper from MS, and helped the MS documentation team create it. The document can be found here: http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx.

Posted in Publications | No Comments »

Critical Security Bulletin for Active Directory and ADAM (MS09-018)

Posted by John Policelli on June 17th, 2009

In case you haven’t heard, Microsoft released security bulletin MS09-018 to address vulnerabilities in Active Directory and Active Directory Application Mode (ADAM). It is important to note that these vulnerabilities DO NOT apply to Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) in Windows Server 2008.

Read the rest of this entry »

Posted in AD DS | No Comments »

How-To Administer Active Directory Domain Services Groups Using Windows PowerShell

Posted by John Policelli on June 11th, 2009

I posted an article on the Microsoft Identity and AD blog on Network World’s Microsoft Subnet community.

The blog entry is titled How-To Administer Active Directory Domain Services Groups Using Windows PowerShell and can be read by going to: http://www.networkworld.com/community/node/42601

Posted in Publications | No Comments »

Using Catch-All Subnets in Active Directory Article Published in TechNet Magazine

Posted by John Policelli on June 9th, 2009


In an ideal world, users are directed to the appropriate domain controller for Active Directory authentication, but this is not necessarily what happens in most organizations, because IP subnet information is not properly defined in Active Directory. This article presents a solution to ensure users locate the appropriate DC for authentication: a catch-all subnet to catch the authentication from clients on subnets that are not defined in Active Directory.

Published in the June 2009 issue of Microsoft TechNet Magazine.

Posted in Publications | No Comments »

Export, Compare, and Synchronize Active Directory Schemas Article Published in TechNet Magazine

Posted by John Policelli on June 9th, 2009


If your organization has multiple Active Directory forests, you need to manage multiple Active Directory schemas and ensure consistency between schemas. Check out our step-by-step guide to comparing and synchronizing Active Directory schemas in multi-forest environments.

Published in the April 2009 issue of Microsoft TechNet Magazine.

Posted in Publications | No Comments »

Win a Free Copy of Active Directory Domain Services 2008 How-To Book

Posted by John Policelli on June 9th, 2009


In conjunction with Pearson Education, Microsoft Subnet is giving away 15 copies of the hot title "Microsoft Active Directory Domain Services 2008 How-To" by John Policelli and published by Sams (a $39.99 value). Deadline for entries is June 30, 2009.

How to enter to win: 

Read the rest of this entry »

Posted in Publications | No Comments »

Active Directory Domain Services 2008 How-To – Free Chapter Posted on IT Bookworm Blog

Posted by John Policelli on June 9th, 2009

The folks over at IT Knowledge Exchange have been kind enough to post a chapter of my Active Directory Domain Services 2008 How-To book on their IT Bookworm Blog.

The free chapter is Chapter 11: Manage Fine-Grained Password and Account Lockout Policies. You can also click here to download the PDF for this chapter.

Posted in Publications | No Comments »

How-To Search Active Directory Domain Services Password and Account Settings Using Windows PowerShell

Posted by John Policelli on June 1st, 2009

I posted an article on the Microsoft Identity and AD blog on Network World’s Microsoft Subnet community.

The blog entry is titled How-To Search Active Directory Domain Services Password and Account Settings Using Windows PowerShell and can be read by going to: http://www.networkworld.com/community/node/42303

Posted in Publications | No Comments »

ADMT 3.1 and Windows Server 2008 R2

Posted by John Policelli on May 29th, 2009

I ran across a post on the Ask the Directory Services Team blog that mentions a known issue with ADMT 3.1 and Windows Server 2008 R2. The blog entry can be read here: http://blogs.technet.com/askds/archive/2009/05/22/admt-3-1-and-windows-server-2008-r2.aspx.

Read the rest of this entry »

Posted in AD DS | 1 Comment »

How-To Administer Active Directory Domain Services User Accounts Using Windows PowerShell

Posted by John Policelli on May 28th, 2009

I posted an article on the Microsoft Identity and AD blog on Network World’s Microsoft Subnet community.

The blog entry is titled How-To Administer Active Directory Domain Services User Accounts Using Windows PowerShell and can be read by going to: http://www.networkworld.com/community/node/42218

Posted in Publications | No Comments »

Introducing the Active Directory Module for Windows PowerShell

Posted by John Policelli on May 26th, 2009


I posted an article on the Microsoft Identity and AD blog on Network World’s Microsoft Subnet community.

The blog entry is titled Introducing the Active Directory Module for Windows PowerShell and can be read by going to: http://www.networkworld.com/community/node/42157

Posted in Publications | No Comments »

SAMS Active Directory Domain Services How-To Chapter Available Online

Posted by John Policelli on May 22nd, 2009

Network World’s Microsoft Subnet site has posted Chapter 1: Introduction to Active Directory Domain Services of the SAMS Active Directory Domain Services 2008 How-To on their Website.


Posted in Publications | No Comments »

Introducing the New Active Directory Domain Services in Windows Server 2008 R2

Posted by John Policelli on May 21st, 2009

I have been asked to blog for Network World’s Microsoft Subnet community. The Network World blog I will be posting on is called Microsoft Identity and AD, and can be found here.

I added my first post on this blog, which is titled Introducing the New Active Directory Domain Services in Windows Server 2008 R2.

Here’s an excerpt from the post:

Windows Server 2008 introduced the most significant changes to Active Directory Domain Services (AD DS) since its inaugural release in Windows 2000 Server. Microsoft has continued along this path with Windows Server 2008 R2, making it the most noteworthy interim release of Windows Server.

AD DS in Windows Server 2008 R2 includes a number of important new features, including:

  • Active Directory Recycle Bin
  • Active Directory Module for Windows PowerShell
  • Active Directory Administrative Center
  • Active Directory Best Practices Analyzer
  • Active Directory Web Services
  • Authentication Mechanism Assurance
  • Offline Domain Join
  • Managed Service Accounts

Let’s take a closer look at each of these new features.

The rest of the post can be read here: http://www.networkworld.com/community/node/42051.

Tags: , , ,
Posted in Publications | No Comments »

A First Look at the Active Directory Module for Windows PowerShell in the Windows Server 2008 R2

Posted by John Policelli on May 12th, 2009

Windows Server 2008 R2 includes an Active Directory Module for Windows PowerShell. This new feature enables you to perform Active Directory administrative tasks by using PowerShell.

The following is a first look at the Active Directory Module for Windows PowerShell that is included with the Windows Server 2008 R2 Release Candidate.

Read the rest of this entry »

Tags: , , ,
Posted in AD DS | No Comments »

Did You Know?

Posted by John Policelli on May 9th, 2009

There is a great YouTube video on the progression of information technology. It’s worth a look: http://www.youtube.com/watch?v=cL9Wu2kWwSY.

Posted in Misc | No Comments »

Roll Back / Lower Active Directory Functional Levels in Windows Server 2008 R2

Posted by John Policelli on May 8th, 2009

In Windows Server 2008 R2, you can now roll back (lower) the domain functional level (DFL) and forest functional level (FFL). There are a couple of conditions and limitations to this new functionality, which I discuss below.

Read the rest of this entry »

Tags: , , ,
Posted in AD DS | 1 Comment »

Vulnerability with the Active Directory Account Operators Group (applies to Domain Controllers)

Posted by John Policelli on May 1st, 2009

The Active Directory Documentation Team has pointed out what “I” consider a vulnerability with the built-in Active Directory Account Operators group, which applies to Domain Controllers. Under certain conditions, which are very common, the Account Operators group retains the Full Control permission on the computer object for a domain controller. As you can imagine, this is not desired in almost every case.

Read the rest of this entry »

Tags: , ,
Posted in AD DS | No Comments »

Interview for YouShapeIT with John Policelli Posted on Microsoft TechNet

Posted by John Policelli on April 30th, 2009


Microsoft has a website called YouShapeIT, which I’ve been featured in this month.

The YouShapeIT TechNet website includes a significant amount of product information, presentations, podcasts, and resources for the theme of the month. For this month, the theme is Windows Server with a focus on Windows Server 2008 and Windows Server 2008 R2 (Beta).

I did an interview for YouShapeIT. The transcript and the MP3 audio file of the interview can be downloaded from http://www.microsoft.com/youshapeit/technet/Podcasts/2009-05/interview_johnpolicelli.aspx

Tags: , , , ,
Posted in Publications | No Comments »

Enterprise IT Planet Article Published: Win Server 2008 Active Directory Interface Improvements

Posted by John Policelli on April 30th, 2009

Discover the most recent Active Directory Domain Services user interface improvements.

Read the rest of this entry »

Tags: , ,
Posted in Publications | No Comments »

Active Directory Domain Services 2008 How-To

Posted by John Policelli on April 28th, 2009

My second book, Active Directory Domain Services 2008 How-To, is nearing publication. Below are some details on this publication:


Specifics:

  • Author: John Policelli
  • Published May 18, 2009 by Sams.
  • Copyright 2009
  • Dimensions: 5-3/8 x 8-1/4
  • Pages: 528
  • Edition: 1st.
  • ISBN-10: 0-672-33045-8
  • ISBN-13: 978-0-672-33045-2

Read the rest of this entry »

Tags: , , , ,
Posted in Publications | No Comments »

Active Directory Domain Services in the Perimeter Network (Windows Server 2008)

Posted by John Policelli on April 28th, 2009

Microsoft has expanded their Windows Server 2008 Active Directory Domain Services (AD DS) Planning and Architecture collection to include AD DS in the perimeter network. More specifically, the new guide covers the following:

  • Determining whether AD DS is appropriate for your perimeter network
  • The various models for deploying AD DS in perimeter networks
  • Planning and deploying read-only domain controllers (RODCs) in perimeter networks

The guide can be downloaded by going to http://technet.microsoft.com/en-us/library/dd728034.aspx.

Tags: , , , ,
Posted in AD DS | No Comments »

How-To Resolve CN to Ldap-Display-Name for Active Directory Attributes and Classes

Posted by John Policelli on April 20th, 2009

Have you ever been in a situation where you needed the Ldap-Display-Name of an Active Directory attribute or class, but all you had was the CN? I have found myself in this scenario many times. Virtually every time, I had to use multiple sources to determine the Ldap-Display-Name of the attribute or class, which was inefficient to say the least. I finally got fed up and developed a reusable process so that I can streamline the resolution of CN to Ldap-Display-Name for Active Directory attributes and classes.

Read the rest of this entry »

Tags: , ,
Posted in AD DS | No Comments »

Stephen Ibaraki Exclusive Interview with John Policelli

Posted by John Policelli on April 17th, 2009

International Authority in Windows Technologies, Widely Acknowledged Networking Expert, Best-selling Author and Certification Exam Contributor, Microsoft Most Valuable Professional.

This interview was subsequently featured on a number of websites, including:

Read the rest of this entry »

Tags: , , ,
Posted in Publications | No Comments »

Conficker Causes LSASS to Consume CPU Time on Domain Controllers

Posted by John Policelli on April 17th, 2009

I ran across a post on the Ask the Directory Services Team blog which is an important read for anyone who manages Active Directory.

The MS Directory Services team has found that Conficker-infected computers are throwing bad password attempts, as many as 10,000 per minute from multiple clients, which in turn causes LSASS to consume a lot of CPU time on DCs.

The full post can be read by going to http://blogs.technet.com/askds/archive/2009/04/16/conficker-causes-lsass-to-consume-cpu-time-on-domain-controllers.aspx.

Tags: ,
Posted in AD DS | No Comments »

Enterprise IT Planet Article Published: Win Server 2008: Restartable Active Directory Domain Services Explained

Posted by John Policelli on April 8th, 2009

This new feature in Windows Server 2008 allows you to start, stop, and restart Active Directory Domain Services on a domain controller, thus facilitating more streamlined operations for performing offline tasks on a domain controller.

Read the rest of this entry »

Tags: , , ,
Posted in Publications | No Comments »

MVP Again for 2009

Posted by John Policelli on April 1st, 2009

I found out this morning that I was awarded the Microsoft Most Valuable Professional (MVP) designation for 2009. This is the second year that I have been designated as a Microsoft MVP in the Directory Services expertise. It’s truly humbling!

Below is an extract of the note that I got from the MVP program:

Read the rest of this entry »

Tags:
Posted in Publications | No Comments »

Enterprise IT Planet Article Published: Windows Server 2008 Active Directory Database Mounting Tool

Posted by John Policelli on March 25th, 2009

Recovery processes for Active Directory Domain Services and Active Directory Lightweight Directory Services have been revamped in Windows Server 2008. Major new features include point-in-time snapshots and mounting of stored database data.

To read the article, please go to http://www.enterpriseitplanet.com/networking/features/article.php/3812086.

Tags: , , ,
Posted in Publications | No Comments »

Back to the Basics – Securing the Directory Services Restore Mode Account

Posted by John Policelli on March 25th, 2009

The Directory Services Restore Mode (DSRM) account is used to log on to a domain controller in Directory Services Restore Mode to perform maintenance and recovery tasks. This account is often forgotten by AD administrators, which results in a significant security risk. If exploited, this security risk can have a high impact.

I have run Active Directory security assessments for a number of small, medium, and large-sized companies over the years. In almost every case, I have identified the DSRM account as a risk, because it was not being secured adequately. I felt compelled to use this post to emphasize the importance of securing the DSRM account.

This is not a post that describes how to change the password on a DSRM account; there are thousands of such articles on the web. This post aims to give you a thorough understanding of the risks associated with not properly securing DSRM accounts, the impact of exploited DSRM accounts, and my recommendations to secure DSRM accounts.

Read the rest of this entry »

Tags: ,
Posted in AD DS | 3 Comments »

Windows Server 2003 Service Pack 1 End of Life is Fast Approaching

Posted by John Policelli on March 24th, 2009

Support for Windows Server 2003 Service Pack 1 ends on April 14th, 2009 (less than one month from now).

This means there will be no support for computers that do not have Service Pack 2 installed, and Microsoft will not distribute any hotfixes or security updates for computers that have Service Pack 1 installed.

Read the rest of this entry »

Tags:
Posted in Windows Server | No Comments »

Free Tool for Managing Fine-Grained Password Policies

Posted by John Policelli on February 24th, 2009

I stumbled across a GUI-based tool which provides the ability to manage fine-grained password and account lockout policies. I couldn’t help installing the tool to take a closer look. I have to admit that this simple tool does a much better job than the native tools at managing fine-grained password policies.

The tool is called Specops Password Policy BASIC and is available from Special Operations Software. It can be downloaded here.

For a detailed look at using the native tools for managing fine-grained password policies, see my posts Fine-Grained Password Policies in Windows Server 2008 and Manage Shadow Groups in Windows Server 2008.

Tags: , ,
Posted in AD DS | No Comments »

A First Look at the DNS Server Best Practice Analyzer in the Windows Server 2008 R2 Beta

Posted by John Policelli on February 24th, 2009

Windows Server 2008 R2 includes a Best Practice Analyzer (BPA) for a limited number of server roles, including DNS Server.

The following is a first look at the DNS Server Best Practice Analyzer (DNS BPA) that is included with the Windows Server 2008 R2 Beta.

Read the rest of this entry »

Tags: , ,
Posted in Name Resolution | No Comments »

A Great Explanation of Size Differences in Active Directory Databases

Posted by John Policelli on February 23rd, 2009

Tim Springston, from Microsoft’s Customer Services and Support division (formerly Product Support Services), published a great explanation titled “Gauging Size Differences in AD Databases”. This is a good read for those who have wondered, or have been asked, why the size of the AD database differs between domain controllers.

Tim’s blog entry can be found here.

Tags:
Posted in AD DS | No Comments »

Synchronize the DSRM Administrator Password with a Domain User Account

Posted by John Policelli on February 19th, 2009

Microsoft has released a new feature for Windows Server 2008 that allows you to synchronize the Directory Services Restore Mode (DSRM) password with the password of a domain user account.

Read the rest of this entry »

Tags: , ,
Posted in AD DS | No Comments »

Enterprise IT Planet Article Published: Windows Server 2008 Read-Only Domain Controller Benefits

Posted by John Policelli on February 18th, 2009

Discover how read-only domain controllers provide improved security, faster logon times and an expanded set of administrative roles.

To read the article, please go to http://www.enterpriseitplanet.com/networking/features/article.php/3803831

Tags: , , ,
Posted in Publications | No Comments »

Enterprise IT Planet Article Published: Active Directory Domain Services Fine-Grained Password and Account Lockout Policies

Posted by John Policelli on February 3rd, 2009

With the advent of Windows Server 2008, password management made a substantial leap. Learn how to improve security and craft policies for just about any situation.

To read the article, please go to http://www.enterpriseitplanet.com/networking/features/article.php/3800436.

Tags: , , ,
Posted in Publications | No Comments »

Microsoft – Fix It for Me

Posted by John Policelli on February 3rd, 2009


Microsoft has created a new team that is responsible for automating the steps in KB articles and Windows Error Reporting (WER) solutions so that you can click a button and have the issue resolved.

Read the rest of this entry »

Tags:
Posted in Misc | No Comments »

User Interface Enhancements and Changes between Active Directory Administrative Center and Active Directory Users and Computers

Posted by John Policelli on January 28th, 2009

The Windows Server 2008 R2 Beta includes a new Active Directory data management tool, called the Active Directory Administrative Center (ADAC). ADAC is a replacement for the Active Directory Users and Computers (ADUC) console. You can find more information on ADAC in my A First Look at the Active Directory Administrative Center in the Windows Server 2008 R2 Beta post.

I’ve been using ADAC as I evaluate the Windows Server 2008 R2 Beta, and what follows is a list of user interface enhancements and changes between ADAC and ADUC.

Read the rest of this entry »

Tags: , , ,
Posted in AD DS | No Comments »

Windows 7 Hotkey Cheat Sheet

Posted by John Policelli on January 27th, 2009

I stumbled across a blog post, which lists a number of Windows 7 hotkeys. The blog post can be read here.

Tags: ,
Posted in Windows 7 | No Comments »

A First Look at the Active Directory Domain Services Recycling Bin Feature in the Windows Server 2008 R2 Beta

Posted by John Policelli on January 23rd, 2009

Windows Server 2008 R2 includes a new Recycling Bin feature for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

The following is a first look at the Active Directory Recycling Bin that is included with the Windows Server 2008 R2 Beta.

NOTE: Updated May 8, 2009 to include information for the RC build of Windows Server 2008 R2.

Read the rest of this entry »

Tags: , ,
Posted in AD DS | No Comments »

A First Look at the Active Directory Domain Services Best Practice Analyzer in the Windows Server 2008 R2 Beta

Posted by John Policelli on January 22nd, 2009

Windows Server 2008 R2 includes a Best Practice Analyzer (BPA) for a limited number of server roles, including Active Directory Domain Services.

The following is a first look at the Active Directory Domain Services Best Practice Analyzer (AD DS BPA) that is included with the Windows Server 2008 R2 Beta.

Read the rest of this entry »

Tags: , , , , , ,
Posted in AD DS | 1 Comment »

Enterprise IT Planet Article Published: Windows Server 2008: Active Directory Domain Services Auditing Capabilities Explained

Posted by John Policelli on January 22nd, 2009

Learn how the expanded auditing options offer new levels of insight, granularity and control.

To read the article, please go to http://www.enterpriseitplanet.com/networking/features/article.php/3797931

Tags: , , ,
Posted in Publications | No Comments »

A First Look at the Active Directory Administrative Center in the Windows Server 2008 R2 Beta

Posted by John Policelli on January 22nd, 2009

Microsoft has released a new Active Directory data management tool in Windows Server 2008 R2, which is now called the Active Directory Administrative Center.

What follows is an initial look at the new Active Directory Administrative Center (ADAC).

Read the rest of this entry »

Tags: , ,
Posted in AD DS | 5 Comments »

Step-by-Step Guide to Installing Active Directory Domain Services in Windows Server 2008 R2 Beta

Posted by John Policelli on January 22nd, 2009

The following is a step-by-step guide to installing Active Directory Domain Services in the Windows Server 2008 R2 Beta.

Read the rest of this entry »

Tags: , ,
Posted in AD DS | No Comments »

Canadian MVP Insider Interview

Posted by John Policelli on January 19th, 2009


I am profiled in the Canadian MVP Insider for the month of January.

The article is posted on the Canadian IT Pro Connection’s blog and can be read here: http://blogs.technet.com/canitpro/archive/2009/01/16/mvp-profile-john-policelli.aspx

Tags:
Posted in Publications | No Comments »

Enterprise IT Planet Article Published: Windows Server 2008: Discover the New Active Directory Domain Services

Posted by John Policelli on January 15th, 2009

There are a number of new Active Directory Domain Services features in Windows Server 2008. These new features improve auditing, security, and the management of Active Directory Domain Services and show Microsoft’s commitment to evolving Active Directory Domain Services. The following is an overview of the new Active Directory Domain Services features that are in Windows Server 2008.

To read the article, please go to http://www.enterpriseitplanet.com/networking/features/article.php/3796561

Tags: , , ,
Posted in Publications | No Comments »

Step-by-Step Guide to Installing Windows Server 2008 R2 Beta

Posted by John Policelli on January 15th, 2009

The following is a step-by-step guide to installing the Windows Server 2008 R2 Beta on VMware Workstation 6.5. The installation of Windows Server 2008 R2 is very similar to the Windows 7 installation.

Read the rest of this entry »

Tags: ,
Posted in Windows Server | No Comments »

Step-by-Step Guide to Installing Windows 7 Beta

Posted by John Policelli on January 15th, 2009

The following is a step-by-step guide to installing the Windows 7 Beta on Microsoft Virtual PC. The installation of Windows 7 is very similar to the Windows Vista installation.

Read the rest of this entry »

Tags: ,
Posted in Windows 7 | No Comments »

32-Bit Windows Server is History!

Posted by John Policelli on January 15th, 2009

As you may have heard already, Microsoft released the Beta for Windows Server 2008 R2. This is the first operating system platform that will be 64-bit only.

Read the rest of this entry »

Tags:
Posted in Windows Server | No Comments »

Windows Server 2008 R2 Active Directory Updates – Microsoft Presentation

Posted by John Policelli on January 11th, 2009

Microsoft’s Windows Server 2008 R2 Resources site contains a number of useful guides, presentations, and links to newsgroups and forums.

I stumbled across a presentation titled “Windows Server 2008 R2 Active Directory Updates” that gives a good overview on the changes to AD DS in Windows Server 2008 R2.

Tags: ,
Posted in AD DS | No Comments »

Replmon.Exe has been Cut from Windows Server 2008

Posted by John Policelli on January 9th, 2009

I’ve run across a few newsgroup posts lately where people have pointed out they cannot find Replmon.exe on Windows Server 2008. I finally got around to checking for myself and was surprised to see the tool is really gone.

Read the rest of this entry »

Tags: , ,
Posted in AD DS | No Comments »

Windows 7 and Windows Server 2008 R2 Betas are Available to the Public

Posted by John Policelli on January 8th, 2009

As Steve Ballmer announced during his keynote speech at the Consumer Electronics Show (CES) in Las Vegas, the Windows 7 Beta and the Windows Server 2008 R2 Beta are both available to the public starting January 9, 2009.

Read the rest of this entry »

Tags: , ,
Posted in Windows 7, Windows Server | No Comments »

Windows Live Essentials is Ready to Download

Posted by John Policelli on January 8th, 2009

Windows Live Essentials was released to the public on January 7th. The news can be read here.

I’ve been using the beta for a number of months now. I’ve done a lot of work with Windows Live Mail. One of the things I like most about Windows Live Mail is the ability to bring mail, newsgroups, and feeds into a single program. I have also used Windows Live Writer quite extensively over the past few months and I am very impressed with its capabilities.

The new Windows Live Essentials can be downloaded from http://download.live.com/

Tags:
Posted in Misc | No Comments »

Windows Server 2008 RODC Compatibility Pack for Windows Server 2003 Clients and for Windows XP Clients

Posted by John Policelli on December 5th, 2008

Microsoft previously published an article that lists 11 fairly significant known issues for deploying RODCs. The known issues that are listed in the above-mentioned KB article include the following:

  • Group Policy fails to access Windows Management Instrumentation (WMI) filters on an RODC.
  • Internet Protocol security (IPsec) policies fail to apply from an RODC.
  • The Windows Time service (W32time) in Windows XP and Windows Server 2003 does not recognize an RODC.
  • Unsecure domain join fails.
  • Domain join using RODC in the perimeter network fails.
  • Password changes fail in the perimeter network when only an RODC is available.
  • The RODC fails to retrieve or create a public key certificate.
  • Spooler does not reflect the correct printer publish state.
  • The Find Printer user interface (UI) hangs when a computer that runs Windows XP or Windows Server 2003 can contact an RODC but not a writable domain controller.
  • Active Directory Service Interfaces (ADSI) in Windows XP and Windows Server 2003 requests a remote writable domain controller instead of a local RODC.
  • Domain controllers running Windows Server 2003 perform automatic site coverage for sites with RODCs.

The KB article provides additional details on the scope and impact of each known issue. Additionally, there are workarounds listed for 6 of the 11 known issues.

However, Microsoft does recommend you install the Windows Server 2008 RODC Compatibility Pack for Windows Server 2003 and Windows XP client computers that interact with RODCs. Additional information on this compatibility pack can be found here. It is important to note that Windows XP Service Pack 3 does not include this compatibility pack.

Tags: , , ,
Posted in AD DS | No Comments »

Active Directory – Gone in 60 Seconds

Posted by John Policelli on November 20th, 2008

Let me start by stating that this article is NOT intended to be used to break Active Directory or for any malicious reasons. This article is intended to show that the use of built-in security groups, coupled with failing to follow the Principle of Least Privilege, is a HORRIBLE practice and can cause significant impact to your Active Directory environment.

In 2005 I provided a demonstration for a user group that showed that the use of built-in security groups, coupled with failing to follow the Principle of Least Privilege, could cause a domain-wide outage. In recent months, I have seen individuals posting in newsgroups and forums who have mistakenly exposed themselves to this same issue. Even more recently, I received an email from someone who attended my presentation in 2005 informing me that they too were impacted by this issue.

I decided to extract the relevant information from my 2005 demonstration and post it online. Again, my intent is not to show how you can break Active Directory. Rather, I intend to show you that by using built-in groups and failing to follow the Principle of Least Privilege, you can make it very easy for someone to intentionally or unintentionally cause a domain-wide outage. I have updated my original content to include Windows Server 2008, as this risk also applies to Windows Server 2008.

In this article, I demonstrate how someone with membership in the built-in Account Operators group can (intentionally or unintentionally) exploit a system limitation and prevent all users in your domain from logging on. I start by providing some background information before the demonstration. I then provide some additional information on why the risk exists and what you can and cannot do about it. I conclude with some general recommendations and best practices to avoid such outages.

Read the rest of this entry »

Tags: , , , ,
Posted in AD DS | No Comments »

Microsoft’s Position on High Accuracy Time Requirements

Posted by John Policelli on November 18th, 2008

Having worked in the financial sector for a number of years, I have repeatedly seen the need for time to be synchronized down to the second or millisecond. Financial applications, such as trading applications, rely heavily on high accuracy time. The fact of the matter is that the Windows Time Service was not designed for high accuracy time. Microsoft designed the Windows Time Service to 1) make the Kerberos Version 5 authentication protocol work and 2) provide loose time sync for client computers.

I stumbled across a post from Microsoft’s Directory Services Team that outlines Microsoft’s position on high accuracy time requirements and the Windows Time Service. The post can be found here. This article is a good read if you want to understand what the Windows Time Service was and was not designed to do.

Tags: , , ,
Posted in AD DS | No Comments »

Active Directory Domain Service Server Role Improvements in Windows Server 2008 R2

Posted by John Policelli on November 18th, 2008

Microsoft has published an article that lists the improvements in Windows Server 2008 R2. The article can be downloaded here.

There are a few key AD DS improvements that are highlighted. Some of the improvements will apply to all Active Directory server roles in Windows Server 2008, while others will apply to the Active Directory Domain Services server role only.

Here is a list of the improvements in Windows Server 2008 R2:

  • New Forest Functional Level
  • PowerShell cmdlets
  • Improvements to automated monitoring and notification
  • Recovery of deleted objects (built-in Recycling Bin feature)
  • Offline domain join support
  • Managed service accounts
  • Active Directory Administrative Center (goodbye ADUC)

Read the rest of this entry »

Tags: ,
Posted in AD DS | No Comments »

Active Directory Database Mounting Tool (AD DS and AD LDS Snapshots)

Posted by John Policelli on November 11th, 2008

Windows Server 2008 introduces a new feature that allows you to create and view snapshots of data that is stored in AD DS and AD LDS. The Active Directory database mounting tool (Dsamain.exe) was referred to as Snapshot Viewer and Active Directory data mining tool during the beta releases of Windows Server 2008.

Microsoft states that the Active Directory database mounting tool is useful to simplify the forest recovery process and to audit modified and deleted objects. These are two very useful reasons to learn more about the Active Directory mounting tool. What follows is a step-by-step on how to use the Active Directory database mounting tool.

Read the rest of this entry »

Tags: , , , , ,
Posted in AD DS, AD LDS | No Comments »

Active Directory Maximum Limits

Posted by John Policelli on November 4th, 2008

I ran across a document from Microsoft that lists maximum limits for Active Directory. This document pertains to Windows 2000 Server and Windows Server 2003. There is no reference to Windows Server 2008 in the document. However, the majority of the limits also apply to Windows Server 2008.

Below is a summary of the maximums. The full details, including rationale, can be found here: http://technet.microsoft.com/en-us/library/cc756101.aspx.

Read the rest of this entry »

Tags:
Posted in AD DS | 1 Comment »

Built-In Active Directory Attribute Editor in Windows Server 2008

Posted by John Policelli on August 28th, 2008

Microsoft has included a new feature, the Attribute Editor, in Windows Server 2008 which allows you to view and modify attributes through two of the native Active Directory snap-ins (Active Directory Users and Computers and Active Directory Sites and Services). This is especially valuable when you need to view and/or modify attributes that are not part of the base schema, such as custom attributes. In the Windows 2000 Server and Windows Server 2003 versions of Active Directory, these attributes could only be modified programmatically or by using the ADSI Edit console. However, in Windows Server 2008, you can now modify custom attributes by using the native tools.

Read the rest of this entry »

Tags: ,
Posted in AD DS | 7 Comments »

Structured Active Directory Schema Management at Microsoft

Posted by John Policelli on August 21st, 2008

The white paper that discusses schema management at Microsoft was recently updated and has been posted on Microsoft’s IT Showcase website. The technical white paper can be found here. The TechNet Webcast can be found here.

Read the rest of this entry »

Tags: , , , ,
Posted in AD DS | No Comments »

MCITP Self-Paced Training Kit (Exam 70-647): Windows Server® Enterprise Administration Released

Posted by John Policelli on June 19th, 2008

The MCITP Self-Paced Training Kit (Exam 70-647): Windows Server® Enterprise Administration was published yesterday. The 70-647 Training Kit should be available through retailers by June 28th. The 70-647 Training Kit will also be included with the MCITP Self-Paced Training Kit (Exams 70-640, 70-642, 70-643, 70-647): Windows Server® 2008 Enterprise Administrator Core Requirements Training Kit. Both can be pre-ordered through retailers.

Read the rest of this entry »

Tags: , , ,
Posted in AD DS | No Comments »