John Policelli's Blog

Covering Identity and Access Solutions, Unified Communications, Collaboration, and Server Infrastructure.


Bridgehead Server Selection Improvements in Windows Server 2008 and Windows Server 2008 R2

Posted by John Policelli on 6th July 2010

Windows Server 2008 and Windows Server 2008 R2 include improvements to bridgehead server selection, which are not very well known. In fact, Microsoft only recently published an article on TechNet to explain the improvements to bridgehead server selection in Windows Server 2008 R2. What follows is an in-depth look at these improvements.

Posted in AD DS

DCDiag Fails for NCSecDesc Test on Windows 2008 Domain Controllers

Posted by John Policelli on 13th August 2009

I recently prepared an existing Windows Server 2003 forest for Windows Server 2008 and started to see an error reported in DCDiag. When I did some research on the error I was seeing in DCDiag, I found that it was a known issue that I could ignore.

Posted in AD DS

Active Directory and Active Directory Domain Services Port Requirements MS Document Published

Posted by John Policelli on 24th June 2009

Does this sound familiar? You need to determine the port requirements for Active Directory, and you find yourself having to refer to multiple KB articles. Well, I have found myself in this situation many times, and I am happy to report that Microsoft has published a document that covers all Active Directory components (i.e., Replication, Trusts, GCs, RODCs, DNS, User and Computer Authentication, Group Policy, and Active Directory Web Services). I personally requested this whitepaper from MS, and helped the MS documentation team create it. The document can be found here: http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx.

Posted in Publications

Interview for YouShapeIT with John Policelli Posted on Microsoft TechNet

Posted by John Policelli on 30th April 2009

Microsoft has a website called YouShapeIT, which I’ve been featured in this month.

The YouShapeIT TechNet website includes a significant amount of product information, presentations, podcasts, and resources for the theme of the month. For this month, the theme is Windows Server with a focus on Windows Server 2008 and Windows Server 2008 R2 (Beta).

I did an interview for YouShapeIT. The transcript and the MP3 audio file of the interview can be downloaded from http://www.microsoft.com/youshapeit/technet/Podcasts/2009-05/interview_johnpolicelli.aspx

Posted in Publications

Enterprise IT Planet Article Published: Win Server 2008 Active Directory Interface Improvements

Posted by John Policelli on 30th April 2009

Discover the most recent Active Directory Domain Services user interface improvements.

Posted in Publications

Active Directory Domain Services 2008 How-To

Posted by John Policelli on 28th April 2009

My second book, Active Directory Domain Services 2008 How-To, is nearing publication. Below are some details on this publication:

Specifics:

  • Author: John Policelli
  • Published May 18, 2009 by Sams.
  • Copyright 2009
  • Dimensions 5-3/8 X 8-1/4
  • Pages: 528
  • Edition: 1st.
  • ISBN-10: 0-672-33045-8
  • ISBN-13: 978-0-672-33045-2

Posted in Publications

Active Directory Domain Services in the Perimeter Network (Windows Server 2008)

Posted by John Policelli on 28th April 2009

Microsoft has expanded their Windows Server 2008 Active Directory Domain Services (AD DS) Planning and Architecture collection to include AD DS in the perimeter network. More specifically, the new guide covers the following:

  • Determining whether AD DS is appropriate for your perimeter network
  • The various models for deploying AD DS in perimeter networks
  • Planning and deploying read-only domain controllers (RODCs) in perimeter networks

The guide can be downloaded by going to http://technet.microsoft.com/en-us/library/dd728034.aspx.

Posted in AD DS

Stephen Ibaraki Exclusive Interview with John Policelli

Posted by John Policelli on 17th April 2009

International Authority in Windows Technologies, Widely Acknowledged Networking Expert, Best-selling Author and Certification Exam Contributor, Microsoft Most Valuable Professional.

This interview was subsequently featured on a number of websites, including:

Posted in Publications

Enterprise IT Planet Article Published: Win Server 2008: Restartable Active Directory Domain Services Explained

Posted by John Policelli on 8th April 2009

This new feature in Windows Server 2008 allows you to start, stop, and restart Active Directory Domain Services on a domain controller, thus facilitating more streamlined operations for performing offline tasks on a domain controller.

Posted in Publications

Enterprise IT Planet Article Published: Windows Server 2008 Active Directory Database Mounting Tool

Posted by John Policelli on 25th March 2009

Recovery processes for Active Directory Domain Services and Active Directory Lightweight Directory Services have been revamped in Windows Server 2008. Major new features include point-in-time snapshots and stored data database mounting.

To read the article, please go to http://www.enterpriseitplanet.com/networking/features/article.php/3812086.

Posted in Publications

Free Tool for Managing Fine-Grained Password Policies

Posted by John Policelli on 24th February 2009

I stumbled across a GUI-based tool which provides the ability to manage fine-grained password and account lockout policies. I couldn’t help but install the tool to take a closer look. I have to admit that this simplistic tool does a much better job than the native tools at managing fine-grained password policies.

The tool is called Specops Password Policy BASIC and is available from Special Operations Software. It can be downloaded here.

For a detailed look at using the native tools for managing fine-grained password policies, see my posts Fine-Grained Password Policies in Windows Server 2008 and Manage Shadow Groups in Windows Server 2008.

Posted in AD DS

Enterprise IT Planet Article Published: Windows Server 2008 Read-Only Domain Controller Benefits

Posted by John Policelli on 18th February 2009

Discover how read-only domain controllers provide improved security, faster logon times and an expanded set of administrative roles.

To read the article, please go to http://www.enterpriseitplanet.com/networking/features/article.php/3803831

Posted in Publications

Enterprise IT Planet Article Published: Active Directory Domain Services Fine-Grained Password and Account Lockout Policies

Posted by John Policelli on 3rd February 2009

With the advent of Windows Server 2008, password management made a substantial leap. Learn how to improve security and craft policies for just about any situation.

To read the article, please go to http://www.enterpriseitplanet.com/networking/features/article.php/3800436.

Posted in Publications

Enterprise IT Planet Article Published: Windows Server 2008: Active Directory Domain Services Auditing Capabilities Explained

Posted by John Policelli on 22nd January 2009

Learn how the expanded auditing options offer new levels of insight, granularity and control.

To read the article, please go to http://www.enterpriseitplanet.com/networking/features/article.php/3797931

Posted in Publications

Enterprise IT Planet Article Published: Windows Server 2008: Discover the New Active Directory Domain Services

Posted by John Policelli on 15th January 2009

There are a number of new Active Directory Domain Services features in Windows Server 2008. These new features improve auditing, security, and the management of Active Directory Domain Services and show Microsoft’s commitment to evolving Active Directory Domain Services. The following is an overview of the new Active Directory Domain Services features that are in Windows Server 2008.

To read the article, please go to http://www.enterpriseitplanet.com/networking/features/article.php/3796561

Posted in Publications

Replmon.Exe has been Cut from Windows Server 2008

Posted by John Policelli on 9th January 2009

I’ve run across a few newsgroup posts lately where people have pointed out they cannot find Replmon.exe on Windows Server 2008. I finally got around to checking for myself and was surprised to see the tool is really gone.

Posted in AD DS

Windows Server 2008 RODC Compatibility Pack for Windows Server 2003 Clients and for Windows XP Clients

Posted by John Policelli on 5th December 2008

Microsoft previously published an article that lists 11 fairly significant known issues for deploying RODCs. The known issues that are listed in the abovementioned KB article include the following:

  • Group Policy fails to access Windows Management Instrumentation (WMI) filters on an RODC.
  • Internet Protocol security (IPsec) policies fail to apply from an RODC.
  • The Windows Time service (W32time) in Windows XP and Windows Server 2003 does not recognize an RODC.
  • Unsecure domain join fails.
  • Domain join using RODC in the perimeter network fails.
  • Password changes fail in the perimeter network when only an RODC is available.
  • The RODC fails to retrieve or create a public key certificate.
  • Spooler does not reflect the correct printer publish state.
  • The Find Printer user interface (UI) hangs when a computer that runs Windows XP or Windows Server 2003 can contact an RODC but not a writable domain controller.
  • Active Directory Service Interfaces (ADSI) in Windows XP and Windows Server 2003 requests a remote writable domain controller instead of a local RODC.
  • Domain controllers running Windows Server 2003 perform automatic site coverage for sites with RODCs.

The KB article provides additional details on the scope and impact of each known issue. Additionally, there are workarounds listed for 6 of the 11 known issues.

However, Microsoft does recommend you install the Windows Server 2008 RODC Compatibility Pack for Windows Server 2003 and Windows XP client computers that interact with RODCs. Additional information on this compatibility pack can be found here. It is important to note that Windows XP Service Pack 3 does not include this compatibility pack.

Posted in AD DS

Built-In Active Directory Attribute Editor in Windows Server 2008

Posted by John Policelli on 28th August 2008

Microsoft has included a new feature, the Attribute Editor, in Windows Server 2008 which allows you to view and modify attributes through two of the native Active Directory snap-ins (Active Directory Users and Computers and Active Directory Sites and Services). This is especially valuable when you need to view and/or modify attributes that are not part of the base schema, such as custom attributes. In the Windows 2000 Server and Windows Server 2003 versions of Active Directory, these attributes could only be modified programmatically or by using the ADSI Edit console. However, in Windows Server 2008, you can now modify custom attributes by using the native tools.

Posted in AD DS

Protect Active Directory Domain Services Objects from Accidental Deletion

Posted by John Policelli on 18th June 2008

Windows Server 2008 introduces a new option designed to protect Active Directory Domain Services (AD DS) objects from accidental deletion. I know of a number of companies that have experienced an impact on business continuity that could have been avoided by using this option. In my experience, the accidental deletions that have created the most impact were Organizational Unit (OU) deletions. This is likely why Microsoft has decided to enable this option by default when OUs are created through the Active Directory Users and Computers (ADUC) console.

Posted in AD DS

Understanding the New GlobalNames Zone Functionality in Windows Server 2008

Posted by John Policelli on 15th January 2008

The DNS Server Role in Windows Server 2008 now supports the GlobalNames Zone. This has been introduced to help organizations move away from WINS and move to an all-DNS environment. Unlike WINS, the GlobalNames zone is not intended to be used for peer-to-peer name resolution.

Posted in Name Resolution

Manage Shadow Groups in Windows Server 2008

Posted by John Policelli on 15th January 2008

In Windows Server 2008, fine-grained password policies apply only to user objects (or inetOrgPerson objects if they are used instead of user objects) and global security groups. Fine-grained password policy cannot be applied to an organizational unit (OU) directly. To apply fine-grained password policy to users in an OU, you can use a shadow group.

Posted in AD DS

Fine-Grained Password Policies in Windows Server 2008

Posted by John Policelli on 15th January 2008

With the new fine-grained password policies feature in Windows Server 2008, we can finally create multiple password policies and account lockout policies for users in the same domain. The fact that the fine-grained password policies feature in Windows Server 2008 maps password policies to users and/or groups means that we have virtually unlimited flexibility when it comes to password policy and account lockout policy requirements.

Posted in AD DS