November 2009 - Posts

Bandwidth utilization, latency, and the reliability of the Wide Area Network are three major concerns when administering a branch office environment. Windows Server 2008 helps to address these concerns through the following 5 technologies.

  • RODC
    • Since the RODC does not accept changes, writable domain controllers that are replication partners do not have to pull changes from the RODC. This reduces the workload of bridgehead servers in the main site and the effort required to monitor replication.
    • RODC unidirectional replication applies to both AD DS and distributed file system (DFS) replication. The RODC performs normal inbound replication for AD DS and DFS replication changes.

  • Group Policy

    • New XML-based format for policy-definition files called ADMX in Windows Server 2008 addresses policy file replication issues.
    • The ADMX format supports a central store for information relating to all policies. Specific Group Policy Object (GPO) settings associated with previous policy-definition file formats are no longer replicated as a result.
  • SMB 2.0
    • The SMB 2.0 protocol enhances communication by supporting:
      • Multiple SMB commands within the same packet. This reduces the number of packets sent between an SMB client and server, which was a common complaint against SMB 1.0.
      • Larger buffer sizes compared to SMB 1.0.
      • Larger number of concurrent open file handles on the server.
      • Larger number of file shares for a server.
      • Durable handles that can withstand short interruptions in network availability.
  • Next Generation TCP/IP stack
    • The Next Generation TCP/IP stack is optimized for the variety of networking environments that exist today. Branch office environments benefit from enhancements to performance, connectivity, and reliability. The new TCP/IP stack includes or enhances:
      • Receive Window Auto-Tuning
      • Compound TCP
      • Enhancements for high-loss environments
      • Neighbor Unreachability Detection for IPv4
      • Changes in dead gateway detection
      • Changes to path maximum transmission unit (PMTU) black hole router detection
      • Routing compartments
      • Network Diagnostics Framework support
      • Windows Filtering Platform (WFP)
      • Explicit Congestion Notification (ECN)
  • DFS
    • Adopts all of the changes made in Windows Server 2003 R2 including:
      • New state-based, multimaster replication, which is optimized for WAN environments and which supports replication scheduling, bandwidth throttling, and a new byte-level compression algorithm known as remote differential compression (RDC).
      • DFS namespaces, which help administrators group shared folders that are located on different servers. The shares can then be presented to users as a virtual tree of folders.
      • Read-only DFS, which enables members to access data without the ability to change it.

Jeff Loucks
Available Technology
Available Technology
  Subscribe in a reader 

A Read Only Domain Controller has the benefit of being able to perform administrative maintenance tasks without entering Active Directory Restore Mode, which previously required a reboot. The following procedure shows how to compact the Active Directory database from the command line. Before you start, remember not to leave Active Directory Domain Services stopped for a long period of time, since replication of Active Directory data will not occur while the service is stopped.

  1. Stop the Active Directory Services.
  2. From the command prompt with administrative privileges
    1. type ntdsutil and press enter
    2. type activate instance ntds and press enter
    3. type files and press enter
    4. type info and press enter
    5. type compact to c:\TEMP and press enter 
  3. If you have successfully compacted the database you can now copy the files back to the proper location and delete the temp files. To do so, run the following from the command prompt:
    1. type copy "c:\TEMP\ntds.dit" "c:\Windows\NTDS\ntds.dit" and press enter
    2. When prompted press Y to overwrite and press enter.
  4. Restart the Active Directory Services
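The procedure above as one script, added here as an example (it is not from the original post). It adds the checks ntdsutil itself asks for after a compact: copy the file back only on reported success, delete the old transaction logs, run an integrity check, and restart the dependent services that stop with NTDS. Assumptions: an elevated PowerShell prompt on a Windows Server 2008 DC, the database in C:\Windows\NTDS as in the post, C:\TEMP free, and the success phrases matched being the ones ntdsutil prints.

```powershell
# Added example, not from the original post. Offline defragmentation of
# ntds.dit using restartable AD DS, with rollback and verification.
$ntdsDir   = 'C:\Windows\NTDS'        # database location, as in the post
$tempDir   = 'C:\TEMP'                # compaction target, as in the post
$liveDb    = Join-Path $ntdsDir 'ntds.dit'
$compactDb = Join-Path $tempDir 'ntds.dit'
$backupDb  = Join-Path $tempDir 'ntds.dit.bak'

if (-not (Test-Path $tempDir)) { New-Item -ItemType Directory -Path $tempDir | Out-Null }

# Record the dependent services (KDC, DNS, DFSR, ...) that are running now:
# Stop-Service -Force stops them, but starting NTDS alone does not bring them back.
$dependents = (Get-Service -Name NTDS).DependentServices |
    Where-Object { $_.Status -eq 'Running' } | ForEach-Object { $_.Name }

try {
    # 1. Stop AD DS. Replication pauses while it is down, so keep this window short.
    Stop-Service -Name NTDS -Force
    Copy-Item -Path $liveDb -Destination $backupDb -Force   # rollback copy of the live file
    $sizeBefore = (Get-Item $liveDb).Length

    # 2. The same ntdsutil commands as the post, passed on the command line.
    $log = & ntdsutil.exe 'activate instance ntds' files "compact to $tempDir" quit quit 2>&1
    $log | Write-Output

    # 3. Copy the compacted file back only if ntdsutil reported success
    #    (assumed phrase: the one ntdsutil prints) and the output file exists.
    if (($log -join "`n") -notmatch 'Compaction is successful' -or -not (Test-Path $compactDb)) {
        throw 'ntdsutil did not report a successful compaction; live database left untouched.'
    }
    Copy-Item -Path $compactDb -Destination $liveDb -Force
    # ntdsutil's own post-compact instructions also say to delete the old log files.
    Remove-Item -Path (Join-Path $ntdsDir '*.log') -Force

    # 4. Verify the copied database before AD DS comes back; roll back on failure.
    $check = & ntdsutil.exe 'activate instance ntds' files integrity quit quit 2>&1
    if (($check -join "`n") -notmatch 'Integrity check successful') {
        Copy-Item -Path $backupDb -Destination $liveDb -Force
        throw 'Integrity check failed; original ntds.dit restored from C:\TEMP\ntds.dit.bak.'
    }
    $sizeAfter = (Get-Item $liveDb).Length
    Write-Output ('ntds.dit: {0:N0} bytes before, {1:N0} bytes after' -f $sizeBefore, $sizeAfter)
}
finally {
    # 5. Restart AD DS and the services that were stopped with it, even on error.
    Start-Service -Name NTDS
    foreach ($name in $dependents) { Start-Service -Name $name -ErrorAction SilentlyContinue }
}
```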

Jeff Loucks


When you stop Active Directory Domain Services, note that the following dependent services also stop:

  • File Replication
  • Kerberos Key Distribution Center
  • Intersite Messaging
  • DNS Server
  • DFS Replication

Stopping Active Directory Domain Services therefore has a wide-ranging effect on an RODC's ability to perform branch office duties.

Jeff Loucks

A primary benefit of Read Only Domain Controllers is that the domain controller service can be managed like a regular service. It can therefore be stopped and started without rebooting the server. The effect of this is that the Active Directory database (ntds.dit) is offline while the service is stopped. While the domain controller service is stopped you can perform actions such as:

  • Defragment the Active Directory database
  • Perform authoritative restores of Active Directory objects.

For more information on Active Directory maintenance tasks from the command line, see the following resource:

How To Use Ntdsutil to Manage Active Directory Files from the Command Line in Windows Server 2003
http://support.microsoft.com/kb/816120

Jeff Loucks

The following is a list of permissions which are supported or not supported for delegation to an RODC delegated administrator.

Supported:

  • Active Directory Users and Computers
  • Domain Controller Service
  • Kerberos Key Distribution Center
  • Active Directory Sites and Services

Not Supported:

  • Global Catalog
  • Bridgehead server
  • PDC emulator
  • RID Master

Jeff Loucks

One of the benefits of an RODC is that you can add local administrators who do not have full domain administration rights. This gives them the ability to manage the server but not to add or change Active Directory objects unless those roles are delegated. Adding this type of user is done using the dsmgmt.exe utility at the command prompt. The following graphic shows a few commands including:

  • adding local roles
  • showing local roles
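The dsmgmt.exe "local roles" commands the graphic refers to, wrapped so they can be scripted; this is an added example, not the post's own graphic or Microsoft's code. Assumptions: an elevated prompt on the RODC itself, dsmgmt accepting its sub-commands as command-line arguments in the same way ntdsutil does, and a constructed account name CONTOSO\bsmith.

```powershell
# Added example, not from the original post. RODC administrator role
# separation via dsmgmt.exe: list the local roles, add a delegated admin,
# and read the role back to confirm the change took effect.
function Invoke-DsmgmtLocalRoles {
    # Runs one "local roles" sub-command and returns dsmgmt's output lines.
    param([Parameter(Mandatory = $true)][string]$Command)
    & dsmgmt.exe 'local roles' $Command quit quit 2>&1
}

function Get-RodcLocalRoles {
    # "list roles" prints the local roles this RODC supports
    # (Administrators, Backup Operators, Server Operators, ...).
    Invoke-DsmgmtLocalRoles -Command 'list roles'
}

function Get-RodcLocalRoleMembers {
    param([string]$Role = 'administrators')
    Invoke-DsmgmtLocalRoles -Command "show role $Role"
}

function Add-RodcLocalRoleMember {
    # Grants a domain user or group a local role on this RODC only; the account
    # gains no rights on writable DCs and no rights to change AD objects.
    param(
        [Parameter(Mandatory = $true)][string]$Account,   # e.g. CONTOSO\bsmith (constructed)
        [string]$Role = 'administrators'
    )
    Invoke-DsmgmtLocalRoles -Command "add $Account $Role" | Write-Output

    # Verify by reading the role back rather than trusting the command's exit code.
    # Assumption: "show role" lists the account by its sAMAccountName.
    $sam = $Account.Split('\')[-1]
    $members = (Get-RodcLocalRoleMembers -Role $Role) -join "`n"
    if ($members -notmatch [regex]::Escape($sam)) {
        throw "Account $Account not found in local role '$Role' after add"
    }
}

Get-RodcLocalRoles
Add-RodcLocalRoleMember -Account 'CONTOSO\bsmith' -Role 'administrators'
Get-RodcLocalRoleMembers -Role 'administrators'
```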


Remember, an RODC does not have all of the capabilities of a writeable domain controller. Consequently, an RODC cannot serve as the global catalog, operations masters, or bridgehead server.

For more information see this Technet Article: http://technet.microsoft.com/en-us/library/cc772478(WS.10).aspx

Jeff Loucks

Susan has got a great post on Getting rid of the Red X's of the mapped drives. Man, these things bug you but never enough to go looking for an answer. Thanks Susan!

http://msmvps.com/blogs/bradley/archive/2009/11/27/getting-rid-of-the-red-x-s-of-the-mapped-drives.aspx

Jeff Loucks

The following is a list of features and benefits for read only domain controllers.

Features:

The major features of an RODC deployment:

  • Unattended installation and DCPROMO changes. You install an RODC by selecting Additional Options in the DCPROMO wizard.
  • Read-Only Active Directory database. This prevents changes to the directory.
  • Unidirectional replication. Since the directory is read-only, replication only occurs to the RODC. This reduces WAN traffic.
  • Credential caching. The RODC does not store accounts but caches credentials for accounts that use it to log on. You can configure the caching policy using DCPROMO.

Benefits:

Here are the benefits of deploying an RODC:

  • Reduced security risk to a writable copy of Active Directory.
  • Better logon times compared to authenticating across a WAN link.
  • Better access to the authentication resource on the network.
  • Better performance of directory-enabled applications.

Jeff Loucks

The following command line can be run at the server core command line to install the DNS Server role.

start /w ocsetup DNS-Server-Core-Role

Jeff Loucks

The following command can be run at the Server Core command prompt to install terminal services in application mode for remote administration.

cscript c:\windows\System32\SCRegedit.wsf /ar 0

Jeff Loucks

While choosing a branch office solution, you have to address various issues, such as security, data replication, minimal IT capabilities, hardware costs, unauthorized physical access, and unwanted changes to Active Directory.

The following bulleted list discusses the points above and highlights the solutions to address the concerns. (Source:MSL 89-389)

  • Security

    • If security at the branch office is your major concern, you should use the Server Core installation option of the Windows Server 2008 operating system and install RODCs, Server Message Block (SMB) 2.0, and BitLocker Drive Encryption. Server Core offers a reduced attack surface because of the limited number of services running on the box.

  • Replication between sites

    • If you need to tightly control replication between sites due to WAN links, you should install RODCs.

  • Minimal IT administration capabilities

    • If you have minimal IT administration capabilities, you should use a Server Core installation and install RODCs to minimize administration requirements.

  • Hardware costs

    • If you have to minimize hardware costs at each branch office, you should consider server virtualization.

  • Unauthorized physical access to servers

    • If you have limited capabilities to control the physical access to servers at a branch office, you should use BitLocker Drive Encryption to protect the system against data theft.

  • Unwanted changes to Active Directory

    • If you want to prevent unwanted changes from being made to Active Directory, you should use RODCs to prevent any updates to Active Directory.

The preceding points are some considerations from the field when choosing branch office solutions.

Jeff Loucks

Spider webs. That is what I call most network diagrams I see. A diagram is worth a thousand words when it comes to understanding the layout of your network. There are a few skills which help you get full value out of diagramming and it is the intent of this post to highlight a few. Most involve clearing the cobwebs and bringing clarity through visual cues.

I am using a diagram that comes from an administrator for whom I have a lot of respect. He has taken on challenges and kept to a tight budget while advancing the use of technology to propel growth. He is a tremendous asset to his business and they know it. He however, is like a beautiful woman who does not know it. All the more valued for the fact that they do not act as though they are special.

When it comes to diagramming, here is what he said to me while waiting for my diagram: "I'm interested in seeing your Visio drawing. I might be better at them if I get to see a good example." I think there are a lot of administrators in this boat and therefore I chose this topic.

This diagram contains all of the information required to achieve the second diagram.

The second diagram is one I created; it reuses the information from the first diagram and adds several techniques. It adds visual cues to highlight valuable bits of information.


Techniques:

Color Coding:

You will notice in the second diagram that colors are used in at least four ways:

  1. To differentiate internal and external networks as well as other network segments such as the public Internet
  2. To differentiate network speeds such as Gigabit and 10/100
  3. For emphasis in text. Notice internal IPs are color coded blue and internal network segments show connections in blue
  4. The external resources hosted at the Washington Main Branch are grouped in a red patterned box indicating they are external resources.

Groupings:

Notice in the second diagram all of the branch resources are grouped in a box with a title. This creates organization which helps the reader understand the physical location of resources. You will also notice that servers are grouped and aligned in the main branch.

Connectors:

  • Connectors should not cross, even though sometimes it is very difficult to avoid.
  • Connectors should reinforce groupings and use similar colors to reinforce important information such as location, speed, and security level.

Well those are a few helpful hints. I hope this is valuable to those who are out there creating diagrams. Documentation is the first sign of professionalism and the process brings clarity. I wouldn't worry if it is not perfect, it is the process of creating documentation which helps you understand and communicate better. Good luck and send me your examples!

Jeff Loucks

In planning a branch office configuration, you have to consider the impact of service level and user demands on the topology selection. The options range from a fully centralized infrastructure, where all of the resources are managed at the head office, through to a fully local infrastructure, where the branch has local copies of everything it needs to work.

Here are the three main types:

  1. Fully Centralized - The head or Hub office provides all of the needed applications and authentication.
  2. Hybrid - Key workloads are transferred to the branch office
  3. Fully Local - All applications and authentication performed by local resources

Jeff Loucks

Branch offices come with a whole set of considerations, not the least of which is that they are generally less secure than the main office. This is a critical concern when putting a domain controller in each office. The primary issue in almost every branch office is managing bandwidth across the wide area network. If authentication requests are lost because of network outages, the office can be rendered unproductive, so having a domain controller in the branch can effectively relieve the need to authenticate back to the main office. RODCs are designed to be deployed in locations that have a critical need for local authentication and authorization services but that also lack the trustworthiness and physical security requirements that are appropriate for a writable domain controller.

The following comes from a number of planning documents released by Microsoft.

What Is an RODC?

Read-only domain controllers (RODCs) are a new feature of Active Directory Domain Services (AD DS) in Windows Server 2008. RODCs are additional domain controllers for a domain that host complete, read-only copies of the partitions of the Active Directory database and a read-only copy of the SYSVOL folder contents. By selectively caching credentials, RODCs address some of the challenges that enterprises can encounter in branch offices and perimeter networks (also known as DMZs) that may lack the physical security that is commonly found in datacenters and hub sites. RODCs also offer a number of manageability improvements that are described in this guide. This section describes how RODCs work with the rest of the Active Directory environment, the main differences between RODCs and writable domain controllers, and the RODC features that can help resolve a number of security or manageability issues.

  • Read-Only Active Directory Database, SYSVOL, and Unidirectional Replication
  • RODC Filtered Attribute Set, Credential Caching, and the Authentication Process with an RODC
  • Administrator Role Separation
  • Differences Between an RODC and a Writable Domain Controller
  • Advantages That an RODC Can Provide to an Existing Deployment

So what are the prerequisites to install a 2008 Read Only Domain Controller? Here are a few.

Prerequisites for Deploying an RODC

Complete the following prerequisites before you deploy a read-only domain controller (RODC):

  • Ensure that the forest functional level is Windows Server 2003 or higher, so that linked-value replication (LVR) is available. This provides a higher level of replication consistency. The domain functional level must be Windows Server 2003 or higher, so that Kerberos constrained delegation is available. If the forest functional level is Windows Server 2003, the domain functional level of all domains in the forest is Windows Server 2003 or higher.
    Constrained delegation supports security calls that must be impersonated under the context of the caller. Delegation makes it possible for applications and services to authenticate to a remote resource on behalf of a user. Because it provides powerful capabilities, typically only domain controllers are enabled for delegation. For RODCs, applications and services must be able to delegate, but only constrained delegation is allowed because it prevents the target from impersonating again and making another hop. The user or computer must be cacheable at the RODC for constrained delegation to work. This restriction places limits on how a rogue RODC may be able to abuse cached credentials.
  • Run Adprep.exe commands to prepare your existing forest and domains for domain controllers that run Windows Server 2008. The adprep commands extend the Active Directory schema and update security descriptors so that you can add Windows Server 2008 domain controllers. 
    • Prepare the forest and domains. There are three adprep commands to complete and have the changes replicate throughout the forest. Run the three commands as follows:
      • Prepare the forest by running adprep /forestprep on the server that holds the schema master operations master (also known as flexible single master operations or FSMO) role to update the schema. For more information, see Prepare a Windows 2000 or Windows Server 2003 Forest Schema for a Domain Controller That Runs Windows Server 2008.
      • Prepare the domain by running adprep /domainprep /gpprep on the server that holds the infrastructure operations master role. For more information, see Prepare a Windows 2000 or Windows Server 2003 Domain for a Domain Controller That Runs Windows Server 2008.
      • If you are installing an RODC in an existing Windows Server 2003 domain, you must also run adprep /rodcprep. For more information, see Prepare a Forest for a Read-Only Domain Controller. For more information about how to resolve possible errors when you run adprep /rodcprep, see Adprep /rodcprep can have an error if the infrastructure master for an application directory partition is not available.
    • Install Active Directory Domain Services (AD DS). You can install AD DS by using a wizard, the command line, or an answer file. For more information, see Installing an Additional Windows Server 2008 Domain Controller (http://go.microsoft.com/fwlink/?LinkID=93254).
  • Deploy at least one writable domain controller running Windows Server 2008 in the same domain as the RODC. An RODC must replicate domain updates from a writable domain controller running Windows Server 2008. For fault tolerance, you should deploy at least two writable domain controllers running Windows Server 2008. An RODC can use the second domain controller for failover if the first domain controller is not available.

All in all, branch offices are complex, and managing the environment requires comprehensive planning. Security and authentication are only one aspect. This is one area where partners earn their living, since you need to have a number under your belt before you even begin to feel comfortable.

Jeff Loucks

Perhaps the greatest challenge in Agile development methods is producing secure code in a Sprint. Microsoft developed the Security Development Lifecycle with a waterfall development methodology in mind.


So what do you do in a Scrum environment? One solution might be to take all the SDL requirements and put them into the product backlog, then pull them into the active queue (aka the sprint backlog, if you're using Scrum) just like any other user story. Another approach is to complete the entire SDL in every iteration. Every iteration would provide secured functionality after the SDL requirements have been completed. However, a whole new challenge would emerge: how do you complete all that SDL work in a short sprint of two weeks to a month?

Microsoft has been working on the problem and completed an internal beta of the new methodology earlier this month: SDL for Agile Development Methodologies.

In brief, SDL-Agile breaks the SDL into three categories of requirements:

  1. Every-Sprint requirements, the requirements so important that they must be completed every iteration;
  2. One-Time requirements, the requirements that only have to be completed once per project no matter how long it runs;
  3. Bucket requirements, the requirements that still need to be completed regularly but are not so important that they need to be completed every sprint.

To download and read the complete SDL-Agile guidance click here.

Additional reading: Agile Manifesto

Jeff Loucks

Peter Klein

Microsoft Chief Financial Officer Chris Liddell is leaving the company at the end of the year, the company announced Tuesday. Perhaps one of the strongest CFOs in the tech sector has left and Microsoft's selection shows the depth of its internal roster.

Prior to being named Microsoft CFO, Klein served as corporate vice president and CFO of Microsoft's Business Division (MBD), overseeing the financial performance of the division which includes the Microsoft Office System, Unified Communications, Microsoft Business Solutions and other businesses. In this role, Klein was responsible for overall financial management including financial and strategic planning, reporting and analysis as well as communications to the investment community.

Before joining MBD in February 2006, Klein was CFO of Microsoft's Server & Tools Business Group (STB). He joined Microsoft in 2002.

Jeff Loucks

Posted Wed, Nov 25 2009 4:19 by jeffl | with no comments

So your new Windows 7 box just arrived and they said it is 64-bit. Cool. Now how do you check?

Here are some tips which IT Pros have used for years, but first the fastest way to find out:

#1 Way to determine if you have 64 Bit Windows. Using DxDiag.

  1. Click the Start Button
  2. Type dxdiag in the search and press Enter
  3. The DirectX Diagnostic Tool will open.
  4. On the System tab, locate the Operating System row and check for 64-bit
  5. Also note at the bottom you have the ability to run the 64-bit version of the DxDiag tool.

#2 Way to determine if you have 64 Bit Windows using MSInfo32.

  1. Click the Start Button
  2. Type msinfo32 in the search and press Enter
  3. The System Information application will open.
  4. In the System Type row, check for x64-based PC

#3 Way to determine if you have 64 bit Windows using Windows Explorer

  1. Click on the Explorer Icon on the task bar
  2. In the address bar of Explorer  type C:\ and Press Enter (Picture may appear different since it shows the result after you press enter, this computer uses Windows 7)
  3. Browse the C Drive. If you see two Program Files directories (Program Files and Program Files (x86)) you have a 64 bit version of Windows

What does not work that should? The Windows Version tool (winver)

  1. Click the Start Button
  2. Type winver in the search and press Enter
  3. The About Windows window will open.
  4. This window only gives you non-processor type specific version information. I personally believe the information should be available here.
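The three working checks above (OS architecture, system type, Program Files (x86)) as one function, added here as an example that is not from the original post. It also handles a pitfall the post's tools do not show: a 32-bit process on 64-bit Windows runs under WOW64 and sees PROCESSOR_ARCHITECTURE=x86, so a script that only reads that variable can answer "32-bit" on a 64-bit machine. Assumes Windows Vista or later, where Win32_OperatingSystem exposes OSArchitecture.

```powershell
# Added example, not from the original post. Determines Windows bitness from
# the same sources DxDiag, msinfo32 and Explorer use, and reports whether the
# calling PowerShell process itself is 32-bit (WOW64) or 64-bit.
function Get-WindowsBitness {
    $os = Get-WmiObject -Class Win32_OperatingSystem   # DxDiag's "Operating System" row
    $cs = Get-WmiObject -Class Win32_ComputerSystem    # msinfo32's "System Type" row

    # PROCESSOR_ARCHITEW6432 exists only inside a 32-bit process on a 64-bit OS;
    # reading it avoids a false "32-bit" answer from a WOW64 host.
    $processIs64Bit = $env:PROCESSOR_ARCHITECTURE -ne 'x86'
    $underWow64     = (-not $processIs64Bit) -and ($env:PROCESSOR_ARCHITEW6432 -ne $null)

    New-Object PSObject -Property @{
        OSArchitecture     = $os.OSArchitecture                                  # e.g. "64-bit"
        SystemType         = $cs.SystemType                                      # e.g. "x64-based PC"
        HasProgramFilesX86 = Test-Path (Join-Path $env:SystemDrive 'Program Files (x86)')
        Is64BitOS          = ($os.OSArchitecture -like '64*') -or $underWow64
        ProcessIs64Bit     = $processIs64Bit
        RunningUnderWow64  = $underWow64
    }
}

Get-WindowsBitness | Format-List
```

If Is64BitOS is true but ProcessIs64Bit is false, you are in a 32-bit PowerShell host on a 64-bit machine, which is exactly the case a naive environment-variable check gets wrong.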

I hope you have fun with Windows 7, I am.

Jeff Loucks

My father's new desktop arrived today by courier and it has Windows 7 Home Premium 64-bit edition on the box. This marks the official launch of Windows 7, a product that really has treated me well for nearly 6 months now. When the Release to Manufacturing was announced 2 months ago I upgraded my Vista Ultimate 64-bit to Windows 7 and boy, it has been great ever since.

My father has been using Windows 7 Ultimate since July for their media center and Windows 7 Home Premium on his netbook, and he was excited to get a replacement for his XP workstation, which will retire after 5 years of service. Now I just have to carve out some time to help him migrate data. For a Windows 7 walkthrough of the User State Migration Tool, click here: http://download.microsoft.com/download/A/F/3/AF33254E-1AE4-4F7F-80A9-49E53E688511/usmt.wmv

More Information:

Windows User State Migration Tool (USMT) Version 3.0.1
http://www.microsoft.com/downloads/details.aspx?familyid=799AB28C-691B-4B36-B7AD-6C604BE4C595&displaylang=en

Windows XP to Windows 7 Hard-Link Migration of User Files and Settings
http://www.microsoft.com/downloads/details.aspx?familyid=E90EBEAD-7B48-4D1E-9461-BE5F07B83468&displaylang=en

Windows Easy Transfer for transferring from Windows XP (32 bit) to Windows 7
http://www.microsoft.com/downloads/details.aspx?familyid=734917D8-0663-4C26-89D0-2D00B632EBDB&displaylang=en

Have fun everyone!

Jeff Loucks

In my last post I talked about Visio 2010 and how we are seeing tools which can drive a lot of business value by representing data in intuitive ways through SharePoint. I raised the concern that once you see the data, the next question is how technology empowers action. The answer involves several aspects, and perhaps the most important one is role based security. The question comes down to this: if I want to share information with my boss and co-worker and give them the ability to perform different actions, how is this done using SharePoint?

It appears that the answer today for SharePoint 2010 is that role based security is still a weakness.

This provokes another question. Is it time for Microsoft to create a role based security model which is robust and can be leveraged to empower action oriented interactivity with the data and business process? The answer should be a sound barrier breaking "YES". Here is why.

We now have the pieces of the puzzle coming together to empower business users to not only see the information which is important to them but then take action on that information. Being able to trigger a SharePoint Workflow within the right security context should be a skill that is achievable for the average SharePoint user. Consider this: the SharePoint user is now not only consuming data but also re-purposing it for the use of others. Setting the conditions under which others in the organization might or might not be able to trigger a specific workflow should require skill and knowledge yet still be simple enough that a user could do it without being a developer. To do this from a user's perspective with only a few clicks, one should be able to select that anyone who works on my team can run a "follow up call" workflow but only my manager can run an "approve expenses" workflow. This is role based security and is not present in SharePoint 2010.

And so SharePoint 2010 will lack the deep security model which is required to leverage the full power it offers to users. The Achilles' heel of developing a solution will be the need to create your own role based security model to supplement this weakness in SharePoint 2010. There may be third-party products out there that help with this shortcoming.

Folks on the SharePoint team, please talk to the CRM team about their role based security. Although it is not the whole solution, it would be great to leverage a unified role based security model.

Jeff Loucks

A few years ago Microsoft started talking about 'Model Based Programming' which would bring software development skills to the masses by making it easier to conceptualize program flows, decision paths and layout key functional areas while intuitively reflecting business processes. Visio 2010 is shining light on this important avant-garde vision. And it is doing it in a manner that seems so intuitive to regular folks that it is hard not to see the value.

Software developers and network admins were not the only users of Visio, and as the Visio team looked at the other personas, one can't help but deduce that the Visio team was among the first to see the power of model-based design. In fact, one should have been able to predict that Visio would be the place where model-based programming would first surface. I confess I did not see it. And so emerges another Microsoft product with ground-breaking and important new features.

Still, I wonder if Microsoft understood Visio is the natural tool to put Model based programming in the hands of the masses. Looking around the help files, we can see that Visio can be used to create, import or export a Microsoft SharePoint Workflow which is the engine which puts Model based programming into effect.  Is it possible the team put these technologies together without understanding that they are the basis of Model Based programming? I believe, they understood perfectly well.

In fact if you look at the Visio Team blog, they talk about The Visio Graphics Service for SharePoint 2010. I recommend you spend some time on the blog since the Visio team is doing an exceptional job of laying out how this product is putting together a triple play of technologies that is sure to be a winner for business value.

A sample SharePoint / Visio mashup shows a Supply Chain Dashboard with real time data linked to the components of the supply chain.

So, the Visio team has shown how decisions are better informed by the data being represented graphically through SharePoint 2010 using the Visio Graphics Service, but I have yet to see how they have built in the functionality to empower people to act on that data. This of course would be the ability to launch a workflow through a right click on the diagram which would leverage an underlying security model to empower certain actions based on roles. Too much to ask? Maybe so. Still, for those who know Dynamics CRM offers this type of functionality, seeing information is only half the battle but empowering action is where the battle is won.

As we look toward how the technology will impact business, I believe the impact will be impressive. The tools exist to give businesses tremendous value and once again Microsoft Partners will be essential in helping companies leverage the technology to maximum effect. I look forward to spending more time working with the new version of Visio 2010, and team thanks for a job well done.

Jeff Loucks
