Learning to Fly - Mika's Blog

The above guide is finally available: http://www.microsoft.com/downloads/details.aspx?FamilyID=3a207915-dfc3-4579-90cd-86ac666f61d4&displaylang=en. Go and get it! The package contains:

• 48 page excellent guide 
• LDIF file for extending Windows Server 2003 SP1/R2 schema
• Script for modifying ACLs for computer objects in order to store TPM information and another for listing the permissions
• Script for accessing BitLocker recovery info in AD
• Script for accessing TPM recovery info in AD

According to the document, this schema update is supported for production use.

In addition to the tools within the package, you should also check a versatile manage-bde.wsf script that is included in Vista. Although it is possible to use this script to enable Bitlocker encryption on other partitions apart from boot partition (containing Windows), I wouldn't recommend it since additional steps are required and key recovery is rather complex. http://www.windowsecurity.com/articles/Best-practice-guide-how-configure-BitLocker-Part1.html includes a concise summary of the steps.

Now if only more manufactures could make updated BIOS versions available in order to use TPM. So far, I've played around with Lenovo Thinkpad T60 (BIOS version 2.06 and 2.07) and it's working perfectly :)

Although ADPREP executable exists on the Vista DVD (\sources\adprep\adprep.exe) with accompanying LDF files (sch14.ldf - sch39.ldf), you should NOT use it to extend the schema of Windows 2000/Server 2003/R2 Active Directory. These files are there for informational purposes only for showing what Longhorn Server will bring along when it'll arrive.

Windows Vista Bitlocker recovery keys cannot be stored in the Active Directory before extending the schema and modifying AD permissions. The information and tools to perform these preliminary tasks will become available some time in the near future - when it's ready, I guess ;) In the mean time, you could have a look on extending the schema for Vista wired and wireless group policy @ http://www.microsoft.com/technet/network/wifi/vista_ad_ext.mspx.

Microsoft sticked to its behaviour on the release of the Vista Security Guide as it was made available the same day that the bits went to production. The final 1.0 version is available on http://go.microsoft.com/fwlink/?LinkId=74028 :)

As you may have noticed, the security templates are no longer the primary means of defining the baseline security settings. They can still be used and are also included in the security guide package. However, the primary means for defining the baseline policies is to use the included GPOAccelerator Tool (a script) to implement the GPOs that come with the tool. The Guide comes with eight GPOs being a set of four GPOs for the Enterprise Client (EC) scenario and another set for the Specialized Security Limited Functionality (SSLF) scenario. The Guide also includes Word and Excel documents detailing the settings in each template/GPO. Go and get it!

P.S. It's also available online (without the tools) on http://www.microsoft.com/technet/windowsvista/security/guide.mspx

While looking for security info, I found that the Windows Server 2003 and XP security guides have been updated. Both have minor corrections in the text as well as updates to security templates.

Windows Server 2003 Security Guide (now version 2.1, released April 26, 2006)

• Download Center: http://go.microsoft.com/fwlink/?linkid=14846
• TechNet online: http://go.microsoft.com/fwlink/?linkid=14845

Windows XP Security Guide (now version 2.1, released April 13, 2006)

• Download Center: http://go.microsoft.com/fwlink/?linkid=14840
• TechNet online: http://go.microsoft.com/fwlink/?linkid=14839

I'm sitting on the last stint on the TLC at TechEd 2006. There have been quite a number of people who found this area and us technical experts here Thanks everyone for coming!

Over these five days, the most common questions and some additional info for myself were:

1) Group Policy processing problems

You can find basic flowchart for troubleshooting on Figure 1 of  the white paper entitled "Troubleshooting Group Policy in Microsoft Windows Server". You can also test your understanding of the group policy processing by checking little flowchart displayed in this figure in order to see whether you know what all different reasons for problems mean. Derek Melber just presented a session MGT425 here on this topic. You can also find additional information on our book

The first option I tend to use most often for GP troubleshooting is to open rsop.msc. The right (or secondary) mouse button is useful in this tool. A more advanced way of troubleshooting group policy is to use different log options available. I detail here the steps to enable the UserEnv log and a (free!) tool to interpret it. I can say that I learned my group policy skills with this log file I wish Policy Reporter would have been available in 1999 or that I would have found it then.

1. Either use http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833 to set the UserEnvDebugLevel registry setting OR perform steps 2-7
2. Download GPO Logging ADM Template from http://www.gpoguy.com/Tools.htm#EventLogADM.
3. Extract gpolog.adm from the zip file.
4. Open gpedit.msc (GPOE) on the machine you want to start monitoring.
5. Add the template into GPOE (right-click Administrative Templates > Add/Remove Templates… > Add… > pick the gpolog.adm
6. In the View menu, select Filtering… uncheck setting “Only show policies that can be fully managed”
7. Open Local Computer Policy\Administrative Templates\System\Group Policy\Logging
   Enable UserEnv.Log logging of policy (and profiles) with Verbose logging.
8. Restart the computer.
9. Log file userenv.log is created in %Windir%\Debug\UserMode.
10. In order to interpret this file, download Policy Reporter from http://www.sysprosoft.com/policyreporter.shtml.
11. Install Policy Reporter and start it.

The new version of Policy Reporter even displays the processing delays. Obviously, you have to run these steps as an administrator. I use runas most of the time.

Other well hidden gems worth mentioning are 32 GPMC scripts (found in %Program Files%\GPMC\Scripts after installing GPMC) that many haven't found yet. They are great for backing up GPOs and documenting them.

2) Active Directory DCs on 64-bit architecture

You can find a recent white paper entitled "Active Directory Performance for 64-bit Versions of Windows Server 2003" on this topic. Microsoft's recommendation is to start considering converting existing environments to 64-bit architecture on environments when the size of your AD database exceeds 2.75 GB.

3) Problems with large number of group memberships

Another question that we discussed with several attendees had to do with Maximum Kerberos token size which may become an issue (e.g. kb 327825) in larger environments. Good information is available on http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx.  You can download command line tool called TokenSz in order to see the current token and to further diagnose it.

4) DNS problems

DNS being the cornerstone of Active Directory network is very often the culprit for various problems (authentication, replication, GP processing etc.). There is a plenty of information available on many sites. The best troubleshooting tip is to get it right the first time i.e knowing what you are doing when configuring the DNS service. In case you are having problems, you might want to start with TechNet Support WebCast: Troubleshooting DNS @ http://support.microsoft.com/?kbid=905900 & DCDIAG tool to pinpoint your problems.

Network Monitor III

The most exciting tool I've seen this week was Microsoft Network Monitor III. For many problems and troubleshooting them, I often use Network Monitor 2.0 (either the one included in Windows Server operating systems or the full version from SMS 2003). The new version 3.0 will become available on a limited beta at the end of the summer. Some of the features that we saw today, were:

• Capturing multiple interfaces simultaneously
• Dynamic display filters
• Configurable parsers
• Only network monitor tool to work on Windows Vista

I'm looking forward to the beta programme and the lauch of the tool - when it's going to be ready.

That's all for now. Regards to everyone and thanks! This was my second TechEd and the first in U.S. It was also the best TechEd so far

I have safely arrived in Boston and will be working as an Technical Expert on the Technical Learning Center in Windows Server Infrastructure Track. Hope to see you there!

Tomorrow, I'll present a talk on Windows Server 2003 R2 in the Technet Pro 2006 seminar in the Finlandia Hall. The event was fully booked weeks ago with some 1400 registrations! My demo setup for tomorrow will include four virtual machines (three WS03 R2 & one Windows XP) running on Virtual Server R2 which runs on Windows Server 2003 R2, Enterprise Edition. Since I won't demo ADFS, this setup should be enough. any way, I'm looking forward to a great event.

For the last few weeks I've started to get myself familiar with Office 2007. Also, I've "upgraded" my Vista installation to build 5308 - and I've done it twice already. The first time I joined the machine into AD domain over VPN and on the second time I made the join while connected through Ethernet. It seems that the second time & route made the Vista run smoother :) BTW, there's a lot of great info on Vista @ http://windowsconnected.com/. I'm sure that the IE 7 chat that I just participated will find its way into the forums of that site as well - it's there already!!!

In the beginning of the week, I conducted a IIS 6 course, MOC 2576. During the research, I came across with another MVP's, Bernard Cheah's great IIS blog. http://www.iistoolshed.com/ is a nice collection of IIS related tools. To start off with diagnosing IIS, you could first check out IIS Diagnostics Toolkit.

I've been extremely busy with courses & seminars over the last few weeks - dare I say it's been one of the busiest January that I can recall. However, in between I've come across some great security related info:

• The "RunAs Guru", Aaron Margosis, posted that the LUA White Paper has been released. It's available on http://go.microsoft.com/?LinkId=58445.
• Ian Hameroff has written a great summary on IPSec and its evolving role in securing corporate LANs.
• WSSRA Virtual Environments for Development and Test was released few weeks go. I wish I had time to set up some of those scenarios...
• Jason Fossen has posted a great set of scripts and other info on ISAscripts.org as a downloadable zip file.
• Last but not least, Technet Virtual Labs have nice testbeds for you try out the most common scenarios for a number of Microsoft products without need to set up your own lab.

My employer (and the company that I was a senior partner and shareholder of), Sovelto Oy, merged with another ICT training and consulting company, FCS Partners Oyj, as of today. We are really excited about the merger and are really looking forward to an exciting future. Together we form the largest ICT training company in Finland. FCS Partners and Sovelto are the two rising stars in the market. Both companies have grown and developed under the hard circumstances after the rapid growth in the IT market. The organization of the merged company will be based on experts and partners with high value on expertise and professional training. In the flat hierarchy organization all personnel will be directly interfacing the customers.

Over the last weekend we've started to integrate our IT systems. So far, so good :) Of course, there have been minor hickups but nothing major so far. What makes it so interesting is that both companies are using the latest versions of most Microsoft server applications and operating systems.

BTW, the name of the new company is FCS Sovelto Oyj.

Microsoft has revised its "core" security guides.

Windows Server 2003 Security Guide
http://go.microsoft.com/fwlink/?linkid=14846
now integrates info on Service Pack 1 and Security Configuration Wizard. Three scenarios have been slightly modified and are now called Legacy Client (LC), Enterprise Client (EC), and Specialized Security – Limited Functionality (SSLF). The version history (from ReleaseNotes.txt):
v2.0 Released: December 27, 2005
v1.3 Released: January 22, 2004
v1.2 Released: August 14, 2003
v1.1 Released: April 28, 2003
v1.0 Originally Released: April 24, 2003

Threats and Countermeasures Guide
http://go.microsoft.com/fwlink/?linkid=15160
From ReleaseNotes.txt: “Multiple changes to most of the chapters to reflect the new settings that are included in Windows Server 2003 Service Pack 1 and Windows XP Service Pack 2.” The version history (from ReleaseNotes.txt):
v2.0 Released: December 27, 2005
v1.2 Released: January 22, 2004
v1.1 Released: August 14, 2003
v1.0 Originally Released: April 24, 2003

The last one was updated already earlier:

Windows XP Security Guide
http://go.microsoft.com/fwlink/?linkid=14840
Content quite heavily revised. The version history (from ReleaseNotes.txt):
v2.1 Released: October 20, 2005
v2.0 Released: August 25, 2004
v1.5 Released: January 22, 2004
v1.0 Originally Released: May 22, 2003

As I write this, I'm happily downloading the new December CTP build of Vista and Longhorn. Should be here (or actually in Helsinki) by morning... :)

Since msmvps.com is now running on Community Server, I thought it's about the time to get my act together again... I started by changing the display skin - partially since the one that I used before the upgrade wasn't available ;)

Autumn has been great! A lot of things have happened the absolute best being the MVP Summit in Redmond at the end of September. It was my second time on Microsoft campus and definitely better than the first! (The first was a pre-conference two-day MSF course of Windows 2000 MCT Technology Week in 2000). It was great to meet all those great and active fellow MVPs whose books, messages, postings and articles I've seen over the years. I learnt quite a bit about new technologies to come. It was also great to see the amount of effort and dedication Microsoft is putting into MVP programme :)

On Tuesday of that week I participated (Windows Server 2003) R2 September Tour with some 40 other beta testers. We met with a number of program groups and probably had some contribution to the final product. R2 RTM'd (was released to manufacturing) on an easy day for me to remember - the 6th of December, which happens to be our (Finland) Independence Day. R2 beta programme was the best I've ever participated! Now, we've only yet to get the Volume Licensing versions. I've talked and presented on R2 on various events during the autumn. Centralized print management, new distributed file system and file server management with new filtering, quotas and reporting are certainly going to implemented in most R2 deployments. Active Directory Federation Service (ADFS) is conceptually the most difficult R2 technology to grasp but it also enables some interesting scenarions for web applications between organizations. BTW, you can get the Windows Server 2003 R2 Administration Tools Pack with the following administration tools

• Print Management
• File Server Resource Manager (which includes Distributed File System)
• Identity Management for Unix
• MMC 3.0

A relaxing summer vacation is over. I managed to stay away from computers for most of the three weeks’ period J Prior to that I participated my first TechEd in Amsterdam and enjoyed it tremendously. Lot’s of interesting stuff and I also met a lot of nice people. My special thanks go to Ronald Beekelaar for organizing work for us to do!

Last week I couldn’t resist the temptation of installing beta 1of Vista. It was working surprisingly smoothly on VMware 5.0 guest on the internal hard disk of my laptop following Ipsi2000’s tips on http://www.vmware.com/community/thread.jspa?threadID=19960&start=15. On Monday this week I also installed Longhorn Server Beta 1 on Virtual PC 2004 SP1 guest and after installing VPC additions, things were rolling smoothly on that machine as well J I’m not sure what went wrong but I had to create the system partition with Windows Server 2003 Setup CD before setup continued past partition selection.

I thought I’d share few things. First off is the Windows Server 2003 user based auditing (officially called Per-User Selective Audit). I initially learned about it a long time ago but never figured out how to make it work. Now there is an article on this topic in the July issue of Windows IT Pro magazine. Unfortunately, you can only see the beginning (http://www.windowsitpro.com/Windows/Article/ArticleID/46625/46625.html) unless you’re a subscriber. Fortunately, there is information on this topic almost directly from Redmond on Windows auditing team’s blog  (http://blogs.msdn.com/ericfitz/archive/2004/12/20/327478.aspx). To summarize, the built-in command auditusr can be used in Windows Server 2003 SP1 and XP SP2 to include or exclude certain user(s) from auditing of other categories than object or directory access. The command simply wasn’t there in Windows Server 2003 RTM (Released to Manufacturing) so no wonder I couldn’t find it…

The second issue to share is a basic logon script for connecting two printers for certain users. Used with the (Computer configuration\Administrative Templates\System\Group Policy\)User Group Policy Loopback Processing group policy setting in Merge mode, it is easy to connect two printers for users based on the location of computer object (rather than user object which is the default behaviour) in the OU structure. The script is here:

Option Explicit

On Error Resume Next

Dim wshShell,ConnectPrinter1,ConnectPrinter2,SetDefaultPrinter

Set wshShell = WScript.CreateObject("WScript.Shell")

ConnectPrinter1 = "rundll32 printui.dll,PrintUIEntry /in /n\\printserver\printer1 /q"

SetDefaultPrinter = "rundll32 printui.dll,PrintUIEntry /y /n\\printserver\printer1"

ConnectPrinter2 = "rundll32 printui.dll,PrintUIEntry /in /n\\printserver\printer2 /q"

wshShell.Run ConnectPrinter1,0,True

wshShell.Run ConnectPrinter2,0,True

wshShell.Run SetDefaultPrinter,0,True

Set wshShell = Nothing

WScript.Quit()

Thanks for Kari Lehtinen in Hyvinkää for helping to fully utilize the power of the script! BTW, you can find the syntax and examples of the command by running (Start - Run)

rundll32 printui.dll,PrintUIEntry /?

The parameter is case-sensitive!

Greetings from Amsterdam!

I've already experienced a fabulous canal cruise and an excellent 1-day preconference session by Mark Russinovich and David Solomon. You can find me at R2 Branch Office Ask-The-Experts stand (20A) during the remainder of the week

You can get it on http://www.microsoft.com/technet/prodtechnol/windowsserver2003/servicepack/default.mspx. I used the beta & RC versions in the past and due to the great experiences with them, installed SP1 to my WS03 Std Edition straight away. So far, everything is good...

http://www.microsoft.com/WindowsServer2003/downloads/servicepacks/sp1/sp1datasheet.mspx has a nice overview what's new.

http://www.microsoft.com/windowsserver2003/64bit/x64/default.mspx states that x64 versions of Windows Server 2003 for AMD64 and Intel EM64T systems will be available in another 24 days.

I've had a 16 (virtual) machine WSUS RC test lab up and running now for almost a week and it is running sweet :) This time I decided to use a workgroup scenario and WSUS's own computer group targeting. A bit more work than using AD & Group Policy but nice to see how well it works. Few comments:

• If you use virtual machines (and are running on a "memory-limited" host machine), make sure to reserve at least 384 MB of RAM for the WSUS server
• In order to speed things up initially in the clients i.e. to make the AU client to check up a specific SUS/WSUS server once, I used Software Update Services Utility instead of hacking the registry and restarting the Automatic Update service manually. The utility is a small command line tool with which you can force the AU client to call up a specific SUS/WSUS server within the next ten minutes instead of waiting for hours
• Computers will show up in the Computers section after they've made the first contact with the WSUS server. There is no "magic button" to add them there
• As stated in the WSUS Deployment Guide, "Microsoft Windows SQL Server 2000 Desktop Engine (WMSDE) ships with WSUS. It is available only if you install WSUS on a computer running Windows Server 2003. It is similar to the next option, SQL Server 2000 Desktop Engine (MSDE), but without limitations for database size or connections."
• Information on updates is first downloaded into the database. When a WSUS client reports that it needs an update, WSUS decides that on the next synchronization cycle, it'll download the update
• http://www.susserver.com/ has tons of info on SUS but especially the forum starts to heat up on WSUS as well

Overall, the system has been running really well. WSUS will certainly be a very welcome (and recommended) upgrade over SUS.

The successor to Software Update Services (SUS) is nearing its completion :) You can register for eval and download it on http://www.microsoft.com/windowsserversystem/updateservices/evaluation/trial/default.mspx

Highlights to follow...

What a hectic month February was! It started with some Windows Server 2003 & Active Directory training. In between I had an opportunity to fly over to UK to "cure" one Active Directory. And then towards the end of month I dug deep into Group Policy. Simultaneously, I was trying my best to be active in R2 beta programme which has been the best beta I've ever participated. Lots of action although some of it took place during day time - PST. We're ten hours ahead of it here in Finland ...

Last Thursday we had the first annual Technet Pro seminar with some 1300 people! The MVP status was lifted into the spotlight when with another MVP, I had an opportunity to speak in the keynote! I started by presenting the Windows Server roadmap and continued by demonstrating Windows Server 2003 SP1 Security Configuration Wizard and "R2" Branch Office technologies such as improved DFS (Distributed File System) and printer management. Interesting stuff!

Later I had a 45 minute talk on securing intranet and its services.The biggest challenge was trying to squeeze all services into as few virtual machines as possible in order to be able to demo them. Some challenges propped out during the demo as well...

Some of the gems I've come across during these busy weeks are:

http://www.microsoft.com/ISAServer/ has links to downloading eval for the Enterprise Edition which was launched last week. This is the first Microsoft product to store its configuration in ADAM (Active Directory Application Mode) directory. Enterprise Edition is available for download in MSDN for subscribers. Few days earlier, Service Pack 1 for Standard Edition became also available.

Darren Mar-Elia has a lot of great technical info on Group Policy on his site http://www.gpoguy.com/. The discovery of the months was his info on modifying the registry so that the Properties tab on Active Directory object (site, domain, OU) in ADUC (Active Directory Users and Computers) would show the "legacy" interface after installing GPMC (Group Policy Management Console). In quite a few GP demos before, I have had two DCs so that I can demo both tabs. After all, there is not much to show after GPMC is installed since there is only the Open button for accessing GPMC.

At the end of January (and I tell about it only now...) AutoProf changed its name to become DesktopStandard Corporation. Their PolicyMaker was awarded as SearchWin2000.com product of the year for 2004. I strongly recommend anybody wishing to learn extensibility of Group Policy to get familiar with DesktopStandard's products. Best of all, they've made one of the extensions available in a FREE tool PolicyMaker Registry Extension.

In order to learn how Group Policy processing really works (or doesn't work), you should enable the user environment debug logging. Technet kb article 221833 has the necessary info on modifying the registry. SysPro Software's Policy Reporter makes it much easier to interpret the output of the log file, userenv.log.

TechEd 2005 sessions have also become available. That's all for now, folks!