Learning to Fly - Mika's Blog : Active Directory

BitLocker Recovery Password Viewer for Active Directory Users and Computers tool

mika — Tue, 23 Jan 2007 04:20:00 GMT

A tool for viewing Bitlocker recovery passwords is now available: http://support.microsoft.com/?kbid=928202. It is supported when installed on Windows XP SP2 or Windows Server 2003.

Guide for Configuring AD to Back up BitLocker and TPM Recovery Information

mika — Fri, 12 Jan 2007 06:10:00 GMT

The above guide is finally available: http://www.microsoft.com/downloads/details.aspx?FamilyID=3a207915-dfc3-4579-90cd-86ac666f61d4&displaylang=en. Go and get it! The package contains:

48 page excellent guide
LDIF file for extending Windows Server 2003 SP1/R2 schema
Script for modifying ACLs for computer objects in order to store TPM information and another for listing the permissions
Script for accessing BitLocker recovery info in AD
Script for accessing TPM recovery info in AD

According to the document, this schema update is supported for production use.

In addition to the tools within the package, you should also check a versatile manage-bde.wsf script that is included in Vista. Although it is possible to use this script to enable Bitlocker encryption on other partitions apart from boot partition (containing Windows), I wouldn't recommend it since additional steps are required and key recovery is rather complex. http://www.windowsecurity.com/articles/Best-practice-guide-how-configure-BitLocker-Part1.html includes a concise summary of the steps.

Now if only more manufactures could make updated BIOS versions available in order to use TPM. So far, I've played around with Lenovo Thinkpad T60 (BIOS version 2.06 and 2.07) and it's working perfectly :)

Windows Vista Bitlocker recovery keys and Active Directory schema extension

mika — Thu, 07 Dec 2006 09:03:00 GMT

Although ADPREP executable exists on the Vista DVD (\sources\adprep\adprep.exe) with accompanying LDF files (sch14.ldf - sch39.ldf), you should NOT use it to extend the schema of Windows 2000/Server 2003/R2 Active Directory. These files are there for informational purposes only for showing what Longhorn Server will bring along when it'll arrive.

Windows Vista Bitlocker recovery keys cannot be stored in the Active Directory before extending the schema and modifying AD permissions. The information and tools to perform these preliminary tasks will become available some time in the near future - when it's ready, I guess ;) In the mean time, you could have a look on extending the schema for Vista wired and wireless group policy @ http://www.microsoft.com/technet/network/wifi/vista_ad_ext.mspx.

My TechEd top 4 & Network Monitor 3

mika — Fri, 16 Jun 2006 16:45:00 GMT

I'm sitting on the last stint on the TLC at TechEd 2006. There have been quite a number of people who found this area and us technical experts here Thanks everyone for coming!

Over these five days, the most common questions and some additional info for myself were:

1) Group Policy processing problems

You can find basic flowchart for troubleshooting on Figure 1 of the white paper entitled "Troubleshooting Group Policy in Microsoft Windows Server". You can also test your understanding of the group policy processing by checking little flowchart displayed in this figure in order to see whether you know what all different reasons for problems mean. Derek Melber just presented a session MGT425 here on this topic. You can also find additional information on our book

The first option I tend to use most often for GP troubleshooting is to open rsop.msc. The right (or secondary) mouse button is useful in this tool. A more advanced way of troubleshooting group policy is to use different log options available. I detail here the steps to enable the UserEnv log and a (free!) tool to interpret it. I can say that I learned my group policy skills with this log file I wish Policy Reporter would have been available in 1999 or that I would have found it then.

Either use http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833 to set the UserEnvDebugLevel registry setting OR perform steps 2-7
Download GPO Logging ADM Template from http://www.gpoguy.com/Tools.htm#EventLogADM.
Extract gpolog.adm from the zip file.
Open gpedit.msc (GPOE) on the machine you want to start monitoring.
Add the template into GPOE (right-click Administrative Templates > Add/Remove Templates… > Add… > pick the gpolog.adm
In the View menu, select Filtering… uncheck setting “Only show policies that can be fully managed”
Open Local Computer Policy\Administrative Templates\System\Group Policy\Logging
Enable UserEnv.Log logging of policy (and profiles) with Verbose logging.
Restart the computer.
Log file userenv.log is created in %Windir%\Debug\UserMode.
In order to interpret this file, download Policy Reporter from http://www.sysprosoft.com/policyreporter.shtml.
Install Policy Reporter and start it.

The new version of Policy Reporter even displays the processing delays. Obviously, you have to run these steps as an administrator. I use runas most of the time.

Other well hidden gems worth mentioning are 32 GPMC scripts (found in %Program Files%\GPMC\Scripts after installing GPMC) that many haven't found yet. They are great for backing up GPOs and documenting them.

2) Active Directory DCs on 64-bit architecture

You can find a recent white paper entitled "Active Directory Performance for 64-bit Versions of Windows Server 2003" on this topic. Microsoft's recommendation is to start considering converting existing environments to 64-bit architecture on environments when the size of your AD database exceeds 2.75 GB.

3) Problems with large number of group memberships

Another question that we discussed with several attendees had to do with Maximum Kerberos token size which may become an issue (e.g. kb 327825) in larger environments. Good information is available on http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx. You can download command line tool called TokenSz in order to see the current token and to further diagnose it.

4) DNS problems

DNS being the cornerstone of Active Directory network is very often the culprit for various problems (authentication, replication, GP processing etc.). There is a plenty of information available on many sites. The best troubleshooting tip is to get it right the first time i.e knowing what you are doing when configuring the DNS service. In case you are having problems, you might want to start with TechNet Support WebCast: Troubleshooting DNS @ http://support.microsoft.com/?kbid=905900 & DCDIAG tool to pinpoint your problems.

Network Monitor III

The most exciting tool I've seen this week was Microsoft Network Monitor III. For many problems and troubleshooting them, I often use Network Monitor 2.0 (either the one included in Windows Server operating systems or the full version from SMS 2003). The new version 3.0 will become available on a limited beta at the end of the summer. Some of the features that we saw today, were:

Capturing multiple interfaces simultaneously
Dynamic display filters
Configurable parsers
Only network monitor tool to work on Windows Vista

I'm looking forward to the beta programme and the lauch of the tool - when it's going to be ready.

That's all for now. Regards to everyone and thanks! This was my second TechEd and the first in U.S. It was also the best TechEd so far

WS03 User based auditing & simple logon script to connect printers

mika — Wed, 03 Aug 2005 22:24:00 GMT

A relaxing summer vacation is over. I managed to stay away from computers for most of the three weeks’ period J Prior to that I participated my first TechEd in Amsterdam and enjoyed it tremendously. Lot’s of interesting stuff and I also met a lot of nice people. My special thanks go to Ronald Beekelaar for organizing work for us to do!

Last week I couldn’t resist the temptation of installing beta 1of Vista. It was working surprisingly smoothly on VMware 5.0 guest on the internal hard disk of my laptop following Ipsi2000’s tips on http://www.vmware.com/community/thread.jspa?threadID=19960&start=15. On Monday this week I also installed Longhorn Server Beta 1 on Virtual PC 2004 SP1 guest and after installing VPC additions, things were rolling smoothly on that machine as well J I’m not sure what went wrong but I had to create the system partition with Windows Server 2003 Setup CD before setup continued past partition selection.

I thought I’d share few things. First off is the Windows Server 2003 user based auditing (officially called Per-User Selective Audit). I initially learned about it a long time ago but never figured out how to make it work. Now there is an article on this topic in the July issue of Windows IT Pro magazine. Unfortunately, you can only see the beginning (http://www.windowsitpro.com/Windows/Article/ArticleID/46625/46625.html) unless you’re a subscriber. Fortunately, there is information on this topic almost directly from Redmond on Windows auditing team’s blog (http://blogs.msdn.com/ericfitz/archive/2004/12/20/327478.aspx). To summarize, the built-in command auditusr can be used in Windows Server 2003 SP1 and XP SP2 to include or exclude certain user(s) from auditing of other categories than object or directory access. The command simply wasn’t there in Windows Server 2003 RTM (Released to Manufacturing) so no wonder I couldn’t find it…

The second issue to share is a basic logon script for connecting two printers for certain users. Used with the (Computer configuration\Administrative Templates\System\Group Policy\)User Group Policy Loopback Processing group policy setting in Merge mode, it is easy to connect two printers for users based on the location of computer object (rather than user object which is the default behaviour) in the OU structure. The script is here:

Option Explicit

On Error Resume Next

Dim wshShell,ConnectPrinter1,ConnectPrinter2,SetDefaultPrinter

Set wshShell = WScript.CreateObject("WScript.Shell")

ConnectPrinter1 = "rundll32 printui.dll,PrintUIEntry /in /n\\printserver\printer1 /q"

SetDefaultPrinter = "rundll32 printui.dll,PrintUIEntry /y /n\\printserver\printer1"

ConnectPrinter2 = "rundll32 printui.dll,PrintUIEntry /in /n\\printserver\printer2 /q"

wshShell.Run ConnectPrinter1,0,True

wshShell.Run ConnectPrinter2,0,True

wshShell.Run SetDefaultPrinter,0,True

Set wshShell = Nothing

WScript.Quit()

Thanks for Kari Lehtinen in Hyvinkää for helping to fully utilize the power of the script! BTW, you can find the syntax and examples of the command by running (Start - Run)

rundll32 printui.dll,PrintUIEntry /?

The parameter is case-sensitive!

Hectic February is well over

mika — Sat, 05 Mar 2005 23:13:00 GMT

What a hectic month February was! It started with some Windows Server 2003 & Active Directory training. In between I had an opportunity to fly over to UK to "cure" one Active Directory. And then towards the end of month I dug deep into Group Policy. Simultaneously, I was trying my best to be active in R2 beta programme which has been the best beta I've ever participated. Lots of action although some of it took place during day time - PST. We're ten hours ahead of it here in Finland ...

Last Thursday we had the first annual Technet Pro seminar with some 1300 people! The MVP status was lifted into the spotlight when with another MVP, I had an opportunity to speak in the keynote! I started by presenting the Windows Server roadmap and continued by demonstrating Windows Server 2003 SP1 Security Configuration Wizard and "R2" Branch Office technologies such as improved DFS (Distributed File System) and printer management. Interesting stuff!

Later I had a 45 minute talk on securing intranet and its services.The biggest challenge was trying to squeeze all services into as few virtual machines as possible in order to be able to demo them. Some challenges propped out during the demo as well...

Some of the gems I've come across during these busy weeks are:

http://www.microsoft.com/ISAServer/ has links to downloading eval for the Enterprise Edition which was launched last week. This is the first Microsoft product to store its configuration in ADAM (Active Directory Application Mode) directory. Enterprise Edition is available for download in MSDN for subscribers. Few days earlier, Service Pack 1 for Standard Edition became also available.

Darren Mar-Elia has a lot of great technical info on Group Policy on his site http://www.gpoguy.com/. The discovery of the months was his info on modifying the registry so that the Properties tab on Active Directory object (site, domain, OU) in ADUC (Active Directory Users and Computers) would show the "legacy" interface after installing GPMC (Group Policy Management Console). In quite a few GP demos before, I have had two DCs so that I can demo both tabs. After all, there is not much to show after GPMC is installed since there is only the Open button for accessing GPMC.

At the end of January (and I tell about it only now...) AutoProf changed its name to become DesktopStandard Corporation. Their PolicyMaker was awarded as SearchWin2000.com product of the year for 2004. I strongly recommend anybody wishing to learn extensibility of Group Policy to get familiar with DesktopStandard's products. Best of all, they've made one of the extensions available in a FREE tool PolicyMaker Registry Extension.

In order to learn how Group Policy processing really works (or doesn't work), you should enable the user environment debug logging. Technet kb article 221833 has the necessary info on modifying the registry. SysPro Software's Policy Reporter makes it much easier to interpret the output of the log file, userenv.log.

TechEd 2005 sessions have also become available. That's all for now, folks!

Reprint of the book

mika — Sat, 29 Jan 2005 14:39:00 GMT

We just received a note from our publisher stating that the 2nd Edition of our book "Inside Active Directory" is going to reprint :) Based on this and earlier information, it looks like Amazon rank isn't the full truth...

BTW, you can read the third chapter "Managing Active Directory OUs, Users, and Groups" of the book online. And if you happen to be Technet subcsriber, you can find chapter 4 "Securing Active Directory" of the first edition of the book on the Techical Information CD. The last CD/DVD that included the chapter was the December 2004.