I’m currently getting ready for some speaking engagements:
Next Tuesday (Sept 21st) I am proud to moderate the Windows Infrastructure track of the IIR IT-Admin TechTalk. In this track we cover not only operating-system related technologies but also Cloud, Office 365, SharePoint and Exchange. I will also present two sessions there myself:
13 Years Active Directory
an overview of previous and future scenarios
I will cover various design considerations, misunderstandings in early designs, and whether corporate infrastructures have adjusted or should be adjusted. At the end we will look at challenges for future designs, on-premises and in the cloud.
Who am I in the cloud?
In this session I will talk about challenges and opportunities of cloud computing in general and Office 365 in particular: Does cloud mean sunshine for the CIO and rain for the admin? Which skills are needed? What is the long-term strategy for cloud computing in your enterprise?
The IT-Admin TechTalk will take place in Frankfurt and is held in German.
The next international conference is also coming up.
The Experts Conference Europe will also take place in Frankfurt, in October this year, about half a year after TEC USA in Las Vegas. TEC is known as the best and most in-depth conference when it comes to Directory Services, and over the years it has expanded beyond the AD and FIM tracks to cover Exchange, SharePoint and Cloud technologies in separate tracks. TEC attracts highly skilled speakers, and Microsoft values the conference so much that it sends more Program Managers and Developers from the product groups to TEC than to its own IT-Pro conference, TechEd. Additionally, TechEd EU will not take place this year, so maybe you are able to convince your boss. Las Vegas was a great success with lots of interesting sessions and a lot of community interaction, and I am very much looking forward to Frankfurt. This conference is in English.
I will present three sessions at The Experts Conference but will post details later when the agenda is finalized.
Ulf
In case you missed it: yesterday was the keynote of the BUILD conference (the Professional Developers Conference got a new name), and Steven Sinofsky (President of the Windows and Windows Live Division at Microsoft) officially introduced the first public version of Windows “8”. Pretty exciting, and a lot of changes. You can watch the keynote at www.buildwindows.com and download the developer preview at dev.windows.com. If you are an MSDN subscriber there are more versions and information available, including a developer preview of the server version. If you are at BUILD, I highly recommend attending the server sessions as well; as far as I know there is one today giving an overview of what is coming in the next server version. Pretty exciting!
Please remember:
- Windows “8” is a codename and might change
- It is a developer preview, not a reasonably stable beta; use it only for testing and for starting to develop for the new user interface (Metro, the same design language as on Windows Phone)
And BTW, some tips:
- Since Vista you can install from a USB key, which I find totally cool. You will likely have to re-format your USB key. You can do this with Diskpart.exe: “List Disk”, “Select Disk #” (make sure you have selected the key and not one of your hard disks, because the next step wipes the selected disk; “Detail Disk” shows you which one you have). “Clean” wipes the key; then “Create Partition Primary”, make it “Active”, and format it NTFS with “Format FS=NTFS QUICK”. FAT or FAT32 won’t work here because FAT32 cannot store a single file larger than 4 GB and the developer preview image exceeds that. Copy all files from the (extracted) ISO image to the USB key. Afterwards you can boot from the key and install.
- If the installation fails to find the disk drive and prompts you to point to a driver, it might be an issue with the USB key (some are detected as hard drives and cause trouble during installation). Try a different key, or burn the ISO. Bad news here: you need to burn it to a dual-layer DVD since it is too large. And installing from a USB key is usually faster than from DVD.
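The diskpart steps above as a script, added here as an example and not part of the original post. It assumes the extracted ISO lies in C:\Win8DP, that the USB key is the only USB disk attached (the script refuses to run otherwise, because “clean” wipes whatever disk number you hand to diskpart), and an elevated PowerShell on Vista or Windows 7.

```powershell
# Added example (not from the original post): prepare a USB key for the
# Windows "8" Developer Preview installation, following the diskpart steps
# described above. Assumptions: extracted ISO in C:\Win8DP, exactly one USB
# disk attached, elevated PowerShell on Vista/7.
param(
    [string]$SourceDir = 'C:\Win8DP',
    [switch]$Force
)

# Identify the USB disk and refuse to continue unless exactly one is present.
$usb = @(Get-WmiObject Win32_DiskDrive | Where-Object { $_.InterfaceType -eq 'USB' })
if ($usb.Count -ne 1) {
    throw "Expected exactly one USB disk, found $($usb.Count). Unplug other USB drives first."
}
$diskNumber = $usb[0].Index
$sizeGB     = [math]::Round($usb[0].Size / 1GB, 1)
Write-Host "Target: Disk $diskNumber ($($usb[0].Model), $sizeGB GB) - ALL DATA ON IT WILL BE LOST"
if (-not $Force) { throw 'Re-run with -Force once you have verified the disk number.' }

# NTFS, because FAT32 cannot hold a single file larger than 4 GB.
$script = @"
select disk $diskNumber
clean
create partition primary
select partition 1
active
format fs=ntfs quick label="WIN8DP"
assign
exit
"@
$scriptFile = Join-Path $env:TEMP 'usbkey.dp.txt'
$script | Set-Content -Path $scriptFile -Encoding ASCII
diskpart.exe /s $scriptFile | Out-Null
Remove-Item $scriptFile -Force

# Find the drive letter diskpart just assigned to the new volume.
Start-Sleep -Seconds 3
$volume = Get-WmiObject Win32_LogicalDisk | Where-Object { $_.VolumeName -eq 'WIN8DP' }
if (-not $volume) { throw 'New volume not found; run diskpart interactively to inspect the key.' }

# Copy the extracted ISO contents; /E keeps the empty directories Setup expects.
robocopy.exe $SourceDir "$($volume.DeviceID)\" /E /NFL /NDL | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
Write-Host "Done. Boot from $($volume.DeviceID) to start Setup."
```

Run it once without -Force to see which disk would be wiped, then again with -Force.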
Enjoy the preview!
Ulf
I was asked many times “what may break if I raise the forest or domain functional level?”. Usually … nothing! Actually, I have never heard of anything breaking when the forest or domain level was raised. However, with domain controllers running Windows Server 2008 or lower there was no possibility to roll back the forest or domain level.
…
No way!
…
No way?
…
OK, you were able to do a forest recovery (recovering at least one DC of each domain in the forest and rebuilding the forest from there), however I doubt that this is usually an option.
What are domain or forest functional levels for? Actually, the only thing they do is tell every domain controller that each DC in the domain or forest now runs at least a certain operating system version, that there will be no new dcpromos of down-level operating systems (or at least they will not succeed, so no down-level DCs are added), and that the domain controllers may enable certain features which are only allowed once all DCs are at that level. Examples are linked value replication at the Windows Server 2003 forest level, fine-grained password policies at the Windows Server 2008 domain level, automatic SPN management for managed service accounts at the Windows Server 2008 R2 domain level, and the possibility to turn on the AD Recycle Bin at the Windows Server 2008 R2 forest level. The functional level change only ensures that there are no down-level DCs at that point and publishes that status so all DCs know about it. Each DC then locally makes the changes it needs in order to communicate at the new level, such as changing its database when the Recycle Bin is turned on, or announcing that it is willing to replicate attribute values separately instead of as one big blob.
However, companies were reluctant to raise the forest or domain level. Not because of known harm, but because recovery is not easy if anything should happen.
In Windows Server 2008 R2 the Active Directory product group made some changes: you can raise the domain and forest level, and you can also roll the level back to Windows Server 2008 (but not any lower) and switch back and forth as you like. Raising the forest or domain level is reversible …
… unless you enable an optional feature which requires this level!
So this has changed. Raising the forest or domain level does not automatically enable features which make the level irreversible. You can first raise the level, wait for a few hours, days or weeks (as you like or as your company's change process requires), and after you have made sure that all applications are working, turn on the features you want. Each new Active Directory optional feature (right now, in Windows Server 2008 R2, there is only the Recycle Bin) states whether it can be turned off again and which forest or domain level it requires. The Recycle Bin cannot be disabled once enabled and, as stated, needs the Windows Server 2008 R2 forest level.
So rollback of the forest and domain level is possible. However, once you have raised the level to Windows Server 2008 R2, the user interface will not let you lower it again. This might lead to some confusion.
But we also have the PowerShell cmdlets for Active Directory to help us out.
First we need to load the Active Directory module:
Import-Module ActiveDirectory
Then we need to lower the forest level first (the forest level is the minimum level for every domain in the forest, therefore we cannot lower a domain level below the forest level):
Set-ADForestMode -Identity (Get-ADForest).Name -ForestMode Windows2008Forest
You can also specify the forest name directly in the “-Identity” parameter, however I am lazy, so I just get the name of the current forest.
Next we are able to lower the domain level:
Set-ADDomainMode -Identity (Get-ADDomain).Name -DomainMode Windows2008Domain
The result: the level has changed and can be raised again.
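The check a practitioner wants before running the two cmdlets above is whether any enabled optional feature (in Windows Server 2008 R2, the Recycle Bin) already pins the level. The script below is an added example, not code from the original post: it lists enabled optional features with the level they require, refuses the rollback if any is enabled, and otherwise lowers the forest level and then every domain in the forest to Windows Server 2008, with a dry run first. It assumes the Windows Server 2008 R2 Active Directory module and Enterprise Admins rights.

```powershell
# Added example (not from the original post): roll forest and domain
# functional levels back from Windows Server 2008 R2 to Windows Server 2008,
# but only if no enabled optional feature requires the current level.
# Assumes the Windows Server 2008 R2 AD module and Enterprise Admins rights.
Import-Module ActiveDirectory

function Get-EnabledOptionalFeature {
    # Every optional feature that is enabled anywhere pins the level it requires
    # (in 2008 R2 that is only the Recycle Bin, which is not disableable).
    foreach ($feature in Get-ADOptionalFeature -Filter *) {
        if ($feature.EnabledScopes.Count -eq 0) { continue }
        New-Object PSObject -Property @{
            Feature            = $feature.Name
            RequiredForestMode = $feature.RequiredForestMode
            RequiredDomainMode = $feature.RequiredDomainMode
            IsDisableable      = $feature.IsDisableable
            EnabledIn          = ($feature.EnabledScopes -join '; ')
        }
    }
}

function Set-ForestAndDomainLevel2008 {
    param([switch]$WhatIf)
    $forest = Get-ADForest
    Write-Host ("Current forest level: {0}" -f $forest.ForestMode)
    foreach ($d in $forest.Domains) {
        Write-Host ("Current domain level of {0}: {1}" -f $d, (Get-ADDomain -Identity $d).DomainMode)
    }

    $pinned = @(Get-EnabledOptionalFeature)
    if ($pinned.Count -gt 0) {
        $pinned | Format-Table Feature, RequiredForestMode, IsDisableable, EnabledIn -AutoSize
        throw 'An enabled optional feature requires the current level; the rollback is not possible.'
    }

    # Forest level first: it is the floor for every domain level in the forest.
    Set-ADForestMode -Identity $forest.Name -ForestMode Windows2008Forest -Confirm:$false -WhatIf:$WhatIf
    foreach ($d in $forest.Domains) {
        Set-ADDomainMode -Identity $d -DomainMode Windows2008Domain -Confirm:$false -WhatIf:$WhatIf
    }
    if (-not $WhatIf) {
        Write-Host ("New forest level: {0}" -f (Get-ADForest).ForestMode)
    }
}

Set-ForestAndDomainLevel2008 -WhatIf   # dry run: shows what would change
# Set-ForestAndDomainLevel2008         # the real thing
```

In a multi-domain forest the loop matters: the forest level can only be lowered while every domain is at or above the new level, and each domain then has to be lowered individually.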
Voilà, hopefully you will not have to do this in production, but at least it is possible and should ease your migration efforts.
Ulf
MVP Florian Frommherz and I wrote a Special Edition of the IT-Administrator: almost 180 pages of in-depth information about Active Directory. We discuss the evolution of AD, domain and forest strategies, understanding the domain and forest functional levels, LDAP background and application performance testing, AD and DNS, AD backup and recovery, background information about the AD Recycle Bin, virtualization of DCs, replication across firewalls, RODCs, delegation and MSAs, fine-grained password policies and much more. We are very happy with the result: a huge amount of in-depth information for any AD admin or consultant. Sorry, German only for now. But an interesting read. If you get it, feel free to provide feedback!
Ulf
TechEd Europe will be in Berlin next week, and I am looking forward to delivering three sessions there:
- SIA301-IS - Under the Hood: What Really Happens During Critical Active Directory Operations
Wednesday Nov 10, 9:00 – 10:00 AM
Thursday Nov 11, 4:30 – 5:30 PM
Come and discuss critical Active Directory operations.
Are you fully aware of what “critical” operations in AD really do? In this interactive session we will talk about those operations, understanding what they do and how to distinguish whether operations are critical to your environment or not. Ulf has been working in the field for more than 13 years and has a lot of notes and examples to share. We will talk about how to approach challenges, and study scenarios that show how other companies managed the associated risks and prepared for rollbacks. We have some common scenarios for everyone, but please bring your own questions as well, as we want this talk to be as interactive as possible.
Since this is an interactive session, keep in mind that it lives on the discussion in the audience, so the repeat will be different.
- SIA306 - A Dozen Years AD - Discuss Previous and Future Design Decisions
Thursday Nov 11, 2:30 – 3:30 PM
Active Directory has evolved over the years, along with security recommendations and best practices. But has our corporate design changed that much? Is it required? What should we change, and what should we retain? Ulf B. Simon-Weidner is a long-standing, internationally recognized expert in Active Directory, and in this session he will discuss Active Directory designs of the past, present and future.
Usually we have one Infrastructure Master (IM) per domain. It is responsible for maintaining references to objects in other domains, such as users who are members of a group in a different domain, so that if the target object (the user) is renamed, moved or otherwise changes its distinguished name, it can still be found. The IM does this by maintaining phantoms, small placeholder objects which contain only the distinguished name, SID and GUID of the foreign object.
To be more precise (and more complicated): group memberships are not stored by copying the member's data into the group (a group in the database does not contain the data of its members) but by referencing objects through their database row ID, the Distinguished Name Tag (DNT). So if we add a user to a group, a new entry is written to the link table in the database, with the forward link referencing the DNT of the user and the backward link referencing the DNT of the group. Phantoms are therefore needed so that there is a database row, and thus a DNT, for the foreign target object that the link can point to.
The second role of the Infrastructure Master is to be a single, well-known machine in the domain: whenever we need to run an operation against the domain and be sure to hit a specific DC, and the same one every time we repeat it, the Infrastructure Master is used (e.g. for domainprep, rodcprep, …).
This second role is the reason why we have one IM per application partition as well, see my post “How many Infrastructure Masters do you have” about it.
Back to reference updates, the primary reason for the IM. This is also the reason why an Infrastructure Master should not run on a global catalog: it validates its local phantoms against a GC (which knows about the objects in other domains anyway), and a DC that is itself a GC holds no phantoms, so it has nothing to update and stale references on the other DCs of the domain are never corrected. The exception is a domain in which every DC is a GC; then there are no phantoms anywhere and the placement does not matter. For more about GCs vs. IM see “Global Catalog vs. Infrastructure Master”.
But how do we get more than one Infrastructure Master (for reference updates) in the domain?
Easy.
When all your DCs run Windows Server 2008 R2, turn on the Recycle Bin. There you go. This enables the reference update task on every DC which is not a GC.
The reason behind this? When the Recycle Bin is enabled, the objects we previously knew as tombstones become deleted objects with all their data retained, and we are able to restore them. Therefore reference updates have to be maintained for deleted objects as well, and those changes on deleted objects are not replicated to other DCs. Additionally, links have to be maintained: links which point to or from deleted objects have to be “marked” as deactivated, so that they can be activated again when the object is restored.
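To see whether any of this applies to your domain, the following script (an added example, not code from the original post) reports the Infrastructure Master for the domain partition and for each application partition, whether that holder is a GC, whether every DC in the domain is a GC, and whether the Recycle Bin is enabled, and derives from that whether the placement is a problem for reference updates. It assumes the Windows Server 2008 R2 Active Directory module; the way it resolves the application partition owner (the fSMORoleOwner attribute of the CN=Infrastructure object, which points at an NTDS Settings object whose parent is the server object) is standard AD, the column names in the output are mine.

```powershell
# Added example (not from the original post): Infrastructure Master placement
# report. Assumes the Windows Server 2008 R2 AD module. Output column names
# are my own choice.
Import-Module ActiveDirectory

function Get-InfrastructureMasterReport {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $dcs    = @(Get-ADDomainController -Filter * -Server $domain.DNSRoot)
    $allGc  = (@($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0)
    $rbin   = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    $rbinOn = [bool]($rbin -and $rbin.EnabledScopes.Count -gt 0)

    # Partition DN -> IM holder (FQDN). Domain partition straight from Get-ADDomain.
    $holders = @{ $domain.DistinguishedName = $domain.InfrastructureMaster }

    # Application partitions: the owner is fSMORoleOwner on CN=Infrastructure,<NC>.
    # It points at the NTDS Settings object; its parent is the server object.
    foreach ($nc in $forest.ApplicationPartitions) {
        try {
            $infra    = Get-ADObject -Identity "CN=Infrastructure,$nc" -Properties fSMORoleOwner -Server $domain.DNSRoot
            $serverDn = ($infra.fSMORoleOwner -split ',', 2)[1]
            $server   = Get-ADObject -Identity $serverDn -Properties dNSHostName -Server $domain.DNSRoot
            $holders[$nc] = $server.dNSHostName
        } catch {
            # Partition not hosted on the DC we asked (e.g. another domain's DomainDnsZones).
            $holders[$nc] = "(not readable via $($domain.DNSRoot): $($_.Exception.Message))"
        }
    }

    foreach ($nc in $holders.Keys) {
        $holder = $dcs | Where-Object { $_.HostName -eq $holders[$nc] }
        $isGc   = [bool]($holder -and $holder.IsGlobalCatalog)
        New-Object PSObject -Property @{
            Partition         = $nc
            IMHolder          = $holders[$nc]
            IMIsGC            = $isGc
            AllDCsAreGC       = $allGc
            RecycleBinEnabled = $rbinOn
            # A GC as IM is only a problem if some DC is not a GC and the
            # Recycle Bin does not make every non-GC DC update references itself.
            PlacementOK       = ((-not $isGc) -or $allGc -or $rbinOn)
        }
    }
}

Get-InfrastructureMasterReport |
    Format-Table Partition, IMHolder, IMIsGC, AllDCsAreGC, RecycleBinEnabled, PlacementOK -AutoSize
```

Run it against each domain of a multi-domain forest; the application partitions of other domains will show up as not readable, which is expected.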
Actually I will cover the Recycle Bin, among a lot of other useful information, at TEC. If you are there, come to my session:
A DS Geek’s Notes from the Field – Active Directory Recovery Unveiled
Speaker: Ulf Simon-Weidner
You’ve got R2 and enabled the Recycle Bin, so no other actions are necessary to prepare for an AD recovery? Or you haven’t deployed R2 yet (or switched to the forest level)? Are you aware that even with today’s possibilities you are not prepared for every scenario? You have to blend in certain features. You also have to manage them and adjust your processes accordingly! This session will give you insight into experiences and practices from a field perspective: what can go wrong, and what you should do to manage and look after AD proactively. You will hear experiences from the field about Active Directory disaster prevention and recovery, along with interesting thoughts, scripts and scenarios. Think beyond and get inspired. This session will distinguish you from the admins who keep their CV updated in case anything goes wrong, and make you one of those who are prepared instead.
I just had a pretty interesting discussion via a mailing list with some other Active Directory MVPs and some members of the Active Directory Product Group in Redmond.
As we know, there is a new default for the tombstone lifetime in Active Directory. The discussion started because an article on TechNet is incorrect: http://technet.microsoft.com/en-us/library/cc784932(WS.10).aspx. Currently point 8 states that the tombstone lifetime, if it is <not set>, depends on the operating system version of the first DC in the forest. This is not correct: if the attribute is <not set>, the effective tombstone lifetime is always 60 days. What depends on the first DC's operating system is whether the attribute gets set to 180 at all (see below). The article is already being changed.
If you are not familiar with tombstones, I wrote Some details about Tombstones, Garbage Collection and Whitespace in the AD DB a while ago. Basically, a tombstone is a deleted object of which a small part is retained in AD for 60 or 180 days (by default) to make sure that all DCs receive the information that the object has to be deleted. When the 60 or 180 days are over (this is the tombstone lifetime) every DC deletes the object locally. This is not replicated; each DC simply checks whether “time-of-deletion + tombstone-lifetime < now” and, if so, removes the object. This “cleaning up” is done during garbage collection, which by default runs every 12 hours.
The tombstone lifetime is therefore also the limit of the “shelf life” of a backup: if you used an older backup you would reintroduce objects which were already deleted, so the maximum age of a backup is the tombstone lifetime.
In Windows Server 2003 SP1 Microsoft decided to increase the tombstone lifetime to 180 days, as I wrote in Active Directory Backup? Don't rush - you'll get more time. However, in Windows Server 2003 R2 there was a minor slip, so this version introduced 60 days again. To clarify: this only matters when you set up a new forest, and the value then depends on the operating system version of that first DC.
| Operating System of first DC | tombstoneLifetime (days) |
|---|---|
| Windows 2000 Server | 60 |
| Windows Server 2003 w/o SP | 60 |
| Windows Server 2003 SP1/2 | 180 |
| Windows Server 2003 R2 (SP1) | 60 |
| Windows Server 2003 R2 SP2 | 180 |
| Windows Server 2008 and higher | 180 |
You can verify your tombstone lifetime by looking at the attribute tombstoneLifetime of the object CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<forest root> in the configuration partition:
dsquery * "cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=<forestDN>" -scope base -attr tombstonelifetime
If the attribute has a value, the tombstone lifetime is that value in days; if it has no value, it is 60 days. What changed the default to 180 is the file schema.ini, which creates the default objects in a new AD. The schema.ini of Windows Server 2003 SP1 and higher (see table above) simply writes the value 180 into the attribute tombstoneLifetime.
Is it recommended to adjust the tombstone lifetime to the new default?
Over the years there were many infrastructures whose DCs did not replicate within 60 days, leading to replication issues and lingering objects. There were many such cases at Microsoft PSS, and I have also seen a couple of infrastructures where I had to fix this. Therefore Microsoft decided to raise the default tombstone lifetime to 180 days, which also extends the usable lifetime of your backups. It is up to your company to decide whether to change the tombstone lifetime to the new default.
In the e-mail thread we were also discussing whether there are any issues with changing the tombstone lifetime.
If you lower the tombstone lifetime, there is no issue. Garbage collection will be a bit busier (usually it only has to clean up the deletions from a 12-hour window 60 or 180 days ago, but if we go down from 180 to 60 the next garbage collection run has to clean up 120 days' worth of deletions at once). However, this should not lead to a performance issue, and if you think it will, you can stage it (e.g. going from 180 to 150, waiting for replication plus at least 12 hours, then going from 150 to 120, and so on).
However, if you want to raise the tombstone lifetime, e.g. from 60 to 180 to match the new default, there is one scenario which needs to be considered:
Let's say we have two DCs, DC-Munich and DC-LA (L.A. because that is where The Experts Conference will be in April). On DC-Munich we change tombstoneLifetime from <not set> (= 60) to 180. When garbage collection runs on DC-Munich it is bored: it has already cleaned up everything from 60 days ago, and we have now instructed it to keep everything for 180 days, so for the next 120 days garbage collection has nothing to do. However, a bit later DC-LA (which has not yet received the new tombstoneLifetime via replication) runs garbage collection and removes everything that was deleted in the 12-hour window 60 days ago.
In this scenario DC-Munich has tombstones which were already removed on DC-LA, and various detection mechanisms will identify them as lingering objects (repadmin detects them, as do various update processes, which will prevent you from doing operations like schema updates for the next 120 days). This resolves itself after 120 days, but it is pretty inconvenient.
To raise tombstoneLifetime in a big infrastructure there is only one valid solution:
- Make sure that garbage collection has nothing to do right after you change the attribute; then, after changing it, force replication and make sure the new value has arrived everywhere.
- In practice this means: lower the tombstone lifetime before raising it. E.g. set it to 55 and make sure the value has replicated everywhere, then wait at least 12 hours or verify that garbage collection has run on every DC. This ensures that for the next couple of days there are no tombstones left that garbage collection would have to take care of. Then raise the tombstone lifetime to the intended value, e.g. 180 days. Make sure that replication works and every DC receives the update within the next few days, and you are on the safe side.
Thanks to Jesko, who discussed this scenario with me. I was wrong: raising the value directly always causes trouble with lingering objects. Controlling garbage collection is the only way to go.
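The staged change as a script, added here as an example and not part of the original post. It reads and writes the tombstoneLifetime attribute on the Directory Service object, treats an unset attribute as 60, and after each change polls every DC in the forest until all of them report the new value, which is the check the scenario above depends on. The intermediate value 55, the 180-day target and the polling interval are illustrative; it assumes the Windows Server 2008 R2 Active Directory module and Enterprise Admins rights.

```powershell
# Added example (not from the original post): staged tombstoneLifetime change
# (lower first, confirm convergence, let garbage collection run, then raise).
# Assumes the Windows Server 2008 R2 AD module and Enterprise Admins rights.
# Values and wait times are illustrative.
Import-Module ActiveDirectory

$dsObject = 'CN=Directory Service,CN=Windows NT,CN=Services,' + (Get-ADRootDSE).configurationNamingContext

function Get-TombstoneLifetime {
    param([string]$Server)
    $o = Get-ADObject -Identity $dsObject -Properties tombstoneLifetime -Server $Server
    # <not set> means the pre-2003 SP1 default of 60 days.
    if ($o.tombstoneLifetime) { [int]$o.tombstoneLifetime } else { 60 }
}

function Set-TombstoneLifetime {
    param([int]$Days, [string]$Server)
    Set-ADObject -Identity $dsObject -Replace @{ tombstoneLifetime = $Days } -Server $Server
}

function Get-AllForestDCs {
    # The configuration partition is forest-wide, so every DC of every domain counts.
    foreach ($d in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $d | Select-Object -ExpandProperty HostName
    }
}

function Wait-TombstoneLifetimeConverged {
    param([int]$Expected, [int]$TimeoutMinutes = 240, [int]$PollSeconds = 300)
    $dcs      = @(Get-AllForestDCs)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $lagging = @($dcs | Where-Object { (Get-TombstoneLifetime -Server $_) -ne $Expected })
        if ($lagging.Count -eq 0) { return $true }
        Write-Host ("{0} DC(s) do not have {1} yet: {2}" -f $lagging.Count, $Expected, ($lagging -join ', '))
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    return $false
}

$pdc = (Get-ADDomain).PDCEmulator
Write-Host ("Current tombstoneLifetime on {0}: {1} days" -f $pdc, (Get-TombstoneLifetime -Server $pdc))

# Stage 1: lower (e.g. 60 -> 55) and wait until every DC has the new value.
Set-TombstoneLifetime -Days 55 -Server $pdc
if (-not (Wait-TombstoneLifetimeConverged -Expected 55)) { throw 'Stage 1 did not converge on all DCs' }

# Stage 2: garbage collection runs every 12 hours by default; give every DC at
# least one full cycle on the lower value so nothing is left to collect.
Write-Host 'Wait at least 12 hours plus replication latency, then run stage 3.'

# Stage 3: raise to the intended value and confirm convergence again.
# Set-TombstoneLifetime -Days 180 -Server $pdc
# if (-not (Wait-TombstoneLifetimeConverged -Expected 180)) { throw 'Stage 3 did not converge on all DCs' }
```

Writing the attribute on the PDC emulator is only a convention so that you know which DC originated the change; any writable DC works, and the convergence check is what matters.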
I think this scenario is very interesting, so I wanted to share it.
Hi there and happy new year!
Last year the server I used at home died, and since it was pretty customized it is also pretty ugly to repair. I used it as virtualization host and file server, with three hard drives: the first for the operating system and stuff I do not need highly redundant, the other two mirrored with all the data I prefer to keep (photos, projects, personal stuff, music I have bought). Even the home drive of my laptops is just a share which is always synchronized for offline usage. Remote access was possible either via SSTP (VPN over SSL, built into Windows Server 2008+ and Vista+) or via Remote Desktop Gateway (RDP over SSL, same OS requirements).
So … server dead … no money … but highly important data on it. So I did some research, also got recommendations from fellow MVPs, and decided to go with Windows Home Server, and set it up the same way (OK, without virtualization and the Windows Server 2008 features, but it works for now until the budget allows me a virtualization host again, and even then I will keep the home server and run virtualization separately; WHS is a great product and now the base of my home network, data backup and recovery, and home media strategy).
However, to get back to the subject…
Today I consolidated some of the data and made an error: I deleted stuff from one share (personal) which was not yet in the project share. However, I had implemented Volume Shadow Copies and should have been able to get the files back via the Previous Versions client. So I went into Previous Versions, located the files, they were still there, but I was unable to open, copy or restore them. I always got the message “Das Gerät ist nicht angeschlossen”, which translates to “The device is not connected”. Weird. After searching some German Home Server forums I found the statement that VSS (Volume Shadow Copies, the supporting technology of Previous Versions, Windows Backup and AD snapshots) is not supported on Windows Home Server but is turned on by default because MS might use it in the future. However, WHS also keeps your data redundant across multiple drives, and in the forums it was mentioned that what you see in the shares is like tombstones which point to the real data in other locations.
To keep the post from getting overly long, this is how you get Previous Versions back on a Windows Home Server:
- Open \\servername\d$\DE\shares\ (you also need to go via UNC if you do it from the WHS console; Windows Server 2003, which WHS is based on, only supports Previous Versions via UNC or mapped drives, not locally).
- Navigate to the folders or files and use Previous Versions there, then copy the files back to \\server\share.
This is because:
- \\server\share is the location where the tombstones of the data are stored; if you navigate there via Previous Versions you get the structure, but only tombstone files which you cannot access or restore.
- \\server\d$\DE\shares is one of the locations where the real data is stored. It might vary depending on your setup (I am not sure whether it is always d$ or depends on how the drives are configured) and across which volumes the data is kept redundant (which WHS decides automatically).
- \\server\c$\FS\<driveletter, e.g. F>\DE\shares would work as well, however VSS/Previous Versions apparently has issues with the mount point, so you need to create a “help share”, e.g. at c:\fs\F\DE\shares, and then navigate via the new share [1].
Note: there are some things to consider:
- WHS automatically decides where to keep the data redundant, so you might have to search across the volumes (d:\de\shares, c:\fs\f\de\shares, c:\fs\g\de\shares …)
- Shadow copies use 12% of the volume's space by default. If the “changed data” exceeds this limit, the oldest snapshots are released. Since the volumes on your home server will likely have different sizes (which is the default if you have two similar hard drives in your WHS, since the first one also carries the OS volume, usually 20 GB), the default storage size for Volume Shadow Copies differs per volume. Therefore it might be that you can access older data on one volume which is no longer available on another.
- Since I do not know exactly how the “redundancy algorithm” of WHS works (and I do not need to know, that is the beauty of WHS) I recommend not restoring the data to the original paths (d:\de, c:\fs\f\de, …) but copying it to the default shares.
I hope this is valuable information for some WHS users out there; it would have been valuable for me earlier today ;)
Happy weekend,
Ulf
[1] The issue here is apparently that the Previous Versions client gets the information whether Volume Shadow Copies are set up from the share it accesses. This is not the case on the C drive by default. However, even if we enable Previous Versions on the C drive, the Previous Versions client will only show the Volume Shadow Copies of the C drive and not those of the mount points, so I recommend keeping VSS turned off on the C drive (ehm, volume).
The last day of TechEd Europe has started. It has been great as usual. I am satisfied with my sessions and with the other sessions I have seen. However, what is the value of TechEd for me?
- TechEd is inspiring: whenever you are put together with a clever bunch of folks, it is inspiring to talk about technologies, their possibilities as well as what is lacking, and to get a lot of good ideas.
- TechEd is networking: it is hard to keep up with all the people you know or should know, but TechEd is one of the major places where you meet so many people who work with the same technologies and share the same interests. A great place to keep in contact and meet new people; the only bad thing is that it is too short.

- TechEd is geeky: a couple of years ago I was complaining that there were no real 400-level sessions for IT professionals at TechEd. Then I was able to deliver 400-level sessions over the years (“A Directory Services Geek’s View on …”), mostly at TechEd EMEA but also at TechEd US. I am glad to see that especially TechEd Europe is providing in-depth content to IT pros (this was actually one thing we heard complaints about at TechEd US this year, but not in Europe! I hope this keeps improving). It is fun to prepare those sessions, it is fun to deliver them, great to get the feedback, and great to hear afterwards how happy the attendees are about not getting a marketing session.
- TechEd is broadening horizons: especially when talking with attendees in the Technical Learning Center, after my sessions, or at the parties in the evening, it broadens my horizons when they ask questions and tell me about their scenarios and ideas. Even working as a consultant with many companies, I only get to meet a certain number of customers. At TechEd, however, I meet so many people every day and so many different scenarios; it is just great for broadening my horizons and my knowledge!
- TechEd is knowledge: breakout sessions, interactive sessions, Technical Learning Center (Ask the Experts), hands-on labs, … and about almost all Microsoft technologies. There is only one place where you can learn so much in so many different ways.
- TechEd is community: MVPs, MCTs, CLIP, Microsoft employees, colleagues, friends, people who share the same interests, …
… there are lots of more points …
I do multiple conferences a year, and TechEd boosts my knowledge of Microsoft technologies! I love it! Too bad it is the last day today; however, I am also looking forward to going home and enjoying the weekend.
If you use Active Directory Users and Computers from Windows Server 2008 or higher (it also ships with the Remote Server Administration Tools for Windows Vista and Windows 7), or the Active Directory Administrative Center in Windows Server 2008 R2 or the Windows 7 RSAT, newly created OUs are protected from accidental deletion. However, this does not apply to OUs which existed before (e.g. migrated ones) or to OUs which are created another way.
Therefore, during migrations or when you still run down-level versions of the administration tools, I recommend protecting the OUs from accidental deletion, but you need another way to do it instead of checking the Object tab of each OU (with Advanced Features enabled).
PowerShell v2 and the new Active Directory cmdlets make this easy for us:
First you need to import the Active Directory module:
Import-Module ActiveDirectory
Then you query all OUs and pipe them into the Set-ADOrganizationalUnit cmdlet, specifying that the “flag” protecting the OUs from accidental deletion should be set:
Get-ADOrganizationalUnit -Filter * | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true
Easy, right?
If you want to put this in a scheduled task, simply use the following command line (all on one line):
powershell.exe -command "&{Import-Module ActiveDirectory; Get-ADOrganizationalUnit -Filter * | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true}"
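The one-liner protects everything; what a practitioner usually wants in addition is to know which OUs were still unprotected, to dry-run the change, and to verify independently that the “flag” really took effect. That flag is not a bit on the object but two deny ACEs for Everyone (Delete and Delete Subtree) on the OU's security descriptor, so the verification below reads the ACL through the AD: drive that the module provides and looks for exactly those ACEs. This is an added example, not code from the original post; it assumes the Windows Server 2008 R2 Active Directory module and compares the Everyone SID (S-1-1-0) rather than the name, which is localized on non-English systems.

```powershell
# Added example (not from the original post): report, protect and verify
# OUs. Assumes the Windows Server 2008 R2 AD module (which provides the AD:
# drive used by Get-Acl).
Import-Module ActiveDirectory

function Get-UnprotectedOU {
    Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}

function Protect-AllOUs {
    param([switch]$WhatIf)
    $unprotected = @(Get-UnprotectedOU)
    Write-Host ("{0} OU(s) are not protected" -f $unprotected.Count)
    $unprotected | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true -WhatIf:$WhatIf
}

function Test-OUDeleteDenied {
    # Independent check: the protection is implemented as Deny ACEs for Everyone
    # carrying both Delete and DeleteTree on the OU itself.
    param([string]$DistinguishedName)
    $acl      = Get-Acl -Path "AD:\$DistinguishedName"
    $everyone = 'S-1-1-0'
    $rights   = [System.DirectoryServices.ActiveDirectoryRights]
    $deny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $everyone -and
        (($_.ActiveDirectoryRights -band $rights::Delete) -ne 0) -and
        (($_.ActiveDirectoryRights -band $rights::DeleteTree) -ne 0)
    }
    return [bool]$deny
}

Protect-AllOUs -WhatIf     # dry run: lists what would be changed
Protect-AllOUs             # apply

# Anything listed here is still deletable despite the flag and deserves a look.
Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    New-Object PSObject -Property @{
        OU           = $_.DistinguishedName
        DeleteDenied = (Test-OUDeleteDenied -DistinguishedName $_.DistinguishedName)
    }
} | Where-Object { -not $_.DeleteDenied } | Format-Table -AutoSize
```

Note that the flag only covers OUs here; containers, users and groups have the same attribute through their own Set-AD* cmdlets, and a member of Domain Admins can still remove the deny ACEs and delete the object. The protection is against accidents, not against an administrator who means it.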
I heard from a speaker I respect the question whether Microsoft's strategy is consistent: they are basing everything on PowerShell, yet the djoin.exe command is not a PowerShell cmdlet.
An interesting one, but also very understandable if you think about it. Djoin.exe was created to provide the following possibility in Windows Server 2008 R2 and Windows 7:
- Create a computer account in the directory and store a file (the provisioning blob) to support an offline join of the computer to the domain
- Offline-join the computer to its account using the file created in the prior step
The Active Directory Domain Services product group has created a lot of PowerShell cmdlets to support the management of Active Directory on Windows Server 2008 R2; you can even download the Active Directory Management Gateway Service to support the PowerShell cmdlets against Windows Server 2003 (R2) or Windows Server 2008 (without R2). The Management Gateway provides the Active Directory Web Services, which are used by PowerShell and the new Administrative Center. The web service is automatically present when you install a Windows Server 2008 R2 domain controller, so you do not need the Management Gateway there.
The Active Directory PowerShell cmdlets are available on Windows Server 2008 R2, or on Windows 7 with the Remote Server Administration Tools for Active Directory installed. If a system does not have the Active Directory
As I said before, one of the two main responsibilities is to join computers to the domain offline, either in scenarios with RODCs (e.g. in the DMZ) or for mass creation/joining, e.g. if your hardware vendor or distributor preinstalls machines for you.
So, would we want to install the Remote Server Administration Tools for Active Directory on clients or member servers just to join them to the domain? Nope. Would we want multiple PowerShell modules for AD (e.g. one for server management, one for joining domains, one for directory data management, …)? Nope.
So I guess an exe for this purpose is OK, and I also guess that this is the reason behind it.
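Both halves of the offline join, as an added example that is not part of the original post. The domain, machine name, OU and file paths are placeholders. The caveat worth knowing: the blob djoin writes contains the machine account password (among other things), so it has to be handled like a credential, which is why the example restricts the file's ACL on the provisioning side and deletes it on the target.

```powershell
# Added example (not from the original post): offline domain join with
# djoin.exe. contoso.com, WS01, the OU and C:\odj are placeholders.

# --- Side 1: management machine with line of sight to a writable DC ---------
$blob = 'C:\odj\WS01.txt'
New-Item -ItemType Directory -Path (Split-Path $blob) -Force | Out-Null

# /provision creates the computer account and writes the join blob.
# Add /reuse to re-provision an existing account, /dcname to pin a DC.
djoin.exe /provision /domain contoso.com /machine WS01 `
    /machineou 'OU=Workstations,DC=contoso,DC=com' /savefile $blob
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

# The blob carries the machine account password: strip inherited ACEs and
# leave read access to the provisioning account only, until it is handed over.
icacls.exe $blob /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(R)" | Out-Null
Write-Host "Blob written to $blob; transfer it over a protected channel."

# --- Side 2: on the target machine (Windows 7 / 2008 R2), as local admin ----
# /localos applies the join to the running OS. The machine needs a reboot and
# must then reach a DC to set up its secure channel and apply policy.
# djoin.exe /requestODJ /loadfile C:\odj\WS01.txt /windowspath $env:SystemRoot /localos
# if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed with exit code $LASTEXITCODE" }
# Remove-Item C:\odj\WS01.txt -Force   # the blob is not needed after the join
# Restart-Computer
```

For image-based deployments the same /requestODJ call is run against the offline image with /windowspath pointing at the mounted image's Windows directory instead of /localos.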

Funny – I arrived at TechEd Europe and many already talked to me about my session – I figured out it’s now popular because it had been rescheduled from Tuesday morning to Wednesday morning, so everyone at TechEd got a separate paper with the session updates and mine was one from the few.
I’ve also heard it’s popular looking at the registrations, so if you plan on coming, come a bit early to make sure to get in. We also do a re-run on Thursday morning.
SIA02-IS: Active Directory: What's New in R2
Join this interactive and open discussion about Active Directory updates in Windows Server 2008 R2 or other topics that you bring up. Join product group members and an MVP with undoubted Active Directory experience.
It's an interactive session, so we will be there (Brjann Brekkan, Technical Product Manager for Identity Management, and I are presenting the session together), listening and talking to you about the questions you have about the new features of Active Directory Domain Services in Windows Server 2008 R2.
The session is scheduled on
- Wednesday, 9:00, Interactive Theater 4 (green)
- Thursday, 9:00, Interactive Theatre 6 (pink)
Ulf
The world is not as polite anymore as it was years ago. People are forgetting what used to be called "good behavior / manners". And PowerShell is entering the world and starting to monopolize the world of scripting languages.
I think PowerShell should show some level of social responsibility. And today, I'm taking action to change it:
I, Ulf B. Simon-Weidner, hereby propose that PowerShell should be forced to show more social responsibility. Therefore I propose two actions:
- Any command executed should, by default, set the –whatif parameter (this would prevent the commands from executing; it'll only tell us what they would do).
- To really execute a command, the –please parameter must be used, which revokes the –whatif parameter.
Wouldn’t this be nice?
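As an added note (not part of the original post): for cmdlets that implement ShouldProcess, PowerShell can already do this. The preference variable $WhatIfPreference makes -WhatIf the default, and -WhatIf:$false is the "-please". The DN, function and computer name below are placeholders.

```powershell
# Added example: safe-by-default AD changes via $WhatIfPreference.
# Identities below are assumptions, not objects from the post.
Import-Module ActiveDirectory

# From now on every cmdlet/function that supports ShouldProcess behaves as if -WhatIf
# had been given (put this in your profile on admin workstations if you like).
$WhatIfPreference = $true

# Only simulated: prints "What if: Performing the operation ..." and changes nothing.
Remove-ADObject -Identity 'CN=Test User,OU=Staff,DC=corp,DC=example,DC=com'

# The "-please": an explicit parameter overrides the preference variable.
Remove-ADObject -Identity 'CN=Test User,OU=Staff,DC=corp,DC=example,DC=com' -WhatIf:$false

# Your own functions opt in the same way; ShouldProcess honours -WhatIf, -Confirm
# and $WhatIfPreference for you.
function Remove-StaleComputer {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory = $true)][string]$Identity)

    if ($PSCmdlet.ShouldProcess($Identity, 'Remove stale computer account')) {
        # Only reached when not in WhatIf mode and the user confirmed (or -Confirm:$false).
        Remove-ADComputer -Identity $Identity -Confirm:$false
    }
}

Remove-StaleComputer -Identity 'OLDPC01'                 # simulated under the preference above
Remove-StaleComputer -Identity 'OLDPC01' -WhatIf:$false  # really removes it
```

The caveat: only cmdlets and functions that implement ShouldProcess honour the preference. Native executables (ntdsutil, dsacls, djoin, …) and cmdlets that never call ShouldProcess still execute regardless of $WhatIfPreference, so the variable is a safety net, not a guarantee.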
In Windows Server 2008 you are able to stop Active Directory Domain Services using the Services snap-in or by typing
net stop ntds
However, this is for servicing only and not a state in which the DC is intended to be kept for a longer period. Stopping AD DS is intended for servicing NTDS where a stopped AD is needed (as in Directory Services Restore Mode, DSRM) but there is no need for completely flushed memory and stopped dependencies. So you can do things like an offline defragmentation of the database, moving the database, and so on.
I think this is a good feature. Yes, it would be great to do other things. Yes, it would be great to restore AD without going into DSRM. There are things which would be nice. However … it's better than before, and that's what is important.
I love to do things using scripts. I love to use a toolbox, some script I've used before. Imagine – in the past, doing an offline defrag of the Active Directory database required a reboot into Directory Services Restore Mode, logging on as the local admin (= DSRM admin), running ntdsutil with the options to do the offline defrag into new files, copying the new files over the old ones, and rebooting again into normal mode.
However, in Windows Server 2008 and above it is as easy as stopping NTDS, offline defrag, moving, starting NTDS.
It is important to keep in mind that you can stop NTDS, but it's not meant to stay stopped for a longer period.
However, here are a few things which make me worry that this feature is not well understood:
- It's not a state to keep for a longer period, and not a replacement for recovery DCs (which are turned off in the closet).
- It's not a replacement for DSRM when it comes to system state recovery / authoritative restore of a restored backup. If you need to restore a system state backup, the only supported way is to do it in DSRM.
- Authoritatively marking objects that are still present on the DC in question (e.g. because a deletion hasn't replicated to it yet) is OK, and so are file-management operations other than restoring a backup (the content of the DIT basically needs to remain the same).
- You can't log on with the DSRM admin when NTDS is stopped. This hit someone – in the beta timeframe – who had a single DC, stopped NTDS, spent some time away (the screen saver kicked in) and couldn't log on again. DSRM logon is not possible by default with a stopped NTDS when there are no other logon servers available (if there are, e.g. you have a second DC, they authenticate you on the DC with the stopped NTDS).
DSRM admin logon (which equals local admin on a DC) outside of DSRM is only available on Small Business Server (by default) or if you modify the following registry value:
HKLM\System\CurrentControlSet\Control\Lsa\DSRMAdminLogonBehavior
Value 0: DSRM logon only when in DSRM (default)
Value 1: DSRM logon only when NTDS is stopped (or in DSRM) (default on Small Business Server)
Value 2: DSRM logon always (this turns the DSRM password into a permanent local-admin logon on the DC, so treat it like any other admin credential)
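As an added example (not from the original post), here is the "stop NTDS, defrag, move, start NTDS" procedure from above as a script, together with reading and (commented out) setting the DSRMAdminLogonBehavior value. The NTDS paths are the installation defaults and the scratch folder is an assumption; run it elevated on the DC itself and check the ntdsutil output before trusting the result.

```powershell
# Added example: offline defrag of ntds.dit using restartable AD DS (Windows Server 2008+).
# Paths are assumptions (default NTDS location); adjust to your DC. Run elevated on the DC.

$DitPath   = 'C:\Windows\NTDS\ntds.dit'   # assumption: default database location
$LogDir    = 'C:\Windows\NTDS'            # assumption: default log location
$CompactTo = 'C:\Temp\NTDS-Compact'       # assumption: scratch folder for the compacted copy

# 0. With NTDS stopped and DSRMAdminLogonBehavior = 0 you cannot log on locally unless
#    another DC answers. Warn if this is the only DC in the domain.
$DcCount = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers.Count
if ($DcCount -lt 2) {
    Write-Warning 'Single DC: stay logged on (or set DSRMAdminLogonBehavior = 1) before stopping NTDS.'
}

# 1. Remember which dependent services are running (KDC, Intersite Messaging, DNS, ...),
#    then stop AD DS; -Force stops those dependents as well.
$Dependents = (Get-Service -Name NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' }
Stop-Service -Name NTDS -Force
if (-not (Test-Path $CompactTo)) { New-Item -ItemType Directory -Path $CompactTo | Out-Null }

# 2. Compact into a new file. With NTDS stopped the instance can be activated without DSRM.
& ntdsutil.exe 'activate instance ntds' 'files' "compact to $CompactTo" 'quit' 'quit'
$NewDit = Join-Path $CompactTo 'ntds.dit'
if (-not (Test-Path $NewDit)) {
    Start-Service -Name NTDS
    throw 'ntdsutil did not produce a compacted ntds.dit; AD DS restarted with the old file.'
}

# 3. Keep the old database, swap in the compacted one and delete the old log files
#    (ntdsutil asks you to do exactly this after a successful compaction).
Copy-Item -Path $DitPath -Destination "$DitPath.bak" -Force
Copy-Item -Path $NewDit -Destination $DitPath -Force
Remove-Item -Path (Join-Path $LogDir '*.log') -Force

# 4. Check the new file before starting AD DS again; review the output yourself.
$Integrity = & ntdsutil.exe 'activate instance ntds' 'files' 'integrity' 'quit' 'quit'
$Integrity | Out-Host
if (($Integrity -join "`n") -notmatch 'Integrity check successful') {
    Write-Warning "Integrity check did not report success: restore $DitPath.bak before starting NTDS."
}

# 5. Start AD DS and the dependents that were running before.
Start-Service -Name NTDS
$Dependents | ForEach-Object { Start-Service -Name $_.Name }

# --- The registry value from the post: when the DSRM administrator may log on.
#     0 = only in DSRM (default), 1 = also while NTDS is stopped, 2 = always.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Get-ItemProperty -Path $LsaKey -Name DSRMAdminLogonBehavior -ErrorAction SilentlyContinue
# Set-ItemProperty -Path $LsaKey -Name DSRMAdminLogonBehavior -Value 1 -Type DWord
```

If you do change DSRMAdminLogonBehavior for a maintenance window, set it back to 0 afterwards; the DSRM account is a local Administrator in the DC's SAM, and value 2 makes that password usable at any time.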
HTH, Ulf
I was just pointed to the blog of David Loder, who points out that the Release Candidate of Exchange 2010 changes the permissions enforced by AdminSDHolder on critical groups, to allow Exchange Organization Administrators to change the group memberships of Enterprise Admins, Schema Admins, Domain Admins and so on.
OK, one of Microsoft's Program Managers has already responded, and I do agree that this is not a released product and that pre-release versions are there for finding these bugs.
I’d just like to say:
@Ross: This is not that hard to fix:
- for existing OUs, stamp it as an ACE on them (preferably at the top level – if inheritance is blocked on lower levels, check for that and point to a KB article)
- for new OUs, change the defaultSecurityDescriptor of the organizationalUnit class in the schema
- don't touch AdminSDHolder ;)
The first one will make sure that existing OUs allow Exchange admins to control group memberships (actually I'd even like to discuss whether this is necessary – usually group membership administration is not done by the same people who mail-enable groups; the first is a generic help-desk task, the second an Exchange admin task).
I'd also prefer – if OUs are touched – that if the organization decided to block security inheritance at some point, a new version of some software shouldn't go beyond that point but respect the design and warn about the consequences.
The second suggestion makes sure that new OUs get the permissions by default when the OU is created.
The third suggestion makes me think about two things:
- is there no process for infrastructure-critical changes such as changing AdminSDHolder (I'd think the Active Directory product group should be involved if something like this happens; how are they supposed to ensure security if other groups are mangling their mechanisms)?
- why is this coming up in the RC? If a product is at Release Candidate level it's mostly finished, and usually not many changes are approved afterwards (unless they are critical). I hope that this will be fixed!
Thanks David for finding this one, very interesting, and I hope it'll be fixed!
See David's blog for his post
See my blog post about AdminSDHolder
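As an added example (not from either blog post), the following script lists the ACEs on AdminSDHolder that grant write access to group membership or broader write rights, which is the kind of entry the Exchange RC change described above would add and which SDProp then copies to every protected account and group. It closes with the OU-level delegation suggested instead (commented out). The OU and group names are placeholders.

```powershell
# Added example: audit AdminSDHolder for ACEs that can change protected group memberships,
# and show the OU-scoped alternative. OU and group names below are assumptions.
Import-Module ActiveDirectory

$DomainDN   = (Get-ADDomain).DistinguishedName
$MemberGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the "member" attribute

function Get-AdminSDHolderWriteAce {
    # Returns Allow ACEs on AdminSDHolder that permit writing "member" (or any property),
    # or that grant GenericAll/GenericWrite/WriteDacl/WriteOwner.
    $Acl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$DomainDN"
    $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner' -or
            ($_.ActiveDirectoryRights -match 'WriteProperty' -and
             ($_.ObjectType -eq [Guid]::Empty -or $_.ObjectType -eq $MemberGuid))
        )
    }
}

# Anything listed here beyond Domain Admins, Enterprise Admins, Administrators and SYSTEM
# deserves a second look: SDProp stamps it onto every protected object within the hour.
Get-AdminSDHolderWriteAce |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
    Format-Table -AutoSize

# The alternative from the post: delegate "write member" on group objects below an OU
# instead of touching AdminSDHolder. /I:S = inherit to sub-objects only;
# WP;member;group = write the member attribute, on objects of class group.
$OU    = "OU=Groups,$DomainDN"                                                   # assumption
$Group = "$((Get-ADDomain).NetBIOSName)\Exchange Organization Administrators"    # assumption
# & dsacls.exe $OU /I:S /G "${Group}:WP;member;group"
```

Protected groups such as Domain Admins live in CN=Users, not under a delegated OU, and SDProp resets their ACLs from AdminSDHolder anyway, so the OU delegation never reaches them; that is exactly the point of the third suggestion above.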
And since I wanted to mention this: if you are in Europe (or want to come), The Experts Conference (TEC) is in Berlin next week, and it is THE place for Active Directory and Exchange.
Windows Server 2008 R2 and Windows 7 were RTMed yesterday (July 22nd). The products are finished now, the code won't be changed, and the preparations for making them available via download as well as producing the DVDs have started. Read the announcements on the official blogs:
http://blogs.technet.com/windowsserver/archive/2009/07/22/windows-server-2008-r2-rtm.aspx
http://windowsteamblog.com/blogs/windows7/archive/2009/07/22/windows-7-has-been-released-to-manufacturing.aspx
The products will be available soon, depending on the channel:
Downloads:
- MSDN/Technet: W7 Aug 6, R2 Aug 14
- Partner Network: W7 Aug 16, R2 Aug 19
- Action Pack: Aug 23 (W7 & R2)
- Volume Licensing (SA): W7 Aug 7, R2 Aug 19
The evaluation version of Windows Server 2008 R2 will be available on August 20th on the following page: http://www.microsoft.com/windowsserver2008/en/us/try-it.aspx
Win7 will be available in stores on October 22nd, R2 on September 14th. The pre-order of Win7 has already been running for a couple of weeks.
Windows 7 will only be available in English on the dates above; additional languages will follow in early October. WS08R2 will be available in a couple of languages such as English, German, Spanish, … and additional languages will be made available later in September.
http://blogs.technet.com/windowsserver/archive/2009/07/22/when-to-expect-windows-server-2008-r2-rtm.aspx
http://windowsteamblog.com/blogs/windows7/archive/2009/07/21/when-will-you-get-windows-7-rtm.aspx
I'm very excited to get the final version of both products. I've loved and used them in production using the Release Candidate and can't wait to install the final version instead! Congrats Microsoft!!! What a release!
Hyper-Excited: Windows Server 2008 R2 and Windows 7 will be finalized in the second half of July, which is when they will become available for partners, MSDN and so on, and broadly available (stores, on new PCs and so on) at the end of October!!!
Windows Server Division Weblog:
http://blogs.technet.com/windowsserver/archive/2009/06/02/windows-server-2008-r2-rtm-and-general-availability.aspx
Windows 7 Teamblog:
http://windowsteamblog.com/blogs/windows7/archive/2009/06/02/the-date-for-general-availability-ga-of-windows-7-is.aspx
Woohooo!!!
At TechEd USA in Los Angeles last week, Bill Veghte, Senior Vice President of the Windows Business at Microsoft, made a comment which was funny but also sad:
I'm a technologist, so I can't tell you where the economy will be in 6 months. The bad message is – an economist can't tell you either.
At TechEd I was staffing the Windows Server 2008 R2 Active Directory-Booth. We had a lot of interesting questions, scenarios and discussions there.
One interesting issue was a customer who asked us why his contacts in Active Directory were being displayed as containers and how he could turn that off. Actually this took us some time to look into. He had two forests – when he targeted Active Directory Users and Computers at one forest, his contacts were displayed as containers (meaning there was a plus symbol right next to them and you could see them in the tree, with no objects underneath). In the other forest the contacts weren't displayed as containers.
So we had to figure out what was going on. And what I actually found is quite interesting, and I believe that more companies are running into this, so I found it worth documenting on the web.
What's going on is that one forest had been extended with the Windows Server 2008 schema (adprep /forestprep) while the customer is still running Windows Server 2003 DCs. In the Windows Server 2003 schema there are by default no object classes that can be "underneath" a contact [1]. In the Windows Server 2008 schema there are two new classes which can be underneath a contact: ms-net-ieee-80211-GroupPolicy and ms-net-ieee-8023-GroupPolicy. You can check this by querying the attribute allowedChildClassesEffective on a contact – this is a constructed attribute which tells you which object classes may be created underneath the current object, more specifically which classes the currently logged-on user can create underneath the current object (taking permissions into account). [2]
dsquery * "cn=My Contact,ou=…,dc=…" -scope base -attr allowedChildClassesEffective
In PowerShell v2 (which ships with Windows Server 2008 R2 and with the RSAT for Win7 (needs to be installed, see [3])) you can use the following command (make sure that the Active Directory module is loaded; either use the shortcut or run import-module ActiveDirectory):
get-adobject -identity "cn=My Contact,ou=…,dc=…" -properties allowedChildClassesEffective
In Active Directory Users and Computers there is an option in the View menu which allows you to specify whether you'd like to see users, computers and groups as containers or not. In the version which ships with Windows Server 2008 (or is in the Remote Server Administration Tools for Vista and above) this setting is extended to apply to contacts as well. This setting is local to the computer and overrides any settings in the schema.
So apparently Active Directory Users and Computers queries the schema, sees that contacts may contain other objects and displays them as containers, whether you've set the view option or not (in Windows Server 2003 R2 and before), because there the option doesn't apply to contacts. This is fixed in the versions which ship with Windows Server 2008 or the RSAT for Vista and higher.
So if you extended the schema to Windows Server 2008 (R2), but your management consoles still run on Windows Server 2003 (R2) / Windows XP or prior, you'll see contacts as containers.
There is a workaround – there is a setting in the display specifiers which modifies this behavior. It's in cn=contact-Display,cn=409,cn=DisplaySpecifiers,cn=Configuration,dc=… (your forest root domain DN; you'll also have to replace the 409 with your language version, where 409 equals US English, 407 would be German and so on). So the workaround is to navigate to the contact-Display object and change the value of the treatAsLeaf attribute to TRUE (by default it's <not set>) [4].
While this workaround works, I wouldn't actually recommend it; in my eyes the "bug" is not annoying enough to change something in the configuration partition. On the other hand, this setting is quite unimportant. So it's up to you, but as soon as you start working with the Windows Server 2008 (R2) management consoles this won't annoy you anymore. So keep migrating ;)
Ulf
---
[1] It's actually not defined on the object what kind of objects can be underneath it, but on the child object classes which possible superiors they may have.
[2] IMHO scripting or programming best practice would mean querying an object for allowedChildClassesEffective prior to creating a child object, to make sure that the current user has the right to create the object.
[3] The Remote Server Administration Tools for Windows 7 include the PowerShell module for Active Directory. If you open the generic PowerShell window you'll have to run import-module ActiveDirectory first (there's a shortcut installed in Administrative Tools which starts PowerShell with this module loaded instead). Note that the PS provider relies on the Active Directory Web Service (ADWS), so you need one Windows Server 2008 R2 domain controller. ADWS is also announced to be available as an out-of-band release/hotfix for Windows Server 2003 and 2008, but this is currently not available. Win7 and WS2k8R2 are also just Release Candidates at this point, but I already want to mention how to do things using PSv2 since we have to get used to this in the AD world (and it's actually pretty impressive what you can do with it easily).
[4] Boolean values in Active Directory are kind of weird – there are three states as opposed to two: either TRUE, FALSE or <not set> if the attribute is empty. Also, the reason for a boolean value in general is to keep space limited; you usually only need one bit. In AD, however, the string of the word TRUE or FALSE is stored.
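As an added example (not from the original post), this script does two things the post describes: the pre-flight check from footnote [2], reading allowedChildClassesEffective before creating a child object, and the treatAsLeaf display-specifier workaround (left commented out). The contact DN and the function name are placeholders.

```powershell
# Added example: allowedChildClassesEffective pre-flight check and the treatAsLeaf workaround.
# The contact DN is an assumption; Test-ADCanCreateChild is a helper written for this example.
Import-Module ActiveDirectory

function Test-ADCanCreateChild {
    # Returns $true if the current user may create an object of class $ObjectClass under $ParentDN.
    param(
        [Parameter(Mandatory = $true)][string]$ParentDN,
        [Parameter(Mandatory = $true)][string]$ObjectClass   # lDAPDisplayName, e.g. 'contact'
    )
    # Constructed attribute: classes the caller is allowed to create here, permissions included.
    $Parent = Get-ADObject -Identity $ParentDN -Properties allowedChildClassesEffective
    return [bool]($Parent.allowedChildClassesEffective -contains $ObjectClass)
}

$Contact = 'CN=My Contact,OU=Contacts,DC=corp,DC=example,DC=com'   # assumption

# With the Windows Server 2008 schema this lists the two ms-net-ieee-*-GroupPolicy classes
# (if you have the right to create them); with a pure 2003 schema it is empty.
(Get-ADObject -Identity $Contact -Properties allowedChildClassesEffective).allowedChildClassesEffective

# Footnote [2] in practice: check before you try to create, instead of catching the access-denied.
if (Test-ADCanCreateChild -ParentDN $Contact -ObjectClass 'ms-net-ieee-80211-GroupPolicy') {
    'Current user could create a wireless policy object under this contact.'
} else {
    'Either the class is not allowed under contacts (2003 schema) or you lack the permission.'
}

# The workaround from the post: mark contacts as leaf objects in the display specifier of
# your UI language (409 = US English, 407 = German). This lives in the configuration
# partition and affects every console in the forest, so only change it deliberately.
$ConfigNC = (Get-ADRootDSE).configurationNamingContext
$Lang     = '409'
$Spec     = "CN=contact-Display,CN=$Lang,CN=DisplaySpecifiers,$ConfigNC"
Get-ADObject -Identity $Spec -Properties treatAsLeaf | Select-Object Name, treatAsLeaf
# Set-ADObject -Identity $Spec -Replace @{ treatAsLeaf = $true }   # TRUE / FALSE / <not set>, see [4]
```

Note that an empty allowedChildClassesEffective does not tell you whether the class is missing from the schema or you simply lack the permission; if you need to distinguish the two, compare against allowedChildClasses, which ignores permissions.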
I do have to say that I'm super-excited – or, as Mark Russinovich tries to introduce the term, … "Hyper-Excited" (Mark: would this be Hyper-E? – just kidding).
Bill Veghte (Sr. Vice President, Windows Business, Microsoft) and Ian McDonald (General Manager for Windows Server at MS) announced this morning at TechEd in Los Angeles the availability of Windows 7 and Windows Server 2008 R2 before the holiday season, meaning that Ian's kids will be able to get the server for Christmas.
I do love those OSs and their new features, working with them on all my machines and not using anything else anymore (apart from customer machines where they make me). So I'll blog more about this, and about TechEd especially, during the week.
Can’t wait for Christmas now!