Directory Services/Active Directory

Ulf B. Simon-Weidner's Blog

November 2004 - Posts

Reflection of Trainings

I'll be in Hanover on Thursday and Friday this week to teach Windows Server 2003, Active Directory and DNS to System Engineers of our company. Those trainings are pretty exciting - they usually don't know a lot about Windows Server 2003, and usually even less about Active Directory and DNS, but they have a very good understanding of different technologies (NT, Novell, SQL, ...) - whatever the job role requires at the customer they are assigned to.

I like to teach those classes - they are more demanding for me and less boring than if the audience has the same skill level. However, I had to think about classes I had in the past. Class environments are usually totally different from production networks. I'm experienced in both, and I rarely get the same errors in a class as in production. E.g. usually in a classroom I have about six Active Directory domains with about twice as many DCs, which we set up within one hour. Doing this has effects which you won't see in a production network, where you have time and ensure that a DC is working very well before you set up additional DCs. Further, I've seen students integrating DNS into AD but doing it simultaneously on DCs of the same domain, and using different application partitions. Or one time I had a forest root failure a couple of minutes before the class was supposed to start. Hardware failure. Unfortunately I had no other DCs in the root domain, but one sub domain (I was setting this up the day before, and did the first DCs first, then I let them replicate and went to print the handouts. After I got back the classroom was locked, so I couldn't add additional DCs that evening). There was no time to set up the servers again, so I had to demote the sub domain, clean everything up, then use another server as forest root and set up the AD structure again. Somehow I managed to get everything done quickly and was able to start the class. On the next day - same class - we heard a loud scratching and a weird sound. The new forest root server had a total hardware failure. This was pretty weird: OK, as in most classes we were using client hardware for the servers, but two hardware failures on the forest root in two days. The students were pretty lucky - we had an additional DC in the root domain at that point and I demonstrated how to recover when the server holding all roles fails.

I'm looking forward to the class on Thursday. Hope to have some interesting chats and discussions with the students. And for some reason classrooms are like geek-talk - you enjoy scenarios which you won't have in production or which you would never implement in production, but you still want to know how to do it. Great!

Posted Tue, Nov 30 2004 5:23 by Ulf B. Simon-Weidner | 2 comment(s)

My first magazine article

My first article in the German magazine IT-Administrator will be available in a few days. I'm pretty excited and so I've published the top part of the first page on the start page of www.windowsserverfaq.org today. The first article covers how to centrally administer the security features of Windows XP Service Pack 2.

The second article which will be in the January release of the magazine will cover how to ease administration in a Windows Server 2003 Active Directory using Saved Queries, Scripts and command line tools.

Posted Tue, Nov 30 2004 4:57 by Ulf B. Simon-Weidner | with no comments

German MVP Open-Day

On Friday there was the German MVP Open-Day. Apart from the morning, where I was kind of dull, the day was great - I enjoyed many talks with fellow MVPs and attendees from MS.

Also the other authors and the project lead from MS-Press, who was responsible for publishing our book, were there. It was the first time all five of us met in one place, and we took the opportunity to sign our books for each other. The project lead also did a presentation and provided us with numbers - the book is selling very well. It's still within the Top 10 of Windows XP books and within the Top 100 of IT books. Actually the feedback I received from different readers was very good as well. I hope I'll find the time soon to start another one - I have a great idea for one (something more focused on AD - but nothing which is out there yet) but lack the time to start. Perhaps X-Mas will help to get started ;-)

And I took the opportunity to fix the date for the next South-Germany regional MVP GetToGether. Looking forward to seeing the regional MVPs again in January (and we already received some confirmations of nice guests from MS). I think it's very necessary to keep those communities running - especially in Germany it's important to increase the awareness of communities in the IT field. I hope we'll see broader communities in the following years, but that's part of another post I'll blog soon (I'll post my vision and excitement about Y2k5+).

Posted Mon, Nov 29 2004 1:32 by Ulf B. Simon-Weidner | with no comments

Microsoft Architects Forum

On Tuesday there was the first (German) Microsoft Architects Forum in Mainz. It was a lot of traveling for me, since I had to get up at 2:30 in the morning and got back around 1:00, also in the morning, but the content was well done. Interesting stuff, and since it was run out of the Enterprise and Partner Group the content and audience were a bit different from the stuff I'm used to from TechEd and IT-Forum. For example there was a presentation of the Windows Server System Reference Architecture (WSSRA), which is the new version of the guides and scripts formerly known as MSA (Microsoft System Architecture). We are talking about guides and scripts to create a datacenter which is easy to deploy and scale out since it's well designed, with best practices in mind. Everything is defined: networks, routers, firewall configuration and so on. E.g. if a customer who's running his datacenter as described in the WSSRA needs more storage or performance in Exchange, he'd be able to call his supplier and get a pre-configured box which fits directly into his infrastructure.

Another good presentation was about the Dynamic Systems Initiative (DSI). Future versions of Visual Studio will enable the developer to design the whole application infrastructure in VS, and even control security settings of those boxes via GPOs. Very interesting, that fits my prediction that developers and administrators will need to get closer together in the near future - I've seen many developers who did not fully understand the infrastructure they are developing against, and on the other hand many administrators who do not know the issues of the applications and how to deploy them securely. I'll have to have a look at DSI and see how well it's able to define a process which allows the developer to do his work, but enables the administration or project team to take over control before deploying to the QSU or production.

And tomorrow (actually today) I'll be at the German MVP-Summit - and I presume another round of interesting talks. Communities are great - one of the major things of the coming year(s): I expect communities to merge better with companies and get a kind of staging in the knowledge-mapping. Does that make sense? Is that even English? However, I really believe it's essential for companies (and/or their IT departments) to define an internal knowledge management and it would not hurt to connect that with countrywide or global communities. We'll see - let me know what you think.

Posted Thu, Nov 25 2004 7:08 by Ulf B. Simon-Weidner | with no comments

Review of IT-Forum

Got back last weekend from IT-Forum. On Wednesday (the day after my last blog) the MVPs had another Breakfast Q&A with Microsoft's Senior VP Bob Muglia - I was really impressed by him: I haven't seen many people in that position who are still able to discuss and get feedback from techies. Over the other days there were a lot of sessions, interesting conversations and not very much sleep. I also had some very interesting discussions with various customers at the Ask-the-Experts booth.

On Thursday Brian Komar (author of various books including Windows Security Resource Kit and Windows Server 2003 PKI Certificate Services, who did some sessions about PKI and security - I can highly recommend his books and sessions) and I explored the possibilities of Windows Movie Maker - we made a short clip which Brian showed prior to his PKI session on Friday - very funny. It was all about Jesper Johansson (another speaker and author, search TechEd for a couple of good articles of his) having mentioned that biometric devices are debatable since you are not able to revoke a thumb if you don't trust the employee anymore. Brian's short clip proved otherwise, and Jesper was a good sport and lent his voice for the re-sync after he had seen the first version. We had a lot of fun. Unfortunately the clip will not be available to the public since there might be copyright issues.

I was very sorry to leave on Friday, but was also looking forward to getting back to my wife and catching up on some sleep.

Posted Thu, Nov 25 2004 6:45 by Ulf B. Simon-Weidner | with no comments

DHCP, DNS and the DNSUpdateProxy-Group

I had a discussion in the newsgroups lately about DHCP and the DnsUpdateProxy group, which is used to write unsecured DNS entries to a DNS zone which only allows secure updates. That's probably not the correct definition, but it describes pretty much what it does. Using DHCP on Windows 2000 Server (with SP2 and above) or, even better, on Windows Server 2003, you are able to define an account which the DHCP server should use for registering the DNS records. You should use this technique; there are almost no reasons to put the DHCP server in the DnsUpdateProxy group anymore.

Issues which were solved by the DnsUpdateProxy group in the past were clustering and overlapping scopes. E.g. if you run DHCP on a cluster and it's running on Node1, it'll write the records it registers (usually PTR records for W2k+ and A + PTR records for downlevel clients) to the DNS zone and allow updates only to the computer account of Node1. Now if the cluster resource fails over to Node2, and a client receives an IP address whose record already existed, Node2 is not able to update the DNS records because only Node1 is allowed to update them. Putting the computer accounts of Node1 and Node2 into the DnsUpdateProxy group modifies the way the DHCP server writes the records - it allows "Authenticated Users" to update the record, which is the same as if you were putting the record in there without security. I just don't like that. With Windows 2000 SP2 and above you are able to change the credentials under which the DHCP service is running, and the service will use those credentials to write the records. Windows Server 2003 DHCP allows you to keep the service running with its default credentials and configure the account it's supposed to use for registering records in the properties of the DHCP server.

Now if you use the same account on all servers that serve the same zone, you are set and you don't need the DnsUpdateProxy group. You are even able to "partition DHCP and DNS updates" across your company and subnets.

And I also believe in giving an account only the least privileges needed, so I'm pretty sure that you'll just need the rights for creating/deleting and updating dnsNode objects in only the zone where the DHCP server writes the records for that account. Haven't tested that yet - when I have, I'll write this up more properly and post it to my website. If you want to test, look at this thread (and let me know of your test).
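An added audit and remediation script for the two settings described in this post (not from the original post or from Microsoft): it lists every DHCP server authorized in AD, flags those whose computer account is in DnsUpdateProxy or that still register records under their own computer account, and then configures one dedicated account on all of them. It uses the ActiveDirectory and DhcpServer PowerShell modules (Windows Server 2012 and later, newer than the Windows 2000 SP2 and Windows Server 2003 releases discussed here); CONTOSO\svc-dhcp-dns is a placeholder for an account you create beforehand.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory and
# DhcpServer modules (Windows Server 2012 and later); these cmdlets post-date the
# Windows 2000 SP2 / Windows Server 2003 releases the post talks about.
Import-Module ActiveDirectory
Import-Module DhcpServer

# Computer accounts in DnsUpdateProxy: the records they register are writable by
# Authenticated Users, which is the weak setting described above.
$proxyMembers = Get-ADGroupMember -Identity 'DnsUpdateProxy' |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object { $_.SamAccountName.ToUpperInvariant() }

# Every DHCP server authorized in Active Directory.
$dhcpServers = Get-DhcpServerInDC

# Step 1: audit. One result object per DHCP server, flagging both risky states.
foreach ($srv in $dhcpServers) {
    $shortName  = $srv.DnsName.Split('.')[0].ToUpperInvariant() + '$'   # SamAccountName form
    $dnsCred    = Get-DhcpServerDnsCredential -ComputerName $srv.DnsName
    $inProxy    = $proxyMembers -contains $shortName
    $hasAccount = -not [string]::IsNullOrEmpty($dnsCred.UserName)
    $account    = ''
    if ($hasAccount) { $account = "$($dnsCred.DomainName)\$($dnsCred.UserName)" }

    if ($inProxy) {
        $finding = 'WEAK: member of DnsUpdateProxy; its records are open to Authenticated Users'
    } elseif (-not $hasAccount) {
        $finding = 'NOTE: registers under its own computer account; a fail-over node or another server serving the zone cannot update those records'
    } else {
        $finding = 'OK: dedicated dynamic-update account configured'
    }

    [pscustomobject]@{
        Server           = $srv.DnsName
        InDnsUpdateProxy = $inProxy
        UpdateAccount    = $account
        Finding          = $finding
    }
}

# Step 2: corrected setting. The same dedicated, low-privilege account on every
# DHCP server that serves the zone, so any of them can update records the others
# registered, without DnsUpdateProxy. 'CONTOSO\svc-dhcp-dns' is a placeholder name.
$updateAccount = Get-Credential -Message 'Dedicated DHCP dynamic-update account (placeholder: CONTOSO\svc-dhcp-dns)'
foreach ($srv in $dhcpServers) {
    Set-DhcpServerDnsCredential -ComputerName $srv.DnsName -Credential $updateAccount
}
```

Run step 1 on its own first; only after every server reports OK or NOTE should the DHCP server computer accounts be taken out of DnsUpdateProxy, since records already created while they were members keep their open permissions until re-registered.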

To be kind of complete (without writing more and bugging your RSS reader): the only reason for using the DnsUpdateProxy group might be if you are in a migration scenario - however there are other solutions as well. If you are interested let me know (there's a feedback option on this blog if you haven't realized yet - not just the contact link ;-) ).

Posted Mon, Nov 15 2004 19:29 by Ulf B. Simon-Weidner | 7 comment(s)

IT-Forum Copenhagen started

I arrived at the IT-Forum on Sunday and had loads of appointments in the first couple of days. Today the official conference started, and Eric Rudder (the Vice President for Server and Tools at Microsoft) had a Q&A Breakfast with the MVPs, and afterwards was the Keynote with Bill Gates. Everything very exciting, and I'm looking forward to more details on some topics during the week. Yesterday I attended the pre-conference session by John Craddock and Sally Fields. Their talk "Stretching Directory Boundaries, Cross Platform Identity Management, Authentication and Security" was pretty cool - they were covering mostly MIIS, ADAM and Federated Identity.

OK, more days and appointments to come. If I stumble over something very interesting I'll blog it - but as I said initially, I try to keep the volume low and limited to interesting content instead of blogging every update on Microsoft.com Downloads, Whitepapers or other stuff which is released and which you'll find in a whole lot of blogs anyway ;-)

Posted Mon, Nov 15 2004 18:47 by Ulf B. Simon-Weidner | with no comments