Directory Services/Active Directory : TechEd

My Value of TechEd

Ulf B. Simon-Weidner — Fri, 13 Nov 2009 11:08:28 GMT

The last day of TechEd Europe has started. It’s been great as usual. I was satisfied about my sessions, I’m satisfied about other sessions I’ve seen. However – what’s my value of TechEd?

TechEd is inspiring: always when you are put together with a clever bunch of folks, it’s inspiring to talk about technologies, there possibilities as well as what’s lacking, and get a lot of good ideas.
TechEd is networking: hard to keep up with all the people you know or you should know, but TechEd is one of the major places where you get so many people who work with the same technologies and share the same interests. Great place to keep in contact and meet new people – only bad thing that it’s to short
TechEd is geeky: Couple years ago I was complaining that they didn’t have and real 400-Level Sessions at TechEd for IT-Professionals. Then I was able to deliver 400-Level sessions over the years (“A Directory Services Geek’s View on …”), mostly at TechEd EMEA but also at TechEd US. I’m glad to see that especially TechEd Europe is providing in-depth content to IT-Pros (this was actually one thing we’ve heard complains at TechEd US this year, however not at Europe! Hope this still improves). It’s fun to prepare those sessions, it’s fun delivering them, great to get the feedback and great to hear afterwards how happy the attendees are about not getting a marketing session.
TechEd is broadening horizons: Especially when talking with attendees in the Technical Learning Center or after my sessions, or in the evening at parties, it’s broadening my horizons when they are asking questions, tell me about their scenarios and ideas. Even when working as consultant with many companies, I only get to meet a certain amount of customers. However at TechEd I’m meeting so many people every day, so many different scenarios, it’s just great to broaden my horizons and my knowledge!
TechEd is knowledge: Breakout Sessions, Interactive Sessions, Technical Learning Center (Ask the Experts), Hands on Labs, … and about almost all Microsoft technologies – there is only one place where you can lean so much in different ways
TechEd is community: MVPs, MCTs, CLIP, Microsoft employees, colleagues, friends, people who share the same interests, …

… there are lots of more points …

I’m doing multiple conferences a year, and TechEd is boosting knowledge in Microsoft technologies! I love it! To bad it’s the last day today, however I’m also looking forward going home and enjoying the weekend.

Contacts displayed as containers

Ulf B. Simon-Weidner — Sun, 17 May 2009 08:58:01 GMT

At TechEd I was staffing the Windows Server 2008 R2 Active Directory-Booth. We had a lot of interesting questions, scenarios and discussions there.

One interesting issue was a customer who asked us why his contacts in Active Directory are being displayed as containers and how he can take it off. Actually this took us some time to look into it. He had two forests – when he was targeting Active Directory-Users and –Computers against one forest, his contacts were displayed as containers (meaning there was a plus-symbol right next to it and you were able to see it in the tree, with no objects underneath). On the other forest the contacts weren’t displayed as container.

So we had to figure out what’s going on there. And what I’ve actually found is quite interesting, and I believe that more companies are running into this, so I found it worth documenting it on the web.

So what’s going on is that we found out the one forest was extended with the Windows Server 2008 Schema (adprep /forestprep) but the customer is still running Windows Server 2003 DCs. In the Schema of Windows Server 2003 by default there are not any objects who can be “underneath” a contact [1]. In the Windows Server 2008 Schema there are two new objects, which can be underneath a contact. Those are ms-net-ieee-80211-grouppolicy and ms-net-ieee-8023-grouppolicy. You can check this by querying the attribute allowedChildClassesEffective on a contact – this is a constructed attribute which is telling you which objects may be underneath the current object, more specifically which attributes the currently logged on user can create underneath the current object (taken permissions into credit). [2]

dsquery * “cn=My Contact,ou=…,dc=…” –scope base –properties allowedChildClassesEffective

In Powershellv2 (which ships with Windows Server 2008 R2 and in RSAT for Win7 (need to install, see [3]) you can use the following command (make sure that the Active Directory-Module is loaded, either use the shortcut or import-module ActiveDirectory):

get-adobject -identity "cn=My Contact,ou=…,dc=…" -properties allowedChildClassesEffective

In Active Directory-Users and –Computers there is an option in the view-menu which allows you to specify whether you’d like to see users, computers and groups as containers or not. In the version which ships with Windows Server 2008 (or is in the Remote Server Administration Tools of Vista and above) this setting is extended to behave on contacts as well. This setting is local to the computer and overrides any settings in the schema.

So apparently Active Directory-Users and –Computers is querying the schema, sees that contacts may contain other objects and is displaying them as containers, whether you’ve set the view-option or not (in Windows Server 2003 R2 and before) because is doesn’t apply to contacts. This is fixed with the versions which are shipping in Windows Server 2008 or RSAT for Vista and higher.

So if you extended the schema to Windows Server 2008 (R2), but your management consoles are still running on Windows Server 2003 (R2) / Windows XP and prior you’ll see contacts as containers.

There would be a workaround – there is a setting in the display specifiers which is modifying this behavior. It’s in cn=contact-display,cn=409,cn=display specifies,cn=configuration,dc… (your forest-root domain DN, you’ll also have to exchange the 409 with your language version, where 409 equals US-English, 407 would be German a.s.o.). So the workaround is to navigate to the contact-display object, then change the Value for the “treatAsLeaf”-attribute to TRUE (by default it’s <not set>) [4].

While this workaround will work, I wouldn’t actually recommend it, in my eyes the “bug” is not annoying enough that you’d change something in the configuration context. On the other hand, this setting is quite unimportant. So it’s up to you, however as soon as you start working with the Windows Server 2008 (R2) Management Consoles this wont annoy you anymore. So keep migrating ;)

Ulf

---

[1] It’s actually not defined in the object what kind of objects can be underneath, but on the child-objects what possible superior it may have.

[2] IMHO Scripting or Programming Best-Practice would mean to query an object prior to creating a child-object for allowedChildClassesEffective to make sure that the current user has the right to create the object.

[3] The Remote Server Administration Tools for Windows 7 include the Powershell Module for Active Directory. If you open the generic Powershell-Windows you’ll have to import-module ActiveDirectory first (there’s a shortcut installed in Administrative Tools which starts Powershell with this module loaded instead. Note that the PS-Provider relies on the Active Directory Webservice (ADWS), so you need one Windows Server 2008 R2 Domain Controller. ADWS is also announced to be available as Out-of-band Release/Hotfix for Windows Server 2003 and 3008, however this is currently not available. Win7 and WS2k8R2 are also just Release Candidates at this point, however I already want to mention how to do things using PSv2 since we have to get used to this in the AD-World (and it’s pretty impressive actually what you can do with it easily).

[4] Boolean Values in Active Directory are kind of weird – there are three states as opposed to two – either TRUE, FALSE or <not set> if the attribute is empty. Also the reason for a boolean value in general is to keep space limited, you only need one bit usually. However in AD the String of the Word TRUE or FALSE is stores.

Windows 7 and Windows Server 2008 R2 availability announced for the holiday season

Ulf B. Simon-Weidner — Mon, 11 May 2009 19:05:10 GMT

I do have to say that I’m super-excited – or as Mark Russinovich tries to introduce the term … “Hyper-Excited” (Mark: would this be Hyper-E? – just kidding).

Bill Veghte (Sr. Vice President, Windows Business, Microsoft) and Ian McDonald (General Manager for Windows Server at MS) have introduced this morning at TechEd in Los Angeles the availability for Windows 7 and Windows Server 2008 R2 before the holiday season, meaning that Ian’s kids will be able to get the server for christmas .

I do love those OSs and their new features, working with them on all my machines and not using anything else anymore (apart from customer machines where they make me too). So I’ll blog more about this, and about TechEd especially during the week.

Can’t wait for Christmas now!

Rumors about AD-Snapshots

Ulf B. Simon-Weidner — Mon, 04 Aug 2008 15:17:43 GMT

I've recently heard /read some rumors about AD-Snapshots. As I wrote before in Timetraveling Active Directory the new feature of Active Directory in Windows Server 2008 - AD-Snapshots or "the Database Mounting Tool" (how Microsoft calls the technology) how to look at a snapshot / backup can help you recovering data from older states of your Active Directory. I've also spoken about this and demoed it in my "A Directory Services Geek's View on Active Directory Recovery in Windows Server 2008" which was so far presented at TechEd Europe 2007 in Barcelona, the German Windows Server 2008 Launch in Frankfurt, the Directory Experts Conference 2008 in Chicago, TechEd US 2008 in Orlando, and which will pre presented at ICE-Lingen (in Lingen at the end of August. I've also wrote articles about this in the IT-Administrator in March and April this year.

So some rumors:

a mounted Database will show you all partitions, however Microsoft only supports the domain partition, the other partitions are not supported.
As far as I know it is not supported to recover from snapshots at all, however it works but you have to script. As I mentioned the process is:

Creating a snapshot with NTDSUtil (ntdsutil -> snapshot -> Activate Instance NTDS -> Create)
or
Backing up the systemstate (wbadmin start systemstaterecovery -backuptarget:s:)
Mounting a snapshot in the filesystem (ntdsutil -> snapshot -> list all -> mount xyz)
or
Restoring the systemstate to an alternative location (wbadmin start systemstaterecovery –version:07/07/2008-14:41 –recoveryTarget:e:\recovery\)
Starting the snapshot / restored NTDS.dit as Read-only directory (dsamain -dbpath c:\$snap...\ntds\ntds.dit -ldapport 10000)
Reanimating the tombstone of the user(s) in question
Getting back additional data out of the snapshot and into production using scripts or ldifde.exe, see my post about converting the LDIF: Converting LDIF-Files
Fixing backlinks: This is not easily done using LDIFs. Remember that Backlinks are not writeable, so you have to retrieve the backlink, then update the forward-link in question. Using LDIFDE this would be hard to accomblish. Most of the time we mostly care about Group Memberships, then we can also use a one-line commandline:

dsget user cn=Ulf,ou=Demo,dc=xyz,dc=com -s localhost:10002 -memberof 
  | dsmod group -addmbr cn=Ulf,ou=Demo,dc=xyz,dc=com

you could retrieve information from other partitions, but you'll also have to script it and be aware that it's not supported from Microsoft
One rumor I've recently read: Using ntdsutil to perform an authoritative restore without rebooting in Directory Service Restore Mode. This is also not supported. The only supported way to perform an authoritative restore is in DSRM. However I've talked to some of the developers, and they said it'll work as long as you are rebooting instantly after performing the authoritative restore (to make sure that caches and everything is cleaned), so you can do it without DSRM (stopping AD, performing the non-authoritative and the authoritative restore, then rebooting the machine without restarting AD prior). However it's not supported!!!!
There are tools out there to help you recovering from a snapshot:

If you speak German and you are unable to attend ICE you can see my session at the German Launchevent Online. If you attend ICE come there, the session has been updated .

Why Clients don't (need to) understand the concept of Read-Only Domain Controllers (RODC)

Ulf B. Simon-Weidner — Mon, 16 Jun 2008 17:08:56 GMT

Hi There,

just back from TechEd, it's time for some technical posts. So one of the questions I got very often is what you need in your infrastructure to deploy read-only Domain Controllers. Along with that question goes what Client-Version of the Operating System is needed that they are able to authenticate with an RODC.

What is a RODC?
The Read-Only Domain Controller is a new concept in Windows Server 2008. While a regular Domain Controller allows updates to the domain contents on each DC, an RODC is only receiving updates from Full DCs. He will not take any write requests. He is further not replicating any password or cached secrets. This distinguishes him from a NT4 Backup Domain Controller (BDC), who had all passwords stored locally. Also he is - in every other means - a full domain controller and LDAP-Server, also stores all GPOs in Sysvol. To allow offline operations (when the WAN to the RODC-Site is failing) Administrators are able to configure if certain users passwords are allowed to be cached, by putting them in a group which is in the allow list. There is also a group whos passwords are denied to be cached, even if they are in the allow list. List group contains by default certain administrative accounts, such as domain administrators, enterprise administrators, the operators groups a.s.o.
The RODC is built for the unsecured Branch-Office or for the DMZ/perimeter network, where you are either unable to ensure the physical security of a DC or where the environment is untrusted.

So the first thing you need is to prepare your existing infrastructure. The RODC is a Domain Controller, so you need to update the schema. Further the RODC needs some assistance from a Full-DC, so you need to deploy enough Full-DCs to allow replication to the RODCs. For most environments one Full DC should be sufficient (RODCs only replicate inbound, not outbound, which also increases performance and decreases replication traffic), however I'd always prefer a second one to allow redundancy. To prepare the schema you need to perform the forestprep and domainprep operations (adprep /forestprep and adprep /domainprep), if you want to deploy RODCs you also need to perform a adprep /rodcprep in every domain of the forest to allow a Global Catalog on the RODC. However you do not need a Windows Server 2008 DC in Domains where you don't want to deploy RODCs. However two: there are other reasons why you should deploy Windows Server 2008 .

But how do RODCs perform certain functions? They can take the role of a Global Catalog server and of a DNS-Server. If a client (member-servers might also be clients to Active Directory, even the domain controller itself - his OS - might be a client to AD) tries to write against an RODC the RODC is using LDAP write referrals to tell the Client that he is supposed to write to a different DC (a Full Windows Server 2008 DC). LDAP referrals have been defined e.g. in RFC 2551 back in 1997, so LDAP-applications should be able to follow them.

And how is a logon performed against the RODC? The user is actually performing the logon against the RODC. The RODC is looking in his local AD to verify whether or not he's able to verify the users password. If he has no cached copy of the password he is forwarding the request to a full DC. Further he is requesting the full DC to replicate the password down to him, the full DC checks the allow- and deny-lists and decides whether or not to replicate the password down. The full DC further issues a kerberos ticket for the client. The RODC is informed that the client may log on, and the RODC is issuing his own kerberos ticket for the client. All other things of the logon process, such as compiling the token with group membership information and pulling down group policies is done against the RODC. If the user logs on another time, and the password is cached on the RODC, the RODC does not need to contact the full DC and is able to process the logon-request even if the WAN is offline.

The other thing are DNS updates. Clients in the Branch Office (or Remote Office how we prefer to call it nowadays) are supposed to use the local DNS-Server. However they might update their DNS-Records, which is totally acceptable. But if the RODC is not writeable, and DNS is stored in AD, and actually the DNS-Zones on a RODC are not writeable too, how are those updates performed. This answer is actually quite simple. We Windows Admins got spoiled over time, since our DNS-Servers - when the zone is stored in AD - allow updates on any DNS-Server which is also a DC and holds a copy of the AD-integrated Zone. However think back to the concepts of DNS. We always had a single primary DNS-Server who was able to write updates, and multiple secondaries who were just able to answer to queries. Clients who want to write in DNS had to request a SOA (start of authority) Record for the zone they want to write into. Full DCs who are DNS-Servers with an AD-integrated replica of the Zone were always answering with themselves as SOA (the SOA-Record only allows one Server, and there is only one SOA per Zone, as opposed to Nameserver (NS) Records where are multiple per DNS-Zone). RODCs don't have an SOA for themselves, they hold a SOA which is stating the Name of a Full DC. So that is simple, Clients who want to write into DNS are still (same technology as in the 80th) querying the zone for it's SOA, and then they are contacting the Server which is stated in the SOA to write the update. But RODCs provide some intelligence as well - if a client was contacting them for the SOA they wait for a moment to allow the client to update his record, then they are requesting a single-object-replication from the Full DC for the Clients DNS-Record so that the DNS-Information at the clients site is updated as soon as possible, while any other site will receive it with the regular replication.

So Clients / Memberservers and other machines should be able to run against RODCs. However, there are certain things which might affect this statement:

The Read-only partitial attribute set (RO-PAS): It is possible to define in the schema that certain attributes should not be replicated to RODCs. However the application needs to be aware of this, since those requests are not referred to a full DC.
Replication latencies: if an application is performing a write request it will be redirected to a full DC. If the application tries to read that data again before replication occurs, the RODC will still return the old data. If you want to make sure that your applications write against RODCs be aware of this issue, and look for a writeable DC when you perform write/readback-operations or make sure that you are not using write/readback (but stick against the RODC if you only perform read operations, otherwise you will slow down your application since it's always crossing the WAN).
Firewalls: especially in DMZ-Scenarios your clients might not have a connectivity to a full DC, so write referrals will fail. Make sure that you don't need write requests in those scenarios.
WAN-Offline: write operations will also fail in this scenario

I hope I was able to get some lights behind RODCs, theres a lot of more information available online, e.g. look at the following page: Application Compatibility with RODCs

Ulf

Back to live

Ulf B. Simon-Weidner — Tue, 13 May 2008 21:53:00 GMT

I haven't blogged in a while. A long while. I've been through major changes in my live. Readjusting. Reloading. Sometimes you need to reevaluate things, in technology and in live. Being stable doesn't equal avoiding changes. I've recently heard a statement "nobody will grant you that things get better when you make changes, but to make things better you have to make changes". Very true. And - that's in live and technology - I even believe that avoiding changes make things worse. Sometimes you even benefit from small changes. E.g. at our company we made things better by introducing a single Windows Server 2008 last year. And we had users and admins who had a big benefit. Re-evaluation is good, and changes ... changes are being alive.

But this here is about technology. So let me make a small update on what's going on with me in this field.

After the Directory Experts Conference in Chicago I was working back home, then went to the MVP-Summit in Seattle and it was great so see so many MVPs and folks from the Directory Services Product Group again. I really enjoyed it. Currently I'm preparing for two events: Microsoft TechEd USA for IT-Pros (yes - they followed the example from Europe and split the Developers and IT-Pros in two different weeks - however I enjoyed how it was before). At TechEd which will be in Orlando (again, been there last year, and a then two years before) I'll present 3 sessions and two interactive ones. So five slots in two days (I'm only scheduled in on Wednesday and Thursdays), this will be quite funny . I'm looking forward to it. I'm sad I had to decline the developer-week, but I can't take two weeks of vacation just speaking at two different TechEds. Would love to, but someone has to pay for my living. And I feel I really need vacation this year, I deserved it, believe me, but currently I'm unable to go on vacation.

Another thing I'm getting ready for is a whole day Workshop with the IT-Administrator, we'll cover Windows Server 2008 and nothing else. I'm looking forward to it, and I was told that there are many people signing up for it.

So exciting events to come soon, and I actually have a couple ideas (some already finished) about new technical blog entries, so stay tuned. I'll promise the next one will be technical and coming in a few days .

P.S.: Thanks for listening - I can't remember how many times I said this in the recent past and probably didn't say it often enough.

Congrats Microsoft: Windows Server 2008 is RTM

Ulf B. Simon-Weidner — Tue, 05 Feb 2008 07:12:21 GMT

I cannot state it any better: the best Windows Server release ever has been released to manufacturing - Windows Server 2008 is finished.

Windows Server 2008 is very stable and very well-done for production use. As I wrote before we at Computacenter are using it since October 2007 in Production, and I have a customer where we already run a full shop only on Vista and 2k8 since September (on Beta 3).

And we've also done a lot of things, to quickly recap just what we've done with customers was a 10-city Roadshow in Germany (half-day sessions on WS2k8, last one will be in Berlin next week), countless presentations at customer or trade shows / events, countless sessions to make sure our staff is ready to sell and deliver WS2k8-Solutions, one press-release in October, and a couple references which will be published shortly.We will be with many people at the German Launchevent, are partner there with a booth, and I'll deliver 3 sessions plus a interactive one, created many flyers and solutions around the product, … just being ready to deliver.

I'm very excited about the new product - let's start deploying more of it!

And here are the blogs which will give you a feeling how it was at Microsoft in the last couple hours:

Windows Server 2008 - RTM!!!

Windows Server 2008 – A time to sit back, remember and party!

I'm on the Edge [;)]

Ulf B. Simon-Weidner — Wed, 21 Nov 2007 23:23:05 GMT

Last week I was at TechEd:IT-Forum in Barcelona. I'll follow up with more details later. However the guys from edge.technet.com have done an interview with me, which went online last night. I was speaking about my sessions, AD Restore in Windows Server 2008 and Schema Updates.

You can find it currently on the homepage, and here's the direct link for later:

Ulf on AD at TechNet Edge

More speaking engagements

Ulf B. Simon-Weidner — Sat, 06 Oct 2007 21:30:43 GMT

While we are in preperation for TechEd:IT-Forum which will be in Barcelona in November, there are more speaking engagements already scheduled:

October 24th and 25th:

The IT-Administrator asked me to speak about what's new in DNS and Active Directory in Windows Server 2008 at the German Tradeshow Systems. (Details)

November 12th to 16th:

I'll be delivering two sessions and an interactive session at TechEd:IT-Forum in Barcelona. My sessions will be "A Directory Services Geeks View on How to (not) extend your schema" and "Active Directory Recovery in Windows Server 2008", and I will host an interactive session (like the chalk-&-talks of the previous year, a session where attendees are encouraged to ask questions and get them answered) with Stephanie from the AD Product Group about "Active Directory Domain Services in Windows Server 2008".

February 19th to 21st:

Windows Server 2008 will be launched in Germany, and I'll speek at the launch event in Frankfurt. My sessions are "Active Directory Domain Services and DNS in Windows Server 2008" and "A Directory Services Geeks View on Access Control Entries".

March 2nd to 5th:

NetPro already announced the Directory Experts Conference 2008 in Chicago, and I was honored to be asked back as speaker.

What's up?

Ulf B. Simon-Weidner — Wed, 06 Jun 2007 00:38:52 GMT

OK - it's been a while since I last posted. Many things were going on.

The last post was in the Directory Experts Conference-Timeframe. Wow - a lot was going on. I'll write later some thoughts about DEC, even if others have covered it well (like Gil, Joe, Jorge, Tomek) it's worth some words.

What else was going on? OK - recently I've got ready for TechEd Orlando, where I answer questions in the Ask-the-Experts Area at the Windows Server - Active Directory Booth. Then I'm busy with a roadshow about Windows Server 2008 in Germany. If you are in Germany and have business-relationships with Computacenter go to www.computacenter.de/veranstaltungen or ask your contacts to join. We have done and will do 6 locations until end of June (already been to Ludwigshafen, Nuremberg, Stuttgart and Saarbrücken and will be in Frankfurt and Munich in June), with more location coming up in the second half of 2007. I did a lot to organize and create these events, and I'm working together with some great collegues here, so if you are able to take a chance and join.

Additional NetPro has announced that they will bring the Directory Experts Conference to Europe again this year, and I'm glad that I'm able to help being an active part of that conference. I'm looking forward to it very much.

Otherwise ... many customer events and other things around Windows Server 2008 - this will be a great release and customers are asking about it like crazy. It's always a pleasure to see a product being sucessful where you were able to provide good feedback on and you know that this feedback was aprechiated and taken into credit. I'm looking forward to the release, and as much as I've tested the previous and current versions, and what I know from RC1, this will be a blasting release. If you didn't had a chance to look at it - do it now - you're already late.

TechEd EU 2006 in Barcelona

Ulf B. Simon-Weidner — Mon, 22 Jan 2007 00:20:15 GMT

So ... TechEd was just great - I can not describe it in other words.

As I wrote in a prior post I had some sessions to take care of at TechEd. So after we arrived in Barcelona we first had a dinner with the MCT-Community which we really enjoyed. There are so many MCTs out there who are so dedicated to their "passion" (and job) that it's always a pleasure to meet everyone and enjoy geek-talking. After the conference started I still wanted to adjust the demos of my session to show some new stuff. Unfortunately I made a small mistake (if you have dual-boot with Vista RC2 and XP try to avoid hibernating - especially if you have a laptop vendor which does provide very bad drivers) so I had some harddisk corruption on my Laptop. Did I mention that the PPTs and the demos were all supposed to run from my laptop (the XP-Part)? So I had some joy in fixing my Laptop on the road without the CDs, however I managed to get it up and running again (before it went right into a bluescreen after the bootmanager) - some files in XP were still corrupt (and they are currently still corrupt - didn't had the time to reinstall and I'm only using the Vista-Installation anyways). Learned it the hard way - do not hibernate with shared disks.

So after I was sure that at least Powerpoint and VPC are back and running I was adjusting my demos. The rest of the time of the first days (there wasn't much as you can assume) I spent in the Ask-the-Experts-Area and answered questions in the Longhorn Booth. This is one of my favorite things at those conferences - you get so much insight of many issues within multiple companies, and how attendees (mis)understand the products. This also gives me ideas which points we have to outline in talks and blogs, apart from enjoying to helping the attendees.

On Wednesday I had the first of two Chalk-&-Talks with Karmal Janardhan (Group Program Manager in the Active Directory Program Group). The concept of Chalk-&-Talks is a mixture between Ask-the-Experts and Breakout Sessions. You have many attendees in a session room, you are not supposed to use Powerpoint (a few slides to help the discussion getting started or outlining examples are accepted) and you are discussing technologies with the attendees. We did a Chalk-&-Talk on "Active Directory and DNS in Longhorn". It was just great. Kamal is so deep into the planning and features of the technology, and I was able to contribute with my practical experience. We both enjoyed the session, and according to the discussion and feedback afterwards the attendees enjoyed it as well. I don't think there was another session where you could get a better knowledge topic. OK - maybe Kamals Breakout Session which covered the same topic - but I even think we were able to explain it better in the Chalk-&-Talk due to the discussion format of the session. We had the last session-slot of the day and the room was crowded. There were people leaving because there was no more space. Afterwards in the Hotels Lounge some other speaker was complaining that the last session of the day was empty in many sessions and the attendees were supposedly already off partying, but I know where they were .

On Thursday afternoon I had my own session: "A Directory Services Geek's View on Access Control Entries (ACE)". Since I just had a few minutes between the session prior to me I decided to use a longer break before to connect my laptop to power at the speakers desk and get it up and running, so that the session before allows the power management-drivers to "adjust". Otherwise the time to start up as well as the performance would be questionable. This was a good decision - I didn't had any issues with performance, the session and demos went very well (OK - I was a bit nervous because I still didn't trust my recovered laptop). I love this session, since I was always missing Geek-Level content at TechEds, so I was happy to present it. There were a lot of interested attendees, feedback was great (e.g. "You can improve the conference by doing more sessions like this.", and "excellent session - best one I have been to so far" on a Thursday afternoon). There were many interesting questions right after the session, but at some point we got bounced so that the next session was able to start. However I went right back into the Ask-the-Expert-Area and had some lengthy discussion about the topic with some attendees. Very interesting talks - so we continued until we were told that the exhibition area is closing and we are to leave.

On Friday Kamal and I repeated our Chalk-&-Talk about "Active Directory and DNS in Longhorn" right in the morning. We had slightly less attendees (probably partying the night before, or everyone was in our first session) but the discussion was still very good. Kamal is impressive - at her own session she got a comment like "how comes a little girl tells all geek's in here how technology really works" . After the Chalk-&-Talk we went to the Ask-the-Experts-Area, and I didn't leave until the conference was over. There were so many interesting questions. Actually some attendees were coming up to me with their "List of Questions" they made up during the week, so I was answering .. answering .. answering ... (I call it the "streaming answering mode" now ).

However - what a great week - everytime again!

I'm still alive (1)

Ulf B. Simon-Weidner — Sun, 21 Jan 2007 22:58:03 GMT

OK - I haven't written a post in quite a long time. The last one was before I went to TechEd EU in Barcelona. So what happened?
I decided that I've deserved some vacation, so I went with my wife and a "close friends couple" to Hurghada, Egypt to do some sun-tanking and scuba-diving. I enjoyed it, there are great beautiful animals in the red sea (kind of poisoning too, so you are far safer snorkeling or diving then swimming or worse - walking).

Afterward we went almost straight (one day re-packing in Munich) to Barcelona.

TechEd and Barcelona was great (again). Microsoft has done a great deal in making this the best TechEd/IT-Forum in the last years (at least in my opinion), they valuated the feedback from last year and the conference was great. I'll continue in the next post with my experience from TechEd, since this is really deserving a separate post.