I've recently heard /read some rumors about AD-Snapshots. As I wrote before in Timetraveling Active Directory the new feature of Active Directory in Windows Server 2008 - AD-Snapshots or "the Database Mounting Tool" (how Microsoft calls the technology) how to look at a snapshot / backup can help you recovering data from older states of your Active Directory. I've also spoken about this and demoed it in my "A Directory Services Geek's View on Active Directory Recovery in Windows Server 2008" which was so far presented at TechEd Europe 2007 in Barcelona, the German Windows Server 2008 Launch in Frankfurt, the Directory Experts Conference 2008 in Chicago, TechEd US 2008 in Orlando, and which will pre presented at ICE-Lingen (in Lingen 
at the end of August. I've also wrote articles about this in the IT-Administrator in March and April this year.
So some rumors:
- a mounted Database will show you all partitions, however Microsoft only supports the domain partition, the other partitions are not supported.
- As far as I know it is not supported to recover from snapshots at all, however it works but you have to script. As I mentioned the process is:
- Creating a snapshot with NTDSUtil (ntdsutil -> snapshot -> Activate Instance NTDS -> Create)
or
Backing up the systemstate (wbadmin start systemstaterecovery -backuptarget:s:) - Mounting a snapshot in the filesystem (ntdsutil -> snapshot -> list all -> mount xyz)
or
Restoring the systemstate to an alternative location (wbadmin start systemstaterecovery –version:07/07/2008-14:41 –recoveryTarget:e:\recovery\) - Starting the snapshot / restored NTDS.dit as Read-only directory (dsamain -dbpath c:\$snap...\ntds\ntds.dit -ldapport 10000)
- Reanimating the tombstone of the user(s) in question
- Getting back additional data out of the snapshot and into production using scripts or ldifde.exe, see my post about converting the LDIF: Converting LDIF-Files
- Fixing backlinks: This is not easily done using LDIFs. Remember that Backlinks are not writeable, so you have to retrieve the backlink, then update the forward-link in question. Using LDIFDE this would be hard to accomblish. Most of the time we mostly care about Group Memberships, then we can also use a one-line commandline:
dsget user cn=Ulf,ou=Demo,dc=xyz,dc=com -s localhost:10002 -memberof
| dsmod group -addmbr cn=Ulf,ou=Demo,dc=xyz,dc=com |
- you could retrieve information from other partitions, but you'll also have to script it and be aware that it's not supported from Microsoft
- One rumor I've recently read: Using ntdsutil to perform an authoritative restore without rebooting in Directory Service Restore Mode. This is also not supported. The only supported way to perform an authoritative restore is in DSRM. However I've talked to some of the developers, and they said it'll work as long as you are rebooting instantly after performing the authoritative restore (to make sure that caches and everything is cleaned), so you can do it without DSRM (stopping AD, performing the non-authoritative and the authoritative restore, then rebooting the machine without restarting AD prior). However it's not supported!!!!
- There are tools out there to help you recovering from a snapshot:
If you speak German and you are unable to attend ICE you can see my session at the German Launchevent Online. If you attend ICE come there, the session has been updated .
There are certain roles in Active Directory - which is a multi-master directory (meaning that every DC can write if he's member of the domain) - which need a "single-master", someone who takes care that certain things are only performed once and they are unique.
As we should know, there are five of those "Flexible Single Master Operations"-Masters (FSMOs) (however let's not get into the discussion why they are called "Flexible" - back in the NT5-beta-days (beta of Windows 2000) they were even called "Floating"). Two which are unique in the forest, and three which are unique in the domain.
FSMOs per forest:
- Schema-Master: guess what - someone has to be responsible updating the schema and making sure that it's unique. What a surprise!
- Domain Naming Master: Same for certain names in the forest, which need to be unique.
FSMOs per domain:
- PDC-Emulator: the most complex and most important role. Not only reliable to replicate AD-content to NT4-BDCs (not in Windows Server 2008 anyways), but the PDC-Emulator is also the last instance of password changes, he's targeted by the Group Policy Object Editor, takes care of AD-integrated DFS-Namespace, the PDC-E of the forest-root-domain is responsible for providing the right time to all members of the forest, a.s.o. He's important, and you need him even if you don't have NT4 in your domain anymore (hopefully - it's gray-haired by now).
- RID-Master: My favorite role, since he reminds me on your account managers at the Octoberfest. Every year we take a lot of customers to the Octobeerfest . Someone is assigned per table to get beer-coupons for everyone. If he's running out he has to go to the account manager responsible to get another stack. The RID-Master is doing the same. He's making sure that RID (the last part of the security-identifier) is unique per domain by giving every DC a stack of RIDs to issue, and if he's running out of RIDs (meaning that his stack is half-empty / half-full) he's requesting the next RID-Pool.
- Infrastructure-Master: He's the one who makes sure that cross-domain memberships are being taken care of (what a sentence). So what he's really doing is comparing group-memberships and other cross-domain links against other domains (in the GC), and if some link is targeted at another domain in the forest he's taking care to create a phantom so that all DCs know what the link-target is. Why is that - lets get out of the "bullet-points".
If we look at the AD-Database (which is not being replicated - AD does take care of replication - the database is the local store per domain controller) there are two major tables in the database: the data-table and the link-table. Every row in the data-table is a single object, which is referenced by the "Distinguished Name Tag (DNT)". This is a unique ID for each object in the database (per domain controller - across domain controllers it is very unlikely that the same object has the same DNT - as I said - replication is on the application layer and not on the Database-Layer). However, there is the link-table. The Link-Table is taking care of all links. So all group-members vs. user-member-ofs a.s.o. are stored there with their DNT. If the DC needs to enumerate group members, he's simply searching in the link-table for the "link-source" and enumerates their targets, if he's looking for the member-of information of a user he's searching for the link-destination and enumerates their sources. Sounds logical? Hopefully.
But remember that groups (such as other links) may contain objects of other domains. How would we be able to reference those, they don't have a row and don't have a DNT in the domain database. That's where the Infrastructure-Master kicks in. He's taking care to create phantom-objects of objects which are referenced in a domain but which are from a foreign domain. So those objects are being created as "small version of those objects" in the domain where they are referenced. They are even smaller than the partitial attribute set which makes it into the Global Catalog. I've already blogged about the Global Catalog vs. Infrastructure Master dependency, so for this discussion go there. Also you can look at the Knowledgebase-Article "KB 248047: Phantoms, tombstones and the infrastructure master" on TechNet. The last parts about cross-domain references are the interesting ones in this context.
So how many FMSO-Role owners do we have in our forest?
- There is one Schema-Master.
- There is one Domain Naming Master.
- The number of PDC-Emulators is the same than the number of domains.
- The number of RID-Masters is the same than the number of domains.
- The number of Infrastructure Masters is ...
How many infrastructure masters do we have?
Most would say "as much as we have domains as well". Wrong!
And that's the interesting part - we do have one Infrastructure Master per domain, that's correct. But - remember that Windows Server 2003 introduced Application Partitions? We would be able to have link-references (they could even be cross partitions, not even domains) in an application partition as well. However if the "Domain Infrastructure Master" wouldn't hold a copy of the application partition (which has a separate and configurable replication scope - one of our customers has one application partition per site but cross-domain), how would he be able to take care of those cross-partition references? He wouldn't be able to, there's no way he could do this.
Therefor we have one infrastructure master per domain, plus one per application partition. So by default, if you have a Windows Server 2003 or higher forest with the default application partitions (for DNS, the forestDnsZones and domainDnsZones), let's assume five domains, then you have:
- 1 Schema Master
- 1 Domain Naming Master
- 5 PDC-Emulators
- 5 RID-Masters
- 11 Infrastructure Masters (5 Domain Infrastructure Masters + 1 for the forestDnsZones + 5 for the domainDnsZones of each domain - however they may reside on the same DC)
Where can I see the application partitions infrastructure masters?
To see where the IMs of the application partitions reside, you have to go into active directory with any tool like adsiedit.msc, ldp or whatever you prefer. Connect to the application partition, navigate to the cn=Infrastructure-object underneath the application partitions root, and look at the fSMORoleOwner-Attribute. It's pointing to the NTDSSettings-Object of the server who currently holds the role. You can also use dsquery to do this:
dsquery * cn=Infrastructure,dc=domainDnsZones,dc=example,dc=com -attr fSMORoleOwner |
If you want to figure out what partitions you have in the forest, you can use the following command:
dsquery * cn=partitions,cn=configuration,dc=example,dc=com -attr nCName |
And if we only want application partitions, we add the filter (systemflags=5) which means that we are looking for all partitions which don't replicate to the global catalog, which is the case for application partitions (Note: App-IMs may reside on GCs therefore ):
dsquery * cn=partitions,cn=configuration,dc=example,dc=com -filter "(systemflags=5)" -attr nCName |
And for those of you who like small one-line commands, they can figure out who the infrastructure master is for all application partitions (as said, all in one line):
for /f %i in ('dsquery * "cn=partitions,cn=configuration,dc=example,dc=com"
-filter "(systemflags=5)" -attr nCName ^| find /v "nCName"') do
@echo %i && dsquery * cn=Infrastructure,%i -attr fSMORoleOwner |
Have fun
But why do I care about application partitions infrastructure masters?
Actually I had a conversation about this in Redmond a couple years ago, that there's a infrastructure master for every application partition. I had actually forgotten about this, until a collegue of mine told me about an issue when preparing your forest for Windows Server 2008 Read-Only Domain Controllers (RODCs).
If you want to prepare your forest for Windows Server 2008 Read-Only Domain Controllers, you have to run "adprep /rodcprep". This command is setting permissions so that RODCs are able to replicate content. RODCs are not in the Domain Controllers Group, so by default they don't have sufficient permissions. Since RODCs may hold Active Directory-integrated DNS-Zones, they are also required to have those permissions on the application partition. Since we cannot be sure that a certain DC holds all application partitions - for domainDnsZones that's granted if you have multiple domains - and since it's not granted that the domains Infrastructure Master holds the application partitions in this domain (e.g. if he's not DNS-Server, he doesn't hold the domainDnsZones of his own domain as well) Microsoft decided to target the IMs with this command (we are still at "adprep /rodcprep").
Many companies have either reinstalled DCs or took DCs down. One of the DCs which has often been taken down is the first DC in the forest, either because he's being updated from a previous OS or because it was old hardware, hardware-failures a.s.o. However, the first DC in the forest also holds the application partition infrastructure master (let's introduce the acronym AP-IM and D-IM, second for the domains infrastructure master) for the forestDnsZones and for the domainDnsZones of the forest root domain. When administrators took down those DCs, they moved FSMOs because they know it's the right thing to do. However, if you use either the MMCs or ntdsutil to move the FSMOs (KB 324801: How to view and transfer FSMO roles in Windows Server 2003 and KB 255504: Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller) the AP-IM will not be moved automatically.
So it is very likely that a company has application partitions which do not have an infrastructure master, because the server is offline/removed and the role hasn't been transferred.
Is it critical if the application partition infrastructure master is not available anymore?
No, in most cases it's not. E.g. the default application partitions are used by DNS only, and only store the DNS-Zones and the dnsNode-Objects which reflect the records. They don't use links, therefor there's no need for an infrastructure master at those application partitions. However, you need to fix this for sure if you want to introduce Windows Server 2008 Read-Only Domain Controllers to be able to run "adprep /rodcprep". You can either do this manually by simply changing the attribute fSMORoleOwner of the cn=Infrastructure,dc=<your-application-partitions-dn>-Object with the distinguishedName of the NTDSSettings-Object of the server who's supposed to hold the role. The issue is also described in KB 949257: Error message when you run the "Adprep /rodcprep" command in Windows Server 2008: "Adprep could not contact a replica for partition DC=DomainDnsZones,DC=Contoso,DC=com" which also provides you with a VBScript to change the role owner.
I'm writing for the German magazine IT-Administrator. Recently they've published an series about Windows Server 2008 and another about Active Directory-Recovery (in Windows Server 2008), and in August they'll publish an article about Hyper-V from me.
Recently they've asked me if I could present a half-day Workshop in Heidelberg. Last Thursday we did this, and the day was exciting and interesting. A lot of good questions, a very interested audience, and I really enjoyed being there. Here are two pictures (and no - I wasn't just sitting around - for some reason they took the pictures while I was demoing AD-Snapshots):
Hi There,
just back from TechEd, it's time for some technical posts. So one of the questions I got very often is what you need in your infrastructure to deploy read-only Domain Controllers. Along with that question goes what Client-Version of the Operating System is needed that they are able to authenticate with an RODC.
What is a RODC?
The Read-Only Domain Controller is a new concept in Windows Server 2008. While a regular Domain Controller allows updates to the domain contents on each DC, an RODC is only receiving updates from Full DCs. He will not take any write requests. He is further not replicating any password or cached secrets. This distinguishes him from a NT4 Backup Domain Controller (BDC), who had all passwords stored locally. Also he is - in every other means - a full domain controller and LDAP-Server, also stores all GPOs in Sysvol. To allow offline operations (when the WAN to the RODC-Site is failing) Administrators are able to configure if certain users passwords are allowed to be cached, by putting them in a group which is in the allow list. There is also a group whos passwords are denied to be cached, even if they are in the allow list. List group contains by default certain administrative accounts, such as domain administrators, enterprise administrators, the operators groups a.s.o.
The RODC is built for the unsecured Branch-Office or for the DMZ/perimeter network, where you are either unable to ensure the physical security of a DC or where the environment is untrusted.
So the first thing you need is to prepare your existing infrastructure. The RODC is a Domain Controller, so you need to update the schema. Further the RODC needs some assistance from a Full-DC, so you need to deploy enough Full-DCs to allow replication to the RODCs. For most environments one Full DC should be sufficient (RODCs only replicate inbound, not outbound, which also increases performance and decreases replication traffic), however I'd always prefer a second one to allow redundancy. To prepare the schema you need to perform the forestprep and domainprep operations (adprep /forestprep and adprep /domainprep), if you want to deploy RODCs you also need to perform a adprep /rodcprep in every domain of the forest to allow a Global Catalog on the RODC. However you do not need a Windows Server 2008 DC in Domains where you don't want to deploy RODCs. However two: there are other reasons why you should deploy Windows Server 2008 .
But how do RODCs perform certain functions? They can take the role of a Global Catalog server and of a DNS-Server. If a client (member-servers might also be clients to Active Directory, even the domain controller itself - his OS - might be a client to AD) tries to write against an RODC the RODC is using LDAP write referrals to tell the Client that he is supposed to write to a different DC (a Full Windows Server 2008 DC). LDAP referrals have been defined e.g. in RFC 2551 back in 1997, so LDAP-applications should be able to follow them.
And how is a logon performed against the RODC? The user is actually performing the logon against the RODC. The RODC is looking in his local AD to verify whether or not he's able to verify the users password. If he has no cached copy of the password he is forwarding the request to a full DC. Further he is requesting the full DC to replicate the password down to him, the full DC checks the allow- and deny-lists and decides whether or not to replicate the password down. The full DC further issues a kerberos ticket for the client. The RODC is informed that the client may log on, and the RODC is issuing his own kerberos ticket for the client. All other things of the logon process, such as compiling the token with group membership information and pulling down group policies is done against the RODC. If the user logs on another time, and the password is cached on the RODC, the RODC does not need to contact the full DC and is able to process the logon-request even if the WAN is offline.
The other thing are DNS updates. Clients in the Branch Office (or Remote Office how we prefer to call it nowadays) are supposed to use the local DNS-Server. However they might update their DNS-Records, which is totally acceptable. But if the RODC is not writeable, and DNS is stored in AD, and actually the DNS-Zones on a RODC are not writeable too, how are those updates performed. This answer is actually quite simple. We Windows Admins got spoiled over time, since our DNS-Servers - when the zone is stored in AD - allow updates on any DNS-Server which is also a DC and holds a copy of the AD-integrated Zone. However think back to the concepts of DNS. We always had a single primary DNS-Server who was able to write updates, and multiple secondaries who were just able to answer to queries. Clients who want to write in DNS had to request a SOA (start of authority) Record for the zone they want to write into. Full DCs who are DNS-Servers with an AD-integrated replica of the Zone were always answering with themselves as SOA (the SOA-Record only allows one Server, and there is only one SOA per Zone, as opposed to Nameserver (NS) Records where are multiple per DNS-Zone). RODCs don't have an SOA for themselves, they hold a SOA which is stating the Name of a Full DC. So that is simple, Clients who want to write into DNS are still (same technology as in the 80th) querying the zone for it's SOA, and then they are contacting the Server which is stated in the SOA to write the update. But RODCs provide some intelligence as well - if a client was contacting them for the SOA they wait for a moment to allow the client to update his record, then they are requesting a single-object-replication from the Full DC for the Clients DNS-Record so that the DNS-Information at the clients site is updated as soon as possible, while any other site will receive it with the regular replication.
So Clients / Memberservers and other machines should be able to run against RODCs. However, there are certain things which might affect this statement:
- The Read-only partitial attribute set (RO-PAS): It is possible to define in the schema that certain attributes should not be replicated to RODCs. However the application needs to be aware of this, since those requests are not referred to a full DC.
- Replication latencies: if an application is performing a write request it will be redirected to a full DC. If the application tries to read that data again before replication occurs, the RODC will still return the old data. If you want to make sure that your applications write against RODCs be aware of this issue, and look for a writeable DC when you perform write/readback-operations or make sure that you are not using write/readback (but stick against the RODC if you only perform read operations, otherwise you will slow down your application since it's always crossing the WAN).
- Firewalls: especially in DMZ-Scenarios your clients might not have a connectivity to a full DC, so write referrals will fail. Make sure that you don't need write requests in those scenarios.
- WAN-Offline: write operations will also fail in this scenario
I hope I was able to get some lights behind RODCs, theres a lot of more information available online, e.g. look at the following page: Application Compatibility with RODCs
Ulf
I haven't blogged in a while. A long while. I've been through major changes in my live. Readjusting. Reloading. Sometimes you need to reevaluate things, in technology and in live. Being stable doesn't equal avoiding changes. I've recently heard a statement "nobody will grant you that things get better when you make changes, but to make things better you have to make changes". Very true. And - that's in live and technology - I even believe that avoiding changes make things worse. Sometimes you even benefit from small changes. E.g. at our company we made things better by introducing a single Windows Server 2008 last year. And we had users and admins who had a big benefit. Re-evaluation is good, and changes ... changes are being alive.
But this here is about technology. So let me make a small update on what's going on with me in this field.
After the Directory Experts Conference in Chicago I was working back home, then went to the MVP-Summit in Seattle and it was great so see so many MVPs and folks from the Directory Services Product Group again. I really enjoyed it. Currently I'm preparing for two events: Microsoft TechEd USA for IT-Pros (yes - they followed the example from Europe and split the Developers and IT-Pros in two different weeks - however I enjoyed how it was before). At TechEd which will be in Orlando (again, been there last year, and a then two years before) I'll present 3 sessions and two interactive ones. So five slots in two days (I'm only scheduled in on Wednesday and Thursdays), this will be quite funny . I'm looking forward to it. I'm sad I had to decline the developer-week, but I can't take two weeks of vacation just speaking at two different TechEds. Would love to, but someone has to pay for my living. And I feel I really need vacation this year, I deserved it, believe me, but currently I'm unable to go on vacation.
Another thing I'm getting ready for is a whole day Workshop with the IT-Administrator, we'll cover Windows Server 2008 and nothing else. I'm looking forward to it, and I was told that there are many people signing up for it.
So exciting events to come soon, and I actually have a couple ideas (some already finished) about new technical blog entries, so stay tuned. I'll promise the next one will be technical and coming in a few days .
P.S.: Thanks for listening - I can't remember how many times I said this in the recent past and probably didn't say it often enough.
Today is day one of the Directory Experts Conference in Chicago. So far the conference has been very good - but that was as expected. I had one session today right before lunch, "A Directory Services Geek's View on Active Directory Recovery in Windows Server 2008". Went quite well, however the power-plug on stage was switched off so my machine decided to go into sleep-mode during the presentation. For some reason this session is attracting Laptop-issues, during the Launch in Frankfurt the virtual machine decided to "unexpectedly shutdown". Things happen, that's part of the fun, isn't it?
For the past three days I was at the Microsoft Launch Event Germany, the first and as we were told biggest (by the number of attendees) Launch for Windows Server 2008, Visual Studio 2008 and SQL Server 2008. I did three presentations:
- Active Directory-Domänendienste in Windows Server 2008
(Active Directory-Domainservices in WS2k8) - Erfahrungen eines Directory Services-Experten mit Sicherheit und Delegation im Active Directory
(A Directory Services-Geek's View on Access Control Entries) - Erfahrungen eines Directory Services-Experten mit Active Directory-Recovery mit Windows Server 2008
(A Directory Services Geek's View on Active Directory-Recovery in Windows Server 2008)
The event was very good and very successful as far as I can see. There were minor issues, e.g. on the first day it wasn't that clear which sessions are in which rooms, and the acoustic was pretty bad in some of the rooms since you were able to hear the other speakers of the other rooms as well (luckily two of my presentations were in the good rooms), but over all I was very satisfied. A lot of good and experienced speakers, interested and interesting attendees with good questions and suggestion, a great event. Overall there were about 7500 people in Frankfurt attending this event.
I've also got a view good ideas for some new blog-posts, so stay tuned.
And now it's time to get ready for the Directory Experts Conference 2008 in Chicago in the first week of March. I'll also present there the "Directory Services Geek's View on Active Directory-Recovery in Windows Server 2008" session.
I cannot state it any better: the best Windows Server release ever has been released to manufacturing - Windows Server 2008 is finished.
Windows Server 2008 is very stable and very well-done for production use. As I wrote before we at Computacenter are using it since October 2007 in Production, and I have a customer where we already run a full shop only on Vista and 2k8 since September (on Beta 3).
And we've also done a lot of things, to quickly recap just what we've done with customers was a 10-city Roadshow in Germany (half-day sessions on WS2k8, last one will be in Berlin next week), countless presentations at customer or trade shows / events, countless sessions to make sure our staff is ready to sell and deliver WS2k8-Solutions, one press-release in October, and a couple references which will be published shortly.We will be with many people at the German Launchevent, are partner there with a booth, and I'll deliver 3 sessions plus a interactive one, created many flyers and solutions around the product, … just being ready to deliver.
I'm very excited about the new product - let's start deploying more of it!
And here are the blogs which will give you a feeling how it was at Microsoft in the last couple hours:
Windows Server 2008 - RTM!!!
Windows Server 2008 – A time to sit back, remember and party!
Last week I was at TechEd:IT-Forum in Barcelona. I'll follow up with more details later. However the guys from edge.technet.com have done an interview with me, which went online last night. I was speaking about my sessions, AD Restore in Windows Server 2008 and Schema Updates.
You can find it currently on the homepage, and here's the direct link for later:
Ulf on AD at TechNet Edge
I'm working for Computacenter Germany. And - as you know - I'm a beta-junkie and try to stay up to date on newest releases as soon as possible. So this makes me really proud: at Computacenter we decided to deploy Windows Server 2008 already.
After testing the product very well we decided to update our schema to Windows Server 2008 and deploy our first servers in production. And ... one of the reasons why we did this to have the great new feature of Active Directory Snapshots available as soon as possible.
We released an press-article last week which I freely translated into english
Source (German), freely translated: http://www.computacenter.de/presse/pressemeldungen_2007/Computacenter_Pressemeldung_20071030.shtm
Computacenter relies early on Windows Server 2008
Head start for migrations and planning for Active Directory disasters
Kerpen, 30th October 2007. The European IT-Serviceprovider Computacenter relies early on Microsoft's Windows Server 2008. The new generation of the server operating system (OS) is announced to be released in the first quarter 2008. Computacenter, who is part of the Microsoft Technology Adoption Program (TAP), already deployed Windows Server 2008 into its production network. The TAP is a initiative of Microsoft where selected customers implement products prior to their release into production infrastructures. Computacenter is participating in two different roles in the current TAP: as customer (who's deploying the product) as well as as consulting partner, where experienced Computacenter Consultants are supporting their internal Information Services. The IT-Serviceprovider is not only gaining experiences by early deploying the new technologies, but improves on stability and reliability of its infrastructure. Computacenter is using those experiences when consulting their customers, especially when talking about Windows Server 2008 migrations and planning for Active Directory disasters.
Migrations with Computacenter
With the ending support livecycle of Microsoft for Windows 2000 Server and the release of the new Windows Server 2008 with a lot of new possibilities many companies are considering migrations. Computacenter has many years of experiences when migration Microsoft-Infrastructures. More than 300 Experts in the Microsoft area rely on their experiences and broad knowlege, tools and procedures to drive migration-projects to a fast sucess while maintaining risks and costs at as low as possible.
Securing the hard of the Windows Infrastructure
Active Directory is the main component of a Windows Infrastructure by holding all informations about useraccounts, computeraccounts, passwords and groups of a company. Employees are using it daily to get access to their computers and their data, find printers and receive corporate settings. Experts of Computacenter were frequently helping companies to recover their Active Directory (usually due to human mistakes). To address this issue Computacenter developed preventive guidance to protect Active Directory. Windows Server 2008 provides additional control, prevention and auditing-functionality. The OS enables administrators to create Snapshots of the Active Directory-Database. As opposed to a backup it's easy to create snapshots multiple times a day. Futher the snapshots can be started as their own, read-only LDAP-Service. Hereby it's possible to gather information out of the Directory of different times. Additional the new product supports to prevent objects from accidential deletion or to accidentally move them. Computacenter is using those new functions and has added them to their portfolio around Active Directory-Recovery and its prevention. The IT-Serviceprovider is úsing those technologies in its production network since October 2007.
Those experiences are corporated into Computacenters three-part offer of a Active Directory Disaster Workshop, Guidance and Concept, which enables customers to preventively prepare informations for a possible recovery of Active Directory, to react on disasters and to keep the associated down-times at a minimum level. In the Active Directory Disaster Workshop the attendees get the know-how to prevent, troubleshoot and recover Active Directory. They are practicing which informations are necessary and which steps to take in certain disaster scenarios. The Active Directory Disaster Guidance bundles Computacenters experiences in this topic. It describes best practices and experiences out of real disasters as well as tested procedures. The IT-Serviceprovider additionally creates a AD Desaster Concept to prepare the individual company for an AD Recovery.
While we are in preperation for TechEd:IT-Forum which will be in Barcelona in November, there are more speaking engagements already scheduled:
October 24th and 25th:
The IT-Administrator asked me to speak about what's new in DNS and Active Directory in Windows Server 2008 at the German Tradeshow Systems. (Details)
November 12th to 16th:
I'll be delivering two sessions and an interactive session at TechEd:IT-Forum in Barcelona. My sessions will be "A Directory Services Geeks View on How to (not) extend your schema" and "Active Directory Recovery in Windows Server 2008", and I will host an interactive session (like the chalk-&-talks of the previous year, a session where attendees are encouraged to ask questions and get them answered) with Stephanie from the AD Product Group about "Active Directory Domain Services in Windows Server 2008".
February 19th to 21st:
Windows Server 2008 will be launched in Germany, and I'll speek at the launch event in Frankfurt. My sessions are "Active Directory Domain Services and DNS in Windows Server 2008" and "A Directory Services Geeks View on Access Control Entries".
March 2nd to 5th:
NetPro already announced the Directory Experts Conference 2008 in Chicago, and I was honored to be asked back as speaker.
Avalialbe in the GUI of Windows Server 2008, but also possible in any version of Active Directory, you are able to protect any object from accidental deletion. I had to recover a couple productive ADs over the past couple years, and everytime it was because of a accidental deletion. Also I've seen that OUs have been accidentally moved - this happened propably to everyone with files/folders in Windows Explorer - you accidentally got stuck on the mouse-key while hovering over a folder and drop it accidentally on another folder.
So how do you protect objects from accidental deletion in Windows Server 2008? That's easy - first switch on the Advanced View, then go into the properties of the object in question. Here - on the "Object"-Tab - you'll find the new checkbox "Protect Object from accidental deletion".
By default, OUs created in Active Directory-Users and -Computers are protected. However, when you don't create the OU in Active Directory-Users and -Computers or you created them before you got Windows Server 2008 in your domain (how likely - I know ) the OU will not being protected from accidental deletion.
However, what's quite interesting is what's being done in the Background: The Security-Descriptor of this object is being modified with a Deny-Entry for Everyone to delete and delete subtree. So it's downward compatible with Windows Server 2003 and Windows 2000, and you are even able to do this either manually or using DSACLS today.
If you want to use DSACLS to protect an OU you can use the following command:
dsacls ou=MyUsers,dc=example,dc=com /d Everyone:SDDT
So if you are creating your OU-Structure with "dsadd ou" you might want to use this command to protect the OU from deletion. The checkbox in the GUI will also reflect this change, however I've seen that it sometimes takes a while or is inconsistently displaying wheter the OU is protected or not, however this might be a bug in the current beta and you should make sure it's protected using the security tab to make sure it's protected.
As I said, you'd be able to do this today as well. And if you want to protect your whole OU-Structure, you can use the following command to protect every OU in the domain:
for /f %i in ('dsquery ou -limit 0') do dsacls %i /d everyone:SDDT
Update: Marcus has pointed out that I the above command is only working if your OUs don't include any spaces. That's right, the for-command takes spaces as a delimiter and therefore will put everything behind the first space in the variable %j, after the second space in %k a.s.o. So here's the corrected command which allows spaces in your DN ("tokens=*" state that everything should be included in the first variable, you could also do a 1,3,* which would put the first part into %i, the third into %j and the rest in %k,.. Marcus suggested another way which would also work by not specifying any delimiters "delimns="):
for /f "tokens=*" %i in ('dsquery ou -limit 0') do dsacls %i /d everyone:SDDT
If you just want to protect certain levels, you only need to change the dsquery command.
About time for a somewhat technical post:
In some Newsgroup we recently discussed if it's considered Best-Practice to deploy a lot of single-domain forests as opposed to a single multi-domain forest. The major reason herefore was that in the early Windows 2000 days, somebody said that the domain is the security boundary. After they've figured out that you can elevate yourself as domain admins for a inner-forest trusted domain, they revised this statement and said that the only security boundary is the forest, not the domain.
Since this attack is not that likely, I prefer to state this differentelly:
- The forest is the security boundary against malicious attacks (the attack is being done on purpose)
- The domain is the security boundary against (domain) administrative mistakes
So for many things the domain might be enough of a security boundary. If you don't trust admins of a different domain enough that you think they might perform an attack (= elevate their rights in an area where they don't belong) on purpose, either fire them, fire them, don't give them administrative rights, fire them or put them into a separate forest.
Ressource-Forests (yeah - back to the NT days) are sometimes a good idea too, especially if separate companies want to share ressources, however keep in mind that they are a bit harder to manage and it depends on the application how well it integrates. You are also better of to use some solution like the Microsoft Identity Integration Server (or the Identity Integration Feature Pack) which is now part of Identity Lifecycle Manager to synchronize accounts into the ressource forest, however make sure to protect them well enough and to trust the admins of the resource forest from all parties. MIIS/IIFP allows you to sync the passwords of the users in question (by using a password filter on all DCs to notify MIIS, who's changing the passwords in the connected directories) to allow a better integration via single sign on / single credentials [1]. Don't forget to design processes for the changes in the ressource forest which are signed off by all participating companies.
OK - back to the subject - don't take any recommendations to deploy many single-domain forests only or to put everything in the same forest - think about it if it's really necessary and valuable to deploy multiple forests/domains. At one point there was a recommendation: If you are designing your active directory, and you think you need to add a different domain, rethink that decision. Not true in all scenarios, however think about your design.
One reason for multiple domains have been different password policies - and as I posted before this reason is vanishing in Windows Server 2008.
There are multiple opinions on this, so don't hold back on feedback / your thoughts.
P.S.: I do respect statements like the one "to recommend multiple single-domain forests" - they are a bit extreme however deliver the message. For example a friend of mine was at one of the top security sessions at TechEd US (where they showed a real-world-unlikely attack), and afterwards in the bathroom he heard attendees who just phoned back their companies to instruct them patching their Servers. So even after the attack was not to likely to happen in a real company, it delivered the message to keep your systems secure.
[1] Single Sign-On: The user is logging in once to his workstation, and getting access to other ressources automatically without re-authenticating
Single Credentials: I made this up a couple years ago - I think more valuable in the beginning are single credentials (combinations of username/password). Users in enterprises are sick of multiple accounts, because they have to remember different usernames and/or passwords, which is leading to weak passwords. If you are able to synchronize the password for the user more easily than providing him with single sign-on this is still valualbe, since the users don't have to remember multiple passwords. I wouldn't mind entering the same password to access multiple applications, however I do mind remembering different credentials.
DEC-Europe is approaching, and since I was communicating heavily the past days about this conference I decided to sum up my favorite reasons why this is the conference to be:
- It's dedicated to Microsoft Directory Services
- Attendees and Speakers are usually in the same hotel, encourages a lot of after-hour chats
- This is the conference of a very high value for the Microsoft Identity and Access Management Product Group, therefore you have a lot of key-players from the PG being there, and they hear your feedback.
- The content is very technical - I'm very sure that everyone who attends is getting new knowledge, ideas,...
I think I know a lot about Active Directory and DS in general, however every time I'm at DEC I'm boosting my knowledge. - It's all about community. Even since it's hosted by NetPro it's not about the company. They don't want product pitches outside of the clearly marked sponsor-sessions, they don't talk much about their own products, they welcome everyone - even competitive companies. It's all and only about the Directory Services Communities.
- Microsoft Most Valuable Professionals and other industry notables are there and collaborate, answer questions, and just hang around.
I just booked my flights, and I'm very excited to be part of this great conference again. So I hope to see everyone in Brussels in a month.
P.S.: I'll be presenting the following sessions - and Gil, Guido Jorge and me will also do a daily session about Windows Server 2008 Scenarios.
A Directory Services Geek's View on Access Control Entries
You have already deployed Active Directory (AD), but still have a lot of domain administrators? You want to increase security, decrease the risk of administration gone awry and offload daily tasks to delegated admins? In this session you will learn how Access Control works in AD, notes from the field about implementing role based administration and how to figure out what to delegate. Additionally we will drill down on implementing delegation using scripts and share details on what to delegate. After this session you'll be able to design and implement role-based administration in your infrastructure.
A Directory Services Geek's View on How to (not) update your Schema
Are you:
- supposed to integrate some 3rd Party Schemaextensions in your Forest?
- asked to design your own schema extension?
- trying to figure out how to administer additional or new attributes?
Then you have to see this session. We will clear up the fog around schema extensions by explaining the difference between schema extensions and schema configuration, talk about designing/evaluating schema extensions (when is a extension “smooth” and when is it dangerous), and provide guidance on creating administrative interfaces for additional / new attributes. We are also announcing how Windows Server 2008 helps you when extending your schema. Come to this very technical session to get the most complete coverage about schema extensions you have ever seen.
Nicki Wruck, the organizer of the "International Communities for Europe (ICE)"-Conference wrote in his blog about when we met a couple weeks ago at the SysAdmin Apprechiation Day (an event organized by Microsoft TechNet Germany):
Freely translated from http://blog.ice-lingen.de/VielZuSpaumltHellipOderDochNicht.aspx
"There was another highlight: Mr. Directory himself had the pleasure to meet me: Ulf B. Simon-Weidner was there and we found instantly interesting topics to chat about. The most important was: he'll be speaking at ice:2007, what I'm very proud of. Now I've got with Nils Kaczenski, Frank Röder and Ulf B. Simon-Weidner the greatest German-speaking AD-Specialists as speakers at the ice-conference."
Thanks for the fish Nicki - it was a pleasure to meet you and I'm looking forward speaking at your conference!
My Session at ICE: Active Directory Domain Services und DNS in Windows Server 2008
Recently there was a lot of activity on the conference front.
I already wrote about the Directory Experts Conference 2007 in Europe.
Two weeks ago there was the "Sysadmin Apprechiation Day" - and Microsoft TechNet celebrated the admins with a party. I was invited to join. And I met the organizer of the community conference "Intelligent Communities for Europe (ICE)" - and was asked to present there. I'm looking forward to it - I have heard a lot about this conference but haven't been there yet.
Then Netpro announced the "Directory Experts Conference 2008" in Chicago. I'm proud to be asked back as speaker.
There might be more conferences, but since I haven't been officially confirmed yet I'll keep this for a later post. But if you followed my blog you will be able to find the page where some of my sessions are already listed .
Hi there,
I'm still way behind in blogging, however I want to keep the timeline and therefore it's time to write about TechEd US in Orlando this year.
I love those conferences. But I guess thats - at least to the view folks reading my blog - "public" knowledge .
I was scheduled into TechEd US again as Ask-the-Expert (or Technical Learning Guide or however they call it now). Basically I was staffing the Windows Server 2008 - Active Directory Domain Services Product booth.
I arrived on Friday evening in Orlando and had dinner with some friends. On Saturday during the day I had to go shopping (a live full of stress doesn't help in packing luggage, I actually worked the whole night before taking of but forgot some of the clothes). In the evening we had a party with fellow MCTs - I enjoyed a great Surf & Turf at a nice restaurant.
On Sunday I had to go to the registration and get a intro in the product booth area. I met some friends and were chatting about some technical issues while finishing some setups on Server Core.
The conference started officially on Monday. At the Windows Server Information Desk they were giving out a book for free - "Introducing Windows Server 2008" from Mitch Tulloch published by MS-Press. Mitch has asked me shortly before finishing the book if I could provide some "Side Notes" (the concept of the book is to provide site-notes "from the experts", and many Microsoft Employees of the product groups were contributing here), so I contributed two side-notes: one about the new DCPromo-Wizard and one about Granualar Password Settings. This was the first time I've seen the book printed, so it was very exciting for me. In the evening the Lead Program Manager of the Active Directory Product Group (whom I knew before) contacted me if I would like to present the demos in his session "Active Directory Domain Services in Windows Server 2008" on Tuesday and Wednesday. So we spent part of the evening to prepare the demos in the last minute and had some food with some other members of the product group afterwards.
Tuesday and Wednesday I was (again) working the whole time at the product booth, "sneeking out" only for our session. I enjoyed the session - and we apparently did pretty well on preparing the demos - one of the attendees even provided feedback that they were looking to canned. Funny with only some minutes of preperation, so I take this as a compliment when they are professional enough to appear canned. A recording of the second session is available at Virtual Teched (and got a rating of 4,5 out of 5 Stars).
Which was also funny - people started to queue through the half of the largest convention hall just to pick up a free copy of the book.
Thursday was working again (IIRC I took of for one session, and then went back to the booth), and Friday I was officially of duty but was still hanging out there.
Over the whole week we've had a lot of interest in Windows Server 2008 Active Directory Domain Services. We explained many featues to customers. We also had a lot of customers coming in with real-world issues, design questions, discussions, ..., ..., everything you can imagine. Couple very interesting scenarios. And we've also had great suggestions which we were either able to demonstrate right now how this might be possible, or took feedback. I've also mailed some suggestions right back into Redmond to some Developers or Program Managers I happend to know, so the feedback was heard.
Friday evening many of the MCTs went to see the Shuttle Launch, however I was way tired. Instead I went with one of the program managers and a developer to relaxed drinks and dinner, and as you can imagine we had a nice evening chatting a lot about suggestions for the next version of the Directory Services techonologies (we covered Certs, Security, Active Directory Domain Services (AD) and Leightweight Domain Services (ADAM), ADFS, ILM and RMS, so the full pallette of AD-Technologies. If they took all the feedback back to Redmond people there are swearing about me know and are busy until 2015 ).
Every day was interesting and busy, every night we had some more interesting discussions in more private groups (or parties), and one thing for sure - after getting back I needed sleep desperatelly.
"Sleep? Nah! It's TechEd Season"
It's been a long while since I blogged the last time, and I still have some things I want to tell you about. I'm trying to post those in the order they happend, so first of all let's talk about the Directory Experts Conference in Las Vegas in April:
DEC was great - as usual. I just love this conference. It's dedicated to Microsofts Directory Services, especially but not exclusively Active Directory. And this time my wife was able to join me - she was pretty sad not to join in last year but she had to finish her diploma. So we were visiting some friends in Minnesota first (I was living there for a year, and we still have very close friends there who we love to visit). And brining my wife does enlighten the conference and also justifies that I have to take vacation from work for couple conferences a year.
OK - so what happend at DEC?
Preconference Workshop
Laura Hunter, Gil Kirkpatrick, Guido Grillenmeyer, Jorge de Almeido Pinto and I were working for a couple month in advance to create the content of a "Windows Server Longhorn Workshop". We created great content. Gil and Guido managed the logistics, Guido organized a lot of Hardware, Gil interacted with the Hotel to make sure we have sufficient power a.s.o. All of us created the content for the workshop, configured virtual machines, ... We planned a infrastructure where we were able to provide about 160 Attendees in groups of two with four virtual machines each to follow the workshop. Guido got - apart from a whole lot of thin clients - two racks - one full of blade-servers configured with VMWare ESX and loads of RAM, and the other one hosted a SAN huge enough to store all machines. We also had WLAN-Accesspoints and all clients were connected via WLAN to the network provided by the servers.
When we arrived in Las Vegas on Thurday before the conference we got the hardware just the same evening. As the Hardware is being shipped across the world to serve conferences we didn't get a grip on it until just before our Event. I started writing scripts and configuring everything so that the network infrastructure was set up, each client had the configuration it needed, and I even wrote a HTA-Application which outlined the lab-scenario - and if someone was clicking on one of the pictures of a server a RDP-Session was started with the right one of "his" servers. I also had to make sure that RDP-Configurations were created automatically in the background and configured that only the specific client was able to access his own four servers without networking with the other ones (we used the same servernames, SIDs a.s.o.).
However ...
Some other issues started - we had some trouble getting the machines transfered over to the blade server. Then the images didn't run in ESX, however we were able to fix this (but waisting a lot of time doing so). Then we had power issues - the hotel has confirmed that we'll have enough power, however they provided us with a high current line which was 50 feet long. Nobody assumed that the length of the wire will give us trouble, however we had constant power issues that we weren't able to start all blades. At some point (the last night before the show) somebody was running a heavy wagon over the wire, briefly afterwards the SAN went down and started to recover (which took hours) and the blades claimed to be unhappy without SAN and had issues as well.
OK - to keep the long story short - we had a lot of issues even after we had planned everything in advance but didn't had enough time with the right hardware in advance and to much issues in a short timeframe to solve.
However ...
We were working all night and got many of the machines up and running, but not enough. After working all night we were jumping in front of the audience and had to perform (I haven't been back to the hotel room for almost two days in a row). So we decided to switch to a demo-format, had a MVP-Panel where we were talking and answering questions about Windows Server 2008, and I think we provided more knowhow than the attendees were able to expect in a whole week. We had issues before, but I was very happy with our performance. And at the end we got the best feedback of all preconferences (and the other ones were way smaller and had no issues).
OK, that was the preconf.
Start of the conference
Monday the conference started officially with the Keynote of Kim Cameron. I had the pleasure to meet Kim twice back in Redmond at the MVP-Summit, and he's outstanding. The conference overall was great. Best thing about DEC is not only the very technical sessions, but also that the conference organizers encourage everyone to stay in the same hotel. You meet a lot of people you know from online communities or previous conferences. There's a lot of interaction in the restaurants and bars after hours. Microsoft is bringing in many people from the Identity and Access Management Product Group (the home of Active Directory (Domain Services and Lightweight Directory Services), Identity Lifecycle Manager (Certificate Lifecycle Management and Identity Information Server) and Right Management Services). We had a lot of interesting conversations with members of the communities, first-time attendees, MVPs, MCTs, Microsoft Staff.
My Sessions
Apart from the Preconference, where I presented Windows Server 2008 Server Core and common Q&As, I was pleased to present two sessions:
A Directory Services Geek's View on Access Control Entries
You have already deployed Active Directory (AD), but still have a lot of domain administrators? You want to increase security, decrease the risk of administration gone awry and offload daily tasks to delegated admins? In this session you will learn how Access Control works in AD, notes from the field about implementing role based administration and how to figure out what to delegate. Additionally we will drill down on implementing delegation using scripts and share details on what to delegate. After this session you'll be able to design and implement role-based administration in your infrastructure.
A Directory Services Geek's View on How to (not) update your Schema
Are you:
- supposed to integrate some 3rd Party Schemaextensions in your Forest?
- asked to design your own schema extension?
- trying to figure out how to administer additional or new attributes?
Then you have to see this session. We will clear up the fog around schema extensions by explaining the difference between schema extensions and schema configuration, talk about designing/evaluating schema extensions (when is a extension “smooth” and when is it dangerous), and provide guidance on creating administrative interfaces for additional / new attributes. We are also announcing how Windows Server 2008 helps you when extending your schema. Come to this very technical session to get the most complete coverage about schema extensions you have ever seen.
Both sessions were updated with the changes to the subject in Windows Server 2008. I really liked the second session - I wanted to deliver a session which is giving the full details on Schema Updates for a while - so far I've seen a lot of sessions which were always missing some important points. I was glad that I was able to deliver them first time at this DEC, and I've had a great audience. There were not only great attendees with a lot of questions and not anxious to ask them, but I also had a couple people from the Microsoft Active Directory Product Group and other Community Experts in this session, so we had a great session, lots of discussions and feedback to Microsoft.
Directory Experts Conference goes Europe (again)
After a couple years NetPro - the organizer of the Directory Experts Conference - has decided to bring the Directory Experts Conference back to Europe. It will be September 24th to 26th in Brussels, Belgium. I'm glad that I'll be part of this conference as well (see the press-announcement), and I'm looking forward to another great conference!
Finally VMRCPlus is available to the public. I was bugging MS for years if they can't release it, and finally it's available.
VMRCPlus is a frontend for the users of Virtual Server, which provides a full console application instead of having VMRC to connect to the screen plus the Webinterface to configure machines. Way cool. If you work with Virtual Server, this is a must-have!
http://blogs.technet.com/keithcombs/archive/2007/06/27/vmrcplus-goes-public-download-now.aspx
Thanks to Tomek's DS World - I found this reading your blog
OK - it's been a while since I last posted. Many things were going on.
The last post was in the Directory Experts Conference-Timeframe. Wow - a lot was going on. I'll write later some thoughts about DEC, even if others have covered it well (like Gil, Joe, Jorge, Tomek) it's worth some words.
What else was going on? OK - recently I've got ready for TechEd Orlando, where I answer questions in the Ask-the-Experts Area at the Windows Server - Active Directory Booth. Then I'm busy with a roadshow about Windows Server 2008 in Germany. If you are in Germany and have business-relationships with Computacenter go to www.computacenter.de/veranstaltungen or ask your contacts to join. We have done and will do 6 locations until end of June (already been to Ludwigshafen, Nuremberg, Stuttgart and Saarbrücken and will be in Frankfurt and Munich in June), with more location coming up in the second half of 2007. I did a lot to organize and create these events, and I'm working together with some great collegues here, so if you are able to take a chance and join.
Additional NetPro has announced that they will bring the Directory Experts Conference to Europe again this year, and I'm glad that I'm able to help being an active part of that conference. I'm looking forward to it very much.
Otherwise ... many customer events and other things around Windows Server 2008 - this will be a great release and customers are asking about it like crazy. It's always a pleasure to see a product being sucessful where you were able to provide good feedback on and you know that this feedback was aprechiated and taken into credit. I'm looking forward to the release, and as much as I've tested the previous and current versions, and what I know from RC1, this will be a blasting release. If you didn't had a chance to look at it - do it now - you're already late.
More Posts
Next page »