Directory Services/Active Directory

Ulf B. Simon-Weidner's Blog

Published by

Comments

# re: Dial-In Tab in Active Directory-Users and Computers@ Monday, September 27, 2004 10:00 PM

Pretty much same problem. Called "monkey-mouth" B. Gates soft to find out that Windows Server 2003 has absolutely no warranty support I purchased the software less than 1 month ago.

Ulf B. Simon-Weidner

# re: What to do if a Branch Office DC is not physically secured?@ Wednesday, October 27, 2004 11:35 AM

Hi Ulf,

I tried to include your RSS feed in my site yesterday. Unfortunately, the RSS component that your site is using is not too useful. It includes the complete text in the preview area and not a short version. I guess you do not have any influence on that but if you do - you should change it. Adding complete articles to an RSS-syndicated area is not quite what RSS was made for ...

Best wishes (and, oh: Great blog altogether!), Nils

Ulf B. Simon-Weidner

# IT-Forum, Clarification of my last blog and update@ Wednesday, October 27, 2004 12:28 PM

TrackBack

# re: Dial-In Tab in Active Directory-Users and Computers@ Tuesday, November 02, 2004 5:49 PM

Same problem right now ...

Ulf B. Simon-Weidner

# Did my last post made the Training-God upset?@ Sunday, December 05, 2004 3:44 PM

TrackBack

# Did my last post made the Training-God upset?@ Sunday, December 05, 2004 3:52 PM

TrackBack

# re: Dial-In Tab in Active Directory-Users and Computers@ Tuesday, January 04, 2005 4:16 PM

Same Problem here. I applies SP2 and all the current security patches and still no good. No dial in tab. I have uninstalled the Server 2003 adminpak and installed the Server 2000. The server 2000 adminpak DOES give you the dail-in tab

Ulf B. Simon-Weidner

# re: Dial-In Tab in Active Directory-Users and Computers@ Friday, January 07, 2005 11:00 AM

Sorry - KB 837490 has been changed yesterday. You still need a hotfix to get the Dial-Up Page.
See http://support.microsoft.com?id=837490

Ulf

Ulf B. Simon-Weidner

# re: Re-Awarded as MVP@ Monday, January 10, 2005 10:46 PM

Hi Ulf
I'v started to read Your blog lately - I'm also re-awarded last week - hope to see You on some event :).

Ulf B. Simon-Weidner

# re: Dial-In Tab in Active Directory-Users and Computers@ Monday, January 17, 2005 5:59 PM

Check to verify that File and Print Sharing is checked in your NIC properties.
Experienced after an upgrade SBS 2000 to 2003.

Ulf B. Simon-Weidner

# re: Dial-In Tab in Active Directory-Users and Computers@ Wednesday, January 19, 2005 1:30 PM

thanks Jeff, you're a lifesaver

Ulf B. Simon-Weidner

# re: Dial-In Tab in Active Directory-Users and Computers@ Thursday, January 20, 2005 6:08 PM

jeff i love you your a real lifesaver

Ulf B. Simon-Weidner

# re: DHCP, DNS and the DNSUpdateProxy-Group@ Thursday, February 03, 2005 5:35 PM

I have one dhcp online(DC) and one offline (DC) (backup)
The domain it's 2000 native mode one forest one domain
the dns zone is integrated in AD and allow only security update
i just wanna know if i need to start the backup dhcp server (stopping the another one) i need the dnsupdateproxy group and set with the netsh
command an account ?


thanks
Max

Ulf B. Simon-Weidner

# re: DHCP, DNS and the DNSUpdateProxy-Group@ Tuesday, February 15, 2005 10:55 PM

Hi Max,

sorry for answering so late - those Trainings and their preparation keep my busy right now.

You have a Offline DC? Then you need to be very carefull that you replicate them once in a while - latest every 60 days. There are other solutions to provide DHCP redundancy. If you have different subnets, you can put the DHCP-Servers on different subnets and split the scopes (the router needs to support BootP Forwarding / DHCP-Relaying). You'd also be able to configure the subnet on both DHCP-Servers, but activate it on just one. Enable conflict detection. Or cluster the DHCP-Server. Or install and configure DHCP on both servers, configure the same scopes, but put the DHCP-Server Service on one machine to deactivated and stop it.

Back to the reason of your question - do NOT use the DnsUpdateProxy-Group - configure both DHCP-Server Services to run under a specific Serviceaccount. As stated in the Blog DnsUpdateProxy is bad - it makes your dynamic updates as reliable as if they were "unsecure" - and this is paticulary bad if you are running DHCP on a DC. Create a Serviceaccount and configure the DHCP-Services to run under that account. That's much more secure.

Ulf B. Simon-Weidner

# re: Performance Tuning for Virtual PC@ Thursday, February 17, 2005 1:39 AM

TrackBack

# re: Offered AD and DNS Presentations@ Monday, February 28, 2005 1:27 PM

dns presentations

Ulf B. Simon-Weidner

# re: Offered AD and DNS Presentations@ Monday, February 28, 2005 1:27 PM

dns presentations

Ulf B. Simon-Weidner

# re: DHCP, DNS and the DNSUpdateProxy-Group@ Friday, March 11, 2005 10:31 PM

How does this solve the problem that the DNSUPDATEPROXY group was designed to fix, namely the prevention of stale records and the ability of upgrade clients (NT --> 2000) to refresh and update records created for them by the DHCP server?

Ulf B. Simon-Weidner

# Training, Speaking at CeBit, and getting a boost on Testing@ Wednesday, March 23, 2005 4:18 PM

TrackBack

# Training, Speaking at CeBit, and getting a boost on Testing@ Wednesday, March 23, 2005 4:18 PM

TrackBack

# Follow up discussion on the DNSUpdateProxy-Group@ Saturday, March 26, 2005 2:29 PM

TrackBack

# re: DHCP, DNS and the DNSUpdateProxy-Group@ Saturday, March 26, 2005 11:35 PM

Hi Bob,

I've answered your question in a new Blogentry:
http://msmvps.com/ulfbsimonweidner/archive/2005/03/26/39841.aspx

Thanks for the answer again, if you have comments they are always welcome and apprechiated.

Ulf

Ulf B. Simon-Weidner

# Access-based Enumeration @ Greg's Cool [Insert Clever Name] of the Day@ Sunday, March 27, 2005 12:09 AM

Access-based Enumeration @ Greg's Cool [Insert Clever Name] of the Day

TrackBack

# Windows Server 2003 - Servicepack 1 is RTM@ Wednesday, March 30, 2005 8:30 PM

TrackBack

# re: Hide folders underneath a share where the user has no permissions@ Friday, April 01, 2005 12:06 PM

Hi Ulf,

ist dieses Feature in der RTM Version wieder verschwunden? Ich kann jedenfalls bei meiner SP1 Installation weder in der GUI etwas neues entdecken, noch das Tool "abetool.exe" finden.

Viele Grüsse...Stefan

Ulf B. Simon-Weidner

# Access-based Enumeration - Part 2@ Thursday, April 07, 2005 3:52 PM

TrackBack

# re: Hide folders underneath a share where the user has no permissions@ Thursday, April 07, 2005 4:02 PM

TrackBack

# re: Hide folders underneath a share where the user has no permissions@ Friday, April 08, 2005 1:02 AM

Hi Stefan,

since I'm posting in english, I'll reply in english as well ;-)

I've got the confirmation that the ABETool didn't make it to the final version of SP1, but will be released soon according with a Whitepaper about ABE on the Web. Right now you can use Joe's tool ShrFlgs to modify the shares - works like a charm.

I've created a new blog entry about ABE:
http://msmvps.com/ulfbsimonweidner/archive/2005/04/07/41272.aspx

Enjoy, Ulf

Ulf B. Simon-Weidner

# re: Access-based Enumeration - Part 2@ Friday, April 08, 2005 3:21 PM

This is huge Ulf! Thanks...

Ulf B. Simon-Weidner

# re: Global Catalog vs. Infrastructure Master@ Wednesday, April 20, 2005 8:04 PM

OK, I'm not allowed to run the IM on my GC server because I have DCs in my domain which are not GCs.

I AM allowed to run the IM on my GC server because there's only one domain in my forest.

If both of these statements are true (and they describe my environment), which takes precedence?

Ulf B. Simon-Weidner

# re: Global Catalog vs. Infrastructure Master@ Friday, April 22, 2005 7:42 AM

Hello John,

the second one. In your scenario you do not need the IM, there are no other domains where he'd need to check for consistency.

Ulf

Ulf B. Simon-Weidner

# re: DialIn-Tab in ADUC (again)@ Friday, April 22, 2005 2:46 PM

Just verified that the W2k3 SP1 adminpack.msi solves this issue for us.

Ulf B. Simon-Weidner

# re: Global Catalog vs. Infrastructure Master@ Saturday, April 23, 2005 12:41 PM

Hi Ulf,

I would like to comment and suggest to include following references in your details for complete reference & clarification:

http://support.microsoft.com/?id=248047 and
http://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=Active+Directory&EvtID=1419&ProdName=Windows+Operating+System&LCID=1033&ProdVer=5.0

Thanks, & have a nice weekend,
Tatjana Aggoussi

Ulf B. Simon-Weidner

# re: Global Catalog vs. Infrastructure Master@ Saturday, April 23, 2005 5:52 PM

Thank you Tatjana - i've updated it. Enjoy your weekend and the nice weather.

Ulf

Ulf B. Simon-Weidner

# re: Errorhandling in DSACLS and wrong ACEs in ADUC@ Monday, April 25, 2005 3:38 PM

Thank you so much for this post. This was driving me crazy. Makes perfect sense now. I hope anyone who uses DSACLS to set or read permissions and receives no results reads the above linked post.

Ulf B. Simon-Weidner

# re: Access-based Enumeration - Part 2@ Thursday, April 28, 2005 3:51 PM

Microsoft have now released a GUI tool to configure ABDE (http://www.microsoft.com/downloads/details.aspx?FamilyID=04A563D9-78D9-4342-A485-B030AC442084&displaylang=en)

Ulf B. Simon-Weidner

# re: Access-based Enumeration - Part 2@ Thursday, April 28, 2005 5:53 PM

Hi Slavko,

yes, thanks for the link. It actually contains a GUI extension, a CMD-Tool and the Whitepaper for ABE.

I'll be blogging an updates with screenshots when I have a couple minutes to spare.

Ulf

Ulf B. Simon-Weidner

# re: Errorhandling in DSACLS and wrong ACEs in ADUC@ Wednesday, May 04, 2005 9:53 PM

Hello,

Just wondering what the minimum permissions needed to join computers to a domain are? I am scripting the creation of the computer objects with "dsadd computer" and plan to use "dsacls" to apply the necessary permissions. I really would like to limit these to the minimum possible. Any suggestions?

Thanks,
Ed.

Ulf B. Simon-Weidner

# re: Access-based Enumeration - Part 3@ Saturday, May 21, 2005 11:44 AM

Ulf - are You sure thath it should be this command ?
regedit32 %windir%\system32\abeui.dll

To register the dll You should use regsvr32.exe command.

Ulf B. Simon-Weidner

# re: Access-based Enumeration - Part 3@ Saturday, May 21, 2005 12:00 PM

Hi Tomasz,

thanks you very much - made an typo. I've corrected it.

Ulf

Ulf B. Simon-Weidner

# re: TechEd US and Windows Server 2003 R2@ Thursday, June 02, 2005 11:13 AM

Will you be bringing any R2 blankets with you ?

Ulf B. Simon-Weidner

# re: AdminSDHolder - or where did my permissions go?@ Thursday, June 02, 2005 11:23 AM

Hi Ulf,

tja, wir sind da auch gerade reingelaufen! Bestimmte User hatten das "inheritance" flag nicht gesetzt und auch die Rechte der OU nicht übernommen. Wir haben ein VBScript geschrieben, dass das Inheritance-Flag wieder setzt, aber nach einer Weile war das Flag wieder verloren und die Rechte nicht so, wie sie sein sollten. Zuerst kam ich nicht auf den "SDProp" threat, weil die betroffenen User keine besonderen sind und auch keine DIREKTE Mitgliedschaft in einer der geschützten Gruppen haben.
Die Frage konzentrierte sich dann darauf: wie bekomme ich eine vollständige Liste aller direkten UND indirekten Gruppenmitgleidschaften? Ich habe hier den Group Policy Modelling Wizard laufen lassen, der dir u.a. auch eine vollständige Liste all dieser Gruppen ausgibt. Und siehe da: die betroffenen User waren alle indirekte Mitglieder in "Account Operators", was bei einigen gar nicht der Fall sein sollte. Für die anderen Fälle haben wir es so gelöst, dass wir die entsprechenden Rechte auf dem "AdminSDHolder" Container gesetzt haben.

Viele Grüsse...Stefan

Ulf B. Simon-Weidner

# re: TechEd US and Windows Server 2003 R2@ Thursday, June 02, 2005 9:21 PM

R2 Blankets? Did I miss something? Have to search the NGs!

Ulf

Ulf B. Simon-Weidner

# TechEd US started@ Monday, June 06, 2005 7:55 AM

TrackBack

# re: Access-based Enumeration - Part 3@ Thursday, June 16, 2005 8:56 PM

I have windows server 2003 with Sp1 and ABE instastalled. I've activated on the server but i can still see the share from a client even though i don't have access to it.

Ulf B. Simon-Weidner

# re: Access-based Enumeration - Part 3@ Thursday, June 23, 2005 9:43 AM

Anyone tried this in a cluster? When my share(s) failover to the other node, I keep losing the ABE setting. The properties of the share resource in the resource group dont allow me to set anything about ABE.
Is here someone who can verify this?

Ulf B. Simon-Weidner

# re: Access-based Enumeration - Part 3@ Friday, July 01, 2005 5:37 PM

I can confirm the behaviour noted on fail-over clusters. The cluster service is not aware of the property and it does not re-initialize after a resource (shared folder) is moved to a different node. The only option that I can envision at this time a some sort of minitoring job that would reset ABE on the share when it moves to a new node in the cluster.

Ulf B. Simon-Weidner

# re: AdminSDHolder - or where did my permissions go?@ Monday, July 04, 2005 9:54 AM

Excellent blog post. In short, to resolve this issue on the user object which cannot be managed by the delegated user account, you need to; Right-click the object, click Properties, and then click the Security tab (Advanced) Check the option, "Allow Inheritable Permission from Parent".

Note: It may take at least an hour for the changes to be propogated from the PDC as defined on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\AdminSDProtectFrequency

This behavior is to protect the "protected groups" in AD like those who are member for Domain Admins or Bulit-in Groups.

Good day,
Mohammed Athif Khaleel
MVP - SUS / WSUS
I Blog on http://msmvps.com/athif/

Ulf B. Simon-Weidner

# re: AdminSDHolder - or where did my permissions go?@ Monday, July 04, 2005 7:12 PM

Hi Athif,

thanks for the feedback. To clarify, the procedure you described is for the issue mentioned in my blog under "What else is important to know", Number 2:
<i>"Users, which are removed out of one of the protected groups (or their nested groups) do not inherit permissions from parent objects. You need to check the box to inherit permissions when removing those users out of the group manually, or use a script to check your users."</i>

It will not work on users which are still in one of the protected group - there it will be reset after one hour again.

There's also a script in http://support.microsoft.com/kb/817433 underneath "Workaround, Method 1" which does enable the inheritance on all users in a domain with admincount=0 (AKA users formerly belonged to one of the protected groups).

Ulf B. Simon-Weidner

# re: Access-based Enumeration - Part 3@ Thursday, July 07, 2005 12:19 AM

Hi Kees-Jan and netmarcos,

Ward Ralston from the Windows Server Devision just published a solution for your issues on http://blogs.technet.com/windowsserver/archive/2005/07/06/407385.aspx.

HTH, Ulf

Ulf B. Simon-Weidner

# re: Follow up discussion on the DNSUpdateProxy-Group@ Monday, July 18, 2005 11:07 AM

Hello Simon

Your description of the DNSUpdateProxy issue is clear.
But is there a solution to the DHCP + DC issue?
I understand one should not install an AD-integrated DNS on a W2K(3) server and have that server account be a member of the DNSUpdateProxy group, as critical entries in the _mscdcs zone will be unsecure.

In other words, you cannot have the best of both worlds: if the DHCP/DC is a member of DNSUpdateProxy, it creates a security gap; if it is not, its computer account will become the sole owner of the clients record(s), and no one else will be able to update those records. Is this statement correct?

Any solution/workaround to this issue?

Ulf B. Simon-Weidner

# Viewing Phantom Objects@ Monday, July 18, 2005 11:19 AM

I will soon publish on my blog how to view Phantom objects; Viewing deleted objects is easy enough. In order to view Phantom objects, one needs to backup AD and access it offline using LDP.

http://spaces.msn.com/members/mvleriche/

Best regards,

MV

Ulf B. Simon-Weidner

# re: Global Catalog vs. Infrastructure Master@ Monday, July 18, 2005 11:25 AM

... Because the reason a GC cannot be an IM are Phantom objects...

Cheers

MV

Ulf B. Simon-Weidner

# Performance for VPC @ Saturday, July 23, 2005 12:36 AM

TrackBack

# re: Follow up discussion on the DNSUpdateProxy-Group@ Sunday, July 31, 2005 8:58 AM

TrackBack

# re: Follow up discussion on the DNSUpdateProxy-Group@ Sunday, July 31, 2005 5:58 PM

Hello Michel-Vincent,

as I stated in http://msmvps.com/ulfbsimonweidner/archive/2004/11/15/19325.aspx you are able to define an account which is used for the registration of the DNS-Records under WS2k3 and W2k SP2. In WS2k3 you can specify the account directly in the DHCP-Server Properties, in W2k you can let the service run under that account.

So there's no need to put the DC in the DNSUpdateProxy-Group - just let DHCP register the records using a predefined account.

Ulf

Ulf B. Simon-Weidner

# re: Global Catalog vs. Infrastructure Master@ Sunday, July 31, 2005 6:09 PM

Hello Michel-Vincent,

> I will soon publish on my blog how to view Phantom
> objects; Viewing deleted objects is easy enough. In
> order to view Phantom objects, one needs to backup
> AD and access it offline using LDP.

Can you specify what you mean? You can view phantom-objects online, and AFAIK there's no way to open AD offline with LDP - LDP is a LDAP-Browser and you can't access the DB directly.

> ... Because the reason a GC cannot be an IM are
> Phantom objects...

The GC can be a IM - as stated in my blog - but the IM will never be able to detect which phantom objects are required if it run's on the GC. However this is not necessary if either every DC in that domain is also a GC, or if it's a single domain (because there won't be external users in groups and therefor no need to create phantoms).

Ulf

Ulf B. Simon-Weidner

# re: AdminSDHolder - or where did my permissions go?@ Saturday, August 27, 2005 8:57 AM

Hi Simon,
Can you explain, what happens if the script as you mentioned is run on DC=domain, DC=com and contains some users who are part of the protected groups aka memeber of Adminstrators group. Will it ignore these or ???

Please email me Md DOT AthifKhaleel AT MVPS.ORG

Thanks
Mohammed Athif Khaleel
MVP - SUS / WSUS
Blog http://msmvps.com/athif/

Ulf B. Simon-Weidner

# re: More publishing@ Saturday, August 27, 2005 8:02 PM

I like the content. Any chance of pointing us to and "English" version of the "The secure Server" article. My german is a little rusty. :-)

Ulf B. Simon-Weidner

# re: AdminSDHolder - or where did my permissions go?@ Wednesday, August 31, 2005 5:52 PM

I am having the same issue, excpet the users that are not inheriting permissions are not members of any admin group. They actually are just random members of different OU's, with no common denominator. The way that I discovered this issue was that one of our helpdesk employees, who is not a member of an admin group, can make changes on most of the user accounts, but some she cannot. When I checked on it, the group she is a member of is not located on the security tab of these users and the permissions are not inheriting, while 95% of the other users in these same OU's are inheriting. Make sense?

Ulf B. Simon-Weidner

# re: AdminSDHolder - or where did my permissions go?@ Thursday, September 01, 2005 8:40 AM

Hi Athif,

if you refer to the script in KB 817433 it only resets inheritance if the adminCount is 0. That means only users are affected which have been previously in one of the administrative protected groups.

Ulf

Ulf B. Simon-Weidner

# re: AdminSDHolder - or where did my permissions go?@ Thursday, September 01, 2005 8:42 AM

Hi Adam,

it does not depend where your helpdesk user is a member of, it depends on where the accounts she tries to manage are members of. You can memberships of one of those "unmanageable" users with "whoami /all" on their desktop while they are logged in. Be carefull b/c even recursive memberships through a distribution group count but will not show via whoami.

You can also check the adminCount attribute of those users, if it's higher than 0 then they are underneath one of the protected groups.

Ulf

Ulf B. Simon-Weidner

# re: AdminSDHolder - or where did my permissions go?@ Thursday, September 01, 2005 4:33 PM

Thanks for the quick reply Ulf...
However, one of the users that is not inheriting permissions is only a member of All Users and Domain Users; no other groups. All Users is the universal distribution group. There are other users that are members of these groups and more that she can make changes to, but not this one. It is not inheriting permissions that would give her the rights to make those changes. KB817433 describes this issue. I got the patch from Microsoft and applied it, but have yet to see any changes.

Ulf B. Simon-Weidner

# Okay so we barely have a tree ...let alone a forest@ Saturday, October 15, 2005 11:22 PM

TrackBack

# Okay so we barely have a tree ...let alone a forest@ Saturday, October 15, 2005 11:23 PM

TrackBack

# Some details about Tombstones, Garbage Collection and Whitespace in the AD DB@ Sunday, October 30, 2005 6:27 AM

TrackBack

# re: New Article published on Windows Server 2003 R2: ADFS and ADAM@ Wednesday, November 02, 2005 12:19 AM

Hello,

How can I get the English version of your articles written in German magazine...

Appreciate your help
Sri

Ulf B. Simon-Weidner

# re: New Article published on Windows Server 2003 R2: ADFS and ADAM@ Wednesday, November 02, 2005 8:42 AM

Hello Sri,

unfortunately they are only available offline and in german, until the magazin decides to publish in different languages as well. They own the rights on these articles, as it is with most publishers.

Sorry about that, I'd love if they'd publish in other languages as well.

Ulf

Ulf B. Simon-Weidner

# Some details about Tombstones, Garbage Collection and Whitespace in the AD DB@ Saturday, November 05, 2005 4:17 AM

TrackBack

# TechEd US started@ Saturday, November 05, 2005 4:23 AM

TrackBack

# re: Windows Server 2003 R2: DFS out of the Branch Office Solutions@ Tuesday, November 08, 2005 6:53 AM

Hi Ulf,

In your testing, how many files were you replicating? What would/should the target usage scenario for RDC be? By this, I mean should you be replicating thousands of files or hundreds of files? What's the scalability on DFS-R? I've not done testing on a large scale, but am interested in hearing your opinion on where DFS-R may not be appropriate and where it would be appropriate.

Thanks.

-matt

Ulf B. Simon-Weidner

# re: Some details about Tombstones, Garbage Collection and Whitespace in the AD DB@ Monday, November 14, 2005 7:38 PM

One thing to note....your dsquery example for the preserved attribute list for tombstones isn't quite complete. More complete would be...those are the attributes which the schema is specifying. If you take that list and add to it the hard coded list (we have a list, in the code, which is hard coded in....this way you can't accidentally tell us to remove something which we really need) then you will have the full list. :)

Ulf B. Simon-Weidner

# re: Some details about Tombstones, Garbage Collection and Whitespace in the AD DB@ Monday, November 14, 2005 7:40 PM

Oh and on this item:
"There are additional attributes being kept in the tombstone, e.g. in Windows Server 2003 there is also the SID-History kept in the tombstone"

We actually added sidHistory as of WS2003 SP1 to that hard coded list I mentioned in the last post. We didn't change it in the schema as we didn't want a schema change associated with a service pack, but we wanted a more low-risk way of preserving this data.

Ulf B. Simon-Weidner

# re: Windows Server 2003 R2: DFS out of the Branch Office Solutions@ Tuesday, November 15, 2005 12:07 AM

Small correction Ulf. RDC works w/o issue across standard edition servers using DFS-R on both sides. You get the goodness of RDC in most cases. The one feature in R2 that requires ent edition on one side is cross-file RDC (the feature by which we take parts of one file and use them to construct another).

Ulf B. Simon-Weidner

# re: Virtual Server 2003 R2: Evaluation available on Microsoft Downloads@ Tuesday, December 06, 2005 8:55 AM

As a connected download - new version of VS2005 additions are also available. http://www.microsoft.com/downloads/details.aspx?familyid=a963433c-193b-41ac-af6e-ab7ab2db8541&displaylang=en

Ulf B. Simon-Weidner

# re: Virtual Server 2003 R2: Evaluation available on Microsoft Downloads@ Tuesday, December 06, 2005 1:53 PM

I'm getting the noticed that my Virtual Machine additons are out of date. I forgot how to get the updates.

Does the patch that Tomek mentions basically make the patched machine a R2 machine?

Ulf B. Simon-Weidner

# re: Virtual Server 2003 R2: Evaluation available on Microsoft Downloads@ Tuesday, December 06, 2005 4:57 PM

OK - answered my own question
http://www.microsoft.com/technet/prodtechnol/virtualserver/2005/proddocs/vs_deploy_setup_VM_OS_additions.mspx

The technique offered by MSFT to install VMA is "clunky" at best.

Ulf B. Simon-Weidner

# The Working Network - new feeds for Directory Services@ Friday, December 30, 2005 10:10 AM

I was posting lately about The Working Network.&amp;nbsp;Today I've updated and added blogs to OPML-O-Matter...

Directory Services/Active Directory

# The Working Network - new feeds for Directory Services@ Friday, December 30, 2005 12:11 PM

I was posting lately about The Working Network.&#160;Today I've updated and added blogs to OPML-O-Matter for...

Directory Services/Active Directory

# Happy New Year@ Saturday, December 31, 2005 10:20 AM

2005 is almost over, what a year! Last year I said 2005 will become a great year in the IT, and I think...

Directory Services/Active Directory

# The Working Network - new feeds for Directory Services@ Monday, January 02, 2006 3:09 AM

I was posting lately about The Working Network.&#160;Today I've updated and added blogs to OPML-O-Mater for...

Directory Services/Active Directory

# re: Access-based Enumeration - Part 3@ Wednesday, January 25, 2006 4:40 PM

Even I have windows server 2003 with Sp1 and ABE instastalled. I've activated on the few shares but i can still see the share from a client even though i don't have access to it

Swami

# re: Some details about Tombstones, Garbage Collection and Whitespace in the AD DB@ Wednesday, April 19, 2006 5:18 PM

I need some guidance on and AD subject. If I delete a user account from Active Directory, I want to prevent the reuse of that user ID FOREVER. For example, my user ID is “adamc”. If my account is deleted, I wish that no other person be allowed to use the user ID “adamc” forever until the end of time. This is for a medical company that currently tags record updates in their medical with the AD user ID of the user making the update. This user ID needs to remain unique, even after users are deleted from AD.



I understand there is a tombstone lifetime for objects in AD, but I do not know if it can be set to infinity.



Is there a simple solution for this?

can you email me at praveenv78 at yahoo dot com

Praveen

# re: Some details about Tombstones, Garbage Collection and Whitespace in the AD DB@ Tuesday, May 02, 2006 11:52 PM

Hello praveenv,
sorry - I've just seen your comment (for some reason the notification was off).
The tombstone-lifetime won't help you to fulfill your goal - you'd need to either keep those accounts in active directory but disable them, or create other objects with the same name which will prevent you from reusing the name. However other accounts are quite tricky - depending on which exact name-attributes you want to "lock".

I'd recommend to keep them, but disable them, and move them to a OU where they don't bother you. Or if you have a provisioning mechanism you can build it in there.

Ulf B. Simon-Weidner

# re: Access-based Enumeration - Part 3@ Wednesday, May 03, 2006 12:04 AM

Hello Swami,

sorry for getting back so late - comment notification does not work "currenty".

ABE won't hide shares, it just hides it's content for non-admins who do not have read access to the specific folders or files. Check out my other blog posts about ABE which demonstrate what to expect.

Ulf B. Simon-Weidner

# re: Some details about Tombstones, Garbage Collection and Whitespace in the AD DB@ Friday, May 12, 2006 3:04 PM

This is great information, but I have a few questions on the subject. Is it possible to purge all records manually in the "Deleted Objects" container? Can you set the tombstone lifetime to 1 day and have the garbage collection wipe out all records? Finally, once a tombstoned record has been purged, can we be guaranteed that it is not recoverable through the database? We are possible spinning off a division and were thinking about allowing the division to keep the DC and we would just delete all objects not part of the division's OU, but would want to make sure they couldn't recover any deleted objects.

Thanks!!

Steve

# re: Finished, Exhausted, Done!@ Tuesday, May 16, 2006 4:19 PM

Hi,

Congrats with the book, nice work. But will there also be an English translation?

Kind Regards,

Victor

Victor

# re: Finished, Exhausted, Done!@ Tuesday, May 16, 2006 4:37 PM

Hello Victor,

thanks for the fast response and the congrats.
Unfortunately there will not be an immediate english translation - MS-Press Germany is usually looking how a book does in the german market and may then decide to propose it to MS-Press US. Due to the nature of IT-Books it's unlikely that this is happening often, since those books don't last that long. However we might have a change, since this one and our first book covers a OS which is quite new and may run for a while in the market. The first book on XP sold about 4k by now, which is pretty good for an IT-Book.

I'll keep your email and let you know if this is happening - and you'll also read it here - but it's even more likely that I do another book directly in english than this one being translated. I'd prefer it otherwise ...

Ulf B. Simon-Weidner

# re: Some details about Tombstones, Garbage Collection and Whitespace in the AD DB@ Tuesday, May 16, 2006 4:56 PM

Hi Steve,

very interesting question. There's a two-day limit in the number you can set on the tombstone-lifetime, and setting it pretty low is dangerous as well (you need to keep the tombstone until everything is replicated to any DC in the forest). Microsoft recommends at least a value between 30-40 days. Also be aware, that tombstone-lifetime is a pre-forest setting, and that you may not use backups which are older than the tombstone-lifetime. Also if you want them to keep a DC be aware that you have to split the whole forest, so they need a DC of every domain.

Actually in the tombstone there are not that many dangerous informations. You could change those informations before tombstoning (deleting) the objects, only the GUID and SIDs remain, and those are only dangerous if the networks have access to each other again, which is in no way supported or recommended in a split-forest-scenario. So they would not be able to get any important information out of the tombstones, and they will expire anyways. You can check the attributes which are remaining in the tombstone by querying attributes with the dsquery command provided in the post above. Then write a script which changes all those attributes you do not want to another value, and delete the object.

When splitting the forest make sure that all required services, DNS, GCs, FSMOs a.s.o. are adjusted, and don't forget to do a metadata-cleanup of all DCs on the other side.

I hope those thoughts are usefull for you.

Ulf B. Simon-Weidner

# re: Finished, Exhausted, Done!@ Tuesday, May 16, 2006 6:19 PM

Congratulations Ulf!

Ryan

# re: Some details about Tombstones, Garbage Collection and Whitespace in the AD DB@ Monday, May 22, 2006 6:40 PM

Thank you for your reply, those were helpful comments. The idea was to take their DC off the net, seize roles, delete EVERYTHING possible, adjust the tombstone so it all purged ASAP and then bring up a 2nd DC to replicate and transfer roles and take my original DC back. If the occasion arises, we will see what happens. Thanks again!
Steve

Steve

# Reload Nuggets &raquo; Blog Archive &raquo; Checking the AD &#8220;tombstone&#8221; in Windows or SBS 2003@ Friday, June 09, 2006 5:04 PM

PingBack from http://reloadnuggets.com/archives/16

Reload Nuggets » Blog Archive » Checking the AD “tombstone” in Windows or SBS 2003

# Publications: Article and Book@ Monday, June 19, 2006 5:49 PM

My next Article was published in the June Edition of the IT-Administrator. In Informationsmekka Internet...

Directory Services/Active Directory

# delete without tombstone@ Friday, July 07, 2006 10:38 AM

i have a single DC, is there a posibility that the objects in Ad be deleted without being tombstoned.

thanks.

kini

# re: Some details about Tombstones, Garbage Collection and Whitespace in the AD DB@ Sunday, July 16, 2006 4:14 PM

Hello Kini,

No, that's not generally possible. AD will always create tombstones, and the minimum lifetime is 2 days. You could play around with the date and force garbage collection, but I woudn't do that.
However it's not bad to have tombstones. What's the reason why you don't want them. Actually I know companies who are using tombstones in their recovery plan instead of (authoritative) restores. And there are tools out there which rely on tombstones for AD-Recovery.
Let me know why you don't want them.

Ulf B. Simon-Weidner

# Windows Server Codename &amp;amp;quot;Longhorn&amp;amp;quot;@ Wednesday, August 23, 2006 2:28 PM

There are more and more info's out on the Web about the next generation of Windows Server Codename &#187;Longhorn&#171;...

Directory Services/Active Directory

# TechEd EU and what else is keeping me busy@ Wednesday, August 23, 2006 2:50 PM

I just recognized - I didn't post anything for a month. This is awful! Currently I'm very busy at my...

Directory Services/Active Directory

# re: Windows Server Codename 'Longhorn'@ Wednesday, August 23, 2006 4:19 PM

Ulf, you said:
"Active Directory has been implemented as Service in Longhorn"
I'm sorry but I have to correct you here. AD is not a service. It is restartable. But it is not the same as being a true service. This is why we call it "Restartable AD" instead of some other name that might include the word 'service' in it.

Eric Fleischman

# re: Windows Server Codename Longhorn@ Thursday, August 24, 2006 6:22 PM

Thanks ~eric - I've updated the blog-post to reflect your comment.

Ulf B. Simon-Weidner

# re: Directory Experts Conference and Book success@ Wednesday, August 30, 2006 1:29 AM

The Chicken ROCKS!

See www.dec2007.com for more information.

Gil

# DNS: Conditional Forwarders vs. Stub-Zones@ Wednesday, October 04, 2006 3:53 PM

Im my last blog post I mentioned how you are able to use conditional forwarders to forward request to

Directory Services/Active Directory

# re: I'm still alive (3) - and MVP again!@ Tuesday, January 23, 2007 3:42 AM

Congratulation.

acchong

# re: BGInfo in Vista and Longhorn@ Wednesday, January 24, 2007 12:46 PM

That would be because in Vista, changes to WMI allow you to iterate in the array in VBscript much easier. This would affect anything written in the old way. Check out Scriptcenter for articles on new Vbscript and WMI methods in Vista.

James Pogran

# re: What I really hate about DNS- and DHCP-Client-Services@ Friday, January 26, 2007 4:32 AM

Hi Ulf,

it's exactly the other way round: The German spelling uses the hyphen, the English spelling does not.

And - why don't you just use the service name instead of the display name? "net stop dnscache" stops the DNS Client service on every machine, no matter what its language is. You can find out the service names in Control Panel or by just querying "sc query" (or, more sophisticated: sc query|find /i "_name"). The most common names will surely burn into your mind quickly. ;-)

HTH & regards, Nils

Nils Kaczenski

# re: What I really hate about DNS- and DHCP-Client-Services@ Saturday, January 27, 2007 4:36 AM

Hi Nils,

shouldn't write posts that late - I first had it the correct way, then wanted to make sure and checked on my own machine. However I'm in a dual boot configuration right now - XP was in German, Vista in English, and I'm 99% working with Vista. So I mixed it up and thought that I'm on a German OS, woundered and changed the hypens Tongue Tied.

Never mind - thanks for letting me know and I'm changing the post now.

The other thing you mention - yes - I know I could use the service name, but for whatever reason I'm just to lazy to keep them in mind and don't mind typing - so I'm usually using the Services displayname. No clue why - my brain prefers it this way Wink - and there are more important things to remember.

I still don't understand why they are "semi-translating" certain things which are totally useless. Currently the name is english but the hypenation is german. Feels like eating ice-cream to fast: brainfreeze - outch.

Ulf B. Simon-Weidner

# Dns serverWeblog@ Sunday, January 28, 2007 1:45 AM

PingBack from http://dnsserver.jsblogs.biz/article/653876/

Dns serverWeblog

# W2K.PL &raquo; Blog Archive &raquo; Longhorn i zasady hase??@ Monday, March 12, 2007 5:17 PM

PingBack from http://www.w2k.pl/longhorn-i-zasady-hasel/

W2K.PL » Blog Archive » Longhorn i zasady hase??

# Longhorn and password policy@ Monday, March 12, 2007 5:31 PM

Ulf (DS MVP) who is now having a lot of fun during MVP summit with other MVPs (I'm really jealous) found

Tomek's DS World

# re: Windows Server 'Longhorn': Granular Password Settings@ Tuesday, March 13, 2007 3:11 AM

What a pity! To me it seems they just added complexity and missed the chance to add security. Why not implement sophisticated filters that check newly created passwords against a more complete set of criteria - such as dictionaries (a simple yet powerful way to avoid trivial and standard passwords) and all-too-simple variations of common passwords? The filtering functions you describe still allow trash passwords like "aaaaa1!" or the like.

So we still have to go for common password filters. I hope at least they did not cut the interfaces to do that.

Somewhat disappointed, Nils

Nils Kaczenski

# Windows Server Longhorn - Per User Password Policy@ Friday, March 16, 2007 11:15 AM

I can't imagine that this will make the front page of People Magazine , but if you are a Network or Security

Musings, Ramblings, and the Occasional Useful Information

# re: MVP-Summit - Back in Seattle / Redmond@ Friday, March 16, 2007 11:52 PM

Heh...Said wireless implementation is not exactly bullet proof either. You can use it without paying without all that much trouble.

Brian Desmond

# re: Windows Server 'Longhorn': Granular Password Settings@ Sunday, March 18, 2007 5:27 AM

Hi Nils,

while you are right that it would be nice to allow additional settings (grade of complexity, dictionary compares,..) I still believe that this is going in the right direction. What we get for now is less domains for password policy reasons, and a more granular way to decide which users should have which settings when it comes to lockouts and length. This is handy to differenciate regular users, admins, service accounts,...

If you want to add additional criteria which is not in Windows today at all, you'll have to stick with custom filters - and the risk for doing this. I think a password campaign in your company serves you better than a technical compare to dictionaries. There are enough interfaces out there which you are unable to influence (websites, 3rd-party apps) so your users should get taught what a good password is. Also creating a custom passflt.dll (IMHO) is a technical risk - it could blue-screen your DC since it's pretty deep in the system. Added features (like dictionaries) might increase the risk of a failure, which might leave your DC in a unstable state.

To answer your question, if you'd still be able to use a custom filter: as far as I know Yes. However if you want the added features described in this post you might need to get a new version of your filters as well, which take these settings into credit.

Ulf

Ulf B. Simon-Weidner

# re: Windows Server 'Longhorn': Granular Password Settings@ Sunday, March 18, 2007 8:42 AM

Nice post Ulf - this comment is similar to what I posted on ActiveDir.org where this feature is also being discussed right now. The discussions often mention the need of a UI to manage it.

I don’t think that administrators will need much of a UI to configure password policy – a useful cli-tool should do, as I don’t see this used for too many different policies in a company.  There may be exceptions where companies want to configure extra strong policies for (non-admin) users working with more sensitive data, but I don’t expect more than maybe 3-5 policies in most companies (…keep it simple…)

So while the challenge is not necessarily configuring the policies (even works quite fine with ADSIedit – you only have to get over the time-conversion quirk), it will certainly be understanding the active policy for a specific user, for example when a user calls the helpdesk because he or she has an issue setting a new password…  (I can hear them already asking the helpdesk why his 8 char password is not accepted…) How will the helpdesk know which policy applies to the user? What if it’s one that doesn’t have the default domain policy but instead is member of a group that a specific Password Settings Object (PSO) has been applied to?

This info is easy to retrieve, but it’s not available easily in the current UIs - the following two attributes will retrieve the required data:

* ms-DS-PSO-Applied => this is a Backlink attribute of a user or group object (corresponds to the ms-DS-PSO-AppliesTo ForwardLink of the respective PSO object) and returns the DN of all the PSOs that are directly linked with the user or group. Note that multiple policies can be applied to a user or group and you’d need to run a query over the various groups and nested groups to determine all the PSOs that are applied directly and indirectly to a user and then evaluate the one with the highest priority/precedence. You’d first want to check If a policy is applied directly to a user as this always takes precedence over any policy applied via a group.

* ms-DS-Resultant-PSO => this a constructed attribute for users that return the DN of the one resultant password policy that is applied to the user – you do not need to add any additional logic to find the right PSO, as this is what the system has already evaluated in the background.

Both values only return the DN of the respective PSO => the PW related attributes of the PSO still need to be read and displayed appropriately to be helpful to the admin/helpdesk folks.  This is where I expect the need for a UI to be more important – administrators and helpdesk folks will need a simple UI to show the Resultant-PSO and its values of a user. There is not much magic involved in this task, but one that simply needs to get done. It may be best to simply add a small VB script to the ADUC context menus of a user object via display-specifiers to show these values.

Note that these attributes are not part of any of the existing permission property sets; by default only members of domain admin group have access to the ms-DS-Resultant-POS attribute and PSO objects – as such this is one more thing to consider when delegating rights for other folks to read (or potentially edit) the password policies.

All in all I believe this is a very powerful feature - even though not all companies will need it. Especially those that try to get rid of the need of user's typing in their own passwords directly: moving to SmartCards will further increase security and won't require multiple PW policies...

cheers,

Guido

Guido Grillenmeier

# Windows Server Longhorn – Functional Levels@ Sunday, March 18, 2007 4:25 PM

Windows Server Longhorn will support three forest functional levels: Windows 2000 à W2K DCs and higher

Jorge 's Quest For Knowledge!

# Last CTP Before Beta 3@ Thursday, April 05, 2007 5:58 PM

Late on Wednesday, as part of our commitment to deliver regular updates of Windows Server "Longhorn"

Windows Server Division WebLog

# Windows Server "Longhorn" - Múltiplas Políticas de Senha@ Friday, April 06, 2007 9:53 AM

Uma limitação conhecida do Active Directory é a de ele suportar somente uma única política de senhas

Segurança na Microsoft

# Ziarniste polityki haseł@ Thursday, April 12, 2007 6:01 AM

Od lutowego CTP dostępne są ziarniste polityki haseł - czyli możliwość przypisywania polityk haseł do

Windows Server Code Name "Longhorn"

# Ziarniste polityki hasel@ Saturday, April 21, 2007 3:40 AM

 

pkrzysz blog

# New in Longhorn Server - Active Directory Changes Part 2@