
February, 2008

  • Windows Logon Options in Vista/2008: Part Two of Two

    Mike here. Blog time again… Previously, I wrote about two of the policy settings under the computer configuration. Today, I’ll finish writing about the Windows Logon Options policy category by covering the remaining policy setting under the computer configuration and all of the policy settings under the user configuration.

    All operating systems based on Windows NT (Windows Vista, Windows XP, Windows 2000, Windows Server 2003, and Windows Server 2008) have a security feature named the Secure Attention Sequence (SAS). The purpose of the SAS is to alert the operating system that a user is ready to perform a secure action, such as logging on to the computer. You see the results of the SAS when you press CTRL+ALT+DEL to log on to Windows or when you are prompted to insert your smart card. Both are results of a Secure Attention Sequence.

    Sometimes, software must simulate a Secure Attention Sequence. Most commonly, software designed for accessibility or ease of access has this requirement. Windows Vista has a policy setting, named Disable and enable software Secure Attention Sequence, that allows you to control which software can simulate a Secure Attention Sequence.

    This policy setting has four options, when enabled. These options are:

    • None—disallows any user mode software from simulating a Secure Attention Sequence.
    • Services—allows software running as a service to simulate a Secure Attention Sequence.
    • Ease of access applications—allows software specifically designed for ease of access to simulate a Secure Attention Sequence.
    • Services and Ease of access applications—allows both service and ease of access applications to simulate a Secure Attention Sequence.

    Disabling this policy, which is the same as leaving it not configured, allows only Ease of access applications running on the secure desktop to simulate a Secure Attention Sequence.

    This concludes the computer policy settings, which leaves three remaining user policy settings. The first of these policy settings is the Set action to take when logon hours expire.

    You can configure permitted logon hours for each user in their respective user account. Enabling this policy allows you to configure the action Windows should perform when the user’s logon hours expire. For more information about configuring logon hours, read “Assigning Logon Hours” from Microsoft TechNet. The options are:

    • Lock—locks the current session and prevents the user from unlocking the session outside of their permitted logon hours.
    • Disconnect—disconnects the user from the current session and prevents the user from reconnecting to the session outside of their permitted logon hours.
    • Logoff—logs the user off the computer and prevents further logons outside of the user’s permitted logon hours. Choosing this setting can result in possible data loss.

    Figure 1- Time Restrictions Warning

    By default, Windows does not enforce user logon hours. However, once this policy setting is enabled, Windows warns the user before their logon hours expire and then performs the action you configured when the user’s logon hours expire. When setting this policy setting, you should also consider the Remove logon hours expiration warnings policy setting.

    The Remove logon hours expiration warnings policy setting, when enabled, allows you to configure Windows not to notify the user of the pending action before their logon hours expire. By default, Windows does not enforce user logon hours. Therefore, there is no warning for this policy setting to remove unless the Set action to take when logon hours expire policy setting is also enabled.

    The last user policy setting is equivalent to the computer configuration setting Report when logon server was not available during user logon. Windows displays a notification to the user explaining they have logged on using cached credentials because the logon server was not available. Enabling this policy could expedite the reporting of logon problems. And, as with the other policy, serves as an excellent way to further troubleshoot logon problems. Use this setting when you want to apply the policy setting to a specific user and not to the entire computer.

    Suffice to say, these policy settings can help you secure your corporate environment during off hours as well as assist with detecting possible logon problems earlier rather than later.

    -Mike Stephens

  • New KB articles February 10-16

    Now that Windows Server 2008 and Vista SP1 have released to manufacturing, you can expect to see quite a few KB articles coming out for those products. Before I list the ones relevant to Directory Services, here are a few general ones to be aware of -

    946405 Client computers may not work correctly when you add a Windows Server 2008-based domain controller to an existing pre-Windows Server 2008 domain
    929851 The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008
    948690 You cannot remotely access encrypted files after you upgrade a Windows Server 2003 file server to Windows Server 2008
    948680 Description of the Microsoft server applications that are supported on Windows Server 2008
    948070 Information and resources to use when you plan to upgrade Windows Server 2003 to Windows Server 2008
    947025 Support guidelines for migrating roaming user profiles data to Windows Vista or to Windows Server 2008
    947034 How to use unattended mode to install and remove Active Directory Domain Services on Windows Server 2008-based domain controllers
    948472 How to extend the Windows Server 2008 evaluation period
    947226 Description of security events in Windows Vista and in Windows Server 2008

    Previously I had mentioned the Server Core Step-by-Step Guide that does a great job of giving you the command-line equivalents for common admin tasks. One thing it does not cover is how to uninstall applications from Server Core, but I did come across this blog on the subject. Under the covers, when you uninstall a program, the Add/Remove Programs (XP/2003) and Programs & Features (Vista/2008) control panel applets are just running whatever is specified in the UninstallString registry value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall. So on Core installs of Server 2008, where those control panel applets do not exist, you just find that registry value and run the command it specifies from the command line. Be sure to check out the Server Core blog for other tips on Server Core.

    KB Title
    947460 Error message when you try to open a mapped DFS folder after the computer comes out of standby in Windows XP Service Pack 2: "<Drive Letter>:\ is not accessible"
    947709 How to use the “netsh advfirewall firewall” context instead of the “netsh firewall” context to control Windows Firewall behavior in Windows Server 2008 and in Windows Vista
    949093 Windows Server 2008 will log on the administrator account automatically without displaying the logon dialog box when you set the administrator password as blank
    948690 You cannot remotely access encrypted files after you upgrade a Windows Server 2003 file server to Windows Server 2008
    947237 The autoenrollment functionality fails when a Windows Vista-based computer uses version 2 (V2) certificates
    947250 How to let a user apply a Group Policy that has the "Devices: Unsigned driver installation behavior" Group Policy setting from a Windows Vista-based computer to a client computer
    947707 When you use an account from an external MIT Kerberos realm to log on to a Windows Vista-based workstation, the logon fails
    948680 Description of the Microsoft server applications that are supported on Windows Server 2008
    947729 Error message when you try to use the Active Directory Service Interfaces extension for Terminal Services to read the properties for a user on a Windows Server 2008-based computer: "The directory property cannot be found in the cache"
    947055 A replication may fail when you perform the replication among Active Directory Lightweight Directory Services (AD LDS) instances on a Windows Server 2008-based computer
    945121 Error message when a user uses Internet Explorer 7 to open the certificate enrollment Web page to install an end entity certificate on a Windows Vista-based client computer
    947226 Description of security events in Windows Vista and in Windows Server 2008
    947775 On a Windows Server 2003-based computer that has a TCP Chimney Offload network adapter, the TCP data stream may be corrupted when the network adapter indicates an MDL chain whose starting MDL has a nonzero offset
    944984 The user profile may not be correctly unloaded when you log off from a Windows Server 2003-based computer, and event 1517 is logged
    946406 How to clone a certificate template from a Windows 2000 CA to a Windows Server 2008 CA
    945272 When you try to move files from one network drive to another network drive, the files keep permissions from the source folders on a client computer that is running Windows XP or Windows Server 2003
    940864 Certificate mapping fails on a Windows XP Service Pack 2-based computer that is running the Windows Server 2003 Administration Tools Pack
    947052 The Knowledge Consistency Checker deletes the connection object for a read-only domain controller in Windows Server 2008
    941674 The time stamp of a file's "Modified" box changes to the current time after you use the Encrypting File System to encrypt a file on a Windows XP SP2-based computer
    947242 A temporary profile is loaded after you log on to a Windows Vista-based system
    948030 Internet Explorer Maintenance-related Group Policy results are not displayed correctly in Group Policy Management Console on a Windows Vista-based computer
    947232 Error message when you try to access an administrative share on a Windows Vista-based computer from another Windows Vista-based computer that is a member of a workgroup: "Logon unsuccessful: Windows is unable to log you on"
    947215 Error message when you log on to a Windows Vista-based computer by using a temporary profile: "The User Profile Service failed the logon. User profile cannot be loaded"
    947708 A user's icon and name are not displayed on the logon screen in Windows Server 2008 after you add the Terminal Server server role
    947027 How to change the computer certificate on a Windows Server 2008-based computer that is running the "Routing and Remote Access" service and SSTP
    947498 Object changes or new objects may be lost when the ADAM Synchronizer tool in Windows Server 2003 synchronizes data from Active Directory to ADAM
    947773 A Windows Server 2003-based computer responds slowly to RDP connections or to SMB connections that are made from a Windows Vista-based computer
    947222 When you redirect the Documents folder on a Windows Vista-based computer to a network share, the folder name unexpectedly changes back to Documents
    943459 When the Kerberos ticket expires for a Kerberos-authenticated SMB connection that is created to a Windows Server 2003-based server, the oplock on a file cannot be broken in a timely manner
    947724 How to set the /insite option on the Distributed File System (DFS) root on a Windows Server 2003-based computer
    947137 Error message in Windows Server 2003 R2 when you use the Dfsmgmt.msc snap-in to create a new DFS namespace that contains a period (.) character
    946538 MS08-003: Vulnerability in Active Directory could allow denial of service

    - Craig Landis

  • Windows Logon Options in Vista/2008: Part One of Two

    Mike here again. This is the first of a two-part series that was originally published on the Group Policy Team blog, updated for Windows Server 2008.

    I wanted to bring to your attention some new policy settings for Windows Server 2008 and Windows Vista. The Windows Logon Options policy settings are located under both the Computer and User Configurations\Policies\Administrative Templates\Windows Components\Windows Logon Options. This policy category has six policy settings, equally divided between user and computer configurations. These policy settings apply to computers running and users logging onto Windows Server 2008 and Windows Vista. Earlier versions of Windows will ignore most of these policy settings.

    NOTE: Read the explain text of each policy setting before you combine these policy settings with earlier policy settings in a single Group Policy object.

    Figure 1- Windows Logon Options policy settings

    I’ll start with highlighting two of the three policy settings under the Computer Configuration. The first of these is the Display information about earlier logons during user logon. When enabled, Windows displays a message after the user logs on. The message contains the date and time of the last successful logon; the date and time of the last unsuccessful logon; and the number of unsuccessful logons since the last successful logons by that user. The user must then acknowledge the message before Windows presents the user desktop.

    Figure 2- Display Information about earlier logon result

    I know, this sounds like one of those annoying logon prompts that users click through—perhaps. However, I see this as another step in securing Windows on the workstation and the network. Most users know when they logged on last. Additionally, they know when they have typed their password wrong multiple times. Enabling this policy provides this information to users at each logon. Users can then evaluate this information with their own logon patterns to determine if there has been an attempt to compromise their account. And, you can use this policy setting to assist with troubleshooting account lockout issues. It's certainly useful for servers, where only administrators should have ever been logging on through the console or Terminal sessions.

    NOTE: This policy setting requires that the user account logging on belongs to a domain at the Windows Server 2008 functional level. Users logging on with user accounts stored in domains functioning at the Windows Server 2003, Windows 2000 native, or mixed mode level encounter an error message stating that Windows could not locate the account information, and Windows prevents the user from logging on to the domain.

    The other valuable policy setting in this category is the Report when logon server was not available during user logon. Windows displays a notification to the user explaining they have logged on using cached credentials because the logon server was not available. Enabling this policy could expedite the reporting of logon problems. And, as with the other policy, serves as an excellent way to further troubleshoot logon problems.

    Figure 3- Results from Report when logon server not available

    Stay on the look out for some of the new policy settings in Windows Vista and 2008. Sometimes, enabling a policy ahead of time can help you troubleshoot later.

    -Mike Stephens

  • Read-Only Domain Controllers and Account Lockouts

    Hello again - Bob Drake here. Today I will be talking about a particular behavior with account lockouts that might be seen with the introduction of “Read-Only Domain Controllers” (RODC's) in Windows Server 2008. Windows 2008 RODC’s are domain controllers that can authenticate users and computers, but hold a read-only copy of Active Directory. This means that any changes (or writes) made to Active Directory must then be forwarded to a writable domain controller. Traditionally, account lockouts happen for many different reasons; with RODC’s there are a few added layers of potential issues that can complicate the efforts of resolving lockouts.

    The first step in understanding account lockouts is to thoroughly read through our TechNet whitepaper “Windows Server 2003 Security Guide”. In this guide, Microsoft points out the recommended settings to have a secure lockout policy. Unfortunately many customer implementations are configured with settings that cause “false lockouts”. The information suggested in this document is applicable to all Active Directory versions, not just 2003. False lockouts are accounts that lock out due to user error rather than application error. For instance, the recommended “lockout threshold” is to be set at 10 or higher:


    “Account lockout threshold setting value to 50 for the Legacy Client and Enterprise Client environments, which should provide adequate security and acceptable usability. This value will prevent accidental account lockouts and reduce help desk calls, but will not prevent a DoS attack as described earlier. However, this guide recommends that you configure this policy setting value to 10 for Specialized Security - Limited Functionality environments.”

    Traditionally floods of false account lockouts are resolved by installing the “account lockout tools” and following the steps outlined in the TechNet article which describes how to use the tools.

    ** Special note here: Do NOT install the Account Lockout DLL on an Exchange server since it may prevent the Exchange store from starting **

    Once the tools are installed you can view the properties of the account password information directly on the user object in Active Directory Users and Computers:


    As seen it matches what the default domain policy is set to:


    In normal 2003 environments users authenticate with a local domain controller within their site. With the introduction of RODC’s, the authentication is a little different. There is a new password feature built into Windows Server 2008 called “Password Replication Policies”. The particular thing to point out from this article is:

    “An administrator can, for example, specify in advance any accounts that an RODC will cache. This way, the RODC can authenticate those accounts, even if the WAN link to the hub site is offline.”

    • If an account password has been allowed to be cached, then they can authenticate even if the WAN link is down.
    • If an account password has not been allowed to be cached, then they will not authenticate if the WAN link is down.

    I recommend extensive consideration and planning to determine the best solution for which accounts will be cached with considerations given to WAN links and reliability. Pay particular attention to the three solutions:

    • No accounts cached
    • Most accounts cached
    • Few accounts cached

    When a user logs on to a computer located in a site where there is an RODC and the user’s password is not cached, the RODC in turn makes a request to a writable Windows Server 2008 domain controller (see the RODC documentation for more information on RODC’s and how they differ from writable domain controllers). If this writable DC is out of site and possibly over a WAN link, this could become a bandwidth issue, and potentially cause logon failures if the link is unreliable. See the section “Password Replication Policy in operation”. If the user’s password is allowed to be cached, then after authenticating the user, the RODC requests a password replication and pulls the password into its cache. There are a couple of cool methods for pre-populating the password cache:

    • Method 1: Open Active Directory Users and Computers from a writable domain controller, right click the RODC and go to properties. Select the “Password Replication Policy” tab then the advanced button. Once the next box opens, user accounts can be added by using the “Prepopulate Passwords” button and selecting the users from Active Directory:


    • Method 2: Using the “Repadmin” utility from the support tools (this tool is built into Windows Server 2008 but can be downloaded for Windows Server 2003 here), and run the following syntax:

    repadmin /rodcpwdrepl [DSA_List] <Hub DC> <User1 Distinguished Name> [<Computer1 Distinguished Name> <User2 Distinguished Name> …]


    Success!

    Cool Tip: If you have set up an RODC or you are taking over an RODC implementation and want to manage the users that have been authenticated to it with as little administration as possible you can use the “Repadmin” command to make your life easier:

    Repadmin /prp move <rodc> <group>

    The move command will send all the security principals from the “Authenticated to” list to the specified group that you name. If the group that you name does not exist, it will create the group on the fly and also add the group to the “Allowed List”… check it out:


    Notice that it asked to move all the security principals from the “auth2” list to the group I created “2008authlist” and created the group for me. This allows me to keep track of who authenticated in 2008, and manage that group automagically by sending all the users who authenticated to my RODC to a security group that I can control. From here I can run an LDIFDE command against the new security group and output its contents for auditing purposes:


    Now getting to the account lockout portion and what administrators may run into. Let’s take a look at the following potential scenario:

    • A user who has not been able to cache their password because a WAN link was down (i.e., an executive visiting an offsite branch location)
    • The account lockout threshold is set at “3” on the Default Domain Policy.

    NOTE: I went with the account lockout threshold set at three (3) to show that when the threshold is set lower than the recommended setting of 10, there is a potential for false lockouts to occur. In this scenario the WAN link goes down, and the user tries their password more than 3 times incorrectly, causing the account to lock out. The real problem was not the threshold but the WAN link, but since the threshold was set too low, another issue happened.

    • The WAN link from the remote site goes down and the only available domain controller is the RODC

    No user passwords are cached on the 2008 Core RODC as seen:


    User “Bob Drake” attempts to log on to the RODC when the WAN link is down and gets the following:


    First problem: Since the RODC needs a writable Windows Server 2008 Domain Controller, it fails the authentication and gives the error that the domain is not available.

    Second Problem: Since we chose not to cache the user’s password in advance the user fails to log in.

    To address the issues, an administrator changes the “Password Replication Policy”, allows the user account password to be cached, and resolves the broken WAN link:


    So the user “Bob Drake” logs in again successfully and the password is cached:


    Now going back to the scenario, let’s say that the WAN link goes down (remember our account lockout threshold was set at 3) and the user types his password wrong three times causing his account to be locked out on the RODC. Note that it does not show in the GUI on any of the domain controllers:

    2008 standard domain controller:


    2008 RODC:


    From the users view of his account that is locked out:


    If we connect to the RODC using ADSIEDIT and take a look at two accounts side by side, we can see that the user account “Bob Drake” is locked out even though normal tools do not show it:


    Note: The “LockoutTime” is stored in NT System Time format. To convert to a readable format you can use the w32tm command (w32tm /ntte):


    When this occurs, there is no way to “unlock” the user’s account using normal methods like Active Directory Users and Computers. This is a unique case, since the user will be complaining that his account is locked out, but the administrators who look at the account do not see it as a locked account. Other users continue to work (as long as their passwords were cached), provided they have not attempted three bad passwords, making it appear that there is no other issue except the account authentication lockout. A domain administrator would look at this and may be stumped on how to unlock the account.

    To get the account unlocked, the WAN link needs to be restored, which will allow the user to authenticate again without doing anything else. Under normal account lockout methodology, the user’s bad password count would get replicated to the other domain controllers in the environment, but that is not the case here. Simply restoring the WAN link will reset the bad password attempts to zero (0) and the account will no longer be locked out, allowing the user to attempt to log on again.
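    The comparison described above, done with ADSIEDIT in the screenshots, can be scripted once the attributes have been read from each DC. The following is an added example (not from the original post) that converts lockoutTime from NT system time, the same conversion w32tm /ntte performs, and reports accounts the RODC has locked while the writable DC still shows them unlocked; the DC names, account names and attribute values are constructed samples.

```python
"""Find accounts locked out on an RODC but not on a writable DC.

Added example, not from the original post. lockoutTime is an NT system time
(100-nanosecond intervals since 1601-01-01 UTC), the value the post converts
with w32tm /ntte; badPwdCount is tracked per DC and is never replicated.
SAMPLE_RECORDS is a constructed dump of what ADSIEDIT shows for the same two
accounts on each DC; server and account names are made up.
"""
from datetime import datetime, timedelta, timezone

NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value):
    """Convert an NT system time (string or int) to an aware UTC datetime.

    Returns None for 0, which Active Directory uses for 'never locked'.
    """
    ticks = int(value)
    if ticks <= 0:
        return None
    # One tick is 100 ns, so ticks // 10 is an exact microsecond count.
    return NT_EPOCH + timedelta(microseconds=ticks // 10)


# Constructed sample: attributes read from a writable DC and from the RODC
# while the WAN link between them is down.
SAMPLE_RECORDS = {
    "HUB-DC1": {                       # writable DC at the hub site
        "bob.drake": {"lockoutTime": "0", "badPwdCount": 0},
        "alice":     {"lockoutTime": "0", "badPwdCount": 1},
    },
    "BRANCH-RODC": {                   # RODC at the branch site
        "bob.drake": {"lockoutTime": "128479914000000000", "badPwdCount": 3},
        "alice":     {"lockoutTime": "0", "badPwdCount": 1},
    },
}


def hidden_lockouts(records, writable_dc, rodc, lockout_threshold):
    """Accounts the RODC considers locked while the writable DC shows them unlocked.

    An account is reported when the writable DC has lockoutTime 0 and the RODC
    either has lockoutTime set or has a badPwdCount at or above the domain's
    lockout threshold.
    """
    findings = []
    for account, rodc_attrs in records[rodc].items():
        hub_attrs = records[writable_dc].get(account, {})
        rodc_locked_at = filetime_to_datetime(rodc_attrs["lockoutTime"])
        hub_locked_at = filetime_to_datetime(hub_attrs.get("lockoutTime", "0"))
        over_threshold = rodc_attrs["badPwdCount"] >= lockout_threshold
        if hub_locked_at is None and (rodc_locked_at is not None or over_threshold):
            findings.append({
                "account": account,
                "locked_on": rodc,
                "locked_at": rodc_locked_at,
                "badPwdCount": rodc_attrs["badPwdCount"],
            })
    return findings


def report(findings):
    """Render findings as plain text, e.g. for a help desk ticket."""
    lines = []
    for f in findings:
        when = f["locked_at"].isoformat() if f["locked_at"] else "unknown"
        lines.append(f"{f['account']}: locked on {f['locked_on']} at {when} "
                     f"(badPwdCount={f['badPwdCount']}); not visible on writable DCs")
    return "\n".join(lines) or "no RODC-only lockouts"


if __name__ == "__main__":
    print(report(hidden_lockouts(SAMPLE_RECORDS, "HUB-DC1", "BRANCH-RODC", 3)))
```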

    In a situation like this, where a company has implemented an RODC in a branch site, has a restrictive password policy set at the domain level, or has an unreliable WAN link, they might want to consider creating an alternate “Fine Grain Password Policy”. This will allow a policy to be set that has a higher account lockout threshold than the default domain policy as well as a higher precedence. This way, when users at the branch office mistype their password more than three times, it will not lock the account out like the rest of the domain (or at least not until they hit the higher threshold).

    New OU Fine Grain Password Policy with higher threshold and precedence:


    To conclude, I highly recommend reading through the documentation about implementing Read-Only Domain Controllers (and possibly how site topologies work). If you know you have an unreliable WAN link, or there are strict password policies set at a domain level, you may want to reconsider the implementation of an RODC to accommodate your environment and make the RODC transition go smoothly.

    -Bob Drake

  • Get out and push! Getting the most out of DFSR pre-staging

    Hi, Ned here again. Today I am going to explain the inner workings of DFSR pre-staging in Windows Server 2003 R2, debunk some myths, and hand out some best practices. Let’s get started.

    To begin, this is the last time I will say ‘pre-staging’. While the term is commonly used, it’s a bit confusing once you start mixing in terminology like the Staging directories. So from here in I will refer to this as ‘pre-seeding’ and hope that it enters your vernacular.

    Pre-seeding is the act of getting a recent copy of replicated data to a new DFSR downstream node before you add that server to the Replicated Folder content set. This means that we can minimize the amount of data we transfer over the wire during the initial sync process and hopefully have that downstream server be available much quicker than simply letting DFSR copy all the files in their entirety over potentially latent network links. Administrators typically do this with NTBACKUP or ROBOCOPY.

    How Initial Sync works

    Before we can start pre-seeding, we need to understand how this initial sync system works under the covers. The diagram below is grossly simplified, but gets across the gist of the process:


    Take a long look here and tell me if you can see a performance pitfall for pre-seeding. Give up? In step 6 on the upstream server, files need to be added to the staging directory before the downstream server can decide if it needs the whole file, portions of a file, or no file (because they are identical between servers). Even if both servers have identical copies, the staging process must cycle through on the upstream server in order to decide what portions of the file to send. So while very little data will be on the wire when all is said and done, there is some inherent churn time upstream while we decide how to give the downstream server what it needs, and it ends up meaning that initial sync might take longer than expected on the first partner. So how can we improve this?

    How initial sync works with pre-seeding

    First let’s take a look at how things will work on our third and all subsequent DFSR members in a Replication Group:


    Since the staging directory upstream is already packed full of files, a big step is skipped for much of the process and the servers can concentrate on actually moving data or file hashes around. This means things go much faster (keeping in mind that the staging directory is a cache and is finite; the longer one waits, the more likely changes are to push out previously staged data). In one repro I did for this post, I found these results in my virtual server environment:

    Environment:

    • Three Windows Server 2003 Enterprise R2 SP2 servers running in Virtual Server 2005 VM’s on a private virtual network.
    • 4GB staging (the default).
    • 5.7GB data on a separate volume on upstream server.
    • To determine replication time, I measured the difference between DFSR Event Log event 4102 and 4104 (like so):

    Event Type:    Warning
    Event Source:    DFSR
    Event Category:    None
    Event ID:    4102
    Date:        2/8/2008
    Time:        11:40:35 AM
    User:        N/A
    Computer:    2003MEM21
    Description:
    The DFS Replication service initialized the replicated folder at local path e:\dbperf and is waiting to perform initial replication. The replicated folder will remain in this state until it has received replicated data, directly or indirectly, from the designated primary member.

    ====

    Event Type:    Information
    Event Source:    DFSR
    Event Category:    None
    Event ID:    4104
    Date:        2/8/2008
    Time:        11:40:36 AM
    User:        N/A
    Computer:    2003MEM21
    Description:
    The DFS Replication service successfully finished initial replication on the replicated folder at local path e:\dbperf.
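    Reading the 4102-to-4104 gap off a few servers by hand is fine for one repro, but the same measurement can be pulled from exported event text. The following is an added example (not from the original post) that pairs the two events per computer and replicated folder; the 2003MEM21 records are the post's own events with the description shortened, and the 2003MEM22 and 2003MEM23 records are constructed to show a longer sync and a member that is still waiting.

```python
"""Measure DFSR initial sync time from exported event log text.

Added example, not from the original post. It pairs each DFSR event 4102
(replicated folder initialized, waiting for initial replication) with the
4104 (initial replication finished) for the same computer and local path,
which is how the post measures replication time. SAMPLE_EVENTS is
constructed: the 2003MEM21 pair is the post's own events (trimmed);
2003MEM22 and 2003MEM23 are made up.
"""
import re
from datetime import datetime

SAMPLE_EVENTS = r"""
Event Type:    Warning
Event Source:    DFSR
Event ID:    4102
Date:        2/8/2008
Time:        11:40:35 AM
Computer:    2003MEM21
Description:
The DFS Replication service initialized the replicated folder at local path e:\dbperf and is waiting to perform initial replication.

====

Event Type:    Information
Event Source:    DFSR
Event ID:    4104
Date:        2/8/2008
Time:        11:40:36 AM
Computer:    2003MEM21
Description:
The DFS Replication service successfully finished initial replication on the replicated folder at local path e:\dbperf.

====

Event Source:    DFSR
Event ID:    4102
Date:        2/8/2008
Time:        1:05:10 PM
Computer:    2003MEM22
Description:
The DFS Replication service initialized the replicated folder at local path e:\dbperf and is waiting to perform initial replication.

====

Event Source:    DFSR
Event ID:    4104
Date:        2/8/2008
Time:        1:33:10 PM
Computer:    2003MEM22
Description:
The DFS Replication service successfully finished initial replication on the replicated folder at local path e:\dbperf.

====

Event Source:    DFSR
Event ID:    4102
Date:        2/8/2008
Time:        2:00:00 PM
Computer:    2003MEM23
Description:
The DFS Replication service initialized the replicated folder at local path e:\dbperf and is waiting to perform initial replication.
"""


def parse_events(text):
    """Split exported event text (records separated by ====) into field dicts."""
    events = []
    for block in re.split(r"\n\s*={2,}\s*\n", text.strip()):
        fields, lines = {}, block.strip().splitlines()
        for i, line in enumerate(lines):
            key, sep, value = line.partition(":")
            if key.strip() == "Description":   # everything after this is free text
                fields["Description"] = " ".join(l.strip() for l in lines[i + 1:])
                break
            if sep:
                fields[key.strip()] = value.strip()
        events.append(fields)
    return events


def local_path(description):
    """Pull the replicated folder's local path out of a 4102/4104 description."""
    m = re.search(r"local path (.+?)(?: and |\.?$)", description)
    return m.group(1) if m else None


def initial_sync_seconds(text):
    """Map (computer, path) -> seconds from 4102 to 4104; None while still waiting."""
    started, result = {}, {}
    for ev in parse_events(text):
        if ev.get("Event Source") != "DFSR" or ev.get("Event ID") not in ("4102", "4104"):
            continue
        when = datetime.strptime(f"{ev['Date']} {ev['Time']}", "%m/%d/%Y %I:%M:%S %p")
        key = (ev["Computer"], local_path(ev["Description"]))
        if ev["Event ID"] == "4102":
            started[key] = when
            result[key] = None            # no 4104 seen yet for this folder
        elif key in started:
            result[key] = (when - started.pop(key)).total_seconds()
    return result


if __name__ == "__main__":
    for (computer, path), secs in initial_sync_seconds(SAMPLE_EVENTS).items():
        print(computer, path, "still waiting" if secs is None else f"{secs / 60:.1f} min")
```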

    Testing results:

    • Test 1: New Replication Group with no pre-seeding. Initial sync took 28 minutes (baseline speed).
    • Test 2: New Replication Group with one downstream server, pre-seeded with NTBACKUP on the downstream server. Initial sync took 24 minutes (~15% faster than baseline).
    • Test 3: Same Replication Group with the original two servers, plus a new third DFSR member pre-seeded with NTBACKUP on the new downstream server. Initial sync took 13 minutes (~55% faster than baseline).

    55% faster is nothing to blow your nose at – and this is just a small amount of low latency data. If you take a very large set of data on a very slow link with high latency then base initial sync could take for example 2 weeks, out of which only 2 hours are spent to stage files and compute hashes, and the rest by sending data across the wire. In this case pre-seeding may be (1 week - 2 hours) / 1 week = 99% faster. As you can see, the fact that data was already staged upstream meant that we spent considerably less time rolling through the staging directory and didn’t spend most of our time verifying the servers are in sync.

    Optimizing pre-seeding

    Go here:

    http://blogs.technet.com/b/askds/archive/2010/09/07/replacing-dfsr-member-hardware-or-os-part-2-pre-seeding.aspx

    To get the most bang for our buck, we can do some of the following to spend the least amount of time populating the staging directory and the most time syncing files:

    • Set the staging directory quota on your hub servers as close to the size of your data as possible. Since hub servers tend to be beefier boxes and certainly closer to home than your remote branches, this isn’t a problem for most administrators. If you have the disk space, a staging quota that is the same size as the data volume will give the absolute best results.
    • When pre-seeding, always use the most recent backup possible and pre-seed off hours. The less data that is in flux in the staging directory while we run through initial replication the better. This may seem like a no-brainer, but customers frequently contact us about slow initial sync that they started at 9AM on a Monday with a terabyte of highly dynamic data!
    • The latest firmware, chipset, network and disk drivers from your hardware vendor will usually give an incremental performance increase (and not just with DFSR performance). You wouldn’t dream of running your servers without service packs and security hotfixes – why wouldn’t you treat your hardware the same way?

    Important Technical Notes (updated 2/28/09)

    1. ROBOCOPY - If you use robocopy.exe to pre-seed your data, ensure that the permissions on the replicated folder root (i.e. c:\my_replicated_folder) are identical on the source and target servers before beginning your robocopy commands. Otherwise, when you have robocopy mirror the files and copy the permissions, you will get unnecessary 4412 conflict events and perform redundant replication (your data will be fine). The issue here is in how robocopy.exe handles security inheritance from a root folder, and how that can change the overall hash of a file. So using the command line /COPYALL /MIR /Z /R:0 is perfectly fine as long as the permissions on the source and destination root folders are *identical*. After pre-seeding your data with robocopy, you can always use ICACLS.EXE to verify and synchronize the security if necessary.

    2A. NTBACKUP (on Win2003 R2) - If you use NTBACKUP to pre-seed your data on a server that already hosts DFSR data on that same volume (i.e. you are going to use a new Replicated Folder on the E: drive, and some other data was already being replicated to that E: drive), and you plan on restoring from a full disk backup, you need to understand an important behavior. NTBACKUP is aware of DFSR: NTBACKUP will set a restore key under the DFSR service's key in the registry (HKLM\System\CurrentControlSet\Services\DFSR\Restore\<date time>) and mark the DFSR service with a non-authoritative restore flag for that volume. The DFSR service will be restarted and the Replicated Folders on that volume will do a non-authoritative sync. This should not be destructive to data, but it can mean that your downstream server becomes unresponsive for minutes or hours while it syncs. When DFSR was written, the thought was that NTBACKUP would be used for disaster recovery, where you would certainly be suspicious of the data and the DFSR jet database and want a consistency sync performed at restore time.

    2B. Windows Server Backup (Windows Server 2008 and Windows Server 2008 R2) - same as above but with newer tools. Do not use NTBACKUP to remotely back up or restore Windows Server 2008 or later. This is unsupported and will mark files HIDDEN and SYSTEM, which you certainly don't want...

    3. XCOPY - The XCOPY /O command works correctly even without having the root folder permissions set identically, unlike robocopy. However, it is certainly not as robust and sophisticated as robocopy in other regards. So XCOPY is a valid option, but maybe not powerful enough for many users.

    4. Third party solutions - be wary of third party tools and test them carefully before committing to using them for wide-scale pre-seeding. The key thing to remember is that the file hash is everything: if DFSR cannot match the upstream and downstream hashes, it will replicate the file on initial sync. The hash includes file metadata such as security ACLs, which ordinary checksum tools do not include in their calculation. In the Windows Server 2008 R2 beta, check out the DFSRDIAG tool to see how we have made this a bit easier for people. If you really need a file hash checking tool, contact us with a support case; we have some internal ones.
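    As an added example (not from the original post or the DFSR team), here is a PowerShell script that carries out note 1 above: it makes the replicated-folder root ACLs identical before copying, runs robocopy with the switches from the note, and re-checks the root ACL afterward. The source and target paths and the log file location are assumptions.

```powershell
# Added example, not the post's own code. Pre-seeds a DFSR replicated folder with
# robocopy as note 1 describes: root ACLs must match on both sides first, otherwise
# the copied files hash differently and DFSR re-replicates them (4412 conflicts).
param(
    [string]$Source = 'E:\my_replicated_folder',            # assumed: existing member
    [string]$Target = '\\branch01\e$\my_replicated_folder',  # assumed: new member
    [string]$LogFile = 'C:\preseed.log'                      # assumed log location
)

# 1. Make sure the replicated-folder root exists on the target.
if (-not (Test-Path -Path $Target)) {
    New-Item -ItemType Directory -Path $Target | Out-Null
}

# 2. Compare the root folder security descriptors (SDDL form) on both sides and
#    copy the source descriptor over when they differ, before any files move.
$srcAcl = Get-Acl -Path $Source
$dstAcl = Get-Acl -Path $Target
if ($srcAcl.Sddl -ne $dstAcl.Sddl) {
    Write-Host 'Root ACLs differ; copying the source root ACL to the target.'
    Set-Acl -Path $Target -AclObject $srcAcl
}

# 3. Mirror the data with the switches from the note. /R:0 means no retries, so a
#    locked file shows up as an error in the log instead of stalling the run.
robocopy.exe $Source $Target /COPYALL /MIR /Z /R:0 /NP /LOG+:$LogFile
# robocopy's exit code is a bit mask; 8 and above means at least one failure.
if ($LASTEXITCODE -ge 8) {
    throw "robocopy reported failures (exit code $LASTEXITCODE); see $LogFile"
}

# 4. Re-check the root ACL after the copy, as the note suggests doing with ICACLS.
$dstAcl = Get-Acl -Path $Target
if ($srcAcl.Sddl -ne $dstAcl.Sddl) {
    throw 'Root ACL differs after the copy; fix it with ICACLS.EXE before adding the member.'
}
Write-Host 'Pre-seed complete and root ACLs match; the member can now join the replication group.'
```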

    Wrap Up

    Finally – I don’t have numbers here for Windows Server 2008 yet, sorry. I can tell you that DFSR behaves the same way in regards to the staging process. Based on the performance improvements made elsewhere though (specifically the 16 concurrent file downloads combined with asynchronous RPC and IO), it should be much faster, pre-seeded or not; that’s the Win2008 DFSR mandate.

    Happy pollinating,

    - Ned Pyle

  • Deploying Legal Notices to domain computers using Group Policy

    Hi, Mike again. Every so often, I’ll talk with a customer wanting to deploy a legal notice to their workstations using Group Policy. Sounds simple, right? Well, it is actually a little tricky to make the legal notice work correctly. Here is a solution that I share with customers that want to do this and have it look right.

    It’s a natural assumption to have this done through Group Policy. Every computer in the domain applies it—it makes the job easy. Searching the Microsoft Knowledgebase does yield a few results—here is one.

    310430 How to configure Windows Server 2003 to display a message when users log on
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;310430

    It seems there is a security policy setting that helps us accomplish this task. So, we follow the article, and Figure 1 shows the results.

    Figure 1- Configuring a legal caption in security policy

    Note:

    These examples are from a computer running Windows Vista Service Pack 1 with Remote Server Administration Tools. However, you can use Windows Server 2003 or Windows XP with the Group Policy Management Console (GPMC) to accomplish these results.

    Now, notice our Legal Notice on a Windows Vista SP1 computer and on a Windows Server 2003 computer.

    Figure 2- Legal Notice on Windows Vista SP1

    Figure 3- Legal Notice on Windows Server 2003

    Where is the formatting? How quickly we go from pretty to… “not so pretty”. There’s no way we are going to let the legal department see this. We have to fix it. But first, let’s briefly explain why this is happening.

    This problem originates from Windows NT 4, when we added Legal Notice Text to the operating system. At that time, it was a single string and did not support carriage returns. We made several attempts to change this behavior shortly after Windows 2000. Interestingly enough, those changes resulted in using a comma (,) as a delimiter for the carriage return. Kinda cool huh?.... Not! Eight years later, legal counsel crafts very concise legal goo, which just might have a few commas within the text. Administrators then had to enclose grammatical commas in quotation marks so Windows would not parse them as carriage returns. That didn’t work well. In Windows Server 2003, we changed the editor to accept a carriage return, allowing you to format your text within the policy, as we did in the example. Well, that only solves the comma problem, because there was no change in how Windows parses the strings: Windows now inserts the commas and quotes for you when it writes the policy setting. And, as you can see in our example, we started with two or more paragraphs and ended with a single blob of text in the window. Lastly, this behavior has not changed with Windows Server 2008 or Windows Vista Service Pack 1. So, how do I format this text?

    You need to use a script to have your legal notice text appear properly formatted. Figure 4 shows a script you can use in a computer startup script (not a user logon script). The script writes the legal notice text to the policy registry key—just as if it were applied using the security policy settings. But, the script allows you to keep your formatting.

    Here is the code for the script. Copy and paste this code into a text file. Be sure to save the text file with a .vbs extension or it will not run correctly. Each command must appear on its own line (no text wrapping); if a command appears wrapped where you are viewing it, rejoin it onto a single line before running the script.

    '==========================================================================
    '
    ' VBScript Source File --
    '
    ' NAME: legal.vbs
    '
    ' AUTHOR: Mike Stephens , Microsoft Corporation
    '
    ' DATE: 11/26/2007
    '
    ' COMMENT: sample computer startup script to deploy legalcaption and legaltext
    '
    ' ==========================================================================

    set wShell = CreateObject("Wscript.Shell")
    strLegalCaption = "Legal Notice"

    Const POLICY_KEY = "HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system\"
    Const LEGAL_CAPTION_VALUENAME = "legalnoticecaption"
    Const LEGAL_TEXT_VALUENAME = "legalnoticetext"

    strLegalText = ""

    strLegalText = strLegalText & "The easiest way is to insert the entire paragraph on one line, between the quotation marks." & vbcrlf & vbcrlf

    ' Copy the line above and repeat for each paragraph in the legal notice.
    ' Remember it is best to limit your notice to two paragraph that contain no more than 4
    ' sentences.

    wShell.RegWrite POLICY_KEY & LEGAL_CAPTION_VALUENAME, strLegalCaption, "REG_SZ"
    WShell.RegWrite POLICY_KEY & LEGAL_TEXT_VALUENAME, strLegalText, "REG_SZ"

    Figure 4- Sample Vbscript code to write legal caption text

    You’ll want to modify the sample code from Figure 4 to include your legal notice. Let me explain the script and which part requires your modifications.

    Line 1: set wShell = CreateObject("Wscript.Shell")

    This line creates a Windows Scripting Host shell object. The script uses a method (or function) of the shell object to write to the registry.

    Line 2: strLegalCaption = "Legal Notice"

    Line 2 creates a variable named strLegalCaption and assigns the text Legal Notice to the variable. This is the text Windows uses for the title of the legal notice dialog box, which appears when the user presses CTRL+ALT+DEL.

    Line 3-5:

    Const POLICY_KEY = "HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system\"
    Const LEGAL_CAPTION_VALUENAME = "legalnoticecaption"
    Const LEGAL_TEXT_VALUENAME = "legalnoticetext"

    These lines create what are called constants. Constants mean just that: they remain constant, their values cannot change, unlike the values of a variable, which can change. Line 3 holds the registry key location to which the script writes. Line 4 holds the registry value name for the legal caption (title of the dialog box), while line 5 holds the registry value name for the legal text (message in the dialog box). Constants work similarly to the search and replace feature found in text editors and word processors: when Windows runs the script, it looks at the constants declared in the script, searches the remainder of the script for those names, replaces each one with its assigned value, and then continues running the script.

    Line 6: strLegalText = ""

    Line 6 creates a variable named strLegalText and assigns an empty string to the variable. This is equivalent to a blank line (without a carriage return).

    Line 7:

    strLegalText = strLegalText & "The easiest way is to insert the entire paragraph on one line, between the quotation marks." & vbcrlf & vbcrlf

    This line is the important line. It defines the text of your legal notice (the text appearing in the dialog box). The registry value name LegalNoticeText is a single string value. Therefore, the script must concatenate your entire legal notice text into one line of text, including the carriage returns. The first part of line 7 shows strLegalText = strLegalText &. This phrase handles concatenating your paragraphs into a single line of text, so we can write it into the single string registry value. The next phrase in the script is between the quotation marks. This represents the first paragraph of your legal notice. You’ll want to paste the entire paragraph between the quotation marks. The best way to do this is to paste your paragraph into Notepad, ensuring that word wrap is off (click Format on the menu and make sure there is no check next to Word Wrap). Position the cursor at the end of the first line. Use the Delete key to move the text on the next line up to the current line. Be sure to keep your spaces. Follow this process until the entire paragraph is on one line (you’ll more than likely have to scroll to the right). Make sure you have opening and closing quotation marks. Your script will likely fail if the command is not on a single line.

    Important

    A quotation mark (“) represents the beginning and end of a string in VBScript. Any alphanumeric characters between the quotation marks, including spaces, are included in the string, just as if you were typing a long file name as an argument to a command line application. Be certain your legal text does not include any quotation marks. If possible, use single quotation marks (‘) instead.

    Copy and paste your original line 7 and repeat the above for each paragraph you want included in your legal text. Things to watch for are:

    • Quotation marks inserted between the beginning and ending quotation marks.
    • The entire command not being on a single line.
    • Keeping the & vbcrlf & vbcrlf immediately after the ending quotation mark at the end of each line that represents a paragraph in your legal text.

    My legal notice text in this example is three paragraphs, with the last paragraph being a single sentence. Therefore, lines 7-9 look like this in my example script (wrapped for readability; these are three separate commands on three separate lines).

    strLegalText = strLegalText & " Alle Menschen sind frei und gleich an Würde und Rechten geboren. Sie sind mit Vernunft und Gewissen begabt und sollen einander im Geist der Brüderlichkeit begegnen." & vbcrlf & vbcrlf

    strLegalText = strLegalText & " Alle Menschen sind frei und gleich an Würde und Rechten geboren. Sie sind mit Vernunft und Gewissen begabt und sollen einander im Geist der Brüderlichkeit begegnen." & vbcrlf & vbcrlf

    strLegalText = strLegalText & " Alle Menschen sind frei und gleich an Würde und Rechten geboren." & vbcrlf & vbcrlf

    Lines 8 and 9 (sample script in Figure 4):

    wShell.RegWrite POLICY_KEY & LEGAL_CAPTION_VALUENAME, strLegalCaption, "REG_SZ"
    WShell.RegWrite POLICY_KEY & LEGAL_TEXT_VALUENAME, strLegalText, "REG_SZ"

    These two lines do all the work. Both lines use the Windows Scripting Host shell object to write to the registry of the local computer. This is accomplished using the RegWrite method. The first parameter to the RegWrite method is the full registry path (hive, key, and value name). The second parameter is the value the script writes into the value name. The last parameter is the data type of the value; in this case both values are strings, which are REG_SZ data types.

    Line 8 uses the POLICY_KEY constant and the LEGAL_CAPTION_VALUENAME constant to build the path to which the script writes. strLegalCaption is the variable we used to hold the value of the legal caption. Line 9 uses the POLICY_KEY constant and the LEGAL_TEXT_VALUENAME constant to build the path to which the script writes. strLegalText is the variable we used to hold the value of the legal text.

    Below is the example script created for contoso.com’s legal text notice, which is based on the sample script from Figure 4.

    '==========================================================================
    '
    ' VBScript Source File --
    '
    ' NAME: legal.vbs
    '
    ' AUTHOR: Mike Stephens , Microsoft Corporation
    '
    ' DATE: 11/26/2007
    '
    ' COMMENT: sample computer startup script to deploy legalcaption and legaltext
    '
    ' ==========================================================================

    set wShell = CreateObject("Wscript.Shell")
    strLegalCaption = "Legal Notice"

    Const POLICY_KEY = "HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system\"
    Const LEGAL_CAPTION_VALUENAME = "legalnoticecaption"
    Const LEGAL_TEXT_VALUENAME = "legalnoticetext"

    strLegalText = ""

    strLegalText = strLegalText & " Alle Menschen sind frei und gleich an Würde und Rechten geboren. Sie sind mit Vernunft und Gewissen begabt und sollen einander im Geist der Brüderlichkeit begegnen." & vbcrlf & vbcrlf

    strLegalText = strLegalText & " Alle Menschen sind frei und gleich an Würde und Rechten geboren. Sie sind mit Vernunft und Gewissen begabt und sollen einander im Geist der Brüderlichkeit begegnen." & vbcrlf & vbcrlf

    strLegalText = strLegalText & " Alle Menschen sind frei und gleich an Würde und Rechten geboren." & vbcrlf & vbcrlf

    ' Copy the line above and repeat for each paragraph in the legal notice.
    ' Remember it is best to limit your notice to two paragraph that contain no more than 4
    ' sentences.

    wShell.RegWrite POLICY_KEY & LEGAL_CAPTION_VALUENAME, strLegalCaption, "REG_SZ"
    WShell.RegWrite POLICY_KEY & LEGAL_TEXT_VALUENAME, strLegalText, "REG_SZ"

    Figure 5- Contoso.com's legal notice script
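    As an added example (not the post's own legal.vbs), here is a PowerShell take on the same task: it builds legalnoticetext from a plain text file with one paragraph per line, joins the paragraphs with the same CRLF CRLF separator the VBScript uses, writes both REG_SZ values, and reads them back to confirm the paragraph breaks survived. Reading the notice from a file also sidesteps the quotation-mark caveat above; the file path and caption are assumptions.

```powershell
# Added example, not the post's script. Writes the legal notice caption and text to
# the same policy key that the security policy setting and legal.vbs write to.
$PolicyKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$NoticeFile = 'C:\Scripts\legalnotice.txt'   # assumed: one paragraph per line
$Caption    = 'Legal Notice'                  # assumed caption

# Each non-blank line of the file is one paragraph. @() keeps a one-line file an array.
$paragraphs = @(Get-Content -Path $NoticeFile | Where-Object { $_.Trim() -ne '' })
if ($paragraphs.Count -eq 0) { throw "No paragraphs found in $NoticeFile" }

# Join with CRLF CRLF, the same separator the VBScript adds as vbcrlf & vbcrlf,
# so each paragraph is followed by a blank line in the logon dialog.
$text = ($paragraphs | ForEach-Object { $_.Trim() }) -join "`r`n`r`n"

# Write both values as REG_SZ, exactly as the security policy setting would.
Set-ItemProperty -Path $PolicyKey -Name 'legalnoticecaption' -Value $Caption -Type String
Set-ItemProperty -Path $PolicyKey -Name 'legalnoticetext'    -Value $text    -Type String

# Read back and verify that the stored string still carries the paragraph breaks;
# a flattened single blob is exactly the symptom the post set out to fix.
$stored = (Get-ItemProperty -Path $PolicyKey -Name 'legalnoticetext').legalnoticetext
if ($stored -ne $text) { throw 'legalnoticetext read back differently from what was written' }
$breaks = ([regex]::Matches($stored, "`r`n`r`n")).Count
if ($breaks -ne ($paragraphs.Count - 1)) {
    throw "Expected $($paragraphs.Count - 1) paragraph break(s), found $breaks"
}
Write-Host ('Wrote {0} paragraph(s) with {1} paragraph break(s).' -f $paragraphs.Count, $breaks)
```

    Run it as a computer startup script, as the post does with legal.vbs, since the key lives under HKLM and needs elevated rights to write.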

    If you can, disable your existing Group Policy object that contains your legal text notice security policy settings. Now, create a new Group Policy object and assign this at the level appropriate for your environment. Configure this GPO with a computer startup script and include your script. Refresh Group Policy and then logoff your workstation. Press CTRL+ALT+DEL.

    Figure 6- Formatted legal notice

    - Mike Stephens

  • New KB articles January 20-26

    New Directory Services-related KB articles for the week. Enjoy!

    KB      Title

    942845  You cannot delete or rename the Offline Files when you work offline on a Windows Vista-based computer
    947224  Error message when you try to connect to a computer that is running Windows XP or Windows Server 2003 through a RDP connection from a Windows Vista-based computer: "the remote computer you want to connect to cannot recognize credentials"
    947231  After you create a VPN connection through a dial-up connection on a Windows Vista-based computer, VPN credentials are not cached
    947223  Description of the Special Groups feature in Windows Vista and in Windows Server 2008
    947238  Event ID: 1530 may be logged in the Application log on a Windows Vista-based client computer
    947235  Error message when you try to access a mapped drive that is mapped to a Windows XP-based computer from a Windows Vista-based computer: "System error 5 has occurred"
    947249  The recovery password for Windows BitLocker is not FIPS-compliant in Windows Vista and in Windows Server 2008
    947302  You receive an error message when you try to use the Digital Signature Algorithm together with a private key to install the Active Directory Certificate Services role in Windows Server 2008
    947057  How to set up SMTP replication on Windows Server 2008-based domain controllers
    919241  An update is available that lets the Chkdsk.exe tool compact the NTFS security descriptor stream in Windows Server 2003 Service Pack 2
    947228  Error message when you join a Windows Vista-based client computer to a top level domain (TLD) that has a purely numeric suffix: "An Active Directory Domain Controller for the domain <DNS domain name> could not be contacted"
    947240  You cannot upgrade a Windows XP-based computer to Windows Vista when you put the "Documents and Settings" folder on a partition that differs from the system partition

    - Craig Landis