KB

Blogs

Hey all. If you have a moment, please try and post a comment on this post. Especially non-Microsoft employees. We're still trying to see why comments stopped working.

Update Nov 2: Well, it seems to be working now. :-) Thanks for all the help folks, it's much appreciated. Comment away, we'll see 'em now.

Thanks,

Ned

Hello everyone, Brian Singleton here. There has been a lot of confusion over the Remote Desktop Services (aka Terminal Server) client access license upgrade process in Windows and this posting is an explanation on how the behavior is actually supposed to function.

In Windows Server 2003 as well as Windows Server 2008 and Windows Server 2008 R2 we have a group policy setting called, “Prevent License Upgrade” and below is a description of the setting:

The license server will always try to provide the appropriate RDS CAL for a connection.  For example a license Server provides a Windows 2000 Remote desktop services (RDS) CAL token for clients connecting to a terminal server running Windows 2000, operating system, a Windows Server 2003 family RDS CAL token for a connection to a terminal server running Windows Server 2003, and a Windows Server 2008 family RDS CAL token for a connection to a terminal server running Windows Server 2008.

By default, if the most appropriate RDS CAL is not available for a connection, a Windows Server 2003 license server will issue a Windows Server 2003 RDS CAL, if available, to the following:

• A client connecting to a Windows 2000 terminal server

In the case of a Windows Server 2008 license server, it will issue a Windows Server 2008 RDS CAL, if available, to the following:

• A client connecting to a Windows Server 2003 terminal server
• A client connecting to a Windows 2000 terminal server

So if it works like it is stated in the group policy setting by default, “why does it not work for me”?

This feature is only utilized in mixed terminal server\terminal server license server environments.

The RDS CAL upgrade behavior functions as follows:

Scenario 1: Windows 2000 and Windows Server 2003:

In my environment I have a Windows Server 2000 licensing server as well as a Windows Server 2003 licensing server (TLS).  The Windows 2000 TLS does not have any available Windows 2000 TS CAL tokens, but my Windows Server 2003 TLS has only Windows Server 2003 Per Device TS CAL tokens installed.  I also have a Windows 2000 terminal server which retrieves its TS CAL token from the Windows Server 2000 TLS via license server override. In this scenario my client is a WinCE thin client, since we require a purchased TS CAL to be installed.  The first time I connect to the Windows 2000 terminal server, I obtain a Windows 2000 Temporary TS CAL token from my Windows 2000 TLS.  The second time I connect to the Windows 2000 terminal server the following occurs:

Since my Windows 2000 TLS does not have any purchased, permanent TS CAL tokens available, the Windows 2000 TLS will forward the request to another TLS via TS licensing discovery, in the case of my environment, to the Windows Server 2003 TLS.  Since my Windows Server 2003 TLS does not have any Windows 2000 TS CAL tokens installed it will issue a Windows Server 2003 TS CAL token to the client connecting to the Windows 2000 terminal server.

Scenario 2: Windows Server 2003 and Windows Server 2008/Windows Server 2008 R2:

In my environment I have a Windows Server 2003 licensing server as well as a Windows Server 2008 licensing server.  The Windows Server 2003 TLS does not have any Windows Server 2003 TS CAL tokens available, but my Windows Server 2008 TLS has only Windows Server 2008 Per Device RDS CAL tokens installed.  I also have a Windows Server 2003 terminal server which retrieves its TS CAL tokens from the Windows Server 2003 TLS via license server override.

In this scenario my client is a Windows XP Professional client.  The first time I connect to the Windows Server 2003 terminal server, I obtain a Windows Server 2003 Temporary TS CAL token from my Windows Server 2003 TLS.  The second time I connect to the Windows Server 2003 terminal server the following occurs:

Since my Windows Server 2003 TLS does not have any permanent TS CAL tokens available, the Windows Server 2003 TLS will forward the request to another TLS via TS licensing discovery, in the case of my environment, to the Windows Server 2008 TLS.  Since my Windows Server 2008 TLS does not have any Windows Server 2003 TS CAL tokens installed it will issue a Windows Server 2008 RDS CAL token to the client connecting to the Windows Server 2003 terminal server.

I hope this explanation on the TS CAL upgrade process has cleared the confusions you may have on this feature.

Brian “Bingleton” Singleton

Hi, David Everett here again to discuss an issue where DFS clients connect to out-of-site targets when the IPv6 protocol has been partially disabled using an incorrect method.

The customer deployed a DFS link replicated by DFSR. An in-site DFS namespace (DFSN) target called ContosoFS1 was deployed in the branch site. It wasn’t long before branch site users started reporting slow performance access data on the DFS link.

The 1^st step was to determine what Active Directory site the DFS clients resided, whether in-site targets existed in the DFS referral and if the in-site target was the Active Target of the DFS client.

To determine which site the client thought it belonged to in Active Directory, we ran this command from the client’s command prompt:

Nltest.exe /dsgetsite

This returned the correct site name. Then in order to determine if the in-site target server was appearing in the list of servers we had the user connect to the DFS link and had the user run this command at the command prompt:

Dfsutil.exe /pktinfo

We found that the client was seeing the in-site DFS target server in the referral. As shown below the in-site DFS target server, which is also a DFS Root server, was at the top of the referral order for \\contoso\dfsroot but ContosoFS1 was at the bottom of the referral order for the in-site folder target.

c:\>dfsutil /pktinfo
Microsoft(R) Windows(TM) Dfs Utility Version 4.2
Copyright (C) Microsoft Corporation 1991-2005. All Rights Reserved.

--mup.sys--
4 entries...
Entry: \Contoso\DFSRoot
ShortEntry: \Contoso\DFSRoot
Expires in 0 seconds
UseCount: 3 Type:0x81 ( REFERRAL_SVC DFS )
   0:[\ContosoFS1\DFSRoot] State:0x119 ( ACTIVE TARGETSET )
   1:[\ContosoFS2\DFSRoot] State:0x09 ( )
   2:[\ContosoFS3\DFSRoot] State:0x109 ( )
   3:[\ContosoFS4\DFSRoot] State:0x09 ( )
   4:[\ContosoFS5\DFSRoot] State:0x09 ( )

Entry: \Contoso\DFSRoot\TargetFolder
ShortEntry: \Contoso\DFSRoot\TargetFolder
Expires in 0 seconds
UseCount: 0 Type:0x1 ( DFS )
   0:[\ContosoFS4\TargetFolder] State:0x131 ( ACTIVE TARGETSET )   <- out of site IPv4-only W2K3 target that client is connected to
   1:[\ContosoFS3\TargetFolder] State:0x21 ( )    <- out of site IPv4-only W2K3 target
   2:[\ContosoFS5\TargetFolder] State:0x21 ( )    <- out of site IPv4-only W2K3 target
   3:[\ContosoFS1\TargetFolder] State:0x121 ( )    <- In-site target that should be at top of list but isn't because IPv6 is incorrectly disabled

Once we knew the client was determine its site correctly from active Directory and that the in-site DFS target server was appearing in the DFS referral the focus turned from the client to the Active Directory and the target server.

A quick glance at Active Directory Sites and Services snap-in suggested the IPv4 Site/Subnet logic was properly configured and correct site discovery by the client reinforced this. However, there were no Site/Subnet associations for IPv6 which is the preferred protocol for Windows Server 2008.

Since IPv6 is the preferred protocol for Vista and later Operating Systems I was going to implement an IPv6 Site/Subnet association in Active Directory Sites and Services and see if this would improve DFS referral ordering of the in-site DFS target server. I checked the configuration of IPv6 on ContosoFS1 and found the protocol had been unchecked; which is not a good practice.

It’s a common misconception that unchecking IPv6 disables the protocol when in fact all it does is introduce transient errors. Windows Vista and later operating systems heavily rely upon IPv6 for internal operation, which means the protocol cannot be disabled or uninstalled entirely. Unchecking IPv6 on the adapter settings only unbinds the protocol from the NIC and the OS can still attempt to send remote traffic to the NIC where it never hits the wire.

There are three solutions for this:

I. The preferred method is to place a check mark next to "Internet Protocol Version 6 (TCP /IPv6)" on the IP Properties of the Adapter and reboot the server.

II. Configure Static IPv6 addresses on your Windows Server 2008 DFS target servers and then define IPv6 Subnet/Site associations in Active Directory Sites and Services. See the following TechNet article on how to do this:

Create a Subnet Object or Objects and Associate them with a Site

III. For those who have some aversion to having any IPv6 traffic hitting the wire there is a “supported” [not recommended by the Microsoft Product Group] way to disable outbound IPv6 using the DisabledComponents registry value as directed in KB929852. Contrary to what the article states, it is possible to simply use Group Policy Preferences to disable IPv6 domain-wide – there is no need for a custom ADMX.

NOTE: It is beyond the scope of this blog to determine which components of IPv6 should be disabled in a given environment using DisabledComponents. To completely disable all External use of IPv6 configure DisabledComponents to ffffffff. Also, if you find IPv6 remains checked in the UI after configuring DisabledComponents in the registry rest assured the protocol is disabled for all remote traffic.

For those interested in more about DFS Site Discovery and Target Selection please see the DFS FAQ.

-David “Dy-no-miiiite!” Everett

Hey all, Ned here again. Mahesh from the DFSR development team has new posts up on the System Center Operations Manager 2007 management pack that was released for DFSR. Give them a read, Mahesh always writes good stuff.

Installing the management pack

Importing the management pack

Configuring the management pack

Optional configuration – enabling backlog monitoring 

These are in addition to the post I referenced back here. 

- Ned 'the redirector' Pyle

Hello, LaNae here again. Recently I worked with a customer that was looking for a comprehensive document that outlined the steps for decommissioning a server that had an ADAM/ADLDS instance installed on it. I along with the customer realized there is no such document and you have to piece together multiple documents to get the steps. I decided to write this blog at the urging of the customer so that others do not have this issue.

For the purpose of this blog we will work with the following example:

Current Configuration

• There are 2 ADAM/AD LDS instances in one configuration set.
• Server A and Server B are the names of the servers that host the instances.

Goal

Add Server C and Server D and install and configure ADAM/AD LDS instances that will be part of the existing configuration set. Remove the ADAM/AD LDS instances from Server A and Server B and decommission them.

Overview of Steps

1. Install ADAM or the AD LDS role on servers C and D.

2. Install and configure the ADAM/AD LDS instances one on each server to be members of the existing configuration set. Steps for ADAM: Managing Configuration Sets Steps for AD LDS: Practice Managing Replica AD LDS Instances

3. Once replication is complete you will need to transfer the ADAM/AD LDS built-in FSMO roles from Server A or B which ever holds the roles to Server C or D. There are only 2 roles you will need to transfer, Naming Master and Schema Master. Replication in ADAM or AD LDS

Check Replication

From an ADAM command prompt or regular command prompt depending on whether this is ADAM or AD LDS you can run the following command to check replication.

Repadmin /showreps servername:portnumber of instance

Determining FSMO Role Holder

If ADAM is installed all the following steps must be done from the ADAM command prompt. If using ADLDS a regular command prompt is fine.

1. Type dsmgmt <enter>

2. Type roles <enter>

3. Type connections <enter>

4. Type connect to server servername:portnumber of instance <enter>

5. Type quit <enter>

6. Type select operation target <enter>

7. Type list roles for connected server <enter> Note: This should list who owns the FSMO roles.

Transfer FSMO Roles to new Server

The following steps need to be done from an ADAM command prompt if running ADAM.

1. Open an ADAM tools command prompt.

2. At the command prompt, type: dsmgmt

3. At the dsmgmt: command prompt, type: roles

4. At the FSMO maintenance: command prompt, type: connections

5. At the server connections: command prompt, type: connect to server servername:portnumber where servername:portnumber is the computer name and communications port number of the ADAM instance that you want to use as the new naming master or schema master.

6. At the server connections: command prompt, type: quit

7. At the FSMO maintenance: command prompt, type: transfer rolename

Remove the Instances from the old servers

To remove an ADAM instance

1. Open Add or Remove Programs.

2. Click Change or Remove Programs, and then click the ADAM instance that you want to remove.

3. Click Remove.

To remove an AD LDS instance

1. To open Programs and Features, click Start, click Settings, click Control Panel, and then double-click Programs and Features.

2. Locate and click the AD LDS instance that you want to remove.

3. Click Uninstall.

You can now decommission Server A and B.

- Lanae Wade

UPDATE June 19 2010 - stop reading and go here, we released ADMT 3.2:

http://blogs.technet.com/b/askds/archive/2010/06/19/admt-3-2-released.aspx

===============

Hi all, Ned here again. Microsoft is still working on ADMT 3.2, which can be installed on Windows Server 2008 R2 servers for migrations. There's no estimated date for this new tool yet.

In the meantime, we have tested ADMT 3.1 and come up with supported scenarios for using it to migrate to R2 domains. Below are two KB articles that cover the requirements, what's supported, and known issues. As anyone who has emailed me already knows, we definitely support running ADMT 3.1 on a Windows Server 2008 DC or member server in an R2 domain, and migrating with it will be supported. Read more about this:

Known issues that may occur when you use ADMT 3.1 to migrate to a domain that contains Windows Server 2008 R2 domain controllers - http://support.microsoft.com/kb/976659

You cannot uninstall ADMT 3.1 after you perform an in-place upgrade to Windows Server 2008 R2 -
http://support.microsoft.com/kb/974625 

Important note: If you do not have Windows Server 2008 (i.e. you went from Windows 2000 or Windows Server 2003 straight to Windows Server 2008 R2), you do have downgrade rights. See this website on how to get product keys and media for R2:

http://www.microsoft.com/windowsserver2008/en/us/downgrade-rights.aspx

Perhaps the onslaught of emails about this can now subside... :-)

- Ned "go go go" Pyle