April, 2010

  • The Case for Migrating SYSVOL to DFSR

    Hello folks, Ned here again. Recently I was asked to provide a technical assessment of the risks of continuing to use the File Replication Service (FRS) and the benefits of migrating to DFSR, all regarding SYSVOL on domain controllers. I thought I’d find a decent set of documentation on TechNet, polish it up and send it along – I was wrong; I had to spend several hours coming up with a complete list.

    Now you can reap the benefits. Hopefully this helps you convince yourself or your management that the time has come to cut the cord on FRS, especially if you have already deployed your Windows Server 2008 DC’s.

    I sure hope you like bullet points!

    The risks and downsides of FRS and SYSVOL

    • FRS code is in maintenance mode, where Microsoft does not accept design change requests or bug fixes except when related to security. The last FRS bug fix update was released in KB939667. It was for Win2003 and nearly 3 years ago; Win2008 has never gotten an FRS bug fix update in its history.
    • Additionally, the FRS component began deprecation starting in Windows Server 2003 R2:  
      • The Microsoft product team stopped investing in FRS in Windows Server 2003 R2, when it was decided to build DFSR and have that replace FRS even for SYSVOL replication
      • DFSGUI.MSC FRS management tool was removed in Win2008
      • FRS component no longer installable in Win2008 R2 except for SYSVOL replication on DC’s
      • FRS component automatically uninstalled during in-place upgrade of Win2008 R2 non-DC’s 
    • FRS scalability and performance are significantly lower than DFSR, especially with frequently modified files, larger data sets, larger files, and slow wide area networks. FRS always replicates an entire file regardless of modification type (i.e. a security change, data change, attribute change, or file name change each replicate the entire file)
    • FRS does not include a public development interface (API or WMI) for monitoring, and its interface for management is limited
    • FRS does not have a native, supported health reporting mechanism.
    • FRS does not have a native, supported monitoring solution from Microsoft System Center. It only has legacy unsupported tools like Sonar, Ultrasound, CONNSTAT, etc. with limited MOM 2005 integration
    • FRS has limited performance monitoring counters through PERFMON/ETW
    • FRS does not have a working self-healing system for problems like database corruption, journal wraps, and morphed folders
    • FRS does not fully support RODC SYSVOL replicas and allows data to become unsynchronized without chance of automatic resynchronization
    • FRS does not support the inter-site change notification flag, leading to artificially slow replication between DC’s in different AD logical sites
    • FRS does not have significant built-in instrumentation (debug logs, event logs) for troubleshooting and debugging

    The improvements and upsides to DFSR and SYSVOL

    • DFSR code is in active development with full product DCR and QFE support. Hotfixes for feature improvements as well as bug fixes are regularly released and also integrated into new Service Packs.
    • DFSR scalability and performance are designed to be superior to FRS. This includes:
      • Ability to replicate partial file changes using RDC (block-level delta replication) rather than entire files
      • Support for cross-file RDC that can construct new files from similar files, rather than replicating the new file over the wire (when using Enterprise edition)
      • A more efficient file compression on staged files
      • The number of files that can be replicated inbound and outbound simultaneously is significantly increased
      • Support for unstable and slow networks with asynchronous RPC
      • Support for more efficient OS kernel mechanisms introduced in Win2008 like unbuffered I/O, low priority I/O, and asynchronous I/O’s
      • No staging of smaller files (<=64KB by default)
      • Staging compression can be controlled on a per-file type basis
      • Scalable to a supported (not hard) limit of 10 terabytes of data. Although if you have 10TB in SYSVOL, you are doing it wrong buddy.
    • DFSR has a public interface (using WMI/DCOM) for managing and monitoring all aspects of DFSR, including backlog (and files currently on the wire in Win2008 R2). It also includes command-line tools that give feature parity with the GUI management tools
    • DFSR has a native, supported health reporting mechanism that is available through the GUI or command-line and generates HTML/XML outputs
    • DFSR has several releases of native, supported monitoring solutions from Microsoft System Center via management packs. The new Win2008 R2 File Services MP is also in final stages of beta
    • DFSR has more complete performance monitoring counters through PERFMON/ETW
    • DFSR has a self-healing system for problems like database corruption or journal wraps. Due to improved replication performance and the ability to enable content freshness protection, it is also very unlikely to ever see a journal wrap in the first place. DFSR also does not create morphed folders like FRS and instead uses a conflict resolution algorithm
    • DFSR supports RODC SYSVOL replicas and does not allow SYSVOL’s to remain out of sync in Win2008. In Win2008 R2 originating I/O in SYSVOL is completely blocked with a filter driver on RODC’s
    • DFSR - while it does not directly support the AD DS inter-site change notification flag – always replicates SYSVOL immediately and continuously with its own internal change notification as long as the schedule is open; these scheduled windows are in 15 minute blocks and are assigned on the AD DS connection objects. If the current time matches an open block, you replicate continuously (as fast as possible, sending DFSR change notifications) until that block closes. If the next block is closed, you wait for 15 minutes, sending no updates at all. If that next block had also been open, you continue replicating at max speed.
    • DFSR has significant built-in instrumentation for troubleshooting and debugging, including considerable event logging and a large number of highly verbose debug logs (1000 debug logs maintained under compression by default in Win2008 R2, at the second to highest level of verbosity by default)

    A table

    Here’s a different way of looking at it, as I know executives love their matrices:

    Description                                          | FRS | DFSR
    Reliable, fast, scalable, and continually improving  | No  | Yes
    Is deader than fried chicken                         | Yes | No

    Now go migrate. For most customers it will be a few hours of work. Your manager may not even have time to buy you lunch on a Saturday.

    Stay tuned for another article about the benefits of using FRS. Its title will be “the shortest blog post ever written” and will contain only a picture of my dogs eating their toys. Here’s a preview.

    A special thanks to Mahesh from the DFSR product team for his timely review and contributions to this write up. You rock dude.

    Until next time,

    Ned “nom nom nom” Pyle

  • Win2008 R2 BPA Updates Released for April 2010 wave

    Ahoy hoy. The BPA release cycle has just ticked over once for Windows Server 2008 R2. This means that you can now install – through Windows Update or the Download Center – add-ons that snap into Server Manager and will tell you if you are following MS best practices for your installed roles. Simply install the update, look at the role, and click “scan this role”. After some noodling, BPA will kick out info.

    For example, it appears I stink at running DFSN…

    But I rule at running DFSR!

    Here’s what just shipped:

    • Update for Best Practices Analyzer for HYPER-V for Windows Server 2008 R2
    • Update for Best Practices Analyzer for Network Policy and Access Services for Windows Server 2008 R2
    • Update for Best Practices Analyzer for Active Directory Rights Management Services for Windows Server 2008 R2
    • Update for Best Practices Analyzer for Application Server for Windows Server 2008 R2
    • Update for Best Practices Analyzer for File Services for Windows Server 2008 R2
    • Update for Best Practices Analyzer for DHCP Server for Windows Server 2008 R2
    • Update for Best Practices Analyzer for Windows Server Update Services for Windows Server 2008 R2

    Download them all from here.

    Read more about them all here.

    You need Windows Server 2008 R2 to use any of this stuff, so add it to your list of reasons to upgrade if you haven’t already. More BPA’s coming out when they… come out. Including updates to these existing ones, in theory.

    Hey Mahesh, where’s your post?

     

    Ned “beat filecab to the punch for once”  Pyle

  • Friday Mail Sack – I live again edition

    Hello all, Ned here again. After a brief absence, the rocket sled that I use to carry my disembodied head around has brought me back to AskDS headquarters. The coup is over and I have emerged triumphant again. You won’t be hearing from Jonathan until the truth serum wears off.

    So let’s talk some talk.

    Question

    There was a tool called ntrights.exe in the Win2003 resource kit tools, but we couldn't find one for Windows Server 2008. I need a command-line based tool to add security privileges for users.

    Answer

    The ntrights.exe tool still works fine even in Windows Server 2008 R2 and Windows 7 so feel free to use it. You could also use secedit.exe /configure with a custom INF file that added the user rights (good idea Mike). Not to mention group policy – adding privs with the command-line sounds like a lot of extra work to me.
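The secedit.exe /configure route mentioned above, sketched in PowerShell as an added example (not from the original post). The account name and the chosen right are placeholders; the script keeps the existing holders of the right because the value in the INF replaces the current assignment rather than appending to it.

```powershell
# Added example: grant one user right with secedit.exe /configure and a custom INF.
# Assumptions: run from an elevated prompt; $Account and $Right are placeholders.
param(
    [string]$Account = 'CONTOSO\svc-backup',   # hypothetical account
    [string]$Right   = 'SeServiceLogonRight'   # "Log on as a service"
)
$ErrorActionPreference = 'Stop'

$work   = Join-Path $env:TEMP ('rights-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
$export = Join-Path $work 'current.inf'
$inf    = Join-Path $work 'grant.inf'
$db     = Join-Path $work 'grant.sdb'

# Resolve the account to a SID so the template does not depend on name lookup.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# 1. Export the current user-rights assignments.
secedit.exe /export /cfg $export /areas USER_RIGHTS | Out-Null

# 2. Read the current holders of the right; they must be carried over,
#    otherwise applying the template would strip them.
$pattern = '^\s*' + [regex]::Escape($Right) + '\s*='
$line    = Get-Content $export | Where-Object { $_ -match $pattern } | Select-Object -First 1
$holders = @()
if ($line) {
    $holders = @(($line -split '=', 2)[1].Split(',') |
                 ForEach-Object { $_.Trim() } | Where-Object { $_ })
}
if ($holders -notcontains "*$sid") { $holders += "*$sid" }

# 3. Write a minimal template that touches only this one right.
$template = @(
    '[Unicode]', 'Unicode=yes',
    '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
    '[Privilege Rights]', ('{0} = {1}' -f $Right, ($holders -join ','))
)
Set-Content -Path $inf -Value $template -Encoding Unicode

# 4. Apply only the user-rights area and check the exit code.
secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS
if ($LASTEXITCODE -ne 0) {
    Write-Error "secedit failed; see $env:windir\security\logs\scesrv.log"
}
```

On a domain member, a GPO that defines the same right will overwrite this local setting at the next policy refresh.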

    Question

    How much free space is needed for temporary files doing a USMT 4.0 scanstate? I grok that it arbitrarily requires at least 250MB as stated here, but could I need more? I plan to have the store file written to a network drive.

    Answer

    By default, the USMT temp/working folder is the operator's %TEMP% folder (obviously, this is local to the computer). The full set of files is not gathered here; the store is updated in a serialized fashion directly. The temporary file that USMT 4.0 creates is used purely to track work and back the store's catalog data and non-file data.

    When running scanstate /p, the space estimator figures out how big the backing file will get, then adds an additional 1MB of "fudge factor". The binary size of gathered user data files never matters - just the quantity of units to be migrated.

    For example, in a repro I had a Windows 7 client with eight profiles. This created a temporary backing file that was 44MB. Then when I cut the migration down to a single user profile the temporary file was only 9MB. When I added 300+MB of data to my profile (so only 20 files, but each being very big), the temporary space usage estimate did not get appreciably larger.

    <?xml version="1.0" encoding="UTF-8"?>
    <PreMigration>
      <storeSize>
        <size clusterSize="4096">96075776</size>
      </storeSize>
      <temporarySpace>
        <size>10576664</size>
      </temporarySpace>
    </PreMigration>

    <?xml version="1.0" encoding="UTF-8"?>
    <PreMigration>
      <storeSize>
        <size clusterSize="4096">425594880</size>
      </storeSize>
      <temporarySpace>
        <size>10617624</size>
      </temporarySpace>
    </PreMigration>

    Also, you can use the USMT_WORKING_DIR override environment variable to make the temporary folder a remote server path. But the migration is going to get much slower. My repro scanstate ran ~2-3 times slower because I had traded fast local I/O for comparatively slow network I/O. That was on a gigabit network with no contention. A hard-link migration would be much faster.
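An added example (not from the original post) that reads a scanstate /p estimate file, compares the two estimates shown above, and checks that the working folder has room. The file name, function names and the use of the 250MB figure as a floor are assumptions of this sketch.

```powershell
# Added example: parse scanstate /p estimate output and check working-folder space.
param([string]$EstimateFile = '.\usmtsize.xml')   # hypothetical file name

function Get-UsmtEstimate {
    param([xml]$Xml)
    New-Object PSObject -Property @{
        StoreBytes  = [int64]$Xml.PreMigration.storeSize.size.'#text'
        ClusterSize = [int]$Xml.PreMigration.storeSize.size.clusterSize
        TempBytes   = [int64]$Xml.PreMigration.temporarySpace.size
    }
}

function Test-UsmtWorkingSpace {
    param($Estimate, [string]$WorkingDir)
    $root = [System.IO.Path]::GetPathRoot($WorkingDir)
    if ($root -like '\\*') {
        # DriveInfo cannot query a UNC path; check the share by other means.
        Write-Warning "Working folder $WorkingDir is remote; free space not checked."
        return $null
    }
    $free = (New-Object System.IO.DriveInfo $root).AvailableFreeSpace
    # The larger of the estimate and the 250MB minimum mentioned in the question.
    $need = [Math]::Max($Estimate.TempBytes, 250MB)
    New-Object PSObject -Property @{
        WorkingDir  = $WorkingDir
        FreeBytes   = $free
        NeededBytes = $need
        Enough      = ($free -ge $need)
    }
}

# Sample input: the two estimate files from the post, collapsed onto one line each.
$small = [xml]'<PreMigration><storeSize><size clusterSize="4096">96075776</size></storeSize><temporarySpace><size>10576664</size></temporarySpace></PreMigration>'
$large = [xml]'<PreMigration><storeSize><size clusterSize="4096">425594880</size></storeSize><temporarySpace><size>10617624</size></temporarySpace></PreMigration>'

$a = Get-UsmtEstimate $small
$b = Get-UsmtEstimate $large
'Store estimate grew by {0:N0} bytes; temporary space grew by {1:N0} bytes' -f `
    ($b.StoreBytes - $a.StoreBytes), ($b.TempBytes - $a.TempBytes)

# Use a real estimate file when one exists, otherwise the larger sample.
$estimate = $b
if (Test-Path $EstimateFile) { $estimate = Get-UsmtEstimate ([xml](Get-Content $EstimateFile)) }

# USMT_WORKING_DIR overrides %TEMP% as the working folder.
$dir = if ($env:USMT_WORKING_DIR) { $env:USMT_WORKING_DIR } else { $env:TEMP }
Test-UsmtWorkingSpace -Estimate $estimate -WorkingDir $dir
```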

    Question

    Is there a way to isolate a DC in order to do an AD Schema upgrade? I cannot find any documentation on how to do this.

    Answer

    Isolating the Schema Master for ADPREP /FORESTPREP is not tested by the Product Group and not recommended*; we intentionally try to block you from this scenario starting in Win2003 SP1. Attempting to do so will return:

    “Adprep was unable to extend the schema.
    [Status/Consequence]
    The schema master did not complete a replication cycle after the last reboot. The schema master must complete at least one replication cycle before the schema can be extended.
    [User Action]
    Verify that the schema master is connected to the network and can communicate with other domain controllers. Use the Sites and Services snap-in to replicate between the schema operations master and at least one replication partner. After replication has succeeded, run adprep again.”

    This was added back in Win2003 SP1, based on the fact that customers were causing horrendous issues trying to isolate their Schema Master FSMO servers during a migration or never verifying that the Schema master was healthy, then incorrectly (or never) reattaching them to their domain while the now split schemas diverged.

    Our supported and recommended methodology is for you to test the migration in your lab with a copy of your current forest/schema; if there are going to be problems in the schema upgrade, they will happen in your lab. Likewise if there are going to be problems with the Schema itself, they would occur there as well. Prior to upgrading your schema, we recommend that you get a good System State backup on all DC’s; but we recommend you do this every day, not just for Schema upgrades. If there was some irreconcilable issue you could restore your forest from backup using those system states using our forest recovery info here: http://technet.microsoft.com/en-us/library/planning-active-directory-forest-recovery(WS.10).aspx

    This was an especially excellent question – sometimes we imply through an absence of documentation rather than stating things flat out, unfortunately.

    * And to be clear here, yes it is possible to disable replication temporarily. Older documentation even used to say things like "disconnect your schema master" or "block outbound replication". Newer documentation does NOT, as we now have a decade's worth of experience with customers using those techniques in lieu of proper testing. And dealing with the fallout of that! We've had customers disable the replication then forget to ever turn it back on again; guess what happened after 61 days?

    When the AskDS team says something is possible, it often gets construed as it's recommended and supported. It's not. Testing your schema update in a lab costs nothing thanks to free virtualization products aplenty. Do that and you cannot go wrong.

    Question

    Do the registry values in KB954968 apply to Windows Server 2008 and 2008 R2 also, in regards to configuring FSRM hard quotas to work with DFSR?

    Answer

    The registry values still work, yes. But they shouldn’t be as necessary in 2008/2008 R2 DFSR because all of the folders and files that FSRM would count against quota are now under a reparse point. The reparse point will prevent the quota from being enforced in this circumstance.

    So for example, if you set an FSRM quota against c:\condelrf, it would not affect the contents of the c:\condelrf\dfsrprivate folder:

    Because that is actually this reparse point target location:

    So the data in there is not covered for quota. The KB and registry change from 2003 R2 were necessary because back then, dfsrprivate was a real folder under the DFSR replicated folder. When quota was hit there, kaboooooom.

    You still need to make sure that you approach hard quotas with extreme caution though:

    http://technet.microsoft.com/en-us/library/cc773238(WS.10).aspx#BKMK_064

    DFSR and FSRM do not really have a good interop story – using them together is not something I’d personally recommend, after many, many support cases fixing the fallout of inappropriately configured hard quotas.

     

    Finally, some sad news. Our fearless manager Mike O’Reilly - he of the swapped desk and the cubicle tree - has left us for greener pastures. At least as green as pastures get in Newfoundland. Mike is now a director at a large construction firm back on his native island in his pseudo-country we call America’s Hat. In fond memory, here is his email address: moreilly1974vw@hotmail.com. I sure hope it doesn’t get crazily inappropriate spam, what with it being out here on the Internet forever.

    That’s all, have a nice weekend folks,

     

    Ned “image “ Pyle

  • FRS to DFSR migration guide published

    Hi all, Ned here. A new Technet operations guide has been published that walks you through how to migrate from FRS to DFSR for non-SYSVOL folders running on Windows Server 2003 R2 and Windows 2008:  

    DFS Operations Guide: Migrating from FRS to DFS Replication
    http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=a27008a8-4b28-49cc-80b5-05b867440af9

    We (Mike Stephens and I) are also working on a migration tool to be available from CodePlex. There is no ETA on this as even though we are code complete, we are entering the lawyer phase that is out of our control. The tool gives you a way to list, export, and delete your old FRS replicas then configure DFSR to replicate the same files on the same servers, all through a command-line interface, all pretty automagically. More on that when I have something concrete to tell you - again, please don't keep asking for ETA in the meantime, I am just going to ignore you. :-)

    Ned "thank goodness that's done" Pyle

  • Friday Mail Sack – Marshmallow Bird Edition

    Hi there intarwebz, Ned here. Hopefully you’re at home right now filling up the basket with Peeps for the kids. For those that aren’t, here are this week’s interesting questions from our readers and fellow employees.

    Question

    I am looking for a newer set of information on Active Directory’s LDAP V3 compliance. This old document is good but it was written when the LDAP V3 RFC was still in review by the IETF. Is there something more up to date I can use to fight the good fight?

    Answer

    You bet, and boy did we bury it. If you go into MSDN –> Open Specifications –> Windows Protocols –> Windows Communication Protocols –> [MS-ADTS] –> Details –> Common Details –> 3.1.1 Abstract Data Model –> 3.1.1.3 LDAP –> 3.1.1.3.1 LDAP Conformance you will find:

    http://msdn.microsoft.com/en-us/library/cc223226(PROT.10).aspx

    Which states in robot lawyer talk:

    “The purpose of this section is to document how the implementation of Active Directory DCs interprets the LDAPv3 RFCs, including differences from those RFCs. Except as noted in the following subsections, Active Directory is compliant to [RFC3377]. All error codes returned by Active Directory are taken from the resultCode enumeration of the LDAPResult structure defined in [RFC2251] section 4.1.10.”

    It covers Win2000, 2003, Win2008, and Win2008 R2 and specifically goes into details of compliance. We also have extended LDAP for AD purposes so we have extra functionality not mandated by the RFC’s.

    Enjoy your nap.

    Question

    I have a Java application that cannot retrieve data from a constructed attribute. Does anything need to be changed in AD to allow this to work?

    Answer

    If DSA.MSC, ADSIEDIT.MSC, LDP.EXE, LDIFDE.EXE, CSVDE.EXE, Get-AdObject, Joeware tools, DC's, Clients, Users, and the rest of the kitchen sink can all read it, nothing needs to be done with AD. Something needs to be done with the Java code. :-) This is the first thing we hammer into the heads of new engineers here in AD Support – validate with known quantity tools.

    Question

    Is there any good reason to turn on the “Disable machine account password change” security policy when computers are on a LAN and on all the time?

    Answer

    Officially, we do not recommend disabling the password changes, just like it says in the Explain tab in policy editor.

    However, if you:

    • Restore a 31+ day old system state backup
    • Change the computer account password more than once with NLTEST and then restore a system state backup

    … then the computer would have to be rejoined to the domain. Not having the password change ever would prevent this.

    A computer account password getting brute forced is extremely unlikely (it’s ridiculously complex) so having it change every 30 days is mostly paranoia on our part. It is far easier – and thus more likely - that the machine itself gets owned without knowledge of the password, just through a careless user with admin rights or an un-patched security bug elsewhere; having the password change every 30 days would not save you in that scenario.

    Again though: officially not recommended. Especially since your only downside is rejoining the computer to the domain after restoring it from backup. Not exactly the end of the world.

    Question

    How do I know if the Windows Server 2008-related content is updated on TechNet? Are there any other ways I can get updates or alerts via email when the content has been updated?

    Answer

    I hope you have a couple terabyte storage arrays lying around; you are looking to get updates from one of the busiest websites in the world. :-) There is no “alert me when TechNet is updated” option, but Craig and his TechNet Wiki pals came up with an interesting way to get this in a “lite” fashion through RSS:

    1. Go to http://technet.microsoft.com and search for something broad that you are interested in, like: Windows Server 2008 R2 DFSR

    2. This returns a boatload of hits as you might expect. You then refine that into “documentation and articles”. Note though that there’s a little RSS nubbin’ here:

    3. If you subscribe to that, you can see new content for those displayed topics when changed.  Nifty.

    Wooo, and check this out:

    Once you install that federated search connector in your Windows 7 client, now you get:

    Oh. Em. Gee. That’s cool. We also have one for MSDN.

    Web 2.0 is so yesterday. Full client search within Windows Explorer is the future! :-D

    Final note

    There will not be a Friday Mail Sack next week as I am off to see the Cubs play the Braves in Atlanta on Thursday, and making a weekend of it. For our British, Indian, and Australian readers, baseball is defined as “A cricket-like game that does not take a month to play and does not involve cardigan sweaters”.

    Come by and say hi!

    - Ned “theriot” Pyle

  • Friday Mail Sack – Limping In Edition

    Hi there world. It’s been a particularly gnarly week: not too many questions that most people would find relevant, plus it was just crazy busy (stupid Windows 7 and R2, being all popular and whatnot, leads to a lot of USMT work for me… D-: ). Hence – late posting with not much sirloin.

    Get to the choppah!

    Question

    I’ve installed my first few Windows Server 2008 R2 computers and tried to make them DFS Namespace V2 (i.e. “Windows Server 2008 Style”) root servers. I am having a bunch of issues setting it up though. For example, using DFSMGMT.MSC or running this command:

    DFSUTIL.EXE ROOT ADDDOM \\TESTSRV\Test V2

    always returns:

    Could not execute the command successfully
    SYSTEM ERROR - The version of the operating system installed on the server is incompatible with the functional level of the domain or forest.

    I’ve had various Win2008 servers for a while now and they add as V2 roots just fine in the same domain and forest. I also cannot delete previously created links in V2 namespaces using the R2 servers, I get error:

    The folder cannot be deleted. Cannot complete this function.

    What’s up here?

    Answer

    You need to raise the forest functional level to Windows Server 2003 or higher; right now it’s at Windows 2000, I’ll wager. Windows Server 2008 R2 DFSN requires the higher level due to how it does some AD object creation operations differently than Win2008. Confirmation here.

    Question

    Did the default SACL’s in Active Directory change between Windows 2000 and Windows Server 2003? It seems that when Directory Services Access auditing is enabled on a Win2003 domain, the logs are much quieter, but Win2000 is noisy as heck. If true, when I upgrade a Win2000 domain to 2003 will it get less chatty?

    Answer

    Indeed, they did change based on the experience we had with Win2000.

    Yeowza! Win2000 has very aggressive settings, but Win2003 makes you go set SACL’s as needed for nearly everything. This is definitely the better approach as every company will have a different idea on what they want to audit.

    And no, they are not changed again by subsequent domain upgrades. They are a function of the first DCPROMO in a domain only, not any later ones. If you wanted to make an upgraded domain less chatty, examine the domain root DN; you will see where most of the SACL’s are being inherited from. :-)
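One way to examine the domain root's SACL as suggested above, written as an added example (not from the original post). It assumes the ActiveDirectory PowerShell module and an account allowed to read SACLs; the optional -SampleObject DN, the function names and the "broad entry" heuristic are this example's own.

```powershell
# Added example: list audit entries on the domain root that flow down to child objects.
# Assumptions: ActiveDirectory module (Windows Server 2008 R2 / RSAT) and the
# "Manage auditing and security log" right, which is needed to read a SACL.
param([string]$SampleObject)   # optional DN of any object to trace (hypothetical input)

Import-Module ActiveDirectory

function Get-AuditRule {
    param([string]$DistinguishedName)
    # -Audit makes Get-Acl return the SACL along with the DACL.
    (Get-Acl -Path "AD:\$DistinguishedName" -Audit).Audit
}

function Get-RuleKey {
    param($Rule)
    '{0}|{1}|{2}|{3}|{4}' -f $Rule.IdentityReference, $Rule.AuditFlags,
        $Rule.ActiveDirectoryRights, $Rule.ObjectType, $Rule.InheritedObjectType
}

$rootDn    = (Get-ADDomain).DistinguishedName
$rootRules = @(Get-AuditRule $rootDn)

# Entries defined on the root itself that apply to descendants.
$propagating = @($rootRules | Where-Object {
    -not $_.IsInherited -and $_.InheritanceType.ToString() -ne 'None'
})
$propagating | Sort-Object IdentityReference |
    Format-Table IdentityReference, AuditFlags, ActiveDirectoryRights, InheritanceType -AutoSize

# Heuristic (an assumption of this example): entries for Everyone (S-1-1-0)
# that cover the whole subtree are the likeliest source of event volume.
$broad = @($propagating | Where-Object {
    $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $sid -eq 'S-1-1-0' -and ('All', 'Descendents' -contains $_.InheritanceType.ToString())
})
'{0} of {1} propagating audit entries are subtree-wide entries for Everyone' -f `
    $broad.Count, $propagating.Count

# Optionally show which inherited audit entries on one object come from the root.
if ($SampleObject) {
    $rootKeys = @($propagating | ForEach-Object { Get-RuleKey $_ })
    Get-AuditRule $SampleObject | Where-Object { $_.IsInherited } | ForEach-Object {
        New-Object PSObject -Property @{
            Identity       = $_.IdentityReference
            Flags          = $_.AuditFlags
            Rights         = $_.ActiveDirectoryRights
            FromDomainRoot = ($rootKeys -contains (Get-RuleKey $_))
        }
    }
}
```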

    Statement

    I am going to $^%#&*^$&*# destroy you for posting my email address on the Internet! I hate your face so much! I get nothing but <redacted, but hilarious> spam now! AAARGGGHHH!!!!

    Signed, Mike O’Reilly.

    Reply

    I lol’ed.

     

    Have a good weekend, Earth.

    Ned “has on-call phone, so expect grumpy replies Monday” Pyle

  • New Directory Services KB Articles/Blogs 4/11-4/17

    KB

    • 982591: Startup application may not run after disabled and re-enabled in MSConfig
    • 977629: Terminal Services Group Policies may not take effect in Windows Server 2003 after a terminal server restart
    • 973284: ADAM service runs slowly or stops responding during garbage collection
    • 976452: Error message on a blue screen when you perform an operation to a DFS server from a computer that is running Windows Vista or Windows Server 2008: "PAGE_FAULT_IN_NONPAGED_AREA"
    • 979621: A removable storage device is disabled when you enable a Group Policy to deny write access or to deny read access to the device on a computer that is running Windows Vista or Windows Server 2008
    • 980137: Error message when you delete a folder that contains content on a client computer that is running Windows Vista or Windows Server 2008: "This operation can only be performed when you are connected to the network"
    • 980361: Windows Server 2003 SP2 stops responding after a hard link is deleted on a NTFS volume
    • 981259: A domain controller that is running Windows Server 2003 SP2 stops responding intermittently
    • 980596: An LDAP bind to a Windows Server 2008-based server fails when the client enables only the "confidentiality protection" bit
    • 980568: A terminal server that is running Windows Server 2008 stops responding when lots of clients make terminal sessions to the server
    • 976266: A computer stops responding when you try to access a network share file and when the computer is running Windows Vista or Windows Server 2008
    • 980044: You cannot access a newly copied file in a shared folder on a computer that is running Windows Server 2008 or Windows Vista
    • 980254: The "dsget user -memberof -expand" command returns incorrect results in Windows Server 2008 R2 and in Windows 7
    • 979808: "Robocopy /B" does not copy the security information such as ACL in Windows 7 and in Windows Server 2008 R2
    • 978836: You cannot create or delete managed service accounts in a perimeter network in Windows 7 or in Windows Server 2008 R2
    • 979731: Some Group Policy preferences are not applied successfully on computers that are running Windows 7 or Windows Server 2008 R2
    • 981750: Error message occurs when you use GPMC to view a software restriction Group Policy setting in Windows 7 and in Windows Server 2008 R2: "An error has occurred while collecting data for Software Restriction Policies"
    • 981265: You cannot create a software installation Group Policy setting on a read-only domain controller in Windows Server 2008 R2
    • 981166: Some data is corrupted when cached and noncached I/O operations occur by using the same NTFS file handle
    • 976036: The logon and logoff scripts do not run in Windows Server 2008 R2 if you use the same user account to create another RDC session
    • 981054: The Group Policy preference settings for the "Terminal Session" item-level targeting item are not applied in Windows 7 or in Windows Server 2008 R2
    • 980628: The "Load a specific theme" Group Policy setting is not applied correctly on a computer that is running Windows 7 or Windows Server 2008 R2
    • 981394: A computer restarts when multiple Kerberos authentication requests are made at the same time in Windows 7 or in Windows Server 2008 R2
    • 976538: File corruption may occur if you run a program that uses a file system filter driver in Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008
    • 979645: You cannot use a script to join a computer automatically into a specified OU in a Windows 2000 domain when the computer is running Windows 7 or Windows Server 2008 R2
    • 981890: The user profile is not updated when you configure a client computer that is running Windows 7 or Windows Server 2008 R2 to use roaming user profiles
    • 981872: Access to a redirected folder or a home drive disconnects regularly on a computer that is running Windows Server 2008 R2 and Windows 7
    • 981462: The account password on a client computer that is running Windows Vista or Windows Server 2008 is not changed when the Maximum password age is reached
    • 981314: The "Win32_Service" WMI class leaks memory in Windows Server 2008 R2 and in Windows 7
    • 981717: The PrincipalContext.ValidateCredentials method returns a false value even when you use valid credentials on a Windows Server 2008 SP2-based server that has AD LDS installed
    • 981603: "The destination folder path is invalid" Error message when you extract a compressed file on a computer that is running Windows 7 or Windows Server 2008 R2
    • 978898: You cannot access a volume in Windows 7 or in Windows 2008 R2 when the volume is encrypted by an encryption filter driver
    • 981118: The CryptDecrypt function fails when you try to decrypt encrypted content on a computer that is running Windows 7 or Windows Server 2008 R2

    Blogs

    Friday Mail Sack – I live again edition

    Microsoft launches beta of Windows 'Fix It' site, service

    Registering and Troubleshooting Service Principal Names (SPNs)

    Please Do Not Change Your Password

    Five mistakes to avoid when deploying Hyper-V virtual machines

    Windows Remote Desktop Services spotlight

    Using Group Policy preferences for immediate and scheduled tasks

    Privilege Authority for Windows

    Microsoft to start providing 'limited troubleshooting' for unsupported service packs

    End of Support for Windows Vista with No Services Packs

    Powershell Script to Pre-Seed Computer Objects in AD

    Out Now: Microsoft Office 2010 Group Policy Settings Reference

    How to configure AppLocker Group Policy in Windows 7 to block third-party browsers

    Kerberos FAQ

    Claims Based Identity and Access Control (Book and Code Samples)

    Microsoft TechNet Wiki has launched !!!

    Active Directory Maximum Limits and Scalability

    Virtual Domain Controllers

    Active Directory Domain Services Command Fu, Part 4

  • It’s our turn to ask you a question

    Hi. Russell here. Scott and I are in the pre-production stages for a series of AskDS podcasts and video “How To’s.”

    We’d like your input on the content that will help you the most. As an example, we’ve been tasked with providing a video demo of Metadata cleanup. I bet you were not aware that there is a GUI version available, in addition to the tried and true NTDSUtil that we’ve all come to love (sarcasm intentional).

    So how about some ideas on what you want to see and hear? (scratch and sniff not available) What are some of your pain points that you’d like to have addressed by way of a podcast or video “How To?”

    Let us know in our comments section below or by emailing us through our contact form above.

    Thanks!

    Russell ”The Spaniard” Despain