Microsoft's official enterprise support blog for AD DS and more
Ahoy hoy. The BPA release cycle has just ticked over once for Windows Server 2008 R2. This means that you can now install – through Windows Update or the Download Center – add-ons that snap into Server Manager and will tell you whether you are following MS best practices for your installed roles. Simply install the update, look at the role, and click “scan this role”. After some noodling, BPA will kick out info.
For example, it appears I stink at running DFSN…
But I rule at running DFSR!
Here’s what just shipped:
Download them all from here.
Read more about them all here.
You need Windows Server 2008 R2 to use any of this stuff, so add it to your list of reasons to upgrade if you haven’t already. More BPA’s coming out when they… come out. Including updates to these existing ones, in theory.
Hey Mahesh, where’s your post?
Ned “beat filecab to the punch for once” Pyle
Hi. Russell here. Scott and I are in the pre-production stages for a series of AskDS podcasts and video “How To’s.”
We’d like your input on the content that will help you the most. As an example, we’ve been tasked with providing a video demo of Metadata cleanup. I bet you were not aware that there is a GUI version available, in addition to the tried and true NTDSUtil that we’ve all come to love (sarcasm intentional).
So how about some ideas on what you want to see and hear? (scratch and sniff not available) What are some of your pain points that you’d like to have addressed by way of a podcast or video “How To?”
Let us know in our comments section below or by emailing us through our contact form above.
Thanks!
Russell “The Spaniard” Despain
Hello all, Ned here again. After a brief absence, the rocket sled that I use to carry my disembodied head around has brought me back to AskDS headquarters. The coup is over and I have emerged triumphant again. You won’t be hearing from Jonathan until the truth serum wears off.
So let’s talk some talk.
There was a tool called ntrights.exe in the Win2003 resource kit tools, but we couldn't find one for Windows Server 2008. I need a command-line based tool to add security privileges for users.
The ntrights.exe tool still works fine even in Windows Server 2008 R2 and Windows 7 so feel free to use it. You could also use secedit.exe /configure with a custom INF file that added the user rights (good idea Mike). Not to mention group policy – adding privs with the command-line sounds like a lot of extra work to me.
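As an added example (not from the original post), here is the secedit.exe route spelled out: a PowerShell script that grants one user right from the command line with a custom INF. The account name and the right are placeholders. Note that secedit /configure replaces the whole assignment list for a right, so the script merges the new SID with whatever is already assigned rather than wiping the existing holders.

```powershell
# Added example, not from the original post: grant one user right from the command line
# with secedit.exe /configure and a custom INF. Account and right are placeholders.
# Run from an elevated prompt.
$Account   = 'CONTOSO\svc-backup'   # placeholder service account
$Privilege = 'SeBackupPrivilege'    # constant name of the right, as secedit expects it

# secedit wants SIDs in the form *S-1-5-..., so translate the account name first
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# /configure REPLACES the whole assignment list for a right, so merge with what is
# already assigned instead of silently dropping the existing holders
$export = Join-Path $env:TEMP 'rights-before.inf'
secedit.exe /export /cfg $export /areas USER_RIGHTS | Out-Null
$line    = Get-Content $export | Where-Object { $_ -match "^$Privilege\s*=" }
$members = @()
if ($line) { $members = ($line -replace "^$Privilege\s*=\s*", '') -split ',' | Where-Object { $_ } }
$members = @(@($members) + "*$sid" | Select-Object -Unique)

$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
__RIGHT__ = __MEMBERS__
'@ -replace '__RIGHT__', $Privilege -replace '__MEMBERS__', ($members -join ',')

$infPath = Join-Path $env:TEMP 'add-right.inf'
$inf | Set-Content -Path $infPath -Encoding Unicode
secedit.exe /configure /db (Join-Path $env:TEMP 'add-right.sdb') /cfg $infPath /areas USER_RIGHTS

# Verify: the right should now list the new SID alongside the previous holders
secedit.exe /export /cfg $export /areas USER_RIGHTS | Out-Null
Select-String -Path $export -Pattern "^$Privilege\s*="
```

The export/verify steps double as an audit trail: keep rights-before.inf so you can see exactly which SIDs held the right before the change.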
How much free space is needed for temporary files doing a USMT 4.0 scanstate? I grok that it arbitrarily requires at least 250MB as stated here, but could I need more? I plan to have the store file written to a network drive.
By default, the USMT temp/working folder is the operator's %TEMP% folder (obviously, this is local to the computer). The full set of files is not gathered here; the store is updated in a serialized fashion directly. The temporary file that USMT 4.0 creates is used purely to track work and to back the store's catalog data and non-file data.
When running scanstate /p, the space estimator figures how big the backing file will get, then adds an additional 1MB of "fudge factor". The binary size of gathered user data files never matters – just the quantity of units to be migrated.
For example, in a repro I had a Windows 7 client with eight profiles. This created a temporary backing file that was 44MB. Then when I cut the migration down to a single user profile the temporary file was only 9MB. When I added 300+MB of data to my profile (so only 20 files, but each being very big), the temporary space usage estimate did not get appreciably larger.
<?xml version="1.0" encoding="UTF-8"?>
<PreMigration>
  <storeSize>
    <size clusterSize="4096">96075776</size>
  </storeSize>
  <temporarySpace>
    <size>10576664</size>
  </temporarySpace>
</PreMigration>

<?xml version="1.0" encoding="UTF-8"?>
<PreMigration>
  <storeSize>
    <size clusterSize="4096">425594880</size>
  </storeSize>
  <temporarySpace>
    <size>10617624</size>
  </temporarySpace>
</PreMigration>
Also, you can use the USMT_WORKING_DIR override environment variable to make the temporary folder a remote server path. But the migration is going to get much slower. My repro scanstate ran ~2-3 times slower because I had traded fast local I/O for comparatively slow network I/O. That was on gigabit network with no contention. A hard-link migration would be much faster.
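As an added example (not from the original post), this PowerShell script reads the estimate XML that scanstate writes with its /p option and checks free space in both places that matter: the store location and the USMT working folder (%TEMP%, or USMT_WORKING_DIR when that override is set). The file and store paths are placeholders.

```powershell
# Added example, not from the original post: read the scanstate /p estimate file and check
# the free space at the store location and at the USMT working folder before migrating.
# Paths are placeholders; the estimate file is the one scanstate writes with /p:<file>.
param(
  [string]$EstimateFile = 'C:\usmt\usmtsize.xml',    # placeholder: the /p output file
  [string]$StorePath    = '\\fileserver\usmt\pc01'   # placeholder: where the store will be written
)

[xml]$estimate = Get-Content -Path $EstimateFile
$storeBytes = [int64]$estimate.PreMigration.storeSize.size.'#text'   # element has a clusterSize attribute, so the number is '#text'
$tempBytes  = [int64]$estimate.PreMigration.temporarySpace.size      # plain element, the value is its text

# The working folder is %TEMP% unless USMT_WORKING_DIR overrides it
$workDir = if ($env:USMT_WORKING_DIR) { $env:USMT_WORKING_DIR } else { $env:TEMP }

function Get-FreeBytes([string]$Path) {
  # FileSystemObject.GetDrive accepts a drive letter or a \\server\share, so one helper covers both
  $fso  = New-Object -ComObject Scripting.FileSystemObject
  $spec = if ($Path -match '^\\\\[^\\]+\\[^\\]+') { $Matches[0] } else { Split-Path -Path $Path -Qualifier }
  [int64]$fso.GetDrive($spec).AvailableSpace
}

$storeFree = Get-FreeBytes $StorePath
$workFree  = Get-FreeBytes $workDir
New-Object PSObject -Property @{
  StoreNeededMB = [math]::Round($storeBytes / 1MB, 1)
  StoreFreeMB   = [math]::Round($storeFree  / 1MB, 1)
  StoreOk       = $storeFree -gt $storeBytes
  TempNeededMB  = [math]::Round($tempBytes / 1MB, 1)
  TempFreeMB    = [math]::Round($workFree  / 1MB, 1)
  TempOk        = $workFree -gt $tempBytes
  WorkingDir    = $workDir
} | Format-List
```

If TempOk is false and the local disk cannot be freed up, that is the case for pointing USMT_WORKING_DIR elsewhere, with the slowdown described above as the price.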
Is there a way to isolate a DC in order to do an AD Schema upgrade? I cannot find any documentation on how to do this.
Isolating the Schema Master for ADPREP /FORESTPREP is not tested by the Product Group and not recommended*; we intentionally try to block you from this scenario starting in Win2003 SP1. Attempting to do so will return:
“Adprep was unable to extend the schema. [Status/Consequence] The schema master did not complete a replication cycle after the last reboot. The schema master must complete at least one replication cycle before the schema can be extended. [User Action] Verify that the schema master is connected to the network and can communicate with other domain controllers. Use the Sites and Services snap-in to replicate between the schema operations master and at least one replication partner. After replication has succeeded, run adprep again.”
This was added back in Win2003 SP1, based on the fact that customers were causing horrendous issues trying to isolate their Schema Master FSMO servers during a migration or never verifying that the Schema master was healthy, then incorrectly (or never) reattaching them to their domain while the now split schemas diverged.
Our supported and recommended methodology is for you to test the migration in your lab with a copy of your current forest/schema; if there are going to be problems in the schema upgrade, they will happen in your lab. Likewise if there are going to be problems with the Schema itself, they would occur there as well. Prior to upgrading your schema, we recommend that you get a good System State backup on all DC’s; but we recommend you do this every day, not just for Schema upgrades. If there was some irreconcilable issue you could restore your forest from backup using those system states using our forest recovery info here: http://technet.microsoft.com/en-us/library/planning-active-directory-forest-recovery(WS.10).aspx
This was an especially excellent question – sometimes we imply through an absence of documentation rather than stating things flat out, unfortunately.
* And to be clear here, yes it is possible to disable replication temporarily. Older documentation even used to say things like "disconnect your schema master" or "block outbound replication". Newer documentation does NOT, as we now have a decade's worth of experience with customers using those techniques in lieu of proper testing. And dealing with the fallout of that! We've had customers disable the replication then forget to ever turn it back on again; guess what happened after 61 days?
When the AskDS team says something is possible, it often gets construed as it's recommended and supported. It's not. Testing your schema update in a lab costs nothing thanks to free virtualization products aplenty. Do that and you cannot go wrong.
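As an added example (not from the original post), here is the pre-flight check that matches the adprep error quoted above: find the schema master, confirm it has had a successful inbound replication since its last boot and has no failing links, kick a replication cycle if needed, and take a system state backup before touching the schema. The backup target volume is a placeholder; wbadmin has to run on the schema master itself.

```powershell
# Added example, not from the original post: before adprep /forestprep, confirm the schema master
# has completed a successful inbound replication cycle since its last boot, and take a
# system state backup. The backup target volume is a placeholder.
Import-Module ActiveDirectory
$schemaMaster = (Get-ADForest).SchemaMaster

# Boot time of the schema master, for comparison with the replication timestamps
$os   = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $schemaMaster
$boot = $os.ConvertToDateTime($os.LastBootUpTime)

# Inbound replication state, one row per partner and partition
$rows = repadmin.exe /showrepl $schemaMaster /csv | ConvertFrom-Csv
$rows | Select-Object 'Naming Context', 'Source DSA', 'Number of Failures', 'Last Success Time', 'Last Failure Status' |
  Format-Table -AutoSize

$failing   = @($rows | Where-Object { [int]$_.'Number of Failures' -gt 0 })
$sinceBoot = @($rows | Where-Object { $_.'Last Success Time' -and ([datetime]$_.'Last Success Time') -gt $boot })
if ($failing.Count -gt 0) { Write-Warning "$($failing.Count) inbound links report failures on $schemaMaster" }
if ($sinceBoot.Count -eq 0) { Write-Warning "No inbound replication success on $schemaMaster since boot at $boot; adprep would refuse to extend the schema" }

# Trigger a replication cycle with all partners (all partitions, across sites), then re-run the check above
repadmin.exe /syncall $schemaMaster /A /e

# System state backup of the schema master before the schema change; run this ON the schema master
# wbadmin.exe start systemstatebackup -backupTarget:E: -quiet
```

The two warnings are the same conditions adprep itself tests for; seeing them here, with the repadmin rows to explain why, is a lot cheaper than seeing the adprep error halfway through a migration weekend.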
Do the registry values in KB954968 apply to Windows Server 2008 and 2008 R2 also, in regards to configuring FSRM hard quotas to work with DFSR?
The registry values still work, yes. But they shouldn’t be as necessary in 2008/2008 R2 DFSR because all of the folders and files that FSRM would count against quota are now under a reparse point. The reparse point will prevent the quota from being enforced in this circumstance.
So for example, if you set an FSRM quota against c:\condelrf, it would not affect the contents of the c:\condelrf\dfsrprivate folder:
Because that is actually this reparse point target location:
So the data in there is not covered for quota. The KB and registry change from 2003 R2 were necessary because back then, dfsrprivate was a real folder under the DFSR replicated folder. When quota was hit there, kaboooooom.
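As an added example (not from the original post), this PowerShell snippet verifies the reparse point behaviour described above for every replicated folder on a server, and shows where the DfsrPrivate reparse point resolves to. The DFSR WMI class and property names (DfsrReplicatedFolderConfig, RootPath, ReplicatedFolderName) are as I know them from the root\MicrosoftDfs provider; the c:\condelrf path is the one from the post and only serves as an illustration.

```powershell
# Added example, not from the original post: confirm that each replicated folder's DfsrPrivate
# is a reparse point, i.e. its contents live outside an FSRM quota set on the replicated folder.
# WMI class/property names are as I know them; the example folder path is from the post.
function Test-DfsrPrivateReparsePoint([string]$ReplicatedFolder) {
  $private = Join-Path $ReplicatedFolder 'DfsrPrivate'
  # -Force is needed because DfsrPrivate is a hidden system folder
  $item = Get-Item -LiteralPath $private -Force -ErrorAction SilentlyContinue
  if (-not $item) { return $null }   # folder missing: DFSR has not initialized it yet
  [bool]($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint)
}

# All replicated folders configured on this server, from the DFSR WMI provider
$folders = Get-WmiObject -Namespace root\MicrosoftDfs -Class DfsrReplicatedFolderConfig
foreach ($f in $folders) {
  New-Object PSObject -Property @{
    ReplicatedFolder          = $f.ReplicatedFolderName
    RootPath                  = $f.RootPath
    DfsrPrivateIsReparsePoint = Test-DfsrPrivateReparsePoint $f.RootPath
  }
}

# Show what the reparse point actually resolves to (the real, quota-free location)
fsutil.exe reparsepoint query (Join-Path 'C:\condelrf' 'DfsrPrivate')

# And which FSRM quotas apply at the replicated folder, so you can see the two side by side
dirquota.exe quota list /path:C:\condelrf
```

A replicated folder reporting False for DfsrPrivateIsReparsePoint on 2008/2008 R2 is the odd case worth investigating before you put a hard quota anywhere near it.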
You still need to make sure that you approach hard quotas with extreme caution though:
http://technet.microsoft.com/en-us/library/cc773238(WS.10).aspx#BKMK_064
DFSR and FSRM do not really have a good interop story – using them together is not something I’d personally recommend, after many, many support cases fixing the fallout of inappropriately configured hard quotas.
Finally, some sad news. Our fearless manager Mike O’Reilly - he of the swapped desk and the cubicle tree - has left us for greener pastures. At least as green as pastures get in Newfoundland. Mike is now a director at a large construction firm back on his native island in his pseudo-country we call America’s Hat. In fond memory, here is his email address: moreilly1974vw@hotmail.com. I sure hope it doesn’t get crazily inappropriate spam, what with it being out here on the Internet forever.
That’s all, have a nice weekend folks,
Ned “ “ Pyle
Hello folks, Ned here again. Recently I was asked to provide a technical assessment of the risks of continuing to use the File Replication Service (FRS) and the benefits of migrating to DFSR, all regarding SYSVOL on domain controllers. I thought I’d find a decent set of documentation on TechNet, polish it up and send it along – I was wrong; I had to spend several hours coming up with a complete list.
Now you can reap the benefits. Hopefully this helps you convince yourself or your management that the time has come to cut the cord on FRS, especially if you have already deployed your Windows Server 2008 DC’s.
I sure hope you like bullet points!
Here’s a different way of looking at it, as I know executives love their matrices:
Description | FRS | DFSR
Reliable, fast, scalable, and continually improving | No | Yes
Is deader than fried chicken | |
Now go migrate. For most customers it will be a few hours of work. Your manager may not even have time to buy you lunch on a Saturday.
Stay tuned for another article about the benefits of using FRS. Its title will be “the shortest blog post ever written” and will contain only a picture of my dogs eating their toys. Here’s a preview.
A special thanks to Mahesh from the DFSR product team for his timely review and contributions to this write up. You rock dude.
Until next time,
Ned “nom nom nom” Pyle
Hi there intarwebz, Ned here. Hopefully you’re at home right now filling up the basket with Peeps for the kids. For those that aren’t, here are this week’s interesting questions from our readers and fellow employees.
I am looking for a newer set of information on Active Directory’s LDAP V3 compliance. This old document is good but it was written when the LDAP V3 RFC was still in review by the IETF. Is there something more up to date I can use to fight the good fight?
You bet, and boy did we bury it. If you go into MSDN –> Open Specifications –> Windows Protocols –> Windows Communication Protocols –> [MS-ADTS] –> Details –> Common Details –> 3.1.1 Abstract Data Model –> 3.1.1.3 LDAP –> 3.1.1.3.1 LDAP Conformance you will find:
http://msdn.microsoft.com/en-us/library/cc223226(PROT.10).aspx
Which states in robot lawyer talk:
“The purpose of this section is to document how the implementation of Active Directory DCs interprets the LDAPv3 RFCs, including differences from those RFCs. Except as noted in the following subsections, Active Directory is compliant to [RFC3377]. All error codes returned by Active Directory are taken from the resultCode enumeration of the LDAPResult structure defined in [RFC2251] section 4.1.10.”
It covers Win2000, 2003, Win2008, and Win2008 R2 and specifically goes into details of compliance. We also have extended LDAP for AD purposes so we have extra functionality not mandated by the RFC’s.
Enjoy your nap.
I have a Java application that cannot retrieve data from a constructed attribute. Does anything need to be changed in AD to allow this to work?
If DSA.MSC, ADSIEDIT.MSC, LDP.EXE, LDIFDE.EXE, CSVDE.EXE, Get-AdObject, Joeware tools, DC's, Clients, Users, and the rest of the kitchen sink can all read it, nothing needs to be done with AD. Something needs to be done with the Java code. :-) This is the first thing we hammer into the heads of new engineers here in AD Support – validate with known quantity tools.
Is there any good reason to turn on the “Disable machine account password change” security policy when computers are on a LAN and on all the time?
Officially, we do not recommend disabling the password changes, just like it says in the Explain tab in policy editor.
However, if you:
… then the computer would have to be rejoined to the domain. Not having the password change ever would prevent this.
A computer account password getting brute forced is extremely unlikely (it’s ridiculously complex), so having it change every 30 days is mostly paranoia on our part. It is far easier – and thus more likely – that the machine itself gets owned without knowledge of the password, just through a careless user with admin rights or an unpatched security bug elsewhere; having the password change every 30 days would not save you in that scenario.
Again though: officially not recommended. Especially since your only downside is rejoining the computer to the domain after restoring it from backup. Not exactly the end of the world.
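As an added example (not from the original post), here are two defender-side checks for the policy discussed above: the local Netlogon registry values that the "Disable machine account password change" and "Maximum machine account password age" settings write, and an AD query that lists enabled computers whose password is older than the 30-day default while they are still logging on, which is what you see when the change has been disabled (or never completed) on them.

```powershell
# Added example, not from the original post: audit machine account password changes.
# (1) local Netlogon settings on this computer, (2) computers in AD with stale passwords.
function Get-LocalMachinePasswordPolicy {
  $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
  # MaximumPasswordAge is absent when the default (30 days) is in effect
  $ageDays = if ($p.MaximumPasswordAge) { $p.MaximumPasswordAge } else { 30 }
  New-Object PSObject -Property @{
    DisablePasswordChange  = [bool]$p.DisablePasswordChange   # 1 = changes disabled
    MaximumPasswordAgeDays = $ageDays
  }
}

function Get-StaleComputerPasswords([int]$Days = 30) {
  Import-Module ActiveDirectory
  $cutoff = (Get-Date).AddDays(-$Days)
  Get-ADComputer -Filter 'Enabled -eq $true' -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
    Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff } |
    Select-Object Name, OperatingSystem, PasswordLastSet, LastLogonDate,
      # StillActive = the machine logs on but has not rotated its password: change disabled or stuck
      @{ Name = 'StillActive'; Expression = { $_.LastLogonDate -gt $cutoff } } |
    Sort-Object PasswordLastSet
}

Get-LocalMachinePasswordPolicy
Get-StaleComputerPasswords -Days 30 | Format-Table -AutoSize
```

Computers with StillActive false are usually just offline or decommissioned; the StillActive true rows are the ones where someone turned the policy on, and where the "restore from backup, then rejoin" caveat above is what you have traded away.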
How do I know if the Windows Server 2008-related content is updated on TechNet? Are there any other ways I can get updates or alerts via email when the content has been updated??
I hope you have a couple terabyte storage arrays lying around, since you are looking to get updates from one of the busiest websites in the world. :-) There is no “alert me when TechNet is updated” option, but Craig and his TechNet Wiki pals came up with an interesting way to get this in a “lite” fashion through RSS:
1. Go to http://technet.microsoft.com and search for something broad that you are interested in, like: Windows Server 2008 R2 DFSR
2. This returns a boatload of hits as you might expect. You then refine that into “documentation and articles”. Note though that there’s a little RSS nubbin’ here:
3. If you subscribe to that, you can see new content for those displayed topics when changed. Nifty.
Wooo, and check this out:
Once you install that federated search connector in your Windows 7 client, now you get:
Oh. Em. Gee. That’s cool. We also have one for MSDN.
Web 2.0 is so yesterday. Full client search within Windows Explorer is the future! :-D
There will not be a Friday Mail Sack next week as I am off to see the Cubs play the Braves in Atlanta on Thursday, and making a weekend of it. For our British, Indian, and Australian readers, baseball is defined as “A cricket-like game that does not take a month to play and does not involve cardigan sweaters”.
Come by and say hi!
- Ned “theriot” Pyle
KB
979751
A domain user account that has a blank password cannot be used to authenticate against Microsoft SharePoint Server 2010 or against Windows Live SkyDrive
Blogs
Best practices around Active Directory Authoritative Restores in Windows Server 2003 and 2008
Tuning replication performance in DFSR (especially on Win2008 R2)
Friday Mail Sack – Marshmallow Bird Edition
Enabling CEP and CES to enroll non-domain joined computers for certificates
Some RODC-related queries you’ll probably need some day
TechNet topic about how to upgrade domain controllers to Windows Server 2008 R2
New location for topic about Active Directory functional levels and features
Windows Server 2008 R2 to Phase Out Itanium
Five mistakes to avoid when deploying Hyper-V virtual machines
How to Disable BitLocker Drive Encryption Fixed Data Drive Read-Only Policy Using GPO
AdminSDHolder confusion and admin actions
Windows Server 2008 R2 + Xeon 7500 = Lightning Fast Performance with Mission-Critical Reliability
New Networking-related KB articles for the week of March 21 – March 27
Windows Remote Desktop Services spotlight
Developing an Active Directory Forest Recovery Plan
High Impact Issue: Servers may become unresponsive due to multiple issues
Event 17 – Certificate Corruption on Terminal Services/Remote Desktop License Servers
Changes to Windows 2008 LDAP limits
Windows Activation in Development Environments
Where is my (AD) web service?
Access Denied Error 0x80070005 message when initializing TPM for Bitlocker
Perfmon: Identifying processes by PID instead of instance
PowerShell Quick Start on Server Core R2
File Classification Infrastructure in Windows Server 2008 R2 - Capabilities
Powershell OU Shadow Script
Group Policy Setting of the Week 20 – Exclude File from being cached
Hello Internet! Last week, Ned said there wouldn’t be a Mail Sack this week because he was going to be out of town. Well, the DS team was sitting around during our “Ned is out of our hair for a few days” party and we decided that since this is a Team Blog after all, we’d go ahead and post a Friday Mail Sack. So even though the volume was a little light this week, perhaps due to Ned’s announcement, we put one together all by ourselves.
So without further ado, here is this week’s Ned-less Mail Sack.
Q: I’m using the Certificate Wizard in OCS to generate a certificate request and submit it to my Enterprise CA. My CA isn’t configured to issue certificates based on the Web Server template, but I have duplicated the Web Server template and modified the settings. My new template is configured to supersede the Web Server template.
The request fails. Why doesn’t the CA issue the certificate based on my new template if it supersedes the default Web Server template?
A: While that would be a really cool feature, that’s not how Supersedence works. Supersedence is used when you want to replace certificates that have already been issued with a new certificate with modified settings. In addition, it only works with certificates that are being managed by Windows Autoenrollment.
For example, the Administrator has enabled Autoenrollment in the Computer Configuration of the Default Domain Policy:
Further, the Administrator has granted the Domain Computers group permission to Autoenroll for the Corporate Computer template. Appropriately, every Windows workstation and member server in the domain enrolls for a certificate based on this template.
Later, the Administrator decides that she needs to update the template in some fashion – add a new certificate purpose to the Enhanced Key Usage, change a key option, whatever. Our intrepid Admin duplicates her Corporate Computer template and creates a new Better Corporate Computer template. In the properties of this new template, she adds the now obsolete Corporate Computer template to the Superseded Templates list.
The Admin clicks Ok to commit the changes and then sits back and waits for all of the workstations and member servers in the domain to update their certificate. So how does that work, exactly?
On each workstation and member server, the Autoenrollment service wakes up about every 8 hours and checks to see if it has any work to do. As this occurs on each Windows computer, Autoenrollment determines it is enabled by policy and so checks Active Directory for a list of templates. It discovers that there is a new template for which this computer has Autoenrollment permissions. Further, this new template is configured to supersede the template on which one of the computer's existing certificates is based.
The Autoenrollment service then archives the current certificate and enrolls for a new certificate based on the superseding template.
In summary, supersedence doesn’t change the behavior of the CA at all, so you can’t use it to control how the CA will respond when it receives a request for a certain template. No, supersedence is merely a hint to tell Autoenrollment on the client that it needs to replace an existing certificate.
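As an added example (not from the original post), this PowerShell snippet shows the client side of what was just described: it lists the certificates in the machine store together with the template each was issued from (read from the certificate template extensions), and triggers an Autoenrollment pass on demand instead of waiting for the timer. Function name is mine.

```powershell
# Added example, not from the original post: see what Autoenrollment did on a client.
function Get-MachineCertTemplates {
  Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    # V2 templates carry "Certificate Template Information" (1.3.6.1.4.1.311.21.7);
    # V1 templates carry "Certificate Template Name" (1.3.6.1.4.1.311.20.2)
    $ext = $cert.Extensions |
      Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' -or $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' } |
      Select-Object -First 1
    $template = if ($ext) { $ext.Format($false) } else { '(no template extension; not enrolled from a template)' }
    New-Object PSObject -Property @{
      Subject    = $cert.Subject
      Template   = $template
      NotAfter   = $cert.NotAfter
      Thumbprint = $cert.Thumbprint
    }
  }
}

Get-MachineCertTemplates | Sort-Object Template | Format-Table Subject, Template, NotAfter, Thumbprint -AutoSize

# Run the Autoenrollment pass now (the same one the timer runs about every 8 hours), then list again
certutil.exe -pulse
```

Run the listing before and after certutil -pulse: with supersedence configured as above, the certificate from the old template disappears from the listing and one from the superseding template appears. The archived copy is not returned by the Cert: provider; the Certificates MMC shows it under View, Options, Archived certificates.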
Q: I’m seeing the following warning event recorded in the Active Directory Web Services event log about once a minute.
Log Name: Active Directory Web Services
Source: ADWS
Date: 4/8/2010 3:13:53 PM
Event ID: 1209
Task Category: ADWS Instance Events
Level: Warning
Keywords: Classic
User: N/A
Computer: corp-adlds-01.corp.contoso.com
Description: Active Directory Web Services encountered an error while reading the settings for the specified Active Directory Lightweight Directory Services instance. Active Directory Web Services will retry this operation periodically. In the mean time, this instance will be ignored. Instance name: ADAM_ContosoAddressbook
I can’t find any Microsoft resources to explain why this event occurs, or what it means.
A: Well…we couldn’t find any documentation either, but we were curious ourselves so we dug into the problem. It turns out that event is only recorded if ADWS can’t read the ports that AD LDS is configured to use for LDAP and Secure LDAP (SSL). In our test environment, we deleted those values and restarted the ADWS service, and sure enough, those pesky warning events started getting logged.
The following registry values are read by ADWS:
Key: HKLM\SYSTEM\CurrentControlSet\Services\<ADAM_INSTANCE_NAME>\Parameters
Value: Port LDAP
Type: REG_DWORD
Data: 1 - 65535 (default: 389)

Key: HKLM\SYSTEM\CurrentControlSet\Services\<ADAM_INSTANCE_NAME>\Parameters
Value: Port SSL
Type: REG_DWORD
Data: 1 - 65535 (default: 636)
Verify that the registry values described above exist and have the appropriate values. Also verify that the NT AUTHORITY\SYSTEM account has permission to read the values. ADWS runs under the Local System account.
Once you've corrected the problem, restart the ADWS service. If you have to recreate the registry values because they've been deleted, restart the AD LDS instance before restarting the ADWS service.
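As an added example (not from the original post), here is the verification step above as a PowerShell function: for every AD LDS instance service on the server it reads the two registry values ADWS needs, checks that they are in range, and checks that NT AUTHORITY\SYSTEM holds an Allow ACE that includes reading values on that key. The function name is mine; the registry values and the restart order are the ones given in the answer.

```powershell
# Added example, not from the original post: check the two registry values ADWS reads for every
# AD LDS instance on this server, plus whether NT AUTHORITY\SYSTEM can read them.
function Test-AdwsInstancePorts {
  $system = 'NT AUTHORITY\SYSTEM'
  foreach ($svc in Get-Service -Name 'ADAM_*') {
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $ldap  = $props.'Port LDAP'
    $ssl   = $props.'Port SSL'

    # Does SYSTEM hold an Allow ACE that includes QueryValues? (FullControl and ReadKey both do)
    $systemRead = $false
    if (Test-Path -Path $key) {
      $acl = Get-Acl -Path $key
      $systemRead = [bool]($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $system -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.RegistryRights -band [System.Security.AccessControl.RegistryRights]::QueryValues)
      })
    }

    $portOk = { param($p) ($p -ne $null) -and ($p -ge 1) -and ($p -le 65535) }
    New-Object PSObject -Property @{
      Instance      = $svc.Name
      PortLdap      = $ldap
      PortSsl       = $ssl
      PortsOk       = (& $portOk $ldap) -and (& $portOk $ssl)
      SystemCanRead = $systemRead
    }
  }
}

Test-AdwsInstancePorts | Format-Table Instance, PortLdap, PortSsl, PortsOk, SystemCanRead -AutoSize

# After recreating a missing value: restart the instance first, then ADWS (instance name is a placeholder)
# Restart-Service -Name ADAM_ContosoAddressbook
# Restart-Service -Name ADWS
```

A row with PortsOk false or SystemCanRead false is the instance that is producing the 1209 warnings once a minute; fix it and apply the restart order from the answer.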
Thanks for sending us this question. We’ve created the necessary internal documentation, and if we see more issues like this we’ll promote it to the Knowledge Base.
Final Note
Well…that’s it for this week. Please keep posting your comments, observations, topic ideas and questions. And fear not, Ned will be back next week.
Jonathan “The Pretender” Stephens
980794
System state backup error in Windows Server 2008 and in Windows Vista: "Enumeration of the files failed"
Friday Mail Sack – While the Ned’s Away Edition
Group Policy Setting of the week 22 – Enable Transparent Caching (Offline Files)
AD WS diagnostic logging
Other places to find good information
Configuring Remote Desktop certificates
Windows 7 Security Just Got Easier: Download the Security Compliance Manager
Active Directory Domain Services Command Fu, Part 3
Manage Remote Desktop Licensing by using Windows PowerShell
New resources to help business customers deploy Windows 7
New Networking-related KB articles for the week of March 28 – April 3
How to remove imported Internet Explorer Group Policy Settings
Microsoft Desktop Player – This has potential!
How to backup recovery information in AD after Bitlocker is turned ON in Windows 7
Dedicated Dump File for Windows Vista or Windows Server 2008
Common Engineering Criteria Website Re-Launches
Office Parsers Available
Microsoft pulls the plug on future Itanium support
How to use Group Policy to make Windows 7 90% more secure
Group Policy Setting of the week 21 – Configure Background Sync (offline files)