Microsoft's official enterprise support blog for AD DS and more
Hi folks, Ned here for a quickie. Back in April I posted a short mail sack piece about Schema updating best practices. Something I couldn't talk about at the time is now public:
Testing for Active Directory Schema Extension Conflicts
http://technet.microsoft.com/en-us/library/testing-for-active-directory-schema-extension-conflicts(WS.10).aspx
This article walks through using some simple techniques and a script to validate that an application's schema update is not going to cause issues. Nearly all AD Schema issues are caused by incorrect changes made by third parties - this article will help you prevent those issues.
Ned "shee-maa" Pyle
Hello Terra, it’s Ned here again. Before I get rolling, a big announcement:
On May 16th all the MSDN and TechNet blogs are being migrated to a new platform. This will get us back in line with modern blogging software, and include new features, better search, more user customization, and generally remove a lot of suck. Because AskDS is a very popular blog – thanks to you – we rated extra sandbox testing and migration support and we believe things are going to go smoothly. The migration will be running for a week (although many sites will be done before then) and during this time commenting will be turned off; just email us through our contact form if you need to chat. You can read more about the new features and track progress on the migration here.
On to this week’s most interesting questions.
What happened to the GPMC scripts in Windows 7 and Win2008 R2?
Those went buh-bye when Vista came out. They can be downloaded from here if you like and I’ll wager they’ll work fine on 7, but the future of scripting GP is in PowerShell. Recommended reading:
KB832017 (Services Overview and Network Port Requirements...) lists port 5722/TCP as being used for DFSR -- but only on Server 2008 or Server 2008 R2 DCs. What exactly happens over 5722/TCP? KB832017 is practically the only time I've ever seen that port mentioned.
There’s no special reasoning here, it’s a bug. :-) In a simple check to determine if a computer was a member client or member server, we forgot that it might also be a domain controller. So the code ends up specifying a port that was supposed to be reserved for some client code. Amazingly, no Premier contract customer has ever opened a DCR with us asking to have it fixed. I keep waiting…
Nothing else weird happens here, and it will look just like normal DFSR RPC communication in all other respects – because it is normal. :)
You can still change the port with DFSRDIAG STATICRPC <options> if you need to traverse a firewall or something. You are not stuck with this.
I am missing tabs in Active Directory Users and Computers (DSA.MSC) when using the Windows 7 RSAT tools. I found some of your old Vista content about this, but you later said most of this has been fixed. Whiskey Tango Hotel?
As is often the case with RSAT (a tool designed by committee due to all the various development groups, servicing rules, and other necessities of this suite), there are a series of steps here to make this work. I’ll go through this systematically:
After installing RSAT on a domain-joined Windows 7 client, you add the Role Administration Tools for "AD DS Snap-ins and Command-line Tools":
You then start DSA.MSC and examine the properties of a user. You notice that some or all of the following tabs are missing:
Published Certificates, Password Replication, Object, Security, Attribute Editor, Environment, Sessions, Remote Control, Remote Desktop Services Profile, Personal Virtual Desktop, UNIX Attributes, Dial-in
1. Enable "Advanced Features" via the View menu. This will show at least the following new tabs:
Published Certificates, Password Replication, Object, Security, Attribute Editor
2. If still not seeing tabs:
Environment, Sessions, Remote Control, Personal Virtual Desktop, Remote Desktop Services Profile
Add the following RSAT feature: "Remote Desktop Services Tools". Then restart DSA.MSC and if Advanced View is on, these tabs will appear.
3. If still not seeing tab:
UNIX Attributes
Add the following RSAT feature: "Server for NIS Tools". Then restart DSA.MSC and if Advanced View is on, this tab will appear.
4. The "Dial-In" tab will always be missing, as its libraries are not included in RSAT due to a design decision by the networking Product Group. If you need this one added, open a Premier contract support case and file a DCR. We’ve had a number of customers complain about this, but none of them bothered to actually file a design change request so my sympathy wanes. Until they do, there is no possibility of this being changed.
What tools will synchronize passwords from AD to ADAM or ADLDS?
MIIS/IIFP (now Forefront Identity Management 2010) can do that. We don't have any in-box tools or options for this. [Thanks to our resident ADAM expert Jody Lockridge for this answer. He’s forgotten more about ADAM than I’ll ever know - Ned]
I am trying to script changing user home folders to match the users’ logon IDs. I’ve tried this:
dsquery.exe user OU=AD_ABC,DC=domain,DC=local | dsmod.exe user -hmdir \\servername\%username%
But this only places the currently logged-on username in all users' profiles. How can I make this work?
DSMOD.EXE includes a special token you can use called $username$. It automatically uses the SAM account name passed in from DSQUERY commands and works with the –hmdir, –email, –webpg, and –profile arguments.
So if I do this to locate all my users and update their home directory:
I get this:
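Since the command and output above were screenshots in the original post, here is an added example (not Ned's, and not from the original article) that shows the failing form, the working DSMOD form with the $username$ token, and an equivalent using the ActiveDirectory PowerShell module. The OU path OU=AD_ABC,DC=domain,DC=local and the file server \\servername are taken from the question; the H: home drive letter is an assumption added for illustration.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module from RSAT is installed and the OU/server names from the question.
Import-Module ActiveDirectory

# Failing form from the question: cmd.exe expands %username% before dsquery
# ever runs, so every account receives the logged-on admin's name:
#   dsquery user OU=AD_ABC,DC=domain,DC=local | dsmod user -hmdir \\servername\%username%
#
# Working form: dsmod replaces $username$ with each piped object's own
# sAMAccountName (also valid with -email, -webpg and -profile):
#   dsquery user OU=AD_ABC,DC=domain,DC=local | dsmod user -hmdir \\servername\$username$

$searchBase = 'OU=AD_ABC,DC=domain,DC=local'   # from the question
$fileServer = '\\servername'                    # from the question
$homeDrive  = 'H:'                              # assumed drive letter

# PowerShell equivalent: build each target from that user's own
# SamAccountName, and only touch accounts whose value actually differs.
# -WhatIf reports the change without applying it; remove it once the
# output looks right.
Get-ADUser -Filter * -SearchBase $searchBase -Properties HomeDirectory |
    ForEach-Object {
        $target = "$fileServer\$($_.SamAccountName)"
        if ($_.HomeDirectory -ne $target) {
            Set-ADUser -Identity $_ -HomeDirectory $target -HomeDrive $homeDrive -WhatIf
        }
    }
```

Running it with -WhatIf first gives you a per-user list of the changes before anything is written, which is the check you want on a bulk attribute update like this.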
When will the Windows Server 2008 Resource Kit utilities and tools be released?
Never. If it didn’t happen 3 years ago, it’s not going to happen now. The books do include helpful scripts and such, but the days of providing unsupported out of band reskit binaries are behind us - and it’s for the best. If you want to buy the 2008 books, here’s the place:
2008 Resource Kit - http://www.microsoft.com/learning/en/us/book.aspx?ID=10345&locale=en-us
2008 GP Resource Kit - http://www.microsoft.com/learning/en/us/book.aspx?ID=9556&locale=en-us
Something something something Auditing something something something.
While I find Windows security auditing quite interesting and periodically write about it, if you want retroactive answers to every common audit question you need to visit Eric Fitzgerald’s blog "Windows Security Logging and Other Esoterica”. Eric was once the PM of Windows Security auditing and helped design the new audit system in Vista/2008, then he moved on to helping design the Audit Collection Service, and gosh knows what he does now – he’d probably have to kill me after he told me. A million years ago, Eric was also a Support Engineer in my organization, so he knows your pain better than most Windows developers. Many questions I get asked about auditing have already been answered on his blog so give it a look before searching the rest of the Internet. Eric is also a funny, decent guy and a good writer – pick any blog post and you will learn something. I wish he wrote more often.
Finally, we had a nice visit this week from Tim Springston – yes, that Tim Springston. Tim’s been working on a new system designed to make it easier for you to open support cases and have them route correctly so he bored us to tears demo’ed all that to us. Make sure you stop by his blog and check it out.
Until next time.
Ned “fingers crossed on the blog migration” Pyle
KB
982879 - Microsoft Advisory Services Engagement Scenario - Internet Explorer 7 and 8 Group Policy Deployment
979230 - TCP connections fail intermittently when both endpoints are on the same computer in Windows Server 2003 SP2
982813 - How to restore IIS and clean up Active Directory when you uninstall Active Directory Federation Services 2.0
978309 - IPv6 transition technologies, such as ISATAP, 6to4 and Teredo do not work on a computer that is running Windows Server 2008 R2 Server Core
Blogs
Friday Mail Sack – Tweener Clipart Comics Edition
Why do I get ACCESS DENIED when running commands on a remote PS runspace?
DsRemoveDsDomainW error 0×2015 (The directory service can perform the requested operation only on a leaf object.)
NTLM V1… no, excuse me… NTLM V2… oh, no, you were right… it’s V1…
Component Service MMC hangs if a remote computer is offline
Windows 2008 R2 Recycle Bin support for FIM
Group Policy Setting of the Week 24 – Remove Properties from the Computer icon context menu
Update: Extend your Corporate Active Directory Boundary to your Blackberry!
Available now: Active Directory Federation Services 2.0
How to use Group Policy to configure home page – Part 3
Windows Azure Platform. Inside the Cloud. Microsoft's Cloud World Explained Part 2.
Linux Integration Services v2.1 Release Candidate Now Available
ADSIEdit does not show all attributes!?
Using BitLocker to Encrypt Removable Media (Part 3)
New Networking-related KB articles for the week of April 25 – May 1
Active Directory Mergers, Acquisitions, and Divestitures
Server Core: Best Practice for Applications on Windows Server
AD FS 2.0 Step-by-Step & How-To Guides
972779 - Some smart cards performing requests cause performance issues
978098 - Errors when you have a large "Folder Redirection" policy settings file in Windows Vista, in Windows 7, in Windows Server 2008, or in Windows Server 2008 R2
982822 - Some providers may receive an incorrect password value from the OLEDB32 component if the password in the connection string is blank in Windows 7 or in Windows Server 2008 R2
Wiki
Wiki Page: AD FS 2.0: Migrate Your AD FS Configuration Database to SQL Server
Wiki Page: Hyper-V: How to Configure Server Core using SCONFIG
Wiki Page: Hyper-V: Performance Guide
Wiki Page: Hyper-V: How to Find the Host of a VM
Migrated Users Get Prompted To Change Password at First Logon Even After Migrating Their Password with the PES
The Next Generation of AD Performance Analysis
Validating your AD Schema Prior to Upgrade (a Followup)
Friday Mail Sack – It’s About To Get Real Edition
Hey, Scripting Guy! Weekend Scripter: Configuring W32Time Service Logging
Considerations when upgrading your Active Directory to Windows Server 2008 and 2008 R2
Group Policy Setting of the Week 25 – Remove the Action Center icon
BPOS Deployments – notes from the field
What's next for Windows Server and beyond?
Announcing the Availability of Active Directory Federation Services 2.0 and Forefront Protection for SharePoint 2010
AD Clients Not Authenticating to its Local Site
Top 10 IAM Challenges for Heterogeneous Enterprises
Eugenio Pace on Identity Federation, WIF, and ADFS 2.0
Free Office Mobile 2010 for Windows Phones
Best Practices for Creating a Secure Guest Account on Windows 7
Choosing an Appropriate User State Virtualization Solution
PowerShell Resource Page at Windows IT Pro
Folder Redirection isn’t working correctly — the redirection targets the wrong server!
Select WMI
The very best Sysinternals tools for Windows server security
Hyper-V Best Practice Analyzer - What does it check
New Networking-related KB articles for the week of May 2 – May 8
New topic and script about testing for Active Directory schema extension conflicts
Adding claim mapping to existing provider in SPS 2010
Using Kerberos security with Server for NFS
Two Minute Drill: The Schtasks command
Windows Intune - Under the Hood
IPv6 transition technologies on Windows Server 2008 R2 Server Core
PowerShell and AD DS Best Practice Analyzer
Hello, Internetz. Jonathan here again. Ned didn’t tell you the whole story. Not only did I have to wait for the truth serum to wear off; I also had to chew my way out the straps. Nevertheless, I’ve emerged victorious and have again successfully stormed the AskDS gates and vanquished Ned. Don’t fear for the little Neebler, though. Yes, he’s been jammed into a steel drum along the side of one of our nation’s great highways, but he’s being fed well through the bung hole, mostly, and he has a nice view of the Interstate. I hope he enjoys playing Punch Buggy with himself.
Of course, knowing Ned, I give him about a week before he escapes, so let’s make the most of that time, shall we?
AskDS has been successfully migrated to our new blog platform. Unfortunately, the backup that was restored after the migration was older than we thought, so we appear to have lost some of our more recent posts. I’m working now to re-post those articles. Please let us know if I missed one.
--Jonathan “Pretender, Redux” Stephens
Hello there file server admins and datacenter monitoring gurus, Ned here again. After much skull sweat and gnashing of tooth, the File Services management pack for System Center Operations Manager 2007 has been released.
http://www.microsoft.com/downloads/details.aspx?FamilyID=3dc6188d-8a4c-4d0b-be85-8fe319b4693c&displaylang=en
This new MP covers:
It officially supports monitoring Windows Server 2008 R2 (although actually more, see the filecab link below), and is the younger brother of the 2003/2008 DFSR and DFSN management packs for SCOM 2007.
PS: Jonathan’s description below makes me think I’m in the last scene of Raiders of the Lost Ark…
Jonathan: We have top men working on it now. Mike: Who? Jonathan: Top... men.
Ned “Indiana” Pyle