Microsoft's official enterprise support blog for AD DS and more
Hi everyone. We have a few new KB articles that came out last week, and a few blog posts of interest.
Article ID  Title
2384558  Inheritance of ownership in Group Policy Management Console does not work as expected
2018583  Windows 7 or Windows Server 2008 R2 domain join displays error "Changing the Primary Domain DNS name of this computer to "" failed...."
909264  Naming conventions in Active Directory for computers, domains, sites, and OUs
981575  A memory leak occurs in a .NET Framework 2.0-based application that uses the AesCryptoServiceProvider class
982861  Availability of Windows Internet Explorer 9 Beta
2078942  The CertEnroll control does not work in Internet Explorer 8 on a computer that is running Windows 7 or Windows Server 2008 R2
2345551  The Active Directory system discovery process cannot detect a client if the DNS suffix of the client differs from its DNS domain name in System Center Configuration Manager 2007 SP2
RODC – Password Replication Policy and Password Management
Override the hardcoded LDAP Query limits introduced in Windows Server 2008 and Windows Server 2008 R2
Enable Change Notifications between Sites – How and Why?
Exploring the User State Migration Toolkit (USMT) 4.0
Hi, Russell here. When installing Active Directory Lightweight Directory Services (AD LDS) instances, it is quite possible to paint oneself into a corner rather quickly. That’s because LDS comes with minimal schema definitions. To truly make LDS useful to your applications, you must understand how best to take advantage of the included schema definition files.
When performing an LDS installation using the AD LDS Setup Wizard, you are offered several schema options:
When performing an installation using ADAM SP1, the following schema options are presented:
So how do you know which LDF files to select? Well seriously, it all depends upon your intentions, and I’m not talking about whether or not you want to ask our resident Elf out on a date.
Ideally, schema definition requirements should be defined by your application developers. But as an AD or server administrator it will greatly benefit you to assist in the decision-making process, as the choices made during install are permanent. So what to pick?
Let’s start with definitions of the basic LDF files included in ADAM SP1:
I leaned on the word “implementation” in a couple of those definitions. That’s because whenever we discuss Internet RFCs, there is much that’s open to interpretation due to the use of the words “should,” “may,” “shall,” etc. as defined in Key words for use in RFCs to Indicate Requirement Levels. I also pointed out that UserProxy.ldf is one of two ldf files required to use ADAM/LDS for Bind Redirection to Active Directory. That’s because MS-ADAMSyncMetadata.ldf is missing from the ADAM SP1 Setup Wizard. (So is UserProxyFull). Windows Server 2008 and Windows Server 2008 R2 include these additional schema definitions as part of the Setup Wizard:
What? Hidden from the installation wizard, you say? How can that be? Easy: there are actually several optional schema modifications contained within the Windows\ADAM installation directory. The LDF files are coded with “@@UI-Description: @@excludeFromList” to keep them out of the Setup Wizard GUI. In Windows Server 2008 R2, there are four other LDF files hidden from view:
These are actually some of the best files available. It is a shame they are hidden from view:
Now why would you need an enticing new 2008 R2 feature such as the Recycle Bin? Uh, I don’t know, perhaps you like to see your users disappear with no way to recover? (No system state backup, no recycle bin to catch mistakes.) I work nights; I see many disaster recoveries, not just for AD LDS, but for AD too. This nifty feature can save you time and money – and most importantly – your job. Until next time.
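Since the Setup Wizard never shows the excluded files, here is an added example (my own script, not part of Russell’s post) that lists every LDF file in the ADAM directory and flags the ones carrying the “@@excludeFromList” marker. It assumes the files live under Windows\ADAM as the post says, and that the marker sits in the first 40 lines of each file.

```powershell
# Added example: inventory the AD LDS / ADAM schema LDF files and report which
# ones the Setup Wizard hides. Directory and header length are assumptions.
function Get-AdamLdfSchemaFiles {
    param(
        [string] $AdamDirectory = (Join-Path $env:windir 'ADAM')
    )

    Get-ChildItem -Path $AdamDirectory -Filter '*.ldf' | ForEach-Object {
        $file = $_

        # The @@UI-Description marker is in the file header, so only the first
        # 40 lines are read (assumption; raise it if a file has a longer header).
        $header   = Get-Content -Path $file.FullName -TotalCount 40
        $descLine = $header | Where-Object { $_ -match '@@UI-Description:' } |
                    Select-Object -First 1

        $description = ''
        if ($descLine) {
            # Keep only the text after the marker, e.g. the wizard description
            # or the literal "@@excludeFromList".
            $description = ($descLine -split '@@UI-Description:', 2)[1].Trim()
        }

        New-Object PSObject -Property @{
            Name             = $file.Name
            HiddenFromWizard = ($description -like '*@@excludeFromList*')
            Description      = $description
        }
    }
}

# Hidden files first: these are the ones you would otherwise never learn
# about from the GUI.
Get-AdamLdfSchemaFiles |
    Sort-Object HiddenFromWizard -Descending |
    Format-Table Name, HiddenFromWizard, Description -AutoSize
```

Run it on a server with the AD LDS role (or ADAM SP1) installed; on a plain member server the ADAM directory does not exist and the function returns nothing.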
-Russell “Rusty aka R2 aka Spaniard” Despain
2021766  Windows Server 2008 R2 Outbound trusts with Windows NT 4.0 domains do not validate or function correctly
2002584  Unable to select DNS Server role when adding a domain controller into an existing Active Directory domain
2028835  Windows 7 RSAT: Multiple tabs are missing when viewing user properties in Active Directory Users and Computers
983539  MS10-068: Vulnerability in Local Security Authority Subsystem Service could allow elevation of privilege
981550  MS10-068: Description of the security update for Active Directory: September 2010
Friday Mail Sack: Barbados Edition (Author: Pyle, Ned)
Hear hear
Putting sites at the center of the browsing experience, using the whole PC: IE9 Beta Available for Download
Parent Child Differencing Disks in Hyper-V
How to delegate AD permission to Organizational Units using the PowerShell command Add-QADPermission
More on searching group policy
UPHClean v1.6 Security Vulnerability Fix
Adam Conkle has published some great troubleshooting, tips-and-tricks, and how-to articles on TechNet that should help you in evaluating and implementing Active Directory Federation Services.
AD FS - How to invoke a WS-Federation sign-out
AD FS 2.0 - "An unexpected error has occurred" error or blank page displayed attempting to log on to SharePoint, Event ID 23 logged
AD FS 2.0 - The service fails to start. "The service did not respond to the start or control request in a timely fashion. "
AD FS 2.0 - Query notification delivery failed because of the following error in service broker: 'The conversation handle "{GUID} is not found.'
Windows Identity Foundation (WIF) - FedUtil.exe on Windows Server 2003 fails with "Object Identifier (OID) is unknown."
AD FS 2.0 - Prompted for credentials when you are expecting to be allowed anonymous access
Windows Identity Foundation (WIF) - How to change certificate chain validation settings for web applications
AD FS 2.0 - How to set the Primary Federation Server in a WID Farm
AD FS 2.0 - The Admin event log shows Error 111 with System.ArgumentException: ID4216
Windows Identity Foundation (WIF) throws exception: "ID6018: Digest verification failed for reference"
AD FS 2.0 - Browsing to Federation Metadata fails "Unable to download federationmetadata.xml"
AD FS 2.0 - Continuously prompted for credentials when using FireFox 3.6.3
AD FS 2.0 - How to configure the SPN (servicePrincipalName) for the service account
AD FS 2.0 - Continuously prompted for credentials while using Fiddler Web Debugger
AD FS 2.0 - "Script is disabled. Click Submit to continue."
AD FS 2.0 - How to enable and immediately use AutoCertificateRollover
AD FS 2.0 - How to perform an unattended installation of an AD FS 2.0 STS or Proxy
AD FS 2.0 - The AD FS 2.0 Windows Service fails to start - Event 102 and 220 logged
AD FS 2.0 - How to manually run the AD FS 2.0 Initial Configuration
AD FS 2.0 - "ID4037: The key needed to verify the signature could not be resolved from the following security key identifier"
-- Jonathan "Ned's Blog Monkey" Stephens
Kip Ng gives the sometimes unpopular but ultimately best advice:
IT Operations: The Reasons Why You Don’t Want To Be Unique
OpsVault is a newish blog by PFEs talking about operational best practices; some of it is pretty common sense, some not so much. They raise topics that are worth some lively discussion (I sometimes wish the posts were a bit longer; commenting might encourage this). Give them a look.
- Ned "ok, now I'm really on vacation, I mean it" Pyle
Hello world, Ned here again. I’m back to write this week’s mail sack – just in time to be gone for the next two weeks on vacation and work travel. In the meantime Jonathan and Scott will be running the show, so be sure to spam the heck out of them with whatever tickles you. This week we discuss DFSR, Certificates, PKI, PowerShell, Audit, Infrastructure, Kerberos, NTLM, Active Directory Migration Tool, Disaster Recovery, and not-art.
Catluck en ’ dogluck!
I need to understand what the differences between the various AD string type attribute syntaxes are. From http://technet.microsoft.com/en-us/library/cc961740.aspx : String(Octet), String(Unicode), Case-Sensitive String, String(Printable), String(IA5) et al. While I understand each type represents a different way to encode the data in the AD database, it isn't clear to me:
Active Directory has to support data-storage needs for multiple computer systems that may use different standards for representing data. Strings are the most variable data to be encoded because one has to account for different languages, scripts, and characters. Some standards limit characters to the ANSI character set (8-bit) while others specify another encoding type altogether (IA5 or PrintableString for X.509, for example).
Since Active Directory needs to store data suitable for all of these various systems, it needs to support multiple encodings for string data.
Management/query/read/write differences will depend very much on how you access the directory. If you use PowerShell or ADSI to access the directory, some level of automation is involved to properly handle the syntax type. PowerShell leverages the System.String class of the .NET Framework which handles, pretty much invisibly, the various string types.
Also, when we are talking about the 255-character extended ANSI character set, which includes the Latin alphabet used in English and most European Languages, then the various encodings are pretty much identical. You really won't encounter much of a problem until you start working in 2-byte character sets like Kanji or other Eastern scripts.
Is it possible / advisable to run the CA service under an account different from SYSTEM with EFS enabled for some files that should not be read by system or would another solution be more appropriate?
No, running the CA service under any account other than Network Service is not supported. Users who are not trusted for Administrator access to the server should not be granted those rights.
[PKI and string type answers courtesy of Jonathan Stephens, the “Blaster” in our symbiotic “Master Blaster” relationship – Ned]
Tons of people are asking us about this article http://blogs.technet.com/b/activedirectoryua/archive/2010/08/04/conditions-for-kerberos-to-be-used-over-an-external-trust.aspx and whether it is true, false, confused, or what.
It’s complicated and we’re getting this ironed out. Jonathan is going to create a whole blog post on how User Kerberos can function perfectly without a Kerberos trust, with an NTLM trust, or with no trust at all. It’s all smoke and mirrors basically – you don’t need a trust in all circumstances to use User Kerberos. Heck, you don’t even have to use a domain-joined computer. For now, disregard that article please.
I followed the steps outlined in this blog post: http://blogs.msdn.com/b/ericfitz/archive/2005/08/04/447951.aspx. Works like a champ and I see the data correctly in the Event Viewer. But when I try to use PowerShell 2.0 on one of those Win2003 DCs with this syntax:
Get-EventLog -logname security -Newest 1 -InstanceId 566 | Where-Object { $_.entrytype -match "Success" } | Format-List
A bunch of the outputs are broken and unreadable (they look like un-translated GUIDs and variables). Like Object Type and Object Name, for example:
Ick, I can repro that myself.
This appears to be an issue in the PowerShell 2.0 Get-EventLog cmdlet on Win2003 where an incorrect value is being displayed. The issue does not occur on Win2008/2008 R2; I verified. Hopefully one of our Premier contract customers will report this issue so we can investigate further and see what the long term fix options are.
In the meantime though, here’s some sample workaround code I banged up using an alternative legacy cmdlet Get-WmiObject to do the same thing (including returning the latest event only, which makes this pretty slow):
Get-WmiObject -Query "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND EventCode = 566" | Sort-Object TimeWritten -Descending | Select-Object -First 1
Slower and more CPU intensive, but it works.
A better long term solution (for both auditing and PowerShell) is to get your DCs running Win2008 R2.
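The slowness comes from pulling and sorting the whole Security log just to keep one event. As an added example (mine, not from the mail sack answer), here is the same Win32_NTLogEvent workaround with a time window and the success-only filter pushed into the WQL query, so WMI only returns recent events. The function name, the -Hours window and the -ComputerName parameter are this example’s own; the event ID 566 is the one discussed above.

```powershell
# Added example: WMI-based replacement for Get-EventLog on Win2003 with the
# filtering done server-side in WQL rather than in the pipeline.
function Get-SecurityEventViaWmi {
    param(
        [int]    $EventCode    = 566,
        [int]    $Hours        = 1,     # look-back window (assumption)
        [int]    $Newest       = 1,
        [string] $ComputerName = '.'
    )

    # WQL compares timestamps in DMTF format (yyyyMMddHHmmss.ffffff+zzz).
    $since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime(
                 (Get-Date).AddHours(-$Hours))

    # EventType 4 = Security Audit Success (5 = Audit Failure), the WMI
    # equivalent of the Where-Object "Success" filter used with Get-EventLog.
    $wql = "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' " +
           "AND EventCode = $EventCode AND EventType = 4 " +
           "AND TimeWritten >= '$since'"

    Get-WmiObject -ComputerName $ComputerName -Query $wql |
        Sort-Object TimeWritten -Descending |
        Select-Object -First $Newest |
        ForEach-Object {
            New-Object PSObject -Property @{
                TimeWritten = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.TimeWritten)
                EventCode   = $_.EventCode
                User        = $_.User
                # Message is the rendered text; InsertionStrings are the raw
                # parameters (object type, object name, ...) in template order,
                # which is what Get-EventLog was mangling on Win2003.
                Message          = $_.Message
                InsertionStrings = $_.InsertionStrings
            }
        }
}

# Newest successful event 566 from the last day on the local DC.
Get-SecurityEventViaWmi -EventCode 566 -Hours 24 | Format-List
```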
Do you have suggestions for pros/cons on breaking up a large DFSR replication group? One of our many replication groups has only one replicated folder. Over time that folder has gotten to be a bit large with various folders and shares (hosted as links) nested within. Occasionally there are large changes to the data and the replication backlog obviously impacts the ENTIRE folder. I have thought about breaking the group into several individual replication folders, but then I begin to shudder at the management overhead and monitoring all the various backlogs, etc.
There’s no real easy answer – any change of membership or replicated folder within an RG means a resync of replication; the boundaries are discrete and there’s no migration tool. A growing backlog won’t be helped by more or fewer RG/RF combos though, unless the new RG/RFs involve totally different servers. Since the DFSR service’s inbound/outbound file transfer model is per server, moving things around locally doesn’t change backlogs significantly*.
So:
* As a regular reader though, I imagine you’ve already seen this, which has some other ways to speed things up; that may help some of the choke ups:
http://blogs.technet.com/b/askds/archive/2010/03/31/tuning-replication-performance-in-dfsr-especially-on-win2008-r2.aspx
Is there an Add-QADPermission (from Quest) equivalent command in AD PowerShell?
There is not a one-to-one cmdlet. But it can be done:
http://blogs.msdn.com/b/adpowershell/archive/2009/10/13/add-object-specific-aces-using-active-directory-powershell.aspx
It is – to be blunt – a kludge in our current implementation.
I am working on an inter-forest migration that will involve a transitional forest hop. If I have to move the objects a second time to get them from a transition forest into our forest, then will I lose the original SID History that is in the SID History attribute?
You will end up with multiple SID history entries. It’s not uncommon to see customers who have been through multiple acquisitions and mergers end up with multiple SID history entries. As far as authorization goes, it works fine, and having more than one is fine:
http://msdn.microsoft.com/en-us/library/ms679833(VS.85).aspx
Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and that new SID becomes the objectSID. The previous SID is added to the sIDHistory property.
The real issue is user profiles. You have to make sure that ADMT profile translation is performed so that after users and computers are migrated the ProfileList registry entries are updated to use the user’s real current SID info. If you do not do this, when you someday need to use USMT to migrate data it will fail as it does not know or care about old SID history, only the SID in the profile and the current user’s real SID.
And then you will be in a world of ****.
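To catch this before USMT does, here is an added example (my own, not from the mail sack answer) that runs on a migrated workstation and lists the ProfileList entries whose SID is no longer any account’s current objectSid but still appears in some account’s sIDHistory, i.e. profiles that ADMT profile translation has not updated. It assumes the AD PowerShell module is available and that the machine is joined to the target domain; the function name is this example’s own.

```powershell
# Added example: find local profiles still keyed by a pre-migration SID.
# Requires the ActiveDirectory module (Windows Server 2008 R2 / Win7 RSAT).
Import-Module ActiveDirectory

function Get-StaleProfileListEntries {
    $profileListPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

    # Each user profile on this machine is a subkey named after its SID;
    # S-1-5-21-* skips the built-in SYSTEM/LocalService/NetworkService entries.
    $localProfiles = Get-ChildItem -Path $profileListPath |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' }

    foreach ($profile in $localProfiles) {
        $sid  = $profile.PSChildName
        $path = (Get-ItemProperty -Path $profile.PSPath).ProfileImagePath

        # Still somebody's current SID in this domain? Then the profile is fine.
        # (AD accepts the string SID form in LDAP filters for SID attributes.)
        $current = Get-ADObject -LDAPFilter "(objectSid=$sid)" -ErrorAction SilentlyContinue
        if ($current) { continue }

        # Otherwise see whether it survives only as a sIDHistory value, which
        # is exactly the profile USMT will later refuse to migrate.
        $migrated = Get-ADObject -LDAPFilter "(sIDHistory=$sid)" `
                        -Properties objectSid, sIDHistory -ErrorAction SilentlyContinue |
                    Select-Object -First 1

        $migratedTo   = '(no matching account in this domain)'
        $currentSid   = $null
        $historyCount = 0
        if ($migrated) {
            $migratedTo   = $migrated.DistinguishedName
            $currentSid   = $migrated.objectSid.Value
            $historyCount = @($migrated.sIDHistory).Count
        }

        New-Object PSObject -Property @{
            ProfileSid      = $sid
            ProfilePath     = $path
            MigratedTo      = $migratedTo
            CurrentSid      = $currentSid
            SidHistoryCount = $historyCount
        }
    }
}

Get-StaleProfileListEntries |
    Format-Table ProfileSid, CurrentSid, SidHistoryCount, ProfilePath -AutoSize
```

Any row with a CurrentSid is a profile that still needs ADMT profile translation; rows with no matching account usually belong to users who were never migrated.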
Picture courtesy of the IRS
Do you know if there is any problem with creating a DNS record with the name ldap.contoso.com name? Or maybe there will be some problems with other components of Active Directory if there is a record called “LDAP”?
Windows certainly will not care and we’ve had plenty of customers use that specific DNS name. We keep a document of reserved names as well, so if you don’t see something in this list, you are usually in good shape from a purely Microsoft perspective:
909264 Naming conventions in Active Directory for computers, domains, sites, and OUs http://support.microsoft.com/default.aspx?scid=kb;EN-US;909264
This article is also good for winning DNS-related bar bets. If you drink at a pub called “The Geek and Spanner”, I suppose…
This is not that pub
I'm currently working on a migration to a Windows Server 2008 R2 AD forest – specifically the Disaster Recovery plan. Is it a good idea to take one of the DCs offline, and after every successful "adprep operation" bring it back online? Or, in case something goes bad, use this offline one to recreate the domain?
The best solution is to put these plans in place:
Planning for Active Directory Forest Recovery http://technet.microsoft.com/en-us/library/planning-active-directory-forest-recovery(WS.10).aspx
That way no matter what happens under any circumstances (not just adprep), you have a way out. You can’t imagine how many customers we deal with every day that have absolutely no AD Disaster Recovery system in place at all.
How did you make this kind of picture in your DFSR server replacement series?
[From a number of readers]
MS Office to the rescue for a non-artist like me. This is a modified version of the “relaxed perspective” picture format preset.
1. Create your picture, then select it and use the Picture Tools Format ribbon tab.
2. Use the arrows to see more of the style options, and you’ll see the one called “Relaxed Perspective, White”. Select that and your picture will now look like a three dimensional piece of paper.
3. I find that the default is a little too perspective though, so right-click it and select “Format Picture”.
4. Use the 3-D Rotation menu to adjust the perspective and Y axis.
You can get pretty crazy with Office picture formatting.
Why yes sir, we do have plastic duck eight-ball clipart. Just the one today?
See you all in a few weeks,
Ned “please don’t audit me, I was kidding” Pyle
Only one new KB article of interest this week:
2157973  The Security event that has Event ID 4625 does not contain the user account name on a computer that is running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2
And the only blogs to note are Ned’s series on Replacing DFSR Member Hardware or OS:
Hey all, Ned here again. A few of you asked if the series around DFSR server replacements would have a “portable” version. I banged those up in DOCX, XPS, and PDF formats. Pick your poison below.
And just so you have one spot to link in Favorites, here are all five parts:
Thanks and I hope you enjoyed the series.
- Ned “holy crap, this was 54 pages with thinned margins” Pyle