Friday Mail Sack: Not Particularly Terrifying Edition

Hiya folks, Ned here again. In today’s Mail Sack I discuss SP1, DFSR, GPP passwords, USMT, backups, AD disk configurations, and the importance of costumed pets.

Boo.

Question

Should it be safe to use the Windows 7 and Windows Server 2008 R2 Service Pack 1 Release Candidate builds in production? They came out this week and it looks like it’s pretty close to being done.

Answer

No. This build is for testing only, just like the beta. The EULA specifically states that this is not for production servers and you will get no support running it in those environments.

For more info and test support:

Question

I need to ramp up on USMT for our planned Windows 7 rollout early next year. I’ve found a lot of documentation but do you have recommendations on how I can learn it progressively? I know nothing about USMT so I’m not sure where to start.

Answer

I would recommend going this route:

Intro

  1. What Does USMT Migrate?
  2. Common Migration Scenarios
  3. Quick Start Checklist
  4. Step-by-Step: Basic Windows Migration using USMT for IT Professionals
  5. Step-by-Step: Offline Migration with USMT 4.0
  6. How USMT Works
  7. Requirements

Intermediate

  1. ScanState Syntax
  2. LoadState Syntax
  3. Config.xml File
  4. Create a Custom XML File
  5. Customize USMT XML Files
  6. USMT Custom XML the Free and Easy Way
  7. Exclude Files and Settings
  8. Include Files and Settings
  9. Reroute Files and Settings
  10. Migrate EFS Files and Certificates
  11. Offline Migration
  12. USMT, OST, and PST
  13. Understanding USMT 4.0 Behavior with UEL and UE
  14. Controlling USMT Desktop Shell Icon Behavior from XP (and how to create registry values out of thin air)
  15. Get Shiny with USMT: Turning the Aero Theme on During XP to Windows 7 Migration

Advanced

  1. Conflicts and Precedence
  2. Recognized Environment Variables
  3. USMT and /SF
  4. XML Elements Library

Troubleshooting

  1. Common Issues
  2. USMT 4.0: Cryptic Messages with Easy Fixes
  3. Don’t mess about with USMT’s included manifests!
  4. Log Files
  5. Return Codes
  6. USMT 4.0 and Custom Exclusion Troubleshooting
  7. USMT 4 and WinPE: Common Issues

Question

Is there a way to generate a daily DFSR health report?

Answer

You can use DFSRADMIN.EXE HEALTH NEW <options> as part of a Scheduled Task to generate a report every morning before you get your coffee.


Question

Is there any good reason to separate the AD Logs, DB and SYSVOL onto separate drives? Performance maybe?

Answer

Thomas Aquinas would have made a good DS engineer:

"If a thing can be done adequately by means of one, it is superfluous to do it by means of several; for we observe that nature does not employ two instruments [if] one suffices."

We’ve not really pursued that performance line of thinking as it turned out to be of little value on most DCs: AD’s database and logs are mostly static. In most environments, for every write to an AD DB there are thousands of reads. If your average disk read/write is under 25ms for any disks that hold the AD database and its transaction logs, you are in the sweet spot. LSA tries to load as much of the DB into physical RAM as possible and it also keeps common query and index data in physical memory, so disk performance isn’t very relevant unless you are incredibly starved for RAM. Server hardware is so much better now than when AD was invented that it’s just hard to buy crappy equipment – this isn’t Exchange or SQL where every little bit counts.

Guidance around separating the files for SYSVOL was always pretty suspicious. That data is glacially static (in most environments it might only see a few changes a year, if ever). It has almost no data being read during GP processing either so disk performance is almost immaterial. I have never personally worked a case of a slow disk subsystem making GP processing slow.

We still provide plenty of space guidance though, and that might make you need to separate things out:

http://technet.microsoft.com/en-us/library/cc753439(WS.10).aspx

Since Win2008 and later made it so easy to grow and shrink volumes though, even that is not a big deal anymore.

Question

We are looking to make some mass refreshes to our local admin passwords on servers and workstations. Initially I started looking at some 3rd party tools, but they are a little pricey. Then I recalled the "Local Users and Groups" option in Group Policy preferences. However, I have seen some rumblings on the Internet about the password stored in the XML being not completely secure.

Answer

We consider that password system in GPP XML files “obscured” rather than “securely encrypted”.

The password is obfuscated with AES-256: it is encrypted, but with a fixed symmetric key that is publicly known, so anyone who can read the XML file can recover the password. If you were to control permissions to the GP folder containing the policy (so that it no longer had “Authenticated Users” or any other user groups with READ access) as well as use IPSEC to protect the traffic on the wire, it would be reasonably secure from anyone but admins and the computers themselves. Alan Burchill goes into a clever GPP technique for periodic password changes here:

How to use Group Policy Preferences to set change Passwords

He also makes the excellent point that a reasonably secure periodic password change system is better than just having the same password unchanged for years on end! Again, I would add to his example that using IPSEC and removing the “Authenticated Users” group from that group policy’s folder in SYSVOL (and replacing it with “Domain Computers”) is healthy paranoia.
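As an added example (not from the original post, and not Alan Burchill’s code), this PowerShell script audits SYSVOL for Group Policy Preferences XML files that still carry an obscured password and reports whether Authenticated Users retain read access to the owning GPO folder, the permission the answer above recommends removing. It assumes the standard SYSVOL layout and a domain-joined machine with domain admin rights; the cpassword attribute name comes from the GPP XML schema rather than from this page.

```powershell
# Added example, not from the original post: find GPP XML files in SYSVOL that still
# carry an obscured password (cpassword attribute) and check whether Authenticated
# Users can read the owning GPO folder, the permission the answer recommends removing.
# Assumptions: run as a domain admin on a domain-joined machine; standard SYSVOL layout;
# $Domain defaults to the current user's DNS domain.
param(
    [string]$Domain = $env:USERDNSDOMAIN
)

$policyRoot = "\\$Domain\SYSVOL\$Domain\Policies"
$authUsers  = 'NT AUTHORITY\Authenticated Users'

Get-ChildItem -Path $policyRoot -Recurse -Filter '*.xml' -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -match '\\Preferences\\' } |
    ForEach-Object {
        $file = $_
        try   { $xml = [xml](Get-Content -Path $file.FullName -Raw) }
        catch { Write-Warning "Skipping unparsable file $($file.FullName)"; return }

        # Any element with a non-empty cpassword attribute means a password is stored on disk
        $hits = @($xml.SelectNodes('//*[@cpassword]') | Where-Object { $_.cpassword -ne '' })
        if ($hits.Count -eq 0) { return }

        # The GPO folder is the {GUID} directory directly under Policies
        $gpoFolder = $file.FullName -replace '\\(Machine|User)\\Preferences\\.*$', ''

        # Does an Allow ACE for Authenticated Users still grant ReadData on that folder?
        $readAce = (Get-Acl -Path $gpoFolder).Access | Where-Object {
            $_.IdentityReference.Value -eq $authUsers -and
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band [int][System.Security.AccessControl.FileSystemRights]::ReadData)
        }

        [pscustomobject]@{
            File                   = $file.FullName
            PasswordEntries        = $hits.Count
            GpoFolder              = $gpoFolder
            AuthenticatedUsersRead = [bool]$readAce
        }
    } | Format-Table -AutoSize
```

A row with AuthenticatedUsersRead = True is a policy folder whose obscured password every domain user can still read; those are the folders to re-ACL first.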

Official ruling here, regardless of above:

http://blogs.technet.com/b/grouppolicy/archive/2009/04/22/passwords-in-group-policy-preferences-updated.aspx

Try to not get spit all over me when you scream in the Comments section…

Question

Can DFSR read-only folders be backed up incrementally? Files’ Archive bits never change when I run a backup, so how can the backup software know to only grab changed files?

Answer

Absolutely. And here’s a treat for you:

The Archive bit has been dead since Windows Vista.

If you run a backup on a non-read-only replicated folder (or anywhere else) while using Windows Server Backup you will notice that the Archive bit never gets dropped either. The Volume Shadow Service instead uses the NTFS USN journal to track files included in incremental backups. Some backup solutions might still use Archive bits, but Windows does not – it is dangerous to rely on it as so many third party apps (or even just users) can clear the attribute and break your backups. There’s next to no TechNet info on this out there, but SriramB (the lead developer of DPM) talks about this at length:

http://social.technet.microsoft.com/Forums/en-US/windowsbackup/thread/df7045fb-9d88-453c-93c0-5e0613107d89

Now obviously, you cannot restore files directly into a read-only replicated folder as the IO blocking driver won’t allow it. If you try with WSB it will report error “Access is Denied”.


If you are restoring a backed up read-only replica, you have two options:

  1. Convert that replicated folder back to read-write temporarily, restore the data and allow it to replicate out, then set the folder back to read-only.
  2. Restore the data to an alternate location and copy or move it into the read-write replicated folder.

 

As for other randomness…

Best Comeback Comment of the Year

From our recent hiring post:

Artem -

Crap. You know, I've recently joined Microsoft here in Russia. And guess what? No free Starbucks!

NedPyle -

Congrats on the job. Sorry about the Starbucks. I'm sure there's a vodka dispenser joke here somewhere, but I'll leave that to you. :-P

Artem -

Yep, it's in the Samovar right in the lobby hall. The problem is like in any big company there's a policy for everything. And in today's tough economy, free vodka is reserved for customer meetings only. Usually a policy is not a big problem, but not this one. It is enforced by bear guards.

Halloween

For those of you that aren’t from the US, Ireland, Canada, and the Isle of Limes: this week marks the Halloween holiday where kids dress up in costumes and run around getting free candy from neighbors. If you get stiffed on candy, it’s your responsibility to burn down that neighbor’s house. Wait, that’s just Detroit.

It’s also an opportunity for people who were born without the shame gene to dress up their animals in cute outfits. Yay Internet! Here are some good ones for the dog lovers.

[Dog costume photos: from http://www.dogbirthdaysandparties.com, http://www.premierphotographer.com, http://www.dreamdogs.co.uk (dog_sleepyhollow) and http://www.gearfuse.com (potterdog)]

Cat lovers can get bent.

And finally, don’t forget to watch Night of the Living Dead, courtesy of the excellent Archive.org and the public domain law. Still Romero’s best zombie movie ever. Which makes it the best zombie movie ever. You must do it with all lights off, preferably in a house in the woods.

- Ned “ghouls night out” Pyle

  • At customers who have distributed local admins doing GP adds/changes I've been putting their SYSVOLs on a separate volume only to protect the OS and DIT/TX logs from an inadvertent (or adverent) DDOS when someone fills up the volume by putting <insert junk> in their policy's sysvol folder.

  • Great post!!!

    I benefited from all 6 Q&As.

    I would like to see the destination directory removed from the next version of the DCpromo Wizard. There are a lot of old rumblings out there about moving the NTDS folder and this prompt reinforces this confusion. Or perhaps only show it when the advanced checkbox is selected on screen 1.

    I follow the Exchange Server best practice of ensuring your DCs have enough RAM to load the entire AD database – not hard with x64 servers.

  • Have you looked at using FSRM quotas bdesmond? It won't stop admins totally, but it will stop these kinds of "accidents".

    Thanks Mike :). That's an interesting idea and I'd tend to agree (why show a UI that you recommend and expect no one change by default). I'll look into that.

  • My personal favorite for setting local passwords is the passgen tool. The only disadvantage of this tool is that it's obviously not supported. All other characteristics are superior. It's free. It's rather trustworthy since both its authors were MS employees and security MVPs in the past. It provides many interesting options -- from setting completely random passwords within predefined length and character sets (my favorite) to generating custom unique passwords for every machine, which are both secure and backward-restorable (if you know the key, of course).