Random thoughts of a Premier Field Engineer

  • The Cobbler’s Children have no shoes

    When I was younger, I heard the phrase “The cobbler’s children have no shoes” and similar sayings which imply that people within a particular industry are frequently less likely to want to use their skills at home when they’re not working. I was reminded of this a few weeks ago while I was on vacation. I logged onto my work computer and noticed that I was unable to connect to work via DirectAccess. Upon further investigation, I noticed that the IP Helper service wasn’t running and that there did not appear to be any settings for DirectAccess present on the computer.

    “No problem,” I thought, I’ll just connect via VPN, run “klist -li 0x3e7 purge” to flush my computer’s Kerberos tickets, and refresh GPOs via “gpupdate /force”. Instead of success, I see the following:

    C:\windows\system32>gpupdate /force
    Updating policy...

    Computer policy could not be updated successfully. The following errors were encountered:

    The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LocalGPO. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.
    User Policy update has completed successfully.

    To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

    C:\windows\system32>

    Since I was able to accomplish what I needed over VPN and wanted to get back to not working, I decided to just leave the computer connected over VPN, cross my fingers, and look back on it in a few days.   Things always work better after being left alone, right?   The next day, I rebooted and tried again, but saw the same message.   This left me with a difficult decision, spend vacation time troubleshooting my own computer, or turn it off and deal with it later.   I turned it off.

    A few days later, I powered on the computer again and found that things hadn’t changed yet.   I connected via VPN and tried another “GPUPDATE /force”, and found that things were still no different.   This time I had some time that I could spend on troubleshooting the problem and decided to take a look.   In the Event Logs, I see an SCECLI 1704 telling me that the GPOs applied successfully.  

    Frustrated that I’m getting an error in one window while another tells me that everything is fine, I do what anyone troubleshooting while on vacation does…I powered off the computer and went back to not working.

    A couple of days later, I powered on the laptop and found the symptoms had not yet changed.   This time, I decided that I needed to fix the problem.   I opened up a browser and went to bing.com so that I could do a search for the error.   Between the first three results, I was able to find my solution.   I found two hits to TechNet articles which described the same message, but had a variable listed where mine had “LocalGPO”, and I also did not have the event log entries that they referred to.   Those entries were:

    http://technet.microsoft.com/en-us/library/dd392577(v=ws.10).aspx
    http://technet.microsoft.com/en-us/library/dd392529(WS.10).aspx

    The other link was more helpful and contained the exact error, including that the problem was with “LocalGPO”.   That post was: 

    http://rays-it.blogspot.com/2011/03/event-1096-processing-of-group-policy.html

    It directed me to the file registry.pol under C:\Windows\System32\GroupPolicy.    I looked into that directory and found the following:

    C:\windows\system32>cd GroupPolicy\machine

    C:\Windows\System32\GroupPolicy\Machine>dir
      Volume in drive C is OSDisk
      Volume Serial Number is 38AD-4B6E

    Directory of C:\Windows\System32\GroupPolicy\Machine

    10/09/2012  05:18 PM    <DIR>          .
    10/09/2012  05:18 PM    <DIR>          ..
    10/09/2012  05:18 PM               552 comment.cmtx
    12/13/2012  03:29 PM                 0 Registry.pol
    08/29/2012  11:55 AM    <DIR>          Scripts
                   2 File(s)            552 bytes
                   3 Dir(s)   5,458,456,576 bytes free

    C:\Windows\System32\GroupPolicy\Machine>

    Since I was using an elevated command prompt, I tried a rename of the registry.pol file followed by re-applying of the GPOs:

    C:\Windows\System32\GroupPolicy\Machine>ren registry.pol registry_pol.bak

    C:\Windows\System32\GroupPolicy\Machine>dir
      Volume in drive C is OSDisk
      Volume Serial Number is 38AD-4B6E

    Directory of C:\Windows\System32\GroupPolicy\Machine

    12/27/2012  11:20 PM    <DIR>          .
    12/27/2012  11:20 PM    <DIR>          ..
    10/09/2012  05:18 PM               552 comment.cmtx
    12/13/2012  03:29 PM                 0 registry_pol.bak
    08/29/2012  11:55 AM    <DIR>          Scripts
                   2 File(s)            552 bytes
                   3 Dir(s)   5,458,456,576 bytes free

    C:\Windows\System32\GroupPolicy\Machine>gpupdate /force
    Updating policy...

    Computer Policy update has completed successfully.
    User Policy update has completed successfully.


    C:\Windows\System32\GroupPolicy\Machine>

    Finally, the GPOs applied successfully.   I was then able to start the IP Helper service and it stayed running.   I looked and saw that my computer was now connected to work via DirectAccess. 
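    The zero-byte Registry.pol in the directory listing above is the whole story: the Group Policy engine expects that file to start with a “PReg” header followed by [key;value;type;size;data] records (the layout documented in MS-GPREG), and a zero-byte file has neither. The following is an added example, not code from this post, that parses that layout and gives a one-line verdict so the same condition can be spotted in a health check before gpupdate fails; the sample policy entries it builds are constructed for the demonstration.

```python
import struct
from pathlib import Path
from typing import List, Tuple

# registry.pol layout (MS-GPREG): an 8-byte header ("PReg" + version 1) followed by
# UTF-16LE records of the form [key;value;type;size;data], where key and value are
# NUL-terminated UTF-16LE strings, type and size are little-endian DWORDs, and data
# is `size` raw bytes. A zero-byte file has no header at all, which is the state
# the Group Policy engine refused to process in the post above.
PREG_SIGNATURE = b"PReg"
PREG_VERSION = 1
REG_SZ = 1
REG_DWORD = 4

Entry = Tuple[str, str, int, bytes]  # (key, value name, registry type, raw data)


def _u16(text: str) -> bytes:
    return text.encode("utf-16-le")


def build_pol(entries: List[Entry]) -> bytes:
    """Serialise entries into registry.pol bytes (used here to construct test input)."""
    body = bytearray()
    for key, value, rtype, data in entries:
        body += _u16("[") + _u16(key) + b"\x00\x00" + _u16(";")
        body += _u16(value) + b"\x00\x00" + _u16(";")
        body += struct.pack("<I", rtype) + _u16(";")
        body += struct.pack("<I", len(data)) + _u16(";")
        body += data + _u16("]")
    return PREG_SIGNATURE + struct.pack("<I", PREG_VERSION) + bytes(body)


def _expect(blob: bytes, pos: int, ch: str) -> int:
    if blob[pos:pos + 2] != _u16(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2


def _read_string(blob: bytes, pos: int) -> Tuple[str, int]:
    end = pos
    while True:
        if end + 2 > len(blob):
            raise ValueError(f"unterminated string at offset {pos}")
        if blob[end:end + 2] == b"\x00\x00":
            return blob[pos:end].decode("utf-16-le"), end + 2
        end += 2


def _read_dword(blob: bytes, pos: int) -> Tuple[int, int]:
    if pos + 4 > len(blob):
        raise ValueError(f"truncated DWORD at offset {pos}")
    return struct.unpack_from("<I", blob, pos)[0], pos + 4


def parse_pol(blob: bytes) -> List[Entry]:
    """Parse registry.pol bytes; raises ValueError on an empty or malformed file."""
    if len(blob) == 0:
        raise ValueError("file is zero bytes (no PReg header)")
    if len(blob) < 8 or blob[:4] != PREG_SIGNATURE:
        raise ValueError("missing PReg signature")
    version = struct.unpack("<I", blob[4:8])[0]
    if version != PREG_VERSION:
        raise ValueError(f"unsupported version {version}")
    entries: List[Entry] = []
    pos = 8
    while pos < len(blob):
        pos = _expect(blob, pos, "[")
        key, pos = _read_string(blob, pos)
        pos = _expect(blob, pos, ";")
        value, pos = _read_string(blob, pos)
        pos = _expect(blob, pos, ";")
        rtype, pos = _read_dword(blob, pos)
        pos = _expect(blob, pos, ";")
        size, pos = _read_dword(blob, pos)
        pos = _expect(blob, pos, ";")
        data = blob[pos:pos + size]
        if len(data) != size:
            raise ValueError(f"truncated data at offset {pos}")
        pos += size
        pos = _expect(blob, pos, "]")
        entries.append((key, value, rtype, data))
    return entries


def check_pol(blob: bytes) -> str:
    """One-line verdict for a registry.pol blob, suitable for a health check."""
    try:
        entries = parse_pol(blob)
    except ValueError as exc:
        return f"INVALID: {exc}"
    return f"OK: {len(entries)} policy entries"


def check_pol_file(path: str) -> str:
    """Check a registry.pol on disk, e.g. C:\\Windows\\System32\\GroupPolicy\\Machine\\Registry.pol."""
    return check_pol(Path(path).read_bytes())


# Constructed sample: a minimal local policy with one DWORD and one string value.
SAMPLE_ENTRIES: List[Entry] = [
    ("Software\\Policies\\Example", "EnableFeature", REG_DWORD, struct.pack("<I", 1)),
    ("Software\\Policies\\Example", "Banner", REG_SZ, _u16("Hello") + b"\x00\x00"),
]

if __name__ == "__main__":
    print(check_pol(build_pol(SAMPLE_ENTRIES)))  # OK: 2 policy entries
    print(check_pol(b""))                         # INVALID: file is zero bytes (no PReg header)
```

    Pointing check_pol_file at the Machine\Registry.pol path from the listing would have reported “INVALID: file is zero bytes” straight away; the rename-and-gpupdate fix shown next works because the Group Policy client regenerates the file from the applied policy.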

    So after trying the tried and true troubleshooting techniques of rebooting and ignoring the problem, I was finally able to do a web search and had my answer in just a few minutes.  Maybe I should have started with that.   Maybe next time.   But spending time troubleshooting computers at home, even work computers, is just not how I wanted to spend my time-off.   The old adage is true:   The Cobbler’s children have no shoes.

  • Why are they in there? One customer’s tale of reducing the membership of their Domain Admins Group.

    This week I was onsite with a customer performing a visit called the Risk and Health Assessment Program for Active Directory (ADRAP). Within the ADRAP, we collect data on many aspects of their Active Directory environment and discuss a wide variety of topics. One of the things that we look at is the membership of the various built-in administrative groups which exist within an Active Directory domain. A conversation I nearly always have with customers as we review the members of these groups is what strategies they can leverage to reduce the number of members in groups such as Administrators and Domain Admins, delegating the permissions that classes of users need wherever possible instead of placing them into groups which grant more rights and privileges than they actually need to perform their functions. This holds as true for accounts used by flesh-and-blood users as it does for service accounts. If accounts need to be part of the local Administrators group on a subset of machines, don’t place those accounts into Domain Admins; leverage Group Policy Preferences to add them to the local Administrators group and target the GPO to the desired subset of machines. We discuss delegating specific rights within Active Directory as necessary, and a variety of other strategies they can use so that accounts have the rights and privileges required to function without additional rights or paths to escalation. We also discuss the rights granted to the default built-in groups and how and when those can and should be leveraged.

    This particular customer needs the users who work within their Network Operations Center (NOC) to be able to handle the front-line sorts of tasks for the end-users within the environment. This includes tasks such as unlocking accounts, changing passwords, joining computers to the domain, etc. One of the steps that they took to provide these users the rights that they needed was to leverage the built-in group Account Operators. They also need users in the NOC to be able to perform these same functions against their peers. What they discovered was that while membership in Account Operators met their needs for managing the general end-users, it did not meet their need of being able to manage their peers. They also recognized that it would be beneficial if the NOC could unlock the accounts of Domain Admins when those users locked themselves out. (As happens at many customers, they admittedly have more accounts in the Domain Admins group than they would prefer; some of these accounts are only periodically used and the users with those accounts do not always remember their password.) Their solution to these shortcomings of the Account Operators group was one chosen by many customers, and generally not considered optimal: they added the accounts of the NOC Leads to the Domain Admins group. Let’s put that another way: in order to be able to manage the accounts which they’d prefer not to have put into the Domain Admins group in the first place, they put more accounts into the Domain Admins group. If this sounds familiar to you, it is likely because you’ve either seen or worked in an environment where this same decision was made, or know someone who has. (No judgments from me about this sort of situation; I’ve worked in places with even worse reasoning for putting massive numbers of accounts into Domain Admins.)

    We decided to break their two requirements into each part and look at them individually.  There is a common component to both aspects, but we addressed them as separate parts.

    First we looked into why the people in their NOC were unable to manage their coworker’s accounts.   This is because these accounts had transitive membership into the built-in group Account Operators.   It was the membership in the Account Operators group which caused the SDProp process to run for these accounts and remove the inheritance which would have normally allowed Account Operators to manage user accounts.   But without the inheritance, they could not manage their peers and it was because of this that their NOC Leads were added into Domain Admins.   We discussed SDProp and AdminSDHolder and they decided that to meet their business need of having these accounts be able to manage each other when required, we would leverage the dsHeuristics attribute to exclude Account Operators from AdminSDHolder.   We leveraged KB 817433 as our guide and set dsHeuristics to a value of 0000000001000001.  This excluded the accounts from the SDProp thread setting their ACE to match that of AdminSDHolder every time the thread runs on the PDC Emulator.   We then had to set the adminCount attribute of the accounts from 1 to 0 (Zero) so that SDProp would stop running for the accounts, and then finally re-enable inheritance on the accounts.   This we did in their test forest with some test accounts, but the process will be repeatable for them in their production forest.   We were then able to verify that these accounts with membership in Account Operators could now manage each other, but had no rights for any of the other protected groups (such as Domain Admins).
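    The dsHeuristics change above hinges on one character: the 16th character (dwAdminSDExMask, per KB 817433) is a hex digit whose bits select which of the four operator groups SDProp should stop protecting (1 = Account Operators, 2 = Server Operators, 4 = Print Operators, 8 = Backup Operators), and every 10th character must equal its position divided by 10 (the 10th is “1”, the 20th “2”, and so on). The following is an added example, not part of this post or any Microsoft tool, that decodes an existing value and builds the value needed for a given set of excluded groups while keeping any other characters already present; the value 0000000001000001 from the paragraph above is used as the test input.

```python
from typing import Iterable, Set

# Bit values of the 16th dsHeuristics character (dwAdminSDExMask), per KB 817433.
ADMIN_SD_EX_BITS = {
    1: "Account Operators",
    2: "Server Operators",
    4: "Print Operators",
    8: "Backup Operators",
}
NAME_TO_BIT = {name: bit for bit, name in ADMIN_SD_EX_BITS.items()}
ADMIN_SD_EX_POS = 16  # 1-based character position within dsHeuristics


def validate_ds_heuristics(ds: str) -> str:
    """Enforce the rule that every 10th character equals its position / 10 ('1', '2', ...)."""
    for i in range(10, len(ds) + 1, 10):
        expected = str(i // 10)
        if ds[i - 1] != expected:
            raise ValueError(f"character {i} must be {expected!r}, found {ds[i - 1]!r}")
    return ds


def excluded_operator_groups(ds: str) -> Set[str]:
    """Operator groups whose members SDProp leaves alone (not stamped with the AdminSDHolder ACL)."""
    if len(ds) < ADMIN_SD_EX_POS:
        return set()  # attribute absent or too short: default behaviour, nothing excluded
    validate_ds_heuristics(ds)
    mask = int(ds[ADMIN_SD_EX_POS - 1], 16)
    return {name for bit, name in ADMIN_SD_EX_BITS.items() if mask & bit}


def with_excluded_groups(ds: str, groups: Iterable[str]) -> str:
    """dsHeuristics value that excludes exactly `groups`; characters outside position 16 are kept."""
    mask = 0
    for name in groups:
        if name not in NAME_TO_BIT:
            raise ValueError(f"{name!r} is not one of the four operator groups")
        mask |= NAME_TO_BIT[name]
    chars = list(ds.ljust(ADMIN_SD_EX_POS, "0"))
    for i in range(10, len(chars) + 1, 10):
        chars[i - 1] = str(i // 10)  # keep the positional marker characters correct
    chars[ADMIN_SD_EX_POS - 1] = format(mask, "x")
    return validate_ds_heuristics("".join(chars))


if __name__ == "__main__":
    # The value set in the post: only Account Operators excluded from AdminSDHolder.
    print(excluded_operator_groups("0000000001000001"))        # {'Account Operators'}
    print(with_excluded_groups("", ["Account Operators"]))      # 0000000001000001
```

    Changing dsHeuristics only stops SDProp from re-stamping those accounts in the future; as the paragraph above notes, the accounts already touched still need adminCount reset from 1 to 0 and inheritance re-enabled before Account Operators can manage them.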

    Before we move onto the second half of our solution, I want to share some links and references to the words SDProp, AdminSDHolder, and dsHeuristics which I so casually threw around in that previous paragraph.  


    After that bit of fun reading, we then started to look at their second business requirement.   They wanted the staff of their NOC (who are members of Account Operators) to have the ability to unlock the accounts of Domain Admins should these people find themselves needing such a task performed.   This was the last reason why their NOC Leads were members of Domain Admins.   We looked at KB 279723 for guidance and used the following command to grant the Unlock right to the AdminSDHolder object so that the SDProp process would set it onto the members of Domain Admins (and the other protected groups):

      dsacls "CN=AdminSDHolder,CN=System,dc=corp,dc=contoso,dc=com" /I:T /G "domain\GroupNameForNOCUsers":rpwp;lockoutTime

    We couldn’t use the Account Operators group in that dsacls command, so we used the group of their NOC Users which was nested within it.   At this point, once SDProp ran again, the users could then unlock the Domain Admins but could do no other management tasks for these accounts.   This met their needs and allowed us to remove their NOC Leads from the Domain Admins group.

    The customer was then able to begin looking at the other accounts within the Domain Admins group and begin to plan out ways to delegate the required rights so that many of those accounts could be removed as well.

  • What is 2002:836b:0F1E::836b:0F1E and why am I seeing it?

    (NOTE: IP Addresses changed to protect the innocent)

    I was onsite with a customer recently who asked me a question:

      “What is 2002:836b:0F1E::836b:0F1E and why am I seeing it?”

    I explained that this is a 6to4 address and is automatically assigned to the client because they use a globally routable IPv4 range for their IPv4 address range. I pull up calc.exe and in a couple of moments ask if the IPv4 address of his system was 131.107.15.30. After having a brief shocked look, his response was:

      “But wait, I’ve looked at KB 929852 and it says that I can disable IPv6 by unchecking the checkbox for IPv6 on the properties of the NIC. So why am I seeing an IPv6 address?”

    “Of course,” I say, “but how close did you read 929852?” We pull up the KB and look at the start of the “More Information” section (included below):

        IPv6 can be disabled either through the DisabledComponents registry value or through the check box for the Internet Protocol Version 6 (TCP/IPv6) component in the list of items on the Networking tab for the properties of connections in the Network Connections folder. The following figure shows an example.

        The DisabledComponents registry key affects all interfaces on the host. However, the check box on the Networking tab affects only the specific interface. The DisabledComponents registry value does not affect the state of the check box. Therefore, even if the DisabledComponents registry key is set to disable IPv6, the check box in the Networking tab for each interface can still be checked. This is expected behavior.

    There is one very fine point often overlooked in that second paragraph, and it is the second sentence: “However, the check box on the Networking tab affects only the specific interface.” (emphasis mine) What is meant by “affects only the specific interface” is exactly what it says: it unbinds IPv6 from ONLY that particular interface, leaving IPv6 enabled within the IP stack. The result is that for systems with a non-private IPv4 address, a 6to4 address will still be assigned to the system. It also means that other aspects of IPv6 are still enabled and running within the system.

    So if your end goal in clearing the checkbox was to disable IPv6 across the entire system, you did not meet your goal. Don’t believe me? Run “netstat -ano” from an elevated command prompt and you’ll see your system listening on the unspecified IPv6 address (::). If you insist that you must disable IPv6, use the DisabledComponents registry key as defined in KB 929852. However, as the KB article says, “We (Microsoft) do not recommend disabling IPv6.”

    After this discussion of why he needed to use DisabledComponents instead of just clearing the checkbox, he asked me how I knew what his IP address was. I explained that the 6to4 address is of the format 2002:WWXX:YYZZ::WWXX:YYZZ where WW, XX, YY, ZZ are the hex representations of the octets of his IPv4 address. We looked back at calc.exe and changed it to “Programmer” under the View menu. This allows us to select Hex and enter 83; clicking on the Decimal (Dec) radio button displays that the decimal value of 0x83 is 131. Repeating this, we determined that 0x6b is 107, 0x0F is 15, and 0x1E is 30. So 131.107.15.30 would be 2002:836B:0F1E::836B:0F1E.
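    The calculator exercise above is a 32-bit shift: the public IPv4 address is embedded in bits 16 through 47 of the 6to4 address and repeated in the interface identifier. The following is an added example, not from this post, that does the conversion in both directions with Python’s ipaddress module and returns None where Windows would not form a 6to4 address at all (a private IPv4 address). It goes beyond the post’s single case by also decoding the other transition addresses that come up later on this page: a Teredo address carries the server IPv4, the client’s NAT-mapped port and the client IPv4 (the last two XORed with all ones, per RFC 4380), and an ISATAP address carries the IPv4 address behind a ::5efe interface identifier. The Teredo and ISATAP sample addresses are constructed from RFC 5737 documentation ranges, not taken from a real network.

```python
import ipaddress
from typing import Any, Dict, Optional

SIXTO4 = ipaddress.IPv6Network("2002::/16")   # 6to4 prefix (RFC 3056)
TEREDO = ipaddress.IPv6Network("2001::/32")   # Teredo prefix (RFC 4380)
ISATAP_IIDS = (0x00005EFE, 0x02005EFE)        # upper 32 bits of an ISATAP interface ID (RFC 5214)


def ipv4_to_6to4(ipv4: str) -> Optional[str]:
    """6to4 address derived from a public IPv4 address, written 2002:WWXX:YYZZ::WWXX:YYZZ.

    Returns None for private or otherwise non-global IPv4 addresses, where 6to4 is not formed.
    """
    addr = ipaddress.IPv4Address(ipv4)
    if not addr.is_global:
        return None
    w, x, y, z = addr.packed
    v4hex = f"{w:02x}{x:02x}:{y:02x}{z:02x}"
    return f"2002:{v4hex}::{v4hex}"


def sixto4_to_ipv4(ipv6: str) -> Optional[str]:
    """Recover the embedded IPv4 address (bits 16..47) from a 6to4 address; None if not 2002::/16."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIXTO4:
        return None
    return str(ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF))


def describe_ipv6(ipv6: str) -> Dict[str, Any]:
    """Classify an IPv6 address as 6to4, Teredo, ISATAP, link-local or global, decoding what it embeds."""
    addr = ipaddress.IPv6Address(ipv6)
    n = int(addr)
    if addr in SIXTO4:
        return {"kind": "6to4", "ipv4": sixto4_to_ipv4(ipv6)}
    if addr in TEREDO:
        # Layout: 2001:0000 | server IPv4 | flags | port ^ 0xFFFF | client IPv4 ^ 0xFFFFFFFF
        return {
            "kind": "teredo",
            "server": str(ipaddress.IPv4Address((n >> 64) & 0xFFFFFFFF)),
            "client_port": ((n >> 32) & 0xFFFF) ^ 0xFFFF,
            "client": str(ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
        }
    if ((n >> 32) & 0xFFFFFFFF) in ISATAP_IIDS:
        # Interface ID ::0:5efe:w.x.y.z (0200:5efe when the IPv4 address is global)
        return {
            "kind": "isatap",
            "ipv4": str(ipaddress.IPv4Address(n & 0xFFFFFFFF)),
            "link_local": addr.is_link_local,
        }
    if addr.is_link_local:
        return {"kind": "link-local"}
    return {"kind": "global" if addr.is_global else "other"}


if __name__ == "__main__":
    print(ipv4_to_6to4("131.107.15.30"))                       # 2002:836b:0f1e::836b:0f1e
    print(sixto4_to_ipv4("2002:836B:0F1E::836B:0F1E"))          # 131.107.15.30
    print(ipv4_to_6to4("192.168.1.10"))                         # None (private range, no 6to4)
    # Constructed Teredo address: server 192.0.2.1, client 198.51.100.7 behind port 40000
    print(describe_ipv6("2001:0:c000:201:0:63bf:39cc:9bf8"))
```

    Run over the output of “ipconfig /all” or the IPv6 addresses registered in DNS, describe_ipv6 separates the addresses that betray a public IPv4 address (6to4) or a NAT-mapped port (Teredo) from harmless link-local ones, which is the information the customer needed before deciding which transition technology to disable.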

    This got us back to the discussion of how they can prevent 6to4 addresses from being generated on their systems. There are four methods which could be used to disable IPv6 on their systems: the DisabledComponents key with a value of 0x1, the DisabledComponents key with a value of 0xffffffff, Group Policy, or manually via the netsh command. We discussed the pros and cons of each. Setting DisabledComponents to 0x1 disables all tunneling adapters (ISATAP, 6to4, Teredo, IP-HTTPS) on the system but leaves it capable of using native IPv6 addressing once they begin deploying it within their infrastructure. Setting DisabledComponents to 0xffffffff disables all of IPv6 on the system (except for the loopback adapter), but will have to be changed to 0x1 or deleted when they begin an IPv6 deployment within their infrastructure. Group Policy allows each of the tunneling adapters to be disabled independently of the others and provides the most flexibility for the future of their infrastructure. Using netsh to disable 6to4 is a manual process which does not scale easily across multiple systems and would be equally manual to re-enable in the future.

    We set up a GPO so that they could begin testing the behavior of their systems with 6to4 disabled via GPO. The setting we defined in the GPO was “6to4 State” with a value of “Disabled”. We then re-selected the IPv6 checkbox on the properties of the NIC on the system we targeted the GPO to. The setting was located under:

      Computer Configuration –> Policies –> Administrative Templates –> Network –> TCPIP Settings –> IPv6 Transition Technologies

    (Screenshot “DisableTunnelsGPOSettings”: the IPv6 Transition Technologies policy settings, including 6to4 State, ISATAP State, Teredo State and IP-HTTPS State)

    As illustrated above, the state of the other Transition Technologies can also be controlled via GPO.

    After this GPO applied to the computer, it behaved as they had originally intended: there was no 6to4 address present. Because we had re-checked the IPv6 checkbox on the properties of the NIC, the system did have a link-local address (one which begins with FE80::/64), but these are not routable addresses and do not register in DNS.

    If you MUST insist on disabling portions or all of IPv6, consider either using Group Policy to disable the individual Transition Technologies which you wish to have disabled or leverage a value of 0x1 for the DisabledComponents key to disable all Transition Technologies. NOTE: Avoid deploying a value of 0x1 to mobile workstations if they will be leveraging DirectAccess as this will prevent them from having the ability to connect to the DirectAccess server as they would have leveraged these tunneling mechanisms for that connection; if it is only the 6to4 Addresses which are of a concern while on the corporate network, then disable only these adapters via GPO to these clients so that they can still leverage ISATAP, Teredo, and IP-HTTPS to connect to DirectAccess. If you MUST insist on disabling ALL of IPv6, then use 0xffffffff for DisabledComponents; the same caveat for mobile workstations attempting to leverage DirectAccess applies here as well.

    The customer then asked me what they can do to prevent visiting computers on their network from connecting to DirectAccess servers belonging to other organizations. We discussed how a client connects to its DirectAccess server via IPv6, so it would require either a native IPv6 address or a transition address to reach that DirectAccess infrastructure. Since the customer’s network isn’t yet providing native IPv6 addresses, they only have to worry about people leveraging transition technologies. Both ISATAP and 6to4 use IP protocol 41 to encapsulate the IPv6 packets as the payload of IPv4 packets, so blocking outbound IP protocol 41 at their network egress points will prevent ISATAP and 6to4 connections originating from their network. Teredo uses UDP packets on port 3544, so blocking outbound UDP 3544 will block Teredo traffic originating from their network. IP-HTTPS encapsulates the IPv6 packet as the SSL-encrypted payload of HTTPS (port 443); since their network allows unfiltered outbound SSL traffic, IP-HTTPS connections could still originate from their network. We discussed a separate VLAN for guests/vendors which doesn’t route to the corporate network, and leveraging IPsec within the corporate network to provide domain isolation, as possible methods of protecting the internal network from unmanaged computers (but that sort of planning is another topic for another day).
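    The egress discussion above reduces to three signatures: IP protocol 41 (6to4 and ISATAP), UDP destination port 3544 (Teredo), and TCP 443, which IP-HTTPS shares with ordinary HTTPS and so cannot be identified by port alone. The following is an added example, not part of this post, that applies those signatures to flow records so the hosts attempting tunnelled IPv6 can be listed before (or after) the egress block goes in. The log format and all addresses are constructed for the demonstration (RFC 5737 ranges), not exported from the customer’s network.

```python
import re
from collections import Counter
from typing import Dict, List, Set

# Constructed sample egress flow log (one flow per line; not a real firewall export).
SAMPLE_FLOWS = """\
2012-12-27T23:20:01Z src=10.1.2.3 dst=192.0.2.10 proto=41 dport=0
2012-12-27T23:20:02Z src=10.1.2.4 dst=192.0.2.11 proto=17 dport=3544
2012-12-27T23:20:03Z src=10.1.2.5 dst=198.51.100.9 proto=6 dport=443
2012-12-27T23:20:04Z src=10.1.2.6 dst=203.0.113.7 proto=6 dport=80
2012-12-27T23:20:05Z src=10.1.2.7 dst=192.0.2.12 proto=41 dport=0
2012-12-27T23:20:06Z src=10.1.2.4 dst=192.0.2.11 proto=17 dport=53
"""

FLOW_RE = re.compile(
    r"(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\d+)\s+dport=(?P<dport>\d+)"
)

PROTO41 = "6to4/ISATAP (IP protocol 41)"
TEREDO = "Teredo (UDP 3544)"
HTTPS = "HTTPS (possible IP-HTTPS; not distinguishable by port)"
OTHER = "other"


def classify(proto: int, dport: int) -> str:
    """Map an outbound flow to the transition technology it could carry."""
    if proto == 41:
        return PROTO41
    if proto == 17 and dport == 3544:
        return TEREDO
    if proto == 6 and dport == 443:
        return HTTPS
    return OTHER


def parse_flows(text: str) -> List[Dict[str, object]]:
    """Parse flow lines; lines that do not match the expected format are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append({
                "ts": m["ts"], "src": m["src"], "dst": m["dst"],
                "proto": int(m["proto"]), "dport": int(m["dport"]),
            })
    return flows


def summarize(text: str) -> Counter:
    """Count flows per transition-technology signature."""
    return Counter(classify(f["proto"], f["dport"]) for f in parse_flows(text))


def tunnel_hosts(text: str) -> Set[str]:
    """Internal hosts that attempted 6to4/ISATAP or Teredo egress: candidates for the GPO above."""
    return {
        str(f["src"]) for f in parse_flows(text)
        if classify(f["proto"], f["dport"]) in (PROTO41, TEREDO)
    }


if __name__ == "__main__":
    for kind, count in summarize(SAMPLE_FLOWS).items():
        print(f"{count:3d}  {kind}")
    print("hosts to target:", sorted(tunnel_hosts(SAMPLE_FLOWS)))  # 10.1.2.3, 10.1.2.4, 10.1.2.7
```

    Port 443 flows are deliberately reported as “possible” rather than added to the host list: as the paragraph notes, IP-HTTPS rides inside ordinary HTTPS, which is why the post turns to guest VLANs and IPsec domain isolation rather than an egress rule for that case.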

    Before I left, the customer asked me how they’ll be able to re-check the IPv6 checkbox on their systems once they’ve deployed a GPO with their desired settings for IPv6. This was one of those times when I did not have good news to give a customer. There is no programmatic way that I know of to directly determine the value of the checkbox and no programmatic way to toggle the value of the checkbox. They will be manually placing the checkbox back over time as they connect to systems and update their system images to no longer have the checkbox unchecked.

    While I did include this link on one of my previous posts, I’m including it again because I’ve seen many questions asking about Microsoft products and their support for IPv6. Here is the link to the Common Engineering Criteria:

  • Clean up your own virus ridden PC

    As someone who works with computers, I’m often getting calls from my family and friends asking me to clean viruses off of their computers.    Generally, they’ve avoided my earlier encouragement to install Microsoft Security Essentials and now they find themselves dealing with computers that are not behaving as they should (they also ignore my other encouragements about using “In-Private Browsing” in IE8 & IE9 to browse to sites that are questionable, not running attachments, etc.).   So for this reason, I keep a DART CD (Diagnostics and Recovery Toolkit) from MDOP (Microsoft Desktop Optimization Pack) so that I can run Microsoft Standalone System Sweeper.

    Well, starting today, my life should become a lot easier.   A beta of a standalone version of System Sweeper was available here:  http://connect.microsoft.com/systemsweeper and is now available here:   http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline    In conjunction with Microsoft Safety Scanner (which released last month) from http://www.microsoft.com/security/scanner/en-us/default.aspx, I’ve now got places to point people that hopefully means I won’t have to head over to as many houses.

    I ran across this info when an e-mail at work referenced a ZDNet posting about the release of the beta of System Sweeper.

    In my mind, the cool thing about our AV products is that they all share the same AV engine, be it Windows Defender, Microsoft Malicious Software Removal Tool, Windows Live OneCare (retired), Forefront Client Security, Forefront Endpoint Protection, the MS AV engine in the Forefront Server Security for <insert app here> products, Microsoft Security Essentials, or Microsoft Standalone System Sweeper. So once the AV team includes something in the appropriate portion of the definitions leveraged by that particular product, all the products leveraging that portion of the definitions can detect/remove the offending software. Why reinvent the wheel and create inefficiencies that don’t need to exist? When I go to fix a friend’s computer, I’ll just download the full definitions for Microsoft Security Essentials from here via the Microsoft Security Portal and load them into System Sweeper once it is running.

    This will save me a TON of time with my friends & family able to solve their own problems.



    UPDATE: 4/13/2012 The beta of System Sweeper has now released and is called Windows Defender Offline. URLs in the post updated to reflect this change.

  • Follow-up my IPv6 post

    As a follow-up to my earlier post about leaving IPv6 enabled in the OS and bound to the NICs, I wanted to share some additional resources from my IE bookmarks:

    Also be aware of the “World IPv6 Day and Windows” post from the IPv6 team.

  • Why you should leave IPv6 alone

    A common paradigm in the technology field is, “If you’re not using it, uninstall or disable it.”   While that can be an excellent way to reduce the surface area of a system by removing components that you don’t need and may never use, there are going to be times when that paradigm doesn’t turn out to be the right decision.   An excellent example of that is IPv6.  Nearly every week when I’m onsite with a customer, the topic of “what should they do about IPv6” comes up, and I end up saying the same thing time and time again.   I’ve been saying it so much that I’ve previously written the remaining contents of this post as a document that I’ll give out as a reference whenever the topic has come up.   So finally, I decided to post it so that more people can benefit from the information and take corrective actions in their systems before my phone rings at 3AM and I find myself getting on an airplane.

    On the properties of the NICs, the checkbox binding the IPv6 protocol to the network interface should not be cleared, as clearing it causes IPv6 to become unbound from the network interface. In addition, the Link-Layer Topology Discovery Mapper I/O Driver and Link-Layer Topology Discovery Responder protocols should not be uninstalled from the systems. While this is often done with the intent of disabling IPv6 on the systems, it does not have that effect. The action only unbinds the IPv6 protocol from the physical network interface while leaving it enabled within the operating system, which continues to attempt to use IPv6 for communications and can experience unexpected and unpredictable behavior without IPv6 bound to a physical network interface. Link Layer Topology Discovery provides device discovery at the data-link layer to determine the topology of the subnet. While the results obtained from LLTD are similar to those obtained via the ARP protocol, LLTD provides additional information.

    Versions of the Windows operating system beginning with Windows Vista prefer the use of IPv6 over IPv4.   However, if IPv6 is not utilized within the network infrastructure, leaving IPv6 enabled on the systems will not have an impact on internet communications, web browsing, etc. as the NIC would only be configured with a Link Local address, which is a non-routable address and can only communicate with systems on its same subnet, bounded by a router.   IPv6 is an integral part of the operating system and several Windows components rely on it.   IPv6 should be left enabled.   While KB 929852 describes the use of the DisabledComponents registry key to disable specific IPv6 components, most environments should leave all IPv6 components enabled.   The tunnel interfaces can be disabled while leaving the native IPv6 components enabled by using a value of 0x1 for the registry key, however, as discussed below, blocking the tunneling protocol at the point of network egress will be a more effective way to prevent the tunneling interfaces from establishing connections with their particular relay on the Internet.

    The checkbox binding IPv6 to the network interface should remain checked on all systems running Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, and any future version of the Windows operating system.


    Other types of IPv6 address that may be present on the systems are 6to4 and Teredo addresses. These are tunneling protocols used to allow connection to an IPv6 network over an IPv4 routing infrastructure. 6to4 and Teredo addresses are routable addresses and will be registered in DNS.

      When the IPv4 address is in the public IPv4 range, a 6to4 adapter would be leveraged to communicate to IPv6 over an IPv4 infrastructure.   This is done via IP Protocol 41 and will be calculated without any external network connectivity.  Systems with a 6to4 address will be able to communicate to other systems within your IPv4 network that also have 6to4 addresses, but do not use this address to communicate to external IPv6 resources as the default 6to4 server utilized by Windows systems is only a 6to4 Server and not also a 6to4 Relay.  The easiest solution to prevent the establishment of 6to4 connections is to either set the DisabledComponents registry key or leverage the netsh.exe command to disable the 6to4 adapter.   (http://en.wikipedia.org/wiki/6to4)

      When the IPv4 address is in the private IPv4 ranges and when 6to4 is unavailable when a system is in a public IPv4 range, a Teredo adapter would be leveraged to communicate to IPv6 over an IPv4 infrastructure.   This is done via UDP packets at port 3544 to the Teredo server teredo.ipv6.microsoft.com.  Systems with a Teredo address will be able to communicate to other systems within your IPv4 network that also have Teredo addresses, but do not use this address to communicate to external IPv6 resources as the default Teredo server utilized by Windows systems is only a Teredo Server and not also a Teredo Relay.  The easiest solution to prevent the establishment of Teredo connections from the internal network is to block UDP 3544 at the point of network egress.  (http://en.wikipedia.org/wiki/Teredo_tunneling  &  http://tools.ietf.org/html/rfc4380)

      The 6to4 & Teredo adapters can also be disabled by running the following from an elevated command prompt:
      netsh int 6to4 set state state=disabled
      netsh int teredo set state type=disabled


    The MSPress book Understanding IPv6 (Second Edition) is a great read for learning more about IPv6.  


    Additional Resources:
    Disabling IPv6 Doesn't Help, by Sean Siler, IPv6 Program Manager
    http://blogs.technet.com/ipv6/archive/2007/11/08/disabling-ipv6-doesn-t-help.aspx

    Development and Deployment of IPv6: Good for Internet, Technology
    http://technet.microsoft.com/en-us/library/bb726954.aspx

    Link Layer Topology Discovery Protocol Specification
    http://www.microsoft.com/whdc/connect/Rally/LLTD-spec.mspx

    929852 - How to disable certain Internet Protocol version 6 (IPv6) components in Windows Vista, Windows 7 and Windows Server 2008
    http://support.microsoft.com/kb/929852

    IPv6 Blog
    http://blogs.technet.com/ipv6

    IPv6 for Microsoft Windows: Frequently Asked Questions
    http://www.microsoft.com/technet/network/ipv6/ipv6faq.mspx

    The Cable Guy - Support for IPv6 in Windows Server 2008 R2 and Windows 7
    http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx

  • Ceton InfiniTV 4 + Windows 7 = Media Center Goodness!!!!!

    I’ve been meaning to write this post for a few weeks, but only now have finally gotten around to it.    I should start with some history of my experiences with Windows Media Center.  

    My first Media Center PC was home-built using Windows Media Center Edition 2004 using a Dell desktop computer and a Hauppauge analog tuner card that was connected to Time Warner Cable in the Cincinnati suburb that we lived in at the time.  This system was later upgraded to Media Center Edition 2005 and a dual-tuner Hauppauge analog tuner was installed.  This system became my platform for testing Windows Vista and began running the first Public Beta of Vista and later was weekly reinstalled with the current Daily Build of Vista as we moved closer to RTM.   After the RTM build was installed, this system also became my test platform for pre-release builds of SP1 and later SP2.   Once the public builds of Windows 7 were released, the system continued its function as my test platform running public builds of that as well.

    Throughout this entire time, my Media Center box has been physically located in my home office.  Shortly after I began running the beta builds of Windows Vista, I obtained an XBox 360 and began using it as an extender for Media Center.   This allowed my son to watch the recorded episodes of Thomas the Tank Engine and Bob the Builder on the TV downstairs instead of in my office.   Its native ability to function as an extender for Media Center was the primary reason I purchased the XBox 360.   Once I began using the XBox as an extender, I began running the Media Center machine headless (ie. without a keyboard or monitor).

    The system continued in its configuration as we moved home to the Seattle area and connected the Media Center PC via Comcast cable.    When Comcast stopped broadcasting their signals for the Extended Basic channels in analog, I made 2 changes to my configuration.   The first change was that the original single-tuner Hauppauge card was brought out of storage and connected with an IR Blaster to the Comcast Digital Tuning Adapter so that I could continue to tune all of the Extended Basic channels in their analog format within Media Center.   The second addition was a SiliconDust HDHomeRun dual-tuner device so that I could record the ClearQAM signals for the local HD channels.  I also added a 1.5TB hard drive that I had acquired online at a Black Friday sale.

    For the most part, the system has served me well.   Except for the new hard drive, the computer is over 6 years old and performs its duties well.  The only limitation I have experienced with it was being unable to record multiple Extended Basic channels because I had no more single-tuner Analog Tuners and no more IR Blasters.  This led to missed recordings of some shows due to schedule conflicts.  It also only had 2GB of RAM and a single-core Hyper-threaded CPU.  While it performed its function well, it did not have enough power to do any transcoding when I was testing out MyMovies.

    My concept of what a Media Center system could do improved greatly when Ceton Corporation announced that they were in development of what would become known as the InfiniTV product line.   These cards utilize a single CableCARD m-card to decrypt the signals for multiple tuners.   The current cards have 4 tuners on a single card.   The card utilizes a PCI-e slot to connect to the PC and is automatically detected as a CableCARD tuner by Media Center once it and its drivers are installed.  I placed my pre-order for the InfiniTV 4 and anxiously awaited their release and the shipment to arrive.   When the card arrived last month, I found myself needing to leave the card sitting unopened in its box for about a week.   This delay was due to me traveling for work to customer sites, and that my current Media Center system pre-dated PCI-e slots and another piece of hardware was going to need to be repurposed as my new Media Center PC.  I had previously purchased a Quad-Core HP desktop with 4GB of RAM which I decided to rebuild.   I installed another of the 1.5TB hard drives that I had previously purchased and hadn’t installed anywhere yet to provide me storage space for the recordings. 

    I performed a clean install of the x64 edition of Windows 7 Ultimate onto the system.  I then installed the Ceton card and its drivers.   While out running errands the next day, I went to the local Comcast Customer Service Center and picked up the M-Card CableCARD and brought it home.   I inserted the card and powered up the system. I opened the Ceton configuration utility and called Comcast with the information for the system so that the card could be paired.   This process took about 5 minutes to complete.   Once the configuration utilities showed the card properly paired with Comcast, I opened Media Center, ran the Digital Cable Advisor, and began the TV Setup wizard.     It automatically detected the Ceton as 4 CableCARD Tuners and downloaded the guide data for my area.   I spent a few minutes disabling the channels that I do not subscribe to, and began watching TV channels from the Extended Basic lineup that I subscribe to.   Much to my surprise, in addition to being able to tune the SD versions of the channels, I was also able to tune their HD versions as well.

    I disconnected my XBox 360 from the previous Media Center system and paired it with the new one.   I am now able to watch the HD streams of all of the Extended Basic channels downstairs on my 47” LCD TV using the XBox 360 as an extender.   I also record the HD versions of the shows I watch and stream them to the TV via the XBox as well.  Since the channels I receive are not premium content, the signal is sent with the Copy Freely bit set, so the recordings are not protected and I can also copy them to my laptop to view while I am traveling.  It has been nice watching Star Wars: The Clone Wars (and everything else) in HD.  I now use my XBox 360 as a Set-Top-Box for watching Live TV as well (and honestly, I prefer the guide in Media Center over the one in the Comcast STB anyhow).

    Overall, I am EXTREMELY SATISFIED with my Ceton InfiniTV 4 and Windows 7’s Media Center.   For anyone with Digital Cable or FIOS, the Ceton card is something you should be considering.  The ability to leverage a Ceton card is what will keep me on Cable vs. Satellite.  I am seriously thinking about returning my current STB as it is no longer being used on the main TV as well as the DTAs used elsewhere around the house and replacing them with XBox 360’s.   The new Kinect bundle could replace the 360 on the downstairs TV and allow me to move the current XBox upstairs for that TV. 

    The only remaining steps for me to complete are to decommission the previous Media Center PC and install the HDHomeRun drivers on the new one so that it can leverage those two tuners for the ClearQAM HD signals, freeing up the Ceton’s tuners for the other channels.

  • So Cool…Windows Intune

    This week I’m attending the TechReady conference.   For those of you who have never heard of TechReady (which is probably 99.999+% of you), it is an internal version of the Microsoft TechEd conference.

    Here on Day 1 I’ve seen some interesting things about Windows Phone 7, and I think I’ve found my next favorite thing…Windows Intune!!!!!   Checkout the homepage for Windows Intune at http://www.microsoft.com/windows/windowsintune/default.aspx for additional information about the product, and to sign-up for the beta.   Just about every one of the customers that I’ve visited over the past year or so could have benefited from Intune.

    As with everything else at TechReady, it is up to the appropriate Product Groups to release information about their particular product, so you won’t get any secrets from me.   But if I see something cool this week, I’ll post links to the public information here.

    In addition to some sessions on Windows Phone and Intune, I’m also going to be attending sessions on Hyper-V (W2K8, W2K8 R2, and what is coming in W2K8 R2 SP1), as well as DirectAccess (both with & w/o using UAG).   More to come later in the week…

  • It Snows Up North

    I seem to have a habit of alternating between technical and non-technical posts, and this seems to be little different.   I was scheduled to fly up to Anchorage, Alaska on Sunday to visit a customer.   Last Friday I was talking to one of my teammates who was onsite with the same customer 3 weeks ago and asked how the weather was.   He said that the lows were in the upper 30’s and highs in the mid 40’s.   I should have gone online to look up the weather, but I didn’t.   So much to my surprise, when I arrived on Sunday evening, there was about 3 inches of snow on the ground and another couple still waiting to fall over the rest of the night.   This was the first snow of the year and a friend of mine who lives in Anchorage is blaming me for bringing the snow in from Seattle (I promise, it isn’t my fault…Seattle’s recent storms have all been coming in from Alaska, so if nothing else, all I did was bring it back).    The highs while I’m here this week should remain below freezing and they are expecting more snow before I leave on Thursday evening.

    Since I should have some semblance of a technical slant in the post, I’m passing along some pictures that I took from my hotel room and used Windows Live Photo Gallery to create some panoramic photos from the individual stills that I took.

    Here are some of the pictures.   The first is the photosynth of the mountains from my hotel, this was about a 120 degree view:

    MountainView-FromHotel

    And the same picture cropped:

    MountainView-FromHotel_Cropped

    Some of the mountains a little closer:

    MountainView-Daytime

    And some lighted trees in what might be a park a couple of blocks south of my hotel:

    LightedTrees

     

    All of these photos were stitched together with Windows Live Photo Gallery.  

    I’m hoping that my next post will be about why you should leave IPv6 enabled on your Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2 systems (my fingers are crossed that the IPv6 team will have their post or whitepaper out soon so you have more than just my word to take on it).  But in the mean time, I’m happy to have seen this post about the Digital Cable Advisor being released and making OCUR tuners available to Windows 7 media center machines.   I’m still using my HDHomeRun tuners for the ClearQAM channels and am looking forward to the release of the Ceton tuners.

  • Moving in to a new laptop – Windows 7 x64 Goodness

    One of the great things about the Premier Field Engineering group at Microsoft is that we have a fairly aggressive hardware refresh cycle for our engineers in the US.   To keep us with a solid experience as road warriors, our laptops are refreshed approximately every 2-years.   When luck is on our side, we can even manage to get a refresh a couple of months early.   

    This was the situation for me this time around: my previous laptop hits its 2-year mark in December of this year, but I was pleasantly surprised when in early October I got an e-mail letting me know that I was due for a refresh and to please reply back to the e-mail and let them know which of the 5 models to choose from I had decided on.   My first reaction was, “But my current laptop is working out fine for me, well OK, the battery is past its shelf-life and can’t hold a charge as long as it used to, but other than that, it is still rock solid.”   For about 2 weeks I held off on replying because I was still happy with my current machine.   But then I realized that Microsoft is little different than any other corporation and that if I didn’t utilize the allocated budget for my laptop within the quarter it was budgeted for, I’d likely be using my current laptop for quite awhile.    So I chose the HP EliteBook 8530w from the list of choices that are available to my team.   It arrived on Friday afternoon.

    My first task after unpacking it was to burn a Windows 7 x64 ISO file to a DVD so that I could do the install.    My current machine is running the x86 installation of Windows 7 and I had decided that the next time I installed the OS on my laptop, I’d give x64 a shot.   Much to my surprise, the early refresh allowed me a chance to do this.   Last week I had finally gotten around to updating my Hyper-V host with Windows Server 2008 R2 and had been pleasantly surprised to find that fully functional color print drivers for my HP Color LaserJet 2840 were included in-box, so I knew that going with x64 for my laptop would still allow me to print in color while at home.   That printer was a big splurge for me a couple of years ago and the lack of x64 drivers had been holding me at x86 for quite awhile to avoid turning it from a nice networked Printer/FAX/Scanner into a giant paperweight.   While onsite with customers, I find many of them making the same x86 decision on their print servers for the same reasons; lack of x64 drivers for some printer models.  

    So as evening approaches, my son & I are watching Star Wars – Episode I and as he drifts towards sleep I head upstairs to grab the laptop and the DVD I burned.   I boot to the DVD and begin the install while the cast is still on Coruscant, by the time they’re back on Naboo, the install is finished.   Enough of the major hardware devices had in-box drivers, and by the end of my visit to Microsoft Update, I had nearly all of the rest.   The only 2 devices that didn’t have drivers after that were the media card reader and the hard drive shock protection device.   But both of those were easy to get.   I was happy that the wireless drivers were in-box because the docking station was on back-order and I was doing the install without a wired connection.   Even the SmartCard reader worked fine.   We have the option of logging into our workstations with the SmartCard on the back of our badges, and I’ve gotten in the habit over the past year of doing that instead of using my username/password.  

    Once the OS was installed, I downloaded Forefront Client Security and the VPN software so that I could connect to work and join the domain.   I installed the Office 2010 Technical Preview, Streets & Trips 2010, and a few other applications that I use for work.  I configured BitLocker and set it to leverage the TPM chip + a PIN.   Nearly everything is working as well or better than it did on my old x86 Windows 7 laptop.   While I didn’t install it that first night, I’ve also installed Windows XP Mode so that I could install the software to allow for network scanning using my LaserJet 2840.   The Vista version of the software did not consistently function as expected on the x86 installation of Windows 7 and I had previously resorted to this method for being able to scan receipts when I get back from customer visits.   And they do not yet have x64 drivers, so XP Mode provides me with the ability to continue to benefit from running x64 Windows 7 while still utilizing applications that work best under older versions of Windows.    I leverage Microsoft Office 2007 and the Microsoft Document Imaging application from Office to do my scanning from within XP Mode.

    With the exception of XP Mode, I had finished the installation of the software on Friday night before going to bed.   On Saturday evening after my son went to bed I was able to give the new installation its first real test of practical use…Writing the ADRAP report from my visit earlier in the week.   While I had heard from other engineers that they had experienced no issues running the tools for this under x64, I didn’t want to get too comfortable with the installation if I was going to then have to re-format and re-install with x86.    I was thrilled to see that with the x64 OS and the x64 installation of Office 2010, I was able to complete my reports for the customer without any issues.   It was because of that success that I took the time this morning to complete the move-in process by installing XP Mode and configuring that VM.

    As I said at the beginning, I’m still happy with my previous laptop.   That Lenovo T61P w/4GB of RAM has served me well.   I’m now debating whether to keep it as x86 Windows 7 or install Windows Server 2008 R2 and use it as a mobile Hyper-V host.   I may utilize Boot From VHD and have it do both.  But I see another 2 years of good experiences ahead of me with this HP 8530w.   It looks like I’m 3 for 4 on work-issued laptops that have gotten a thumbs-up by me; my original Toshiba M1 that I was issued in March ‘04 ran great and I almost didn’t want to replace it (but its video card has no Vista drivers), another model which I was less thrilled with, the T61P which couldn’t come fast enough to replace its predecessor, and now my 8530w.

  • Granting access to DNS Management MMC to a non-admin

    While teaching the Windows Server 2008 Directory Services workshop this week a student asked me, “How can I grant access to the DNS MMC to a user that I don’t want to put into the DNS Admins group because I only want them to be able to view the contents of the zones?”   He mentioned that he had been looking for this solution off and on for about a year or so.    As it turns out, I’ve been asked a similar question by a few other customers in the past.   To help make it easier for others to find this same solution, I figured that it would be a good topic for a blog post.

    DISCLAIMER:   This information is provided as-is with no warranty expressed or implied.   To the best of my knowledge, the techniques included are not endorsed by the product group nor supported by Microsoft.

    Traditionally, to grant a user the ability to use the DNS Management MMC (DNSMgmt.msc) to view a Windows DNS server, the user had to be a member of an elevated group such as DNS Admins, Domain Admins, or Enterprise Admins.   The following steps show how to grant access via the DNS Management MMC to a user that is not a member of these groups and has no elevated rights on the domain controllers on which DNS is installed.   These steps have not been validated against a DNS server that is not a domain controller.

    I began by creating a user named Joe User (JLOLAB1\JoeUser) and granted the user rights to logon to a member server via RDP.   This member server has the DNS Management MMC already installed.   When Joe User launches the MMC and attempts to connect to the Domain Controller, he receives the error “Access is Denied” as illustrated below:

    MMC_Access_Is_Denied

    Clicking Yes brings up the MMC:

    DNS_MMC_As_Non-Admin-Before

    As you can see, he is unable to see any information about the DNS Server.

    To allow this user the ability to access the DNS Server, I created a group that I called “DNS MMC Read” and placed the user into this group.   I then performed a logoff/logon and verified with “whoami /groups” that the user contains “DNS MMC Read” in its token.

    GroupListing

    At this point I begin the process of granting access to the MMC to this non-admin user.  

    1. I open the DNS Management MMC as a Domain Admin user.
    2. Right-click the server name and click “Properties”.
    3. Move to the “Security” tab.
    4. Click “Add” and enter in the group name “DNS MMC Read” and click “OK” to close the account selection window.
    5. You will then observe that the group now has the checkbox “Read” selected.   DNS_MMC_Properties
    6. Click “OK” to close the Properties window.

    What happened in the background is that this granted the group Read permission on the object CN=MicrosoftDNS,CN=System,DC=lab1,DC=jlo:

    View_MicrosoftDNS_Perms

    Now when JoeUser connects with the DNS Management MMC he sees the following:

    DNS_MMC_As_Non-Admin-After

    This non-admin user is able to view the contents of the Forward and Reverse Lookup Zones.   He is able to view the properties of the server, but receives an “Access is Denied” error when attempting to change those settings.   He also receives an “Access is Denied” error while trying to view the Event Logs of the DNS server.    These “Access is Denied” errors are expected because the group was granted only Read on the server object, and nothing beyond that on the server or the zones.
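    The same change, scripted.   The PowerShell below is an added example and is not part of the original post.   It reproduces what the Security tab did (an Allow ACE for GenericRead on CN=MicrosoftDNS,CN=System in the domain partition) using the ActiveDirectory module’s AD: drive, then reads the ACL back so the grant can be reviewed and audited without opening the MMC.   It assumes the RSAT ActiveDirectory module is installed, that it runs as a Domain Admin, and that the group is named “DNS MMC Read” as in the post; the inheritance scope is an assumption, since the post does not say whether the MMC applied the ACE to the object only or to its descendants.

```powershell
# Added example, not from the original post. Grants a group the same "Read"
# the DNS MMC Security tab grants, on the object the post identifies, and
# reads the ACL back for review. Assumes the RSAT ActiveDirectory module,
# a Domain Admin session, and the group name used in the post.
Import-Module ActiveDirectory

$GroupName = 'DNS MMC Read'
$DomainDN  = (Get-ADDomain).DistinguishedName
# The object the post shows the MMC modifying:
$DnsServerObject = "AD:\CN=MicrosoftDNS,CN=System,$DomainDN"

function Grant-DnsMmcRead {
    param([string]$Group, [string]$Path)

    $sid = (Get-ADGroup -Identity $Group).SID
    $acl = Get-Acl -Path $Path

    # GenericRead = list contents + read all properties + read permissions;
    # this is what the "Read" checkbox on the Security tab represents.
    $rights  = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    # Assumption: apply to this object and its descendants. The post does not
    # say which scope the MMC chose; use ::None for the container alone.
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
                       -ArgumentList $sid, $rights, $allow, $inherit
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-DnsMmcReadAce {
    param([string]$Group, [string]$Path)

    # Only the ACEs naming the group, so the grant can be checked (and later
    # audited) without opening the MMC.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference -like "*\$Group" } |
        Select-Object IdentityReference, ActiveDirectoryRights,
                      AccessControlType, InheritanceType
}

Grant-DnsMmcRead  -Group $GroupName -Path $DnsServerObject
Get-DnsMmcReadAce -Group $GroupName -Path $DnsServerObject
```

    Verify from the member server as the non-admin user, as the post does, rather than trusting the ACE alone: zones stored in the DomainDnsZones and ForestDnsZones application partitions are not children of this container and carry their own ACLs, so what the user can actually see depends on those as well.   “dnscmd <DC> /info” goes through the same DNS Server RPC interface as the MMC and is a quick command-line way to confirm the connection succeeds for that user.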

    I hope you found this post informative and can assist you with managing your DNS infrastructure.

  • WinRE, Page files, and GPMC Scripts

    Since this blog is hosted on Technet, it is probably good to talk about technologies from time to time.    So I wanted to mention some things that I’ve come across recently.   While some of these are anything but new pieces of information, sometimes you don’t come across them until well after they’re available on the net.

    The first thing I wanted to mention was WinRE, the Windows Recovery Environment.    While it is available to you by booting to a Vista/W2K8/Win7/W2K8R2 DVD, it is also possible to build and customize your own WinRE environment.   If you’ve tried searching for documentation on this, you’ve probably noticed that it seems a bit lean.    A friend pointed me towards one of the best WinRE resources I’ve seen so far on the net:   http://blogs.msdn.com/winre   I particularly like their post on how to make a bootable WinRE partition on the hard drive.   Granted, the post is a couple of years old already, but the steps are still great.

     

    Within the e-mail distribution lists for our team, a topic that comes up about every 3-6 months is, “What are the recommendations for page files?”   Here are the resources that we usually pass around for understanding page files and determining the size you need to set them to:

    An important thing to remember about page files is that while Windows may not need to have a page file defined, the applications running on your system may require one.    Domain Controllers require a page file because the algorithm that determines how much memory can be allocated to caching the AD database takes the size of the page file as one of its inputs.   This is mentioned in the second paragraph of the Summary section of KB 889654.
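    As an added example (not from the original post), the PowerShell below reports the page file configuration of one or more machines and flags a domain controller that is running without one, which is the case KB 889654 describes.   It assumes CIM (WinRM) access to the targets and rights to query WMI on them; the computer names at the bottom are placeholders.

```powershell
# Added example, not from the original post. Reports page file configuration
# and flags domain controllers with no page file (the condition KB 889654
# describes). Assumes CIM (WinRM) access to each target.
function Get-PageFileReport {
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    foreach ($c in $ComputerName) {
        $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $c
        # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
        $isDc = @(4, 5) -contains $cs.DomainRole

        # Win32_PageFileSetting lists explicitly configured page files
        # (InitialSize/MaximumSize of 0 means system-managed for that file);
        # Win32_PageFileUsage lists the page files actually in use.
        $setting = @(Get-CimInstance -ClassName Win32_PageFileSetting -ComputerName $c)
        $usage   = @(Get-CimInstance -ClassName Win32_PageFileUsage   -ComputerName $c)

        $warning = ''
        if ($isDc -and $usage.Count -eq 0) {
            $warning = 'Domain controller has no page file; see KB 889654'
        }

        [pscustomobject]@{
            ComputerName        = $c
            IsDomainController  = $isDc
            AutomaticManaged    = $cs.AutomaticManagedPagefile
            InUse               = ($usage   | ForEach-Object { "$($_.Name) $($_.AllocatedBaseSize) MB" }) -join '; '
            ConfiguredInitialMB = ($setting | ForEach-Object { $_.InitialSize }) -join '; '
            ConfiguredMaximumMB = ($setting | ForEach-Object { $_.MaximumSize }) -join '; '
            Warning             = $warning
        }
    }
}

# Placeholder names; replace with your own domain controllers.
Get-PageFileReport -ComputerName 'DC01', 'DC02' | Format-Table -AutoSize
```

    Run it against the DCs before an AD assessment; a blank InUse column on a DC is the finding to chase down, and the Configured columns tell you whether someone set a fixed size or left it system-managed.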

     

    One of the most overlooked capabilities made available when installing the Group Policy Management Console in Windows Server 2003 was the “Scripts” directory located within the installation location.   With Windows Server 2008, installing the GPMC does not install the scripts.   The GPMC scripts are available as a separate download.   You can find them by going to download.microsoft.com and searching for “GPMC Sample Scripts”.   I was recently onsite with a customer evaluating their current GPOs and the scripts provided us with excellent information that was invaluable to our work.

  • RTM of Windows 7 and Windows Server 2008 R2

    As you’ve no doubt heard by now, Windows 7 and Windows Server 2008 R2 reached RTM today.   More info on that at the Windows 7 & Windows Server 2008 R2 Team Blogs.   So what does this mean for me?   Well, I’m thrilled about the new version of Hyper-V, the new version of Media Center, and especially DirectAccess.   What else does it mean to me?   Over the next few weeks I’ll be spending some time at home doing some new OS installs.   I’ve got 2 virtualization hosts that will now need Windows Server 2008 R2 so that I can set up Live Migration with Hyper-V, my Media Center PC needs to be rebuilt with Windows 7 so that I can take full advantage of the new HDHomeRun digital TV tuners that arrived today, my work laptop and old work tablet need to be reinstalled with Windows 7, and my wife has decided that the 7+ year old computer she is running has finally gotten too slow, so I’m going to be ordering her something and installing Windows 7 on it as well (once it hits the Company Store).

    I’m booked solid for 8 of the next 10 weeks.   The next 4 weeks in Portland, Oregon, a week not currently dispatched, a week in Boise, Idaho, a week not currently dispatched (with the Company Meeting this week and then a family camping trip the following weekend), 2 more weeks in Portland, then a week in Lima, Peru.   I’m sure I’ll find time somehow to get all of those OS installs done.   I’ll likely be doing installs while I’m home between trips, then configuring the machines remotely in the evenings from my hotel.

    But before all that can start, I still have to finish out this week.    I’m attending a training class this week on Microsoft Forefront Protection Suite (formerly known as Microsoft Forefront Codename “Stirling”).   Since Forefront Client Security is one of the technologies that I support, a week on what is coming in the next version is a good thing for me.   But I’m not much of a morning person, and traffic between my house and the training room on the Redmond Campus has been horrible.   It has taken me an average of more than 90 minutes to get there in the mornings and about 90 minutes each evening to get home.   This might not be so bad, except that the class starts at 8AM.   Did I mention that I’m not a morning person???

    In between everything else, I’ll also try to update this blog with more tech info on what I’m doing, what is new, and what you should be doing (or not doing, depending on the particular thing).  To start off that line of thinking…Remember, Windows Server 2008 R2 is 64-bit only, so only x64 and Itanium versions are available.   If you’re not already installing x64 editions of Windows Server 2003 or Windows Server 2008, you need to be whenever possible.   x64 gives you much greater limits on Paged Pool memory, Non-Paged Pool memory, and System Page Table Entries.   If you’re running a DC, File Server, or pretty much anything else, you should be doing it on x64.   Exceptions to this would be things that do not run on x64 (Exchange 2000/2003, ISA 2006, SQL 2000, etc.), but for things that do (File Servers, DCs, SQL 2005, Exchange 2007, etc.) you should be giving x64 a shot and enjoying the benefits of x64.   For more about why you should be running x64 instead of x86:   http://blogs.technet.com/cotw/archive/2008/04/07/symptoms-lack-of-free-system-page-table-entries-ptes-system-wide-delays-i-o-request-failures-and-low-on-paged-pool-memory-and-or-non-paged-pool-memory-on-32-bit-windows.aspx

  • My July 2009

    I almost titled this “My 4th of July was better than your 4th of July” but thought better of it.

    So I realize that it has been awhile since I last posted on this blog…OK, ‘awhile’ is an understatement, the first two posts were in April 2007 and there has been nothing since then.  But I figured I’d try making a new post and see if maybe this helps drive traffic.   Using keywords like “fireworks”, “ordnance”, “explosives”, & “Benihana” should help me in the Bing search results.  

    My July actually started out in mid-June when as a combined Birthday & Father’s Day gift, my wife & Son got me the “You Be The Chef” experience from Benihana.   In my travels as a Premier Field Engineer, I’ve somehow managed to dine at nearly every Benihana that has been near any of the customer sites I’ve visited.   I nearly always get the same thing:   an à la carte Hibachi Chicken, an à la carte Hibachi Chateaubriand, and 2 orders of the Chicken Fried Rice.   I’m not a fan of veggies, shrimp, or the soup (I’m told they are great at Benihana, I just avoid those things in general), so ordering à la carte allows me to only get what I want, avoid wasting food that I won’t eat, and saves quite a bit on the bill.    For the “You Be The Chef” everyone at the table received “Land ‘N Sea” and we added the Chicken Fried Rice.    On the afternoon of June 30th, I arrived at my local Benihana for my training.   I spent about 90 minutes with my chef who helped me learn the finer points of providing The Benihana Experience to my guests, this included the right way of preparing the shrimp appetizers, the steak, the scallops, the fried rice, as well as proper use of the spatula, fork, and knife.   I also was able to practice flipping the shrimp tails into my hat.   This is not only much harder than it looks, but at 6’3”, I was a bit taller than the bottom of the range hood and had to work extra hard to get the shrimp tail all the way to the top of the hat.    I returned the following evening (July 1st) with my wife, my son, and my mother so that I could cook the dinner for the 4 of us.   Everyone said that I did a great job with the presentation and the cooking, though to be honest, with the high quality of the ingredients that they use, it would be extremely difficult to have had it taste anything but fabulous.    Pictures of the event are posted at my SkyDrive.

    My July continued being great because of this blog post that I ran across in May.   I was able to assist with the setup of the 4th of July Fireworks Show at the Des Moines marina, which is about 30 minutes from my house.    We worked for about a half-day on July 3rd getting the pier prepared for the fireworks by setting up the mortars and such, and then all day on July 4th loading the ordnance into the mortars and wiring the mortars and the other fireworks up to the firing board so that Greg could shoot the show.    We had many mortars as well as boxes called “cakes” which are pre-configured with various types of explosives similar to those little multi-shot boxes you’d find at a fireworks stand, only these are much larger with many more rounds.   Once we had finished testing all of the connections, we patiently waited until it became dark and the show could start a little after 10PM.    I’ve posted my still pictures of the event here, and the videos are here (two of the three videos are mine, the third is one that Greg took) and embedded below.

    Here is my tour of the Fireworks Pier after we finished setup:

    My video from the shore during the fireworks show:

    And what has to be one of the most amazing camera angles was this one that Greg took with a camera that was next to the 3” mortars and looking skyward as the fireworks went off all around it:

     

    So while I can’t say “My 4th of July was better than your 4th of July” and have it be true 100% of the time, my July has definitely started off with a bang.   My July will conclude with me attending a week-long class on Microsoft Forefront Protection Suite (FPS) (formerly known as Microsoft Forefront Code Name “Stirling”) in Redmond, WA, and delivering a Windows Server 2008 Directory Services workshop in Portland, OR.   I will endeavor to post a bit more frequently, especially as things like Windows 7 and Windows Server 2008 R2 reach RTM.

    And for anyone wondering…YES, I still have all 10 fingers attached where they belong.   There were zero injuries sustained at either Benihana or the 4th of July show.   The chef was good about teaching me the proper way to prepare the meal safely and Greg was the consummate professional when it comes to the safe setup, handling, and discharge of fireworks.

  • Some Cool technologies I deal with...

    OK, so while I've mentioned a bit of what I do, I should mention the sorts of technologies that I help customers with.   First and foremost, I work with the Windows operating systems and Active Directory.   Much of my focus is Active Directory and all the things it depends on (networking, name resolution, etc.).   I also do work with other core OS components and look at things like memory and such.    Aside from that, I enjoy helping customers with virus infections, WSUS, and Virtual Server.    

     

    I'm really looking forward to Forefront Client Security, WSUS 3.0, and multiple things coming up in Longhorn Server.    Things I'm looking forward to in LH Server include TS Gateway, Windows Virtualization, Read Only DCs, Server Core, and a few other AD related improvements.

     

    Other future blog postings will likely discuss some of the following:   Travel tips, specifics on these tech topics, interesting things I run into while onsite, Thomas the Tank Engine (my son's favorite), life in Bonney Lake, or whatever else comes to mind.   If you have any suggestions, please post a comment.

  • Welcome to my Blog

    Hello,

    After reading so many other blogs, I figured that it was about time for me to start one of my own.    Since I'm undertaking this, I should probably introduce myself.

    I joined Microsoft as a full-time employee in March 2004 as a Rapid Response Engineer (RRE) as part of the ROSS Team.   The ROSS Team provides Rapid OnSite Support to customers.    We later merged with the SIE (Solutions Integration Engineering) team and became Engineering Services, but I was still a Rapid Response Engineer.    Last year, we merged with the Alliance Team and became Premier Field Engineering and I became a Premier Field Engineer (aka PFE).    Same job, different title.    Though I am a Seattle native, my wife & I were relocated to Cincinnati, OH in order to take the job as an RRE.  Our son was born a few months after we moved to Ohio.   We finally moved back to the Seattle area in December 2006, right after the wind storm hit and took out power for most of the area.

    Before becoming an FTE at Microsoft, I spent a year working as an "A-" (contingent staffer) on the Directory Services team in PSS, providing phone support to customers and supporting Active Directory and a few other technologies.    Before that, I was a Systems/Network administrator for a company based out of Bellevue, WA and managed their AD Domain, the network infrastructure, the Exchange servers, and other aspects of the IT infrastructure.    I've also been the Systems Administrator for a different company in Bellevue, where I managed both UNIX (Digital UNIX & Solaris) and Windows machines (NT4 & W2K) and was a developer as well.     Originally, I was supposed to be a high school math teacher, but I graduated the one summer when no districts were looking for math teachers.

    So, back to being a PFE... We are the onsite arm of Microsoft's Customer Support Services.   I do onsite visits ranging from CritSits through AD RAPs, and many things in between.    A CritSit is a "Critical Situation" case opened by a Premier Customer with CSS: a Sev-A (Severity A) case where a server is down.    If the case isn't resolved, someone from my team may end up being dispatched to go onsite and assist with resolution.    These are last-minute requests that cause my cellphone to ring at all hours of the day & night and require me to get onto the next airplane to head onsite.    We can also be requested by a customer's Technical Account Manager to help with other reactive issues that aren't a CritSit, as well as to assist with proactive sorts of things.   One of the proactive visits that I do is an AD RAP (AD Risk Assessment Program), where we run some tools to help customers identify potential issues with their AD environment, help teach them about AD, and help to make their AD environment as resilient and redundant as possible.

    While I tend to do a lot of traveling for work, I am usually at home about 2.5-3.5 days per week.  

    More ramblings to come...

    John