Kevin Remde's IT Pro Weblog
As many of you know, or will know by reading this, Windows Vista (and future operating systems and applications from Microsoft) requires activation. "Activation 2.0" is new functionality that is very good, and it is very important to understand how it affects volume licenses of Windows Vista Business versions (Standard and Enterprise).
CLICK HERE For more information about it.
Seriously - If you're an IT Pro who manages the licensing and deployment of your desktops, you're going to need to understand this stuff. It's not rocket science, but there are many questions that can arise. In fact, I was e-mailed a couple of them just today.
Chris says..
"I was reading an article in Windows IT Pro about KMS and it mentions you need have 25 licenses of Vista or 5 Windows server licenses. Does that mean if I install Vista for only a handful of users initially that I can’t use KMS? Or do I need to get 25 users up and running to use KMS? 25 users are half of my desktop licenses and I’d rather upgrade a smaller number of systems initially."
Yes, KMS (the Key Management Service) is only available to use if you're maintaining 25 or more activations. The KMS service makes itself known in DNS (a special SRV record), and business clients automatically find this server when they start up if they need activation. After the KMS sees the first 25, it then starts activating clients (including those first 25). But not before.
So.. because clients have a 30 day grace period to get activated, you basically have that long to bring up at least 25 clients.
The alternative to KMS activation is MAK (Multiple Activation Key) activation, which activates to Microsoft rather than to a local KMS service. If you have the KMS key, you also have the MAK key. (You get one of each from the same Volume License key source.)
Chris also says...
"Also, the article mentioned I need a 'Longhorn' server to use KMS or I could use an add-on for Windows 2003, which isn’t out yet. Am I understanding this correctly, or am I missing something?"
You understand correctly. Support for the KMS isn't available yet in Windows Server 2003 or earlier. You can install it on a Windows Vista machine, or on Longhorn (which is only in beta now). But yes, you should expect to see an update for Windows Server 2003 sometime in the first quarter of 2007.
Any other questions?
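The two behaviours described above, automatic discovery through a DNS SRV record and the 25-client threshold inside the 30-day grace period, can both be checked with a short script. This is an added example, not code from the original post: it compares the KMS hosts advertised in DNS against an approved list and reports how far a staged rollout is from the threshold. `_vlmcs._tcp` is the SRV name KMS publishes; the domain, host names, dates and sample records are constructed placeholders.

```powershell
# Added example. Domain, host names, dates and sample records are constructed.
$Domain        = 'corp.example.com'            # placeholder domain
$ApprovedHosts = @('kms01.corp.example.com')   # placeholder: hosts where you installed the KMS key

function Get-KmsSrvRecord {
    # Live lookup of the SRV record that business clients use to find a KMS host.
    param([Parameter(Mandatory)][string]$Domain)
    Resolve-DnsName -Name "_vlmcs._tcp.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.NameTarget } |
        Select-Object NameTarget, Port, Priority, Weight
}

function Test-KmsSrvRecord {
    # Marks every advertised KMS host as approved or not. Because KMS can be
    # installed on a Windows Vista machine, an unexpected record usually means
    # someone entered the KMS key on a host that was never meant to serve clients.
    param([object[]]$Record, [string[]]$ApprovedHosts)
    foreach ($r in $Record) {
        $target = $r.NameTarget.TrimEnd('.').ToLowerInvariant()
        [pscustomobject]@{
            KmsHost  = $target
            Port     = $r.Port
            Approved = ($ApprovedHosts -contains $target)
        }
    }
}

function Get-KmsRolloutStatus {
    # Applies the two numbers from the post: KMS activates nobody until it has
    # seen 25 clients, and each client has a 30-day grace period.
    param(
        [int]$CurrentCount,                  # on the KMS host, "slmgr.vbs /dlv" reports the current count
        [datetime]$OldestClientInstalled,
        [datetime]$Today = (Get-Date),
        [int]$Threshold = 25,
        [int]$GraceDays = 30
    )
    $deadline = $OldestClientInstalled.AddDays($GraceDays)
    [pscustomobject]@{
        Activating         = ($CurrentCount -ge $Threshold)
        ClientsStillNeeded = [math]::Max(0, $Threshold - $CurrentCount)
        GraceDeadline      = $deadline
        DaysLeft           = [int][math]::Floor(($deadline - $Today).TotalDays)
    }
}

# Constructed sample of what Get-KmsSrvRecord could return when a second,
# unplanned host has registered itself alongside the intended one.
$sample = @(
    [pscustomobject]@{ NameTarget = 'kms01.corp.example.com';   Port = 1688; Priority = 0; Weight = 0 }
    [pscustomobject]@{ NameTarget = 'LAB-PC7.corp.example.com'; Port = 1688; Priority = 0; Weight = 0 }
)

# $records = Get-KmsSrvRecord -Domain $Domain   # use this line on a live network
$records = $sample

Test-KmsSrvRecord -Record $records -ApprovedHosts $ApprovedHosts | Format-Table -AutoSize

# A pilot of 8 clients, the first installed two weeks ago: 17 more are needed
# within the 16 days left before the oldest client runs out of grace.
Get-KmsRolloutStatus -CurrentCount 8 -OldestClientInstalled '2007-01-08' -Today '2007-01-22'
```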
I fired up my tweetdeck just a minute ago and saw this tweet from Jeffrey Snover (the architect of PowerShell):
“What does it mean?”
It means that the new version of PowerShell (version 2.0) is now RTW (Released to Web). And not only PowerShell 2.0, but also WinRM 2.0 and BITS 4.0. It’s called the “Windows Management Framework”.
“But aren’t those already included in Windows Server 2008 R2 and Windows 7?”
Yes.. but you who are running Windows Server 2008, Windows Server 2003, Windows Vista, or even Windows XP would like to (or need to) take advantage of this powerful new management platform as well. And now you can!
Here’s the link to the PowerShell Blog that Jeff’s tweet mentions above: http://blogs.msdn.com/powershell/archive/2009/10/27/windows-management-framework-is-here.aspx
And here’s the KB where you can learn more about it, as well as download these tools: http://support.microsoft.com/kb/968929
Oh.. and one more link – this one to the Windows Management Infrastructure team blog: http://blogs.msdn.com/wmi/
From the “OOOoops!” department..
This apparently is a new wireless multimedia keyboard. See if you can spot the problem…
"Can I slipstream Windows Vista SP1 into an existing install image?"
Nope. Well, not directly, anyway.
"Um.. but when I get SP1, I want to upgrade my deployable .WIM images with the new bits. I can't do that in an offline way like I can with other updates?"
Sorry. No.
"Are you going to tell me why?"
Absolutely! You don't think I would have opened up this nasty can of worms without giving you a good explanation, did you?
"Well..."
Okay. So here's the deal**. And those of you who have experienced the SP1 installation have experienced this as well. When you do the SP1 installation, even if it's from Windows Update (when available), you're going to see your machine shut down and restart on its own several times. That's to be expected.
See, there's this important part of the OS known as the "servicing layer" in Windows Vista and Windows Server 2008. This is the part of the OS that, among other things, allows for easy update installation with minimal disruptions and allows for an update to be applied to an offline captured image that's within a .wim file.
Well.. let's say that that servicing layer ALSO needed to be updated? What then?
"Oh.. I get it. You can't update the thing that makes the updates happen smoothly, because the thing that makes updates go smoothly is itself being updated!"
Bingo. You got it. So hopefully the news that you can't just do an offline upgrade to an image .WIM file won't be too tragic.
"So.. what do I do instead?"
You are going to have to install your image to a machine. Install the Service Pack. Then re-capture the image.
"Simple!"
Not so simple. There are additional steps that involve some cleanup once you've sysprepped your newly updated SP1 machine. Detailed steps are available in the new WAIK documentation.
"Won't I lose a valuable re-arm to my image when I apply the service pack this way?"
No. SP1 grants you an additional re-arm. We don't want you to be penalized for having to generalize a system that additional time.
"Wait.. there's a new WAIK?"
If you're using the WAIK (Windows Automated Installation Kit), you will definitely want to get the new version that has support for both the original Vista as well as the new servicing layer that's in both Windows Vista SP1 and Windows Server 2008.
Of course, the easiest way to do this all would be to get a copy of the pre-slipstreamed SP1 version of Windows Vista from Microsoft when it becomes available, and start with that as your new installation base. If you're not doing any other custom image management, that's definitely the easiest solution. Just add it to your own Microsoft Deployment workbench or use it to build your new images from there.
---
** I can never say "here's the deal" without thinking of former teammate-turned-security-guru, Kai "the Security Guy" Axford.
Happy Friday!
I thought I’d just take this opportunity to again share my three-part screencast series with you; this time all in one place.
The topic: System Center 2012 Unified Installer
The goal: Help you prepare for and use the Unified Installer to build your lab for testing and trying the System Center 2012 components out
The added benefit: You get to see my pretty metro-style (I like to call them “metrofied!”) PowerPoint slides.
Enjoy. And enjoy even more in full-screen, and 1280x768 if you can…
Here is Part 1:
Here is Part 2:
And here is Part 3:
This is a really cool screencast - definitely worth sharing. It shows off some exciting new technologies coming in the next version of Windows Server (still codename "Longhorn").
Can you say "8 core"?
"8 core?!"
I knew you could. We're showing off for the first time support for an 8 core virtual machine. NOBODY else can do that.
Last August I had the pleasure of speaking with Jeff Woolsey about Windows Server Virtualization for TechNet Radio.
Happy Grouping!!
What a great session! I hope you’ll agree that this Part 4 session on Group Management had some real gems in it – even if you thought you already knew it all about groups!
Here, as usual, is the “best of” Q&A log from the webcast. Sincere thanks again to my teammates for doing such a great job helping to answer questions! I give them the credit for the information in this document. Outstanding!
I also want to make sure you have the link to the Session Resources I posted for Part 4, and the homework assignment as well.
—
Series Part 4 Webcast Q&A
“Is there a way to register for ALL of the events at one time instead of having to register each week?”
“How can we sign up to the whole server webcast in one go? I was only able to register for each event one at a time!”
Currently, that is the process. I know that the webcast team is working on implementing a more seamless, single sign up process moving forward.
“Can we get the presentation WMV in ZIP format for down-loading?”
It's available as a .wmv download about 72 hours after the event - go back to the event page then and a link to download the file will be sent to you. I don't think a .zip is available however.
“In addition to these level 100 webseminars on Windows Administration, is there a "next level" (ie., 200 or 300 level) series of Windows Administration webseminars?”
Yes, starting with the next part they go up in level, 200 then to 300 by the end of the series.
“Is it possible to convert a distribution group to security group or reverse?”
Yes, http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/dsadmin_groups_convert_group_type.asp describes how. This link will appear on www.microsoft.com/technet/tnt4-04 for this part.
“Do you have to have exchange to mail to a security group?”
There probably is a product, but I cannot find one right now that has the same functionality.
“Where can I find info for setting up VPN with my service provider - Quest and what Groups settings should be setup..roles, permissions, etc...”
Here is a great location to start: http://www.microsoft.com/windowsserver2003/technologies/networking/vpn/default.mspx
“In a small network (single domain), what is the best practice as far as group types are concerned? Should they all be domain local, universal, global? Or does it matter?”
You could just use domain local groups in a single domain; but if you ever someday decide to add another domain, you’d be better off to still adhere to using Global Groups and assigning those into Domain Local Groups; and then granting permissions to the Domain Local Groups.
“How can I get the power-points for the previous webcast I missed?”
If you go to http://www.microsoft.com/technet/community/events/windows2003srv/tnt4-04.mspx and register for the archived webcasts, you will receive a confirmation email which will include links to the downloads.
“Cool. Thanks!”
No problem.
“How do you know if your domain is set to mixed or native mode?”
If you go to the Active Directory Users and Computers snap-in, right-click the Domain name and select Domain Functional level, the resulting dialog will tell you what level you are at and what levels you can go to.
“Can we get the questions and answers?”
Undock the Q&A panel and periodically copy and paste the contents into a document file. Or if you just want the BEST of the Q&A, you’re already here.
“Is there a good place to find best practices in regards to shared folders. (I'm using multiple security groups and have multiple shared folders on my server)”
Please refer to this link on the best practice for managing groups in Windows Server 2003: http://support.microsoft.com/kb/816302
“Is there a way for you to have the links in the PDF live so you do not have to retype them when you wish to use them. This seems to work in most pdfs except the ones from these seminars.”
Unfortunately we don't have any control about how these PDFs are created. That said, if you can wait 72 hours, the hot links in the PowerPoint version will be made available on the event page for this event.
“After migrating from exchange 5.5 to 2003 the public folder permissions were assigned based on the distribution group that were migrated over from 5.5. permissions are not taking effect. I had to add individual users to each folder in order for them to access the folders. How to I get back my group permissions instead of individual accounts.”
Distribution groups cannot be used to assign permissions. Assign the permissions using security groups. Security groups can be used to assign permissions and be used as Distribution Groups, as well.
“Is there any disadvantage if we use the only Security Groups, make them mail enabled, and use them as exchange email distribution lists instead of using Distribution Groups? We can only use the Security Groups to assign permissions to Public Folders in Exchange 2000/2003.”
There's no reason you can't do it that way, especially in a smaller environment. In larger environments, where you want to have more control, creating Groups that are specifically Distribution Groups only, prevents unauthorized use of the group in order to access resources.
“Is there a way to dump the users / groups in AD to a text file to look at the data in a spreadsheet? I have used the net user 'userid' /domain command in dos but some of our group names are long and there is some truncation happening in the results.”
Dsquery.exe is a command line tool that would do this.
“Is there a tool built into AD that will provide me a list of users and all the permissions they have on our network?”
Not built in, no. By assigning permissions to groups, rather than users, and documenting those permissions assignments you can track permissions assigned against your defined security policies.
“Does the query based distrib group update dynamically when you add a new user?”
Actually, if you create a new user with attributes that match what a Query-Based Distribution Group would include, nothing happens. It’s only when the list is used and evaluated, which is every time mail is sent to it, that the “members” are there. It is truly dynamic.
“What is the problem with using a domain local group to control access to a resource instead of a local group?”
I think you are discussing the same thing, unless you are talking about a local group you created on a server?
“I was told that Best practices called for creating a local group on a server and putting domain groups into the server local group and using the server's local group on the server to control access. Is this better that using a domain local group and adding other groups or users to it and using this domain local group to control access?”
Yes, you were told that back in the NT 4.0 days because there was no such thing as a group that was local to the entire domain. You had local groups on the domain controllers, or you had server local groups. So your member servers (file servers?) had local groups on them into which you put Global Groups. With Active Directory, now you have domain-wide groups that are local to the domain, managed in Active Directory for the sake of the domain, without having to create local groups on a server-by-server basis.
“Is ldifde command available in W2k native domains?”
Yes. It's available in Win2k regardless of the domain functional level.
“What is a good ldifde resource?”
You should find some good ones at http://search.microsoft.com/search/results.aspx?view=en-us&st=b&na=82&qu=ldifde
“The icon of query based distr list of that list is not displayed correctly in some computers. It is displayed correctly on the machine with Exchange but when I use ADUC on a different machine the icon is displayed like the icon of the unknown file. Why is that?”
That sometimes happens when the Exchange Administration tools are not installed on the system. To fix that if you install just the Exchange admin tools on that administrative
“Can I do a trusted domain on SBS 2003 to NT4 server?”
No-the answer is at http://support.microsoft.com/kb/842690
“In a small and single domain environment, is it better to make all groups Domain Local Groups? Do I gain performance for doing that?”
You don't and, in fact, you lose manageability. Why? Because if I have multiple domain local groups that I use to control access to specific resources and then populate those Domain Local groups directly with Users, there will likely be multiple occurrences of the same user assigned to multiple Domain Local groups. Now, if I have a new hire, I have to put that user into each Domain Local group that I need the user in. However, if I have created Global Groups and populated Domain Local Groups with the Globals, it is likely that the Global group is assigned to multiple Domain Local groups. Now I can just add the user to the appropriate Globals and the User has access to all resources the global group has been assigned to. You can do what you're saying, but this recommendation is a better long-term solution that will maximize manageability and account for growth.
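The nesting pattern recommended in this Q&A (users into Global groups, Global groups into Domain Local groups, permissions granted to the Domain Local groups, and no permissions on distribution groups) can be audited mechanically. The following is an added example, not part of the original Q&A log: it runs over a constructed inventory of groups and ACL entries, reports where the pattern is broken, and expands each ACL entry into the users who actually get access. Every group, user and share name is made up; on a live domain the same inventory could be built from `Get-ADGroup` and `Get-ADGroupMember`.

```powershell
# Added example. Every group, user and share name below is constructed.
$groups = @(
    [pscustomobject]@{ Name='GG-Sales';       Scope='Global';      Category='Security';     Members=@('alice','bob') }
    [pscustomobject]@{ Name='GG-Finance';     Scope='Global';      Category='Security';     Members=@('carol') }
    [pscustomobject]@{ Name='DL-Reports-RO';  Scope='DomainLocal'; Category='Security';     Members=@('GG-Sales','GG-Finance') }
    [pscustomobject]@{ Name='DL-Budget-RW';   Scope='DomainLocal'; Category='Security';     Members=@('GG-Finance','dave') }
    [pscustomobject]@{ Name='All-Staff-Mail'; Scope='Global';      Category='Distribution'; Members=@('alice','bob','carol','dave') }
)
$acl = @(
    [pscustomobject]@{ Resource='\\fs01\Reports'; Trustee='DL-Reports-RO';  Right='Read' }
    [pscustomobject]@{ Resource='\\fs01\Budget';  Trustee='DL-Budget-RW';   Right='Modify' }
    [pscustomobject]@{ Resource='\\fs01\Sales';   Trustee='GG-Sales';       Right='Modify' }
    [pscustomobject]@{ Resource='\\fs01\Public';  Trustee='All-Staff-Mail'; Right='Read' }
)

# Index groups by name; any member name that is not in the index is a user.
$byName = @{}
foreach ($g in $groups) { $byName[$g.Name] = $g }

function Expand-Member {
    # Recursively resolves a group to its users; $Seen stops circular nesting.
    param([string]$Name, [hashtable]$Index, [System.Collections.Generic.HashSet[string]]$Seen)
    if (-not $Index.ContainsKey($Name)) { return $Name }
    if (-not $Seen.Add($Name)) { return }
    foreach ($m in $Index[$Name].Members) {
        Expand-Member -Name $m -Index $Index -Seen $Seen
    }
}

function Get-NestingFinding {
    # Reports each place where the recommended nesting is not followed.
    param([object[]]$Groups, [object[]]$Acl, [hashtable]$Index)
    foreach ($g in @($Groups | Where-Object { $_.Scope -eq 'DomainLocal' })) {
        foreach ($m in @($g.Members | Where-Object { -not $Index.ContainsKey($_) })) {
            [pscustomobject]@{ Finding='User placed directly in a Domain Local group'; Object=$g.Name; Detail=$m }
        }
    }
    foreach ($ace in $Acl) {
        $t = $Index[$ace.Trustee]
        if (-not $t) { continue }
        if ($t.Category -eq 'Distribution') {
            [pscustomobject]@{ Finding='Distribution group on an ACL (cannot carry permissions)'; Object=$ace.Resource; Detail=$t.Name }
        }
        elseif ($t.Scope -ne 'DomainLocal') {
            [pscustomobject]@{ Finding='Permission granted to a group that is not Domain Local'; Object=$ace.Resource; Detail=$t.Name }
        }
    }
}

function Get-EffectiveAccess {
    # Expands every ACL entry into the users who actually receive the right.
    param([object[]]$Acl, [hashtable]$Index)
    foreach ($ace in $Acl) {
        $t = $Index[$ace.Trustee]
        # Per the Q&A, distribution groups cannot be used to assign permissions,
        # so an entry naming one grants nothing to its members.
        if ($t -and $t.Category -eq 'Distribution') { continue }
        $seen = New-Object 'System.Collections.Generic.HashSet[string]'
        $users = @(Expand-Member -Name $ace.Trustee -Index $Index -Seen $seen | Sort-Object -Unique)
        foreach ($u in $users) {
            [pscustomobject]@{ User=$u; Resource=$ace.Resource; Right=$ace.Right }
        }
    }
}

# Three findings: dave sits directly in DL-Budget-RW, GG-Sales is on an ACL
# without a Domain Local group in between, and All-Staff-Mail is a
# distribution group on an ACL.
Get-NestingFinding -Groups $groups -Acl $acl -Index $byName | Format-Table -AutoSize

# The documented answer to "who can reach what": one row per user and resource.
Get-EffectiveAccess -Acl $acl -Index $byName | Sort-Object User, Resource | Format-Table -AutoSize
```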
“I was in a meeting and late for this webcast. Can I see this webcast later?”
Yes, it will be available to view as a webcast stream about 24-48 hours from now, and available for download in about 72 hours. Start at http://www.microsoft.com/webcasts and click on the On-demand Webcasts link at the top of the page.
“Does this get easier when you work with it all day or are u guys showing off features you only use once in a blue moon?”
ldifde, and all command line utilities usually need research to use them properly and would want to be used more than once a year.
“Are the DS(Add, Move...) commands limited to modifying/creating groups in the same domain? If not, can the DSMOVE be used to move objects from one domain to another?”
The DSMove command can only move objects within OU's in the same domain. To move objects between domains use the MoveTree utility. See kb/238394 at http://support.microsoft.com/kb/238394
“Will the movetree retain the groups that the user is part of or would I have to use one of the methods shown today to export the group membership, movetree the user, then modify the users group membership?”
Global Groups, by definition, can only contain users from the domain the global group is created in, therefore when I move the object to a new domain I lose all global group memberships and need to re-assign that user to the appropriate globals in the new domain.
“Say you add a computer object to a group (to filter Group Policy). How long before that gets reflected in the token of the computer? Is a reboot required? Will restarting NETLOGON work?”
I talked with an engineer in PSS and he believed reboot, but please review this site for a 100% answer. http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsce_ctl_fvlv.asp
And finally – in reference to “Tequila-Kitty”…
“That was good!!”
Don’t encourage him. lol :-) Have a great day!
And the best comment of the day: “It's a good thing he didn't use a lemon with that poor cat... he'd have created a sourpuss!”
OHHHHHH- that's bad!
Greetings!
Here are the resources relating to the TechNet Webcast: “Automating Windows 7 Deployments using System Center Configuration Manager 2007 R2 SP2”, delivered November 11, 2009.
I hope you find them useful!
-Kevin
___
Demo Screencasts
“Best of” Q&A
Best of Q&A post is now available here!
Related Resources
System Center Configuration Manager 2007 http://www.microsoft.com/sccm
Asset Intelligence in Configuration Manager 2007 http://technet.microsoft.com/en-us/library/cc161988.aspx
Inventory in Configuration Manager 2007 http://technet.microsoft.com/en-us/library/bb632437.aspx
Modifying Task Sequences http://technet.microsoft.com/en-us/library/bb978347.aspx
Windows 7 Deployment http://technet.microsoft.com/en-us/library/dd349337(WS.10).aspx
Step-by-Step: Windows 7 Upgrade and Migration http://technet.microsoft.com/en-us/library/dd446674(WS.10).aspx
U.S. Live, In-Person TechNet Events http://www.technetevents.com/KevinRemde
Hurry! Save $$$ on a TechNet Plus Subscription! http://blogs.technet.com/kevinremde/archive/2010/01/20/TNITE04.aspx
IMPORTANT UPDATE: This promotion and promotion code have expired. Please CLICK HERE for the most current promotion.
Whenever I present a live TechNet Event, I ask my audience to raise their hands if they are a TechNet subscriber. Usually about 1/3 of the audience raises their hand. Considering that this is typically a Microsoft-friendly audience, I'm a little shocked that there aren't more hands going up. The TechNet Subscription is such a great resource for IT Pros, for these reasons:
For all of those reasons (Heck, for any ONE of those reasons), a TechNet Plus subscription is worth the yearly investment.
"Cool, Kevin. But how do I save $$$s?"
For new subscriptions, from now until June 2009, you can save 15% on any version of a TechNet Plus subscription.
UPDATE: The discount offer has expired. I do hope you were able to take advantage of it.
Watch my blog for any new offers that may be coming.
UPDATE TO THE UPDATE: There is an even bigger discount from now 'til December 2009! Click HERE for details!
“Why new subscriptions only? Why not a discount renewals?”
Renewals are already automatically discounted. Besides.. we’re honestly trying to promote TechNet Subscriptions to those who haven’t yet benefited from it. We’re pretty confident that if you try it, you’ll see enough value in it to renew your subscription.
Write down or copy this promotion code to your clipboard: TMSAM08 (That's zero-eight. Not the letter O. Think of 2008.)
Then GOTO the TechNet Subscription Center (CLICK HERE), and use the code to get your savings.
Hey all,
Last week I delivered a couple of TechNet Webcasts, the first of which was on Windows 7. It was the first of a whole series of Windows 7 TechNet Webcasts. Immediately prior to the delivery of the webcast, I recorded my demos. I’m finally done editing/rendering them, so I thought you might find them useful. They’re up on TechNet Edge:
If you’re interested in seeing the entire webcast, you can see it HERE.
The resource page I put together for the webcast is HERE.
And HERE is the “Best of Q&A” from the webcast.
I hope you find these resources useful!
Kevin
...and the world will beat a path to your door!
Okay - it's really "mouse-trap"... but today our family is going out to get a natural Christmas tree, and after searching for our old one we realized (and remembered) that last year our tree stand broke. So this year we have to buy a new one.
As I was putting up some lights outside our house (and as kids were decorating Christmas cookies inside), it got me to thinking... if someone were to ask me what I wanted in a tree stand, I would have to say, "A lot!".
I think the perfect stand could simply be placed on the bottom end of the tree, and it would automatically make a thin fresh cut, and latch itself into place. When you stood the tree on end, little sensors and gyros would send commands to the stand's CPU informing the processor of places currently out of balance, and the processor would send commands to mini servo motors driving hydraulic-powered lifts to re-align the tree. A triangulating laser would be able to align the trunk as upright as possible, while coordinating with the other processes to find a happy medium in case the tree is somewhat naturally lopsided.
Once positioned the tree would be automatically fed nutrients, and water that is distilled right out of the surrounding air.
And that's just the standard model, of course. The deluxe model would also have a plug for special lighting that would then be driven by the CPU for a lighting display of your choice... all the while slowly spinning your now "wireless" tree to the time of the music. Oh.. the music would of course be uploaded via the WiFi connection to your home network, or for a monthly charge you could add the XM Radio adapter.
Okay... I've designed it. Which of you will be brave enough to build it so we can make millions?! <chuckle>
Happy Holidays!
I screwed up and deleted the original Part 2 Q&A document when uploading the Part 3 Q&A over the top of it in my blog. That will teach me not to retrieve old articles and expect that saving them with changes will cause a new one to be created. <sigh>
Anyway – here is now the Q&A again from Part 2 of our webcast Series.
Thanks again to my teammates for doing such a great job helping to answer questions! I give them the credit for the information in this document. Outstanding!
I also want to make sure you have the link to the Session Resources I posted for Part 2.
Series Part 2 Webcast Q&A
“Where do I find the homework again?”
I’ve posted the homework on my blog. Here is the homework for Part 2.
“I wasn't here for last week, is it available to view later?”
You can go to http://www.microsoft.com/seminar/events/series/windowsserver2003admin.mspx and view last week's webcast in the on-demand section (bottom of the page). You can register for last week's on-demand webcast and you will be sent an email with links to download the WMV and the PPT file. Thanks and enjoy!
“Do I need a computer to watch this WebCast?”
Um…
“Is there a particular time to log in? How early are we allowed to log in to the webcast?”
You can log in from 1/2 hour before the webcast starts, throughout the time of the webcast
“Are local users on Windows XP assigned to the power users group by default?”
No, you need to assign them to the group
“When you demo you have 3 Virtual PCs running. I would like to duplicate this and load an ISO file for Exchange, Win2003 and XP. I think this is the three you are running. Where can I get the ISO files ?”
Think of each Virtual machine as if it were a physical node on your network. You need a licensed copy of the installation CD for each of the OS's and Application servers you want to use and you need to install each of them to create the VM's. These are not available for public consumption.
“Are there any issues with removing the domain admins from the local administrators group for a workstation in the domain?”
No – unless you consider now that you may be removing necessary administrative access for your administrators.
“What's the difference between a group and ou?”
A group is for assigning permissions. Group memberships help make it easier to grant rights of access to resources to users and computers. OUs (Organizational Units) are for grouping objects within an Active Directory domain, and are mainly beneficial for assigning Group Policies to the objects within an OU, or delegating administrative authority over those objects within the OU.
“In SBS 2003, local users are automatically added to the Local Admin account. Is this a good idea? Should the users always be a member of the local administrators?”
No, users should not be members of the administrators group unless there is a pressing need.
“If I am using Password never expires and I want to change that for all users in my domain, can I change that option for all users at one time or do I have to change it one by one?”
Select all the users and make the change. Or better yet, use Group Policy at the domain level to not have expiring password. But… it’s really a good idea to have passwords expire. It has big benefits relating to security.
“Have seen from time to time that the computer when added to the domain, does not appear in the Computers container. Why is that?”
It’s just an occasional thing? I’m not sure why that is, unless there are DNS or other issues with how certain computers are not able to see a DC, or perhaps replication isn’t happening the way it should.
“Can you leverage any other products besides Exchange for user creation/integration? Or is it because AD and Exchange are both loosely coupled under LDAP to allow for this? Reason I ask was for something like say SharePoint. Thanks”
Most of our products can use AD for permissions. Account creation is typically a separate process.
“When you do not select ‘Password never expires’, how long/often does it force a password change from the user?”
By default, never. You need to configure the maximum password age setting in Group Policy at the domain level: Computer Configuration ==> Windows Settings ==> Security Settings ==> Account Policies ==> Password Policies
“Does this Exchange mailbox option appear only on the Exchange server or on all servers?”
On all Domain Controllers in a domain in which Exchange has been installed or connected to an Exchange 5.5 organization via the ADC.
“Can additional fields be added to the user properties pages in Active Directory Users and Computers, such as a field bound to the employeeID attribute?”
Yes, almost all objects are extensible.
“How/where can we get Windows Admin Tools?”
They are on the CDROM, resource kits, microsoft.com, etc.
“Is there a place to find out what rights are assigned with each standard user groups (ie Remote Desktop).”
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_adgroups_9builtin_intro.asp
“At what number of users AD is a good solution for management?”
It's not really just a matter of number of users. Number of computers, file servers, assigning permissions to resources like a file share all come into play when deciding to move from a peer to a domain model.
“Is there a way on an xp desktop to have the exchange options like you do on the exchange server”
Yes, you can install the adminpak.msi from the Windows server CD to get the AD management tools and you can install the Exchange management tools on your XP machine as well, so that you can manage AD and Exchange from your workstation rather than from the server. see http://support.microsoft.com/kb/834121 and related links
“When accounts expire, are they deleted or disabled?”
disabled
“What time of the day do accounts expire on the day that you put in for the expiration?”
12 am midnight on the date specified
“Can the Log On To feature be assigned to an OU or Group?”
No
“What is an admin share?”
It’s a hidden share. Any share whose name ends in a “$” is hidden. Example: ADMIN$ is actually c:\winnt shared out for administrators to have access to.
“Is there an add-in to show you last login or the users sid in the ADUC?”
I am unaware of one.
“Can you use the Remote Control tab settings without selecting ‘Require users permission’ for an Administrator to view a users desktop without their knowledge?”
Unfortunately not.
“Is there a way to ‘dump’ (in an ‘offline’ readable format) all non-default settings in ADUC?”
Yes, you can use the resultant set of policy tools to build reports.
“The exchange server comes within the win2000 server operating system?”
It integrates with it, AD is the Directory service for Exchange, but Exchange is a separate application that needs to be purchased and licensed separately.
“Are these exchange tabs available with win 2000 server also?”
yes
“What is the password for an Admin share?”
Shares don't have passwords; they have permissions lists (Access Control Lists). If your account is on the list you get in; if not, you don't.
“Does adminpak.msi include exchange properties? how do you enable these?”
By installing the schema for Exchange into active directory via the Exchange forest and domain prep process.
“How much account specific information about the user is available to other in the domain? Can the amount of information about a user be limited to others in the domain should they search Active Directory?”
Use ADSIEdit to check. You can modify what is replicated. Be careful with the tool. http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/adsiedit.asp.
“How can you disable ‘Outlook Web Access’ by default?”
You could create your users with a template that has this disabled. Or better still, you can manage it through the properties on the Exchange Server directly.
“Can the user have a different logon name from the e-mail account name”
Yes
“Are the Exchange features general attributes or can you add to the listings?”
When Exchange is installed there are a default set of Exchange attributes that can be managed from the ADUC, however, the AD Schema is extensible, so you can create your own custom attributes and replicate them throughout AD see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/active_directory_schema.asp and related links
“If you disable a user account, will it still accept email to the account in Exchange?”
“What does dsmod stand for? thanks”
DSMOD is a utility to modify an existing object of a specific type in the directory. DS=Directory Services, MOD=Modify
“How do you use the user template to copy to make many users?”
Create the template with the fields populated with your generic data (the account should remain disabled) then in the ADUC right click and say copy.
“Is there a way to export user information into a tab formatted file like Kevin is showing?”
Absolutely. See CSVDE and LDIFDE as tools that allow you to do this.
“In creating a group container, is there an area where you can put the name of the owner on the display?”
The answer is yes. It is a property for the group although it isn't commonly exposed in our tools UI.
“After migrating from exchange 5.5 to 2003 I can't seem to find where to make changes to the ‘assistant’ field?”
That may have been folded into the Direct reports field on the organization tab
“Is there a way to see all the Q&A later?”
Yep. You’re looking at it! :-)
“What tool that we use to rename user account in AD and Exch?”
Just right click the account in the Active Directory Users and Computers console
“With command line, if you have permission rights to only a part of the AD tree, will the command line be intuitive enough to add to your privilege level or is it an all or nothing meaning you must have enterprise level access?”
“Is cn short for common name?”
“Isn't there going to be a problem in AD for Exchange with the capitalized OU object in that command line?”
“Has mail delivery changed in 2003? because in 2000 mail sent to a disabled user is refused and generates an NDR to the sender”
Hmmm. You may be correct but I thought it still delivered the mail in the event the account with assigned permissions needs to be changed.
“Can you find out through AD what computer(s) the user is logged on to?”
No, but you can enable an audit policy on the DCs that records authentication requests in the Security log of the Event Viewer.
“Where can I find a list of all these commands that are being used to query and add accounts from the command line?”
A lot of the commands are in the Help area of Windows Server 2003 (under the start button). Many are also in the deployment and operation guides.
“Are this commands only for win2003?”
Some are new, yes.
“Why would an Administrator use the command prompt to add users with the dsadd command? Multiple Adds? Faster than ADCU?”
For some people it's faster, and the same goes for people who write their own scripts. Also, if you're just deploying AD and you're testing, it's easy to create the scripts as you go and then just run them when you're ready to deploy, as I did in the demo.
“Will these commands {line} be able to be used from a remote machine or only on a DC?”
You can do these remotely also.
“Can I create two folders in AD Users & Computers under my domain to separate my groups & users or do I have to create two OU's?”
The folder IS an OU
“Is there a way of forcing the address book in each users outlook to refresh?”
Yes, there are Outlook 2003 registry settings that control automatic or manual download and update of the OAB. I don't recall how many of them are exposed via group policy but I know there are reg settings you can implement.
“This might be coming, but is there a way to randomly generate an initial password for all of the users at once?”
DSadd includes a command line switch to set a password, but not to randomly generate one.
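One way to fill the gap this answer describes, as an added example that is not from the webcast or from Microsoft: a PowerShell script that generates a separate random initial password for each user and builds the matching dsadd command with a forced change at first logon. The users, OU and UPN suffix are constructed placeholders, and the character set is an assumption chosen so that every password is literal inside a double-quoted cmd.exe argument.

```powershell
# Added example (not from the webcast): one dsadd command per user, each with
# its own random initial password and a forced change at first logon.

# Constructed sample input. The users, OU and UPN suffix are placeholders.
$ouDn      = 'OU=Staff,DC=example,DC=com'
$upnSuffix = 'example.com'
$users = @(
    [pscustomobject]@{ Sam = 'jdoe';   First = 'Jane'; Last = 'Doe'   }
    [pscustomobject]@{ Sam = 'rroe';   First = 'Rick'; Last = 'Roe'   }
    [pscustomobject]@{ Sam = 'mmajor'; First = 'Mary'; Last = 'Major' }
)

# Cryptographic RNG from .NET, used for every random choice below.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

function Get-RandomIndex {
    # Uniform integer in 0..Max-1; rejection sampling avoids modulo bias.
    param([ValidateRange(1, 256)][int]$Max)
    $limit = 256 - (256 % $Max)
    $b = New-Object byte[] 1
    do { $rng.GetBytes($b) } while ($b[0] -ge $limit)
    return $b[0] % $Max
}

function New-RandomPassword {
    param([ValidateRange(8, 64)][int]$Length = 16)
    # Look-alikes (0/O/o, 1/l/I) are left out. The symbols stay literal inside
    # a double-quoted cmd.exe argument (no %, !, ^, & or ").
    $classes = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnpqrstuvwxyz', '23456789', '#+=_@?'
    $all = -join $classes
    $chars = New-Object char[] $Length
    for ($i = 0; $i -lt $Length; $i++) {
        # The first four positions guarantee one character from each class.
        $set = if ($i -lt $classes.Count) { $classes[$i] } else { $all }
        $chars[$i] = $set[(Get-RandomIndex $set.Length)]
    }
    # Fisher-Yates shuffle so the guaranteed characters are not always in front.
    for ($i = $Length - 1; $i -gt 0; $i--) {
        $j = Get-RandomIndex ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return (-join $chars)
}

function New-DsaddCommand {
    param($User, [string]$OuDn, [string]$UpnSuffix, [string]$Password)
    $dn = 'CN={0} {1},{2}' -f $User.First, $User.Last, $OuDn
    # -pwd sets the initial password; -mustchpwd yes expires it at first logon.
    return 'dsadd user "{0}" -samid {1} -upn {1}@{2} -fn "{3}" -ln "{4}" -pwd "{5}" -mustchpwd yes' -f $dn, $User.Sam, $UpnSuffix, $User.First, $User.Last, $Password
}

$results = foreach ($u in $users) {
    $pw = New-RandomPassword -Length 16
    [pscustomobject]@{
        Sam      = $u.Sam
        Password = $pw
        Command  = New-DsaddCommand -User $u -OuDn $ouDn -UpnSuffix $upnSuffix -Password $pw
    }
}
$rng.Dispose()

# Self-checks: every user has a distinct password containing all four classes.
$distinct = @($results.Password | Sort-Object -Unique -CaseSensitive).Count
if ($distinct -ne $users.Count) { throw 'Duplicate password generated' }
foreach ($r in $results) {
    if ($r.Password -cnotmatch '[A-Z]' -or $r.Password -cnotmatch '[a-z]' -or
        $r.Password -notmatch '[2-9]' -or $r.Password -notmatch '[#+=_@?]') {
        throw "Password for $($r.Sam) is missing a character class"
    }
}

# The command text carries the passwords in clear, so treat it as a secret:
# run it in the session and hand out $results.Password per user instead of
# saving the lines to a batch file.
$results | ForEach-Object { $_.Command }
```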
“Can you please repeat the Blog Address?”
http://blogs.msdn.com/KevinRemde - but you knew that.
“Can the whole presentation be saved or just the PP?”
In 72 hours you will be able to register for this webcast and will be sent an email with links to download the PPT and WMV files.
“If you are a local admin on Windows server 2003 and Windows 2000 Server - Can you use those commands on those servers?”
Not on 2000, only 2003
“Not really a question: You did great today, guys! Bravo!”
Thanks much!
“Once a computer has been added to a domain, should the local Administrator account be disabled?”
No, but you may want to change its name. And you should definitely assign it a strong password.
“I'm sorry if this was asked, but where do we find homework?”
I’m posting all of the homework assignments to my blog. Here is where you’ll find the homework for this week (week #2).
“Which username will the variable %username% return? The full username or the pre-windows 2000 username?”
Pre-windows 2000 username
“Are you sure DSADD isn’t in Windows 2000?”
My esteemed colleague, Keith Combs, pointed out that indeed DSADD and DSMOD were supported in Windows 2000 – perhaps as part of the Resource Kit. See http://support.microsoft.com/kb/320187
“Will you cover changes in scripting for user profiles in 2003 next week?”
No scripting for profiles. We talk about User Profiles in great detail – what they are and what they are for, and the different types of Profiles and their implications.
You can see the series and topics covered at http://www.microsoft.com/seminar/events/series/windowsserver2003admin.mspx
“Our users' home drives are named with their usernames. Is there a way to record this in a template account? IE..\\server\%username%”
Yes... That will work there also.
“I use the command line mail tool Blat in some batch files. It requires an user name/password so it can authenticate so send email. Obviously, being in a batch file, the password is plain text. What's the best way of having an user account that no one can take advantage of?”
Encrypt the file, or create a folder and enable encryption on that folder. Put all such sensitive files in the encrypted folder.
“Can these command be use on Windows Small Business Server 2003?”
Yes!
“Does the Remote Control option under user properties affect the computer RC setting?”
You can override it on the computer side. That wins over the user settings, I believe.
“hahahaha! ROFL. That picture was soo funny! Kind of looks like Rob Westover! :-)”
This one?...
Glad you liked it! (And I’m sure Rob will be glad, too!)
UPDATE: This promotion has expired. Please click here to see details on the current promotion.
UPDATE: This promotion ends on June 30, 2010 October 31, 2010.. and will still save you 25% on the newly named "TechNet Subscription Professional" (same price). Just substitute "TechNet Plus Direct" with "TechNet Subscription Professional" in all that you read below.
Whenever I present a live TechNet Event, I ask my audience to raise their hands if they are a TechNet subscriber. Usually about 1/2 to 2/3 of the audience raises their hand. Considering that this is typically a Microsoft-friendly audience, I'm a little shocked that there aren't more hands going up. The TechNet Subscription is such a great resource for IT Pros, for these reasons:
For new subscriptions, from now until June 30, 2010, you can save 25% on the TechNet Plus Direct subscription. What would have cost you $349 will now cost only $261.75.
"That's nearly $100!"
Bingo!
"Is this worldwide, or U.S. only, or what?"
This is for residents of the U.S. only.
Renewals are already automatically discounted, even more than you get with this code. Besides.. we’re honestly trying to promote TechNet Subscriptions to those who haven’t yet benefited from it. We’re pretty confident that if you try it, you’ll see enough value in it to renew your subscription.
Write down or copy this promotion code to your clipboard: TNITQ404 (That's four-zero-four. Not the letter O.)
“If you weren’t a Microsoft employee, Kevin, would you buy this for yourself?”
Without hesitation, YES. I use the software I download so much; for personal education as well as testing, $261.75 is a small price to pay for the value I receive. Absolutely.
“Hey Kevin, didn’t you have some other codes we were using before?”
Yes. The “TMSAM08” and “TNITE04” codes are no longer valid. You need to use this new TNITQ404 code now.
As promised, here are the best of the questions (with answers) from our November 11, 2009 “TechNet Webcast: Automating Windows 7 Deployment Using System Center Configuration Manager 2007 R2 SP2”
BIG THANK YOU to John Weston, John Baker, and Dan Stolts for handling the Q&A during the live event. Most of what follows started with their answers to these very good questions.
PS – The resources, including links to screencast recordings I did of the complete demos for this content, are available HERE.
Questions and Answers
“Is it possible to manage Blackberry devices with SCCM?”
No. Only the following devices are supported: Windows Mobile 2003 Smartphone; Windows Mobile for Pocket PC 2003 Second Edition; Windows Mobile for Pocket PC 5.0; Windows Mobile for Pocket PC Phone Edition 5.0; Windows Mobile 6 Standard; Windows Mobile 6 Professional; Windows Mobile 6 Classic.
“How well does this integrate into MDT 2010?”
The two actually share some technology. Both use tools from the Windows Automated Installation Kit (WAIK) for portions of their solution. Both create and drive task sequences.
But as far as integration, they are different tools. The Microsoft Deployment Toolkit (MDT) is free, and is purely for addressing the creation and management of Operating System deployment. System Center Configuration Manager 2007 (SCCM) is not free, but does deployment of applications, updates, operating systems, as well as collection and management of computing inventories (hardware and software) and licensing. SCCM is also scalable to support the largest of any businesses out there, with an architecture that lets you define and distribute roles across large geographic boundaries.
So.. if you are a small-to-midsized business who just need a toolset to drive deployment, and if you don’t already have SCCM, you’ll want to look at the MDT.
“How do you capture an image?”
You can capture images using ImageX, which is a part of the Windows Automated Installation Kit. Instructions are here: http://technet.microsoft.com/en-us/library/cc749003(WS.10).aspx
You can also use SCCM 2007 to build a deployment of your “reference computer”, so that your task sequence will install the OS, install apps, drivers, packages, and then capture the image for you. A description of this, plus instructions, can be found here: http://technet.microsoft.com/en-us/library/bb632585.aspx
“Can you have a SEPARATE server added into SCCM that can host the PXE environment... we have a separate MDT2010 server stood up today...”
MDT and SCCM can be integrated in the sense that you can use either to build deployments, and to take advantage of the same capture, PXE, WDS, and image tools. They also natively support the same boot and os image files (.wim files – the first containing WinPE, and the second having the captured OS).
At the end of the session, could you go over implementation costs for this new system before logging off? Also could you address user licence agreements. I have three office locations in the US and Canada with 15-20 computers.
These webcasts are so packed full of information, and with one hour to fill, we really can’t get into these kinds of details. Certainly this information is available either online, or from your local reseller or Microsoft Partner.
If you only have a total of 15-20 systems, you might want to just use the MDT 2010. (http://www.microsoft.com/downloads/details.aspx?familyid=3bd8561f-77ac-4400-a0c1-fe871c461a89&displaylang=en )
Here’s the licensing information for SCCM: http://www.microsoft.com/systemcenter/configurationmanager/en/us/pricing-licensing.aspx
“Why is he using a winpe boot.wim made from build 7100? doesn't sp2 install a boot.wim that build 7600?”
These images were created before RTM occurred.
“How do you find the smbios guid on a machine?”
“Where does SMBIOS GUID come from? How do you know it from a bare metal ws?”
“Where did he get the guid for his bare metal pc?”
“How did he come up with an SMSBIOS GUID for the machine provisioning when it is bare metal system and has never been an SCCM client? I can see how you can give it a NetBIOS name and a MAC address but how do you pre-determine an SMSBIOS GUID?”
One way against a running machine would be to use WMI and the .\root\cimv2 namespace “Win32_ComputerSystemProduct” class. Or using PowerShell, you can run this command:
Get-WmiObject Win32_ComputerSystemProduct uuid
But if, as in the example I demonstrated, the machine doesn’t have an OS installed yet, that’s not going to help much. What you’ll do in that case is boot into the system settings. You should be able to find it there. (On my Lenovo, the UUID is right there on the first screen in the BIOS info.)
“In SCCM 2007 R2 SP1, you could also advertise the task sequence and packages to unknown computers. Is this option still available in SCCM 2007 R2 SP2?”
Yes. Here’s a really good post on how to enable and use this:
http://www.deploymentforum.com/Community/Forums/tabid/124/forumid/23/postid/2133/view/topic/Default.aspx
“What are the options for advertising a task sequence via PXE to all KNOWN computers without advertising the task sequence to a collection?”
SCCM advertises to collections only, but certainly that collection could contain all of your KNOWN computers.
“If the image is captured using standard TS, the Configmgr client is installed into the WIM image. Why therefore does the deployment TS install the client if it is already there?. I believe the capture TS "prepares" the SCCM client i.e. removes sitecode, stops ccmexec service and removes certificates so I would expect the deploy task sequence running ccmsetup to realise client is already present and just activate it - instead it does a reinstall which wastes time - why?”
Good point. If your captured image already has the client, then I don’t see why another install would be necessary. My image didn’t have it.
Remember also that you could use the ‘install.wim’ file directly off of the Windows OS DVD, which has absolutely nothing in it. In that case your deployment would include the ConfigMgr Client, as well as any-and-all other drivers, updates, and applications.
“Is there any advantage to importing the computer information vs. using R2's ‘Unknown Computer’ support?”
The only advantage I can see is to restrict just anyone from being able to start an installation.
“I missed the first part. Did he talk about configuring WDS and the PXE for SCCM?”
Yes, I did briefly. Basically I just showed where in the Server Manager you add the WDS server role. I took the defaults. And then I showed where I added the PXE Service Point site server role in SCCM.
“What version of WinPE are supported with SCCM?”
Configuration Manager 2007 requires Windows PE 2.0. Configuration Manager 2007 SP1 requires Windows PE 2.1. Configuration Manager 2007 SP2 requires Windows PE 3.0.
“For WDS, do we need to configure it to reply to PXE boot? Do I need to configure any options in WDS or i just install the feature and only do the configuration on the PXE site system in SCCM?”
The default in WDS is to respond to Known and Unknown computers. But in my demonstration, I didn’t do anything at all in WDS, other than add the role. The PXE Service Point, and allowing only known or unknown computers support, is where this happens in SCCM.
“Where do i get the USMT for windows 7?”
It is part of the Windows AIK http://go.microsoft.com/fwlink/?LinkId=136976
“Where does USMT store the data it gathers? How do you set that up?”
Here is the User Guide: http://technet.microsoft.com/en-us/library/dd560801(WS.10).aspx
“Can you use the SCCM tools to add an image to an existing wim or do you have to use something else for that?”
I don’t think there is a way to have SCCM do that automatically for you – unless perhaps you could add a custom step to a task sequence that drives the ImageX tool to merge a newly captured image into another file. (“I’ll leave that for you as an exercise.”)
“How do i install USMT on Windows XP?”
You can install the WAIK on Windows Vista and later, and then copy the USMT files over. NOTE that you can only run the ScanState utility on XP. You can’t use LoadState. (And why would you?)
Check out Dan Stolts’ excellent blog post and video: http://blogs.technet.com/danstolts/archive/2009/09/02/migrate-windows-xp-to-windows-7-using-usmt-user-state-migration-tool-upgrade-xp-or-vista-step-by-step.aspx
“Can you put the Product Key in there? Do you need KMS server?”
You can do either.
“Can i use the USMT if i have a x86 XP but want to image/migrate over to x64 Win7 PC?”
Yes. You can use USMT to migrate x86 to x64. You can’t go 64-bit to 32-bit, though.
“What does the USMT4 Hardlinking feature do with the data on disc during the OS installation?”
It simply keeps it in a folder that it doesn’t touch during the installation. Starting with Windows Vista, these “image-based” installations are non-destructive by default, as a benefit of the fact that the image is a file-based image and not an image that simply throws bits on a disk. So if you don’t partition and/or format the drive, and if you have sufficient space on the disk for the installation files on top of your existing disk, then you can keep the data on the local disk.
“For OEM editions that do not require a product key (Dell DVD's for example), does licensing carry over in the imaging process?”
You don’t have a distributable OS with just the copy that comes on your computer. The OEM copy is firmly linked to the hardware it was sold on. To do what we’re discussing here, you have some kind of volume licensing on top of this that allows you to create and deploy OS installations onto those boxes.
“Do I need to configure any options in WDS or i just install the feature and only do the configuration on the PXE site system in SCCM?”
The WDS role is simply added to the server. You'll do all your configuration from within SCCM.
“Do we install the PXE role on secondary servers and primary servers or just the central server?”
PXE service point is configured on a site system. It doesn’t have to be a primary or secondary site server and definitely shouldn’t be put on the Central Site server. It will however, be servicing a primary or secondary site.
“Leveraging the new Virtual Windows XP Mode available in Win7 Pro and Ultimate, would it be possible to deploy that along with the Windows 7 image, and simultaneously create a virtual machine running Windows XP for legacy applications?”
It would be a rather fat image, but I don’t see why you couldn’t build a reference system that included the XP mode .vhd, and Windows Virtual PC already configured. There’s nothing special about the XP machine (it’s just a .vhd after-all). Don’t boot it before capturing the image. Leave it be in a pre-run state.
“Where do i get the Windows PE 3.0?”
Windows Automated Installation Kit
“Where does USMT store the data it gathers? How do you set that up?”
Two choices: You can point the scanstate tool to the destination using command-line parameters, or you can configure the appropriate .xml files to make these designations.
See the User State Migration Tool “components” page for more details: http://technet.microsoft.com/en-us/library/dd560755(WS.10).aspx
“Where can you configure USMT like what files,settings get backed up?”
See the User State Migration Tool “components” page for details on how you can specify such things: http://technet.microsoft.com/en-us/library/dd560755(WS.10).aspx
“Does the USMT copy all the multiple users info?”
It can, yes. In my demo, it did (though I only had the one user).
“Can i have your email?”
Can I have yours?
“How do you capture data and save it locally instead of on the server?”
In my last demo that’s exactly what I did. I configured the task sequence to store the user’s settings locally. If you’re just using USMT from the command-line, you can do that in options for the scanstate tool.
“The last demo - Was it using USMT hard links”
Yes. It’s a very fast restore.
“Is SCCM SP2 supported in windows 2008 R2?”
Yes.
“How to you create a wim image for Windows 7”
See the WAIK and the documentation on the ImageX tool. But if you simply want to have an OS image to deploy (with nothing extra installed within the image), you can just use the install.wim file found on the Windows 7 DVD, or in the Enterprise installation you got with Volume Licensing.
“What is the difference between SCCM and MDT 2008?”
http://www.bing.com/search?q=What+is+the+difference+between+SCCM+and+MDT+2008%3F&src=IE-SearchBox&FORM=IE8SRC
“When the LTI deployment fails, where are the log files stored?”
A list of the log files in SCCM and where they’re found can be found here: http://technet.microsoft.com/en-us/library/bb892800.aspx
Wow!
Frustrating Audio!
First of all – sincere apologies to all of you who weren’t able to get audio early-on in our webcast. The webcast producers are currently working with the streaming audio vendor to determine where the problem was, and how we can be assured that it won’t happen again. I’ll post an update here as I find out. But again – I’m very sorry for the confusion and frustration this caused, and I hope you will take advantage of the On-Demand webcast viewing for this session when it’s available.
Another note… and this relates to something Jason (webcast producer) mentioned. Some of you have registered for the On-Demand webcast when it became available (after 24-48 hours) and did NOT receive emailed links to where you could get the PowerPoints and the .WMV downloadable version. This is because those resources are not available until 72 hours after the event. So… if you’re interested in getting those, make sure you re-register for the On-Demand event after 72 hours have passed. (Sunday morning should just about do it, but wait ‘til the following Monday if you want to be sure.)
Also, I want to make sure you also have the link to the Session Resources I posted for Part 5, and the homework assignment also.
Series Part 5 Webcast Q&A – Disk Management
“Where is the On-Demand Webcast found?”
Part 5 “Disk Management” is found HERE.
“Why is Microsoft software so expensive?”
It’s not. Not for the value it gives. (My humble opinion.)
“Will the recorded meeting contain the audio?”
Yes, the recording will.
“NO AUDIO!!!!!!!!!!!!!!!”
Yep… Sorry.
“Are dynamic disks special disks or just software based?”
Software based
“Can a spanned array of dynamic disks be moved to another computer?”
See the following article on moving disks from one computer to another. http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prkb_cnc_ykyz.asp
“What advantage is there (if any) to using dynamic disks when using hardware based RAID?”
“I use hardware RAID5 on all my servers - the RAID BIOS 'presents' the logical drive to Windows as a single drive. Would there be any advantage or disadvantage to converting them from basic to dynamic?”
Some would argue that there are no benefits using software vs. hardware because supposedly hardware is lower-level and therefore faster. There are a few benefits, however, mainly having to do with total cost and ease of administration. See the following article: http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/sdcbc_sto_vlfo.asp
“Do you know when clustering will support dynamic disks?”
There are no plans at this time. This does not mean it will never happen, but it is hard to say when and if this will be available in the future.
“Can I revert a dyn. disk to basic?... without losing data or will I lose all data on the disk after proceeding so?”
It is possible to go back, but not directly. See the following article: http://support.microsoft.com/default.aspx?scid=kb;en-us;309044&sd=tech
“Are you going to be going over any of the DFS functionality being released with 2k3 Service Release 2?”
Probably not in this web cast but keep looking at this web site when R2 is released: http://www.microsoft.com/WindowsServer2003/technologies/fileandprint/file/dfs/default.mspx. Hopefully it will have something for you
“I have a few PC-class ‘servers’ (desktop PC running Windows Server 2003 and a single server-based service or function). Is there any advantage of converting its single hard disk to dynamic?”
All of the benefits I was highlighting would be available.
“So conversion of a basic disk to a dynamic disk does not damage the data on the disk?”
No, it doesn't.
“What if you have dual boot system with a Win2000 Srv instance and a Win2003 Srv instance.. could they both access the same dynamic disk volume ?”
Dynamic disks cannot be directly accessed by MS-DOS, Windows 95, Windows 98, Windows Millennium Edition, Windows NT, or Windows XP Home Edition, so you cannot start these operating systems on dynamic disks. So Windows 2000 should be OK... Check this link for info: http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DISKconcepts_10.asp
“Is it recommended to convert the system volume to a dynamic volume in a Windows Server 2003 environment?”
You can but read this first. http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/dm_dynamic_overview.asp
“Is there a performance hit for converting to dynamic?”
Actually the performance can be increased if you do something like a stripe volume.
“Can the system (boot) volume be mirrored? Are there any issues with that?”
It can be mirrored. See the following link for more info: http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/dm_dynamic_overview.asp
“What is the difference again between a Quick Format and a Format?”
Mainly it is a difference between whether or not the format process also performs diagnostics and checks for bad sectors. Check this kb out: http://support.microsoft.com/kb/302686
“Is there any difference between a newly created dynamic disk and a basic disk upgraded to dynamic? I recall reading something about Windows setup being able to install if the dynamic disk was upgraded from a basic one.”
You can perform a fresh installation of the Windows Server 2003 family of operating systems on a dynamic volume only if that volume was converted from a basic boot volume or basic system volume. If the dynamic volume was created from unallocated space on a dynamic disk, you cannot install the Windows Server 2003 family of operating systems on that volume.
“Someone asked earlier if the boot partition can be converted to a dynamic disk. The answer given was "No". I thought it was possible.”
Yes, this is possible. Please see the following article for clarification: http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/dm_dynamic_overview.asp. Just be sure the drive that holds the boot partition has enough free unallocated space.
“Does a spanned volume have to use extra space on only one server or can it be spanned across several servers?”
It has to be on the local server only.
“When you are using a striped disk set, if you copy a file to a striped volume, does it copy that same file to all three of the disks if that’s the case?”
No. There is an algorithm that stripes the data across the drives. Users don’t have to know or care how the file is stored.
“Can you mirror a spanned or striped volume?”
No, neither can be mirrored.
“Can your C: drive be a dynamic drive.”
Yes. Check this link for more info.... http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/dm_dynamic_overview.asp
“If you're using hardware RAID (with onboard cache memory), do you recommend selecting ‘Enable Write Caching on the disk’ and ‘Enable advanced performance’ on your (virtual) disks?”
You should really use the recommendations of the manufacturer. An interesting article you might enjoy is at the following. http://sr5tech.com/write_back_cache_experiments.htm
“On spanned volume if a disk goes bad you lose the whole volume?”
Correct. Spanned volumes are not fault tolerant.
“Can the boot partition be expanded/spanned?”
If performing an upgrade, you can use the strategy listed in the following articles: http://support.microsoft.com/kb/325857 and http://support.microsoft.com/kb/289876
“Is there any point converting to dynamic disks if I have hardware RAID”
There is. See the links to the same question earlier in the queue
“Is it mandatory to have same make, model and manufacturer, wont it work if its different , in case it perhaps discontinued from vendor?”
No, it’s not mandatory. Just highly recommended.
“How many dynamic drives can be used in a spanned volume configuration?”
It's more a question of size than number of physical disks. See http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/sdcbc_sto_cokp.asp
“For a mirrored volume, does it matter if one physical disk is SCSI and the other IDE?”
In that case the disks need to be identical. See the following http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/dm_dynamic_overview.asp
“Where I can find a Guide to build up RAID in windows 2003?”
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/dm_raid5.asp
“If you add a mirror to an existing drive, does the OS automatically copy all of the then existing data content to the mirror drive? If so, how long does this take?”
Yes. The creation of the mirrored volume will duplicate the data on the mirror. How long it takes is dependent on the disk I/O and amount of data to be synched.
“Win2k3 software not support raid50, raid50 only supported when using a hardware level raid configuration?”
2003 does support software based raid in a limited capacity and hardware based raid. http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/dm_dynamic_overview.asp
“Is raid 5 better than mirrored?”
It all depends on your definition of "better". RAID 5 gives you a lower cost per mb (gb) due to the ability to use more than just 2 disks. There is a performance hit on write functions in a RAID5.
“What happens if run out of letters to assign to volumes?”
You can assign them names, or use volume mount points. http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_ddisk_what.asp
“Is there a performance issue in software vs. hardware mirroring, raid-5 etc.”
Yes. When using software, you take a hit due to the use of system memory as well as system processor to perform the work. A hardware RAID subsystem will usually be better performing.
“Are you notified which disk on a mirror is corrupt if you have problems?”
Normally this will show in the Event Viewer. If it is the primary disk, the system will most likely fail; if it is the secondary mirror, the system will still function, but you will traditionally see errors in the Event Viewer.
“How much data will you lose when you break the mirror?”
Generally you don't actually break the mirror unless you don’t plan on using it anymore. In any case the mirror is the link between the disks so data is not lost in breaking the mirror. It is simply no longer recorded on both disks.
“Is RAID 5 the same as mirror?”
No. RAID5 is a stripe set with parity and requires 3 or more disks. A mirror is RAID1, which can only have 2 disks - whatever is written on one disk is written on the other. So you have fault tolerance, but no speed improvement.
“Can Windows create RAID 10 sets?”
No. That requires a hardware RAID controller.
“Is it safe to hot swap a mirrored drive for a sort of a backup option? Say you have two HD set up as mirrored disk 0 and disk1, disk1 is mirroring disk 0, can you swap out another HD with disk1? Can you provide a link on doing this?”
In order for this to work you would need to reconfigure the mirror set. It is not a hot swappable option. http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/core/fndd_flt_DSVC.asp
“So the system and boot partition cannot exist on a RAID-5 volume?”
It can if the RAID5 volume is created via a hardware RAID set.
“I plan on setting up 5 SMS secondary servers - is there a Microsoft recommendation configuration for disk layout?”
It depends on what’s going to be running on the Site Servers. Are they going to have all roles on there? If so, RAID 0 for the DP would help, but other than that there aren’t really any specific recommendations.
“What’s the I/O penalty with raid 6?”
Depends on the manufacturer. There is no software based raid 6 in win2k3.
“Any possible loss of data during a defrag?”
If you are defragging a running database you could get into data loss issues, but generally no real troubles with defrag.
“What about Defrag on Hardware raid, good idea or not?”
Generally no, but see the manufacturer's recommendations.
“I see you say NO, it is not recommended to run defrag on a hardware stripe; is it recommended to run defrag on a hardware raid 5?”
“Why isn't it recommended to run defrag on a hardware stripe?”
Serves no purpose. The files are spread over the drives in the stripe via an algorithm.
“Any problem using defrag on an Exchange box?”
“Is it safe to defrag drives on a Exchange 2003 server?”
Please keep in mind that the defragmentation process cannot defragment a file that is open (locked). The Exchange database will be locked by the Exchange Information Store service and will not allow the database to be defragmented. So long as you are not looking to defragment the Exchange database, you should be fine. I would perform the defragmentation during "off" hours, as the process will negatively affect the performance of Exchange: you will be doing quite a bit of disk IO during the defrag process, and Exchange is quite disk IO intensive itself.
“Will you have the links to the next webcast in this series?”
The next webcast (and the rest in the series) live here: http://www.microsoft.com/events/series/windowsserver2003admin.mspx Part 6 is here: http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032267249&Culture=en-US
“A free third-party tool that defragments the registry hives and pagefile can be found here: http://www.sysinternals.com/ntw2k/freeware/pagedefrag.shtml”
Thanks for the tip. Love that great Sysinternals stuff.
“Unable to copy question section using Ctrl-c plus Shift-Ins will this be available later?”
This “how do I copy the Q&A?” question comes up a lot. If you want to copy the Q&A from the Live Meeting interface, you can drag that Q&A panel off and make it larger. Then, using your mouse, select the text you want to copy. Press CTRL+C. Then go to some other application (Word or Notepad) and press CTRL+V to paste.
“Check disk for errors? This demo is misleading a bit since it sets a flag and performs this on reboot. Am I correct?”
You can run chkdsk without having to reboot. If you perform this on a partition that chkdsk cannot grab exclusive access to (such as a drive with the swapfile), then it does flag the registry and performs the task during the reboot process.
“Do we have to worry about a spam filter killing the e-mail notification if we have won?”
Boy - I hope not. :)
“Can you explain the difference between what was presented today and hardware based RAID?”
Discussed early in the webcast. Software RAID is controlled and managed by the Windows operating system. Hardware RAID is controlled and managed by the controller. In fact, if it’s hardware-based RAID, it will likely appear and behave to the Operating System as if it were just one physical disk. I would consider Software RAID the "poor man's" RAID; hardware RAID being more expensive but better performing.
“Do you know of a way to migrate from a Windows NT 4.0 volume set to Windows 2003?”
I wasn’t able to find a way to do this. I tried to create one using Windows Server 2003, but I couldn’t. I don’t have a Volume Set available to see if Windows Server 2003 will recognize it, but I’m betting it would. Worst case, you will want to back up the data and move it to a new dynamic disk or disks under Windows Server 2003.
“I'm having trouble getting to the evaluation, even by copying the link into my browser.”
You might have to refresh the browser a couple of times. Everyone's hitting the page at the same time.
“If you have bad sectors and run chkdsk .. the system freezes because it can't read the data, yes? How can it recover it then?”
Hmm... So - chkdsk just hangs? Have you tried some other chkdsk options at the commandline? Short of calling PSS or a professional disk recovery service, I don't know what other options you have. It may truly be failed hardware that is not recoverable. Sorry.
And finally…
“Can you share those fun photos?”
Absolutely!
Have a great rest-of-the-week!
For new subscriptions, from now until December 30, 2009, you can save 25% 28% on any version of a TechNet Plus subscription.
This is for residents of North America. So, if you're in the U.S. or Canada, this is for you.
Write down or copy this promotion code to your clipboard: TMSAM08 (That's zero-eight. Not the letter O.)
Hi!
Below I’ve pasted an edited and cleaned up copy of most of the Q&A from today’s webcast on Exchange Server 2003 Performance Tuning.
BIG thank you to John “no, I’m from GREAT Britain” Baker for handling the Q&A on the backend, and whose work this really represents.
“Will the expta be covered in this session?”
The Performance Tuning Analyzer? Not today, no. That was discussed (briefly, though not demonstrated) in a session I did last week on Exchange Tips, Tricks, and Shortcuts.
“You keep cutting in and out and I can't hear anything. Is there a number to dial into this conference?”
Sorry about that. Yes, there is always a number you can ask for. Between you and me, I sincerely wish the LiveMeeting folks would get that audio problem figured out.
And I’m told that sometimes the audio delay is around 10 seconds. Any delay greater than a second or two is just unacceptable. My $0.02.
“Can the tools be used for Exchange 2000?”
There are Exchange 2000 versions of the tools.
“What is the difference between LoadSim and ESP?”
ESP simulates large numbers of client sessions by concurrently accessing one or more protocol servers. Loadsim simulates the performance load of MAPI clients with this benchmarking tool, which allows you to test how a server running Exchange 2003 responds to e-mail loads.
“Would you use Jetstress or loadsim in a production environment (after hours of course...)”
Neither. They should only be used in test/lab environments.
“If you are running Windows 2003 Server, can Exchange 2003 benefit from 4 gigs of memory?”
Yes. (referenced later when discussing the /4GB and the /USERVA switches)
“Will you be covering the Exchange Server Performance Troubleshooting Analyzer? Is that a good tool to get a quick overview of how well a server is handling the load?”
No, we didn’t cover it in this session – and yes, that’s exactly what it does. It programmatically collects configuration data, performance counters and live tracing information from an Exchange server. The tool analyzes each subsystem to determine individual bottlenecks, and then aggregates the information to provide root cause analysis.
“SBS2003 installs SQL, ISA, Sharepoint, and Exchange 2003 on the same server and the license does not allow relocating the applications to other machines. With 10 users the Exchange Best Practice Analyzer recommends setting the 3GB switch. I feel like my system is running fine without it and it might have adverse side effects since I have all the standard SBS applications plus CRM and LCS on the same box. Do I need to use the 3G switch if I have 4G of RAM?”
You don’t need to use it; if you’re happy with the current performance then you’re fine. However, it’s not just Exchange that benefits. /3GB reserves more user virtual memory for ALL user mode applications. However – you need to be careful, and KNOW the applications you’re running will support this well. (Example: Many people think “Cool, I’ll make my Virtual Server machines run better because they’ll have more memory.” But in truth, Virtual Server uses a lot of Kernel memory also, which is lost when you use that switch. So.. be careful. :) See “the Virtual PC Guy”’s WebLog for this info.)
“What is the best way to find out if a PRODUCTION server can handle more users? (just pile on users until you see smoke?;-)”
Test in a lab environment with a similar server, or as close as possible, using the tools discussed. If the server is in production that’s a little late in the game for doing sizing.
There you should look at using the ExPTA: http://www.microsoft.com/downloads/details.aspx?familyid=4BDC1D6B-DE34-4F1C-AEBA-FED1256CAF9A&displaylang=en
“Can the /3GB switch be used on servers running SBS 2003?”
Yes it can.
“Best Practice Analyzing Tool recommends to set also the /3GB at the GC what's the impact on exchange?”
It could, probably will, affect performance.
“FYI, http://support.microsoft.com/kb/815372 is the ultimate article which covers all the 2003 server settings Kevin just went through”
Yes, thanks.... http://support.microsoft.com/kb/815372
“Should /3GB switch be used if I have 2 GB of memory in the server?”
Yes. It’s all a matter of how the server allocates the 4 GB of virtual memory space – whether or not the machine physically has 4GB. The recommendation is to use /3GB if you have 1GB or more of physical memory.
“Is the ‘/nopae’ switch a useful switch when optimizing the server? (Per KB827281)”
It’s recommended that you disable PAE mode only to work around a hardware issue or to troubleshoot a specific issue that involves PAE or Address Windowing Extensions (AWE).
“Will an offline copy of this presentation be made available? Can I have the URL for it?”
It will be available in 24 hours at www.microsoft.com/webcasts in the on demand section
“Does Exchange 2k3 Standard Edition allow you create multiple storage groups?”
One Storage group in Standard.
“I have read that WINS is suggested for large subnetted networks but it was not clear as to what issues are caused by not having WINS and only using DNS. Are issues seen on the clients like outlook or only seen on the server side in form of performance issues?”
Where did you read that?
“http://blogs.technet.com/eileen_brown/archive/2006/01/26/exchange_wins.aspx”
In mixed environments it is used and helps. Check http://support.microsoft.com/Default.aspx?id=837391
“The following Exchange functionality still depends on WINS name resolution:
• The Exchange Server 2003 Setup program and the Exchange 2000 Server Setup program, especially on clustered servers.
• Exchange Mailbox Merge Wizard (ExMerge) on an Exchange 2003 computer and on an Exchange 2000 computer.
• Changing a password for an Exchange 2003 mailbox or an Exchange 2000 mailbox through Microsoft Outlook Web Access (OWA).
• Exchange System Manager on an Exchange 2003 computer and on an Exchange 2000 computer.
Note: Additionally, Microsoft Outlook clients that are earlier than Microsoft Office Outlook 2003 also require NetBIOS name resolution.”
“How do you determine that you should be indexing a particular schema attribute?”
Check this link http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3Perf_ScalGuide/aacaf4d8-a0c1-42d0-8eda-1c410177a7ce.mspx?mfr=true
“Isn't it better to set MinUserDC value to 1? This way as long as there is at least one DC available, Exchange will not use PDCE?”
Check http://support.microsoft.com/default.aspx?scid=kb;EN-US;298879
“Is there any consideration when I use specific tips in a cluster environment?”
I'm sure there are, and the information is typically included with each article or chapter.
Here is my blog resource page for this session again: http://blogs.technet.com/kevinremde/archive/2006/03/29/423267.aspx
On June 11, 2009 I delivered part 2 of a 2 part TechNet Webcast Series on Windows Server 2008 R2. It was the second of a series of Windows Server 2008 R2 TechNet Webcasts. Lately, as you may know, I’ve also been recording the webcast demos as screencasts.**
I thought you might find them useful. They’re up on TechNet Edge:
**PS - If you’re interested, here are the other sets of screencasts I’ve done recently:
Over the past couple of days I've been really turned on to voice commands and speech recognition in Windows Vista. In fact I'm so amazed by it that I decided to create this post entirely using my voice.
Several of my teammates have been doing demos of speech recognition in their live events. I did the same thing yesterday at Dunwoody Institute here in Minneapolis. Naturally, there's always some clown in the room who decides to shout out "Format C: Enter!". (just kidding) It all started out with Chris Henley's amazing screencast of his first experiences with speech recognition.
In the past I was always curious about speech recognition, but whenever I tried it, I always found that it was still faster to type than to have to go back and correct mistakes that were made with the recognition process. However, this is amazingly accurate. In this paragraph, for example, I have only had to make one correction, and it is also very easy to do with your voice. It's simply a matter of speaking clearly, and it just works. Just as it should.
Now, but let's see if I can insert a picture. I'm using Windows Live Writer. Here we go...
Well, that took some doing. But I was able to navigate around and make it work. Worst case, I'm able to use the "mouse-grid" functionality that allows me to target a specific point on the screen, and then click it, double-click it, or even select and drag it.
I may never need to use my keyboard again. Seriously, I might be able to work really fast using just my mouse and my voice. I'll take care of the more difficult tasks with a mouse, and enter any text using my voice. I can select areas on the screen with my voice quickly, or rapidly select emails with a mouse and say delete to each one. Wonderful!
Now let's see if I can post this baby...
"$100? One-hundred dollars? Really?"
Yes, you read me right. From now through May 2008 you can save $100 on any TechNet subscription. ANY TechNet subscription.
All you need to do is use this special promotion code when you place your order at the TechNet Subscriptions page: TMSAM08
That's a T, then MSAM (for MicroSoft across AMerica), the number 0 (zero), and the number 8 (eight). Enter it carefully!
CLICK HERE to go to the subscription page and order yours now! ...or to at least read about all you get for your money before making your decision.
Fine Print: I'm sorry to report that this offer is currently for U.S. residents only. If it is expanded, I'll let you know here first.
-----
Are you a TechNet subscriber? What's your favorite benefit? Is it all the downloadable non-timeout evaluation software? The included technical support calls? If you're not a subscriber, why not? Leave a comment here...
Below I’ve pasted an edited and cleaned up copy of most of the Q&A from today’s webcast on SQL Server 2005 Management Administration. Big BIG thank you to Bryan von Axelson for handling the Q&A on the backend, and whose work this really represents.
“As a technet subscriber I have been watching the development of SQL2k5 and have participated in some of the beta / ctp iterations, now I seem to be having problems eliminating those installs from my computer and am having problems installing SQL2k5 developers edition from my technet subscription, the install seems to see a nonexistent ‘default instance’ has this been an ongoing problem and is there a quick and fast solution?”
I have experienced the same thing, here is a link to thread on microsoft.com looks like Dan Jones might have a script for you, see his response and try e-mailing him for the script - http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=150545&SiteID=1
“If you installed SQL Server in Windows Authentication mode can you go back and change it to mixed mode later?”
Yes, you go into the properties of the Server, and there is a checkbox to add mixed mode
“If I have different domains which has different password policy exists. Which password policy will be used for SQL authentication logins if I opt Enable password policy.”
The domain that the SQL Server is a member of.
“Can you backup database and transaction log in the same backup job?”
“What are the advantages to registering servers, instead of just connecting to them in the object explorer?”
Registered Servers are just a way to manage or maintain the list of servers you’re responsible for and can easily connect to. You may not want to connect to all servers. But if they are registered and something happens (it goes offline or is otherwise unavailable) you will see it in registered servers window.
“Are the backups stored on the SQL server itself, when using the backup and restore tool?”
If you choose it, it can be stored on a disk on the SQL Server, another server, or go to tape. This is setup when creating the backup job. I typically will back it up to a different disk than the database files are on during the day, and then these backup files will go to tape at night during the server backup.
“There are 2 data centers. both data centers have sql server, clusters, SAN. what kind of disaster recovery strategy will guarantee 0% data loss in case if data center 1 goes down (power outage or some other trouble). All the users are working with data center 1, what is the safest and the fastest way to deliver data to data center 2? SAN replication ms mirroring (not released till March if I’m correct), log shipping will not insure 0% data loss. between data centers is OC3 (155 Mb/s) ~45 ms latency typical.”
You are on the right track. Mirroring will address this because you can put it in a mode where the data has to be written to both servers before it tells the application it can continue. You might want to look at Peer to Peer Replication; it is transactional based replication and can eliminate distance, but there still is a latency so it won't be 0 %.
“Is there a functionality that will create a data dictionary for me on all the tables and view that I have?”
You should be able to pull this with one of the new DMV (Dynamic Management Views).
“What command did you type to get an editor? And is that editor part of SQL Server 2005 install?”
The editor he used was the old ED editor. It’s not included with SQL, but an old DOS-like tool. You can set what your editor is in an environment variable and then launch it from within SQLCMD interactive mode.
“I may have missed this but - to connect from one dbserver to another does a link have to be registered or can a connection be set up via a connection string only?”
You can connect without registering a server, by selecting Connect in the Object Explorer.
“Does SQLCMD replace OSQL?”
Yes – but don’t fear. OSQL is still in SQL 2005 and available to use your current scripts with. It might not be in the next version of SQL, however. This is so you’ll have time to migrate your scripts to SQLCMD.
“But can you connect via a script, like you would in c#. If there is a global reporting server and maybe 30 sql servers in the field and want to have a script to run that programmatically connects to the 30 servers and performs query. I was hoping to do this via a dynamic script - everything runtime.”
Yes, you could create a script to connect.
“How can I use SQLCMD to update record to related tables in one cmd.”
Check out - http://msdn2.microsoft.com/en-us/library/ms170207.aspx
“I didn't follow the reason why I should use config manager instead of service manager to manage SQL-related services. Could you elaborate more? thanks very much.”
There are hooks into the SQL Service and operating system, it has been recommended by the SQL Product group to use the SQL config tool, because this tool has been developed to manage these services. The Service Manager does not, for example, know which registry areas also need to have special permissions granted to your service account chosen.
EXTRA: Cool Tutorial on SQLCMD: http://msdn2.microsoft.com/en-us/library/ms170207.aspx
“What is Physical Design Structure - is it like a Diagram in SQL Server 2000?”
It is partitions, indexes... - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsql90/html/sql2k5partition.asp
“Does online indexing affect the SQL DB performance?”
A little, yes. Minimally, it will take longer to index it as opposed to offline indexing, but that is okay because we are online.
“If I have bad clustered index, [Database Tuning Advisor] will recommend I drop that clustered index”
“The Tuning advisor is available just in 2005 version how about the 2000?”
In SQL Server 2000 we had the Index Tuning Wizard. And yes, you can run the new DTA against a SQL Server 2000 served database.
“Is xp_sqlmaint still supported?”
Yes - http://msdn2.microsoft.com/library/ms188408.aspx
“What is the better way to setup report server? Snapshot, or backup and restore the database to report server?”
I would prefer the backup/restore. Database Snapshot is only available in the Enterprise Edition of SQL Server 2005, so you may only have backup/restore as an option.
“Is Analysis Manager Built in to the Management Studio as well?”
“Are there any tools to analyze statistics, like space usage by database, table, how do they grow, the same for log, amount of connections, cpu usage, I/O, etc. any reports that allow to see how does the statistic change?”
Yes. Look at the new DMV (Dynamic Management Views) as well as in the management studio you have some reports on the summary view.
“Will we be going over Analysis Services?”
No that is considered BI. Here are some links for you to start with - http://search.microsoft.com/results.aspx?mkt=en-US&setlang=en-US&q=SQL+Server+2005+Analysis+Services
“Is ED editor part of SQL Server 2005?”
No, thank goodness.
“Can you talk about enhancements to SQL Agent Centralized management (MSX/TSX) in 2005?”
A lot of changes focused around security, and performance - Here is a great link on the changes - http://www.microsoft.com/technet/prodtechnol/sql/2005/evaluate/newsqlagent.mspx
“Does SQL Server have Database event alerts?”
“Is operation manager [MOM 2005] part of the SQL 2005 Install or is it an extra add on?”
Microsoft Operations Manager 2005 is a separate product. http://www.microsoft.com/mom
“Good show.”
Thanks!
“In profiler can we trace activity based on Database_role?”
There are numerous settings in profiler, but I am not aware of a "Role"
“What was the blog URL again, please?”
http://blogs.technet.com/kevinremde (but you already knew that)
“How do you setup database mail?”
Wow.. big question. But you'll find it under Management. Just right click on Database Mail and "Configure Database Mail". :)
Below I’ve pasted an edited and cleaned up copy of most of the Q&A from today’s webcast on Active Directory Fundamentals.
HUGE thank you to Chris Henley, John Baker, John Weston for handling the Q&A on the back-end, and whose work this really represents.
Also – here is the resource page I put together for this topic also.
"Where can I find a step by step guide to setup this on my network?"
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/default.mspx is the best place to start for step by step guides
"One thing I did not understand is which machine do you use to manage the active directory. Is it a separate server which has access to all machines on network?"
You can manage AD from any DC or any workstation or server that has the Adminpak installed and has access to a DC. http://www.microsoft.com/downloads/details.aspx?familyid=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&displaylang=en
"Doesn't the OU security customization defeat the overall purpose of AD? restriction vs. transitive trust?"
Good Question. The OU customization does not defeat the purpose because of the hierarchical structure of AD. Each level of OU structure can provide the benefits of inheritance and granular control for security purposes while the trust relationships can provide access at the forest and domain levels above.
"What are the differences between OU's and Containers?"
An organizational unit is a hierarchical object component of Active Directory while a container is simply a holding area for objects until we decide which OU they should be a part of. Another benefit of OUs over Containers is that OUs can have policy (Group Policy) applied to them; containers cannot. And you can delegate administration to OUs, but not to containers.
"Where can I download the GPMC?"
http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en
"So we might have objects that reside both in OU's and Containers or can they be present only in one of these at any point in time ?"
An object can only reside in ONE OU or container at any time. It can't exist in both places.
"Is the extension .com required or necessary in AD naming? Is .you or .org allowable? .com implies an HTTP protocol, doesn't it?"
There are several schools of thought on this. The reality of it is that there is no restriction on what you use for your AD domain names. Many companies use their DNS namespace as a part of their AD domain name root. For example, Contoso might have Contoso.com as their external domain space for their WWW site and other applications, but internally they may have "corp.Contoso.com" as the root of their Active Directory namespace.
"Is there a way to get a report on who is in which OU?"
I think you'd have to create a custom script. Check this link for scripts for managing OU's http://www.microsoft.com/technet/scriptcenter/scripts/ad/ous/default.mspx
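One shape such a custom script can take, as an added example that is not from the webcast or from the Script Center: it groups objects by their immediate parent using only their distinguished names, and labels each parent as an OU or a container, since only OUs can have Group Policy applied or administration delegated. The sample DNs are constructed, and the function names are hypothetical.

```python
import string
from collections import defaultdict

# Constructed sample input: distinguished names as a directory export would list them.
SAMPLE_DNS = [
    "CN=Alice Example,OU=Sales,DC=corp,DC=contoso,DC=com",
    r"CN=Smith\, Bob,OU=Sales,DC=corp,DC=contoso,DC=com",   # escaped comma inside the name
    "CN=Carol Example,OU=Helpdesk,OU=IT,DC=corp,DC=contoso,DC=com",
    "CN=WKS-001,CN=Computers,DC=corp,DC=contoso,DC=com",
    "CN=Dave Example,CN=Users,DC=corp,DC=contoso,DC=com",
]


def split_dn(dn):
    """Split a DN into its RDN strings on commas that are not backslash-escaped."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])      # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())
    return parts


def unescape(value):
    """Undo DN escaping: backslash + two hex digits is a byte, backslash + char is that char."""
    out = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(int(pair, 16))
                i += 3
            else:
                out += value[i + 1].encode("utf-8")
                i += 2
        else:
            out += value[i].encode("utf-8")
            i += 1
    return out.decode("utf-8")


def parent_of(dn):
    """Return (object name, parent DN, parent kind) for one distinguished name."""
    rdns = split_dn(dn)
    if len(rdns) < 2 or "=" not in rdns[0]:
        raise ValueError("not a usable distinguished name: %r" % dn)
    name = unescape(rdns[0].split("=", 1)[1])
    parent_type = rdns[1].split("=", 1)[0].strip().upper()
    kind = {"OU": "OU", "CN": "container"}.get(parent_type, "domain")
    return name, ",".join(rdns[1:]), kind


def report_by_parent(dns):
    """Map (kind, parent DN) -> sorted object names; each object has exactly one parent."""
    report = defaultdict(list)
    for dn in dns:
        name, parent, kind = parent_of(dn)
        report[(kind, parent)].append(name)
    return {key: sorted(names) for key, names in report.items()}


if __name__ == "__main__":
    for (kind, parent), names in sorted(report_by_parent(SAMPLE_DNS).items()):
        print("[%s] %s" % (kind, parent))
        for name in names:
            print("    " + name)
```

Objects listed under a `container` entry are the ones to review first, because no policy or delegation can be scoped to that parent.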
"Back to group policy for a moment... I understand distributing software packages via the AD infrastructure is also supported. What are the possible deployment targets? Only OUs, or can these packages be targeted at single users or computers, or the entire domain?"
Group Policy can be applied at 3 levels: Sites, Domains, or OU's. When planning software deployments, generally we deploy them to the OU level. It is possible to filter group policies so that only a single user or group of users receive the software you are deploying.
"I just missed the part of how to create the active directory, can you give the direction?"
Active directory can be installed by using the "dcpromo" command from a command line.
"AD replication site need ports ???"
Check this link and scroll down to Active Directory Communication http://www.microsoft.com/technet/prodtechnol/exchange/DE/Guides/E2k3FrontBack/f9733398-a21e-4b40-8601-cfb452da82ad.mspx?mfr=true
"There's a minimal number of DNS server that I must have in my infrastructure, or only one by domain is the recommended ?"
The minimum number of DNS servers necessary to allow active directory to function is 1. Depending on the structure and connectivity of your organization you might implement any number of strategies to supply DNS resolution for Active Directory. There is no specific rule on number of DNS servers per domain.
"What kind of objects can dynamically register in DNS?"
Forests, Domains, and computers from the active directory. Other services might also register such as the Kerberos Key distribution Center.
"What is a cost value?"
A site link is a connection object between two or more sites. A site link allows the administrator to assign cost, a replication schedule, and a transport for replication. Cost is an arbitrary value selected by the administrator to reflect the relative speed and reliability of the physical connection between the sites; the lower the cost, the more desirable is the connection. See link and scroll to "Site Links" http://www.microsoft.com/technet/archive/windows2000serv/technologies/activedirectory/deploy/adguide/adplan/adpch03.mspx?mfr=true
"Is there a way to assign static IPs to workstations through AD or GPOs?"
No, how would the machine be able to get GPO if it didn't already have an IP address? You need to do this using DHCP. Another option, though a bit odd (not sure why you would need to do this), would be to use a WMI script - maybe as part of the startup or login script. You can use WMI commands to configure the NIC. But.. again, the first time it's run you'd have to first have it dynamically get an address, then the script could launch to reset it to a static address.
"Can you give a typical rule of thumb figure in bps of how much BW is used for intersite replication?"
It really depends on the number of changes that are made at each individual site and the replication interval between the sites. There is really no standard figure.
"Can users and computers be migrated from one domain to another?"
"Has anything changed around Active Directory in Vista? Is there anything to mention about any of the following scenarios? (1) Connecting Vista clients to Win2k3 DCs (2) Connecting XP/Win2k3 clients to Vista Server DCs (3) Connecting Vista clients to Vista Server DCs.”
Watch some of the great webcasts on Windows Vista that are currently available on the webcast archives, or in up-coming webcasts.
"Is the KCC automatically run or is there some manual process that needs to occur there?"
Automatic.
“Is there a ‘best practices’ guide on how to audit Active Directory?”
I would use the active directory deployment guides here http://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx
"Thanks Kevin - Great talk! Although not necessarily within the scope of the talk, I do have some additional questions around how flexible the software deployment options are through Active Directory. Are there ways to deploy things other than single MSI packages? What are .ZAP files, and what does AD do with them?"
As promised, here are some software deployment resources for you:
Using Active Directory - http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/instmain.mspx
Using Microsoft Systems Management Server 2003 (SMS 2003) - http://www.microsoft.com/smserver/evaluation/capabilities/appdeploy.mspx
"I'm running classrooms and a lab in an elementary school, and want to add a file server. Do I lose anything if I don't use Active Directory?"
I guess it depends on how you're handling authentication for the sake of securing the files or other resources. If you're okay with leaving things wide open, then you're fine. If you're only managing a few computers, then doing peer-to-peer authentication is okay. But any more resources than that become difficult to manage without some central directory. I highly recommend you look at Small Business Server 2003.
"What are the core differences between Win2k and Win2k3 AD features based on today's presentation?"
GREAT question. Here's a really good "What's new" chat, with additional links to resources that should make it pretty clear: http://www.microsoft.com/technet/community/chats/trans/windowsnet/wnet0630.mspx
Breaking Virtualization News
Now, like Virtual Server 2005 R2, you can download and use Virtual PC 2004 (SP1 version) for free.
“No way.”
Way. But I understand your disbelief. That’s what I said when I heard the news late yesterday. And by the time you read this it will be true.
[I see the VirtualPC home page is already announcing it prior to the official 9:00am PST launch time, so I will insert the Microsoft PressPass Link here when it’s live.]
“Awesome!”
And it gets better.
“There’s more?”
Yep. We’re announcing that the next version of Virtual PC (2007) will be free also. So now you folks looking to use Virtual PC Express (the limited version that was going to come as a part of Windows Vista Enterprise) will be able to use the full-blown Virtual PC product instead… and with an additional benefit. If you’ve purchased Windows Vista Enterprise, you are now allowed to run 4 additional copies of Windows Vista Enterprise guests on your Windows Vista Enterprise host. So whereas previously you would have had to buy those licenses for your guest machines; now they’re INCLUDED, as long as your host is Windows Vista Enterprise edition. And that’s also true if you’ve purchased Windows Vista Ultimate edition with SA (Software Assurance).
“But I suppose I can’t run those additional licenses if I’m using VMWare or some other product, right?”
Wrong. But I’m not surprised you would think that. This is a little confusing to a lot of people who assume Microsoft is trying to use this to push its own virtualization stack.
So here it is in a nutshell: The licensing benefit isn’t tied to the virtualization technology you’re using, but to the OS version you’ve purchased.
So that means that, yes, you will have the right to run 4 additional copies of Windows Vista Enterprise edition on top of your Windows Vista Enterprise desktop, laptop, or tablet, and you WILL NOT have to be using Virtual PC to do it.
“So – What happens to Virtual PC Express?”
It is gone. There’s now no longer any need for it. Virtual PC does all of what Express was going to do, and more. And did I mention that it’s free?
“When can I get Virtual PC 2007? And what will it do that 2004 doesn’t?”
It’ll be out in the first part of 2007, and it will be able to run on a 64-bit host machine. There are also said to be performance and virtualized memory-allocation improvements.
And it’s free.
Here’s the thing that I think is the most interesting about this change (other than it’s just very good news for virtualization as a whole): Microsoft is once again reacting to the great competition that is out there. One of the big value propositions of Windows Vista Enterprise was that it included the virtualization (VPC Express) needed for the sake of application compatibility scenarios, among others. But other virtualization products are out there now that are free and would do the same or more, so the “perceived value” of Windows Vista Enterprise took a big hit.
So now that we’re giving the full Virtual PC away for free, and we’re including the additional licensing perks for Windows Vista Enterprise, it again becomes a very valuable reason to go there in the enterprise.
What do you think? Are you heading off to download your free copy of Virtual PC 2004 now? I hope so!
This week, as I mentioned in a previous post, I’m at the Microsoft “TechReady” conference in Seattle. We’re having some great technical training and informational sessions, as well as some inspiring keynote addresses.
Yesterday, during the Q&A session with Kevin Turner (COO) and Steve Ballmer (CEO), my friend, coworker, and uber-blogger Rory Blyth asked Steve a very direct question about the state of the browser and upcoming versions.
Out of respect for Rory, I won’t tell you specifically what his question was or what Steve’s answer was. I’ll leave it to him (Rory OR Steve) to post it on his own blog if he chooses. (And I’ll let them link to MY blog.. because only in my wildest dreams could I maintain the readership that Rory’s blog enjoys.)
Here’s a picture of Rory,
and a picture of the Q&A panel.
Just wanted to answer a question here that my teammates and I have received many times...
"What's the status on a Server AdminPak version that will work on Windows Vista? Are they going to have one soon?"
Initially, they were working on it. However, the final word on the subject is: No. Unfortunately not.
The recommendation is that you use Remote Administration (Terminal Services) to a server in order to do that work now.
--
HAPPY UPDATE / CORRECTION:
This debate has been going on within Microsoft in various e-mail threads. The final word was finally passed down from the group who are building a new tool to replace the AdminPak for running on Vista, and I have received their permission to repeat it here. Here is the verbatim quote:
“The new feature with codename “Remote Server Administration Tools” (RSAT – Client) for managing WS08 from Vista SP1 Business, Enterprise and Ultimate will be released as an OOB component shortly after Vista SP1 RTM. In the meantime, you can leverage the Admin Pack for managing WS03 servers remotely (Instructions Here: http://support.microsoft.com/kb/930056). The old Admin Pack will not work against WS08, though.”