Scott Goad's WebLog

Looking into how Microsoft does IT

2010-02-04T18:25:00Z

Have you ever wondered how a large enterprise handles it’s IT infrastructure and deployment?

Now you can look at how Microsoft IT handles our very own IT rollouts. Check out the link here:

http://technet.microsoft.com/en-us/library/bb687780.aspx

Topics are broken out by product and by subject.

+sgoad

Wrapping up 2009, looking forward to 2010

2009-12-31T22:34:27Z

When it comes to the end of the year, it’s often a time to look back on what’s happened to bring us where we are. Not only are we nearing the end of another year, but we are closing out the first decade of the new millennium. It’s funny to think that 10 years ago, today, we were fretting over Y2K and if the world would still function at 12:00:01 AM on 1/1/00.

A lot of astounding technology has come about during the last 10 years as well. Even more interesting, we have seen over 30 years of Moore’s Law, and continue to see it apply to everyday technology. Technology has continued to become increasingly smaller and faster. More on Moore’s Law at the Wikipedia page here.

Taking a quick survey from friends at work, it’s amazing to think about how things have transformed during the last decade. How readily available was broadband Internet 10 years ago? Now you can find high speed Internet available via cable, DSL, fiber optics, satellite, cellular and many others. We’ve gone from 2MP digital cameras that ran on AA batteries, to digital SLRs with the ability to record 1080p digital video.

Ten years later, and we are upon some of the most exciting times, technologically speaking. It’s amazing to see how a world of consumers has been revolutionized and empowered by technology. No longer is the cell phone a piece of equipment for the elite, but now a must have item for living in the modern day. It has transformed from a device that we use to talk on, to a portal to the Internet and an entirely new way to communicate.

Looking back also takes us to the present, and looking into the future. What will we be doing 10 years from now? How will we communicate? Will the craze around social networking still be all the rave, or will we look back and say, what were we thinking? Personally, I think we’ve just started upon the road to generating a social network that allows us to communicate in ways that we would not begin to think about.

No matter where you are or what you’re doing, take a moment and enjoy.

Happy New Year!

+sgoad

Cross-Post from AskDs – Windows Event Log Service is Starting… and my domain is down!

2009-12-03T16:26:06Z

I sometimes write content for the AskDS blog site, Microsoft's Official Directory Services Weblog. Here is a cross-post of an article I wrote, which can be viewed in its original context here.

---------------------------------------

Hi everybody, Scott Goad here to discuss an issue that I worked recently where the customer was unable to logon to the domain. The end result was a group policy preference setting, so enjoy the read.

The issue occurred after a change was made to set a group policy preference item to change the clock display setting, but at first glance this was unrelated. The scenario:

Change made to group policy preferences.
No one could logon to the domain, regardless of Operating System.
Windows Event Log service would not start on Windows Server 2008 servers.

Knowing this information, it was time to start investigating why no one could logon. The usual items were checked, with running DCDIAG /v /e and checking the servers for errors. There were only 2 domain controllers, so we started with the first. We gathered the DCDIAG output and tried to open Event Viewer to see if there were any outstanding errors reported, but we could not launch the MMC. This was interesting, but still not the focus of the investigation.

The next step was network connectivity – could we ping the DCs in question? Checking this allowed us to learn that the DNS Server Service was stopped, and trying to start the service resulted in:

Error 1722: The RPC server is unavailable.

Since the Event Log service would not start, this was the only error information reported from the OS. The Services snap-in shows that the Windows Event Log service was “Starting…”, and the Task Scheduler service and DNS Server Service were set to automatic, but not able to start.

In discussing with the customer, it was apparent that they had set Locale-specific information via group policy preferences, and now had this issue. It turns out that there’s a known issue in group policy preferences, as outlined in KB:

951430 A non-administrator user cannot log on to a domain from a computer that is running Windows Server 2008 if you set the locale information for the user by using a Group Policy preference setting

http://support.microsoft.com/default.aspx?scid=kb;EN-US;951430

As the article describes, the issue is within group policy preferences, but what is missing is the workaround information. To resolve the issue, you have to set the following registry value:

HKEY_USERS\.Default\Control Panel\International
Locale (REG_SZ)

Set Locale to: 0000409 (Default for English – United States)

Additional Locale IDs can be found here:
http://msdn.microsoft.com/en-us/goglobal/bb964664.aspx

The hotfix from the KB article will prevent this issue from happening in the future; however, to resolve the situation, the customer had to set the registry value and reboot. Once this had been set, the servers came back and were functional again.

The KB 951430 has been rewritten to better identify this scenario, and will be published with the new content, similar to this article.

If any of these symptoms sound familiar, check the version of gpprefcl.dll and gppref.dll and be sure it’s at least as high or newer as mentioned in the KB.

Scott “Red Herring” Goad

2010 Beta goes public – come and get it!

2009-11-30T04:00:00Z

Office 2010 Beta has been released to the public. To get the goods (or to learn more), go to:

http://www.microsoft.com/2010

Enjoy!

+sgoad

Cross-post blog from AskDS - The Strange Case of Unenforced Password Complexity

2009-06-24T17:56:00Z

I sometimes write content for the AskDS blog site, Microsoft's Official Directory Services Weblog. Here is a cross-post of an article I worked with David Everett on, which can be viewed in its original context here.
-----------------------------
Hello everyone, David Everett and Scott Goad here to discuss a recent issue that we thought you might find interesting. We were working with a customer that was trying to implement password complexity, but they were not seeing the behavior that we would normally expect.

The issue came about when trying to apply password complexity requirements, and having existing users change their password. This should force the complexity at password change, but in this customer’s case, complexity was not being enforced. Looking into the issue further, we tested with a new user account we created in DSA.MSC and noticed that password complexity worked as expected.

Lab time! We tested the password complexity requirements and started to look at one of the problem users. We were able to compare an LDIFDE dump, of the problem user with one taken from our lab that was not having the issue. At first glance, nothing looked awry, but digging deeper, we soon realized that the displayName attribute was not populated in the LDIFDE dump.

We investigated as to how the user accounts were provisioned, to better understand why this attribute was missing. The user accounts were created using SUN Identity Manager and then sync’d to Active Directory.

Why does this matter? Password complexity evaluates the sAMAccountName and displayName attributes and builds “tokens” that are used to check the password that is being presented against complexity requirements. These two attributes, in combination or separately, are used to build the tokens which are compared against the password that the user enters. In this case, having an empty displayName attribute caused password complexity to be relaxed. The policy was in place and working as expected, since it was still evaluating the sAMAccountName. Here is a sample of what you can see in the LDIFDE dump:

dn: CN=Test User 1,OU=staff,DC=top,DC=contoso,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Test User 1
sn: User
givenName: Test
distinguishedName: CN=Test User 1,OU=staff,DC=top,DC=contoso,DC=com
instanceType: 4
whenCreated: 20060817140027.0Z
whenChanged: 20090518142050.0Z
uSNCreated: 693960
uSNChanged: 12104216
name: Test User 1
objectGUID:: a2dz2ugl0xGQeQCAXzH4Jg==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
homeDrive: U:
badPasswordTime: 128856853740701244
lastLogoff: 0
lastLogon: 128856853892263744
pwdLastSet: 128871300501924190
primaryGroupID: 513
accountExpires: 9223372036854775807
logonCount: 1
sAMAccountName: t_tUser
sAMAccountType: 805306368
userPrincipalName: t_tUser@top.contoso.com
lockoutTime: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=top,DC=contoso,DC=com

Based on this LDIFDE dump the only “token” that was being monitored for complexity was t_tUser in the sAMAccountName attribute. The admin was able to pass Test and User in the password. When password complexity is enforced, displayName and sAMAccountName attributes are checked. The new password is checked for “tokens”. It is important to note that a “token” must be three or more characters in length. Even then, only the whole “token” is used in the complexity check, not portions of the tokens. This comes into play when trying to evaluate tokens against displayName.

At this point, password complexity is being enforced as designed, but not what we would expect to see based on the user’s account information. The action plan that was provided to the customer was to populate the displayName attribute and test. This worked in testing, but ultimately the customer had to work with their vendor to resolve the issue with the sync process, allowing the displayName attribute to be populated from the SUN Identity Manager to Active Directory.

For more info on Password Complexity rules, see the recent blog post Understanding Password Policies.

- David Everett and Scott Goad

Bad Blogger....BAD!

2009-05-21T22:48:00Z

I've not been updating as oft as I should, but wanted anyone / everyone to check out my most recent post at the Microsoft official Enterprise Platform Support DS blog - http://blogs.technet.com/askds/archive/2009/05/21/temporary-user-profiles-and-the-citrix-ica-client.aspx

It's a good read about temporary profile issues that can arise as the result of single sign-on with the Citrix 10.2x client installed.

This is a great blog to follow, as lots of people from the Directory Services specialty post information you might find helpful.

Also, my friend Russell Despain (aka Spaniard, aka R2) has started a blog specific to LDAP, and it's sure to be a good read!

http://blogs.technet.com/ldap

+sgoad

Windows Home Server Power Pack 2 Released!

2009-03-25T03:01:00Z

I absolutely love my Windows Home Server -- it has made my life easier! If you don't know about WHS, please visit the Windows Home Server page, which has great details about the product. My favorite feature is the automated backup. No more reloading PCs in my house, I just restore to one of the recent backups that happens automatically, and I'm good to go. It's also great to have all of my media in one central location.

On to the update...the Windows Home Server team blog announced (yesterday) that Power Pack 2 will be available via Windows Update, and will install today (3/24/09) automatically, if automatic updates are enabled.

For more information about the update, visit the WHS Team Blog. This is a great source of information for WHS enthusiasts.

+sgoad

Proud of your MCP status? How about a chance for a free trip to Tech-ED?

2009-03-24T05:05:00Z

Get on the Bus! is an eleven-day cross-country odyssey across the U.S aboard the Career Express tour bus. Our Microsoft Learning community leads and evangelists will be holding community events at partner and IT Academy locations in each city, highlighting individuals and organizations doing innovative and inspiring things to help our customers advance their careers with Microsoft training and certification. The trip will be live-blogged with GPS locations sharing and tagging en route. Our goal is to raise awareness for the career resources and opportunities that Microsoft is offering during a difficult economic time and drive some excitement in the process.

At six key cities along the way, we’ll be holding competitions in which community members will attempt to convince the MCP community at large that they’d be outstanding community ambassadors. The community will vote for one winner in each city, who will immediately get on the bus and join us as we continue on to TechEd, where they will attend the conference for free!

More info on TechEd 2009 can be found here - http://www.microsoft.com/events/TechEd2009/

+sgoad

Return of the Blog

2009-02-08T01:35:00Z

It has been too long since I have posted on this blog. When I started the site I had envisioned creating a post weekly, but this has not been the case. I’m turning a new leaf, as they say, and am making a personal commitment to keep the site up to date. I will be posting anything and everything on this site relating to technology, and some things not.

So let’s start with the technology. I have returned from spending the week in Seattle, where I was attending an internal Microsoft technical readiness event. I must say it was just what I needed. The week was spent seeing colleagues from the world over, catching up with old friends, and making new ones. It is always amazing, and humbling, what you can learn when you get so many smart people together in one room. I was fortunate enough to spend some time with the people who write and support the code for the products we support.

Windows 7 Beta is going strong, and it’s amazing. I personally run Windows 7 Beta on my laptop, which is the machine that I use daily. I have also converted several computers at the office to Windows 7 and Windows Server 2008 R2. If you haven’t downloaded a copy for yourself, please do so and let us know what you think. This is a great opportunity to try the product out and really see the difference.

Download details:

http://technet.microsoft.com/en-us/windows/dd353205.aspx

Act soon – the download will not be available after February 12th.

TechNet Plus subscribers will be able to download the beta after the cutoff on February 12th, through their TechNet subscription.

One last note – I was able to hear Mark Russinovich this week, and I highly recommend that you catch one of his webcasts, speaking engagements or roundtables. He will be hosting a virtual roundtable on Thursday, Feb. 12th at 11:00 am Pacific Time. Details can be found here:

https://ms.istreamplanet.com/springboard/

Happy downloading!
+sgoad

UPDATED: 2/8/09 12:10PM to fix formatting issue

Designing an OU Structure

2008-08-15T04:01:00Z

Designing the Organizational Unit (OU) structure for your environment is not a task to take lightly. Some administrators will simply group all users in one OU and forget about them, while others may take the OU design to an extreme, often ending up with unnecessary OUs. For an administrator, the first tendency when creating the OU hierarchy may be to mimic the company's organization chart, but this often isn't the ideal setup. OUs are generally created with a specific purpose - to group a collection of objects together for administration.

One might look at the company's organizational chart to start designing the OU structure. Many times this is inefficient because the organization chart has no regard for where employees may be physically located. You may have offices across the globe and need to be able to manage the groups accordingly, applying policy or delegating administration to a particular site. If you chose to follow the organizational chart, this could prove quite difficult. If you are centralized and care to deploy policy or administration by group or business unit, then this model could prove quite helpful. Consider all of the options and plan before deploying an OU structure.

As you begin the design, you should begin with the top-level OUs first. Top level OUs should be based on something that is relatively static in the organization, such as the geographic locations or business units. Once you have established the top-level OUs, it is best to not change them later unless absolutely necessary.

Why create an organized OU structure? The answer to this can be many, but we will specifically look at two: Design based on delegation of administration, and design based on Group Policy application.

The first design is based on delegation of administration. This is a common task, and one that is relatively easy to setup. Think of your OU structure like a folder structure, where you are setting specific permissions for users on those folders, and the ones below. This is great for allowing a user, or group of users, the ability to administer all or specific settings for an OU.

How would this work? Say you have three offices, one being your corporate office where the majority of your staff works, and two satellite offices with a small number of users. You decide that your junior members of the IT staff should be able to change passwords for the satellite offices, but you aren't ready to allow them to be members of the Domain Admins group. If you have designed your OU structure to reflect the geographical location of your offices, you can simply delegate the administration of those OUs to the junior members of the IT staff, either specifically by name, or creating a group and delegating those OUs to the group. You can pick specific administrative items to delegate, so you don't have to delegate full control of the OU.

The second design is based on application of group policy. This can also be thought of as a file structure, where you inherit settings from the parent. You will create and link group policy objects (GPOs) that you want to apply to everyone at the top of the domain, and this will be inherited by child objects. There is a caveat to this - you can always block inheritance on an OU. This will keep inherited GPOs from applying to the user and computer objects in the OU.

Much more information is warranted to be able to truly grasp the ins and outs of planning and implementing your OU structure. A good article was written in the May 2008 issue of TechNet Magazine, which can be read here - Designing OU Structures that Work - http://technet.microsoft.com/en-us/magazine/cc462797.aspx

There's also a great deal in information readily available on the Microsoft TechNet site:

http://technet.microsoft.com/en-us/library/cc770806.aspx

+sgoad