
Jane Lewis's Weblog - Please Sponsor Me see below for the link

Platforms, Active Directory,Administration, Management, Exchange, Powershell, LCS, Mobility
Dual Booting your Laptop with Bitlocker

Hi,

Sorry for the delay since my last post. I have been mad busy, but things are getting onto a bit more of an even keel. Anyway, a lot of us within Premier Field Engineering use our laptops for everything, including demos utilising a range of VHDs, and we are all making sure we are fully ramped up on the 2008 technologies. BitLocker is mandatory for us, so the question is: what is the best way to have a dual-booting laptop running Vista and Windows Server 2008 with Hyper-V, while ensuring our data is secure?

Well, thanks to my colleague Richard Macdonald, who has come up with a strategy for this. However, I must stress that this is an approach you must test thoroughly on your brand of laptop. Make sure you are on the latest hardware BIOS, have access to all the latest drivers for your make of laptop, and back up any critical data before doing this. This is not a "recommended" solution but an approach many of us have adopted to get the flexibility of a dual-booting machine running Vista and 64-bit Windows 2008 on the same hardware while keeping our data secure.

Overview of Steps

1. Install Vista on C:

2. Install Server 2008 on D: (note that the drive letters change between the two OSes, so be careful to work on the correct one)

3. Create a small BitLocker partition (S:) that remains unencrypted. Do this manually or use the BitLocker Drive Preparation Tool (available as an Ultimate Extra; it is offered through Windows Update Online if you download the BitLocker and EFS enhancements).

4. Create an E: partition for shared data

5. Boot into Vista and encrypt C:, saving the recovery key on a USB key and setting a PIN for boot

6. Boot into Server 2008 and encrypt D:, saving the recovery key etc. as before. The boot PIN is not shared between the two OSes, but you can set the same one for both if you want

7. Boot into Vista and encrypt E:

At this point, when I boot into Vista I can access C: (Vista partition) and E: (data partition), but get access denied on D:. If I boot into Server 2008 I can see D: (Server 2008 partition), but have no access to C: or E:.

To access E: in both OSes, simply do this:

8. Boot into Server 2008, open the BitLocker tool and select "Unlock" for the E: partition

9. Provide the USB stick with your recovery key when prompted and select "Save key ..."

Now each OS can see its own drive and the data drive, but not the other OS's drive, and you do not need to supply the recovery key during a normal boot in future (you obviously will for recovery purposes). I deliberately left it that way so that the two OS partitions were not accessible to each other, to prevent any accidental changes, but you can follow the "unlock" steps above to make all partitions visible to both OSes.
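Steps 8 and 9 from the command line, as an added example that is not from the original post: it assumes manage-bde.exe (the command-line BitLocker tool in Windows 7 / Server 2008 R2 and later; Vista shipped the equivalent manage-bde.wsf script run through cscript), an elevated PowerShell session, and that the drive letter and USB path match your own layout (E: and F:\ below are placeholders). The script reports the data volume's lock state, unlocks it with the .BEK recovery key saved in step 7, and then registers auto-unlock so the recovery key is not needed at subsequent boots of this OS.

```powershell
# Added example, not code from the original post. Assumes manage-bde.exe and an
# elevated session; E: and F:\ are placeholder drive letters for your layout.
param(
    [string]$DataVolume     = 'E:',   # shared data partition (step 4)
    [string]$RecoveryKeyDir = 'F:\'   # USB stick holding the *.BEK recovery key (step 7)
)

function Get-BitLockerLockState {
    param([string]$Volume)
    # "manage-bde -status <vol>" prints a "Lock Status:" line (Locked / Unlocked)
    $out = & manage-bde.exe -status $Volume 2>&1 | Out-String
    if ($out -match 'Lock Status:\s+(\w+)') { return $Matches[1] }
    return 'Unknown'
}

$state = Get-BitLockerLockState -Volume $DataVolume
Write-Host "$DataVolume lock state before: $state"

if ($state -eq 'Locked') {
    # Step 8/9 equivalent: BitLocker saves the external key file as a hidden *.BEK,
    # so -Force is needed for Get-ChildItem to see it.
    $bek = Get-ChildItem -Path $RecoveryKeyDir -Filter '*.BEK' -Recurse -Force `
               -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $bek) { throw "No .BEK recovery key found under $RecoveryKeyDir" }

    & manage-bde.exe -unlock $DataVolume -RecoveryKey $bek.FullName
    if ($LASTEXITCODE -ne 0) { throw "Unlock of $DataVolume failed (exit code $LASTEXITCODE)" }
}

# Store an auto-unlock key for the data volume on this OS's encrypted system volume.
# BitLocker only allows this when the OS volume itself is protected, which is why the
# OS drives are encrypted (steps 5 and 6) before the data drive is shared.
& manage-bde.exe -autounlock -enable $DataVolume
if ($LASTEXITCODE -ne 0) { throw "Enabling auto-unlock on $DataVolume failed (exit code $LASTEXITCODE)" }

Write-Host "$DataVolume lock state after: $(Get-BitLockerLockState -Volume $DataVolume)"
```

Run it once from each OS that should see the data partition; each OS keeps its own auto-unlock key, so the two OS volumes remain inaccessible to each other exactly as described above.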

This made me chuckle !

It is amazing how new gadgets, when they are really useful, really catch on. Since I have been fully Unified Communications-enabled with my mailbox and phone it has been great. I have been using it anywhere and everywhere. It was especially useful out at TechEd in Orlando. It saved me (and Microsoft) an absolute fortune in phone calls back to the U.K., especially as my Internet connection was free in the hotel I was in.

Well, Eileen made me chuckle with this blog entry. I thought she was joking when she said she was going to screen-capture me chatting over video phone... god, I look a bit knackered and jet-lagged... thanks Eileen! :)

http://blogs.technet.com/eileen_brown/archive/2008/06/24/office-communicator-on-voice-and-video.aspx

I am Mad for Madagascar and I need your help !

Well, I have finally gone bonkers, and anyone who knows me personally knows what a determined, tenacious person I am. On September 27th 2008 I am taking part in a Computer Aid International event across Madagascar. So what is this amazing event?

I am taking part in the Computer Aid Madagascar Cycle Challenge in September 2008 to raise money for Computer Aid International (http://www.computer-aid.org/madagascar.htm) and would really appreciate your support. For those of you that have already contributed – THANK YOU – and for those who have been meaning to, here's how you can help :)

I have agreed to cycle, with 14 Premier Field Engineers of Microsoft from the entire EMEA region, 420km in only 4 days across Madagascar, one of the most ecologically rich and unique countries on the planet, whilst helping Computer Aid International deliver vital IT education to communities in real need.  All the money donated by you will help us to provide professionally refurbished PCs to schools throughout the developing world – where IT skills are now just as important to school-leavers as they are here in Europe. We will visit a school in Madagascar and see at first hand the very real and positive impact of IT education on these disadvantaged children.


By completing the challenge I aim to have personally raised enough money to provide an entire 10-machine computer lab to a school in need – and with it IT education to 1,000 children who would otherwise be denied this opportunity. 

I cannot do this alone; I NEED YOUR HELP NOW in the form of an online, secure donation – however large or small – EVERYTHING you donate will go directly to the Computer Aid charity involved and the children who need it most. Plus Microsoft in the U.K. will match your donation.

WHAT YOU CAN DO TO HELP – follow the link at the bottom of this email and make a donation, we each have a huge target to hit before September, so EVERY donation counts towards the final group total.

Please Sponsor the PFE team who are cycling across Madagascar for  Computeraid @ http://www.justgiving.com/msmadagascar2


Virtualization of Domain Controllers part Deux

Hi, a few weeks ago I blogged about recommended best practices for virtualising your domain controller environment. I am currently working with a customer on quite a complicated scenario that touches on virtualisation, and through my research and pointers from my colleague Mark Empson I have come across an excellent blog post by Gavin Mcshera of Premier Field Engineering in Ireland.

http://blogs.technet.com/pfe-ireland/archive/2008/05/08/virtual-domain-controllers-and-time-synchronisation.aspx

Please also find another great collection of links put together by my friend and colleague Mark Empson and other colleagues Rick Stone and Ned Pyle, all of Microsoft.

KB897615  Support policy for Microsoft software running in non-Microsoft hardware virtualization software

http://support.microsoft.com/default.aspx?scid=kb;EN-US;897615

KB: 897613 Microsoft Virtual Server support policy
http://www.support.microsoft.com/kb/897613

KB: 897614 Windows Server System software not supported within a Microsoft Virtual Server environment
http://www.support.microsoft.com/kb/897614

KB888794 Considerations when hosting Active Directory domain controller in virtual hosting environments
http://support.microsoft.com/default.aspx?scid=kb;EN-US;888794

KB320220  Support policy for Exchange Server 2003 running on hardware virtualization software
http://support.microsoft.com/default.aspx?scid=kb;EN-US;320220

KB909840  Hardware virtualization support for SharePoint products and technologies
http://support.microsoft.com/default.aspx?scid=kb;EN-US;909840

KB953797  Time Synchronization issue in Windows Server 2003 systems running as VMware Guests

http://support.microsoft.com/default.aspx?scid=kb;EN-US;953797

KB888746  You may experience time-related issues with programs that run in a virtual machine in Virtual Server 2005

http://support.microsoft.com/default.aspx?scid=kb;EN-US;888746

KB887727  Time synchronization settings in Virtual Server 2005

http://support.microsoft.com/default.aspx?scid=kb;EN-US;887727

VMware KB: VMware Time Sync and Windows Time Service

http://kb.vmware.com/selfservice/viewContent.do?language=en_US&externalId=1318

KB888794  Considerations when hosting Active Directory domain controller in virtual hosting environments

http://support.microsoft.com/default.aspx?scid=kb;EN-US;888794

Running Domain Controllers in Virtual Server 2005

http://www.microsoft.com/downloads/details.aspx?familyid=64db845d-f7a3-4209-8ed2-e261a117fc6b&displaylang=en

For pre-deployment of virtualized DCs, you can try the MAP 3.0 tool at:
www.microsoft.com/map

We do the double

Well, I was lucky enough to be at both TechEd in Orlando last week and TechEd IT Forum last November. One of the things that really put a smile on my face in both places was the Speaker Idol contest. Last November a friend of mine, Ilse Van Criekinge, won Speaker Idol at TechEd IT Forum, which was a great result for all technical females, as only 3% of the attendees were girls. Now last week the girls won it again! Rhonda Layfield won Speaker Idol in Orlando! This means that both girls will have a speaker slot at the next respective TechEds, which is a highly sought-after prize.

Congratulations to both girls you really have set a wonderful example to aspiring Women in Technology.

Teched Orlando Wish me Luck

Well here I am with my colleague Mark Empson busily preparing for our Session "Power of Windows 2008" at Teched in Orlando Florida. So Please have a quick prayer on our behalf to the Demo Gods so they will look kindly down on us. I am also working on the TLC Demo Booths for Server Core plus in the Bloggers Lounge at different times during the week.

See below for pics of the Bloggers Lounge. Maybe I will see you there !


RODC Windows 2008 Compatibility Pack released

If you are going to be utilising an RODC in a mixed environment (XP and 2003), then you need to download the Windows 2008 RODC Compatibility Pack. The Product Group and dev team have been working exceedingly hard to get this released. It addresses the following issues, as described by the Product Group.

"To provide support for mixed mode operations (Win2003 & Win2008) in domains involving Win2008 DCs, all the features are made available for downlevel clients (XP and Win2003) also. However, since XP and Win2003 were not developed to support the additional checks and flags introduced in RODC, some of the features fail to work when downlevel clients are interacting with RODC. This is more apparent in Demilitarized (DMZ) networked branch offices. In this kind of setup, the clients are restricted access ONLY to RODCs and not other write-able DCs, outside the network."

So the download is available now from HERE - Enjoy !

Great Couple of days in the Emerald Isle

Apologies for not posting for a couple of weeks but I have been head down doing lots and lots of 2008 preparation for a series of gigs I have had coming up over this month and early next month.

Last Friday, 23rd May, I spent a great day at Microsoft Ireland, taking part in a deep-dive Operations Day on 2008 presented to our Premier customers in Microsoft Ireland. My sessions were on:

  1. Windows 2008 Directory Services Real World Features
  2. Deep Dive on Read only Domain Controllers

I was pleased how my session went. The Audience were very good and asked some great questions. Plus the Demo gods were kind !

What was interesting about the day was the reaction to the Server Core portion of my sessions and to a colleague's deep-dive session on Server Core. I think we possibly have some work to do to encourage people to think of this as a benefit to their environment rather than us "taking away" features. I do recognise that not everyone has the command-line background some of us have from working on DOS or Unix. However, the important thing to note is that the command line can be kept to an absolute minimum, and you can very quickly get up and running by managing Server Core remotely. Please find some great information on this below:

Andrew Mason Program Manager of Server Core has done some great Webcasts around this very subject.

Remember the core tenet of Server Core. It is designed to be a bare-metal, bare-headed, minimalist installation option of Windows Server 2008, used in a specific job role, perhaps out in an insecure branch office environment. By minimising its footprint and attack surface we get a low-overhead, higher-security platform on which to choose which roles you wish to install. See below for a slide screenshot that I feel encapsulates Server Core well.


 

http://blogs.technet.com/server_core/

http://technet2.microsoft.com/windowsserver2008/en/library/47a23a74-e13c-46de-8d30-ad0afb1eaffc1033.mspx?mfr=true

By the way, if you are lucky enough to be going to TechEd 2008 in Orlando, Florida in a couple of weeks, come and look for myself and Wayne Richards on the Ask the Experts stand and chat to us about Server Core and all other 2008 information. We will be happy to chat.

New switch for Repadmin specifically for RODC

Hi,

I have been doing a lot of research around RODC servers in recent weeks.

I have in my studies come across a new switch for Repadmin.

Repadmin /prp

This switch reveals a whole subset of commands enabling you to fully control your Password Replication Policies: list, add, modify and delete.

For example the following command lists the Useraccounts whose passwords are "allowed" to be replicated to the RODC server in the Branch Office Location.

REPADMIN /PRP VIEW RODC REVEAL
Reveal List (msDS-RevealedList):
RODC "CN=RODC,OU=Domain Controllers,DC=contoso,DC=com":
CN=krbtgt_64304,CN=Users,DC=contoso,DC=com
CN=RODC,OU=Domain Controllers,DC=contoso,DC=com
CN=RodcAdministrator,CN=Users,DC=contoso,DC=com

If I wanted to "add" to this list of  "allowed" passwords then I would type the following command;

repadmin /prp add Rodc allow cn=jlewis,cn=users,dc=contoso,dc=com
For RODC "CN=RODC,OU=Domain Controllers,DC=contoso,DC=com", "CN=jlewis,CN=Users,DC=contoso,DC=com" added to the allow list.

This looks a really useful addition to Repadmin. To see the full list of switches, type Repadmin /prp from a Windows 2008 domain controller with the Support Tools installed.
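A small audit built on the same switch, as an added example that is not from the original post: it wraps repadmin /prp view for the "reveal" list (accounts whose secrets are actually cached on the RODC, the exposure set if the box is stolen) and the "auth2" list (accounts that have authenticated through the RODC), and reports which human accounts are cached and which authenticated accounts are not yet cached. It assumes repadmin.exe from a Windows 2008 DC or the RSAT tools, rights to read the RODC object, and that each DN in the output sits on its own line beginning with "CN=" as in the sample output above; "RODC" is a placeholder for your RODC's name.

```powershell
# Added example, not code from the original post. Assumes repadmin.exe is on the
# path and the output format shown above (one "CN=..." DN per line).
param([string]$Rodc = 'RODC')   # placeholder RODC name

function Get-PrpList {
    param(
        [string]$Rodc,
        [ValidateSet('allow', 'deny', 'auth2', 'reveal')][string]$List
    )
    $out = & repadmin.exe /prp view $Rodc $List 2>&1
    if ($LASTEXITCODE -ne 0) { throw "repadmin /prp view $Rodc $List failed: $($out -join ' ')" }
    # Keep only the DN lines; header lines such as "Reveal List (msDS-RevealedList):" are dropped
    @($out | Where-Object { $_ -match '^\s*CN=' } | ForEach-Object { $_.Trim() })
}

function Test-ExpectedRodcEntry {
    param([string]$Dn, [string]$Rodc)
    # The RODC's own computer object and its dedicated krbtgt_<id> account always
    # appear in the reveal list (see the sample output above); they are not user secrets.
    ($Dn -match "^CN=$([regex]::Escape($Rodc)),") -or ($Dn -match '^CN=krbtgt_\d+,')
}

$revealed = Get-PrpList -Rodc $Rodc -List 'reveal'
$auth2    = Get-PrpList -Rodc $Rodc -List 'auth2'

$cached = @($revealed | Where-Object { -not (Test-ExpectedRodcEntry -Dn $_ -Rodc $Rodc) })

Write-Host "Accounts whose secrets are cached on ${Rodc} ($($cached.Count)):"
foreach ($dn in $cached) {
    # The built-in Administrator and anything under Domain Controllers should never be
    # cached on a branch RODC; flag them for review of the Password Replication Policy.
    $flag = ''
    if ($dn -match '^CN=Administrator,' -or $dn -match 'OU=Domain Controllers,') { $flag = '   <-- REVIEW' }
    Write-Host "  $dn$flag"
}

# Accounts that authenticated via this RODC but are not cached are the candidates
# you would consider adding to the allow list (repadmin /prp add <RODC> allow <DN>).
$candidates = @($auth2 | Where-Object { $revealed -notcontains $_ })
Write-Host ""
Write-Host "Accounts that authenticated via ${Rodc} but are not cached ($($candidates.Count)):"
$candidates | ForEach-Object { Write-Host "  $_" }
```

The "allow" and "deny" lists hold groups as well as users (for example the Allowed/Denied RODC Password Replication Groups), so they cannot be compared line-for-line against the reveal list; the script therefore audits what is actually cached rather than what the policy permits.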

For those XP (ers) out there sp3 download site is now available

Hello,

I have had a few people expressing difficulty in finding the download site for Windows XP SP3.

Here it is!

http://technet.microsoft.com/en-us/windowsxp/0a5b9b10-17e3-40d9-8d3c-0077c953a761.aspx

RSAT Tools for Vista SP1 now available in All Languages

Sorry for the break in blogging. I have been away on my holidays to a lovely part of the U.K., the Lincolnshire Wolds. Very nice but very cold.

Good news for the RSAT client: it is now available in all languages. Please see the table below for details of the downloads.

 

Language                 Code    X86                                  X64
German                   de-DE   German - Germany                     German - Germany
Japanese                 ja-JP   Japanese - Japan                     Japanese - Japan
French                   fr-FR   French - France                      French - France
Spanish                  es-ES   Spanish (Traditional Sort) - Spain   Spanish (Traditional Sort) - Spain
Chinese - Simplified     zh-CN   Chinese - China                      Chinese - China
Italian                  it-IT   Italian - Italy                      Italian - Italy
Chinese - Traditional    zh-TW   Chinese - Taiwan                     Chinese - Taiwan
Chinese - Hong Kong      zh-HK   Chinese - Hong Kong SAR              Chinese - Hong Kong SAR
Russian                  ru-RU   Russian - Russia                     Russian - Russia
Korean                   ko-KR   Korean - Korea                       Korean - Korea
Portuguese (Brazil)      pt-BR   Portuguese - Brazil                  Portuguese - Brazil
Dutch                    nl-NL   Dutch - Netherlands                  Dutch - Netherlands
Swedish                  sv-SE   Swedish - Sweden                     Swedish - Sweden
Portuguese (Portugal)    pt-PT   Portuguese - Portugal                Portuguese - Portugal
Polish                   pl-PL   Polish - Poland                      Polish - Poland
Turkish                  tr-TR   Turkish - Turkey                     Turkish - Turkey
Czech                    cs-CZ   Czech - Czech Republic               Czech - Czech Republic
Hungarian                hu-HU   Hungarian - Hungary                  Hungarian - Hungary

2008 what has been removed

I was asked by a customer recently whether 2008 supports "Services for Macintosh", so I did a bit of rooting around.

See below for the list of networking services that are no longer supported on the Windows Vista and Windows 2008 platforms.

  1. Bandwidth Allocation Protocol (BAP)
  2. X.25
  3. Serial Line Interface Protocol (SLIP). SLIP-based connections will automatically be updated to PPP-based connections.
  4. Asynchronous Transfer Mode (ATM)
  5. IP over IEEE 1394
  6. NWLink IPX/SPX/NetBIOS Compatible Transport Protocol
  7. Services for Macintosh (SFM)
  8. Open Shortest Path First (OSPF) routing protocol component in Routing and Remote Access
  9. Basic Firewall in Routing and Remote Access (replaced with Windows Firewall)
  10. Static IP filter APIs for Routing and Remote Access (replaced with Windows Filtering Platform APIs)
  11. The SPAP, EAP-MD5-CHAP, and MS-CHAP (also known as MS-CHAP v1) authentication protocols for PPP-based connections

http://technet.microsoft.com/en-us/library/bb726965.aspx#ECAA

Often Overlooked but VERY important

I have seen quite a lot of Windows 2003 Active Directories recently where all the domain controllers are Windows 2003 and the domain functional level is set to Windows 2003. However, one key part has been overlooked: the FOREST functional level. This has often been left at Windows 2000 mixed.

So what is the significance of this ?

Well one of the most important things you can take advantage of is LVR (Linked Value Replication). This is particularly significant when restoring Multivalued Linked attributes such as Groups for example with Forward links and Users with Back Links.

Please reference the following two articles for more information.

http://technet2.microsoft.com/WindowsServer/en/library/4a589ca2-b572-48cd-94d2-7d5b0c817f411033.mspx?mfr=true

and the following article

http://support.microsoft.com/kb/322692

 

This is where it is changed, in Active Directory Domains and Trusts. Remember this is a ONE-way operation.
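A quick way to spot the forest-level oversight before you reach for Domains and Trusts, as an added example that is not from the original post: the script reads the domain and forest functional levels from RootDSE and says whether Linked Value Replication is available. It assumes a domain-joined Windows machine with LDAP reach to a DC; the numeric values are the standard msDS-Behavior-Version codes (0 = Windows 2000, 1 = Windows Server 2003 interim, 2 = Windows Server 2003, 3 = Windows Server 2008), and LVR is switched on from the Windows Server 2003 interim forest level upwards.

```powershell
# Added example, not code from the original post. Assumes a domain-joined host
# and read access to RootDSE on a reachable domain controller.

function Get-FunctionalLevels {
    $rootDse = [ADSI]'LDAP://RootDSE'
    [pscustomobject]@{
        Domain = [int]$rootDse.Properties['domainFunctionality'].Value
        Forest = [int]$rootDse.Properties['forestFunctionality'].Value
        DC     = [int]$rootDse.Properties['domainControllerFunctionality'].Value
    }
}

function ConvertTo-LevelName {
    param([int]$Level)
    # Standard msDS-Behavior-Version codes
    switch ($Level) {
        0 { 'Windows 2000' }
        1 { 'Windows Server 2003 interim' }
        2 { 'Windows Server 2003' }
        3 { 'Windows Server 2008' }
        default { "Unknown ($Level)" }
    }
}

$levels = Get-FunctionalLevels
Write-Host ("Domain functional level : {0}" -f (ConvertTo-LevelName -Level $levels.Domain))
Write-Host ("Forest functional level : {0}" -f (ConvertTo-LevelName -Level $levels.Forest))
Write-Host ("This DC's level         : {0}" -f (ConvertTo-LevelName -Level $levels.DC))

# LVR needs the forest at Windows Server 2003 interim (1) or higher; a Windows 2003
# domain level on its own is not enough, which is exactly the case described above.
if ($levels.Forest -ge 1) {
    Write-Host 'Linked Value Replication: available'
} else {
    Write-Host 'Linked Value Replication: NOT available - forest is still at Windows 2000 level.'
    Write-Host 'Raising the forest level in AD Domains and Trusts is one-way; confirm every DC in the forest is Windows Server 2003 or later first.'
}
```

Run it on any domain-joined machine; because the check is read-only it is safe to include in a routine health script, and the one-way raise itself stays a deliberate manual step.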


Great "Grab it while you can offer"


Being a school governor, I am always interested in great offers for software.

Staff at colleges and universities can now take advantage of a great offer which was formerly only open to students. If you are interested, read on!

Students of colleges and universities have been able to buy Office 2007 Ultimate Edition for £38.95, in an online promotion that ends on the 30th April.

We’ve just announced that staff at colleges and universities now qualify for the same offer, as long as they have a .ac.uk email address.

The deal ends in 3 weeks (on 30th April), and until then staff who meet the criteria on the small print on the eligibility page can buy online at the same price as students.

There's more info on the following blog, http://blogs.msdn.com/ukfe, or on the site itself: http://www.theultimatesteal.co.uk/?cid=edublog

Windows 2008 RODC Tick List for Deployment

Well, I am sat in the departure lounge of Aberdeen Airport in Scotland after a really interesting and enjoyable customer engagement around all things Active Directory. Aberdeen has enjoyed some lovely spring weather while I have been there and is very pretty in the sunshine. Anyway, I have also been doing some studying and deeper research around a great new feature for Windows 2008 branch office deployment, specifically Read Only Domain Controllers. So I thought I would put together a tick list of considerations you should reference to ascertain whether your particular branch office satisfies the criteria for deployment. This is not an exhaustive list but is a good starting point. I recommend downloading the step-by-step guide on RODC servers for an in-depth guide.

Plus also read a great entry from this blog, this interview with Gregoire Gutat, Program Manager at Microsoft, and this RODC FAQ.

Tick List for RODC Deployment

Each entry below gives the criteria, the RODC justification, and additional support information where applicable.

Criteria: Low security in branch office
RODC justification: The RODC never originates changes; it only receives inbound replication (DNS, AD DS and SYSVOL) from a read/write copy at the hub site. Limit and define exactly which credentials are cached locally on the RODC through the Password Replication Policy, to minimise exposure in the event the RODC is stolen.
Additional support information: An RODC cannot be a replication bridgehead server if placed in a site with other RW domain controllers (which is not a recommended configuration), and an RODC cannot hold any FSMO roles. RODC-compatible roles: AD DS (the new name for Active Directory in Windows 2008) and the DNS Server role.

Criteria: Reduced management and technical competence level in branch office
RODC justification: No "full" Domain Administrators are required in the branch office. With delegated administration the local administrator performs only local admin tasks on the RODC, does not need to be a Domain Admin, and has NO PERMISSIONS elsewhere in the domain.
Additional support information: Each RODC has a different KRBTGT account.

Criteria: Lower specification kit in branch office
RODC justification: RODC can be deployed as a role on a Server Core platform, which has a minimal footprint and minimal attack surface; this can be coupled with BitLocker.

Criteria: Less load on bridgehead servers required in branch office
RODC justification: Only inbound replication takes place, and what is actually replicated to the RODC is filtered ("Filtered Attribute Set").

Criteria: Define what applications can be supported by an RODC in the branch office
RODC justification: The application needs to be able to follow a write referral.
Additional support information: See the TechNet articles on RODC compatibility: "Applications That Are Known to Work with RODC", "Application Compatibility with RODC" and "Testing Application Compatibility with RODC".

Criteria: Awareness of known compatibility issues
RODC justification: See the additional support information.
Additional support information:
1. Not compatible with Exchange 200X servers deployed in a site with only an RODC.
2. Issues with AutoSiteCoverage in a Windows 2003 domain; see the following TechNet article.
3. Issues around optimisation of Group Policy processing and WMI filters from a client running Windows Server 2003: http://support.microsoft.com/kb/931753

Criteria: Client compatibility
RODC justification: Requires Windows XP, Vista, Windows Server 2000 or later.
 
     