[ADUG]

The UK Active Directory User Group.

Mark Parris

My thoughts and insights plus any [ADUG] notices.

October 2008 - Posts

  • New Active Directory features in Windows Server 2008 R2

    Whilst going through my RSS feeds I came across the Windows Server 2008 R2 Reviewers Guide.

    It details some new Active Directory functionality, including:

    Improvements for All Active Directory Server Roles

    Windows Server 2008 R2 includes the following identity management improvements that affect all Active Directory server roles:

    • New forest functional level. Windows Server 2008 R2 includes a new Active Directory forest functional level. Many of the new features in the Active Directory server roles require the Active Directory forest to be configured with this new functional level.

    • Enhanced command line and automated management. PowerShell cmdlets provide the ability to fully manage Active Directory server roles.

    • Improved automated monitoring and notification. An updated System Center Manager 2007 Management Pack helps improve the monitoring and management of Active Directory server roles.

    Improvements in Active Directory Domain Services

    The Active Directory Domain Service server role in Windows Server 2008 R2 includes the following improvements:

    • Recovery of deleted objects. Domains in Active Directory now have a Recycle Bin feature that allows you to recover deleted objects. If an Active Directory object is inadvertently deleted, you can restore the object from the Recycle Bin. This feature requires the updated R2 forest functional level.

    • Improved process for joining domains. Computers can now join a domain without being connected to the domain during the deployment process, also known as an offline domain join. This process allows you to fully automate the joining of a domain during deployment. Domain administrators create an XML file that can be included as a part of the automated deployment process. The file includes all the information necessary for the target computer to join the domain.

    • Improved management of user accounts used as identity for services. One time-consuming management task is the maintenance of passwords for user accounts that are used as identities for services, also known as service accounts. When the password for a service account changes, the services using that identity also must be updated with the new password. To address this problem, Windows Server 2008 R2 includes a new feature known as managed service accounts. In Windows Server 2008 R2, when the password for a service account changes, the managed service account feature automatically updates the password for all services that use the service account.

    More information:

    http://download.microsoft.com/download/F/2/1/F2146213-4AC0-4C50-B69A-12428FF0B077/Windows_Server_2008_R2_Reviewers_Guide_%28BETA%29.doc

     

  • Confidence

    It takes a certain kind of person who has the natural confidence to stand up and talk in front of a group, and after the [ADUG] meeting on Thursday it was obvious to me, and I am sure to those present, that I am not the world's greatest public speaker, but the one thing I intend to gain from organising the ADUG is the confidence to stand up at the front and talk confidently.

  • *** UPDATE *** Microsoft Support does not recommend a lag site as a disaster recovery strategy - Reasons 123...

    At the end of the article there are several interesting comments and insights from Guido Grillenmeier and Joe Richards, which make even more interesting reading.

    http://blogs.technet.com/askds/archive/2008/10/20/lag-site-or-hot-site-aka-delayed-replication-for-active-directory-disaster-recovery-support.aspx

    Interesting article on the "Ask the Directory Services Team" blog:

    Hi, Gary from Directory Services here and I’m going to talk today about the concept of “lag sites” or “hot sites” as a recovery strategy. I recently had a case where the customer asked if the replication interval for a site link could be set higher than 10,080 minutes (7 days). The quick answer was that Active Directory only supports values from 15 up to 10,080 minutes and the schedule is based on a week. If the replinterval attribute on the site link is manually set to something lower than 15 it will use the default of 15. If it is set to something higher than 10,080, it will be ignored and 10,080 will be used.

    But the underlying question kept coming back to the recommendation of a latent “lag site”.

    First let me give a quick definition of a lag site or hot site and its general intended purpose. A lag site is just an Active Directory site that is configured with a replication schedule of one, two or maybe three days out of the week. That way it will have data that would be intentionally out-of-date as of the last successful inbound replication. It is sometimes used as a quick way to recover accidentally deleted objects without having to resort to finding the most recent successful backup within the tombstone lifetime of the domain that has the data.

    This sounds like a decent idea, in theory. However, Microsoft Support does not recommend a lag site as a disaster recovery strategy. Servicing products such as hotfixes and service packs do not recognize the quasi-offline DC state, and monitoring software may also detect the state of a lag site DC as malfunctioning and attempt to re-enable it (or tell an unwitting administrator to do so). Microsoft makes no guarantees that the servicing and monitoring products would not re-enable Netlogon and KDC services in a lag site. In addition, other Microsoft products, such as Exchange Server, are not designed to operate in a lag site and they may not function properly with lag site DCs.

    The following lists some reasons why lag sites should not be relied upon as a disaster recovery strategy, especially in lieu of proper Active Directory System State backups:

    Lag sites are not guaranteed to be intact in a disaster:

    • If the disaster is not discovered in time before replication occurs, the problem is replicated to the lag site, and the lag site cannot be used to undo the disaster. A lag site typically needs to be three days latent in order to cover situations that occur during the weekend where visibility is low. However this means that you are actually forced to ‘lose’ more changes than a reliable daily backup being run on domain controllers.
    • Thus, the administrator must act immediately when a disaster occurs: inbound and outbound replications must be disabled and repadmin /force must be forbidden.

    Replicating from lag site might have unrecoverable consequences:

    • Since a lag site contains out-of-date data, using it as a replication source may result in data loss depending on the amount of latency between the disaster and the last replication to the lag site.
    • If something goes wrong during recovery from a lag site, a forest recovery might be required in order to rollback the changes.

    Lag sites pose security threats to the corporate environment:

    • For example, when an employee is fired from the company, his/her account is immediately deleted (or disabled) from Active Directory, but the account might still be left behind in the lag site. If the lag site domain controllers allow logons, this could potentially lead to unauthorized users with access to corporate resources during the lag site replication delay “window”.

    Careful consideration must be put in configuring and deploying lag sites:

    • An Administrator needs to decide the number of lag sites to deploy in a forest. The more domains that have lag sites, the more likely one can recover from a replicated disaster. However, this would also mean increased hardware and maintenance costs.
    • An Administrator needs to decide the amount of latency to introduce. The shorter the latency, the more up-to-date and useful the data would be in the lag site. However, this would also mean that administrators must act quickly to stop replication to the lag site when a disaster occurs.

    The above list is not exhaustive, and there could be other unseen problems with deploying lag sites as a disaster recovery strategy. It has always been strongly recommended that the best way to prepare for disasters such as mass deletions, mass password changes, etc. is to backup domain controllers daily and verify these backups regularly through test restorations.

    Finally, keep in mind that testing your disaster recovery routine is vital both prior to beginning to rely on that routine in case of failure as well as once you begin to use it as your recovery strategy. Surprise is never good when a disaster strikes.


  • Active Directory Delegation? - Expand the delegation of control wizard.

    One of the huge benefits of Active Directory is the ability to delegate administration at a very granular level. The basic tasks can be easily completed through the delegation of control wizard, but beyond that you have to understand what you are trying to delegate, sometimes to quite an in-depth level.

    Attached is a new delegation of control wizard template file which expands the basic wizard to 70 tasks that you may wish to delegate.

    To install the wizard:

    On your admin console, navigate to the <Windows installation directory>\Inf folder.

    Back up the existing Delegwiz.inf file by copying it and renaming the copy to Delegwiz_old.inf.

    Copy in the attached file and save it as Delegwiz.inf (remove the .TXT extension).

    Now when you run the delegation of control wizard on an OU, you will see an expanded list of tasks that the wizard can perform.

     

  • Windows Server 2008 SP2 - What can we expect?

    Microsoft has started to send out, to a select few, invitations to the Windows Server 2008 and Windows Vista SP2 beta program, but what can we expect?

    I believe there will be no major changes to the product, but rather bug fixes and enhancements to the existing features.


    Listed is a snippet from the invitation.


    Service Pack 2 has been developed primarily for Windows Server 2008, with improvements for Windows Vista included. This is the first service pack that takes advantage of both the single service model and improvements from early customer deployments. These include improvements in the following:

     

    Backwards compatibility with Terminal Services licensing keys
    Better manageability features with DFS/FRS console, and Storage Resource Manager (i.e.: Quota Filter and File Screening Filter, and so forth),

    Print Server and Spooler performance improvements for printers in Windows Vista and Server 2008,

    Improved error reporting in DFSR to help identify incorrectly configured deployments which lead to failed replication.

     

    In addition, some of the notable improvements included for Windows Vista are the following:

     

    Additional Application Compatibility updates,

    Windows Search 4 for improved search performance and relevance,

    Support for emerging Hardware trends (primarily Bluetooth Wireless, latest BT 2.1 fixes, and support for new VIA 64-bit CPU), and

    Fixes addressing the top support call issues as reported by Microsoft and Computer Manufacturers

     

    As with previous Service Packs, Service Pack 2 includes all previous Windows Updates to create a more convenient updating experience for customers with new PCs. 

     

  • Free MSPress ebook - Windows Server® 2008 TCP/IP Protocols and Services by Joseph Davies

    Celebrating 25 years of MSPress.

    "For 25 years, Microsoft Press books have focused on helping you take your skills and knowledge to the next level. Celebrate our 25th Anniversary with a "Free E-Book of the Month" offer! Simply sign up for the Microsoft Press Book Connection Newsletter for notification of offers, register, and download the selection of the month. "

    http://csna01.libredigital.com/?urws8un4p7

     

     

     

  • Prevent "Fat Fingered" deletion of OU objects.

    Fat-fingered administration is one of the main causes of OU deletion and the subsequent “Authoritative Restores” and associated aggravation. In Windows Server 2008, Active Directory Users and Computers has a check box titled “Protect Container from accidental deletion”. This check box sets two ACEs on the OU to prevent, as the box says, accidental deletion.

    This functionality can also be set on Windows Server 2000/2003, but it is a manual process.

     

    To protect the OU called “Members” in the domain “adug.co.uk” from accidentally being deleted (or moved) from its parent OU “ADUG”, implement the following:

    For the “ADUG” OU, add a DENY ACE for Everyone to DELETE CHILD with the “This object only” scope:

    DSACLS "OU=ADUG,DC=adug,DC=co,DC=uk" /D "EVERYONE:DC"

    For the “Members” OU, add a DENY ACE for Everyone to DELETE and DELETE TREE with the “This object only” scope:

    DSACLS "OU=Members,OU=ADUG,DC=adug,DC=co,DC=UK" /D "EVERYONE:SDDT"

    Note: The Advanced Features option must be enabled.

    Although you can configure every object in Active Directory by using these ACEs, this configuration is best suited for OUs.

     

    These two ACEs prevent accidental deletions or movements. When it is deemed necessary to delete or move an OU that has this configuration, the two Deny ACEs must be removed first.
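
    The PowerShell script below is an added example, not part of the original post: it reads the DACL of each OU under a search base through ADSI and reports whether the two Deny ACEs created by the DSACLS commands above are present, so unprotected OUs can be found before someone deletes them. The search base is the post's example DN; the function name Test-DenyAce and the output property names are illustrative assumptions.

```powershell
# Added example (not from the original post). Read-only audit: it changes nothing.
# Uses ADSI / System.DirectoryServices, so no Active Directory module is required.

# Assumption: the example DN used in the post; replace with your own search base.
$SearchBase  = 'LDAP://OU=ADUG,DC=adug,DC=co,DC=uk'
$EveryoneSid = 'S-1-1-0'   # well-known SID for Everyone

# Rights written by DSACLS /D "EVERYONE:SDDT" (on the OU itself)
$SelfRights = [int]([System.DirectoryServices.ActiveDirectoryRights]::Delete) -bor
              [int]([System.DirectoryServices.ActiveDirectoryRights]::DeleteTree)
# Right written by DSACLS /D "EVERYONE:DC" (on the parent container)
$ParentRights = [int]([System.DirectoryServices.ActiveDirectoryRights]::DeleteChild)

function Test-DenyAce {
    # Returns $true when $Entry has an explicit, "This object only" Deny ACE
    # for Everyone that covers every bit in $RequiredRights.
    param(
        [System.DirectoryServices.DirectoryEntry]$Entry,
        [int]$RequiredRights
    )
    # $true = include explicit ACEs, $false = skip inherited ACEs.
    $rules = $Entry.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $isDeny     = $rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny
        $isEveryone = $rule.IdentityReference.Value -eq $EveryoneSid
        $thisObject = $rule.InheritanceType -eq [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
        $hasRights  = (([int]$rule.ActiveDirectoryRights) -band $RequiredRights) -eq $RequiredRights
        if ($isDeny -and $isEveryone -and $thisObject -and $hasRights) {
            return $true
        }
    }
    return $false
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
$searcher.Filter     = '(objectCategory=organizationalUnit)'
$searcher.PageSize   = 500     # page through results in large directories
[void]$searcher.PropertiesToLoad.Add('distinguishedName')

foreach ($result in $searcher.FindAll()) {
    $ou     = $result.GetDirectoryEntry()
    $parent = $ou.psbase.Parent

    $selfOk   = Test-DenyAce -Entry $ou     -RequiredRights $SelfRights
    $parentOk = Test-DenyAce -Entry $parent -RequiredRights $ParentRights

    # One row per OU; an OU is only protected when both ACEs are in place.
    New-Object PSObject -Property @{
        DN                = $result.Properties['distinguishedname'][0]
        DenyDeleteOnOU    = $selfOk
        DenyChildOnParent = $parentOk
        Protected         = ($selfOk -and $parentOk)
    }
}
```

    Piping the output to Where-Object { -not $_.Protected } lists only the OUs that still need the two DSACLS commands applied.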

  • RODCs and legacy Windows infrastructure

    Whilst researching some of the finer points of Windows Server 2008 Read-Only Domain Controllers (RODCs), I have been reading knowledge base article KB944043, which details what happens if an RODC is in the environment and the legacy Windows infrastructure does not have the compatibility pack installed.

    I found it quite interesting reading as I have heard in many presentations that apart from extending your schema and the introduction of a Windows Server 2008 DC - nothing else needs to be done to support an RODC. Issue 10 could cause hours of fun if you are not aware.

    Issue 1

    Symptom
    If a client can access only read-only domain controllers, Windows Management Instrumentation (WMI) filters that are configured for Group Policy are not applied. Additionally, the Gpsvc.log file contains the following information:

    GPSVC(410.8ec) 15:17:45:808 FilterCheck: Found WMI Filter id of: filter ID

    GPSVC(410.8ec) 15:18:21:838 FilterCheck: Filter doesn't exist. Evaluating to false

    GPSVC(410.8ec) 15:18:21:838 ProcessGPO:CheckFilterAcess failed for <cn=GUID,cn=policies,cn=system,DC=name,DC=name,DC=name,DC=com>. Filter not found

    GPSVC(410.8ec) 15:18:21:838 CGPAdminEventInitFailure::Initialize(): FormatMessage failed to look up error code (0x80041002) due to error 317. Can not log error description.

    GPSVC(410.8ec) 15:18:21:838 ProcessGPO: The GPO does not pass the filter check and so will not be applied.

    Scenario and affected clients
    This issue affects clients in a site that has only read-only domain controllers available.

    Influence
    The Group Policy object to which the WMI filters are linked may not be applied.

    Workaround
    No workaround is available for this issue if the compatibility pack is not installed.

    Issue 2

    Symptom
    Internet Protocol security (IPsec) policies cannot be applied and Win32 error code 8219 (ERROR_POLICY_OBJECT_NOT_FOUND) is returned when only Windows Server 2008 read-only domain controllers are available.

    Scenario and affected clients
    This issue affects clients in a site that has only read-only domain controllers available. Typically, this issue occurs in a branch office scenario.

    Influence
    Computers that are running Windows 2000, Windows XP, or Windows Server 2003 do not receive IPsec policies that are applied by a read-only domain controller.

    Workaround
    No workaround is available for this issue if the compatibility pack is not installed.

    Issue 3

    Symptom
    Windows Server 2003 member computers and Windows XP member computers do not synchronize Win32 time with Windows Server 2008 read-only domain controllers.

    Scenario and affected clients
    This issue affects clients in a site that has only read-only domain controllers available. Typically, this issue occurs in a branch office scenario or in a perimeter network scenario in which a writable domain controller cannot be contacted.

    Note A perimeter network is also known as "DMZ," "demilitarized zone," and "screened subnet."

    Influence
    If the time of services is severely asynchronous, you may receive error messages when you try to access resources on the network.

    Workaround
    To work around this issue, configure the client computers to synchronize time from another domain controller that is available on the network.

    Issue 4

    Symptom
    Computers in a perimeter network cannot join the domain.

    Scenario and affected clients
    This issue affects clients in a site that has only read-only domain controllers available. Typically, this issue occurs in a branch office scenario or in a perimeter network scenario.

    Influence
    Computers cannot join the domain even though the computer account and the password are pre-populated on the read-only domain controller.

    Workaround
    To work around this issue, create firewall rules to enable a writable domain controller to be contacted or bridge the perimeter network and intranet networks.
    Do this only when your organization's policies allow for this operation.

    Issue 5

    Symptom
    In a site that has only read-only domain controllers available, users try to change their passwords on computers that are running Windows 2000, Windows XP, or Windows Server 2003. When the users do this, the password change operation fails.

    Scenario and affected clients
    This issue affects clients in a site that has only read-only domain controllers available. Typically, this issue occurs in a perimeter network scenario.

    Influence
    Users cannot change their passwords.

    Workaround
    To work around this issue, create firewall rules to enable a writable domain controller to be contacted. Or, have the users change passwords by using a computer that is running Windows Vista or Windows Server 2008.

    Issue 6

    Symptom
    Windows Server 2008 read-only domain controllers cannot retrieve or create the public key certificate by using the LsaRetrievePrivateData function or the LsaStorePrivateData function.

    The call to the LsaRetrievePrivateData function finishes. However, a NULL value is returned for the private data.
    The call to the LsaStorePrivateData function fails, and error code 0xc0000034 is returned.

    Scenario and affected clients
    This issue affects clients in a site that has only read-only domain controllers available. Typically, this issue occurs in a branch office scenario or in a perimeter network scenario.

    Influence
    The Data Protection API (DPAPI) on clients that can access only read-only domain controllers cannot decrypt master keys unless these clients previously contacted a writable domain controller and retrieved a public key certificate. Even though a writable domain controller is available, the DPAPI still cannot decrypt master keys if the nearest domain controller is a read-only domain controller.

    Workaround
    When the DPAPI tries to decrypt master keys, make sure that the client has access to only a writable domain controller.
    Note Typically, the DPAPI tries to decrypt master keys during password changes.

    Issue 7

    Symptom
    When you try to publish a printer, the published printer may not work correctly.

    Scenario and affected clients
    This issue affects clients in a site that has only read-only domain controllers available. Typically, this issue occurs in a branch office scenario.

    Influence
    If a read-only domain controller receives a request to publish a printer, the read-only domain controller forwards the request to a writable domain controller. The spooler tries to read from the read-only domain controller immediately after the write action is implemented. However, the spooler does this before the printer publish information is replicated to the read-only domain controller. Therefore, the publish operation fails.

    Workaround
    No workaround is available for this issue if the compatibility pack is not installed.

    Issue 8

    Symptom
    In a site that has only read-only domain controllers available, you use the Find Printer dialog box on a client computer that is running Windows 2000, Windows XP, or Windows Server 2003. When you do this, the Find Printer dialog box stops responding.

    Scenario and affected clients
    This issue affects clients in a site that has only read-only domain controllers available. Typically, this issue occurs in a branch office scenario.

    Influence
    Users cannot find printers that are published in Active Directory Domain Services.

    Workaround
    No workaround is available for this issue if the compatibility pack is not installed.

    Issue 9

    Symptom
    Active Directory Service Interfaces (ADSI) API functions in Windows Server 2003 and in Windows XP always send requests to a remote writable domain controller instead of to a local read-only domain controller.

    Scenario and affected clients
    This issue affects clients in a site that has only read-only domain controllers available. Typically, this issue occurs in a branch office scenario.

    Influence
    This issue causes unnecessary network traffic and access latency.

    Workaround
    Make sure that all clients have connectivity to a writable domain controller when these clients call ADSI API functions. Do this even if the function calls make only read operations.

    Issue 10

    Symptom
    Domain controllers that are running Windows Server 2003 perform automatic site coverage for sites that have read-only domain controllers.

    Scenario and affected clients
    This issue affects domain controllers that provide automatic site coverage for other branch office sites. Typically, this issue occurs in a branch office scenario.

    Influence
    A domain controller that is running Windows Server 2003 may register its DNS SRV resource records for a site that contains a read-only domain controller. Therefore, the clients may not authenticate as expected with the local read-only domain controller.

    Workaround
    To work around this issue, use one of the following methods:

    Make sure that only domain controllers that are running Windows Server 2008 are present in the site that is closest to the read-only domain controller site.
    Disable automatic site coverage on domain controllers that are running Windows Server 2003.
    Configure the weight or the priority of the DNS SRV records so that clients are more likely to authenticate with the read-only domain controller than with a remote Windows Server 2003 domain controller. 
    Use Group Policy settings to configure domain controller locator DNS records.
     

  • Active Directory and user self management

    A topic that is close to my heart is the enablement of users to self-manage. I have had this discussion with TL[1] on numerous occasions, and whilst he agrees with me in principle, he fears that within his organisation it would be difficult to adjust the mindsets of the end users.

    A very simple example is distribution lists:

     

    Scenario 1

     

    TL gets a phone call from the HR Director, who is livid and calling for heads to roll. They explain that HR have just emailed the payroll details to the Senior Managers distribution list, but IT have added by mistake the entire sales force to the distribution list, and the sales force now know who gets what salary and there is anarchy. TL spends hours apologising and assures the Director that it will not happen again. IT are made to look very foolish.

     

    Scenario 2

     

    TL gets a phone call from the HR Director, who is livid and calling for heads to roll. They explain that HR have just emailed the payroll details to the Senior Managers distribution list, but IT have added by mistake the entire sales force to the distribution list, and the sales force now know who gets what salary and there is anarchy. TL spends 5 minutes explaining to the HR Director that IT do not manage distribution lists and the only two people that can manage the distribution list are “The Two HR Secretaries”[2]. Tony asks the HR Director if they would like any more details, and the HR Director hangs up the phone and TL smiles.

     

    I know this example is very simplistic and blasé but the emphasis is on the end users and  not on IT, IT only get involved when it goes wrong and not when basic administration needs to be completed.  There are multiple other examples such as end user provisioning with workflows (Identity Management), an example could be:

     

    A new user is expected to join Finance

    HR  adds the user to the HR system

    The HR system creates the user in Active Directory

    The Workflow system recognises there is a new Finance user in the Active Directory and emails “The Owner” of the finance data as such.

    The Finance “data owner” then selects from within the email form the directories  that the new starter can access and the distribution lists the user is a member of.

    The new user is now fully provisioned within the Active Directory and IT have not had to get involved.

     

    This scenario would also work in reverse, HR stop paying someone, their account is disabled!!!

     

    Is this the future of IT User Administration? I hope so.

    Has anybody implemented self management, any stories to share?

    What was the end user perception and was there a change in mindset?

     

    [1] TL pays for my time.

    [2] The ACLs have been modified to ensure IT do not make changes by mistake, and Operations Manager will detect if anyone makes any changes on the DACL and alert IT.

     

  • Windows 7 will be called...............Windows 7

    Something quite interesting that I picked up on today, I wonder if they will do the same with server ???

    ..... And, as you probably know, since we began development of the next version of the Windows client operating system we have been referring to it by a codename, "Windows 7."  But now is a good time to announce that we've decided to officially call the next version of Windows, "Windows 7."

    Hi there, Mike Nash here.

    For me, one of the most exciting times in the release of a new product is right before we show it to the world for the first time. And that time is right now.

    In a few weeks we are going to be talking about the details of this release at the PDC and at WinHEC. We will be sharing a pre-beta "developer only release" with attendees of both shows and giving them the first broad in-depth look at what we've been up to. I can't wait for them to see it.

    And, as you probably know, since we began development of the next version of the Windows client operating system we have been referring to it by a codename, "Windows 7."  But now is a good time to announce that we've decided to officially call the next version of Windows, "Windows 7."

    While I know there have been a few cases at Microsoft when the codename of a product was used for the final release, I am pretty sure that this is a first for Windows. You might wonder about the decision.

    The decision to use the name Windows 7 is about simplicity. Over the years, we have taken different approaches to naming Windows.  We've used version numbers like Windows 3.11, or dates like Windows 98, or "aspirational" monikers like Windows XP or Windows Vista.  And since we do not ship new versions of Windows every year, using a date did not make sense.  Likewise, coming up with an all-new "aspirational" name does not do justice to what we are trying to achieve, which is to stay firmly rooted in our aspirations for Windows Vista, while evolving and refining the substantial investments in platform technology in Windows Vista into the next generation of Windows.

    Simply put, this is the seventh release of Windows, so therefore "Windows 7" just makes sense.

    We are very excited about the opportunity to tell you more about Windows 7 in the coming weeks, and show you how we have continued to build on investments begun in Windows Vista to deliver on the next release of the Windows operating system.

    I look forward to sharing more with you in the coming weeks and months.

    --Mike

    http://windowsvistablog.com/blogs/windowsvista/archive/2008/10/13/introducing-windows-7.aspx

  • Active Directory - Cosmetic Forestry

    Every day in the newspapers, or what seems like every minute on the internet, there are reports of companies facing impending doom and government bailouts to ensure the global economy does not implode. Hopefully the actions taken over the coming weeks will bring confidence and stability back to the stock markets.

    Once the dust has settled and lawsuits have been filed, there may be a manager who during logon notices a domain name is XYZ.com but realises his company is ABC.com, and issues an edict to rename the XYZ.com environment or remove it, stating "We bought them; I don’t want to see their name every day when I log on."

    How to convince the suits that it is purely cosmetic?

    Trying to explain the technical issues around renaming an Active Directory environment to someone holding the budget for I.T. who is not necessarily technical is a major challenge, but associate costs to making the change and suddenly you are speaking the same language.

    So what costs are involved?

    The costs involved can be huge for very little gain, if any.  Try to associate a value to each of the listed challenges.

    Challenges

    Domain Rename

    To rename the domain one would have to rename all the domain controllers and touch all domain joined machines.

    Exchange

    If Exchange is in the environment, you face multiple challenges.

    Exchange 2007 - Does not even support a domain rename if installed; KB925822
    Exchange 2003 > SP1 - Supports domain rename but needs additional administrator intervention; KB842116
    Exchange 2003 RTM - Does not even support a domain rename; KB822590
    Exchange 2000 All Versions - Does not even support a domain rename; KB822590

    Certificate Services

    The entire PKI infrastructure would have to be uninstalled and started afresh.

    Now some key challenges have been identified,  consider COTS applications, bespoke applications and custom code that all may use Active Directory.  All of this would need testing and then consider the impact to the business if it went wrong?

    Toolset

    http://technet.microsoft.com/en-us/windowsserver/bb405948.aspx 

    Conclusion

    Having worked in IT for a number of years, what often appear to be simple changes to the environment are the most complex and ones that you wish you had never started.  If the boss does shout and asks why he can see XYZ.com?  Perhaps with these few identified challenges you can have a starting point in your defence as to why it has not been done.

    To follow - The preferred approach, Migration (dust off the NT4.0 to 2000 skills, they are still of use).

  • Totally useless, but free - Server 2008 AD Exams

    Registration is open until October 25th for testing New Virtual Lab based Exam

    70-113: TS: Windows® Server 2008 Active Directory - Configuring

    The new pilot exam “70-113: TS: Windows® Server 2008 Active Directory - Configuring” tests candidates' abilities to actually perform tasks and solve problems in a virtual lab environment like they would normally do in the real world. We are pleased to offer you the opportunity to experience this pilot exam at no charge (Where's the catch?).

    This pilot exam will not provide you with a score as with normal beta exams. This pilot is a test of the exam experience, so only a portion of the final exam will be presented to you during this pilot. (Aha!!)

    This pilot exam will not be added to your transcript and you will need to take the exam in its released form in order to be awarded the credential.
    Find exam preparation information: http://www.microsoft.com/learning/exams/70-640.mspx

    Upon completion of this pilot exam, the first 3000 candidates will receive 3 free exam vouchers (Nice!!!) that can be used to register for any Microsoft Certification exam delivered at a Prometric testing center.  The voucher(s?) will be distributed electronically 4 weeks after end of Pilot.

    You must register at least 7 days prior to taking the exam. Register before October 25th to take the exam before October 31st.

    Go to the Prometric Website: http://www.register.prometric.com/ClientInformation.asp

    Find Microsoft exam 70-113: TS: Windows® Server 2008 Active Directory - Configuring
    Use Promo Code H640 (promo code is active till October 31st)

    Send your opinion about exam experience to: http://blogs.technet.com/betaexams/ and to: pbexam@microsoft.com

  • Slow Link Detection - interesting snippet

    A couple of years ago I was at TechED USA, listening to a pre-conference session by Corey Hynes, and he asked a question around slow link detection and if anyone knew how they did it. Nobody answered, and he then revealed that it was done by sending a JPG over the wire and measuring the time it took.

    I posted the question on the ActiveDir mailing list and Joe Richards (of Joeware fame) came back with the answer that it was indeed a JPG file. It is simply 2048 bytes of info that is a partial black and white Microsoft Logo file called wang2.jfif.

    The full article can be found here. http://blog.joeware.net/2007/06/05/910/

     

  • Next [ADUG] meeting?

    I am starting to think about the next [ADUG] meeting after the 23rd October (and beyond). Does anyone have a suggestion for the meeting or who they would like to hear talk?

    Let me know via the website (or email me at info@adug.co.uk).

    Mark

  • Members who wish to Blog

    If anyone wishes to blog about Active Directory (or technology), there is a blogspace for members that I can permission up and enable you to blog.

    Let me know if you would like to do this (I can't give you a blog each as the version I am currently using of Community Server does not allow me that many).

    Mark

     
