My blog about Active Directory and everything else

Outstanding Cloud & Identity Talk

2012-05-24T06:42:00.000-07:00

I generally don't post videos or presentations as blog entries but this is one I haven't seen posted by a lot of folks and is a must watch for anyone in the Identity, Active Directory, Directory Services field.

The main reason I love this talk is because the presenter. Microsoft's Kim Cameron Kim is the Chief Architect of Identity in the Identity and Access Division at Microsoft. In other words when it comes to anything Active Directory/DS. Kim is "the man"

Vittorio had an excellent blog about Kim (Kim was retiring when that blog was written but has come back and he talked about that in this presentation)

This is a twenty minute Kim's keynote from the European Identity & Cloud Conference 2012.

Some things I liked

Use the efficiencies of the cloud to enable efficiencies in identity
The Cloud Motor Runs on Identity
Identity Management as a service is an inevitability
There ae other vendors who have similar directories...not as good of course :)

There are a lot of people that talk about the cloud and give talks. This is one from a guy who truly knows his stuff. Kim also has an excellent blog entry that goes with this video.

I'm personally excited that AD and Directory Services types can evolve our skills and have work for years to come.

New MCSE - Personal FAQs

2012-04-16T05:34:00.000-07:00

As most blog readers know Microsoft has brought back the MCSE & MCSA certifications and titles. For those newer to the field the MCSE was one of Microsoft's most popular certifications and tracks. I'm on the AD/Server side of the house so for me this goes back to an MCSE in Windows NT, 2000, & 2003.

With the 2008 tracks Microsoft did away with the MCSE & MCSA and introduced the MCITP an MCTS tracks and certifications.

The MCSE and MCSA are back again but this time they stand for

Microsoft Certified Solutions Expert
Microsoft Certified Solutions Associate

The Microsoft Learning team has put together a nice page with a lot of information.

MSCE: Reinvented for the Cloud

There are also some good videos on the site and the Microsoft Learning YouTube Channel

There was a lot of great information on the site, but I still had questions and after asking around I noticed others had the same questions. MSLearning has a Twitter Account and that is where I learned a lot more about the new certs and the future. I compiled some of my FAQs here:

MK FAQ 1 : What happens if I have the MCITP:SA do I need to start from scratch?

So that was good news, as you can see the MCITP:SA will automatically receive the new MCSA: Windows Server 2008 Certification.

MK FAQ 2 : What happens if I have the MCITP:EA?

This was interesting because the MCITP: EA and MCITP: SA will both have the same MCSA: WS2008 title. I was hoping for two certs as I have both :)

Note: It was common for people to get both the MCITP:EA and MCITP:SA certifications.

MK FAQ 3 : When will our transcripts be updated?

According to the twitter conversation above transcripts should change on April 24, 2012.

UPDATE: Blog reader let me know in the comments that his transcript was updated on 4/17/2012. Nice job by Microsoft getting ahead of schedule.

MK FAQ 4 : What happens to our old certifications?

This one I really like a lot! I like that old certs will enter a legacy state and be stated that way on the official Microsoft transcript.

I also like that new exams and certifications will also retire. It makes people need to stay somewhat current and re-certify. Other companies already use the model the most famous probably being Cisco.

I know there are going to be cynics out there that remember MCSE's being referred to as "paper tigers" or MCSEs that got their certs through brain dumps and that made us all look bad but Microsoft is definitely moving in the right direction in my opinion.

I'll take an analogy from the Army. Every Army soldier goes through bootcamp and has "basic" skills but there is a lot more training and experience needed to become a Ranger or Special forces and deal with the advanced issues/topics. That is how I look at a lot of these certs (from any company). They are a good step but getting an MCSA or MCSE doesn't mean someone knows everything....it is an ongoing process.

One of my AD Heroes is Joe Richards and he once rated himself a 6 out of 10 in AD. Again it is a lifelong learning process...no one knows it all not even a guy like Joe (love how humble and cool he is)

I'd like to hear from the community. What do you think about the new changes and updates?

Security Compliance Manager 2.5 Released

2012-04-04T05:00:00.000-07:00

Ned Pyle wrote a blog entry in January on the Microsoft askds blog about Security Compliance Manager 2.5 Beta

The tool has been officially released and is no longer in beta.

From the download center

We are pleased to announce that version 2.5 is released and now available for download from the Microsoft Download Center!

Download SCM 2.5 now

I've been testing 2.5 Beta and really glad that it is now out of beta as it will be much easier to get the tool approved for use where I work.

You can read about the key features & benefits on the Microsoft site so I won't copy and paste them again here.

There will be follow up blog posts with more info and screen shots from the tool.

Active Directory Administrative Center Twitter Question

2012-03-30T08:00:00.000-07:00

I recently saw a question on Twitter about the Active Directory Administrative Center (ADAC)

Twitter is a site everyone knows but more and more it is a great place for tech information and sharing in the community. There are a lot of good tweets on Active Directory and links to information. There is also a fair amount of spam/bad links. Those are usually easy to spot though (picture is a "sexy" model for example)

Thanks a lot to @SamErde for letting me use his post for this blog.

ADAC was released with Windows 2008 R2. It has gained some traction but currently it is definitely still not the GUI tool of choice for Active Directory Administration. AD Users & Computers still wins but that may change in Windows 8 when features like the AD Recycle Bin and Fine-Grained Passwords are brought into ADAC giving both of those features a much needed GUI.

In order to truly test I created three forests in my lab and created a forest trusts between the first forest and the other two forests. I did see TechNet articles that this could be done but I like to verify.

I'm not just a blogger I also work in this world and I know setting up the trusts can be a pain. You have to have proper ports open That is often easier said than done. Become friends with the firewall admins :) You also need to ensure that name resolution is working. I used conditional forwarders to resolve the domain names in DNS. Stub zones and secondary zones would also work.

There are a lot of posts and resources about setting up trusts. If you run into issues look at the basics first

For potential port blockages tools like telnet, portqry, wireshark, and netmon are really good starting points.
For DNS issues nslookup is a good place to start troubleshooting. (wireshark/netmon are good there too)

At this point the forest trusts have been setup and the two way trusts are functional. The first thing we need to do is to try and add one of the other domains in ADAC.

Add Navigation Nodes in ADAC - Windows Server 2008 R2

Add Navigation Nodes in ADAC - Windows Server 8 Beta

I added the screenshot from a Windows Server 8 Beta box just to show that the location for adding the Navigation Nodes has changed.

I'm going to use Windows 2008 R2 for the rest of the examples. I select add navigation nodes from there I can add another domain.

Adding domain in another forest to ADAC via Navigation Node

Once I add the domain from the trusted forest I can now see it in ADAC

Remote domain from trusted forest now appears in ADAC

That is great but what does that really get me? I am able to view objects in the remote domain due to the default nature of AD allowing read access to most objects.

I'm not able to make any changes which is a good thing. The fact that the forest trust exists doesn't give any rights to administer the remote domain.

Notice in the screenshot below, I attempt to update/edit a user in the remote forest/domain. I'm unable to make any changes but can read his info.

Attempting to update a user

Without any rights I can't really do much. In this case I want the same account to be able the objects in both forests.

There are several options here but I added my admin account into the Built-In Administrators group in the remote domain.

My admin account has been added into the Administrators group in the remote domain

After the addition has replicated I then try to update the user account from ADAC again. This time you will notice that the fields are not grayed out and I can make changes.

Wishlist: I would like the ability to add another domain in the navigation node but also specify alternate credentials when I do that. That would be handy if an admin has a separate admin account in the remote forest/domain. I'm still researching that and will update the blog if I find something.

There is a good article about ADAC on TechNet that is worth reading.

What are your thoughts on ADAC. For those at 2008 R2 is it gaining traction in your environments?

LastLogonTimestamp for Group Members

2012-03-22T07:00:00.000-07:00

I was recently working in a secure environment and one of the issues was way too many domain admin accounts. This is not a problem just in secure environment. I've yet to encounter a federal organization that does an outstanding job of limiting the number of domain admins. I've seen Joe Richards write about working at a Fortune 5 company where they ran with less than 5 domain administrators. More and more organizations are trying to limit domain admins. I doubt we will ever get to a point where less than five is the norm but things are getting better...slowly but surely.

The first step the security team took was to identify members of the domain admin group and the last time they logged in. This is a good initial step to remove those that haven't logged on or used their accounts. If someone hasn't used their domain admin account in 120 days or longer then I would question if they need the account.

Some folks on the security team were manually going and using a box that had the additional account info tab from the acctinfo.dll. They were then looking at lastlogon box within the tab and manually entering that into a spreadsheet. I knew there were easier ways to do this so I stepped in to help out.

For this exercise I keyed off the LastLogonTimeStamp (LLTS) The lastlogontimestamp can be off by 9-14 days. The link to the askds blog entry on LLTS does a great job of explaining it. If 9-14 days is not acceptable then you would have to query lastlogon on every DC. Lastlogon does not replicate and that is why every DC would have to be queried.

For the examples I'm in my lab domain which is mkw2k8R2.com and I only have three users in the domain admin group. I've only logged in with one of those users.

Method 1 - Using ADFIND

Regular blog users will not be surprised to find out that I used adfind from Joe Richards for method 1.

adfind -default -f "memberof=cn=domain admins,cn=users,dc=mydomain,dc=mysuffix" samaccountname lastlogontimestamp -tdc -nodn -csv

Method 2 - Using Quest AD Powershell Cmdlets

Many people that started with powershell and AD years ago are probably familiar with the free AD cmdlets from Quest.

get-qaduser -memberof "domain admins" | select-object samaccountname, lastlogontimestamp

Method 3 - Using Microsoft's AD Powershell v2 Cmdlets

With the introduction of Windows 2008 R2 and Windows 7 Microsoft introduced the AD module for Windows Powershell. There is already a lot of good information about the AD Module for Powershell so I won't go over that here. I also admit I'm not a powershell master/guru.

get-aduser -LDAPFilter "(memberof=cn=domain admins,cn=users,dc=mkw2k8r2,dc=com)" -property lastlogondate | ft samaccountname, lastlogondate

If you noticed I used lastlogondate which is not an actual AD attribute. My friend Richard Mueller had a good writeup on lastlogondate. See the link and Richard's answer for more info on lastlogondate which is essentially the same as lastlogontimestamp

Method 4 - Using CSVDE

CSVDE is what you call an old school tool. Those that have been around AD for years have definitely used the tool at some point. It was around before adfind and powershell.

csvde -f c:\userslogon.csv -r "(memberof=cn=domain admins,cn=users,dc=mkw2k8r2,dc=com)" -l samaccountname, lastllogontimestamp

One problem with the CSVDE method is how it handles the output. LastLogonTimeStamps are Integer8 (64-bit numbers) that CSVDE can't handle. You will notice in methods 1-3 those tools did a good job of decoding the attribute.

Elizabeth Greene has a really good blog entry that has a formula you can use in excel to convert it into a readable date.

Notice in the screenshot the difference between the native format in cell C2 and what it looks like after I applied the formula

Method 5 - Using Repadmin

This method I first saw used in the blog from the askds team that I linked to earlier and I'll link to again here

repadmin /showattr dc1root dc=mkw2k8r2,dc=com /subtree /filter:"(memberof=cn=domain admins,cn=users,dc=mkw2k8r2,dc=com)" /attrs:lastlogontimestamp

Other Methods

I really like methods 1-3 the best. There are other methods that I have not included here but I figured five is a good start for anyone. Some other things you might see out there

VBScript - Richard is the king in this category and if you want to use VBScript I recommend testing his scripts out.
Powershell v1 without AD cmdlets - remember when I said I was not a powershell guru yet. I'm guessing that is something that can be done but haven't tried to do it yet. The AD cmdlets from Microsoft and Quest both work for me so I try to stick to them.

You can use these examples and modify them if you are looking for other groups. There are other/better ways to identify old/stale accounts in a domain if you want to do it domain wide. More to come on that.

I'm really looking forward to hearing from readers and the community on other methods for doing this. If there are better ways to do it in Powershell please leave a comment and I'll definitely update the blog.

Inactive Domain Admins beware....you will be removed :)

Windows Server 8 AD Cloning, Virtualization, and Snapshots Warning

2012-03-19T13:55:00.008-07:00

Windows Server 8 Beta has a lot of nice features. Two features that are getting a lot of buzz in the Active Directory World are the ability to easily clone domain controllers and the support to restore Active Directory using snapshots.

Using snapshots can cause USN Rollback and other problems. Mark Ramey from the Microsoft AD team has an excellent blog entry that you can read for more info.

I added the word Warning to the title of this blog because I've seen a few blogs, posts, and articles that may lead people to believe that this can all be done with a few mouse clicks. This is not the case, it is not hard but there are some major prerequisites and steps that people have to be aware of.

A few screenshots from my lab using VMware workstation. These options exist in most hypervisor products.

Cloning in VMware Workstation 8

Snapshot in VMWare Workstation 8

***WARNING*** You can't just use the GUI and start cloning and taking snapshots without causing issues in a domain/forest with multiple DCs. You can't manually copy the virtual machine files. VMWare workstation 8 and the current VMWare products don't support these features.

To take advantage of these features the virtualization host must support VM Generation ID. I'm guessing by the time Windows 8 is released all major vendors will support this but that means most folks will have to upgrade their hypervisor.

Microsoft currently has two really good documents that are a must read for anyone interested in these new features

Test Lab Guide: Demonstrate Virtualized Domain Controller (VDC) in Windows Server "8" Beta

Understand and Troubleshoot Virtualized Domain Controller (VDC) in Windows Server "8" Beta - written by Ned Pyle - Outstanding document!!

I won't repeat the documents but some important sections

Steps to deploy a cloned virtualized domain controller

1. Create the customized DcCloneConfig.xml file on a source domain controller

2. Detect incompatible programs on the source domain controller

3. Ensure the PDC emulator runs Windows Server "8" Beta, is not the clone source, and is available

4. Authorize the source domain controller for cloning

5. Shutdown the source domain controller and copy its disk

6. Create a new clone virtual machine using the copied disks

7. Start the source and cloned domain controller, then allow cloning to occur

For those that are fans of the GUI
There is no task-oriented graphical management program for VDC cloning in Windows Server "8" Beta; the provisioning steps are performed manually or using Windows PowerShell

Steps to restore a DC snapshot

1. Take snapshot of DC

2. Create a new Group Policy

3. Validate GP replication (SYSVOL replication)

4. Restore DC Snapshot

You can read the the documents to get a lot more info. Ned's document is 162 pages...Ned is the king of documentation and writing :)

As I start using this feature more and eventually use this in production in the future I hope to write more on these features. I won't try to replicate Ned's excellent document but there is going to be more to come.

HSPD-12 and Active Directory Domains -Documents Updated

2012-03-15T08:15:00.008-07:00

Microsoft has updated their documentation regarding HSPD-12 Logical Access Authentication and Active Directory Domains

These documents are probably going to be more valuable to those that support federal customers in the US but they are a good read for anyone planning to deploy smart cards in their environment.

For those not familiar with HSPD-12 in a nut shell it is a mandate for federal organizations to issue common ID/Smart cards to their users. This comes into play in the Active Directory arena as the cards are used for login using two-factor authentication/smart card login. The two-factors in this case are:

Something the user has - the smart card
Something the user knows - PIN

Everyone has seen this referenced in the Account tab of a user in AD Users & Computers.

Those in the military or who have supported US Military customers will hear the term CAC Card used for their smart cards. Those supporting civilian agencies/.gov will hear the term PIV Card for their smart cards.

You can get the updated Microsoft documentation here:

HSPD-12 Logical Access Authentication and 2008 Active Directory Domains

Kurt Hudson has a good quote about the documents on the Windows PKI Blog

Included within this document are detailed steps to configure Windows Server 2008 R2 Active Directory Domain Services (AD DS), Active Directory Certificate Services (AD CS), Windows® 7, and Microsoft® Office 2010 to perform traditional UPN based smart card logon, explicit smart card logon (client authentication certificate mapped to multiple accounts), explicit cross-forest smart card logon and NIST SP800-78-3 compliant S/MIME email exchanges.

Smart card/HSPD-12 adoption within agencies varies. DoD has definitely been the leader in this space. There are other agencies that I've been at that are also rolling but there are also those that haven't even started issuing smart cards to the majority of their users yet. I'm not naming names here :)

Windows Server 8 Member Server - ADAC Recycle Bin

2012-03-13T18:27:00.007-07:00

Windows Server 8 Beta was released a few weeks ago and I understand that many organizations may be hesitant to start deploying domain controllers.

One nice thing is that some of the new features can easily run on a member server or workstation and work fine in your current domains. You don't need to convince anyone about a schema update or new Windows 8 Domain Controllers right now. Enjoy the new features with no risk (I'd argue there is not a lot of risk in adding a domain controller but I understand leadership wanting to wait on domain controllers)

One of those features is the AD Recycle Bin GUI. That is a nice addition that system administrators have been asking for since 2008 R2 was released. Your forest does have to be at 2008 R2 Forest Functional Level to enable the recycle bin.

Many people enabled and used the AD Recycle Bin in 2008 R2 There are even some 3rd party tools that can help and put a GUI front end around the Recycle Bin. In my opinion the GUI in Windows Server 8 is much nicer and is definitely a reason to add a Windows Server 8 member server now.

In my lab I have a 2008 R2 (forest functional level 2008 R2) Domain Controller and a Windows Server 8 Beta member server.

Windows 2008 R2 Domain

SIDE NOTE: As you can see my test domain is named USMCThanksForYourService.mil I've heard there might be some Marines stationed in Afghanistan reading this entry so a heartfelt thanks for all you all do. It takes a lot of courage to be in the military right now and you all are on the front lines. THANK YOU!!

SIDE NOTE II: Although I'm an Army vet I support all branches of the military. Any other military members reading my blog? Leave a comment, I'd love to hear from you.

So people don't think I'm cheating I'll first verify that the Recycle Bin is not enabled by using the powershell command Get-ADOptionalFeature -Filter {name -like "*Recycle Bin*"} If EnabledScopes is empty that indicates the Recycle Bin has not been enabled.

AD Recycle Bin not enabled

I also join the Windows Server 8 Beta machine to the domain.

Adding Windows 8 Server to the domain

Once the server is added to the USMCThanksForYourService.mil domain I have to install the Remote Server Administration Tools (RSAT) Feature for Active Directory so I can have access to the necessary AD tools and fetures.

Adding Roles and Features in Server Manager

Adding RSAT Features

Adding RSAT Features Part II

Once the RSAT tools have been installed you are ready to use Active Directory Administrative Center (ADAC) against your 2008 R2 domain.

You can enable the AD Recycle Bin from the GUI now instead of the old way using Powershell

Selecting ADAC from Server Manager in Windows 8

Enabling the AD Recycle Bin from Windows Server 8 Member Server ADAC

AD Recycle Bin Confirmation 1

AD Recycle Bin Confirmation 2

Just want to confirm that the AD Recycle Bin has been enabled. Notice this time the same command yielded an entry in "EnabledScopes"...success

AD Recycle Bin Enabled - Confirmation

A quick tutorial of the new feature now that it is enabled and the member server is up and ready to go.

As you can see there is a user named Dakota Meyer who is in the group "MedalofHonor"

A young contractor was really excited and lost his mind and accidentally deleted the account. Luckily the USMC leadership had allowed this Windows 8 Member Server and Dakota's account would be restored in a few clicks.

In ADAC Navigate to the Deleted Objects Container

Notice the deleted user is listed. Right click on the user for Restore Options

In ADAC we confirm that the user has been successfully restored

On the 2008 R2 DC the restore is confirmed using ADUC

Windows Server 8 Beta - Schema Version - Update

2012-03-13T11:55:00.001-07:00

I previously posted a "quick-hitter" blog about the Active Directory Schema version in Windows 8 Developers Preview.

Windows Server 8 Beta has been out for over a week now and I have a domain controller in my lab for testing. The schema version is now 52

I once again used adfind to quickly find the schema version.

I've updated the Active Directory Schema version table below.

Windows Server 8 Beta	52
Windows 2008 R2	47
Windows 2008	44
Windows 2003 R2	31
Windows 2003	30
Windows 2000	13

Windows Server 8 Beta and VMware Tools

2012-03-13T07:33:00.001-07:00

I am running VMware workstation 8.0.2 build-591240 to test Windows Server 8 Beta. I'm doing this on my Windows 7 machine. Right now there is no Microsoft hypervisor that runs on top of Windows 7/client OS that will support a 64 bit operating system (that changes with Windows 8)

The installation of Windows Server 8 Beta went fine and I had no issues with that. I then tried to install VMware Tools

After the installation of VMWare tools the Windows Server 8 Beta box became unresponsive and the screen was black and the VM was unusable. I had a snapshot so I went back to that and was able to work and test.

I looked around the VMware site and found a blog entry about running Windows 8 CP in Workstation 8

That didn't really help because my issue is with Windows Server 8. I started reading the comments and noticed that there were others having this exact issue. Some folks suggested enabling 3D Acceleration on the VM.

I enabled the feature and then installed VMware tools again and this time the VM booted up fine. No black/unresponsive screen.

I hope this helps others trying to install VMWare tools with Windows Server 8.

Windows Server 8 DCPromo Error - FIXED

2012-03-09T09:18:00.003-08:00

In a previous post I showed that there was an error if trying to set the forest and domain functional levels to Windows 8 during DCPROMO using Windows 8 Developers Preview.

Now that Windows Server 8 Beta/Consumer Release Preview has been released I tested the promotion process again.

I once again selected Windows Sever 8 for my functional levels

I am very pleased to report that I no longer receive the same error that I mentioned with Windows Server 8 Developers Preview.

After the promotion is done the Functional Levels are set to Windows Server 8

Nice job with the fix Microsoft AD Team!

I don't have a comprehensive list of features that are dependent on Windows Server 8 functional levels (forest & domain). When I have that list I'll post it.

Enjoy Windows Server 8 Beta!

Goodbye Old Friend

2012-02-03T09:52:00.000-08:00

Last night I had to do one of the toughest things any pet owner ever has to do and that is to make the decision to put my cat down.

My cat was 20 years old and I'd had her for the last 12. She was battling the final stages of kidney failure and had deteriorated badly over the last few days. She also had a small mass in her stomach that was probably cancer. I could have tried to give her more time by giving her IV fluids at home but nothing was guaranteed and I didn't want to put either of us through that.

Growing up I always thought of myself as a dog person. My good friend John and his wife were starting a family in the late 90's and had two cats that they could no longer give all their attention to. I'm not sure how the discussion happened but my brother and I took them both in. At the time we were living in a shitty apartment but had room for them. It ended up being one of the best decisions I've ever made.

Growing up as dog owners we didn't know what cats were like but they both ended up being really great pets. Cats are definitely easier than dogs to take care of and yes although they worked and played on their schedule they still gave the same unconditional love that any beloved pet gives. That is probably the greatest thing about a pet. You give them some attention and care for them and they return it back ten fold.

Max is one of the final links to my youth. When we got her I was recently out of the Army. My brother and I were both starting out with entry level jobs at the time and 12 years later so much has changed but Max was the one constant and I'll miss that a lot. Looking back Max and her sister who died four years earlier taught me that I'm actually a dog & cat person.

I don't know when or if I'll get another pet. Losing them is so tough. I hate going through this every time but I remember all the good years.

My girlfriend Michelle went with me last night and I can't repay or thank her for doing that. It's tough times like that when you really see what a person is made of and she was there for me. Also a special thanks to Dr. Reese at TLC in Leesburg, VA Dr. Reese is a cat owner and lover herself and was very caring and compassionate with Max until the end. I have no idea how Vets deal with that day in and day out but I'm very glad there are those that go into that profession.

Goodbye Old Friend...Thanks for always being there.

Max
1992 - Feb 2, 2012

Find Non Replicated Attributes in Active Directory

2011-10-18T11:01:00.000-07:00

The quick hitter series is back and this entry was inspired by a colleague (thanks Funk!)

If you are querying AD you may get inaccurate results if you are querying an attribute that is not replicated between all domain controllers. Two common attributes I see people having issues with are lastlogon and whenchanged. The issue here is suppose you query for lastlogon and get a value. That may not be accurate as there may be a newer value on another DC. On a side note for that issue lastlogontimestamp is usually good enough for most folks...but I digress.

Is there a way to find what attributes are not replicated between DCs? The answer to that is yes and there are various methods to find this information. I once again go to the great ADFIND tool from MVP Joe Richards Joe was recently awarded the MVP for the 10th straight year and that is well deserved.

Adfind has a ton of great shortcuts and one of them is to find non-replicated attributes.

adfind -sc norepl cn -nodn

I only outputted the cn of the object and didn't need the distinguished name so left that off with -nodn

You can see part of the output below. Notice the whenchanged attribute that was mentioned earlier.

systemFlags contains a flag that defines if an attribute is replicated. As you can see in the link if the value 1 is applied to an attribute it will not be replicated. So you could also get fancy with adfind and do something like

adfind -schema -bit -f "&(objectclass=attributeschema)(systemflags:AND:=1)" cn -nodn

That should give you the exact same result as the previous command. I'd personally always go with the shortcuts...they are there to make things easier...thanks Joe :)

Windows Server 8 - GUI on GUI Off

2011-09-26T12:17:00.000-07:00

Before I start I'd love to hear comments on this feature in Windows 8. Do you all think it is a feature that will be widely adopted?

This entry is about a new feature in Windows Server 8. The ability to turn on and turn off the graphical shell.

Prior to Windows 2008 there was no Windows OS that didn't feature a full GUI. Linux folks would often criticize Windows admins for not being talented around the command line. That was true to some extent but there are a lot of Windows admins/engineers who are comfortable around the command line but there were tasks that could only be done via the GUI or were much easier from the GUI.

In Windows 2008 a new feature was introduced called server core

The Server Core installation option is an option that you can use for installing Windows Server 2008 A Server Core installation provides a minimal environment for running specific server roles, which reduces the maintenance and management requirements and the attack surface for those server roles

Server core was intimidating to a lot of Windows admins not used to administrating or configuring servers from the command line.

Server core was also available in 2008 R2 and introduced a tool called sconfig which made configuration much easier. Other features such as powershell were also added in 2008 R2.

There was no way to convert a server core to a full server if there was a feature that needed to be installed that core didn't support. I'm not sure what the server core adoption rate was. I've seen people speculate 10-15% but have not seen official numbers from Microsoft.

There are a lot of beneifts to server core including greatly reducing the number of reboots and patches needed. MVP Brian McCann has an excellent blog entry on Server Core with stats.

“In some cases, customers can see up to a 60% reduction in patch requirements and the number of reboots on a monthly basis” These are the numbers that back up statements such as that.

Server core is still an option in Windows Server 8.

However for those that still are not comfortable with core there is an option to remove the GUI from a full installation of Windows 8.

As Ned Pyle pointed out in the comments of this AskDS blog this feature is not quite server core. Meaning using these steps doesn't turn your server into core but it does remove many of the GUI features. You will no longer need to worry about admins surfing the internet from your servers. This may end up being the preferred method for deploying Windows Server 8....time will tell.

I first noticed the Server Graphical Shell in the Features list in Windows Server 8. I had not seen this feature in the past.

The feature can be removed by just clearing the check box in the roles and features wizard from server manager.

I've unchecked the box in order to remove the Graphical Shell.

After the server is rebooted and comes back up the GUI shell is gone. Server manager is still available. Things like the MetroUI are now gone.

For fun I tried to surf the net using Internet Explorer

Items like the MMC and snap-in can be added. The server can also be manged remotely.

Suppose an admin later decides later that they want this feature back. It is just as easy as removing except this time the box is checked to add the feature

After a reboot the GUI shell is back.

For those that prefer PowerShell this can also be done in a few lines via PowerShell

I import the server manager module and viewed the features (not required)

From there it is as simple as remove-windowsfeature server-gui-shell

Adding it is just as easy...you guessed it

add-windowsfeature Server-Gui-Shell

Again I'd like to hear comments on this feature. Was it needed since we already have server core or is this a nice middle ground that will be widely adopted?

Thanks for reading.

Windows Server 8 - DNS Management Console

2011-09-21T09:08:00.000-07:00

I have to begin this post with the normal caveat that this is only the developers preview build that I'm testing with and things may change.

When I promoted my Windows Server 8 to become a domain controller I also installed DNS. As most people know AD has to have DNS in order to work. Most places use Microsoft DNS but you can also use BIND and others but I decided to stick with Microsoft.

After the DC was installed and rebooted I was able to access all the normal AD management consoles such as AD Users & Computers, Sites and Services, Domains and Trusts, AD Administrative Center and others.

I went to look at DNS and could not load the DNS management console.

I verified that the DNS feature had been installed.

I tried to add the DNS console via the MMC snap-in but it was missing.

I tried to run the dnsmgmt.msc command and again no luck

This could not be right and I had to be missing something. I decided to go look into the roles and features. Once again I verified that DNS was installed

I went into the features and looked at the Remote Server Administration Tools(RSAT) settings. I noticed that the DNS Server Tools were not checked/installed.

I checked the box to install the tools and just had to verify and install. This feature did not require a server reboot.

I once again tried to add the DNS tools via the MMC snap-in and this time voila it was there

I verified that dnsmgmt.msc would also work from the command line.

As you can see below the DNS management tools are now accessible and this is what it looks like in Windows Server 8 Developers Preview.

Windows Server 8 - Schema Version Quick Hitter

2011-09-20T14:10:00.002-07:00

THERE IS AN UPDATE TO THIS BLOG ENTRY

After being put on ice the quick hitter series is back.

I downloaded one of my favorite active directory tools called ADFIND from MVP Joe Richards

So far adfind seems to work great with Windows Server 8. I have not tested every switch but so far so good.

I really like the adfind shortucts and it is a great way to do things like quickly find the schema verision. adfind -sc schver

As you can see the schema version in Windows Server 8 Developers Preview is 51

There are other ways to find the schema version if you don't have adfind installed. Santhosh has a good blog entry where he outlines other methods such as adsiedit and dsquery.

If you are keeping track or are asked in a trivia/interview situation here are the AD schema versions throughout the OS Versions

Windows Server 8 Developers Preview	51
Windows 2008 R2	47
Windows 2008	44
Windows 2003 R2	31
Windows 2003	30
Windows 2000	13

Windows Server 8 & VMware Workstation

2011-09-16T12:08:00.000-07:00

In a previous post I outlined installing Windows Server 8 Developer preview and all the current testing and screenshots have been done in a virtual box environment.

I also run VMware workstation and was running VMware workstation 7.1. I currently don't have a dedicated Hyper-V box at home but that will change in the future when I'm running Windows 8 as my desktop OS.

I tried installing Windows Server 8 on VMware 7.1

Initially it looked like it was going to start installing. Since Windows 8 was not an option I chose Windows 2008 R2 as the OS.

As you can see I also tried Windows 7 with no luck. I also tried other scenarios and they all didn't work. I figured this was a pre-beta release of Windows 8 so no big deal but I was a bit disappointed. If anyone has gotten this to work please comment.

On Septmember 14 VMware released Workstation 8

I decided to spend the $99 for the upgrade. Once I received the verification email I went to the download site and noticed there was only one executable for the full version and no upgrade version.

I wasn't sure if the full version would work or even let me download it. The VMware workstation team on twitter was really helpful and let me know to install the full version. It would uninstall 7.1 and then install 8.0 without losing any virtual machines. That worked fine so now the moment of truth would VMware workstation 8 support Windows Server 8 Developers Preview.

I started off with a typical install

This version still could not detect the OS but I'm guessing that will change in future release and as Windows 8 gets close to RTM.

I chose Windows Server 2008 R2 as my guest OS.

There is no license key for this version of Windows 8 so that is left blank.

I named my machine and set the location. I just use an external drive attached via USB 3.0. I would like a better storage system but I also don't want to break the bank.

I gave myself 40 GB and finished the process of configuring the virtual machine.

After reboot I was stuck in an endless loop telling me that the product key could not be read from the answer file. This had me worried as there is no product key

The endless loop was no fun so I shut the machine down and looked at the configuration again. I noticed the floppy drive there and I definitely don't need that. I removed the floppy drive

After removal of the floppy drive the installation proceeded with no issues.

There are some features such as cloning that I like in VMware that I don't get in Virtualbox but both are adequate for testing Windows 8 right now.

Thanks to the @vmw_workstation guys for their tips.

The normal caveat applies and that is that this is still a pre-beta release of Windows 8....but have fun.

Not sure if I'll be going to VMware workstation 9 down the road. I may have all Windows 8 boxes with Hyper-V by then :)

Windows Server 8 - Fine-Grained Password Policies

2011-09-15T12:05:00.000-07:00

BACKGROUND

In the old days (Windows 2000 and Windows 2003) an Active Directory domain could only have one password and account lockout policy per domain for domain accounts.

The group policy with the password settings had to be linked at the domain level(common method people used was to set the policy in the default domain policy).

What options where there if you wanted a different policy for certain users or certain groups? For example what if you wanted service accounts to have a stricter policy? There were not many options. Organizations could try and create their own filter (not recommended) or use a third party tool (not native, not cheap, and needs plenty of testing).

In some cases organizations would create a new domain because they wanted different policies. I was never involved in a new domain just for a password policy but I've heard of it happening.

PASSWORD POLICIES IN WINDOWS 2008

Microsoft introduced a new feature in Windows 2008 called Fine Grained Password Policies (FGPP). The domain functional level has to be at Windows 2008 for this feature to work.

FGPP's allowed organizations to specify multiple password policies within a single domain. You can use fine-grained password policies to apply different restrictions for password and account lockout policies to different sets of groups and users in a domain.

The link above is a step by step guide for configuring FGPP's. There are also some other good FGPP references that I refer to.

Sean's FGPP Walkthrough
Florian's Windows Server 2008 And Its FGPP's
Florian's How To Create FGPP Setting Objects

As you can see in Florian and Sean's great blog entries setting up fine-grained passwords was not the easiest thing to do. Admins had to use ADSI Edit to configure it and the entire process was not admin/user friendly.

There were some third party tools that could make this process easier but again that involved another tool.

WINDOWS SERVER 8 FGPP IMPLEMENTATION

As noted in my previous post there are a lot of improvements in Windows Server 8. Once again a feature is now exposed using the Active Directory Administrative Center (ADAC).

To start open ADAC and navigate to the System container. From there navigate to the Passwords Settings Container and right click and select New > Password Settings

As you can see I named my Password Setting Object(PSO) and I set a precedence level. Precedence is used if there are multiple PSO's applied, the lower precedent will win. I'd try to limit the number of PSO's in a domain.

I've set the minimum length at 14 which is more stringent/strict compared to my normal domain policy which is 8 characters. I want the service accounts to have stronger passwords.

Next I'm going to select "Add" in the Directly Applies to box. In this example I am going to apply the PSO to a group named ServiceAccounts. I could have also selected user accounts here.

Once I'm done with creating and applying the PSO to the group I can verify that the password is set. I navigate to my Service account user that is a member of the ServiceAccount group. I right click and select "View resultant password settings"

The resultant password setting box is presented. It returns the Service Accounts PSO that I created.

There is also another option for user accounts. In ADAC you will notice a Password Settings pane.

PSOs can be directly assigned to user accounts. I'd recommend using groups when possible but the option is there.

So now the PSO is created in applied...but does it work. Can I still use an 8 character password for this account? If it worked correctly the 8 character password should no longer be accepted. I tried a 10 character complex password

Success Full Success!! It would be nice if the error message was more verbose. For example telling the user that they need a 14 character password based off the PSO settings.

One other area I think admins will continue to ask for is the ability to have a different password policy per OU (not just users and groups).

They can't get every feature into every release but this is a huge step forward. Nice job Microsoft AD Team! I think this will help organizations and now more folks will use FGPP. (just remember the domain functional level has to be at 2008 or higher)

Also remember this is a pre-Beta release so things can change. Having said that Steve Ballmer said over 500,000 copies have already been downloaded....the WIndows 8 buzz is on for sure :)

Windows Server 8 - Active Directory Recycle Bin

2011-09-14T13:30:00.001-07:00

The active directory recycle bin was a welcome addition in 2008 R2. Prior to Windows 2008 R2 there were no easy ways to fully restore an AD object and keep all their attributes intact.

There was the system state/authoritative restore method
There was the tombstone reanimation method that didn't restore all the attributes but it was fast.
There were also some third party tools that could help.

So the options were not great and recovering deleted objects could be a pain. Admins rejoiced when they first heard of the AD recycle bin. The forest functional level had to be at Windows 2008 R2 but it was a major incentive to get there.

The AD recycle bin had to be enabled using Powershell and objects could only be restored using Powershell. Microsoft released a good AD recycle bin step by step guide for 2008 R2

Ned Pyle from the Microsoft AD team also had a great blog entry on the askds blog

The AD Recycle Bin: Understanding, Implementing, Best Practices, and Troubleshooting
Notice how to enable the feature and restore objects.

There were third party tools that put a GUI wrapper around the recycle bin but I'm referring to a native build.

So as you can see the AD Recycle Bin in 2008 R2 was very good step forward but it could be better. The Microsoft AD team heard the need for improving the feature and the feature has been improved.

It gets much better in Windows Server 8. The Active Directory Administrative Center (ADAC) has a lot of improvements and one of the big ones is being able to restore objects from the GUI. Powershell still works too but this will be easier for a lot of folks.

The AD Recycle Bin can now be enabled from ADAC

It can also be enabled by right clicking the domain and enabling it there

Warning alerting the user that once the Recycle Bin is enabled it can't be disabled...no turning back.

Note: In a production Windows Server 2008 R2 domain at Microsoft, the Active Directory Recycle Bin feature increased the size of the AD DS database by an additional 15 to 20 percent of the original database size.

I'm guessing those stats are still accurate and will update the blog if I find out anything new.

Once the enable recycle bin is chosen and the changes have replicated then the feature will work after a refresh of ADAC.

I have a test user with many attributes populated and a member of a group that I'm going to delete.

So now the user is deleted but how do I get it back. In ADAC I navigate to the Deleted Objects Node. As you can see the deleted user is there. I can right click and restore the object, restore to another location, locate parent, or view properties.

The deleted objects node in ADAC is the new hotness :)

As you can see I restored the object back to its original location and it is back with all attributes populated.

Anyone who has been in a pressure filled situation trying to get a user or object back in a hurry (especially if a VIP is involved) will really like this.

There will be follow ups to this post about other new features in ADAC and other test scenarios. Job well done Microsoft AD Team!!

Windows Server 8 - Active Directory DCPROMO error

2011-09-14T09:15:00.001-07:00

UPDATE: THIS HAS BEEN FIXED WITH THE RELEASE OF WINDOWS SERVER 8 BETA

In my previous post I went over installing my first Windows Server 8 box.

Since one of my skill sets is Active Directory my next step was to promote this box to become a domain controller.

As noted in the previous post this is an early pre-Beta release so there are going to be features that are not fully developed.

During dcpromo you can select your domain and forest functional levels.

Initially I was ready to go straight to Windows Server 8 levels and why not, it is a lab and we are all learning at this point.

Windows Server 8 Functional Levels selected

Before dcpromo completes a prerequisite check is conducted. As you can see I receive an error

The error is

The specified value '5' is not valid for the argument 'Domain level'

I then went back and changed the functional levels to 2008 R2

Once that is done the promotion did complete and I now have my first Windows Server 8 Domain Controller.

This is a known bug so no reason to report it up the Microsoft chain. Again...this is an early pre-Beta release.

Enjoy and have fun with your new Windows Server 8 Domain Controller :)

Installing Windows Server 8 Developer Preview

2011-09-14T07:18:00.000-07:00

The Microsoft BUILD Conference is happening this week out in California.

Microsoft is using this conference to mainly talk about the next version of Windows which is Windows 8. There have been some leaked copies of Windows 8 but this week Microsoft released the first official release.

The release is a pre-beta released called the Developers Preview and it is not feature complete and still has some things that need to be fixed but it does give us an image to download and start testing and having fun with.

You can download the image from Microsoft.

I don't have a dedicated hyper-v box at home so I'm using VirtualBox I did try and install it using VMWare Workstation 7.1 but had errors. I may write another blog just on that experience. Again important to note again this is an early version.

If you are running Windows 7 you can also boot into Windows 8 and Scott Hanselman has a great blog entry on setting that up.

Guide to Installing and Booting Windows 8 Developer Preview off a VHD

I personally prefer virtual machines so that is the method I used.

So off we go for the screenshots of the install

Three Options to select from; for this initial install I'm going with the full install. Future posts will focus on the Server Core and Features On Demand versions.

Obligatory EULA which I fully read :)

Choose Custom (advanced installation)

I usually use around 40 GB for my virtual machines but you technically only need 32 GB of disk space. Additional information on the system requirements can be found here:

Windows Server 8 Developer Preview - System Requirements

The familiar installing Windows dialogue box. Glad some things don't change.

Getting close to being finished.

Enter a password

Moment of truth has arrived, initial screen for Windows Server 8. It gets me excited as I know I'll be spending years of my life using this OS but this is my first install.

There are two screens you will see when initially working with Windows 8. The first is the MetroUI that a lot of people have seen in previews on the Windows 8 blog and other sources. This is the tile interface

MetroUI GUI in Windows Server 8 Developers Preview

You can use the Windows Key to get to the more familiar desktop

It is a new OS with a lot of graphical changes that are going to take time to get used to it. For old timers over 35 like me the transition from NT to Windows 2000 was also dramatic. Remember going from server manager and user manager to AD Users and Computers.

I'm guessing there is a Group Policy to disable MetroUI and that will be a future posts but for now I'm leaving it on and getting used to it.

Group Policy for Beginners

2011-04-28T08:10:00.000-07:00

I previously blogged about resources to learn more about Group Policy.

Microsoft released a 26 page document today titled

Group Policy for Beginners

Looks really good, and a great way for those new to group policy to start learning. I still recommend the books and links that I previously outlined.

I know not everyone that works with AD also does Group Policy work but a large majority do.

Thanks

Mike

Microsoft Premier Field Engineering Platform Reporting Tool

2011-03-09T08:47:00.000-08:00

Microsoft has released an updated MPS Reports Tool.

Microsoft Premier Field Engineering Platform Reporting Tool

If you open a call with Microsoft you will often be told to upload the MPS reports. The reports can take a while to run to I always recommend running them before hand or as you are calling.

Password Hotfix from Microsoft site not working

2011-02-14T13:57:00.000-08:00

Just wanted to post this for those that are not on the AD/TechNet Forums daily

This is just a repost from the moderators; I'll update the blog posting when the issue is fixed

Password for hotfix downloaded from Microsoft website is not working

When you try to download a hotfix from Microsoft web site, the hotfix may not be able to be extracted properly with the password included in the email from hotfix@microsoft.com.

We apologize for the inconvenience that this issue may have brought to you. Microsoft is aware of this problem and is trying our best to fix it as soon as possible. You may wait for a while and then try to download hotfix again. If it’s urgent, please contact us by calling:

ITPro 800-936-4900
Consumer 800-936-5700

Or visit http://support.microsoft.com for regional support phone numbers. Hotfix request is free of charge.

When this issue is resolved, we will also update it in the forum.

THANK YOU AGAIN - MVP Award

2010-07-02T08:12:00.000-07:00

I found out yesterday that I was awarded the MVP for Active Directory/Directory Services again.

I thanked the world last year so I won't do that again but just read that post and I'll say "ditto".

The first year of being and MVP was really great with the highlight definitely being the MVP summit and I'm looking forward to that again in early 2011.

Thanks to everyone on the TechNet Forums and the Experts Exchange forums that helps and contributes to this great community. I try my best to help but I also learn a ton which is great for me.

Also again thanks to all the smart people within Microsoft and the MVP community that inspire me. People like joe, Laura, Brian D., Jorge, Sander, Mark P, Paul, Marcin, Chris D, Meinolf, Brandon, Dean, Florian, Darren, Eric J, Crandall brothers, Mark H, Rick S, etc....the list goes on and on and on.

Thanks to everyone again and see you all here on the blog or on one of the forums.