Saturday, December 10, 2011

Exchange 2010 SP2 makes hybrid deployment with Office 365 easier

Exchange 2010 SP2 was released earlier this week and one of the new features seems very interesting for those who are planning hybrid deployment of Exchange 2010 with Office 365.

Exchange 2010 SP2 introduces the Hybrid Configuration Wizard, which replaces roughly 50 manual steps for configuring a hybrid deployment with a few inputs and six clicks of your mouse.

More information about the new wizard can be found on TechNet.

I definitely have to try it myself when I get some spare time to play around with SP2 and Office 365 again.

Wednesday, November 30, 2011

Technical documentation for Windows Server Protocols and authentication 101

Yesterday I rediscovered a great resource about Windows Server protocols while I was debugging SMB2 and Kerberos V5 traffic between a Windows 7 client, a NetApp filer and a DC running Windows Server 2008 R2.

I found a page on MSDN that contains the technical documents of the Windows Server Protocols (WSPP) documentation set. Especially useful were [MS-SPNG]: Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) Extension, [MS-KILE]: Kerberos Protocol Extensions and [MS-SMB2]: Server Message Block (SMB) Version 2 Protocol Specification.

I also found a helpful blog post on the Microsoft Open Specifications Support Team Blog explaining authentication in Windows.

Thursday, November 24, 2011

FIM 2010 R2 Release Candidate available

Forefront Identity Manager 2010 R2 Release Candidate has been announced. FIM 2010 R2 RC can be downloaded from the Connect website. Technical information and release notes are available in the TechNet Library.

Saturday, November 19, 2011

64-bit DirSync now available from Office 365 portal

The 64-bit version of the Directory Synchronization tool has been released. 64-bit DirSync is based on FIM 2010, whereas the old 32-bit version was based on ILM. You need the 64-bit Standard or Enterprise edition of Windows Server 2008 or Windows Server 2008 R2. More information can be found on the Office 365 blog.

Friday, October 14, 2011

Security Compliance Manager version 2.0.20.0 released

Long time no post... No explanations this time. ;)

Microsoft Security Compliance Manager version 2 was released a few weeks ago. Take a look at it if you want to access and automate all of your organization's security baselines in one centralized location.

The tool allows you to implement security baselines for Windows Server 2008 R2 SP1, Windows Server 2008 SP2, Windows Server 2003 SP2, Hyper-V, Windows 7, Windows Vista SP2, Windows XP SP3, BitLocker Drive Encryption, Windows Internet Explorer 9, Windows Internet Explorer 8, Microsoft Office 2010, and Microsoft Office 2007 SP2. It also lets you compare your own production GPOs against Microsoft's guidance, and you can export either Microsoft's tested baselines or your own customized baselines directly to Group Policy objects that you can import into your AD.

Thursday, August 11, 2011

Tuesday, June 14, 2011

Free online course on Implementing Forefront Identity Manager 2010

Our organization is evaluating Forefront Identity Manager 2010 (R2 when released) to see if it could be our new IdM solution. So today I was searching for some basic background information on how to implement FIM and found this free online Ramp Up course on implementing Forefront Identity Manager 2010. The course was published a year ago, but on a quick look the content still seems valid.

The course introduces and explains the features and capabilities of FIM and provides an overview of the solution scenarios that FIM addresses. As it is intended for people with no previous FIM experience, it starts from the basics. Every module has an article describing its content, a video presentation on each topic, and a virtual lab that runs directly in the browser. Looks like a great resource for learning about FIM 2010!

Monday, June 6, 2011

TechEd NA 2011 sessions online and Threats and Countermeasures Guide published

Finally recovered from the flu I caught on the way home from TechEd North America. TechEd sessions can be watched on the TechEd website even if you did not attend the conference. Signing up is needed, but it's worth it (it is free ;).

One thing I came across today was that the Threats and Countermeasures Guide: Security Settings in Windows 7 and Windows Server 2008 R2 has been published. It is a reference to the security settings that provide countermeasures for specific threats against current versions of the Windows operating systems. That is 387 pages of information about Windows 7 and 2008 R2 security settings, well worth reading.

Thursday, May 5, 2011

Resolving computer object replication conflicts

Today I had the opportunity to resolve a replication conflict on the computer object of one of our servers. Since it was quite a show, I decided to share it with you all.

First, some background on how AD handles objects and their replication. Objects in AD are uniquely identified by their distinguished name (DN). The DN is formed from the object's relative distinguished name (RDN, for example CN=computername) followed by the names of the container (OU=someOUname) and domain (DC=your,DC=domain,DC=com) that hold the object, so the example DN is CN=computername,OU=someOUname,DC=your,DC=domain,DC=com. If the DN has to be unique, there cannot be two objects that share the same RDN in the same container, right?

Right. Whenever an attribute is modified, the modification is marked with a change stamp. The stamp consists of a version number, the last write time and the GUID of the originating server. When domain controllers receive conflicting updates for the same attribute, they compare the stamps and accept the update with the higher version number. If the version numbers are equal, they compare the last write times and accept the more recent one. If both the version numbers and the time stamps are identical, the tie-breaker is the originating server's database globally unique identifier (GUID): the change coming from the server with the higher GUID wins. These GUIDs are assigned when DCs are added to the domain, and the assignment is arbitrary.

But since AD uses multimaster replication between the domain controllers of a domain, changing data at the same time (within the same replication interval) on different DCs can still result in two objects with the same name (RDN) in the same container (OU). This is most likely to happen between sites, where the replication interval is 180 minutes by default and at least 15 minutes (unless tweaked in the registry). How does AD cope with this?

When an RDN collision is detected, the DC automatically renames the object that loses the stamp comparison described above (lower version, older time stamp, or, if those tie, the lower originating-server GUID) to a unique name; the winner keeps the original name. The event may be logged in the System event log with event ID 12292 or in the Directory Service log with event ID 1226. The unique name is formed from the GUID of the object. The format of the new RDN is <objectname>\0ACNF:<objectguid>, where \0A is the reserved line feed character, CNF is a constant indicating a conflict, and objectguid is a printable representation of the objectGUID attribute value. Our example DN would then become CN=computername\0ACNF:<objectguid>,OU=someOUname,DC=your,DC=domain,DC=com. But when you try to move that object in AD, you are told that it cannot be moved because the attribute syntax specified to the directory service is invalid. The cause is that reserved line feed character, which is not visible in the RDN or name attributes as the tools display them but can be seen escaped as \0A in the distinguishedName attribute.

OK, now we know how these conflicts are born. Next we have to find out how to resolve them. If the renamed object is needed, it can be renamed to something different. However, you cannot rename a computer object using Active Directory Users and Computers. One way is to manually delete the AD objects and rejoin the computer to the domain:

  1. Make sure you know (or reset) the local administrator password, so that you can still log in if something goes wrong and domain accounts no longer work.
  2. Log in as an administrator and join the computer to a workgroup, but do NOT restart the computer!
  3. Delete the conflicting AD objects and wait for the deletion to replicate to all DCs in the domain.
  4. Join the computer back to the domain and move the new AD object to the OU where you want it to be. Do NOT restart the computer until you have read on.
  5. Now you can either wait for the newly created (and moved) object to replicate throughout the domain,
  6. or simply restart the computer. :)
  7. Finally, verify that replication is working and review your AD management procedures and processes. ;)

I played it safe and waited for the replication to happen. Of course I could have triggered replication manually, but I chose to wait since the replication interval is set to 15 minutes in our environment.

The other way I know of, and which I chose not to follow, is described in KB 297083. I haven't tested it myself, but I would imagine that it still works in 2008 and 2008 R2 domains as well.

Now you may want to check whether your own domain contains replication conflicts, and wonder how to identify such objects. You can find them by running a dsquery that looks for objects with \0ACNF: in their name:

dsquery * forestroot -filter "(name=*\0ACNF:*)"
and then looking for the same DN without the CNF part to find the objects that were not renamed.
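The search above plus the manual pairing can be done in one pass. The following is an added example and not code from the original post: it uses the Active Directory PowerShell module (Windows 7 RSAT / Windows Server 2008 R2 or later, which the post's environment has) to list every conflict-renamed object together with the object that kept the original name in the same container, so you can see both `whenChanged` values before deciding which one to keep. The OU name in the trailing comment is a placeholder.

```powershell
# Added example, not from the original post: pair each CNF-renamed object with the
# object that kept the original name in the same container.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the characters that RFC 4515 reserves inside an LDAP filter value,
    # so an object name containing ( ) * or \ cannot break the filter.
    param([Parameter(Mandatory)][string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Get-ReplicationConflictPairs {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # "\0A" is the escaped line feed that the conflict rename inserts between the
    # original RDN value and the "CNF:<objectGUID>" suffix.
    $cnfObjects = Get-ADObject -LDAPFilter '(name=*\0ACNF:*)' -SearchBase $SearchBase `
        -Properties whenChanged, objectClass

    foreach ($cnf in $cnfObjects) {
        # The name attribute carries a real LF (0x0A); split there to recover the original value.
        $originalName = ($cnf.Name -split "`nCNF:", 2)[0]
        # Everything after the first unescaped comma of the DN is the parent container.
        $parent = ($cnf.DistinguishedName -split '(?<!\\),', 2)[1]

        $filter   = '(name={0})' -f (ConvertTo-LdapFilterValue $originalName)
        $survivor = Get-ADObject -LDAPFilter $filter -SearchBase $parent -SearchScope OneLevel `
            -Properties whenChanged -ErrorAction SilentlyContinue

        $survivorDn      = if ($survivor) { $survivor.DistinguishedName } else { '(none: original name no longer present)' }
        $survivorChanged = if ($survivor) { $survivor.whenChanged } else { $null }

        [pscustomobject]@{
            OriginalName    = $originalName
            ObjectClass     = $cnf.ObjectClass
            Container       = $parent
            ConflictDN      = $cnf.DistinguishedName
            ConflictChanged = $cnf.whenChanged
            SurvivorDN      = $survivorDn
            SurvivorChanged = $survivorChanged
        }
    }
}

# Whole domain by default; narrow with -SearchBase 'OU=Servers,DC=your,DC=domain,DC=com' (placeholder) if needed.
Get-ReplicationConflictPairs | Format-List
```

An empty result means the domain currently has no conflict-renamed objects. A row whose SurvivorDN is "(none...)" means the winning object has since been deleted or moved, in which case the CNF object is the only copy left and deleting it would lose the account.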

Saturday, April 30, 2011

Group Policy for Beginners

Before preparing to celebrate the first of May, I just wanted to make a short note of Microsoft's new Group Policy for Beginners guide, released just two days ago. Since we have new admins in our company, I think they might want to read it through.

"This white paper introduces Group Policy, provides an overview of what you can do with Group Policy, describes essential concepts that you must know, and provides step-by-step instructions for the most common Group Policy tasks."

Friday, April 22, 2011

List of AD FS 2.0 related content

While looking for something completely different, I happened to come across what seems to be a great source of information on AD FS 2.0: a wiki page collecting AD FS 2.0 content from MSDN, TechNet, Microsoft Downloads and elsewhere. I have to dig into it more carefully later.

Thursday, April 14, 2011

How to update computers group memberships without reboot

I have been running into this command a few times now, so I thought I should blog it (it has already been blogged in various places, but you never find them when you need them):

klist -li 0x3e7 purge
This flushes the Kerberos TGT (and all other tickets) of the local SYSTEM logon session, which is the session the computer account authenticates in. The logon ID of the SYSTEM session is always 0x3e7 (999). You have to run this from an elevated command prompt, otherwise it won't work.

This way you can get computers to pick up group policies that are filtered by security groups without having to reboot them: the next TGT the computer obtains carries its current group memberships.
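Wrapped into a script, the same trick becomes repeatable: check elevation first, purge the SYSTEM session's tickets, then ask the Group Policy client to refresh computer policy, which makes the machine authenticate to a DC again and obtain a TGT reflecting the new groups. This is an added example, not code from the original post; the function name is my own.

```powershell
# Added example, not from the original post: refresh a computer's group memberships
# without a reboot. Run in an elevated PowerShell prompt on the affected computer.

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Update-ComputerGroupMembership {
    [CmdletBinding()]
    param()

    if (-not (Test-IsElevated)) {
        throw 'klist can only touch the SYSTEM logon session (0x3e7) from an elevated prompt.'
    }

    # 0x3e7 (999) is the logon ID of the local SYSTEM session on every Windows machine;
    # the computer account's Kerberos tickets live there.
    Write-Verbose 'Tickets held by the SYSTEM session before the purge:'
    klist -li 0x3e7 tickets | Write-Verbose

    # Drop the TGT and all service tickets of the SYSTEM session.
    klist -li 0x3e7 purge | Out-Null

    # Refreshing computer policy forces the Group Policy client to contact a DC again,
    # so the machine requests a new TGT whose PAC carries the updated group SIDs.
    gpupdate /force /target:computer | Out-Null

    # Show the fresh TGT; its issue time should be "now".
    klist -li 0x3e7 tgt
}

Update-ComputerGroupMembership -Verbose
```

Note that this only refreshes the computer's own tickets. Interactive users on the machine keep their existing TGTs, so a user added to a new group still has to log off and on (or purge their own session with `klist purge`).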

Wednesday, April 13, 2011

How to find active computers

Today I was asked how many active (not just enabled) client computers are left in our old domain waiting to be migrated to a new one. The built-in tools provide an easy way to find inactive computers, but not active ones. By default computers are required to change their password every 30 days, so we can use that to determine which ones are active. There are actually a couple of ways to find active computers in a domain. The hard way is to list all client computers in the domain and then compare the list against the inactive computers, which you can find with:
dsquery computer [<startnode>] -inactive <number of weeks>
to get computers that have been inactive (stale) for the number of weeks that you specify or
dsquery computer [<startnode>] -stalepwd <number of days>
to find computers whose passwords have not changed for the specified number of days. This comparison requires some manual work, and since we are looking for a solution that can easily be reproduced, we are not satisfied. It would be easier to query directly for all computers whose password has changed since a given date:
dsquery * [<startnode>] -filter "(&(objectCategory=computer)(pwdLastSet>=<date/time in Integer8 format>))"
But since the pwdLastSet value is stored as a large integer (Integer8) that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC), you have to convert the cutoff date into that format before you can use it as a search condition. The conversion can easily be done with VBScript, for example. I'll leave finding out how as homework for you.

I figured out that the easiest way to find out which computers have changed their passwords within specified period is to use PowerShell:
$d = [DateTime]::Today.AddDays(-60); Get-ADComputer -Filter 'PasswordLastSet -ge $d' -Properties PasswordLastSet
These two statements show you all computers that have changed their password within the last 60 days, and you can run them on one line without any comparisons or date/time conversions.

And if we are only interested in the number of active computer objects we can just count them:

@($d = [DateTime]::Today.AddDays(-60); Get-ADComputer -Filter 'PasswordLastSet -ge $d' -Properties PasswordLastSet).Count

Pretty cool, right?

For Get-ADComputer cmdlet to work you'll need to have first imported Active Directory module by running
Import-Module ActiveDirectory
which contains a lot of useful cmdlets to manage AD.
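Putting the pieces of this post together, here is an added example (not code from the original post) that does the Integer8 homework in PowerShell, prints the equivalent dsquery command, counts active computers per operating system, and also flags a case the password-age method alone misses: machines that have logged on recently but whose password is old, which usually means machine account password changes are disabled on them (the "Domain member: Disable machine account password changes" policy). The function names and the 60-day default are my own choices; the default machine password age of 30 days is the one the post mentions.

```powershell
# Added example, not from the original post: active-computer report based on machine
# account password age, with the dsquery equivalent and a cross-check on last logon.
Import-Module ActiveDirectory

function ConvertTo-Integer8 {
    # pwdLastSet is a Windows FILETIME: 100-nanosecond intervals since 1601-01-01 00:00 UTC.
    param([Parameter(Mandatory)][DateTime]$Date)
    $Date.ToFileTimeUtc()
}

function Get-ActiveComputerReport {
    [CmdletBinding()]
    param(
        [int]$Days = 60,                                         # twice the default 30-day password age
        [string]$SearchBase = (Get-ADDomain).DistinguishedName   # whole domain unless narrowed to an OU
    )

    $cutoff = [DateTime]::Today.AddDays(-$Days)

    # The same search expressed for dsquery, for hosts without the AD module.
    $ldapFilter = '(&(objectCategory=computer)(pwdLastSet>={0}))' -f (ConvertTo-Integer8 $cutoff)
    $dsquery    = 'dsquery * "{0}" -filter "{1}" -attr name pwdLastSet -limit 0' -f $SearchBase, $ldapFilter

    $common = @{
        SearchBase = $SearchBase
        Properties = 'PasswordLastSet', 'LastLogonDate', 'OperatingSystem'
    }

    # Active: enabled and password changed on or after the cutoff.
    $active = @(Get-ADComputer @common -Filter { Enabled -eq $true -and PasswordLastSet -ge $cutoff })

    # Recent logon but stale password: alive machines that a password-age-only count would miss,
    # typically because DisablePasswordChange is set on the client. lastLogonTimestamp replicates
    # only when it is more than about 14 days stale, so treat LastLogonDate as approximate.
    $stalePwd = @(Get-ADComputer @common -Filter {
        Enabled -eq $true -and PasswordLastSet -lt $cutoff -and LastLogonDate -ge $cutoff
    })

    [pscustomobject]@{
        Cutoff              = $cutoff
        DsqueryEquivalent   = $dsquery
        ActiveCount         = $active.Count
        ActiveByOS          = $active | Group-Object OperatingSystem | Sort-Object Count -Descending |
                                  Select-Object Name, Count
        RecentLogonStalePwd = $stalePwd | Select-Object Name, PasswordLastSet, LastLogonDate
    }
}

Get-ActiveComputerReport -Days 60 | Format-List
```

If RecentLogonStalePwd comes back non-empty, add those machines to your migration count by hand, or fix the password-change setting on them before relying on pwdLastSet again.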

It's alive!

Hi all,

Welcome to our Windows blog. The primary function of this blog is to be our notepad for Windows-related things. Introductions will be done later...

Most posts will probably deal with Active Directory, especially scripts and commands to modify it, but once in a while there might be a post about new product releases or other cool Windows-related stuff.

If you find it useful, or find that it contains inaccurate information, feel free to comment.