Entries tagged with ad - TechNet Edge

Server 2008 and Active Directory snapshot software at QBranch

extreme — Mon, 04 Aug 2008 07:01:00 GMT

Joachim Nasslander, Solution specialist at QBranch in Sweden, starts off by telling us about their own company's ~50 server and ~5,000 customer server environment which has been running Windows Server 2008 since 2006.

At 02:27 Fredrik Lindstrom, Developer at QBranch, tells us about active directory snapshot software he wrote to compare the snapshot versions and restore deleted objects and their values in AD. He tells us about some of the limitations and plans for the program moving forward.

At 4:06 Fredrik gives us a demo of the software.

You can download Fredrik's program here:
http://lindstrom.nullsession.com/?page_id=11

Learn more about Server 2008
Learn more about AD snapshots

Server 2008 - AD Backup and Restore PM interview

extreme — Fri, 11 Apr 2008 06:59:00 GMT

I met up with Stephanie Cheung, the program manager for active directory backup and recovery and we discuss:

What restartable AD is and when it is appropriate to use it
- Good for usage when you want to recover deleted objects without rebooting
- Bad for when you need to do a "bare metal" restore or have database corruption
Thoughts around when to do a "Dcpromo /forceremoval" versus restoring from backup. This includes discussion of restoring using install from media (IFM) and IFM for an RODC.
What the database mounting tool (DMT - old name "snapshot" tool) does and some ideas on what we're going to do to make recovery of deleted objects easier using DMT.
A best practice around preventing deletion of objects in AD (including the new "Protect object from accidental deletion" checkbox for objects).
Future thoughts for AD backup and restore, such as reducing forest recovery time
General disaster recovery tips

Windows Server 2008 - AD RODC PM interview

extreme — Wed, 19 Mar 2008 06:59:00 GMT

I met up with Gregoire Guetat, a program manager (PM) who has worked on Dcpromo, ADPrep, Replication Engine, and RODC. In this video, he tells us why the team decided to create the RODC, recommendations for best practices with RODC (RODC + Server Core and Bitlocker), his take on virtualization of DCs, why "USN Bubbles" are bad and why you can't have one on a RODC, tip on where the RODCs should point for DNS, explanation of details for two-staged DC promotions & Install from Media (IFM). Also, the DS team is planning on coming out with a white paper for guidance on having RODCs in the DMZ. He also tells us a couple other things which are coming up on the DS team and explains what interoperability there is currently with RODC and Exchange.

If you decide to tune into "Over the Edge" at ~20:45, you'll hear about where he's from in France, what are the best places to visit there, and also hear about his Whirlyball experience.

Windows Server 2008 Active Directory Auditing and FGPP PM Interview

extreme — Fri, 29 Feb 2008 07:59:00 GMT

Hear about Windows Server 2008 AD auditing and FGPP directly from the source! In this interview with Siddharth Bhai the program manager (PM) for this AD functionality, he gives us a bunch of great information.

For instance he:
- Explains the recommended practices on how to create password settings objects (PSOs) and delegate the permissions for these.

- Gives numerous reasons as to why the team made the decision for PSOs being assigned via groups and not OUs

- Tells us why the team didn't produce a more rich GUI tool to create PSOs (instead of the manual creation using ADSIedit)

- Describes why they made the decisions to include the new auditing features in WS08

- Simplifies the areas how to apply auditing (Global auditing, Schema, specific ACE per object)

- Shares thoughts on what might be coming up next with auditing and FGPP

Some resources referenced in this interview:
Windows Server 2008 Auditing AD DS Changes Step-by-Step Guide
Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration

Server 2008 Active Directory IPD guide

extreme — Fri, 22 Feb 2008 07:59:00 GMT

In this interview, I met up with Charles Denny on the solutions accelerator team who is in charge of the infrastructure and planning guide for AD (this is the next generation of the (WSSRA) guides. We talk about the purpose of this guide and dig into information in the guide which might be useful to you such as his viewpoint on one of the most difficult business decisions which need to be made in an AD environment.

There is tons of documentation out there on how to technically do things with AD, but until now with the IPD, there is not very much with how to successfully design your infrastructure and the decisions which need to be made along the way. For instance, divestitures in deciding what forest design to choose is one important factor to consider. This guide will help you in migrating to Windows Server 2008 from a needed angle.

To take a look at the beta to the TS and AD guides, go to the Connect site by clicking here if new or here if already enrolled.

Also, the guides for the below can be found here:

Infrastructure Planning and Design Series Introduction

Selecting the Right Virtualization Technology

SoftGrid Application Virtualization

Windows Server Virtualization (for Windows Server 2008 virtualization and Virtual Server 2005 R2 SP1)

Linux / Samba / Unix and Microsoft Integration chat with Ralf Wigand

extreme — Thu, 29 Nov 2007 18:00:00 GMT

While I was at IT Forum, I attended Ralf Wigand's IDA406 session entitled: "Broaden your Active Directory Horizon – Linux Authentication" and thought it would be great to interview him. Ralf is on the IT staff from the University of Karlsruhe and has worked with Linux since the days of Minix.

In this interview we talked about where he currently commonly sees environment integration with Linux / Unix and Services for Unix (SFU), the benefits of each operating system platform, and where he would like to see the Microsoft / Linux integration story moving forward. He gives tips on common mistakes and best practices with integration of Linux/Samba and Microsoft servers and resources on where to go to make this happen.

What are your thoughts on Microsoft and Linux / Unix integration?

Windows Server 2008 - Active Directory Auditing Enhancements

extreme — Thu, 29 Nov 2007 01:00:00 GMT

I hope this post will act as a good reference point to be able to quickly understand the good and bad about new AD auditing enhancements and then enable you to dive deeper at will using the links in this article.

There’s nothing more exciting than auditing right? Well, check this out and hopefully it will spark some interest.

In Windows Server 2003 R2 and prior, the auditing of active directory certainly has not been a strong point. You would enable or disable global AD auditing for success or failures, set a SACL on the objects you wanted to monitor, and then typically one or both of the following would happen:

Your security event log fills up with way more security events than you’d ever hoped for, possibly wrapping or ballooning the size of the security log.
Auditing doesn’t actually provide enough information for you to make any use of the events which are recorded in the security event log. i.e. it only says who was successful at modifying the object, but nothing on the details of the value(s) which were changed.

In Server 2008, we are on a good path to fix this pain. Some of the key improvements to AD auditing are as follows:

You can limit the number of attributes which are audited for object types. For instance, you only want to know if the Employee’s Pay Level attribute is modified for all user accounts and nothing else.
Auditing is now broken into four categories: Access (same as 2000/2003), Changes, Replication, and Detailed Replication. The most interesting come from the new changes category:
- AD DS logs the previous and current values of the attribute. If the attribute has more than one value, only the values that change as a result of the modify operation are logged.
- If a new object is created, values of the attributes that are populated at the time of creation are logged.
- If an object is moved, the previous and new location (distinguished name) is logged for moves within the domain. When an object is moved to a different domain, a create event is generated on the domain controller in the target domain.
- If an object is undeleted, the location where the object is moved to is logged.

What are the downfalls?

You have to modify the schema in order to limit the number of attributes which are audited per object type. This isn’t really difficult, but it would be nice if there were some friendlier type way to do it.
You cannot view or modify the audit policy subcategories with the Local Group Policy Editor (GPedit.msc). You can only do this with the command-line tool Auditpol.exe.
As far as I can tell, you can’t limit auditing to different specific attributes for a subset of the same type of object. For instance, you would like to audit attributes X, Y, Z for all admin user accounts, but only attribute X for all regular user accounts. Of course you have some control over this with your SACLs…

Get Started:

A screencast on How to enable granular AD auditing in WS08 (coming in the future from me)
Windows Server 2008 Auditing AD DS Changes Step-by-Step Guide
TechNet - AD DS: Auditing
Windows Networking Site AD enhancements overview
MS Directory Services Team Blog Post on WS08 Auditing Enhancements

Microsoft IT Active Directory Interview with Brian Puhl

extreme — Wed, 28 Nov 2007 00:00:00 GMT

We sat down with Brian Puhl who has been working for Microsoft IT (MSIT) on the deployment, maintenance, planning of their active directory infrastructure since around Windows Server 2000. Learn about how Microsoft does AD from the source and also the projects they're working on. A seamless experience for your corporate users inside the corporate network and out on the internet, without using a VPN? Smartcard login/authentication for all MS employees? Average of 1 Schema change every 4 months?