More “RTM” Documentation For Windows Server 2012 Appeared Overnight

You know that an RTM is coming when the trickle of final documentation becomes a stream out of Microsoft.  We had a few guides appear last week; 3 appeared overnight:

  • Microsoft Multipath I/O (MPIO) Users Guide for Windows Server 2012: This document details changes in MPIO in Windows Server 2012, as well as providing configuration guidance via the GUI, or via our new MPIO module for Windows PowerShell, which is new for Windows Server 2012.
  • Combined Active Directory Schema Classes and Attributes for Windows Server: This download contains the classes and attributes in the Active Directory schema for Windows Server. It contains the classes and attributes for both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). There are individual text files in LDIF format, which are also bundled into an archive file for single download, if desired. Each file contains the classes or attributes, as appropriate, for the entire Active Directory schema, although system-generated (or instance-specific) properties have been removed to simplify machine parsing. The file names indicate the following: whether a file is for AD DS or AD LDS, whether it contains classes or attributes, and the version of Windows Server for which the file is intended.
  • Application Compatibility and API Support for SMB 3.0, CSVFS, and ReFS: The Application Compatibility with Resilient File System document provides an introduction to Resilient File System (ReFS) and an overview of changes that are relevant to developers interested in ensuring application compatibility with ReFS. The File Directory Volume Support spreadsheet provides documentation for APIs support for SMB 3.0, CSVFS, and ReFS that fall into the following categories: file management functions, directory management functions, volume management functions, security functions, file and directory support codes, volume control code, and memory mapped files.

Won’t be long now.

Virtual Domain Controllers and Windows Server 2012 Improvements

There have been a number of concerns when it comes to virtualising domain controllers.  The biggest of these is KB888794, which is an updated version of an article that I first encountered years previously, maybe in 2004.

USN Rollback

Basically, we had to treat any virtual domain controller like it was a physical installation.  That meant:

  • No snapshots
  • No recovering the DC from VM (host/storage level) backups
  • Don’t do anything to manipulate the virtual DC’s VM storage, such as copy/clone/etc

This was because the VM would “time travel”, effectively screwing up the USNs that are used to track AD object replication and possibly causing the reuse of RID pools – in other words, completely frakking your AD and making you wish that you had paid up for that Microsoft Premier support contract.

Physical DC Required

One of the frustrating things, especially for small and medium enterprises (SMEs) or smaller branch offices, was that they needed a local physical domain controller to enable a Hyper-V cluster.  Such a company might only need two hosts, but had to add another physical machine (small as it was) to enable the cluster to function.

That was the scenario up to now.  Enter Windows Server 2012.

Bootstrapping

Windows Server 2012 Failover Clusters have a new feature called bootstrapping.  It’s been mentioned in public but I’ve not seen any documentation on it yet.  In short, this allows a failover cluster to power up and start working without the presence of a physical domain controller.  The premise is that you instead run virtual domain controllers, hosted on the Hyper-V cluster itself.

That means that you don’t need the physical domain controller.  That’s a major saver for the SME or the branch office.

Virtual DCs are OK

If we’re OK with the idea of virtual domain controllers, then how do we deal with them?  How do we back them up easily?  In a true cloud where there might be a one-size-fits-all backup policy, how do admins (with zero knowledge of VM contents/roles) safely back up virtual domain controllers that might be legitimately created by the cloud’s tenants?

VM-GenerationID and Safe DC Virtualisation

Microsoft has come up with a new mechanism called VM-GenerationID (also seen documented on TechNet and blogged as Generation ID, VM Generation ID, VM-Generation ID and GenID).  It is an attribute called msDS-GenerationID of the DC’s computer object in AD.  This is normally kept in sync with the directory information tree (DIT) if everything is OK with the replication of the DC.

If something happens to the DC VM, such as a snapshot being applied or a backup of the VM being restored, then the VM effectively travels back in time, potentially causing a USN rollback and enabling RID reuse.  But the DC compares the VM-GenerationID and the DIT version number.  If they are different then the DC is aware there is a problem.  The RID pool is discarded, a new one created, and a USN rollback is prevented.

Windows Server 2012 Hyper-V is the only hypervisor at this time to support this feature, and the virtual DCs must be running Windows Server 2012.

But There’s More – Rapid Deployment of DCs

Wouldn’t it be nice if you could clone domain controllers?  Normally you cannot.  But this new VM-GenerationID feature, combined with some other work done by Microsoft in WS2012, enables you to export/import virtual DCs to clone new DCs with very little effort.

The process is simple enough:

  1. Have a PDC Emulator that is running WS2012.  This DC will not be cloned.
  2. Create a new virtual DC running WS2012. 
  3. Add the new template DC to a domain security group called Cloneable Domain Controllers.  This allows domain admins to restrict which (if any) DCs can be cloned.
  4. On the template DC, run Get-ADDCCloningExcludedApplicationList to see if any installed programs/services on the DC can be cloned (check with vendors).  Uninstall any that cannot support cloning.
  5. Run Get-ADDCCloningExcludedApplicationList -GenerateXml on the template DC.
  6. Back on the template DC, run New-ADDCCloneConfigFile to create an XML answer file to configure name, IP, etc, for the new DC VM that you are about to create.
  7. The last step creates a file called DCCloneConfig.xml.  Place this in either the directory where the DIT resides, %windir%\NTDS, or the root of a removable media drive (maybe a SCSI attached blank VHD?)
  8. Stop and export the template VM.
  9. Import the VM to create a new DC VM.
  10. Start the new VM, and you should now have a new DC.

I haven’t had a chance to try this out yet.  I’ll try to update this if I find the MSFT TechNet page is lacking.
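The ten steps above in PowerShell form, with the pre-flight checks a cautious admin would want first, and a final check of the msDS-GenerationID attribute described in the VM-GenerationID section. This is an added example, not code from the original post or from Microsoft's documentation; the names DC01 (template), DC02 (clone), HV01 (Hyper-V host), the 10.0.0.x addresses and the D:\ paths are placeholders.

```powershell
# Added example (not from the original post). Run from a WS2012 machine with the
# ActiveDirectory module (RSAT) and remoting to the template DC and Hyper-V host.
Import-Module ActiveDirectory

$TemplateDc          = 'DC01'   # placeholder: DC to be cloned
$CloneName           = 'DC02'   # placeholder: name of the new DC
$HyperVHost          = 'HV01'   # placeholder: host running the template VM
$ExcludedAppsApproved = $false  # set $true only after vendors have confirmed clone support

# Step 1: the PDC emulator must be a WS2012 DC (it is never cloned itself).
$pdcName = ((Get-ADDomain).PDCEmulator -split '\.')[0]
$pdc     = Get-ADComputer -Identity $pdcName -Properties OperatingSystem
if ($pdc.OperatingSystem -notmatch 'Windows Server 2012') {
    throw "PDC emulator $pdcName runs '$($pdc.OperatingSystem)'; DC cloning needs a WS2012 PDCE."
}

# Step 3: membership of this group is what authorises a DC to be cloned. Only the
# template goes in, and the group deserves the same review as Domain Admins.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer -Identity $TemplateDc)

# Steps 4 to 7 run on the template DC itself.
Invoke-Command -ComputerName $TemplateDc -ScriptBlock {
    # Step 4: programs/services not on the built-in allow list. Each must be
    # uninstalled, or confirmed clone-safe by its vendor, before going further.
    $excluded = Get-ADDCCloningExcludedApplicationList
    if ($excluded -and -not $using:ExcludedAppsApproved) {
        $excluded | Format-Table Name, Type -AutoSize | Out-String | Write-Warning
        throw 'Uninstall the listed applications or get vendor sign-off, then re-run.'
    }
    # Step 5: record the reviewed list as CustomDCCloneAllowList.xml in the NTDS folder.
    if ($excluded) { Get-ADDCCloningExcludedApplicationList -GenerateXml -Force }

    # Steps 6 and 7: write DCCloneConfig.xml (default location is %windir%\NTDS).
    # The cmdlet repeats the PDCE, group and allow-list checks and fails if any is wrong.
    New-ADDCCloneConfigFile -CloneComputerName $using:CloneName -Static `
        -IPv4Address '10.0.0.12' -IPv4SubnetMask '255.255.255.0' `
        -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.11' `
        -SiteName 'Default-First-Site-Name'
}

# Steps 8 to 10 run on the Hyper-V host. Export the stopped template, then import
# it as a COPY with a new VM ID: the copy boots with a new VM-GenerationID, which
# is what tells the guest DC it is a clone and makes it consume DCCloneConfig.xml.
Invoke-Command -ComputerName $HyperVHost -ScriptBlock {
    Stop-VM   -Name $using:TemplateDc
    Export-VM -Name $using:TemplateDc -Path 'D:\Export'
    Start-VM  -Name $using:TemplateDc     # the template carries on as before

    $config = Get-ChildItem "D:\Export\$using:TemplateDc\Virtual Machines" |
        Where-Object { $_.Extension -in '.xml', '.vmcx' } |   # WS2012 exports .xml; 2016+ .vmcx
        Select-Object -First 1
    $clone = Import-VM -Path $config.FullName -Copy -GenerateNewId `
        -VirtualMachinePath "D:\VMs\$using:CloneName" -VhdDestinationPath "D:\VMs\$using:CloneName"
    Rename-VM -VM $clone -NewName $using:CloneName
    Start-VM  -VM $clone
}

# Afterwards: list the VM-GenerationID each DC last recorded in msDS-GenerationId.
# Each DC is asked about itself so the locally stored value is read. The clone
# must show a value different from the template's; an empty value means that DC
# runs on hardware or a hypervisor that exposes no generation ID, so restoring a
# snapshot or VM backup of it is NOT protected against USN rollback.
function Get-DcGenerationId {
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        $obj = Get-ADComputer -Server $dc.HostName -Identity $dc.ComputerObjectDN -Properties 'msDS-GenerationId'
        $gen = $obj.'msDS-GenerationId'
        $hex = if ($gen) { [System.BitConverter]::ToString($gen) -replace '-' } else { $null }
        [pscustomobject]@{ DC = $dc.HostName; GenerationId = $hex; SafeToRestore = [bool]$gen }
    }
}
Get-DcGenerationId | Format-Table -AutoSize   # run once the clone has finished promoting
```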

Summary

What all this means is that with Windows Server 2012 and a hypervisor that is VM-GenerationID aware (WS2012 Hyper-V) then you can safely virtualise your domain controllers, and treat them just like any other VM, something that is of great importance in a true cloud.


Windows Server 8 Beta Downloads and Documentation

Microsoft released a lot of documentation/downloads to go with the Windows Server 8 beta release of last week.  Here’s your chance to start learning and playing:

  • Understand and Troubleshoot Virtualized Domain Controller (VDC) in Windows Server "8" Beta: Windows Server "8" Beta introduces the first specific virtualization capabilities to Active Directory Domain Services. Virtualized Domain Controller (VDC) takes lessons learned from twelve years of virtualizing Active Directory and makes a more supportable, more flexible, more intuitive administrative experience for architects and administrators.
  • Test Lab Guide: Demonstrate Virtualized Domain Controller (VDC) in Windows Server "8" Beta: This document contains instructions for setting up the Virtualized Domain Controller test lab through: • Deploying a virtualized domain controller through cloning • Safely restoring a domain controller snapshot
  • Test Lab Guide: Base Test Lab Guide for Windows Server "8" Beta: This Microsoft Test Lab Guide (TLG) provides you with step-by-step instructions to create the Windows Base Configuration test lab, using computers running Windows 8 Consumer Preview or Windows Server “8” Beta. With the resulting test lab environment, you can build test labs based on other Windows Server "8" Beta-based TLGs from Microsoft, TLG extensions in the TechNet Wiki, or a test lab of your own design that can include Microsoft or non-Microsoft products. For a test lab based on physical computers, you can image the drives for future test labs. For a test lab based on virtual machines, you can create snapshots of the base configuration virtual machines. This enables you to easily return to the base configuration test lab, where most of the routine infrastructure and networking services have already been configured, so that you can focus on building a test lab for the product, technology, or solution of interest.
  • Creating Continuously Available File Shares with Windows Server “8” Beta: Windows Server “8” Beta contains a set of continuously available storage solutions that provide a cost effective alternative to an expensive storage area network (SAN) without sacrificing availability and performance. These solutions are targeted towards both traditional information worker workloads and application workloads, and they span the scalability and price point needs for different market segments, with systems going from entry-level sub-$10k solutions to scale-out solutions with up to 400 drives. These solutions are based on software developed by several teams at Microsoft, hardware that is already in the market and hardware that is being developed in cooperation with industry partners. This white paper introduces the reader to these new and enhanced features of Windows Server “8” Beta.
  • Understand and Troubleshoot Scale-out File Servers in Windows Server "8" Beta: This Understanding and Troubleshooting Guide (UTG) enables you to learn technical concepts, functionality, and troubleshooting methods for Scale-Out File Servers in Windows Server “8” Beta. This UTG provides you with: • A technical overview and functional description of this feature. • Technical concepts to help you successfully install, configure, and manage this feature. • User Interface options and settings for configuration and management. • Relevant architecture of this feature, with dependencies, and technical implementation. • Primary troubleshooting tools and methods for this feature.
  • Understand and Troubleshoot Storage Spaces in Windows Server "8" Beta: This Understanding and Troubleshooting Guide (UTG) enables you to learn technical concepts, functionality, and troubleshooting methods for Storage Spaces in Windows Server “8” Beta. This UTG provides you with: • A technical overview and functional description of this feature. • Technical concepts to help you successfully install, configure, and manage this feature. • User Interface options and settings for configuration and management. • Relevant architecture of this feature, with dependencies, and technical implementation. • Primary troubleshooting tools and methods for this feature.
  • Understand and Troubleshoot Microsoft Online Backup Service in Windows Server "8" Beta (!?!?!?!?): This Understand and Troubleshoot Guide (UTG) enables you to learn technical concepts, functionality, and troubleshooting methods for Microsoft Online Backup Service in Windows Server “8” Beta. This UTG provides you with: • A technical overview and functional description of this feature. • Technical concepts to help you successfully install, configure, and manage this feature. • User Interface options and settings for configuration and management. • Relevant architecture of this feature, with dependencies, and technical implementation. • Primary troubleshooting tools and methods for this feature.
  • Test Lab Guide: Demonstrate DNS Security Extensions (DNSSEC) in Windows Server "8" Beta: DNS Security Extensions (DNSSEC) is a suite of extensions that add security to the DNS protocol. RFCs 4033, 4034, 4035, and 5155 specify the core DNSSEC extensions and add origin authority, data integrity, and authenticated denial of existence to DNS. In addition to several new concepts and operations for both the DNS server and the DNS client, DNSSEC introduces new resource records (DNSKEY, RRSIG, NSEC, NSEC3, and DS) to DNS.
  • Test Lab Guide: Demonstrate IP Address Management (IPAM) in Windows Server "8" Beta: Internet Protocol Address Management (IPAM) is a framework for discovering, monitoring, auditing, and managing the Internet Protocol (IP) address space used in a network. IPAM in Windows Server "8" Beta provides components for IP address space management, audit of configuration changes, monitoring and management of DHCP and DNS services, and IP address usage tracking.
  • Understand and Troubleshoot DHCP Failover in Windows Server "8" Beta: This Understand and Troubleshoot Guide (UTG) enables you to learn technical concepts, functionality, and troubleshooting methods for DHCP Failover in Windows Server “8” Beta. This UTG provides you with: • A technical overview and functional description of this feature. • Technical concepts to help you successfully install, configure, and manage this feature. • User Interface options and settings for configuration and management. • Relevant architecture of this feature, with dependencies, and technical implementation. • Primary troubleshooting tools and methods for this feature.
  • Test Lab Guide: Demonstrating DHCP Failover in Windows Server "8" Beta: Dynamic Host Configuration Protocol (DHCP) failover in Windows Server "8" Beta provides the ability for administrators to deploy a highly resilient DHCP service to support a large enterprise. The main goals of the feature are the following. • Provide DHCP service availability at all times on the enterprise network • If a DHCP server is no longer reachable, the DHCP client is able to extend the lease on its current IP address by contacting another DHCP server on the enterprise network.
  • Understand and Troubleshoot Printing in Windows Server "8" Beta: This Understand and Troubleshoot Guide (UTG) enables you to learn technical concepts, functionality, and troubleshooting methods for Printing in Windows Server “8” Beta. This UTG provides you with: • A technical overview and functional description of this feature. • Technical concepts to help you successfully install, configure, and manage this feature. • User Interface options and settings for configuration and management. • Relevant architecture of this feature, with dependencies, and technical implementation. • Primary troubleshooting tools and methods for this feature.
  • Test Lab Guide: Demonstrate Windows Server "8" Beta Print and Document Services: This paper contains an introduction to Windows Server "8" Beta Printing and step-by-step instructions for extending the Test Lab Guide Base Configuration to demonstrate Printing Services in Windows Server "8" Beta.

  • Understand and Troubleshoot High Availability Printing in Windows Server "8" Beta: This Understand and Troubleshoot Guide (UTG) enables you to learn technical concepts, functionality, and troubleshooting methods for High Availability Printing in Windows Server “8” Beta. This UTG provides you with: • A technical overview and functional description of this feature. • Technical concepts to help you successfully install, configure, and manage this feature. • User Interface options and settings for configuration and management. • Relevant architecture of this feature, with dependencies, and technical implementation. • Primary troubleshooting tools and methods for this feature.
  • Understand and Troubleshoot Activation Technologies in Windows Server "8" Beta: This Understand and Troubleshoot Guide (UTG) enables you to learn technical concepts, functionality, and troubleshooting methods for Activation Technologies in Windows Server “8” Beta. This UTG provides you with: • A technical overview and functional description of this feature. • Technical concepts to help you successfully install, configure, and manage this feature. • User Interface options and settings for configuration and management. • Relevant architecture of this feature, with dependencies, and technical implementation. • Primary troubleshooting tools and methods for this feature.
  • Understand and Troubleshoot AD DS Simplified Administration in Windows Server "8" Beta: This Understand and Troubleshoot Guide (UTG) enables you to learn technical concepts, functionality, and troubleshooting methods for AD DS Simplified Administration in Windows Server “8” Beta. This UTG provides you with: • A technical overview and functional description of this feature. • Technical concepts to help you successfully install, configure, and manage this feature. • User Interface options and settings for configuration and management. • Relevant architecture of this feature, with dependencies, and technical implementation. • Primary troubleshooting tools and methods for this feature.
  • Test Lab Guide: Demonstrate ADDS Simplified Administration in Windows Server "8" Beta: This document contains instructions for setting up the AD DS Simplified Administration test lab through: • Graphically upgrading an existing Active Directory forest by adding the first Windows Server "8" Beta GUI domain controller • Adding an additional Windows Server "8" Beta Core domain controller using Windows PowerShell • Adding an additional Windows Server "8" Beta Core domain controller using Windows RSAT from a Windows 8 Consumer Preview computer • Decommissioning the original legacy domain controller • Using new AD DS graphical and Windows PowerShell features for further configuration and administration
  • Understand and Troubleshoot Dynamic Access Control in Windows Server "8" Beta: This Understand and Troubleshoot Guide (UTG) enables you to learn technical concepts, functionality, and troubleshooting methods for Dynamic Access Control in Windows Server “8” Beta. This UTG provides you with: • A technical overview and functional description of this feature. • Technical concepts to help you successfully install, configure, and manage this feature. • User Interface options and settings for configuration and management. • Relevant architecture of this feature, with dependencies, and technical implementation. • Primary troubleshooting tools and methods for this feature.
  • Understand and Troubleshoot Cluster-Aware Updating (CAU) in Windows Server "8" Beta: This Understanding and Troubleshooting Guide (UTG) enables you to learn technical concepts, functionality, and troubleshooting methods for Cluster-Aware Updating in Windows Server “8” Beta. This UTG provides you with: • A technical overview and functional description of this feature. • Technical concepts to help you successfully install, configure, and manage this feature. • User Interface options and settings for configuration and management. • Relevant architecture of this feature, with dependencies, and technical implementation. • Primary troubleshooting tools and methods for this feature.
  • Understand and Troubleshoot Hyper-V Replica in Windows Server "8" Beta: This Understanding and Troubleshooting Guide (UTG) enables you to learn technical concepts, functionality, and troubleshooting methods for Hyper-V Replica in Windows Server “8” Beta. This UTG provides you with: • A technical overview and functional description of this feature. • Technical concepts to help you successfully install, configure, and manage this feature. • User Interface options and settings for configuration and management. • Relevant architecture of this feature, with dependencies, and technical implementation. • Primary troubleshooting tools and methods for this feature.
  • Understand and Troubleshoot Remote Desktop Services Desktop Virtualization in Windows Server "8" Beta: This Understand and Troubleshoot Guide (UTG) enables you to learn technical concepts, functionality, and troubleshooting methods for Desktop Virtualization in Windows Server “8” Beta. This UTG provides you with: • A technical overview and functional description of this feature. • Technical concepts to help you successfully install, configure, and manage this feature. • User Interface options and settings for configuration and management. • Relevant architecture of this feature, with dependencies, and technical implementation. • Primary troubleshooting tools and methods for this feature.
  • Understand and Troubleshoot DNS Security Extensions (DNSSEC) in Windows Server "8" Beta: This Understand and Troubleshoot Guide (UTG) enables you to learn technical concepts, functionality, and troubleshooting methods for DNS Security Extensions (DNSSEC) in Windows Server “8” Beta. This UTG provides you with: • A technical overview and functional description of this feature. • Technical concepts to help you successfully install, configure, and manage this feature. • User Interface options and settings for configuration and management. • Relevant architecture of this feature, with dependencies, and technical implementation. • Primary troubleshooting tools and methods for this feature.
  • Understand and Troubleshoot IP Address Management (IPAM) in Windows Server "8" Beta: This Understand and Troubleshoot Guide (UTG) enables you to learn technical concepts, functionality, and troubleshooting methods for IP Address Management (IPAM) in Windows Server “8” Beta. This UTG provides you with: • A technical overview and functional description of this feature. • Technical concepts to help you successfully install, configure, and manage this feature. • User Interface options and settings for configuration and management. • Relevant architecture of this feature, with dependencies, and technical implementation. • Primary troubleshooting tools and methods for this feature.
  • Understand and Troubleshoot Remote Access in Windows Server "8" Beta: This Understand and Troubleshoot Guide (UTG) enables you to learn technical concepts, functionality, and troubleshooting methods for Remote Access in Windows Server "8" Beta. This UTG provides you with: • A technical overview and functional description of this feature. • Technical concepts to help you successfully install, configure, and manage this feature. • User Interface options and settings for configuration and management. • Relevant architecture of this feature, with dependencies, and technical implementation. • Primary troubleshooting tools and methods for this feature.
  • Test Lab Guide: Demonstrate DirectAccess Single Server Setup with Mixed IPv4 and IPv6 in Windows Server "8" Beta: DirectAccess provides users with the experience of being seamlessly connected to their intranet any time they have Internet access. When DirectAccess is enabled, requests for intranet resources (such as email servers, shared folders, or intranet websites) are securely directed to the intranet, without the need for users to connect to a VPN. DirectAccess enables increased productivity for a mobile workforce by offering the same connectivity experience both inside and outside of the office. The Windows Routing and Remote Access Server (RRAS) provides traditional VPN connectivity for legacy clients and non-domain members. RRAS also provides site-to-site connections between servers. RRAS in Windows Server 2008 R2 cannot coexist on the same edge server with DirectAccess, and must be deployed and managed separately from DirectAccess. Windows Server "8" Beta combines the DirectAccess feature and the RRAS role service into a new unified server role. This new Remote Access server role allows for centralized administration, configuration, and monitoring of both DirectAccess and VPN-based remote access services. Additionally, Windows Server "8" Beta DirectAccess provides multiple updates and improvements to address deployment blockers and provide simplified management. This guide provides step-by-step instructions for configuring DirectAccess in a single server deployment with mixed IPv4 and IPv6 resources in a test lab to demonstrate functionality of the deployment experience. You will set up and deploy DirectAccess based on the Windows Server "8" Beta Base Configuration using five server computers and two client computers. The resulting test lab simulates an intranet, the Internet, and a home network, and demonstrates DirectAccess in different Internet connection scenarios.
  • Test Lab Guide: Demonstrate High Availability Printing in Windows Server "8" Beta: This paper contains instructions for setting up a test lab based on the Test Lab Guide Base Configuration and deploying a highly available Windows Server "8" Beta Print Server using three server computers and one client computer. The resulting High Availability Printing test lab demonstrates Windows Server "8" Beta Print Server functionality.
  • Understand and Troubleshoot BitLocker in Windows Server "8" Beta: This Understand and Troubleshoot Guide (UTG) enables you to learn technical concepts, functionality, and troubleshooting methods for BitLocker in Windows Server “8” Beta. This UTG provides you with: • A technical overview and functional description of this feature. • Technical concepts to help you successfully install, configure, and manage this feature. • User Interface options and settings for configuration and management. • Relevant architecture of this feature, with dependencies, and technical implementation. • Primary troubleshooting tools and methods for this feature.
  • Understand and Troubleshoot Servicing in Windows Server "8" Beta: This Understand and Troubleshoot Guide (UTG) enables you to learn technical concepts, functionality, and troubleshooting methods for Servicing in Windows Server “8” Beta. This UTG provides you with: • A technical overview and functional description of this feature. • Technical concepts to help you successfully install, configure, and manage this feature. • User Interface options and settings for configuration and management. • Relevant architecture of this feature, with dependencies, and technical implementation. • Primary troubleshooting tools and methods for this feature.
  • Test Lab Guide: Demonstrate Remote Desktop Services Desktop Virtualization in Windows Server "8" Beta: This paper contains instructions for setting up a test lab based on the Test Lab Guide Base Configuration and deploying Remote Desktop Services Desktop Virtualization using four server computers and one client computer. The resulting Remote Desktop Services Desktop Virtualization test lab demonstrates Desktop Virtualization functionality.
  • Understand and Troubleshoot Remote Desktop Services in Windows Server "8" Beta: This Understand and Troubleshoot Guide (UTG) enables you to learn technical concepts, functionality, and troubleshooting methods for Remote Desktop Services in Windows Server “8” Beta. This UTG provides you with: • A technical overview and functional description of this feature. • Technical concepts to help you successfully install, configure, and manage this feature. • User Interface options and settings for configuration and management. • Relevant architecture of this feature, with dependencies, and technical implementation. • Primary troubleshooting tools and methods for this feature.
  • Test Lab Guide: Demonstrate Remote Desktop Services in Windows Server "8" Beta: Remote Desktop Services (RDS) in Windows Server "8" Beta provides the ideal platform for companies to implement a centralized desktop strategy, helping organizations improve flexibility and compliance while improving data security and IT’s ability to manage desktops and applications. RDS is a centralized desktop and application platform solution that uses Desktop Virtualization and VDI technologies, offering powerful opportunities for IT to deliver and manage corporate desktops and to respond to users’ needs in a flexible way. Remote Desktop Services is the new name for Terminal Services, and reflects the expanded role in Windows Server "8" Beta so that you can run the desktop or applications in the datacenter while your users can be anywhere. This paper contains instructions for setting up a test lab based on the Test Lab Guide Base Configuration and deploying Remote Desktop Services Desktop Virtualization using four server computers and one client computer. The resulting Remote Desktop Services Desktop Virtualization test lab demonstrates Desktop Virtualization functionality.
  • Test Lab Guide-Deploying RD Licensing: Use this test lab guide to install Remote Desktop Services client access licenses (RDS CALs) for Windows Server “8” Beta. This test lab guide uses the VDI standard deployment test lab as a starting place. Complete the steps in Test Lab Guide: Virtual Desktop Infrastructure standard deployment before you proceed with the remainder of the steps in this guide.

Before You Install System Center … Clean Up Those Computer Accounts

First, I hope you’ve done some planning/architecture/proof of concept.  Next, clean up the environment.  Products that deploy agents, such as System Center Essentials (SCE), Configuration Manager (SCCM/ConfigMgr), and Operations Manager (SCOM/OpsMgr), will allow you to track the success of agent deployment.  And if your network is like most others I’ve encountered over the years, nobody has bothered to clean up the inactive/obsolete computer accounts.  The product’s computer discovery will most likely be based on computer accounts found in Active Directory.  It may find computer accounts that have been there since 2000 and are no longer valid.  It may find 50% more computer accounts than actually exist.

Before you deploy agents you need to do some spring cleaning.

Computer Accounts

My favourite tool for this in the past was oldcmp.  The page doesn’t list Windows 2008 or 2008 R2.  I last used it with Windows Server 2008 in a lab and it worked fine.  It allowed you to work with user and computer accounts:

  • Report only
  • Disable
  • Move and disable (to a “disabled” OU)
  • Delete

The last time I was an admin of a large environment I was very fussy about inactive accounts.  We used to run oldcmp as a scheduled task on a monthly basis.

If you want something that is supported then try this.  Identify & disable computer accounts that were inactive for the last 4 weeks:

dsquery computer -inactive 4 | dsmod computer -disabled yes

Then you can identify and delete computer accounts that have been inactive for the last 8 weeks:

dsquery computer -inactive 8 | dsrm computer

Put that in a script and run it every month and you’ll automate the cleanup nicely.  Inactive machines for the last 4 weeks will be disabled and you can re-enable them if a user complains.  After 8 weeks, they get completely removed.  If you have people away for longer periods then you can extend this, e.g. disable after 26 weeks and delete after 52 weeks.  Or you might bundle that caution about deleting with a secure mindset, e.g. disable after 4 weeks and delete after 52 weeks.

Note: dsquery, dsmod, and dsrm can be easily used for lots more, e.g. user accounts. Check the help (at command prompt) and test-test-test before putting it into use.  You probably can do all of this with PowerShell and the useful –whatif flag.
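The disable-then-delete policy above as a PowerShell function that honours -WhatIf, so the dry run the note recommends is a single switch. This is an added example, not the author's script; it assumes the ActiveDirectory module (RSAT) and that domain controllers sit in the default Domain Controllers OU, and the OU path and week counts are placeholders.

```powershell
# Added example (not from the original post): disable stale computer accounts
# after $DisableAfterWeeks and delete them after $DeleteAfterWeeks, mirroring
# "dsquery computer -inactive N | dsmod computer -disabled yes" and
# "dsquery computer -inactive M | dsrm computer" with two safety rails:
# domain controllers are skipped, and only accounts THIS cleanup disabled are deleted.
function Invoke-StaleComputerCleanup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$DisableAfterWeeks = 4,
        [int]$DeleteAfterWeeks  = 8,
        [string]$DisabledOU                 # optional parking OU, e.g. 'OU=Disabled Computers,DC=corp,DC=example' (placeholder)
    )
    Import-Module ActiveDirectory
    $tag  = 'stale-account cleanup'
    $dcOu = "OU=Domain Controllers,$((Get-ADDomain).DistinguishedName)"

    # lastLogonTimestamp, which both -inactive and -AccountInactive read, replicates
    # at most every 14 days, so "4 weeks" really means 4 to 6 weeks. Never go below 2.
    if ($DisableAfterWeeks -lt 2 -or $DeleteAfterWeeks -le $DisableAfterWeeks) {
        throw 'Need DisableAfterWeeks >= 2 and DeleteAfterWeeks > DisableAfterWeeks.'
    }

    # Stage 1: disable, and stamp the Description so whoever finds it knows why.
    $toDisable = Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays(7 * $DisableAfterWeeks)) -ComputersOnly |
        Where-Object { $_.Enabled -and $_.DistinguishedName -notlike "*,$dcOu" }
    foreach ($acct in $toDisable) {
        if ($PSCmdlet.ShouldProcess($acct.Name, "disable (last logon $($acct.LastLogonDate))")) {
            $stamp = "Disabled $(Get-Date -Format yyyy-MM-dd) by $tag; last logon $($acct.LastLogonDate)"
            Set-ADComputer   -Identity $acct.DistinguishedName -Description $stamp
            Disable-ADAccount -Identity $acct.DistinguishedName
            if ($DisabledOU) { Move-ADObject -Identity $acct.DistinguishedName -TargetPath $DisabledOU }
        }
    }

    # Stage 2: delete, but only accounts carrying the stage-1 stamp. An account an
    # admin disabled on purpose (a quarantined or seized machine, say) is left alone.
    $toDelete = Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays(7 * $DeleteAfterWeeks)) -ComputersOnly |
        Where-Object { -not $_.Enabled -and $_.DistinguishedName -notlike "*,$dcOu" }
    foreach ($acct in $toDelete) {
        $desc = (Get-ADComputer -Identity $acct.DistinguishedName -Properties Description).Description
        if ($desc -like "*by $tag*" -and $PSCmdlet.ShouldProcess($acct.Name, 'delete')) {
            Remove-ADComputer -Identity $acct.DistinguishedName -Confirm:$false
        }
    }
}

# Dry run first: every intended change is listed, nothing is touched.
Invoke-StaleComputerCleanup -DisableAfterWeeks 4 -DeleteAfterWeeks 8 -WhatIf
# Then drop -WhatIf and schedule the call monthly; for long absences use e.g. 26 and 52.
```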

DNS Records

I hate stale DNS records because they can lead to all sorts of false positives when there is IP address re-use, especially when trying to remotely manage/connect to PCs in a DHCP environment.  You can configure DNS scavenging of stale records on a DHCP server (for all zones) or on a per zone basis.


Be careful with this one.  I’ve been especially careful with the intervals since the 2003 days when I had a Premier support call open.  Scavenging didn’t like me using smaller intervals, even if they were correctly configured.
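An audit of the intervals the warning above is about, added here as an example (not from the original post). It assumes the DnsServer PowerShell module that ships with Windows Server 2012 and later, a DNS server name and the longest DHCP lease in use as inputs; 'dns01' and 8 days are placeholders.

```powershell
# Added example (not from the original post): report, per primary zone, whether
# aging/scavenging is on and whether the intervals are short enough to bite.
function Test-DnsScavengingConfig {
    param(
        [string]$DnsServer = 'localhost',                          # placeholder
        [timespan]$LongestDhcpLease = [timespan]::FromDays(8)      # placeholder
    )
    Import-Module DnsServer
    $server = Get-DnsServerScavenging -ComputerName $DnsServer
    if (-not $server.ScavengingState) {
        Write-Warning "$DnsServer has scavenging off at server level; per-zone aging settings do nothing until it is on."
    }
    $zones = Get-DnsServerZone -ComputerName $DnsServer |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }
    foreach ($zone in $zones) {
        $aging = Get-DnsServerZoneAging -ComputerName $DnsServer -Name $zone.ZoneName
        # A dynamic record can be removed only after NoRefresh + Refresh with no update,
        # and then only on the next scavenging pass (up to ScavengingInterval later).
        $window = $aging.NoRefreshInterval + $aging.RefreshInterval
        if (-not $aging.AgingEnabled) {
            $risk = 'aging off: stale records accumulate'
        } elseif ($window -lt $LongestDhcpLease) {
            # Rule of thumb: keep the window at least as long as the lease, otherwise a
            # client that re-registers only at lease renewal can lose its record while live.
            $risk = 'HIGH: window shorter than a DHCP lease'
        } else {
            $risk = 'ok'
        }
        [pscustomobject]@{
            Zone            = $zone.ZoneName
            AgingEnabled    = $aging.AgingEnabled
            NoRefresh       = $aging.NoRefreshInterval
            Refresh         = $aging.RefreshInterval
            EarliestRemoval = $window + $server.ScavengingInterval
            Risk            = $risk
        }
    }
}

Test-DnsScavengingConfig -DnsServer 'dns01' -LongestDhcpLease ([timespan]::FromDays(8)) | Format-Table -AutoSize
```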

Once you have the environment cleaned up, you can start deploying agents.  Now when you see a “failed” message, you know you can take it seriously and schedule a human visit.

Note: I don’t think I’ve ever used ConfigMgr to build collections of users.  Users roam and I don’t want to install software needlessly.  But ConfigMgr 2012 will have a more reliable user-centric approach that detects a user’s primary PC.  Therefore, you’ll want to do a user clean up before deploying it … and that should be standard security practice anyway.

Microsoft IT Environment Health Scanner

Credit to John McCabe for finding this useful-looking tool.

“The Microsoft IT Environment Health Scanner is a diagnostic tool that is designed for administrators of small or medium-sized networks (recommended up to 20 servers and up to 500 client computers) who want to assess the overall health of their network infrastructure. The tool identifies common problems that can prevent your network environment from functioning properly as well as problems that can interfere with infrastructure upgrades, deployments, and migration.
When run from a computer with the proper network access, the tool takes a few minutes to scan your IT environment, perform more than 100 separate checks, and collect and analyze information about the following:

  • Configuration of sites and subnets in Active Directory
  • Replication of Active Directory, the file system, and SYSVOL shared folders
  • Name resolution by the Domain Name System (DNS)
  • Configuration of the network adapters of all domain controllers, DNS servers, and e-mail servers running Microsoft Exchange Server
  • Health of the domain controllers
  • Configuration of the Network Time Protocol (NTP) for all domain controllers

If a problem is found, the tool describes the problem, indicates the severity, and links you to guidance at the Microsoft Web site (such as a Knowledge Base article) to help you resolve the problem. You can save or print a report for later review. The tool does not change anything on your computer or your network”.

More Microsoft Downloads to Consider

Windows Server 2008: Planning for Active Directory Forest Recovery

“This guide contains best-practice recommendations for recovering an Active Directory forest, if forest-wide failure has rendered all domain controllers in the forest incapable of functioning normally”.

iSCSI Initiator Users Guide for Windows 7 and Windows Server 2008 R2

“Users Guide for the iSCSI Initiator”.

Holistic Approach to Energy Efficiency in Datacenters

“The Datacenter Efficiency whitepaper discusses Microsoft’s holistic approach”.

RD Virtualization Host Capacity Planning in Windows Server 2008 R2

“This white paper is intended as a guide for capacity planning of RD Virtualization Host in Windows Server 2008 R2”.

Microsoft Application Request Routing Version 2.5 for IIS 7 X86 & X64

“Microsoft Application Request Routing (ARR) for IIS7 is a proxy based routing module that forwards HTTP requests to application servers based on HTTP headers and server variables, and load balance algorithms. ARR Version 2.5 improves the performance and scalability of disk caching features in ARR”.

Mastering Hyper-V Deployment Excerpts

Sybex, the publisher of Mastering Hyper-V Deployment, have posted some excerpts from the book.  One of them is from Chapter 1, written by the excellent Patrick Lownds (Virtual Machine MVP from the UK).  As you’ll see from the table of contents, this book is laid out kind of like a Hyper-V project plan, going from the proposal (Chapter 1), all the way through steps like assessment, Hyper-V deployment, System Center deployment, and so on:

Part I: Overview.

  • Chapter 1: Proposing Virtualization: How to propose Hyper-V and virtualisation to your boss or customer.
  • Chapter 2: The Architecture of Hyper-V: Understand how Hyper-V works, including Dynamic Memory (SP1 beta).

Part II: Planning.

  • Chapter 3: The Project Plan: This is a project with lots of change and it needs a plan.
  • Chapter 4: Assessing the Existing Infrastructure: You need to understand what you are converting into virtual machines.
  • Chapter 5: Planning the Hardware Deployment: Size the infrastructure, license it, and purchase it.

Part III: Deploying Core Virtualization Technologies.

  • Chapter 6: Deploying Hyper-V: Install Hyper-V.
  • Chapter 7: Virtual Machine Manager 2008 R2: Get VMM running, stock your library, enable self-service provisioning.  Manage VMware and Virtual Server 2005 R2 SP1.
  • Chapter 8: Virtualization Scenarios: How to design virtual machines for various roles and scales in a supported manner.

Part IV: Advanced Management.

  • Chapter 9: Operations Manager 2007 R2: Get PRO configured, make use of it, alerting and reporting.
  • Chapter 10: Data Protection Manager 2010: Back up your infrastructure in new exciting ways.
  • Chapter 11: System Center Essentials 2010: More than just SCE: Hyper-V, SBS 2008 and SCE 2010 for small and medium businesses.

Part V: Additional Operations.

  • Chapter 12: Security: Patching, antivirus and where to put your Hyper-V hosts on the network.
  • Chapter 13: Business Continuity: A perk of virtualisation – replicate virtual machines instead of data for more reliable DR.

User State Virtualization

What the hell is USV?  It’s simple; it’s using technologies to unbind user data from the PC.  You’re talking about features like roaming profiles, redirected folders and offline files.

Believe it or not, most companies I encounter have not done this.  For them, a PC repair is a time-consuming process.  A PC upgrade is a potentially nasty piece of work, using USMT to capture a user state and restore it.

That’s why MS has released a Planning and Designing Guide for Windows User State Virtualization (USV).  Reading this, you can enjoy the tech that the rest of us have been using since the mid 1990s.  Some of us started using redirected folders and offline files back with W2003 and XP.  Admittedly, I disabled Offline Files when managing XP because it was a royal PITA (not a good thing).  Vista/Windows 7 appear to have solved that.

Getting the user state off of the PC is invaluable:

  • Windows upgrades are simple and quick.
  • A PC repair that might take more than 10 minutes can be replaced by a PC rebuild.
  • User data is centralized and easier to back up.
  • Those worried about regulators can do archiving.

Microsoft Active Directory Design Guide

Microsoft has published an Active Directory design guide:

“This guidance provides general recommendations for the design, deployment and management of an Active Directory environment in a healthcare organization according to current best practices. The purpose of this guidance is to accelerate Active Directory design and deployment in a healthcare organization, and provide a framework for a more consistent network operating environment”.

Hyper-V: Can I Virtualise Everything: Domain Controllers?

I’ve seen this one a few times on forums and I’ve been asked it at sessions I’ve presented at.  People are deploying Hyper-V in medium and large businesses and they are wondering if they should virtualise absolutely everything in their data centre.

The answer is no. 

Let’s start with the obvious.  Some applications or operating systems may not have vendor support for virtualisation.  If that’s the case then you shouldn’t virtualise them.  However, many still do and they get by with no negative impacts.  Okey dokey.

Some servers just require too many resources to consider for virtualisation.  Consider a data warehouse application.  If you virtualise it, it might require a 1 VM per host deployment.  For the vast majority of us that’s a bad idea.  However some might like it because it means the machine is abstracted from the hardware.  But remember that you can only have a maximum of 4 virtual processors in a Windows Server VM on Hyper-V.  That likely won’t be enough for any machine that needs 32GB or 64GB RAM.

Then there’s domain controllers.  You can virtualise domain controllers but you have to be very careful.  Basically you have to treat them as you would physical domain controllers.  Checkpoints/saved states and host-level backup are a bad idea for domain controllers because of the risks of AD corruption, e.g. USN rollback.  Microsoft takes the idea of virtual domain controllers very seriously and has a very long support article on it.

Should you virtualise all of your domain controllers?  Typically I will say no to this.  There are a few exceptions, e.g. virtualised SBS running on a workgroup member Hyper-V host.  But take a Hyper-V cluster.  The presence of AD is a requirement of a Hyper-V cluster.  What happens if you need to power down your entire cluster for maintenance, or power suddenly cuts out?  These things happen.  Electricians might need to work on a power board, or a UPS/generator might fail to kick in.  I’ve seen both take place in the past.  What happens to that cluster if all of the DCs are virtualised on the cluster?  The cluster relies on AD for authentication/authorization.  Things will fail.  It’s a chicken and egg scenario.

Microsoft recently blogged about this.  The workaround solution is to find the LUN where the VHD(s) for a DC with the DNS role installed and configured is located, copy that to a temporary workgroup Hyper-V server and set it up to boot.  Now you can power up the cluster.  But you have to be really careful and make sure that the original DC VM doesn’t start up and cause a mess.

The advice is to have at least one physical DC.  When I did my ESX 3.x training a few years ago the advice was the same when running Virtual Center.  I recommend having 2: Murphy tends to like to mess up plans, and wouldn’t it be a bad day if both the cluster powered down and your lone physical DC wouldn’t start up?  Alternatively you can run those DCs on a separate workgroup host, but that just complicates things in terms of virtualisation management.  I like to keep things simple so I’d go the 2 physical DC route.  Then you can safely virtualise other DCs while sticking to Microsoft’s advice on the subject.
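A quick way to check whether you actually have the physical DCs described above, as an added example that is not from the original post. It assumes the ActiveDirectory module and WMI access to every DC; a Hyper-V guest reports Manufacturer "Microsoft Corporation" and Model "Virtual Machine" in Win32_ComputerSystem, which is the only platform this check recognises as virtual (VMware guests report a different model string).

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# module and WMI (DCOM) access to each domain controller.
Import-Module ActiveDirectory

function Get-DcPlatform {
    Get-ADDomainController -Filter * | ForEach-Object {
        $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $_.HostName `
                            -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name         = $_.HostName
            Site         = $_.Site
            Manufacturer = $cs.Manufacturer
            Model        = $cs.Model
            # Hyper-V guests report Model = "Virtual Machine"; other
            # hypervisors use different strings and would show as physical.
            IsVirtual    = ($cs.Model -eq 'Virtual Machine')
            Reachable    = ($null -ne $cs)
        }
    }
}

$dcs = Get-DcPlatform
$dcs | Format-Table Name, Site, Manufacturer, Model, IsVirtual, Reachable -AutoSize

# Unreachable DCs are not counted as physical: an answer we could not verify
# is not one to rely on when the cluster is down.
$physical = @($dcs | Where-Object { $_.Reachable -and -not $_.IsVirtual })
if ($physical.Count -lt 2) {
    Write-Warning ("Only {0} verified physical DC(s); the post recommends at least one, preferably two." -f $physical.Count)
}
```

Run it from a management workstation rather than from one of the DCs, and treat any DC it cannot reach as unknown rather than physical.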