Wednesday, March 25, 2009

Book Review: Windows Server 2008: The Definitive Guide (O'Reilly)

Windows Server 2008: The Definitive Guide. Read the entire book here for free: Link

O'Reilly does a wonderful job writing books in a logical, well-organized manner.
For a first edition, I was hard pressed to find many obvious mistakes. They did their due diligence.
This book is written for the IT pro, not someone looking to learn Active Directory or other services in Windows Server 2008 hoping to pass a paper cert test. It's assumed you have a broad understanding of Microsoft's culture and product lines and are looking for a practical review of the technologies in 2008.
You don't have to be an AD guru to get a lot out of this book either. I would actually recommend it above Microsoft Press books, because instead of trying to indoctrinate you on a set of "standards", Hassell simply gives you a working set of parts under the hood. He doesn't get caught up in the politics or test taking.
I do not recommend this book as a project management guide to upgrading from 2003 to 2008. This isn't one of "those" books. Instead, it's a good book for someone exploring the idea and reasons for upgrading, by being exposed to what is inside 2008 Server first.
As with almost any O'Reilly book, I think this is a definite buy for your IT library. It's well priced too.

Tuesday, March 24, 2009

Great Internet Information Service (IIS) 7.0 Resources

Resources

Internet Information Service (IIS) 7.0 Resources

IIS 7.0 Feature Reference
IIS 7.0: Operations Guide
Internet Information Services (IIS) 7.0 SDK
IIS 7.0 Web Administration Reference
IIS WMI Provider Reference
Windows Server 2008 Security Guide
Windows Server 2008 Step-by-Step Guides
DFS Operations Guide: Using the DFSRAdmin Command-line Tool
DNS Server GlobalNames Zone Deployment
Windows Server 2008 Release Candidate: System Requirements and Installation Documentation
Windows Server 2008 Reviewers Guide
Volume Activation 2.0 Technical Guidance
Active Directory Certificate Services Step-by-Step Guide
Active Directory Operations Guide: Active Directory Backup and Restore
Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration
Step-by-Step Guide for Read-Only Domain Controllers
Step-by-Step Guide for Windows Server 2008 Active Directory Domain Services Installation and Removal
Step-by-Step Guide for AD FS in Windows Server 2008
Windows Server Active Directory Rights Management Services Step-by-Step Guide
Using Identity Federation with Active Directory Rights Management Services Step-by-Step Guide
Step-by-Step Guide for Configuring a Two-Node File Server Failover Cluster in Windows Server 2008
Step-by-Step Guide for Configuring a Two-Node Print Server Failover Cluster in Windows Server 2008
Step-by-Step Guide for Configuring Network Load Balancing with Terminal Services: Windows Server 2008
Step-by-Step Guide for File Server Resource Manager in Windows Server 2008
Step-by-Step Guide for Storage Manager for SANs
Windows Server 2008 NFS Step-by-Step Guide
Windows Server 2008 Performance and Reliability Monitoring Step-by-Step Guide
Windows Server 2008 Print Management Step-by-Step Guide
Server Core Installation Option of Windows Server 2008 Step-by-Step Guide
Windows Server 2008 Release TS Licensing Step-by-Step Setup Guide
Windows Server 2008 Terminal Services RemoteApp Step-By-Step Guide
Windows Deployment Services Role Step-by-Step Guide
Windows Server 2008 TS Gateway Server Step-by-Step Guide
Windows Server 2008 TS Licensing Step-by-Step Guide
Command Reference
Network and Sharing Center Operations Guide
Operations Manager 2007 Design Guide

Technical Resources

IIS Download Center
IIS TechCenter
IIS Events
Windows Server 2008 TechCenter
Windows Server 2008 Technical Library
Changes in Functionality from Windows Server 2003 with SP1 to Windows Server 2008
Windows Server 2008 Release Notes

Webcasts

IIS 7.0 Overview
IIS 7.0 - Writing Custom Modules
The .NET Show: IIS 7.0
Live From Redmond: Getting Started with Microsoft's IIS 7.0
Windows Server 2008: Webcasts
Windows Server 2008 Webcast Express Demo Videos
Events and Webcasts Overview
Windows Server 2008 Virtual Labs
Windows Server 2008 Podcasts
Windows Server 2008 Chats
Windows Server 2008 Webcasts and Chats

Authors' Blogs

Bernard Cheah
Brett Hill
Carlos Aguilar Mares
Steve Schofield
Mike Volodarsky

Communities and Newsgroups

IIS Forums
IIS Blogs
Windows Server 2008 Web Forums
Windows Server Community
Community Centers for Windows Server Technologies
Windows Server Division Weblog

Training and Certification Resources

Windows Server 2008 Learning Portal

Evaluation Resources

Windows Server 2008 Evaluation Software

Windows Administration Resource Kit: Productivity Solutions for IT Professionals

Evaluation Resources

Windows Server 2008 Evaluation Software
Windows Server 2008 Beta Central
Windows Server 2008 Resources Page

Windows Server 2008 TechCenter: Evaluate Windows Server 2008

Windows Server 2008 Webcast Express Demo Videos
Windows Server 2008 System Requirements
Windows Server 2008 Datasheet
Windows Server 2008 Frequently Asked Questions

Technical Resources

Windows Server 2008 TechCenter
Windows Server 2008 Technical Library
Changes in Functionality from Windows Server 2003 with SP1 to Windows Server 2008
Windows Server 2008 Release Notes
What's New in Failover Clusters for Windows Server 2008
What's New in Terminal Services for Windows Server 2008
Microsoft SCEP Implementation Whitepaper
Hypervisor Functional Specification
The Encrypting File System
Scripting with Windows PowerShell

TechNet Event Review Webcasts

Server Role Management Windows Server 2008 (Session ITPROADD-201)
Server Core Running a Minimal Windows Server 2008 (Session ITPROADD-202)
UNIX Interoperability in Windows Server 2008 (Session ITPROADD-203)
PKI Enhancement in Windows Vista and Windows Server 2008 (Session ITPROADD-204)
Windows Server 2008 Technical Overview Part 1 (Session ITPROADD-300)
Windows Server 2008 Technical Overview Part 2 (Session ITPROADD-301)
Windows Server 2008 Network Access Protection (NAP) Technical Overview (Session ITPROADD-302)
Next Generation Networking with Windows Vista and Windows Server 2008 (Session ITPROADD-303)
Windows Vista and Windows Server 2008 Branch Office Technology (Session ITPROADD-304)
BitLocker Deployment (Session ITPROADD-305)
Active Directory Domain Services (AD DS) in Windows Server 2008 Technical Overview (Session ITPROADD-306)
Windows Server 2008 Terminal Services Technical Overview (Session ITPROADD-400)

Windows Server Update Services Resources

WSUS 3.0 Usability Improvements whitepaper
Step-by-Step: Getting Started with Microsoft Windows Server Update Services 3.0
Release Notes for Microsoft Windows Server Update Services 3.0

Webcasts

Windows Server 2008: Webcasts
Windows Server 2008 Webcast Express Demo Videos
Events and Webcasts Overview
Windows Server 2008 Virtual Labs
Windows Server 2008 Podcasts
Windows Server 2008 Chats
Windows Server 2008 Webcasts and Chats
Windows PowerShell: Next Generation Command Line Scripting (Level 300)

Training and Certification Resources

Windows Server 2008 Learning Portal
General IT Training and Certification Resources

Communities and Newsgroups

Windows Server 2008 Web Forums
Windows Server Community
Community Centers for Windows Server Technologies
Windows Server Division Weblog
ActiveDir.Org

Guides

Windows BitLocker Drive Encryption Design and Deployment Guides
Certificate Settings in Group Policy Step-by-Step Guide for Windows Server Code Name "Longhorn"
Network and Sharing Center Operations Guide
Operations Manager 2007 Design Guide
Windows Server 2008 Security Guide
Windows Server 2008 Step-by-Step Guides
DFS Operations Guide: Using the DFSRAdmin Command-line Tool
DNS Server GlobalNames Zone Deployment
Windows Server 2008 Release Candidate: System Requirements and Installation Documentation
Windows Server 2008 Reviewers Guide
Volume Activation 2.0 Technical Guidance
Active Directory Certificate Services Step-by-Step Guide
Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration
Step-by-Step Guide for Read-Only Domain Controllers
Step-by-Step Guide for Windows Server 2008 Active Directory Domain Services Installation and Removal
Step-by-Step Guide for AD FS in Windows Server 2008
Windows Server Active Directory Rights Management Services Step-by-Step Guide
Using Identity Federation with Active Directory Rights Management Services Step-by-Step Guide
Step-by-Step Guide for Configuring a Two-Node File Server Failover Cluster in Windows Server 2008
Step-by-Step Guide for Configuring a Two-Node Print Server Failover Cluster in Windows Server 2008
Step-by-Step Guide for Configuring Network Load Balancing with Terminal Services: Windows Server 2008
Step-by-Step Guide for File Server Resource Manager in Windows Server 2008
Step-by-Step Guide for Storage Manager for SANs
Windows Server 2008 NFS Step-by-Step Guide
Windows Server 2008 Performance and Reliability Monitoring Step-by-Step Guide
Windows Server 2008 Print Management Step-by-Step Guide
Server Core Installation Option of Windows Server 2008 Step-by-Step Guide
Windows Server 2008 Release TS Licensing Step-by-Step Setup Guide
Windows Server 2008 Terminal Services RemoteApp Step-By-Step Guide
Windows Deployment Services Role Step-by-Step Guide
Windows Server 2008 TS Gateway Server Step-by-Step Guide
Windows Server 2008 TS Licensing Step-by-Step Guide
Command Reference

Windows Server 2008 Networking and Network Access Protection (NAP)

Understanding IPv6, Second Edition

Thursday, March 19, 2009

Windows Server 2008 Activation Nightmare

Piracy is a significant problem that persists worldwide. The Business Software Alliance and market research firm IDC reported in the Global Software Piracy Study[1] that 35% of the software installed in 2006 on personal computers (PCs) worldwide was obtained illegally, amounting to nearly $40 billion in global losses due to software piracy. Often, counterfeit copies are bundled with malicious, unwanted code that can lead to system crash, data loss, and even stolen identity, and are difficult to detect.[2]

Many consumers who end up with a counterfeit copy of Microsoft software are unwitting victims of a crime. They believe they purchased a properly licensed copy and often have documents to back this up, but their copy of Windows or Office is actually not properly licensed.

For these reasons, Microsoft continually invests in technologies and programs to protect its intellectual property, and to help protect its customers from the risks and the hidden costs of running counterfeit software. Throughout this document the term Windows is used to refer to both Windows Vista and Windows Server 2008.

Windows Product Activation

All editions and distributions of Windows Vista and Windows Server 2008, including those obtained through a volume license program, are required to complete activation within the first 30 days of using Windows Vista or the first 60 days of using Windows Server 2008. Product activation establishes the relationship between the product key (obtained through appropriate licensing) and a copy of the software on a device to which the licensing rights are applied.[3] Completing the activation process allows a user continued access to full Windows functionality. After initial installation (or 30 or 60 days after installation depending on the operating system), product activation will be required.

Product activation uses several methods and technologies to help achieve Microsoft’s goals of protecting intellectual property rights by making it easy for users to comply with the terms of the EULA and reducing software piracy.

In order to help customers and partners better understand the technologies used by product activation, and their unobtrusive and anonymous nature, we will outline in this bulletin:

  1. How activation works for Windows acquired through:
    1. A computer manufacturer (Original Equipment Manufacturer, or OEM)
    2. A retail store (where customers buy “boxed” software product)
    3. A volume licensing agreement (customers who acquire their licenses through programs such as Microsoft Open, Enterprise, or Select licensing).
  2. How the hardware hash component of the installation ID is created and the scenarios in which a copy of Windows may have to be re-activated due to a substantial hardware modification.
A Note About Privacy

Protecting our customers’ privacy is very important to Microsoft. Product Activation is built with privacy in mind and is implemented in accordance with a clear privacy policy. Microsoft does not use any information collected through product activation to identify or contact customers.

Product Activation and volume licenses

Volume Activation 2.0 is a configurable solution that helps IT pros automate and manage the product activation of systems licensed under volume licensing. The benefits of Volume Activation 2.0 include a transparent activation experience for end users, no need to handle product keys during installation, better protection and management of customer-specific license keys, and avoiding the risks associated with running non-genuine software.

Multiple activation options are available using two types of customer-specific keys: the Multiple Activation Key (MAK) and the Key Management Service (KMS) key. A Multiple Activation Key, as the name implies, can be used on multiple systems to activate each system against the Microsoft activation service by online, phone or proxy methods. The Volume Activation Management Tool (VAMT), available at http://go.microsoft.com/fwlink/?LinkID=77533, enables proxy activation of systems using a Multiple Activation Key. Key Management Service (KMS) enables organizations to perform local activations of systems in a managed environment without connecting them to Microsoft individually. A KMS key is used to enable the Key Management Service on a system controlled by an organization's system administrator.

Product Activation and new pre-loaded Computers

The majority of customers acquire Windows with the purchase of a new computer, and most new computers pre-loaded with Windows will already be pre-activated. Microsoft provides OEMs with the ability to “pre-activate” Windows in the factory and estimates that upwards of 80% of all new PCs will be delivered to the customer pre-activated.

“Pre-activation” of Windows by the OEMs will be done in one of two different ways depending on the OEM’s own configuration options and choices. Some OEMs may protect Windows using a mechanism which locks the installation to OEM-specified BIOS information in the computer. This technology is an improvement over the existing technology used in Windows XP called “System Locked Pre-installation,” or SLP. The improved product activation technology used in Windows is called “OEM Activation 2.0,” or OA 2.0.

OEM Activation 2.0 uses information stored in an OEM computer’s BIOS and Hard Disk Drive (HDD) to protect the installation from casual piracy. No communication by the end customer to Microsoft is required and no hardware hash is created or necessary. At boot, Windows compares the computer’s BIOS to the OA 2.0 information on the HDD. If it matches, activation is successful.

Every single piece of hardware could be changed on a computer with OA 2.0 and no reactivation would be required – even the motherboard could be replaced as long as the replacement motherboard was original equipment manufactured by the OEM and retained the proper BIOS. In the unlikely scenario that the BIOS information does not match, the computer would need to be activated by contacting the Microsoft activation center and requesting activation with a customer support representative.

OEMs may also activate Windows by contacting Microsoft in the same way the consumer would activate. Activation done in this way is the same as activating a retail boxed version of Windows. This is discussed in more detail below.

For OEMs who do not employ either of the above two methods of pre-activation, a new computer acquired with Windows Vista or Windows Server 2008 preinstalled must be activated by the customer. This activation is completed in the exact same way as would someone who acquired Windows Vista or Windows Server 2008 by purchasing a boxed version at a retailer.

Product Activation and retail boxed software product

Product Activation can be done in two ways: phone activation and online activation.

Phone activation relies on the submission of the Installation ID. The Installation ID is specifically designed to guarantee anonymity and is only used by Microsoft to deter piracy. The Installation ID is comprised of two different pieces of information – the product ID and a short hardware hash value (a hash value is a digital fingerprint of the data that is derived through a mathematical formula, or hash function). The product ID is unique to the installation of Windows and is created from the product key used during installation. Each product key delivered with retail boxed software is unique, and the product ID it creates is unique. Microsoft uses the product ID for product activation. The product ID can be found by viewing the Properties of My Computer (an example of a product ID is 12345-123-1234567-12345).

The short hardware hash value is an eight-byte value that is created by running ten different pieces of information from the computer's hardware components through a one-way mathematical transformation. This means that the resultant hash value cannot be backwards calculated to determine the original values. Further, only a portion of the resulting hash value is used in the hardware hash in order to ensure complete anonymity.

Example: A processor serial number is 96 bits in length. When hashed, the resultant one-way hash is 128 bits in length. Microsoft uses only six bits from that resultant hash in activation’s hardware hash. Due to the nature of the hashing algorithm, those six bits cannot be backwards calculated to determine anything at all about the original processor serial number.

Moreover, six bits represent 64 (2^6) different values. There were over 100 million PCs sold last year worldwide. From those 100 million PCs sold, only 64 different hardware hash values could be created as part of activation.

Microsoft developed the hardware hash in this way in order to maintain the user’s privacy.

Additionally, whether or not the PC can be put into a docking station or accepts PCMCIA cards is also determined (the possibility of a docking station or PCMCIA cards existing means that hardware may disappear or seem changed when those devices are not present). Finally, the hardware hash algorithm has a version number. Together with the general nature of the other values used, two different PCs could actually create the same hardware hash. The different hardware values used to create the hash are outlined in the table below:

Table 1: Hardware hash component values (phone activation)

Component Name                                                                               | Example Hash Value (# of bits)
BIOS ID                                                                                      | 000000 (6)
RemovablePolicy (one bit per component: Network Card, CD-ROM, Audio, SCSI, and IDE Adapter)   | 11111 (5)
Network Adapter MAC Address                                                                  | 1001011000 (10)
CD-ROM / CD-RW / DVD-ROM                                                                     | 0101111 (7)
IDE Adapter                                                                                  | 0011 (4)
Audio Adapter                                                                                | 100100 (6)
Physical OS Drive Serial                                                                     | 1101100 (7)
SCSI Adapter                                                                                 | 00011 (5)
Display Adapter                                                                              | 00010 (5)
Processor Type                                                                               | 011 (3)
RAM Amount Range (e.g. 0-512 MB, 512 MB - 1 GB, etc.)                                        | 101 (3)
"Dockable" flag                                                                              | 011 (3)

The product ID (nine bytes) and hardware hash (eight bytes) are used by Microsoft to process the phone activation request.

Online activation over the Internet can be accomplished automatically or manually. During setup the user can select automatic activation, which will result in automatic activation three days after running setup. If the user chooses manual activation, then at some point over the next 30 or 60 days, depending on the operating system, the user will need to activate their system by either responding to one of the activation prompts or by invoking the product activation wizard. The product ID information sent to the server is the same as in phone activation, but the hardware ID sent during online activation is different: Microsoft collects 2 bytes of hash information from each of the hardware instances in the table above. Again, these 2 bytes of information will not uniquely identify a customer; they serve to differentiate between different hardware devices. These two values (product ID and the long hardware ID) are sent along with request header information directly through secure sockets (SSL over HTTP) to the Microsoft activation system in a binary format. There are three communications made to complete Internet activation:

  1. Handshake request: Contains product ID, hardware hash, and request header data such as request ID (for linking the handshake, request, and acknowledgement) and activation technology version. 262 bytes total.
  2. License request: Contains product ID, hardware hash, and customer data structure for holding voluntary registration information if provided. If registration is skipped, this structure is empty. Also contains request header data such as request ID and the PKCS10 digital certificate request structure. The PKCS10 structure can vary slightly based on the inclusion of voluntary registration information; about 2763 to 3000 bytes total.
  3. Acknowledgement request: Contains certificate ID (returned to the user's machine after the license request), issue date, and error code. 126 bytes total.

If Internet activation is successful, the activation confirmation is sent directly back to the user’s computer as a digital certificate. This certificate is digitally signed by Microsoft so that it cannot be altered or counterfeited. The confirmation packet returned as part of Internet activation is approximately 9 kbytes in size (the digital certificate chain accounts for most of the confirmation data packet size).

If activation is done by telephoning a customer service representative, the product ID and short hardware hash are automatically displayed to the user as the Installation ID, a 50-digit decimal representation. The data is encoded and has check digits so that it cannot be altered. Telephone activation is a four-step process:

  1. Selecting the country from which the call is being made so that an appropriate phone number can be shown in the product UI.
  2. Dialing the phone number
  3. Providing the Installation ID to the customer service representative
  4. Entering the Confirmation ID provided by the customer service representative.

The confirmation ID is a 42-digit integer containing the activation key and check digits that aid in error handling. Both the installation ID and confirmation ID are displayed to the user in easily understandable segments in the product UI.

Impact of Hardware Modifications to Activation

At each login, Windows Vista or Windows Server 2008 checks to see that it is running on the same or similar hardware that it was activated on. If it detects that the hardware is “substantially different”, reactivation is required. This check is performed after the OA 2.0 BIOS check discussed above, if the OA 2.0 BIOS check fails. This means that if your computer is pre-activated in the factory using the OA 2.0 pre-activation method, all the components in the computer could be swapped, including the motherboard, so long as the replacement motherboard was genuine and from the OEM with the proper BIOS.

The retail activation hardware check is accomplished by assigning each of the ten hardware elements a weighting factor. The sum of the weighting factors for the unchanged elements must exceed a threshold, otherwise reactivation is required. Microsoft changes the ten weighting factors and threshold value on its product activation servers periodically based on product activation and product support data. These changes on the activation server only impact online activation. Phone activation is still controlled by the weighting factors and threshold values maintained in the Windows client code. For example, the weighting factor for the HDD on Windows XP required the end user to reactivate whenever the HDD was replaced. Product support data showed that many of these reactivations were due to failed hard drives or user initiated upgrade to a higher capacity hard drive. Prior to Windows Vista consumer launch, the HDD weighting factor on the activation servers was reduced slightly to allow the end user to replace the HDD without requiring reactivation.

The actual weighting factors and threshold value are not published by Microsoft, since computer hardware is constantly evolving and real life data is utilized to adjust these values for the best user experience possible, but at the same time protecting Microsoft’s intellectual property by reducing piracy.

Installations of Windows Vista or Windows Server 2008 using Volume Activation are now subject to reactivation if the hardware changes. MAK activation utilizes the same reactivation rules as retail activation. KMS activation only requires reactivation if the HDD has changed.

Scenario A:

Computer One has the full assortment of hardware components listed in Table 1 above. User swaps the CPU chip for an upgraded one, swaps the video adapter, adds a second hard drive for additional storage, doubles the amount of RAM, and swaps the CD ROM drive for a faster one.

Result: Reactivation is NOT required.

Scenario B:

Computer Two has the full assortment of hardware components listed in Table 1 above. The HDD fails and the user replaces the failed drive with a new HDD. The user loads the new HDD from a backup or from the original installation media.

Result: Reactivation is NOT required.

Scenario C:

Computer Three has the full assortment of hardware components listed in Table 1 above. The motherboard fails, and the user is forced to replace the failed motherboard with a new one.

Result: Reactivation is required. Why? Changing the motherboard results in a hardware configuration that is substantially different, since several of the ten hardware elements change when installing a new motherboard.

The change of a single component multiple times (e.g. from video adapter A to video adapter B to video adapter C) is treated as a single change. The addition of components to a computer, such as adding a second hard drive which did not exist during the original activation, would not trigger the need for a reactivation nor would the modification of a component not listed in the above table. Reinstallation of Windows Vista or Windows Server 2008 on the same or similar hardware and a subsequent reactivation can be accomplished five times.
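As an added example (not part of the bulletin and not Microsoft's code), the following Python models the 64-bit short hardware hash of Table 1 and the weighted reactivation check that decides Scenarios A to C. The choice of SHA-256, the sample component identifiers, the weighting factors and the threshold are all assumptions, since Microsoft publishes none of them.

```python
"""Illustrative model of the phone-activation hardware hash and the weighted
reactivation check.  Added example, not Microsoft's code: the bit widths come
from Table 1; SHA-256, the weights and the threshold are assumptions."""
import hashlib
from typing import Dict, Tuple

# Bit width of each field, in Table 1 order.  They sum to 64 bits = 8 bytes,
# matching the "eight byte value" described in the text.
COMPONENT_BITS: Dict[str, int] = {
    "bios_id": 6, "removable_policy": 5, "nic_mac": 10, "cdrom": 7,
    "ide_adapter": 4, "audio_adapter": 6, "os_drive_serial": 7,
    "scsi_adapter": 5, "display_adapter": 5, "processor_type": 3,
    "ram_range": 3, "dockable": 3,
}
assert sum(COMPONENT_BITS.values()) == 64

# Hypothetical weighting factors (sum 65) and threshold.  Components that a
# motherboard swap replaces are weighted heaviest; these numbers are made up.
WEIGHTS: Dict[str, int] = {
    "bios_id": 12, "removable_policy": 1, "nic_mac": 10, "cdrom": 3,
    "ide_adapter": 8, "audio_adapter": 6, "os_drive_serial": 5,
    "scsi_adapter": 6, "display_adapter": 4, "processor_type": 6,
    "ram_range": 3, "dockable": 1,
}
THRESHOLD = 40  # unchanged weight must exceed this to stay activated


def truncated_hash(value: str, bits: int) -> int:
    """One-way hash of one component identifier, keeping only `bits` bits.
    A 6-bit field can take just 64 values, so the kept bits cannot be
    reversed to the MAC address, serial number, etc. they came from."""
    digest = hashlib.sha256(value.encode("utf-8")).digest()  # assumed hash
    return int.from_bytes(digest[:8], "big") & ((1 << bits) - 1)


def pack_fields(fields: Dict[str, int]) -> int:
    """Concatenate the per-component fields, first field in the high bits."""
    packed = 0
    for name, bits in COMPONENT_BITS.items():
        if not 0 <= fields[name] < (1 << bits):
            raise ValueError(f"{name} does not fit in {bits} bits")
        packed = (packed << bits) | fields[name]
    return packed


def split_hash(h: int) -> Dict[str, int]:
    """Inverse of pack_fields: cut the 64-bit value back into its fields."""
    fields, remaining = {}, 64
    for name, bits in COMPONENT_BITS.items():
        remaining -= bits
        fields[name] = (h >> remaining) & ((1 << bits) - 1)
    return fields


def hardware_hash(components: Dict[str, str]) -> int:
    """Short hardware hash: truncated one-way hash of each component, packed."""
    return pack_fields({n: truncated_hash(components[n], b)
                        for n, b in COMPONENT_BITS.items()})


def reactivation_required(activated: int, current: int) -> Tuple[bool, int]:
    """Weighted comparison of the activation-time hash with the current one.
    Each component whose field still matches contributes its weight; the sum
    must exceed THRESHOLD or reactivation is required.  Only the stored hash
    is compared, so swapping one component several times counts once and
    hardware outside Table 1 never matters.  A replaced component can rarely
    keep the same truncated field (a collision): the price of few bits."""
    old, new = split_hash(activated), split_hash(current)
    unchanged = sum(WEIGHTS[n] for n in COMPONENT_BITS if old[n] == new[n])
    return unchanged <= THRESHOLD, unchanged


# Constructed sample machine; the identifiers are invented, not real ones.
BASELINE: Dict[str, str] = {
    "bios_id": "OEM-BIOS-A12", "removable_policy": "11111",
    "nic_mac": "00-11-22-33-44-55", "cdrom": "DVD-ROM-X1",
    "ide_adapter": "IDE-CTRL-1", "audio_adapter": "AC97-ONBOARD",
    "os_drive_serial": "HDD-SN-0001", "scsi_adapter": "SCSI-NONE",
    "display_adapter": "GPU-MODEL-A", "processor_type": "CPU-FAMILY-6",
    "ram_range": "512MB-1GB", "dockable": "no",
}


def scenario(changes: Dict[str, str]) -> Tuple[bool, int]:
    """Apply component replacements to BASELINE and run the check."""
    current = dict(BASELINE, **changes)
    return reactivation_required(hardware_hash(BASELINE), hardware_hash(current))


if __name__ == "__main__":
    # A: CPU, video, RAM and CD-ROM swapped; an added second HDD changes no field.
    print("A", scenario({"processor_type": "CPU-FAMILY-15", "display_adapter": "GPU-B",
                         "ram_range": "1GB-2GB", "cdrom": "DVD-RW-Y2"}))
    # B: failed OS drive replaced.
    print("B", scenario({"os_drive_serial": "HDD-SN-0002"}))
    # C: motherboard replaced, taking the BIOS and on-board controllers with it.
    print("C", scenario({"bios_id": "OEM-BIOS-B07", "nic_mac": "66-77-88-99-AA-BB",
                         "ide_adapter": "IDE-CTRL-2", "audio_adapter": "HDA-ONBOARD",
                         "scsi_adapter": "SCSI-NONE-2"}))
```

Running the file prints the three scenarios; with the assumed weights, A and B stay activated and C requires reactivation (barring a truncated-field collision).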

Conclusions

Software piracy is a persistent and evolving crime. Each year, the software industry, businesses, and consumers are harmed by counterfeit software. Microsoft has increased its investments to address this challenge and help to protect businesses and consumers from the risks of counterfeit and unlicensed software. With Windows Vista and Windows Server 2008, a markedly different experience is offered as these operating systems are the first products from Microsoft to take advantage of the Software Protection Platform, an innovative platform from Microsoft that strengthens anti-piracy technologies to help better protect customers and improve the overall licensing experience.

Microsoft is strengthening its commitment to make progress against software piracy with technologies to identify counterfeit software built right in to new software products.  Windows Vista and Windows Server 2008 have new built-in anti-piracy technologies making it more difficult to pirate, providing a superior experience for customers who do pay, and creating consequences for those who pirate – including diminished functionality if the software is detected to have been tampered with or is counterfeit. A key goal is to maintain a great experience for our customers using genuine software. Another important goal is fairness; we have taken steps to make it easy and convenient for victims of counterfeit to obtain a genuine copy. All in all, Microsoft would like customers to expect fairness, great service, and a positive experience in the implementation of our anti-piracy measures.


[1] See a summary of the piracy study at http://w3.bsa.org/globalstudy/

[2] See a summary or access the complete white paper at http://www.microsoft.com/protect/promotions/us/wga_idc_us.mspx

[3] Learn more about volume activation at http://www.microsoft.com/technet/volumeactivation

Wednesday, March 18, 2009

Enable MSMQ On Windows 2008 Server

Run: ServerManagerCmd.exe -install MSMQ-Services


Enable Microsoft Message Queuing (MSMQ)

Microsoft Message Queuing (MSMQ) technology enables applications running at different times to communicate across heterogeneous networks and systems that may be temporarily offline. MSMQ provides guaranteed message delivery, efficient routing, security, and priority-based messaging. It can be used to implement solutions for both asynchronous and synchronous messaging scenarios.

Enable MSMQ during an unattended installation

There are several ways you can enable MSMQ during an unattended Windows installation by adding the required MSMQ package actions to your answer file.

Create a FirstLogonCommand that runs ServerManagerCmd.exe

For Windows Server 2008, you can create a FirstLogonCommand that runs ServerManagerCmd.exe in your answer file that specifies the proper parameters for configuring MSMQ.

Note: ServerManagerCmd.exe is only included with Windows Server 2008.

For additional information about using FirstLogonCommands to configure a Server Role, see Configure Server Roles.

For information about the syntax of ServerManagerCmd.exe, see Server Manager Command-Line Tool.

The following answer file snippet shows the ServerManagerCmd.exe syntax for installing MSMQ services.


<FirstLogonCommands>
<SynchronousCommand wcm:action="add">
<Order>1</Order>
<CommandLine>ServerManagerCmd.exe -install MSMQ-Services -allSubFeatures -resultPath C:\Admin\MSMQServer.xml -restart</CommandLine>
<Description>Configure MSMQ Services</Description>
</SynchronousCommand>
</FirstLogonCommands>


Add Packages to an Unattended Setup Answer File

This procedure can be used for both Windows Server 2008 and Windows Vista. You can enable MSMQ on a Windows installation by enabling MSMQ packages during Windows Setup.

  1. Use Windows SIM to add the Microsoft-Windows-Foundation-Package to the answer file, and then set the Action field to Configure.
    For more information about adding and configuring packages, see Add a Package to an Answer File and Understanding Settings and Properties.
  2. Select Enable or Disable for each of the MSMQ features that you want to configure.
    The following MSMQ packages are available.

    Name of feature displayed in SIM                     | Command-Line Name        | Notes
    Microsoft Server Message Queue (MSMQ) Server         | MSMQ-Container           | This package is available in all Windows Vista editions and is required to configure MSMQ in all Windows Vista editions. It is not available in Windows Server 2008 editions; if this feature is present in an answer file, installation on Windows Server 2008 may fail.
    Microsoft Server Message Queue (MSMQ) Server Core    | MSMQ-Server              | This package is available in all Windows Vista family and Windows Server 2008 family editions.
    MSMQ Active Directory Domain Services Integration    | MSMQ-ADIntegration       | This package is available in all Windows Vista family and Windows Server 2008 family editions.
    MSMQ downlevel client server                         | MSMQ-DownlevelClient     | This package is available only in Windows Server 2008 family editions.
    MSMQ routing server                                  | MSMQ-RoutingServer       | This package is available only in Windows Server 2008 family editions.
    MSMQ HTTP Support                                    | MSMQ-HTTP                | This package is available only in Windows Server 2008 family editions and Windows Vista Business, Windows Vista Enterprise, and Windows Vista Ultimate editions. Because MSMQ HTTP support depends on Internet Information Services (IIS) and Windows Activation Services (WAS), these features must be installed before the MSMQ HTTP feature can be enabled.
    MSMQ Triggers                                        | MSMQ-Triggers            |
    Multicasting Support                                 | MSMQ-Multicast           |
    MSMQ DCOMProxy                                       | MSMQ-DCOMProxy           |
    Rights Management Services                           | RightsManagementServices |

    For more information about these features, see the Unattended Windows Setup Reference.


Enable MSMQ on a running Windows system by using OCSetup



You can enable MSMQ on a running Windows system by using the OCsetup.exe command-line tool. There are two ways to use OCsetup to configure MSMQ:




  • Use the MSMQ command-line names as arguments for OCSetup. The command-line names are case-sensitive.

    For example, to install only the MSMQ Core functionality, you can execute OCsetup.exe from a command prompt and specify MSMQ-Server as a parameter:

    ocsetup MSMQ-Container;MSMQ-Server

    Conversely, to uninstall MSMQ Core functionality, at a command prompt, run OCsetup.exe and specify MSMQ-Server as the argument for the <component> parameter and specify the /uninstall parameter:

    ocsetup MSMQ-Container;MSMQ-Server /uninstall



  • Use an answer file with OCSetup. By using the /unattend parameter, you can specify an unattended answer file to use to configure the Windows system. Use Windows SIM to create this answer file. Only package actions listed in the <servicing> section in the answer file are processed. All other settings in the answer file are ignored.


    Before running OCSetup with an answer file, ensure that any features listed in the answer file are available on the edition of Windows on which you are running OCSetup. If a feature is in the answer file and is not available in the Windows image, installation might fail. For example, if you attempt to run OCSetup with an answer file on Windows Vista Home Basic Edition and the answer file lists the MSMQ-HTTP feature, then installation fails because Windows Vista Home Basic Edition does not include MSMQ HTTP support.


    Use Windows SIM to validate an answer file against a Windows image.



For more information about the command line syntax for OCsetup, see OCSetup Command-Line Options.
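The two availability caveats above (the package table, which lists which MSMQ features each edition offers, and the warning that OCSetup /unattend fails when an answer file names a feature the image lacks) can be checked before the file ever reaches Setup. The following is an added example, not code from the Microsoft documentation or from Windows SIM: it parses the <servicing> section of an answer file and reports MSMQ selections that the table says the target edition does not have, plus the MSMQ-HTTP prerequisite. The sample answer file is constructed (its assemblyIdentity attributes are placeholders), and the family/edition labels and function names are assumptions made for this example; Windows SIM remains the authoritative validator against an actual image.

```python
"""Pre-flight check of MSMQ selections in an unattended answer file (added example)."""
import xml.etree.ElementTree as ET

# XML namespace of unattend.xml answer files produced by Windows SIM.
UNATTEND_NS = {"u": "urn:schemas-microsoft-com:unattend"}

# Windows Vista editions that offer MSMQ-HTTP, per the package table.
VISTA_HTTP_EDITIONS = {"Business", "Enterprise", "Ultimate"}

# Constructed sample answer file: a Foundation package with three MSMQ features
# enabled and one disabled.  The assemblyIdentity attributes are placeholders.
SAMPLE_ANSWER_FILE = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <servicing>
    <package action="configure">
      <assemblyIdentity name="Microsoft-Windows-Foundation-Package"
                        version="0.0.0.0" processorArchitecture="x86" />
      <selection name="MSMQ-Container" state="true" />
      <selection name="MSMQ-Server" state="true" />
      <selection name="MSMQ-HTTP" state="true" />
      <selection name="MSMQ-Triggers" state="false" />
    </package>
  </servicing>
</unattend>
"""


def feature_available(feature, family, edition=""):
    """Return True if the package table offers `feature` on the target.

    family is "vista" or "server2008" (assumed labels); edition is the Vista
    edition name and is ignored for Windows Server 2008.  Features the table
    gives no note for (Triggers, Multicast, DCOMProxy) are treated as unrestricted.
    """
    if feature == "MSMQ-Container":
        return family == "vista"
    if feature in ("MSMQ-DownlevelClient", "MSMQ-RoutingServer"):
        return family == "server2008"
    if feature == "MSMQ-HTTP":
        return family == "server2008" or edition in VISTA_HTTP_EDITIONS
    return True


def enabled_selections(answer_xml):
    """Return the names of <selection state="true"> entries under <servicing>.

    Only the servicing section is read, mirroring OCSetup /unattend, which
    processes package actions and ignores the rest of the answer file.
    """
    root = ET.fromstring(answer_xml)
    path = ".//u:servicing/u:package/u:selection"
    return [sel.get("name") for sel in root.findall(path, UNATTEND_NS)
            if sel.get("state", "").lower() == "true"]


def check_answer_file(answer_xml, family, edition=""):
    """Return (severity, message) findings for applying the file to the target."""
    if family == "server2008":
        target = "Windows Server 2008"
    else:
        target = f"Windows Vista {edition}".strip()
    msmq = [n for n in enabled_selections(answer_xml) if n.startswith("MSMQ-")]
    findings = []
    for name in msmq:
        if not feature_available(name, family, edition):
            findings.append(("error", f"{name} is not available on {target}; installation may fail"))
    # Vista needs MSMQ-Container whenever any MSMQ feature is configured.
    if family == "vista" and msmq and "MSMQ-Container" not in msmq:
        findings.append(("error", "MSMQ-Container is required to configure MSMQ on Windows Vista"))
    # MSMQ-HTTP has prerequisites that must already be in place.
    if "MSMQ-HTTP" in msmq:
        findings.append(("warning", "MSMQ-HTTP depends on IIS and WAS; they must be installed before it is enabled"))
    return findings


if __name__ == "__main__":
    for fam, ed in (("server2008", ""), ("vista", "Home Basic"), ("vista", "Business")):
        print(fam, ed or "-")
        for severity, message in check_answer_file(SAMPLE_ANSWER_FILE, fam, ed):
            print(f"  [{severity}] {message}")
```

Run against the sample, the same file passes on Windows Vista Business, fails on Windows Server 2008 because of MSMQ-Container, and fails on Windows Vista Home Basic because of MSMQ-HTTP, which is exactly the edition mismatch the page warns about.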



For Windows Server 2008, the recommended way to configure Server roles is to use the Server Manager User Interface or Command-line tool.



Using Server Manager Command Line Tool



After Windows is installed, you can use the Server Manager command-line tool, ServerManagerCmd.exe, to configure MSMQ on Windows Server 2008. For more information, see Server Manager Command-Line Tool.



MSMQ Installation Limitations



The following sections describe some of the limitations and workarounds for configuring MSMQ.



Installing Active Directory on a Domain Controller


To configure a Windows Server 2008 domain controller for MSMQ, you must add Network Service to the domain controller's computer object in Active Directory.




  1. Click Start, point to Administrative Tools, right-click Active Directory Users and Computers, and then click Run as administrator.


  2. Click View, and then click Advanced Features.


  3. Expand your domain's node, click the Domain Controllers node, right-click the Computer object, and then select Properties.


  4. Click the Security tab.


  5. Add Network Service and grant Full access, or, to keep the grant narrower, grant only Read, Create or Delete child objects, and Allowed to authenticate.


  6. Apply changes.



After Network Service is added, install MSMQ, Active Directory integration, and the downlevel service. If MSMQ is installed before the domain controller is promoted, then verify that the Workgroup registry key under HKLM\Software\Microsoft\MSMQ\Parameters\ is set to 1, and then restart MSMQ.



Verify that MSMQ is running in Domain mode after this procedure. In Computer Management, confirm that Message Queuing has a node called Public Queues.



Installing Routing on a Non-Domain Controller


To install routing on a computer that is not running as a domain controller, use the following procedure:




  1. Click Start, click Administrative Tools, and then right-click Active Directory Sites and Services.


  2. Expand the Sites node.


  3. Expand the site node where the computer you want to configure is located.


  4. Right-click the server node of the computer you want to configure, and then click Properties.


  5. In the Security tab, add the following permissions for the computer. You may need to search for the computer.


    • Read


    • Write


    • Create all child objects




  6. Enable inheritance for the permissions:

    1. On the Security tab, click Advanced.


    2. For the computer object, click Edit.


    3. On the Object and Properties tabs, change the Apply to fields to This object and all descendant objects.


    4. Click OK twice to accept the settings.




  7. Click OK.


  8. Install the routing service on the computer.

Thursday, March 5, 2009

As I've matured...


I've learned that you cannot make someone love you. All you can do is stalk them and hope they panic and give in.
I've learned that one good turn gets most of the blankets.
I've learned that no matter how much I care, some people are just jackasses.
I've learned that it takes years to build up trust, and it only takes suspicion, not proof, to destroy it.
I've learned that whatever hits the fan will not be evenly distributed.
I've learned that you shouldn't compare yourself to others - they are more screwed up than you think.
I've learned that depression is merely anger without enthusiasm.
I've learned that it is not what you wear; it is how you take it off.
I've learned that you can keep vomiting long after you think you're finished.
I've learned to not sweat the petty things, and not pet the sweaty things.
I've learned that ex's are like fungus, and keep coming back.
I've learned age is a very high price to pay for maturity.
I've learned that I don't suffer from insanity, I enjoy it.
I've learned that we are responsible for what we do, unless we are celebrities.
I've learned that artificial intelligence is no match for natural stupidity.
I've learned that 99% of the time when something isn't working in your house, one of your kids did it.
I've learned that there is a fine line between genius and insanity.
I've learned that the people you care most about in life are taken from you too soon and all the less important ones just never go away. And the real pains in the ass are permanent.

Wednesday, March 4, 2009

Active Directory Deployment Notes

Overview of Deploying Active Directory in Branch Office Environments

To meet the special requirements of the branch office scenario, deploying the Active Directory® directory service in a branch office environment requires additional configuration beyond that of a normal Active Directory deployment. The Planning section of this guide describes how to examine your needs and use the recommendations provided to create a deployment plan for your branch office environment. This section of the document describes the process of implementing the deployment plan.

This section uses the same sample company as the Planning section. The procedures outlined here are based on deploying the sample company Contoso Pharmaceuticals based on the model established in the Planning section.

This guide is intended for network managers, system integrators, and consultants who are involved in Active Directory branch office implementations, either in their own organizations or for client companies. By implementing the procedures in this document, you should be able to deploy and maintain Active Directory in a large branch office environment. For the purposes of this guide, a large branch office environment is considered to be a deployment in which at least one data center is attached to 100 or more branch offices.

This section of the guide breaks down the deployment process into seven phases. Each chapter covers one phase, beginning with the creation of your forest, and provides the steps necessary to create your sites, deploy the staging servers, and deploy your branch office domain controllers.

Resource Requirements

As with any large technology project, having the right resources for planning and deployment is essential. The resources that you will require for an Active Directory branch office deployment fall into three categories: hardware, software, and personnel. Your specific resource requirements will depend on a number of factors, including project scope, solution features, implementation schedule, and budget. In addition, the skill level and makeup of your existing Active Directory services team will affect your needs for team training and external resources.

Hardware Requirements

The specific hardware requirements for Active Directory depend on the expected service level and load that are defined in the Vision Scope and other planning documents. For example, the number of branches that will be serviced by each bridgehead server and the expected replication load during each replication connection will impact the processor and memory requirements for the bridgehead servers. In addition, the load generated by client and server DNS queries and the number and frequency of directory look-ups from directory-enabled applications will impact hardware requirements in terms of configuration and quantity. Additional help for capacity planning can be found in the Microsoft® Windows® Server 2003 Deployment Kit on the Web at http://go.microsoft.com/fwlink/?linkID=8022.

Software Requirements

The following table lists the software required for deploying Active Directory in a branch office environment.

Table .1   Software Required to Deploy Active Directory in a Branch Office Environment

Item | Description | Details
Microsoft Windows Server 2003, Standard Edition, Windows Server Enterprise Edition, or Windows Server Data Center Edition operating system | The version of Windows Server 2003 you require will depend on the size of your organization or the installed base in your datacenter. All editions of the Windows Server 2003 family are capable of providing Active Directory services in your branch office environment. | Note that Enterprise Edition is required for the ADS server in the staging site (discussed later in this document). For all other installations, the version you choose for the domain controllers can be based on your requirements.
Microsoft Windows Server 2003 Resource Kit Tools | This collection of tools (included with the Windows Server 2003 Deployment Kit) can help you deploy, configure, maintain, and troubleshoot Windows Server 2003. | Download the Windows Server 2003 Resource Kit Tools from the Microsoft Download Center on the Web at http://go.microsoft.com/fwlink/?LinkID=20334.
Windows Server 2003 Deployment Kit | This kit delivers additional information and tools for deploying the Windows Server 2003 operating system. | Download the Windows Server 2003 Deployment Kit on the Web at http://go.microsoft.com/fwlink/?linkID=8022.
Automated Deployment Service (ADS) | ADS is used for the automated partitioning and setup of branch office domain controller operating systems. | The ADS server, located in the staging site, requires Windows Server 2003, Enterprise Edition.
Active Directory branch office installation files | These files are downloaded with this guide and are stored in a self-extracting executable named ADBranch03.exe. | When the files are extracted, they are stored in the C:\ADBranch03 folder.

The following table lists the software that is recommended for monitoring.

Table .2   Recommended Software to Monitor the Branch Office Deployment

Item | Description | Details
Microsoft Operations Manager (MOM) | Microsoft Operations Manager is used for monitoring in the hub site. |
Branch Office Monitor | Branch Office Monitor is used to run some of the monitoring tools and provides monitoring in the branch offices. |
Ultrasound and Microsoft Windows File Replication Service Management Pack | Ultrasound is a robust tool for monitoring and troubleshooting FRS. The Microsoft Windows File Replication Service Management Pack is a bridge from Ultrasound to the MOM console. | Ultrasound can be found at the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=26675. The Microsoft Windows File Replication Service Management Pack can be found at the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=26677.
Active Directory Management Pack (ADMP) | ADMP is the management pack that allows Active Directory monitoring in a MOM environment. | The Active Directory Management Pack (ADMP) can be downloaded from the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=26678.
Microsoft SQL Server 2000 | Microsoft SQL Server is needed to host the MOM database. |
Microsoft SQL Server 2000 Service Pack 3 | Service Pack 3 is required to install Microsoft SQL Server 2000 on a Windows Server 2003 domain controller. | Service packs for SQL Server can be downloaded from the Microsoft SQL Server web site at http://go.microsoft.com/fwlink/?LinkId=26680.

Base Operating System Installation

The procedures in this guide assume that you are starting with a server that already has the base operating system installed. For a branch office deployment, the operating system can be Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition, or Windows Server 2003 Data Center Edition. This guide assumes that you are using Windows Server 2003 Standard Edition with one exception: The server running Automated Deployment Services (ADS) must be running Windows Server 2003 Enterprise Edition.


Important

This guide assumes that all available Service Packs and any outstanding critical updates have been installed. Please contact Microsoft Product Support Services to acquire the updates associated with the Knowledge Base articles listed in this section.

The recommendations in this guide require the installation of the updates in the following articles, which can be found in the Microsoft Knowledge Base. To find these articles, see the Microsoft Knowledge Base on the Web at http://go.microsoft.com/fwlink/?LinkID=4441:

· 823230 - “Issues That Are Resolved in the Pre-Service Pack 1 Release of Ntfrs.exe”

· 824333 - “DNS records used for AD replication may not register on desired DNS Server”

· 824334 - “Branch Office Mode May Not Result in Balanced Connections”

· 824335 - “Hub site domain controllers may not perform inbound replication according to schedule“

· 830092 - “W32Time frequently logs Event ID 50 and poor time synchronization occurs on Windows Server 2003”

In addition to the operating system, this guide assumes that the Windows Server 2003 Support Tools have been installed from the product CD, as well as the Windows Server 2003 Resource Kit Tools, which are available from the Microsoft Download Center on the Web at http://go.microsoft.com/fwlink/?LinkID=20334.

Monitoring Solutions

Three monitoring solutions are discussed in this guide. Based on the decisions you make for your monitoring options you will need access to the installation files for one or more of these solutions. The installation files for these solutions can be found at the following locations:

Branch Office Monitor - Included in the self extracting exe file accompanying this guide.

Ultrasound - Go to www.microsoft.com and search on “FRS Monitoring”

Active Directory Management Pack - Go to www.microsoft.com and search for “Microsoft Operations Manager Downloads”. Note: Microsoft Operations Manager is required in order for you to use the Active Directory Management Pack.

Notes Regarding Specific Versions of Tools

Throughout this guide you will find procedures requiring the use of the following tools:

· ADLB.exe

· Dcdiag.exe

· Repadmin.exe

Although versions of these tools are available through the Windows Server 2003 Resource Kit Tools (ADLB) and the Windows Server 2003 Support Tools (Repadmin and Dcdiag), updated versions have been included in the self-extracting executable file that accompanies this guide.

All procedures in this guide assume you are using the version that is included with the guide.


Important

After installation of the scripts that accompany this guide, which occurs in Chapter 2 of this guide, the updated versions of ADLB.exe, Dcdiag.exe, and Repadmin.exe are located in the C:\ADBranch03\Bin\Tools\x86 folder. A procedure is included in this guide to copy ADLB.exe to the appropriate folder. However, to ensure that you are using the proper version of Repadmin and Dcdiag, you must first install Windows Support Tools and then copy the updated versions of Repadmin.exe and Dcdiag.exe from C:\ADBranch03\Bin\Tools\x86 to C:\Program Files\Support Tools.

Personnel

Active Directory affects your entire organization, so it should not be surprising that the personnel involved in its deployment will cross all boundaries in a company. It is necessary to establish typical roles within an Active Directory environment and within a project team.

Typical roles within the Active Directory environment are:

· Service Administrators

· Data Administrators

· Forest Owner

· Active Directory DNS Owner

· Site Topology Owner

· OU Owner

The roles and responsibilities within a project team are:

· Architects

· Project Manager

The preceding is only a short overview of the personnel who should be involved in deploying Active Directory in a branch office environment. For a detailed description of how to identify project personnel, see “Identifying the Deployment Project Participants” in Chapter 2, “Designing the Active Directory Logical Structure” in the Windows Server 2003 Deployment Kit.

Topology Overview

This guide walks you through the process of building the branch office architecture shown in Figure 1.

Figure 1   Sample Branch Office Environment


This architecture is based on the sample used in the Planning portion of this guide and is designed using the recommendations outlined in the Planning section. The features in this model include:

· The root domain, corp.contoso.com, has two domain controllers in the hub site. Both domain controllers are DNS servers. The first domain controller is also a global catalog server. The second domain controller holds all operations master roles.

· The HQ office domain, hq.corp.contoso.com, has two domain controllers in the hub site. Both domain controllers are DNS servers. The first domain controller holds all domainwide operations master roles. The second domain controller is a global catalog server.

· The branch office domain, branches.corp.contoso.com, starts with seven domain controllers. All domain controllers are DNS servers. The first two domain controllers are not used for intersite replication with the branch sites. The other five domain controllers are used as bridgehead servers. Each bridgehead server is a global catalog server.

· The staging site has a domain controller that is the replication source for the staging process. It also contains the ADS server that is used for the process to build new branch office domain controllers. The staging domain controller is a global catalog server.

· The branch office sites.

The example architecture includes five bridgehead servers. Based on the decisions you made in the Planning Guide, you will need to create the number of bridgehead servers that you determined are necessary for your environment.

This guide will walk you through the configuration of this scenario by giving you instructions for every phase of the deployment. By repeating the domain controller staging process in “Chapter 7 – Installing the Branch Office Domain Controller in the Staging Site,” you can scale out the number of branch offices to meet the requirements of your organization.

The chapters in this guide use the domain names and Internet Protocol (IP) addresses shown in the previous diagram whenever an example is appropriate. Therefore, you will want to have a copy of this diagram available as you go through the chapters and substitute the information in the diagram with your domain name and IP addresses.

The Branch Office Deployment Process

During the deployment process some of the steps, such as building the forest root domains and setting up the domain controllers in the hub site, are performed manually by members of the deployment team. Other steps, such as building the branch office domain controllers, use scripts and are almost fully automated.

By following the instructions described in this guide you will perform the following procedures:

· Build the forest root domain

Start by building the first domain controller to establish the forest root domain. Install the DNS Server service and create the DNS environment needed to support the new forest. Add a second domain controller and make it a DNS server also. After the domain controllers have been built and you have verified that Active Directory and DNS are functioning properly, create the hub site that will be used to represent all of the domain controllers located in the data center. Then move the new domain controllers into the new site.

· Build the headquarters domain

Start by building the first domain controller to establish the headquarters domain. This domain is used to represent the head office or the portion of the organization that is located in the hub site of your model. Install the DNS Server service and integrate this domain into the existing DNS environment that has been created for the forest. Add a second domain controller and install DNS on this server also. After the domain controllers have been built, verify that Active Directory and DNS are functioning properly and verify that they are in the hub site.

· Build the branch office domain

Build the first domain controller to establish the domain that will be used by your branch offices. This domain will be represented in the hub site and the branch office sites. It will contain all the branch office domain controllers and the bridgehead servers used to replicate with the branch offices. Install the DNS Server service and integrate the new domain into the existing DNS environment that has been created for the forest. Add a second domain controller and install DNS on this server also. After the domain controllers have been built, verify that Active Directory and DNS are functioning properly. After the new domain is installed and functioning properly, build the domain controllers that will be designated as the bridgehead servers. Build each bridgehead server and verify that it is functioning properly before proceeding with the next server. After all of the bridgehead servers are built, create a Group Policy object to suppress service (SRV) locator record registration and apply it to all the domain controllers in the branch office domain. Then set permissions on the Group Policy object to prevent the policy from being applied to the domain controllers in the hub site.

· Build the staging site

Create the staging site and then build a domain controller that will be used for staging the branch office domain controllers. After you have tested and verified that the new domain controller is working properly, prepare the server for its role as the staging server. Configure it as a DHCP server and use it to allocate IP addresses to the new branch office domain controllers that are built in the staging site. Use the staging server to create the media backup set that will be used during the Install From Media process during the branch office domain controller build process.

· Prepare Automated Deployment Services

Add another server to the staging site. Install a database engine and Automated Deployment Services (ADS). Install the tools and scripts that accompany this guide. Add another server to the staging site. Configure it to represent a typical server used to build a domain controller that will be placed in a branch office location. This server will be used as a model to create the image used by ADS to build the branch office domain controllers. You must customize some of the DNS settings on the server so that when a new domain controller is built from the image, it is preconfigured to fit into the branch office environment. Also, if there are any additional files you want distributed on all the branch office domain controllers, make sure you copy them onto the server at this time. If you are planning on implementing a monitoring solution that needs to have components distributed to the branch office locations, such as the Branch Office Monitor, install the necessary files. Once the new server is properly configured and you have installed your additional files, run SYSPREP and then use ADS to create an image of the server. Create an ADS job template and you are ready to begin deploying branch office domain controllers.

· Build the Branch Office Domain Controllers

Most of the process required to build the branch office domain controllers is automated and managed by either ADS or scripts that are included with this guide. Once the job has been created on the ADS server, the process is initiated by using Preboot Execution Environment (PXE) technology to start a new server that you want to turn into a branch office domain controller. When the new server is started, ADS uses PXE to detect the new computer and if the computer is listed in a defined job, ADS begins the build process. ADS uses the server image that was created earlier and builds a new server. Once the build process is complete, the new server is rebooted and scripts automatically start the Active Directory installation process. Using the media backup set, IFM is used during the directory installation process. If any problems occur during this process, information is written to log files that can be used to troubleshoot the problem. The process will continue to automatically restart until no problems are encountered and the process has completed successfully. Details about the scripts that are installed and their individual functionality can be found in commented text inside each of the script files. An overview of how the scripts work together can be found in the Readme.txt file located in the folder C:\ADBranch03\adbodg that gets created when you extract the files from the ADBranch03.exe file accompanying this guide.

· Ship the branch office domain controller

When the build process is complete, the scripts will automatically reconfigure the networking settings on the new domain controller so that it is ready to be installed in its branch office location. At that point, the new domain controller should be shut down and immediately boxed and shipped to its new location. It is best to minimize the amount of time the new domain controller is disconnected from the network during the shipping phase of the deployment. If it is disconnected for too long, it will not replicate with other domain controllers when it is turned back on.

Windows 2008 Resources and Development
