Been there, done that. Next hype plz.
Const ForReading =1 – personal brainstorms, items, and other random webstuff
The Ask the Directory Services Team Blog posted some goodness:
The Remote Server Administration Toolkit update to support Windows 7 Service Pack 1 has been released.
See http://blogs.technet.com/b/askds/archive/2011/04/07/rsat-for-windows-sp1-is-now-available.aspx or get it at http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d
Be careful when implementing a Windows 2008 based Certificate Authority in a mixed 2003R2 and 2008(R2) environment. By default, the installation of the ADCS role on a 2008 server selects SHA2 type algorithms, which are not quite compatible with Server 2003R2 SP2 or XP SP3.
You will need a hotfix on those older systems.
While waiting for a new hardware setup I decided to jump the gun and upgrade my old 2003CA to 2008 in advance – a pretty straightforward process of decommissioning and deploying a new CA on a fresh 2008 install. Both my Home Theatre setup and laptop are running Vista or 7, and there’s a virtualized Core 2008 Domain Controller as well. No problems there.
However, there is still one slight snag as I’m still using a 2003 machine as second physical DC (which hosts my DFS namespace and I haven’t gotten around to upgrading that one).
After a couple of days, that machine started spewing Event ID 13 errors every eight hours in the Application log:
```
Event Type:     Error
Event Source:   AutoEnrollment
Event Category: None
Event ID:       13
Date:           28-2-2011
Time:           18:14:37
User:           N/A
Computer:       MYDC
Description:
Automatic certificate enrollment for local system failed to enroll for one Domain Controller Authentication certificate (0x80092009). Cannot find the requested object.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
```
Secure Channel for LDAP over SSL also breaks because of this, so you’ll see those warnings as well.
A quick look in the ADCS snap-in confirmed both the Directory Email Replication and Domain Controller Authentication certificates were trying to autoenroll but failing every 8 hours.
A search for "cannot find the requested object" quickly resolved that, pointing the way to http://support.microsoft.com/kb/968730.
After requesting the hotfix and rebooting, AutoEnroll properly processes the request again, and SSL enabled LDAP connections are restored.
More information is also available on the Windows PKI Technet Blog: http://blogs.technet.com/b/pki/archive/2011/02/08/common-questions-about-sha2-and-windows.aspx
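To check for this situation before (or after) rolling out a 2008 CA in a mixed environment, here is an added PowerShell example (not from the original post): it reports which hash algorithm the CA signs with, scans a 2003 DC's Application log for the AutoEnrollment failures described above, and checks whether KB968730 is present. Computer names are placeholders; the certutil output format it parses is assumed to be the usual `Name REG_SZ = Value` layout.

```powershell
function Get-CaHashAlgorithm {
    # Run on the CA itself. certutil -getreg reads the CA's CSP configuration;
    # CNGHashAlgorithm is the hash a 2008 CA signs with (SHA256 by default,
    # which is what the 2003/XP clients choke on without the hotfix).
    $out = certutil -getreg ca\csp\CNGHashAlgorithm 2>&1
    $m = $out | Select-String 'CNGHashAlgorithm\s+\S+\s*=\s*(\S+)'
    if ($m) { return $m.Matches[0].Groups[1].Value }
    return $null
}

function Get-AutoEnrollFailures {
    param([string]$Computer = $env:COMPUTERNAME, [int]$Hours = 24)
    # Event ID 13 from source AutoEnrollment carrying 0x80092009 is the
    # symptom from the post; filter on EventID rather than InstanceId so the
    # severity bits in older logs do not get in the way.
    Get-EventLog -LogName Application -ComputerName $Computer -Source AutoEnrollment `
                 -After (Get-Date).AddHours(-$Hours) -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 13 -and $_.Message -match '0x80092009' } |
        Select-Object TimeGenerated, MachineName, Message
}

function Test-Sha2Hotfix {
    param([string]$Computer = $env:COMPUTERNAME)
    # KB968730 is the hotfix the post points to for 2003/XP SHA2 support.
    $fix = Get-HotFix -Id KB968730 -ComputerName $Computer -ErrorAction SilentlyContinue
    return ($null -ne $fix)
}

# Constructed usage: 'CA01' and 'DC2003' are placeholder names.
# Write-Host ("CA hash algorithm: " + (Get-CaHashAlgorithm))
# Get-AutoEnrollFailures -Computer 'DC2003' -Hours 48 | Format-List
# Write-Host ("KB968730 on DC2003: " + (Test-Sha2Hotfix -Computer 'DC2003'))
```

If `Get-CaHashAlgorithm` returns a SHA2 value and `Test-Sha2Hotfix` is false on a 2003/XP box that still needs to autoenroll, expect the Event ID 13 pattern to keep recurring every 8 hours until the hotfix is applied.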
On a regular Windows 7 install, Action Center in Control Panel notifies the user in case settings are not set to defaults or if maintenance settings are not set – for instance, if you’ve configured Windows Update to prompt for install (and not automatically install available updates on shutdown), or Windows Backup.
Notifications are presented by means of the little Action Center flag in the systray, and a popup window.
You can normally disable these messages in the Action Center, either by clicking the links provided or by changing the Action Center settings on the left.
On most corporate networks, however, Control Panel entries are either limited to user specific settings or blocked altogether, in which case Action Center is not available but the notification will still bug you about the settings – like when you’re using SCCM, for instance, to install updates.
That’s not a bad thing per se, as Antivirus products also use the Action Center to notify you in case something is wrong.
Simply hiding the Action Center flag may not be the solution; that’s like sticking your head in the sand saying neenerneenerneener and waiting for that freight train to hit you head-on.
In that case, Group Policy Preferences allow you to enter presets and disable the abovementioned prompts.
I’ve used Process Monitor to filter on the exact registry entries used to configure the settings.
Then, create a GP preference and snapshot* the disabled items.
*These are REG_BINARY keys; the value field is too short to enter the values manually.
For reference, these are the exact keys and binary values used.
Once applied to your User OU, these settings ensure the Action Center will still prompt for any other mishaps but ignore Windows Update or Backup.
Last year, I posted about the DFS Modlink utility, which you need if you want to manipulate DFS link states against DFS-N – Windows 2003 didn’t have any non-GUI tooling to do that, except for the Win32_DFSnode WMI properties.
Windows XP, however, does not support that particular interface, which leaves only modlink as a way to disable or enable a DFS link.
From Windows 2008 onward, that sorely missing functionality is available in the revamped dfsutil commandline tool. And as an added bonus, changing the TTL for a link is also possible.
Even more, dfsutil in 2008R2 (and therefore Windows 7 clients with RSAT installed) lets you set the Access Based Enumeration property.
Below are the property commands:
```
E:\>dfsutil property

DESCRIPTION:
Displays or modifies the properties of a folder target (link target) or
namespace server (root target).

------ PROPERTY Commands Supported ------

Sitecosting      Displays or modifies site costing for a namespace.
RootScalability  Displays or modifies the namsespace polling mode.
ABE              Enable/Disable/View ABE property of a namespace.
Insite           Displays or modifies the in-site property.
TargetfailBack   Displays or modifies client fail back.
SD               Set/Get Security Information on the folder.
State            Displays or modifies a folder target or namespace server.
TTL              Displays or changes client referral caching.
PriorityRank     Displays or changes the ordering method (priority rank).
PriorityClass    Displays or changes the target priority.
Comment          Sets or displays the comment for a namespace or link.
```
So, what do we do with this? Let’s say you’re migrating your DFS-Namespace enabled* data shares to a newer fileserver with more storage capacity.
*No DFS-R, in case you’re wondering, because the original server might be a Windows 2003 non-R2 install.
The default link timeout is 7200 seconds (2 x 60 x 60 seconds = 2 hours), meaning your DFS client will check for changes in state after that time. During your migration window, you’ll want to ensure that any changes are picked up within a shorter time.
```
E:\>dfsutil property ttl \\alt-92.net\data\share1
The timeout for \\alt-92.net\data\share1 is 7200
```
First, we’ll change the timeout setting to a 5 minute setting:
```
E:\>dfsutil property ttl set \\alt-92.net\data\share1 300

Done processing this command.

E:\>dfsutil property ttl \\alt-92.net\data\share1
The timeout for \\alt-92.net\data\share1 is 300
```
Then, using both dfscmd and dfsutil, we’ll add our new fileshare to the link AND set it offline:
```
dfscmd /add \\alt-92.net\data\share1 \\newserver\data\share1
dfsutil property state offline \\alt-92.net\data\share1 \\newserver\data\share1
```
After syncing the content with robocopy (be sure to check the /MT switch for multithreading on Windows 2008R2 or Windows 7), we now flip the link state on both shares and restore the timeout value to its former setting:
```
dfsutil property state offline \\alt-92.net\data\share1 \\oldserver\data\share1
dfsutil property state online \\alt-92.net\data\share1 \\newserver\data\share1
dfsutil property ttl set \\alt-92.net\data\share1 7200
```
After that, we’ll decommission the old fileserver by taking the shares offline and removing the old links from the DFS Namespace with dfscmd:
```
dfscmd /remove \\alt-92.net\data\share1 \\oldserver\data\share1
```
Et voila: we’ve migrated our DFS enabled fileshares to a new server with minimal downtime.
Fully scripted, it’s now feasible to migrate a DFS Namespace root with hundreds of links in just a few hours (including the final replication with robocopy – the bulk copy we’ve started a couple of days in advance).
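The scripted version of the sequence above, as an added PowerShell example (not the post's own script): it runs the same dfsutil/dfscmd/robocopy steps for a list of links and stops before the decommission step so the old target stays online if the final sync reports failures. The namespace, server names and link list are assumed placeholders, and the robocopy log path is my own choice.

```powershell
param(
    [string]$Namespace    = '\\alt-92.net\data',    # DFS-N root from the post
    [string]$OldServer    = 'oldserver',             # placeholder
    [string]$NewServer    = 'newserver',             # placeholder
    [string[]]$Links      = @('share1', 'share2'),   # constructed sample list
    [int]$MigrationTtl    = 300,                     # 5 minutes during the window
    [int]$DefaultTtl      = 7200                     # restored afterwards
)

function Invoke-Tool {
    # Runs dfsutil/dfscmd and aborts the link on a non-zero exit code,
    # so a failed state change is never silently skipped.
    param([string]$Exe, [string[]]$ArgList)
    & $Exe @ArgList
    if ($LASTEXITCODE -ne 0) { throw "$Exe $ArgList failed (exit $LASTEXITCODE)" }
}

foreach ($link in $Links) {
    $dfsPath   = "$Namespace\$link"
    $oldTarget = "\\$OldServer\data\$link"
    $newTarget = "\\$NewServer\data\$link"

    # Phase 1: shorten referral caching, then stage the new target offline.
    Invoke-Tool dfsutil @('property', 'ttl', 'set', $dfsPath, "$MigrationTtl")
    Invoke-Tool dfscmd  @('/add', $dfsPath, $newTarget)
    Invoke-Tool dfsutil @('property', 'state', 'offline', $dfsPath, $newTarget)

    # Phase 2: final sync. The bulk copy is assumed to have run days earlier;
    # /MIR mirrors the tree, /MT multithreads on 2008R2/Windows 7.
    & robocopy $oldTarget $newTarget /MIR /COPYALL /R:1 /W:1 /MT:16 /NP `
               /LOG+:"$env:TEMP\dfsmig-${link}.log"
    # robocopy exit codes 8 and above mean at least one file failed to copy.
    if ($LASTEXITCODE -ge 8) {
        Write-Warning "robocopy reported failures for $link; old target left online"
        continue
    }

    # Phase 3: flip the link states and restore the original TTL.
    Invoke-Tool dfsutil @('property', 'state', 'offline', $dfsPath, $oldTarget)
    Invoke-Tool dfsutil @('property', 'state', 'online', $dfsPath, $newTarget)
    Invoke-Tool dfsutil @('property', 'ttl', 'set', $dfsPath, "$DefaultTtl")
    Write-Host "Migrated $dfsPath -> $newTarget"
}

# Decommission (run separately, once clients have picked up the new referral):
#   dfscmd /remove <dfsPath> <oldTarget>   for each migrated link
```

Clients only notice the flipped state after their cached referral expires, so give it at least one `$MigrationTtl` interval before removing the old targets.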