Thursday, December 5, 2013

Complete Windows 2012 & 2012 R2 Documentation

I generally don't write posts that link to docs but this one is really good and I haven't seen a lot of traffic on it. Microsoft has released the entire contents of the Windows Server 2012 and Windows Server 2012 R2 sections of the TechNet Library.

You can find it here:




From the Details:
This download is an Adobe® PDF of the entire contents of the Windows Server 2012 R2 and Windows Server 2012 section of the Microsoft TechNet Library, for the convenience of Windows Server users who have limited Internet access, or require a portable version of the Windows Server 2012 R2 and Windows Server 2012 documentation. The PDF is 116 MB, and 7,970 pages in length.

That's right, folks, that is almost 8,000 pages. This is not something you are going to read cover to cover quickly, but it is a great reference and Ctrl+F always works. I really like that the document also points you to other great sources like the askds blog. The next version will have askpfe entries as they are taking over much of the on-prem blogging these days. There is a lot of Active Directory content, but there is a lot more in this document.

I also posted this to reddit/sysadmin a few days ago and it received a good response. One of the comments said that we also need a similar PDF for Exchange.

There are not many companies that document and provide anything this thorough so a huge thanks to all the Microsoft teams that have worked to make this happen.  Anyone that has been involved in writing documents or tech writing knows that this takes a lot of time and effort.



Sunday, October 27, 2013

Active Directory Demo Fail Club Lessons Learned

Earlier this year I was speaking at a Microsoft event in the Washington DC area (Reston, VA to be exact).   During this talk I was talking about Windows Server 2012 and Active Directory.   I always like to have demos during the talks so people can actually see what the features look like.

In previous talks I only had a single DC and the demos always work great in that environment.   This time I decided to go with multiple DCs and two domains to make it more realistic.  As anyone that does live demos knows the picture below says it all.  We want our demos to be smooth and to have no issues.

What Every Presenter Thinks

I'll go over what happened and point out lessons learned (good and bad) and hopefully this will help others. I do highly recommend going out and speaking and being involved in the community.  I'm not saying try for the national conferences first but there are usually local events that people can get involved with.  I'm still at the regional level (DC area).

My talk started and I was rolling along and had my slides working fine and showed the audience about the changes in the domain controller promotion process and that went well with no hiccups.   Then I get to the Recycle Bin feature in 2012 using Active Directory Administrative Center (ADAC).  My environment consisted of two 2012 domain controllers in the root domain and one DC in the child.

I show the slide and then I switch to the demo to show everyone how it works since most have not seen it. The first thing I do is go into ADAC and try to enable the recycle bin. This is where the demo fail club starts.

I received several errors when I tried to enable the AD recycle bin.




The Good
The first thing I did was take a second to look at what the errors were telling me. I calmly typed services.msc to verify the Active Directory Web Services were running.

The next thing I did was a quick netdom query fsmo.  All my FSMOs were on my current DCs.

I also verified replication with repadmin.
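The three checks above (ADWS running, FSMO role holders, replication health) scripted as one readiness test; this is an added example, not the author's code, and it assumes the ActiveDirectory module on PowerShell 3.0 or later (for Get-ADReplicationFailure) with RPC/ADWS reachability to the DCs.

```powershell
# Added example, not the author's code: scripts the three checks from the post
# (ADWS running, FSMO role holders, replication health) as one readiness test.
# Assumes the ActiveDirectory module on PowerShell 3.0+ (Get-ADReplicationFailure)
# and RPC/ADWS reachability to the DCs being checked.
Import-Module ActiveDirectory

function Test-ADDemoReadiness {
    [CmdletBinding()]
    param(
        # DCs to check; defaults to every DC in the current domain
        [string[]]$DomainController = (Get-ADDomainController -Filter * |
                                        Select-Object -ExpandProperty HostName)
    )
    $problems = @()

    # 1. services.msc equivalent: without ADWS the AD cmdlets and ADAC cannot
    #    talk to that DC at all, so it is the first thing to confirm.
    foreach ($dc in $DomainController) {
        $svc = Get-Service -Name ADWS -ComputerName $dc -ErrorAction SilentlyContinue
        if (-not $svc -or $svc.Status -ne 'Running') {
            $problems += "ADWS is not running on $dc"
        }
    }

    # 2. netdom query fsmo equivalent: a role holder that is powered off or
    #    outside the checked set is flagged before the Recycle Bin is enabled.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $fsmo = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($role in $fsmo.Keys) {
        if ($DomainController -notcontains $fsmo[$role]) {
            $problems += "$role is held by $($fsmo[$role]), which is not in the checked DC list"
        }
    }

    # 3. repadmin /showrepl equivalent: any recorded inbound failure means a
    #    change made on one DC may not converge to the others in time.
    foreach ($dc in $DomainController) {
        $failures = Get-ADReplicationFailure -Target $dc -ErrorAction SilentlyContinue
        foreach ($f in $failures) {
            $problems += "$dc <- $($f.Partner): $($f.FailureCount) failures, last error $($f.LastError)"
        }
    }

    # One object the caller can inspect, log, or gate a demo/change on
    [pscustomobject]@{
        Ready     = ($problems.Count -eq 0)
        FsmoRoles = $fsmo
        Problems  = $problems
    }
}

Test-ADDemoReadiness | Format-List
```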

The So-So
While this was going on I had a single DC/VM that I turned on. It is much harder for things to go wrong in a single DC demo environment. I've lately been staying away from this as this doesn't simulate any real production environment. I should have turned this machine on the second something went wrong, or even better just had this machine on the entire time "just in case".

The Bad
After checking the services/replication using repadmin I next went into the event logs. As I was typing e..v..e..n..t..v..w..r..m..s..c I knew this was a wrong move but kept doing it anyway. The audience is not there for me to go through an entire troubleshooting course. The Internet connection was spotty, so what if I would have found something useful in event viewer, then what? Would I have also sat there and looked it up and found a KB and taken the time to read that? You get the point; I only had limited time and this was going to take way too long.

After Action Report/Lessons Learned

I ended up going into my single machine and showing them the features and then continued the rest of my presentation. The entire incident took less than 5 minutes but it feels a lot longer when 100 people are staring at you. Some things I learned and have used in subsequent talks:

  1. Always have a backup presentation on an external drive and even a backup laptop if possible.  At a minimum a backup on a USB flash drive because if the laptop dies someone will most likely let you borrow their laptop.
  2. If you encounter an error remember that these are mostly IT Pros listening to your IT Pro talk, so they deal with errors and issues all the time. That is the reason they hire us.
  3. Don't expect to fix every issue in a few minutes; time is usually not on your side.
  4. Always have a backup plan.  In my case it was a backup VM.  I've seen some folks just skip the planned demo.
  5. Remember that you are not the first one to encounter "demo fail". Some very visible examples are below. The first is Bill Gates at CES 2005 and the second is Steve Jobs showing off iPhone 4 features. The point I'm making is it doesn't matter who you are; if you speak at enough events and give enough demos you will eventually join the "Demo Fail Club". It's sort of like a comedian...there is no comedian, no matter how funny, that has not bombed at some point.
  6. The fail is usually not as bad as you think and the audience is usually forgiving and wants to see you succeed and they want to learn.
  7. Microsoft has since asked me to speak at several events and I've taken these lessons learned and have yet to encounter another demo fail club...knock on wood.

I'm in very good company.  Gates & Jobs are also members of this club.








PostScript

When I got back to my desk I left my VMs on but didn't work on them. That is extremely rude in my opinion. Give the next speaker respect and listen if you are going to sit in the room. During the next break an hour later I logged on and enabled the recycle bin, and of course it worked after I gave it a few minutes.











Tuesday, October 22, 2013

Active Directory Powershell Cmdlets in 2012 R2

Windows Server 2012 R2 was released on Oct 18, 2013.   Last Friday was a big day for everyone in the Microsoft community.   In future blog posts I'll be going over some of the new features available for Active Directory in 2012 R2.   I first want to get to know the features well before I blog about them :)

One area that most Active Directory admins are familiar with is PowerShell.   Not everyone is a PowerShell Expert but I'm seeing a lot of folks trying to learn PowerShell and this is definitely true in the Active Directory community.

Windows 2012 R2 and Windows 8.1 introduced PowerShell version 4.   This blog goes over the various versions of PowerShell and what is included for Active Directory in each version.

It is also important to know that you can run various versions of the AD cmdlets against DCs with the Active Directory Web Services running. Ashley McGlone aka GoateePFE has an excellent blog on how to use the PowerShell v3.0 cmdlets from Windows 7. I'd personally use a Windows 8 or 8.1 admin workstation if possible.

PowerShell was known by the code name "Monad" and first shown off publicly in 2003. It has come a long way since then. In PowerShell version 1.0 there were no native Active Directory cmdlets. Quest released PowerShell cmdlets that worked in version 1. The Quest cmdlets are still used today and also work in versions 2-4.

Starting with PowerShell version 2 the Microsoft Active Directory team introduced a native AD module. The initial native AD module contains 76 cmdlets and deals with many common tasks that AD admins deal with including object manipulation (users, groups, computers).

For this blog I'm focusing on the ActiveDirectory module and not other modules such as ADDSDeployment, DNS, and GroupPolicy that are also heavily used by AD admins.

Getting the total number of AD cmdlets is a quick one liner:
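The count one-liner, plus the version-to-version diff behind the tables in this post, as an added example (not the author's code); it assumes the ActiveDirectory module is installed and PowerShell 3.0 or later.

```powershell
# Added example, not the post's own code. Counts the ActiveDirectory module
# cmdlets on this machine (the post's one-liner) and then goes a step further:
# exports the list so it can be diffed against the export from a box running
# another PowerShell / RSAT version, i.e. how the per-version tables are built.
# Assumes the ActiveDirectory module (RSAT) and PowerShell 3.0+ syntax.
Import-Module ActiveDirectory

function Get-ADCmdletInventory {
    # All cmdlets the ActiveDirectory module exports, sorted by name
    $cmds = Get-Command -Module ActiveDirectory -CommandType Cmdlet |
            Select-Object -ExpandProperty Name | Sort-Object
    [pscustomobject]@{
        PSVersion   = $PSVersionTable.PSVersion.ToString()
        CmdletCount = $cmds.Count                     # 76 / 135 / 147 per the post
        # Breakdown by verb (Get, Set, New, Remove, ...) for a quick overview
        Verbs       = $cmds | Group-Object { $_.Split('-')[0] } |
                      Sort-Object Count -Descending |
                      Select-Object Name, Count
        Cmdlets     = $cmds
    }
}

function Export-ADCmdletInventory {
    # Default file name carries the major PS version, e.g. ADCmdlets-v3.clixml
    param([string]$Path = "ADCmdlets-v$($PSVersionTable.PSVersion.Major).clixml")
    Get-ADCmdletInventory | Export-Clixml -Path $Path
    $Path
}

function Compare-ADCmdletInventory {
    param(
        # Path to a .clixml file written by Export-ADCmdletInventory on another box
        [Parameter(Mandatory)][string]$ReferencePath
    )
    $old = Import-Clixml -Path $ReferencePath
    $new = Get-ADCmdletInventory
    # Compare-Object: '=>' means present only here, '<=' only in the reference
    $diff = Compare-Object -ReferenceObject $old.Cmdlets -DifferenceObject $new.Cmdlets
    [pscustomobject]@{
        ReferenceVersion = $old.PSVersion
        CurrentVersion   = $new.PSVersion
        Added            = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
        Removed          = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)
    }
}

# Usage: run Export-ADCmdletInventory on a Windows 7 / PS 3.0 box, copy the file
# to a 2012 R2 / PS 4.0 box and run Compare-ADCmdletInventory -ReferencePath <file>
$inv = Get-ADCmdletInventory
"$($inv.CmdletCount) ActiveDirectory cmdlets on PowerShell $($inv.PSVersion)"
$inv.Verbs | Format-Table -AutoSize
```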





The picture below is a snapshot of the different versions and what is included in each version.  If anyone wants the slide please let me know and I'll send you the PowerPoint.


Active Directory PowerShell Modules through the years



The 76 Active Directory cmdlets introduced in version 2.0 are listed below. Jeffrey Snover is the inventor of PowerShell (Thanks!). He often says his favorite cmdlet is Get-Help. I agree with that and find it very useful. For Linux types, "man" also works. I use the -Examples switch the most, but you can self-discover and learn more about any of these cmdlets. There is also a lot of great material on the web for learning PowerShell. I recommend the Microsoft Virtual Academy courses on PowerShell.





Active Directory PowerShell cmdlets, version 2.0 (76 total AD cmdlets in v2)

Add-ADComputerServiceAccount
Add-ADDomainControllerPasswordReplicationPolicy
Add-ADFineGrainedPasswordPolicySubject
Add-ADGroupMember
Add-ADPrincipalGroupMembership
Clear-ADAccountExpiration
Disable-ADAccount
Disable-ADOptionalFeature
Enable-ADAccount
Enable-ADOptionalFeature
Get-ADAccountAuthorizationGroup
Get-ADAccountResultantPasswordReplicationPolicy
Get-ADComputer
Get-ADComputerServiceAccount
Get-ADDefaultDomainPasswordPolicy
Get-ADDomain
Get-ADDomainController
Get-ADDomainControllerPasswordReplicationPolicy
Get-ADDomainControllerPasswordReplicationPolicyUsage
Get-ADFineGrainedPasswordPolicy
Get-ADFineGrainedPasswordPolicySubject
Get-ADForest
Get-ADGroup
Get-ADGroupMember
Get-ADObject
Get-ADOptionalFeature
Get-ADOrganizationalUnit
Get-ADPrincipalGroupMembership
Get-ADRootDSE
Get-ADServiceAccount
Get-ADUser
Get-ADUserResultantPasswordPolicy
Install-ADServiceAccount
Move-ADDirectoryServer
Move-ADDirectoryServerOperationMasterRole
Move-ADObject
New-ADComputer
New-ADFineGrainedPasswordPolicy
New-ADGroup
New-ADObject
New-ADOrganizationalUnit
New-ADServiceAccount
New-ADUser
Remove-ADComputer
Remove-ADComputerServiceAccount
Remove-ADDomainControllerPasswordReplicationPolicy
Remove-ADFineGrainedPasswordPolicy
Remove-ADFineGrainedPasswordPolicySubject
Remove-ADGroup
Remove-ADGroupMember
Remove-ADObject
Remove-ADOrganizationalUnit
Remove-ADPrincipalGroupMembership
Remove-ADServiceAccount
Remove-ADUser
Rename-ADObject
Reset-ADServiceAccountPassword
Restore-ADObject
Search-ADAccount
Set-ADAccountControl
Set-ADAccountExpiration
Set-ADAccountPassword
Set-ADComputer
Set-ADDefaultDomainPasswordPolicy
Set-ADDomain
Set-ADDomainMode
Set-ADFineGrainedPasswordPolicy
Set-ADForest
Set-ADForestMode
Set-ADGroup
Set-ADObject
Set-ADOrganizationalUnit
Set-ADServiceAccount
Set-ADUser
Uninstall-ADServiceAccount
Unlock-ADAccount




An additional 59 Active Directory cmdlets were introduced with version 3.0, bringing the total to 135. As you would expect, the new cmdlets in v3 are centered around the new features introduced for Active Directory in Windows Server 2012 such as Dynamic Access Control.

There are also new cmdlets in v3 that can be used for replication and topology management. They are not a complete replacement for the powerful repadmin tool, but they are another excellent resource for AD admins.




59 additional AD cmdlets, PowerShell version 3.0 (135 total AD cmdlets in v3)

Add-ADCentralAccessPolicyMember
Add-ADResourcePropertyListMember
Clear-ADClaimTransformLink
Get-ADCentralAccessPolicy
Get-ADCentralAccessRule
Get-ADClaimTransformPolicy
Get-ADClaimType
Get-ADDCCloningExcludedApplicationList
Get-ADReplicationAttributeMetadata
Get-ADReplicationConnection
Get-ADReplicationFailure
Get-ADReplicationPartnerMetadata
Get-ADReplicationQueueOperation
Get-ADReplicationSite
Get-ADReplicationSiteLink
Get-ADReplicationSiteLinkBridge
Get-ADReplicationSubnet
Get-ADReplicationUpToDatenessVectorTable
Get-ADResourceProperty
Get-ADResourcePropertyList
Get-ADResourcePropertyValueType
Get-ADTrust
New-ADCentralAccessPolicy
New-ADCentralAccessRule
New-ADClaimTransformPolicy
New-ADClaimType
New-ADDCCloneConfigFile
New-ADReplicationSite
New-ADReplicationSiteLink
New-ADReplicationSiteLinkBridge
New-ADReplicationSubnet
New-ADResourceProperty
New-ADResourcePropertyList
Remove-ADCentralAccessPolicy
Remove-ADCentralAccessPolicyMember
Remove-ADCentralAccessRule
Remove-ADClaimTransformPolicy
Remove-ADClaimType
Remove-ADReplicationSite
Remove-ADReplicationSiteLink
Remove-ADReplicationSiteLinkBridge
Remove-ADReplicationSubnet
Remove-ADResourceProperty
Remove-ADResourcePropertyList
Remove-ADResourcePropertyListMember
Set-ADCentralAccessPolicy
Set-ADCentralAccessRule
Set-ADClaimTransformLink
Set-ADClaimTransformPolicy
Set-ADClaimType
Set-ADReplicationConnection
Set-ADReplicationSite
Set-ADReplicationSiteLink
Set-ADReplicationSiteLinkBridge
Set-ADReplicationSubnet
Set-ADResourceProperty
Set-ADResourcePropertyList
Sync-ADObject
Test-ADServiceAccount


Windows Server 2012 R2 introduced an additional 12 AD cmdlets, bringing the total up to 147 AD cmdlets. The 12 new cmdlets are centered around Authentication Policies and Authentication Policy Silos. If you haven't seen them, open up the AD Admin Center on a 2012 R2 box.




I'm personally still learning about these new features myself.   Authentication policies can control which hosts an account can sign into. Windows Server 2012 R2 is also being called the "CloudOS" so many of the new features are based around Azure and the cloud.


12 additional AD cmdlets, PowerShell version 4.0 (147 total AD cmdlets in v4)

Get-ADAuthenticationPolicy
Get-ADAuthenticationPolicySilo
Grant-ADAuthenticationPolicySiloAccess
New-ADAuthenticationPolicy
New-ADAuthenticationPolicySilo
Remove-ADAuthenticationPolicy
Remove-ADAuthenticationPolicySilo
Revoke-ADAuthenticationPolicySiloAccess
Set-ADAccountAuthenticationPolicySilo
Set-ADAuthenticationPolicy
Set-ADAuthenticationPolicySilo
Show-ADAuthenticationPolicyExpression

Monday, July 8, 2013

20 Years Ago - Army Boot Camp

It was 20 years ago this week that I left my home in Virginia and headed to Ft. Jackson, SC for Army boot camp. I didn't know what to expect because I didn't know anyone in the Army at the time. I had a good friend in the Marines and another who had gone to the Navy around the same time, but this was a new adventure.

I was a very naive 19 year old leaving for boot camp.  I thought I should be in college and that was the only road to success.  I couldn't have been more wrong. The problem with college is that it cost money and I didn't have enough.  In 1993 things were also much different.  I did join after the first World Trade Center bombing but we didn't have war to truly worry about.  I was also involved in Operation Joint Endeavor  but again not the same fear of war that exists for a young person joining today.  I truly admire the post 9/11 military generation.  Joining during two major wars takes a lot of courage.

By the way I'm not saying school is not important I also went to George Mason after I got out but I would not be where I am today without my service.

Looking back 20 years later it was one of the best decisions I ever made.  I met some great people and the entire experience expanded my view of everything.  You will often hear guys in the military talk about fighting/serving with their brothers.  I can attest to that being true.  In my case Daryl Penn, Todd Hurley, and Will "Big Perm" Forbes are my brothers.  Todd ended up going back in and fighting post 9/11.  In addition to those three guys there were countless other people.  The list is way too long for this blog but a heartfelt thank you to those I served with.

Everyone joins for different reasons but the military fraternity and camaraderie  is something that will stay with you forever.  I'm now in IT and a few years ago I got to go back to Ft. Huachuca for work with the Army.  I had gone to MOS (job) training there and all those years later I still carry many of the lessons with me.

Hooah! and thanks to all that are serving or have served!

Laid back off-duty look...I wish I was that thin and in-shape now


Post Gas Chamber...old school BDU 

Monday, July 1, 2013

Microsoft MVP Year 5

I received an email this morning letting me know that I have been renewed as a Microsoft MVP in Directory Services for the fifth year.



I get excited every time I receive the award and I'm so humbled to be in such great company.  The five year mark is an important mark.  I'm glad that I have been able to make a contribution to the community which has helped me much more than I've helped it.

I previously thanked a lot of people.   I won't go through the list again but the same things I said before still apply.

I would like to thank a few new folks this year.  DeLise and everyone at the Microsoft Reston and Chevy Chase Offices.  This is the first year that I started speaking and it is something that I've come to enjoy.  I'm glad to be part of the events.   Shameless plug for TechGate 2013

I've also been a part of several book projects and want to thank the folks at Packt Publishing and O'Reilly Publishing for letting me be a part of them.

Lastly all the people on Twitter working with Active Directory.  I really like the interaction on Twitter and I've met some great and passionate people over there.

Active Directory is starting to make a shift to the cloud (slow shift; it won't happen tomorrow). I'm hoping to turn and pivot as the product evolves (hint everyone learn ADFS).  There are some very smart people in Redmond working on AD and lots of great PFEs in the field.  Active Directory is not going anywhere so stay tuned for more ADISFUN.




Tuesday, June 25, 2013

Windows Server 2012 R2 Preview - Schema Version

I previously posted a "quick-hitter" blog about the schema version in Windows Server 2012.

Windows Server 2012 R2 Preview was released today! The current version is 69.

I once again used adfind to quickly find the schema version.




For those that prefer to use PowerShell, you can also find the objectVersion that way.
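The PowerShell version of the lookup, as an added example rather than the author's screenshot; it assumes the ActiveDirectory module and a reachable DC, and it maps the number to the release names from the table in this post.

```powershell
# Added example (not the post's own screenshot): read the schema objectVersion
# with the AD cmdlets and map it to the release from the table in this post.
# Assumes the ActiveDirectory module and a reachable DC.
Import-Module ActiveDirectory

# Version-to-release table exactly as listed in the post (as of 25 June 2013)
$SchemaVersions = @{
    13 = 'Windows 2000'
    30 = 'Windows 2003'
    31 = 'Windows 2003 R2'
    44 = 'Windows 2008'
    47 = 'Windows 2008 R2'
    56 = 'Windows Server 2012'
    69 = 'Windows Server 2012 R2 Preview'
}

function Get-ADSchemaVersion {
    param(
        # Optional DC to bind to; by default the module picks one
        [string]$Server
    )
    $rootDse = if ($Server) { Get-ADRootDSE -Server $Server } else { Get-ADRootDSE }

    # objectVersion lives on the schema container (CN=Schema,CN=Configuration,...),
    # not on RootDSE, so bind to schemaNamingContext and ask for that attribute
    $params = @{
        Identity   = $rootDse.schemaNamingContext
        Properties = 'objectVersion'
    }
    if ($Server) { $params['Server'] = $Server }
    $schema = Get-ADObject @params

    $version = [int]$schema.objectVersion
    [pscustomobject]@{
        SchemaDN      = $schema.DistinguishedName
        ObjectVersion = $version
        # 'Unknown' means newer than the table above; extend $SchemaVersions
        Release       = if ($SchemaVersions.ContainsKey($version)) { $SchemaVersions[$version] } else { 'Unknown' }
    }
}

Get-ADSchemaVersion
```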




The current (as of 25 June 2013) Active Directory Schema version table is listed below.

Operating system                  Schema version
Windows Server 2012 R2 Preview    69
Windows Server 2012               56
Windows 2008 R2                   47
Windows 2008                      44
Windows 2003 R2                   31
Windows 2003                      30
Windows 2000                      13


You can download an evaluation copy of Windows Server 2012 R2  and go start to learn and have fun.  Thanks to all the hard work put in by the many people at Microsoft that made today happen.

Thursday, May 2, 2013

Software and Security on Domain Controllers

This post was inspired by someone who I consider a friend and a mentor in the Active Directory world...11-time AD MVP Joe Richards.

Microsoft recently published an excellent Active Directory Security document.   Laura Robinson is the lead author of the document and there are serious heavy hitters in the acknowledgements section including Laura Hunter, Dean Wells, and others.   You can download the document using the link below:

Best Practices for Securing Active Directory

Joe brought up an excellent point on the DS-MVP list: we all know that best practice is to not run additional and unnecessary software on domain controllers, but was this documented? The document above addresses this.

From page 27 of the document:


Protecting Domain Controllers

Domain controllers should be treated as critical infrastructure components, secured more stringently and configured more rigidly than file, print, and application servers. Domain controllers should not run any software that is not required for the domain controller to function or doesn't protect the domain controller against attacks. Domain controllers should not be permitted to access the Internet, and security settings should be configured and enforced by Group Policy Objects (GPOs). Detailed recommendations for the secure installation, configuration, and management of domain controllers are provided in the Securing Domain Controllers Against Attack section of this document.

Microsoft also recently released a shorter document that is worth downloading and reading.

Securing Active Directory: An Overview of Best Practices 

I appreciate Microsoft and everyone who took time to write, edit, and review this important document. Many times we can tell our customers best practices, but they often don't believe it unless they see it come from a Microsoft site or document.

If you have worked around Active Directory long enough this is a common problem: domain controllers used as file servers/app servers/etc. This is simple: reduce your attack vectors; don't install unnecessary software on your DCs. Also look into RODCs and Server Core as other easy ways to help secure DCs.
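One way to turn that guidance into a repeatable check, as an added example that is not part of the post or the Microsoft document: inventory the roles installed on every DC in the domain and flag any beyond an allowed set. It assumes the ActiveDirectory and ServerManager modules (Server 2012 / RSAT), that Get-WindowsFeature can reach the DCs remotely, and an allowed-role list that is my assumption to adjust, not something the document specifies.

```powershell
# Added example, not part of the original post or the Microsoft document.
# Lists the installed roles on each DC and flags anything outside an allowed
# set, so "no unnecessary software on DCs" becomes a check you can schedule.
# Assumes the ActiveDirectory + ServerManager modules (Server 2012 / RSAT) and
# remote Get-WindowsFeature access. The allowed-role list is an assumption.
Import-Module ActiveDirectory
Import-Module ServerManager

function Get-DCInstalledRoles {
    param(
        # Roles a DC is expected to carry (assumed baseline; edit for your forest)
        [string[]]$AllowedRole = @('AD-Domain-Services', 'DNS', 'FileAndStorage-Services')
    )
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # Everything the Server Manager inventory reports as installed
            $installed = Get-WindowsFeature -ComputerName $dc.HostName -ErrorAction Stop |
                         Where-Object { $_.Installed }
        }
        catch {
            Write-Warning "Could not inventory $($dc.HostName): $($_.Exception.Message)"
            continue
        }
        # Top-level roles only (FeatureType 'Role'), not role services/features
        $roles = $installed | Where-Object { $_.FeatureType -eq 'Role' }

        [pscustomobject]@{
            DomainController = $dc.HostName
            Site             = $dc.Site
            IsReadOnly       = $dc.IsReadOnly            # RODC, as the post suggests
            OperatingSystem  = $dc.OperatingSystem
            InstalledRoles   = @($roles | ForEach-Object Name)
            UnexpectedRoles  = @($roles | Where-Object { $AllowedRole -notcontains $_.Name } |
                                  ForEach-Object Name)
            FeatureCount     = @($installed).Count
        }
    }
}

# Report only the DCs that carry a role outside the baseline
Get-DCInstalledRoles | Where-Object { $_.UnexpectedRoles.Count -gt 0 } |
    Format-Table DomainController, IsReadOnly, UnexpectedRoles -AutoSize
```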

You may also see similar posts on other MVP blogs. Joe has asked us to get the word out about this.