Els's blog

Wednesday, December 13, 2006

File Replication Service Problems

Situation:
Your Active Directory environment seems to be working fine. Yet you discover that policies are not always being executed. Sometimes they are, sometimes they're not.
When you check AD replication everything is ok and new objects are replicated to all of the domain controllers. But when you check the Sysvol, one of your DCs seems to be out of date.
After testing Sysvol replication (by adding a file to the sysvol on a good DC and forcing replication to the outdated DC) you discover that this domain controller never receives group policy updates.

Problem:
When you check the Event Viewer on the problem DC, you see the following error message:

Event Id 13561: The File Replication Service has detected that the replica set "Sysvol" is in JRNL_WRAP_ERROR.

A replica set hits JRNL_WRAP_ERROR when the record it is trying to read from the NTFS USN journal is not found. This can occur because of one of the following reasons: ...

Solution:
You will have to remove the server from the Replica Set and then add it again. This will cause the DC to replicate the entire Sysvol again. To accomplish this, do the following:

1. Start Registry Editor.

2. Find the following key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Ntfrs\Parameters

3. Add a new Dword value: Enable Journal Wrap Automatic Restore

4. Set the value to 1.

5. Wait for the Sysvol to get replicated. During this time you will see the following events in the Event Viewer:

13560: FRS is deleting the computer from the replica set.
13553: FRS has added the computer to the replica set.
13516: FRS is no longer preventing the computer from becoming a DC.

At that moment everything should be fine again!

Remark:
Do not forget to change the value of the Journal Wrap Automatic Restore back to 0!
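The same procedure as a script, added here as an example and not part of the original post: it creates the registry value, waits for the three events listed above, and then sets the value back to 0 as the remark requires. It assumes an elevated PowerShell session on the affected DC and that FRS writes to the classic "File Replication Service" event log.

```powershell
# Added example, not part of the original post: automates the registry step,
# waits for the FRS events the post lists, then reverts the value afterwards.
# Assumes an elevated PowerShell session on the affected domain controller.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
$name = 'Enable Journal Wrap Automatic Restore'
$log  = 'File Replication Service'   # classic event log that NTFRS writes to

# Sanity check: only act if this DC actually reported event 13561 (JRNL_WRAP_ERROR).
$wrap = Get-EventLog -LogName $log -Newest 500 | Where-Object { $_.EventID -eq 13561 }
if (-not $wrap) { throw 'No event 13561 in the FRS log; nothing to repair on this DC.' }

$start = Get-Date
# Steps 3 and 4 of the post: create the DWORD value and set it to 1.
New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null

# Step 5: wait until 13560 (removed from the replica set), 13553 (added again)
# and 13516 (no longer prevented from being a DC) have all appeared.
$expected = 13560, 13553, 13516
$deadline = (Get-Date).AddHours(4)
do {
    Start-Sleep -Seconds 60
    $ids  = Get-EventLog -LogName $log -After $start | ForEach-Object { $_.EventID }
    $seen = @($expected | Where-Object { $ids -contains $_ })
    Write-Host ("{0:HH:mm} events seen so far: {1}" -f (Get-Date), ($seen -join ', '))
} while ($seen.Count -lt $expected.Count -and (Get-Date) -lt $deadline)

if ($seen.Count -lt $expected.Count) {
    Write-Warning 'Timed out before all three events appeared; check the FRS log by hand.'
}

# The remark in the post: always set the value back to 0 when the restore is done.
Set-ItemProperty -Path $key -Name $name -Value 0
```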

Monday, December 04, 2006

Bitlocker for Data Partitions

Vista does not support encryption of data partitions using BDE. (Longhorn server will have full support for this feature.)

But if you really want to protect your data with Bitlocker, there is a way! You have to use the same method as described in my previous post: manage-bde.

And what about unlocking this encrypted data drive?
That will not happen automatically. If you reboot your machine after the encryption process, you will no longer be able to access your files.

Your decryption options:

  1. Manually
    cscript manage-bde.wsf -unlock E: -rk "path to encryption key (.bek file)"
    You will have to run this command after every reboot.
  2. Automatically
    cscript manage-bde.wsf -autounlock -enable E:
    This command creates an external key protector on the data volume and stores the associated external key on the BitLocker-protected OS volume. For this to work, your OS volume has to be encrypted with BDE too.

Happy encrypting!

Monday, November 27, 2006

Bitlocker Drive Encryption (without TPM)

Most of you have probably already heard about Bitlocker. But for those of you who don't know it, here's a short overview.

Bitlocker is a data protection feature available in Windows Vista and Longhorn Server. It is implemented to address the threats of data theft or exposure from lost or stolen PCs.

Bitlocker prevents a thief who boots another operating system or runs a software hacking tool from breaking Windows Vista file and system protections or performing offline viewing of the files stored on the protected drive.

Bitlocker enhances data protection by bringing together two major sub-functions: full drive encryption and the integrity checking of early boot components:

  • Drive encryption protects data by preventing unauthorized users from breaking Windows file and system protection on lost or stolen computers. This protection is achieved by encrypting the entire Windows volume. With Bitlocker all user and system files are encrypted including the swap and hibernation files.
  • Integrity checking the early boot components helps to ensure that data decryption is performed only if those components appear unmolested and that the encrypted drive is located in the original computer.

The feature ideally uses a Trusted Platform Module (TPM 1.2) to protect user data and to ensure that the PC has not been tampered with while the system was offline.
A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys.

Now what if you do not have a TPM, but you would like to use Bitlocker Drive Encryption?
No problem, BDE is supported on machines without TPM. The only tricky part is that you cannot enable it using the GUI. In Control Panel (where you would normally enable Bitlocker), you'll see the following:

[Screenshot: bitlocker01]

So, how do you enable bitlocker then?
You will have to use manage-bde, a cscript tool that works with Bitlocker through the WMI interface.

This is what you do:

  • Open a Command Prompt as administrator! (Right-click the cmd shortcut in the Start menu and choose "Run as administrator".)
  • cscript manage-bde.wsf -on C: -sk h: -rp -rk f:

 Command   Explanation
 -on C:    Enable BDE on drive C:
 -sk h:    Create a startup key and save it on drive h: (drive h: will normally be a USB key)
 -rp       Create a recovery password
 -rk f:    Create a recovery key and save it on drive f: (drive f: can be a USB key, hard drive or network drive)

  • Save the numerical recovery password in a safe place!
  • Insert your USB drive.
  • Restart your computer for a hardware test.
  • Use manage-bde -status to check whether the test was successful. If it was, encryption will begin. You can use the same command to keep track of the encryption progress.

[Screenshot: bitlocker05]
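An added example (my own, not from the original post) of running the manage-bde.wsf command above so that the numerical recovery password is captured from the output and stored next to the recovery key instead of scrolling off the screen. It assumes an elevated PowerShell session on Vista, manage-bde.wsf in %windir%\System32, the startup key on drive H: and the recovery key on drive F:.

```powershell
# Added example, not part of the original post: runs the same manage-bde.wsf
# command, captures the recovery password from the output and saves it with the
# recovery key. Assumptions: elevated PowerShell on Vista, manage-bde.wsf in
# $env:windir\System32, startup key drive H:, recovery key drive F:.
$bde           = Join-Path $env:windir 'System32\manage-bde.wsf'
$startupDrive  = 'H:'   # USB key that must be inserted at every boot
$recoveryDrive = 'F:'   # where the recovery key (.bek file) is written

foreach ($d in @($startupDrive, $recoveryDrive)) {
    if (-not (Test-Path "$d\")) { throw "Drive $d not found; insert the USB key first." }
}

# The command from the post: enable BDE on C:, startup key, recovery password, recovery key.
$text = (& cscript //nologo $bde -on C: -sk $startupDrive -rp -rk $recoveryDrive) -join "`n"
Write-Host $text

# A BitLocker recovery password is eight groups of six digits separated by dashes.
$m = [regex]::Match($text, '\b\d{6}(-\d{6}){7}\b')
if (-not $m.Success) { throw 'No recovery password found in the output; do not reboot yet.' }

# Keep the password beside the recovery key on F:, never on the volume being encrypted.
$file = Join-Path $recoveryDrive 'C-recovery-password.txt'
$m.Value | Set-Content -Path $file
Write-Host "Recovery password saved to $file."
Write-Host "Now restart for the hardware test, then run: cscript $bde -status C:"
```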

Friday, November 24, 2006

ADMX files

Using Administrative Templates in Group Policy you can change lots of the default Windows settings, like the Desktop, the Start Menu, Windows Explorer, ...
The settings that can be altered are described in .adm files. One of the benefits of these .adm files is that they can be adjusted. By modifying an .adm file, an administrator can manage almost every registry setting using a friendly interface and deploy these settings using Group Policy.

But there are a few disadvantages as well.

  1. .adm files are stored in individual GPOs.
    For organizations with lots of GPOs, this means that every policy has a copy of every .adm file used in the policy. And these policies, including the .adm files, are replicated to all domain controllers in the environment. If you know that the .adm files take about 4 Mb of a policy's size, you can do your own math.
  2. .adm files are added in a specific language.
    This can be annoying in an environment where administrators speak different languages and would like to see the templates in their own language.

To address these issues, Vista and Longhorn Server introduce a new format for registry-based policy settings: ADMX files (in XML format).

ADMX files are divided into language-neutral and language-specific resources, available to all Group Policy administrators. These factors allow Group Policy tools to adjust their UI according to the administrator's configured language. Adding a new language to a set of policy definitions is achieved by ensuring that the language-specific resource file is available.

 File Type               File Location
 ADM                     C:\inf
 ADMX language neutral   C:\policydefinitions
 ADMX language specific  C:\policydefinitions\en-us (for the US English ADMX language)

One of the main benefits of using the new ADMX files is the central store. This option is available when you are managing domain-based GPOs, although the central store is not used by default.
In Vista and Longhorn the GPO Editor will no longer copy the adm files to each edited GPO, but will provide the ability to read from either a single domain-level location on the domain controller's Sysvol or from the local administrative workstation when the central store is unavailable.

  1. To create the central store:
    1. Create the root folder for the central store on your DC:
      C:\Sysvol\domain\policies\PolicyDefinitions
    2. Create a subfolder in the central store for each language your Group Policy administrators will use. Each subfolder is named after the appropriate ISO-style Language/Culture name. For example, to create a subfolder for US English:
      C:\Sysvol\domain\policies\PolicyDefinitions\en-us
  2. Populate the central store:
    1. Copy all the language-neutral ADMX files from your Vista workstation to the central store on your DC using the xcopy command:
      xcopy c:\PolicyDefinitions\* %logonserver%\sysvol\%userdnsdomain%\policies\PolicyDefinitions
    2. Copy all the ADMX language resource files from your Vista workstation to the central store on your DC:
      xcopy C:\PolicyDefinitions\en-us\* %logonserver%\sysvol\%userdnsdomain%\policies\PolicyDefinitions\en-us
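The create-and-populate steps above as one script, added here as an example (not from the original post), with a check the xcopy commands do not give you: every language-neutral .admx in the central store must have its .adml resource in the language subfolder, otherwise the GPO Editor cannot display the settings it defines. It assumes the workstation's local store is C:\PolicyDefinitions and the language is en-us.

```powershell
# Added example, not part of the original post: builds the central store from a
# Vista workstation and verifies the ADMX/ADML pairs. Assumptions: local store is
# C:\PolicyDefinitions, language en-us, run as a user who can write to Sysvol.
$lang    = 'en-us'
$local   = 'C:\PolicyDefinitions'
# Same target the post's xcopy uses: \\<logonserver>\sysvol\<dns domain>\policies\PolicyDefinitions
$central = "$env:LOGONSERVER\sysvol\$env:USERDNSDOMAIN\policies\PolicyDefinitions"
$centralLang = Join-Path $central $lang

# Step 1: root folder and one subfolder per language.
New-Item -ItemType Directory -Path $centralLang -Force | Out-Null

# Step 2: language-neutral .admx files to the root, .adml resources to the language folder.
Copy-Item -Path (Join-Path $local '*.admx')        -Destination $central     -Force
Copy-Item -Path (Join-Path $local "$lang\*.adml")  -Destination $centralLang -Force

# Check: each .admx needs a matching <name>.adml in the language subfolder.
$admx = @(Get-ChildItem -Path $central -Filter '*.admx')
$missing = @($admx | Where-Object {
    -not (Test-Path (Join-Path $centralLang ($_.BaseName + '.adml')))
})

Write-Host ("{0} ADMX files in {1}, {2} without an {3} resource file" -f `
    $admx.Count, $central, $missing.Count, $lang)
if ($missing.Count -gt 0) {
    Write-Warning ('Missing .adml for: ' + (($missing | ForEach-Object { $_.BaseName }) -join ', '))
}
```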

Important factors:

  • New Vista or Longhorn-based policy settings can only be managed from Vista or Longhorn-based computers. These policies are defined only in ADMX files and, as such, are not exposed on the Windows Server 2003, XP or 2000 versions of the group policy management tools.
  • The Vista and Longhorn version of the GPMC can be used to manage all operating systems that support Group Policy.
  • In the majority of situations, you will not notice the presence of ADMX files during your day-to-day Group Policy administration tasks.

Thursday, November 23, 2006

Print Management in Windows Vista

Print Management is an MMC snap-in that enables you to install, view and manage all of the printers in your organization from any computer running Windows Vista or Windows Server 2003 R2.

You can use Print Management to install printer connections to a group of client computers simultaneously. It can help you find printers that have an error condition by using filters. It allows you to send e-mail notifications or run scripts when a printer or print server needs attention. On printer models that provide a web page, Print Management has access to more data, such as toner and paper levels, which you can manage from remote locations.

[Screenshot: Print Mgmt]

But one of the best features of Print Management is that you can use it to deploy printers to users or computers using Group Policy.

To do this, you use the Deploy with Group Policy dialog box to automatically add a printer connection to an existing GPO. You simply right-click the printer you wish to deploy and select Deploy with Group Policy. When Group Policy processing runs on client computers, the printer connection settings are applied to the users or computers associated with the GPO.

To enable this feature on computers running versions of Windows earlier than Windows Vista, you must use a utility called PushPrinterConnections.exe.
Add this utility to a startup script or a logon script for all computers or users that will get the GPO with the printer settings.
Use the same policy for the script and the printer connection settings.
You can find the PushPrinterConnections.exe in the following directory: %Systemdrive%\Windows\PmcSnap on a Windows Server 2003 R2 machine.

[Screenshot: Print Mgmt GPO]

Remarks:

  1. On computers running Windows 2000, only per-user printer connections are supported. For computer policies, you need at least Windows XP.
  2. Before you can use Group Policy to deploy printers this way, your Active Directory environment has to support these features. That means that you will have to update your AD Schema to match the R2 version using the following command: adprep.exe /forestprep.
    (Adprep can be found on the R2 CD in the following directory: Cmpnents\r2\adprep.)

Friday, July 07, 2006

Booting from USB Stick

Most computers don’t have floppy drives anymore these days. But every now and then, I bet you still wish you had one!

A USB stick is a great and far better alternative, but you can’t boot from your stick. And in some cases that is exactly what you need.

After some searching and testing, I now have a bootable USB Stick. I use it to boot into Windows PE and from there you can start a complete OS install, troubleshoot a system, install additional drivers, …

First thing you need: a number of freeware tools.

Step 1: Format a floppy as DOS boot disk

Don’t worry; you don’t need a real physical floppy drive. Instead we will create a virtual floppy using ‘Virtual Floppy Driver’.

Install the Virtual Floppy Driver:

c:\VirtualFlop\vfd.exe install
c:\VirtualFlop\vfd.exe start
c:\VirtualFlop\vfd.exe link a /L
c:\VirtualFlop\vfd.exe open c:\flop.img

When the system asks you to create the file, say yes.

If you check Windows Explorer now, you should see the A: drive. Right-click drive A: and choose Format. Format the floppy as a DOS startup disk.

Step 2: Format your USB stick as a bootable device

Install the HP USB Disk Storage Format Tool. Then run the tool with the following options:

Device: USB Device

File system: FAT 16

Deselect Quick format

Select Create a DOS startup disk using DOS system files located at A: (virtual floppy drive)


Step 3: Copy Windows boot files to the memory stick

This depends, of course, on the version of Windows that you would like to boot into.

For XP, Windows 2003 and Windows 2000, you need the following boot files:

  • Ntldr
  • Ntdetect.com
  • Boot.ini

For Vista, you need the following files:

  • Bcd
  • Bootfix.bin
  • Bootmgr

Then copy Bootpart to your memory stick and the Windows PE image that you want to boot into.


Step 4: Set your BIOS to boot from USB

Make sure your USB stick is plugged in, restart your computer and enter the BIOS. There, move the USB device to the top of the boot order list.

On most Dell systems you can simply press F12 during the Dell screen and the list of available boot devices will show up. Select your USB device and press enter.

At this moment you are booting from your USB stick, but since you made a DOS boot stick, you boot in DOS.

To boot in Vista or XP or Windows 2003: at the DOS prompt, go to the bootpart directory and type the following:

C:\Bootpart\bootpart <part_type> boot:c:

where <part_type> is one of DOS622, Win95, Winnt or Vista. This will rewrite the boot sector on the C: drive to boot under the OS that you need.

Reboot your machine, boot from the USB stick again and the Windows boot process will start.
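Step 3 of the procedure as a script, added here as an example and not part of the original post: it picks the boot file set for the Windows version you want to boot, refuses to continue if a file is missing, and copies Bootpart and the Windows PE image to the stick. It assumes the stick was already formatted as in step 2, that the source is a Windows install CD or an existing installation root (the Vista files may sit in a \Boot subfolder), that Bootpart is unpacked in C:\Bootpart and that the PE image is C:\winpe.wim.

```powershell
# Added example, not part of the original post: copies the boot files for the
# chosen Windows version to the USB stick (step 3). Assumptions: stick already
# formatted (step 2), Bootpart unpacked in C:\Bootpart, PE image at C:\winpe.wim.
param(
    [ValidateSet('XP', '2003', '2000', 'Vista')] [string] $Windows = 'XP',
    [string] $Source   = 'D:\',          # install CD or installation root holding the boot files
    [string] $Stick    = 'E:\',          # the formatted USB stick
    [string] $Bootpart = 'C:\Bootpart',
    [string] $PeImage  = 'C:\winpe.wim'
)

# The file set differs by generation: NT loader files for XP/2003/2000, Bootmgr for Vista.
$files = if ($Windows -eq 'Vista') { 'bcd', 'bootfix.bin', 'bootmgr' }
         else                      { 'ntldr', 'ntdetect.com', 'boot.ini' }

# Look in the source root and in its \Boot subfolder (where Vista media keeps BCD).
$folders = @($Source, (Join-Path $Source 'Boot'))
$missing = @()
foreach ($f in $files) {
    $hit = $folders | ForEach-Object { Join-Path $_ $f } | Where-Object { Test-Path $_ } |
           Select-Object -First 1
    if ($hit) { Copy-Item -Path $hit -Destination $Stick -Force; Write-Host "copied $hit" }
    else      { $missing += $f }
}
if ($missing.Count -gt 0) { throw "Missing on $Source : $($missing -join ', ')" }

# Bootpart and the Windows PE image go on the stick as well.
Copy-Item -Path $Bootpart -Destination $Stick -Recurse -Force
Copy-Item -Path $PeImage  -Destination $Stick -Force

# Show what ended up on the stick before changing the BIOS boot order (step 4).
Get-ChildItem -Path $Stick | Select-Object Name, Length
```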


By the way, I am blogging in Word 2007 here. Pretty cool, isn’t it?

Just open a new document, choose new blog entry. Then select your blog provider from the list. You will be asked for your blog credentials and when you are ready you can just publish your blog!

Simple.

I’ll do that now.

Thursday, July 06, 2006

Vista deployment

The last few days I've been looking at Vista deployment methods.
And today I'll share some of my experiences with you.

There are quite a few tools available for you to deploy Vista to your client machines.
  • Windows Deployment Services (the next version of RIS)
  • BDD 2007 Beta 1 (Business Desktop Deployment)
  • WAIK (Windows Automated Installation Kit)
  • Windows System Image Manager (the new Setup Manager)
  • Windows Image Format or WIM files
  • ImageX
Using BDD you can perform what is called a Lite Touch Installation. You can prepare almost everything on the server and only minimal user interaction will be required on the client.
To boot the client, you can use a CD containing a Windows PE image that you created with BDD.
When the client starts, this image will be loaded and it will ask you for credentials, a computername and whether you want to join a domain or not. Then you select an image from the list of available images, you choose extra applications to install and that's it. Everything else will happen automatically and after a few minutes your new Vista machine is up and running!

The images used are all Wim images, the new image file format for Vista.
By the way, even a normal manual Vista install uses Wim images. If you extract the Vista iso, you'll see that all there is in the iso is a bunch of Wim files.
So everything is Wim.

Since most IT Pros are lazy by default, we don't like to create boot CDs for every image that we need. No, it would be so much better if we could just boot from the network and start downloading the necessary image files.
That's what you need Windows Deployment Services for. As I said it is the next version of RIS and it works almost the same way. The only difference is that you can deploy Wim images with WDS. (In mixed mode it still supports deploying RIS and Riprep images too.)
With WDS you use a PXE boot to start the client, press F12 when the system tells you to and load a Windows PE image. From within the Windows PE environment, you select the correct image to load and there you go, Vista will be installed and ready to use in no time.

I do have one remark here: I keep wondering why Microsoft did not use ADS as a basis for WDS. I like ADS so much more than RIS.
It has everything you need (ADS already uses XML files, it uses imaging, task sequences, ...), all they had to do is make it support Wim images.
And it does not require you to do anything on the client, not even press F12!
So why???
If anyone has the answer, please enlighten me!

Next week I hope to give you a detailed description on how to use all the tools I just mentioned and the steps to take.

By the way, during my experiments, I also tried to boot Windows PE from my USB stick. After a lot of googling, swearing and testing, I finally succeeded.
I can boot into Windows PE from my USB stick now, but I can't download the full Vista image.
Anyway, since I saw how many people have questions on how to boot from USB (for Vista or XP or whatever), I'll give you the details on how to accomplish this tomorrow!