Els's blog

File Replication Service Problems

2006-12-13T22:14:00.001+01:00

Situation:
Your Active Directory environment seems to be working fine. Yet you discover that policies are not always being executed. Sometimes they are, sometimes they're not.
When you check AD replication everything is ok and new objects are replicated to all of the domain controllers. But when you check the Sysvol, one of your DCs seems to be out of date.
After testing Sysvol replication (by adding a file to the sysvol on a good DC and forcing replication to the outdated DC) you discover that this domain controller never receives group policy updates.

Problem:
When you check the Event Viewer on the problem DC, you see the following error message:

Event Id 13561: The File Replication Service has detected that the replica set "Sysvol" is in JRNL_WRAP_ERROR.

A replica set hits JRNL_WRAP_ERROR when the record it is trying to read from the NTFS USN journal is not found. This can occur because of one of the following reasons: ...

Solution:
You will have to remove the server from the Replica Set and then add it again. This will cause the DC to replicate the entire Sysvol again. To accomplish this, do the following:

1. Start Registry Editor.

2. Find the following key: HKEY_LOCAL_MACHINE\System \CurrentControlSet\Services\Ntfrs\Parameters

3. Add a new Dword value: Enable Journal Wrap Automatic Restore

4. Set the value to 1.

5. Wait for the Sysvol to get replicated. During this time you will see the following events in the Event Viewer:

13560: FRS is deleting the computer from the replica set.
13553: FRS has added the computer to the replica set.
13516: FRS is no longer preventing the computer from becoming a DC.

At that moment everything should be fine again!

Remark:
Do not forget to change the value of the Journal Wrap Automatic Restore back to 0!

Bitlocker for Data Partitions

2006-12-04T20:16:00.001+01:00

Vista does not support encryption of data partitions using BDE. (Longhorn server will have full support for this feature.)

But if you really want to protect your data with Bitlocker, there is a way! You have to use the same method as described in my previous post: manage-bde.

And what about unlocking this encrypted data drive?
That will not happen automatically. If you reboot your machine after the encryption process, you will no longer be able to access your files.

Your decryption options:

Manually
cscript manage-bde.wsf -unlock E: -rk "path to encryption key (.bek file)"
You will have to run this command after every reboot.
Automatically
cscript manage-bde.wsf -autounlock -enable E:
This command will create an external key protector on the data volume and stores the associated external key onto the bitlocker-protected OS volume. For this to work, your OS volume has to be encrypted with BDE too.

Happy encrypting!

Bitlocker Drive Encryption (without TPM)

2006-11-27T08:56:00.001+01:00

Most of you have probably already heard about Bitlocker. But for those of you who don't know it, here's a short overview.

Bitlocker is a data protection feature available in Windows Vista and Longhorn Server. It is implemented to address the threats of data theft or exposure from lost or stolen PCs.

Bitlocker prevents a thief who boots another operating system or runs a software hacking tool from breaking Windows Vista file and system protections or performing offline viewing of the files stored on the protected drive.

Bitlocker enhances data protection by bringing together two major sub-functions: full drive encryption and the integrity checking of early boot components:

Drive encryption protects data by preventing unauthorized users from breaking Windows file and system protection on lost or stolen computers. This protection is achieved by encrypting the entire Windows volume. With Bitlocker all user and system files are encrypted including the swap and hibernation files.
Integrity checking the early boot components helps to ensure that data decryption is performed only if those components appear unmolested and that the encrypted drive is located in the original computer.

The feature ideally uses a Trusted Platform Module (TPM 1.2) to protect user data and to ensure that the PC has not been tampered with while the system was offline.
A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys.

Now what if you do not have a TPM, but you would like to use Bitlocker Drive Encryption?
No problem, BDE is supported on machines without TPM. The only tricky part is that you cannot enable it using the GUI. In Control Panel (where you would normally enable Bitlocker), you'll see the following:

So, how do you enable bitlocker then?
You will have to use manage-bde, a cscript tool that works with Bitlocker through the WMI interface.

This is what you do:

Open a Command Prompt as administrator! (Rightclick the cmd shortcut in the Start menu and choose "Run as administrator".)
cscript manage-bde.wsf -on C: -sk h: -rp -rk f:

Command Explanation

-on C: Enable BDE on drive C:

-sk h: Create a startup key and save it on drive h:
Drive h: will normally be a USB key

-rp Create a recovery password

-rk f: Create a recovery key and save it on drive f:
Drive f: can be a USB key, hard drive, network drive

Save the numerical recovery password in a save place!
Insert your USB drive.
Restart your computer for a hardware test.
Use manage-bde -status to check whether the test was successful. If it was, encryption will begin. You can use the same command to keep track of the encryption progress.

ADMX files

2006-11-24T09:07:00.001+01:00

Using Administrative Templates in Group Policy you can change lots of the default Windows settings, like the Desktop, the Start Menu, Windows Explorer, ...
The settings that can be altered are described in .adm files. One of the benefits of these .adm files is that they can be adjusted. By modifying an .adm file, an administrator can manage almost every registry setting using a friendly interface and deploy these settings using Group Policy.

But there are a few disadvantages as well.

.adm files are stored in individual GPOs.
For organizations with lots of GPOs, this means that every policy has a copy of every .adm file used in the policy. And these policies, including the .adm files are replicated to all domain controllers in the environment. If you know that the .adm files take about 4 Mb of a policy's size, you can do your own math.
.adm files are added in a specific language.
This can be annoying in an environment where administrators speak different languages and would like to see the templates in their own language.

Vista and Longhorn Server introduce a new format for registry-based policy settings: ADMX files (in XML format) to address these issues.

ADMX files are divided into language-neutral and language-specific resources, available to all Group Policy administrators. These factors allow Group Policy tools to adjust their UI according to the administrator's configured language. Adding a new language to a set of policy definitions is achieved by ensuring that the language-specific resource file is available.

File Type	File Location
ADM	C:\inf
ADMX language neutral	C:\policydefinitions
ADMX language specific	C:\policydefinitions\en-us for the US English ADMX language

One of the main benefits of using the new ADMX files is the central store. This option is available when you are managing domain-based GPOs, although the central store is not used by default.
In Vista and Longhorn the GPO Editor will no longer copy the adm files to each edited GPO, but will provide the ability to read from either a single domain-level location on the domain controller's Sysvol or from the local administrative workstation when the central store is unavailable.

To create the central store:
1. Create the root folder for the central store:
  C:\Sysvol\domain\policies\PolicyDefinitions on your DC
2. Create a subfolder in the central store for each language your Group Policy administrators will use. Each subfolder is named after the appropriate ISO-style Language/Culture name. For example, to create a subfolder for US English:
  C:\Sysvol\domain\policies\PolicyDefinitions\en-us

Populate the central store:
1. Copy all the language-neutral ADMX files from your Vista workstation to the central store on your DC using the xcopy command:
  xcopy c:\PolicyDefinitions\*
  %logonserver%\sysvol\%userdnsdomain%\policies\PolicyDefinitions
2. Copy all the ADMX language resource files from your Vista workstation to the central store on your DC:
  xcopy C:\PolicyDefinitions\en-us\*
  %logonserver%\sysvol\%userdnsdomain%\policies\PolicyDefinitions\en-us

Important factors:

New Vista or Longhorn-based policy settings can only be managed from Vista or Longhorn-based computers. These policies are defined only in ADMX files and, as such, are not exposed on the Windows Server 2003, XP or 2000 versions of the group policy management tools.
The Vista and Longhorn version of the GPMC can be used to manage all OS systems that support Group Policy.
In the majority of situations, you will not notice the presence of ADMX files during your day-to-day Group Policy administration tasks.

Print Management in Windows Vista

2006-11-23T11:29:00.001+01:00

Print Management is an MMC snap-in that enables you to install, view and manage all of the printers in your organization from any computer running Windows Vista or Windows Server 2003 R2.

You can use Print Management to install printer connections to a group of client computers simultaneously. It can help you find printers that have an error condition by using filters. It allows you to send e-mail notifications or run scripts when a printer or print server needs attention. On printer models that provide a web page, Print Management has access to more data, such as toner and paper levels, which you can manage from remote locations.

But one of the best features of Print Management is that you can use it to deploy printers to users or computers using Group Policy.

To do this, you use the Deploy with Group Policy dialog box to automatically add a printer connection to an existing GPO. You simply right click the printer you wish to deploy and select deploy with Group Policy. When group policy processing runs on client computers, the printer connection settings are applied to the users or computers associated with the GPO.

To enable this feature on computers running versions of Windows earlier than Windows Vista, you must use a utility called PushPrinterConnections.exe.
Add this utility to a startup script or a logon script for all computers or users that will get the GPO with the printer settings.
Use the same policy for the script and the printer connection settings.
You can find the PushPrinterConnections.exe in the following directory: %Systemdrive%\Windows\PmcSnap on a Windows Server 2003 R2 machine.

Remarks:

On computers running Windows 2000 only per-user printer connections are supported. For computer policies, you need at least Windows XP.
Before you can use Group Policy to deploy printers this way, your Active Directory environment has to support these features. That means that you will have to update your AD Schema to match the R2 version using the following command: adprep.exe /forestprep.
(Adprep can be found on the R2 CD in the following directory: Cmpnents\r2\adprep.)

Booting from USB Stick

2006-07-07T15:37:00.000+02:00

Most computers don’t have floppy drives anymore these days. But every now and then, I bet you still wish you had one!

A USB stick is a great and far better alternative, but you can’t boot from your stick. And in some cases that is exactly what you need.

After some searching and testing, I now have a bootable USB Stick. I use it to boot into Windows PE and from there you can start a complete OS install, troubleshoot a system, install additional drivers, …

First thing you need: a number of freeware tools.

Bootpart (http://www.winimage.com/bootpart.htm)
HP USB Stick Format Tool (http://www.pctipp.ch/downloads/dl/32594.asp)
Virtual Floppy Driver (http://chitchat.at.infoseek.co.jp/vmware/vfd.html#download)

Step 1: Format a floppy as DOS boot disk

Don’t worry; you don’t need a real physical floppy drive. Instead we will create a virtual floppy using ‘Virtual Floppy Driver’.

Install the Virtual Floppy Driver:

c:\VirtualFlop\vfd.exe install

c:\VirtualFlop\vfd.exe start

c:\VirtualFlop\vfd.exe link a /L

c:\VirtualFlop\vfd.exe open c:\flop.img

When the system asks you to create the file, say yes.

If you check Windows Explorer now, you should see the A: drive. Rightclick drive A: and choose format. Format the floppy as a DOS startup disk.

Step 2: Format your USB stick as a bootable device

Install the HP USB Disk Storage Format Tool. Then run the tool with the following options:

Device: USB Device

File system: FAT 16

Deselect Quick format

Select Create a DOS startup disk using DOS system files located at A: (virtual floppy drive)

Step 3: Copy Windows boot files to the memory stick

This depends on the version of Windows that you would like to boot in of course.

For XP, Windows 2003 and Windows 2000, you need the following boot files:

Ntldr
Ntdetect.com
Boot.ini

For Vista, you need the following files:

Bcd
Bootfix.bin
Bootmgr

Then copy Bootpart to your memory stick and the Windows PE image that you want to boot into.

Step 4: Set your BIOS to boot from USB

Make sure your USB stick is plugged in, restart your computer and enter the BIOS. There move USB device to the top of the boot order list.

On most Dell systems you can simply press F12 during the Dell screen and the list of available boot devices will show up. Select your USB device and press enter.

At this moment you are booting from your USB stick, but since you made a DOS boot stick, you boot in DOS.

To boot in Vista or XP or Windows 2003: at the DOS prompt, go to the bootpart directory and type the following:

C:\Bootpart\bootpart <part_type> boot:c:

where <part_type> is DOS622 – Win95 – Winnt – Vista. This will rewrite the bootsector on the C: drive to boot under the OS that you need.

Reboot your machine, boot from the USB stick again and the Windows boot process will start.

By the way, I am blogging in Word 2007 here. Pretty cool, isn’t it?

Just open a new document, choose new blog entry. Then select your blog provider from the list. You will be asked for your blog credentials and when you are ready you can just publish your blog!

Simple.

I’ll do that now.

Vista deployment

2006-07-06T21:06:00.000+02:00

The last few days I've been looking at Vista deployment methods.
And today I'll share some of my experiences with you.

There are quite some tools available for you to deploy Vista to your client machines.

Windows Deployment Services (the next version of RIS)
BDD 2007 Beta 1 (Business Desktop Deployment)
WAIK (Windows Automated Installation Kit)
Windows System Image Manager (the new Setup Manager)
Windows Image Format or WIM files
ImageX

Using BDD you can perform what is called a Lite Touch Installation. You can prepare almost everything on the server and only minimal user interaction will be required on the client.
To boot the client, you can use a CD containing a Windows PE image that you created with BDD.
When the client starts, this image will be loaded and it will ask you for credentials, a computername and whether you want to join a domain or not. Then you select an image from the list of available images, you choose extra applications to install and that's it. Everything else will happen automatically and after a few minutes your new Vista machine is up and running!

The images used are all Wim images, the new image file format for Vista.
By the way, even a normal manual Vista install uses Wim images. If you extract the Vista iso, you'll see that all there is in the iso is a bunch of Wim files.
So everything is Wim.

Since most IT Pros are lazy by default, we don't like to create boot CDs for every image that we need. No, it would be so much better if we could just boot from the network and start downloading the necessary image files.
That's what you need Windows Deployment Services for. As I said it is the next version of RIS and it works almost the same way. The only difference is that you can deploy Wim images with WDS. (In mixed mode it still supports deploying RIS and Riprep images too.)
With WDS you use a PXE boot to start the client, press F12 when the system tells you to and load a Windows PE image. From within the Windows PE environment, you select the correct image to load and there you go, Vista will be installed and ready to use in no time.

I do have 1 remark here, I keep wondering why Microsoft did not use ADS as a basis for WDS? I like ADS so much more than RIS.
It has everything you need (ADS already uses XML files, it uses imaging, task sequences, ...), all they had to do is make it support Wim images.
And it does not require you to do anything on the client, not even press F12!
So why???
If anyone has the answer, please enlight me!

Next week I hope to give you a detailed description on how to use all the tools I just mentioned and the steps to take.

By the way, during my experiments, I also tried to boot Windows PE from my USB stick. After a lot of googling, swearing and testing, I finally succeeded.
I can boot into Windows PE from my USB stick now, but I can't download the full Vista image.
Anyway, since I saw how many people have questions on how to boot from USB (for Vista or XP or whatever), I'll give you the details on how to accomplish this tomorrow!

Lingering Objects

2006-07-03T11:30:00.000+02:00

Last week I taught my Active Directory In-Depth course, so today one more blog on AD.

This one is about lingering objects, an annoying phenomenon that could cause deleted objects to return in your Active Directory database.

Lingering objects will appear if one of your domain controllers hasn't been able to synchronize with its replication partners during a tombstone lifetime.

This is what happens: you create a number of objects. These objects will nicely replicate to all your DCs. Then, for some reason 1 of the DCs can no longer replicate with the others (due to a network problem, DNS failures, issues with time synchronization, ...).
In the mean time you delete a user from your database. The problem DC does not replicate this change however and the object still exists in that database.
After a tombstone lifetime (default 60 days, and 180 days if the forest was created on Windows Server 2003 SP1) the deleted objects are actually removed from the AD database on the good DCs, but the bad one still sees these objects as normal objects.
At that moment, you become aware of the problem. You solve the issues and try to replicate with the bad DC to get it up to date again.

Then, one of two things can happen.

If your DC is a Windows 2000 server, the bad DC will replicate with the good ones and the deleted objects will return in your environment.
If your DC is a Windows Server 2003 machine, the bad DC will not be allowed to replicate because it has been out of date for more than one tombstone lifetime.

How do you fix this?

Use repadmin (Support Tools) to remove the lingering objects from the bad DC.
repadmin /removelingeringobjects 'DNS name bad DC' 'GUID good DC' 'Directory partition DN' /advisory_mode
For example: repadmin /removelingeringobjects dc1.example.com A0AE6093-15F5-4DB8-836B-4495E3A15396 dc=example,dc=com /advisory_mode
This will display a list of lingering objects in the Directory Services event log (look for event id 1946). Then you can run the same command again, this time without the advisory_mode switch. This will actually remove all lingering objects from the problem DC (look for event id 1945).
At this point, you still won't be able to replicate with the bad DC. To fix this, add the following registry key:
HKEY_LM\System\CurrentControlSet\Services\Ntds\Parameters
Allow Replication With Divergent and Corrupt Partner
REG_DWORD
1
Force replication: everything should be fine now.
After replication succeeded, do not forget to reset the above registry key to 0!!

This week, I'll be looking at Vista again. So you can expect more Vista blogs!

Recovering from USN Rollback

2006-06-26T09:04:00.000+02:00

A bit later as promised, but here it is: part 2 on the USN Rollback.
Enjoy!

There are 3 methods to recover from a USN Rollback.

Reinstall AD.
Use Dcpromo to remove AD from the faulty DC and demote the machine to a standalone server. Clean up all references to the DC, if this DC was hosting FSMO roles, make sure to transfer them to another (healthy) DC.
Restore the system state.
If a valid system state backup was made before the rolled-back DC was restored from image, restore the system state from the most recent backup.
Fool your image-restored DC (requires Windows Server 2003 SP1!).
- Restore your image.
- Start the DC in Directory Services Restore Mode. Do NOT start normally or it’s all too late!!!
- Open Registry Editor and look for the value ‘DSA Previous Restore Count’ (HKEY_LM\System\CurrentControlSet\Services\NTDS\Parameters). Make a note of this value. If the entry is not there, assume a value of 0. Do not add the entry.
- Add the registry entry ‘Database restored from backup’ in HKEY_LM\System\CurrentControlSet\Services\NTDS\Parameters
Data type: REG_DWORD
Value: 1
- Restart the DC normally.
- Check the registry to be sure that the value of ‘DSA Previous Restore Count’ is equal to its previous value plus 1.
- In the Directory Service event log, check to see that Event ID 1109 or 1587 appears.
- This event confirms that AD has been restored and that the Invocation ID has changed.

USN Rollback

2006-06-21T21:17:00.000+02:00

Lately, the only thing I've talked about is Vista. And although there is a lot more, today I would like to discuss something else: USN Rollback.

When talking about backup and restore of Active Directory, a question that I get regularly is: can we restore a Domain Controller from an image?
At first sight you might say: why not?
Restoring a system state backup to get Active Directory back to a previous state, or restoring a disk image you took a few days ago: the end result will be the same.

And that would be true in an environment with only 1 domain controller.
But in most situations there will be multiple DCs and then you will encounter a serious, yet very difficult to troubleshoot, problem: USN Rollback.

When you restore a DC by performing a system state restore, AD will change the database Invocation ID. The Invocation ID identifies the version of the database. After a correct system state restore this ID is reset before AD starts. (Event ID 1587 of source Replication will be logged in the Directory Services event log.)
For the other DCs this indicates that the database version has changed and in response they reset their high-water marks and update the restored DC with changes that occurred after the backup.

If you restore a DC from an image on the other hand, the Invocation ID will not be reset and noone will be aware of the fact that one of the DCs actually rolled back to a previous state. This will lead to inconsistencies in the database, since the restored DC will not get any updates that were taken since the backup and never will.
Why is this?

AD replication is triggered by comparing USNs (Update Sequence Numbers). Every DC has a USN table for every attribute. In that table it keeps track of the highest USN it received for this attribute from a given replication partner. If the current USN on the replication partner is higher than the one in his list, the DC knows that a change has been made and that it still has to copy these changes.

Imagine the following scenario: You have a domain containing 3 domain controllers DC1, DC2 and DC3.

You create 10 new users on DC1 corresponding to USN 1 through 10. These user accounts replicate to DC2 and DC3.
At this moment an image is created on DC1.
You make more changes to AD: you reset the passwords on the 10 user accounts (USNs 11 to 20), you create 10 computer accounts (USNs 21 to 30), you create 10 security groups (USNs 31 to 40). All these changes replicate to DC2 and DC3.
Then DC1 encounters a hardware or software failure. The image that was created is used to restore DC1. DC1 now uses a database that has a record of USNs 1 to 10 when AD starts.
DC1 maintains its original invocation ID and DC2 and DC3 maintain their original up-to-dateness vector of USN 40 for DC1.

As a result DC1 will never receive the changes for USNs 11 to 40 and its database will be inconsistent (resulting in logon failures and other problems).
A second problem arises when new objects are now created on DC1.
If you create a new user, that account will be given the next unused USN on DC1: USN 11.
Since DC2 and DC3 think that they already have every update from DC1 up until USN 40 they will not do anything and the new changes are not replicated.
All changes created on DC1 with USNs 11 to 40 will never be available on DC2 and DC3.

In case of a proper system state restore these problems do not arise, since the reset of the Invocation ID informs the replication partners of the restore and causes them to reset their up-to-dateness vector for the restored DC.

A USN rollback can be very difficult to detect, since no errors are logged in the Event Viewer (unless you are running W2003 SP1 or hotfix 875495, then Event ID 2095 is logged).

One way to detect a USN rollback is running the following command on a DC and its replication partners: repadmin /showutdvec.
If the USN for the DC on the replication partners is higher than the one the DC has for itself and no replication errors are reported, you are probably dealing with USN rollback!

Tomorrow: Recovering from USN rollback!

Multiple Local Policies in Windows Vista

2006-06-19T16:00:00.000+02:00

Group Policy is for sure one of the best inventions in Windows. Configuring multiple client computers has never been easier. And with Vista and Longhorn numerous extra settings will be available.

Group Policy really has only one limitation: it requires Active Directory.

And sometimes you can't (or you don't want to) use Active Directory, but you would like to create policies to control the things people can change or have access to on your pc.
For example, a kiosk computer, PCs in a cybercafé, your home machine (especially when the children are using it more and more).

In XP it is possible to use the Local Computer Policy to make changes to a single computer that is not part of a domain. And while you can implement the exact same settings as with group policy, there is one serious drawback.
You cannot make exceptions to policy settings for individual users. Once the policy is applied, it will enforce restrictions for everyone, including the Administrator.

But now there is Vista!
And one of the great new things in Vista is that you can create multiple local policies! Different policies per user. Or you could create 1 policy for the Administrators and another one for the Non-administrators.
It is very easy to limit everyone accessing your computer, except for yourself!

This is the way to go:

Open a Management Console.
Add the Group Policy Object Editor snap-in.
In the "Local Computer" policy window, click Browse.
Click on the Users tab.
Select the user that you want to create a policy for.
Configure the settings that you want to apply for this individual user.

Note: the only users you see are local users. Besides the users you will also find the local Administrators group and the non-administrators group.

If multiple policies apply, the end result wil be a combination of these policies and the user policy will win in case of conflicts.
For example: User 1 is a normal user (no administrator). You create an individual Local policy for user 1 that prohibits access to the Control Panel and explicitly allows him to access Search from the Start Menu.
You also create a policy for the Non-Administrators, that removes the Search from the Start Menu.

When user 1 logs on, both policies will be applied, but user 1's policy will override the conflicting Search setting in the Non-Administrators policy.
End result: user 1 has no access to Control Panel, but he will be able to use the Search from the Start Menu.

Disk management in Windows Vista

2006-06-14T16:48:00.000+02:00

In earlier versions of Windows it was not possible to extend your system and boot partition. You can extend data partititons in Windows Server 2003, even on a basic disk (using diskpart), but system/boot is not an option unless you turn to some third-party tool.
And shrinking partitions was completely impossible.

Up until now!

In Vista, you can do it all:

You can shrink any partition.
You can extend any partition.
Including system and boot partition.
Both on dynamic and on basic disks.
Using Disk Management (GUI) or Diskpart (cmd).

There is only 1 limitation: when you try to extend a partition, you'll see that it is still only possible to extend with contiguous free space.
Thus, let's say you have the following situation:

C: drive (50 Gb)
D: drive (50 Gb)
Free space (100 Gb)

Then you will be able to extend drive D: but you will not be able to extend drive C: since the last one does not have any white space directly following the partition.
If you're in this situation, you still need a third-party tool.

Another thing that seems to have changed, has to do with the types of partitions.
When you try to create a new partition in Vista, you'll see that the only thing you can create is a "volume".
What happened to primary and extended partitions?

Let's take a look at Windows Server 2003.
There are 2 types of disks there: basic disks and dynamic disks.
On a basic disk, you create partitions (primary or extended). On a dynamic disk, you create volumes.

How does this work in Vista?
The only thing you can create here on a basic disk is a volume. But in fact you are creating a primary partition. Vista does not give you the choice anymore, it decides for you.
The first 3 volumes that you create, are actually primary partitions. When you create a fourth volume, Vista will automatically create 1 extended partition using the remainder of the free space on the disk. Within that partition a logical drive will be created with the size you specified in the new volume wizard.

So, basically nothing has really changed there, you just don't get to choose the type of partition to create anymore.

Log on as builtin administrator in Vista

2006-06-13T15:06:00.000+02:00

The builtin administrator is disabled by default in Windows Vista.

If you want to use this account, the first thing you'll have to do is enable the administrator using Computer Management.

But then it still does not show up on the Welcome Screen.
Like in XP, you have to add a registry key to accomplish this.

Start the registry editor.
Browse to HKEY_LocalMachine\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\
Create a new key: SpecialAccounts
In the SpecialAccounts key, create another new key: UserList
In this key, create a new DWORD value: Administrator
Set this value to 1

Then you should be able to logon with the builtin administrator.

Vista, Longhorn and Office 2007

2006-05-30T20:38:00.000+02:00

These days everyone at Microsoft is very busy and so they are keeping us busy as well.
Yesterday I downloaded and installed Windows Vista Beta 2, Windows Longhorn server Beta 2 and Office 2007 Beta 2.

Now, the testing can begin.
It all looks very good at first sight. The Vista Aero Glass is nice, Internet Explorer 7 has some great features (tabbed pages - search - rss feeds) and for the gadget freaks there is the Sidebar: here you can add all kinds of gadgets like a clock, a slideshow, postits, ...
But of course there is much more to Vista than good looks. So in the next weeks we'll take a closer look at all the exciting new stuff Microsoft has to offer.

Office is nice too, by the way. I think it's going to take some getting used to, but at the first glimpse I like it.

Everyone seems to be very caught up in the Vista mania, and I feel that noone is ever talking about Longhorn server. I know that it's still a long time before the server is released and Vista will be available a lot sooner, but still, it's worth looking at the server as well.

And for all the Unix and Linux fans and everyone else that is fond of commands, when you install Longhorn Server, you can choose to install the full package (Windows as we know it) or you can install the LonghornserverCore only. This is a basic server that can only host a limited number of server roles and after installation all you have is a command prompt (well, 2 actually, that's even better!)!

Over the next days and weeks, I'll be checking out Vista and Longhorn and I'll let you know what I find!

ABDE

2006-05-29T20:49:00.000+02:00

Last week, someone asked me if it was possible to show only the folders that users actually have permissions on in Windows.
This is a comment most Novell people have as well, since Novell automatically only shows folders that you can access.
And you must admit that it is annoying to see an entire list of directories, but when you click on them, you receive "Access Denied" over and over again.

Well the solution came with SP1 of Windows Server 2003. One of the features listed is called Access-based Enumeration.
There is not much to explain, by enabling Access-based enumeration, users will only see those folders they have permissions on. Simple.

The only problem is that SP1 doesn't really provide an interface to enable this feature, only the API is available.
Luckily for us, in the mean time Microsoft has made both a graphical and a commandline tool available for Abde. You can download these tools here: http://www.microsoft.com/downloads/details.aspx?FamilyId=04A563D9-78D9-4342-A485-B030AC442084&displaylang=en

So from now on, you can make sure that a user will only see the folders he/she actually has access to!

First post

2006-05-23T21:45:00.000+02:00

Today I started my own blog, like so many others out there.
It is surprisingly simple to do anything on the internet nowadays and so was setting up this blog.
The hardest thing I had to do was come up with a name.
That took me like 10 minutes, and as you can see, it is not that original.
But I've never been a very creative mind.

As a Microsoft trainer, I work with Microsoft products every day, and in this blog I will try to share the things I experience and learn with you.
The technologies I work with most are R2, Active Directory, DNS, Exchange and clustering.
And of course, Vista and Longhorn are also on my list.

See you tomorrow, for my first real post!

Note to Hans: I hope you're happy now and you'd better read my blog!

Command	Explanation
-on C:	Enable BDE on drive C:
-sk h:	Create a startup key and save it on drive h: Drive h: will normally be a USB key
-rp	Create a recovery password
-rk f:	Create a recovery key and save it on drive f: Drive f: can be a USB key, hard drive, network drive