January 2010 - Posts

With Windows Server 2008 Microsoft introduced a new tool called the Active Directory database mounting tool (Dsamain.exe). It was referred to as the Snapshot Viewer and the Active Directory data mining tool during the early releases of Windows Server 2008. The cool thing about this tool is that you can take snapshots of your AD database and view them offline.

According to Microsoft's explanation this is really helpful for forest recovery and AD auditing purposes. In the case of AD object deletion you can load a snapshot and compare your current AD with it.

Before the Windows Server 2008 operating system, when objects or organizational units (OUs) were accidentally deleted, the only way to determine exactly which objects were deleted was to restore data from backups. The pain behind this was:

  • Active Directory had to be restarted in Directory Services Restore Mode to perform an authoritative restore.
  • An administrator could not compare data in backups that were taken at different points in time (unless the backups were restored to various domain controllers, a process which is not feasible).

But one thing to notice is that this is not a method to recover deleted objects, merely a method to show you what has happened by doing a comparison. Apart from that, you'll need to be a member of the Enterprise Admins or Domain Admins group, or have particular rights granted to your user account.

Now getting back to the actions: to create snapshots, mount them and view them you need to know about 3 tools,

1. NTDSUTIL – Create, delete, mount, list the snapshot.

2. Dsamain.exe – This will allow us to expose the snapshot as an LDAP server.

3. LDP or Active Directory Users and Computers MMC to view the mounted snapshot.

So the steps are going to be as follows,

1. Manually or automatically create a snapshot of your AD DS or AD LDS database.
2. Mount the snapshot.
3. Expose the snapshot as an LDAP server.
4. Connect to the snapshot.
5. View data in the snapshot.

Manually creating the snapshot of the AD DS

1. Log on to a Windows Server 2008 domain controller.
2. Click Start, and then click Command Prompt.
3. In the Command Prompt window, type ntdsutil, and then hit Enter.
4. At the ntdsutil prompt, type snapshot, and then hit Enter.
5. At the snapshot prompt, type activate instance NTDS, and then hit Enter.
6. At the snapshot prompt, type create, and then hit Enter.
7. Note down the GUID returned by the command.

Mount the snapshot

1. If you didn't close the previous window, go back to it, type list all and press Enter.
2. Once you get the list of the snapshots you can select a snapshot to mount. In this scenario type mount 2 and press Enter.
3. If the mounting was successful, you will see Snapshot {GUID} mounted as PATH, where {GUID} is the GUID that corresponds to the snapshot, and PATH is the path where the snapshot was mounted.
4. Note down the path.

Expose the snapshot as an LDAP server

OK, so far we have managed to create a snapshot and mount it. Now we need to expose the snapshot so we can view it from the LDP utility or by using the ADUC MMC. In this scenario we're going to use the second utility (Active Directory Users and Computers).

1. Open a new command prompt

2. In the Command Prompt window, type dsamain /dbpath C:\$SNAP_201001281107_VOLUMEC$\WINDOWS\NTDS\ntds.dit /ldapport 51389 (instead of the default port 389 we're using an alternative port for the snapshot to avoid any conflict with the live AD DS).
Note: "C:\$SNAP_201001281107_VOLUMEC$" is the path we got a few steps before and represents the mounted snapshot path on our system.

3. "Microsoft Active Directory Domain Services startup complete" will appear in the Command Prompt window after running the above command. This means the snapshot is exposed as an LDAP server, and you can proceed to access data on it. NOTE: Do not close the Command Prompt window or the snapshot will no longer be exposed as an LDAP server. 

Connect to the snapshot

We can use any utility which can read LDAP data. In this demonstration, as I mentioned earlier, I'll go ahead and use the Active Directory Users and Computers snap-in.

1. Open the ADUC.
2. Right-click the ADUC root node and select the "Change Domain Controller" option.
3. Type the domain controller name with the custom port number, e.g. "CONTOSO-DC:51389".
4. Now you're looking at the data in the snapshot. Go ahead and open another ADUC window, which will show the current AD DS.
5. Go ahead and make a change in the live AD DS and then check the two MMCs again. You'll see the snapshot data does not change.
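The five steps above automated end to end, followed by the snapshot-versus-live comparison the post describes, as an added example (not from the original post). It assumes it runs elevated as a Domain Admin on the Windows Server 2008 DC itself, that the live directory answers on port 389, that the database sits at the default \Windows\NTDS\ntds.dit inside the mounted snapshot, and it reuses the alternate port 51389; the function name Get-ObjectTable and the filter are mine.

```powershell
# Added example, not from the original post: automate the five steps above and then do the
# comparison the post describes, listing objects that were deleted, moved or renamed between
# the snapshot and the live AD DS. Assumptions (constructed for this example): run elevated as a
# Domain Admin on the Windows Server 2008 DC itself, live LDAP on port 389, the database kept at
# the default \Windows\NTDS\ntds.dit inside the mounted snapshot, and the alternate port 51389.
param(
    [string]$Server = $env:COMPUTERNAME,
    [int]$SnapPort  = 51389,
    [string]$Filter = '(|(objectClass=user)(objectClass=group)(objectClass=organizationalUnit))'
)
$ErrorActionPreference = 'Stop'

# Step 1: create the snapshot. ntdsutil prints "Snapshot set {GUID} generated successfully."
$out = ntdsutil snapshot 'activate instance ntds' create quit quit
$m = $out | Select-String 'Snapshot set (\{[0-9a-fA-F-]+\}) generated successfully'
if (-not $m) { throw "ntdsutil did not create a snapshot:`n$($out -join "`n")" }
$guid = $m.Matches[0].Groups[1].Value

# Step 2: mount it. ntdsutil prints "Snapshot {GUID} mounted as C:\$SNAP_..._VOLUMEC$\"
$out = ntdsutil snapshot "mount $guid" quit quit
$m = $out | Select-String 'mounted as (\S+)'
if (-not $m) { throw "snapshot $guid was not mounted:`n$($out -join "`n")" }
$dit = Join-Path $m.Matches[0].Groups[1].Value 'Windows\NTDS\ntds.dit'

# Step 3: expose the snapshot as an LDAP server on the alternate port. dsamain keeps running
# in its own window; the snapshot is only reachable while that process is alive.
$dsamain = Start-Process -FilePath dsamain -ArgumentList "/dbpath `"$dit`" /ldapport $SnapPort" -PassThru
Start-Sleep -Seconds 15   # allow "Active Directory Domain Services startup complete"

function Get-ObjectTable([string]$LdapServer) {
    # Steps 4 and 5: connect to a server (host or host:port) and return objectGUID -> DN
    # for every object matching $Filter under the default naming context.
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$LdapServer/RootDSE")
    $base = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$LdapServer/$($root.defaultNamingContext)")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base, $Filter, [string[]]@('objectGUID', 'distinguishedName'))
    $searcher.PageSize = 1000   # paged search so large domains return every object
    $table = @{}
    foreach ($r in $searcher.FindAll()) {
        $g = New-Object System.Guid -ArgumentList (,[byte[]]$r.Properties['objectguid'][0])
        $table[$g.ToString()] = [string]$r.Properties['distinguishedname'][0]
    }
    return $table
}

try {
    $snap = Get-ObjectTable "${Server}:$SnapPort"
    $live = Get-ObjectTable $Server
    # Matching on objectGUID rather than DN means a renamed or moved object is not mistaken
    # for a deletion; a GUID present in the snapshot but absent live was deleted since then.
    $deleted = $snap.Keys | Where-Object { -not $live.ContainsKey($_) } | ForEach-Object { $snap[$_] }
    $moved   = $snap.Keys | Where-Object { $live.ContainsKey($_) -and $live[$_] -ne $snap[$_] } |
               ForEach-Object { "$($snap[$_]) -> $($live[$_])" }
    "Snapshot $guid on port ${SnapPort}: $($snap.Count) objects; live: $($live.Count) objects"
    'Deleted since snapshot:'; $deleted
    'Moved or renamed since snapshot:'; $moved
}
finally {
    # Tear down: stop dsamain first (unmount fails while it holds the file), then unmount.
    # The snapshot itself stays on disk unencrypted; delete it with ntdsutil when no longer needed.
    Stop-Process -Id $dsamain.Id -Force -ErrorAction SilentlyContinue
    ntdsutil snapshot "unmount $guid" quit quit | Out-Null
}
```

Run it from a scheduled task after each snapshot to keep a running record of deletions; compare against an older snapshot by skipping step 1 and mounting an existing GUID from list all instead.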

So as I mentioned, this is a really cool feature and saves a lot of time. If you don't like creating snapshots manually you can create a scheduled task to take them automatically. One concern is that these snapshots are not encrypted, so if one gets into the wrong hands it is bad for you guys. So keep them in a safe location and encrypt them for added security.

I've been meddling with some GPO issues and came across these 2 commands. These commands have been there since Windows 2000 and 2003. What brought my attention to them is how you can use them to comply with security auditing. More information about how to use these commands can be found over here.

Well, first we'll take an example of an Enterprise company. Most of the time the AD admin will get a mail or a request from HR or from the relevant department asking to create a new user account. Once you get that request you'll create those user accounts and by default they will go into the Users container in ADUC. Due to your busy schedule you'll forget to move the relevant user account to the correct OU. Even though this may be only a matter of a few hours' or a few days' delay in moving the account to the relevant OU, from a computer security standpoint it is a big risk!

One way I can think of eliminating or minimizing this is that whenever you create a new user account or a new computer is added to the domain, they are moved to a different OU which has unique GPOs assigned to it. So in that particular GPO you can edit the security settings to comply with the company IT security policy and give minimal user rights until the account is moved to the correct OU :)

In a nutshell this may look like a simple thing, but overall, compared with the IT security gain, it is a big step. So go ahead, roll up your sleeves, give it a try in your company network and be safe!

Well, this was once a debatable question, or rather I would say an adoptable method carried out by some companies. Microsoft, Intel & Citrix are some companies who have adopted this and have already carried it out in several regional offices. The recent economic situation has given most employees the green light for this. In a way I see this as a good thing, and I started adopting it almost before the big companies decided about it. Actually in the year 2007 :)

We as technical people cannot be locked down to the usual 8 to 5 office working hours; sometimes we work from home and until late at night. Apart from that, companies prefer to get maximum benefit out of their employees, while HR keeps on trying to make life comfortable for the workforce. (Whether they succeed or not is a different question.) My point is everyone wants to be happy and still not compromise the rules, right? Well, in that case BYOC is a good method for several reasons,

1. Employees will have their personal laptop and can work from anywhere, which I call freedom and flexibility.

2. Employers cannot afford to give employees all the latest hardware all the time to carry out their work and replace the hardware annually. But they can lend some money to employees to have their own machine under certain legal conditions, and this will be a fraction of the cost of their annual IT budget.

3. Employees have the flexibility to work and at the same time take a break and use it more meaningfully to interact with friends and colleagues via MSN, other IMs and social networks. (E.g. Facebook.) I know some companies will see FB as a bad thing, but again the fundamental rule works out here: trust between employee and employer. I also agree with not wasting time on FB doing farming or playing games in office working hours. Keep that for OOOH (Out Of Office Hours).

And so on; you can figure out various other benefits which are good for both parties. With every new concept come some raised concerns, and the same goes here.

1. Security – Well, this is something for the IT department to come up with. Do you really think BYOC is the only major issue? Think about the other ways your network can be compromised. What we should really care about is how to make sure the company's main servers and confidential data are secured properly. I have seen many times that it comes to the boiling point of servers not being secured with the recommended security patches and security policies. Now it's time to go and have a second, deeper look at the security aspects.

2. Cost – As I mentioned, this will be a lot less if you plan it carefully, since you're not going to spend so much money but lend some money to the employee to buy his/her own machine under relevant terms and conditions. But please remember this option is not applicable for all companies, and it has to be evaluated even at department level.

3. Security Policy – Well, companies can still have those hefty security policy guideline books with them :) My point is you can still apply some general rules and terms, evaluate your security policies and try to balance everything. If you're so concerned about the desktop environments then this is the time you can even evaluate VDI (Virtual Desktop Interface). Microsoft and Citrix are offering pretty cool solutions for this. I think, the way we are moving forward into the year 2010, VDI will be a good option for companies to consider.

So in a nutshell those are my opinions about BYOC. I agree with this trend; the question is, do you? Share your thoughts about it and let's see if we can change the working environment to be more friendly, flexible and sexy!!!! I mean with cool laptop models, people :)

With the introduction of Windows Vista Microsoft introduced an image capturing method. Earlier we used to rely on Symantec Ghost, Acronis, etc. Now Microsoft has given a complete free tool set to do image capturing and deployment. The advantages I see in images captured using the Microsoft tools are,

  • One image for many hardware configurations
  • Multiple images in one file
  • Offline servicing of the image file
  • Installation on partitions of any size
  • Bootable image support for Windows PE
  • Modification of image files using APIs

Of course if you do further searching you'll find many more options and advantages. In this article I'll guide you through capturing a Windows 7 installed PC using the ImageX command and then deploying it to a different PC. Of course this can be customized into a zero-touch deployment with advanced tools like SCCM, but that will be another article :)

OK, to start you'll need the following items,

  • Active Directory environment (DC with DHCP, DNS roles enabled)
  • Windows 7 PC installed with Windows 7 AIK (Automated Installation Kit)
  • Windows 7 PC with all the necessary software preinstalled, to be captured as the reference image.
  • Another PC without any OS. Its network card needs to support PXE.

In my article the above-mentioned lab has been carried out in a HYPER-V environment. All of them are virtual PCs. The power of virtualization really shines here :)

Now I assume you've already set up the Domain Controller with functioning DNS and DHCP, and also one Windows 7 PC with the downloaded Windows AIK installed (since that part is easy).

Now back to work. First I took a virtual PC with Windows 7 and MS Office 2007 preinstalled. In your case you can install all the applications you normally use in your production environment.

Once all the applications have been installed, go ahead and remove the static IP settings and configure it to get an IP from the DHCP server. Since we plan to do image capturing we don't want the same IP duplicated on all the PCs, right?

After that go ahead and launch the sysprep command. This command will make sure all the unique data and settings are removed from that reference PC.

Once the PC has been generalized, go ahead and start it from the Windows PE CD. How to create a Windows PE CD can be found over here. Since I'm doing everything in a virtual environment these pics show how to assign the ISO image and also how to configure a legacy network adapter for that VM. In HYPER-V only the legacy network adapter supports getting an IP from DHCP when booting.

Now once booted from the PE CD we'll go ahead and map a network drive to export the captured image to. After that run the imagex command to capture the image.

Once the image capture is completed (how long it takes will depend on the amount of data on the reference PC), take the same Windows PE CD and boot the machine which doesn't have any operating system. Once you boot to the command prompt, again map the network drive using the net use command and then apply the captured image using the imagex command.

Well, once that has completed you can restart the PC and it will start with OOBE (Out of Box Experience), where you can provide a computer name, user name, etc. So as you can see the entire process is not that difficult compared with the benefits you can get out of image-based deployments. Microsoft MDT 2010 is a good tool to automate this process if you have a requirement to deploy Windows XP, Windows 7 or Windows 2008 to a few hundred computers. Apart from that, have a look at the following TechNet articles as well,

DISM, MDT 2010, SCCM

Enjoy these tools and do your own experiments.

Posted 01-18-2010 3:35 PM by Susantha Silva | with no comments

Normally when you have too many options in the same product it makes things too confusing. Sometimes this is given to make your life easier, but there are still chances it can burden you when you don't have proper instructions and guidance. The same story goes for HYPER-V as well. Microsoft offers HYPER-V in several editions, and knowing which version to purchase or get free depends on what you are going to do with it. Apart from that I wanted to highlight the new command available for HYPER-V server configuration in Windows 2008 R2. "sconfig.cmd" is a graphical command available in Server Core to configure the server. It has been updated with new sets of commands which make the HYPER-V administrator's life easier.

Now without further ado let me introduce one of the charts available on the Microsoft web site which explains which edition to choose.

Apart from server consolidation, some of the other areas where you can use HYPER-V are,

* Test and Development
* Server Consolidation
* Branch Office Consolidation
* Hosted Desktop Virtualization (VDI)

Microsoft's free HYPER-V hypervisor is a good option for testing and R&D. If you are planning to consolidate more than 4 servers on one physical server then moving to the Data center version will give you huge cost savings. More information on this licensing and how to maximize your investment in HYPER-V can be had at Tech.Ed 2010. Looking forward to seeing ya there.

HP has agreed to promote the HYPER-V product along with the new release of their HP LeftHand iSCSI SAN. HP has acquired the LeftHand Networks company, which is famous for providing software-based iSCSI solutions. Now HP is offering entry-level SAN solutions integrated with this technology.

HP and Microsoft target the SMB market for a rapid virtualization movement armed with this technology. In a way this is something interesting for SMB and SME marketing, since the solution will come under one roof (HP). But if you look at the price information over here you'll understand it is not as cheap as we expect. Still, considering the regional pricing scheme, I expect we'll get a reasonable pricing scheme for Sri Lanka as well.

If you've been following my blogs you'll understand that I gave an indication that software-based iSCSI solutions will become popular. As for Sri Lanka, we'll have good reason to go after a solution like that for the SMB and SME market.

As an indication, I'll tell you guys that some of these features might be visible at Tech.Ed 2010 in Sri Lanka as well. So see ya all there :)

Hi everyone, we're so proud to present Tech.Ed in Sri Lanka. Microsoft Sri Lanka has taken a great initiative in organizing this event. We believe the year 2010 is going to be the ICT year and there will be so much improvement in our ICT sector in Sri Lanka. At the same time we expect a boom in the Enterprise sector's usage of IT to increase productivity and reduce cost.

Tech.Ed will be starting on Feb 09th. Currently registration is open to everyone. This is one of the updates I received via FB.

“Tech.Ed Sri Lanka 2010 standard price: SLR 12000/=
Register for Tech.Ed Sri Lanka now and save 10% on the standard price. Don’t delay… This Offer Expires 25th of January 2010.
http://www.teched.lk/register.aspx”

So go ahead and grab your seat, guys. As I mentioned, this will be a great opportunity to experience a whole new level of Microsoft technology, get in touch with industry experts and raise your questions.

If you're using Microsoft HYPER-V as your mainstream virtualization platform then you know SCVMM is the centralized management console to manage several HYPER-V hosts. Apart from that it has the capability to manage hosts of different virtualization technologies as well (e.g. ESX).

Since SCVMM is a dynamic product which keeps on evolving, new updates and how-to guides appear frequently. The Microsoft team recently released some documentation updates. You can reach them here. Apart from that, one of the best places to hang around and get the latest info would be HYPER-V @ TechNet.

In my personal view, the years 2010 to 2012 will be the peak time for the Sri Lankan market to adopt virtualization. Most of the time Enterprise companies have been in observation and internal review about virtualization and how to adopt it. Since virtualization is a vast area, ISVs will have a great opportunity to provide the ideal solutions.

HAPPY VIRTUALIZATION YEAR TO ALL!

Beginning on the 01st of January 2010 Microsoft has started a rental scheme for their operating system and Office products. If you're a partner who is renting or lending machines to customers for projects or for training, this will be good news for you. You don't have to put a hefty price on your rental price tag for the OS you're preinstalling and delivering. As per Microsoft, the advantages for resellers are as follows,

Rental Rights licensing offers Microsoft resellers a range of benefits, including:

  • Customer satisfaction. You now have a way to sell licenses that fit your customers’ business models, help ensure their compliance, and solidify your role as a trusted advisor.

  • Convenience. No special tools, processes, reporting, or paperwork are necessary; the transaction works like any other license transaction.

  • Revenue. Selling the new licenses means new revenue.

  • Flexibility. Just like with other Volume Licensing SKUs, you have the flexibility to determine the pricing for your customers and to run promotions.

In a way this is a welcome method to reduce software piracy and give the freedom to comply with licensing as well. More information can be found over here.

Apart from that there are certain restrictions for this scheme as well. Those are as follows,

Rental Rights licenses are user rights licenses only (they do not include software), so no media fulfillment is involved. The following important limitations apply to the Rental Rights licenses:

  • Perpetual license. A Rental Rights license is permanently assigned to a specific device and may not be reassigned to another device. When the device reaches its operational end-of-life, so does the license.

  • Remote access. Rental Rights do not allow for remote access to software.

  • Separate devices. Use of additional copies of the qualifying software on a separate portable device or a network device is not allowed.

  • Additive license only. Rental Rights licenses are not stand-alone product licenses and do not replace customers’ underlying Windows desktop operating system or Office system licenses; Rental Rights are additional licenses that modify the underlying license terms, allowing for rental, lease, and outsourcing of desktop PCs with licensed, qualifying Windows desktop operating systems and licensed, qualifying Office systems.

  • Virtual machines. Rental Rights do not account for software used within a virtual (or otherwise emulated) hardware system. In other words, the primary customer may not create and rent virtual machines.

Regardless of the number of people in a company, from a business perspective SMB and Enterprise have similar requirements of Information Technology. They all expect service continuity, anywhere access and low cost! In this time period every company's dream is to get the maximum out of their IT investment and still reduce cost without losing functionality. Business continuity is a key factor for the survival of any business. The impact of a service disruption of a few minutes to a few days can be devastating depending on the nature of the business. So how can the SMB market segment overcome these limitations at a fraction of the cost that Enterprise companies invest?

To keep things simple, in this article I'll focus on Microsoft products and the features they offer. But as usual hints will be provided for similar products as well :)

1. Which operating systems SMB customers should invest in – My 2 cents' advice goes for SBS 2008 or EBS 2008. There are significant advantages in these operating systems once properly configured and used. Less attention has been given to them due to the nature of the product names. Small Business Server itself is not a product to be taken lightly; the solution is far more complex than it appears out of the box. If your company falls under the SME segment then consider the scale-out product, Essential Business Server, which can be spanned across 3 physical servers or virtual servers. Again, these are Enterprise-class ready products which have been limited only by CALs and not by reducing any FEATURES. (Period)

2. Cost cutting on hardware and software purchases – Consider HYPER-V for server virtualization. It will be ideal if you can consider running a few of your legacy applications in their own OS environment so they conflict less with the latest operating system. Believe me, virtualization will be the ideal solution for this.

Whatever your next purchase, make sure it is 64-bit and virtualization capable. Always make sure you have enough hardware expansion room. (E.g. buy a 2-processor-socket system with one physical processor, and buy RAM leaving enough RAM slots free.) Make sure your existing hardware can be utilized as storage systems. There are easy ways to convert your existing servers into cost-effective SAN storage and make the maximum out of them. Microsoft's SAN software offering will be coming via OEM, so you can consider a product like StarWind iSCSI storage. (More information in how-to articles in future.)

3. Backup and protect your data – This is part of your service continuity and availability plan. If you're going to have HYPER-V as your virtualization option, consider how to back up the virtualized environments as well. From Microsoft's point of view DPM 2007 (Data Protection Manager) will be the ideal solution to protect your physical and virtual environments. DPM 2010 can be expected around Q2 of 2010 with lots of new improvements, along with desktop backup and offline laptop backup as well.
When it comes to DR solutions and high availability options, the SMB market has been held back by pricy hardware devices and software. Thanks to various replication technologies and offline backup options this is becoming a reality for the SMB market as well. Microsoft is working closely with ISV partners to make sure software solutions exist for data replication with DR sites. As I mentioned, StarWind is a very popular company coming up with these solutions. Best of all, these solutions cost a fraction of the price of DAS or hardware SAN with HBA adapters.

Let me know if anyone is interested in these solutions and I would be glad to provide more information.