The Blackbird Group is raffling off a 1,000 user license including a 1st year maintenance (total value 7,200 USD) for Blackbird Auditor for Active Directory. The deadline of this contest is June 27, 2012. If you want to take part, please send an email with the subject Blackbird to .

In Microsoft Windows Active Directory administration nomenclature, auditing refers to the capture and display of user- and/or system-generated activity.

Many systems administrators are required by governmental and/or industry regulations to track changes on our domain systems to a fine degree of granularity. Some of these regulatory laws include the following:

• FISMA
• HIPAA
• PCI
• SOX

As you know, Windows Server 2008 R2 includes a built-in auditing framework that can help to determine the so-called “4 W’s” of audit policy:

• What was the change?
• Where was the change made?
• When was the change effected?
• Who made the change?

Traditionally, we enable auditing in one or more Group Policy Objects (GPOs) that we deploy to our domain. We then use Event Viewer to analyze local and remote auditing events. We can even leverage event log forwarding and subscriptions to aggregate audit log data from multiple systems across the domain or forest.

The main downside to Windows Server 2008 R2 audit policy is that it is quite cumbersome to manage, especially when we aggregate data from multiple sources.

With respect to GPO reporting, Windows Server 2008 R2 provides us with the Resultant Set of Policy (RSoP) tools that are baked into the Group Policy Management Console. Again, though, the tools scale poorly and are relatively inflexible.

To attain a deeper appreciation of the limitations inherenet in traditional Windows auditing, I encourage you to read the white paper “The Tradeoffs and Risks of Traditional Windows Auditing” from the Blackbird Group’s Web site.

Speaking of the Blackbird Group, today’s blog post centers upon their Blackbird Auditor for Active Directory solution, which is software aimed squarely to replace the aforementioned auditing toolset.

In this article we will examine Blackbird Auditor for Active Directory from the following angles:

• Software Setup
• Using Built-in Audit Views
• Analyzing and Exporting Captured Audit Data
• Rolling Back Changes with RSAT Extensions

Let’s get started!

Setting up the Software

The Blackbird Management Suite is a Microsoft Management Console (MMC) snap-in that relies upon a SQL Server database for AD metadata storage. Therefore, a local or remote instance of SQL Server is a prerequisite to installing this software.

NOTE: You can use SQL Server Express if you want to; you are not required to have a full edition of SQL Server to run Blackbird Auditor for AD.

After you have SQL Server installed and ready to accept incoming remote connections, you can download the binaries and obtain your license code from the Blackbird Group’s Web site.

The order in which you install the software is significant. Here is the nutshell workflow:

1. Install the 32-bit or 64-bit Blackbird Management Suite Server
2. Install the Blackbird Management Suite Console on the Blackbird server
3. Install the Blackbird RSAT Extensions on your other domain controllers
4. Install the relevant extension packages on the Blackbird server

Heads-up: Blackbird says that only one Blackbird Management Suite server is allowed per forest. Each extension package (also called a module) enables Blackbird Management Suite to capture particular types of data from domain member computers. These modules are named as follows:

• Blackbird Auditor for AD
• Blackbird Auditor for File System
• Blackbird Event Vault
• Blackbird Privilege Explorer
• Blackbird Privilege Manager for AD
• Blackbird Recovery for AD

In this review, we are concerned only with the Blackbird Auditor for AD module.

Administrators can license as many or as few of these modules as their systems management needs dictate. Licensing is calculated per “heartbeat,” which means that you pay only for the number of human users (and not service accounts) that are embraced by the software’s functionality.

Using Data Handlers and Audit Views

In Blackbird Management Suite terminology, Data Handlers represent the rough equivalent of agent software. Specifically, Data Handlers allow the Blackbird Collector component to retrieve Active Directory data from each domain controller. Ideally, you should deploy the Data Handler to all of the domain controllers in your organization.

To deploy Data Handlers, we open the Blackbird Management Console, right-click the Domain Controllers node and select Deploy data handler from the shortcut menu.

In the Deploy Data Handler dialog box (shown in the next screenshot), we can install the agent bits on some or all domain controllers within the forest.

Deploying data handlers

NOTE: Blackbird Management Suite requires the use of several service accounts that need administrator-level access to your domain controllers as well as to SQL Server. During setup you’ll also be asked to specify a communications TCP port; keep this in mind as you plan your Blackbird implementation.

Our next task is to specify auditor accounts. These are Active Directory users who are allowed to configure Blackbird Auditor for AD and to view audit report data.

Now that we’ve deployed the Data Handlers and specified our auditor accounts, we can turn our attention to Audit Views. Audit Views are the (very) rough equivalent of the Custom Views that are found the Windows Server 2008 R2 Event Viewer.

Specifically, an Audit View filters the retrieved AD audit data according to pre-defined criteria. Blackbird Auditor for AD provides us with several pre-built Audit Views that cover the most common administration and regulatory compliance scenarios; these are shown in the following screenshot:

Built-in Audit Views

Of course, we can build our own Audit Views from scratch if we wish. As you can see in the following figure, we define an audit view by scoping data retrieval according to the “4 Ws” of audit policy.

Defining a new Audit View

In practice, these Audit Views give administrators quick insight into specific changes occurring in Active Directory over time. As we shall see a bit later in this article, Blackbird Auditor for AD allows for full previous/current value comparisons as well as selective or full rollback to previous states.

Analyzing and Exporting Audit Data

To view captured audit data, we can simply expose a predefined or custom-created Audit View in the Blackbird Management Console, right-click the appropriate view, and select Open from the shortcut menu.

This action launches the Audit Viewer tool, a standalone application that includes the “you either love it or you hate it” Ribbon UI introduced in Microsoft Office 2007.

The Audit Viewer displays each audit entry in three simultaneous views. The Summary pane gives you a simple list of all audit entries scoped in that Audit View. What’s cool about this view is that we can see both previous and current values for audit entries that involve a change.

In the following figure we see the results of the “All User Creation in the Last 30 Days” built-in Audit View on my test domain controller. If the Audit View contents included changes in addition to object creations, then we would see before and after data values as well.

Audit Viewer results

The Activity pane shows high-level audit statistics. For instance, in the following screenshot, we see a breakdown of the specific types of AD activity recorded by the tool over the past 24 hours. Be aware that these views are eminently customizable. For instance, we can edit this view on-the-fly to show account activity over the past month, and so on.

Activity view

Finally, the Details pane shows (a) a summary report of the entry; and (b) which specific Active Directory schema attributes were involved in the audited action.

Audit details view

Rolling Back Object Data with RSAT Extensions

As I mentioned earlier, the Blackbird Data Handler and Collector components work together to aggregate and store Active Directory metadata in the Blackbird Auditor SQL Server database.

What this means for us administrators is that:

• Blackbird Auditor for AD does not rely upon AD itself for the storage of schema information
• We can undo changes and perform restores directly from the Blackbird backup repository

For example, we can examine the Blackbird Management Suite Recycle Bin to enumerate and potentially recover deleted AD objects.

The Blackbird RSAT Extensions serve to integrate Blackbird auditing, analysis and recovery features into other core Windows AD management consoles. For instance, we can view the audit trail and/or roll back changes to an AD user object from Active Directory Users and Computers simply by right-clicking the object in question. This is shown in the following figure:

Blackbird RSAT extensions in action

You might have also noticed other Blackbird-related entries in previous screen capture. For instance, we can quickly generate a report of all of that particular user’s activity, and optionally roll back any changes made to the object’s schema properties.

We can also track the evolution of our GPOs by accessing the Rollback shortcut menu item in Group Policy management console (GPMC). As you can see in the following figure, Blackbird enables us to quickly compare the current state of a GPO with a previous incarnation that is stored in the Blackbird backup repository.

GPO change analysis

The Rollback functionality in Blackbird Auditor for AD is very impressive. With a few mouse clicks you can undo the most potentially damaging of AD object changes. For example, if a junior-level administrator inadvertently deleted an OU and is unable to regenerate the lost objects by using standard Windows tools, you can easily perform the restore from within the Blackbird Management Console.

Conclusion

In my opinion, Blackbird Auditor for AD is an extremely easy to use product. As busy systems administrators, we often don’t have time to spend performing elaborate setups and slogging through steep learning curves when implementing management software.

I think that those of you who are hit by compliance regulations can derive special benefit from this software. Please feel free to leave any questions in the comments portion of the post. If I cannot answer them directly, I will forward them to the Blackbird team.

If you want to take part in this raffle and have the chance to win a 1,000 user license (total value 7,200 USD) for Blackbird Auditor for Active Directory, please send an email with the subject Blackbird to . The deadline of this contest is June 27, 2012.

• FREE: ManageEngine Free Active Directory Tools (0)
• Microsoft Exam 70-640 – Operations Masters – Sample question (3)
• Microsoft Exam 70-640 – The Global Catalog – Sample question (0)
• Microsoft Exam 70-640 – The Global Catalog (3)
• Automatically fill the computer description field in Active Directory (9)

This feature goes by the name of “Windows To Go.” Windows To Go is intended for systems administrators to build system images that are then loaded onto a USB disk. End users can then take the USB disk and boot any system from it.

We can build the images in the exact same way as we would do if we were deploying any other Windows 8 system. We can also preload the image with any specific business applications or resources that our users may require, and we can still manage it via our usual tools.

There are many scenarios where I can see a good use for Windows To Go.

• Staff can work from home on their own hardware. By using Windows To Go, we instantly turn their systems into a trusted/managed corporate system.
• A classroom could have a room full of diskless systems where each student is issued a Windows To Go USB drive.
• You can have a dual boot OS, without the risk of trashing your main OS installation!
• In a disaster recovery scenario, we could keep a box of 500 disks at our DR site and then hand them out to staff when disaster strikes.

To keep things simple and similar to the environment end users are used to, when we boot a system from a Windows To Go disk, any drives in the host system are automatically hidden; just a single drive (C:) for the Windows To Go system is shown. Things are similar the other way around too. If we insert the Windows To Go disk into a system that is already running Windows, the disk will not show because drive letters are not assigned by default.

While on the topic of keeping things simple for end users, I thought that showing people how to reconfigure your BIOS boot order across a huge array of varying hardware might be a bit of a mammoth task! For host computers that are running Windows 8, this seems to have been taken care of for us, as there is a new “change Windows To Go startup options” applet in Control Panel. By using this applet, we can essentially change our boot order to try USB devices first.

While running Windows To Go, removing the USB disk is essentially the same as pulling your hard drive out of a regular system (not a good idea!). If this does happen for any reason, the kernel will freeze the system for up to 60 seconds, allowing you to reinsert the USB drive and continue working without any loss of data. If it is not reinserted within this time, the system shuts down. This is a security measure in case you have left confidential information displayed on the screen.

Windows To Go looks at each system’s SMBIOS UUID when it starts. When it sees a new system that it has not booted on before, it detects devices and installs drivers as required, similar to when you boot the first time from a sysprepped image. Once it has finished this process, it will remember that system; therefore, when you return to a system you have previously booted from, the startup times should be much faster.

In my next article, I will explain how to install Windows To Go on a USB drive.

• How to install Windows To Go (0)
• Windows 8 new features – The complete list (0)
• Windows 8 Hyper-V (0)
• Windows 8 Metro – Disable in Windows Server 2012? (0)
• Domain join behavior in Windows Server 8 (0)

At the time of this writing, the feature list is probably not yet complete. I will update this list whenever I stumble upon a new feature and post the update in the 4sysops news streams (Twitter, Facebook, RSS, newsletter).

If you know of a new Windows 8 feature that is not listed here, please leave a comment or send me an email. I will then update the list. It would be great if you add a short description of the feature and, if available, a reference where the feature has been described in more detail.

Please notice that this list not ordered. I will add new features I find at the top of the list.

Metro

There is no doubt that the new Metro UI, which some of us know already from Windows Phone, is the most prominent and controversial enhancement. The main point about Metro is that its user interface and the corresponding apps are optimized for touch screens. Cche

Windows 8 Metro

Designing for Metro style and the desktop

Designing the Start screen

Evolving the Start menu

Designing search for the Start screen

Reflecting on your comments on the Start screen

Microsoft account integration

You’ve probably heard that Microsoft gave up the Windows Live brand. Windows Live accounts are now called Microsoft accounts. You can either log on to Windows 8 with a local/domain account or with a Microsoft account. The latter allows you to store personal data and app settings in the cloud.

Windows 8 – Microsoft account

Signing in to Windows 8 with a Windows Live ID

Windows Explorer

Most visible is the new ribbon, which Microsoft introduced with Office 2007. What may be more interesting are the new file management features, such as improved duplicate file identification, multiple channel support in the Server Message Block (SMB) protocol, and better handling of confirmations and interrupts. IT pros in particular will love that they can now mount ISO and VHD files directly in Windows Explorer. There are many more new Windows Explorer features.

Windows 8 Explorer

Acting on file management feedback

Improvements in Windows Explorer

Windows to Go

Windows to Go allows you to boot up Windows 8 from a flash drive. This feature is more powerful than you might think. We will soon have a review on 4sysops that will cover this feature in detail.

Hyper-V Client

Thus far, Microsoft’s OS virtualization solution Hyper-V was only available for Windows Server. In the workstation edition of Windows 8, Hyper-V will replace XP Mode of Windows 7. Aaron Denton reviewed Windows 8 Hyper-V for 4sysops.

Bringing Hyper-V to “Windows 8”

Fast boot

Microsoft claims that Windows 8 boots up 30-70% faster than Windows 7. This is still not instant-on, but it is certainly a great improvement. I have been working with Windows 8 on a netbook for a few weeks and Microsoft’s claim appears to be true.

Delivering fast boot times in Windows 8

Performance

Reports indicate that Windows 8 is considerably faster than Windows 7. In the 4sysops Windows 8 feature request poll, more than 4000 people chose better performance as the most important new feature. Good that Microsoft listens to their customers.

Windows 8 preview beats Windows 7 in most performance tests

SkyDrive integration

I could have added this feature to the Windows Explorer or the Microsoft account sections. But I think the integration of Microsoft’s cloud storage service SkyDrive in Windows 8 is important enough to have its own heading. If you still think that “the cloud” is only a buzz word, think again. Or as Steve Ballmer would put it: “We will all be in.”

Connecting your apps, files, PCs and devices to the cloud with SkyDrive and Windows 8

Unified Extensible Firmware Interface (UEFI)

This feature caused a lot of stir in the Linux community because many Open Source guardians feared that Unified Extensible Firmware Interface (UEFI) would prevent people from installing Linux on computers that are delivered with Windows 8. These fears were unjustified. Essentially, UEFI uses public key cryptography to allow secure boot-ups by reducing the risk of boot loader attacks.

Protecting the pre-OS environment with UEFI

Malware protection

Hard times are to come for malware programmers (and third-party antivirus vendors). It appears that Microsoft Security Essentials won’t be integrated into Windows 8. However, Windows Defender will become full-blown antivirus software as it will not only protect Windows 8 from spyware, as in Windows 7, but also from viruses and worms. It will also feature real-time protection. SmartScreen, Microsoft’s reputation-based malware protection, will now protect not only Internet Explorer but also Windows 8. Windows 8 will also be hardened with an enhanced Address Space Layout Randomization (ASLR), kernel improvements, and a new Windows heap.

Windows 8 – Antivirus

Protecting you from malware

Large disk support

Windows 8 will support partitions larger than 2TB, which will be important for the next netbook and tablet generation. There are ways to use more than 2TB volumes in Windows 7, for instance with RAID, but I guess this wouldn’t be an option in tablets.

Enabling large disks and large sectors in Windows 8

Storage Spaces

Storages Spaces allow you to combine multiple disks into one storage pool. The new technology is comparable to RAID, but it is more flexible and easier to configure. Probably the coolest thing is that disks can be of different size and connected through USB, SATA, and SAS (Serial Attached SCSI). Storage pools support thin provisioning (physical space is only used when the capacity is needed) and resiliency (mirroring for fault tolerance).

Windows 8 Storage Spaces

Virtualizing storage for scale, resiliency, and efficiency

Setup experience

I already covered the main new features of the Windows 8 setup process. Certainly most interesting is the new web setup, which allows you to install Windows 8 through the Internet.

Improving the setup experience

Fewer restarts

If you ever lost data because of an automatic restart, you might be interested to know what Microsoft has to say about this kind of “user experience” (link below). The major improvement in Windows 8 is that security-related restarts will happen only once a month (on the second Tuesday). The only exceptions are critical security updates—for example, if a computer worm is spreading. Microsoft also introduces a few changes in the way users will be informed about updates and restarts.

Minimizing restarts after automatic updating in Windows Update

Power management

In every Windows version, Microsoft tries to improve power management. However, major advances in recent years were developed by the hardware industry—in particular, the battery makers. But Windows 8 comes with a promising new concept that is known from smartphones. Apps in the background are suspended, thereby consuming no more energy. This feature will only work for Metro apps and not for legacy Windows desktop applications.

Building a power-smart general-purpose Windows

Updating live tiles without draining your battery

Improving power efficiency for applications

New Task Manager

The new Task Manager in Windows 8 is nice, but I guess most IT pros will barely appreciate it considering that free tools like Process Explorer and Process Hacker have much more to offer. However, whenever you have to troubleshoot a Windows machine and you didn’t bring your tool box, you will like new features such as resource usage light-ups, process type grouping (applications, background processes, Windows processes), friendly names for background processes, and top-level grouping windows by app. Interesting for server admins is the new heat map of logical processors.

Windows 8 Task Manager

The Windows 8 Task Manager

Using Task Manager with 64+ logical processors

Windows Store

The new Windows Store for Metro apps is certainly a Windows 8 highlight. The fact that you won’t be able to buy and update legacy desktop applications through the Windows Store could be the major driving force for software vendors to focus on Metro and give up the old Windows application paradigm altogether.

Windows 8 Store

Previewing the Windows Store

Picture password

I hate it when people say they hate something, but I really do hate passwords. Secure passwords are hard to memorize. And, even if you use a password management tool, you need to at least be able to log on to your Windows machine before you can use it. With Windows 8, you can perform gestures on a picture of your choice to log in. Such a gesture is probably easier to memorize but still hard to crack with a brute force attack. The only problem I see is that gestures are easy to spot by someone at your back.

Windows 8 Picture Password

Signing in with a picture password^

PC Reset and PC Refresh

Many PC vendors have their own tool to reset a PC to the state it was delivered. It is good that Microsoft integrates this functionality now into Windows because it standardizes PC troubleshooting. However, more interesting is the PC Refresh feature of Windows 8, which allows you to keep specific settings such as user names and passwords, data, and installed apps. You can create a base image to which users can go back if they have messed up their PC.

Windows 8 Reset / Refresh

Refresh and reset your PC

Sensors

A better tablet user experience is certainly a key functionality in Windows 8. Support for sensors such as accelerometers is therefore a must.

Supporting sensors in Windows 8

Windows 8 on ARM / Windows RT

There has been lots of confusion since information leaked that Windows 8 will run on ARM devices. I am not sure if the term “Windows on ARM” still makes sense because ARM devices will only support Metro apps and no Windows desktop applications. I am afraid that the confusion will continue once the first Windows ARM tablets become available. Many will notice only when they unpack the device that it is not really a Windows machine since the vast majority of Windows applications won’t run on it. The awkward name “Windows RT” for the corresponding OS doesn’t make things better. For ISVs, this will be another reason to dump Windows desktop mode and concentrate on Metro.

Building Windows for the ARM processor architecture

Narrator

Windows 8 also has some enhancements to offer for people with disabilities: Narrator with improved performance, more languages and voices for the Narrator, and more Windows components and applications that can make use of the Narrator.

Windows 8 Narrator

Enabling accessibility

Internet Explorer 10

The most noteworthy Internet Explorer enhancement is the new Metro version. It is optimized for touch and comes with many of the features you know from the browser of your smartphone: double tap, default full screen mode, touch keyboard, and touch optimized tab bar. Of course, the old style desktop Internet Explorer is still available in Windows 8. This could be a role model for many software vendors. I think many ISVs will have to offer two versions of their applications. I wonder if it wouldn’t have been better if Microsoft introduced a new abstraction layer that allowed applications with two types of user interfaces.

Windows 8 – Internet Explorer 10

Metro style browsing: one engine, two experiences, no compromises

• How to install Windows To Go (0)
• Windows To Go introduction (0)
• Windows 8 Hyper-V (0)
• Windows 8 Metro – Disable in Windows Server 2012? (0)
• Domain join behavior in Windows Server 8 (0)

SmartDeploy is raffling off 50 end-point licenses with 1 year of basic support (value $1610 USD). The deadline for this contest is June 1, 2012. If you want a chance at winning this license, please fill out this form.

SmartDeploy Enterprise is a powerfully simple deployment suite. In fact, it is so simple that the entire process can be summed up in five steps, with steps 1 and 2 being covered in the previous post. In short, the steps are:

1. Building the image
2. Capturing the image
3. Packaging the drivers
4. Creating the PE media
5. Deploying the image

We have already built and captured our image. Now we face a humongous hurdle with driver management. In nearly every organization, model sprawl reigns. Even in organizations where machines are regularly replaced, some department will buy a make and model that wasn’t previously supported. This is the area where SmartDeploy Enterprise really shines.

In the past, most images stored drivers on the local drive in a manually arranged system. Enter the Platform Pack—a completely prepackaged set of drivers for deployment available through their website. To show how much time a Platform Pack will save, I tested our environment. We have 27 different models, including some old POS machines. SmartDeploy had Platform Packs for all of them! Even better, some models (like a Dell Latitude D610) only have Windows XP available for download from Dell’s Support page. SmartDeploy had the Windows 7 drivers already packaged along with the Windows XP drivers.

Platform Packs come in nearly every make and model.

Now that I have finished saturating my bandwidth with Platform Packs, let’s look into altering and merging the downloaded Platform Packs. This is done within the Platform Manager where, once opened, Platform Packs may be added as needed. A Platform Pack could be created for a universal image or as granular as needed. In my environment, the Platform Pack was organized based on make, model, operating system, and hardware type. To make driver updating easier, I left the default driver names that were created in the import process.

Platform Packs are scoped based on automatically configured WMI filters.

A very cool bonus feature is a WMI Filter Wizard, which is included in the Platform Manager. It allows for the quick scoping of drivers to specific make and models. It could also be quite useful when creating WMI filters for a GPO.

In this example, a WMI filter could be created to apply certain drivers when a machine’s memory exceeds a determined amount.

Now that the Platform Pack has been created, altered, and saved, we need to associate it with boot media. Our boot media of choice is a Windows PE image that is WDS compatible. This will allow us to network boot our machines to an imaging server. To do this, we will launch the Media Wizard and proceed through the steps. Because we will be using multicasting, the wizard will enable that option.

If physical media is desired, the Media Wizard can create a completely standalone boot image.

In the Media Wizard, two features stand out. The first is the ability to integrate a VNC service for remote imaging monitoring. This seems similar to DaRT Remote Connection integration in Microsoft Deployment Toolkit 2012. The second feature is the ability to deploy images over disconnected networks. Although I did not have a chance to test this feature, it seems very cool!

For remote or dispersed organizations, the Cloud Services add-on would be a life saver.

Now that we have created the SmartDeploy media, all that is left is to deploy the image to machines. For those familiar with the Out of Box Wizard, SmartDeploy is easy. After booting of deployment media, the machine image can be selected. Other settings, such as resolution or domain information, can also be entered.

If your organization already has a robust imaging solution, SmartDeploy Enterprise may not be a solution for you. For organizations with a smaller IT staff (or those one-man shops) looking for a very simple extendible imaging suite, SmartDeploy Enterprise becomes very appealing.

If you want a chance to win 50 end-point licenses with 1 year of basic support (value $1610 USD), please fill out this form.

• Raffle: SmartDeploy Enterprise – Easy OS deployment – Part 1 (0)
• Windows deployment preflight checks – Part 2: The script (0)
• Windows deployment preflight checks – Part 1: Introduction (2)
• MDT Workbench and Windows deployment (0)
• MDT (Microsoft Deployment Toolkit) prerequisites and add-ons (0)

Extending Orchestrator 2012

When the standard activities aren’t enough to accomplish the automation you need, the next step is to turn to Integration Packs (IP). Currently there are IPs available from Microsoft for the System Center 2012 suite as well as for earlier SC versions, there is also IPs for HP iLO hardware and HP Operations and Service Manager; IBM Tivoli and VMware vSphere. There are also community IPs available on TechNet Gallery and Codeplex for various tasks (see resources). Configuration management tools such as Remedy and CA are also slated to have integration packs. Today there are also community IPs for SharePoint and VMware’s vSphere but I would expect more IPs, from Microsoft, third parties and the community to be published as SC 2012 gains market share.

Extending Orchestrator with IPs involves several steps: download the IP(s), register them using the Deployment Manager and then deploy them to the relevant Runbook servers. Finally they need to be configured using the Runbook Designer.

Orchestrator 2012 – the glue in System Center 2012

Orchestrator is at the center of the System Center suite – bringing what are essentially separate islands of data and functionality together to work in unison. For proof you need to look no further than the recently added Unified Installer which is an Orchestrator Runbook that automates (to a degree) the installation of all the other components of the SC suite.

Another benefit Orchestrator has over Opalis is the introduction of monitor activities, Opalis used polling monitors that were constantly checking for activity to see if a runbook should be started, with the tighter integration in SC 2012; other parts of the SC suite (particularly SCSM) can notify Orchestrator and initiate runbooks.

The amount of control that Orchestrator runbooks can exert over the other SC 2012 suite programs is remarkable, on the right hand side you can see a few of the activities that are available for SCVMM 2012.

The new Web service – Orchestrator’s secret weapon?

The authoring experience and how you work with Orchestrator is virtually unchanged from Opalis; in contrast the new feature is the Orchestrator web service. This exposes the functionality of Orchestrator through an OData / REST based interface and lets other programs see and use runbooks which may eventually lead to Orchestrator fading into the background and being the engine that orchestrates behind the scenes whilst being controlled by other applications.

Conclusion

System Center 2012 is a major revamp of the whole suite, and whilst the components are still separate, Orchestrator and the SC 2012 IPs bring them closer than ever before. For this reason alone, adding Orchestrator to your list of must have skills for the future is a good idea but when you take into account the extensive reach of Orchestrator to automate across many other disparate systems my conclusion is that getting the hang of it is crucial for the future.

Playing with Orchestrator 2012 is a lot of fun, and I must say that the visual part of me is certainly picking up how to do things quicker than when struggling in the light blue sea of PowerShell.

Resources

• Overall list of Integration Packs available for Orchestrator 2012
• List of System Center (both earlier and 2012 versions) Integration Packs available for Orchestrator 2012
• Detailed Data Manipulation functions descriptions
• Orchestrator open source Integration Pack projects on Codeplex
• SC2012 Solution Runbook Examples on Codeplex
• Orchestrator Integration Pack projects on TechNet
• Orchestrator Jump Start by Pete Zerger – in five parts
• TechNet Virtual Lab: Opalis: Incorporating Advanced Logic into Your Policies
• TechNet Virtual Lab: Opalis: Building Advanced Policies

• System Center 2012 – Orchestrator 2012 – Runbooks best practices (0)
• System Center 2012 – Orchestrator – Creating Runbooks (0)
• System Center 2012 – Orchestrator – Installation (0)
• System Center 2012 – Orchestrator Review (0)
• FREE: SCCM Client Actions Tool (SCCM CAT) – Manage Configuration Manager clients (4)

SmartDeploy is raffling off 50 end-point licenses with 1 year of basic support (value $1610 USD). The deadline for this contest is June 1, 2012. If you want a chance at winning this license, please fill out this form.

SmartDeploy Enterprise Architecture

Let me start off by saying that I am a huge Microsoft Deployment Toolkit (MDT) fan! I love the granular control, the nifty wizards, and the extensive logging. But MDT is a pain to set up and a bear to learn. Between the barrage of terminology, layers of components, and simple confusion over when a deployment share needs to be updated, an overworked admin in an overstretched shop could not dedicate the time needed to master MDT. Simplicity is where SmartDeploy Enterprise succeeds.

The entire image creation and deployment process can be summed up in five steps.

1. Building the image
2. Capturing the image
3. Packaging the drivers
4. Creating the PE media
5. Deploying the image

As we progress through each of these steps, we will cover the actual process, best practices, and some time saving tips.

Step 1: Building the Image

When installing the SmartDeploy Enterprise suite, be sure to use a physical machine. The setup will only continue if the machine is not virtual. A well-known best practice of image creation is the use of virtual machines for the master image. This practice allows for changes, such as software installation or Windows updates, to be captured in snapshots. If problems are found in the image, the image can be reverted instantly to the clean state.

SmartDeploy wisely enforces this best practice in their deployment suite. To simplify the image building process, SmartDeploy Build Wizard allows for the selection of multiple virtualization products. The Build Wizard will even go so far as to automatically create the needed VM files. When building my image, I used VMware Workstation 8, but I selected Workstation 7 as my virtualization platform.

To simplify deployment, the Build Wizard supports a variety of virtualization products.

Step 2: Capturing the Image

After the image has been created, configured, and finalized, the image can now be captured. Unlike some image management tools, SmartDeploy will automatically scan your virtual hard disks (which were created in Step 1) for operating systems. If your virtual hard disk contains multiple partitions, be sure to uncheck all but the primary partition if WDS will be used.

Direct integration with Windows Deployment Services is provided in the Capture Wizard.

When manually managing an image, one would normally alter the Unattended.XML file to enter the product key or default local administrator password. The Capture Wizard provides the ability to directly inject this information.

The Capture Wizard simplifies the management of the Unattended.xml file.

A feature that sets SmartDeploy apart from the pack of deployment suites is the ability to deploy a standard image or a differencing image. A standard image is a normal captured image in a .WIM format. A differencing image is a captured image that only deploys the differences between the new captured image and a previously captured image. For example, an organization could create a differencing image on a quarterly basis that wraps up all updates published. This granular approach cuts down on wasted space by only capturing the changes to an image. It also safeguards the original clean image by adding distinct layers.

If capturing as a differencing image, you have to select an existing previous image.

After the image has been named and the save location selected, the Capture Wizard will generate the image file.

One of the most challenging portions of image creation is driver management. To ease the pain of driver management, SmartDeploy has an innovative solution using prepackaged platform packs.

In the next post, we will cover driver management (Platform Packs), deployment media, and deployment.

If you want a chance to win 50 end-point licenses with 1 year of basic support (value $1610 USD), please fill out this form.

• Raffle: SmartDeploy Enterprise – Easy OS deployment – Part 2 (1)
• Windows deployment preflight checks – Part 2: The script (0)
• Windows deployment preflight checks – Part 1: Introduction (2)
• MDT Workbench and Windows deployment (0)
• MDT (Microsoft Deployment Toolkit) prerequisites and add-ons (0)

Considerations for creating a good runbook include knowing when and how often it’s going to run, which steps to include, how it’s going to start, what data is passed along from activity to activity and what’s the end result as well as how you are going to report on the results? Good design includes handling failures and warnings of activities, clear naming conventions, using link colors wisely and splitting long and complex runbooks into parent and child tasks that pass data to each other. Establishing a good naming convention and an agreed upon folder structure will minimize confusion and exporting your runbooks regularly for backup purposes is prudent.

Permissions can be set at the individual runbook level or you can group runbooks together and control security at the folder level. Read permissions let a user run and view runbooks, write makes changing possible and with full control users can alter the permissions. Security can also be controlled at the IP level, for instance you could have three different configurations for connecting to a ticketing system to match permissions for level 1, 2 and 3 help desk staff. Orchestrator provides simple version control; once a particular user has checked out a runbook for editing, no one else can alter it until it’s checked in again.

To control what systems are targeted by a runbook you can use Computer Groups in Orchestrator and these in turn can be based on AD queries, ensuring that new Exchange servers end up in the right group for example.

An example Runbook that’s part of a set of SC 2012 runbooks recently published on Codeplex.

There are several types of logging to see how Runbooks and Orchestrator is doing, I find that turning on object level logging for a Runbook gives enough insight when I’m creating and testing Runbooks. There’s both a Real time log for currently executing runbooks as well as a historic log. For each runbook you can set logging to include the values of the Published Data; either Activity specific data and / or Common Published data. There are also the Audit Trail text log files that detail the interaction of Orchestrator with external systems; this is not enabled by default. Logging can add substantial amounts of information in your database, a scheduled job can either purge this data regularly or you can manually purge runbook logs.

You can set up a runbook to notify you when it takes longer to execute than a threshold you’ve specified as well as control how many instances of a specific runbook is allowed to run simultaneously. Be careful if your runbook has a modify counter activity not to run several instances at the same time. For robustness it’s also a good idea to have an activity early in a runbook that detects if there was an earlier instance of the runbook that was terminated (server crash or other mishap) so this can be handled smoothly.

A key consideration in automation is that when things “just happen by themselves” it’s crucial to keep an eye on the environment through monitoring and reporting; there’s an Orchestrator management pack for Operations Manager that’ll help in this regard.

In this part four of five we looked at best practices for runbook creation, in the next and final part we’ll look at extending Orchestrator with Integration Packs as well as how Orchestrator fits into the System Center 2012 suite.

• System Center 2012 – Orchestrator 2012 – Integration Packs (0)
• System Center 2012 – Orchestrator – Creating Runbooks (0)
• System Center 2012 – Orchestrator – Installation (0)
• System Center 2012 – Orchestrator Review (0)
• FREE: SCCM Client Actions Tool (SCCM CAT) – Manage Configuration Manager clients (4)

I recently attended the Microsoft Management Summit in Last Vegas with 5,000 fellow admins and engineers who specialize in the System Center product line. In its 14th year, MMS is still a unique Microsoft conference for sysadmins in that it’s focused exclusively on systems management using a pure Microsoft stack.

Good News! If you missed MMS, nearly all the sessions and keynotes are free online at the Digital MMS site (over 150 hours worth!). If you want to take the videos offline, someone’s written a PowerShell script to download them. Common topics beyond System Center 2012 include Hyper-V, PowerShell, Windows 7 deployment, MDT, and many more.

When you see session ID’s like EC-B101 in this article, search that ID on the Digital MMS site to watch it.

System Center 2012 is now a suite of eight products, but licensed as one suite. Even though Microsoft would like you to think it’s one product, they are still deployed as separate server apps… that is, you don’t have to deploy all of System Center 2012 to use just one component:

• Configuration Manager (SCCM. getting started: CD-B207, what’s new: CD-B330)
• Operations Manager (SCOM, what’s new: FI-B317)
• Virtual Machine Manager (SCVMM, what’s new: SV-B206)
• Data Protection Manager (SCDPM, what’s new: FI-B405)
• App Controller (VMM self-service portal plus. intro session: AM-B305)
• Orchestrator (task/job automation)
• Service Manager (user service desk)
• Endpoint Protection (previously Forefront. what’s new: CD-B332)

The Private Cloud

Microsoft is claiming that if you implement most of these products, then you’ll be on your way to enabling the “Private Cloud” in your sever room. Checkout session SV-B308 where Young Chou details what the private cloud really entails, which I found enlightening. The key takeaway for me is that virtualization of your servers is just the first piece in making your own Cloud infrastructure. You also need:

• Self-Service (Limited number of clicks to deploy a new system, high level of OS and server app deployment automation)
• Resource Pooling (Standardization plus optimization plus systems management)
• Elasticity (Grow and shrink number of virtual machines based on demand)

If you’ve ever seen the 4 stages of the Infrastructure Optimization Model (Basic, Standardized, Rationalized, Dynamic) which is a way to rate the maturity of your systems and processes, then just know that Private Cloud likely starts in the Rationalized stage. If your shop spends most of your days controlled by support tickets (reactive), and it takes you a day or more to set up a new virtual machine, then you’re likely in Basic (hey we all start there). Implementing the System Center suite could be one of the steps you take to mature your IT org toward the more advanced and automated stages where system admin life gets easier.

A few popular sessions

Are you a SCCM guru? Then Configuration Manager “State of the Union” CD-B102 will catch you up, and they also pitted common scenarios in SCCM 2007 R3 against SCCM 2012 (spoiler: 2012 killed it). A little quirky and fun.

• For OS deployment, a good bet is to search sessions by Michael Niehaus and Johan “I write a script” Arwidmark.
• In the troubleshooting arena (a skill I am always trying to hone) you want to check out Laura Chappell’s SV-B407 “Top 10 Reasons the Network is Slow” for some Wireshark kung-fu, and CD-B347 Troubleshooting Windows 7 Deployments for a exhaustive list of MDT and SCCM log locations and tips by Ben Hunter.
• Vlad Joanvic and Matt McSpirit have a unique session “Understand How Hyper-V and System Center Stand Up against the Competition” AM-B323.

The key takeaway is that all these products are “better together” as Microsoft likes to say: Data Protection Manager uses Operations Manager as a Central Console for multiple DPM servers. Orchestrator makes heavy use of Service Manager and Operations Manager. Service Manager pulls data from Configuration Manager for support tickets and some automation. The list goes on and on.

Further learning

Microsoft has a Virtual Academy with a growing System Center syllabus of documents and videos.

“How do I evaluate System Center now?” you might ask. Microsoft has an Eval Center where you can download a trial of System Center 2012 and get a summary of all the pieces to this expanding puzzle. The bundled download includes a Unified Installer that lets you run the System Center suite installer on one server, and remotely installs the components on other servers. MS says the Unified Installer is only for simplifying test environment installs.

Each product requires its own Windows Server OS (or more) so you’re looking at a minimum of 9 (yep) lab virtual machines to test out the full suite. The User’s Guide and MMS Sessions FI-B330 “System Center 2012 Unified Installer” and FI-B328 “How to Build a Microsoft Private Cloud…” can help you out.

Have you been at the MMS 2012? Please share your impressions!

• Will Windows 8 be a mess or a success? Vista or Windows 95 successor? (14)
• The evolution of Microsoft certification (2)
• What does the ‘R2′ mean in Windows Server 2008 R2? (1)
• Windows 8: The PC is dead, long live the PC (5)
• Windows Server 2008 Certification – A quick guide (0)

Once you’ve worked through with the business which processes to automate the actual steps in Orchestrator are easy and the user experience is almost identical to Opalis. You drag Activities from panes on the right into your workspace. These activities are either Standard Activities (known as Foundation Objects in Opalis) that are available out of the box or they come from Integration Packs (IPs) that you’ve installed.

You then configure each activity to accomplish what you want and link the activities together, taking into account branching for different outcomes. Activities can also take into account variables and counters that you’ve configured as well as perform manipulation of data; this is then passed onto the next activity on the shared data bus as Published Data.

Once you have created a runbook you’ll want to test it and the Runbook Tester provides the ability to debug, including setting breakpoints. Be aware that the Tester isn’t a simulated environment, the activities are actually executing on your live data. Another gotcha is that runbooks run under your account in the Runbook Designer but in the Tester they run under the Runbook Server service account.

The Runbook Tester lets you step through your runbooks activities and make sure it’s all working as expected. Remember, it’s a live environment, not a simulated test!

Standard Activities are available for system process and SNMP, scheduling, monitoring, file management, email and other notification options along with utilities for invoking web services or querying databases. For Linux integration Orchestrator comes with standard activities for Telnet and SSH workflows. The .Net script activity can run scripts in VB.Net, Jscript, C# and PowerShell.

The links between activities can be formatted with colors and widths as well as letting you control the data that flows between activities with Include and Exclude options (with the latter taking precedence over the former) to filter out data for the next activity. For branching logic you can control what happens for success, warning and failed conditions in activities. You can also use regular expressions to filter the output data as well as perform functions and calculations on numerical values. Activities can be looped with precise control over the exit condition.

Runbooks can be scheduled with control over when they’re allowed to execute (perhaps some should never execute during business hours), and each Runbook can be associated with a particular schedule. Within a runbook, you can use the Check Schedule activity to retrieve time data for individual activities. Monitors are a type of activity that waits for a particular event to happen to start the processing of a runbook and these runbooks “run” continuously, waiting for the event to happen.

In this part three of five we looked at the steps involved in creating runbooks, in part four we’ll cover permissions for runbooks as well as best practices for creating them.

• System Center 2012 – Orchestrator 2012 – Integration Packs (0)
• System Center 2012 – Orchestrator 2012 – Runbooks best practices (0)
• System Center 2012 – Orchestrator – Installation (0)
• System Center 2012 – Orchestrator Review (0)
• FREE: SCCM Client Actions Tool (SCCM CAT) – Manage Configuration Manager clients (4)

Orchestrator 2012 Overview

Orchestrator is made up of the Runbook Designer, where IT Pros create runbooks by dragging activities into the workspace, configuring and linking them, in a similar way to how Visio works. The Runbook Server is the central hub that runs the actual tasks, the Orchestration Console is a web based interface that tracks the execution of runbooks and the new web service lets you access Orchestrator functionality from other programs. The Deployment Manager is used for registering Integration Packs (IPs) as well as deploying them to your runbook servers.

The Orchestration Console, for checking on Runbooks and their statistics as well as executing of runbooks by non-administrators.

Orchestrator caters for different roles of people in IT organizations; IT Professionals will spend their time in the Runbook Designer (known as the Operator Client in Opalis) creating workflows whereas IT Managers will visit the Orchestration web console (known as the Operator Console in Opalis) to check statistics on how the runbooks (known as Policies in Opalis) are performing. Certain end users might approach Orchestrator as a one button “fix” for something – running a clean-up job in an ERP system for example– again through the Orchestration console. Developers on the other hand use the Orchestrator Integration Toolkit (known as the Quick Integration Kit, QIK, in Opalis) to create custom activities and Integration Packs to integrate with other systems.

Orchestrator lets you connect to web services and systems across platforms and then execute system level tasks in those systems or execute scripts (PowerShell, .NET, Jscript, VB etc) and then communicate results via email or published notifications.

Scalability for Orchestrator is difficult to gauge, the overall rule is that if you expect to have more than 50 runbooks executing concurrently, you need another server as the jobs will queue up. You can create a very processor and memory intensive runbook with only a few activities or a very light runbook with many complex tasks involved, it all depends on exactly what the runbook does. Specific runbooks can be assigned to a particular server if necessary. As your IT team come to rely more and more on Orchestrator you’ll definitely want to add more Runbook servers (called Action servers in Opalis) to provide availability. When a Runbook server is unavailable, runbooks will automatically run on the next available server.

There’s a bit of overlap between the Service Manager 2012 (SCSM) and Orchestrator 2012 products but the way to understand the difference is that SCSM is all about automating and standardizing business processes whereas Orchestrator is about IT processes and workflows.

Installation of Orchestrator 2012

You need a machine with at least 1 GB of memory, 2 GB or more is recommended, with a dual core CPU, and at least 200 MB of free disk space. All components require Windows Server 2008 R2; you also need to have IIS (for the Orchestration Console); the install program can enable this automatically, along with .NET Framework 3.5 SP1. You also need to install .NET Framework 4. Orchestrator requires a SQL 2008 R2 database, either local or remote. Finally the Orchestration Console relies on Silverlight 4 which you’ll be asked to install the first time you open the Console if it’s not installed. The Runbook Designer can be installed on a Windows 7 client as well as on the server.

As in the other System Center 2012 installers, Orchestrator comes with a pre-requisite checker and a simple installer that makes installation a snap.

For old hands with Opalis 6.3 the installation is a lot smoother, compared to the many steps involved in downloading the Java components / JBoss for the Opalis installation. If you already have Opalis in your environment the “upgrade” to Orchestrator 2012 is a matter of exporting your runbooks from Opalis and importing them into Orchestrator.

In this second part of five in the overview of Orchestrator 2012 we looked at the components of Orchestrator and the installation experience. In part three we’ll look at the steps involved in creating Runbooks.

• System Center 2012 – Orchestrator 2012 – Integration Packs (0)
• System Center 2012 – Orchestrator 2012 – Runbooks best practices (0)
• System Center 2012 – Orchestrator – Creating Runbooks (0)
• System Center 2012 – Orchestrator Review (0)
• FREE: SCCM Client Actions Tool (SCCM CAT) – Manage Configuration Manager clients (4)

Many years ago telephone switchboard operators were made redundant by automation and this is exactly what’s happening in the IT world. Don’t worry, this isn’t going to be another rant about how the cloud is going to do all us IT Professional’s out of a job but it is a reminder that the times are changing.

The Orchestrator 2012 Runbook Designer – a lot easier to become friends with than PowerShell.

In my close to 20 years’ experience as an IT consultant I’ve learnt many things, the most important is that what requires specialist knowledge and time today will be easy tomorrow and automated next week. Installing a network card in 1995 was a challenge (jumpers to configure, IRQ levels to consider etc.), a few years later plug and play made it a mostly painless experience and now it’s simply a check box in a VM’s configuration. I’m sure you can think of many other similar examples from your own experience.

This automation of tasks is now spreading to interconnected systems and that’s why it’s so important for IT Pros not to dismiss the overhyped cloud / private cloud idea as a fad. Because if most of your job consists of repeated, simple tasks, you’re going to be replaced by Orchestrator 2012 or similar products. My advice is to learn what Orchestrator is all about and become the hero in the team who automates the boring tasks; becoming invaluable instead of replaceable.

Runbook Automation

System Center 2012 Orchestrator (Orchestrator from now on) grew out of Microsoft’s acquisition of Opalis Integration Server. It’s a Runbook Automation (RBA) tool, sometimes called IT Process Automation (ITPA). The term runbook (in IT at least) stems from the days of mainframes – where thick volumes of technical documentation defined the manual steps to take to remedy a particular issue. The next step was to automate those steps – hence runbook automation.

Seasoned sysadmins might think– why bother, I can use (Perl, Python, PowerShell – delete as appropriate) to automate tasks. Yes you can, but writing scripts is time consuming, especially if your scripts need to be robust and check for different conditions. Furthermore scripts that are shared amongst IT staff may be altered with no real way of tracking changes. Finally scripts only work in environments where they can reach systems they need to alter, one really big strength of Orchestrator is the many systems it can “talk” to. There’s still a place for scripts in the Orchestrator world, they can be part of a runbook, it’s just a matter of using the best tool a particular job.

The thing to keep in mind when exploring Orchestrator is that just because you can automate a particular process (and almost anything can be), should you? After all, if you automate a bad process you’ve only achieved a very fast way of doing something in a bad way. It’s been said that a day of meetings and decisions about processes results in an hour of work in Orchestrator. In other words, implementing Orchestrator isn’t about the technology, it’s about getting IT and the rest of the business to sit down and nut out their processes so that they can be automated in the best way.

Look at the most time-consuming current processes, or where service levels suffer the most, or common problems that take a long time to resolve; they’re good candidates for automation. A practical example could be that instead of being woken up in the middle of the night when you’re on emergency duty to fix a critical service, System Center Operations Manager has already picked up the failure; a runbook has attempted to restart the service twice and pinged the server in question before notifying you. The standard troubleshooting steps have already been taken and only after that are you involved – with a bit of luck you won’t even be woken up!

In this first part of five where we look at Orchestrator 2012 we covered what Runbook automation is and how Orchestrator fits into it. In the next part we’ll delve into the different pieces of Orchestrator and the installation experience. 

• System Center 2012 – Orchestrator 2012 – Integration Packs (0)
• System Center 2012 – Orchestrator 2012 – Runbooks best practices (0)
• System Center 2012 – Orchestrator – Creating Runbooks (0)
• System Center 2012 – Orchestrator – Installation (0)
• FREE: SCCM Client Actions Tool (SCCM CAT) – Manage Configuration Manager clients (4)

An organization deploying Windows 7 can be daunted with many issues. User training, setting migration, and application compatibility can all keep a Windows administrator up at night! The first two can be easily surmounted with proper planning. The third can prove a bit more difficult. While technologies, like the Microsoft’s Application Compatibility Toolkit, make this simpler; a critical application refusing to work with Windows 7 can completely derail a migration schedule.

Microsoft’s Enterprise Desktop Virtualization (MED-V) can solve nearly any compatibility problem. MED-V is the enterprise version of Microsoft’s XP Mode. Choosing between XP mode and MED-V can be a bit difficult though. The table below breaks down the major differences between MED-V and XP Mode to make selection easier.

If an organization has one or two incompatible applications that are used by a small group of consistent users, XP Mode would be the way to go. An organization with widespread incompatible applications or a few incompatible applications used by many users, MED-V will be the preferred solution.

In order for a client to use MED-V, two installations and a first run setup must take place. All three can be completely automated though. The first installation is Windows Virtual PC. For specific instructions on deploying and updating Windows Virtual PC, please see this. It is a best practice to update Window Virtual PC after the second installation and first run setup. This ensures that update will not interfere due to a required restart. The second installation is the MED-V Host Agent. Documentation for automatic deployment can be found here. The final setup is the MED-V workspace. The MED-V workspace packager allows for the automation of the first time application and VM setup.

The MED-V workspace packager simplifies the configuration of an XP VM and the installation of applications into six steps. Most administrators will want to review the planning steps and to prepare a baseline Windows XP image that is compatible with MED-V beforehand. Documentation for these steps is provided in the Workspace packager.

Microsoft simplifies the MED-V lifecycle by centralizing workspace package creation and management.

When creating a MED-V workspace package, the first dialog prompts for a workspace name and location. To make workspace management easier, it is wise to give each workspace a unique name that logically links it to the incompatible application.

Step 1 of the Workspace Package Wizard

After selecting an XP image that has been customized for MED-V, the workspace package wizard allows for the customization of first time use. This step automates one of the biggest inconveniences of XP Mode. Because the complete customization can be automated, end users need not be aware that a critical application is running under a virtual machine.

Some organizations may want for a completely unattended setup without any notification. Zero user interaction = happier users.

One particular note of interest in the workspace package wizard is the ability to manage the Startup options. If an application is used at regular intervals (ex: a direct deposit application that is only used once a month), a Windows administrator may want to let end users manage the workspace startup as opposed to automatically starting the application at user logon.

The Startup and Networking page on the workspace package wizard allows for the customization of workspace initiation.

After all settings have been configured, the workspace package can be created. The biggest factor in creation time is the size of the XP image. Most workspace packages are created and compressed in ten or so minutes.

With 38 Microsoft seconds remaining, the workspace package creation makes for a good coffee break.

After finishing the workspace package creation, the wizard will display any errors found. The test package completed successfully.

All portions of package creation completed successfully.

The final step is to deploy the workspace package to end user machines. While the deployment of the workspace package is beyond the scope of this article, specific instructions can be found here. MED-V, the final piece of the Microsoft Desktop Optimization Pack is certainly the most difficult to setup. However, it is a crucial tool for the successful migration to Windows 7.

• Microsoft Desktop Optimization Pack (MDOP): Application Virtualization (App-V) (1)
• Microsoft Desktop Optimization Pack (MDOP): Advanced Group Policy Management (AGPM) (0)
• Microsoft Desktop Optimization Pack (MDOP): Asset Inventory Service (AIS) (0)
• Microsoft Desktop Optimization Pack (MDOP): Overview (0)
• Raffle: ManageEngine Desktop Central – Part 2: Features (2)

What do you think of the new Start Screen in Windows 8? Does the touch-centric Metro user interface (UI) throw you for a loop, are you a fan, or do you really care at all?

Those of us who have used Windows for several years remember the days before the Start Screen or even the Start menu. For instance, who recalls the Program Manager in Windows 3.1?

Windows 3.1 program group

The Windows 3.1 Program Manager was problematic for many of us because we could wind up with a screenful of overlapping windows with just a few mouse clicks. This was pretty messy, confusing stuff.

The release of Windows 95 on August 24, 1995 marked a watershed moment in user interface design. The Start menu aggregated installed programs and user data into a single, easy-to-navigate menu system. The Start menu existed in one form or another in every version of Windows ever since. That is, until Windows 8 came along.

Windows 95 Start menu

In this blog post we will review some advantages and disadvantages of the Metro UI. We will then examine a Windows Server 8 Group Policy control to restrict Metro UI access for Active Directory Domain Services (AD DS) member systems.

Some advantages of the Metro UI

For some reason, the Metro UI, with its Start menu successor Start Screen, tends to strike techie types in one of the following two ways:

• “Meh. It’s okay.”
• “I hate it!”

Personally, I feel that much of the Metro hate is based in simple human nature. For most people, once we learn computer navigation tasks and become settled into those patterns, any drastic revision of those long-established habits (especially when the previous path is removed from the system) is bound to produce resistance.

Windows 8 Start screen

The Metro UI is optimized for touch interfaces. Metro’s touch navigation focus produces some initial head-scratching by folks accessing Windows 8 by using traditional desktop PCs with keyboards and mice. However, the bottom line is that Metro Live Tiles look and behave exceptionally well in a tablet PC environment. Moreover, Microsoft is bound to improve Metro screen navigation for keyboard and mouse users as the Windows 8 code evolves over time.

Live Tiles provide a true dashboard environment. It is important to note that those pretty, colorful tiles that represent applications and services in Metro don’t exist simply to provide the user with eye candy. In Windows 8 Consumer Preview, for instance, the Weather Live Tile displays the current temperature for your location. The Mail Live Tile gives you a running total of unread e-mail messages. (You can see some of this in action in Figure 3.)

By contrast, in Windows Server 8 Beta we can use Live Tiles to obtain real-time server status reporting. In my view, we Windows systems administrators must become comfortable with the fact that touch interfaces and tablet PCs are here to stay; they are not a passing fancy. The day of our managing our server farms by using a tablet device are not too far off. In point of fact, some administrators are leveraging this technology now.

NOTE: To me it is problematic and incongruous that Windows 8 Active Directory, at least as of this writing, is not supported on Windows on ARM (WOA) tablet devices. How much sense does Microsoft’s decision NOT make, given what’s we’ve been discussing in this article?

Some disadvantages of the Metro UI

Did you encounter any user learning curve issues when you migrated your organization from Office 2003 to Office 2010? Yeah, I thought so. Significant application user interface changes strike fear into the hearts of systems administrators because we know that we will be flooded with user support requests. “I knew how to get around with the old version. Now I can’t do my work! Help!”

The Metro UI represents a significant learning curve for users. In my previous example, you probably embraced the learning curve and end-user training opportunities inherent in an Office 2003 – Office 2010 migration because the benefits of the new software features outweighed the increased support load.

On the other hand, we must ask the question, “Does the Metro UI really represent a worthwhile step forward for our business users?” This issue is especially pertinent if your users have no touch-aware hardware available to them.

Metro apps require a new development paradigm. Metro-style apps are constructed by an altogether different technology stack and design focus than are traditional Windows desktop apps. Thus, businesses who develop internal (or commercial, for that matter) line-of-business software need to buy into a brand-new programming paradigm.

Disable Metro UI by using Group Policy (theoretically)

In Windows Server 8 Beta, Microsoft offers a Group Policy setting that is supposed to control the appearance of the Metro UI on at least Windows Server 8 Beta-based domain member computers.

To start the Group Policy console in Windows Server 8 Beta domain controller, open Server Manager and select Group Policy Management from the Tools menu. This user interface is depicted in Figure 4.

Windows Server 8 Beta Server Manager

Open up a new or existing Group Policy Object (GPO) and navigate to the Do not show the Start Menu when the user logs in policy, located in the following path:

User Configuration\Policies\Administrative Templates\Start Menu and Taskbar

This Group Policy appears to affect the DontShowStartMenuOnLogin DWORD value in the Windows Registry; the relevant Registry path is:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer

Fasten your seat belts, friends: this is where the “Beta” in Windows Server 8 Beta becomes apparent. Take a look at the Do not show the Start Menu when the user logs in policy setting in Figure 5. Although the Supported on: field lists At least Windows 8 Consumer Preview, the text in the Help: dialog says:

This group policy only applies to the Windows Server 8 Beta with the Desktop Experience Pack installed.

Controlling the appearance of Metro UI in Group Policy

What in the world is going on here? Does this Group Policy setting disable the Metro UI in Windows 8 Consumer Preview domain workstations? No (I tested this).

To test this Group Policy setting in Windows Server 8 Beta, let’s fire up Server Manager, start the Add Roles and Features Wizard, and install the Desktop Experience feature. This is shown in Figure 6:

Adding the Desktop Experience feature to Windows Server 8 Beta

In my testing, I found that even with the Desktop Experience feature installed, disabling this Group Policy setting in Windows Server 8 Beta still resulted in the machine booting to the standard Desktop.

NOTE: Don’t be put off by the reference to “Start Menu” in this and several other Windows Server 8 Beta Group Policy settings. Microsoft may adjust this terminology in the final release code of Windows Server 2012. By contrast, Microsoft may want us to think of the Metro environment as the “new” Start menu.

In conclusion, I found that Windows Server 8 Beta always bypassed the Start Screen and booted to the traditional Desktop, regardless of how that particular Group Policy setting was configured. It remains to be seen whether Microsoft will broaden the scope of this policy such that it affects Windows 8 client systems.

Conclusion

In this blog post we listed some advantages and disadvantages to the Windows 8 Metro user interface. We are interested to gather your feedback on the subject. To that end, please feel free to leave your thoughts in the comments portion of this post. Thanks for reading!

• How to install Windows To Go (0)
• Windows To Go introduction (0)
• Windows 8 new features – The complete list (0)
• Windows 8 Hyper-V (0)
• Domain join behavior in Windows Server 8 (0)

While server virtualization and desktop virtualization have been dominant technologies over the last few years, software virtualization has yet to be so widely adopted. The benefits of hardware virtualization are constantly touted but software virtualization has a persuasive list of merits. The main benefits of software virtualization are to ensure conflicts never arise between programs, real time software usage metrics, and for ease of upgrading.

In this package, some shell extensions were found to be unsupported.

Software virtualization allows you to take any interference that a machine or user could have out of the equation. Essentially, the software is transformed into an on-demand service instead of being an integrated part of the operating system. Microsoft’s solution to software virtualization is called App-V. In App-V, this process is called sequencing.

In order to create a virtualized version of a particular piece of software, the Microsoft Application Virtualization Sequencer is ran on a sequencing machine. It is a best practice to use a clean virtual machine as a sequencing computer. Virtual machines allow for snapshots to be quickly taken at any point. After the successful creation of a virtualized package, the VM can be instantly reverted back to a clean state.

The Application Virtualization Sequencer is designed for simplicity.

New virtual applications can be created by either using the default setting or choosing a package accelerator. Package accelerators are essentially pre-defined settings necessary for package creation that have been published for you to use. Creating a virtual package is as easy as installing the software while App-V monitors. After the application is installed, App-V captures the changes into a virtual package. App-V even allows for the configuration of first run settings. This allows for default settings and software activations to be deployed with the package for all users. Upon finishing the package, the Sequencer will automatically present any issues seen with the package.

After the package has been created, the package is then copied to the Content share. The Content share allows for the central management of all App-V packages. The package can then be be published. Publishing a package is done in the Application Virtualization Management Console. This console can either be installed on an App-V server or an administrator computer.

Selecting Import Applications will allow you to publish packages in the content share.

An important feature of App-V is the ability to manage licenses. When importing a package, the software can be linked to an Application License group. This License group can be setup as a site/unlimited license, concurrent license, or as a named (managed) license.

One of the greatest features of App-V is the reporting mechanism. Windows administrators tasked with license upkeep or software updates are plagued by the inability to monitor software usage based on time, computer, or user. When a virtual application is executed at a client, the usage metrics are automatically recorded. This reporting allows for a more knowledge based approach in licensing management or software upkeep. Organizations may find that fewer licenses are needed for some software and that other software isn’t even used anymore.

An application report for 7-Zip can be generated for a variety of time frames, this one is for a single day.

While App-V consists of more steps than simply installing software on a client, the centralized deployment, license management, and usage reporting makes a compelling case to virtualize. Organizations may find that the vast majority of software could be virtualized with App-V. This would lead to quicker mass deployments, faster application upgrades, and better software usage. App-V adds to the already strong suite of MDOP products.

• Microsoft Desktop Optimization Pack (MDOP): MED-V (0)
• How to move an App-V database to another SQL server (1)
• Microsoft VDI – Resources (2)
• Microsoft VDI – Interview with Jeff Alexander (0)
• Microsoft VDI – Interview with Michael Kleef (0)

BitLocker, introduced in Windows Vista/Server 2008, addressed the lack of hardware level encryption desired by many organizations. BitLocker initially proved valuable on laptops and tablets. As more devices became equipped with a TPM module, a chip required for BitLocker implementation, organizations began to enable BitLocker on a larger scale through the encryption of desktops. Hardware level encryption protects user created data, secures against boot sector viruses, and allows for machines to be decommissioned without formatting the hard drive first.

With the release of Windows 7/Server 2008 R2, Microsoft made strides in BitLocker implementation and administration. The deployment, management, and reporting features still lacked though. While BitLocker could easily be setup on a case by case basis, wide scale distribution was difficult. Microsoft’s BitLocker Administration and Monitoring tool (MBAM) addresses the three biggest pitfalls with a wide scale BitLocker implementation. These are: Deployment/Management, Reporting, and Cost of Support.

MBAM consist of a several server side pieces and a client side component. The sever side is made up of: the Recovery and Hardware Database, Compliance Status Database, Compliance Audit and Reports, Administration and Monitoring, and the policy templates. The features can be installed on one server or multiple servers but must be installed in the order listed above. When configuring MBAM, the server side install will default to all components on a single server.

When configuring the MBAM client, most organizations will choose to deploy the software before end users have access to the computer. This can be accomplished by including the client in an image or configuring the client for deployment during the imaging process by using Microsoft Deployment Toolkit or System Center Configuration Manager. A final option is to deploy the client using a Group Policy object. Because the client is an MSI and receives all configurations through Administrative Templates, this option is the easiest for new and existing machines. One important note is that any existing GPOs containing BitLocker configurations should be disabled as the MBAM client uses specific MBAM GPO component settings.

a

In the test environment above, the BitLocker GPO has been disabled. A new MBAM GPO has been created.

The MBAM configuration GPOs allow for granular control of BitLocker settings. The MBAM client is able to enforce BitLocker encryption methods (TPM Only, PIN, USB key, or a combination), recovery methods, backup locations, and reporting locations. The use of multiple MBAM GPOs allows for specific enforcement containing more rigorous standards. For example, desktops could be configured with BitLocker using just TPM enforcement while laptops containing sensitive data could require a complex PIN.

A sample of a MBAM configuration GPO

A big issue with deploying BitLocker on a wide scale was the cost of deployment. BitLocker keys could be stored manually, backed up to the Active Directory computer object, or saved locally. Automatically backing up to the AD computer object ensures a recovery key was always available but proved troublesome for some IT environments. The complexity of retrieving a recovery key and the delegation required to view it often proved too complex without the involvement of a system/server administrator.

The MBAM web interface allows for key recovery delegation and end user simplicity. When BitLocker locks a drive, a user can call a helpdesk technician and provide just the first 8 characters displayed. The technician can then retrieve the recovery key and document the reason the key was needed in one step.

A test recovery shows the recovery and documentation in a single page.

MBAM plugs the gaps that Windows Administrators face in their deployment of BitLocker. With the ability to encrypt machines before or after deployment, zero physical interaction is required. The MBAM client even provides the ability to manage the TPM chip directly! For all those considering a rollout of BitLocker in any sizable number, MBAM is a must for configuration and maintenance.

• Active Directory and BitLocker – Part 7: Tips and troubleshooting (0)
• Active Directory and BitLocker – Part 6: View recovery information (3)
• Active Directory and BitLocker – Part 5: BitLocker to Go (4)
• Active Directory and BitLocker – Part 4: Encrypting hard disks (2)
• Active Directory and BitLocker – Part 3: Group Policy settings (0)

SolarWinds, the new owner of DameWare NT utilities, raffles off a two 2-seat license worth $680 USD. If you want to take part in this contest, please fill out this form. Notice that your data will be submitted to SolarWinds. The deadline of this contest is May 22, 2012.

DameWare NT Utilities

The Microsoft Management Console (MMC) Active Directory management utilities that are included in Windows Server 2008 R2 are okay, but the tools are somewhat scattered and non-intuitive to use. Windows PowerShell 2.0 is certainly a potent method for administering Active Directory. However, who has time to learn the cmdlet syntax?

In the name of addressing these frustrations, please allow me to introduce the DameWare NT Utilities (NTU) and DameWare Mini Remote Control (MRC) software. These products represent a unified Windows systems administration solution in a lightweight, easy-to-use package.

By using a single Windows Explorer-style interface, we can manage every single one of our domain servers and workstations. Moreover, the NTU utilities give us power to query, manage, and export just about every conceivable hardware or software-related statistic from our server and client systems.

The NTU product family also includes a powerful configuration export tool called Exporter, as well as a lightweight, world-class remote access platform called Mini Remote Control (MRC).

Let’s have a closer look at what could prove to be the most frequently accessed utility in your AD administration tool belt.

Software setup

DameWare NT Utilities is a simple 32-bit or 64-bit server/agent software solution. The software setup workflow looks like this:

• Install the management binaries on your administrative server or workstation
• Install the client agent binaries on every system to be monitored by NTU

The NTU management tool is nothing more than a small-footprint Windows application and corresponding service. Accordingly, there is no need for a cumbersome SQL Server back-end, application server middle tier, and IIS front end. What a luxury this is!

Specifically, two agent services comprise the client side of the equation. One service allows for NTU management, and the other service hosts incoming MRC connections from a management console.

What’s cool is that you don’t even need to download the agent software separately from the DameWare Web site. Instead, we can simply fire up the NTU management console, select the appropriate workstation from the Browser tree, and then click either Install NTU Service or Install MRC Service from the Service menu. This interface is shown in the following screenshot.

Installing the NTU service

Note in the screenshot that you can use built-in batch processing tools to deploy the agent services to multiple target systems at once.

NOTE: Alternatively, we can use the DameWare Mini Remote Control Installation Package Builder utility to build a Windows Installer (MSI) package that installs or removes the DameWare Mini Remote Control Client Agent service.

DameWare NT Utilities

So what exactly can we do with DameWare NT Utilities? Well, let’s begin by reviewing some of the tasks that we Active Directory administrators do every day.

Find and manage AD user and computer accounts? Check.

Manage Microsoft Exchange Server mailboxes for our AD users? Check.

Administer Group Policy. Check. Et cetera et cetera. The theme here is that after you begin using NTU, you should only very rarely (if ever) need to use an in-box MMC console ever again.

Take a look at the following screenshot and behold the depth to which we can access NTU-enabled workstations.

NTU object browser

With a few clicks of the mouse, we can accomplish the most advanced of client management tasks, such as:

• Executing remote PowerShell cmdlets
• Issuing remote Windows command shell operations
• Manipulating Registry entries
• Enumerating client-side processes
• Managing remote services and installed software
• Creating, editing, and deleting Task Scheduler tasks
• Listing full hardware and software metadata

This final point concerning NTU’s ability to enumerate agent system metadata bears further discussion. Your shop may be required to account for the hardware and software profiles of all systems; typically this requirement arrives by dint of government/industry regulation or internal inventory control processes.

The DameWare Exporter utility included with NT Utilities address this very issue. Let’s have a look at this tool next.

DameWare Exporter

DameWare Exporter is a GUI tool with which we can build and export reports that display the following system property types:

• AD schema properties
• Standard Windows properties
• WMI hardware properties

From the DameWare Exporter we can click Tools => Options to open the Exporter Options dialog. We can then navigate to the appropriate tab (Active Directory, Standard, or WMI) to select a default output type for each data classification. Choices include the following file formats:

• UTF-8 or UTF-16 XML
• Comma-delimited text
• Tab-delimited text
• Unicode text

The DameWare Exporter user interface is shown in the following screenshot:

DameWare Exporter

DameWare Mini Remote Control

Remote access of client systems gives us Windows systems administrators, as well as our help desk personnel, far more efficiency in helping our users. You are probably leveraging Microsoft Remote Desktop Protocol (RDP) to some measure already, whether through the Remote Desktop Connection utility, or via Windows Remote Assistance.

Although DameWare Mini Remote Control fully supports Microsoft’s Remote Desktop Protocol (RDP), MRC actually uses a proprietary remote access protocol that is evidently called MRC.

Helpfully, the MRC agent auto-configures an appropriate exception in the client’s Windows Firewall. You can read a comparison between the two protocols on the DameWare Web site.

Here are some reasons why I prefer the MRC to traditional RDP:

• Support for end-to-end data encryption
• Support for interactive and remote smart card logon
• Screenshot capture and save
• File transfer
• Chat
• Multi-monitor support
• Support for more than one active client connection
• Support for IPv4 and IPv6

Those of you who have used Windows Remote Assistance may immediately see some similarities between it and MRC. That is certainly true, although I dare say that you can’t beat the elegance of the MRC solution. For instance, to establish a MRC remote session with a target host, we can simply right-click the target system and select Mini Remote Control from the shortcut menu; this is shown in the following screenshot:

Making a remote connection to a client

This action opens the Remote Connect dialog box, from which we can set our connection properties and establish the remote access connection. A live MRC connection between two Windows Server 2008 R2 systems is depicted in the following screenshot.

A live MRC remote session

Licensing Model

DameWare includes MRC within the scope of its NTU license. However, you can purchase standalone MRC licenses if this is your preference.

The NTU license model is interesting to me because NTU is licensed per administrator, not per computer. Moreover, there is no cost for agent licenses. To those of us who are accustomed to the blisteringly expensive license requirements of, say the Microsoft System Center suite, this licensing friendliness comes as great news.

DameWare customers are also granted 12 months of software assurance. Thus, we won’t get dinged for an upgrade charge if SolarWinds revises the software within that year period.

DameWare allows a licensed administrator to install the NTU software on up to three devices. Thus, a shop with 5 administrators and 1,000 client systems requires 5 NTU licenses. Moreover, each administrator can install the management tools on (for example) their administrative workstation, their home computer, and one additional station.

Criticism

If there exists one weakness in this software, it is its sparse documentation. The application help does a passable job at describing in brief the functionality of every NTU and MRC user interface control. However, fundamental questions like, “How do I install the agent software on client devices?” and “How do I query AD schema properties with NTU?” appear to be completely missing from the documentation. Frankly, I was unable to find good, general answers on the DameWare Web site, either.

Conclusion

All things considered, I am a devoted user of the NTU and MRC tools. As far as I am professionally concerned, NTU is a must-have utility for any Windows Server 2008, Windows Server 2003, or Windows Server 2000 Active Directory administrator.

Looking forward, what is interesting to me is to observe how SolarWinds plans to evolve the NTU and MRC tools in order to accommodate the PowerShell-centric Windows Server 8 administration model. The SolarWinds people strike me as extraordinarily intelligent, dynamic people–I’m sure they are figuring this out at this moment.

If you have any questions, curiosities, or personal experiences to share concerning this software, please be sure to leave a comment and I will respond.

If you want to have the chance to win a two 2-seat license of the DameWare NT Utilities, worth $680 USD, please fill out this form. Notice that your data will be submitted to SolarWinds. The deadline of this contest is May 22, 2012.

• Windows-to-Mac remote management with VNC and SSH (1)
• FREE: PAExec – Run programs on remote Windows servers (0)
• Query free disk space details of remote computers using PowerShell (3)
• FREE: EMCO Remote Console – Remote command tool for Windows (0)
• FREE: Remote Desktop Manager – Manage remote connections (4)

Have you had the chance to evaluate the recently released Windows Server 8 Beta and Windows 8 Consumer Preview software? More to the point, how familiar are you with Microsoft’s changes to Active Directory Domain Services (AD DS) in Windows Server 8?

Well, that is precisely what we are concerned with in this blog post. By the end of this lab, you’ll know how to:

• Set up a Windows Server 8 Beta computer as a domain controller
• Join a Windows 8 Consumer Preview computer to the domain
• Experiment with Windows Server 8 Beta AD administration tools

Building a Windows Server 8 Beta Domain Controller

As I described in my Windows Server 8 Installation notes blog post, in Windows Server 8 we use the completely revamped Server Manager as our GUI hub for managing server roles and features. As Figure 1 shows, we can launch the Add Roles and Features wizard by clicking Add roles and features from the Server Manager Dashboard.

Windows Server 8 Beta Server Manager

NOTE: The Windows Server 8 Beta Server Manager is a PowerShell host application. Therefore, when you issue commands through the Server Manager GUI, you actually instruct Windows to issue Windows PowerShell 2.0 cmdlets.

The Add Roles and Features Wizard in Windows Server 8 behaves basically the same way as it does under Windows Server 2008 R2. As you can observe in Figure 2, Microsoft has streamlined the interface, combining the “Add Roles” and “Add Features” functionality—this is a convenient and thoughtful improvement!

Adding the AD DS role

To create a Windows Server domain controller, we must not only install the AD DS binaries with the Add Roles and Features Wizard, but we must also run the Active Directory Domain Services Configuration Wizard.

NOTE: The Active Directory Domain Services Configuration Wizard is the latest version of the Active Directory Installation Wizard (Dcpromo) in Windows Server 2008 R2.

Take a look at Figure 3: Microsoft has redrawn the interface to include more options per dialog box page and make the overall AD installation process more straightforward than it used to be.

The New DCPROMO in Windows Server 8 Beta

After you reboot the server, the box is thereafter an AD DS domain controller. Now let’s turn our attention to client device configuration.

Joining a Windows 8 Workstation to the an Active Directory domain

The process of joining a Windows 8 Consumer Preview workstation to a Windows Server 8 Beta domain is exactly the same as it is under Windows 7 and Windows Server 2008 R2.

Log into Windows 8, switch from Metro to the traditional Desktop, and fire up the System Control Panel item. As you can see in Figure 4, the controls for joining an AD domain should look very familiar to Windows Server 2008 systems administrators.

Joining an AD domain from Windows 8 Consumer Preview

After you reboot the client, we can now submit a domain username and password instead of local or Microsoft Account credentials.

Domain logon in Windows 8 Consumer Preview

Our salient question now is, “Okay, so far, so good. Now how can we manage Active Directory from our Windows Server 8 Beta computer? Let us address this question next.

Managing the Active Directory domain with Windows Server 8

As I told you earlier, your choices for administering a Windows Server 8 Beta domain controller consist of the following options:

• Server Manager GUI
• Windows PowerShell

Note that in Figure 6, label A, any installed roles or features on a target server are listed in the Dashboard. Interestingly, this dashboard view only displays metadata related to the role or service.

To launch the familiar role and service administration consoles, we can open the Tools menu (labeled B in Figure 6) and make a selection from the drop-down menu.

Accessing admin tools from the new Server Manager

Figure 7 demonstrates that Windows Server 8 Beta still leverages a lot of “legacy” Microsoft Management Console (MMC) technology. I have no earthly idea if MMC consoles will exist in the final RTM code.

Active Directory Users and Computers in Windows Server 8 Beta

Disabling the Metro UI in Windows 8 domain members

The new, touch-centric Metro user interface (UI) exists in both Windows 8 Consumer Preview as well as is Windows Server 8 Beta. The general consensus among Windows Server 2008 administrators is they either like the new interface or they loathe it–there does not appear to be much middle ground.

To this end, a very common and popular question is, “How can we disable the Metro UI for Windows 8-based domain member workstations?”

The answer to that question, of course, lies in Group Policy. Specifically, we are concerned with the Do not show the Start Menu when the user logs in policy, located in the following Group Policy path:

User Configuration\Policies\Administrative Templates\Start Menu and Taskbar

The Windows Server 8 Beta Group Policy Editor is shown in the screenshot below.

Controlling the appearance of Metro UI in Group Policy

NOTE: As of the Beta release, this Group Policy setting affects only Windows Server 8-based computers. Frankly, I don’t know if this behavior is by design or if it is a bug.

Conspicuously absent in the Windows Server 8 Beta Group Policy repository are policy settings to control Windows on ARM (WOA) tablets and PCs. This speaks to the common knowledge that Microsoft is targeting WOA devices for “unmanaged environments.” In point of fact, WOA devices are unable to perform a domain join in the first place.

Conclusion

Today we learned how to install Active Directory on a Windows Server 8 Beta computer. We also joined the new domain from a Windows 8 Consumer Preview workstation. Finally, we spent a little time getting to know how the administrative tools work in Windows Server 8. Please feel free to share your experiences with these pre-release software products in the comments portion of this post. Thanks a lot for reading.

• How to install Windows To Go (0)
• Windows To Go introduction (0)
• Windows 8 new features – The complete list (0)
• Windows 8 Hyper-V (0)
• Windows 8 Metro – Disable in Windows Server 2012? (0)

In terms of desktop management, Group Policy is the cornerstone of a Windows administrator’s arsenal. With Group Policy, you can deploy software, printers and drive mappings. You can configure default settings and manage client behavior. But how do you manage Group Policy? The built-in mechanics for managing Group Policy are simply inadequate for most organizations. Windows administrators either have complete access or no access by their addition and removal from the Group Policy Creator Owners Security Group. Further, Group Policy Object (GPO) management lacks in terms of change control, automated backups, and role based delegation. Microsoft’s Advanced Group Policy Management (AGPM) addresses all of these issues.

AGPM is comprised of a server side component and a client. The component will add a Change Control Node to the Group Policy Management Console (GPMC) on the AGPM server.

The Change Control node within the GPMC

When configuring the server side component, you will need to configure a Group Policy service account. This Active Directory account is placed in the Group Policy Creator Owners Security Group and acts as a middle-man between you and the GPOs. When your GPMC makes a request to edit a policy, the AGPM server checks to make sure your AD account has the correct permission to do so. Those changes are then made by the AGPM service account. These permissions are specified in the Domain Delegation tab within Change Control and are divided into four roles.

The Domain Delegation tab allows for the granular delegation of Group Policy Permissions.

These roles are: Full Control, Approver, Editor, and Reviewer.

The table outlines the permissions each role has.

By separating GPO management into distinct roles, IT administrators can properly delegate permissions accordingly. For example, a first level support personal would probably be granted the reviewer role. Second tier level support or Organizational Unit administrators would probably be given the Editor role, Approver role, or both. While only a few trusted individuals would have full control. The approval request field (under the Domain Delegation tab) even allows for automated requests to be sent to a group of approvers or administrators.

To make the GPMC easier to navigate, you can use the Production Delegation tab to give all helpdesk personal read. To ensure that Editors/Administrators cannot edit GPOs outside of the Change Control node, you should remove them from Group Policy Creator Owners and remove their ability to edit settings, delete, and modify security from the Production Delegation tab. Existing GPOs will need to have their Delegation permissions modified as well to ensure a consistent environment. To make this task easier, use the GrantPermissionOnAllGPOs script which is in the Group Policy script pack.

Once your GPOs have the correct Delegation permissions and your environment is setup according to the roles above, you can begin managing GPOs. One of the first tasks is to take Control of existing GPOs. In Change Control, under the Contents tab, exist all GPOs that AGPM is aware of. By default, all GPOs are left in the Uncontrolled node. To import a GPO (or multiple GPOs), highlight the object – right click – and select Control. This will move the GPO to the Controlled node.

Importing an Uncontrolled GPO

Once a GPO is in the Controlled node, you can then have a proper change control management of policies. The process of deploying a GPO is:

1. Creation

1. To create a new GPO, right click on Change Control and select “New Controlled GPO” where you will be prompted for a name and to add a comment.
2. If you are using anything beside the default empty GPO template, select it now.

The New Controlled GPO prompt allows for the creation of controlled policies.

2. Checking-Out

1. Before a policy is checked out, it is wise to import it from production. This ensures that any changes made to the live GPO in the past, such as linking to OUs, are kept when the GPO is deployed again.
2. This ensures that changes are documented and only one person is changing the policy at one time.
3. To check out a policy, right click the GPO and select Check Out.
4. An offline copy (beginning with AGPM) is created for editing. You can view this GPO under the Group Policy Objects Container.
   
   A checked out GPO under Group Policy Objects
5. If changes aren’t made, select Undo Check Out. This will delete the offline copy.

3. Applying security filtering/WMI filtering to the GPO

1. If you need to make a WMI filtering change, you can select the GPO under Group Policy Objects and set the WMI filter.
2. Security Filtering Scope options should be modified by going to Action and then properties (within the Group Policy Management Editor).

4. Editing the GPO: This is the same process without AGPM.

5. Checking-In

1. After editing, check back in the policy to merge changes. To do so, right click on the policy and select Check in.
2. Checking-In the policy allows for reports to be ran and for the GPO to be edited by another technician.

6. Request for Approval/Approval

7. Deployment

The Advanced Group Policy Management console solves many of the problems IT administrators have with Group Policy such as tracking changes, automatically backing up/restoring GPOs, and granular delegation of GPO management. Although it does require additional effort in configuration, the results are well worth it!

• Folder Redirection – Part 5: Best practices (1)
• Folder Redirection – Part 4: Group Policy configuration (0)
• Folder Redirection – Part 3: Explanation of folder permissions (4)
• Folder Redirection – Part 2: Setting up your file server (0)
• Folder Redirection – Part 1: Introduction (0)

You are the administrator for a single Active Directory domain that consists of two Windows Server 2008 R2 domain controllers named DC01 and DC02.

DC02, which holds the schema master role, has gone unexpectedly offline. You need the schema master role in order to be available in the domain. You log onto the domain by using the domain Administrator account.

A. Add your domain user account to the Schema Admins built-in group.

B. Register the Schmmgmt.dll dynamic link library.

C. Transfer the schema master role to another domain controller.

D. Seize the schema master role to another domain controller.

The Correct Answer and Explanation

The correct answer is D. The practical difference between transferring and seizing an operations master role is that transferring is by far the preferred choice, although it assumes that both domain controllers (the giver and the receiver of the role are online.

In this case, the domain controller DC02 has gone offline unexpectedly and we don’t know when (or if) the computer will return to action. Thus, we need to fire up an administrative command prompt, start Ntdsutil, and perform a seizure of the schema master role, specifying DC01 as the target.

Seizing an operations master role

Analysis

By closely reading the item stem, we know that the root question is “Which of these answer choices gets us closest to accomplishing the goal of recovering the schema master role to DC01?

The first content that we need to have under our conceptual belts is the difference between operations master role transfer vs operations master role seizure. If we understand this difference, then we immediately know that choice D looks good and choice C can be dismissed.

Choice A is tricky because it requires that we have closely read the item stem. Some candidates might mistakenly select this answer choice, thinking “I know that your domain account must be a member of the Schema Admins built-in group in order to perform any schema-related actions.” This is true, but remember that the domain Administrator account in the forest root domain is the sole member of the Schema Admins group. In this scenario we have a single forest root domain.

Choice B is accurate inasmuch as we need to use regsrv32.exe to register the Schmmgmt.dll dynamic link library and thereby gain access to the Active Directory Schema Microsoft Management Console (MMC) console. However, this action alone will not accomplish the goal of placing the schema master role on our sole remaining domain controller.

Conclusion

I hope that you found working through this sample practice question to be helpful to your certification studies. If you remain unclear on the “hows and whys” of the operations master roles, then see the companion piece that I mentioned at the beginning of this blog post. You are also free to leave your questions, comments, and concerns in the comments portion of this post. Happy studying!

• Raffle: Blackbird Auditor for Active Directory – Real-time Active Directory auditing (0)
• FREE: ManageEngine Free Active Directory Tools (0)
• Microsoft Exam 70-640 – The Global Catalog – Sample question (0)
• Microsoft Exam 70-640 – The Global Catalog (3)
• Automatically fill the computer description field in Active Directory (9)

In this series, we will move through the content blueprint of the Microsoft Windows Active Directory Configuration (70-640) exam objectives with an eye toward preparing you to pass this Microsoft Certified Technology Specialist (MCTS) exam.

Microsoft Exam 70-640 – Configure operations masters / Domain 2, Subobjective 6

For each exam domain, I will compose two blog posts. One blog post represents a nutshell summary of the content underlying a particular subobjective from the 70-640 certification exam outline. The second blog post offers a representative practice exam question that covers the same topic from that content domain.

The screenshot above shows the relevant section from the 70-640 exam blueprint on configuring operations masters.

Today’s subobjective centers upon the operations master roles. Operations master roles are special, well, roles that domain controllers are assigned in order to ensure the consistency of the Active Directory Domain Services (AD DS) database.

NOTE: Operations master roles used to be known as flexible single master operations (FSMO, pronounced FIZZ-moh) roles.

Operations master roles are either forest-wide or domain-wide; the following list summarizes the scope and primary purpose of each of the five roles:

• Schema Master (1/forest): Performs updates to the AD DS schema
• Domain Naming Master (1/forest): Manages the addition of domains and directory partitions
• Relative Identifier (RID) Master (1/domain): Allocates RIDs to each domain controller in the domain
• Primary Domain Controller (PDC) Emulator (1/domain): Preferred administration point for Group Policy, DFS, password management
• Infrastructure Master (1/domain):Updates object references between domains

Before you even think about registering to take the 70-640 exam, please ensure that you are very comfortable with all of technologies and procedures that are referenced in this subobjective:

• Seize and Transfer
• Back Up Operations Master
• Operations Master Placement
• Schema Master
• Extending the Schema
• Time Service

Seize and Transfer

The first domain controller in each domain automatically inherits all domain-level operations master roles. The first domain controller installed in the forest receives the forest-wide operations master roles as well.

However, administrators can transfer roles from one domain controller to another. This process can be accomplished by using one of the built-in Active Directory administrative consoles or the Repadmin command-line utility.

We’ve summarized the tool to use to transfer each operations master role:

• Transfer the schema master: Active Directory Schema console
• Transfer the domain naming master: Active Directory Domains and Trusts console
• Transfer the RID master, PDC emulator, or infrastructure master: Active Directory Users and Computers console

If a domain controller that hosts an operations master role goes unexpectedly offline, you may need to seize that role by forcibly transferring the role to another domain controller. We use the Ntdsutil command-line tool in order to seize an operations master role.

Relevant Links:

• What are Operations Masters?
• Transferring an Operations Master Role
• Seize Operations Master Roles

Back Up Operations Master

Stated very simply, when we back up a domain controller, we also back up any operations master roles that the server owns. However, Microsoft advises against restoring a RID Master or a Schema Master to avoid the possibility of introducing corruption into the Active Directory Domain Services database.

Relevant Links:

• Examining Operations Master Technical Details
• Active Directory Backup and Restore

Operations Master Placement

First of all, recall that two operations master roles are forest-wide, and the other three roles are domain-specific. Remember also that of all the roles, the PDC Emulator role requires the highest number of CPU cycles. Thus, consider the network connectivity and hardware profile of the domain controller to which you want to assign the PDC Emulator role.

Of course, it (almost) goes without saying that you want to spread operations master roles across separate domain controllers. Generally speaking, only the smallest of domains can practically have a single domain controller host multiple operations master roles.

Speaking of the PDC Emulator role, Microsoft recommends that you ensure that the PDC Emulator is placed in a well-connected location so as to minimize latency when password changes are propagated among domain controller within a domain.

Microsoft’s biggest suggestion with regard to the infrastructure master is to avoid placing this role on a domain controller that is also a global catalog server. If you do so, the infrastructure master will quite simply cease to function.

NOTE: Because read-only domain controllers (RODCs) possess a read-only copy of the Active Directory database, RODCs cannot be operations master role holders.

Finally, Microsoft strongly recommends that the same domain controller host both of the forest-wide operations master roles (schema master and domain naming master). In addition, this domain controller must also be configured as a Global Catalog server.

In all but the largest domains, Microsoft recommends assigning the RID Master and PDC Emulator roles to the same domain controller.

Relevant Links:

• Planning Operations Master Placement
• FSMO placement and optimization on Active Directory domain controllers
• Placing Operations Master Roles

Schema Master

The schema master is the only domain controller in the entire AD DS forest that can write changes to the AD DS schema. The current schema master can be identified by opening the Active Directory Schema MMC snap-in, right-clicking the Schema node, and selecting Operations Masters from the shortcut menu. This is shown in the following exhibit.

Identifying the schema master role holder

Your domain user account must be a member of the Schema Administrators built-in group in order to make changes to the schema.

Relevant Links:

• Identify the Schema Master
• How Operations Masters Work

Extending the Schema

The Active Directory schema describes the master list of object classes and attributes that comprise the AD DS forest. When you examine the properties of a domain user account, for instance, you are viewing the attributes of the user class. This is shown in the following graphic.

Mapping a user account property to the AD DS schema

To extend the schema means to define new object classes and/or attributes to the schema. Sometimes enterprise applications extend the schema as a part of their installation (Microsoft Exchange is a good example). Forest administrators can also manually add new data to the schema and even optionally replicate the new schema data to the Global Catalog.

Specifically, we can manually extend the schema by using one of the following methods or tools:

• Active Directory Schema MMC snap-in
• LDIFDE
• CSVDE
• ADSI script
• Ldp
• ADSI Edit

Relevant Links:

• Extending the Schema
• Methods for Extending the Schema

Time Service

For the exam, you need to remember that it is the domain controller that holds the PDC Emulator role that is the default Windows Time Service (W32time) time source for the forest.

I discussed Active Directory time synchronization in another blog post; please check that out if you desire additional information on this subject.

Relevant Links:

• Introduction to Administering Operations Master Roles
• Configuring a Time Source for the Forest

Conclusion

I hope that you find this approach to 70-640 exam preparation to be beneficial. Please feel free to leave your questions, comments, and exam experiences (no brain dumps, please) in the comments portion of this post.

In the next post I will provide a sample practice question for the “Configure operations masters” subobjective.

• No related posts.