Windows for the Enterprise

Everything You Wanted to Know and Ask about Windows Deployment

DavidNudelman — Sat, 28 Apr 2012 19:24:46 +0000

With the release of Windows 8 approaching, many questions are still unanswered. One of them is “What are the changes on the deployment methods for Windows 8″?

Well, the good news is that Microsoft is organizing 2 webcasts to talk about that.

Don’t miss it!

TechNet Webcast: Everything You Wanted to Know and Ask about Windows Deployment (Part 1)

Registration URL: http://go.microsoft.com/?linkid=9807963 or http://bit.ly/JLTQLM

Date/ Time: Tuesday, May 15, 2012 – 9-10am (Pacific)

Abstract: In this demonstration-rich, question and answer webcast, Windows Product Manager Stephen Rose moderates an open conversation with Microsoft Deployment Toolkit Product Manager Michael Niehaus and deployment guru Johan Arwidmark. They discuss the new Microsoft Deployment Toolkit 2012 release as well as tips and tricks from the experts about using the Windows Deployment Toolkit.

__________

TechNet Webcast: Everything You Wanted to Know and Ask about Windows Deployment (Part 2)

Registration URL: http://go.microsoft.com/?linkid=9807964 or http://bit.ly/Kgny8y

Date/ Time: Thursday, May 17, 2012 – 9-10am (Pacific)

Abstract:In this demonstration-rich, question and answer webcast, Windows Product Manager Stephen Rose moderates an open conversation with Microsoft Deployment Toolkit Product Manager Michael Niehaus and deployment guru Johan Arwidmark. They discuss the new Microsoft Deployment Toolkit 2012 release as well as tips and tricks from the experts about using the Windows Deployment Toolkit.

Exam 70-659: Windows Server 2008 R2, Server Virtualisation – Virtual Exam Preparation Workshops

DavidNudelman — Tue, 03 Apr 2012 14:15:28 +0000

Want to go for the 70-659 exam? Microsoft is offering a great opportunity to get it done! They are providing FREE workshops to get you prepared.

The 2 day online workshop covers 4 modules of 2.5 hours each, covering all the content of the exam. Get ahead of the crowd, don’t miss it!

Dates available:
18 & 19 April – 9:30 to 14:30
20 & 21 April – 9:30 to 14:30

Register at:
https://msevents.microsoft.com/cui/SearchDisplay.aspx?culture=en-gb#culture=en-gb;kwdAny=44WW092;eventType=0;searchcontrol=yes;s=1

Good luck!

Bitlocker Password Recovery Viewer for Windows Server 2003

DavidNudelman — Tue, 03 Apr 2012 11:03:38 +0000

Bitlocker was designed to work with Windows Vista and Server 2008 and newer versions, but unfortunately some companies are still administering their environments with back ends based on Windows Server 2003 and Helpdesk staff using Windows XP.

In order to do a proper Bitlocker Administration, access to the Password Recovery keys for Bitlocker is critical. It took me a long time to gather all the information required to have access to the Bitlocker keys on Windows Server 2003, so I decided to share it with you!

1. The first step is to extend the Schema of your 2003 Domain to support the Bitlocker AD Attributes.

If you enable Bitlocker on machines before extending the schema the key will not be stored on Active Directory.
Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information:
http://www.microsoft.com/download/en/details.aspx?DisplayLang=en&id=13432
This download includes a guide, the schema extention and a few additional scripts you will need to run to allow machines to auto-update TPM information.
2. The second step is to install the SP1 for the Windows Admin Tools Pack

Install Windows Server 2003 Service Pack 1 Administration Tools Pack
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=3725
3. The third step is to install the actual Bitlocker Password Viewer for Active Directory.
In this case we are talking about a Windows Server 2003 SP1 or later. Unfortunately there is no direct link for this download. The only official way to get that is to log a support call with Microsoft. You might be lucky and find it somewhere else ;D

BitLocker Recovery Password Viewer for Active Directory Users and Computers
http://support.microsoft.com/kb/928202

Extract:
Note: This article also provides information about optional use of the BitLocker Recovery Password Viewer for XP-based computers. If you want to obtain the BitLocker Recovery Password Viewer tool for Windows XP/Windows Server 2003, please contact a Microsoft Support Professional.

The final result – You will get a tab for Bitlocker Recovery on the COMPUTER objects in Active Directory:

Disable Authenticated User from beeing able to join computers to the domain

DavidNudelman — Thu, 15 Mar 2012 11:25:05 +0000

One of the things I still can’t understand is why users should be allowed to join computers to the domain. One Best Practice I always follow is to change the maximum number of machines an authenticated user can join to the domain to ZERO.

Users with permissions to create objects on specific OUs, by being Domain Admins or through delegated rights (use the delegation wizard) will still be able to create computer objects, and join computers to the domain.

To accomplish that follow the procedure bellow:

ADSIedit > Default Naming Context > “DC=domain,DC=com” > Properties > Attribute Editor:

Set: ms-DS-MachineAccountQuota to 0

Summary:
ms-DS-MachineAccountQuota stores a numeric value of the number of computers that a user is allowed to join to the domain (actually it is the number of computer objects that that user is allowed to create in a domain). When a machine is joined to the domain, the authenticating Domain Controller searches the domain for all computers previously added by this user and compares that number against the value defined in ms-DS-MachineAccountQuota. If the number of computers created is less than the value defined in ms-DS-MachineAccountQuota then the operation succeeds. If not, the operation fails. Administrative users and delegated users are exempt from this quota because they have the necessary permissions to create computer objects anywhere in the domain, therefore the initial permissions checks succeed. By default, any authenticated user can join up to ten computers to the domain. This is because Authenticated Users has the right “Join workstations to the domain” by default, and because the default value for ms-DS-MachineAccountQuota is 10. Setting ms-DS-MachineAccountQuota to zero, stops authenticated users from joining workstations to the domain.

Requirments: at least 2003 Domain functional level

Reference: http://www.msresource.net/knowledge_base/articles/info:_how_does_ms-ds-machineaccountquota_work.html

Exchange 2007 – MapiExceptionADNotFound: Unable to mount database

DavidNudelman — Fri, 10 Feb 2012 00:46:43 +0000

It is almost 1 am. I’ve been resolving an Exchange2007 issues since 9 am. Everything is going as planned until I hit a strange behaviour. I couldn’t mount an Exchange 2007 database that was recently created.

The error was: Error code: MapiExceptionADNotFound: Unable to mount database.
To be more specific, the wizard created the database on AD but couldn’t mount it. After doing some troubleshooting I found out that Exchange was writing to one Domain Controller and reading from another, therefore, it wasn’t an Exchange issue, just needed to wait (or force) replication between DCs.

Forced replication between the DCs on Active Directory Sites and Services and the database mounted instantly. Another thing that you can do is sit back and wait for it to replicate.

I hope this helps you! If it does, please leave a comment.

Hyper-V Hands on training for I.T. Professionals

DavidNudelman — Tue, 31 Jan 2012 14:58:41 +0000

Virtualising Servers with Hyper V

Date: Tuesday, 28 February 2012Topic: Cloud

User: IT Pro

Location: Park Plaza, Plaza 3-6 Room, Boar Lane City Square, Leeds, LS1 5NS

Synopsis

The aim of this camp is to provide a practical introduction to Hyper-V, for
people new to server virtualisation or those experienced in other server
virtualisation technologies.

The exact content of each camp is driven by you, the delegate. However, we
will follow some broad topics around virtualisation such as:

• Virtual networks in Hyper-V
• A first look at System Center Virtual Machine Manager 2012
• Installing Hyper-V
• Hyper-V licensing and licensing virtual machines
• Microsoft support for virtualisation

Source: http://uktechdays.cloudapp.net/it-pro-camps.aspx

ADMT 3.1 error – ERR3:7075 Failed to change domain affiliation

DavidNudelman — Thu, 26 Jan 2012 12:01:33 +0000

I migrated a few machines using ADMT 3.1 from a source Domain A.local to target Domain B.net
I had a few errors with the Agent and it took me a long time to find the solution.

It looked like a DNS issue, as it is the most common cause for failed ADMT agent operations.
The error was ERR3: 7075 (“ERR3:7075 Failed to change domain affiliation”), which drove me to this KB – http://support.microsoft.com/kb/929493
But that was not the solution, as the problem was caused by a specific setting on the Server 2008 Domain Controller policies.

1. The solution: Log on to a Windows Server 2008-based domain controller.

2. Click Start, click Run, type gpmc.msc, and then click OK.

3. In the Group Policy Management console, expand Forest: DomainName, expand DomainName, expand Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.

4. In the Group Policy Management Editor console, expand Computer Configuration, expand Policies, expand Administrative Templates, expand System, click Net Logon, and then double-click Allow cryptography algorithms compatible with Windows NT 4.0.

5. In the Properties dialog box, click the Enabled option, and then click OK.

Source: http://support.microsoft.com/kb/942564

Happy Migration!

Path to Windows 7 – Part III. Application Compatibility

DavidNudelman — Wed, 09 Nov 2011 11:14:41 +0000

One of the main reasons why companies are delaying their migration from Windows XP to Windows 7 is the lack of compatibility with business critical applications, and sometime it can be a show stopper. There are a few tools and application delivery mechanism that can solve those issues.

Now that we have a complete inventory and rationalized our applications with MAP and Centrix WorkSpace iQ, we are left with a list of application that will be delivered to the Windows 7 users. The next step is to assess the compatibility of those applications on Windows 7 and on the platform that will deliver the application. There are a few different options here. The first decision to make is “32 or 64 bit” version of Windows 7, this decision will imply changes on the application compatibility results. The recommended platform is 64 bit, and it is recommended to companies without a complex application stack and even more important, no legacy applications.

The second decision is on how to deliver the applications. Will it be installed directly to the physical machine through a MSI? Will it be virtualized with App-V and delivered via streaming? Will it be installed on a Remote Desktop pool and the application will be delivered through presentation virtualization? This is also important, as standards for compatibility for App-V and Servers are different from the OS.

Some of the new security features introduced in Windows Vista and Windows 7 may cause the lack of compatibility. Common issues are Session Zero Isolation, 16 bit components, legacy drivers, hardcoded paths, and application that require to run as administrator. There are different ways to test for application compatibility. Microsoft has a very nice tool called ACT – Application Compatibility Toolkit that will help you run applications on a Standard User Mode (non-admin). It will flag all the issues that are preventing the application to run correctly to help you fix the issues. It will also provide a list of potential fixes and will work with Shims.

But the process with ACT can be very lengthy and painful as the amount of information provided is low the tasks are very manual. An alternative is to use AppTitude by App-DNA (now part of Citrix). App-Titude allows you to import applications and it will run code and behaviour analysis based on the application’s MSI. It will run compatibility analysis and give you results for Windows 7, 64 bit, App-V, XenApp, Server 2008, Server 2008 R2. It will also help you choosing the best option to deploy that application, physical, virtual or hosted on a server. All the results are displayed on a RAG status and in case it is amber or red it will give you remediation guidelines, suggest shims and even propose auto fixes with MSTs. App-Titude will also automate packaging for App-V to help you accelerate the deployment. The greatest advantage of this tool is that you can send all the application that come out as Green straight to UAT and focus your packaging team on the applications that require remediation. It will also tell you how complex it is to fix a specific app so you can easily manage your internal resources or take the decision to use an external packager for that.

Internet Explorer compatibility is also something worth looking at. Some websites where coded a long time ago and might have components that will not run on Internet Explorer 8 or 9. AppTitude can handle analysis of web applications. Another way to solve web application issues is Browsium, a nice piece of software that integrates legacy browser tabs on your current Internet Explorer version, so you can run web application in IE6 mode inside IE9.

There are other methods to solve compatibility issues. For very small companies or departments, you can use Med-V, but you will still need to manage the Windows XP running under Windows 7 and it will also be out of support soon.

Dealing with applications is the lengthiest process on the path to Windows 7 and that is the main reason why you should at it sooner rather than later on the migration journey. The next step is to consider how to deliver Windows 7 to the end user.

Resources:
ACT – Application Compatibility Toolkit

AppTitude by App-DNA

Browsium

Med-V

The Springboard Series

Share your connection through a virtual wireless Access Point with Windows 7

DavidNudelman — Tue, 08 Nov 2011 13:09:22 +0000

Windows 7 offers a very cool feature where you can connect multiple devices to any wired and wireless network connection (hotel, cable, 3G, UMTS, EDGE, WIFI, RJ45, Ethernet, etc.) by turning your own laptop into a wireless AP (Access Point) to relay those devices not directly connected to the internet.

For this just enter these two commands to an elevated (right click on CMD.EXE, run as administrator):

netsh wlan set hostednetwork mode=allow ssid=YOURFRIENDLYSSID key=SOMEPASSWORD

netsh wlan start hostednetwork

At this point, if Internet Connection Sharing (ICS) is setup, anyone can connect to your SoftAP (if they know the PWD of course) and the traffic will be sent through whatever adapter you want. You can actually bridge it across an entirely different adapter… or the same on a different Wifi LAN.

A GUI to set this up can be downloaded for free here: http://www.connectify.me/

Path to Windows 7 – Part II. Application and Hardware Discovery

DavidNudelman — Tue, 08 Nov 2011 10:43:29 +0000

The first step to get ready to migrate to Windows 7 is to understand your environment very well. You will probably want to start identifying your applications and hardware. It is also a good time to consider improving some of your internal procedures such as OS deployment and application distribution, as well as improvements on user experience.

You should start with a hardware and software inventory. I recommend using MAP, the Microsoft Assessment and Planning Toolkit. MAP is an agentless application that will take an inventory of machines on your network and tell you what hardware they have. It will also tell you what software is installed on the machines. It will go even further and tell you if the machines are ready to run Windows 7 and Office 2010, based on a few pre-defined factors. Make sure you take out DVD Drive as a requirement (this is a default value), as you will probably use something like WDS and/or MDT to deploy Windows 7. MAP can do much more; check the resources at the end of this article.

MAP will provide the inventory, but it is still hard to understand how the applications are being used. Having an application installed does not mean that the users actually use it. Furthermore, do they use the application when they are at the office or when they work from home? How many concurrent users do you have for an application? Those answers can seriously affect the price you will pay for your licences. To tackle this problem I recommend Centrix WorkSpace iQ. It will monitor application usage on workstation with the agent installed. It can also help you understand how laptops are used. I had a client to run the laptop analysis in 700 laptops and after 3 months we found out that only 96 of them where ever taken away from the docking station, which means that potentially 604 of them can be replaced by a desktop on the next hardware refresh cycle.

Once you understand your hardware and software current state you will need to rationalize the software that is used on your company. It is a great time to remove old versions and retire legacy software. On average each retired application can save up to 3000 dollars during a migration. Choose carefully with software will be delivered on your new Windows platform and work to solve potential application compatibility issues.

Make a list of the hardware that needs to be replaced and find a solution for it, If you have the budget get new machines. If you are tight in budget but have a decent licence agreement give Windows ThinPC a try.

Resources:

Microsoft Assessment and Planning Toolkit

Centrix WorkSpace iQ