Weblog.BassQ.nl

I am pleased to announce the availability of the Remote Desktop Load Simulation Toolset.   Many customers have asked us to provide the specific number and type of servers to use for Remote Desktop Services scalability.  This is a difficult question to answer without more complete information given the variation in use cases and the impact on server loading.

To help answer that question, the RDS team created a toolset to create and measure load when using Remote Desktop Services.  We believe this toolset will also be useful for customers that wish to conduct their own scalability testing.

It’s important to note that this is one tool to help answer this question, but not the only one.  In addition to using this toolset, measuring and understanding your own environment and usage cases is very important.

The Remote Desktop Load Simulation Toolset is now available for download at http://www.microsoft.com/downloads/details.aspx?FamilyID=c3f5f040-ab7b-4ec6-9ed3-1698105510ad&displaylang=en

If you’ve got servers still running Windows 2000 Server in your enterprise, your robot will be blaring this warning ever more urgently the closer we get to July 13, 2010.  That’s the end-of-support date for the Windows 2000 Server platform. Servers still running Windows 2000 after this date will be doing so without security hotfixes, patches or service packs. But there is more,

There are two important events that will happen to the support policy for Windows 2000 after June 30th of this year.

First, support for both IE 5.01 SP3 and IE 6 SP1 on Windows 2000 SP3 will expire. Users running IE 5.01 or IE 6 SP1 on Windows 2000 should upgrade to Windows 2000 SP4 in order to continue to receive security updates.

Second, Windows 2000 SP4 moves from mainstream to extended support. The key difference between mainstream support and extended support which I think is most relevant to this audience is this quote from the lifecycle site: “Microsoft will not accept requests for warranty support, design changes, or new features during the Extended support phase.” We will of course continue to keep our Windows 2000 SP4 customers secure with security updates through the life of Windows 2000 (through 2010). There are a few other differences between the two support models which you can read about at the lifecycle site. You may also want to read my previous post about Windows’ lifecycle.

It should be no surprise that we do not plan on releasing IE7 for Windows 2000. One reason is where we are in the Windows 2000 lifecycle. Another is that some of the security work in IE7 relies on operating system functionality in XPSP2 that is non-trivial to port back to Windows 2000.

Please note that these lifecycle changes are only for IE on Windows 2000. For questions about other versions of IE (IE for PocketPC, IE for Mac), please consult the lifecycle site for the latest expiration dates.

That said, migrating servers is no one’s idea of a party. If you’re worried about your migration project generating migraines, make sure you leverage all the resources Microsoft is making available to Windows 2000 Server end of lifers:

Your first stop should be the Windows 2000 End-of-Support Solution Center, a new site loaded with migration planning and technical tools. Check out the Windows Server 2008 R2 Upgrade Paths as well as the Windows Server Migration Tools, the Assessment and Planning Toolkit and the Microsoft Deployment Toolkit. The site also has great guidance on migration planning as well as technical guidance on migrating specific server roles.

Look for more tools and guidance around Windows 2000 Server end of life in the coming months, both here and on www.microsoft.com/windowsserver.

Source; http://blogs.technet.com/windowsserver/archive/2010/01/14/windows-2000-server-approaching-end-of-life.aspx

Source: http://blogs.technet.com/softgrid/archive/2009/11/19/announcing-app-v-4-6-rc-and-integration-with-office-2010-beta.aspx

First of all, we are excited to announce the availability of App-V 4.6 RC! In August we announced the App-V 4.6 Beta. Since then we have taken in lots of customer feedback and continue to refine the App-V 4.6 release so that we can deliver a great product!  We invite you to check out the RC release by registering and downloading the App-V 4.6 RC release via Microsoft Connect, where you can also submit feedback directly to the team.

We’re not done though, in addition we’d like to share some great news and also announce our integration with Office 2010 Beta:

Microsoft Office 2010 Beta, Ready to be Sequenced With the Microsoft Office 2010 Beta Deployment Kit for App-V

As you know the Office team just completed a major milestone Microsoft Office 2010 Beta, congrats to the team!  Throughout the process of building Office 2010 the App-V and Office teams have been working very closely to make sequencing Office 2010 Beta possible with App-V 4.6 RC!  We have taken the feedback and requests from post-Office 2007 and App-V 4.5 releases, and have been hard at work implementing a solid integration experience for Office when App-V 4.6 releases in H1 2010.

So what’s Different when using Microsoft Office 2010 Beta and App-V 4.6 RC together?

Office 2010 has introduced a new piracy protection initiative, the Software Protection Platform (SPP) service.  This service uses a machine’s hardware characteristics and product key to activate the installation, which is performed during the first Office application launch.

Since the Office 2010 product activation is linked to the hardware on which Office is originally installed, customers who wish to deploy Office 2010 using App-V must physically install the SPP service on the sequencer machine before beginning the sequencing process – and on any client machines that will stream and run Office 2010.

Our engineering teams have collaborated to address the top customer issues that people were running into when virtualizing past versions of Office.   As a result, Office 2010 has a much more integrated user experience.  The Office 2010 integration delivers key productivity enhancements and a seamless user experience by enabling the following::

· Microsoft SharePoint Integration – You can open, edit, and save Microsoft Office documents using Microsoft SharePoint.

· Microsoft Outlook Fast Search – You can use Microsoft Windows Desktop Search to find specific messages in your inbox.

· MAPI Proxy – You can connect to your inbox using Microsoft Outlook Send To functionality.

· Microsoft Office Document Indexing – You can index your documents so that you can use Microsoft Windows Search to locate files.

· Virtual Mail Control Panel icon – You can use the Email icon in Control Panel to perform advance mail configuration.

· URL protocol handler – You can configure links in the browser and specify the appropriate associated Microsoft Office application.

· Send to Microsoft OneNote Printer driver – You can print documents to Microsoft OneNote.

To help customers facilitate this process, we have created the Microsoft Office 2010 Deployment Kit for App-V (Beta). The Deployment Kit contains both the required SPP licensing component and Office 2010 integration features.

And what’s even more exciting, you can get your hands on it now.

How Do I Sequence Microsoft Office 2010 Beta for App-V 4.6 RC?

1. Download Office 2010 Beta here

2. Download the Microsoft Office 2010 Deployment Kit for App-V (Beta)

3. Download App-V 4.6 RC on Microsoft Connect

4. Read the App-V recipe for sequencing Office 2010 Beta on Microsoft Connect.

For detailed information on whether your environment meets the requirements of Office 2010 and App-V 4.6 RC, please refer to the App-V recipe.

Please note: We are providing a recipe to support the sequencing and testing of these pre-release products on Microsoft Connect.  Please provide feedback via Microsoft Connect, by choosing FEEDBACK once logged into the App-V 4.6 Program.

We look forward to hearing about your App-V 4.6 RC and Office 2010 experience!

Source; http://blogs.technet.com/virtualization/archive/2009/12/10/Offline-Virtual-Machine-Servicing-Tool-v2.1-.aspx

Virtualization affects how we plan, build, deploy, operate, and service workloads. Customers are creating large libraries of virtual machines containing various configurations. The patch-state of these virtual machines are not always known. Ensuring that offline virtual machines are properly patched and won’t become vulnerable the instant they come online is critical.

I am therefore very pleased to state that the Offline Virtual Machine Servicing Tool v2.1 has now been released!

Congratulations to the Solution Accelerator team for this release!

The Offline Virtual Machine Servicing Tool 2.1 has free, tested guidance and automated tools to help customers keep their virtualized machines updated, without introducing vulnerabilities into their IT infrastructure.

The tool combines the Windows Workflow programming model with the Windows PowerShell interface to automatically bring groups of virtual machines online, service them with the latest security updates, and return them to an offline state.

What’s New?

Release 2.1 is a direct response to customer and Microsoft field requests to support the R2 wave. Offline Virtual Machine Servicing Tool 2.1 now supports the following products:
· Hyper-V-R2
· VMM 2008 R2
· SCCM 2007 SP2
· WSUS 3.0 SP2
· OVMST 2.1 also supports updates to Windows 7 and Windows Server 2008 R2 virtual machines.

Download here; Offline Virtual Machine Servicing Tool  2.1
More info; http://technet.microsoft.com/en-us/library/cc501231.aspx

VMware and Microsoft are ramping up their virtualization games with relatively new releases. Scott Lowe compares and contrasts some of the major features in vSphere and Hyper-V R2.

Source: http://blogs.techrepublic.com.com/datacenter/?p=1820

Microsoft was late to the virtualization game, but the company has made gains against its primary competitor in the virtualization marketplace, VMware. In recent months, both companies released major updates to their respective hypervisors: Microsoft’s Hyper-V R2 and VMware’s vSphere. In this look at the hypervisor products from both companies, I’ll compare and contrast some of the products’ more common features and capabilities. I do not, however, make recommendations about which product might be right for your organization.

Table A compares items in four editions of vSphere and three available editions of Hyper-V R2. Below the table, I explain each of the comparison items. (Product note: With the release of vSphere, VMware has released an Enterprise Plus edition of its hypervisor product. Enterprise Plus provides an expanded set of capabilities that were not present in older product versions. Customers have to upgrade from Enterprise to Enterprise Plus in order to obtain these capabilities.)

Table A

(continue reading…)

This poster provides a visual reference for understanding key technologies in Windows Server 2008 R2. It focuses on Active Directory Domain Services, Hyper-V, Internet Information Services, Remote Desktop Services (including Virtual Desktop Infrastructure (VDI)), BranchCache, and DirectAccess technologies. In addition, updates to core file services and server management are illustrated. You can use this poster in conjunction with the previously published Windows Server 2008 Component Posters.

Download here as PDF: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=64a5cc28-f8a1-4b30-a4a2-455c65bda8d7

Following quickly on the heels of the Windows 7 and Windows Server 2008 R2 launches (they have PowerShell 2.0 built in), Microsoft has released version 2.0 for all flavors of Windows since XP:

Windows Management Framework, which includes Windows PowerShell 2.0, WinRM 2.0, and BITS 4.0, was officially released to the world this morning. By providing a consistent management interface across the various flavors of Windows, we are making our platform that much more attractive to deploy. IT Professionals can now easily manage their Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 machines through PowerShell remoting – that’s a huge win!

PowerShell v2 has finally been released for ‘legacy’ OSes (Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008)! I’m saying legacy OSes because the latest OSes are Windows 7 and Windows Server 2008 R2. You could also say the out-of-band releases have been released. This happened somewhere in the end of October 2009.

If you are having a hard time finding those, that’s because it is in included in the Windows Management Framework.

The Windows Management Framework includes:

• Windows Remote Management (WinRM) v2.0
• Windows PowerShell v2.0
• Background Intelligent Transfer Service (BITS) v4.0

Read more about it here.

Windows Management Framework Core (WinRM 2.0 and Windows PowerShell 2.0)

• Download the Windows Management Framework Core for Windows Server 2008 package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=863e7d01-fb1b-4d3e-b07d-766a0a2def0b)
• Download the Windows Management Framework Core for Windows Server 2008 x64 Edition package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=d37e25cf-db05-4b23-a852-cdf865d81b82)
• Download the Windows Management Framework Core for Windows Server 2003 package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=f002462b-c8f2-417a-92a3-287f5f81407e)
• Download the Windows Management Framework Core for Windows Server 2003 x64 Edition package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=909bbcf1-bd78-4e03-8c83-69434717e551)
• Download the Windows Management Framework Core for Windows Vista package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=f2fa1227-9a34-4e29-aa03-62f5c00e16f2)
• Download the Windows Management Framework Core for Windows Vista x64-based systems package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=0f73efa2-f8d6-45f3-a8f8-5cdc205b119a)
• Download the Windows Management Framework Core for Windows XP package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=60cb5b6c-6532-45e0-ab0f-a94ae9ababf5)

Windows Management Framework BITS (BITS 4.0)

• Download the Windows Management Framework BITS for Windows Server 2008 package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=e77925a9-58a2-428b-bb4f-714d49d0b889)
• Download the Windows Management Framework BITS for Windows Server 2008 x64 Edition package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=e749f4cd-74db-404a-bc30-765137cd3804)
• Download the Windows Management Framework BITS for Windows Vista package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=d7ae9660-bb13-4f0c-816b-85de3980ec1b)
• Download the Windows Management Framework BITS for Windows Vista x64-based systems package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=173c8a2d-b264-49ca-8d35-b6f234cbdaeb)

Thanks much to the Microsoft Learning and MS Press folks for such a fantastic giveaway. I remember getting the pre-cursor for this book, Introducing Microsoft Windows Server 2008, before I joined Microsoft and it was a huge help in getting grounded with the then-new OS. Introducing Windows Server 2008 R2 is a deep-dive work, that’ll get you up to speed on how R2’s new features and capabilities work, including Hyper-V and RDS virtualization, management, IIS and the new Web application platform and, of course, all the synergistic goodness between Windows Server and Windows 7. Free for a click, so don’t miss out.

Download Here; http://download.microsoft.com/download/5/C/0/5C0BD0AB-040D-4C56-A60B-661001012DDA/Windows_Server_2008_R2_e-book.pdf

The Microsoft Baseline Security Analyzer provides a streamlined method to identify missing security updates and common security misconfigurations. MBSA 2.1.1 is a minor upgrade to add support for Windows 7 and Windows Server 2008 R2.

To easily assess the security state of machines in an environment, Microsoft offers the free Microsoft Baseline Security Analyzer (MBSA) scan tool. MBSA includes a graphical and command line interface that can perform local or remote scans of Microsoft Windows systems.

MBSA 2.1.1 builds on previous versions by adding support for Windows 7 and Windows Server 2008 R2. As with the previous MBSA 2.1 release, MBSA includes 64-bit installation, security update and vulnerability assessment (VA) checks, improved SQL Server 2005 checks, and support for the latest Windows Update Agent (WUA) and Microsoft Update technologies. More information on the capabilities of MBSA 2.1 and 2.1.1 is available on the MBSA Web site.

MBSA 2.1.1 runs on Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003, Windows XP and Windows 2000 systems and will scan for missing security updates, rollups and service packs using Microsoft Update technologies. MBSA will also scan for common security misconfigurations (also called Vulnerability Assessment checks) using a known list of less secure settings and configurations for all versions of Windows, Internet Information Server (IIS) 5.0, 6.0 and 6.1, SQL Server 2000 and 2005, Internet Explorer (IE) 5.01 and later, and Office 2000, 2002 and 2003 only.

To assess missing security updates, MBSA will only scan for missing security updates, update rollups and service packs available from Microsoft Update. MBSA will not scan or report missing non-security updates, tools or drivers.
Choose the appropriate download below for English (EN), German (DE), French (FR) and Japanese (JA) for x86 (32-bit) or x64 (64-bit) platforms.

Download details Microsoft Baseline Security Analyzer 2.1.1 (for IT Professionals)
Source: http://bink.nu/news/microsoft-baseline-security-analyzer-2-1-1.aspx

New Enhancements

The upcoming RDP 7 enhancements discussed are as follows:

• Windows 7 Aero support
• Direct 2D & Direct 3D 10.1 application support
• True multi-monitor support
• RDP Core Performance Improvements
• Multimedia enhancements
  • Media Foundation support
  • DirectShow support
• Low Latency audio playback support
• Bi-directional audio support

Anyone who has been doing server-based computing, remoting, terminal services, Citrix or whatever you want to call it for any period of time.  In this portion they show a 1080p high definition (HD) video being remoted from a Windows Server 2008 R2 Terminal Services.

WOW, is all I can say!  I was left speechless.  It was beautiful, not a single skip or hiccup, and it was beautiful.   Microsoft accomplishes this not through virtual GPUs or server-side GPUs but by sending commands (code) from the server to the client.  The commands are then executed on the local client’s graphics cards vs. the servers which Microsoft calls this, “RDP Client Rendering”.

The following image is a screen shot from the HD movie played over RDP 7.  You will notice the resolution is very high and rich, now imagine it running in full motion with the audio synced.   I never thought I would see the day.

Through RDP Client Rendering the amount of server-side resources are cut drastically.  This eliminates the classic problem where one or two users running a graphics application at any given time renders the Terminal Servers box unusable.  Not anymore.  As the HD movie played, Gaurav showed us that both the server’s CPU and the network bandwidth utilization were running around 1%.   Again, WOW is all I can say!

In the following image you will you will notice the Windows Task Manager’s CPU Usage and Memory Usage are very low considering a HD move is being remoted.  Heck, mouse movements almost add more CPU…

Once they were done wooing us with the amazing eye candy in the demo, Nadim Abdo came back to discuss RDP Graphics Internals, the RDP graphics architecture, and which RDP rendering method was used by which applications.

Applications Supported?

As mentioned earlier, in Windows 7 and RDP 7 Microsoft has added the ability for the server to send commands to the Remote Desktop Client and have those commands executed by the local client’s graphics card vs. being required to have them rendered on the server, thus gaining the benefits we talked about above.  But this is not always the case, and it was pointed out in the presentation where applications that run through and/or somehow embed Windows Media Player will take advantage of client -side rendering, called RDP Client Rendering, but that all others methods will not.  For example, Flash media.  We all know there are tons of Flash videos and banners all over the web today.  Even DABCC.com has Flash.  Microsoft commented that in the future we might see other graphics version move from a host rendering solution to a client rendering model.

The following chart shows the media types and whether they are rendered on the server and/or the client:

RDP 7 Graphics: Bringing it All Together

In the finial demo of the presentation, Gaurav Daga revisits the Direct X 2D and Direct X 3D applications shown earlier in the presentation, but this time he runs them both at the same time, side by side on the screen.

You will also notice the full Aero glass effect is present and running over RDP 7, notice the translucencies?  Gaurav even showed off the eye candy “Flip 3D” support and it all worked flawlessly over a remote desktop session.  Yes, a RDP session…

Virtual Desktop Support

One of the more interesting points Gaurav Daga made, which I found very compelling, was around virtual desktops.   He made the point that today most virtual graphics adapters found on virtual desktops do not support truly rich DirectX and Direct 2D / 3D applications but with Windows 7, Windows Server 2008 R2, and RDP7, it won’t matter due to the fact the features are built into the operating system (Windows 7) and do not require heavy use of the server side graphics driver.  This also means it does not matter what hypervisor Windows 7 runs on.  All you need is a virtual Windows 7 desktop along with the Desktop Client for RDP7 and the user experience will be all that and a bag of chips.

This makes me think.  VMware and a slew of other desktop virtualization venders use RDP as the remoting protocol for their VDI solutions so in theory they will be able to take advantage of these upcoming features.  But the problem is solutions such as VMware View (formally known as Virtual Desktop Manager (VDM)) have a custom client.  This being said, the VDI brokers will be required to update their current clients to support the upcoming RDP 7 enhancements.  Only the upcoming Microsoft Desktop Services connection broker will be able to take advantage of these features by default.

What Clients will be supported?

At launch time and I can only expect for some time afterwards, the following clients will support all the new graphics and multimedia enhancements:

• Windows 7
• Windows Vista (Direct X remoting will not work)

The Bottom Line:

The bottom line is that Microsoft is stepping up the game with Windows 7, Windows Server 2008 R2 Remote Desktop Services, and RDP 7.   The enhancements discussed and shown in the demos will go a long way to enhance the “user experience” in both Presentation Virtualization and Virtual Desktop worlds thus allowing wider adoption due to less pushback from users.  (We all know user pushback matters…and delivering an amazing user experience is the key to overcoming user pushback.)

The only big drawback I saw was the fact that Microsoft is still using host rendering for a slew of common formats.  For example, Flash.   Needless to say Flash tends to be everywhere and typically does not perform well on my TS boxes…   These new features will not directly benefit Flash video and the other formats of videos still using host based rendering.

Although at the end of the day for me it is simple….. when I can get my hands on this I will be retiring my MacBook Pro notebook and will be replacing it with a laptop running Windows 7!   Sorry Apple… Put that in one in an upcoming “PC vs. Mac” commercial because “I’m a PC”!

I am a big fan of sysinternals tools and I use these tools quite often to debug OS related issues. These tools are quite useful when you want to understand internals of OS. Mark and his team has been doing a great job in keeping these tools up to date and adding new features once in a while. One such new tool that got released yesterday is Disk2VHD. You can download it here. Here is how TechNet link decribes this new tool.

Disk2vhd is a utility that creates VHD (Virtual Hard Disk – Microsoft’s Virtual Machine disk format) versions of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V virtual machines (VMs). The difference between Disk2vhd and other physical-to-virtual tools is that you can run Disk2vhd on a system that’s online. Disk2vhd uses Windows’ Volume Snapshot capability, introduced in Windows XP, to create consistent point-in-time snapshots of the volumes you want to include in a conversion. You can even have Disk2vhd create the VHDs on local volumes, even ones being converted (though performance is better when the VHD is on a disk different than ones being converted)

I downloaded this tool in the morning and experimented a bit on my Windows 7 system. Usage of this tool is straight forward. You see a dialog with all disk partitions as listed in the screen shot here. All you need to do is select all the partitions you want to export to a VHD and click “Create”. The VHD export will take sometime based on the overall disk size you selected. For my experiments, I just selected first two partitions. This is because I have all the BCD information on partition 1 and without that my new VHD will be meaningless. You may see lot of CPU/memory utilization while the export is in progress. On my system, it looked something like this.

Once the export is complete, I rebooted my system in to Windows Server 2008  R2 and created a virtual machine and attached the exported VHD. That is it. My virtual machine is ready with installed OS and all the applications I was running on the physical Windows 7 system.

As I powered on the VM, the first screen showed me the boot menu I usually see on my physical machine. This is because I never removed the additional multi-boot entries I had in the BCD stored on first partition.  This entries — if selected — won’t work because I did not export the partitions containing those OS images to the VHD.

At this point, I continued selecting the Windows 7 entry and started booting OS. Within a few seconds, I could see the user selection screen and after I logged in using my regualr user account, I could see all the applications working as usual. I also have Windows Virtual PC with WinXP mode in the VHD image. But — as I expected — that did not work as it requires hardware assisted virtualization which is something that will not be availble inside a virtual machine.

Source: http://www.ngn.nl/ngn/STEVEKEYNOTE

On the 8th of October Technet_live was being held in The Hague, this included the Windows 7 introduction in the Netherlands. Steve Ballmer, CEO of Microsoft presented the Keynote. NGN-member Alex Warmerdam filmed the whole keynote with his mobile phone, and got to ask Steve Ballmer a question as well.

The Active Directory Recycle Bin in Windows Server 2008 R2 by Jonathan Medd : http://www.simple-talk.com/sysadmin/exchange/the-active-directory-recycle-bin-in-windows-server-2008-r2/

Since Active Directory was included as part of Window Server 2000, administrators have often asked for  a simple way to roll back mistakes, whether that is the incorrect deletion of the wrong user account to the accidental removal of thousands of objects by deleting an OU. Before the release of Windows Server 2008 R2 there were a number of ways using built-in or third-party methods to restore Active Directory objects, but typically they were not as quick or complete as say retrieving a deleted email or file.

Microsoft has included with their release of Windows Server 2008 R2 the facility, under the correct conditions, to enable a Recycle Bin for Active Directory and allow simple restoration of objects which have been erroneously removed. In this article we will briefly cover some of the options prior to 2008 R2 and then examine how to enable the new Recycle Bin and restore objects from it.

Pre-Windows Server 2008 R2

The 2008 R2 Recycle Bin for Active Directory is a great motivating point for upgrading your forest and domain(s) to the latest version, but this is not always a quick process in many enterprises so it is worth knowing what options are available prior to this version. Like many things it’s a lot better to examine and plan for possible resolutions before a significant mistake happens that you need to deal with. Retrieving Active Directory objects typically falls into two available categories, authoritative restore from a backup or tombstone reanimation.

Authoritative Restore

The Microsoft KB article 840001(http://support.microsoft.com/kb/840001) details how to perform the restoration of a user account using a system state backup of a domain controller. Typically, you would use a global catalog so that you can also restore all group membership information.

Tombstone Reanimation

The above article also details how to recover an account when you don’t have a system state backup by using tombstone reanimation which was introduced with Windows Server 2003 – you can retrieve objects from the Deleted Objects container where they are kept after deletion until their tombstone period expires. Obviously regular system state backups of Active Directory are critical for your full disaster recovery procedures, but taking advantage of tombstone reanimation means you can get objects back quicker than having to go through the full authoritative restore process.

You could use the procedure in the article which utilises the ldp.exe tool, but there are other methods around which you may find simpler.

• The article itself links to a Sysinternals tool, ADRestore (http://technet.microsoft.com/en-us/sysinternals/bb963906.aspx), which is a command line tool for reanimating objects.

• The free ADRestore.Net, a GUI tool made by Microsoft PFE Guy Teverovsky. http://blogs.microsoft.co.il/blogs/guyt/archive/2007/12/15/adrestore-net-rewrite.aspx.

• Quest produces a freeware product Object Restore for Active Directory, an easy to use GUI tool. http://www.quest.com/object-restore-for-active-directory/ (Note: there is a commercial version with more features, Recovery Manager for Active Directory.)

• Quest also produces a cmdlet library for managing Active Directory with Windows PowerShell (http://www.quest.com/powershell/activeroles-server.aspx). As of version 1.2 a number of the cmdlets had a Tombstone parameter added to them so that a search of objects would also include items which have been tombstoned. These results could then be piped through to the new cmdlet Restore-QADDeletedObject to undelete the object represented by the tombstone.  For instance the command Get-QADUser –Tombstone -LastChangedOn  ((Get-Date).adddays(-1)) | Restore-QADDeletedObject would restore all user accounts deleted yesterday.

The drawback with tombstone reanimation is that because most of the object’s attributes are removed at the time of the object’s deletion, a restored object using this method requires many properties of the account, such as address fields and group membership, to be manually repopulated. Whilst this is obviously preferable to re-creating an account from scratch it does not make for a quick overall process. However, you will at least get back the objectGUID and objectSid attributes which means there would be no need to re-configure a user’s workstation profile.

The original release of Windows Server 2008 introduced snapshot backups for Active Directory. You can take point-in-time snapshots of your Active Directory with the NTDSUTIL command line utility which utilizes Volume Shadow Copy to provide a snapshot. It is then possible to mount this snapshot using different ports on the same domain controller as the live Active Directory database and use standard tools to compare the two. This could really make the tombstone reanimation a lot simpler because after restoring the object you could view two versions of Active Directory Users and Computers side by side and view the properties of the restored object from a previous time, so making it simpler to repopulate properties.

The Directory Service Comparison Tool (http://lindstrom.nullsession.com/?page_id=11) takes advantage of these snapshots and makes the repopulation process more streamlined.

For those with Microsoft Exchange messaging environments, once you have the Active Directory account back, you can use the Reconnect Mailbox feature within Exchange to tie the restored account back up with the mailbox. This is of course providing you have a similar tombstone retention period for mailboxes that you do for AD accounts.

Active Directory Recycle Bin

The real reason you decided to read this article though was not so that we could spend time going over all the possible options for how you can piece together restored AD objects, but rather to find out how the Recycle Bin is going to make your life as an Active Directory administrator easier without necessarily the need for these different tools. The key differences from previous versions of Windows Server are that by default you get all of the attributes back and the tools to use are PowerShell cmdlets, which are quickly becoming a more essential part of every Windows administrator’s standard toolkit.

Firstly though the Active Directory Recycle Bin is not enabled by default and has certain domain and forest wide requirements before it can be enabled.

• Firstly, all domain controllers within the Active Directory forest must be running Windows Server 2008 R2.
• Secondly, the functional level of the Active Directory forest must be Windows Server 2008 R2.

Naturally organizations are typically cautious when upgrading Active Directory and these types of infrastructure projects don’t tend to happen quickly, but the Recycle Bin could be one of the features which gives you more weight behind a decision. You should also be aware though that enabling the Recycle Bin is a onetime only move, there’s no easy way to disable it again, so careful consideration of this decision must be taken.

It’s worth noting that if you are making a fresh forest install of Windows Server 2008 R2 the Active Directory schema will already include all of the necessary attributes for the Recycle Bin to function. If however you are upgrading your domain controllers from previous versions of Windows Server then you will need to run the well known procedure of adprep /forestprep and adprep /domainprep (for each domain) and possibly adprep /domainprep /gpprep (for Group Policy preparation)

before you can introduce Windows Server 2008 R2 domain controllers into the environment.

So let’s go ahead and run through all the steps we need to get the Recycle Bin enabled. Firstly, ensure that all of your domain controllers are running Windows Server 2008 R2 and then we need to use PowerShell; the great news with Windows Server 2008 R2 is that version 2 of PowerShell is installed by default and is placed directly on your taskbar.

After you have installed Active Directory Domain Services the Active Directory specific cmdlets are available to use via a module; modules essentially are the evolution of snapins from version 1 of PowerShell. To access these cmdlets you can either open the Active Directory specific version of the PowerShell console from the Administrative Programs menu, or the method I would prefer, use the Import-Module cmdlet. (Tip: You could add the below expression to your PowerShell profile so that the cmdlets are available every time you open PowerShell)

PS> Import-Module activedirectory

Once complete all of the Active Directory cmdlets will be at your fingertips. As previously discussed we now need to get the functional level of the forest up to the level of Windows Server 2008 R2. The most common way to do this previously was through Active Directory Domains and Trusts.

Now though we can do this through PowerShell. The Get-ADForest cmdlet will return information about your forest and the Set-ADForestMode cmdlet will enable you to raise the current functional level – since it is such a significant change to your environment you will be prompted to confirm that you wish to go ahead.

Now that our forest is at the correct functional level we can enable the Recycle Bin, to do so we use the Enable-ADOptionalFeature cmdlet. This must be either run on the DC with the Domain Naming Master FSMO role or directed at that server with the –server parameter. Again you will be prompted to confirm your command since the action is irreversible.

(continue reading…)