Channel: Ask the Directory Services Team

iPad / iPhone Certificate Issuance


Hey all, Rob here again. It’s been a while since I have written a blog post, and this one was too interesting to pass up.

I recently worked a case around deploying certificates to Apple iPhones and iPads to secure their network communications. The investigation uncovered that Apple devices can get certificates via the Simple Certificate Enrollment Protocol (SCEP), also known in the Microsoft world as Network Device Enrollment Service (NDES) in Windows Server 2008/R2.

Extreme Disclaimer Warning!!!

Microsoft obviously does not directly support Apple products of any kind. Your first stop when troubleshooting or configuring any Apple product is:

http://www.apple.com/support/

Now that that is out of the way, let’s continue.

I was unable to find any true corporate support information on Apple’s webpage for the iPad or iPhone, only sales goo. If someone has a proper support link and phone number please send it along so I can update this post. Obviously, we’d rather have you talking to Apple about the iPhone or iPad as they are the authority on how those products should consume certificates.

Strangely, Apple doesn’t appear to document a step-by-step process for certificate enrollment, so on behalf of some Microsoft customers we had to figure it out. Bear in mind, there may be some changes to this article later.

Most of this blog is going to cover the setup and configuration options in NDES that support the solution. If you have worked with MSCEP in the past, not much has changed other than some new registry keys for managing SCEP certificate enrollment. Enrolling for certificates against the old Windows Server 2003 SCEP Add-On utility does not work with Apple devices, so Windows Server 2008 or later is required.

NDES Requirements:

  • Only available on the Enterprise Edition of the Windows Server 2008 or Windows Server 2008 R2 operating systems.
  • Can be installed on the same server as the CA, or on another member server. If you install it on another member server you can configure NDES to use a Windows Server 2003 CA.
  • Requires the installation of the Certification Authority Web Enrollment role service on the NDES Server.

Installation:

The installation of NDES is straightforward; however, the steps below assume that you are installing the NDES role for an Enterprise Certification Authority rather than for a Standalone CA. If you are installing this for a Standalone CA, certain settings should be skipped. I would encourage you to review the NDES whitepaper for more information.

1. Launch Server Manager.

2. Click on Add Roles.

3. Click the Next button.

4. Check Active Directory Certificate Services.

5. Click the Next button twice.

6. If you are installing the NDES Server on a separate server from the CA, uncheck Certification Authority.

7. Check Certification Authority Web Enrollment, and Network Device Enrollment Service.

NOTE: If you see a dialog box about adding required role services for Web Server (IIS), click the Add Required Role Services button.

8. Click the Next button.

9. If you are not installing the role on a CA, you will be prompted with the screen shown below. You will need to select the Enterprise CA that should be used for the CA Web Enrollment pages. Click the browse button, and select the appropriate CA. If you want to use CA Web Enrollment Pages on a non-CA, see this blog about web enrollment proxy.

10. Click the Next button.

11. Provide a user account under which to run the IIS application pool for the NDES web application. It is strongly recommended that you create a domain-based service account. This account must be given the Enroll permission on the certificate template(s) that NDES will use. This gives you the ability to lock down the certificate template so that only devices that use NDES can enroll for certificates based on this template.

NOTE: The service account used MUST be added to the IIS_IUSRS group before attempting to use the account in the wizard.

12. Click the Next button.

13. If you are installing NDES on a server other than the CA, you will be presented with the screen below to select the CA to which the NDES web application will submit the requests it receives. Click the Browse button, and select the appropriate CA.

14. The next step is to provide information for the Registration Authority certificate to be issued to the web application pool account that we defined at step 11.

NOTE: The RA Name can be anything you like. The default is the computer’s name concatenated with "-MSCEP-RA". This becomes the subject of the RA certificates.

15. Click the Next button.

16. Select the Signature and Encryption key CSPs to be used, as well as the Key length for the Registration Authority certificates. The default will work fine. If you later decide that you want to change this, review the following blog by Jonathan Stephens.

17. Click the Next button twice.

18. Click the Install button.

NDES Configuration settings:

NDES configuration settings are stored in the registry. I cover some of the more commonly modified registry keys; for a complete listing of configuration settings please read the NDES Whitepaper.

The base registry key location NDES reads is:

HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP

All the registry values referenced below are set in this registry key.

Template Settings

Use these settings to customize the certificate templates used by NDES.

SignatureTemplate (REG_SZ)
EncryptionTemplate (REG_SZ)
GeneralPurposeTemplate (REG_SZ)

These three registry values hold the LDAP name of the template that should be issued for each type of key that the SCEP client could possibly request. There are three types of keys that can be specified.

SignatureTemplate: The private key can only be used for creating a digital signature. In the certificate template configuration, this is denoted by the Purpose, Signature, on the Request Handling tab.
EncryptionTemplate: The private key can be used for encryption. In the certificate template configuration, this is denoted by the Purpose, Encryption, on the Request Handling tab.
GeneralPurposeTemplate: The private key can be used for both encryption and for creating a digital signature. In the certificate template configuration, this is denoted by the Purpose, Signature and encryption, on the Request Handling tab.

Here is a screenshot of a certificate template showing where to find the template name that needs to be populated in the registry values. In the figure below it is IPSecIntermediateOffline (the default template used by NDES).

NOTE: If you decide to use a custom certificate template there are more requirements:

  • The NDES application pool identity needs enroll permissions on the template; this is set on the Security tab when looking at the properties of the template.
  • The template must be valid for computer and not user accounts. You can find out the template type by looking at the properties of the template and clicking on the Extensions tab. Then select the extension Certificate Template Information and you will see Subject type: Computer.

  • Template Subject Name should be set to Supply in the request. This can be seen by clicking on the Subject Name tab.

Now, let’s continue to look at the NDES configuration settings.

Password Settings

Use these settings to configure some of the password behavior in NDES.

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP
Value: PasswordValidity
Type: REG_DWORD
Data: Default 60 (decimal)

PasswordValidity sets the amount of time (in minutes) for which the NDES admin-supplied password is valid. The default value is 60 minutes, but most admins change this value to something that accommodates the time it takes to communicate the password to the device owner. The device owner enters this password on the device in order to enroll for a certificate.

A good value might be 0x78 (120 decimal). This will give the owner of the device 2 hours to get through the iPhone configuration utility and set the challenge password. If the validity period expires and the device owner has failed to obtain a certificate, then the SCEP admin will need to generate a new challenge for the user.

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP\PasswordMax
Value: PasswordMax
Type: REG_DWORD
Data: Default 5

PasswordMax sets the number of passwords that the service will track once the NDES admin starts generating passwords. This means that the NDES Admin can get X unique passwords generated at one time. Once the number has been reached the NDES admin will not be able to generate any further passwords until the old ones have been utilized by a device or the password validity has expired.

You can change the behavior of NDES to force the service to use only one password for all client certificate enrollments. This is used with the UseSinglePassword registry value added in the following hotfix:

959193 Two improvements are available that shorten the time that is required to manage SCEP certificates by using the Network Device Enrollment Service in Windows Server 2008
http://support.microsoft.com/kb/959193

IIS configuration change:

By default, IIS 7/7.5 security is too restrictive to permit these Apple devices to enroll via SCEP. With the out-of-the-box settings enrollment will fail with the following error in the Application event log:

Log Name: Application
Source: Microsoft-Windows-NetworkDeviceEnrollmentService
Date: {DATE}
Event ID: 11
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: {COMPUTERNAME}

Description:

The Network Device Enrollment Service received an http message without the "Operation" tag, or with an invalid "Operation" tag.

The IIS logs will show the following line when the iPad device attempts to send its certificate enrollment to the NDES server:

2010-11-04 12:43:38 10.28.40.27 GET /certsrv/mscep/mscep.dll operation=PKIOperation&message=MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJGSIb3DQEHAaCAJIAEggSTMIAG%0 . . . {Shortened for the blog} . . . EMPlcwhmd8c1XAAAAAAAAA%3D%3D%0A 80 - 10.188.117.101 Settings/1.0+CFNetwork/467.12+Darwin/10.3.1 404 15 0 812

This is a 404.15 (Request Filtering: Denied because query string too long) error. It means that the query string sent in the HTTP URL is longer than request filtering allows by default: in the scenario above, the iPad was sending a string of over 2700 characters, but the default maxQueryString limit is 1024. The default is kept small in order to mitigate buffer-overrun attacks. To change the value, use the following IIS appcmd.exe command:

%systemroot%\system32\inetsrv\appcmd.exe set config
  /section:system.webServer/security/requestFiltering /requestLimits.maxQueryString:"3072"
  /commit:apphost

The command above has been wrapped for clarity.
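As an added example, not code from the original post, the Python below parses IIS W3C log lines in the field order of the sample above and flags mscep.dll requests that request filtering denied with 404.15, then suggests a maxQueryString (in 1024-character steps) large enough for the longest one. The log lines are constructed; the IPs and user agent are those from the sample line.

```python
"""Find SCEP enrollments that IIS request filtering rejected (404.15).

Constructed example, not code from the original post. It parses IIS W3C
log lines in the default field order shown in the post and reports every
mscep.dll request whose query string is longer than maxQueryString.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

IIS_DEFAULT_MAX_QUERY_STRING = 1024   # request-filtering default quoted in the post

# Field order of the sample log line in the post (IIS default W3C selection).
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status",
          "sc-substatus", "sc-win32-status", "time-taken"]

# Constructed log: one PKIOperation whose PKCS#7 blob (base64, URL-encoded)
# pushes the query string past 1024 characters, and one small GetCACert probe.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 7.5",
    "#Fields: " + " ".join(FIELDS),
    "2010-11-04 12:43:38 10.28.40.27 GET /certsrv/mscep/mscep.dll "
    "operation=PKIOperation&message=" + "MIAGCSqGSIb3DQEHAqCAMIACAQEx" * 97
    + "%3D%3D%0A 80 - 10.188.117.101 Settings/1.0+CFNetwork/467.12+Darwin/10.3.1 "
    "404 15 0 812",
    "2010-11-04 12:43:40 10.28.40.27 GET /certsrv/mscep/mscep.dll "
    "operation=GetCACert&message=ca 80 - 10.188.117.101 "
    "Settings/1.0+CFNetwork/467.12+Darwin/10.3.1 200 0 0 31",
])


@dataclass
class ScepRequest:
    client_ip: str
    user_agent: str
    operation: str      # SCEP "operation" query parameter
    query_len: int      # length of the raw query string as logged
    status: str         # "sc-status.sc-substatus", e.g. "404.15"

    @property
    def denied_for_length(self) -> bool:
        # 404.15 is "Request Filtering: Denied because query string too long".
        return self.status == "404.15"


def parse_line(line: str) -> Optional[dict]:
    """Map one W3C log line onto FIELDS; None for directives, blanks, bad lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def scep_requests(lines: Iterable[str]) -> List[ScepRequest]:
    """Every request to mscep.dll in the log, in order."""
    found = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["cs-uri-stem"].lower().endswith("/mscep.dll"):
            continue
        query = rec["cs-uri-query"]          # IIS logs "-" when there is no query
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        found.append(ScepRequest(
            client_ip=rec["c-ip"],
            user_agent=rec["cs(User-Agent)"],
            operation=params.get("operation", ""),
            query_len=len(query),
            status=f"{rec['sc-status']}.{rec['sc-substatus']}",
        ))
    return found


def suggested_max_query_string(longest_query: int, step: int = 1024) -> int:
    """Smallest multiple of `step` strictly above the longest query seen."""
    return (longest_query // step + 1) * step


def report(lines: Iterable[str], limit: int = IIS_DEFAULT_MAX_QUERY_STRING):
    """Denied SCEP requests plus a maxQueryString that would admit all of them."""
    denied = [r for r in scep_requests(lines)
              if r.denied_for_length or r.query_len > limit]
    longest = max((r.query_len for r in denied), default=0)
    return denied, (suggested_max_query_string(longest) if denied else limit)


if __name__ == "__main__":
    denied, new_limit = report(SAMPLE_LOG.splitlines())
    for r in denied:
        print(f"{r.client_ip} {r.operation} query={r.query_len} chars -> {r.status}")
    print(f"set requestLimits.maxQueryString to at least {new_limit}")
```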

Generating the enrollment challenge password:

Alright, now that you have gone through the effort of configuring NDES you can generate the challenge so that you can add it to the iPhone / iPad configuration.

1. Launch Internet Explorer and go to:

http://<NDES Server’s DNS FQDN>/CertSrv/MSCEP_Admin/

So you would type something like:

http://2k8r2-mem1.fabrikam.com/CertSrv/MSCEP_Admin

2. You will then see the following screen with the provided challenge:

Now you are ready to put the challenge password into the iPhone configuration utility.

iPhone / iPad configuration:

Alright, now we get to the “fun” section. As stated earlier, we do not support any of the applications or features shown in this section. If you try things the exact way that I show in this blog and it fails or if the utility is totally different a year from now, or whatever: don’t call us, call Apple. This blog post is about giving our best effort to be helpful, not for Microsoft to become Apple’s support and documentation channel.

Download and install the iPhone Configuration Utility 3.1 for Windows (never mind the name, it is for iPads also). Now you have an application where you can configure the SCEP settings. After this you will have to deploy the configuration settings to the iPhone / iPad device. Don’t ask us how to do this; like Melinda, I don’t own any Apple devices for a repro and my customers had to figure it out. Or, step up to the Genius Bar.

Below is the configuration utility screen with highlighting of the SCEP configuration settings.

Here are the settings you should use:

URL: http://yourNDESServerName.domain.com/certsrv/mscep/mscep.dll

The URL field should be the DNS name of the NDES server. So if the NDES server name is 2k8r2-mem1.fabrikam.com then the URL should be: http://2k8r2-mem1.fabrikam.com/certsrv/mscep/mscep.dll

NAME: YOUR CA-NAME

This should be the CA’s name from which you are requesting a certificate. Keep in mind that most CA names are really friendly names and usually are different than the CA’s computer name. For example: Fabrikam Issuing CA1.

Subject: O=Fabrikam,OU=IT,CN=Robs IPad

This is the subject field of the certificate issued to the iPhone/iPad device. It is backwards from the usual canonical form you are familiar with, but that is the way Apple wants it.

Subject Alternative Name Type:

Leave this blank, unless you need some kind of Subject Alternative Name (SAN) on the issued certificate. If you plan on using a subject alternative name, then you will need to run the following commands on the CA before issuing certificates.

CertUtil -SetReg Policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc & net start certsvc

Challenge:

This is the password that is given to you from the NDES administrator. If you are the NDES administrator this is the password that you get from visiting the site: http://yourNDESServerName.domain.com/certsrv/mscep_admin/

Key Size:

This is the key size of the certificate you are requesting. It must match the key size configured in the certificate template.

Use as digital signature and Use for key encipherment checkboxes:

Checking / unchecking of these values determines which certificate template is specified by NDES when sending the request to the CA. These are directly related to the registry value settings of SignatureTemplate, EncryptionTemplate, and GeneralPurposeTemplate. What boxes to check depends on the application that needs the certificate.

Fingerprint:

Leave this blank.

Final Thoughts

Hopefully, between this blog and the configuration utility, you will be able to successfully issue certificates to the iPhone or iPad. Please keep in mind that we have not discussed anything advanced with NDES, nor have we talked about how to secure this powerful service. Please review the NDES Whitepaper to learn more about these topics.

Oh….and one last thing. If you have problems or issues with the iPad or iPhone, call Apple.

Rob “I know the turtle neck comments are coming” Greene

Gratuitous Windows Phone 7 Plug


Friday Mail Sack: Pew Pew Pew Edition

Hello folks, Ned here again. It’s been a while since I’ve blogged, mainly due to me being a huge dirtbag. Today I discuss USMT, certificates, service packs, DFSR, and other random goo.

Before I get rolling though:

Don’t forget to give to the US Marine Corps Toys for Tots campaign. They distribute new toys to needy children and have been doing it since 1947. Unlike many charitable organizations, the gifts you give to them go right to kids. No monetary donations go to salaries or manpower costs either, so if you give cash you know it’s going to the right place and not to pad some “executive’s” pocket. They usually need more toys for ages 1-3 and 10-14.

You can find a list of toy drop off points here or you can donate cash that they will use to buy toys on your behalf here. Spending ten bucks on a toy at Target will really turn a kid’s Christmas around.

Onward!

Question

Does USMT 4.0 migrate all certificates or just EFS certificates? What about computer certificates? What about from XP? The TechNet docs are kinda vague.

Answer

  • Does USMT 4.0 migrate all user certificates or just the EFS certificate?

USMT 4.0 migrates all user certificates regardless of type. This capability is implemented in the included manifests "capi2_certs-dl.man" and "capi2_certs-repl.man" plus in "crypto_keys-dl.man". For example:

<rules context="User">
  <include>
    <objectSet>
      <pattern type="File">%CSIDL_APPDATA%\Microsoft\SystemCertificates\My\Certificates[*]</pattern>
      <pattern type="File">%CSIDL_APPDATA%\Microsoft\SystemCertificates\Request\Certificates[*]</pattern>
      <pattern type="Registry">HKCU\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\*[*]</pattern>
      <pattern type="Registry">HKCU\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates\*[*]</pattern>
      <pattern type="Registry">HKCU\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\*[*]</pattern>
      <pattern type="Registry">HKCU\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\*[*]</pattern>
    </objectSet>
  </include>
</rules>

These user certs are 100% functional and work fine.

  • Does USMT 4.0 migrate computer certificates?

Yes and no:

  1. Yes, the certificates are partially migrated over.
  2. No, the certificates are not functional.

While the manifests do copy the registry data for computer certificates, the private keys are not copied - this renders those certs useless. Additionally, computer certificates are often based on matching the computer's name - that subject and SAN will not change so the certificates would not chain even if the private key existed. This was not intentional, it’s a bug that was overlooked for a few years as no customers reported it.

Practically speaking, USMT does not migrate computer certificates. New certs must be issued to the new computers, hopefully using autoenrollment.

Note: the certificates snap-in will claim that the computer certs have a private key, but it is wrong. If you use the command:

      CERTUTIL.EXE -VERIFYSTORE MY

... you will see that those certs return error "cannot find the certificate and private key for decryption".

  • Does USMT 4.0 migrate certificates from XP (as USMT 3.01 did not)?

Yes, via manifests "capi2_certs-dl.man" and "crypto_keys-dl.man". There is no need to export certificates or manually decrypt files when running scanstate on Windows XP, unlike with USMT 3.01.

Question

Can DFSR limit the size of file that is replicated by DFSR? For instance, to ignore any files larger than 100MB.

Answer

If the names of the large files are in a predictable format then a filter could be used – i.e. as long as all 100MB files are called “BIG*.*” or “*.BIG” or the like. You can wildcard any form of the name in DFSR file filters. But you cannot filter arbitrarily on size.

Question

Is there a master list of all the specific individual settings that USMT 4.0 migrates by using the CONFIG.XML file?

Answer

Many things can be reverse engineered from examining the included manifests and matching them up with the entries in CONFIG.XML. For example, let’s say I generated a config.xml with /genconfig and I am interested in what “Microsoft-Windows-feclient-DL” is doing.

I would locate that manifest within USMT:

C:\Program Files\Windows AIK\Tools\USMT\amd64\DlManifests
C:\Program Files\Windows AIK\Tools\USMT\amd64\ReplacementManifests

I can use FIND.EXE to do this:

<snipped out a long list>

Aha! It’s implemented in “feclient-dl.man”. Which does all of this:

      <rules context="User">
        <include>
          <objectSet>
            <pattern type="Registry">HKCU\Software\Microsoft\Windows NT\CurrentVersion\EFS\* [*]</pattern>
          </objectSet>
        </include>
      </rules>

      <rules context="System">
        <include>
          <objectSet>
            <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\* [*]</pattern>
          </objectSet>
        </include>
      </rules>

Looks like this copies over your customized EFS settings. Nifty. I better not turn that one off, I reckon.

And yes, having all of these described is on my to-do list. But since there are 350 manifests and various other plug-ins, it will be a while. In the meantime you will be forced to earn that big salary of yours. :)

Question

Is there any way to join a computer to a domain, where the computer account gets created in a specific OU, using PowerShell or another command?

Answer

Yes, when you join a computer to a domain there are a few options to specify account location:

  1. Use NETDOM.EXE JOIN /OU. This tool is included with Win2008/2008 R2/Win7 RSAT/Vista RSAT/Win2003 Support Tools/XP Support Tools.
  2. Use the PowerShell cmdlet “Add-Computer -Domain -OUPath”. This is included with PowerShell 2.0, the version included with Win7/2008 R2 and available as a download for other OSs.
  3. Use DJOIN.EXE PROVISION /MACHINEOU. This tool is included with Win7/2008 R2 and can be used for offline domain joins.
  4. Pre-create computer accounts wherever you want – when a computer with the same name is joined to the domain it will use that computer object (as long as the user doing it has permissions).

Question

When is Windows 7 and Windows Server 2008 R2 SP1 coming out?

Answer

Please stop asking! I really don’t know!!! I am not keeping it a secret!!!! Arrrgghhh!!!!!!111one.

The only public info I have is first half of 2011. And no, I do not know if there is going to be a Win2008 or Vista SP3 either. And if you ask about Win8 I will just laugh.

Question

I have removed SYSTEM permissions to files being replicated by DFSR, but they are still replicating fine. How can this be?

Answer

DFSR does not use permissions to copy files in and out of staging or to replicate, it uses internal backup and restore privileges. That’s because DFSR is using the BackupRead() and BackupWrite() functionality to guarantee it can access those replicated files without issues. The buried treasure is here. And I do mean buried; that’s the only public reference to this anywhere.

You can remove all permissions altogether and not have SYSTEM listed as the file owner and it will continue to work. There’s no way to remove those privileges from SYSTEM via security policy, so you can’t break it either. Even this will replicate fine:

This does not mean that you can delete SYSTEM’s default FULL CONTROL permissions in the DfsrPrivate folder or DFSR database folders though. Doing so will explode DFSR completely and it will stop replicating.

I love when people wonder about stuff working too well. :)

Other random thoughts

So long Ron Santo.

Best email thread seen this week:

Randy (to everyone in North Carolina): “Did anyone take my headset?”
Sean: “I was wondering why Chris was wearing headphones over his headphones today. He said he was trying to get surround sound to work.”
Chris: “Maybe you should include Texas. They might help.”

Our very own Rob Greene celebrated his 5th anniversary as an MS employee yesterday. Congrats Yeti! He did a few tours as a contractor here too, so as usual he’s younger than he looks.

Make sure you have any Amazon Kindles you are buying sent to your office and not your house. Otherwise your wife will see a box sitting on the porch that is shaped like a Kindle, comes from Amazon, has the Kindle logo on it, and pretty much just says “ATTENTION, THIS BOX CONTAINS A KINDLE, SORRY I RUINED CHRISTMAS.” Gah.

One of our long time readers and all around good guy Mark Morowczynski got a job at Microsoft a few weeks back. They must not be working too hard in PFE since he’s already had time to set up a new blog. Wish him well. It’s always interesting to read new employee blogs, you get to see the evolution of someone coming into the fold and learning a ton of new stuff, then sharing it out. I like biographies.

Next week I will be getting frickin’ laser beams shot into my eyes to correct my inferior genetics. When combined with our holiday short staff it may be a while before folks reply to your comments and emails. Take a break, whydoncha? Your family and friends probably miss you.

Hopefully things go well

Until next time.

- Ned “MS Office’s included clipart is the greatest thing in the history of the planet Earth” Pyle

Important DFSR Hotfix for Mixed 2003, 2008 and 2008 R2 Environments

Warren here with a quick announcement for those that are running DFSR environments that have Windows Server 2003 R2 and Windows Server 2008 or Windows Server 2008 R2. Microsoft has released a hotfix that you should install on your Windows Server 2003 R2 DFSR servers to address a protocol interoperability issue with up-level DFSR servers. The hotfix is described in KB 2462352:

DFSR fails from a computer that is running Windows Server 2008 R2 to a computer that is running Windows Server 2003 R2
http://support.microsoft.com/default.aspx?scid=kb;en-US;2462352

Warren Williams

I’m Back

Hello all, Ned here again. I have returned from Christmas and New Years and laser eye surgery. A Friday Mail Sack is in your future.

Thanks Sean, I missed you too

- Ned “call -151 * p” Pyle

RunAs Radio Interview (or: Hear Monkey Boy Speak!)

Hi all, Ned here again. The wonderful folks at RunAs Radio recorded a 30-minute audio interview with yours truly a few weeks ago and it’s now available for streaming and download. RunAs Radio is a weekly Internet audio talk show for MS IT Pros and has been around for almost four years. With nearly 200 broadcasts available as MP3 downloads, they are a great way to use your commute more productively than staring at tail lights.

In the interview I talk about DFSR migrations and other Microsofty stuff. I sound weird and cartoonish, but Richard sounds suave and professional.

Ned “a face for radio” Pyle

Friday Mail Sack: Geek Week Edition

Hey all, Ned here again. Welcome back from Christmas, New Years, etc. Today we talk some BitLocker, SSL, DFS, FRS, MS news, and some geeky goo. Despite us being offline for the past few weeks, we weren’t deluged with new questions – glad you took some time off, you deserved it.

Yoink!

Question

Is it possible to have the Windows 7 machines that have been BitLocker’ed before the AD DS backup was setup automatically check in and store their recovery information? I have seen the two manage-bde commands that are needed but I was wondering if there was a script somewhere that could run at logon or system start up to register all those keys.

Answer

Yes, our sister site AskCore has a sample VBS you can use:

http://blogs.technet.com/b/askcore/archive/2010/04/06/how-to-backup-recovery-information-in-ad-after-bitlocker-is-turned-on-in-windows-7.aspx

Despite the security and AD nature of BitLocker, it is not supported by us in DS – instead, the core operating system team handles it, as they own storage. Punt!

Question

Please summarize the support (or lack thereof) for receiving fragmented SSL/TLS handshake messages by OS version and service pack. Which, if any, service pack(s) of WinXP or Vista supports receipt of fragmented handshake messages? For each OS/version that supports receipt of fragmented handshake messages:

  • What is the size limit for messages fragmented into multiple records?
  • What is the size limit for each certificate in a certificates message?
  • Would a valid 122K byte certificate with 6700 DNS names in the subject Alt Names extension be honored?
  • If not, what are the size and DNS name count limits?
  • Must a fragmented message begin at the beginning of a record?
  • Or can a record contain the last fragment of one handshake message and the first fragment of the next one?

Answer

[From Jonathan, naturally]

Only Windows 7 and Windows Server 2008 R2 have support for SSL record fragmentation, and then only so far as to accept and coalesce fragmented records. This support was introduced in the RTM release, and does not require a service pack update. Previous Windows OS versions do not support SSL record fragmentation of any sort.

Per RFC 2246, message length is an unsigned 24-bit integer, so the maximum message length is 16,777,215 ((1<<24) - 1) bytes.

There is no size limit on a certificate itself, but there is a size limit on each individual extension. On Windows, the size of a certificate extension must not exceed 4096 bytes. For example, 151 25-character DNS name entries, plus the overhead for encoding (~2 bytes per name), comes in at 4,081 bytes, just under the 4KB limit.

Fragmented handshake records are supported (exceptions below), including the following cases:

  1. A 1-byte handshake fragment can be included at the end of a record.
  2. A client receives a 1-byte fragment in a 1-byte record.

The exceptions are:

  1. TLS alerts cannot be fragmented.
  2. The ClientHello must have at least 6 bytes, otherwise there is insufficient information to determine protocol version.
  3. ClientHello must not be fragmented.
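As an added example, not part of the original answer, the Python below hand-encodes a SubjectAltName GeneralNames sequence of dNSName entries in DER and checks it against the 4096-byte per-extension limit; it reproduces the 4,081-byte figure for 151 names of 25 characters and shows that 6700 names is far over. It assumes the limit applies to the GeneralNames encoding itself, not to the OCTET STRING wrapper X.509 puts around it.

```python
"""How big is a SubjectAltName made of dNSName entries?

Constructed example, not code from the original post: a minimal DER encoder
for GeneralNames (dNSName only), used to check the 4096-byte per-extension
figure and the 151 x 25-character example from the answer above.
"""
from typing import Iterable, List

WINDOWS_EXTENSION_LIMIT = 4096              # per-extension limit quoted in the post
TLS_MAX_HANDSHAKE_MESSAGE = (1 << 24) - 1   # RFC 2246: 24-bit handshake length field
DNSNAME_TAG = 0x82     # GeneralName CHOICE alternative [2] dNSName, IMPLICIT IA5String
SEQUENCE_TAG = 0x30


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value triple."""
    return bytes([tag]) + der_length(len(content)) + content


def encode_general_names(dns_names: Iterable[str]) -> bytes:
    """DER of GeneralNames ::= SEQUENCE OF GeneralName, dNSName entries only.

    This is the content of the SAN extension's extnValue; the post's
    4,081-byte figure for 151 names of 25 characters matches this encoding
    exactly. Assumption: the OCTET STRING wrapper that X.509 adds around it
    is not counted against the 4096-byte limit.
    """
    inner = b"".join(der_tlv(DNSNAME_TAG, name.encode("ascii")) for name in dns_names)
    return der_tlv(SEQUENCE_TAG, inner)


def san_size(dns_names: List[str]) -> int:
    return len(encode_general_names(dns_names))


def san_fits(dns_names: List[str], limit: int = WINDOWS_EXTENSION_LIMIT) -> bool:
    return san_size(dns_names) <= limit


def max_names_that_fit(name_len: int, limit: int = WINDOWS_EXTENSION_LIMIT) -> int:
    """How many dNSNames of `name_len` characters fit under `limit`.

    Each entry costs name_len + 2 bytes (tag and short-form length, for names
    under 128 characters), and the outer SEQUENCE header grows from 2 to 4
    bytes once the content passes 255 bytes, so the count is found by trial.
    """
    count = 0
    while san_fits(["a" * name_len] * (count + 1), limit):
        count += 1
    return count


if __name__ == "__main__":
    # Constructed names: "host0000.fabrikam.example" is exactly 25 characters.
    names_151 = [f"host{i:04d}.fabrikam.example" for i in range(151)]
    names_6700 = [f"host{i:04d}.fabrikam.example" for i in range(6700)]
    print("151 x 25-char names:", san_size(names_151), "bytes, fits:", san_fits(names_151))
    print("6700 x 25-char names:", san_size(names_6700), "bytes, fits:", san_fits(names_6700))
    print("max 25-char names under 4096 bytes:", max_names_that_fit(25))
    print("max TLS handshake message length:", TLS_MAX_HANDSHAKE_MESSAGE)
```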

Question

I went to add a new server as a DFS replication partner and noticed that the "Replication Folders" tab now says "Not Published". I then looked at all the replication objects and they also say "Not Published". The strange thing is our namespace is still responding and seems to be conforming to the rules in place. Should I go through and republish all the replication groups to the namespace? What would cause this type of thing to happen?

Answer

First, some background. The attribute msDFSR-Dfspath on that replicated folder in AD is what stores a DFS Namespace path and lets the GUI populate those values. This is on the global DFSR RF “content” object within a given replication group. For example, a replicated folder named “primarybit” that exists in a replication group called “warrenpritest1” in the “Contoso.com” domain would show this:

Often though, no one ever set this value and it is only noticed a long time later – a problem that never was. :) The only way this normally gets set is if you use DFSMGMT.MSC to first create a DFS Namespace, create some links, then get prompted to configure replication (or if you create an RG and then select “share and publish in namespace”). If you just set up DFSR by itself, this field doesn’t get populated. It has no real effect on DFSR, DFSN, or end users – the field exists purely as a convenience to the administrator so that they know that the replication and namespace are related; just a visual thing for DFSMGMT.MSC.

You can edit the attribute manually to be the DFS Link path you want using ADSIEDIT, but I recommend instead using:

DFSRADMIN.EXE RF SET /RFDFSPath <other options>

Once that’s done it will all fill in.

If you want to see when it might have been deleted, you can use:

REPADMIN /SHOWMETA <DN of that content set>

It will show when they were modified.

Question

[After a bit further chatting in the above Q & A]

It turns out that happened exactly when I migrated to 2008 mode in DFS. I wonder if I missed a step or something?

Answer

Ah! So that would be expected – when you “migrate” DFSN between modes you are actually recreating them from scratch. When the namespace is deleted that value is being cleaned out, but never put back – because the DFSN migration tools have no idea about DFSR at all. If you wanted to fix that as part of your migration, you can just add the DFSRADMIN command above to your steps.

Question

I was using FRSDIAG to look at a system. The connstat.txt log file it created is blank. Do you know what can cause this?

Answer

Anything that makes the command NTFRSUTIL.EXE SETS not work normally will cause this; FRSDIAG just calls that command-line tool then parses the NTFRS_SETS.TXT output to make connstat.txt.

In this case it was FRS being in Journal Wrap. Since the NTFRS_SETS.TXT log only showed “DOMAIN SYSTEM VOLUME (SYSVOL SHARE) in state JRNL_WRAP_ERROR... DELETED REPLICA SETS” there was nothing useful to parse.

I’ve also seen it when a server had all of its FRS replica registry settings removed from under the Parameters registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets <-- gone

The service will start up and you will get an FRS event 13516. But then nothing will replicate ever. You will have to use a D2 non-authoritative restore to fix the server.

Geeky Time

Want another way to know when the AskDS blog is updated? You can use the NetworkedBlogs Facebook App. This does not mean that I am going to create a Facebook account for myself. Not doing Twitter either. I got into computers 25 years ago to avoid being social.

On that subject, Mark sent in a link that any self-respecting geek should read: “Wake Up Geek Culture. Time to Die”. It’s written by Patton Oswalt, who is awesome and usually totally NSFW; in this case he kept it mostly PG. Just to prime the pump:

When our coworkers nodded along to Springsteen and Madonna songs at the local Bennigan’s, my select friends and I would quietly trade out-of-context lines from Monty Python sketches—a thieves’ cant, a code language used for identification. We needed it, too, because the essence of our culture—our “escape hatch” culture—would begin to change in 1987.

That was the year the final issue of Watchmen came out, in October. After that, it seemed like everything that was part of my otaku world was out in the open and up for grabs, if only out of context. I wasn’t seeing the hard line between “nerds” and “normals” anymore. It was the last year that a T-shirt or music preference or pastime (Dungeons & Dragons had long since lost its dangerous, Satanic, suicide-inducing street cred) could set you apart from the surface dwellers. Pretty soon, being the only person who was into something didn’t make you outcast; it made you ahead of the curve and someone people were quicker to befriend than shun. Ironically, surface dwellers began repurposing the symbols and phrases and tokens of the erstwhile outcast underground.

Fast-forward to now: Boba Fett’s helmet emblazoned on sleeveless T-shirts worn by gym douches hefting dumbbells. The Glee kids performing the songs from The Rocky Horror Picture Show. And Toad the Wet Sprocket, a band that took its name from a Monty Python riff, joining the permanent soundtrack of a night out at Bennigan’s. Our below-the-topsoil passions have been rudely dug up and displayed in the noonday sun. The Lord of the Rings used to be ours and only ours simply because of the sheer ******* thickness of the books. Twenty years later, the entire cast and crew would be trooping onstage at the Oscars to collect their statuettes, and replicas of the One Ring would be sold as bling.

For the record, I know the last words of Roy Batty too and it sickens me.

Next, the best Kinect hack yet – Ultra Seven!

Definitely watch the whole thing. Hopefully there will be no Ultraman versus Spectreman slap fights in the comments section. Tokusatsu always seems to get people’s blood up.

If you don’t follow IO9 and Rock Paper Shotgun you are not maximizing your egghead quotient. They have started off the year with a few must-reads if you are a sci-fi or PC gaming spaz like myself:

There was plenty of interesting stuff at CES 2011, but the thing that caught my eye was the new Touch Mouse. How exciting can a mouse with no buttons be, right? Watch this video:

Finally, in case you missed it, we are going to start supporting System on a Chip RISC processors in the next version of Windows – specifically ARM. Everything old is new again! According to NVIDIA this is the end of Intel and AMD, but I wouldn’t start throwing away all your x86 motherboards just yet.

Until next time.

Ned “can you at least fry the chicken head?” Pyle

New Directory Services Content 1/2-1/8


Quick update for everyone – there were two articles released last week:

KB - Title

  • 2492852 - SYSVOL Migrations from FRS to DFSR may fail when migrating on Windows Server 2008 SP1
  • 2459083 - Robocopy may report error 1338 "The security descriptor structure is invalid" or error 87 "The parameter is incorrect" when copying data from CIFS file servers.

SP1 and Directory Services: What’s New


Hi all, Ned here again. Back in October I joined the Windows Server 2008 R2 Service Pack 1 beta support team. Our job is to support customers in a special early adopters program. As SP1 draws closer to completion, I’m frequently asked about what changes were added for Directory Services. Today I address some specifics:

  • What does “Support for Managed Service Accounts (MSAs) in secure branch office scenarios” mean, as stated in the SP1 RC release notes?
  • What does “Support for increased volume of authentication traffic on domain controllers connected to high-latency networks” mean, as stated in the SP1 RC release notes?
  • What other updates are included in SP1 for Directory Services?

Remember:

  • SP1 is not released yet so these details may change (it’s very doubtful that the lists below will be altered much). My details are from the release candidate (RC) and are for you to do some planning and thinking.
  • Using the release candidate is not supported in your production networks, but you’re free to test elsewhere.
  • The QFEs listed below are all publicly available, so if you are skimming the list and have an “oh heck, we’re having that issue” moment you can install anytime. Some of these issues are preventable as well, so use your best judgment – an update to prevent NTFS corruption doesn’t fix the damaged files, after all.

Release the Kraken!

The MSA thing

This scenario referenced by the release notes refers to:

You cannot create or delete managed service accounts in a perimeter network in Windows 7 or in Windows Server 2008 R2 - http://support.microsoft.com/kb/978836

In this case you have RODCs in a network that users can directly access, but those same users cannot access writable DCs (a DMZ or oddly configured branch office). After you apply SP1 the RODC will know how to forward the request on to a writable DC for MSA operations.

To fix it, install SP1 (or that hotfix) on all your RODCs.

The authentication thing

This scenario referenced by the release notes refers to:

A time-out error occurs when many NTLM authentication requests are sent from a computer that is running Windows Server 2008 R2, Windows 7, Windows Server 2008, or Windows Vista in a high latency network - http://support.microsoft.com/kb/975363

This one is more complicated. Netlogon has a "throttle" that controls the maximum number of simultaneous calls over a secure channel. On DCs this includes the secure channels of external trusted domains (i.e. not Kerberos forest trusts). On member computers this is to authenticating DCs for intra-forest requests or requests to other domains/forests. On high latency networks with a ton of NTLM authentication, applications could start having issues authenticating, ranging from slow performance to errors. MaxConcurrentAPI controls this through a registry value:

Key path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Value Name: MaxConcurrentApi
Data Type: REG_DWORD

The default value if this registry value name does not exist is 1 if a DC, 2 if a member server, and 1 if a client – it has been since NT 4.0 and that has never changed. Until this update is applied, the maximum value is 10. After the update is installed, the maximum value is 150. Generally speaking, since DCs are authenticating users and most companies are not heavily using local member accounts, it only needs to be set on domain controllers.

For all those folks that got scared when we recommended setting the value to 10 in order to fix your issue, this is the proof that you were being paranoid. :) You will see more DC memory usage when you raise the value, but your alternative is obviously far worse.

This has no effect on Kerberos at all and Kerberos is not restricted in this fashion. If you’re using NTLM unnecessarily (misconfigured app, older version app, crummy app, external trust instead of forest trust, etc.) then getting Kerberos in gear is a much better solution than registry hacking.
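As an added example (not from the original post), this PowerShell script reports the effective MaxConcurrentApi setting on the local machine, using the defaults and caps stated above, and flags a configured value that exceeds what the installed code supports. It assumes the caller knows whether KB975363 or SP1 is installed and passes that in; the Set-MaxConcurrentApi helper and its Netlogon restart are my addition, not a step the post prescribes.

```powershell
# Added example, not from the original post. Audits the Netlogon
# MaxConcurrentApi throttle described above. Assumptions: defaults are
# DC=1, member server=2, client=1; the cap is 10 before KB975363/SP1 and 150
# after, as the post states. Whether the update is present is passed in.

$NetlogonParams = "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"

function Get-MaxConcurrentApiStatus {
    param(
        [switch]$UpdateInstalled   # KB975363 or SP1 applied on this machine
    )

    # Win32_ComputerSystem.DomainRole: 0/1 workstation, 2/3 member or
    # standalone server, 4/5 backup or primary domain controller.
    $role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    if ($role -ge 4)     { $roleName = "DomainController"; $default = 1 }
    elseif ($role -ge 2) { $roleName = "MemberServer";     $default = 2 }
    else                 { $roleName = "Client";           $default = 1 }

    # Missing value means the built-in default applies.
    $item = Get-ItemProperty -Path $NetlogonParams -Name MaxConcurrentApi -ErrorAction SilentlyContinue
    $configured = if ($null -eq $item) { $null } else { [int]$item.MaxConcurrentApi }
    $effective = if ($null -eq $configured) { $default } else { $configured }
    $maxSupported = if ($UpdateInstalled) { 150 } else { 10 }

    New-Object PSObject -Property @{
        Role           = $roleName
        Configured     = $configured
        Effective      = $effective
        MaxSupported   = $maxSupported
        AboveSupported = ($effective -gt $maxSupported)
        # DCs do the authenticating, so that is normally the only place it matters.
        RelevantHere   = ($roleName -eq "DomainController")
    }
}

# Helper to raise the throttle on a DC. Netlogon reads the value at service
# start, so the service is restarted afterwards (assumption: acceptable on
# this DC during the change window).
function Set-MaxConcurrentApi {
    param(
        [Parameter(Mandatory=$true)][ValidateRange(1, 150)][int]$Value
    )
    Set-ItemProperty -Path $NetlogonParams -Name MaxConcurrentApi -Value $Value -Type DWord
    Restart-Service -Name Netlogon
}

Get-MaxConcurrentApiStatus -UpdateInstalled | Format-List Role, Configured, Effective, MaxSupported, AboveSupported, RelevantHere
```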

Other updates

There are 625 public fixes that were rolled into SP1 and they’re all listed here:

Hotfixes and Security Updates included in Windows 7 and Windows 2008 R2 Service Pack 1 Release Candidate.xls

Of these, 84 can be considered “pure” Directory Services updates if you go off the list of what gets supported by the DS team here in Microsoft. Another 48 updates fix things that victimize DS – stuff like networking, file system, SMB, or backups. There are other fixes in SP1 as well. Sometimes issues never get public attention or a QFE would be too expensive or risky; service pack testing is far more comprehensive. I’m not including security updates; you already have those from Windows Update (right?!)

There are some fairly interesting new things here besides the two arbitrary ones in the release notes; I recommend giving these tables a look. For example:

  • 977542 - A hotfix is available to block standard users from logging on to a Window 7-based or Windows Server 2008 R2-based computer in safe mode
  • 979294 - The Dcdiag.exe tool takes a long time to run in Windows Server 2008 R2 and in Windows 7
  • 980254 - The "dsget user -memberof -expand" command returns incorrect results in Windows Server 2008 R2 and in Windows 7
  • 980360 - Update for the AD DS Best Practices Analyzer rules in Windows Server 2008 R2

Pure DS updates

KB Article - KB Title

  • 969851 - Instead of the specified startup program, the whole desktop is started on a remote desktop connection when you change the "Terminal Services Profile" setting for the user account
  • 969867 - FIX: You cannot import or paste some group policies across domains by using the "Group Policy Management" MMC snap-in
  • 970840 - Some settings in Group Policy Preferences for Internet Explorer 7 do not deploy correctly to computers that are running Windows Server 2008 or Windows Vista
  • 971277 - You cannot access an administrative share on a computer that is running Windows Vista or Windows Server 2008 after you set the SrvsvcDefaultShareInfo registry entry to configure the default share permissions for a network share
  • 971338 - The terminal server roaming profile of a user account is not loaded correctly on a terminal server that is running Windows Server 2008 R2 or Windows Server 2008 after the user password is changed during session logon
  • 972069 - A terminal server that is running Windows Server 2008 cannot obtain terminal licenses from a Terminal Server license server that is running Windows Server 2008 after you enable the "License Server Security Group" Group Policy setting
  • 974893 - FIX: An unexpected Failure Audit event is logged for the local credential when you run a .NET Framework 2.0-based application that tries to connect to a remote computer
  • 975142 - You cannot install Active Directory Domain Services on a member server that is running Windows Server 2008 or Windows Server 2008 R2 in a branch office if the DNS and LDAP communication between the branch office and the forest root domain is blocked
  • 975363 - A time-out error occurs when many NTLM authentication requests are sent from a computer that is running Windows Server 2008 R2 or Windows 7 in a high latency network
  • 976398 - LDAP filters in the Group Policy preference settings do not take effect on a computer that is running Windows Server 2008 R2 or Windows 7
  • 976399 - FIX: You cannot apply Group Policy settings on a computer that is running Windows 7 or Windows Server 2008 R2 when security group filters are used in Group Policy preference settings
  • 976424 - Error code when the kpasswd protocol fails after you perform an authoritative restore: "KDC_ERROR_S_PRINCIPAL_UNKNOWN"
  • 976494 - Error 1789 when you use the LookupAccountName function on a computer that is running Windows 7 or Windows Server 2008 R2
  • 976586 - Error in Windows 7 or Windows Server 2008 R2 when unlocking a computer or switching users
  • 976655 - You cannot perform a system state restore in the Directory Service Restore mode on a read-only domain controller that is running Windows Server 2008 R2 if DFS Replication is used to replicate the SYSVOL folder
  • 977180 - Error message when an application or a service tries to query for any deleted objects by using a well-known GUID in a Windows Server 2008 R2-based domain if paged search is used: "0x8007202c Critical extension is unavailable"
  • 977184 - You cannot install Active Directory on an iSCSI boot computer that is running Windows Server 2008 R2
  • 977222 - No private key is associated with a certificate after you successfully install the certificate on a computer that is running Windows 7 or Windows Server 2008 R2
  • 977229 - You are unable to update the target location of offline file shares in the Offline File client side cache without administrative permission in Windows Server 2008 R2 or in Windows 7
  • 977346 - The Welcome screen may be displayed for 30 seconds during the logon process after you set a solid color as the desktop background in Windows 7 or in Windows Server 2008 R2
  • 977353 - A Group Policy Immediate Task preference item does not run on a client computer that is running Windows 7 or Windows Server 2008 R2
  • 977397 - The icon of an offline file that you changed in offline mode always indicates that synchronization is successful even when the synchronization fails on a client computer that is running Windows 7
  • 977542 - A hotfix is available to block standard users from logging on to a Window 7-based or Windows Server 2008 R2-based computer in safe mode
  • 977579 - Error message when you try to open a 3DES encrypted file that is migrated from Windows XP to Windows 7 or to Windows Server 2008 R2: "Access Denied"
  • 977692 - The Lsass.exe process exits unexpectedly on a domain controller that is running Windows Server 2008 R2 after a password is synchronized in Identity Management for UNIX (IDMU)
  • 977695 - The SceCli 1202 events are logged when some Group Policy settings are refreshed in Windows Server 2008 R2 and in Windows 7
  • 977944 - The "Desktop Wallpaper" Group Policy setting is not applied in Windows 7 or in Windows Server 2008 R2
  • 978034 - Active Directory Certificate Services cannot be reinstalled by using the "Use existing private key" option on a computer that is running in Windows Server 2008 R2
  • 978116 - In an MIT realm, user authentication fails after invalid credentials are received on a computer that is running Windows 7 or Windows Server 2008 R2
  • 978387 - FIX: The connectivity test that is run by the Dcdiag.exe tool fails together with error code 0x621
  • 978489 - Logoff process stops responding after you create a logoff Group Policy script on a client computer that is running Windows Vista or Windows Server 2008
  • 978836 - You cannot create or delete managed service accounts in a perimeter network in Windows 7 or in Windows Server 2008 R2
  • 978837 - The Group Policy Management Editor window crashes when you apply some changes for NRPT policy settings
  • 978838 - Error message when you run the "Set-GPPermission" cmdlet or the "Get-GPPermission" cmdlet: ""_ploc" is not a valid security group"
  • 978918 - Error code when an application uses the CredSSP in Windows Server 2008 R2: "0x80090329"
  • 978977 - An exclamation mark (!) may be displayed next to the smartcard reader in Device Manager after you start Windows 7 or Windows Server 2008 R2
  • 979039 - Error message when you view or modify the migrated Group Policy objects in Windows Server 2008 R2: "Attribute cannot be empty"
  • 979214 - The DirSync control search does not return the deactivated linked attributes from a modified object in a Windows Server 2008 R2-based domain
  • 979294 - The Dcdiag.exe tool takes a long time to run in Windows Server 2008 R2 and in Windows 7
  • 979383 - After you apply a WMI filter, the GPO does not take effect on a client computer that is running Windows 7 or Windows Server 2008 R2
  • 979524 - The DFS Replication service crashes randomly in x64-based versions of Windows Server 2008 R2
  • 979548 - You cannot enter an agreement number of a volume license that contains more than seven digits in Remote Desktop Licensing Manager or in TS Licensing Manager
  • 979564 - The DFS Replication Management Pack shows alerts for cluster network names that are in the “healthy” status on a Windows Server 2008 R2 failover cluster
  • 979645 - You cannot use a script to join a computer automatically into a specified OU in a Windows 2000 domain when the computer is running Windows 7 or Windows Server 2008 R2
  • 979646 - Some folders or some files are unexpectedly deleted on the upstream server after you restart the DFS Replication service
  • 979731 - Some Group Policy preferences are not applied successfully on computers that are running Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2
  • 979808 - "Robocopy /B" does not copy the security information such as ACL in Windows 7 and in Windows Server 2008 R2
  • 980027 - A Windows Server 2008 domain controller or a Windows Server 2008 R2 domain controller cannot allocate new ports when Server for NIS is running
  • 980254 - The "dsget user -memberof -expand" command returns incorrect results in Windows Server 2008 R2 and in Windows 7
  • 980360 - Update for the AD DS Best Practices Analyzer rules in Windows Server 2008 R2
  • 980628 - The "Load a specific theme" Group Policy setting is not applied correctly on a computer that is running Windows 7 or Windows Server 2008 R2
  • 980654 - The DFS Replication service stops responding on the downstream server in Windows Server 2008 R2
  • 980909 - "The home folder could not be created" remote desktop error in Windows Server 2008 R2
  • 980933 - The Licensing Diagnosis tool returns a value of “0” for the number of RDS CALs that are available in Windows Server 2008 R2
  • 981054 - The Group Policy preference settings for the "Terminal Session" item-level targeting item are not applied in Windows 7 or in Windows Server 2008 R2
  • 981111 - An update is available for Best Practices Analyzer for the File Services role in x64 editions of Windows Server 2008 R2
  • 981118 - The CryptDecrypt function fails when you try to decrypt encrypted content on a computer that is running Windows 7 or Windows Server 2008 R2
  • 981265 - You cannot create a software installation Group Policy setting on a read-only domain controller in Windows Server 2008 R2
  • 981394 - A computer restarts when multiple Kerberos authentication requests are made at the same time in Windows 7 or in Windows Server 2008 R2
  • 981750 - Error message occurs when you use GPMC to view a software restriction Group Policy setting in Windows 7 and in Windows Server 2008 R2: "An error has occurred while collecting data for Software Restriction Policies"
  • 981844 - Smartcard application cannot read information from some smartcards on a computer that is running Windows 7 or Windows Server 2008 R2
  • 981872 - Access to a redirected folder or a home drive disconnects regularly on a computer that is running Windows Server 2008 R2 and Windows 7
  • 981890 - The user profile is not updated when you configure a client computer that is running Windows 7 or Windows Server 2008 R2 to use roaming user profiles
  • 981936 - Lots of the Event ID 476 events are logged when you use the Ntdsutil.exe tool to create an RODC installation media in Windows Server 2008 or in Windows Server 2008 R2
  • 982606 - The value of the "State" registry item is changed after a Group Policy preferences setting is applied in Windows Server 2008, in Windows Vista or in Windows Server 2008 R2
  • 983402 - The debug symbol file that corresponds to Dsadmin.dll is missing in Active Directory Lightweight Directory Services (AD LDS) for Windows 7
  • 983531 - You experience a significant delay when you try to log on to an Active Directory site from a computer that is running Windows 7 or Windows Server 2008 R2
  • 983544 - The "Modified time" file attribute of a registry hive file is updated when an application loads and then unloads the registry hive file without making any changes on a computer that is running Windows Server 2008 R2 or Windows 7
  • 983551 - Windows 7 or Windows Server 2008 R2 stops responding at the "Please wait" screen before you are requested to press Ctrl+ALT+DEL
  • 983618 - Some Group Policy settings are not displayed in the Group Policy Results report in Windows Server 2008, in Windows Vista, in Windows Server 2008 R2, or in Windows 7
  • 983620 - You cannot access a DFS share through a mapped network drive on a computer that is running Windows 7 or Windows Server 2008 R2
  • 2028960 - The Offline Files Disk Usage Limits settings do not reflect the settings that are defined in the GPO in Windows 7
  • 2028962 - The "Active Directory Users and Computers" MMC snap-in does not list all the accounts that have passwords cached on the RODC in Windows
  • 2028988 - The DFS Namespaces service requires a long time to process a "NetDfsAdd" request when a duplicated DFS link exists in Windows Server 2008 R2
  • 2157973 - The Security event that has Event ID 4625 does not contain the user account name on a computer that is running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2
  • 2171571 - You incorrectly receive an error message when you join a computer that is running Windows 7 or Windows Server 2008 R2 to a Samba 3-based domain
  • 2254754 - You experience a GPO report-generation issue in the GPMC window when you try to generate the report in a localized version of Windows 7 or of Windows Server 2008 R2
  • 2258620 - You cannot find the "Find Now," "Stop," and "Clear All" buttons in the GPMC snap-in on a computer that is running Windows 7 or Windows Server 2008 R2
  • 2274102 - An application that uses DES encryption for Kerberos authentication cannot run on a Windows XP-based client computer in a Windows Server 2008 domain
  • 2275950 - An error occurs when you try to establish SSL connections to the nodes by using the alias name from an LDAPS client computer that is running Windows 7 or Windows Server 2008 R2
  • 2276597 - "LDAP_AUTH_UNKNOWN (0x56)" error code occurs when you call the "ldap_set_option" function in Windows 7 or in Windows Server 2008 R2 if you use the "LDAP_OPT_SASL_METHOD" session option
  • 2284538 - "Apply once and do not reapply" Group Policy setting is never applied after the first GPO deployment fails on a client computer that is running Windows 7 or Windows Server 2008 R2
  • 2285823 - The DFS Namespace service becomes inaccessible if the domain controller that plays the Inter-Site Topology Generator (ISTG) role is down on a Windows Server 2008 R2-based computer
  • 2285835 - An outgoing replication backlog occurs after you convert a read/write replicated folder to a read-only replicated folder in Windows Server 2008 R2

Secondary DS updates

KB Article - KB Title

  • 974674 - Description of the Windows NT Backup Restore Utility for Windows 7 and for Windows Server 2008 R2
  • 975512 - Some SMB clients cannot access cluster file shares but they can access non-cluster file shares that are located on a computer that is running Windows Server 2008 or Windows Server 2008 R2
  • 975680 - Virtual Disk Service (VDS) crashes when you try to extend a dynamic volume in an NTFS file system on a computer that is running Windows Vista, Windows Server 2008, Windows Server 2008 R2, or Windows 7
  • 975688 - A snapshot may become corrupted when the Volume Shadow Copy Service (VSS) snapshot providers take more than 10 seconds to create it on a computer that is running Windows 7 or Windows Server 2008 R2
  • 976099 - VSS snapshot creation may fail after a LUN resynchronization on a computer that is running Windows 7 or Windows Server 2008 R2
  • 976329 - Error message when you run the ChkDsk.exe utility in read-only mode on a Windows-based computer: "The Volume Bitmap is incorrect" or "Error detected in index $I30 for file 5"
  • 976538 - File corruption may occur if you run a program that uses a file system filter driver in Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008
  • 976782 - Text in the General tab of the Windows Backup task in the Task Scheduler Library is not displayed in the localized language in Windows 7 or Windows Server 2008 R2
  • 977015 - You are repeatedly prompted to insert a new disk when you use the Backup and Restore tool in Windows 7 or the Windows Server Backup tool in Windows Server 2008 R2 to back up your files or to create a system image on a recordable Blu-ray disc (BD-R)
  • 977096 - You are unable to diagnose whether a snapshot creation failure is caused by issues in VSS hardware providers running in Windows 7 and in Windows Server 2008 R2
  • 977158 - DNS updates may be incorrectly reported as failed when you use a third-party DNS server application for DNS registration on a computer that is running Windows Server 2008 R2 or Windows 7
  • 977375 - Error message when some file system filter drivers that are transaction-aware are installed on a failover cluster node that is running Windows Server 2008 R2 and that has FSRM installed: "6704 (0x1A30) ERROR_TRANSACTION_ALREADY_ABORTED"
  • 977417 - You are prompted to provide authentication again when you open a new tab or a new window in a SSL Web site in Internet Explorer 8
  • 977977 - RSS network throughput performance decreases on Windows Server 2008 R2-based computers that have more than 32 processors
  • 978000 - Add a fix to improve the logging capabilities of the Storport.sys driver to troubleshoot poor disk I/O performance in Windows Server 2008 R2
  • 978491 - FIX: A server that is running Server Message Block Version 2 does not respond to certain FSCTL_SRV_NOTIFY_TRANSACTION requests from clients that are running Windows Vista or Windows Server 2008
  • 978898 - You cannot access a volume in Windows 7 or in Windows 2008 R2 when the volume is encrypted by a third-party encryption driver
  • 979530 - A Windows Server 2008 R2-based Remote Desktop server denies some connection requests randomly under heavy logon or logoff conditions
  • 979710 - You cannot log off the session for an iSCSI disk or take a disk offline from the Cluster Shared Volumes list in Windows Server 2008 R2 if the disk is an iSCSI disk or a fibre channel disk
  • 979751 - A domain user account that has a blank password cannot be used to authenticate against Microsoft SharePoint Server 2010 or against Windows Live SkyDrive
  • 980082 - Stop error in Win7 and in Win2008 R2 when you run a backup application: "0x0000007E SYSTEM_THREAD_EXCEPTION_NOT_HANDLED"
  • 980259 - The SNMP service does not respond to any SNMP requests after a Group Policy refresh in Windows Vista or in Windows Server 2008
  • 980794 - System state backup error in Windows Server 2008, in Windows Vista, in Windows 7 and in Windows Server 2008 R2: "Enumeration of the files failed"
  • 981166 - Some data is corrupted when cached and noncached I/O operations occur by using the same NTFS file handle
  • 981208 - Poor performance when you transfer many small files on a computer that is running Windows 7 or Windows Server 2008 R2
  • 981506 - "SSL Certificate add failed, Error: 1312" error message when you try to add a CTL in Windows Server 2008 R2 or in Windows 7
  • 981765 - The network performance is not as fast as expected on a computer that has NUMA-based processors and that is running Windows Server 2008 R2 or Windows 7
  • 981836 - Network connectivity for a Windows Server 2003-based Hyper-V virtual machine is lost temporarily in Windows Server 2008 R2
  • 981851 - The backup operation fails and the Wbengine.exe service stops in Windows Server 2008 R2 or in Windows 7 if one of the volumes in the operation does not exists any longer
  • 981983 - Cluster resources do not fail over automatically to other nodes when nodes cannot connect to the rest of a network in a Windows Server 2008 R2 failover cluster
  • 982383 - You encounter a decrease in I/O performance under a heavy disk I/O load on a Windows Server 2008 R2-based or Windows 7-based computer
  • 982502 - You cannot back up a file in Windows Server 2008 R2 or in Windows 7 if the path length is longer than 260 characters
  • 982860 - A computer that is running Windows 7 or Windows Server 2008 R2 takes four minutes to open a Microsoft Office 2003 document from a network share
  • 983426 - Some noncritical volumes are included in the system state backup image when you use the "-allCritical" switch in Windows Server 2008 R2 or in Windows 7
  • 983458 - You cannot save documents to a folder or change the permission settings of folders on a SMB 1.0-based remote server from a Windows-based computer that has security update 980232 (MS10-020) installed
  • 983466 - "A fatal error has occurred." error message when you use Windows Update on a Windows 7 or Windows Server 2008 R2-based computer that has a third-party filter driver installed
  • 983528 - The TCP receive window autotuning feature does not work correctly in Windows Server 2008 R2 or in Windows 7
  • 983633 - You cannot bring a volume online when the Snapshot Protection mode is enabled in Windows Server 2008 R2 or in Windows 7
  • 2028566 - A copy-on-write snapshot may become corrupted in Windows Server 2008 R2 or in Windows 7 if some snapshots that are stored on the same volume are deleted
  • 2028965 - Data corruption when multiple users perform read and write operations to a shared file in the SMB2 environment
  • 2064460 - The "BackupRead" function randomly fails together with error code 58 in Windows Server 2008 R2 or in Windows 7
  • 2155024 - A write operation to a volume is slower than usual in Windows Server 2008 or in Windows 7 after you create a snapshot of the volume
  • 2194664 - You cannot access a remote server that shares files and printers by using the SMB protocol from a computer that is running Windows Server 2008 R2 or Windows 7
  • 2203302 - An RDP connection that uses SSL authentication and CredSSP protocol fails in Windows 7 or in Windows Server 2008 R2
  • 2223005 - The network connection is lost for a Windows Server 2003-based or Windows XP-based virtual machine that is hosted on a computer that is running Windows Server 2008 R2
  • 2253693 - A VSS writer cannot create a snapshot on a computer that is running Windows 7 or Windows Server 2008 R2 if the snapshot set of the VSS writer has no disk volumes
  • 2277439 - The Cluster service stops responding if you run backup applications in parallel in Windows Server 2008 R2
  • 2283445 - The backup process requires significantly more time when you use the Windows Backup utility in Windows 7 if the size of the backup files increases

And the issue you are least likely to hit?

KB980598 - Windows Server 2008 R2 cannot be installed or started on a computer that has 1 TB or more of RAM

Holy Schnike, I wish I had that “problem”…

Until next time.

- Ned “640GB ought to be enough for anybody” Pyle


Can Apple, Linux, and other non-MS operating systems connect to DFS Namespaces?


Hi all, Ned here again. I’ve been asked a few times if other operating systems can utilize DFS Namespaces running on Windows Server. It’s a sticky wicket; as a “voice of Microsoft” my statements carry a lot of weight - deserved or not. It’s not smart or ethical for me to say that something not made by Microsoft works well, works better than something else, or doesn’t work at all. In some cases, lawyers may be summoned from Vhoorl.

With that in mind I am treading lightly. Feel free to discuss further vendor options in the comments area, we have that precedent.

Some background

An OS needs to implement a DFS client to use Namespaces. If the OS doesn’t provide one, you will have to find a third party. It’s one thing to support SMB/CIFS these days – it has become the de facto standard for file servers. But it’s something else to support DFS; this requires new logic and an understanding of the referral process.

Microsoft doesn’t make an out of band DFS client anymore, only the one that comes in Windows itself. Because of the requirement to use DFS in Active Directory (for SYSVOL and group policy processing), we have to guarantee an in-box client exists. We do this through the client redirector and a filtering driver called MUP.SYS. This diagram is a bit out of date but it gives you the gist:

[diagram: the Windows remote file system stack, with MUP.SYS above the redirectors]

Let’s talk about some others.

Apple

The current Mac OS is built on the XNU kernel, which combines Mach with FreeBSD-derived components. OS X implements SMB connectivity, but not through Samba. According to the Apple discussion forums, Apple uses a very old version of FreeBSD smbfs; while it lets you connect to a DFS path starting in 10.5, it does not understand permissions or allow you to access files.

You therefore need to purchase a 3rd party add-on. Apple lists a few on their website, so I consider that their answer and I don’t mind feeding you a search link:

http://www.bing.com/search?q=dfs+site%3Aapple.com%2Fdownloads%2F&form=QBRE&qs=n&sk=&sc=8-29

Make sure you read Apple’s fine print before you try to call them for support:

Apple is providing links to these applications as a courtesy, and makes no representations regarding the applications or any information related thereto. Any questions, complaints or claims regarding the applications must be directed to the appropriate software vendor.

I find a few more that are not listed by Apple:

http://www.bing.com/search?q=DFS+support+for+Mac+&form=QBRE&qs=n&sk=

As far as iOS 4.x native support goes, I found nothing at all. You will need a third party add-on to implement SMB/CIFS on iPad, according to Apple. No word on whether that means DFS too.

Linux

By some people’s definition the Linux kernel does not have a remote file system (or a local file system); it’s all modular goo. In reality, people usually go through a specific distro, and in later kernels CIFS support is becoming standard. In nearly all cases you can use Samba, so I don’t mind pointing you to it:

Interestingly, Samba’s website also points to a number of other CIFS clients, most of which no longer seem to exist (see the bottom of this page):

http://samba.org/samba/download/

There was also smbfs for Linux but it has been discarded and is no longer maintained (perhaps why Apple’s OS behaves as it does; from looking around this client is not being maintained in other OSs either).

Update: One of our awesome readers had some more distro-specific experience to share with us. Thanks Bill!

Red Hat added DFS support to their kernel-level CIFS driver in Red Hat Enterprise Linux version 5.3, though the feature was rather underreported (one of the few search results I found that reported the change was http://www.h-online.com/newsticker/news/item/What-s-new-in-Red-Hat-Enterprise-Linux-5-3-739737.html). Instructions for testing it out are at http://blog.evad.info/2009/02/21/how-to-use-cifs-dfs-in-red-hat-enterprise-linux-53/. Apparently the code was checked in the Linux kernel in version 2.6.25 and is also available in the Ubuntu distribution as of version 8.10. I haven't gone back and tested it in quite a while, but from what I recall, it worked fine with stand-alone DFS namespaces; I never tested it with a domain-based namespace.

Google Chrome and Chromium

Google has not released Chrome OS as of this writing (it slipped to sometime in mid-late 2011). Chromium is an open source project you can build yourself but it is so new and so amorphous I can’t find any statements on its support of DFS or even CIFS/SMB. It’s based on the Linux kernel, so one might assume it could use the in-kernel CIFS client (with whatever DFS support that kernel version carries), or that Samba would be possible. With the coming of Android Honeycomb the future is looking cannibalistic so Chrome may never get the backing it needs to bother with DFS. And with both OSs being marketed in a very consumer-oriented fashion (much like Apple), your calls for DFS may end up falling on deaf ears. Let us know how it pans out.

Until next time,

Ned “it hurts when I do this” Pyle

Friday Mail Sack: The Gang’s All Here Edition


Hi folks, Ned here again with your questions and our answers. This is a pretty long one; looks like everyone is back from vacation, winter storms, and hiding from the boss. Today we talk Kerberos, KCC, SPNs, PKI, USN journaling, DFSR, auditing, NDES, PowerShell, SIDs, RIDs, DFSN, and other random goo.

Rawk!

Question

Is NIC teaming recommended on domain controllers?

Answer

It’s a sticky question – MS does not make a NIC teaming solution, so you are at the mercy of 3rd party vendor software and if there are any issues, we cannot help other than to break the team. So the question you need to answer is “do you trust your NIC vendor support?”

Generally speaking, we are not huge fans of NIC teaming, as we see customers having frequent driver issues and because a DC probably doesn’t need it. If clients are completely consuming 1Gbit or 10Gbit network interfaces, the DC is probably being overloaded with requests. Doubling that network would make things worse; it’s better to add more DCs. And if the DC is also running Exchange, file server, SQL, etc. you are probably talking about an environment without many users or clients.

A failover NIC solution is probably a better option if your vendor supports it. Meaning that the second NIC is only used if the first one burns out and dies, all on the same network. 

Question

We used to manually create SPNs with IP addresses to allow Kerberos without network name resolution. This worked in Windows XP and 2003 but stopped working in later operating systems. Is this expected?

Answer

Yes it is. Starting in Windows Vista and forever more, the OS examines the format of the SPN being requested and if it is only an IP address, Kerberos is not even attempted. There’s no way to override this behavior. If I look at it in practical terms, having manually set an IP Address for SPN:

[screenshot: the computer account’s servicePrincipalName attribute containing an IP address]

Then I actually try mapping a drive here with an IP address (which would have worked in XP in this scenario):

[screenshot: cached ticket list after the mapping, showing no ticket for the share]

No tickets were cached above. And in the network capture below, it’s clear that I am using NTLM:

[screenshots: network capture of the SMB session setup, negotiating NTLM rather than Kerberos]

This is why in this previous post – see the “I want to create a startup script via GPO” and “NTLM is not allowed for computer-to-computer communication” sections – I highly discouraged customers from this sort of hacking. What I didn’t realize when I wrote the old post was that I now have the power to control the future with my mind.

[image: actual MRI of my head, proving that I have an orange (i.e. “futurasmic”) brain]

Question

I see that the DFSR staging folder can be moved, but can the Conflict and Deleted (\dfsrprivate\conflictanddeleted) folder be relocated?  If so, how?

Answer

It cannot be moved or renamed – this was once planned (and there is even an AD attribute that makes one think the location could be specified) but it never happened in the service code. Regardless of what you put in that attribute, DFSR ignores it and creates a C&D folder at the default location.

For example, here I specified a completely different C&D path using ADSIEDIT.MSC before DFSR even created the folder. Once I started the DFSR service, it ignored my setting and created the conflict folder with defaults:

[screenshot: the custom path set in ADSIEDIT.MSC next to the ConflictAndDeleted folder DFSR actually created at the default location]

Question

We are trying to find the best way to issue Active Directory "User" certificates to iPhones and iPads, so these users can authenticate to our third party VPN appliance using their "user" certificate. We were thinking that MS NDES could help us with this. Everything I have read says that NDES is used for non domain "computer or device" enrollment.

Answer

[From Rob Greene, author of previous post iPad / iPhone Certificate Issuance]

Just because the certificate template that is used by NDES must be of type computer does not mean you cannot build a SCEP protocol message to the NDES Server for use by a user account on the iPhone in question.

Keep in mind that the SCEP protocol was designed by Cisco for their network appliances to be able to enroll for certificates online.  Also understand what NDES means - Network Device Enrollment Service.

Realistically there is no reason why you cannot enroll for a certificate via the SCEP interface with NDES and have a user account using the issued certificate.  However, NDES is coded to specifically only allow for enrollment of computer based certificate templates.  If you put a user based template name in the registry for it to issue, it will fail with a not-so-easily deciphered message.

That said, keep in mind that the subject or Subject Alternative Name field identifies the user of the certificate not the template. 

So what you could do is:

  1. Duplicate the computer certificate template.
  2. Then change the subject to “Supply in the Request”
  3. Then give the template a unique name.
  4. Make sure that the NDES account and Administrator have security access to the template for Enroll.
  5. Assign the Template to be issued.
  6. Then you need to assign the template to one of the purposes in the NDES registry (You might want to use the one for both signing and encrypting).  See the blog.

Now you have a certificate with the EKU of Client Authentication and a subject / SAN of the user account, I don’t see why you could not use that for what you need. Not that I have tested this or can test this, mind you…

Question

Is there a “proper” USN Journal setting versus replicated data sizes, etc. on the respective volumes housing DFSR data? I've come across USN journal wrap issues (that properly self heal ... and then occur again a month or so later). I’m hoping to know a happy medium on USN journal sizing versus size of volume or data that resides on that volume.

Answer

I did a quick bit of research - in the history of all MS DFSR support cases, it was necessary to increase the USN journal size for five customers – not exactly a constant need. Our recommendation is not to alter it unless you get multiple 2202 events that can’t be fixed any other way:

Event ID=2202
Severity=Warning
The DFS Replication service has detected an NTFS change journal wrap on volume %2.
A journal wrap can occur for the following reasons:
1.The USN journal on the volume has been truncated. Chkdsk can truncate the
journal if it finds corrupt entries at the end of the journal.
2.The DFS Replication service was not running on this computer for an extended
period of time.
3.The DFS Replication service could not keep up with the rate of file changes
on the volume.
The service has automatically initiated the journal wrap recovery process.

Additional Information:
Volume: %1

Since you are getting multiple 2202 occurrences, I would recommend first figuring out why you are getting the journal wraps. The three reasons listed in the event need to be considered – the first two are avoidable (fix your disk or controller and stop turning the service off) and should be handled without a need to alter the USN journal.

The third one may mean you are not using DFSR as recommended, but that may be unavoidable. In that case, set the USN size value to 1GB and validate that the issue stops occurring. We have no real formula here (remember, only five customers ever), but if you cannot spare another 512MB on the drive you have much more important problems to consider around disk capacity. If still not enough, revisit if DFSR is the right solution for you – the amount of changes occurring would have to be so incredibly rapid that I doubt DFSR could ever realistically keep up and converge. And make sure that nothing else is updating all the files outside of the journal on that drive – there is only one journal and it contains entries for all files, even the ones not being replicated!

Just to answer the inevitable question: you use WMI to increase the USN journal size.

1. Determine the volume in question (USN journals are volume specific) and the GUID for that volume by running the following:

WMIC.EXE /namespace:\\root\Microsoftdfs path DfsrVolumeInfo get VolumePath
WMIC.EXE /namespace:\\root\Microsoftdfs path DfsrVolumeInfo get VolumeGUID

This will return (for example:)

VolumePath
\\.\C:
\\.\E:

VolumeGuid
4649C7A1-82D5-11DA-922B-806E6F6E6963
D1EB0B66-9403-11DA-B12E-0003FFD1390B

2a. Raise the USN Journal Size (for one particular volume):

WMIC /namespace:\\root\microsoftdfs path dfsrvolumeconfig.VolumeGuid="%GUID%" set minntfsjournalsizeinmb=%MB SIZE%

where you replace '%GUID%' with the volume GUID and '%MB SIZE%' with a larger USN size in MB. For example:

WMIC /namespace:\\root\microsoftdfs path dfsrvolumeconfig.VolumeGuid="D1EB0B66-9403-11DA-B12E-0003FFD1390B" set minntfsjournalsizeinmb=1024

This will return 'Property Update Successful' for that GUID.

2B. Raise the USN Journal Size (for all volumes)

WMIC /namespace:\\root\microsoftdfs path dfsrvolumeconfig set minntfsjournalsizeinmb=%MB SIZE%

This will return 'Property Update Successful' for ALL the volumes.

3. Restart server for new journal size to take effect in NTFS.
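Here is the same procedure as an added PowerShell example (it is not code from the original post). It wraps the WMIC steps above and adds the checks you would want before touching the journal: it lists each DFSR volume with its current minimum, counts recent 2202 (wrap) and 2204 (loss) events so you can tell whether you are really hitting reason three, refuses to grow the journal on a volume that cannot spare the space, and only then commits the new minimum. It assumes Windows Server 2008 R2 with DFSR installed and an elevated session on the DFSR member; the volume GUID in the usage lines is the sample value from the WMIC output above.

```powershell
# Added example; not code from the original post. Assumes Windows Server 2008 R2
# with DFSR installed, run elevated on the DFSR member.
$DfsrNamespace = 'root\MicrosoftDfs'

function Get-DfsrVolumeJournalState {
    # One row per DFSR-managed volume: path, GUID and the configured minimum journal size.
    $info = Get-WmiObject -Namespace $DfsrNamespace -Class DfsrVolumeInfo
    $cfg  = Get-WmiObject -Namespace $DfsrNamespace -Class DfsrVolumeConfig
    foreach ($v in $info) {
        $c = $cfg | Where-Object { $_.VolumeGuid -eq $v.VolumeGuid }
        New-Object PSObject -Property @{
            VolumePath   = $v.VolumePath
            VolumeGuid   = $v.VolumeGuid
            MinJournalMB = $c.MinNtfsJournalSizeInMb
        }
    }
}

function Get-DfsrJournalEventCount {
    # 2202 = journal wrap (DFSR recovers on its own); 2204 = journal loss (disk problem).
    param([int]$Days = 30)
    $filter = @{ LogName = 'DFS Replication'; Id = 2202, 2204; StartTime = (Get-Date).AddDays(-$Days) }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    foreach ($g in ($events | Group-Object Id)) {
        New-Object PSObject -Property @{ EventId = [int]$g.Name; Count = $g.Count }
    }
}

function Set-DfsrMinJournalSize {
    param([Parameter(Mandatory=$true)][string]$VolumeGuid,
          [int]$SizeMB = 1024)
    $c = Get-WmiObject -Namespace $DfsrNamespace -Class DfsrVolumeConfig -Filter "VolumeGuid='$VolumeGuid'"
    if (-not $c) { throw "No DFSR volume configuration found for GUID $VolumeGuid" }
    if ($c.MinNtfsJournalSizeInMb -ge $SizeMB) {
        Write-Warning "Minimum journal size is already $($c.MinNtfsJournalSizeInMb) MB; nothing changed."
        return $false
    }
    # The journal lives on the volume itself, so make sure the growth fits before committing.
    $v = Get-WmiObject -Namespace $DfsrNamespace -Class DfsrVolumeInfo -Filter "VolumeGuid='$VolumeGuid'"
    $drive = $v.VolumePath -replace '^\\\\\.\\', ''            # "\\.\E:" -> "E:"
    $disk  = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$drive'"
    $growthBytes = ($SizeMB - $c.MinNtfsJournalSizeInMb) * 1MB
    if ($disk -and $disk.FreeSpace -lt ($growthBytes * 2)) {
        throw "Only $([math]::Round($disk.FreeSpace / 1MB)) MB free on $drive; fix capacity before growing the journal."
    }
    $c.MinNtfsJournalSizeInMb = $SizeMB
    $null = $c.Put()    # commits to the DFSR config; NTFS applies it after a reboot
    Write-Host "Minimum journal size on $drive ($VolumeGuid) set to $SizeMB MB. Reboot required."
    return $true
}

# Usage:
# Get-DfsrVolumeJournalState | Format-Table VolumePath, VolumeGuid, MinJournalMB -AutoSize
# Get-DfsrJournalEventCount -Days 30
# Set-DfsrMinJournalSize -VolumeGuid 'D1EB0B66-9403-11DA-B12E-0003FFD1390B' -SizeMB 1024
```

Run the first two commands on every member that logs 2202s before you run the third. If the count of 2204 events is non-zero you have a journal loss, not a wrap, and a bigger journal will not help (see the later question in this mail sack).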

Question

There is a list of DFS Namespace events for Server 2000 at http://support.microsoft.com/kb/315919. I was wondering if there is a similar list of Windows 2008 DFS Event Log Messages?

Answer

That event logging system in KB315919 exists only in Win2000 – Win2003 and later OSs don’t have it anymore. That KB is a bit misleading also: these events will never write unless you enable them through registry settings.

Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\MicroSoft\Windows NT\CurrentVersion\Diagnostics
Value name: RunDiagnosticLoggingDfs 
Value type: REG_DWORD
Value data: 0 (default: no logging), 2 (verbose logging)

Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dfs
Value name: DfsSvcVerbose
Value type: REG_DWORD
Value data: Any one of the below three values:
0 (no debug output)
1 standard debug output
0x80000000 (standard debug output plus additional Dfs volume call info)

Value name: IDfsVolInfoLevel
Value type: REG_DWORD
Value data: Any combination of the following 3 flags:
0x00000001 Error
0x00000002 Warning
0x00000004 Trace

Dave and I scratched our heads and in our personal history of supporting DFSN, neither of us recalled ever turning this on or using those events for anything useful. Not that it matters now, Windows 2000 is as dead as fried chicken.

Question

We currently have inherited auditing settings on a lot of files and folders that live on our two main DFSR servers. The short story is that before the migration to DFSR, the audit settings were apparently added by someone to the majority of the files/folders. This was replicated by DFSR and now is set on both servers. Thankfully we do not have any audit policies turned on for those servers currently.

That is where the question comes in: there may be a time in the relatively near future that we will want to enable some auditing for a subset of files/folders. Any suggestions on how we could remove a lot of the audit entries on these servers, without forcing nearly every file to get processed by DFSR?

Answer

Nope, it’s going to cause an unavoidable backlog as DFSR reconciles all the security changes you just made – the audit security is part of the file just like the discretionary security. Don’t do that until you have a nice big change control window open. Maybe just do some folders at a time.

In the future, using Global Object Access Auditing would be an option (if you have Win2008 R2 on all DFSR servers). Since the audit policy is held and applied by LSA and not stamped directly on the files, DFSR won’t replicate anything – the files are never actually changed. It’s slick:

[screenshots: the Global Object Access Auditing file system policy and its resulting audit entries]

http://technet.microsoft.com/en-us/library/dd772630(WS.10).aspx

In theory, you could get rid of the auditing in place currently and just use GOAA someday when you need it. It’s the future of file auditing, in my opinion; using direct SACLs on files should be discouraged forever more.
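As an added example (not code from the original post), the following enables Global Object Access Auditing for the file system from PowerShell and then checks the claim that matters for DFSR: the file’s own SACL is the same before and after, so there is nothing for DFSR to replicate. It assumes Windows Server 2008 R2 or later, an elevated session, and that the sample path points at a file inside a replicated folder; the path and the audited principal are made up.

```powershell
# Added example; not code from the original post. Assumes Windows Server 2008 R2
# or later, run elevated. The sample path and principal are assumptions.

function Enable-FileSystemGoaa {
    param([string]$Principal = 'Everyone',
          [string]$AccessMask = 'FW')     # audit writes; 'FA' would audit all file access
    # GOAA produces nothing unless the File System subcategory itself is on.
    auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed (exit $LASTEXITCODE)" }
    # The global SACL is stored in LSA policy, not on any file or folder.
    auditpol /resourceSACL /set /type:File /user:$Principal /success /failure /access:$AccessMask | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /resourceSACL failed (exit $LASTEXITCODE)" }
    auditpol /resourceSACL /view /type:File
}

function Get-ExplicitAuditEntries {
    param([Parameter(Mandatory=$true)][string]$Path)
    # Only audit ACEs stamped directly on the object; these are what DFSR would replicate.
    @((Get-Acl -Path $Path -Audit).Audit | Where-Object { -not $_.IsInherited })
}

function Test-GoaaLeavesSaclAlone {
    param([Parameter(Mandatory=$true)][string]$Path)
    $before = Get-ExplicitAuditEntries -Path $Path
    Enable-FileSystemGoaa | Out-Null
    $after  = Get-ExplicitAuditEntries -Path $Path
    return ($before.Count -eq $after.Count)
}

# Usage (assumed path inside a replicated folder):
# Test-GoaaLeavesSaclAlone -Path 'E:\Data\Finance\budget.xlsx'    # True: no SACL written, nothing to replicate
```

The resulting access events land in the Security log as 4663 like any other file system audit; the difference is purely where the policy lives, which is the whole point for DFSR.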

Question

Does the SID for an object have to be unique across the entire forest? It is pretty clear from existing documentation that the SID does have to be unique within a domain because of the way the RID Master distributes RID pools to the DCs. Does the RID Master in the Forest Root domain actually keep track of all the unique base SIDs of all domains to ensure that there is no accidental duplication of the unique base domain SIDs?

Answer

A SID will be unique within a forest, as each domain has a unique base SID that combines with a RID. That’s why there’s a RID master per domain. There is no reasonable way for the domain SIDs to ever be duplicated by Windows, although I have seen some third party products that made it happen. All hell broke loose; we don’t plan for the impossible. :) Even if you use ADMT to migrate users with SID History within a forest, it will not be duplicated as the migration will always destroy the old user when it is “moved”.

The RID Masters don’t talk to each other within the forest (any more than they would between different forests, where a duplicate SID would cause just as many problems when you tried to create a trust). The domain identifier is a random 96-bit value (the three 32-bit sub-authorities X-Y-Z in S-1-5-21-X-Y-Z, generated when the domain is created), so there is no reasonable way it could be duplicated by accident in the same environment. It comes down to us relying on the odds of two domains that know of each other ending up with the same SID through pure random chance – highly unlikely math.

You’ll also find no mention of inter-RID master needs or error messages communication here:

http://msdn.microsoft.com/en-us/library/cc223751(PROT.13).aspx
http://technet.microsoft.com/en-us/library/cc756394(WS.10).aspx
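Since nothing in AD enforces domain SID uniqueness across domains (the RID masters never compare notes), here is an added example (not code from the original post) that does the check for you, and pulls a SID apart so you can see where the per-domain identifier ends and the RID begins. It assumes the Active Directory PowerShell module and read access to every domain in the forest; the SID in the usage line is a made-up value.

```powershell
# Added example; not code from the original post. Assumes the ActiveDirectory module
# and read access to every domain in the forest.
Import-Module ActiveDirectory

function Get-ForestDomainSids {
    # One row per domain: DNS name and the domain SID (S-1-5-21-X-Y-Z) its RIDs hang off.
    foreach ($name in (Get-ADForest).Domains) {
        $dom = Get-ADDomain -Identity $name
        New-Object PSObject -Property @{ Domain = $dom.DNSRoot; Sid = $dom.DomainSID.Value }
    }
}

function Test-ForestDomainSidUniqueness {
    # Nothing in AD enforces this across domains, so check it yourself, especially
    # where third-party migration or cloning tools have been involved.
    $dupes = Get-ForestDomainSids | Group-Object Sid | Where-Object { $_.Count -gt 1 }
    foreach ($g in $dupes) {
        $names = ($g.Group | ForEach-Object { $_.Domain }) -join ', '
        Write-Warning "Duplicate domain SID $($g.Name) shared by: $names"
    }
    return (-not $dupes)
}

function Split-NtSid {
    param([Parameter(Mandatory=$true)][string]$Sid)
    # S-1-5-21-A-B-C[-RID]: A, B and C are the three 32-bit sub-authorities that
    # identify the domain; the optional trailing value is the RID handed out from
    # the RID master's pool.
    $parts = $Sid -split '-'
    if ($parts[0] -ne 'S' -or $parts[2] -ne '5' -or $parts[3] -ne '21' -or $parts.Count -lt 7) {
        throw "Not a domain-style SID: $Sid"
    }
    New-Object PSObject -Property @{
        DomainIdentifier = ($parts[4..6] -join '-')
        Rid              = $(if ($parts.Count -ge 8) { [int]$parts[7] } else { $null })
    }
}

# Usage:
# Get-ForestDomainSids | Format-Table Domain, Sid -AutoSize
# Test-ForestDomainSidUniqueness                                  # True when every domain SID is distinct
# Split-NtSid 'S-1-5-21-1004336348-1177238915-682003330-512'      # RID 512 is Domain Admins in that domain
```

If the uniqueness test ever returns False, stop and involve whoever ran the migration tool before creating trusts or moving objects; the page’s “all hell broke loose” is not an exaggeration.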

Question

I have this message in a health report:

“A USN journal loss occurred 2 times in the past 7 days on E:. DFS Replication monitors the USN journal to detect changes made to the replicated folder. Although DFS Replication automatically recovers from this problem, replication stops temporarily for replicated folders stored on this volume. Repeated journal loss usually indicates disk issues. Event ID: 2204”

Is this how the health report indicates a journal wrap or can I take “loss” literally ?

Answer

Ouch. That’s not a wrap, the journal was deleted or irrevocably damaged. I have never actually seen that event in the field, only in a test lab where I deleted my journal intentionally (using the nasty command: FSUTIL.EXE USN DELETEJOURNAL). I would suspect either a failing disk or 3rd party disk management software. It’s CHKDSK and disk diagnostic time for you.

The net recovery process for event 2204 is similar to a wrap; the journal gets recreated, then repopulated like a wrap recovery (it uses the same code). You get event 2206 to know that it’s fixed.

Question

How come there is no “Set-SPN” cmdlet in AD PowerShell?

Answer

Ahh, but there is… sort of. We hide service principal name maintenance off in the Set-ADUser, Set-ADComputer, and Set-ADServiceAccount cmdlets.

-ServicePrincipalNames <hashtable>
Specifies the service principal names for the account. This parameter sets the ServicePrincipalNames property of the account. The LDAP display name (ldapDisplayName) for this property is servicePrincipalName. This parameter uses the following syntax to add, remove, replace or clear service principal name values.
    Syntax:
    To add values:
      -ServicePrincipalNames @{Add=value1,value2,...}
    To remove values:
      -ServicePrincipalNames @{Remove=value3,value4,...}
    To replace values:
      -ServicePrincipalNames @{Replace=value1,value2,...}
    To clear all values:
      -ServicePrincipalNames $null

You can specify more than one change by using a list separated by semicolons. For example, use the following syntax to add and remove service principal names.
   @{Add=value1,value2,...; Remove=value3,value4,...}

The operators will be applied in the following sequence:
..Remove
..Add
..Replace

The following example shows how to add and remove service principal names.
   -ServicePrincipalNames @{Add="SQLservice/accounting.corp.contoso.com:1456"; Remove="SQLservice/finance.corp.contoso.com:1456"}

We do not have any special handling to retrieve SPNs using Get-AdComputer or Get-Aduser (nor any other attributes – they treat all as generic properties). For example:

get-adcomputer name -properties serviceprincipalnames | select-object -expand serviceprincipalnames

[screenshot: the expanded list of SPNs returned for the computer account]

I used select-object -expand because when you get a really long returned list, PowerShell likes to start truncating the readable output. Also, when I don’t know which cmdlets support which things, I sometimes cheat and use educated guesses:

[screenshot: get-command output listing the AD cmdlets that accept -ServicePrincipalNames]
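Pulling the two SPN answers together, here is an added example (not code from the original post) of registering an SPN the safe way: it rejects an SPN whose host part is an IP address (the earlier answer shows why: Vista and later will not even try Kerberos for those), refuses to create a duplicate anywhere in the forest, adds the value with the hashtable syntax above, and reads it back through the generic -Properties path with the multi-valued attribute expanded. It assumes the Active Directory module from RSAT and an account allowed to write servicePrincipalName; the computer and SPN names in the usage lines are made up.

```powershell
# Added example; not code from the original post. Assumes the ActiveDirectory
# module (RSAT / Windows Server 2008 R2) and write access to servicePrincipalName.
Import-Module ActiveDirectory

function Test-SpnSyntax {
    param([Parameter(Mandatory=$true)][string]$Spn)
    # serviceclass/host[:port][/servicename]; the host must be a name, because
    # Vista and later will not even try Kerberos when the host part is an IP address.
    if ($Spn -notmatch '^[^/]+/([^/:]+)(:\d+)?(/.+)?$') { return $false }
    $hostPart = $Matches[1]
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($hostPart, [ref]$ip)) { return $false }
    return $true
}

function Find-SpnOwner {
    param([Parameter(Mandatory=$true)][string]$Spn)
    # Query a global catalog so a duplicate in any domain of the forest is found;
    # two accounts holding the same SPN leave the KDC unable to pick the right key,
    # and authentication to that service fails.
    $gc  = (Get-ADForest).GlobalCatalogs | Select-Object -First 1
    $esc = $Spn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    Get-ADObject -LDAPFilter "(servicePrincipalName=$esc)" -Server "${gc}:3268" -Properties servicePrincipalName
}

function Add-SpnChecked {
    param([Parameter(Mandatory=$true)][string]$ComputerName,
          [Parameter(Mandatory=$true)][string]$Spn)
    if (-not (Test-SpnSyntax -Spn $Spn)) {
        throw "Refusing '$Spn': malformed, or the host is an IP address so Kerberos would never be used."
    }
    $owner = Find-SpnOwner -Spn $Spn
    if ($owner) {
        throw "'$Spn' is already registered on $($owner.DistinguishedName); not creating a duplicate."
    }
    # Add and Remove may share one hashtable; Remove is processed before Add.
    Set-ADComputer -Identity $ComputerName -ServicePrincipalNames @{ Add = $Spn }
    # Read back through the generic -Properties path and expand the multi-valued attribute.
    Get-ADComputer -Identity $ComputerName -Properties servicePrincipalName |
        Select-Object -ExpandProperty servicePrincipalName
}

# Usage (names are made up):
# Add-SpnChecked -ComputerName 'SQL01' -Spn 'MSSQLSvc/sql01.corp.contoso.com:1433'
# Add-SpnChecked -ComputerName 'SQL01' -Spn 'MSSQLSvc/10.0.0.25:1433'   # throws: IP-address host
```

The forest-wide lookup is the part people skip; a duplicate SPN in another domain is just as fatal as one in your own, and the error you get back from the service rarely says so.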

Question

I have posted a TechNet forum question around the frequency of KCC nomination and rebuilding and I was hoping you could reply to it.

“…He had made an update to the Active Directory Schema and as a safety-net had switched off one of our domain controllers whilst he did it. The DC (2008 R2) that was switched off was at the time acting as the automatically determined bridgehead server for the site.

Obviously the next thing that has to happen is for the KCC to run, discover the bridgehead server is still offline and re-nominate. My colleague thinks that this re-nomination should take upto 2 hours to happen. However all the documentation I can find suggests that this should be every 15 minutes. His argument is that it is a process of sampling, that it realises the problem every 15 minutes but can take upto 2 hours to actually action the change of bridgehead.

Can anyone tell me which of us is right please and if we could have a problem?”

Answer

We are running an exchange program between MS Support and MS Premier Field Engineering and our current guest is AD topology guru Keith Brewer. He replied in exhaustive detail here:

http://social.technet.microsoft.com/Forums/en/winserverDS/thread/0d10914f-c44c-425a-8344-3dfbac3ed955

Attaboy Keith, now you’re doing it our way – when in doubt, use overwhelming force.

Other random goo

  • If you’re going to jailbreak phones, do it with Microsoft – you get a free handset and t-shirt instead of a subpoena.

  • The 2011 CES Innovation Honoree awards are out. Holy crap, the Digital Storm Online gaming rig is nom nom nom. I also want the Recon goggles for no legitimate reason.

  • SlingBox and Win7 Phone have had a beautiful baby.

  • It’s utterly impossible, but Duke Nukem Forever comes out May 3rd. Trailer is not SFW, as you would expect.


Unless it doesn’t.


  • Star Wars on Blu-ray coming in September, now up for pre-order. Damn, I guess I have to get Blu-ray. Hopefully Lucas uses the opportunity to remove all midichlorian references.

  • The 6 Most Insane Cities Ever Planned. This is from Cracked, so as usual… somewhat NSFW due to swearing.

  • Not sure which sci-fi apocalypse is right for you? Use this handy chart.

  • It was an interesting week for Artificial Intelligence and gaming, between Starcraft and Jeopardy.

Until next time.

Ned “and return to Han shooting first!” Pyle

The Windows Server division wants your feedback


Ned here. The Windows Server division is looking for your feedback. A snippet from their post:

From our research we have identified 5 areas where our customers have expressed increased concerns:

  • Enabling an increasingly mobile workforce
  • Working within the constraints of tightening IT budgets
  • Disaster recovery and data backup planning
  • Providing secure and highly available server operating systems
  • Reducing hardware costs and providing more, easily managed, services

We want to help you solve these challenges, but first we want to know if you agree with our initial findings. Over the next several months we will be collecting your feedback and proposing solutions to help solve these challenges. We will also highlight other ideas and solutions that are geared towards helping those managing Branch and Mid-Market IT infrastructures.

Get over there and tell them your field experiences:

Need Feedback on Microsoft Technologies for Branch and Mid-Market IT

If you don’t give them info, you don’t get to complain. :)

- Ned “go Bears!” Pyle

Using ABE with DFS


Hello, Dave here. Today I discuss the Access Based Enumeration (ABE) feature in Windows Server and how it may be implemented with Distributed File System Namespaces (DFSN).

First you may ask, "What is ABE, and why would I want to utilize it?" By default, all folders and files will be listed in a folder, even if the browsing user doesn't have permissions to them. For example, three users (Alice, Bob, and Cindy) have folders under a share on file server ‘FS1’.

Each user's folder has permissions such that only the single user has access (icacls.exe output below):

\\fs1\share\Alice CONTOSO\Alice:(OI)(CI)F
\\fs1\share\Bob CONTOSO\bob:(OI)(CI)R
\\fs1\share\Cindy CONTOSO\Cindy:(OI)(CI)R

The following is what user “Bob” observes when browsing the UNC path \\fs1\share:

[screenshot: Bob’s view of \\fs1\share without ABE, listing the Alice, Bob and Cindy folders]

If a user attempts to open another user's folder or file within that folder, they will be met with an error as they do not have sufficient permissions. Administrators may not desire this user experience, as it may generate helpdesk calls or confuse users.

ABE is Windows Server feature which causes the server to display only the files and folders that a user has permissions to access. Once ABE is enabled on the share mentioned above, users will only see those folders for which they have access. Below is Bob's view of the share's contents, now with ABE enabled:

[screenshot: Bob’s view of \\fs1\share with ABE enabled, listing only the Bob folder]

ABE is enabled for non-DFS shares via the "Share and Storage Management" snap-in. You may be asking if this feature may be utilized by DFS Namespaces as well. Yes it can!

ABE in DFSN has matured considerably since its original implementation in Windows Server 2003. Back then, you had to install a separate add-on component to expose the necessary UI to configure ABE on a shared folder. Then, you had to follow KB article 907458 in order to make it functional within a DFS namespace. Further complications arose from having to utilize cacls.exe on each namespace server to set link permissions and having to repeat the operation should the namespace be modified in various ways. To say the least, there was significant management overhead.

Fortunately, Windows Server 2008 and 2008 R2 support ABE in DFSN natively. It may be utilized on a domain-based or standalone namespace such that users will only see DFSN folders for which they have permissions. NOTE: ABE requires the namespace to be in "Windows Server 2008 Mode". If you have existing namespaces that are in "Windows 2000 Server mode" (view the properties of a namespace in the DFS Management snap-in), you will need to convert them to 2008 mode. To do so, please follow the information available here.

As an example, the namespace “ns1” was created and contains DFSN folders for the three user folders discussed previously.

[screenshot: the ns1 namespace in DFS Management with the Alice, Bob and Cindy folders]

The DFSN folder “Bob” is configured with the target \\fs1\share\bob, as seen below:

[screenshot: the Bob DFS folder’s target, \\fs1\share\bob]

By default ABE is not enabled on the namespace, and users are able to see all DFS folders within it. When Bob browses the namespace via the path \\contoso.com\ns1, he will see the three DFS folders defined above: Alice, Bob, and Cindy. By enabling ABE on the namespace, the DFSN service of all namespace servers will automatically enable ABE on their local namespace share and enforce the configured permissions of reparse folders automatically. You will not be burdened with having to run cacls.exe manually on each namespace server.

The commands utilized to enable ABE and set the required permissions are as follows:

dfsutil property abde enable \\contoso.com\ns1
dfsutil property acl grant \\contoso.com\ns1\alice contoso\alice:F protect
dfsutil property acl grant \\contoso.com\ns1\bob contoso\bob:F protect
dfsutil property acl grant \\contoso.com\ns1\cindy contoso\cindy:F protect

Note: The 'protect' parameter is important as the reparse folders underneath the namespace shared folder will inherit permissions by default and typically not restrict access to the DFSN folders. Also, the “abde” parameter was changed to “abe” in the 2008 R2 and Windows 7 version of dfsutil.

With a Windows 7 client or a 2008 R2 server running RSAT, enabling ABE and setting permissions may be directly performed via the DFS Management MMC. Simply open the properties of a specific DFS folder in the namespace and click the ‘advanced’ tab:

[screenshot: the Advanced tab of a DFS folder’s properties in DFS Management, where ABE permissions are set]

Bob would have the following view of the “NS1” namespace after ABE is enabled and appropriate permissions are set:

[screenshot: Bob’s view of \\contoso.com\ns1 with ABE enabled, showing only the Bob folder]

In the end, the permissions configured within the namespace ultimately end up on the special reparse folders found within the namespace server's share. It is the enumeration of these reparse folders which dictates if a DFSN folder is observable by a user as they browse through the namespace.

One final note: Administrators have requested if it is possible to enable ABE on a mixture of 2003 and 2008/2008R2 servers using the method detailed in KB 907458. The answer is no--this is not supported. Because 2008 is "ABE-aware", each time that the DFSN service is restarted on a 2008 server, the reparse folders are processed. Any special permission which may have been previously configured (such as via cacls.exe) will be lost.
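As an added example (not code from the original post), the following runs the dfsutil steps above in a loop and then checks the thing that actually decides what a user sees: the DACL on each reparse folder under a namespace server’s root share. It flags any reparse folder that still inherits from the root share (the case the 'protect' keyword exists to prevent), any broad Allow entry such as Everyone or Authenticated Users, and any folder missing the Allow entry for its intended user. The namespace name, the folder-to-principal map, and the namespace server’s root share path are assumptions; the 2008 R2 spelling "abe" is used.

```powershell
# Added example; not code from the original post. Namespace, folder/principal map
# and the namespace server's local root share path are assumptions.
$Namespace      = '\\contoso.com\ns1'
$FolderAcl      = @{ alice = 'contoso\alice'; bob = 'contoso\bob'; cindy = 'contoso\cindy' }
$NsRootOnServer = '\\ns-srv1\ns1'   # a namespace server's own root share, where the reparse folders live

function Set-DfsnFolderAbeAcl {
    # Windows Server 2008 R2 / Windows 7 dfsutil spells the property "abe"; RTM 2008 used "abde".
    dfsutil property abe enable $Namespace | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "could not enable ABE on $Namespace (exit $LASTEXITCODE)" }
    foreach ($f in $FolderAcl.Keys) {
        # 'protect' breaks inheritance so the reparse folder does not fall back to the root share's ACL.
        dfsutil property acl grant "$Namespace\$f" "$($FolderAcl[$f]):F" protect | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "dfsutil acl grant failed on $f (exit $LASTEXITCODE)" }
    }
}

function Test-DfsnReparseFolderAcl {
    param([string]$Root = $NsRootOnServer)
    $broadGroups = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    foreach ($f in $FolderAcl.Keys) {
        $acl = Get-Acl -Path (Join-Path $Root $f)
        $problems = @()
        if (-not $acl.AreAccessRulesProtected) { $problems += 'inherits from the namespace root share' }
        $broad = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $broadGroups -contains $_.IdentityReference.Value
        }
        if ($broad) {
            $problems += 'broad Allow for ' + (($broad | ForEach-Object { $_.IdentityReference.Value }) -join ', ')
        }
        $expected = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -ieq $FolderAcl[$f]
        }
        if (-not $expected) { $problems += "no Allow entry for $($FolderAcl[$f])" }
        New-Object PSObject -Property @{
            Folder   = $f
            Ok       = ($problems.Count -eq 0)
            Problems = ($problems -join '; ')
        }
    }
}

# Usage:
# Set-DfsnFolderAbeAcl
# Test-DfsnReparseFolderAcl | Format-Table Folder, Ok, Problems -AutoSize
```

Run the test against every namespace server, not just one; as the note above says, each server reprocesses its reparse folders when the DFSN service restarts, so a server that was configured by hand will not stay in step with the namespace.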

I hope the information is helpful as you consider implementation of ABE on a DFS namespace. Happy DFSN'ing!

Dave “Honest ABE” Fisher

AGPM Production GPOs (under the hood)


Hello, Sean here. I’m a Directory Services engineer with Enterprise Platforms Support in Charlotte. Today, I’d like to talk about the inner workings of Advanced Group Policy Management (AGPM). Let’s begin by discovering what occurs behind the scenes when you take control of a Production GPO using AGPM.

The term “Production GPO” is used frequently in AGPM documentation to describe an existing GPO in Active Directory and differentiate between it and the copy that AGPM stores in the Archive to allow for “Offline Editing”.

For those new to AGPM, it provides many features to help you better manage Group Policy Objects in your environment. Role-based administration allows you to delegate certain actions to users, even those that may not be administrators. The four built-in roles are Reviewer, Editor, Approver and Administrator. Change-request approval helps to avoid unexpected and unapproved modifications to production GPOs. AGPM also provides the ability to edit GPOs offline, allowing for review and approval of the changes before committing them to production. Furthermore, version tracking of GPO changes, the ability to audit/compare versions and the rollback feature can help you recover from GPO changes that need to be revised. The Overview of Advanced Group Policy Management white paper (Link) has information about these features and more.

Environment Overview:

The environment has three computers: a domain controller, a member server, and a client.

  • CONDC1 : Windows Server 2008 R2 Domain Controller
  • CONAGPM : Windows Server 2008 R2 AGPM Server
  • CONW71 : Windows 7 AGPM Client

The AGPM server and client computers are members in the contoso.com domain. This scenario uses the 64-bit version of AGPM for server and client installations, but a 32-bit version is available as well. The AGPM server and client installs were done following the Step-by-Step Guide (Link). This document is also included on the MDOP disk (..\Documents\4.0\AGPM_40_Step-by-Step_Guide.pdf).

[diagram: CONDC1, CONAGPM and CONW71 in the contoso.com domain]

Tools Overview:

The following tools will be used to gather data during this exercise:

  • Microsoft Network Monitor (Link) will be used to capture the network traffic that is generated between each computer.
  • Process Monitor (Link) is a Windows Sysinternals utility that we will use to monitor the activity of individual processes running on each computer during the exercise.
  • Group Policy Management Console (GPMC) logging will be enabled (Link), in order to track the operations performed by this MMC snap-in on each computer. This will allow us to point out any differences between the snap-in’s behavior between the different computers.
  • Active Directory Object Auditing will be enabled (Link), notifying us of any changes to Active Directory Objects that we configure for auditing. This will generate events in the computer’s security event log.
  • Advanced Group Policy Management logging (Link) is configured via Group Policy. This will be enabled in order to see exactly what the AGPM components are doing on each computer.

Prologue:

Before we begin, it’s important to understand how AGPM is able to delegate management of GPOs to non-Administrators. Delegation of the various AGPM roles is done within AGPM itself. All operations performed by AGPM in the domain are handled by the AGPM service account. During the AGPM server installation, you specify what account you wish to use as the AGPM service account. This single account is granted the permissions to create, delete and manage GPOs in the domain. When we start GPMC as a user who has delegated permissions within AGPM, even if the user account has no rights to manage GPOs by itself, AGPM instructs the service account to perform the actions on the user’s behalf.

When performing data collection on multiple systems like this, it’s important to understand how each component works, and under what security context it’s working. For this task, I’m logged into CONW71 with my AGPM Administrator account (agpmadmin). The changes I make through the AGPM console on CONW71 are commands sent through GPMC.msc as the user agpmadmin. Even though I request to change the status of a GPO that is located on a domain controller, the commands sent from CONW71 go to the AGPM service running on CONAGPM. On CONAGPM, the AGPM service receives those commands and evaluates what permissions the submitting user account has been granted.

Based on the role of the user submitting the commands to the AGPM service, the action will be allowed or disallowed. If the user has the appropriate permissions, the AGPM service builds the request to send to the domain controller and forwards it, not as the user who initiated the requests, but as the AGPM Service account. Since the AGPM service account is being used for the request sent to the domain controller, access is based on the permissions assigned to the AGPM service account.

Getting Started:

First, we’ll log into CONDC1 and create a few Organizational Units (OU) named “Development”, “HR” and “Sales”. By right-clicking on the OUs and selecting “Create a GPO in this domain, and Link it here”, we will create the new GPOs that will automatically be linked to their respective OUs. CONDC1 doesn’t have the AGPM server or client installed, so we will use the vanilla Group Policy Management Console (GPMC.msc). For the sake of today’s blog post, we’ll only be working with the “Dev Client Settings” GPO. Let’s add a few drive mapping GP Preference settings, just to make it seem a bit more authentic. Before we do anything further to the GPO, let’s make note of a few key details regarding the GPO.

  • The GPO GUID : {01D5025A-5867-4A52-8694-71EC3AC8A8D9}
  • The GPO Owner : Domain Admins (CONTOSO\Domain Admins)
  • The Delegation list : Authenticated Users, Domain Admins, Enterprise Admins, ENTERPRISE DOMAIN CONTROLLERS and SYSTEM

Second, we want to get each of our data collection tools ready to capture data. Logging options will be configured for GPMC and AGPM. Active Directory Object Auditing will be enabled, and our GPO will have auditing configured to report any attempted change, successful or not. Network Monitor and Process Monitor will be started and tracing on all three computers right before we take control of the production GPO.

Next, we’re ready to take control of the GPO using the AGPM client installed on CONW71. Computers that have the AGPM client installed have a new “Change Control” entry within GPMC. This is where we will perform most of the functions that brought us to install AGPM in the first place. On the “Uncontrolled” tab, we see a list of GPOs in the domain that are not currently controlled by AGPM. Let’s right-click on the “Dev Client Settings” GPO, and bring up a context menu where we select the “Control” option.

image

If we hold the delegated role of AGPM Admin or Approver, we’ll be prompted to add a comment for this operation. Without Admin or Approver, we’ll be asked to fill out a request form that will be emailed to the AGPM Approvers first. It’s always a good idea to comment with something meaningful, explaining why we’re taking ownership of this GPO. It’s not always obvious why changes were made to a GPO, and the comment is our chance to inform others of the reasons behind our action. If your organization has change control procedures, it would be an excellent place to link the action to the official change request identifier.

Assuming we have the permissions to take control of a production GPO, when we add our comment and click “Ok”, we will see a progress window appear. It will update itself with the progress it’s making on our request. It should report whether the operation was successful or not, and if not it should give us some additional information regarding the problem(s) it ran into.

Simple enough on the front end, but what exactly is taking place behind the scenes while we made those few clicks? Let’s take a look…

The AGPM Client

Network Monitor on the AGPM Client shows some TCP chatter back and forth between an ephemeral port on the AGPM client, and TCP Port 4600 on the AGPM server. TCP 4600 is the default port when installing the AGPM Server component, but you can change that during the install or after (Link) if you prefer. There is no communication between the AGPM client and the domain controller other than ARP traffic. The process making the calls to the AGPM server is MMC.exe.

image

Process Monitor on the AGPM Client is similarly sparse on information. MMC.exe accesses the registry and file system briefly as it builds the request to send to the AGPM server, and writes to the agpm.log file under the profile of the logged on user.

GPMC logging (gpmgmt.log) normally generates many entries, but none were generated on the AGPM Client during the test.

AGPM logging on the client shows a number of actions being taken between the AGPM Client and AGPM Server. The control operation appears between two [Info] entries, and shows the various functions being called by the AGPM client to process and report the results from the operation to the user.

image

The AGPM Server

Moving to the AGPM Server, we can see a difference in behavior from nearly every data point.

The network capture from the AGPM Server shows the TCP communication back and forth with the AGPM Client followed by TCP and LDAP packets between the AGPM Server and the Domain Controller. Once the commands have been received from the AGPM Client, the AGPM Server initiates the requested actions with the Domain Controller. The request to change the GPC and its contents comes in the form of SMB SetInfo Requests.

image

If we drill down into the packet info, into the SetInfo Request… we’ll see the modified object:

image

And further down, the DACL changes:

image

The highlighted SID is for the AGPM Service account in our domain. We can get the user account SID for the AGPM service account by looking up the objectSID attribute of that user account within ADSIEdit.msc. 0x001f01ff is the equivalent of Full Control. Notice, the owner is still set to S-1-5-32-544 (Built-In/Administrators). This is the case for every file and folder within the GPT except for the top level folder named after the GPO’s GUID. Here we see the AGPM Service account’s SID again.
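To make a captured DACL readable without a hex table at hand, here is an added Python example (not code from the original post or from AGPM) that decodes a Win32 file access mask into the individual rights it grants, labels the well-known SIDs the post mentions, and flags which principals could rewrite the ACL itself. The sample DACL is constructed: the domain SID S-1-5-21-1111111111-2222222222-3333333333 and the AGPM service account RID 1105 are placeholders, not values from the lab.

```python
# Added example: decode Win32 file access masks and SIDs from a DACL.
# Bit values are the winnt.h definitions; the sample DACL below is constructed.

GENERIC_RIGHTS = {
    0x80000000: "GENERIC_READ",
    0x40000000: "GENERIC_WRITE",
    0x20000000: "GENERIC_EXECUTE",
    0x10000000: "GENERIC_ALL",
}
STANDARD_RIGHTS = {
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
# Object-specific bits for files and directories (the low 9 bits of the mask).
FILE_SPECIFIC_RIGHTS = {
    0x0001: "FILE_READ_DATA / FILE_LIST_DIRECTORY",
    0x0002: "FILE_WRITE_DATA / FILE_ADD_FILE",
    0x0004: "FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY",
    0x0008: "FILE_READ_EA",
    0x0010: "FILE_WRITE_EA",
    0x0020: "FILE_EXECUTE / FILE_TRAVERSE",
    0x0040: "FILE_DELETE_CHILD",
    0x0080: "FILE_READ_ATTRIBUTES",
    0x0100: "FILE_WRITE_ATTRIBUTES",
}
FILE_ALL_ACCESS = 0x001F01FF  # STANDARD_RIGHTS_ALL | the nine file-specific bits
ALL_KNOWN_BITS = 0
for table in (GENERIC_RIGHTS, STANDARD_RIGHTS, FILE_SPECIFIC_RIGHTS):
    for bit in table:
        ALL_KNOWN_BITS |= bit

WELL_KNOWN_SIDS = {
    "S-1-5-9": "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}
WELL_KNOWN_DOMAIN_RIDS = {512: "Domain Admins", 519: "Enterprise Admins"}


def decode_file_access_mask(mask):
    """Return (list of right names, leftover bits not covered by the tables)."""
    names = []
    for table in (GENERIC_RIGHTS, STANDARD_RIGHTS, FILE_SPECIFIC_RIGHTS):
        for bit, name in table.items():
            if mask & bit:
                names.append(name)
    return names, mask & ~ALL_KNOWN_BITS


def is_full_control(mask):
    """True when every bit of FILE_ALL_ACCESS (0x001F01FF) is set."""
    return mask & FILE_ALL_ACCESS == FILE_ALL_ACCESS


def describe_sid(sid):
    """Label well-known SIDs and well-known RIDs of domain SIDs (S-1-5-21-...-RID)."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    parts = sid.split("-")
    if sid.startswith("S-1-5-21-") and len(parts) == 8 and parts[-1].isdigit():
        rid = int(parts[-1])
        return "%s (RID %d)" % (WELL_KNOWN_DOMAIN_RIDS.get(rid, "domain account"), rid)
    return "unknown SID"


def audit_dacl(aces):
    """Summarise a list of (sid, access_mask) allow ACEs."""
    report = []
    for sid, mask in aces:
        rights, leftover = decode_file_access_mask(mask)
        report.append({
            "sid": sid,
            "principal": describe_sid(sid),
            "mask": "0x%08X" % mask,
            "full_control": is_full_control(mask),
            # Whoever holds WRITE_DAC or WRITE_OWNER can rewrite the ACL itself.
            "can_rewrite_acl": bool(mask & (0x00040000 | 0x00080000)),
            "unknown_bits": leftover,
            "rights": rights,
        })
    return report


# Constructed sample resembling a GPT folder DACL after AGPM takes control.
CONSTRUCTED_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # placeholder
SAMPLE_GPT_DACL = [
    ("S-1-5-11", 0x001200A9),                        # Authenticated Users: read & execute
    ("S-1-5-9", 0x001200A9),                         # Enterprise Domain Controllers
    (CONSTRUCTED_DOMAIN_SID + "-512", 0x001F01FF),   # Domain Admins
    (CONSTRUCTED_DOMAIN_SID + "-519", 0x001F01FF),   # Enterprise Admins
    ("S-1-5-18", 0x001F01FF),                        # SYSTEM
    (CONSTRUCTED_DOMAIN_SID + "-1105", 0x001F01FF),  # AGPM service account (RID is a placeholder)
]

if __name__ == "__main__":
    for entry in audit_dacl(SAMPLE_GPT_DACL):
        print("%-48s %s full=%s acl-write=%s" % (
            entry["principal"], entry["mask"], entry["full_control"], entry["can_rewrite_acl"]))
```

The `can_rewrite_acl` flag is the one worth watching: after the control operation the AGPM service account joins the set of principals that can change the GPT's permissions and ownership, which is exactly why that single account deserves the same protection as the administrators it stands in for.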

image

After the AGPM Service account has permissions, you can see it start to query the domain controller via LDAP and SMB2, copying over the GPO to the AGPM server. This is the AGPM server creating a copy of the GPO in the Archive you created during installation of the AGPM Server.

Process Monitor on the AGPM Server is very busy. First, the service checks for the Archive path, and reads through the gpostate.xml file, checking to see if it already knows about this GPO. The gpostate.xml file contains a historic view of GPOs known to AGPM. We see some LDAP communication between the AGPM server and the Domain Controller that corresponds to the AGPM server modifying permissions on the portion of the GPO that resides in Active Directory. This is followed by the AGPM service exploring the entire folder structure of the GPO’s SYSVOL component, modifying the DACL and Owner information to include the AGPM service account.

In order to provide the ability to edit GPOs offline, AGPM makes use of the Archive to store a copy of each GPO it controls. The Process Monitor capture from the AGPM Server gives us a very good look at what’s going on between SYSVOL and the archive.

image

We see it start to dig into the Group Policy Template for the GPO we’re taking control of, reading the information from the folders and files beneath it. In the next image, we see the AGPM service query the registry for the location of the Archive.

image

We also see below that it reads from a Manifest.xml file. This is a hidden file that has some basic information about every GPO in the Archive: things like the GPO’s production GUID, the domain and domain GUID, as well as the AGPM-assigned GUID.

image

After this, the AGPM service starts to create a folder structure within the Archive for the GPO. What’s interesting here is, closer scrutiny reveals an uncanny resemblance to a standard GPO backup routine. If you’ve ever backed up a GPO using GPMC, you’ll recognize the files and folder structure created by AGPM when it adds a GPO to its archive.

image

Notice the GUID in the Archive path. AGPM creates its own unique identifier for the archived copy of the GPO. Process Monitor shows the AGPM service going back and forth between SYSVOL, reading info and writing it into the Archive. The AGPM service pulls the settings from the GPO and creates a gpreport.xml file with that information in it. GPReport.xml also has the following information within it:

  • GPO Name, Created Time, Modified Time and Read Time
  • Security Descriptor (Security principal SIDs with SDDL permissions)
  • Additional info regarding each Security Principal

Two other files in the archived GPO’s folder are Backup.xml and bkupInfo.xml (Hidden). Backup.xml contains the following information:

  • The list of Security Principals on the GPO, along with additional information about each
  • The actual settings from the GPO itself
  • Security Descriptor (in hex)
  • Options
  • UserVersionNumber
  • MachineVersionNumber
  • CSE GUIDs

BkupInfo.xml is essentially an excerpt directly from Manifest.xml of the info that pertains to this GPO.

AGPM logging on the AGPM server doesn’t generate many entries during the control operation. It shows the incoming message, identifies the Client/Server SIDs (The user account SIDs of the user initiating the action on the AGPM Client, and the AGPM service account being used by the AGPM Server), and calls the appropriate functions. The control operation has the AGPM Server sending requests to check the GPO’s security (doGpoLevelAccessCheck()) and then take control of the GPO (ControLGPO()).

image

GPMC logging on the AGPM Server gives us a wealth of information. Without much delay, you see the GPMC log record a LDAP bind and permissions being modified on the GPO objects within Active Directory.

image

The next thing you’ll notice in the GPMC logging on the AGPM Server is a reference to Backup-related functions being called. Remember seeing the AGPM server accessing the Group Policy Template and Container in the other data collections? When the GPO is copied to the AGPM Archive, this is essentially a GPO backup, very much like the one you can perform in GPMC.msc. The remainder of the GPMC log was dedicated to covering the backup processes.

image

The Domain Controller

This is the last stop in our data analysis. The network capture shows the traffic from the AGPM Server. Process Monitor, however, is a bit different. Where the AGPM Server had a lot of entries specific to our operation to control the GPO, all of the information in Process Monitor on the Domain Controller shows up as reads/writes to the Active Directory database (NTDS.DIT). Process Monitor does not allow us to see what was being read or written, so those entries are fairly useless for really seeing what’s going on.

The Security log has generated many events, just in the short time it took to take control of this GPO. We can see the AGPM service account connect and read various attributes of the Group Policy Container from Active Directory. We’ll also see a single event for the actual modification of the Group Policy Container (GPC) replacing the current nTSecurityDescriptor information with one containing permissions for the AGPM Service Account.

image

The Object Name value in the event data corresponds to the objectGUID of the GPO’s container object within Active Directory.

Since neither AGPM nor GPMC was used on the Domain Controller, there are no corresponding logs to review from those tools.

In Closing

We’ve pulled the curtain away from a very simple procedure of taking ownership of a production GPO, reviewing it from different perspectives using different tools, and found it’s a very simple task that is broken up into a few common subtasks.

  • The AGPM service takes ownership of the GPO and adds itself to the DACL with Full Control, both on the Group Policy Container within Active Directory and the Group Policy Template in SYSVOL.
  • The AGPM service then performs a GPO backup to a specified location (the Archive).

Once the GPO is controlled by AGPM and backed up to the Archive, a number of other tasks can be performed on it, which we will cover in depth in future blog posts.

Sean “right angle noggin” Wright

USMT 4 Update Released to Support Office 2010 Migrations, Fix Other Goo


Hi, David here. Some of you may have noticed that if you tried to migrate Office 2010 settings using USMT 4.0, the results were often less than ideal. Without going into a very long and ultimately meaningless explanation, this happened because USMT 4.0 didn’t have any of the information needed to know where Office 2010 expected its data to be. Office 2010 is different enough from its predecessors that USMT does need to have that information in order to be able to handle the settings.

Fortunately, I have good news: we have created an update for USMT 4.0 that adds support for Office 2010. USMT 4.0 migrations of Office 2010 are now supported.

You can get the update here: http://support.microsoft.com/kb/2023591

Here are some things you should be aware of:

  • Certain settings and customizations in MS Word won’t migrate from any version to Word 2010, because of the way Word is designed and how data is stored in “HKEY_CURRENT_USER\software\Microsoft\Office\<OfficeVersion>\Word\Data”.
  • Many Office settings (across all Office apps) won’t migrate when going from 32-bit Office to 64-bit Office. This is due to the way that the settings are stored in 64-bit Office installations.
  • If you’ve launched Office on the destination PC as a user before doing the migration of that user’s profile, most of your settings won’t migrate. This happens because Office relies on some code that only runs the first time that an Office app is launched to migrate settings.
  • This update isn’t a magic bullet. You may still need to do some customization to make USMT fit your particular configuration.

The update also fixes a couple of issues around hard-link migration performance when copying a folder with a huge number of files and an issue that affected certain time zones.

If you’re doing a migration, make sure you’ve allotted plenty of time for testing and customization, and if you do need help from us, get it early so that you have time to make adjustments to what you’re doing before you start running into deadlines. Make sure you read the KB fully before pinging us!

That said, go get the update. Then go forth and migrate.

- David “Clippy” Beach

So glad that I moved…


Hot enough for ya, Mark?

Update - way more glad now that I saw this:

image

Ned “drove in with his windows down today” Pyle


Monitoring and Maintaining DFS Namespaces


Hello all, David here again. If you are reading this post, you likely have Distributed File System Namespaces (DFSN) deployed or are at least considering it. In large environments, DFS Namespaces may stretch across many sites and target tens or hundreds of file servers. Depending on the size and quantity of namespaces, you may be wondering about the methods available to monitor the health of namespaces and ensure their proper function. I have written the information below to provide such methods.

Utilize the DFSDiag.exe utility

First, the administrator of any environment with namespaces should routinely run the DFS Diagnostics (DFSDiag.exe) tool. DFSDiag is available in Windows Vista, Server 2008, 7, and 2008 R2. For any 2008 or 2008 R2 systems not hosting the DFS Namespaces service, you will need to install the Distributed File System Tools found in the Remote Server Administration Tools (RSAT) by using Server Manager. RSAT is a separate download for Vista and Windows 7. In addition, you may leverage the tool in an environment consisting of Windows Server 2003 domain controllers and namespace servers, but you will need at least one of the later operating systems to run DFSDiag. If possible, use the Windows 7 or 2008 R2 version of DFSDiag; it contains additional help text describing each option. Lastly, it supports both domain-based and standalone namespaces.

While there have been a few other blog posts about DFSdiag (look here and here), I will mention the key issues it detects within an environment:

  • Offline file servers, domain controllers, and DFSN servers (Helpful in detecting retired servers that are still referenced within the namespace!)
  • Inaccessible file servers because they have inconsistent NTFS and share permissions when compared to other targets of the DFSN folder
  • Invalid site associations of the system running DFSDiag locally or of any targets defined in the namespace
  • Inconsistent registry settings for the DFSN service compared between namespace servers
  • Inconsistent Active Directory metadata between the domain's domain controllers (may indicate replication latencies or failures)
  • Overlapping folders, folder targets, and duplicated folders
  • Inconsistencies with Access Based Enumeration (ABE) of the namespace and of the namespace share

Here is a screenshot of DFSDiag output while file server "2008fs1" is offline and the NTFS permissions of the two targets of \\CONTOSO\Namespace1\folder1 are not consistent:

image

As you can see, checking all these dependencies manually would take an enormous amount of time. So let DFSDiag do all the work and allow you to fix problems before your users have an opportunity to call the helpdesk!

Be mindful when configuring subnets and their site associations within the Active Directory. Clients and servers which cannot be mapped to a site will prevent DFS from referring clients to their local targets. DFSDiag will report a failure to map a server's IP address to a site, but it will not alert you if there are random clients in your environment not belonging to an Active Directory site. For this reason, periodically check if any Netlogon ‘5807’ events have been reported on any domain controllers. If any are found, follow the instructions within the event to review the Netlogon.log debug log file located within "%systemroot%\debug" and search for all occurrences of 'NO_CLIENT_SITE'. These indicate the name and IP address of clients on your network which cannot be mapped to an Active Directory site. Then, create the appropriate subnets.

Event ID: 5807
Source: NETLOGON
Description:

During the past number hours there have been number connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to any Domain Controller including those that are in far distant locations from the clients. A client's site is determined by the mapping of its subnet to one of the existing sites. To move the above clients to one of the sites, please consider creating subnet object(s) covering the above IP addresses with mapping to one of the existing sites. The names and IP addresses of the clients in question have been logged on this computer in the following log file 'SystemRoot\debug\netlogon.log' and, potentially, in the log file 'SystemRoot\debug\netlogon.bak' created if the former log becomes full. The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain text 'NO_CLIENT_SITE:'. The first word after this string is the client name and the second word is the client IP address. The maximum size of the log(s) is controlled by the following registry DWORD value'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize'; the default is 20000000 bytes. The current maximum size is 20000000 bytes. To set a different maximum size, create the above registry value and set the desired maximum size in bytes.
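Searching Netlogon.log by hand for NO_CLIENT_SITE entries gets tedious on a busy domain controller, so here is an added Python example (not part of the original post, and not a Microsoft tool) that pulls the client name and IP out of each NO_CLIENT_SITE line as the 5807 event describes, drops clients that an existing AD subnet already covers (stale entries from before the subnet object was created), and groups the rest into candidate /24 subnets for review. The log lines and the list of existing subnets are constructed, modelled on the Netlogon.log format.

```python
# Added example: find clients that Netlogon could not map to an AD site and suggest subnets.
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the Netlogon.log line format; not a real capture.
SAMPLE_NETLOGON_LOG = """\
02/03 14:22:01 [MISC] [1204] NO_CLIENT_SITE: WKS-0412 10.40.7.23
02/03 14:22:09 [MISC] [1204] NO_CLIENT_SITE: WKS-0417 10.40.7.88
02/03 14:25:44 [MISC] [1204] NO_CLIENT_SITE: LAB-LT-03 192.168.250.15
02/03 14:26:02 [MISC] [1204] NO_CLIENT_SITE: WKS-0412 10.40.7.23
02/03 14:30:10 [SESSION] CONTOSO: NetrServerAuthenticate3 entered
02/03 14:31:57 [MISC] [1204] NO_CLIENT_SITE: FS-TEMP01 10.10.3.200
"""

# Constructed list of subnets already defined in Active Directory Sites and Services.
EXISTING_SUBNETS = ["10.10.0.0/16", "10.20.0.0/16", "192.168.1.0/24"]

# Per the 5807 event text: first word after the marker is the client name, second its IP.
NO_CLIENT_SITE_RE = re.compile(r"NO_CLIENT_SITE:\s+(\S+)\s+(\S+)")


def parse_no_client_site(log_text):
    """Return {ip_string: sorted list of client names} for every NO_CLIENT_SITE line."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        match = NO_CLIENT_SITE_RE.search(line)
        if not match:
            continue
        name, ip_text = match.groups()
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # malformed address: skip rather than guess
        clients[str(ip)].add(name)
    return {ip: sorted(names) for ip, names in clients.items()}


def uncovered_clients(clients, existing_subnets):
    """Keep only clients whose IP is not inside any subnet already defined in AD.

    Entries that are now covered are usually stale: the log predates the subnet object.
    """
    nets = [ipaddress.ip_network(s) for s in existing_subnets]
    return {ip: names for ip, names in clients.items()
            if not any(ipaddress.ip_address(ip) in net for net in nets)}


def suggest_subnets(clients, prefix_len=24):
    """Group uncovered IPs into candidate subnets of the given length (a starting point, not a plan)."""
    groups = defaultdict(set)
    for ip in clients:
        net = ipaddress.ip_network((ip, prefix_len), strict=False)
        groups[str(net)].add(ip)
    return {net: len(ips) for net, ips in sorted(groups.items())}


def analyze(log_text, existing_subnets):
    """Full pass: parse, filter against known subnets, and propose subnets for what remains."""
    clients = parse_no_client_site(log_text)
    gaps = uncovered_clients(clients, existing_subnets)
    return {
        "clients_seen": sorted(clients),
        "uncovered": gaps,
        "suggested_subnets": suggest_subnets(gaps),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_NETLOGON_LOG, EXISTING_SUBNETS)
    for ip, names in sorted(result["uncovered"].items()):
        print("%-16s %s" % (ip, ", ".join(names)))
    print("candidate subnets:", result["suggested_subnets"])
```

The /24 grouping is only a prompt for the network team: the real subnet boundaries come from your IP plan, and a client that shows up in an unexpected range is worth a second look before a subnet object quietly legitimises it.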

Leverage the File Services Management Pack found in SCOM

If you have System Center Operations Manager (SCOM) deployed, you may utilize the File Services Management Pack to retrieve health information from all File Services roles, including DFS Namespaces. Download is available here.

Ready a “toolkit” of common tools and utilities

Troubleshooting DFS Namespace issues can be difficult. It usually makes sense to begin investigations on a client experiencing a specific failure to access the namespace. Consider building a “toolkit” to make it easier to run DFSDiag, DFSUtil, and Network Monitor 3.4 on the problematic client. Otherwise, you will be forced to download and install the Remote Server Administration Tools (RSAT) to the system you wish to diagnose, and then configure the DFSN RSAT component. A much easier method is to copy DFSUtil.exe and DFSDiag.exe (both found in %systemroot%\system32) to a share, to a thumbdrive, or directly to the client. Ensure that you also copy the dfsdiag.exe.mui language file from the '%systemroot%\system32\en-us' folder and place it into an 'en-us' subfolder where you intend to run dfsdiag. Note, you will also need to maintain separate versions of dfsdiag if you maintain both Vista/2008 and Windows 7/2008 R2 systems. If you were to rename dfsdiag.exe to 'dfsdiagwin7.exe', ensure you similarly rename the MUI file to 'dfsdiagwin7.exe.mui'.

Create a disaster recovery plan

Do you have a disaster recovery plan in the event all or portions of your namespace are lost due to hardware failures or accidental deletions? If not, strongly consider exporting your namespace using DFSUtil.exe periodically. The XML-based output file may be imported back into the namespace (or a completely new namespace) in the event of a problem, or it may be utilized simply as a historical record of the namespace's design. The export should be considered in addition to regular Active Directory (system state) and namespace server backups (you are backing up Active Directory regularly, right???). Trust me... you won't realize the value of this exported namespace data until you experience a situation where it takes you hours to recover the namespace rather than minutes. A sample command to export a namespace 'sales' in domain 'contoso.com' is:

dfsutil /root:\\contoso.com\sales /export:c:\NameSpaceBackups\sales_namespace_1-10-2011.txt
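Keeping the exports is only half the value; comparing two of them tells you what changed in the namespace between snapshots (a retired server still referenced, a link somebody removed by accident). Here is an added Python example, not part of the original post or of the DFS tooling, that loads two exports and reports added or removed links and per-link target changes. The Root/Link/Target element and attribute names follow the export's structure as an assumption (adjust them if your export differs), and both XML documents are constructed.

```python
# Added example: compare two DFSUtil namespace exports to see what changed.
# Element and attribute names follow the Root/Link/Target export layout as an assumption;
# both documents below are constructed, not real exports.
import xml.etree.ElementTree as ET

EXPORT_LAST_MONTH = r"""<Root Name="\\contoso.com\sales" State="1" Timeout="300">
  <Target Server="FS1" Folder="sales" State="2" />
  <Link Name="reports" State="1" Timeout="1800">
    <Target Server="FS1" Folder="reports" State="2" />
    <Target Server="FS2" Folder="reports" State="2" />
  </Link>
  <Link Name="forecasts" State="1" Timeout="1800">
    <Target Server="FS2" Folder="forecasts" State="2" />
  </Link>
</Root>"""

EXPORT_TODAY = r"""<Root Name="\\contoso.com\sales" State="1" Timeout="300">
  <Target Server="FS1" Folder="sales" State="2" />
  <Link Name="reports" State="1" Timeout="1800">
    <Target Server="FS1" Folder="reports" State="2" />
  </Link>
  <Link Name="forecasts" State="1" Timeout="1800">
    <Target Server="FS2" Folder="forecasts" State="2" />
  </Link>
  <Link Name="archive" State="1" Timeout="1800">
    <Target Server="FS3" Folder="archive" State="2" />
  </Link>
</Root>"""

ROOT_KEY = "<root>"  # key used for the namespace root's own targets


def target_path(target):
    """Render a Target element as a UNC path, e.g. \\FS1\reports."""
    return "\\\\%s\\%s" % (target.get("Server"), target.get("Folder"))


def load_namespace(xml_text):
    """Return {link name: set of target UNC paths}, with ROOT_KEY for the root targets."""
    root = ET.fromstring(xml_text)
    folders = {ROOT_KEY: {target_path(t) for t in root.findall("Target")}}
    for link in root.findall("Link"):
        folders[link.get("Name")] = {target_path(t) for t in link.findall("Target")}
    return folders


def diff_namespaces(old, new):
    """Report links that appeared or vanished, and target changes on links present in both."""
    changed = {}
    for name in old.keys() & new.keys():
        added = sorted(new[name] - old[name])
        removed = sorted(old[name] - new[name])
        if added or removed:
            changed[name] = {"added": added, "removed": removed}
    return {
        "added_links": sorted(new.keys() - old.keys()),
        "removed_links": sorted(old.keys() - new.keys()),
        "changed_targets": changed,
    }


def compare_exports(old_xml, new_xml):
    return diff_namespaces(load_namespace(old_xml), load_namespace(new_xml))


if __name__ == "__main__":
    result = compare_exports(EXPORT_LAST_MONTH, EXPORT_TODAY)
    print("added links:   ", result["added_links"])
    print("removed links: ", result["removed_links"])
    for link, change in result["changed_targets"].items():
        print("link %-12s +%s -%s" % (link, change["added"], change["removed"]))
```

Run against a scheduled export (one file per day in the same folder as the command above), this gives you a change log for the namespace that does not depend on anyone remembering to document what they did in the DFS Management console.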

Install Service Updates

Ensure that you are running the latest version of DFS Namespace-related components. The articles listed in the link below are routinely updated to reflect the latest updates available for both DFSN and DFSR: http://www.microsoft.com/windowsserversystem/dfs/hotfixes.mspx

Increase the scalability of DFSN

If your namespaces host thousands of links and operate in 'Windows 2000 Server mode', strongly consider converting the namespace to 'Windows Server 2008 mode'. You will gain increased scalability and the option to use Access Based Enumeration (ABE). For more information, please see http://technet.microsoft.com/en-us/library/cc753875.aspx.

Utilize the Best Practices Analyzer

Lastly, on Windows Server 2008 R2 DFSN servers, run the Best Practices Analyzer for File Services. While it is focused on DFSN settings of the local server, it covers a few scenarios not covered by DFSDiag. For more information about the BPA, please visit http://technet.microsoft.com/en-us/library/ff633466(WS.10).aspx, and also download an updated version of the BPA here.

Any distributed service can be very difficult to monitor and maintain. My hope is the strategies and methods above keep your DFS Namespaces in tiptop shape. Happy DFSN'ing!

- Dave “Fire Marshall Bill” Fisher

KCC Offline Bridgehead Behaviors


This is a guest post from our friend Keith Brewer, a Premier Field Engineer that recently spent some time with us here in support as part of a “foreign exchange student” program. As you can see, we pay him by the screenshot… :-P

Hi all, Keith here. Recently I answered a forum question on KCC “topology review” frequency. You can read that here.

There were some interesting follow up questions that came from that conversation:

  1. How exactly does the KCC behave when a bridgehead goes offline?
  2. What is the impact if the bridgehead is the ISTG or if the ISTG goes offline at the same time as one of the domain controllers serving as the bridgehead?
  3. Do manually created connection objects change the behavior?

So I thought the easiest way to explain is to walk through it…

The setup is below (don’t worry about Branch1 and the RODC). For the purposes of this example, we will concentrate on the Hub Site HQ, the Branch Site Branch2, and the Backup Hub Site BackupHub.

image

  • FAB-DC3 & FAB-DC4 are Windows Server 2008 R2
  • FAB-DC1 & FAB-DC2 are Windows Server 2008 SP2
  • Forest & Domain Functional Level is Windows Server 2003

Under normal operation the ISTG builds an automatically-generated connection object to a DC (or DCs) in the HQ Site, similar to what we see below for the BackupHub site and HQ because of the connectivity described on the HQ-BUHUB Site Link.

image

I have created a manual connection object between Branch2 DC (FAB-DC3) and the HQ site with FAB-DC2 to speak to question 3 above.

image

Additionally here are the HQ connections that have both FAB-DC1 & FAB-DC2 acting as bridgehead domain controllers.

image

image

Here is the current (truncated) replication information.

image

image

@ 14:44 FAB-DC2 goes offline

@ 14:49 FAB-DC3 shows 1st failure from FAB-DC2

image

@ 14:54 DC4 follows suit and shows 1st failure from FAB-DC2

image

Now we wait for the 2 hour default window. While we wait let’s look at the ISTG election information:

Conveniently the ISTG for HQ Site is FAB-DC2 who as we all know has tragically gone offline @ 14:44

image

So we know that FAB-DC1 will review its information (contained in the UpToDateness Vector Table) on the validity of DC2 as the ISTG. Seen here:

image

So then at some point between 16:43 & 16:58 we should see DC1 take over the HQ site’s ISTG role.

JACKPOT!

image

Looking at the Replication Metadata we can get a clear picture of when the election took place and who wrote the change.

image

A new ISTG is elected @ 16:44, 2 hours from the last successful replication of the old ISTG.

So now we see what the KCC did once we met both criteria:

  • # of Failures
  • Duration of time since last success

We can see on FAB-DC3 that a new connection was automatically created.

image

Note the creation time of 4:39 or 16:39 (which is 2:05 from the last successful replication, which occurred at 14:34 or 2:34).

Now taking a look at FAB-DC4 (similar behavior):

image

FAB-DC4 created a connection @ 4:45 or 16:45 (which was 2:02 from the last successful replication, which occurred at 14:43 or 2:43).

Last but not least we see how the Hub Site Behavior and resulting connections are handled once the new ISTG is elected.

image

And now a connection from Branch2 (FAB-DC3) to FAB-DC1 has been created by the KCC at 4:44 PM, seconds after the ISTG election took place @ 4:44:37, in response to the number of failures and the amount of time since FAB-DC2 last replicated from Branch3.

Note About the use of manual connection objects:

While the question posed involves manual connection objects and the explanation of the behavior includes manual connection objects, that is by no means an endorsement of their use.

Careful planning should be invested into designing the Active Directory site & site link configuration.

In most cases it is preferred to allow the KCC to utilize Active Directory configuration information to build and manage all replication connections. Adding manual connections adds administrative overhead and limits the KCC’s ability to build and manage the replication topology.

Now, how the KCC cleans up the connections on DC4 for DC2, on DC3 for DC2, and in the Hub on DC2 from DC3 is a story for another thread….

-Keith “What’s your vector, Victor?” Brewer

No Friday mail sack today


I think people are still digging out of the snow; go enjoy your weekend folks. And remember: no matter who wins, the Packers and Steelers are equally losers.

Face!

- Ned “bitter” Pyle

Understanding what the USMT 4.0 CONFIG manifests migrate (Part 7: XP Section F)


This part covers the following config.xml components for Windows XP:

--------------------------------------------------------------------------------------------------

    <component displayname="Appearance and Display" migrate="yes" ID="appearance_and_display">

      <component displayname="Taskbar and Start Menu" migrate="yes" ID="appearance_and_display\taskbar_and_start_menu">

        <component displayname="Microsoft-Windows-explorer-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-explorer-dl/microsoft-windows-explorer-dl/settings"/>

      </component>

      <component displayname="Personalized Settings" migrate="yes" ID="appearance_and_display\personalized_settings">

        <component displayname="Microsoft-Windows-shmig-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-shmig-dl/microsoft-windows-shmig-dl/settings"/>

        <component displayname="Microsoft-Windows-shell32-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-shell32-dl/microsoft-windows-shell32-dl/settings"/>

        <component displayname="Microsoft-Windows-CommandPrompt-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-commandprompt-dl/microsoft-windows-commandprompt-dl/settings"/>

      </component>

    </component>

--------------------------------------------------------------------------------------------------

Windows Explorer

Config Entry

<component displayname="Microsoft-Windows-explorer-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-explorer-dl/microsoft-windows-explorer-dl/settings"/>

Config Manifest

"\USMT\x86\DlManifests\explorer-dl.man"

Behavior Synopsis

Migrates per user Windows Explorer shell settings, such as customizations of the file management UI, shell icons, task bar and start menu.

imageimage

Shell Configuration

Config Entry

<component displayname="Microsoft-Windows-shmig-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-shmig-dl/microsoft-windows-shmig-dl/settings"/>

Config Manifest

"\USMT\x86\DlManifests\shmig-dl.man"

Plugin: "Microsoft-Windows-shmig-DL\shmig.dll"

Behavior Synopsis

There is no practical XML in this manifest; all work is done by the plugin SHMIG. It loads each user profile and migrates registry settings for per-user display settings like DPI, screensaver settings, recycle bin usage and confirmation dialogs, the Start Menu, and User Tiles. It is also supposed to migrate the "Send to" context menu, but a bug in XP prevents this from working correctly (see KB2459849). It supports migrating wallpaper settings, but does not do so from XP to later OS versions for licensing reasons.


Shell Folders

Config Entry

<component displayname="Microsoft-Windows-shell32-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-shell32-dl/microsoft-windows-shell32-dl/settings"/>

Config Manifest

"\USMT\x86\DlManifests\shell32-dl.man"

Behavior Synopsis

Migrates per-user shell settings such as recent documents, desktop shell icons, and remembered folder views.


Command Prompt

Config Entry

<component displayname="Microsoft-Windows-CommandPrompt-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-commandprompt-dl/microsoft-windows-commandprompt-dl/settings"/>

Config Manifest

"\USMT\x86\DlManifests\commandprompt-dl.man"

Behavior Synopsis

Migrates limited CMD prompt settings for all users and computers (to include the default user profile settings). There is no UI for these settings.

 

The Complete List and Downloadable Versions

 

Ned “better than counting sheep” Pyle

Understanding what the USMT 4.0 CONFIG manifests migrate (Part 8: XP Section G)


This part covers the following config.xml components for Windows XP:

--------------------------------------------------------------------------------------------------

    <component displayname="Additional Options" migrate="yes" ID="additional_options">

      <component displayname="Windows Core Settings" migrate="yes" ID="additional_options\windows_core_settings">

        <component displayname="Microsoft-Windows-Win32k-Settings-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-win32k-settings-dl/microsoft-windows-win32k-settings-dl/settings"/>

        <component displayname="Microsoft-Windows-Web-Services-for-Management-Core-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-web-services-for-management-core-dl/microsoft-windows-web-services-for-management-core-dl/settings"/>

        <component displayname="Microsoft-Windows-RPC-Remote-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-rpc-remote-dl/microsoft-windows-rpc-remote-dl/settings"/>

        <component displayname="Microsoft-Windows-RPC-Local-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-rpc-local-dl/microsoft-windows-rpc-local-dl/settings"/>

        <component displayname="Microsoft-Windows-RPC-HTTP-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-rpc-http-dl/microsoft-windows-rpc-http-dl/settings"/>

        <component displayname="Microsoft-Windows-RasApi-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-rasapi-dl/microsoft-windows-rasapi-dl/settings"/>


--------------------------------------------------------------------------------------------------

 

Win32 Core

Config Entry

<component displayname="Microsoft-Windows-Win32k-Settings-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-win32k-settings-dl/microsoft-windows-win32k-settings-dl/settings"/>

Config Manifest

"\USMT\x86\DlManifests\win32k-settings-dl.man"

Behavior Synopsis

Migrates per-computer (user-agnostic) Win32k settings such as service, timeout, system font, debug, and error settings (these have no UI). Also migrates per-user CMD prompt customizations and certain customized Control Panel settings, such as mouse, keyboard, and accessibility.


Windows Remote Management

Config Entry

<component displayname="Microsoft-Windows-Web-Services-for-Management-Core-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-web-services-for-management-core-dl/microsoft-windows-web-services-for-management-core-dl/settings"/>

Config Manifest

"\USMT\x86\DlManifests\web-services-for-management-core-dl.man"

Behavior Synopsis

Migrates the per-computer Windows Remote Management settings that exist if http://support.microsoft.com/kb/936059 is installed (WinRM is an out-of-band download for XP).


RPC Ports

Config Entry

<component displayname="Microsoft-Windows-RPC-Remote-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-rpc-remote-dl/microsoft-windows-rpc-remote-dl/settings"/>

Config Manifest

"\USMT\x86\DlManifests\rpc-remote-dl.man"

Behavior Synopsis

Migrates per-computer remote RPC port customizations as defined in http://support.microsoft.com/kb/154596. There is no UI for these settings.

Local RPC over LPC and Named Pipes

Config Entry

<component displayname="Microsoft-Windows-RPC-Local-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-rpc-local-dl/microsoft-windows-rpc-local-dl/settings"/>

Config Manifest

"\USMT\x86\DlManifests\rpc-local-dl.man"

Behavior Synopsis

Migrates per-computer local RPC port customizations. There is no UI for these settings, they do not exist by default, and they are not publicly documented.

UseProxyForIPAddrIfRDNSFails

Config Entry

<component displayname="Microsoft-Windows-RPC-HTTP-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-rpc-http-dl/microsoft-windows-rpc-http-dl/settings"/>

Config Manifest

"\USMT\x86\DlManifests\rpc-http-dl.man"

Behavior Synopsis

Migrates per-computer RPC over HTTP customization, only for the value "UseProxyForIPAddrIfRDNSFails" as defined in http://msdn.microsoft.com/en-us/library/aa373592(VS.85).aspx. There is no UI for this setting.

RAS Preferences

Config Entry

<component displayname="Microsoft-Windows-RasApi-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-rasapi-dl/microsoft-windows-rasapi-dl/settings"/>

Config Manifest

"\USMT\x86\DlManifests\rasapi-dl.man"

Behavior Synopsis

Migrates customized routing and remote access connection information on a per-user and per-computer basis. Some of these settings are overridden by Microsoft-Windows-RasConnectionManager-DL (see previous).

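The point of knowing what each of these components migrates is to decide which ones to leave at migrate="yes" and which to flip to migrate="no" in config.xml before running scanstate. Several of the components in this section (the RPC port customizations, the undocumented local RPC settings, and the WinRM configuration) carry per-computer settings that have no UI on the destination, so whatever is migrated cannot be reviewed afterwards through the normal management tools. The script below is an added example, not part of the original post or of USMT, that flips matching components to migrate="no" and reports what changed. The config.xml it operates on is a constructed sample modelled on the fragment quoted above (only the six components covered here are included); the choice of which components to exclude is the example's own and not a recommendation from the post.

```python
"""Toggle migrate="yes"/"no" on USMT config.xml components by displayname pattern.

Added example; not code from the original post or from USMT itself.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample config.xml, modelled on the config.xml fragment quoted in the post.
# It is not real scanstate /genconfig output; only the components from this section appear.
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <WindowsComponents>
    <component displayname="Additional Options" migrate="yes" ID="additional_options">
      <component displayname="Windows Core Settings" migrate="yes" ID="additional_options\windows_core_settings">
        <component displayname="Microsoft-Windows-Win32k-Settings-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-win32k-settings-dl/microsoft-windows-win32k-settings-dl/settings"/>
        <component displayname="Microsoft-Windows-Web-Services-for-Management-Core-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-web-services-for-management-core-dl/microsoft-windows-web-services-for-management-core-dl/settings"/>
        <component displayname="Microsoft-Windows-RPC-Remote-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-rpc-remote-dl/microsoft-windows-rpc-remote-dl/settings"/>
        <component displayname="Microsoft-Windows-RPC-Local-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-rpc-local-dl/microsoft-windows-rpc-local-dl/settings"/>
        <component displayname="Microsoft-Windows-RPC-HTTP-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-rpc-http-dl/microsoft-windows-rpc-http-dl/settings"/>
        <component displayname="Microsoft-Windows-RasApi-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-rasapi-dl/microsoft-windows-rasapi-dl/settings"/>
      </component>
    </component>
  </WindowsComponents>
</Configuration>
"""

# Components this example chooses to exclude: per-computer settings with no UI on the
# destination (RPC port customizations, local RPC settings, WinRM configuration).
# This is the example's own selection, not guidance from the post.
EXCLUDE_PATTERNS = [
    r"^Microsoft-Windows-RPC-(Remote|Local|HTTP)-DL$",
    r"^Microsoft-Windows-Web-Services-for-Management-Core-DL$",
]


def list_components(xml_text):
    """Return {displayname: migrate} for every <component> at any nesting depth."""
    root = ET.fromstring(xml_text)
    table = {}
    for comp in root.iter("component"):
        name = comp.get("displayname")
        migrate = comp.get("migrate", "").lower()
        # config.xml only understands yes/no; anything else is a hand-edit gone wrong.
        if migrate not in ("yes", "no"):
            raise ValueError(f"component {name!r} has unexpected migrate={migrate!r}")
        table[name] = migrate
    return table


def set_migrate(xml_text, patterns, value="no"):
    """Set migrate=value on every component whose displayname matches a pattern.

    Returns (new_xml_text, changed_displaynames). Matching is on displayname rather
    than on the long ID URI so the patterns stay readable; nesting is preserved.
    """
    if value not in ("yes", "no"):
        raise ValueError("migrate must be 'yes' or 'no'")
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    root = ET.fromstring(xml_text)
    changed = []
    for comp in root.iter("component"):
        name = comp.get("displayname", "")
        if any(rx.search(name) for rx in compiled) and comp.get("migrate") != value:
            comp.set("migrate", value)
            changed.append(name)
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body, changed


if __name__ == "__main__":
    new_xml, changed = set_migrate(SAMPLE_CONFIG, EXCLUDE_PATTERNS)
    print("changed:", ", ".join(changed) or "(nothing)")
    for name, migrate in list_components(new_xml).items():
        print(f"{migrate:3}  {name}")
    # To use the result: write new_xml to config.xml and pass it to scanstate /config:config.xml
```

Running the script prints the four components it flipped and the resulting yes/no table for all eight; re-running set_migrate on its own output changes nothing, which is a cheap way to confirm the edit is idempotent before the file goes into an automated scanstate job.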

The Complete List and Downloadable Versions

 

 

Ned “better than counting sheep” Pyle
