
Understanding what the USMT 4.0 CONFIG manifests migrate (Part 9: XP Section H)


This part covers the following config.xml components for Windows XP:

--------------------------------------------------------------------------------------------------

        <component displayname="Microsoft-Windows-Microsoft-Data-Access-Components-(MDAC)-ODBC-DriverManager-Dll-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-microsoft-data-access-components-(mdac)-odbc-drivermanager-dll-dl/microsoft-windows-microsoft-data-access-components-(mdac)-odbc-drivermanager-dll-dl/settings"/>

        <component displayname="Microsoft-Windows-COM-ComPlus-Setup-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-com-complus-setup-dl/microsoft-windows-com-complus-setup-dl/settings"/>

        <component displayname="Microsoft-Windows-COM-Base-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-com-base-dl/microsoft-windows-com-base-dl/settings"/>

        <component displayname="Microsoft-Windows-ICM-Profiles-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-icm-profiles-dl/microsoft-windows-icm-profiles-dl/settings"/>

        <component displayname="Microsoft-Windows-feclient-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-feclient-dl/microsoft-windows-feclient-dl/settings"/>

        <component displayname="Microsoft-Windows-dpapi-keys-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-dpapi-keys-dl/microsoft-windows-dpapi-keys-dl/settings"/>

        <component displayname="Microsoft-Windows-Crypto-keys-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-crypto-keys-dl/microsoft-windows-crypto-keys-dl/settings"/>

        <component displayname="Microsoft-Windows-CAPI2-certs-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-capi2-certs-dl/microsoft-windows-capi2-certs-dl/settings"/>

      </component>

    </component>

    <component displayname="Accessibility" migrate="yes" ID="accessibility">

      <component displayname="Accessibility Settings" migrate="yes" ID="accessibility\accessibility_settings">

        <component displayname="Microsoft-Windows-accessibilitycpl-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-accessibilitycpl-dl/microsoft-windows-accessibilitycpl-dl/settings"/>

      </component>

    </component>

--------------------------------------------------------------------------------------------------

ODBC & MDAC

Config Entry

<component displayname="Microsoft-Windows-Microsoft-Data-Access-Components-(MDAC)-ODBC-DriverManager-Dll-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-microsoft-data-access-components-(mdac)-odbc-drivermanager-dll-dl/microsoft-windows-microsoft-data-access-components-(mdac)-odbc-drivermanager-dll-dl/settings"/>

Config Manifest

"\USMT\x86\DlManifests\odbc32dll-dl.man"

Behavior Synopsis

Migrates per-user and per-computer ODBC settings from registry and file system.


COM+ Applications

Config Entry

<component displayname="Microsoft-Windows-COM-ComPlus-Setup-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-com-complus-setup-dl/microsoft-windows-com-complus-setup-dl/settings"/>

Config Manifest

"\USMT\x86\DlManifests\microsoft.windows.com.complus.setup.dl.man"

Plugin: Microsoft-Windows-COM-ComPlus-Setup-DL\commig.dl

Behavior Synopsis

Migrates COM+ application settings per-user and per-system. There is no UI; these settings are configured by applications.

Critical note: you should always set this component to migrate="no" in config.xml when migrating from x86 to x64 computers, due to a bug described in KB2481190.

DCOM

Config Entry

<component displayname="Microsoft-Windows-COM-Base-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-com-base-dl/microsoft-windows-com-base-dl/settings"/>

Config Manifest

"\USMT\x86\DlManifests\microsoft.windows.com.base-dl.man"

Behavior Synopsis

Migrates OLE (i.e. DCOM) settings and files for the computer.


Image Color Management

Config Entry

<component displayname="Microsoft-Windows-ICM-Profiles-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-icm-profiles-dl/microsoft-windows-icm-profiles-dl/settings"/>

Config Manifest

"\USMT\x86\DlManifests\microsoft-windows-icm-profiles-dl.man"

Behavior Synopsis

Migrates printer system color profiles for the computer, which can be modified by users through the add-on Microsoft Color Control Panel Applet.


EFS

Config Entry

<component displayname="Microsoft-Windows-feclient-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-feclient-dl/microsoft-windows-feclient-dl/settings"/>

Config Manifest

"\USMT\x86\DlManifests\feclient-dl.man"

Behavior Synopsis

Migrates per-user and per-computer file encryption (EFS) options. These are mainly set through the registry or by the act of encrypting files; there is limited UI, see http://technet.microsoft.com/en-us/library/cc736602(WS.10).aspx.


DPAPI

Config Entry

<component displayname="Microsoft-Windows-dpapi-keys-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-dpapi-keys-dl/microsoft-windows-dpapi-keys-dl/settings"/>

Config Manifest

"\USMT\x86\DlManifests\dpapi_keys-dl.man"

Behavior Synopsis

Migrates the DPAPI encryption keys for users and computers. There is no UI for these settings and data.

Certificate Private Keys

Config Entry

<component displayname="Microsoft-Windows-Crypto-keys-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-crypto-keys-dl/microsoft-windows-crypto-keys-dl/settings"/>

Config Manifest

"\USMT\x86\DlManifests\crypto_keys-dl.man"

Behavior Synopsis

Copies the certificate private keys for users (but not the computer's private keys, due to the behavior described in http://blogs.technet.com/b/askds/archive/2010/12/03/friday-mail-sack-pew-pew-pew-edition.aspx#usmtcert and http://blogs.technet.com/b/askds/archive/2011/05/06/friday-mail-sack-who-am-i-kidding-more-like-monthly-edition.aspx#usmtcert).


Certificate Public Keys

Config Entry

<component displayname="Microsoft-Windows-CAPI2-certs-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-capi2-certs-dl/microsoft-windows-capi2-certs-dl/settings"/>

Config Manifest

"\USMT\x86\DlManifests\capi2_certs-dl.man"

Behavior Synopsis

Copies the certificates with their public keys for users and computers (independently of the private keys, as described in http://blogs.technet.com/b/askds/archive/2010/12/03/friday-mail-sack-pew-pew-pew-edition.aspx#usmtcert).
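The COM+ critical note above and the DPAPI, private-key and certificate sections together are the places where a config.xml review pays off, so here is an added example (not from this post and not part of USMT) that reads a config.xml, reports which key-material components are currently set to migrate, flags the COM+ component when the migration is x86 to x64, and rewrites it to migrate="no". The embedded config.xml is a constructed, trimmed sample built only from entries quoted in this post; the parent/child inheritance of the migrate attribute is not modelled, each entry reports its own value.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed config.xml that keeps only entries quoted in this
# post (real files are far longer and carry other sections).
SAMPLE_CONFIG = """<Configuration>
  <WindowsComponents>
    <component displayname="Microsoft-Windows-COM-ComPlus-Setup-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-com-complus-setup-dl/microsoft-windows-com-complus-setup-dl/settings"/>
    <component displayname="Microsoft-Windows-feclient-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-feclient-dl/microsoft-windows-feclient-dl/settings"/>
    <component displayname="Microsoft-Windows-dpapi-keys-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-dpapi-keys-dl/microsoft-windows-dpapi-keys-dl/settings"/>
    <component displayname="Microsoft-Windows-Crypto-keys-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-crypto-keys-dl/microsoft-windows-crypto-keys-dl/settings"/>
    <component displayname="Microsoft-Windows-CAPI2-certs-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-capi2-certs-dl/microsoft-windows-capi2-certs-dl/settings"/>
    <component displayname="Accessibility" migrate="yes" ID="accessibility">
      <component displayname="Microsoft-Windows-accessibilitycpl-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-accessibilitycpl-dl/microsoft-windows-accessibilitycpl-dl/settings"/>
    </component>
  </WindowsComponents>
</Configuration>
"""

# Components from this post whose payload is key material or encryption options.
# Whether that data may leave the source machine inside a migration store is a
# policy call; the report below only makes the current setting visible.
KEY_MATERIAL_COMPONENTS = {
    "Microsoft-Windows-dpapi-keys-DL": "DPAPI keys for users and computer",
    "Microsoft-Windows-Crypto-keys-DL": "certificate private keys for users",
    "Microsoft-Windows-CAPI2-certs-DL": "certificates with public keys",
    "Microsoft-Windows-feclient-DL": "EFS options",
}

# Components the post says must be migrate="no" for an x86 -> x64 migration.
CROSS_ARCH_MUST_BE_NO = {
    "Microsoft-Windows-COM-ComPlus-Setup-DL": "KB2481190",
}


def load(xml_text):
    """Parse config.xml text into an element tree root."""
    return ET.fromstring(xml_text)


def find_component(root, displayname):
    """Return the first <component> (at any depth) with this displayname, or None."""
    for comp in root.iter("component"):
        if comp.get("displayname") == displayname:
            return comp
    return None


def set_migrate(root, displayname, value):
    """Set migrate="yes"/"no" on one component. Returns False if it is absent."""
    if value not in ("yes", "no"):
        raise ValueError("migrate must be 'yes' or 'no'")
    comp = find_component(root, displayname)
    if comp is None:
        return False
    comp.set("migrate", value)
    return True


def key_material_report(root):
    """(displayname, what it carries, migrate value) for each key-material
    component present. Each entry reports its own attribute only."""
    rows = []
    for name, what in KEY_MATERIAL_COMPONENTS.items():
        comp = find_component(root, name)
        if comp is not None:
            rows.append((name, what, comp.get("migrate")))
    return rows


def cross_arch_findings(root, source_arch, dest_arch):
    """Components still set to migrate="yes" that must be "no" for x86 -> x64.
    Returns [] for any other architecture pair."""
    if (source_arch, dest_arch) != ("x86", "x64"):
        return []
    findings = []
    for name, kb in CROSS_ARCH_MUST_BE_NO.items():
        comp = find_component(root, name)
        if comp is not None and comp.get("migrate") == "yes":
            findings.append((name, kb))
    return findings


def harden_for_x86_to_x64(xml_text):
    """Flip every CROSS_ARCH_MUST_BE_NO component to migrate="no".
    Returns (new config.xml text, list of displaynames changed)."""
    root = load(xml_text)
    changed = [n for n in CROSS_ARCH_MUST_BE_NO if set_migrate(root, n, "no")]
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    root = load(SAMPLE_CONFIG)
    for name, kb in cross_arch_findings(root, "x86", "x64"):
        print(f'must be migrate="no" for x86->x64: {name} (see {kb})')
    for name, what, value in key_material_report(root):
        print(f"migrate={value}: {name} -> {what}")
    fixed, changed = harden_for_x86_to_x64(SAMPLE_CONFIG)
    print("changed:", changed)
```

To run it against a real file, replace SAMPLE_CONFIG with the contents of the config.xml produced by scanstate /genconfig and write the returned text back out.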


Accessibility

Config Entry

<component displayname="Microsoft-Windows-accessibilitycpl-DL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-accessibilitycpl-dl/microsoft-windows-accessibilitycpl-dl/settings"/>

Config Manifest

"\USMT\x86\DlManifests\accessibilitycpl-dl.man"

Behavior Synopsis

Copies per-user Accessibility settings such as color, Narrator, and Magnifier, plus mouse and desktop window settings (some of which are duplicated by the Win32 manifest).


The Complete List and Downloadable Versions

 

Ned “better than counting sheep” Pyle


Understanding what the USMT 4.0 CONFIG manifests migrate (Part 10: Vista Section A)


This part covers the following config.xml components for Windows Vista:

--------------------------------------------------------------------------------------------------

<component displayname="gadgets" migrate="yes" ID="gadgets">

      <component displayname="gadgets\sticky notes" migrate="yes" ID="gadgets\sticky notes">

        <component displayname="Microsoft-Windows-Gadgets-stickyNotes" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-gadgets-stickynotes/microsoft-windows-gadgets-stickynotes/settings"/>

      </component>

    </component>

    <component displayname="Microsoft-Windows-sysdm" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-sysdm/microsoft-windows-sysdm/settings"/>

    <component displayname="Microsoft-Windows-eudcedit" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-eudcedit/microsoft-windows-eudcedit/settings"/>

    <component displayname="WCF-NonHTTP-Activation" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/wcf-nonhttp-activation/wcf-nonhttp-activation/settings"/>

    <component displayname="Microsoft-Windows-NETFX35CDFComp" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-netfx35cdfcomp/microsoft-windows-netfx35cdfcomp/settings"/>

    <component displayname="Microsoft-Windows-TerminalServices-AppServer-Licensing" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-terminalservices-appserver-licensing/microsoft-windows-terminalservices-appserver-licensing/settings"/>

    <component displayname="Microsoft-Windows-Shell-Sounds" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-shell-sounds/microsoft-windows-shell-sounds/settings"/>

    <component displayname="Microsoft-Windows-mmsys" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-mmsys/microsoft-windows-mmsys/settings"/>


 

--------------------------------------------------------------------------------------------------

 

Sticky Notes 1

Config Entry

<component displayname="Microsoft-Windows-Gadgets-stickyNotes" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-gadgets-stickynotes/microsoft-windows-gadgets-stickynotes/settings"/>

Config Manifest

"\USMT\x86\ReplacementManifests\stickynotes-replacement.man"

Behavior Synopsis

Creates a per-user virtual upgrade status registry value that will be written to the destination OS, only if the source OS is Windows Vista. If that destination OS is Windows 7, the Sticky Notes tool will read the upgrade value when first started and convert any existing sticky notes to the newer format. Has no effect on Vista to Vista migrations. Used in conjunction with TABLETPCSTICKYNOTES-REPLACEMENT.MAN, which migrates the actual settings (see Sticky Notes 2). There is no UI for this setting.

SYSDM Performance and Recovery

Config Entry

<component displayname="Microsoft-Windows-sysdm" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-sysdm/microsoft-windows-sysdm/settings"/>

Config Manifest

"\USMT\x86\ReplacementManifests\sysdm-replacement.man"

Behavior Synopsis

Migrates per-computer settings for the crash dump and page file options.


Private Character Creator

Config Entry

<component displayname="Microsoft-Windows-eudcedit" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-eudcedit/microsoft-windows-eudcedit/settings"/>

Config Manifest

"\USMT\x86\ReplacementManifests\EUDCEDIT-REPLACEMENT.MAN"

Behavior Synopsis

Migrates fonts and settings created by the Private Character Creator (eudcedit.exe) for the users and the Windows fonts folder.


WCF Non-HTTP Activation

Config Entry

<component displayname="WCF-NonHTTP-Activation" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/wcf-nonhttp-activation/wcf-nonhttp-activation/settings"/>

Config Manifest

"\USMT\x86\ReplacementManifests\wcf-nonhttp-activation-replacement.man"

Behavior Synopsis

Placeholder; does nothing.

NETFX 3.5

Config Entry

<component displayname="Microsoft-Windows-NETFX35CDFComp" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-netfx35cdfcomp/microsoft-windows-netfx35cdfcomp/settings"/>

Config Manifest

"\USMT\x86\ReplacementManifests\microsoft-windows-netfx35cdfcomp-replacement.man"

Behavior Synopsis

Placeholder; does nothing.

Terminal Services Licensing

Config Entry

<component displayname="Microsoft-Windows-TerminalServices-AppServer-Licensing" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-terminalservices-appserver-licensing/microsoft-windows-terminalservices-appserver-licensing/settings"/>

Config Manifest

"\USMT\x86\ReplacementManifests\terminalservices-appserver-licensing-replacement.man"

Behavior Synopsis

Does nothing on Windows Vista; these settings are for terminal servers to discover TS Licensing servers. The manifest is incorrectly scoped.

Shell Sounds

Config Entry

<component displayname="Microsoft-Windows-Shell-Sounds" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-shell-sounds/microsoft-windows-shell-sounds/settings"/>

Config Manifest

"\USMT\x86\ReplacementManifests\sounds-migration-replacement.man"

Behavior Synopsis

Migrates user and computer sound scheme settings plus the audio files.


Audio View

Config Entry

<component displayname="Microsoft-Windows-mmsys" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-mmsys/microsoft-windows-mmsys/settings"/>

Config Manifest

"\USMT\x86\ReplacementManifests\mmsys-migration-replacement.man"

Behavior Synopsis

Migrates the per-user settings that control whether disconnected and disabled audio devices are shown.

 


 

The Complete List and Downloadable Versions

 

Ned “better than counting sheep” Pyle

Understanding what the USMT 4.0 CONFIG manifests migrate (Part 11: Vista Section B)


This part covers the following config.xml components for Windows Vista:

--------------------------------------------------------------------------------------------------

    <component displayname="Microsoft-Windows-TerminalServices-Manager-SnapIn-NonMSIL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-terminalservices-manager-snapin-nonmsil/microsoft-windows-terminalservices-manager-snapin-nonmsil/settings"/>

    <component displayname="Microsoft-Windows-Printing-LocalPrinting" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-printing-localprinting/microsoft-windows-printing-localprinting/settings"/>

    <component displayname="TSPortalWebPart" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/tsportalwebpart/tsportalwebpart/settings"/>

    <component displayname="WCF-HTTP-Activation" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/wcf-http-activation/wcf-http-activation/settings"/>

    <component displayname="Microsoft-Windows-Application-Experience-Program-Compatibility-Assistant" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-application-experience-program-compatibility-assistant/microsoft-windows-application-experience-program-compatibility-assistant/settings"/>

    <component displayname="Microsoft-Windows-SystemMaintenanceService" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-systemmaintenanceservice/microsoft-windows-systemmaintenanceservice/settings"/>

    <component displayname="WindowsSearchEngine" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/windowssearchengine/windowssearchengine/settings"/>

    <component displayname="Microsoft-Windows-WCFCoreComp" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-wcfcorecomp/microsoft-windows-wcfcorecomp/settings"/>


 

--------------------------------------------------------------------------------------------------

Terminal Services Manager

Config Entry

<component displayname="Microsoft-Windows-TerminalServices-Manager-SnapIn-NonMSIL" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-terminalservices-manager-snapin-nonmsil/microsoft-windows-terminalservices-manager-snapin-nonmsil/settings"/>

Config Manifest

"\USMT\x86\ReplacementManifests\terminalservices-manager-snapin-replacement.man"

Behavior Synopsis

Migrates per-user Terminal Services Manager RSAT snap-in settings.


Legacy Communication Ports

Config Entry

<component displayname="Microsoft-Windows-Printing-LocalPrinting" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-printing-localprinting/microsoft-windows-printing-localprinting/settings"/>

Config Manifest

"\USMT\x86\ReplacementManifests\printing-localprinting-replacement.man"

Behavior Synopsis

Migrates the per-computer legacy port settings (LPT, COM, etc.). These settings are typically added through the Local Printer wizard.


Remote Desktop Services Web Portal

Config Entry

<component displayname="TSPortalWebPart" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/tsportalwebpart/tsportalwebpart/settings"/>

Config Manifest

"\USMT\x86\ReplacementManifests\terminalservices-rapwebpart-replacement.man"

Behavior Synopsis

Does nothing on Windows Vista; these settings are for Remote Desktop Services (Terminal Server) web gateway servers. The manifest is incorrectly scoped.

WCF HTTP Activation

Config Entry

<component displayname="WCF-HTTP-Activation" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/wcf-http-activation/wcf-http-activation/settings"/>

Config Manifest

"\USMT\x86\ReplacementManifests\wcf-http-activation-replacement.man"

Behavior Synopsis

Placeholder; does nothing.

Application Experience Program Compatibility Assistant

Config Entry

<component displayname="Microsoft-Windows-Application-Experience-Program-Compatibility-Assistant" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-application-experience-program-compatibility-assistant/microsoft-windows-application-experience-program-compatibility-assistant/settings"/>

Config Manifest

"\USMT\x86\ReplacementManifests\application-experience-program-compatibility-assistant-replacement.man"

Behavior Synopsis

Migrates per-user and per-computer software compatibility settings.


SuperFetch and ReadyBoost

Config Entry

<component displayname="Microsoft-Windows-SystemMaintenanceService" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-systemmaintenanceservice/microsoft-windows-systemmaintenanceservice/settings"/>

Config Manifest

"\USMT\x86\ReplacementManifests\sysmain-replacement.man"

Behavior Synopsis

Migrates per-computer ReadyBoost settings for saved devices. Also creates a SuperFetch virtual upgrade status registry value that will be written to the destination OS and is read only by Windows 7. The settings in "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt" are then upgraded correctly by Windows 7. This upgrade value has no effect on Vista to Vista migration.


Windows Search

Config Entry

<component displayname="WindowsSearchEngine" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/windowssearchengine/windowssearchengine/settings"/>

Config Manifest

"\USMT\x86\ReplacementManifests\windowssearchengine-replacement.man"

Behavior Synopsis

Migrates per-computer file indexing options.


WCF Core

Config Entry

<component displayname="Microsoft-Windows-WCFCoreComp" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-wcfcorecomp/microsoft-windows-wcfcorecomp/settings"/>

Config Manifest

"\USMT\x86\ReplacementManifests\microsoft-windows-wcfcorecomp-replacement.man"

Behavior Synopsis

Placeholder; does nothing.

The Complete List and Downloadable Versions

    

Ned “better than counting sheep” Pyle

Understanding what the USMT 4.0 CONFIG manifests migrate (Part 12: Vista Section C)


This part covers the following config.xml components for Windows Vista:

--------------------------------------------------------------------------------------------------

<component displayname="Tablet PC Settings" migrate="yes" ID="tablet_pc_settings">

      <component displayname="Input Panel" migrate="yes" ID="tablet_pc_settings\tablet_pc_input_panel">

        <component displayname="Microsoft-Windows-TabletPC-InputPanel" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-tabletpc-inputpanel/microsoft-windows-tabletpc-inputpanel/settings"/>

      </component>

      <component displayname="Accessories" migrate="yes" ID="tablet_pc_settings\tablet_pc_accessories">

        <component displayname="Microsoft-Windows-TabletPC-StickyNotes" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-tabletpc-stickynotes/microsoft-windows-tabletpc-stickynotes/settings"/>

        <component displayname="Microsoft-Windows-TabletPC-SnippingTool" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-tabletpc-snippingtool/microsoft-windows-tabletpc-snippingtool/settings"/>

        <component displayname="Microsoft-Windows-TabletPC-Journal" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-tabletpc-journal/microsoft-windows-tabletpc-journal/settings"/>

        <component displayname="Microsoft-Windows-TabletPC-InkBall" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-tabletpc-inkball/microsoft-windows-tabletpc-inkball/settings"/>

      </component>

      <component displayname="Handwriting Recognition" migrate="yes" ID="tablet_pc_settings\handwriting_recognition">

        <component displayname="Microsoft-Windows-TabletPC-InputPersonalization" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-tabletpc-inputpersonalization/microsoft-windows-tabletpc-inputpersonalization/settings"/>

      </component>

    </component>


--------------------------------------------------------------------------------------------------

Tablet PC Input Panel

Config Entry

<component displayname="Microsoft-Windows-TabletPC-InputPanel" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-tabletpc-inputpanel/microsoft-windows-tabletpc-inputpanel/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_6.0.6002.18005_none_137a8ed274a4186a.manifest

Behavior Synopsis

Migrates per-user tablet input panel settings.


Sticky Notes 2

Config Entry

<component displayname="Microsoft-Windows-TabletPC-StickyNotes" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-tabletpc-stickynotes/microsoft-windows-tabletpc-stickynotes/settings"/>

Config Manifest

"\USMT\x86\ReplacementManifests\tabletpcstickynotes-replacement.man"

Behavior Synopsis

Migrates per-user sticky notes settings and saved files. Used in conjunction with stickynotes-replacement.man. See Sticky Notes 1.


Snipping Tool

Config Entry

<component displayname="Microsoft-Windows-TabletPC-SnippingTool" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-tabletpc-snippingtool/microsoft-windows-tabletpc-snippingtool/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-tabletpc-snippingtool_31bf3856ad364e35_6.0.6002.18005_none_d19e70e609e24e84.manifest

Behavior Synopsis

Migrates per-user snipping tool settings.


Windows Journal

Config Entry

<component displayname="Microsoft-Windows-TabletPC-Journal" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-tabletpc-journal/microsoft-windows-tabletpc-journal/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.0.6002.18005_none_199d015da1ba0131.manifest

Behavior Synopsis

Migrates per-user journal settings.


Inkball

Config Entry

<component displayname="Microsoft-Windows-TabletPC-InkBall" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-tabletpc-inkball/microsoft-windows-tabletpc-inkball/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-tabletpc-inkball_31bf3856ad364e35_6.0.6002.18005_none_cbf1f985670d2173.manifest

Behavior Synopsis

Migrates per-user Inkball Game preferences and saved scores.


Handwriting Recognition

Config Entry

<component displayname="Microsoft-Windows-TabletPC-InputPersonalization" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-tabletpc-inputpersonalization/microsoft-windows-tabletpc-inputpersonalization/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_6.0.6002.18005_none_41978c01c3760094.manifest

Plugin: %CommonProgramFiles%\Microsoft Shared\Ink\IpsMigrationPlugin.dll

Behavior Synopsis

Migrates per-user handwriting recognition settings, including the stored database of learned words. The plugin detects and shuts down the Input Personalization service so that the database can be migrated successfully.


The Complete List and Downloadable Versions

 

Ned “better than counting sheep” Pyle

Understanding what the USMT 4.0 CONFIG manifests migrate (Part 13: Vista Section D)


This part covers the following config.xml components for Windows Vista:

--------------------------------------------------------------------------------------------------

    <component displayname="Sound and Speech Recognition" migrate="yes" ID="sound_and_speech_recognition">

      <component displayname="Speech Recognition" migrate="yes" ID="sound_and_speech_recognition\speech_recognition">

        <component displayname="Microsoft-Windows-SpeechCommon" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-speechcommon/microsoft-windows-speechcommon/settings"/>

      </component>

    </component>

    <component displayname="Microsoft-Windows-shmig" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-shmig/microsoft-windows-shmig/settings"/>

    <component displayname="Microsoft-Windows-Rasppp" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-rasppp/microsoft-windows-rasppp/settings"/>

    <component displayname="Microsoft-Windows-RasmanService" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-rasmanservice/microsoft-windows-rasmanservice/settings"/>

    <component displayname="Microsoft-Windows-Rights-Management-Client-v1-API" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-rights-management-client-v1-api/microsoft-windows-rights-management-client-v1-api/settings"/>

    <component displayname="Hardware" migrate="yes" ID="hardware">

      <component displayname="Phone and Modem" migrate="yes" ID="hardware\phone_and_modem">

        <component displayname="Microsoft-Windows-TapiSetup" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-tapisetup/microsoft-windows-tapisetup/settings"/>

      </component>

      <component displayname="Printers and Faxes" migrate="yes" ID="hardware\printers_and_faxes">

        <component displayname="Microsoft-Windows-Printing-Spooler-Core" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-printing-spooler-core/microsoft-windows-printing-spooler-core/settings"/>

        <component displayname="Microsoft-Windows-Printing-Spooler-Networkclient" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-printing-spooler-networkclient/microsoft-windows-printing-spooler-networkclient/settings"/>

        <component displayname="Microsoft-Windows-Printing-Spooler-Core-Localspl" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-printing-spooler-core-localspl/microsoft-windows-printing-spooler-core-localspl/settings"/>

      </component>

    </component>

--------------------------------------------------------------------------------------------------

Speech

Config Entry

<component displayname="Microsoft-Windows-SpeechCommon" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-speechcommon/microsoft-windows-speechcommon/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-speechcommon_31bf3856ad364e35_6.1.7601.17514_none_d809b28230ecfe46.manifest

Behavior Synopsis

Migrates per-user and per-computer speech writer and speech recognition settings.


Telephony

Config Entry

<component displayname="Microsoft-Windows-TapiSetup" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-tapisetup/microsoft-windows-tapisetup/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-tapisetup_31bf3856ad364e35_6.0.6001.18000_none_69f32ac39b2a05e1.manifest

Behavior Synopsis

Migrates per-user and per-computer telephony settings.


Print Spooler

Config Entry

<component displayname="Microsoft-Windows-Printing-Spooler-Core" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-printing-spooler-core/microsoft-windows-printing-spooler-core/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.0.6002.22468_none_d882e000d7f61b4c.manifest

Behavior Synopsis

Migrates per-computer and per-user print provider and spooler settings.


Mapped Printers

Config Entry

<component displayname="Microsoft-Windows-Printing-Spooler-Networkclient" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-printing-spooler-networkclient/microsoft-windows-printing-spooler-networkclient/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.0.6002.22468_none_d882e000d7f61b4c.manifest

Behavior Synopsis

Migrates mapped printer connections with their user-specified settings.


Clustered Printer

Config Entry

<component displayname="Microsoft-Windows-Printing-Spooler-Core-Localspl" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-printing-spooler-core-localspl/microsoft-windows-printing-spooler-core-localspl/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-p..ooler-core-localspl_31bf3856ad364e35_6.0.6001.22417_none_30a13292abcd7d6c.manifest

Behavior Synopsis

Does not apply to Windows Vista, as it migrates cluster settings. The manifest is incorrectly scoped.

The Complete List and Downloadable Versions

 

Ned “better than counting sheep” Pyle

Understanding what the USMT 4.0 CONFIG manifests migrate (Part 14: Vista Section E)


This part covers the following config.xml components for Windows Vista:

--------------------------------------------------------------------------------------------------

    <component displayname="Programs" migrate="yes" ID="programs">

      <component displayname="Media Player Settings" migrate="yes" ID="programs\media_player_settings">

        <component displayname="Microsoft-Windows-MediaPlayer-Migration" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-mediaplayer-migration/microsoft-windows-mediaplayer-migration/settings"/>

      </component>

    </component>

    <component displayname="Microsoft-Windows-Migration-DisplayGroups" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-migration-displaygroups/microsoft-windows-migration-displaygroups/settings"/>

    <component displayname="Communications and Sync" migrate="yes" ID="communications_and_sync">

      <component displayname="Windows Mail" migrate="yes" ID="communications_and_sync\windows_mail">

        <component displayname="Microsoft-Windows-WAB" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-wab/microsoft-windows-wab/settings"/>

        <component displayname="Microsoft-Windows-Mail" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-mail/microsoft-windows-mail/settings"/>

      </component>

      <component displayname="Fax" migrate="yes" ID="communications_and_sync\fax">

        <component displayname="Microsoft-Windows-Fax-Status-Monitor" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-fax-status-monitor/microsoft-windows-fax-status-monitor/settings"/>

        <component displayname="Microsoft-Windows-Fax-Service" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-fax-service/microsoft-windows-fax-service/settings"/>

        <component displayname="Microsoft-Windows-Fax-MAPI" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-fax-mapi/microsoft-windows-fax-mapi/settings"/>

        <component displayname="Microsoft-Windows-Fax-Client-Applications" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-fax-client-applications/microsoft-windows-fax-client-applications/settings"/>

      </component>

    </component>


--------------------------------------------------------------------------------------------------

 

Windows Media Player

Config Entry

<component displayname="Microsoft-Windows-MediaPlayer-Migration" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-mediaplayer-migration/microsoft-windows-mediaplayer-migration/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-mediaplayer-migration_31bf3856ad364e35_6.0.6002.18005_none_e00b3823f9132c02.manifest

PLUGIN file="%windir%\system32\migration\MediaPlayer-DLMigPlugin.dll"

Behavior Synopsis

Migrates all per-user and per-computer Windows Media Player settings (stored as XML in %appdata%\local\media player). The USMT plugin converts settings from the downlevel WMP version into the format the newer version expects.

Windows Address Book

Config Entry

<component displayname="Microsoft-Windows-WAB" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-wab/microsoft-windows-wab/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-wab_31bf3856ad364e35_6.0.6000.16386_none_a491ed325f8b7554.manifest

Behavior Synopsis

Migrates per-user Windows Address Book settings. Also creates a new registry entry for upgrade that is read by Windows Mail on first run by a user, which upgrades certain legacy Outlook Express address book settings. Does not migrate actual contact files, just the registry pointer to them in the user’s contacts shell folder. The Contacts folder is only migrated by migdocs.xml, not migusers.xml.


Windows Mail

Config Entry

<component displayname="Microsoft-Windows-Mail" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-mail/microsoft-windows-mail/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-mail_31bf3856ad364e35_6.0.6000.16386_none_a5db5d4d1eebd273.manifest

Behavior Synopsis

Migrates Windows Mail per-user client registry settings and each user's mail store.


FAX Sender

Config Entry

<component displayname="Microsoft-Windows-Fax-Status-Monitor" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-fax-status-monitor/microsoft-windows-fax-status-monitor/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-fax-status-monitor_31bf3856ad364e35_6.0.6001.18000_none_89450d8ff77e97b7.manifest

Behavior Synopsis

Migrates per-user fax sender info settings.


FAX Service

Config Entry

<component displayname="Microsoft-Windows-Fax-Service" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-fax-service/microsoft-windows-fax-service/settings"/>

Config Manifest

\USMT\x86\ReplacementManifests\MICROSOFT-WINDOWS-FAX-SERVICE-REPLACEMENT.MAN

Behavior Synopsis

Migrates Fax Service per-computer fax files and security settings.


FAX MAPI

Config Entry

<component displayname="Microsoft-Windows-Fax-MAPI" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-fax-mapi/microsoft-windows-fax-mapi/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-fax-mapi_31bf3856ad364e35_6.0.6001.18000_none_4fa0047b77e7a12b.manifest

Behavior Synopsis

Does nothing.

FAX Client

Config Entry

<component displayname="Microsoft-Windows-Fax-Client-Applications" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-fax-client-applications/microsoft-windows-fax-client-applications/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-f..client-applications_31bf3856ad364e35_6.0.6002.18005_none_7ae525732588302d.manifest

Behavior Synopsis

Migrates per-user Fax client settings (limited mainly to UI like column layouts) as well as all personal FAX files for each user.


The Complete List and Downloadable Versions

 

Ned “better than counting sheep” Pyle

Understanding what the USMT 4.0 CONFIG manifests migrate (Part 15: Vista Section F)


This part covers the following config.xml components for Windows Vista:

--------------------------------------------------------------------------------------------------


<component displayname="Performance and Maintenance" migrate="yes" ID="performance_and_maintenance">

      <component displayname="Diagnostics" migrate="yes" ID="performance_and_maintenance\diagnostics">

        <component displayname="Microsoft-Windows-RemoteAssistance-Exe" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-remoteassistance-exe/microsoft-windows-remoteassistance-exe/settings"/>

        <component displayname="Microsoft-Windows-Feedback-Service" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-feedback-service/microsoft-windows-feedback-service/settings"/>

      </component>

      <component displayname="Error Reporting" migrate="yes" ID="performance_and_maintenance\error_reporting">

        <component displayname="Microsoft-Windows-ErrorReportingCore" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-errorreportingcore/microsoft-windows-errorreportingcore/settings"/>

      </component>

    </component>

    <component displayname="Microsoft-Windows-Extensible-Authentication-Protocol-Host-Service" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-extensible-authentication-protocol-host-service/microsoft-windows-extensible-authentication-protocol-host-service/settings"/>

    <component displayname="Network and Internet" migrate="yes" ID="network_and_internet">

      <component displayname="Offline Files" migrate="yes" ID="network_and_internet\offline_files">

        <component displayname="Microsoft-Windows-OfflineFiles-Core" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-offlinefiles-core/microsoft-windows-offlinefiles-core/settings"/>

      </component>

      <component displayname="Internet Options" migrate="yes" ID="network_and_internet\internet_options">

        <component displayname="Microsoft-Windows-ieframe" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-ieframe/microsoft-windows-ieframe/settings"/>

        <component displayname="Microsoft-Windows-IE-InternetExplorer" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-ie-internetexplorer/microsoft-windows-ie-internetexplorer/settings"/>

        <component displayname="Microsoft-Windows-IE-Feeds-Platform" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-ie-feeds-platform/microsoft-windows-ie-feeds-platform/settings"/>

        <component displayname="Microsoft-Windows-IE-ClientNetworkProtocolImplementation" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-ie-clientnetworkprotocolimplementation/microsoft-windows-ie-clientnetworkprotocolimplementation/settings"/>

      </component>

--------------------------------------------------------------------------------------------------

 

Remote Assistance

Config Entry

<component displayname="Microsoft-Windows-RemoteAssistance-Exe" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-remoteassistance-exe/microsoft-windows-remoteassistance-exe/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-remoteassistance-exe_31bf3856ad364e35_6.0.6001.18000_none_3758172c01e5ce47.manifest

Behavior Synopsis

Migrates per-computer Remote Assistance settings.


Windows Error Reporting for Application Hangs

Config Entry

<component displayname="Microsoft-Windows-Feedback-Service" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-feedback-service/microsoft-windows-feedback-service/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-feedback-service_31bf3856ad364e35_6.0.6000.16386_none_7795316593fa8ed5.manifest

Behavior Synopsis

Migrates per-computer Windows Error Reporting service hang settings. There is no UI for these settings; they are undocumented and registry-only.

Windows Error Reporting

Config Entry

<component displayname="Microsoft-Windows-ErrorReportingCore" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-errorreportingcore/microsoft-windows-errorreportingcore/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-errorreportingcore_31bf3856ad364e35_6.0.6000.16386_none_1e3ff01a08f92b15.manifest

Behavior Synopsis

Migrates per-computer and per-user Windows Error Reporting settings.


EAP Host Service

Config Entry

<component displayname="Microsoft-Windows-Extensible-Authentication-Protocol-Host-Service" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-extensible-authentication-protocol-host-service/microsoft-windows-extensible-authentication-protocol-host-service/settings"/>

Config Manifest

\USMT\x86\ReplacementManifests\EXTENSIBLEAUTHENTICATIONPROTOCOLHOSTSERVICE-REP.MAN

Behavior Synopsis

Migrates per-computer EAP Host service settings. It blocks migration of computer-specific data, though, which means this manifest usually migrates nothing. There is no UI for this component.

Offline Files

Config Entry

<component displayname="Microsoft-Windows-OfflineFiles-Core" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-offlinefiles-core/microsoft-windows-offlinefiles-core/settings"/>

Config Manifest

\USMT\x86\ReplacementManifests\MICROSOFT-WINDOWS-OFFLINEFILES-REPLACEMENT.MAN

Plugin file="Microsoft-Windows-OfflineFiles-Core\Cscmig.dll"

Behavior Synopsis

Migrates per-computer and per-user Client Side Caching (Offline Files) settings. Does not migrate the offline files cache itself; the migrated settings allow a re-sync from the server afterwards. It is critical that admins ensure users synchronize data back to the server(s) before starting a migration, to avoid data loss.

Shell HTTP Handler

Config Entry

<component displayname="Microsoft-Windows-ieframe" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-ieframe/microsoft-windows-ieframe/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6000.16386_none_626baaa3b133f875.manifest

Plugin file="ieframe.dll"

Behavior Synopsis

Migrates the shell's default HTTP protocol registration information (by default, iexplore.exe and ieframe.dll) and handler information. There is no UI for these settings.

Internet Explorer

Config Entry

<component displayname="Microsoft-Windows-IE-InternetExplorer" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-ie-internetexplorer/microsoft-windows-ie-internetexplorer/settings"/>

Config Manifest

\USMT\x86\ReplacementManifests\MICROSOFT-WINDOWS-IE-INTERNETEXPLORER-REPL.MAN

Behavior Synopsis

Migrates per-user and per-computer settings as well as cached files, such as cookies and browsing history. Cookies may hold live session tokens, so a migration store that includes this component should be treated as sensitive.

Internet Explorer RSS Feeds

Config Entry

<component displayname="Microsoft-Windows-IE-Feeds-Platform" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-ie-feeds-platform/microsoft-windows-ie-feeds-platform/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-ie-feeds-platform_31bf3856ad364e35_6.0.6000.16386_none_5dafc8503d8b53ca.manifest

Behavior Synopsis

Migrates per-user internet Explorer RSS feed settings and cached files.


Internet Explorer Networking

Config Entry

<component displayname="Microsoft-Windows-IE-ClientNetworkProtocolImplementation" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-ie-clientnetworkprotocolimplementation/microsoft-windows-ie-clientnetworkprotocolimplementation/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6000.16386_none_ffb23181a4e80112.manifest

Plugin file="%systemroot%\system32\migration\WininetPlugin.dll"

Behavior Synopsis

Migrates per-user and per-computer Internet Explorer networking settings, such as automatic proxy configuration and security zones. It duplicates many of the operations of MICROSOFT-WINDOWS-IE-INTERNETEXPLORER-REPL.MAN, including copying history, cookies, and many user preference settings, so setting only one of the two components to migrate="no" does not keep that data out of the store.

The Complete List and Downloadable Versions

 

Ned “better than counting sheep” Pyle

Understanding what the USMT 4.0 CONFIG manifests migrate (Part 16: Vista Section G)


This part covers the following config.xml components for Windows Vista:

--------------------------------------------------------------------------------------------------

      <component displayname="Networking Connections" migrate="yes" ID="network_and_internet\networking_connections">

        <component displayname="Microsoft-Windows-Wlansvc" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-wlansvc/microsoft-windows-wlansvc/settings"/>

        <component displayname="Microsoft-Windows-RasConnectionManager" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-rasconnectionmanager/microsoft-windows-rasconnectionmanager/settings"/>

        <component displayname="Microsoft-Windows-RasApi" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-rasapi/microsoft-windows-rasapi/settings"/>

        <component displayname="Microsoft-Windows-PeerToPeerCollab" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-peertopeercollab/microsoft-windows-peertopeercollab/settings"/>

        <component displayname="Microsoft-Windows-MPR" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-mpr/microsoft-windows-mpr/settings"/>

        <component displayname="Microsoft-Windows-Dot3svc" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-dot3svc/microsoft-windows-dot3svc/settings"/>

      </component>

    </component>


--------------------------------------------------------------------------------------------------

Wireless LAN Service

Config Entry

<component displayname="Microsoft-Windows-Wlansvc" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-wlansvc/microsoft-windows-wlansvc/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6000.16386_none_9a0d805707fb1064.manifest

Behavior Synopsis

Migrates per-computer wireless settings by rerouting the source settings and files to a new location that triggers an upgrade on the destination computer, so that settings transition cleanly between versions.

Legacy Connection Manager

Config Entry

<component displayname="Microsoft-Windows-RasConnectionManager" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-rasconnectionmanager/microsoft-windows-rasconnectionmanager/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-rasconnectionmanager_31bf3856ad364e35_6.0.6000.16386_none_5ce97d75639a7c1b.manifest

Behavior Synopsis

Migrates add-on connection profiles, such as legacy ISP networks. There is no UI for these settings.

RAS Connection Manager

Config Entry

<component displayname="Microsoft-Windows-RasApi" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-rasapi/microsoft-windows-rasapi/settings"/>

Config Manifest

\USMT\x86\ReplacementManifests\RASAPI-REPL.MAN

Behavior Synopsis

Migrates per-user RAS phonebook (.pbk) files, which typically hold VPN connection definitions.

People Near Me

Config Entry

<component displayname="Microsoft-Windows-PeerToPeerCollab" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-peertopeercollab/microsoft-windows-peertopeercollab/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-peertopeercollab_31bf3856ad364e35_6.0.6000.16386_none_94fe8c8730377a78.manifest

Behavior Synopsis

Migrates per-computer and per-user People Near Me collaboration settings and registered application invite software (by default, Windows Meeting Space).

Mapped Drives

Config Entry

<component displayname="Microsoft-Windows-MPR" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-mpr/microsoft-windows-mpr/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-mpr_31bf3856ad364e35_6.0.6001.18000_none_add5c97257f151a1.manifest

Behavior Synopsis

Migrates per-user mapped drives.


IEEE 802.1X Authentication

Config Entry

<component displayname="Microsoft-Windows-Dot3svc" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-dot3svc/microsoft-windows-dot3svc/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-dot3svc_31bf3856ad364e35_6.0.6000.16386_none_69354ccc76993b26.manifest

Behavior Synopsis

Migrates IEEE 802.1X Authentication per-computer settings. Also migrates group policy settings.


The Complete List and Downloadable Versions

 

Ned “better than counting sheep” Pyle


Understanding what the USMT 4.0 CONFIG manifests migrate (Part 17: Vista Section H)


This part covers the following config.xml components for Windows Vista:

--------------------------------------------------------------------------------------------------


<component displayname="Date, Time, Language and Region" migrate="yes" ID="date_time_language_and_region">

      <component displayname="Regional Language Options" migrate="yes" ID="date_time_language_and_region\regional_language_options">

        <component displayname="Microsoft-Windows-TableDrivenTextService-Migration" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-tabledriventextservice-migration/microsoft-windows-tabledriventextservice-migration/settings"/>

        <component displayname="Microsoft-Windows-TextServicesFramework-Migration" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-textservicesframework-migration/microsoft-windows-textservicesframework-migration/settings"/>

        <component displayname="Microsoft-Windows-MUI-Settings" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-mui-settings/microsoft-windows-mui-settings/settings"/>

        <component displayname="Microsoft-Windows-International-Core" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-international-core/microsoft-windows-international-core/settings"/>

        <component displayname="Microsoft-Windows-IME-Traditional-Chinese-Core" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-ime-traditional-chinese-core/microsoft-windows-ime-traditional-chinese-core/settings"/>

        <component displayname="Microsoft-Windows-IME-Simplified-Chinese-Core" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-ime-simplified-chinese-core/microsoft-windows-ime-simplified-chinese-core/settings"/>

        <component displayname="Microsoft-Windows-Desktop_Technologies-Text_Input_Services-IME-Japanese-Core" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-desktop_technologies-text_input_services-ime-japanese-core/microsoft-windows-desktop_technologies-text_input_services-ime-japanese-core/settings"/>

      </component>

    </component>

--------------------------------------------------------------------------------------------------

Table Text Services

Config Entry

<component displayname="Microsoft-Windows-TableDrivenTextService-Migration" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-tabledriventextservice-migration/microsoft-windows-tabledriventextservice-migration/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-t..xtservice-migration_31bf3856ad364e35_6.0.6001.18000_none_d6bf66e4415f7ea3.manifest

Behavior Synopsis

Migrates per-computer Text Services customizations, but ignores all default ones installed by the OS. There is no UI for these settings.

Text Services and Input Languages

Config Entry

<component displayname="Microsoft-Windows-TextServicesFramework-Migration" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-textservicesframework-migration/microsoft-windows-textservicesframework-migration/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-t..framework-migration_31bf3856ad364e35_6.0.6000.16386_none_eeba79dcbb2f3d70.manifest

Behavior Synopsis

Migrates per-user keyboard layout and language bar settings.


MUI

Config Entry

<component displayname="Microsoft-Windows-MUI-Settings" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-mui-settings/microsoft-windows-mui-settings/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-mui-settings_31bf3856ad364e35_6.0.6000.16386_none_ad846632fffb2b2f.manifest

Behavior Synopsis

Migrates the per-user and default-user OS MUI language selections.

Regional and Language Options

Config Entry

<component displayname="Microsoft-Windows-International-Core" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-international-core/microsoft-windows-international-core/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-international-core_31bf3856ad364e35_6.0.6000.16386_none_e773a28cdcd5ef62.manifest

plugin file="%windir%\system32\migration\nlscoremig.dll"

Behavior Synopsis

Migrates per-computer locale settings, such as customized formats.


Traditional Chinese IME

Config Entry

<component displayname="Microsoft-Windows-IME-Traditional-Chinese-Core" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-ime-traditional-chinese-core/microsoft-windows-ime-traditional-chinese-core/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-i..tional-chinese-core_31bf3856ad364e35_6.0.6000.16386_none_574d3b91040cfc37.manifest

Behavior Synopsis

Migrates per-user Traditional Chinese Input Method Editor customizations.

Simplified Chinese IME

Config Entry

<component displayname="Microsoft-Windows-IME-Simplified-Chinese-Core" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-ime-simplified-chinese-core/microsoft-windows-ime-simplified-chinese-core/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-i..lified-chinese-core_31bf3856ad364e35_6.0.6000.16386_none_15da9be54b086d36.manifest

Behavior Synopsis

Migrates a very limited set of per-user Simplified Chinese Input Method Editor customizations, far less than the Traditional Chinese and Japanese manifests cover.

Japanese IME

Config Entry

<component displayname="Microsoft-Windows-Desktop_Technologies-Text_Input_Services-IME-Japanese-Core" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-desktop_technologies-text_input_services-ime-japanese-core/microsoft-windows-desktop_technologies-text_input_services-ime-japanese-core/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-d..s-ime-japanese-core_31bf3856ad364e35_6.0.6000.16386_none_6d349b7790bccf3b.manifest

Behavior Synopsis

Migrates per-user Japanese Input Method Editor customizations.

The Complete List and Downloadable Versions

    

Ned “better than counting sheep” Pyle

Understanding what the USMT 4.0 CONFIG manifests migrate (Part 18: Vista Section I)


This part covers the following config.xml components for Windows Vista:

--------------------------------------------------------------------------------------------------

    <component displayname="Security" migrate="yes" ID="security">

      <component displayname="Security Options" migrate="yes" ID="security\security_options">

        <component displayname="Microsoft-Windows-Credential-Manager" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-credential-manager/microsoft-windows-credential-manager/settings"/>

      </component>

    </component>

    <component displayname="Appearance and Display" migrate="yes" ID="appearance_and_display">

      <component displayname="Windows Games Settings" migrate="yes" ID="appearance_and_display\windows_games_settings">

        <component displayname="Microsoft-Windows-GameExplorer" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-gameexplorer/microsoft-windows-gameexplorer/settings"/>

      </component>

      <component displayname="Taskbar and Start Menu" migrate="yes" ID="appearance_and_display\taskbar_and_start_menu">

        <component displayname="Microsoft-Windows-stobject" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-stobject/microsoft-windows-stobject/settings"/>

        <component displayname="Microsoft-Windows-explorer" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-explorer/microsoft-windows-explorer/settings"/>

      </component>

      <component displayname="Personalized Settings" migrate="yes" ID="appearance_and_display\personalized_settings">

        <component displayname="Microsoft-Windows-uxtheme" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-uxtheme/microsoft-windows-uxtheme/settings"/>

        <component displayname="Microsoft-Windows-themeui" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-themeui/microsoft-windows-themeui/settings"/>

        <component displayname="Microsoft-Windows-shell32" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-shell32/microsoft-windows-shell32/settings"/>

        <component displayname="Microsoft-Windows-CommandPrompt" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-commandprompt/microsoft-windows-commandprompt/settings"/>

      </component>

    </component>

--------------------------------------------------------------------------------------------------

Rights Management Client

Config Entry

<component displayname="Microsoft-Windows-Rights-Management-Client-v1-API" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-rights-management-client-v1-api/microsoft-windows-rights-management-client-v1-api/settings"/>

Config Manifest

\USMT\x86\ReplacementManifests\RIGHTS-MANAGEMENT-CLIENT-V1-API-REPLACEMENT.MAN

Behavior Synopsis

Migrates per-user and per-computer Rights Management (RMS) client settings. There is no UI for these settings.

Credential Manager

Config Entry

<component displayname="Microsoft-Windows-Credential-Manager" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-credential-manager/microsoft-windows-credential-manager/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-credential-manager_31bf3856ad364e35_6.0.6000.16386_none_a527dc6f9f86ae33.manifest

Behavior Synopsis

Migrates certain per-computer Credential Manager security settings and per-user stored credentials (not cached interactive logon credentials). Because those stored credentials travel inside the migration store, protect the store: run ScanState with /encrypt and a key (or key file), and restrict who can read the store location.
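Taken together, the Internet Explorer, Internet Explorer Networking and Credential Manager entries show that a stock config.xml migrates stored credentials, cookies and browsing history. The PowerShell below is an added example, not code from the original post or from USMT itself. It edits a config.xml to set migrate="no" on those three components and prints the leaf components before and after. The config.xml it operates on is constructed for this example from component entries shown on this page (a real one comes from scanstate /genconfig); the output path and the scanstate command in the final comment are assumptions for illustration.

```powershell
# Added example (not from the original post): disable the secret-bearing
# components discussed above in a USMT 4.0 config.xml before running ScanState.
# The config below is CONSTRUCTED for this example from component entries shown
# on this page; in practice start from:  scanstate.exe /genconfig:config.xml
$sampleConfig = @'
<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <WindowsComponents>
    <component displayname="Security" migrate="yes" ID="security">
      <component displayname="Security Options" migrate="yes" ID="security\security_options">
        <component displayname="Microsoft-Windows-Credential-Manager" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-credential-manager/microsoft-windows-credential-manager/settings"/>
      </component>
    </component>
    <component displayname="Network and Internet" migrate="yes" ID="network_and_internet">
      <component displayname="Internet Options" migrate="yes" ID="network_and_internet\internet_options">
        <component displayname="Microsoft-Windows-ieframe" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-ieframe/microsoft-windows-ieframe/settings"/>
        <component displayname="Microsoft-Windows-IE-InternetExplorer" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-ie-internetexplorer/microsoft-windows-ie-internetexplorer/settings"/>
        <component displayname="Microsoft-Windows-IE-ClientNetworkProtocolImplementation" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-ie-clientnetworkprotocolimplementation/microsoft-windows-ie-clientnetworkprotocolimplementation/settings"/>
      </component>
    </component>
  </WindowsComponents>
</Configuration>
'@

function Get-UsmtLeafComponent {
    # Leaf components are the ones that map to a manifest; the groups above
    # them (Security, Network and Internet, ...) only scope the switch.
    param([Parameter(Mandatory)][xml]$Config)
    $Config.SelectNodes('//component[not(component)]') |
        ForEach-Object { [pscustomobject]@{ DisplayName = $_.displayname; Migrate = $_.migrate } }
}

function Set-UsmtComponentMigrate {
    param(
        [Parameter(Mandatory)][xml]$Config,
        [Parameter(Mandatory)][string[]]$DisplayName,
        [ValidateSet('yes', 'no')][string]$Migrate = 'no'
    )
    $changed = New-Object System.Collections.Generic.List[string]
    foreach ($name in $DisplayName) {
        # Match on displayname: the ID attribute is a long URL and error-prone to type.
        $nodes = $Config.SelectNodes("//component[@displayname='$name']")
        if ($nodes.Count -eq 0) {
            Write-Warning "Not present in this config.xml: $name"
            continue
        }
        foreach ($node in $nodes) {
            if ($node.GetAttribute('migrate') -ne $Migrate) {
                $node.SetAttribute('migrate', $Migrate)
                $changed.Add($name)
            }
        }
    }
    return $changed
}

[xml]$config = $sampleConfig

# Components this page shows carrying secrets: stored credentials, and IE cookies
# and history. The Wininet (IE Networking) component duplicates the IE
# component's cookie/history copy, so excluding IE alone is not enough.
$exclude = @(
    'Microsoft-Windows-Credential-Manager'
    'Microsoft-Windows-IE-InternetExplorer'
    'Microsoft-Windows-IE-ClientNetworkProtocolImplementation'
)

'Before:'
Get-UsmtLeafComponent -Config $config | Format-Table -AutoSize | Out-String
$changed = Set-UsmtComponentMigrate -Config $config -DisplayName $exclude -Migrate no
'After:'
Get-UsmtLeafComponent -Config $config | Format-Table -AutoSize | Out-String

# Write the hardened config; the output path is a hypothetical choice.
$outPath = Join-Path $env:TEMP 'config-hardened.xml'
$config.Save($outPath)
"Set migrate=`"no`" on $($changed.Count) component(s); wrote $outPath"
# Then (store path and key are placeholders):
#   scanstate.exe C:\store /i:migapp.xml /i:migdocs.xml /config:$outPath /encrypt /key:<strong key>
```

Setting migrate="no" on a leaf is enough; setting it on a parent group such as "Security Options" turns off every child beneath it. Turning these components off does not remove the need to encrypt the store, since the Fax, Windows Mail and Offline Files entries on this page still put user data in it.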


Games Explorer

Config Entry

<component displayname="Microsoft-Windows-GameExplorer" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-gameexplorer/microsoft-windows-gameexplorer/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6002.22475_none_4429bb23d7b5279d.manifest

Behavior Synopsis

Migrates per-computer and per-user Game Explorer settings and statistics.


Power Management Notification

Config Entry

<component displayname="Microsoft-Windows-stobject" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-stobject/microsoft-windows-stobject/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-stobject_31bf3856ad364e35_6.0.6000.16386_none_47ec33cd5890f3d2.manifest

Behavior Synopsis

Migrates customized power management notification area settings. These can only be set through group policy or direct registry editing. This has nothing to do with the actual power management settings.


Windows Explorer

Config Entry

<component displayname="Microsoft-Windows-explorer" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-explorer/microsoft-windows-explorer/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb.manifest

Behavior Synopsis

Migrates per-user Windows Explorer settings, including taskbar, folder options, notification area, and other shell preferences.

Windows Theme (Current)

Config Entry

<component displayname="Microsoft-Windows-uxtheme" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-uxtheme/microsoft-windows-uxtheme/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-uxtheme_31bf3856ad364e35_6.0.6001.18000_none_a5e49ad4068f9b12.manifest

Behavior Synopsis

Migrates per-user current appearance scheme selection.


Windows Theme (Customizations)

Config Entry

<component displayname="Microsoft-Windows-themeui" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-themeui/microsoft-windows-themeui/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-themeui_31bf3856ad364e35_6.0.6002.18005_none_86ea0f7f18a2f487.manifest

Behavior Synopsis

Migrates per-user customizations made to the currently selected theme.

Shell Configuration

Config Entry

<component displayname="Microsoft-Windows-shmig" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-shmig/microsoft-windows-shmig/settings"/>

Config Manifest

\USMT\x86\ReplacementManifests\SHMIG-REPLACEMENT.MAN

plugin file="Microsoft-Windows-shmig\shmig.dll"

Behavior Synopsis

There is no practical XML in this manifest; all of the work is done by the SHMIG plugin. It loads each user profile and migrates registry settings for per-user display settings such as DPI, wallpaper, screensaver settings, Recycle Bin usage and confirmation dialogs, the Start Menu, and user tiles.

Shell Folders

Config Entry

<component displayname="Microsoft-Windows-shell32" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-shell32/microsoft-windows-shell32/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6002.22574_none_6e51988f2874f7b1.manifest

Behavior Synopsis

Migrates per-user shell icon settings and screen positions.

Command Prompt

Config Entry

<component displayname="Microsoft-Windows-CommandPrompt" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-commandprompt/microsoft-windows-commandprompt/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-commandprompt_31bf3856ad364e35_6.0.6001.18000_none_8b0cc6bd1a5c896f.manifest

Behavior Synopsis

Migrates select CMD prompt defaults per user and for the Default User profile, such as the default auto-completion character. There is no UI for these settings; they exist only in the registry.

The Complete List and Downloadable Versions

Ned “better than counting sheep” Pyle

Understanding what the USMT 4.0 CONFIG manifests migrate (Part 19: Vista Section J)

This part covers the following config.xml components for Windows Vista:

--------------------------------------------------------------------------------------------------

<component displayname="Additional Options" migrate="yes" ID="additional_options">

      <component displayname="Help Settings" migrate="yes" ID="additional_options\help_settings">

        <component displayname="Microsoft-Windows-Help-Client" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-help-client/microsoft-windows-help-client/settings"/>

      </component>

      <component displayname="Windows Core Settings" migrate="yes" ID="additional_options\windows_core_settings">

        <component displayname="Microsoft-Windows-Win32k-Settings" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-win32k-settings/microsoft-windows-win32k-settings/settings"/>

        <component displayname="Microsoft-Windows-Web-Services-for-Management-Core" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-web-services-for-management-core/microsoft-windows-web-services-for-management-core/settings"/>

        <component displayname="Microsoft-Windows-UPnPSSDP" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-upnpssdp/microsoft-windows-upnpssdp/settings"/>

        <component displayname="Microsoft-Windows-UPnPDeviceHost" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-upnpdevicehost/microsoft-windows-upnpdevicehost/settings"/>

        <component displayname="Microsoft-Windows-UPnPControlPoint" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-upnpcontrolpoint/microsoft-windows-upnpcontrolpoint/settings"/>

        <component displayname="Microsoft-Windows-TerminalServices-RemoteConnectionManager" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-terminalservices-remoteconnectionmanager/microsoft-windows-terminalservices-remoteconnectionmanager/settings"/>

        <component displayname="Microsoft-Windows-TerminalServices-Drivers" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-terminalservices-drivers/microsoft-windows-terminalservices-drivers/settings"/>

        <component displayname="Microsoft-Windows-SQMApi" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-sqmapi/microsoft-windows-sqmapi/settings"/>

        <component displayname="Microsoft-Windows-RPC-Remote" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-rpc-remote/microsoft-windows-rpc-remote/settings"/>

        <component displayname="Microsoft-Windows-RPC-Local" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-rpc-local/microsoft-windows-rpc-local/settings"/>

--------------------------------------------------------------------------------------------------

Help Client

Config Entry

<component displayname="Microsoft-Windows-Help-Client" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-help-client/microsoft-windows-help-client/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-help-client_31bf3856ad364e35_6.0.6001.18000_none_6c1890222e16b0ed.manifest

Behavior Synopsis

Migrates per-user Help customizations, such as size, layout, and online updates.

Win32 Core

Config Entry

<component displayname="Microsoft-Windows-Win32k-Settings" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-win32k-settings/microsoft-windows-win32k-settings/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-win32k-settings_31bf3856ad364e35_6.0.6002.18005_none_b326fbadff7217f6.manifest

Behavior Synopsis

Migrates a variety of per-computer settings, such as the default font, CMD prompt sizes, and shutdown warning timers (most of these settings have no UI). Also migrates per-user input and display settings like mouse options and dialog colors (with many exceptions for hardware-specific and OS-specific settings, such as monitor resolution and screensavers).

Windows Remote Management

Config Entry

<component displayname="Microsoft-Windows-Web-Services-for-Management-Core" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-web-services-for-management-core/microsoft-windows-web-services-for-management-core/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-w..for-management-core_31bf3856ad364e35_7.0.6001.18181_none_bb807475382e6b2a.manifest

plugin file="$(runtime.system32)\WSManMigrationPlugin.dll"

Behavior Synopsis

Migrates per-computer WinRM (Windows Remote Management) settings. There is no graphical UI for these settings; they are configured with the winrm.exe command-line tool.

Simple Service Discovery Protocol

Config Entry

<component displayname="Microsoft-Windows-UPnPSSDP" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-upnpssdp/microsoft-windows-upnpssdp/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-upnpssdp_31bf3856ad364e35_6.0.6000.16386_none_7d92b0efd44d38e1.manifest

Behavior Synopsis

Migrates certain per-computer Simple Service Discovery Protocol service parameters. There is no UI for these settings.

UPnP Device Host

Config Entry

<component displayname="Microsoft-Windows-UPnPDeviceHost" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-upnpdevicehost/microsoft-windows-upnpdevicehost/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-upnpdevicehost_31bf3856ad364e35_6.0.6001.18000_none_c1e834753483fdcf.manifest

Behavior Synopsis

Migrates per-computer UPnP Device Host service settings. There is no UI for these settings; they are configured by the device software.

UPnP Control Point

Config Entry

<component displayname="Microsoft-Windows-UPnPControlPoint" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-upnpcontrolpoint/microsoft-windows-upnpcontrolpoint/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-upnpcontrolpoint_31bf3856ad364e35_6.0.6001.18000_none_32cf6e4430c13212.manifest

Behavior Synopsis

Migrates a subset of per-computer UPnP Control Point settings. There is no UI for these settings.

Remote Desktop Connections

Config Entry

<component displayname="Microsoft-Windows-TerminalServices-RemoteConnectionManager" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-terminalservices-remoteconnectionmanager/microsoft-windows-terminalservices-remoteconnectionmanager/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-t..teconnectionmanager_31bf3856ad364e35_6.0.6002.18005_none_908abad45165e2ae.manifest

Behavior Synopsis

Migrates per-computer default connection settings for remote desktop sessions to the computer. There is no UI for this on Windows Vista (it is usually configured through the Remote Desktop Session Host Configuration snap-in on Windows Server 2008).

Remote Desktop Listener

Config Entry

<component displayname="Microsoft-Windows-TerminalServices-Drivers" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-terminalservices-drivers/microsoft-windows-terminalservices-drivers/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-t..nalservices-drivers_31bf3856ad364e35_6.0.6001.18000_none_51501845f67a4a0e.manifest

Behavior Synopsis

Migrates whether the per-computer remote desktop listener is enabled or disabled. There is no UI for this on Windows Vista (it is usually configured through the Remote Desktop Session Host Configuration snap-in on Windows Server 2008).

SQM Unattend

Config Entry

<component displayname="Microsoft-Windows-SQMApi" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-sqmapi/microsoft-windows-sqmapi/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-sqmapi_31bf3856ad364e35_6.0.6001.18000_none_fe3db30d04ce3dab.manifest

Behavior Synopsis

Migrates the per-computer unattended settings for the SQM (Windows telemetry reporting) client. There is no UI for this setting and by default, the migrated registry key does not exist.

RPC Ports

Config Entry

<component displayname="Microsoft-Windows-RPC-Remote" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-rpc-remote/microsoft-windows-rpc-remote/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-rpc-remote_31bf3856ad364e35_6.0.6000.16386_none_be6271493635f7fa.manifest

Behavior Synopsis

Migrates per-computer remote RPC port customizations as defined in http://support.microsoft.com/kb/154596. There is no UI for these settings.

Local RPC over LPC and Named Pipes

Config Entry

<component displayname="Microsoft-Windows-RPC-Local" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-rpc-local/microsoft-windows-rpc-local/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-rpc-local_31bf3856ad364e35_6.0.6002.22120_none_b65513a45b6873a4.manifest

Behavior Synopsis

Migrates per-computer local RPC port customizations. There is no UI for these settings, they do not exist by default, and they are not publicly documented.

The Complete List and Downloadable Versions

Ned “better than counting sheep” Pyle

Understanding what the USMT 4.0 CONFIG manifests migrate (Part 20: Vista Section K)

This part covers the following config.xml components for Windows Vista:

--------------------------------------------------------------------------------------------------

        <component displayname="Microsoft-Windows-RPC-HTTP" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-rpc-http/microsoft-windows-rpc-http/settings"/>

        <component displayname="Microsoft-Windows-RasMprDdm" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-rasmprddm/microsoft-windows-rasmprddm/settings"/>

        <component displayname="Microsoft-Windows-RasBase" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-rasbase/microsoft-windows-rasbase/settings"/>

        <component displayname="Microsoft-Windows-Microsoft-Data-Access-Components-(MDAC)-ODBC-DriverManager-Dll" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-microsoft-data-access-components-(mdac)-odbc-drivermanager-dll/microsoft-windows-microsoft-data-access-components-(mdac)-odbc-drivermanager-dll/settings"/>

        <component displayname="Microsoft-Windows-ICM-Profiles" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-icm-profiles/microsoft-windows-icm-profiles/settings"/>

        <component displayname="Microsoft-Windows-feclient" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-feclient/microsoft-windows-feclient/settings"/>

        <component displayname="Microsoft-Windows-dpapi-keys" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-dpapi-keys/microsoft-windows-dpapi-keys/settings"/>

        <component displayname="Microsoft-Windows-Crypto-keys" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-crypto-keys/microsoft-windows-crypto-keys/settings"/>

        <component displayname="Microsoft-Windows-COM-DTC-Setup" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-com-dtc-setup/microsoft-windows-com-dtc-setup/settings"/>

        <component displayname="Microsoft-Windows-COM-ComPlus-Setup" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-com-complus-setup/microsoft-windows-com-complus-setup/settings"/>

        <component displayname="Microsoft-Windows-COM-Base" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-com-base/microsoft-windows-com-base/settings"/>

        <component displayname="Microsoft-Windows-CAPI2-certs" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-capi2-certs/microsoft-windows-capi2-certs/settings"/>

      </component>

    </component>

    <component displayname="Accessibility" migrate="yes" ID="accessibility">

      <component displayname="Accessibility Settings" migrate="yes" ID="accessibility\accessibility_settings">

        <component displayname="Microsoft-Windows-accessibilitycpl" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-accessibilitycpl/microsoft-windows-accessibilitycpl/settings"/>

      </component>

    </component>

--------------------------------------------------------------------------------------------------

UseProxyForIPAddrIfRDNSFails

Config Entry

<component displayname="Microsoft-Windows-RPC-HTTP" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-rpc-http/microsoft-windows-rpc-http/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-rpc-http_31bf3856ad364e35_6.0.6002.18005_none_a1e465fc3c75b4fa.manifest

Behavior Synopsis

Migrates per-computer HTTP over RPC customization only for value "UseProxyForIPAddrIfRDNSFails" as defined in http://msdn.microsoft.com/en-us/library/aa373592(VS.85).aspx. There is no UI for this setting.

RAS PPP

Config Entry

<component displayname="Microsoft-Windows-Rasppp" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-rasppp/microsoft-windows-rasppp/settings"/>

Config Manifest

\USMT\x86\ReplacementManifests\RASPPP-REPL.MAN

Behavior Synopsis

Migrates portions of the per-computer RAS PPP settings. There is no UI for these settings.

RAS Authentication

Config Entry

<component displayname="Microsoft-Windows-RasMprDdm" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-rasmprddm/microsoft-windows-rasmprddm/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-rasmprddm_31bf3856ad364e35_6.0.6001.18000_none_99165124cd984b96.manifest

Behavior Synopsis

Migrates portions of the per-computer RAS service authentication settings. There is no UI for these settings.

RAS IP

Config Entry

<component displayname="Microsoft-Windows-RasBase" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-rasbase/microsoft-windows-rasbase/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-rasbase_31bf3856ad364e35_6.0.6002.18005_none_0fcbe0ed77911065.manifest

Behavior Synopsis

Migrates portions of the per-computer RAS service IP settings. There is no UI for these settings.

ODBC

Config Entry

<component displayname="Microsoft-Windows-Microsoft-Data-Access-Components-(MDAC)-ODBC-DriverManager-Dll" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-microsoft-data-access-components-(mdac)-odbc-drivermanager-dll/microsoft-windows-microsoft-data-access-components-(mdac)-odbc-drivermanager-dll/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-m..c-drivermanager-dll_31bf3856ad364e35_6.0.6002.22555_none_1271c00d00610f35.manifest

Behavior Synopsis

Migrates per-user and per-computer files and registry settings for ODBC. Note that 32-bit ODBC application settings are not migrated from x64 source computers (see the corresponding manifest on x64 Vista, such as amd64_microsoft-windows-m..c-drivermanager-dll_31bf3856ad364e35_6.0.6002.18005_none_6e3cc6c99f786050.manifest), due to an oversight in the manifests.

Color Management

Config Entry

<component displayname="Microsoft-Windows-ICM-Profiles" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-icm-profiles/microsoft-windows-icm-profiles/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-icm-profiles_31bf3856ad364e35_6.0.6000.16386_none_9728ca2d08c669b6.manifest

Behavior Synopsis

Migrates per-user and per-computer color management customizations.

Accessibility

Config Entry

<component displayname="Microsoft-Windows-accessibilitycpl" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-accessibilitycpl/microsoft-windows-accessibilitycpl/settings"/>

Config Manifest

C:\Windows\winsxs\Manifests\x86_microsoft-windows-accessibilitycpl_31bf3856ad364e35_6.0.6002.18005_none_5b4939df50fd5bc7.manifest

Behavior Synopsis

Migrates per-user and per-computer accessibility customizations.

Tablet Pen (/TargetVista only manifest)

Config Entry

<component displayname="Microsoft-Windows-TabletPC-UIHub" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-tabletpc-uihub/microsoft-windows-tabletpc-uihub/settings"/>

Config Manifest

C:\windows\winsxs\manifests\x86_microsoft-windows-tabletpc-uihub_31bf3856ad364e35_6.0.6001.18000_none_138913239c3640a9.manifest

Behavior Synopsis

Migrates per-user and per-computer tablet pen settings.

Tablet Input Core (/TargetVista only manifest)

Config Entry

<component displayname="Microsoft-Windows-TabletPC-Platform-Input-Core" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-tabletpc-platform-input-core/microsoft-windows-tabletpc-platform-input-core/settings"/>

Config Manifest

\USMT\x86\ReplacementManifests\TABLETPCPLATFORMINPUT-CORE-REPLACEMENT.MAN

Behavior Synopsis

Migrates per-user and per-computer tablet input settings (some redundant to TABLETPC-UIHUB-REPLACEMENT.MAN).

Rights Management Client (/TargetVista only manifest)

Config Entry

<component displayname="Microsoft-Windows-Rights-Management-Client-v1-API" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/cmi/microsoft-windows-rights-management-client-v1-api/microsoft-windows-rights-management-client-v1-api/settings"/>

Config Manifest

\USMT\x86\ReplacementManifests\RIGHTS-MANAGEMENT-CLIENT-V1-API-REPLACEMENT.MAN

Behavior Synopsis

Migrates per-user and per-computer tablet input settings (some redundant to TABLETPC-UIHUB-REPLACEMENT.MAN).

The Complete List and Downloadable Versions

Ned “better than counting sheep” Pyle

Improved Group Policy Preference Targeting by Computer Group Membership

Hello AskDS readers, it's Mike again talking about Group Policy Preference targeting items. I posted an article in June entitled Targeting Group Policy Preferences by Container, not by Group. This post highlighted the common problems many people encounter when targeting preferences items based on a computer's group membership, why the problem occurs, and some workarounds.

Today, I'd like to introduce a hotfix released by Microsoft that improves targeting preference items by computer group membership. The behavior before the hotfix potentially resulted in slow computer group policy application. The slowness was caused by the way Security Group targeting applies against a computer account. The targeting item makes multiple round trips to a domain controller to determine group memberships (including nested groups). The slowness is more significant when the computer applying the targeting item does not have a local domain controller and must use a domain controller across a WAN link.

You can download the hotfix for Windows 7 and Windows Server 2008 R2 through Microsoft Knowledgebase article 2561285. This hotfix changes how the Security Group Targeting item calculates computer group membership. During policy application, the targeting item requests a copy of the computer's authentication token. This token is mostly identical to the token created during logon, which means it contains a list of security identifiers (SIDs) for every group of which the computer is a member, including nested groups. The targeting item performs the configured comparison against this list of SIDs in the token, rather than making multiple LDAP calls to a domain controller. This aligns the behavior of computer security group targeting with that of user security group targeting, and should improve the performance of security group targeting.

Mike "Try, Try, Try Again" Stephens

Friday Mail Sack: Charlotte Edition

Hiya folks, Ned back with a palate-cleansing Mail Sack after this monstrosity. This week we talk about:

Let’s get swimmy-headed.

Question

I'm curious to get your feedback on custom AD Schema extensions – those that are created "in house" for a specific need. What is the overall Microsoft stance on the topic? Should we do it, or use AD LDS? We have an app we’re designing and want to do this the “right” way.

Answer

It’s always “safer” to use AD/LDS - as it’s easier to throw that away and start over - but as long as you follow our best practices, we don’t get too bent out of shape if you extend your schema. That’s what it’s there for. The critical piece is that you get your base OID from ISO, or barring that, generate one using our safe script. You can also use proxy accounts to tie AD and ADLDS together, the way that we always intended but which never really caught on.

Some of the best practices:

The tricky part of extending your AD schema is that no matter how carefully you do it, some millet-for-brains vendor may not. Then you buy their product and cannot use it, due to duplicate attributes or classes. It’s a lot simpler to fix an AD/LDS schema than your AD forest schema.

Hold payment on the vendor’s check until you are sure it works in your lab.

Question

When we deploy Domain Controllers in our environment (whether it's a RWDC or RODC, they all run DNS) we always remove our Root Hints. We do this on our RODCs after the DCPROMO and before the reboot. Is there any way to remove the Root Hints after the RODC becomes read-only?

Answer

There’s nothing special as part of the RODC promotion process itself that would let you do this, as DNS configuration is quite restricted when you let the DC process handle it. You have a couple workarounds:

1. Configure the root hints via its registry value “isslave”, perhaps run as a batch at the end of promotion. See KB2001154 for more info on configuring this. And no snickering at this Win2008 bug in the comments! Ok, maybe a little.

2. Don’t have the RODC install and configure DNS (in an unattend install, this is “SkipAutoConfigDNS”). Script the DNS installation using DNSCMD to do everything. This seems like overkill, but answers the greater question of controlling RODC+DNS configuration.

It’s critically important to note:

http://support.microsoft.com/kb/818020

Note Microsoft does not support the removal of all root hints from a Microsoft DNS server. A Microsoft DNS server must have at least one root hint. However, you can replace the existing root hints with new root hints. When you replace root hints, the change is permanent, and the old root hints do not reappear. If the DNS server is forwarding, click to select the Do not use recursion for this domain check box on the Forwarders tab in DNS Manager to make sure that the root hints will not be used.

Question

We are performing a USMT migration. On the source machine we generate the config.xml file by using the genconfig switch and we specify the migapp.xml file in the command line.

Scanstate.exe /genconfig:config.xml /i:migapp.xml

This way we can decide if we want to block certain apps from migrating without changing the migapp.xml.

We have iTunes listed in the xml file as well as the application installed on the machine. But it never gets listed in the config.xml file. I’m missing other applications that TechNet says are supported.

Answer

It’s because you have newer, “unsupported” versions of the apps installed – note how the MIGAPP.XML starts each section with a <detect>. For example, here are WinZip and Adobe Reader:

If Adobe Reader 9.X and WinZip 8.*-10.* are installed, they will manifest and migrate:

But if I have the latest Adobe Reader (10.*) and WinZip (15.*) installed, they are not detected and therefore, will not manifest or migrate:

To be more supported by the vendor is to be less supported by USMT as time goes by.

You have several options:

1. Convince the vendor of the USMT-unsupported apps to give you updated migration XML. They created and submitted the previous version requirements for their own app during the USMT development process – that’s why so few apps are listed and they are so esoteric: WinZip but not WinRAR? RealPlayer but not WinAmp? Ad-Aware but not a hundred other anti-spyware apps? Microsoft didn’t create the list!

2. Create a copy of the migapp.xml, add detection elements for those newer versions and update any paths necessary, and validate that they seem to migrate the right settings. Then migrate using that updated XML instead of the shipping XML and cross your fingers, because you are hoping you got it all right and your vendor is going to support it (Microsoft does not care – again, these are not our settings).

3. Migrate older versions of the apps, then update them after the fact (included only for completeness’ sake – this is extremely gross).

You’ll have this issue even if you don’t generate config.xml file, naturally.
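As an added example (not from the original post, and not USMT's own code or its shipping MIGAPP.XML), the script below evaluates the DoesFileVersionMatch patterns in a migapp.xml-style file against the versions actually installed, then clones a version-checking detect block for a newer version, which is option 2 above. The XML excerpt is constructed to mirror the migapp.xml layout described in the answer; the %AdobeReaderExe% and %WinZipExe% variables, the version values and the exact component structure are assumptions, not copied from the shipping file.

```python
import copy
import fnmatch
import re
import xml.etree.ElementTree as ET

# Constructed excerpt in the style of MIGAPP.XML (assumed layout; not the shipping file).
# Each Application component carries <detect> blocks whose <condition> strings call
# MigXmlHelper helpers; the %...Exe% variable names and version values are made up.
SAMPLE_MIGAPP = """<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/migapp">
  <component type="Application" context="UserAndSystem">
    <displayName>Adobe Reader</displayName>
    <role role="Settings">
      <detects>
        <detect>
          <condition>MigXmlHelper.DoesObjectExist("File","%AdobeReaderExe%")</condition>
          <condition>MigXmlHelper.DoesFileVersionMatch("%AdobeReaderExe%","ProductVersion","9.*")</condition>
        </detect>
      </detects>
    </role>
  </component>
  <component type="Application" context="UserAndSystem">
    <displayName>WinZip</displayName>
    <role role="Settings">
      <detects>
        <detect>
          <condition>MigXmlHelper.DoesFileVersionMatch("%WinZipExe%","ProductVersion","8.*")</condition>
        </detect>
        <detect>
          <condition>MigXmlHelper.DoesFileVersionMatch("%WinZipExe%","ProductVersion","10.*")</condition>
        </detect>
      </detects>
    </role>
  </component>
</migration>
"""

# Matches MigXmlHelper.DoesFileVersionMatch("<file>","<version tag>","<pattern>").
VERSION_CALL = re.compile(
    r'MigXmlHelper\.DoesFileVersionMatch\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)')


def version_patterns(xml_text):
    """Map each Application component's displayName to the version patterns its <detect> blocks accept."""
    root = ET.fromstring(xml_text)
    patterns = {}
    for comp in root.iter("component"):
        name = comp.find("displayName")
        if comp.get("type") != "Application" or name is None:
            continue
        found = []
        for cond in comp.iter("condition"):
            match = VERSION_CALL.search(cond.text or "")
            if match:
                found.append(match.group(3))
        patterns[name.text.strip()] = found
    return patterns


def undetected_apps(xml_text, installed_versions):
    """Return {app: version} for installed apps that have a component but whose version no pattern accepts.
    Only the DoesFileVersionMatch conditions are evaluated; file/registry existence checks are out of scope."""
    patterns = version_patterns(xml_text)
    missing = {}
    for app, version in installed_versions.items():
        if app not in patterns:
            continue  # no migration component at all, so nothing to fix in this XML
        # USMT version values use '*' wildcards ("9.*"); evaluate them as globs on the version string.
        if not any(fnmatch.fnmatchcase(version, p) for p in patterns[app]):
            missing[app] = version
    return missing


def add_version_detect(xml_text, app, new_pattern):
    """Return a copy of the XML in which `app` gains one more <detect> block accepting `new_pattern`.
    The block is cloned from the app's last version-checking <detect>, so companion conditions
    (such as the file-existence check) and the file variable/version tag are preserved."""
    root = ET.fromstring(xml_text)
    for comp in root.iter("component"):
        name = comp.find("displayName")
        if name is None or name.text.strip() != app:
            continue
        detects = comp.find("role/detects")
        template = None
        for det in (detects.findall("detect") if detects is not None else []):
            if any(VERSION_CALL.search(c.text or "") for c in det.findall("condition")):
                template = det
        if template is None:
            raise ValueError(f"{app}: no DoesFileVersionMatch condition to clone")
        clone = copy.deepcopy(template)
        for cond in clone.findall("condition"):
            cond.text = VERSION_CALL.sub(
                lambda m: f'MigXmlHelper.DoesFileVersionMatch("{m.group(1)}","{m.group(2)}","{new_pattern}")',
                cond.text or "")
        detects.append(clone)
        return ET.tostring(root, encoding="unicode")
    raise ValueError(f"{app}: no such Application component")
```

Feed undetected_apps() the real migapp.xml text and an inventory of installed versions to list the apps that will never reach config.xml, then write the string returned by add_version_detect() to the copy of the XML you pass to /i: instead of the shipping file.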

Question

I am looking to replicate a folder under the “Windows” folder via DFSR. I found this article http://technet.microsoft.com/en-us/library/cc773238(WS.10).aspx

"When replicating a volume that contains the Windows system folder, DFS Replication recognizes the %WINDIR% folder and does not replicate it."

I was wondering if there is any workaround for this, so we can replicate something under the c:\Windows folder.

Answer

There is no way around this – it is by design and very intentional. Replicating something under %windir% makes me think you want to synchronize things like drivers between servers, which is a no-no. If you try, you get this DFSR event:

Event ID=6410
Severity=Error
The DFS Replication service failed to initialize replicated folder %2 because
the service detected that one of its working folders overlaps a Windows system
folder.
This is an unsupported configuration.

Additional Information:
Overlapped Folder: %3
Replicated Folder: %4
Replicated Folder Name: %5
Replicated Folder ID: %1
Replication Group Name: %6
Replication Group ID: %7
Member ID: %8
System Folder:%9

You cannot use DFSR to replicate %systemroot% folders, except for the special case of SYSVOL on Win2008+ DCs.

And while we’re on the subject: while this does not also check %programfiles%, %ProgramFiles(x86)%, or the hidden %programdata%, replicating those folders is just as likely to cause massive issues, to possibly include an unbootable server if you are especially unlucky. Move your data elsewhere.

Question

After discussing the "DC DNS A Records and Web Servers" question from Friday's Mail Sack with my co-workers, I have a question about that question. Let’s say someone changed their (same as parent folder) A record to point at the Virtual IP of a hardware load balancer. This VIP would serve as a content switch that looks at traffic like this: Are you destined for port 80 or 443? If YES -> redirect traffic to web server If NO -> redirect to 1 of x domain controllers. Is this a viable solution?

Answer

The DNS folks and I discussed this option when I was vetting the previous post, and we ultimately decided that it would need some kind of third party device that Microsoft doesn’t make – so we could not speak to its viability, as we had no visibility. In addition, there are legitimate reasons to connect to a DC over web ports – the AD Management Gateway/AD Web Service uses HTTP/HTTPS traffic in order to allow you to use AD PowerShell, for example. So drawing the line would be tricky.

Now I answered on the intornotz so I guess the cat’s out of the bag.

Question

What are the correct settings for DFS Namespace to make client failover occur more quickly? I have tried different cache timeout settings but it always seems to take about 30-45 seconds to get access to files again if a DFS target share goes offline.

Answer

The issue isn’t DFSN; it’s the Redirector and SMB. Since you already had a connection to that server, the redirector tries to reconnect to it in case there was only a temporary network outage – it’s just a UNC path to a share at that point. The same happens if you point to a single share on a single server and take that server offline – Windows Explorer doesn’t instantly give you an error that the server is unavailable. A network capture shows bursts of “retry” SMB traffic from that client until it finally gives up and says the server is not coming back. This behavior dates back to NT:

148950  Changing the Windows NT Redirector Time-Out Value
http://support.microsoft.com/default.aspx?scid=kb;EN-US;148950

(This registry value isn’t applicable to later OSes; we decided allowing adjustment caused too many issues)

The caching doesn’t change in this scenario either – nothing has changed for the actual link targets in the referral. When SMB gets tired of trying, you move to the next entry in the cache. I can set my client cache timeout to 5 seconds and still see the Redirector sending out retry SMB packets for 30-45 seconds.

The DFSN client connectivity design isn’t for instant failover; it’s for geographical high availability and closest targeting. If you need instant failover, clustering is the way to go. Since the server and connection never go away thanks to cluster magic, your users will not see noticeable delays.

If you want the Mack of all solutions, cluster your DFSN link targets. At the very least, your hardware sales rep will appreciate it; he can now afford that Virage he’s been eyeing…

Question

If I search for an object against an AD LDS instance that I know is in AD DS, I get: Error 0x20D6 No superior reference has been configured for the directory service. The AD LDS Server is joined to the AD DS forest that the object I'm searching for is in (I have an application that needs to be restricted to looking at AD LDS, but also have AD LDS send off objects to AD DS that AD LDS cannot find). I found this article, but it doesn't provide any examples of how to configure a crossRef or superior reference, so I'm a little lost.

Answer

You have to configure the superiorDnsRoot attribute on the crossRef object in the configuration partition. You can use this technique, but use the AD LDS config partition path.

That error in AD/LDS instance can also mean:

  • It doesn’t have a matching schema to your AD DS forest. Use the ADSchemaAnalyzer tool to validate this and sync the differences.
  • The DN specified is wrong
  • You are connecting to an ADAM/ADLDS instance on the wrong port (so lame, I know).

Very generic as you can see. If the above KB doesn’t work, I suggest opening a support case to let us really dig in.

Not work

I’ve been teaching the past few weeks and a number of students commented on my rotating Windows 7 wallpaper of mecha. They were all downloaded from the amazing online art site ConceptRobots. They have thousands of these, in many styles. Check out a small sampling:

Go there only if you have hours to waste

We just installed a Coke Freestyle machine at work and it’s seriously cool. I’ve never seen a line at the soda fountain before, and ours are free. You should come see for yourself. Those students admiring my wallpaper were 33 new hires right here in Charlotte.


Like baseball? Add this to your favorites. Not the prettiest site, but if you want amazing details, statistics, and stories, it’s the best.

And finally - I was sitting at a light last week when I noticed this fella. It really sums up my eleven years of living in North Carolina and that my wife is right - I’m still just a damyankee:


Ford F-150, even though he lives in an affluent suburb – check


Aftermarket U-Haul tow-hitch - check


Vanity plate with Larry the Cable Guy catchphrase – check


Bumper sticker affirming that this is not the smallest pickup he will ever own – check

But the icing on the cake:


He bought the truck from NASCAR racing driver Dale Jarrett. Hells yeah.

 

Have a great weekend folks.

Ned “the ethernet cable guy” Pyle

Cluster and Stale Computer Accounts


Hi, Mike here again. Today, I want to write about a common administrative task that can lead to disaster: removing stale computer accounts from Active Directory.

Removing stale computer accounts is simply good hygiene-- it’s the brushing and flossing of Active Directory. Like tartar, computer accounts have the tendency to build up until they become a problem (difficult to identify and remove, and can lead to lengthy backup times).

Oops… my bad

Many environments separate administrative roles. The Active Directory administrator is not the Cluster Administrator. Each role holder performs their duties in a somewhat isolated manner-- the Cluster admins do their thing and the AD admins do theirs. The AD admin cares about removing stale computer accounts. The cluster admin does not… until the AD admin accidentally deletes a computer account associated with a functioning Failover Cluster because it looks like a stale account.

Unexpected deletion of a Cluster Name Object (CNO) or Virtual Computer Object (VCO) is one of the top issues worked by our engineers that support Clustering and High-Availability. Everyone does their job and boom-- clustered servers stop working because the CNOs or VCOs are missing. What to do?

What's wrong here

I'll paraphrase an article posted on the Clustering and High-Availability TechNet blog that solves this scenario. Typically, domain admins key on two different attributes to determine if a computer account is stale: pwdLastSet and lastLogonTimeStamp. Domains that are not configured to the Windows Server 2003 Domain Functional Level use the pwdLastSet attribute. However, domains configured to the Windows Server 2003 Domain Functional Level or later should use the lastLogonTimeStamp attribute. What you may not know is that a Failover Cluster (CNO and VCO) does not update lastLogonTimeStamp the same way a real computer does.

Cluster updates lastLogonTimeStamp when it brings a clustered network name resource online. Once online, it caches the authentication token. Therefore, a clustered network name resource working in production for months will never update lastLogonTimeStamp. This appears as a stale computer account to the AD administrator. Being a good citizen, the AD administrator deletes the stale computer account that has not logged on in months. Oops.

The Solution

There are a few things that you can do to avoid this situation.

  • Use the servicePrincipalName attribute in addition to the lastLogonTimeStamp attribute when determining stale computer accounts. If any variation of MSClusterVirtualServer appears in this attribute, then leave the computer account alone and consult with the cluster administrator.
  • Encourage the Cluster administrator to use -CleanupAD to delete the computer accounts they are not using after they destroy a cluster.
  • If you are using Windows Server 2008 R2, then consider implementing the Active Directory Recycle Bin. The concept is identical to the recycle bin for the file system, but for AD objects. The following ASKDS blogs can help you evaluate if AD Recycle Bin is a good option for your environment.
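As an added example (not from Mike’s post or the Clustering team), here is a PowerShell report that applies the first bullet: it lists enabled computer accounts whose lastLogonTimeStamp is older than a threshold, but flags any that carry an MSClusterVirtualServer SPN so they are handed to the cluster administrator instead of deleted. It assumes the ActiveDirectory module; the function name, the 90-day threshold and the report layout are my own choices.

```powershell
# Added example, not part of the original post. Needs the ActiveDirectory module
# (RSAT on Windows Server 2008 R2 / Windows 7 or later). The function name, the
# default threshold and the output shape are assumptions, not anything the post prescribes.
Import-Module ActiveDirectory

function Get-StaleComputerReport {
    param(
        [int]$StaleDays = 90,        # assumed threshold; tune it for your environment
        [string]$SearchBase = $null  # optional OU distinguished name to limit the query
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)

    $query = @{
        Filter     = 'Enabled -eq $true'
        Properties = 'lastLogonTimeStamp', 'pwdLastSet', 'servicePrincipalName'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    foreach ($c in Get-ADComputer @query) {
        # Both timestamps are FILETIME Int64 values; 0 or missing means "never".
        $lastLogon = if ($c.lastLogonTimeStamp) { [DateTime]::FromFileTime($c.lastLogonTimeStamp) } else { $null }
        $pwdSet    = if ($c.pwdLastSet)         { [DateTime]::FromFileTime($c.pwdLastSet) }         else { $null }

        # lastLogonTimeStamp only replicates when it is more than about 14 days old,
        # so "stale" here means older than the cutoff, not older than yesterday.
        $stale = ($lastLogon -eq $null) -or ($lastLogon -lt $cutoff)
        if (-not $stale) { continue }

        # A CNO/VCO registers MSClusterVirtualServer SPNs and only refreshes
        # lastLogonTimeStamp when the clustered network name is brought online,
        # so a perfectly healthy cluster name looks stale by this test.
        $clusterSpn = @($c.servicePrincipalName | Where-Object { $_ -like '*MSClusterVirtualServer*' })
        $isCluster  = ($clusterSpn.Count -gt 0)
        $action     = if ($isCluster) { 'Cluster name: consult the cluster admin' } else { 'Candidate for removal' }

        New-Object PSObject -Property @{
            Name              = $c.Name
            LastLogon         = $lastLogon
            PwdLastSet        = $pwdSet
            ClusterObject     = $isCluster
            Action            = $action
            DistinguishedName = $c.DistinguishedName
        } | Select-Object Name, LastLogon, PwdLastSet, ClusterObject, Action, DistinguishedName
    }
}

# Review the output before removing anything; cluster names are reported, never deleted here.
Get-StaleComputerReport -StaleDays 90 | Sort-Object ClusterObject, LastLogon | Format-Table -AutoSize
```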

Mike "Four out of Five AD admins recommend ASKDS" Stephens


Friday Mail Sack: Unintended Hilarity Edition


Hiya folks, Ned here again with another week’s questions, comments, and oddities. This time we’re talking:

Let’s get it.

Question

When we change security on our group policies using GPMC, we always get this disturbing message:

“The permissions for this GPO in the SYSVOL folder Are inconsistent with those in Active Directory”


We remove the “Read” and “Apply Group Policy” checkboxes from Authenticated Users by using the Delegation tab in GPMC, then substitute our own specific groups. The policies apply as expected with no errors even when we see this message.

Answer

It’s because you are not completely removing the Authenticated Users group. Authenticated Users does not only have “Read” and “Apply Group Policy”, it also has “List Object”, which is a “special” permission. The technique you’re using leaves Authenticated Users still ACL’ed, but with an invalid ACE of just “List”, and that’s what GPMC is sore about:


Instead of removing the two checkboxes, just remove Authenticated Users:


Better yet, don’t use the Delegation tab at all. The Security Filtering section on the main page sets the permissions for read and apply policy, which I presume is what you want. Just remove Authenticated Users and put in X. It gives you the desired resultant policy application, without any errors, and with less effort.


Delegation is designed for controlling who can manipulate policies. It only coincidentally manages who gets policies.

Question

Is it possible to set up multiple ADMT servers and allow both the ability to migrate passwords? I know that during the setup of the PES service on a source DC, it consumes a key file generated from the ADMT server. I wasn’t sure if this tie only allows that server the ability to perform password migrations.

Answer

You can always have multiple ADMT copies, as long as they point to the same database; that’s where things tie together, not in ADMT itself. You could use multiple databases, but then you have to keep track of what you migrated in each one and it’s a real mess, especially for computer migration, which works in multiple phases. You’d need multiple PES servers in the source domain and would have to point to the right one from the right ADMT DB instance when migrating users. This is highly discouraged and not a best practice.

Question

I was looking at Warren’s post on figuring out how much DFSR staging space to set aside. I have millions of files, how long can I expect that PowerShell to run? I want to schedule it to go once a week or so, but not if it runs for hours and incinerates the server.

Answer

It really depends on your hardware. But for a worst case, I used one of my gross physical test “servers” (it’s really workstation-class hardware) and generated many 1KB files plus 64 1MB files to have something to pick:

  • 500,000+64 files took 1 minute, 45 seconds to calculate
  • 1,000,000+64 files took 3 minutes, 30 seconds to calculate

The CPU and disk hit was negligible, but the memory usage significantly climbed. I would do this off hours if that server is starved for RAM.

Question

Can USMT migrate files that are located in paths exceeding the MAX_PATH limit of 260 characters?

Answer


Both scanstate and loadstate support paths up to ~32,767 characters, with each “component” (file or folder name) in that path limited to 255 characters.

Question

According to this article, Windows Server 2008 and 2008 R2 DCs use static port 5722 for DFSR. We mainly use Win2008 R2 member servers, so when choosing a port to set DFSR to, should I choose a different port within the range 49152 – 65535? Or would it be OK to set DFSR to 5722 on member servers too, so that all traffic on 5722 will be DFSR regardless of whether it's a DC or a member server involved in the replication?

Answer

Totally OK to use 5722 on members and makes your life easier on the firewall config. Make sure you review: http://blogs.technet.com/b/askds/archive/2009/07/16/configuring-dfsr-to-a-static-port-the-rest-of-the-story.aspx

Question

What are the most common Active Directory-related support cases Microsoft gets? I’m planning some training and want to make sure I am hitting the most powerful topics.

Answer

In no particular order:

  • Slow Logon (i.e. between CTRL+ALT+DEL and a working, responsive desktop)
  • Group policy not applying
  • Kerberos failures (duplicate/missing SPNs and bloated token)
  • Domain upgrade best practices and failure (i.e. ADPREP, first new DC)
  • AD replication failing (USN rollback, lingering objects, tombstone lifetime exceeded)

The above five have remained the top issues for 12 years now. Within the rest of Directory Services support, ADFS and PKI have seen the most growth in the past year.

 

Other Things

In case you live on the Mariana Islands and only got your first Internet connection today, we’ve started talking about Windows 8. Shiny pictures and movies too.


Preemptive strike: I cannot talk about Windows 8.

The power of inspirational infographics, via the awesome datavisualization.ch and from the brilliant H57 Design:


The Cubs were robbed.

It’s time for IO9 2011 fall previews of science fiction and fantasy:

We released the Windows 7 theme you’ve been wanting, Jonathan!

Is this the greatest movie ever created? Certainly one of the most insane. It’s safe for work.


Unless you work in an anthropomorphic cannibalism outreach center

And finally, from an internal email thread discussing some new support case assignment procedures:

From: a manager
To: all DS support staff at Microsoft
Subject: case assignment changes

For cases that are dispatched to the Tier 3 queue and assigned based on an incorrect support topic or no support topic listed. Engineers will do the following:

1. Set appropriate Support topic

2. Update the SR Title-with: STFU\[insert new skill here]

3. Correct support topic for assignment

4. Dispatch the case back to the queue for re-assignment

Five minutes later:

From: a manager
To: all DS support staff at Microsoft
Subject: RE: case assignment changes

Incidentally, the acronym STFU stands for “Support Topic Field Update” :-)

 

Have a nice weekend, folks.

Ned “the F is for Frak” Pyle

The Security Log Haystack – Event Forwarding and You


Hi. This is your guest writer Mark Renoden. I’m a Senior Premier Field Engineer based in Sydney, Australia and I’m going to talk to you about the use of Event Forwarding to collect security events. This is particularly useful when:

  • You have specific events you’re looking for (e.g. account lock out investigations)
  • You have an aggressive audit policy resulting in rapid security event log roll over
  • You have a lot of servers (and therefore logs) to watch

Historically, you’d use a tool like EventCombMT to skim the security logs across your servers for the events of interest but in the case where security event logs quickly roll over, it might come too late.

I'll take the account lock out example. Before I dive into the details of Event Forwarding, there’s some preparation you need to do first. These steps are different for Windows Server 2003, and Windows Server 2008/2008 R2.

Preparing Windows Server 2003 SP2

I’ll show you how to prepare your Windows Server 2003 machines so you’re able to collect security events from them.

1. Make sure you have the Windows Firewall/Internet Connection Sharing (ICS) service started and configured to start automatically.


This doesn’t mean you need the firewall configured – only that you have the service running which is required for the Windows Event Collector service. For example, your Windows Firewall/Internet Connection Sharing (ICS) service can be running but your firewall can be off.


2. Download and install the Windows Remote Management package from

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=21900

3. Grant the Network Service account READ access to the security event log by appending (A;;0x1;;;NS) to the following registry value:

Key: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security

Value: CustomSD

For example, the default security descriptor with READ for the Network Service appended is:

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;NS)

The CustomSD registry value accepts a security descriptor using the Security Descriptor Definition Language (SDDL). You can read more about SDDL here:

http://msdn.microsoft.com/en-us/library/aa379567(v=VS.85).aspx

You can deploy this step on a larger scale using Group Policy as detailed in:

How to set event log security locally or by using Group Policy in Windows Server 2003
http://support.microsoft.com/kb/323076/en-au

For Windows Server 2008 or later, you can also use Group Policy Preferences to deploy registry settings:

Information about new Group Policy preferences in Windows Server 2008
http://support.microsoft.com/kb/943729

Preparing Windows Server 2008 and Windows Server 2008 R2

Just like Windows Server 2003, you have to prepare your Windows Server 2008/2008 R2 machines for collection of security events. To do this, simply add the Network Service account to the Built-in Event Log Readers group.


If instead, you’d like to be more specific and restrict Network Service account READ access to just the security event log, you can modify the security event log security descriptor as follows.

1. Open up a command prompt and run:

wevtutil gl security

This command tells you the current security descriptor for the security event log – specifically in the channelAccess value. The default value is:

O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)

Again, you want to append read access for the Network Service. In my example, your new security descriptor will be:

O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)

2. At the same command prompt, run:

 wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)

Note: This is all one command on the same line.
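As an added example (not from Mark’s post), the following PowerShell script performs the Network Service READ grant from both preparation sections above on the local machine: CustomSD in the registry on Windows Server 2003, channelAccess via wevtutil on Windows Server 2008 and later. It parses the existing descriptor before touching it and skips the append when the ACE is already present. The function names, the OS-version branch and the fallback default used when no CustomSD value exists are my assumptions; the ACE strings are the ones shown in the post.

```powershell
# Added example, not from the original post. Grants the Network Service READ on the
# Security log on the local machine: CustomSD registry value on Windows Server 2003,
# channelAccess (wevtutil) on Windows Server 2008 and later. Function names, the
# version branch and the fallback default are my assumptions.

$NetworkServiceSid = New-Object System.Security.AccessControl.SecurityIdentifier 'S-1-5-20'
$ReadAccess = 0x1   # the access mask in (A;;0x1;;;NS)

function Test-SddlGrantsRead {
    param([string]$Sddl)
    # Throws on malformed SDDL. That is deliberate: a bad CustomSD can lock everyone,
    # administrators included, out of the Security log, so never write one unparsed.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        if (($ace -is [System.Security.AccessControl.CommonAce]) -and
            ($ace.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessAllowed) -and
            ($ace.SecurityIdentifier -eq $NetworkServiceSid) -and
            (($ace.AccessMask -band $ReadAccess) -eq $ReadAccess)) {
            return $true
        }
    }
    return $false
}

function Add-NetworkServiceRead {
    param([string]$Sddl, [string]$Ace)
    if (Test-SddlGrantsRead $Sddl) { return $Sddl }   # already granted; do not append twice
    $updated = $Sddl + $Ace
    # Parse the result too, so a typo in $Ace is caught before it reaches the log.
    $null = New-Object System.Security.AccessControl.RawSecurityDescriptor $updated
    return $updated
}

$osVersion = [version](Get-WmiObject Win32_OperatingSystem).Version
if ($osVersion -lt [version]'6.0') {
    # Windows Server 2003: the descriptor lives in the CustomSD registry value.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
    $current = (Get-ItemProperty -Path $key -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
    if (-not $current) {
        # No CustomSD yet: start from the default the post shows (before the NS ACE).
        $current = 'O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)'
    }
    $updated = Add-NetworkServiceRead -Sddl $current -Ace '(A;;0x1;;;NS)'
    if ($updated -ne $current) {
        Set-ItemProperty -Path $key -Name CustomSD -Value $updated
        Write-Host "CustomSD set to: $updated"
    }
} else {
    # Windows Server 2008 and later: read channelAccess from wevtutil gl, write it with wevtutil sl.
    $line = @(wevtutil gl Security | Where-Object { $_ -like '*channelAccess:*' })[0]
    $current = ($line -replace '^\s*channelAccess:\s*', '').Trim()
    $updated = Add-NetworkServiceRead -Sddl $current -Ace '(A;;0x1;;;S-1-5-20)'
    if ($updated -ne $current) {
        wevtutil sl Security "/ca:$updated"
        Write-Host "channelAccess set to: $updated"
    }
}
```

Run it elevated on each log source; re-running is harmless because the ACE is only appended when it is missing.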


Configure the Member Server to Collect Events

Now that your server (in my example the Domain Controllers) configuration is complete, you need to configure the member server as the collection point.

1. On the member server that will be collecting the events, open a command prompt and run:

winrm qc

wecutil qc

Answer YES to any prompts you see.

The first command (winrm qc) configures the member server to accept WS-Management requests from other machines while the second command (wecutil qc) configures the Windows Event Collector service.

2. At the same command prompt, execute the following command and record the port:

 winrm enumerate winrm/config/listener


3. Open the Event Viewer

4. In the left-hand pane, click Subscriptions, then right-click Subscriptions and then left-click Create Subscription.

5. Specify a subscription name and then select Source computer initiated.


6. Click Select Computer Groups…

7. Click Add Domain Computers… and specify Domain Controllers (or a security group that includes the servers you’re interested in).


8. Click OK and OK.

9. Back on the Subscription Properties screen, click Select Events… and specify the events you wish to capture.

In my example, I’m looking for logon failures leading to account lockouts. These are logged as event 675 on Windows Server 2003 and event 4771 on Windows Server 2008 / 2008 R2.


10. Click OK.

11. Back on the Subscription Properties screen, click Advanced… and choose Minimize Latency.


12. Click OK and then OK to close the Subscription Properties screen.

13. Open a command prompt, run:

wecutil ss <subscription name> /cm:Custom /dmi:1


Note: This step is only necessary if event collection is time critical.

Policy for Event Forwarding

Having prepared the servers for collection of security events, you now require a Group Policy Object applied to them. This GPO will specify the member server (running Windows Server 2008 or later) where events are collected.

You must create and edit the GPO from a Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2 system. These are the only operating systems that provide policy settings for Windows Remote Management and Event Forwarding.

In my example, I want security events collected from my Domain Controllers. My member server is member.contoso.com running Windows Server 2008 R2.

1. Open the Group Policy Management Console (GPMC), create a new GPO and link it to the Domain Controllers OU.


2. Right-click the new GPO and open it for editing.

3. In the GPO Editor, navigate to Computer Configuration | Policies | Administrative Templates | Windows Components | Windows Remote Management (WinRM) | WinRM Service

4. In the right-hand pane, open Allow automatic configuration of listeners.

5. Set the policy to Enabled and set the IPv4 and IPv6 filters to *.


6. Click OK.

7. In the GPO Editor, navigate to Computer Configuration | Policies | Administrative Templates | Windows Components | Event Forwarding

8. In the right-hand pane, open Configure the server address, refresh interval, and issuer certificate authority of a target Subscription Manager.

9. Set the policy to Enabled and click Show….

10. Add the value Server=<member_server>:<port> where <port> is the port recorded earlier.


11. Click OK and OK.

12. Close the GPO editor.

13. Restart the Windows Remote Management (WS-Management) service on the Domain Controllers.

14. Wait. You need to be patient. Group Policy has to apply, the Windows Remote Management (WS-Management) service on the Domain Controllers has to pick up those policy settings and the Windows Event Collector service on the member server has to start talking to the DCs.

Once all of that settles down, you’ll see the events in the Forwarded Events log on the member server.


Conclusion

Now you’re fully prepared to nail down those troublesome problems in environments with high churn security logs!

- Mark “If it’s there I’ll find it” Renoden

Accelerating Your IT Career


Your career isn’t win or lose anymore, it is win or die. The days of guaranteed work, pensions, and sticking with one company for fifty years are gone. Success has returned to something Cro-Magnon man would recognize: if you’re good at what you do, you get to eat.

I recently spoke to university graduates about their future as new Microsoft engineers. For the first time, that meant organizing my beliefs. It distills four simple pillars: discipline, technical powerhouse, communication, and legacy. In the tradition of Eric Brechner and in honor of Labor Day, I’d like to share my philosophy.

Discipline

Learn constantly, not just when life is forcing you. Read every trustworthy article you can get your hands on, before you need to know it; the time to learn AD replication is not when its failure blocks your schema upgrade. Understanding architecture is the key to deploying and troubleshooting any complex system. If you get nothing else from this post, remember that statement - it can alter your life. For Directory Services, start here.

Don’t be good at one thing - be amazing at a few things, and good at the rest. We all know someone who's the expert on X. He guards X jealously, making sure he is "indispensable.” Notice how he’s always in a lousy mood: he's not allowing anyone to relieve his boredom and he lives in fear that if anyone does, he'll be replaced. Learn several components inside and out. When you get jaded, move on to a few more and give someone else a turn. You'll still be the expert while they learn and if things get gnarly, you can still save the day. Over time, you become remarkable in many areas. Keep your skills up on the rest so that you can pinch hit when needed. Surround yourself with smart people and absorb their knowledge.

Admit your mistakes. The only thing worse than making a mistake is trying to cover it up. Eventually, everyone is caught or falls under a career-limiting cloud of suspicion. Now colleagues will remember times they trusted you, and won’t make that "mistake" again. Plead guilty and start serving community service, where you help the team fix the glitch.

Get a grip. It's never as bad as you think. Losing your composure costs you concentration and brainpower. Remaining emotional and depressed makes you a poor engineer, and a lousy person to be around to boot. Learn how to relax so you can get back to business.

Never surrender. Your career path is a 45-degree angle leading up to infinity, not an arc - arcs come back down! Keep learning, keep practicing, keep refreshing, keep growing. Keep a journal of "I don't know" topics, and then revisit it weekly to see what you've learned. IT makes this easy: it's the most dynamic industry ever created. In my experience, the Peter Principle is usually a self-induced condition and not the true limit of the individual.

Technical Powerhouse

Figure out what makes you remember long term. There is a heck-of-a-lot to know when dealing with complex distributed systems - you can't always stop to look things up. Find a recall technique that works for you and practice it religiously. You’re not cramming for a test; you’re building a library in your brain to serve you for fifty years. No amount of learning will help if you can’t put it to good use.

Be able to repro anything. When I first came to Microsoft, people had fifteen computers at their desk. Thanks to free virtualization, that nonsense is over and you can run as many test environments as you need, all on one PC. "Oh, but Ned, those virtual machines will cost a fortune!" Gimme a break, it’s walking-around money. A lab pays for itself a thousand times every year, thanks to the rewards of your knowledge and time. It's the best investment you can make. Study and memory are powered by experience.

Know your dependencies. What does the File Replication Service need to work? DNS, LDAP, Kerberos, RPC. What about AD replication? DNS, LDAP, Kerberos, RPC. Interactive user logon? DNS, LDAP, Kerberos, RPC. Windows developers tend to stick with trusted protocols. If you learn the common building blocks of one component, you become good at many other components. That means you can troubleshoot, design, teach, and recognize risks to them all.

Understand network captures. It's hard to find an IT system talking only to itself. Notepad, maybe (until you save a file to a network share). There are many free network capture tools out there, and they all have their place. Network analysis is often the only way to know how something works between computers, especially when logging and error messages stink - and they usually do. I'd estimate that network analysis solves a quarter of cases worked in my group. Learn by exploring controlled, working scenarios; the differences become simple to spot in failure captures. Your lab is the key.

Learn at least one scripting language. PowerShell, CMD, VBS, KiXtart, Perl, Python, WinBatch, etc. – any is fine. Show me an IT pro who cannot script and I'll show you one that grinds too many hours and doesn't get the bonus. Besides making your life easier, scripting may save your business someday and therefore, your career. An introductory programming course often helps, as they teach fundamental computer science and logic that applies to all languages. This also makes dependencies easier to grasp.

Learn how to search and more importantly, how to judge the results. You can't know everything, and that means looking for help. Most people on the Internet are spewing uninformed nonsense, and you must figure out how to filter them. A vendor is probably trustworthy, but only when talking about their own product. TechNet and KB trump random blogs. Stay skeptical with un-moderated message boards and "enthusiast" websites. Naturally, search results from AskDS are to be trusted implicitly. ;-P

Communication

Learn how to converse. I don’t mean talk, I mean converse. This is the trickiest of all my advice: how to be both interesting and interested. The hermit geek in the boiler room - that guy does not get promotions, bonuses, or interesting projects. He doesn't gel with a team. He can't explain his plans or convince anyone to proceed with them. He can't even fill the dead air of waiting… and IT troubleshooting is a lot of waiting. Introverts don’t get the opportunities of extroverts. If I could learn to suppress my fear of heights, you can learn to chat.

Get comfortable teaching. IT is education. You’re instructing business units in the benefits and behavior of software. You're schooling upper management why they should buy new systems or what you did to fix a broken one. You're coaching your colleagues on network configuration, especially if you don’t want to be stuck maintaining them forever. If you can learn to teach effortlessly and likably, a new aspect to your career opens up. Moreover, there's a tremendous side effect: teaching forces you to learn.

Learn to like an audience. As you rise in IT, the more often you find yourself speaking to larger groups. Over time they become upper management or experienced peers; an intimidating mix. If you let anxiety or poor skills get in the way, your career will stall. Arm yourself with technique and get out in front of people often. It's easier with practice. Do you think Mark Russinovich gets that fat paycheck for his immaculate hair?

Project positive. Confidence is highly contagious. When the bullets are flying, people want to follow the guy with the plan and the grin. Even if deep down he's quivering with fear, it doesn’t show and he charges forward, knowing that everyone is behind him. People want to be alongside him when the general hands out medals. Self-assurance spreads throughout an organization and you'll be rewarded for it your whole career. Often by managers who "just can't put their finger" on why they like you.

Be dominant without domineering. One of the hardest things to teach new employees in Microsoft Support is how to control a conference call. You’re on the phone with a half dozen scared customers, bad ideas are flying everywhere, and managers are interrupting for “status updates”. You can’t be rude; you have to herd the cats gently but decisively. Concentration and firmness are paramount. Not backing down comes with confidence. Steering the useless off to harmless tasks lets you focus (making them think the task is important is the sign of an artist). There's no reason to yell or demand; if you sound decisive and have a plan, everyone will get out of the way. They crave your leadership.

Legacy

Share everything. Remember "the expert?" He's on a desert island but doesn’t signal passing ships. Share what you learn with your colleagues. Start your own internal company knowledgebase then fill it. Have gab sessions, where you go over interesting topics you learned that week. Talk shop at lunch. Find a reason to hang out with other teams. Set up triages where everyone takes turn teaching the IT department. Not only do you grow relationships, you're leading and following; everyone is improving, and the team is stronger. A tight team won't crumble under pressure later, and that's good for you.

Did you ever exist? Invent something. Create documentation, construct training, write scripts, and design new distributed systems. Don’t just consume and maintain - build. When the fifty years have passed, leave some proof that you were on this earth. If a project comes down the pipe, volunteer - then go beyond its vision. If no projects are coming, conceive them yourself and push them through. The world is waiting for you to make your mark.

I used many synonyms in this post, but not once did I say “job.” Jobs end at quitting time. A career is something that wakes you up at midnight with a solution. I can’t guarantee success with these approaches, but they've kept me happy with my IT career for 15 years. I hope they help with yours.

Ned "good luck, we're all counting on you" Pyle

Friday Mail Sack: Robert Wagner Edition


Hello folks, Ned here again. This week, we discuss:

Things have been a bit quiet this month blog-wise, but we have a dozen new posts in the pipeline and coming your way next week. Some of them from infamous foreigners! It’s all very exciting, keep your RSS reader tuned to this station.

On to the sackage.

Question

As far as I know, each computer name must be unique within a single domain. How do domain controllers check this uniqueness? Most applications (ADUC, ADSIEDIT, etc.) display the entry’s common name, which matches the computer account name and may not be unique.

Answer

The samaccountname attribute – often referred to as the “pre-Windows 2000 name” - is what needs to be unique, as it’s the real “user ID.” That uniqueness isn’t enforced by DCs when you create principals. You can create multiple computers, users, or groups with the same samaccountname. Well-written apps like DSA.MSC or DSAC.EXE will block you, but not because they are abiding by a DC’s rules:


If you use a less polite or more powerful app, a DC will let you create a duplicate samaccountname. At the first logon using that principal though, the DC will notice the duplicate and rename its samaccountname to “$DUPLICATE-<something>”.

If you want to see this for yourself:

1. Configure AD Recycle Bin in your lab.

2. Create a user and then delete it.

3. Recreate the user manually in another OU (same name, samaccountname, UPN – just in a different location).

4. Restore the deleted user to its previous location using the recycle bin.

5. Note how the identical users exist and have an identical samaccountname.

6. Log on as that user, and the restored user will have its samaccountname mangled with $DUPLICATE.

The “name” of the object is unique because it has to form a distinguished name, so you get that free thanks to LDAP. Only samaccountname and UPN will allow duplicates. And obviously, while I can create two computers with the same name in different OUs of the same domain, DNS is not going to be pleased and name resolution isn’t going to work – so this is all rather moot.

Question

When you were testing DFSR performance, what size file did you use for this statement?

  • Turn off RDC on fast connections with mostly smaller files - later testing (not addressed in the chart below) showed 3-4 times faster replication when using LAN-speed networks (i.e. 1 Gbit or faster) on Win2008 R2. This is because it was faster to send files in their totality than send deltas, when the files were smaller and more dynamic and the network was incredibly fast. The performance improvements were roughly twice as fast on Win2008 non-R2. This should absolutely not be done on WAN networks under 100 Mbit though as it will likely have a very negative effect.

Answer

97,892 files in 32,772,081,549 total bytes for an average file size of 334,777 bytes. That test used a variety of real-world files, so there was no specific size, nor were they automatically generated with random contents like some of the tests.

Question

When using AD Users and Computers, what is the difference for unlocking between this:

[image]

And this:

[image]

Answer

The first one is sort of a "placeholder" (it would have been better as a button that grayed out when not needed, in my opinion) to let you know where unlocking happens. An actual account lockout raises the extra text and clicking that checkbox now does something.

I prefer the way AD Administrative Center handles this:

[image]

[image]

Even better, I can just find the locked accounts and unlock them right there.

[image]

Or even betterer…er:

[image]

[image]
Woot, let’s unlock everyone and hit the bar!

Reminder: account lockouts are yuck. It’s just a way to create denial of service attacks. Use intrusion detection with auditing to find villains trying to brute force passwords. Even better, use two-factor auth with smart cards, which chemically neuters external brute force. If your security department thinks account lockout is better than this, get a new security department; yours is broken.

Question

Are the RDC parameters recursion depth, comparator buffer size, horizon size and hash window size configurable for DFSR?

Answer

No, no, no, and no. :) All you can choose is the minimum size to use RDC, or if you don’t want RDC at all.

[image]

[image]

That’s a great doc on how to write your own RDC application, by the way. It’s shocking how few there have been; we have an internal RDC copy utility that is the bomb. I wish we’d sell it to you, I like money.

[image]
Not as much as this guy, obviously

Question

How can I use USMT offline migration with vendor-provided full disk encryption, like McAfee Endpoint Encryption, Symantec PGP Whole Disk Encryption, Check Point Full Disk Encryption, etc.? I already know that with Microsoft BitLocker I just need to suspend it temporarily.

Answer

Any official documentation on making WIN PE mount a vendor-encrypted volume would come from the vendor, as they have to provide a driver and installation steps for WIN PE to mount the volume, or steps on how to “suspend” outside of PE like BitLocker. For example, McAfee’s tool of choice seems to be EETech (here is its user guide). I’d highly recommend opening a case with the vendor before proceeding, even if they provide online documentation. Easy to lose your data forever when you start screwing around with encrypted drives.

USMT does not have any concept of an encrypted volume (any more than Notepad.exe would); he’s a user-mode app.

Question

We use DFS Namespace interlinks, where a domain-based namespace links to standalone namespaces which then link to file shares. When we restart a standalone namespace root server though, clients start trying to get referrals as soon as it is available through SMB paths and not when its DFS service is ready to accept referrals. Is this expected?

Answer

This is expected behavior and demonstrates why deploying standalone DFS root servers on non-clustered servers goes against our best practices. The client bases server availability on SMB, which is ready at that point on the standalone server – it doesn’t know that this is yet another DFSN referral, and it’s not going to work yet. Interlinks are gross, for this reason. If you must use this, cluster the standalone servers so that they can survive a node reboot for Patch Tuesday without hurting your users’ feelings.

This is also why Win2008 (V2) namespaces were invented: so that customers could stop creating complex and fragile interlinked domain-standalone DFS namespaces in order to get around scalability limits. V2 scales nearly infinitely and if you deploy it, you can cut out the middle layer of servers and hopefully, save a bunch of dough.

Question

Have you ever seen the DFSR ConflictAndDeleted folder grow larger than the quota set, even when the XML file is not corrupt? E.g. 5GB when quota is set to the default of 660MB.

Answer

Yes, starting in Windows Server 2008. Previously, a damaged conflictanddeletedmanifest.xml required manual deletion. In Win2008 and later, the DFSR service detects errors parsing that XML file. It writes “Deleting ConflictManifest file” in the DFSR debug log and automatically deletes the manifest file, then creates a brand new empty one. Any files that were previously noted in the deleted manifest are no longer tracked, so they become orphaned in the folder. Not an ideal solution, but now you’re less likely to run out of disk space due to a corrupt manifest. That’s the downside to using a non-transactional file like XML – if there’s a disk hiccup, voltage gremlin, or trans-dimensional rift, you get incomplete tags.

I bet a bunch of DFSR admins are now checking their ConflictAndDeleted folders…

[image]
Aha, there’s that spreadsheet I was looking for… eww, it’s got eggshell goop on it.

Other Stuff

Black Hat put up their 2011 USA presentations, make sure you browse around. The ones I found most interesting (and include a whitepaper, slide deck, or video):

  • How a Hacker Has Helped Influence the Government - and Vice Versa (the writer of L0phtcrack talks about being a PM at DARPA)
  • Corporate Espionage for Dummies: The Hidden Threat of Embedded Web Servers (endless web servers you didn’t even know you had running)
  • Killing the Myth of Cisco IOS Diversity: Towards Reliable, Large-Scale Exploitation of Cisco IOS (he who controls the spice, controls the universe!)
  • Easy and quick vulnerability hunting in Windows (he points out how to examine your vendor apps carefully, as your vendor often isn’t)
  • Faces Of Facebook-Or, How The Largest Real ID Database In The World Came To Be (or: the reason Ned does not use social media)
  • OAuth – Securing the Insecure (or: the other reason Ned does not use social media)
  • Battery Firmware Hacking (Good lord, start FIRES?!)
  • Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System (Never mind fires, hacking people into diabetic comas!)

There were several Apple and iOS pwnage talks too. I don’t care about those but you might, especially if you’re the new “owner” of those unmanaged boxes in your environment, thanks to the Sales Borgs wanting iPads for no legitimate reason… Another hidden cost of “IT consumerization”.

A few people asked for a DOCX copy of the Accelerating Your IT Career post. Grab it here.

Free Artificial Intelligence class online from a Research Professor of Computer Science at Stanford University. Looks neato for the price.

Did you watch the Futurama season finale last night? The badly dubbed manga was a gigantic trough of awesome. I was right next to Katey Sagal at my hotel at Comic-Con. She is teeny.

Space.com has a terrific infographic of the 45 years of Star Trek.


At Microsoft, you name your own computers and dogfooding means you can join as many to the domain as you like. My user domain alone has 58,420 computers and it’s a “small” one in our forest, so trying to control machine names is counterproductive even for bureaucratabots. I have a test server called Stink, and yesterday I needed to remote its registry. When I typed in the name, I found I wasn't the first to think of smelly nomenclature:

[image]
The last one should be a band name

For MarkMoro and all those like him, the 10 best ’80s cop show opening credits (warning: a couple sweary words in the text, but all movies totally SFW; this is old American network TV, after all).

Finally, the best email conversation thread of last month:

Jonathan: Darn you, Ned. I lost track of an hour on this ConceptRobots site.
Ned: I should get a commission from the sites I push in Friday mail sacks.
Jonathan: Yes… you wield your influence so adroitly.
Ned: Or was it… androidly?

ahahHAHAHAHAHAHHAHAHAHHAHAHAHA


Ha.

Jonathan: I'm going to destroy your cubicle when you go to lunch.
Ned: That's fair.

 

Have a great weekend, folks.

Ned "still has a thing for Stephanie Powers" Pyle

Managing RID Pool Depletion


Hiya folks, Ned here again. When interviewing a potential support engineer at Microsoft, we usually start with a softball question like “what are the five FSMO roles?” Everyone nails that. Then we ask what each role does. Their face scrunches a bit and they get less assured. “The RID Master… hands out RIDs.” Ok, what are RIDs? “Ehh…”

That’s trouble, and not just for the interview. Poor understanding of the RID Master prevents you from adding new users, computers, and groups, which can disrupt your business. Uncontrolled RID creation forces you to abandon your domain, which will cost you serious money.

Today, I discuss how to protect your company from uncontrolled RID pool depletion and keep your domain bustling for decades to come.

Background

Relative Identifiers (RID) are the incremental portion of a domain Security Identifier (SID). For instance:

S-1-5-21-1004336348-1177238915-682003330-2100

  ==>

S-1-5-<Domain Identifier>-<Relative Identifier>

A SID represents a unique trustee, also known as a "security principal" – typically users, groups, and computers – that Windows uses for access control. Without a matching SID in an access control list, you cannot access a resource or prove your identity. It’s the lynchpin.

Every domain has a RID Master: a domain controller that hands each DC a pool of 500 RIDs at a time. A domain contains a single RID pool which generates roughly one billion SIDs (because of a 30-bit length, it’s 2^30 or 1,073,741,823 RIDs). Once issued, RIDs are never reused. You can’t reclaim RIDs after you delete security principals either, as that would lead to unintended access to resources that contained previously issued SIDs.

Anytime you create a writable DC, it gets 500 new RIDs from the RID Master. Meaning, if you promote 10 domain controllers, you’ve issued 5000 new RIDs. If 8 of those DCs are demoted, then promoted back up, you have now issued 9000 RIDs. If you restore a system state backup onto one of those DCs, you’ve issued 9500 RIDs. The balance of any existing RIDs issued to a DC is never saved – once issued they’re gone forever, even if they aren’t used to create any users. A DC requests more RIDs when it gets low, not just when it is out, so when it grabs another 500 that becomes part of its "standby" pool. When the current pool is empty, the DC switches to the standby pool. Repeat until doomsday.

Adding more trustees means issuing more blocks of RIDs. When you’ve issued the one billion RIDs, that’s it – your domain cannot create users, groups, computers, or trusts. Your RID Master logs event 16644 “The maximum domain account identifier value has been reached.” Time for a support case.

You’re now saying something like, “One billion RIDs? Pffft. I only have a thousand users and we only add fifty a year. My domain is safe.” Maybe. Consider all the normal ways you issue RIDs:

  • Creating users, computers, and groups (both Security and email Distribution) as part of normal business operations.
  • The promotion of new DCs.
  • Gracefully demoting a DC discards whatever remains of its RID pool.
  • System state restore on a DC invalidates the local RID pool.
  • Active Directory domains upgraded from NT 4.0 inherit all the RIDs from that old environment.

Now study the abnormal ways RIDs are wasted:

  • Provisioning systems or admin scripts that accidentally bulk create users, groups, and computers.
  • Attempting to create enabled users that do not meet password requirements.
  • DCs turned off longer than tombstone lifetime.
  • DC metadata cleaned.
  • Forest recovery.
  • The InvalidateRidPool operation.
  • Increasing the RID Block Size registry value.

The normal operations are out of your control and unlikely to cause problems even in the biggest environments. For example, even though Microsoft’s Redmond AD dates to 1999 and holds the vast majority of our resources, it has only consumed ~8 million RIDs - that's 0.7%. In contrast, some of the abnormal operations can lead to squandered RIDs or even deplete the pool altogether, forcing you to migrate to a new domain or recover your forest. We’ll talk more about them later; regardless of how you are using RIDs, the key to avoiding a problem is observation.

Monitoring

You now have a new job, IT professional: monitoring your RID usage and ensuring it stays within expected patterns. KB305475 describes the attributes for both the RID Master and the individual DCs. I recommend giving it a read, as the data storage requires conversion for human consumption.

Monitoring the RID Master in each domain is adequate and we offer a simple command-line tool I’ve discussed before, DCDIAG.EXE. Part of Windows Server 2008+ or a free download for 2003, it has a simple test that shows the translated number of allocated RIDs called rIDAvailablePool:

Dcdiag.exe /test:ridmanager /v

For example, my RID Master has issued 3100 RIDs to my DCs and itself:

[image]

If you just want the good bit, perhaps for batching:

Dcdiag.exe /TEST:RidManager /v | find /i "Available RID Pool for the Domain"

For PowerShell, here is a slightly modified version of Brad Rutkowski's original sample function. It converts the high and low parts of riDAvailablePool into readable values:

function Get-RIDsRemaining
{
    param ($domainDN)

    # Read riDAvailablePool from the RID Manager$ object in the System container
    $de = [ADSI]"LDAP://CN=RID Manager$,CN=System,$domainDN"
    $return = New-Object System.DirectoryServices.DirectorySearcher($de)
    $property = ($return.FindOne()).properties.ridavailablepool

    # High 32 bits: total RIDs the domain can ever issue; low 32 bits: RIDs issued so far
    [int32]$totalSIDS = $($property) / ([math]::Pow(2,32))
    [int64]$temp64val = $totalSIDS * ([math]::Pow(2,32))
    [int32]$currentRIDPoolCount = $($property) - $temp64val
    $ridsremaining = $totalSIDS - $currentRIDPoolCount

    Write-Host "RIDs issued: $currentRIDPoolCount"
    Write-Host "RIDs remaining: $ridsremaining"
}

[image]

Another sample, if you want to use the Active Directory PowerShell module and target the RID Master directly:

function Get-RIDsremainingAdPsh
{
    param ($domainDN)

    # Query the RID Master itself (not just any DC) so the value is current
    $property = Get-ADObject "cn=rid manager$,cn=system,$domainDN" -Property ridavailablepool -Server ((Get-ADDomain $domainDN).RidMaster)
    $rid = $property.ridavailablepool

    # High 32 bits: total RIDs the domain can ever issue; low 32 bits: RIDs issued so far
    [int32]$totalSIDS = $($rid) / ([math]::Pow(2,32))
    [int64]$temp64val = $totalSIDS * ([math]::Pow(2,32))
    [int32]$currentRIDPoolCount = $($rid) - $temp64val
    $ridsremaining = $totalSIDS - $currentRIDPoolCount

    Write-Host "RIDs issued: $currentRIDPoolCount"
    Write-Host "RIDs remaining: $ridsremaining"
}

[image]

Turn one of those PowerShell samples into a script that runs as a scheduled task that updates a log every morning and alerts you to review it. You can also use LDP.EXE to convert the RID pool values manually every day, if you are an insane person.

You should also consider monitoring the RID Block Size, as any increase exhausts your global RID pool faster. Object Access Auditing can help here. There are legitimate reasons to increase this value on certain DCs. For example, if you are the US Marine Corps and your DCs are in a warzone where they may not be able to talk to the RID Master for weeks. Be smart about picking values - you are unlikely to need five million RIDs before talking to the master again; when the DC comes home, lower the value back to default.

The critical review points are:

  1. You don’t see an unexpected rise in RID issuance.
  2. You aren’t close to running out of RIDs.
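Here is the scheduled daily check described above, worked through as an added example (not code from the post). It decodes rIDAvailablePool exactly as the samples above do, then tests both review points against yesterday's log line; PowerShell 3.0+ is assumed, the function names, log path and thresholds are my placeholders, and only Get-RidAvailablePool needs the AD module and a reachable DC.

```powershell
# Added example, not from the post: the scheduled daily check the text
# describes. Assumptions: PowerShell 3.0+ (for -shr/-shl and Export-Csv
# -Append), the AD module for the live read, placeholder log path/thresholds.

function ConvertFrom-RidAvailablePool {
    # rIDAvailablePool packs two 32-bit numbers into one 64-bit value:
    # high half = largest RID the domain can ever issue (2^30 - 1),
    # low half  = next RID to allocate, i.e. how many RIDs are already gone.
    param([Parameter(Mandatory)][int64]$Pool)
    $total  = $Pool -shr 32
    $issued = $Pool -band [int64]4294967295
    [pscustomobject]@{
        Total       = $total
        Issued      = $issued
        Remaining   = $total - $issued
        PercentUsed = [math]::Round(100 * $issued / $total, 4)
    }
}

function Get-RidAvailablePool {
    # Live read from the RID Master itself, so the value is never stale.
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)
    $ridMaster = (Get-ADDomain $DomainDN).RidMaster
    [int64](Get-ADObject "CN=RID Manager$,CN=System,$DomainDN" `
        -Properties rIDAvailablePool -Server $ridMaster).rIDAvailablePool
}

function Test-RidUsage {
    # The two review points: no unexpected rise, and not close to running out.
    param(
        [Parameter(Mandatory)][int64]$Pool,
        [int64]$PreviousIssued   = -1,    # Issued value from the last run; -1 = no history
        [int64]$MaxDailyIncrease = 5000,  # placeholder: normal daily growth plus headroom
        [double]$WarnPercentUsed = 50     # placeholder: warn long before exhaustion
    )
    $s = ConvertFrom-RidAvailablePool -Pool $Pool
    $alerts = @()
    if ($PreviousIssued -ge 0 -and ($s.Issued - $PreviousIssued) -gt $MaxDailyIncrease) {
        $alerts += 'Unexpected rise: {0} RIDs issued since last check' -f ($s.Issued - $PreviousIssued)
    }
    if ($s.Remaining -le 0) {
        $alerts += 'RID pool exhausted: no new users, groups, computers or trusts'
    } elseif ($s.PercentUsed -ge $WarnPercentUsed) {
        $alerts += '{0}% of the domain RID pool consumed' -f $s.PercentUsed
    }
    [pscustomobject]@{
        Checked = Get-Date; Total = $s.Total; Issued = $s.Issued
        Remaining = $s.Remaining; PercentUsed = $s.PercentUsed
        Alerts = $alerts -join '; '
    }
}

function Invoke-DailyRidCheck {
    # Scheduled-task entry point: compare with yesterday's log line, append today's.
    param([int64]$Pool = (Get-RidAvailablePool), [string]$LogPath = 'C:\Logs\ridusage.csv')
    $previous = -1
    if (Test-Path $LogPath) { $previous = [int64](Import-Csv $LogPath | Select-Object -Last 1).Issued }
    $result = Test-RidUsage -Pool $Pool -PreviousIssued $previous
    $result | Export-Csv $LogPath -Append -NoTypeInformation
    if ($result.Alerts) { Write-Warning $result.Alerts }   # wire your alerting in here
    $result
}

# Offline demonstration with constructed values: yesterday 3100 RIDs issued (the
# post's DCDIAG example), today 23100 after a provisioning script misbehaved.
$yesterday = (ConvertFrom-RidAvailablePool -Pool ((1073741823L -shl 32) + 3100)).Issued
Test-RidUsage -Pool ((1073741823L -shl 32) + 23100) -PreviousIssued $yesterday
# Decode the exhausted value quoted later in the post (DCDIAG's 1073741823 of 1073741823)
ConvertFrom-RidAvailablePool -Pool 4611686015206162431
```

Register Invoke-DailyRidCheck as the scheduled task; the two trailing calls only exercise the decoding offline.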

Let’s explore what might be consuming RIDs unexpectedly.

Diagnosis

If you see a large increase in RID allocation, the first step is finding what was created and when. As always, my examples are PowerShell. You can find plenty of others using VBS, free tools, and whatnot on the Internet.

You need to return all users, computers, and groups in the domain – even if deleted. You need the SAM account name, creation date, SID, and USN of each trustee. There are going to be a lot of these, so filter the returned properties to save time and export to a CSV file for sorting and filtering in Excel. Here’s a sample (it’s one wrapped line):

Get-ADObject -Filter 'objectclass -eq "user" -or objectclass -eq "computer" -or objectclass -eq "group"' -properties objectclass,samaccountname,whencreated,objectsid,uSNCreated -includeDeletedObjects | select-object objectclass,samaccountname,whencreated,objectsid,uSNCreated | Export-CSV riduse.csv -NoTypeInformation -Encoding UTF8

Here I ran the command, then opened in Excel and sorted by newest to oldest:

[image]
Errrp, looks like another episode of “scripts gone wild”…

Now it’s noodle time:

  • Does the user count match actual + previous user counts (or at least in the ballpark)?
  • Are there sudden, massive blocks of object creation?
  • Is someone creating and deleting objects constantly – or was it just once and you need to examine your audit logs to see who isn’t admitting it?
  • Has your user provisioning system gone berserk (or run by someone who needs… coaching)?
  • Have you changed your password policy and are now trying to create enabled users that do not meet password requirements (this uses up a RID during each failed creation attempt).
  • Do you use a VDI system that constantly creates and deletes computer accounts when provisioning virtual machines - we’ve seen those too: in one case, a third party solution was burning 4 million computer RIDs a month.
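To answer the “sudden, massive blocks of object creation” question without eyeballing Excel, here is an added example (not from the post) that buckets the riduse.csv export by creation hour and object class and pulls the RID out of each SID. The function names, the burst threshold and the VDI broker in the constructed sample are mine; it assumes whencreated parses with [datetime], as the Export-Csv output above does.

```powershell
# Added example, not from the post. Finds bursts of trustee creation in the
# riduse.csv export produced by the Get-ADObject one-liner above. A constructed
# sample is embedded so it runs offline; on a real domain feed it Import-Csv output.

function Get-RidFromSid {
    # The RID is the last sub-authority of the SID string.
    param([Parameter(Mandatory)][string]$Sid)
    [int64](($Sid -split '-')[-1])
}

function Find-RidBursts {
    param(
        [Parameter(Mandatory)][object[]]$Rows,
        [int]$BurstThreshold = 100     # placeholder: creations per hour that deserve a look
    )
    $keyed = foreach ($r in $Rows) {
        [pscustomobject]@{
            Hour  = ([datetime]$r.whencreated).ToString('yyyy-MM-dd HH:00')
            Class = $r.objectclass
            Rid   = Get-RidFromSid $r.objectsid
            Name  = $r.samaccountname
        }
    }
    foreach ($g in ($keyed | Group-Object Hour | Sort-Object Name)) {
        $rids    = @($g.Group | ForEach-Object { $_.Rid } | Sort-Object)
        $byClass = ($g.Group | Group-Object Class |
                    ForEach-Object { '{0}={1}' -f $_.Name, $_.Count }) -join ' '
        [pscustomobject]@{
            Hour     = $g.Name
            Created  = $g.Count
            Classes  = $byClass
            # A RID range much wider than Created means the objects came from several
            # DCs' pools, or that RIDs were burned by failed creations in between.
            RidRange = '{0}-{1}' -f $rids[0], $rids[-1]
            Burst    = ($g.Count -ge $BurstThreshold)
        }
    }
}

# Constructed sample: a normal trickle of objects, plus one hour in which a
# hypothetical VDI broker creates 150 computer accounts.
$domainSid  = 'S-1-5-21-1004336348-1177238915-682003330'   # the post's example domain
$sampleRows = @(
    [pscustomobject]@{ objectclass='user';     samaccountname='jdoe';    whencreated='2011-08-01 09:12:00'; objectsid="$domainSid-1105" }
    [pscustomobject]@{ objectclass='computer'; samaccountname='WKS001$'; whencreated='2011-08-01 09:40:00'; objectsid="$domainSid-1106" }
    [pscustomobject]@{ objectclass='group';    samaccountname='Finance'; whencreated='2011-08-02 11:05:00'; objectsid="$domainSid-1108" }
)
$sampleRows += 1..150 | ForEach-Object {
    [pscustomobject]@{ objectclass='computer'; samaccountname=('VDI-{0:d4}$' -f $_)
                       whencreated='2011-08-03 02:00:05'; objectsid="$domainSid-$(1600 + $_)" }
}

Find-RidBursts -Rows $sampleRows | Format-Table -AutoSize
# Real export from the post: Find-RidBursts -Rows (Import-Csv .\riduse.csv) | Where-Object Burst
```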

If the RID allocations are growing massively, but you don’t see a subsequent increase in new trustees, it’s likely someone increased RID Block Size inappropriately. Perhaps they set hexadecimal rather than decimal values – instead of the intended 15,000 RIDs per allocation, for example, you’d end up with 86,016!

It may also be useful to know where the updates are coming from. Examine each DC’s RidAllocationPool for increases to see if something is running on – or pointed at – a specific domain controller.

Recovery

You know there’s a problem. The next step is to stop things getting worse (as you have no way to undo the damage without recovering the entire forest).

If you identified the cause of the RID exhaustion, stop it immediately; your domain’s health is more important. If that system continues in high enough volume, it’s going to force you to abandon your domain.

If you can’t find the cause and you are anywhere near the end of your one billion RIDs, get a system state backup on the RID Master immediately. Then transfer the RID Master role to a non-essential DC that you shut down to prevent further issuance. The allocated RID pools on your DCs will run out, but that stops further damage. This gives you breathing space to find the bad guy. The downside is that legitimate trustee creation stops also. If you don’t already have a Forest Recovery process in place, you had better get one going. If you cannot figure out what's happening, open a support case with us immediately.

No matter what, you cannot let the RID pool run out. If you see:

  • SAM Event 16644
  • riDAvailablePool is “4611686015206162431”
  • DCDIAG “Available RID Pool for the Domain is 1073741823 of 1073741823”

... it is too late. Like having a smoke detector that only goes off when the house has burned down. Now you cannot create a trust for a migration to another domain. If you reach that stage, open a support case with us immediately. This is one of those “your job depends on it” issues, so don’t try to be a lone gunfighter.

Many thanks to Arren “cowboy killer” Connor for his tireless efforts and excellent internal docs around this scenario.

Finally, a tip: know all the FSMO roles before you interview with us. If you really want to impress, know that the PDC Emulator does more than just “emulate a PDC”. Oy vey.

 

UPDATE 11/14/2011:

Our seeds to improve the RID Master have begun growing and here's the first ripe fruit - http://support.microsoft.com/kb/2618669

 

 

Until next time.

Ned “you can’t get RID of me that easily” Pyle
