Improvements in Windows Server 2008 DNS

Windows administrators have been waiting to see the back of WINS for years but many applications still rely on single name labels (and multiple DNS name suffixes can become unwieldy). Windows Server 2008 DNS will provide an alternative through its GlobalNames zone (one of several improvements in Windows Server 2008 DNS).

Although it’s not listed in the article linked above, I understand (from Scotty McLeod) that Windows Server 2008 DNS allows the application of a conditional forward (globally – i.e. to all DNS servers) at the domain level; unfortunately, forwarder information still has to be defined on a server-by-server basis.
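The following script is an added example (not part of the original post) showing how the three points above look in practice on a Windows Server 2008 DNS server using dnscmd.exe: enabling and populating the GlobalNames zone, storing a conditional forwarder in the domain directory partition so every DNS-enabled DC in the domain receives it, and setting plain forwarders, which remain a per-server setting. The server names (DC1, DC2, BRANCH-DC1), the domain corp.example, the remote namespace partner.example and the IP addresses are assumed values for illustration.

```powershell
# Added example: Windows Server 2008 DNS configuration with dnscmd.exe.
# Run from an elevated PowerShell prompt on a DNS server that is also a DC.
# Assumed names (replace with your own): DC1 = this DNS server,
# corp.example = the AD domain, partner.example = a remote namespace served
# by 10.10.0.5 and 10.10.0.6, 192.0.2.53 = an upstream resolver.

$server = 'DC1'

# 1. GlobalNames zone: single-label name resolution without WINS.
#    GlobalNames support is a per-server switch, so it must be turned on
#    on every DNS server that should answer for the zone...
dnscmd $server /config /enableglobalnamessupport 1

#    ...but the zone itself is AD-integrated and replicated to the forest
#    partition, so it is created once. Records in it are static: only an
#    administrator adds names, which is what keeps the zone trustworthy.
dnscmd $server /zoneadd GlobalNames /dsprimary /dp /forest
dnscmd $server /recordadd GlobalNames intranet CNAME web01.corp.example.

# 2. Conditional forwarder stored in the domain directory partition:
#    replicated to, and used by, every DC running DNS in the domain.
dnscmd $server /zoneadd partner.example /dsforwarder 10.10.0.5 10.10.0.6 /dp /domain

# 3. Ordinary forwarders are still held per server, so the setting has to be
#    applied to each DNS server individually (looped here).
$dnsServers = 'DC1', 'DC2', 'BRANCH-DC1'
foreach ($s in $dnsServers) {
    dnscmd $s /resetforwarders 192.0.2.53
}

# Verify: list zones (with their storage/replication scope), confirm the
# GlobalNames zone, and dump the server settings including forwarders.
dnscmd $server /enumzones
dnscmd $server /zoneinfo GlobalNames
dnscmd $server /info
```

Because the GlobalNames zone holds static CNAME records only, a name in it wins over dynamically registered records of the same single label once support is enabled; the /enumzones output is the quickest way to confirm on each server that the zone arrived through directory replication rather than having been created locally.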

Musing about panoramic image formats

A few years back, I heard UK-based photographer, Nick Meers speak in general terms about landscape photography saying that in order to capture that special image you need to be passionate – and you can’t come back tomorrow! If you don’t make that image now, then you don’t have the passion… even if you do want to get to supper and don’t want to get the tripod out again!

Unfortunately, I find it hard to reconcile that passion with the demands of a young family, so my photography takes a back seat these days and it seems to me that many of the images I create are distinctly mediocre. Some of that mediocrity can be enhanced post-capture but that’s a time consuming process – and anyway, it’s much better to get it right first time.

But is digital editing really that bad? After all, with traditional (non-digital) methods, photographers have always used filters and darkroom techniques to enhance their images.

Even the viewfinder acts as a censor, selecting just the part of the overall scene that the photographer wants to appear in the final image. The trouble is that I find that the 3:2 aspect ratio used for 35mm film and by many digital cameras often doesn’t seem “right”. Some photographers (e.g. Charlie Waite) specialise in square images whilst others go for a letterbox format – something that I’ve always been attracted to – largely under the influence of one of my favourite photographers, Australia’s Peter Lik. It’s a pleasing format for the eye because it’s how people see. Consequently it is often used for wide-angle landscapes (and so works well in places with a wide field of view) but it is not exclusively a wide angle format and can work well for compressed images with a telephoto lens.

Lik (along with other notable landscape photographers like David Noton) uses expensive 6×17 panoramic format cameras with swing lenses but until recently there was an (almost) affordable way to take panoramic images using multiple frames on standard 35mm film – Hasselblad’s X System. Unfortunately Hasselblad withdrew their excellent XPan II camera from sale last year. I’d wanted one for a while but could never justify the expense (at least not once I purchased a digital camera).

In the end, it was digital photography that killed off the XPan – I’d love for Hasselblad to make a digital XPan but the reality is that image sensors come in a particular size and there would be technical hurdles to overcome that would make the product too expensive. Anyway, single images can be stitched together post-capture and now that the quality of digital image sensors has caught up with (and even surpassed) film, it’s hard to deride the convenience and low cost of digital photography.

I’m torn – should I save up for a second-hand XPan, buy a digital body with a higher-quality image sensor (so I can crop a decent quality panoramic photo from a single frame), or take separate images and stitch them together?

Windows Server 2008 read only domain controllers

This is the last post I’m intending to write based on the content from the recent Windows Server UK User Group meeting – this time inspired by Scotty McLeod’s presentation on read only domain controllers (RODCs), a new feature in Windows Server 2008.

In my post from a few weeks back about some of the new features in Windows Server 2008, I wrote:

Backup domain controllers (BDCs) are back! Except that now they are called read-only domain controllers (with unidirectional replication to offer credential caching and whilst increasing the physical security of remote domain controllers, e.g. in branch offices).

That statement was slightly tongue-in-cheek and, if taken literally, would be inaccurate. RODCs are more complex than Windows NT BDCs were. Active Directory still uses a multiple master replication model, but RODCs are really a means of providing a read-only replica of the directory (with outbound replication disabled) – for example at remote sites where having a fully-functional domain controller would be a security risk. As far as Active Directory is concerned, an RODC is not a domain controller – it actually has a standard workstation account (with some extra attributes).

This has a major advantage in that, unlike a domain controller, an RODC has a local account database, with a local Administrators group (of which Domain Admins will be a member). In effect, this means that a user can be made a full administrator of the RODC, without needing to be a Domain Admin.

In order to create an RODC, the forest and domain need to be at Windows Server 2003 forest functional level with at least one (preferably more) Windows Server 2008 DC present. The forest and domain must also have been prepared for RODCs with adprep /rodc.

The next stage is to provision the computer account, selecting a site and whether or not DNS/Global Catalog services will be enabled. The information stored on an RODC is controlled with password replication policies – allow/deny lists for replication of passwords based on users, groups or computers. Two new groups are created – DeniedRODCPassword and AllowsRODCPassword – and, as for other Windows NT ACLs, deny takes precedence over allow. Next, it’s necessary to define who will manage the RODC – this effectively defines a user account that can administer the server without needing Domain Admins membership (e.g. to apply patches, restart the server, etc.). One gotcha is that this is a single user (not a group) – many organisations will circumvent this with service accounts, but that’s really not good practice.

Following this, a new computer account should be visible in the directory. The Windows Server 2003 version of Active Directory Users and Computers (ADUC) will see the account as disabled, whereas the Windows Server 2008 tools will report it as an unoccupied DC account. On joining the domain, the computer will be linked with its account and will become an RODC.

The RODC concept relies on a principle called constrained Kerberos delegation, which in turn needs value linked replication – hence the requirement for Windows Server 2003 domain and forest functional levels. In addition, the requirement for a Windows Server 2008 DC with which to communicate arises because a Windows Server 2003 DC will see the RODC as a “normal” computer – e.g. a workstation. Of course, the Windows Server 2008 DC is potentially a single point of failure, so more than one should be deployed.

The constrained Kerberos authentication works as follows:

  • In addition to the krbtgt account that will already exist in the domain (a Kerberos ticket granting service account), each RODC will have its own TGT account created in the form krbtgt_identifier in order to issue its own Kerberos tickets without compromising domain security.
  • If a user attempts to logon at a remote site, their credentials will initially be validated by the local RODC.
  • Because password hashes are stripped from RODC replication, if this is the user’s first login attempt, or if they are not in the AllowsRODCPassword group, then the authentication request will be passed across the WAN to a full DC. When the ticket is returned, the RODC asks a full DC running Windows Server 2008 to replicate a single attribute (the password hash), which is then held for future logins.
  • If a login is authenticated by the RODC then a local Kerberos ticket is issued. This local ticket will not be valid elsewhere on the domain (effectively each RODC becomes a subdomain for authentication purposes) and requests to access other resources will be referred to a full DC running Windows Server 2008.

It is possible to force inbound replication to an RODC for a defined set of users (i.e. to pre-populate the information for users on a particular site); however this information can quickly become stale.
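As an added example (not from the post or Scotty’s presentation), the following script shows the password replication policy and pre-population steps described above, together with the audit an administrator would run to see exactly which secrets an RODC is holding, using repadmin.exe and dsquery.exe from a Windows Server 2008 DC or a workstation with the AD DS tools installed. The RODC name BRANCH-RODC1, the hub DC HUB-DC1, the group CORP\Branch-Users, the account CORP\Svc-Backup and the user DNs are assumed values for illustration.

```powershell
# Added example: RODC password replication policy (PRP) administration.
# Run from an elevated prompt with the AD DS tools (repadmin, dsquery).
# Assumed names (replace with your own): BRANCH-RODC1 = the RODC,
# HUB-DC1 = a writable Windows Server 2008 DC, CORP\Branch-Users = the
# branch office users, CORP\Svc-Backup = a sensitive service account.

$rodc  = 'BRANCH-RODC1'
$hubDc = 'HUB-DC1'

# 1. Allow the branch users' password hashes to be cached on this RODC.
#    A group keeps the policy manageable as staff change.
repadmin /prp add $rodc allow 'CORP\Branch-Users'

# 2. Deny a sensitive account explicitly. Even if it is (or later becomes)
#    a member of an allowed group, deny takes precedence over allow, so its
#    hash is never stored on the branch server.
repadmin /prp add $rodc deny 'CORP\Svc-Backup'

# 3. Pre-populate the cache so a user's first branch logon does not depend
#    on the WAN link. The hashes are copied once; a later password change
#    at the hub is not pushed out, which is why this data can go stale.
$branchUsers = 'CN=Alice Example,OU=Branch,DC=corp,DC=example',
               'CN=Bob Example,OU=Branch,DC=corp,DC=example'
repadmin /rodcpwdrepl $rodc $hubDc $branchUsers

# 4. Audit. The 'reveal' list is the set of accounts whose passwords would
#    need resetting if this RODC were lost or stolen; 'auth2' shows who has
#    authenticated through it and is therefore a candidate for the allow list.
repadmin /prp view $rodc allow
repadmin /prp view $rodc deny
repadmin /prp view $rodc reveal
repadmin /prp view $rodc auth2

# 5. Each RODC issues tickets with its own krbtgt_<id> account; listing them
#    confirms which RODCs exist and that none has been left behind after a
#    decommission.
dsquery user -name 'krbtgt_*'
```

Review the reveal list as part of change control for the branch: any account that appears there but no longer needs to work at that site should be removed from the allow list and have its password reset, since the RODC continues to hold the old hash until it is overwritten.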

Scotty went on to mention a couple of things to beware of when planning to use RODCs:

  • Because an RODC cannot be written to, some applications will see RODCs simply as an LDAP server; if an LDAP v3 referral is invoked, then many applications will fail.
  • Whilst Exchange Server will treat an RODC as a GC, Outlook will not.