10,000 feet view of Microsoft Active Directory

Non-technical colleagues, and friends who work with Microsoft products but outside of a corporate environment often ask me “what is Active Directory” (AD). As I’ve blogged a few 10,000 feet views of Microsoft technologies, I thought I’d produce one for AD.

At the Microsoft Technical Roadshow event last May, Paul Brombley (a messaging technology specialist for Microsoft UK) gave a presentation on Exchange and the Active Directory which included an “AD 101”. As I thought it was an excellent overview I haven’t re-invented the wheel and the following is taken from my notes from that presentation, with a few items added from my own experience.

Active Directory is basically a distributed database. It is hierarchical, with a permissions model, includes a common set of objects and is integrated with Windows Security as the primary means of authentication (and hence authorisation).

AD makes use of DNS as a name service. AD cannot be implemented without DNS although it does not require a Microsoft DNS service – in fact, any DNS server supporting SRV records (RFC 2782) and dynamic DNS updates (RFC 2136) can be used to support Active Directory although there are advantages to using the Windows DNS Server (e.g. AD-integrated DNS zones).

This reliance on DNS is apparent when the logical structure of AD is examined. As with Windows NT, domains can be linked using trust relationships. The main differences with AD are that DNS, rather than NetBIOS naming, is the naming service for AD domains (NetBIOS and WINS are supported only for legacy purposes) and that default trusts are two-way transitive Kerberos trusts.

Each AD server is called a domain controller (DC) and all DCs can authenticate users.

Each domain must have at least one DC. One or more domains sharing a common schema are referred to as a forest. If these domains also have a contiguous namespace then they are called a tree, and each forest may contain multiple trees; however the first domain in the forest is always the forest root domain. These concepts are illustrated in the Windows 2000 Advanced Server help documentation: understanding domain trees and forests.

DCs replicate data using a multiple master model (although there are five roles known as operations masters, or FSMOs, which dictate the master server for certain operations at domain or forest level – for more information, see Daniel Petri’s description of the FSMO roles).

There are four naming contexts (NCs) which make up AD:

  • The schema NC contains a schema of object definitions. This is common throughout the entire directory and can be changed by a domain administrator running with local system privileges, which is why the forest (and not the domain, as is commonly misconceived) is the security boundary. The schema NC is replicated between all domain controllers.
  • The configuration NC contains details of the replication technologies, domains and servers. This is replicated to all DCs within a forest.
  • The domain NC contains objects such as users, groups and contacts. This is replicated to all DCs within a domain; however a DC can also have an additional role of a global catalog (GC) server. The GC is a subset of each domain NC in the forest, merged to form a single view of the objects in the directory (albeit without all attributes). Applications such as Microsoft Exchange make heavy use of GC servers, e.g. to create a global address list.
  • The application NC is new to Windows Server 2003 AD and contains volatile application information. This is held on specific DCs within the forest.

An AD site is a group of servers with good connectivity (generally LAN connected). A site can span domains and a domain can cross a number of sites.
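One consequence of the DNS dependency described above is that a client finds a domain controller by DNS SRV lookup. The following Python is an added example (not from this post or from Microsoft): it builds the _msdcs record names a client queries for a domain and an optional AD site, and orders a constructed SRV answer the way RFC 2782 prescribes.

```python
"""How a client locates a domain controller through the DNS SRV records the
page mentions (RFC 2782). Added example, not from the original post: the record
names follow the _msdcs convention that DCs register in DNS; the records
themselves are constructed sample data, not a real zone."""
import random
from collections import defaultdict
from typing import List, Optional, Tuple

# Constructed sample answer for _ldap._tcp.dc._msdcs.example.com
# as (priority, weight, port, target).
SAMPLE_SRV = [
    (0, 100, 389, "dc1.example.com."),
    (0, 100, 389, "dc2.example.com."),
    (10, 0, 389, "dc-dr.example.com."),  # only tried when priority-0 DCs fail
]


def dc_locator_names(domain: str, site: Optional[str] = None) -> List[str]:
    """Names a client asks for, most specific first: the site-specific record
    steers it to a DC in its own AD site (good connectivity); the domain-wide
    record is the fallback."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


def srv_order(records, rng=random) -> List[Tuple[str, int]]:
    """Order SRV targets as RFC 2782 describes: lowest priority first; within
    one priority, weighted random selection, where weight-0 records have only
    a very small chance of being picked ahead of weighted ones."""
    by_priority = defaultdict(list)
    for prio, weight, port, target in records:
        by_priority[prio].append((weight, port, target))
    ordered = []
    for prio in sorted(by_priority):
        # RFC 2782: weight-0 records go to the front, so only a draw of 0 picks them
        pool = sorted(by_priority[prio], key=lambda r: r[0] > 0)
        while pool:
            total = sum(w for w, _, _ in pool)
            draw = rng.randint(0, total)
            running = 0
            for i, (w, port, target) in enumerate(pool):
                running += w
                if running >= draw:
                    ordered.append((target, port))
                    del pool[i]
                    break
    return ordered


if __name__ == "__main__":
    print(dc_locator_names("example.com", site="London"))
    print(srv_order(SAMPLE_SRV))
```

Whoever can answer these queries decides which server a client authenticates against, so the integrity of the DNS zone (and who may dynamically update it) is part of the directory's trust base.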

In addition to those covered in my earlier post, new features in Windows Server 2003 AD include:

  • Schema deactivation, whereby certain attributes (not those added by Exchange) can be blanked out (although they are not deleted and remain present in the database).
  • Group membership replication improvements, whereby only deltas are replicated (with Windows 2000 sometimes the replication took longer than the 15 minute replication interval).
  • Domain renaming (with restrictions).
  • Application naming context (discussed above).

(Some of these features require the domain or forest to be running at Windows Server 2003 domain or forest functional level).

So, that’s AD in a nutshell. For further reading, check out Microsoft’s Windows Server 2003 Active Directory pages or Active Directory forestry: investigating and managing objects and attributes for Windows 2000 and Windows Server 2003 by John Craddock and Sally Storey.

Comparing Intel processors

I’ve spent most of today comparing a variety of PC workstation specifications from various manufacturers. This isn’t normally a level of detail I get involved in so I found the Intel processor product numbers information particularly useful for comparing features between the various CPU types, particularly the discover processor technologies multimedia presentation.

One method of opening strange attachments from trusted sources

Whilst I was on holiday last week, a professional photographer friend of ours sent me a list of gear that he is selling now that he has switched from Nikon to Canon (come on Nikon, can we have a full-frame image sensor in a digital SLR please…). Unfortunately, he is a Macintosh user and the attachment arrived in Microsoft Outlook as a .DAT file. Not having a clue what application he had created this list in, I opened it with Notepad and found the words Microsoft Excel Worksheet contained within all of the binary garbage. I opened the file again (this time in Excel) and hey presto – a list of equipment for sale!

New features for the MSN toolbar

Last week, Paul Thurrott reported in the Windows IT Pro magazine network WinInfo Daily Update that MSN have begun beta testing of an add-on for the MSN toolbar called roaming favorites, allowing users to manage, search, and access Internet Explorer (IE) favorites whatever PC is in use, as long as it has the MSN toolbar installed (favorites are synchronised to a central server, accessed from anywhere on the Internet using a Passport logon).

It sounds great (I’ve been thinking of writing a set of scripts to do this for me for some time now as I use at least 3 PCs and start.com didn’t really work out for me as a kind of web-based home page), but I do wish it didn’t rely on the MSN toolbar – why can’t it be a feature within IE7 (for once, one which Microsoft might have thought up themselves).

Meanwhile, in a separate update, Thurrott reports that another piece of new functionality that is intended for IE7 will also be available for IE6 users (again in the MSN Toolbar) – Microsoft’s phishing filter, a feature that helps protect users from scam websites.

Both features sound great, but I’d much rather have them available as a download for all Windows XP users without needing the MSN toolbar. On the other hand, it’s only a matter of time before Google (my preferred toolbar) integrates a similar feature…

Vodafone VSPAM

When I got my new company mobile a few weeks back, I turned it on and immediately received a couple of spam SMS messages inviting me to call a premium rate number. Of course, I deleted them, but I might not have if I’d known about Vodafone’s VSPAM initiative.

“When an unsolicited text message is received a Vodafone customer can forward it, free of charge, directly to 87726 or VSPAM on their mobile keypad. Vodafone will then collate a consolidated report of all the unsolicited text messages reported by its customers, which it plans to send directly to mobile messaging regulators… previously customers were advised to contact the Independent Committee for the Supervision of Standards of Telephone Information Services (ICSTIS) directly… [who] can take regulatory action against parties running such services. ICSTIS has prosecuted several service providers so far and it intends to ‘name and shame’ the operators who currently support the service providers running these premium rate services.”

[Vodafone press release, 21 August 2003]

Even though this initiative is two years old, I’ve not come across it before, so I’m blogging it here for anyone who is interested.

Useful mobile handset commands

Have you ever been asked to type out some obscure code on your mobile handset to retrieve some information for a support representative? Here are some of the useful codes I’ve found (tested on Nokia handsets using the two largest UK networks: a Nokia 6021 connected to Vodafone; and a Nokia 6600 connected to Orange):

  • *#06# – display the IMEI of the handset (does not require send to process). IMEI number analysis will show details of the handset manufacturer, type and production date (although strangely, my Nokia 6021 is recorded as having been produced two days after I received it!) as well as handset approval information and IMEI number break down.
  • **21*number# – divert all calls to number (call forwarding).
  • *43# – activate call waiting.
  • #43# – cancel call waiting.
  • 141number – temporarily withhold caller line identification (CLI) information when calling number.

These ones might be useful for Vodafone users (none of them worked for my handset connected to Orange):

  • *#100# – obtain own number (returned in local format, e.g. 07812345678). Number analysis will give a whole host of useful information about a number including the number range, country/operator/network (for mobile numbers – although my personal number which has been transferred between networks still shows the operator as Vodafone Ltd even though it’s been connected to Orange for over a year now), number break-down, network technology type (for mobile numbers), and dialling format information.
  • *#104# – obtain voice mailbox number (a response of 447812345678 VF-GMLRE relates to a voice mailbox number of +44-7812345678).
  • *#147# – display number of last caller, along with time and date (e.g. 01234567890 08:00 30AUG05).
  • *61*mailboxnumber*10*duration# – set the ring duration before diverting to voice mail (where mailboxnumber is in international format, e.g. +447812345678, and duration is between 5 and 30).
  • *#1345# – check pay as you talk balance.
  • ##0021# – cancel call forwarding.
  • 1210 – cancel all voicemail diverts.
  • 1211 – reset all voicemail diverts to the standard setting (divert if switched off, engaged, or out of coverage).
  • 1212 – send all calls to voicemail (e.g. when abroad and receiving calls could cost you money!).
  • 1213 – remove the all calls divert (1212).
  • 1471 – voice equivalent of *#147#, with call return options.
  • 21212 – record a personal greeting.

Another useful Vodafone number to know is for checking call rates when abroad. Text from country (e.g. from France) to 4636 and the reply will detail the cost to make a call from country, the cost to receive a call from country, the cost of sending an SMS message from country to a UK number and the name of the Vodafone preferred rate network for country (e.g. SFR in France).

If anyone has some more useful codes (not numbers for information services), please leave a comment on this post including the handset type and network on which the codes have been tested (no requests for handset unlocking codes please).

Other useful links

Area code information
International dialing instructions

So you want to be a consultant…

Earlier today I posted a link to Steve Friedl’s illustrated guide to IPSec. Steve’s site has a whole load of technical tips, but one item I stumbled across was his extremely interesting review of consultancy practices (subtitled as “Why work 8 hours/day for someone else when you can work 16 hours/day for yourself?”).

As an IT consultant (albeit one employed by a global IT services organisation), married to a PR consultant, I can really relate to some of Steve’s consulting maxims, the most pertinent of which I’ve quoted below:

  • “‘Trust’ is your best job security”.
  • “You are primarily in the customer service business, not the technical business”.
  • “For a good consultant, your voice is comforting: Be very easy to find”.
  • “The best way to appreciate the value of a good [specification] is to do a project without one”.
  • “Customers hate ‘unhappy surprises’ much more than ‘timely bad news’”.
  • “Ongoing business is much more important than maximizing every billable hour” (which goes hand in hand with “hourly arrangements of any substantial magnitude require that you have earned your customer’s trust”).
  • “It’s better to give away some time than to throw away your reputation” (but remember “if the customer doesn’t know you did work off the clock, you don’t get credit for it”).
  • “Detail is comforting to a customer”.
  • “If you routinely take ownership for your own mistakes, you’re much more likely to be believed when you claim something is not your doing”.
  • “Your best advertisement is publishing of original, technical content”.
  • “It’s a huge asset to communicate well – cultivate this skill vigorously”.
  • “Your references are your reputation in the consulting world”.
  • “The customer is not always right”.
  • “The Internet never forgets: don’t provide dirt for your future”.
  • “If you’re booked up solid, your rates are too low”.
  • “Your long-term customers are your best customers”.
  • “The best way to make a lot of money is to make your customers a lot of money”.
  • “You must know how to read your customer”.
  • “Your customers are buying your judgment, not just your time”.
  • “Being known for your integrity is the Holy Grail of consulting”.

He also makes some useful observations on technical skills and certification:

“Your references and your experience are far more important than your certifications. What counts here is truly learning the subject matter, and there is no harm in obtaining the certificate in the process. But if the goal is just to collect some paper, it leads to the prototypical computer jockey with lots of alphabets after his name but limited power in the driver’s seat.

Where the skills question gets tricky is when getting outside your comfort zone: a customer will ask you about a project that you are almost, but not quite, qualified for. Surprisingly, this happens a lot: if you have conducted yourself well, your customer would rather find a way to use you – a known quantity – than find somebody else. This occurs over a fairly wide range of skills.

When considering one of these projects, the first rule is: never lie to your customer about your skills. Be completely candid with your customer about what you know and how you would address the project. This would likely include substantial off-the-clock time as you got up to speed on the technology in question.”

Well worth a read for any consultant (whether self employed or not) and for any customers who employ consultants too!

An introduction to IPSec

I’ve been meaning to write something about Internet protocol security (IPSec) ever since I heard Steve Lamb talk about it a few months back but Owen Cutajar blogged about Steve Friedl’s Illustrated Guide to IPSec a few days back which gives a much better description than I ever will! Steve’s site has a whole load of useful technical tips, but as his URL might give away, he comes at things from a UNIX perspective.

For Windows users who are interested in implementing IPSec, I recommend that you read both Steve Lamb’s blog and Steve Friedl’s Illustrated Guide to IPSec, but what follows is a brief description of some high-level concepts which might help to put it all into context.

Although it sounds complex, symmetric key cryptography is a very basic method of encrypting messages (e.g. DES or AES/Rijndael) using a shared secret. The plain text input is encrypted to produce cipher text which is transmitted to the intended recipient, who can then decrypt it to produce plain text output. An example of such a mechanism is the Caesar shift, whereby characters are shifted by a known number of places (the shared secret), so that for example if the shared secret is 3, A becomes D, B becomes E, and so on. Symmetric key cryptography is simple, and fast, but relies on some form of mechanism for exchanging keys (shared secrets).

Symmetric key cryptography

Public key cryptography is an asymmetric encryption mechanism, whereby knowledge of the encryption key doesn’t provide the methods to decrypt the message. The recipient of the message generates a pair of keys (using a certificate authority) and publishes the public key in a directory so that anyone can send them encrypted messages that only they can read. This pair of keys is actually a single key split mathematically using a one-way algorithm (i.e. one which current mathematics does not allow to be reversed). When sending a message, it is encrypted with the recipient’s public key and they can decrypt it (using their private key). Unfortunately even this method has its weaknesses as it is slow, subject to what is known as a “known ciphertext” attack and requires the public key to be trusted (i.e. to be from a known certificate authority).

Asymmetric key cryptography

The real-world answer is often a hybrid encryption process whereby a symmetric session key is encrypted using the recipient’s public key and then, once this key has been decrypted by the recipient (using their private key), they can read messages encrypted using the session key. The session key is transmitted with the encrypted message as a digital envelope. Once the message exchange is complete (whether that is literally the transfer of a message, or a communication session) the session key is disregarded (i.e. its life is finite – dictated by the length of the session).
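The symmetric, asymmetric and hybrid steps above, carried through in Python as an added example (not from the original post): the page’s own Caesar shift stands in for the symmetric cipher, and a textbook RSA key pair built from two tiny constructed primes stands in for the recipient’s public/private key, so the envelope structure is visible end to end. The key sizes and the lack of padding make it a teaching toy only.

```python
"""Hybrid (digital envelope) encryption, worked with the page's own Caesar shift
as the symmetric cipher and a deliberately tiny textbook RSA key pair as the
asymmetric part. Added example, not from the original post; the primes are
constructed toy values and nothing here is usable as real encryption."""
import random
import string

ALPHABET = string.ascii_uppercase


def caesar(text: str, shift: int, decrypt: bool = False) -> str:
    """Symmetric cipher: shift letters by the shared secret, leaving other
    characters alone. The same secret decrypts by shifting back."""
    if decrypt:
        shift = -shift
    out = []
    for ch in text:
        if ch.upper() in ALPHABET:
            new = ALPHABET[(ALPHABET.index(ch.upper()) + shift) % 26]
            out.append(new if ch.isupper() else new.lower())
        else:
            out.append(ch)
    return "".join(out)


def rsa_keypair(p: int = 61, q: int = 53, e: int = 17):
    """Textbook RSA from two small primes (constructed toy values, far too
    small for real use). Returns ((e, n), (d, n)): the public part can be
    published; knowing it does not reveal d."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def rsa_encrypt(m: int, public_key) -> int:
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(c: int, private_key) -> int:
    d, n = private_key
    return pow(c, d, n)


def seal(message: str, recipient_public, session_key=None) -> dict:
    """Sender side: pick a fresh session key (here a Caesar shift), encrypt the
    message with it, and wrap the session key with the recipient's public key.
    The wrapped key travels with the ciphertext as the digital envelope."""
    if session_key is None:
        session_key = random.randrange(1, 26)
    return {
        "wrapped_key": rsa_encrypt(session_key, recipient_public),
        "ciphertext": caesar(message, session_key),
    }


def open_envelope(envelope: dict, recipient_private) -> str:
    """Recipient side: recover the session key with the private key, then
    decrypt. The session key is discarded once the exchange is over."""
    session_key = rsa_decrypt(envelope["wrapped_key"], recipient_private)
    return caesar(envelope["ciphertext"], session_key, decrypt=True)


if __name__ == "__main__":
    pub, priv = rsa_keypair()
    env = seal("Meet at the station at noon", pub)
    print(env, "->", open_envelope(env, priv))
```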

IPSec is used to authenticate and/or encrypt TCP/IP communications, securing either specific ports or all IP traffic and is obligatory for IPv6.

In an Active Directory environment, IPSec is generally configured via group policy and both the client and the server must be configured. No reply is issued to rejected packets – they are simply dropped. Installing a certificate authority (CA) is a simple process (although because a lot of the configuration is wizard-based, it can be difficult to appreciate exactly what has been done). Windows Server 2003 Certificate Services allows a hierarchy of CAs to be implemented (generally with the root CA kept offline once the hierarchy is established) as well as adhering to public key standards from RSA, Entrust and Verisign (licensed by Microsoft to avoid any per-certificate cost issues). Once a certificate has been issued the client no longer needs to communicate with the CA. Of course, internal CAs are only suitable for internal use of IPSec (a trusted CA needs to be used for securing traffic across the Internet).

One of the advantages of IPSec is that, because it works at the network layer, it can be used to provide secure data transfer without affecting applications; however the downside is that architects (or administrators) should carefully consider the impact that encrypting all traffic would cause as some security software (e.g. intrusion detection systems) will no longer function.

Service packs, feature packs and releases – how they should work

The various Microsoft product groups issue service packs, feature packs and releases. This is all very well, but they mean different things to different people and are confusing. Then, last Friday, Paul Thurrott reported in the Windows IT Pro magazine network WinInfo Daily Update that Virtual Server 2005 SP1 will now become Virtual Server 2005 release 2 (R2). This might sound like a trivial name change, but what it means for legal users of Virtual Server 2005 (a basically good product, but with a few fairly significant bugs) is that they will need to purchase R2, rather than install a free service pack.

If Microsoft follows this path they are going the way of Apple, who issue point version upgrades to their OS X operating system and have the audacity to charge existing users for a full product (there is no upgrade available).

In my opinion:

  • Service packs should fix bugs (security or otherwise), and critical patches should be released in advance of a rolled-up, regression tested, service pack. Ideally service packs should also have a predictable timescale (e.g. 6 months after product release then every 12 months from then on until the product reaches end of life).
  • Feature packs should offer new features for an established product. I don’t believe that there should have been any additional features included with Windows XP SP2 (e.g. the Windows Firewall) – instead SP2 should have been a set of bug fixes (alleviating some of the deployment issues associated with new technology) and additionally Microsoft should have offered a free feature pack for Windows XP which provided the extra security features. In this way, users can stay at the latest supported product release (service pack level) but choose which feature packs to add. Security features and other important updates should be free of charge. Others which enhance a product might carry a small charge.
  • Mid-life releases (e.g. Windows Server 2003 R2) are all very well as a marketing mechanism for rolling the latest service packs into a product for new users, but should not preclude existing users from gaining from the latest service pack/feature pack updates. If a product really warrants a new licence, then it should carry a new (major) version number!

Following this model, Virtual Server 2005 R2 should really be a service pack and there should be an additional feature pack for the new features which Microsoft plans to ship (of which there are precious few details at present). As for supporting Linux as a guest operating system – it either works or it doesn’t – Microsoft needs to make up its mind as to whether it is a supported guest or not (if they are smart they will say “yes” – that way users can have a virtual Linux guest running on a Windows host if they need the best of both worlds, with Microsoft still gaining licence revenues for the host operating system and the virtualisation software).

Missing disk space

A few months back, I was chatting with my Dad about his PC (you know, one of those “family IT support desk” jobs) and he was wondering what had happened to all of his hard disk space. David Chernicoff has written an article for Windows IT Pro magazine about the case of the missing disk space and it’s worth a read. I certainly found it interesting – especially the bit about true sizing cf. disk manufacturers’ idea of storage units.