I was recently alerted to the presence of Joe Richards’ PSOMgr tool for managing Windows Server 2008 fine grained password policies and it turns out that Joe has a whole heap of useful tools available for free on his website.
Another new feature in Windows Server 2008 Active Directory Domain Services is that (at long last) it’s now possible to apply multiple password policies within a single domain using a new feature called fine grained password policies. Now PINs can be used for mobile device access and complex passwords for conventional form factor devices without requiring separate domains, third party software or writing a custom password filter DLL.
The fine grained password policies are user and group based (i.e. not per-OU – in order to avoid extra domain load during login) and multiple policies can be applied; however, the new functionality involves a complex administrative process and there is no GUI yet (although the password settings container can be found if Advanced Features are enabled in Active Directory Users and Computers). Fortunately, Joe Richards has written PSOMgr (a command line tool to manage fine grain password policy password settings objects) and Christoffer Andersson has a similar tool with MMC/PowerShell interfaces.
Windows administrators have been waiting to see the back of WINS for years but many applications still rely on single name lables (and multiple DNS name suffixes can become unwieldy). Windows Server 2008 DNS will provide an alternative through its GlobalNames zone (one of several improvements in Windows Server 2008 DNS).
Although it’s not listed in the article linked above, I understand (from Scotty McLeod) that Windows Server 2008 DNS allows the application of a conditional forward (globally – i.e. to all DNS servers) at the domain level; unfortunately, forwarder information still has to be defined on a server-by-server basis.
A few years back, I heard UK-based photographer, Nick Meers speak in general terms about landscape photography saying that in order to capture that special image you need to be passionate – and you can’t come back tomorrow! If you don’t make that image now, then you don’t have the passion… even if you do want to get to supper and don’t want to get the tripod out again!
Unfortunately, I find it hard to reconcile that passion with the demands of a young family, so my photography takes a back seat these days and it seems to me that much of the images I create are distinctly mediocre. Some of that mediocrity can be enhanced post-capture but that’s a time consuming process – and anyway, it’s much better to get it right first time.
But is digital editing is really that bad? After all, with traditional (non-digital) methods, photographers have always used filters and darkroom techniques to enhance their images.
Even the viewfinder acts as a censor, selecting just the part of the overall scene that the photographer wants to appear in the final image. The trouble is that I find that the 3:2 aspect ratio used for 35mm film and by many digital cameras often doesn’t seem “right”. Some photographers (e.g. Charlie Waite) specialise in square images whilst others go for a letterbox format – something that I’ve always been attracted to – largely under the influence of one of my favourite photographers, Australia’s Peter Lik. It’s a pleasing format for the eye because it’s how people see. Consequently it is often used for wide-angle landscapes (and so works well in places with a wide field of view) but it not exclusively a wide angle format and can work well for compressed images with a telephoto lens.
Lik (alond with other notable landscape photographers like David Noton uses expensive 6×17 panoramic format cameras with swing lenses but until recently there was an (almost) affordable way to take panoramic images using multiple frames on standard 35mm film – Hassleblad’s X System. Unfortunately Hassleblad withdrew their excellent XPan II camera from sale last year. I’d wanted one for a while but could never justify the expense (at least not once I purchased a digital camera).
In the end, it was digital photography that killed off the XPan – I’d love for Hassleblad to make a digital XPan but the reality is that image sensors come in a particular size and there would be technical hurdles to overcome that would make the product too expensive. Anyway, single images can be stiched together post-capture and now that the quality of digital image sensors has caught up with (and even surpased) film, it’s hard to deride the convenience and low cost of digital photography.
I’m torn – should I save up for a second-hand XPan, buy a digital body with a higher-quality image sensor (so I can crop a decent quality panoramic photo from a single frame), or take separate images and stitch them together?
This is the last post I’m intending to write based on the content from the recent Windows Server UK User Group meeting – this time inspired by Scotty Mc Leod‘s presentation on read only domain controllers (RODCs), a new feature in Windows Server 2008.
In my post from a few weeks back about some of the new features in Windows Server 2008, I wrote:
Backup domain controllers (BDCs) are back! Except that now they are called read-only domain controllers (with unidirectional replication to offer credential caching and whilst increasing the physical security of remote domain controllers, e.g. in branch offices).
That statement was slightly tongue-in-cheek and, if taken literally would be inaccurate. RODCs are more complex than Windows NT BDCs were. Active Directory still uses a multiple master replication model, but RODCs are really a means of providing a read-only replica of the directory (with outbound replication disabled) – for example at remote sites where to have a fully-functional domain controller would be a security risk. As far as Active Directory is concerned, an RODC is not a domain controller – it actually has a standard workstation account (with some extra attributes).
This has a major advantage in that, unlike a domain controller, an RODC has a local account database, with a local Administrators group (of which Domain Admins will be a member). In effect, this means that a user can be made a full administrator of the RODC, without needing to be a Domain Admin.
In order to create an RODC, the forest and domain need to be at Windows Server 2003 forest functional level with at least one (preferably more) Windows Server 2008 DC present. The forest and domain must also have been prepared for RODCs with
The next stage is to provision the computer account, selecting a site, and whether or not DNS/Global Catalog services will be enabled). Control over the information stored on an RODC is controlled with password replications policies – allow/deny lists for replication of passwords based on users, groups or computers. 2 new groups are created – DeniedRODCPassword and AllowsRODCPassword and as for other Windows NT ACLs, deny takes precendence over allow. Next, it’s necessary to define who will manage the RODC – this effectively defines a user account that can administer the server without needing Domain Admins membership (e.g. to apply patches, restart the server, etc.). One gotcha is that this is a user contact (not a group) – many organisations will circumvent this with service accounts, but that’s really not good practice.
Following this, a new computer account should be visible in the directory. The Windows Server 2003 version of Active Directory Users and Computers (ADUC) will see the account as disabled, whereas the Windows Server 2008 tools will report it as an unoccupied DC account. On joining the domain, the computer will be linked with its account and will become an RODC.
The RODC concept relies on a principle called constrained Kerberos delegation, which in turn needs value linked replication – hence the requirement for a Windows Server 2003 domain and forest dunctional level. In addition the requirement for a Windows Server 2008 DC with which to communicate is created as Windows Server 2003 DC will see the RODC as a “normal” computer – e.g. a workstation. Of course, the Windows Server 2008 DC is potentially a single point of failure, so more than one should be deployed.
The constrained Kerberos authentication works as follows:
- In addition to the krbtgt account that will already exist in the domain (a Kerberos ticket granting service account), each RODC will have its own TGT account created in the form krbtgt_identifier in order to issue its own Kerberos tickets without compromising domain security.
- If a user attempts to logon at a remote site, their credential
s will initially be validated by the local RODC.
- Because password hashes are stripped from RODC replication, if this is the user’s first login attempt, or if they are not in the AllowsRODCPassword group, then the authentication request will be passed across the WAN to a full DC. When the ticket is returned, the RODC asks a full DC running Windows Server 2008 DC replicate a single attribute (the password hash), which is then held for future logins.
- If a login is authenticated by the RODC then a local Kerberos ticket is issued. This local ticket will not be valid elsewhere on the domain (effectively each RODC becomes a subdomain for authentication purposes) and requests to access other resources will be referred to a full DC running Windows Server 2008.
It is possible to force inbound replication to an RODC for a defined set of users (i.e. to pre-populate the information for users on a particular site); however this information can quickly become stale.
Scotty went on to mention a couple of things to beware of when planning to use RODCs:
- Because an RODC cannot be written to, some applications will see RODCs as an LDAP server, if an LDAP v3 referral is invoked then many applications will fail.
- Whilst Exchange Server will treat an RODC as a GC, Outlook will not.
With the Windows Vista launch now history and the Windows Server 2008 launch date set for 27 February 2008 (expect to see the first service pack for Vista, codenamed Fiji, around about the same time), speculation has started about the next version of Windows codenamed Windows 7, formerly codenamed both Blackcomb and Vienna.
Of course, at this stage, Microsoft is keeping quiet about what’s in, and what’s out of Windows 7 (very wise) but a good place to watch is Paul Thurrott’s Windows 7 FAQ.
Whilst the United States is going iPhone crazy, over on this side of the pond we can’t get one yet… so life goes on.
A couple of weeks back, I was given a BlackBerry to use at work (until I can get my hands on a Windows-powered phone – one of my colleagues had a greater need than I for the Palm Treo 750v we snagged but there are some new models coming soon on Vodafone
that I can’t talk about but which look pretty cool).
So, if I want a Windows Mobile device (for work) why am I even looking at the BlackBerry? Firstly, I was given it to try (my Nokia 6021 is a bit beaten up these days) and secondly, I’m intrigued as to why these things are held in almost universal acclaim by senior executives, causing chaos in IT departments up and down the country who don’t want to support a (proprietary) messaging platform in addition to their corporate e-mail on Microsoft Exchange or Lotus Domino (and even leading to the nicknaming of London’s Jubilee line between the West End and Canary Wharf as the Blackberry line).
I’ve re-written this post a few times over the last couple of weeks because as I’ve used it, I’ve warmed to the BlackBerry:
- At first I hated the interface (what is it about mobile phones that, almost without exception, they have such appalling user interfaces?) but that was improved by a software upgrade.
- I didn’t like that I had to buy a USB 2.0 A to mini 5pin cable to charge the device – and battery life is poor – I get about day’s worth of (light) use for voice only (I know that smartphones are battery-hungry but I don’t have a data plan to use it properly… all I do was make and receive calls). As it happens, the fact that I can use a standard cable to charge the device via USB is pretty useful.
- I’ve discovered features like the auto on/off capabilities which could have a real use for me (I have a personal phone which friends and family can use to contact me 24×7 – and even though one of my friends recent described me as having workaholic tendencies the work phone is not normally answered in the evening or at weekends).
- Once you get used the the scroll-click wheel and the button next to it, the user interface becomes a lot easier to navigate – and the 240×260 screen is excellent for viewing photos, although there is no card slot for additional memory (and getting pictures onto the device without a data plan is cumbersome). It looks quite good and feels comfortable in my hand (size and weight). Unfortunately though, I found the keyboard difficult to use – a pretty major failing on a device like this (I think the problem is that it has a qwerty layout but it feels like a mobile phone, so my fingers and thumbs want it to be arranged alphabetically).
I’m not trying to write a product review (for that, refer to Lord Percy or The Register and anyway this particular device is a bit old now so I’m not sure how useful any review that I wrote would be)… this is more of a “this is what I found when I tried to use it” post – I’m hoping that my experience may be useful for others too:
- After inserting my SIM card, all of my calls went to voicemail – it seems that before you can use the device as a phone you have to turn the wireless on. Not realising that this model doesn’t have WiFi capabilities I thought that “wireless” was referring to IEEE802.11b/g but no – the wireless in question is the GSM radio that is required in order to connect to a mobile carrier.
- Not having any manuals, etc., I had to find out what the device was first so that I could Google for some help. IMEI number analysis didn’t help (probably because this was originally an evaluation unit), but I eventually discovered that there is an option/setting labelled about, which tells me I have a Blackberry 7100 Wireless Handheld and a bit more searching confirms that its the Blackberry 7100v.
- I noticed that I still had the previous user’s contacts loaded, so I wanted to wipe the phone – there doesn’t appear to be a delete all option for contacts, so the resolution I used (found on BlackBerry Forums) was:
- Install Blackberry Desktop Manager (4.2), followed by the BlackBerry Handheld Software v184.108.40.2064 for Vodafone (UK) – both of these were downloaded from RIM after searching Google. Following the software update, the device had a totally different (much improved) look and feel. The installation also worked on Windows Vista, despite not being listed as compatible (I ran the installer as an Administrator)
- Open the BlackBerry Desktop Manager application and create a connection to the device (Connection Settings… from the Options menu).
- To delete the old data from within Desktop Manager, select Backup and Restore and click the Advanced… button. Select the appropriate device databases (multiples can be selected by Control or Shift clicking) then click Clear.
- I don’t have a connection to a BlackBerry e-mail service – effectively I’m using the device as a PDA and a phone, but it ought to be possible to set up the BlackBerry as a GPRS modem (not by Bluetooth, but using a USB connection). Unfortunately that’s not working (it should – using the same SIM in my Nokia 6021 allows me to browse the web using GPRS) but I’m unlikely to get anywhere with Vodafone unless I sign up for a BlackBerry service. My BlackBerry alternates between GSM and gprs (depending on signal strength/cell coverage) but never shows GPRS because:
- GSM â€“ GRPS is not enabled (contact your mobile carrier to sign up to a GPRS plan.
- gprs (in lower case) – GRPS is enabled, but not been set up for use with a BlackBerry device.
- GPRS (in upper case) â€“ both GRPS and BlackBerry are enabled, (the service should be enabled for BlackBerry Enterprise Server if Exchange Server connectivity is required, rather than BlackBerry Internet Server).
Even though I’ve warmed to the BlackBerry (and newer models like the curve and the pearl are attractive), I’m still not a convert. Exchange Server 2003 SP2 offers push e-mail too (as does Exchange Server 2007), without requiring another layer of complexity in the organisational IT infrastructure. The dependency on a data plan for even basic things like transferring pictures to/from the device is also a hassle. The jury’s still out on my choice of handset for a personal phone (an iPhone would be nice… but do I really need something that expensive… or on a carrier other than Vodafone? It would be nice to have a decent camera in the device I choose… like the one in the Nokia N95… but last time I had a Symbian smartphone I didn’t get on with the interface. Then again, there are devices like the HTC touch… arghhh, brain overload… too much choice) – in any case, if I have any influence over the selection of my next handset for business it will be running Windows Mobile 6.
I’m not sure where I picked this tip up but I heard about dragging the Applications folder to the OS X dock in order to provide one-click access to all applications (not just the frequently used ones).
At first I was pretty underwhelmed (it didn’t seem to do much except launch a new Finder window) but then I realised that if I click and hold the applications folder icon in my dock then a menu opens up with all the available applications. Dare I say that it’s a bit like a Start Menu for the Mac!
It’s not often that I receive excellent customer service (a subject on which Guy Kawasaki has written a very interesting post) and when I do, I’ll shout about it. Today I got great service from not just one but two technology companies.
I’ve been thinking about buying an iPod with Video for a while now and a few months back, I had the opportunity to win one as an incentive for passing the Microsoft Certified Technology Specialist: Live Communications Server 2005 exam. Although I was offered an 30GB iPod, I’d really like to fit my entire iTunes library on the device, so I asked for the 80GB model instead (offering to pay the difference). For various practical reasons that wasn’t going to work out, so I waited until it was given to me and tried to exchange it at an Apple Store. They couldn’t exchange it for me, but they did check the serial number and told me that it was sold by Amazon. Meanwhile I bought a protective case from Apple and was very impressed that there was no queuing up to pay – the store assistants could complete the sales process on the shop floor and e-mail me a receipt.
Next, I contacted Amazon, to see what they could do to help. In addition to e-mail contact service, Amazon (UK) has a facility on their website whereby they will call you back and you can talk to a real person and their customer service staff (in Ireland – note that they have not outsourced customer service to companies on another continent where English is not a primary language) were really helpful. It seems that I can return a gift to Amazon (within 30 days) and they will pay the postage and issue a credit on my account. The theory is that I can return the 30GB iPod and buy an 80GB model using the credit and some more money of my own. All I need to do now is to get hold of the original order number and I can complete the Returns Support Centre wizard on the Amazon website.
Of course, now I’ve finally got my hands on an iPod with Video, Apple is bound to announce a 6G touchscreen iPod with a large flash-based hard disk… oh well, c’est la vie.
Microsoft’s Exchange Best Practices Analyzer (ExBPA) has been around for a few years now and it’s an excellent preventative maintenance and troubleshooting resource. ExBPA was recently joined by the Exchange Server Troubleshooting Assistant (ExTRA) which, according to the Microsoft website:
“[…] Programmatically executes a set of troubleshooting steps to identify the root cause of performance, mail flow, and database mounting issues. The tool automatically determines what set of data is required to troubleshoot the identified symptoms and collects configuration data, performance counters, event logs and live tracing information from an Exchange server and other appropriate sources. The tool analyzes each subsystem to determine individual bottlenecks and component failures, then aggregates the information to provide root cause analysis.”
ExTRA v1.1 brings together a number of troubleshooting tools: the Exchange Server Disaster Recovery Analyzer (ExDRA); the Exchange Server Performance Troubleshooting Analyzer (ExPTA); and the Exchange Server Mail Flow Analyzer (ExMFA). Furthermore, ExTRA is integrated in the ESM Toolbox for Exchange Server 2007.