Archive for the ‘Active Directory’ Category

Infrastructure & Management User Group Summary – 18/11/2009

November 19th, 2009 Amit Gatenyo

Hi guys,

It was very nice meeting you all yesterday at the re-birth of the Infrastructure & Management User Group.

Below is the presentation for the main subject we talked about – “Windows 2008 R2 Overview”.

We will continue next month, on December 17th with the subject “Active Directory improvements in Windows 2008 R2”.

In the meantime, share your thoughts and interesting finds at the group site – http://www.linkedin.com/groupRegistration?gid=2389097

Have a great weekend and take care! :)


Incorrect Home Folder Mapping

December 21st, 2008 Kobi Akiva

Symptoms

Users’ Home Folder maps incorrectly on workstations.
The home folder is mapped to the base share instead of the complete path to the profile.
This only happens on PCs. When logging on to terminal servers the mapping is done correctly.

Example:
Home folder set to: \\fileServer\Company\Department\UserName
The mapping that the user receives: \\fileServer\Company
Manually mapping the path completes successfully and all files are accessible.

The users are the owners of their folders and all permissions are sufficient for drive mapping.  

Cause

Network delays may cause the workstation to try and map the home folder before completely initializing networking during logon.

Resolution

Apply the following setting using GPO :

Computer Configuration / Administrative Templates / System / Logon / Always wait for the network at computer startup and logon

More Information

Description of the Windows XP Professional Fast Logon Optimization feature
http://support.microsoft.com/kb/q305293/

Info from the policy’s description

Determines whether Windows XP waits for the network during computer startup and user logon. By default, Windows XP does not wait for the network to be fully initialized at startup and logon. Existing users are logged on using cached credentials, which results in shorter logon times. Group Policy is applied in the background once the network becomes available.

Note that because this is a background refresh, extensions such as Software Installation and Folder Redirection take two logons to apply changes. To be able to operate safely, these extensions require that no users be logged on. Therefore, they must be processed in the foreground before users are actively using the computer. In addition, changes that are made to the user object, such as adding a roaming profile path, home directory, or user object logon script, may take up to two logons to be detected.

If a user with a roaming profile, home directory, or user object logon script logs on to a computer, Windows XP always waits for the network to be initialized before logging the user on.

If a user has never logged on to this computer before, Windows XP always waits for the network to be initialized.

If you enable this setting, logons are performed in the same way as for Windows 2000 clients, in that Windows XP waits for the network to be fully initialized before users are logged on. Group Policy is applied in the foreground, synchronously.

If you disable or do not configure this setting, Windows does not wait for the network to be fully initialized and users are logged on with cached credentials. Group Policy is applied asynchronously in the background.

Note: If you want to guarantee the application of Folder Redirection, Software Installation, or roaming user profile settings in just one logon, enable this setting to ensure that Windows waits for the network to be available before applying policy.

Note: For servers, the startup and logon processing always behaves as if this policy setting is enabled.

Quote from Microsoft’s Official eBook "Configuring Windows Server 2008 Active Directory"

"It is highly recommended that you enable the Always Wait For Network At Startup And Logon policy setting for all Windows XP and Windows Vista clients. Without this setting, by default, Windows XP and Windows Vista clients perform only background refreshes (of GPOs), meaning that a client might start up and a user might log on without receiving the latest policies from the domain."
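As an added diagnostic (not part of the original post), the following PowerShell script checks on a domain-joined workstation whether the symptom above is present, by comparing the account's homeDirectory attribute with the share Winlogon actually mapped, and whether the GPO setting from the Resolution section is in effect. It assumes the setting is stored as the DWORD SyncForegroundPolicy = 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon, and that the mapped home share is exposed in the HOMESHARE environment variable.

```powershell
function Get-AdHomeDirectory {
    # Read the logged-on user's homeDirectory attribute through ADSI (no AD module needed).
    $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$env:USERNAME))"
    [void]$searcher.PropertiesToLoad.Add('homeDirectory')
    $result = $searcher.FindOne()
    if ($null -eq $result) { return $null }
    $vals = $result.Properties['homedirectory']
    if (-not $vals -or $vals.Count -eq 0) { return $null }
    return [string]$vals[0]
}

function Test-HomeFolderMapping {
    $expected = Get-AdHomeDirectory
    $actual   = $env:HOMESHARE      # UNC path Winlogon mapped $env:HOMEDRIVE to
    $status = if (-not $expected) { 'NoHomeDirectoryInAD' }
              elseif (-not $actual) { 'NotMapped' }
              elseif ($expected.TrimEnd('\') -ieq $actual.TrimEnd('\')) { 'OK' }
              # The symptom from the post: the drive points at a parent of the real home path.
              elseif ($expected.StartsWith($actual.TrimEnd('\') + '\',
                          [StringComparison]::OrdinalIgnoreCase)) { 'TruncatedToParentShare' }
              else { 'Mismatch' }
    [pscustomobject]@{
        User = $env:USERNAME; Drive = $env:HOMEDRIVE
        Expected = $expected; Actual = $actual; Status = $status
    }
}

function Test-WaitForNetworkPolicy {
    # Registry value behind "Always wait for the network at computer startup and logon"
    # (assumed location; 1 = enabled).
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $item = Get-ItemProperty -Path $key -Name SyncForegroundPolicy -ErrorAction SilentlyContinue
    if ($item -and $item.SyncForegroundPolicy -eq 1) { return 'Enabled' }
    return 'NotConfiguredOrDisabled'   # Fast Logon Optimization still active
}

Test-HomeFolderMapping | Format-List
"Always wait for the network at computer startup and logon: $(Test-WaitForNetworkPolicy)"
```

A Status of TruncatedToParentShare together with NotConfiguredOrDisabled is the combination the post describes; after the GPO is applied and the user has logged on again, the Status should read OK.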


Presentations from the System Center Round Table for Enterprise Clients

December 19th, 2008 Amit Gatenyo

As promised, I’ve uploaded the presentations from the sessions I gave on December 18th at Microsoft Israel. Enjoy.


SCOM 2007 Updated Management Packs – AD and DHCP

November 11th, 2008 Amit Gatenyo

Two important MPs have been updated: the Active Directory Management Pack and the DHCP Management Pack. Windows Server 2008 is now supported by both of them.

The AD MP has a couple of improvements:

  • Discovery of Windows Server 2008 DCs and Read-Only DCs (RODC), including discovery of FSMO roles
  • Windows Server 2008 replication monitoring, including a cool, configurable Multiple SLA workflow
  • Forests that have 2-way transitive trusts can now be discovered and reflected in the improved topology views (Forest, Domain, Site, Site-Link, Replication Connection)
  • New essential services roll-up to accurately reflect services such as Sysvol, DFS, NetLogon and DCLocator
  • Support for Windows Server 2008 32-bit and 64-bit

Download these MPs (and all others) from the System Center Catalog.


App-v 4.5 Solution Accelerator is now Available!

September 17th, 2008 Amit Gatenyo

Following Microsoft's announcement of App-V 4.5 RTM (previously known as "SoftGrid") at the beginning of September, Microsoft has just published the Infrastructure Planning and Design (IPD) guide for this version.

Infrastructure Planning and Design (IPD) is a series of planning and design guides created to clarify and streamline the planning and design process for Microsoft infrastructure technologies.

App-V 4.5 RTM will be included in the Microsoft Desktop Optimization Pack (MDOP) 2008 R2, which will be available in the next couple of weeks (for more information about MDOP 2008 R2, read our post).

You can find the new App-V 4.5 IPD guide, as well as IPD guides for OpsMgr 2007, Active Directory, IIS and much more, at http://www.microsoft.com/downloads/details.aspx?FamilyId=AD3921FB-8224-4681-9064-075FDF042B0C&displaylang=en.


Some interesting posts on DFS-R

September 12th, 2008 Amit Gatenyo

Active Directory Migration Tool v3.1 has been released

September 7th, 2008 Amit Gatenyo

The Active Directory Migration Tool version 3.1 (ADMT v3.1) simplifies the process of migrating objects and restructuring tasks in an Active Directory Domain Service (AD DS) environment. You can use ADMT v3.1 to migrate users, groups, and computers between AD DS domains in different forests (inter-forest migration) or between AD DS domains in the same forest (intra-forest migration). ADMT can also perform security translation (to migrate local user profiles) when performing inter-forest migrations.

This version is the first one to support Windows 2008.

Download the tool here.

Check out the whitepaper on Migrating and Restructuring Active Directory Domains Using ADMT v3.1.

You also need to download Password Export Server v3.1 in order to migrate passwords between domains.


Joining Windows 2008\Vista to a domain through ISA

July 29th, 2008 Amit Gatenyo

Have you run into a super annoying issue when joining computers running Vista or Windows 2008 to a domain, with ISA 2006 sitting between the computer you want to join and a DC of that domain, and the error message is "The remote procedure call failed and did not execute"?

To resolve the problem, disable the ISA RPC Filter as follows:

1. Go to: ISA Server Management > Configuration > Add-ins
2. Select RPC Filter
3. Click Disable in the rightmost panel
4. Click the Apply button in the dialog panel that appears at the top
5. Select the second radio button, "Apply and RESTART" server

The cause of the problem is described here – http://support.microsoft.com/default.aspx/kb/899148

Another way to achieve the same goal:

1. Select "Firewall Policy"
2. Show System Policy Rules
3. Select the rule "Allow RPC from ISA Server…"
4. Under the "Protocols" column, right click "RPC (All Interfaces)" and select Properties
5. Under the "Parameters" tab, "Application Filter" section, uncheck the RPC filter.


SMS 2003 and workgroup clients or clients from untrusted forest

July 29th, 2008 Amit Gatenyo

Computers in a workgroup require WINS because they cannot query Active Directory for SMS services (server locator point and management point).  While the management point is automatically added in WINS, the server locator point is not, so this record must be manually entered by a WINS Administrator. 

SMS 2003 provides limited support for computers in a workgroup, with the following conditions and exceptions:

  1. Workgroup site servers are not supported.
  2. Workgroup support is for Advanced Clients only.
  3. Clients must use WINS to locate SMS services.
  4. Administrative user rights on the computer are required for installing the SMS client software.
  5. Active Directory discovery and user targeting are not supported.
  6. Advertisements targeted to Active Directory objects, users, or user groups are not supported.
  7. Global roaming is not supported.

Some interesting links:

  1. Ports that Systems Management Server 2003 uses to communicate through a firewall or through a proxy server – http://support.microsoft.com/default.aspx?kbid=826852
  2. SMS 2003 Standard Security, WINS, and Advanced Clients – http://myitforum.com/articles/8/view.asp?id=7323
  3. Managing Workgroup Clients with SMS 2003 – http://myitforum.com/articles/8/view.asp?id=7747
  4. SMS 2003 in a DMZ – http://www.myitforum.com/articles/8/view.asp?id=8283

AD Replication Errors

July 29th, 2008 Amit Gatenyo

If you have two Active Directory domain controllers that are not replicating, ServerA and ServerB, try the following:

First follow this link to check permissions – http://207.46.196.114/windowsserver2008/en/library/89bad964-55c9-4ce4-b216-d4e1f13df9491033.mspx?mfr=true

Then check whether the secure channel has been corrupted:
From ServerA, go to Start -> Run and type: \\ServerB
From ServerB, go to Start -> Run and type: \\ServerA

If you get an error message indicating that the target name is incorrect, then the secure channel has been corrupted. You will also see error messages in replmon and “repadmin debug” indicating that the target is invalid.

Perform the following steps to fix the problem:

  1. Stop the Kerberos Key Distribution Center (KDC) service, and then set it to Manual startup.
  2. Run “netdom resetpwd /server:<replication_partner_name> /userd:<domain\admin_user> /passwordd:*”
  3. Restart the computer, start the KDC, and then set it back to Automatic startup.
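The check and the three repair steps above, scripted as an added example (not part of the original post) to run from an elevated PowerShell prompt on ServerA. Opening \\ServerB\SYSVOL stands in for the Start -> Run check, repadmin /showrepl /csv reports failing inbound connections, and the KDC/netdom steps run only when -Fix is given; -AfterReboot performs step 3 once the DC is back up. The partner name and the /userd: value built from the current session are assumptions.

```powershell
param(
    [string]$Partner = 'ServerB',   # replication partner of this DC
    [switch]$Fix,                   # perform steps 1 and 2 from the post
    [switch]$AfterReboot            # perform step 3 from the post
)

function Test-PartnerSecureChannel([string]$Partner) {
    # Equivalent of typing \\ServerB into Start -> Run: a corrupted secure channel
    # surfaces as an access error that mentions the target name.
    try {
        $null = Get-ChildItem -Path "\\$Partner\SYSVOL" -ErrorAction Stop
        return @{ Ok = $true;  Message = 'OK' }
    } catch {
        return @{ Ok = $false; Message = $_.Exception.Message }
    }
}

function Get-ReplicationFailures {
    # One row per inbound replication connection; a non-zero failure count is a broken link.
    repadmin /showrepl /csv | ConvertFrom-Csv |
        Where-Object { $_.'Number of Failures' -ne '0' } |
        Select-Object 'Source DSA', 'Naming Context', 'Number of Failures', 'Last Failure Status'
}

function Reset-SecureChannel([string]$Partner) {
    # Step 1: stop the KDC and keep it from starting on its own.
    Stop-Service -Name kdc -Force
    Set-Service  -Name kdc -StartupType Manual
    # Step 2: reset this DC's machine account password against the partner
    # (/passwordd:* prompts for the admin password instead of taking it on the command line).
    netdom resetpwd /server:$Partner /userd:"$env:USERDOMAIN\$env:USERNAME" /passwordd:*
    Write-Warning 'Reboot this DC now, then re-run this script with -AfterReboot.'
}

function Complete-KdcReset {
    # Step 3: after the reboot, start the KDC and return it to Automatic startup.
    Start-Service -Name kdc
    Set-Service   -Name kdc -StartupType Automatic
}

if ($AfterReboot) { Complete-KdcReset; return }
$channel = Test-PartnerSecureChannel -Partner $Partner
"Secure channel to ${Partner}: $($channel.Message)"
Get-ReplicationFailures | Format-Table -AutoSize
if ($Fix -and -not $channel.Ok) { Reset-SecureChannel -Partner $Partner }
```

Without -Fix the script is read-only and can be run on both ServerA and ServerB (with the other named as -Partner) to confirm which side reports the incorrect target name before anything is reset.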
