By
Published
Apr 04 2019 04:42 PM
423
Views
First published on TechNet on Oct 29, 2010
Hiya folks, Ned here again. In today’s Mail Sack I discuss SP1, DFSR, GPP passwords, USMT, backups, AD disk configurations, and the importance of costumed pets.
Boo.
Should it be safe to use the Windows 7 and Windows Server 2008 R2 Service Pack 1 Release Candidate builds in production? They came out this week and it looks like it’s pretty close to being done.
No. This build is for testing only, just like the beta . The EULA specifically states that this is not for production servers and you will get no support running it in those environments.
For more info and test support:
I need to ramp up on USMT for our planned Windows 7 rollout early next year. I’ve found a lot of documentation but do you have recommendations on how I can learn it progressively? I know nothing about USMT so I’m not sure where to start.
I would recommend going this route:
Is there a way to generate a daily DFSR health report?
You can use DFSRADMIN.EXE HEALTH NEW <options> as part of a Scheduled Task to generate a report every morning before you get your coffee.
Is there any good reason to separate the AD Logs, DB and SYSVOL onto separate drives? Performance maybe?
Thomas Aquinas would have made a good DS engineer:
We’ve not really pursued that performance line of thinking as it turned out to be of little value on most DC’s: AD’s database and logs are mostly static. In most environments for every write to an AD DB, there are thousands of reads. If your average disk read/write is under 25ms for any disks that hold the AD database and its transaction logs you are in the sweet spot. LSA tries to load as much of the DB into physical RAM as possible and it also keeps common query and index data in physical memory, so the disk perf isn’t super relevant unless you are incredibly starved for RAM. Server hardware is so much better now than when AD was invented that it’s just hard to buy crappy equipment – this isn’t Exchange or SQL where every little bit counts.
Guidance around separating the files for SYSVOL was always pretty suspicious. That data is glacially static (in most environments it might only see a few changes a year, if ever). It has almost no data being read during GP processing either so disk performance is almost immaterial. I have never personally worked a case of a slow disk subsystem making GP processing slow.
We still provide plenty of space guidance though, and that might make you need to separate things out:
Since Win2008 and later made it so easy to grow and shrink volumes though, even that is not a big deal anymore.
We are looking to make some mass refreshes to our local admin passwords on servers and workstations. Initially I started looking at some 3rd party tools, but they are a little pricey. Then I recalled the "Local Users and Groups" option in Group Policy preferences. However, I have seen some rumblings on the Internet about the password stored in the XML being not completely secure.
We consider that password system in GPP XML files “obscured” rather than “securely encrypted”.
The password is obfuscated with AES-256 (i.e. encrypted but with a symmetric public seed). If you were to control permissions to that GP folder (so that it no longer had “Authenticated Users” or any other user groups with READ access) containing the policy as well as use IPSEC to protect the traffic on the wire, it would be reasonably secure from anyone but admins and the computers themselves. Alan Burchill goes into a clever GPP technique for periodic password changes here:
He also makes the excellent point that a reasonably secure periodic password change system is better than just having the same password unchanged for years on end! Again, I would add to his example that using IPSEC and removing the “Authenticated Users” group from that group policy’s folder in SYSVOL (and replacing it with “Domain Computers”) is healthy paranoia.
Official ruling here, regardless of above:
Try to not get spit all over me when you scream in the Comments section…
Can DFSR read-only folders be backed up incrementally? Files Archive bits never change when I run a backup, so how can the backup software know to only grab changed files?
Absolutely. And here’s a treat for you:
The Archive bit has been dead since Windows Vista.
If you run a backup on a non-read-only replicated folder (or anywhere else) while using Windows Server Backup you will notice that the Archive bit never gets dropped either. The Volume Shadow Service instead uses the NTFS USN journal to track files included in incremental backups. Some backup solutions might still use Archive bits, but Windows does not – it is dangerous to rely on it as so many third party apps (or even just users) can clear the attribute and break your backups. There’s next to no TechNet info on this out there, but SriramB (the lead developer of DPM) talks about this at length:
Now obviously, you cannot restore files directly into a read-only replicated folder as the IO blocking driver won’t allow it. If you try with WSB it will report error “Access is Denied”.
If you are restoring a backed up read-only replica, you have two options:
From our recent hiring post :
For those of you that aren’t from the US, Ireland, Canada, and the Isle of Limes: this week marks the Halloween holiday where kids dress up in costumes and run around getting free candy from neighbors. If you get stiffed on candy, it’s your responsibility to burn down that neighbor’s house. Wait, that’s just Detroit .
It’s also an opportunity for people who were born without the shame gene to dress up their animals in cute outfits. Yay Internet ! Here are some good ones for the dog lovers.
Cat lovers can get bent.
And finally, don’t forget to watch Night of the Living Dead , courtesy of the excellent Archive.org and the public domain law. Still Romero’s best zombie movie ever. Which makes it the best zombie movie ever. You must do it with all lights off, preferably in a house in the woods.
- Ned “ghouls night out” Pyle
Hiya folks, Ned here again. In today’s Mail Sack I discuss SP1, DFSR, GPP passwords, USMT, backups, AD disk configurations, and the importance of costumed pets.
Boo.
- Win7/R2 SP1 RC in production
- USMT ramp up
- Daily DFSR health reports
- Recommendations for separating AD folders and files onto different disks
- GPP admin password maintenance
- DFSR read-only backups and the archive bit's deprecation
- Other randomness
Question
Should it be safe to use the Windows 7 and Windows Server 2008 R2 Service Pack 1 Release Candidate builds in production? They came out this week and it looks like it’s pretty close to being done.
Answer
No. This build is for testing only, just like the beta . The EULA specifically states that this is not for production servers and you will get no support running it in those environments.
For more info and test support:
Question
I need to ramp up on USMT for our planned Windows 7 rollout early next year. I’ve found a lot of documentation but do you have recommendations on how I can learn it progressively? I know nothing about USMT so I’m not sure where to start.
Answer
I would recommend going this route:
Intro
- What Does USMT Migrate?
- Common Migration Scenarios
- Quick Start Checklist
- Step-by-Step: Basic Windows Migration using USMT for IT Professionals
- Step-by-Step: Offline Migration with USMT 4.0
- How USMT Works
- Requirements
Intermediate
- ScanState Syntax
- LoadState Syntax
- Config.xml File
- Create a Custom XML File
- Customize USMT XML Files
- USMT Custom XML the Free and Easy Way
- Exclude Files and Settings
- Include Files and Settings
- Reroute Files and Settings
- Migrate EFS Files and Certificates
- Offline Migration
- USMT, OST, and PST
- Understanding USMT 4.0 Behavior with UEL and UE
- Controlling USMT Desktop Shell Icon Behavior from XP (and how to create registry values out of...
- Get Shiny with USMT: Turning the Aero Theme on During XP to Windows 7 Migration
Advanced
Troubleshooting
- Common Issues
- USMT 4.0: Cryptic Messages with Easy Fixes
- Don’t mess about with USMT’s included manifests!
- Log Files
- Return Codes
- USMT 4.0 and Custom Exclusion Troubleshooting
- USMT 4 and WinPE: Common Issues
Question
Is there a way to generate a daily DFSR health report?
Answer
You can use DFSRADMIN.EXE HEALTH NEW <options> as part of a Scheduled Task to generate a report every morning before you get your coffee.
Question
Is there any good reason to separate the AD Logs, DB and SYSVOL onto separate drives? Performance maybe?
Answer
Thomas Aquinas would have made a good DS engineer:
"If a thing can be done adequately by means of one, it is superfluous to do it by means of several; for we observe that nature does not employ two instruments [if] one suffices."
We’ve not really pursued that performance line of thinking as it turned out to be of little value on most DC’s: AD’s database and logs are mostly static. In most environments for every write to an AD DB, there are thousands of reads. If your average disk read/write is under 25ms for any disks that hold the AD database and its transaction logs you are in the sweet spot. LSA tries to load as much of the DB into physical RAM as possible and it also keeps common query and index data in physical memory, so the disk perf isn’t super relevant unless you are incredibly starved for RAM. Server hardware is so much better now than when AD was invented that it’s just hard to buy crappy equipment – this isn’t Exchange or SQL where every little bit counts.
Guidance around separating the files for SYSVOL was always pretty suspicious. That data is glacially static (in most environments it might only see a few changes a year, if ever). It has almost no data being read during GP processing either so disk performance is almost immaterial. I have never personally worked a case of a slow disk subsystem making GP processing slow.
We still provide plenty of space guidance though, and that might make you need to separate things out:
http://technet.microsoft.com/en-us/library/cc753439(WS.10).aspx
Since Win2008 and later made it so easy to grow and shrink volumes though, even that is not a big deal anymore.
Question
We are looking to make some mass refreshes to our local admin passwords on servers and workstations. Initially I started looking at some 3rd party tools, but they are a little pricey. Then I recalled the "Local Users and Groups" option in Group Policy preferences. However, I have seen some rumblings on the Internet about the password stored in the XML being not completely secure.
Answer
We consider that password system in GPP XML files “obscured” rather than “securely encrypted”.
The password is obfuscated with AES-256 (i.e. encrypted but with a symmetric public seed). If you were to control permissions to that GP folder (so that it no longer had “Authenticated Users” or any other user groups with READ access) containing the policy as well as use IPSEC to protect the traffic on the wire, it would be reasonably secure from anyone but admins and the computers themselves. Alan Burchill goes into a clever GPP technique for periodic password changes here:
How to use Group Policy Preferences to set change Passwords
He also makes the excellent point that a reasonably secure periodic password change system is better than just having the same password unchanged for years on end! Again, I would add to his example that using IPSEC and removing the “Authenticated Users” group from that group policy’s folder in SYSVOL (and replacing it with “Domain Computers”) is healthy paranoia.
Official ruling here, regardless of above:
http://blogs.technet.com/b/grouppolicy/archive/2009/04/22/passwords-in-group-policy-preferences...
Try to not get spit all over me when you scream in the Comments section…
Question
Can DFSR read-only folders be backed up incrementally? Files Archive bits never change when I run a backup, so how can the backup software know to only grab changed files?
Answer
Absolutely. And here’s a treat for you:
The Archive bit has been dead since Windows Vista.
If you run a backup on a non-read-only replicated folder (or anywhere else) while using Windows Server Backup you will notice that the Archive bit never gets dropped either. The Volume Shadow Service instead uses the NTFS USN journal to track files included in incremental backups. Some backup solutions might still use Archive bits, but Windows does not – it is dangerous to rely on it as so many third party apps (or even just users) can clear the attribute and break your backups. There’s next to no TechNet info on this out there, but SriramB (the lead developer of DPM) talks about this at length:
http://social.technet.microsoft.com/Forums/en-US/windowsbackup/thread/df7045fb-9d88-453c-93c0-5...
Now obviously, you cannot restore files directly into a read-only replicated folder as the IO blocking driver won’t allow it. If you try with WSB it will report error “Access is Denied”.
If you are restoring a backed up read-only replica, you have two options:
- Convert that replicated folder back to read-write temporarily, restore the data and allow it to replicate out, then set the folder back to read-only.
- Restore the data to an alternate location and copy or move it into the read-write replicated folder.
As for other randomness…
Best Comeback Comment of the Year
From our recent hiring post :
Artem -
Crap. You know, I've recently joined Microsoft here in Russia. And guess what? No free Starbucks!
NedPyle -
Congrats on the job. Sorry about the Starbucks. I'm sure there's a vodka dispenser joke here somewhere, but I'll leave that to you. :-P
Artem -
Yep, it's in the Samovar right in the lobby hall. The problem is like in any big company there's a policy for everything. And in today's tough economy, free vodka is reserved for customer meetings only. Usually a policy is not a big problem, but not this one. It is enforced by bear guards.
Halloween
For those of you that aren’t from the US, Ireland, Canada, and the Isle of Limes: this week marks the Halloween holiday where kids dress up in costumes and run around getting free candy from neighbors. If you get stiffed on candy, it’s your responsibility to burn down that neighbor’s house. Wait, that’s just Detroit .
It’s also an opportunity for people who were born without the shame gene to dress up their animals in cute outfits. Yay Internet ! Here are some good ones for the dog lovers.
(from http://www.dogbirthdaysandparties.com )
(from http://www.premierphotographer.com )
(from http://www.dreamdogs.co.uk )
(From http://www.gearfuse.com )
Cat lovers can get bent.
And finally, don’t forget to watch Night of the Living Dead , courtesy of the excellent Archive.org and the public domain law. Still Romero’s best zombie movie ever. Which makes it the best zombie movie ever. You must do it with all lights off, preferably in a house in the woods.
- Ned “ghouls night out” Pyle