Sunday, May 15, 2011

RFC library for Nerds... !!!

http://www.ietf.org/rfc/

Wednesday, March 2, 2011

Loopback Processing of Group Policy in a Domain Environment
SUMMARY

Group Policy applies to the user or computer in a manner that depends on where both the user and the computer objects are located in Active Directory. However, in some cases, users may need policy applied to them based on the location of the computer object alone. You can use the Group Policy loopback feature to apply Group Policy Objects (GPOs) that depend only on which computer the user logs on to.

MORE INFORMATION

To set user configuration per computer, follow these steps:
  1. In the Group Policy Microsoft Management Console (MMC), click Computer Configuration.
  2. Locate Administrative Templates, click System, click Group Policy, and then enable the Loopback Policy option.
This policy directs the system to apply the set of GPOs for the computer to any user who logs on to a computer affected by this policy. It is intended for special-use computers where the user policy must be modified based on the computer that is being used, for example computers in public areas, laboratories, and classrooms.

Note: Loopback is supported only in an Active Directory environment. Both the computer account and the user account must be in Active Directory. If a Microsoft Windows NT 4.0-based domain controller manages either account, loopback does not function. The client computer must be running one of the following operating systems:
  • Windows XP Professional
  • Windows 2000 Professional
  • Windows 2000 Server
  • Windows 2000 Advanced Server
  • Windows Server 2003
When users work on their own workstations, you may want Group Policy settings applied based on the location of the user object. Therefore, we recommend that you configure policy settings based on the organizational unit in which the user account resides. However, there may be instances when a computer object resides in a specific organizational unit, and the user settings of a policy should be applied based on the location of the computer object instead of the user object.

Note: You cannot filter the user settings that are applied by denying or removing the Apply Group Policy (AGP) and Read rights on the computer object specified for the loopback policy.

Normal user Group Policy processing specifies that computers located in their organizational unit have the GPOs applied in order during computer startup. Users in their organizational unit have GPOs applied in order during logon, regardless of which computer they log on to.

In some cases, this processing order may not be appropriate, for example when you do not want applications that have been assigned or published to the users in their organizational unit to be installed when a user logs on to a computer in a specific organizational unit. With the Group Policy loopback feature, you can specify two other ways to retrieve the list of GPOs for any user of the computers in that organizational unit:
  • Merge Mode
    In this mode, when the user logs on, the user's list of GPOs is gathered as usual by using the GetGPOList function. GetGPOList is then called again by using the computer's location in Active Directory, and the list of GPOs for the computer is appended to the end of the user's list. Because the computer's GPOs are applied last, they take precedence over the user's GPOs.
  • Replace Mode
    In this mode, the user's list of GPOs is not gathered. Only the list of GPOs based on the computer object is used.
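As an added example (not part of the original article), the following PowerShell models how the three loopback settings shape the effective user GPO list and reads the mode a computer currently has configured. It assumes the loopback policy is stored as the UserPolicyMode value under HKLM:\SOFTWARE\Policies\Microsoft\Windows\System (0 = disabled, 1 = merge, 2 = replace); the GPO names are constructed samples and the function names are this example's own.

```powershell
# Added example, not from the original article. Models the effective user GPO
# list under each loopback setting and reads the configured mode from the
# registry value the policy writes (assumed location, see lead-in).

function Get-EffectiveUserGpoList {
    param(
        [string[]]$UserGpos,      # GPOs gathered from the user object's location, in application order
        [string[]]$ComputerGpos,  # GPOs gathered from the computer object's location
        [ValidateSet('Disabled', 'Merge', 'Replace')]
        [string]$Mode
    )
    switch ($Mode) {
        'Disabled' { return @($UserGpos) }                    # normal processing: user GPOs only
        'Merge'    { return @($UserGpos) + @($ComputerGpos) } # computer GPOs appended and applied last, so they win conflicts
        'Replace'  { return @($ComputerGpos) }                # the user's own GPOs are not gathered at all
    }
}

function Get-LoopbackMode {
    # Reads the value written by the loopback processing mode policy (assumed name and location).
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $value = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
    if ($value -eq 1)     { 'Merge' }
    elseif ($value -eq 2) { 'Replace' }
    else                  { 'Disabled' }   # value absent or 0
}

# Constructed sample GPO lists: a staff user logging on to a lab computer.
$userGpos     = @('Default Domain Policy', 'Staff Users Policy')
$computerGpos = @('Lab Computers Policy', 'Lab Kiosk Lockdown')

foreach ($mode in 'Disabled', 'Merge', 'Replace') {
    $effective = Get-EffectiveUserGpoList -UserGpos $userGpos -ComputerGpos $computerGpos -Mode $mode
    '{0,-8}: {1}' -f $mode, ($effective -join ' -> ')   # rightmost GPO has the highest precedence
}
'Loopback mode on this computer: ' + (Get-LoopbackMode)
```

To confirm which GPOs actually applied on a given computer, compare the script's model with the resultant set of policy reported by gpresult.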

Friday, February 25, 2011

Changes Common To Both Client & Server Platforms In Service Pack 1
Change to behavior of “Restore previous folders at logon” functionality

SP1 changes the behavior of the “Restore previous folders at logon” function available in the Folder Options Explorer dialog. Prior to SP1, previous folders would be restored in a cascaded position based on the location of the most recently active folder. That behavior changes in SP1 so that all folders are restored to their previous positions.
Enhanced support for additional identities in RRAS and IPsec

Support for additional identification types has been added to the Identification field in the IKEv2 authentication protocol. This allows for a variety of additional forms of identification (such as E-mail ID or Certificate Subject) to be used when performing authentication using the IKEv2 protocol.
Support for Advanced Vector Extensions (AVX)

There has always been a growing need for more computing power, and as usage models change, processor instruction set architectures evolve to support these growing demands. Advanced Vector Extensions (AVX) is a 256-bit instruction set extension for processors. AVX is designed to improve the performance of applications that are floating-point intensive. Support for AVX is part of SP1 so that applications can fully utilize the new instruction set and register extensions.
Improved Support for Advanced Format (512e) Storage Devices

SP1 introduces a number of key enhancements to improve support for recently introduced storage devices with a 4KB physical sector size (commonly referred to as "Advanced Format"). These enhancements include functionality fixes, improved performance, and updated storage drivers that give applications the ability to retrieve the physical sector size of a storage device. More information on these enhancements is detailed in Microsoft KB 982018.

Notable Changes In Windows 7 Service Pack 1
Additional support for communication with third-party federation services

Additional support has been added to allow Windows 7 clients to effectively communicate with third-party identity federation services (those supporting the WS-Federation passive profile protocol). This change enhances platform interoperability, and improves the ability to communicate identity and authentication information between organizations.
Improved HDMI audio device performance

A small percentage of users have reported issues in which the connection between computers running Windows 7 and HDMI audio devices can be lost after system reboots. Updates have been incorporated into SP1 to ensure that connections between Windows 7 computers and HDMI audio devices are consistently maintained.
Corrected behavior when printing mixed-orientation XPS documents

Prior to the release of SP1, some customers have reported difficulty when printing mixed-orientation XPS documents (documents containing pages in both portrait and landscape orientation) using the XPS Viewer, resulting in all pages being printed entirely in either portrait or landscape mode. This issue has been addressed in SP1, allowing users to correctly print mixed-orientation documents using the XPS Viewer.

Notable Changes In Windows Server 2008 R2 Service Pack 1
Dynamic Memory
Constraints on the allocation of physical memory represent one of the greatest challenges organizations face as they adopt new virtualization technology and consolidate their infrastructure. With Dynamic Memory, an enhancement to Hyper-V™ introduced in Windows Server 2008 R2 SP1, organizations can now make the most efficient use of available physical memory, allowing them to realize the greatest possible potential from their virtualization resources. Dynamic Memory allows memory on a host machine to be pooled and dynamically distributed to virtual machines as necessary. Memory is dynamically added or removed based on current workloads, without service interruption.

Virtual machines running a wide variety of operating systems can use Dynamic Memory; for a complete list, see the “Dynamic Memory Evaluation Guide” at http://go.microsoft.com/fwlink/?LinkId=192444. The guide also discusses Dynamic Memory settings and usage in detail.
Microsoft RemoteFX

Businesses are increasingly looking to leverage the efficiency and cost savings that can come from a virtualized desktop infrastructure. With the addition of Microsoft RemoteFX in Windows Server 2008 R2 SP1, a new set of remote user experience capabilities that enable a media-rich user environment for virtual desktops, session-based desktops and remote applications is introduced. Harnessing the power of virtualized graphics resources, RemoteFX can be deployed to a range of thick and thin client devices, enabling cost-effective, local-like access to graphics-intensive applications and a broad array of end user peripherals, improving productivity of remote users.

RemoteFX can function independently from specific graphics stacks and supports any screen content, including today’s most advanced applications and rich content (including Silverlight and Adobe Flash), ensuring that end users maintain a rich, local-like desktop experience even in a virtualized thin-client environment.

RemoteFX also adds mainstream USB device support to virtual desktop computing, including support for USB drives, cameras and PDAs connected to the client device. RemoteFX also provides a platform for hardware and software partners to enhance RemoteFX capabilities in a variety of possible host, client and network configurations.

To use RemoteFX, the virtualization server must be running Windows Server 2008 R2 with SP1, the virtual machine must be running Windows 7 Enterprise with SP1 or Windows 7 Ultimate with SP1, and the remote client computer must be running either Windows Server 2008 R2 with SP1 or Windows 7 with SP1. To connect to the virtual machine, the remote client computer requires an updated version of Remote Desktop Services (included in the service pack for all editions of Windows 7).
Enhancements to scalability and high availability when using DirectAccess
DirectAccess is a new feature in the Windows 7 and Windows Server 2008 R2 operating systems that gives users the experience of being seamlessly connected to their corporate network any time they have Internet access. In Windows Server 2008 R2 SP1, improvements have been made to enhance scalability and high availability when using DirectAccess, through the addition of support for 6to4 and ISATAP addresses when using DirectAccess in conjunction with Network Load Balancing (NLB).
Support for Managed Service Accounts (MSAs) in secure branch office scenarios

SP1 enables enhanced support for managed service accounts (MSAs) to be used on domain-member services located in perimeter networks (also known as DMZs or extranets).
Support for increased volume of authentication traffic on domain controllers connected to high-latency networks
As a greater volume of IT infrastructure migrates to cloud-based services, there is a need for higher thresholds of authentication traffic to domain controllers located on high-latency networks (such as the public Internet). SP1 allows for more granular control of the maximum number of possible concurrent connections to a domain controller, enabling a greater degree of performance tuning for service providers.
Enhancements to Failover Clustering with Storage
SP1 enables enhanced support for how Failover Clustering works with storage that is not visible to all cluster nodes. In SP1, improvements have been made to Cluster Validation and to multiple Failover Cluster Manager wizards to allow workloads to use disks that are shared between a subset of cluster nodes.
Wednesday, February 2, 2011

An Insight To AD LDS

What Is Active Directory Lightweight Directory Services?

Active Directory Lightweight Directory Services (AD LDS) is an independent mode of Active Directory, minus infrastructure features, that provides directory services for applications.

AD LDS is a mode of Active Directory that provides directory services for applications.

AD LDS provides dedicated directory services for applications. It provides a data store and services for accessing the data store. It uses standard application programming interfaces (APIs) for accessing the application data. The APIs include those of Active Directory, Active Directory Service Interfaces, the Lightweight Directory Access Protocol, and System.DirectoryServices.
AD LDS operates independently of Active Directory and independently of Active Directory domains or forests. It operates either as a standalone data store, or it operates with replication. Its independence enables local control and autonomy of directory services for specific applications. It also facilitates independent, flexible schemas, and naming contexts.

AD LDS does not have the infrastructure capabilities of Active Directory.

AD LDS does not include directory services for the Windows operating system, so it concentrates on the requirements of specific applications. If AD LDS operates in an Active Directory environment, it can use Active Directory for authentication. Because AD LDS does not support the Messaging Application Programming Interface, Microsoft Exchange cannot use AD LDS.

AD LDS usage complements that of Active Directory.

Although AD LDS and Active Directory can operate concurrently within the same network, AD LDS serves the requirements of specific applications. An instance of AD LDS can be created for a specific application without concern for the dependencies required by Active Directory. Multiple instances of AD LDS, each supporting a separate application, can run on a single AD LDS installation.

Uses of AD LDS

Why Use Active Directory Lightweight Directory Services?

Active Directory Lightweight Directory Services (AD LDS) has both functional benefits and operational benefits for developers who create or adapt directory-enabled applications.
Functional Benefits of AD LDS
Developers using AD LDS have access to the following functional benefits:
  • AD LDS uses the same directory service technology as Active Directory. This means there is a common framework for both the network operating system (NOS) services of Active Directory and the application services of AD LDS.
  • Use of the same directory service technology increases reusability of design and code between Active Directory and AD LDS.
  • AD LDS increases the scalability of directory services by separating the NOS services from the application services.
  • Multiple instances of AD LDS, each tailored to a specific application, can run on a single AD LDS installation.
  • Each AD LDS configuration set has a separate schema, independent of the Active Directory schema.
  • AD LDS can use X.500-style naming contexts, such as O=Fabrikam and C=US.
  • To increase application security, AD LDS can use Windows security principals for authentication and access control.
  • Development for AD LDS can occur on Microsoft Windows XP Professional as well as on the Windows Server 2003 operating systems.

Operational Benefits of AD LDS

Developers using AD LDS have access to the following operational benefits:
  • AD LDS is easy to deploy. Installation and setup are simple.
  • AD LDS can be installed without affecting Active Directory.
  • AD LDS can be reinstalled or restarted without restarting the server.
  • AD LDS uses the same administrative model as Active Directory.
  • AD LDS increases reliability by separating application directory services from NOS directory services.

Tuesday, February 1, 2011

New Features in Windows Server 2008 R2 - High Availability

High Availability

Providing high availability to mission-critical applications, services, and data is a primary objective of successful IT departments. When services are down or fail, business continuity is interrupted, which can result in significant losses. Windows Server 2008 R2 supports many key high-availability features, such as Failover Clustering, Network Load Balancing (NLB), Shadow Copy, Windows Server Backup and a new Windows Recovery Environment, to help organizations meet their uptime requirements for their critical systems.

Failover Clustering

Failover clustering can help you build redundancy into your network and eliminate single points of failure. Learn more at our extensive Failover Clustering site.

Network Load Balancing

Network Load Balancing (NLB) allows you to distribute TCP/IP requests across multiple systems in order to optimize resource utilization, decrease computing time, and ensure system availability. NLB has been improved in Windows Server 2008 R2; the improvements are listed under Increased Workload Support by Scaling Out below.

Windows Hardware Error Architecture (WHEA)

Windows Hardware Error Architecture (WHEA) has been enhanced to support Machine Check Architecture (MCA) error recovery, offering the ability to contain and recover from several types of multi-bit ECC errors in memory and cache without operating system or application interruption. For more details, please visit TechNet: http://www.microsoft.com/whdc/system/pnppwr/whea/default.mspx

Dynamic Hardware Partitioning

On a dynamically partitionable server, partition units can be added or replaced without restarting the operating system. Windows Server 2008 R2 supports hot-add of processors, memory, and I/O host bridges, and hot-replace of processors and memory, on x64-based and Itanium-based systems that support dynamic hardware partitioning (DHP).

Fault Tolerant Hardware

Windows Server 2008 R2 includes support for fault-tolerant memory synchronization. Fault-tolerant servers contain redundant hardware – from fans and power supplies to processors and RAM – which runs in lockstep. If a primary component fails, the secondary component takes over in a process that is seamless to the application running on the server.

Scaling Up

Windows Server 2008 R2 scales to 256 logical processors for business-critical servers supporting large databases, line-of-business applications, and custom applications that require highly reliable, scalable servers.

Increased Workload Support by Scaling Out

The Network Load Balancing feature in Windows Server 2008 R2 allows you to combine two or more computers into a cluster. You can use NLB to distribute workloads across the cluster nodes in order to support a larger number of simultaneous users. Network Load Balancing feature improvements in Windows Server 2008 R2 include:
  • Improved Support for Applications and Services That Require Persistent Connections
    The IP Stickiness feature in Network Load Balancing allows you to configure longer affinity between clients and cluster nodes. By default, Network Load Balancing distributes each request to a different node in the cluster. Some applications and services, such as a shopping cart application, require that a persistent connection be maintained with a specific cluster node.
  • Improved Health Monitoring and Awareness for Applications and Services
    The Network Load Balancing Management Pack for Windows Server 2008 R2 allows you to monitor the health of applications and services running in Network Load Balancing clusters.
  • Next Generation TCP/IP
    Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) are both supported natively by Windows Server 2008 R2. NLB extends full support to IPv6 for all communication while maintaining IPv4 support.
  • Multiple IP Address Support
    Each node in your NLB cluster can now have multiple dedicated IP addresses.
  • Microsoft ISA Server Integration
    Microsoft ISA Server can support your mixed IPv4 and IPv6 infrastructure by allowing multiple IP addresses for each NLB node where IPv4 and IPv6 clients are used. ISA Server can also provide intrusion detection services to protect your NLB cluster.
Learn more about NLB at the HA Windows Server TechCenter.

Shadow Copy, Windows Server Backup and Windows Recovery

Windows Server 2008 R2 contains new and updated features to help you create backups and, if needed, perform a recovery of your operating system, applications, and data. By using these features appropriately and implementing good operational practices, you can improve your organization's ability to recover from damaged or lost data, hardware failures, and disasters.
There are several features in Windows Server 2008 R2 that you can use together to create backups and perform recoveries of your server systems and data. These include the following:
  • Shadow Copies of Shared Folders
    Shadow Copies of Shared Folders provides point-in-time copies of files that are located on shared resources, such as a file server.
  • Windows Server Backup tools
    Windows Server Backup is a feature in Windows Server 2008 R2 that provides a set of wizards and other tools for you to perform basic backup and recovery tasks for your servers running Windows Server 2008 R2. This feature has been redesigned and introduces new technology.
  • Windows Recovery Environment
    Windows Recovery Environment in Windows Server 2008 R2 is a partial version of the operating system and a set of tools that you can use to perform operating system or full server recoveries (together with a backup that you created earlier using Windows Server Backup).
Learn more about the features at the Backup and Recovery Windows Server TechCenter.

Improved Storage Solution Availability

Availability of storage is essential to all mission-critical applications in your organization. Windows Server 2008 R2 includes the following improvements to storage solution availability:
  • Improved Fault Tolerance Between Servers and Storage
    When multiple paths exist between servers and storage, Windows Server 2008 R2 can fail over to an alternate path if the primary path fails. You can select the failover priority by configuring the load-balancing policies for your storage solution.
  • Improved Recovery from Configuration Errors
    An error in the configuration of the storage subsystem can negatively affect storage availability. Windows Server 2008 R2 allows you to take configuration snapshots of the storage subsystem (for example, the iSCSI configuration). In the event of a subsequent configuration failure, you can quickly restore the configuration to a previous version.

Wednesday, January 19, 2011

Advantages of the Server 2008 Domain Functional Level

1. DFS (Distributed File System) Replication
2. Advanced Encryption Standard (AES) support for the Kerberos protocol
3. Last Interactive Logon Information
          GPO in Computer Configuration --> Policies --> Administrative Templates --> Windows Components --> Windows Logon Options --> Display information about previous logons during user logon.
4. Fine-grained password policies

Sunday, January 16, 2011

Unlocking a Domain Account Locked Out by Remote Access Account Lockout

You can use the remote access account lockout feature to specify how many times a remote access authentication fails against a valid user account before the user is denied access. Remote access account lockout is especially important for remote access virtual private network (VPN) connections over the Internet. An attacker on the Internet can attempt to access an organization intranet by sending credentials (valid user name, guessed password) during the VPN connection authentication process. During a dictionary attack, the attacker sends hundreds or thousands of credentials by using a list of passwords based on common words or phrases.
With remote access account lockout enabled, a dictionary attack is thwarted after a specified number of failed attempts. As the network administrator, you must decide on two remote access account lockout variables:
  1. The number of failed attempts before further attempts are denied.

    After each failed attempt, a failed attempts counter for the user account is incremented. If the user account's failed attempts counter reaches the configured maximum, future attempts to connect are denied.

    A successful authentication resets the failed attempts counter to 0.
  2. How often the failed attempts counter is reset.

    The failed attempts counter is periodically reset to 0. If an account is locked out after the maximum number of failed attempts, the failed attempts counter automatically resets to 0 after an interval that you specify.
You enable the remote access account lockout feature by changing settings in the registry on the computer that provides the authentication. If the remote access server is configured for Windows Authentication, modify the registry on the remote access server computer. If the remote access server is configured for RADIUS authentication and Network Policy Server (NPS) is being used, modify the registry on the NPS server.
Caution
Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
To enable remote access account lockout, you must set the MaxDenials entry in the registry to 1 or greater. MaxDenials is the maximum number of failed attempts before the account is locked out. You set the MaxDenials entry in the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout
By default, MaxDenials is set to 0, which means that remote access account lockout is disabled.
To modify the amount of time before the failed attempts counter is reset, you must set the ResetTime (mins) entry in the registry to the required number of minutes. You set the ResetTime (mins) entry in the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout
By default, ResetTime (mins) is set to 0xb40, or 2,880 minutes (48 hours).

Manually resetting an account that is locked out

To manually reset a user account that has been locked out before it is automatically reset, delete the following registry subkey that corresponds to the user's account name on the remote access server:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout\domain name:user name
When the lockout count for a user account is reset to 0 due to either a successful authentication or an automatic reset, the registry subkey for the user account is deleted.
Note: Remote access account lockout is not related to the Unlock account setting on the Account tab of the properties of a user account.
The remote access account lockout feature does not distinguish between malicious users who attempt to access your intranet and authentic users who attempt remote access but have forgotten their current password.
If you enable the remote access account lockout feature, a malicious user can deliberately force an account to be locked out by attempting multiple authentications with the user account until the account is locked out, thereby preventing the authentic user from being able to log on.
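As an added example (not from the original article), this PowerShell audits and sets the lockout values described above on the server that performs authentication (the RRAS server or the NPS server), lists the accounts that currently have a lockout subkey, and performs the manual reset; regularly listing those subkeys is also a cheap way to notice the deliberate lockout pattern the note above warns about. The registry path and the MaxDenials and ResetTime (mins) entries come from the article; the function names and the sample account are this example's own, and it must be run elevated on that server.

```powershell
# Added example, not from the original article. Audits and configures the
# remote access account lockout registry settings and the per-account subkeys.
# Run elevated on the server that performs authentication (RRAS or NPS).

$LockoutKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout'

function Get-RemoteAccessLockoutPolicy {
    if (-not (Test-Path -LiteralPath $LockoutKey)) {
        throw "Lockout key not found: $LockoutKey (is RRAS installed on this server?)"
    }
    $props      = Get-ItemProperty -LiteralPath $LockoutKey
    $maxDenials = [int]$props.MaxDenials            # 0 (the default) means the feature is disabled
    $resetMins  = [int]$props.'ResetTime (mins)'    # default 0xb40 = 2880 minutes = 48 hours
    [pscustomobject]@{
        Enabled        = ($maxDenials -gt 0)
        MaxDenials     = $maxDenials
        ResetTimeMins  = $resetMins
        ResetTimeHours = [math]::Round($resetMins / 60, 1)
    }
}

function Set-RemoteAccessLockoutPolicy {
    # Enables lockout (MaxDenials >= 1) and sets the counter reset interval; both are DWORD values.
    param(
        [Parameter(Mandatory)][ValidateRange(1, [int]::MaxValue)][int]$MaxDenials,
        [ValidateRange(1, [int]::MaxValue)][int]$ResetMinutes = 2880
    )
    Set-ItemProperty -LiteralPath $LockoutKey -Name 'MaxDenials' -Value $MaxDenials -Type DWord
    Set-ItemProperty -LiteralPath $LockoutKey -Name 'ResetTime (mins)' -Value $ResetMinutes -Type DWord
    Get-RemoteAccessLockoutPolicy
}

function Get-RemoteAccessLockoutEntry {
    # Every account with a non-zero failed-attempts counter has a subkey named "domain name:user name";
    # the subkey disappears when the counter is reset by a successful logon or by the timer.
    Get-ChildItem -LiteralPath $LockoutKey -ErrorAction SilentlyContinue | ForEach-Object {
        $domain, $user = $_.PSChildName -split ':', 2
        [pscustomobject]@{ Domain = $domain; User = $user; SubKey = $_.PSChildName }
    }
}

function Reset-RemoteAccessLockout {
    # Manual reset, as described above: delete the account's subkey before the automatic reset fires.
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$User
    )
    $path = '{0}\{1}:{2}' -f $LockoutKey, $Domain, $User
    if (Test-Path -LiteralPath $path) {
        Remove-Item -LiteralPath $path
        "Lockout counter cleared for $Domain\$User"
    } else {
        "No lockout entry for $Domain\$User"
    }
}

Get-RemoteAccessLockoutPolicy
Get-RemoteAccessLockoutEntry | Format-Table -AutoSize
# To enable lockout after 5 failures with a 30-minute reset, and to clear one
# account by hand (constructed sample names):
# Set-RemoteAccessLockoutPolicy -MaxDenials 5 -ResetMinutes 30
# Reset-RemoteAccessLockout -Domain CONTOSO -User jdoe
```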
Source: http://technet.microsoft.com/de-de/library/ff687746%28v=ws.10%29.aspx