
July 24, 2008

Implementing Group Policy Preferences - Part 3 of 4

This snippet is taken from The Definitive Guide to Building a Windows Server 2008 Infrastructure, a free e-book sponsored by Tricerat. Get your free copy of the entire 10-chapter book here.

What we haven't discussed yet about GPPs is one of their greatest strengths. Unlike most of traditional Group Policy, GPPs can be configured as mere "suggestions" rather than the enforced "policies" we're used to seeing. Consider the situation where you want to "suggest" an initial environment variable setting for users, but allow them to change that setting later if they desire. Using traditional Group Policy, this is not possible because traditional Group Policy is intended to be an enforcement mechanism. Each time the Group Policy Refresh Interval passes, the Group Policy client will change any modified settings back to their initial configuration.

image-01-072408.jpg

The image above shows the Common tab found within all GPP settings. There, look for the setting titled Apply once and do not reapply. When this box is checked, the GPP will make the configuration change, but it will not reset that change if a user later decides to move their setting away from what you "suggest".

BE AWARE: The client-side code required to process GPPs is natively available within Windows Server 2008. However, Client-Side Extensions (CSEs) must be downloaded and installed to all other operating systems for them to recognize and process GPPs. You can find links for CSEs at: http://support.microsoft.com/kb/943729.

In tomorrow's conclusion, we'll talk about GPP targeting, which eases the process of applying GPPs to the correct machines...

July 23, 2008

Implementing Group Policy Preferences - Part 2 of 4

This snippet is taken from The Definitive Guide to Building a Windows Server 2008 Infrastructure, a free e-book sponsored by Tricerat. Get your free copy of the entire 10-chapter book here.

As you'll also see in the image below, the potential for customizable control available through GPPs is remarkable. Within either half, one can easily control elements like drive mappings, environment variables, files and folders, data sources, local users and groups, power options, printers, and much more.

image-01-072308.jpg

To give you an example of one use of GPPs that has traditionally been accomplished through login scripts, consider your need for setting drive mappings for users' home drives. With login scripts, the process to accomplish this task typically involves creating the script, storing that script in the domain's SYSVOL, and configuring each user to process the script through their user object within Active Directory Users and Computers. Using GPPs this process gets quite a bit simpler. In this example, let's assume that home drives are typically mapped to the H: drive and are stored within the \\w2008a\homefolders share. To use a GPP to set this for all computers in the domain, use the following process:

  • Create a new GPO and launch the GPME. Navigate to User Configuration | Preferences | Windows Settings | Drive Maps.
  • In the right pane of the resulting screen, select New | Mapped Drive. The window will look similar to Figure 6.9.
  • Within that window, change the selections to match what is shown in the image below. Click OK when complete.
  • Close the GPME and link the GPO to the domain.

image-02-072308.jpg

By completing these four steps you have accomplished the same drive mapping that required scripting knowledge as well as the time-consuming management of user-specific settings within Active Directory Users and Computers. Yet this is completed in a much shorter amount of time and with much easier management and troubleshooting in the future. Through their reliance on Group Policy for distribution, GPPs enable common customizations to be managed through the same tools used to manage Group Policy.
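An added example (not from the e-book or the original post): a read-only inventory of the drive maps a GPO deploys, flagging items set to Apply once and do not reapply, which the client will not re-assert after a user changes them. The XML is a constructed, trimmed sample; its element and attribute names are assumed to match the Drives.xml the GPME writes to SYSVOL, and the S: mapping and the `Get-GppDriveMap` function are hypothetical.

```powershell
# Constructed, trimmed sample of a GPO's User\Preferences\Drives\Drives.xml.
# Assumption: layout matches what the GPME writes; clsid/uid attributes omitted.
[xml]$sample = @'
<Drives>
  <Drive name="H:" status="H:" changed="2008-07-23 10:00:00">
    <Properties action="U" thisDrive="NOCHANGE" allDrives="NOCHANGE"
                userName="" path="\\w2008a\homefolders" label="Home"
                persistent="0" useLetter="1" letter="H"/>
  </Drive>
  <Drive name="S:" status="S:" changed="2008-07-23 10:05:00">
    <Properties action="C" thisDrive="NOCHANGE" allDrives="NOCHANGE"
                userName="" path="\\w2008a\scratch" label="Scratch"
                persistent="0" useLetter="1" letter="S"/>
    <Filters>
      <FilterRunOnce hidden="1" not="0" bool="AND"
                     id="{22222222-2222-2222-2222-222222222222}"/>
    </Filters>
  </Drive>
</Drives>
'@

function Get-GppDriveMap {
    # Hypothetical helper: turns one Drives.xml document into report rows.
    param(
        [Parameter(Mandatory)][xml]$Xml,
        [string]$Source = '(inline sample)'
    )
    # Single-letter action codes as stored in the Properties element.
    $actions = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }

    foreach ($drive in $Xml.SelectNodes('/Drives/Drive')) {
        $props = $drive.SelectSingleNode('Properties')
        if (-not $props) { continue }   # skip malformed items instead of failing

        [pscustomobject]@{
            Source    = $Source
            Letter    = $props.GetAttribute('letter')
            Path      = $props.GetAttribute('path')
            Action    = $actions[$props.GetAttribute('action')]
            # A FilterRunOnce child marks "Apply once and do not reapply":
            # the item is a suggestion, not something re-applied at refresh.
            ApplyOnce = [bool]$drive.SelectSingleNode('Filters/FilterRunOnce')
        }
    }
}

# Report on the inline sample.
Get-GppDriveMap -Xml $sample | Format-Table -AutoSize

# The same report over every GPO in the domain (read-only; needs SYSVOL access):
# $root = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
# Get-ChildItem $root -Recurse -Filter Drives.xml | ForEach-Object {
#     Get-GppDriveMap -Xml ([xml](Get-Content $_.FullName -Raw)) -Source $_.FullName
# } | Sort-Object Letter | Format-Table -AutoSize
```

Rows with `ApplyOnce` set to True are the mappings to review when a share you expected to be present has drifted on some machines.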

Tomorrow, we continue the discussion with a talk about the differences between "policies" and the "suggestions" GPPs bring.

July 22, 2008

Implementing Group Policy Preferences - Part 1 of 4

This snippet is taken from The Definitive Guide to Building a Windows Server 2008 Infrastructure, a free e-book sponsored by Tricerat. Get your free copy of the entire 10-chapter book here.

Even with the over 2,500 individual settings that can now be configured with Group Policy, the nature of Group Policy itself may not fulfill all the needs of your Windows Server 2008 infrastructure. Due to their highly-customizable nature, IT infrastructures have traditionally made use of login scripts to handle the customized needs of their individual environment.

But there have always been a few issues with login scripts for these sorts of customizations. First, they are only processed at the time of login. If you desire a custom change to occur, you must first change the login script and then wait for each client to log in again for the change to process. Additionally, the coding of complex customizations can often be challenging using shell scripting or VBScript languages. In order to properly use login scripts, you need to learn these scripting languages and the best practices associated with their use.

Upon the release of Group Policy with Windows Server 2008 comes a much-desired new enhancement to Group Policy called Group Policy Preferences (GPPs). GPPs bring together much of the customization power of login scripts with the rich targeting and regular update capabilities of Group Policy.

Take a look through the settings found in the traditional Group Policy Administrative Templates. There, you'll find a significant level of ability to control the configuration of workstations and servers attached to your domain. But that configuration control is limited to just the areas that Microsoft has made available through the Administrative Templates. If you want to make your own customized changes that aren't already a part of a Group Policy setting, you're forced to code your own template using XML. This rather difficult process can make cumbersome the process of customization. GPPs overcome this limitation by making available a set of tools that allow for GUI-based customization of areas commonly handled through login scripts.

Take another look at any particular Group Policy within the GPME. Within the left pane of the tree view you will see that both the Computer Configuration and the User Configuration nodes are further broken into two halves apiece. Each contains two top-level nodes titled Policies and Preferences. The Policies node is where traditional Group Policy settings are configured. The Preferences node is where preferences are enabled.

Check back tomorrow for the next part in the series!

July 21, 2008

No, OpenFiler Does Not Work with Windows Server 2008 Clustering

If you're like me in that you've been looking for an iSCSI solution to use in creating Windows Server 2008 failover clusters, you might have looked at OpenFiler. This tool has been handy for IT pros for a while, specifically as a target for ESX demonstration environments to host virtual machines.

The other use for this tool that many IT pros want to see work is as a target for Windows clustering. As a virtual machine, OpenFiler is easy to set up, relatively stable, and seemingly perfectly suited as a location for quorum and shared storage.

But, as of today OpenFiler does not work with Windows Server 2008 clustering. The problem is that the application does not support the persistent reservations now required by Windows Server 2008 for managing multiple-host access to shared storage.

I've talked over email with at least one of the OpenFiler developers about this omission. Although the web site reads a somewhat aloof resistance to including the capability, apparently adding this ability is more than a quick fix. The response I received was thus:

Hi Greg,

I've looked into this issue further and unfortunately we're not going to be able to fix this issue in the near term - certainly not before 2.3 comes out.

The underlying iscsi target software (IET) does not support persistent reservation.

For Openfiler Enterprise Edition (due in 4Q 08) we're moving to a more robust solution for the iSCSI target -- which supports persistent reservation among a slew of other enterprise class features such as ERL2 support.

So, no, OpenFiler does not work with 2008 clustering. They're working on it, but it won't be ready for quite some time. I myself haven't found a solution that I can recommend publicly, but today I continue the search. If you've found a solution that's free and that'll work, let us know!

July 14, 2008

Greg and CBT Nuggets Release SCCM Video Training Series

My fifth series with CBT Nuggets, last week they officially released my training package on System Center Configuration Manager. This video series discusses what you need to know to be effective with an SCCM infrastructure while at the same time preparing you for the Microsoft 70-401 exam.

You can buy the 8 hour series outright for $299 (worth the cash in my book, but I'm obviously biased). Or, an even better idea is to purchase a monthly subscription to the entire CBT Nuggets catalog, netting you 142 titles for $199/month. If you're looking for a fast ramp-up on the technologies you need to know, this is the place.

Check out more information on the video series at this web site: https://www.cbtnuggets.com/webapp/product?id=421.

Or, click past the fold for a list and description of each video in the 20-pack. You'll be impressed with the comprehensive approach to essentially every component of SCCM.

 

July 2, 2008

Free Tool to Report Group Policy Changes

Don't you wish you'd known when someone made that change to Group Policy that broke the network? Don't you wish that you'd had some idea to help you track down the problem just that much faster?

Group Policy is a great tool, and one can argue one of the greatest features of Active Directory itself. But alone, Group Policy doesn't include any built-in workflow features that assist with alerting administrators when things change. Until now.

The guys over at NetWrix announced this week a new tool called Group Policy Change Reporter that assists in doing just this. Best yet, the tool is freeware -- even for companies. The free version...

"...makes Group Policy change auditing task very easy and straightforward. This FREE product sends daily reports detailing every single change made to Group Policy configuration. The reports list newly created and deleted GPOs, GPO link changes, changes made to audit policy, password policy, software deployment, user desktops, and all other settings. The data includes Who, What and When information for all changes with previous and current values for all modified settings."

For a few bucks more you can add some advanced features like better reporting, policy archival, and technical support. Check out and get your free version here: http://www.netwrix.com/group_policy_auditing_change_reporting_freeware.html

Chapter 6 on Windows Server 2008 Group Policy Now Available

This week Chapter 6 of my book The Definitive Guide to Building a Windows Server 2008 Infrastructure was released. You can get it as a free download from here: http://www.tricerat.com/ebooks/index.php.

This chapter is all about Group Policy, and goes into detail not only about the basics of Group Policy but also the new features you get with the upgrade to Windows Server 2008. One of the very best new features, Group Policy Preferences, is discussed in detail. If you're still using logon scripts to handle desktop configuration for those things traditional Group Policy just won't do, you need to read this chapter.

GPPs give you amazing power to manage virtually every part of your desktop and server configurations -- even down to mapping individual drive letters and manipulating specific registry keys. Big wow.

June 27, 2008

A Quick Review of Small Business Server 2008 (from Someone who Doesn't Really Know SBS 2003)

I signed up recently with Microsoft to take part in a reviewer process for SBS 2008. Knowing that I had relatively little experience with SBS 2003, I felt that a pair of fresh eyes could do a good review of this topic without the baggage of previous versions.

So, in doing so I found myself signed up for a few hours of introduction to the product over the phone with the Microsoft product teams. And, oddly enough, about three days later this 50-someodd pound box shows up at my door. Turns out that to fully review the product, Microsoft decided to present its reviewers with a fresh-from-the-computer-store picture of how a small business person can expect the server to arrive.

Notwithstanding the cost of getting these servers distributed to people all over the world, the presentation was nice. Since I don't have good experience with SBS 2003, I thought it particularly handy to go through the entire process from the perspective of the perhaps-not-IT-person that might have purchased this device to see how I felt.

After unboxing the server, plugging it in, and starting it up, I was immediately...

Click past the fold for the rest of the review...

 

June 16, 2008

Everything you Ever Wanted to Know about Creating a Cluster on Hyper-V

...can be found in this blog post: http://blogs.technet.com/josebda/archive/2008/04/14/snw-demo-windows-server-2008-core-hyper-v-and-failover-clustering-with-screenshots.aspx.

Plenty of screen shots there too to get you going.

W2003 to W2008 Cluster Migration Gotchas

If you're currently using a failover cluster on Windows Server 2003 and planning on upgrading to Windows Server 2008, be aware that there are a few gotchas to the upgrade procedure. Here are a few I've picked up recently...

  • W2008 provides the "Migrate a Cluster Wizard", however that tool includes some limitations. It does not actually move or copy the data, folders, or shared folder settings during the migration. That data must be relocated manually.
  • The wizard cannot automatically relocate mount point information.
  • The wizard only migrates from W2003, and cannot assist if your cluster is currently running on W2000. It similarly cannot migrate from W2008 to W2008.
  • Drive letters cannot be the same between the "old" and "new" cluster during the migration process. First run the wizard and change the drive letter later once the migration is complete.
  • To make the migration process easier, consider removing drive letters prior to the migration. Use a text-based drive letter (such as "Drive_F") for the drive label. This assists with identifying the drive without relying on the "old" drive letter.

May 28, 2008

For My SBS 2008 Review, They Mailed an Entire Server!

I've recently been engaged by the Small Business Server team at Microsoft to review and provide comment on the new SBS 2008. As part of that, last week I got a private demonstration of the updated product and information about Microsoft's roadmap and list of new and added features.

Today, they mailed an entire freakin server to my front door!

Major style points on the presentation, I'll admit. But, there's another reason why they chose not to merely point me to a download location for the software. This review of SBS 2008 is intended to be done from the perspective of the small business owner that purchases an OEM preinstalled version on workgroup-class server hardware. That preinstalled installation arrives with the OS and drivers already installed, and is intended to bootstrap the quasi-technical small business owner into server ownership.

I've merely got the thing out of the box at this point, so I haven't yet had the opportunity to see how the initial bootup configuration works. Once I get there, I'll report back with more information. What I can say is that from just the demos I've seen of SBS 2008, its console appears pretty slick.

May 19, 2008

LOGMAN.EXE, a Great Tool for Managing PerfMon

I just got back from TechMentor where I again found myself spending a lot of time educating Windows administrators on the basics of performance management. There's been a problem with Windows administration over the past few years in that the needs of software haven't kept up with the abilities of hardware. The end result is that we administrators find ourselves for the first time in the history of computing with vast supplies of resources and little demand.

Because of this, a generation of Windows administrators hasn't grown up needing to undertake the daily basics of performance management on servers. The basic concepts of performance management have gotten lost as the old guard moves on and the new guard takes over. What changes all of this, however, is the implementation of virtualization into the IT environment. With virtualization, your servers at 3% utilization find themselves "squished together" with others on a virtual host. For this architecture to work successfully, we now see a rebirth of the need for vigilance in watching and actioning on performance.

CC Hameed over at the Ask the Performance Team blog presents a comprehensive look at the command line tool LOGMAN.EXE. This tool provides a command-line approach to managing PerfMon that enables greater functionality, script and scheduled task-based exposure, and a better ability to manage performance logs.

Check out his LOGMAN Two Minute drill at this site: http://blogs.technet.com/askperf/archive/2008/05/13/two-minute-drill-logman-exe.aspx

May 6, 2008

Designing OU Structures that Work

TechNet Magazine this month includes an article that discusses best practices in OU design. One great quote from early in the piece that I'm sure you've experienced yourself states, "A poorly planned OU structure tends to take on a life of its own."

So true. With a poorly planned OU structure, you spend more time looking for objects and troubleshooting Group Policy application than necessary. In every case so far in my own personal experience, the simpler the structure the more useable it is going to be. If you find yourself creating OUs for mere object separation without additional reasoning, you may find yourself with an end-result structure that's too complicated. The article breaks down the architecture determination process into three questions. Ask yourself these three questions when you're making decisions about when and where to create OUs:

  1. Does this OU need to be created so a unique Group Policy Object (GPO) can be applied to it?
  2. Does a particular group of administrators need to have permissions to the objects in this OU?
  3. Will this new OU make it easier to administer the objects within it?

If the answer to any of these questions is "yes", then likely the OU creation is a good idea. If you find yourself answering "no" to all, then the OU creation may be extraneous. The article then goes on to a deep discussion about the different object models typically used by successful environments.

Get your copy of this excellent article at: http://technet.microsoft.com/en-us/magazine/cc462797.aspx

April 18, 2008

Not all RSAT Tools Work with Server 2003...

In fact, here is a list of the RSAT tools that have been confirmed to work with Server 2003:

  • Active Directory Domain Services (AD DS) Tools
  • Active Directory Lightweight Directory Services (AD LDS) Tools
  • Active Directory Certificate Services (AD CS) Tools
  • DHCP Server Tools
  • DNS Server Tools
  • Group Policy Management Tools
  • Network Load Balancing Tools
  • Terminal Services Tools
  • Universal Description, Discovery, and Integration (UDDI) Services Tools

Apparently, not all administrative tools for Server 2008 are even included in the RSAT either. Here is a list of management tools that aren't in the RSAT:

  • Active Directory Rights Management Services (AD RMS) Tools
  • Fax Service Manager
  • Network Policy and Access Services (NPS) Tools (has no remote connectivity functionality)
  • Server Manager (has no remote connectivity functionality - top feature request #1 - Server Manager product team is looking how to get this done in next release)
  • iSNS (Internet Storage Name Service)
  • Storage Explorer
  • Windows Media Services (available through separate addon for x86 and x64)
  • WINS (Windows Internet Name Service)
  • Windows Server Backup
  • Windows Deployment Services (WDS) Tools
  • IIS 7 Manager (available through separate addon for x86 and x64)
  • Hyper-V Tools (available through separate addon for x86 and x64 - More information: Q949758)

Thanks to Michael over at 4sysops for this juicy little post...

April 15, 2008

With Group Policy Preferences, Don't Forget the Client-Side Extensions!

If you haven't taken a look at Group Policy Preferences (GPPs), you absolutely should. With these babies, you'll finally be able to get rid of your login scripts completely. They allow for nearly complete control over most of the "missing" aspects of your desktops that you've been waiting for.

But, you can't forget the Client-Side Extensions (CSEs). Like Group Policy, GPPs are all about the client. If the client doesn't know how to translate the instructions it's getting, they're not going to apply. In order for GPPs to work, the CSEs must be installed onto every managed client. No exceptions.

Get the CSEs here: http://support.microsoft.com/Default.aspx?kbid=943729

IMPORTANT NOTE FOR XP/2003 USERS: There is a prerequisite installation called XmlLite that is also required for your machines. Scroll to the bottom of the link above to get this critical installation.

April 7, 2008

Vista & Server 2008's Auditing Capabilities More Granular than Being Reported

Server 2008's new auditing capabilities for Active Directory accesses are getting a lot of hype in the press and the blogosphere. The main feature being touted is the separation of the old "Audit Directory Service Access" category into four separate subcategories:

  • Directory Service Access
  • Directory Service Changes
  • Directory Service Replication
  • Detailed Directory Service Access

I'll admit that I've been pushing this meme as well, to what I've recently learned is at the exclusion of a whole set of new auditing subcategories. In doing a little research this week, it appears that Vista's and Server 2008's nine original auditing categories have actually been broken out into 50 individual subcategories.

As an example, the original auditing category "Audit account management" now has six separate subcategories that you can enable or disable to specifically target the type of auditing of interest. Those six subcategories are:

  • User Account Management
  • Computer Account Management
  • Security Group Management
  • Distribution Group Management
  • Application Group Management
  • Other Account Management Event

Randy Franklin Smith has a great run-down of each of the new 50 subcategories at this site: http://www.ultimatewindowssecurity.com/newauditpol/

The only downer about Microsoft's implementation of these subcategories is that they're not presently Group Policy configurable. The nine major categories can be managed via Group Policy, but I have had no success in finding any ability for GP to manage the subcategories.

To enable or disable these subcategories, you'll need to use the command-line tool auditpol.exe.

Click below the fold for detailed info on how to use auditpol.exe...
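One way to apply and verify a subcategory baseline with auditpol.exe, as an added example that is not from the original post. The baseline values in `$wanted` are assumptions chosen for illustration, and subcategory names must match what `auditpol /list /subcategory:*` prints on the machine.

```powershell
# Run from an elevated prompt on Vista / Server 2008 or later.
# Assumed baseline for illustration: subcategory name -> desired setting.
$wanted = @{
    'User Account Management'     = 'Success and Failure'
    'Computer Account Management' = 'Success'
    'Security Group Management'   = 'Success and Failure'
    'Directory Service Changes'   = 'Success'
}

function Get-AuditSubcategory {
    # /r emits CSV with the columns: Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting.
    $rows = auditpol.exe /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv
    $map = @{}
    foreach ($row in $rows) { $map[$row.Subcategory] = $row.'Inclusion Setting' }
    $map
}

function Set-AuditSubcategory {
    param([string]$Name, [string]$Setting)
    # Translate "Success", "Failure", "Success and Failure" or "No Auditing"
    # into the two switches auditpol expects.
    $success = if ($Setting -match 'Success') { 'enable' } else { 'disable' }
    $failure = if ($Setting -match 'Failure') { 'enable' } else { 'disable' }
    auditpol.exe /set /subcategory:"$Name" /success:$success /failure:$failure | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol could not set '$Name'" }
}

# 1. Compare the live policy with the baseline and fix only what differs.
$before = Get-AuditSubcategory
foreach ($name in $wanted.Keys) {
    if (-not $before.ContainsKey($name)) {
        Write-Warning "Subcategory '$name' not found; check the spelling against auditpol /list /subcategory:*"
        continue
    }
    if ($before[$name] -ne $wanted[$name]) {
        Set-AuditSubcategory -Name $name -Setting $wanted[$name]
    }
}

# 2. Read the policy back so the report shows what is really in effect.
$after = Get-AuditSubcategory
$wanted.Keys | Sort-Object | ForEach-Object {
    New-Object psobject -Property @{
        Subcategory = $_
        Before      = $before[$_]
        After       = $after[$_]
        Compliant   = ($after[$_] -eq $wanted[$_])
    }
} | Format-Table Subcategory, Before, After, Compliant -AutoSize
```

Because the script reads the policy back after changing it, scheduling it also surfaces cases where something else on the machine resets the subcategories between runs.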

 

March 31, 2008

SCCM Console Debug View

If SCCM's console isn't providing enough information for you, you also have the option to run it in "debug view mode". This mode adds additional actions to each node that allow you to view CM Object Properties in addition to the standard view. This is particularly handy when needing data for scripting and advanced troubleshooting.

Load the console in debug view with the command: adminconsole.msc /SMS:debugview

You'll need to navigate to the C:\Program Files\Microsoft Configuration Manager\AdminUI\bin folder to directly launch this application.

Other console extensions are available as well to change the console's language as well as ignore and/or reset extensions. You can learn more about extending the console at this address: http://technet.microsoft.com/en-us/library/bb693533.aspx

March 28, 2008

The Remote Server Administration Tools Have Been Released

The RSAT is Vista's replacement for Windows XP's adminpak.msi, and they've been a long time in coming. For many IT administrators, the move to Vista has been tainted by a lack of these necessary tools for remotely administering Windows networks.

Click past the fold for a list of the tools available in this version of the RSAT.

Get your copy at these fine locations:

 