Friday Mail Sack – It’s About To Get Real Edition
Hello Terra, it’s Ned here again. Before I get rolling, a big announcement:
On May 16th all the MSDN and TechNet blogs are being migrated to a new platform. This will get us back in line with modern blogging software, and include new features, better search, more user customization, and generally remove a lot of suck. Because AskDS is a very popular blog – thanks to you – we rated extra sandbox testing and migration support and we believe things are going to go smoothly. The migration will be running for a week (although many sites will be done before then) and during this time commenting will be turned off; just email us through our contact form if you need to chat. You can read more about the new features and track progress on the migration here.
On to this week’s most interesting questions.
- GPMC scripts in Win7/R2
- DFSR and port 5722
- DSA.MSC missing tabs
- ADLDS/ADAM password sync
- Scripting user home folders
- Win2008 Resource Kit tools
- Auditing
Question
What happened to the GPMC scripts in Windows 7 and Win2008 R2?
Answer
Those went buh-bye when Vista came out. They can be downloaded from here if you like and I’ll wager they’ll work fine on 7, but the future of scripting GP is in PowerShell. Recommended reading:
- Group Policy Cmdlets in Windows PowerShell
- Automating Group Policy Management with Windows PowerShell
- Simplify Group Policy Administration with Windows PowerShell
Question
KB832017 (Services Overview and Network Port Requirements...) lists port 5722/TCP as being used for DFSR -- but only on Server 2008 or Server 2008 R2 DCs. What exactly happens over 5722/TCP? KB832017 is practically the only time I've ever seen that port mentioned.
Answer
There’s no special reasoning here, it’s a bug. :-) In a simple check to determine if a computer was a member client or member server, we forgot that it might also be a domain controller. So the code ends up specifying a port that was supposed to be reserved for some client code. Amazingly, no Premier contract customer has ever opened a DCR with us asking to have it fixed. I keep waiting…
Nothing else weird happens here, and it will look just like normal DFSR RPC communication in all other respects – because it is normal. :)
You can still change the port with DFSRDIAG STATICRPC <options> if you need to traverse a firewall or something. You are not stuck with this.
Question
I am missing tabs in Active Directory Users and Computers (DSA.MSC) when using the Windows 7 RSAT tools. I found some of your old Vista content about this, but you later said most of this has been fixed. Whiskey Tango Hotel?
Answer
As is often the case with RSAT (a tool designed by committee due to all the various development groups, servicing rules, and other necessities of this suite), there are a series of steps here to make this work. I’ll go through this systematically:
After installing RSAT on a domain-joined Windows 7 client, you add the Role Administration Tools for "AD DS Snap-ins and Command-line Tools":
You then start DSA.MSC and examine the properties of a user. You notice that some or all of the following tabs are missing:
- Published Certificates
- Password Replication
- Object
- Security
- Attribute Editor
- Environment
- Sessions
- Remote Control
- Remote Desktop Services Profile
- Personal Virtual Desktop
- UNIX Attributes
- Dial-in
1. Enable "Advanced Features" via the View menu. This will show at least the following new tabs:
- Published Certificates
- Password Replication
- Object
- Security
- Attribute Editor
2. If still not seeing tabs:
- Environment
- Sessions
- Remote Control
- Personal Virtual Desktop
- Remote Desktop Services Profile
Add the following RSAT feature: "Remote Desktop Services Tools". Then restart DSA.MSC and if Advanced View is on, these tabs will appear.
3. If still not seeing tab:
- UNIX Attributes
Add the following RSAT feature: "Server for NIS Tools". Then restart DSA.MSC and if Advanced View is on, this tab will appear.
4. The "Dial-In" tab will always be missing, as its libraries are not included in RSAT due to a design decision by the networking Product Group. If you need this one added, open a Premier contract support case and file a DCR. We’ve had a number of customers complain about this, but none of them bothered to actually file a design change request so my sympathy wanes. Until they do, there is no possibility of this being changed.
Question
What tools will synchronize passwords from AD to ADAM or ADLDS?
Answer
MIIS/IIFP (now Forefront Identity Management 2010) can do that. We don't have any in-box tools or options for this. [Thanks to our resident ADAM expert Jody Lockridge for this answer. He’s forgotten more about ADAM than I’ll ever know - Ned]
Question
I am trying to script changing user home folders to match the users’ logon IDs. I’ve tried this:
dsquery.exe user OU=AD_ABC,DC=domain,DC=local | dsmod.exe user -hmdir \\servername\%username%
But this only places the currently logged on username in all users’ profiles. How can I make this work?
Answer
DSMOD.EXE includes a special token you can use called $username$. It is expanded per object to the SAM account name of each user passed in from DSQUERY, and it works with the -hmdir, -email, -webpg, and -profile arguments.
So if I do this to locate all my users and update their home directory:
I get this:
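The same fix written out as an added example (not the original post’s screenshot): the OU path and the \\FILESRV01\Home share are constructed placeholders, and it assumes the AD DS command-line tools from RSAT and an account allowed to modify those users.

```batch
@echo off
REM Added example, not from the original post. Bulk-set home folders with dsmod's $username$ token.
REM Assumptions: "OU=AD_ABC,DC=domain,DC=local" and \\FILESRV01\Home are placeholders; run on a
REM domain-joined machine with the AD DS command-line tools (RSAT) as an account that can modify the users.

REM 1. Preview which users dsquery will hand to dsmod. -limit 0 lifts dsquery's default cap of 100 results,
REM    so a large OU is not silently half-processed.
dsquery user "OU=AD_ABC,DC=domain,DC=local" -limit 0 | dsget user -samid -hmdir

REM 2. Apply. $username$ is expanded per piped object to that user's SAM account name, whereas
REM    %username% is expanded once by cmd.exe to whoever is running the script (the bug in the question).
REM    -hmdrv additionally maps the folder to a drive letter at logon.
dsquery user "OU=AD_ABC,DC=domain,DC=local" -limit 0 | dsmod user -hmdir \\FILESRV01\Home\$username$ -hmdrv H:

REM 3. Verify: every user's homeDirectory should now end in that user's own samAccountName.
dsquery user "OU=AD_ABC,DC=domain,DC=local" -limit 0 | dsget user -samid -hmdir
```

dsmod only writes the homeDirectory and homeDrive attributes; it does not create the per-user folders on the file server or set their permissions, so those still need to be provisioned and ACLed separately.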
Question
When will the Windows Server 2008 Resource Kit utilities and tools be released?
Answer
Never. If it didn’t happen 3 years ago, it’s not going to happen now. The books do include helpful scripts and such, but the days of providing unsupported out of band reskit binaries are behind us - and it’s for the best. If you want to buy the 2008 books, here’s the place:
2008 Resource Kit - https://www.microsoft.com/learning/en/us/book.aspx?ID=10345&locale=en-us
2008 GP Resource Kit - https://www.microsoft.com/learning/en/us/book.aspx?ID=9556&locale=en-usR
Question
Something something something Auditing something something something.
Answer
While I find Windows security auditing quite interesting and periodically write about it, if you want retroactive answers to every common audit question you need to visit Eric Fitzgerald’s blog "Windows Security Logging and Other Esoterica”. Eric was once the PM of Windows Security auditing and helped design the new audit system in Vista/2008, then he moved on to helping design the Audit Collection Service, and gosh knows what he does now – he’d probably have to kill me after he told me. A million years ago, Eric was also a Support Engineer in my organization, so he knows your pain better than most Windows developers. Many questions I get asked about auditing have already been answered on his blog so give it a look before searching the rest of the Internet. Eric is also a funny, decent guy and a good writer – pick any blog post and you will learn something. I wish he wrote more often.
Finally, we had a nice visit this week from Tim Springston – yes, that Tim Springston. Tim’s been working on a new system designed to make it easier for you to open support cases and have them route correctly, so he ~~bored us to tears~~ demo’ed all that to us. Make sure you stop by his blog and check it out.
Until next time.
Ned “fingers crossed on the blog migration” Pyle