Friday Mail Sack: Shut Up Laura Edition
Hello again folks, Ned here for another grab bag of questions we’ve gotten this week. This late posting thing is turning into a bad habit, but I’ve been an epileptic octopus here this week with all the stuff going on. Too many DFSR questions though, you guys need to ask other stuff!
Let’s crank.
- DFSR forest boundary
- DFSR and anti-virus
- Password reset tracking
- Programming for AD Web Services
- DFSR and satellite links
- Other
Question
Is it possible to setup a DFSR topology between branch servers and hub servers, where the branches are an affiliate company that are not a member of our AD forest?
Answer
Nope, the boundary of DFSR replication is the AD forest. Computers in another forest or in a workgroup cannot participate. They can be members of different domains in the same forest. In that scenario, you might explore scripting something like:
robocopy.exe /mot /mir <etc>
Question
I was examining KB 822158 – with the elegant title of “Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows” - and wanted to make sure these recommendations are correct for potential anti-virus exclusions in DFSR.
Answer
They better be, I wrote the DFSR section! :-)
Question
Is there any way to tell that a user’s password was reset, either by the user or by an admin, when running Win2008 domains?
Answer
Yes – once you have rolled out Win2008 or R2 AD and have access to granular auditing, these become two easy events to track after you enable the subcategory User Account Management:

| ID | Message |
| --- | --- |
| 4723 | An attempt was made to change an account's password. |
| 4724 | An attempt was made to reset an account's password. |
Once that is turned on, the 4724 event tells you who changed whose password:
And if you care, the 4738 confirms that it did change:
If a user changes their own password, you get the same events but the Subject Security ID and Account Name change to that user.
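As an added example (not part of the original post), this pulls the 4723/4724 events from the Security log, labels each one as a self-service change or an admin reset by comparing the Subject and Target SIDs, and looks for the 4738 that confirms the change. It assumes the User Account Management subcategory is enabled as described above, and that the confirming 4738 shares the SubjectLogonId of the 4724 and lands within a few seconds of it (both are assumptions, not something the post states).

```powershell
# Added example, not from the post. Requires the "User Account Management"
# audit subcategory to be enabled, otherwise 4723/4724/4738 are never logged.
param([int]$Hours = 24)

$start  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4723, 4724, 4738; StartTime = $start } -ErrorAction SilentlyContinue

# Flatten the <EventData> block of an event into a name -> value hashtable.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $fields = @{}
    foreach ($node in $xml.Event.EventData.Data) { $fields[$node.Name] = $node.'#text' }
    return $fields
}

$parsed = $events | ForEach-Object {
    [pscustomobject]@{ Id = $_.Id; Time = $_.TimeCreated; Data = (Get-EventFields $_) }
}
$confirmations = $parsed | Where-Object { $_.Id -eq 4738 }

foreach ($p in ($parsed | Where-Object { $_.Id -ne 4738 })) {
    $d = $p.Data
    # Assumption: the 4738 that confirms this change is raised by the same logon
    # session, for the same target account, within 5 seconds.
    $confirmed = $confirmations | Where-Object {
        $_.Data.TargetSid -eq $d.TargetSid -and
        $_.Data.SubjectLogonId -eq $d.SubjectLogonId -and
        [math]::Abs(($_.Time - $p.Time).TotalSeconds) -le 5
    } | Select-Object -First 1

    [pscustomobject]@{
        Time        = $p.Time
        Id          = $p.Id
        Action      = if ($p.Id -eq 4723) { 'Change (old password supplied)' } else { 'Reset (admin)' }
        Subject     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Target      = "$($d.TargetDomainName)\$($d.TargetUserName)"
        # A user changing their own password shows the same SID in both fields.
        SelfService = ($d.SubjectUserSid -eq $d.TargetSid)
        Confirmed   = [bool]$confirmed
    }
}
```

Run it on a domain controller (or a box with the Security log forwarded to it) and pipe the output to Format-Table; a 4724 with SelfService = False and Confirmed = True is the admin-reset case the question asks about.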
Question
Any recommendations (especially books) around how to program for the AD Web Service/AD Management Gateway service?
Answer
Things are a little thin here so far for specifics, but if you examine the ADWS Protocol specification and start boning up on the Windows Communication Foundation you will get rolling.
Windows Communication Foundation
https://msdn.microsoft.com/en-us/library/dd456779(v=VS.100).aspx
[MS-ADCAP]: Active Directory Web Services: Custom Action Protocol Specification
https://msdn.microsoft.com/en-us/library/dd303965(v=PROT.10).aspx
Remember that we don’t do developer support here on AskDS so you should direct your questions over to the AD PowerShell devs if you get stuck in code specifics.
Question
Is there any guidance around using DFSR with satellite link connections?
Answer
Satellite connections create a unique twist to network connectivity – they often have relatively wide bandwidth compared to low-end WAN circuits, but also have comparatively high latency and error levels. When transmitting a packet through a geosynchronous orbit hop, it hits the limitation of the speed of light – how fast you can send a packet 22,000 miles up, down, then reply with a packet up and down again. And when talking about a TCP conversation using RPC, one always uses round trip times as part of the equation. You will be lucky to average 1400 millisecond response times with satellite, compared to a frame relay circuit that might be under 50ms. This also does not account for the higher packet loss and error rates typically seen with satellite ISPs. Not to mention what happens when it, you know, rains :-). In a few years you can think about using medium and low earth orbit satellites to cut down latency, but those are not commercially viable yet. The ones in place have very little bandwidth.
When it comes to DFSR, we have no specific guidance except to use Win2008 R2 (or if you must, Win2008) and not Win2003 R2. That first version of DFSR uses synchronous RPC for most communications and will not reliably work over a satellite link's high latency and higher error rates – Win2008 R2 uses asynchronous RPC. Even Win2008 R2 may perform poorly on the lower bandwidth ranges. Make sure you pre-seed data and do not turn off RDC on those connections.
Other
Totally unrelated, I found this slick MCP business card thing we’re doing now since we stopped handing out the laminates. It’s probably been around for a while now, but hey, new to me. :) If you go to https://www.mcpvirtualbusinesscard.com and provide your MCP ID # and Live ID you can get virtual business cards that link to your transcript.
Then you can have static cards:
Or get fancy stuff like this javascript version. Mouse over the right side to see what I mean:
Oh yeah, did you know my name is really Edward? They have a bunch of patterns and other linking options if you don't want graphics; give it a look.
Finally, I want to welcome the infamous Laura E. Hunter to the MSFT borg collective. Author and contributor to TechNet Magazine, the AD Cookbook, AD Field Guide, Microsoft Certified Masters, and ~~endless boring~~ a considerable body of ADFS documents, Laura is most famously known for her www.ShutUpLaura.com blog. And now she’s gone blue – welcome to Microsoft, Laura! Now get to work.
Have a nice weekend folks,
- Ned “what does the S stand for Bobby?” Pyle