
Disclaimer

The information and materials in this site are provided "AS IS" with no warranties, and conferring no rights. This site does not represent the thoughts, intentions, plans or strategies of our employers, customers, friends or family, solely our own personal opinions.

ADMT Episode 3.1: The Revenge of the SID’s

by Marc 11. July 2008 16:23

Finally the new version of ADMT is out, together with the following tools and document, and downloadable from MS.com:

Sadly, deploying this version of ADMT is not supported on read-only DCs, on the Core installation of Server 2008, or on any version prior to Windows Server 2008. Apparently NT4 is not supported as a source domain anymore, and the migration agent is not supported on NT4 computers anymore either…

On the bright side, it now uses SQL Server 2005 as backend (a local Express instance or a remote server) and comes with extended command-line capabilities for setup and post-setup configuration.

It’s therefore time to revise my backup/restore process a bit compared to my original post from April 08 (http://www.marc-antho-etc.net/blog/post/2008/04/BackupRestore-of-the-ADMT-Database.aspx)

Thanks to SQL Server 2005 you can now back up to a remote folder, for example:

"%PROGRAMFILES%\Microsoft SQL Server\90\Tools\Binn\osql.exe" -E -S %computername%\MS_ADMT -Q "BACKUP DATABASE ADMT TO DISK = '\\SERVER\SHARE\admt.bak'"

Note that the path contains 90 instead of 80 since the SQL version is incremented. Keep in mind that SQL Server, not you, writes the file: the account the MS_ADMT instance's service runs as needs write access on the share. And since the backup contains the complete migration history, that share should not be more readable than the ADMT server itself.

Now for something a little trickier. ADMT can use a remote SQL Server, but the database must exist before you install and configure ADMT, while the tool that creates the database only lands on disk when you install ADMT… Catch my drift?

Here is how to do it seamlessly:

  1. Log on to your DC, preferably with a domain admin or with a user that is administrator on both the DC and the SQL Server
  2. Start the ADMT Setup
  3. On the Welcome screen, click Next
  4. On the EULA, select "I agree" then click Next
  5. On the Customer Experience Improvement Program, choose whatever you want then click Next
  6. On the Database Selection, select "Use an existing SQL Server" and enter the name of the remote SQL Server then click Next
  7. The next screen will show an error message complaining that setup could not connect to the remote SQL Server or find the ADMT database. Keep the wizard open and do not click Finish
  8. Open a command line and navigate to %WINDIR%\ADMT\AdmtDb\
  9. Execute the command "admtdb create /s:MYSQLSERVER\MYINSTANCE" (the instance is optional and depends on your SQL configuration). The command should return "The ADMT database was created successfully". If not, check permissions, connectivity, name resolution etc.
  10. Return to the wizard and click Back
  11. On the Database Selection, select "Use an existing SQL Server" and enter the name of the remote SQL Server exactly as you typed it on the command line, then click Next
  12. The next screen should now show a success message; click Finish

Now let’s say that you changed your mind and wish to use the local SQL Server Express instance that ADMT installed during setup (yes, it actually installed one instance and then disabled it). Here is how:

  1. Open a command line and navigate to %windir%\ADMT\AdmtDb\
  2. Execute the command "sc config MSSQL$MS_ADMT start= auto" (the space after "start=" is required by sc); this sets the SQL instance's startup type to Automatic
  3. Execute the command "sc start MSSQL$MS_ADMT". It should return text containing "STATE              : 4  RUNNING", meaning the SQL instance is started
  4. Execute the command "admtdb create /s:%computername%\MS_ADMT" to create the ADMT database locally. It should return "The ADMT database was created successfully"
  5. Change directory to %windir%\ADMT\
  6. Execute the command "admt config setdatabase /s:%computername%\MS_ADMT" to configure ADMT to use the local database. Note: the MS document on ADMT v3.1 contains typos regarding the parameters of this command.
  7. Start the ADMT console to check that everything is OK
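Here is the revised backup and both database procedures above as a PowerShell script with the checks the wizard and the manual steps leave to the eye. This is an added example, not code from the original post or from the ADMT package; it assumes ADMT 3.1's default install paths, its local SQL Server 2005 Express instance MS_ADMT, the command parameters as written in the steps above, and a hypothetical backup share \\SERVER\SHARE.

```powershell
# Added example (not code from the original post): the procedures above as
# functions, each one verifying that the tool reported what we expect.
# Assumes ADMT 3.1's default paths and its local SQL Server 2005 Express
# instance MS_ADMT; the UNC backup target is hypothetical. Run elevated on
# the ADMT server.

$AdmtInstance = "$env:COMPUTERNAME\MS_ADMT"
$AdmtDir      = Join-Path $env:WINDIR 'ADMT'
$Osql         = Join-Path $env:ProgramFiles 'Microsoft SQL Server\90\Tools\Binn\osql.exe'

function Invoke-Checked([string]$Exe, [string[]]$Arguments, [string]$Expected) {
    # Run a console tool, echo its output and stop on failure. Exit codes alone
    # are not conclusive for these tools, so the expected success text is
    # matched as well when one is given.
    $out = (& $Exe @Arguments 2>&1 | Out-String)
    Write-Host $out
    if ($LASTEXITCODE -ne 0 -or ($Expected -and $out -notmatch [regex]::Escape($Expected))) {
        throw "'$Exe $Arguments' failed (exit code $LASTEXITCODE), expected '$Expected'"
    }
}

function Enable-LocalAdmtInstance {
    # Steps 2-3 of the second procedure: setup installs the instance but leaves it disabled.
    $svc = Get-Service -Name 'MSSQL$MS_ADMT'
    Set-Service -Name $svc.Name -StartupType Automatic
    if ($svc.Status -ne 'Running') {
        Start-Service -Name $svc.Name
        # Equivalent of looking for "STATE : 4 RUNNING" in the sc output.
        $svc.WaitForStatus('Running', (New-TimeSpan -Seconds 60))
    }
}

function New-AdmtDatabase([string]$Instance) {
    # Step 4 (and step 9 of the remote-SQL procedure): admtdb.exe creates the schema.
    # Failures here are almost always permissions, connectivity or name resolution.
    Invoke-Checked (Join-Path $AdmtDir 'AdmtDb\admtdb.exe') @('create', "/s:$Instance") 'created successfully'
}

function Set-AdmtDatabase([string]$Instance) {
    # Step 6: point ADMT at the instance. Parameter spelling is the one the
    # post reports as working, not the one in the MS document.
    Invoke-Checked (Join-Path $AdmtDir 'admt.exe') @('config', 'setdatabase', "/s:$Instance")
}

function Backup-AdmtDatabase([string]$Instance, [string]$TargetShare) {
    # The revised backup from above, with a timestamped file name. SQL Server
    # writes the file itself, so the account the MSSQL$MS_ADMT service runs as
    # (not the user running this script) needs write access on the share. The
    # .bak holds the migration history and source-to-target object mappings:
    # protect that share as you protect the ADMT server.
    $file = Join-Path $TargetShare ('admt-{0:yyyyMMdd-HHmm}.bak' -f (Get-Date))
    $tsql = "BACKUP DATABASE ADMT TO DISK = '$file' WITH INIT"
    Invoke-Checked $Osql @('-E', '-S', $Instance, '-Q', $tsql) 'BACKUP DATABASE successfully processed'
    return $file
}

# Switch ADMT to the local instance (second procedure above), then take a first backup:
Enable-LocalAdmtInstance
New-AdmtDatabase $AdmtInstance
Set-AdmtDatabase $AdmtInstance
Backup-AdmtDatabase $AdmtInstance '\\SERVER\SHARE'
```

For the remote-SQL procedure, run only New-AdmtDatabase 'MYSQLSERVER\MYINSTANCE' while the wizard is waiting at step 7, then go back to the wizard as in step 10; the same "created successfully" check applies.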

And cut!

Tags:

AD | Migration | Windows

My Name is Nobody: The NULL session is not necessarily evil

by Marc 11. July 2008 15:07

This may be Terence Hill’s best movie (well, "least bad" actually) and it can turn out to be something useful in some scenarios. NULL sessions, I mean.

Example:

  • You’re setting up a Windows deployment infrastructure and want to fetch software from a repository located on a server while your system is not joined to a domain yet
  • You could use FTP or HTTP but you’d prefer to use a UNC path like \\MYSERVER\Software
  • By default, you then have to provide credentials in order to connect to this shared folder
  • If you want to automate the download and installation of that software, these credentials must be placed in your automation script
  • …thereby exposing your systems a little too much, since the credentials can be reused to log on interactively or, if it is a domain account, to enumerate most of your AD…

There is an alternative to this: a share that can be read anonymously. Keep it read-only and put nothing sensitive on it (no unattend files with passwords, no scripts with credentials): everything on it is readable by anyone who can reach the server over SMB, and since an anonymous session gives the client no way to verify which server it is talking to, a deployment script that executes what it fetches should check the files it downloads (against known hashes, for example). Here’s how to proceed:

  1. On your file server, create a folder named "Software" then share this folder, preferably keeping it hidden by naming the share Software$
  2. Add the following permissions at share level: Anonymous Logon: Read
  3. Add the following permissions at NTFS level: Anonymous Logon: Read & Execute, List folder contents, Read
  4. Edit the server’s security policy by typing secpol.msc
  5. Navigate to Security Settings > Local Policies > User Rights Assignment
  6. Grant the right "Access this computer from the network" to "Anonymous Logon" and accept the warning
  7. Navigate to Security Settings > Local Policies > Security Options. For the option "Network access: Shares that can be accessed anonymously", add Software$ to the list.
  8. Close the console and execute the command gpupdate /force
  9. The system is now ready
  10. From a system located in a workgroup, test the following command: net use * \\MYSERVER\Software$ /user:"" "". This should map a free drive letter to the share with read access.
  11. Optionally, enable logon/logoff auditing on MYSERVER: the event generated by the net use command shows ANONYMOUS LOGON instead of a real username, but it does record the client computer name and its IP address.
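The same eleven steps as a script, so the configuration can be reviewed, repeated and diffed, plus a query that turns step 11 into a small watch on who reads the share. This is an added example, not code from the original post; the folder D:\Software, the temporary file names under %TEMP% and the SMB client name are assumptions, the rest follows the steps above.

```powershell
# Added example (not code from the original post): the eleven steps above,
# scripted. Folder D:\Software and the temporary files under $env:TEMP are
# assumptions. Run elevated on the file server.

$Folder    = 'D:\Software'
$ShareName = 'Software$'
$AnonSid   = 'S-1-5-7'   # well-known SID of NT AUTHORITY\ANONYMOUS LOGON

# Steps 1-3: folder, NTFS Read & Execute inherited by subfolders and files,
# hidden share with Read at share level. Nothing here grants Write.
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
icacls.exe $Folder /grant "*${AnonSid}:(OI)(CI)RX" | Out-Null
net.exe share "$ShareName=$Folder" '/grant:ANONYMOUS LOGON,READ' | Out-Null

# Steps 4-6: "Access this computer from the network" is SeNetworkLogonRight.
# secedit replaces the complete holder list of a right, so export the current
# holders and append S-1-5-7; writing S-1-5-7 alone would lock everyone else out.
$exportInf = Join-Path $env:TEMP 'rights-export.inf'
secedit.exe /export /cfg $exportInf /areas USER_RIGHTS | Out-Null
$line    = Get-Content $exportInf | Where-Object { $_ -match '^SeNetworkLogonRight\s*=' }
$holders = @((($line -replace '^SeNetworkLogonRight\s*=\s*', '') -split ',') |
             ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($holders -notcontains "*$AnonSid") {
    $holders += "*$AnonSid"
    $applyInf = Join-Path $env:TEMP 'rights-anon.inf'
    @('[Unicode]', 'Unicode=yes',
      '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
      '[Privilege Rights]', "SeNetworkLogonRight = $($holders -join ',')") |
        Set-Content -Path $applyInf -Encoding Unicode
    secedit.exe /configure /db (Join-Path $env:TEMP 'rights-anon.sdb') /cfg $applyInf /areas USER_RIGHTS | Out-Null
}

# Step 7: "Network access: Shares that can be accessed anonymously" is the
# NullSessionShares multi-string of the Server service. Append, never replace.
$lanman  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$current = @((Get-ItemProperty -Path $lanman).NullSessionShares | Where-Object { $_ })
if ($current -notcontains $ShareName) {
    Set-ItemProperty -Path $lanman -Name NullSessionShares -Type MultiString -Value ($current + $ShareName)
}

# Step 8, as in the post. The user right applies to new sessions and the share
# list is picked up by the Server service without a restart.
gpupdate.exe /force | Out-Null

function Get-AnonymousShareLogon {
    # Step 11: with logon auditing enabled, each anonymous connection produces a
    # 4624 event whose account is ANONYMOUS LOGON (logon type 3) and which still
    # carries the client's workstation name and IP address. Useful both to test
    # the share and to watch who is reading it.
    $xpath = "*[System[EventID=4624] and EventData[Data[@Name='TargetUserName']='ANONYMOUS LOGON' and Data[@Name='LogonType']='3']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        New-Object PSObject -Property @{
            Time        = $_.TimeCreated
            Workstation = $data.WorkstationName
            SourceIP    = $data.IpAddress
        }
    }
}

# Step 10, from a workgroup machine:   net use * \\MYSERVER\Software$ /user:"" ""
# Then on the server:                  Get-AnonymousShareLogon | Format-Table -AutoSize
```

The secedit part is the one to read twice: the .inf applied with /configure is authoritative for the rights it lists, which is why the script exports the current holders of SeNetworkLogonRight first instead of writing the Anonymous Logon SID on its own.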

 

And cut!

Tags:

Windows

Think In Russian! A PowerShell Translation of the SharePoint Backup Cleanup Script from MS Support

by Marc 8. July 2008 18:06

In order to control the weapons of his freshly stolen aircraft, the MiG-31 "Firefox", Mitchell Gant (Clint Eastwood) must think in Russian, otherwise he’ll never get them to work.

It is exactly the same with PowerShell: to unleash its power, I must forget about the VBS or CMD semantics; I have to think in Russian, ahem, I mean in PoSh.

To help customers clean up the SharePoint backups performed using the Central Administration web site or STSADM, MS Support delivers a handy VBS script (http://support.microsoft.com/kb/941330). But in our modern times, the ultimate weapon in SharePoint management is PowerShell. Here is a quick translation. Use at your own risk and fine-tune at will.

$spbackuptocfile = "\\server\Backups\Farm\spbrtoc.xml"
$NumberOfDays = 5
$DateTime = (Get-Date).AddDays(-$NumberOfDays)
Write-Host "Deleting backups finished before $DateTime"

$xml = [xml](Get-Content $spbackuptocfile)
# Snapshot the node list into an array: removing nodes while enumerating the
# live XmlNodeList would skip entries.
$nodelist = @($xml.SelectNodes("SPBackupRestoreHistory/SPHistoryObject"))
$backupRoot = Split-Path $spbackuptocfile -Parent

Write-Host "SharePoint Backup files"
Write-Host "-----------------------"

foreach ($node in $nodelist) {
    # Restore entries stay. The XML values are strings, so cast before comparing:
    # a string -gt DateTime comparison is lexical and silently wrong.
    if ($node.SPIsBackup -ne 'True') { continue }
    $finished = [datetime]$node.SPFinishTime

    if ($finished -gt $DateTime) {
        Write-Host "Keep:" $node.SPId $node.SPDirectoryName $node.SPTopComponent
    }
    else {
        Write-Host "Delete:" $node.SPId $node.SPDirectoryName $node.SPTopComponent
        $dir = $node.SPBackupDirectory
        # Only delete inside the backup location this TOC file describes, and only if the folder still exists
        if ($dir -and $dir.StartsWith($backupRoot, 'OrdinalIgnoreCase') -and (Test-Path $dir)) {
            Remove-Item $dir -Recurse -Force
        }
        [void]$xml.SPBackupRestoreHistory.RemoveChild($node)
    }
}

$xml.Save($spbackuptocfile)


And cut!  ...or touch down!

Tags:

SharePoint | PowerShell

Missing in Action(?): The Windows DHCP Server Features

by Marc 2. July 2008 09:45

Hopefully, we don't need Chuck Norris today, do we?


Since NT4, I am rather sorry to say, I haven’t seen a lot of improvement to Windows’ DHCP Server service, and Server 2008 is no exception to that near-zero evolution (NAP support excepted, of course). Listening to customers, here are the top feature requests:

A decent high-availability solution: clustering is seen as too expensive or too complicated, split scopes are tedious to manage, in particular with a lot of reservations, and a "hot stand-by" server does not really belong to the high-availability category. It’s high time to look at RFC 3074 (DHC Load Balancing Algorithm) or to implement a feature similar to Exchange’s local continuous replication (LCR)

Support for granular/delegated administration: it would be nice to have a set of permissions applicable at server level, super-scope level and scope level, in order to improve manageability and ideally avoid deploying multiple DHCP servers when an organization wants to split the administration of computer addressing and IP telephony addressing, for example… And I don’t even talk about the frustration of helpdesk officers requesting read-only or very light "change" access to the console, for changing reservations for example.

More granularity in backup/restore: once again, not only at server level but also at scope and super-scope level

The ability to resize a scope without having to delete it, subnet-mask change included

A really usable "call-out" or "hook-in" API: the existing one is complex to develop against, implement and maintain. It would be so much better to have a kind of event-handler API, fully configurable from the command line and the console, that can trigger code as well as script execution (once again, remember the features Exchange has or had for this purpose)

A real reporting/statistics engine: for large environments, this would really help to see "what’s happening" in the short, medium and long term (trending)

An improved scripting/automation API: OK, it comes with a richer set of NETSH commands but guys, how do I explain to customers that they have to forget about PowerShell or VBScript? Have you ever used it? Don’t you honestly think it is almost as difficult to use as NTDSUTIL?

[From me]: a robust backend engine, SQL for example. This would not only increase stability, I guess, but also improve operations (backup/restore, if well structured; use of SQL Reporting Services; cluster awareness…)

[From me]: based on that robust backend, equally robust and usable reporting capabilities. Yes I mean SQL Reporting Services

[From me]: a configurable and flexible way to log activity, reusing the same philosophy as IIS W3C logging for example (rollover frequency, field selection…), as well as better Windows event logging. It is funny to see that since Windows 2000 the DNS service has had a dedicated event log while DHCP is still lacking one

Note: most of the features requested here could be achieved by intensive scripting or custom code, but then, where is the gain?

And Cut!

Tags:

Windows | DHCP

The Abyss (of marketing): Benthic Explorer, this is Deep Core…

by Marc 1. July 2008 12:13


Software companies in general, Microsoft in particular, are good at selling commercial claims instead of products or solutions. A recent good example is Windows Server 2008 “Core”.

Note: this post is unfortunately subject to "censorship". Although I had the opportunity to compare "Full" and "Core" upon customer request, the customer did not authorize the public release of the detailed results, even with appropriate name obfuscation. So do not blame me for the lack of technical details and justification, I have more than 50 pages full of them ;-)

OK, I hear you all loud and clear, this is a "revolution" in the Windows world! Now we can work "à la Unix"; your colleagues administering FreeBSD systems will not laugh at you anymore when you move your mouse pointer all over the screen, dragging and dropping items in all directions; this era is over! Now the command-line realm is really starting... well, ahem, not really actually.

OK, let’s take the claims and put them to the test one by one.

“Core” reduces software maintenance

Compared to a Full installation, "Core" indeed required half as many updates; nevertheless, it required the same number of reboots and, to my great surprise, needed Internet Explorer updates too. At least it could have dramatically reduced the reboots, but no, no way José, Windows remains Windows...

“Core” reduces management

I don’t really see what MS means by "management", because managing Full or Core is functionally identical but technically different: it is much more difficult and tedious to manage "Core" because Windows has always lacked command-line maturity and, unlike Unix, its configuration is not based on plain configuration files: you need to handle the registry, XML files, DCOM… All those things so natural with a GUI become a nightmare for the keyboard fan… So tell me where management got improved…

It is important to say that if you expected an improved experience with out-of-band remote management devices such as HP iLO or Dell DRAC, this won’t be the case, because you’re still in pure graphical mode, not a text one…

“Core” reduces the attack surface

Although there can be multiple definitions of "attack surface", let’s say it measures the number of TCP/IP ports left open after a standard installation. "Full" and "Core" show exactly the same result using netstat. Amazingly, NMAP says the same: it cannot even tell "Full" and "Core" apart. Finally, results are identical using Nessus with an aggressive scan policy. So in short, if the attack surface is defined by the number of open ports and, in a certain way, the number of system services listening, there is no difference between the two server brothers. Keep in mind what that definition leaves out: the amount of code reachable behind each open port and everything that is only exploitable locally; the figures compare network exposure, not attack surface in its wider sense.
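The check behind "the same result using netstat", made repeatable so that two boxes can be compared file against file instead of by eye. This is an added example, not code from the original post or from the comparison mentioned above; it assumes PowerShell 2.0 or later and the netstat.exe and tasklist.exe output formats of Windows Server 2008, and the CSV file names are hypothetical. It goes one step further than a port count by recording, for each listening endpoint, the service that owns it (svchost.exe hides that), which is what you actually need when deciding whether a difference matters.

```powershell
# Added example (not code from the original post): snapshot the listening
# endpoints of a host with the owning process and hosted service names, then
# diff two snapshots (Full vs Core). File names are hypothetical.

function Get-ListeningEndpoint {
    # Map PID -> hosted service names, so svchost.exe entries are meaningful.
    $services = @{}
    tasklist.exe /svc /fo csv | ConvertFrom-Csv | ForEach-Object {
        $services[[int]$_.PID] = $_.Services
    }
    # netstat -ano prints: Proto  Local Address  Foreign Address  [State]  PID
    # (UDP lines have no State column). Anything else is a header and is skipped.
    netstat.exe -ano | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        if ($f[0] -eq 'TCP' -and $f[3] -eq 'LISTENING') { $owner = [int]$f[4] }
        elseif ($f[0] -eq 'UDP')                         { $owner = [int]$f[3] }
        else { return }
        # Split on the last colon only: IPv6 addresses such as [::]:135 contain several.
        $addr, $port = $f[1] -split ':(?=\d+$)'
        New-Object PSObject -Property @{
            Protocol = $f[0]
            Address  = $addr
            Port     = [int]$port
            PID      = $owner
            Services = $services[$owner]
        }
    }
}

function Compare-ListeningSnapshot([string]$FullCsv, [string]$CoreCsv) {
    # '<=' marks endpoints present only on the Full box, '=>' only on the Core box.
    # PIDs differ between machines, so compare on protocol, port and service.
    Compare-Object (Import-Csv $FullCsv) (Import-Csv $CoreCsv) -Property Protocol, Port, Services -PassThru |
        Sort-Object Protocol, { [int]$_.Port } |
        Select-Object SideIndicator, Protocol, Address, Port, Services
}

# On each server:  Get-ListeningEndpoint | Sort-Object Protocol, Port | Export-Csv full.csv -NoTypeInformation
# Then:            Compare-ListeningSnapshot .\full.csv .\core.csv
```

An empty result from Compare-ListeningSnapshot is the "no difference" of the paragraph above; a non-empty one tells you which service, not just which port, accounts for the gap.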

“Core” has a reduced footprint

This is where “Core” wins:

Used disk space after installation (including the page file) is less than 50% of what "Full" required. And you can improve on it by removing unnecessary packages if you want.

The total number of handles is reduced by 20% and threads by 15%, but the number of processes is almost identical

For sure, "Core" saves on memory too. On a 512 MB RAM configuration, the amount of remaining "free" physical memory is doubled compared to "Full". Interestingly, kernel memory usage is also reduced by about 30%.

Any conclusion? Draw your own!

And Cut!

Tags:

Windows | Core