I am usually reluctant to mirror other blogger’s contents or just post links but in this case I decided to make an exceptional exception. “Black Viper” (sounds like a gamer tag isn’t it?) published a comprehensive guide over Windows Server 2009 R2 and windows Seven System Service configuration covering all OS flavors. Have a look at it prior starting any optimization or hardening work!

• Windows Server 2008 R2
• Windows Seven

Previous Windows versions are also available btw.

From Hervé Schauer Consulting you might also find this (blast from the past, read “up to XP/Server 2003”) set of information useful:

• Windows network services internals
• Windows Systems Network Services

Marc

First my best wishes to you all over the place visiting this blog and site. The number of visits as well as the time spent reading was really incredible in 2009 and all I can hope for 2010 is to be equally good or better.

I was also pleased to see my MVP status renewed for another year. I’d like to thank my MVP Lead Martine T for her nearly real-time support, Prasad G for the great chat and collaboration and Jose B (and his team of course) for the excellent work they delivered last year.

Besides this I’d like to sincerely congratulate two other MVP for their nomination : First, a newcomer named Tonino Bruno, who’s also a very good friend and part-time colleague. He’s, with his mates, the active hand behind the Belgian MS Exchange User Group http://www.proexchange.be/. Congrats Toni and remember you owe me a beer now ;) Second, I’d like to congratulate a “serial” French MVP (7 times nominated!) named JC Bellamy not only knowledgeable regarding Windows but also continuously reinventing the French vocabulary related to IT;)

Now for a Silly Little FAQ, since I got these questions numerous times, time to reply has come, at least as seriously as possible ;)

Q: Where does the sentence “Happy is the one who could enter the secret causes of things” come from?

A: This is the direct translation of the French sentence present on a large pillar in the entrance of the University of Guernon (France), a fictional school depicted in the move “The Crimson Rivers”. It totally reflects my (compulsive?) willingness to understand the bits and bytes therefore never being satisfied with the marketing or technical “claims”, very fashionable nowadays. Note: although I picked up this sentence, needless to say I strongly disagree with the philosophy in place in the at Guernon ;). I am not the one to shout louder, I prefer to say it right because real facts mean real safety.

Q: Where is Anthony, what is he doing?

A: At home or at work, doing fine! No seriously, although we started this blog together, he also has to deal with other personal and professional challenges keeping him away from this online activity, though I am not totally desperate about having some contributions from him coming one day ;)

Q: Who is reading the blog, what are the readers looking for and where are they from?

A: Who: I have very few names to give out ;) but mostly IT people of course!

A: What: mostly hands-on problem-solving information, although I got a lot of positive feedback from more pro-active posts

A: Where: everywhere, but with more than 50% located in North America

Q: Why ain’t you talking about movie anymore?

A: Things tend to change, I prefer not to confuse the audience too much with cinema-related content and focus on more on technique. Besides this, No I did not particularly like Cameron’s Avatar, which indeed blew my senses out but miserably failed in touching my soul. Did all talented story tellers definitely leave Hollywood?

Q: What about the long-time promised posts on Federated Search, people-picker and so on?

A: Still coming (but not as soon as I promised I’m afraid)

Marc

I did not expect to receive so much feedback by mail regarding this (not so fascinating) topic. Not to mention referring sites and so on… This brought the motivation to loop the loop by testing on Windows Server 2008 (SP2) as well as on 2008 R2 in-depth in order to cover the whole stuff.

So in summary, when will PAC signature verification will finally occur?

The table hereunder summarizes possible scenario’s:

So in short, the only difference between Server 2003 and 2008/2008 R2 is that with from 2008, you do not need to modify registry anymore since the default value is inverted.

Once again, the important point here is: if you configure Kerberos on a IIS farm (SharePoint or “simple” ASP.Net), PAC Validation will ALWAYS occur, regardless what you will do to prevent it UNLESS the application is granted and makes use of the right “Act as part of the operating system”.

If the target application is granted seTCB making use of it:

Granting the seTCB privilege is not sufficient because it will be disabled by default until the application effectively requests it. But why would it need it? For various reasons this privilege might be needed by the server application. 2 common usages are described in the sections below.

Protocol transition

Protocol transition is the ability for a server application to delegate user credentials to a back-end service using Kerberos while they were not initially provided under that form by the client.

In clear, this means that a user may be authenticated by a service using non-Kerberos protocols such as Basic, NTLM, Digest and this service, making use of that feature, will transform the credentials in order to propagate them to another server. Example: a user authenticates against SharePoint using NTLM, want to use reporting service while it runs on a 2nd server, the SharePoint server will perform the necessary transition to push (aka “delegate”) the user’s credentials to the SRS server using Kerberos.

IIS MVP Ken Schaefer gives an excellent overview on his blog: IIS and Kerberos Part 5 - Protocol Transition, Constrained Delegation, S4U2S and S4U2P.

Services For User

SU4 extensions are tightly linked to Protocol Transitions. In very very short, they allow, under certain conditions, an application to perform a logon on behalf of a user without knowing his/her password.

This feature is, for example, used in IAM/SSO products such as IBM TAM/WebSEAL or CA SiteMinder

For both technologies, since the user does not initially authenticate using Kerberos, there is no PAC to validate.

OK but finally, why is disabling PAC validation so important?

Well I won’t say it is “so important”. I might help improving performances under some circumstances.

Since, in short, the PAC is verified by the server application before granting a Ticket-Granting-Service (TGS) to the client, it does not occur at every request as long as the TGS remains valid (note: there are some exceptions to this rule). BUT in some case, this initial verification can take some times because 1) the client’s AD is far (in term of network, hops, latency, bandwidth…) from the server’s AD or 2) the client’s AS is too busy. This could therefore give the wrong impression that client to server authentication seem slow while you expect a big boost by switching to Kerberos.

Additional Resources

• MSDN Patterns & Practices - Protocol Transition with Constrained Delegation Technical Supplement
• MSDN Magazine April 2003 - Exploring S4U Kerberos Extensions in Windows Server 2003
• MSDN - [MS-APDS]: Authentication Protocol Domain Support Specification

Marc

On 64-bit Windows systems running I/O intensive application, I have sometimes faced the issue that, since the kernel is having plenty of address space at hand (compared to the 1GB on 32-bit), it may decide to use that memory for its caching mechanism but sometimes in a too ambitious way.

Microsoft very recently release an add-on called “Microsoft Windows Dynamic Cache Service” which allows administrators to gain better control over the system’s cache behavior and therefore reducing one type of intensive I/O’s provoked by the cache manager: read I/O’s.

• Download the Windows Dynamic Cache Service

Extra information from the Microsoft Advanced Windows Debugging and Troubleshooting Team’s Blog:

• Microsoft Windows Dynamic Cache Service
• Too Much Cache?
• The Memory Shell Game

Note: the download includes the source code as well as a version compiled with the debug flag set, (unusually!) cool!

And cut!

Starting a blog is not an easy task. Marc has been harassing me for months to write some posts related to Powershell. My knowledge is still limited and I am far from being a master (I will introduce myself in another post, this is not my goal today). However my experience is growing. Scripting, scripting, scripting, and again scripting. This is the secret... But were to start? If you don't know anything about Powershell, what would you do to be ready to attend the next Microsoft Winter Scripting Games? Here are some advices for beginners. No big deal. Don't put pressure on yourself, just find your way to become a master.

1. Install Powershell

It may sound stupid as a first tip, but this is something really concerning for a beginner. If you're a real beginner, start with PowerShell version 1, which is still the latest official version.

As pre-requisite, you must have .NET Framework 2.0 installed.

• .NET Framework 2.0
  Go to the following URL and find out what version (x86, x64) matches your environment: http://msdn.microsoft.com/en-us/netframework/aa731542.aspx
• PowerShell v1
  Go to the following URL and find out what version (x86, x64) matches your environment:
  http://www.microsoft.com/windowsserver2003/technologies/management/powershell/download.mspx

When you start to have more experience, you can start to think about PowerShell version 2. The CTP3 was released some weeks ago and we will cover some new cmdlets (abbreviation of “commandlet”, that you can translate as a “function” or command for now…). .NET Framework 2.0 is required. However, if you want to take advantage of the new features, such as Integrated Scripting Environment (ISE) and Out-GridView, you should install .NET Framework 3.5 Service Pack 1.

• .NET Framework 3.5 Service Pack 1
  Go to the following URL and find out what version (x86, x64) matches your environment: http://msdn.microsoft.com/en-us/netframework/aa731542.aspx
• PowerShell v2 CTP3
  Go to the following URL and find out what version (x86, x64) matches your environment:
  http://www.microsoft.com/downloads/details.aspx?FamilyID=c913aeab-d7b4-4bb1-a958-ee6d7fe307bc&DisplayLang=en

If you want to use remoting features of the v2 CTP3, you will have to install the following component (still Beta at the time of writing the post)

• WinRM 2.0 CTP3
  https://connect.microsoft.com/wsman
  This will be covered in a later post.

2. Find some (free) good Documentation

• "Windows Powershell" and "Administrative tasks using Windows PowerShell" free ebooks by Frank Koch : http://blogs.technet.com/chitpro-de/archive/2008/02/28/free-windows-powershell-workbook-server-administration.aspx
  Frank is an Infrastructure Architect in the Technet team in Switzerland (BERN) . This is an amazing source for beginners. It permits to give a good overview of different possibilities that PowerShell provides. Definitely my favorite resource!!
  Don't thank me, thank Frank! Go and download them and read them directly. They even contain workshops.

• Windows Powershell SDK
  - Online version: http://msdn.microsoft.com/en-us/library/cc136763(VS.85).aspx
  - Downloadable version : http://www.microsoft.com/downloads/details.aspx?FamilyID=c913aeab-d7b4-4bb1-a958-ee6d7fe307bc&DisplayLang=en for the SDK of the Powershell v2 CTP3

• Microsoft Technet Script Center: Scripting with Windows PowerShell: http://www.microsoft.com/technet/scriptcenter/hubs/msh.mspx
  Have a look at the URL: "../msh.mspx". For the story, you have to know that the code name for PowerShell was initially Monad. Maybe you wonder why? (answer: http://en.wikipedia.org/wiki/Monadology)

• Microsoft Webcasts at http://www.microsoft.com/technet/scriptcenter/webcasts/ps.mspx

There are a lot of other interesting docs available, for free or not… start with those ones and share any other you find interesting with us!

3. Get an Editor and start to write your first Scripts

Powershell is a shell… but also (mostly?) a scripting language. And to write your scripts, you need a good editor (even if in fact Notepad is enough to start!). Here is a quick selection of some editors I tried and really liked. Download them, evaluate them, and make your choice. You have to feel comfortable to create your scripts.

First of all, the free editors…

• PowerGUI: http://www.powergui.org
  PowerGUI just rocks! It’s a, FREE, very nice-looking editor with a bunch of nice features and it permits to create “Powerpacks”, collection of nodes and functions to extend the PowerGUI console. Just have a look at the screencast tutorial and you’ll find that amazing. I will certainly propose some Powerpacks in the future. 
   
• PowerShell Analyzer: http://www.powershellanalyzer.com/
  One of the first Powershell editor. Haven’t worked with it for a long time but it was nice to work with. Very interesting features too. 
  
  
• PSPad: http://www.pspad.com/
  This my favorite free multi-languages editor. It contains a lot of cool features and color definition for Powershell can be downloaded.

And for the lucky ones who can afford commercial applications, the two following can be natural choices. I anyway invite everybody to download the trial versions, just to have an idea if the features they propose are worth the cost for you and your company or not (and I believe they generally are!). Both following tools have different version (standard, professional, enterprise) and provide great features like color coding, auto-completion, sample scripts, WMI/ADSI wizards, forms builder, logon script builder, etc.

• Primalscript: http://www.primalscript.com/
  
  
• AdminScriptEditor “ASE”: http://www.adminscripteditor.com

Let’s stick to those ones for now; we’ll propose other competitors in a future post, including extended comparison.

4. Convert from vbs

Learning a (scripting) language is not an easy job and it is difficult to have a “starting point”. If you’re already a scripter, mainly in vbscript, I would suggest you to start converting the scripts you already created. For that purpose, you must absolutely add the following link to your favorites “The VBScript-to-Windows PowerShell Conversion Guide”:
http://www.microsoft.com/technet/scriptcenter/topics/winpsh/convert/default.mspx

5. Time for discipline!

And from now, if you have to create new scripts, don’t use vbscript but do it directly in Powershell: “yes boss, it can take me 10min to write it in vbs and 2 hours in Powershell... but that's the future... Do it in Powershell or die…“

6. Find some goals and projects to work on with Powershell

Go the scripting games webpage of last years and use the competition as training:
http://www.microsoft.com/technet/scriptcenter/funzone/games/default.mspx

7. Ask the experts, read their experiences

Woody Allen is the master of one-liners. You can become the Woody Allen of Powershell if you carefully listen to the wise and experienced guys. I’m far from being part of this restricted club but believe me, I do respect them a lot!

• Blogs
  - Windows Powershell Blog: http://blogs.msdn.com/powershell/
     Microsoft Powershell team official blog, mainly represented by Jeffrey Snover, Windows Management Partner
     Architect
  
  - BS on Posh: http://bsonposh.com/
     Brandon Shell is the one. Any of his comment/post is interesting and clever.
  
  - Dmitry’s PowerBlog: PowerShell and beyond: http://dmitrysotnikov.wordpress.com/
     The creator of PowerGUI has a lot of energy and shares a lot of knowledge.
  
  - The PowerShell Guy: http://thepowershellguy.com/blogs/posh/
     Marc, nicknamed /\/\o\/\/, was one of the first guy to blog about Powershell on the Internet. He started a series
     of “Hey Powershell guy!”, using the concept “Hey Scripting Guy!” concept for Powershell.
     You also want to have a look at his Powertab tool.
  
  - get-powershellblog: http://marcoshaw.blogspot.com/
     Marco Shaw is an MVP from Canada. He’s been blogging for a long time now and is proposing very
     interesting podcasts, where you can find interviews of different Powershell stars!
  
  - Richard Siddaway's Blog "Of PowerShell and Other Things": http://richardsiddaway.spaces.live.com/
     Active member of the UK PowerShell User Group, Richard proposes a nice series of very short posts that permit
     to get interested in some features or cmdlets

• Discussions
  - Use a newsgroup reader client and subscribe to “microsoft.public.windows.powershell”, ask your questions
     or just read the news. Always interesting.
  
  - Windows PowerShell Technet forum: 
     http://social.technet.microsoft.com/Forums/en/winserverpowershell/threads
  
  - The Official Scripting Guys Forum! at http://social.technet.microsoft.com/Forums/en/ITCG/threads/
     Ever been to the Script Center? You know, http://www.microsoft.com/technet/scriptcenter/. If your answer is
     "yes," you know what to do. Dive in and help somebody! If your answer is "no," welcome to our fun little world!
     We'd recommend that you first head over to the Script Center, get your feet wet, and then come back to either
     ask or answer questions. We can't be everywhere at once (I know--shocking!), so we will appreciate any and all
     help you can give to each other to get scripting problems solved. The Microsoft Scripting Guys

8. Script, script, script… and when you’re done, script again!

No choice. If you want some experience, you have to script. And improve your existing scripts. Otherwise you will forgot what you learned. That’s pity , but it’s fact.

In the next post, we’ll cover some additional things you can learn or use to be more efficient to Powershell, including a short list of books. Open your mind, a new world is coming to you. In the mean time, check all the links I provided, read the docs, train yourself, and… You're ready for the next Winter Scripting Games :-))