Vol. 20, #43 - October 26, 2015 - Issue #1053
Understanding AD Mod
- Editor's Corner
- From the Mailbag
- Understanding AD Mod
- Send us your feedback
- Recommended for Learning
- Microsoft Virtual Academy
- Free White Paper
- Registration is Open for Cloud Admin CON 2015
- Quote of the Week
- Admin Toolbox
- Admin Tools We Think You Shouldn't Be Without
- This Week's Tips
- Windows 10 - Create a Custom Quick Access Toolbar
- Windows 10 - How to perform a clean reinstall
- Networking - Pulling a cable through a conduit
- Events Calendar
- North America
- Tech Briefing
- Exchange & Office
- Security and Privacy
- Small business IT
- Recommended TechGenix Articles
- Recommended articles from websites in TechGenix Network
- Windows Server News
- I got 99 problems and an SLA is one
- When and where to back up virtual servers
- VMware EUC GM sounds off on VDI competition
- GPOs to control app updates, file associations
- WServerNews FAVE Links
- Great Italian Motorcycle Display
- World’s Best Motorcycle Stunt Rider
- Motorcycle Driving 300km/h On Autobahn Gets Passed By Audi R
- Modern Motorcycle Diaries - Alaska to Argentina
- WServerNews - Product of the Week
- SQL Server 101: What is SQL Server and how does it work
- SAVE THIS NEWSLETTER so you can refer back to it later for helpful tips, tools and resources!
- SEND YOUR FEEDBACK to [email protected] if you have any comments or suggestions!
This week's newsletter is all about Active Directory Modernization or AD Mod, the latest buzzword used to describe what happens when a merger, acquisition or reorganization leaves you with multiple Active Directory forests and having to figure out what to do with them. We welcome Ian Lindsay, a Strategic Systems Consultant at Dell, who has contributed the guest editorial for this issue of WServerNews to help us understand current industry thinking and practices in this area.
Buzzwords are fun, but they can also be useful. For example, it's one thing to know how to consolidate several Active Directory forests into a single forest. It's another thing however to know how you can leverage the word "consolidate" to impress your boss as this Dilbert comic illustrates:
Ask Our Readers: WServerNews has almost 100,000 subscribers worldwide. That's a lot of expertise to tap into. Do you need help with some issue or need advice on something IT-related? Got a question you'd like us to toss out to our readers to try and answer? Email us at [email protected]
From the Mailbag
Several readers offered feedback concerning Issue #1051 Experiencing Windows 10 and we're including a short sampling here. Jeffrey Harris, the reader who contributed the guest editorial, mentioned several "quirks" he felt were in Windows 10. Another reader named Clive mentioned another "quirk" to add to the list:
Following on from your quirks of Windows 10 I'd like to add a couple for you. Set up a VPN and try to change the IPv4 settings to untick the Use Default Gateway option. Then, try to use the VPN at logon. I've not found how to access it before logon yet...
Does anyone know how to answer Clive's second problem? Email us at [email protected]
A couple of readers pointed out the following oversight in the article:
The Snipping Tool was introduced in Windows 7 - not Windows 8 - I know as I am still using Win 7 and use the Snipping Tool a lot.
Actually the Snipping Tool goes back even further to Windows Vista:
But it's easy to forget stuff like this when Windows has gone through so many changes in recent years.
Another slip in the article was the so-called enhancement to File Explorer to perform cyclic redundancy checks and checksums on file or combination of files. As several readers pointed out this was a feature added by 7-Zip which was installed on the system used for writing the article. I confess I probably would have made the mistake -- when I recently upgraded my new HP Envy laptop from Win81 to Win10 (see Issue #1049 3am tech support) I was surprised myself to see a 7-Zip menu option when I right-clicked on files in File Explorer and I thought to myself, "Gee how nice, I didn't notice before that Windows 10 now includes 7-Zip, when did Microsoft acquire that?" I guess that's typical though of the kind of thinking you tend to have when you've been working late into the wee hours of the night.
Finally, in the concluding section of his guest editorial Jeffrey made the following statement:
Those people who prefer Windows 7 (and I would have to say that new features aside, I find myself in that camp, although I like new things) have five years to wait and see if Microsoft can further improve upon Windows 10 before Windows 7 support expires. Those of us in IT know there is always room for improvement, but whether Windows 1X will be better than Windows 7 in five years will be difficult to say; all I can predict is that Windows 1X will be at least as different from Windows 10 as Windows 10 is from Windows 7 (and perhaps more).
A reader named Shane took issue with this as follows:
He talks about "Windows 1X", when there will be no new versions of Windows. From now on starting with W10 it is "Windows as a service", with updates to W10 provided to bring new features, as stated by Jerry Nixon: "we're releasing Windows 10, and because Windows 10 is the last version of Windows, we're all still working on Windows 10".
Microsoft's new "Windows as a Service" model definitely deserves some further discussion and we'll reserve a future issue of WServerNews for delving into this in more detail, but for now let me briefly respond by pointing readers to the following story on The Verge, which says that a Microsoft spokesperson told them that they "aren't speaking to future branding [of Windows] at this time". I take this to mean that "Windows 10" won't necessarily be the name for Windows forever:
This article on Ars Technica also suggests that it's not the name "Windows <whatever>" that matters but the underlying version number:
The above article also mentions the Long Term Servicing builds of Windows 10 which if you haven't read about yet you should do so. You can start with these:
So while the statement that Windows 10 is the "last version" of Windows may be true in one sense, it's actually a bit more complicated than that.
Anyways, let's now move on to our guest editorial by Ian Lindsay...
Understanding AD Mod
People are starting to use a new term in the IT world, Active Directory Modernization or AD Mod. AD Mod is really just a new twist on an old project. Much of what came to be called AD Mod came from Active Directory consolidation / migration. When Company A buys Company B, the easiest way to get connectivity and start working together is setting up a trust relationship between the two directories. Then the fun begins as work starts to move objects from one domain to the other in an effort to get rid of one domain.
AD Mod is really the same thing, without the merger or divestiture. Think of your existing environment. How many forests do you have? More than one? Very possible, for a number of reasons. Now think of the domain structure. How many domains do you have? More than one? Two? Three? More?
In the early days of Active Directory, we created multiple domains for a variety of reasons. Security boundaries, keeping Research separate from the rest of the company (even though the forest, not the domain, is the real security boundary in Active Directory). Geo-political reasons, where laws in some countries required extra domains. Internal politics. Network and bandwidth restrictions. Regardless of the reasons we had back then, many of those reasons no longer apply, allowing us to collapse the complicated structure that we have today into one that is much more rational.
So how to begin? AD Mod is much more of a journey than a process: there is no point at which we have to stop, and no specific step at which we have to start. Figure 1 below outlines the processes that we should go through. So where do we start?
Figure 1: What's involved in Active Directory Modernization
I prefer to start an AD Mod project in the Recover step of this model. We are about to move a lot of objects around and collapse and remove potentially multiple domains. We plan and plan, but things still go wrong. So let's make sure that, in case of some unforeseen event, we can get back to a good state easily. Now I am not talking about a standard server backup. We want a backup for the Active Directory that will allow us to recover objects down to the attribute level. (If the backup program can also help you in the event of a disaster recovery, even better.)
You may be thinking that you can get away with the AD Recycle Bin. Think of the Recycle Bin like the one on your desktop: it is for deleted items. We are going to move and modify items, not delete them, and the Recycle Bin does nothing for an object whose attributes were changed. Also, your forest must be at a functional level of Windows Server 2008 R2 or higher, and the feature must be explicitly enabled, for the Recycle Bin to work.
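Two checks a practitioner would want before the first object moves, as an added example (not the editorial's own code): confirm whether the Recycle Bin is actually usable, and take a before/after attribute snapshot of the OUs you are about to restructure so you can prove exactly what changed. This assumes the RSAT ActiveDirectory module and an account that can read the objects under the search base; the OU name and file paths are placeholders. The snapshot is a diff tool for validating the migration, not a substitute for the attribute-level backup product the editorial recommends.

```powershell
# Added example, not from the editorial. Assumes the RSAT ActiveDirectory module
# (Windows Server 2008 R2 / Windows 7 or later) and an account that can read the
# objects under $SearchBase. The OU name and file paths below are placeholders.
Import-Module ActiveDirectory

function Test-AdRecycleBinReady {
    # The Recycle Bin needs a *forest* functional level of Windows Server 2008 R2 or
    # higher AND must be explicitly enabled; a high functional level alone is not enough.
    $forest   = Get-ADForest
    $feature  = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    $required = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    [pscustomobject]@{
        Forest            = $forest.Name
        ForestMode        = $forest.ForestMode
        LevelSufficient   = [int]$forest.ForestMode -ge $required
        RecycleBinEnabled = $feature.EnabledScopes.Count -gt 0
    }
}

# Before/after attribute snapshots. The Recycle Bin only brings back *deleted*
# objects; a migration mostly *changes* objects (moves, rewritten group memberships,
# renamed attributes), and this is the cheap way to prove afterwards what changed.
function Export-AdAttributeSnapshot {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # e.g. 'OU=Sales,DC=corp,DC=example'
        [Parameter(Mandatory)] [string] $Path          # e.g. 'C:\ADMod\sales-before.xml'
    )
    Get-ADObject -Filter * -SearchBase $SearchBase -Properties * |
        Export-Clixml -Path $Path -Depth 3
}

function Compare-AdAttributeSnapshot {
    param(
        [Parameter(Mandatory)] [string] $Before,
        [Parameter(Mandatory)] [string] $After
    )
    # Replication bookkeeping changes on every write, so it is noise here.
    $ignore = 'uSNChanged', 'uSNCreated', 'whenChanged', 'modifyTimeStamp', 'dSCorePropagationData'
    $old  = Import-Clixml $Before | Group-Object -Property ObjectGUID -AsHashTable -AsString
    $new  = Import-Clixml $After
    $seen = @{}

    foreach ($obj in $new) {
        $key = $obj.ObjectGUID.ToString()
        $seen[$key] = $true
        $prev = $old[$key]
        if (-not $prev) {
            [pscustomobject]@{ Object = $obj.DistinguishedName; Attribute = '(object)'; Before = $null; After = 'created' }
            continue
        }
        foreach ($p in $obj.PSObject.Properties) {
            if ($ignore -contains $p.Name) { continue }
            # Multi-valued attributes come back as collections; normalise both sides to a
            # sorted string so ordering differences are not reported as changes.
            $was = @($prev.($p.Name) | ForEach-Object { "$_" } | Sort-Object) -join ';'
            $now = @($p.Value        | ForEach-Object { "$_" } | Sort-Object) -join ';'
            if ($was -ne $now) {
                [pscustomobject]@{ Object = $obj.DistinguishedName; Attribute = $p.Name; Before = $was; After = $now }
            }
        }
    }
    # Objects present before but gone now: deleted, or moved out of the search base.
    foreach ($key in $old.Keys) {
        if (-not $seen[$key]) {
            [pscustomobject]@{ Object = $old[$key].DistinguishedName; Attribute = '(object)'; Before = 'present'; After = 'missing' }
        }
    }
}

# Usage: snapshot, do the migration work, snapshot again, review the diff.
# Export-AdAttributeSnapshot -SearchBase 'OU=Sales,DC=corp,DC=example' -Path C:\ADMod\sales-before.xml
# ... migrate ...
# Export-AdAttributeSnapshot -SearchBase 'OU=Sales,DC=corp,DC=example' -Path C:\ADMod\sales-after.xml
# Compare-AdAttributeSnapshot -Before C:\ADMod\sales-before.xml -After C:\ADMod\sales-after.xml | Format-Table -AutoSize
```

Run the comparison against a test OU before trusting it on production: every attribute that shows up as drift in a dry run that changed nothing is one to add to the ignore list.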
The restructure phase is nothing more complicated than an AD migration. This is where we will collapse domains and move objects around. Everything you think of in a migration applies here. Moving objects and collapsing domains is straightforward using today's migration tools. The big thing to plan for here is the applications that depend on the domain to be removed. Most Windows apps will continue to work just fine.
Where more time needs to be spent is on non-Windows applications that use Active Directory as an LDAP directory. We need to find them, and find out how they are calling into the directory (which hosts, which ports, which bind identities). Next we need to mitigate these applications by either fixing the app directly or by implementing a virtual directory server that will capture the calls to the directory and redirect them automatically to the new directory.
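Finding those LDAP clients is the part nobody budgets for, so here is an added example (not from the editorial) of two sources that together give a usable inventory. The first summarises who is connected to a domain controller's LDAP ports right now, from `Get-NetTCPConnection` (Windows Server 2012 or later) or from the constructed sample included so it can be exercised off-box. The second turns on the NTDS "16 LDAP Interface Events" diagnostic so each DC logs event 2889 in the Directory Service log for every client that does a simple bind in clear text or a SASL bind without signing, which is exactly the kind of non-Windows app that breaks when its DC disappears. The registry path and event text are the real ones; the client addresses are made up.

```powershell
# Added example, not from the editorial. Run on each domain controller. The sample
# connection data is constructed (RFC 5737 addresses) so the first function runs anywhere.

function Get-SampleLdapConnections {
    # Constructed sample standing in for Get-NetTCPConnection output on a DC.
    @(
        @{ LocalPort = 389;  RemoteAddress = '192.0.2.15';   State = 'Established' },
        @{ LocalPort = 389;  RemoteAddress = '192.0.2.15';   State = 'Established' },
        @{ LocalPort = 636;  RemoteAddress = '192.0.2.40';   State = 'Established' },
        @{ LocalPort = 3268; RemoteAddress = '198.51.100.7'; State = 'Established' },
        @{ LocalPort = 445;  RemoteAddress = '192.0.2.99';   State = 'Established' },
        @{ LocalPort = 389;  RemoteAddress = '192.0.2.77';   State = 'TimeWait' }
    ) | ForEach-Object { [pscustomobject]$_ }
}

function Get-LdapClientSummary {
    param(
        # Live use: Get-LdapClientSummary -Connection (Get-NetTCPConnection -State Established)
        [object[]] $Connection = (Get-SampleLdapConnections),
        [switch]   $Resolve   # reverse-DNS each client (slow when many do not resolve)
    )
    $ldapPorts = 389, 636, 3268, 3269          # LDAP, LDAPS, GC, GC over TLS
    $Connection |
        Where-Object { $_.State -eq 'Established' -and $ldapPorts -contains [int]$_.LocalPort } |
        Group-Object -Property RemoteAddress, LocalPort |
        ForEach-Object {
            $addr, $port = $_.Name -split ', '
            $port = [int]$port
            $name = if ($Resolve) { try { [System.Net.Dns]::GetHostEntry($addr).HostName } catch { '(unresolved)' } } else { '' }
            [pscustomobject]@{
                Client    = $addr
                Name      = $name
                Port      = $port
                Sessions  = $_.Count
                # 389/3268 carry simple binds in clear text unless the client negotiated
                # TLS or signing; those apps are the first to look at before a DC goes away.
                Cleartext = $port -in 389, 3268
            }
        } | Sort-Object Sessions -Descending
}

# Second source: make the DC log event 2889 for clients that bind without signing or
# with a simple bind in clear text. This is NTDS diagnostic logging, not an audit policy;
# set it to 2 on each DC, collect for a full business cycle (month-end jobs included).
function Enable-LdapInterfaceEventLogging {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
                     -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Get-UnsignedLdapBind {
    param([datetime] $Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Message body contains "Client IP address:\n<ip>:<port>" and
            # "Identity the client attempted to authenticate as:\n<DOMAIN\user>".
            $ip = if ($_.Message -match 'Client IP address:\s*(\S+)') { $Matches[1] -replace ':\d+$', '' }
            $id = if ($_.Message -match 'authenticate as:\s*(\S+)')   { $Matches[1] }
            [pscustomobject]@{ When = $_.TimeCreated; Client = $ip; Identity = $id }
        } |
        Group-Object Client, Identity | Sort-Object Count -Descending | Select-Object Count, Name
}

# Usage on a DC:
#   Get-LdapClientSummary -Connection (Get-NetTCPConnection -State Established) -Resolve
#   Enable-LdapInterfaceEventLogging; <wait a business cycle>; Get-UnsignedLdapBind
```

The connection snapshot only shows clients that are connected at that moment, so schedule it and union the results; the 2889 log is the more complete list for the risky clients, and it also gives you the bind identity, which tells you which service account the app will need in the new directory.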
The management of your directory is something you are already doing today. However, there are some things that you may want to consider adding to your environment, starting with monitoring tools. Active Directory is one of the most critical systems in any environment, but no one notices it until there is a problem. If you do not already have systems in place to monitor the health of Active Directory, consider them now.
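As an added example (not from the editorial) of the minimum worth scheduling until a monitoring product is in place, this probe asks every domain controller for its replication partner metadata and flags partners with consecutive failures or a stale last success. It needs the Windows Server 2012 (or later) RSAT ActiveDirectory module for the replication cmdlets; the three-hour threshold is an assumption to tune to your site link schedule.

```powershell
# Added example, not from the editorial. Needs the Windows Server 2012+ RSAT AD module.
Import-Module ActiveDirectory

function Get-AdReplicationHealth {
    param([int] $MaxHoursSinceSuccess = 3)   # assumption; match your slowest site link schedule
    $now = Get-Date
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Both -ErrorAction Stop
        } catch {
            # A DC you cannot even query is the first thing to page on.
            [pscustomobject]@{
                Server = $dc.HostName; Partner = $null; Partition = $null
                HoursSinceSuccess = $null; Failures = $null; LastResult = $null; Status = 'UNREACHABLE'
            }
            continue
        }
        foreach ($m in $meta) {
            $hours = [math]::Round(($now - $m.LastReplicationSuccess).TotalHours, 1)
            $bad   = $m.ConsecutiveReplicationFailures -gt 0 -or $hours -gt $MaxHoursSinceSuccess
            [pscustomobject]@{
                Server            = $dc.HostName
                Partner           = $m.Partner       # DN of the partner's NTDS Settings object
                Partition         = $m.Partition
                HoursSinceSuccess = $hours
                Failures          = $m.ConsecutiveReplicationFailures
                LastResult        = $m.LastReplicationResult   # 0 = success, otherwise a Win32 error code
                Status            = if ($bad) { 'CHECK' } else { 'OK' }
            }
        }
    }
}

# Usage:
#   Get-AdReplicationHealth | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

This covers what `repadmin /showrepl` and `repadmin /replsummary` report; pair it with `dcdiag /test:dns /test:sysvolcheck` so that name resolution and SYSVOL, the two things a migration breaks most often, are checked as well.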
As your organization gets larger, and you have more people modifying the directory, it becomes harder to maintain consistency with the naming conventions that we want to enforce. So why not start to automate this? People think of identity management systems when we talk about this kind of automation, and IdM systems are large, complicated and take a long time to implement. However, there are tools that will allow us to begin the journey and automate the management of AD attributes without having to fully implement an identity solution. If you've been thinking about identity solutions, this is a good place to start, as you can show immediate value to your organization and then implement the harder parts later.
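Before buying a tool, it is worth seeing how far a scheduled script gets you. The following added example (not the editorial's code) reports, and optionally fixes, drift from a naming convention. The rules it enforces (displayName as "Surname, GivenName", a mail address matching sAMAccountName, and a populated department) are stand-ins for your own convention; the OU and mail domain are placeholders.

```powershell
# Added example, not from the editorial. The convention rules, OU and mail domain are
# placeholders; replace them with your own.
Import-Module ActiveDirectory

function Get-ExpectedUserAttributes {
    param([Microsoft.ActiveDirectory.Management.ADUser] $User, [string] $MailDomain)
    # Keyed by LDAP attribute name so the result can be fed straight to Set-ADUser -Replace.
    $expected = @{}
    if ($User.Surname -and $User.GivenName) {
        $expected['displayName'] = '{0}, {1}' -f $User.Surname, $User.GivenName
    }
    $expected['mail'] = '{0}@{1}' -f $User.SamAccountName.ToLower(), $MailDomain
    return $expected
}

function Test-AdNamingConvention {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,       # e.g. 'OU=Staff,DC=corp,DC=example'
        [string] $MailDomain = 'corp.example',             # placeholder
        [switch] $Fix                                      # without -Fix the function only reports
    )
    $users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties DisplayName, Mail, Department |
             Where-Object { $_.Enabled }
    foreach ($u in $users) {
        $expected = Get-ExpectedUserAttributes -User $u -MailDomain $MailDomain
        $drift = @{}
        foreach ($attr in $expected.Keys) {
            # Case-sensitive compare: "smith, john" is drift too.
            if ($u.$attr -cne $expected[$attr]) { $drift[$attr] = $expected[$attr] }
        }
        if (-not $u.Department) {
            # Required attributes with no derivable value can only be reported, not fixed.
            [pscustomobject]@{ User = $u.SamAccountName; Attribute = 'department'; Current = $null; Expected = '(required, not set)'; Fixed = $false }
        }
        foreach ($attr in $drift.Keys) {
            [pscustomobject]@{ User = $u.SamAccountName; Attribute = $attr; Current = $u.$attr; Expected = $drift[$attr]; Fixed = [bool]$Fix }
        }
        if ($Fix -and $drift.Count) {
            Set-ADUser -Identity $u -Replace $drift
        }
    }
}

# Usage: report first, review, then apply.
#   Test-AdNamingConvention -SearchBase 'OU=Staff,DC=corp,DC=example' | Format-Table -AutoSize
#   Test-AdNamingConvention -SearchBase 'OU=Staff,DC=corp,DC=example' -Fix
```

Run it in report mode for a few weeks first: the list of accounts that keep drifting tells you which provisioning process or which admin is bypassing the convention, which is the real problem an IdM system later solves.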
Growing organizations have more fingers in the AD cookie jar. So we want to control them. There are a few things to consider to help secure AD. First, consider 2 factor authentication. 2 factor has evolved from the fobs that we've had to carry around all the time. Now you can get software tokens that can be put on your laptop or phone. Some of them never expire as well.
Next, look at all the administrative, root and service accounts that you have out there. If you have not already looked at managed service accounts in AD, do it now. Service accounts tend to be one of the weakest links in our security posture. The password gets set once, and no one wants to change it because of worries that something will stop working. And too many people know that password.
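An added example (not from the editorial) of both halves of that advice: find the service accounts with the stale, shared passwords the author describes, then replace one with a group managed service account (gMSA), whose password is generated by the domain, rotated automatically and never known to anyone. The gMSA part needs at least one Windows Server 2012 domain controller and 2012-or-later hosts; the account, host and group names are placeholders.

```powershell
# Added example, not from the editorial. Names are placeholders.
Import-Module ActiveDirectory

function Get-StaleServiceAccount {
    param([int] $MaxPasswordAgeDays = 365)
    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)
    # An SPN is the reliable marker of a service account, whatever it is named.
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
               -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires, LastLogonDate, MemberOf |
        Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff -or $_.PasswordNeverExpires } |
        Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires, LastLogonDate,
                      @{ n = 'SPNs';       e = { $_.ServicePrincipalName -join ' ' } },
                      @{ n = 'GroupCount'; e = { @($_.MemberOf).Count } }   # many groups + old password = fix first
}

function New-ServiceGmsa {
    param(
        [Parameter(Mandatory)] [string] $Name,          # e.g. 'svc-report' (sAMAccountName becomes svc-report$)
        [Parameter(Mandatory)] [string] $DnsHostName,   # e.g. 'report01.corp.example'
        [Parameter(Mandatory)] [string] $HostGroup,     # AD group of the computers allowed to use it
        [int] $RotationDays = 30
    )
    # One KDS root key per forest backs gMSA password generation. Even with
    # -EffectiveImmediately the key is not usable for about 10 hours (replication safety).
    if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately | Out-Null }
    New-ADServiceAccount -Name $Name -DNSHostName $DnsHostName `
        -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
        -ManagedPasswordIntervalInDays $RotationDays   # can only be set at creation; rotation is automatic
}

# Usage:
#   Get-StaleServiceAccount -MaxPasswordAgeDays 180 | Format-Table -AutoSize
#   New-ServiceGmsa -Name svc-report -DnsHostName report01.corp.example -HostGroup 'ReportServers'
# Then on each host in ReportServers (after a reboot so the group is in its token):
#   Install-ADServiceAccount -Identity svc-report
#   Test-ADServiceAccount  -Identity svc-report    # True when the host can retrieve the password
# and point the service or scheduled task at CORP\svc-report$ with a blank password.
```

The stale-account report is also the input for the password safe described next: anything that cannot become a gMSA (non-Windows hosts, applications that store the password themselves) is a candidate for vaulting and scheduled rotation instead.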
Next consider putting the rest of your administrative accounts (administrator (both domain and local), root passwords from Unix, Linux, routers, etc.) into a password safe. There are two kinds of tools to look at here. The first is just a password safe. This will allow administrators to "check-in" and "check-out" administrative passwords for the systems they need. You want a system that will allow for workflows for approval of the request, time limits on the request, and the password to automatically be set to an unknown value when the request is finished.
Some systems will alternatively allow you to check out a session instead of the password. This is a great option for 3rd parties that may need access to do maintenance, but nothing more. They can make the request, but instead of getting a password, they are presented with a session (RDP, Telnet, etc.) to the system they need. Usually you can also control what commands the admin can run, and some systems will allow the entire session to be recorded.
The last thing to think about is providing Role Based Access Control into the AD itself. We have lots of people that need some level of authority in the AD (think OU admin), but in AD directly we potentially have to give more rights than we really want (the admin can see the entire AD structure). Tools available today will allow you to "firewall" off the AD and assign much more granular permissions than can be assigned natively. For example, you have an administrator that you want to manage all of the sales people in your organization. However, the AD is designed by location and each location contains more than just sales people. Natively, you would need to over-permission the admin to do the job. Using additional tools, we can create "virtual" OU structures, so I can create a "Sales OU" that contains all sales reps, no matter what location. I can then give my admin rights to see just the new Sales OU and manage just the attributes I want them to.
When the auditor asks, "Who put Bill into the Domain Admins group?" how do you answer? If you are auditing the changes to AD, this is a very simple answer. Run a query, find the record for Bill being added to the group, and look to see who did it. Auditing can also help you find anomalous activity that may be a security issue. I have one customer that is using auditing to help them figure out how and when users are locking themselves out.
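An added example (not from the editorial) of answering both questions from the Security log with nothing but the built-in tooling. It assumes the "Audit Security Group Management" and "Audit User Account Management" subcategories are enabled on the domain controllers through Group Policy, and that you can read their Security logs remotely. Two details matter: a group-membership change is written only on the DC where it was made, so every DC has to be asked, while every lockout is forwarded to the PDC emulator, so one query covers the domain.

```powershell
# Added example, not from the editorial. Requires group-management and user-account-management
# auditing enabled on the DCs and remote read access to their Security logs.
Import-Module ActiveDirectory

function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    # Flatten <EventData><Data Name="..."> into a hashtable keyed by field name.
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

function Get-PrivilegedGroupChange {
    param(
        [string]   $GroupName = 'Domain Admins',
        [datetime] $Since     = (Get-Date).AddDays(-30)
    )
    # Member added/removed for global (4728/4729), domain local (4732/4733) and universal (4756/4757) groups.
    $added = 4728, 4732, 4756
    $ids   = $added + @(4729, 4733, 4757)
    # The event exists only on the DC where the change was written, so ask every DC.
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $Since } -ErrorAction SilentlyContinue |
            ForEach-Object {
                $d = ConvertFrom-EventData $_
                if ($d.TargetUserName -ne $GroupName) { return }
                [pscustomobject]@{
                    When   = $_.TimeCreated
                    DC     = $dc
                    Action = if ($_.Id -in $added) { 'Added' } else { 'Removed' }
                    Group  = $d.TargetUserName
                    Member = $d.MemberName                                   # DN of the member
                    By     = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
                }
            }
    }
}

function Get-AccountLockout {
    param([datetime] $Since = (Get-Date).AddDays(-1))
    # Lockouts (4740) are all forwarded to the PDC emulator.
    $pdc = (Get-ADDomain).PDCEmulator
    Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            [pscustomobject]@{
                When           = $_.TimeCreated
                Account        = $d.TargetUserName
                CallerComputer = $d.TargetDomainName   # 4740 stores the locking machine's name here
            }
        } |
        Group-Object Account, CallerComputer | Sort-Object Count -Descending | Select-Object Count, Name
}

# Usage:
#   Get-PrivilegedGroupChange -GroupName 'Domain Admins' | Format-Table -AutoSize
#   Get-AccountLockout -Since (Get-Date).AddHours(-4)
```

The lockout report answers the "how and when" of the customer's problem directly: a single account locked repeatedly from one caller computer is almost always a saved credential or a service on that machine still using an old password. For the auditor's question, forward these events to a central collector; a Domain Admin who can also clear the DC's Security log can otherwise erase the record of putting Bill in the group.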
Now that we have a well built and secure AD, why not extend it out to UNIX, Linux and Macs? Ever wanted to apply GPOs to your Macs? These are all now possible with tools that will allow us to bridge the AD environment over to the non-AD world. This is especially helpful on the UNIX / Linux side where you no longer have to create a new account on every machine that a user needs access to, they just use their existing AD credentials.
Modernizing your Active Directory is a journey, not a destination. The phases I outlined above can be done in any order, and there is no requirement to do them all. However, if you do go down this path there are many advantages including reduced costs, tighter security and happier users. Feel free to contact me for more details!
About Ian Lindsay
Ian S. Lindsay has been in the IT industry for over 27 years. As a Strategic Systems Consultant for Dell Software, Ian has been responsible for providing solutions and architectural guidance to core customers in Dell's Central and East districts. His experiences range from software development on UNIX to designing enterprise network infrastructures using the latest technologies. Prior to joining Dell, Ian was a Sr. Technology Strategist with Microsoft for almost 14 years and was responsible for the healthcare customers in Microsoft's Pittsburgh account team.
You can find Ian's blog here:
Ian is also on Twitter (@ilindsay760):
You can also reach Ian by email at [email protected]
Send us your feedback
Got feedback about anything in this issue of WServerNews? Email us at [email protected]
Recommended for Learning
One of my favorite sites when I'm looking for something fresh to learn about Microsoft Windows is the site called "Windows Tip of the Day" run by Jason Savitt, a systems engineer with more than 20 years of experience utilizing enterprise technologies to create resilient system architectures with servers, cloud infrastructure, networks, SANs, virtualization, Web-based technologies and databases. Jason recently asked me to take a look at his ebook "Power User Guide: Windows 10 Secrets: The Ultimate Windows Tips and Tricks Guide for Everyone" and I'll briefly review it here.
First off, Jason's ebook is well organized and quite easy to read. I enjoyed his writing style which is "professionally neutral" in tone as that's best for readers who "just want the facts" and not the writer's opinions. I definitely learned a few things from reading Jason's book. For example, I didn't realize that Windows 10 had abandoned so many features found in Win7/8! On the other hand Jason occasionally simplifies things a bit too much. For example, he says that the new Settings panel includes "a great deal of new functionality...that is not available in the older control panel folder" and while I can agree with that, there's also some Control Panel functionality that is *missing* from the new Settings panel. Once you skim through the first 1/3 of the ebook though you come to the "meat" where Jason begins taking a more in-depth look at the new features in Windows 10. Here the writing becomes more task-focused instead of informative and there are many valuable tips Jason presents to help you get the most out of working effectively with Windows 10. With Jason's permission we've included one of these tips below in the This Week's Tips section of this newsletter. In my opinion the dozens and dozens of tips in this ebook are worth the purchase price alone. You can buy Jason's ebook on Amazon here:
Power User Guide: Windows 10 Secrets: The Ultimate Windows Tips and Tricks Guide for Everyone
Microsoft Virtual Academy
Windows Server 2012 R2: Active Directory Enhancements
Interested in Active Directory enhancements within Windows Server 2012 R2? Join us for a detailed look. Explore the options for deploying domain controllers using the new Server Manager and using both the GUI and Windows PowerShell. Hear about the new Active Directory Management tool, and use its Windows PowerShell History Viewer:
Getting Started with Microsoft Azure Active Directory
Are you wondering about Active Directory and the cloud? Look no further. Active Directory is the Microsoft backbone offering for identity management. Utilized by 93 percent of larger organizations, Active Directory has now been extended into the cloud via Microsoft Azure Active Directory:
Using PowerShell for Active Directory
IT Pros, want to automate redundant tasks and do it right the first time? Learn how to turn your real-time management and automation scripts into useful reusable tools and cmdlets. Use PowerShell to better create, query, update, delete, and manage your Active Directory. You might be surprised at how straightforward it is. You can even use it for forensic data investigation, learn what was changed and when, and manage your environment in scale:
Free White Paper: Understanding SSL Certificates
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe. This white paper is hosted on our sister site WindowSecurity.com.
Registration is Open for Cloud Admin CON 2015
Cloud Admin CON is a cost-effective, convenient opportunity for busy System Administrators and IT Managers to stay up to date on the most recent industry trends and vendor solutions and build their network of IT experts and vendors. Individual focus sessions are scheduled to run consecutively, allowing you to attend all sessions, or selectively choose only those you wish to attend. A sample of what you can expect to learn includes:
- How to extend applications securely to mixed public/hybrid clouds
- Securely scale out private cloud environments
- Protect users and data with the use of 3rd party cloud apps
- Protect complex cross-border regulatory environments and data sharing.
Date and Time: Thursday, November 19, 2015 11am EST | 8am PST | 4pm BST
Participation is limited to the first 500 registrants, so s!
Quote of the Week
"There is no reason anyone in the right state of mind will want a computer in their home." -- Ken Olsen, President of Digital Equipment Corp, 1977
Until next week,
Note to subscribers: If for some reason you don't receive your weekly issue of this newsletter, please notify us at [email protected] and we'll try to troubleshoot things from our end.
This video on WindowsSecurity.com demonstrates usage of the free Service Account Finder and Reporter utility.
COMODO Backup lets you quickly create reliable backups of your data to a wide range of storage media.
Remote Utilities for Windows is free for business use on 10 remote PCs.
GOT ADMIN TOOLS or other software/hardware you'd like to recommend? Email us at [email protected]
GOT TIPS you'd like to share with other readers? Email us at [email protected]
Windows 10 - Create a Custom Quick Access Toolbar
The following tip has been excerpted from Jason Savitt's ebook "Power User Guide: Windows 10 Secrets: The Ultimate Windows Tips and Tricks Guide for Everyone" and is included here by permission of the author.
Some of the older Windows desktop programs (File Explorer, Wordpad, Paint, etc.) that are still included with Windows have a feature called a Quick Access Toolbar. This feature dates back to Windows 7, but it's still useful if the user uses these applications regularly.
A Quick Access Toolbar allows for the creation of a custom toolbar of shortcuts to popular functions (i.e. cut, copy, paste, undo, redo, etc.) in the title bar of the application.
To create a customized quick access toolbar, launch File Explorer and, in the upper-right corner, drop down the toolbar menu. Select the option Show below the Ribbon:
Figure 2: Quick Access Toolbar Example
Now right-click any of the icons in the File Explorer ribbon, and select Add to Quick Access Toolbar:
Figure 3: Quick Access Toolbar Example
The customized toolbar should be available below with the items that were selected. To get rid of any of the items in the new toolbar, just right-click on the icon and select Remove from Quick Access Toolbar.
You can purchase Jason's ebook here on Amazon:
Windows 10 - How to perform a clean reinstall
Microsoft MVP Greg Carmack has a helpful post on the Microsoft Answers Community forums that explains in detail how you can successfully reinstall Windows 10 on a machine that you've previously performed a free upgrade on from Windows 7/8/8.1 to Windows 10. Check it out:
Networking - Pulling a cable through a conduit
If you need to pull an additional Cat6 network cable through a conduit that already has other cables in it, the simplest way is usually to attach and use a string to pull the new cable (provided you can get the string through the conduit). Or you can avoid the problem entirely by running some extra unused cabling when you install the conduit.
But what if you don't have anything already installed to pull the additional cable through the conduit? Try attaching a vacuum cleaner hose to the far end of the conduit and suck the string through, it usually works great!
Convergence on April 4-7, 2016 in New Orleans USA
Ignite on May 9-13, 2016 in Chicago USA
2016 Microsoft Worldwide Partner Conference on July 10-14, 2016 in Toronto Canada
Convergence 2015 EMEA on Nov 30 - Dec 2, 2015 in Barcelona Spain
Add Your Event
PLANNING A CONFERENCE OR OTHER EVENT you'd like to tell our 100,000 subscribers about? Contact [email protected]
Getting Started with AWS (Part 11) (InsideAWS.com)
How to Help Lock Down a User’s Amazon EC2 Capabilities to a Single VPC (AWS Security Blog)
Exchange & Office
Office 365 - Automating the Configuration of Information Rights Management (IRM) using CSOM (FromTheField)
Intune and Exchange ActiveSync (Part 7) (MSExchange.org)
Cisco ACI – Creating Contracts (VirtualizationAdmin.com)
Parse As – When a Protocol Doesn’t Use a Standard Port (MessageAnalyzer)
Security and Privacy
The Final Countdown for Forefront TMG (Yuri Diogenes)
Microsoft Ignites a new Focus on Security (Part 4) (WindowSecurity.com)
Small business IT
Goodbye ‘Out of Office’ (Microsoft UK Small and Medium Business)
Windows 10 brings new security features for business (Microsoft UK Small and Medium Business)
IDaaS: The changing World of IAM
Clarity on Windows 10 Data Collection
How to Successfully Create a Hyper-V Cluster Using Virtual Machine Manager (Part 8)
Mobile Device Management in Exchange Online (Part 1)
I got 99 problems and an SLA is one
A cloud service-level agreement is a comforting promise from a cloud provider to keep your applications up and running, almost all the time. Though they help users know what to expect, they also present numerous potential problems for the enterprise. Start embracing these cloud service-level agreement best practices to get the most out of yours.
When and where to back up virtual servers
Today, it is all too easy to forget about virtual server backups, especially with replication being used in the data center. Unfortunately, replication doesn’t cover everything. The measure of good backup software can often be how powerful the recovery tools are. Review these expert tips for your virtual server backup strategy so you can avoid common mistakes.
VMware EUC GM sounds off on VDI competition
The battle between Citrix and VMware is raging on, but according to VMware's EUC General Manager Sanjay Poonen, matching Citrix feature-for-feature isn't as important as having a long-term vision for IT organizations. Access this exclusive interview now to hear more about what this GM thinks sets VMware apart.
GPOs to control app updates, file associations
With new and updated GPO settings in Windows 8 and 8.1, you can now control updates to apps from the Windows Store and configure file associations for LOB applications. Some settings you might not know about can make dealing with automatic updates from Windows Store applications a lot easier. Learn how to control app updates with Windows 8 and 8.1 GPO settings.
This Week's Links We Like. Tips, Hints And Fun Stuff
GOT FUN VIDEOS or other fun links to suggest you'd like to recommend? Email us at [email protected]
Great Italian Motorcycle Display
Fantastic film of police riders showing off their motorbike riding and coordination skills in the 50s in Rome (Italy):
World’s Best Motorcycle Stunt Rider
Polish stunt rider Rafal Pasierbek, aka Stunter13, wins 1st Place at the XDL Championship in Indianapolis:
Motorcycle Driving 300km/h On Autobahn Gets Passed By Audi R
A guy doing 300 km/h (186 mph) on his motorcycle on the German autobahn gets casually passed by an Audi RS6:
Modern Motorcycle Diaries - Alaska to Argentina
An epic journey on the exciting Pan American route from Alaska to Argentina: 503 days - 82,459 miles - 22 countries - 1 man:
WServerNews - Editors
Mitch Tulloch is Senior Editor of WServerNews and is a widely recognized expert on Windows administration, deployment and virtualization. Mitch was lead author of the bestselling Windows 7 Resource Kit and has been author or series editor for almost fifty books mostly published by Microsoft Press. Mitch is also a ten-time recipient of Microsoft's Most Valuable Professional (MVP) award for his outstanding contributions in support of the global IT pro community. Mitch owns and runs an information technology content development business based in Winnipeg, Canada. For more information see www.mtit.com.
Ingrid Tulloch is Associate Editor of WServerNews and was co-author of the Microsoft Encyclopedia of Networking from Microsoft Press. Ingrid also manages research and marketing for our content development business and has co-developed university-level courses in Information Security Management for a Masters of Business Administration program.