Changes in Functionality from Windows Server 2008 to Windows Server 2008 R2

Microsoft recently published a document describing the changes in functionality
between Windows Server 2008 and 2008 R2, and it shows there are serious changes.
For those of you not up to speed yet: this is not like the 2003 to 2003 R2 upgrade.
There are many core improvements in Server 2008 R2,
concerning Active Directory, GPO, NAP, Remote Desktop Services (not just a rename!), WDS, PowerShell (2.0 is included!),
just to name a few!

Crashing Spoolers? Printer Driver Isolation is coming!

Another nice 2008 R2 feature I hadn't paid attention to yet is Printer Driver Isolation.
If, like me, you have had (unpleasant) experiences with crashing spoolers,
especially notorious on Terminal/Citrix servers or high-volume print servers with loads of different (third-party) printer drivers,
you will probably be delighted by this new feature!
I haven't seen it used in a production environment yet, but from what it looks like, it's very promising.
Here's some history of using printer drivers in the Real World:
In the old days (pre-W2K), printer drivers (called version-2) ran in kernel mode and could easily BSOD a print server.
Beginning with W2K, version-3 printer drivers were introduced, which run in user mode and cannot BSOD a server,
"only" the printing subsystem (the Spooler service, spoolsv.exe) into which the drivers are loaded.
As you probably know, this is still a major concern for print servers, where a spooler crash can have a large impact
if the server hosts hundreds or even thousands of print queues, or if it happens regularly in Citrix farms where dozens of
users can be working on a server at the same time.
In Windows Server 2008 R2 (and Windows 7), Printer Driver Isolation (PDI) is introduced,
which means a badly behaving printer driver can only affect itself!
The isolation can be configured on a per-driver basis, in three modes:
"None – in this mode, print driver components are loaded into the spooler process. This is essentially the model found in previous versions of Windows.
Shared – multiple drivers that are set for isolation are loaded into a single shared process space that is separate from the spooler process (PrintIsolationHost.exe). Although this protects the spooler process, the drivers that are in shared mode can affect one another.
Isolated – each driver is loaded into its own process space. This protects the spooler from individual driver failures, and also protects drivers from each other."
Basically the idea is this, or at least this is probably how I would set it up:
-Run all well-behaving drivers as 'Shared' (the default)
-Run bad drivers as 'Isolated' if no suitable replacement is available
-Don't run drivers in 'None'; if necessary, move those to a separate server if you want a stable solution!
One approach for new drivers would be to start them off as 'Isolated',
and once proven innocent, 'upgrade' them to Shared.
(Shared mode saves system resources, as fewer isolation processes are needed.)
On systems that don't host a lot of print queues you could consider running them all Isolated,
if resources are a non-issue.
Not all drivers will support isolation. I hope all companies that create Windows printer drivers will make them
compatible ASAP, so we can use it for all printers, prevent problems, and have more control over our print servers.
The global settings can be managed using GPO, where you can disable or enable PDI
and configure compatibility settings (override the behaviour for compatible and incompatible drivers).
The PrintIsolationHost processes are only started when needed,
and there are registry settings you can use to configure timeouts for those processes,
including an option to restart the Isolated processes after a certain amount of time,
so you can even handle drivers that are known to leak memory!
Of course, ideally you wouldn't need to use these at all; that's why I said 'Real World' above 😉
There are often political, financial, historical or other non-technical reasons
why some printers, and especially their drivers, have to be used; most of you probably know this.
At least now you have a way to handle these!
Oh yeah, the isolation settings are set per driver, and you can do so using the updated PMC (Printer Management Console):
Have fun!


Enumerate the RODC FAS (Filtered Attribute Set)

The FAS is the Read Only Domain Controller (RODC) Filtered Attribute Set.
It contains the attributes in the AD schema that are never replicated to RODCs,
because they contain sensitive or confidential data (password-related or other secrets).
Technically this is implemented by setting the 10th bit of the searchFlags attribute on the schema attribute,
and also setting the 7th bit to make it 'confidential'.
This means members of 'Authenticated Users' can't read the contents; this adds security in case your RODC is stolen:
it can't be used to read the information from other writable DCs or RODCs.
In the examples below, in practice these bits mean you use 512 (0x200) to search for RODC filtered attributes,
128 (0x80) for confidential attributes, and 640 (0x280) for the combination, which is the Microsoft recommended approach
for adding confidential attributes to the FAS.
But since it is set at the attribute level in the schema definition of the attributes,
I guess it's not a list in the sense that you can view it as a list (array) of some kind in AD.
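As an added example (my code, not from this post), here is the searchFlags logic above in Python: it models the two bits, builds the bitwise LDAP filter used in the LDP and Get-ADObject searches further down, and checks constructed schema entries for FAS members that were not also marked confidential. The ms-Custom-* attribute names and all searchFlags values in the sample are constructed for illustration.

```python
# Added example (not from the original post): model the searchFlags bits that put
# a schema attribute in the RODC FAS, build the LDAP bitwise filter, and emulate
# the server-side match on constructed sample data.

CONFIDENTIAL = 0x80    # 128: hidden from Authenticated Users (needs control access)
RODC_FILTERED = 0x200  # 512: never replicated to a Read Only Domain Controller
FAS_RECOMMENDED = CONFIDENTIAL | RODC_FILTERED  # 640 (0x280), Microsoft's recommendation
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # AD extensible match: all mask bits set

def bitwise_filter(mask: int) -> str:
    """LDAP filter selecting attributeSchema objects with ALL bits of mask set."""
    return f"(&(objectClass=attributeSchema)(searchFlags:{LDAP_MATCHING_RULE_BIT_AND}:={mask}))"

def matches_bit_and(search_flags: int, mask: int) -> bool:
    """Client-side equivalent of the BIT_AND matching rule."""
    return search_flags & mask == mask

def classify(search_flags: int) -> dict:
    """What a single searchFlags value means for exposure through an RODC."""
    filtered = matches_bit_and(search_flags, RODC_FILTERED)
    confidential = matches_bit_and(search_flags, CONFIDENTIAL)
    return {
        "rodc_filtered": filtered,
        "confidential": confidential,
        # Filtered but not confidential: the value is absent from the RODC, yet any
        # authenticated account (a stolen RODC's included) can still read it from a
        # writable DC. Setting 0x280 instead of 0x200 closes that gap.
        "fas_but_readable": filtered and not confidential,
    }

# Constructed sample of (attribute name, searchFlags); the values are illustrative.
SAMPLE_SCHEMA = [
    ("ms-FVE-RecoveryPassword", 0x280),
    ("ms-TPM-OwnerInformation", 0x280),
    ("ms-Custom-LicenseKey", 0x200),  # hypothetical attribute: filtered only
    ("ms-Custom-Note", 0x80),         # hypothetical attribute: confidential only
    ("displayName", 0x1),
]

def select(mask: int, schema=SAMPLE_SCHEMA) -> list:
    """Names the DC would return for bitwise_filter(mask) (searching with 640 misses
    filtered-only attributes, which is why the post searches with 512)."""
    return [name for name, flags in schema if matches_bit_and(flags, mask)]

def fas_review(schema=SAMPLE_SCHEMA) -> list:
    """FAS members whose searchFlags should be raised to 0x280."""
    return [name for name, flags in schema if classify(flags)["fas_but_readable"]]
```

Run `select(512)` against a real export of searchFlags values to reproduce the FAS enumeration, and `fas_review()` to spot attributes that are filtered but still readable by Authenticated Users.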
But I was wondering: if I want to quickly see which attributes are in the FAS in a certain forest, how could I do that?
I found the following article on how to search for bitwise set values in Active Directory:
Exactly what I was looking for!
I started manually, using LDP, to try to get the FAS attributes.
Using a standard search in the Schema partition, I got it to work pretty quickly.
The search returned the following list on this environment:

ldap_search_s(ld, "CN=Schema,CN=Configuration,DC=lab,DC=net", 1, "(SearchFlags:1.2.840.113556.1.4.803:=512)", attrList, 0, &msg)
Getting 6 entries:

Dn: CN=ms-FVE-KeyPackage,CN=Schema,CN=Configuration,DC=lab,DC=net
name: ms-FVE-KeyPackage;
objectClass (2): top; attributeSchema;

Dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=lab,DC=net
name: ms-FVE-RecoveryPassword;
objectClass (2): top; attributeSchema;

Dn: CN=ms-PKI-AccountCredentials,CN=Schema,CN=Configuration,DC=lab,DC=net
name: ms-PKI-AccountCredentials;
objectClass (2): top; attributeSchema;

Dn: CN=ms-PKI-DPAPIMasterKeys,CN=Schema,CN=Configuration,DC=lab,DC=net
name: ms-PKI-DPAPIMasterKeys;
objectClass (2): top; attributeSchema;

Dn: CN=ms-PKI-RoamingTimeStamp,CN=Schema,CN=Configuration,DC=lab,DC=net
name: ms-PKI-RoamingTimeStamp;
objectClass (2): top; attributeSchema;

Dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=lab,DC=net
name: ms-TPM-OwnerInformation;
objectClass (2): top; attributeSchema;

OK, so far so good,
but of course my preference would be to have this PowerShell-ized,
so it is easy to use for automation (for reporting or some kind of automatic checking).
I wanted to use the AD PowerShell module in PowerShell 2.0 (Windows 7 and W2K8 R2 only at this time),
combined with the Active Directory Web Service (available for Windows 2003 and up at this time!).
I use the Get-ADObject cmdlet in the example below to get the same information as I got using LDP above:
Get-ADObject -LDAPFilter "(&(ObjectClass=attributeSchema)(SearchFlags:1.2.840.113556.1.4.803:=512))" -SearchBase 'cn=Schema,cn=Configuration,dc=sandbox,dc=net' -Server <server> -SearchScope Subtree | fl *
DistinguishedName : CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=lab,DC=net
Name              : ms-FVE-RecoveryPassword
ObjectClass       : attributeSchema
ObjectGUID        : 6d27488e-eab9-4d40-b475-053c44b2cbc3
PropertyNames     : {DistinguishedName, Name, ObjectClass, ObjectGUID}
PropertyCount     : 4
DistinguishedName : CN=ms-FVE-KeyPackage,CN=Schema,CN=Configuration,DC=lab,DC=net
Name              : ms-FVE-KeyPackage
ObjectClass       : attributeSchema
ObjectGUID        : dbf86f5a-55fa-477a-aaac-f6702d5f7416
PropertyNames     : {DistinguishedName, Name, ObjectClass, ObjectGUID}
PropertyCount     : 4
DistinguishedName : CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=lab,DC=net
Name              : ms-TPM-OwnerInformation
ObjectClass       : attributeSchema
ObjectGUID        : 558234a0-6a87-427f-9ba1-218a669f1951
PropertyNames     : {DistinguishedName, Name, ObjectClass, ObjectGUID}
PropertyCount     : 4
DistinguishedName : CN=ms-PKI-RoamingTimeStamp,CN=Schema,CN=Configuration,DC=lab,DC=net
Name              : ms-PKI-RoamingTimeStamp
ObjectClass       : attributeSchema
ObjectGUID        : 69c0b65e-97f7-4c8f-95f8-a93436873cbb
PropertyNames     : {DistinguishedName, Name, ObjectClass, ObjectGUID}
PropertyCount     : 4
DistinguishedName : CN=ms-PKI-DPAPIMasterKeys,CN=Schema,CN=Configuration,DC=lab,DC=net
Name              : ms-PKI-DPAPIMasterKeys
ObjectClass       : attributeSchema
ObjectGUID        : b4dbff5e-3271-4503-8cf3-f008543cc5f3
PropertyNames     : {DistinguishedName, Name, ObjectClass, ObjectGUID}
PropertyCount     : 4
DistinguishedName : CN=ms-PKI-AccountCredentials,CN=Schema,CN=Configuration,DC=lab,DC=net
Name              : ms-PKI-AccountCredentials
ObjectClass       : attributeSchema
ObjectGUID        : a8cba1e4-34f2-41da-968b-68cc8066073c
PropertyNames     : {DistinguishedName, Name, ObjectClass, ObjectGUID}
PropertyCount     : 4
So now I have a command to easily extract the RODC Filtered Attribute Set (FAS) from Active Directory.
Mission accomplished, on to the next one!

Active Directory Management Gateway Service RTMed !

The ADMG, or Active Directory Management Gateway Service, or Active Directory Web Service,
for Windows Server 2003 and Windows Server 2008 has RTMed!
I posted before about this component, which enables you to use the PowerShell 2.0 AD module to manage your Active Directories.
So now not only on 2008 R2, but also on 2003, 2003 R2 and Windows Server 2008 (in RTM version this time).
Download here:

Script GPO operations using PowerShell

If you are like me, both a PowerShell enthusiast and someone who doesn't like repetitive (boring!) work,
you try to automate stuff that you need to do more than a few times.
In this case I was working with GPOs.
I needed to add lots of computer objects to a GPO's security filtering list, you know what I mean:
In this case I couldn't use groups, so I had to add all the objects separately... (don't ask)
Another challenge was that it concerned a domain not trusted by my workstation's domain.
I looked into the VBScripts that come with GPMC in Windows 2003 (in the '\Program Files\GPMC\Scripts' folder).
The following command looks like it should work, but it doesn't seem to work for user objects in a non-trusted domain,
and the script doesn't seem to work for computer objects at all:
Cscript SetGPOPermissions.wsf "MyGPO" "MyServer" /Permission:Apply /Domain:wedonttrustyou.local
I also tried porting the script to PowerShell, using the same GPMgmt.GPM COM interface,
but that seems to have issues as well, so as far as I can tell there might be inherent issues with this interface
when using it for non-trusted domains.
I did find a good starting point for that kind of scripting in an old TechNet Magazine:
There is also some code for download there, including a 'GPMC PowerShell Functions.txt'.
If you load this in your PoSh profile or dot-source it in a session,
you have a lot of functions at your disposal to do different Group Policy tasks.
But I had to look for an alternative...
I remembered I had downloaded and installed the SDM GPMC PowerShell Cmdlets 1.3 once, but I hadn't made much use of them yet.
Check out: for these and other nice tools.
I even had the SDMSoftware.PowerShell.GPMC snap-in loaded already through my PoSh profile script, so I was ready to go!
I quickly discovered the Add-SDMgpoSecurity cmdlet, which looked right for the job.
After a few typos I had it working in a few minutes!
In a session started with alternate credentials for the non-trusted domain,
I could use the following command to get the job done:
Add-SDMgpoSecurity -name "MyGPO" -Trustee "MyServer" -PermApply -Domain "wedonttrustyou.local"
After that I could pipe the entire list of computers to the command and relax,
and next time the command will be at my disposal at will (if I forget, I can check this blog post I guess 😉)

Work with Trusts, Secure Channels and NLTest

If, like me, you work in an environment that contains multiple trusts between multiple domains,
you probably need to be able to check or change the status of the secure channels between different domain controllers.
Play with this a little (in a lab) to get comfortable with the commands!
Secure channels are secure communication paths between machines, used for example for pass-through authentication.
There are different kinds:
-A member server/workstation has a secure channel to a DC in its own domain; the member's machine account is used for authentication.
-A DC has a secure channel with the PDC emulator in its own domain (except the PDC emulator itself); the DC's machine account is used for authentication.
-A DC has a secure channel with a DC in every domain that is trusted by its domain; in this case the TDO (Trusted Domain Object, a special object used for trust authentication) account is used.
The tools you need are nltest and netdom; those should probably be standard gear in your arsenal.
'NL'test comes from NetLogon, as this is the service responsible for managing secure channels.
As an example I will use member server RESOURCE01 that lives in domain RESDOM.NET.
Resource domain RESDOM.NET has an outgoing external trust to user domain USERDOM.LOCAL (RESDOM trusts USERDOM).
To check the secure channel RESOURCE01 has to its own domain:
nltest /sc_query:RESDOM.NET /server:RESOURCE01
The /server switch can be omitted when the command is run from the server in question.
A problem with a member -> DC secure channel can happen when a machine has been off the network for a long time (> 60 days)
and the computer account password in AD is no longer the same as the one on the machine.
Resetting the computer account using ADUC and rejoining the machine is often the easiest cure.
From the command line you can try the following to reset both the AD and the computer's secure channel password, and avoid a rejoin:
netdom reset <server> /Domain:<domain> /UserO:<user to connect to machine> /PasswordO:*
To check the secure channel between a DC and a DC in a trusted domain use:
nltest /sc_query:<trusted domain> /server:<DC in trusting domain>
for example:
nltest /sc_query:USERDOM /server:RESOURCE01
Instead of sc_query you can also use sc_verify, which is less passive:
"if the secure channel is not working, this operation removes the existing channel and builds a new one", as per Microsoft.
If there's a problem with a secure channel (for example a network, firewall or name resolution issue),
you can try the following command to rebuild the secure channel:
nltest /sc_reset:<trusted domain> /server:<DC in trusting domain>
for example:
nltest /sc_reset:USERDOM.LOCAL /server:RESOURCE01
You can also force the server to create a secure channel to a specified DC in the trusted domain:
nltest /sc_reset:<trusted domain>\<DC in trusted domain> /server:<DC in trusting domain>
for example:
nltest /sc_reset:USERDOM.LOCAL\GOOD-DC01 /server:RESOURCE01

Hope you find this useful. I know some of you may not be very comfortable using these commands,
but maybe after reading this post they make a little more sense!

New Windows Bible is out!

I just received my new Windows 'Bible' in the mail: Windows® Internals, Fifth Edition.
All the true low-level 'geek' stuff about the inner workings of Windows,
written by famous Windows Internals heroes Mark R., David A. and Alex I.
I read big portions of the previous 4th Edition and learned a lot about
the workings of the Windows memory manager, processes, system startup, etcetera.
Now it's updated and covers Vista and Windows Server 2008 as well.
Here is the book's identification info:
Authors: Mark E. Russinovich and David A. Solomon with Alex Ionescu
Language: English
Length: 1264 pages
Level: Intermediate, Advanced
ISBN-13: 9780735625303
Here's a link to more info on Microsoft's Learning website:
Recommended for anyone interested in how Windows really works!