/var/log

Journal of a SysAdmin


AdminSDHolder

September 9th, 2009 · No Comments

Once again, I find I don’t know as much about the inner workings of Active Directory as I’d like. Joe of joeware dissects a TechNet article about AdminSDHolder, using his fine tool AdFind to query AD for security information. Joe finds a few things lacking in the article (he calls it “rough”).

Once again, it strikes me that one can administer an Active Directory without requiring a deep knowledge of how things work under the hood, so to speak. For most, I expect this is not an issue. Microsoft excels at hiding the complexity of its products and many “administrators” are quite content with yelling for technical support help (at approximately $250 a question) when the SHTF, thank you very much. I am dissatisfied with continuing to manage the largest AD forest I have ever managed without an exhaustive, rigorous knowledge of AD’s nuts and bolts.

Of course, there is an altogether simple course here: study. So it is with some renewed vigor that I break open all my resources to drink deeply from the AD (and Exchange) bowl of knowledge.

I wonder what I’ll find? Will I be even more dissatisfied when I find out how “bad” things are? The deeper one travels in the bowels, the closer to crap one gets.

Tags: Active Directory · Journal · Miscellaneous

Spell I-D-I-O-T-I-C

September 3rd, 2009 · No Comments

Comes the news from Nasir Ali (Exchange Escalation Engineer, the poor bastard) that Exchange Server 2007 SP2 setup fails if all domain controllers are running Windows Server 2008 R2.

The error is as follows:

[ERROR] Cannot find at least one domain controller running Windows Server 2003 Service Pack 1 or later in domain ‘DC=DCName,DC=com,DC=DCName’. This could be the result of moving domain controller objects in Active Directory. Check that at least one domain controller running Windows Server 2003 Service Pack 1 or later is located in the ‘Domain Controllers’ organizational unit (OU) and rerun setup.

Grammatically, I would expect that “Windows Server 2003 Service Pack 1 or later” technically includes Windows Server 2008 R2. As a technician, this would drive me absolutely nuts.

Thanks goes to that beneficial giant of all things software, Microsoft, for once again exhibiting (my) truism that your left hand doesn’t necessarily need to know what your right is doing to still make oodles of money.

Tags: Exchange · Rant

Metadata Cleanup

August 31st, 2009 · No Comments

This is major good news from the MS folks: I recently discovered it is possible to automate metadata cleanup, required after the forced removal of an AD Domain Controller.

Even better, on DCs running Windows Server 2008, deleting the DC’s computer object in ADUC (Active Directory Users and Computers MMC) initiates the cleanup process automatically.

More information here.

Tags: Active Directory · Server · Windows

Quote of the Week

August 20th, 2009 · No Comments

An undefined problem has an infinite number of solutions.
—Robert A. Humphrey

Tags: Miscellaneous

A Hidden Dialog Box

August 11th, 2009 · No Comments

And there shall be wailing and gnashing of teeth.

That sentence pretty much describes every other day working to administer a Microsoft Windows installation. This is because I get to deal with what I’ve come to call “illogical deviances”, abnormalities, downright idiocy. Over time, I’ve come to understand that I can’t expect the same outcome from a repeatable operation.

What works today doesn’t tomorrow, for no apparent reason. This is the one part of working with Windows that drives me up a wall. It seems to me that for a conglomerate as massive as Microsoft, taking the time to perform a “finishing” routine should be par for the course.

KB article 973772 is an example of what I’m talking about. Apparently, on a Windows Vista or Windows Server 2008-based computer, when you try to configure the printer item in Group Policy Preferences for printers that use third-party drivers (which, unless Microsoft is now manufacturing and selling printers, is every single printer available), Group Policy Preferences stops responding. When this problem occurs, it is no longer possible to perform any other operations, and you can no longer log off.

Why does this problem happen? Well … because a hidden dialog box is opened.

A hidden dialog box.

This is the kind of BS programming that infuriates people, wastes time (thus money) and drives those of us who prefer to think in logical terms to believe we’re going insane.

A hidden dialog box.

Sigh.

Tags: Group Policy · Rant · Windows

Happy Independence Day

July 4th, 2009 · No Comments

Here are some other examples of fireworks photography, spellbinding.

Tags: Miscellaneous

Force Ten From Redmond

July 2nd, 2009 · No Comments

Anyone remember the old movie Force Ten From Navarone? If you don’t know it and like WWII movies, I heartily recommend it.

So why Force Ten From Redmond? Microsoft’s latest update cycle seems to be doing some strange things regardless of what the user decides to choose as their update process. As you know, there are several choices you can make about how any updates from Microsoft get applied, ranging from automatically downloading and installing updates to turning off automatic updates completely. It now looks like the latter option may be the only way to go.

According to Windows Secrets, people have reported that choosing any option other than turning off automatic updates results in updates installed without regard for setting or choice.

Nice.

As you know, installing updates from Microsoft sometimes breaks things so you can see where updates getting installed without approval may spoil the broth, so to speak. What to do about this? The only choice (hah!) left is to turn off Automatic Updates which results in a red warning icon but it is possible to turn that off and then check for updates manually:

  • Step 1: Disable Automatic Updates. In XP, open the Automatic Updates Control Panel applet and select Turn off Automatic Updates. In Vista, open the Windows Update Control Panel applet, choose Change settings in the left pane, and select Never check for updates (not recommended).
  • Step 2: Turn off the red warning. Open the Security Center Control Panel applet, click Change the way Security Center alerts me, and choose Don’t notify me and don’t display the icon (not recommended).
  • Step 3: Check for updates manually. Run Microsoft Update or an independent update service at least once a month (preferably just after reading the analysis that Windows Secrets publishes two days after every Patch Tuesday). Third-party update tools such as the Secunia Personal Software Inspector and the Shavlik Google Patch Gadget can identify critical updates that both Windows and your major applications require.

I won’t go on a rant about how this kind of behavior is ridiculous (I mean, MacOS doesn’t do this kind of thing, for starters) but I have neither the time nor inclination.
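If you do turn Automatic Updates off, the manual check in Step 3 is the part that gets forgotten. The following PowerShell (an added example, not from the post) reads the current Automatic Updates mode through the Windows Update Agent COM API and runs the same "not yet installed" search the Windows Update UI performs, so the check can be scripted or scheduled:

```powershell
# Added example (not from the post): read the Automatic Updates mode the post tells you to
# change, then do the Step 3 manual check through the Windows Update Agent COM API.
function Get-AutomaticUpdatesMode {
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    # NotificationLevel values as documented for IAutomaticUpdatesSettings
    $levels = @{ 0 = 'Not configured'; 1 = 'Disabled (never check for updates)';
                 2 = 'Notify before download'; 3 = 'Download, notify before install';
                 4 = 'Download and install on schedule' }
    $level = [int]$au.Settings.NotificationLevel
    New-Object PSObject -Property @{
        NotificationLevel = $level
        Meaning           = $levels[$level]
        ReadOnly          = $au.Settings.ReadOnly   # $true when Group Policy owns the setting
    }
}

function Find-PendingUpdates {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Same criteria as the Windows Update UI: not installed, not hidden by the user
    $result = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        New-Object PSObject -Property @{
            Title    = $u.Title
            Severity = $u.MsrcSeverity   # Critical/Important/Moderate/Low for security bulletins
            KB       = (@($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ', ')
        }
    }
}

Get-AutomaticUpdatesMode | Format-List
Find-PendingUpdates | Sort-Object Severity | Format-Table Severity, KB, Title -AutoSize
```

The search talks to whatever update source the machine is configured for (Microsoft Update or an internal WSUS server), so it reflects the same catalogue the automatic mechanism would have used.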

Tags: Security · Windows

Real Time

May 18th, 2009 · No Comments

Today’s Thought:

“The world runs in real time, but government runs in batch.”
- Vivek Ranadive, TIBCO

Tags: Miscellaneous

Outlook Anywhere, XP, and ISA: Oh My!

May 15th, 2009 · No Comments

For the longest time, it was a burr embedded in my side.

With ISA servers standing guard in front of our Exchange Server 2007 installation and a UCC (or SAN) SSL certificate installed, Outlook (2003 and 2007) users on Windows XP were having the hardest time getting access to Exchange via Outlook Anywhere.

As it turns out, the problem was simple enough: one little check box.


The problem has to do with the unique combination of Outlook, ISA 2006 SP1, Windows XP and Exchange Server 2007. Our UCC/SAN SSL certificate has the principal name of mail.company.com but also has owa.company.com and autodiscover.company.com on the same certificate.

ISA was set up to have the public name of autodiscover.company.com “redirected” by a rule to the protected, internal web farm name of mail.company.com. When Outlook clients presented themselves for connections through Outlook Anywhere (RPC over HTTP) to the ISA box by using autodiscover.company.com, they obtained the SSL certificate for mail.company.com.

With the check box checked, Outlook clients compared the SSL certificate they got (mail.company.com) to the URL to which they were connecting (autodiscover.company.com) and summarily rejected any connections, but there was no error beyond prompting over and over and over for credentials.

Initially, I didn’t think there was a problem because my box, which is running Vista, didn’t have a problem. I think Vista was able to handle SAN SSL certificates.

I’m not sure; it requires some research.

Whatever the case, I have instructed all users attempting Outlook Anywhere access to uncheck that box and life’s all right. Of course, if I’d been the one to set up the ISA firewalls, I’d have ensured that the web farm field was set to autodiscover.company.com and that the same name was the principal name on the SSL certificate.
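Before clearing that check box on every client, it is worth confirming the mismatch the post describes from the client side. The PowerShell below (an added example, not from the post; the host names are the post’s placeholders) connects to each public name, takes the certificate the proxy actually presents, and reports separately whether the name matches the subject CN (the principal name) or only appears in the Subject Alternative Name list:

```powershell
# Added example (not from the post): fetch the certificate a proxy presents for a host name and
# report whether that name matches the subject CN or only a SAN entry. Host names are the
# placeholders used in the post.
function Get-PresentedCertificateNames {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any chain here: the point is to inspect the certificate, not to trust it
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }

    $cn = if ($cert.Subject -match 'CN=([^,]+)') { $Matches[1] } else { '' }
    # The Subject Alternative Name extension (OID 2.5.29.17) carries the extra names on a UCC/SAN cert
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san = @()
    if ($sanExt) {
        $san = @([regex]::Matches($sanExt.Format($true), 'DNS Name=([^\s,]+)') |
                 ForEach-Object { $_.Groups[1].Value })
    }
    New-Object PSObject -Property @{
        ConnectedTo = $HostName
        SubjectCN   = $cn
        SanNames    = ($san -join ', ')
        MatchesCN   = ($cn -eq $HostName)
        MatchesSAN  = ($san -contains $HostName)
    }
}

# In the post, connecting to autodiscover.company.com yields the mail.company.com certificate:
# expect MatchesCN to be false for autodiscover even though MatchesSAN is true.
'mail.company.com', 'autodiscover.company.com' |
    ForEach-Object { Get-PresentedCertificateNames $_ } | Format-List
```

A name that shows MatchesSAN but not MatchesCN is exactly the case where the proxy’s published name and the certificate’s principal name disagree, which is what the web farm setting mentioned above would have avoided.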

Tags: Desktop · Exchange · Windows

To GMT Or Not To GMT?

May 8th, 2009 · No Comments

Being that I’m a senior controller on the VATSIM network, I have to work with Zulu time (also known as UTC or GMT) all the time, so I set up an additional clock to be shown on my Vista x64 machine, only to find out it’s off by one hour.

At first I thought it was a problem when my time zone changed from Mountain Standard Time to Mountain Daylight Time, but those settings were (are) fine.

As it turns out, what in Vista exists as GMT is actually local London time which, as you may know, changes seasonally at the same general time as the US daylight saving time changes (note: Daylight Saving Time, not Daylight Savings Time).

Why Vista’s programmers have a GMT setting which changes with daylight saving time borders on stupidity. GMT is GMT is UTC is Zulu is GMT. It never changes. What they should have done is to have a separate time zone for GMT not related to London local time, which right now is BST (British Summer Time).

I had to use the Time Zone Edit utility to change GMT not to allow daylight saving time. I wonder sometimes why I continue to use this bloody OS.
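The one-hour drift can be reproduced without waiting for the clock to be wrong. The PowerShell below (an added example, not from the post) asks the .NET TimeZoneInfo data that Windows exposes whether a zone observes daylight saving and what offset it applies at a summer and a winter instant; the London zone carries the Windows ID "GMT Standard Time", and the separate "UTC" zone ID is assumed to exist (it does on Windows 7 and later):

```powershell
# Added example (not from the post): show why a clock set to Vista's "GMT" zone drifts an hour
# in summer. Windows' London zone has the ID "GMT Standard Time" and observes BST; a zone with
# the ID "UTC" is assumed to exist (Windows 7 and later) and never shifts.
function Test-ZoneIsTrueUtc {
    param([string]$ZoneId, [datetime]$At)
    try { $tz = [TimeZoneInfo]::FindSystemTimeZoneById($ZoneId) }
    catch { Write-Warning "Zone '$ZoneId' is not installed on this machine"; return }
    New-Object PSObject -Property @{
        Id          = $tz.Id
        ObservesDst = $tz.SupportsDaylightSavingTime
        OffsetAt    = $tz.GetUtcOffset($At)        # what the extra clock would actually show
        IsDstAt     = $tz.IsDaylightSavingTime($At)
        # A clock meant to show Zulu must sit at +00:00 in every season
        SafeForZulu = (-not $tz.SupportsDaylightSavingTime) -and ($tz.BaseUtcOffset -eq [TimeSpan]::Zero)
    }
}

# A summer instant (BST in force when the post was written) and one six months later
$summer = [datetime]::SpecifyKind([datetime]'2009-07-01T12:00:00', 'Utc')
foreach ($id in 'GMT Standard Time', 'UTC') {
    foreach ($t in $summer, $summer.AddMonths(6)) { Test-ZoneIsTrueUtc $id $t }
}
```

For "GMT Standard Time" the summer row shows OffsetAt of one hour and IsDstAt true, which is the hour the extra clock was off by; a zone that reports SafeForZulu true is the one to pick for an aviation clock.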

Tags: Desktop · Rant · Windows