Archive for November, 2009

Country Drink Tech-Ed 2009

November 13th, 2009 No comments
Well, we had a great party last night!
It was great to see everyone enjoying themselves. Of course a Dutch country drink would not be complete without some Dutch entertainment; Peter Beense gave a brilliant performance! Even some Tech-Ed speakers attended; our PowerShell dude Jeffrey Snover was spotted. Club restaurant Dante never hosted such a great party before. Needless to say, Schuberg Philis was happy to endorse and sponsor this event, and we hope we were able to explain that “work hard, play hard” is our kind of game. In other words, working here is as much fun as you can have with your pants on.

You can check out the photos on:
http://www.saycheese.eu/nl/events/2009/november/countrydrink

Today we closed the event with Case of the Unexplained… Windows Troubleshooting with Mark Russinovich.
A really nice session about debugging and troubleshooting crappy apps and sluggish Windows systems.
Cool stuff every engineer should be able to use. We’ll digest all the tracks we’ve seen this week and post some more in the coming weeks. See you all next year!

Cheers from Berlin!


TECHED Berlin 2009

November 12th, 2009 No comments

Schuberg Philis has sent four colleagues and me to Berlin to attend TechEd over there.

Together with another 7000 techies, we are spending a week planning, running, eating and experiencing all kinds of (new) technologies presented by Microsoft guys.

Feeling some blisters already, because I’m not used to running so much in a day, especially with a Lenovo T500 on my shoulder. The Berlin Messe is a huge place. But the overall sense among the MCEs is that we are enjoying the sessions. Not all sessions are that good, but Mark Minasi, for instance, is good fun to watch and hear. The food and beverages (very important) are good and plentiful.
Technically we are not always that challenged; on many occasions the depth is lacking, but then again, it is a mass event and not everybody is a (potential) MCE.

Read more…

Microsoft Deployment Toolkit 2010…

November 12th, 2009 No comments

Finally I have seen a nice Microsoft solution for light-touch deployment of servers and workstations. During a half-hour demo session at TechEd, MS demonstrated that deploying new desktops and servers doesn’t have to be a tough job if you use the new Deployment Toolkit 2010 and WAIK 2.0. It was impressive to see how easy automated deployment of various operating systems becomes when you use the new Deployment Workbench, which wraps like a management shell around the individual WAIK 2.0 components. A big plus of the Deployment Workbench is that all UI management operations are also accessible from PowerShell by loading a single PowerShell snap-in, which makes automation easier.

WAIK 2.0 comes with some new tools, such as DISM.exe, which combines previous WAIK tools like Pkgmgr.exe, Intlcfg.exe and PEimg.exe and has basic functionality to mount and maintain Windows images (in either WIM or VHD file format) by adding or removing device drivers, patches, software packages, etc.

Other new features in this toolkit:

• BCDboot: a new tool used to quickly set up a system partition or to repair the boot environment.
• USMT (User State Migration Tool): used for an in-place migration while keeping all user data and settings.
• Volume Activation Management Tool: manages volume activation of Windows clients using a Multiple Activation Key (MAK).
• Hardware recognition and driver injection (also during the pre-installation stage while booting from WinPE).
• Creation of image files for media-based deployments from existing deployment shares (WIM and/or ISO image files).

It supports deployment of Windows XP, Vista, Windows 7 and Windows Server 2003/2008/2008 R2.
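Offline servicing of an install image with DISM.exe, the mount-and-maintain workflow described above, looks like this in practice. This is an added example, not a script from the post or from the MDT/WAIK documentation; the WIM path, mount folder, driver and update folders are placeholders, and the image index (1) is an assumption that should be checked with /Get-WimInfo first.

```powershell
# Added example (not from the original post or the MDT/WAIK documentation): offline
# servicing of a Windows install image with DISM.exe from WAIK 2.0. Paths are placeholders
# and the image index (1) is an assumption; check it with /Get-WimInfo first.
$wim     = 'D:\Deploy\OS\Win2008R2\install.wim'
$mount   = 'C:\Mount'
$drivers = 'D:\Deploy\Drivers\HP-DL380'
$updates = 'D:\Deploy\Updates'             # .msu/.cab packages downloaded from Microsoft

# Which images live inside the WIM? The index below must match one of them
dism.exe /Get-WimInfo /WimFile:$wim

New-Item -ItemType Directory -Path $mount -Force | Out-Null
dism.exe /Mount-Wim /WimFile:$wim /Index:1 /MountDir:$mount
if ($LASTEXITCODE -ne 0) { throw "Mount failed with exit code $LASTEXITCODE" }

# Inject every driver package found under the folder, subfolders included
dism.exe /Image:$mount /Add-Driver /Driver:$drivers /Recurse

# Slipstream updates so a freshly deployed machine does not come up with known holes
# between its first boot and its first patch cycle
Get-ChildItem $updates -Recurse | Where-Object { $_.Extension -match '^\.(msu|cab)$' } | ForEach-Object {
    dism.exe /Image:$mount /Add-Package /PackagePath:$($_.FullName)
}

# Review what is now in the image before committing
dism.exe /Image:$mount /Get-Drivers
dism.exe /Image:$mount /Get-Packages

# Write the changes back into the WIM (use /Discard instead to throw them away)
dism.exe /Unmount-Wim /MountDir:$mount /Commit
```

Run it from an elevated PowerShell on a machine with WAIK 2.0 installed; the same /Image: switches work against a mounted VHD, which is what makes one servicing script cover both image formats the post mentions.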

Read more about MDT 2010:
http://technet.microsoft.com/en-us/solutionaccelerators/dd407791.aspx

What’s new in MDT 2010 (link to Word doc):
http://go.microsoft.com/fwlink/?LinkId=163309

mdt2010

IPv6 is coming…

November 11th, 2009 1 comment

Mark Minasi held a nice presentation about the basics of IPv6. Very clarifying.

Of course there was a warning, as all speakers must have given over the last couple of years, about the ‘ending’ of IPv4. We are running out of IP addresses; we’ve heard that before.

Here is a nice link where Geoff Huston predicts the end of time: http://www.potaroo.net/tools/ipv4/index.html

And in fact, we cannot ignore this. It will happen. And I want to be prepared, so that’s why I attended this session. I can no longer sit back and hope this will only happen when I’m retired (and the Dutch government is not helping either, as they have decided to move the pension age from 65 to 67..).

Windows has implemented the IPv6 stack from Windows Server 2003 (and XP SP2) onwards, and from Vista onwards IPv6 is the preferred protocol by default. Of course you can disable this, but in Win2k8 IPv4 is built on the IPv6 stack, so even when you disable IPv6 you’re always able to ping your local loopback address (::1).

Something I found during my research: Exchange 2003 on Windows 2008 needs IPv6, unless you disable it via a registry hack (http://msmvps.com/blogs/ehlo/archive/2008/06/12/1634433.aspx).

You need to understand the principles (doh…), but networking is a piece of cake with IPv6.

“IPv4 is all about routing, IPv6 is all about shouting,” as Mark Minasi put it.

Motivators to use IPv6:

• China is knocking at the internet door.
• All European car manufacturers have agreed to implement IPv6 in their cars as the standard protocol for car applications (so beware, braking will be done via commands transported over IPv6..).

I don’t want to go into detail here, there is plenty of explanation on the web, but all modern OSes are capable of doing IPv6, and I will certainly dive deeper into this.

You should too.

PowerShell V2 RTM has arrived… also for Vista, XP and others

November 11th, 2009 No comments

Late October PowerShell V2 was released for almost all Windows platforms. Check out http://support.microsoft.com/kb/968929 and download the version you need.

Happy scripting!

What does Windows Server 2008 R2 hold for Active Directory?

November 10th, 2009 No comments

Remote Management.
Well, finally PowerShell v2 is included and holds an AD module, so the Quest ActiveRoles Management Shell for Active Directory is now ‘sort of’ native: a comprehensive set of AD cmdlets for AD DS and AD LDS administration, configuration and diagnostic tasks.

PowerShell drives for AD will simplify navigation in AD Directory Services. And most of all: certain tasks can only be achieved through PowerShell :) hurrah for the shell.

AD Web Services (ADWS) creates a web service ‘gateway’ for managing Windows 2008 R2 servers through PowerShell. Be sure you have port 9289 opened on the firewalls and you’re home free.

 remote management

For backward compatibility the Active Directory Management Gateway Service (ADMGS) is available for Windows Server 2003 and 2008; however, it does not support AD Mounting Tool instances (Get-PSDrive).

AD Administrative Center
The Users and Computers interface is enriched by progressive disclosure of data, which means the interface builds up a navigation history, anticipates the tasks you’re about to do and fills the interface accordingly. A big plus is that you can connect to multiple domains at the same time.

Managed Service Accounts
Currently, using built-in accounts for services does not provide service isolation, and in many cases we run the services under standard user accounts with fairly extensive privileges. But then again, changing service account passwords on a regular basis has caused some unexpected service failures.

So managed service accounts are introduced, though the accounts must be created and managed through Windows PowerShell. It’s delivered in three steps. The sweet thing is that the password is reset on a regular basis (every 30 days by default) by the system itself.

However:
1: The service / application requiring a managed account must be running on Windows 7 or Server 2008 R2
2: Managed accounts cannot be shared across multiple servers

The latter is a major setback: the whole security of the password changes is built in, so why not enable it across hosts? ‘Keep it simple and transparent’ does not apply here.
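The three steps the post mentions, written out as an added example that is not from the post or from Microsoft’s own guide. It assumes the Windows Server 2008 R2 ActiveDirectory module, a domain called CORP, and placeholder names for the account, the single host that may use it, and the service.

```powershell
# Added example (not from the original post): the managed service account workflow on
# Windows Server 2008 R2, run from a machine with the ActiveDirectory module. The domain
# (CORP), host, account and service names are placeholders.
Import-Module ActiveDirectory

$msaName  = 'svc-web01'     # becomes CORP\svc-web01$ in the domain
$hostName = 'web01'         # the one 2008 R2 server allowed to use it (MSAs cannot be shared)
$service  = 'W3SVC'         # the service that will run under the account

# Step 1: create the account in AD. Nobody picks a password; AD generates one
New-ADServiceAccount -Name $msaName -Enabled $true -Description 'Web front-end service account'

# Step 2: tie the account to its host, then, logged on to that host, install it so the
# machine caches the password locally. From here on Windows rotates the password itself,
# every 30 days by default, and no human ever needs to know it
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName
Install-ADServiceAccount -Identity $msaName        # run this on $hostName

# Step 3: point the service at DOMAIN\name$ with an empty password and restart it
$account = 'CORP\{0}$' -f $msaName
sc.exe config $service obj= $account password= ""
Restart-Service $service

# Check: the service runs as the MSA, and the logon account is what we expect
Get-WmiObject Win32_Service -Filter "Name='$service'" | Select-Object Name, StartName, State
```

The empty password on the sc.exe line is deliberate: the service control manager fetches the current machine-managed password itself, which is exactly what removes the manual password rotation (and the outages it caused) from the picture.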

Djoin.exe
Now Windows 7 and Windows 2008 R2 machines can be joined to a domain while offline; it’s not PowerShell driven though. During deployment the machine has already joined the domain at startup, so no reboot is required. This will definitely speed up deployment of VMs and scripted installs. The sysprep process will create a new section in unattend.xml to support offline domain joins, which actually simplifies domain joins to RODCs.
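An added example (not from the post) of the two halves of an offline domain join with djoin.exe: provisioning on a machine with rights to create computer objects, and applying the resulting blob on the new machine. Domain, machine name, OU and file path are placeholders.

```powershell
# Added example (not from the original post): offline domain join with djoin.exe.
# The blob produced by /provision contains the new machine account's password, so
# treat it like a credential: move it over a protected channel and delete it afterwards.
# Domain, machine name, OU and path are placeholders.
$domain  = 'corp.example'
$machine = 'srv-new01'
$blob    = 'C:\deploy\srv-new01.djoin'

# --- Provisioning side (a domain-joined machine with rights to create computer objects) ---
# Creates the computer account in AD and writes the join metadata to $blob; the target
# needs no connectivity to a domain controller at this point
djoin.exe /provision /domain $domain /machine $machine /machineou 'OU=Servers,DC=corp,DC=example' /savefile $blob
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

# --- Target side (the freshly deployed machine, during its deployment run) ---
# /localos applies the blob to the running installation; point /windowspath at an
# offline image's Windows directory instead when servicing a VHD or mounted WIM
djoin.exe /requestodj /loadfile $blob /windowspath $env:SystemRoot /localos
if ($LASTEXITCODE -ne 0) { throw "djoin /requestodj failed with exit code $LASTEXITCODE" }

# The machine comes up domain-joined on the startup the deployment was going to do anyway;
# the blob has done its job and should not linger on disk
Remove-Item $blob -Force
```

Because the blob is all an attacker would need to impersonate the new machine account, the interesting operational question is not the djoin syntax but where the blob travels and who can read it while it exists.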

Recycle Bin for AD
Here it is: a fast and decent failsafe against accidental deletion of AD objects; the Recycle Bin for AD.
You need to raise the forest functional level to 2008 R2 and, of course, it’s PowerShell driven.
Bear in mind that once enabled it cannot be disabled, but then again, it restores all attributes, including linked attributes. Of course it will impact storage, but by no more than a 5-10% increase of the AD database. Here is how it will work:

 AD Recycle Bin
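Enabling the feature and restoring a deleted object, as an added example that is not from the post. It assumes the Windows Server 2008 R2 ActiveDirectory module; the forest name, domain controller and deleted user are placeholders, and the pre-flight check on the forest functional level is there because the post is right that this is a one-way door.

```powershell
# Added example (not from the original post): enable the AD Recycle Bin on a
# Windows Server 2008 R2 forest and restore a deleted user. Forest name, DC and
# user name are placeholders.
Import-Module ActiveDirectory

$forest = 'corp.example'
$dc     = 'dc01.corp.example'   # a 2008 R2 domain controller running ADWS

# Pre-flight: the feature needs the 2008 R2 forest functional level, and cannot be undone
$mode = (Get-ADForest -Server $dc).ForestMode
if ($mode -ne 'Windows2008R2Forest') {
    throw "Forest functional level is $mode; raise it to Windows2008R2Forest first."
}

Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
    -Target $forest -Server $dc -Confirm:$false

# Some time later: someone deleted jdoe. Deleted objects keep their attributes but are
# renamed to "<name>\0ADEL:<guid>", hence the wildcard on the name
$deleted = Get-ADObject -Server $dc -IncludeDeletedObjects `
    -Filter { isDeleted -eq $true -and name -like 'jdoe*' } `
    -Properties lastKnownParent, whenChanged

$deleted | Format-Table Name, lastKnownParent, whenChanged -AutoSize

# Restore puts the object back under its last known parent with linked attributes
# (group memberships) intact, with no authoritative restore from backup
$deleted | Restore-ADObject -Server $dc

Get-ADUser -Server $dc -Identity jdoe -Properties MemberOf | Select-Object SamAccountName, Enabled, MemberOf
```

The whenChanged column is worth looking at before restoring: with the Recycle Bin on, deleted objects are also what an investigator sees when reconstructing who removed what, so a restore is best done after that record has been noted.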

Installing Microsoft SQL Server 2008 on Windows 2008 R2 Core

November 9th, 2009 1 comment

Session by: Andrew Fryer

In this interactive lab I learned how to install and configure SQL 2008 on Windows 2008 R2 Core, which has the following technical advantages and characteristics:

- Running on R2 Core instead of a normal setup limits patching and maintenance of the SQL host OS to the minimal set of R2 Core components, minimizing instance downtime.

- Running several SQL instances is possible, just as on the full OS setup with GUI.

- All installation and configuration needs to be done using PowerShell cmdlets, which is limited to installing the .NET Framework 3.5, configuring the Windows firewall to allow 1433 and installing the base components of SQL 2008; of course the GUI components of SQL, including Management Studio, cannot run on R2 Core, so the instance needs to be managed from a remote machine.

- It makes life really easy to prepare an R2 image with a pre-installation of SQL 2008 using Sysprep for fast deployment of a SQL Server. We reached an OS/SQL deployment time of 5 minutes in the lab.

- Running on R2 Core also has security advantages for the SQL Server instance, as most major Windows vulnerabilities relate to higher-level components, and Windows 2008 Core is mostly not affected.

- It is possible to cluster a SQL instance running on R2 Core.

- This implementation is not supported by Microsoft at this moment, but several factors show it will be supported in the near future.

The how-to guide will shortly be available on CodePlex. If not, I will add an installation guide to this blog too.
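The three configuration steps listed above (enable .NET 3.5, open 1433, install the engine) as one added example script; it is not from the lab or from Microsoft. It assumes Windows Server 2008 R2 Core with PowerShell already enabled, the SQL Server 2008 setup.exe on D:, and placeholder values for the service account, the sysadmin group and the management subnet.

```powershell
# Added example (not from the original post or the lab): scripted SQL Server 2008
# engine install on Windows Server 2008 R2 Core. Service account, admin group,
# setup path and management subnet are placeholders.
# On a fresh Core box PowerShell itself is off; switch it on from cmd.exe first:
#   dism /online /enable-feature /featurename:NetFx2-ServerCore
#   dism /online /enable-feature /featurename:MicrosoftWindowsPowerShell

# .NET Framework 3.5 is a SQL 2008 setup prerequisite and ships as a Core feature
dism.exe /online /enable-feature /featurename:NetFx3-ServerCore

# Open TCP 1433 only towards the subnet the remote Management Studio machines live on,
# not to the world; Core has no local GUI, so every management connection is remote anyway
$mgmtSubnet = '10.10.20.0/24'
netsh.exe advfirewall firewall add rule name="SQL Server TCP 1433" dir=in action=allow protocol=TCP localport=1433 remoteip=$mgmtSubnet profile=domain

# Unattended engine-only install: no SSMS or other GUI features on the server.
# The service account password is prompted for rather than stored in the script
$svcPassword = Read-Host 'Password for CORP\svc-sql01'
& 'D:\setup.exe' /Q /ACTION=Install /FEATURES=SQLEngine /INSTANCENAME=MSSQLSERVER `
    /SQLSVCACCOUNT='CORP\svc-sql01' /SQLSVCPASSWORD=$svcPassword `
    /SQLSYSADMINACCOUNTS='CORP\SQL-Admins' /TCPENABLED=1

# Confirm the engine is running and listening before handing the box over
Get-Service MSSQLSERVER
netstat.exe -an | Select-String ':1433 '
```

Scoping the firewall rule with remoteip is the part worth keeping even outside a lab: the post’s security argument for Core is a smaller attack surface, and an engine port open to every address gives a good part of that back.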

What is new in Microsoft SQL Server Azure?

November 9th, 2009 No comments

Everything. Microsoft SQL Azure is the new cloud computing online service for Microsoft SQL Server, launching in November ’09 at the V1 level.

It was amazing to see that you are actually able to connect to an online SQL Server cloud using the normal SQL Management Studio, connecting to the database engine using the FQDN. The SQL Gateway, which is manageable through an online web interface and includes all security and firewall settings for the SQL cloud, the redirector layer, which load-balances T-SQL traffic, and the underlying SQL Fabric, which serves the cloud, are fully transparent to SQL Management Studio, and system administrators can manage all features of SQL as they do in normal in-house setups.

The V1 version is targeted at non-mission-critical SQL databases for medium and large organizations. In the first quarter of 2010 the V2 release will target mission-critical SQL needs, and some features that are not available at this moment, like snapshots, restore to a specific point in time and switching between databases with USE <db>, will be added.

It is possible to use this service based on “on demand” resource needs, meaning that at a specific period of time the database load can be balanced over virtually unlimited resources, where the gateway billing mechanism is aware of this short resource peak time.

There are rumors that the SQL cloud computing technology will also be available to third-party organizations in the near future.


TLS renegotiation attack. More bad news for SSL

November 8th, 2009 5 comments

Three days ago, on the 3rd of November, Marsh Ray and Steven Dispensa of PhoneFactor released a whitepaper that describes a man-in-the-middle attack against TLS and SSL v3 using the “renegotiation” feature of the protocol. Let there be no mistake: this is a limited, but still serious attack.

This new attack adds to the issues published by Moxie Marlinspike, Dan Kaminsky and Mike Zusman that I blogged about earlier.

So what does this new attack do?

The attack described by Marsh Ray et al. exploits a feature of the TLS protocol called renegotiation. Renegotiation allows the TLS client or server to initiate a renegotiation of the encryption of the connection in order to refresh keys, add authentication, increase the strength of the cipher suite, or for any other reason. This renegotiation can be performed by the server or the client by sending a server or client hello message.
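As an added example (not from the post or from the PhoneFactor paper), here is a defender-side check a server operator would want: parse a ClientHello and report whether the client signals support for the secure-renegotiation fix. It assumes the signalling that was later standardized in RFC 5746, which post-dates this post: the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value 0x00FF and the renegotiation_info extension 0xFF01. The Test-SecureRenegotiationHello function is written for this example, and the sample ClientHello bytes are constructed.

```powershell
# Added example (not from the original post): parse a TLS ClientHello record and report
# whether the client advertises secure-renegotiation support as defined in RFC 5746
# (published after this post): the SCSV cipher value 00FF or the renegotiation_info
# extension FF01. The sample ClientHello below is constructed by hand.
function Test-SecureRenegotiationHello {
    param([byte[]]$Record)

    # Record header: type(1) version(2) length(2); handshake header: type(1) length(3)
    if ($Record[0] -ne 0x16 -or $Record[5] -ne 0x01) { throw 'Not a TLS ClientHello record' }
    $i = 9                            # first byte of the ClientHello body
    $i += 2                           # client_version
    $i += 32                          # random
    $i += 1 + $Record[$i]             # session_id (1-byte length prefix)

    $suitesLen = $Record[$i] * 256 + $Record[$i + 1]; $i += 2
    $suites = @()
    for ($j = 0; $j -lt $suitesLen; $j += 2) {
        $suites += ('{0:X2}{1:X2}' -f $Record[$i + $j], $Record[$i + $j + 1])
    }
    $i += $suitesLen
    $i += 1 + $Record[$i]             # compression_methods (1-byte length prefix)

    $extensions = @()
    if ($i -lt $Record.Length) {      # extensions block is optional
        $extLen = $Record[$i] * 256 + $Record[$i + 1]; $i += 2
        $end = $i + $extLen
        while ($i -lt $end) {
            $type = $Record[$i] * 256 + $Record[$i + 1]
            $len  = $Record[$i + 2] * 256 + $Record[$i + 3]
            $extensions += ('{0:X4}' -f $type)
            $i += 4 + $len
        }
    }

    New-Object PSObject -Property @{
        CipherSuites        = $suites
        Extensions          = $extensions
        SecureRenegotiation = (($suites -contains '00FF') -or ($extensions -contains 'FF01'))
    }
}

# Constructed ClientHello: TLS 1.0, 32 zero random bytes, empty session id, cipher suites
# 002F, 0035 plus the SCSV 00FF, null compression, and an empty renegotiation_info extension
$head   = [byte[]](0x16,0x03,0x01,0x00,0x38, 0x01,0x00,0x00,0x34, 0x03,0x01)
$random = New-Object byte[] 32
$tail   = [byte[]](0x00, 0x00,0x06, 0x00,0x2F, 0x00,0x35, 0x00,0xFF, 0x01,0x00, 0x00,0x05, 0xFF,0x01,0x00,0x01,0x00)
$SampleHello = [byte[]]($head + $random + $tail)

$result = Test-SecureRenegotiationHello $SampleHello
$result | Format-List CipherSuites, Extensions, SecureRenegotiation
if (-not $result.SecureRenegotiation) {
    Write-Warning 'Client does not signal secure renegotiation; do not let it renegotiate.'
}
```

A client that sends neither marker gives the server no way to tell a renegotiation the client started from one a man in the middle spliced in front of it, so the safe server-side policy is to refuse renegotiation for such clients and only allow it where both sides bind the new handshake to the previous one.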

Read more…

TechEd Europe 2009 – East West Thuis Best

November 5th, 2009 No comments

Some cupfighters are going to TechEd Europe 2009. In fact the company we work for, Schuberg Philis, organizes the Dutch country drink together with Microsoft.

We will blog during this event, and try to post major announcements, being made during TechEd, on this site as fast as we can. So keep an eye on this site or twitter!

http://www.schubergphilis.com/countrydrink

bierviltje

Read more…