Miklos Cari Blog

Hello to all..

This will be my last post in this blog, since I am moving to the: http://msmvps.com/blogs/miklos/

There you will find all the information that I was sharing here and of course the new one..

I encourage to all of you to bookmark my new blog, and of course thanks for all the comments that I got so far..

See you in my new blog and thanks for supporting this one that helps me to start on the blog stuff

 

Yes, starting this month (January 1^st to be accurate), I got the MVP (Most Valuable Professional) award for 2010!, as you should know this award is given by Microsoft to outstanding members of Microsoft's technical communities based on contributions made during the previous 12 months to offline and online Microsoft-related technical communities. Of 100 million technical community participants worldwide, about 5,000 are MVPs. Outstanding technical community members are nominated by their peers, Microsoft employees, and MVPs. Each year a panel of Microsoft employees reviews the contributions of each nominee for quality, quantity, and level of impact on the technical community. I am very proud to be an MVP on Windows Desktop Experience, and thanks to all of you to support me, and of course to be here and read the blog and share your problems, comments and give live to this blog!... Thank you!

 Hi, this article I need to thanks to Wendy Tapia, since she wrote most of it, and is a problem that maybe you will face it... the steps needed to configure a Windows 2008 child domain in a Windows 2003 Domain environment, the main problem of course will be the schema that needs to be updated, and other minor things, that I hope that you will find useful.

I am considering that you have already configured a windows 2003 domain and you just want to add a windows 2008 child domain so it is necessary follow the next steps

1.      Raise functional level

You can see the steps needed to raise the functional level in your windows 2003 domain machine. 

1.      In the Windows 2003 machine domain  Go to start and select  “Administrative tools” >”Active Directory Domains and Trusts”  

2.      Right click in the domain where the child domain will be added and select “Raise domain functional level” when the “Active Directory Domains and Trusts” window appears.  

 3.      Select “Windows server 2003”  domain functional level and click on “Raise” button 

4.      Click on “ok” button in the Warning text box message

5.      Click in “Ok” button in the information textbox message 

2.      Run Adprep /forestprep to prepare the schema

Now you can see the steps needed to prepare the schema from schema31.ldf to schema47.ldf in your windows 2003 domain machine.

1.      Load  the CD installer of “windows 2008”  

2.      Open the CD and open the “Support” folder contained in the CD installer 

3.      Copy the “adprep” folder contained in the “Support” folder to C:\ 

4.      Go to start an run cmd

5.      When the cmd window is opened set the command “cd C:\adprep”

6.      When the directory had been changed set the command “adprep32 /forestprep”

7.      Type “C” and press enter after the ADPREP WARNING message appears

8.      Wait until the message “Adprep successfully updated” appears

9.      Set the command “adprep32 /domainprep  /gpprep”     

10.   Wait until the message “Group policy object (GPO) has been updated” appears 

3.      Run DCPROMO 

When all the previous steps has been configured the windows 2008 machine is ready to be configured as a child domain. To configure the machine follow the next steps. 

1.      Go to start and run “DC PROMO” (if this is the first time you run DC PROMO in the windows 2008 machine wait until the Active Directory are being installed) 

2.      Check “use advanced mode installation” option in the welcome window in the configuration wizard and click on next in the follow window

3.      Check  the options “Existing forest ”and “Create a new domain in an existing forest” ,click on the “next” button  

4.      Fill the domain name information where the child domain will be added and set the correct credentials, click on the “Next” button. 

5.      Fill the information with FQDN of the parent domain   and the domainchild name, click on the next button. 

6.      Wait until the examining  active directory is validate (at this point no error message appears)

 

7.      Click on next in the windows where the NETBIOS name for the child domain has been generated 

8.      Change the domain functional level to “Windows 2003” and click on next

9.      Select the “Default Site name ” and click on next

10.   Uncheck the DNS option and click on next  

11.   Click on “YES” in the Warning text box message  

12.   Click on next in the “Source domain controller” window

13.   Click on next in the “location log files, active directory” window

14.   Set the credential for the Restore mode and  click on next

15.   Review the selection and click on Next in the summary window 

16.   Wait until all the component being installed  

17.   Click on finish in the completing  installation window

18.   The Child domain has been created successfully, restart the machine and you are done!!!!

Hi all....

Yes another year more, and I got another opportunity to be in the TechEd Europe (in Berlin this time), this time I went to the Springboard Booth (that was more in charge of the Windows 7!) as TLC what was known in the past as proctor or Ask The Expert (ATE), all the week was very busy since a lot of people was needed to attend that comes with questions regarding Windows 7, and of course about what is Sprinboard, and I hope that all of you know, but if you don't I encourage you to visit the site www.microsoft.com/springboard, that is a one stop shop location to find all the information about Windows Client (XP, Vista, Windows 7), you want to know what is new?, well in Springboard site you will find everything that you need about it that is in all the microsoft site, like a portal for all the information: videos, walktroughs, blogs, technical documents, etc., also you need to know how to deploy?, then enter to springboard, select deploy and you will find everything related just to deployment. Well, was really fun and the week passes too quickly, just keep now a good memories about it. Now some pictures about what was the TechEd and Berlin

 

O.k. be warned, since following the Microsoft Windows Server division blog, was decided that by July 13 of 2010, Windows 2000 will no longer be publicly supported but will be able to continue using "Self-Help Online Support". And for Windows Server 2003 and Windows Server 2003 R2 (at a supported service pack level) will move from the Mainstream Support phase to the Extended Support phase, as well was confirmed that will be no Service Pack 3, so what you currently have is what you will have it going forward.

In any case to understand better those phases see the picture below to have a better idea of what those phases means and what kind of support you should expect: 

So consider this for future testings, purchases and of course be sure what you will expect from support after July 2010

Yes!, starting today, now you can download the Windows 7 RTM if you have a TechNet+ or MSDN Subscription!, however it appears that the traffic is very heavy today since the download speed is not as high as was the other days (today is around 100 Kbps!)... anyway is time to install the RTM version... remember the schedule of availability for download from my previous post, and happy downloading!!

Yes, finally after months and months of news about it, Windows 7 and Windows Server 2008 R2 are now RTM (Released to Manufacturing). The big question right now is when you can get it, so there is nice post from Windows Team Blog, that explains when you can get it, for example if you are an IT Pro with the Technet Subscription, then you will be able to get it since August 6th, if you are a Developer with MSDN Subscription, then you will be able to get it by August 6th as well (just in English) and all the remaining Languages by October 1st!, for Microsoft Partner Program Gold/Certified Members will be able to download by August 16th, and so on, check for more details, but in any case remember that the GA (General Availability) date will be October 22, so if you are not in those groups don't worry you will get it later!!, more information about this big milestone find in the Windows Server 2008 R2 blog and Windows 7 blog.

Well, if you were using the Net Print command (you know that this command was very used in Windows 2003 to display information about the specified print queue or to control a specific print job) that was present on Windows Vista and Windows 2008 as well. So take care now, since in Windows 7 and Windows Server 2008 R2 this command was deprecated, in order to perform the same functions you will need to use WMI or Powershell as alternatives. In any case the Windows team will release a KB as soon the versions becomes available. So meanwhile take care!

Some people asked me of how to use IPSec with Windows 2008, well the IPSec has changed compared to Windows 2003 and XP, well that changed a little bit, since we now manage from another console (plus the Windows Advanced Firewall). To begin with this let’s say that you have the Machine "A", and want to use IPSec for the communication that is between port 3389, we will use the ‘non recommended procedure’, but the good thing is that you can configure this very quickly and test it in your non production environment. So let’s begin:

1. Create an IPsec Negotiation policy on Computer "A"

1.　　　 On Computer "A", click Start, click All Programs, click Administrative Tools, and then click Local Security Policy.

2.　　　 Right-click the IP Security Policies on Local Computer node, and then click Create IP Security Policy.

3.  　　 On the Welcome screen of the IP Security Policy Wizard, click Next.

4.　　　 In the Name box, type Secure3389. In the Description field, type Policy to encrypt SMB, and then click Next.

5.  　　 If you will NOT have in your environment machines earlier than Windows Vista then ensure that Activate the default response rule is not selected and go to step 7, and then click Next.

6.　　　 In the Default Response Rule Authentication Method, choose the option: Use this string to protect the key exchange (preshared key): and type $ecrET

7.  　　 In the Completing the IP Security Policy Wizard dialog box, ensure that Edit properties is selected, and then click Finish.

8.　　　 In the Secure3389 Properties dialog box, click Add.

9.  　　 In the Welcome to the Create IP Security Rule Wizard, click Next.

10.            In the Tunnel EndPoint dialog box, click This rule does not specify a tunnel. Click Next.

11.      In the Network Type dialog box, click All network connections, and then click Next.

12.            In the IP Filter List dialog box, click Add.

13.      A new dialog box called IP Filter List appears. Type Secure3389TCP, and then Add.

14.            On the Welcome screen of the IP Filter Wizard, click Next.

15.      In the Description text box, type 3389 IPsec Filter. Click Next.

16.            In the IP Traffic Source dialog box, click Any IP Address, and then click Next.

17.      In the IP Traffic Destination dialog box, click Any IP Address, and then click Next.

18.            In the IP Protocol Type dialog box, click TCP in the drop-down list, and then click Next.

19.      In the Protocol Port dialog box, select From this port, type 3389 in the text box, select To Any port, and then click Next.

20.            On the Completing the IP Filter Wizard screen, click Finish, and then click OK.

21.      In the IP Filter list, select Secure3389TCP, and then click Next.

22.            In the Filter Action dialog box, click Add.

23.      In the Filter Action Wizard dialog box, click Next.

24.            In the Filter Action Name dialog box, type Secure3389Filter, and then click Next.

25.      In the Filter Action General Options dialog box, select Negotiate Security, and then click Next.

26.            In the Communicating with computers that do not support IPsec dialog box, select Do not allow unsecured communications, and then click Next.

27.      In the IP Traffic Security dialog box, select Integrity and encryption, and then click Next.

28.           On the Completing the IP Security Filter Action Wizard screen, click Finish.

29.      In the Filter Action dialog box, select Secure3389Filter, and then click Next.

30.            In the Authentication Method dialog box, select Use this string to protect the key exchange (preshared key), type $ecrET and then click Next.

31.      On the Completing the Security Rule Wizard screen, click Finish.

32.             In the Secure3389 Properties dialog box, click OK.

Task 2: Assign the Policy

Since you already have the policy created this is still not active until you activate it, so to do it, you need to:

1.　　　 On Computer "A", click Start, click All Programs, click Administrative Tools, and then click Local Security Policy.

2.　　　 Go to the IP Security Policies on Local Computer node and in the right pane right click the Secure3389 Policy and select Assign.

You are done!, you configure IPSec under the 3389 port, now let’s see how you need to configure the clients in order to be able to communicate between them.

Windows Vista or Machine "B"

In Windows Vista client, the process is similar to the one that I presented before, so you can execute the steps 1 trough 32 and then you will be able to connect, or you can export the policy from windows 2008 and import it on Windows Vista, with this procedure:

1.　　　 In the Local Security Policy Microsoft Management Console (MMC) console, right-click IP Security Policies on Local Computer, click All Tasks, and then click Export Policies.

2.　　　 In the Save As dialog box, type C:\IPSecPolicy\IPsecurityPolicy3389.ipsec, and then click Save. (and then save that ipsec policy on a USB key)

Import the security policy to Windows Vista machine (Machine "B"):

1.　　　 On Windows Vista machine, open the local security policy. To do this, click Start, click the Start Search dialog, and then type: gpedit.msc.

2.　　　 Navigate to Computer Configuration  Windows Settings  IP Security Policies on Local Computer.

3.　　　 Right-click IP Security Policies on Local Computer, click All Tasks, and then click Import Policies.

4.  　　 Is good to Read the IP Security Import warning, after that click Yes.

5.　　　 In the Open dialog box, navigate to the USB key (where you should have the file), and then double-click IPsecurityPolicy3389.ipsec.

We finish!, of course if you have access (in a LAN) to the file you can share in a directory and copy more easily.

Now you can try, and have the 3389 communication protected under IPSec!

Another thing is the enforcement, for that you need to use the Advanced Windows Firewall and configure a Security Association with this procedure:

Configure a Security Association rule in the Windows Firewall with Advanced Security MMC

1.　　　 On Computer "A", click Start, click Administrative Tools, and then click Windows Firewall with Advanced Security.

2.　　　 Select and then right-click Connection Security Rules, and then click New Rule.

3.  　　 In the New Connection Security Rule Wizard, select Server-to-server, and then click Next.

4.　　　 In the Endpoints dialog box, select Any IP Address for both options, and then click Next.

5.　　　 In the Requirements dialog box, select Require authentication for inbound and outbo und connections, and then click Next.

6.　　　 In the Authentication Method dialog box, select PreShared key, type $ecrET in the text box, and then click Next.

7.　　　 On the Profile page, verify that the Domain, Private, and Public options are selected, and then click Next.

8.　　　 In the Name box, type SecureServerAuthenticationRule, and then click Finish.

9.  　　 Perform steps 1 through 8 on Computer "B".

And now you are completely done… enjoy your IPsec connection between them