About
You arrived at the weblog of Geert Baeke. I am a technology consultant for a company called Xylos (Belgium). I mostly work with Microsoft technologies such as Windows, Active Directory, Exchange, Sharepoint, MSCS, and more. I am also actively busy with VMware's products, focussing on VMware ESX.

View Article  Microsoft: Windows Server 2008 RODC Compatibility Pack

From Jorge's Quest For Knowledge I learned that there is a compatibility pack for Windows Server 2003 and XP clients that are deployed in conjunction with Read-Only Domain Controllers (RODCs). Because an RODC is read-only, several functions might not work as expected and those are described in KB article 944043.

View Article  Server Core: CoreConfigurator Updated

CoreConfigurator is a great tool to easily configure Windows Server Core using a simple GUI. The CoreConfigurator tool has now been updated with a couple of new functions:

  • Windows Update configuration
  • Windows Server Backup performance setting: full or incremental backups

Download the new version here.

View Article  IE7 on Vista Troubles

After redirecting the Favorites folder on Vista to a different location I could not save a link in my favorites. It turns out you have to run the following command:

icacls "path_to_new_favorites_folder" /setintegritylevel (OI)(CI)low

This has something to do with IE in protected mode and the integrity levels that were introduced in Vista.

I also found out that I could not print a web page. To solve that I had to create a directory called low under my temp folder and also set the integritylevel with the icacls command.

View Article  Want some extra features for Windows Server 2008 Terminal Services?

Check out PowerTerm WebConnect for WS08 if you want some extra features for Windows Server 2008 Terminal Services for free:

  • Ability to publish multiple applications from multiple terminal servers in one step.
  • Ability to publish applications to specific users and groups.
  • A web interface with single sign-on that only shows your published applications (and not all of them like in Windows Server 2008)

Note that WebConnect is not completely free. When you download the installation package you actually install the full version. After 30 days, only the free features remain with some limitations. More information about these limitations can be found here.

View Article  Quickies
  • Microsoft released the Microsoft Remote Server Administration Tools for Windows Vista with SP1. Download the correct version for your operating system: x86 | x64
  • They also released an update to enable remote management of Hyper-V RC0: x86 | x64
  • If you did not take a look at Hyper-V yet, now is a good time. The release candidate works a lot better than the beta. I installed it on a quad core box with 8GB of RAM and it is quite fast. And with support for Vista SP1 and Windows XP SP3 it is much more useful especially as a test environment.
  • You don't like to configure Windows Server 2008 Server Core using the command line? Then this is something for you: CoreConfigurator.
  • If you want to setup your own ESX 3.5 (or 3i) server, take a look at the ASUS P5BV-SAS motherboard. It comes with an LSI Logic 1068 RAID controller, built-in VGA and supported network cards (2x 1Gb). I plugged in a quad core Intel CPU, 8GB of RAM and 4 500GB SATA disks. ESX installs perfectly on this box and the performance is quite good!
View Article  Want some good articles about Windows Server Core?

Check out the following blog: The things that are better left unspoken. Lots of good Server Core info about IP configuration, page files, remote desktop and more.

Go check it out already!

View Article  Windows Server 2008: Sample sysprep unattend file

If you are testing Windows Server 2008 in a virtual environment you probably get tired of answering setup prompts after each new template gets deployed. Although you can use sysprep as with Windows Server 2003, the answer file for sysprep has changed quite a bit.

The answer file is now an XML file instead of an INF file. In the past, you could generate the answer file with setupmgr.exe but that cannot be done with Windows Server 2008. Instead, you will need to use Windows System Image Manager to create the XML file. Windows System Image Manager is part of WAIK and can be downloaded here. Although much more powerful, Windows System Image Manager is not as easy to use as setupmgr.exe.

The XML file I generated with Windows System Image Manager is very basic but enough to do the job of automating sysprep. Here it is for x86 and nl-be regional settings:

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="specialize">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <ComputerName>*</ComputerName>
            <ProductKey>AAAAA-BBBBB-CCCCC-DDDDD-EEEEE</ProductKey>
            <RegisteredOrganization>Org</RegisteredOrganization>
            <RegisteredOwner>Org</RegisteredOwner>
            <ShowWindowsLive>false</ShowWindowsLive>
        </component>
        <component name="Microsoft-Windows-Security-Licensing-SLC-UX" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <SkipAutoActivation>true</SkipAutoActivation>
        </component>
    </settings>
    <settings pass="oobeSystem">
        <component name="Microsoft-Windows-International-Core" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <InputLocale>nl-be</InputLocale>
            <SystemLocale>nl-be</SystemLocale>
            <UILanguage>en-us</UILanguage>
            <UserLocale>nl-be</UserLocale>
        </component>
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <OOBE>
                <HideEULAPage>true</HideEULAPage>
                <NetworkLocation>Work</NetworkLocation>
                <ProtectYourPC>1</ProtectYourPC>
                <SkipUserOOBE>true</SkipUserOOBE>
            </OOBE>
            <RegisteredOrganization>Org</RegisteredOrganization>
            <RegisteredOwner>Org</RegisteredOwner>
        </component>
    </settings>
</unattend>

To actually use this XML file, you copy it to your template. I copied mine as sysprep.xml to c:\windows\system32\sysprep. That is the folder on a Windows Server 2008 system where sysprep.exe is located by default. From that location, you execute the following command:

sysprep /generalize /oobe /shutdown /unattend:sysprep.xml

The system will shut down. The next time you start this system (or better, a copy of it), it will ask you nothing and install with the settings in the XML file. The computer name will be generated automatically because ComputerName is set to * in the answer file.

Update: if you want to use this unattend file on an x64 system, replace x86 with amd64.
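
The x86-to-amd64 switch from the update above, as an added example that is not part of the original post: Python that retargets every component of an answer file without disturbing the rest of the text, re-parses the result to prove the change was complete, and reports what should be reviewed before the file is copied into a template. The function names and the shortened sample file are made up for the illustration, and treating any element whose name ends in Password as sensitive goes beyond what the post's file contains.

```python
import re
import xml.etree.ElementTree as ET

NS = "{urn:schemas-microsoft-com:unattend}"
ARCHES = ("x86", "amd64")  # the two values the post mentions

# Constructed sample: a shortened copy of the answer file shown above.
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
      <ComputerName>*</ComputerName>
      <ProductKey>AAAAA-BBBBB-CCCCC-DDDDD-EEEEE</ProductKey>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-International-Core" processorArchitecture="x86">
      <UserLocale>nl-be</UserLocale>
    </component>
  </settings>
</unattend>
"""

def components(xml_text):
    """Return (pass, component name, architecture) for every component."""
    root = ET.fromstring(xml_text.encode("utf-8"))  # ParseError if malformed
    return [(s.get("pass"), c.get("name"), c.get("processorArchitecture"))
            for s in root.findall(NS + "settings")
            for c in s.findall(NS + "component")]

def audit(xml_text):
    """List problems worth fixing before the file is copied into a template."""
    findings = []
    arches = sorted({a or "(missing)" for _, _, a in components(xml_text)})
    if len(arches) > 1:
        findings.append("mixed processorArchitecture: " + ", ".join(arches))
    findings += ["unexpected processorArchitecture: " + a
                 for a in arches if a not in ARCHES]
    for el in ET.fromstring(xml_text.encode("utf-8")).iter():
        tag = el.tag.replace(NS, "")
        # ProductKey is in the post's file; the Password suffix is an assumption.
        if tag == "ProductKey" or tag.endswith("Password"):
            findings.append("sensitive element in clear text: <%s>" % tag)
    return findings

def retarget(xml_text, arch):
    """Switch every component to arch, leaving the rest of the text untouched."""
    if arch not in ARCHES:
        raise ValueError("unsupported architecture: " + arch)
    new_text, count = re.subn(r'processorArchitecture="[^"]*"',
                              'processorArchitecture="%s"' % arch, xml_text)
    result = components(new_text)  # re-parse to prove the edit was complete
    if count != len(result) or any(a != arch for _, _, a in result):
        raise ValueError("not every component was retargeted")
    return new_text

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(components(retarget(SAMPLE, "amd64")))
```

The rewrite is done on the text rather than by re-serialising the parsed tree, so the xmlns:wcm and xmlns:xsi declarations that Windows System Image Manager writes stay exactly as generated.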

View Article  Windows Integrity Levels

Windows Integrity Levels (or WIC, Windows Integrity Control) is a system that labels an object with an integrity level. There are six such levels:

  1. Trusted Installer
  2. System
  3. High
  4. Medium
  5. Low
  6. Untrusted

WIC is available on Vista and Windows Server 2008.

Mark Minasi has an interesting article about it and a tool that allows you to work with these levels. The tool, chml, has more options than the built-in icacls.exe command. Check out the article here.

View Article  Microsoft: XP SP3 RC and Windows Server 2008 RC1

Microsoft have released XP SP3 Release Candidate (RC) and Windows Server 2008 RC1. You can download both from MSDN and Technet.

Windows XP SP3 contains mainly bugfixes and a lot of previously released enhancements for XP like MMC 3.0, MSXML 6, BITS 2.5 and WPA2. There are some new features as well:

  • Network Access Protection (NAP): also available in Vista and enforced using Windows Server 2008 infrastructure such as DHCP and NAP.
  • Windows Product Activation: it is not necessary to provide a product key during installation of a full, integrated installation of Windows XP SP3.

More information can be found here.

A feature that is not available is SSTP, the Secure Socket Tunneling Protocol. Like PPTP and L2TP/IPSec it is a VPN protocol, but all traffic is tunneled through an SSL connection over port 443. Windows Server 2008 RRAS provides the server side of SSTP tunneling and Vista SP1 contains the SSTP client portion. But XP SP3 does not seem to contain this feature yet.

Windows Server 2008 RC1 has one big new feature called Group Policy Preferences. Kurt Roggen has already blogged about it here and his blogpost clearly shows what the feature can do. Other info can be found on the Windows Server Division Weblog.

View Article  IT Forum 2007: First Day

I am at IT Forum Barcelona this week where today's sessions have just finished. It started with the keynote by Bob Kelly where a couple of things were announced and talked about. Of course, virtualization is still a big thing and an announcement was made that Windows Server Virtualization will be called Hyper-V. The role will be named like that but it will also be a separate product "Hyper-V Server". Not many details right now though.

Microsoft is really trying to focus on different levels of virtualization and they are repeating it in all sessions about it. The focus is on 4 levels of virtualization:

  • Server Virtualization (Virtual Server and Hyper-V)
  • Application Virtualization (SoftGrid or now to be called Microsoft Application Virtualization with the 4.5 beta)
  • Presentation Virtualization (TS, TS RemoteApp, TS Gateway)
  • Desktop Virtualization (Virtual PC; to solve app-to-os issues)

But the big thing according to Microsoft is of course managing the virtualized environment with their System Center products. During the keynote, but also during another session (Virtualization 360), System Center Virtual Machine Manager was demoed. They already have a build where the Hyper-V name is used and they also had a couple of ESX 3i servers in the Hosts pane. According to Microsoft, somewhere next year, you will be able to manage your VMware servers as you do with VirtualCenter, including live migrations and so on.

Microsoft needs to focus on the bigger picture because they are still behind when it comes to server virtualization. We have Windows Server Virtualization running in our labs and it really is not that great yet. So focussing on management issues and other virtualization technologies is what keeps them going for now.

Some other things that were shown during the keynote were SQL Server 2008 and SCCM (System Center Configuration Manager 2007). A new November CTP of SQL 2008 will be available with almost all features. Some of the nicer features are the resource governor, policy-based management (can be tied into SCOM 2007) and a revamped report designer tool.

The SCCM demo mainly focussed on server deployment with add-on tools from Dell to change things like BIOS settings with just a few clicks.

The last part of the keynote showed another great enterprise technology, Windows Home Server ;-). It looks ok but is really targeted at the average consumer who wants a home server with some backup capabilities.

View Article  Windows Essential Business Server

Previously code-named "Centro", Windows Essential Business Server is a new integrated multiserver solution designed for midsize businesses. The product is based on Windows Server 2008 and it combines software for management, messaging and security.

The products that are in the solution are Windows Server 2008 with Active Directory Domain Services, Microsoft System Center Essentials, Microsoft Exchange Server 2007, Microsoft Forefront Security for Exchange Server and Microsoft Internet Security and Acceleration Server (ISA). Those are just for the Standard edition. The Premium edition also includes Microsoft SQL Server 2008 Standard Edition.

Like Small Business Server, the product should be cheaper than buying the separate licenses and administration should be a lot simpler from one unified console. Especially the addition of System Center Essentials is interesting because it allows the administrator to more effectively manage the infrastructure. For more info about System Center Essentials go here. Also check out this intro video here.

You can find the Microsoft PressPass announcement here. You can also see the product in action at IT-Forum in Barcelona next week. I am going to IT Forum so I definitely will have a look.

View Article  DHCP: Callout DLL for MAC address filtering

If you want to filter out DHCP requests to DHCP Server based on MAC addresses, check out the Microsoft Windows DHCP Team Blog. Interesting add-on that should work on Windows Server 2003 and 2008.

View Article  Windows Server 2008: Failover Clustering with iSCSI

Creating a failover cluster with iSCSI disks is quite simple but there is one thing you need to be sure of: support for persistent reservations by your iSCSI target. I tried to create a failover cluster with iSCSI disks served off an OpenFiler target but that did not work.

But how do you know it will not work? Well, the good thing is that Windows Server 2008 has a Cluster Validation tool that will tell you if your configuration is supported. The images below show parts of the validation tool.

 

Select the servers to verify:

image

You can select the tests to run:

image

The validation tool is part of the Failover Cluster Management console that will be available to you when you install the Failover Clustering feature.

After it became clear that OpenFiler was not going to work, I switched to RocketDivision's StarWind iSCSI Target for Microsoft Windows. I downloaded the 30 days trial because the free version does not support clusters. The iSCSI target works fine with Microsoft's iSCSI Initiator in Windows Server 2008 and it supports everything that is needed to create a failover cluster.

As the iSCSI target server, I used my laptop that runs Vista. I only needed small iSCSI disks so I created file-backed iSCSI disks with the mkimage.exe tool (part of StarWind). You create a disk file with the following command:

mkimage -sparse c:\image.img 1G

After you create the disk file, you need to "publish" it so you can connect to it using iSCSI. You do this by editing the starwind.cfg file (in c:\program files\rocket division software\starwind). In the <devices> section, add the following:

<device name="ImageFile0" file="c:\image.img" asyncmode="yes" clustered="yes"/>

After you save the file, stop and start the StarWind service.

Now you can present the disk to your Windows Server 2008 servers:

  • Open Control Panel.
  • Double-click the iSCSI Initiator icon and answer the prompts that appear (to start the service, etc.).
  • In iSCSI Initiator properties:
    • In the Discovery tab, add the target portal (in my case, that is my Vista laptop).
    • In the Targets tab, click Refresh. You should see the iSCSI targets offered by StarWind. Click each target and click the Log on... button. Make sure you set the option to automatically restore the connection when the computer starts.
  • Close iSCSI Initiator properties (click OK).
  • In Disk Management (diskmgmt.msc) you should see an extra disk (not initialized yet)

To continue, make sure that the Failover Clustering feature is installed on each node. From Server Manager, select Features and then click Add Features. Select the Failover Clustering feature.

After installing the Failover Clustering feature, you can start Failover Cluster Management from Start / Administrative Tools. You can now create the cluster and add services and applications.

Watch out: if you do not initialize the disk, the cluster will be created as a Node Majority cluster and not as a Node and Disk Majority cluster. To create a Node and Disk Majority cluster, initialize and format the iSCSI disk as NTFS on one node.

The screenshot below shows the management console (with some services configured).

image

I am not showing how to create the cluster because they really made this child's play. It was not that difficult before, but now it is even simpler.

Now you have a quick and easy way to create a Windows Server 2008 cluster for testing and evaluation of the features. Have fun!

View Article  Windows Server 2008: SSTP

SSTP or Secure Socket Tunneling Protocol is a new type of VPN connection that uses port 443. SSTP is part of Windows Server 2008 RRAS (Routing and Remote Access). On the client side, you need Vista SP1.

The setup is very simple. Just set up RRAS on Windows Server 2008 and follow the wizard. When you set up the VPN, ports will be created for PPTP, L2TP and SSTP:

image

The RRAS wizard does not help you with the required certificate. It does not matter how you get the certificate (online CA, public CA, ...) but you need to make sure you store the certificate in the Computer store (Personal):

image

On the client side, make sure that the computer (not the user) recognizes the SSTP certificate. If you used your own CA, make sure that the CA certificate is in the Trusted Roots store of the computer. Then make a new VPN connection and select SSTP in the Networking tab:

image

That's it. You can now establish a VPN connection using only port 443 and forget about those typical NAT problems with IPSec VPNs or PPTP passthrough issues.

View Article  Windows Server 2008: Terminal Services and Desktop Experience

If you would like to publish applications with Windows Server 2008 and you would like to have the Windows Vista look and feel, take a look below.

You can get access to a published application from an .rdp file or from an .msi but in this case, I made the application available using TS Web Access:

image

When the user goes to the TS Web Access page and clicks the icon, a few dialogs will pop up because you have to authenticate. After that, Paint should appear in a seamless window like below:

image

This is fine but I would like the Vista look and feel because my client runs Vista. This is very simple to accomplish:

  1. On the Terminal Server, set the Themes service to automatic and start it.
  2. Force the Aero theme with a Group Policy: the setting is in User Configuration / Administrative Templates / Control Panel / Display / Desktop Themes and the setting is called: Load a specific visual style file or force Windows Classic. Then set the path to the theme file. It is %windir%\resources\Themes\aero\aero.msstyles.

When a user starts the Paint application from TS Web Access he/she will now get:

image

At first, I thought I had to install the Desktop Experience feature of Windows Server 2008 but that feature just adds client programs such as Windows Calendar, Mail, Photo Gallery etc...

As an additional tip: if you are trying this yourself and you use Windows Server 2008 RC0 or higher, make sure that you use Vista SP1 beta or Windows Server 2008 as the client for TS Web Access. For more info see this.

View Article  Windows Server 2008: Granular password policies revisited

In a previous article, I already talked about the granular password policies of Windows Server 2008. At that time they were a bit difficult to create because you needed to do it the hard way with adsiedit or ldp. It has gotten a lot simpler now with the Quest PowerShell cmdlets for Active Directory. It is a collection of cmdlets for querying Active Directory and creating new objects such as users and groups. On top of that, there are cmdlets for creating password settings objects (PSOs) to implement the granular password policies.

 
