
Monday, August 21, 2006

Advanced AD Troubleshooting and Theory

The dates for my course are now available at Cornerstone's website. Contact Cornerstone if you want to attend.

Friday, August 18, 2006

Tuesday, August 01, 2006

Sad day for MS/Good day for Jesper.

As you might know, Jesper M. Johansson is leaving Microsoft. He's a buddy and whatever makes him (and his family) happy makes me happy! Good luck with the new job!

As a MS employee he has been (to me):
- A good friend.
- Known as a "know-how" person.
- He's respected amongst his peers.
- His presentation skills are great (I wish I was half as good).

Future (knowing Jesper):
- A good friend.
- Known as a "know-how" person.
- He's respected amongst his peers.
- His presentation skills are great.
- Don't stop reading his blog! He will continue posting useful things.
- He will stay on top of his area.
- He will not leave the "security business"

When the new URL for his blog is known, I will post it.

Wednesday, July 05, 2006


So yet another question about how to find out the last logon time for users.... Ok, here is how it works in Windows 2003.

One of the new attributes in Windows 2003 is lastLogonTimestamp, which can be used to retrieve the last logon time for users. Good, so we have a new attribute to use! Sounds easy, right?

But this is not as trivial as you might think! lastLogonTimestamp does not always show the truth, since it is only replicated every 14 days... Then take into account that the value you read from the attribute is stored as a 64-bit integer counting 100-nanosecond intervals since January 1, 1601. (No, it was not MS's fault. It was the darn Cobol programmers!!)

And another funny thing is that VBScript can't handle 64-bit integers!!!!! So you need to break it down into two 32-bit integers with IADsLargeInteger, which has two properties:

highpart = stores the high 32 bits
lowpart = stores the low 32 bits

…then you add them to get a single value.

So what would a script that does this look like, you might wonder.

I will not just put the code here but rather I will walk you through how to “think” to solve it. (If you really need the code and don’t know how to write it, send me an e-mail).

  1. Use “Get” to retrieve the attribute (lastLogonTimestamp)

  2. Store the value in an IADsLargeInteger object

  3. Combine the highpart and lowpart values into one value by taking the highpart * (2^32) and adding the lowpart.

Ok, step 3, which is one line of code, will give us the last logon for a user. But it will give us the time as the number of 100-nanosecond intervals that occurred between Jan 1, 1601 and the user’s last logon.

The value might look like this: 2.5643571264596E+16

This, at least to me, looks kind of hard to read. And I bet the one who asked for the report will not be happy if you give him/her this….. So now we need to do something about it, but first a little bit on nanoseconds:

1 second = 1,000,000,000 nanoseconds = 10,000,000 100-nanosecond intervals (10,000,000 * 100 = 1,000,000,000). This means that there are 600,000,000 100-nanosecond intervals per minute.

  5. To find out how many minutes elapsed between Jan 1, 1601 and the last logon, we can take the last logon time and divide it by (60*10000000).

  6. If we want to find out the number of days that have elapsed, we divide the last logon time (now in minutes) by 1440 (which is the number of minutes per 24 hrs).

The above steps (5 and 6) can be done in one step if you want…..

  7. Now we know how many days elapsed since Jan 1, 1601, so we take that and add it to Jan 1, 1601 (“last logon time” + #1/1/1601#) and we get the result in an easy to read format!

But I assume it is W2K3; otherwise you need to use lastLogon, which is not replicated at all. That means you have to retrieve it from all DCs and then compare the values. Sounds boring, but it can be solved with some code...
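
The arithmetic from the walkthrough above, plus the per-DC comparison needed for lastLogon, as an added example that is not the author's script. It is written in Python rather than VBScript so it runs offline; the function names, DC names and sample values are constructed for illustration. It goes one step beyond the walkthrough in treating LowPart as unsigned, because IADsLargeInteger returns it as a signed 32-bit value.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_MINUTE = 60 * 10_000_000  # 100-nanosecond intervals per minute
MINUTES_PER_DAY = 1440

def combine(high_part, low_part):
    """Rebuild the 64-bit value from the two 32-bit halves.
    LowPart arrives as a signed 32-bit Long, so it is negative whenever its
    top bit is set; mask it to unsigned or the sum comes out 2^32 too small."""
    return (high_part << 32) + (low_part & 0xFFFFFFFF)

def ticks_to_days(ticks):
    """100-ns intervals -> minutes -> days since Jan 1, 1601."""
    return ticks / TICKS_PER_MINUTE / MINUTES_PER_DAY

def to_datetime(ticks):
    """Add the elapsed time to Jan 1, 1601 (UTC); 0 means no logon recorded."""
    if ticks == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def latest_logon(per_dc):
    """lastLogon case: combine each DC's halves and keep the newest value."""
    return to_datetime(max(combine(h, l) for h, l in per_dc.values()))

def split_signed(ticks):
    """Constructed-input helper: the signed halves a script would be handed."""
    high, low = ticks >> 32, ticks & 0xFFFFFFFF
    return high, (low - (1 << 32) if low & 0x80000000 else low)

# Constructed sample values; the DC names are hypothetical.
SAMPLE_TICKS = 127_965_744_000_000_000  # 2006-07-05 12:00:00 UTC
PER_DC = {
    "dc1": split_signed(SAMPLE_TICKS),
    "dc2": split_signed(SAMPLE_TICKS - 9 * 864_000_000_000),  # 9 days earlier
    "dc3": (0, 0),  # the user never logged on against this DC
}

if __name__ == "__main__":
    print(ticks_to_days(SAMPLE_TICKS), latest_logon(PER_DC))
```

When a stale-account report is built on lastLogonTimestamp, the 14-day lag described above has to be added to the inactivity threshold, or recently active accounts will be flagged.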

Saturday, June 24, 2006


Yep, here once again with Carola, if we could give anyone advice for visiting Rome it would be:

  • Stay at the Hilton Cavalieri.

  • Go to the private club “Blue” by the sea (40 minutes by car from the hotel and the hotel will arrange a private driver)

Oh! And just to mention, we got engaged the 20th of June at Blue!

More details later!

Sunday, May 21, 2006

Mark Arnold missed the plane

I’m not alone!!

My good friend Mark Arnold is visiting this weekend, he was supposed to fly in on Friday and land at 13.20... Guess what happens, he missed the plane… And no, he didn’t even try to get to the airport in time because he missed the date!! Yes, the man missed the plane by a day!!

BTW - if you have the chance to attend Exchange Forum in Sweden this week, check out Mark's presentation about Exchange 2007. I've had the luck to see the .ppts and it looks good, if Mark is speaking about Exchange I will listen.

Tuesday, March 14, 2006

Good cluster configuration...

I just remembered a conversation I had with a mate of mine, he stated that the only good cluster configuration is Inactive/Passive... Go figure.... :)

Monday, March 13, 2006

The fast recovery components


Creation of Shadow Copies
As I stated earlier, the creation process is initiated by the requestor (a backup program) contacting the Volume Shadow Copy Service (VSC service) to request a copy of the System State. The VSC service acts as a coordinator and notifies the System State writers to prepare their data for the creation of a shadow copy.
Once the data is ready for the actual backup process, each writer notifies the VSC service, which then relays the information to the backup requestor. The next step is that the requestor halts Active Directory I/O writes for as long as it takes the provider to create single point-in-time copies of the three volumes. Usually this takes just a few seconds and should have little to no impact on Active Directory operations.

After the copy is made, the VSC service is instructed to break the connection between the original and the copy. At this point the shadow copy becomes read-only and the original continues as usual (read/write). Now we are at the point where the shadow copy is no longer associated with a particular server and resides on the SAN until we need it.

Using EFS on virtual DCs

I just read this post about the possibility to use EFS to encrypt a DC that is running as a virtual machine. Sounds interesting, need to spend some time in the lab :)

Thursday, March 09, 2006

When do you need to recover AD?

...hopefully never!
But just in case, I will describe something called Fast Recovery during the following days...

There are alternatives to tape backups such as lag sites, but I will not go into that but rather I will talk about how it is possible to use shadow copies instead. I find it interesting and in conjunction with tape backups it can be effective.

The reason why I find this interesting is that it is fast and uses a mirroring process that doesn't affect system performance much. To understand this we need some information on how the underlying services work. Without getting into a bit-level discussion, I will give an overview:

Volume Shadow Copy (I will call it VSC)
With VSC you can create point-in-time snapshots of a volume. The service itself coordinates with other applications (backup software, for instance) and with storage hardware to enable app-aware data management, and it also supports backup of open files.

There are three components that are needed in order to make a full shadow copy:
1. Requestor, which is the utility that requests the copy (or rather, requests its creation).
2. Writer, this is the software (app-specific) that makes sure that the data is ready to be copied.
3. Provider, this component provides the functionality to make the copy. VSC can use a 3rd-party hardware provider if needed.

Virtual Disk Service (I will call it VDS)
To make it short, it provides volume management through a single Windows interface which is used to manage storage devices. It also provides APIs for ISVs and IHVs to create storage solutions. The service itself uses two CLI utilities, Diskpart and Diskraid. The Diskpart command is used to control creation, deletion and extension of dynamic and basic disk partitions. Diskraid is used to configure hardware RAID; to be specific, it is used to create, extend, delete and unmask LUs (logical units) on SANs.

Well, it simply makes your VSC data available for use. It does this by unmasking the backups stored on the SAN. This means that it makes them visible and changes the status from read-only to read/write. It also mounts the volume on the server. The whole process is called transport and is a virtual process, since the data is on the storage array.

That is all I have time for now, got to catch a flight. I will continue another day :)

Windows Server 2003 Disaster Recovery

As many of you already know, besides the project in Finland I also do a tour (ExpertZone) in Sweden. One of the sessions is about troubleshooting AD and I get a lot of questions about recovery and the different ways of doing it.

Most people tend to have similar questions so I will start a series of posts about this topic, so keep an eye on this blog if you're interested in disaster recovery :)

Saturday, February 25, 2006

Securing Exchange 2003

A friend of mine that happens to be an Exchange MVP just told me the secret of securing Exchange. Do you want to know?

“Don’t break the seal!”
     - Mark Arnold, February 25, 2006

Friday, February 24, 2006

Mark has arrived...

Landed at Arlanda, went to the bar to get a beer while waiting for M. Arnold. Realized I had nothing to do! So, as the geek I am I pulled up my two laptops and started to work on my next presentation.

Mark finally calls and says that he’s waiting for his bag; I pack up my things and get to the luggage belt, surprise! No Mark, the bloody Englishman had wandered off so I go through the customs and see the cabbie with a big sign “M. Arnold” and there were only about 7 people outside but no Mark.
I call him and he’s nearby, mind that the cabbie is the first thing you see after customs, but NO, Mark didn’t see him and walked past him…

We’re off to a good start….. ;)

Wednesday, February 22, 2006

Advanced AD Troubleshooting and Theory

As I said in an earlier blog, my troubleshooting course is available at Cornerstone. I have changed the name to Advanced AD Troubleshooting and Theory. Please notice the course code T640 if you want to attend.

This weekend Mark is in Sweden!

This weekend Mark is coming to my place in Uppsala! Carola has planned his activities and I’m not sure what is going to happen other than I had to go get some good champagne and wine and book a table at Mancini. That was all she trusted me to do!
Well, to be honest she knows us far too well and she has seen us goofing around in Amsterdam and London with her own eyes already. But in our defense, in Amsterdam we had Gianluca, Olaf, Steve and Daniel (last name left out to save the innocent) in the same apartment and in London we spent the time (not the same apartment) with Nick, Oli and Steve… Yeah, if you know which ones I’m talking about you know how the rest went. ;)

Well, it is always good to have one of your best friends visiting and it will be fun and hopefully relaxed. As I said, I have only one plan and that is to take him to the best restaurant in Stockholm, after that Carola is in charge.

Ok, I know I haven't been updating...

Ok, I know it was a month ago since I last updated this blog, to be honest I haven’t had much time. Since the last post I’ve worked about 17 hours on average almost 7 days a week and as many of you know, that never goes well since the Enterprise Admin in my house also wants to spend time with me (still)…

What have I been up to you might ask, well first of all I’ve spent most of my time in Finland on a project for HP as a subcontractor. We are doing a company split and it is more work than I signed up for… But it is a challenge; sometimes fun and sometimes not. You all know how it is, some good and some bad as always in a project this size.

If that was not enough I also do a seminar series for Cornerstone called ExpertZone. This time the main theme is Active Directory & MIIS where I present two sessions, Active Directory Future and Active Directory Troubleshooting. First session is about the original idea with Active Directory and what lies ahead for the future (well, at least what I can say without breaking NDA) and the second one I don’t think I have to explain… ;)
We’ve been in Stockholm last week, next week is in Gothenburg and then I think we are going to Sundsvall…?

I just visited the website for Exchange Forum here in Sweden, I’m going to speak about how to use Monad to administrate Exchange 12, and realized a lot of my friends are also speaking there! I’m already looking forward to it!

Besides this I had 4 days where I was in Sandviken and trained their global Active Directory team in troubleshooting, obviously my own course tweaked to suit their needs. Sandvik is an interesting company with all the challenges you need as an Active Directory admin, it is kind of big and if memory serves they have a presence in 131 countries. They were a lot of fun and we had a good time, last day we did more like a Q&A with a lot of people outside their Active Directory team.

Well, now I’m back at Hilton in Helsinki sitting by the open fire in the bar and just relaxing…