Friday, December 17, 2010

Win 2008 R2 RDS Resource Kit is out!

The Windows Server 2008 R2 Remote Desktop Services Resource Kit is out now and available!

Check it out on Microsoft's learning site:
http://www.microsoft.com/learning/en/us/Book.aspx?ID=14232&locale=en-us



Tuesday, December 14, 2010

Test a remote SQL connection very quickly and easily

I ran across a very useful MSDN blog post today and thought I’d share it. It explained a very quick and easy way to test a SQL connection and verify if you can logon with a specified account.
Here’s how:


Go to any folder on the system from which you want to test the connection, and create a new (empty) file.

Then change the extension to .UDL.

When you open that file you can easily see any SQL server within your reach.

And then easily test the connection for a specified account (in this case Windows Integrated security) by just opening the database list or pressing Test Connection.

I think this is a very useful way to quickly check a connection without having to configure or install anything.
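The same check done from PowerShell, as an added example that is not from the original post or the MSDN post it refers to: it lists the instances the UDL dialog would offer, then opens a connection with Windows Integrated security and returns the login SQL Server actually saw plus the database list. The instance name is an assumed placeholder.

```powershell
# Added example (not from the post): the checks the .UDL dialog performs, done with the
# .NET SqlClient provider. $Server is an assumed placeholder; the account tested is the one
# running this PowerShell session (Windows Integrated security, as in the post).
param([string]$Server = 'SQLSRV01\INST01')   # assumed placeholder instance name

Add-Type -AssemblyName System.Data

function Get-ReachableSqlInstances {
    # Same list as the 'Select or enter a server name' dropdown in the UDL dialog:
    # instances that answer the SQL Browser discovery broadcast on the local network.
    [System.Data.Sql.SqlDataSourceEnumerator]::Instance.GetDataSources() |
        Select-Object ServerName, InstanceName, Version
}

function Test-SqlLogon {
    param([string]$DataSource)
    # Integrated Security=SSPI authenticates as the caller, so no password is written anywhere.
    # A .UDL saved with a SQL login and 'Allow saving password' stores that password in clear
    # text in the file; prefer SSPI for tests and delete throw-away .UDL files afterwards.
    $cs   = "Data Source=$DataSource;Integrated Security=SSPI;Connect Timeout=5"
    $conn = New-Object System.Data.SqlClient.SqlConnection($cs)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT SUSER_SNAME()'      # the login SQL Server actually saw
        $login = [string]$cmd.ExecuteScalar()
        $cmd.CommandText = 'SELECT name FROM sys.databases ORDER BY name'   # the UDL database list
        $dbs = @()
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) { $dbs += $reader.GetString(0) }
        $reader.Close()
        New-Object PSObject -Property @{ Success = $true; Login = $login; Databases = $dbs }
    } catch [System.Data.SqlClient.SqlException] {
        # Error 18456 = login failed for this account; other numbers are usually name resolution,
        # firewall or the instance not listening (the same failures the Test Connection button shows).
        New-Object PSObject -Property @{ Success = $false; Number = $_.Exception.Number; Error = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

Get-ReachableSqlInstances | Format-Table -AutoSize
Test-SqlLogon -DataSource $Server
```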

Tuesday, December 7, 2010

Printing and RDS/TS, how acquaintances became close friends…

Now and then I spend some time on Microsoft’s Social TechNet forums at http://social.technet.microsoft.com/Forums, in particular the Remote Desktop Services (Terminal Services) forum. It’s interesting to see and read about what issues other people encounter when using RDS (formerly TS). The number of threads about printing would probably end up in the top 5, so I thought I’d devote a blog post to it. Nothing new though, just a thought, a little history and some personal experience.
Ever since the concept of Terminal Services, one of the major issues has always been dealing with printing services. Back in the old days (Windows Server 2003 pre-SP1 timeframe), when you wanted your users to be able to redirect their local printers, you had to install the appropriate drivers on (all of) the terminal servers in your farm. I think every administrator was really annoyed by that and had a hard time explaining to their customers what they had to do to make their printers even show up. Besides installing the drivers, you sometimes had a hard time even finding drivers that were compatible with Windows Server 2003 (especially with the x64 version!). And installing all kinds of drivers (and maintaining them regularly) didn’t make the terminal servers more reliable.
Along came third-party software that was able to redirect the printers without the need to install the drivers (e.g. Tricerat ScrewDrivers). This software however required a license per terminal server and wasn’t stable enough either.
Along with SP1 for Windows Server 2003 came the Fallback Printer Driver functionality. The idea behind this was that when a user connected to a terminal server with a printer that the terminal server didn’t have a driver for, a fallback printer driver was used. The idea was good, and basically it worked, but of course this wasn’t a foolproof solution. An end user expects that after he presses Print or CTRL-P a printer dialog pops up that shows the printer the user wants to use with all its features (like different trays etc.). So this solution was in fact what it was called, a fallback. With Windows Server 2008 along came Terminal Services Easy Print. I don’t think they could have chosen a more appropriate name. A blessing for all Terminal Server (Remote Desktop) administrators!
  • Use Terminal Services Easy Print printer driver first
    This policy setting is located in the following node of the Local Group Policy Editor:
    Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Printer Redirection
    The possible values are:
    • Enabled or Not configured: If this policy setting is enabled or not configured, the terminal server will first try to use the Terminal Services Easy Print driver to install all client printers. If for any reason the Terminal Services Easy Print driver cannot be used, a printer driver on the terminal server that matches the client printer will be used. If the terminal server does not have a printer driver that matches the client printer, the client printer will not be available for the Terminal Services session. By default, this policy setting is not configured.
    • Disabled: If you disable this policy setting, the terminal server will try to find a suitable printer driver to install the client printer. If the terminal server does not have a printer driver that matches the client printer, the server will try to use the Terminal Services Easy Print driver to install the client printer. If for any reason the Terminal Services Easy Print driver cannot be used, the client printer will not be available for the Terminal Services session.
And to finish it off, here are some related recommended hotfixes:
946411 - FIX: When you print an XPS file on a Windows XP Service Pack 2 or Service Pack 3-based computer, the characters in the XPS file print incorrectly
954744 - FIX: Some pages are printed in the incorrect orientation when you use Terminal Services Easy Print to print a document that contains both portrait-oriented pages and landscape-oriented pages
954743 - FIX: After you apply hotfix 954744, printing performance may be significantly slower when you print documents by using Terminal Services Easy Print
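Three checks on the RD Session Host that correspond to the configuration above, as an added example that is not part of the original post: the policy state, the driver each redirected printer actually ended up with, and whether the listed hotfixes are installed. The registry value name UseUniversalPrinterDriverFirst is assumed to be the one this policy writes (verify against the ADMX on your server); the KB numbers are the three from the post.

```powershell
# Added example (not from the post). The registry value name is an assumption about what the
# 'Use Terminal Services Easy Print printer driver first' policy writes; check your ADMX.
function Get-EasyPrintPolicyState {
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).UseUniversalPrinterDriverFirst
    if ($null -eq $value) {
        # Not configured behaves like Enabled (see the policy text above).
        'Not configured: Easy Print is tried first, then a matching driver on the server.'
    } else {
        "Configured by policy, raw value $value (interpret via the ADMX for your OS version)."
    }
}

function Get-RedirectedPrinterDrivers {
    # Redirected client printers appear in a session as '<printer name> (redirected <session id>)'.
    # With Easy Print in use, DriverName is the Easy Print driver; a vendor driver name here
    # means the server fell back to a locally installed driver for that printer.
    Get-WmiObject -Class Win32_Printer |
        Where-Object { $_.Name -match '\(redirected \d+\)$' } |
        Select-Object Name, DriverName, PortName
}

function Test-EasyPrintHotfixes {
    # The three KBs from the post. 946411 is described there as a fix for Windows XP clients,
    # so on the server side expect it to be absent and check it on the clients instead.
    foreach ($kb in 'KB946411', 'KB954744', 'KB954743') {
        $installed = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
        New-Object PSObject -Property @{ Hotfix = $kb; Installed = $installed }
    }
}

Get-EasyPrintPolicyState
Get-RedirectedPrinterDrivers | Format-Table -AutoSize
Test-EasyPrintHotfixes | Format-Table -AutoSize
```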

Friday, November 19, 2010

Multiple Credential prompts on Remote Desktop Remote Apps

An interesting article has been released today on TechNet about the multiple credential prompts when using RD RemoteApps. It describes a solution that is documented in KB977507 and involves editing the renderscripts.js which is located in C:\windows\Web\RDWeb\Pages\ on the RD Web Access server.

If you have the multiple credential prompt issue, it will be worth a try!

You can find the technet article here:
http://blogs.technet.com/b/askperf/archive/2010/11/19/getting-multiple-credential-prompts-when-connecting-to-remote-desktop-remote-apps.aspx

And you can find the KB article that it refers to here:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;977507

Friday, November 5, 2010

Provisioning SUN DS with FIM2010, and about chickens & eggs!

As an introduction, FIM2010 comes with an out-of-the-box management agent that is able to synchronize with SUN Directory Services. When using SUN DS 6.x, however, you first have to set the correct version of the SUN DS system in the registry of the machine that hosts the FIM Sync service, to prevent running into an “Unknown Server Version” error when performing an export or import. For FIM 2010 the key is called iPlanetMASupportedServers and is located in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FIMSynchronizationService\Parameters. I won’t go into more detail about that here because you can read all about it on several other blogs and TechNet.
In most cases the sync to SUN DS is pretty straightforward. You enter the details of your SUN DS server, use a SUN account that has the appropriate privileges and start flowing attributes. But, as with many directory services, you are able to extend the schema used in SUN DS to store extra attributes on, for example, the group object. When extending the schema in SUN DS, SUN DS wants you to create an extra objectclass and then create a “parent-child” relationship between the objectclass to be extended and the new objectclass. Although it might seem like a logical choice to select the objectclass type that you want to extend as the parent, in some customer environments you might find that the objectclass “top” is chosen as the parent. You can do so without any harm, because there is also a mandatory attribute “objectclasses” that allows you to specify all the objectclasses during the creation of an object, for example when you manually create an object.
But how does FIM handle this situation?
After you have extended the schema in SUN, you replicate the new schema changes using your SUN management agent in FIM and you’re ready to go. But! Since the attributes are now actually spread over two separate objectclass types in SUN, we run into an issue when using a synchronization rule in the FIM Portal. A sync rule in the FIM Portal lets us flow attributes to and from an external system; in order to do this FIM wants you to specify the MetaVerse resource type and the external system resource type. That raises the question which resource type we select for the external system, because we now have the option to select either the actual SUN DS Group objectclass or the newly created objectclass (the so-called child). And as you might have guessed, FIM can’t know about the relationship because “top” was defined as the parent in this example environment. So when we select the actual SUN DS Group objectclass we can only flow the attributes that exist within that objectclass; the attributes of the objecttype that we created for the extension are of course not included. And when we select the newly created objectclass type we can only flow attributes from that objectclass. Sounds like a chicken-and-egg problem, doesn’t it?
You could, of course, define two synchronization rules: one that flows the attributes of the actual SUN DS Group objectclass, and one that flows the attributes of the newly created objectclass type. But since you don’t have the attributes of the parent available when flowing to that newly created objectclass type, you (usually) don’t have an attribute available to build the relationship upon. Another solution would be to use an ECMA to build your own customized SUN DS MA, but that doesn’t make much sense since the MA for SUN DS is available out of the box. A solution would be (and I think should be) to define the actual SUN DS Group objectclass type as the parent of the newly created objectclass. This seemed the more logical choice from the start anyway. In that case we can select the newly created objectclass as the source on the synchronization rule and still have the attributes available that were defined on the extended objectclass.
The lesson here: Watch the (custom) objecttype classes and their relationship closely when flowing attributes to your SUN DS environment!
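A way to spot the parent objectclass before building the sync rule, as an added example that is not part of the original post: it parses objectclass definitions as SUN DS publishes them in the objectClasses attribute of cn=schema and reports the SUP of each, on a constructed sample and, optionally, against a live server. The server, bind DN and class names (exampleGroupExt, and groupOfUniqueNames standing in for the SUN DS group class) are constructed placeholders.

```powershell
# Added example (not from the post). Class names, server and bind DN are constructed placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function ConvertFrom-ObjectClassDefinition {
    param([string]$Definition)
    # RFC 4512 layout: ( OID NAME 'name' SUP parent STRUCTURAL|AUXILIARY MAY ( a $ b ) X-ORIGIN '...' )
    $name = if ($Definition -match "NAME\s+\(?\s*'([^']+)'")              { $Matches[1] } else { $null }
    $sup  = if ($Definition -match "SUP\s+\(?\s*'?([\w.-]+)")             { $Matches[1] } else { $null }
    $kind = if ($Definition -match '\b(STRUCTURAL|AUXILIARY|ABSTRACT)\b') { $Matches[1] } else { 'STRUCTURAL' }
    New-Object PSObject -Property @{ Name = $name; Parent = $sup; Kind = $kind }
}

function Get-SunDsObjectClasses {
    # Live query: SUN DS exposes its schema as the objectClasses attribute of the cn=schema entry.
    param([string]$Server, [System.Net.NetworkCredential]$Credential)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)   # 'host:389'
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = $Credential
    $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
        'cn=schema', '(objectClass=*)',
        [System.DirectoryServices.Protocols.SearchScope]::Base, [string[]]@('objectClasses'))
    $resp = $conn.SendRequest($req)
    $resp.Entries[0].Attributes['objectClasses'].GetValues([string]) |
        ForEach-Object { ConvertFrom-ObjectClassDefinition $_ } |
        Where-Object { $_.Parent -ne $null }
}

# Constructed sample: the two ways of extending the group class that the post contrasts.
$sample = @(
    # Parent 'top': FIM sees no relationship between this class and the group class.
    '( 1.3.6.1.4.1.99999.1.1 NAME ''exampleGroupExt'' SUP top STRUCTURAL MAY ( costCenter $ approver ) X-ORIGIN ''user defined'' )',
    # Parent = the group class: its attributes stay available when this class is the sync-rule source.
    '( 1.3.6.1.4.1.99999.1.2 NAME ''exampleGroupExt2'' SUP groupOfUniqueNames STRUCTURAL MAY ( costCenter ) X-ORIGIN ''user defined'' )'
)
$sample | ForEach-Object { ConvertFrom-ObjectClassDefinition $_ } | Format-Table Name, Parent, Kind -AutoSize

# Live use against a SUN DS instance (placeholder names):
# $cred = New-Object System.Net.NetworkCredential('cn=Directory Manager', 'password')
# Get-SunDsObjectClasses -Server 'sunds01.example.com:389' -Credential $cred | Where-Object { $_.Parent -eq 'top' }
```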

Friday, October 8, 2010

Passed exam 70-432 (Microsoft SQL Server 2008, Implementation and Maintenance)

I passed Microsoft exam 70-432 this week (Microsoft SQL Server 2008, Implementation and Maintenance). With only 40 questions it was a pretty short exam.
If you're going to be taking this exam, prepare for a big focus on database security. In my exam there weren't many questions about high availability solutions like clustering, database mirroring or log shipping (sections that I'm personally more interested in). Many questions were security related or involved backup and recovery.
And last but not least the exam contained some tricky questions about managing and maintaining SQL Server 2008 using T-SQL statements, so be sure to have some experience on that before taking the exam.


Wednesday, October 6, 2010

First book on FIM 2010

Recently the first book about Forefront Identity Manager 2010 (that’s not primarily about certificate management) has been released. One of the authors of the book is Microsoft MVP David Lundell. The book is the first in a series of volumes and is titled “FIM Best Practices Volume 1”.
I can advise anyone who wants to get to know the basics of FIM to read the book. It’s a very easy-to-read, pocket-size book. Although the book is an introduction, it’s also very valuable for people who already have FIM experience from the field.
You can read about the latest release of the book here: http://blog.ilmbestpractices.com/2010/09/errata-and-updates-to-fim-best.html
The book can be ordered through lulu.com.

Tuesday, October 5, 2010

Forefront Identity Manager 2010 and provisioning userfolders

As you might know, Forefront Identity Manager 2010 (FIM) can be used to provision objects to lots of different platforms. For synchronization to those different platforms FIM uses management agents. FIM 2010 comes with some management agents out of the box (see http://technet.microsoft.com/en-us/library/ff608275(WS.10).aspx). In case the platform you want to synchronize against isn’t listed (or in case it’s not fully satisfying your needs), FIM supports the so-called Extensible Connectivity Management Agent (ECMA). Using an ECMA you can use your own piece of code (e.g. C# or VB) to do the actual provisioning.
For example, an ECMA can be used to provision user folders (i.e. home drive and profile folders). I’ve written an ECMA that provisions those folders (home drive and profile) on a DFS share using C#. Of course the service account that FIM uses when provisioning needs the necessary rights on the share to actually create the folder. As we all know, users need special permissions on their profile folder. I used C# to actually give the user account in question the appropriate NTFS permissions. Furthermore, a user needs to be the owner of his profile folder to actually make the roaming profile work. But only accounts with administrative permissions are allowed to transfer ownership, and since we don’t want to give our FIM service account that many permissions we need another solution.
For the service account to be able to transfer the ownership you need to grant it the following privilege: “Restore files and directories” on the file server(s) in question. The best way to do this is by making use of a GPO. This is where you can find the setting:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
For more information about the privilege, see also: http://msdn.microsoft.com/en-us/library/ms813998.aspx
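The three steps described above done in PowerShell, as an added example that is not the author's ECMA code: it checks that the caller holds SeRestorePrivilege (the "Restore files and directories" right), creates the folder, grants the user NTFS rights and makes the user the owner, which is the call that fails without that privilege. Path, account and the extra SYSTEM Full Control entry are my assumptions, not something the post states.

```powershell
# Added example (not the author's ECMA). Path and account are placeholders; the SYSTEM entry is my
# assumption. Run as the FIM service account on a box where the GPO from the post applies.
function Test-RestorePrivilege {
    # SetOwner() to a different account needs SeRestorePrivilege in the caller's token, which is
    # exactly what the 'Restore files and directories' user right from the post provides.
    # whoami /priv lists the privilege whether it is currently enabled or disabled; .NET enables it.
    [bool]((whoami /priv) -match '^SeRestorePrivilege\s')
}

function New-UserFolder {
    param(
        [Parameter(Mandatory = $true)][string]$Path,     # e.g. \\contoso.com\dfs\profiles\jdoe (placeholder)
        [Parameter(Mandatory = $true)][string]$Account   # e.g. CONTOSO\jdoe (placeholder)
    )
    if (-not (Test-RestorePrivilege)) {
        throw "SeRestorePrivilege is not held; ownership of $Path cannot be transferred to $Account."
    }
    $null = New-Item -ItemType Directory -Path $Path -Force
    $user = New-Object System.Security.Principal.NTAccount($Account)
    $acl  = Get-Acl -Path $Path
    # Break inheritance from the share root so rights granted there do not reach this user's folder.
    $acl.SetAccessRuleProtection($true, $false)
    $system = New-Object System.Security.Principal.NTAccount('NT AUTHORITY\SYSTEM')
    foreach ($id in @($user, $system)) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    # The roaming profile requirement from the post: the user must own the folder. Persisting an
    # owner other than yourself is what requires SeRestorePrivilege (or SeTakeOwnershipPrivilege).
    $acl.SetOwner($user)
    Set-Acl -Path $Path -AclObject $acl
    Get-Acl -Path $Path | Select-Object Owner, AccessToString
}

# New-UserFolder -Path '\\contoso.com\dfs\profiles\jdoe' -Account 'CONTOSO\jdoe'
```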

Welcome to my blog!

Hi Everyone,

In this blog I will share my experience with Microsoft products that I work with. I'm a senior infrastructure engineer focused on the Microsoft platform. The Microsoft products that I'm specifically interested in and will mostly talk about in this blog are in the range of Remote Desktop Services, Forefront Identity Management, Group Policy and besides that the Microsoft platform in general.

Hope you enjoy reading it!

Freek Berson