Tuesday, December 24, 2013

Review: Microsoft System Center 2012 Orchestrator Cookbook

A few months ago, I was contacted by the publisher of Microsoft System Center 2012 Orchestrator Cookbook and was asked if I'd like to review a copy on my blog. Since I spend most of my professional life deploying Service Manager and Orchestrator, I thought it was a great opportunity. It's currently on sale for $5 in eBook format for the holiday season and can be purchased at the Packt Publishing site.

Monday, November 4, 2013

Full Control v Modify - Why you should be using modify in most cases

Full Control is a set of permissions that I see granted quite a bit, perhaps more frequently than it needs to be. For example, I see quite a large number of customers with the Full Control NTFS permission for each user set on their network home folders, or a group with Full Control to their departmental network shares. I'm a firm believer in using the Modify permission instead of Full Control in these situations, and this is why:
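The difference that matters is that Full Control is Modify plus Change Permissions (WRITE_DAC) and Take Ownership: a user with Full Control on their home folder can grant anyone else access to it, or strip the administrators' ACE, and a group with Full Control on a departmental share can do the same to the whole tree. The script below is an added example, not code from the original post: it sets Modify for a user on a home folder and reports any explicit Full Control grants under the share root. The share root D:\Homes and the NetBIOS domain EXAMPLE are assumptions.

```powershell
# Added example (not code from the original post): grant a user Modify, not Full
# Control, on their home folder, and find existing explicit Full Control grants.
# The share root D:\Homes and the NetBIOS domain EXAMPLE are assumptions.

$HomeRoot = 'D:\Homes'
$Domain   = 'EXAMPLE'

# Modify covers read, write, execute and delete. Full Control adds the two rights
# that let a user rewrite the ACL itself, Change Permissions and Take Ownership,
# which is exactly what you do not want a user to hold on a managed share.
$Rights    = [System.Security.AccessControl.FileSystemRights]::Modify
$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$Allow     = [System.Security.AccessControl.AccessControlType]::Allow

function Set-HomeFolderModify {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $Path = Join-Path -Path $HomeRoot -ChildPath $SamAccountName
    if (-not (Test-Path -Path $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    $Acl  = Get-Acl -Path $Path
    $Rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList "$Domain\$SamAccountName", $Rights, $Inherit, $Propagate, $Allow

    # SetAccessRule replaces the existing Allow ACEs for this identity, so a
    # previous Full Control grant is overwritten rather than left alongside.
    $Acl.SetAccessRule($Rule)
    Set-Acl -Path $Path -AclObject $Acl
}

# Report every explicit (non-inherited) Full Control ACE under the share root,
# ignoring the principals that are supposed to have it.
function Get-ExplicitFullControl {
    $Expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER'
    $Full     = [System.Security.AccessControl.FileSystemRights]::FullControl

    foreach ($Dir in Get-ChildItem -Path $HomeRoot -Directory) {
        $Folder = $Dir.FullName
        (Get-Acl -Path $Folder).Access |
            Where-Object {
                -not $_.IsInherited -and
                $_.AccessControlType -eq 'Allow' -and
                $_.FileSystemRights.HasFlag($Full) -and
                $Expected -notcontains $_.IdentityReference.Value
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Folder   = $Folder
                    Identity = $_.IdentityReference.Value
                    Rights   = $_.FileSystemRights
                }
            }
    }
}

# Usage: review the report first, then fix each folder it lists.
Get-ExplicitFullControl | Format-Table -AutoSize
# Set-HomeFolderModify -SamAccountName 'jdoe'
```

Run the report before changing anything; if a user has already used Full Control to remove the administrators' ACE, Get-Acl will fail on that folder and you will need to take ownership first (takeown.exe or the Take Ownership right) before Set-Acl can repair it.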

Monday, October 28, 2013

Why I got the three VMware VCA certifications

As some of you that follow me on Twitter may already know, there are promo codes for free VMware VCA certifications floating around. Not only does that make these entry-level certifications free, but you can even test for them at home, on your own computer, right in the browser of your choice with no additional software necessary. The combination of free plus a low barrier to entry makes these a quick and easy choice for someone that doesn't do much VMware work, but wants to stay diverse.

Monday, September 9, 2013

Deduplication in Windows Server 2012

Deduplication is probably one of the coolest features in Windows Server 2012 and I haven't written about it yet. Until now!

Fans of enterprise storage have grown to love deduplication for the massive space savings it can bring on things like volumes that host VMs or backup archives. The problem has been that there is a high barrier to entry for a lot of SMBs that can't necessarily afford the proper hardware and/or licensing to use deduplication properly. In some cases, these organizations will roll out a ZFS solution. ZFS on Linux is a relatively new development (ZFS's CDDL license is incompatible with the Linux kernel's GPL), so up until very recently it would require a Solaris derivative or a BSD. Because of this, many smaller organizations have skipped deduplication in favor of just buying more disks.

Well, now the wait is over. In Server 2012, deduplication is baked into the OS for no additional cost and is incredibly easy to configure and get rolling with. Check out the YouTube video after the break for a quick walkthrough on setting up some basic deduplication settings on your Windows Server 2012 file server.
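For those who would rather script it than click through it, here is the same setup in PowerShell. This is an added example and not the steps from the video; the volume letter E: and the excluded folder are assumptions.

```powershell
# Added example (not the video's steps): enable Data Deduplication on a volume.
# Volume E: and the excluded folder E:\Databases are assumptions.

Import-Module ServerManager
Install-WindowsFeature -Name FS-Data-Deduplication | Out-Null
Import-Module Deduplication

$Volume = 'E:'

# Turn dedup on. Files are only optimized once they are MinimumFileAgeDays old,
# so hot data is left alone; set this low on a backup target, higher on a busy
# general-purpose file server. Exclude anything that must stay contiguous and
# unmodified on disk, such as live database files.
Enable-DedupVolume -Volume $Volume
Set-DedupVolume -Volume $Volume -MinimumFileAgeDays 3 -ExcludeFolder "$Volume\Databases"

# Kick off an optimization job now rather than waiting for the background
# schedule. Start-DedupJob returns immediately; Get-DedupJob shows progress.
Start-DedupJob -Volume $Volume -Type Optimization -Priority High
Get-DedupJob -Volume $Volume

# Savings report once the job has finished.
Get-DedupStatus -Volume $Volume |
    Select-Object Volume, SavedSpace, SavingsRate, OptimizedFilesCount, InPolicyFilesCount

# Scrubbing validates the chunk store against corruption; garbage collection
# reclaims chunks no longer referenced. Both are scheduled weekly by default,
# but can be run on demand.
Start-DedupJob -Volume $Volume -Type Scrubbing
Start-DedupJob -Volume $Volume -Type GarbageCollection
```

Before enabling this on a production volume, run DDPEval.exe (installed with the feature) against the volume to estimate the savings; dedup is not a good fit for volumes full of encrypted, compressed or constantly rewritten data.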

Wednesday, July 31, 2013

Configuring HA DHCP on Windows Server 2012 Without Clustering

Server 2012 has brought a much-welcome improvement to the DHCP Server role. You can now replicate leases between two DHCP servers (DHCP failover) for highly available DHCP without clustering or split-scope. This is beneficial because you don't need the complexity of a failover cluster or the ugliness of split-scope to have multiple DHCP servers hand out addresses for a given scope.
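Here is the configuration in PowerShell, as an added example rather than the post's own walkthrough. The server names, scope ID and relationship name are assumptions; both servers must already be authorized in AD with the DHCP role installed, and the scope only needs to exist on the primary, since failover creates it on the partner.

```powershell
# Added example (not the post's walkthrough): load-balanced DHCP failover for
# one scope. Server names, scope and relationship name are assumptions.

$Primary = 'dhcp01.corp.example.com'
$Partner = 'dhcp02.corp.example.com'
$Scope   = '10.10.20.0'
$Name    = 'dhcp01-dhcp02'

# The shared secret authenticates failover messages between the partners; it
# does not encrypt them, so keep the two servers on a trusted network segment.
$Secret = Read-Host -Prompt 'Failover shared secret'

Add-DhcpServerv4Failover -ComputerName $Primary -PartnerServer $Partner `
    -Name $Name -ScopeId $Scope `
    -LoadBalancePercent 50 `
    -MaxClientLeadTime 00:30:00 `
    -AutoStateTransition $true -StateSwitchInterval 01:00:00 `
    -SharedSecret $Secret

# Verify the relationship from the primary and the replicated scope on the partner.
Get-DhcpServerv4Failover -ComputerName $Primary -Name $Name
Get-DhcpServerv4Scope   -ComputerName $Partner -ScopeId $Scope

# Leases replicate automatically, scope configuration does not: after editing
# options or reservations on the primary, push them to the partner explicitly.
Invoke-DhcpServerv4FailoverReplication -ComputerName $Primary -Name $Name -Force
```

For a hot-standby relationship instead of load balancing, replace -LoadBalancePercent with -ServerRole Active (or Standby) and -ReservePercent. MaxClientLeadTime bounds how far a partner can extend a lease beyond what the other server knows about, so keep it short enough that a failed server coming back does not hand out conflicting addresses.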

Monday, July 29, 2013

Creating a new Active Directory domain on Windows Server 2012

Windows Server 2012 has brought many improvements and has phased out some legacy tools. One of those tools is good old dcpromo.exe. It's been deprecated in favor of PowerShell's Install-ADDSForest or the Server Manager-based GUI, which simply runs PowerShell under the hood. The video below walks you through creating a new AD forest using Server Manager in Windows Server 2012.

Wednesday, July 24, 2013

Enabling and using the Active Directory Recycle Bin in Windows Server 2012

Server 2008 R2 introduced the AD Recycle Bin, which was a great addition to any AD environment, but it was only accessible via PowerShell. This made it tricky for a lot of people to enable. Server 2012 makes it much simpler to enable and to work with. You can still do everything via PowerShell (and you should learn it if you don't know it already!), but you can also handle restores through the GUI as well.
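Since the PowerShell route is the one worth learning, here it is end to end: enabling the feature, listing deleted objects, and restoring one. This is an added example, not the post's GUI walkthrough; the forest name corp.example.com and the deleted user jdoe are assumptions.

```powershell
# Added example (not the post's walkthrough): enable the AD Recycle Bin and
# restore a deleted user. Forest name and the user jdoe are assumptions.
Import-Module ActiveDirectory

$Forest = 'corp.example.com'

# Requires forest functional level 2008 R2 or higher, Enterprise Admins, and
# cannot be turned off again once enabled.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target $Forest -Confirm:$false

# Confirm it is on (EnabledScopes is empty when it is not).
Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"' |
    Select-Object Name, EnabledScopes

# List deleted objects. With the Recycle Bin on they keep their attributes
# (group membership, SID history, lastKnownParent) instead of being stripped.
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, samAccountName |
    Select-Object Name, ObjectClass, lastKnownParent, whenChanged

# Restore one user to where it was. If its OU was deleted too, restore the OU
# first: Restore-ADObject fails when the parent container is still deleted.
$Deleted = Get-ADObject -Filter 'samAccountName -eq "jdoe" -and isDeleted -eq $true' `
    -IncludeDeletedObjects
Restore-ADObject -Identity $Deleted

# Or restore into a different OU:
# Restore-ADObject -Identity $Deleted -TargetPath 'OU=Staff,DC=corp,DC=example,DC=com'

# How long you have: the deleted object lifetime (defaults to the tombstone
# lifetime, normally 180 days on a forest created with 2008 R2 or later).
$ConfigNC = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$ConfigNC" `
    -Properties msDS-DeletedObjectLifetime, tombstoneLifetime
```

One operational note: "restore" is also a security event worth watching. A restored account comes back with its old group memberships, so a deleted admin account that someone restores is an admin account again.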

Tuesday, July 23, 2013

Making Active Directory replication between sites almost instant

When you have a multi-site environment in AD, the lowest interval that you can set your replication schedule to is 15 minutes. This has been around since the old days when replication could significantly impact a sub-megabit WAN connection. Now, with modern MPLS connections of 20Mbps or greater being extremely common, it makes sense to enable change notification between sites. This allows for near-instant replication like you're accustomed to enjoying with domain controllers in the same site.
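Change notification is controlled by the options attribute of the site link object under the Configuration partition: bit 0x1 (USE_NOTIFY) turns it on. The script below is an added example, not from the original post; it reports the current state of every IP site link and enables notification on one. The site link name DEFAULTIPSITELINK is the default one, but treat it as an assumption for your environment.

```powershell
# Added example (not from the post): enable inter-site change notification by
# setting USE_NOTIFY on a site link's options attribute. Site link name assumed.
Import-Module ActiveDirectory

# options bit values on a siteLink object:
$USE_NOTIFY          = 1   # 0x1: replicate on change, not just on schedule
$TWOWAY_SYNC         = 2   # 0x2: two-way sync (rarely wanted)
$DISABLE_COMPRESSION = 4   # 0x4: skip compression (trades WAN bandwidth for CPU)

$ConfigNC    = (Get-ADRootDSE).configurationNamingContext
$IpTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$ConfigNC"

function Get-SiteLinkNotification {
    Get-ADObject -SearchBase $IpTransport -Filter 'objectClass -eq "siteLink"' `
        -Properties options, replInterval, cost, siteList |
        Select-Object Name, cost, replInterval,
            @{ n = 'ChangeNotification'; e = { ([int]$_.options -band $USE_NOTIFY) -ne 0 } },
            @{ n = 'Sites'; e = { ($_.siteList | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }
}

function Enable-SiteLinkNotification {
    param([Parameter(Mandatory)][string]$Name)

    $Link = Get-ADObject -SearchBase $IpTransport -Filter "name -eq '$Name'" -Properties options
    if (-not $Link) { throw "Site link '$Name' not found under $IpTransport" }

    $Options = [int]$Link.options          # null options casts to 0
    if ($Options -band $USE_NOTIFY) { return }   # already enabled

    # -bor preserves any other bits already set rather than overwriting them.
    Set-ADObject -Identity $Link -Replace @{ options = ($Options -bor $USE_NOTIFY) }
}

Enable-SiteLinkNotification -Name 'DEFAULTIPSITELINK'
Get-SiteLinkNotification | Format-Table -AutoSize
```

The setting takes effect when the KCC next rebuilds the connection objects on the bridgehead servers (repadmin /kcc forces it), and the 15-minute schedule remains as the fallback. Verify with repadmin /showrepl on a DC in the remote site after a test change.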

Friday, July 19, 2013

SCSM 2012 service accounts and denying interactive logon

I recently did a System Center Service Manager 2012 SP1 install for a customer that has a blanket policy of denying interactive logons to all service accounts in their domain. The first issue that we ran into was that the Service Manager Data Warehouse could not be registered. After allowing interactive logon, it registered fine. We also hit a snag where the AD connector wouldn't start synchronizing until interactive logon was allowed. The workflow account will also fail at various tasks when denied interactive logon.

The moral of the story is that the "Deny log on locally" user right (SeDenyInteractiveLogonRight) should not be applied to your SCSM 2012 service accounts: data warehouse registration, the AD connector and the workflow account all need to be able to log on interactively.

Wednesday, July 3, 2013

More documentation from Microsoft about properly naming your AD domain

I've written about this before and not to beat a dead horse, but I just came across this TechNet article on Server 2012 AD DS and found this nugget part-way down the page:

Do not create new Active Directory forests with the same name as an external DNS name. For example, if your Internet DNS URL is http://contoso.com, you must choose a different name for your internal forest to avoid future compatibility issues. That name should be unique and unlikely for web traffic. For example: corp.contoso.com.

Just more proof that split-horizon naming for your AD is not recommended, no matter what your Lync or Exchange people tell you. There's some extra configuration on their end, especially with certificates, but split-horizon is not recommended and should not be deployed. Since this is from Server 2012 documentation, there's really no way anyone can dispute this by calling it outdated or no longer relevant.

Sunday, May 19, 2013

System Center Orchestrator 2012 AD Connector Permissions

Just a quick note about something that I stumbled on when trying to automate some user account creation processes in Orchestrator 2012: The user account that you configure the AD connector with is the account under which all AD actions are performed. The documentation makes it sound like the Orchestrator service account is what is used, but that's not the case.

Hopefully this helps someone else out, since it took me a couple of hours to track down!

Tuesday, April 9, 2013

Best practices for configuring a new Active Directory

Name Your Active Directory properly
I've written about this before. If your company website is example.com, the DNS name of the Active Directory domain should be in the form of ad.example.com, corp.example.com, or another subdomain of the existing publicly used DNS zone. Avoid using example.com both internally and externally, and avoid making up a TLD like .local or .lan. During promotion of the first DC in a domain, consider setting the NetBIOS name to EXAMPLE instead of the default value (the first label of the DNS name), so that users see EXAMPLE\user instead of the ambiguous AD\user or CORP\user. You only get one chance to set the NetBIOS name, so consider it carefully; it's non-trivial to change.
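Putting the naming advice together with the Server 2012 promotion cmdlets from the "Creating a new Active Directory domain" post above, here is what the first DC's promotion looks like in PowerShell. This is an added example and not the video's steps: example.com stands for the company's public DNS name, and corp.example.com / EXAMPLE are the assumed internal names.

```powershell
# Added example (not the video's steps): promote the first DC of a new forest
# with a subdomain DNS name and an explicit NetBIOS name. Names are assumptions.
Import-Module ServerManager
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
Import-Module ADDSDeployment

$DomainName  = 'corp.example.com'  # subdomain of the public zone; not example.com, not .local
$NetbiosName = 'EXAMPLE'           # default would be CORP; 15 characters max, set once

# DSRM password: needed to boot the DC into Directory Services Restore Mode.
$DsrmPassword = Read-Host -Prompt 'DSRM (safe mode) administrator password' -AsSecureString

# Dry run. Reports prerequisite failures (name collisions, DNS, password
# policy) without promoting anything, which is the time to catch a bad name.
Test-ADDSForestInstallation -DomainName $DomainName -DomainNetbiosName $NetbiosName `
    -SafeModeAdministratorPassword $DsrmPassword -InstallDns

# The real promotion. The server reboots at the end unless -NoRebootOnCompletion.
Install-ADDSForest -DomainName $DomainName -DomainNetbiosName $NetbiosName `
    -ForestMode Win2012 -DomainMode Win2012 `
    -InstallDns -CreateDnsDelegation:$false `
    -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $DsrmPassword `
    -Force
```

After the reboot, Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DomainMode confirms both names took. If users are going to sign in with their e-mail address, add example.com as an alternate UPN suffix afterwards (Set-ADForest -UPNSuffixes @{Add='example.com'}) rather than naming the domain example.com.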

Monday, April 8, 2013

Handling tech recruiters and salary negotiations

I got another new job. This is the second one in ten months.

I had some serious concerns about how I was being used at my last job and I wasn't able to correct them, so I felt that I had to leave before it did damage to my long-term prospects. Now, I'm in a much better situation than I was before and I was able to use the earlier round of interviewing as a learning experience for this most recent round.

One thing that almost no one likes dealing with is tech recruiters, but they're a necessary evil. They want to know your salary history. They tell you how their six-month contract 50 minutes from your apartment is the best thing that could possibly happen to you. They assure you that the positions that they have open will jumpstart your career. What does that even mean? Are they implying that my career has stalled and that it needs a jumpstart?

Thursday, February 28, 2013

Create new users and Exchange 2010 mailboxes in PowerShell

Using a .csv as a data source, you can quickly populate your Active Directory with users and make mailboxes for them at the same time. The script below can be used as a quick way to get started with this.
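The post's script is not reproduced here, so the following is an added example of the same idea and not the author's code. It runs in the Exchange 2010 Management Shell; the CSV columns, the OU, the mailbox database and the UPN suffix are assumptions, and the sample CSV is constructed inline for illustration.

```powershell
# Added example (not the post's script): create AD users and Exchange 2010
# mailboxes from CSV. Run in the Exchange Management Shell. Columns, OU,
# database and UPN suffix are assumptions.

# Constructed sample input; in practice: $Csv = Import-Csv -Path .\users.csv
$Csv = @'
FirstName,LastName,SamAccountName,Password
Jane,Doe,jdoe,Initial!Pa55-1
John,Roe,jroe,Initial!Pa55-2
'@ | ConvertFrom-Csv

$Ou        = 'corp.example.com/Staff'   # Exchange takes the OU in canonical form
$Database  = 'MBX-DB01'
$UpnSuffix = 'example.com'              # alternate UPN suffix = the e-mail domain

$Results = foreach ($Row in $Csv) {
    $Upn = "$($Row.SamAccountName)@$UpnSuffix"

    # Skip rather than error: re-running the script on a partially processed
    # CSV should not create duplicates or touch existing recipients.
    if (Get-Recipient -Filter "UserPrincipalName -eq '$Upn'") {
        Write-Warning "$Upn already exists, skipping"
        continue
    }

    $Password = ConvertTo-SecureString -String $Row.Password -AsPlainText -Force

    # New-Mailbox creates the AD user and the mailbox in one step.
    New-Mailbox -Name "$($Row.FirstName) $($Row.LastName)" `
        -FirstName $Row.FirstName -LastName $Row.LastName `
        -SamAccountName $Row.SamAccountName -UserPrincipalName $Upn `
        -Alias $Row.SamAccountName -OrganizationalUnit $Ou -Database $Database `
        -Password $Password -ResetPasswordOnNextLogon $true |
        Select-Object Name, UserPrincipalName, Database
}

$Results | Format-Table -AutoSize
```

A CSV with cleartext initial passwords is a credential file: keep it off shares, delete it when the run is done, and keep -ResetPasswordOnNextLogon so the initial value is only ever used once.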

Thursday, February 14, 2013

Scripting UPN suffix changes in PowerShell

I've been doing a little consulting work on the side lately. One client is using an alternate UPN suffix to make a "pretty" UPN even though they're using a subdomain for their Active Directory as I recommend here. Since the end users will be instructed to "log in with their email address" it's important that all user accounts have the proper UPN set.

After defining the desired UPN suffix in Active Directory Domains and Trusts, I realized that there was no good way to "force" new accounts to use this UPN. The person at the site responsible for adding and removing users generally isn't a full-time IT person, so while you can give instructions, you can't guarantee that they'll be followed. To work around this, I whipped up a few lines of PowerShell and dropped it into Task Scheduler. It runs every 10 minutes and queries AD for all users in a specific OU structure that have the undesirable UPN and changes it to the desired one.
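The author's script is not on this page; the following is an added example that does the same job and is not their code. The OU, the old suffix (the domain's own DNS name, which is what ADUC and New-ADUser default to) and the new suffix are assumptions.

```powershell
# Added example (not the author's script): rewrite UPNs in an OU tree from the
# domain's default suffix to the alternate one. OU and suffixes are assumptions.
Import-Module ActiveDirectory

$SearchBase = 'OU=Staff,DC=corp,DC=example,DC=com'
$OldSuffix  = 'corp.example.com'   # default suffix = the domain's DNS name
$NewSuffix  = 'example.com'        # alternate suffix defined in Domains and Trusts
$LogPath    = 'C:\Scripts\upn-changes.csv'

# Refuse to run unless the suffix is registered on the forest; otherwise users
# would be given UPNs they cannot log on with.
if ((Get-ADForest).UPNSuffixes -notcontains $NewSuffix) {
    throw "UPN suffix '$NewSuffix' is not defined in Active Directory Domains and Trusts"
}

function Repair-UserUpn {
    param([switch]$WhatIf)

    Get-ADUser -SearchBase $SearchBase -SearchScope Subtree `
        -Filter "UserPrincipalName -like '*@$OldSuffix'" |
    ForEach-Object {
        # Keep the existing local part (it may differ from samAccountName).
        $LocalPart = ($_.UserPrincipalName -split '@')[0]
        $NewUpn    = "$LocalPart@$NewSuffix"

        # UPNs must be unique across the forest; skip instead of clobbering.
        if (Get-ADUser -Filter "UserPrincipalName -eq '$NewUpn'") {
            Write-Warning "$NewUpn is already in use, leaving $($_.SamAccountName) alone"
            return
        }

        Set-ADUser -Identity $_ -UserPrincipalName $NewUpn -WhatIf:$WhatIf
        [pscustomobject]@{
            When   = Get-Date
            User   = $_.SamAccountName
            OldUpn = $_.UserPrincipalName
            NewUpn = $NewUpn
        }
    }
}

# Preview first; then run for real and keep an append-only log of what changed.
Repair-UserUpn -WhatIf
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
Repair-UserUpn | Export-Csv -Path $LogPath -Append -NoTypeInformation
```

When scheduling this, run it under a dedicated account that has write access to userPrincipalName only on that OU tree (delegate it in ADUC), not as a domain admin; a scheduled script with broad rights is a standing target.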

Tuesday, February 5, 2013

Creating User Accounts and Copying Existing Group Membership with PowerShell

The script in this post will get you started in using PowerShell scripts to automate your user account creation. It has very basic functionality so far. It takes the username as input from the user. It also asks if you'd like to copy the group membership of an existing user. It then creates a new user in the default container with the appropriate group membership.
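An added example of the same approach, not the post's script: it creates the user and copies a template user's group membership, but skips AdminSDHolder-protected groups (adminCount = 1), so that picking an administrator as the template cannot quietly mint another one. The OU and UPN suffix are assumptions.

```powershell
# Added example (not the post's script): create a user and copy group
# membership from a template, excluding protected groups. OU and suffix assumed.
Import-Module ActiveDirectory

function New-UserFromTemplate {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [string]$TemplateUser,
        [string]$Path      = 'OU=Staff,DC=corp,DC=example,DC=com',
        [string]$UpnSuffix = 'example.com'
    )

    if (Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'") {
        throw "$SamAccountName already exists"
    }

    $Password = Read-Host -Prompt "Initial password for $SamAccountName" -AsSecureString

    $User = New-ADUser -Name "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
        -SamAccountName $SamAccountName -UserPrincipalName "$SamAccountName@$UpnSuffix" `
        -Path $Path -AccountPassword $Password `
        -ChangePasswordAtLogon $true -Enabled $true -PassThru

    if ($TemplateUser) {
        # Every group the template is a direct member of, minus Domain Users
        # (primary group, implicit) and anything protected by AdminSDHolder
        # (Domain Admins, Administrators, Account Operators, ...).
        $Groups = Get-ADPrincipalGroupMembership -Identity $TemplateUser |
            Get-ADGroup -Properties adminCount |
            Where-Object { $_.Name -ne 'Domain Users' -and $_.adminCount -ne 1 }

        if ($Groups) {
            Add-ADPrincipalGroupMembership -Identity $User -MemberOf $Groups
        }
    }

    Get-ADUser -Identity $User -Properties MemberOf
}

# Usage: copy jroe's (non-privileged) group membership onto the new account.
New-UserFromTemplate -SamAccountName 'jdoe' -GivenName 'Jane' -Surname 'Doe' -TemplateUser 'jroe'
```

Add-ADPrincipalGroupMembership only needs write access to the member attribute of each target group, so the account running this can be delegated narrowly rather than being a domain admin.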

Tuesday, January 29, 2013

Imaging a large number of labs with WDS and PowerShell

In a previous life, I worked for a university that was broke. Not broke in the sense that it was falling apart, but broke in the sense that we had to make a lot of our own tools. This meant no SCCM, no Ghost (does anyone even still use it?), etc. There were dozens of labs, and we had a clunky imaging solution that we rolled ourselves based on SQL Express, VBScript, and WinPE distributed by PXELINUX on a CentOS box. Certainly a very clunky scenario. When I was made the lead on the campus-wide Windows 7 rollout, I knew I needed a fresh start on this.

To capture or not to capture?
One of the great religious battles of our day (as far as desktop imaging goes) is whether it is better to capture a reference image and sysprep it, or to deploy a standard "thin" image and install the necessary applications by some other means.