
Jeff's Connected Corner

Windows Server System news and real-world info

December 2006 - Posts

  • Longhorn: Three Favorite AD Improvements

     

    Well... we all know what Josh thinks about the new Longhorn bits. I, on the other hand, have decided to blog about my three favorite Active Directory enhancements. I know they don't hold a candle to "Aero on a server"... but hopefully I'll break the 100 reader mark anyway.

    1.) "Restartable" Active Directory Service: In previous versions of Windows Server, you were required to reboot the server into something called Directory Services Restore Mode to perform maintenance on the Active Directory database. Such maintenance might include an offline defrag, or possibly an authoritative restore of one or more objects. Rebooting into DSRM was necessary because there wasn't any other way to take AD offline. That's about to change with Longhorn Server. Take a look at the screen shot below to see the new 'Domain Controller' service:

    There are quite a few new scenarios enabled by this change, but I'll give you my personal favorite. Let's just say you're cruising around in AD Users and Computers and accidentally delete the wrong object (say, the CEO instead of the maintenance guy). If you have a Domain Controller in another site, you can remotely stop the 'Domain Controller' service on that machine (via the MMC or command-line) and then perform an authoritative restore of the CEO's user account before anyone even notices. Granted, this is possible today... but the time required to reboot into DSRM, and the work-around required to gain remote access to a machine in DSRM should help you appreciate how cool this new feature really is. However, if you're not lucky enough to have more than one AD site, then you're in for some more work (i.e. DSRM, restore from tape, authoritative restore, etc.). Maybe it's time for another AD site, even if it's just a 'pretend' site in the same physical location. Give it some thought -- it might save your rear end one day.

    2.) Improved Directory Services Auditing:  This definitely isn't as sexy as Aero on a server... but for anyone dealing with internal/external auditors, Microsoft is about to make your life a lot easier.  With the proper settings in place, it is now possible to not only see who made a change to what AD object, and when... but now you can also see the old & new values as well.  For example, let's say I want to change the description of John Doe's account from Maintenance Guy to CEO.  With Longhorn Server, I'll see two events in the Security Event Log with an ID of 5136.  The important new information is in the details, as seen below (before and after screen shots).  Very cool... in a geeky kind of way.

    3.) Read-Only Domain Controller:  Last, but certainly not least, is the new Read-Only Domain Controller.  This role is perfect for branch office environments with limited physical security (e.g. manufacturing facility, retail location, etc.).  As we all know, current Active Directory DCs maintain read/write copies of the entire directory.  This means that one compromised DC could result in the loss or corruption of an entire domain (and in some cases, even the forest).  So the rule-of-thumb has always been to only install DCs in a locked and monitored server room (sorry, the telco closet doesn't count).  I'm not saying everyone follows this rule, but it is highly recommended.

    Now, with Read-Only as an option, you can feel free to install DCs just about anywhere.  By default, Read-Only DCs don't even store passwords - so an offline attack against AD won't yield any critical data.  However, this also means that each authentication request must traverse the network to find a read/write DC.  If you feel comfortable taking a little risk - you can configure the Read-Only DC to cache passwords for a limited group of users (say, user accounts in the retail location containing the Read-Only DC).  Either way, the choice is entirely up to you.  And AD Users and Computers even has a new tab that shows which (if any) Read-Only DCs contain a copy of a user's credentials.  Again... very cool.
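
For the directory services auditing in item 2 above, here is an added example (not from the original post) that pairs the two 5136 events of one change into a single old/new record, as an auditor would want to read them. It assumes the events were exported as XML; the field names and OperationType codes follow the 5136 event as it appears in released Windows Server versions, which the post does not list, and the sample account, DN and correlation ID are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
OPS = {"%%14674": "new", "%%14675": "old"}  # OperationType: Value Added / Value Deleted

# Constructed sample event; the account, DN and correlation ID are made up.
TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID></System>
  <EventData>
    <Data Name="OpCorrelationID">{{11111111-2222-3333-4444-555555555555}}</Data>
    <Data Name="SubjectUserName">jeff</Data>
    <Data Name="ObjectDN">CN=John Doe,OU=Staff,DC=example,DC=com</Data>
    <Data Name="AttributeLDAPDisplayName">description</Data>
    <Data Name="AttributeValue">{value}</Data>
    <Data Name="OperationType">{op}</Data>
  </EventData>
</Event>"""
SAMPLE = ("<Events>" + TEMPLATE.format(op="%%14675", value="Maintenance Guy")
          + TEMPLATE.format(op="%%14674", value="CEO") + "</Events>")


def attribute_changes(xml_text):
    """Group 5136 events by operation, object and attribute into old/new values."""
    changes = {}
    for event in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if event.findtext("e:System/e:EventID", namespaces=NS) != "5136":
            continue  # ignore other Security log events in the export
        f = {d.get("Name"): d.text or ""
             for d in event.iterfind("e:EventData/e:Data", NS)}
        side = OPS.get(f.get("OperationType"))
        if side is None:
            continue  # unknown operation type: skip rather than guess
        key = (f["OpCorrelationID"], f["ObjectDN"], f["AttributeLDAPDisplayName"])
        rec = changes.setdefault(key, {
            "who": f["SubjectUserName"], "object": f["ObjectDN"],
            "attribute": f["AttributeLDAPDisplayName"], "old": [], "new": []})
        # Lists, because a multi-valued attribute can log several adds/deletes.
        rec[side].append(f["AttributeValue"])
    return list(changes.values())


if __name__ == "__main__":
    for c in attribute_changes(SAMPLE):
        print(f'{c["who"]} changed {c["attribute"]} on {c["object"]}: '
              f'{c["old"]} -> {c["new"]}')
```

An attribute that is set for the first time produces only a "Value Added" event, so its record comes back with an empty `old` list.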

    That's enough fun stuff for today.  Leave me a comment if you have any questions or concerns.  And by all means, download and install Longhorn Server at your earliest convenience.  Right now it's kind of a stealth product... not much hype, but a lot of new features.  I hope they keep it that way.  We don't need another Vista anytime soon. ;)

  • Windows 2003 SP2 RC - Refresh 1

    Windows 2003 SP2 beta testers just received notice that 'SP2 RC - Refresh 1' is available on Microsoft Connect.  The build number is 2845, and the x86 download weighs in at 370MB.

    Refresh 1 isn't widely available (public SP2 RC link) - unless you have access to SP2 on Connect you're out of luck.  However, from the brief change log I saw, Refresh 1 is simply a bug fix release.  Wondering what's coming in SP2?  Check out the Top 10 Reasons to Install SP2 on Microsoft.com.  Installed it yet?  Leave a comment and let us know your thoughts.  Cheers!

  • Better Together, With a Catch

    It's hard to miss the 'Better Together' message in Microsoft's product launch frenzy.  However, for the first time one such 'Better Together' scenario is going to cost you extra.  I'm referring to the removal of Outlook 2007 client software from the Exchange CAL.  Previously, when a customer purchased Microsoft Exchange server licenses, and the appropriate number of CALs, they received a copy of Outlook along with each CAL.  Well, technically they acquired the right to run Outlook... the software itself had to be ordered through Worldwide Fulfillment or via Volume License mailings/downloads.  But regardless, if you owned Exchange Server 2003 and Exchange CALs - Outlook 2003 client software was included at no extra charge. 

    This held true even if you didn't own the entire Microsoft Office suite, or were running a previous version of Office.  I've participated in many Exchange 2003 deployments where customers rolled out Outlook 2003 alongside Office 2000 or Office XP (usually for benefits such as cached-mode and RPC/HTTPS).  This version mismatch had a few minor issues, such as the inability to use Word as the Outlook e-mail editor.  However, in most cases it wasn't a show-stopper.

    Well - those days are officially over.  Unless your Exchange CAL Software Assurance was current as of November 30, 2006 - an upgrade to Exchange Server 2007 and Outlook 2007 might cost more than you expected.  The official announcement is buried in the Product Use Rights section of Microsoft.com (scroll down about half way to the sub-heading "Outlook 2007 grant for Exchange Server 2003 CAL customers").  I've included the relevant text below for completeness:

    Exchange Server 2007

    Outlook 2007 grant for Exchange Server 2003 CAL customers
    Unlike prior versions, Exchange Server 2007 Standard or Enterprise does not include the right to install Outlook on devices for which CALs are obtained. However, for each Exchange Server CAL, Core CAL Suite or Enterprise CAL Suite with active Software Assurance coverage as of November 30, 2006, customers will be granted one Office Outlook 2007 license. The right to use Outlook under that license expires upon expiration of the corresponding CAL. Use of Outlook under this offering is subject to the customers’ license agreement and the product use rights for that product. If Software Assurance coverage on the corresponding CAL is maintained continuously (i.e., renewed with no lapse in coverage), and one later version of Office Outlook (i.e., N+1, where N=Office Outlook 2007) is made available prior to the expiration of that coverage, customers’ license will be for that version instead. Alternatively, customers are eligible to acquire Software Assurance coverage for that Office Outlook license, provided that coverage is acquired by February 28, 2007. Customers who wish to acquire Software Assurance coverage for Office Outlook after that date must first acquire a new license for the version of Office Outlook that is current at the time coverage is acquired.

    A couple things strike me as odd about this decision.  First, it isn't well-publicized on the main Exchange 2007 web site.  I can find plenty of 'Better Together' articles that extol the benefits of running Exchange 2007 with Outlook 2007 (here, here & here for example).  However, not one of them mentions the licensing change above.  Heck, the change isn't even spelled out in the Exchange Licensing FAQ.

    Second, without Outlook 2007 - what exactly does Microsoft expect clients to use to access Exchange 2007?  OWA?  Previous versions of Outlook?  It just doesn't make any sense to me.  Outlook 2007 rocks... so why create another deployment blocker?

    What are your thoughts on the Exchange CAL changes?  Will this impact your deployment, or were you planning to roll out the entire Office 2007 suite anyway?

    Posted Dec 19 2006, 11:52 PM by Jeff with 15 comment(s)
  • Exchange 2007 RTM (Updated)

    Following up on my earlier post re: Exchange 2007 not actually launching on launch day...  Well, it seems the team is finally pleased with their work and have signed off on RTM.  As usual, see the EHLO Blog for details.  As soon as I get the bits installed I'll grab some screen shots and post a full review.  Maybe I should add a VoIP gateway to my Christmas list.  Santa, are you listening?

    Update: Head over to the Exchange TechNet site to register for the evaluation version.  Still no word on availability, but the registration process ends with "Thanks... we'll e-mail you when it's ready".  I'm also hopeful that the team will release updated VHD Test Drive images in short order.  There's no better/quicker way to test this product than a pre-configured VHD.

    Update 2: I spoke with Mary Jo over at ZDNet this morning re: the launch.  She asked for my thoughts - specifically around a topic that hasn't received much coverage.  My answer: servicing.  Read the details of our discussion on Mary Jo's blog.

    Posted Dec 07 2006, 09:26 PM by Jeff with no comments