Thursday, May 2, 2013

Software and Security on Domain Controllers

This post was inspired by someone I consider a friend and a mentor in the Active Directory world: 11-time AD MVP Joe Richards.

Microsoft recently published an excellent Active Directory security document. Laura Robinson is the lead author, and there are serious heavy hitters in the acknowledgements section, including Laura Hunter, Dean Wells, and others. You can download the document using the link below:

Best Practices for Securing Active Directory

Joe brought up an excellent point on the DS-MVP list: we all know the best practice is not to run additional, unnecessary software on domain controllers, but was this actually documented anywhere? The document above addresses this.

From page 27 of the document:


Protecting Domain Controllers

Domain controllers should be treated as critical infrastructure components, secured more stringently and configured more rigidly than file, print, and application servers. Domain controllers should not run any software that is not required for the domain controller to function or doesn’t protect the domain controller against attacks. Domain controllers should not be permitted to access the Internet, and security settings should be configured and enforced by Group Policy Objects (GPOs). Detailed recommendations for the secure installation, configuration, and management of domain controllers are provided in the Securing Domain Controllers Against Attack section of this document.

Microsoft also recently released a shorter document that is worth downloading and reading.

Securing Active Directory: An Overview of Best Practices 

I appreciate Microsoft and everyone who took the time to write, edit, and review this important document. Many times we can tell our customers the best practices, but they often don't believe it unless they see it come from a Microsoft site or document.

If you have worked around Active Directory long enough, you have seen this common problem: domain controllers used as file servers, app servers, etc. The fix is simple: reduce your attack vectors and don't install unnecessary software on your DCs. Also look into RODCs and Server Core as other easy ways to help secure DCs.
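One way to check your own DCs against that advice, as an added example that is not from the post or from the Microsoft document: it inventories roles and installed applications on every DC and reports whether each is an RODC or Server Core. It assumes the ActiveDirectory module (RSAT) and WinRM access to each DC; the list of expected roles is an assumption to adjust to your own baseline.

```powershell
# Added example, not from the post or the Microsoft document.
# Assumes: ActiveDirectory module on the admin box, WinRM (Invoke-Command) access to each DC.
Import-Module ActiveDirectory

# Roles a DC is expected to carry. This baseline is an assumption; adjust it to your environment.
$ExpectedRoles = @('AD-Domain-Services', 'DNS', 'FileAndStorage-Services')

foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName

    # Collect install type, installed roles and installed applications from the DC itself
    $remote = Invoke-Command -ComputerName $name -ScriptBlock {
        $ntVer = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        # Uninstall keys for 64-bit and 32-bit applications
        $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        [pscustomobject]@{
            # 'Server Core' or 'Server' (full installation)
            InstallType = $ntVer.InstallationType
            # Get-WindowsFeature needs the ServerManager module (present on 2008 R2 and later)
            Roles       = (Get-WindowsFeature |
                           Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' }).Name
            Apps        = (Get-ItemProperty $uninstall -ErrorAction SilentlyContinue |
                           Where-Object { $_.DisplayName -and -not $_.SystemComponent }).DisplayName
        }
    }

    # Anything outside the baseline is a candidate for removal (or for moving off the DC)
    $extraRoles = @($remote.Roles | Where-Object { $ExpectedRoles -notcontains $_ })

    [pscustomobject]@{
        DC            = $name
        IsRODC        = $dc.IsReadOnly
        InstallType   = $remote.InstallType
        ExtraRoles    = ($extraRoles -join ', ')
        InstalledApps = (@($remote.Apps) -join ', ')
    }
}
```

Pipe the output to Export-Csv to keep a per-quarter record and diff it against the previous run.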

You may also see similar posts on other MVP blogs. Joe has asked us to get the word out about this.







Thursday, March 14, 2013

Active Directory MVPs on Twitter

I've become a big fan of Twitter over the last few years; it is one of the best sources for information and news in my opinion. I still like RSS feeds for checking blogs and new entries, but I'm using Twitter more these days. It is also much easier to interact using Twitter. With the impending closure of Google Reader I'll probably be a bigger Twitter user.

I've started compiling a list of Active Directory/Directory Services MVPs on Twitter. Tweet frequency ranges from multiple daily tweets to rarely. I will try to keep this list up to date. I'm sure there are folks that I missed. Please send me an email or leave a comment if any entry needs updating. I don't want to leave anyone out.

I'll try to update and go through this list every quarter (MVPs are selected every quarter: January/April/July/October).


Microsoft MVPs - Directory Services: Twitter name and profile

Mesut Aladag @mesutaladag
Zubair Alexander @ZubairAlexander
Jimmy Andersson
Brian Arkills @barkills
Hank Arnold
Alexandre Augagneur
Edoardo Benussi @ebenussi
Paul Bergson @pbbergs
Sander Berkouwer @SanderBerkouwer
Xiaolong Cai
Paul Clement
Ragael Correa
Eugene Delprato
Brian Desmond @brdesmond
Olivier Detilleux @olivierdx
Sean Deuby @shorinsean
Freddy Elmaleh
Marius Ene
Salman Farizy
Ace Fekay @AceFekay
Liang Feng
Lee Flight
Tamas Gai
Ermanno Goletto @ermannog
Guido Grillenmeier
Chunlong Han
LiGang Han
Junxian Huang
Nils Kaczenski @Kaczenski
Joe Kaplan
Sainath KEV
Gil Kirkpatrick @gkirkpatrick
Jyrki Kivimaki @jykivima
Mike Kline @mekline
Michinari Kobuna
Suguru Kunii
Roberto Di Lello @RaDiansBlog
Guangji Liang
Qiang Liu
Fernando Lopez
Thiago Cardoso Luiz @t_cardoso
Ahmed Malek
Tadayoshi Manabe
Mark Minasi @mminasi
Richard Mueller
Tony Murray @MrTweetTastic
Gary Olsen
Niyi Omotoyinbo
Mark Parris @markparris
Suttipan Passorn @passorn
Jorge de Almeida Pinto
Pawel Plawiak
John Policelli @JohnPolicelli
Marcin Policht
Leonardo Ponti @PontiLeo
Bobby Primasta
Yuwei Qi
Shengrong Qu
Slamet Raharjo
Leone Randazzo @LeoneRandazzo
Joe Richards @joewaredotnet
Ilya Rud
Marc Salvador
Mario Serra @Marioserra72
Morgan Simonsen @msimonsen
Ulf Simon-Weidner @DSGeek
Santhosh Sivarajan @Santhosh_Sivara
Chris Spanougakis @spanougakis
Jacek Swiatowiak
Yanyang Tian
Hakan Uzuner @hakanuzuner
Awinish Vishwakarma @Awinish
Fabrizio Volpe @fabriziovlp
Meinolf Weber @mei_web
Ralf Wigand @ralfwigand
Haidong Wu
Chenggang Xiang
Haji Yakub
Shuyong Yan
Bobby Zulkarnain @bobbyiz



Honorary MVP

Laura Hunter @adfskitteh
**Laura was a long-time MVP and is now a blue badger. Microsoft employees can't be MVPs.


Thursday, March 7, 2013

My Friend Wrote a Book - Part 2

In 2009 I wrote a blog post about my friend Kevin writing a book. Friend is really not a good word here. Kevin and I have been like brothers for 30 years now. I've always said that I have two brothers: my biological brother Andy, and Kevin.

In 2009 Kevin's book was mentioned in the local county paper. Since that book was released, Kevin has been working on his second book, which tells the important story of blacks in Loudoun County, VA during the Civil War.

The book is called From Loudoun To Glory.


This is Kevin Grigsby's second book, which highlights Loudoun County's African-American heritage. From Loudoun To Glory is about the important role that African-Americans from Loudoun County, Virginia played in the Civil War. They would serve as soldiers, sailors, nurses, spies, and scouts. Over two hundred and fifty African-American soldiers and a dozen sailors from Loudoun served in the Union military during the Civil War.

The same things I said in my first blog post about Kevin's book go for this one. This book has made a bigger initial splash. When I woke up on Sunday morning and saw the Washington Post, I saw that Kevin's book was featured on the front page of the paper, on A1, above the fold. WOW!!!

The full Washington Post article can be found at the link below. I've also included some screenshots from the paper.

[Image: Sunday, March 3, 2013 Washington Post front page; I put the red box around the book mention]

A mention on the front page of one of the biggest papers on the planet. It doesn't get much bigger than that. It is cool to be on the same page with President Obama. I thought that I'd see the book story in the Loudoun weekly section (a small weekly insert). I was wrong on that! The book was prominently featured on the front page of the Washington Post Metro section.

[Image: Sunday, March 3, 2013 Washington Post Metro section]

This is one of the proudest moments in Kevin's life (his kids are #1 and #2 by a long shot). I couldn't imagine being happier for someone. Years of hard work and dedication will keep this important story alive for many generations to come.

Today, mentioned on the same page as President Obama... tomorrow, a picture and a meeting with President Obama where you present him with a signed copy... the sky is the limit :)






Sunday, February 3, 2013

Microsoft IT Camp - Speaking Event

I am honored to once again be working at a Microsoft event at the Microsoft office in Reston, VA on March 9, 2013 from 8 AM to 4 PM. The District of Columbia Maryland Virginia Management User Group is holding an event that includes an IT camp focused on Windows Server 2012. I'll be working with Microsoft Senior Evangelist Yung Chou during the IT camp. We will be going over many topics including Active Directory, Hyper-V, installation, Storage Spaces and more.

There are also System Center and Windows Deployment sessions for those interested in those subjects. The Windows Deployment sessions will be led by Microsoft MVP Rhonda Layfield.

The Microsoft Reston location is easy to get to, with plenty of parking, and they have a great setup there for events like this. It is also a great chance to meet other enthusiastic IT Pros. I know that may sound cliché, but the type of people who come out to events on Saturdays and put in the extra time are my type of people :)

You can register for the event and find more information about the sessions and speaker bios by going to



Date: Saturday, March 9, 2013
Time: 8:00 AM to 4:00 PM
Location: Microsoft Reston, 12012 Sunset Hills Rd, Reston, VA 20190


You can see the flyer for the event below.


I'm looking forward to the event and hope to have a full house. I'm sure everyone is going to learn something as we move forward with Windows Server 2012.

Tuesday, October 2, 2012

Future Server Service Packs

As MVPs we have MVP leads who share information and are our main connection to the MVP program. Recently my MVP lead sent out a great Q&A that I wanted to share. I checked with her to make sure this is not NDA information, and it is not. (Thanks Michelle!)




There are still a lot of organizations that believe they should wait for a service pack before deploying a new Server OS. If you were around 10 years ago or more, you might remember that Windows NT had seven service packs (1-6a). Windows 2000 had four service packs. With that many service packs you can see why some old timers still think waiting for service packs is the way to go.

The days of four, six, or more service packs are probably gone forever. I can't speak for the future of the Microsoft development life-cycle, but with major releases every four years and R2 releases every two years, there is not much room for service packs. In addition, Microsoft does a really great job with Patch Tuesday patches and zero-day patches when applicable.

The point here is that you can tell your manager there is no reason to wait for a service pack. Windows 2012 is ready now. It is ready to be tested and deployed now. I'm in the field just like the rest of you. Looking forward to this journey.


Monday, September 17, 2012

TechGate Conference - Speaking Review


I spoke at the TechGate conference sponsored by Microsoft this weekend. My topic was new Active Directory features in Windows Server 2012.

I first want to thank Andy and DeLise from Microsoft. The Microsoft facilities were outstanding and we were treated well. This was my first speaking engagement at a conference like this, and I'm honored that they allowed me to speak. I know they had a lot of people who wanted slots, and I'm glad I was selected for one of the featured slots.

The room was packed and some people had to stand. There were some lessons learned on my part that I want to share for others who may be starting out on their speaker journey. I would also love to hear tips from others who have been doing this for a while.

Lessons Learned


  • 50 minutes is not enough time to give a talk with demos about Active Directory features in Windows 2012. I should have either cut out sections or not attempted demos. I definitely rushed a bit at the end.
  • The crowd was about 80 percent developers/those not familiar with AD and 20 percent IT pros who knew AD. I let that fluster me for the first few slides. When I asked how many people were familiar with dcpromo and only 4 people raised their hands, I was thinking "oh shit" in my head... once I got over that I was fine.
  • I tried to switch between the PowerPoint presenter view (slides with notes on my laptop monitor and the slide show on the projector) and duplicated screens (for the demos). Next time I will just use duplicated screens at all times and have my notes on the side.
  • Dynamic Access Control is a great feature, but I can tell that it's going to take a lot of time for IT Pros to understand and "get it". I might try to present 50 minutes just on that feature next time... but that might not be enough time either.
  • Thanks to the lady in the back, the MCS engineer and a few others who did have a good working knowledge of AD... the questions and back-and-forths with you all were great.
  • I have seen speakers at other conferences having conversations after their talks in the hallways. That happened to me too. That was great; I met some really great and enthusiastic people.
  • Thanks to my co-workers Shumbey, Nate, and Kurt for coming.
  • Thanks to my AD buddies (Mark especially) who sat through some dry runs.

Overall I give myself a B-. I learned a lot and hope to go back in the spring. Someday I want to be as good as Dean Wells (he had the #1 talk at TechEd North America 2012)... I know that won't happen, but it is a good goal to strive for :)





Tuesday, September 4, 2012

Windows 2012 AD Schema Version

I previously posted "quick-hitter" blogs about the schema versions in the Windows 8 Developer Preview and Windows Server 8 Beta.

Windows Server 2012 was released today!! The schema version did not change from the RC version. The final version is 56.

I once again used adfind to quickly find the schema version.

[Image: adfind output showing the schema objectVersion]

The final Active Directory Schema version table is listed below.


Operating system: schema objectVersion

Windows Server 2012: 56
Windows 2008 R2: 47
Windows 2008: 44
Windows 2003 R2: 31
Windows 2003: 30
Windows 2000: 13
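The same lookup done with the Active Directory PowerShell module instead of adfind, as an added example that is not from the post: it reads objectVersion from the schema naming context, maps it to the table above, and reports whether adprep still has to run before a DC of a given release can be promoted. It assumes the ActiveDirectory module (RSAT) and a reachable DC; the function and variable names are mine.

```powershell
# Added example, not from the post. Assumes the ActiveDirectory module and a reachable DC.
Import-Module ActiveDirectory

# Schema objectVersion introduced by each release, as listed in the post's table
$SchemaVersions = [ordered]@{
    'Windows 2000'           = 13
    'Windows Server 2003'    = 30
    'Windows Server 2003 R2' = 31
    'Windows Server 2008'    = 44
    'Windows Server 2008 R2' = 47
    'Windows Server 2012'    = 56
}

# objectVersion on the schema head (CN=Schema,CN=Configuration,...), the same value adfind shows
function Get-ForestSchemaVersion {
    $rootDse = Get-ADRootDSE
    [int](Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion).objectVersion
}

# Is the forest schema already at (or past) the level a DC of $TargetRelease needs?
function Test-SchemaReady([string]$TargetRelease = 'Windows Server 2012') {
    $required = $SchemaVersions[$TargetRelease]
    if (-not $required) { throw "No schema version listed for '$TargetRelease'" }

    $current = Get-ForestSchemaVersion
    # Reverse lookup; versions not in the table are interim builds or releases newer than the table
    $known = ($SchemaVersions.GetEnumerator() | Where-Object { $_.Value -eq $current }).Key

    [pscustomobject]@{
        SchemaVersion   = $current
        SchemaRelease   = if ($known) { $known } else { 'not in table (interim or newer build)' }
        TargetRelease   = $TargetRelease
        RequiredVersion = $required
        AdprepNeeded    = ($current -lt $required)
    }
}

Test-SchemaReady 'Windows Server 2012'
```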


MVP Brian Arkills posted a link to the changes made by adprep in Windows 2012 from version 48 to 56. You can find that here:

Windows Server 2012: Changes made by adprep.exe

You can download an evaluation copy of Windows Server 2012 and start to learn and have fun. This will be an OS that most of us will be using for the next 10+ years, and it is an exciting day for those of us in the Windows Server world. Thanks for all the hard work put in by the many people at Microsoft who made today happen.