Active Directory Migration Tool version 3.2 (ADMT v3.2) has been released


ADMT v3.2 has finally been released to the public; I’m currently involved in a migration project where we consolidate over 70+ forests to one corporate forest running Windows Server 2008 R2 and one of the main benefits with version 3.2 is the support for Windows Server 2008 R2


About ADMT 3.2

 

ADMT v3.2 is an out-of-band tool available as a free download (in 8 languages: English, Chinese (Simplified and Traditional), French, German, Japanese, Portuguese, and Spanish) to enable customers to deploy Active Directory in the following scenarios:

 

        Migration of Active Directory data from one environment to another. ADMT 3.2 specifically supports migration to Windows Server 2008 R2 with added support for Managed Service Accounts.

 

        Restructuring of Active Directory environment due to mergers, acquisitions, divestitures, consolidations, etc.

 

 

 

From the download page:

 

 

 

Overview

 

The Active Directory Migration Tool version 3.2 (ADMT v3.2) simplifies the process of migrating objects and restructuring tasks in an Active Directory® Domain Service (AD DS) environment. You can use ADMT v3.2 to migrate users, groups, service accounts, and computers between AD DS domains in different forests (inter-forest migration) or between AD DS domains in the same forest (intra-forest migration). ADMT can also perform security translation (to migrate local user profiles) when performing inter-forest migrations.

 

 

 

System Requirements

 

·        Supported Operating Systems: Windows Server 2008 R2

 

·        ADMT can be installed on any computer capable of running the Windows Server 2008 R2 operating system, unless they are Read-Only domain controllers or in a Server Core configuration.

 

·        Target domain: The target domain must be running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2

 

·        Source domain: The source domain must be running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2

 

·        The ADMT agent, installed by ADMT on computers in the source domains, can operate on computers running Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

 

 

You can download ADMT v3.2 here

It’s been Windows 7 Summit, Visit to Redmond and Microsoft TechDays

It’s been a very busy month, I’ve been traveling a lot and been speaking at a few different seminars and conferences. First of was the Windows 7 Summit held here in Sweden by ourselves TrueSec,

 

Windows 7 Summit

I did two sessions together with Mikael Nyström, first session was an introduction to the Windows 7 Client, covering some UI changes and the approach Microsoft has taken with Multi-Touch and the other was about new technologies and features in Windows Server 2008 R2, it was a great time and I had lots of fun on the stage, I’m sorry that I misspelled my own sisters name during the Recycle-Bin demo J

 

Microsoft decided to record the sessions, so if anyone is interested to see the sessions (In Swedish), here you go!

 

An introduction to the Windows 7 Client.
http://mediadl.microsoft.com/mediadl/www/s/sverige/technettv/2009/Win7Summit/Windows7Summit-090226-pass1.wmv

 

New Technologies and Features in Windows Server 2008 R2
http://mediadl.microsoft.com/mediadl/www/s/sverige/technettv/2009/Win7Summit/Windows7Summit-090226-pass2.wmv

 

Redmond
Directly after the Windows 7 summit it was time to fly over to Seattle/Redmond for the Microsoft MVP Summit. A big thanks to the entire Directory Service Team at Microsoft for the amazing week we had in Redmond at the Microsoft Campus working with them, and all other DS MVPs that attended the Microsoft MVP Summit, also thanks to my friend Eddy for inviting me to his new house, you got a nice place J

 

Microsoft TechDays in Västerås

At Microsoft TechDays in Västerås (Sweden) I attended as a speaker and presented on how to Incorporate RODCs (Read Only Domain Controllers) to your existing Active Directory, this was a 400 level sessions where I decided to give a deep-dive on how RODCs really works (and doesn’t work) in detail and how it effects an already existing Active Directory and related components. Unfortunately time didn’t allow me to show the FAS (Filter Attribute Set) Demo, I’m sorry for that, but I’m planning a detail article on FAS works, the basic idea is that you can flag attributes with sensitive/confidential information to never replicate to RODCs, in case of an RODC compromise, this information isn’t reveled.

 

You can download the slide deck from the session here: tech_days09_sweden_ds_final.zip

 

I’ve got many questions about RODCs and DNS after my sessions, I’ve blogged about that topic a while ago, you can find the article here: How Read-Only Domain Controllers and DNS works.

 

Thanks to Microsoft for putting together the TechDays Conference, this was the first time the concept of “TechDays” where used in Sweden, the idea is to have a sort of local TechED event, and I must said everything did work very well, hopefully there will be a TechDays next year as well.

Fine Grain Password Policy Tool 1.0 (2300.0) RTM

Build: FGPP RTM_2300-20081223.0
Branch: FGPP-RTM-branch.
Usage: Production Usage.

 


General Information

 

This build is the final RTM build of the Fine Grain Password Policy Tool. (FGPP RTM_2300-20081223.0) For full release notes see the document “Release notes for Fine Grain Password Policy Tool” included in the package, as well to be released on the website later today, other documentation available with this release are.

 

·         Quick Start Guide for Fine Grain Password Policy Tool

 

·         Windows PowerShell Usage for Fine Grain Password Policy Tool

 

·         Password Policy Samples for Fine Grain Password Policy Tool

 


Acknowledgements


Stanimir Stoyanov,
thanks
for providing the incredible support and your ideas while this piece of software was being written. Especially for the work that was done with the Native Methods. Please have a look at this blog for other projects he has been released http://www.stoyanoff.info

 


Björn Österman, t
hanks for your help and support with the initial design of the Password Policy class.

 


TrueSec Team
, thanks for providing support while this piece of software was being written.

 

Overview of Fine Grain Password Policies in Windows Server 2008:
http://technet2.microsoft.com/windowsserver2008/en/library/056a73ef-5c9e-44d7-acc1-4f0bade6cd751033.mspx

 

Download

Download Fine Grain Password Policy Tool (x86) 1.0.
http://blogs.chrisse.se/files/folders/fgpp/entry51.aspx

Download Fine Grain Password Policy Tool (x64) 1.0.
http://blogs.chrisse.se/files/folders/fgpp/entry50.aspx

 

Quick Start Guide.
http://blogs.chrisse.se/blogs/chrisse/pages/fine-grain-password-policy-tool.aspx

 

System Requirements

Fine Grain Password Policy Tool 1.0 are “Supported” on the following platforms

 

·         Windows Server 2008

·         Windows Server 2008 R2

·         Windows Vista with Service Pack 1 or later

·         Windows 7

·         Windows Server 2003 with Service Pack 1 or later and Windows Server 2003 R2

·         Windows XP Service Pack 2 or later


Prerequisites
Before installing this build, you must have:

Windows Server 2008, Windows Server 2008 R2 and Windows Vista, Windows 7

·         Windows Server 2008 Active Directory Domain.

·         Windows PowerShell installed (for command-line and scripting support)

Windows Server 2003 and Windows XP

·         Microsoft .NET Framework 2.0.

·         Microsoft Management Console 3.0

·         Windows Server 2008 Active Directory Domain.

·         Windows PowerShell installed (for command-line and scripting support)

 
Usage information:

Fine Grain Password Policy Tool Core PowerShell Samples.

FGPP RTM supports the following PowerShell Commands.

Create new Password Policies

New-PasswordPolicy <Name> [-domain <FQDNDomainName>] >] [–server <DCFQDN>] -MaximumPasswordAge <timespan> -MinimumPasswordAge <timespan> -MinimumPasswordLength <PassswordMinLenght> -PasswordComplexityEnabled <$True/$False> -PasswordReversibleEncryptionEnabled <$True/$False> -PasswordSettingsPrecendence <PrecendenceOrder> -PasswordHistoryLength <NumberOfPasswords> -LockoutDuration <timespan> -LockoutObservationWindow <timespan> -LockoutThreshold <int> -AppliesTo *SupportedNameFormats

 


Modify existing Password Policies
Modify-PasswordPolicy <name> [-domain <FQDNDomainName>] >] [–server <DCFQDN>] [-MaximumPasswordAge <timespan>] [-MinimumPasswordAge <timespan>] [-MinimumPasswordLength <PassswordMinLenght>] [-PasswordComplexityEnabled <$True/$False>] [-PasswordReversibleEncryptionEnabled <$True/$False>] [-PasswordSettingsPrecendence <PrecendenceOrder>] [-PasswordHistoryLength <NumberOfPasswords>] [-LockoutDuration <timespan>] [-LockoutObservationWindow <timespan>] [-LockoutThreshold <int>] -AppliesToAdd *SupportedNameFormats -AppliesToRemove *SupportedNameFormats

 


Delete Password Policies
Delete-PasswordPolicy <name> [-domain <FQDNDomainName>] [–server <DCFQDN>] [-all]

 

Reame Password Policies
Rename-PasswordPolicy <name> [-domain <FQDNDomainName>] -NewName <name>

 


Add users and global groups to an existing Password Policy
Add-PasswordPolicy -Name <name> [-domain <FQDNDomainName>] [–server <DCFQDN>] -AppliesTo *SupportedNameFormats

Remove users and global groups to an existing Password Policy
Remove-PasswordPolicy -Name <name> [-domain <FQDNDomainName>] [–server <DCFQDN>] -AppliesTo *SupportedNameFormats [-all]

 

Get the Effective PasswordPolicy for one or more users objects

Get-PasswordPolicyEffective <name> [-domain <FQDNDomainName>] [–server <DCFQDN>]

Export Password Policies

Export-PasswordPolicy <name> <path> [-domain <FQDNDomainName>] [–server <DCFQDN>]


Import Password Policies

Import-PasswordPolicy <name> <path> [-domain <FQDNDomainName>] [–server <DCFQDN>]

————————————————————————————————————————————————————–

*SupportedNameFormats: [DomainUserN, “First LastName”, {4fa050f0-f561-11cf-bdd9-00aa003a77b6}, example.microsoft.com/software/user name, usern@example.microsoft.com, S-1-5-21-397955417-626881126-188441444-501]

 
Fine Grain Password Policy Tool Additional PowerShell Samples.
————————————————————————————————————————————————————–

 

How to use the Get-PasswordPolicy and New-PasswordPolicy to copy an existing PasswordPolicy

 

Note: Any parameter can be used with New-PasswordPolicy override settings from the existing policy.

 

Get-PasswordPolicy <name> [-domain <FQDNDomainName>] | New-PasswordPolicy <Name> [-domain <FQDNDomainName>] [-MaximumPasswordAge <timespan>] [-MinimumPasswordAge <timespan>] [-MinimumPasswordLength <PassswordMinLenght>] [-PasswordComplexityEnabled <$True/$False>] [-PasswordReversibleEncryptionEnabled <$True/$False>] [-PasswordSettingsPrecendence <PrecendenceOrder>] [-PasswordHistoryLength <NumberOfPasswords>] [-LockoutDuration <timespan>] [-LockoutObservationWindow <timespan>] [-LockoutThreshold <int> -AppliesTo * SupportedNameFormats]

 

————————————————————————————————————————————————————–

 

How to check policy compliance for linked users for a one or more Password Policies

foreach ($Policy in Get-PasswordPolicy [<Name>]) { foreach ($Applied in $Policy.AppliesTo) { Get-PasswordPolicyEffective $Applied } }

Windows Server 2003 Domain Controllers may perform Automatic Site Coverage for RODCs

Note: Domain controllers running Windows Server 2003 do not consider RODCs when they evaluate site coverage requirements and may register its Domain Name System (DNS) service (SRV) resource records for a site that contains an RODC. As a result, they perform automatic site coverage for any site regardless of the presence of an RODC for the same domain. Consequently, client computers that attempt to discover a domain controller in the RODC site can also find the domain controller that is running Windows Server 2003 and may not authenticate to the RODC.

 

There are a few possible solutions for this problem:

 

 

    1. Apply the Windows Server 2008 read-only domain controller compatibility pack for Windows Server 2003 clients and for Windows XP clients (http://support.microsoft.com/kb/944043/en-us)
      (This hotfix has to be applied to all Windows Server 2003 DCs that may perform automatic site Coverage)

 

    1. Ensure that only domain controllers running Windows Server 2008 are present in the site closest to the RODC site.

 

    1. Configure the weight or the priority of the DNS SRV records so that clients are more likely to authenticate with the RODC than with a remote Windows Server 2003 domain controller.

 

  1. Disable automatic site coverage on domain controllers running Windows Server 2003 present in the site closest to the RODC site.

 

How to disable automatic site coverage:

 

 

    1. Click Start, click Run, type regedit, and then click OK.

 

    1. Navigate to the following registry subkey HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetlogonParameters

 

    1. Click Edit, point to New, and then click DWORD Value.

 

    1. Type AutoSiteCoverage as the name of the new entry, and then press ENTER.

 

    1. Double-click the new AutoSiteCoverage registry entry

 

    1. Under Value data, type 0 to disable automatic site coverage. 1 = to enable it.

 

    1. Click Start, Click Run, type cmd and then click OK.

 

  1. In the Command Prompt, type the following command:
    nltest /dsregdns or restart the netlogon service