Top Tips

I have previously written about this, but feel it’s worthy of another mention.  Microsoft have hidden away on their WHDC (Windows Hardware Developer Central) website, an excellent document on Performance Tuning Guidelines for Windows Server 2008 R2.  It is worthy of a read as it details lots of changes in functionality that can affect performance.

The paper was last updated on May 16th 2011 and details:

Choosing and Tuning Server Hardware
Performance Tuning for the Networking Subsystem
Performance Tuning for the Storage Subsystem
Performance Tuning for Web Servers
Performance Tuning for File Servers
Performance Tuning for Active Directory Servers
Performance Tuning for Remote Desktop Session Host (formerly Terminal Server)
Performance Tuning for Remote Desktop Gateway
Performance Tuning for Virtualization Servers
Performance Tuning for File Server Workload (NetBench)
Performance Tuning for File Server Workload (SPECsfs2008)
Performance Tuning for Network Workload (NTttcp)
Performance Tuning for Remote Desktop Services Knowledge Worker Workload
Performance Tuning for SAP Sales and Distribution Two-Tier Workload
Performance Tuning for TPC-E Workload

October 2012 Update: 

Updated Server Core Installation Option, Correct Memory Sizing for Child Partitions, and Correct Memory Sizing for Root Partition.

September 2012 Update:

Further updates to the Performance Tuning guidance for the TPC-E Workload section

May 2011 Update:

“Performance Tuning for Web Servers” – Updated guidance to reflect that Http.sys manages connections automatically.

“Performance Tuning for File Servers” – Fixed typos in NFS Server tuning parameter registry keys.

“Performance Tuning for Virtualization Servers” – Added information about Dynamic Memory tuning.

“Performance Tuning for TPC-E Workload” – Clarified tuning guidance.

“Resources” – Updated references.

October 15th Update:

Throughout the paper – Clarified some explanations; clarified energy consumption vs. power consumption.

“Interrupt Affinity” – Added recommendation to use device-specific mechanism for binding interrupts, if supported by the driver model.

“Network-Related Performance Counters” – Added IPv6 and TCPv6.

“Performance Tuning for the Storage Subsystem” – Various minor updates throughout.

“Performance Tuning for File Servers” – Added guidance for NtfsDisableLastAccessUpdate; added “Tuning Parameters for NFS Server”, “File Server Tuning Example”, and “File Client Tuning Example”.

“Performance Tuning for Remote Desktop Session Host” – Added references to two new white papers on capacity planning.

“Monitoring and Data Collection” (multiple sections) – Updated the list of counters to monitor.

“Performance Tuning for File Server Workload (SPECsfs2008)” – New section.

“Performance Tuning for SAP Sales and Distribution Two-Tier Workload” – Substantial updates to the whole section.

“Performance Tuning for TPC-E Workload” – New section.

“Resources” – A few additions and updates.

Today I was presented with a Windows 7 Home Premium laptop that, until a couple of days ago, had sound and LAN connectivity.

The sound worked when diagnostics were run, but would not run when Windows 7 was loaded. So I knew it was not defective hardware.

The solution, which was relatively easy to implement, took a while to discover, and I will update this post at a later date with the troubleshooting steps.

The solution was to add the networkservice and localservice accounts to the local Administrators group.

This can be done by running these two commands from an elevated command prompt:

net localgroup Administrators /add networkservice

net localgroup Administrators /add localservice

Once these two commands are run, restart the laptop and if your issue was the same as mine, sound (and LAN) should now be working.
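
After this change every service that runs as NetworkService or LocalService holds local administrator rights, so it is useful to be able to find machines where it has been applied. The PowerShell check below is an added example, not part of the original post; the function name Get-ServiceIdentityAdmins is hypothetical, and the two identities are matched by their well-known SIDs rather than by name.

```powershell
# Added example, not from the original post.
# Well-known SIDs are used so the check does not depend on display language.
$serviceSids = @{
    'S-1-5-19' = 'LOCAL SERVICE'
    'S-1-5-20' = 'NETWORK SERVICE'
}

function Get-ServiceIdentityAdmins {
    # Resolve BUILTIN\Administrators (S-1-5-32-544) to its local group name.
    $adminSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $groupName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group     = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"

    # Enumerate the members and keep only the two service identities.
    $group.psbase.Invoke('Members') | ForEach-Object {
        $bytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
        $sid   = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
        if ($serviceSids.ContainsKey($sid)) {
            New-Object PSObject -Property @{ Sid = $sid; Identity = $serviceSids[$sid] }
        }
    }
}

$found = @(Get-ServiceIdentityAdmins)
if ($found.Count -eq 0) {
    'Neither LOCAL SERVICE nor NETWORK SERVICE is a member of Administrators.'
} else {
    $found | ForEach-Object { '{0} ({1}) is a member of Administrators.' -f $_.Identity, $_.Sid }
}
```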

I recently found a need to have Operating System and Service Pack information displayed dynamically in Active Directory Users and Computers rather than have it hardcoded into the Description attribute of the computer object.

I remembered that many moons ago, I had seen Dean Wells demonstrate this ability, so I dug out my notes and thought I would share (but Kudos to Dean).

If you open Active Directory Users and Computers, navigate to an OU and then select View > Add/Remove Columns, we can see that the information about the Operating System is not available to add as a column.

But if we right-click on a computer object, we can see that Active Directory knows about the computer's Operating System and Service Pack information.

If you view the computer's attributes, we can see how these attributes are stored in Active Directory.

The attributes I am interested in displaying in Active Directory Users and Computers are:

operatingSystem and operatingSystemServicePack

To add them to the Add/Remove Columns tab, log on to Active Directory with Schema Admin privileges and start ADSIEDIT.MSC.

Navigate to the Configuration Partition and then DisplaySpecifiers and then select the code page for your language. For me this is 409.

Navigate to CN=organizationalUnit-Display, double-click it and navigate to extraColumns.

Double-click extraColumns and add the following two values.

operatingSystem,Operating System,0,150,0
operatingSystemServicePack,Service Pack,0,150,0

These values equate to:

<ldapDisplayName>,<Column Title>,<Displayed by default>,<Column Width>,<unused>


Once the values are added, navigate your way out of ADSIEDIT.MSC and open Active Directory Users and Computers. Once again navigate to an OU and then select View > Add/Remove Columns; we can now see two additional columns.

Select Add to make them available in the displayed columns.

We now have Operating System and Service Pack information available at a glance, but many of the other attributes can be added in exactly the same way.
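
The same ADSI Edit steps can be scripted. The PowerShell below is an added example, not part of the original post: it assumes the ActiveDirectory module and the same rights used for ADSI Edit above, checks each value against the five-field format and the schema, and only previews the change unless the hypothetical -Apply switch is given.

```powershell
# Added example (not from the original post): the ADSI Edit steps as a script.
param([switch]$Apply)          # without -Apply the change is only previewed

Import-Module ActiveDirectory

$localeId = '409'              # display-specifier code page used in the post
$wanted = @(
    'operatingSystem,Operating System,0,150,0'
    'operatingSystemServicePack,Service Pack,0,150,0'
)

$root = Get-ADRootDSE
$dn   = "CN=organizationalUnit-Display,CN=$localeId,CN=DisplaySpecifiers," +
        $root.configurationNamingContext
$spec = Get-ADObject -Identity $dn -Properties extraColumns

# Attribute names that already have a column on this display specifier.
$present = @($spec.extraColumns | ForEach-Object { ($_ -split ',')[0] })

$toAdd = foreach ($value in $wanted) {
    # <ldapDisplayName>,<Column Title>,<Displayed by default>,<Column Width>,<unused>
    $fields = $value -split ','
    if ($fields.Count -ne 5 -or $fields[2] -notmatch '^[01]$' -or
        $fields[3] -notmatch '^-?\d+$') {
        Write-Warning "Skipping malformed value: $value"; continue
    }
    # The first field must name an attribute that exists in the schema.
    $attr = Get-ADObject -SearchBase $root.schemaNamingContext `
                -LDAPFilter "(lDAPDisplayName=$($fields[0]))"
    if (-not $attr) { Write-Warning "No schema attribute named $($fields[0])"; continue }
    if ($present -contains $fields[0]) { continue }   # column already defined
    $value
}

if ($toAdd) {
    Set-ADObject -Identity $dn -Add @{ extraColumns = [string[]]@($toAdd) } -WhatIf:(-not $Apply)
} else {
    'Nothing to add.'
}
```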

Although Active Directory has been available for over ten years, one question that comes up time and time again at customer sites is “What do the Forest and Domain Functional Levels do and should I set them?” After validating their Active Directory my answer is usually yes, but what do these levels enable within Active Directory?

Domain functional levels

The functional level for a domain enables features that affect only that domain.

There are six domain functional levels:

Windows 2000 mixed (the default in Windows Server 2003) DFL 0
Windows 2000 native DFL 0
Windows Server 2003 interim DFL 1
Windows Server 2003 DFL 2
Windows Server 2008 DFL 3
Windows Server 2008 R2 DFL 4
Windows Server 2012  DFL 5
Windows Server 2012 R2 DFL 6

Forest functional levels

The functional level for a forest enables features in all domains within a forest.

There are five forest functional levels:

Windows 2000 (the default in Windows Server 2003 and Windows Server 2008) FFL 0
Windows Server 2003 interim FFL 1
Windows Server 2003 (the default in Windows Server 2008 R2) FFL 2
Windows Server 2008 FFL 3
Windows Server 2008 R2 FFL 4
Windows Server 2012  FFL 5
Windows Server 2012 R2 FFL 6

Domain Functional Level

Windows 2000 native

All default Active Directory features and the following features:

Universal groups are enabled for both distribution groups and security groups.

Group nesting.

Group conversion is enabled, which makes conversion possible between security groups and distribution groups.

Security Identifier (SID) history

Supported Domain Controllers

Windows 2000 Server
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2

Windows Server 2003

All default Active Directory features,

All features from the Windows 2000 native domain functional level, plus the following features:

The availability of the domain management tool, Netdom.exe, to prepare for domain controller rename.

Update of the logon time stamp. The lastLogonTimestamp attribute is updated with the last logon time of the user or computer. This attribute is replicated within the domain.

The ability to set the userPassword attribute as the effective password on the inetOrgPerson object and user objects.

The ability to redirect Users and Computers containers. By default, two well-known containers are provided for housing computer and user/group accounts: cn=Computers,<domain root> and cn=Users,<domain root>. This feature makes it possible to define a new well-known location for these accounts.

Authorization Manager can store its authorization policies in AD DS.

Constrained delegation is included, which makes it possible for applications to take advantage of the secure delegation of user credentials by means of the Kerberos authentication protocol. You can configure delegation to be allowed only to specific destination services.

Selective authentication is supported, which makes it possible to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest.

Supported Domain Controllers

Windows Server 2003
Windows Server 2008
Windows Server 2008 R2

Windows Server 2008

All default Active Directory features, all features from the Windows Server 2003 domain functional level, plus the following features:

Distributed File System Replication support for SYSVOL, which provides more robust and detailed replication of SYSVOL contents.

Advanced Encryption Standard (AES 128 and 256) support for the Kerberos authentication protocol.

Last Interactive Logon Information, which displays the time of the last successful interactive logon for a user, from what workstation, and the number of failed logon attempts since the last logon.

Fine-grained password policies, which make it possible for password policies and account lockout policies to be specified for users and global security groups in a domain.

Supported Domain Controllers

Windows Server 2008
Windows Server 2008 R2

Windows Server 2008 R2

All default Active Directory features, all features from the Windows Server 2008 domain functional level, plus the following features:

Authentication mechanism assurance, which packages information about the type of logon method (smart card or user name/password) that is used to authenticate domain users inside each user’s Kerberos token. When this feature is enabled in a network environment that has deployed a federated identity management infrastructure, such as Active Directory Federation Services (AD FS), the information in the token can then be extracted whenever a user attempts to access any claims-aware application that has been developed to determine authorization based on a user’s logon method.

Supported Domain Controllers

Windows Server 2008 R2

Windows Server 2012

All default Active Directory features, all features from the Windows Server 2008 R2 domain functional level, plus the following features:

The KDC support for claims, compound authentication, and Kerberos armoring.

Supported Domain Controllers

Windows Server 2012
Windows Server 2012 R2

Windows Server 2012 R2

All default Active Directory features, all features from the Windows Server 2012 domain functional level, plus the following features:

DC-side protections for Protected Users. Protected Users authenticating to a Windows Server 2012 R2 domain can no longer:

  • Authenticate with NTLM authentication
  • Use DES or RC4 cipher suites in Kerberos pre-authentication
  • Be delegated with unconstrained or constrained delegation
  • Renew user tickets (TGTs) beyond the initial 4 hour lifetime

Authentication Policies

New forest-based Active Directory policies which can be applied to accounts in Windows Server 2012 R2 domains to control which hosts an account can sign-on from and apply access control conditions for authentication to services running as an account.

Authentication Policy Silos

New forest-based Active Directory object, which can create a relationship between user, managed service and computer accounts to be used to classify accounts for authentication policies or for authentication isolation.

Supported Domain Controllers

Windows Server 2012 R2

Forest Functional Level

Windows 2000 Server

All default Active Directory features, plus the following features:

Supported Domain Controllers

Windows NT 4.0
Windows 2000
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2

Windows Server 2003

All default Active Directory features, plus the following features:

Forest trust

Domain rename

Linked-value replication (Changes in group membership store and replicate values for individual members instead of replicating the entire membership as a single unit.) This results in lower network bandwidth and processor usage during replication and eliminates the possibility of lost updates when different members are added or removed concurrently at different domain controllers.

The ability to deploy a read-only domain controller (RODC) that runs Windows Server 2008.

Improved Knowledge Consistency Checker (KCC) algorithms and scalability. The intersite topology generator (ISTG) uses improved algorithms that scale to support forests with a greater number of sites than can be supported at the Windows 2000 forest functional level.

The ability to create instances of the dynamic auxiliary class called dynamicObject in a domain directory partition.

The ability to convert an inetOrgPerson object instance into a User object instance, and the reverse.

The ability to create instances of the new group types, called application basic groups and Lightweight Directory Access Protocol (LDAP) query groups, to support role-based authorization.

Deactivation and redefinition of attributes and classes in the schema.

Supported Domain Controllers

Windows Server 2003
Windows Server 2008
Windows Server 2008 R2

Windows Server 2008

This functional level provides all of the features that are available at the Windows Server 2003 forest functional level, but no additional features.

Supported Domain Controllers

Windows Server 2008
Windows Server 2008 R2

Windows Server 2008 R2

All of the features that are available at the Windows Server 2008 forest functional level, plus the following features:

Active Directory Recycle Bin, which provides the ability to restore deleted objects in their entirety while AD DS is running.

Supported Domain Controllers

Windows Server 2008 R2

Windows Server 2012

All of the features that are available at the Windows Server 2008 R2 forest functional level, but no additional features.

All domains that are subsequently added to the forest will operate at the Windows Server 2012 domain functional level by default.

Supported Domain Controllers

Windows Server 2012
Windows Server 2012 R2

Windows Server 2012 R2

All of the features that are available at the Windows Server 2012 forest functional level, but no additional features.

All domains that are subsequently added to the forest will operate at the Windows Server 2012 R2 domain functional level by default.

Supported Domain Controllers

Windows Server 2012 R2
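
The "Supported Domain Controllers" lists above are what decide whether a level can be raised, and that can be checked from the directory itself. The PowerShell below is an added example, not part of the original post: it assumes the ActiveDirectory module and reads msDS-Behavior-Version, the attribute that stores the DFL/FFL numbers, from the domain, the forest's Partitions container and each DC's NTDS Settings object. The function names are hypothetical and only the current domain's DCs are examined.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# msDS-Behavior-Version values, numbered as in the DFL/FFL lists above.
$levelName = @{
    0 = 'Windows 2000';           1 = 'Windows Server 2003 interim'
    2 = 'Windows Server 2003';    3 = 'Windows Server 2008'
    4 = 'Windows Server 2008 R2'; 5 = 'Windows Server 2012'
    6 = 'Windows Server 2012 R2'
}

function Get-LevelName([int]$Level) {
    if ($levelName.ContainsKey($Level)) { $levelName[$Level] } else { "level $Level (not listed in the post)" }
}

function Get-FunctionalLevelReport {
    $attr   = 'msDS-Behavior-Version'
    $root   = Get-ADRootDSE
    $domain = Get-ADObject -Identity $root.defaultNamingContext -Properties $attr
    $forest = Get-ADObject -Identity "CN=Partitions,$($root.configurationNamingContext)" -Properties $attr

    # Each DC records the highest level it supports on its NTDS Settings object.
    $dcs = @(Get-ADDomainController -Filter * | ForEach-Object {
        $ntds = Get-ADObject -Identity $_.NTDSSettingsObjectDN -Properties $attr
        New-Object PSObject -Property @{
            Name            = $_.HostName
            OperatingSystem = $_.OperatingSystem
            MaxLevel        = [int]$ntds.$attr
        }
    })

    # A domain cannot be raised above the lowest level any of its DCs supports.
    $current = [int]$domain.$attr
    $ceiling = [int]($dcs | Measure-Object -Property MaxLevel -Minimum).Minimum

    New-Object PSObject -Property @{
        ForestLevel   = Get-LevelName ([int]$forest.$attr)
        DomainLevel   = Get-LevelName $current
        DomainCeiling = Get-LevelName $ceiling
        CanRaise      = $ceiling -gt $current
        LimitingDCs   = @($dcs | Where-Object { $_.MaxLevel -eq $ceiling } |
                          ForEach-Object { "$($_.Name) ($($_.OperatingSystem))" })
    }
}

Get-FunctionalLevelReport | Format-List
```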

Are you looking to plan, pilot or deploy Windows and Office?

The Microsoft Springboard team from Redmond will be in the UK en route to TechEd Europe (Berlin) on Monday 1st November, when they will be delivering a five hour workshop on:

Office 2010 IT investments.

Key deployment strategies for Windows 7 and the Microsoft Desktop Optimization Pack.

Opportunities for training and certification in these key products.

Why Windows 7 has received rave reviews from IT organisations and is setting records as the fastest selling operating system in history.

Tools, tips and tricks you need now to jumpstart the successful deployment and management of your Windows desktop environment today.

If you are interested in attending, then register today for the workshop and the opportunity to come and network with members of the US based Windows and Office Product Teams, as well as local Microsoft Technology Evangelists.

To verify what version of the Active Directory Schema you have installed:

Using adsiedit.msc, navigate to either of the relevant locations:

Active Directory Schema version  “CN=Schema,CN=Configuration,DC=domain,DC=local”

Note: Replace “dc=domain,dc=local” with your domain information.

To verify the schema version, right click the distinguishedName that you navigated to and scroll down to the objectVersion attribute and note the value.

Compare the attribute's value to the table below:

Active Directory Schema Versions.

13 Windows 2000 Server
30 Windows Server 2003, Service Pack 1, Service Pack 2
31 Windows Server 2003 R2, Windows Server 2003 R2 SP2
39 The beta schema that shipped on the Vista DVD and not supported.  Read this post by Ned
44 Windows Server 2008 RTM, Windows Server 2008 SP2
47 Windows Server 2008 R2
51 Windows Server 8 – Developer Preview
52 Windows Server 8 – Beta
56 Windows Server 2012
69 Windows Server 2012 R2
72 Windows Server 10 Technical Preview (Build 9841)

Exchange Schema Versions. (rangeUpper attribute value of ms-Exch-Schema-Version-Pt)

4397      Exchange Server 2000 RTM
4406      Exchange Server 2000 Service Pack 3
6870      Exchange Server 2003 RTM
10637    Exchange Server 2007 RTM
11116    Exchange Server 2007 Service Pack 1
14622    Exchange Server 2007 Service Pack 2
14625    Exchange Server 2007 Service Pack 3
14622    Exchange Server 2010 RTM
14726    Exchange Server 2010 Service Pack 1
14732    Exchange Server 2010 Service Pack 2
14734    Exchange Server 2010 Service Pack 3
15137    Exchange Server 2013 RTM
15254    Exchange Server 2013 CU1
15281    Exchange Server 2013 CU2
15283    Exchange Server 2013 CU3
15292    Exchange Server 2013 SP1
15300   Exchange Server 2013 CU5
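
The lookup described above can be done without ADSI Edit. The PowerShell below is an added example, not part of the original post: it assumes the ActiveDirectory module, reads objectVersion from the schema partition and rangeUpper from ms-Exch-Schema-Version-Pt, and maps both through the tables above. The function names are hypothetical, and because the post lists 14622 for two Exchange releases that value is reported as ambiguous.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Tables copied from the post; 14622 appears there for two Exchange releases.
$adVersions = @{
    13 = 'Windows 2000 Server'
    30 = 'Windows Server 2003, Service Pack 1, Service Pack 2'
    31 = 'Windows Server 2003 R2, Windows Server 2003 R2 SP2'
    39 = 'Vista DVD beta schema (not supported)'
    44 = 'Windows Server 2008 RTM, Windows Server 2008 SP2'
    47 = 'Windows Server 2008 R2'
    51 = 'Windows Server 8 - Developer Preview'
    52 = 'Windows Server 8 - Beta'
    56 = 'Windows Server 2012'
    69 = 'Windows Server 2012 R2'
    72 = 'Windows Server 10 Technical Preview (Build 9841)'
}
$exVersions = @{
    4397  = 'Exchange Server 2000 RTM';  4406  = 'Exchange Server 2000 Service Pack 3'
    6870  = 'Exchange Server 2003 RTM';  10637 = 'Exchange Server 2007 RTM'
    11116 = 'Exchange Server 2007 Service Pack 1'
    14622 = 'Exchange Server 2007 Service Pack 2 or Exchange Server 2010 RTM (ambiguous)'
    14625 = 'Exchange Server 2007 Service Pack 3'
    14726 = 'Exchange Server 2010 Service Pack 1'
    14732 = 'Exchange Server 2010 Service Pack 2'
    14734 = 'Exchange Server 2010 Service Pack 3'
    15137 = 'Exchange Server 2013 RTM';  15254 = 'Exchange Server 2013 CU1'
    15281 = 'Exchange Server 2013 CU2';  15283 = 'Exchange Server 2013 CU3'
    15292 = 'Exchange Server 2013 SP1';  15300 = 'Exchange Server 2013 CU5'
}

function Resolve-SchemaVersion($Table, $Value) {
    if ($null -eq $Value) { return 'not present' }
    if ($Table.ContainsKey([int]$Value)) { return "$Value = $($Table[[int]$Value])" }
    "$Value (not in the post's table)"
}

function Get-SchemaVersionReport {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $schema   = Get-ADObject -Identity $schemaNC -Properties objectVersion
    # Search instead of binding by DN so a forest without Exchange returns nothing.
    $exch     = Get-ADObject -SearchBase $schemaNC -Properties rangeUpper `
                    -LDAPFilter '(cn=ms-Exch-Schema-Version-Pt)'
    $exValue  = if ($exch) { $exch.rangeUpper } else { $null }

    New-Object PSObject -Property @{
        ActiveDirectory = Resolve-SchemaVersion $adVersions $schema.objectVersion
        Exchange        = Resolve-SchemaVersion $exVersions $exValue
    }
}

Get-SchemaVersionReport | Format-List
```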

I am not a big Google product user but one of their applications which I use on a regular basis is Google Latitude.

Google Latitude interfaces with Google Maps and shares your current location with people you have chosen to share it with.

Google Latitude seamlessly integrates with my Blackberry 9700 and my wife’s Blackberry 8900 allowing us to know where the other one is (this is great for when I am nearly home, as she knows when to put the kettle on, but not so good when I am in the pub). It also helps to track down a misplaced Blackberry.

Looking through the Google Latitude website today, I noticed that I can easily obtain summary reports of where I have been.

I found these of great interest. They are only as accurate as the phone signal itself, but I should imagine that they are accurate to within a small percentage.

Last week:

I spent 44 Hours at work (not sure how Google knows this is work).

I spent 72 hours at home.


I spent 35 hours out somewhere else.

And 17 hours Google Latitude did not know about: (24 x 7) – (44 + 72 + 35) = 168 – 151 = 17

I find this information quite interesting as it shows that I am not always in the pub.