no-start-ma status with SQL Server MA in ILM

I discovered today that an expired password on a SQL Server account (as in a non-Windows login) results in very strange and misleading error messages from the SQL MA in ILM. I usually try to avoid SQL Server accounts, but there are times when the customer environment and policies dictate otherwise.

Running an Import with the SQL MA using a SQL Server account with an expired password will fail with the status no-start-ma. The underlying error message is session-establishment-failure, and the corresponding event log entry contains the ever helpful "Failed to start run because of undiagnosed MA Error".

After clearing "Enforce password policy" and "Enforce password expiration" on the Login Properties page of the account in question in SQL Server Management Studio, everything worked like a charm.
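A pre-run check for the login the SQL MA authenticates with, so the expired password is caught before ILM reduces it to no-start-ma. This is an added C# example and not part of ILM or the SQL MA; the admin connection string and the login name are placeholders.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not part of ILM or the SQL MA: a pre-run check of the SQL Server login the
// MA authenticates with. The connection string and the login name are placeholders.
static class SqlMaLoginCheck
{
    // Returns true when the login can still open a session; the details go to the console.
    public static bool LoginCanConnect(string adminConnectionString, string loginName)
    {
        const string sql = @"
SELECT l.is_policy_checked, l.is_expiration_checked, l.is_disabled,
       LOGINPROPERTY(l.name, 'IsExpired')           AS IsExpired,
       LOGINPROPERTY(l.name, 'IsMustChange')        AS IsMustChange,
       LOGINPROPERTY(l.name, 'IsLocked')            AS IsLocked,
       LOGINPROPERTY(l.name, 'DaysUntilExpiration') AS DaysUntilExpiration
FROM sys.sql_logins AS l WHERE l.name = @login;";
        using (var conn = new SqlConnection(adminConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@login", SqlDbType.NVarChar, 128).Value = loginName;
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                if (!r.Read()) { Console.WriteLine("No SQL Server login named " + loginName); return false; }
                bool expired = Flag(r["IsExpired"]), mustChange = Flag(r["IsMustChange"]);
                bool locked = Flag(r["IsLocked"]), disabled = Flag(r["is_disabled"]);
                object daysLeft = r["DaysUntilExpiration"];   // NULL when not applicable to this login
                Console.WriteLine("policy={0} expiration={1} expired={2} mustChange={3} locked={4} disabled={5} daysLeft={6}",
                    Flag(r["is_policy_checked"]), Flag(r["is_expiration_checked"]), expired, mustChange,
                    locked, disabled, daysLeft == DBNull.Value ? "n/a" : daysLeft.ToString());
                // An expired password surfaces in ILM only as no-start-ma / session-establishment-failure.
                // ALTER LOGIN ... WITH PASSWORD = '...' clears IsExpired and IsMustChange with CHECK_EXPIRATION still on.
                return !(expired || mustChange || locked || disabled);
            }
        }
    }

    // LOGINPROPERTY returns sql_variant (int) and the sys.* flags are bit; NULL means "not applicable".
    static bool Flag(object value)
    {
        return value != DBNull.Value && Convert.ToInt32(value) != 0;
    }
}
```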

My summer so far

During the summer my colleague Pål and I have had the pleasure to design and implement an identity management solution based on ILM 2007 for a customer in the banking sector.  The solution is designed to manage bank customers and their respective identities in various systems. A new CRM system had recently been purchased but contained no customers yet. Our first job was to import all customer data from various data sources within the bank into ILM in a controlled fashion, preferably with some accuracy, and then do a one-shot export to the new CRM system. We started out with roughly 250k separate identities and after some rather elegant work on our part we were left with roughly 50k unique customer identities. We also export each customer’s system specific IDs to a reference table that is used by separate integration based on BizTalk to give authorized bank employees a complete overview of a customer with one click.

With all the customers present in the new and shiny CRM system the flow has now been reversed, meaning that a bank customer will begin his or her digital life within the bank in the CRM system. Automatic provisioning of customer identities into the various connected data sources is planned for later stages in the project.

Mattias, a fantastic project manager from the customer, did a great job of getting us to understand their business, the current identity related problems and thereby enabling us to simplify things for them. If you don’t take the time to really understand how the customer does their business and what their current pain points are then there is a fair chance that the resulting solution will help them very little.

Currently I am back at a customer for whom I designed an identity management solution last year. This particular customer has recently been acquired by a much larger company and is at the same time switching its entire infrastructure to a new outsourcing partner. The fun part of working with this customer is that they really aren’t afraid of making decisions, big or small. They listen to advice from experts and they usually go for the option that will serve them the best in the long run. Their area of business is quite cut-throat and it clearly shows in how agile they are getting things done.

I’m tasked with integration aspects between my customer and their new parent company while at the same time preparing for the move of ILM to the new outsourcing provider, the switch from Exchange 2003 to 2007…the list goes on and on. These are exciting times to say the least.

How is your summer?

Technet Edge

Joachim and I were recently interviewed for Technet Edge by David Tesar from Microsoft. I talk about AD snapshots, DSCT and there is also a short demo in there. This is my first proper interview (lights, make-up, etc.) but I’m quite happy with the result, although in retrospect I can think of several things I would have liked to have said at the time of the interview. These are mainly things I would like to see in the next or a future release of the snapshot functionality, such as:

  • Writeable snapshots
    Being able to make an exact copy of your production AD in seconds and then test your newly developed script or application against that would surely ease a lot of minds in IT departments the world over.
  • Better user experience when creating and mounting snapshots
    The snapshot feature is an awesome addition in Windows Server 2008 but the user experience of creating and mounting snapshots is quite poor.
  • More Volume Shadow Copy (VSS) functionality exposed via WMI (and managed classes in .NET)
    I have tried various approaches to duplicate how ntdsutil creates snapshots from managed code with no luck. The closest I’ve gotten is with WMI being able to create a shadow copy although it was created in the wrong context. The Win32_ShadowCopy.Create() method has a parameter for context but it will refuse to do anything unless ClientAccessible is specified. Ntdsutil creates snapshots in the AppRollback context.

Video tour of AD snapshots and DSCT

Joachim has published a screencast showing DSCT 1.2.1 in action. He also shows off various aspects of the Active Directory Snapshot feature in Windows Server 2008. If you have a few minutes to spare I highly recommend that you take a look.

Yay for Joachim!

Congratulations to Joachim, one of my best friends, who yesterday became a Microsoft MVP! A whole bunch of people went out to celebrate last night resulting in a bar tab of galactic proportions. My sense of pride and happiness for my friend is currently only surpassed by my hangover.

Upgrade to Hyper-V RTM

Since Hyper-V recently RTMed and I had a few minutes to spare while tooling around with other things I decided to upgrade the installation I had on my laptop. The upgrade went without a hitch, all my virtual machines appear to be happy campers so all is well. I have several virtual machines that I use when working with customers and a few private ones that are used for developing and testing DSCT.

The rather lovely laptop is an HP 8710w with 4 GB of RAM and I can without a doubt say that it so far is the finest laptop I’ve had the pleasure to work with. Coupled with Windows Server 2008 x64 as my desktop OS the experience is fast, responsive and rock solid from a reliability standpoint.

Even “mission critical” applications like Steam (Team Fortress 2 baby!) and my mobile broadband adapter work just like a charm in Windows Server 2008 x64.


New version of DSCT available

There is a new version of Directory Service Comparison (DSCT) available containing some usability improvements.

  • You can now search for and select the user object when artificially raising the highestCommittedUsn on the DC when connecting to a newly taken snapshot.
    This is an issue in Windows Server 2008 and is explained below.

Download links and more info

When you create a snapshot of Active Directory with ntdsutil, the value of highestCommittedUsn in the snapshot will be greater than the corresponding value on the DC. This means that the snapshot appears more up to date than the DC from a directory synchronization perspective. Comparing the two data sources will not be possible until the highestCommittedUsn value on the DC is equal to or greater than the value in the snapshot.

You can easily verify this by looking up the highestCommittedUsn values in RootDSE on both the DC and the snapshot with a tool like ADSIEdit:

  • DC: LDAP://myhost:389/RootDSE
  • Snapshot: LDAP://myhost:snapshotPort/RootDSE
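The same check done from code: read highestCommittedUSN from both RootDSE paths above and report whether the DC has caught up with the snapshot. This is an added C# example rather than DSCT code; "myhost", port 389 and the snapshot port 10389 are placeholders.

```csharp
using System;
using System.DirectoryServices;

// Added example, not DSCT code: read highestCommittedUSN from RootDSE on the DC and on the
// mounted snapshot and tell whether a comparison is possible yet. "myhost" and the port
// numbers are placeholders matching the ADSIEdit paths above.
static class UsnCheck
{
    static long ReadHighestCommittedUsn(string host, int port)
    {
        using (var rootDse = new DirectoryEntry("LDAP://" + host + ":" + port + "/RootDSE"))
        {
            // RootDSE hands the value back as a string
            return long.Parse(rootDse.Properties["highestCommittedUSN"].Value.ToString());
        }
    }

    // True once the DC has caught up with (or passed) the USN recorded in the snapshot.
    public static bool SnapshotIsComparable(string host, int dcPort, int snapshotPort)
    {
        long dcUsn = ReadHighestCommittedUsn(host, dcPort);
        long snapshotUsn = ReadHighestCommittedUsn(host, snapshotPort);
        Console.WriteLine("DC highestCommittedUSN={0}  snapshot highestCommittedUSN={1}  gap={2}",
            dcUsn, snapshotUsn, snapshotUsn - dcUsn);
        return dcUsn >= snapshotUsn;
    }

    static void Main()
    {
        // "myhost", 389 and 10389 are placeholders; use the port the snapshot was mounted on
        bool ok = SnapshotIsComparable("myhost", 389, 10389);
        Console.WriteLine(ok ? "DirSync comparison possible"
                             : "DC is still behind the snapshot: wait, or raise the DC USN as DSCT does");
    }
}
```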


IE Phishing filter strangeness

Somehow I managed to anger the phishing filter in Internet Explorer in my previous post. Can’t say I understand what the problem is…hm…

How DSCT works

DSCT, acting as a DirSync client, gets the current state of the snapshot by retrieving a DirectorySynchronization cookie. By supplying this cookie in the query against the DC, only the changes that have been made since the snapshot was taken are returned, in the form of a SearchResultCollection. DSCT examines each object that is returned and looks for the presence of specific attributes and values to determine whether the object has been modified, added or deleted since the snapshot was taken.

When you select an object in DSCT a few different things will happen depending on the type of modification that DSCT has detected.

  • If the attribute whenCreated is present then the object was created after the snapshot was taken. DSCT will not try to look up the corresponding object in the snapshot since it won’t exist.
  • If the distinguishedName contains “Deleted Objects” then the object was deleted since the snapshot was taken (not the ideal approach, will change in next release). DSCT will look up this object in the snapshot unless whenCreated is present. If whenCreated is present on a deleted object it means that it was both created and deleted after the snapshot was taken.
  • If none of the above rules apply, then one or more attributes on the object have been modified since the snapshot was taken. DSCT will look up the corresponding object in the snapshot since it is guaranteed to exist.

DSCT uses the objectGUID value of the selected object to look up the corresponding object in the snapshot. That way objects can be matched even if they have been moved or renamed in Active Directory since the snapshot was taken.

The reanimation feature uses functionality in System.DirectoryServices.Protocols to clear the isDeleted value and also move the object back to its lastKnownParent.

The restore attribute value feature simply copies the values for each selected attribute from the snapshot object to the actual object in Active Directory:

de.Properties[selectedAttributeName].Value = snapshotDE.Properties[selectedAttributeName].Value;
de.CommitChanges(); // the copied value is only written back to the DC when the DirectoryEntry is committed
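
The DirSync round trip described in this post, from taking the cookie on the snapshot to classifying each returned object and binding its snapshot copy by objectGUID, as an added C# example that is not DSCT’s own source. "myhost", the snapshot port and the naming context are placeholders; the snapshot is assumed to be mounted with dsamain and the DC to listen on port 389.

```csharp
using System;
using System.DirectoryServices;

// Added example, not DSCT's own source: the DirSync round trip described above. "myhost", snapshotPort
// and namingContext are placeholders; the snapshot is assumed mounted with dsamain, the DC on port 389.
enum ChangeKind { Added, Deleted, AddedAndDeleted, Modified }
static class SnapshotDiff
{
    // Step 1: a full DirSync search of the snapshot yields a cookie for "the state at snapshot time".
    static byte[] GetSnapshotCookie(string host, int snapshotPort, string namingContext)
    {
        using (var root = new DirectoryEntry("LDAP://" + host + ":" + snapshotPort + "/" + namingContext))
        using (var s = new DirectorySearcher(root, "(objectClass=*)", new[] { "objectGUID" }))
        {
            s.DirectorySynchronization = new DirectorySynchronization(DirectorySynchronizationOptions.None);
            using (SearchResultCollection all = s.FindAll()) { foreach (SearchResult r in all) { } }
            return s.DirectorySynchronization.GetDirectorySynchronizationCookie();
        }
    }
    // Step 2: the three rules above, applied to one object the DC returned for that cookie.
    static ChangeKind Classify(SearchResult r)
    {
        bool created = r.Properties.Contains("whenCreated");
        bool deleted = r.Path.IndexOf("Deleted Objects", StringComparison.OrdinalIgnoreCase) >= 0;
        if (deleted) return created ? ChangeKind.AddedAndDeleted : ChangeKind.Deleted;
        return created ? ChangeKind.Added : ChangeKind.Modified;
    }

    public static void Run(string host, int snapshotPort, string namingContext)
    {
        byte[] cookie = GetSnapshotCookie(host, snapshotPort, namingContext);
        using (var root = new DirectoryEntry("LDAP://" + host + ":389/" + namingContext))
        using (var s = new DirectorySearcher(root, "(objectClass=*)"))
        {
            s.DirectorySynchronization = new DirectorySynchronization(cookie); // only changes since the snapshot
            s.Tombstone = true;                                                 // deleted objects as well
            foreach (SearchResult r in s.FindAll())
            {
                ChangeKind kind = Classify(r);
                Console.WriteLine("{0,-16} {1}", kind, r.Path);
                if (kind == ChangeKind.Added) continue;   // created after the snapshot: nothing to look up
                // Step 3: bind the snapshot copy by objectGUID, which survives moves and renames.
                var guid = new Guid((byte[])r.Properties["objectGUID"][0]);
                using (var snapshotDE = new DirectoryEntry("LDAP://" + host + ":" + snapshotPort + "/<GUID=" + guid + ">"))
                    Console.WriteLine("   snapshot copy: " + snapshotDE.Properties["distinguishedName"].Value);
            }
        }
    }
}
```

The DirSync search against the DC needs the Replicating Directory Changes right, and the cookie is only honoured once the DC’s highestCommittedUsn has reached the snapshot’s, which is the issue the previous post describes.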
 
Update: I had to disable comments on this post since the IE phishing filter started complaining when this URL was accessed. I have no idea why it is complaining when the comments are turned on. So sorry to all of my four readers, no comments here.

The modest approach to virtual demo environments

Joachim and I had the opportunity to build a proof of concept environment showcasing various aspects of federated web SSO for a customer. The requirements, while not overly strict, mandated that we build an environment consisting of three federation parties: one resource partner hosting some form of claims-aware web application and the remaining two acting as account partners supplying users.

Before building an environment like this it is helpful to have something to run it on, and therefore in part one of this epic series we will focus on the set up of the environment and how we, right at the start, got completely sidetracked by some new features in System Center Virtual Machine Manager (SCVMM).

Physical environment

We started out with an HP ML370 with a quad-core CPU, 6 GB of RAM and a total of 290 GB of disk. Techies as we are, we unanimously decided that it wouldn’t be enough to run our entire Hyper-V based demo environment. One phone call and a few hours later we were at 20 GB of RAM. And if Joachim at this point hadn’t dragged up the System Center Virtual Machine Manager beta and its ESX managing capabilities we would have started building the demo right then and there. Like children in a toy store we said “Demo? What demo?” to each other and rushed off to commandeer an HP ML350 with a quad-core CPU, 12 GB of RAM and 438 GB of disk for a VMware ESX installation.

The only thing that disturbed our nerd nirvana was the networking aspect, which consisted of a really old and slow D-Link switch that can at best be described as cute. It just had to go.

[Screenshots: physical environment and physical hosts, the virtual machines in our demo environment, SCVMM overview, SCVMM job list, SCVMM library, Virtual Center overview]

All your base are belong to us (the virtual machines)

After we figured out the virtual machine template feature in SCVMM our environment quickly got taken over by a horde of virtual machines. To the tune of Baby One More Time by Britney Spears we deployed virtual machines like Darth Vader deployed TIE Fighters in episode 2 (or was it 5?). This led to the inevitable: overload!

After some cleaning up we started configuring our demo environment, which we will tell you about in the forthcoming episodes.