Let’s leave the hardware where it is.
Introducing the software-based
VoIP solution from Microsoft. It’s a
whole new way to look at telephony.
As it turns out, that important
move to VoIP isn’t about ripping and
replacing or big, upfront costs. That’s
because it’s no longer about hardware.
It’s actually about software.
That’s right. Keep your hardware—
your PBX, your gateways, even your
phones. Add software. Software that
integrates with Active Directory®,
Microsoft Office, Microsoft Exchange
Server, and your PBX. Simply maximize
your current PBX investment and make
it part of your new software-based
VoIP solution.
Because what you have is good.
What you have with the right
software is even better. Learn more
at microsoft.com/voip
MARCH 2008
NO. 3
47 Best Practices for Managing User Data
and Settings, Part 2
For the client side of the equation, let’s look at unifying UDS management
for Vista and XP users and addressing four key types of UDS: “normal
data,” “normal settings,” “locally accessed data,” and “unwanted data.”
Yet Another 8 Absolutely Cool,
Totally Free Utilities
Once again, we’ve combed the Web for a new and scintillating collection
of free tools that promise to make your job easier. Get $500 worth of tools
for nothing—except the time necessary to download them.
59 PowerShell 101, Lesson 2
PowerShell lets you create pipelines that link cmdlets together to perform
complex operations and refine retrieved information. Learn how to use
a pipeline to create PowerShell statements and how to format and sort
output from those statements.
How to Handle Long PowerShell Statements ........................62
29 The Soul of Windows Server 2008:
Server Core and Hyper-V
65 Vista and Server 2008 Malware Protection
35 Active Directory Enhancements in
Windows Server 2008
In an exclusive interview, Bill Laing, general manager of
Microsoft’s Windows Server division, talks candidly about
Windows Server 2008 features that surprised him, technology
that might be hard for users, and lessons learned from this
Take a tour through the changes and enhancements in Windows
Server 2008 Active Directory (AD). In particular, examine the new
read-only domain controller (RODC), and learn how it can help
lower risks to your organization.
Windows Server 2008 Editions Supporting RODCs ........................35
Names for AD Services Change in Windows Server 2008 ...............36
41 Volume Activation in
Windows Server 2008
VA2 uses Multiple Activation Keys (MAKs) or Key Management
Service (KMS) hosts to activate systems in midsized and large
organizations, eliminating the security and administrative problems
of Volume License Keys (VLKs).
Read this article online at www.windowsitpro.com
Avoid Windows Server 2008
Integration Challenges
Only hard-won experience can expose pitfalls that can cause frustration
when you deploy a new OS. Before you implement Windows Server
2008, benefit from an expert’s lessons-learned about integration with AD,
compatibility with Microsoft server applications, virtualization, backup, and
antivirus and antispyware.
InstantDoc ID 98197
Understand Data Execution Protection (DEP) and Address Space Layout
Randomization (ASLR)—two defenses in Windows Server 2008 and
Windows Vista that help you secure your system against attacks that use
buffer overruns.
71 Getting to Know Office 2007
Microsoft Office 2007 tips help you use forms-based authentication with
Office and SharePoint, remove Excel duplicates, set Recycle Bin settings in
SharePoint, and more.
T R I C KS & T R A P S
13 Reader to Reader
Add file extensions to GPOs with ADSI Edit, troubleshoot locked-out
accounts, and fight spam and phishing attacks by adding SPF records to
your DNS entries.
75 Ask the Experts
Learn about Microsoft Update Catalog 7.0, find out how to keep your
system secure with Live OneCare, and learn how to clear the Outlook
auto-complete address cache.
Read this article online at www.windowsitpro.com
Testing Windows Server 2008
This month’s IT Pro Hero, Arlin Sorensen, CEO for Heartland Technology
Solutions, discusses his company’s experiences testing Server 2008 and the
benefits he expects to gain from the upgrade.
InstantDoc ID 98122
Access articles online at www.windowsitpro.com. Enter the article ID (located at the end of each article)
in the InstantDoc ID text box on the home page.
Karen Forster
Mark Minasi
IT Pro Perspective
Open Source and Windows Server’s Direction
Bill Hilf’s open-source background has helped
Microsoft gain new direction, as a “platform” company
with a compatible set of end-to-end technologies.
Windows Power Tools
Decommission Old Computers with Cipher
Leverage EFS to overwrite the hard disks of
decommissioned systems.
Michael Otey
Top 10
Free Virtualization Utilities
15 New & Improved 18
Check out the latest products
to hit the marketplace.
FalconStor Software’s virtual
tape library (VTL) storage
Jason Bovberg shares insights
from his chat with LANdesk,
while Todd Erickson discusses
trends in mobile device
Paul’s Picks
Are online office suites
from ThinkFree, Zoho, Ajax,
Silveroffice, and Google
viable replacements for
Microsoft Office?
Microsoft Office Live
Workspace: A Winning
O&O Defrag 10
This disk-defragmentation tool
offers five defragmentation
methods to help you organize
and optimize your hard disks.
Online Office
Apple iPhone and Mac OS
X “Leopard” updates prove
Apple can still deliver—but
there’s room for improvement,
Paul says.
Password Policy
A password policy enforcer
from Special Operations
Software lets you set
multiple password policies
without the need for
multiple domains—which
can help you keep your
Active Directory (AD) forest
slim and trim.
16 Industry Bytes
These free tools will help you convert physical
systems to VMs, change VMware VMs to Microsoft
VMs (and vice versa), and perform other tasks to
help you manage your virtual environments.
Group Policy
Tools: Easing
the Pain
Group Policy helps you
centrally configure and
manage computers
and remote users in
your Active Directory
(AD) environment.
Microsoft’s new Group
Policy Preferences and
ISV products will make it
increasingly useful to more
78 Readers Review Hot Products
Readers highlight their favorite products from Ensim, AppDev, and Unitrends.
Dennis Podgorski,
IT manager
Connecting the
IT Community
Your Savvy Assistant
Directory of Services
Advertising Index
Vendor Directory
Connecting the IT Community
Introducing: Virtualization UPDATE
Evaluate, manage, and optimize virtualization technology in a Windows environment with Virtualization UPDATE. Each issue includes commentary on the virtualization market from Windows IT Pro Senior Editor Jeff James, as well as tips, tricks,
and advice from vendors and experts. Virtualization UPDATE is your best source for
keeping informed about the booming virtualization segment of the IT industry.
Step-by-Step Guide to Disaster-Recovery Planning
Would you like some practical guidance on developing, implementing, and
testing your disaster-recovery plan? Have you ensured that your plan will
work as expected and will scale as your business and IT needs evolve? Register
for this Web seminar to find a holistic approach to disaster-recovery planning that
combines available backup and recovery technologies.
SharePoint Pro Live! Technical Workshop Tour
Are you getting the most from Microsoft Office SharePoint Server 2007? Join SharePoint experts Dan Holme and Melissa Fraser to learn how to deploy and implement
SharePoint Server and Windows SharePoint Services effectively in your organization.
Register today to take advantage of preregistration online pricing for only $99!
April 27-30
Dive into new releases with Microsoft and industry experts! See page 24 for details.
Enterprise Performance
Management for Emerging
Businesses and Workgroups
Leverage business intelligence (BI)
and Enterprise Project Management (EPM) solutions to manage your
business’s expansion and address
complex reporting and compliance
requirements. Download this white
paper and ensure that your company
has the BI and EPM tools to meet its
current and future needs.
IM at Work
The Missing Link to IT Resources
IM is an essential
communication tool
for many businesses, but
with its efficiency can also
come security risks. Keep
your IM traffic safe with these helpful
• “IM Risk Management for Enterprise,”
• “IM Security Primer,” InstantDoc ID
Look Who’s Talking (and Chatting and Surfing)
I confess. Sometimes my in-office IM conversations don’t pertain to work, and
maybe I check my personal email once in a while. But my responsibilities come
first, and I always get my work done. So why am I freaked out that my employer
could be watching my every move?
Monitoring employees’ computer activities isn’t anything new and, as forum
member rain3d states, is a company’s right as long as it’s “understood by the
employee in a written acceptable use policy (signed by employee) that the computers are for business use only and
subject to monitoring” (www.windowsitpro.com/go/MonitorEmail).
Even if snooping on worker bees is legal, many people still feel that such actions are an invasion of privacy. Others
think that surveillance is the only way to keep a business running efficiently. I agree that people should work while
they’re at work; I just don’t remember when keeping employees scared became the only way to keep them honest.
Do you think that monitoring employees’ computer activity is fair or that it’s gone too far? Share your thoughts on
my extended blog post at InstantDoc ID 98056, or email me at Christan.Humphries@penton.com.
Windows IT Pro
MARCH 2008
We’re in IT with You
www.windowsitpro.com
Look like an Exchange
migration expert.
Take the risk and complexity out of migrating Exchange.
NetMigrate for Exchange simplifies Exchange migrations with a comprehensive, best practices approach for less than
most other solutions. Even the smallest details—like calendars, appointments, and folder permissions—remain intact.
End users don’t notice a thing. And Help Desk phones stay quiet. Plus, you can roll back anything, anytime. NetMigrate for
Exchange…when you need to look like an Exchange migration expert.
NetMigrate for Exchange
go to www.netpro.com/go/migrate to download your
free copy of “Steps for a Successful Exchange Migration”
IT Pro Perspective
Open Source and Windows Server’s Direction
Institutionalizing interoperability
The unfortunate tagline for the launch of Windows
Server 2003 was “Do more with less.” Microsoft
never comprehended the irony of that tagline—
but it strikes me as fitting the company’s mood five years
ago. Competition from Linux had Microsoft nearly paralyzed. The company seemed to be desperately seeking
direction. Now, in 2008, Microsoft has found a direction—
thanks in large part to the people the company hired away
from the Linux world.
In February 2004, Microsoft hired Bill Hilf from
IBM. According to his official biography, Hilf “led
IBM’s Linux/Open Source Software technical strategy
at a world-wide level for the Emerging and Competitive
markets organization.” Hilf’s mission at Microsoft was to
establish a Linux lab. Starting as one server under Hilf’s
desk, the lab has flourished
and expanded—and Hilf’s
Microsoft career has rocketed. Hilf is now “General
Manager of Platform Strategy, driving Microsoft’s
platform strategy efforts
across the company. Bill’s
primary focus is to champion platform initiatives
… while leading long-term strategy planning in the
Windows Server and Tools organization.” That’s a big
change in a position that was, before Hilf, titled simply
“General Manager of Windows Server Marketing.” And
this change signals a reinvigorated sense of direction.
The P Word
The key descriptor for Microsoft’s newfound direction is the now-ubiquitous word “platform.” How is the concept of Windows as a platform connected with Hilf’s open-source background? I talked to Sam Ramji, director of Platform Technology Strategy, who reports directly to Hilf and oversees Microsoft’s Open Source Software Lab, and the Microsoft and Novell Interoperability Lab in Cambridge, Mass.
Ramji spoke of insights from the Open Source Software Lab that are key to Microsoft’s new focus: “We started having a bigger conversation, which included not just how do we bridge gaps with Linux, how do we compare to and compete with Linux, but how do we look at open source? It’s a greater phenomenon than operating systems. It’s really about how developers communicate, about how developers improve technology, and a different way for users to adopt technology.”
Most important for Microsoft’s concept of its own business is the idea that the OS is only a piece of the puzzle, which also includes all the technologies necessary to create business solutions. By thinking of itself as a “platform” company that has a compatible set of end-to-end technologies, Microsoft puts itself in a powerful position. Not only are there hundreds (if not thousands) of Linux permutations, but also a huge variety of technologies and applications are necessary to make an open-source business solution feasible—and all the pieces aren’t necessarily compatible. Ramji said, “There’s OS X, Linux, FreeBSD, Windows, Solaris, AIX, Oracle, SQL, MySQL, Postgres—there’s a whole bunch of technologies underneath it that may power it in some way. How does all this stuff mix?”
If Microsoft takes on the task of making all the technologies work together, the company’s competitive position becomes unmatched. This thinking is at the heart of what Ramji calls Microsoft’s decision to “institutionalize interoperability.” Microsoft realized it can make money by supporting non-Microsoft technologies. Ramji even sees the future of Windows Server as being a platform for Linux in virtual environments. “We’ve always had a technological grounding, but we’ve added a business focus. Collectively, we [i.e., Hilf’s open-source team] have gone from strategists and agitators to business owners. So interoperability is not just a good idea—it’s actually the business strategy. I think that shows a lot of Hilf’s rising star in the company—that institutionalizing interoperability that’s happening. It says a lot that Bob Muglia and Steve Ballmer would look at Bill and say, ‘This is the kind of leader we want to have in charge of our $4.5 billion growth business.’”
.com) is group editorial
and strategy director for
Windows IT Pro and SQL
Server Magazine and former director of Windows
Server User Assistance
at Microsoft.
Hilf’s influence and recognition of virtualization’s power
to open new possibilities will guide the upcoming version of Windows. Linux has gone from a source of fear,
to a source of optimism, which is even reflected in the
Windows Server 2008 tagline: “Heroes happen here.” (OK,
I admit it’s a typically lame Microsoft tagline. But you have
to agree that it’s more positive than “Do more with less.”
And don’t even get me started on how you could interpret
“institutionalizing interoperability”....)
InstantDoc ID 98111
Group Editorial and Strategy Director
Karen Forster
Executive Editor
Technical Director
Art Director
Production Director
Anne Grubb
Senior Editor, Products
Jeff James
Systems Management
Deputy Editor
Senior Editor
Associate Editor
Brian Keith Winstead
Senior Editor
Senior Editor
Senior Editor
Todd Erickson
Lavon Peters
Renee Munshi
Senior Editor
SQL Server
Megan Bearly
Assistant Editor
Production Editor
Christan Humphries chumphries@windowsitpro.com
Administrative Assistant
Mary Waterloo
Paul Thurrott
Technology Pro Community Editor
Dan Holme
Senior Contributing Editors
Erik Lodermeier
Group Administrative Manager
Danna Varnell
Peg Miller
Jeff Carnes
EMEA Managing Director
Irene Clapham
Windows Group Custom and SQL Publisher
Michele Crockett
Group Editorial Director
Dave Bernard
Regional Sales Manager
Chrissy Ferraro
Regional Sales Manager
Chief Executive Officer
John French
Chief Financial Officer
Chief Revenue Officer
Darrell C. Denny
Andy Rees
Account Executive
Kelly Koza
Office and SharePoint Accounts Manager
Doug Hay
Client Services Managers
Windows is a trademark or registered trademark of
Microsoft Corporation in the United States and/or other
countries and is used by Penton Media under license from
owner. Windows IT Pro is an independent publication not
affiliated with Microsoft Corporation.
Submit queries about topics of importance to Windows
managers and systems administrators to articles@
Karen Shaw-Lafferty
Michelle Andrews
Ad Production Supervisor
Glenda Vaught
Unless otherwise noted, all programming code in this issue
is © 2008, Penton Media, Inc., all rights reserved. These
programs may not be reproduced or distributed in any form
without permission in writing from the publisher. It is the
reader’s responsibility to ensure procedures and techniques
used from this publication are accurate and appropriate for
the user’s installation. No warranty is implied or expressed.
Contact Walter Karl, Inc. at 2 Blue Hill Plaza, 3rd Floor, Pearl
River, NY 10965 or www.walterkarl.com/mailings/pentonLD/
Subscriptions in US, $49.95 for one year (12 issues for 2008);
in Canada, $59 US currency, plus 6% for GST for-one
year; in UK £59; in all other countries, US $99. Payment
should be made in US dollars drawn on US banks. For new
subscriptions, call 800-793-5697 or 970-663-4700, or check
our Web site at www.windowsitpro.com. For questions
or other subscription problems, call customer service at
800-793-5697 or email subs@windowsitpro.com. Europe,
europe@windowsitpro.com, Windows IT Pro, Di-An House,
2 Aegean Road, Atlantic Street, Altrincham, Cheshire, WA14
5UW, England; tel.-0161 929 2800, fax-0161 929 1511.
Reprint Sales
Joel Kirk
Group Audience Development Director
Marie Evans
Marketing Project Coordinator
Shay Black
Renewal Marketing Manager
Tricia McConnell
Marketing Associate
Anne Oaks
Senior Marketing Communications Manager
Bob Chronister
Jerry Cochran
Sean Deuby
Jeff Fellinge
Brett Hill
Darren Mar-Elia
Tony Redmond
Ed Roth
William Sheldon
Randy Franklin Smith rsmith@montereytechgroup.com
Orin Thomas
Douglas Toombs
Ethan Wilansky
Windows IT Pro
Sales Manager
Contributing Editors
Jeff Lewis
News Editor
David Chernicoff
Mark Joseph Edwards
Kathy Ivens
Mark Minasi
Paul Robichaux
Mark Russinovich
Group Publisher
Assistant Production Manager
Eric Lundberg
Networking and Hardware
Jason Bovberg
CT , GA, IL, IN, MA, MD, NC, NH,
NJ, NY, PA, RI, VA, Ontario, Quebec
Senior Editor
Senior Editor
Assistant Editor
Sheila Molnar
Kim Paulsen
Group Interactive Publisher
Messaging , SharePoint, and Office
Gayle Rodcay
Senior Vice President, Technology Media Group
Senior Production Manager
Kate Brown
Web Site Strategic Editor
Caroline Marwitz
Larry Purvis
Linda Kirchgesler
Michael Otey
Karen Bemowski
Senior Art Director
Layne Petersen
Amy Eisenberg
Barb Gibbens
Lyle Bonfigt
Marketing Communications Manager
Amy Reitz
Marketing Director
Sandy Lang
Marketing Manager
Tammy Yelton-Boone
Marketing Coordinator
Andrea Knudson
How to Protect and Improve System Performance
The Top 10 Points to Know about Fragmentation
IT professionals are heroes of the workplace. Whether with cunning wit or a Phillips head screwdriver, they solve most any computer emergency. However, keeping a computer running at top speed is usually preventative maintenance instead of last-minute, adrenaline-surging, virus-vaccinating heroics.
Here are 10 key points to maintain peak performance across any network:
1. The hard disk is the slowest part of any system.
Say you are operating a 2.5 GHz processor. That’s 2.5 billion operations every second. A large number of hard disks only spin at 7200 rotations per minute, or 120 cycles per second, or 120 Hz. This means your CPU is more than 20 million times faster than the hard disk. The hard disk still has mechanical components. Think Terminator 2®, when a mechanized Schwarzenegger is outclassed by the faster, smarter T-1000. When the slowest part of your computer is making unnecessary reads, the entire system is dragged down.
2. Fragmentation has severe effects.
It’s more than sluggish and crawling computer speeds; fragmentation leads to crashes, hangs, data errors, file corruption and boot-time failures. Files that suffer fragmentation are more difficult and take longer to back up. When systems are thoroughly defragmented, they run faster and more reliably—period.
3. Real-time defragmentation is necessary.
Many companies rely on 24/7, mission-critical servers. Taking these systems offline for maintenance is not an option. But, having a server with I/O bottlenecks is also not an option. Only real-time, invisible defragmentation fixes this catch-22 situation.
4. Give your systems faster-than-new speeds.
NTFS best-fit attempts for file placement on hard drives are limited. Diskeeper® 2008 comes with a new technology called I-FAAST™ (Intelligent File Access Acceleration Technology)¹ that resequences your files. So, in addition to […] space, defragmenting with Diskeeper boosts access to your most frequently used files by as much as 80%. I-FAAST gives systems faster-than-new speeds.
5. Servers are especially susceptible.
While disk striping improves physical I/O capacity and performance, RAID and SAN systems simply do not fix fragmentation where it begins—at the file system. Enormous volumes with heavy read/write activity lead to astronomical fragmentation rates, making RAID and SAN work harder than they should. The efficiency of RAID and SAN may lessen some of the physical effects of fragmentation, but fragmentation is never eliminated. You’ll need to buy more and more equipment to compensate. Sooner or later, the tortoise catches the hare, and your system suffers I/O bottlenecks and slow server speeds.
6. Operate without interrupting productivity.
The new InvisiTasking™ technology makes software transparent. Diskeeper 2008 with InvisiTasking will work invisibly in the background, only using untapped resources. Systems are continually improved without any management or impact on a system’s …
7. Defragment despite minimal free space.
The purpose of defragmentation is to restore lost speed and performance. A defrag engine must be able to operate in limited free space because drives with extremely limited free space are the ones in need of the most help. Diskeeper 2008 handles millions of fragments and can function with as little as 1% free space.
8. Stop fragmentation before it happens.
Diskeeper 2008 comes with Frag Shield™ 2.0, a technology that automatically defends against fragmentation of critical system files. Frag Shield 2.0 prevents crash-inducing fragmentation. It’s like Superman® saving the day—two days before there’s a problem.
9. Auto-defrag breathes life into systems.
It keeps systems at optimum speeds and eliminates fragmentation-related performance issues. Thoroughly defragging systems adds 2–3 years onto the hardware’s useful life.²
10. Analyze your network’s performance.
Poor performance on a remote system can easily be mistaken for a slow network. Get Disk Performance Analyzer for Networks™. This free utility scans networked systems for fragmentation. See for yourself how fragmentation is affecting your systems. This groundbreaking program will provide comprehensive reports on how system speeds will improve with thorough defragmentation. Visit www.diskeeper.com/w11 and get this free, must-have utility.
Diskeeper 2008 is the only fully-automated defragmentation program. It operates invisibly in the background and it dynamically adapts defragmentation strategies to fit the needs of individual volumes. With new defrag engines, Diskeeper 2008 restores performance on volumes with as little as 1% free space. Get rid of slows, bottlenecks, and fragmentation-induced crashes. Visit …
¹ Available on Pro Premier, Server and EnterpriseServer editions.
² See white paper at www.diskeeper.com/wpaper
Try it FREE for 45 days!
Download a free trial at … (Note: Special 45-day trialware is only available at the above link)
Volume licensing and Government/Education discounts are available by calling 800-829-6468, extension 4415.
© 2008 Diskeeper Corporation. All Rights Reserved. Diskeeper, InvisiTasking, Maximizing System Performance and Reliability—Automatically, Disk Performance Analyzer for Networks, Frag Shield, I-FAAST, and the Diskeeper Corporation logo are either registered trademarks or trademarks owned by Diskeeper Corporation in the United States and/or other countries. All other trademarks and brand names are the property of the respective owners. Diskeeper Corporation • 7590 N. Glenoaks Blvd. Burbank, CA 91504 • 800-829-6468 • www.diskeeper.com
Windows IT Pro welcomes feedback
about the magazine. Send comments
to letters@windowsitpro.com, and
include your full name, email address,
and daytime phone number. We edit
all letters and replies for style, length,
and clarity.
CommandPrompt Castaway
Lazy administrators have overlooked command-line tools for ages. Curt Spanburgh’s article, “Castaway on CommandPrompt Island” (January 2008, InstantDoc ID 97507), shows how the command line can save you a lot of work and time if you have a basic understanding of the tools—and an open mind to look further than the GUI.
—Rob Sanders

Who Are You?
I’m just now getting around to reading Karen Forster’s IT Pro Perspective piece, “Microsoft Asks: Who Are You?” (December 2007, InstantDoc ID 97478). Microsoft abandoned a lot of people with Exchange Server 2007. PowerShell is great if you’re […] dozens of like servers, but I don’t have many Exchange servers, and I don’t want to be a UNIX administrator. I’m a child of Windows. I love the GUI. I hate that I’ll have to perform certain command-line tasks because they aren’t exposed in the Exchange Management Console (EMC). When Microsoft did its Exchange 2007 Technology Adoption Program (TAP), the company seemingly forgot to involve small to mid-sized business (SMB) Exchange administrators, because people like me don’t want to deal with the command line.
I know SP1 exposes more in the GUI, but until it’s all exposed (or at least 98 percent of it), I won’t be satisfied. Is my visual nature part of my personal life? Maybe not in the true spirit of your article, but I would have been happy to give feedback about these changes to the Exchange 2007 team, had I been given the opportunity. Your article gives me hope that Microsoft has recognized the error of its ways. In my case, the situation has caused me to pause an Exchange 2003–to–Exchange 2007 transition until I can get a better grasp of what isn’t exposed in the GUI and what we’re going to have to do from the command line.
—Trey Cook

Many readers have responded to this column, and all of them think Microsoft’s Who Are You? efforts are a bad idea. So, it’s good to get your hopeful perspective. By the way, you […] in your concern about Exchange and PowerShell. Check out the blog entry I wrote on exactly that topic: www […] Users_Lament.html. You’ll find that a lot of people responded with similar concerns. Thank you for taking time to write.
—Karen Forster
InstantDoc ID 98077

In the product review “HP Compaq dx2250 Microtower Business PC” (December 2007, InstantDoc ID 97321), we incorrectly defined the acronym TPM. The correct definition is Trusted Platform Module. We apologize for the …

More Vista
I read Michael Otey’s Top 10 column, “Windows Vista Annoyances” (January 2008, InstantDoc ID 97490), and I agree with most of his annoyances. I thought I’d offer my own list of the top 10 reasons I’m not running Vista as my primary OS.
1. Windows Mail doesn’t let me resize all columns.
2. Vista won’t let me drag a new toolbar off the taskbar to the desktop. (I like to set up My Computer and My Network Places as an autohide toolbar on the right edge of the screen, like a sidebar.)
3. Disk Defragmenter forces me to defragment all drives, unless I use the command line; there’s no GUI option for selecting individual drives.
4. When I choose to autohide the taskbar, Vista won’t let me drag a shortcut to the taskbar without dragging it over the Start button area.
5. Vista requires more clicks for changing the time and for updating the time with a time …
6. On the Vista taskbar and desktop, I can’t right-click the network icon to access Properties, Repair, or Status options.
7. The functionality for watching newsgroup messages through Windows Mail doesn’t work correctly. (Microsoft knows about the problem and won’t fix it.)
8. When I view files in Windows Explorer’s details view, an entire line has focus. Setting focus in the folder is difficult, especially using the Single-click to open an item option. I end up opening a file when all I want to do is set focus.
9. In Windows Explorer, I see no folder-size status information in the status line—only the number of files.
10. The sidebar has no autohide option.
—Gary Keramidas
Instant Backup
and Restore
Database /
Email Storage
The Perfect Fit...
for your growing storage needs
If you are looking for instant back up and data
recovery, with RAID-DP protection against dual
drive failure, you’ve found the perfect fit. With
NAS, iSCSI SAN, and DAS right out of the box,
the StoreVault product family provides storage
solutions that will grow with your business
needs. NetApp enterprise-proven technologies
provide a rich feature set, including simple on-the-fly provisioning and off-site data replication.
It’s truly the perfect fit to maintain business
continuity and regulatory compliance.
The new S300 starting at under $3,000
or the S500 starting at $5,535
Call us today at 800.206.5363
Learn more about our Special Offers
at www.storevault.com
Finally, Affordable Enterprise-Class Archiving
Introducing Sunbelt Exchange Archiver. Sunbelt Exchange Archiver (SEA) is a robust new product which delivers real enterprise-class email archiving, at a price that won’t break your budget. Get comprehensive legal and regulatory compliance. Reduce your Exchange storage by up to 80%. Securely store emails on your choice of media, using the built-in Hierarchical Storage Management. And, find archived emails rapidly with full-text search for e-discovery or compliance.
“Exchange performance is suffering. Your users complain about email storage. Your CEO wants legal compliance. Now what?”
Compliance, e-Discovery, and legal readiness. If you need to archive emails for regulatory or legal reasons, SEA has you fully covered. Emails are stored in their original form, in whatever secure media you prefer, with complete flexibility on retention. Need to find an archived email? Simply use SEA’s powerful integrated full-text search of emails and attachments, and you’ll be ready at a moment’s notice for e-discovery or legal …
Up to 80% smaller message store. With SEA, you’ll dramatically reduce your Exchange storage. The benefits are clear: faster backup times, better Exchange performance, and faster recovery.
Journaling not required. It’s a fact that using the Exchange Journaling mailbox for archiving dramatically affects server performance. With SEA, Journaling is an option – the program’s breakthrough Direct Archiving feature stores all emails immediately after they are received, keeping load off the Exchange server.
No more PST headaches! SEA gets rid of pesky PST files that are a major headache. SEA automatically finds them, imports them, and makes them part of your user’s archive.
Great for disaster recovery. No matter where your email is stored, business continuity is assured with SEA. Using the included web client, users can continue to see and use their email even if Exchange is …
Seamless end-user experience. SEA is fully transparent for your users, whether they’re running Outlook, OWA, Blackberry devices or even Entourage on the Mac – with no special client software needed. Trusted end users can be delegated granular authority with the included web-interface or optional Outlook add-in. They can do off-line synchronization, and search, edit, forward, move or delete archived emails.
Archiving’s time has come for everyone. Contact us today and see how SEA solves your legal and compliance headaches and immediately improves the performance of Exchange – while saving critical budget dollars.
Get A Free Quote and See How SEA Compares to Symantec Enterprise Vault ™!
Email sales@sunbeltsoftware.com or call 888-688-8457
Sunbelt Software
Tel: 1-888-688-8457 or 1-727-562-0101
Fax: 1-727-562-5199
© 2007 Sunbelt Software. All rights reserved. Sunbelt Exchange Archiver is a trademark of Sunbelt Software. All trademarks used are owned by their respective owners.
Reader to Reader
Fighting Spam
and Phishing
with SPF
Everybody knows that unsolicited email advertising, commonly referred to as spam, and
its even more evil descendant,
phishing, can be both an annoyance and a security risk to an
organization. Every day, phishers
send emails purporting to be
from organizations you do business with, attempting to convince the recipient to provide
sensitive information, typically
of a financial nature.
Sender Policy Framework
(SPF) records are designed to
protect against forged emails
and reduce the number of
incoming spam messages a
mail system (and sometimes
users) have to process. Many
times spammers or phishers send email with a forged
From address, hoping that the
domain name they forge will
catch a victim’s attention or at
least be allowed through spam
filters. An SPF record is a DNS
TXT record that a mail server or
spam filter will access to verify
the source of email messages as
they arrive. Many email services
began checking SPF records as
early as 2004.
Enabling SPF record checking in your mail server software
or spam filtering software
varies by vendor. Many Open
Source email platforms support
SPF record checking natively,
and plugins (both free and
commercial) are available for
Microsoft Exchange platforms.
You should, however, do more
than just implement SPF record
checking—you should place an
SPF record in your own DNS
entries to help fight spam and
reduce the chance that a phishing attack utilizing your domain
name is successful. Larger organizations might host their own
external DNS servers, while others rely on their Web-hosting or
domain-registration company’s
DNS servers.
To add a TXT record in Windows DNS, select Administrative Tools under the Start menu,
then choose DNS. From there,
navigate to Forward Lookup
Zones, then to the domain to
which you want to add a TXT
record. Right-click an empty
space and select Other New
Records. From there, choose
Text (TXT). You can name the
TXT record anything you want.
The SPF policy string is entered
into the Text field. For
most organizations, the following TXT record value is acceptable to implement SPF:
"v=spf1 a mx -all"
This string essentially states that
if the mail is received from an
IP address that’s listed in the
sending domain’s A or mail
exchanger (MX) records, the
mail is legitimate and should
be processed. If specific IPs
send email that isn’t part of the
A or MX records, they can be
included using the ip4: mechanism, as the following shows:
"v=spf1 a mx ip4: -all"
In this example, the IP address
of the additional mail server is
Prior to implementing
SPF, you must make sure that
you’ve identified each IP that
mail originates from and each
domain name used by your
organization. For domains that
mail should never be sent from,
the following SPF record can be
"v=spf1 -all"
This SPF record states that the
domain has no IPs that send
mail, and the mail system
receiving mail from this domain
should automatically reject the
As with all things technical,
you need to test your implementation to ensure it functions
as you expect. The Sender Policy Framework Web site (www.openspf.org) has some excellent tools to help you implement and test your SPF records.
If the vast majority of DNS
records contained SPF values
and if the vast majority of email
servers used SPF to check for
valid email server IP addresses,
the volume of spam and phishing email would be significantly
reduced. We could then all go
about the business of doing
business without the nuisance
and security risks associated
with spam and phishing.
—Nolan Garrett, Co-Founder
and Chief IT Consultant,
Intrinium, and Jeff Jones,
Co-Founder and Chief Security
Consultant, Intrinium
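An offline evaluator for the three records discussed above, added here as an example rather than taken from the article or from openspf.org: it stubs DNS with a constructed table (example.com and the 192.0.2.x / 203.0.113.x addresses are documentation values) and implements only the a, mx, ip4 and all mechanisms the article uses, so you can see which sending addresses a receiving mail server would accept or reject under each record.

```python
import ipaddress

# Constructed stand-in for DNS: the sending domain's A and MX records.
# A real checker resolves these live; the table keeps the example offline.
DNS_A = {
    "example.com": ["192.0.2.10"],
    "mail.example.com": ["192.0.2.25"],
}
DNS_MX = {
    "example.com": ["mail.example.com"],
}

# Qualifier prefixes and the result each produces when its mechanism matches.
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_a(name):
    """Addresses from the A records of name (empty list if none)."""
    return DNS_A.get(name.lower(), [])


def lookup_mx(name):
    """Hostnames from the MX records of name (empty list if none)."""
    return DNS_MX.get(name.lower(), [])


def check_spf(record, domain, sender_ip):
    """Evaluate an SPF TXT record for mail claiming to come from domain.

    record:    the TXT value, e.g. "v=spf1 a mx -all" (quotes tolerated)
    domain:    the domain in the envelope sender (MAIL FROM)
    sender_ip: the address the connecting mail server used
    Returns pass, fail, softfail, neutral, none (not an SPF record) or
    permerror (a record this evaluator cannot interpret).
    """
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in terms[1:]:
        qualifier = "+"                      # mechanisms default to "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()

        if mech == "all":                    # matches every sender
            matched = True
        elif mech == "a":                    # sender is an A record of the domain
            matched = str(ip) in lookup_a(arg or domain)
        elif mech == "mx":                   # sender is an A record of an MX host
            matched = any(str(ip) in lookup_a(mx) for mx in lookup_mx(arg or domain))
        elif mech == "ip4":                  # explicit address or CIDR block
            if not arg:
                return "permerror"           # "ip4:" with no address is invalid
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == 4 and ip in net
        else:
            return "permerror"               # include:, exists:, ... not implemented here
        if matched:
            return RESULTS[qualifier]
    return "neutral"                         # nothing matched and no "all" term


if __name__ == "__main__":
    cases = [
        ("v=spf1 a mx -all", "example.com", "192.0.2.10"),      # the domain's A record
        ("v=spf1 a mx -all", "example.com", "192.0.2.25"),      # its MX host
        ("v=spf1 a mx -all", "example.com", "203.0.113.7"),     # forged From: rejected
        ("v=spf1 a mx ip4:203.0.113.0/24 -all", "example.com", "203.0.113.7"),
        ("v=spf1 -all", "parked.example.com", "192.0.2.10"),    # domain never sends mail
    ]
    for rec, dom, ip in cases:
        print(f"{rec:40} {dom:20} {ip:14} -> {check_spf(rec, dom, ip)}")
```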
InstantDoc ID 98034
Use ADSI Edit to Associate File
Applications that you deploy with Group Policy Software Installation sometimes don’t register their file extensions. Consequently, when someone double-clicks a file that has an extension of one of those published applications, the autoinstall feature doesn’t work. This situation most often occurs in applications that weren’t designed for deployment through Group Policy Software Installation but were deployed anyway through some minor tweaks. (If you’re unfamiliar with Group Policy Software Installation, see technet2
One way to solve the file extension problem is to use ADSI Edit to manually add the file extensions to the Group Policy Object (GPO) that publishes the applications. To show you how this solution works, let’s walk through the steps you’d use to add the file extension for Microsoft Visio 2007 Viewer, which unfortunately wasn’t designed for deployment through Group Policy Software Installation. Here are the steps you need to follow:
1. Download Visio 2007 Viewer (visioviewer.exe) from the Microsoft Download Center (www.microsoft.com/ displaylang=en). You’ll need WinZip to unzip this file. If you don’t have WinZip, you can use 7-Zip, which is freeware that you can download from www.7-zip
2. Double-click visioviewer.exe. In the window that appears, right-click visioviewer.exe and select the option to extract the files to a new folder. After the extraction operation completes, the folder should contain five files, including vviewer.msi. Copy that folder to the share you use for GPO-installed packages.
3. Create a new GPO, go to the User Configuration\Software Installation folder in the Microsoft Management Console (MMC) Group Policy snap-in, and use the vviewer.msi file to publish the application. Because Microsoft didn’t create Visio 2007 Viewer with GPO installation in mind, the file extension .vsd doesn’t get registered.
4. Obtain the globally unique identifier (GUID) of the GPO you used to publish Visio 2007 Viewer. To get it, open the GPO and move to the root level, which is the level above Computer Configuration. Right-click and select Properties. The GUID appears in the Unique name
5. Use ADSI Edit to edit the GPO. (If you don’t have this tool installed already, you can find it in the Windows Server 2003 Support Tools.) Under the Start menu, select Run. In the Run dialog box, type adsiedit.msc and click OK. After ADSI Edit opens, go to the Action menu and select the Connect to option to open the Connection Settings dialog box. In the dialog box’s Connection Point section, click Select a well known Naming Context and select Domain from the list. In the Computer section, enter the name of your nearest domain controller (DC). Click OK.
6. Navigate to Domain, DC=<your AD domain’s LDAP name>,CN=System,CN=Policies,CN=<your GPO’s
Store,CN=Packages. Here you’ll find representations for all your GPOs. If you have more than one GPO, you’ll have to manually find the correct one by double-clicking each GPO and checking the value of the displayName attribute, which needs to be Visio Viewer in this case.
7. After you find the correct GPO, look for its fileExtPriority attribute and open it. (If you don’t see this attribute, clear the Show only attributes that have values check box.) In the dialog box that appears, enter the extensions you want to associate with this package. Visio 2007 Viewer’s extension is .vsd, so you’d enter
.vsd: 0
Note that you must include the space between the colon (:) and the value of 0. Click Add. You can enter multiple extensions, following the procedure I just
That’s it! Now, whenever users double-click .vsd files, Visio 2007 Viewer will automatically get installed. Interestingly, if you add more extensions after the initial deployment of the package, you don’t have to wait for Group Policy to be refreshed for the change to take effect. It works instantly!
—Apostolos Fotakelis, Systems Administrator, Aristotle University of Thessaloniki, and freelance IT consultant
InstantDoc ID 97782
Tools for
Troubleshooting locked-out
accounts can be difficult and
time-consuming. Cached credentials on drive mappings,
Microsoft IIS application pools,
COM+ objects, scheduled tasks,
services, and interactive logons
are all common causes of
account lockouts. Fortunately,
Microsoft provides tools and
techniques to help you narrow
the search for the root cause,
including the Account Lockout
and Management Tools. You
can download these tools
from the Microsoft Download
Center at www.microsoft.com/
At my organization, we
recently used the following
tools to locate the root cause of
a locked-out account that was
discovered during one of our
regularly scheduled password
EventCombMT.exe. EventCombMT.exe collects and filters
events from the event logs
of domain controllers (DCs)
within a specified domain. This
tool features a built-in search
for account lockouts, which
defaults the search to the security log. It populates the Event
ID field with relevant event IDs
(i.e., IDs of events that pertain to
locked-out accounts). Consolidating the lockout events into
text files in a common folder
provides a quick way to search
for the locked-out account and
the name of the server or workstation from which the lockout
LockoutStatus.exe. LockoutStatus.exe examines all
DCs in a domain, letting you
know when the target account
last locked out and from which
DC. In addition, it provides the
locked-out account’s current
status and the number of bad
password attempts that have
been made. Depending on
the topology of the Windows
domain, this information can
help you determine whether
the server or workstation locking out the account is located at
a particular site.
Netlogon logging. Netlogon logging is used for
tracking Netlogon and NT
LAN Manager (NTLM) events.
Enabling Netlogon logging on
all DCs is an effective way to
isolate a locked-out account
and see where the account is
being locked out. The Microsoft
article “Enabling debug logging
for the Net Logon service”
109626) contains information
about how to enable Netlogon
logging on the various versions of Windows. Although
Netlogon logging isn’t part of
the Account Lockout and Management Tools, NLParse.exe
is used to parse the Netlogon
logs—and NLParse.exe is one
of the account lockout tools.
Enabling Netlogon logging
can create large files quickly,
so using NLParse.exe to locate
relevant events in the Netlogon
log can save time when troubleshooting lockouts. The output
from NLParse.exe is extracted
to a comma-separated value
(CSV) file, where it can be easily
searched or sorted.
The Account Lockout and
Management Tools helped us
reduce the amount of effort it
took to locate the root cause of
our locked-out account. They
helped us target our energy at
specific servers or workstations
in our organization.
—Brent McCraney, Senior Technical Analyst, Ontario Teachers’
Pension Plan
InstantDoc ID 98031
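A small parser in the spirit of NLParse.exe, added here as an example and not Microsoft's tool or code: it reads Netlogon-style log lines, keeps the wrong-password and account-locked-out status codes, and tallies them per account and source workstation into CSV, which is the "where is this account being locked out from" view the article describes. The line layout and the sample lines are constructed to resemble Netlogon.log and are assumptions, not output captured from a real domain controller.

```python
import csv
import io
import re
from collections import Counter

# NT status codes reported at the end of Netlogon SamLogon lines; these two
# are the ones that matter when hunting the source of a lockout.
WRONG_PASSWORD = "0xC000006A"   # STATUS_WRONG_PASSWORD
ACCOUNT_LOCKED = "0xC0000234"   # STATUS_ACCOUNT_LOCKED_OUT
LOCKOUT_CODES = {WRONG_PASSWORD, ACCOUNT_LOCKED}

# Constructed sample written in the style of a Netlogon.log (assumption):
# one account failing repeatedly from WS-042, once from APP03, and a
# successful logon plus an unrelated line that must be ignored.
SAMPLE_LOG = """\
03/27 08:14:02 [LOGON] [2140] CORP: SamLogon: Transitive Network logon of CORP\\jdoe from WS-042 (via DC02) Returns 0xC000006A
03/27 08:14:03 [LOGON] [2140] CORP: SamLogon: Transitive Network logon of CORP\\jdoe from WS-042 (via DC02) Returns 0xC000006A
03/27 08:14:05 [LOGON] [2140] CORP: SamLogon: Transitive Network logon of CORP\\jdoe from WS-042 (via DC02) Returns 0xC0000234
03/27 08:15:10 [LOGON] [2140] CORP: SamLogon: Network logon of CORP\\asmith from FS01 Returns 0x0
03/27 08:16:44 [LOGON] [2140] CORP: SamLogon: Transitive Network logon of CORP\\jdoe from APP03 (via DC01) Returns 0xC000006A
03/27 08:17:00 [MISC] [2140] Unrelated Netlogon chatter that is not a logon record
"""

# Fields: date, time, optional thread id, domain, logon kind, account,
# source machine, optional relaying DC, and the returned status code.
LINE_RE = re.compile(
    r"^(?P<date>\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) \[LOGON\] (?:\[\d+\] )?"
    r"(?P<domain>\S+): SamLogon: (?P<kind>.+?) logon of (?P<account>\S+) "
    r"from (?P<source>\S+)(?: \(via (?P<via>\S+)\))? Returns (?P<status>0x[0-9A-Fa-f]+)$"
)


def parse_netlogon(lines):
    """Return one dict per SamLogon line; lines of any other shape are skipped."""
    events = []
    for line in lines:
        match = LINE_RE.match(line.rstrip())
        if match:
            events.append(match.groupdict())
    return events


def summarize_failures(events, codes=LOCKOUT_CODES):
    """Count events with a lockout-relevant status per (account, source) pair."""
    wanted = {c.upper() for c in codes}
    counts = Counter()
    for event in events:
        if event["status"].upper() in wanted:
            counts[(event["account"], event["source"])] += 1
    return counts


def to_csv(counts):
    """Render the summary as CSV text, busiest source first, for sorting in Excel."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["account", "source", "failures"])
    for (account, source), n in counts.most_common():
        writer.writerow([account, source, n])
    return buf.getvalue()


if __name__ == "__main__":
    # Real use: open(r"C:\Windows\debug\netlogon.log") instead of SAMPLE_LOG.
    print(to_csv(summarize_failures(parse_netlogon(SAMPLE_LOG.splitlines()))))
```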
w w w. w i n d o w s i t p r o . c o m
New & Improved
EDITOR’S NOTE: Send new product announcements to products@windowsitpro.com.
Product Spotlight
Backup and Recovery
Optimize Key DPM 2007 Tape Archive Functions
FalconStor Software announced that it has successfully tested all its virtual tape library (VTL) storage solutions with Microsoft System Center Data Protection Manager (DPM) 2007. IT storage planners and architects can now combine DPM 2007 with new and existing heterogeneous environments by integrating FalconStor VTL features with multiple backup applications that share tape library resources. FalconStor presented its VTL solutions at Microsoft TechEd last year in Barcelona, Spain. For more information, contact FalconStor at 866-669-3252 or visit www
Microsoft Systems Center Operation Manager
Create and Display Operations Manager Information Visually
Bringing visual mapping features to Microsoft System Center Operations Manager 2007 is the focus of Savision’s new mapping product: Live Maps for Operations Manager 2007. According to Savision, this product is the first mapping product to integrate with Operation Manager. Using Live Maps, admins can create visual, map-based views of their IT infrastructures. Each user of the system can have a unique view into the data that Live Maps generates, from a strategic, top-level view for the CIO to a functional, operational perspective for a network administrator. For more information, contact Savision at 905-812-0638 or visit
Backup and Recovery
Real-time Mirroring, Synchronization, and
Backups on Windows
RAID-1 capabilities are typically available only in software, which is expensive.
Techsoft offers a less expensive alternative with MirrorFolder 4.1, a real-time
mirroring and synchronization application
that backs up files from a local Windows
drive to any local, removable, or network
drive. In RAID-1 mode, MirrorFolder creates a real-time, bootable backup of your
hard drive on another local drive. MirrorFolder works on Windows Vista, Windows
Server 2003, Windows XP, and Windows
2000 Server servers. For more information, contact Techsoft at info@techsoftpl
.com or visit www.techsoftpl.com.
Manage User
Account Lockouts
Account Lockout Examiner from NetWrix is designed to help IT pros manage and troubleshoot account lockout
policy. NetWrix tracks account lockouts
in real-time, and can be configured to
automate work related to detecting and
responding to account lockout situations. A Web-based portal allows help
desk personnel to manage account
lockout issues, and many program
functions are accessible remotely from
handheld devices. A version of Account
Lockout Examiner for PowerShell is
also available. For more information,
contact NetWrix at 888-638-9749
or visit www.netwrix.com.
InstantDoc ID 98001
W e ’ r e i n I T w i t h Yo u
Windows IT Pro
MARCH 2008
Industry Bytes
Insights from the industry
Manage Your Mobile and Distributed Systems As If They’re Local
Remote workers disconnected from the corporate LAN can
pose a big threat to your network. Traditional systems
management software can only actively manage assets that
are inside your corporate firewall. You’re probably looking for a
product that extends management beyond the corporate LAN
and actively manages remote devices through the Internet—
without the need for costly VPN connections. LANDesk has a
product you need to look at.
“Our customers are really interested in doing more with
less,” said Nathan McLain, LANDesk’s product manager
for the LANDesk Management Gateway Appliance. “People
are worried about management functions, security, policy
enforcement and so on. The challenge that has brought the
Management Gateway solution is a growing, geographically
distributed workforce. Mobile users are proliferating, and as
one of our beta testers said, ‘I’m not only responsible for my
local division; I’m now responsible for another 25 divisions,
along with all those servers, desktops, and mobile devices, distributed throughout different geographies!’”
The LANDesk Management Gateway Appliance solves the
problem of remotely managing geographically distributed sites
any time, anywhere. “In the traditional sense of remote, secure
connections,” McLain said, “you typically think of a VPN, which
punches a hole in the firewall and lets anybody with a username and password access the corporate network. That might
be OK for salespeople who will get to a VPN to be managed,
but in the real world, mobile and distributed systems aren’t that
connected to the network. Most users don’t use the VPN regularly and thus aren’t manageable that way.”
With the LANDesk Management Gateway Appliance, a laptop with the LANDesk Management agent can call home and obtain a brokered, secure communication over SSL. Through that gateway, the remote system can download software distributions, pull down policies, and even allow the administrator to remotely control the device. In other words, the appliance permits the kind of functionality that you have on the local network from anywhere in the world. “The IT administrator uses LANDesk software for inventory, software distribution (updates, application), remote control (very important for support), and security (policy enforcement),” said McLain. “The LANDesk Management Gateway Appliance lets you do that any
The solution’s plug-and-play (PnP) capability lets you instantly deploy, set up, and manage desktops and laptops outside the firewall in order to immediately inventory and bring corporate assets into compliance.
—Jason Bovberg
InstantDoc ID 97516
Odyssey Software Tackles Mobile Device Management with Athena
Managing the proliferation of mobile devices is the focus of a new product from Odyssey Software: the Athena Add-In wireless device manager for Microsoft System Center Configuration Manager (SCCM) 2007. According to Odyssey, the extended mobile device management provided by Athena is now integrated with the SCCM console to increase administrative control over enterprise mobile devices without the need to launch a separate proprietary console.
Odyssey Software President and CEO Mark Gentile announced the release of Athena at the 2007 Microsoft TechEd IT Forum in Barcelona, Spain. According to Gentile, Athena integrates with SCCM to provide extended device management and support for any mobile device running Microsoft Windows Mobile and Windows Embedded CE, including consumer mobile devices, ruggedized portables, and smart phones.
Gentile explained that Athena allows admins more control of mobile devices over any public or private IP-based network, including live remote-control functionality for troubleshooting, the ability to distribute software and control settings-management and policy enforcement from a central location, and the ability to see what applications the device is running.
Athena does not use a dedicated server, process, or even a console. “The heart of the product is really an agent that resides on the device,” says Gentile. “SCCM can deploy that agent out of the box.”
Gentile says Odyssey is developing a similar add-in for Microsoft System Center Mobile Device Manager 2008 and a management pack for System Center Operations Manager.
Tony Rizzo, director of mobile technology research for industry analyst The 451 Group, says “more and more Microsoft shops will adopt the Odyssey platform,” as a result of Odyssey’s deepening affiliation with Microsoft.
But, Microsoft’s history of partnering up with companies and their innovative technologies—at least until it can produce the technology itself—should worry Odyssey. Rizzo says things are going well for Odyssey now, but the company needs to watch out if Microsoft decides to veer away from its affiliation with Odyssey once they can duplicate the functionality of tools like Athena.
Rizzo believes the enterprise mobility market will grow substantially in 2009, with the number of active mobile device users expected to be near 80 percent. “This market is still in its infancy,” Rizzo says. He believes next year will be the “on-ramp” year for enterprise mobile technology market players to establish themselves.
—Todd Erickson
InstantDoc ID 97657
O&O Defrag 10 Professional Edition
Editor’s Note: Following is a summarized version of Jeff James’ review of O&O Defrag 10 Professional Edition. To read a full-length version of the article, go to www.windowsitpro.com and enter InstantDoc ID 97966.
O&O Defrag 10 Professional Edition
PROS: Robust feature set; attractive interface; multiple defragmentation options
CONS: O&O Software lacks a US office; doesn’t offer multiple licenses for SMBs
PRICE: $44.95/computer for Professional Edition; $249/computer for Server Edition; volume discounts available
RECOMMENDATION: O&O Defrag 10 is one of the best disk-defragmentation tools on the market today—I highly recommend you try it.
CONTACT: O&O Software • www.oo-software.com • +49-30-4303-4303
Keeping your hard disks organized and optimized is one of the regular maintenance tasks that most IT pros don’t like to do but that must be done on a regular basis. Defragmenting your hard disks not only improves system performance and reliability, but also keeps small hard disk problems from becoming large hard disk problems. Enter O&O Software’s O&O Defrag 10 Professional Edition, a robust, standalone disk-defragmentation tool.
O&O Defrag 10 supports the 32-bit and 64-bit versions of Windows Vista and Windows XP, as well as Windows 2000 Professional. Installing the product is quick and painless, and it even provides several options to help you configure the software correctly for a given piece of hardware.
The product offers five defragmentation methods, which are shown in Web Figure 1 (www.windowsitpro.com, InstantDoc ID 97966). The O&O Defrag 10 interface is clean, attractive, and strongly resembles Microsoft Office 2007’s ribbon-based UI. The default view provides detailed information about the disks currently being defragmented. You can schedule defragmentation tasks in advance by using O&O Defrag 10’s defragmentation scheduling tool. Also, you can create multiple defragmentation jobs at once to save time and streamline your defragmentation tasks.
I installed and ran O&O Defrag 10 on a network running Vista and XP machines, and tested the software by using each of the defragmentation methods. All the defragmented machines showed a range of speed improvements related to disk access, with a system running XP (and booting from a heavily fragmented local disk) showing nearly a 10-second improvement in boot times. Speed improvements varied, but were most noticeable on older machines running XP. If you’re trying to squeeze as much life as possible out of an existing IT infrastructure still running XP, upgrading to XP SP3 and investing in a disk-defragmentation tool, such as O&O Defrag 10, might help you maximize your existing IT investment.
The version of O&O Defrag 10 that I tested was primarily aimed at small-to-midsized businesses (SMBs). However, large enterprises that are looking for better network support and a central control console might want to take a look at O&O Defrag 10 Server Edition.
I do have some gripes about O&O Defrag 10, but they’re minor. One thing I don’t like is that O&O Software doesn’t have an office in the United States, which could be a problem for businesses that prefer a stateside sales and support office. However, that shouldn’t discourage you from trying what is arguably one of the best disk-defragmentation tools available today.
InstantDoc ID 97966
—Jeff James
Summaries of in-depth product
reviews on Paul Thurrott’s
SuperSite for Windows
Apple Mac OS X Leopard 10.5
PROS: A continuation of the solid Mac OS X; better network browsing
CONS: Buggy initial release; no clear value proposition when compared to Windows Vista
RECOMMENDATION: Leopard disappoints only in that it’s not the major upgrade that Apple touts. A
continuation of the mature and capable Tiger, Leopard’s new features are hard to spot: a backup
application, Time Machine, that’s laughably childish; a multiple-desktop utility called Spaces; and that’s
about it. Leopard has been given a spit-shine, though some features aren’t as successful as others.
Particularly bad are the Stacks pop-up windows and the bland folder icons. Apple continually updates its
products, though, so these nitpicks might be fixed by the time you read this. Overall, Leopard is a solid
update but offers no reason to switch from Windows.
CONTACT: Apple • 800-275-2273 • apple.com
DISCUSSION: www.winsupersite.com/reviews/macosx_leopard.asp
Apple iPhone 1.1.3
PROS: Dramatic new functionality; IMAP support for Gmail
CONS: No Microsoft Exchange support; Microsoft Outlook calendar sync is broken
RECOMMENDATION: As flawed as it is technically exciting, Apple’s recent major iPhone update adds a slew of functionality and plugs holes from previous releases. Now, the iPhone Home screen lets you push superfluous icons to a secondary page and add Web application shortcuts called Web Clips. Google Maps has been updated with a GPS-like location function, and the Mail application fully supports IMAP-based Gmail. Lack of Exchange support limits iPhone’s appeal for corporations. And Outlook calendar sync doesn’t work right on many Windows-based
CONTACT: Apple • 800-275-2273 • apple.com
DISCUSSION: www.winsupersite.com/reviews/
InstantDoc ID 98059
Specops Password Policy
Editor’s Note: To read the full-length version of this review, go to www.windowsitpro.com and enter InstantDoc ID 98074.
Special Operations Software’s Specops Password Policy (SPP) is a password policy enforcer that lets you create multiple password policies in the same domain. In my quest to keep my Active Directory (AD) forest as simple as possible, and yet be able to set multiple password policies, I recently tested SPP.
After I installed Microsoft .Net Framework 2.0 SP1 and the Group Policy Management Console (GPMC) on the DC (both are prerequisites for installing the Specops application), I was ready to install the Specops Password Policy Domain Administration tool by clicking Setup.exe. The software installation requires a reboot, so be sure to add this to your deployment plan.
After the installation was finished, I registered a special Specops extension to the Active Directory Users and Computers extension by running SpecopsAducMenuExtensionInstaller.exe with the parameter /add. This let me see the new Specops features in Active Directory Users and Computers, which Figure 1 shows. What’s nice about this added functionality is that it’s not a Schema update but simply updates the Active Directory Users and Computers tool.
I decided to create a separate password policy for each of my organizational units. I followed the Getting Started Wiki that I found online, and it stepped me through creating all of the policies. SPP is laid out extremely well and is very simple to navigate. You use this one tool to create password policy templates. You then use the standard Microsoft Group Policy Management Console (GPMC) to deploy the templates via Group Policy. It couldn’t be simpler. When I was done, each of my three OUs had a different password policy.
With SPP, an endless set of password policy configurations is available. Some configurations will be familiar as they mimic the standard settings in the default domain GPO. Other settings will be a new and welcomed sight. For example, not only can you require the setting “three of the four” character types as the standard Microsoft “complex password setting” requires, you can specify how many of each character is required.
If you’re contemplating adding a second domain because you have to have another password policy, I recommend that you make your life easier and instead check out Specops Password Policy.
Figure 1: SPP integration with ADUC
Specops Password Policy
PROS: Easy creation of multiple password policies in the same Active Directory (AD) domain; extremely simple interface; tight integration into Active Directory Users and Computers and Group Policy Management Console; no AD Schema updates necessary
CONS: Not able to copy existing Specops password template to use as a baseline when creating a new template, making creating new templates based on existing templates difficult; firewall must be disabled to install the Sentinel service remotely
PRICE: $1,200 per domain plus $4 per user; volume discounts for domains above 500 users
RECOMMENDATION: If you need multiple password policies and are considering adding multiple domains to accomplish this, check out Specops Password Policy.
CONTACT: Special Operations Software • www.specopssoft.com • 866-857-5325
InstantDoc ID 98074
—Eric B. Rux
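The two rules the review contrasts, written out as an added example (not Specops’ code and not the product’s actual settings): Microsoft’s “three of the four” character-class test beside a per-class minimum count, so you can see passwords that satisfy the first but fail the second. The class definitions and the minimums used in the demo are assumptions chosen for illustration.

```python
CLASSES = ("upper", "lower", "digit", "symbol")


def class_counts(password):
    """Count characters in each of the four classes.

    Anything that is not an upper-case letter, lower-case letter or digit
    (punctuation, space, caseless letters) is counted as a symbol.
    """
    counts = dict.fromkeys(CLASSES, 0)
    for ch in password:
        if ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        else:
            counts["symbol"] += 1
    return counts


def meets_three_of_four(password, min_length=8):
    """Default-domain style rule: at least three classes must be present."""
    if len(password) < min_length:
        return False
    present = sum(1 for n in class_counts(password).values() if n > 0)
    return present >= 3


def meets_per_class_minimums(password, minimums, min_length=8):
    """Stricter rule: every listed class must appear at least N times.

    minimums: e.g. {"upper": 1, "lower": 1, "digit": 2, "symbol": 1}
    """
    if len(password) < min_length:
        return False
    counts = class_counts(password)
    return all(counts[cls] >= n for cls, n in minimums.items())


def evaluate(password, minimums):
    """Return both verdicts so the two policies can be compared side by side."""
    return {
        "three_of_four": meets_three_of_four(password),
        "per_class": meets_per_class_minimums(password, minimums),
    }


if __name__ == "__main__":
    # Assumed demo policy: two digits and one symbol, not only "some digit".
    policy = {"upper": 1, "lower": 1, "digit": 2, "symbol": 1}
    for pw in ("Password1", "Pa55w0rd!", "password"):
        print(f"{pw:12} {evaluate(pw, policy)}")
```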
Comparative Review
Online Office Suites
Can a low- or no-cost online office suite replace Microsoft Office?
When it comes to the workhorses of business
software—word processors, spreadsheets,
and presentation software—the Microsoft
Office suite has ruled the corporate roost for more than
a decade. Anyone remember WordPerfect, Lotus 1-2-3,
or Harvard Graphics? Like Pete Best—the onetime
member of the Beatles who was dismissed before the
band hit the big time—those once-famous applications
were relegated to bystander status as Office became the
preeminent office application suite. Corel, IBM, and Harvard Graphics were slow to port their wares to Windows,
and history has proven the folly of being slow to adapt to
changes in the market. Some might argue that Microsoft’s
overly aggressive pricing and ability to bundle Office
with new PCs had more of an impact on the fate of those
applications, but the outcome isn’t in dispute: Microsoft
became the dominant provider of business application
software with Office and hasn’t looked back.
Fast forward to 2008: Today, Microsoft Office is
fending off challenges from new competitors. Thanks
in part to the remarkable growth of the Internet and
the explosion of high-speed Internet access, a new
generation of Web applications is beginning to compete
with traditional office-productivity products such as
Microsoft Word, Excel, and PowerPoint. Unlike traditional applications that are installed and maintained
on a local client, these online apps live entirely on the
Web, and their files reside on the application provider’s
file servers. For example, Google Docs lets you create,
edit, print, and save spreadsheet, word processor, and
presentation documents without needing to install an
application on your PC. These products also leverage
the strengths of the Internet by allowing for the easy
sharing of documents among office workers who are
separated geographically from one another. And here’s
the kicker: Most of these online apps are free (or very
low cost), which has captured the interest of many cash-strapped IT managers.
The sheer number and diversity of online apps has
mushroomed over the past few years: Online word processors such as Adobe Buzzword and Coventi Pages
allow documents to be created, edited, and shared
online, and online spreadsheets such as Team and Concept’s EditGrid and TrimPath’s Num Sum do the same
for workbooks. Even Dan Bricklin—the co-creator of
VisiCalc, the world’s first spreadsheet—has entered the
online app arena with Software Garden’s wikiCalc. All
of this development is good news, but do any of these
online applications really have a chance of unseating
Office as the premier business application suite? To
find out, I’ve compared five of the most popular online
office products that offer word processing, spreadsheet,
and presentation capability: Ajax13, Silveroffice gOFFICE, Google Docs, ThinkFree Online, and the Zoho
office suite. Instacoll’s Live Documents office suite was
announced at press time, but Instacoll didn’t respond
to our invitation to participate in this review. Transmedia’s Glide Business offers online applications but also
includes extensive OS replacement features that are
beyond the scope of this review.
Although Microsoft has been slow to respond to the
challenge these newcomers present, it has begun to
articulate a new “Software plus Services” strategy that
attempts to combine the strengths of the traditional
Office applications with the improved flexibility and
collaborative nature of Web applications. The beta of
Microsoft Live Office Workspace, which was announced
just before press time, is a product of that strategy. (For
more information, see the sidebar “Microsoft Office
Live Workspace: A Winning Strategy?” on page 22.)
To test how well these online office suites compete
with (and work together with) Microsoft Office, I created
sample Excel, PowerPoint, and Word documents, then
used each of the online suites to load, edit, save, and
print each document. If any application couldn’t import
the documents, I created an approximation of each
document manually by using the relevant application’s
editing tools. Table 1, page 23, provides a price- and
feature-comparison summary of all five products.
Finally, in the interest of fairness, all of these products are classified as betas in development by their
vendors. Nearly all exhibited minor glitches or bugs,
so you’ll want to consider criticisms of the behavior of
certain program functions in that context.
by Jeff James
Google Docs
Although Google Docs is the most well-known online
product that replicates some of the functionality of
Microsoft Office, it isn’t—as of this writing—the best
Web-based alternative to Office. Google Docs is available in a free edition for home and small-business use,
and Google also offers a Premier Edition that includes
extra features—mainly security and support features—
for business use. For example, the Premier Edition
includes APIs that let Google Docs integrate easily
with an existing IT infrastructure, offers 25GB of storage space per account (the free version offers 2.75GB),
and provides access to Postini spam control and other
We’re in IT with You
Windows IT Pro
MARCH 2008
Comparative Review | Online Office Suites
business-oriented features.
Google Docs did an admirable job preserving the appearance of my sample Word
document and left most of the formatting intact. The test PowerPoint document
was imported without too many glitches,
although some text overflowed existing text
boxes, and font sizes varied from the original
Word document. The Excel document was
larger than the 1MB size limit Google Docs
imposes for Excel documents, but smaller
worksheets loaded without problems.
The ability to share documents with others and easily track shared document revisions is a slick feature, and the recent release
of Google Gears—an API that enables online
applications that use it to be run offline—
promises to make Google Docs even more
useful. You can save documents that you
create with Google Docs locally for editing
with other applications, but the current version of Google Docs can’t edit documents
offline. (Ironically, Zoho Writer uses Google
Gears to provide offline document-editing
Google Docs can be a good choice for
home and small-office work, but the limited
feature set means it isn’t ready to replace
Office for the majority of users. That said,
the document collaboration features are
usable, Google Gears shows great promise
for improving integration between online
and offline files, and Google will undoubtedly upgrade the functionality of Google
Docs in the months and years to come.
Google Docs
PROS: Tight integration with best of
breed Web email; lots of storage space for
documents; fast performance and good
reliability; excellent document-sharing
CONS: Not as feature-packed as
ThinkFree and Zoho office suite; competitive solutions offer more applications, ability to edit documents offline
PRICE: Free for standard edition; $50 per
user, per year for Premier Edition
Microsoft Office alternative for home users
and small businesses that don’t need complete Office compatibility but rather the
ability to easily share and revise documents
CONTACT: Google • 800-225-5224 •
Silveroffice gOFFICE
Silveroffice’s gOFFICE combines an online
word processor, spreadsheet, and desktop
publishing program. The vendor claims that
a graphical presentation application will be
available soon, but it was unavailable for
testing at press time.
gOFFICE is available in one edition for
personal and business use priced at 99 cents
per month. The spreadsheet module in gOFFICE offers the ability to import Excel documents, but the word processing application
doesn’t: You need to either create your documents from scratch online or cut and paste
them into the document workspace from
another word processing program. The word
processing and spreadsheet modules have a
very limited feature set, but both are easy to
use—the lack of program features will turn off
many business users, but getting up to speed
with how to create, edit, save, and print documents is a straightforward process.
The gOFFICE applications include some
nice features for personal use, including an
assortment of free letterhead designs and
sample text for a variety of common business uses, such as purchase orders, thank-you letters, and sales receipts. Silveroffice
also provides a free document fax service to
US phone numbers and free postal delivery
of gOFFICE documents (limited to one
mailing per week).
I encountered a number of glitches and
head-scratching features when using gOFFICE, ranging from a tiny “gOFFICE.com”
watermark included on all printed documents to module page headers that refer to
gOFFICE as a “Free browser-based online
office suite,” despite the fact that users are
charged to use the service. (The gOFFICE
Web site’s SSL certificate expired in September 2007, which might make you think
twice before entering your credit card number.) The online Help is anemic, and the
current desktop publishing module lets you
create only gift cards and business cards
(although more templates are forthcoming).
Even at 99 cents a month, gOFFICE
doesn’t compare well to more full-featured
offerings from Zoho, ThinkFree, and Google.
Even home and small-business users will be
better served by choosing another product.
Silveroffice gOFFICE
PROS: Lots of free templates and sample
text; US mail and fax services for printed
CONS: Limited feature set; inability to
import Word documents; general program
stability and performance problems
PRICE: $0.99 per month, per user
templates and mail and fax services are
unexpected (and welcome) features, but
gOFFICE has little to offer beyond them.
Because competitive products offer more
features and stability for less cost, I don’t
recommend gOFFICE.
CONTACT: gOFFICE • www.goffice.com
ThinkFree Premium
Someone once said that imitation is the
sincerest form of flattery. If that’s the case,
Microsoft should be blushing—ThinkFree is
the closest thing yet to a literal translation of
Office to an online environment. ThinkFree
offers packages aimed at corporate and
enterprise users, making it the best choice
for business users looking for a light-duty
online alternative to Office.
ThinkFree Premium
PROS: Closely approximates Microsoft
Office look and feel; excellent document
sharing options; affords ability to work
offline with some documents; good document import and export functionality
CONS: Slower performance with large
documents than competitors; comparatively
slow pace of updates and improvements to
core applications
PRICE: Free for ThinkFree Premium; $30
per user per year for ThinkFree Server
RECOMMENDATION: It still can’t
replace Microsoft Office in most office environments, but ThinkFree Premium comes
closer than the competition to providing a Web-based, low-cost
alternative to Office for home and small-business users.
CONTACT: ThinkFree • support@thinkfree.com • www.thinkfree.com
ThinkFree is available in a number of
variants that are available at low or no cost. A
desktop version installs on a client machine
and provides a subset of Office functionality.
ThinkFree Online lets desktop users edit and
create online documents that are hosted by
ThinkFree. ThinkFree Server lets companies
run the ThinkFree software on their own Web
server. I chose to test ThinkFree Premium,
which introduces the ability to work with
(and sync) online and offline documents. It
also provides 24-hour technical support and
file synchronization options that make it the
best choice for small businesses.
Whereas the other products in this comparison have developed their own interface
design for each of their application modules, the ThinkFree UI strongly resembles
Microsoft Office 2000 and 2003. Like Google
Docs, ThinkFree features a common online
workspace to which you can upload Word,
Excel, and PowerPoint documents for editing. ThinkFree Premium also lets you access
documents locally so you can edit them
when you’re not connected to the Internet.
Two editing options are offered: A quick edit
option is designed for creating simple online
documents; a power edit option allows
the creation and editing of more complex
documents that are compatible with their
Microsoft Office equivalents.
Other thoughtful touches abound: You
can upload multiple files from a single
screen, the online Help is verbose and actually helpful, and the file-sharing features are
easy to find and use. On the downside, getting to my online files seemed to take longer
than it did with some of the other products,
and editing tasks periodically took a second
or two longer than expected. ThinkFree
lacks the vast quantity of applications (and
frequency of updates) that Zoho offers, and
it might trail Google when it comes to email
and calendaring functionality. Office rules
the roost when it comes to mid- to heavy
application use, but ThinkFree Premium is
worth a look as the best of the current breed
of online alternatives to Office for home and
small-business users.
Zoho Office Suite
Like many of the other products in this comparison, Zoho has basic office-suite application tasks covered: Zoho Writer, Zoho
Sheet, and Zoho Show provide basic word
processing, spreadsheet, and presentation
functions, respectively. (In this review, I refer
to the Zoho office applications collectively
as the Zoho office suite.) Where Zoho excels
is in the depth and breadth of products it
offers: Nearly a dozen online applications do
everything from project management (Zoho
Projects) to Web conferencing and database
creation, in addition to customer relationship management (CRM—Zoho CRM) and
wiki software (Zoho Wiki), and all are free.
In terms of document compatibility,
Zoho Writer and Zoho Sheet loaded my
sample Word and Excel documents without any formatting problems. Zoho Show
loaded the sample PowerPoint document
with a few visual glitches, mainly disappearing borders and some unusual font
sizes. Conversely, most Zoho modules feature impressive export options once you’ve
made changes to your online documents.
For example, Zoho Sheet can export worksheets in XLS, OpenDocument spreadsheet
(ODS), OpenOffice.org spreadsheet (SXC),
Gnumeric, CSV, HTML, Extensible HyperText Markup Language (XHTML), and PDF
formats. Zoho also offers a Zoho plug-in for
Office that lets users edit and save documents directly into Zoho Writer and Zoho
Sheet from Word and Excel, respectively. A
free Zoho plug-in for Microsoft Office lets
you save files locally.
Like Google Docs and ThinkFree Premium, Zoho provides robust support
for sharing documents with other users
online. During the course of my evaluation,
Zoho released a slew of new updates and
enhancements, and the frenetic pace of
product updates is scheduled to continue.
Zoho may lack the professional appearance and Office-oriented feature set that
ThinkFree Premium includes, but Zoho
wins points for the breadth of the applications it offers, the rapid pace of its upgrades,
and a very active online community that is
frequented by many Zoho developers.
Zoho Office Suite
PROS: Includes more than a dozen applications; lots of program features; robust
import and export capability; affords the
ability to work offline (via Google Gears)
with Zoho Writer documents; high-traffic
(and helpful) user support forums; frequent
and high-quality application updates
CONS: Bright, playful interface seems
more focused on home users; some performance problems; Zoho Show import problems with some PowerPoint files
rowest of margins kept the Zoho family of
applications from earning the top spot in
this comparison. Zoho excels as a viable
alternative to Microsoft Works (and similar
application suites) for personal use—just a
few more business-oriented features would
see it emerge as the Microsoft Office alternative to beat.
CONTACT: Zoho • www.zoho.com
Ajax13
In addition to being the name of a powdery
household cleanser my mother was fond of
using, AJAX (the acronym stands for Asynchronous JavaScript and XML) describes
a group of Web-focused programming
techniques that allow rich, feature-packed
Web applications to run with respectable
performance in a Web browser. The AJAX
programming methodology is an important
part of most of the products featured in this
comparison and lends its name to the last
online office suite I examined: Ajax13.
Ajax13 is actually a compilation of five
applications: ajaxWrite (word processing),
ajaxSketch (drawing), ajaXLS (spreadsheet),
ajaxPresents (presentation) and ajaxTunes
(a music player). Like most of the other
products in this comparison, the product
is free. Getting started with any of these
applications can take some time because
the Ajax13 suite requires the use of Mozilla
Firefox 1.5 to function properly. Ajax13
doesn’t work with Safari, Microsoft Internet
Explorer, or Opera, although Ajax13 has
stated that it’s working on extended browser
support. This requirement alone is a big
negative, but weak browser support is the
least of Ajax13’s problems.
AjaxWrite—a simple word processor
that sports a clean, minimalist interface—
was the first module I tried. I attempted
to load the test document, then waited.
And waited. Then waited some more. After
about 10 minutes of watching an animated
loading screen that resembled a history of
Google’s stock price, I cancelled the import
and moved to the ajaxPresents module. Not
much luck here either: The program spit out
an error message each time I tried to load
the sample PowerPoint document. Hoping
that the third time was the charm, I turned
to the ajaXLS spreadsheet viewer, only to be
blocked by a frozen dialog box.
To be fair, these Ajax13 applications—like
all the other products in this comparison—
are beta software. The Ajax13 suite does
have some laudable features, namely clean
interface design, fast core-application load
times, and a well-populated user forum.
However, these few positive features can’t
make up for some crippling bugs, curious
feature omissions, bizarre load and save dialogs, and a general lack of stability. Ajax13
might be fine for Web-focused hobbyists
who have use for some of its more esoteric
features, but anyone else should give this
online office suite a wide berth and look
Ajax13
PROS: Clean module interface design;
core applications load quickly
CONS: Lack of features; lots of import
and export bugs and glitches; quirky, counterintuitive file-loading dialogs; requires
Mozilla Firefox 1.5
RECOMMENDATION: Nearly all of the
Ajax13 applications we tested had serious
bugs, quirks, or simply didn’t function at all.
Granted, this software is in beta, but so are
all the other products in this comparison.
This one simply isn’t worth the time or
effort needed to make it work.
CONTACT: Ajax13 • www.ajax13.com
Microsoft Office Live Workspace: A Winning Strategy?
Microsoft may have been slow to respond to the flood of Web-based competitors to Office, but it isn’t hard to see why. A
Web-based version of Office could cannibalize the existing (and profitable) sales of Office products, but doing nothing will
simply cede a potentially lucrative future market to Microsoft’s competitors. After realizing that Web-based office applications aren’t
going away, Microsoft has developed what it believes to be a winning strategy: “Software plus Services.” Described as a mix of the
company’s existing client-based software with newer server-based applications, the objective of the Software plus Services strategy
is to maximize the benefits of both mediums, teaming the security, speed, and reliability of existing offline Office applications with
online services that provide document sharing and collaboration.
The first tangible manifestation of Microsoft’s strategy is Microsoft Office Live Workspace (shown in Figure A), an online
service (currently in beta) that lets Office users upload and share Office documents. There are some caveats: Users are
required to have a version of Office installed in order to edit and save documents, and the lack of online editing capability is
a curious oversight.
Based on my experience with the beta version, Office Live Workspace provides some interesting features (especially the
ability to store common documents for later editing at a different location with a different PC), but lacks others, such as the
ability I mentioned to create and edit documents online, a feature that all the products in this comparison offer.
The interface should be familiar to Office users, and as a first stab at providing for Web-based sharing of Office documents,
it’s a passable effort.
“Office Live Workspace will provide anywhere-access to Office documents, including
Word, Excel, and PowerPoint files,” Jeff Raikes,
president of Microsoft’s Business division, has
said. “In other words, these documents will go
wherever people go when they’re away from their
usual desktop.”
Granted, the ability to upload and share
documents has been done before (specifically,
by Google), but the tight integration between
Office and Office Live Workspace could address
criticism that Office doesn’t offer robust document-sharing functionality. The Office development team hasn’t been idle, and we’re bound to
see more updates and improvements over the
coming months and years. The next version of
Office might still be a long way off, but it’s clear
that tighter integration with the Web will be
a given.
Figure A: Office Live Workspace
InstantDoc ID 98103
Table 1: Online Office Suites Comparison
Price: Google Docs, Standard edition is free; Premier Edition is $50 per user, per year. Silveroffice gOFFICE, $0.99 per user, per month.
Storage Space for Documents: Google Docs, 2.75GB per account for standard edition; 25GB per account for Premier Edition. Three of the other products, 1GB per account.
Feature rows compared: Word Import, Word Export, Excel Import, Excel Export, PowerPoint Import, PowerPoint Export.
*Features didn’t function during testing.
Are the Days of
Microsoft Office
Can competing online office suites truly
replace the ubiquitous Microsoft Office? If
you’re an IT manager at a medium to large
enterprise, the answer is a definitive no. As
promising as these applications are, they
lack the depth of content, robust security
features, and massive support infrastructure
that midsized-to-large enterprises need.
Because ThinkFree Premium comes closest to reaching those goals for light-duty
business use, I’ve designated it my Editor’s
Choice. (But don’t count out Zoho and
Google: At their current rate of development, both the Zoho office suite and Google
Docs might have launched more updates
and improvements to their products by
the time you read this.) Only ThinkFree
Premium, Google Docs, and the Zoho suite
were able to load and allow editing of all
three sample documents. Ajax13 and gOFFICE are outmatched in nearly every category in this comparison.
For small-business and personal use,
the best online office suites in this comparison can be attractive solutions. As
an alternative, IT pros running on a tight
application budget—or those who prefer
to keep their office applications offline and
local—might take a look at the open-source
alternatives to Microsoft Office: OpenOffice.org, IBM Lotus Symphony, and Sun
Microsystems’ StarOffice. Each is based on
the OpenOffice.org code base, and most
provide the bulk of the features that Office
does at no cost. (A StarOffice license costs
$69.95 per user, who can install that software on 5 machines.)
Whether we’re discussing online Office
workalikes or products like OpenOffice.org,
it’s clear that there are now more options
for business desktop applications than ever
before. Microsoft Office still dominates the
market, but changes are coming. Office Live
Workspace might be a passable stopgap for
Office users who want to share documents
online, but Microsoft clearly needs to do a
better job of integrating the existing Microsoft Office suite with the Internet. The days
of Microsoft ruling the desktop application
market virtually unopposed are over. We’ve
seen only the opening skirmishes of what
will undoubtedly be a long battle over how
people should create, edit, and share documents between computers and across the
Internet. The ensuing competition will not
only be entertaining to watch but will also
signify that consumers have more products
and solutions to choose from—and that’s
always good news.
InstantDoc ID 98104
Jeff James
(jjames@windowsitpro.com) is senior editor, products,
for Windows IT Pro and SQL Server Magazine. He
specializes in virtualization and terminal services and
has over 15 years of experience as a writer and digital-content producer.
Market Watch
Group Policy Tools: Easing the Pain
Help is on the way
“There’s no reason Group Policy shouldn’t
be easy to use,” says SDM Software CEO
and Group Policy MVP Darren Mar-Elia. If
you’re in the 22 percent of IT pros who admit to “winging
it” as they configure and manage Group Policy, you might
be surprised to hear that statement. Many IT pros have
found it difficult to find a specific setting in Group Policy,
to design Active Directory (AD) organization units (OUs)
with Group Policy in mind, to set up user and computer
groups to work with Group Policy, to troubleshoot nonworking Group Policy Objects (GPOs), and to back up the
GPO infrastructure.
That a significant number of IT pros acknowledge
being somewhat clueless about Group Policy—even as
they use it—surprised Group Policy solution provider
NetIQ. The company surveyed IT pros about how they
use Group Policy and published the results in 2007.
According to Sacha Dawes, senior manager of product
marketing at NetIQ, that figure of 22 percent is evidence
of the lack of available native tools for managing Group
Policy, including “the severe lack of change control.”
In a conversation with Windows IT Pro magazine in
the fall of 2007, Dawes noted that 58 percent of survey
respondents said they’d experienced an unplanned outage from a Group Policy change and that their troubleshooting time ranged from 45 minutes to more than 6
hours. And more than half of the respondents also said
that they had no system set up to alert them to a Group
Policy problem or anomaly—their “strategy” was simply
to wait for an incident to occur.
Group Policy experts, solution providers, and users
agree that Group Policy can get you into a lot of trouble if
you don’t use it properly. They differ on what Microsoft’s
role is in managing this technology and what vendors can
best do to help fill in the gaps. They also have different
opinions on what impact Microsoft’s soon-to-be-released
Group Policy Preferences (technology from the acquisition of DesktopStandard) will have on the Group Policy
tools market.
Most agree, however, that if you’re not using Group
Policy yet, you will be. Let’s look at how Group Policy
has evolved, why it has a reputation for causing IT pros
to sweat bullets, and how Microsoft and third-party tools
aim to help ease your Group Policy pain.
Group Policy Past and Present
Group Policy is a Windows feature that lets you centrally
configure and manage computers and remote users in
an Active Directory (AD) environment. You’ll find Group
Policy at work in the enterprise as well as in smaller organizations, such as schools and libraries, where it can be
used to restrict users’ actions and increase security.
Using Group Policy, you configure settings and store
them in Group Policy Objects (GPOs). You create and
edit GPOs with two tools: The Group Policy Object Editor
(GPE) lets you create and edit one setting at a time, and
the Group Policy Management Console (GPMC) lets you
create and edit multiple settings at a time. After you create the GPO, you target or link it to an AD site, a domain,
or, more typically, an organizational unit (OU). Then the
Group Policy client pulls a list of GPOs appropriate to a
machine and logged-on user and applies the GPOs. The
GPOs enforce your organization’s security settings and
restrictions—and keep users from overriding them.
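One way to make those links, and any later change to them, visible before a client pulls them is an added PowerShell example that is not from the article or from any vendor it mentions; it assumes the GroupPolicy module that ships with RSAT (Get-GPInheritance, Get-GPO, Backup-GPO), which the article does not cover, and the OU distinguished name and baseline folder are placeholders.

```powershell
# Added example (not from the article): record which GPOs apply to an OU and
# at what version, then compare a later run against that baseline so an
# unplanned Group Policy change is noticed before it turns into an outage.
# Assumes the RSAT GroupPolicy module; OU and folder paths are placeholders.
Import-Module GroupPolicy

$TargetOU     = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$BaselinePath = 'C:\GPO-Baseline'                     # placeholder folder

# Resolve the GPOs the client will see for this OU. InheritedGpoLinks is the
# precedence-ordered list GPMC shows on the OU's Group Policy Inheritance tab:
# links from the domain and parent OUs plus the links on the OU itself.
function Get-AppliedGpos {
    param([string]$Target)
    $som = Get-GPInheritance -Target $Target
    foreach ($link in $som.InheritedGpoLinks) {
        $gpo = Get-GPO -Guid $link.GpoId
        [pscustomobject]@{
            Order       = $link.Order
            Name        = $gpo.DisplayName
            Guid        = $gpo.Id
            Enabled     = $link.Enabled
            Enforced    = $link.Enforced
            ComputerVer = $gpo.Computer.DSVersion   # bumps on each computer-side edit
            UserVer     = $gpo.User.DSVersion       # bumps on each user-side edit
            Modified    = $gpo.ModificationTime
        }
    }
}

# Save the current state as the baseline (run once after a known-good change)
# and keep a restorable backup of every GPO next to the inventory.
function Save-GpoBaseline {
    param([string]$Target, [string]$Path)
    New-Item -ItemType Directory -Force -Path $Path | Out-Null
    Get-AppliedGpos -Target $Target |
        Export-Clixml -Path (Join-Path $Path 'applied-gpos.xml')
    Backup-GPO -All -Path $Path | Out-Null
}

# Compare the live state with the baseline and report new links, removed
# links, version changes, and flipped Enabled/Enforced flags.
function Compare-GpoBaseline {
    param([string]$Target, [string]$Path)
    $baseline   = Import-Clixml -Path (Join-Path $Path 'applied-gpos.xml')
    $current    = Get-AppliedGpos -Target $Target
    $baseByGuid = @{}
    foreach ($b in $baseline) { $baseByGuid[$b.Guid.ToString()] = $b }

    foreach ($c in $current) {
        $key = $c.Guid.ToString()
        $b   = $baseByGuid[$key]
        if (-not $b) {
            "NEW LINK : $($c.Name) now applies to $Target (order $($c.Order))"
            continue
        }
        if ($c.ComputerVer -ne $b.ComputerVer -or $c.UserVer -ne $b.UserVer) {
            "MODIFIED : $($c.Name) version $($b.ComputerVer)/$($b.UserVer) -> " +
            "$($c.ComputerVer)/$($c.UserVer) at $($c.Modified)"
        }
        if ($c.Enabled -ne $b.Enabled -or $c.Enforced -ne $b.Enforced) {
            "LINK FLAG: $($c.Name) enabled=$($c.Enabled) enforced=$($c.Enforced)"
        }
        $baseByGuid.Remove($key)
    }
    # Anything left in the baseline no longer applies to the OU.
    foreach ($gone in $baseByGuid.Values) {
        "UNLINKED : $($gone.Name) no longer applies to $Target"
    }
}

# Usage:
#   Save-GpoBaseline    -Target $TargetOU -Path $BaselinePath
#   Compare-GpoBaseline -Target $TargetOU -Path $BaselinePath
```

Scheduling the compare step gives the alerting the NetIQ survey respondents said they lacked, and the Backup-GPO copy is what you restore from when a change does cause an outage.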
NetIQ’s survey found that a surprising number of IT
departments use Group Policy as a way to write fewer
scripts. The more typical use, however, is for configuration
management and for implementing server security and
protection at the client level. Group Policy’s usefulness is
clear; what, then, makes it so difficult to master?
Consider that Group Policy began in Windows 2000
with just 500 settings. “You could wrap your brain around
that,” Microsoft’s Lead Program Manager in Group Policy,
Kevin Sullivan, says. Windows XP Service Pack 2 (SP2)
had “800 additional settings. With Vista, it’s 3,000. A slew
more will appear in 2008.”
Mar-Elia, of SDM Software, explains: “The way Group
Policy was built, a team built the engine and created a
framework. But the team didn’t create a standard. So each
product group went off and did its own thing.” Sullivan
offers the Microsoft perspective: “The Group Policy team
doesn’t decide what needs to be managed, for example,
in Windows Media Player—but we do help them and test
the Group Policy experience.”
With the acquisition of DesktopStandard in 2006,
Microsoft at least made it easier on itself in the Group
Policy arena. DesktopStandard’s GPOVault Enterprise
became Microsoft Advanced Group Policy Management
(AGPM) and was released in the Microsoft Desktop Optimization Pack (MDOP) for Software Assurance (SA) in July
2007. AGPM lets you manage GPOs by offering change
control (e.g., the ability to check GPOs in and out for editing), the ability to compare two versions of a GPO, and
role-based delegation. Microsoft is integrating DesktopStandard’s PolicyMaker Standard Edition, Share Manager,
and Registry Extension into the GPMC and renaming it
Group Policy Preferences. It will be in Windows Server
2008 and offered as a Windows Vista SP1 download in the
Remote Server Administration Toolkit (RSAT).
Two vendors whose product offerings don’t overlap
with Microsoft’s Group Policy offerings comment favorably on the release of the newly acquired tools. Thorbjörn
Sjövold, CTO and founder of Special
Operations Software (Specops), says Microsoft “more than doubled the number of
Group Policy extensions with Group Policy
preference extensions (GPPE). This is really
good news because it shows that Microsoft
believes in Group Policy and is committing to the technology.” The former CEO
of DesktopStandard, now CEO of Beyond
Trust, John Moyer, adds, “What Microsoft
is releasing with Group Policy Preferences
is going to make Group Policy useful to the
broader market and will help with standardizing desktops.”
pro.com) is an associate editor for Windows
IT Pro and SQL Server
Magazine, specializing
in Active Directory (AD),
Group Policy, and
desktop management.
The settings in Group Policy Preferences
“could potentially reach a staggering number,” Microsoft’s Sullivan says. “I mean that
in a ‘wow, look at my breadth of management’ way. For example, it’s easy to distribute
binary data out to clients. It’s a pretty exponential leap we’re looking at.”
Group Policy Preferences adds flexibility,
Sullivan says. An administrator can create an image, deploy it to users, and users
can change some of the preferences if the
administrator allows it. “An admin can set or
narrow down in Editor, turn on filter options,
and look for commented settings.” Sullivan
points out the usefulness of being able to
annotate GPOs with commented settings.
“Today, if customers open a GPO and see a
creation date of 2000, they don’t know why
it was created or who created it.” Another
feature in Group Policy Preferences is what
he calls “starter GPOs.” What he refers to is
architecture that supports a baseline application. “You can create starter GPOs with
canned settings and another admin can use
those canned settings as a starting point” to
configure a new GPO.
Jason Leznek, Microsoft Senior Product
Manager for Windows Client Manageability,
adds, “The other thing that Group Policy
Preferences lets you do is richer targeting.
Group Policy Preferences lets you set Windows Management Instrumentation (WMI)
filtering or go beyond, and it’s in a GUI. You
can have check boxes; you can specify situations for settings; you can have multiple settings in one GPO.”
According to Sullivan, Microsoft jumped
on those feature changes that provided best
customer value and didn’t step on partners.
Sullivan says his team asked customers,
“What do you want to do in Group Policy?”
The answer was that they wanted to do
everything they could on their systems.
“Group Policy Preferences provides application extension,” Sullivan notes. “Partners
can go in through the core and add and
Third-Party Solutions
You’ll find several big players in the Group
Policy arena and some smaller ones. Tools
from third parties tend to fall into two main
areas—those that extend what you can do
with Group Policy and those that help you
manage Group Policy.
Tools that extend Group Policy. Within the extension area are tools that add Group Policy functions. Examples of such functions include software deployment and asset inventory. Two vendors in this arena are Beyond Trust and Specops.
Beyond Trust uses the concept of least privilege to help administrators configure applications to run on desktops. “We get apps that require admin privileges to run on the desktop where they don’t have administrative privilege,” CEO Moyer says. He notes the impact of a recent US Office of Management and Budget mandate: “Federal agencies must move to standard configurations for Vista and XP, which means no more local administrator accounts. The local administrator account undermines all settings. It undermines what you’re trying to do with Group Policy. We see the need to exploit this concept, developing new products and new
As a former strategic Group Policy partner of DesktopStandard, Specops offered tools that didn’t overlap with DesktopStandard’s and that don’t overlap with Microsoft’s releases. Specops founder and CTO Thorbjörn Sjövold says that, besides DesktopStandard, Specops is actually the only winner among the Group Policy Extension ISVs when it comes to Microsoft’s Group Policy Preferences offering.
Tools that extend Group Policy include the following:
• Beyond Trust Privilege Manager—lets administrators use Group Policy to configure applications so users can launch them without having administrator privileges. It includes the ability to let enterprises operate with User Account Control (UAC) turned on or off.
• FullArmor Endpoint Policy Manager—uses an organization’s existing Group Policy infrastructure to provide real-time management and enforcement of endpoint policy settings by pushing Group Policy settings to client computers that might not connect often to the domain; it also provides auditing and reporting for
• FullArmor GPAnywhere—lets administrators create portable policies from Group Policy settings and settings provided by IntelliPolicy for Clients to enforce policies on devices outside AD.
• Specops Command—combines Windows PowerShell with Group Policy, making it possible to execute PowerShell scripts on any number of computers.
• Specops Deploy—uses a Group Policy client-side extension (CSE) that replaces the built-in Group Policy software installation (GPSI) functionality in Windows.
• Specops Inventory—uses Group Policy to provide detailed data to track Windows-based IT assets.
• Specops Password Policy—removes the obstacle of the single password policy per domain in Group Policy.
Tools that manage Group Policy. Within the management area, you see tools that focus on specific management functions—such as troubleshooting, reporting, and security—and tools that offer many management functions across the board. Mar-Elia, of
SDM Software, approaches Group Policy by
conceiving of his products in three “buckets”:
troubleshooting, management, and reporting. “I decided the first thing I wanted to
do was get tools for troubleshooting.” His
second product was something he’d wanted
to do for a long time. Editing GPOs required
Group Policy Editor (GPE); Microsoft provides Group Policy Management Console
(GPMC), and there was some scripting, but
it was geared toward the GPO. He wanted to
make a Group Policy Software Development
Kit (SDK) and expose settings. The result was
the company’s scripting toolkit.
He has two additional products ready to
release: One is Group Policy Backup and
Recovery. “GPMC provides backup and
recovery as an afterthought. I’m trying to
make it more of an enterprise-strength
solution, with backup and restore links.”
The other is Desktop Policy Manager, which
rides on the scripting toolkit. With it, small-to-midsized businesses (SMBs) can manage
Group Policy by using a Web interface that
walks people through how to define settings
and shows them in profiles. According to
Mar-Elia, it hides the linking. “Instead of
thousands of settings, the user sees a dozen.
Not everyone has to see the complexity of
GPMC—we shield them from that.”
Gil Kirkpatrick, CTO of NetPro, says,
“Smaller organizations are just now beginning to experiment with Group Policy. I
talked to a group of SMBs about AD backup
and recovery, and very few were using it.
It looked complicated to them.” He says,
however, that we’ll see many smaller businesses getting into Group Policy. “I think
that’s what’s driving a lot of the introduction
of Group Policy tools.” In the past, he says,
“management tools didn’t scale well to the
SMB area and weren’t intuitive. Microsoft
built the platform services well, then gave
you a crappy interface and left it to the ISVs
to fill in.” NetPro’s tools cover the AD realm
and include specific Group Policy management tools, such as GPOADmin. It’s not yet
possible to be an all-NetPro shop, though
additional offerings are in the future.
Using Group Policy, Kirkpatrick says, “needs
to be a controlled IT process, a process that’s
standardized.” The other need is “to be able
to delegate Group Policy creation or setting.
Native tools don’t let you delegate the ability
to manage Group Policy.”
About Microsoft’s recent entry of the DesktopStandard product version, he says, “We
had just released GPOADmin, which competed with DesktopStandard’s product—
but Microsoft split that product in two.”
As he understands the Microsoft offering,
“It doesn’t help you much with respect to
management, but it does have a nice UI.
It’s not like Microsoft solved the management problem in Group Policy. Vendors will
just have to be more innovative.” NetPro’s
GPOADmin “expanded features and added
workflow. You can delegate and let others
make changes and an email goes out to
higher administrators who can approve and
apply the changes. It doesn’t make sense for
shops with one IT guy, but it’s necessary for
large shops and is in line with IT Infrastructure Library (ITIL).”
Tools that help you manage Group Policy
include the following:
• NetIQ Group Policy Administrator—offers
a change management process for GPOs,
including offline management, versioning,
workflow and delegation, the ability to
replicate GPOs, and auditing and reporting capabilities.
• NetIQ Group Policy Guardian—alerts
administrators when certain Group Policy
changes occur, details and documents
Group Policy change history, and offers
change tracking.
• NetPro ChangeAuditor—adds audit visibility beyond native logs with coverage
for GPOs and nested groups in addition to
real-time auditing and reporting of AD, file
system, and Exchange changes.
• NetPro GPOADmin—lets you automate
change management tasks by configuring
workflow approval processes that include
the ability to do offline edits to GPOs as
well as GPO commenting, tracking, version control, backup, scheduling, and
change auditing.
• Quest Software Quest Group Policy Extensions for Desktops—lets you use Group
Policy to implement and enforce endpoint
security and includes tools that extend
Group Policy to manage desktops, including the ability to configure Microsoft Office
applications and to manage Microsoft
Outlook remotely.
• Quest Software Quest Group Policy Manager—adds version control and a new UI
to its GPO change management solution,
which includes archiving and rollback, a multilevel approval process, and the use
of PowerShell to automate Group Policy
management tasks.
• SDM Software GPExpert Backup Manager
for Group Policy—lets you manage the
backup and recovery of GPOs and GPO
links in your AD environment.
• SDM Software GPExpert Scripting Toolkit for PowerShell—helps you automate
Group Policy management using PowerShell.
• SDM Software GPExpert Status Monitor—
lets Help desk administrators find out
quickly when Group Policy isn’t working
by referring to desktop event logs that
record successes or failures in Group
Policy processing.
• SDM Software GPExpert Troubleshooting
Pak—helps administrators troubleshoot
and resolve problems in Group Policy
Group Policy in Your
With its acquisition of DesktopStandard
and the resulting new Group Policy–related
offerings, Microsoft is giving more attention
to configuration and management difficulties that have plagued Group Policy users.
As third parties build more features into
their Group Policy products, those tools will
expand on what Microsoft has done.
Sjövold, of Specops, says, “Microsoft’s
renewed commitment to Group Policy will
most likely encourage more ISVs to build
solutions on top of Group Policy.” Peter
Beauregard of Beyond Trust concurs: “We
look at what [Microsoft’s] doing, and it gets
people excited about Group Policy.” According to NetPro’s Kirkpatrick, “Microsoft had a
gaping wound with respect to management
of Group Policy. They’ve put a good bandage
on it. But they’re not going to have a team of
20 developers working on updating Group
Policy Preferences.” He adds, “There’s still lots
of room to innovate.”
Mar-Elia, of SDM Software, also sees
room for growth: “There’s a ton of untapped
potential, stuff that Group Policy could do
better—the engine could be more resilient,
you could have more robust reporting,
and you could add the ability to fail over to
another location.” He adds, “We’ll see XML
start to permeate Group Policy” as a more
unified way of describing configuration.
InstantDoc ID 98087
Brent Kerby, Product Marketing Manager for AMD’s Server/Workstation Division, and Ward Ralston,
Senior Technical Product Manager of Microsoft’s Windows Server Division, discuss energy efficiency
and reducing the industry’s environmental impact.
How do energy-efficient technologies contribute to an
organization’s financial bottom line?
The power bill is the second largest datacenter expense, only trailing the phone bill. Hence, most IT departments are discovering the value of developing an energy strategy. Energy-efficiency technologies can reduce costs, reduce datacenter management demands, and free up resources. With energy prices expected to keep rising, efficient technologies will be even more significant to the IT budget. Environmental sustainability is a fundamental, long-term business strategy for Windows Server.
How does AMD assist customers in reducing their environmental impact and increasing energy savings?
Kerby: Our commitment to energy efficiency spreads throughout the technology ecosystem, and to customers, helping address power concerns at a global level. One way we manage our influence on the global climate is by providing customers with energy efficient technology solutions, because from our perspective, energy-efficiency is just as important as speed and performance in computing innovation. In real terms, AMD is helping reduce business energy costs for server processors by up to 30-50 percent. The technologies and products we design to help customers build more energy efficient products include:
1. The latest generation of AMD Opteron™ processors are geared toward maximizing computing power in the datacenter, while minimizing power consumption. Power-efficient Quad-Core AMD Opteron processor-based systems, utilizing DDR2 memory and Direct Connect Architecture with integrated memory controller, can consume less power at the wall than comparable systems.
2. Dual Dynamic Power Management™ (DDPM) provides independent power supply to the cores and memory controller, allowing them to operate on different voltages, as determined by usage.
3. The innovative Enhanced AMD PowerNow!™ Technology strengthens the per-watt performance capabilities of the AMD Opteron processor. It also increases platform investment protection by reducing the strain on datacenter cooling and ventilation systems.
4. AMD’s CoolCore™ Technology can reduce energy consumption by turning off unused parts of the processor. AMD Virtualization™ (AMD-V™) technology for virtualization enables multiple operating systems and applications to run simultaneously on the same server, resulting in a more efficient use of hardware and a significant reduction in energy used.
Is AMD committed to reducing its environmental impact?
Kerby: AMD is committed to managing the environmental impact of both its products and operations. Specifically, AMD has taken action to purchase renewable energy, maximize energy efficiency, and lower costs and reduce environmental impact through its technology design, manufacturing innovations, and facilities design and operations.
What are AMD’s short-term and long-term goals related to reducing its environmental impact?
Kerby: AMD is focused on three things:
1. outsourcing energy supplies with lower global-warming impact;
2. optimizing existing manufacturing processes, associated facilities, and technology upgrades; and
3. lowering gas emissions with new facilities and new equipment.
Long term, we are committed to continued innovation toward products that boost processor performance and lower power consumption, and continued work with the industry on environmental issues.
AMD has demonstrated its commitment to energy efficiency and environmental stewardship by partnering in voluntary initiatives, including the EPA’s Climate Leaders program, Energy Star® and the Green Power Partnership. In 2006, AMD became one of the founding members of the technology industry coalition, The Green Grid, which is dedicated to promoting energy-efficient computing in the data center.
What features in Windows Server 2008 help consumers manage power consumption?
Windows Server 2008 is Microsoft’s most energy efficient server system to date. There are three main areas where Windows Server 2008 can provide power savings. First, organizations will see the most direct power benefit from Hyper-V’s virtualization capabilities. With consolidation of up to eight underutilized servers onto one physical server, organizations can immediately see significant power savings. Second, Windows Server 2008 has the ability to throttle power to hardware components that consume large amounts of power. The CPU, for example, can account for as much as 45 percent of server power. Windows Server 2008 continually evaluates the CPU load and can reduce the CPU power by as much as 50 percent. Third, the next generation of multi-core CPUs can extract four to eight-times the processing power without increasing CPU power consumption.
Server Core and Hyper-V
by Karen Forster
A candid conversation with Windows Server General Manager Bill Laing
In Windows Server history, each release has been notable
for some key technology. Windows 2000 Server was the
Active Directory (AD) release. Windows Server 2003 was
the security release.
When planning began for Longhorn Server (now Windows Server 2008), Microsoft was preoccupied with Linux. Consequently, the original plans lacked significant innovation: Longhorn Server was an unexciting revision of Windows 2003 with some manageability enhancements. As time passed, the corresponding Longhorn client (now Windows Vista) release continuously slipped, holding back Longhorn Server.
Finally, in 2005, because the original features conceived for Longhorn Server were finished (and to appease Software Assurance customers) Microsoft announced a new cadence of a “minor” release to follow two years after each “major” release such as Windows 2003. The result was Windows Server 2003 R2. R2 was notable for clearing the stage so that the actual Longhorn release could introduce some really interesting technology: Server 2008 debuts a new roles-based management paradigm enabled by componentization of the OS; but the features this release will be notable for are Server Core and native virtualization, Hyper-V (code-named Veridian).
Just as each Server release has been noted for a technology, so has each
release’s development been led by a Microsoft engineer. Windows NT was fathered
by Dave Cutler. Win2K finally shipped thanks to Brian Valentine. Windows 2003
bears the imprint of Dave Thompson. Responsibility for Server 2008 rests on Bill
Laing, general manager of the Windows Server division.
In a recent conversation, Laing discussed Server 2008’s evolution, candidly
commenting about the development of key features, lessons learned, what he
thinks might be hard for some users, and what surprised him.
The Role of Roles
Forster: What were your goals for Server 2008?
Laing: We always have the basic goals of improving reliability, security, scalability, but the notion of role-based deployment was a big change for Windows. We
wanted the server so you could configure it by role, or by workload. The big Aha!
moment was that customers actually say “roles.” We didn’t make that word up; it
came back to us.
Forster: Didn’t Windows 2003 start moving toward
Laing: We had Manage Your Server and Configure Your Server, but it wasn’t a natural tool you left up the whole time. Now we literally don’t include the bits for undeployed roles in the directory. They’re on the disk, but if you don’t install the role, the code for that role is not even there.
Forster: What are the implications of role-based deployment?
Laing: The way I think about it is you’re reducing the
surface area, which helps you with management because
you’re only exposing the things you need for the role. If
you don’t install Media Player, you don’t have to pay any
attention to it—whether it’s managing it, or patching it,
or whatever. I think of how easy it is with Windows 2003
to turn on File Server. Well, now you have to consciously
go through the act of creating a file server role. You’re not
accidentally going to create shares, for example.
Forster: Do roles enhance security?
Laing: I’d love to claim it makes Windows Server more secure. It’s a tough thing to claim. But there are
fewer moving parts. So the surface area has
come down and it should improve security.
Server Core
Forster: The most important innovation is
probably Server Core, the stripped-down
version of the OS with no GUI. How did
Server Core happen?
Laing: Customers told us they wanted it—
and I was pleasantly surprised at how much
we were able to do in a first release. Actually,
the people who had started doing the initial
work came from the Embedded Systems
group. They’d been thinking about Windows
in embedded environments. They’d been
doing a lot of analysis and had done maps of
different layers of the OS.
Forster: Untangling the dependencies within
Windows Server must have been daunting.
How did you deal with that?
Laing: When we initially went into componentization, naively, we thought there
would be maybe 2,000 components in the OS
and we’d just pick and choose the ones we
wanted. The problem is you have to test all
the ways the components can be combined,
so you really have to choose fairly big building blocks. It was clear to me that we could
only manage a few layers initially.
Forster: What were the challenges of applying the Embedded Systems team’s work to
Windows Server?
Laing: If you build an embedded OS, it’s
deployed in the context of, say, a Point of
Sales terminal. It’s not some general-purpose
thing like an OS that then gets deployed
in many scenarios. The people building
the terminal can choose their components,
integrate the system, and that’s it. So we
walked this fine line between how many
components do you want and the complexity
problem that occurs because components
can be assembled in different ways. That’s
why we went for Core, plus—as we used
to call it—ROS (Rest of the OS), which was
the next building block. That was the difference between Server Core, and then Server
without the roles, and then each role being
separate, and then ideally each feature.
Forster: Hyper-V was a late addition and actually isn’t a finished part of this release. [As I wrote this article, a beta of Hyper-V had shipped in December and another beta was scheduled to ship with Server 2008, with the final Hyper-V set to release within 180 days.] How did Hyper-V come about?
Laing: Around late 2003, we acquired Connectix (Virtual Server and Virtual PC). At that time, people thought of virtualization as an option rather than a core strategy for the company. The initial model was to add Virtual Server 2005 R2 to provide a virtual hosting model. Then came research groups, such as Xen (we actually contributed research into Xen), and the hypervisor model. And the semiconductor industry was developing enhancements to support virtualization. We said, “That’s a core feature of the OS.” That was the change in our thinking—that virtualization was a core feature of the OS.
Forster: Will Hyper-V drive demand for Server 2008?
Laing: Oh, yeah, I think it will. That’s probably the main new thing—most other things that we’ve done are somewhat evolutionary. That’s a big-ticket item that people will go for. And the fact that we support Windows 2003 and Red Hat and SUSE Linux on Hyper-V makes it interesting.
Lessons Learned
Forster: What lessons will you take from this
Laing: Betas are important, but you don’t get deep insight back from betas. If you do stupid things and you have obvious bugs, you get feedback. But we got most out of deep engagements: TAP [the Technology Adoption Program], the EEC [Enterprise Engineering Center]. In fact, I would increase our investment in those kinds of programs over time because it’s a very rich interaction. [For details about the EEC, see “What You Need to Know About the Microsoft Enterprise Engineering Center,” July 2003, InstantDoc ID 39163.]
Another lesson is that you have to be flexible and have a structure that lets you add or remove things—like it was pretty seamless to add virtualization to the plan. It was technically a lot of hard work, but it impacted the virtualization team, the Server Manager team, and overall project management, but that was about it.
Forster: What will be hard for users to learn in this
Laing: Server Core has had a lot of positive feedback, but I wonder how many people are really used to having no GUI—just command-line scripting of everything. Certainly a group of hard-core people will love it, and we’ll get better as we get PowerShell on it.
Forster: What surprised you about this
Laing: I was very surprised how popular the RODC [read-only domain controller] is, and that came from people pushing it in directions I didn’t expect. I had a narrow picture of it at the beginning: It was interesting for branches, basically. But people have been pushing it into the front-end Web server so they can push policy out of it. It surprised me how popular that was because it’s a complicated thing to do and a lot of people are deploying that.
Windows 2000 was notable for AD. But industry old-timers also remember it as the long-delayed, not-Windows-NT-5.0 release. Thanks to Vista, the Longhorn release cycle will be recalled as suffering from delays and do-overs. But Server 2008 benefited from market developments over the past five years as Microsoft dealt with its Linux paranoia and recognized virtualization’s significance. Nobody will remember Windows 2003 R2 (the original vision for Longhorn), but Server 2008 will be noted as the Server Core and virtualization release. Sometimes delay is a good thing.
InstantDoc ID 97953
Bill Laing came to Microsoft in 1999 after an Internet boom–era stint as CTO of AltaVista. Laing had spent the previous 17 years at DEC, where he was responsible for VAX clusters and multiprocessing. He came to Microsoft as the architect of Windows 2000 Datacenter Edition, then managed several projects for Windows Server 2003, including IIS, clustering, and Network Load
Karen Forster (karen@windowsitpro.com) is group editorial and strategy director for Windows IT Pro and SQL Server Magazine and former director of Windows Server User Assistance at Microsoft.
New readonly domain
branch office
by Guido
Windows Server 2008 contains a variety of enhancements to Active Directory (AD)
services. A standout AD feature change is the new read-only domain controller (RODC). As the name indicates, this enhancement adds a read-only mode
for DCs, so you can’t write changes to the AD database, and you can replicate
only one way from other DCs. However, unlike the Windows NT Server 4.0 Backup Domain
Controllers (BDCs), which might come to mind, an RODC can be configured to store only the
passwords of specified users and computers. This limitation reduces
the risks in case an RODC is compromised. The Server 2008 RODC
feature, because it has the potential to reduce attack vectors thus
improving physical security, will have a major impact on how you
deploy and manage DCs in branch offices and the perimeter network
(aka the DMZ).
Before I examine the RODC, I’ll show you other enhanced AD features in Windows 2008. I’ll walk you through the AD functional levels, both the domain functional levels (DFL) and the forest functional levels (FFL). This should give you a good understanding of the requirements for deployment of RODC and other new options, such as Fine-grained password policies (FGPP) and DFS replication for SYSVOL, which I’ll cover here. In addition, I’ll discuss changes made to DNS in Windows 2008 so that the DNS service works smoothly with RODC.
For a quick overview, see Web Table 1 (www.windowsitpro.com, InstantDoc ID 98061) which lists the RODC and other important enhancements to AD.
Windows Server 2008 Editions Supporting RODC
The x86 (32-bit) and x64 editions of Server 2008 feature the RODC mode in all editions (Standard, Enterprise, and Datacenter). However, because the Itanium edition of Server 2008 doesn’t support the AD Domain Services feature, Itanium also doesn’t support RODCs. On all Server 2008 versions, you can deploy RODCs on the Server Core install option. (For details about Server Core, see the Learning Path on page 37.)
InstantDoc ID 98063
Feature | AD Enhancements in Server 2008
AD Functional Levels
The RODC requires at least FFL2 (Windows
2003). What does this mean? Let’s look at
the background of AD functional levels.
AD functional levels were introduced with
Windows Server 2003 to avoid conflicts
between AD features specific to each OS
version. Such conflicts can occur when
multiple OS versions are deployed on DCs
in an AD domain or forest. Functional levels
are especially important when you want to
introduce changes that affect the AD replication mechanism or other domain- or
forest-wide features that downlevel versions of the Windows Server OS don’t
For example, suppose you’re upgrading from a Windows 2000 (Win2K) forest,
which is functional level 0, to a Windows
2003 forest. After all DCs in a domain are
upgraded or replaced with Windows 2003
DCs, you can increase the domain’s functional level (DFL) to DFL2 (Windows 2003).
DFL2 enables features such as DC Rename
and the ability to write the last logon timestamp. After you switch all domains in a
forest to DFL2, you can finally upgrade the entire forest’s functional level (FFL) to FFL2 (Windows 2003). FFL2 introduces features such as transitive forest trusts, domain rename, and linked value replication (LVR). LVR is a major improvement for the replication of large multi-valued attributes such as group membership. With LVR, if you make changes (e.g., adding or removing a member to or from a group) to a long list of values, only those changes are replicated to other DCs, instead of replicating the whole list of values with every change of the list, as Win2K DCs do.
Table 1: New AD Features per Functional Level
Domain or Forest Functional Level | New AD features with Windows Server 2008
Forest functional level (FFL) 2 (Windows 2003) | Read-only DCs
Domain functional level (DFL) 3 (Server 2008) | Fine-grained password policies; support for DFS replication for SYSVOL; domain-based DFS scalability and security; AES 256 support for Kerberos protocol
FFL 3 (Server 2008) | None (other than ensuring that no new legacy DCs or domains are added to forest)
Names for AD Services Change in Windows Server 2008
A minor but important Active Directory (AD) change in Windows Server 2008 is one that will take some getting used to. To better differentiate the versions of AD, Server 2008 introduces new names for important services. Table A shows these name changes.
Table A: New AD Service Names
Old name | New name
AD: Active Directory | AD DS: Active Directory Domain Services
ADAM: Active Directory Application Mode | AD LDS: Active Directory Lightweight Directory Services
InstantDoc ID 98062
Table 2: Password Settings Attribute Values
Password Setting | Attribute Value
Common name |
Password settings precedence |
Reversible encryption |
Password history |
Password complexity |
Minimum length |
Minimum age | 00:00:05:00 (5 minutes – all the time values have to be entered in this dd:hh:mm:ss format)
Maximum age | 30:00:00:00 (30 days)
Lockout threshold |
Lockout observation window | 00:01:00:00 (1 hour)
Lockout duration | 99:00:00:00 (99 days)
Note that many new features in Server
2008 AD don’t have a specific requirement
for a DFL or FFL, but a minimum of DFL2
and FFL2 is desirable. Microsoft made an
effort to ensure implementation of RODCs
in domains hosting Windows 2003 DCs. This
allows companies to deploy RODCs without
first having to upgrade the whole domain or
forest. But expect some Windows 2003 hotfixes along with Server 2008 to help make the
two DC versions work smoothly with each
other in the same domain. (For information
on deploying RODCs in a forest containing
Windows Server 2003 DCs, see the Learning
Path on page 37.)
Four new features are enabled when you
switch to DFL3 (Server 2008). Two of those
affect AD design: the ability to assign different password policies to users in the same
domain and the use of DFS replication for
SYSVOL. No new AD features are enabled
after you switch the forest to FFL3 (Server
2008)—i. e., once all DCs in the forest are running Server 2008. However, switching to FFL3
means that all domains in the forest must run
Server 2008 DCs and that no domains or DCs
with a legacy OS can be added to the forest.
See Table 1 for a summary of new AD features
by functional level.
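To check these preconditions before raising a functional level, here is an added example (not code from the article) that reads the domain and forest functional levels and the operating system of every DC through ADSI, which Windows Server 2008 provides without extra tools. The domain name DC=contoso,DC=com is an assumption.

```powershell
# Added example, not code from the article: report the domain and forest
# functional levels and the OS version of every DC, so you can see whether the
# DFL3 features (fine-grained password policies, DFSR for SYSVOL) can be enabled.
# Uses only ADSI / System.DirectoryServices. The domain DN is an assumption.

# msDS-Behavior-Version stores the functional level as an integer.
$script:LevelNames = @{
    0 = 'Windows 2000'
    1 = 'Windows 2003 interim'
    2 = 'Windows 2003 (DFL2/FFL2)'
    3 = 'Windows Server 2008 (DFL3/FFL3)'
}

function Get-FunctionalLevels {
    param([string]$DomainDn)   # e.g. 'DC=contoso,DC=com' (assumed name)

    $domain = [ADSI]"LDAP://$DomainDn"
    $dfl = [int]$domain.Properties['msDS-Behavior-Version'].Value

    # The forest level lives on the Partitions container of the configuration
    # naming context, whose DN RootDSE publishes.
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $configDn  = [string]$rootDse.Properties['configurationNamingContext'].Value
    $partitions = [ADSI]"LDAP://CN=Partitions,$configDn"
    $ffl = [int]$partitions.Properties['msDS-Behavior-Version'].Value

    New-Object PSObject -Property @{
        DomainFunctionalLevel = $dfl
        DomainLevelName       = $script:LevelNames[$dfl]
        ForestFunctionalLevel = $ffl
        ForestLevelName       = $script:LevelNames[$ffl]
    }
}

function Get-DcOsReport {
    param([string]$DomainDn)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://OU=Domain Controllers,$DomainDn"
    $searcher.Filter = '(objectCategory=computer)'
    $null = $searcher.PropertiesToLoad.AddRange(@('cn', 'operatingSystem', 'operatingSystemVersion'))

    foreach ($result in $searcher.FindAll()) {
        # SearchResult property names are lowercase; Server 2008 reports '6.0 (6001)'.
        $osVersion = [string]$result.Properties['operatingsystemversion'][0]
        $major = [int]($osVersion.Split('.')[0])
        New-Object PSObject -Property @{
            Name      = [string]$result.Properties['cn'][0]
            OS        = [string]$result.Properties['operatingsystem'][0]
            OSVersion = $osVersion
            # Anything below major version 6 is a legacy DC that blocks DFL3.
            IsLegacy  = ($major -lt 6)
        }
    }
}

# Usage (assumed domain name)
$domainDn = 'DC=contoso,DC=com'
Get-FunctionalLevels -DomainDn $domainDn | Format-List
$dcs = @(Get-DcOsReport -DomainDn $domainDn)
$dcs | Format-Table Name, OS, OSVersion, IsLegacy -AutoSize
$legacy = @($dcs | Where-Object { $_.IsLegacy })
if ($legacy.Count -eq 0) {
    Write-Output 'All DCs run Server 2008 or later: the domain can be raised to DFL3.'
} else {
    Write-Output ('Cannot raise to DFL3 yet; legacy DCs: ' + (($legacy | ForEach-Object { $_.Name }) -join ', '))
}
```

Run it on any domain-joined machine as a user who can read the domain and configuration partitions; RODCs appear in the DC list as well, since their computer objects also live in the Domain Controllers OU.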
W e ’ r e i n I T w i t h Yo u
w w w. w i n d o w s i t p r o . c o m
Feature | AD Enhancements in Server 2008
Fine-Grained Password
For OS versions prior to Server 2008, an AD domain can have only one password policy that applies to the user accounts in
the domain. The password policy determines rules for password length, expiration
date, and complexity for every account
in the domain. Because these settings are
defined via a Group Policy Object (GPO—
i.e. the domain’s Default Domain Policy),
many administrators thought they could
apply multiple password policies simply
by adding different GPOs at different organizational unit (OU) levels in the domain.
However, these GPOs applied only to the computer objects located in the respective OUs and would thus affect only local accounts on those computers. Many companies found this situation disappointing and confusing.
Server 2008 changes this limitation by
introducing Fine Grained Password Policies
(FGPP). This feature is available only when
all DCs in a domain are running Server 2008
and the domain has been switched to DFL3
(Server 2008). Although DFL3 still won’t let you apply different password policies to different OUs, DFL3 does let you assign different password policies directly to a user account or to a group. Note that these policies also
allow you to set different lockout rules. So,
for example, you can set sensitive accounts
to lock out after fewer attempts than with
ordinary user accounts. To reduce the overall
management effort, the best practice is to
specify policy at the group level rather than
the user level.
Because users can be members of multiple groups, potentially more than one of
which is assigned a password policy, Server
2008 AD includes a feature to determine
the resulting policy for any user. In case no
policies have been assigned to the user or
any of the user’s group memberships, the
default domain policy applies. This feature
gives companies flexibility in setting password policies. Although most companies
have learned to live with the pre-Server 2008
limitations of a single password policy per
domain, some organizations have deployed
different domains just to allow creation of
different policies. With Server 2008, you can
use FGPP instead. Companies can consolidate domains previously used for different
password policies and eliminate the hardware and operational costs associated with
additional domains. Most companies will
value the ability to enforce tighter policies
for sensitive accounts in a domain, such as
the administrative accounts and those used
by services.
You manage the new password policies
via Password Settings objects (PSO) created in the Password Settings Container
in the system container of an AD domain.
Currently, no native GUI or scripting tools
are available from Microsoft to manage
PSOs. Although ADSI Edit is not the sexiest
GUI to work with for this purpose, this tool,
which is now installed natively on every
DC, works well to allow easy creation and
management of PSO objects. Other UIs and
new PowerShell cmdlets might be made
available by Microsoft in the future, but
already there are various tools available for
free on the Internet to download and manage PSOs. See the Learning Path for more
information on tools.
Using ADSI Edit to Create PSOs
Using ADSI Edit, you can create PSOs in five
1. Ensure that all your DCs in your domain are running Server 2008 and that you’ve switched to Server 2008 domain functional mode (for example, by using the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in).
2. Start Adsiedit.msc and connect to the default naming context (DC=<your domain>), then browse to the following container: CN=Password Settings Container,CN=System,DC=<your domain>
3. Right-click the Password Settings Container object and select New, Object.
4. Use the Create Object wizard to create a new msDS-PasswordSettings object. Create the object with the attribute values shown in Table 2. The resulting new Password Settings Object, My-ServerAdminPSO (along with other settings), requires the specified users to enter a 15-character password that needs to be changed every 30 days. To take effect, the PSO still needs to be applied to user or group objects, which is the next step.
5. Apply the newly created PSO by viewing the properties of the My-ServerAdminPSO object in ADSI Edit and editing the msDS-PSOAppliesTo attribute. Enter users or groups (i.e., those that users must be a member of) to apply the policy to your target users. For example, I created a group called
Learning Path
“Sampling Server Core,” InstantDoc ID 96438
“Understanding Trust Transitivity,” InstantDoc ID 93714
“AD DS: Read-Only Domain Controllers”
“Domain Controllers Running Windows Server 2003 Perform Automatic Site Coverage for Sites with RODCs”
“Identity and Access in Windows Server 2008”
“Manage Windows Server 2008 DNS role”
“RODC Features”
“RODC Frequently Asked Questions”
Tools for managing PSOs:
“ADSIedit Overview”
“View a Resultant PSO for a User or a Global Security Group” (dsget command with effective pso option)
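As an alternative to clicking through ADSI Edit, the following added example (not the author’s code) builds the My-ServerAdminPSO object from Table 2 as an LDIF file and imports it with ldifde, which ships on every DC. It takes the time values in the article’s dd:hh:mm:ss form and converts them to the negative 100-nanosecond intervals that the msDS-* attributes store. The domain DN, the ServerAdmins group DN, and the settings the table does not list (precedence, history, complexity, reversible encryption, lockout threshold) are assumptions.

```powershell
# Added example, not code from the article: create the PSO of Table 2 via an
# LDIF file and ldifde instead of ADSI Edit. Domain DN, group DN and the
# settings not given in the article are assumptions (marked below).

function ConvertTo-PsoInterval {
    # 'dd:hh:mm:ss' -> negative Int64 in 100 ns units, e.g. 30 days -> -25920000000000
    param([string]$DdHhMmSs)
    $parts = $DdHhMmSs.Split(':')
    if ($parts.Count -ne 4) { throw "Expected dd:hh:mm:ss, got '$DdHhMmSs'" }
    $span = New-Object -TypeName TimeSpan -ArgumentList @([int]$parts[0], [int]$parts[1], [int]$parts[2], [int]$parts[3])
    return [int64](0 - $span.Ticks)   # TimeSpan.Ticks is already in 100 ns units
}

function New-PsoLdif {
    param(
        [string]$DomainDn,        # e.g. 'DC=contoso,DC=com' (assumed)
        [string]$Name,            # common name of the PSO
        [string[]]$AppliesToDn,   # group (or user) DNs for msDS-PSOAppliesTo
        [hashtable]$Settings
    )
    $dn = "CN=$Name,CN=Password Settings Container,CN=System,$DomainDn"
    $lines = @(
        "dn: $dn",
        'changetype: add',
        'objectClass: msDS-PasswordSettings',
        "msDS-PasswordSettingsPrecedence: $($Settings.Precedence)",
        "msDS-PasswordReversibleEncryptionEnabled: $($Settings.ReversibleEncryption)",
        "msDS-PasswordHistoryLength: $($Settings.HistoryLength)",
        "msDS-PasswordComplexityEnabled: $($Settings.Complexity)",
        "msDS-MinimumPasswordLength: $($Settings.MinimumLength)",
        "msDS-MinimumPasswordAge: $(ConvertTo-PsoInterval $Settings.MinimumAge)",
        "msDS-MaximumPasswordAge: $(ConvertTo-PsoInterval $Settings.MaximumAge)",
        "msDS-LockoutThreshold: $($Settings.LockoutThreshold)",
        "msDS-LockoutObservationWindow: $(ConvertTo-PsoInterval $Settings.LockoutObservationWindow)",
        "msDS-LockoutDuration: $(ConvertTo-PsoInterval $Settings.LockoutDuration)"
    )
    foreach ($target in $AppliesToDn) { $lines += "msDS-PSOAppliesTo: $target" }
    return (($lines -join "`r`n") + "`r`n")
}

# Values from Table 2 and the text (15 characters, 5 min / 30 days, 1 h / 99 days);
# the remaining settings are constructed for this example.
$settings = @{
    Precedence               = 10        # assumed; lowest value wins when several PSOs apply
    ReversibleEncryption     = 'FALSE'   # assumed
    HistoryLength            = 24        # assumed
    Complexity               = 'TRUE'    # assumed
    MinimumLength            = 15
    MinimumAge               = '00:00:05:00'
    MaximumAge               = '30:00:00:00'
    LockoutThreshold         = 5         # assumed
    LockoutObservationWindow = '00:01:00:00'
    LockoutDuration          = '99:00:00:00'
}

$ldif = New-PsoLdif -DomainDn 'DC=contoso,DC=com' -Name 'My-ServerAdminPSO' `
    -AppliesToDn @('CN=ServerAdmins,OU=Groups,DC=contoso,DC=com') -Settings $settings
$ldifPath = Join-Path $env:TEMP 'My-ServerAdminPSO.ldf'
Set-Content -Path $ldifPath -Value $ldif -Encoding ASCII

# Import on a DC as a domain admin: -i = import, -f = input file.
ldifde -i -f $ldifPath
if ($LASTEXITCODE -ne 0) { throw "ldifde failed with exit code $LASTEXITCODE" }
```

Writing the policy as a file has a side benefit for change control: the .ldf can be reviewed and kept with the rest of the domain’s configuration, and the conversion function makes the sign and unit of the interval attributes explicit, which is where hand-typed values usually go wrong.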
A key enhancement of Windows Server 2003 R2 was a new, efficient file replication service. Surpassing its predecessor in integration with DFS, the new file replication service was called DFS Replication (DFSR). A major new feature was the ability to restrict the replication traffic to just the changes in files between two DFS replicas. So if a file of many hundred megabytes is changed by just a few bytes, DFSR ensures that only the changed bytes are replicated to the various replication partners. Previously, with NT File Replication System (NTFRS), any change in a file (including changes to attributes such as a file’s NTFS permissions) caused the whole file to replicate. Now Server 2008 adds even more scalability enhancements to DFSR, such as an increased number of parallel file replication threads, and the removal of the 5,000 DFS targets limit per AD-integrated DFS root. (Now DFS roots can have an unlimited number of DFS targets.)
Ever since the availability of DFSR in Windows 2003 R2, AD administrators had hoped to leverage this new service for SYSVOL, after upgrading all DCs to Windows 2003 R2. However, this was not possible—SYSVOL had to keep using the inefficient NTFRS engine for replicating their Group Policy changes and the contents of the scripts folder (NETLOGON share). The inefficiency of NTFRS was actually one cause for AD architects to sometimes design multi-domain forests, merely to reduce the NTFRS traffic if a large company had many slow high-latency network links that DCs needed to replicate across.
Server 2008 will finally make DFSR available for replication of SYSVOL between DCs. All DCs in a domain must be running Server 2008, and the domain must be switched to DFL3 (Server 2008). However, in contrast to some other replication-related features, the switch to DFL3 does not automatically change the replication
A fairly cumbersome procedure, which uses the new DfsrMig.exe tool available on every DC, lets you create a new DFS root for the SYSVOL content. This new root uses DFSR while the original SYSVOL still uses NTFRS. As part of the migration process, you copy the original SYSVOL contents to the new SYSVOL folder, called SYSVOL_DFSR by default.
After you switch to DFL3 and migrate to DFSR for SYSVOL, the SYSVOL share will leverage the new SYSVOL_DFSR folder. From then on, the SYSVOL share’s contents will replicate much more efficiently. If you’re planning a new AD forest, inefficient SYSVOL replication will no longer be a reason to design a multi-domain
Figure 2: Password replication policy of an RODC
I don’t have the space here to explain all of the DNS changes in Server 2008. (See the Learning Path on page 37 for information on Server 2008 DNS.) For this overview, you need to know that DNS has been updated to allow read-only zones, which are required to support the DNS service with the RODC role. The new read-only zones are similar to secondary DNS zones, except that the read-only zones are integrated in AD and can only be hosted on an RODC. As you might guess, a read-only DNS zone won’t accept dynamic updates from clients. So a special mechanism for RODCs ensures that clients are directed to the nearest writable DNS server for dynamic DNS registrations and update requests. Within five minutes after telling a client which server to update the DNS information on, the RODC’s DNS service will try to connect to that same DNS server to instantly replicate the DNS changes to its own database.
Another new AD-related DNS feature allows clients to locate DCs in the “next closest site” when they can’t connect to a DC in their own site, avoiding potentially slow connections to other remote DCs during failover. This new capability, a function of the DNS clients on Windows Vista and Server 2008, uses site-topology information and site-link costs stored in AD to determine the next closest site, before querying DNS to provide a DC in the respective site. This feature has been back-ported to Windows XP in the latest service pack. It can be enabled via Group Policy Object (GPO):
• Path: Computer Configuration\Administrative Templates\System\Net Logon\DC Locator\DNS Records
• Enable settings: “Try next closest site”
Figure 1: Windows 2000/2003 branch-office DCs can negatively impact the whole AD forest
What’s the Big Deal with RODC?
A challenge with any Win2K or Windows 2003 AD deployment has always been the placement of DCs in remote sites (such as branch offices) that aren’t necessarily as physically secure as a company’s data center.
Except for special Operations Master (FSMO) roles such as the Schema Master and the PDC emulator, all DCs prior to Server 2008 are basically equal. Administrators of any Win2K or Windows 2003 DC can write changes to the AD database and can replicate these changes to other DCs in their AD domain or forest. Therefore changes performed on a single DC can affect the whole domain or even the whole forest. A malicious user with physical access to a DC, say, in a branch office, can fairly easily make an elevation-of-privilege attack to damage or even destroy a company’s entire AD forest and dependent
As shown in Figure 1, the malicious change on the rightmost branch-office DC replicates out to the central hub DC, which then replicates that change to all other DCs in the enterprise. Furthermore, because all DCs always copy the full AD domain partition, including the passwords of all users and administrators in that domain, a compromised DC would also allow a thief to perform password cracking attacks against the DC’s AD database, enabling additional remote attacks. (See that thief in Figure 1? He just stole a DC.)
The Server 2008 RODC was designed to reduce such risks. You can use an RODC in locations that might not offer the same physical security as a datacenter but require rapid, reliable, and robust authentication services, even if the network link to a remote datacenter is not available. Companies that require such authentication quality in their branch offices no longer have to deploy ordinary writable DCs into these sites. Organizations now have the option to deploy RODCs, which by default don’t replicate passwords locally and never replicate local changes back to any other DC. RODCs have a one-way only replication connection agreement with their writable DC replication partner. Various changes in Server 2008’s underlying replication architecture ensure that this agreement can’t be changed. For example, RODCs aren’t members of the Enterprise Domain Controllers security group, which grants writeable DCs various write permissions to the AD database.
Password Replication Policies (PRP) determine which passwords to replicate to an RODC. Determining how to configure PRPs for your company will be a key challenge for the management of RODCs. PRPs are managed per RODC and provide a list of groups, users, or computer accounts that are either allowed or denied permission to cache their password on an RODC. The PRPs are stored with the computer account object of the respective RODC in AD, as Figure 2 shows.
Figure 3: Using Server 2008 AD to restrict writable DCs to trusted networks
Deploying RODCs is an extremely attractive proposition to increase security in branch office and DMZ deployments. As Figure 3 shows, you would deploy writable DCs in a Server 2008 AD infrastructure only in fully trusted networks (data centers). You can safely deploy RODCs in edge networks. As a result, an AD infrastructure attack like the scenario shown in Figure 1 is now limited to the attacked RODC in the branch office. And because the RODC doesn’t store any administrator user secrets (passwords) by default and will typically be configured to cache only the passwords of the users in the RODC’s site, a stolen RODC doesn’t pose the same risk to a company that a fully writeable DC does.
An RODC can also be a Read-Only Global Catalog (ROGC). Note however, that while ROGCs are supported to be used as GAL servers for Outlook clients, they aren’t supported as GCs for use by Exchange servers. This will have an impact on administrators who want to deploy the RODC in a branch office but also maintain a local Exchange server.
You can compare the features of an RODC with those of a proxy server. If a user is authenticating in a site that has an RODC, the user’s client will locate this RODC like any other DC and attempt to authenticate to the RODC. In fact, clients usually won’t know if they’re talking to a writeable DC or an RODC, because the RODC will retrieve all the data it needs on behalf of the client. When the user authenticates for the first time to this RODC, the RODC will need to talk to a writeable DC (usually across the WAN to a DC in a hub site) and authenticate the user against this writeable DC. If the
RODC is allowed to cache the user’s password hash, as determined by the RODC’s
PRP, the RODC will be able to fully authenticate the user the next time without needing
to contact a writeable DC.
RODCs have other attractive features
that distinguish them from writable DCs:
For example, you can delegate local administrator rights (or other roles) to domain
users or groups to a specific RODC, without
granting the users any special rights in your
AD domain. You do so by using the managedBy attribute of an RODC computer
object or by assigning local roles through
NTDSUTIL. This capability saves you from
requiring a domain admin account for
maintenance tasks on branch-office DCs
that can also be performed by users with
lower privileges. (This includes the task
of promoting new DCs.) This capability is
restricted to RODCs.
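Because the PRP decides which secrets a branch-office RODC may hold, it deserves a periodic review. The following added example (not from the article) reads an RODC’s PRP allow and deny lists and its managedBy delegation from the RODC computer object and flags privileged groups that appear on the allow list. The RODC’s DN and the group names are assumptions; the attribute names are the schema attributes that back the PRP in Windows Server 2008 (msDS-RevealOnDemandGroup for allowed accounts, msDS-NeverRevealGroup for denied ones).

```powershell
# Added example, not code from the article: audit an RODC's Password
# Replication Policy and local-admin delegation. The RODC DN and the list of
# sensitive groups are assumptions.

function Get-RodcPrp {
    param([string]$RodcDn)   # e.g. 'CN=BRANCH-RODC,OU=Domain Controllers,DC=contoso,DC=com' (assumed)

    $rodc  = [ADSI]"LDAP://$RodcDn"
    $allow = @($rodc.Properties['msDS-RevealOnDemandGroup'] | ForEach-Object { [string]$_ })
    $deny  = @($rodc.Properties['msDS-NeverRevealGroup']   | ForEach-Object { [string]$_ })

    New-Object PSObject -Property @{
        Rodc      = [string]$rodc.Properties['cn'].Value
        ManagedBy = [string]$rodc.Properties['managedBy'].Value   # delegated local admin (user or group DN)
        Allowed   = $allow
        Denied    = $deny
    }
}

function Test-RodcPrp {
    param($Prp, [string[]]$SensitiveGroupCns)

    $findings = @()
    foreach ($dn in $Prp.Allowed) {
        $cn = ($dn -split ',')[0]   # leading RDN, e.g. 'CN=Domain Admins'
        if ($SensitiveGroupCns -contains $cn) {
            $findings += "Allow list contains privileged group $dn"
        }
        if ($Prp.Denied -contains $dn) {
            # A deny entry always wins over an allow entry for the same account.
            $findings += "$dn is on both lists; the deny entry takes precedence"
        }
    }
    if ($Prp.Allowed.Count -eq 0) {
        $findings += 'Allow list is empty: no passwords are cached, so every logon needs the WAN link'
    }
    return $findings
}

# Usage (assumed names)
$prp = Get-RodcPrp -RodcDn 'CN=BRANCH-RODC,OU=Domain Controllers,DC=contoso,DC=com'
$prp | Format-List
$sensitive = @('CN=Domain Admins', 'CN=Enterprise Admins', 'CN=Schema Admins', 'CN=Administrators')
Test-RodcPrp -Prp $prp -SensitiveGroupCns $sensitive | ForEach-Object { Write-Warning $_ }
```

Matching on the leading RDN rather than the full DN keeps the check independent of where the groups sit in the directory; if your organization uses dedicated tier-0 groups, add their names to the list.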
More to Learn
Server 2008 debuts several major AD enhancements, which are introduced in this article. RODC is clearly the feature that Microsoft spent most effort on, as you can see by looking at the changes RODC required Microsoft to make to Server 2008’s underlying replication architecture. The Learning Path lists some further resources on Server 2008 AD enhancements and
InstantDoc ID 98061
Author’s note: This article is based on the RC1 release of Server 2008.
Guido Grillenmeier (guido.grillenmeier@hp.com) is a master technologist with Hewlett Packard’s Advanced Technology Group. He is a Microsoft Directory Services MVP and a Microsoft Certified Architect. He is the coauthor of Microsoft Windows Security Fundamentals (Digital Press).

Early Adopter Shares Windows Server 2008 Insights
Windows Server 2008 is off in the distance for many IT pros, but for intrepid early adopters like IT services firm Heartland Technology Solutions, business needs are driving a leading-edge migration. In this month’s IT Pro Hero, we talk with Arlin Sorensen, the firm’s president and CEO, about his company’s experiences testing Server 2008 and the benefits he expects to gain from the upgrade. Check out the interview at InstantDoc ID 98122.
If you plan to deploy business versions of Windows Vista or any version of Windows Server
2008—which you’ll do eventually—you need to understand Volume Activation. A VA
infrastructure is necessary for companies with more than a few hundred Vista or Server
2008 systems. Without this infrastructure, every volume-licensed build of these systems
will eventually fail. In this article I define VA, explain how it works, and offer straightforward
recommendations for deploying it in common situations.
by Sean
Volume Activation Overview
Volume Activation 2.0 (VA2) is a major rework of Microsoft’s original volume licensing technology. In volume licensing, one Volume License Key (VLK) was used to activate an unlimited
number of systems. This method required strong security
to ensure the VLK was never compromised; if a key was
“leaked” and became available on the Internet, Microsoft
had to deactivate the key, and all the systems that used the
key had to be rekeyed. VA2 avoids this problem by requiring every Vista or Server 2008 build that’s configured for
volume licensing to activate with Microsoft, either directly
or by proxy.
In VA2, volume builds of the OS use one of two activation methods: Multiple Activation Key (MAK) or Key Management Service (KMS). A MAK is similar to a VLK, but
it has some important differences. A MAK has a limited
number of activations associated with it, whereas a VLK is
unlimited. Every activation instance that uses a MAK must
verify with Microsoft; no verification is necessary with the
VLK method. KMS is a client/server system that activates
multiple clients without requiring any action from the
Feature | Volume Activation in Server 2008
system’s users. Unlike in a MAK activation, a
system that uses KMS doesn’t have to contact
Microsoft individually. Rather, the KMS hosts
themselves activate the license with Microsoft on the client’s behalf. Microsoft expects
that medium and large organizations that
use VA will use KMS to activate most of their
Before we delve into KMS and MAK
activation in detail, let’s look at the five possible license states for VA clients. (Note that
only the first state requires no action.) The
first and most common state is Licensed, in
which the client is activated and functioning
normally. Next is Initial Grace or Out-Of-Box
Grace; this period occurs after the VA client is
first installed. Out-of-Tolerance Grace occurs
when hardware changes on an activated
system push the system beyond a tolerance
level. Non-Genuine Grace occurs when a system that has the Windows Genuine Advantage (WGA) ActiveX control installed fails
Genuine Activation. All of these license states
have a grace period of 30 days. Finally, Unlicensed occurs when any of the grace periods
expire. In the Unlicensed state, a system runs
in reduced functionality mode (RFM).
Note that the Unlicensed state behavior is
different in Vista SP1. If you’re using a system
that hasn’t been activated and gone through
the 30-day activation grace period, when you
log on to the system on the 31st day, you’ll see
a dialog box on a plain black background.
You’ll have two options: Activate Windows
now, which will bring up all the options to do
so; or activate Windows later, which will take
you directly to the desktop. Your desktop will
appear as before, except you’ll have a plain
black background and a message in the lower
right corner over the system tray telling you
that your copy of Windows isn’t genuine.
Key Management Service
The KMS VA system consists of one or more
KMS hosts (servers) that activate clients
configured to use KMS. These clients locate
a KMS host by one of several methods and
request the host to activate them. The KMS
host uses a special KMS key to activate with
Microsoft, then acts as a proxy to activate its
own clients; the clients don’t need to contact
Microsoft to activate. A host can activate
an unlimited number of clients. As a result,
Microsoft generally provides only one KMS
key for an organization. Microsoft designed
the KMS system to be highly scalable so it
requires a minimum of KMS hosts.
KMS-configured systems must renew
with the KMS host on a regular basis, otherwise they’ll eventually fall into the Unlicensed
state and essentially be unusable until they
reactivate with a KMS host. The reason such
a critical piece of Microsoft infrastructure
requires so few servers is that the Software
Licensing Service has very loose requirements compared with other services. When
a KMS client is first built (either a Vista client
or a Server 2008 server), it has 30 days to
activate. This initial grace period can be reset
three times. During this period, the client tries
every two hours to activate. After the client
successfully activates, it attempts to contact
a KMS host once every seven days by default
to renew its activation another six months.
Each client has a six-month countdown
timer that resets whenever the client renews
with a KMS host; if the client can’t renew for
some reason, the timer keeps counting down,
attempting again every week, until the client
either renews or falls into the Unlicensed
state. So a client attempts to reach a KMS host
approximately 25 times. Also, the 15-second
Time to Live (TTL) value of each KMS request
is extremely long by other services’ standards
and the data exchange is quite small, so the
network proximity of the KMS host to the
clients isn’t especially important.
KMS Installation
KMS can be installed on Server 2008, Windows Vista, or Windows Server 2003 SP1. It’s
available on both x86 and x64 architectures
for all platforms. No extra software is necessary for Server 2008 or Vista, but to run
KMS on Windows 2003, go to the Microsoft
downloads Web site (www.microsoft.com/
downloads), search for “KMS on W2K3 SP1,”
then download and install either KMSW2K3_EN-US_x86.zip or KMSW2K3_EN-US_x64.zip. Both the KMS host and KMS client are
part of Microsoft’s Software Licensing Service
(slsvc.exe)—but KMS on a Windows 2003
server is referred to as the Software Protection
Platform service.
Although KMS is available on Vista, I don’t
recommend this configuration. Instead, I
suggest that you use a KMS host on a server
OS. Such a critical infrastructure service
should be installed on an existing server or
added as a regular production server.
The main utility to control a KMS host is
a straightforward script, slmgr.vbs, which is
located in the \system32 folder of volume
license versions of Server 2008 and Vista. The
most common switches you’ll use are
• -ipk—Install product key
• -ato—Activate
• -dli—Display license information
• -xpr—Expiration date for current license
• -skms—Direct connection (vs. autodiscovery)
The first step in installing a KMS host is
to install a volume license version of the OS.
A volume license OS version won’t prompt
you to provide a license key when you build
it. When the installation is complete, use the
following command to install the KMS key
provided by Microsoft:
SLMGR.VBS -ipk <KMS key>
Note that the KMS key isn’t a MAK. Don’t
give this key out indiscriminately; it’s good
for only six activations, intended for six KMS
instances or rebuilds, for your entire company. Each of these instances can be reactivated as many as nine times. After you
install the KMS key, you must activate it with
Microsoft. This action authorizes, by proxy,
all the activations the KMS host will perform.
The most common way to activate the KMS
host is by directly contacting Microsoft via the
Internet. This method is called online activation, and is executed simply by entering
If your KMS host doesn’t have Internet
access, you can call Microsoft and follow a
mostly automated activation process. To find
the Microsoft number to call, enter
and follow the on-screen instructions.
KMS Location and
After your KMS host is up and running, your
clients must be able to find it. You can forcibly
point the clients to the host (called a direct
connection), or you can let clients find the
host themselves (called auto-discovery). To
set up direct connection on a KMS client,
simply run
on the client. KMS_FQDN is the Fully Qualified Domain Name (FQDN) of the KMS host
(or you can enter its IP address). You can also
specify what port the client should connect
to, if it’s other than the default of 1388.
Auto-discovery is a more complicated
matter. For auto-discovery, KMS uses the DNS
SRV record to publish its service into a DNS
zone. Following the _service._protocol format
of the SRV record, a record for KMS would
look like _vlmcs._tcp.mycompany.com.
When it performs auto-discovery, the
KMS client queries DNS for a list of servers
that have published the _VLMCS record for
the zone it’s a member of. DNS returns the
list of KMS hosts in random order, and the
client picks one and attempts to establish
a session with it. If this attempt works, the
client caches the server and attempts to use
it for the next renewal attempt. If the session
setup fails, the client picks another server at
random. The KMS locator process works a
little like the domain controller (DC) locator
process (which also looks for an SRV record),
but it’s simpler. For example, the client can’t
look up KMS hosts by site because doing so
isn’t necessary for the simpler requirements
of the KMS service. Nor does KMS use weight
and priority, which are options available in
the SRV record to sort the result list.
A KMS host configured for auto-discovery
doesn’t automatically publish SRV records
to DNS in any zone other than the one
in which it resides. This means you must
manually publish SRV records into all other
DNS zones—for example, the other child
domains in a domain tree. To do so, you
must enter each zone KMS should publish
WARE\Microsoft\Windows NT\CurrentVersion\SL\DnsDomainPublishList subkey’s
REG_MULTI_SZ value. Use a separate line to
enter each zone in which you want KMS to
publish itself. Remember that the KMS host
itself must have rights in the target zone to
create these records, and that the zone must
be able to resolve the host name in the SRV
record. If you have many domains—especially domains that don’t trust the domain
your KMS host resides in—this configuration
can become one more manual list that must
be kept in sync with your active domain list.
KMS auto-discovery is integrated with
DNS, not Active Directory (AD); it works just
as well with non-Windows DNS as it does
with AD-integrated DNS. Any DNS server
that supports SRV records (per RFC 2782)
and dynamic updates (per RFC 2136) will
support KMS client auto-discovery and KMS
SRV record publishing. BIND 8.x and 9.x support both SRV records and DDNS.
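Keeping that manual zone list honest is easier with a script. Here is an added example (not from the article) that writes the DnsDomainPublishList value on the KMS host and then checks that each listed zone actually answers for the _vlmcs._tcp SRV record. The zone names are assumptions; the SRV lookup uses Resolve-DnsName, which needs the DnsClient module (Windows 8 or Server 2012 and later), so run that part from a newer administration workstation if the KMS host itself is Server 2008.

```powershell
# Added example, not code from the article: maintain the KMS publish list and
# verify the resulting SRV records. Zone names are assumptions.

$slKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SL'

function Set-KmsPublishZones {
    param([string[]]$Zones)
    # REG_MULTI_SZ: one zone per line, as the article describes. Run on the KMS host.
    Set-ItemProperty -Path $slKey -Name 'DnsDomainPublishList' -Value $Zones -Type MultiString
    # The Software Licensing service (slsvc on Vista / Server 2008, the article's
    # slsvc.exe) re-reads the list after a restart.
    Restart-Service -Name slsvc
}

function Get-KmsPublishZones {
    [string[]](Get-ItemProperty -Path $slKey -Name 'DnsDomainPublishList').DnsDomainPublishList
}

function Test-KmsSrvRecords {
    param([string[]]$Zones)
    foreach ($zone in $Zones) {
        $name = "_vlmcs._tcp.$zone"
        # Keep only the SRV answers; the resolver may append A records for the targets.
        $records = @(Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq 'SRV' })
        New-Object PSObject -Property @{
            Zone      = $zone
            SrvRecord = $name
            Published = ($records.Count -gt 0)
            Hosts     = @($records | ForEach-Object { "$($_.NameTarget):$($_.Port)" })
        }
    }
}

# Usage (assumed zones)
Set-KmsPublishZones -Zones @('corp.contoso.com', 'emea.corp.contoso.com')
Test-KmsSrvRecords -Zones (Get-KmsPublishZones) |
    Format-Table Zone, Published, @{ n = 'Hosts'; e = { $_.Hosts -join ', ' } } -AutoSize
```

A zone that shows Published = False after the service restart usually means the KMS host lacks the right to create records in that zone, or that the zone does not accept dynamic updates, which are the two requirements the text above names.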
KMS Odds and Ends
A KMS host itself doesn’t provide much
information about its operation. Instead,
a Microsoft Operations Manager (MOM)
management pack for KMS is available at
the Microsoft downloads Web site (www
.microsoft.com/downloads). The management pack generates alerts for the major conditions that can cause KMS-related activation
problems, such as initialization failures and
DNS SRV record publishing failures. It also
provides a wide range of reports on client
activations through KMS.
Once activated, a KMS host will activate
an unlimited number of clients. However,
the host won’t begin activating clients until
it receives a certain number of activation
requests from physical (i.e., not virtual)
machines. This is called the activation threshold. Vista’s threshold is 25 systems, whereas
Server 2008’s threshold is 5 systems.
Suppose you have an environment with
500 volume-licensed Vista systems and one
KMS host on a shared production network.
As these systems begin appearing on the
network, they will attempt to activate with
the host they’ve found, either through autodiscovery or direct connection. The host will
record each attempt, but not activate the
clients until 25 separate clients have contacted it. The original 25 clients, when not
activated by the KMS host, will simply retry
until the KMS host has reached its activation
threshold, at which point they’ll be activated
normally. These thresholds are exclusive for
each type; if KMS has reached its 25-client
Vista threshold but not its 5-client Server
2008 threshold, it won’t activate Server 2008
servers until that threshold is reached.
A KMS host doesn’t track all its licensed
clients; it records only the last 50 activations
to make sure the service is working correctly.
It also doesn’t pay attention to other KMS
hosts in the network or share activation information between them. No upper limit exists
for how many activations a KMS host can
perform after it reaches its activation threshold; volume licenses aren’t a limited resource
on its network. As many as six KMS hosts can
be activated with one VLK, and each KMS
host can be reactivated as many as nine times
(e.g., if a KMS host must be rebuilt).
Using KMS rather than a MAK solution to
activate clients has several advantages. First,
KMS clients don’t need Internet or telephone
access to activate their systems; they just need
to be able to communicate with a KMS host.
Second, there’s nothing to back up or restore
on a KMS host. You simply rebuild, reinstall
the VLK, activate, and it’s ready to go. Third,
the KMS infrastructure is very lightweight
and scalable; one KMS host with a hot spare
in case of failure can service many tens of
thousands of clients. Ultimately, the deciding
factor for how many KMS hosts you use isn’t a
matter of scalability; it’s your network configuration and your political landscape. If a substantial number of your clients can’t contact a
KMS host because of network segmentation,
you’ll have to land another host. And because
KMS is a critical part of your infrastructure,
strongly independent business groups might
want control over their own KMS host.
Although Server 2008 and Vista require
different VLKs, a KMS host can hold only one
activation key. So how can one key activate
both Server 2008 and Vista systems? Microsoft created key groups, a hierarchy
of licensing keys based on the products you
purchased for volume license. The groups
range from Vista to server groups A through
C, where each server group increases in
complexity (and cost). Vista key groups can
activate only Vista systems. Server group A
can activate Windows Web Server 2008 and
Vista; server group B can activate Server 2008
Standard and Enterprise editions, as well as
Web Server 2008 and Vista. Server group C
can activate everything—Windows Server
2008 Datacenter, Windows Server 2008 for
Itanium-based Systems, Server 2008 Standard and Enterprise editions, Web Server
2008, and Vista. When you purchase volume
licenses, you’re provided with a key group
that matches the products you purchase.
Installing that key on your KMS host then
activates all the less-expensive products.
Learning Path
“Microsoft Licensing and Activation Tools Might
Ease Your Pain,” InstantDoc ID 95337
“Vista Licensing Changes Alienate Tech Enthusiasts,” InstantDoc ID 93896
Vista Activation
Vista Activation: KMS vs. MAK in large enterprise
Multiple Activation Keys
MAKs don’t require a specific infrastructure.
Your company requests and pays for one
MAK with a certain number of activations.
You can activate the target system with the
MAK in any of several ways—with an unattend file, manually from the Windows interface, or via a script. Every MAK installation
must validate with Microsoft’s activation
servers to complete successfully. Typically
you’d use direct activation, in which the client
itself activates directly with Microsoft, either
via the Web or by phone. The Web activation is simple and works in the same way as
earlier activation methods do (e.g., Windows
XP activation). Activating by phone requires
that you call a phone number and read
aloud or enter an alphanumeric sequence on
your phone, after which an operator reads a
sequence of numbers that you enter into the
corresponding key field.
If your clients don’t have direct access
to the Internet (e.g., in a secured lab), or
they don’t have the administrative rights
necessary for MAK activation, Microsoft
offers a proxy activation method that uses
the Volume Activation Management Tool.
VAMT, which is available from the Microsoft
downloads Web site (www.microsoft.com/downloads), is designed for installation on a
notebook that can move between the closed
network and a network with Internet access.
When on the closed network, VAMT applies
one or more MAKs installed on it to the
Server 2008 and Vista clients it discovers. For
more information about VAMT, see the step-by-step guide that’s bundled with the VAMT
installation files.
If you have to rebuild a system, you can
use the same MAK as before—but its “number of keys used” will increment by one. Similarly, you can’t reuse the same MAK as in the
previous build. For example, if you receive
a system from an OEM with Server 2008 or
Vista already installed, the system has a preinstalled MAK that you paid for as part of the
system cost. If you rebuild the system to your
standard build, you can’t reuse the MAK; you
must use one of your own, essentially throwing away the OEM’s MAK.
Design Principles
Although using KMS and MAKs can seem
complicated and confusing, following a few
design principles helps make sense of it all.
The most important principle to remember
when building a VA2 infrastructure is to keep
it simple. A simple configuration is easier to
create, configure, and maintain. In addition,
you should try to minimize the number
of KMS hosts you use. If technically and
politically possible, have just one set of KMS
hosts for the entire enterprise. Also, try to
maximize the number of clients that use KMS
(and thereby limit the number of clients that
use MAKs). Finally, minimize the number of
VAMT proxy configurations. To follow these
principles, it’s helpful to divide your Windows
systems into the following categories: the
production network, secure networks with
firewall access to the production network,
isolated networks with little or no access to
external networks, and disconnected clients.
Production network. This is your primary
company intranet. Inventory the Windows
environment’s AD forests and domains on
the production network, categorizing them
as follows:
• Primary corporate forest(s)
• Secondary forests that trust one or more of
your primary forests
• Untrusted forests (e.g., development,
• Workgroups
Secure networks. For secure networks
with firewall access to the production network, assume no Internet access. Again, perform the Windows environment inventory; a
secure network probably won’t have as many
categories as a production network.
Isolated networks. For isolated networks
with little or no access to external networks,
categorize the network as having fewer than
25 clients, or more than 25 clients.
Disconnected clients. Disconnected clients have no email access or any applications
that require regular corporate network connections (e.g., a sales team’s demo notebook
I recommend that you use KMS with DNS
auto-discovery for your corporate forest(s)
and secondary trusted forests, because this
configuration is the easiest to implement.
Register KMS into all the other domains in
your forest and trusted forests so that clients
can use DNS to find the service. Assuming the
majority of your clients are in these forests,
this design lets clients immediately activate
via KMS. This configuration also assumes
your company has a centralized IT model
with a limited number of untrusted forests,
which is similar to Microsoft’s environment—
Microsoft has very few if any untrusted forests
on their production networks. If you do have
untrusted forests (e.g., development or test)
on your production network, those administrators must manually register the KMS host’s
A records and SRV records for auto-discovery
to work. The KMS host probably won’t have
rights to update DNS in an untrusted forest.
Although adding records manually is simple,
you must then manually update the records
with the domain and forest configuration.
Workgroup clients on the production
network should use KMS through auto-discovery, but its simplicity is a matter of which
DNS servers the workgroup clients are using.
If they use the DNS service of the KMS host’s
forest, they can easily locate KMS.
For secure networks with some access
to the production network, use a layered
approach. First, configure the firewall to
allow TCP port 1688 so secure network
clients can contact the KMS host. Then, if
you use a name rather than an IP address
(as recommended), the host must be able
to resolve the name through DNS. Whether
you use auto-discovery or direct connection for KMS depends on the network’s
DNS configuration; if the network has its
own DNS, the network administrator must
manually register the KMS host’s A records
and SRV records. Having a consistent DNS
infrastructure throughout your company is
important to avoid inconsistency errors and
duplication of effort. Similarly, KMS port
1688 should never be exposed outside the
company; access to a KMS host is the same
as handing out free VLKs.
Secure networks without external access
present a more difficult configuration. If the
network has fewer than 25 clients, you must
use MAKs and activate the clients via the
VAMT utility. A problem with this approach
is that you must, for example, allow notebook
computers that have been on the external
network onto the secure network. If you have
more than 25 clients, you can use KMS and
activate it over the phone. This approach has
its own shortcomings, though, because handing out the KMS key to anyone other than a
few trusted administrators isn’t a secure practice. A variation on the secure network configuration is a secure network in which systems
are rebuilt constantly (e.g., a client test lab). In
such a situation, you might consider simply
never activating the systems if they’ll exist for
fewer than 90 days, because you can use the
slmgr.vbs script’s rearm option (i.e., SLMGR.VBS /REARM) to reset the product activation
timer a maximum of three times.
If your company uses a standardized
build, a simple solution is to create two
DNS Canonical Name (CNAME) records
with a host name such as kms.yourcompany.com. Have these CNAME records each
refer to a different KMS host, to create a
basic round-robin configuration in which
either of the hosts is randomly chosen.
Configure your client build for direct
connection, with the KMS name as kms.yourcompany.com. All the clients will then
use kms.yourcompany.com all the time. You
can control which KMS hosts this CNAME
represents, and you don’t have to deal with
auto-discovery or with registration of the
SRV record in multiple DNS zones.
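The direct-connection client configuration just described, together with the SRV-record and rearm points made earlier in this section, as an added PowerShell example; it is not part of the article or of Microsoft’s VA2 guidance. It assumes the article’s kms.yourcompany.com CNAME and port 1688, uses the SoftwareLicensingService and SoftwareLicensingProduct WMI classes that slmgr.vbs itself drives, and names the _vlmcs._tcp SRV record that KMS auto-discovery queries (the article only says “SRV record”):

```powershell
# Added example (not from the article or from Microsoft's VA2 guide): put a
# Vista/Server 2008 client on the "direct connection" model, activate it, and
# report what a help desk needs to see.
# Assumptions: kms.yourcompany.com and port 1688 are the article's values;
# SoftwareLicensingService / SoftwareLicensingProduct are the WMI classes
# behind slmgr.vbs. Run in an elevated session on the client.
param(
    [string]$KmsHost   = 'kms.yourcompany.com',
    [int]   $KmsPort   = 1688,
    [string]$DnsDomain = 'yourcompany.com'
)

$svc = Get-WmiObject -Class SoftwareLicensingService

# 1. Direct connection (same effect as: slmgr.vbs /skms kms.yourcompany.com:1688).
#    Once a name is set, the client stops querying DNS for the KMS SRV record.
[void]$svc.SetKeyManagementServiceMachine($KmsHost)
[void]$svc.SetKeyManagementServicePort($KmsPort)

# 2. Activate the Windows product that has a key installed
#    (same effect as: slmgr.vbs /ato).
$product = Get-WmiObject -Class SoftwareLicensingProduct |
    Where-Object { $_.PartialProductKey -and $_.Name -like 'Windows*' } |
    Select-Object -First 1
[void]$product.Activate()
[void]$svc.RefreshLicenseStatus()

# 3. Report. Re-read the product so LicenseStatus reflects the activation.
$product = Get-WmiObject -Class SoftwareLicensingProduct |
    Where-Object { $_.ID -eq $product.ID }
$status = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'Initial grace';
             3 = 'Additional grace'; 4 = 'Non-genuine grace';
             5 = 'Notification'; 6 = 'Extended grace' }
'KMS host in use : {0}:{1}' -f $svc.KeyManagementServiceMachine, $svc.KeyManagementServicePort
'License status  : {0}' -f $status[[int]$product.LicenseStatus]
'Rearms left     : {0} (slmgr.vbs /rearm works at most three times)' -f $svc.RemainingWindowsReArmCount

# 4. Sanity check for sites that stay on auto-discovery: _vlmcs._tcp.<domain>
#    is the SRV name clients look up. If it is missing from an untrusted
#    forest's DNS, clients there will never find the host on their own.
& nslookup.exe -type=SRV "_vlmcs._tcp.$DnsDomain" 2>&1
```

Run it once in the client build with the name baked in; the report at the end is what to compare when a client sits in a grace state. On the KMS host side, the inbound rule for TCP 1688 should admit only the internal and secure-network address ranges, for the reason the article gives: anyone who can reach the host can activate against it.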
Follow the Basics
VA can be confusing and complicated, but
you’ll need to use it if you ever plan to deploy
Server 2008 or Vista. Although VA2 is far more
complex than I can discuss in one article, following my basic design recommendations
will let you implement it with a minimum
of trouble. To become a VA2 expert, go to
Microsoft’s VA2 Product Activation page
vol/default.mspx) and download the VA2
planning guide.
Sean Deuby
(sdeuby@windowsitpro.com) is a contributing editor
for Windows IT Pro and an enterprise solutions strategist with Advaiya. Previously, he was the technical lead
of Intel’s core directory services team. He has been a
directory services MVP for five years.
InstantDoc ID 98153
Best Practices for Managing User Data and Settings, Part 2
Last month, in “Best Practices for Managing User Data and Settings, Part 1” (InstantDoc ID 97841),
I began a discussion about the pieces you need to put in place to effectively manage user data
and settings (UDS). The goal was to create a UDS-management framework—a combination of
technology, people, and processes—to meet specific security, mobility, availability, and resiliency business requirements. In that article, I covered the server-side components of the framework. This month,
I address the client-side components.
The goal this time is to unify UDS management for both Windows Vista and Windows XP users—
something that isn’t possible without some of the tips you’ll find herein, such as registry-based folder
redirection. Specifically, we need to address four types, or classes, of UDS that I call “normal data,” “normal
settings,” “locally accessed data,” and “unwanted data.” Unfortunately, as you’ll see, Windows provides
direct support for managing only the first two types of data, which is why so many organizations struggle
to put all the moving parts in place—some parts are missing!
Redirect User Data Stores
The first class of data I’ll address is “normal data” that can reside in standard Windows data stores such
as the Documents and Desktop folders. You can use redirected folders to manage normal data and meet
your business requirements.
Redirected folders are a well understood, tried-and-true technology in Windows environments. You
can redirect selected shell folders (e.g., Documents, Desktop) to shared folders on the network, and the
result will be completely transparent to users. You implement most folder redirection through Group
Policy, under User Configuration, Windows Settings, Folder Redirection. You should use the Group Policy
Management Editor (GPME) on a Vista client to edit Folder Redirection Group Policy settings so that you
can configure settings that will apply to both Vista and XP.
Although XP supports redirecting only four folders, Vista lets you redirect thirteen folders, as you can see
in Figure 1, page 48. I highly recommend redirecting Documents and Desktop, as well as any of the new folders that Vista can redirect. As I discuss later, you can redirect the AppData folder, but using roaming profiles
is generally a better management choice for AppData. Except in schools and other environments in which
multiple users should have identical Start menus, I’ve never found it useful to redirect the Start menu.
Microsoft documents the steps for configuring folder redirection in its Help files. Rather than repeat
those steps here, let’s focus on bottom-line recommendations and tips. On the folder-redirection policy’s
Target tab, you can set the following recommended policy settings.
By Dan Holme
• Use Basic rather than Advanced folder
redirection. Advanced folder redirection
lets you redirect folders to different locations based on group membership. That
capability might sound great, but there
are other policy settings supporting a UDS
framework that aren’t similarly multivalued. I recommend that if you need to
redirect users to different servers, create
separate GPOs filtered for each group.
• For the Target folder location of each
folder redirection, choose the Redirect to
the following location setting and enter
the path \\namespace\%username%\
foldername, where namespace is the
DFS namespace for UDS, and foldername is the name of the redirected
folder—for example, \\contoso.com\
users\%username%\Documents. (We created the DFS namespace in Part 1.)
On the Settings tab, you should change
almost all the defaults.
• Clear the Grant the user exclusive rights to
Documents check box. If this check box
is selected, only the user has access to his
or her data stores. As I’ll discuss later, you
should configure the root folder above
all user folders with permissions that
reflect your corporate information security policy. Those permissions should be
inherited by individual user folders.
• Clear the Move the contents of Documents
to the new location check box. If this
check box is selected, a user’s data moves
automatically to the target location after
you introduce the policy. The data move
happens at the first logon and might take
a significant amount of time for large folders. You should plan, control, and manage
the migration of user data to the network
folders; don’t let it happen automatically.
• Select the Also apply redirection to Windows 2000, Windows 2000 Server, Windows
XP, and Windows Server 2003 operating
systems check box. Doing so will ensure
that the folder-redirection policies apply to
all Windows clients. This check box is available only for folders that XP can redirect.
Redirect XP Favorites
and Media Folders
Although Vista lets you use folder-redirection
policies to redirect all user data folders, XP
won’t let you use these policies to redirect
folders such as Favorites, My Music, and My
Videos. You can, however, use registry-based
redirection to redirect these XP folders. In
the XP registry, the HKEY_CURRENT_USER\
sion\Explorer\User Shell Folders key contains values for each of these folders. You can
change the data of these values to redirect the
folders to network locations. The resulting
redirection is identical to folder redirection
implemented through Group Policy.
In fact, I’ll make it easy for you. How about
a Group Policy administrative template that
manages registry-based redirection of these
folders? You can download the RegistryRedirection.adm file from www.windowsitpro.com, InstantDoc ID 98004. Load the
file into a GPO that’s scoped to apply to XP
users. I recommend using registry-based
redirection for Favorites, My Music, My
Pictures, and My Videos on XP, even though
you can use folder-redirection policies to
redirect XP’s My Pictures. For Vista clients,
use standard folder-redirection policies.
When you redirect XP media folders,
applications such as Apple iTunes and Windows Media Player (WMP) will automatically
use the redirected folder. But what about users
who are accustomed to opening My Documents and double-clicking a folder to access
media? To accommodate those users, I recommend that after you migrate the contents
of those folders to the network, you delete the
actual subfolders in My Documents. Then,
create shortcuts called My Music, My Pictures,
and My Videos that point to the new locations.
Those shortcuts will provide XP users with the
visual links they use to browse to media. Of
course, you might also choose not to redirect
one or more of these folders based on your
need to manage users’ media files.
With folder-redirection policies managing all user data stores for Vista users, and
a combination of folder-redirection policies
and registry-based redirection for XP users,
you can unify the experience of users who
roam between computers running different
OSs. Regardless of where the user logs on, he
or she will have access to all data stores.
Roaming Profiles Manage
Ntuser.dat and AppData
Now that you’ve redirected all user data stores
and Favorites, you’re left with the two remaining stores of user settings: the user’s registry
hive and the AppData folder—%userprofile%\
Application Data (in XP) and %userprofile%\
AppData\Roaming (in Vista). These stores,
which I refer to as “normal settings,” are best
managed with roaming profiles.
Figure 1: Vista lets you redirect 13
Roaming profiles got a bad rap in the days
of Windows NT 4.0. Even in the 21st century,
many organizations have had less-than-ideal
experiences with roaming profiles, citing the
size and synchronization of profiles as particularly problematic. However, properly implemented roaming profiles work very well.
Profile synchronization is quite efficient.
At logon and logoff, Windows compares the
server copy of the profile with the locally
cached copy and synchronizes only files that
have changed. However, if your Documents
folder has thousands of files, scanning those
files to identify what has changed can take
a long time, creating a perception of slow
logon and logoff processes. Additionally, the
Desktop or Documents folders might have
one or more large files. For example, PST files
can be huge. Each time Microsoft Outlook
touches a PST file, it changes that file’s timestamp so that, at logoff, Windows considers it
a changed file even when the contents of the
PST file haven’t changed. At each logoff, then,
your PST files get copied to the profile on the
server. Therefore, in most environments, it
isn’t appropriate to allow users’ desktops and
Documents folders to roam.
These two examples illustrate the problem of enabling roaming profiles without
careful thought and design. It’s important to
exclude certain folders from roaming. Redirected folders are automatically excluded
from roaming, so once you redirect the
Documents, Desktop, and other folders, the
number of files in your roaming profile—and
particularly the number of large files—will be
significantly reduced.
You can use Group Policy to exclude
additional folders from roaming. The Group
Policy setting you require is Exclude directories in roaming profiles, located under User
Configuration, Administrative Templates,
System, User Profiles. Because this setting
is user-based, you could have different folders roaming based on a user’s role. You can
specify folder names relative to the user
profile, such as AppData\Roaming\Microsoft\Windows\Cookies. Figure 2 shows an
example that excludes the Cookies folder on
both Vista and XP.
A well-designed UDS framework will
use roaming profiles as the mechanism for
managing a user’s registry file—the ntuser.dat file in the root of the profiles. This file
contains a number of critical settings and
customizations that affect a user’s Windows
experience, and it’s absolutely worth managing to achieve your mobility, availability, and
resiliency requirements. The only practical
way to meet the requirements for the registry
file is a roaming profile—even if the only item
in the roaming profile is ntuser.dat.
I also recommend that you allow the
AppData folder—specifically, the \AppData\
Roaming folder in Vista and the \Application Data folder in XP—to roam. It’s possible
to redirect AppData, but in my experience,
many poorly coded applications won’t function correctly if AppData is redirected. Some
applications also have trouble if, on a laptop,
AppData is cached using offline files and
network connectivity causes the computer to
transition between online and offline modes.
I think your goal should be to redirect AppData eventually but not until you have time
to thoroughly test all applications. So, the
practical recommendation is to use roaming
profiles to manage AppData until you can
confidently redirect it.
Vista appends a .V2 extension to the
folder that hosts the user’s roaming profile.
If you configure a user’s profile path as \\
namespace\%username%\profile, the user’s
XP profile will be in the Profile folder, and
the user’s Vista profile will be in the Profile.V2 folder—automatically. Due to significant
differences in registry and AppData structure,
there’s no way to unify those two settings
stores for Vista and XP users. They will be
separate. That’s another good reason for
ensuring that roaming profiles manage only
those two stores—any other stores in the
roaming profile will be duplicated and separate for a user’s XP and Vista profile.
When a user’s roaming profile contains
only the registry file and the AppData folder,
the profile should be very small. On my heavily overloaded laptop, my roaming profile is
only 40MB. Profile synchronization has less
data to scan and copies only changed files,
so the process is fast, efficient, and reliable.
Manage the Location of
Unwanted Data
Most IT organizations aren’t expected to
manage users’ personal music collections.
I’m using music as an example of what I call
“unwanted data”—a class of data that isn’t
subject to your business’s security, mobility, availability, and resiliency requirements.
You might identify other types of data as
unwanted: users’ personal files, pictures,
or email archives from non-business email
accounts. This is one class of data for which
Microsoft doesn’t provide a straightforward
management solution. Vista makes it easier
to manage unwanted data classes if they parallel specific media types: The Vista Pictures,
Music, and Videos folders are already at the
root of the user profile. For other classes of
unwanted data (e.g., personal files), you’ll still
need this workaround.
To ensure that unwanted data isn’t stored
on network servers, you must first move
the data so that it’s not within the scope of
a redirected folder. For example, XP’s My
Music folder is a subfolder of My Documents.
Because My Documents will be redirected,
you must relocate the My Music folder. Create a first-level folder underneath the root of
the user profile—%userprofile%\Music, for
example—and move the data to that folder.
Figure 2: Excluding the Cookies folder
Next, determine how to redirect applications and the user to the new location. In
the case of a media folder such as Music,
you can use registry-based redirection to
redirect applications to the new location.
You can even use the RegistryRedirection.adm Group Policy administrative template
to implement the registry-based redirection.
Just point the My Music folder to your custom
folder (%userprofile%\Music). You must also
ensure that users can find the custom folder
for the unwanted data. Shortcuts placed at
the data folder’s old location do the trick.
Repeat this process for each class of
unwanted data: Create a folder within the
user profile, redirect applications as necessary, and provide users a way to navigate
to the folder. Of course, you can combine
various types of unwanted data within one
user-profile folder. I recommend creating a
Personal Files folder (%userprofile%\Personal
Files) to host unwanted data that isn’t directly
associated with pictures, music, or videos.
After you move all unwanted data out of
redirected folders, the final step to managing
unwanted data is to exclude the unwanted
data folders from roaming profiles. Use the
aforementioned Group Policy setting to
exclude each unwanted data folder.
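An added example, not the article’s RegistryRedirection.adm template, of performing the registry-based redirection that this section and the earlier “Redirect XP Favorites and Media Folders” section describe from an XP logon script: Favorites and the picture and video folders go to the user’s folder in the UDS namespace, and My Music is pointed at the first-level %userprofile%\Music folder so that the unwanted data stays off the servers. It assumes the \\contoso.com\users namespace from Part 1, the User Shell Folders value names XP uses, and that the data has already been migrated as the article recommends:

```powershell
# Added example (not the article's RegistryRedirection.adm): per-user,
# registry-based redirection on an XP client, run as a logon script.
# Assumptions: \\contoso.com\users is the UDS namespace from Part 1; the
# value names are the ones XP keeps under User Shell Folders; the old
# folders' contents have already been moved.
$shellFolders = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$namespace    = '\\contoso.com\users'

function Set-ShellFolder {
    param([string]$ValueName, [string]$Target)
    # REG_EXPAND_SZ, so %USERNAME% / %USERPROFILE% are expanded by Windows at
    # use time, exactly like the default entries in this key.
    Set-ItemProperty -Path $shellFolders -Name $ValueName -Value $Target -Type ExpandString
}

function Add-FolderShortcut {
    param([string]$InFolder, [string]$Name, [string]$Target)
    # The article's "visual link": a shortcut named like the old subfolder.
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut((Join-Path $InFolder "$Name.lnk"))
    $lnk.TargetPath = $Target
    $lnk.Save()
}

# "Normal data" that XP's folder-redirection policy cannot reach: Favorites
# and the media folders go to the user's folder in the UDS namespace.
Set-ShellFolder 'Favorites'   "$namespace\%USERNAME%\Favorites"
Set-ShellFolder 'My Pictures' "$namespace\%USERNAME%\Pictures"
Set-ShellFolder 'My Video'    "$namespace\%USERNAME%\Videos"

# "Unwanted data": music stays on the local disk, in a first-level profile
# folder that no redirected folder contains, so it never reaches a server.
$music = Join-Path $env:USERPROFILE 'Music'
if (-not (Test-Path $music)) { New-Item -Path $music -ItemType Directory | Out-Null }
Set-ShellFolder 'My Music' '%USERPROFILE%\Music'

# Users still open My Documents and expect the old subfolders; leave
# shortcuts there. GetFolderPath returns the (redirected) My Documents.
$myDocs = [Environment]::GetFolderPath('MyDocuments')
Add-FolderShortcut $myDocs 'My Music'    $music
Add-FolderShortcut $myDocs 'My Pictures' "$namespace\$env:USERNAME\Pictures"
Add-FolderShortcut $myDocs 'My Videos'   "$namespace\$env:USERNAME\Videos"

# Audit what Explorer will now use (values are returned unexpanded).
Get-ItemProperty -Path $shellFolders |
    Select-Object Favorites, 'My Pictures', 'My Music', 'My Video' | Format-List
```

Excluding %userprofile%\Music and %userprofile%\Personal Files from the roaming profile is still done through the Exclude directories in roaming profiles policy described earlier; the logon script handles only the per-user shell-folder values and the shortcuts.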
Manage Data That Must
Be Accessed Locally
Sometimes, it’s possible to store data on the
network, but you find that performance over
the network while accessing that data is unacceptable. Consider a company that creates
videos for Web streaming. Editing video files
over the network generally isn’t feasible. Most
video-editing software performs adequately
only when video files are accessed from the
local disk subsystem. Our sample company
needs to manage these video files according to the same requirements I mentioned
earlier, including resiliency, availability, and
perhaps even mobility.
These files need to reside on the network,
but users need to access them from a local
disk. I refer to such data as “locally accessed
data”—another class of data for which Microsoft provides no perfect management solution. There are three approaches you can use
to address locally accessed data. Each has its
pros and cons.
First, you can move such data out of
redirected folders and into folders in the user
profile. Users access files in the user profile
locally. They’ll be synchronized to the network at logoff as part of the roaming-profile
synchronization. However, if locally accessed
data files are large, synchronization can be
extremely time-consuming.
Second, you can keep the data in redirected folders, use offline files to take the data
offline, and leverage a new Group Policy setting available to Vista clients: Network Directories To Sync At Logon/Logoff Time Only.
The policy is located in User Configuration,
Administrative Templates, System, User Profiles—a non-intuitive location for an offline
files setting. You use the network paths to the
locally accessed data to configure the policy—
for example, \\namespace\%username%\
Documents\StreamingVideoProjects. Vista
clients will access files in that location from
the local cache, providing all the performance benefits of local access. Unfortunately, as with roaming profiles, the data will
synchronize at logoff and synchronization
time might be unacceptable.
The third approach is to move the data
out of redirected folders and into the user
profile—but to exclude the folders from roaming. Then, implement another mechanism
that synchronizes or backs up the data in the
folders to appropriate network locations on a
configurable schedule. Our video-streaming
company, for example, could create a folder
for each user (%userprofile%\StreamingVideoProjects) and exclude it from users’
roaming profiles, then use a scheduled task
to back the folder up to the network every few
days. The Windows Administration Resource
Kit has a script that does just that—and the
script works on all current versions of Windows. You can deploy the script as a logon or
startup script or as a scheduled task, and it
uses Robocopy to synchronize the local store
with a network folder at a given frequency—
once a week, for example. In Part 1, I recommended a Backups folder in the physical and
DFS namespace; that folder is specifically
designed to store a network backup of files in
this “locally accessed” class of data.
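A backup script for the third approach, as an added example; it is not the Windows Administration Resource Kit script the article refers to. It assumes the \\contoso.com\users namespace with the Backups folder from Part 1, the StreamingVideoProjects folder name used above, and that Robocopy is available on the client (built in from Vista on, a Resource Kit download on XP):

```powershell
# Added example, not the Resource Kit script the article mentions: copy a
# "locally accessed" store into the user's Backups folder in the DFS
# namespace with Robocopy, and register itself as a weekly scheduled task.
# Assumptions: folder names are the article's; the namespace is
# \\contoso.com\users; robocopy.exe is on the path.
param(
    [string]$Source      = (Join-Path $env:USERPROFILE 'StreamingVideoProjects'),
    [string]$Destination = "\\contoso.com\users\$env:USERNAME\Backups\StreamingVideoProjects",
    [string]$LogFile     = (Join-Path $env:USERPROFILE 'StreamingVideoProjects-backup.log'),
    [switch]$Register
)

if ($Register) {
    # Weekly on Monday at noon, as the logged-on user, running this script
    # without -Register. Adjust /SC and /D to the frequency the business needs.
    $self = $MyInvocation.MyCommand.Path
    schtasks.exe /Create /TN 'UDS local store backup' /SC WEEKLY /D MON /ST 12:00 `
        /TR "powershell.exe -NoProfile -Command `"& '$self'`""
    exit $LASTEXITCODE
}

if (-not (Test-Path $Source)) {
    Write-Error "Local store $Source does not exist; nothing to back up."
    exit 1
}

# /E    subfolders, including empty ones. Deliberately not /MIR: a mirror
#       would propagate an accidental local deletion to the only other copy.
# /XJ   skip junction points (a Vista profile contains compatibility
#       junctions that would otherwise be followed).
# /FFT  2-second timestamp tolerance, so a filer with coarse timestamps does
#       not force a full recopy every run.
# /R:2 /W:5  retry a locked file twice, then move on instead of hanging.
robocopy.exe $Source $Destination /E /XJ /FFT /R:2 /W:5 /NP "/LOG+:$LogFile"
$rc = $LASTEXITCODE

# Robocopy's exit code is a bit mask: 1 = files copied, 2 = extra files in
# the destination, 4 = mismatches; anything 8 or above means a copy failed.
if ($rc -ge 8) {
    Write-Error "Robocopy reported failures (exit code $rc); see $LogFile"
    exit $rc
}
"Backup of $Source to $Destination finished (robocopy exit code $rc)"
exit 0
```

Register it once with -Register so that the task runs as the logged-on user and the copy happens under the user’s own permissions on the Backups folder, inherited from the root as Part 1 set them up. /E rather than /MIR is a deliberate choice: a mirror would delete the network copy of a file the user removed by accident, which defeats the resiliency requirement the folder exists to meet.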
UDS to Go
After you’ve moved UDS to network servers,
keep in mind that laptop users will need
access to data and settings when they’re
disconnected from the network. Roaming
profiles will ensure that a user’s registry file
and AppData folder are available locally. For
all the data in the redirected folders, you can
use offline files to cache the network data
stores for offline access. In fact, Vista and XP
clients will automatically cache redirected
folders. There are many caveats and nuances
that affect the design and implementation of
offline files. I’ll go over the most important.
• Vista and XP support the encryption of the
offline files cache, adding a layer of security to user data on the road. See “Using
EFS with Offline Files” (InstantDoc ID
47624) for more information.
• Consider disabling the automatic caching
of redirected folders on desktop systems.
You probably don’t want the conference
room computer to cache the redirected
folders of every user who logs on to it.
• By default, XP systems will scan all files
in offline folders to determine what has
changed and what needs to be synchronized at logoff. If you have thousands
of files cached, this scanning can take
forever. XP can use a different algorithm
to track files as they’re changed, making
logoff synchronization significantly more
efficient. Use Group Policy to disable the
Synchronize All Offline Files Before Logging Off policy setting, which you’ll find
in Administrative Templates, Network,
Offline Files of both User Configuration
and Computer Configuration. This option
is equivalent to the Synchronize All Files
Before Logging Off option on the Offline
Files tab of the Control Panel Folder
Options applet. This approach works well
when you’re primarily or exclusively using
offline files to make user data (as opposed
to shared data) available offline.
• Consider removing the list of blocked file
types when you’re using Offline Files to
cache user data. Check out the Microsoft
article “Error message: ‘Files of this type
cannot be made available offline’” for
details. (See the Web-exclusive Learning
Path at www.windowsitpro.com, InstantDoc ID 98004.)
• Folders that you’ve redirected with registry-based redirection won’t be made
automatically available offline. You can
“push” these files offline into users’ caches
by using the Administratively Assigned
Offline Files policy setting, which you’ll find
under User Configuration, Administrative
Templates, Network, Offline Files.
• Provide XP users a way to force themselves offline when connected over a
mediocre connection. If an XP user connects to the corporate network over a
VPN, Offline Files might decide that the
connection is “good enough” and attempt
to work from the network copies of cached
files. It might even try to synchronize
over the VPN. Microsoft Product Support
Services (PSS) can provide you with Csccmd (csccmd.exe), a command-line tool
for managing Offline Files. The tool supports a /DISCONNECT switch, which can
force a namespace offline so that users
work from the locally cached copy. Create a batch file on the user’s desktop that
he or she can double-click to stay offline
while connected over the VPN. Here’s an
example of the batch file:
csccmd /DISCONNECT:"\\contoso.com\"
• The functionality and performance of
Vista’s Offline Files is so vastly improved
over that of XP that you should have very
few problems supporting the offline use of
UDS for Vista users.
Tip of the Iceberg
A UDS management framework can be quite
complicated, not only because of the complexity and idiosyncrasies of the involved
technologies but also because you have to creatively address two data scenarios—unwanted
data and locally accessed data—that Windows
technologies don’t adequately support.
Microsoft’s documentation thoroughly
details the steps necessary to implement the
individual technologies with which to manage UDS. Unfortunately, very little documentation exists to help you support the varied
classes of data in your enterprise. This article
should help you overcome and avoid common implementation pitfalls, and if you still
need help, I strongly encourage you to dive
into Chapter 3 of the Windows Administration Resource Kit for comprehensive guidance
toward a UDS management framework.
InstantDoc ID 98004
Dan Holme
(danh@intelliem.com) is director of consulting at
Intelliem, which delivers solutions-focused training and
consulting services supporting enterprise SharePoint,
Office, Windows, and Active Directory implementations.
I’m addicted to digging up quality tools and utilities that are free—it’s a treasure-hunter’s challenge! Sure, anyone can find costly utilities that do a good job of making
a certain task easier. The trick is to find the free ones that perform just as well as their
commercial counterparts. Since last September’s publication
of “8 More Absolutely Cool, Totally Free Utilities” (InstantDoc
ID 96628), I’ve been having a lot of fun unearthing more and
more free utilities for my toolbox, and I’m dying to share them with
you. So, check these out and start downloading! (Check out the Learning Path, page 54, for download details.)
TestDisk
Recently, an external USB drive that I was using for file backups and
storage of non-critical files experienced a hard crash—you know,
the “thunk-thunk-thunk” heads-against-platters noise that makes
any systems administrator’s skin crawl. I knew my chances for a
full recovery were rather slim, so I started looking around for data-recovery utilities.
I came across TestDisk, an open-source application licensed
under the GNU Public License. Available from Christophe Grenier,
TestDisk—completely free for any person or organization to use—
can help you recover damaged partitions, make non-bootable disks
bootable again, and repair damaged boot sectors. The application
runs under DOS, Windows, Linux, the BSD variants, and MacOS, to
name just a few OSs. File-system support includes every common
type (e.g., FAT, NTFS, EXT2/3), as well as a bunch you’ve probably
never heard of. I have no doubt that TestDisk can repair or recover
data from a broad range of malfunctioning
systems. Figure 1 shows its main interface.
Figure 1: TestDisk’s main screen
Unfortunately, however, TestDisk didn’t
solve my problem. The “thunk-thunk-thunk”
sound was a dead giveaway that I was facing
a physical/mechanical disk problem. No
software can fix physical problems, and the
TestDisk documentation makes that clear.
For mechanical problems, you’d need to
enlist the services of a professional data-recovery service that can physically open the
drive and try to read the platters back.
I had hoped I’d get lucky, to no avail. Still,
the experience gained me another valuable
tool for my toolbox—one that I’ll keep around
should disaster strike.
GParted LiveCD
Have you ever painted yourself into a corner
by partitioning a physical disk drive into multiple logical partitions, only to realize months
later that you didn’t anticipate your space
needs correctly? In the past, I’ve paid for
commercial partition-management utilities
such as Norton’s PartitionMagic to get myself
out of such situations. Invariably, however, by
the time I need to use a partition-management utility a second time, I’m using a newer
file system or a new type of disk that my
partition manager doesn’t support. Recently,
for example, I had to move an ext3 partition
around on one of my systems’ hard disks, but
my outdated partition-management utility
didn’t support ext3.
Having paid multiple times for similar feature sets, I was recently happy to find GParted
LiveCD when I needed to resize some partitions on my laptop. GParted LiveCD is a
bootable runtime version of the Gnome Partition Editor (GParted). By booting up a small,
stripped-down instance of Linux, GParted
LiveCD is the only tool you’ll ever need for
managing partitions on your systems—including resizing partitions, moving partitions,
and even mirroring partitions.
GParted LiveCD is available as a downloadable ISO image. After the download, you
can burn it straight to a bootable CD-ROM
(see CDBurnerXP 4 later) and put it in the
machine whose partitions need editing. Of
course, it goes without
saying that you should
always perform a full
system backup before
resizing a partition on a
production system.
Figure 2: JkDefrag at work
JkDefrag
How about my absolute
favorite disk-based utility? JkDefrag is a disk-defragmentation and
-optimization utility for
all modern versions of
Windows. You might ask,
“Why should I care about a disk defragmenter when Windows has one built in?”
Because the Windows defragmenter is a bit
basic, there’s still a great marketplace for
commercial third-party disk-defragmentation utilities, and for that reason, I appreciate
a utility such as JkDefrag.
Developed by Jeroen Kessels, JkDefrag
runs automatically, is very easy to use, and
supports several customization features
through command-line switches. Speaking
of command-line switches, there are also
GUI and screen-saver versions of JkDefrag,
in addition to the command-line version.
JkDefrag can handle typical internal
hard disks, external USB drives, floppy disks,
memory sticks—essentially anything that
Windows interprets as a drive. It uses the
standard defragmentation API provided by
Microsoft, so it’s as safe to use as Windows’
built-in defragmenting utility. However, JkDefrag doesn’t simply aim to defragment your
hard disk; the tool’s available command-line
strategies will also help you optimize that
disk’s performance. Figure 2 shows JkDefrag
at work.
For example, when you launch JkDefrag
for the first time (without any command-line
parameters), it will begin to defragment and
optimize all the mounted writable drives
on your system that it can find. The default
optimization is a fast optimization, which
should increase system performance a bit.
For example, the beginning or center of a
hard disk performs much better than the very
edge of a disk; therefore, as a default strategy,
JkDefrag will attempt to move all files to the
center of the disk. However, it doesn’t do so
arbitrarily! JkDefrag tries to place files closest to the center of the disk based on three
levels of importance: directories (the most
often accessed files on a system) in the front,
regular files in the middle, and SpaceHogs
at the end. JkDefrag uses the SpaceHogs
nomenclature to describe files that tend to
be large but less important. Examples of
SpaceHogs include MP3, WMV, and AVI files,
and any i386 directories you might have lying
around. When I run JkDefrag on my systems,
I also flag AAC and *.m4? files as SpaceHogs
by using the -u command-line option. (I have
a lot of purchased content from iTunes.)
After JkDefrag finishes its first default run,
you should have a neatly organized hard disk,
with your most important data toward the
center of the disk and the least important in
the back. Once you’ve finished your first run,
you can schedule recurring defrags to take
place during off hours through the Control
Panel Scheduled Tasks applet.
After running JkDefrag for several weeks,
I must say that my system seems a bit faster.
Give JkDefrag a spin on your computer. You’ll
be glad you did! See the Learning Path for
information about where to get JkDefrag’s
latest standalone executables (no installation
Figure 3: PageDefrag’s main screen
PageDefrag
While I’m on the topic of defragmentation
and performance, there’s one file in your
computer that’s probably taking up a lot of
space, is critical in terms of system performance, and can’t be defragmented by standard defragmentation utilities. That would
be your pagefile.
The computer I’m using to
write this article, for example,
has a pagefile that consumes
about 1.5GB worth of space.
As Windows swaps certain
programs in and out of main
memory, the page file is the
storage container that receives
the program data. I can’t even
begin to comprehend the complexities of keeping a file such
as this optimized for maximum
performance, but fortunately I
don’t have to. Mark Russinovich
at SysInternals has done it for
As you might know, SysInternals was the home of some
of the best free Windows utilities anywhere on the Internet.
Recently, Mark joined Microsoft, and therefore Microsoft
has inherited all these great
tools. PageDefrag is just one
of the many SysInternals
utilities you can find at the
company’s Web site. Figure
3 shows PageDefrag’s main
When I first ran PageDefrag, the application presented a list of files that it
would defragment (i.e., the
pagefile, the hibernation file,
event logs, and the registry
hives), and I was surprised
to see that my 1.5GB pagefile had more
than 2,000 fragments across my hard disk!
I instructed PageDefrag to defragment my
pagefile during the next Windows bootup
(the only time the pagefile isn’t in use, and
therefore the only time it can be defragmented) and let it start its work. You can have
PageDefrag run once on the next reboot or
every time your system boots.
DriveImageXML
Have you ever had to restore a full desktop
system from a failed hard disk, with only a
recent Windows backup available to you? If
so, you understand the hassle of such a process. First, you have to get a new hard disk,
place it in the PC that needs to be rebuilt, and
install a clean copy of Windows (assuming
you remember where you put that system’s
installation media). That process can take
over an hour for most systems. Then, finally,
you can restore your full backup to the system
and get back up and running. Wouldn’t life
be easier if you had an image of your system
that you could just zap to a new hard disk,
and get back up in less time?
Figure 4: The DriveImageXML interface
Learning Path
Find your free tools:
CamStudio (camstudio.org)
CDBurnerXP (cdburnerxp.se)
Comodo Firewall Pro (www.personalfirewall.
DriveImage XML (www.runtime.org/dixml.htm)
GParted LiveCD (gparted-livecd.tuxfamily.org)
JkDefrag (www.kessels.com/JkDefrag)
PageDefrag (www.microsoft.com/technet/sysinternals/Utilities/PageDefrag.mspx)
TestDisk (www.cgsecurity.org/wiki/TestDisk)
“8 Absolutely Cool, Totally Free Utilities,” InstantDoc ID 50122
“8 More Absolutely Cool, Totally Free Utilities,” InstantDoc ID 96628
“A Bootable Network Security Toolkit,” InstantDoc ID 44409
“6 Network Protocol Analyzers,” InstantDoc ID 42922
Disk-imaging tools such as Norton Ghost
offer a solution to this problem: Instead of
doing a system-level backup, such tools
create an image of the disk itself. Then, if
you experience a failure, you simply need
to write that image to a new disk, and you’re
ready to go—without
the intermediate step of
reinstalling a base copy
of Windows.
Runtime Software
provides a free utility
called DriveImageXML
for this purpose. It stores
the images it creates as
XML-formatted data so
that your images aren’t
locked up in a proprietary vendor’s binary
format. Through the
DriveImageXML interface (which Figure 4
shows), you can also
browse through disk-image files to view or
extract individual files,
if necessary. DriveImageXML works with all
FAT and NTFS partitions and runs on Vista,
Windows 2003, and XP.
Figure 5: CDBurnerXP’s UI
CDBurnerXP
Several years ago, I realized I was getting
buried in original source-media CD-ROMs
and DVDs for all the different versions of
OSs, applications, and peripherals I regularly
work with. Keeping track of all these discs
was becoming tedious, so I started storing
ISO image files of every original media CD I
got, as soon as I received it. By archiving these
CDs in a central location on my network, I
knew they would always be available. If a CD
was ever lost or destroyed, I could still turn
to the ISO file and burn a new disc in a few
minutes, saving me the hassle of contacting
the vendor for a replacement disc.
Figure 6: Comodo Firewall Pro’s UI
CDBurnerXP is
the first tool I used
for this purpose,
and it’s still the tool
I use today. It’s a
full-featured CD-burning program
that includes the
ability to create ISO
files from CDs and
DVDs, and it can
burn CDs, DVDs,
HD DVDs, and
Blu-ray DVDs. In
addition to using
CDBurnerXP as an
ISO-reading and
-burning utility, I
use it as a capable audio disc burner. Figure
5 shows the tool’s UI. CDBurnerXP runs
on Vista, Windows 2003, XP, and Windows
Comodo Firewall Pro
When I ponder the notion of a “free firewall,”
I get a bit skeptical. After all, considering the
speed at which Internet-based threats grow,
how good could a “free” firewall application
be? I’m always happy when my skepticism
is proven wrong, and Comodo Firewall Pro
does just that.
When I first installed Comodo Firewall
Pro, I initially thought I’d just installed a
copy of Zone Alarm (a popular, commercial personal firewall application). After a
reboot to insert the proper network-level
modifications into my system, Comodo
Firewall Pro instantly recognized that
it was communicating on a network it
hadn’t seen before (i.e., my home network) and asked me to provide a name
for it. Then, a few network utilities in my
Startup folder that Comodo Firewall Pro
didn’t know about attempted to connect to the Internet. Comodo Firewall
Pro immediately saw this outbound
communication attempt and displayed
a dialog box identifying the application
that was trying to communicate (and
to where) and asking whether I wanted
to allow or deny the outward communication. After I allowed these trusted
applications the rights to communicate
when necessary, Comodo Firewall Pro
never bothered me about them again.
Within five minutes of using Comodo
Firewall Pro, I was extremely impressed by
its thoroughness—especially considering
the price. Figure 6 shows Comodo Firewall
Pro’s UI.
How and why, you might ask, does
Comodo offer such a worthwhile product for
free? In a forum posting on the company Web
site, the CEO expresses his intention of offering Comodo Firewall Pro for free as a means
to build corporate brand identity and raise
customer awareness. It’s a smart strategy, and
I have a feeling Comodo Firewall Pro will be
around for a long time. Comodo Firewall Pro
runs on Vista and XP, both 32-bit and 64-bit
CamStudio
In “8 More Absolutely Cool, Totally Free
Utilities,” you’ll find a sidebar for a utility called Wink—a good tool for building
screencast recordings. Screencasts are digital recordings of computer-display output,
often overlaid with audio or video. These
types of tools are becoming increasingly
popular as training and demonstration
utilities. After you produce a screencast, an
audience of thousands can watch it immediately. Since mentioning Wink in that
article, I’ve discovered CamStudio, another
strong contender in this space.
CamStudio is a solid utility for recording
screencasts, interleaving audio and video
simultaneously, then producing final content in Web-friendly Flash files for easy,
cross-platform consumption. Having paid
for commercial versions of such applications
in the past, I’m quite impressed with CamStudio and look forward to it being a strong
contender in this space.
Can’t Beat the Price
Commercial versions of all the utilities in
this article would probably cost more than
$500. Save that money and download these
free and open-source counterparts, which
perform just as well. Stay tuned for the fourth
installment of this series, in which I’ll share
more free software gems to make your job
InstantDoc ID 97968
Douglas Toombs
(help@toombs.us) is a contributing editor for Windows IT Pro and the author of Keeping Your Business
Safe from Attack: Monitoring and Managing Your
Network Security (Windows IT Pro eBooks).
One product. Five defenders.
Five anti-virus engines. One choice.
Viruses don’t stand a chance with GFI MailSecurity securing your email
Complete email security with up to five anti-virus engines for Exchange/SMTP/Lotus
No single anti-virus vendor scanner is the BEST and can stop ALL viruses. To obtain maximum security, you need
GFI MailSecurity which uses not one, but up to five virus scanners to check all company email, with limited or no effect
on network and server performance.
GFI MailSecurity is better priced than most single anti-virus engine solutions on the market. With multiple anti-virus
engines you:
• React fastest to the latest virus threats by receiving the quickest virus signature updates
• Take advantage of all their strengths because no single anti-virus scanner is the BEST
• Virtually eliminate the chances of an infection.
Download your FREE trial version from www.gfi.com/mip/
tel: +1 (888) 243-4329 | fax: +1 (919) 379-3402 | email: sales@gfiusa.com | url: www.gfi.com/mip/
PowerShell 101, Lesson 2
by Robert Sheldon
In “PowerShell 101, Lesson 1” (February 2008, InstantDoc
ID 97742), I introduced you to the concept of cmdlets and
how to run basic PowerShell commands. I also showed you
how to use aliases and how to use PowerShell’s Get- cmdlets to get help when creating commands. For example, you
can use the Get-ChildItem cmdlet to retrieve a list of items
in a folder or the Get-Content cmdlet to retrieve the content of a text
file. With cmdlets and their parameters, you can run a wide variety
of commands that display system information or carry out tasks.
However, a cmdlet alone might not always provide the full functionality you require. For this reason, PowerShell lets you create pipelines that link cmdlets together to carry out complex operations and
refine the system information you retrieve. In this lesson, you’ll learn
how to link cmdlets into a pipeline to create PowerShell statements.
You’ll also learn how to format and sort statement output.
Implementing a Pipeline
A PowerShell pipeline is a series of cmdlets that pass objects from
one cmdlet to the next. Each cmdlet generates an object and passes it
down the pipeline, where it is received by the next cmdlet. The receiving cmdlet uses that object as input and generates its own output as
an object. You connect cmdlets into a pipeline by using the pipe (|)
Pipelining in PowerShell is different from pipelining in other command shell environments, such as the Windows command shell. In
traditional environments, a command’s results are returned as a single
result set, which means that the entire result set must be generated
before any information is passed down the pipeline. The first result is
returned at the same time as the last result. In PowerShell, however,
the results are streamed through the pipeline. As soon as a command
returns a result, it passes it down the pipeline, and that result is immediately available to the next command in the pipeline.
Let’s look at an example that will help you understand how a
pipeline works. If you run the cmdlet
Get-Service
you’ll receive a list of the services installed on your system, similar to
the list in Figure 1, page 60. Notice that the cmdlet returns the status,
name, and display name of each service. Suppose you want to retrieve
a list of running services only. You can pipe the output from the Get-Service cmdlet to the Where-Object cmdlet, which filters the output
based on the specified criteria, as shown in the statement
Get-Service |
Where-Object {$_.status -eq 'running'}
As you can see, you use a pipe operator to connect the two cmdlets.
The Get-Service cmdlet generates an object that contains the service-related information. The object is passed down the pipeline to the
Where-Object cmdlet. The Where-Object cmdlet receives the object
and uses the information as input. The Where-Object cmdlet filters
the information based on the Status property value. Notice that the
Figure 1: Retrieving a list of services
Where-Object cmdlet includes an expression enclosed in braces ({ }). If the expression
evaluates to true, the Where-Object passes
that object down the pipeline and filters out
any other object.
In this case, the Where-Object expression
states that the Status property value must be
equal to (specified by the -eq operator) the
string running. Status is one of the properties
available to the object generated by the Get-Service cmdlet. When an object is passed
down the pipeline, you can access its properties, as I’ve done in the Where-Object expression. To access a property in the pipeline in
this manner, you use the $_ built-in variable.
This variable holds the current object within
the pipeline each time the Where-Object
cmdlet loops through the pipeline results.
You can then reference the object’s properties, as in $_.Status. The output now looks
similar to that in Figure 2. (You’ll learn more
about the Where-Object cmdlet, object properties, and operators in later lessons.)
Note that you’d typically enter the statement just given on one line in the PowerShell console window. However, column
widths in the magazine force us to print this
statement on more than one line. Also note
in Figure 2 the >> character sequence at the
beginning of some of the lines in the command. This character sequence constitutes
a multiline prompt. For information about
when you’d want to enter a statement on
multiple lines in the PowerShell console
window and how to properly do so, see the
sidebar “How to Handle Long PowerShell
Statements,” page 62.
Now suppose you want to list only the display name of each running service. You can
pipe the output of the Where-Object cmdlet
to the Select-Object cmdlet:
Get-Service |
where {$_.status -eq 'running'} |
select displayname
In this statement, the Select-Object cmdlet
receives the object from the Where-Object
cmdlet. In this case, the statement uses the
where alias to reference the Where-Object
cmdlet and the select alias to reference the
Select-Object cmdlet. In the select cmdlet,
you specify the name of the property (or
properties) that you want to display. For
this example, I’ve specified the displayname
property. The statement will now output
results similar to those in Figure 3.
Figure 2: Retrieving a list of running services
Figure 3: Retrieving the display names of the running services
The key to using pipelines is to remember
that you’re always working with objects. Each
cmdlet generates an object that the next
cmdlet in the pipeline receives. Even the final
cmdlet generates an object that outputs the
statement results. As you progress through
the lessons, you’ll learn how to use those
objects and their properties to refine your
PowerShell statements.
Formatting Statement Output
By default, PowerShell formats a statement’s output based on
the type of data in that
output. For example, the
following statement returns
data about the PowerShell
Get-Process powershell
In this case, PowerShell
displays the output from
this command in a table,
as shown in Figure 4. If you don’t want the
output in this default format, you can pipe
the statement output to a format cmdlet.
PowerShell supports four cmdlets that format output:
• The Format-Table cmdlet displays data in
a table (Figure 4). This is the default format for most cmdlets, so you often don’t
need to specify it.
• The Format-List cmdlet displays data in
a list.
• The Format-Wide cmdlet displays data in
a wide table that includes only one property value for each item.
• The Format-Custom cmdlet displays
data in a custom format, based on stored
configuration information in a .ps1xml
format file. You can use the Update-FormatData cmdlet to update a format
file. (A discussion of the Update-FormatData cmdlet and format files is beyond
the scope of these lessons. See PowerShell’s “Update-FormatData” Help file for
more information.)
Figure 4: Displaying output in a table format
To change the format of the output from
the preceding statement, you can pipe it to
the Format-List cmdlet:
Get-Process powershell |
Format-List
Now your results will be similar to those in
Figure 5. Notice that the list format displays
only a subset of the information displayed in
the table format. The information displayed
differs between formats. PowerShell determines how to format the results based on
object type. In other words, the format type,
layout, and properties returned are specific
to the type of object. For example, the results
returned by the Get-ChildItem cmdlet when
retrieving file system information will be different from the results returned when retrieving information about the registry because
they’re two different types of objects, even
though the same cmdlet is used. PowerShell
uses a set of complex XML format (.ps1xml)
files to determine how to display the results.
Controlling Statement Output
When you execute a statement, PowerShell
applies the default format to the output and
sends that output to the console window,
unless you override this behavior by using
one of the four format cmdlets I just described.
However, you can also control where to send
that output. PowerShell provides six cmdlets
for controlling output:
• The Out-Host cmdlet sends output
to the PowerShell console. This is the
default output cmdlet, so you don’t
need to specify it.
• The Out-Default cmdlet sends output
to the default formatting cmdlet. In
addition, Out-Default delegates the
outputting process to the Out-Host
cmdlet. You don’t need to specify the
Out-Default cmdlet.
• The Out-File cmdlet sends output to a
specified file.
• The Out-Null cmdlet deletes output
and doesn’t send it to the PowerShell
• The Out-Printer cmdlet sends output
to a printer.
• The Out-String cmdlet converts the
pipeline object to an array of strings.
You can find additional information
about each cmdlet in the PowerShell
Help files.
To control a statement’s output, add
the output cmdlet at the end of your
pipeline. For example, the following
statement formats the PowerShell process information into a list, then sends
that list to the C:\SysInfo\ps.txt file:
Get-Process powershell |
Format-List |
Out-File C:\SysInfo\ps.txt
Figure 5: Displaying output in a list format
Figure 6: Sorting data based on property values
When you send output to a file,
PowerShell saves the content
to the file but doesn’t display
it in the console. You can use
the Out-File cmdlet to send
output to any type of file that
makes sense. For example,
you wouldn’t want to send
text to a .bmp file. Although
this wouldn’t throw an
error, you wouldn’t
be able to view
anything when
you opened the file.
The Out-File cmdlet lets
you choose whether to
append the
output to the
file or replace the existing content with the
output. By default, it replaces any existing
content. To append the output, you need
to add the -append switch to the Out-File
Get-Process powershell |
Format-List |
Out-File C:\SysInfo\ps.txt `
-append
Learning Path
For more information about pipelining:
“Piping and the Pipeline in Windows PowerShell”
For more information about how to format
“What Can I Do With Windows PowerShell? Using the
Format-List Cmdlet”
“What Can I Do With Windows PowerShell? Using the
Format-Wide Cmdlet”
For more information about how to control
where output is sent:
“What Can I Do With Windows PowerShell? Using the
Out-File Cmdlet”
“What Can I Do With Windows PowerShell? Using the
Out-Printer Cmdlet”
“Making PowerShell’s Out-Printer Cmdlet Easier to
Use,” InstantDoc ID 97632
For more information about how to sort
“What Can I Do With Windows PowerShell? Using the
Sort-Object Cmdlet”
If you’re beyond the basics, check out:
“PowerShell One-Liners for Managing the File
System,” InstantDoc ID 96320
“PowerShell Script Lets You Check Patches’ Status,”
InstantDoc ID 97609
“Understanding PowerShell Security,”
InstantDoc ID 94624
s a PowerShell statement grows larger, it’s not always practical to enter it on a single
line in the PowerShell console window. You can enter a long statement on several lines,
but you must take into account how PowerShell treats new lines. When PowerShell
determines that a line is incomplete, it continues to the next line when processing the statement. For example, when the first line in a statement ends with the pipe operator, as in
Get-Service |
where {$_.status -eq ‘running’} |
select displayname
PowerShell knows that the statement continues to the next line. This statement returns
results similar to those shown in Figure 3. Notice the multiline prompt (>>) that precedes
each line after the first line. When PowerShell expects a line to continue to a second line,
it uses a multiline prompt for that line. You then type the next line of code at that prompt.
Once PowerShell enters this multiline mode, it will continue in this mode and always prompt
you with the multiline prompt. When you finish entering the last line, press Enter a second
time to execute the command and return to the normal prompt.
Now suppose you break the statement before the pipe operator:
Get-Service
| where {$_.status -eq 'running'}
| select displayname
PowerShell now interprets the first line as complete and processes it as an entire statement. PowerShell then tries to process the second line, which results in the error message: An empty pipe element is not permitted.
You can remedy this situation by adding a back tick (`) to the end of the lines:
Get-Service `
| where {$_.status -eq 'running'} `
| select displayname
The back tick tells PowerShell that the statement continues to the next line. (The back tick must be the very last character on the line; if a space follows it, the back tick escapes the space instead of the line break and the statement is cut short again.) The statement now returns the same information shown in Figure 3.
PowerShell processes any line that it thinks is a complete statement. In other words, it automatically terminates a statement when it reaches a new line unless it thinks that the statement continues. However, you can also manually terminate a statement by adding a semicolon (;) at the end:
Get-Service |
where {$_.status -eq 'running'} |
select displayname;
This statement returns the same results as those shown in Figure 3.
InstantDoc ID 97958
Sorting Statement Output
In addition to formatting output, you'll often find that you'll want to sort output. To sort output, you use the Sort-Object cmdlet. This cmdlet takes the input objects from the pipeline and sorts them based on the criteria you define. As I mentioned previously, PowerShell streams the results down the pipeline from one command to the next. However, when you sort data, the Sort-Object cmdlet waits until it has all the results (objects) and then sorts them. This effectively stops the streaming process until everything is sorted. For a small result set, this isn't a problem, but it could impact performance when retrieving large amounts of data.
Still, the Sort-Object cmdlet can be a handy tool. For example, suppose you want to retrieve a list of the items in the C:\Windows folder. You can use the Get-ChildItem cmdlet in a statement such as
dir c:\windows |
where {$_.length -gt 500000} |
sort -property length -descending
This statement passes the output objects from the Get-ChildItem cmdlet (referenced by the dir alias) to the Where-Object cmdlet (referenced by the where alias). The Where-Object cmdlet specifies that the Length must be greater than (specified by -gt) 500,000 bytes. The results are then passed down the pipeline. When the Sort-Object cmdlet (referenced by the sort alias) has all the objects, it sorts them based on the defined criteria.
In this case, the Sort-Object cmdlet first specifies that the sorting should be based on the Length property. The -descending switch indicates that the results should be sorted in descending order, as shown in Figure 6, page 61. If you don't specify the -descending switch, the results are sorted in ascending order. In addition, you can specify more than one property (separated by commas) on which to base the sort order. PowerShell sorts the data first by the first property specified, then by the second, and so on.
Moving Forward
As this lesson demonstrates, the PowerShell pipeline is a powerful feature that lets you combine multiple cmdlets to perform a series of successive operations on one or more objects. You can pipe together multiple cmdlets into a statement, format the output from that statement, specify where to place the output, and even sort the outputted information. In the lessons to follow, you'll learn how to enhance your statements even further so you can take full advantage of PowerShell's pipeline capabilities.
InstantDoc ID 97959
Windows IT Pro
MARCH 2008
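The following script is an added example; it is not part of the lesson or the sidebar above. It puts the two points together: a Sort-Object call that sorts on more than one property (with a per-property direction, which the lesson's single -descending switch cannot express) and a pipeline written in the pipe-at-end-of-line and back-tick continuation styles from the sidebar. The second function makes the lesson's streaming remark visible: because Sort-Object holds every object until its input ends, nothing reaches the stage after it until the stage before it has finished. Function names are my own.

```powershell
# Added example, not from the lesson. Function names are my own choices.

# Files larger than $MinBytes under $Path, grouped by extension and, within
# each extension, largest first. A hashtable entry in -Property gives one key
# its own direction instead of applying -Descending to every key.
function Get-LargeFiles {
    param([string]$Path = 'C:\Windows', [int]$MinBytes = 500000)
    Get-ChildItem $Path |
        Where-Object { -not $_.PSIsContainer -and $_.Length -gt $MinBytes } |
        Sort-Object -Property Extension, @{ Expression = 'Length'; Descending = $true } |
        Select-Object Name, Extension, Length
}

# Sort-Object cannot emit anything until it has seen every input object.
# With a trace on both sides of it, all "upstream" lines print before the
# first "downstream" line; remove the Sort-Object stage and they interleave.
# Written with the back-tick continuation style from the sidebar.
function Show-SortBlocksStreaming {
    1..3 `
        | ForEach-Object { Write-Host "upstream   $_"; $_ } `
        | Sort-Object -Descending `
        | ForEach-Object { Write-Host "downstream $_"; $_ }
}

Get-LargeFiles | Format-Table -AutoSize
Show-SortBlocksStreaming
```

Get-LargeFiles is the lesson's dir/where/sort statement with the aliases expanded; the PSIsContainer test keeps folders (which have no meaningful Length) out of the comparison.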
We're in IT with You
Robert Sheldon (contact@rhsheldon.com) is a technical consultant and the author of numerous books, articles, and training material related to Microsoft Windows, various relational database management systems (including SQL Server), and business intelligence design and implementation. He is also the author of the novel Dancing the River Lightly.
www.windowsitpro.com
Feature
Vista and Server 2008 Malware Protection Gems
Use DEP and ASLR to protect yourself against buffer-overrun–based attacks
Attacks based on buffer overruns (aka buffer overflows) have been a problem for a long time and are still considered one of the computer industry's most important security problems. The first buffer-overrun–based attack distributed via the Internet, the Morris worm, did a lot of harm in 1988. The sad thing is that the creator of the Morris worm didn't write the worm to cause harm but rather as an experiment for measuring the size of the Internet. The Morris worm exploited weak passwords and known vulnerabilities in UNIX programs such as sendmail and fingerd. Two more recent well-known attacks that involved exploiting buffer overruns, the Code Red and SQL Slammer worms, exposed many Internet-connected systems to attackers' control. In 2001, the Code Red worm exploited a buffer-overrun vulnerability in Microsoft Internet Information Services (IIS) 5.0 (the IIS version that is bundled with Windows 2000), and in 2003, the SQL Slammer worm used a buffer-overrun vulnerability to compromise machines running Microsoft SQL Server 2000.
You can defend against buffer-overrun–based attacks by using defenses that Microsoft includes in Windows Vista and Windows Server 2008: Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). (At the time of this writing, Microsoft was about to release Vista SP1 and had released Windows Server 2008 RC0.) I'll explain why these defenses are important and how you can configure them and observe their behavior.
Understanding Buffer Overruns
Before going into more detail on the Vista and Server 2008 buffer-overrun defenses, it might be worthwhile to look at how a buffer overrun works and how it can harm your systems and data.
A buffer overrun occurs when a malicious or badly engineered program stores data beyond the boundaries of a fixed-length buffer in computer memory. The result is that the extra "overflowing" data overwrites adjacent memory locations. The data that's overwritten can include other buffers, variables, and program logic (for example, a function's saved return address or a function pointer) and may cause a process to crash or produce incorrect results. An even bigger threat is that the injected data often includes executable code that the program under attack is then lured to execute. This executable code often contains the real payload of a buffer-overrun–based attack. It's used to steal or delete data, create Denial of Service (DoS)–based service outages, trigger privilege elevations, or spread malware to other systems.
Figure 1: Simple buffer overflow example
Figure 1 gives a simple example of a buffer overrun. A program has defined two variables that are stored in adjacent memory locations. The first variable is an eight-byte-long string called X; the second, a two-byte integer called Y. Initially, X contains nothing but zero bytes, and Y contains the number 30. Imagine that a user (whether unintentionally or maliciously) inputs the character string OVERFLOW to this program. The program then attempts to store this character string in X's memory location followed by a 0 value to mark the end of the string. The program logic doesn't check the length of the string and partially overwrites the value of Y. The result is that, although the programmer didn't intend to change the value of Y when variable X receives input, variable Y's original value 30 is now replaced by the number that's part of the character string that was injected into the variable X memory location. Note that the eight characters of OVERFLOW exactly fill X, so it is the terminating 0 byte alone that spills into Y; an input even one character longer would put bytes of the attacker's own choosing into Y.
Developers can prevent buffer overruns by including sufficient boundary checks in their program code and by leveraging compilers or runtime services that perform boundary checks. Boundary checks ensure that input data are of the right length, terminator included. Although boundary checking and enforcement have become best practices for developers, plenty of legacy code doesn't include boundary checks. Also, coding best practices are worthless if some programmers don't follow them.
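The script below is an added example, not code from the article; it models Figure 1 byte for byte so that the "partial overwrite" of Y and the boundary check that prevents it can be compared side by side. PowerShell cannot overrun a real buffer, so the model uses a byte array as the program's memory: X is the 8-byte string at offset 0, Y the 2-byte little-endian integer at offset 8, and a few bytes of padding follow so that an oversized input has somewhere to land. Function names and the 16-byte layout are my own assumptions.

```powershell
# Added example, not from the article: a byte-level model of Figure 1.
# Sixteen bytes of "memory": X is the 8-byte string at offset 0 and Y the
# 2-byte little-endian integer at offset 8, as in the figure; the rest is
# padding. This only reproduces what an unchecked copy in native code does
# to the neighbouring variable. Names and layout are my own choices.
$XOffset = 0; $XSize = 8; $YOffset = 8

function New-Memory {
    $mem = New-Object byte[] 16                                  # X is all zero bytes
    [BitConverter]::GetBytes([int16]30).CopyTo($mem, $YOffset)   # Y = 30
    return $mem
}

function Get-Y([byte[]]$mem) { [BitConverter]::ToInt16($mem, $YOffset) }

# ASCII bytes of the input followed by the 0 terminator.
function Get-CString([string]$text) {
    $bytes = New-Object byte[] ($text.Length + 1)
    [void][Text.Encoding]::ASCII.GetBytes($text, 0, $text.Length, $bytes, 0)
    return $bytes
}

# The bug: copies every byte of the input, terminator included, with no
# regard for X's size.
function Copy-Unchecked([byte[]]$mem, [string]$text) {
    $bytes = Get-CString $text
    for ($i = 0; $i -lt $bytes.Length; $i++) { $mem[$XOffset + $i] = $bytes[$i] }
}

# The fix: never write more than X can hold, and always leave X terminated.
function Copy-Checked([byte[]]$mem, [string]$text) {
    $bytes = Get-CString $text
    $n = [Math]::Min($bytes.Length, $XSize)
    for ($i = 0; $i -lt $n; $i++) { $mem[$XOffset + $i] = $bytes[$i] }
    $mem[$XOffset + $XSize - 1] = 0
}

# Y after each scenario, so the three cases can be compared.
function Show-Overrun {
    $r = @{}
    $m = New-Memory; Copy-Unchecked $m 'OVERFLOW';   $r['unchecked OVERFLOW']   = Get-Y $m
    $m = New-Memory; Copy-Unchecked $m 'OVERFLOWED'; $r['unchecked OVERFLOWED'] = Get-Y $m
    $m = New-Memory; Copy-Checked   $m 'OVERFLOWED'; $r['checked OVERFLOWED']   = Get-Y $m
    return $r
}

Show-Overrun
```

With OVERFLOW the unchecked copy puts only the terminator into Y's low byte, which is the partial overwrite the figure describes; with the two-character-longer OVERFLOWED, Y's two bytes become the ASCII codes of E and D and Y reads whatever little-endian integer those form. The checked copy truncates the input to seven characters plus the terminator, so Y keeps its value of 30.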
These reasons explain why many hardware, application, and OS software vendors, including Microsoft, have developed proactive defenses that attempt to stop buffer-overrun attacks in badly engineered code. Let's look at Microsoft's implementations of DEP and ASLR.
Jan De Clercq is a member of HP's Security Office and focuses on identity management and security in Microsoft products. He is coauthor of Microsoft Windows Security Fundamentals (Digital Press).
Data Execution Prevention
As I mentioned above, buffer-overrun–based attacks often write executable malicious code to another program's memory buffers and then trick the program into executing the malicious payload. You can tackle the execution of maliciously injected code by using DEP. DEP lets Windows mark memory locations that should only contain data as non-executable (NX). When an application attempts to execute code from NX-marked memory locations, Windows' DEP logic blocks the application from doing so.
A negative side effect of the buffer-overrun protection offered by DEP is that the blocked application will typically halt: the attempt to execute from a data page raises an access violation that terminates the process. In other words, even though DEP stops malware from executing its malicious payload, this situation creates a new opportunity for malware to launch DoS attacks.
Microsoft includes DEP support not only in Vista and Server 2008, but also in Windows XP SP2, Windows Server 2003 SP1, and Windows Server 2003 R2. Microsoft's DEP implementation comes in two flavors: hardware-enforced DEP and software-enforced DEP.
Hardware-enforced DEP. Hardware-enforced DEP leverages a processor feature that AMD refers to as the no-execute page-protection (NX) feature and that Intel refers to as the Execute Disable Bit (XD) feature. At the time of writing, AMD supported NX only on its 64-bit processors, and Intel supported XD only on the Itanium and EM64T 64-bit processors and a small number of 32-bit Prescott processors. Microsoft is not the only OS vendor that leverages the NX and XD processor features for stopping buffer overruns: NX- and XD-enabled software is also available in other OSs such as Linux and BSD UNIX (see en.wikipedia.org/wiki/Nx-bit for more information).
Software-enforced DEP. Software-enforced DEP lets Microsoft provide a limited form of DEP on 32-bit processor systems not equipped with an NX- or XD-compatible processor. Despite the name, this software workaround does not make data pages non-executable; without processor support, Windows has no way to stop code from running out of a data buffer. What software-enforced DEP does is validate structured exception handling (SEH): before Windows dispatches an exception to a handler, it checks that the handler address is one the loaded binary registered in its safe-handler table rather than a pointer an overrun has overwritten. That defeats the common technique of gaining control by corrupting an exception handler pointer, but it offers none of the general "don't execute the injected payload" protection that hardware-enforced DEP provides.
Figure 2: DEP configuration
You can easily check whether your system supports hardware- or software-enforced DEP by checking the DEP configuration settings. You can access these settings using the Advanced Settings option in the System Control Panel applet and navigating to the Advanced and Performance Settings options.
At the bottom of the DEP configuration settings screen, there's a reference to the type of DEP your system supports. Figure 2 shows the DEP configuration settings on a Vista system. (I'll explain the other configuration options later in this section.) The bottom line reads, "Your computer's processor supports hardware-based DEP."
If your system supports only software-enforced DEP (meaning that your machine doesn't have an NX- or XD-compatible processor), you'll see "Your computer's processor does not support hardware-based DEP. However, Windows can use DEP software to help prevent some types of …"
An alternative way to check whether your system supports hardware- or software-enforced DEP is by using Windows Management Instrumentation (WMI) commands. The procedure is outlined in the Microsoft article at support…
On XP SP2, Windows 2003 SP1, and later Microsoft OSs, DEP is enabled by default. However, DEP doesn't always protect all programs running on your system. The exact list of programs that are protected by DEP is defined by DEP's protection level. DEP supports two protection levels:
• Level 1—The first level protects only the Windows system code and executables and doesn't offer DEP protection for additional Microsoft or third-party applications that run on your system, unless an application opts in on its own (for example, by being linked with the /NXCompat option discussed later).
• Level 2—The second level protects all executable code that runs on your system; it offers DEP protection for both Windows system code and the Microsoft or third-party applications that run on your system.
By default, XP SP2 and Vista run DEP at protection level 1; Windows 2003 SP1 and Server 2008 run DEP at protection level 2. (On 64-bit Windows, native 64-bit processes always run with DEP regardless of the level; the level and the exemption list described below govern 32-bit processes.)
Administrators can configure the DEP protection levels from the DEP configuration screen, which you can see in Figure 2. In this example (which shows the default DEP configuration settings on a Vista system), DEP is enabled for essential Windows programs and services only—DEP protection level 1. You can use the other radio button, Turn on DEP for all programs and services except those I select, to switch to DEP protection level 2, which is the default setting on Windows 2003 SP1 and Server 2008.
Protection level 2 lets you exempt certain applications from DEP protection. This ability to exempt apps is important because some legacy applications don't run properly when DEP is enabled—for example, at the time of writing, Microsoft Word was still automatically exempted from DEP. Before switching your DEP protection to level 2, you must run an application compatibility test to ensure that all applications run properly when DEP is enabled. To exempt one of your applications from DEP, you can add the application's executable to the excluded list in the DEP configuration screen using the Add… button.
You can easily check whether a given application is protected by DEP by checking the DEP column of the application's process in the Windows Task Manager, which Figure 3, page 66, shows. If you don't see the DEP column on your system, you can add it using the Task Manager's View\Select Columns… option.
Figure 3: Checking DEP status of a process from the Task Manager
Another way to exempt one of your applications from DEP is to create a software fix to distribute to your systems that automatically disables DEP for a given application on those systems. Microsoft refers to such a software fix as a DisableNX shim. To create this software fix, see the Microsoft Application Compatibility Toolkit (ACT), which also includes a tool called Compatibility Administrator that can help (technet…).
Application developers can also enable their applications for DEP support in their application binaries. To do so, they link with the /NXCompat option, which sets a flag in the executable's header that tells Windows to apply DEP to that process even when the system runs at protection level 1.
One important final note is that when DEP is running in protection level 2, your system will run a bit slower because of all the extra DEP checks that are carried out on the processor and system memory level. That's why for test systems that aren't exposed to the Internet, for example, you can consider turning off DEP protection completely. Keep in mind, though, that hardware-enforced DEP is applied by the processor's paging hardware and its cost is negligible in practice, so on any system that runs untrusted input the protection is worth far more than the few cycles it takes. The only way to turn off DEP completely on a given system is to specify the /NoExecute=AlwaysOff switch in the system's boot.ini file.
Note that you can also use the same boot.ini /NoExecute= switch with other values to turn DEP on and to set the DEP protection level. Table 1 shows all the /NoExecute= values.
Table 1: Boot.ini /NoExecute= values and Their Meaning
/NoExecute= value   Meaning
AlwaysOn            DEP always turned on for all services and applications, with no exemptions possible; grays out the DEP configuration screen (see Figure 2) in System Properties
AlwaysOff           Completely turns off DEP
OptIn               Turns DEP on and sets it to protection level 1
OptOut              Turns DEP on and sets it to protection level 2
The boot.ini file is available only on XP and Windows 2003, and you can edit it using Notepad or by going to the Startup and Recovery section in System Properties.
On Vista and Server 2008, boot.ini has been replaced by the Boot Configuration Data (BCD) store. To edit the BCD store, Microsoft provides a command-line utility called bcdedit.exe. When you run bcdedit without switches, it shows your current boot configuration. Figure 4 shows the result of running bcdedit on a Vista system. Note the last line, which holds the nx configuration, OptIn. To change the nx configuration to alwaysoff, you would run the following bcdedit command from an elevated command prompt:
bcdedit /set nx alwaysoff
Figure 4: Running bcdedit on a Vista System
The values specified in Table 1 for the boot.ini /NoExecute= switch are also available for the BCD nx option. In both cases the new value takes effect at the next reboot.
For more information about Microsoft DEP and how to configure it, consult the Microsoft article at support.microsoft.com/…
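The script below is an added example and not part of the article. It covers two passages above in one place: the WMI check for hardware versus software DEP, which it extends by translating the system-wide policy into the Table 1 names and protection levels, and the bcdedit handling of the BCD nx option on Vista and Server 2008, which it wraps so that only the four valid values can be set. Function names are my own; Get-BcdNx and Set-BcdNx call bcdedit and therefore need an elevated prompt, and a changed nx value applies only after a reboot.

```powershell
# Added example, not from the article. Function names are my own choices.

# System-wide DEP policy via WMI (XP SP2 / Server 2003 SP1 and later), mapped
# to the boot.ini /NoExecute= and BCD nx names from Table 1.
function Get-DepPolicy {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    # DataExecutionPrevention_SupportPolicy: 0 = AlwaysOff, 1 = AlwaysOn,
    # 2 = OptIn (protection level 1), 3 = OptOut (protection level 2)
    $names  = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $levels = @{ 0 = 'DEP off';
                 1 = 'all code, no exemptions possible';
                 2 = 'level 1 (Windows code and opted-in applications)';
                 3 = 'level 2 (everything except the exemption list)' }
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy
    $os | Select-Object `
        @{ Name = 'HardwareDep';     Expression = { [bool]$_.DataExecutionPrevention_Available } },
        @{ Name = 'Policy';          Expression = { $names[$policy] } },
        @{ Name = 'ProtectionLevel'; Expression = { $levels[$policy] } },
        @{ Name = 'Covers32BitApps'; Expression = { [bool]$_.DataExecutionPrevention_32BitApplications } },
        @{ Name = 'CoversDrivers';   Expression = { [bool]$_.DataExecutionPrevention_Drivers } }
}

# Vista / Server 2008 only: the nx value of the current boot entry. bcdedit
# needs an elevated prompt, and the braces must be quoted or PowerShell
# parses {current} as a script block.
function Get-BcdNx {
    foreach ($line in (bcdedit /enum '{current}')) {
        if ($line -match '^nx\s+(\S+)') { return $matches[1] }
    }
    return $null    # no explicit nx line: the entry uses the default
}

# Change the nx value; only the four names from Table 1 are accepted.
# The new policy applies after the next reboot.
function Set-BcdNx {
    param([string]$Policy)
    $valid = 'AlwaysOff', 'AlwaysOn', 'OptIn', 'OptOut'
    if ($valid -notcontains $Policy) {
        throw "nx must be one of: $($valid -join ', ')"
    }
    bcdedit /set nx $Policy
}

Get-DepPolicy | Format-List
```

Get-DepPolicy is the check to script across a fleet, since it needs no elevation and no GUI: a HardwareDep of False means the machine has only the SEH validation of software-enforced DEP, and a Policy of OptIn on a server is worth flagging because level 1 leaves every third-party service unprotected unless it opted in.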
Address Space Layout Randomization
Another technique often used by buffer-overrun–based malware is to inject a system memory address that points to the location of an important system DLL into another program's buffer. The malware then tricks the program into calling that particular system file to let the malware leverage the system DLL's services without being detected. Because the code that runs in this case is code the OS already trusts, such a return-into-library attack is not stopped by DEP, which is why DEP needs ASLR as a companion.
This type of buffer-overrun attack is relatively easy to carry out if the OS always loads certain system DLLs at the exact same memory location. On XP, for example, the memory locations of system DLLs are always identical; they vary only slightly depending on the service pack status of the system. The new Vista and Server 2008 ASLR feature makes it harder for malware to leverage a system DLL's services by randomizing the DLL's memory location. Unlike DEP, ASLR isn't available on earlier Windows versions.
Each time a Vista or Server 2008 system reboots, ASLR randomly assigns system code (basically system DLLs and executables) to different memory locations. This means that the system code's entry points (the addresses the malware would use to call on the service of a particular piece of system code) are in unpredictable locations. In Vista and Server 2008, a DLL or executable can be loaded into any of 256 locations. This means that an attacker has a 1/256 chance of getting the address right. As such, ASLR also makes it harder for hackers to write repeatable code such as worms that target identical system resources on many different systems. Note that 256 candidates is thin protection against an attacker who can simply retry, for instance against a service that is restarted after every crash; the value of ASLR is highest where a wrong guess is fatal to the attack.
You can observe the effect of ASLR by using the Sysinternals Process Explorer tool, which you can download at www…processexplorer.mspx. To use the tool, start Process Explorer and ensure that you have selected the Show Lower Pane option in the View menu.
Then select the explorer.exe process in the upper pane and check the base address of ntdll.dll in the Base column in the lower pane. (If you don't see the Base column, you can add it by using the View / Select Columns… menu option; the Base column can be added from the DLL tab.)
Write down the base address, then reboot your system. On an XP system, the base address for ntdll.dll remains identical after a system reboot (XP doesn't support ASLR). On a Vista system, the base address is different after a system reboot (because Vista supports ASLR). The reboot is essential: within one boot session a system DLL is relocated once and then mapped at that same base in every process so that its pages can be shared, so comparing ntdll.dll across two running processes shows no difference even on Vista.
Figure 5: Observing the effect of ASLR with Sysinternals Process Explorer
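The script below is an added example, not code from the article; it repeats the Process Explorer procedure with Get-Process, which exposes each process's module list and base addresses without extra tools, and automates the before-and-after-reboot comparison by saving the first reading to a file. It also demonstrates the caveat above: two processes in the same boot session report the same base for ntdll.dll, so only the reboot test tells XP-style fixed bases from ASLR. Function names and the state-file location under %TEMP% are my own assumptions.

```powershell
# Added example, not from the article: observe ASLR on system DLLs with
# Get-Process instead of Process Explorer. Function names and the state-file
# path are my own choices.
$StateFile = Join-Path $env:TEMP 'ntdll-base.txt'

# Base address of a module inside a process, as a hex string.
function Get-ModuleBase {
    param([System.Diagnostics.Process]$Process, [string]$ModuleName = 'ntdll.dll')
    $m = $Process.Modules | Where-Object { $_.ModuleName -eq $ModuleName }
    if ($m -eq $null) { throw "$ModuleName not found in PID $($Process.Id)" }
    '0x{0:X8}' -f $m.BaseAddress.ToInt64()
}

# Within one boot session ASLR relocates a system DLL once, and every process
# then maps it at that same base (so its pages can be shared). Comparing two
# running processes therefore proves nothing about ASLR; the reboot test does.
# Returns $true when this PowerShell process and explorer.exe agree.
function Test-SameBaseAcrossProcesses {
    $mine  = Get-ModuleBase (Get-Process -Id $PID)
    $other = Get-ModuleBase (Get-Process explorer | Select-Object -First 1)
    $mine -eq $other
}

# First run: record the current base. Next run (after a reboot): compare.
function Test-NtdllRelocated {
    $now = Get-ModuleBase (Get-Process -Id $PID)
    if (-not (Test-Path $StateFile)) {
        Set-Content -Path $StateFile -Value $now
        return "Saved $now; reboot and run again."
    }
    $before = (Get-Content $StateFile).Trim()
    Remove-Item $StateFile
    if ($before -eq $now) { "ntdll.dll still at $before: no ASLR on this system" }
    else                  { "ntdll.dll moved from $before to $now: ASLR is active" }
}

Test-SameBaseAcrossProcesses
Test-NtdllRelocated
```

Run the script from a PowerShell of the same bitness as the processes you inspect: a 32-bit PowerShell cannot read the module list of a 64-bit explorer.exe and Get-ModuleBase will throw. The state file is only a convenience; a value written down on paper, as the article suggests, works just as well.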
Figure 5 shows the Process Explorer interface and the base address for ntdll.dll. Table 2 shows the base addresses I found for the ntdll.dll and user32.dll DLLs when running Process Explorer on an XP SP2 system and on a Vista system.
Table 2: Effect of ASLR on DLL Base Addresses
Columns: Windows XP SP2 base address | Windows XP SP2 base address (after reboot) | Windows Vista base address | Windows Vista base address (after reboot)
Rows: Ntdll.dll, User32.dll (the address values are not reproduced here)
You can leverage ASLR not only for randomizing the memory locations of Windows system files but also for randomizing the memory locations of executables and DLLs of any application that runs on Vista or Server 2008. To do so, application developers must link their code with the /dynamicbase linker option. Microsoft Visual Studio supports this option from Visual Studio 2005 SP1 and later. This matters for every DLL a process loads: a single module that was built without /dynamicbase sits at a fixed address and gives an attacker a stable target inside an otherwise randomized process.
Like DEP, ASLR is not a Microsoft-only invention and implementation. ASLR was implemented long before Vista and Server 2008, on platforms such as Linux and UNIX. Also, certain Host Intrusion Detection System (HIDS) solutions have been supporting ASLR on legacy Windows platforms long before the native Windows support.
A good analysis of the Microsoft ASLR implementation in Vista is offered in the Symantec research paper at www.symantec.com/avcenter/reference/Address_Space_Layout_Randomization.pdf. Unlike with DEP, Microsoft doesn't offer ASLR-specific configuration settings for fine-tuning the use of ASLR.
Important Proactive Defenses
DEP and ASLR each use a slightly different proactive defense approach as a buffer-overrun defense. Where ASLR makes it more difficult for malware to find the right code, DEP makes it more difficult for malware to execute the code once the target code is found. You can leverage both techniques at the same time, and they can also be leveraged in virtual computing environments such as Microsoft Virtual PC or VMware products.
From an application-support point of view, you should remember that you must test your applications for DEP compatibility prior to running them on a DEP-enabled Windows system, because DEP can cause certain applications to misbehave or even halt. It's also important to understand that DEP and ASLR are no panacea for the buffer-overrun problem. ASLR, for example, doesn't make it impossible for malware to find system code, but it makes the process of finding system code much more challenging. In many cases, ASLR and DEP together will effectively stop buffer-overrun–based attacks.
InstantDoc ID 98005
Getting to Know Office 2007
Q: I reinstalled Microsoft Office Outlook 2007 and I no longer see names "autofilling" when I type them in the To field of an email message. What's up?
A: The feature you're asking about is called AutoComplete. It proposes names as you type in the To, Cc, and Bcc fields of email messages, meeting requests, assigned tasks, and share requests, as well as in the email field of contacts.
A common misconception about this feature is that it "pulls" names from your contacts. It should pull names—but it doesn't. Microsoft, are you listening? Hello—Office 14 feature. What it does do is suggest names based on email addresses you have typed before, whether those names are in your address book or not. If you reinstall Outlook, you lose that history (although upgrading preserves it). Here are a couple of pointers about using AutoComplete:
• If a name appears in the AutoComplete list that you don't want to appear, scroll down to it and press Delete. This helps to prevent you from accidentally sending an email message to someone you emailed once before.
• The AutoComplete list is stored in a file named Outlook_profile_name.nk2. So, for example, if my Outlook profile name is Dan, my AutoComplete list is dan.nk2. You can find the list stored in the Outlook folder in the local settings folder of your user profile, which is %userprofile%\AppData\Local\Microsoft\Outlook on Windows Vista and %userprofile%\Local Settings\Application Data\Microsoft\Outlook on Windows XP. You simply copy and paste this file to transfer it between systems. You can rename the file if the profile name has changed (e.g., rename Dan.nk2 as DanHolme.nk2). Logically, this file ought to be in the roaming portion of your user profile, though it's not.
Q: I have a SharePoint site with forms-based authentication. When I try to do <fill in the blank> using an Office application, it doesn't connect correctly. How can I make it work?
A: I'm asked variations of this question frequently, hence <fill in the blank>. It could be that you're trying to open a library in Windows Explorer, connect to a SharePoint site with Microsoft Office SharePoint Designer 2007, export to Microsoft Excel, connect to a list with Microsoft Access, or complete another task. Whatever it is you're trying to do, when you use forms-based authentication, you must select the Sign me in automatically checkbox, and Microsoft Internet Explorer (IE) must remain open. Your Office application (e.g., SharePoint Designer, Access, Excel) will ride on the authentication you've created.
Technically, what happens is that your forms-based authentication creates a persistent cookie, which client applications can use. If you don't select Sign me in automatically, or if
Answers to your questions about Office 2007, by Dan Holme
Got Questions About Microsoft Office? Send them to Dan Holme at danh@intelliem.com. And for more Office tips and insights, visit officesharepointpro.com, a community for IT professionals, developers, and end users interested in Microsoft Office.
Office Tips
persistent cookies aren’t allowed in your
environment, client integration will fail.
Here are two other important tips regarding forms-based authentication:
• The persistent cookie expires. So “sign me in automatically” is a bit of a misnomer—by default, it signs you in for 30 minutes. To change the timeout value, you must change or add a timeout attribute with a timeout value expressed in minutes. You add this to the forms element in the Web.config file for the application. For example, to change the timeout to two hours, type
  <forms loginUrl="login.aspx" timeout="120" />
where "120" is the timeout value of two hours, expressed in minutes. Type the entry on one line in the file.
• You must have client integration enabled for the SharePoint application. In SharePoint Central Administration, open the settings for the application’s authentication provider and select Yes in the Enable client integration section.
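Added here as an example (not from the column, and not Microsoft's or SharePoint's own code): a Python audit of the forms element just described, reporting the effective cookie lifetime plus two neighbouring settings that decide how far that lifetime really reaches. The sample Web.config and the one-hour threshold are constructed for the demo.

```python
"""Audit the forms-authentication settings in an ASP.NET Web.config, the element
the tip above edits. Added example, not from the column; the sample Web.config
text is constructed, and the one-hour threshold is an assumption for the demo."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# ASP.NET defaults that apply when the attribute is absent from <forms>.
DEFAULT_TIMEOUT_MINUTES = 30       # the "30 minutes" the tip mentions
DEFAULT_SLIDING_EXPIRATION = True  # each request renews the cookie lifetime
DEFAULT_REQUIRE_SSL = False        # cookie may be sent over plain HTTP

# Constructed sample: the two-hour setting from the tip.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" timeout="120" />
    </authentication>
  </system.web>
</configuration>
"""


def _as_bool(value: Optional[str], default: bool) -> bool:
    """Parse an ASP.NET boolean attribute, falling back to the framework default."""
    return default if value is None else value.strip().lower() == "true"


def forms_auth_settings(config_xml: str) -> Optional[Dict[str, object]]:
    """Return the effective forms-auth settings, or None if the app does not use Forms."""
    root = ET.fromstring(config_xml)
    auth = root.find("./system.web/authentication")
    if auth is None or (auth.get("mode") or "").lower() != "forms":
        return None
    forms = auth.find("forms")
    attrs = forms.attrib if forms is not None else {}  # <forms> may be omitted entirely
    return {
        "loginUrl": attrs.get("loginUrl"),
        "timeout_minutes": int(attrs.get("timeout", DEFAULT_TIMEOUT_MINUTES)),
        "slidingExpiration": _as_bool(attrs.get("slidingExpiration"),
                                      DEFAULT_SLIDING_EXPIRATION),
        "requireSSL": _as_bool(attrs.get("requireSSL"), DEFAULT_REQUIRE_SSL),
    }


def findings(settings: Dict[str, object], max_minutes: int = 60) -> List[str]:
    """Flag what a reviewer would want to know before raising the timeout."""
    notes = []
    if settings["timeout_minutes"] > max_minutes:
        notes.append(f"timeout {settings['timeout_minutes']} min exceeds {max_minutes} min")
    if settings["slidingExpiration"]:
        notes.append("slidingExpiration on: the timeout is an idle limit, not an absolute one")
    if not settings["requireSSL"]:
        notes.append("requireSSL off: the authentication cookie can be sent over plain HTTP")
    return notes


def audit_file(path: str, max_minutes: int = 60) -> List[str]:
    """Audit one Web.config on disk; the path is whatever the caller supplies."""
    with open(path, encoding="utf-8") as handle:
        settings = forms_auth_settings(handle.read())
    return [] if settings is None else findings(settings, max_minutes)


if __name__ == "__main__":
    sample = forms_auth_settings(SAMPLE_WEB_CONFIG)
    print(sample)
    for note in findings(sample):
        print("-", note)
```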
Q: How can I remove duplicates from an
Excel database?
A: Luckily, Microsoft Office Excel 2007 made
it significantly easier to remove duplicates
from a database. Simply select any cell in
your data table and click the Remove Duplicates button on the Data tab of the Ribbon.
You’ll be prompted to choose the columns
to analyze for duplicates. If two or more rows
contain the exact same data in the selected
column or columns, the duplicate rows will
be deleted, leaving only one row with that
data. Easy, huh?
Keep in mind that Excel can open many
common data file formats, such as .csv and
.txt files, for delimited data. So
if you have duplicate data in
another application that doesn’t
support duplicate purging, you
can export to Excel, remove
duplicates in Excel, then export
back to the original database.
Q: Where are SharePoint documents stored on the server?
What are the options for backing up and
restoring SharePoint documents?
A: All SharePoint content is stored in a Microsoft SQL Server database. There are several
options for backup and restore that enable
SharePoint to support document storage
more effectively than traditional file shares.
Recycle Bin. Users have access to items
(to which they have permissions) in the
Recycle Bin for the site. If they delete something, they can restore it right away. You
configure Recycle Bin settings for the site’s
Web application through Central Administration, where you specify the Recycle Bin’s
size and how long an item will remain in the
site Recycle Bin before being removed.
Second-stage Recycle Bin. Windows
SharePoint Services 3.0 and Microsoft Office
SharePoint Server 2007 have a second-stage
Recycle Bin at the site-collection level. When
an item is removed from a site’s Recycle Bin
based on the time configuration mentioned
previously, the item is placed in the second-stage Recycle Bin. An administrator can
recover items from there by navigating to the
Site Settings for the top-level site in the site
collection and clicking the Recycle Bin link.
The size of this Recycle Bin is configured,
also in the Web application settings, as a
percentage of the size of a site’s Recycle Bin.
If the second-stage Recycle Bin fills, the items
placed in the Recycle Bin first are removed to
make room for new items.
Versioning. SharePoint Server 2007 lets
you view the version history of an item or file.
This is useful when users damage files without actually deleting them, such as erasing a
file’s contents or overwriting a good file with
a bad file of the same name. If your document
library has versioning enabled, you can simply go to the document’s Version History and
recover the “good” version.
Content database. Each Windows SharePoint Services site collection is stored in a
content database, which is the actual SQL
Server database. The content database can be
recovered in the event of corruption by using
transaction logs, or it can be restored using
either SQL Server recovery methods or the
restore functionality within SharePoint Central Administration. Of course, that assumes
you have a good backup plan for your SharePoint databases, which is paramount.
Third-party add-ons. Third-party ISVs
offer item-level recovery solutions, which
enable SharePoint administrators to restore
granular items from backup. Tools include
Quest Software’s Recovery Manager for SharePoint, AvePoint’s DocAve, and IBM’s Tivoli
Storage Manager for Microsoft SharePoint.
Q: When I travel to another time zone and
look at Calendar in Microsoft Outlook Web
Access (OWA) in Exchange Server 2003,
it shifts all my appointments to match the
time zone I traveled to. How can I see my
appointments in my “home” time zone?
A: Good question! In OWA, in Options,
there’s a time zone setting, Current Time
Zone, which Figure 1 shows. Changing it,
though, doesn’t change the time in which
appointments are displayed. In fact, I can’t
see what this setting does change. Instead, as
you experienced, OWA uses the time zone on
the client (the Windows time zone) to display
calendar items.
However, if you use the basic OWA client
(instead of logging on to the premium client)
this setting does work. OWA 2007 in Exchange
Server 2007 seems to have solved the problem, and your calendar entries should reflect
the time zone option that you configured.
InstantDoc ID 96106

Figure 1: The Current Time Zone setting in Outlook Web Access

Dan Holme (danh@intelliem.com) is director of consulting at Intelliem, which delivers solutions-focused training and consulting services supporting enterprise SharePoint, Office, Windows, and Active Directory
April 28–May 2, 2008 | Las Vegas, Nevada
The Microsoft Management Summit 2008 (MMS 2008) provides a unique opportunity to learn about the latest IT management solutions from Microsoft and partners.
In the past year Microsoft has released a broad range of new management products and technologies, including seven new product updates within the System Center suite alone. MMS 2008 provides the best way to learn how to apply these solutions to the business goals of your organization, fueling productivity and building growth. With sessions by technical experts, hands-on labs to try out the new products and the opportunity to meet with leading industry experts and peers, MMS 2008 remains the premier technical event of the year for IT professionals.
Register today at:
Along with windowsitpro.com and sqlmag.com, two new sites have been launched to ensure custom-made content is just a click away.
Microsoft Office and SharePoint content mentored by a community of peers and professionals.
A community addressing the need of content for the developer who needs to create with the IT administrator in mind.
Engage with our network of peers and professionals and view various forms of content. It is a complete source for IT professionals and managers, for information on managing, mining, building and developing world-class applications.
Tricks & Traps - Ask the Experts
Q: What’s new in Windows Live OneCare 2.0?
A: Live OneCare 2.0 introduces welcome support for the 64-bit versions of Windows Vista and Windows XP. This version also adds more PC health and maintenance functionality, including:
• The ability to specify a hub PC and manage other PCs centrally via a common Live ID
• Wi-Fi connection security assistance for providing a protected wireless experience
• The ability to back up photos and other information to online
• Printer sharing support
• System startup optimizer
• Proactive fix and recommendation advice to keep PCs healthy
• Monthly reports of usage on as many as three PCs on the same home network
InstantDoc ID 97940
—John Savill

Q: What’s the Microsoft Update Catalog 7.0?
A: Microsoft has released a new version of its catalog Web site, which lists updates, drivers, and hotfixes that you can download from update.microsoft.com for local installation. The catalog is available at catalog.update.micro
To use the site, enter a term in the search box on the main page (e.g., vista 64-bit driver) and click Search. A list of all matching updates will be displayed. Click Add next to each update you want to download, which adds the update to the update basket. You can perform multiple searches and add more updates to the basket. After all the desired updates are in the basket, click the view basket link under the search box, which displays all the updates in the update basket, as Figure 1 shows.
Click the Download button, and you’ll be prompted to confirm a folder to which to download the updates, then click Continue. After the download is complete, click Close in the download window.
Each update is placed in a separate subfolder in the destination folder, and each subfolder has the same name as the update title. You can then manually install the updates by double-clicking them, or you can inject them into a Windows Imaging Format (WIM) file.
InstantDoc ID 97939
—John Savill

Figure 1: Viewing the Update Catalog basket

At a Glance
Keeping your system secure with Live OneCare 2.0
Learning about Microsoft Update Catalog 7.0
Clearing the Outlook autocomplete address cache
Granting users permission to add/remove themselves from a distribution group

Q: How can I clear the Microsoft Office Outlook auto-complete address cache?
A: Outlook has an auto-complete cache to help fill in recipient information when adding recipients. If you want to delete this auto-fill cache, you can delete individual items or the entire cache. You remove individual items by typing an address on the To line of an email, and when the auto-fill suggestion is displayed, press the Delete key. To delete the entire cache, stop Outlook, navigate to the %APPDATA%\Microsoft\Outlook folder (type this in the Explorer address bar), and delete the Outlook.NK2 file. Restart Outlook.
InstantDoc ID 97941
—John Savill
Q: How do I give people permission to add or remove themselves but not others from a
distribution group?
A: The Self security principle is
a useful tool for working with
groups. Open the Active Directory
Users and Computers Microsoft
Management Console (MMC)
snap-in and enable Advanced
Features (View, Advanced Features). On the Security tab, select
the Self principal and click Add/
Remove self as member, which will
allow users to add and remove
themselves from the group but
not affect anyone else.
InstantDoc ID 97942
—John Savill
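As an added example (not from the column), a Python check that reads a group’s security descriptor in SDDL form and confirms the result of that click: SELF holds the Self-Membership validated write on the member attribute, and no broader principal can write member and so add or remove other people. The SDDL strings are constructed; in practice they come from the group’s nTSecurityDescriptor attribute.

```python
"""Check a group's DACL (SDDL form) for the permission the Self principal gets from
"Add/Remove self as member". Added example, not from the column; the SDDL strings
are constructed. Real ones come from the group's nTSecurityDescriptor attribute."""
import re
from typing import Dict, List, Set

# schemaIDGUID of the member attribute; the Self-Membership validated write that
# "Add/Remove self as member" grants is an object ACE scoped to this GUID.
MEMBER_ATTRIBUTE_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"
SELF_SID = "PS"  # SDDL alias for NT AUTHORITY\SELF ("principal self")

ACE_RE = re.compile(r"\(([^)]*)\)")
DACL_RE = re.compile(r"D:[^(]*((?:\([^)]*\))+)")

# Constructed: a group whose DACL matches what the answer above describes.
SELF_ONLY_SDDL = (
    "O:DAG:DAD:"
    "(A;;RPLCLORC;;;AU)"                         # Authenticated Users: read only
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"       # Domain Admins: full control
    "(OA;;SW;" + MEMBER_ATTRIBUTE_GUID + ";;PS)"  # SELF: add/remove itself only
)
# Constructed: a misconfigured group where every authenticated user can edit members.
TOO_BROAD_SDDL = (
    "O:DAG:DAD:"
    "(A;;RPLCLORC;;;AU)"
    "(OA;;WP;" + MEMBER_ATTRIBUTE_GUID + ";;AU)"  # AU can add or remove ANY member
)


def split_rights(rights: str) -> Set[str]:
    """SDDL rights are two-letter codes run together (or a hex mask, left as-is)."""
    if rights.startswith("0x"):
        return {rights}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def parse_dacl_aces(sddl: str) -> List[Dict[str, str]]:
    """Return the DACL's ACEs as dicts with type, rights, object GUID and trustee SID."""
    match = DACL_RE.search(sddl)
    if not match:
        return []
    aces = []
    for ace in ACE_RE.findall(match.group(1)):
        fields = ace.split(";")
        if len(fields) < 6:
            continue  # malformed ACE; skip rather than guess
        ace_type, _flags, rights, object_guid, _inherit_guid, sid = fields[:6]
        aces.append({"type": ace_type, "rights": rights,
                     "object": object_guid.lower(), "sid": sid})
    return aces


def grants_self_membership(aces: List[Dict[str, str]]) -> bool:
    """True when SELF holds the validated write (SW) scoped to the member attribute."""
    return any(
        a["type"] == "OA" and a["sid"] == SELF_SID
        and a["object"] == MEMBER_ATTRIBUTE_GUID and "SW" in split_rights(a["rights"])
        for a in aces
    )


def member_writers(aces: List[Dict[str, str]]) -> List[str]:
    """Trustees other than SELF that can change membership for anyone: write-property
    on the member attribute, or write-property / generic write / generic all on the object."""
    writers = []
    for a in aces:
        if a["type"] not in ("A", "OA") or a["sid"] == SELF_SID:
            continue  # deny ACEs and SELF itself are not what we are looking for
        rights = split_rights(a["rights"])
        whole_object = a["object"] == "" and bool(rights & {"WP", "GW", "GA"})
        member_only = a["object"] == MEMBER_ATTRIBUTE_GUID and "WP" in rights
        if whole_object or member_only:
            writers.append(a["sid"])
    return writers


def assess(sddl: str) -> Dict[str, object]:
    """Summarise one group: self-service membership present, and who else can write member."""
    aces = parse_dacl_aces(sddl)
    return {"self_membership": grants_self_membership(aces),
            "other_member_writers": member_writers(aces)}


if __name__ == "__main__":
    for name, sddl in (("self-only", SELF_ONLY_SDDL), ("too-broad", TOO_BROAD_SDDL)):
        print(name, assess(sddl))
```

Admins showing up under other_member_writers is expected; any other trustee there means people can edit the group beyond their own membership.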
For answers to more of your Windows server and client systems questions, visit our online discussion forums at www
Windows Power Tools
Decommission Old Computers with Cipher
Encryption isn’t the tool’s only capability
For the past two months, we’ve been tinkering
with Cipher (cipher.exe), the Windows command-line tool for controlling Encrypting File
System (EFS). The bulk of EFS’s job is to encrypt data
files and manage the keys it uses for that encryption, as
I demonstrated with the previous two columns’ looks at
the tool’s /e, /d, /r, and other options. But Cipher offers
other cool functionality, not least of which is its ability—
with its /w option—to simplify the decommissioning of
old systems.
Mark Minasi (gethelp) is a senior contributing editor for Windows IT Pro, an MCSE, and the author of 25 books, including Administering Windows Vista Security: The Big Surprises (Sybex). He writes and speaks around the world about Windows networking. You can meet Mark Minasi at the upcoming Windows Connections 2008 conference in Orlando, Florida, April 27-30. For more information, visit
Disk Decommissioning
What do you do with old computers—sell them or
donate them to a charity? The answer to that question is
important because those old systems probably contain
one or more hard disks that contain all sorts of confidential information. I always wince when I see someone
selling an old laptop or desktop computer because I’m
almost certain the seller hasn’t removed his or her personal data from the system’s hard disk. Perhaps the seller
has formatted the disk, but there are so many tools on
the market for restoring data from formatted disks that
I wonder how many people have been embarrassed
after selling a computer. A few times, I’ve purchased
used computers and discovered personal-finance files,
old email messages—you name it, all recovered without
any genius.
So, before letting go of a computer, you need to
ensure that its data won’t fall into the wrong hands. One
solution is to get rid of the computer but keep the hard
disk, but then we’re back to the question, “How do I get
rid of the data on the disk?” Some people use old hard
disks for target practice, which is fine if you live near a
rifle range. I’ve seen an amazing US Army machine that
shreds hard disks, but unfortunately I can’t afford a toy
like that. The best solution is to overwrite every sector
on the disk with random patterns, and—according to
some—repeat that several times. One erasure might not
entirely overwrite a magnetic area. (Having said that,
I’m not aware of an off-the-shelf hardware or software
solution that can reliably read a hard disk that’s been
overwritten once.)
Cipher’s Solution
Cipher offers a method for erasing a hard disk so that
you can feel fairly secure that none but the most technologically savvy bad guys can get to its erstwhile data.
You perform the process in two steps. First, format the
target disk. The easiest format procedure is probably to
put the disk in a USB-compatible external hard-drive
enclosure, then connect it to your new computer. Then,
once you’ve emptied the disk, open a command prompt
(I’m assuming your new computer is running at least
Windows XP) and type
cipher /w:<d:>
where d: is the drive letter of the disk you’re decommissioning. Cipher /w will overwrite all unused sectors on
the disk with zeroes, then ones, and finally a random
number. The key to understanding the process is the
phrase “unused sectors.” If you don’t first format the disk,
Cipher won’t touch the sectors that contain your data!
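To make the “unused sectors” point concrete, here is an added toy model (not from the column, and not Cipher’s own code) of a disk with an allocation table: the three-pass overwrite touches only sectors the file system considers free, so confidential data in an allocated file survives the wipe unless the disk is formatted first. Sector size, disk size and the secret are constructed.

```python
"""Toy model of cipher /w as described above: it overwrites only sectors the file
system says are unused, in three passes (zeros, ones, random). Added example, not
from the column and not Cipher's own code; sector size, disk size and the "secret"
file contents are constructed."""
import random
from typing import Set, Tuple

SECTOR_SIZE = 16  # constructed: tiny sectors keep the demo readable


class ToyDisk:
    """A flat run of sectors plus an allocation set standing in for the file system."""

    def __init__(self, sector_count: int) -> None:
        self.sector_count = sector_count
        self.data = bytearray(sector_count * SECTOR_SIZE)
        self.allocated: Set[int] = set()  # sectors the file system considers in use

    def write_file(self, payload: bytes) -> None:
        """Store payload in the first free sectors and mark them allocated."""
        free = [s for s in range(self.sector_count) if s not in self.allocated]
        needed = -(-len(payload) // SECTOR_SIZE)  # ceiling division
        if needed > len(free):
            raise ValueError("disk full")
        for i, sector in enumerate(free[:needed]):
            chunk = payload[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]
            start = sector * SECTOR_SIZE
            self.data[start:start + len(chunk)] = chunk
            self.allocated.add(sector)

    def quick_format(self) -> None:
        """A format discards the allocation table; the old bytes stay on the platters."""
        self.allocated.clear()


def cipher_w(disk: ToyDisk, rng: random.Random) -> int:
    """Three-pass overwrite of every UNALLOCATED sector; returns the number wiped."""
    wiped = 0
    for sector in range(disk.sector_count):
        if sector in disk.allocated:
            continue  # in-use sectors are exactly what cipher /w leaves alone
        start = sector * SECTOR_SIZE
        zeros = bytes(SECTOR_SIZE)
        ones = b"\xff" * SECTOR_SIZE
        noise = bytes(rng.getrandbits(8) for _ in range(SECTOR_SIZE))
        for pattern in (zeros, ones, noise):
            disk.data[start:start + SECTOR_SIZE] = pattern
        wiped += 1
    return wiped


def still_recoverable(disk: ToyDisk, secret: bytes) -> bool:
    """Stand-in for a raw-sector recovery tool: does the secret survive anywhere on disk?"""
    return secret in bytes(disk.data)


def decommission(format_first: bool) -> Tuple[int, bool]:
    """Run the flow once; return (sectors wiped, whether the secret is still on disk)."""
    disk = ToyDisk(8)
    secret = b"ACCT 1234567890 PIN 4242"  # constructed confidential file contents
    disk.write_file(secret)               # occupies two of the eight sectors
    if format_first:
        disk.quick_format()
    wiped = cipher_w(disk, random.Random(2008))
    return wiped, still_recoverable(disk, secret)


if __name__ == "__main__":
    print("wipe without formatting (sectors wiped, recoverable):", decommission(False))
    print("format, then wipe (sectors wiped, recoverable):      ", decommission(True))
```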
You might be wondering why you need to go through
the whole process of connecting the soon-to-be-decommissioned drive to a working system rather than,
say, booting Windows Preinstallation Environment (PE)
and running Cipher from Vista. I tried that latter solution
with no success. Apparently, Windows PE lacks the suite
of cryptographic support routines that Vista contains.
Oh, and don’t expect to get Cipher’s overwrite process
done quickly. In my experience, Cipher requires a minute or two per gigabyte. Start the encryption at night,
and your disk will be clean as a whistle by the time you
Don’t Worry
On a final note, let me save you some time and aggravation. When you make it known that you plan to use
Cipher /w to decommission a drive, someone—inevitably a security guy—will no doubt claim that overwriting
a drive a mere three times is insufficient to truly protect
that drive from a determined hacker. Now, I freely admit
to being a card-carrying security guy, but some of my
compatriots seem more interested in worrying people
than truly analyzing a security situation. Could the
NSA or CIA retrieve data that has been overwritten
only three times? Yes, those agencies probably could.
But as long as you’re not a member of Al Qaeda, you
can surely rest easy after accomplishing a “mere” three
InstantDoc ID 97933
Top 10
Free Virtualization Utilities
These tools will help you develop and manage your virtual environments
With virtualization technology making deep
inroads into almost every aspect of IT,
assembling your virtualization toolkit can
really help you be prepared to deal with the wide variety
of situations that you’re likely to encounter. For instance,
what do you do if you want to convert a virtual machine
(VM) from Microsoft Virtual Server 2005 R2 to VMware?
Or what if you’ve created a Microsoft Virtual Hard Disk
(VHD) image, but it’s run out of space and needs to be
expanded? I’ve come up with a list of some of my favorite
free virtualization tools for working with Microsoft or
VMware VMs that can solve these problems and more.
Ultimate-P2V—Converting physical systems to VMs is one of the most common
virtualization tasks. The Ultimate-P2V
utility is essentially a plug-in for BartPE
that creates new boot VM images by ghosting the physical
image and then injecting drivers into a VMware VM image.
This utility is far simpler to use than a tool such as Microsoft
Virtual Server Migration Toolkit (VSMT), but it requires
another third-party tool—Symantec Ghost or Acronis True
Image, for instance—to create the disk image. You can find
Ultimate-P2V at www.rtfm-ed.co.uk/?page_id=174.
VMDK to VHD Converter—If you’re looking
for a tool that can convert the other way—from
VMware to Microsoft images—then you’ll want
to check out vmToolkit’s VMDK to VHD Converter. Because most free tools seem oriented toward
making VMware images, this is a welcome addition if you
need to deal with both VMware and Microsoft VMs. You’ll
find the VMDK to VHD converter at vmtoolkit.com/files/
VMware Workstation 5.5 Disk Mount Utility—
This utility lets you mount a VMware virtual
hard disk file (.vmdk) on a Windows host. The
virtual hard disk file is mounted as a drive, and
you can read from and write to the .vmdk file. You can get
VMware Workstation 5.5 Disk Mount Utility from www
Virtual Server 2005 R2 SP1’s VHDMount—
VHDMount is Microsoft’s answer to VMware’s
Disk Mount Utility. VHDMount is a commandline tool that lets you mount a VHD file (.vhd) as
a local drive. VHDMount is included as part of Microsoft
Virtual Server 2005 R2 SP1 (which is itself free).
VHD Resizer—Expanding an existing virtual
hard drive has always been a problem for both
Microsoft and VMware VMs. VHD Resizer can
expand and shrink Microsoft’s VHD files. It’s
also able to convert between Fixed and Dynamic file types.
VHD Resizer is found at vmtoolkit.com/files/folders/
VMware Converter—This is my favorite conversion tool for VMware. VMware Converter is an
easy-to–use, wizard-based tool that can convert
either physical machines or Microsoft VMs to
VMware VMs. VMware Converter works with Windows
Server 2003 (32-bit and 64-bit), Windows XP (32-bit
and 64-bit), Windows 2000, and Windows NT 4 (SP4 or
later). You can download VMware Converter from www
Michael Otey is technical director for Windows IT Pro and SQL Server Magazine and coauthor of SQL Server 2005 Developer’s Guide
Virtual Floppy Drive—Virtual Floppy Drive
is another helpful tool; it lets you mount a virtual floppy drive from a VM. Creating a set of
virtual floppy drives can be handy for loading
storage drivers and other software for your VMs. Virtual
Floppy Drive can be found at chitchat.at.infoseek.co.jp/
ISO Recorder—ISO Recorder is my favorite free
utility for working with ISO images, and ISO
images are really handy for installing the OS and
other software on a VM. ISO Recorder integrates
into Windows Explorer’s context menu, and it lets you
create ISO images and burn ISO images to CD-ROM or
DVD. You can download ISO Recorder from isorecorder
VMmark—Does it seem like VMware has too
many entries in this list? It’s no wonder they’re
the market leader in virtualization. VMmark
is another powerful and free tool; this one lets
you benchmark applications running in VMware VMs.
You can find VMmark at www.vmware.com/products/
Virtual Machine Remote Control Client Plus—VMRCplus lets you manage, configure, and connect to Microsoft VMs. Unlike Virtual Server, VMRCplus doesn’t
require Microsoft IIS. VMRCplus can manage up to
32 VMs. You can download the Microsoft VMRCplus
client from www.microsoft.com/downloads/details
InstantDoc ID 98015
What’s Hot
Jeff James
is senior editor, products, for Windows IT Pro and SQL Server Magazine.
Readers Review

At a Glance
AppDev Microsoft SQL Server 2005 and Java Training CDs
Unitrends Data Protection Unit and Data Protection Vault
Ensim Unify Enterprise Edition 1.5

IT Training
AppDev Microsoft SQL Server 2005 and Java Training CDs
Dennis Podgorski, IT Manager
Product: AppDev Microsoft SQL Server 2005 and Java Training CDs
www.appdev.com

I use SQL Server 2005 at work, and I wanted to keep my skills updated, but without having to travel or leave my job to do so. My company will soon be upgrading a membership management system that is based on SQL Server, and we’re also planning to move from Crystal Reports to SQL Reporting Services in the near future. I also wanted to learn how to program in Java, mainly to understand and customize the Alfresco Content Management system and the Zimbra Collaboration Suite (open source

I first heard about AppDev and their Microsoft SQL Server 2005 and Java training programs either from a direct mail piece, or perhaps from seeing an AppDev ad in Windows IT Pro. I checked out the AppDev Web site, and saw that AppDev’s training products weren’t that expensive, and I liked that I could sample the products before purchasing. I considered attending an offsite training program as an alternative to AppDev’s training products, but that just wasn’t an option in our small work environment.

The AppDev CDs are well organized and I was able to get to sections I needed quickly. I also liked being able to refresh my understanding of complicated topics by watching the relevant sessions again if I needed to. After using both the SQL Server 2005 and Java training programs, I managed to learn what I needed to—all without having to be away from the office, and it didn’t cost me my entire training budget to do it.

There are some things that AppDev could improve upon. I’d like them to adopt a monthly (or yearly) subscription program, where I could just learn the latest and greatest information without having to buy another training program, possibly similar to the way that the Lynda.com training site does. I’d imagine that a subscription would be cheaper in the long run as well. I did lose my installation key at one point, but my AppDev account rep quickly provided it to me without any questions or complaints.
—Dennis Podgorski, IT manager
Wanted: Your Real-World Experiences with Products
Have you discovered a great product that saves you time and money? Do you use something you wouldn’t wish on
anyone? Tell the world in a review right here in What’s Hot: Readers Review Hot Products. If we publish your opinion, we’ll send you a Best Buy gift card and a free online subscription to a ProVIP publication of your choice! Send
information about a product you use and whether it helps you or hinders you to whatshot@windowsitpro.com.
What’s Hot
Disaster Recovery Tools
Unitrends Data Protection Unit and Data Protection Vault
Cameron Sauce, Operations Manager
Product: Unitrends Data Protection Unit and Data Protection Vault

Our company was looking for a more reliable disaster recovery tool, since our existing tape backup solution was inefficient, and our backups couldn’t be validated. We also were worried about files being lost due to system errors or natural disasters. Our customers need access to documents quickly, whether they need the files for auditing, compliance or other business use. Tape couldn’t provide the time to recovery our customers needed, so it was time to start thinking about disk-based backup solutions.

After investigating several other disk-based backup options, we decided on a Unitrends Data Protection Unit (DPU). The Unitrends architecture ensures that data never leaves the backup environment, and the Unitrends management GUI simplifies the backup process. For added disaster recovery protection, we also decided to go with a Unitrends Data Protection Vault (DPV), which allowed us to replicate data to a climate-controlled, fire-proof vault that is stored off-site. The DPV is protected by surveillance and security software, and has its own generators in case of a power outage.

We’ve found that the Unitrends backup solution is well-suited to our business model. It enables our new disaster recovery service, and protects our customers’ business documents. It has added value to what we’re able to offer, improves our customer service and helps us position our company as a trusted technology advisor.

We haven’t had many issues with the Unitrends DPU, although we’ve occasionally experienced a failed backup or a scheduling issue, probably due to a job purging process not completing. These issues are likely due to the storage capacity of the DPU unit itself—we’ve outgrown the available space on the unit.

We were impressed with the Unitrends product and realized that we could market a new service to our customers. It’s not often that a company’s disaster recovery solution contributes to revenue, but that’s exactly what Unitrends did for us.
What’s Hot
Active Directory Management
Ensim Unify Enterprise Edition 1.5
Francis Marquez, IT Support Specialist
Product: Ensim Unify Enterprise Edition 1.5
Company: Ensim
www.ensim.com

Our IT department had been looking for an application that would simplify Active Directory (AD) management—ideally through a central Web-based management console—and we began searching for a solution that could do what we need. I came across a magazine advertisement for Ensim Unify Enterprise Edition 1.5, and we decided to give the product a try.

Installation of Ensim Unify was very easy and straightforward: By far, it featured one of the easiest and smoothest installation processes I’ve seen when installing to a server OS. We immediately put Ensim Unify to work, and several features stood out for us as being the most significant.

It’s very easy to create new AD users thanks to the User Template function, and the distribution list management feature has been very useful. Ensim Unify also offers extensive security group management as well. After we installed and launched the software, a single mouse-click populated all of our security groups into a very user-friendly, very readable format.

My only gripes with the product deal more with the licensing structure than the product itself. For example, I was unable to get the activation tool to communicate with their licensing server. The end result was to make an exception in our firewall specifically to a certain port and IP specific rule. It would also be nice if the program could populate the distribution lists for Exchange in the same way that it does for the AD security groups, but that may be more of a Windows shortcoming than something that Ensim Unify could do.

I’ve also found that the Ensim support staff and sales team are some of the nicest and most courteous people I’ve come across in this industry—they’ve been very helpful and knowledgeable.
—Francis Marquez, IT support specialist
InstantDoc ID 98120
Windows IT Pro
MARCH 2008
SEND US YOUR INDUSTRY HUMOR! Email your funny screenshots, favorite end-user moments, and humorous IT-related pics to
rumors@windowsitpro.com. If we use your submission, you’ll receive a Ctrl+Alt+Del coffee mug.
User Moment of the Month
...Is a Virtue

In the days of the 5.25" floppy disk, I manned a Help desk at a university. One day, a professor called and said, "My Lotus 123 disks aren't any good. The computer won't read them and makes a loud noise when I insert them." I gave him a second set, and he experienced the same problem. I asked him to bring the disks in so that I could try them on a lab computer. As he opened his briefcase, he said, "Why do manufacturers make it so hard to remove the wrapping?" I stared in amazement. He had popped the welding rivets off each floppy disk and removed the square plastic protector sleeves. He was handing over a wobbly stack of round, floppy plastic discs.
—Dean Edwards

The IT Pro at Home!

What do you do after a long day at the office tinkering with systems and dealing with end-users? We're willing to bet you go home and do the same thing! You tinker with your home-networking setup, share media files across your systems, and solve the problems your family members are having with their satellite systems. You've got a connected home, and you probably use many of the same solutions there as you do at work. That's where Connected Home Media (www.connectedhomemag.com) can help. You're not only the IT Pro at work—you're the IT Pro at home! Sign up for the free Connected Home Express newsletter (www.windowsitpro.com/email) and get your tips about media sharing, home-network security, backup and recovery, home theater, and more!
March 2008 issue no. 163, Windows IT Pro (ISSN 1552-3136) is published monthly. Copyright 2008, Penton Media, Inc., all rights reserved. Subscriptions in US, $49.95 for one year; in Canada, $59 US
currency, plus 6% for GST for one year; in UK £59; in all other countries, US $99. Windows is a trademark or registered trademark of Microsoft Corporation in the United States and/or other
countries, and Windows IT Pro is used under license from owner. Windows IT Pro is an independent publication not affiliated with Microsoft Corporation. Microsoft Corporation is not responsible
in any way for the editorial policy or other contents of the publication. Windows IT Pro, 221 E. 29th St., Loveland, CO 80538, (800) 793-5697 or (970) 203-2782. Sales and Marketing Offices: 221 E. 29th St.,
Loveland, CO 80538. Advertising rates furnished upon request. Periodicals Class postage paid at Loveland, Colorado, and additional mailing offices. POSTMASTER: Send address changes to Windows
IT Pro, P.O. Box 447, Loveland, CO 80539-0447. SUBSCRIBERS: Send all inquiries, payments, and address changes to Windows IT Pro, Circulation Department, P.O. Box 447, Loveland, CO 80539-0447.
Printed in the USA. BPA Worldwide Member.
Active Directory | Exchange | SharePoint | SQL Server | Systems Center | Windows Server | PowerShell | Desktops
SQL Server
Windows Management
Active Directory
Windows Server
Systems Center
What’s on your mind?
It’s a no-brainer. Think Quest.
Worrying about your Windows infrastructure can be a real headache. Quest eases the pain
by helping you get more — more performance, more productivity, more reliability and more
value — from your Microsoft investments. No matter what’s on your mind, Quest is the smart
choice for Windows management.
And think about this: Quest and its family of Windows management solutions have won 19
industry awards, including Microsoft’s Global ISV Partner of the Year, in 2007 alone. That’s
because we’re committed to product innovation, customer support and our Microsoft
Get more. Think Quest.
Control changes in your Active Directory and safeguard its operations, security, and integrity.
Download our change management white paper and learn more from the Windows
management experts at www.quest.com/mind
©2008 Quest Software, Inc. All rights reserved. Quest and Quest Software are trademarks or registered trademarks of Quest Software.
All other brand or product names are trademarks or registered trademarks of their respective holders. WM-WINDOWS IT PRO_Q12008.