Category: Windows Server 2008 R2

I guess you’re wondering what the heck “WEBSPAPW” stands for and it is nothing but “Windows Essential Business Server Preparation and Planning Wizards”. Microsoft has now come to the conclusion that this tool as I’ve written before was not only used for EBS migrations but also for general health checks in Active Directory environments. This has resulted in the name change to “Microsoft IT Environment Health Scanner” which is built from the previous EBS tool.

When running the Microsoft IT Environment Health Scanner you may find problems related to AD, DNS, replication and many other things and for everyone in charge of or controlling the IT environment this tool is strongly recommended. Read more on the EBS Blog.

Download: Microsoft IT Environment Health Scanner

I just want to share a quick tip about something really smooth that many IT staff seems to be unaware of. Windows Vista and Windows Server 2008 introduced the fact that you can install it without entering a product key. This was later introduced in Windows XP (with service pack 3 slipstreamed) and also later Windows Server 2003 R2 media. Nothing about this changes for Windows 7 or Windows Server 2008 R2. So to sum it up you can install all current as well as coming operating systems without entering a product key and you will then have up to 30 days to enter it.

Some time ago I had the unfortunate job to do some manual cleaning of an old and since long disconnected (and not decommissioned) Exchange Server in Active Directory using adsiedit.msc and this is not something one want to do I can promise you. Anyway during the testing phase I had to make sure that certain keys and values in adsiedit.msc were safe to be deleted and to accomplish this I removed all permissions on the keys to make sure that no one could read the information. You might think that restoring the permissions on objects in adsiedit.msc is the same as the management with file and folders but that is not the fact.

Instead use the command DSACLS to control the access control lists of Active Directory objects and run for example the following command to let the group Everyone get full permission on the object “First administrative group”.

DSACLS "CN=First Administrative Group,CN=Administrative groups,CN=CONTOSO,
CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=CONTOSO,DC=LOCAL"
/G Everyone:GA

Beware when working in adsiedit.msc and be very certain about what you are doing before deleting stuff. Sometimes just removing all permissions on objects is the best way because then you can always use the above command to restore permission to the object(s).

If you want to add domain users or groups to a local group on a Windows client machine automatically, this can be done using group policies. One reason could be to easily put groups or users to the local group Remote Desktop Users to allow them to log on via RDP. To control which users or groups you want to add create a new GPO in the domain and go to Computer configuration > (Policies) > Windows settings > Security settings > Restricted groups.

Once there choose to add a group and in my example find the “Remote Desktop Users” group and after that add the user or group you want to add to the local machines which that particular group policy object applies to. More information about restricted groups can be found at http://support.microsoft.com/?id=810076

When preparing an existing Active Directory environment for migration to Windows Essential Business Server  one must run a tool which scan the environment and make sure that no errors exist before the migration can even start. This tool is called Windows Essential Business Server Preparation and Planning Wizards and can be downloaded from Microsoft Download Center without cost.

The thing is that this tool is a great utility to use in existing environments, even though they are not being migrated and never will be migrated to Windows EBs. The tool is a great health check and will most likely show errors or potential problems you had no idea existed in your server environment. It find problems with DNS, in Active Directory and replication and will guide you to recommended system changes and much more. I strongly recommend everyone to run it on your own environments to see what it finds.

Just a quick note related to scanning for errors and best practices is that the upcoming Windows Server 2008 R2 will include a number of best practices analyzers for roles such as DNS, Active Directory and many more. This is really slick!

Download Windows Essential Business Server Preparation and Planning Wizards