Tag: Windows Server 2008

AppLocker does NOT require a Windows Server 2008 R2 DC

Early documentation from Microsoft regarding the new AppLocker feature in Windows 7 (and Windows Server 2008 R2) stated that to be able to use AppLocker you must have a “Windows Server 2008 R2 Domain Controller to host the AppLocker rules”. I have seen this information several times since then, and at a seminar regarding Windows 7 that I paid a quick visit to yesterday this particular question was raised.

Of course I had to make sure what’s really going on here, and I have now verified that AppLocker works perfectly fine in environments where there are only Windows Server 2003 DCs or Windows Server 2008 DCs. I can see no reason whatsoever for AppLocker to require a Windows Server 2008 R2 DC to function. The only requirement is that you’re running Windows 7 Enterprise or Windows 7 Ultimate edition to be able to use the powerful feature of AppLocker.

Solve inconsistencies in the servicing store

Microsoft introduced a completely new, component-based servicing mechanism in Windows Vista and Windows Server 2008. Sometimes information in the servicing store becomes corrupt and inconsistent. This state can cause hotfixes, service packs, security updates and other types of updates to fail.

To solve this problem you can use the System Update Readiness Tool, which has just been updated to work with Windows Vista SP2 and Windows Server 2008 SP2 (it also works for previous service pack levels).

Be aware of a problem when renaming domain controllers

If you have renamed a Windows Server 2008 or Windows Server 2008 R2 domain controller you should be aware of a problem: a DFSR object is not renamed to the new name. This does not cause any problems until you remove the domain controller in question. After you demote it or clean it up with metadata cleanup, the object becomes orphaned. So if you have renamed 2008 or 2008 R2 DCs you should follow the steps in KB2001271 to fix this.

HOW TO: Clean out Windows\Installer folder correctly

When disk space is running out on a system disk, be it on a server or a client, there are certain things to clean out. One of them is the %SYSTEMDRIVE%\Windows\Installer folder. You cannot under any circumstances delete files from this folder manually, as this not only may but most likely will break software that was installed using MSI files (Windows Installer files).

The %SYSTEMDRIVE%\Windows\Installer folder is a cache for installation files and patches (MSP files). Removing those will leave you unable to repair or uninstall applications, and in some cases unable to remove patches or apply new patches to software. If you did delete this cache, you can rebuild the files you need manually by extracting them from the original installation media, from patch packages and so on, but this is a time-consuming task and not an easy one.

But let me get to the point. If you do want to free disk space you can clean out the %SYSTEMDRIVE%\Windows\Installer folder by downloading the Windows Installer Cleanup Utility (NOTE: This tool has been retired and is no longer available from Microsoft) and then running the command

msizap.exe G!

When running this, the installer and patch packages are enumerated and unreferenced packages are considered to be safe to delete and are thereby also deleted. Depending on the age of the system and the number of applications installed, this action can free a significant amount of disk space.
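To see how much of the cache is unreferenced before changing anything, the following read-only report is an added example (not from the original post, and not how msizap itself is implemented). It assumes the LocalPackage values under the Windows Installer UserData registry key are the set of referenced packages, and it deletes nothing.

```powershell
# Read-only audit of the Windows Installer cache: lists cached .msi/.msp files
# that no registered product or patch points to. Nothing is deleted or moved.
# Assumption: the LocalPackage registry values below are the reference set.
$cache = Join-Path $env:SystemRoot 'Installer'
$root  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData'

# Collect every cached package path recorded for products and patches (all SIDs).
# PowerShell hashtables compare string keys case-insensitively, like NTFS paths.
$referenced = @{}
$regPaths = @(
    "$root\*\Products\*\InstallProperties",   # cached .msi per installed product
    "$root\*\Patches\*"                       # cached .msp per applied patch
)
foreach ($regPath in $regPaths) {
    Get-ItemProperty -Path $regPath -Name LocalPackage -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.LocalPackage) {
                $full = [Environment]::ExpandEnvironmentVariables($_.LocalPackage)
                $referenced[$full] = $true
            }
        }
}

# Enumerate the package files actually present in the cache folder.
$files = @(Get-ChildItem -Path $cache -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and ('.msi', '.msp' -contains $_.Extension) })

# Anything on disk that the registry does not reference is a candidate only.
$orphans = @($files | Where-Object { -not $referenced.ContainsKey($_.FullName) })

$orphans | Sort-Object Length -Descending |
    Select-Object FullName,
                  @{ Name = 'SizeMB'; Expression = { [math]::Round($_.Length / 1MB, 1) } },
                  LastWriteTime |
    Format-Table -AutoSize

$totalBytes = ($orphans | Measure-Object -Property Length -Sum).Sum
'{0} of {1} cached packages are unreferenced ({2:N1} MB)' -f `
    $orphans.Count, $files.Count, ($totalBytes / 1MB)
```

Treat the output as a list of candidates to review, and run it from an elevated prompt so every per-user key under UserData is readable.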

A bug in the DNS service in Windows Server 2008

I’ve seen quite an interesting behaviour of the DNS service in Windows Server 2008 for a long time without even thinking about the DNS service having a bug. Apparently there has been a fix for this issue out since the summer, but it was not until Microsoft blogged about the bug a few days ago that it got my attention.

The problem is with secondary DNS zones that suddenly lose all (or many) records of the zone, which is not a very good thing, I can tell you.

After reading through the description of the bug a couple of times I just sat there with my mouth open. This is exactly what I have been experiencing for some time now. So what is the moral of the story? Always check if it is a bug!

Download and more info: KB953317 A primary DNS zone file may not transfer to the secondary DNS servers in Windows Server 2008