
Verifying File Replication in 2008 DFS

A great new feature in 2008 is the ability to replicate SYSVOL using DFS Replication. DFS Replication is much more powerful and (IMO) easier to troubleshoot than FRS. It was a great improvement in 2003 R2, and it is great that we can now use it on SYSVOL! Verification matters more for SYSVOL than for an ordinary share: every Group Policy template and logon script lives there, so a DC whose copy lags or differs hands out different policy than its peers, and you want to know that replication actually converged rather than assume it.

Ned Pyle at TechNet has a great article about verifying it on his blog.
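One quick check of exactly that, as an added example (my own, not from the post and not from Ned Pyle's article): read the gpt.ini version of every GPO through each DC's own SYSVOL share and list the GPOs whose versions disagree or that are missing on some DC. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 RSAT or later) and read access to the SYSVOL share on every DC.

```powershell
# Added example: compare GPO versions across every DC's SYSVOL copy.
# Assumes the ActiveDirectory module and read access to \\<dc>\SYSVOL.
Import-Module ActiveDirectory

function Get-GpoVersionsPerDc {
    $domain = (Get-ADDomain).DNSRoot
    $dcs    = @(Get-ADDomainController -Filter * | ForEach-Object { $_.HostName })
    $table  = @{}    # GPO GUID -> hashtable of DC -> gpt.ini version

    foreach ($dc in $dcs) {
        $policies = "\\$dc\SYSVOL\$domain\Policies"
        $dirs = Get-ChildItem -Path $policies -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer }
        foreach ($dir in $dirs) {
            $ini = Join-Path $dir.FullName 'gpt.ini'
            $ver = $null
            if (Test-Path $ini) {
                $line = Get-Content -Path $ini | Where-Object { $_ -match '^Version=' } | Select-Object -First 1
                if ($line) { $ver = [int]($line -replace 'Version=', '') }
            }
            if (-not $table.ContainsKey($dir.Name)) { $table[$dir.Name] = @{} }
            $table[$dir.Name][$dc] = $ver
        }
    }

    foreach ($guid in $table.Keys) {
        $perDc    = $table[$guid]
        $distinct = @($perDc.Values | Sort-Object -Unique)
        New-Object PSObject -Property @{
            Gpo        = $guid
            # Consistent = the folder exists on every DC and every copy carries the same version
            Consistent = ($perDc.Count -eq $dcs.Count) -and ($distinct.Count -eq 1) -and ($distinct[0] -ne $null)
            Versions   = ($perDc.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
        }
    }
}

# Anything listed here has not converged yet (or one DC's SYSVOL share was unreachable).
Get-GpoVersionsPerDc | Where-Object { -not $_.Consistent } | Format-Table Gpo, Versions -AutoSize
```

An empty result means every DC serves the same version of every GPO. If something is listed, check whether it is still in flight before suspecting a broken DC: once SYSVOL has been migrated to DFSR, dfsrdiag backlog /rgname:"Domain System Volume" /rfname:"SYSVOL Share" /smem:DC1 /rmem:DC2 shows what DC1 still owes DC2, and dfsrmig /getmigrationstate confirms the migration itself finished on all DCs.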


Phone Conferences


My favorite reason to upgrade to Active Directory 2008: PASSWORDS!

A limitation of Active Directory that I have always found extremely aggravating is the password and account lockout policy.

You could only set one per domain. Any password policy in a GPO linked at the OU level applies only to the local accounts of the computers in that OU, never to domain accounts.

How many times did I wish I could set a different password policy for service accounts! I had to decide between relying on people to use good service account passwords or forcing end users to use insane passwords. So we had to trust the people creating the service accounts..

Different departments requiring different policies for auditing purposes were also a reason to set up a separate domain. That means at least two new servers, more management time..ew!

In 2008, if your domain is at the Windows Server 2008 domain functional level, you can create PSOs (Password Settings Objects) and apply different password and lockout policies to individual users or global security groups. When several PSOs cover the same user, the one with the lowest precedence value wins.

This is absolutely awesome and is a very good argument to migrate to 2008.

See this TechNet article about Password Settings Objects/fine-grained password policies, and use this great tool (PSOMgr from Joeware) to play with the settings instead of using ADSI Edit.

I wonder when Microsoft will have a nice interface to create these..
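As an added example of my own (not from the original post), here is the same idea done with the ActiveDirectory PowerShell module that shipped later with Windows Server 2008 R2 and its RSAT, instead of PSOMgr or ADSI Edit: a stricter PSO for service accounts, applied to a global group, followed by the check that matters, namely which policy a given account actually ends up with. The PSO name, the group svc-accounts-tier1 and the user svc-backup are assumptions.

```powershell
# Added example: a separate password/lockout policy for service accounts.
# Assumes the ActiveDirectory module and a domain at the 2008 functional level.
Import-Module ActiveDirectory

$psoName = 'PSO-ServiceAccounts'
$group   = 'svc-accounts-tier1'     # hypothetical global security group holding the service accounts

# Lower Precedence wins when a user is covered by more than one PSO.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 10 `
        -MinPasswordLength 25 `
        -ComplexityEnabled $true `
        -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 180) `
        -LockoutThreshold 10 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
}

# PSOs apply to users and global security groups only; you cannot link one to an OU.
$already = Get-ADFineGrainedPasswordPolicySubject -Identity $psoName |
    Where-Object { $_.SamAccountName -eq $group }
if (-not $already) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group
}

# The check: what does this account really get? No resultant PSO means the
# domain-wide settings from the Default Domain Policy still apply.
function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    $resultant = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($resultant) { $resultant } else { Get-ADDefaultDomainPasswordPolicy }
}

Get-EffectivePasswordPolicy -SamAccountName 'svc-backup' |
    Format-List Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```

Run the last call for a member of the group and for an ordinary user: the first should show PSO-ServiceAccounts, the second the domain default, which is the quickest way to prove the group membership and precedence are doing what you think.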


Oh yeah, and my other favorite reason is Read-Only DCs..let’s say they both rank as #1 reasons :)


ACL Benchmark: Local vs SMB vs DFS vs DFS/FRS

Here is a small test I did on DFS Performance.

Setup:

1 virtual machine running Windows 2003 SP1 as a DC + file server

1 virtual machine running Windows 2003 SP1 as a member server

1 other Windows 2003 SP1 machine that will act as a second DFS host later on

DFS root and link target folder located on the DC. The shared folder contains about 5600 subfolders but no files, for the purposes of this test.

Locally on the DC/DFS box:

Removing an ACE from the ACL at the top takes about 3 seconds. Forcing it to re-apply on all subfolders took about 30 seconds.

From the member server, using the non-DFS UNC path (the path that is the link target of the DFS link):

Adding an ACE and saving the ACL took approximately 210 seconds.

Removing the same ACE and saving took exactly 202 seconds (I had the patience to really watch it until it was done this time!)

From the member server, using the DFS path

Adding an ACE and saving the ACL took approximately 225 seconds.

Removing the same ACE and saving took 208 seconds


From the member server, using the DFS path, after adding a second DFS server hosting the content with FRS enabled (making sure the active referral still points at the same box as before):

Adding an ACE and saving the ACL took exactly 498 seconds!

Removing the same ACE and saving took 492 seconds!

From the member server, using a totally separate share on the server, which is not part of DFS at all

Adding an ACE and saving the ACL took approximately 119 seconds

Removing the same ACE and saving took approximately 90 seconds


Table of Results

Scenario                                         Add ACE    Remove ACE
Locally on the DC/DFS host                       -          ~3 s (30 s to re-apply to all subfolders)
Member server, UNC path of the link target       ~210 s     202 s
Member server, DFS path (single target)          ~225 s     208 s
Member server, DFS path (second target + FRS)    498 s      492 s
Member server, separate non-DFS share            ~119 s     ~90 s

Conclusion

Obviously, setting ACLs locally on the file server is about 67 times faster in my case (3 s versus about 200 s). Not really a surprise.

On a fresh, single-target setup, setting ACLs through a DFS path takes barely longer than through the direct SMB path of the target. The differences in my test are too small to call a difference, as this is not a 100% controlled environment.

Adding a second, FRS-replicated target roughly doubled the time again (about 490 s). On the other hand, setting the same ACLs on a share that is not part of DFS at all was close to twice as fast as on the link target (90 to 119 s versus about 200 s).

Notes

If you’re using Windows 2003 with no SP or Windows XP SP1, download this.

My test was done on 2003 SP1 servers, since this is what I had installed right now for compatibility with a client’s system. However, DFS was much improved in 2003 R2, especially regarding DFS Replication vs. FRS. I would expect performance to be better on an R2 system, and I will run the test when I get the chance! Maybe the difference will be smaller..who knows!


When the cluestick is not enough..


Disable the annoying BEEPs in your Virtual (or Physical) machines!

Ever get sick of the beeping of your VMs?
Working quietly, logging on to a vm…

BEEEEEP! YOUR PASSWORD HAS EXPIRED SO I FELT LIKE WAKING UP EVERYONE IN THE OFFICE!

Well, if your test lab is in a domain, there is a good permanent fix for you.

The next section is useful if you want to know where the service configuration of a GPO is stored in SYSVOL. If that doesn’t interest you, just go to the “Shortcut” section at the end.

Create a new group policy. Call it DISABLE_THE_BEEPS.

Edit it.

Under Computer configuration, in Windows settings\security settings, open System services.

The service we want to control is called Beep. What…it’s not in there?
God does not want me to live free from these annoying beeps? Will I have to open up my laptop case and rip the PC Speaker apart?

No no no..a simple GPO trick will do it! (The editor only lists Win32 services; Beep is a kernel driver service, beep.sys, but the security template file the editor writes accepts any service name.)

Edit any service in the GPO (if your GPO is linked to an OU with computers, try not to pick a critical service, just in case). I usually take the Print Spooler.
Go into its properties and set the startup mode to Disabled. Click OK.

In GPMC, go to the Details tab of the DISABLE_THE_BEEPS GPO and note the Unique ID of the GPO.
Browse to \\yourdomain\SYSVOL\yourdomain\Policies\{unique id}\Machine\Microsoft\Windows NT\SecEdit.
Right-click the GptTmpl.inf file and open it with Notepad (the file is Unicode; keep it that way when saving).

The last line, under the [Service General Setting] section, should be "Spooler",4,""
(the fields are the service name, the startup type where 4 = Disabled, and the security descriptor, empty here, so only the startup type is enforced and the service’s own ACL is left alone).

Replace Spooler with Beep. Save the .inf.

You can now review the GPO settings in GPMC: the settings report reads the same file, so it will show Beep as Disabled.

One caveat: clients only process a GPO whose version number has changed. The Spooler edit in GPMC already bumped it, so the next refresh picks up Beep as long as no client refreshed in between; but if you hand-edit the file again later, make any small change elsewhere in the GPO so the version increments (or wait for the security settings extension’s 16-hour re-apply), or nothing will happen.

Now just make sure the GPO is getting applied to your VMs, and GONE ARE THE BEEPS!

Shortcut:

Create a GPO and set any one security setting in the editor once (a fresh GPO has no SecEdit\GptTmpl.inf until you do), browse to it in SYSVOL, open the security settings .inf, and add this under the [Service General Setting] section (add the section header if it is not there):
"Beep",4,""

Bump the GPO version with any small change elsewhere in the GPO, then apply it on servers.
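The same edit scripted, as an added example of my own rather than the post’s procedure, with the three things the manual steps quietly rely on made explicit: the file is UTF-16, the entry has to sit under [Service General Setting], and clients ignore a GPO whose version number did not change, so the computer half of the version is bumped in both gpt.ini and the AD object. It assumes the GroupPolicy and ActiveDirectory modules (Windows Server 2008 R2 RSAT or later) and write access to the GPO’s SYSVOL folder (GPO creator owner or Domain Admins). The GPO name DISABLE_THE_BEEPS comes from the post; everything else is assumed.

```powershell
# Added example: disable a service that the GPO editor does not list by editing GptTmpl.inf
# directly and bumping the GPO version so clients pick it up.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Disable-ServiceViaGptTmpl {
    param(
        [Parameter(Mandatory=$true)][string]$GpoName,
        [Parameter(Mandatory=$true)][string]$ServiceName    # e.g. 'Beep'
    )
    $gpo     = Get-GPO -Name $GpoName
    $domain  = (Get-ADDomain).DNSRoot
    $gpoRoot = "\\$domain\SYSVOL\$domain\Policies\{$($gpo.Id)}"
    $secDir  = Join-Path $gpoRoot 'Machine\Microsoft\Windows NT\SecEdit'
    $inf     = Join-Path $secDir 'GptTmpl.inf'

    # A fresh GPO has no SecEdit folder until a security setting is saved once in the
    # editor. Create the minimal template header if it is missing; the file is UTF-16.
    if (-not (Test-Path $inf)) {
        New-Item -ItemType Directory -Path $secDir -Force | Out-Null
        @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1') |
            Set-Content -Path $inf -Encoding Unicode
    }

    # Fields: "name",startup,"sddl" with 2 = Automatic, 3 = Manual, 4 = Disabled. An empty
    # SDDL enforces only the startup type and leaves the service's existing ACL alone.
    $entry = "`"$ServiceName`",4,`"`""
    $lines = @(Get-Content -Path $inf -Encoding Unicode)
    if (@($lines | Where-Object { $_ -match "^`"$ServiceName`"," }).Count -gt 0) {
        Write-Host "$ServiceName is already defined in $inf; not touching it"
    }
    else {
        # The entry must live under [Service General Setting]; add the header if absent.
        $out = New-Object System.Collections.Generic.List[string]
        $inserted = $false
        foreach ($l in $lines) {
            $out.Add($l)
            if (-not $inserted -and $l -eq '[Service General Setting]') { $out.Add($entry); $inserted = $true }
        }
        if (-not $inserted) { $out.Add('[Service General Setting]'); $out.Add($entry) }
        Set-Content -Path $inf -Value $out.ToArray() -Encoding Unicode
    }

    # Clients only re-process a GPO whose version changed. The version is one 32-bit number:
    # user settings in the high 16 bits, computer settings in the low 16 bits. Bump the
    # computer half in gpt.ini and on the AD object; GPMC flags a mismatch if they differ.
    $gptIni  = Join-Path $gpoRoot 'gpt.ini'
    $ini     = @(Get-Content -Path $gptIni)
    $current = [int](($ini | Where-Object { $_ -match '^Version=' } | Select-Object -First 1) -replace 'Version=', '')
    $new     = [int]([math]::Floor($current / 65536) * 65536 + (($current % 65536) + 1) % 65536)
    $ini -replace '^Version=.*', "Version=$new" | Set-Content -Path $gptIni
    Set-ADObject -Identity $gpo.Path -Replace @{ versionNumber = $new }

    # The GPMC settings report reads the same .inf, so this is the "review the GPO settings" step.
    Get-GPOReport -Guid $gpo.Id -ReportType Xml | Select-String -Pattern $ServiceName
}

Disable-ServiceViaGptTmpl -GpoName 'DISABLE_THE_BEEPS' -ServiceName 'Beep'
```

The function refuses to add a second line for a service that is already defined, because a duplicate entry in the template is exactly the kind of thing the editor will not show you clearly afterwards. After gpupdate /force on a target machine, sc query Beep should report the driver as stopped and sc qc Beep its start type as DISABLED.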


Video: Disabling the Beeps through GPO..


Windows Service permissions concerns when hardening servers

When hardening Windows servers through security templates or Group Policies, it is important to give the proper permissions to services. You might want to grant a helpdesk group the rights to stop, start and pause a service while not being able to change the parameters on the server, and most of all, without being a local admin of that server.

To do that, you create a new Group Policy and, under Computer Configuration, find the System Services section. Then you select the Spooler service, set its startup mode to Automatic, and specify the rights.

Now, the problem is that the default rights the GPMC editor proposes are NOT aligned with the actual defaults of Windows! And when you define a service here you replace its whole security descriptor, so any principal that is not in your new list loses access entirely.

Here you can see on the left what GPMC is proposing, and on the right the default Windows 2003 settings.

[Image: Default rights proposed by the GPO editor for services] [Image: Windows 2003 default rights on the Print Spooler]

Now, it is probably a very good thing to remove Power Users. The Print Spooler might be perfectly fine with what GPMC wants you to use plus your own customizations.

However, it is very important to make sure that any service that depends on this service is still able to read (query) it! For example, if only Administrators can read the service, and you have a Fax server that depends on the Print Spooler, it will not be able to start unless the service account it uses is part of Administrators!

Before you define a service in a template, capture what the box actually has with sc sdshow <servicename> (the service DACL as SDDL) and compare it with what the editor proposes; the same command on a machine that received the GPO confirms what you really ended up with.

Just a thing to keep in mind when hardening a lot of services, or when troubleshooting service startup problems..
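As an added example (mine, not the post’s), here is that check done in PowerShell with sc.exe, which is on every Windows box: pull a service’s DACL as SDDL, break it into per-trustee rights, and flag a descriptor that has lost the broad query access the Windows defaults give, which is the case the Fax-server story above describes. The sample descriptors are constructed in the shape sc sdshow prints them, and the helpdesk group SID is hypothetical.

```powershell
# Added example: inspect and sanity-check a service DACL before hardening it.
# Rights letters for services (two characters each):
#   CC query config   DC change config   LC query status   SW enumerate dependents
#   RP start          WP stop            DT pause/continue LO interrogate
#   CR user control   SD delete          RC read control   WD write DAC   WO write owner
function Get-ServiceSddl {
    param([Parameter(Mandatory=$true)][string]$Name)
    # sc sdshow prints a blank line followed by the descriptor, e.g. D:(A;;CCLC...;;;SY)...
    $out = & sc.exe sdshow $Name
    ($out | Where-Object { $_ -match '^D:' }) -join ''
}

function ConvertFrom-ServiceSddl {
    param([Parameter(Mandatory=$true)][string]$Sddl)
    $dacl = ($Sddl -split 'S:')[0]      # ignore the SACL if one is present
    $acePattern = '\((?<type>[^;]+);(?<flags>[^;]*);(?<rights>[^;]*);[^;]*;[^;]*;(?<who>[^)]+)\)'
    foreach ($m in [regex]::Matches($dacl, $acePattern)) {
        # Tokenize into pairs so that e.g. 'LCCR' is not mistaken for containing 'CC'.
        $tokens = [regex]::Matches($m.Groups['rights'].Value, '..') | ForEach-Object { $_.Value }
        New-Object PSObject -Property @{
            Trustee   = $m.Groups['who'].Value
            Type      = if ($m.Groups['type'].Value -eq 'A') { 'Allow' } else { 'Deny' }
            Query     = ($tokens -contains 'CC') -and ($tokens -contains 'LC')   # what a dependent needs
            StartStop = ($tokens -contains 'RP') -and ($tokens -contains 'WP')   # helpdesk-style control
            Change    = ($tokens -contains 'DC') -or  ($tokens -contains 'WD')   # reconfigure / rewrite the ACL
            Rights    = $m.Groups['rights'].Value
        }
    }
}

# The post's warning as a test: is there still an Allow ACE granting query rights to the
# broad groups the defaults use (Authenticated Users, Interactive, Everyone)? Without one,
# a dependent service running under a non-admin account cannot even open its dependency.
function Test-DependentsCanQuery {
    param([Parameter(Mandatory=$true)][string]$Sddl)
    $aces = @(ConvertFrom-ServiceSddl -Sddl $Sddl)
    $readers = @($aces | Where-Object {
        $_.Type -eq 'Allow' -and $_.Query -and (@('AU','IU','WD') -contains $_.Trustee) })
    $readers.Count -gt 0
}

# Constructed sample descriptors in the shape sc sdshow prints them.
$default  = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)'
$tooTight = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'   # Administrators + SYSTEM only
$helpdesk = 'S-1-5-21-1111111111-2222222222-3333333333-1105'                      # hypothetical helpdesk group SID
# Keep read for Authenticated Users; give helpdesk start/stop/pause (RP/WP/DT) but no DC, WD or WO.
$hardened = $tooTight + "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;$helpdesk)"

ConvertFrom-ServiceSddl -Sddl $default | Format-Table Trustee, Type, Query, StartStop, Change -AutoSize
Test-DependentsCanQuery -Sddl $tooTight
Test-DependentsCanQuery -Sddl $hardened
# Apply on a box with: sc.exe sdset Spooler $hardened   then confirm with Get-ServiceSddl Spooler
```

Test-DependentsCanQuery returns False for the Administrators-only descriptor and True once the Authenticated Users ACE is back, while the helpdesk ACE deliberately omits DC, WD and WO so the group can bounce the service but not repoint its binary or rewrite its ACL. The same SDDL string is what goes into the third field of the service line in GptTmpl.inf if you prefer to push it through the GPO rather than sc sdset.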


70-643 TS: Windows Server 2008 Applications Infrastructure, Configuring

Well, I passed this exam yesterday afternoon.

I prepared by skimming Configuring Windows Server 2008 Applications Infrastructure, really quickly.

If you already have OK knowledge (and I don’t mean GOOD by any means, I’m not GOOD with Sharepoint services or even IIS..just OK) of Sharepoint, IIS, and Terminal Server, you should be fine by just learning the new features of IIS7, Terminal server in 2008, as well as KMS and MAK activation. There will be a few questions on DRM and Windows Media server, but nothing really complicated.


4 exams to go for the whole MCITP:Enterprise Admin..
