Now that you’ve established your rules, tested them in Audit mode, and also tested them in Enforce mode, you’re ready to start deploying AppLocker to all of your computers. In your GPO, go to Computer Configuration > Policies > Windows Settings > Security Settings > System Services and find the Application Identity Service. Double-click it, click the checkbox next to Define this policy setting, and set the startup mode to Automatic. This will change the Application Identity Service so that it starts automatically and will start the service at the next policy refresh.

AppLocker – Enable Application Identity Service in GPMC

I mentioned in a previous article that I like to keep my AppLocker settings in a separate GPO. There are two reasons I do it this way: First, if you need to disable AppLocker quickly, all you need to do is delete or disable the link without having to make changes to all of your new AppLocker rules.

The second reason is because of the Application Identity Service. I like to make sure that the setting to enable the Application Identity Service is in the same GPO as all of my AppLocker rules. This ensures that at the next policy refresh that the Application Identity Service startup is set to Manual along with the AppLocker rules being removed from the computer.

That’s it. You’re ready to start linking your new AppLocker GPO to computer OU’s for deployment! Before you just go linking the GPO, I highly recommend letting end users know about this change. You may be surprised by the number of users that have installed applications into non-standard locations, their profile, or USB drives.

Publisher digital signatures

Eventually, you’re going to be burned by a vendor’s digital signature. Some vendors are better than others about signing ALL of their executable files. Unfortunately, there’s no real way to handle that problem until you come across one that isn’t signed.

Some vendors use multiple certificates for signing their software. Citrix is a good example: They use one that has “Citrix Systems, Inc.” and another that has “Citrix Online.” The big difference between the two is that one is used by Citrix GoToMeeting and the other by the parent company.

AppLocker – Citrix Systems Digital Signature | AppLocker – Citrix Online (Go To Meeting)

Customize the block message (sort of)

One of my complaints with AppLocker is the message that is shown to the end user. The biggest problem I have is the “contact your system administrator,” part. It would be really nice if you could customize the text to say whatever you want. Unfortunately you can’t. You can, however, add a link to a web site on this dialog box. To do so, in your GPO, go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Explorer > Set a support web page link. Set the policy to Enabled and enter your URL.

AppLocker – Support Site Policy

When a user has an application blocked, they’ll get the same error message, but will also be presented with a link they can visit to get more information.

AppLocker – Block Message with Link

Users with Admin Rights

AppLocker rules will still apply to users with Admin rights just like any other user. The big difference is that users with Admin rights can circumvent AppLocker pretty easily. All an Admin would need to do is create a Path rule for the path * for ‘Everyone’ and now AppLocker is effectively disabled. If you’re still giving end users Admin rights, consider changing the practice.

UAC and default rules

I know I’ve already mentioned this, but because of some of the problems it has caused for me, I feel the need to repeat it. Users with Admin rights are probably going to see deny messages if you only use the default rules. The default AppLocker rule that allows all executables for Builtin\Administrators assumes that a user with Admin rights has used elevated privileges. This means that any Admin will need to right-click and choose “Run as Administrator” any time they need the allow Builtin\Administrators to run all executables rule. Where would this apply? Let’s say you download some kind of installer to C:\downloads. C:\downloads isn’t covered by the default rule for Program Files or Windows. If you double-click the executable as an Admin, you’ll get a deny message.

There are really only two ways around this: One is to make sure your people with Admin rights know they need elevated credentials when they need Admin rights. The other way around this is to create a Path rule that uses * as the path and a Group that you specify. You can essentially duplicate the ‘All files’ rule for BUILTIN\Administrators and just change the group. Just be aware that this is removing the AppLocker protections for this group. Do this very sparingly.

I hope this series on AppLocker has been helpful to you!

• AppLocker tutorial – Part 3: Testing (0)
• AppLocker tutorial – Part 2: Best practices (0)
• AppLocker tutorial – Part 1: Planning (1)
• Troubleshooting Group Policy – Part 6: Common problems (0)
• Troubleshooting Group Policy – Part 5: Active Directory problems (0)

Go back into your GPO and go to Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker. Right-click on AppLocker and choose Properties. Check the box next to Configured for each area of AppLocker that you’ll be testing and change the pull-down to Audit only. This will log all of the rule results to the Event Log without actually blocking any applications.

AppLocker – Properties Audit

I like to keep my AppLocker rules in a dedicated GPO. If you’re setting up AppLocker the same way, you can now link your GPO to an OU for testing. At this point, I haven’t configured what to do with the Application Identity Service (AppIDSvc). When I tested initially, I applied the GPO to a few volunteers’ computers (with the rules in Audit mode) and manually started AppIDSvc remotely and left the Startup type as Manual. I asked the users to let me know if they rebooted their computers so I could also restart AppIDSvc. With the rules in Audit mode, nothing should be blocked. But why take anything to chance? Should a user have problems with AppLocker, simply rebooting will disable AppLocker.

Now, you wait. After a few days, you can check the Event Log to see what’s getting blocked. Microsoft has a dedicated area of the Event Log just for AppLocker that makes things easy. In the Event Viewer, go to Applications and Services Logs > Microsoft > Windows > AppLocker and you should see “EXE and DLL” and “MSI and Script.” You should be able to skim through these events and see Warnings where things would be blocked by AppLocker if the rules were not in Audit. On my test system, you’ll see that the user ATL\testuser ran Google Chrome that is installed in the user’s profile in AppData. Since I’m looking to block applications from users’ profiles, this is the expected behavior I’m looking for.

AppLocker – AppLocker Event Log blocked app

After you’ve gotten comfortable with your rules, you can move on to enforcing them. First off, I still haven’t set the Application Identity Service (AppIDSvc) settings anywhere in Group Policy. The AppIDSvc service is disabled by default. By starting the service manually on the client computer, the end user has the fallback position of rebooting to disable AppLocker should the rules break something. Go back into the GPO and go to Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies, right-click on AppLocker, and choose Properties. Make sure Configured is still checked and change the pull-down to Enforce Rules. Since we’re testing the policy, you can run a quick gpupdate on the client to refresh the Group Policy.

AppLocker – AppLocker Enforce Rules

Once you’ve made sure that AppIDSvc is running and still set to Manual, you’re back to waiting. The good news is that now your customer is going to see the block messages in addition to the entry you’ll see in the Event Log. The end user will be told that, “This program is blocked by group policy. For more information, contact your system administrator.”

AppLocker – End user message for blocked app

Back in the Event Viewer, you’ll see that the Warnings are now Errors that AppLocker is enforcing rules.

AppLocker – Event Viewer application blocked

You should now be at the point where you have a pretty good idea of what works and what doesn’t work for your AppLocker rules. In the next, and final, part of this series, I’ll discuss the best way to enable the Application Identity Service for your computers and some of the common issues I’ve seen during an AppLocker implementation.

• AppLocker tutorial – Part 2: Best practices (0)
• AppLocker tutorial – Part 1: Planning (1)
• Troubleshooting Group Policy – Part 6: Common problems (0)
• Troubleshooting Group Policy – Part 5: Active Directory problems (0)
• Troubleshooting Group Policy – Part 4: Client problems (0)

By now, you should have a pretty long list of rules that have been generated by the GPMC. I would consider these rules as a starting point and not something you should use in production. If you’ve looked through the list, you’ll notice that there is a lot of redundancy. If you scanned the entire C:\ drive, you may also notice some things that you actually want to block with AppLocker. Here are some things I did to clean up my rules:

Use the default rules

If you’re going to use the default rules, you should be able to pare down some of the rules that were automatically generated. You don’t need 100+ rules for executables in the Windows or Program Files folder if you’re already allowing everything in those folders to execute.

Use publisher digital signatures

Most of the reputable software companies like Microsoft, Adobe, Citrix, Cisco, VMware, etc. do a relatively good job at digitally signing their executables. Several of these companies tend to have their installers end up in temporary folders inside of AppData that will be blocked if you don’t include a Publisher rule. Instead of allowing Adobe Reader, Acrobat, Illustrator, Photoshop, InDesign, etc. individually, you can use a publisher rule that allows anything digitally signed by Adobe.

AppLocker – Adobe Publisher Rule

Specify file paths IT controls

If you have file shares that are read-only to users/computers that are controlled by IT that are used for network applications or software distribution, consider creating path rules to allow those paths if the applications residing there aren’t digitally signed. This includes Sysvol! If you’re controlling scripts with AppLocker, they could be blocked from running in Group Policy if you haven’t created a rule to allow them to execute.

Keep hash rules to a minimum

Using hash rules can get dangerous really quick. The biggest downside to Hash rules is that you have to constantly update them. Every time an application update comes out, you’ll have to make sure you have the most current hash as well as the previous hash until you’ve patched all your machines. That could get time consuming very quickly.

Use descriptive names for rules or use descriptions

The default names that are created aren’t necessarily helpful at letting you know why the rule was created. If you have a Publisher rule named “Signed by O=Acme Software, Inc. , L=ATLANTA, S=GEORGIA, C=US,” you can’t really tell that the rule was created for software signed by Acme Software that is used by your Accounting department. There’s also a Description field if you need to include more detailed information like a reference back to a support ticket.

Does ‘Everyone’ need to be able to run that app?

I, like many other people, support several applications that don’t behave well in Program Files on Windows 7, but will run without major issues if you put them in a folder on the C:\ drive. Another pitfall of these applications for me is that they aren’t digitally signed requiring me to use a Path or Hash rule. If you have applications like this, consider giving a Group the ability to run the application instead of ‘Everyone.’ The same is true for software distribution shares and other resources used by IT; you don’t necessarily need to let ‘Everyone’ execute files from those locations.

UAC matters

Users with Admin rights are probably going to see deny messages. Microsoft has a TechNet article that explains the default rules that can be created for AppLocker. Unfortunately, it fails to explain that if you have UAC enabled, users with local Admin rights are going to see AppLocker deny messages. Why? The default AppLocker rule that allows all executables for Builtin\Administrators assumes that a user with Admin rights has used elevated privileges. This means that any Admin will need to right-click and choose “Run as Administrator” any time they need the allow Builtin\Administrators to run all executables rule.

The way around this is to create a Path rule that uses * as the path and a Group that you specify. You can essentially duplicate the ‘All files’ rule for BUILTIN\Administrators and just change the group. Just be aware that this is removing the AppLocker protections for this group. Do this very sparingly.

You should now have what you need to generate a list of AppLocker rules that you can start testing. In my next article, we’ll cover auditing your rules on a test computer to determine if your AppLocker rules are working the way you want them to and pushing the rules out to everyone.

• AppLocker tutorial – Part 3: Testing (0)
• AppLocker tutorial – Part 1: Planning (1)
• Troubleshooting Group Policy – Part 6: Common problems (0)
• Troubleshooting Group Policy – Part 5: Active Directory problems (0)
• Troubleshooting Group Policy – Part 4: Client problems (0)

Like any good systems administrator, I always try to do my research before implementing a new technology. While researching AppLocker, I came across quite a bit of documentation from Microsoft, questions various people posted to message boards, but nothing that really gave me an idea of what I could actually expect during my implementation. Here are the things I’ve learned after a couple of AppLocker deployments that I hope will help you.

AppLocker – Group Policy Management Editor

What is AppLocker?

AppLocker is an application whitelisting and blacklisting that is built in to Windows 7 and Windows Server 2008 R2. It allows you to write rules in Group Policy for which applications, scripts, and Windows installers are allowed to run (and which ones aren’t) that are enforced on the client PC by the Application Identity Service (AppIDSvc). Michael’s done a great job of giving an overview of AppLocker.

Prerequisites

To implement AppLocker, you’re going to need a management station that is running Windows 7 or Windows Server 2008 R2 with the latest GPMC. AppLocker policies cannot be edited on earlier versions of Windows. You’ll also need to be running Windows 7 or Windows Server 2008 R2 on any client systems where you want to use AppLocker. If you’re using older versions of Windows, you’ll have to work with Software Restriction Policies since the older OS will ignore the AppLocker settings in a GPO.

Planning

First, you’re going to have to decide on what you would like to accomplish by implementing AppLocker. This is important because it will determine how you’re going to write your AppLocker rules. In my situation, I wanted to block malware from running in user profiles as well as preventing unauthorized software from being installed or run from USB media. There are two ways you can deploy your rules: Blacklisting and Whitelisting.

Blacklisting

Blacklisting in AppLocker lets you allow everything, but block specific applications, scripts, and Windows installers that you do not want to allow on your computers. (Microsoft recently published a whitepaper on how Microsoft IT did this internally. This method will most likely cause the fewest headaches if you know exactly what you want to block. The downside is that you’ll have to generate a list of what you want to block and keep the list up to date. This method is also easier to circumvent if you’re using file paths to identify the application or file hashes that don’t include every version of an application.

Whitelisting

Whitelisting in AppLocker lets you deny everything except for specific applications, scripts, and Windows installers you want to allow. Anything that is not included in your list will be blocked. This method will require a lot more upfront work to make sure that you don’t accidentally block something, but in the long run will stop more unauthorized applications from running.

Detective work

Now that you’ve decided how you want to implement AppLocker, you need to identify the executables that you’ll need to allow or deny. (I’m probably going to use the term executable most often since my goal was to control applications. In most of what I’ll discuss, script or Windows Installer can be interchanged with the term executable.) Create a new GPO in the Group Policy Management Console and go to Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker (see screenshot above).

Here, you can right-click on Executable Rules and choose Create Default Rules. This will create rules that will allow Everyone to run files that are in Program Files and in the Windows folder. It will also create a rule that allows users with local Admin rights to run anything. The default action is Deny. This means that you’ll need to explicitly create a rule to allow everything if you’re planning on Blacklisting only.

Next, you’ll need a computer that is running a typical software load for your organization that has the Remote Server Administration Tools installed. Run the GPMC and go back to the AppLocker settings in your new GPO. Right-click on Executable Rules and choose Automatically Generate Rules. By default, you’ll be prompted to scan Program Files. You may want to consider changing the path to C:\ to catch things that end up outside Program Files. Just be aware that if you do change it, you may end up with things in your initial set of rules that you actually want blocked.

The wizard will ask whether you want Hash or Path rules for executables that don’t digital signatures. The answer really depends on your environment and how often those files will be updated. Just be aware if you choose file hash, you’ll need to keep your rules updated after each application update.

Between the default rules and the rules created automatically by the GPMC, you should have a good starting point for your AppLocker rules. In my next article, I’ll discuss the rules that were created by the GPMC and strategies for paring them down into something more manageable.

• AppLocker tutorial – Part 3: Testing (0)
• AppLocker tutorial – Part 2: Best practices (0)
• Troubleshooting Group Policy – Part 6: Common problems (0)
• Troubleshooting Group Policy – Part 5: Active Directory problems (0)
• Troubleshooting Group Policy – Part 4: Client problems (0)

You are a domain administrator for your organization. The company recently established a second campus in another state and installed two new domain controllers at that location. You create a new Active Directory site for the second campus and establish a new site link that joins the local site to the second campus site.

What remaining tasks are necessary in order to complete the new site topology? (Select the two best choices)

A. Enable site link bridging on the site link.

B. Move the domain controller objects to the second campus site object.

C. Define subnet objects for the second campus.

D. Change the link cost for the site link object.

E. Edit the replication schedule by editing the properties of the second campus’ domain controller objects

The correct answer, explanation, and analysis

The two correct answers are B and C. To complete the site implementation topology in this scenario, we need to move the new domain controller objects to the newly created site object, and define subnet objects for the second campus.

Remember that our Active Directory site design should mirror our physical infrastructure. Because the domain controllers in the second campus are located on the same physical campus, we want to allow for intrasite (that is, almost instantaneous) replication between those DCs.

The Knowledge Consistency Checker (KCC) is an Active Directory component that exists on all domain controllers. The determines an optimal replication topology for all domain controllers both within and between sites. The Inter-Site Topology Generator (ISTG) role, which is held by one DC within each site, calculates intersite replication topology based upon administrator-specified schedules and link costs. The following screenshot points out where we configure these properties on a site link.

Configuring the properties of a site link

The reason why choice A is incorrect is because site link bridging is enabled by default with Active Directory site links. Site link bridging enables site links to be used transitively in much the same way that Active Directory domain trusts are transitive. Thus, if we have a site link between site 1 and site 2 and another link between site 2 and site 3, we can replicate Active Directory changes from site 1 to site 3 even though there is no explicit site link connecting those sites.

Choice D is incorrect because site link costing is relevant only when the topology includes more than one site link. In this scenario we have only two sites and one site link. By contrast, if we had a backup network link between the campuses, we could set the second link at a higher cost than the first link in order to force the ISTG to use the primary link first, and then the secondary link only when the first link is unavailable.

Choice E is incorrect on a technicality. In order to set a replication schedule, we edit the properties of the site link, not the domain controller. When tackling Microsoft certification exam items, we need to parse EVERY WORD and make sure that we understand what’s going on.

Conclusion

I hope that you found working through this sample practice question to be fruitful to your certification studies. If you remain unclear on how Active Directory sites work, then see the companion piece that I mentioned at the beginning of this blog post. You are also free to leave your questions, comments, and concerns in the comments portion of this post. Happy studying!

• Microsoft Exam 70-640 – Configuring sites (0)
• Microsoft Exam 70-640 – Active Directory trusts – Sample question (0)
• Microsoft Exam 70-640 – Active Directory trusts (0)
• Microsoft Exam 70-640 – DNS Server settings – Sample question (1)
• Microsoft exam 70-640 – DNS server settings (0)

In this series, we will move through the content blueprint of the Microsoft Windows Active Directory Configuration (70-640) exam objectives with an eye toward preparing you to pass this Microsoft Certified Technology Specialist (MCTS) exam.

For each exam domain, I will give you two blog posts. One blog post represents a nutshell summary of the content underlying a particular subobjective from the 70-640 certification exam outline. The second blog post offers a representative practice exam question that covers one topic from that content domain.

The screenshot below shows the relevant section from the 70-640 exam blueprint on configuring Active Directory Domain Services (AD DS) sites.

Microsoft Exam 70-640 – Configure Sites / Domain 2, Subobjective 3

You know what the term replica means, right? A replica is an exact duplicate of some other object. Similarly, in Active Directory, our domain controllers replicate changes to the AD database in order to ensure that all domain controllers contain consistent (exact) data.

Whereas objects like the forest, domain, and organizational unit are logical objects that can be organized in several different ways, the Active Directory site, subnet, and site link objects are intended to reflect the physical infrastructure of your organization.

In a nutshell, domain controllers that exist in the same AD site will replicate to/from each other almost immediately (in 15-second intervals, to be exact). By contrast, domain controllers located in separate sites are connected by a site link object that the domain administrator can control to determine replication frequency. After all, the network link between sites is generally presumed to be much slower and potentially more unreliable than the high-speed LAN links that connect DCs within one site.

We implement our Active Directory site topology by using the Active Directory Sites and Services MMC console. We can do the same thing as well by using Windows PowerShell 2.0.

Active Directory Sites and Services console

Before you register to take the 70-640 exam, please ensure that you are very comfortable with all technologies and procedures that are referenced in this subobjective:

• Creating Active Directory Subnets
• Configuring Site Links
• Configuring Site Link Costing
• Configuring Sites Infrastructure

Creating Active Directory subnets

A subnet is an Active Directory object that denotes an area of high-speed network connectivity. I personally consider “high-speed connectivity” to denote LAN speeds of between 10Mbps and 1Gbps; however, the Microsoft literature gives what are to me absurdly low thresholds for subnets.

A subnet object

Because intrasite replication happens immediately (more or less), we define site objects in Active Directory that reflect the physical network topology within each site location. When we define a site, we specify the CIDR notation of the subnet (192.168.1.0/24 to denote a network ID of 192.168.1.0 and a 24-bit subnet mask), and the site object to which the subnet is associated.

NOTE: Windows Server 2008 R2 supports both IPv4 and IPv6 for subnet objects.

Relevant Links:

• Configuring Network Subnets
• Create a Subnet

Configuring Site links

Site links are manually created by domain administrators to, well, link site objects. The cool thing about site links is their ability to be scheduled and configured with a costing metric.

Active Directory Site link

Remember that because we presume that the physical network infrastructure links between physical sites are slower than LAN speed, we can set up a replication schedule on a site link in order to fully control how often Active Directory takes place.

By default, site link bridging is enabled on Active Directory site links. What this means in a nutshell is that site links are transitive in the same way that Active Directory trust relationships are transitive.

Relevant Links:

• Understanding Sites, Subnets, and Site Links
• Creating a Site Link Design
• Create a Site Link

Configuring Site link costing

Active Directory site links use a relative costing metric; lower cost values denote preferred replication paths. Consider the following diagram: in this topology, we can force Active Replication between site 3 and site 2 to occur by way of site 1 due to our configured costs. We could in this case use the site 3 > site 2 link as a backup for the purpose of redundancy.

Site link costing

Relevant Links:

• Configure Site Link Cost
• Determining the Cost

Configuring Sites infrastructure

All right—now let’s tie everything together. We now know that we want all of our domain controllers replicating changes to the AD database in a time-efficient manner. Most administrators define site objects to reflect each physical campus in their organization.

Within each site we have one or more subnet objects that denote the areas of high-speed connectivity within each campus.

Finally, we build site link objects to tie together our sites and manually specify replication paths and frequency.

NOTE: If you are wondering, “Where is the information on IP vs SMTP site links? What about the KCC and ISTG?” then hold on—we will cover those topics and more in the next exam subobjective. Be patient!

Relevant Links:

• Overview of Designing a Site Topology
• Designing the Site Topology

Conclusion

I hope that you find this approach to 70-640 exam preparation to be beneficial. Please feel free to leave your questions, comments, and exam experiences (no braindumps, please) in the comments portion of this post.

In the next post I will provide a sample practice question for the “Configure sites” subobjective.

• Microsoft Exam 70-640 – Configuring Sites – Practice question (0)
• Microsoft Exam 70-640 – Active Directory trusts – Sample question (0)
• Microsoft Exam 70-640 – Active Directory trusts (0)
• Microsoft Exam 70-640 – DNS Server settings – Sample question (1)
• Microsoft exam 70-640 – DNS server settings (0)

DPM 2010 provides the ability to protect servers in workgroup or non-trusted domains, using local accounts and NTLM based authentication. This capability proved less than popular in large enterprises because of the inherent weakness in NTLM, auditing difficulties and local account management. DPM 2012 adds another authentication method (the previous capabilities are still available); certificate based authentication. The following workloads are supported; SQL Server, File Server, Hyper-V and these can be clustered as well as standalone (note the missing pieces here, no Exchange, SharePoint, System State / Bare Metal Recovery or client computers). A secondary DPM server for DR can also use this authentication method.

All protection in DPM is done around the concept of Protection Groups.

The required certificates can’t be self-signed; hence an internal CA needs to be in place. Setting up certificate based protection is quite involved, first each DPM server has to be configured; generate a certificate from the CA for the DPM server, import this certificate on the DPM server and then configure the DPM server to use certificate based protection. For each server you want to protect you’ll need to install the agent and attach to the DPM server, generate a certificate for the server from the CA, import the certificate on the local computer and configure the DPM agent to use certificate based authentication. When the time comes to renew certificates, DPM will issue a warning alert 30 days before expiry and a critical alert one day before expiry.

Conclusion

A glaring problem in DPM 2010 that’s not addressed in DPM 2012 unfortunately is Exchange single item restore. Some competing backup products offer the ability to restore individual items from a mailbox. The fault doesn’t directly lie with the DPM team however as the methods used by third party software aren’t supported by Microsoft.

From a customer’s point of view it’s a bit odd though that DPM is so good at backing up most Microsoft workloads but falls flat in this one area. It’s time for the Exchange team to step up their game and provide a supported method for single item recovery as soon as possible.

A minor problem (compared to the Exchange issue) is that even though DPM recognizes Active Directory as a data source, single item recovery is again not possible. Another irritating issue is that if I select the Hyper-V node of a Hyper-V server one would assume that any VMs that are created after the creation of the Protection Group would be automatically protected but they’re not. Whilst it’s possible to do this with a PowerShell script it’s surprising that this wasn’t incorporated in this new version as default behavior.

Apart from these issues DPM 2012 is an excellent product, following the already successful earlier versions with a product that’s more enterprise friendly, eminently capable whilst still easy to use and administer. The new Central console is going to save many hours in large environments; the streamlined troubleshooting is a real winner and Role Based Access along with numerous other improvements makes this “best for backing up Microsoft products” even better.

Resources

The DPM team blog

• DPM 2012 – Part 3: Other improvements (0)
• DPM 2012 – Part 2: Role Based Access and scoped console (0)
• DPM 2012 – Part 1: Installation and Console (0)
• eDiscovery in Exchange – Part 4: Restoring a mailbox database with DPM 2010 (0)
• FREE: EASEUS Todo Backup Free Edition (2)

In a virtualized environment the issue is whether to backup from inside the guest or from the host. The latter provides “bare metal restore” of an entire VM where something’s gone catastrophically wrong with a VM (or the host) but in general it doesn’t provide granular restore of files / folders. DPM 2010 added Item Level Restore (ILR), allowing you to restore individual files or folders within a VM even though it had only been backed up from the host. But this capability was only available when DPM 2010 ran on physical hardware, if the DPM server itself was in a VM this capability was not available. DPM 2012 fixes this glitch and can now do ILR even when the DPM server is a VM.

Note that in both DPM 2010 and 2012 ILR is only for files and folders, if you’re running a transaction based workload such as SQL, Exchange or SharePoint in a VM you’ll need to install the agent inside the VM for granular protection. Also be aware that the Hyper-V role needs to be installed on the physical server for DPM 2010 in both Windows Server 2008 and 2008 R2, this is also the case when DPM 2012 runs on top of Windows Server 2008 but NOT when running on 2008 R2.

For stand-alone Hyper-V servers DPM 2012 introduces Changed Block Tracking, which transfers only the changed blocks rather than reading the whole VHD file. This improves backup performance as well as enhancing the Hyper-V server performance by reducing the number of IOs required for backup.

The tested scalability limits in DPM 2012 hasn’t changed from DPM 2010 and remains at 80 TB for replica volumes and 40 TB for recovery point volumes for a total of 120 TB.

DPM 2010 supports item level recovery for SharePoint but it’s time consuming as the entire content database has to be transferred to a staging location before items can be recovered. In a move sure to please SharePoint administrators (and stressed users who needs that document NOW) DPM 2012 instead attaches the database files on a recovery point to a SQL Server instance remotely and recovers the item. This can also be done for data in SQL Filestream content databases. Another improvement for SharePoint is farm level protection where new sites added to a farm are automatically protected.

For business with large tape libraries the added control with the new tape retention policies will be very useful.

DPM has had a tape optimization feature for some time which allows data co-location to better utilize available space on tapes. What was lacking in earlier versions was control over what data is housed with what; with only a single global policy for how many days before a tape can be overwritten.

DPM 2012 improves this by allowing you to configure Protection Group sets. Within each set you can control the Write Period which is the length of time that a tape is available for writing new backups as well as Expiration Tolerance which is the time an expired recovery point can remain on a tape until the tape is marked as expired.

Another tape improvement is that a single Protection Group can spawn multiple tape jobs and in DPM 2010 if one of those jobs had an issue, all of the jobs had to be stopped, in DPM 2012 only the job with an issue needs to be killed.

Also new in DPM 2012 is that any workload that comes with a VSS writer can now be recognized and protected by DPM, this is called Generic Data source protection.

In this part three of the four part series on DPM 2012 we covered a slew of different improvements in areas such as Hyper-V, tape management and Item Level Recovery. The next part will cover certificate based authentication along with a look at some areas where DPM could still do with improvement.

• DPM 2012 – Part 4: Certificate based authentication (0)
• DPM 2012 – Part 2: Role Based Access and scoped console (0)
• DPM 2012 – Part 1: Installation and Console (0)
• eDiscovery in Exchange – Part 4: Restoring a mailbox database with DPM 2010 (0)
• FREE: EASEUS Todo Backup Free Edition (2)

The scoped DPM console

The Central Console also enables another nifty troubleshooting feature – the scoped DPM console. When an alert is raised in SCOM you can click the Troubleshoot button which will take you to a DPM console which only shows the data sources, backup jobs and agents that are affected by this particular issue. Even better, once you have resolved the underlying cause you can run a test backup with a single click before resuming the entire backup job. It also provides context; the ticket number, alert and DPM server is listed in an area at the top of the scoped console.

Centralizing management inside of SCOM doesn’t just mean an aggregated view of all backups across many DPM servers; it also lets you work on more important issues first, for instance by showing issues that affect multiple data sources. Segregating errors into infrastructure and backup failures enables Tier 1 or 2 support to focus on backup failure alerts, whereas Backup Admins work on infrastructure problems and Tape Admins focus on tape errors.

Smaller environments can use the Remote Administration feature which lets you install the DPM console on a workstation and then connect that console to any remote DPM server.

The Scoped Console will be a real time saver in troubleshooting scenarios.

Role Based Access in DPM 2012

Another sign that DPM is stepping up to the big league is the application of Role Based Access (RBA) similar to how other Microsoft products (Exchange, SCOM) are approaching authorization for particular tasks in big organizations. Be aware that the DPM 2012 RBA model only covers the task itself, i.e. this user can recover data but you can’t further limit this by objects, i.e. this user can only recover Exchange data from these databases.

DPM comes with a set of seven built in roles with descriptive names: Read-Only User, Recovery Operator, Reporting Operator, Tape Operator and Tape Admins as well as the all-powerful DPM admin. The last two are Tier-1 Support (help desk) who can resume backups and take automated recommended action and the Tier-2 Support (escalation) who also can run backups on demand and take corrective actions such as enabling / disabling agents. Note that the roles are respected by the SCOM console and scoped DPM consoles that are opened from within the SCOM console but are NOT respected in the DPM console on the DPM server itself.

Incorporating the DPM user roles using the SCOM user role approach is another great way of integrating DPM into SCOM.

In part three we’ll over other improvements in DPM 2012.

• DPM 2012 – Part 4: Certificate based authentication (0)
• DPM 2012 – Part 3: Other improvements (0)
• DPM 2012 – Part 1: Installation and Console (0)
• eDiscovery in Exchange – Part 4: Restoring a mailbox database with DPM 2010 (0)
• FREE: EASEUS Todo Backup Free Edition (2)

Submitted by Chris Wright – Website: Cjwdev

NTFS Permissions Reporter is a new tool from Cjwdev, with a completely free edition available for anyone to download and use without any registration or time limits imposed. It makes auditing and reviewing permissions on your file system quick and easy, as you can simply right click on any directory in Windows Explorer and choose Report Permissions to launch the program and instantly see how permissions are assigned to that directory and all of its sub directories.

What are the NTFS permissions? NTFS Permissions Reporter

The report results can be viewed in either tree format (which mimics the explorer style view of directories that we are all used to) or in a sortable table format. Different levels of permissions are highlighted in different colours to make it easy to see at a glance what level of access a particular user or group has to a directory.

This is taken a step further in the standard edition as filters can be used to limit the results to only permissions where a specific account is used either directly or via group membership, and various other attributes can be filtered on as well. Even the free edition lets you automatically expand groups to show their members in the report though (both direct and nested members), giving you a true view of everyone that has been granted or denied permission to each directory.

NTFS Permissions Reporter – Report settings

Results can be exported to HTML file (and CSV file in the standard edition) for viewing at a later date or for sharing with colleagues.

NTFS Permissions Reporter

• FREE: Smart Defrag – A defragmentation tool (9)
• FREE: Disk Defrag – A disk defragmenter (3)
• FREE: MyDefrag – Script defragmentation (4)
• FREE: Fast Duplicate File Finder – Find and delete duplicate files (2)
• Raffle: StarWind Enterprise CDP Edition – iSCSI SAN Storage Software for Windows (0)

Introduction

Protecting your data and systems running Microsoft workloads is paramount and the best way to do that is with Microsoft Data Protection Manager (DPM). This is an enterprise class product that’s gone from strength to strength over the last few versions. In this review we’ll look at DPM 2012 Release Candidate.

DPM 2012

In this four part article we’ll first look at installation of DPM 2012 RC and the new Centralized Management capability. In part 2 we’ll cover the scoped DPM console as well Role Based Access. Part three will cover other small and large improvements in DPM 2012 whilst the fourth part will look at Certificate Based Protection as well as some concluding remarks.

DPM 2012 installation

The overall installation experience has changed very little from previous versions. As before you can select to install a local instance of SQL Server (2008 R2 in this version) but larger environments are likely to use the option of a remote SQL Server. Multiple DPM servers can share a SQL server; each requires about 2.5 GB of memory so scale your servers accordingly. The underlying OS can be Windows Server 2008 / 2008 SP2 or 2008 R2 with or without SP1.

If you’ve been trying out DPM 2012 beta be aware that it can be upgraded to DPM 2012 RC which in turn will be upgradable to DPM 2012 RTM.

Whilst both DPM 2010 and 2012 servers can share a tape library (provided it’s recognized by device manager in Windows correctly) you can’t have DPM 2010 and 2012 servers talking to the same tape library, something to take into account for your upgrade planning.

The new DPM console has adopted the ribbon at the top as well as following suit with other System Center products with a wunderbar on the left a la Outlook.

Installing DPM 2012 is characteristically smooth and easy.

Centralized management of DPM 2012 and DPM 2010

To really enable DPM 2012 to reach enterprise scalability scenarios, in a manner that can be effectively managed, required a change in the management paradigm. If your company has two or three DPM servers, perhaps in separate locations, managing them independently isn’t a big deal. But if you have tens or even hundreds of DPM servers that approach quickly becomes expensive, notwithstanding the capabilities of PowerShell scripting.

DPM 2012 provides a centralized console for multiple DPM servers but rather than building a separate console it’s integrated with a console that many corporations are already using – Systems Center Operations Manager (SCOM). For businesses that rely on a third party ticketing system the SCOM integration will ensure that DPM alerts flow nicely into those systems as well. DPM 2012 beta supported SCOM 2007 R2 but the Release Candidate only supports SCOM 2012 RC. Both versions might be supported at RTM but we’ll have to wait and see.

To enable the Central Console is a three step process, first you’ll need to have SCOM 2012 RC installed and then run the main DPM installation screen and select to install the Central Console on the SCOM server. Finally the new Management Packs need to be imported into SCOM; if you’re thinking of trying out SCOM 2012 detailed instructions are available here.

Large businesses that have deployed DPM 2010 will be glad to know that the centralized console will manage DPM 2010 servers as well as DPM 2012. The centralized management extends further and lets you perform remote recovery, take corrective actions remotely and consolidate alerts across your entire backup environment. The Actions pane on the right is context sensitive and presents DPM actions appropriate to the object selected in the tree hierarchy. The tested scalability limit for the Central Console is 100 DPM servers or 50 000 protected data sources.

Using Operations Manager as the Central Console for DPM 2012 is an excellent move and it’s also very well implemented.

Raised Alerts are grouped by data source, disk, tape and tape drive, protection groups and replica volumes alerts, which makes it easy to focus on the area you need to troubleshoot. The central console on SCOM also filters alerts to match your SLA; say you have a guarantee to back up a data source every 4 hours but you actually run backups every hour, if these backups fail the DPM console will have an alert for each failure but SCOM will only raise an alert when the SLA is actually breached.

In part 2 we’ll cover the scoped DPM troubleshooting console as well as Role Based Access.

• DPM 2012 – Part 4: Certificate based authentication (0)
• DPM 2012 – Part 3: Other improvements (0)
• DPM 2012 – Part 2: Role Based Access and scoped console (0)
• eDiscovery in Exchange – Part 4: Restoring a mailbox database with DPM 2010 (0)
• FREE: EASEUS Todo Backup Free Edition (2)

You are the Active Directory architect for a two-forest enterprise whose logical topology is shown in the following diagram:

Active Directory – Logical topology

Your IT security team determined that due to the sensitivity of their project work, users in the lab domain should not be allowed to access resources in the 4SysopsA.com forest.

Which of the following actions should you undertake in order to accomplish your goal?

A. Redefine the forest trust as an external trust.

B. Redefine the forest trust to use selective authentication.

C. Remove the SID History attribute(s) from users in the lab.4SysopsB.com domain.

D. Create a shortcut trust between the lab and corpA domains.

The Correct answer, explanation, and analysis

The correct answer is B. By default, forest trusts use forest-wide authentication, which enables users to authenticate to any domain on either side of the trust relationship. This works fine when both forests are owned by the same people.

However, there are cases in which administrators need to be more selective in terms of which user accounts are allowed to cross a trust. This is where the selective authentication feature of Active Directory Domain Services (AD DS) trust relationships becomes relevant.

Enabling selective authentication is a two-step process. First, we must enable the feature by examining the properties of the trust relationship. The relevant dialog box here is shown in the following screenshot.

Enabling selective authentication

NOTE: We can also specify the authentication security type during trust creation in the New Trust wizard.

The distractor choices in this practice item can be ruled out easily if you have a good grasp of (a) the different types of trust relationships that are available; and (b) when to apply each one. For instance, we can rule out choice A because external trusts are intransitive. In this scenario we do indeed want all involved domains to access each other across the forest trust relationship. Only the lab domain has the special security concern.

Choice C is a red herring that assumes that you have no idea what SID history is. The fact that Active Directory stores the SIDs of user accounts that have been migrated to a new domain is not in the least bit relevant to the item’s scenario. Finally, we can dismiss choice D because shortcut trusts are used to reduce logon times between non-adjacent domains, not to selectively filter access across a forest trust relationship.

Conclusion

I hope that you found working through this sample practice question to be fruitful to your certification studies. If you remain unclear on how Active Directory trust relationships work, then see the companion piece that I wrote for 4sysops.com. You are also free to leave your questions, comments, and concerns in the comments portion of this post. Happy studying!

• Microsoft Exam 70-640 – Configuring Sites – Practice question (0)
• Microsoft Exam 70-640 – Configuring sites (0)
• Microsoft Exam 70-640 – Active Directory trusts (0)
• Microsoft Exam 70-640 – DNS Server settings – Sample question (1)
• Microsoft exam 70-640 – DNS server settings (0)