
Monthly Archives: October 2011

There was an article this morning that mentioned that Metro was replacing Aero as the overall theme in the next version of Windows. I’ve been using both Windows 8 and Windows Server 8 since the BUILD conference, and I just don’t see how that is the case. In some of the recent posts by Steven Sinofsky there have been screen shots of Task Manager and other desktop apps using a very basic theme.

This one illustrates the new flat basic theme.


I haven’t tried the Client OS on a non-3D-accelerated system yet, but this is the default for the Server OS, accelerated or not.

In fact on the Server OS it’s a feature “Server Graphical Shell”:



Aero came enabled by default on the client OS.


On the Server OS you can get Aero by installing the “Desktop Experience” feature with the PowerShell command Add-WindowsFeature Desktop-Experience. The same feature is also available on Server 2008 R2 via the Server Manager interface.

While it may not be the most attractive interface ever, it is very consistent when using Remote Desktop Services. Using the default Server OS install gives you an experience that is the same locally and remotely.  Since a large number of virtual desktop deployments end up not enabling Aero this might be an effort to start managing expectations about remote UI in general. VDI is a MASSIVE push by industry and MS in particular since it really does away with a lot of the headache of managing desktop systems. At BUILD they were really hyping the potential for device makers to build cheap RDP terminals that serve as thin VDI clients. There was at least one session on it, though I didn’t see it personally.

While you can enable Aero in VDI sessions with RemoteFX (available since Server 2008 R2 SP1), that requires a supported GPU in the Hyper-V host, which is fairly expensive hardware, to provide the virtualized 3D acceleration.

@the_gadgeteur asked me to post some screen shots and build numbers…so, cheers.


AD LDS (Active Directory Lightweight Directory Services, formerly ADAM) is a general purpose LDAP directory that you can use for free with Windows Server. It’s used for the things you would normally use an LDAP server for…If you don’t know what that is then I promise you don’t care.

If you do know what an LDAP server is useful for…and you have the need…it’s a feature that can be installed from the Server Manager UI in 2008/2008 R2, or with PowerShell in the Server 8 Preview (Add-WindowsFeature ADLDS).

Depending on how you deploy LDS you will need to take different steps to enable SSL. I’m writing this because I actually couldn’t find an example on the web that used LDS instead of the older ADAM on 2K3. It’s the same thing, mind you…just different names and a slightly different UI experience. The easiest way to go about this is to get a machine certificate from AD CS, or jump through whatever hoops you have to in order to get a server authentication certificate. That is, the Enhanced Key Usage needs to include both Client Authentication and Server Authentication. The certificate should be installed in the machine’s personal certificate store like so:


Once that is in place you need to give your service account access to that key. Most deployments are going to use Network Service. Right click on the certificate and choose “Manage Private Keys…”


This will bring up a security dialog that allows you to add users/groups and set permissions on the private key of the machine identity certificate. Add Network Service and set the permission to Allow Read. Read is all the service needs in order to use the key; there is no reason to grant Full Control.


I still use LDP for everything…you can use what you like…Fire up an LDAP browser and make sure you can connect via SSL on the instance’s SSL port (636 by default, or 50001 if the box is also a domain controller, since setup falls back to the 50000/50001 pair when the standard ports are taken). Keep in mind that SSL on 636 does nothing to stop clients from doing clear-text simple binds on the plain LDAP port; if protecting credentials is the point of this exercise, lock that down separately.

It goes without saying that if you are using a domain account as your service account identity then you will need to take further steps to ensure that Kerberos works by setting the Service Principal Name to the correct value. You should also install the certificate in the personal store of your service account if that is your model.

In all cases you will need to make sure that the certificate is issued to the DNS name that clients will actually connect to; otherwise every client gets a name-mismatch error, or worse, gets configured to ignore it. Using a vanity domain name that will be load-balanced would require a service account and Kerberos configuration. These steps aren’t radically different from getting SSL and Kerberos working for IIS, though…So have fun with that.
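The procedure above as a script, added here as an example (it is not from the original post): it finds a certificate for the LDS host name in the machine store, checks that both EKUs are present, grants Network Service read on the key file (the same thing “Manage Private Keys…” does through the UI), and then does an SSL bind that pins the thumbprint of the certificate it just set up. The host name, SSL port and service account are assumptions; change them to match your instance. It also assumes an RSA (CSP) key from AD CS, which is what the legacy Computer template issues.

```powershell
# Added example, not code from the original post. Run elevated on the LDS host.
# Assumptions: LDS runs as Network Service, the cert has a CSP (RSA) key, and
# $HostName/$SslPort match the instance you created.
param(
    [string]$HostName = 'lds01.corp.example.com',        # assumed DNS name clients use
    [int]$SslPort     = 636,                               # 50001 if the host is also a DC
    [string]$Account  = 'NT AUTHORITY\NETWORK SERVICE'     # LDS service identity
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

# Standard EKU OIDs (RFC 5280): id-kp-serverAuth and id-kp-clientAuth
$ServerAuth = '1.3.6.1.5.5.7.3.1'
$ClientAuth = '1.3.6.1.5.5.7.3.2'

function Find-LdsCertificate {
    # Non-expired cert in LocalMachine\My issued to $HostName, with a private key,
    # whose EKU extension carries both Server and Client Authentication.
    $cnPattern = 'CN=' + [regex]::Escape($HostName) + '(,|$)'
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and $_.Subject -match $cnPattern
    } | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $oids = @($eku | ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
        ($oids -contains $ServerAuth) -and ($oids -contains $ClientAuth)
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Grant-PrivateKeyRead([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Equivalent of "Manage Private Keys..." -> Add -> Allow Read, applied to the key file.
    # CSP keys live under MachineKeys; a CNG (KSP) key would be under ...\Crypto\Keys instead
    # and $Cert.PrivateKey would be empty here.
    if (-not $Cert.PrivateKey) { throw 'Private key is not a CSP key; adjust the key path for CNG.' }
    $keyName = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
    $acl  = Get-Acl -Path $keyPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)        # Read only; the service never needs Full Control
    Set-Acl -Path $keyPath -AclObject $acl
}

function Test-LdapsBind([string]$ExpectedThumbprint) {
    # Bind over SSL and insist the server presents exactly the cert we just configured.
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($HostName, $SslPort)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    # This callback replaces default chain validation, so pin the thumbprint explicitly.
    $pinned = { param($connection, $serverCert)
                $serverCert.GetCertHashString() -eq $ExpectedThumbprint }.GetNewClosure()
    $conn.SessionOptions.VerifyServerCertificate =
        [System.DirectoryServices.Protocols.VerifyServerCertificateCallback]$pinned
    try     { $conn.Bind(); $true }       # throws LdapException if SSL or auth fails
    catch   { Write-Warning $_.Exception.Message; $false }
    finally { $conn.Dispose() }
}

$cert = Find-LdsCertificate
if (-not $cert) { throw "No usable server-auth certificate for $HostName in LocalMachine\My" }
Grant-PrivateKeyRead $cert
if (Test-LdapsBind $cert.Thumbprint) {
    "LDAPS bind to ${HostName}:$SslPort OK, server presented $($cert.Thumbprint)"
}
```

If the bind fails right after the ACL change, restart the LDS instance service; it only picks up a newly usable certificate when it starts.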

Learn to love PowerShell…it’s the preferred management interface in the new server OS.

The preferred deployment model is going to be the “Server Core” installation. This is generally a Good Thing® in that it drastically lowers the attack surface for operating system exploits (fewer binaries installed means fewer to patch and fewer to exploit). But most Windows admins I know don’t even know the legacy VBScript that they should. I actually had a guy ask me how to get to the “search” feature that was on the XP start menu.

This is why UNIX admins seem better at their job.

Regardless, it really seems like MS gets how big a pain it is to run lots of machines at once. Things that used to require either expensive third-party tools or custom development are baked in. In fact, the new Server Manager interface is just surfacing PowerShell commands, and the newest version of the Active Directory Administrative Center lets you save the command text it generates. This should ease the learning curve.

I guess I’ve finally read enough PowerShell examples that I’m starting to come around. Up until now I have mainly used C#, VBScript, and C++ (when forced) to do my work. One thing that I can say for the PowerShell ‘methodology’ is that it’s incredibly consistent.

Get-Help Some-Command -Examples

It’s consistent patterns like the above that seem to pervade the whole system.

Speaking of ADAC…ADAC actually depends on the Active Directory Web Service. Some places might have reservations about deploying ADWS since it needs to be installed on every domain controller. (That’s the entry level recommendation at least.) I know quite a few places that didn’t deploy it just because it had “Web” in the name. Insert groan tag. The benefits really do outweigh any deployment or management costs, whether real or mythological.

One really neat feature of PowerShell is that HKCU, HKLM, the certificate store, and IIS are all exposed as drives (through PowerShell providers), so the same navigation and item cmdlets work against all of them. So is Active Directory.

This image illustrates what I mean…
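As an added example (not from the original post) of what the drive model buys you, here is one script that uses the same Get-ChildItem / Get-ItemProperty verbs against HKLM:, Cert:, IIS: and AD: to pull a few security-relevant settings. It assumes the ActiveDirectory and WebAdministration modules are available where those drives are used; the domain DN is a placeholder, and the ADAM_<instance> registry location for LDS is an assumption to check against your own box.

```powershell
# Added example, not code from the original post. Assumptions: the ActiveDirectory and
# WebAdministration modules are installed where AD: and IIS: are used, and $Domain is
# the DN of your domain (placeholder value below).
param([string]$Domain = 'DC=corp,DC=example,DC=com')

Import-Module ActiveDirectory   -ErrorAction SilentlyContinue   # registers the AD: drive
Import-Module WebAdministration -ErrorAction SilentlyContinue   # registers the IIS: drive

function Get-LdapSigningRequirement {
    # HKLM: is a drive, so a registry value is just an item property. LDAPServerIntegrity
    # backs the "LDAP server signing requirements" policy on a DC (1 = none, 2 = require).
    # For an AD LDS instance the same value should sit under Services\ADAM_<instance>\Parameters.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
    }
}

function Get-ExpiringMachineCert([int]$Days = 30) {
    # Cert: is a drive; each item is an X509Certificate2, so filter on its properties.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -lt (Get-Date).AddDays($Days) } |
        Select-Object Subject, NotAfter, Thumbprint
}

function Get-HttpOnlySite {
    # IIS: is a drive; sites are items and their bindings are a property collection.
    # Sites with no https binding at all are the ones worth a second look.
    if (Test-Path IIS:\Sites) {
        Get-ChildItem IIS:\Sites | Where-Object {
            -not ($_.bindings.Collection | Where-Object { $_.protocol -eq 'https' })
        } | Select-Object Name
    }
}

function Get-DomainPasswordPolicy {
    # AD: is a drive; the domain head is an item and its LDAP attributes are item properties.
    if (Test-Path "AD:\$Domain") {
        Get-ItemProperty -Path "AD:\$Domain" -Name minPwdLength, lockoutThreshold, maxPwdAge
    }
}

Get-PSDrive -PSProvider Registry, Certificate, ActiveDirectory, WebAdministration -ErrorAction SilentlyContinue |
    Select-Object Name, Provider, Root
"LDAP signing requirement (NTDS): $(Get-LdapSigningRequirement)"
Get-ExpiringMachineCert -Days 30
Get-HttpOnlySite
Get-DomainPasswordPolicy
```

The point is not any one of these checks but that none of them needed a different tool: registry, certificate store, IIS metabase and directory are all just paths.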


It’s been a long time coming. Windows really didn’t have good scripting story before PowerShell.

Full disclosure…you aren’t supposed to do this. The metaverse in FIM 2010 (ILM 2007, MIIS 2003) can be exported to an XML file. I finally got around to writing an app that can search the schema of LDAP directories and SQL tables and add those new attributes to the MV schema with a prefix. Why? Because you will pretty much never get away from data flow troubleshooting questions. The FIM Sync Manager interface can only run on the console of the server that it’s installed on. (And no, you can’t install it on a server that has RemoteApp/Terminal Services installed.) There is some basic RBAC for segregating permissions but you still have to give RDP access to the machine.

The initial configuration of this application is also the very definition of tedium. The “old” method using the Sync manager was a pain…the SharePoint based method is worse.

More to come in the next post, but the general idea is a more automated means of getting the connected directories mapped into the system, with inbound attribute flows that populate MV objects with the corresponding CD data. Programmatically generating the metaverse schema is the first step. The next step will be manipulating the MA export files. Being able to generate these config files out of band will also enable some interesting UI scenarios for creating the attribute flows…There has to be a better way.

For the impatient:

Here’s a snippet that adds MV elements to the “person” class…
using System;
using System.Linq;
using System.Xml.Linq;

// Namespaces from a FIM/ILM metaverse schema export; the ms-dsml URI is written from memory, so
// check it against the xmlns declarations in your own exported file.
static readonly XNamespace dsml = "http://www.dsml.org/DSML";
static readonly XNamespace msDsml = "http://www.microsoft.com/MMS/DSML";
static XDocument xDoc;   // the exported schema, e.g. XDocument.Load("mv.xml")

// Adds a single-valued, indexable attribute-type and makes it an optional attribute of "person".
// syntaxOid is the DSML syntax OID for the new attribute (the original snippet left it blank).
static void AddSchemaElement(string schemaObjectName, string syntaxOid)
{
    var xEle = xDoc.Descendants(dsml + "directory-schema").First();
    var personEle = xEle.Elements(dsml + "class").First(x => (string)x.Attribute("id") == "person");
    XElement newAttributeType = new XElement(dsml + "attribute-type",
        new XAttribute("id", schemaObjectName),
        new XAttribute("single-value", "true"),
        new XAttribute(msDsml + "indexable", "true"),
        new XAttribute(XNamespace.Xmlns + "ms-dsml", msDsml.NamespaceName),
        new XElement(dsml + "name", schemaObjectName),
        new XElement(dsml + "syntax", syntaxOid));
    xEle.Add(newAttributeType);   // declare the type before the class references it
    personEle.Add(new XElement(dsml + "attribute",
        new XAttribute("ref", "#" + schemaObjectName),
        new XAttribute("required", "false")));
}