Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘SQL Server’ Category

(2010-10-09) Should You Do A Domain Rename Or Not – That’s The Question?

Posted by Jorge on 2010-10-09


A friend of mine asked me if a domain rename is something that should/could be used or not within an organization. What I answered him is more or less explained in this blogpost. Information about performing a domain rename can be found through the following links:

Instead of performing a domain rename [1], you can also create a new domain in the existing AD forest, or in a new AD forest, and migrate [2] everything into that new AD domain. To decide between [1] and [2] you must know the AD forest environment very, very well! With "AD forest environment" I mean:

  • the size of the environment;
  • the number of DCs per AD domain and per AD site (location), and the number of AD sites (locations) with DCs;
  • the AD forest/domain structure and the version of AD;
  • the versions of the AD-aware/AD-enabled apps (e.g. Exchange, OCS, etc.);
  • the operating system versions of the member servers and member clients;
  • which client/server apps (e.g. SQL Server, Citrix, etc.) exist, their versions and how they depend on AD;
  • what the remote possibilities are to connect to the DCs (including while the DCs are booting), and whether that remote access solution itself depends on AD;
  • where support personnel is available and where it is not;
  • etc, etc.

As you can see, doing your homework is the very first step to take before anything else! This homework tells you how much technical and logistical pain you may experience during such an exercise. The impact of a domain rename is HUGE! In a test environment I have no issue with doing a domain rename, but in a production environment I would never do it that easily, and probably I would never do it at all. A domain rename impacts ALL DCs in the AD forest at the same time, not just the DCs of the AD domain whose NetBIOS name and/or FQDN you want to rename. If you still think a domain rename is a viable option to check out, then make sure you have a very representative test environment with all applications in it, to see where things go wrong. Also check with the vendor of each app/system whether it supports a domain rename at all. Create a plan of your own and test, test, test, test, test, test, test, test, test, test, test, test! And make sure you have an up-to-date and tested disaster recovery plan as a fallback for when the shit hits the fan!

An example: assume your AD forest has 3 AD domains and each AD domain has 100 DCs, so 300 DCs in total. At a certain point in the procedure (the rendom /execute step; check Microsoft's domain rename documentation) ALL those DCs in the AD forest apply the new name and reboot, and they do so AT THE SAME TIME. It would scare the crap out of me rebooting 300 DCs at the same time! A simple test before performing a domain rename is to reboot each and every DC, just to make sure it comes back in normal mode without any issue.

After the domain rename you most likely have to repair all kinds of applications in some way; some apps/systems will not work until those repairs have been done. It may even turn out that a domain rename is not possible, or not supported by Microsoft at all. For example, if you have Exchange in your AD environment, then that plays a very important role in determining whether a domain rename is even possible.
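The homework above, as an added example that is not part of the original post: one PowerShell script that counts the DCs per domain and site (the machines a rename reboots), records OS version, GC/RODC/FSMO status and whether each DC still answers LDAP, and checks whether an Exchange organization has been prepared into the forest. It assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT), an account that can read every domain in the forest, and $ReportPath as the output location. The Exchange check only tells you that an organization object exists, not which version, so the support statements in the thread further down still have to be consulted.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory module
# (Windows Server 2008 R2 / RSAT) and read access to every domain in the forest.
Import-Module ActiveDirectory

$ReportPath = 'C:\Temp\dc-inventory.csv'   # assumed output location
$forest = Get-ADForest

$inventory = foreach ($domainName in $forest.Domains) {
    # Ask each domain directly; some DC of that domain must be reachable from here.
    foreach ($dc in (Get-ADDomainController -Filter * -Server $domainName)) {
        # TCP/389 as a cheap "does this DC still answer LDAP" probe.
        $ldapUp = $false
        try {
            $client = New-Object System.Net.Sockets.TcpClient
            $client.Connect($dc.HostName, 389)
            $ldapUp = $client.Connected
            $client.Close()
        } catch { $ldapUp = $false }

        New-Object PSObject -Property @{
            Domain          = $domainName
            Site            = $dc.Site
            HostName        = $dc.HostName
            IPv4Address     = $dc.IPv4Address
            OperatingSystem = $dc.OperatingSystem
            IsGlobalCatalog = $dc.IsGlobalCatalog
            IsReadOnly      = $dc.IsReadOnly
            FsmoRoles       = ($dc.OperationMasterRoles -join ';')
            LdapReachable   = $ldapUp
        }
    }
}

# Per-domain totals: this is the set of machines that rendom /execute will reboot.
foreach ($group in ($inventory | Group-Object Domain)) {
    $sites = @($group.Group | Select-Object -ExpandProperty Site -Unique)
    '{0}: {1} DC(s) in {2} site(s)' -f $group.Name, $group.Count, $sites.Count
}

# A DC that does not answer now will certainly not come back cleanly from a forest-wide reboot.
$unreachable = @($inventory | Where-Object { -not $_.LdapReachable })
if ($unreachable.Count -gt 0) {
    Write-Warning ('{0} DC(s) did not answer on TCP/389; fix or demote these first:' -f $unreachable.Count)
    $unreachable | Format-Table Domain, Site, HostName -AutoSize | Out-String | Write-Warning
}

# Exchange: an msExchOrganizationContainer under CN=Microsoft Exchange,CN=Services means
# PrepareAD/ForestPrep has run, so the Exchange support statements for domain rename apply.
$configNC = (Get-ADRootDSE).configurationNamingContext
$exchangeOrg = Get-ADObject -SearchBase "CN=Microsoft Exchange,CN=Services,$configNC" -SearchScope OneLevel `
    -Filter { objectClass -eq 'msExchOrganizationContainer' } -ErrorAction SilentlyContinue
if ($exchangeOrg) {
    Write-Warning ('Exchange organization "{0}" exists in this forest; check its version against the domain rename support statements.' -f $exchangeOrg.Name)
}

$inventory | Export-Csv -Path $ReportPath -NoTypeInformation
'Inventory written to {0}' -f $ReportPath
```

Run it from a member server with RSAT in the forest root domain; the CSV is the list you walk through with each application owner, and the unreachable list is the first thing to fix, because a DC that is already broken will not survive the forest-wide reboot either.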

The biggest disadvantage of a domain rename is the huge impact on the environment and the impossibility of doing it in a phased manner.

The other option, instead of a domain rename, which does not impact the environment that heavily, allows a phased approach and carries much lower risk, is a domain migration.

Remember though that having multiple AD domains in an AD forest is far from a best practice. You might also want to think about consolidating the AD domains within that AD forest as much as possible. Many organizations do not do this (consolidation) because the benefits do not outweigh the costs involved.

The following was taken from MS-KBQ300864:

Examples of applications that are incompatible with domain rename include, but are not limited to, the following products:

  • Microsoft Exchange 2000 Server
  • Microsoft Exchange Server 2007
  • Microsoft Internet Security and Acceleration (ISA) Server 2004
  • Microsoft Live Communications Server 2005
  • Microsoft Operations Manager 2005
  • Microsoft SharePoint Portal Server 2003
  • Microsoft Systems Management Server (SMS) 2003
  • Microsoft Office Communications Server 2007

With regards to domain rename, I found the following questions, to which I or others responded:

#################

[Q]

OK, I have raised the domain functional level to Windows Server 2003 and also set the forest functional level to Windows Server 2003. Now how do I rename my domain name? Next steps, please advise.

[A1]

I hope you are kidding! You want to do a domain rename and are asking for the steps here? That means you did not do any homework, correct? IMHO that’s the most NOT RECOMMENDED action to take. Microsoft provides documents about the domain rename. You should read them, understand them, TEST it and decide if you really want to do it. Domain rename has a HUGE impact on the environment and is NOT something to take lightly.

My suggestion as next step. start reading domain rename docs:

http://technet.microsoft.com/en-us/windowsserver/bb405948.aspx

http://technet.microsoft.com/en-us/library/cc738208.aspx

#################

[Q]

Does anyone know the Domain Rename Supported combinations of Windows and Exchange

For example:

W2K3 AD with E2K3SP1 = supported

W2K8 AD with E2K3SP1 = supported

W2K3 AD with E2K7 RTM/SP1 = NOT supported

W2K8 AD with E2K7 RTM/SP1 = NOT supported

How about:

W2K3 AD with E2K3SP2 = ???

W2K8 AD with E2K3SP2 = ???

[A1]

With regards to W2K8 please read http://technet.microsoft.com/en-us/library/cc816848.aspx. it says:

"The Windows Server 2008 domain rename operation is not supported in an Active Directory forest that contains Exchange Server 2003, Exchange Server 2003 SP2, Exchange Server 2007, or Exchange Server 2007 SP1." So I guess the 2nd scenario is not supported. The http://msexchangeteam.com/archive/2004/08/30/222719.aspx link has info on W2K3. It says "All Exchange servers in the org must be Exchange 2003 SP1 +". So I guess the first scenario is OK. Might be worth posting a comment on the Exchange product group’s blog in case they have more recent info.

[A2]

I know about that article and what is stated there. That was the reason WHY I asked my question. I was wondering if Exchange 2003 WITH SP2 supports Domain Rename in both w2k3 and w2k8 AD. It looks like:

Domain Rename W2K3 AD with E2K3SP2 = OK

Domain Rename W2K8 AD with E2K3SP2 = NOT OK

[A3]

Windows Server 2008 Answer? –> http://technet.microsoft.com/en-us/library/cc794909.aspx

The Windows Server 2008 domain rename operation is not supported in an Active Directory forest that contains Exchange Server 2003, Exchange Server 2003 Service Pack 2 (SP2), Exchange Server 2007, or Exchange Server 2007 Service Pack 1 (SP1).

[A4]

Same info, different article. Two sources mention this… does anyone know *WHY*:

W2K3 AD + E2K3 SP2 = OK

W2K8 AD + E2K3 SP2 = NOT OK

[A5]

I found this snippet.

As part of PrepareAD, the Exchange Server 2007 setup tool stamps the Active Directory with a number of server names in GUID and fully-qualified domain name (FQDN) formats. This is to enable Exchange Server 2007 to fulfill a much-requested feature: don’t require WINS. Unfortunately, from a Domain Rename perspective, this means that once PrepareAD has occurred, it’s too late to go back. At that time, the ONLY option for a domain rename is to remove ALL Exchange servers. That includes any Exchange 2000 Servers or Exchange Server 2003 servers which may be in the environment. The goal is to be able to remove the Organization container in Active Directory (which removing the last Exchange server in a forest will do). Having an updated schema is not an issue. Once the Organization container is gone, a domain can be renamed and Exchange re-installed. But that’s a very very dangerous option. Doing a full active directory migration to a new forest may be safer. Consider yourself informed! Until next time…

As always, if there are items you would like me to talk about, please drop me a line and let me know!

http://theessentialexchange.com/blogs/michael/archive/2008/04/04/exchange-2007-and-domain-rename.aspx

[A6]

Got word. They never tested it (W2K8 AD + E2K3 SP2). The reason for that: people almost always choose migration over rename. Third-party apps most of the time do not support rename.

#################

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Exchange Server, OCS/Lync Server, Sharepoint Server, SQL Server, Windows Client, Windows Server

(2009-06-06) ILM 2007 FP1 And SQL Server 2008

Posted by Jorge on 2009-06-06


At the moment ILM 2007 FP1 officially supports:

  • SQL Server 2000 SP3a (and higher) Standard or Enterprise (x86/x64)
  • SQL Server 2005 SP1 (and higher) Standard or Enterprise (x86/x64)

I have not seen an official statement on a Microsoft page yet, but I have read here that SQL Server 2008 is supported by the ILM Sync Engine and ILM Certificate Management, and also as a connected data source. From another MSFT employee I heard that SQL Server 2008 will most likely work with ILM 2007 FP1 RTM, but the tests were validated with builds 3.3.11xx.x.

UPDATE:

If you install SQL 2008 and then try to install ILM 2007 FP1 you may get the following error: "Install the correct SQL version or SP"

Believe it or not, but the resolution to this is:

  • Install SQL 2005 + latest SPs
  • Install ILM 2007 FP1
  • Upgrade SQL 2005 to SQL 2008

Source: http://social.technet.microsoft.com/Forums/en-US/identitylifecyclemanager/thread/d2892a5d-c4b9-43cc-b375-6ae0dd81cf68

 

Cheers,
Jorge

Posted in Identity Lifecycle Manager (ILM), SQL Server

(2009-06-06) High Availability For ILM 2007 Sync Engine With Clustering

Posted by Jorge on 2009-06-06


When using the ILM 2007 Sync Engine and you would like to have high availability, you need to think about all the components of the solution. In the case of the ILM 2007 Sync Engine those are:

  • Windows Server
  • ILM 2007 Sync Engine
  • SQL Server
  • ILM Datastore

Windows Server and SQL Server can be made highly available through Microsoft Cluster Service (MSCS).

The ILM datastore can be made highly available by putting it on a SAN/NAS/shared storage/whatever, as long as you use a redundant set of disks, in other words some RAID configuration such as RAID 1 (mirroring), RAID 5 (striping with parity) or RAID 10 (mirroring and striping).

OK, but how about the ILM 2007 Sync Engine itself? For the ILM 2007 Sync Engine you have the following possibilities:

  • Operational Instance: the ILM instance which is actually running, importing, exporting and synchronizing data between the connected data sources (ILM server license needed)
  • HOT Standby Instance: the ILM instance which is NOT running (service = stopped and disabled), but for which its Windows Server is up and running (additional ILM server license needed). For a guide on how to implement this, go here.
  • COLD Standby Instance: the ILM instance which is NOT running (service = stopped and disabled), and for which its Windows Server is ALSO NOT up and running (NO additional ILM server license needed)

So, when the Operational Instance dies for whatever reason, you need to use the available standby instance (for the COLD standby instance you first need to start the server, of course) and activate it with the MIISACTIVATE tool, using the encryption keys created by the first ILM instance that was installed for the solution. If you are using password synchronization (PCNS), you also need to reconfigure the PCNS target object in AD to point to the new ILM instance. As you can see, this is a manual process. Can you automate it? That depends on whether you are using something that can automatically switch over to the standby instance.

Is ILM 2007 Sync Engine cluster-aware? Nope, it is not!

Can you install the Operational Instance of ILM 2007 Sync Engine on a Cluster (e.g. the active node) and is it supported by MSFT? Yes, it can be installed on the active cluster node and that is also supported by MSFT.

Can you install the Standby Instance of ILM 2007 Sync Engine on a Cluster (e.g. the passive node) and is it supported by MSFT? Yes, it can be installed on the passive cluster node and that is also supported by MSFT.

Even on a cluster you need to manually switch to the standby instance on the passive node by activating it if the operational instance on the active node fails or becomes unavailable.

Can this be automated, so that when the active cluster node dies, ILM automatically fails over to the passive node, and would that be supported by MSFT? Yes, it is possible to automatically fail over ILM by using the script which can be found here. But is this supported? Unfortunately, it is NOT supported by MSFT! Also take this post into account.
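The manual switch-over described above, as an added example that is not from the original post: a PowerShell runbook an operator runs on the standby server itself (it stays a manual procedure, which is what MSFT supports). It assumes the sync service is named 'miiserver', the ILM installation path, the location of the key file exported from the first instance, the service account, and the miisactivate.exe argument order (key file, service account, password or *) as documented for MIIS 2003/ILM 2007; verify all of these against your own build before relying on it.

```powershell
# Added example, not code from the original post: manual switch-over to a standby
# ILM 2007 Sync Engine instance. Run this ON the standby server itself, because
# miisactivate.exe prompts for the service account password ('*'). Assumptions:
# the sync service is named 'miiserver', ILM lives under $IlmBin, the key file
# exported from the first instance is at $KeyFile, and miisactivate.exe takes
# <keyfile> <service account> <password|*> as documented for MIIS 2003/ILM 2007.
param(
    [Parameter(Mandatory = $true)][string]$FailedServer,        # dead operational instance (assumed name)
    [string]$ServiceName    = 'miiserver',
    [string]$IlmBin         = 'C:\Program Files\Microsoft Identity Integration Server\Bin',
    [string]$KeyFile        = 'C:\ILM\keys\ilm-keys.bin',
    [string]$ServiceAccount = 'CONTOSO\svc-ilm'
)

# 1. Make sure the operational instance is really dead. Two activated instances against
#    the same ILM database is a corruption scenario, not a high-availability one.
$opState = 'unreachable'
try {
    $opState = (Get-Service -ComputerName $FailedServer -Name $ServiceName -ErrorAction Stop).Status
} catch { }
if ("$opState" -eq 'Running') {
    throw "$ServiceName on $FailedServer is still running; refusing to activate $env:COMPUTERNAME."
}
Write-Host "$ServiceName on $FailedServer is $opState; activating $env:COMPUTERNAME."

# 2. The standby's own service must be stopped before activation (it is stopped and
#    disabled by design on a hot/cold standby; this is just a guard).
if (-not (Test-Path $KeyFile)) { throw "Key file $KeyFile not found; without it the standby cannot decrypt the MA credentials." }
Stop-Service -Name $ServiceName -ErrorAction SilentlyContinue

# 3. Activate with the key set of the first instance; '*' makes miisactivate prompt for
#    the password instead of taking it on the command line (and into the shell history).
& (Join-Path $IlmBin 'miisactivate.exe') $KeyFile $ServiceAccount '*'
if ($LASTEXITCODE -ne 0) { throw "miisactivate.exe failed with exit code $LASTEXITCODE" }

# 4. Re-enable and start the service, then verify it is actually up.
Set-Service -Name $ServiceName -StartupType Automatic
Start-Service -Name $ServiceName
$status = (Get-Service -Name $ServiceName).Status
if ("$status" -ne 'Running') { throw "$ServiceName did not start on $env:COMPUTERNAME (state: $status)" }
Write-Host "$ServiceName is running on $env:COMPUTERNAME."

# 5. Still manual: if PCNS is in use, repoint the PCNS target at this server with
#    pcnscfg.exe on a DC (switches vary per version; follow the PCNS documentation),
#    otherwise password changes keep going to the dead instance.
Write-Host "Reminder: update the PCNS target to $env:COMPUTERNAME if password synchronization is used."
```

The first check is the important one: the script refuses to run while the old instance still reports Running, because the only thing worse than a dead sync engine is two live ones writing to the same database. For a cold standby, power the server on and wait for it to join AD before starting this.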

Cheers,
Jorge

Posted in Identity Lifecycle Manager (ILM), SQL Server

(2009-06-05) Exporting Multi-valued Attribute To SQL Table

Posted by Jorge on 2009-06-05


Based upon my post about "Multiple Authoritative Sources For Group Memberships And How About Precedence In ILM", a technology partner and I were setting up a test/demo environment. The idea was as follows.

The MGMT app is authoritative for groups and group memberships, which then flow into AD. Group Membership is established on business logic like for example:

  • Everyone with "JobTitle=Admin" and "Department=ICT" becomes a member of the group "R1Grp_EMPLOYEES_JOB_ICT_ADMIN"
  • Everyone with "employeeType=EMPLOYEES" becomes a member of the group "R1Grp_EMPLOYEES"
  • Etc.

However, in AD it must be possible to adjust/establish group memberships that do not follow the business logic. For example, a contractor is added to the group "R1Grp_EMPLOYEES". That new group membership flows (import) from AD to the MV through the "ADDS-Group-IMP" MA. From the MV it flows (export) to the SQL Database (multi-valued table) through the "MGMT-Group-EXP" MA.

When a group membership is established in the MGMT APP, the following flags should be set on that group membership in the SQL multi-valued table: MGMT=YES & IDM=NO.

When a group membership is established in AD, the following flags should be set on that group membership in the SQL multi-valued table: MGMT=NO & IDM=YES.

This way the MGMT APP can check for possible business conflicts by looking at the flags, and report on them!

So we tested this by adding a contractor to the group "R1Grp_EMPLOYEES". Initially the group "R1Grp_EMPLOYEES" contained 32 employees, and after the change one extra contractor was added to it.

What was the expected end result?

  • 32 employee group memberships with the flags MGMT=YES & IDM=NO
  • 1 contractor group membership with the flags MGMT=NO & IDM=YES

So I imported the group membership from AD into ILM and exported it to the SQL database.

What was the REAL end result?

  • 32 employee group memberships with the flags MGMT=NO & IDM=YES
  • 1 contractor group membership with the flags MGMT=NO & IDM=YES

What the heck?!?! Why were the flags of ALL group memberships of the group "R1Grp_EMPLOYEES" changed, as if they had all been exported? I expected only one INSERT into the table, not 33 INSERTs.

The way to find out is to use SQL Server Profiler and check what’s happening under the hood! So let’s do this.

Before exporting from ILM I checked the ILM statistics. See picture below.

[Image: ILM statistics before the export]

After exporting I checked the SQL Server Profiler trace and saw the following...

[Image: SQL Server Profiler trace of the export]

Let’s take a look at this trace

  • Yellow marked text: Delete all existing group memberships for the group "R1Grp_EMPLOYEES"
  • Green marked text: Add the new group membership for the new member (the one established in AD)
  • Blue marked text: Add the new group membership for the previously existing members (the ones established in MGMT APP)

I wonder WHY ILM works this way…Anyone from the Product Group care to explain? Please do so!
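The trace explains the result: the SQL MA treats the multi-valued table per object, deleting every row of the group and reinserting them all, so any per-row property the MGMT APP had stamped on those rows is gone after the next export. The practical answer is not to keep the flags in the table the MA rewrites. The following is an added example, not the setup from the original post: the membership rows stay in the MA's multi-valued table, the MGMT/IDM origin flags move to a separate table the MA never touches, an AFTER INSERT trigger stamps rows the MGMT APP did not claim first as MGMT=NO & IDM=YES and leaves already-claimed rows alone, and a view gives the MGMT APP the combined picture. Server, database and all object names are assumptions, and the sample rows are constructed; the script runs the T-SQL through System.Data.SqlClient with Windows authentication.

```powershell
# Added example, not the setup from the original post. Server, database and all object
# names are assumptions; the sample rows are constructed. Windows authentication is used.
$ServerInstance = 'SQL01\ILM'
$Database       = 'MGMTDB'

# Each element is one T-SQL batch (CREATE TRIGGER/VIEW/PROCEDURE must start a batch).
$batches = @(
@'
-- Multi-valued table the ILM SQL MA exports into. Nothing in here survives an export:
-- the MA deletes every row of the group and reinserts them all.
CREATE TABLE dbo.GroupMembership (
    GroupName nvarchar(128) NOT NULL,
    MemberId  nvarchar(128) NOT NULL,
    CONSTRAINT PK_GroupMembership PRIMARY KEY (GroupName, MemberId)
);
-- Origin flags live here instead; the MA never references this table.
CREATE TABLE dbo.MembershipOrigin (
    GroupName nvarchar(128) NOT NULL,
    MemberId  nvarchar(128) NOT NULL,
    MGMT bit NOT NULL,
    IDM  bit NOT NULL,
    CONSTRAINT PK_MembershipOrigin PRIMARY KEY (GroupName, MemberId)
);
'@,
@'
-- A row the MA inserts that the MGMT app has not claimed first was established in AD: MGMT=NO, IDM=YES.
-- Rows that already have an origin are left alone, so the MA's delete/reinsert cannot reset them.
CREATE TRIGGER dbo.trg_GroupMembership_Origin ON dbo.GroupMembership AFTER INSERT AS
BEGIN
    SET NOCOUNT ON;
    INSERT INTO dbo.MembershipOrigin (GroupName, MemberId, MGMT, IDM)
    SELECT i.GroupName, i.MemberId, 0, 1
    FROM inserted AS i
    WHERE NOT EXISTS (SELECT 1 FROM dbo.MembershipOrigin AS o
                      WHERE o.GroupName = i.GroupName AND o.MemberId = i.MemberId);
END;
'@,
@'
-- What the MGMT app reports on: current members joined with their origin flags.
CREATE VIEW dbo.GroupMembershipWithOrigin AS
SELECT m.GroupName, m.MemberId, o.MGMT, o.IDM
FROM dbo.GroupMembership AS m
JOIN dbo.MembershipOrigin AS o ON o.GroupName = m.GroupName AND o.MemberId = m.MemberId;
'@,
@'
-- Run after an export run profile has finished, never from a DELETE trigger: during the export
-- the empty table is transient, afterwards a missing row is a real removal.
CREATE PROCEDURE dbo.usp_PurgeStaleOrigin AS
DELETE o FROM dbo.MembershipOrigin AS o
WHERE NOT EXISTS (SELECT 1 FROM dbo.GroupMembership AS m
                  WHERE m.GroupName = o.GroupName AND m.MemberId = o.MemberId);
'@,
@'
-- Constructed sample: two employees created by the MGMT app (it claims them as MGMT=YES first),
-- then the pattern from the Profiler trace: delete the whole group, reinsert everyone plus a contractor.
INSERT INTO dbo.MembershipOrigin (GroupName, MemberId, MGMT, IDM) VALUES ('R1Grp_EMPLOYEES', 'emp001', 1, 0);
INSERT INTO dbo.MembershipOrigin (GroupName, MemberId, MGMT, IDM) VALUES ('R1Grp_EMPLOYEES', 'emp002', 1, 0);
INSERT INTO dbo.GroupMembership (GroupName, MemberId) VALUES ('R1Grp_EMPLOYEES', 'emp001');
INSERT INTO dbo.GroupMembership (GroupName, MemberId) VALUES ('R1Grp_EMPLOYEES', 'emp002');
DELETE FROM dbo.GroupMembership WHERE GroupName = 'R1Grp_EMPLOYEES';
INSERT INTO dbo.GroupMembership (GroupName, MemberId) VALUES ('R1Grp_EMPLOYEES', 'emp001');
INSERT INTO dbo.GroupMembership (GroupName, MemberId) VALUES ('R1Grp_EMPLOYEES', 'emp002');
INSERT INTO dbo.GroupMembership (GroupName, MemberId) VALUES ('R1Grp_EMPLOYEES', 'con001');
'@
)

$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$ServerInstance;Database=$Database;Integrated Security=SSPI"
$conn.Open()
try {
    foreach ($sql in $batches) {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $sql
        [void]$cmd.ExecuteNonQuery()
    }
    # Show the effective flags after the simulated export.
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT GroupName, MemberId, MGMT, IDM FROM dbo.GroupMembershipWithOrigin ORDER BY MemberId'
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) {
        '{0,-18} {1,-8} MGMT={2} IDM={3}' -f $reader['GroupName'], $reader['MemberId'], [int]$reader['MGMT'], [int]$reader['IDM']
    }
    $reader.Close()
} finally {
    $conn.Close()
}
```

The trigger only ever adds an origin row, never updates one, so the flags the MGMT APP stamped on the 32 employees survive the MA's delete-and-reinsert, while the contractor that appeared from AD is the only row stamped MGMT=NO & IDM=YES. The purge procedure belongs in the step after the export run profile, not in a DELETE trigger, precisely because the MA's DELETE of the whole group is not a real removal.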

Cheers,
Jorge

Posted in Identity Lifecycle Manager (ILM), SQL Server

 