BPuhl’s Blog

A little bit of everything without actually being much of anything

Archive for September, 2008

Infrastructure Masters for App Partitions

Posted by BPuhl on September 25, 2008

One of our operations guys sent mail tonight with an error received trying to demote a server prior to rebuilding it with the next Win7 (Server 2008 R2?) milestone build.  The error was:


If you can’t read that, it says that the DCPROMO failed because it barfed trying to move a FSMO role holder for the DC=ForestDnsZones partition.  His initial troubleshooting didn’t show a whole lot:

C:\Users\v-ntx>netdom query fsmo /domain xcorp.microsoft.com
Schema master               xcorp-dc-10.xcorp.microsoft.com
Domain naming master        xcorp-dc-10.xcorp.microsoft.com
PDC                         XCORP-DC-01.xcorp.microsoft.com
RID pool manager            xcorp-dc-10.xcorp.microsoft.com
Infrastructure master       xcorp-dc-10.xcorp.microsoft.com

The command completed successfully.

The only thing I can think is that xcorp-dc-03 is Win-7 M3escrow and the other servers are WS08 RTMF.

C:\LocalBin>dcchk xcorp
Server            Build  Site        Opt.    Ping     Sysvol   DCQuery   InSync GCQuery
---------------   -----  ---------   ----   -------   ------   -------   ------ -------
XCORP-DC-01       6001   Liberty      GC    Success    True    Success   True Success
XCORP-DC-03       6781   Liberty      GC    Success    True    Success   True Success
XCORP-DC-10       6001   Liberty      GC    Success    True    Success   True Success

The problem of course didn’t have anything to do with any of the other servers, but rather that since this is our pre-deployment lab environment, we crash and burn a lot of servers and normally don’t really worry about demoting them properly.

A quick reminder that application partitions have their own Infrastructure Master roles, and it was pretty easy to see that this is where our problem was:

Dn: CN=Infrastructure,DC=ForestDnsZones,DC=xcorp,DC=microsoft,DC=com
cn: Infrastructure;
distinguishedName: CN=Infrastructure,DC=ForestDnsZones,DC=xcorp,DC=microsoft,DC=com;
dSCorePropagationData: 0x0 = (  );
fSMORoleOwner: CN=NTDS Settings\0ADEL:41729533-c386-47a3-95bf-61e15b86af6f,CN=XCORP-DC-02\0ADEL:7b5b8121-bc44-416b-840b-2900689ab877,CN=Servers,CN=Liberty,CN=Sites,CN=Configuration,DC=xcorp,DC=microsoft,DC=com;

This got even easier for me, because rather than needing to type out a long e-mail explaining this whole phenomenon, I remembered that my buddy Ulf had already posted an extensive explanation over on his blog!  So for your further reading enjoyment, head to http://msmvps.com/blogs/ulfbsimonweidner/archive/2008/07/31/how-many-infrastructure-masters-do-you-have.aspx for the full explanation.

If you just want to get it fixed, then your options are:

Use your favorite editing utility (I’m partial to LDP.EXE), and update the CN=Infrastructure object’s fSMORoleOwner attribute with the DN for the NTDS Settings object of the server you want to move the role to.

…or…if you prefer…

Go to http://support.microsoft.com/kb/949257 and copy/paste the fixFSMO.vbs VBScript to your local server, and run it.  It’ll do the same thing automagically for you.
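For anyone who wants the audit and the fix in one place, here is an added PowerShell example that is not the fixFSMO.vbs script from the KB article and not code from this blog. It assumes the ActiveDirectory module (RSAT) is available, that the caller has rights to write fSMORoleOwner, that the default DC it queries through hosts the application partitions (add -Server otherwise), and that the -NewOwner hostname you pass is a live DC that hosts those partitions. It enumerates every application partition in the forest (which netdom query fsmo never shows), flags any CN=Infrastructure object whose fSMORoleOwner points at a deleted NTDS Settings object (the \0ADEL: mangled name LDP showed above), and only with -Fix re-points the role the same way the LDP edit does:

```powershell
<#
  Added example: not the fixFSMO.vbs script from KB 949257 and not this blog's code.
  Assumes the ActiveDirectory module (RSAT), rights to write fSMORoleOwner, a default
  DC that hosts the application partitions, and a -NewOwner DC that hosts them too.
#>
param(
    # Host name of the DC that should take over any orphaned Infrastructure Master role
    [string]$NewOwner,
    # Without -Fix the script only reports; with -Fix it re-points orphaned roles
    [switch]$Fix
)

Import-Module ActiveDirectory -ErrorAction Stop

# netdom query fsmo lists only the five forest/domain roles. Every application
# partition (ForestDnsZones, DomainDnsZones, custom ones) has its own
# CN=Infrastructure object with its own fSMORoleOwner.
$forest = Get-ADForest
$results = foreach ($partition in $forest.ApplicationPartitions) {
    $infraDn = "CN=Infrastructure,$partition"
    $infra   = Get-ADObject -Identity $infraDn -Properties fSMORoleOwner -ErrorAction Stop
    $owner   = [string]$infra.fSMORoleOwner

    # AD renames a deleted object to "<name>\0ADEL:<objectGUID>". An owner DN carrying
    # that marker points at the NTDS Settings object of a DC that no longer exists,
    # which is what makes DCPROMO fail when it tries to move the role on demotion.
    $orphaned = $owner -like "*ADEL:*"

    [pscustomobject]@{
        Partition = $partition
        Owner     = $owner
        Orphaned  = $orphaned
    }
}

$results | Format-Table -AutoSize

if ($Fix) {
    if (-not $NewOwner) { throw 'Specify -NewOwner <dc hostname> together with -Fix.' }

    # The value fSMORoleOwner needs is the DN of the live DC's NTDS Settings object.
    $ntdsDn = (Get-ADDomainController -Identity $NewOwner).NTDSSettingsObjectDN

    foreach ($r in $results | Where-Object Orphaned) {
        # Same change as editing fSMORoleOwner in LDP. The write goes to the DC that
        # should own the role, so that DC is the one that accepts the new value.
        Set-ADObject -Identity "CN=Infrastructure,$($r.Partition)" `
                     -Replace @{ fSMORoleOwner = $ntdsDn } `
                     -Server $NewOwner
        Write-Host "Re-pointed Infrastructure Master for $($r.Partition) to $NewOwner"
    }
}
```

Run it with no switches first, from any domain-joined box with RSAT, and you get one line per application partition with the Orphaned column telling you whether the owner DN is a tombstone; only then add -Fix -NewOwner <dc> to apply the change. Because a demotion that crashed instead of running DCPROMO /forceremoval leaves exactly this kind of stale owner behind, the report-only mode is worth running in a lab like this one before every rebuild cycle.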


Posted in Active Directory, Identity and Access, Random Tecnical Stuff | 2 Comments »

Zune Warranty Coolness

Posted by BPuhl on September 25, 2008

Second Zune post in as many days – Wasn’t intentional, but the FedEx guy just stopped by and I thought this was too cool not to blog about!


For Christmas 2007, I got Sammi an 8GB, hot pink Zune from http://zuneoriginals.net with the “Love 2” (butterflies and hearts) engraved on the back and “Sammi Puhl, Christmas 2007, Love Mom and Dad” on the back.  Not bad, right? 

Bad news:  This past spring, it was stolen by some kids at school. 
Good news: She knew who did it, and it didn’t take long for me to arrange with the other parent to get it back. 
Bad news:  In the meantime, “someone” had taken a screwdriver/knife/something and scratched the text off the back

So for the past many months, there has been a small piece of tape on the back of her Zune, covering the scratches, and she used/abused the thing like crazy.  Loves it.

Bad news:  It started to break.  I tried all of the firmware/software resets, including e-mailing back and forth with Zune support, but it looks like a hardware issue.
Good news:  Under Warranty still!  – Went to http://service.zune.net, filled out the form online, and printed out the confirmation sheet

This is where it got interesting, because the support site didn’t include any address to send the Zune to.  Instead, a few days later, a pre-paid FedEx package designed and built to protect the Zune in transit showed up.  Off on its way it went…

Fast forward about 2 1/2 weeks…

Last night, Sammi asked me whether I had heard anything about her Zune.  “Nope, I can go online and check tomorrow though.”  Then I went to set her expectations appropriately, and explained what “refurbished” means – since that’s what I was expecting to show up.

This morning:  FedEx shows up with a box from Zune Originals.  In the box was a brand new Zune, with the original design, AND THE ORIGINAL TEXT!  Woo hoo!!!!

This may have been what some of you would have assumed, but having worked in customer service for way too many years, I tend to set my expectations pretty low, and am usually just pleased when everything works.

This is awesome!  I’m ecstatic with the flawless way that this worked out and that they sent us back a brand new one with all the text! I don’t think this could have been any better or gone any smoother.

(Same note as last time: 
To the iPod folks:  Comments are appreciated, especially the ones describing your awesome experiences.  As a general rule I don’t delete/edit comments, but any comments of, “You should have bought an iPod”, aren’t going to make it because that’s just lame)

Posted in Babbling and Blabbering, Friends and family, Randomness, Sammi | 2 Comments »

Since we all have so much spare time

Posted by BPuhl on September 24, 2008

Not as good as fantastic contraption, but still fun!  http://www.addictinggames.com/lightbot.html

Posted in Randomness | 2 Comments »

Zune Subscriptions…

Posted by BPuhl on September 23, 2008

I’ve got 3 Zunes in my house, that are used by 3 different people.  Here are my options for a Zune Pass subscription:

– Pay $16 per month each so that each Zune user can have their own subscription, friends, and “social experience”
– Pay $16 per month total for the unlimited music downloads, but use a separate/shared LiveID that each person needs to log in to. 

Let’s just get this clear right off the bat – I don’t want to share my 16 year old daughter’s “social experience” – In fact, I don’t even want HER to participate in it, but that’s a different tangent…

The thing is, that even though the Zune Pass subscription service is restricted to “3 Zunes and 3 computers”, the reality is that the Zune subscription is also restricted to a single LiveID.  From a user experience/scenario perspective, this is the wrong identity to be tying it to.  Of course, if you’re in marketing and trying to maximize profits, then this makes perfect sense.

So why bother with all of this?  Because in previous posts, I’ve talked about different federation scenarios, and where the authorization policy gets applied.  In this case, what we really want (we, being me, the guy paying the bill) is for the subscription (authz policy) to be tied to the Zunes (policy enforcement point) themselves.  And if you’ve got a Zune, then you know that it actually has its own identity (just try plugging it into a new computer), and the relationship of the validity between the Zune and the music which is DRM’d on it (i.e. the data) is really the one that you want to enforce. 

Of course, that’s what I’d like.  I’m sure the marketing people are/were expecting that a single user would have multiple Zunes, and that is the target market that they were shooting for.  But it also demonstrates a fundamental concept that’s always been lacking in LiveID – the ability to group multiple LiveIDs together for shared access to common resources.

Instead, I’m forced to flip between different LiveIDs for different purposes, because I’ll be damned if I’m going to pay $50 a month so that each Zune can have its own separate subscription.


(edited 9/24/2008 8:30am to add:
And for all of the iPod bigots out there who are going to leave me a bunch of comments about how getting an iPod will solve the world’s problems (overnight there have already been a few), kindly explain HOW that would help here since I tried iTunes about 6 months ago and it did the same thing – I’m deleting all ‘get an iPod’ comments, which is something that as a general rule I don’t do)

Posted in ADFS, Identity and Access, Random Tecnical Stuff, Rants | Leave a Comment »

Homeowners Insurance

Posted by BPuhl on September 21, 2008

I’ve been dealing with some plumbing problems recently.  Specifically, a drain line from the kitchen which runs under the concrete slab to connect to the other drain lines on their way out to the sewer – failed.  Since I have a split level house, the plumbers came out, and tore up the ceiling downstairs to run a new drain line from the kitchen into the garage.  I started ripping out moldy walls, replacing studs, etc…  Altogether, about a $4500 adventure.  (which is relatively cheap for this kind of an issue – fortunately we didn’t have to dig up the slab)

So where was my home owners insurance through all of this? 

Remembering back to when I bought my house, there was something like a 4 inch stack of paperwork that required about 150 signatures.  Ok, ok, ok – I’ll admit it here – No, I did not actually read and fully understand every single word of every one of those documents that I signed.  (really, did you?) 

Well, one of those pieces of paper was my home owners insurance policy, and I really should have read it more thoroughly.  Growing up, I’ve always seen various types of insurance have $250, $500, or $1000 deductibles – something like that.  Ah, turns out that State Farm gave me a policy with a “One Percent” deductible – which puts it at…oh…about $4500 or so.  DOH!!!  (And I’m not blaming them, because I would actually bet that they TOLD me about it as well.  This is all my fault, State Farm has actually been pretty good)

What’s worse, is that when I called to ask about filing the claim, the nice lady offered that just by saying the word, I could change my deductible to $1000 and it would take effect immediately (unfortunately not retroactively), and it would cost an additional $140 per year.  Now – quick math says that there are about 25 “hundred-forty-dollars” inside the $3500 difference between my 1% deductible and $1000 (not to mention, hopefully, the value of the house goes up over time).  Was I stupid!?!  Of course, change that stuff immediately! 

(and those of you diving for the comment button – that was a rhetorical question)

So I’m doing most of the repair work myself now (Home Depot shareholders can thank me later).  Lesson learned, the hard way for me, but sharing this with you on the off chance that just possibly, you might not have read all that paperwork either.

Posted in Babbling and Blabbering, Randomness, Rants | 2 Comments »

Has the LHC destroyed the earth yet? (continued)

Posted by BPuhl on September 13, 2008

By now most folks have seen http://www.hasthelhcdestroyedtheearth.com – if you haven’t, then you may want to check (you know, just in case!) and if you don’t know what the LHC is, then don’t worry about it – the black hole has already formed…

Turns out that with all the popularity, they are now dropping extra comments into the source code, have an RSS feed now (hopefully there are no changes to the status soon!) etc…   Even more fun with the site though here:

http://www.hasthelhcdestroyedtheearth.com/robots.txt (normally used for managing search engines)


Posted in Randomness | 3 Comments »

A kinder, gentler federation agreement

Posted by BPuhl on September 6, 2008

I blogged a post back on July 20, about a federation agreement which I had been asked to sign as part of allowing MS employees access to one of our business partner extranets.  That post, here, talked about how the federation agreement was really around risk management, etc… and that this agreement from our partner was based on our own agreement here at MS (which we’re in the process of getting changed).

Recently, I was (figuratively) smacked upside the head, by a different federation partner – one who has been doing various forms of SSO for a while – with their approach to this whole federation agreement nonsense.  And let me tell ya, I kind of like it.

I would describe the approach that some of us (MS included) were taking previously, like this:  

From high upon the mount, the federation commandments were handed down:

Thou Shall have passwords. 
Thou shall have provisioning. 
Thou shalt… blah blah blah…

Seriously? not very friendly…but as I described in my other post – this is pretty much what it’s like.

Along comes this other partner, who we’ve been working with for quite a while, but instead of reaching down from their ivory tower with a list of commandments that we must meet, it was more like:

(buddy walks over, putting his arm around your shoulder)
“So hey, we’re in this together, but we still share some responsibility.  So can you tell me just a little bit about your stuff so I can decide if I want to do this?”

In addition to some generic boilerplate legalese that accompanies any type of agreement (THIS CONTRACT DOES NOT CONSTITUTE A WARRANTY, EITHER IMPLIED OR EXPLICIT, BLAH BLAH BARF), we received 4 docs from this partner.  They were:

  1. FederationOverview.pdf – Yup, just like it says – a primer of general federation technologies.  Answers to questions your partner might ask if this were all new to them.
  2. Federation Integration Guide.pdf – Details required specifically to set up the federation with them.  Short, brief, but everything you needed to know if you already knew/had federation capabilities.  This is very similar to the “onboarding package” we provide to our partners for onboarding with us.
  3. Federation Integration Questionnaire.doc – Form for providing company information, business and technical contacts, etc…  This also contains the fields for including your signing certificate, URL/URI info, etc…
  4. Federated Identity Risk Value Assessment.doc

This last one was the most interesting, because it mapped directly to the “Security Requirements” in the previous templates.  Only, instead of being a list of requirements, it was a survey which looks like this – only with much better formatting that didn’t translate to the blogosphere – (names changed to protect the guilty):

In the following section, please select Yes or No next to each question. For some questions, additional details are requested.
Yes     No

1. Does your company have written and formal security policies in place?

2. Does your organization have a Chief Security Officer or an equivalent position? If so, please provide their name and contact information.

3. Does your organization perform annual or periodic reviews of your security program and practices? This can include any security audits, SAS-type reports, and/or ISO certification?

4. Does your organization utilize an existing identity management system? If so, please describe its architecture, number of users, how extensively it has been deployed within your company, and how long it has been in production.

5. Has your company implemented a Federated Identity solution with other companies? If so, please describe that solution. Does your organization provide single sign-on with any third party product or service?

6. Does your organization have an incident response plan in the event of a suspected or confirmed identity management security breach? If so, how will that plan be integrated with <company> since such an event can impact our Federated Identity Agreement?

7. Please describe your user (employee) provisioning and de-provisioning process.

8. Are contractors or vendors within your organization going to be included in this Federated Identity arrangement? If so, please describe how they are provisioned and de-provisioned in your organization’s identity management system.

9. Does your identity management system handle ‘orphaned’ accounts? If so, what are the policies?

10. Are individuals (both employees and non-employees) provided with a unique, non-changing or static user ID or authentication credential?

11. If you are using unique, non-changing or static User IDs or authentication credentials in your system, are there rules employed to create them (e.g., randomly assigned numbers within a range, made up of the individual’s name or other personally identifiable information, created by the user?) If so, please describe how user IDs are generated.

12. Are there any attributes used for validating the user upon being provisioned with a company-wide authentication credential? Will the authentication credential be utilized in this Federated Identity Agreement?

13. Do you provide systems and resources to maintain and monitor authentication audit logs and transaction logs? If so, how long do you store them and can they be utilized for any forensics?

14. What methods and physical controls are in place to prevent unauthorized physical access to your company’s identity management system? Select all that apply.

[ ]   Network servers in locked rooms
[ ]   Physical access to servers limited by security identification (access cards, biometrics etc)
[ ]   Video monitoring
[ ]   Sign-in logs and procedures
[ ]   Security badges or ID cards visible at all times in secure areas
[ ]   Security guards

15. Which of the following areas are covered by your password management and application security policy?
[ ]   No common password policy is in place
[ ]   Use of static passwords
[ ]   Are any User Accounts (ID’s) shared
[ ]   Password length restrictions (min/max):
[ ]   Password aging, # of days:
[ ]   Password lockout, # of attempts:
[ ]   Password reuse
[ ]   Password content (alphanumeric requirements):

16. Which of the following best describes your method for authenticating and authorizing access to your systems and applications?
[ ]   No common method is in place
[ ]   Authorization/Authentication performed by supporting operating system
[ ]   Single sign-on
[ ]   Two-factor authentication for internal and confidential information

<since this was in a word doc, the formatting was much, much, much better than what translates via Live Writer – and I left out some sections which weren’t relevant, such as contact info, etc…>

Since I’ve mentioned the formatting thing twice now, it’s probably worthwhile to address the, “why not just edit and post the Word docs”?  Because I’m not necessarily trying to poke your copy/paste nerves, but rather, I’m shooting for something a little bit deeper than that.  I’m actually targeting the synapses responsible for thinking, understanding, and applying the general principle – and giving examples, so you can see/understand what other folks are doing.

I’m a big fan of this type of approach, it feels like this is much more in line with what the federation agreement is supposed to be about.  More geared towards evaluating a partner against your risk tolerance, and making an informed decision on your own, rather than trying to beat some square peg into your round hole.


I suppose it’s also worthwhile to point out, that there is a lot of detail asked for here – that you may not necessarily feel comfortable giving to someone else (I actually deleted most of the lines which just said: Details: for easier reading).  This may be true, in fact, I actually had the same thought when I first saw this.  But then it dawned on me, that this service provider happens to be one who is providing financial and tax services for every MS employee.  They already have a whole smack-ton of our confidential information to begin with! 

Even still, when I filled out the form and sent it back, it was with limited information and in some cases, I didn’t fully answer all the questions.  In my experience, these types of documents are used to start the conversations, not necessarily end them.

Posted in ADFS, Digital Identity, Identity and Access, Random Tecnical Stuff | 4 Comments »

A Tour of MS Campus

Posted by BPuhl on September 4, 2008

Wow, I’m sort of mixed on what to think about this…  I watched the entire thing, and my reactions were flipping faster than a rolodex:

  • what’s he doing with his hands?
  • is he really dancing in front of each building?
  • wow, that’s sort of gay
  • I didn’t even know we had a building there
  • Smith towers twice?
  • dancing with a partner is better
  • hands again?  Is that like, ‘hang loose’ or something?
  • a brady bunch thing…

and on and on and on it went…

Now it’s your turn, if you’re interested:  http://blogs.msdn.com/tzink/archive/2008/09/03/a-tour-of-microsoft.aspx

Posted in Randomness | 2 Comments »