BPuhl’s Blog

A little bit of everything without actually being much of anything

Archive for the ‘Win 7’ Category

Getting your Bitlocker keys out of AD

Posted by BPuhl on October 14, 2010

I often talk about my perspective that AD is a great publishing engine, but that it should not be authoritative for anything.  Any mission critical data should be mastered outside of AD, and then sync’d into the directory to be published/consumed.

The problem with this, is when you have services which source their information in AD directly, but that data is still mission critical.  One example of this, would be BitLocker Drive Encryption recovery keys.  The BDE service on clients will write it’s recovery keys directly into AD.

Before MSIT broadly deployed Bitlocker, we worked with an internal team to build a solution for finding new BDE recovery keys, and copying them out of AD into an external store.  We even went a step further, and put some self-service recovery options in front of that store.

I’m happy to see that MSIT was able to publish this solution out to Codeplex, so we can share it with everyone.

If you’ve got Bitlocker deployed in your environment, but are ONLY storing the recovery keys in AD – you may want to take a look.



Posted in Active Directory, Identity and Access, Random Tecnical Stuff, Win 7 | Leave a Comment »

Windows 7 RSAT Tools (RTM) now available for download

Posted by BPuhl on August 11, 2009


Windows 7 RSAT Tools RTM version now available for download:


Posted in Win 7 | Leave a Comment »

Federation Services and Direct Access

Posted by BPuhl on August 6, 2009

Now here’s an interesting combination.  What do you do when you have a service which has both an internal and internet facing components, with different behavior for each, and then you deploy Direct Access?

Quick aside:  For those not aware, Direct Access is a feature which allows domain joined Win7 laptops to behave as though they were on the corporate network and have full access to internal resources, regardless of where they are.

The important detail here, is that one of the control mechanisms is an idea of split DNS.  Internal domains are flagged as such, so that clients route that traffic internally, and everything else is considered “internet”.

So the question is, if you have your ADFS servers deployed in a unique namespace (we use *.sts.microsoft.com), then do you call that an internal namespace or an external one?  I’m not sure of the right answer at this point, but I’ve been bouncing around and just recently (this past week) requested a change.

Another quick note:  Remember, that we’ve got ADFS deployed so that users who are on corpnet get integrated authentication – no prompts – when they hit the ADFS servers.  Users on the internet get forms based auth, and have to enter credentials

So for your DA users, what kind of experience should they have?  Initially, when we first started rolling out DA, it made sense to me that DA enabled clients on the internet should have the “corpnet” experience.  In other words, even though I’m at home, I should still get integrated authentication. 

Just recently though, we ran into some issues where DA enabled users would be in situations (client issues, behind firewalls, etc…) where they were able to traverse the internet but were not able to get the DA connection back to corpnet.  In these cases, users were actually able to hit the internet based, federated resource.  But because the client thought that the ADFS servers were internal (and DA wasn’t working), they were failing to authenticate.  They could see the app, just not get into it.

So we had the DNS policy on DA clients changed, and now our DA clients believe that the ADFS servers are external.  This takes us back to our pre-DA behavior, where clients physically on corpnet (DA or not) will get integrated auth, but clients on the internet (DA or not) will always get FBA.  At least with FBA though, they can get access to the resources.

The change hasn’t been in place long enough, and we don’t have a critical mass of users on our DA pilot yet, so I haven’t heard the rumblings about the change to see whether anyone has noticed. Yet.  I’m sure this won’t be the last time we need to think about ADFS and DA, but all other things considered, right now I think the best thing to do is keep the 2 separate.

Posted in ADFS, Random Tecnical Stuff, Win 7 | 1 Comment »

Enabling RSAT tools in Win7

Posted by BPuhl on August 6, 2009

Does anyone else think it’s odd that you have to go through and click every one of these darn little boxes to enable all of the RSAT tools?  Odd defaults…


Posted in Randomness, Rants, Win 7 | 2 Comments »

Win7 Client Beta

Posted by BPuhl on January 25, 2009

I’ve been running Win7 Beta on my laptop for a couple of weeks now.  In general, I can’t say enough about how much faster the machine is, especially booting up. 

Here’s some helpful hints that I’ve come across, some of them mine, others that have been pointed out for me:

MSN Messenger – If you want it back in the notification tray, which is where I’m used to it being – right click the shortcut and run in Vista compat mode.

RSAT Tools – Get them here, after you run the install you need to go to Programs and Features to turn them on

Show Desktop – It’s that extra box at the far right of the task bar, on the other side of the notification tray

Powershell v2 – It’s there – and it’s awesome.

About the only thing that I’ve decided I miss (and I haven’t gone back to figure out if it’s possible to change yet), is Sidebar.  Sidebar is still there, you just run the gadgets on the desktop.  But I really liked the ability to dock gadgets into an area that represented the edge of “full screen” when other windows were maximized.  I have started to get used to a partially compensating UI quirk though, which is that if you take a window and drag the top of it to the top of your screen, the bottom fills out to the bottom of your screen for you.  So it’s vertically maximized.

Posted in Random Tecnical Stuff, Win 7 | 1 Comment »