(Can you sense flatten-and-reinstall time approaches?)
Or Windows 8. Applies to .Net 3.51, 3.0, and 2.0. Works with or without Internet.
(Can you sense flatten-and-reinstall time approaches?)
Or Windows 8. Applies to .Net 3.51, 3.0, and 2.0. Works with or without Internet.
(Quick public dump so I can find the tool link again easily)
Works for Windows 8, worked for Windows 8.1 Preview, no reason to think it won’t work for Windows 8.1 RTM, or Windows Server 2012 R2 etc.
Good if you’re planning a clean installation; otherwise, simply double-clicking the ISO is probably enough to do the upgrade as of Windows 8, which can mount ISOs and VHDs from a double-click.
Australian Premier Support customers: Join us for an overview of the new stuff in Windows Server 2012 and Windows 8!
This series of events will run for the entire day in each city and showcase 4 sessions of about 90 minutes, on a range of Windows Server 2012 and Windows 8 client topics. All topics will be presented by the best Premier Field Engineers across Australia and New Zealand.
Except they got me for Sydney! I’m covering the new Networking features.
Windows Server 2012 – Networking
Connect from anywhere, more working and less waiting, better network management via cost-aware networking. Sound interesting? This session provides a general overview, including many of the improvements to DirectAccess, BranchCache, and general networking improvements in Windows 8 and Server 2012.
Details and signup:
And if you’re at Tech.Ed 2012 AU, you can catch Darth Chad and I presenting on the enhancements to Windows Server 2012 DirectAccess.
Several reliability fixes included:
To install UR2, you need to be running SP2 (with or without UR1) already.
Just some notes recording what I’ve picked up from a couple of days using the Windows 8 Consumer Preview on my main desktops:
The hit target for the Start button is the very bottom left corner – like, the four pixels in that region. Just slam the mouse there and click – when you get used to it, it’s cool!
The sides of the screen work consistently that way – each is a slam-to-any-corner, then mouse up or down to get to the functionality on that border. This makes it fast without permanently cluttering screen space (I haven’t tried multimon yet).
Task switching – slam to top-left, then
drag mouse straight down. (Or, bottom-left-as-in-Start, and slide up). Has grown on me greatly; I often now have a metro app side by side with the Win32 stuff/desktop. Alt+Tab still works.
Charms are important – each app has its own Settings (Win+I to skip the Charms menu step) now, and you print (for example) through the Devices charm by picking the Printer. Share through the Share charm. And so on.
On Settings – you can get to Settings (as in, that big list of Win8 style settings) by going Charms, Settings, More Settings (at the bottom). It’s arguably easier just to hit your username and Change Picture.
Drag straight down (violently!) from the top to throw away (i.e. terminate, I think) any Metro app. Otherwise, drag it to the region you want it in.
Start-and-type to search and run programs still works like in Windows Vista and 7 – you just hit Start and without waiting for anything, type a bit of the name of the program you want to run, and it searches for it. Ctrl+Shift+Enter probably still elevates that program to Admin. The difference from Windows 7 is that there’s no search box before you start typing. Well, that and there’s a full-screen list of programs.
Tip: The Start screen goes away as soon as you’re running a Win32 app, just like the old Start menu*. If all you run is Win32 apps, it’s big, sure, but it’s fluid.
If you’re still Win+R ing to Run apps, that works too.
I’d summarize this as: the Metro one is optimized for fullscreen touch interfaces (and won’t entirely capture your mouse when in fullscreen – if you mouse to the bottom left, you get the local OS start menu), while the MSTSC version works basically how it always did. Plus extra buttons and stuff. If you were working on a touch-only device, swiping for the local start menu makes a lot of sense (how else are you going to escape!?)
As I’m working on a touch-enabled desktop but mostly keyboard-and-mousing, I tend to prefer the MSTSC behaviour over Remote Desktop Metro.
If you’re using Win8 MSTSC, it’s faster to click the (new) Start button in the MSTSC connection bar (at the top of the windowed desktop) than try to hunt for the lower left pixel if it’s windowed, at least right now, as far as I can tell, YMMV, cheques may not be honoured. Just connect Fullscreen, and slam that mouse around!
As long as you’re capturing the Windows key in your RDP session, other handy non-hunting tips: Win+C = Charms, Win+I = Settings
* except again, it’s full screen. I’m OK with that – it wasn’t like I scrutinized the Start menu every time it appeared.
Note: Tristan has no inside information on Windows 8, he’s experiencing the Consumer Preview along with the rest of the world.
My downstairs PC (on the dining room table) is an HP Touchsmart all-in-one Core 2 Duo Intel Integrated Graphics 965-based box, which makes it absolutely abominable for games.
Upstairs, my internet connection plugs into my Hyper-V host (actually, a TMG instance on it), and I’ve a sort-of-gaming PC set up next to that, which has a nice video card, and chair, and half-assembled steering wheel.
I’ve GigE running all over the place.
Back to the downstairs PC, though: I once tried Borderlands on it, and at the lowest settings, I could’ve made a faster PowerPoint deck. Pretty sure my WP7 phone has more 3D graphics grunt.
Recently, I’ve been playing a lot of Jagged Alliance, because it seems like there’s just so much of it about, and I really loved the earlier incarnations.
But to play Jagged Alliance Online, or Jagged Alliance: Back In Action, I’ve needed to move from downstairs, where I like to hang out in the dining/living room, to upstairs, or The Man Room, where I’m quite isolated from my girlfriend, the TV, and the small family of woodpeckers that’s moved into the dining room table.
The Hyper-V box got upgraded to a Core i7 (from a Q6600) with 16GB RAM recently. This means SLAT/EPT is available, which means that I now have the possibility of sexy 3D GPU graphics without actually crippling the performance of the VMs running on it.
Also, it got me thinking about RemoteFX:
Could I get reasonable 3D gaming performance from the Hyper-V host, using the downstairs box as just a screen?
Not having used RemoteFX before, I did some research. Then some more research. Then some more. Everyone and their dog was trying it with an unsupported GPU (“for business purposes”… suuuuure), but there were some success stories around, so I persevered despite not really understanding what I was doing. (It’s a good quality. Honest.)
Note: This should not be taken as endorsement or condonement of using an unsupported GPU. If stuff just randomly stops working, or a driver update breaks this, there’s no recourse. So if you need a supported, working, supportable solution, DO NOT DO THIS. (yes, just like Xbox Live through TMG).
I jammed an Nvidia 9400 (or something; the only spare PCIe card I had) in the server as a proof of concept (depending on what you read, you either need more than one card, or the Intel isn’t a suitable RemoteFX GPU anyway).
The literature commonly refers to installing the RemoteFX Cap Driver because most servers don’t use WDDM drivers for their inbuilt video cards.
Mine did have a WDDM driver (the i7 has Intel Integrated HD Graphics)… but I didn’t know that, so I assumed it was XPDM and installed the Cap driver; turns out I simply didn’t need to, and there was much installing and uninstalling of the cap driver, with reboots required. (Which take out my house’s Internet connection).
In short: looks to me like if your inbuilt server adapter is WDDM, no need for the CAP driver. But like I said – I removed the ?XPDM? Live Mesh adapter before starting.
It worked, but the 9400 didn’t support new niceties like Shader Model 3.0, so BIA was out. And JAO ran too slowly for my liking. And the card was ollllld. So assuming that’d be the problem, I figured I’d try a new one.
So I bought a new ATI/AMD Radeon HD 6770 1GB card (and a 6790 for the gaming PC…) for $140, and dropped that into the Hyper-V box.
(Yes, I know it’s unsupported. Yes, I know there are special GPUs for this. No, I can’t help you if you run into trouble with this.)
At this point, I tried installing drivers, but it didn’t seem to work initially, possibly because I still had the Cap driver installed (there was screen blanking). Eventually, after several uninstall-reinstall cycles, it just worked. I didn’t (as of 12.1 Catalyst) need different drivers; I didn’t install Catalyst Control Center on the successful run, but I don’t think it was that anyway.
The Event Log messages about nonworking GPUs disappeared, and I had a working RemoteFX host again. (Moral of the story: if you are using a cap driver, and you need to add or change a video card, disable the cap driver first).
It goes alright!
Some games react weirdly to RDP-style inputs (particularly the mouse); some games have glitches they don’t otherwise have with the synthetic 3d adapter.
I would not try playing most FPSs via RemoteFX (you’re instantly dealing with input lag plus network lag plus rendering time on the server and the client, plus that mouse-movement-is-display-mouse-movement thing).
Also, keep in mind: this is a screen remoting protocol; if your box can’t do smooth full-motion 3d on its own, or smooth full-screen video, doing smooth full-motion 2d-of-3d might put a fair load on it as well. If Aero is jerky on the box (it is on the Touchsmart), that’s about the best-case frame-rate you’re likely to get from RemoteFX or anything for that matter. There are performance counters to track where bottlenecks are.
I can now play Jagged Alliance: BIA on my downstairs PC pretty reliably, which is all I wanted to do in the first place. I do it a lot right now. I use 1280×720, 30Hz (seems to respond better), 2xaa, 4xAniso (or 4x whatever that last setting is), and Vsync.
JAO has some graphical weirdness (blank world map and face tiles) which fixes itself up when you play with the 9 and 0 keys (graphics detail level). Again, can now play it on the Touchsmart, which is incapable of playing it on its own.
Company of Heroes looks great, and with all the settings turned up to max, I got a “Great” score on COHmark. Can’t remember the numbers, but better than I expected. Haven’t played with it extensively yet.
I tried Civ IV, and it was the first time I’ve played it… it worked pretty well.
Frozen Synapse didn’t work at all, just crashed to desktop.
Deus Ex: GOTY – man, that game’s a pain to configure these days, what with its software rendering default and 16 bit colour! ugh! – it doesn’t really work well, input issues once the video issues are fixed.
It’s not a solution that allows me to dedicate the full unfettered power of the GPU to a single client (at least, I haven’t worked out how), but with a nice, grunty GPU in the server box, it’s nice that I won’t have to replace the touchsmart until Win8 comes out (bevel-less touch is important), and then I’ll get me one of those sexy new HP all-in-ones, and maybe play games locally again for a while. Or maybe stick with the thin screen/lots of bandwidth solution!
Users cannot access an IIS-hosted website after the computer password for the server is changed in Windows 7 or in Windows Server 2008 R2
Essentially, if the computer acount password changes, AppPoolIdentities might be unable to perform Kerberos authentication thereafter (if IIS is restarted as well).
(pasted from my email clippings. I’m on holiday right now, catching up on paperwork!)
The TLDR version is: using AppPoolIdentity as both the App Pool Account and Anonymous user account lets you have multiple isolated anonymous websites on one box.
IIS 7.x and upwards (as of Win2008 R2 and Windows 2008 SP2, also in IIS 8.x in Windows Server 2012 and IIS 10.x in Windows Server 2016) supports a new Application Pool account type, called an ApplicationPoolIdentity. This low-privileged account can be used to isolate distinct sets of anonymous website content, without requiring the administrator to set up a unique account for each website manually.
So whereas the default IUSR anonymous account is per-server, an ApplicationPoolIdentity is per-app-pool, and IIS creates one app pool per site, by default when the GUI is used to create a site.
So by setting the ApplicationPoolIdentity as the anonymous user account for a site, you can isolate content and configuration for that site so that no other sites on the same box can access it, even if it’s an anonymous site.
And now, the long version!
Before I start: Terminology disambiguation corner (because App Pool Identity is a horribly overloaded term nowadays):
Also, a reminder that process identity is the basic “RevertToSelf” identity for a process, and that thread identity can be different from process identity via impersonation or explicit logon.
So, any or all of the threads in a process might be someone other than the process identity, but if any call RevertToSelf or somehow lose their token, they’ll snap back to acting as the process identity. (Which is the ultra-short version of why you don’t want that being LocalSystem or another privileged account.)
App Pool Account:
The when-not-impersonating/process identity; used to start the app pool and to read web.config files; pretty much needs permissions to everything.
On IUSR vs Application Pool Account as anonymous:
App Pool Account as Anonymous
The alternative is to use an App Pool Account as the Anonymous account (so a thread doesn’t bother putting on its IUSR clothes on anonymous requests)
Using the App Pool Account as anonymous is a good idea because it allows you to secure your content at the NTFS level for just COMPUTER\Coke or IIS AppPool\Pepsi, and be assured that Windows file system security will prevent one company’s anonymous app from reading (or otherwise affecting) its competitor’s anonymous content.
Using the AppPoolIdentity as the App Pool Account in this case is just a simple, no-hassle way of having a common user account on all machines that share the IIS configuration (or at least the name of the app pool), without having to faff about creating or replicating Windows users and worrying about their permission level.
The bit I’m less confident on but still fairly sure I’m right:
When it gets to off-box (eg database) resources, you’re out of IIS-land and into app framework (ASP.Net)-land; short version is that if your token isn’t delegable (for eg, comes from an NTLM auth), it’ll fail to be passed to the next hop, and you’ll end up with process identity and any limitations/benefits it incurs.
Recently, I worked on a Kerberos configuration issue with a customer; these are my notes from the visit.
You’ll see some common themes with Kerbie Goes Bananas, and it puts much of that into practice. Speaking of, I must redo Kerbie with SetSPN -S (shameface)
This configuration step avoids an Internet Explorer behaviour whereby IE resolves a CNAME into an A record, and requests a ticket by building an SPN for the A record, instead of the CNAME.
More information is available at http://support.microsoft.com/kb/938305 . In most cases, adjusting the behaviour of Internet Explorer across all machines is harder than adjusting the DNS entry involved.
Note: use the Windows 2008 (or later) version of SetSPN to identify problems such as duplicates when updating SPNs. Any existing document using SETSPN -A should be updated to use SETSPN -S.
Only two SPNs are required for Kerberos to function against a farm – the FQDN, and the short hostname.
These must be applied to the account used by the Application Pool receiving the user request, which practically means that in most cases, only one account is usable per hostname (pair).
SPNs to be registered are:
Against the user identity of the Application Pool the user is connecting to – say, DOMAIN\SPAccount. This must be a domain account when used in a Farm scenario.
Note that no port number is used for the default port, and that these SPNs are also used for TLS/SSL.
SETSPN -S HTTP/farm DOMAIN\SPAccount
SETSPN -S HTTP/farm.example.com DOMAIN\SPAccount
If the individual hostname is to be used occasionally (e.g. for troubleshooting), http/machinename and http/machineFQDN should be registered against that account as well.
This should result in a list of SPNs as shown:
setspn -l DOMAIN\SPAccount
Registered ServicePrincipalNames for CN=SharePoint App Pool Account,OU=Service Accounts,DC=example,DC=com:
In a web farm scenario, a domain account must be used as the application pool identity. Once a suitable domain account is configured as the application pool identity (DOMAIN\SPAccount in this example), Kernel-Mode Authentication must be disabled, or the configuration’s useAppPoolCredentials property must be set to true (both may be used).
If this step is not performed, the app pool will not be able to decrypt the Kerberos ticket supplied by the client.
Open InetMgr (IIS Manager), browse to Authentication for the site, click Windows Authentication and open Advanced Settings (Actions pane on the right), and untick “Use Kernel-mode Authentication”.
Open a CMD window as Administrator, then:
appcmd.exe set config -section:system.webServer/security/authentication/windowsAuthentication -useAppPoolCredentials:true
Note: one line (wrapped), with no space after any dash (-) character.
Use of Kerberos should significantly reduce traffic between WFEs and Domain Controllers.
Every NTLM-authenticated connection requires the server to make a connection to a DC to complete authentication. The number of connections available to a DC simultaneously is governed by MaxConcurrentApi registry value.
Kerberos allows the client to authenticate to a DC once for the website, and to continue to use the ticket for the ticket lifetime (10 hours by default), across multiple connections, without necessarily needing to interact with the DC again.
Kerberos vs NTLM authentication with ISA Server (same concepts apply with Sharepoint or any Web app)
And a third-party performance comparison of Kerb and NTLM authentication with kernel-mode authentication and without was found here (not overall site performance, just basic RPS).
There I was, blathering away about Kerberos and SetSPN and sleeping – sleeping! – while the long-awaited-but-unnanounced TMG SP2 was released. And announced, I guess.
The documentation’s still being updated (the release notes haven’t made it up yet), but you can try it out from here:
• The new Site Activity report displays a report showing
the data transfer between users and specific websites for any
• A new look and feel has been created for
• Error pages can be more easily customized and can include
• You can now use
Kerberos authentication when you deploy an array using network load balancing