Create Domain
-
Cool Websites and Tools [May 6th]
[Small Business] (Business Insider)
Check out some of the latest MakeUseOf discoveries. All listed websites are FREE or come with a decent free account option. You can make use of them without spending a dime. If you want to have similar cool websites round-ups delivered to your email daily email subscribe here.
PDF To Flash Page Flip – Do you like reading ebooks but still miss the feel of a real book where you can flip through the pages with your fingers? Now you can experience it with the help of a handy tool called PDF-To-Flash Page Flip provided by Codebox. It lets you convert any PDF file (ebooks, documents, presentations) into a flippable flash book format. Read more: PDF-To-Flash Page Flip: Convert PDF To Flash Flip Book
WWWizer – Do you have a website with a naked domain problem? This happens when your website doesn’t work unless the user adds the “www” prefix to the domain name. This can be quite a cause for concern since most web users are used to the conventional domain names that do not require the “www” prefix. WWWizer is a web service that allows you to solve this naked domain name problem easily. With WWWizer, you can automatically redirect your non-www domain to its corresponding www domain for free. Read more: WWWizer: Free Non-WWW to WWW Redirect
Video Customizer – Content is shifting from static text based pages to dynamic flash and video segments. To help you fully utilize the power of video, Video Customizer lets you create video ads as well as video emails online without any hassle. You can upload your own video to customize or choose from thousands of existing templates. Read more: Video Customizer: Create Video Emails & Video Ads Online
Instant Blueprint – If you are a web designer, you will know how inconvenient it can get to create and manage template frameworks again and again. Instant Blueprint is a new tool that creates a web project framework for your new project with all the valid HTML and CSS standards so you can be up and running within seconds. Read more: Instant Blueprint: Create A Web Project Framework In Seconds
LikeFM – Imagine a website that tracks the music you play and makes it playable from anywhere. Additionally the site gathers music suggestions from friends and lets you share your favorite songs on social networks. LikeFM tracks the music you play through a desktop application and a browser add-on. Read more: LikeFM: Track The Music You Like & Play It Anywhere
These are just half of the websites that we discovered in the last couple of days.
-
Need a Reseller Hosting ??
[Pakistan] (wiredpakistan :: A Pakistani Tech forum)
Hello,
Anyone who is searching for a cheap reliable reseller hosting please have a look at http://www.2clubhost.com
We have the cheapest rates you would ever get!!
99.9% Uptime guarantee with Live Chat (Outsourced) Support.
================================+
Resell-1 Package:
================================+
5000MB (5GB) Hosting Disk Space
25,000 MB Monthly Bandwidth
Unlimited Emails, MySQL etc
Free Domain Reseller Account – Check Now
Create 10 Cpanel Accounts
Price: PKR.3000/yr (till april 31st)
================================+
================================+
Resell-2 Package:
================================+
15000 MB (15GB) Hosting Disk Space
50,000 MB Monthly Bandwidth
Unlimited Email, MySQL etc
Free Domain Reseller Account – Check Now
Create 40 Cpanel Accounts
Price: PKR.6000/yr
================================+
================================+
Resell-3 Package:
================================+
Unlimited Hosting Disk Space
Unlimited Monthly Bandwidth
Unlimited Email, MySQL etc
Free Domain Reseller Account – Check Now
Create Unlimited Cpanel Accounts
Price: PKR.7000/yr
================================+
Check out NOW!!
-
Blog Post: Friday Mail Sack: “Who am I kidding, more like Monthly” Edition
[Data Centre] (Site Home)
Hi folks, Ned here again with another tri-weekly Friday Mail Sack. This time we talk service auditing, trust creation, certificates and USMT, SYSVOL migration with RODCs, DFS stuff, RPC and firewalls, virtualization, and the zombie corpse of FRS.
Shoot it in the head!
Question
We’re setting up a trust between two domains in two forests. When we type in the name of the domain we are immediately prompted for credentials in that domain and the message “to create this trust relationship, you must supply user credentials for the specified domain”. We can enter any domain credentials here from that domain and it will work – some nobody user works, never mind an admin.
We are later prompted for administrative credentials like usual when finalizing the trust. Everything works, it’s just weird.
Answer
Anyone can reproduce this issue by removing the NullSessionPipes registry entry for LSARPC. NullSessionPipes – along with RestrictNullSessAccess - controls anonymous access to Named Pipes. Very legacy stuff. The list of default allowed protocols varies between OS and server role; for instance, a pure Windows Server 2008 R2 DC has a default list of:
NETLOGON
LSARPC
SAMR
You’ll find various security documents giving valid (or crazy) advice about messing with these settings but it boils down to “what do you need for your specific server, client, and application workloads to function?” If you get so secure that no one can work, you’ve gone too far.
In this case, setting up a trust uses the LSARPC protocol to connect to a DC in the other domain and find out basic information about it. If you can’t connect to it anonymously for this “phone book” kind of directory info that dates back to NT, you get prompted for creds. Since the info is public knowledge in that domain, any user is adequate.
These are often set through security policies and if you have this issue, look there first.
I’ve also seen it as part of a server image from someone who had too much time on their hands.
Question
DFSN is awesome. What is decidedly not awesome is when the requisite antivirus software absolutely kills client-side performance. What can loyal DFSN evangelists do (short of removing the AV or completely disabling network file scanning) on the client-side to prevent our users from suffering a dreaded antivirus performance hit when using DFS Namespaces?
Answer
Sort of a sideways approach, but if you are using Windows 7 clients then Offline Files might be an option. As an experiment with some test computers/users, you can configure:
- Enable Transparent Caching
- Configure Background Sync
- Configure Slow-Link Mode
You could make these computers work as if they are on a “slow network”, working primarily out of their Offline Files cache and trickle synchronizing their data back to the servers in the background continuously.
- http://technet.microsoft.com/en-us/library/ff183315(WS.10).aspx
- http://technet.microsoft.com/en-us/library/dd637828(WS.10).aspx
- http://technet.microsoft.com/en-us/library/ff633429(WS.10).aspx
- (and the GP explain text)
I specifically call out Windows 7 as Vista doesn’t support all these features, and XP supports none of them. XP is also gross.
Ultimately, you can only bandage things in this scenario. Whaling on your vendor (even if it’s us!) to improve performance is the only thing left. Like beer, they are the cause of - and solution to - all of life’s problems…
Question
I read your previous post here where you talked about how USMT 4.0 migrates computer certificates without private keys. Generally speaking this has not been an issue, as we have certificate auto-enrollment and the new computers get new valid certs. One application is having problems with these migrated invalid certs though and we need to block them from migrating, is that possible?
Answer
Yes. While this should be avoided if possible (a machine cert without a private key might still mean something useful to some strange application), it's simple to block computer certificate migration. Here is sample unconditional exclusion XML named skipmachinecerts.xml that you would run only with scanstate.exe (no need for loadstate to run it):
scanstate.exe c:\store /i:migapp.xml /i:migdocs.xml /i:skipmachinecerts.xml
<?xml version="1.0" encoding="UTF-8"?>
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/sampleskipcomputercerts">
  <component type="Documents" context="System">
    <displayName>SkipComputerCertMig</displayName>
    <role role="Data">
      <rules>
        <!-- This override XML prevents computer (not user) certificates from migrating. -->
        <!-- This should ONLY be used if machine certs with no private keys are causing issues -->
        <!-- Nice applications consider these certs invalid and computers request auto-enrollment -->
        <unconditionalExclude>
          <objectSet>
            <pattern type="Registry">HKLM\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\*[*]</pattern>
          </objectSet>
        </unconditionalExclude>
      </rules>
    </role>
  </component>
</migration>
You should never block user certificate migration as they have private keys and if users are securing data like EFS-encrypted files you would be locking them out of their files. If there's no DRA it would be permanent.
Question
What is the event, if any, that is triggered when we perform a D2 on a FRS non-sysvol replica set? Is it the same error message we get when we perform it on SYSVOL, but we insert the new replica set name?
Answer
Ha! You wish it were that cool. You get these events (in this order – here I D2’ed just a single custom replica set and did not touch SYSVOL at all):
Some old docs also say you should get a 13565 when you BURFLAG a replica – but you do not unless it’s SYSVOL:
“Oh, but this is a DC” you are saying. Ok. Here’s a member server getting D2’ed:
- 13520 like above
- 13553 like above
- 13554 like above
- Done.
Question
We have a server that is part of a simple DFS Namespace and Replication setup. Is there any issue with virtualizing a DFS server, shutting down the old host, and bringing the virtual one online. We would do this during a period of downtime so data change would be minimal?
Answer
That’s pretty much the point of SCVMM so I can’t really say no, can I? :)
The important thing (as always with P2V) is that you do a one-to-one change. You cannot have both servers alive at the same time. This is the risk with tools like disk2vhd.exe and other stuff on the internet, and why SCVMM is less risky – it ensures you don’t shoot yourself in the foot. Once the new DFS server looks like it’s working, destroy the old server so there is no chance it can come back up (format drive – you got a complete bare-metal capable backup of it first. Right???). To the other servers it would just look like that server was rebooted and reappeared no worse for wear.
Question
We rolled back a DFSR SYSVOL migration (don’t ask). All the DC’s rolled back fine except one – an RODC ended up in an inconsistent state. He is the only one that has entries under DFSR-LocalSettings and he is constantly switching between state 5 and 9.
The event logs show:
Log Name: DFS Replication
Source: DFSR
Date: 5/5/2011 9:00:00 AM
Event ID: 6016
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: rodc1.contoso.com
Description:
The DFS Replication service failed to update configuration in Active Directory Domain Services. The service will retry this operation periodically.
Additional Information:
Object Category: msDFSR-LocalSettings
Object DN: CN=DFSR-LocalSettings,CN=rodc1,OU=Domain Controllers,DC=contoso,DC=com
Error: 2 (The system cannot find the file specified.)
Domain Controller: writabledc1.contoso.com
Polling Cycle: 60
I’m not sure of the recommended way to clean it up.
Answer
Run on your PDC Emulator DC:
DFSRMIG.EXE /DeleteRoDfsrMember <name of the rodc>
Ensure that AD replication converges to the RODC. Then update the DFSR service with:
DFSRDIAG.EXE POLLAD /mem:<name of the rodc>
As you can see, we planned for this eventuality. :)
Question
Do you have docs on configuring Advanced Audit Policy granular object access for HiPAA, Sarbanes-Oxley, or other US regulatory acts?
Answer
Neither the HiPAA nor SOX Acts make any specific mention of actual object access auditing settings in Windows or any OS - only that you must audit… stuff. Your customer should talk to whoever audits them to find out what their (arbitrary) requirements are so they satisfy the audit. There is an entire industry of “compliance” vendors out there that sell solutions and settings recommendations that vary greatly between each company. We even have one, although it wisely makes no mention of HiPAA or Sarbanes and then completely indemnifies itself by saying it’s totally up to the customer to determine the right settings and we have no opinion. I bet our lawyers had a crack at that one :-D.
Question
What is the best method for cleaning out the PreExisting folder? I've done quite a bit of searching, but most of the results are cleaning out the Conflict directory or recovering files from the Pre-Existing folder.
Answer
If you don’t care about the files anymore (I recommend you at least back them up), you can delete the files and the preexistingManifest.xml file. You don’t need to stop the service or anything, once initial sync is done DFSR no longer cares about those files either. :)
Question
When using the netsh.exe command to set the port range for dynamic RPC, what is the minimum number of ports that you recommend be provisioned? We need to set this value for application servers in an Extranet and want to make sure we provision enough ports but satisfy our firewall folks.
Answer
There’s no rule, it’s just as many as you find you need with testing. Our recommendation is not to mess with these if you are trying to lower the number of ports open in a firewall and instead use IPSEC tunnels between computers – this means you only have to open a couple ports and the traffic is protected regardless. Opening “only 500” ports is not much better than the default of many thousands. Go too low and you will cause mysterious random outages that take forever to figure out.
Barring that, I usually recommend first leaving default and evaluating to see what the usage patterns are – then setting to match with maybe a +10% extra fudge factor for unexpected growth. Then document the heck out of it, because when you’re gone and someone else inherits that system, they are going to be fornicated when problems happen. No one will be expecting that sort of restriction.
Question
It’s pretty easy to audit who is starting and stopping services in Windows Server 2003, I just examine the System Event Log for events 7035 and 7036, sourced to Service Control Manager. The User field will show who stopped and started a service.
But Windows Server 2008 and later don’t do this. Is there a way to audit their services?
Answer
Yes. You will need to decide which services you want to audit as there is no simple way to turn it all on for everything, though. You probably only want to know about some specific ones anyway. Who cares that Ned restarted the Zune Wireless service on his laptop?
1. Log on as an administrator, and make sure you use an elevated CMD prompt if UAC is on.
2. Run on the affected server:
SC QUERY > Svcs.txt
3. Examine svcs.txt for the “DISPLAY_NAME” of the service that is being restarted.
For example in my case, I looked for “DFS Namespace” (no quotes) and see:
SERVICE_NAME: W32time
DISPLAY_NAME: Windows Time
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
4. Above the display name you will see the SERVICE_NAME. Note that for below.
5. Run:
SC SDSHOW <service name> > sd.txt
Example:
SC SDSHOW w32time > sd.txt
6. Open this text file. It will contain SDDL data similar to this (not necessarily the same as below; do not re-use my example):
D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)
7. Copy the following and add it to the end of the SDDL string in that text file:
(AU;SAFA;RPWPDT;;;WD)
So if you had used my example SDDL data and then added the above string, you now have, all on one line:
D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;SAFA;RPWPDT;;;WD)
Note that there is an S: that separates the DACL and SACL sections. If your exported SDDL did not contain an S: you must prepend it to your SACL entry like so:
S:(AU;SAFA;RPWPDT;;;WD)
8. Copy and paste that whole new string and run:
SC SDSET <name of the service> <the big new string>
Example:
SC SDSET w32time D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;SAFA;RPWPDT;;;WD)
Note: What we are doing is adding an audit SACL to the service so that when the previous auditing steps I gave you are used, the restart of the service will be audited and we’ll know who did what. Remember that if there was no auditing in place on the service already (after the "S:") then you will need to add that to the string.
9. Enable the audit subcategory "Other Object Access Events" for success and "Handle Manipulation" for success.
10. Note events for 4656. Object Server will be "SC Manager", Object Name will be the name of the service, Access Request Information will show the operation (ex: "Stop the Service").
Until next time.
- Ned “yes, bwaamp is a technical term here” Pyle
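The service auditing steps 5 through 10 above, scripted as an added example (not code from the original post). It handles both SDDL cases the post describes (an S: section already present, or none) and skips the change if the audit ACE is already there. The function names are hypothetical, Windows PowerShell 3.0 or later is assumed, and auditpol.exe is used as a local stand-in for the policy setting in step 9.

```powershell
# Added example, not from the original post. Function names are hypothetical.

function Add-ServiceAuditAce {
    # Steps 6-7 as pure string handling: return the SDDL with the audit ACE in its SACL.
    param(
        [Parameter(Mandatory = $true)][string]$Sddl,
        [string]$AuditAce = '(AU;SAFA;RPWPDT;;;WD)'      # the ACE given in step 7
    )
    # sd.txt or sc.exe output may carry blank lines or wrapping; SDDL itself has no whitespace.
    $clean = $Sddl -replace '\s', ''
    $m = [regex]::Match($clean, '^(?<dacl>D:.*?)(?<sacl>S:.*)?$')
    if (-not $m.Success) { throw "Unexpected SDDL, no leading D: section: $clean" }
    $dacl = $m.Groups['dacl'].Value
    $sacl = $m.Groups['sacl'].Value                      # empty when there is no S: section
    if (-not $sacl)                { return $dacl + 'S:' + $AuditAce }   # add the S: prefix
    if ($sacl.Contains($AuditAce)) { return $clean }                     # already audited
    return $dacl + $sacl + $AuditAce                                     # extend existing SACL
}

function Set-ServiceAuditSacl {
    # Steps 5 and 8: read the descriptor, merge, and write it back only when -Apply is given.
    param(
        [Parameter(Mandatory = $true)][string]$ServiceName,
        [switch]$Apply
    )
    # Call sc.exe by its full name: in Windows PowerShell "sc" is an alias for Set-Content.
    $current = ((& sc.exe sdshow $ServiceName) -join '') -replace '\s', ''
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdshow failed for ${ServiceName}: $current" }
    $updated = Add-ServiceAuditAce -Sddl $current
    if ($updated -ceq $current) { return "No change needed for $ServiceName" }
    if (-not $Apply) { return "Would run: sc.exe sdset $ServiceName $updated" }
    Set-Content -Path ".\${ServiceName}-sd-backup.txt" -Value $current   # keep the original
    & sc.exe sdset $ServiceName $updated
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed for $ServiceName" }
}

function Enable-ServiceAuditPolicy {
    # Step 9 through auditpol.exe (assumption: local policy; domain policy can overwrite it).
    & auditpol.exe /set /subcategory:"Other Object Access Events" /success:enable
    & auditpol.exe /set /subcategory:"Handle Manipulation" /success:enable
}

function Get-ServiceControlAudit {
    # Step 10: event 4656 entries where Object Server is "SC Manager" for one service.
    param([Parameter(Mandatory = $true)][string]$ServiceName)
    $xpath = "*[System[(EventID=4656)] and EventData[Data[@Name='ObjectServer']='SC Manager']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.GetAttribute('Name')] = $d.InnerText
            }
            if ($data['ObjectName'] -eq $ServiceName) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = $data['SubjectDomainName'] + '\' + $data['SubjectUserName']
                    Service = $data['ObjectName']
                    Message = $_.Message       # rendered text includes the requested access
                }
            }
        }
}

# Offline check with the example descriptor from the post (do not reuse it on a real service).
$example = 'D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
           '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)'
Add-ServiceAuditAce -Sddl $example
```

Run `Set-ServiceAuditSacl -ServiceName w32time` first to see the command it would issue, then repeat with `-Apply` from an elevated session.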
-
Animals Felt Board Set
[Etsyrati] (Etsy Shop for nodinsnest)

$12.00
Set of seventeen laminated paper images mounted on cardstock and backed with hook and loop dots. For use with "The Story Box", sold in my shop or any felt board. They are approximately 2'- 5' tall
Let your child use their imagination and create a story collage.
Image sources are magazine clippings, vintage books and public domain. Due to availability images will vary from set to set, but the theme will be the same.
Not recommended for children under 3yr
Felt board not included
-
How to Effectively Measure the Amount Of Work You Actually Do
[Goodtweet (Twitter material), Lifehacks] (Dumb Little Man - Tips for Life)

I remember reading somewhere that only a fraction of the work we do every day is productive work. Rest is not actual work; we just fool ourselves to believe that it is.
I think that if each one of us were to take a minute and carefully think about the work accomplished during the last 24 hour period, it won't be too difficult to not agree with what I said in the first paragraph above. With distractions galore, both online and offline, it is easy to get sucked into a non-work routine which feels like work.
The purpose of this article is to try and measure the real, hardcore work we do every day and to find out ways to eliminate the distractions that stand in our way of accomplishing actual work. Let's check out the methods I suggest, and then you could suggest similar methods in the comments.
What's Work For You?
It is very important to answer the above question correctly. What's work for you might not be work for me and vice versa. For example, for a social media manager, spending time on Twitter and Facebook is very much part of actual work. She is doing that to track audience engagement and to promote her client's site. But that might not be the case at your end.
So you need to have a clear picture of what's work and what's fun. I think one way to figure that out is to know if what you are doing makes you money in the short or long term. If it does, it's work. If it doesn't, it may or may not be actual work. But it's definitely something that can be done later.
Using Separate Devices
Once you know what's work for you, you need to know how much of it you are able to accomplish each day. Seth Godin talked about the two-device solution a few days ago. He proposes that you use your computer only for actual work, and a second device - like your iPad - for everything that doesn't fall in the domain of actual work. It's definitely an easy way to track the time spent doing actual work every day.
Using a Timer
We just had a post on how a simple timer can go a long way in making you more productive. Yes, timers work. And you can make use of them to measure the amount of work you do.
I'd also take an opportunity to mention one of my previous DLM posts on time management tools and apps. Some of the tools mentioned in the list, like RescueTime, can effectively track the time you spend doing different things on your computer.
Using Separate Logins or User Profiles
This is something I talked about on my personal blog some time back. I took a cue from Seth's article on using separate devices, and suggested that we create separate user profiles for work and fun. You can also make use of this neat tutorial to track your login and logoff times using a scheduled task in Windows. That would tell you exactly the time you spend in a particular user account.
So, what do you think about the above methods? What else do you think can help you track the amount of actual work you are able to complete daily?
Cheers,
Abhijeet
Written on 5/6/2011 by Abhijeet Mukherjee. Abhijeet is a blogger and web publisher from India. He loves all things tech as long as it aids in productivity. He edits Guiding Tech, a blog that publishes useful guides, tutorials and tools. You can also find him on Twitter.
-
Blog Post: Kernel-mode authentication
[SAP] (Site Home)
First a short explanation of how the Kerberos ticket is encrypted:
- The client application (e.g. a web browser) requests a Kerberos ticket from the Domain Controller (KDC). As part of the communication with the DC, the client sends the SPN for the service.
- The DC finds the domain account that matches the SPN, and creates a ticket for the user.
- The ticket is encrypted with the password for the domain account of the receiving application. (To be more accurate: encrypted with the hash of the password for the domain account).
- The encrypted ticket is then sent back to the client.
- The client sends the ticket to the web application in the authentication header to prove the identity of the user.
- IIS decrypts the ticket to get the identity of the user.
To decrypt the ticket, IIS must know the password of the domain account. The password is stored (encrypted) in the applicationHost.config, e.g.
<applicationPools>
  <add name="HRWeb">
    <processModel identityType="SpecificUser" userName="mydomain\hrwebact" password="[enc:IISWASOnlyAesProvider:qu/80DmhQaUFn4DnDWsFF/uVty+WVR8WapGLJ77clKE=:enc]" />
  </add>
</applicationPools>
That should therefore not be a problem. But a change was made in IIS 7.0 (and later) that in some cases breaks the Kerberos configuration, because IIS tries to decrypt the ticket using the password of the computer account. Read here for more info: http://blogs.msdn.com/b/sudeepg/archive/2009/02/08/iis-7-kernel-mode-authentication.aspx
In our HRWeb application the application pool account is configured to use a domain account as identity with a matching SPN.
When a user visits the page he will be prompted for username and password, but even if he enters the correct credentials, the request will still fail with HTTP Error 401: Not Authorized.
A Failed Request Tracing log will show the following error:
ModuleName IIS Web Core
Notification 2
HttpStatus 401
HttpReason Unauthorized
HttpSubStatus 2
ErrorCode 2147942405
ConfigExceptionInfo
Notification AUTHENTICATE_REQUEST
ErrorCode Access is denied. (0x80070005)
To make this work in IIS 7.5 you have two choices:
- Disable Kernel-mode authentication for this application, or
- Configure IIS to use the application pool account when the ticket is decrypted in Kernel mode
You can easily disable Kernel-mode authentication in the GUI. Select the application in the IIS Manager, open the authentication feature, select Windows authentication, select Advanced Settings in the right panel, and uncheck Kernel-mode authentication:
While this configuration will fix the issue, it may not be the best option. A better approach would be to keep Kernel-mode authentication but tell IIS to use the password of the application pool account to decrypt the ticket.
I wish that there were a GUI for changing that parameter but it does not exist.
Instead you have to tweak the applicationHost.config file that usually is located in c:\windows\system32\inetsrv\config, and you need to add the attribute: useAppPoolCredentials="true" to the windowsAuthentication node of the configuration for the application.
See sample:
You can also use the Appcmd.exe command tool to set this parameter instead of tweaking the XML by hand. I have used the following command line a couple of times where the customer wanted this parameter to be default for all applications on the server:
%windir%\system32\inetsrv\appcmd.exe set config -section:windowsAuthentication /useAppPoolCredentials:"True" /commit:apphost
It should also be possible to make the change for a single application, but I don't have a working sample to show you.
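A check for the combination this post describes, as an added example (not the author's code): it reads an applicationHost.config and lists applications whose pool runs as a specific account while Windows authentication is enabled with kernel mode on and useAppPoolCredentials not set. The function name and the sample configuration are constructed, Windows PowerShell 3.0 or later is assumed, and only pools named explicitly on the application element are resolved.

```powershell
# Added example, not from the original post. Function name and sample config are constructed.

function Find-KernelModeAuthMismatch {
    param([Parameter(Mandatory = $true)][xml]$Config)

    # Application pools that run as a specific (domain) account.
    $customPools = @{}
    foreach ($pool in $Config.SelectNodes('/configuration/system.applicationHost/applicationPools/add')) {
        $pm = $pool.SelectSingleNode('processModel')
        if ($null -ne $pm -and $pm.GetAttribute('identityType') -eq 'SpecificUser') {
            $customPools[$pool.GetAttribute('name')] = $pm.GetAttribute('userName')
        }
    }

    # Every windowsAuthentication element with the scope it applies to ('' means server-wide).
    $waPath = 'system.webServer/security/authentication/windowsAuthentication'
    $settings = @(foreach ($wa in $Config.SelectNodes("//$waPath")) {
        $holder = $wa.SelectSingleNode('../../../..')        # <configuration> or <location>
        [pscustomobject]@{ Scope = $holder.GetAttribute('path'); Node = $wa }
    })

    foreach ($site in $Config.SelectNodes('/configuration/system.applicationHost/sites/site')) {
        foreach ($app in $site.SelectNodes('application')) {
            $poolName = $app.GetAttribute('applicationPool')
            if (-not $customPools.ContainsKey($poolName)) { continue }

            # Scopes that apply to this application, least specific first.
            $full   = ($site.GetAttribute('name') + $app.GetAttribute('path')).TrimEnd('/')
            $parts  = $full -split '/'
            $scopes = @('') + @(0..($parts.Count - 1) | ForEach-Object { $parts[0..$_] -join '/' })

            # IIS schema defaults, overridden by each matching scope in turn.
            $eff = @{ enabled = 'false'; useKernelMode = 'true'; useAppPoolCredentials = 'false' }
            foreach ($scope in $scopes) {
                foreach ($s in $settings) {
                    if ($s.Scope -ne $scope) { continue }
                    foreach ($name in 'enabled', 'useKernelMode', 'useAppPoolCredentials') {
                        if ($s.Node.HasAttribute($name)) { $eff[$name] = $s.Node.GetAttribute($name) }
                    }
                }
            }

            if ($eff['enabled'] -eq 'true' -and $eff['useKernelMode'] -eq 'true' -and
                $eff['useAppPoolCredentials'] -ne 'true') {
                [pscustomobject]@{
                    Application = $full
                    AppPool     = $poolName
                    Identity    = $customPools[$poolName]
                }
            }
        }
    }
}

# Constructed sample: HRWeb matches the failing combination, Payroll already has the fix.
[xml]$sample = @'
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" />
      <add name="HRWeb"><processModel identityType="SpecificUser" userName="mydomain\hrwebact" /></add>
      <add name="Payroll"><processModel identityType="SpecificUser" userName="mydomain\payrollact" /></add>
    </applicationPools>
    <sites>
      <site name="Default Web Site" id="1">
        <application path="/" applicationPool="DefaultAppPool" />
        <application path="/HRWeb" applicationPool="HRWeb" />
        <application path="/Payroll" applicationPool="Payroll" />
      </site>
    </sites>
  </system.applicationHost>
  <system.webServer><security><authentication>
    <windowsAuthentication enabled="false" />
  </authentication></security></system.webServer>
  <location path="Default Web Site/HRWeb">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/Payroll">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" useAppPoolCredentials="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>
'@
Find-KernelModeAuthMismatch -Config $sample
```

Against a real server, pass the contents of a copy of applicationHost.config, for example `Find-KernelModeAuthMismatch -Config (Get-Content .\applicationHost.config -Raw)`.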
-
Blog Post: May 2011 - Technical Rollup Mail - Security
[Network Security] (Site Home)
News
Windows Intune Now Available - Get Started With A 30-Day Trial http://www.microsoft.com/windows/windowsintune/pc-management-how-to-try-and-buy.aspx
Windows Intune helps simplify how businesses manage and secure PCs using Windows cloud services and the Windows 7 operating system. Download a free 30-day trial to see how Windows Intune can better enable your computers and users to operate at peak performance from virtually anywhere. Then visit the Windows Intune Resource Zone on TechNet for technical guidance to help you get the most out of your trial.
Sign Up for Solution Accelerator Notifications http://technet.microsoft.com/en-gb/solutionaccelerators/bb687756.aspx
Looking for tools and guidance that help build your organization's security and compliance infrastructure? Microsoft Solution Accelerators provide tested guidance and automated tools to help you plan, securely deploy, and manage new Microsoft technologies—easier, faster, and at less cost. To stay up-to-date, subscribe to the Solution Accelerators Newsletter.
Inside Security Compliance Manager with Chase Carpenter http://technet.microsoft.com/en-us/edge/security-compliance-manager-with-chase-carpenter.aspx
When we hear about a disaster like the earthquake in Japan, many of us try to think of ways we can help. Read this Security Tips & Talk blog post for valuable tips you can pass on to your end users to help them avoid online donation scams.
Microsoft Security Bulletin Summary for April, 2011
http://www.microsoft.com/technet/security/bulletin/ms11-apr.mspx
Security Bulletin Overview for April 2011
Microsoft Security Response Center (MSRC) Blog Post http://go.microsoft.com/?linkid=9683067
Windows Media Video (WMV) http://go.microsoft.com/?linkid=9683068
Windows Media Audio (WMA) http://go.microsoft.com/?linkid=9683069
iPod Video (MP4) http://go.microsoft.com/?linkid=9683070
MP3 Audio http://go.microsoft.com/?linkid=9683071
High Quality WMV (2.5 Mbps) http://go.microsoft.com/?linkid=9683072
Zune Video (WMV) http://go.microsoft.com/?linkid=9683073
Microsoft Product Lifecycle Information
Find information about your particular products on the Microsoft Product Lifecycle Web site http://go.microsoft.com/?linkid=9669804
See a List of Supported Service Packs http://go.microsoft.com/?linkid=9669805
Microsoft provides free software updates for security and nonsecurity issues for all supported service packs.
Follow the Microsoft Security Response team on Twitter http://go.microsoft.com/?linkid=9739346 @MSFTSecResponse for the latest information on the threat landscape.
Forefront TMG and ISA Server
Forefront Security TechCenter
http://technet.microsoft.com/en-gb/forefront/default.aspx
Please note that if you have feedback on documentation or wish to request new documents - email isadocs@microsoft.com
Forefront Threat Management Gateway 2010 homepage
http://technet.microsoft.com/en-gb/forefront/ee807302.aspx
Forefront TMG (ISA Server) Product Team Blog
The ISA Server Product Team Blog (http://blogs.technet.com/isablog/) is updated on a regular basis. Latest entries include:
TMG URL Filtering fails
http://blogs.technet.com/b/isablog/archive/2011/04/11/tmg-url-filtering-fails.aspx
Requiring Strong Authentication Only for Specific Published Paths or Sites
Forefront Unified Access Gateway & Intelligent Application Gateway 2007
Forefront Unified Access Gateway 2010 Technical Resources
http://technet.microsoft.com/en-gb/forefront/edgesecurity/ee907407.aspx
For comments, feedback, and requests, contact the Forefront UAG User Assistance team at uagdocs@microsoft.com.
Forefront Unified Access Gateway Product Team Blog
The UAG Product Team Blog (http://blogs.technet.com/edgeaccessblog) is updated on a regular basis. Latest entries include:
Creating custom icons for applications
Forefront Edge on the Wiki
The home of community-generated content about Microsoft technologies — that anyone can edit! Read the latest wiki articles about TMG and UAG.
TMG - http://social.technet.microsoft.com/wiki/contents/articles/tags/tmg/default.aspx
UAG - http://social.technet.microsoft.com/wiki/contents/articles/tags/UAG/default.aspx
Documents
Security Tip of the Month: 5 Security Tips for Windows Intune http://technet.microsoft.com/en-gb/security/hh144814.aspx
Learn how to use Attack Surface Analyzer, a free tool from Microsoft, to better understand the aggregate attack surface change that may result from the introduction of line-of-business (LOB) applications to the Windows platform.
Microsoft Security Update Guide, Second Edition http://www.microsoft.com/security/msrc/whatwedo/securityguide.aspx
The Microsoft Security Update Guide Second Edition is a valuable source of in-depth information and guidance that helps IT professionals deploy Microsoft security updates and create a safer, more secure computing and Internet environment.
Windows Security Survival Guide http://social.technet.microsoft.com/wiki/contents/articles/windows-security-survival-guide.aspx
Many companies invest a good amount of money trying to protect their resources by adding more software to provide additional layers of protection, and by enhancing policies and procedures to enforce security. Get a better understanding of the core principles of Windows Security and how to take advantage of Windows operating system security capabilities to achieve your company's security goals.
Security and Compliance in the Cloud, Part 1 http://www.microsoft.com/showcase/en/US/details/66401d6b-881a-416c-97d5-601f99c27e51
Join Jim Reavis of the Cloud Security Alliance, Pete Boden of Microsoft and Allan A. Friedman of the Brookings Institution to see what you need to consider as you move data and applications to the cloud. Watch Part 2 of the discussion for additional insights and tips for organizations of all sizes.
Windows Azure: Understanding Security Account Management in Windows Azure http://technet.microsoft.com/en-gb/magazine/gg607453.aspx
Cloud computing relieves some of the security burden, but you still have an active role in managing access, securing communications and ensuring data protection. Learn what you need to know about account management, certificate management, and employee transitions.
SQL Server: Protect Data at All Costs http://technet.microsoft.com/en-gb/magazine/gg981678.aspx
Maintaining high availability to corporate data stores managed with SQL Server is an essential element of any data management strategy. Get tips on how to work through the requirements and limitations, align your strategy to those requirements, and test the effectiveness of your approach.
Downloads
Licensing Windows Server 2008 Terminal Services
This licensing brief helps to clarify Microsoft licensing policies for Windows Server® Terminal Services (TS), including the new components that are in the Windows Server 2008 operating system.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=b8a7c6ed-1bc1-4035-9110-1ee6da8f3fd4
Forefront Identity Manager 2010 Monitoring Management Pack
The FIM 2010 Management Pack discovers and monitors FIM server components.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=a90c3145-19fe-46fb-baec-c333629f2630
Windows Server 2008: Planning for Active Directory Forest Recovery
This guide contains best-practice recommendations for recovering an Active Directory forest, if forest-wide failure has rendered all domain controllers in the forest incapable of functioning normally.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=326c8a7a-dcad-4333-9050-a6303ff3155c
AD FS 2.0 Step-by-Step Guide: Federation with IBM Tivoli Federated Identity Manager
Guide to AD FS 2.0 interoperability with IBM Tivoli Federated Identity Manager
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=52290081-6af4-4c69-9084-1b99364eedda
Information Security Management System for Microsoft Cloud Infrastructure
This paper describes Information Security Management System for Microsoft Cloud Infrastructure as well as some of the processes and benefits realized from operating this model, including an overview of the key certifications and attestations Microsoft maintains to prove to cloud customers that information security is central to Microsoft cloud operations.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7bc2afa0-6e6c-48f7-825d-752ca5914344
Microsoft Security Development Lifecycle (SDL) - Version 5.1
Microsoft Security Development Lifecycle (SDL) Process Guidance - Version 5.1
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e5ff2f9d-7e72-485a-9ec0-5d6d076a8807
Microsoft .NET Framework 4 Platform Update 1 – Design-time Update for Visual Studio 2010 SP1 (KB2495593)
This package contains updated design-time files for Visual Studio 2010 SP1 corresponding to Microsoft .NET Framework 4 Platform Update 1.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=4863f88f-5519-4b66-a195-752746b4389a
Microsoft .NET Framework 4 Platform Update 1 - Runtime Update (KB2478063)
This is a Platform Update to the Microsoft .NET Framework 4 containing a set of new features addressing top customer feature requests and important .NET Framework scenarios.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e85a2f1b-031c-419c-95b2-0610e90bafd7
Providing Flexible, Security-Enhanced Network Access to Contractors with a Virtual Desktop Infrastructure
Microsoft IT deployed a secure and cost-effective pilot solution called Virtual Desktop Infrastructure (VDI) to a global group of contractors. VDI supplies a virtual desktop environment that is authentication-enabled and auditable for security purposes.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=39c528f6-2885-45c9-b338-a65a2bd43e4e
Microsoft Lync Server 2010 Security Guide
The Security Guide provides guidelines for assessing and managing security risks to your Lync Server 2010 deployment.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=1400504e-8b2e-4d75-b091-1bf9f7bbc46f
Microsoft’s Identity and Access Management Platform Whitepapers
Identity and Access Whitepapers
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=9ca5c685-3172-4d8f-81cb-1a59bdc9f7e3
Microsoft® Windows® Malicious Software Removal Tool (KB890830)
This tool checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps to remove the infection if it is found. Microsoft will release an updated version of this tool on the second Tuesday of each month.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=ad724ae0-e72d-4f54-9ab3-75b8eb148356
Microsoft® Windows® Malicious Software Removal Tool (KB890830) x64
This tool checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps to remove the infection if it is found. Microsoft will release an updated version of this tool on the second Tuesday of each month.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=585d2bde-367f-495e-94e7-6349f4effc74
Building Global Trust Online: Policy Perspectives on Privacy, Security and Safety
This booklet is intended to be a relevant and useful guide for any decision-maker with responsibility for developing new ideas and solutions for online privacy, security and safety.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=b4e5277d-ab04-4b80-9a4d-fea0c1440fe7
Microsoft Office File Validation Add-in (KB2501584)
Office File Validation is a security add-in for Office 2003 and 2007. Office File Validation is used to validate that Binary File Format files conform to the Microsoft Office File Format. The user will be notified of possible security risks if files fail to conform to the format.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=6a4e39a4-4c3f-4cc7-98ec-1cb2d5cb5881
Windows XP End Of Support Countdown Gadget
Looking to get off Windows XP? Use this handy gadget to count down the number of days until Windows XP End of Support (EOS) in 2014.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=53a27766-0168-4617-b44e-74b2886cec6d
CVD at Microsoft
Information about Coordinated Vulnerability Disclosure
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=2f25ef80-88b1-461e-95e0-3e3ec7f2fe8e
Active Directory Federation Services 2.0 RTW
Active Directory Federation Services 2.0 helps IT enable users to collaborate across organizational boundaries and easily access applications on-premises and in the cloud, while maintaining application security.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=118c3588-9070-426a-b655-6cec0a92c10b
Events/WebCasts
Security Webcast Calendar
http://go.microsoft.com/fwlink/?LinkId=37910
Find security webcasts listed in an easy-to-use calendar format.
Upcoming Security Webcasts
http://www.microsoft.com/events/security/upcoming.mspx
TechNet Webcast: Information About Microsoft May Security Bulletins (Level 200)
Wednesday, May 11, 2011 11:00 A.M.-12:00 P.M. Pacific Time
TechNet Webcast: Talk TechNet with Keith Combs and Matt Hester – Episode 21: Joseph Davies and Christopher Palmer on IPv6 (Level 100)
Wednesday, May 25, 2011 9:00 A.M.-10:00 A.M. Pacific Time
Business Insights Webcast: How to handle Data Security, User Authorization and Authentication in the Windows Azure (Level 200)
Wednesday, May 25, 2011 11:00 A.M.-12:00 P.M. Pacific Time
On-Demand Security Webcasts
http://www.microsoft.com/events/security/ondemand.mspx
Visit TechNet Spotlight: www.microsoft.com/technetspotlight
Video on Demand, Video Downloads, PowerPoint Presentations, Audio and more
-
Watch Live Lions vs Cheetahs 6 May 2011
[Soccer] (OleOle - Football News and Opinion)
Cheetahs vs Lions Super 15 Rugby
The Super 15 is the largest rugby union football club championship in the southern hemisphere, consisting of provincial teams from Australia, New Zealand and South Africa.
Lions vs Cheetahs
Match scheduled:
06-05-2011 from 17:10 until 19:10
Super 15 Rugby
Cheetahs team:
15 Riaan Viljoen, 14 Philip Burger, 13 Robert Ebersohn, 12 Corné Uys, 11 Coenie Oosthuizen, 10 Sias Ebersohn, 9 Sarel Pretorius, 8 Davon Raubenheimer, 7 Ashley Johnson, 6 Heinrich Brüssow, 5 Wilhelm Steenkamp, 4 Francois Uys, 3 WP Nel, 2 Adriaan Strauss (capt), 1 Riaan Smit.
Substitutes: 16 Ryno Barnes, 17 Lourens Adriaanse, 18 Waltie Vermeulen, 19 Kabamba Floors, 20 Tewis de Bruyn, 21 Naas Olivier, 22 Hennie Daniller.
Venue:
Coca-Cola (Ellis) Park Stadium
Ellis Park Stadium is a rugby union stadium in the city of Johannesburg, Gauteng Province, South Africa. It hosted the Rugby World Cup final in 1995, which was won by the country’s national team, the Springboks. The large stadium was the country’s most modern when it was upgraded in 1982 to accommodate almost 60,000 people. Today, the stadium hosts both football and rugby, and is also used as a venue for other large events, such as open-air concerts. It has become synonymous with rugby as the only time when rugby was not played at Ellis Park was during 1980 and 1981 when the stadium was under construction during an upgrade.
The stadium was named after Mr JD Ellis who made the initial area for the stadium available.
League, provincial, and international games have all been played at the stadium, and it has seen such teams as Brazil, Manchester United and Arsenal play. Ellis Park Stadium is the centrepiece of a sporting sector in the south-east of Johannesburg, where it neighbours Johannesburg Stadium (athletics), Standard Bank Stadium (tennis), and an Olympic-class swimming pool.
Ellis Park Stadium is home to the following teams:
Orlando Pirates (Premier Soccer League)
Lions (Cats until September 2006), Golden Lions, Currie Cup domestic rugby competition
Cricket matches were held at the stadium in the past. It hosted six Test matches between 1948 and 1954, but it has not been used for first-class cricket since New Wanderers Stadium opened in 1956 and is now used only for rugby and soccer.
History
In 1889, after a long and hard-fought battle, the Transvaal Rugby Football Union (now the Golden Lions Rugby Union) was formed and established a domain. The first games were played at the Wanderers Club’s stadium, whose grounds were situated where Johannesburg Park station is today. Rows between the different rugby clubs, as well as the Wanderers Club’s claim of the field for the use of cricket games, forced the TRFU to look for an alternative.
An area with a quarry and garbage dumps in Doornfontein was identified in 1927 as the possible alternative. The TRFU negotiated with the Johannesburg City Council’s Mr JD Ellis (after whom Ellis Park was named) for the availability of these grounds, and 13 acres was made available. On 10 October 1927 the final rental agreement was signed. A quote of £600 was accepted for the grass and, with a loan from the city council to the amount of £5 000, the building of the new stadium could commence. The stadium was built in eight months and in June 1928 the first test was played against the All Blacks. Thus was born Ellis Park, which became internationally renowned and synonymous with rugby. Crowds of between 38 000 and a record crowd of 100 000 against the British Lions (in 1955) attended the matches.
Ellis Park played the host for cricket matches after an agreement was reached between TRFU and Cricket|Union. From 1947 when the cricket pitch was laid until 1956, Ellis Park was host to various cricket matches with the final games played in the 1953/54 series against New Zealand. Cricket then moved to its new venue where the current Wanderers still is today.
On 28 April 1969 the TRFU formed a stadium committee to investigate the possibilities of a new stadium since the one in use did not meet all the modern requirements. Only fifteen years later, after the game between Transvaal and the World Team on 31 March 1979, the old Ellis Park was demolished. Games were played at the Wanderers while the stadium was being rebuilt.
A new TRFU management was elected in 1984 with Dr Louis Luyt as Chairman and Prof Joe Poolman as his deputy. The decision was taken to place Ellis Park Stadium under the management of a trust. In 1987 after the Ellis Park Stadium was listed on the stock exchange and due to sound financial management by Dr Luyt, Ellis Park could announce that the debt to the amount of R53 million was fully paid and a further 86 suites could be erected.
In 1995 rugby fever hit the country with South Africa’s hosting of the Rugby World Cup, the biggest event on the rugby calendar. Ellis Park was the venue for the World Cup Final which was played on 24 June 1995. In this spectacular final, New Zealand and South Africa ran onto the field at 14:45 in front of 62 000 spectators and millions of spectators in front of their TVs. South Africa won this game 15-12 in extra time.
In 2005 Ellis Park Stadium made history by becoming the first black owned stadium in South Africa. The Golden Lions Rugby Football Union passed the management of the Ellis Park Precinct to a company with 51% black ownership. Interza Lesego, Orlando Pirates F.C. and Ellis Park Stadium (Pty) Ltd make up the new management of the Ellis Park Precinct.
Future
Ellis Park Stadium will host one of the semi-finals of the 2010 FIFA World Cup, for which its capacity will be upgraded by another 10,000 to create a total of 70,000 seats. New upper tiers will be added behind each of the goals, to the north and south of the stadium.
Source – Wikipedia
-
Vook Product Mgr-Freelance / Vook, Inc. / New York, NY
[Jobs, Jobs (not Steve)] (paidContent Jobs)
Vook, Inc./New York, NY
Overview
Vook is recruiting for an exceptional hands on Product Manager to join our team on a freelance basis for the months of June and July. As the leading publisher of enhanced digital books, Vook is looking to accelerate innovation and execute on creating a wide variety of enhanced reading products. The Product Manager will work with the editorial and engineering teams to translate business requirement documents for new products into wireframes and product specification documents, iterate on initial designs, work closely with editorial to achieve a final product spec, implement that spec with engineering and help promote the newly developed products to the production team. Core skills sets would include wireframe design, ability to create paper prototypes and interactive prototypes, understanding of BRDs, ability to quickly iterate designs, fast execution, user testing, user experience background in consumer media and an understanding of mobile media technology. Particular importance will be placed on developing to the ePub 3 specification for enhanced books. Knowledge of the ePub format, of digital publishing, of enhanced digital publishing is of particular relevance.
Location
New York, New York
Job Responsibilities
• Participate in creation and management of new product specifications for enhanced reading experiences
• Perform consumer needs analysis, market sizing, and competitive analysis to determine which online features will address key consumer opportunities
• Perform user testing and focus groups with new product templates to determine best practices
• Gather, synthesize and prioritize market needs and business requirements
• Transform those business requirements into detailed product requirements and lead cross-functional teams in product definition and design.
• Take ownership of a set of features and work closely with Design, Editorial, Marketing and Distribution to map out the goals, vision and requirements for those features that will accomplish the business goals.
• Champion the consumers' online experience, with a keen eye on developing a superior and differentiated user experience
• Create detailed product requirements that describe the products and features to be built.
• Manage tradeoffs and dependencies to make sure the end result is a great user experience that drives the business forward
• Partner with our Engineering team throughout the creative, build and implementation phases to ensure high quality, on time releases that balances consumer and business needs.
• Deliverables include page wireframes, market research documents, detailed product specifications and product roadmaps
What We're Looking For
• Passion for building great innovative digital products and a strong aptitude for business strategy
• Startup management experience a plus
• Decisiveness and knowledge of when to ask tough questions about projects
• Ability to debate ideas with both business owners and technical counterparts
• Knowledge of when and when not to follow the latest trends
• A mix of intelligence, integrity, domain knowledge, communication skills, and diplomacy that will allow you to rapidly earn the respect of internal team, partners, and customers
• Minimum 3-5 years software or internet product management experience
• Consumer internet or digital publishing product development experience a plus
• Experience writing product requirements and communicating project details with project team (business owners, IA/Design, Technology)
• Experience working closely with engineering, marketing, operations and customer service teams.
• Extensive experience creating product strategy and roadmap
• Experience creating complete product/feature specification documents
• Solution and team oriented with the ability to build trust and influence others
• Self-motivated, able to proactively work toward a goal independently without significant oversight
• Ability to adjust constantly, adapt and manage multiple priorities in a fast-paced Internet environment
• Tools: InDesign, Illustrator, Photoshop, Python, JavaScript, HTML and CSS
-
Blog Post: USMT and U: Migrating only fresh domain profiles
[Windows] (Site Home)
Hi folks, Ned here again. Frequently someone asks me how to make USMT 4.0 migrate only recently used domain user profiles. This might sound like a simple request for a USMT veteran, but there are some subtleties caused by processing rules and behaviors. Today I go through how this works, talk about pitfalls, and ultimately show how to solve the issue. Forearmed, you can solve quite a few more migration scenarios once you understand the rules and technique.
The goal and initial results
The plan here was to migrate only Cohowinery.com domain user profiles that had been accessed in the past three months, while skipping all local user profiles. This test computer had a variety of local and domain profiles, some of them very stale:
The USMT syntax used was similar to this:
Scanstate.exe c:\store /uel:90 /ui:cohowinery:\* /i:migdocs.xml /i:migapp.xml /c /o
So far so good. Then they restored the data:
Loadstate c:\store /uel:90 /ui:cohowinery:\* /i:migdocs.xml /i:migapp.xml /c
Which failed and returned to the console:
Starting the migration process
Processing the settings store
Selecting migration units
Failed.
Unable to create a local account because /lac was not specified
See the log file for more information.
LoadState return code: 14
Looking in the loadstate.log they saw:
The account 7-x64-rtm-01\admin is chosen for migration, but the target does not have account 7-X64-RTM-01\admin. See documentation on /lac, /lae, /ui, /ue and /uel options.
Unable to create a local account because /lac was not specified[gle=0x00000091]
What the? The "admin" user is a local account. Why was that migrated?
So they went back and examined the scanstate console and noticed something else:
Huh. All the domain users were migrating, even though BShirley and SDavis had not logged on in more than two years. They could enable /LAC to stop the loadstate failure, but that wouldn't accomplish the goals.
Understanding what happened
USMT has complex rules around profile precedence and the /UI, /UEL, and /UE command-line switches. Despite the best efforts of our talented TechNet writer Susan, the syntax is inherently nutty. Let's get the rules straight here first:
- /UI (User Include) always migrates a profile, regardless of /UE or /UEL. This looks simple until you learn that unless you also specify /UE:* then /UI always migrates all profiles regardless of arguments supplied. You must always use /UE:* if using /UI.
- /UE (User Exclude) blocks migrating profiles as expected, but it is always overridden by /UEL and /UI.
- /UEL (User Exclude based on last Logon) migrates profiles based on "newer than" rules; either a date or a number of days. Meaning that if a user's NTUSER.DAT has been modified within the time or date, that profile will be included in migration. /UEL always supersedes /UE.
- You don’t have to include /UI if you’re using /UEL or /UE. If you're blocking one thing - like if I only want to block local users using /UE:%computername%\* - leaving the /UI off is sufficient and less confusing.
- All users are implicitly migrated. So not providing any switches gets everyone.
Returning to the scenario above, we now know what happened:
- /UI was set for all domain users, meaning all domain users will migrate despite /UEL.
- /UEL would have blocked local users from migrating, but those accounts had logged on recently.
- Because the local users were included and (naturally) did not exist on the destination computer, loadstate required the /LAC switch to recreate them.
One more insidious point: by running a scanstate on a computer - even if you have various profile filters listed and even if you cancel the scanstate from completing the examination phase - all of the profiles are loaded and unloaded. Meaning that if you run scanstate even once, /UEL will no longer work because all of your NTUSER.DAT files are modified to "right now".
When testing UEL be sure to keep one of those handy "file date modification" utilities close. I use an internal one here called FILEDATE.EXE, but there are a zillion similar freebies on the internet (often with the same name). All you need to do is change the date on a given NTUSER.DAT to make it "stale" to USMT.
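To see which profiles /UEL would treat as fresh before scanstate ever touches them, the NTUSER.DAT timestamps can be read directly. The script below is an added example, not part of the original post or of USMT; the parameter names and the `COHOWINERY` NetBIOS domain name are assumptions, and the freshness test simply applies the "NTUSER.DAT modified within N days" rule described above.

```powershell
# Added example (not from the original post). Read-only preview of /uel:<days>:
# it reads file timestamps only and never loads a profile, so it does not
# refresh NTUSER.DAT the way a scanstate run does.
param(
    [int]$Days = 90,                   # same window as /uel:90 in the article
    [string]$Domain = 'COHOWINERY'     # assumed NetBIOS name of the article's domain
)

$cutoff = (Get-Date).AddDays(-$Days)

Get-WmiObject -Class Win32_UserProfile |
    Where-Object { -not $_.Special } |           # skip system/service profiles
    ForEach-Object {
        $p = $_                                  # keep the profile; $_ is reused inside catch

        # Resolve the profile SID to DOMAIN\user or COMPUTER\user.
        try {
            $sid     = New-Object System.Security.Principal.SecurityIdentifier($p.SID)
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $p.SID                    # orphaned profile: SID no longer resolves
        }

        # Classify the owner the same way the article's /UI and /UE patterns do.
        if     ($account -like "$env:COMPUTERNAME\*") { $scope = 'Local'  }
        elseif ($account -like "$Domain\*")           { $scope = 'Domain' }
        else                                           { $scope = 'Other'  }

        # NTUSER.DAT is a hidden file, hence -Force.
        $hivePath = Join-Path $p.LocalPath 'NTUSER.DAT'
        $hive     = Get-Item -LiteralPath $hivePath -Force -ErrorAction SilentlyContinue

        $lastWrite = $null
        $ageDays   = $null
        $fresh     = $false
        if ($hive) {
            $lastWrite = $hive.LastWriteTime
            $ageDays   = [int]((Get-Date) - $lastWrite).TotalDays
            $fresh     = ($lastWrite -ge $cutoff)   # "newer than" rule for /UEL
        }

        New-Object PSObject -Property @{
            Account       = $account
            Scope         = $scope
            HiveLastWrite = $lastWrite
            AgeDays       = $ageDays
            FreshForUel   = $fresh
        }
    } |
    Select-Object Account, Scope, HiveLastWrite, AgeDays, FreshForUel |
    Sort-Object Scope, Account
```

Rows with `Scope` of `Local` and `FreshForUel` of `True` are the profiles that a /UEL-only scanstate will still capture. If every row shows an age of zero days, scanstate has probably already been run on the machine.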
Making it work
You know how I like to ramble on about how things work and why they do what they do. Many readers just want the fix so they can get back to work. No one says you have to use the same command-line on your scanstate and loadstate. In this case, that's the solution:
Step 1
Scanstate the source computer using only /UEL. This meets the need for only getting current profiles. This may catch some local user profiles but a local user is unlikely to have much data to migrate. It's also unlikely that a local user is in regular use in a domain environment, meaning /UEL probably catches it as well. For example:
Scanstate c:\store /uel:90 /i:migdocs.xml /i:migapp.xml
Even in my example where a local user was gathered above, it added only 25MB to each store when using a Windows 7 source computer (due to the default Windows Mail files created for all users). If I had used a hardlink migration, it wouldn't even have been that. In reality, my local profiles were quite stale as I had not used them since creating the computer - I had to log on to them to make them "fresh" for my example. :)
Step 2
Loadstate the destination computer using /UI and /UE. This prevents the restore of any local profiles captured earlier. Since I only catch "fresh" profiles in the scanstate, there's no need to provide /UEL here. For example:
Loadstate c:\store /ue:* /ui:cohowinery\* /i:migdocs.xml /i:migapp.xml
With that I finally meet the goal of only migrating domain users that have logged on within the past 90 days.
Note: If the source and destination computer names are identical (perhaps a wipe and load scenario), you could alternatively use:
Loadstate c:\store /ue:%computername%\* /i:migdocs.xml /i:migapp.xml
Musings
To wrap up the USMT rules: nothing means everything, something means everything except when it means nothing, and sometimes often means never. Simple!
Other notes:
- More detail and examples on all of this here:
http://technet.microsoft.com/en-us/library/dd560781(v=WS.10).aspx
http://technet.microsoft.com/en-us/library/dd560804(v=WS.10).aspx
- I used /C a few times for ease of repro. Microsoft still recommends using a config.xml file with error handling rules rather than arbitrarily bypassing non-fatal errors with /c.
- There is a paradox Easter egg in my examples. Whoever points it out in the Comments first gets the "AskDS Silverback Alpha Geek Crown", currently worn by Darkseid64.
Until next time.
Ned "U-Haul" Pyle
-
Investigating the Host Binding Signature on the Plasmodium falciparum PfEMP1 Protein Family
[Science] (PLoS Pathogens: New Articles)
by Joel H. Janes, Christopher P. Wang, Emily Levin-Edens, Inès Vigan-Womas, Micheline Guillotte, Martin Melcher, Odile Mercereau-Puijalon, Joseph D. Smith
The Plasmodium falciparum erythrocyte membrane protein 1 (PfEMP1) family plays a central role in antigenic variation and cytoadhesion of P. falciparum infected erythrocytes. PfEMP1 proteins/var genes are classified into three main subfamilies (UpsA, UpsB, and UpsC) that are hypothesized to have different roles in binding and disease. To investigate whether these subfamilies have diverged in binding specificity and test if binding could be predicted by adhesion domain classification, we generated a panel of 19 parasite lines that primarily expressed a single dominant var transcript and assayed binding against 12 known host receptors. By limited dilution cloning, only UpsB and UpsC var genes were isolated, indicating that UpsA var gene expression is rare under in vitro culture conditions. Consequently, three UpsA variants were obtained by rosette purification and selection with specific monoclonal antibodies to create a more representative panel. Binding assays showed that CD36 was the most common adhesion partner of the parasite panel, followed by ICAM-1 and TSP-1, and that CD36 and ICAM-1 binding variants were highly predicted by adhesion domain sequence classification. Binding to other host receptors, including CSA, VCAM-1, HABP1, CD31/PECAM, E-selectin, Endoglin, CHO receptor “X”, and Fractalkine, was rare or absent. Our findings identify a category of larger PfEMP1 proteins that are under dual selection for ICAM-1 and CD36 binding. They also support that the UpsA group, in contrast to UpsB and UpsC var genes, has diverged from binding to the major microvasculature receptor CD36 and likely uses other mechanisms to sequester in the microvasculature. These results demonstrate that CD36 and ICAM-1 have left strong signatures of selection on the PfEMP1 family that can be detected by adhesion domain sequence classification and have implications for how this family of proteins is specializing to exploit hosts with varying levels of anti-malaria immunity.
-
Lori-Ann Lee: .Net Developer
[Jobs, Jobs (not Steve)] (Recent Programming Jobs)
Location: Fort Lee, NJ
URL: TRANZACT.NET
Company Overview
TRANZACT is the nation’s leader in providing outsourced customer acquisition solutions. We are known as innovators and pioneers in the technology-driven marketing space. TRANZACT offers a unique value proposition:
· We are focused on customer acquisition, providing an end-to-end solution, from strategy to provisioning.
· We deliver a measurable return on investment. We ensure that both parties’ interests and success criteria are aligned.
· We leverage innovative marketing, a robust technology infrastructure and unique data assets to deliver outstanding results.
· We operate with a high level of integrity. We are accountable, focused and shoot straight. Offering no excuses, we go out of our way to service our clients.
· We have a culture where the growth and development of our employees is a high priority. We provide a great working environment, with opportunities for career growth, financial prosperity, and balance between our professional and personal lives.
Position
.Net Developer
Responsibilities and Qualifications:
· Write, modify, and debug software for client applications.
· Use source debuggers and visual development environments in the development process
· Write code to create single threaded or multi threaded business applications, either stand alone or those which access servers or services
· Interact with Project Managers and Development Leads in order to complete each development project
· Develop and test web-based applications for both internal and external clients. Utilize C# and HTML/CSS experience (Asp.Net MVC)
· Utilize experience with test-driven development and/or automated unit testing. Perform test driven design and domain driven design
· Utilize JavaScript (JQuery), Silverlight, Visual Studio 2008, MS SQL and NHibernate 2.x.
Skills Required:
· The candidate should possess excellent communication skills, both verbal and written and be able to work efficiently in a team setting.
· A technical background with vast experience in UML, Visio, Use Case Diagrams, Sequence Diagrams, TADs, Data Flow Diagrams, etc. is a must.
· A development background in .NET, WebServices, XML, SQL Server is required.
· Excellent interpersonal and communications skills.
Salary commensurate with experience. TRANZACT offers great benefits, including medical, dental, vision, Paid Time Off, 401(k), and bonus opportunity!
To apply: Link to job posting: http://tbe.taleo.net/NA4/ats/careers/requisition.jsp?org=TRANZACT&cws=1&rid=132
-
Check Domain Name and Social Profile Availability at Namecheckr
[Tech] (BLOGTECHNIKA)
Want to create a new brand on the internet? You need to check the availability of the domain name and social profile. There are various domain name availability checking services available on the internet. You can also find various social profile availability checking services. Namecheckr is a great tool with which you can check both domain name and social profile availability at the same time. All you need to do is type a keyword in a box given [...]
Related posts:
- 10 Important Points To Make A Good Social Media Profile
- Top 8 Tips To Make A Strong Social Media Profile
- Punchcast: Password Generator For Different Sites
- Blogging And Social Networking In India
- How To Share Google Reader Feeds on Twitter, Facebook and Other Social Media Sites
- 5 Killer And Efficient Domain Name Selecting Tools
-
Blog Post: 5Nine Manager for Hyper-V
[Network Security] (Site Home)
Virtualization Nation,
With the release of Microsoft Hyper-V Server 2008 R2 SP1, we have once again raised the bar for providing a robust, enterprise class virtualization platform at no cost. For example, did you realize that Microsoft Hyper-V Server 2008 R2 SP1 includes RemoteFX? This new feature provides Graphical Processing Unit (GPU) accelerated video within a virtual machine. VMware's flagship product VSphere Enterprise Plus ($3500 per processor) doesn't have this capability.
Let that sink in for a moment.
GPU accelerated video within a virtual machine is an important consideration when architecting a Virtual Desktop Infrastructure (VDI) deployment. Perhaps you decide you're willing to deploy VDI using 2D virtualized video today. But what if you realize six months or a year down the road that you need 3D GPU accelerated graphics support? Do you really want to choose a virtualization platform for VDI that doesn't offer this capability today? Is VMware willing to provide this feature without requiring an upgrade ($$$)? In writing? If you review their history, that seems highly unlikely. These are key factors that you should consider when making a decision for VDI.
For more info on Microsoft Hyper-V Server 2008 R2 and R2 SP1, check out these two blogs:
- http://blogs.technet.com/b/virtualization/archive/2009/07/30/microsoft-hyper-v-server-2008-r2-rtm-more.aspx
- http://blogs.technet.com/b/virtualization/archive/2011/04/12/microsoft-hyper-v-server-2008-r2-sp1-released.aspx
Microsoft Hyper-V Server User Experience
If you've ever fired up the no-cost Hyper-V Server, you know that the UI is minimal. This is by design. The goal of Hyper-V Server is to make it easy for you to get the system configured and on the network for remote management. There's no Start menu or local GUI. Hyper-V Server instead includes a command line and SCONFIG, which is included to make it easy for you to configure the system for remote management functionality, such as:
- Domain Join
- Name the Computer
- Add Local Administrator
- Configure Remote Management
- Configure Networking, IP Addresses, etc.
- Enable Clustering for High Availability and Live Migration
- Configure Automatic Updating via Windows Update
Here's a screenshot of SCONFIG:
Once you've configured Hyper-V Server for remote management, you can manage it in a number of ways:
- Using Windows Server 2008 R2 SP1 Hyper-V Manager on a full version of Windows Server 2008 R2 SP1
- Using the Remote Server Administration Tools (RSAT) for Windows 7 & Windows 7 SP1
- System Center Virtual Machine Manager 2008 R2 SP1
- System Center Virtual Machine Manager 2012 Beta
While these options work for most of you, a number of folks have asked for a local GUI that could be run directly on Hyper-V Server 2008 R2.
Wouldn't that be cool?
We think so too. That's exactly what our partners at 5nine built!
5Nine Hyper-V Manager
The folks at 5Nine have developed a local GUI for Microsoft Hyper-V Server 2008 R2! With the 5Nine Hyper-V Manager you can create virtual machines, virtual networks, and more. In fact, 5Nine Hyper-V Manager supports Microsoft Hyper-V Server 2008 R2 SP1 and includes the ability to manage RemoteFX and Dynamic Memory settings.
Here's a screenshot of the 5nine Hyper-V Manager:
Very cool. This is a great opportunity to point out what can be accomplished using the public Hyper-V WMI APIs which have been documented since day one.
Download Links
Here are the key links:
Cheers,
Jeff Woolsey
Windows Server & Cloud
==============================================
FAQ
==============================================
Q: Did Microsoft develop this Hyper-V Manager for Microsoft Hyper-V Server 2008 R2?
A: No. The product is called 5Nine Hyper-V Manager developed by our partners at 5Nine. To learn more about 5Nine Hyper-V Manager you should check out their site here: http://www.5nine.com/5nine-manager-for-hyper-v-free.aspx
===========================================================================
Q: How much does the 5Nine Hyper-V Manager cost? What are the system requirements?
A: 5Nine offers both a free version and a $99 version. You should check out their website for the details. The big difference is that the $99 version provides local access to the VM itself.
Note: 5Nine Hyper-V Manager works with Microsoft Hyper-V Server 2008 R2 and later. It doesn't work with the original Microsoft Hyper-V Server 2008 because it requires some capabilities not included in Hyper-V Server 2008, such as .NET Framework.
===========================================================================
Q: Does Microsoft support the 5Nine Hyper-V Manager?
A: The 5Nine Hyper-V Manager was developed by the folks over at 5Nine; however, the 5Nine Hyper-V Manager uses our published Hyper-V WMI APIs, which are fully supported by Microsoft.
===========================================================================
Q: Will Microsoft provide a local GUI?
A: Microsoft provides multiple ways to manage Microsoft Hyper-V Server remotely including:
- Using Windows Server 2008 R2 SP1 Hyper-V Manager on a full version of Windows Server 2008 R2 SP1
- Using the Remote Server Administration Tools (RSAT) for Windows 7 & Windows 7 SP1
- System Center Virtual Machine Manager 2008 R2 SP1
- System Center Virtual Machine Manager 2012 Beta
Microsoft has no plans to provide a local GUI for Microsoft Hyper-V Server, and we are pleased to see our partners provide a solution.
-
Task was KILLED!!!!!
[Symantec] (Symantec Connect - Endpoint Management - Discussions)
Hello my friends
I'm currently trying to capture an image of a clean install of Windows 7 with updates.
My task is as follows:
1. Prepare for Image Capture -
Windows (using sysprep)
OS Type - Windows 7 Ultimate
Product Key Entered
Credentials to rejoin domain after capture is complete entered.
Reboot to automation
2. Create image
Image name - WIN7.gho
Imaging Tool - Ghost
Image type - Disk Image
Advanced - Capture image to webserver, specified.
3. Reboot to Production
But when it gets to the Create image stage it fails and logs a message and says "The task was killed because it took longer than the allowed time. To change the time go to the tasks advanced properties"
I have been to the advanced properties of the task and there is no option to edit time. Can anyone help me, I'm very new to creating jobs and tasks. I am using Altiris 7 by the way, for info.
-
Recruitment agencies at risk of becoming 'outdated'.
[Careers] (Blog Posts for All Users on ERE.net)
The once huge difference in capability between recruitment agencies and internal recruiting teams has become smaller and smaller, and agencies risk becoming marginalised and outdated if they don't employ new methodologies.
Previously, internal recruiting teams lacked the expertise, tools, methodologies and - importantly - the mindset to successfully recruit.
Now, though, the major thing holding them back is "bandwidth". Because internal recruiters have a greater number of jobs to fill at any one time, something is usually sacrificed.
Trends and differences we are now seeing between agencies and internal teams are:
- Professional recruiting methodologies - agencies use these more consistently, due to the fee-for-service aspect of their business;
- Job boards (generalist and specialist) - internal teams "have more of an edge" due to their desire to create direct channels;
- Recruiting technologies - internal teams are more likely to use sophisticated ATS and other technology, while agencies have lagged behind;
- Advanced internet sourcing - internal recruiters are more likely to learn about new methodologies via conferences, Twitter and networking. They are also more likely than agencies to share and copy innovative practices, due to the perceived lack of competition;
- Employee value proposition - internals are better placed to develop and use their EVP to attract and recruit candidates, while agencies have limited impact in this area;
- Talent pipelines, pools and communities - internal teams have a strategic advantage here, and can use their brand to attract and create relationships with potential candidates. Agencies have talent pools "of a sort", but they are not maintained for one or more [clients] and they have not worked out how to make money from them.
- Quality of hire - measuring this has exclusively been the domain of internal teams, and also enables them to measure the quality of external agencies they use.
Agencies can again become "the masters of the recruitment universe" if they make efforts to become more like internal recruiting functions and learn new technologies.
If they do not accept this challenge, many agencies will become marginalised and outdated. Essentially they need to:
- Develop a range of new services, such as talent pooling, that create value using new technologies;
- Build digital profiles in a range of areas, and manage increasingly sophisticated and complex social media connections; and
- Become leaders in all things sourcing - by participating in specialist sourcing conferences and training - and demonstrate this to internal teams.
-
Blog Post: Plan for your Office 365 transition from BPOS
[Windows] (Site Home)
The Microsoft Online Services blog has just released an update guiding you through what you need to be aware of during the transition from BPOS to Office 365.
Click here for more details.
http://blogs.technet.com/b/msonline/archive/2011/04/28/plan-for-your-office-365-transition.aspx
Quick Snippet below:
Recommendation #1: Download the transition guide
You can download the guide at any time.
Recommendation #2: Watch the Office 365 transition video
This video explains the overall transition process to Office 365—the future of collaboration, communications and online productivity.
Recommendation #3: Keep your team informed - create a distribution list
The best way to keep your team updated about the transition is to generate a distribution list for all the key technical contacts in your organization.
Recommendation #4: Be sure you know the Office 365 system requirements
Depending on your current desktop configuration, updates may be required to enable some of the Office 365 features. Check out the system requirements for more information on features such as synchronization of on-premises mailboxes and Active Directory, configuration services for Single Sign-On, and re-delegation for your email domain (MX Record) to enable email.
Recommendation #5: Always stay up to date
The transition center web site at www.bpostransition.com is the place to learn anything and everything about the transition process. Do you have questions still? Join the conversation in the transition forum.
-
Blog Post: Windows Server 2008 and 2008 R2 LDF Schema Extensions
[Microsoft Office] (Site Home)
Windows Server 2003 R2 extended the Windows Server 2003 schema from schema version 30 to 31. The update from 30 to 31 was schema file sch31.ldf which included support for DFS Replication (DFSr). An upgrade from Windows Server 2003 to Windows Server 2008 schema transitions the schema to schema version 44. This includes sch32.ldf through sch44.ldf.
If an upgrade is performed from a domain that is currently schema version 30, the Windows Server 2008 ADPREP /forestprep command will include sch31.ldf in the schema update process.
Note: Windows Server 2008 R2 transitions the Active Directory Schema to schema version 47.
The updates to the Active Directory schema are:
Sch32.ldf
This adds new attributes of:
- msDS-KrbTgtLink: Used with RODCs to define which krbtgt_XXXX account corresponds to each RODC
- msDS-RevealedUsers: Used with RODCs to identify the user objects whose secrets have been disclosed to that RODC
- msDS-RevealedList: Identifies security principals whose current computer account passwords have been replicated to the RODC
- msDS-hasFullReplicaNCs: Identifies the partitions held as full replicas
- msDS-NeverRevealGroup: Used with RODCs to define which users, computers, and groups are not allowed to have their passwords cached on a RODC
- msDS-RevealOnDemandGroup: Used with RODCs to define which users, computers, and groups are allowed to have their passwords cached on a RODC
- msDS-SecondaryKrbTgtNumber: Identifies the protocol identification number associated with the secondary domain
- msDS-RevealedDSAs: Backlink For ms-DS-Revealed-Users and identifies which RODC holds that user's secret
- msDS-KrbTgtLinkBl: Backlink for the KrbTgtLink attribute
- msDS-IsDomainFor: Backlink for ms-DS-Has-Domain-NCs and identifies which DCs hold that partition as their primary domain
- msDS-IsFullReplicaFor: Backlink for ms-Ds-Has-Full-Replica-NCs and identifies which DCs hold that partition as a full replica
- msDS-IsPartialReplicaFor: Backlink for has-Partial-Replica-NCs and identifies which DCs hold that partition as a partial replica
After the addition of these attributes, Sch32.ldf then modifies the systemMayContain values of certain objects that may contain any or all of these new attributes.
The schema version is then increased to schema version 32.
Sch33.ldf
This adds new attributes of:
- msDS-isGC: Identifies the state of the Global Catalog on the DC
- msDS-isRODC: Shows whether a DC is a RODC
- msDS-SiteName: Lists the site name that corresponds to the DC
- msDS-AuthenticatedAtDC: Forwardlink for ms-DS-AuthenticatedTo-Accountlist and identifies which DC a user has authenticated to
- msDS-PromotionSettings: For a Computer, contains an XML string to be used for delegated DSA promotion
- msDS-SupportedEncryptionTypes: The encryption algorithms supported by user, computer or trust accounts
  - Note: The KDC uses this information while generating a service ticket for this account. Services/Computers may automatically update this attribute on their respective accounts in Active Directory, and therefore need write access to this attribute.
- msDS-AuthenticatedToAccountlist: Backlink for ms-DS-AuthenticatedAt-DC and identifies which users have authenticated to this Computer
After the addition of these attributes, Sch33.ldf then modifies the msDS-Never-Reveal-Group and the msDS-Reveal-OnDemand-Group attributes and marks them as multi-valued. It then modifies the systemMayContain values of certain objects that may contain any or all of these new attributes.
The schema version is then increased to schema version 33.
Sch34.ldf
Sch34.ldf adds the following attributes to the Schema:
- msDFSR-ReadOnly: Specifies whether the content is read-only or read-write
- msDFSR-Priority: Priority level
- msDS-AzObjectGuid: The unique and portable identifier of AzMan objects
- msDS-AzGenericData: AzMan specific generic data
- msDFSR-CachePolicy: On-demand cache policy options
- msDFSR-DeletedPath: Full path of the Deleted directory
- msFVE-RecoveryGuid: Contains the GUID associated with a Full Volume Encryption (FVE) recovery password
- msDS-SeniorityIndex: Contains the seniority index as applied by the organization where the person works
- msTPM-OwnerInformation: This attribute contains the owner information of a particular TPM
- msPKIDPAPIMasterKeys: Storage of encrypted DPAPI Master Keys for user
- msDS-PhoneticLastName: Contains the phonetic last name of the person
- msPKIRoamingTimeStamp: Time stamp for last change to roaming tokens
- msDFSR-DeletedSizeInMb: Size of the Deleted directory in MB
- msDS-PhoneticFirstName: Contains the phonetic given name or first name of the person
- msFVE-RecoveryPassword: Contains the password required to recover a Full Volume Encryption (FVE) volume
- msDS-PhoneticDepartment: Contains the phonetic department name where the person works
- msPKIAccountCredentials: Storage of encrypted user credential token blobs for roaming
- msRADIUS-FramedIpv6Route: Provides routing information to be configured for the user on the NAS
- msDS-PhoneticDisplayName: The phonetic display name of an object. In the absence of a phonetic display name the existing display name is used
- msDS-PhoneticCompanyName: Contains the phonetic company name where the person works
- ms-net-ieee-8023-GP-PolicyData: Contains all of the settings and data which comprise a Group Policy configuration for 802.3 wired networks
- ms-net-ieee-8023-GP-PolicyGUID: Contains a GUID which identifies a specific 802.3 Group Policy object on the domain
- msDFSR-MaxAgeInCacheInMin: Maximum time in minutes to keep files in full form
- ms-net-ieee-80211-GP-PolicyData: Contains all of the settings and data which comprise a Group Policy configuration for 802.11 wireless networks
- msRADIUS-FramedIpv6Prefix: Indicates an IPv6 prefix (and corresponding route) to be configured for the user
- ms-net-ieee-80211-GP-PolicyGUID: Contains a GUID which identifies a specific 802.11 Group Policy object on the domain
- msRADIUS-FramedInterfaceId: Indicates the IPv6 interface identifier to be configured for the user
- msDS-NC-RO-Replica-Locations: A linked attribute on a cross ref object for a partition and lists the DC which should host the partition in a readonly manner
- msDS-NC-RO-Replica-Locations-BL: Backlink attribute for ms-DS-NC-RO-Replica-Locations
- msDFSR-MinDurationCacheInMin: Minimum time in minutes before truncating files
- ms-net-ieee-8023-GP-PolicyReserved: Reserved for future use
- msRADIUS-SavedFramedIpv6Route: Provides routing information to be configured for the user on the NAS
- ms-net-ieee-80211-GP-PolicyReserved: Reserved for future use
- msRADIUS-SavedFramedIpv6Prefix: Indicates an IPv6 prefix (and corresponding route) to be configured for the user
- msRADIUS-SavedFramedInterfaceId: Indicates the IPv6 interface identifier to be configured for the user
- samDomainUpdates: Contains a bitmask of performed SAM operations on active directory
Sch34.ldf then adds the following classes to the Active Directory Schema:
- ms-net-ieee-8023-GroupPolicy: This class represents an 802.3 wired network Group Policy object. This class contains identifiers and configuration data relevant to an 802.3 wired network
- ms-net-ieee-80211-GroupPolicy: This class represents an 802.11 wireless network Group Policy object. This class contains identifiers and configuration data relevant to an 802.11 wireless network
- msFVE-RecoveryInformation: This class contains a Full Volume Encryption recovery password with its associated GUID
- nTDSDSARO: A subclass of Directory Service Agent which is distinguished by its reduced privilege level
After the addition of these attributes and classes, Sch34.ldf then modifies the systemMayContain values of certain objects that may contain any or all of these new attributes.
The schema version is then increased to schema version 34.
Sch35.ldf
Sch35.ldf adds the following attributes to the Schema:
- msDS-LastSuccessfulInteractiveLogonTime: The time that the correct password was presented during a Ctrl+Alt+Delete logon
- msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon: The total number of failed interactive logons up until the last successful Ctrl+Alt+Delete logon
- msDS-FailedInteractiveLogonCount: The total number of failed interactive logons since this feature was turned on
- msDS-LastFailedInteractiveLogonTime: The time that an incorrect password was presented during a Ctrl+Alt+Delete logon
After the addition of these attributes, Sch35.ldf then modifies the systemMayContain values of the object CN=User,CN=Schema,CN=Configuration,DC=X (where DC=x is the Distinguished Name of the forest root domain) to include these new attributes.
The schema version is then increased to schema version 35.
Sch36.ldf
Then Sch36.ldf makes the following addition to the Schema:
- msDS-RevealedListBL: Backlink attribute for ms-DS-Revealed-List
After the addition of this one attribute, Sch36.ldf modifies the Search Flags value of the following attributes:
- CN=From-Server,CN=Schema,CN=Configuration,DC=X
- CN=msNPAllowDialin,CN=Schema,CN=Configuration,DC=X
- CN=msNPCallingStationID,CN=Schema,CN=Configuration,DC=X
- CN=msNPSavedCallingStationID,CN=Schema,CN=Configuration,DC=X
- CN=msRADIUSCallbackNumber,CN=Schema,CN=Configuration,DC=X
- CN=msRADIUSFramedIPAddress,CN=Schema,CN=Configuration,DC=X
- CN=msRADIUSFramedRoute,CN=Schema,CN=Configuration,DC=X
- CN=msRADIUSServiceType,CN=Schema,CN=Configuration,DC=X
- CN=msRASSavedCallbackNumber,CN=Schema,CN=Configuration,DC=X
- CN=msRASSavedFramedIPAddress,CN=Schema,CN=Configuration,DC=X
- CN=msRASSavedFramedRoute,CN=Schema,CN=Configuration,DC=X
- CN=ms-RADIUS-FramedInterfaceId,CN=Schema,CN=Configuration,DC=X
- CN=ms-RADIUS-SavedFramedInterfaceId,CN=Schema,CN=Configuration,DC=X
- CN=ms-RADIUS-FramedIpv6Prefix,CN=Schema,CN=Configuration,DC=X
- CN=ms-RADIUS-SavedFramedIpv6Prefix,CN=Schema,CN=Configuration,DC=X
- CN=ms-RADIUS-FramedIpv6Route,CN=Schema,CN=Configuration,DC=X
- CN=ms-RADIUS-SavedFramedIpv6Route,CN=Schema,CN=Configuration,DC=X
- CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
- CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
- CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X
The schema version is then increased to schema version 36.
Sch37.ldf
The LDF file Sch37.ldf adds the following attributes to the schema:
- msDS-UserPasswordExpiryTimeComputed: Contains the expiry time for the user's current password
- msDS-PrincipalName: Account name for the security principal (constructed)
- msDFSR-OnDemandExclusionDirectoryFilter: Filter string applied to on demand replication directories
- msDFSR-DefaultCompressionExclusionFilter: Filter string containing extensions of file types not to be compressed
- msTSHomeDrive: Terminal Services Home Drive specifies a Home drive for the user
- msTSProperty01: Placeholder Terminal Server Property 01
- msTSProperty02: Placeholder Terminal Server Property 02
- msTSAllowLogon: Specifies whether the user is allowed to log on to the Terminal Server. The value is 1 if logon is allowed, and 0 if logon is not allowed.
- msTSExpireDate: TS Expiration Date
- msTSManagingLS: TS Managing License Server
- msDFSR-Options2: Object Options2
- msTSProfilePath: Terminal Services Profile Path specifies a roaming or mandatory profile path to use when the user logs on to the Terminal Server. The profile path is in the following network path format: \\servername\profiles folder name\username
- msTSMaxIdleTime: Terminal Services Session Maximum Idle Time is the maximum amount of time, in minutes, that the Terminal Services session can remain idle
- msTSHomeDirectory: Terminal Services Home Directory specifies the Home directory for the user
- msTSRemoteControl: Terminal Services Remote Control specifies whether to allow remote observation or remote control of the user's Terminal Services session
- msTSWorkDirectory: Terminal Services Session Work Directory specifies the working directory path for the user
- msTSInitialProgram: Terminal Services Session Initial Program specifies the Path and file name of the application that the user wants to start automatically when the user logs on to the Terminal Server
- msTSLicenseVersion: TS License Version
- msTSMaxConnectionTime: Terminal Services Session maximum Connection Time is Maximum duration, in minutes, of the Terminal Services session
- msTSReconnectionAction: Terminal Services Session Reconnection Action specifies whether to allow reconnection to a disconnected Terminal Services session from any client computer
- msTSConnectClientDrives: Terminal Services Session Connect Client Drives At Logon specifies whether to reconnect to mapped client drives at logon
- msDFSR-CommonStagingPath: Full path of the common staging directory
- msTSMaxDisconnectionTime: Terminal Services Session Maximum Disconnection Time is maximum amount of time, in minutes, that a disconnected Terminal Services session remains active on the Terminal Server
- msTSDefaultToMainPrinter: Terminal Services Default To Main Printer specifies whether to print automatically to the client's default printer
- msTSConnectPrinterDrives: Terminal Services Session Connect Printer Drives At Logon specifies whether to reconnect to mapped client printers at logon
- msTSBrokenConnectionAction: Terminal Services Session Broken Connection Action specifies the action to take when a Terminal Services session limit is reached
- msDFSR-DisablePacketPrivacy: Disable packet privacy on a connection
- msDFSR-CommonStagingSizeInMb: Size of the common staging directory in MB
- msDFSR-OnDemandExclusionFileFilter: Filter string applied to on demand replication files
- msDFSR-StagingCleanupTriggerInPercent: Staging cleanup trigger in percent of free disk space
After these attributes have been added, Sch37.ldf modifies security on Terminal Services objects and then updates the mayContain values of Terminal Services and DFSr objects.
The schema version is then increased to schema version 37.
Sch38.ldf
Sch38.ldf only makes one change. This change is to the CN=ms-DS-AuthenticatedAt-DC,CN=Schema,CN=Configuration,DC=X attribute. The modification that is made to this attribute is to mark this attribute as systemOnly.
After this change, the schema version is still increased to version 38.
Sch39.ldf
Sch39.ldf begins by modifying the following attributes:
- msFVE-KeyPackage: Contains a volume's BitLocker encryption key secured by the corresponding recovery password
- msFVE-VolumeGuid: Contains the GUID associated with a BitLocker-supported disk volume
- msDS-HABSeniorityIndex: Contains the seniority index as applied by the organization where the person works
Sch39.ldf then modifies the adminDescription, searchFlags, and rangeUpper of the attributes:
- CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
- CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
- CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X
- CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=X
- CN=msSFU-30-Posix-Member,CN=Schema,CN=Configuration,DC=X
Lastly, Sch39.ldf also updates the systemMayContain and mayContain values of additional objects in the Schema which could contain any of these attributes.
The schema version is then increased to schema version 39.
Sch40.ldf
The LDF file Sch40.ldf adds many attributes to the schema. Half of these attributes are used with Fine Grained Password policies and the other half are used with Terminal Server Licensing. This list is all of the attributes that are added to the Active Directory schema:
- msDS-PasswordReversibleEncryptionEnabled: Password reversible encryption status for user accounts
- msDS-NcType: A bit field that maintains information about aspects of a NC replica that are relevant to replication
- msDS-PSOAppliesTo: Links to objects that this password settings object applies to
- msDS-PSOApplied: Password settings object applied to this object
- msDS-ResultantPSO: Resultant password settings object applied to this object
- msDS-LockoutDuration: Lockout duration for locked out user accounts
- msDS-LockoutThreshold: Lockout threshold for lockout of user accounts
- msDS-MinimumPasswordAge: Minimum Password Age for user accounts
- msDS-MaximumPasswordAge: Maximum Password Age for user accounts
- msDS-MinimumPasswordLength: Minimum Password Length for user accounts
- msDS-PasswordHistoryLength: Password History Length for user accounts
- msDS-LockoutObservationWindow: Observation Window for lockout of user accounts
- msDS-PasswordComplexityEnabled: Password complexity status for user accounts
- msDS-PasswordSettingsPrecedence: Password Settings Precedence
- msTSManagingLS2: Issuer name of the second TS per user CAL
- msTSManagingLS3: Issuer name of the third TS per user CAL
- msTSManagingLS4: Issuer name of the fourth TS per user CAL
- msTSExpireDate2: Expiration date of the second TS per user CAL
- msTSExpireDate3: Expiration date of the third TS per user CAL
- msTSExpireDate4: Expiration date of the fourth TS per user CAL
- msTSLSProperty01: Placeholder Terminal Server License Server Property 01
- msTSLSProperty02: Placeholder Terminal Server License Server Property 02
- msTSLicenseVersion2: Version of the second TS per user CAL
- msTSLicenseVersion3: Version of the third TS per user CAL
- msTSLicenseVersion4: Version of the fourth TS per user CAL
- msDS-IsUserCachableAtRodc: For a Read-Only Domain Controller (RODC), Identifies whether the specified user's secrets are cacheable
It is important to note that these password policy related attributes (i.e. msDS-LockoutDuration, msDS-LockoutThreshold, msDS-MinimumPasswordAge, etc.) are not simply an update to the existing Lockout Duration, Lockout Threshold, Minimum Password Age, etc. settings that administrators are used to seeing in a Password Policy. Password Policy settings on a Windows 2000 and Windows Server 2003 domain controller are contained in the registry of the domain controller, not as attributes held within Active Directory.
Windows Server 2008 in Domain Functional Level 2008 allows for multiple Fine Grained Password Policies per domain. For this to exist, attributes that correspond to each setting needed to be introduced to the schema.
Sch40.ldf then modifies attributes that have been created during the schema update and also updates various objects in the schema. These modifications are searchFlags, mayContain, systemMayContain, and possPosition values.
After these changes, sch40.ldf then creates two new classes that pertain to Fine Grained Password Policies. These classes are:
- msDS-PasswordSettingsContainer: Container for password settings objects
- msDS-PasswordSettings: Password settings object for accounts
  - Note: This classSchema object is created with a list of systemMustContain OIDs. This is a list of attributes that a Password Settings Object (PSO) must contain or else the creation of the PSO will fail.
After the classes are created, the sch40.ldf file then modifies more systemMayContain values of other objects.
The schema version is then increased to schema version 40.
Sch41.ldf
Sch41.ldf makes only a few changes to objects that exist in the schema. First, modifications are made to the systemMayContain values of the objects:
- CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=X
- CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=X
- CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=X
- CN=ms-DS-PSO-Applied,CN=Schema,CN=Configuration,DC=X
- CN=ms-DS-Resultant-PSO,CN=Schema,CN=Configuration,DC=X
Second, modifications are made to the rightsGUID values of the objects:
- CN=MS-TS-GatewayAccess,CN=Extended-Rights,CN=Configuration,DC=X
- CN=Terminal-Server-License-Server,CN=Extended-Rights,CN=Configuration,DC=X
The schema version is then increased to schema version 41.
Sch42.ldf
Schema update 42 makes modifications to over 360 objects in the schema. The modifications that are made to these objects are adding the schemaFlagsEx attribute to each object and setting a value of 1. The code for each modification looks like this:
changetype: ntdsSchemaModify
add: schemaFlagsEx
schemaFlagsEx: 1
Only the operating system can modify the schemaFlagsEx value, and this value specifies whether an attribute can be part of the filtered attribute set.
After the update to all 360+ attributes, the schema version is increased to schema version 42.
Sch43.ldf
Sch43.ldf adds the following attributes to the Active Directory Schema:
- msDFS-SchemaMajorVersion: Major version of schema of DFS metadata
- msDFS-SchemaMinorVersion: Minor version of schema of DFS metadata
- msDFS-GenerationGUIDv2: To be updated each time the entry containing this attribute is modified
- msDFS-NamespaceIdentityGUIDv2: To be set only when the namespace is created. Stable across rename/move as long as namespace is not replaced by another namespace having same name
- msDFS-LastModifiedv2: To be updated on each write to the entry containing the attribute
- msDFS-Ttlv2: TTL associated with DFS root/link. For use at DFS referral time
- msDFS-Commentv2: Comment associated with DFS root/link
- msDFS-Propertiesv2: Properties associated with DFS root/link
- msDFS-TargetListv2: Targets corresponding to DFS root/link
- msDFS-LinkPathv2: DFS link path relative to the DFS root target share (i.e. without the server/domain and DFS namespace name components). Use forward slashes (/) instead of backslashes so that LDAP searches can be done without having to use escapes
- msDFS-LinkSecurityDescriptorv2: Security descriptor of the DFS links's reparse point on the filesystem
- msDFS-LinkIdentityGUIDv2: To be set only when the link is created. Stable across rename/move as long as link is not replaced by another link having same name
- msDFS-ShortNameLinkPathv2: Shortname DFS link path relative to the DFS root target share (i.e. without the server/domain and DFS namespace name components). Use forward slashes (/) instead of backslashes so that LDAP searches can be done without having to use escapes
- msDFS-NamespaceAnchor: DFS namespace anchor
- msDFS-Namespacev2: DFS namespace
- msDFS-Linkv2: DFS Link in DFS namespace
- msDFS-DeletedLinkv2: Deleted DFS Link in DFS namespace
- addressBookRoots2: Used by Exchange. Exchange configures trees of address book containers to show up in the MAPI address book. This attribute on the Exchange Config object lists the roots of the address book container trees
- globalAddressList2: This attribute is used on a Microsoft Exchange container to store the distinguished name of a newly created global address list (GAL)
- templateRoots2: This attribute is used on the Exchange config container to indicate where the template containers are stored. This information is used by the Active Directory MAPI provider
Once these attributes have been created the schema version is incremented to schema version 43.
Sch44.ldf
Schema Update 44 only modifies some objects that already exist. These modifications change systemMayContain, showInAdvancedViewOnly, searchFlags, and adminDescription. Once this is complete, the schema version is incremented to schema version 44. At this point, the Windows Server 2008 ADPREP /forestprep is complete.
Additional LDF files for Windows Server 2008 R2 ADPREP /forestprep
Sch45.ldf
Sch45.ldf adds the following attributes to the Active Directory schema:
- msDS-USNLastSyncSuccess: The USN at which the last successful replication synchronization occurred
- isRecycled: Is the object recycled (for use with AD Recycle Bin)
- msDS-OptionalFeatureGUID: GUID of an optional feature
- msDS-EnabledFeature: Enabled optional features
- msImaging-PSPString: Schema Attribute that contains the XML sequence for this PostScan Process
- msDS-OIDToGroupLink: For an OID, identifies the group object corresponding to the issuance policy represented by this OID
- msDS-OIDToGroupLinkBl: Backlink for ms-DS-OIDToGroup-Link; identifies the issuance policy, represented by an OID object, which is mapped to this group
- msImaging-PSPIdentifier: Schema Attribute that contains the unique identifier for this PostScan Process
- msDS-HostServiceAccount: Service Accounts configured to run on this computer
- msDS-HostServiceAccountBL: Service Accounts Back Link for linking machines associated with the service account
- msDS-RequiredDomainBehaviorVersion: Required domain function level for this feature
- msDS-RequiredForestBehaviorVersion: Required forest function level for this feature
- msPKI-CredentialRoamingTokens: Storage of encrypted user credential token blobs for roaming
- msDS-LocalEffectiveRecycleTime: Recycle time of the object in the local DIT
- msDS-LocalEffectiveDeletionTime: Deletion time of the object in the local DIT
- msDS-LastKnownRDN: Holds original RDN of a deleted object
- msDS-EnabledFeatureBL: Scopes where this optional feature is enabled
- msDS-DeletedObjectLifetime: Lifetime of a deleted object
- msDS-OptionalFeatureFlags: An integer value that contains flags that define behavior of an optional feature in Active Directory
- msPKI-Enrollment-Servers: Priority, authentication type, and URI of each certificate enrollment web service
- msPKI-Site-Name: Active Directory site to which the CA machine belongs
- msTSEndpointData: This attribute represents the VM Name for machine in TSV deployment.
- msTSEndpointType: This attribute defines if the machine is a physical machine or a virtual machine.
- msTSEndpointPlugin: This attribute represents the name of the plugin which handles the orchestration.
- msTSPrimaryDesktop: This attribute represents the forward link to user's primary desktop.
- msTSSecondaryDesktops: This attribute represents the array of forward links to user's secondary desktops.
- msTSPrimaryDesktopBL: This attribute represents the backward link to user.
- msTSSecondaryDesktopBL: This attribute represents the backward link to user.
- msImaging-PSPs: Container for all Enterprise Scan Post Scan Process objects.
- msDS-OptionalFeature: Configuration for an optional DS feature.
- msImaging-PostScanProcess: Enterprise Scan Post Scan Process object.
- msDS-ManagedServiceAccount: Service account class is used to create accounts that are used for running Windows services.
Then, modifications are made to various objects in the schema which contain values such as systemMayContain and appliesTo. Lastly, the objects CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=X and CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=X are created as optional features that can be enabled with Windows Server 2008 R2.
When this is complete the schema version is incremented to 45.
Sch46.ldf
The LDF file Sch46.ldf makes one change to the object CN=ms-DS-Managed-Service-Account,CN=Schema,CN=Configuration,DC=X. The change that is made is to modify the defaultHidingValue and configure it with a value of FALSE.
When this is complete the schema version is incremented to 46.
Sch47.ldf
Sch47.ldf modifies only two objects in the schema. These objects are CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=X and CN=ms-DS-Managed-Service-Account,CN=Schema,CN=Configuration,DC=X. The modification to the first is a modification to the systemMayContain value. The modification to the second object is a deletion of the systemPossSuperiors value.
When this is complete the schema version is incremented to schema version 47 and the ADPREP /forestprep for Windows Server 2008 R2 is complete.
-
Fat Pandas and Thin Content
[Power150, SEO (Search Engine Optimization)] (SEOmoz Daily SEO Blog)
Posted by Dr. Pete
If you’ve been hit by the Panda update or are just worried about its implications, you’ve probably read a lot about “thin” content. We spend our whole lives trying to get thin, and now Google suddenly hates us for it. Is the Panda update an attempt to make us all look like Pandas? Does Google like a little junk in the trunk?
It’s confusing and it's frustrating, especially if you have real money on the line. It doesn’t help that “thin” content has come to mean a lot of things, and not every definition has the same solution. To try to unravel this mess, I'm going to present 7 specific definitions of “thin” content and what you can do to fatten them up.
Quality: A Machine’s View
To make matters worse, “thin” tends to get equated with “quality” – if you’ve got thin content, just increase your quality. It sounds good, on the surface, but ultimately Google’s view of quality is defined by algorithms. They can’t measure the persuasiveness of your copy or the manufacturing standards behind your products. So, I’m going to focus on what Google can measure, specifically, and how they might define “thin” content from a machine’s perspective.
1. True Duplicates (Internal)
True, internal duplicates are simply copies of your own pages that make it into the search index, almost always a result of multiple URLs that lead to the same content. In Google’s eyes, every URL is a unique entity, and every copy makes your content thinner:
A few duplicates here and there won’t hurt you, and Google is able to filter them out, but when you reach the scale of an e-commerce site and have 100s or 1000s of duplicates, Google’s “let us handle it” mantra fails miserably, in my experience. Although duplicates alone aren’t what the Panda update was meant to address, these duplicates can exacerbate every other thin content issue.
The Solution
Get rid of them, plain and simple. True duplicates should be canonicalized, usually with a 301-redirect or the canonical tag. Paths to duplicate URLs may need to be cut, too. Telling Google that one URL is canonical only to link to 5 versions on your own site will only prolong your problems.
2. True Duplicates (Cross-site)
Google is becoming increasingly aggressive about cross-site duplicates, which may differ by their wrapper but are otherwise the exact same pieces of content across more than one domain:
Too many people assume that this is all an issue of legitimacy or legality – scrapers are bad, but syndication and authorized duplication are fine. Unfortunately, the algorithm doesn’t really care. The same content across multiple sites is SERP noise, and Google will try to filter it out.
The Solution
Here’s where things start to get tougher. If you own all of the properties or control the syndication, then a cross-domain canonical tag is a good bet. Choose which version is the source, or Google may choose for you. If you’re being scraped and the scrapers are outranking you, you may have to build your authority or file a DMCA takedown. If you’re a scraper and Panda knocked you off the SERPs, then go Panda.
3. Near Duplicates (Internal)
Within your own site, “near” duplicates are just that – pages which vary by only a small amount of content, such as a couple of lines of text:
A common example is when you take a page of content and spin it off across 100s of cities or topics, changing up the header and a few strategic keywords. In the old days, the worst that could happen is that these pages would be ignored. Post-Panda, you risk much more severe consequences, especially if those pages make up a large percentage of your overall content.
Another common scenario is deep product pages that only vary by a small piece of information, such as the color of the product or the size. Take a T-shirt site, for example – any given style could come in dozens of combinations of gender, color, and size. These pages are completely legitimate, from a user perspective, but once they multiply into the 1000s, they may look like low-value content to Google.
The Solution
Unfortunately, this is a case where you might have to bite the bullet and block these pages (such as with META NOINDEX). For the second scenario, I think that can be a decent bet. You might be better off focusing your ranking power on one product page for the T-shirt instead of every single variation. In the geo-keyword example, it’s a bit tougher, since you built those pages specifically to rank. If you’re facing large-scale filtering or devaluation, though, blocking those pages is better than the alternative. You may want to focus on just the most valuable pages and prune those near duplicates down to a few dozen instead of a few thousand. Alternatively, you’ve got to find a way to add content value, beyond just a few swapped-out keywords.
4. Near Duplicates (Cross-site)
You can also have near duplicates across sites. A common example is a partnered reseller who taps into their customers’ databases to pull product descriptions. Add multiple partners, plus the original manufacturer’s site, and you end up with something like this:
While the sites differ in their wrappers and some of their secondary content, they all share the same core product description (in red). Unfortunately, it’s also probably the most important part of the page, and the manufacturer will naturally have a ranking advantage.
The Solution
There’s only one viable long-term solution here – if you want to rank, you’ve got to build out unique content to support the borrowed content. It doesn’t always take a lot, and there are creative ways to generate content cost-effectively (like user-generated content). Consider the product page below:
The red text is the same, but here I’ve supplemented it with 2 unique bits of copy: (1) a brief editorial description, and (2) user reviews. Even a unique 1-2 sentence lead-off editorial that’s unique to your site can make a difference, and UGC is free (although it does take time to build).
Of course, the typical argument is “I don’t have the time or money to create that much unique content.” This isn’t something you have to do all at once – pick the top 5-10% of your best sellers and start there. Give your best products some unique content and see what happens.
5. Low Unique Ratio
This scenario is similar to internal near-duplicates (#3), but I’m separating it out because I find it manifests in a different way on a different set of sites. Instead of repeating body content, sites with a low ratio of unique content end up with too much structure and too little copy:
This could be a result of excessive navigation, mega-footers, repeated images or dynamic content – essentially, anything that’s being used on every page that isn’t body copy.
The Solution
Like internal near-duplicates, you’ve got to buckle down and either beef up your unique content or consider culling some of these pages. If your pages are 95% structure with 1-2 sentences of unique information, you really have to ask yourself what value they provide.
6. High Ad Ratio
You’ve all seen this site, jam-packed with banner ads of all sizes and AdSense up and down both sides (and probably at the top and bottom):
Of course, not coincidentally, you’ve also got a low amount of unique content in play, but Google can take an especially dim view of loading up on ads with nothing to back it up.
So, how much is too much? Last year, an affiliate marketer posted a very interesting conversation with an AdWords rep. Although this doesn’t technically reveal anything about the organic algorithm, it does tell us something about Google’s capabilities and standards. The rep claims that Google views a quality page as having at least 30% unique content, and it can only have as much space devoted to ads as it does to unique content. More importantly, it strongly suggests that Google can algorithmically measure both content ratio (#5) and ad ratio.
The Solution
You’ve got to scale back, or you’ve got to build up your content. Testing is very important here. Odds are good that, if your site is jammed with ads, some of those ads aren’t getting much attention. Collect the data, find out which ones, and cut them out. You might very well find that you not only improve your SEO, but you also improve the CTR on your remaining ads.
7. Search within Search
Most large (and even medium-sized) sites, especially e-commerce sites, have pages and pages of internal search results, many reachable by links (categories, alphabetical, tags, etc.):
Google has often taken a dim view of internal search results (sometimes called “search within search”, although that term has also been applied to Google’s direct internal search boxes). Essentially, they don’t want people to jump from their search results to yours – they want search users to reach specific, actionable information.
While Google certainly has their own self-interest in mind in some of these cases, it’s true that internal search can create tons of near duplicates, once you tie in filters, sorts, and pagination. It’s also arguable that these pages create a poor search experience for Google users.
The Solution
This can be a tricky situation. On the one hand, if you have clear conceptual duplicates, like search sorts, you should consider blocking or NOINDEXing them. Having the ascending and descending version of a search page in the Google index is almost always low value. Likewise, filters and tags can often create low-value paths to near duplicates.
Search pagination is a difficult issue and beyond the scope of this post, although I’m often in favor of NOINDEXing pages 2+ of search results. They tend to convert poorly and often look like duplicates.
A Few Words of Caution
Any change that would massively reduce your search index is something that has to be considered and implemented carefully. While I believe that thin content is an SEO disadvantage and that Google will continue to frown on it, I should also note that not all of these scenarios are necessarily reflected in the Panda update. These issues do reflect longer-standing Google biases and may exacerbate Panda-related problems.
Unfortunately, we’ve seen very few success stories of Panda recovery at this stage, but I strongly believe that addressing thin content, increasing uniqueness, and removing your lowest value pages from the index can have a very positive impact on SEO. I’d also bet good money that, while the Panda algorithm changes may be adjusted and fine-tuned, Google’s attitude toward thin content is here to stay. Better to address content problems now than find yourself caught up in the next major update.
Sad panda image licensed from iStockPhoto (©2010).
-
Goyaałé
[Education, Kids] (Science teacher)
When I was a child, I was fascinated by Geronimo--his fierce face stared at me from a century away, in a sepia toned paperback I kept on the shelf above my bed, tucked between Stan Fischler's Thinking Man's Guide to Hockey and the latest issue of Mad Magazine.
My students hardly know Osama bin Laden. They hardly know the story of Goyaałé, better known as Geronimo. Linking them together speaks to our banality.
Who among us knows of the slaughter of his children and lover at Kas-Ki-Yeh?
Who among us knows of his hatred of Mexicans for this slaughter, a hatred that he carried through life?
If you kill someone's family, you may create a thirst that may never be quenched:
"All the other Apaches were satisfied after the battle of Kaskiyeh, but I still desired more revenge."
That we chose to use the name of one hero of people we coldly conquered not so long ago, upon whose land we sit now, to represent our greatest enemy of the past decade, says something about the people we have become.
Her name was Alope:
"Perhaps the greatest joy to me was that now I could marry the fair Alope, daughter of No-po-so. She was a slender, delicate girl, but we had been lovers for a long time."
The United States uses unmanned aerial vehicles ("drones") to hit targets in Afghanistan. People die from machines raining Hellfire missiles in very poor, very remote regions of our world. Each missile costs more than an average teacher's salary.
How many Geronimos does each missile create? The code name may not be as ironic as we think.
Both photos in public domain.
No, it's not a science teacher post.
-
Create E-Book by SteveJax
[Freelance] (Freelancer.com - New Projects)
I am looking for a ghost/E-book writer to convert a small section of the US Tax Code into an E-Book. Looking to have 25 pages written on this topic. Almost all material is public domain. I will direct you to the sites that you will need to review and do all of the editing... (Budget: $250-$750 USD, Jobs: eBooks, Ghostwriting)
-
Blog Post: Speaking in Ciphers and other Enigmatic tongues…
[Windows] (Site Home)
Hi! Jim here again to talk to you about Cryptographic Algorithms, SChannel and other bits of wonderment. So, your company purchases this new super awesome vulnerability and compliance management software suite, and they just ran a scan on your Windows Server 2008 domain controllers and lo! The software reports back that you have weak ciphers enabled, highlighted in RED, flashing, with that "you have failed" font, and including a link to the following Microsoft documentation –
KB245030 How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll:
The report may look similar to this:
SSL Server Has SSLv2 Enabled Vulnerability port 3269/tcp over SSL
THREAT:
The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server.
There are known flaws in the SSLv2 protocol. A man-in-the-middle attacker can force the communication to a less secure level and then attempt to break the weak encryption. The attacker can also truncate encrypted messages.
SOLUTION:
Disable SSLv2.
Upon hearing this information, you fire up your browser and read the aforementioned KB 245030 top to bottom and RDP into your DCs and begin checking the locations specified by the article. Much to your dismay you notice the locations specified in the article are not correct concerning your Windows 2008 DCs. On your 2008 DCs you see the following at this registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
"Darn you Microsoft documentation!!!!!!" you scream aloud as you shake your fist in the general direction of Redmond, WA….
This is how it looks on a Windows 2003 Server:
Easy now…
The registry keys and their content in Windows Server 2008, Windows 7 and Windows Server 2008 R2 look different from Windows Server 2003 and prior. The referenced article isn't accurate for Windows Server 2008. I am working on getting this corrected.
Here is the registry location on Windows 7 – 2008 R2 and its default contents:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel]
"EventLogging"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\CipherSuites]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Hashes]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\KeyExchangeAlgorithms]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
Allow me to explain the above content that is displayed in standard REGEDIT export format:
· The Ciphers key should contain no values or subkeys
· The CipherSuites key should contain no values or subkeys
· The Hashes key should contain no values or subkeys
· The KeyExchangeAlgorithms key should contain no values or subkeys
· The Protocols key should contain the following sub-keys and value:
Protocols
  SSL 2.0
    Client
      DisabledByDefault REG_DWORD 0x00000001 (value)
Windows Server 2008, 2008 R2 and Windows 7 support the following Protocols:
· SSL 2.0
· SSL 3.0
· TLS 1.0
· TLS 1.1
· TLS 1.2
Similar to Windows Server 2003, these protocols can be disabled for the server or client architecture. Meaning that either the protocol can be omitted from the list of supported protocols included in the Client Hello when initiating an SSL connection, or it can be disabled on the server such that even if a client requests SSL 2.0, the server wouldn't respond with that protocol.
The client and server subkeys designate each protocol. You can disable a protocol for either the client or the server, but disabling Ciphers, Hashes, or CipherSuites affects BOTH client and server sides. You would have to create the necessary subkeys beneath the Protocols key to achieve this.
For example:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Server]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Server]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Server]
This is how it looks in the registry after they have been created:
Client SSL 2.0 is disabled by default on Windows Server 2008, 2008 R2 and Windows 7.
This means the computer will not use SSL 2.0 to initiate a Client Hello.
So it looks like this in the registry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
Just like Ciphers and KeyExchangeAlgorithms, Protocols can be enabled or disabled.
To disable other protocols, select the side of the conversation on which you want to disable the protocol, and add the "Enabled"=dword:00000000 value. The example below disables SSL 2.0 for the server in addition to SSL 2.0 for the client.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Client]
; Default client disabled as I said earlier
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server]
; Disables SSL 2.0 server side
"Enabled"=dword:00000000
After this, you will need to reboot the server. You probably do not want to disable TLS settings. I just added them here for a visual reference.
So why would you go through all this trouble to disable protocols and such, anyway? Well, there may be a regulatory requirement that your company's web servers should only support Federal Information Processing Standards (FIPS) 140-1/2 certified cryptographic algorithms and protocols. Currently, TLS is the only protocol that satisfies such a requirement. Luckily, enforcing this compliant behavior does not require you to manually modify registry settings as described above. You can enforce FIPS compliance via group policy as explained by the following:
The effects of enabling the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting in Windows XP and in later versions of Windows - http://support.microsoft.com/kb/811833
The 811833 article talks specifically about the group policy setting below which by default is NOT defined –
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
The policy above when applied will modify the following registry locations and their value content.
Be advised that this FipsAlgorithmPolicy information is stored in different ways as well –
Windows 7/2008 –
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy]
; Default is disabled
"Enabled"=dword:00000000
Windows 2003/XP –
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
; Default is disabled
"Fipsalgorithmpolicy"=dword:00000000
Enabling this group policy setting effectively disables everything except TLS.
Let’s continue with more examples. A vulnerability report may also indicate the presence of other Ciphers it deems to be “weak”. Below I have built a .reg file that when imported will disable the following Ciphers:
56-bit DES
40-bit RC4
Behold!
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
; We are also disabling the NULL cipher suite
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]
After importing these registry settings, you must reboot the server.
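As an added example (not from the original article), the Python script below parses a REGEDIT export and reports which of the settings this article disables are not explicitly set to "Enabled"=dword:00000000. The function names and the sample export are constructed for illustration, and treating any non-zero "Enabled" value as enabled is an assumption.

```python
import re

# Registry paths are case-insensitive; this article writes both "Schannel" and "SCHANNEL".
ROOT = r"hkey_local_machine\system\currentcontrolset\control\securityproviders\schannel"

KEY_RE = re.compile(r"\[(.+)\]")
DWORD_RE = re.compile(r'"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{8})')

# Constructed sample, modelled on the .reg snippets in this article.
# The RC4 40/128 key exists but its "Enabled" value was left out.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

; constructed sample export
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"""

# The settings this article's .reg examples set to "Enabled"=dword:00000000.
EXPECTED_DISABLED = [
    ("Protocols", "SSL 2.0", "Server"),
    ("Ciphers", "DES 56"),
    ("Ciphers", "NULL"),
    ("Ciphers", "RC4 40/128"),
]


def parse_reg(text):
    """Parse REGEDIT export text into {lowercased key path: {lowercased value name: int}}.

    Only REG_DWORD values are read, because the Schannel settings discussed
    here use nothing else. Comment lines (;) and the version header are skipped.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.fullmatch(line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = DWORD_RE.fullmatch(line)
        if m and current is not None:
            current[m.group(1).lower()] = int(m.group(2), 16)
    return keys


def setting_state(values):
    """Classify the values found under one Schannel subkey."""
    if values is None:
        return "key-absent"
    if "enabled" in values:
        # Assumption: any non-zero "Enabled" value counts as explicitly enabled.
        return "disabled" if values["enabled"] == 0 else "enabled"
    if values.get("disabledbydefault") == 1:
        # The state the article shows for the SSL 2.0 client.
        return "disabled-by-default"
    # Key present but no relevant value: the OS default applies; not guessed here.
    return "os-default"


def lookup(keys, *parts):
    """State of a subkey below ROOT, e.g. lookup(keys, 'Protocols', 'SSL 2.0', 'Server')."""
    path = "\\".join((ROOT,) + tuple(p.lower() for p in parts))
    return setting_state(keys.get(path))


def audit(text, expected=EXPECTED_DISABLED):
    """Return [(subkey, state)] for each expected setting that is NOT explicitly disabled."""
    keys = parse_reg(text)
    findings = []
    for parts in expected:
        state = lookup(keys, *parts)
        if state != "disabled":
            findings.append(("\\".join(parts), state))
    return findings


if __name__ == "__main__":
    for subkey, state in audit(SAMPLE_EXPORT):
        print(f"NOT explicitly disabled: {subkey} ({state})")
```

A file exported by regedit in the "Version 5.00" format is UTF-16 encoded, so read it with `open(path, encoding="utf-16")` before passing its text to `audit`.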
The vulnerability report might also mention that 40-bit DES is enabled, but that would be a false positive because Windows Server 2008 doesn't support 40-bit DES at all. For example, you might see this in a vulnerability report:
Here is the list of weak SSL ciphers supported by the remote server:
Low Strength Ciphers (< 56-bit key)
SSLv3
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES(40) Mac=SHA1 export
TLSv1
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES(40) Mac=SHA1 export
If this is reported and it is necessary to get rid of these entries, you can also disable the Diffie-Hellman Key Exchange algorithm (another component of the two cipher suites described above, designated with Kx=DH(512)).
To do this, make the following registry changes:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\KeyExchangeAlgorithms\Diffie-Hellman]
"Enabled"=dword:00000000
You have to create the sub-key Diffie-Hellman yourself. Make this change and reboot the server. This step is NOT advised or required. I am offering it as an option to you to make your server pass the vulnerability scanning test.
Keep in mind, also, that this will disable any cipher suite that relies upon Diffie-Hellman for key exchange.
You will probably not want to disable ANY cipher suites that rely on Diffie-Hellman. Secure communications such as IPSec and SSL both use Diffie-Hellman for key exchange. If you are running OpenVPN on a Linux/Unix server you are probably using Diffie-Hellman for key exchange. The point I am trying to make here is you should not have to disable the Diffie-Hellman Key Exchange algorithm to satisfy a vulnerability scan.
Being secure is a good thing and depending on your environment, it may be necessary to restrict certain cryptographic algorithms from use. Just make sure you do your due diligence in testing these settings. It is also well worth your time to really understand how the security vulnerability software your company just purchased does its testing. A double-sided network trace will reveal both sides of the client server hello and what cryptographic algorithms are being offered from each side over the wire.
Jim “Insert cryptic witticism here” Tierney
-
Who is Wagging Who? Same Dog, New Tale.
[Domain Name] (CircleID)
Today, my company AusRegistry International signed an open letter to the United States House Subcommittee on Intellectual Property, Competition, and the Internet as a show of support for ICANN and its new Top-Level Domain program. I'm disappointed by the nature of the oversight hearing the Subcommittee has called and I believe it will only be a distraction.
Let's not kid ourselves; the reason for this hearing is to beat up ICANN over the new TLD program. I think this is unfair and unjustified.
ICANN's new TLD program has undergone extraordinarily thorough and inclusive discussions going back to ICANN's incarnation in 1998, and in earnest since 2005. It is without question that rights holders be afforded reasonable protections. However, it must be fairly pointed out that since initiation of this discussion nearly six years ago, ICANN staff and participants (including rights holders, trademark representatives, and delegates of the US government), at significant expense, have accommodated the needs and demands of the IP community to prevent intellectual property theft or needless cost to IP owners.
This is why I'm at a loss for why this hearing has been called at such a late stage in the process, when we are so close to approving the program.
It frightens me that ICANN must jump when the US government calls a hearing on new TLDs. There is something fundamentally wrong with this situation; the global organisation dedicated to keeping the Internet secure, stable and interoperable should not feel such an imbalanced sense of accountability to one government — the US government.
ICANN's acclaimed multi-stakeholder model means it's accountable to numerous stakeholders, which include Internet users, Regional Internet Registries, Country Code Registries, several committees and councils, and the Governmental Advisory Committee (GAC) to name a few. It's important to remember that the US government forms just one part of the GAC, which is one stakeholder in the vast ecosystem that comprises ICANN.
It makes me think: if any other Government were to call a meeting, would the ICANN Community feel as intimidated to participate? What gives them such sway and power, and how does the rest of the GAC membership feel about this?
Furthermore, in the Affirmation of Commitments (AoC), ICANN committed to maintain and improve robust mechanisms for public input, accountability and transparency so as to ensure that the outcomes of its decision-making reflect the public interest and are accountable to all stakeholders. The AoC and the completion of the original agreement signalled a globalisation of the Internet and its governance. Yet, we still find ourselves at the mercy of the US government as demonstrated by this House Subcommittee oversight hearing.
What is more intriguing is why the US Government is seemingly opposed to the implementation of the new TLD program and its associated benefits. It's contradictory for the US Government to be speaking about the importance of stimulating the economy and job creation on one hand, and then to be also involved in stifling the new TLD program, which has the potential to drive innovation, create jobs, and boost the digital economy.
At ICANN's recent meeting in San Francisco, former US President Bill Clinton said the technology sector should play a pivotal role in driving economic recovery. He recognised the importance of online innovation for a strong and sustainable economic climate and said information technology was a key driver of the American economy during his eight years in office. He said IT jobs represented 30 percent of the United States' job growth and 35 percent of its income growth. It is my belief that new Top-Level Domain names are the most compelling opportunity for innovation the Internet has seen since its creation.
ICANN is in the final stages of executing a well-developed plan that will see new TLDs and all the benefits associated with them approved later this year. To ICANN's credit, they have worn the body blows from various sectors of the Community throughout this long, careful and calculated process. They have battled on, working towards a solution that provides for the benefit of ALL stakeholders — an incredibly hard task. I understand that the US Government may have questions — however, ultimately they are one voice and not the only voice providing input into the process. The ICANN Community, including the GAC, needs to remember that.
Written by Adrian Kinderis, CEO, AusRegistry International
-
An Event Apart: From Idea to Interface
[User Interface] (LukeW | Writings on Digital Product Strategy and Design)
In his Idea to Interface presentation at An Event Apart in Boston, MA 2011 Aarron Walter encouraged Web designers and developers to tackle their personal projects by walking through examples and ways to jump in. Here are my notes from his talk:
- If we stay focused on execution all the time, we risk losing our creative thinking. Without creative thinking, you may only be doing mediocre work or burning out.
- So how do we stay excited and keep the fire in our belly? One of the ways is by doing an independent project. These small projects can turn into business, collaborations, or just fun.
- Asking “wouldn’t it be cool if..” is our creative juices flowing. But often we don’t act on these ideas.
- The hardest thing is to get started. Get it out of your head, put it on paper, and show it to someone. One outcome is “wow that’s cool”. The other “meh not that interesting”. Putting something on the shelf is admirable. Some ideas won’t work out because of timing, and that’s ok, but it’s important to get your ideas out.
- Failure is OK. It helps you work through inspiration.
- Many times you have to work on your ideas on your own time. It may require a few extra hours at night. You need to make the commitment yourself.
- We need to give ourselves permission to be the person with an idea. We all deserve a shot at making our ideas real. Don’t just think about your ideas but carry them through.
- “I’m not the best but I’m as good as the next guy” You don’t have to be. Just take the plunge and get your ideas out.
The Creative Process
- The “eureka” moment often happens when we tune out and relax.
- The creative process is how our brain works.
- Ideation: have ideas, go through them quickly, think about lots of stuff in short order.
- When you are in the ideation phase, any idea is a good idea. Don’t let others judge things too early. Share them when you have incubated for a while.
- Incubation: time to think and digest the idea. Our brains solve problems when we are not actively thinking about them.
- Evaluate: look back at ideas, evaluate them, and see if they’ll work.
- Around second grade we realize people are looking at us and we are being judged. So we inject an internal judge for ourselves. This often limits what we are willing to try to pursue.
- Ideation means let the ideas flow, let them be crazy, sort them out later.
Tips for tackling Your Ideas
- Tackle the whole design. Design is more than elegant layouts. It’s about understanding our users, organizing our content, interaction patterns, and more. It’s not about little d = decoration. It’s about big picture designing covering everything we do.
- Put your ideas up. Sketchboards are big pieces of paper on walls that allow you to ideate rapidly. Paper on the wall is non-committal. You can rip it down and start over. You can bring people in to work with you on the evaluation process. This allows people to work together – it changes your culture because you are working together on a problem. Incubate on your walls and ideate quickly.
- Keep your sketchboards on the wall as they invite collaboration. Make ideas part of the organization. Balance this with knowing when to get your ideas out vs. letting them incubate.
- Prototype. Creating a prototype helps you coalesce your idea and see if you can get other people on board. You have to get things out of your head as soon as possible: draw it, write it, or build it. When something is only stuck in your head you can come up with many ideas about why it is not working.
- Keep a common CSS and Javascript folder archived so you can prototype quickly by reusing older files and primitives.
- Prototyping allows you to use your idea while designing it. This helps you work through ideas quickly. Mustache can help you integrate real data in your prototypes using JSON objects.
- If coding isn’t your thing, designing with Keynote can help you create light prototypes quickly.
- New ideas have overhead. When you are working on your idea, design patterns can help you lower the learning curve for users and save a lot of code. Coming up with custom solutions for every interface adds a lot of work. If people are familiar with the patterns you use (because they have used them on other sites), it makes it easier for them to get up and running on your project.
- Mail Chimp killed 46% of their CSS code using patterns.
- The code you put into a prototype shouldn’t be the code that goes live.
- Sometimes you want to do something that you want to stand out. Using patterns might not be the best fit for it.
- Get a personality. From the very beginning you want to be thinking about personality. As interface designers we create the windows between people interacting. Software has human attributes and you want to make the right introduction. A design persona: put as much time into thinking about the persona of our product as we do for our users. Think about the brand traits you want your application to embody. Make sure to include what something is and isn’t as well. Can include a visual lexicon, a personality map, and characteristics.
- Go with what you know. You won’t have to learn a bunch of new things if you start with a domain you know and love.
- Team up. The buddy system not only gives you complementary skill-sets but it also gives you someone you are accountable to.
- Get clarity into your design. When you have clarity, you have confidence. Exploring ideas is good for employees, bosses, and business.
-
Software Project Manager / Energy Solutions / Oakland, CA
[Jobs, Jobs (not Steve)] (TreeHugger Jobs)
Energy Solutions/Oakland, CA
Software Project Manager
Energy Solutions was founded in 1995 to address climate change and sustainability issues through energy efficiency and renewable energy sources. As one of the leading consulting firms in our field, we specialize in energy efficiency program and project design, implementation, and marketing, as well as solar and other renewable energy system feasibility studies, project development and financing and water conservation programs. In our 16 years, we have built a solid reputation for quality services that routinely exceed our utility, governmental and private sector clients' expectations.
Energy Solutions is a fast-paced and innovative firm with 70+ employees. We are seeking to fill a Software Design Project Manager position in support of our projects emphasizing Information Systems solutions for energy efficiency and sustainable energy programs. As a member of Energy Solutions, you will experience working for a growing team, delivering support to our existing technical staff who externally deal with all Information Systems program related projects, while at the same time have a broad impact on energy efficiency markets and greenhouse gas reductions through our work for major California and Nevada utilities, the California Public Utilities Commission, and other national leaders in energy efficiency.
Daily responsibilities include but are not limited to:
• Collaborate with IS team on analysis, design, implementation and verification of computer software systems
• Create and execute project plans and revise as appropriate to meet changing needs
• Draft new requirements specifications for changes requested by clients
• Compile documentation of program development and subsequent revisions
• Interact regularly with technical team and clients, monitor the development of projects and communicate progress to management and clients
• Maintain existing client relationships and cultivate new business relationships
Minimum qualifications:
• Strong written and verbal communication/presentation skills
• Project management and client management experience
• Software design experience (such as business and functional requirements, user interface/human factors, software design processes, focus groups, usability testing, wireframes, visual design)
• Two to four years of industry experience
• Bachelor's degree
• Energy efficiency/renewable energy domain experience a plus
• Developer skills a plus
Our BART-accessible office is located in downtown Oakland, California. Compensation is commensurate with experience, and includes a generous retirement package. Energy Solutions provides an excellent benefits package, including medical and dental insurance and other pre-tax contribution plans. Please email a cover letter with your available start date and your resume to jobs@energy-solution.com. For more information about Energy Solutions, please visit us on our website at www.energy-solution.com. Information will be requested to perform the compulsory background check. EOE.
-
Killing Field: The evolution of the Octagon
[Extreme Sports, Mixed Martial Arts] (MMAmania.com)
FanPost edited and promoted by MMAmania.com.
The UFC Octagon is a staple of combat sports
Mixed martial arts (MMA) has seen many variations of the famed cage along with use of the boxing ring format. Each promotion tries to fine-tune their playing field to express the brutality and ruthless confines of the cage.
The Octagon is the most famous to the point that it has become a trademarked brand.
The now famous cage would've looked a whole lot different if not for some reasonable-minded people and not the SEG brain trust for creativity.
Let's take a closer look at the evolution of MMA playing fields.
In 1993, Semaphore Entertainment Group (SEG) was an entertainment conglomerate dying for fresh and new content. With the ever increasing popularity of "Faces of Death" an idea came across SEG's desk.
"War of the World's" was the name and it was a new brand of combat sports.
The concept was one that many people in the martial arts community debated, supremacy of their art. It was karate vs. Taekwondo, boxing vs. kickboxing and a relative unknown was wanting to challenge them all, Brazilian jiu-jitsu (BJJ).
The name of this new hybrid league was changed to the Ultimate Fighting Championship (UFC). The concept of the show was in the place and the UFC needed a playing field that gave the illusion that this was the ultimate proving ground.
SEG and the Gracie family butted heads for weeks and months about which model should be used to showcase the fighters without looking corny and cheesy.
And this is where it got very interesting.
The brass at SEG pushed the idea of a Gladiator-type stage with pillars and arena-style seating. This stage was to pay homage to the fallen gladiators of the past while giving them a grander feel.
The idea was shot down by the Gracies as being outdated and far too predictable for them.
SEG agreed seeing as the new wave of extreme violence was rushing over America with the MTV generation and extreme sports. They also felt the changing of Eastern Championship Wrestling to Extreme Championship Wrestling (ECW) would make the UFC seem even less hardcore.
The next idea was by far the most ludicrous.
SEG proposed a moat infested with bloodthirsty piranhas swimming within it. The story is the Gracie family stormed out of the room when this was suggested because they were so disgusted with the idea. SEG eventually withdrew the proposal and started working on creations a little closer to reality than fantasy.
The next concept was a plexiglass-surrounded canvas enclosing the fighters. The idea faced issues of ventilation and heat created by the fighters expending energy. The sturdiness of the plexiglass was also called into question, as was visibility due to perspiration building up.
The other issue was a fear the plexiglass walls would be used to abuse someone's competition.
The concept of the Octagon finally came to fruition because the Gracies and SEG wanted an arena which looked like a street fight domain.
The UFC cage is an octagonal structure with walls of metal chain-link fence coated with black vinyl and a diameter of 32 ft (9.8 m), allowing 30 ft (9.1 m) of space from point-to-point. The fence is 5'6" to 5'8" high. The cage sits atop a platform, raising it 4 ft (1.2 m) from the ground. It has foam padding around the top of the fence and between each of the eight sections. It also has two entry-exit gates opposite each other.
The cage offers the street fight appeal and would be viable for the attending fans. The cage also offered a home paying audience a chance to see much better than previous concepts.
The UFC has never looked back and has made the Octagon one of its pinnacle standards throughout time.
Will the UFC ever evolve from the Octagon?
Let's see some other implementations of the ring and cage format used by other promotions.
Circular Cage:
Promotions like World Extreme Cagefighting (WEC), King of the Cage (KOTC) and Strikeforce are using this concept because the UFC has trademarked the Octagon format.
Fighters don't seem to mind the circular cage but do admit that striking angles change slightly. They also note takedowns are easier because fighters can't find wedges like they can in the corners of the octagon.
Hexagon Ring or Cage:
In the battle of shapes and sizes the next "crazy" concept was the use of a hexagon over the "less cool" Octagon. Promotions like the International Fight League (IFL) and DREAM are the most notable users. The DREAM hex is the most notable as its chain-link caging is the color white. The Japanese tend to do everything slightly different for pure aesthetic purposes. The cage has received praise for its uniqueness and appeal from fighters.
Ring:
The ring was used by Pride Fighting Championship (Pride FC) and Affliction MMA most notably.
The ring offers a whole slew of different variables that a cage concept cannot offer. When in the clinch against the ropes, the defending fighter can use a "rope a' dope" to gain leverage and escape the clinch more easily. During a double-leg takedown the defending fighter can use his butt to press in between the middle and top rope.
Using the ropes this way is illegal, but it has been seen used effectively.
The major difference can be seen when fighters from Pride FC couldn't transfer their skills over to the Octagon. The angles within a boxing ring are hugely different as you're fighting within a square, the ropes bend more and the corners are harder to elude.
So Maniacs, let's say you're a promoter, what design would you use or create and why?
-
backupexec 2010 r2 account best practice
[Symantec] (Symantec Connect - Backup and Archiving - Discussions)
Hi guys,
I'm trying Backup Exec 2010 R2 and I have one question.
ATM we have 2 different domains (A and B) in the same forest.
I have installed Backup Exec on one server in domain B.
What is the best practice for creating the account for Backup Exec?
Do I create an account named backupexec in domain B and put it as local admin on each server in domain A?
Must the backupexec account in domain B be in the Domain Admins group?
The resources that I need to test backing up are:
domain controller in domain A and B
Exchange in domain A
SQL in domain A
Dynamics CRM in domain B
SQL in domain B.
Thanks for the help.
Best Regards.
Marco
-
Web Marketing
[Hypeads] (Fresh Fuel Blog)
You've built your site: you have cared for it, groomed its image and content, and spent much time, effort and money, and then you realize it gets hardly any visits. What went wrong? If your site is not well positioned in search engines, then unless you have a well-known web name such as a generic domain (e.g. sexo.com), it will be very difficult to find you on the internet, because nobody is going to look for your website if they do not know it exists. It is therefore important that your website is visible. You can pay for advertising campaigns or pay search engines for privileged positions, but when you stop paying, your results disappear. It is best to position the site, creating your niche on the network around the words you want people to search for. What is important for positioning a website? How do you create your campaigns?
- Good, original content that includes the keywords for which you want to appear in search engines. It does no good if the services you offer never appear, even once, as words on your website.
- Good web development. HTML is the language that positions best, provided the web development is adapted to search placement.
- A single page, fast loading, without too many pictures. Avoid Flash, at least as the preferred language.
- Sign up for the major search engines and directories. For assistance, try visiting Kirk Sanford.
- Put in internal links. Without overdoing it, links from the page to other sections of the page are good for positioning.
- Get external links. Get other websites to link to you.
- Exchange links with other websites on related topics.
- Advertise your website wherever you can without spamming.
- You can buy advertising campaigns on the Internet and in newspapers and other media, if you have the budget.
-
Ad sense site with daily profit of at least $25 by magicpages
[Freelance] (Freelancer.com - New Projects)
I need someone to create a web site for me which will create (generate) income on my adsense account of at least $25 daily. I will provide to the winning bidder with domain and hosting. The bidder must have Niche Keyword selection and determine what market to enter... (Budget: $30-$250 USD, Jobs: Google Adsense, Internet Marketing, Link Building, SEO, Website Design)
-
10 Super Easy SEO Copywriting Tips for Improved Link Building
[Hypeads] (SEOmoz Daily SEO Blog)
Posted by Cyrus Shepard
Compare the two posts below, both written by the exact same SEO expert and each containing around the same number of words. Without knowing the subject, can you guess which post earned more links?
Try 378 to 6. In addition to its visual appeal, the left post was more timely, useful and informative - all hallmarks of copywriting grace.
The “secrets” of copywriting have existed since before the ancient Greeks. Generations of Don Drapers have perfected the craft. Today we use computer analysis and data mining to uncover the most effective SEO practices. Rand’s early peek at the Ranking Factors hints at some of these factors. My colleague Casey Henry conducted a study of link-worthy material that included elements such as title length and word frequency. Fantastic stuff and I hope he does another such study soon.
So why don’t more authors take advantage? Why all the cardboard looking blog posts?
Here’s the takeaway. To earn links, use copywriting to organize your content.
1. Write for Power Skimmers
Steve Krug’s words of wisdom for website usability in his book Don’t Make Me Think ring true for all elements of SEO copywriting.
“We don’t read pages. We scan them.”
-Steve Krug
Krug advocates for a billboard style of design. This means using language, images, layout and color to make your material stand out and shine. Think of motorcycle riders speeding past billboards. Which one will they remember?
To be fair, prettying up mediocre content won’t make it any better. But does your best work look like it belongs in an encyclopedia?
Unless you are Wikipedia, don’t look like Wikipedia.
2. Why Headline Formulas Work
Headlines organize your content by making a promise to the reader. The body of your content delivers on that promise.
Check out this recent cover for Wired Magazine.
Using the “who-what-why” formula isn’t the only way to format your headlines, but it works. Another technique I like is to ask a question, e.g., “Have You Been Secretly Penalized by Google?”
Don't be scared of headline formulas. Instead of "gimmicky," think of them as a framework for the promise you make. When I’m stuck for headline inspiration, I surf the fantastic resources over at Copyblogger.
There are literally dozens of effective headline formulas out there, so you need never worry about repeating yourself.
3. Get 20% More with Numbers
I made that number up. Why?
Numbers grab our attention. Look at the titles to some of the most linked-to posts on SEOmoz.
- 21 Tactics to Increase Blog Traffic
- 8 Predictions for SEO in 2010
- Launching a New Website: 18 Steps to Successful Metrics & Marketing
- 17 Ways Search Engines Judge the Value of a Link
It makes you want to click one of those links right now...
Whether in a headline or a list, numbers light up the ordered, mathematical part of our brain to make content more attractive. It also provides you with a way to structure your material in a way that makes sense.
4. Free and Easy Power Words
My writing life changed when I read Robert W. Bly’s seminal work, The Copywriter’s Handbook. He introduced me to the power of choosing the right language for successful communication.
Although some of his “power” words belong in the back of a Sunday newspaper advertisement, their effectiveness can’t be denied. These include words like quick, easy, guarantee and free.
“Free is the most powerful word in the copywriter’s vocabulary. Everybody wants to get something for free.”
-Robert W. Bly
Words are magic. The opposite of power words includes language like try, maybe, might, possibly and perhaps. These "halfway" words kill your writing.
The point is not to use a rote list of words like a checklist in your copy, but rather be conscious of the power (or lack of) your language. Don’t hedge your bets with weak prose.
5. A Picture is Worth 1000 Clicks
Rethink your visuals. Visuals are essential to any story and include:
- Photographs
- Artwork
- Charts and Graphs
- Slidedecks
- Video
- Infographics
The wrong way to add images is to buy stock or steal them off of the web. Instead, make every effort to include original media in your content. A simple, 100% original hand drawing attracts more interest any day of the week than using Parked Domain Girl.
Original Pineapple Artwork by Dawn Shepard
It doesn’t matter what you use, just make it original.
6. Use Sub-Headlines or Die Trying
This is a no-brainer. Imagine the front page of a newspaper with just one headline. All other text is equal. You wouldn’t read it, or you would tire quickly if you did. Our brains don’t work that way.
We want things broken up and organized.
If your text is longer than 250-400 words, you must use sub-headlines. No exceptions.
7. When in Doubt, List it Out
This entire post is a list. Try these numbers on for size:
- 75% of the top 20 posts on SEOmoz contain a bulleted list
- 60% feature a numbered list
Why do lists work so well? Why is David Letterman’s Top Ten the most anticipated part of his show, even if it’s not as funny as the rest of the show?
Lists are the building blocks of ideas. When we go to the grocery store, we don’t write a story – that’s ineffective. To communicate your thoughts quickly and effectively, nothing gets to the root of the matter like a list can.
Humans crave order. Use lists to create structure and build your content from the ground up.
8. Quotes
My all-time favorite use of effective quoting comes from Michael Crichton’s science fiction work Timeline. He juxtaposes two ideas against each other to explain a single concept about quantum theory.
“Anyone who is not shocked by quantum theory does not understand it.”
NIELS BOHR, 1927
“Nobody understands quantum theory.”
RICHARD FEYNMAN, 1967
Utilize quotes to set your ideas apart.
9. The Bold and the Italic
Along the same lines, use bold to emphasize important points. If you don’t have important points, you have bigger problems.
Italics do the same job but sound more European, like this guy.
10. Be Honest
Effective SEO copywriting should never alter or misrepresent your work. Indeed, its purpose is to help you communicate your core ideas more clearly and effectively.
"All you have to do is write one true sentence. Write the truest sentence that you know."
— Ernest Hemingway
Writing from the heart is always the best copywriting technique.
-
How to ruin your brand's online reputation in 6 easy steps
[Market Research] (iMedia Connection: All Feeds)
Let's face it: Destroying an online brand reputation is harder than ever. Just a few years ago, it was much easier. You could put something offensive on your homepage or just let your domain registration expire, and that would ensure your brand's quick demise. But with CMS systems that control publishing fiascos and 99-year domain registrations, those haphazard days are behind us. That means if you're truly committed to dragging your brand's name through the mud, you'll have to shift tactics. Today's social web necessitates a multi-channel approach to create real, lasting damage to your brand.
If you are serious about losing customer goodwill and squandering brand equity, here are the latest tactics you should put into practice (along with what you should do if you'd like to, for some strange reason, actually protect your brand reputation):
Rinse and repeat... and repeat (and repeat)
You tweeted out 10 links, and got 100 click-throughs -- congratulations! Now that you know you can get attention and traction by sending out Twitter links, you need to scale up dramatically. Upload a bulk file of 1 million tweets with links; you will surely get 100 million click-throughs. Once you have your autofeeds established, take some advice from Ron Popeil -- set it and forget it! This is a quick and easy way to ruination. If someone responds to one of your tweets, just ignore it. You'll quickly show them you don't care and they don't matter to you. Let the bulk feed steamroll any chance for real engagement.
What you should actually do: More is not always better -- sometimes it is just more. You should set up some feeds to automatically cross-post content into different channels. But make sure that automation stays balanced with content specific to the individual platform. If you don't conform to your brand advocates' expectations, they will tune you out, and you'll get zero engagement.
When it makes sense to scale, look to add new channels instead of filling your existing ones even fuller. Your brand presence can extend across many social venues beyond Facebook and Twitter. Being sensitive and responsive to your advocates' communication preferences shows them you value their time and attention.
-
Flowers and Fairies Felt Board Set
[Etsyrati] (Etsy Shop for nodinsnest)

$12.00
Set of eighteen laminated paper images mounted on cardstock and backed with hook and loop dots. For use with "The Story Box", sold in my shop or any felt board. They are approximately 2'- 5' tall
Let your child use their imagination and create a story collage.
Image sources are magazine clippings, vintage books and public domain. Due to availability images will vary from set to set, but the theme will be the same.
Not recommended for children under 3yr
Felt board not included
-
Food Fun Felt Board Set
[Etsyrati] (Etsy Shop for nodinsnest)

$12.00
Set of twentyfour laminated paper images mounted on cardstock and backed with hook and loop dots. For use with "The Story Box", sold in my shop or any felt board. They are approximately 2'- 5' tall
Let your child use their imagination and plan the menu for the day! Or create a collage of their favorite foods!
Image sources are magazine clippings, vintage books and public domain. Due to availability images will vary from set to set, but the theme will be the same.
Not recommended for children under 3yr
Felt board not included
-
Circus Day Felt Board Set
[Etsyrati] (Etsy Shop for nodinsnest)

$12.00
The Circus is in town! Fifteen paper images mounted on card stock and laminated. They are backed with hook and loop dots that magically stick to both felt covered surfaces on the “Story Box” box (sold in my shop) or any felt board. Images range from 3" to 6" in height.
Let your child use their imagination and create a story collage.
Image sources are magazine clippings, vintage books and public domain. Due to availability images will vary from set to set, but the theme will be the same.
Felt board not included.
-
Blog Post: Haiku #102
[SharePoint] (Site Home)
And if I haver
Then I must not be running
CsReplica.
Back in the 1990s, the Scottish folk rock band The Proclaimers released a song – I'm Gonna Be (500 Miles) – that included these lyrics:
And if I haver
Yeah I know I'm gonna be
I'm gonna be the man who's havering to you
Note. Yes, that is remarkably close to being a haiku, isn't it? Spooky.
Although he liked the song, the author of today's haiku never knew what it meant to "haver." And every time he's heard that song over the past 15 or 20 years (however long it's been since the song was released) he's always said to himself, "What the heck does it mean to 'haver?'"
Note. Seeing as how this is the Age of the Internet, couldn't he have just looked up the word haver? Well, yeah, maybe. But, then again, what with all these daily Lync Server PowerShell haikus and stuff he has been kind of busy the last 20 years.
However, this morning, while reading something that had nothing to do with Scottish folk rock, he learned the truth: to "haver" means to talk nonsense, to prattle on endlessly without making the least bit of sense. Case closed!
Note. What's that? You say that the author of today's haiku should be an expert on anything having to do with prattling on endlessly without making the least bit of sense? Interesting. Why would you say that?
At any rate, having solved one of the two great mysteries of life, the author of today's haiku decided to go for a clean sweep and tackle the other great mystery of life as well: what is the Enable-CsReplica cmdlet, and why would you ever want to use it?
Let's start by explaining what the Enable-CsReplica cmdlet actually does. As you know, any computer that runs a Lync Server service or server role has to be added to the Lync Server replication path; that's the only way that computer can get updates from the Central Management store. What does the Enable-CsReplica cmdlet do? You got it: it adds the local computer to the replication path, which means that the local store (the copy of the Lync Server configuration settings stored on the local computer) will then start receiving updates sent out by the Central Management store.
So much for "What is the Enable-CsReplica cmdlet?" Now let's take a look at the next question: Why would you ever want to use this command?
To be honest, as a Lync Server administrator you might never want to use this cmdlet. When you install a Lync Server service or server role the setup program will automatically call the Enable-CsReplica cmdlet for you and, as a result, will automatically add the local computer to the replication path. Setup does the work, and you can spend your time singing Scottish folk songs. We'd recommend My Bonnie Lies Over the Ocean.
Note. In Scottish, the word "bonnie" means pretty or charming. And no, we are not just havering here.
However, there's always the possibility that something could go wrong with the setup program; in that case, you might need to call Enable-CsReplica yourself. You might also need to call the cmdlet if you happen to be dabbling in creating your own trusted applications for Lync Server. This is a bit outside our area of expertise (we consider ourselves to be Scottish linguists more than we do developers), but if you're planning to create and activate an auto-provisioned trusted application you need to complete the following procedure:
- Ensure that any computers on which the application will run are joined to the domain. (Kind of a no-brainer, but, still ….)
- Install the Central Management Store replication service. (Something you do using Bootstrap.exe.)
- Enable Central Management Store replication. (Something you do – that's right: something you do using our old friend Enable-CsReplica.)
- Assign a certificate that lets the Lync Server 2010 topology know about the trusted application computer.
But, again, that's something most administrators won't have to worry about.
Oh, and if you ever do need to run Enable-CsReplica, well, you're in luck: calling the cmdlet is pretty darn easy. Just run this command from the computer that needs to be added to the replication path:
Enable-CsReplica
And yes, as a matter of fact we do get paid for writing in-depth technical commands such as the one we just showed you. Why do you ask?
And if you want to get really fancy, you can add the Report parameter and specify a location where the log file generated when you run Enable-CsReplica will be stored:
Enable-CsReplica -Report "C:\Logs\EnableReplica.htm"
Could you have figured that out without our help? Probably. But let's keep that our little secret. The author of today's haiku still has a mortgage to pay off.
Before we go today we thought we'd leave you with a verse from the Scottish folk song Braes of Killiecrankie:
Where hae ye been sae braw, lad?
Where hae ye been sae brankie-o?
Where hae ye been sae braw, lad?
Cam' ye by Killiecrankie-o?
Which means … well, tell you what: we'll get back to you in another 15 or 20 years on that.
-
Social Media Accounts are Intellectual Property
[Startups] (Startup Professionals Musings)
A large portion of your competitive advantage and your potential value to investors is the size of your intellectual property portfolio. When someone says Intellectual Property (IP), most entrepreneurs think only of patents. In reality, patents are only one of at least eight items that should be in your IP portfolio. You need all these before you start looking for funding.
Some of the other items may cost a lot less, and may be worth far more in the long run. Here are the key elements:
- Company name. The company name becomes your intellectual property at the moment you incorporate your startup as an LLC or a Corporation. Sole proprietorships need to trademark the name to protect it. Select it well – marketers will tell you that you will be selling your name, more than your products. Actual incorporation fees in many states are below $100, if you do it yourself. Don’t pick a company name until you are certain that you can get the comparable domain name, so Internet brokers won’t hold you hostage.
- Internet domain name. This name (www.domainname.com) is just as critical as the company name, and the two should match as nearly as possible. Significant differences will confuse your customers, and open the door to imitators and scam artists. Internet domain names can be acquired from most hosting providers or Network Solutions, for as little as $10/year each.
- Social media accounts. Immediately go to relevant social media sites and grab the same name, even if you never plan to use the accounts. Many companies like Sears, Coca-Cola, and Twitter have already been hurt by people using company names they don’t own on social sites. These days, every business needs a blog, so sign up your domain names accounts on TypePad, Wordpress, and Blogger, or all of the above, before someone starts blogging in your name.
- Patents. Remember that ideas cannot be patented, only novel implementations. But the application or provisional application has to be registered before you disclose the details to investors or consumers, or the implementation will be deemed un-patentable. Patent attorney fees start at around $5K.
- Trademarks. A trademark is a name, phrase or logo that tells the consumer the origin of the goods and distinguishes your goods from those of your competitor. Trademarks require a federal trademark registration from the United States Patent and Trademark Office. The cost for a single trademark is around $300.
- Copyrights. No registration and no cost is required to secure a copyright on written, audio, or video material that you create to be attributed to your company. Still, it is recommended that you add the familiar ©Copyright 2010 symbol at the beginning or end of each media and document segment.
- Trade secrets with employment agreement. Companies often use non-patentable but important trade secrets to run their business. These trade secrets need to be documented and coupled with an employment agreement, to keep them from migrating to your competitors when employees move on.
- Business Plan. Your business plan holds the keys to your kingdom, so you don’t want it in the hands of competitors. If you need early reviews or assistance by people you don’t know well, get them to sign a Non-Disclosure Agreement first. A sample agreement is available for free download from my website.
In cost, all of these elements of intellectual property may be acquired for a few hundred dollars (or a few thousand with an attorney), if you act early and quickly. Later, good intellectual property can be worth millions when your company valuation is set for investment purposes, or when the company is acquired or sold. In between, you need it to survive.
Marty Zwilling
-
Blog Post: Using LINQ-to-SharePoint with Choice Fields
[SharePoint] (Site Home)
If you like to use the LINQ to SharePoint provider to perform your SharePoint data queries in server-side code, sooner or later you will encounter a certain tension between the strongly typed world of LINQ queries and the decentralized nature of SharePoint. To enable LINQ querying, source code must include an object-relational mapping that turns lists and content types into classes and turns fields into strongly-typed properties of the content type classes. This code is generated by the SPMetal tool. But website owners can add new lists after your solution has been deployed. The new lists are not accounted for in the object-relational mapping. Similarly, new fields can be added to sites and lists. These are also not accounted for in the object-relational mapping.
Of course, if your LINQ queries and data changes only reference the lists, content types, and fields that were present when the object-relational mapping was generated at design-time, the presence of new entities does not cause a problem. But sometimes a mismatch between the design-time object-relational mapping and the runtime reality of the website content that is being queried can cause problems for your LINQ work. Many of these kinds of problems can be solved by extending the object-relational mapping using the techniques described in Extending the Object-Relational Mapping. In this post, I want to describe a problem, and suggest a solution, that is not mentioned in the latter article.
When SPMetal generates code for a Choice field, it will invent an enum type to represent the possible values of the field. For example, the following code is generated for the standard Priority field on the standard Tasks list:
    public enum Priority : int
    {
        None = 0,
        Invalid = 1,
        [Microsoft.SharePoint.Linq.ChoiceAttribute(Value = "(1) High")]
        _1High = 2,
        [Microsoft.SharePoint.Linq.ChoiceAttribute(Value = "(2) Normal")]
        _2Normal = 4,
        [Microsoft.SharePoint.Linq.ChoiceAttribute(Value = "(3) Low")]
        _3Low = 8,
    }

But what happens if the list owner adds “(4) Trivial” as an additional possible choice to the definition of the Priority column? For task items that have the new value in their Priority field, a LINQ query will return “Invalid” rather than “(4) Trivial” as the value of the field.
The essence of the problem here is that data schemas that can be changed by end users are inherently weakly typed, but the object-relational mapping is imposing a strong-typing straitjacket onto the schema. To solve the problem, we need to loosen that straitjacket; that is, we need to weaken the type of the Choice field from enum to string; but not weaken it too much.
An Easy Solution, But Not Always Applicable
If all you are going to do is query the data, there is an easy solution provided by the configurability of the SPMetal tool. You can change the tool’s default behavior by using a parameters.xml file that is referenced in the command line call to SPMetal. The details of how to do this are in SPMetal and Overriding SPMetal Defaults by Using a Parameters XML File. In this case, you tell SPMetal to treat the Priority field as a string rather than an enum with a parameters.xml file such as the following.
<?xml version="1.0" encoding="utf-8"?>
<Web xmlns="http://schemas.microsoft.com/SharePoint/2009/spmetal">
<ContentType Name="Task" Class="Task">
<Column Name="Priority" Member="Priority" Type="String" />
</ContentType>
<ExcludeContentType Name="Summary Task"/>
</Web>
Side note: You will notice that I’m also excluding the Summary Task content type from the object-relational mapping. This is to avoid having to do some of the other chores in my solution twice, because the Summary Task content type also has the Priority field.
With this parameters.xml file in use, SPMetal will create the following signature for the Priority property of the Task class:
public String Priority
Instead of the following signature which it would have created by default.
public System.Nullable<Priority> Priority
Side note: The Priority field is also in the standard team website as a site column, so SPMetal will still generate the enum to serve as the type of that site column, but it will not use the enum to be the type of the Priority column in the Task content type.
Now your LINQ queries will return “(4) Trivial” or any other choice that is added to the Priority column definition, rather than “Invalid”.
When You Want to Write to the Choice Field Too
But what if you are going to write data with the LINQ-to-SharePoint provider as well as query it? (You can do that as explained in How to: Write to Content Databases Using LINQ to SharePoint.) Now that you’ve weakened the type of the Priority field, code can write any string to the field, even one that is not included in the column definition’s list of possible choices. You could resolve to always write code that checks the list of possible choices before it writes to a choice field, but you do not want to have to re-write that code every time. One way to make sure your validation executes every time is to put the validating code right in the setter of the property that represents the Choice field.
The first thing you need to do is move the code that declares and implements the property out of the file that SPMetal generates. If you do not do this your customization of the setter in that property would be overwritten whenever SPMetal regenerates the code, and you are almost never in a situation in which you know that you will never have to regenerate the code again.
Fortunately, the classes that SPMetal generates are marked with the partial keyword. That means that you can re-declare the class in another code file and add additional member definitions to the class in the new file.
To continue with the example of the Tasks list and the Priority column, take these steps:
1. Point SPMetal at a site that has a Tasks list and generate your code.
2. Add a new class code file to your VS project. Delete the stub class declaration that is created automatically and delete the namespace declaration, too.
Side note: The code file generated by SPMetal does not declare a namespace, which means the default namespace of the Visual Studio project is assumed. If you have a partial class defined in two code files and one does not put the class inside an explicit namespace declaration, the other code file cannot put the class inside an explicit namespace declaration either, not even an explicit declaration of the default namespace. This seems to be a quirk of the way the compiler deals with partial classes. Hence, you have to delete that explicit namespace declaration that Visual Studio automatically included in the new class code file.
3. Add using statements for Microsoft.SharePoint and Microsoft.SharePoint.Linq.
4. Copy the signature of the Task class declaration from the generated code to your new file and add opening and closing braces. (Do not copy the attributes above the class declaration.)
public partial class Task : Item {
}
5. Copy the backing field for the Priority property in the generated code and paste it into the Task class in your new file. If you have previously applied the Easy Solution above to this project, then the backing field declaration looks like this:
private String _priority;
Otherwise, it looks like this:
private System.Nullable<Priority> _priority;
6. Move the Priority property declaration from the generated file to the new file the same way. In this case you do copy the attribute on the declaration.
[Microsoft.SharePoint.Linq.ColumnAttribute(Name = "Priority", Storage = "_priority", FieldType = "Choice")]
public System.Nullable<Priority> Priority
{
    get {
        return this._priority;
    }
    set {
        if ((value != this._priority)) {
            this.OnPropertyChanging("Priority", this._priority);
            this._priority = value;
            this.OnPropertyChanged("Priority");
        }
    }
}
Again, the type of the property will be String if you’ve already applied the Easy Solution to this project.
7. If you have not previously applied the Easy Solution to this project, you now need to change “System.Nullable<Priority>” in both places where it appears in your new file to “String”.
8. You cannot declare the same property and backing field in both files. Unlike the classes, properties cannot be marked “partial”. So, you need to ensure that they are removed from the generated code file and not regenerated on subsequent runs of SPMetal. To accomplish that, create a parameters.xml file with the following content.
<?xml version="1.0" encoding="utf-8"?>
<Web AccessModifier="Internal" xmlns="http://schemas.microsoft.com/SharePoint/2009/spmetal">
<ContentType Name="Task" Class="Task">
<ExcludeColumn Name="Priority" />
</ContentType>
<ExcludeContentType Name="Summary Task"/>
</Web>
9. Rerun SPMetal with a command line that references your new parameters.xml file. The new generated code file will no longer contain the declarations of the Priority property or its backing field.
Now you need to add your validation logic to the setter of the Choice field class. To continue the example, take these steps.
1. Add the following code to the Priority property setter just above the “if” statement:
using (SPSite siteCollection = new SPSite(----- ????? -----))
{
    using (SPWeb website = siteCollection.OpenWeb(---- ????? -----))
    {
        SPList taskList = website.GetList(this.Path);
        SPFieldChoice priorityField = taskList.Fields["Priority"] as SPFieldChoice;
        if (!priorityField.Choices.Contains(value))
        {
            throw new ArgumentOutOfRangeException("value", String.Format("'{0}' is not a possible value for the Choice field 'Priority' in the 'Tasks' list.", value));
        }
    }
}
Working from the bottom up, note the following about this code. If the value that calling code is passing is not in the Choices collection of the SPFieldChoice object, then an exception is thrown. The reference to the field object is obtained through the Fields collection of the SPList object, and a reference to the latter object, in turn, is obtained through the GetList method of the SPWeb object and the Path property of the Task object.
Before any of this can be done, however, the code needs to get references to the SPWeb and SPSite objects. If the code is running where there is an HTTP Context, and thus a non-null SPContext object, your code may be able to get current SPSite and SPWeb objects from the SPContext object. But let’s try to write code that can be used even in a console application or other scenario in which there is no HTTP Context.
2. To get a reference to the SPWeb object, we need a site-collection-relative URL for the website. You can construct this URL by starting with the Path property of the Task object and trimming off from the end of it the website-relative URL of the list. So add the following lines above the “using (SPWeb …” line:
String webRelativeListURL = "/Lists/Tasks";
String siteRelativeWebURL = this.Path.Remove(this.Path.Length - webRelativeListURL.Length);
3. Insert siteRelativeWebURL as the parameter to the OpenWeb method.
You need the absolute URL of the parent site collection to get a reference to the SPSite object. This is harder. The Task class’s Path property does not include the protocol or domain part of the site collection URL. Nor is this information in any member of the class that SPMetal generates. What you need to do is create a member of the Task class that can hold this information and then initialize that member when the Task object is created. To continue the example, take the following steps:
1. Add the following declaration of an internal field to the Task class in your code file (not the generated code file).
internal String parentDataContextWebURL;
You’ll see in a moment why we are giving it that name. For now just note that it is going to hold the URL that is needed by the SPSite constructor.
2. Replace the parameter “----- ????? -----” in the SPSite constructor with the name of your new field parentDataContextWebURL.
The content type class has a constructor that is generated by SPMetal and this is one part of SPMetal behavior that you cannot turn off or change. So you cannot customize this constructor to initialize your new internal field (because your customization would be overwritten the next time the code is regenerated). Moreover, creating another constructor in your own partial definition of the class would serve no purpose. This is because your calling code does not directly construct the list object and the items within it. Rather these entities are created by the GetList method of the DataContext object. And that method, in turn, calls the generated constructor – the one you cannot modify.
You will notice in the generated code that the content type class constructor does call the partial method OnCreated, so you could give this method an implementation in your own partial class definition. Unfortunately, this method takes no parameters (nor does the constructor that calls it) so there is no way to pass it the data it would need to initialize your new field and, in this scenario, we are deliberately avoiding use of the context.
What you need to do is override the GetList method of the DataContext object so that it initializes the new field on each list object before it returns the list. You can do this because the DataContext-derived class that SPMetal generates is also marked partial. To continue the example, take the following steps:
1. Near the very top of the generated code file is the declaration of the DataContext-derived class. Copy that declaration to the new code file you created earlier and then add the opening and closing braces. The name of the class is determined by what you used as the value of the /code parameter on the command line call of SPMetal.
public partial class LinqChoiceFieldExperimentsDataContext : Microsoft.SharePoint.Linq.DataContext {
}
2. Add the following override of the DataContext.GetList method to the class.
public override EntityList<T> GetList<T>(string listName)
{
    EntityList<T> list = base.GetList<T>(listName);
    if (typeof(T).Name == "Task")
    {
        foreach (T t in list)
        {
            Task task = t as Task;
            task.parentDataContextWebURL = this.Web;
        }
        return list;
    }
    return list;
}
Note that the method is passing the DataContext object’s Web property (which holds the object’s absolute URL) to the internal field of each Task object in the list. This field, in turn, is used by your customized setter to create an SPSite object. This URL, by the way, might be the URL of a subsite of the site collection. That does not cause any problems. The SPSite constructor is smart enough to know that what you really want is the parent SPSite of whatever is at the URL in the parameter.
That does it. Calling code like the following will be blocked from writing invalid values to the Choice field.
using (LinqChoiceFieldExperimentsDataContext lCFDC = new LinqChoiceFieldExperimentsDataContext("http://Contoso/Marketing/"))
{
    EntityList<Task> tasks = lCFDC.GetList<Task>("Tasks");
    tasks.First().Priority = "(4) Trivial";
    lCFDC.SubmitChanges();
}
Of course, in its present version, this code only works for the Priority column of the Tasks list. Consider generalizing it to deal with all Choice fields on all lists. As my college math textbooks used to say, “this is left as an exercise for the reader”.
-
Social Media Accounts are Intellectual Property
[Small Business] (Business Insider)
A large portion of your competitive advantage and your potential value to investors is the size of your intellectual property portfolio. When someone says Intellectual Property (IP), most entrepreneurs think only of patents. In reality, patents are only one of at least eight items that should be in your IP portfolio. You need all these before you start looking for funding.
Some of the other items may cost a lot less, and may be worth far more in the long run. Here are the key elements:
- Company name. The company name becomes your intellectual property at the moment you incorporate your startup as an LLC or a Corporation. Sole proprietorships need to trademark the name to protect it. Select it well – marketers will tell you that you will be selling your name, more than your products. Actual incorporation fees in many states are below $100, if you do it yourself. Don’t pick a company name until you are certain that you can get the comparable domain name, so Internet brokers won’t hold you hostage.
- Internet domain name. This name (www.domainname.com) is just as critical as the company name, and the two should match as nearly as possible. Significant differences will confuse your customers, and open the door to imitators and scam artists. Internet domain names can be acquired from most hosting providers or Network Solutions, for as little as $10/year each.
- Social media accounts. Immediately go to relevant social media sites and grab the same name, even if you never plan to use the accounts. Many companies like Sears, Coca-Cola, and Twitter have already been hurt by people using company names they don’t own on social sites. These days, every business needs a blog, so register your domain names as accounts on TypePad, WordPress, and Blogger, or all of the above, before someone starts blogging in your name.
- Patents. Remember that ideas cannot be patented, only novel implementations. But the application or provisional application has to be registered before you disclose the details to investors or consumers, or the implementation will be deemed un-patentable. Patent attorney fees start at around $5K.
- Trademarks. A trademark is a name, phrase or logo that tells the consumer the origin of the goods and distinguishes your goods from those of your competitor. Trademarks require a federal trademark registration from the United States Patent and Trademark Office. The cost for a single trademark is around $300.
- Copyrights. No registration and no cost is required to secure a copyright on written, audio, or video material that you create to be attributed to your company. Still, it is recommended that you add the familiar ©Copyright 2010 symbol at the beginning or end of each media and document segment.
- Trade secrets with employment agreement. Companies often use non-patentable but important trade secrets to run their business. These trade secrets need to be documented and coupled with an employment agreement, to keep them from migrating to your competitors when employees move on.
- Business Plan. Your business plan holds the keys to your kingdom, so you don’t want it in the hands of competitors. If you need early reviews or assistance by people you don’t know well, get them to sign a Non-Disclosure Agreement first. A sample agreement is available for free download from my website.
In cost, all of these elements of intellectual property may be acquired for a few hundred dollars (or a few thousand with an attorney), if you act early and quickly. Later, good intellectual property can be worth millions when your company valuation is set for investment purposes, or when the company is acquired or sold. In between, you need it to survive.
Marty Zwilling
-
VENITISM
[Citizen Journalism, News] (CNN iReport - Latest) http://venitism.blogspot.com
Venitism is a new libertarian paradigm which integrates politics, economics, ethics, and spirituality. Venitists follow the Venitis Laws:
Venitis Law of Black Hole: Taxation is armed robbery that feeds the black hole
of political corruption; it's the perfect index of corruption and tyranny. Only
evil governments tax citizens and companies.
Venitis Law of Constitution: The only purpose of a constitution is to protect
citizens from government abuse. Reform treaties of a confederation not voted by
the citizens are null and void.
Venitis Law of Democracy: Every democracy is eventually hijacked by
rabblerousers, pullpeddlers, clans of kleptocrats, bumptious bugaboos,
busybodies, butterbabies, nabobs of nepotism, cranks of cronyism, pusillanimous
pussyfooters, riffraffs of rascals, socialist sophists, and machiavellian
mafiosi. Democracy tends to kleptocracy. Anarchy should replace democracy.
Venitis Law of Depression: Only governments can cause economic depressions and
funny money. Lower tax rates, a reduction in the burden of government, and
elimination of kleptocracy and VAT are the only way to boost growth.
Venitis Law of Education: There is no direct relationship between education and
schooling. You might be schooled but uneducated, and you might be educated but
unschooled. Schools are concentration camps for the drones of society.
Unschooling is much better than schooling. Internet is the best source of
knowledge and information, replacing schools, libraries, media, parliaments, and
post office.
Venitis Law of Environment: The best way to save the environment is vasectomy.
Deadly viruses are Gaia's antibiotics against the cancer of overpopulation.
Venitis Law of Equality: Death is the only equalizer. Egalitarianism brings
death to society, transforming citizens to zombies.
Venitis Law of Evolution: The ultimate phase of human evolution is the complete
domination of soul.
Venitis Law of Faith: Faith is retarded thinking that keeps you away from God.
You have to become faithless, in order to start your journey to God! You have
to discover God your own way without intermediaries. God's truth should replace
faith.
Venitis Law of Government: The only purpose of government is to protect citizens
from criminals. Public services, central banks, and fiat money should be
abolished.
Venitis Law of Heroism: Entrepreneurs, innovators, anarchists, and heretics are the real heroes.
Venitis Law of Insurance: Citizens with proper individual retirement accounts
and health savings accounts should be allowed to opt out of State Insurance.
Venitis Law of Intervention: Any government intervention deteriorates an
existing trend. Laissez-faire is the only progressive policy.
Venitis Law of Legislature: Parliaments should be abolished, because they
continuously create laws that enslave citizens, constrain economic activity,
loot producers, reward drones, and encourage political corruption.
Venitis Law of Misery: Throwing money to misery brings more misery. Fighting
wild leverage with more leverage is homeopathic repression of reality. A deluge
of fiat money brings financial plague and haemorrhage of economy. Real money is
tied up to precious metals and strategic metals.
Venitis Law of Patriotism: Patriotism is addiction to local hysteria.
Venitis Law of Property: Governments should not own or regulate any property,
including electromagnetic waves. The first individual who improves or cultivates any unclaimed property is entitled to that property. Governments cannot own, allocate,
regulate, or manipulate frequency fields and media. Eminent domain is null and
void.
Venitis Law of Religion: Religion is spiritual slavery. Church is the business
of religion. Religious monopoly turns bishops to ayatollahs, and churches to
Sodom and Gomorrah. Spirituality and metaphysics should replace religion.
Venitis Law of Selfownership: You own your body and your soul, and nobody should
dictate what you take in and what you take out. Speech, education, heresy,
habeas corpus, military service, mating, healthcare, abortion, cloning, drugs,
guns, and euthanasia should be personal choices.
Venitis Law of Style: Your soul needs to resonate with mighty words and unique
acts that express your style and destiny. Your government cannot dictate your
language, your words, and your culture. Resonate now and sing your song!
Venitis Law of System: The most efficient political system is anarchy, where
everything is private, there are no taxes at all, there is no government, and there is no parliament.
Venitis Square Law: Political corruption is proportional to the square of the
size of the government.
Venitis Tax Law: Taxes destroy the economy. Raising tax rates is
masochism. Smart stimulus is to cut tax rates. Stupidus stimulus is to increase
spending, which stimulates the cancer of statism!
-
Blog Post: PKI – It’s a trust Thing!
[Enterprise] (Site Home)
Part 4 of what currently still stands at a four part series. But I have high hopes for further posts. I was going to start off the intro to this blog by congratulating Jason on avoiding falling into the cliché trap of using Bob & Alice and all their cryptographic friends but you will quickly see, as I did, that this was a rather premature notion on my part.
As a side note; my Cryptography Lecturer at University was called Chuck. I’m quite surprised to see that “Chuck” is traditionally used as the bad guy that intercepts messages. I’m fairly sure he neglected to use his own name in the many slides he referred to this slightly weird bunch of fictional characters! Enough of my ramblings, Jason has a lot to say in today’s session:
If you have been reading the previous blog posts then you’ll know that Public Key Cryptography involves a Public Key which can be passed to whoever you want to give it to and a Private Key which you would never dream of passing to someone. If you haven’t already read the 3 posts preceding today’s, I suggest you have a look at these first as they build up and follow on.
You’ll also know that Public Key Cryptography can be used to offer:
- Confidentiality through encryption
- Integrity through hashing
- Authenticity through encryption and hashing
So, how does all this work? Well imagine two people meeting up, let’s call them Alice and Bob. All cryptographers know Alice and Bob very well indeed. Alice and Bob meet up and want to exchange some encrypted data with each other. So, the conversation goes rather like this:
Alice : “Hello, my name’s Alice. Nice to meet you”
Bob : “Hello Alice, nice to meet you. I’m Bob”
Some pleasantries (geeks call this handshaking)
Alice : “Bob, wouldn’t it be good to be able to communicate securely?”
Bob : “Yes Alice. Let’s create some keys. Oh here we are. Have my PUBLIC Key called PuB”
Alice : “Thanks Bob. I’ll store PuB in my address book. Here’s my PUBLIC key PuA”
Bob : “Alice, that’s great – PuA’s going in my address book and I’ll be in touch. Bye”
Some more pleasantries (teardown)
After some time, Bob decides to get back in touch with Alice, so he generates a Symmetric Session Key (SKB), cracks open his address book, pulls out PuA and encrypts SKB with PuA. He then fires this over the network. Alice receives the package, retrieves her PRIVATE KEY (PrA) and uses it to decrypt SKB/PuA. So, Alice can see the B to A session key. She could reverse this process and then we’d have two security associations and they could exchange data two ways.
OK, two problems here (apart from a very wooden script) :
- We have a real scalability issue here. In this scenario if Alice wants to exchange data securely not only with Bob, but also Chuck and Dave then she’s going to have to have a very similar conversation with these other guys too. That’s going to lead to a real problem with key management. If everyone needs to communicate securely then we’re going to have n x (n – 1) keys in circulation.
- There’s a more prosaic problem. How did Bob know that Alice was in fact Alice and how did Alice know that Bob was in fact Bob? They don’t – they are just taking each other on trust. What would have happened if Eve the evil hacker was in fact (insert your own maniacal sound effects here) playing the part of Bob and playing the part of Alice in between the two of them? If Alice receives a Public Key from Eve that purports to be from Bob (PuEB) and Bob receives a Public Key from Eve that purports to be from Alice (PuEA) then Bob thinks he’s speaking to Alice and Alice thinks she’s speaking to Bob when in fact they are both experiencing a “Man in the Middle” attack.
Let’s address the first of those problems first, because that’s a little simpler. Alice and Bob decided to store each other’s Public Keys in each other’s address books. That’s a great idea, but how about if they both had a shared address book which they could refer to? Outlook calls that address book the Global Address List. Now, all everyone needs to do when they want to exchange emails securely is to publish their public keys to the GAL and when they want to send a message, issue a simple query to the GAL for the recipient’s Public Key.
We’ve been talking about emails here, but the exact same principle applies to any other kind of public key. Some will be published to Active Directory and some will not.
The trust thing is an issue however, so let’s start looking at that. Typically if you ask me for my public key then what I’ll do is encapsulate it in a certificate. A certificate acts as a carrier for my Public Key. It’s a feature of a certificate that it will have:
- A unique identifier for this certificate
- Some subject information – the subject is the entity to which the certificate was issued.
- A start date
- An expiry date
- Issuer Information
- It will be signed
These features allow us to put information into the certificate to better identify who I am and how long I should be trusted for.
SMS has always used certificates to identify the client but these are self-signed certificates. In essence the client says to the Management Point “Please trust me because I say that I’m trustworthy”. You can see this if you go into your certificates MMC and have a look in the SMS/Certificates section
You’ll see that the expiration date is, well a little longer than the expected lifetime of this laptop which I am using and if I open up one of these certificates, we'll see . . .
. . . The tell-tale signs of a self-signed certificate! Even though it says the certificate is not trusted and the issuer is the same as the subject, is this certificate good enough? Well the answer is probably – yes. This certificate is being used to digitally sign communications from the client to the Management Point in a mixed mode SCCM environment, so it’s likely that the other forms of authentication will also come into play. This changes in a Native Mode SCCM environment as you likely won’t have, for example a Domain Controller to authenticate your workstation.
So, what is Alice doing when she embeds her Public Key within a certificate? Well, in essence Alice is passing over the proof of her identity to a third party. What is Bob doing when he looks at Alice’s certificate? Well, he’s deciding that Alice is Alice not by trusting in Alice but by trusting the issuer.
It’s very much like a passport. When Angela (below) arrives at passport control and presents her passport, the choice of whether the border agent trusts Angela is not only that Angela looks like her photo (let’s call that her public key) but also that the passport is within its validity period and, crucially that the passport was issued by the United Kingdom Passports Agency. A decision has been taken by the country which Angela is trying to enter that British passports can be trusted. That’s not always the case – sometimes we need a visa to provide additional evidence of who we are (or an excuse for a country to racket visitors) and sometimes certain passports are de facto untrusted!
What’s all this known as in Microsoft Windows? If you’re still in your certificates MMC you’ll see a list of Trusted Root Certification Authorities. So, a Certificate Authority is some entity that you go to in order to help prove your identity.
When you install a copy of Microsoft Windows you will already have a list of TRCAs on your system, quite simply because someone, somewhere in Redmond decided that the list should contain certificates from GeoTrust, VeriSign, Go Daddy et al and not from Mikes-dirt-cheap-certs-4-U.COM. When your domain admin gets his or her hands on your system through Group Policies they can add internal CAs to the list and could, if they really wanted to add in Mikes-dirt-cheap-certs-4-U.COM into this list. So, ultimately who do you trust? The CA or the SA?
So, let’s say I wanted to start selling something online. Would you trust me with your credit card details? You wouldn’t? So, I am going to need to do something to prove to you that I am who I say I am. I’m going to go out and get a certificate from a Certificate Authority. There is a whole bunch of CAs out there, which one am I going to choose?
- The most important thing for me is that the certificate is trusted by you, so I kind of need to second guess what’s going to be in your TRCA. I know that VeriSign, Geo Trust and so on are likely to be in your list and Mikes-dirt-cheap-certs-4-U.COM is unlikely to be in your list.
- I’m likely to look for someone who is cost effective.
Of course, if all we are doing is something purely internal then we probably don’t need to go out and buy a certificate from someone else as we’ll be able to control the TRCA list internally and can add our own CA in via GPOs.
Let’s look at this at a well-known email provider. I went to log in to my emails and I got this:
Somewhere, some checks had been performed on the identity of Microsoft to say that they are who they say they are – Internet Explorer also kindly showed them as green so I am even confident. What happened here? Opening up the certificate I see some interesting things
Frist, I see that the Subject is the same as the website. That’s a good start. Then I see that the validity dates are good. Even better. I also see the Issuer Information VeriSign Class 3 Extended Validation. Let’s look at that a little more. In the Certification Path we can see that the certificate which Microsoft supplied us in fact also contains the certificate for the issuing CA AND the certificate for the CAs above that:
So, what we see here is that at VeriSign they have a ROOT CA and a subordinate ISSUING CA. The certificate of the issuing CA is issued and digitally signed by the ROOT CA. What about the ROOT CA’s certificate? Well, that’s self-signed – the ROOT CA is saying “you have to trust me because I’m the Root CA”
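The Certification Path can also be rebuilt outside the MMC, together with the reason the root at the top of it is trusted. The PowerShell below is an added example, not code from the original post: the function names are hypothetical, and the registry paths are the standard Windows locations of the physical stores behind Trusted Root Certification Authorities, which the post does not list. The signer certificate of the running PowerShell host is used as an offline sample.

```powershell
# Added example (not from the original post). Rebuilds the Certification Path
# for a certificate and reports which physical store makes its root trusted.

# Physical stores that feed the machine's Trusted Root Certification Authorities
# list. Each certificate is a registry subkey named after its thumbprint.
$RootStoreSources = [ordered]@{
    'Local registry'           = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates'
    'Third-party root program' = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'
    'Group Policy'             = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
    'Enterprise (AD)'          = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
}

function Get-RootTrustSource {
    # Returns the name(s) of the physical store(s) that contain this thumbprint.
    param([Parameter(Mandatory)][string] $Thumbprint)

    $found = foreach ($name in $RootStoreSources.Keys) {
        if (Test-Path -Path (Join-Path $RootStoreSources[$name] $Thumbprint)) { $name }
    }
    if ($found) { $found -join ', ' } else { 'not in machine root store' }
}

function Get-CertificationPath {
    # Emits one object per chain element, end entity first, root last.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Path building only: no CRL/OCSP lookups, so the example also runs offline.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'

    try {
        $null = $chain.Build($Certificate)
        $last = $chain.ChainElements.Count - 1

        for ($i = 0; $i -le $last; $i++) {
            $element = $chain.ChainElements[$i]
            $cert    = $element.Certificate

            # A root CA certificate names itself as its own issuer.
            $selfIssued = $cert.Subject -eq $cert.Issuer

            $role = if ($selfIssued -and $i -eq $last) { 'Root CA' }
                    elseif ($i -eq 0)                  { 'End entity' }
                    else                               { 'Issuing/intermediate CA' }

            # Only the root needs to be in the trusted list; the rest chain to it.
            $trustSource = ''
            if ($role -eq 'Root CA') { $trustSource = Get-RootTrustSource $cert.Thumbprint }

            # Per-element problems (expired, untrusted root, partial chain, ...).
            $problems = @($element.ChainElementStatus |
                Where-Object { $_.Status -ne 'NoError' } |
                ForEach-Object { $_.Status })
            $status = if ($problems) { $problems -join ', ' } else { 'OK' }

            [pscustomobject]@{
                Depth       = $i
                Role        = $role
                Subject     = $cert.GetNameInfo('SimpleName', $false)
                IssuedBy    = $cert.GetNameInfo('SimpleName', $true)
                NotAfter    = $cert.NotAfter
                SelfIssued  = $selfIssued
                TrustSource = $trustSource
                Status      = $status
            }
        }
    }
    finally {
        $chain.Reset()
    }
}

# Offline sample input: the Authenticode signer of the running PowerShell host.
# Any X509Certificate2 works, for example one exported from the browser dialog.
$hostPath = (Get-Process -Id $PID).Path
$sample   = (Get-AuthenticodeSignature -FilePath $hostPath).SignerCertificate
if ($sample) {
    Get-CertificationPath -Certificate $sample | Format-Table -AutoSize
}
```

A root whose TrustSource reads "Group Policy" or "Enterprise (AD)" is trusted because an administrator put it there, not because it shipped with Windows.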
“Why should I trust the CA, in this case VeriSign?” Because they are open as to the steps they take to verify identity in The Issuer Statement – take a look for yourself.
The next question then I guess is “Why should I trust the ROOT CA?” There, we’ll leave the discussion for now.
Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples is subject to the terms specified in the Terms of Use.
This post was contributed by Jason Wallace, a Premier Field Engineer with Microsoft Premier Field Engineering, UK.
-
OneTrueFan Shifts Horizontal Network to Horizontal Bar
[Social Media] (louisgray.com)
I've long extolled the virtues of OneTrueFan, the logical successor to the soon-to-be deceased MyBlogLog, spawned by the latter's founders, racking up one's visits around the Web, duking out top positions like Foursquare mayorships. I eagerly added code to my blog as one of the few active widgets I run to get a better sense of the frequent visitors and encourage community. Meanwhile, as I experiment, the network is growing up a bit and making changes. You can see one of those changes with the house ads running on my site, which you can trust I get no pennies for, and a refocus that takes the activity within the OneTrueFan network and makes it live completely within the bottom bar - an extension to most popular browsers, instead of on the company's Web site.
Unsurprisingly, initial feedback on OneTrueFan made the casual comparisons to Foursquare, along with some questions around security - where one had to trade off a third party watching what sites you visit and how frequently for a few badges and informal competitions with friends and strangers. I enjoy seeing people post they've taken the OneTrueFan badge of one Web site or another to Twitter, and the occasional emails I receive saying someone or another has kicked me off the top spot of one of my former top hangouts. But OneTrueFan isn't toying with being a silly gimmick for a sliver of early adopter Web centrists. It's very possibly creating a horizontal social network across the Web for disparate sites to understand their loyal visitors, and for those visitors to learn what stories people like them find intriguing through share history.
OTF Leaderboards from Across the Web
As you can see from the browser bar below, or if you have the extension installed yourself (and I wish you would), OneTrueFan has provided more transparency in how the service assigns points. The site speaks to wanting to encourage sharing of good content to other social networks, and that absolutely comes into play - meaning a popular Twitter or Facebook user who gets a lot of clicks can pass by a regular, but more reserved, visitor who regularly stops by each day.
The OTF Bar Encourages Sharing and Shows Community
OneTrueFan spells out the point system as follows:
- Daily Site Visits are 10 points apiece, per domain or subdomain
- Each page view adds 1 point.
- Each page share adds 5 points per network.
- Each clickthrough on a share gets 1 more point.
The OTF Bar on Hacker News and Checking Chris Yeh's Share History
I spoke with company cofounder Eric Marcoullier last week about the move to push more content into the bar and away from the destination site, and he said it was a move to encourage publishers to implement the bar themselves, as I have. Rather than push users to their site, the activity remains on the active domain. As the world knows, we have more than enough destination sites masquerading as niche social networks, and OneTrueFan (or OTF as we often call it), is trying to do something different, which brings value to bloggers, publishers and the occasional visitors alike.
The OneTrueFan site Still Shows Player History
Winning the OTF badge from a site doesn't yet create the prestige that racking up badges and mayorships does on everyone's favorite location based services, but it could, especially as more people get comfortable with sharing their browsing behavior. After all, you can easily tell the bar to stop tracking your visits to specific domains, and all known adult sites are automatically hidden. I've taken to putting the OTF bar on all browsers I use on all machines, and it's one of the few extensions I've embraced. In a world where a lot of activity can be siloed, or where we rely on the sharing buttons that come from the publisher to get the best content downstream, it's nice to take the OTF with me and get credit for sharing the best stuff to my networks. You can get your bar at http://www.onetruefan.com.
-
RTI and Tresys Join Forces With Wind River to Announce Innovative CADRE Architecture for Building Flexible, Cost-Effective Secure Cross-Domain Solutions
[Military] (Military Embedded Systems)
DoDIIS Worldwide Conference, Detroit, MI–May 2, 2011– Real-Time Innovations (RTI) and Tresys Technology today announced a revolutionary architecture for highly flexible, low-latency cross-domain solutions (CDS) that uses commercial-off-the-shelf (COTS) technologies and is built on the Wind River VxWorks MILS Platform. The solution enables greater flexibility and connectivity, lower cost of maintenance, and reduced risk versus traditional solutions for CDS.
The joint CDS architecture offered by Tresys, RTI, and Wind River replaces traditional proprietary CDS architectures with three components: the Tresys Content Aware Decision and Routing Engine (CADRE) gateway for defining security policies and filters, RTI’s Data Distribution Service (DDS) high-performance messaging middleware, and Wind River VxWorks MILS separation kernel. These three components together provide an open, extensible framework that enables lower implementation, maintenance and modification costs. The solution also runs on much less expensive hardware.
Although the architecture is fully designed, the solution’s concept car approach welcomes input from the Cross-Domain Community to influence a long-life architecture that is adaptable for even the most unique requirements while still meeting certification and accreditation (C&A) criteria.
Cross domain solutions, which provide access or transfer of data between differing security domains, have traditionally relied on highly proprietary, closed technologies. This often results in high cost and lengthy turnaround time when a system modification is required. Even minor component modifications can require significant recertification efforts.
“Sharing standard data across domain pairs is pretty straightforward these days,” said Scott Winn, vice president, business development at Tresys. “When you want to handle varying types of data with low latency, high throughput, and maintenance of QoS, it gets harder. Add in the need to accept myriad new data sources, interoperate with coalition partners, and quickly respond to new mission requirements—it gets harder still. Flexibility combined with high assurance requires a rethinking of how a CDS gets built. By involving the community—via our concept car approach—we are taking a game-changing approach to the design-build process that will provide long-lasting benefits to the entire community.”
Basing the joint architecture on the Wind River VxWorks MILS separation kernel secures data flow between multiple security domains. The VxWorks MILS kernel strictly controls data exchange across domains without requiring multiple processors. The VxWorks MILS platform has entered Common Criteria certification at EAL 6+ against the Separation Kernel Protection Profile (SKPP). The Tresys filters and RTI DDS use this secure foundation to connect diverse communication domains into this CDS.
The three technologies work together to provide secure, easy communications:
• Tresys’ CADRE architecture and tools deliver flexible, deep content inspection. CADRE builds on the dynamic attributes of DDS to enable easy creation of content filters and provide consistency in the security and quality of the implementation.
• RTI Data Distribution Service high-performance messaging middleware transmits and “normalizes” data between systems in real-time and with content awareness. The middleware supports end-to-end Quality of Service (QoS) and meets real-time performance requirements not currently satisfied by any CDS.
• Wind River VxWorks MILS Platform allows a single processor to host applications running at multiple security levels (e.g., secret and top secret) or from different domains (e.g., Navy and Air Force). This eliminates the typical CDS requirement of segregated user nodes, servers, and network equipment. Applications at multiple security levels can be hosted on a single processor board in secure partitions.
“Creating highly configurable real-time CDS solutions is challenging,” states Chip Downing, senior director of aerospace and defense at Wind River. “This solution stack enables wire speed transmission and filtering of multi-level secure (MLS) data in very small footprint devices.”
“RTI has a long, successful track record with Wind River and Tresys in advanced, secure communication systems,” said David Barnett, vice president of products and markets at RTI. “Our technologies fit together to create compelling and efficient customer solutions, and this platform is another proof point of the power of our joint solutions.”
The companies will demonstrate the joint architecture live at the 2011 Department of Defense Intelligence Information Systems (DoDIIS) Worldwide Conference in Detroit, MI on May 1-5, 2011 and at the Wind River Aerospace and Defense Regional Conferences being held across the United States.
About RTI Data Distribution Service
RTI Data Distribution Service is the world's most widely-used implementation of the Object Management Group (OMG) Data Distribution Service (DDS) specification. DDS is the leading messaging standard for integrating distributed real-time applications and systems-of-systems. By bringing the benefits of a Service Oriented Architecture (SOA) to demanding mission-critical systems, DDS dramatically reduces the time and cost required for development, integration, testing, maintenance and upgrades.
About Tresys CADRE
Tresys’ CADRE is a concept for sharing information across security domains using off-the-shelf technologies that radically change the way cross domain solutions can adapt to evolving requirements. Built on a custom filtering language coupled with a Tresys proprietary CDS architecture, CADRE permits deep content inspection of data formats and protocols that are “unknown” to the filter, thanks to DDS’s ability to abstract the protocol itself.
About RTI
Real-Time Innovations (RTI) is the world's leading provider of messaging middleware compliant with the Object Management Group (OMG) Data-Distribution Service for Real-Time Systems (DDS) standard. With over 70 percent market share, more than 400 unique projects take advantage of RTI's software and expertise to slash the time and cost of systems integration. These span a broad range of industries including aerospace, defense, finance, intelligence, power generation and transportation. Founded in 1991, RTI is privately held and headquartered in Sunnyvale, CA. For more information, please visit www.rti.com.
About Tresys Technology
Tresys innovates and applies advanced technologies to quickly solve the needs of customers who require agility and responsiveness to meet their security requirements. Leveraging secure open source software, our products and services support the most sensitive security missions around the world. As a result, Tresys enjoys a distinct reputation for shifting the way governments and businesses approach security. For more information, visit: www.tresys.com
-
Google Inc.: Google: Software Engineer - New York
[Jobs, Jobs (not Steve)] (Recent Programming Jobs)
Location: New York
URL: http://www.google.com/jobs
The area: Software Engineering
Google's software engineers develop the next-generation technologies for which we've become world-renowned. In addition to revolutionizing search technology, we use our world-class programming skills to innovate in a number of other areas as well. Our projects include working on advanced information-retrieval algorithms, massive scalability and storage solutions, and large-scale applications that enrich the user experience. We also work extensively on networking systems, advertising systems and complex transaction systems in consumer applications.
The role: Software Engineer
Software Engineers have a penchant for solving complex and interesting problems. Google is much more than search, and our mission has much greater scope. To handle information at the scale of the web requires ideas from just about every area of computer science, including information retrieval, artificial intelligence, natural language processing, distributed computing, large-scale system design, networking, security, data compression, user interface design, etc.
Engineers work on many projects that carry varying responsibilities. Below are some examples of the diverse projects with which you might be involved.
Responsibilities:
- Write server-side code for web-based applications, create robust high-volume production applications, and develop prototypes quickly. You should also have a strong understanding of, and practical experience with, Java web application development.
- Build our platforms, systems and networking infrastructure using your strong background in distributed systems, OS/kernel, network system design, and large scale storage systems.
- Build internal systems used by thousands of Googlers around the world with your domain expertise in HR, Staffing, Legal, and all other corporate functions.
- Specialist domains: UI development with AJAX and similar technologies, client application development for Windows/Mac (Chrome, Toolbar, etc.), embedded systems and mobile apps (Android), developer tools (IDEs, large-scale build systems, compilers), internationalization.
Requirements:
- BS, MS, or PhD in Computer Science or related technical discipline (or equivalent).
- A solid foundation in computer science, with strong competencies in data structures, algorithms, and software design.
- Extensive programming experience in C/C++ and/or Java (strong OO skills preferred).
- Several years of large systems software design and development experience, with extensive knowledge of Unix/Linux.
- Coding skills in Python or Javascript/AJAX, database design and SQL, and/or knowledge of TCP/IP and network programming are a plus.
To apply: For immediate consideration, please apply at this URL: http://www.google.com/jobs/application/application?source=37sig&loc=us&action=add&job=Software+Engineer+-+New+York Please ONLY apply online. Emailed resumes will NOT be considered.
-
Creating, Protecting and Defending Brand Equity - Part 1
[Domain Name] (CircleID)
The use and protection of distinctive brands are integral steps in bringing a product or service to market, in differentiating that product from others, and in marketing, promoting and selling that product or service to local, regional and global customers. Brands create value, build and protect equity, and become core to the product's definition and reputation in the market. By claiming trademark rights, a brand-holder asserts that an understanding exists between their brand and consumers, that their brand is distinctive and associated with a specific product or service in the market. A trademark can be seen as a form of contract between two parties, where one party uses a brand (a word, domain name, logo, even a color, scent or sound) to identify and differentiate their product or service from others. The other party to the contract is the consumer. This contract can break down when the trademark is not sufficiently distinctive from others, or when a third-party attempts to deceive or confuse the buying public into thinking their own brand is either the same or related to another. In this three-part post series, I will discuss how brand owners can protect their trademarks against misuse.
Trademark laws exist around the world to facilitate the use, registration and protection of your brand. With the incredible growth of the internet and the surge in global commerce it has helped produce, the importance of having a recognizable name has grown. In tandem, the risk of infringement, the threat of someone else trading on or benefiting from someone else's brand equity, has also grown. While it is easier than ever to create a global brand, the challenges involved in protecting the equity it creates have increased.
One can see evidence of trademark disputes affecting commerce every day in the news. The issue of protecting brand equity is front of mind for major companies worldwide, and should be at the forefront of any marketing strategy. Trademark disputes most often hinge on whether consumers will be confused, whether the use of a rival name will unfairly affect the "contract" a brand holder has built with the public. Trademarks do not have to be identical to cause confusion. A local hot dog institution in New Jersey, Rutt's Hut, is suing a rival hot dog restaurant that recently changed its name to Mutt's Hut. Their contention is that Mutt's is trading on the long-term brand equity that Rutt's has built with the public, and that consumers will assume the two restaurants have common ownership. Disputes also arise over whether a certain term is generic or descriptive, whether it is too general for one company to claim exclusive rights. A recent case involves Apple Computer suing Amazon over the use of the term "App Store." Apple has objected to Amazon's planned launch of an "Appstore," a rival service to sell applications for the Google Android operating system. (Interestingly, Microsoft has already disputed Apple's trademark for "App Store" on grounds that it was too generic, and Apple has countered that "App Store" is no more generic than Windows, a Microsoft trademark).
Likelihood of confusion can be extremely subjective, and the real and perceived threat to brand equity can be challenging to assess. Facebook recently opposed a U.S. trademark filing by Teachbook, claiming that Teachbook threatened the Facebook brand with a likelihood of confusion, deceptiveness and false suggestion of a connection; along with dilution of the Facebook name, citing the distinctive BOOK component of their brand, along with the fact that Teachbook was calling itself a "Facebook for Teachers." While it is up to the courts to determine the validity of each specific trademark case, it is the strength of the bond between the brand and the product or service it identifies that determines how strong the brand's "contract" is with the public and whether or not confusion could actually exist. Of course, every brand is different, so it's almost impossible to determine what is overreaching and what is vigilant brand protection without examining each case individually.
Several issues affect whether confusion can occur. Among them, channels of commerce (how the brand is promoted and sold), where it is sold, and the sophistication of the buyer (an impulse buy or a careful purchase) all affect the likelihood of confusion. It can be argued that a buyer in the checkout lane of a supermarket is much more likely to confuse a gum and a hard candy with similar sounding names than a car buyer would be when looking at models from two different car makers with similar names. Similarly, the actual brand itself can have an impact on confusion. For example, is the name a generic term for the product, a term that describes product attributes, an arbitrary term (a common language word that has little or no meaning for the product or service it represents), or a fanciful name with no meaning? In determining likelihood of confusion for a new computer, LAPTOP (generic), SUPERSLIM (descriptive), OCEAN (arbitrary), and XLATRERA (fanciful) may all affect the strength and protectability of the brand. Generally, it is easier to defend those brands that are less descriptive, and more arbitrary or fanciful. The goods/services (what will the product or service be used for) also have a major impact. The likelihood of confusion rises as the similarity of the goods/services rises.
You can see that the concept of confusion is dynamic, complicated and often subjective. At its heart is a simple question: would a reasonable buyer be confused? These concepts should be front of mind as you pick your brand, as they have a strong impact on your ability to defend and promote your name.
Written by Joshua Braunstein, General Manager, CT Corsearch
-
Blog Post: ActiveX Filtering for Developers
[Microsoft Office] (Site Home)
When we introduced ActiveX Filtering with the IE9 Release Candidate, we focused on delivering a great user experience that stays out of the way from regular browsing and makes it easy for users to turn off filtering when they want to. At the same time, we want users to have a great experience viewing Web sites while ActiveX Filtering is enabled. This includes minimizing site compatibility issues and clearly indicating when content on a Web page is blocked by ActiveX Filtering.
In this post, we describe some additions to ActiveX Filtering in the final IE9 release and share some best practices that we encourage Web site developers to follow. Updating Web sites based on these best practices helps maximize the browsing experience with ActiveX Filtering.
msActiveXFilteringEnabled API
Many Web sites display fallback content when they detect that users don’t have ActiveX controls installed. Typically, the sites display a message informing users that they need to install or upgrade an ActiveX control in order to view the content:

YouTube displays an upgrade message as fallback content
When ActiveX Filtering blocks a control from running on a Web site, the site displays the same message to users even though the control is already installed. The site is unable to determine whether the control is not installed or is simply blocked by ActiveX Filtering. Users proceed to re-install or upgrade the control but will eventually see the same message since the control is still blocked.
With the final IE9 release, we added the msActiveXFilteringEnabled API which determines whether ActiveX Filtering is enabled for the current site. The API returns false on a site if the user decided to turn off filtering for that site, or if ActiveX Filtering is turned off globally. The upcoming section on best practices includes further suggestions on how to use this API.
In-Page Filter Icon
Some Web sites don’t display fallback content when ActiveX controls are blocked by ActiveX Filtering. Instead of displaying a broken object icon in the placeholder area, IE now displays the same filtering icon as the one used in the address bar:

ActiveX control displays properly when ActiveX Filtering is turned off
IE displays the filter icon in the placeholder for the ActiveX control when it is blocked by ActiveX Filtering
IE displays the same icon in the placeholders of content that is blocked by Tracking Protection. Displaying this icon makes it clear to users that IE has filtered that content from the page. It serves as a visual cue for users to click the icon on the address bar to turn off filtering for that Web site and view the content. Without this change, users may perceive that the Web page contains broken links and may not be driven to configure filtering options for that page.
Best Practices for Web site Developers
Here are some best practices that we encourage Web site developers to follow to ensure that their sites work well with ActiveX Filtering:
Use Native Objects Instead of ActiveX
During product testing, we found several examples of Web sites that unnecessarily rely on the Microsoft.XMLHTTP ActiveX control for AJAX operations. Since ActiveX Filtering blocks instantiation of that control via script, the sites won’t render properly when ActiveX Filtering is enabled even though the sites don’t appear to have any ActiveX content.
These sites use the following coding pattern to use the ActiveX version of the XMLHttpRequest object, which fails when ActiveX Filtering is enabled:
    // BAD PATTERN: Don't do this!
    var xhr = window.ActiveXObject ? new ActiveXObject("Microsoft.XMLHTTP") : new XMLHttpRequest();

Internet Explorer has supported the native XMLHttpRequest object since IE7. The native object will function correctly even when ActiveX Filtering is enabled. Web sites’ scripts should prefer the native object if it’s present. The following sample code shows how to reliably create the XMLHttpRequest object:

    // Best Practice: Use Native XHR, if available
    if (window.XMLHttpRequest) {
        // If IE7+, Gecko, WebKit: Use native object
        var xmlHttp = new XMLHttpRequest();
    } else if (window.ActiveXObject) {
        // ...if not, try the ActiveX control
        var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
    } else {
        // No XMLHTTPRequest mechanism is available.
    }

With this code sample, sites will only need to instantiate the ActiveX control as a last resort. Sites can ensure that their functionality does not get unnecessarily affected by ActiveX Filtering by using native objects when possible.
Many of the Web sites that exhibited this behavior were using an earlier version of jQuery which used the above bad pattern to instantiate the XMLHttpRequest object. The latest version, jQuery 1.5.1, has addressed this issue so we encourage Web site developers to update.
Properly Displaying Fallback Content
Earlier we described the potential user confusion around displaying the wrong type of fallback content when ActiveX Filtering blocks a control. Web sites should use the new API to determine whether ActiveX Filtering is enabled on the site to distinguish from the cases where the ActiveX control hasn’t been installed or the version is out of date.
If ActiveX Filtering is indeed enabled for the site, our first recommendation is for developers to not display any fallback content. This allows the filter icon to be displayed within the placeholder area and has the same user benefit as we described earlier.
If sites still desire to display some fallback content, they can show a custom message telling users that they have to turn off filtering to view the content. The following sample code shows how to use the new API to check for ActiveX Filtering and display a custom message if a control is blocked:
    <object type="application/x-shockwave-flash" data="test.swf">
      <script type="text/javascript">
        // Best Practice: First detect if ActiveX Filtering is enabled
        // (window.external is checked first so the test cannot throw where it is absent)
        if (window.external &&
            typeof window.external.msActiveXFilteringEnabled != "undefined" &&
            window.external.msActiveXFilteringEnabled() == true) {
          document.write("ActiveX Filtering has hidden this content.");
        } else {
          // Either the browser isn't IE, or ActiveX Filtering is not enabled in IE
          document.write("Please install the Flash plug-in to view this content.");
        }
      </script>
    </object>

Web sites can use some alternate methods to display the original content on the page. For example, the ActiveX Filtering Test Drive demo displays videos in the HTML5 video format when ActiveX Filtering is enabled for the site.
We ask developers not to navigate users to a different Web page when they detect that ActiveX Filtering is enabled. IE contains logic that will keep the filter icon displayed on the address bar even if the new Web page doesn’t contain any ActiveX controls, but users will need to navigate back to the previous page after they turn off filtering. If the new Web page is in a different domain, users will end up turning off ActiveX Filtering for the wrong domain.
Test Your Web site with ActiveX Filtering
Some of the site compatibility issues we observed with ActiveX Filtering can be easily identified and addressed through testing. An example is the following site whose layout is affected when ActiveX Filtering is enabled:
The filter icons appear properly in the placeholders for the blocked ActiveX controls. It turns out that the site declared one of the controls with default dimensions that were inconsistent with its actual dimensions. Since IE uses the default dimensions to display the placeholder object on the page, the incorrectly sized placeholder results in layout issues with the rest of the page:

The default dimensions for the control are inconsistent with the actual dimensions. The layout for the rest of the Web page depended on the actual dimensions.
Developers should test their Web sites for compatibility with ActiveX Filtering to identify issues like the one described in this post. This ensures that only ActiveX content on a Web page is blocked by ActiveX Filtering and users can continue to view the rest of the page properly.
Working Well with ActiveX Filtering
Since we released ActiveX Filtering in the IE9 Release Candidate, the feedback we received helped us make the proper additions to the feature in order to make it more usable for both end-users and developers. For example, adding the filter icon to the placeholder object for an ActiveX control helps indicate to users that ActiveX Filtering has blocked content on the page, and they can turn off filtering through the same icon on the address bar.
We encourage Web site developers to follow the best practices shared in this post to ensure that Web sites work well with ActiveX Filtering. Developers should prefer natively implemented objects to ActiveX controls when they’re available, and update their sites to jQuery 1.5.1, which uses the right method to instantiate the native XMLHttpRequest object. Use the new API to detect whether ActiveX Filtering is enabled on a site and display more targeted fallback content. Finally, thoroughly test Web site compatibility with ActiveX Filtering to identify subtle layout issues. In the meantime, we welcome developers to share their own best practices in comments for this post.
—Herman Ng, Program Manager, Internet Explorer
-
ADmitMac 5.2 - Allow Macs to use directory services in Windows environs.. (Demo)
[Macintosh] (MacUpdate: Recent Mac OS X)
ADmitMac allows Macintosh users to participate in Microsoft networks taking advantage of the directory services provided by Active Directory, NT and Apple's Workgroup Manager Directory Services. Administrators can manage their domain users in a consistent way without regard to what kind of computer they use. ADmitMac lets users log into a Macintosh with their domain credentials and then have access to files in their home directory.
ADmitMac is tailored for multi-user, multi-computer scenarios with administrator-defined network security. It supports the highest level of security and does not require the downgrading of security when using Windows Server 2003. Kerberos is used to provide secure directory access, thus reducing the risk of unwanted disclosure, spoofing, and man-in-the-middle attacks. ADmitMac automatically configures the Macintosh to use Kerberos, obtains the necessary security keys from the domain, and performs mutual authentication, requiring the server to prove its identity. ADmitMac also works with older NT directory services. All communication with NT domain controllers is performed using SMB/CIFS protocols.
ADmitMac will cache successful user login information for later use. This allows notebook or mobile users to continue using their domain account to log in when their Macintosh is not connected to the domain.
ADmitMac v2.0 includes two major new features: Workgroup Manager plug-ins for both the Mac and PC and AD Commander. The Workgroup Manager plug-ins allow you to integrate Apple's Mac OS X Server MCX settings with your Active Directory domain server. And with AD Commander, you can access and update the Administrative Tools on your Active Directory Domain from your Macintosh.
BASIC ADmitMac FEATURES
- Administrators can easily manage Macs in their Microsoft Windows domain - without special training.
- Installs on the Mac with no Active Directory schema changes required.
- Provides secure access using Kerberos.
- Provides bi-directional file and printer sharing.
- Supports Windows login security restrictions.
- Allows users to easily change passwords.
- Support for Dfs - home directories can be mounted using Dfs.
- Supports NTFS file format - does not create double files.
- Preserves users' custom desktop and documents no matter which computer they log into.
- Offers complete interoperability with Services for Macintosh.
- Works with older NT directory services.
- Users can mount any shared folder they are allowed to access via the ADmitMac Browser or the Connect to Server...
- Perfect for computer labs or corporate networks where security is a major concern.
- Provides print client for connecting to Windows printers.
- Allows for user login with home directories located on the Macintosh client's local hard disk.
- Automatically configures Macintosh for use with Kerberos. Kerberos configuration files are generated automatically.
- Fully signed and sealed (encrypted) LDAP connections prevent disclosure of user's personal information and prevent man-in-the-middle attacks.
- Support for SMB signed connections, NTLM SSP, and NTLMv2.
- Expired and reset passwords are handled correctly when users log in to the Macintosh desktop.
- Caches user credentials for mobile user access when not connected to the network.
- Supports browsing for published shares.
- Print client can access shared printers. Printers may be configured by browsing the list of printers published in a domain, or manually.
- Kerberos credentials are set up automatically when a user logs in. No changes to /etc/authorization are required.
- Cross-realm trust with MIT Kerberos.
- Support for multiple domains within a forest.
- Administrators can choose domain search paths for users, groups, and published printers and shares to limit searches to specific organizational units.
- Administrators can choose to give domain members administrative privileges based on their domain group membership.
- Administrators can give administrative privileges to the user specified as the Macintosh's manager in the domain's computer records.
- Supports Mac OS X Server service principal names.
- Home directories may be located at a path where the user does not have access to the parent folders.
- Administrators can utilize Apple's Workgroup Manager MCX settings.
- The ADmitMac Deployment utility creates custom ADmitMac install packages for multi-computer installations.
- Dynamic DNS registration support: the Mac will register its IP addresses with DNS using its computer account name.
- The AD Commander tool allows you to edit Active Directory users and groups as if you were using AD Administrator Tools.
Version 5.2:
- Refines networked workflows around popular Mac applications such as Apple Final Cut Pro, Adobe Creative Suite, Avid and Microsoft Office.
- Mac OS X 10.5 or later
- Domain Service Requirements
  - Microsoft Server 2003 with Active Directory
  - Microsoft Windows 2000 with Active Directory or operating an NT domain
  - Microsoft NT service pack 6 or later operating an NT domain
-
Five multi-channel tips for publishers
[SEM (Search Engine Marketing), Startups, Social Media, Power150, SEO (Search Engine Optimization)] (Posts from the Econsultancy blog)
Today, traditional publishers face numerous challenges. While some will not rise to the challenge and meet them, others may one day look back and find that today's challenges pushed them to even greater heights.
A big reason for that is a proliferation of channels that publishers can use to reach consumers in meaningful ways. To take advantage of multi-channel opportunities, however, publishers need multi-channel strategies.
Here are five tips that can help publishers develop solid strategies.
Focus on creating efficiencies.
Multi-channel publishing can be extremely time consuming and expensive for publishers ill-equipped to work efficiently in a multi-channel world. When it comes to content distribution, for instance, many publishers still have multiple channel-specific processes and technologies.
The solution: focus on finding ways to streamline distribution so that you're not reinventing the wheel for each and every channel.
Remember that doing everything is doing nothing.
Publishers have a growing number of tools designed to enable them to provide their content to consumers whenever and wherever consumers request it. But that should not be seen as an invitation (or imperative) to be everywhere.
Being strategic is better than being prolific. By understanding and segmenting your audience, you can identify and invest in the channels that provide the greatest opportunity for the greatest return.
Select vendors and partners carefully.
Consumer expectations and behaviors are often different from channel to channel. For publishers, this means that it can be difficult to build great consumer experiences across channels in-house. So it's not surprising that publishers increasingly rely on outside vendors and partners to get them to where they think they need to go.
When working with others, choosing the right vendors and partners is crucial. In many cases, it pays to deal with companies with deep domain experience and which focus on a single channel instead of relying on a one-stop-shop for everything.
Piggyback.
It's nice to be ahead of the curve and to feel like a market 'leader', but sometimes it's appropriate to sit back, see what happens and let others discover strategies that you can piggyback on at minimal cost.
iPad publishing provides a good example of this. Many publishers were quick to jump on the iPad bandwagon, investing lots of time, money and publicity into their efforts. Yet the iPad hasn't been a panacea for publishers, and now some of them are scaling back their efforts. The lesson: being first doesn't mean you still won't finish last.
Be wary of hardcore technologists.
Technology is changing the face of publishing, and increasingly the most important channels for many traditional publishers are digital. Yet most publishers would do well to avoid paying too much attention to hardcore technologists.
The truth of the matter is that although channels are changing, the fundamental process by which traditional publishers create content is still largely the same. The problem with listening to technologists is that many of the strategies they espouse require nothing less than the re-engineering of the content creation process. Even for those who agree with the technologist approach, overlooking the fact that these technologists usually don't have any publishing experience, the reality is that most publishers are not going to reinvent all of their core processes overnight. Instead, they must find ways to make them fit within a multi-channel framework.
-
Blog Post: Best practices on Connector implementation – Directly from a Microsoft Dynamics partner
[Ecommerce] (Site Home)
David Meharg, Senior Manager of Consulting at Armanino McKenna, a Microsoft Dynamics partner in California, has been implementing Connector for Microsoft Dynamics for his customers. He's using Connector to help them integrate their Microsoft Dynamics GP and Microsoft Dynamics CRM solutions.
David took the time to share with us his "best practices" for Connector implementations. We thank David for these great tips and timesavers that will help more of you have success with Connector.
1) Become familiar with Dynamics Security Console.
This is a function of Dynamics GP Web Services, not the Connector. But, this is also a key spot where policies dictate how the data coming from Dynamics CRM is handled when being processed by the Microsoft Dynamics GP web service. Some tweaks will inevitably be needed in this area. For example, Price Overrides are configured via the Security Console.
2) Determine what really needs to integrate and what simply needs to be exposed in the Dynamics CRM interface
There are many details that live in Dynamics GP that may be useful to see in Dynamics CRM. The knee-jerk reaction is to create an integration to pass those values across. In many cases, however, the default maps in the Connector do not accommodate those integrations. Rather than build an integration, perhaps a better approach is to expose the information (in real-time) via a Microsoft SSRS report. We did this for Tracking Numbers. The Tracking Number table in Dynamics GP is not an out-of-the-box, mappable field. By creating an SSRS report, where we pass the Order # value as a parameter from Dynamics CRM, we gained full visibility to all Tracking Numbers associated with orders. Additional logic can be added in the report to create a clickable link to take you to the carrier's tracking page. The same was true for us on Quantities. Dynamics GP provides a wonderful table that contains Quantity on Hand, Quantity Available, On Back Order, etc. It is very simple to provide real-time inventory status, exposed in an iFrame on the Item card in Dynamics CRM, via SSRS so that this information is visible when adding items to a Quote or Order in Dynamics CRM. Exposing data like this is often easier than trying to devise a complicated integration.
3) Watch what you type for credentials when installing Web Services for Dynamics GP
While not directly related to the Connector, Web Services for Dynamics GP is a required component that allows the Connector to work. When installing and configuring Web Services you are asked for the credentials of the domain user that is being used to run the service. It needs to be in the domain\username format. That in and of itself is not unusual, but what is unique is that the syntax used for the entry is case sensitive. The values that you enter must be capitalized exactly how the name reads. One place to check for this is in Microsoft SQL Management Studio. As part of the installation, you needed to add this domain user as a user to the various databases involved in Dynamics GP. Check there to see what syntax was used.
4) Save maps regularly.
In the course of customizing the Connector's various entity maps, you should regularly create backups of your maps. Inevitably you will tweak a map function in such a way that an error will result. If you can identify and fix the error right away, you're in good shape. But, there are occasions, and you will undoubtedly face this a few times, where you can't identify where the error is. And, when there's an error, you can't save that map, or any other map for that matter. Should that time come, you may need to delete the map and re-import it into the Connector. Having backups of all of your maps is a life-saver. The moral of the story is to back up your work.
5) Create custom fields in Dynamics CRM before you initially configure Connector
Admittedly, this advice is not always practical, but it can certainly help. When you do a full configuration of Connector, the process looks over to Dynamics CRM and identifies all of the fields associated with a particular entity, both standard and custom. This allows Connector to present them as mappable fields. Should you do the initial configuration and then add a field to Microsoft Dynamics CRM later, that field will not automatically show up in the Connector. You must re-run the CRM configuration utility in order to read in that new field. That means stopping the service, running the config, restarting the service, etc. It takes a wee bit of time each run at it. If you piecemeal your new field additions, that all adds up. The best approach is to pre-determine as many of the custom fields needed up front, then run the CRM configuration utility. Some custom fields that are often needed include: Batch ID and perhaps some unique User Defined values for Orders; Custom Description and Site/Warehouse ID for Product Line Items.
6) Learn where to troubleshoot.
I've yet to run into an integration that worked every single time. There will always be snags, whether it be missing or mismatched data or simply an attempt to create a duplicate record. Connector logs all of its integration attempts. While it quite often will provide the necessary information to troubleshoot, the log's message is sometimes very nebulous. So, while the Connector log is the first place to look, you also need to be familiar with how to access the Exception Management Console for Web Services as well as the Event Viewer for eConnect. Fortunately, even if the log gives you an indeterminate error, you do have a clue which side of the integration is failing by looking at the Error Code: line in the Message Properties of the error. It will indicate which side recorded the problem. For example: Microsoft.Dynamics.Integration.Adapters.Gp2010::0x80131501, indicates that the failure happened on the Dynamics GP side. This would lead you to look in the Exception Management Console for more information. Here you can view the exact XML that was used during the transaction. Then, occasionally, you may find the Event Viewer log for eConnect can help define things even further. Knowing where to look is critical to quickly determining a solution.
7) Know when the integration works.
Knowing what happened when an integration fails is one thing, knowing that an integration actually went through is equally as important. There is nothing worse than to hit the "Submit to ERP," assume that it went through fine, and only find out later that it snagged in the Connector. Key indicators include: Was the record assigned an Integration Key value? For Orders, did the Name field update with the Dynamics GP Order Number? If you can identify the key fields that are updated via a round trip from Dynamics CRM to Dynamics GP and back, then you will be able to create a View of the entity that filters out everything but the "failed" integrations. Then you know that extra action may be needed on these records.
-
Using a shared NAS as backup to disk folder with BackupExec 2010
[Symantec] (Symantec Connect - Backup Exec - Discussions)
I have a number of servers that are some of the same domain and others from different domains.
I am going to use the NAS storage space for backing up these servers. The NAS space is obviously not part of any of the domains. I do have a username and password to access the NAS which is in a workgroup.
I want to add it as a backup-to-disk folder in BackupExec so I can backup my servers to it.
I am using the UNC path to the NAS space when trying to add it as a folder but get the error:
"Unable to create new backup folder. Access denied"
I have tried adding the logon credentials for the NAS to backupexec but this makes no difference.
Any help would be really appreciated.


















