Can Active Directory benefit from x64?

September 22, 2006 at 12:04 PM

We all know that Microsoft products such as Exchange Server 2007 and SQL Server 2005 x64 can really benefit from the x64 platform. But what about Active Directory? Similar to the limitations of Exchange Server 2003, Active Directory suffers from the 2GB virtual memory limit of 32-bit operating systems. That's not a problem for small AD deployments, but it can be a real issue for large deployments with a LOT of objects. With a large number of objects it gets difficult to cache the Active Directory database, and authentication requests and queries lead to excessive paging and a slowdown in performance.

So if you are planning or working with a large Active Directory deployment, go for the x64 platform. Especially now, when prices for 32-bit and 64-bit platforms are almost the same. [Y]

Let me quickly try to explain the 2GB memory limit in 32-bit operating systems. You have probably all heard about the Windows 4GB memory limit. When talking about performance tuning and server sizing, people are quick to mention the fact that an application on a 32-bit Windows system can only access 4GB of memory.

What does that really mean?

A 32-bit processor uses 32 bits to refer to the location of each byte of memory. 2^32 = 4.2 billion. That means a memory address that's 32 bits long can only refer to 4.2 billion unique locations in memory (that's 4GB of memory). (Source: Wikipedia)

In 32-bit Windows each application has its own »virtual« 4GB memory space. This 4GB memory space is split into two parts, with 2GB dedicated to the kernel and 2GB for application usage. Each application has its own 2GB, but all of them share the same 2GB kernel space. Using the /3GB boot.ini switch is even worse in some cases (Terminal Server, for example). This switch changes the split between application and kernel memory: it gives 3GB of memory to the application environment and »only« 1GB of memory to the kernel. But if you are using the /3GB boot.ini switch for SQL Servers you can gain performance, since SQL Server is a memory-intensive application (and not kernel-intensive).

There is a difference when systems are booted using the /PAE switch. Physical Address Extension (PAE) is an Intel-provided memory address extension that enables support of up to 64GB of physical memory. PAE allows the most recent IA-32 processors to expand the number of bits used to address physical memory from 32 to 36, through support in the host operating system for applications that use the Address Windowing Extensions (AWE) application programming interface (API). AWE enables programs to reserve physical memory as non-paged memory and then to dynamically map portions of that non-paged memory into the program's working set. This lets memory-intensive programs, such as the SQL databases I already mentioned, reserve large amounts of physical memory for data without it being paged in and out of a paging file. Instead the data is swapped in and out of the working set, and the reserved memory can lie beyond the 4GB range. Additionally, the range of memory above 4GB is exposed to the memory manager and the AWE functions by PAE. Without PAE, AWE cannot reserve memory above 4GB.
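As an added example (not from the post), here is a PowerShell check that shows whether a domain controller is close to the 32-bit user-mode ceiling described above. It assumes it runs elevated on the DC itself with PowerShell 3 or later, that the directory service is hosted in lsass.exe, and that the path to ntds.dit is stored in the `DSA Database file` value under the NTDS service key (that value exists on Windows domain controllers).

```powershell
# Added example: compare the AD database and the lsass process against the 32-bit user-mode limit.
# Assumptions: elevated PowerShell on the DC, PowerShell 3+ (.NET 4 for Is64BitOperatingSystem),
# NTDS runs inside lsass.exe, and 'DSA Database file' under NTDS\Parameters points at ntds.dit.
function Get-DcMemoryReport {
    param(
        # 2GB is the user-mode space of a 32-bit process without /3GB; pass 3GB when /3GB is in boot.ini
        [long]$UserModeLimit = 2GB
    )
    $is64Os  = [Environment]::Is64BitOperatingSystem
    $lsass   = Get-Process -Name lsass -ErrorAction Stop
    $ntds    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction Stop
    $ditPath = $ntds.'DSA Database file'
    $ditSize = (Get-Item -LiteralPath $ditPath -ErrorAction Stop).Length

    [pscustomobject]@{
        Is64BitOS          = $is64Os
        DitPath            = $ditPath
        DitSizeMB          = [math]::Round($ditSize / 1MB, 1)
        LsassVirtualMB     = [math]::Round($lsass.VirtualMemorySize64 / 1MB, 1)
        LsassWorkingSetMB  = [math]::Round($lsass.WorkingSet64 / 1MB, 1)
        # On a 32-bit DC the database cache lives inside lsass' user-mode space, so a DIT larger
        # than that space can never be fully cached and lookups fall back to disk (the paging the post describes).
        DitFitsInUserMode  = $is64Os -or ($ditSize -lt $UserModeLimit)
        # How much of the 32-bit ceiling lsass already consumes; not meaningful on x64
        VirtualUsePercent  = if ($is64Os) { $null } else { [math]::Round(100 * $lsass.VirtualMemorySize64 / $UserModeLimit, 1) }
    }
}

Get-DcMemoryReport | Format-List
```

On a 32-bit DC, a VirtualUsePercent in the high eighties or nineties, or DitFitsInUserMode reporting False, is the signal that the post is talking about: the directory cannot be cached and the box is a candidate for x64.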

Posted in: Windows | Active Directory | x64


Access Based Enumeration

September 22, 2006 at 9:56 AM

I'm really busy lately. I have some projects involving Microsoft Exchange Server 2007 Beta 2 (Rapid Deployment Program). But I will talk about that some other time... What I can say for now is that Exchange 2007 really ROCKS (or FYDIBOHF23SPDLT if we take the name from the new Exchange Admin Group [H])!

It's not a new thing, but a lot of people have never seen it on Windows (although they are familiar with it from Unix or Novell).

So what is Access-based Enumeration?

Windows Server 2003 Access-based Enumeration makes visible only those files or folders that the user has the rights to access. When Access-based Enumeration is enabled, Windows will not display files or folders that the user does not have the rights to access. This download provides a GUI and a CLI that enables this feature.

You can download it from here: Windows Server 2003 Access-based Enumeration
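As an added example (not the Windows Server 2003 download the post links to), the same per-share setting is exposed on Windows Server 2012 and later through the SmbShare PowerShell module as FolderEnumerationMode. The script below audits which shares still enumerate everything and can switch them to access-based enumeration; it assumes the SmbShare module is present and that it runs with administrative rights.

```powershell
# Added example: audit and enable Access-based Enumeration per share with the SmbShare module.
# Assumptions: Windows Server 2012+ (SmbShare module), run as an administrator.
function Get-AbeShareReport {
    # Administrative shares (ADMIN$, C$, IPC$) are flagged Special; ABE matters for user-visible shares
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        [pscustomobject]@{
            Name                   = $_.Name
            Path                   = $_.Path
            AccessBasedEnumeration = ($_.FolderEnumerationMode -eq 'AccessBased')
        }
    }
}

function Enable-AbeOnAllShares {
    param([switch]$WhatIf)
    Get-AbeShareReport | Where-Object { -not $_.AccessBasedEnumeration } | ForEach-Object {
        # Only enumeration changes; share and NTFS permissions are untouched, so this hides
        # exactly the folders the user could not open anyway (what the post describes).
        Set-SmbShare -Name $_.Name -FolderEnumerationMode AccessBased -Force -WhatIf:$WhatIf
    }
}

Get-AbeShareReport | Format-Table -AutoSize
Enable-AbeOnAllShares -WhatIf   # drop -WhatIf to apply the change
```

Run the audit first; the report makes it obvious which shares leak folder names to users who have no rights to them, and the -WhatIf run shows what would be changed before anything is touched.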

Posted in: Windows | Exchange


Microsoft Exchange 2007 documentation (beta)

July 3, 2006 at 1:15 PM

Microsoft has released a beta version of the Exchange 2007 documentation.

[This topic is pre-release documentation and is subject to change in future releases. Its current status is: Content Complete. Blank topics are included as placeholders.]

Welcome to Microsoft Exchange Server 2007! Exchange 2007 provides a reliable messaging system with built-in protection against spam and viruses, which provides people throughout your organization with anywhere access to e-mail, voicemail, calendars, and contacts from a wide variety of devices.

The technical documentation for Exchange 2007 consists of the following categories:

• Getting Started
• Planning and Architecture
• Deployment
• Operations
• Security and Protection
• Technical Reference
• Development

Documentation is available here.

Posted in: Exchange


Windows Vista Step-by-Step Guides for IT Professionals

June 28, 2006 at 11:38 AM

These step-by-step guides provide instructions for deploying or migrating to Windows Vista. These guides also describe how to configure security, monitor performance, and manage printers.

These step-by-step guides will assist IT Professionals in deploying or migrating to Windows Vista. These guides will also provide step-by-step information on how to control device installation using Device Management and Installation (DMI) and manage ADMX files. There are also step-by-step guides to help you protect data using BitLocker Drive Encryption, to administer the TPM Security Hardware in a computer using Trusted Platform Module (TPM) Services, and to help deploy better-managed desktops and mitigate the impact of malware using User Account Control (UAC).

Download: Windows Vista Step-by-Step Guides for IT Professionals v2.9

Posted in: Windows | Vista


Test post from Office 2007 Beta 2

May 30, 2006 at 6:18 AM

My first post from Microsoft Office 2007 Word Beta 2. I like it... :)

Posted in:


Backup EFS certificate

May 29, 2006 at 9:01 PM

How do you back up EFS certificates?

I personally use this method from the command line:

cipher.exe /x

Simple, eh? :)

And a warning: store this backup certificate in a safe place (a physical safe, too)!!!


Posted in: Certificates | EFS


Configure 3DES Encryption for EFS

May 29, 2006 at 8:45 PM

EFS (Encrypting File System) is a built-in feature of Windows 2000, XP and 2003 that allows users to securely encrypt files and folders. You can change the encryption algorithm if needed.

By default EFS uses the DESX algorithm for encryption in Windows 2000 and Windows XP. In Windows XP SP1 and Windows Server 2003 the default encryption algorithm is the Advanced Encryption Standard (AES) with a 256-bit key. For users requiring greater symmetric key strength with a FIPS 140-1 compliant algorithm, the 3DES algorithm can be enabled in Windows XP and Windows Server 2003. This can be done via GPO or the registry.

When enabling 3DES using Group Policy, both IPSec and EFS will use the 3DES algorithm. If you change it in the registry, the change applies only to EFS. Find the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS

Create a new REG_DWORD named AlgorithmID and set its HEX value to 0x6603. After a reboot the computer will use 3DES instead of DESX or AES. The recommended and most secure algorithm in this case is AES. Stay away from 3DES or DESX. [:P]
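As an added example (not part of the post), the following PowerShell reads the AlgorithmID value described above, translates it into an algorithm name, and can set it. The identifiers are the CryptoAPI ALG_ID constants: 0x6603 is CALG_3DES, 0x6604 is CALG_DESX and 0x6610 is CALG_AES_256. It assumes it runs elevated, and a reboot is still required for a changed value to take effect.

```powershell
# Added example: audit and set the EFS algorithm override in the registry key from the post.
# Assumptions: elevated PowerShell; the CryptoAPI ALG_ID values 0x6603 (3DES), 0x6604 (DESX),
# 0x6610 (AES-256) are the ones EFS accepts here; a reboot is needed after a change.
$EfsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
$AlgorithmNames = @{ 0x6603 = '3DES'; 0x6604 = 'DESX'; 0x6610 = 'AES-256' }

function Get-EfsAlgorithm {
    $value = (Get-ItemProperty -Path $EfsKey -Name AlgorithmID -ErrorAction SilentlyContinue).AlgorithmID
    if ($null -eq $value) {
        # No override present: the OS default applies (DESX on 2000/XP RTM, AES-256 on XP SP1+/2003)
        return [pscustomobject]@{ AlgorithmID = $null; Name = 'OS default' }
    }
    $name = if ($AlgorithmNames.ContainsKey([int]$value)) { $AlgorithmNames[[int]$value] } else { 'unknown' }
    [pscustomobject]@{ AlgorithmID = ('0x{0:X4}' -f [int]$value); Name = $name }
}

function Set-EfsAlgorithm {
    param([ValidateSet('3DES', 'DESX', 'AES-256')][string]$Name = 'AES-256')
    $id = ($AlgorithmNames.GetEnumerator() | Where-Object Value -eq $Name).Key
    # REG_DWORD as the post says; -Force overwrites an existing AlgorithmID value
    New-ItemProperty -Path $EfsKey -Name AlgorithmID -PropertyType DWord -Value $id -Force | Out-Null
    Write-Warning ("EFS will use {0} (0x{1:X4}) after the next reboot." -f $Name, $id)
}

Get-EfsAlgorithm
# Set-EfsAlgorithm -Name 'AES-256'   # the author's recommendation; use 3DES only where FIPS 140-1 forces it
```

Running Get-EfsAlgorithm on a fleet quickly shows where someone left a 3DES or DESX override behind; note that files already encrypted keep the algorithm they were written with, so the check describes what new files will use, not existing ones.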

Posted in: Certificates | EFS


ASLR (Address Space Layout Randomization) in Windows Vista Beta 2

May 27, 2006 at 8:11 PM

Today I spent some time playing around with Windows Vista Beta 2. There is one interesting thing that I found out: it has ASLR (Address Space Layout Randomization) and it is turned on by default. It is a great defense against buffer overrun exploits. This defense is of course not a substitute for secure code, but it is indeed useful in a multi-layered defense. So remote exploitation of overflows has just got a lot harder.

So what is ASLR?

Address space layout randomization (ASLR) is a computer security feature which involves arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, randomly in a process' address space. This hinders some types of security attack by preventing an attacker being able to easily predict target addresses, for example attackers trying to execute return-to-libc attacks may find it harder to locate the code to be executed. Several security systems implement ASLR, notably OpenBSD and the PaX and Exec Shield patches for Linux.

ASLR relies on the low chance of an attacker guessing where randomly placed areas are located: the odds are 1 / 2^b, where b is the number of bits of entropy used to determine the position of the data area. In many systems, 2^b can be in the thousands or millions; on modern 64-bit systems, these numbers typically reach the millions at least. Some systems implement Library Load Order Randomization, a form of ASLR where the order in which libraries are loaded is randomised. This leaves libraries at unpredictable positions: the chance of an attacker correctly guessing the location of a library is 1 / n, where n is the number of libraries loaded.
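One practical caveat the post does not mention: Vista's ASLR only relocates images that were linked with /DYNAMICBASE, i.e. that carry the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag in their PE header, so a binary without the flag still loads at its preferred address. As an added example (not from the post), the PowerShell below parses that header field directly and reports it for every module loaded in the current process; it assumes nothing beyond readable PE files and PowerShell 3 or later.

```powershell
# Added example: report ASLR opt-in (DYNAMIC_BASE) and related PE header flags for loaded modules.
# Assumptions: PowerShell 3+; flag values are the documented IMAGE_DLLCHARACTERISTICS_* constants.
function Get-ImageAslrInfo {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Path)
    process {
        $b = [System.IO.File]::ReadAllBytes($Path)
        if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) {
            Write-Warning "Not an MZ image: $Path"; return
        }
        $pe = [BitConverter]::ToInt32($b, 0x3C)                   # e_lfanew -> offset of 'PE\0\0'
        if ([BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) {
            Write-Warning "PE signature missing: $Path"; return
        }
        $opt      = $pe + 4 + 20                                   # skip PE signature and COFF file header
        $magic    = [BitConverter]::ToUInt16($b, $opt)             # 0x10B = PE32, 0x20B = PE32+
        $dllChars = [BitConverter]::ToUInt16($b, $opt + 0x46)      # DllCharacteristics, same offset in both formats
        [pscustomobject]@{
            Path          = $Path
            Format        = if ($magic -eq 0x20B) { 'PE32+' } else { 'PE32' }
            DynamicBase   = [bool]($dllChars -band 0x0040)         # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: ASLR opt-in
            HighEntropyVA = [bool]($dllChars -band 0x0020)         # 64-bit high-entropy ASLR (Windows 8 and later)
            NxCompat      = [bool]($dllChars -band 0x0100)         # DEP opt-in, ASLR's usual companion
        }
    }
}

# Every module mapped into this PowerShell process; rows with DynamicBase = False are the
# fixed-address images that weaken the randomization for the whole process.
(Get-Process -Id $PID).Modules.FileName | Get-ImageAslrInfo |
    Sort-Object DynamicBase | Format-Table Path, Format, DynamicBase, HighEntropyVA, NxCompat -AutoSize
```

Pointing the function at a third-party application's DLLs is the useful defender check: one non-randomized module in a process gives an attacker a predictable address, regardless of what the OS does for everything else.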


Posted in: Windows | Vista | Security


After two years (almost...) ;-)

May 18, 2006 at 1:27 PM

I changed the engine and look of my blog... Hope you like it.



Posted in:


Exchange 12 is a site-aware application

April 14, 2006 at 10:09 AM

Exchange 12 uses Active Directory sites as the basis for choosing which servers to communicate with directly. What does that mean? When running a native Exchange 12 organization, no additional routing configuration is required. It automatically routes with minimal hops (the shortest path between source and destination). Each Active Directory site is considered a hop.

If no Bridgehead servers within a site are available due to temporary network outages, mail will be queued at the point of failure. To avoid this kind of failure, deploy multiple Exchange 12 Bridgehead servers within the site. In this configuration mail flow between the Bridgehead and Mailbox servers is automatically load balanced by default. If one Bridgehead server is unavailable (due to failure or maintenance), failover to the other Bridgehead servers is automatic by default.

Posted in: Exchange