Another year, another TechED.

So what is left to say about Los Angeles? I have already written my conference evaluation and I won’t bother repeating most of what I wrote – no one cares and only Microsoft can act on any of my comments. I do agree with the #tela09 twitter feed that this was not the best TechED I have ever been to. LA was expensive for both Microsoft and my company (I just got my hotel bill) and it is my assumption that the cost explains a lot of what was missing this year. At times it felt as if the conference logistics actually impacted the quality of the sessions. Ugh. On the speaker end of things, this was an off year as well. Minasi, Axford, and Russinovich did their best but some of the other speakers left something to be desired, if not for their content then certainly for their delivery. PowerPoint beat me down this year.

What am I taking away? Here is my short list:

  • Time to learn PowerShell. It seems that a lot of the management features are being driven to the CLI. Ugh. I knew it was coming but this year confirms it.
  • Exchange 2010 will be a worthy upgrade. I am excited about the continued improvements with OWA and I look forward to some new features.
  • Windows Server 2008 R2 is going to require some work. The x64 only business is a real shame and I will get to spend some time with my folks trying to determine what we can do with all of our x86 boxes.
  • Windows 7 will be great. Microsoft really nailed this OS (even though it really is Vista R2). Technologies like DirectAccess make this a compelling upgrade.
  • IPv6 is on Microsoft’s radar. Seeing that DirectAccess uses this as its primary connection method really confirmed to me that we need to start on a development plan for IPv6 even if it is only on our external network.
  • Security awareness is where I need to spend some time this year.
  • Windows Server 2008 R2 Remote Desktop Services deserves another look before we re-up with Citrix. So many of the features that were Citrix-only just a year ago can now be found in the Microsoft product.
  • Hyper-V is maturing and is now worth considering side-by-side with VMware. The feature set is developing and the price, $0, remains good.

I look forward to New Orleans next year and I hope Microsoft deals seriously with the feedback that they received this year.

SIA 326 is one of the TechED sessions you sit through and then, once it is done, you think to yourself, “this should have been a 20 minute presentation.” How did it stretch to fill the allotted 1 hour and 15 minutes? Questions. Lots and lots of audience questions. Here is a simple rule for attendees: unless your question applies to all people in all circumstances, save it for the TLC. Honestly, we wasted about 25 minutes chasing rabbits.

Regardless, here are the takeaways from the session:

  • AD now supports a ton of PowerShell commands.
  • AD now has a recycle bin (awesome). This is not enabled by default so don’t assume that, once you have upgraded, it will be working.
  • AD now supports managed service accounts (it will change the passwords for you much like it maintains computer accounts now).
  • AD now has the PowerShell Administrative Center (which replaces the MMC-based stuff).
  • AD now has a well-developed best practice analyzer.
  • AD now supports offline domain joins.
  • AD provides authentication assurance.
  • AD now allows for DSRM password synchronization with an account.

Most, if not all, of these features are going to require a Windows Server 2008 R2 functional level to enable.
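
Since the recycle bin is off by default and depends on the functional level, here is a read-only check of both. This is an added example, not something shown in the session; the function name `Get-RecycleBinStatus` is hypothetical, and it assumes the ActiveDirectory module on a domain-joined machine.

```powershell
# Added example: read-only audit, changes nothing in the directory.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

function Get-RecycleBinStatus {   # hypothetical helper name
    $forest  = Get-ADForest
    $feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
    if (-not $feature) {
        throw "Recycle Bin optional feature not found in this forest."
    }

    # An empty EnabledScopes list means the feature was never turned on.
    $enabled = $feature.EnabledScopes.Count -gt 0
    # The feature object carries the minimum forest mode it needs.
    $levelOk = $forest.ForestMode -ge $feature.RequiredForestMode

    New-Object PSObject -Property @{
        Forest             = $forest.Name
        ForestMode         = $forest.ForestMode
        RequiredForestMode = $feature.RequiredForestMode
        LevelSufficient    = $levelOk
        RecycleBinEnabled  = $enabled
    }
}

$status = Get-RecycleBinStatus
$status | Format-List

if (-not $status.LevelSufficient) {
    Write-Warning "Forest functional level is below what the Recycle Bin requires."
} elseif (-not $status.RecycleBinEnabled) {
    Write-Warning "Functional level is sufficient, but the Recycle Bin is not enabled."
}
```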


Scott Roberts is my hero of TechED 2009. He is unassuming, mild mannered, and has to fight his laptop’s video resolution but underneath his lead program manager geekiness he wields secret powers. His foremost power is the ability to destroy traditional network perimeters and his secondary power is to obliterate the need for VPNs and SSL VPNs.

He is a new breed of hero: he is DirectAccess Man.

I am (almost) not exaggerating here. Scott’s WSV320 session entitled “Reinventing Remote Access with Direct Access” was nothing short of amazing to me. All week I have been wandering the LACC thinking about the most exciting technology of the conference. Exchange 2010, TMG, and Windows 7 are all sexy, but DirectAccess blew me away.

DirectAccess seeks to put the corporate network wherever the users are located. Using IPv6, IPsec, and a Windows Server 2008 R2 box (serving as a Direct Access Server), users can seamlessly connect to internal resources from Internet connections. In the past, seamless has meant something on the order of less than 5 clicks, but this time MS really means it. No clicks, no user config, nothing. Brilliant.

I could labor on about the technology but Microsoft has done a good job of laying out what is needed on its DirectAccess site and in a “DirectAccess Early Adopter’s Guide,” both of which I recommend reading. Instead of rehashing what you can read elsewhere I wanted to give you Scott’s list of DirectAccess prerequisites:

  • Windows 7 Clients running either Enterprise or Ultimate
  • Domain-joined Clients
  • A Domain Controller running Windows 2008 Server SP2 or R2
  • A DNS Server running Windows 2008 Server SP2 or R2
  • A Direct Access Server running Windows 2008 Server R2

A note about IPv6: Scott indicated that IPv6 would be required in some sense for DirectAccess. The client has a check-down list for connectivity starting with IPv6 and continuing with 6to4, Teredo, and IP-HTTPS, so in some sense the client must at least have IPv6 installed (sorry Vista and XP clients). From the Direct Access Server to the internal servers, Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) or a NAT-PT/DNS-ALG device can be used, depending on the resources that need to be accessed. If everything is running Windows Server 2008 R2, then ISATAP is a cheaper implementation.

If a broad deployment is desired, Scott recommended that we evaluate the Forefront UAG (unified access gateway). The UAG would extend several benefits to down-level clients (Vista and XP) through the use of an SSL-VPN and would facilitate the publishing of IPv4 internal resources. (Keep an eye on the Forefront blog for details of the upcoming release of UAG.)

The reason that DirectAccess is the best takeaway from TechED 2009 is that it ties in Windows 7, Windows Server 2008 R2, and the UAG. These technologies, when combined, actually transform the mobile workforce, increasing security and decreasing complexity for all users. Fantastic!


Here is the takeaway from Laura Chappell’s WCL318 session today:

No Budget Tools

Low Budget Tools

Websites
