Wednesday, November 26, 2008

Train Signal Releases New Microsoft Server 2008 Active Directory Training

Train Signal Inc., a global leader in professional computer training, is excited to announce the release of their new training course, Microsoft Windows Server 2008 Active Directory. Following the launch of this course, Train Signal will be releasing additional training courses for Windows Server 2008.

The comprehensive Windows Server 2008 Active Directory training features more than 20 hours of video instruction on two DVDs. Multiple file formats, such as iPod Video, MP3 Audio, .WMV and .AVI, are available to make the training even more convenient. And students can print out the instructor's notes to follow along more easily and enhance the learning process.

The training package also helps students prepare for the 70-640 Configuring Windows Server 2008 Active Directory exam. It covers everything they need to know to pass the exam and includes the award-winning 70-640 practice exam software from Transcender, the world's leading exam simulation provider.

"This training package is perfect for anyone who wants to gain hands-on experience on Microsoft Server Active Directory 2008 and prepare for the 70-640 MCITP exam," said Iman Jalali, Train Signal's Director of Sales and Marketing. "We are pleased to offer this extensive package of training materials to help everyone from beginners to experienced administrators enhance their skills."

Train Signal's Windows Server 2008 Active Directory training package is designed to help students develop real skills that they can apply immediately. Key topics covered in the training include:
  • Creating Domain Controllers
  • User Account Creation
  • Group Policy
  • Back Up and Restore/Disaster Recovery
  • Read-Only Domain Controllers in Server Core
  • Sharing Folders and Files
  • Remote Software Installation through Group Policy
  • MCITP: 70-640 Certification

Train Signal's Windows Server 2008 Active Directory video course is instructed by Benjamin "Coach" Culbertson, MCT, MCSA, MCDBA, CIW, A+, Net+, MOS. Culbertson has a passion for educating and motivating students. He has 10 years of training, Web, print and network consulting experience and uses a high-energy teaching style that keeps students engaged.

Source: marketwatch.com

Thursday, November 20, 2008

How to Schedule Active Directory Snapshots in Windows Server 2008

If you’ve played around with Windows Server 2008 Active Directory Domain Services, you will probably be familiar with the snapshot feature within NTDSUTIL. The feature allows you to take a snapshot of the volumes that host the AD components and to then mount the snapshot. Once mounted, you can use DSAMAIN.EXE to expose a read-only copy of the AD database to your favourite browsing tool (LDP.EXE, ADSIEDIT.MSC, DSA.MSC, ADFIND.EXE, etc.). The process for doing this is well documented elsewhere, so I don’t intend to reproduce it here.

Microsoft recommends that you schedule regular snapshots, as this provides you with a quick method of checking the contents of the directory at different time slices in the past. One advantage of this is that you can quickly identify which backup to use when you need to authoritatively restore accidentally deleted AD objects from backup.

Windows Server 2008 comes with a revamped Task Scheduler. You can configure tasks using both the UI and the command line (schtasks.exe). I prefer to use the command line as it has the advantage of allowing you to set tasks to run under the SYSTEM account. It is also the only option if you are using Server Core, unless you want to open the firewall to allow remote task scheduling from a computer running the full version.

Here’s the command line I use. Note that this is all on one line (wrapped here to fit page width).

SCHTASKS /Create /RU SYSTEM /SC DAILY /TN MYTASKS\DS_SNAPSHOT /TR "%windir%\system32\ntdsutil.exe sn \"ac i ntds\" create q q" /ST 05:00

It is worth pulling the command arguments apart to explain them better:

/Create - pretty obvious. It instructs schtasks to create a new task.

/RU SYSTEM - the task will run under the SYSTEM account. Note that you don’t need to specify a password when using SYSTEM.

/SC DAILY - the task will run daily.

/TN MYTASKS\DS_SNAPSHOT - I’ve called the task name DS_SNAPSHOT and this will be created within the MYTASKS task folder. The folder will be created automatically if it does not already exist.

/TR "%windir%\system32\ntdsutil.exe sn \"ac i ntds\" create q q" - This is the task action. It runs NTDSUTIL with arguments. Note that the double quotation marks within the arguments have to be escaped with the backslash character.

/ST 05:00 - the start time for the task will be 5am.

The command line shown above assumes that you are working on the local machine on which you want to create the task. If defining the task for a remote computer, use the additional command line options shown below.

SCHTASKS /Create /S MYSERVER /U administrator /P xxxxx /RU SYSTEM /SC DAILY /TN MYTASKS\DS_SNAPSHOT /TR "%windir%\system32\ntdsutil.exe sn \"ac i ntds\" create q q" /ST 05:00

Once you’ve run the command you can verify the settings in the Task Scheduler UI.
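
On Server Core there is no Task Scheduler UI, so the check has to happen at the command line. The batch file below is an added example, not part of the original post: it creates the task, confirms its settings, runs it once, and lists the resulting snapshots. It assumes an elevated prompt on the domain controller and an English-locale system (the field names passed to findstr); the 60-second wait is an arbitrary value.

```bat
@echo off
rem Added example, not from the original post.
setlocal
set "TASK=MYTASKS\DS_SNAPSHOT"

rem Create the daily 05:00 snapshot task under SYSTEM.
rem /F overwrites an existing task of the same name, so the script can be re-run.
schtasks /Create /F /RU SYSTEM /SC DAILY /TN "%TASK%" /TR "%windir%\system32\ntdsutil.exe sn \"ac i ntds\" create q q" /ST 05:00
if errorlevel 1 (
    echo Task creation failed. Check that the prompt is elevated.
    exit /b 1
)

rem Verify the definition without the UI: the action, the run-as account
rem and the start time should match what was requested above.
schtasks /Query /TN "%TASK%" /V /FO LIST | findstr /I /C:"TaskName" /C:"Task To Run" /C:"Run As User" /C:"Start Time"

rem Run the task once now instead of waiting for 05:00, then give the
rem volume shadow copy time to complete (60 seconds is an assumed value).
schtasks /Run /TN "%TASK%"
timeout /t 60 /nobreak >nul

rem List every snapshot on this DC. "sn" and "ac i ntds" in the task action
rem are abbreviations of "snapshot" and "activate instance ntds".
ntdsutil snapshot "activate instance ntds" "list all" quit quit

rem Remote variant: add /S and /U but leave /P off. schtasks then prompts
rem for the password, which keeps it out of the command line and any
rem script or history that records it:
rem   schtasks /Create /S MYSERVER /U administrator /RU SYSTEM ...
endlocal
```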

Source: open-a-socket.com/index.php/2008/11/20/how-to-schedule-active-directory-snapshots-in-windows-server-2008/

See also:
Restarting Active Directory as a service in Windows Server 2008

Wednesday, November 12, 2008

Active Directory-based solution for UNIX & Linux

Centrify Corporation, a provider of Microsoft Active Directory-based auditing, access control and identity management solutions for non-Microsoft platforms, has announced Centrify DirectAuthorize, a software solution that enables organizations to increase security and compliance by controlling how users access systems and what they can do on those systems.

DirectAuthorize centrally manages and enforces role-based entitlements for fine-grained control of user access and privileges on UNIX and Linux systems. This can eliminate a user's need to use the root account or other privileged accounts, thereby allowing those accounts to be securely locked down.

DirectAuthorize is the industry's first Active Directory-based solution for UNIX and Linux privilege management and delegation of root access. Leveraging a common architecture, DirectAuthorize is seamlessly integrated with Centrify DirectControl and complements DirectControl's comprehensive Active Directory-based authentication, access control and group policy support for non-Microsoft systems and applications.

"Unlike Windows Active Directory, UNIX lacks a simple and scalable model for administrative delegation," observed Ant Allan and Jay Heiser, Research Vice Presidents in the Gartner publication, Controlling UNIX Superuser privileges is Critical. "Organizations that allow root logins to mission-critical UNIX servers run unnecessary risks."

DirectAuthorize meets compliance-driven requirements for "least access" management by allowing organizations to centrally define logical roles (e.g. backup operator, DBA, web developer, application administrator, etc.) that carry with them the specific rights needed to perform duties within a role. DirectAuthorize's role-based architecture enables the following benefits:

  • Simplify the execution of privileged commands --- users no longer need to switch to root or other privileged accounts
  • Grant users rights to execute commands with elevated privileges, eliminating the need for access to privileged accounts and passwords
  • Assign users a Restricted Environment with access only to a specific "whitelist" of commands
  • Lock down sensitive systems with fine-grained access controls that specify who can access a system and how
  • Model date- and time-based access windows to match user roles

Like Centrify DirectControl, DirectAuthorize is tightly integrated into Active Directory, meaning no additional servers or infrastructure is required to run DirectAuthorize. DirectAuthorize stores its role and rights data securely in Active Directory Authorization Manager's existing rights-based logical model and data storage schema found in Windows 2003 and above.

This means no Active Directory schema extensions are required to install and use DirectAuthorize, and customers can leverage the pre-existing Authorization Manager (AzMan) tools and APIs to access DirectAuthorize's roles and rights data. DirectAuthorize is built on top of the DirectControl architecture, meaning the DirectAuthorize user interface is integrated with the DirectControl Administrator's Console and the DirectAuthorize rights enforcers are integrated into the DirectControl Agent. And unlike other solutions, DirectAuthorize requires no UNIX kernel changes or system reboots.

Via: ciol.com

Thursday, November 6, 2008

Macs to gain smart card-based login to Active Directory

Just like their Windows coworkers, Mac users in the enterprise will have more options to log into Windows Active Directory services using smart card technology. According to access-control management company Centrify, support for smart card-based login will be available next month. A beta version is available now.

On Wednesday, Centrify announced the release of its DirectControl 4.2 for Mac OS X software as well as the card client software, which supports Common Access Cards (CAC) and Personal Identity Verification (PIV) cards as well as other cards that support the Apple TokenD interface. Dubbed Centrify DirectControl for Mac OS X Smart Card edition, the software will cost $90 for a single copy.

DirectControl 4.2 will come with some new security policies, the company said.

Finder Lock is one of more than 200 Mac-specific Group Policies that Centrify has developed to help administer Macs from the same centralized administrative tools from which Windows computers are managed. Other policies added in this release include enforcement of a computer policy to require smart card login, a removal policy to either lock the screen or force a logout when the smart card is removed, and additional security controls.

Improved support for Active Directory policies is one of the Mac headaches for IT managers in the enterprise. Smart card login will improve user experience.

For example, longtime Mac connectivity vendor Group Logic (the maker of Mass Transit) last month released the results of a survey of 350 IT pros about Mac/Windows IT issues. Some 70 percent of the respondents said they currently had Macs in their companies and an additional 6 percent were planning to bring in Macs in the “near term.”

Here was the hot list of Mac integration issues from the survey:
  1. Adapting Active Directory policy to support Macs — 38 percent.
  2. Help desk calls from Mac users — 35 percent.
  3. Compatibility and/or data corruption issues — 27 percent.
  4. Lack of IT/file naming policy enforcement tools — 25 percent.
  5. Maintaining the full “Mac Experience” for their end-users — 24 percent.

Source: zdnet