Monday, December 28, 2009

Revealing Windows Server 2003 Resource Tools Kit


A Resource Kit is not part of any single product; it is a set of software tools and documentation that accompanies one. It provides technical reference material, feature and troubleshooting information, management guidance and more.

Windows Server 2003 Resource Kit Tools can be used on many editions of Windows, including Windows XP. It is a set of tools that helps administrators streamline management tasks such as troubleshooting operating system problems, managing Active Directory, and configuring networking and security features. It comprises an improved command-line shell and 188 tools. After installation, the command-line shell integrates smoothly with the Unix utilities that ship with it. Some of the information in the Windows Server 2003 Resource Kit can be described as follows:

Technical Reference - It gives comprehensive information about the technologies in the Microsoft Windows Server 2003 operating system. It is intended to help IT planners and administrators by supplying foundational information about the technology components of the operating system.

Deployment Kit - The Microsoft Windows Server 2003 Deployment Kit gives guidelines and recommended processes for planning and preparing Windows Server 2003 technologies to meet your business requirements and IT goals.

The Migrating from Microsoft Windows NT Server 4.0 to Microsoft Windows Server 2003 template is intended for IT administrators in small and medium-sized firms. It assists them in upgrading the domain controller, DHCP server, print server, remote access server and Web server roles from Windows NT 4.0 to Windows Server 2003.


Friday, December 18, 2009

Revealing Windows Server 2003 Editions

As you may know, Windows Server 2003 is an operating system developed by Microsoft for use on servers. There are several editions of Windows Server 2003, one of which is Web Edition, used primarily for building and hosting Web applications, Web pages and XML Web services. This edition is designed to be used as an IIS 6.0 Web server and provides a platform for quickly developing and deploying XML Web services. Terminal Server mode is not available on Web Edition, and it does not require Client Access Licenses. After Service Pack 1 is installed, Microsoft SQL Server and Microsoft Exchange can be installed on this edition.

Another edition of Windows Server 2003 is the Standard Edition, aimed at small to medium-sized businesses. This edition provides centralized desktop application deployment and secure Internet connectivity. The initial release of Windows Server 2003 ran only on 32-bit processors; a 64-bit edition supporting the x86-64 architecture was released in April 2005.

Enterprise Edition is aimed at medium to large businesses. This edition is available in 64-bit versions for the Itanium and x64 architectures; the 64-bit version can address up to 1 TB of memory.

Datacenter Edition of Windows Server 2003 is intended for infrastructures that require high security and reliability. It runs on x86, Itanium and x86-64 processors. Windows Server Datacenter Edition includes better support for Storage Area Networks, supports 8-node clustering, and has many other features.

Thursday, December 17, 2009

Alteration in Terminal Server's Listening Port

It is well known that TCP port 3389 is used by Terminal Server and Windows 2000 Terminal Services for client connections. Microsoft does not recommend changing this port, but it can be changed. Perform the task carefully, or you may face serious problems.

Take extra care when modifying the registry. To change the default port, follow these steps:

  • Run Regedt32 and go to this key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp.
  • Find the PortNumber entry and note its value, 00000D3D, which is hex for 3389.
  • Change the port number in hex and save the new value.

To change the port for a particular connection on the Terminal Server, follow these steps:

  • Run Regedt32 and go to this key, where connection is the name of the connection: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\connection.
  • Find the PortNumber entry and note its value, 00000D3D, which is hex for 3389.
  • Change the port number in hex and save the new value.

After this, change the port on the client side. Follow these steps:

  • Open Client Connection Manager.
  • On the File menu, click New Connection and create the new connection. After the wizard finishes, you will see the new connection listed.
  • Make sure the new connection is highlighted, then on the File menu click Export.
  • Edit the .cns file in Notepad. Change the server port line from Server Port=3389 to Server Port=new port number, the port you specified on the Terminal Server.
  • Import the file back into Client Connection Manager. You will be asked whether to overwrite the current one.
  • If it has the same name, overwrite it.

In this way, you get a client whose port settings match your Terminal Server settings.
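The registry and client-side edits above, scripted with a backup of the old value, a port-conflict check and a matching firewall rule; this is an added example, not part of the original post. It assumes an elevated PowerShell 5.1 session on Windows 8 / Server 2012 or later (for Get-NetTCPConnection and New-NetFirewallRule) and, optionally, a .cns file exported from Client Connection Manager.

```powershell
# Added example (not from the original post). Moves the RDP-Tcp listener to a
# new port with a backup of the old value, a conflict check and a firewall rule,
# and updates an exported Client Connection Manager .cns file to match.
# Assumes: elevated PowerShell 5.1+ on Windows 8 / Server 2012 or later.
param(
    [Parameter(Mandatory = $true)]
    [ValidateRange(1024, 65535)]
    [int]$NewPort,

    # Optional path to a .cns file exported from Client Connection Manager.
    [string]$CnsPath
)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Set-RdpListenerPort {
    param([int]$Port)

    # The default data is 0x00000D3D, which is 3389 in decimal.
    $current = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
    Write-Host ('Current listener port: {0} (0x{0:X8})' -f $current)

    if ($current -eq $Port) {
        Write-Warning "Listener already uses port $Port; nothing to change."
        return
    }

    # Refuse a port that another local service already listens on.
    $inUse = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
               Where-Object { $_.LocalPort -eq $Port })
    if ($inUse.Count -gt 0) {
        throw "Port $Port is already in use by process $($inUse[0].OwningProcess)."
    }

    # Keep the old value beside the new one so the change can be reverted.
    Set-ItemProperty -Path $key -Name 'PortNumber_Backup' -Value $current -Type DWord
    Set-ItemProperty -Path $key -Name 'PortNumber' -Value $Port -Type DWord

    # The built-in Remote Desktop firewall rules only cover 3389; without a
    # matching rule the listener is unreachable once the service restarts.
    New-NetFirewallRule -DisplayName "Remote Desktop (TCP $Port)" -Direction Inbound `
        -Protocol TCP -LocalPort $Port -Action Allow -Profile Domain, Private | Out-Null

    Write-Host "PortNumber set to $Port. Restart the TermService service or reboot to apply."
}

function Update-CnsServerPort {
    # Rewrites the "Server Port=3389" line of an exported .cns file, which the
    # steps above do by hand in Notepad.
    param([string]$Path, [int]$Port)

    $lines   = Get-Content -Path $Path
    $updated = $lines -replace '^(Server Port=)\d+\s*$', "`${1}$Port"
    if (-not (Compare-Object $lines $updated)) {
        Write-Warning "No 'Server Port=' line found in $Path; nothing changed."
        return
    }
    Set-Content -Path $Path -Value $updated
    Write-Host "Updated $Path to Server Port=$Port; import it back into Client Connection Manager."
}

Set-RdpListenerPort -Port $NewPort
if ($CnsPath) { Update-CnsServerPort -Path $CnsPath -Port $NewPort }
```

Moving the listener off 3389 does not hide it from a port scan, so keep the usual RDP hardening in place regardless of the port.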

Thursday, September 24, 2009

Define Active Directory and its Functionalities?

With the ever-increasing amount of data moving across large networks, the network systems administrator must oversee the proper functioning of these elements and implement the correct security measures. One helpful tool is Active Directory.

Developed in 1996 by Microsoft, Active Directory is the primary means by which Windows operating systems collect information about domains and monitor them. In recent years its role has been expanded to let it facilitate and view online data flows.

The Structure of the Active Directory

Because it was devised to make all the pertinent objects in the network accessible, the directory is organized in an easy-to-understand hierarchy. There are multiple viewing levels: forests, trees and domains/objects.

The forest is where every tree and domain can be viewed; dropping to the tree level, you will see that it contains one or more domains. Domains or objects have no deeper level.

There are three main categories:
  • Resources: hardware devices such as printers and scanners.
  • Servers: primary components of both the network and the domain.
  • Objects: also primary components of both the network and the domain.

Active Directory is especially useful for managing objects. An object can be defined as any element that can contain another object. Every object has its own properties, or schema, which can be accessed and modified.

How the Active Directory Works

What makes Active Directory so important for a systems administrator is that it turns updating and upgrading into a virtual one-step process. For example, suppose you need to install a new security application. If there are several computers in the network, the procedure would be tedious, but Active Directory, via its forest structure, makes this easy: you update one object and the change applies to all.

The structure is also flexible enough to allow changes to specific objects. Because each has its own schema, the administrator can assign a particular task to a user and allow certain software without giving access to everyone.

Sunday, August 16, 2009

Active Directory Installation

Installing Active Directory is not a difficult task; it is quite easy and does not take much time. You can install it without much trouble by following these steps:

  1. Log in to the machine, either locally via the console or through RDP.

  2. Go to Start -> Run and type in "dcpromo".

  3. In most cases you will select "Domain Controller for a new domain".

  4. In most cases you will select "Domain in a new forest".

  5. Enter the FQDN (fully qualified domain name) you want to use. For example, if your domain is to be called Domain.Com, enter Domain.Com. You can also use non-existent namespaces such as Domain.Local or Domain.abc.

  6. Next it lets you set the NetBIOS name. This is almost always the same name you entered above, without the .com (.local, .abc, etc.).

  7. The next two screens ask where to place the database files and service folders. You can accept the defaults.

  8. Some users will now be presented with a DNS screen asking you to configure DNS now or later. Select the middle option (Install and configure for me). This will most likely NOT set up DNS properly.

  9. Select the permission type you would like. There are two options. If you will only be using Windows Server 2003 and Windows XP or newer, select the second option; otherwise, you need the first option.

  10. Pick a "Directory Services Restore" password. Hopefully you will never have to use it, as restore mode is quite messy for the inexperienced. In either case, remember this password.

  11. At this point you are presented with a basic "Summary" page listing the options you selected. Make sure these are set properly before continuing. Once you click "Next", Active Directory begins to install; you cannot stop it, and you would have to uninstall first in order to go back and fix any problems or misconfiguration later.

  12. The Active Directory installation takes a while: a couple of minutes, or as much as half an hour. Once it is done you will have to reboot.


Thursday, July 2, 2009

How to add new objects to Active Directory from command line

H:\>dsadd /?
Description: This tool's commands add specific types of objects to the
directory. The dsadd commands:

dsadd computer - adds a computer to the directory.
dsadd contact - adds a contact to the directory.
dsadd group - adds a group to the directory.
dsadd ou - adds an organizational unit to the directory.
dsadd user - adds a user to the directory.
dsadd quota - adds a quota specification to a directory partition.

For help on a specific command, type "dsadd <ObjectType> /?" where <ObjectType>
is one of the supported object types shown above.
For example, dsadd ou /?.
Remarks:
Commas that are not used as separators in distinguished names must be
escaped with the backslash ("\") character
(for example, "CN=Company\, Inc.,CN=Users,DC=microsoft,DC=com").
Backslashes used in distinguished names must be escaped with a backslash
(for example,
"CN=Sales\\ Latin America,OU=Distribution Lists,DC=microsoft,DC=com").
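An added example (not from the original post or from the dsadd tool) that builds dsadd commands with distinguished names escaped according to the remarks above, extended to the full set of characters RFC 4514 requires escaping. It assumes dsadd.exe on the path of a domain-joined host; DC=example,DC=com and the object names are constructed sample values.

```powershell
# Added example (not from the original post or the dsadd tool). Builds dsadd
# commands whose distinguished names follow the escaping rules in the help text
# above, extended to every character RFC 4514 requires escaping.
# Assumes: dsadd.exe available on a domain-joined host; the domain and object
# names below are constructed sample values.

function ConvertTo-EscapedRdnValue {
    param([Parameter(Mandatory = $true)][string]$Value)

    # Backslash first, so the escapes added afterwards are not doubled.
    $escaped = $Value -replace '\\', '\\'
    # Characters that must be escaped anywhere in a value: , + " ; < >
    $escaped = $escaped -replace '([,+";<>])', '\$1'
    # A leading space or '#' and a trailing space must also be escaped.
    if ($Value.StartsWith(' ') -or $Value.StartsWith('#')) { $escaped = '\' + $escaped }
    if ($Value.EndsWith(' ') -and $Value.Length -gt 1) {
        $escaped = $escaped.Substring(0, $escaped.Length - 1) + '\ '
    }
    return $escaped
}

function New-ChildDn {
    # Prepends one escaped RDN (CN=... or OU=...) to a parent DN.
    param(
        [Parameter(Mandatory = $true)][ValidateSet('CN', 'OU')][string]$Type,
        [Parameter(Mandatory = $true)][string]$Value,
        [Parameter(Mandatory = $true)][string]$ParentDn
    )
    return ('{0}={1},{2}' -f $Type, (ConvertTo-EscapedRdnValue $Value), $ParentDn)
}

function Get-DsaddCommands {
    param([string]$DomainDn = 'DC=example,DC=com')   # constructed sample domain

    # The two values below are the ones the help text uses as examples:
    # a backslash inside a name and a comma inside a name.
    $ouDn    = New-ChildDn -Type OU -Value 'Distribution Lists' -ParentDn $DomainDn
    $groupDn = New-ChildDn -Type CN -Value 'Sales\ Latin America' -ParentDn $ouDn
    $userDn  = New-ChildDn -Type CN -Value 'Company, Inc.' -ParentDn "CN=Users,$DomainDn"

    # The user is created disabled so no usable logon exists until a password
    # has been set in a separate, audited step.
    @(
        "dsadd ou `"$ouDn`""
        "dsadd group `"$groupDn`" -secgrp no -scope g"
        "dsadd user `"$userDn`" -samid companyinc -disabled yes"
    )
}

# Prints, for example:
#   dsadd group "CN=Sales\\ Latin America,OU=Distribution Lists,DC=example,DC=com" -secgrp no -scope g
#   dsadd user "CN=Company\, Inc.,CN=Users,DC=example,DC=com" -samid companyinc -disabled yes
$commands = Get-DsaddCommands
$commands | ForEach-Object { Write-Host $_ }
# To execute instead of printing: $commands | ForEach-Object { cmd.exe /c $_ }
```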

Source: infotechguyz

Wednesday, June 24, 2009

How To Create an Active Directory Server in Windows Server 2003

After you have installed Windows Server 2003 on a stand-alone server, run the Active Directory Wizard to create the new Active Directory forest or domain, and then convert the Windows Server 2003 computer into the first domain controller in the forest. To convert a Windows Server 2003 computer into the first domain controller in the forest, follow these steps:

1. Insert the Windows Server 2003 CD-ROM into your computer's CD-ROM or DVD-ROM drive.
2. Click Start, click Run, and then type dcpromo.
3. Click OK to start the Active Directory Installation Wizard, and then click Next.
4. Click Domain controller for a new domain, and then click Next.
5. Click Domain in a new forest, and then click Next.
6. Specify the full DNS name for the new domain. Note that because this procedure is for a laboratory environment and you are not integrating this environment into your existing DNS infrastructure, you can use something generic, such as mycompany.local, for this setting. Click Next.
7. Accept the default domain NetBIOS name (this is "mycompany" if you used the suggestion in step 6). Click Next.
8. Set the database and log file location to the default setting of the c:\winnt\ntds folder, and then click Next.
9. Set the Sysvol folder location to the default setting of the c:\winnt\sysvol folder, and then click Next.
10. Click Install and configure the DNS server on this computer, and then click Next.
11. Click Permissions compatible only with Windows 2000 or Windows Server 2003 servers or operating systems, and then click Next.
12. Because this is a laboratory environment, leave the password for the Directory Services Restore Mode Administrator blank. Note that in a full production environment, this password is set by using a secure password format. Click Next.
13. Review and confirm the options that you selected, and then click Next.
14. The installation of Active Directory proceeds. Note that this operation may take several minutes.
15. When you are prompted, restart the computer. After the computer restarts, confirm that the Domain Name System (DNS) service location records for the new domain controller have been created. To confirm that the DNS service location records have been created, follow these steps:

1. Click Start, point to Administrative Tools, and then click DNS to start the DNS Administrator Console.
2. Expand the server name, expand Forward Lookup Zones, and then expand the domain.
3. Verify that the _msdcs, _sites, _tcp, and _udp folders are present. These folders and the service location records they contain are critical to Active Directory and Windows Server 2003 operations.
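One scripted equivalent of both dcpromo walk-throughs on this page (the August 16 steps and the ones above), added here and not taken from the original posts: it writes a dcpromo answer file, runs dcpromo with it, and after the reboot queries one service record from each of the _msdcs, _sites, _tcp and _udp folders. It assumes Windows Server 2003 with Windows PowerShell 2.0 installed, run as a local Administrator, and uses the lab values from the steps (mycompany.local, the C:\WINNT paths).

```powershell
# Added example (not from the original posts). Unattended equivalent of the two
# dcpromo walk-throughs above, plus the post-reboot service-record check.
# Assumes: Windows Server 2003 with Windows PowerShell 2.0, run as a local
# Administrator; mycompany.local and C:\WINNT are the lab values from the steps.
param([switch]$Verify)   # -Verify: only run the DNS service-record check

$domainDns  = 'mycompany.local'
$domainNb   = 'MYCOMPANY'
$answerFile = Join-Path $env:TEMP 'dcpromo-answer.txt'

function New-DcpromoAnswerFile {
    param([string]$Path, [string]$DnsName, [string]$NetbiosName, [string]$DsrmPassword)

    # AllowAnonymousAccess=No corresponds to "Permissions compatible only with
    # Windows 2000 or Windows Server 2003" (step 11); AutoConfigDNS=Yes to step 10.
    $content = @"
[DCInstall]
ReplicaOrNewDomain=Domain
TreeOrChild=Tree
CreateOrJoin=Create
NewDomainDNSName=$DnsName
DomainNetbiosName=$NetbiosName
AutoConfigDNS=Yes
DatabasePath=C:\WINNT\NTDS
LogPath=C:\WINNT\NTDS
SYSVOLPath=C:\WINNT\SYSVOL
AllowAnonymousAccess=No
SafeModeAdminPassword=$DsrmPassword
RebootOnSuccess=No
"@
    Set-Content -Path $Path -Value $content
}

function Test-DcServiceRecords {
    # Queries one SRV record from each of the four folders the last step tells
    # you to verify (_msdcs, _sites, _tcp, _udp) and returns the names that
    # did not answer.
    param([string]$DnsName, [string]$SiteName = 'Default-First-Site-Name')

    $names = @(
        "_ldap._tcp.dc._msdcs.$DnsName",
        "_ldap._tcp.$SiteName._sites.$DnsName",
        "_kerberos._tcp.$DnsName",
        "_kerberos._udp.$DnsName"
    )
    $missing = @()
    foreach ($name in $names) {
        # nslookup prints "svr hostname = <dc>" once per SRV answer.
        $out = nslookup -type=SRV $name 2>&1 | Out-String
        if ($out -notmatch 'svr hostname') { $missing += $name }
    }
    return $missing
}

if ($Verify) {
    $missing = Test-DcServiceRecords -DnsName $domainDns
    if ($missing.Count -eq 0) { Write-Host 'All four service-record folders answered.' }
    else { Write-Warning ('Missing SRV records: ' + ($missing -join ', ')) }
    return
}

# The lab steps leave this blank; outside a lab it must be set, because it is
# the credential used to log on when the directory itself is offline.
$secure = Read-Host -AsSecureString 'Directory Services Restore Mode password'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

New-DcpromoAnswerFile -Path $answerFile -DnsName $domainDns -NetbiosName $domainNb -DsrmPassword $plain
Start-Process -FilePath 'dcpromo.exe' -ArgumentList "/answer:$answerFile" -Wait
# The answer file holds the password in clear text; remove it before rebooting.
Remove-Item -Path $answerFile -Force
Write-Host 'Promotion finished. Reboot, then run this script again with -Verify.'
```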

Source

Wednesday, June 17, 2009

How do I undelete an object from the Active Directory Recycle Bin?

Source: Windowsitpro

Once you've enabled the recycle bin, you can undelete objects that were deleted after the recycle bin was enabled within the deleted object lifetime. You view the objects that are in the deleted and recycled states using the steps outlined in the previous FAQ.

To restore an object in the deleted state (isDeleted TRUE), simply pass the deleted object to the Restore-ADObject cmdlet. The easiest way to pass the object is to use the Get-ADObject cmdlet and pass the -IncludeDeletedObjects switch.

For example, if I know the displayName of an object is Dick Grayson, I would use the command below.

PS C:\Users\savadmin> Get-ADObject -Filter {displayName -eq "Dick Grayson"} -IncludeDeletedObjects | Restore-ADObject

As you can see below, I actually use the Get-ADObject first just to view the object. I can see its Deleted attribute is True. I then pass the object to Restore-ADObject to undelete it. After that I viewed the object, and the Deleted attribute was blank, showing that it has been restored. In this example, the object name was AFRBEnabled (After Recycle Bin Enabled).
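A more careful version of the restore above, added as an example and not from the original article: it matches only objects in the deleted state, refuses to guess when several match, and verifies the result. It assumes the ActiveDirectory module, an enabled Recycle Bin and rights to restore objects; the display name is the article's sample.

```powershell
# Added example (not from the original article). Restores a deleted object by
# displayName only when exactly one deleted object matches, then verifies the
# restore. The one-liner above would also hand a live object of the same name
# to Restore-ADObject. Assumes: ActiveDirectory module, Recycle Bin enabled,
# rights to restore; "Dick Grayson" is the article's sample name.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escapes the characters RFC 4515 reserves so a name containing "*" or "("
    # cannot widen the search.
    param([Parameter(Mandatory = $true)][string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Value.ToCharArray()) {
        switch ([string]$c) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            default { [void]$sb.Append($c) }
        }
    }
    return $sb.ToString()
}

function Restore-DeletedObjectByDisplayName {
    param(
        [Parameter(Mandatory = $true)][string]$DisplayName,
        [switch]$Execute
    )
    $filter = '(&(isDeleted=TRUE)(displayName={0}))' -f (ConvertTo-LdapFilterValue $DisplayName)
    $found = @(Get-ADObject -LDAPFilter $filter -IncludeDeletedObjects `
                -Properties displayName, lastKnownParent, whenChanged)

    if ($found.Count -eq 0) { throw "No deleted object with displayName '$DisplayName'." }
    if ($found.Count -gt 1) {
        $found | Format-Table ObjectGUID, lastKnownParent, whenChanged -AutoSize | Out-String | Write-Host
        throw "$($found.Count) deleted objects match; restore the right one by ObjectGUID."
    }

    $obj = $found[0]
    Write-Host "Candidate: $($obj.ObjectGUID) (was under $($obj.lastKnownParent))"
    if (-not $Execute) { Write-Host 'Dry run only; re-run with -Execute to restore.'; return $obj }

    # Restore-ADObject fails if lastKnownParent was deleted too: restore the
    # parent first, or pass -TargetPath to put the object somewhere that exists.
    Restore-ADObject -Identity $obj.ObjectGUID

    # After a successful restore the object is found without -IncludeDeletedObjects
    # and its Deleted property is no longer True.
    $restored = Get-ADObject -Identity $obj.ObjectGUID -Properties displayName
    if ($restored.Deleted) { throw "Restore of $($obj.ObjectGUID) did not complete." }
    return $restored
}

Restore-DeletedObjectByDisplayName -DisplayName 'Dick Grayson'
```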

Wednesday, June 10, 2009

Active Directory Vulnerabilities In Microsoft Windows

These vulnerabilities need to be taken seriously, because if they are exploited, a DoS attack may take place.

The two vulnerabilities located in Microsoft Windows are:

  1. A memory leak in the Active Directory LDAP service. It could be exploited to hang an affected system via specially crafted LDAP or LDAPS requests containing specific OID filters.
  2. An error in the Active Directory LDAP service. If exploited, it may trigger invalid memory access, allowing attackers to execute arbitrary code via specially crafted LDAP or LDAPS requests.

An attacker with the right skills would be able to take complete control of a compromised system, and could then view, change, create or delete whatever he wishes.

These vulnerabilities were reported in Active Directory on Microsoft Windows 2000 Server and Windows Server 2003, and in Active Directory Application Mode (ADAM) when installed on Windows XP Professional or Windows Server 2003.

The affected operating systems:
  • Microsoft Windows XP Professional
  • Microsoft Windows Storage Server 2003
  • Microsoft Windows Server 2003 Web Edition
  • Microsoft Windows Server 2003 Standard Edition
  • Microsoft Windows Server 2003 Enterprise Edition
  • Microsoft Windows Server 2003 Datacenter Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Advanced Server

The impact of these vulnerabilities may include unauthorized system access as well as DoS attacks. All Windows users will be pleased to know that these vulnerabilities only affect Microsoft Windows 2000 Server systems. The vulnerability has been rated as moderately critical. The solution is for all users to apply the relevant updates immediately, using update management software or the Microsoft Update service.

Source: http://www.pc1news.com/news/0717/active-directory-vulnerabilities-in-microsoft-windows.html#msg

Thursday, June 4, 2009

How to Manage Object Properties In Active Directory

Instructions:
  • Step 1: Open the Active Directory Users And Computers tool.
  • Step 2: Expand the name of the domain and select the RD container. Right-click the John Q. Admin user account (used here as an example) and select Properties.
  • Step 3: Here you will see the various Properties tabs for the user account. Make some configuration changes based on your preferences. Click OK to continue.
  • Step 4: Select the HR Organizational Unit, for example. Right-click the All Users group and click Properties. In the All Users Properties dialog box you can modify the membership of the group. Click the Members tab and then click Add. As an example, add the Monica D. President and John Q. Admin user accounts to the group. Click OK to save the settings and then OK to accept the group modifications.
  • Step 5: Select the Sales Organizational Unit. Right-click the Workstation1 computer object. Notice that you can choose to disable the account or reset it (to allow another computer to join the domain under the same name). From the right-click menu, choose Properties to see the properties for the computer object. Examine the various options and make changes based on your preferences. After you have examined the available options, click OK.
  • Step 6: Select the Corporate Organizational Unit. Right-click the Monica D. President user account and choose Reset Password. You will be prompted to enter a new password and then asked to confirm it. Note that you can also force the user to change this password at the next logon.
  • Step 7: Close the Active Directory Users And Computers tool; the lesson is complete.
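The seven steps above done with the ActiveDirectory module instead of the GUI, each followed by a check of the result; this is an added example, not the original post's. It assumes RSAT, the OU, group, user and computer names from the steps, a constructed DC=example,DC=com domain and constructed logon names jqadmin and mpresident.

```powershell
# Added example (not from the original post). The GUI steps above done with
# the ActiveDirectory module, each followed by a check of the result.
# Assumes: RSAT / ActiveDirectory module; OU, group, user and computer names
# are the sample names from the steps; DC=example,DC=com and the logon names
# jqadmin and mpresident are constructed.
Import-Module ActiveDirectory

$domainDn = 'DC=example,DC=com'

# Steps 2-3: read, change and re-read a property of the admin account in the RD container.
$john = Get-ADUser -Identity 'jqadmin' -Properties Description
Set-ADUser -Identity $john -Description 'Sample admin account (RD)'
(Get-ADUser -Identity $john -Properties Description).Description

# Step 4: add the two accounts to the All Users group in the HR OU and confirm membership.
$groupDn = "CN=All Users,OU=HR,$domainDn"
Add-ADGroupMember -Identity $groupDn -Members 'mpresident', 'jqadmin'
$members = Get-ADGroupMember -Identity $groupDn | Select-Object -ExpandProperty SamAccountName
foreach ($name in 'mpresident', 'jqadmin') {
    if ($members -notcontains $name) { Write-Warning "$name was not added to All Users." }
}

# Step 5: inspect the Workstation1 computer object in the Sales OU, then disable it
# (the "Disable Account" choice on the context menu).
$ws = Get-ADComputer -Identity 'Workstation1' -Properties OperatingSystem, LastLogonDate
$ws | Select-Object Name, Enabled, OperatingSystem, LastLogonDate
Disable-ADAccount -Identity $ws
if ((Get-ADComputer -Identity $ws).Enabled) { Write-Warning 'Workstation1 is still enabled.' }

# Step 6: reset the Corporate OU user's password and require a change at next logon.
$newPassword = Read-Host -AsSecureString 'New password for mpresident'
Set-ADAccountPassword -Identity 'mpresident' -Reset -NewPassword $newPassword
Set-ADUser -Identity 'mpresident' -ChangePasswordAtLogon $true
# pwdLastSet is 0 (PasswordLastSet empty) while the change-at-logon flag is set.
Get-ADUser -Identity 'mpresident' -Properties PasswordLastSet, pwdLastSet |
    Select-Object SamAccountName, PasswordLastSet, pwdLastSet
```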
Source: Ehow

Friday, May 29, 2009

Techplus takes on Active directory tools from Specops

Techplus has taken on management products from Toronto-based vendor Specops in a bid to expand its software portfolio.

The distributor will have access to the full software range and has just announced the availability of Specops Virtual Deploy, a Group Policy extension tool that allows administrators to manage Microsoft App-V virtual applications.

Specops provides a range of products that let organisations manage and interact with all Microsoft-based server environments through Active Directory or the Group Policy platform. Techplus managing director Paul Kern said it was Specops' first local channel partner.

“They have sold products in Australia to some of the larger government departments and multinationals for many years,” he said. “Customers could go online and buy it. But they’ve never been through the channel, or proactively sold products here before.”

Kern said the products were suitable for any organisation – small or large – running Microsoft servers, and claimed they were straightforward to use.

“The core differentiation against other vendors who provide these kinds of products is that users can manage everything through Active Directory – it’s just not an application on top, but a fully integrated solution,” he said.

Specops' software tools are available for a one-off licence fee. Users can then choose to subscribe to an annual maintenance and support package.

Source: arnnet.com.au

Monday, May 25, 2009

How can I delegate the right to unlock locked Active Directory (AD) user accounts?

To delegate the right to unlock locked user accounts to a user or group in AD, you must modify the permissions to read and write the lockoutTime Active Directory user object attribute.

To let administrators change these two permissions in AD, first make sure that the read and write permissions are visible in the advanced ACL editor that you reach from the Active Directory Users and Computers (ADUC) MMC snap-in. In Windows 2000, both permissions are hidden from ADUC by default. In Windows Server 2003 and Windows Server 2008, they show up in ADUC's advanced ACL editor.

The attribute permissions that are displayed in ADUC’s ACL editor can be controlled using the dssec.dat configuration file, which is stored in the %windir%\System32 directory. In dssec.dat, each object attribute can be assigned one of the following values:

* 7 : do not include the property in the ACL editor
* 2 : include only the “Read” property in the ACL editor
* 1 : include only the “Write” property in the ACL editor
* 0 : include both the “Read” and “Write” property in the ACL editor

If an attribute isn't listed in the dssec.dat file, it will show up in the ACL editor. In Windows Server 2003 and Windows 2008, lockoutTime is by default not included in the dssec.dat file, so it shows up in the ACL editor.

Dssec.dat uses an ini file format to list the properties of each object class that should be filtered out of the list in the Properties section of the ACL editor. The file is structured as follows:

[objectclass-name1]
@=value
attribute-name1=value
attribute-name2=value
.
.
attribute-nameX=value

[objectclass-name2]
@=value
attribute-name1=value
attribute-name2=value
.
.
attribute-nameX=value

where objectclass-nameX refers to the AD schema object class for which the visibility in the ACL editor should be controlled and attribute-nameX to the attribute. The "@" placeholder controls the visibility of the object itself.

To modify the filter for the lockoutTime attribute in Windows 2000, open dssec.dat in Notepad. You can find the lockoutTime attribute under the [user] heading. Change the value for the lockoutTime attribute from 7 to 0, then save the changes to the dssec.dat file.

Note that you only need to edit the dssec.dat file on the Windows 2000 computer where you set up the actual delegation. Also, keep in mind that the dssec.dat file is read only when an administrator opens ADUC. This means that changes you make to dssec.dat won’t take effect until you close and reopen ADUC.

To delegate the right to unlock user accounts on the OU or domain level in ADUC, you can modify the permissions for the lockoutTime attribute directly in the ACL editor or use the AD delegation wizard. In the latter case, you must perform the following steps.

1. Right-click the OU or domain in ADUC and select Delegate Control... from the context menu.
2. Click Next in the Welcome dialog.
3. Click Add... to select the user or group to which you want to delegate control and click OK.
4. Click Next.
5. Select Create a custom task to delegate and click Next.
6. Select Only the following objects in the folder then, in the list, check User objects and click Next.
7. Clear the General checkbox and check the Property-specific box.
8. Check both the Read lockoutTime and Write lockoutTime boxes and click Next.
9. Click Finish.
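An added example (not from the original article) with two parts: a parser that reads dssec.dat and reports an attribute's visibility using the 7/2/1/0 values above, and a function that grants Read and Write lockoutTime on an OU, inherited by user objects, which is the ACE the delegation wizard creates. It assumes the ActiveDirectory module on the admin workstation; the OU DN and group name are constructed sample values.

```powershell
# Added example (not from the original article). Part 1 parses dssec.dat and
# reports whether an attribute will be visible in ADUC's ACL editor, using the
# 7/2/1/0 values listed above. Part 2 grants Read and Write lockoutTime on an
# OU, inherited by user objects, as the delegation wizard steps do.
# Assumes: ActiveDirectory module (RSAT); the OU DN and group name at the
# bottom are constructed sample values.
Import-Module ActiveDirectory

function Get-DssecAttributeVisibility {
    param(
        [string]$ObjectClass = 'user',
        [string]$Attribute   = 'lockoutTime',
        [string]$Path        = (Join-Path $env:windir 'System32\dssec.dat')
    )
    $section = $null
    $value   = $null
    foreach ($rawLine in Get-Content -Path $Path) {
        $line = $rawLine.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq $ObjectClass -and $line -match "^$Attribute\s*=\s*(\d+)\s*$") {
            $value = [int]$Matches[1]
            break
        }
    }
    # An attribute that is not listed at all is shown with both Read and Write.
    if ($null -eq $value) { return "$Attribute not listed under [$ObjectClass]: Read and Write shown" }
    switch ($value) {
        7       { "$Attribute=7: hidden from the ACL editor" }
        2       { "$Attribute=2: only Read shown" }
        1       { "$Attribute=1: only Write shown" }
        0       { "$Attribute=0: Read and Write shown" }
        default { "$Attribute=$value: unexpected value" }
    }
}

function Get-SchemaGuid {
    # Looks up schemaIDGUID for an attribute or class by its LDAP display name,
    # so no GUID has to be hardcoded.
    param([Parameter(Mandatory = $true)][string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return New-Object System.Guid -ArgumentList @(,[byte[]]$obj.schemaIDGUID)
}

function Grant-UnlockDelegation {
    param(
        [Parameter(Mandatory = $true)][string]$OuDn,
        [Parameter(Mandatory = $true)][string]$GroupName
    )
    $attrGuid = Get-SchemaGuid -LdapDisplayName 'lockoutTime'
    $userGuid = Get-SchemaGuid -LdapDisplayName 'user'
    $groupSid = (Get-ADGroup -Identity $GroupName).SID
    $rights   = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'

    # Property-specific ACE: only this attribute, only on descendant user objects.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid, $rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $userGuid)

    $aclPath = "AD:\$OuDn"
    $acl = Get-Acl -Path $aclPath
    $acl.AddAccessRule($ace)
    Set-Acl -Path $aclPath -AclObject $acl

    # Read the ACE back; it is the entry that will show in ADUC's ACL editor.
    (Get-Acl -Path $aclPath).Access |
        Where-Object { $_.ObjectType -eq $attrGuid -and $_.IdentityReference.Value -like "*\$GroupName" } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
}

Get-DssecAttributeVisibility -ObjectClass 'user' -Attribute 'lockoutTime'
Grant-UnlockDelegation -OuDn 'OU=Staff,DC=example,DC=com' -GroupName 'HelpDesk-Unlock'
```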

Source: http://windowsitpro.com/article/articleid/102025/q--how-can-i-delegate-the-right-to-unlock-locked-active-directory-ad-user-accounts.html

Sunday, May 17, 2009

Win Server 2008: Owner Rights in Active Directory Domain Services

Windows Server 2008 introduces new capabilities for Active Directory Domain Services object ownership. These new capabilities do not change the default permissions that the owner of an object is granted; however, they do provide the ability to modify the permissions granted to the owner of an object. The ability to restrict the permissions for the owner on an object is a welcome security enhancement in Windows Server 2008.

Each Active Directory Domain Services object has a security descriptor, which makes it possible to secure the object by using permissions. A security descriptor contains all information related to access control for a given object, including:

* The owner of the object
* The primary group of the object (rarely used)
* The discretionary access control list (DACL)
* The system access control list (SACL)
* Control information

By default, the owner of the object is given the WRITE_DAC permission and READ_CONTROL permission. These permissions provide the owner with the ability to change permissions on an object and to read the permissions assigned to an object, respectively.

Issues with Pre-Windows Server 2008 Behavior of Object Ownership

There are a number of issues with the pre-Windows Server 2008 behavior of object ownership, and covering them helps explain the benefits of the new capabilities.

One of the biggest security risks with the pre-Windows Server 2008 behavior of object ownership is that it provides a way to escalate privileges. Consider the scenario in which you've granted your help desk permission to create user accounts but not permission to delete them. When a member of the help desk subsequently creates a user account, that member becomes the owner of the user account object in the directory and, with the pre-Windows Server 2008 behavior, automatically receives the ability to change permissions on it. If they want to delete the user object, or grant anyone else the ability to do so, they can do so simply by modifying the permissions on the user account object.

With the pre-Windows Server 2008 behavior of object ownership, you are limited to taking ownership of an object. As a safeguard, members of the Administrators group can always take ownership of an object, even if the current owner has denied Administrators permission to modify it. However, taking ownership is essentially a reactive step; the pre-Windows Server 2008 behavior offered no proactive means of control.

By default, Windows Server 2008 designates the creator of an object as its owner, which is the same as the pre-Windows Server 2008 behavior. Windows Server 2008 also still grants the owner the ability to change permissions on an object and to read them, again consistent with the earlier behavior. However, Windows Server 2008 introduces a new well-known security principal called Owner Rights, which can be used to restrict the permissions that the owner of an object is granted. In Windows Server 2008, you can add the Owner Rights well-known security principal to the Discretionary Access Control List (DACL) of an object and control the permissions that are assigned to the owner of that object. When you add the Owner Rights principal to the DACL of an object, the permissions you specify for it are what the owner gets. This new capability overrides the default pre-Windows Server 2008 behavior of object ownership.
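An added example (not from the original article) for the help-desk scenario above: it lists user objects under an OU whose owner is not an administrative group, and adds an OWNER RIGHTS entry so that owning an object no longer carries the right to rewrite its DACL. It assumes a Windows Server 2008 or later domain with the ActiveDirectory module loaded; the OU DN is a constructed sample value.

```powershell
# Added example (not from the original article). Audits user objects under an
# OU for owners that are not an administrative group (the help-desk scenario
# above) and optionally adds an OWNER RIGHTS entry that limits what any owner
# gets, so ownership no longer implies WRITE_DAC on the object.
# Assumes: Windows Server 2008 or later domain, ActiveDirectory module;
# OU=Staff,DC=example,DC=com is a constructed sample value.
Import-Module ActiveDirectory

function Get-NonAdminOwnedUsers {
    param([Parameter(Mandatory = $true)][string]$OuDn)

    $domainSid = (Get-ADDomain).DomainSID.Value
    # Owners that are expected: Domain Admins (RID 512) and BUILTIN\Administrators.
    # Objects created by members of these groups get the group as owner.
    $expected = @("$domainSid-512", 'S-1-5-32-544')

    Get-ADUser -SearchBase $OuDn -Filter * | ForEach-Object {
        $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
        if ($expected -notcontains $ownerSid) {
            # Such an owner can grant itself Delete on the object under the
            # pre-2008 rules, which is the escalation the article describes.
            [pscustomobject]@{
                User  = $_.SamAccountName
                Owner = $acl.Owner     # NTAccount form, e.g. DOMAIN\helpdesk1
            }
        }
    }
}

function Add-OwnerRightsRestriction {
    param([Parameter(Mandatory = $true)][string]$OuDn)

    # S-1-3-4 is the OWNER RIGHTS well-known security principal.
    $ownerRights = New-Object System.Security.Principal.SecurityIdentifier('S-1-3-4')
    # Once an OWNER RIGHTS ACE is present, the owner gets exactly these rights
    # instead of the implicit WRITE_DAC and READ_CONTROL. Inherited by all
    # descendant objects of the OU.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $ownerRights,
        [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents)

    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
    Write-Host "OWNER RIGHTS restricted to ReadProperty on descendants of $OuDn."
}

$ou = 'OU=Staff,DC=example,DC=com'   # constructed sample OU
$findings = @(Get-NonAdminOwnedUsers -OuDn $ou)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Add-OwnerRightsRestriction -OuDn $ou
} else {
    Write-Host "All user objects under $ou are owned by an administrative group."
}
```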


Source: enterpriseitplanet.com

Tuesday, May 12, 2009

Windows Server 2008: Install Active Directory Domain Services

Active Directory provides the structure to centralize the network and store information about network resources across the entire domain. Active Directory uses Domain Controllers to keep this centralized storage available to network users.

In this scenario we are going to install Active Directory fresh with a brand new Domain Controller after a fresh install of Windows Server 2008.

Requirements for Active Directory Domain Services

Let's go through some of the requirements for a fresh install of Active Directory Domain Services. Some of these must be done beforehand; others, as noted, can be done during the install:

* Install Windows Server 2008

* Configure TCP/IP and DNS networking configurations

* The disk drive that stores SYSVOL must be a local drive formatted with NTFS

* Active Directory requires DNS to be installed in the network. If it is not already installed, you can have a DNS server installed during the Active Directory Domain Services installation.

Once you verify that these requirements have been met we can get started.

Install Active Directory Domain Services via Server Manager

For the first example, let's install Active Directory through Server Manager. This is the most straightforward way, as a wizard guides you through the necessary steps.

1. Start Server Manager.

2. Select Roles in the left pane, then click on Add Roles in the center console.

3. Depending on whether you chose to skip the Before You Begin page while installing another role, you may now see a warning page telling you to make sure you have strong security, a static IP and the latest patches before adding roles to your server.

If you get this page, just click Next.

4. In the Select Server Roles window we are going to place a check next to Active Directory Domain Services and click Next.

5. The information page on Active Directory Domain Services gives the following warnings, which you should read and then click Next:

* Install a minimum of two domain controllers to provide redundancy against a server outage (with only one, users could not log in)

* AD DS requires DNS; if it is not installed you will be prompted for it

* After installing AD DS you must run dcpromo.exe to upgrade to a fully functional domain controller

* Installing AD DS also installs the DFS Namespaces, DFS Replication and File Replication services, which Directory Services requires

6. The Confirm Installation Selections screen will show you some information messages and warn that the server may need to be restarted after installation.

Review the information and then click Next.

7. The Installation Results screen will hopefully show Installation Succeeded, with an additional warning about running dcpromo.exe (I think they really want us to run dcpromo).

After you review the results, click Close.

8. After the Installation Wizard closes you will see that Server Manager still shows Active Directory Domain Services as not running. This is because we have not run dcpromo yet.

9. Click on the Start button, type dcpromo.exe in the search box and either hit Enter or click on the search result.

10. The Active Directory Domain Services Installation Wizard will now start.

There are links to more information; follow them if you want to learn a bit more, or go ahead, click Use advanced mode installation and then click Next.
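An added example (not from the original post) that checks the requirements listed earlier in this post (static IP, DNS, NTFS for SYSVOL) and installs the AD DS role as the Server Manager steps do, leaving dcpromo.exe for the promotion. It assumes Windows Server 2008 R2 or later (ServerManager module) in an elevated session; the SYSVOL drive defaults to the system drive.

```powershell
# Added example (not from the original post). Checks the requirements listed
# earlier in this post (static IP, DNS, NTFS volume for SYSVOL) and installs
# the AD DS role the way the Server Manager steps do; dcpromo.exe still does
# the promotion. Assumes: Windows Server 2008 R2 or later, elevated session.

function Test-AdDsPrerequisites {
    param([string]$SysvolDrive = $env:SystemDrive)   # default SYSVOL location
    $problems = @()

    # Static IP: a DHCP-assigned address can change and break the DC's DNS records.
    $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
    foreach ($nic in $nics) {
        if ($nic.DHCPEnabled) {
            $problems += "Adapter '$($nic.Description)' uses DHCP; configure a static IP."
        }
    }

    # SYSVOL must live on a local fixed disk formatted with NTFS (DriveType 3 = local disk).
    $vol = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID = '$SysvolDrive'"
    if ($vol.DriveType -ne 3) { $problems += "$SysvolDrive is not a local fixed disk." }
    elseif ($vol.FileSystem -ne 'NTFS') { $problems += "$SysvolDrive is $($vol.FileSystem), not NTFS." }

    # A DNS server must be configured and reachable; otherwise the wizard will
    # prompt to install DNS locally, as the post notes.
    $dnsServers = @($nics | ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ })
    if ($dnsServers.Count -eq 0) {
        $problems += 'No DNS server configured on any adapter.'
    } else {
        $client = New-Object System.Net.Sockets.TcpClient
        try { $client.Connect($dnsServers[0], 53) }
        catch { $problems += "DNS server $($dnsServers[0]) does not answer on TCP 53." }
        finally { $client.Close() }
    }
    return $problems
}

function Install-AdDsRole {
    Import-Module ServerManager
    $feature = Get-WindowsFeature -Name AD-Domain-Services
    if ($feature.Installed) {
        Write-Host 'AD DS role already installed.'
        return $feature
    }
    # Same as Add Roles -> Active Directory Domain Services; pulls in the
    # DFS and File Replication components the wizard warns about.
    $result = Add-WindowsFeature -Name AD-Domain-Services
    if (-not $result.Success) { throw 'AD DS role installation failed.' }
    Write-Host 'Role installed. Run dcpromo.exe to promote this server to a domain controller.'
    return (Get-WindowsFeature -Name AD-Domain-Services)
}

$issues = @(Test-AdDsPrerequisites)
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
    throw 'Fix the prerequisites above before installing AD DS.'
}
Install-AdDsRole
```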

For more detail: Source

Wednesday, May 6, 2009

Restartable Active Directory Domain Services Explained

Windows Server 2008 includes a service that allows you to start, stop, and restart Active Directory Domain Services on a domain controller. This new functionality facilitates more streamlined operations when it comes to performing offline tasks on a domain controller. This article takes a closer look at the new restartable Active Directory Domain Services in Windows Server 2008.

Overview of the Active Directory Domain Services Service

Every domain controller that has Windows Server 2008 installed includes a service called Active Directory Domain Services, which can be manipulated like any other service. This new service and functionality is enabled by default on all domain controllers that have Windows Server 2008 installed; there are no domain or forest functional-level requirements for this functionality.

With the Active Directory Domain Services running as a service on a domain controller, you can use familiar tools to manipulate the status of the service. For example, you can use the Services console or sc.exe to stop, start or restart the Active Directory Domain Services service.

The Active Directory Domain Services service has a number of other services that depend on it. As a result, when you change the status of the Active Directory Domain Services service, the dependent services will also be affected. These dependent services include the following:

  • DFS Replication
  • DNS Server
  • Intersite Messaging
  • Kerberos Key Distribution Center

It is common for domain controllers to run other services that do not depend on Active Directory Domain Services. Because Active Directory Domain Services runs as a true service that can be manipulated independently of those nondependent services, the nondependent services continue to function while the Active Directory Domain Services service is stopped.

The Active Directory Domain Services service can be in one of two statuses: Started or Stopped. The tasks that can be performed on a domain controller differ based on the status of the service. Furthermore, the directory service functionality is also different depending on the status of the Active Directory Domain Services service.

Active Directory Domain Services Service -- Started

When the Active Directory Domain Services service is started, the domain controller functions just like any other domain controller. In this state, Active Directory Domain Services, and other dependent and nondependent services running on the domain controller, operate just as they do on a Windows Server 2003 or Windows 2000 Server domain controller. The domain controller will process authentication and authorization requests, for example, because the domain controller is online.

Active Directory Domain Services -- Stopped

When the Active Directory Domain Services service is stopped, the domain controller is said to be offline and functions similarly to a domain controller running in Directory Services Restore Mode. When the Active Directory Domain Services service is stopped, the Active Directory Domain Services database (NTDS.dit) is offline. As a result, changes cannot be made to the Active Directory Domain Services database, either directly or through replication.

The fact that the Active Directory Domain Services database is offline when the Active Directory Domain Services service is stopped provides the ability to perform offline maintenance tasks without restarting the domain controller into Directory Services Restore Mode. These tasks include performing an offline Active Directory Domain Services database defragmentation, marking an object or objects as authoritative, and forcefully removing Active Directory Domain Services from the domain controller.

Because the Active Directory Domain Services database is offline when the Active Directory Domain Services service is stopped, the domain controller will not process authentication requests. In this case, authentication requests, and all other Active Directory Domain Services client and service requests, are referred to an online domain controller. If no other domain controller can be contacted to process the authentication request, you must log on to the domain controller using the Directory Services Restore Mode account.

Directory Services Restore Mode Account and the Active Directory Domain Services Service

By default, the Directory Services Restore Mode account can be used only when logging on to a domain controller in Directory Services Restore Mode. However, Windows Server 2008 provides the ability to allow the Directory Services Restore Mode account to log on to a domain controller while the Active Directory Domain Services service is stopped. This functionality is enabled by setting the DSRMAdminLogonBehavior value under the HKLM\System\CurrentControlSet\Control\Lsa registry key. The table that follows lists the three options for DSRMAdminLogonBehavior:

Value   Description
0       (Default) The DSRM account cannot be used for logon.
1       The DSRM Administrator account can be used to log on only when the AD DS service is stopped.
2       The DSRM Administrator account can be used to log on at any time.
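The stop, maintain, restart cycle described above, plus a check of the DSRMAdminLogonBehavior setting, as an added example that is not from the article. It assumes an elevated PowerShell prompt on a Windows Server 2008 domain controller; the service name NTDS and the dependent service names (DFSR, DNS, IsmServ, Kdc) are the standard ones.

```powershell
# Added example (not from the article). Assumes an elevated PowerShell prompt on a
# Windows Server 2008 domain controller; NTDS is the AD DS service's short name.
$ntds = Get-Service -Name NTDS

# Services that go down together with AD DS (the article's list: DFS Replication,
# DNS Server, Intersite Messaging, Kerberos KDC). Capture them while still running.
$dependents = @($ntds.DependentServices | Where-Object { $_.Status -eq 'Running' })
$dependents | Select-Object Name, DisplayName, Status

# Stop AD DS for an offline task. -Force is required because of the dependents;
# the nondependent services on the box keep running.
Stop-Service -Name NTDS -Force

# ... offline maintenance goes here, e.g. ntdsutil "activate instance ntds" files compact ...

# Starting NTDS again does NOT bring the dependents back: restart each one explicitly,
# then confirm that everything is Running again.
Start-Service -Name NTDS
foreach ($svc in $dependents) { Start-Service -Name $svc.Name }
Get-Service -Name NTDS, DNS, DFSR, IsmServ, Kdc | Format-Table Name, Status -AutoSize

# Audit DsrmAdminLogonBehavior. The value is absent by default, which means 0 (the
# DSRM account works only in Directory Services Restore Mode). 2 lets that local
# account, which sits outside the domain password policy, log on at any time.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$behavior = (Get-ItemProperty -Path $lsa -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
if ($behavior -eq $null) { $behavior = 0 }
switch ($behavior) {
    0 { 'DSRM logon: restore mode only (default)' }
    1 { 'DSRM logon: allowed while the AD DS service is stopped' }
    2 { Write-Warning 'DSRM logon allowed at any time: review and reset this setting' }
}
# For a maintenance window, 1 is the least permissive option that still allows a
# DSRM logon when no other DC is reachable; set it back to 0 afterwards:
#   Set-ItemProperty -Path $lsa -Name DsrmAdminLogonBehavior -Value 1 -Type DWord
```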


Source: enterpriseitplanet.com/networking/features/article.php/3814246

Friday, May 1, 2009

Google Apps gains LDAP support

Google Apps has gained a directory tool designed to simplify and accelerate the setup of this hosted collaboration and communication suite.

With the new Directory Sync, Apps can tap into existing LDAP-based user directories, such as the ones in IBM's Lotus Domino and Microsoft Active Directory, so that administrators don't have to set up a separate directory in the Google suite.

Google Apps has mostly been adopted in small and medium-size companies, and groups within large organizations, although the suite has nabbed large deployments in universities and government settings.

The new tool, which comes from technology Google acquired when it bought Postini, runs behind customers' firewalls and offers a one-way delivery of directory information to Google Apps.

"The utility offers many of the customization settings, tests and simulations originally developed and refined for the Postini directory sync tool," wrote Navneet Goel, Google enterprise product manager, in a blog posting Thursday.

The LDAP (Lightweight Directory Access Protocol) component is available at no additional cost for administrators of the Premier, Education and Partner versions of Apps.

For detail info: http://www.reuters.com/article/idgSmallBusiness/idUS210295645120090501

Tuesday, April 14, 2009

How to Fix Active Directory DNS problems?

Often, when creating a brand new domain or promoting a computer that does not have DNS installed or correctly configured, Active Directory does not properly configure the DNS namespace for your new domain.

This can be checked by going into the DNS MMC console and expanding the forward lookup zone. It should have several sub "folders" such as DC, GC, etc.

Errors like:

server GUID DNS name could not be resolved to an IP address. Check items such as the DNS server, DHCP and server name. Although the GUID DNS name (._msdcs.domain-name.local) couldn't be resolved, the server name () resolved to the IP address () and was pingable. Check that the IP address is registered correctly with the DNS server.

This type of error will cause you to not be able to add computers to your domain, or even add new domain controllers.

Step1: Log into the Domain controller either in console or via RDP

Step2: Download DcDiag.exe from microsoft if you do not have the Windows 2000 support tools installed. You can find it at http://www.microsoft.com/downloads/details.aspx?familyid=23870A87-8422-408C-9375-2D9AAF939FA3&displaylang=en

You can download it and extract it to anywhere you like.

Step3: Open a command window (Start menu -> Run -> type "cmd" without the quotes and hit Enter/click OK), then change directory to where the executable is located.

Step4: Type "ipconfig /flushdns", then "ipconfig /registerdns" (without the quotes) to flush the DNS resolver cache and register the DNS resource records, respectively.

Some people like to clear the ARP cache as well; you can do this by typing "arp -d *" at the command prompt without the quotes. This part is optional.

Step5: At the prompt type in dcdiag /fix

Read through the output. You will most likely have the following text somewhere in your output:

Server GUID DNS name could not be resovled to an ipaddress.
Althought GUID could not be resolved, the server name resolved to the ip address x.x.x.x and was pingable

Step6: Still at the command prompt, type "dcdiag /fix", then "net stop netlogon" and "net start netlogon" (again without the quotes) to finalize the changes.

Run dcdiag one more time to make sure the domain controller's DNS is working. You should no longer get the error mentioned in step 5. Some other NIC-related errors may show up, but you can dismiss those for the most part; they won't affect your installation (you couldn't have gotten this far if there were serious NIC problems).

Step7: You should now be able to add member computers to your new domain and add domain controllers.
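The check and repair sequence from steps 4 to 6, with the failing GUID record tested before and after, as an added script that is not part of the original post. It assumes it runs from an elevated PowerShell prompt on the domain controller itself, with dcdiag on the path; the record it tests is the <DsaGuid>._msdcs.<forest> CNAME named in the error message.

```powershell
# Added example (not from the original post). Run elevated on the domain controller.

# Work out this DC's own GUID record, <DsaGuid>._msdcs.<forest>: the name the error
# in the post says "could not be resolved". RootDSE's dsServiceName is the DN of this
# DC's NTDS Settings object, whose objectGUID is the DSA GUID.
$rootDse      = [ADSI]'LDAP://RootDSE'
$ntdsSettings = [ADSI]"LDAP://$($rootDse.dsServiceName)"
$dsaGuid      = $ntdsSettings.psbase.Guid.ToString()
$forest       = ("$($rootDse.rootDomainNamingContext)" -replace ',?DC=', '.').TrimStart('.')
$guidRecord   = "$dsaGuid._msdcs.$forest"

function Test-DsaGuidRecord([string]$Name) {
    # GetHostAddresses follows the CNAME to the DC's A record, like nslookup would.
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($Name)
        Write-Host "$Name -> $($ips -join ', ')"
        return $true
    } catch {
        Write-Warning "$Name could not be resolved: $($_.Exception.Message)"
        return $false
    }
}

if (-not (Test-DsaGuidRecord $guidRecord)) {
    # Steps 4-6 of the post: clear the resolver cache, re-register this host's
    # records, let dcdiag repair the DC records, then bounce Netlogon so it
    # re-registers the _msdcs SRV and CNAME records.
    ipconfig.exe /flushdns    | Out-Null
    ipconfig.exe /registerdns | Out-Null
    dcdiag.exe /fix
    Stop-Service  -Name Netlogon
    Start-Service -Name Netlogon
    Start-Sleep -Seconds 15   # give Netlogon a moment to register
    ipconfig.exe /flushdns    | Out-Null
    if (-not (Test-DsaGuidRecord $guidRecord)) {
        throw "GUID record still missing. Check that the DNS server hosts the _msdcs.$forest zone and accepts dynamic updates from this DC."
    }
}

# Final confirmation, as the post suggests: run dcdiag once more.
dcdiag.exe
```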

Source:eHow

Wednesday, April 8, 2009

OUrganizeIT - Active Directory Object Management tool

OUrganizeIT by Synergix, Inc., is an Active Directory Object Management tool. It helps organize and secure computer objects and user objects in a Microsoft Windows Active Directory environment, helping organizations meet their SOX, SEC and HIPAA compliance requirements.

Users with elevated privileges may remove their computers from the domain for non-business, experimental purposes or for business reasons, such as product demonstrations at client sites, tradeshows or conferences. OUrganizeIT helps maintain domain membership.

If the computer object in the Active Directory domain becomes defunct or the user removes the computer object from the domain and puts it in a workgroup or another domain ( at home, internet cafe, etc.), the computer rejoins the domain next time it is put back on the corporate network. All this is achieved without granting the user elevated privileges on his / her workstation or in Active Directory environment.

Version 8 includes VPN User Password Change option.

Source: zdnetasia.com

Friday, April 3, 2009

Windows Server 2008 Active Directory Database Mounting Tool

Windows Server 2008 aims to improve recovery processes for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). In Windows Server 2008, you can now take point-in-time snapshots of the data that is stored in AD DS or AD LDS. Furthermore, Windows Server 2008 includes a new Active Directory database mounting tool, which allows you to mount the snapshot. This new functionality provides administrators with the ability to view AD DS and AD LDS data as it existed at different times, thus effectively arming you with better means to deal with the recovery of AD DS and AD LDS data.

Snapshots

The Windows Server 2008 version of the Ntdsutil.exe command-line tool includes a new operation, called snapshot, which provides the ability to create snapshots of AD DS and AD LDS data. The Ntdsutil.exe snapshot operation can be used to create point-in-time snapshots of AD DS and AD LDS data. You can also schedule a recurring task (e.g., using Task Scheduler) that uses Ntdsutil.exe to create snapshots.

You are not restricted to the use of snapshots that were created by using the Ntdsutil.exe snapshot operation. You can use any backup of an AD DS or AD LDS database that uses the Volume Shadow Copy Service (VSS), including Windows Server Backup as well as third-party backup solutions.

Database Mounting

The Ntdsutil.exe snapshot operation also provides the ability to list, mount, and unmount snapshots of AD DS and AD LDS data. If you incorporate this new functionality into your disaster recovery plan for AD DS or AD LDS, you will likely have multiple snapshots of AD DS or AD LDS data. The Ntdsutil.exe snapshot operation provides the ability to list all snapshots so you can determine which snapshot you need to work with. Once you have identified the appropriate snapshot, you must mount the snapshot before you can continue. Mounting and unmounting snapshots is also performed using the Ntdsutil.exe snapshot operation.

Exposing a Snapshot as an LDAP Server

After you have created one or more snapshots, and you know which snapshot you plan to work with, you must expose that snapshot as an LDAP server before you can view the data stored in it. Windows Server 2008 includes a command-line tool, called Dsamain.exe, which provides the ability to expose AD DS and AD LDS snapshots as an LDAP server. When running the Dsamain.exe command-line tool, you must specify the path to the AD DS or AD LDS database (ntds.dit) file. You can optionally specify where to store the log files and temporary database by using the log path parameter. In most cases, you will view multiple snapshots at the same time. As a result, you must specify which port to use for LDAP communication when exposing the snapshot using Dsamain.exe.

In addition to LDAP communication, LDAP over SSL, global catalog, and global catalog over SSL communication can be used to query a snapshot exposed as an LDAP server. By default, Dsamain.exe will increment the port number by 1 for each of these additional protocols. For example, if you specify port 5000 for LDAP, Dsamain.exe will use 5001 for LDAP over SSL, 5002 for global catalog, and 5003 for global catalog over SSL. You can, however, specify the port numbers to be used for the additional protocols.
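The snapshot, mount and expose sequence described in the three sections above, as an added example that is not from the article. It assumes an elevated PowerShell prompt on a Windows Server 2008 domain controller; the snapshot GUID and mount path are placeholders that ntdsutil prints when you run the list and mount commands, and the Get-ADUser query assumes the Windows Server 2008 R2 Active Directory module (ldp.exe pointed at localhost:5000 works the same way on plain 2008).

```powershell
# Added example (not from the article). Assumes an elevated prompt on a Windows
# Server 2008 DC; the snapshot GUID and mount path below are placeholders taken
# from ntdsutil's own output.

# 1. Take a VSS snapshot of the AD DS database and list what exists.
ntdsutil.exe "activate instance ntds" snapshot create quit quit
ntdsutil.exe snapshot "list all" quit quit

# 2. Mount one snapshot by the GUID shown in the list. ntdsutil reports the
#    mount point, e.g. C:\$SNAP_200904031200_VOLUMEC$\
$snapGuid = '{00000000-0000-0000-0000-000000000000}'   # placeholder
ntdsutil.exe snapshot "mount $snapGuid" quit quit
$mount    = 'C:\$SNAP_200904031200_VOLUMEC$'            # placeholder

# 3. Expose it as an LDAP server on a port that cannot clash with the live DC.
#    With -ldapport 5000 alone, dsamain takes 5001 (LDAP over SSL), 5002 (global
#    catalog) and 5003 (GC over SSL); -sslport, -gcport and -gcsslport override
#    that, and -logpath (the article's log path parameter) relocates the logs.
#    dsamain stays in the foreground, so give it its own window.
$ldapPort = 5000
$dit = Join-Path $mount 'Windows\NTDS\ntds.dit'
Start-Process -FilePath dsamain.exe -ArgumentList "-dbpath `"$dit`" -ldapport $ldapPort"

# 4. Query the snapshot as of that point in time, e.g. what a user's group
#    membership looked like before a suspicious change.
Get-ADUser -Server "localhost:$ldapPort" -Filter 'Name -like "test*"' -Properties memberOf |
    Select-Object Name, memberOf

# 5. Clean up. The mounted copy is a complete, readable ntds.dit with every
#    credential in it: stop dsamain, unmount, and delete the snapshot once it
#    is no longer needed rather than leaving it on disk.
Stop-Process -Name dsamain -ErrorAction SilentlyContinue
ntdsutil.exe snapshot "unmount $snapGuid" quit quit
ntdsutil.exe snapshot "delete $snapGuid" quit quit
```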

Source: http://www.enterpriseitplanet.com/networking/features/article.php/3812086

Wednesday, March 25, 2009

Active Directory Recycle Bin can save a Windows Server

The Recycle Bin feature allows objects to be restored via the Active Directory PowerShell environment. For the beta release, this functionality is turned off by default, so the first step is to enable the feature. Figure A shows this step.

[Figure A: Active Directory Recycle Bin]

Once this is complete, you can view the contents of the Active Directory Recycle Bin. This special location exists as a container that holds the objects as they are deleted.

In my first looks at the Windows Server 2008 R2 beta, I set up a test domain running at that functional level. The domain, dev.tld, had nothing in the Recycle Bin after it was created. I deleted two objects: one user and one group. Figure B shows the query of what is in the Recycle Bin before the two objects were deleted, then another query after they were deleted.

[Figure B: Windows Server Active Directory]

Notice that some fields were cut off in the display, notably the full GUID (which is needed for the restore). To display the entire GUID and object name, you would run this query:

Get-ADObject -SearchBase "CN=Deleted Objects,DC=dev,DC=tld" -ldapFilter "(objectClass=*)" -includeDeletedObjects | FT ObjectGUID,Name -A

Then, the full GUID is displayed, so a copy and paste operation will allow an easy restore. From the list above, to restore the single user named test, the following command will perform the restore:

Restore-ADObject -Identity 6ff46162-15c2-4d42-8e15-2fcac5c8422e

The object is instantly returned to full existence in Active Directory.
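The enable step from Figure A and a restore that looks the deleted object up by name instead of a pasted GUID, as an added example that is not part of the original post. It assumes the Windows Server 2008 R2 Active Directory module, a forest already at the 2008 R2 functional level, and the placeholder names dev.tld and test.

```powershell
# Added example (not from the original post). Assumes the Windows Server 2008 R2
# AD module and a forest at the 2008 R2 functional level; dev.tld and the object
# name "test" are placeholders.
Import-Module ActiveDirectory

# Figure A's step: enable the feature once per forest. This cannot be undone.
$feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
                             -Target 'dev.tld' -Confirm:$false
}

# Deleted objects keep their name as a prefix ("test\0ADEL:<guid>"), so a
# prefix match on name finds them without knowing the GUID in advance.
function Get-DeletedADObject([string]$Name) {
    Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(name=$Name*))" `
                 -SearchBase 'CN=Deleted Objects,DC=dev,DC=tld' `
                 -IncludeDeletedObjects `
                 -Properties Name, ObjectClass, ObjectGUID, lastKnownParent, whenChanged
}

# Restore only when the match is unambiguous and the original container still
# exists; Restore-ADObject fails otherwise, and a deleted parent OU has to be
# restored first.
function Restore-DeletedADObject([string]$Name) {
    $hits = @(Get-DeletedADObject $Name)
    if ($hits.Count -ne 1) {
        throw "Expected exactly one deleted object named '$Name', found $($hits.Count)"
    }
    $obj = $hits[0]
    $parent = Get-ADObject -Identity $obj.lastKnownParent -ErrorAction SilentlyContinue
    if (-not $parent) {
        throw "Original container $($obj.lastKnownParent) is gone; restore it first"
    }
    Restore-ADObject -Identity $obj.ObjectGUID
    Get-ADObject -Identity $obj.ObjectGUID   # back under its lastKnownParent
}

Get-DeletedADObject 'test' | Format-Table Name, ObjectClass, ObjectGUID, whenChanged -AutoSize
Restore-DeletedADObject 'test'
```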

Source: http://blogs.techrepublic.com.com/datacenter/?p=675

Sunday, March 8, 2009

Recovering Bitlocker Keys from Active Directory

BitLocker is a great tool for ensuring that the data on your organization’s computers is protected when laptop computers are misplaced or hard disk drives are stolen. Volumes encrypted using BitLocker can be recovered using the BitLocker recovery tool if you have the appropriate recovery key. As each BitLocker key is individual, the big problem with BitLocker recovery has been keeping track of every computer’s BitLocker keys.

The easiest way to keep track of all keys is to archive them to Active Directory. It saves a lot of effort with setting up an Excel spreadsheet! The Computer Configuration\Administrative Templates\Windows components\BitLocker Drive Encryption node of a Windows Server 2008 GPO contains a policy named Turn on BitLocker Backup To Active Directory Domain Services.

You can configure this policy so that BitLocker cannot be first enabled unless the computer is connected to the domain and the backup of the BitLocker keys to AD succeeds (BitLocker remains on after that). To ensure BitLocker keys are backed up, enable the policy and select the Require BitLocker Backup to AD DS option before deploying BitLocker. You can choose to back up recovery passwords and key packages or just recovery passwords. You should back up both items as this will give you more flexibility when attempting to recover encrypted volumes that might be damaged.

Retrieving a BitLocker key from Active Directory involves using the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool. This tool allows you to locate and view BitLocker recovery passwords, assuming that you have Domain Administrator privileges in the domain in which the password is stored and the passwords are archived in AD. You can obtain this tool from Microsoft’s website here: http://support.microsoft.com/kb/928202.

You should note that the tool is not included with Windows Server 2008 or Windows Vista by default. So although you can archive BitLocker keys to AD, there isn’t any way to retrieve them unless you download this extra tool. Before you run the tool on a DC for the first time, but after you have installed it, it is necessary to run the command regsvr32.exe bdeaducext.dll. The tool itself modifies Active Directory Users and Computers so that when you view a computer account’s properties, there will be a BitLocker Recovery Tab that lists BitLocker recovery passwords associated with the computer account. You can remove the tool using Add or Remove Programs in the Control Panel. Once you’ve recovered the appropriate passwords, you can get on with recovering encrypted data!
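A way to verify that the archiving policy above is actually taking effect, as an added example that is not part of the original post. It assumes the Windows Server 2008 R2 Active Directory module (or RSAT), the BitLocker schema class msFVE-RecoveryInformation, and placeholder OU and domain names; it reports which computers have no archived recovery information at all, and deliberately never reads the recovery passwords themselves (that is what the Recovery Password Viewer is for).

```powershell
# Added example (not from the original post). Assumes the 2008 R2 AD module or
# RSAT; OU and domain names are placeholders.
Import-Module ActiveDirectory

function Get-BitLockerBackupStatus([string]$SearchBase) {
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties OperatingSystem |
    ForEach-Object {
        # Archived recovery information lives in msFVE-RecoveryInformation child
        # objects of the computer account, one per recovery password. Only the
        # count and timestamps are read here, never msFVE-RecoveryPassword.
        $info = @(Get-ADObject -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
                               -SearchBase $_.DistinguishedName -SearchScope OneLevel `
                               -Properties whenCreated)
        $latest = $info | Sort-Object whenCreated -Descending | Select-Object -First 1
        New-Object PSObject -Property @{
            Computer        = $_.Name
            OperatingSystem = $_.OperatingSystem
            RecoveryObjects = $info.Count
            LatestBackup    = if ($latest) { $latest.whenCreated } else { $null }
        }
    }
}

$status = Get-BitLockerBackupStatus -SearchBase 'OU=Laptops,DC=dev,DC=tld'
$status | Sort-Object RecoveryObjects |
    Format-Table Computer, OperatingSystem, RecoveryObjects, LatestBackup -AutoSize

# Machines to chase: BitLocker may be on, but nothing was ever archived, so a
# lost PIN or failed TPM on these means the data is gone.
$status | Where-Object { $_.RecoveryObjects -eq 0 } | Select-Object Computer, OperatingSystem
```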

Source: http://windowsitpro.com/article/articleid/101582/recovering-bitlocker-keys-from-active-directory.html

Sunday, February 22, 2009

Windows Server 2008: Discover the New Active Directory Domain Services

There are a number of new Active Directory Domain Services features in Windows Server 2008. These new features improve auditing, security, and the management of Active Directory Domain Services and show Microsoft's commitment to evolving Active Directory Domain Services. The following is an overview of the new Active Directory Domain Services features that are in Windows Server 2008.

Auditing

Windows Server 2008 introduces significant changes to Active Directory Domain Services auditing. Active Directory Domain Services auditing in Windows Server 2008 is more granular than previous versions and provides you with more control over what is audited.

Active Directory Domain Services auditing is now divided into the following four subcategories:

* Directory Service Access
* Directory Service Changes
* Directory Service Replication
* Detailed Directory Service Replication

You can disable or enable Active Directory Domain Services auditing at the subcategory level. For each subcategory, you can also configure whether to log successful events, failed events, both successful and failed events, or nothing at all.

In Windows Server 2008, the new Directory Service Changes subcategory allows you to log the old value and new value of a changed attribute, in addition to the attribute name.

Windows Server 2008 also provides the ability to exclude the logging of changes to specific attributes by modifying the attribute properties.

The Active Directory Domain Services auditing subcategories are viewed and configured by using the Auditpol.exe command-line tool.
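The subcategory configuration described above, followed by a look at the change events it produces, as an added example that is not from the article. It assumes an elevated prompt on a Windows Server 2008 domain controller with PowerShell 2.0 (for Get-WinEvent); the category and subcategory names are auditpol's own, and the event IDs are the Windows Server 2008 directory service change events.

```powershell
# Added example (not from the article). Assumes an elevated prompt on a Windows
# Server 2008 DC with PowerShell 2.0.

# Show the four AD DS subcategories (the "DS Access" category) and their settings.
auditpol.exe /get /category:"DS Access"

# Enable success auditing for Directory Service Changes, the subcategory that
# records the old and new value of a changed attribute. The two replication
# subcategories are left alone: they are noisy and rarely useful for detection.
auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable
auditpol.exe /set /subcategory:"Directory Service Access"  /failure:enable

# Change events are only generated for objects whose SACL audits property writes
# (set on the domain root through ADSI Edit or Active Directory Users and
# Computers). Once both are in place the Security log receives 5136 (modified),
# 5137 (created), 5139 (moved) and 5141 (deleted) directory service events.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5139, 5141 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }

# Detection example: group membership changes. A 5136 event names the attribute
# ("LDAP Display Name: member") and whether a value was added or deleted.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } `
             -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'LDAP Display Name:\s+member\b' } |
    Select-Object TimeCreated,
                  @{ n = 'Operation'; e = { if ($_.Message -match 'Type:\s+(Value \w+)') { $Matches[1] } } },
                  @{ n = 'Object';    e = { if ($_.Message -match 'DN:\s+(.+)') { $Matches[1].Trim() } } } |
    Format-Table -AutoSize
```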

Fine-Grained Password Policies

Windows Server 2008 introduces the ability to create multiple password policies in a single domain, which is another first for Active Directory Domain Services. The introduction of fine-grained password policies in Windows Server 2008 allows organizations to create and manage multiple password policies and account lockout policies to meet diverse security requirements.

You can configure the same password policy and account lockout settings in a fine-grained password policy as you can at the domain level. Fine-grained password policies can be linked to users and to global groups. Because users can inherit multiple fine-grained password policies, a precedence setting has been included to allow you more granular control.

Fine-grained password policies are configured by using the ADSI Edit snap-in.

Read-Only Domain Controllers

Another first for Active Directory Domain Services is the introduction of a new type of domain controller in Windows Server 2008, the read-only domain controller (RODC). RODCs are intended to assist you in situations in which domain controllers must be deployed in locations where physical security cannot be guaranteed, such as branch offices.

Microsoft has implemented a number of mitigating measures to ensure a compromised RODC does not impact the rest of your Active Directory Domain Services environment. These measures include the following:

* Read-only database
* Unidirectional replication
* Credential caching
* Administrator role separation
* Read-only Domain Name System (DNS)

Restartable Active Directory Domain Services

Windows Server 2008 now includes a true service, which allows you to stop, start, and restart Active Directory Domain Services without having to restart the operating system.

In Windows 2000 Server and Windows Server 2003, the operating system on a domain controller had to be restarted in Directory Services Restore Mode for most maintenance and recovery. However, Windows Server 2008 now provides the ability to start, stop, and restart the Domain Controller service.

The domain controller service can be manipulated by using the Services snap-in or the Computer Management snap-in.

Database Mounting Tool

Windows Server 2008 includes a new ability to take snapshots of an Active Directory Domain Services database and mount these snapshots into a new database mounting tool.

The database mounting tool allows you to view an Active Directory Domain Services object's previous state. You can then use this to compare the object's previous state to the object in production. This is particularly useful if you know that an object's attributes were changed, but do not know what the previous value of the attributes were.

User Interface Improvements

A number of user interface improvements have been made in Windows Server 2008. The following is a list of some of the most noteworthy interface changes in Windows Server 2008:

* New installation options for domain controllers.
* A more streamlined and simplified installation process.
* Improvements to the Active Directory Users and Computers console.
* A built-in Attribute Editor, which is accessible on the properties page of each object in the Active Directory Domain Services management tools.

Owner Rights

Windows Server 2008 now provides the ability to limit the default permissions that the owner of an object is given. In previous versions of Windows, the owner of an object was given the ability to read and change permissions on the object, which was more than they required in most cases. This new functionality in Windows Server 2008 also applies to Active Directory Domain Services objects.

Source: http://www.enterpriseitplanet.com/networking/features/article.php/3796561

Monday, February 16, 2009

Active Directory Domain Services Fine-Grained Password and Account Lockout Policies

Since the release of Windows NT 3.1, Microsoft's first Network Operating System, password policies were limited to the domain level. This held true for Windows 2000 Server and Windows Server 2003 versions of Active Directory. However, Microsoft has introduced the ability to define multiple password and account lockout policies in Windows Server 2008.

This article takes a deeper look at the new Active Directory Domain Services fine-grained password and account lockout policies in Windows Server 2008.

Password Settings Container and Password Settings Objects

Active Directory Domain Services in Windows Server 2008 includes two new object classes for fine-grained password and account lockout policies: Password Settings Container and Password Settings objects. Fine-grained password and account lockout policies require a domain functional level of Windows Server 2008, so these two objects will not be used for domains with a lower domain functional level.

The Password Settings Container (PSC) is created in the System container in each domain that has a domain functional level of Windows Server 2008. Password Settings Containers are used to store Password Settings objects for the domain. Once created by the system, the Password Settings Container cannot be moved, deleted, or renamed. You can view the Password Settings Container by enabling Advanced Features in the Active Directory Users and Computers console, or by using ADSI Edit or LDP.exe.

Password Settings objects (PSOs) are the objects that you create to define fine-grained password and account lockout policies. Password Settings objects are stored in the Password Settings Container for the domain. Multiple Password Settings objects can be stored. Password Settings objects can be created by using ADSI Edit and LDIFDE.

Password Settings Object Attributes

Password Settings objects include the nine attributes for the same Password Policy and Account Lockout settings as the Default Domain Policy. These nine attributes are mandatory and must be defined on every Password Settings object. These attributes are shown in the table below.

LDAP Display Name                          Description
msDS-PasswordHistoryLength                 Enforce password history
msDS-MaximumPasswordAge                    Maximum password age
msDS-MinimumPasswordAge                    Minimum password age
msDS-MinimumPasswordLength                 Minimum password length
msDS-PasswordComplexityEnabled             Passwords must meet complexity requirements
msDS-PasswordReversibleEncryptionEnabled   Store passwords using reversible encryption
msDS-LockoutDuration                       Account lockout duration
msDS-LockoutThreshold                      Account lockout threshold
msDS-LockoutObservationWindow              Reset account lockout after

Microsoft did not include the ability to create fine-grained password and account lockout policies in the Active Directory Users and Computers console in Windows Server 2008. As a result, the graphical interface to create Password Settings objects is the ADSI Edit console. The ADSI Edit console allows you to create Password Settings objects, and enter values for the attributes that are contained in Password Settings objects, in raw format. To set a Maximum Password Age of 42 days on a Password Settings object, you would enter a value of 42:00:00:00.

Controlling the Scope of Password and Account Lockout Policies

In addition to the above nine attributes, Password Settings objects also include two new attributes which are used to control the scope. These two attributes are shown in the table below:

LDAP Display Name                 Description
msDS-PSOAppliesTo                 PSO link
msDS-PasswordSettingsPrecedence   Precedence

The msDS-PSOAppliesTo attribute is used to link Password Settings objects to users and/or global groups. It is a multivalued attribute, which allows a Password Settings object to be linked to multiple users and/or global groups, and it is a forward link to the user or group objects. The msDS-PasswordSettingsPrecedence attribute is a mandatory attribute which is used to resolve conflicts when more than one Password Settings object applies to a user or group.
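A Password Settings object carrying the nine mandatory attributes and the two scope attributes from the two tables above, created with LDIFDE (which the article names alongside ADSI Edit), as an added example that is not from the article. The domain, PSO, group and user names are placeholders; the duration conversion is the raw I8 encoding these attributes store, which is what LDIF must supply instead of ADSI Edit's d:hh:mm:ss form.

```powershell
# Added example (not from the article). Domain, PSO, group and user names are
# placeholders. Requires a domain at the Windows Server 2008 functional level.

# ADSI Edit accepts durations as d:hh:mm:ss (42:00:00:00 for 42 days); an LDIF
# import needs the stored value: a negative count of 100-nanosecond intervals.
function ConvertTo-PsoInterval([TimeSpan]$Duration) {
    if ($Duration -eq [TimeSpan]::MaxValue) { return '-9223372036854775808' }  # "never"
    return (-1 * $Duration.Ticks).ToString()   # e.g. 42 days -> -36288000000000
}

$domainDn = 'DC=dev,DC=tld'
$ldif = @"
dn: CN=PSO-ServiceAccounts,CN=Password Settings Container,CN=System,$domainDn
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: 10
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 14
msDS-MinimumPasswordAge: $(ConvertTo-PsoInterval ([TimeSpan]::FromDays(1)))
msDS-MaximumPasswordAge: $(ConvertTo-PsoInterval ([TimeSpan]::FromDays(42)))
msDS-LockoutThreshold: 5
msDS-LockoutObservationWindow: $(ConvertTo-PsoInterval ([TimeSpan]::FromMinutes(30)))
msDS-LockoutDuration: $(ConvertTo-PsoInterval ([TimeSpan]::FromMinutes(30)))
msDS-PSOAppliesTo: CN=Service Accounts,OU=Groups,$domainDn
"@

$file = Join-Path $env:TEMP 'pso-serviceaccounts.ldf'
Set-Content -Path $file -Value $ldif -Encoding ASCII
ldifde.exe -i -f $file -k     # -k: keep going on "already exists" when re-run

# Confirm which PSO wins for a member of the linked group. The DC resolves the
# precedence rules into the constructed attribute msDS-ResultantPSO, which has to
# be requested explicitly.
$user = [ADSI]"LDAP://CN=svc-backup,OU=Service Accounts,$domainDn"
$user.psbase.RefreshCache(@('msDS-ResultantPSO'))
$user.psbase.Properties['msDS-ResultantPSO'].Value
```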

Source: http://www.enterpriseitplanet.com/networking/features/article.php/3800436

Monday, February 9, 2009

Integrating Mac OS X with Active Directory

Active Directory within Mac OS X enables Mac clients and servers to integrate smoothly into existing AD environments, and provides the option of deploying a single directory services infrastructure that can support both Windows and Mac clients.

A key component of any modern computing environment, directory services allow organizations to centralize information about users, groups, and computing resources. A network-based repository consolidates resources, simplifies system management, and reduces support and administration costs. At the same time, it benefits users by enabling them to access enterprise resources from anywhere on the network. Thus, a directory services infrastructure offers advantages for both administrators and end users.

Of course, the full benefits of active directory services can only be realized when all of your desktop, laptop, and server systems are integrated into the same directory services infrastructure. This goal has been difficult to achieve in the past due to the proliferation of proprietary directory services solutions.

With the introduction of the Active Directory (AD) plug-in in Mac OS X v10.3 (Tiger), Apple made a concerted effort to enable IT administrators to integrate Mac OS X clients and servers easily into existing Active Directory infrastructures. While every Active Directory installation is different (especially in the enterprise space), Mac OS X integrates well with the vast majority of them, and with minimum effort.

Whatever combination of Mac, Windows, and Linux systems your organization uses, you no longer need to maintain a separate directory or separate user records to support your OS X systems. Users can move effortlessly between different computers while still adhering to enterprise policies for strong authentication and password-protected access to network resources.

Apple's support for Active Directory within Mac OS X enables Mac clients and servers to integrate smoothly into existing AD environments, and provides the option of deploying a single directory services infrastructure that can support both Windows and Mac clients.

Source: http://www.ciol.com/Developer/Operating-System/Tech-Papers/Integrating-Mac-OS-X-with-Active-Directory/4209115565/0/

Monday, February 2, 2009

Microsoft Active Directory Topology Diagrammer

The Microsoft Active Directory Topology Diagrammer is a really useful tool when documenting Active Directory domains of any size.

With the Active Directory Topology Diagrammer tool, you can read your Active Directory structure through Microsoft ActiveX Data Objects (ADO). The Active Directory Topology Diagrammer tool automates Microsoft Visio to draw a diagram of the Active Directory Domain topology, your Active Directory Site topology, your OU structure or your current Exchange 200X Server Organization.

With the Active Directory Topology Diagrammer tool, you can also draw partial information from your Active Directory, like only one Domain or one site. The objects are linked together, and arranged in a reasonable layout that you can later interactively work with the objects in Microsoft Visio.


The Diagrammer is very flexible and allows the user to include and exclude granular information such as the following:
  • domain(s) (child etc.)
  • Site(s)
  • OUs
  • Administrative Groups
  • Exchange connectors (Routing, SMTP, X.400, Notes etc.)
  • Users in the domain(s)
  • Trusts
  • User Count
  • Global Catalog servers
  • IP and SMTP Site links
  • Subnets
  • Inter/Intra Site Replication Connections
  • Number of Mailboxes
  • Application Partitions
  • Servers and OS version information (with color coding)

Source: http://thebackroomtech.com/2008/01/30/microsoft-active-directory-topology-diagrammer/

Tuesday, January 27, 2009

Active Directory Auditing Tools

Active Directory is a crucial component of just about any Windows-based IT infrastructure, and keeping tabs on who modified AD records, when they were changed, and why they were changed can be a full-time job. Throw in some additional requirements—such as the need to be in compliance with federal and state governance guidelines, from the Sarbanes-Oxley (SOX) Act to the Health Insurance Portability and Accountability Act (HIPAA)—and you have the makings of a headache-inducing task for many IT pros. But help is on the way.

Windows Server 2008 AD Improvements

Microsoft listened to IT pro complaints about AD auditing and implemented several new features in Windows Server 2008 to ease the pain. “Windows 2008 brings various benefits to the table with respect to event management, including a completely changed event-log storage model,” says Guido Grillenmeier, a Microsoft Active Directory Services MVP and a master technologist with HP’s Advanced Technology Group. “It also includes improved native AD auditing, as it allows more granular and more complete auditing of AD changes. For example, it can record the old value and new value of an attribute that was changed.”

Server 2008 breaks auditing into four categories: Access, Changes, Replication, and Detailed Replication. The Changes category improves upon the way AD changes were handled in Windows Server 2003 and Windows 2000, logging deltas of attribute changes, detailing new object creation and movement, and offering a create-event feature that’s triggered when objects are moved to different domains.

Choosing an AD Auditing Solution

Regardless of whether you’re running Server 2008, Windows 2003, or Win2K, an off-the-shelf AD auditing product can help minimize the workload. Determining what level of AD auditing your organization needs is important. Grillenmeier cautions against looking for a silver-bullet solution to AD auditing requirements. “For example, proxy-management solutions … such as AD Self-Service Suite and Ensim Unify … are nice tools to delegate specific management tasks to non-admin users and audit the changes they do to AD with the tool. However, these tools only audit what’s changed by them and can’t audit native changes in AD; they can never create a complete auditing trail.”

Grillenmeier contrasts those AD proxy-management auditing tools with AD auditing tools that gather security and auditing events from event logs on domain controllers, such as Microsoft System Center Operations Manager or HP OpenView, and AD auditing tools that combine native event logs with AD data gathered by agents, such as Quest InTrust and Quest ChangeAuditor.

“Event-log–based may be sufficient for many customers that need to meet specific compliancy requirements,” says Grillenmeier. “It’s mainly a matter of correctly setting up auditing in the directory itself, so that the changes are correctly logged in the event logs. Note that if proxy-management tools are used, you still have to combine the native event data with the data of the proxy tools to figure out which person actually performed a change in AD, since for changes done by the proxy tool the native event logs will only see the service account as the owner of the change.” Grillenmeier says that only products that combine event-log auditing with separate agents that gather AD data are capable of auditing all AD changes.

Don’t Forget the Data

One important yet overlooked aspect of AD auditing is the massive amount of data the auditing process can generate. “For enterprise-scale customers, this easily amounts to many gigabytes per day of auditing data,” Grillenmeier says. “Tools that [have the capability] to efficiently store the auditing data in a compressed format are a critical factor for large companies.” You’ll do well to consider your organization’s auditing needs, the number of AD changes it makes, and how granular those changes are. And you’d be well advised to pay attention to the security, backup, and disaster recovery of AD auditing data, just as you would for other types of data.

Source: http://windowsitpro.com/ActiveDirectory/Article/ArticleID/100828/ActiveDirectory_100828.html

Tuesday, January 20, 2009

Active Directory Domain Services Features in Windows Server 2008

There are a number of new Active Directory Domain Services features in Windows Server 2008. These new features improve auditing, security, and the management of Active Directory Domain Services and show Microsoft's commitment to evolving Active Directory Domain Services. The following is an overview of the new Active Directory Domain Services features that are in Windows Server 2008.

Auditing

Windows Server 2008 introduces significant changes to Active Directory Domain Services auditing. Active Directory Domain Services auditing in Windows Server 2008 is more granular than previous versions and provides you with more control over what is audited.

Active Directory Domain Services auditing is now divided into the following four subcategories:
  • Directory Service Access
  • Directory Service Changes
  • Directory Service Replication
  • Detailed Directory Service Replication
You can disable or enable Active Directory Domain Services auditing at the subcategory level. For each subcategory, you can also configure whether to log successful events, failed events, both successful and failed events, or no auditing.

In Windows Server 2008, the new Directory Service Changes subcategory allows you to log the old value and new value of a changed attribute, in addition to the attribute name.

Windows Server 2008 also provides the ability to exclude the logging of changes to specific attributes by modifying the attribute properties.

The Active Directory Domain Services auditing subcategories are viewed and configured by using the Auditpol.exe command-line tool.
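The practical payoff of the Directory Service Changes subcategory is that a domain controller logs the old and new value of a changed attribute as separate event records that an analyst has to stitch back together. The following added example (it is not code from the article or from Microsoft) shows that reconstruction over a handful of constructed Windows Server 2008 event records: a single-valued attribute replacement arrives as a value-deleted event plus a value-added event sharing one OpCorrelationID, and a group-membership addition arrives as a lone value-added event. The event ID (5136), field names and OperationType codes are the ones Windows uses; the sample objects, DNs, the set of sensitive attributes and the privileged-group list are assumptions chosen for the demonstration.

```python
"""Reconstruct old/new attribute values from Windows Server 2008 Directory
Service Changes events (event ID 5136). These are only logged once the
subcategory is enabled, e.g. with:
    auditpol /set /subcategory:"Directory Service Changes" /success:enable
Added example; the sample events below are constructed."""

# OperationType values as they appear in 5136 EventData (resource-string ids).
VALUE_ADDED = "%%14674"
VALUE_DELETED = "%%14675"

# Constructed sample: the DC logs a replace of a single-valued attribute as a
# value-deleted event plus a value-added event sharing one OpCorrelationID,
# and a group-membership addition as a single value-added event.
SAMPLE_EVENTS = [
    {"EventID": 5136, "OpCorrelationID": "{A1}", "SubjectUserName": "jdoe",
     "ObjectDN": "CN=Alice,OU=Staff,DC=example,DC=com", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "department", "AttributeValue": "Finance",
     "OperationType": VALUE_DELETED},
    {"EventID": 5136, "OpCorrelationID": "{A1}", "SubjectUserName": "jdoe",
     "ObjectDN": "CN=Alice,OU=Staff,DC=example,DC=com", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "department", "AttributeValue": "Audit",
     "OperationType": VALUE_ADDED},
    {"EventID": 5136, "OpCorrelationID": "{B2}", "SubjectUserName": "jdoe",
     "ObjectDN": "CN=Domain Admins,CN=Users,DC=example,DC=com",
     "ObjectClass": "group", "AttributeLDAPDisplayName": "member",
     "AttributeValue": "CN=Alice,OU=Staff,DC=example,DC=com",
     "OperationType": VALUE_ADDED},
    # A Directory Service Access event (4662) carries no attribute values
    # and is skipped by the pairing logic.
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "ObjectDN": "CN=Alice,OU=Staff,DC=example,DC=com"},
]

# Attributes whose modification deserves review regardless of the object
# (an assumed starting list, not an exhaustive one).
SENSITIVE_ATTRIBUTES = {"userAccountControl", "servicePrincipalName",
                        "scriptPath", "msDS-AllowedToDelegateTo", "adminCount"}
# Groups whose membership changes deserve review (constructed DNs).
PRIVILEGED_GROUPS = {"CN=Domain Admins,CN=Users,DC=example,DC=com",
                     "CN=Enterprise Admins,CN=Users,DC=example,DC=com"}


def pair_changes(events):
    """Collapse 5136 value-deleted / value-added events into change records.

    Events are grouped by (OpCorrelationID, ObjectDN, attribute); deleted values
    become 'old', added values become 'new'. A multi-valued attribute that only
    gained a value therefore shows old == [] and new == [value]."""
    groups = {}
    for ev in events:
        if ev.get("EventID") != 5136:
            continue
        key = (ev["OpCorrelationID"], ev["ObjectDN"],
               ev["AttributeLDAPDisplayName"])
        rec = groups.setdefault(key, {
            "actor": ev["SubjectUserName"],
            "object": ev["ObjectDN"],
            "object_class": ev["ObjectClass"],
            "attribute": ev["AttributeLDAPDisplayName"],
            "old": [],
            "new": [],
        })
        if ev["OperationType"] == VALUE_DELETED:
            rec["old"].append(ev["AttributeValue"])
        elif ev["OperationType"] == VALUE_ADDED:
            rec["new"].append(ev["AttributeValue"])
    return list(groups.values())


def flag_sensitive(changes, privileged_groups=PRIVILEGED_GROUPS):
    """Return the change records an analyst should look at first."""
    hits = []
    for change in changes:
        if change["attribute"] in SENSITIVE_ATTRIBUTES:
            hits.append(change)
        elif change["attribute"] == "member" and change["object"] in privileged_groups:
            hits.append(change)
    return hits


if __name__ == "__main__":
    for change in pair_changes(SAMPLE_EVENTS):
        print(f"{change['actor']} changed {change['attribute']} on "
              f"{change['object']}: {change['old']} -> {change['new']}")
```

The grouping key deliberately includes the attribute name as well as the correlation ID, because one LDAP modify operation can touch several attributes under a single OpCorrelationID; grouping on the ID alone would merge them. Note the caveat from the previous article: when changes are made through a proxy-management tool, SubjectUserName holds the tool's service account, so the actor field here identifies the real person only for native changes.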

Fine-Grained Password Policies

Windows Server 2008 introduces the ability to create multiple password policies in a single domain, which is another first for Active Directory Domain Services. The introduction of fine-grained password policies in Windows Server 2008 allows organizations to create and manage multiple password policies and account lockout policies to meet diverse security requirements.

You can configure the same password policy and account lockout settings in a fine-grained password policy as you can at the domain level. Fine-grained password policies can be linked to users and to global groups. Because a user can be covered by multiple fine-grained password policies, a precedence setting has been included to give you more granular control over which one wins.

Fine-grained password policies are configured by using the ADSI Edit snap-in.
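Because a user can be linked to several policies at once, the precedence setting is what actually decides which policy is enforced, and it is easy to misjudge. The following added example (not code from the article or from Microsoft) models the rules Windows Server 2008 applies when it computes a user's resultant policy: a policy linked directly to the user beats any policy inherited through a group regardless of precedence value, the lowest precedence value wins among the remaining candidates, and an exact tie is broken by the mathematically smallest objectGUID. The policy names, DNs and GUIDs are constructed, and the user's group membership is taken as an input supplied by the caller rather than resolved from the directory.

```python
"""Resolve which fine-grained password policy (PSO) wins for a user, following
the precedence rules Windows Server 2008 applies when computing the user's
msDS-ResultantPSO. Added example; the PSOs and DNs below are constructed."""
import uuid
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordSettingsObject:
    name: str
    precedence: int         # msDS-PasswordSettingsPrecedence: lower value wins
    applies_to: frozenset   # msDS-PSOAppliesTo: DNs of users or global security groups
    guid: uuid.UUID         # objectGUID: final tie-breaker, smaller value wins


def resultant_pso(user_dn, group_dns, psos):
    """Return the PSO that applies to user_dn, or None when the domain's default
    password policy applies.

    Rule 1: a PSO linked directly to the user beats any PSO linked via a group.
    Rule 2: among the candidates, the lowest precedence value wins.
    Rule 3: equal precedence is broken by the mathematically smallest objectGUID.
    group_dns is the user's resolved group membership, supplied by the caller."""
    direct = [p for p in psos if user_dn in p.applies_to]
    via_group = [p for p in psos if p.applies_to & frozenset(group_dns)]
    candidates = direct or via_group
    if not candidates:
        return None
    return min(candidates, key=lambda p: (p.precedence, p.guid.int))


def precedence_collisions(psos):
    """Precedence values shared by more than one PSO. Such ties are resolved
    by GUID, which is deterministic but not something an administrator chose,
    so they are worth reporting."""
    counts = Counter(p.precedence for p in psos)
    return {value for value, n in counts.items() if n > 1}


# Constructed example policies. Two of them deliberately share precedence 10.
PSO_ADMINS = PasswordSettingsObject(
    "PSO-Admins", 10,
    frozenset({"CN=Domain Admins,CN=Users,DC=example,DC=com"}),
    uuid.UUID("00000000-0000-0000-0000-000000000002"))
PSO_SERVICE = PasswordSettingsObject(
    "PSO-ServiceAccounts", 10,
    frozenset({"CN=Service Accounts,OU=Groups,DC=example,DC=com"}),
    uuid.UUID("00000000-0000-0000-0000-000000000001"))
PSO_EXCEPTION = PasswordSettingsObject(
    "PSO-Exception", 50,
    frozenset({"CN=Alice,OU=Staff,DC=example,DC=com"}),
    uuid.UUID("00000000-0000-0000-0000-000000000003"))
ALL_PSOS = [PSO_ADMINS, PSO_SERVICE, PSO_EXCEPTION]


if __name__ == "__main__":
    groups = ["CN=Domain Admins,CN=Users,DC=example,DC=com",
              "CN=Service Accounts,OU=Groups,DC=example,DC=com"]
    winner = resultant_pso("CN=Alice,OU=Staff,DC=example,DC=com", groups, ALL_PSOS)
    print("Alice gets", winner.name)            # the directly linked PSO-Exception
    print("shared precedence values:", precedence_collisions(ALL_PSOS))
```

The example is worth reading for its failure mode: PSO-Exception has the weakest precedence value of the three, yet it wins for Alice because it is linked to her directly, which is exactly the case where an exception policy quietly overrides a stricter group policy. On a real domain the directory reports the outcome in the user's msDS-ResultantPSO attribute, so the function's answer can be checked against the domain controller's.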

Read-Only Domain Controllers

Microsoft has implemented a number of mitigating measures to ensure that a compromised RODC does not impact the rest of your Active Directory Domain Services environment. These measures include the following:
  • Read-only database
  • Unidirectional replication
  • Credential caching
  • Administrator role separation
  • Read-only Domain Name System (DNS)

Restartable Active Directory Domain Services

Windows Server 2008 now runs Active Directory Domain Services as a true service, which allows you to stop, start, and restart it without having to restart the operating system.

In Windows 2000 Server and Windows Server 2003, the operating system on a domain controller had to be restarted in Directory Services Restore Mode for most maintenance and recovery. However, Windows Server 2008 now provides the ability to start, stop, and restart the Domain Controller service.

The domain controller service can be manipulated by using the Services snap-in or the Computer Management snap-in.

Database Mounting Tool

Windows Server 2008 includes a new ability to take snapshots of an Active Directory Domain Services database and mount them with a new database mounting tool.

The database mounting tool allows you to view an Active Directory Domain Services object's previous state. You can then compare the object's previous state to the object in production. This is particularly useful if you know that an object's attributes were changed, but do not know what the previous values of the attributes were.

User Interface Improvements

A number of user interface improvements have been made in Windows Server 2008. The following is a list of some of the most noteworthy interface changes in Windows Server 2008:
  • New installation options for domain controllers.
  • A more streamlined and simplified installation process.
  • Improvements to the Active Directory Users and Computers console.
  • A built-in Attribute Editor, which is accessible on the properties page of each object in the Active Directory Domain Services management tools.

Owner Rights

Windows Server 2008 now provides the ability to limit the default permissions that the owner of an object is given. In previous versions of Windows, the owner of an object was given the ability to read and change permissions on the object, which was more than they required in most cases. This new functionality in Windows Server 2008 also applies to Active Directory Domain Services objects.

Source: http://www.enterpriseitplanet.com/networking/features/article.php/3796561

Thursday, January 15, 2009

How do I install Active Directory on my Windows 2000 Server?

You can configure your server as a Domain Controller manually, but if you don't have the time, skill, brains or will to do it manually, it can still be done with just a few mouse clicks.

Dynamic Host Configuration Protocol (DHCP), Domain Name Service (DNS), and DCPROMO can be run by using the Windows 2000 Configure Your Server Wizard.

Even though it's all done automatically, you still need the following:
  • A NIC
  • The TCP/IP protocol
  • An NTFS partition with enough free space
  • A network connection (to a hub or to another computer via a crossover cable).
  • An Administrator's username and password
  • The Windows 2000 Server (or Advanced Server) CD media (or at least the i386 folder)
This article assumes that all of the above requirements are fulfilled. See my Active Directory Installation Requirements page for more info.

Note: This article does NOT assume you have a working brain, or that you can use it correctly. If you think you really want to know how this thing works, please read the How to Install Active Directory on W2K page instead...

To configure your server as a Domain Controller
  1. Press Ctrl-Alt-Del and log on to the server as administrator. Leave the password blank.
  2. When the Windows 2000 Configure Your Server page appears, select This is the only server in my network and click Next.
  3. Click Next to configure the server as a domain controller and set up Active Directory, DHCP, and DNS.
  4. On the What do you want to name your domain page, type dpetri (this is only an example).
  5. In the Domain name box, type com (again, this is only an example). Click on the screen outside of the textbox to see the Preview of the Active Directory domain name. Click Next
  6. Click Next to run the wizard. When prompted, insert the Windows 2000 Server CD-ROM. When the wizard is finished, the machine reboots.
  7. The Configure Your Server Wizard installs DNS and DHCP and configures DNS, DHCP, and Active Directory. The default values set by the wizard are:
  • DHCP Scope: 10.0.0.3-10.0.0.254
  • Preferred DNS Server: 127.0.0.1
  • IP address: 10.10.1.1
  • Subnet mask: 255.0.0.0
Source: http://www.petri.co.il/how_to_install_active_directory_on_w2k_for_lamers.htm


Tuesday, January 6, 2009

Win Server 2008 Directory Services, Active Directory Snapshots

Snapshots represent the differences between a volume's current content and its state at the moment of their creation. Although the size of a snapshot ultimately depends on how dynamic the environment is and how long you decide to keep it active, snapshots are by their nature typically small and can be created in a matter of seconds. To provide meaningful information, they must be paired with the volume from which they originated. In addition, since they are based on the copy-on-write principle, they result in an increased number of disk I/O operations, which might have a negative impact on overall performance. It is also important to realize that snapshots cannot be used for a direct restore of Active Directory objects. Their main appeal comes from the ability to easily generate and view Active Directory state at arbitrarily chosen intervals. In effect, they offer a convenient way to determine when a particular object was modified. This helps you identify the backup set most suitable for the restore and delivers extra auditing and change-tracking benefits. For the same reason, they significantly simplify extracting any pertinent historical information, which can subsequently be imported into an object recovered via tombstone reanimation or used to reverse undesired modifications.

Snapshots are generated using the ntdsutil command line utility, launched either directly from the console or from a Terminal Services session on a Windows Server 2008-based domain controller. Once you are at the ntdsutil: prompt, type Activate Instance NTDS (you also have the option of pointing to an AD LDS instance by specifying its name instead of NTDS). Next, switch to the snapshot context by typing snapshot, followed by the create command. Shortly thereafter you should receive a notification stating that the snapshot set has been generated successfully; the message includes its unique GUID. To confirm, you can execute list all from within the same context, which provides a listing of all active snapshots (including the date and time they were created). Note that the same can be accomplished by running the following from the command prompt, which comes in handy when automating snapshot generation as a scheduled task:

ntdsutil "Activate Instance NTDS" snapshot create quit quit

An active snapshot must be mounted before you can access it via DSAMAIN.EXE. This is done by invoking the mount command followed by either the integer assigned to each snapshot (which can be determined by running list all) or its GUID, resulting in the creation of a junction point whose name is generated by concatenating the word $SNAP, the date and time (in 24-hour format) when the snapshot was generated, and the target volume (e.g., $SNAP_200808082008_VOLUMEC$). That junction point determines the full path to the Active Directory NTDS.DIT file within the snapshot (as we explained in our previous article), which becomes $SNAP_200808082008_VOLUMEC$\Windows\NTDS\NTDS.DIT, assuming default placement of database and log files; this path is passed to the -dbpath switch when running the Database Mounting Tool.

After you finish browsing through the mounted NTDS instance and terminate DSAMAIN.EXE, unmount the snapshot by calling the unmount command followed, as before, by either its integer identifier or its GUID. Removal of snapshots that are no longer needed can be accomplished with the delete command. For a full overview of the snapshot syntax, refer to the Windows Server 2008 Technical Library.

Third-Party Offerings

Although snapshots significantly simplify handling unintended deletions or modifications of Active Directory objects (for the reasons we described earlier), the actual recovery still requires multiple steps, which might include rather involved tombstone reanimation and restoring its attributes. Fortunately, a variety of free third-party offerings can further streamline the restore process. Some of the more notable ones are listed below.

* Snapshot Recovery Tool from 1Identity - available as a free download containing the command line-based oirecmgr.exe utility, it provides the ability to recover an object and restore its attributes from an LDAP instance loaded via the Database Mounting Tool to an arbitrary Windows Server 2008 domain controller. It is also capable of reanimating tombstones in both Windows Server 2003 and 2008 Active Directory environments. Note, however, that this option precludes simultaneous attribute recovery.

Although it has a dependency on .NET Framework 2.0, it can be executed remotely from a system running Windows XP Professional or Vista. Its command line syntax allows you to restore an arbitrary number of objects, either by specifying their GUIDs via multiple -o switches or by storing them in a text file whose name is assigned to the -of switch, as well as their attributes (in a comma-separated format). For example, the following command (executed directly from the console of the domain controller USDC-NYC001) would reanimate the deleted user object with GUID 7abadaba-daba-d000-0d15-c015dead and restore its attributes, populating both forward and back links (such as the user's group membership) by extracting the relevant information from an Active Directory snapshot accessible via port 33389. Reanimating tombstoned user accounts does not reinstate their passwords, which will need to be reset before you enable the accounts, since by default they are disabled following the restore:

oirecmgr.exe -o 7abadaba-daba-d000-0d15-c015dead -sh USDC-NYC001:33389 -ol -real

* Directory Service Comparison Tool is supposed to provide similar functionality but via a graphical interface in the form of a Microsoft Management Console snap-in, which becomes available once you install the freely downloadable setup program. This is available in both x86 and x64 versions. To configure it, select the Datasource Settings... entry from the context-sensitive menu of its node in the tree pane. In the resulting Datasource Settings dialog box, specify the name of a target domain controller and a server hosting a snapshot (or another VSS-compliant restore) mounted using DSAMAIN.EXE, along with their LDAP ports, as well as the naming context you intend to compare. The pane window of the console is divided into three tabs, intended for the list of modifications, additions and deletions (respectively) that took place since the DSAMAIN-mounted LDAP directory store was created. Unfortunately, the tool's functionality is somewhat limited (at least as far as snapshots are concerned), due to a bug affecting the highestCommittedUSN value recorded in Active Directory snapshots. Like the Snapshot Recovery Tool, this utility relies on .NET Framework 2.0 being installed, in addition to MMC 3.0, and can be installed on a remote Windows XP Professional or Vista system.

* Active Directory Explorer from the Sysinternals team occupies a distinct position in this list since it provides its own capability to create snapshots, independent of the one introduced in Windows Server 2008 and supported on all versions of Active Directory. Snapshot content can be derived from an online Active Directory environment by connecting to one of its domain controllers, or from a restored backup or VSS-compatible snapshot mounted using the DSAMAIN.EXE utility. In addition, it is possible to store snapshots for offline viewing in an arbitrary location. The intuitive graphical interface of AD Explorer simplifies browsing their content and includes search and comparison features.
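The comparison that the Database Mounting Tool enables (the "previous state versus production" check described in the Windows Server 2008 features article above) and that the Directory Service Comparison Tool presents as three tabs is simple enough to reproduce from two LDAP exports. The following added example (not code from the article or from any of the tools it lists) parses two constructed LDIF exports, one taken from a DSAMAIN-mounted snapshot and one from the live domain, and classifies entries as added, deleted or modified with the old and new values of each changed attribute. The LDIF parsing handles base64 values and folded lines as the LDIF format defines them; the object names, the attribute values, the list of volatile attributes to ignore, and the suggested ldifde invocation in the docstring (which assumes the article's host name USDC-NYC001 and port 33389) are assumptions for the demonstration.

```python
"""Compare an LDIF export taken from a mounted Active Directory snapshot with
one taken from the live domain, classifying entries as added, deleted or
modified. Added example; both LDIF samples are constructed. Real exports
would come from ldifde, for instance (assumed host and port):
    ldifde -f snap.ldf -s USDC-NYC001 -t 33389 -d "DC=example,DC=com"
against the DSAMAIN-mounted snapshot, and the same command without -t
against a production domain controller."""
import base64

# Attributes that differ between any two exports without meaning anything.
VOLATILE_ATTRIBUTES = {"whenChanged", "uSNChanged", "uSNCreated",
                       "dSCorePropagationData"}

# Constructed snapshot export: Alice in Finance, Bob present, one admin.
SNAPSHOT_LDIF = """\
dn: CN=Alice,OU=Staff,DC=example,DC=com
objectClass: user
department: Finance
description:: RmluYW5jZSBhbmFseXN0
uSNChanged: 1001

dn: CN=Bob,OU=Staff,DC=example,DC=com
objectClass: user
department: Finance
uSNChanged: 1002

dn: CN=Domain Admins,CN=Users,DC=example,DC=com
objectClass: group
member: CN=Administrator,CN=Users,DC=example,DC=com
uSNChanged: 1003
"""

# Constructed production export: Alice moved, Bob gone, Carol new, Alice an admin.
PRODUCTION_LDIF = """\
dn: CN=Alice,OU=Staff,DC=example,DC=com
objectClass: user
department: Audit
description:: RmluYW5jZSBhbmFseXN0
uSNChanged: 2001

dn: CN=Carol,OU=Staff,DC=example,DC=com
objectClass: user
department: Audit
uSNChanged: 2002

dn: CN=Domain Admins,CN=Users,DC=example,DC=com
objectClass: group
member: CN=Administrator,CN=Users,DC=example,DC=com
member: CN=Alice,OU=Staff,DC=example,DC=com
uSNChanged: 2003
"""


def parse_ldif(text):
    """Parse a minimal LDIF export into {dn: {attribute: sorted values}}."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # LDIF line folding
        else:
            logical.append(raw)
    entries, current, dn = {}, {}, None
    for line in logical + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = {k: sorted(v) for k, v in current.items()}
            current, dn = {}, None
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if key == "dn":
            dn = value
        elif key != "changetype":
            current.setdefault(key, []).append(value)
    return entries


def compare_directories(snapshot, production, ignore=VOLATILE_ATTRIBUTES):
    """Classify production entries relative to the snapshot.

    Returns {"added": [dn], "deleted": [dn], "modified": {dn: {attr: (old, new)}}}."""
    added = sorted(set(production) - set(snapshot))
    deleted = sorted(set(snapshot) - set(production))
    modified = {}
    for dn in sorted(set(snapshot) & set(production)):
        old, new = snapshot[dn], production[dn]
        diffs = {}
        for attr in sorted((set(old) | set(new)) - set(ignore)):
            if old.get(attr) != new.get(attr):
                diffs[attr] = (old.get(attr), new.get(attr))
        if diffs:
            modified[dn] = diffs
    return {"added": added, "deleted": deleted, "modified": modified}


def compare_ldif(snapshot_text, production_text):
    return compare_directories(parse_ldif(snapshot_text), parse_ldif(production_text))


if __name__ == "__main__":
    result = compare_ldif(SNAPSHOT_LDIF, PRODUCTION_LDIF)
    for dn in result["deleted"]:
        print("deleted since snapshot:", dn)
    for dn, diffs in result["modified"].items():
        for attr, (old, new) in diffs.items():
            print(f"modified {dn} {attr}: {old} -> {new}")
```

The "deleted" list is the one that matters for the recovery scenario the article describes: it tells you which objects disappeared between the snapshot and now, and the snapshot side of the "modified" entries gives you the attribute values to feed back into an object after tombstone reanimation. Values are compared as sorted lists so that multi-valued attributes such as member compare equal regardless of the order the server returned them.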

Source: http://www.serverwatch.com/tutorials/article.php/3794191