Wednesday, June 24, 2009

How To Create an Active Directory Server in Windows Server 2003

After you have installed Windows Server 2003 on a stand-alone server, run the Active Directory Wizard to create the new Active Directory forest or domain, and then convert the Windows Server 2003 computer into the first domain controller in the forest. To convert a Windows Server 2003 computer into the first domain controller in the forest, follow these steps:

1. Insert the Windows Server 2003 CD-ROM into your computer's CD-ROM or DVD-ROM drive.
2. Click Start, click Run, and then type dcpromo.
3. Click OK to start the Active Directory Installation Wizard, and then click Next.
4. Click Domain controller for a new domain, and then click Next.
5. Click Domain in a new forest, and then click Next.
6. Specify the full DNS name for the new domain. Note that because this procedure is for a laboratory environment and you are not integrating this environment into your existing DNS infrastructure, you can use something generic, such as mycompany.local, for this setting. Click Next.
7. Accept the default domain NetBIOS name (this is "mycompany" if you used the suggestion in step 6). Click Next.
8. Set the database and log file location to the default setting of the c:\winnt\ntds folder, and then click Next.
9. Set the Sysvol folder location to the default setting of the c:\winnt\sysvol folder, and then click Next.
10. Click Install and configure the DNS server on this computer, and then click Next.
11. Click Permissions compatible only with Windows 2000 or Windows Server 2003 servers or operating systems, and then click Next.
12. Because this is a laboratory environment, leave the password for the Directory Services Restore Mode Administrator blank. Note that in a full production environment, this password must be set to a strong password. Click Next.
13. Review and confirm the options that you selected, and then click Next.
14. The installation of Active Directory proceeds. Note that this operation may take several minutes.
15. When you are prompted, restart the computer. After the computer restarts, confirm that the Domain Name System (DNS) service location records for the new domain controller have been created. To confirm that the DNS service location records have been created, follow these steps:

1. Click Start, point to Administrative Tools, and then click DNS to start the DNS Administrator Console.
2. Expand the server name, expand Forward Lookup Zones, and then expand the domain.
3. Verify that the _msdcs, _sites, _tcp, and _udp folders are present. These folders and the service location records they contain are critical to Active Directory and Windows Server 2003 operations.
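The console check in the last step can also be scripted. The following is an added example, not part of the original post: it queries the SRV records a domain controller registers in the _msdcs, _sites, _tcp and _udp folders and reports any that are missing. It assumes the DnsClient module (Windows 8 / Server 2012 or later) on the machine running it; $Domain is the name chosen in step 6 and $DnsServer is a placeholder for the new domain controller's IP address.

```powershell
# Added example (not from the original post): check that the new domain controller
# registered its DNS service location (SRV) records after the dcpromo restart.
# Assumes the DnsClient module (Windows 8 / Server 2012 or later) on the machine
# running the check; $Domain is the name chosen in step 6 and $DnsServer is a
# placeholder for the IP address of the new domain controller.
param(
    [string]$Domain    = 'mycompany.local',
    [string]$DnsServer = '192.0.2.10'
)

# Records that live in the _msdcs, _sites, _tcp and _udp folders in the DNS console.
$records = @(
    "_ldap._tcp.$Domain",                                # LDAP on any DC   (_tcp)
    "_kerberos._tcp.$Domain",                            # Kerberos KDC     (_tcp)
    "_kpasswd._tcp.$Domain",                             # Kerberos kpasswd (_tcp)
    "_kerberos._udp.$Domain",                            # Kerberos KDC     (_udp)
    "_kpasswd._udp.$Domain",                             # Kerberos kpasswd (_udp)
    "_ldap._tcp.dc._msdcs.$Domain",                      # all DCs          (_msdcs)
    "_ldap._tcp.pdc._msdcs.$Domain",                     # PDC emulator     (_msdcs)
    "_ldap._tcp.gc._msdcs.$Domain",                      # global catalog   (_msdcs)
    "_ldap._tcp.Default-First-Site-Name._sites.$Domain"  # site-scoped LDAP (_sites)
)

$missing = @()
foreach ($name in $records) {
    try {
        $srv = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
    } catch {
        $srv = $null
    }
    if (-not $srv) {
        $missing += $name
        continue
    }
    foreach ($r in $srv) {
        '{0,-52} -> {1}:{2} (priority {3}, weight {4})' -f $name, $r.NameTarget, $r.Port, $r.Priority, $r.Weight
    }
}

if ($missing) {
    Write-Warning ("SRV records not found:`n  " + ($missing -join "`n  "))
    Write-Warning 'Restart the Netlogon service on the domain controller to re-register them, then run this check again.'
} else {
    'All expected SRV records for {0} are present on {1}.' -f $Domain, $DnsServer
}
```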

Source

Wednesday, June 17, 2009

How do I undelete an object from the Active Directory Recycle Bin?

Source: Windowsitpro

Once you've enabled the recycle bin, you can undelete objects that were deleted after the recycle bin was enabled within the deleted object lifetime. You view the objects that are in the deleted and recycled states using the steps outlined in the previous FAQ.

To restore an object in the deleted state (isDeleted TRUE), simply pass the deleted object to the Restore-ADObject cmdlet. The easiest way to pass the object is to use the Get-ADObject cmdlet and pass the -IncludeDeletedObjects switch.

For example, if I know the displayName of an object is Dick Grayson, I would use the following command:

PS C:\Users\savadmin> Get-ADObject -Filter {displayName -eq "Dick Grayson"} -IncludeDeletedObjects | Restore-ADObject

As you can see below, I actually use Get-ADObject first just to view the object. I can see its Deleted attribute is True. I then pass the object to Restore-ADObject to undelete it. After that I viewed the object again, and the Deleted attribute was blank, showing that it has been restored. In this example, the object name was AFRBEnabled (After Recycle Bin Enabled).
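A fuller version of the same restore, as an added example that is not part of the article: it finds every object in the deleted state whose last known parent was a given OU, restores them, and then re-reads each one to confirm the Deleted flag is gone. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later), that the Recycle Bin has been enabled, and that $Parent is a placeholder for the OU the objects lived in.

```powershell
# Added example (not from the article): list the objects in the deleted state that
# came from one OU, restore them with Restore-ADObject, and verify the result.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 or later), that the
# Recycle Bin is enabled, and that $Parent is a placeholder for the OU the objects
# lived in before deletion.
Import-Module ActiveDirectory

$Parent = 'OU=Sales,DC=mycompany,DC=local'

# Deleted (not yet recycled) objects keep isDeleted = TRUE plus lastKnownParent,
# so filtering on both finds only the tombstones that used to live under $Parent.
# -IncludeDeletedObjects makes the Deleted Objects container searchable at all.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and lastKnownParent -eq $Parent } `
                        -IncludeDeletedObjects `
                        -Properties isDeleted, lastKnownParent, whenChanged

if (-not $deleted) {
    'No deleted objects with last known parent {0}.' -f $Parent
    return
}

foreach ($obj in $deleted) {
    # The name carries a "\0ADEL:<guid>" suffix while the object is deleted.
    '{0,-10} {1}  (deleted, last changed {2})' -f $obj.ObjectClass, $obj.Name, $obj.whenChanged
}

# Restore; -PassThru returns the live objects so they can be checked afterwards.
$restored = $deleted | Restore-ADObject -PassThru

foreach ($obj in $restored) {
    # Re-read the object by GUID: Deleted should now be blank and the DN back under $Parent.
    $check = Get-ADObject -Identity $obj.ObjectGUID -Properties isDeleted
    if (-not $check.isDeleted -and $check.DistinguishedName -like "*,$Parent") {
        'Restored: {0}' -f $check.DistinguishedName
    } else {
        Write-Warning ('{0} was not restored to {1} as expected' -f $obj.Name, $Parent)
    }
}
```

Restore-ADObject puts an object back under its lastKnownParent, so the OU must still exist (or be restored first) for the check at the end to pass.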

Wednesday, June 10, 2009

Active Directory Vulnerabilities In Microsoft Windows

These vulnerabilities need to be taken seriously because, if they are exploited, a DoS attack may result.

The two vulnerabilities located in Microsoft Windows are:

  1. A memory leak in the Active Directory LDAP service. It could be exploited to hang an affected system via specially crafted LDAP or LDAPS requests that contain specific OID filters.
  2. An error in the Active Directory LDAP service which, if exploited, may trigger invalid memory access and allow attackers to execute arbitrary code. The arbitrary code execution is triggered via specially crafted LDAP or LDAPS requests.

An attacker with the necessary skills would be able to take complete control of a compromised system. He would also be able to view, change, create or delete whatever he wishes.

These vulnerabilities were reported in implementations of Active Directory on the Microsoft Windows 2000 Server, Windows Server 2003 as well as the Active Directory Application Mode (ADAM), when it is installed on Windows XP Professional as well as Windows Server 2003.

The affected operating systems:
Microsoft Windows XP Professional
Microsoft Windows Storage Server 2003
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows 2000 Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server

The impact of these vulnerabilities may include unauthorized system access as well as DoS attacks. All Windows users will be pleased to know that these vulnerabilities only affect Microsoft Windows 2000 Server systems. This vulnerability has been rated as moderately critical. The solution to this problem is for all users to apply the relevant updates immediately with the use of update management software or the Microsoft Update service.

Source: http://www.pc1news.com/news/0717/active-directory-vulnerabilities-in-microsoft-windows.html#msg

Thursday, June 4, 2009

How to Manage Object Properties In Active Directory

Instructions:
  • Step 1: Open the Active Directory Users And Computers tool.
  • Step 2: Expand the name of the domain, and select the RD container. Right-click an admin user account, for example John Q. Admin, and select Properties.
  • Step 3: Here, you will see the various Properties tabs for the user account. Make some configuration changes based on your personal preferences. Click OK to continue.
  • Step 4: Select the HR Organizational Unit, for example. Right-click the All Users group, and click Properties. In the All Users Properties dialog box, you will be able to modify the membership of the group.
  • Click the Members tab, and then click Add. Add the Monica D. President and John Q. Admin user accounts, for example, to the group. Click OK to save the settings and then OK to accept the group modifications.
  • Step 5: Select the Sales Organizational Unit. Right-click the Workstation1 computer object. Notice that you can choose to disable the account or reset it (to allow another computer to join the domain under the same name). From the right-click menu, choose Properties. You'll see the properties for the computer object.
    Examine the various options and make changes based on your personal preference. After you have examined the available options, click the OK button.
  • Step 6: Select the Corporate Organizational Unit. Right-click the Monica D. President user account, and choose Reset Password. You will be prompted to enter a new password and then asked to confirm it. Note that you can also force the user to change this password upon the next logon.
  • Step 7: Close the Active Directory Users And Computers tool and this lesson is complete.
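The same changes made from PowerShell, as an added example that is not part of the eHow lesson: it edits the admin account's properties, adds the two users to the All Users group, disables the Workstation1 computer object and resets a user's password with a change required at next logon. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later); the OU and object names follow the lesson, while the sAMAccountNames 'jqadmin' and 'mpresident' and the domain DN are placeholders assumed to exist.

```powershell
# Added example (not from the eHow lesson): the same changes as steps 2 to 6, made with
# the ActiveDirectory module (Windows Server 2008 R2 or later) instead of the console.
# The OU and object names follow the lesson; the sAMAccountNames 'jqadmin' and
# 'mpresident' and the domain DN are placeholders assumed to exist.
Import-Module ActiveDirectory

$DomainDN = 'DC=mycompany,DC=local'

# Steps 2/3: read the admin account's current properties, then change two of them.
$admin = Get-ADUser -Identity 'jqadmin' -Properties Description, Department
'{0}: description="{1}" department="{2}"' -f $admin.SamAccountName, $admin.Description, $admin.Department
Set-ADUser -Identity $admin -Department 'RD' -Description 'Domain administrator'

# Step 4: add the two user accounts to the All Users group in the HR OU, then list the members.
$group = Get-ADGroup -Identity "CN=All Users,OU=HR,$DomainDN"
Add-ADGroupMember -Identity $group -Members 'mpresident', 'jqadmin'
'Members of {0}:' -f $group.Name
Get-ADGroupMember -Identity $group | ForEach-Object { '  ' + $_.SamAccountName }

# Step 5: disable the Workstation1 computer object and show the result. To reset the
# account instead, so another machine can join under the same name, use the console's
# Reset Account or, from a prompt: dsmod computer "$($ws.DistinguishedName)" -reset
$ws = Get-ADComputer -Identity 'Workstation1'
Disable-ADAccount -Identity $ws
'{0} enabled: {1}' -f $ws.Name, (Get-ADComputer -Identity $ws).Enabled

# Step 6: reset Monica D. President's password and require a change at the next logon.
$newPassword = Read-Host -Prompt 'New password for mpresident' -AsSecureString
Set-ADAccountPassword -Identity 'mpresident' -Reset -NewPassword $newPassword
Set-ADUser -Identity 'mpresident' -ChangePasswordAtLogon $true
```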

Source: Ehow