Category: networking

Active Directory Sites and Services Tutorial 2k8 R2

Active Directory Sites and Services lets you create a logical outline of your physical sites and the links between them, much as Active Directory Users and Computers lets you create a logical structure for your user and computer objects. Sites and Services also lets you map and control Active Directory replication, which is great for replicating to sites that are not as well connected as others. This allows you to design Active Directory around physical boundaries and challenges such as a slow WAN link to a branch office or even {shudder} a dial-up link that is only connected irregularly.

By default, when you create a new root forest, a site is created within Sites and Services (helpfully named DEFAULTFIRSTSITE) and all domain controllers are added to that default first site. To take advantage of the features of Sites and Services you will need to create three different types of object: subnets, inter-site transport links, and sites. Sites are the objects for physical locations, so for example if you had three locations, London, Paris and the Isle of Wight, each would be represented by a site. Inter-site transport links are objects that define how sites link to each other, so if London and Paris had a dedicated pipe between them that would be a site link, and if the Isle of Wight had a dial-up connection then that would also be a site link. Subnet objects define which subnets a site uses, which allows client computers to interrogate DNS to find out which site they are in and therefore contact the local domain controller or any other service that is Sites and Services aware.

To start configuring Sites and Services it's always a good idea to change the name of DEFAULTFIRSTSITE to something meaningful, for example CorporateHQ. Also rename DEFAULTIPSITELINK, which at the moment has no use until you create an additional site. Another cool thing whilst we are talking about links is that you can choose one of two different protocols when configuring the link: IP or SMTP. Yep, I said SMTP, the protocol mostly used for mail transport. I'll explain more on that later.

If you have more than one site link, as we do in our example, you will need to create the links first that will bind the sites together (remember that links are representations of physical links such as WAN connections or slower technologies such as dial-up). To create a site link you will need to decide which protocol is best for the link you would like to create: you would use IP for an always-up connection such as a site-to-site VPN or better. Because SMTP is good at queueing data and sending it when the link is available, you would use SMTP for links that are not always up, such as dial-up links or slow and unreliable connections to remote offices. I'll explain more in later blog posts. Right-click on the link protocol folder that you wish to use for the connection and select New Site Link. At the moment you will get a warning message about only having one site configured, which obviously causes problems for site links as they have nothing to link to; for now you can safely ignore this message and click OK. Give your link a name and click OK.

Now, to create your first additional site, right-click on the Sites container and click New Site. Choose a name for the site (something short but meaningful) and click Next, then select the site link that you would like to use to connect the site with. You will then get a final message saying you need to take additional steps to correctly configure Sites and Services for replication.

Once you have created a site it's time to start populating it with configurable options. One thing that underpins a lot of what Sites and Services is about is the subnet configuration. By identifying which subnet a site uses, you enable clients local to that site to find and use their local domain controller(s) or any other service that is Sites and Services aware. Also, when you create and promote other DCs they will automatically add themselves to the correct site based upon their own IP address. To create a new subnet all you need to do is right-click on the Subnets container and select New Subnet, then enter the subnet details into the box and select the pre-created site that it should be associated with. So for example if our Paris site uses 10.0.0.x as its address range you would enter 10.0.0.0/24 into the prefix box and then select the Paris container.
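The same rename / site link / site / subnet sequence, scripted, as an added example that is not part of the original post. It assumes the ActiveDirectory PowerShell module from RSAT for Windows Server 2012 or later (the *-ADReplication* cmdlets are not in the 2008 R2 module, so on a 2008 R2 estate you would run this from a newer management workstation or use the GUI as described above). The site name Paris, the link name HQ-Paris-WAN, the subnet 10.0.0.0/24 and the cost and interval values are made up for the example.

```powershell
# Added example (not the post's own steps): build the site topology with the
# ActiveDirectory module. Assumes RSAT AD module from Server 2012 or later.
Import-Module ActiveDirectory

# 1. Rename the defaults so the topology reads sensibly later.
#    'Default-First-Site-Name' is the real default site name (the post calls it DEFAULTFIRSTSITE).
Get-ADReplicationSite -Identity 'Default-First-Site-Name' |
    Rename-ADObject -NewName 'CorporateHQ'
Get-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' |
    Rename-ADObject -NewName 'HQ-Paris-WAN'        # hypothetical link name

# 2. Create the additional site and add it to the (IP) link.
New-ADReplicationSite -Name 'Paris'                # hypothetical site name
Set-ADReplicationSiteLink -Identity 'HQ-Paris-WAN' `
    -SitesIncluded @{Add = 'Paris'} `
    -Cost 100 -ReplicationFrequencyInMinutes 30    # example values only

# 3. Map the subnet so clients (and newly promoted DCs) land in the right site.
New-ADReplicationSubnet -Name '10.0.0.0/24' -Site 'Paris' -Location 'Paris office'

# Checks a practitioner wants before trusting the topology:
# a) every subnet is mapped to a site; a client from an unmapped subnet may end
#    up talking to any DC in the forest, including one across the slow link.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
# b) every site sits on at least one site link, otherwise it never replicates.
Get-ADReplicationSiteLink -Filter * | Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
# c) on a client in 10.0.0.x, confirm site discovery picked Paris:
#    nltest /dsgetsite
```

Two caveats worth knowing before choosing SMTP for a poorly connected site: SMTP site links carry only the schema, configuration and global catalog partitions, never the domain partition, so domain controllers for the same domain on both ends still need an IP link; and SMTP replication requires a certificate on each DC, because the mail is signed and encrypted.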

 

I'll blog about the configuration of your new Sites and Services topology, which will allow you to define preferences and costs for the links to specify in what order they should be used, etc.

Script to remove admin rights pt2

It's been a while since I had a play with this script, but what I have discovered is that the software I used to find out who has admin rights seems to also detect Power Users as Administrators. Which I guess is actually a good thing; however, I did not expect to get quite as many hits as I did for Power Users.

I'll link all my old posts on the subject below so you can compare notes, but the script that I have created now needs to include:

net localgroup "power users" %username% /delete > "%userprofile%\pwrusr.txt"

and

Y:\BLAT\BLAT "%userprofile%\pwrusr.TXT" -to email@address.com -server <smtp server IP> -f mail@address.com

 

Of course, if you don't want to be notified when these scripts run then you won't need the blat portion of the script, and if you really don't care about knowing whether the initial check script has run then I guess you could just push out a script along the lines of:

@echo off
c:
cd "%userprofile%"
rem marker file: if a previous run has already removed the rights, do nothing
If exist delusr1.txt (exit) else goto :Script

:Script
rem for removing admin Privileges
net localgroup administrators %username% /delete > "%userprofile%\delusr1.txt"
net localgroup "power users" %username% /delete > "%userprofile%\pwrusr.txt"
exit

This would then run regardless and attempt to remove the locally logged-in user from the Power Users and Administrators groups. This would need to be assigned to just standard users though, as you do not want to assign the script to administrators in your directory (be it AD, ED or maybe OpenLDAP).

Again, this script is just the way I have chosen to do it. I am no expert in script writing (I really do need to figure out VBScript), so I'm sure there are better ways of doing this.

Admin Script pt1

ESX ports

Well as most exams like you to memorise numbers I thought I’d put together this list of ports that are used within ESX, all of the ports here can be found in the firewall config in the Security Profile Configuration page on the host/virtual center.

Service                Port(s)                Protocol   Direction (as listed)
---------------------  ---------------------  ---------  ----------------------
CIM Secure Server      5989                   TCP        Incoming
Licence Server         27000, 27010           TCP        Outgoing
CIM SLP                427                    UDP, TCP   Incoming and outgoing
AAM                    2050-2250, 8042-8045   -          Incoming and outgoing
Virtual Center Agent   902                    UDP        -
iSCSI Client           3260                   TCP        -
NTP Client             123                    UDP        -
SSH                    22                     TCP        Incoming and outgoing
VCB                    443, 902               TCP        -

A lot of these ports I'm sure you've all seen before; it's really the VMware-specific ports that you need to concentrate on as I'm sure, like most other exams I've taken, they will want to test you on them.

Virtualizing linux boxes

I'm going to talk briefly about virtualizing live Linux servers. At work I've just virtualized my first Red Hat box. Was it painless? No. Was it informative? Yes.
I was given the task of P2V'ing the box after a disk in its mirror failed. So with a good bit of googling I came upon this tutorial on how to virtualize the box. It was not quite complete for me and I had to figure out various error messages I encountered along the way, but I eventually managed it and with shaking hands clicked the VM's power-on button.

I must admit I was expecting a good number of errors when it started (and would not have been surprised by a kernel panic), but it booted into the kudzu hardware manager, uninstalling all the old bits and installing the new, and to my relief completed its boot without any further issues.

Some of the issues that I came across along the way: doing the conversion in this way creates a VM for you and first mounts a VM Converter helper ISO into the VM. This helper VM requires an IP address etc., so you need to either let it DHCP for an address or statically assign one during the converter wizard screen.

Also, as it needs to be contactable on the network, you need to ensure that the VM is set up so that the network card(s) are on your production network. So if any of you normally put the cards into an isolated LAN then this won't work. Also, I'm not sure if this is to do with our setup or a converter "feature", but I found I had to have the machine running the converter client connecting to the converter server on the Linux box in the same subnet.

Trouble is, now I've done one I expect I'll be labelled with the "Linux Virtualization Expert" badge at work and will be given lots of other jobs that won't be quite so smooth! Ah well, it's all about the learning curve, isn't it.

Applications requiring admin rights

As you know I have been tightening up security at work by finding out who has admin rights and removing them. I must say that I am quite shocked at the number of apps that assume users have local admin rights.

Even things like scanner drivers are affected, especially when they are called from other large corporate applications (think of a company who makes PDF reading software and also photo editing software). So the next couple of days will be spent running round figuring out which registry keys and folders users need higher access to. All fun stuff.

I am also working on a post about speed screen and am again thinking about making a few video tutorials.

Remove Admin Rights Scripts

We have been tightening up security at our place recently, which has prompted me to do a couple of simple scripts: one to find out who has local admin rights and another to take them away. I again have used a couple of tools to get the job done. One is isadmin.exe by Bill Stewart, which just checks the locally logged-on user's group membership to see if they are a member of the Administrators group. The other is blat, which is a utility for sending SMTP emails from the command line. I then pipe the output to a text file and get the contents emailed to me, and then just use filters to sort the email into either a box for admin users or a box for non-admin users.

That script is:

rem script for discovering admin privileges
rem marker file: if this user has already been checked, do nothing
If exist c:\%nwusername%.txt (exit) else goto :check

:check
echo off
(drive letter):\admin\isadmin.exe > c:\%nwusername%.txt
(drive letter):\BLAT\BLAT C:\%nwusername%.txt -TO (emailaddress.co.uk) -SERVER (email server) -F (emailaddress.co.uk)

The bits in () you will obviously need to personalise for your environment.

Once that has reported the results to me, any users who have admin permissions then also get added to a script that removes them from the Administrators group. Again it's fairly simplistic:

rem script for removing admin privileges
rem marker file: if the rights have already been removed, do nothing
If exist c:\delusr.txt (exit) else goto :script

:script
echo off
net localgroup administrators %username% /delete > c:\delusr.txt
echo %username% has been deleted from %nwusername% admin account >> c:\delusr.txt
(drive letter):\BLAT\BLAT C:\delusr.TXT -TO (emailaddress.co.uk) -SERVER (email server) -F (emailaddress.co.uk)

So hopefully that will complete the removal of admin rights. I shall wait a week or two, then change the text file the first script looks for so that it runs again, and hopefully will get no reports of people still with admin rights.

Now of course admin rights are generally given to users because of funky old applications that can't handle tightened permissions, so I expect there may be a bit of running around trying to find ways of fixing broken apps.
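The discovery and removal scripts above (this post and pt2) combined into one PowerShell script, as an added example that is not the post's own code. It assumes the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later), that it runs elevated (for example as a computer startup script or from a management host), and that the file name Audit-LocalAdmins.ps1, the log path and the exempt list are placeholders you replace with your own break-glass accounts and groups. Without -Remove it only reports, which is the equivalent of the isadmin.exe run; with -Remove it takes direct members out of both groups, which is the equivalent of the net localgroup /delete lines.

```powershell
# Added example (not the post's script): audit the local Administrators and
# Power Users groups and, only when -Remove is given, take direct members out.
# Assumes the LocalAccounts cmdlets (Win10 / Server 2016+) and an elevated session.
# Usage:  .\Audit-LocalAdmins.ps1            (report only)
#         .\Audit-LocalAdmins.ps1 -Remove    (report and remove)
param(
    [switch]$Remove,
    # Placeholders: replace with the accounts/groups that must keep admin rights.
    [string[]]$ExemptMembers = @('Administrator', 'Domain Admins'),
    [string]$LogPath = "$env:ProgramData\admin-rights-audit.log"
)

$groups = @('Administrators', 'Power Users')

function Get-PrivilegedMembers {
    # Direct members only: Get-LocalGroupMember does not expand nested groups,
    # which is the same blind spot the net localgroup approach has.
    foreach ($g in $groups) {
        Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Group  = $g
                    Member = $_.Name          # e.g. CONTOSO\jdoe or PC01\localuser
                    Class  = $_.ObjectClass   # User or Group
                    SID    = $_.SID.Value
                }
            }
    }
}

$report = Get-PrivilegedMembers
$report | Format-Table -AutoSize

foreach ($m in $report) {
    $short = ($m.Member -split '\\')[-1]
    # Never remove the exempt list or the built-in Administrator (RID 500),
    # otherwise the script can lock every admin out of the box.
    if ($ExemptMembers -contains $short -or $m.SID -like '*-500') { continue }

    $line = '{0} {1} {2} {3}' -f (Get-Date -Format s), $env:COMPUTERNAME, $m.Group, $m.Member
    if ($Remove) {
        # Removing by SID avoids name-resolution problems for orphaned accounts.
        Remove-LocalGroupMember -Group $m.Group -Member $m.SID -ErrorAction Stop
        Add-Content -Path $LogPath -Value "REMOVED $line"
    } else {
        Add-Content -Path $LogPath -Value "FOUND $line"
    }
}
```

Three things to keep in mind when running this, or the batch versions above, on anything newer than XP: a logon script runs with the user's UAC-filtered token, so it cannot change local group membership even if the user is an administrator, which is why a computer startup script (running as SYSTEM) is the right vehicle; the removed user keeps admin rights until their next logon, because the access token was built at logon; and for lasting enforcement Group Policy Restricted Groups (or the Group Policy Preferences Local Users and Groups item) re-applies the membership on every refresh, so anyone re-added by hand is removed again.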

One thing I must say again is how brilliant notepad++ is for creating and editing any kind of script file. If you need to write scripts I would recommend at least trying it out.

Excellent Open Source Applications

Hi all,

Just a real quick post pointing you to two really cool OSS applications.

One is called Spiceworks and it enables you to scan your network and create an inventory of all devices found without days and days of mapping and writing from scratch. It also has a built-in helpdesk system, so for a small company or limited budget you could use this as your helpdesk and basic change management system. At the very least I would advise you lot to download it and get it to scan your network. It's brill!

SPICELINK

There is also an open-source email server I have found called hMailServer. Whilst I have not deployed it yet (too busy geeking over my 291 books), I would really like to get this up and running and put it through its paces. It includes a webmail subsystem as well as access from your favourite SMTP/POP client. I would love to get this up and running at the same time as my Exchange box and compare the two.

HmailLink

DNS basics

Hi all, This post is just a quickie about the locations that you can use to store your DNS zone data, both standard and active directory integrated.

Standard Zones

Standard zones have all their information stored in text files on a DNS server. With standard zones you can have only one primary copy of the database. Standard zones are also prone to failure: if the server hosting the primary zone fails then no updates/additions can be made to the zone, which in a large domain/network with DDNS enabled can quickly become a problem. The text files are generally named after the zone with .dns at the end; for example a secondary zone for scrivnet.local would have its data saved in \system32\dns\scrivnet.local.dns. You can obviously use a normal text editor to view the contents of the files.

Active Directory Integrated Zones

Active Directory integrated zones do exactly what it says on the tin except with the added advantage that in this configuration you can have multiple servers with primary copies of the same zone data. The main thing to remember with this is that all the dns servers need to be domain controllers as well otherwise you cannot use integrated zones. Also secondary zones can never be integrated into active directory and can only be standard zones as above. Stub zones however can be integrated if you wish.
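The two zone types side by side, using dnscmd (which ships with the DNS Server role on 2008 R2), as an added example that is not from the original post. The zone name scrivnet.local is the post's own; corp.example, the second server name dns2.scrivnet.local and the master address 192.0.2.10 are placeholders. Run it on the DNS server itself; the /DsPrimary zone can only be created on a server that is also a domain controller.

```powershell
# Added example (not from the post): standard versus AD-integrated zones with dnscmd.
# Placeholders: corp.example, dns2.scrivnet.local, 192.0.2.10.

# Standard primary zone: the data lives in a text file under %SystemRoot%\System32\dns
dnscmd /ZoneAdd scrivnet.local /Primary /file scrivnet.local.dns
Get-Content "$env:SystemRoot\System32\dns\scrivnet.local.dns"   # plain text, as the post says

# AD-integrated primary zone: the data lives in the directory and is multi-master,
# so there is no single primary server to lose
dnscmd /ZoneAdd corp.example /DsPrimary

# Standard secondary zone on a second server, pulling from the primary above.
# Secondaries can never be AD-integrated, so this is always file-backed.
dnscmd dns2.scrivnet.local /ZoneAdd scrivnet.local /Secondary 192.0.2.10

# Convert the existing standard primary to AD-integrated (server must be a DC)
dnscmd /ZoneResetType scrivnet.local /DsPrimary

# Check which is which: the DS-integrated flag and data file name in the output
dnscmd /ZoneInfo scrivnet.local

# Security caveat: "secure only" dynamic updates (AllowUpdate 2) are available
# only on AD-integrated zones; a file-backed zone offers just 0 (none) or
# 1 (nonsecure and secure), and 1 lets any host overwrite any record.
dnscmd /Config scrivnet.local /AllowUpdate 2
```

The last line is the practical reason to prefer AD-integrated zones on a DDNS-enabled network: with a standard primary you are choosing between no dynamic updates and unauthenticated ones.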

My Current Domain Network

Hi All,

I thought that it might be a good idea to show you my current domain diagram for my 291. At the moment, as you know, I have a domain and a child domain; both have a WSUS server, and the child domain's WSUS is a downstream server. This network will for now be used to study DNS, DHCP and WSUS. I've bought a Dell PowerConnect 3024 switch from eBay for £20, on which I will set up some VLANs to experiment with routing and relays etc.

Here's the link for my network

Have a look at the powerconnect tags for links to my other posts about the switch.

If you are interested, I used an open source program called "dia" to create the diagram. I know the images etc. are not very polished but it gets the point across.

DHCP DORA

Well I've been reading up on the DORA process for DHCP and have created a little tutorial on how clients get IP addresses in the first place. As normal, comments and suggestions welcome.

CLICK HERE