IT Core Blog

Never stop questioning. Curiosity has its own reason for existing…

Archive for January 2010

Cloud Computing Security Considerations


Microsoft document for cloud computing security:

“A high-level discussion of the fundamental challenges and benefits of cloud computing security, plus some of the questions that cloud service providers and organisations using cloud services need to consider when evaluating a new move, or expansion of existing services, to the cloud. This document presumes that the reader is familiar with the core concepts of cloud computing and basic principles of cloud security. It is not the goal of this paper to provide all the answers to the questions of security in the cloud or to provide an exhaustive framework for cloud security.”


Written by IT Core

January 29, 2010 at 12:03 AM

Posted in Documentation


Licensing Microsoft Server Products in Virtual Environments


For those of you running virtual environments with Microsoft solutions, check the updated Microsoft documentation on Licensing Microsoft Server Products in Virtual Environments.

This white paper describes Microsoft licensing models for the server operating systems and server applications under virtual environments. It can help you understand how to use Microsoft server products with virtualization technologies, such as Microsoft Hyper-V technology, Microsoft Virtual Server 2005 R2, or third-party virtualization solutions that are provided by VMWare and Parallels.

Although much of the information in this white paper also applies to licenses that are purchased from channels other than Microsoft Volume Licensing, some differences exist. If you acquired licenses through a means other than a Microsoft Volume Licensing agreement, we recommend that you review the license terms that accompanied your software.

Written by IT Core

January 28, 2010 at 11:56 PM

Restoring Windows XP and 2003 to Windows 7 and 2008


Many people have asked Microsoft for a tool/update like this one. The reason is simple: they need to restore backups taken on Windows XP/2003 to the new Windows 7/2008 R2. As usual, Microsoft gave them what they asked for. Now it’s even simpler to do the migration from XP/2003 to Windows 7/2008 R2.

Utility for restoring backups made on Windows XP and Windows Server 2003 to computers that are running Windows 7 and Microsoft Windows Server 2008 R2.

– Download the 32-bit version of KB974674
– Check the 64-bit version of KB974674

Go for it… 🙂

Written by IT Core

January 28, 2010 at 11:49 PM

Domain Controllers and Active Directory Domains Part 2

with 12 comments

After “How to create the first domain controller in Active Directory Part 1”, it’s time to consider an additional domain controller for your domain.

Why should you consider that?

Redundancy: If you have more than one DC for a given domain you can provide better redundancy for users, computers and apps. Apart from Active Directory redundancy, you may also have additional roles on those DCs that you want to keep available in case of a DC failure or DC overload. Roles commonly used on DCs are the DNS server role and the Global Catalog.

Workload distribution: With multiple DCs you can “load balance” requests from users, apps, computers, etc. This is particularly important when those services/servers are spread across sites over WAN links; in that case you can place one or more DCs on those sites and take advantage of local authentication/requests without sending them across the WAN link.

Domain hierarchy: The first domain that is created is the Root Domain of the forest. If you lose that domain you lose the entire forest. In a scenario where you have multiple domains within a forest, if you have only one DC for that top Root Domain and you lose that DC forever, you may say goodbye to your entire forest. Hum… that’s not good is it?!! As you already guessed domain hierarchy is very important in Active Directory.

Recovery/Availability: Consider the following scenario. Your DC suffers a hardware failure, and to recover from that hardware failure you’ll have to wait some time. If you have only one DC, you have a problem: the domain apps may need that DC and may stop working until it is back online, the users of those apps will also stop working, and your company will lose money because of that downtime. Anyway, you recover that DC from the hardware failure, but then you discover that the DC cannot start (BSoD, more downtime). No problem (you think), you start the backup recovery process, but you discover that the backup isn’t enough to recover that DC. Now you’ve got a big problem: no one is working and the company isn’t making money because of that. Everyone will have to wait until you replace the domain controller with a new one. With a second DC you can reduce that problem, and the dead DC could be replaced easily without affecting users or apps that depend on it.

And if I lose both DCs?
It’s true, you can lose both DCs and you’ll be “dead” anyway, but that is another story with different planning for a different blog post. The point I’m trying to make clear is that with 2 DCs per domain “at the minimum” you get a good chance to recover from downtime (with a good percentage of success), plus better redundancy and distributed workload. I could give you a lot more reasons to have additional DCs, but keep these in mind and hopefully they should be enough to make you think twice before considering only one DC for your domain.

Ok, back to the beginning: how to create the second domain controller in Active Directory. Actually it is a very simple process; we just need to have a healthy domain (run the dcdiag tool to check that everything is ok), and if everything is working correctly you are ready to add the 2nd DC to your domain.

Before start:
• Plan carefully the FQDN of the domain controller and make sure it follows the rules of your internal company documentation. Although it’s possible to rename DCs that are running Windows 2003 and later, I would rather do it correctly the first time and prevent later changes. Check the naming conventions at Microsoft KB909264.

• Configure your NIC with a static IP address. Avoid the use of multiple NICs in DCs; this type of configuration may lead to errors, and Active Directory communication might fail on multihomed domain controllers. Check MS KB272294 and KB191611 for more information.

• Make sure that the Administrator account has a strong password. If possible, avoid using the Administrator account and use a dedicated account to perform your everyday work in AD. Think of the Administrator account as the SOS account, and try to use it only for emergency situations.

• You must have at least one drive formatted with NTFS.

• Install the latest updates from Microsoft website.

• Check your event log for errors and correct them before proceeding.

• Plan and test the backup strategy for your Active Directory forest. After that, take a full backup of the existing DC in case you need to roll back.

• At last, check the date and time settings, make sure they are correct, and make sure that the existing DC is in sync with a trusted and valid authoritative time server. By default the DC that holds the PDCe role is the authoritative time server for your forest, and additional DCs sync their time with this DC.

Don’t miss Part 3 – “How to add a Domain Controller in a Remote Site using the new Windows 2008 R2”

To review all video demonstrations, check the video section of the Active Directory Windows 2008 and 2008 R2 Documentation.

🙂

Written by IT Core

January 20, 2010 at 10:08 PM

Posted in Deployment, How to..., Videos


Domain Controllers and Active Directory Domains Part 1

with 9 comments

In this blog post I’ll show you an example of how to introduce the first domain controller in an Active Directory domain. This will be the first of many blog posts that will help you with domain controller configuration and related services across your forest; I’ll also show you how to introduce new domains and different ways to perform identical tasks. Let’s start with a quick review of domain controller basics:

A domain controller (DC) is a server that has the Active Directory service installed. Domain controllers have a database called “NTDS.dit” that stores information about Active Directory objects. This database is divided into different partitions. The domain partition holds all information about the domain where that DC is located and is replicated between all DCs within the same domain; each DC has read/write permission to the domain partition. The schema and configuration directory partitions are common to the entire forest and are replicated between all domain controllers within the same forest; it doesn’t matter whether they belong to the same domain or not, as long as they are in the same forest they need to have the schema and configuration directory partitions (which are only writable by their FSMO masters) plus the domain partition for the domain where the DCs were configured. Depending on the version that you’re running, DCs can also store one or more application directory partitions (this applies to Windows 2003 and later OS).

In addition to the Active Directory database, DCs can also hold specific roles needed by Active Directory:
Flexible Single Master Operation “FSMO” (pronounced Fiz-mo). Domain controllers that hold operations master roles are designated to perform specific tasks to ensure consistency and to eliminate the potential for conflicting entries in the Active Directory database. Active Directory defines 5 operations master roles (2 are forest wide and the other 3 exist in each domain):

Forest operation masters:
– Schema master
– Domain naming master

Domain operation masters:
– Primary domain controller emulator (PDCe)
– Infrastructure master (IM)
– Relative ID master (RID)

Global Catalog (GC). A global catalog server is a domain controller that, in addition to its full writable domain directory partition replica (does not apply to RODC), also stores a partial, read-only replica of all other domain directory partitions in the forest. The attributes that are replicated to the global catalog are identified in the schema as the partial attribute set (PAS).
GCs are needed for: forest-wide searches; user logons when more than one domain exists in the forest; logons where a user principal name (UPN) is used and the forest has more than one domain; caching a user’s membership when the user is a member of a universal group (universal groups are only available when the domain is in native mode or later); and Exchange address book lookups, since Exchange clients also use global catalog servers to access the global address list (GAL). These are the most common scenarios, but you can also have specific apps that need to contact the GC to function properly.

DNS: Although DNS is not a component of Active Directory, Active Directory uses DNS as its domain controller location mechanism and leverages the namespace design of DNS in the design of Active Directory domain names. It is possible to have a non-Microsoft DNS solution support Active Directory, but the DNS server must support service resource records (RFC 2782) and the dynamic update protocol (RFC 2136). Active Directory uses DNS as the location mechanism for domain controllers, enabling computers on the network to obtain the IP addresses of domain controllers. During the installation of Active Directory, the service (SRV) and address (A) resource records are dynamically registered in DNS. Both types of records are necessary for the functionality of the domain controller locator (Locator) mechanism, among other functions.
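To see the pieces described above on a live forest, here is an added PowerShell example (it is not code from the original post): it lists the five FSMO role holders, the global catalog servers, and checks that the locator SRV records resolve to hosts that also have A records, which is the pairing the DNS paragraph says the Locator needs. It assumes a domain-joined Windows 7 / 2008 R2 machine with nslookup available and the .NET System.DirectoryServices assembly; the record names are the standard locator names, and the domain and forest names are taken from the machine’s own membership.

```powershell
# Added example (not from the original post). Assumes a domain-joined machine,
# PowerShell 2.0 or later, and nslookup on the path.
Add-Type -AssemblyName System.DirectoryServices

# The five operations masters: two forest-wide, three per domain.
function Get-FsmoRoleHolders {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    New-Object PSObject -Property @{
        SchemaMaster         = $forest.SchemaRoleOwner.Name
        DomainNamingMaster   = $forest.NamingRoleOwner.Name
        PdcEmulator          = $domain.PdcRoleOwner.Name
        RidMaster            = $domain.RidRoleOwner.Name
        InfrastructureMaster = $domain.InfrastructureRoleOwner.Name
    }
}

# Every DC in the forest that also holds the partial read-only replicas (GC).
function Get-GlobalCatalogServers {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $forest.GlobalCatalogs | ForEach-Object { $_.Name }
}

# Resolve an SRV record with nslookup and return its target host names.
function Get-SrvTargets {
    param([string]$Name)
    $out = & nslookup -type=SRV $Name 2>$null
    $out | ForEach-Object {
        if ($_ -match 'svr hostname\s*=\s*(\S+)') { $matches[1].TrimEnd('.') }
    }
}

# Check the locator records: each SRV target must also have an A record.
function Test-LocatorRecords {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Name
    $records = @(
        "_ldap._tcp.dc._msdcs.$domain",      # all DCs of this domain
        "_kerberos._tcp.dc._msdcs.$domain",  # KDCs of this domain
        "_gc._tcp.$forest"                   # GC records live under the forest root name
    )
    foreach ($r in $records) {
        $targets = @(Get-SrvTargets $r)
        if ($targets.Count -eq 0) { Write-Warning "No SRV record found for $r"; continue }
        foreach ($t in $targets) {
            try {
                $a = [System.Net.Dns]::GetHostAddresses($t) |
                     Where-Object { $_.AddressFamily -eq 'InterNetwork' }
                Write-Host "$r -> $t ($($a -join ', '))"
            } catch {
                Write-Warning "SRV target $t has no A record; the Locator cannot reach it"
            }
        }
    }
}

Get-FsmoRoleHolders | Format-List
Write-Host "Global catalogs:"
Get-GlobalCatalogServers
Test-LocatorRecords
```

The `_gc._tcp` record is deliberately looked up under the forest name rather than the current domain, because global catalog records are registered in the forest root zone; on a single-domain forest the two names are the same.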

That being said, now it’s time to set up the first domain controller.

Before start:
· Plan carefully your FQDN (fully qualified domain name), the NetBIOS name and the domain controller name; this is very important to avoid changes that may crash your entire forest later. Check the naming conventions at Microsoft KB909264.
· Configure your NIC with a static IP address. Avoid the use of multiple NICs in DCs; this type of configuration may lead to errors, and Active Directory communication might fail on multihomed domain controllers. Check MS KB272294 and KB191611 for more information.
· Configure the Administrator account with a strong password.
· Install the latest updates from the Microsoft website.
· You need to have at least one hard drive formatted with NTFS.
· Check your event log for errors and correct them before proceeding.
· Consider the use of at least 2 DCs for each domain that you plan to have in your forest; this will give you better redundancy and also a faster way to recover from server failures.
· Plan and test the backup strategy for your Active Directory forest.
· At last, check the date and time settings, make sure they are correct, and make sure that the server is in sync with a trusted and valid authoritative time server. By default the first DC will be the authoritative time server for your forest, and additional DCs will sync their time with this DC.
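The checklist above for the first DC and the one in Part 2 for an additional DC share the same machine-level checks (single static NIC, an NTFS volume, a clean System event log, a real time source, and, for Part 2, a healthy existing domain). The following added PowerShell script, which is not part of the original post, automates those checks so you can run it on the candidate server before dcpromo; the naming, password and backup items still need a human. It assumes Windows Server 2008 R2 with PowerShell 2.0, the w32tm tool, and, for the domain-health check, that dcdiag is installed (it normally is only on a machine with the AD DS tools, so run that part on the existing DC).

```powershell
# Added example (not from the original post). Assumes Windows Server 2008 R2,
# PowerShell 2.0+, w32tm present, and dcdiag present where -ExistingDomain is used.
# Each Test-* function returns $true/$false and writes warnings for what failed.

function Test-StaticSingleNic {
    # One IP-enabled NIC, with a static (non-DHCP) address and a DNS server set.
    $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE")
    $ok = $true
    if ($nics.Count -ne 1) {
        Write-Warning "Found $($nics.Count) IP-enabled NICs; multihomed DCs are discouraged (KB272294)"
        $ok = $false
    }
    foreach ($n in $nics) {
        if ($n.DHCPEnabled) { Write-Warning "$($n.Description) uses DHCP; set a static IP"; $ok = $false }
        if (-not $n.DNSServerSearchOrder) { Write-Warning "$($n.Description) has no DNS server configured"; $ok = $false }
    }
    $ok
}

function Test-NtfsVolume {
    # At least one local fixed disk (DriveType 3) formatted with NTFS.
    $ntfs = @(Get-WmiObject Win32_LogicalDisk -Filter "DriveType = 3" | Where-Object { $_.FileSystem -eq 'NTFS' })
    if ($ntfs.Count -eq 0) { Write-Warning "No NTFS volume found"; return $false }
    $true
}

function Test-RecentSystemErrors {
    param([int]$Hours = 24)
    # Errors in the System log are a stop sign according to the checklist.
    $since = (Get-Date).AddHours(-$Hours)
    $errs = @(Get-EventLog -LogName System -EntryType Error -After $since)
    if ($errs.Count -gt 0) {
        Write-Warning "$($errs.Count) System log errors in the last $Hours h; review them before promoting"
        $errs | Select-Object -First 10 TimeGenerated, Source, EventID | Format-Table -AutoSize | Out-Host
        return $false
    }
    $true
}

function Test-TimeSource {
    # Time must come from an authoritative source, not the local hardware clock.
    $src = (& w32tm /query /source) -join ' '
    if ($src -match 'Local CMOS Clock|Free-running') {
        Write-Warning "Time source is '$src'; configure a trusted NTP source first"
        return $false
    }
    Write-Host "Time source: $src"
    $true
}

function Test-DomainHealth {
    param([switch]$ExistingDomain)
    # Only meaningful when adding a DC to an existing domain (Part 2).
    # dcdiag /q prints only failures, so any output means something is wrong.
    if (-not $ExistingDomain) { return $true }
    $out = & dcdiag /q 2>&1
    if ($out) { Write-Warning "dcdiag reported problems:"; $out | Out-Host; return $false }
    $true
}

# Set -ExistingDomain:$true when preparing the second DC (Part 2 scenario).
$results = @{
    'Single static NIC' = Test-StaticSingleNic
    'NTFS volume'       = Test-NtfsVolume
    'Clean System log'  = Test-RecentSystemErrors
    'Time source'       = Test-TimeSource
    'Domain health'     = Test-DomainHealth -ExistingDomain:$false
}
$results.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
if ($results.Values -contains $false) { Write-Warning "Fix the items above before running dcpromo" }
```

The time check is the one most often skipped: on a fresh server w32tm usually reports the local CMOS clock, which is exactly the state the checklist says to correct before the server becomes the forest’s authoritative time source.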

Now it’s time to install Active Directory on your server; check the video and follow the steps below:

Check the next article: How to create the second domain controller in Active Directory

To review all video demonstrations, check the video section of the Active Directory Windows 2008 and 2008 R2 Documentation.

🙂

Written by IT Core

January 19, 2010 at 11:34 PM

Posted in Deployment, How to..., Videos


Antivirus Settings for Microsoft OS


Here’s a nice document from Microsoft that you should read before configuring your antivirus settings.

This document has recommendations that may help you protect a computer that is running Windows Server 2008, Windows Server 2003, Microsoft Windows 2000, Windows XP, or Windows Vista from viruses. This article also contains information to help you minimize the effect of antivirus software on system and network performance.

Click KB822158

From TechNet: Managing Antivirus Software on Active Directory Domain Controllers

Written by IT Core

January 15, 2010 at 12:27 AM

Updated Read-Only Domain Controller (RODC) Branch Office Guide


Planning for RODC?
Before any implementation, have a look at this updated guide:

Read-Only Domain Controller (RODC) Branch Office Guide
or on TechNet

This guide describes new features in Windows Server 2008 that can provide benefits for Active Directory deployments that include branch offices. It explains how to assess an existing deployment of domain controllers in branch offices to determine whether deploying read-only domain controllers (RODCs) in existing or future branch offices is appropriate for your organization. For more general information about how to install and configure an RODC, see Planning and Deploying Read-Only Domain Controllers. For more information about deploying an RODC in a perimeter network (also known as DMZ), see Active Directory Domain Services in the Perimeter Network (Windows Server 2008).

Written by IT Core

January 15, 2010 at 12:23 AM