IT Core Blog

Never stop questioning. Curiosity has its own reason for existing…

Archive for the ‘Videos’ Category

Failover Clustering & Hyper-V: Planning your Highly-Available

From Microsoft TechEd Online, here’s an excellent video to help you with Failover Clustering in Hyper-V.

This technical session will discuss Hyper-V and Failover Clustering live migration, deployment considerations, licensing, upgrades, host clustering, guest clustering, disaster recovery, multi-site clustering, System Center Virtual Machine Manager, hardware and validation. What are the pros and cons of each virtualization solution? What’s right for my customers and their scenarios? What about combining physical and virtual machines in the same cluster? This session will include a live demo of a Hyper-V Cluster deployment and live migration.

🙂


Written by IT Core

November 23, 2010 at 9:34 PM

Posted in How to..., Videos, Virtualization

TechEd 2010 Virtualization Sessions

Here are some interesting virtualization sessions from TechEd.

Networking and Windows Server 2008 R2 Hyper-V: Deployment Considerations

Microsoft System Center Virtual Machine Manager 2008 R2: Advanced Virtualization Management

The Microsoft System Center Operations Manager Top 20 Must-Have Customizations

Microsoft System Center Operations Manager and Virtual Machine Manager: Monitoring the Service Stack

See the Largest Mission Critical Deployment of Microsoft SQL Server around the World

Check the Latest Videos from TechEd North America

Have Fun 😀

Virtual Desktop Infrastructure sessions

Recently published videos from the Virtual Desktop Infrastructure sessions.
Have a look at: TechNet Edge.

Session 1: VDI Day: Citrix & Microsoft Desktop Virtualization Strategy

In this session we will guide you through the desktop virtualization strategy and show you how Citrix and Microsoft will help you reduce the costs of Managing your virtual desktop infrastructure. We will answer questions like: “Will desktop virtualization really fit every user?”

Session 2: VDI Day: Planning and Deploying VDI with Citrix and Microsoft

In this more technical session we will drill down into the Microsoft virtualization architecture of VDI and determine what key questions need to be asked and answered around required components, networking, capacity and end user experience. In the second part of the Presentation we will drill down into the Citrix components of our joint VDI solution. You will learn what the different key components are and how to setup your own test environment.

Session 3: VDI Day: Planning and Deploying VDI with Citrix and Microsoft

In the second part of the presentation we will drill down into the Citrix components of our joint VDI solution. You will learn what the different key components are and what they add on top of the virtualization back-end. By the end of this session you will be geared up with the knowledge to set up your own test environment.

🙂

Written by IT Core

June 14, 2010 at 11:05 PM

Hyper-V and Dynamic Memory in Depth by Benjamin Armstrong

For those of you who read or viewed “Dynamic Memory in Hyper-V on Windows Server 2008 R2 SP1”, you can now also watch the TechEd session Hyper-V and Dynamic Memory in Depth by Benjamin Armstrong.

Dynamic Memory is a new feature of Hyper-V coming to Windows Server 2008 R2 SP1. Come to learn how Dynamic Memory enables Hyper-V to utilize system resources more efficiently, and how this can benefit your environment. Also learn how Dynamic Memory works under the covers and what you should be preparing for with the release of Windows Server 2008 R2 SP1.

Written by IT Core

June 10, 2010 at 8:50 PM

Posted in Documentation, Videos, Virtualization

Dynamic Memory in Hyper-V on Windows Server 2008 R2 SP1

From TechNet’s Channel 9

One of the very cool new features coming in Windows Server 2008 R2 SP1 is dynamic memory provisioning for virtual machines. In this interview, Vijay Tewari explains how this model works, and gave me a demo of it in action.

Written by IT Core

June 7, 2010 at 7:04 PM

Hyper-V Live Migration with HP StorageWorks

The video demonstrates Long Distance Live Migration with Microsoft Hyper-V achieved with the HP StorageWorks EVA or XP Disk Array. A similar demo was given to the bloggers that attended the HP StorageWorks Tech Day in Houston.

Written by IT Core

June 5, 2010 at 8:58 PM

Domain Controllers and Active Directory Domains Part 7

Click if you want to review part 1, part 2, part 3, part 4, part 5 or part 6 of the Domain Controllers and Active Directory Domains series.

“How to deploy a Read-only Domain Controller in a Windows 2003 domain”

In part 7 of this series, we’re going to discuss a new type of domain controller, the read-only domain controller (RODC).

Read-only domain controllers (RODCs) are additional domain controllers that host read-only partitions of the Active Directory database. RODCs were introduced in Windows Server 2008 as a new feature of Active Directory Domain Services. This new type of domain controller is Microsoft’s solution for customers that needed to deploy domain controllers at locations where physical security could not be 100% guaranteed (e.g. branch offices, perimeter networks). With RODCs, Microsoft “offers” a solution that may help to resolve a number of security and manageability issues that existed in older operating system versions.

So what makes RODCs so special, and what do they have that read/writable domain controllers (RWDCs) don’t? RODCs have:

  • A read-only copy of the Active Directory database. (Applications can only read data from the AD database on RODCs. RODCs forward certain write operations to writable domain controllers, and they also send referrals to writable domain controllers when necessary.)
  • A read-only copy of the SYSVOL folder contents.
  • Unidirectional replication (RODCs get information from RWDCs, but RWDCs do NOT get information from RODCs; this applies to both the AD database and SYSVOL data).
  • Administrator Role Separation (ARS) – Domain administrators can delegate both the installation and the administration of RODCs to any domain user, without granting them any additional rights in the domain and without compromising the security of the rest of the domain.
  • Credential caching. By default an RODC does not store user credentials or computer credentials, except for its own computer account and a special krbtgt account for that RODC. This means that by default all authentication requests are forwarded by RODCs to RWDCs.
  • Password Replication Policy (PRP) – The ability to configure which passwords are allowed to be cached on an RODC.
  • Filtered Attribute Set (FAS) – Control over which attributes are not replicated to RODCs. This allows you to protect sensitive data in scenarios where RODCs are stolen or compromised.

Active Directory prerequisites to deploy an RODC:

  • The forest functional level (FFL) must be set to Windows Server 2003 or higher. FFL 2003 is needed because linked-value replication (LVR) and constrained delegation are only available at this FFL or later. This also means that all domain controllers (DCs) in the forest must have Windows Server 2003 or a later operating system installed.
  • Before introducing RODCs in a forest, a writable domain controller running Windows Server 2008 or Windows Server 2008 R2 MUST exist in the same domain as the RODC. The writable domain controller must be a DNS server that has registered a name server (NS) resource record for the relevant DNS zone. RODCs must be able to replicate domain updates from a writable domain controller running Windows Server 2008 or Windows Server 2008 R2.
  • If you have Windows Server 2003 domains, you must also run adprep /rodcprep before introducing an RODC in that forest. Note: The infrastructure master for each domain and for each application directory partition must be available within the environment for the operation to succeed. If these requirements are not met, you may experience the symptoms described in KB 949257. Also read Known Issues for Deploying RODCs.
  • To learn how to introduce Windows Server 2008/2008 R2 domain controllers in your domain/forest, check part 6 of this series.

 Some considerations to be aware of with RODCs:

  • As discussed before, RODCs need at least one Windows Server 2008 RWDC; this requirement is due to the nature of the RODC’s context in AD. Write operations, DNS updates and authentication for non-cached accounts are forwarded to RWDCs or authoritative DNS servers. With these operations in mind, it is generally a good idea to have enough (more than one) Windows Server 2008 DCs available to serve RODC requests. To learn how to introduce Windows Server 2008/2008 R2 domain controllers in your domain/forest, check part 6 of this series.
  • When an RODC that runs 2008 R2 is added to a domain that has an RWDC that runs Windows Server 2008, the RODC logs Event ID 2916. This error can be disregarded, and it will not be logged if there is an RWDC that runs Windows Server 2008 R2 in the domain.
  • Cross-domain authentication will fail if the WAN is offline. RODC domain authentication for cached accounts (including user and computer accounts) succeeds even if the WAN is offline. RODC domain authentication for accounts that are not cached will fail if the WAN is offline.
  • RODCs can only synchronize their time from RWDCs that run Windows Server 2008; they are restricted from synchronizing with other RODCs and from synchronizing with domain controllers outside their own domain. (Client computers can synchronize time from any domain controller, including an RODC.)
  • Do not use highly privileged accounts (like members of Domain Admins) to log on to RODCs.
  • Microsoft Exchange Server does not use RODCs. However, you can configure Outlook clients in a branch office that is serviced by a read-only global catalog server to use the read-only global catalog server for global address book lookups (Applications That Are Known to Work with RODCs).
  • Perform staged RODC Installations. The first stage of the installation (requires Domain Admin credentials) is to create an account for the RODC in AD. The second stage of the installation attaches the actual server that will be the RODC in a remote location, such as a branch office, to the account that was previously created for it. You can delegate the ability to attach the server to a non-administrative group or user.
  • When you upgrade a Windows Server 2003 domain controller it always remains a writable domain controller. You cannot make a Windows Server 2003 domain controller an RODC during the upgrade. If you want to upgrade a Windows Server 2003 domain controller and make it an RODC, you must remove Active Directory Domain Services (AD DS). You can remove AD DS either just before or just after you upgrade the operating system. After you upgrade the server and it is no longer a domain controller, reinstall AD DS and choose the RODC option during the AD DS installation.
  • You cannot convert from a full installation to a Server Core installation, or the reverse.

 Deploy RODCs:

Currently there are at least two ways to deploy RODCs: staged installation and direct installation.

Direct installation is the “normal” way to deploy any domain controller: you complete a full promotion of the RODC as a member of the Domain Admins group or as a member of an additional group with equivalent delegated permissions.

In this blog post I’m going to show you the staged installation, because I think it makes more sense due to the nature of the RODC security context (RODCs are normally placed at insecure/untrusted locations, right :)).

The staged installation is divided into two stages:

  1. The Domain Admin prepares the Active Directory to receive the new RODC and delegates the final stage of an RODC installation to any user or group.
  2. The delegated user or group installs the RODC at the remote site and adds the RODC to the domain without the need to have a highly privileged account.

I suggest using the IFM installation option in conjunction with a staged installation (I’ll show you how during the video). Using the Install from Media (IFM) option, you can minimize the replication of directory data over the network. This helps you install additional domain controllers in remote sites more efficiently. After you create the IFM installation media for an RODC, you can secure the installation media before transporting it to the branch office by removing secrets such as user account passwords from it. If the installation media is lost or stolen while it is being transported, it cannot be compromised to reveal passwords. This works for RODCs because an RODC does not cache any passwords by default, so they do not need to be present in the RODC installation media.

That said, let’s check “How to deploy a Read-only Domain Controller in a Windows 2003 domain”.
(Note: Before introducing RODCs into 2003 domains, you must have at least one Windows Server 2008/2008 R2 DC; to learn how to introduce Windows Server 2008/2008 R2 DCs in an existing 2003 forest/domain, check part 6 of this series.)

Final Notes:
– Do not use highly privileged accounts (like members of Domain Admins) to log on to RODCs.

– Consider the RODC installation in Windows Server Core.

– Consider the use of BitLocker on RODCs to protect data more efficiently.

– Unless you’re using DFS Replication, any change in the RODC SYSVOL will not be replicated to RWDCs, and this change can affect any computer that obtains Group Policy objects or logon scripts from that RODC, not only computers that are defined in the PRP. To synchronize the contents of the SYSVOL folder again, you can make a change on a writable domain controller to force the directory or file to replicate to the RODC, or you can set the Burflags registry setting to D2; check KB315457 for more information. This behavior is by design because FRS provides only limited support for read-only SYSVOL on an RODC.

– Extend the RODC FAS to include any attributes that you want to prevent from replicating to any RODC in the forest. When the attributes are prevented from replicating to RODCs, they cannot be exposed unnecessarily if an RODC is stolen or compromised. (As a best practice, make sure that the forest functional level is Windows Server 2008 or later if you plan to configure the RODC FAS.)

– Use remote management tools to administer RODCs (Microsoft Remote Server Administration Tools (RSAT) – Windows Remote Management (WinRM) protocol and Windows Remote Shell (WinRS))

Reliable time synchronization is required for Kerberos authentication. Client computers can synchronize time from any domain controller, including an RODC. An RODC can synchronize time only from a writable domain controller that runs Windows Server 2008 or later.

After 1,500 security principals are in the Allowed List and the RODC stops caching passwords, if you attempt to cache the password for a user in the Allowed List—using repadmin /rodcpwdrepl for example—you will see the following error message (Check: Administering the Password Replication Policy):
Unable to replicate secrets for user CN=user… on read-only DC dsp17a30 from full DC <GUID=126c27dc-cbb2-41b0-b847-71e5d6b69ea2>.
Error: Replication access was denied. (8453)

 Additional Documentation:
Read-Only Domain Controller Planning and Deployment Guide
RODC Technical Reference Topics
Known Issues for Deploying RODCs
Applications That Are Known to Work with RODCs
Read-only Domain Controllers Step-by-Step Guide
Understanding “Read Only Domain Controller” authentication
Read-Only Domain Controllers and Account Lockouts
KB 944043: Description of the Windows Server 2008 read-only domain controller compatibility pack for Windows Server 2003 clients and for Windows XP clients and for Windows Vista
Active Directory and Active Directory Domain Services Port Requirements
To review all video demonstrations, check the video section of the Active Directory Windows 2008 and 2008 R2 Documentation.

Written by IT Core

April 22, 2010 at 11:59 PM

Posted in Deployment, How to..., Videos
