l2 & l1


Upload: venkateshravulapati

Post on 23-Jun-2015


Page 1: L2 & L1

380 HP and 2950 Dell PowerEdge

Active Directory

Active Directory is a centralized and standardized system that stores information about objects in a network and makes this information available to users and network administrators.

Domain Controller

In an Active Directory forest, the domain controller is a server that contains a writable copy of the Active Directory database, participates in Active Directory replication, and controls access to network resources.

Global catalog server

A global catalog server is a domain controller that stores information about all objects in the forest. Like all domain controllers, a global catalog server stores full, writable replicas of the schema and configuration directory partitions and a full, writable replica of the domain directory partition for the domain that it is hosting. In addition, a global catalog server stores a partial, read-only replica of every other domain in the forest. Partial replicas are stored on global catalog servers so that searches of the entire directory can be achieved without requiring referrals from one domain controller to another.

The partial replica holds only partial information about the other domains: a subset of the classes and attributes (for example first name, last name, phone numbers and addresses). Windows Server 2003 brought attribute-level security improvements.

OU:

"Organizational Units" are administrative-level containers that allow administrators to organize groups of users together so that any changes, security privileges or other administrative tasks can be accomplished more efficiently.

Domain:

Windows Domain is a logical grouping of computers that share common security and user account information.

Forest

A Windows forest is a group of one or more trusted Windows trees. The trees do not need to have contiguous DNS names. A forest shares a schema and global catalog servers. A single tree can also be called a forest.

Tree:

A Windows tree is a group of one or more trusted Windows domains with contiguous DNS domains. “Trusted” means that an authenticated account from one domain isn’t rejected by another domain. “Contiguous DNS domains” means that they all have the same root DNS name.


Site:

Sites are manually defined groupings of subnets. Objects in a site share the same global catalog servers, and can have a common set of group policies applied to them.

Schema:

The schema defines what attributes, objects, classes, and rules are available in the Active Directory.

SID (Security Identifier):

The SID is a unique name (alphanumeric character string) that is used to identify an object, such as a user or a group of users.

Group Policy

Group Policy Architecture

Group Policy Objects (GPO):

A GPO is a collection of Group Policy settings, stored at the domain level as a virtual object consisting of a Group Policy container (GPC) and a Group Policy template (GPT).

For example, the password history setting is stored under:

Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy

Group Policy Container (GPC)

The Group Policy container (GPC) is an Active Directory container that contains GPO properties, such as version information, GPO status, plus a list of other component settings.

Group Policy Template (GPT)

The Group Policy template (GPT) is a file system folder that includes policy data specified by .adm files, security settings, script files, and information about applications that are available for installation. The GPT is located in the system volume folder (SysVol) in the domain \Policies sub-folder.

Filtering the Scope of a GPO

By default, a GPO affects all users and computers that are contained in the linked site, domain, or organizational unit. The administrator can further specify the computers and users that are affected by a GPO by using membership in security groups.

Starting with Windows 2000, the administrator can add both computers and users to security groups. Then the administrator can specify which security groups are affected by the GPO by using the Access Control List editor.

Knowledge Consistency Checker (KCC)

The Knowledge Consistency Checker (KCC) is a Windows component that automatically generates and maintains the intra-site and inter-site replication topology.

Intrasite Replication

Replication that happens between domain controllers inside one site. All of the subnets inside the site should be connected by high-speed network links.

Intersite Replication

Intersite replication is replication between sites and must be set up by an administrator. Simple Mail Transfer Protocol (SMTP) may be used for replication between sites.

Active Directory Replication

Replication must often occur both within sites (intrasite) and between sites (intersite) to keep domain and forest data consistent among domain controllers that store the same directory partitions.

Adprep.exe

Adprep.exe is a command-line tool used to prepare a Microsoft Windows 2000 forest or a Windows 2000 domain for the installation of Windows Server 2003 domain controllers.

Use:

When Microsoft Exchange Server is deployed in an organization, Exchange Server uses Active Directory as a data store and it extends the Windows 2000 Active Directory schema to enable it to store objects specific to Exchange Server. The ldapDisplayName of the attribute schema ms-Exch-Assistant-Name, ms-Exch-LabeledURI, and ms-Exch-House-Identifier defined by Exchange Server conflicts with the iNetOrgPerson schema that Active Directory uses in Windows Server 2003. When Windows Server 2003 Service Pack 1 is installed, Adprep.exe is able to detect the presence of the schema conflict and block the upgrade of the schema until the issue has been resolved.

GUID:

When a new domain user or group account is created, Active Directory stores the account's SID in the Object-SID (objectSID) property of a User or Group object. It also assigns the new object a globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object created by Active Directory, not just User and Group objects. Each object's GUID is stored in its Object-GUID (objectGUID) property. Active Directory uses GUIDs internally to identify objects.

SID:

A security identifier (SID) is a data structure in binary format that contains a variable number of values. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain.
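As an added example (not part of these notes), the following Python decodes the binary SID layout described above and splits the text form into the domain SID and the RID that the DC appended from its pool; the sample SID bytes and values are constructed for the example.

```python
import struct

# Constructed sample: the binary encoding of
# S-1-5-21-3623811015-3361044348-30300820-1013
# (domain SID S-1-5-21-... followed by the RID 1013).
SAMPLE_SID = bytes([
    0x01,                                # revision
    0x05,                                # number of sub-authorities
    0x00, 0x00, 0x00, 0x00, 0x00, 0x05,  # identifier authority 5 (NT Authority), big-endian
]) + struct.pack("<5I", 21, 3623811015, 3361044348, 30300820, 1013)


def parse_sid(raw: bytes) -> dict:
    """Decode a binary SID into revision, identifier authority and sub-authorities."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")         # 48-bit big-endian value
    subs = list(struct.unpack(f"<{count}I", raw[8:]))   # 32-bit little-endian each
    return {"revision": revision, "authority": authority, "subauthorities": subs}


def sid_to_string(raw: bytes) -> str:
    """Render a binary SID in the usual S-R-A-S1-S2-... text form."""
    p = parse_sid(raw)
    tail = "".join(f"-{s}" for s in p["subauthorities"])
    return f"S-{p['revision']}-{p['authority']}{tail}"


def split_domain_sid_and_rid(sid: str) -> tuple:
    """Split a domain account SID into the domain part and the RID.

    Domain SIDs have the form S-1-5-21-<three sub-authorities>; the DC appends
    the RID it drew from its RID pool, giving four values after the 21.
    """
    parts = sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) != 8:
        raise ValueError("not a domain account SID")
    return "-".join(parts[:7]), int(parts[7])


def issue_sid(domain_sid: str, rid: int) -> str:
    """What a DC does for a new security principal: domain SID plus a RID from its pool."""
    if rid < 0 or rid > 0xFFFFFFFF:
        raise ValueError("RID must fit in 32 bits")
    return f"{domain_sid}-{rid}"


def is_well_known_rid(rid: int) -> bool:
    """RIDs below 1000 are reserved (e.g. 500 = Administrator, 512 = Domain Admins)."""
    return rid < 1000


def same_domain(sid_a: str, sid_b: str) -> bool:
    """True when two account SIDs were issued by the same domain."""
    return split_domain_sid_and_rid(sid_a)[0] == split_domain_sid_and_rid(sid_b)[0]
```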

Lingering objects

When a domain controller is disconnected for a period that is longer than the tombstone lifetime (TSL), one or more objects that are deleted from Active Directory on all other domain controllers may remain on the disconnected domain controller. Such objects are called lingering objects. Because the domain controller is offline during the time that the tombstone is alive, the domain controller never receives replication of the tombstone.

Sysvol

Sysvol is a shared directory that stores the server copy of the domain’s public files, which are replicated among all domain controllers in the domain. The Sysvol contains the data in a GPO: the GPT, which includes Administrative Template-based Group Policy settings, security settings, script files, and information regarding applications that are available for software installation. It is replicated using the File Replication Service (FRS).

File Replication Service (FRS)

In Windows 2000, the SYSVOL share is used to authenticate users. The SYSVOL share includes group policy information which is replicated to all local domain controllers. File replication service (FRS) is used to replicate the SYSVOL share. The "Active Directory Users and Computers" tool is used to change the file replication service schedule.

Winlogon

A component of the Windows operating system that provides interactive logon support, Winlogon is the service in which the Group Policy engine runs.

Lightweight Directory Access Protocol (LDAP)

LDAP defines how clients and servers exchange information about a directory. LDAP version 2 and version 3 are used by Windows 2000 Server's Active Directory.

An LDAP URL names the server holding Active Directory services and the distinguished name of the object. For example:

LDAP://SomeServer.Myco.Com/CN=jamessmith,CN=Sys,CN=Product,CN=Division,DC=myco,DC=domain-controller

USN

Each object has an Update Sequence Number (USN), and if the object is modified, the USN is incremented. This number is different on each domain controller. USN provides the key to multimaster replication.
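As an added example (not part of these notes), this Python simulation ties the USN mechanism to the lingering-object case described earlier: each DC keeps its own USN counter, a partner pulls only the changes above the last USN it saw from that source, deletions replicate as tombstones, and a DC that is offline until the tombstone has expired never learns of the deletion. The tombstone lifetime, DC names, the daily garbage-collection step and the sample DN are constructed values for the example.

```python
from dataclasses import dataclass, field

# Constructed values: tombstone lifetime in days (the real default depends on the
# forest version) and a sample object DN.
TOMBSTONE_LIFETIME = 60
USER_DN = "CN=alice,OU=Sales,DC=example,DC=com"


@dataclass
class DomainController:
    name: str
    usn: int = 0                                   # local USN counter; differs per DC
    objects: dict = field(default_factory=dict)    # dn -> {"usn", "deleted", "tombstone_day"}
    watermark: dict = field(default_factory=dict)  # partner name -> highest partner USN applied
    online: bool = True

    def _stamp(self) -> int:
        self.usn += 1                 # every local change bumps this DC's USN
        return self.usn

    def create(self, dn: str) -> None:
        self.objects[dn] = {"usn": self._stamp(), "deleted": False, "tombstone_day": None}

    def delete(self, dn: str, day: int) -> None:
        # A deletion does not remove the row: it becomes a tombstone that replicates
        # like any other change and is kept for TOMBSTONE_LIFETIME days.
        self.objects[dn].update(usn=self._stamp(), deleted=True, tombstone_day=day)

    def garbage_collect(self, day: int) -> None:
        for dn, obj in list(self.objects.items()):
            if obj["deleted"] and day - obj["tombstone_day"] >= TOMBSTONE_LIFETIME:
                del self.objects[dn]  # tombstone expired: physically removed

    def pull_from(self, src: "DomainController") -> int:
        """Apply every change on src whose USN is above our watermark for src."""
        if not (self.online and src.online):
            return 0
        high = self.watermark.get(src.name, 0)
        applied = 0
        for dn, obj in src.objects.items():
            if obj["usn"] > high:
                self.objects[dn] = {**obj, "usn": self._stamp()}  # re-stamped with a local USN
                applied += 1
        self.watermark[src.name] = src.usn
        return applied


def live_objects(dc: DomainController) -> set:
    return {dn for dn, o in dc.objects.items() if not o["deleted"]}


def find_lingering(dc: DomainController, reference: DomainController) -> list:
    """Objects still live on dc that the reference DC no longer holds at all."""
    return sorted(dn for dn in live_objects(dc) if dn not in reference.objects)


def scenario(reconnect_day: int) -> list:
    """DC2 drops offline after day 0 and reconnects on reconnect_day; returns lingering DNs."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.create(USER_DN)
    dc2.pull_from(dc1)                 # day 0: both DCs hold alice
    dc2.online = False                 # DC2 is disconnected
    dc1.delete(USER_DN, day=1)         # day 1: alice deleted on DC1 -> tombstone
    for day in range(2, reconnect_day + 1):
        dc1.garbage_collect(day)       # DC1 expires old tombstones daily
    dc2.online = True                  # DC2 reconnects and replicates
    dc2.pull_from(dc1)
    return find_lingering(dc2, reference=dc1)
```

With a reconnect inside the tombstone lifetime the deletion still replicates; past it, DC2 keeps alice as a lingering object because DC1 has nothing left to send.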

Universal group membership caching

Due to available network bandwidth and server hardware limitations, it may not be practical to have a global catalog in smaller branch office locations. For these sites, you can deploy domain controllers running Windows Server 2003, which can store universal group membership information locally.

By default, the universal group membership information contained in the cache of each domain controller is refreshed every 8 hours. Up to 500 universal group memberships can be updated at once. Universal groups cannot be created in mixed mode.

What is an ACL or access-control list?

A list of security protections that applies to an object. (An object can be a file, process, event, or anything else having a security descriptor.)

What is an ACE or access-control entry?

An ACE contains a set of access rights and a security identifier (SID) that identifies a trustee for whom the rights are allowed, denied, or audited.

Flexible Single Master Operations (FSMO)

Multimaster Operation:

In Windows 2000 & 2003, every domain controller can receive changes, and the changes are replicated to all other domain controllers. The day-to-day operations that are associated with managing users, groups, and computers are typically multimaster operations.

There is a set of Flexible Single Master Operations (FSMO) which can only be done on a single controller. An administrator determines which operations must be done on the master controller. These operations are all set up on the master controller by default and can be transferred later. FSMO operation types include:

Schema Master: The schema master domain controller controls all updates and modifications to the schema. There can be only one schema master in the whole forest.

Domain naming master: The domain naming master domain controller controls the addition or removal of domains in the forest and is responsible for ensuring that domain names are unique in the forest. There can be only one domain naming master in the whole forest.


Infrastructure Master:

Synchronizes cross-domain group membership changes. The infrastructure master cannot run on a global catalog server (unless all DCs are also GCs.)

The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.

This role also takes care of updating references when a group membership object is renamed.

Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.

Relative ID (RID) Master:

It assigns RIDs (and hence SIDs) to newly created objects such as users and computers. If the RID master is down, you can still create security objects as long as the RID pools already allocated to the DCs have RIDs available; once those are exhausted, no further objects can be created until the RID master is back.

When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain.

PDC Emulator - When Active Directory is in mixed mode, the domain controller holding this role acts as a Windows NT PDC. The first server that becomes a Windows 2000 domain controller takes the role of PDC emulator by default.

Functions performed by the PDC emulator: user account changes and password changes; SAM directory replication requests; domain master browser requests; authentication requests; GPO updates; time synchronization.


New Active Directory features in Windows Server 2003

• Multiple selection of user objects.

• Drag-and-drop functionality.

• Efficient search capabilities. Search functionality is object-oriented and provides an efficient search that minimizes

• Saved queries. Save commonly used search parameters for reuse in Active Directory Users and Computers.

• Active Directory command-line tools.

• InetOrgPerson class. The inetOrgPerson class has been added to the base schema as a security principal and can be used in the same manner as the user class. The userPassword attribute can also be used to set the account password.

• Ability to add additional domain controllers using backup media. Reduce the time it takes to add an additional domain controller in an existing domain by using backup media.

• Universal group membership caching. Prevent the need to locate a global catalog across a WAN when logging on by storing universal group membership information on an authenticating domain controller.

• Secure LDAP traffic. Active Directory administrative tools sign and encrypt all LDAP traffic by default. Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with.

• Active Directory quotas. Quotas can be specified in Active Directory to control the number of objects a user, group, or computer can own in a given directory partition. Domain Administrators and Enterprise

Windows Functional levels

In Windows 2000 Active Directory domains is the concept of Mixed and Native Modes. The default mixed mode allows both NT and Windows 2000 domain controllers to coexist. Once you convert to Native Mode, you are only allowed to have Windows 2000 domain controllers in your domain. The conversion is a one-way conversion -- it cannot be reversed. In Windows Server 2003, Microsoft introduced forest and domain functional levels. The concept is rather similar to switching from Mixed to Native Mode in Windows 2000. The new functional levels give you additional capabilities that the previous functional levels didn’t have.

There are four domain functional levels:

1. Windows 2000 Mixed (supports NT4/2000/2003 DCs)

2. Windows 2000 Native (supports 2000/2003 DCs)

3. Windows Server 2003 Interim (supports NT4/2003 DCs)

4. Windows Server 2003 (supports only 2003 DCs)

And three forest functional levels:

1. Windows 2000 (supports NT4/2000/2003 DCs)

2. Windows 2000 Interim (supports NT4/2003 DCs)

3. Windows Server 2003 (supports only 2003 DCs)

To raise the domain functional level, you go to the properties of your domain in Active Directory Domains and Trusts. To raise the forest functional level you go to the properties of Active Directory Domains and Trusts at the root. Of course, if your domains are not at the correct level, you won’t be able to raise the forest functional level. 

Directory partition

A directory partition, or naming context, is a contiguous Active Directory subtree replicated on one or more Windows 2000 domain controllers in a forest. By default, each domain controller has a replica of three partitions: the schema partition, the configuration partition and a domain partition.

Schema partition

It contains all class and attribute definitions for the forest. There is one schema directory partition per forest.

Configuration partition

It contains replication configuration information (and other information) for the forest. There is one configuration directory partition per forest.

Domain partition

It contains all objects that are stored by one domain. There is one domain directory partition for each domain in the forest.

Application Directory Partition

Application directory partitions are most often used to store dynamic data. An application partition cannot contain security principals (users, groups, and computers). The KCC generates and maintains the replication topology for an application directory partition.

Application: The application partition is a new feature introduced in Windows Server 2003. This partition contains application-specific objects. The objects or data that applications and services store here can comprise any object type excluding security principals. Security principals are users, groups, and computers. The application partition typically contains DNS zone objects, and dynamic data from other network services such as Remote Access Service (RAS) and Dynamic Host Configuration Protocol (DHCP).

Dynamic Data:

A dynamic entry is an object in the directory which has an associated time-to-live (TTL) value. The TTL for an entry is set when the entry is created.

Security Principals - Objects that can have permissions assigned to them; each contains a security identifier. The following objects are security principals:

o User

o Computer

o Group

RPC:

Active Directory uses RPC over IP to transfer both intersite and intrasite replication between domain controllers. To keep data secure while in transit, RPC over IP replication uses both the Kerberos authentication protocol and data encryption.

SMTP:

If you have a site that has no physical connection to the rest of your network, but that can be reached using the Simple Mail Transfer Protocol (SMTP), that site has mail-based connectivity only. SMTP replication is used only for replication between sites. You also cannot use SMTP replication to replicate between domain controllers in the same domain—only inter-domain replication is supported over SMTP (that is, SMTP can be used only for inter-site, inter-domain replication). SMTP replication can be used only for schema, configuration, and global catalog partial replica replication. SMTP replication observes the automatically generated replication schedule.

Changing of ntds.dit file from one Drive to another

1. Boot the domain controller in Directory Services Restore mode and log on with the Directory Services Restore mode administrator account and password (this is the password you assigned during the Dcpromo process).

2. At a command prompt, type ntdsutil.exe. You receive the following prompt: ntdsutil:

3. Type files to receive the following prompt: file maintenance:

4. Type info. Note the path of the database and log files.

5. To move the database, type move db to %s (where %s is the target folder).

6. To move the log files, type move logs to %s (where %s is the target folder).

7. Type quit twice to return to the command prompt.

8. Reboot the computer normally.

DNS

DNS (Domain Name System)

Domain Name System (DNS) is a database system that translates a computer's fully qualified domain name into an IP address.


The local DNS resolver

The following graphic shows an overview of the complete DNS query process.

DNS Zones

Forward lookup zone - Name to IP address map.

Reverse lookup zone - IP address to name map.

Primary zones - Hold read and write copies of all resource records (A, NS, SRV).

Secondary zones - Hold read-only copies of the primary zones.

Stub Zones

Conceptually, stub zones are like secondary zones in that they have a read only copy of a primary zone. Stub zones are more efficient and create less replication traffic.

Stub Zones only have 3 records, the SOA for the primary zone, NS record and a Host (A) record.  The idea is that if a client queries a record in the Stub Zone, your DNS server can refer that query to the correct Name Server because it knows its Host (A) record.


Queries

Query types are:

Inverse - Getting the name from the IP address. These are used by servers as a security check.

Iterative - Server gives its best answer. This type of inquiry is sent from one server to another.

Recursive - Cannot refer the query to another name server.

Conditional Forwarding

Another classic use of forwarders is where companies have subsidiaries, partners or other organizations they know and query regularly. Instead of going the long way round using the root hints, the network administrators configure conditional forwarders.

Purpose of Resource Records

Without resource records DNS could not resolve queries.  The mission of a DNS Query is to locate a server that is Authoritative for a particular domain.  The easy part is for the Authoritative server to check the name in the query against its resource records.

SOA (start of authority) record - Each zone has one SOA record that identifies which DNS server is authoritative for domains and sub-domains in the zone.

NS (name server) record - An NS record contains the FQDN and IP address of a DNS server authoritative for the zone. Each primary and secondary name server authoritative in the domain should have an NS record.

A (address) record - By far the most common type of resource record, an A record is used to resolve the FQDN of a particular host into its associated IP address.

CNAME (canonical name) record - A CNAME record contains an alias (alternate name) for a host.

PTR (pointer) record - The opposite of an A record, a PTR record is used to resolve the IP address of a host into its FQDN.

SRV (service) record - An SRV record is used by DNS clients to locate a server that is running a particular service—for example, to find a domain controller so you can log on to the network. SRV records are key to the operation of Active Directory.

MX (mail exchange) record - An MX record points to one or more computers that process SMTP mail for an organization or site.

Where DNS resource records are stored:

After running DCPROMO, a text file containing the appropriate DNS resource records for the domain controller is created. The file, called Netlogon.dns, is created in the %systemroot%\System32\config folder and contains all the records needed to register the resource records of the domain controller. Netlogon.dns is used by the Windows 2000 NetLogon service and to support Active Directory for non-Windows 2000 DNS servers.
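As an added example (not part of these notes), this Python parses SRV lines in the zone-file format that Netlogon.dns uses and picks the domain controller a client would be directed to, trying the site-specific name first and applying the SRV priority/weight rule. The zone lines, host names and site name are constructed for the example, not taken from a real server.

```python
import re
from dataclasses import dataclass

# Constructed lines in the format Netlogon.dns uses:
# owner TTL class type priority weight port target
NETLOGON_DNS = """\
example.com. 600 IN A 10.0.0.11
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.example.com. 600 IN SRV 10 100 389 dc2.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 10 100 389 dc2.example.com.
_kerberos._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_gc._tcp.example.com. 600 IN SRV 0 100 3268 dc1.example.com.
_ldap._tcp.Branch._sites.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc2.example.com.
"""


@dataclass(frozen=True)
class SrvRecord:
    owner: str
    ttl: int
    priority: int
    weight: int
    port: int
    target: str


SRV_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_srv_records(text: str) -> list:
    """Return the SRV records in a Netlogon.dns-style listing, skipping other record types."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if not m:
            continue  # A records, blank lines, comments
        owner, ttl, prio, weight, port, target = m.groups()
        records.append(SrvRecord(owner.rstrip(".").lower(), int(ttl), int(prio),
                                 int(weight), int(port), target.rstrip(".").lower()))
    return records


def dc_locator_name(domain: str, site: str = None, service: str = "_ldap") -> str:
    """Owner name the DC locator asks for: site-specific when the client knows its site."""
    if site:
        return f"{service}._tcp.{site}._sites.dc._msdcs.{domain}".lower()
    return f"{service}._tcp.dc._msdcs.{domain}".lower()


def select_target(records: list, owner: str):
    """Lowest priority wins; among equals prefer the highest weight (deterministic
    stand-in for the weighted random choice a real resolver makes)."""
    cands = [r for r in records if r.owner == owner]
    if not cands:
        return None
    best = min(cands, key=lambda r: (r.priority, -r.weight, r.target))
    return best.target, best.port


def locate_dc(records: list, domain: str, site: str = None, service: str = "_ldap"):
    """Try the site-specific SRV name first, then fall back to the domain-wide name."""
    if site:
        hit = select_target(records, dc_locator_name(domain, site, service))
        if hit:
            return hit
    return select_target(records, dc_locator_name(domain, None, service))
```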

Procedures for changing a Server’s IP Address

Once DNS and replication are set up, it is generally a bad idea to change a server's IP address (at least according to Microsoft). Just be sure that is what you really want to do before starting the process. It is a bit akin to changing the internal IPX number of a Novell server, but it can be done.

1. Change the Server’s IP address

2. Stop the NETLOGON service.

3. Rename or delete SYSTEM32\CONFIG\NETLOGON.DNS and NETLOGON.DNB

4. Restart the NETLOGON service and run “IPconfig /registerDNS”

5. Go to one of the other DCs and verify that its DNS is now pointing to the new IP address of the server. If not, change the records manually and give it 15 minutes to replicate the DNS changes out.

6. Run REPLMON and make sure that replication is working now. You may have to wait a little while for things to straighten out. Give it an hour or two if necessary.

If a server shows that it isn’t replicating with one of its partners, there are several issues to address:

A. Check to see that the servers can ping each other.

B. Make sure that both servers' DNS entries for each other point to the proper IP addresses.

C. If server A says it replicated fine, but server B says it couldn’t contact Server A, check the DNS setup on Server B. Chances are it has a record for Server A pointing to the wrong place.

D. Run Netdiag and see if it reports any errors or problems.

Trust Relationships

One way trust - When one domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.

Two way trust - When two domains allow access to users on the other domain.


Trusting domain - The domain that allows access to users on another domain.

Trusted domain - The domain that is trusted, whose users have access to the trusting domain.

Transitive trust - A trust which can extend beyond two domains to other trusted domains in the tree.

Intransitive trust - A one way trust that does not extend beyond two domains.

Explicit trust - A trust that an administrator creates. It is not transitive and is one way only.

Cross-link trust - An explicit trust between domains in different trees or in the same tree when a descendent/ancestor (child/parent) relationship does not exist between the two domains.

Forest trust - When two forests have a functional level of Windows 2003, you can use a forest trust to join the forests at the root.

Shortcut trust - When domains that authenticate users are logically distant from one another, the process of logging on to the network can take a long time. You can manually add a shortcut trust between two domains in the same forest to speed authentication. Shortcut trusts are transitive and can either be one way or two way.

Windows 2000 only supports the following types of trusts:

Two way transitive trusts

One way non-transitive trusts

BACKUP

Archive bit:

The archive bit is used to determine which files have been backed up previously on a Windows file system. The bit is set if a file is modified.

Types of Backups:

Normal - Saves files and folders and shows they were backed up by clearing the archive bit.

Copy - Saves files and folders without clearing the archive bit.


Incremental - Incremental backup stores all files that have changed since the last Full, Differential or Incremental backup. The archive bit is cleared.

Differential - A differential backup contains all files that have changed since the last FULL backup. The archive bit is not cleared.

Daily - Saves files and folders that have been changed that day. The archive bit is not cleared.
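As an added example (not part of these notes), this Python models the archive-bit behaviour of the five backup types above on a small constructed file set, and then works out which backup sets a restore would need, which is where the incremental/differential trade-off shows up. File names and days are constructed.

```python
from dataclasses import dataclass


@dataclass
class BackedUpFile:
    name: str
    archive: bool = True       # archive bit: set whenever the file is modified
    modified_day: int = 0


def modify(f: BackedUpFile, day: int) -> None:
    f.archive = True
    f.modified_day = day


def run_backup(files: list, kind: str, today: int) -> list:
    """Names saved by a backup of the given type; clears archive bits where that type does."""
    if kind in ("normal", "copy"):
        selected = list(files)                                     # everything
    elif kind in ("incremental", "differential"):
        selected = [f for f in files if f.archive]                 # changed since the last bit-clearing backup
    elif kind == "daily":
        selected = [f for f in files if f.modified_day == today]   # changed today
    else:
        raise ValueError(f"unknown backup type {kind}")
    if kind in ("normal", "incremental"):
        for f in selected:
            f.archive = False                                      # copy, differential and daily leave the bit alone
    return sorted(f.name for f in selected)


def week(kind: str) -> dict:
    """Full backup on day 0, then one backup of `kind` on each of the next two days."""
    files = [BackedUpFile(n) for n in ("a.doc", "b.doc", "c.doc")]
    log = {0: run_backup(files, "normal", 0)}
    modify(files[0], 1)                  # a.doc changes on day 1
    log[1] = run_backup(files, kind, 1)
    modify(files[1], 2)                  # b.doc changes on day 2
    log[2] = run_backup(files, kind, 2)
    return log


def sets_needed_for_restore(log: dict) -> list:
    """Backup sets (by day) that together hold the newest copy of every file."""
    latest = {}
    for day in sorted(log):
        for name in log[day]:
            latest[name] = day           # later sets supersede earlier copies
    return sorted(set(latest.values()))
```

An incremental chain needs every set since the full backup, while a differential restore needs only the full backup plus the most recent differential.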

Multiplexing:

Multiplexing sends data from multiple sources to a single tape or disk device. This is useful if you have a tape or disk device that writes faster than a single system can send data, which (at this point) is just about every tape device.

Multistreaming:

Multistreaming establishes multiple connections, or threads, from a single system to the backup server. This is useful if you have a large system with multiple I/O devices and large amounts of data that need backing up.

To perform a backup, select "Start", "Programs", "Accessories", "System Tools", and "Backup". The Windows 2000 "Backup Utility" will start. It has these tabs:

System data:

1. The registry

2. System startup files

3. Component services data class registration database

4. Active Directory (Windows 2000 & 2003 Servers only)

5. Certificate server database (Windows 2000 & 2003 Servers only)

6. SYSVOL folder (Windows 2000 & 2003 Servers only)

Non-authoritative Active Directory restores:

Changes are accepted from other domain controllers after the backup is done.

When you are restoring a domain controller by using backup and restore programs, the default mode for the restore is non-authoritative. This means that the restored server is brought up-to-date with its replicas through the normal replication mechanism.


Authoritative Active Directory restores:

Changes are NOT accepted from other domain controllers after the backup is done.

Authoritative restore allows the administrator to recover a domain controller, restore it to a specific point in time, and mark objects in Active Directory as being authoritative with respect to their replication partners. Authoritative restore has the ability to increment the version number of the attributes of all objects in an entire directory. You can authoritatively restore only objects from the configuration and domain-naming contexts. Authoritative restores of schema-naming contexts are not supported. To perform an authoritative restore, you must start the domain controller in Directory Services Restore Mode.

Authoritative Restore Example

  E:\ntdsutil>ntdsutil
  ntdsutil: authoritative restore
  authoritative restore: restore subtree OU=bosses,DC=ourdom,DC=com
  Opening DIT database... Done.
  The current time is 06-17-05 12:34.12.
  Most recent database update occurred at 06-16-05 00:41.25.
  Increasing attribute version numbers by 100000.
  Counting records that need updating...
  Records found: 0000000012
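As an added example (not part of these notes), this Python models why the version-number increment shown in the session above matters: with a plain (non-authoritative) restore the restored values lose to the newer versions on replication partners, while an authoritative restore adds 100000 to the versions under the chosen subtree so the restored values win and propagate back out. The object, attribute values and the "higher version wins" rule are a simplified, constructed model of the conflict resolution, and the schema check follows the note above.

```python
from dataclasses import dataclass

VERSION_BUMP = 100000   # increment ntdsutil reports in the session above


@dataclass
class Attr:
    value: str
    version: int        # per-attribute version used when replicas disagree


def merge_attr(local: Attr, incoming: Attr) -> Attr:
    """Simplified replication rule: the higher version wins; ties keep the local value."""
    return incoming if incoming.version > local.version else local


def replicate(src: dict, dst: dict) -> None:
    """Push every object on src into dst, attribute by attribute."""
    for dn, attrs in src.items():
        if dn not in dst:
            dst[dn] = {k: Attr(a.value, a.version) for k, a in attrs.items()}
            continue
        for name, attr in attrs.items():
            dst[dn][name] = merge_attr(dst[dn].get(name, Attr("", 0)), attr)


def restore_from_backup(backup: dict, authoritative: bool, subtree: str = None) -> dict:
    """Rebuild a DC's directory from backup; an authoritative restore bumps the
    versions of every object under `subtree` (all objects when subtree is None)."""
    if subtree and subtree.lower().startswith("cn=schema,"):
        raise ValueError("authoritative restore of the schema naming context is not supported")
    restored = {dn: {k: Attr(a.value, a.version) for k, a in attrs.items()}
                for dn, attrs in backup.items()}
    if authoritative:
        for dn, attrs in restored.items():
            if subtree is None or dn.lower().endswith(subtree.lower()):
                for a in attrs.values():
                    a.version += VERSION_BUMP
    return restored


def scenario(authoritative: bool) -> tuple:
    """Returns (title on restored DC, title on partner DC) after replication settles."""
    boss = "CN=alice,OU=bosses,DC=ourdom,DC=com"
    # Constructed history: the backup holds title "Director" (version 3); after the
    # backup a partner DC changed it to "Analyst" (version 4), the change to be undone.
    backup = {boss: {"title": Attr("Director", 3)}}
    partner = {boss: {"title": Attr("Analyst", 4)}}
    dc = restore_from_backup(backup, authoritative, subtree="OU=bosses,DC=ourdom,DC=com")
    replicate(partner, dc)     # normal replication resumes in both directions
    replicate(dc, partner)
    return dc[boss]["title"].value, partner[boss]["title"].value
```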

Directory Store Files that are backed up

Database file - Stored in SystemRoot\NTDS\ntds.dit, it holds all AD objects and attributes. Contains these tables:

Ntds.dit is the Active Directory database, which stores all Active Directory objects on the domain controller. The .dit extension refers to the directory information tree. The default location is the %systemroot%\Ntds folder. Active Directory records every transaction in the log files that are associated with the Ntds.dit file.

Edb*.log is the transaction log file. Each transaction log file is 10 megabytes (MB). When the Edb.log file is full, Active Directory renames it to Edbnnnnn.log, where nnnnn is an increasing number starting from 1.

Edb.chk is a checkpoint file which is used by the database engine to track the data that has not yet been written to the Active Directory database file. The checkpoint file acts as a pointer that maintains the status between memory and the database file on disk. It indicates the starting point in the log file from which the information must be recovered if a failure occurs.


Res1.log and Res2.log - Reserved transaction log files. Together they reserve 20 MB of disk space on the log drive. If the disk fills up, this reserved space lets the database engine flush in-flight transactions and shut down cleanly instead of corrupting the database.

Recovery without Restore - Transaction logs are used to recover changes that were logged but not yet written to Ntds.dit when the system crashed. The database engine replays these logs automatically at the next start, without any restore from tape backup.

How to restore a domain controller system:

1. Reboot the domain controller.
2. Press F8 while booting to open the Advanced Options menu.
3. Select "Directory Services Restore Mode".
4. If more than one operating system is installed, select the correct Windows 2000 Server installation.
5. When the logon prompt appears, press CTRL-ALT-DEL.
6. Log on as Administrator with the Directory Services Restore Mode password (the local SAM account set during Dcpromo, not the domain Administrator account).
7. Select "Start", "Programs", "Accessories", "System Tools", and "Backup".
8. Use the "Restore Wizard" to restore System State. Do not reboot yet if an authoritative restore is needed.
9. For an authoritative restore, run the "ntdsutil" command line utility and type "authoritative restore". To mark part of the directory authoritative, type:

restore subtree "OU=OUname,DC=domainname,DC=rootdomain"

Type "restore database" to make the entire domain and configuration partitions authoritative (the schema partition cannot be restored authoritatively).

10. Quit ntdsutil and reboot the domain controller into normal mode; the marked objects now replicate out to all other domain controllers.

Note: if you reboot between step 8 and step 9, normal replication overwrites the restored (older) data before it can be marked authoritative, and the restore is lost.
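The procedure above, scripted so that it can be run repeatably from an elevated PowerShell prompt while the DC is still in Directory Services Restore Mode. This is an added example, not code from the original notes; the OU name is hypothetical, and the DSRM check relies on the NTDS service that exists on Windows Server 2008 and later (on Windows Server 2003 there is no separate NTDS service, so that check simply passes).

```powershell
# Added example, not part of the original notes. Runs the authoritative restore of one
# OU non-interactively. Run in Directory Services Restore Mode AFTER the System State
# restore and BEFORE rebooting. The subtree DN below is hypothetical.
param(
    [string]$Subtree = 'OU=bosses,DC=ourdom,DC=com'   # hypothetical OU to mark authoritative
)

function Assert-DsrmMode {
    # In DSRM the directory is offline. Refuse to touch the DIT if the NTDS service is
    # running (Windows Server 2008+); on 2003 there is no NTDS service, so this passes.
    $ntds = Get-Service -Name NTDS -ErrorAction SilentlyContinue
    if ($ntds -and $ntds.Status -eq 'Running') {
        throw 'Active Directory is running; boot into Directory Services Restore Mode first.'
    }
}

function Invoke-AuthoritativeRestore([string]$Dn) {
    # Each argument is one line typed at successive ntdsutil prompts; the two "quit"
    # entries back out of the menus so the tool exits instead of waiting for input.
    $ntdsArgs = @('authoritative restore', "restore subtree $Dn", 'quit', 'quit')
    $out = & ntdsutil.exe @ntdsArgs 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0 -or $out -notmatch 'Records found') {
        throw "ntdsutil did not report success:`n$out"
    }
    # Return the number of objects marked so the operator can sanity-check the scope:
    # a count far above the OU's expected size means the wrong DN was given.
    if ($out -match 'Records found:\s*(\d+)') { [int]$Matches[1] } else { 0 }
}

Assert-DsrmMode
$marked = Invoke-AuthoritativeRestore -Dn $Subtree
Write-Host "Marked $marked objects under $Subtree as authoritative. Reboot into normal mode now."
# After the reboot, confirm on another DC that the raised version numbers replicated in:
#   repadmin /showobjmeta <OtherDC> "<DN of a restored object>"
```

The script deliberately stops on anything other than a clean "Records found" line, because a silent ntdsutil failure followed by a reboot is indistinguishable from a successful restore until the objects fail to reappear.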

How to Transfer the FSMO Roles

To Transfer the Schema Master Role:

1. Register the Schmmgmt.dll library: press Start > Run and type:

regsvr32 schmmgmt.dll

2. Press OK. You should receive a success confirmation.
3. From the Run command, open an MMC console by typing MMC.
4. On the Console menu, press Add/Remove Snap-in.
5. Press Add, select Active Directory Schema, press Add, then press Close and OK.
6. If you are NOT logged on to the target domain controller, right-click the Active Directory Schema icon in the Console Root and press Change Domain Controller.
7. Press Specify... and type the name of the new role holder. Press OK.
8. Right-click the Active Directory Schema icon again and press Operations Master.
9. Press the Change button.
10. Press OK all the way out.

Note: you must be a member of the Schema Admins group to transfer this role.

Transferring the FSMO Roles via Ntdsutil

To transfer the FSMO roles from the Ntdsutil command:

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
2. Type roles, and then press ENTER.

Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ? and then press ENTER.

3. Type connections, and then press ENTER.
4. Type connect to server ms-dc04, where ms-dc04 is the name of the domain controller that will receive the role, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER.
6. Type transfer <role>, where <role> is the role you want to transfer. For example, to transfer the RID Master role, you would type transfer rid master. The options are:

transfer domain naming master
transfer infrastructure master
transfer pdc
transfer rid master
transfer schema master

7. You will receive a warning window asking if you want to perform the transfer. Click Yes.
8. After you transfer the roles, type q and press ENTER until you quit Ntdsutil.exe.
9. A transfer does not require a restart. Update your System State backup so it reflects the new role holders.

To seize the FSMO roles by using Ntdsutil, follow these steps:

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality. Seize a role only when the current holder is permanently unavailable; always try a transfer first.

1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
2. Type roles, and then press ENTER.

Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.

3. Type connections, and then press ENTER.
4. Type connect to server ms-dc04, where ms-dc04 is the name of the domain controller that will take over the role, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER.
6. Type seize <role>, where <role> is the role you want to seize. For example, to seize the RID Master role, you would type seize rid master. The options are:

seize domain naming master
seize infrastructure master
seize pdc
seize rid master
seize schema master

Ntdsutil first attempts a transfer and only seizes if the current holder cannot be contacted.

7. You will receive a warning window asking if you want to perform the seize. Click Yes.

Note: All five roles must exist in the forest. If the domain controller that held them is gone for good, seize all of its roles. Decide which remaining domain controllers should hold which roles so that all five are not concentrated on one server.

8. Repeat steps 6 and 7 until you have seized all the required FSMO roles.
9. After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool.

Note: A domain controller whose Schema Master, Domain Naming Master or RID Master role has been seized must never be brought back onto the network: two holders of the same role cause schema, naming or duplicate-SID conflicts. Format and reinstall the old server, and remove its leftover metadata with ntdsutil metadata cleanup.

Note: Do not put the Infrastructure Master (IM) role on the same domain controller as a Global Catalog server, unless every domain controller in the domain is a Global Catalog (or the forest has only one domain). The IM keeps cross-domain references (phantoms) up to date by comparing its own copy of those objects with a GC. Because a GC holds a partial replica of every object in the forest, an IM that is also a GC never sees any stale references and silently stops updating them.
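The transfer and seize procedures above, together with the Infrastructure Master placement check, done with the ActiveDirectory PowerShell module instead of the interactive ntdsutil menus. This is an added example, not part of the original notes; it assumes the module (Windows Server 2008 R2 / RSAT and later) and the hypothetical DC name ms-dc04.

```powershell
# Added example, not part of the original notes. Inventory, transfer and (commented out)
# seize of FSMO roles with the ActiveDirectory module, plus the IM-on-GC check.
# Server names are hypothetical.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Forest-wide roles live on the forest object, domain roles on the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-InfrastructureMasterPlacement {
    # The IM must not be a GC unless every DC in the domain is a GC (then nothing is stale).
    $dcs    = Get-ADDomainController -Filter *
    $imHost = (Get-ADDomain).InfrastructureMaster
    $im     = $dcs | Where-Object { $_.HostName -eq $imHost }
    $allGc  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    if ($im.IsGlobalCatalog -and -not $allGc) {
        Write-Warning "Infrastructure Master $imHost is a GC while other DCs are not: cross-domain references will stop being updated."
        return $false
    }
    return $true
}

function Move-FsmoRole {
    param(
        [string]$TargetDc,
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string[]]$Role,
        [switch]$Seize   # only when the current holder is permanently gone
    )
    # Without -Force the cmdlet transfers (the old holder must be online and is updated);
    # with -Force it tries a transfer first and seizes if the holder cannot be reached.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role -Force:$Seize -Confirm:$false
}

'Before:'; Get-FsmoHolders
Move-FsmoRole -TargetDc 'ms-dc04' -Role RIDMaster, PDCEmulator
# Seizing is a one-way door for Schema, Domain Naming and RID: the old holder must be
# rebuilt, never reconnected.
# Move-FsmoRole -TargetDc 'ms-dc04' -Role SchemaMaster, DomainNamingMaster -Seize
'After:';  Get-FsmoHolders
Test-InfrastructureMasterPlacement
```

No restart is needed after either operation; run Get-FsmoHolders from a second DC to confirm the new holders have replicated.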


DHCP

Dynamic Host Configuration Protocol is used to automatically assign TCP/IP addresses to clients along with the correct subnet mask, default gateway, and DNS server. There are two ways for a computer to get its IP address: it is configured manually with a static address, or it leases one dynamically from a DHCP server.

DHCP Scopes

Scope - A range of IP addresses that the DHCP server can assign to clients that are on one subnet.

Superscope - An administrative grouping of several scopes, so that the DHCP server can serve clients on several logical subnets that share one physical network segment (a multinet).

Multicast scope - A range of class D addresses from 224.0.0.0 to 239.255.255.255 that can be assigned to computers when they ask for them. A multicast group is assigned one IP address. Multicasting can be used to send messages to a group of computers at the same time with only one copy of the message. The Multicast Address Dynamic Client Allocation Protocol (MADCAP) is used to request a multicast address from a DHCP server.

DHCP Lease Process (DORA: Discover, Offer, Request, Acknowledge)

DHCP leases are used to reduce DHCP network traffic by giving clients specific addresses for set periods of time.


1. The DHCP client requests an IP address by broadcasting a DHCPDiscover message to the local subnet.

2. The client is offered an address when a DHCP server responds with a DHCPOffer message containing an IP address and configuration information for lease to the client.

If no DHCP server responds to the client request, the client can proceed in two ways:

• If it is a Windows 2000-based client, and IP auto-configuration (APIPA) has not been disabled, the client self-configures an IP address for its interface.

• If the client is not a Windows 2000-based client, or IP auto-configuration has been disabled, the client network initialization fails. The client continues to resend DHCPDiscover messages in the background (four times, every 5 minutes) until it receives a DHCPOffer message from a DHCP server.

3. The client indicates acceptance of the offer by selecting the offered address and replying to the server with a DHCPRequest message. This is also a broadcast, so that any other servers that made offers know to withdraw them.

4. The client is assigned the address and the DHCP server sends a DHCPAck message, approving the lease. Other DHCP option information might be included in the message.

5. Once the client receives the acknowledgment, it configures its TCP/IP properties using any DHCP option information in the reply, and joins the network.

In rare cases, a DHCP server might return a negative acknowledgment to the client. This can happen if a client requests an invalid or duplicate address. If a client receives a negative acknowledgment (DHCPNak), the client must begin the entire lease process again.

When the client sends the lease request, it waits one second for an offer. If a response is not received, the request is repeated at 9, 13, and 16 second intervals, with an additional 0 to 1000 milliseconds of randomness. The attempt is repeated every 5 minutes thereafter. DHCP runs over UDP: the server listens on port 67 and the client on port 68.

None of these messages are authenticated, so any host on the subnet can answer a DHCPDiscover and hand out a malicious default gateway or DNS server (a rogue DHCP server). Windows 2000/2003 DHCP servers refuse to start unless they are authorized in Active Directory, which protects against accidental Windows rogues but not against non-Windows ones.

Client Reservation

A client reservation ensures that a computer gets the same IP address every time. Because the DHCP server identifies clients by their MAC address, a reservation requires:

1) the client's MAC (hardware) address
2) the IP address to reserve (it must lie within the scope)


Exclusion Range

An exclusion range sets aside a bank of IP addresses inside a scope that the DHCP server must never lease, so that computers with static IP addresses, such as servers, can use those addresses without conflict.

Database files:

DHCP.MDB - The main database.
DHCP.TMP - Temporary DHCP storage.
JET*.LOG - Transaction logs used to recover data.
SYSTEM.MDB - Used to track the structure of the DHCP database.

APIPA

If all else fails, clients give themselves an Automatic Private IP Address in the 169.254.0.0/16 range (169.254.x.y with subnet mask 255.255.0.0; Windows picks x between 1 and 254). Such a client can only talk to other APIPA hosts on the same segment, so a 169.254 address on a client is the classic sign that no DHCP server answered.

BOOTP

BOOTP, the bootstrap protocol, is the predecessor of DHCP and can be used to boot diskless clients. DHCP uses the same message format and the same UDP ports.
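The reservation, exclusion range and APIPA passages above, as one worked script. This is an added example, not code from the original notes; it assumes the DhcpServer PowerShell module (Windows Server 2012 and later) for the server side, and the scope, addresses and MAC address are hypothetical.

```powershell
# Added example, not part of the original notes. Server side: carve out a static block
# with an exclusion range and pin a server to a fixed address with a reservation.
# Client side: detect the APIPA fallback that means no DHCPOffer ever arrived.
# Requires the DhcpServer module (Windows Server 2012+). All addresses are hypothetical.
Import-Module DhcpServer

$scopeId = '10.0.1.0'

function New-LabScope {
    # One scope per subnet. The lease duration bounds how long a vanished client keeps
    # an address the server could otherwise hand out.
    Add-DhcpServerv4Scope -Name 'Lab LAN' -StartRange 10.0.1.1 -EndRange 10.0.1.254 `
        -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 8)
    Set-DhcpServerv4OptionValue -ScopeId $scopeId -Router 10.0.1.1 -DnsServer 10.0.1.10
}

function Set-StaticBlock {
    # Servers with static addresses live in .1-.20; the DHCP server must never lease these.
    Add-DhcpServerv4ExclusionRange -ScopeId $scopeId -StartRange 10.0.1.1 -EndRange 10.0.1.20
}

function Set-FileServerReservation {
    # A reservation needs exactly what the notes list: the client's MAC and the IP.
    # The address lies inside the scope but OUTSIDE the exclusion range.
    Add-DhcpServerv4Reservation -ScopeId $scopeId -IPAddress 10.0.1.50 `
        -ClientId '00-15-5D-01-02-03' -Name 'fileserver01' -Description 'constructed example'
}

function Get-ScopeStatus {
    # Leases and reservations side by side; reservations show AddressState 'ActiveReservation'.
    Get-DhcpServerv4Lease -ScopeId $scopeId |
        Select-Object IPAddress, ClientId, HostName, AddressState, LeaseExpiryTime
}

function Test-ApipaFallback {
    # Run on a client. A 169.254.x.y address means the DORA exchange never completed.
    # Returns the affected interfaces so the caller can renew or go look at the server.
    $apipa = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -like '169.254.*' }
    foreach ($a in $apipa) {
        Write-Warning "Interface $($a.InterfaceAlias) fell back to APIPA ($($a.IPAddress)); no DHCP server answered."
    }
    return $apipa
}

New-LabScope
Set-StaticBlock
Set-FileServerReservation
Get-ScopeStatus
# On a client that shows APIPA, force a fresh DORA cycle and watch whether an offer arrives:
#   Test-ApipaFallback; ipconfig /release; ipconfig /renew
```

Keeping the reservation outside the exclusion range matters: an excluded address is never offered, even to a reservation, so a reservation placed inside the exclusion block silently never works.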

WINS

WINS stands for Windows Internet Name Service. WINS is a NetBIOS Name Server that registers NetBIOS names and resolves them to IP addresses.

DFS

The Distributed File System (DFS) allows shared folders located on different servers to be presented as one directory tree. Only Windows 2000 and Windows Server 2003 servers can host DFS roots, and a server can host only one (Windows Server 2003 Enterprise and Datacenter editions lift this to several roots per server).

DFS Components

DFS root - The shared directory at the top of the namespace. It can contain other shared directories, files, DFS links, and other DFS roots. One root is allowed per server.

Types of DFS roots:

Stand-alone DFS root - Not published in Active Directory, cannot be replicated, and can be on any Windows 2000 or 2003 server. The DFS topology is stored on one computer, so there is no fault tolerance. A stand-alone DFS root is accessed using the syntax: \\Server\DFSname

Domain DFS root - Published in Active Directory, can be replicated, and can be on any Windows 2000 or 2003 member server or domain controller. Files and directories must either be replicated manually to the other root servers, or the File Replication Service (FRS) must be configured to replicate them. When setting up automatic replication, configure the domain DFS root first and then the replicas. Links are replicated automatically through Active Directory. There may be up to 31 replicas (root targets). A domain DFS root is accessed using the syntax: \\domain\DFSname

DFS link - A pointer to another shared directory. There can be up to 1000 DFS links for a DFS root.

IIS

Virtual Directory:

A virtual directory is a directory that is not contained in the home directory but appears to client browsers as though it were.

What is ISAPI?

Internet Server Application Programming Interface (ISAPI) is an API developed to give application developers a powerful way to extend the functionality of Internet Information Server (IIS). Although ISAPI extensions are by no means limited to IIS, they are used extensively in conjunction with MS-IIS.

What is an application pool?

An application pool (IIS 6.0) is a worker-process boundary that can house one or more web sites or applications. It provides a convenient way to administer a set of web sites and applications and increases reliability, because a crash or memory leak in one pool's worker process does not affect sites in other pools. Each pool runs under its own identity, which is also the natural place to apply least privilege.

What is a COM component?

Any VB6 DLL is a COM component, as is any Windows DLL or EXE that supports the COM interfaces.

How many types of authentication security are there in IIS?

IIS commonly offers four types of authentication: Anonymous, Basic, Digest and Integrated Windows Authentication (IIS 6.0 adds further methods such as Advanced Digest, .NET Passport and client certificate mapping). Basic authentication sends the password base64-encoded, not encrypted, so it should only be used over SSL.

What is the tombstone? What is the default tombstone lifetime? How do you increase the tombstone lifetime?

A tombstone is the stub left behind when an object is deleted; it lets the deletion replicate to every domain controller. The tombstone lifetime is the number of days before a deleted object is removed from the directory service for good. The default tombstone lifetime was 60 days; for forests created with Windows Server 2003 SP1 or later domain controllers the new default is 180 days (an upgraded forest keeps its old value). A backup older than the tombstone lifetime cannot be used to restore a domain controller.

You can check your tombstone lifetime using the following command, which comes with Windows Server 2003:

dsquery * "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com" -scope base -attr tombstonelifetime

If the attribute is not set, the 60-day default applies. To increase it, set the tombstoneLifetime attribute on that same object (for example with ADSI Edit or ldifde) to the desired number of days.
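The same query and the change the question asks for, done with the ActiveDirectory PowerShell module, plus the check a practitioner actually needs from the number: whether a given backup is still young enough to restore. This is an added example, not part of the original notes; it assumes the module (Windows Server 2008 R2 / RSAT and later) and Enterprise Admin rights for the write.

```powershell
# Added example, not part of the original notes. Reads and raises the forest tombstone
# lifetime and tests a backup's age against it. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-DirectoryServiceObjectDn {
    # Same object the dsquery command above reads, located via the RootDSE so the
    # domain name is not hard-coded.
    "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
}

function Get-TombstoneLifetime {
    $ds = Get-ADObject -Identity (Get-DirectoryServiceObjectDn) -Properties tombstoneLifetime
    # When the attribute is absent the pre-SP1 default of 60 days is in force.
    if ($null -eq $ds.tombstoneLifetime) { 60 } else { [int]$ds.tombstoneLifetime }
}

function Set-TombstoneLifetime([int]$Days) {
    if ($Days -lt 2) { throw 'Tombstone lifetime must be at least 2 days.' }
    $current = Get-TombstoneLifetime
    if ($Days -lt $current) {
        # Lowering it shortens the window in which existing backups remain restorable.
        throw "Refusing to lower the tombstone lifetime from $current to $Days days; do that deliberately, not in a helper."
    }
    # A forest-wide configuration change: it replicates to every DC.
    Set-ADObject -Identity (Get-DirectoryServiceObjectDn) -Replace @{ tombstoneLifetime = $Days }
}

function Test-BackupUsable([datetime]$BackupDate) {
    # A System State backup older than the tombstone lifetime must not be restored:
    # deletions it never saw would come back as lingering objects.
    $tsl = Get-TombstoneLifetime
    $age = (Get-Date) - $BackupDate
    [pscustomobject]@{
        BackupDate        = $BackupDate
        AgeDays           = [int]$age.TotalDays
        TombstoneLifetime = $tsl
        Usable            = $age.TotalDays -lt $tsl
    }
}

Get-TombstoneLifetime
Set-TombstoneLifetime -Days 180
Test-BackupUsable -BackupDate (Get-Date).AddDays(-45)
```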

What is a Session object?

A Session object holds information relevant to a particular user's session.

How can IIS host multiple websites?

To distinguish between websites, IIS looks at three attributes:

• The host header name
• The IP address
• The port number

What is a host header?

A host header is the Host: field of the HTTP request sent to the web server. Configuring IIS to use host headers is therefore only one step in hosting multiple websites on one IP address; the DNS server must also be configured (usually by adding an A record for each domain) so that clients can find the web server.


EXCHANGE SERVER

DS PROXY

DSProxy is the component in Microsoft Exchange Server 2003 that provides an address book service to Microsoft Outlook clients. Although the name implies that this component provides only proxy services, DSProxy provides both of the following services:

1. DSProxy emulates a MAPI address book service and sends proxy requests to an Active Directory server.

2. DSProxy refers Outlook client queries to an Active Directory server.

DSAccess

The Exchange components that need to interact with Active Directory use DSAccess to retrieve Active Directory information rather than communicating directly with domain controllers and global catalog servers

Forestprep

When you use the /ForestPrep option, the Exchange Setup program extends the Active Directory schema to add Exchange-specific classes and attributes.

To verify that the setup /forestprep command completed successfully on a computer that is running Microsoft Windows 2000 Server in an Exchange 2000 environment, check the Application event log for event ID 1575.

DomainPrep:

DomainPrep creates the groups (Exchange Domain Servers, Exchange Enterprise Servers) and permissions necessary for Exchange servers to read and modify user attributes in Active Directory. You must run DomainPrep in every domain that will host Exchange servers or mailbox-enabled users, before installing the first Exchange server in that domain.

MAPI (Messaging Application Programming Interface)

MAPI is an extensive set of functions that developers can use to create mail-enabled applications. It enables an application to send and receive mail through a Microsoft messaging system such as Exchange.

Recovery Storage Group:

The Recovery Storage Group is a new feature in Exchange 2003. It lets you mount a restored copy of a mailbox store on a running server, alongside the production stores. Its biggest advantage is that it removes the need for a separate recovery server and so reduces the impact of restoring a single mailbox from backup.

Exmerge tool:

ExMerge is used to extract mailbox data from the store mounted in the Recovery Storage Group and merge it back into the live mailbox. It works by exporting mailboxes to .pst files and importing them again.

List the services of Exchange Server 2003?

Microsoft Exchange Event

Monitors folders and triggers events for server applications compatible with Exchange Server 5.5.

Microsoft Exchange IMAP4

Provides IMAP4 access, a method of reading electronic mail that is kept on the mail server.

Microsoft Exchange Information Store

The information store, which is the key component for database management in Exchange Server, is actually two separate databases. The private information store database, Priv.edb, manages data in user mailboxes. The public information store, Pub.edb, manages data in public folders.

Microsoft Exchange Management

Provides Exchange management information using Windows Management Instrumentation (WMI). If this service is stopped, WMI providers implemented to work in Microsoft Exchange Management, like message tracking and Directory Access, will not work.

Microsoft Exchange MTA Stacks

You use Exchange X.400 services to connect to Exchange 5.5 servers and other connectors (custom gateways).

Microsoft Exchange POP3

POP3 is a Client/Service protocol in which e-mail is received and held for you by your Internet server.

Microsoft Exchange Routing Engine

The Exchange Routing Engine uses Link State information for e-mail routing. The Routing Engine will forward this information to the Advanced Queuing Engine. The default size of routing table log file is 50 MB and default age is seven days.

Microsoft Exchange Site Replication Service


Provides directory interoperability between Exchange 5.5 and Exchange 2000 Server or Exchange 2003. Site Replication Service (SRS) acts as a directory replication bridgehead server for an Exchange site. SRS runs on Exchange 2000 and serves as a modified Exchange 5.5 directory. SRS uses Lightweight Directory Access Protocol (LDAP) to communicate to both the Active Directory® directory service and the Exchange 5.5 directory. To Exchange 5.5, SRS looks similar to another Exchange 5.5 configuration/recipients replication partner.

Microsoft Exchange System Attendant

Provides monitoring, maintenance, and Active Directory lookup services (for example, monitoring of services and connectors, proxy generation, Active Directory to metabase replication, publication of free/busy information, offline address book generation, mailbox maintenance, and forwarding Active Directory lookups to a global catalog server). If this service is stopped, monitoring, maintenance, and lookup services are unavailable. If this service is disabled, any services that explicitly depend on it cannot start.

What are the Exchange Server 2003 troubleshooting Eseutil commands?

Eseutil /mh - Dumps the database header. Its most useful line is the State, which tells you whether the last shutdown was clean or dirty. Eseutil /mh is read-only, so it is ideal for practising getting to the right path and executing eseutil without doing any harm to the mailbox store databases.

Eseutil /ml - Similar to /mh, except that this switch performs an integrity check on the log files, for example E00.log.

Eseutil /mm - Dumps metadata from the database file (not the logs). Specialist use only; the output is fascinating but rarely useful.

Eseutil /mk - Provides information about the checkpoint file. Handy for troubleshooting backup/restore problems. Where /mh takes priv1.edb, remember to pass the name of the checkpoint file, E00.chk, to /mk.

Eseutil /k - Verifies the checksum of every page in a database or log file, to find damaged pages.

Eseutil /cc - Hard recovery: replays the log files after a database has been restored from an online backup.

Eseutil /d - Offline defragmentation of the .edb database.

Example: eseutil /d e:\exchsrvr\mdbdata\priv1.edb (or whatever the path to your store is)

Eseutil /r - Soft recovery: replays the transaction logs to bring a dirty-shutdown database back to a consistent state. It does not repair the log files themselves.

Eseutil /p - Attempts to repair a corrupted store database. This is a last resort: it discards pages it cannot fix, so take a copy of the database first and always follow it with isinteg.

Eseutil /y - Copies a database, streaming file, or log file.

Eseutil /g - Verifies the integrity of a database.

Eseutil /m - Generates formatted output of various database file types, for example /mh.

The Isinteg utility (Information Store Integrity Checker) finds and eliminates errors from the public folder and mailbox databases at the application level, that is, in the Exchange-specific tables rather than the ESE pages. It can recover data that Eseutil cannot, and should always be run after an Eseutil /p repair.
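The eseutil /mh check above, wrapped so that a script can decide between "mount it", "run soft recovery" and "stop and take a copy" instead of an operator eyeballing the dump. This is an added example, not code from the original notes; the eseutil path and database path are hypothetical, and the sample header text is constructed from the State and Log Required lines that eseutil /mh prints.

```powershell
# Added example, not part of the original notes. Parses the read-only eseutil /mh header
# dump so the database state can be checked from a script before anything is mounted
# or repaired. Paths are hypothetical (eseutil.exe lives in exchsrvr\bin on Exchange 2003).
function ConvertFrom-EseutilHeader([string]$Dump) {
    # The header carries "State: Clean Shutdown" or "State: Dirty Shutdown"; a dirty
    # database also lists the log generations it needs ("Log Required: 12-14 (0xc-0xe)").
    if ($Dump -notmatch 'State:\s*(Clean|Dirty) Shutdown') { throw 'State line not found in header dump.' }
    $state = $Matches[1]
    $logs  = if ($Dump -match 'Log Required:\s*([0-9]+-[0-9]+)') { $Matches[1] } else { $null }
    [pscustomobject]@{
        State         = "$state Shutdown"
        NeedsRecovery = ($state -eq 'Dirty')
        LogsRequired  = $logs
        # Soft recovery (/r) is the safe next step for a dirty database; /p is never the first move.
        NextStep      = if ($state -eq 'Dirty') { 'eseutil /r <logprefix> /l <logdir> /d <dbdir>' } else { 'mount the store' }
    }
}

function Get-ExchangeDbState {
    param(
        [string]$DatabasePath,
        [string]$Eseutil = 'C:\Program Files\Exchsrvr\bin\eseutil.exe'   # hypothetical path
    )
    if (-not (Test-Path $DatabasePath)) { throw "Database not found: $DatabasePath" }
    $dump = & $Eseutil /mh $DatabasePath 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "eseutil /mh failed (exit $LASTEXITCODE):`n$dump" }
    ConvertFrom-EseutilHeader $dump | Add-Member -NotePropertyName Database -NotePropertyValue $DatabasePath -PassThru
}

# Constructed sample of the lines that matter, so the parser can be exercised offline:
$sample = @"
Database: priv1.edb
        State: Dirty Shutdown
 Log Required: 12-14 (0xc-0xe)
"@
ConvertFrom-EseutilHeader $sample        # NeedsRecovery is True, LogsRequired is 12-14

# On a live server:
# Get-ExchangeDbState -DatabasePath 'E:\exchsrvr\mdbdata\priv1.edb'
```

If LogsRequired names log generations that are missing from the log directory, soft recovery cannot complete; that is the point to stop, copy the database and logs elsewhere, and only then consider /p.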

Offline Storage Files (.OST)

An OST file is Outlook's offline copy of an Exchange mailbox, stored on the user's local disk (Cached Exchange Mode in Outlook 2003). It is not a component of Exchange Server itself: it is created and used by Outlook, and it is bound to the mailbox and profile it was created for, so it cannot simply be opened as a stand-alone data file the way a .pst can.

When the Exchange server crashes or the mailbox is deleted from the server, the OST file becomes orphaned and inaccessible through Outlook, yet it remains on the user's computer holding a large part of the e-mail, calendar, journal, notes, contacts, tasks and so on. That makes it both a recovery source (its contents can be exported to a .pst while the old profile still exists) and a data-at-rest risk on lost or unencrypted laptops.

Advanced Queuing Engine (AQE)

The Advanced Queuing Engine (AQE) is responsible for creating and managing message queues for e-mail delivery. When AQE receives a Simple Mail Transfer Protocol (SMTP) mailmsg object, this object will be forwarded to the Message Categorizer. The Advanced Queuing Engine then queues the Mailmsg object for message delivery based on the Routing information provided by the Routing Engine process of Exchange Server 2003.

Outbound Mail Flow in Exchange Server 2003

Outbound mail flows through an Exchange Server deployment in the following manner:

1. Mail messages are sent from a client (Microsoft Outlook, Outlook Express, or Outlook Web Access, for example) and are submitted to the local Exchange store.

2. The Exchange store submits the message to the Advanced Queuing Engine.

3. The Advanced Queuing Engine submits the message to the message categorizer.

4. The message categorizer validates the recipients of the message, checks for proper recipient attributes, applies limits and restrictions, flags the message for local or remote delivery, and then returns the message to the Advanced Queuing Engine.

5. If the message is for local delivery, the Advanced Queuing Engine submits it to the Local Delivery queue, and the Exchange store receives the message from the Local Delivery queue.

6. If the message is for remote delivery, the Advanced Queuing Engine submits it to the Routing Engine. The Routing Engine determines the most efficient route for mail delivery and returns the message to the Advanced Queuing Engine, which in turn queues it for remote delivery. The message is then sent via SMTP to a remote SMTP host or to the Internet.

The following are the minimum requirements for outbound mail flow:

• The Exchange server must be able to reach the Internet on TCP port 25. This access should not be blocked by firewalls or other network settings.

• Inbound anonymous SMTP connections should be allowed on the SMTP virtual server, so that other mail servers can deliver to you. Relaying for anonymous connections must stay disabled, or the server becomes an open relay.

• The Exchange Server SMTP virtual server should be configured to use the default settings.

• The public mail exchanger (MX) resource record configured in your public Domain Name System (DNS) zone should be resolvable by all other Internet domains. The MX record should point to the Exchange server (or the host in front of it) and must be in place before messages can be received.
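The minimum requirements listed above, turned into checks that can be run from the Exchange server: the MX record is published and resolvable, port 25 outbound is open to a real remote mail host, and the server accepts anonymous connections without relaying for them. This is an added example, not code from the original notes; the domain and host names are hypothetical, and the SMTP dialog is a deliberately minimal client written for the check.

```powershell
# Added example, not part of the original notes. Verifies the outbound mail-flow
# prerequisites with a minimal SMTP client. Domain and host names are hypothetical.
function Invoke-SmtpDialog {
    param([string]$Server, [int]$Port = 25, [string[]]$Commands = @())
    # Synchronous SMTP exchange: returns the banner line followed by the reply lines to
    # each command. Multi-line replies ("250-...") are collected until the final "250 ".
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($Server, $Port)
    $stream = $client.GetStream(); $stream.ReadTimeout = 10000
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
    $replies = @($reader.ReadLine())                      # 220 banner
    foreach ($cmd in $Commands) {
        $writer.WriteLine($cmd)
        do { $line = $reader.ReadLine(); $replies += $line } while ($line -match '^\d{3}-')
    }
    $writer.WriteLine('QUIT'); $client.Close()
    return $replies
}

function Test-OutboundMailFlow {
    param([string]$Domain = 'ourdom.com', [string]$RemoteMailHost = 'mail.example.net')
    # 1. Our MX must be published and its target must resolve to an address.
    $mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq 'MX' } | Sort-Object Preference
    $target = ($mx | Select-Object -First 1).NameExchange
    $targetResolves = $target -and (Resolve-DnsName -Name $target -Type A -ErrorAction SilentlyContinue)
    # 2. Port 25 outbound must be open: a 220 banner from a remote mail host proves it,
    #    where a plain port probe could be fooled by a firewall that answers SYNs.
    $banner = try { (Invoke-SmtpDialog -Server $RemoteMailHost)[0] } catch { $null }
    [pscustomobject]@{
        MxPublished      = [bool]$mx
        MxTarget         = $target
        MxTargetResolves = [bool]$targetResolves
        Port25Outbound   = $banner -like '220*'
        RemoteBanner     = $banner
    }
}

function Test-OpenRelay([string]$Server) {
    # Anonymous inbound SMTP is required; anonymous RELAY is not. Ask the server to relay
    # between two foreign domains; a correctly configured Exchange answers 550 5.7.1.
    $replies = Invoke-SmtpDialog -Server $Server -Commands @(
        'EHLO relaytest.invalid',
        'MAIL FROM:<probe@external.invalid>',
        'RCPT TO:<victim@another.invalid>')
    $rcpt = $replies[-1]
    [pscustomobject]@{ Server = $Server; RcptReply = $rcpt; OpenRelay = ($rcpt -like '250*') }
}

Test-OutboundMailFlow -Domain 'ourdom.com' -RemoteMailHost 'mail.example.net'
Test-OpenRelay -Server 'mail.ourdom.com'
```

Run Test-OpenRelay from outside your own network as well: an internal probe may match an allowed relay list (for example the LAN subnet) and report a false negative.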

INTERVIEW QUESTIONS

What protocol and port does DHCP use?

DHCP, like BOOTP runs over UDP, utilizing ports 67 and 68.

What is the DHCP automatic backup time?

By default the DHCP database is backed up every 60 minutes to the backup folder under %SystemRoot%\System32\dhcp. The interval is the BackupInterval value under HKLM\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters and can be changed.

How many scopes you can create

As a general recommendation, limit each DHCP server to having no more than 1,000 scopes defined for use.

When adding a large number of scopes to the server, be aware that each scope creates a corresponding need for additional incremental increases to the amount of disk space used for the DHCP server registry and for the server paging file


For the best possible DHCP server design in most networks, it is recommended that you have, at most, 10,000 clients per server.

Advantage of the LDP tool:

The LDP tool (ldp.exe, from the Support Tools) can reanimate Active Directory tombstone objects: it lets you search with the "return deleted objects" control, clear the isDeleted attribute and move the object back into a live container, restoring it without a System State restore. Only the attributes preserved on the tombstone come back (the SID is one of them, which is the point of reanimating rather than recreating).

Repadmin to remove lingering objects:

repadmin /removelingeringobjects <DestinationDC> <SourceDC-DSA-GUID> <NamingContextDN> [/advisory_mode]

Run it first with /advisory_mode, which only logs what would be deleted, and then without it.
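What LDP does by hand for reanimation, and the repadmin lingering-object check, as one script. This is an added example, not code from the original notes; it assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT and later), and the user, DC names and naming context are hypothetical.

```powershell
# Added example, not part of the original notes. Reanimates a deleted user with the
# ActiveDirectory module (the same isDeleted/lastKnownParent mechanism LDP exposes)
# and wraps repadmin so the lingering-object cleanup runs in advisory mode by default.
# Names and DNs are hypothetical.
Import-Module ActiveDirectory

function Find-DeletedUser([string]$SamAccountName) {
    # Tombstones are invisible to normal searches; -IncludeDeletedObjects adds the
    # "return deleted objects" LDAP control that LDP shows as a checkbox.
    Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName' -and isDeleted -eq `$true" `
        -IncludeDeletedObjects -Properties sAMAccountName, lastKnownParent, whenChanged, objectSid
}

function Restore-DeletedUser([string]$SamAccountName) {
    $tomb = Find-DeletedUser $SamAccountName
    if (-not $tomb) { throw "No tombstone for $SamAccountName; it may already be past the tombstone lifetime." }
    # Restore-ADObject clears isDeleted and moves the object back to lastKnownParent.
    # The SID survives, so existing ACL entries work again; group memberships and most
    # other attributes are not on the tombstone and must be re-added afterwards.
    Restore-ADObject -Identity $tomb.ObjectGUID
    # A reanimated account comes back disabled: set a password and enable it explicitly.
    Get-ADUser -Identity $SamAccountName -Properties objectSid, memberOf, Enabled
}

function Get-DsaGuid([string]$DcName) {
    # repadmin wants the reference DC's NTDS Settings (DSA) object GUID, not its DNS name.
    $settingsDn = (Get-ADDomainController -Identity $DcName).NTDSSettingsObjectDN
    (Get-ADObject -Identity $settingsDn -Properties objectGUID).objectGUID.Guid
}

function Remove-LingeringObjects {
    param(
        [string]$DestinationDc,     # DC suspected of holding lingering objects
        [string]$ReferenceDcGuid,   # DSA GUID of a DC known to be clean
        [string]$NamingContext,     # e.g. DC=ourdom,DC=com
        [switch]$Commit             # without it, advisory mode only logs what would go
    )
    $mode = if ($Commit) { @() } else { @('/advisory_mode') }
    & repadmin.exe /removelingeringobjects $DestinationDc $ReferenceDcGuid $NamingContext @mode
    if ($LASTEXITCODE -ne 0) { throw "repadmin failed with exit code $LASTEXITCODE" }
}

Restore-DeletedUser -SamAccountName 'jdoe'
Remove-LingeringObjects -DestinationDc 'ms-dc04.ourdom.com' `
    -ReferenceDcGuid (Get-DsaGuid 'ms-dc01') -NamingContext 'DC=ourdom,DC=com'
# Review the Directory Service event log on ms-dc04, then re-run with -Commit.
```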

If a set of 30 hard disks is configured as RAID 5 and two of them fail, what happens to the data?

Because of the parity stripe, all data stays available when one disk fails: the missing blocks are rebuilt from the surviving disks. If a hot spare is available, reconstruction begins immediately after the failure. If a second disk fails before that rebuild completes, all data on the array is LOST. In short, RAID 5 survives one disk failure but not two or more, and with 30 large disks the rebuild window, and therefore the exposure to a second failure, is long.

In RAID 5, if I have 5 HDDs of 10 GB each, how much space is usable after configuring the RAID?

One disk's worth of capacity goes to parity, so usable space is (N - 1) x disk size: with five 10 GB disks you get 40 GB.

If the administrator forgets the password on a 2003 server, how do you recover it?

On a member or stand-alone server the local account passwords live in the SAM hive (C:\WINDOWS\system32\config\SAM). With the disk attached to another system as a slave disk (or booted from offline media), an offline SAM editor can blank the Administrator password; simply deleting the SAM file is unreliable on Windows 2000/2003 and can leave the system unbootable. On a domain controller the domain Administrator password is in Ntds.dit, not the SAM, and is reset by another account with domain admin rights; the SAM there only holds the DSRM account. Either way this is an offline attack on the disk, which is exactly why physical access to servers must be controlled.

How to Connect to the Console Session

When you connect to the console session of a Windows Server 2003-based server, no other user has to be logged on to the console session already. Even if no one is logged on to the console, you are logged on just as if you were sitting at the physical console.

To connect from a remote Windows Server 2003-based computer, open a command prompt and type:

mstsc /v:servername /f /console

where mstsc is the Remote Desktop Connection executable, /v specifies the server to connect to, /f selects full-screen mode, and /console requests the console session (session 0). Remote Desktop Connection 6.1 and later replaced /console with /admin.


What's the difference between local, global and universal groups?

The difference is scope: who can be a member, and where the group can be granted permissions.

• Domain local groups can contain accounts and global or universal groups from any trusted domain, but can be assigned permissions only on resources in their own domain. Use them to hold the permissions.
• Global groups can contain only accounts (and, in native mode, other global groups) from their own domain, but can be granted access to resources in any trusted domain. Use them to collect users by role.
• Universal groups can contain accounts and groups from any domain in the forest and can be granted access in any trusted domain. Their membership is stored in the global catalog, so keep it stable.

The recommended pattern (AGDLP) is: accounts into global groups, global groups into domain local groups, permissions on the domain local groups.

What is LSDOU?

Its group policy inheritance model, where the policies are applied to Local machines, Sites, Domains and Organizational Units.

Where are group policies stored?

Local group policy: %SystemRoot%\System32\GroupPolicy

Where is the GPT stored?

The Group Policy Template of a domain GPO lives in SYSVOL: %SystemRoot%\SYSVOL\sysvol\<domainname>\Policies\{GUID}. The matching Group Policy Container is the object in Active Directory.

How frequently is the client policy refreshed?

Every 90 minutes, plus a random offset of up to 30 minutes; domain controllers refresh every 5 minutes.

How many records can I create for my domain name?

As many as you want!

What's the major difference between FAT and NTFS on a local machine?

FAT and FAT32 provide no security against locally logged-on users. Only NTFS provides permission control (ACLs) on files, for both remote and local access, plus auditing and encryption (EFS).

What hidden shares exist on a Windows Server 2003 installation?

ADMIN$, IPC$ and one <driveletter>$ share per drive (C$, D$, ...), plus PRINT$ if printers are shared. NETLOGON and SYSVOL also exist on domain controllers, but they are ordinary, non-hidden shares.

What hashing algorithms are used in Windows 2003 Server?

RSA Data Security's Message Digest 5 (MD5), which produces a 128-bit hash, and the Secure Hash Algorithm 1 (SHA-1), which produces a 160-bit hash, are both available through CryptoAPI. Account passwords themselves are stored with neither: the LM hash (DES-based) and the NT hash (unsalted MD4) are used, which is why LM hash storage should be disabled.

What’s the difference between standalone and fault-tolerant DFS (Distributed File System) installations?

The standalone server stores the Dfs directory tree structure or topology locally. Thus, if a shared folder is inaccessible or if the Dfs root server is down, users are left with no link to the shared resources. A fault-tolerant root node stores the Dfs topology in the Active Directory, which is replicated to other domain controllers. Thus, redundant root nodes may include multiple connections to the same data residing in different shared folders.

What does a domain controller register in DNS?

The Netlogon service registers all the SRV records for that domain controller. These records appear as the _msdcs, _sites, _tcp, and _udp folders in the forward lookup zone that matches your domain name. Other computers look for these records to find Active Directory-related information: which DCs, global catalogs and Kerberos KDCs serve a given site, and which DC is the PDC emulator.

Character limits:

• User ID (pre-Windows 2000 logon name, sAMAccountName): 20 characters
• E-mail address: 64 characters
• Distribution list: 256 characters

Where is the DNS zone file stored?

Standard (non-AD-integrated) zone files are stored in %SystemRoot%\System32\DNS; a backup of each zone file is created in %SystemRoot%\System32\DNS\backup. Active Directory-integrated zones are stored in the directory instead.
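A check for the SRV registrations described above: resolve the records a DC must publish and compare them with the DC list from the directory, which catches both a DC whose Netlogon registration failed and a decommissioned DC still advertised in DNS. This is an added example, not code from the original notes; it assumes the DnsClient and ActiveDirectory PowerShell modules (Windows Server 2012 / RSAT and later), and the domain name is hypothetical.

```powershell
# Added example, not part of the original notes. Compares the SRV records in DNS with
# the domain controllers known to Active Directory. Domain name is hypothetical.
function Get-DcSrvRecords([string]$Domain, [string]$Site) {
    $names = @{
        LDAP     = "_ldap._tcp.dc._msdcs.$Domain"
        Kerberos = "_kerberos._tcp.$Domain"
        GC       = "_gc._tcp.$Domain"          # forest-root name in a single-domain forest
        PDC      = "_ldap._tcp.pdc._msdcs.$Domain"
    }
    if ($Site) { $names.SiteLDAP = "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" }
    $out = @{}
    foreach ($key in $names.Keys) {
        # NameTarget is the host each SRV record points at; lower-case for comparison.
        $out[$key] = @(Resolve-DnsName -Name $names[$key] -Type SRV -ErrorAction SilentlyContinue |
                       Where-Object { $_.Type -eq 'SRV' } |
                       ForEach-Object { $_.NameTarget.ToLower() })
    }
    return $out
}

function Test-DcDnsRegistration([string]$Domain) {
    Import-Module ActiveDirectory
    $srv = Get-DcSrvRecords -Domain $Domain
    $dcs = Get-ADDomainController -Filter * -Server $Domain
    $known = @($dcs | ForEach-Object { $_.HostName.ToLower() })
    foreach ($dc in $dcs) {
        $fqdn = $dc.HostName.ToLower()
        [pscustomobject]@{
            DC         = $fqdn
            Site       = $dc.Site
            InLdapSrv  = $srv.LDAP -contains $fqdn
            InKerberos = $srv.Kerberos -contains $fqdn
            IsGC       = $dc.IsGlobalCatalog
            InGcSrv    = $srv.GC -contains $fqdn     # should equal IsGC
        }
    }
    # Anything in DNS that is not a current DC is stale and should be removed from the zone:
    # clients would otherwise try it first and time out.
    $stale = $srv.LDAP | Where-Object { $known -notcontains $_ }
    if ($stale) { Write-Warning "SRV records point at hosts that are not DCs: $($stale -join ', ')" }
}

Test-DcDnsRegistration -Domain 'ourdom.com'
# A DC that is missing from DNS can re-register with: nltest /dsregdns (or restart Netlogon).
```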

WINS automatic backup time

The WINS database files are in %SystemRoot%\System32\Wins; the database itself is Wins.mdb. Once a backup path has been configured, an automatic WINS backup occurs 24 to 27 hours after the last backup.

Minimum password length determines the minimum number of characters a password can have. Although Windows 2000 and Windows Server 2003 support passwords up to 127 characters in length, the value of this setting can only be between 0 and 14. If it is set to 0, users are allowed to have blank passwords, so you should not use a value of 0. It is recommended that you set this value to at least 8 characters. The default maximum password age is 42 days.

Password storage location:

When you ran Dcpromo.exe to install Active Directory, it requested a password to be used for the Administrator password for Active Directory Restore Mode. This password is not stored in Active Directory. It is stored in an NT4-style SAM file and is the only account available when the AD is corrupted.

How do you delete a lingering object? Windows Server 2003 provides a command called Repadmin that provides the ability to delete lingering objects in the Active Directory. 

If I delete a user and then create a new account with the same username and password, would the SID and permissions stay the same? No. If you delete a user account and attempt to recreate it with the same user name and password, the SID will be different. 

What is the default replication interval between sites?

The default replication interval on a site link is 180 minutes (3 hours); it can be lowered to a minimum of 15 minutes.

What is the default replication interval between DCs in the same site?

Intra-site replication is notification based rather than scheduled. On Windows 2000 a domain controller waits 5 minutes after a change before notifying its first replication partner, then 30 seconds between subsequent partners; at the Windows Server 2003 forest functional level those delays drop to 15 seconds and 3 seconds. Urgent changes such as account lockouts replicate immediately, and password changes are pushed to the PDC emulator at once.

What are the modes in Terminal services?

Application server mode and Remote administration mode

Ports

What are the standard port numbers?

SMTP 25, POP3 110, IMAP4 143, RPC endpoint mapper 135, LDAP 389, LDAPS 636, HTTPS (SSL) 443, HTTP 80, RDP 3389, DNS 53, DHCP 67 (server) and 68 (client), FTP 21, Global Catalog 3268 (3269 over SSL), Kerberos 88, NNTP 119, TFTP 69, SNMP 161, SMB 445.

DCPROMO /ADV

When running the wizard from the command line, you can append the /adv switch to the dcpromo command to populate the directory from a backup of System State data taken on another domain controller in the same domain ("install from media"). Installing from backup media reduces the amount of data that must be replicated over the network, and so the time required to install Active Directory. The backup must be younger than the tombstone lifetime.

What is the maximum amount of databases that can be hosted on Exchange 2003 Enterprise? –

20 databases. 4 SGs x 5 DBs.

What is the default life time period not deleting an unconnected mailbox?

The timeline for not deleting an unconnected mailbox from the storage is 30 days by default and can be increased using a private storage system policy.

Some features that are new in Exchange 2003 are:

M: Drive Mapping Removed

Exchange Instant Messaging Removed

Volume Shadow Copy Service for Database Backups/Recovery

Mailbox Recovery Center

Recovery Storage Group


Front-end and back-end Kerberos authentication

Distribution lists are restricted to authenticated users

Real-time Safe and Block lists

Inbound recipient filtering

Attachment blocking in Microsoft Office Outlook Web Access

HTTP access from Outlook 2003

Queues are centralized on a per-server basis

Move log files and queue data using Exchange System Manager

Multiple Mailbox Move tool

Dynamic distribution lists

1,700 Exchange-specific events using Microsoft Operations Manager (requires Microsoft Operations Manager)

Deployment and migration tools

Is circular logging enabled in Exchange 5.5 versions?

Circular Logging is turned on by default for Exchange Server 5.5 and earlier, but circular logging is turned off by default for Exchange 2000 Server.

What happened to the M: drive?

The EXIFS (M: drive) feature has been disabled by default. If the feature is still needed, it can be assigned to an available drive letter with a registry setting.

What is the difference between Exchange 2003 Standard and Exchange 2003 Enterprise editions?

Standard Edition:
• 16 GB database limit (raised to 75 GB by Exchange 2003 SP2)
• One mailbox store
• One public folder store

Enterprise Edition:
• Clustering
• Up to 20 databases per server (4 storage groups x 5 stores)
• X.400 Connectors
• 16 TB database limit

Summary Exchange Server 2003


Routing Groups: Folder holding a bunch of servers.

Connectors: Configurable 'pipes' that join the servers in different routing groups.

Routing Group Connector: Native Exchange method to transfer email to other servers.

SMTP Connector: Internet connector.

X.400 Connector: Little used method of transmitting email messages.

Routing Group Master: Co-ordinates routing information to all servers in the group

Bridgehead server

The term is used in two places. In Windows 2000 Server Active Directory, a bridgehead server is the domain controller in a site that sends and receives replication information for that site; by default the replication topology generator, the Knowledge Consistency Checker (KCC), chooses the bridgehead servers automatically, although you can designate preferred bridgeheads yourself. In Exchange, a bridgehead is the server in a routing group through which all mail to and from another routing group is physically routed over a connector; it is the key concept once a routing group has more than one server. The bridgehead options are flexible: either you nominate one server on each side of the connector as a bridgehead, or all servers in the routing group can be bridgeheads.

MS SQL

Where do you think the user names and passwords are stored in SQL Server?

They are stored in the master database, in the sysxlogins table.

Let us say the SQL Server crashed and you are rebuilding the databases, including the master database. What procedure do you follow?

To restore the master database we have to stop SQL Server first and then, from the command line, start it with sqlservr -m, which brings it up in maintenance (single-user) mode; after that we can restore the master database.

Important Windows commands


How many users are logged on/connected to a server?

Sometimes we may need to know how many users are logged on to a (file) server, for example when there is a performance degradation.

At the server's console itself, with native commands only:

NET SESSION | FIND /C "\\"

Remotely, with the help of SysInternals' PSTools:

PSEXEC \\servername NET SESSION | FIND /C "\\"

Who is logged on to a computer?

We often need to know who is currently logged on to a remote computer.

With native Windows commands only:

NBTSTAT -a remotecomputer | FIND "<03>" | FIND /I /V "remotecomputer"

The first name in the list usually is the logged on user (try playing with the NET NAME command to learn more about the names displayed by NBTSTAT).

With the help of SysInternals' PSTools:

PSLOGGEDON -L \\remotecomputer

or:

PSEXEC \\remotecomputer NET CONFIG WORKSTATION | FIND /I " name "

or:

PSEXEC \\remotecomputer NET NAME

PSLOGGEDON is the most accurate solution, except that it will display the last logged on user if no one is currently logged on. The others all show more or less the same results, but the NBTSTAT command is much faster.

What is this colleague's login name?

My colleagues often forget to mention their logon account name when calling the helpdesk, and the helpdesk doesn't always ask either. I suppose they expect me to know all 1500+ accounts by heart.

With (native) Windows Server 2003 commands only:

DSQUERY USER -name *lastname* | DSGET USER -samid -display

Note: Windows Server 2003's "DSTools" will work fine in Windows 2000 and XP too, when copied. Keep in mind, however, that some Windows Server 2003 Active Directory functionality is not available in Windows 2000 Active Directories.


What is the full name for this login name?

With the native NET command:

NET USER loginname /DOMAIN | FIND /I " name "

With (native) Windows Server 2003 commands:

DSQUERY USER -samid *loginname* | DSGET USER -samid -display

Note: The NET command may seem more universal, because it requires neither Active Directory nor Windows Server 2003 commands, but it is language dependent! For non-English Windows you may need to modify FIND's search string.

What groups is this user a member of?

In Windows NT 4 and later, users usually are members of global groups. These global groups in turn are members of (domain) local groups. Access permissions are given to (domain) local groups.

To check if a user has access to a resource, we need to check group membership recursively.

With (native) Windows Server 2003 commands:

DSQUERY USER -samid loginname | DSGET USER -memberof -expand
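The recursive expansion that DSGET -memberof -expand performs, shown as an added Python example that is not part of these notes: the nested-group data and share ACLs are constructed for the demo, and the helper returns the nesting chain that grants a user access, terminating even when groups are nested in a circle.

```python
"""Transitive group-membership check, the recursion DSGET -memberof -expand does.

Added example, not part of the original notes. All directory data and ACLs
below are constructed for the demo."""
from collections import deque

# Constructed sample: sAMAccountName -> groups the object is a DIRECT member of.
# Users sit in global groups, global groups are nested in domain local (DL-)
# groups, and permissions are granted to the domain local groups.
DIRECT_MEMBEROF = {
    "jdoe":               ["Finance-Users", "Domain Users"],
    "Finance-Users":      ["DL-FinanceShare-RW"],
    "DL-FinanceShare-RW": [],
    "Domain Users":       ["DL-Everyone-Read"],
    "DL-Everyone-Read":   [],
    # circular nesting (Loop-A in Loop-B, Loop-B in Loop-A): a naive recursion
    # would never terminate, which is why the walk below keeps a visited set
    "asmith":             ["Loop-A"],
    "Loop-A":             ["Loop-B"],
    "Loop-B":             ["Loop-A", "DL-Loop-RW"],
    "DL-Loop-RW":         [],
}

# Constructed ACLs: resource -> groups that hold access on it.
RESOURCE_ACLS = {
    r"\\FS1\Finance": {"DL-FinanceShare-RW"},
    r"\\FS1\Public":  {"DL-Everyone-Read"},
    r"\\FS1\Loop":    {"DL-Loop-RW"},
}


def expand_memberof(principal, memberof=DIRECT_MEMBEROF):
    """Every group `principal` belongs to, directly or through nesting."""
    seen = set()
    queue = deque(memberof.get(principal, []))
    while queue:
        group = queue.popleft()
        if group in seen:          # already expanded: skipping breaks nesting loops
            continue
        seen.add(group)
        queue.extend(memberof.get(group, []))
    return seen


def access_path(principal, resource, acls=RESOURCE_ACLS, memberof=DIRECT_MEMBEROF):
    """Nesting chain [principal, ..., granting group] that puts `principal`
    on the resource ACL, or None when no effective group grants access.
    Breadth-first, so the shortest chain is returned."""
    granting = acls.get(resource, set())
    parent = {principal: None}      # doubles as the visited set
    queue = deque([principal])
    while queue:
        node = queue.popleft()
        if node in granting:
            chain = []
            while node is not None:
                chain.append(node)
                node = parent[node]
            return chain[::-1]
        for group in memberof.get(node, []):
            if group not in parent:
                parent[group] = node
                queue.append(group)
    return None


def has_access(principal, resource, acls=RESOURCE_ACLS, memberof=DIRECT_MEMBEROF):
    """True if any effective group of `principal` appears on the resource ACL."""
    return access_path(principal, resource, acls, memberof) is not None


if __name__ == "__main__":
    for user in ("jdoe", "asmith"):
        print(user, "->", sorted(expand_memberof(user)))
        for share in RESOURCE_ACLS:
            print("  ", share, access_path(user, share))
```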

 

What permissions does a user have on this directory?

One could use the previous command to check what permissions a user has on a certain directory.

However, sometimes SHOWACLS from the Windows Server 2003 Resource Kit Tools is a better alternative:

CD /D d:\directory2check
SHOWACLS /U:domain\userid

When did someone last change his password?

With the native NET command:

NET USER loginname /DOMAIN | FIND /I "Password last set"

How do I reset someone's password?

With the native NET command:

NET USER loginname newpassword /DOMAIN

With (native) Windows Server 2003 commands:

DSQUERY USER -samid loginname | DSMOD USER -pwd newpassword

Note: To prevent the new password from being displayed on screen, replace it with an asterisk (*); you will then be prompted (twice) to type the new password "blindly".

Is someone's account locked?

With the native NET command:

NET USER loginname /DOMAIN | FIND /I "Account active"

The account is either locked ("Locked") or active ("Yes").

How to unlock a locked account

With the native NET command:

NET USER loginname /DOMAIN /ACTIVE:YES

or, if the password needs to be reset as well:

NET USER loginname newpassword /DOMAIN /ACTIVE:YES

List all domains and workgroups in the network

With the native NET command:

NET VIEW /DOMAIN

List all domain controllers

With (native) Windows Server 2003 commands:

DSQUERY Server

or, if you prefer host names only:

FOR /F "tokens=2 delims==," %%A IN ('DSQUERY Server') DO @ECHO.%%A

"I need an up-to-date list of disk space usage for all servers, on my desk in 5 minutes"Sounds familiar?

With (native) Windows XP Professional or Windows Server 2003 commands:

FOR /F %%A IN (servers.txt) DO ( WMIC /Node:%%A LogicalDisk Where DriveType="3" Get DeviceID,FileSystem,FreeSpace,Size /Format:csv | MORE /E +2 >> SRVSPACE.CSV )

The only prerequisites are:

1. SRVSPACE.CSV should not exist or be empty,
2. a list of server names in a file named SERVERS.TXT, one server name on each line,
3. and WMIC.EXE, which is native in Windows XP Professional, Windows Server 2003 and Vista.

The CSV file format is ServerName,DeviceID,FileSystem,FreeSpace,Size (one line for each harddisk partition on each server).

If you have a strict server naming convention, SERVERS.TXT itself can be generated with the NET command:

FOR /F "delims=\ " %%A IN ('NET VIEW ^| FIND "\\SRV-"') DO (>>SERVERS.TXT ECHO.%%A)

Notes: (1) assuming server names start with "SRV-"; modify to match your own naming convention. (2) delims is a backslash, followed by a tab and a space.

Inventory drivers on any PC

With (native) Windows XP Professional or Windows Server 2003 commands:

DRIVERQUERY /V /FO CSV > %ComputerName%.csv

Or, for remote computers:

DRIVERQUERY /S remote_PC /V /FO CSV > remote_PC.csv


SMTP Categorizer

The SMTP categorizer (also referred to as the categorizer) is a component of the Exchange Server 2003 transport engine. When a message is submitted to the transport process, the categorizer uses the header information on the message to query Active Directory for information about how and where the message must be delivered. For example, from an SMTP address such as [email protected], the categorizer identifies the Exchange Server 2003 server that contains the user's mailbox and determines how to route the message to that server. The categorizer also expands distribution lists and applies per-user limits to messages.

[Figure: The architecture of the Exchange categorizer]

What queues should I monitor?


Messages will pass through the following queues during outbound mail flow. If problems exist with the queues, messages may not be delivered. Consider using Queue Viewer in Exchange System Manager to monitor the status and state of the following queues:

Messages Pending Submission: Also called the pre-submission queue. This queue contains messages accepted by the SMTP service. Messages in this queue have not yet been processed by the message categorizer. If messages are accumulating in this queue, it may indicate a performance problem on the Exchange server, or it may indicate a problem with an event sink (such as custom SMTP processing code for anti-virus screening).

Messages Awaiting Directory Lookup: Also called the pre-categorization queue. This queue contains messages that have passed through the pre-submission queue and are waiting to be processed by the message categorizer. Messages will accumulate in this queue when the message categorizer is unable to process messages. Reasons the message categorizer may be unable to process messages include the following:

• The message categorizer may not be able to access the global catalog to obtain recipient information.
• The global catalog lookup may be performing slowly.
• If this is a front-end server, the required mailbox store may be disabled on the front-end server.

Local Delivery: Contains messages destined for recipient mailboxes that reside on the local Exchange 2003 server. Messages can accumulate in this queue if the Microsoft Exchange Information Store service is not accepting messages or if it has a performance problem.

Messages Waiting to be Routed: Contains messages destined for remote delivery. Messages can accumulate in this queue if problems exist with routing.

Remote Delivery: Contains messages that are destined for remote delivery. If this queue is in a Retry state (that is, the connection has failed), use Telnet.exe to try to connect to the intended destination host. Restart the SMTP virtual server to immediately retry sending queued messages.


Messages with an Unreachable Destination: Contains messages that cannot reach their final destination server. Reasons that messages may not be able to reach their destinations include the following:

• The route cannot be determined
• The routes are unavailable
• A connector is down

Messages Queued for Deferred Delivery: Contains messages that are queued for later delivery. Reasons that messages will be placed in this queue include the following:

• Messages are sent by previous versions of Microsoft Outlook (such as Outlook 2000)
• A message is sent to a user's mailbox while the mailbox is being moved
• The user does not yet have a mailbox and no master account security ID (SID) exists for the user
• SMTP message routing is configured in a way that causes a message to loop (looping messages are moved to this queue)

DSN Messages Pending Submission: Contains delivery status notifications that are waiting to be rendered by Exchange Server. For example, NDRs are delivery status notifications. Reasons that messages will accumulate in this queue include the following:

• The Microsoft Exchange Information Store service is unavailable or not running
• A mailbox store is not mounted
• Issues exist with the IMAIL Exchange store component

Failed Message Retry: Contains messages that failed queue submission. Messages can fail for several reasons, including if the message is corrupted or if system resources are low. If messages appear in this queue, review your server configuration to determine whether you have non-Microsoft programs or event sinks installed (such as virus scanners) that can interfere with message queuing. If the system is responding slowly, use Windows Task Manager to identify processes consuming system resources. Restarting Internet Information Services (IIS) may solve the problem temporarily and allow you more time to identify the root cause of the problem.

HDD Model and Array Configuration and iLO concepts

iLO makes it possible to perform activities on an HP server from a remote location. The iLO card has a separate network connection (and its own IP address) to which one can connect via HTTPS. Possible options are:

• reset the server (in case the server doesn't respond any more via the normal network card)
• power up the server (possible from a remote location, even if the server is shut down)
• take over the screen
• mount a remote physical CD/DVD drive or image
• access the server's IML (Integrated Management Log)
• remote console (in some cases, however, an 'Advanced license' may be required for some of the utilities to work)

Hardware Models

DL 380 rack-mountable servers

Dell PowerEdge 2850, 2950

RAID can be configured during OS installation by booting from the server CD supplied by HP or Dell, or from the BIOS/controller setup utility.

Note: "Array" here refers to the RAID 5 configuration.

Array configuration: to create a RAID set on the RAID controller, the array has to be configured first.

Version: 5i

HP or Dell management:

Through the HP management tool we can find hardware problems such as a failed HDD (identified by port and bay, for example port 0, bay 1). We note the error number from the log and raise a call with the vendor, who then comes to our site and resolves the problem.

Firmware upgrades

HP Management server tool:

The SMS Inventory Tool for HP ProLiant and Integrity Update enables the use of Microsoft Systems Management Server 2003 with Service Pack 1, Service Pack 2, or Service Pack 3 (SMS 2003 SP1, SP2, or SP3) for management and distribution of HP ProLiant and Integrity server system software, firmware, and complete support packs. The SMS Inventory Tool allows customers that have chosen SMS 2003 to manage HP server inventory and software with the tool they also use to manage operating system software updates. This product expands on existing integration tools for ProLiant with SMS 2000 and SMS 2003.

Customers using SMS will appreciate the obvious integration of the HP server software catalog within the SMS management structure. The Inventory tool supports all SMS features, including server inventory with adjustable scope, such as filtering by server model or Windows version. It allows remote scanning of HP server software configurations and reporting of the results via standard template reports. The tool also enables management and distribution of complete Support Packs or individual components (drivers, ROM, and software agents) to defined collections of servers. All data is presented through the SMS interface.

What's New:

The SMS Inventory Tool for HP ProLiant and Integrity Servers Update has been updated. The version 1.3 release provides support for the Collect Utility to the newer PSPs and ISPs.

ProLiant Support Packs (PSP) represent operating system (OS) specific bundles of ProLiant optimized drivers, utilities, and management agents.

Integrity Support Packs (ISP) represent operating system (OS) specific bundles of Integrity optimized drivers, utilities, and management agents.

The SMS Inventory Tool for HP ProLiant and Integrity Update enhances previous SMS integration tools provided by HP. The Inventory tool adds the following features:

Management
• Support of the Collect Utility to PSP 7.9 for ProLiant servers
• Support of the Collect Utility to ISP 5.2 for Integrity servers

Usability
• Simplified distribution of ProLiant and Integrity support packs directly from HP.com through the SMS user interface
• Complete installation documentation and an interactive Troubleshooting Assistant to allow simple resolution of common installation and configuration questions
• Supports ProLiant Support Pack 7.6 and Integrity Support Pack 4.6 and later for Windows Server 2003; PSP 7.2 supported for Windows 2000 Server
• Supports ProLiant Support Pack 7.9 and Integrity Support Pack 5.2 and later for Windows Server 2003

HP array configuration utility (RAID 5)

Overview

All Smart Array products share a common set of configuration, management and diagnostic tools, including Array Configuration Utility (ACU), Array Diagnostic Utility (ADU), and Systems Insight Manager. This consistency of tools reduces the cost of training for each successive generation of product and takes much of the guesswork out of troubleshooting field problems. These tools lower the total cost of ownership by reducing the training and technical expertise necessary to install and maintain HP server storage.

 

Dell Management Tool (OMSA) - open manage server administrator 7.0

Dell OpenManage™ Server Administrator Storage Management provides enhanced features for configuring a system's locally-attached RAID and non-RAID disk storage. Storage Management enables you to perform controller and enclosure functions for all supported RAID and non-RAID controllers and enclosures from a single graphical or command-line interface without requiring use of the controller BIOS utilities. The graphical interface is wizard-driven with features for novice and advanced users and detailed online help. The command-line interface is fully-featured and scriptable. Using Storage Management, you can protect your data by configuring data-redundancy, assigning hot spares, or rebuilding failed physical disks. You can also perform data-destructive tasks. All users of Storage Management should be familiar with their storage environment and storage management.

Storage Management supports SCSI, SATA, ATA, and SAS but not fibre channel.

NOTE: Starting with Dell OpenManage 5.0, Array Manager is no longer an installable option. If you have an Array Manager installation and need information on how to migrate from Array Manager to Storage Management, refer to the product documentation prior to Storage Management 2.1 or Dell OpenManage 5.1.

Take Control with Dell Systems Management.

Dell's approach to systems management is to provide inherently manageable, standards-based platforms along with a comprehensive set of standards-based tools for proactive management throughout the computing life cycle. Dell server, storage, networking, and client solutions are designed to help simplify and automate the administration of your technology resources-and to help you control your IT investment.

The advantages of our interoperable management solutions derive from Dell's commitment to:

Open manageability —Dell's instrumented clients, servers, storage, printers and network platforms interface seamlessly with most standards-based management tools and consoles. Dell systems management solutions and platforms provide the pro-active management information and control functions you need to optimize deployment, health status monitoring, fault recovery, change management and more.

Industry standards —Dell champions open standards within the industry because they are the foundation for management systems that can deploy, monitor and upgrade heterogeneous computing environments. Standards also give you greater choice in the selection of your systems management solution, providing more flexibility to better meet your specific requirements.

Strong partnerships —Dell partners with industry-leading companies to deliver integrated, "best-in-class" technologies, services and standardized components to provide customers with cost-effective broad-based systems management functionality.

RAID?



RAID (Redundant Array of Independent Disks) is a technology for managing how data is stored on the physical disks that reside in your system or are attached to it. A key aspect of RAID is the ability to span physical disks so that the combined storage capacity of multiple physical disks can be treated as a single, extended chunk of disk space. Another key aspect of RAID is the ability to maintain redundant data which can be used to restore data in the event of a disk failure. RAID uses different techniques, such as striping, mirroring, and parity, to store and reconstruct data. There are different RAID levels that use different methods for storing and reconstructing data. The RAID levels have different characteristics in terms of read/write performance, data protection, and storage capacity. Not all RAID levels maintain redundant data, which means for some RAID levels lost data cannot be restored. Which RAID level you choose depends on whether your priority is performance, protection, or storage capacity.

NOTE: The RAID Advisory Board (RAB) defines the specifications used to implement RAID. Although the RAID Advisory Board (RAB) defines the RAID levels, commercial implementation of RAID levels by different vendors may vary from the actual RAID specifications. An implementation used by a particular vendor may affect the read and write performance and the degree of data redundancy.

Hardware and Software RAID

RAID can be implemented with either hardware or software. A system using hardware RAID has a RAID controller that implements the RAID levels and processes data reads and writes to the physical disks. When using software RAID, the operating system must implement the RAID levels. For this reason, using software RAID by itself can slow system performance. You can, however, use software RAID on top of hardware RAID volumes to provide greater performance and variety in the configuration of RAID volumes. For example, you can mirror a pair of hardware RAID 5 volumes across two RAID controllers to provide RAID controller redundancy.

NOTE: This release of Storage Management only supports hardware RAID.

RAID Concepts

RAID uses particular techniques for writing data to disks. These techniques enable RAID to provide data redundancy or better performance. These techniques include:

Mirroring (RAID 1)— Duplicating data from one physical disk to another physical disk. Mirroring provides data redundancy by maintaining two copies of the same data on different physical disks. If one of the disks in the mirror fails, the system can continue to operate using the unaffected disk. Both sides of the mirror contain the same data at all times. Either side of the mirror can act as the operational side. A mirrored RAID disk group is comparable in performance to a RAID 5 disk group in read operations but faster in write operations.

Striping (RAID 10) — Disk striping writes data across all physical disks in a virtual disk. Each stripe consists of consecutive virtual disk data addresses that are mapped in fixed-size units to each physical disk in the virtual disk using a sequential pattern. For example, if the virtual disk includes five physical disks, the stripe writes data to physical disks one through five without repeating any of the physical disks. The amount of space consumed by a stripe is the same on each physical disk. The portion of a stripe that resides on a physical disk is a stripe element. Striping by itself does not provide data redundancy. Striping in combination with parity does provide data redundancy.


Stripe size — The total disk space consumed by a stripe not including a parity disk. For example, consider a stripe that contains 64KB of disk space and has 16KB of data residing on each disk in the stripe. In this case, the stripe size is 64KB and the stripe element size is 16KB.

Stripe element — A stripe element is the portion of a stripe that resides on a single physical disk.

Stripe element size — The amount of disk space consumed by a stripe element. For example, consider a stripe that contains 64KB of disk space and has 16KB of data residing on each disk in the stripe. In this case, the stripe element size is 16KB and the stripe size is 64KB.

Parity — Parity refers to redundant data that is maintained using an algorithm in combination with striping. When one of the striped disks fails, the data can be reconstructed from the parity information using the algorithm.

Span — A span is a RAID technique used to combine storage space from groups of physical disks into a RAID 10 or 50 virtual disk.

RAID Levels

Each RAID level uses some combination of mirroring, striping, and parity to provide data redundancy or improved read and write performance. For specific information on each RAID level, see "Choosing RAID Levels and Concatenation."

Organizing Data Storage for Availability and Performance

RAID provides different methods or RAID levels for organizing the disk storage. Some RAID levels maintain redundant data so that you can restore data after a disk failure. Different RAID levels may also entail an increase or decrease in the system's I/O (read and write) performance.

Maintaining redundant data requires the use of additional physical disks. As more disks become involved, the likelihood of a disk failure increases. Because of the differences in I/O performance and redundancy, one RAID level may be more appropriate than another based on the applications in the operating environment and the nature of the data being stored.

When choosing concatenation or a RAID level, the following performance and cost considerations apply:

Availability or fault-tolerance. Availability or fault-tolerance refers to a system's ability to maintain operations and provide access to data even when one of its components has failed. In RAID volumes, availability or fault-tolerance is achieved by maintaining redundant data. Redundant data includes mirrors (duplicate data) and parity information (reconstructing data using an algorithm).

Performance. Read and write performance can be increased or decreased depending on the RAID level you choose. Some RAID levels may be more appropriate for particular applications.

Cost efficiency. Maintaining the redundant data or parity information associated with RAID volumes requires additional disk space. In situations where the data is temporary, easily reproduced, or non-essential, the increased cost of data redundancy may not be justified.

Mean Time Between Failure (MTBF). Using additional disks to maintain data redundancy also increases the chance of disk failure at any given moment. Although this cannot be avoided in situations where redundant data is a requirement, it does have implications for the workload of your organization's system support staff.


For more information, see "Choosing RAID Levels and Concatenation."

Choosing RAID Levels and Concatenation

You can use RAID or concatenation to control data storage on multiple disks. Each RAID level or concatenation has different performance and data protection characteristics.

The following sections provide specific information on how each RAID level or concatenation stores data as well as their performance and protection characteristics:

"Concatenation"
"RAID Level 0 (Striping)"
"RAID Level 1 (Mirroring)"
"RAID Level 5 (Striping with distributed parity)"
"RAID Level 50 (Striping over RAID 5 sets)"
"RAID Level 10 (Striping over mirror sets)"
"RAID Level 1-Concatenated (Concatenated mirror)"
"Comparing RAID Level and Concatenation Performance"

RAID

RAID, or Redundant Array of Independent Disks, comes in different flavours, from RAID 0 and RAID 1 to combinations of those two, and going up to RAID 5 and RAID 10.

RAID 1, also called mirroring, is setting up two disks such that the second one mirrors the first, providing you an up-to-the-minute backup if something ever goes wrong with the first disk. Should the first hard disk fail you simply remove it, put the second disk in its place and carry on where you left off.

RAID 0 + 1

You could have a combination of RAID 0 and RAID 1 to provide both the speed and the security. You will, of course, need several hard disks for this.

RAID 1.5

A new concept, but the jury is still out on this one. It may give you slightly higher read speeds but write speeds don't benefit.

What you need to set up RAID 0 or RAID 1

You need to have a motherboard that has a RAID controller on it. If the motherboard does not have a RAID controller you will need to add a PCI RAID controller card. Check that the RAID facility it offers covers the type of hard disk you want to use (IDE/SATA/SCSI).

While it is not mandatory to have identical hard disks, it is very highly recommended not just that you have similar sized disks but also exactly the same make and model.

Tips:

RAID 0 + 1 will give you the best of both worlds.

You do not need to have your operating system on the RAID drives.

RAID-0. Has striping but no redundancy of data. Offers the best performance but no fault-tolerance.

RAID-1. Also known as disk mirroring and consists of at least two drives that duplicate the storage of data.

RAID 5.

Technique(s) Used: Block-level striping with distributed parity.

Description: One of the most popular RAID levels, RAID 5 stripes both data and parity information across three or more drives. It is similar to RAID 4 except that it exchanges the dedicated parity drive for a distributed parity algorithm, writing data and parity blocks across all the drives in the array. This removes the "bottleneck" that the dedicated parity drive represents, improving write performance slightly and allowing somewhat better parallelism in a multiple-transaction environment, though the overhead necessary in dealing with the parity continues to bog down writes. Fault tolerance is maintained by ensuring that the parity information for any given block of data is placed on a drive separate from those used to store the data itself. The performance of a RAID 5 array can be "adjusted" by trying different stripe sizes until one is found that is well-matched to the application being used.

If a set of 30 hard disks is configured for RAID 5 and two hard disks fail, what happens to the data?

Because of the parity information, all data remain available if one of the disks fails. If extra (spare) disks are available, reconstruction begins immediately after the device failure. However, if two hard disks fail at the same time, all data are LOST. In short, RAID 5 can survive one disk failure, but not two or more.

In RAID 5, suppose I have 5 HDDs of 10 GB each; after configuring the RAID, how much space do I have available to use?

One disk less than the total (e.g. if you are using 5 disks you get the capacity of only 4, because one disk's worth goes to parity).
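As an added example that is not from these notes, the following Python simulates RAID 5 in memory with XOR parity rotated across constructed byte-array "disks", so both answers above can be checked: usable capacity is (n - 1) disks, one failed disk is rebuilt from the XOR of the survivors, and a second simultaneous failure is unrecoverable. The 4-byte stripe element size is an assumption chosen only to keep the layout readable.

```python
"""RAID 5 in memory: block-level striping with rotated XOR parity.

Added example, not from the original notes. Disks are constructed bytearrays;
ELEMENT is a deliberately tiny stripe element size (real controllers use
tens of KB) so the layout stays readable."""

ELEMENT = 4   # stripe element size in bytes (assumption for the demo)


def xor_blocks(blocks):
    """XOR equal-length byte blocks together (the parity operation)."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def usable_capacity(n_disks, disk_size):
    """RAID 5 spends one disk's worth of space on parity: (n - 1) * size."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    return (n_disks - 1) * disk_size


def parity_disk_for(stripe, n_disks):
    """Distributed parity: the parity element rotates one disk per stripe
    (left-symmetric layout), so no single disk is the write bottleneck."""
    return (n_disks - 1 - stripe) % n_disks


def raid5_write(data, n_disks):
    """Stripe `data` across n_disks bytearrays, one XOR parity element per stripe."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    data_per_stripe = ELEMENT * (n_disks - 1)
    padded = data + b"\0" * (-len(data) % data_per_stripe)   # whole stripes only
    disks = [bytearray() for _ in range(n_disks)]
    for stripe in range(len(padded) // data_per_stripe):
        chunk = padded[stripe * data_per_stripe:(stripe + 1) * data_per_stripe]
        elements = [chunk[i:i + ELEMENT] for i in range(0, data_per_stripe, ELEMENT)]
        parity = xor_blocks(elements)
        pdisk = parity_disk_for(stripe, n_disks)
        remaining = iter(elements)
        for d in range(n_disks):
            disks[d] += parity if d == pdisk else next(remaining)
    return disks


def raid5_read(disks, failed=()):
    """Reassemble the data. An element on the single failed disk is rebuilt as
    the XOR of the other n-1 elements of its stripe; two failures are fatal."""
    failed = set(failed)
    if len(failed) > 1:
        raise RuntimeError(f"{len(failed)} disks failed: RAID 5 data is lost")
    n_disks = len(disks)
    out = bytearray()
    for stripe in range(len(disks[0]) // ELEMENT):
        lo, hi = stripe * ELEMENT, (stripe + 1) * ELEMENT
        elements = {d: bytes(disks[d][lo:hi]) for d in range(n_disks) if d not in failed}
        for d in failed:                                   # at most one
            elements[d] = xor_blocks(list(elements.values()))
        pdisk = parity_disk_for(stripe, n_disks)
        out += b"".join(elements[d] for d in range(n_disks) if d != pdisk)
    return bytes(out)


SAMPLE = b"The quick brown fox jumps over the lazy dog"   # constructed payload


def survives(n_disks, failed):
    """True if SAMPLE is still readable from an n-disk RAID 5 after `failed` die."""
    try:
        return raid5_read(raid5_write(SAMPLE, n_disks), failed)[:len(SAMPLE)] == SAMPLE
    except RuntimeError:
        return False


if __name__ == "__main__":
    print("5 x 10 GB usable:", usable_capacity(5, 10), "GB")
    print("30 disks, disk 7 fails:", survives(30, [7]))
    print("30 disks, disks 3 and 9 fail:", survives(30, [3, 9]))
```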

Clustering

A server cluster is a group of independent servers running Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition, and working together as a single system to provide high availability of services for clients. When a failure occurs on one computer in a cluster, resources are redirected and the workload is redistributed to another computer in the cluster. You can use server clusters to ensure that users have constant access to important server-based resources.

Typical uses for server clusters include file servers, print servers, database servers, and messaging servers.

Introduction to Server Clusters

A cluster consists of two or more computers working together to provide a higher level of availability, reliability, and scalability than can be obtained by using a single computer.

• Application and service failures, which affect application software and essential services.
• System and hardware failures, which affect hardware components such as CPUs, drives, memory, network adapters, and power supplies.
• Site failures in multisite organizations, which can be caused by natural disasters, power outages, or connectivity outages.

Dependencies on Other Technologies

Server clusters require network technologies that use IP-based protocols and depend on the following basic elements of network infrastructure:

• The Active Directory directory service (although server clusters can run on Windows NT, which does not use Active Directory).

Server Cluster Tools

The following tools are associated with server clusters.

Cluadmin.exe: Cluster Administrator

Category: Tool included in Windows Server 2003, Standard Edition, Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, operating systems. The tool is also included in the Windows Server 2003 Administration Tools Pack.

Cluster.exe

Category: Tool included in Windows Server 2003, Standard Edition, Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, operating systems. The tool is also included in the Windows Server 2003 Administration Tools Pack.

Cluster.exe can target server cluster nodes that are running Windows Server 2003, Enterprise Edition, Windows Server 2003, Datacenter Edition, Windows 2000 Advanced Server, Windows 2000 Datacenter Server, and Windows NT Server 4.0, Enterprise Edition.

Cluster.exe is the command-line interface for server clusters. Cluster.exe provides all the functionality of Cluster Administrator, the graphical user interface (GUI), plus several additional functions:

VMware


VM ware is a application software, we will install the VM Ware software into one Server and we can

create the servers.

VMware Virtual Infrastructure Client 2.0

This software layer creates virtual machines and contains a virtual machine monitor or “hypervisor” that allocates hardware resources dynamically and transparently so that multiple operating systems can run concurrently on a single physical computer without even knowing it.

Some Advantages of VMware

A normal installation of a Microsoft operating system requires a long manual process to configure the system to the specific hardware of the machine. This means that the same installation cannot be used for another machine, which usually has different hardware. Since VMware emulates the same set of virtual devices on any machine, a single operating system image can be used.

It is also possible to configure VMware virtual disks in a read-only mode, so that changes to the filesystem are written to a separate log file rather than being written back to the disk image. When the virtual machine is shut down, the changes can either be discarded or committed back into the disk image. This allows a single disk image to be used without any fear of it being corrupted. It also allows software to be installed experimentally, with the installation only being committed if it is successful.

 

Citrix

Citrix (Citrix ICA protocol, port no.: 1494)

Citrix Presentation Server Application Streaming

The application streaming feature of Presentation Server 4.5 enables applications to be delivered to client devices and run in a protected, virtual environment. Applications are managed in a centralized Application Hub, but are streamed to the client device and run in an isolation environment. Applications become an on-demand service that is always available and up to date.

The Challenge

The reality today is that many companies are hitting a wall of complexity when it comes to managing their ever-growing number of desktop applications and diverse access scenarios. This complexity translates into a huge amount of time and money spent providing what amounts to a patchwork solution. The Application Streaming feature of Presentation Server offers a compelling virtualization solution for centrally delivering all Windows-based applications to both Presentation Server environments and to desktops.

Application Streaming benefits

Client-side application virtualization reduces the cost of testing, installing and supporting applications. Together with application isolation technology,

With server-side application virtualization, the server acts as the client. Applications are streamed to a protected isolation environment on the server as opposed to the local device. This has many of the same benefits as client-side virtualization and also helps reduce application silos and greatly improves management of Presentation Server farms.

Key Benefits

As a key component of both client-side and server-side Application Virtualization, Application Streaming enables IT to:

1. Eliminate application conflicts and operating system instability resulting from desktop application installation

2. Reduce the costs associated with regression testing, deployment, maintenance, updates, and de-provisioning for applications being run locally on users' machines

3. Enable IT to offer applications as an on-demand service

4. Lower application support costs by automatically updating and repairing applications every time they are used

5. Speed regulatory compliance by eliminating the need for extensive testing to certify applications

6. Enhance security by giving IT administrators complete control over applications delivered to desktops, even those of unmanaged partners and users

Client side

Client-Side Application Virtualization enables applications to be delivered to client devices and run in a protected, virtual environment. Applications are managed in a centralized Application Hub, but are streamed to the user's machine and run in an isolation environment. Applications become an on-demand service that is always available and up to date. Caching technology makes the application available even when not connected to the network.

· Record – Applications are packaged using the Profiler, which determines the components and the system resources the application requires and then defines a set of rules for running the application in isolation on the endpoint device. The resulting package is a standard cabinet (.CAB) file that is transparent and is easy to work with and debug.

· Download – The application package is published to a regular network file share, just like with Presentation Server. No proprietary tools or storage systems are required. Authorized users can start streaming the application simply by clicking on their desktop icon. The application is cached locally, but it is not installed. It runs in isolation, without interfering with other applications on the same device.

· Play – Applications behave just as if they were installed locally, but without any of the problems of installation. Files are saved locally and individual settings are preserved. Every time the application is run, it checks for errors or updates and delivers them automatically. The application is managed centrally, but can be used when it is disconnected from the network.

RSA (RAID Storage Adapter)

RSA SecurID® two-factor authentication is based on something you know (a password or PIN) and something you have (an authenticator), providing a much more reliable level of user authentication than reusable passwords.

The only solution that automatically changes your password every 60 seconds.

MS Resource Kit

Table 6: Active Directory-related command-line tools

Tool – Description

MoveTree – Move objects from one domain to another.

SIDWalker – Set the access control lists on objects previously owned by accounts that were moved, orphaned, or deleted.

LDP – Allows LDAP operations to be performed against Active Directory. This tool has a graphical user interface.

DNSCMD – Check dynamic registration of DNS resource records, including secure DNS update, as well as deregistration of resource records.

DSACLS – View or modify the access control lists of directory objects.

NETDOM – Batch management of trusts, joining computers to domains, verifying trusts and secure channels.

NETDIAG – Check end-to-end network and distributed services functions.

NLTest – Check that the locator and secure channel are functioning.

REPAdmin – Check replication consistency between replication partners, monitor replication status, display replication metadata, force replication events and knowledge consistency checker (KCC) recalculation.

REPLMon – Display replication topology, monitor replication status (including group policies), force replication events and knowledge consistency checker recalculation. This tool has a graphical user interface.

DSAStat – Compare directory information on domain controllers and detect differences.

ADSIEdit – A Microsoft Management Console (MMC) snap-in used to view all objects in the directory (including schema and configuration information), modify objects and set access control lists on objects.

SDCheck – Check access control list propagation and replication for specified objects in the directory. This tool enables an administrator to determine if access control lists are being inherited correctly and if access control list changes are being replicated from one domain controller to another.

ACLDiag – Determine whether a user has been granted or denied access to a directory object. It can also be used to reset access control lists to their default state.

DFSCheck – Command-line utility for managing all aspects of Distributed File System (Dfs), checking the configuration concurrency of Dfs servers, and displaying the Dfs topology.

MOM

An efficient IT enterprise requires a proactive approach to monitoring and managing Windows servers and applications to avoid service outages and downtime. Intelligent monitoring tools can help you keep your organization's infrastructure running at acceptable service levels. A primary requirement of monitoring tools is that they be easy to deploy and manage so that using them consumes minimal IT resources. To address these requirements, Microsoft announced Microsoft Operations Manager (MOM) 2000, an enterprise monitoring solution that provides comprehensive event management, proactive monitoring and alerting, reporting, a built-in knowledge base, and trend-analysis capabilities. After working with many customers to deploy MOM, we have some suggestions that will help smooth your MOM implementation.

Installation Prerequisites Before starting a MOM implementation, verify that your environment meets all the prerequisites. You can't install the MOM server on a domain controller (DC); you must install it on a dedicated member server that's running Windows 2000 Advanced Server Service Pack 2 (SP2) and that has access to a DC. . . .

10. PsExec – remote control tool

11. PsKill – kill a process remotely

PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems.

PsKill:

Windows NT/2000 does not come with a command-line 'kill' utility. You can get one in the Windows NT or Win2K Resource Kit, but the kit's utility can only terminate processes on the local computer. PsKill is a kill utility that not only does what the Resource Kit's version does, but can also kill processes on remote systems. You don't even have to install a client on the target computer to use PsKill to terminate a remote process.

SMS

Microsoft Systems Management Server (SMS) is a systems management software product by Microsoft for managing large groups of Windows-based computer systems. SMS provides remote control, patch management, software distribution, and hardware and software inventory. An optional feature is operating system deployment, which requires the installation of the SMS 2003 OS Deployment Feature Pack. The current version is 2003 SP3 R2.

Systems Management Server 2003 SP1 Product Overview

Systems Management Server (SMS) 2003 with Service Pack 1 (SP1) provides a comprehensive solution for change and configuration management for the Microsoft platform, enabling organizations to provide relevant software and updates to users quickly and cost-effectively. SMS 2003 SP1 provides the following key capabilities:

Application Deployment: Deliver critical business productivity applications reliably and easily to users in the right place at the right time.

Asset Management: Reduce software costs and stay compliant by understanding the installed application base and its usage.

Security Patch Management: Improve security of the Microsoft Windows environment through increased vulnerability awareness and reliable targeted delivery of updates.

Mobility: Deliver enterprise management to the growing mobile workforce through industry standards, independent of connection or location.

Windows Management Services Integration: Reduce operational costs by fully utilizing the management capabilities built into the Windows platform.

Integrating Operations and Technology

Microsoft Solutions for Management Solution Accelerators provide a blueprint for addressing key management issues by combining people, processes, and technology to help solve specific customer scenarios. Solution Accelerators are lab-tested, customer-approved Microsoft best practices that are intended to be used by Microsoft Consulting Services or Microsoft partners to help customers achieve optimal solutions.

Improvements in these areas enable enterprises to effectively manage software, from devices to data centers, on the Windows Server System platform. For more information, read the product overview datasheet.

SMS 2003 SP1 Updates

SMS 2003 SP1 is primarily a rollup of a number of hotfixes for SMS 2003, but also introduces some changes to the supported configurations and broadens the configurations allowed.

Features at a Glance

Capability: Application deployment

• Detailed application deployment planning. Detailed reports available in SMS 2003 ease the application deployment process. For a planned deployment, it is easy to obtain the target group's current hardware base, existing applications, and version information, as well as the current service pack and hotfix levels of the system.

• Rich distribution targeting. Software distribution and other management tasks can be specifically targeted to machines and users using a wide variety of properties including network and hardware configuration, Active Directory® organizational unit, and group membership and software installation status.

• Delta distribution between site servers and distribution points. When changes are made to previously deployed software package sources, only the source changes are propagated between SMS 2003 site servers and distribution points, rather than the entire application image.

• Elevated rights Windows Installer Service. Because SMS 2003 supports the Windows Installer service (.msi), it is able to switch user account contexts during a package installation, allowing for self-healing application installation on "locked-down" systems.

• Add/Remove Programs support. Applications can be easily published to the Add/Remove Programs interface to provide users with a consistent way of installing applications.

Capability: Asset management

• Application usage monitoring. Summary and detail reports can be generated specifying which applications were used by users, how long they were used, and on which managed systems they were used. Usage can be tracked by user or computer, and reports can be created comparing concurrent usage data to current license ownership (compliance reports).

• Granular software inventory file level searching. Now you can configure SMS 2003 to get you all the asset discovery you need, and only what you need.

• Detailed hardware inventory. Windows Management Instrumentation (WMI) enhancements allow improved client-side performance during inventory scans and provide a richer set of inventory data, including BIOS and chassis enclosure data.

• Web-enabled reporting. More than 120 pre-built reports are included, covering hardware and software inventory as well as computer status and software deployment progress.

Capability: Security patch management

• Vulnerability identification. Standard Microsoft security tools like the Microsoft Baseline Security Inventory Analyzer and the Microsoft Office Inventory Tool for Updates enable you to inventory your systems for applicable patches and vulnerabilities.

• Patch deployment wizard. A simple console wizard is provided to assist administrators in deploying required patches to managed devices.

• Vulnerability assessment and mitigation reporting. After missing security patches have been identified, the results of these individual scans are then posted to the central database for reporting and targeting purposes. As missing patches are deployed, this data may be optionally updated in real time.

Capability: Mobility

• Bandwidth-aware clients. The new Advanced Client uses the Background Intelligent Transfer Service (BITS) technology to automatically detect the capacity of the client network connection and adjust transfer rates efficiently.

• Checkpoint/restart. Upon reconnection, any partial downloads to client computers will continue where they left off; there is no need to restart transmissions because of a disconnected session. Checkpoint/restart works at the byte level, requiring only the download of those bytes in a package that haven't already been transferred.

• Download and execute. After a new software package has been successfully downloaded to a client, it remains in the cache of the client system until the scheduled install time, when it is then executed.

• Location awareness. As mobile users move through geographic locations, flexible site boundaries ensure that they receive software packages and updates from the nearest appropriate installation source, and are not required to install software across the enterprise wide area network (WAN).

Capability: Windows Management Services integration

• Active Directory discovery. SMS 2003 can automatically discover the Active Directory properties of both users and systems, including organizational unit container and group level membership. Software packages can then be targeted based on these Active Directory attributes.

• Active Directory-based site boundaries. Site boundaries can now be based on Active Directory site names, rather than on Internet Protocol (IP) subnets.

• Advanced Security Mode. Built-in computer and local system accounts can be used for all server functions (such as database access), dramatically simplifying the management of accounts and passwords within SMS 2003 and making the enterprise more secure by not creating extra high-rights accounts.

• Improved status tools. The status data provides real-time information about the current state of SMS 2003 processes, both on servers and clients.

• Windows XP Remote Assistance support. The high-performance Windows XP Remote Assistance feature is now an option for troubleshooting clients remotely from the SMS Administrator Console when a user is present at the remote machine.

When do I need to set up SMS secondary site servers?

I have 20 remote branch locations connected back to the operations center by T1 lines. Each location has 5-7 workstations. I was planning on using each site's existing file server as a distribution point to save on bandwidth during software distribution. At what number of workstations per remote site should I consider setting up SMS secondary site servers?

Even though you may have Distribution Points sitting at the remote locations, you still need to modify some settings on the clients to force ...

Can I distribute any Windows Installer (.msi) application using SMS?

I have a customized Citrix 8 client installation in the form of a .msi. How can I use SMS 2.0 SP2 to distribute this?

You can distribute any Windows Installer (.msi) application using SMS. SMS's software distribution feature basically does what you tell it to do. You'll first want to identify any distribution options (i.e., command-line options) for the .msi you have created and create the SMS package using those options.

Scripting

Default scripts are already provided.

WSH (Windows Script Host)....WMI (Windows Management Instrumentation)

Map network drive, user ID creation in AD

' Map network drives with the WScript.Network object (WSH/VBScript)
Set objNetwork = WScript.CreateObject("WScript.Network")
' G: -> the Sales share on file server atl-fs-01
objNetwork.MapNetworkDrive "G:", "\\atl-fs-01\Sales"
' H: -> the user's home folder on the hidden Users$ share
objNetwork.MapNetworkDrive "H:", "\\atl-fs-01\Users$\lewjudy"

Responsibilities 1:

Installation, configuration and troubleshooting of Windows operating systems including Windows 2000 Professional, Windows XP and pre-Windows 2000 operating systems on desktops/servers.

PC hardware, Windows XP/2000 and Microsoft Office Suite, networking connectivity issues (TCP/IP) and other software problems.

Member of the team of engineers providing information systems support. Active Directory services management support.

Responsibilities 2:

Experience on Windows 2003 and Windows 2000 Active Directory support and implementation.

Disaster recovery plan for Active Directory servers. Expertise in Microsoft services like WINS, DHCP and DNS. Creating, configuring, managing and troubleshooting Group Policy objects. Considerable knowledge of Exchange 2003 server. Installing, configuring and managing Exchange Server 2003; managing users and applying group policies. Configuration and administration of BrightStor ARCserve 11.5 backup server. Data center maintenance. Vendor coordination.

RIS server

In Hyderabad we have 44 servers and in Hyderabad we have 22 servers including all platforms. I am managing Active Directory and Exchange servers, MOM servers and the BrightStor ARCserve backup server. In Active Directory, checking the replication between the two sites. Taking care of user creations and user deletions, mailbox transfers, DL creations. Checking the group policies and applying the group policies in Active Directory.

I have only considerable knowledge of Exchange mailbox creation and mailbox deletions and taking care of mailbox movements.

In backup I am taking 5-day differential and 2-day full backups: Sunday to Thursday differential, and Friday and Saturday full backup.

Which is the most difficult situation you have faced in your organization?

Recently we faced an issue with our Hyderabad mail server: the mailbox store went down. We brought it up within an hour. We are using McAfee GroupShield antivirus on the Exchange server and it deleted a recently created log file; due to that the mailbox store went down. We restored it from the backup. Dial tone recovery.

Maintains the Hyderabad and Chennai replication of servers, and maintains the Data Centre

Win 2003 Active Directory support

Disaster recovery Active Directory plans for servers

2003 Exchange administrator

Creating, configuring, managing and troubleshooting group policies

Configuring and troubleshooting antivirus like McAfee

DHCP scope creation, IP address creation

Terminal Services monitoring

File permissions and quotas implementation

Taking the backup and restoration (daily (incremental) and full backup (weekly))

How many servers? (30)

DCs and file, mail, internal and application servers

Server configurations

HP DL380s

4 GB, 5+1 (RAID + mirroring), total 5 HDDs

Intel Genuine 3G (dual-core processor)

All are rack-mountable servers

HP ProLiant DL380 series, Dell PowerEdge 2950

Mirror and RAID for both the servers

Total 5 HDDs: 2 for mirror, 3 for RAID

We have only the virtusa domain (single-domain architecture)

Only one we have (cross domains, two sites)

Only one Domain Naming Master

PDC Emulators: we have 5 (password resetting, Win32 time synchronization)

DHCP: dhcp.mdb

DNS: dns.back

What is in the NTDS folder? Database, transaction logs, check

My responsibilities in Chennai are:

Managing two locations, i.e., Hyderabad and Chennai.

In Chennai we have 2 domain controllers and in Hyderabad we have 6 domain controllers.

One Exchange server in Chennai and one more in Hyderabad.

One backup server in Chennai and one more backup server in Hyderabad. Checking the replication traffic between Chennai and Hyderabad, and the replication topology between sites.

ITIL

Every week we have systems and networking meetings. In the systems meeting we discuss what changes we are going to implement and how useful they are for the organization. If you want to make any change you have to raise a change request through the ChangeGear software, then send it to your manager for approval: "I am going to do patch management, please approve." Once we get the approval from the manager, we can go ahead.

Suppose you want to restart the server; for that also we need to raise a request in ChangeGear. I have to give an explanation like "I have installed the patches, so a restart is required to apply all the patches, please approve it." Once we get the approval from the manager, we restart the server.

Service Desk

This function is the single point of contact between users and IT Service Management. Tasks include handling incidents and requests, and providing an interface for other ITSM processes.

Single Point of Contact (SPOC) and not necessarily the First Point of Contact (FPOC). There is a single point of entry and exit:

• Easier for customers

• Data integrity

• Communication channel is streamlined

The primary functions of the Service Desk are:

• Incident Control: life cycle management of all Service Requests

• Communication: keeping the customer informed of progress and advising on workarounds

The Service Desk function is known under various names:

• Call Centre: main emphasis on professionally handling large call volumes of telephone-based transactions

• Help Desk: manage, co-ordinate and resolve incidents as quickly as possible

• Service Desk: not only handles incidents, problems and questions but also provides an interface for other activities such as change requests, maintenance contracts, software licenses, Service Level Management, Configuration Management, Availability Management, Financial Management and IT Services Continuity Management

The three types of structure that can be considered are:

• Local Service Desk: to meet local business needs - is practical only until multiple locations requiring support services are involved

• Central Service Desk: for organizations having multiple locations - reduces operational costs and improves usage of available resources

• Virtual Service Desk: for organizations having multi-country locations - can be situated and accessed from anywhere in the world due to advances in network performance and telecommunications, reducing operational costs and improving usage of available resources

Service Desk

1. Incident management

2. Problem management

3. Change management

4. Configuration management

5. Release management

I am working on incident management.

Incident management

The goal of Incident Management is to restore normal service operation as quickly as possible and minimize the adverse effect on business operations, thus ensuring that the best possible levels of service quality and availability are maintained. 'Normal service operation' is defined here as service operation within Service Level Agreement (SLA) limits.

SLA: while working a ticket we have an agreement with the client on who owns the ticket and the time stamp by which it must be resolved.

OLA (Operational Level Agreement): whatever agreements we have with the support teams within the organization.

UC (Underpinning Contract): the levels of service we have agreed with the vendors.

Problem Management

The goal of 'Problem Management' is to resolve the root cause of incidents and thus to minimize the adverse impact of incidents and problems on business that are caused by errors within the IT infrastructure, and to prevent recurrence of incidents related to these errors. A 'problem' is an unknown underlying cause of one or more incidents, and a 'known error' is a problem that is successfully diagnosed and for which a work-around has been identified. The CCTA defines problems and known errors as follows:

A problem is a condition often identified as a result of multiple Incidents that exhibit common symptoms. Problems can also be identified from a single significant Incident, indicative of a single error, for which the cause is unknown, but for which the impact is significant. A known error is a condition identified by successful diagnosis of the root cause of a problem, and the subsequent development of a Work-around.

Problem management is different from incident management. The principal purpose of problem management is finding and resolving the root cause of a problem and preventing incidents; the purpose of incident management is to return the service to its normal level as soon as possible, with the smallest possible business impact.

Configuration Management

Configuration Management is a process that tracks all of the individual Configuration Items (CI) in a system.

Change management

The goal of Change Management is to ensure that standardized methods and procedures are used for efficient handling of all changes, in order to minimize the impact of change-related incidents and to improve day-to-day operations.

Release Management

Release Management is used for platform-independent and automated distribution of software and hardware, including license controls across the entire IT infrastructure. Proper software and hardware control ensures the availability of licensed, tested, and version-certified software and hardware, which will function as intended when introduced into the existing infrastructure. Quality control during the development and implementation of new hardware and software is also the responsibility of Release Management. This guarantees that all software meets the demands of the business processes. The goals of release management are:

• Plan the rollout of software

• Design and implement procedures for the distribution and installation of changes to IT systems

• Effectively communicate and manage expectations of the customer during the planning and rollout of new releases

• Control the distribution and installation of changes to IT systems

The focus of release management is the protection of the live environment and its services through the use of formal procedures and checks.

By words:

ITIL:

Incident: automatically triggered by the server itself, for example MOM alerts.

Service call: raised by people.

Backup:

Policy: 5-day differential (Sun – Thu), 2-day full backup (Fri – Sat)

5 tapes we keep in the fireproof safe. Another two tapes: one goes to HDFC Bank and the other is sent to the other site. A total of 7 tapes come out in a week.

In the tape library there are 32 tapes: every day the 1st tape; the 31st is the storage drive; one is the IO (IO box).

It recognizes the tapes only by barcode.

After finishing the backup we have to remove the tape from the tape library and keep it in the fireproof safe.

How long are you going to keep them in the fireproof safe?

Differential tapes for 3 months, full backups for 6 months, and month-end and year-end backups are kept permanently, including the last backup of the year.
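The rotation and retention policy above, worked through as an added Python example that is not part of the original notes; it assumes "month-end" means the last full backup of a calendar month (and "year-end" the last full backup of the year) and counts 3 and 6 months as 90 and 180 days.

```python
"""Tape rotation and retention for the backup policy in the notes above.

Policy (from the notes): differential backup Sunday to Thursday, full backup
Friday and Saturday, so 7 tapes come out each week; differential tapes are kept
3 months, full tapes 6 months, and month-end and year-end backups are kept
permanently.  Assumptions not stated in the notes: "month-end" means the last
full backup of a calendar month (and "year-end" the last full backup of the
year), and 3 and 6 months are counted as 90 and 180 days.
"""
from __future__ import annotations

from datetime import date, timedelta

DIFF_RETENTION_DAYS = 90    # assumption: "3 months"
FULL_RETENTION_DAYS = 180   # assumption: "6 months"


def job_type(day: date) -> str:
    """Friday (weekday 4) and Saturday (5) are full backups; the rest are differential."""
    return "full" if day.weekday() in (4, 5) else "differential"


def is_month_end_full(day: date) -> bool:
    """True when `day` is a full backup and no later full backup falls in the same month."""
    if job_type(day) != "full":
        return False
    nxt = day + timedelta(days=1)
    while nxt.month == day.month:
        if job_type(nxt) == "full":
            return False
        nxt += timedelta(days=1)
    return True


def is_year_end_full(day: date) -> bool:
    """The year-end tape is simply December's month-end full backup."""
    return day.month == 12 and is_month_end_full(day)


def expiry(day: date) -> date | None:
    """Date after which the tape written on `day` may be reused; None means keep forever."""
    if is_month_end_full(day):          # also covers the year-end tape
        return None
    keep = FULL_RETENTION_DAYS if job_type(day) == "full" else DIFF_RETENTION_DAYS
    return day + timedelta(days=keep)


def last_full_on_or_before(day: date) -> date:
    """Walk backwards to the most recent full backup (never more than 5 days away)."""
    while job_type(day) != "full":
        day -= timedelta(days=1)
    return day


def restore_set(target: date) -> list[date]:
    """Tapes needed to restore the state at the end of `target`.

    A differential holds every change since the last full backup, so a restore
    never needs more than two tapes: the latest full, then the target day's
    differential (if the target itself is not a full backup day).
    """
    full = last_full_on_or_before(target)
    return [full] if full == target else [full, target]


def tapes_retained(start: date, as_of: date) -> int:
    """How many tapes written from `start` to `as_of` (inclusive) are still within retention."""
    count, day = 0, start
    while day <= as_of:
        exp = expiry(day)
        if exp is None or exp > as_of:
            count += 1
        day += timedelta(days=1)
    return count


if __name__ == "__main__":
    # Constructed sample: the first full week of March 2008 (Sun 2 Mar to Sat 8 Mar).
    week = [date(2008, 3, d) for d in range(2, 9)]
    for d in week:
        print(d, d.strftime("%a"), job_type(d), "expires", expiry(d))
    print("tapes out this week:", tapes_retained(week[0], week[-1]))
    print("restore to Wed 12 Mar needs:", restore_set(date(2008, 3, 12)))
    print("month-end tape for March 2008:",
          [d for d in (date(2008, 3, 28), date(2008, 3, 29)) if is_month_end_full(d)])
```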

Dell LTO-3 tape library, 400 native / 800 compressed

Tape library model no. is Dell PowerVault 132T.

Configuration: 5i RAID SCSI card

Only through that card are we connecting the backup tape library to the server.

We have only a single-head tape library, so we can write only a single tape at a time.

Array configuration: to create or implement RAID we need to configure the array. Only then will the array be recognized and RAID configured.

Array version: 5i

Citrix:

With the help of the RSA fob they connect virtually to the client network. They authenticate on the web page of the Citrix server and log in to the remote sessions.

The major advantage is that we can take multiple sessions at a single time.

Port no.: 1495, version 9.0 (ICA protocol)

SMS:

They are extracting the batch files. It applies during user logins.

Final

1. HP, Dell and IBM – latest models

Latest servers in HP: DL series

HP ProLiant DL585 G2

HP ProLiant DL580 G4

Scalability, availability and adaptability in a highly serviceable 4U chassis

Latest servers in HP: ML series

HP ProLiant ML570 G4

Latest servers in HP: BL series

HP BLc3000 Enclosure, 2 AC power supplies, 4 fans, full ICE license

Dell

PowerEdge™ R900: 4-socket, quad-core 4U rack server

PowerEdge™ 6950: 4-socket, dual-core 4U rack server

IBM

IBM System Storage™ DS4800 processed 4,016,222 transactions per minute (tpmC) with a price/performance of $2.98/tpmC [1], versus the HP Integrity Superdome's performance of 1,231,433 tpmC at $4.82/tpmC [1].

IBM System x3850 M2 takes performance, efficiency and reliability to the next level. Featuring an unmatched combination of x86 performance and scalability with a balanced design, the x3850 M2 delivers unrivaled reliability, providing confidence in your IT solution deployments. An easy upgrade path provides the necessary flexibility to deliver an optimized solution for scale-up database, enterprise applications and server consolidation through virtualization services.

2. Remote management cards in Dell(Rack and D-Rack), Hp(ILO) and IBM(RSA)

HP: iLO makes it possible to perform activities on an HP server from a remote location. The iLO card has a separate network connection (and its own IP address) to which one can connect via HTTPS. Possible options are:

• reset the server (in case the server doesn't respond anymore via the normal network card)

• power up the server (possible to do this from a remote location, even if the server is shut down)

• take over the screen

• mount a remote physical CD/DVD drive or image

• access the server's IML (Integrated Management Log)

• remote console (in some cases, however, an 'Advanced license' may be required for some of the utilities to work)

Dell:

Dell DRAC:


The Dell™ Remote Assistant Card II (DRAC II) and Dell Remote Access Card III (DRAC III) provide IT administrators with continuous access to servers. Administrators also achieve full control of the server hardware and operating system from any client system running a Web browser, even if the server is down or hung.

The Dell remote-access architecture consists of hardware and software components that allow administrators to do the following:

• Access a server after a server failure, power outage, or loss of a network connection (using a network interface card (NIC) or modem)

• Remotely view a server's internal event logs and power-on self test (POST) codes for diagnostic purposes

• Manage servers in multiple locations from a remote console

• Manage servers by redirecting the console output to a remote console (graphic and text)

• Perform an orderly shutdown of a server for maintenance tasks

• Diagnose a server failure and restart the server

• Alert the administrator using alphanumeric page, numeric page, e-mail, or Simple Network Management Protocol (SNMP) trap when a server detects an error

IBM RSA

However, it is IBM's Remote Supervisor Adapter (and the popular RSA II) that represents the next generation of comprehensive server management. The IBM RSA II is a PCI card service processor and it is standard in some servers and an option in others. It manages the BMC located on the server motherboard, and augments the BMC capability so you can perform systems management functions whether your server is operational or not.

As shown in the table below, the RSA II provides an extensive range of remote server management features. The Virtual KVM feature, for example, provides full graphic console redirection. You can use a local desktop to access and control a remote server, run applications and receive system alerts in whatever form you choose. So no longer is there a need for any external KVMoIP appliances at the remote site.

Another model is the RSA SlimLine, which is an internal card that includes the BMC and uses a dedicated Ethernet connector on the server for communication. The BladeCenter's management module also uses a modified version of the RSA with an integrated KVM switch to provide access to individual server blades.

Vendor: IBM

Service Processor: RSA (Remote Supervisor Adapter)

Software: IBM Director

Model: RSA II, SlimLine RSA

Type: PCI Card

Features: Command line & Web interface; Virtual KVM (with logging of last screen before failure); Virtual media access; UDP/TCP Ethernet connection; Remote power control; Local logs & alerts; Secure SSH, SSL & LDAP access


3. Management Tools

IBM Director

IBM's service processors can be accessed with the IM/IMG and then managed using IBM Director, an integrated suite of system management tools that enables administrators to locally or remotely track the usage and performance of their servers' processors, disks, and memory. IBM Director extends the basic RSA II software by providing a central platform for monitoring and managing all the IBM hardware resources. The IBM + Opengear service management can be extended even further, as Director also integrates seamlessly with higher-level systems management offerings such as Tivoli, HP OpenView, Microsoft SMS and MOM, CA Unicenter, BMC and Altiris.

Dell OMSA:

Dell Management Tool (OMSA) - OpenManage Server Administrator 7.0

Dell OpenManage™ Server Administrator Storage Management provides enhanced features for configuring a system's locally-attached RAID and non-RAID disk storage. Storage Management enables you to perform controller and enclosure functions for all supported RAID and non-RAID controllers and enclosures from a single graphical or command-line interface without requiring use of the controller BIOS utilities. The graphical interface is wizard-driven with features for novice and advanced users and detailed online help. The command-line interface is fully-featured and scriptable. Using Storage Management, you can protect your data by configuring data-redundancy, assigning hot spares, or rebuilding failed physical disks. You can also perform data-destructive tasks. All users of Storage Management should be familiar with their storage environment and storage management.

Storage Management supports SCSI, SATA, ATA, and SAS but not fibre channel.

NOTE: Starting with Dell OpenManage 5.0, Array Manager is no longer an installable option. If you have an Array Manager installation and need information on how to migrate from Array Manager to Storage Management, refer to the product documentation prior to Storage Management 2.1 or Dell OpenManage 5.1.

Take Control with Dell Systems Management.

Dell's approach to systems management is to provide inherently manageable, standards-based platforms along with a comprehensive set of standards-based tools for proactive management throughout the computing life cycle. Dell server, storage, networking, and client solutions are designed to help simplify and automate the administration of your technology resources-and to help you control your IT investment.

The advantages of our interoperable management solutions derive from Dell's commitment to:

Open manageability —Dell's instrumented clients, servers, storage, printers and network platforms interface seamlessly with most standards-based management tools and consoles. Dell systems management solutions and platforms provide the pro-active management information and control functions you need to optimize deployment, health status monitoring, fault recovery, change management and more.


Industry standards —Dell champions open standards within the industry because they are the foundation for management systems that can deploy, monitor and upgrade heterogeneous computing environments. Standards also give you greater choice in the selection of your systems management solution, providing more flexibility to better meet your specific requirements.

Strong partnerships —Dell partners with industry-leading companies to deliver integrated, "best-in-class" technologies, services and standardized components to provide customers with cost-effective broad-based systems management functionality.

HP – HP Integrated.

4. Array controller Models

Array 6i HP:

HP Smart Array 6i Controller

The new Smart Array 6i controller is an Ultra320 intelligent array controller for entry-level, hardware-based fault tolerance for protection of OS, applications, and logs. Most models have one internal-only channel. The DL380 G4 has a second channel for optional duplex backplane support or external tape support. The Smart Array 6i controller provides one of the most cost effective alternatives to software-based RAID in the market today.

Designed as an integrated component on the system board on select ProLiant DL and BL servers, the Smart Array 6i controller and 128MB BBWC Enabler bundle provide increased performance and worry-free transportable battery backed write cache data protection for all server internal storage needs, without consuming a PCI slot.

Models:

Smart Array 6i Controller: N/A

Battery Backed Write Cache Enabler: 128MB Battery Backed Write Cache Enabler Option Kit 346914-B21

Target Environments: The Smart Array 6i Controller offers superior investment protection to the following environments:

• Non-RAID: current storage operations where, until now, there has not been a perceived need for data protection, security, or performance gains.

• Software RAID: current storage operations using software RAID where growing data storage requirements demand the robustness, efficiency, and performance increases available with entry-level hardware RAID.

Dell – 4DC

Array controllers on HP (Array 6i), Dell (4DC) and IBM (ACU)

ACU: The Array Configuration Utility (ACU) is a DOS-based application for configuring and managing arrays. ACU provides a means to create/delete arrays, manage spares, and initialize the drives attached to the controller. It can also manage multiple controllers, if present in the system, but only one controller at a time.

5. SAN – Latest Models and how does it work


HP Proliant DL585 Storage server 5.4.0

SAN

A SAN is a dedicated network that is separate from LANs and WANs. It is generally used to connect all the storage resources attached to various servers. It consists of a collection of SAN hardware and SAN software; the hardware typically has high interconnection rates between the various storage devices, and the software manages, monitors and configures the SAN.

SANs originated to overcome the problems with network attached storage (NAS) devices, which - like ordinary servers - are difficult to manage and difficult to expand the capacity on. NAS devices also add to the traffic on the network and suffer from the delays introduced by the operating systems' network stacks. 

A SAN is made up of a number of fabric switches connected in a network. The most common form of SAN uses the Fibre Channel fabric protocol (with Fibre Channel switches). Alternatively, iSCSI could be used with IP switches.

IBM Express Model SAN switches

Cisco MDS 9124 Express for System Storage

The Cisco MDS 9124 Express for System Storage is designed to address the needs of small- and medium-sized businesses with a wide range of SAN capabilities. It can be used as part of SAN solutions from simple single-switch configurations to larger multi-switch configurations in support of fabric connectivity and advanced business continuity capabilities.

6. HP Blade Servers – how they are designed

HP Blade C7000 servers, upgrades and parts.

The HP BladeSystem c7000 provides the power, cooling and I/O infrastructure needed for today's and future tech center environments. Designed for easy set-up, this system now includes a 3-inch LCD Insight Display for readability.


HP Blade C7000 features and specifications:

Device bays: up to 16 half-height blades, up to 8 full-height blades; mixed configurations supported

Power supply: up to 6 x 2250W

Height: 10U

Single-phase model power: 6 x IEC-320 C20

Slots: 2 PCI and 4 shared PCI/EISA slots

Ethernet: HP 1Gb Ethernet Pass-Thru Module; Cisco Catalyst Blade Switch 3020; GbE2c Ethernet Blade Switch

Fibre Channel: HP 16 port 4Gb FC Pass-Thru Module; Brocade 4Gb SAN Switch

Warranty: 3-year limited; onsite

7. Scripts – VB Scripts and GPO

Scripts – WMS, WSH scripts

Use an LDAP query to retrieve the information, then edit the script based on your requirement.

Example 1 - Script to Create a User in Active Directory

On this page we concentrate on the essential VBScript commands necessary to build a User account in Active Directory Users and Computers, for example GetObject("LDAP://rootDSE") and .Create("User"). Even though I am experienced at creating VBScripts, I still run manually through creating the object in Active Directory Users and Computers; the menu actions help me to rehearse the stages in my scripts.

Prerequisites

I recommend that you logon at a Windows Server 2003 domain controller.  If you are a long way from the server, Remote Desktop would be a suitable alternative.  If that is not possible, you could get these scripts to work from an XP machine as a non-administrator.  However, why introduce extra complications?  Especially at the beginning, you want easy success, with fewest obstacles.

Instructions for Creating a User Account in Active Directory

1. You should run this VBScript on a Windows Active Directory domain.

2. Copy and paste the example script below into Notepad or a VBScript editor.

3. Decide whether to change the value for strUser. DomGuy2 is not a particularly attractive name.

4. Save the file with a .vbs extension, for example: Users.vbs.

5. Double click Users.vbs and check the Users container for strUser.

Script to Create a User in the Users Container

' Users.vbs
' Sample VBScript to create a User in Users.
' Author Guy Thomas http://Computerperformance.co.uk/
' Version 1.3 - September 2005
' ------------------------------------------------------'
Option Explicit
Dim strUser
Dim objRootLDAP, objContainer, objNewUser
strUser = "DomGuy2"

' Bind to Active Directory, Users container.
Set objRootLDAP = GetObject("LDAP://rootDSE")
Set objContainer = GetObject("LDAP://cn=Users," & _
    objRootLDAP.Get("defaultNamingContext"))

' Build the actual User.
Set objNewUser = objContainer.Create("User", "cn=" & strUser)
objNewUser.Put "sAMAccountName", strUser
objNewUser.SetInfo

WScript.Quit

' End of free sample Create Users VBScript.

VBScript Tutorial - Learning Points

Note 1:  The first 10 lines explain the purpose of the script and declare the variables.

Note 2:  The simple but clever command which allows the script to work with any domain is GetObject("LDAP://rootDSE").  Crucially, this statement binds WSH / VBScript to Active Directory.  The next line puts the focus on the Users container, as that is where the user will be born.  Incidentally, the correct syntax is cn=Users, whereas OUs that you create need the OU= prefix, for example OU=Accounts,.

Note 3:  sAMAccountName controls the logon name; this is the name that users should enter in the dialog box after they press the Ctrl+Alt+Delete logon sequence.

Note 4:  .Create is a method to build an object.  See how we use "User", not "Computer" or "OU".

Note 5:  When creating or modifying users, invariably you need .Put and .SetInfo.   The .Put method is the equivalent of filling in a box in Active Directory Users and Computers; in this example sAMAccountName selects the property and .Put loads the value set by strUser.  .SetInfo is the VBScript equivalent of pressing the OK button in the GUI.  In both cases it represents the final act of creating or modifying the User object.

Note 6:  This script represents 'work in progress'.  For a real production script you would need to enable the account, and most likely, add several other properties, for example givenName.  My desire is to get you started.  Build the script in stages, understand each component, then add another section.


Example 2: Script to Create a User in a Named OU (Organizational Unit)

Prerequisites

Create a new OU.  I called my OU Accounts; what name will you choose?

Instructions for Creating a User Account in a Named OU

1. Copy and paste the example script below into Notepad or a VBScript editor.

2. Find strContainer, and then change it to the name of your OU.

3. Decide whether to change the value for strUser.

4. Save the file with a .vbs extension, for example: UserOU.vbs.

5. Double click UserOU.vbs and check your OU for strUser.

' UserOU.vbs
' Sample VBScript to create a User in a named OU.
' Author Guy Thomas http://Computerperformance.co.uk/
' Version 2.4 - September 2005
' ------------------------------------------------------'
Option Explicit
Dim objRootLDAP, objContainer, objUser, objShell
Dim strUser, strName, strContainer

strUser = "BookKeeper21"
strName = "Bookie"
strContainer = "OU=Accounts,"   ' Note the comma

' Bind to Active Directory, named OU.
Set objRootLDAP = GetObject("LDAP://rootDSE")
Set objContainer = GetObject("LDAP://" & strContainer & _
    objRootLDAP.Get("defaultNamingContext"))

' Build the actual User.
Set objUser = objContainer.Create("User", "cn=" & strUser)
objUser.Put "sAMAccountName", strUser
objUser.Put "givenName", strName
objUser.SetInfo

' Optional section to launch Active Directory Users and Computers
Set objShell = CreateObject("WScript.Shell")
objShell.Run "%systemroot%\system32\dsa.msc"

WScript.Quit

' End of Sample UserOU VBScript.

VBScript Tutorial - Learning Points

Note 1:  The key difference between the two scripts is: strContainer = "OU=Accounts,".  Trace how VBScript applies this variable to set the Organizational Unit.


Note 2:  This command looks easy to script: GetObject("LDAP://" & strContainer & _.  However it took me ages to get the speech marks and ampersands (&) just right.

Note 3: objShell.Run. This optional section is just me having a little fun.  What this section does is open the Active Directory Users and Computers MMC, ready for you to inspect the new User account.  My other reason for adding this code is to show that the script has executed successfully; otherwise I just sit and wonder if it has finished yet.

Note 4: I suggested in Example 1 that you could add other attributes, trace how I added givenName through strName.  To see what I mean, I suggest that you alter the value from "Bookie" to a more realistic name.
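Both scripts above build their DNs by plain concatenation: "cn=" & strUser for the new object and "LDAP://" & strContainer & defaultNamingContext for the container. The following Python helpers, added here as an illustration and not part of Guy Thomas's scripts, do the same job with RFC 4514 escaping and an sAMAccountName check, so a value containing "," or "=" cannot change which container the object lands in; the naming context DC=example,DC=local and the sample names are constructed.

```python
"""DN handling for the AD user-creation scripts above (added illustration, not the author's code).

Mirrors what the VBScripts do with string concatenation, but escapes the RDN value
and validates the logon name. Container names and the naming context are constructed
sample values; the scripts read defaultNamingContext from rootDSE.
"""

_RDN_SPECIAL = set(',+"\\<>;=')
# Characters Active Directory rejects in sAMAccountName, and the pre-Windows 2000 user logon name limit
_SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')
_SAM_MAX_LEN = 20


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514 section 2.4)."""
    if not value:
        raise ValueError("RDN value must not be empty")
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")                # a leading '#' would start a hex-encoded value
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")                # leading/trailing spaces are otherwise trimmed
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.append("\\%02X" % ord(ch))   # control characters as escaped hex pairs
        else:
            out.append(ch)
    return "".join(out)


def container_dn(container_rdns: str, default_naming_context: str) -> str:
    """Join a container prefix such as "cn=Users," or "OU=Accounts," with defaultNamingContext.

    Tolerates a space before the trailing comma and a missing trailing comma.
    """
    prefix = container_rdns.strip().rstrip(",").rstrip()
    if not prefix:
        raise ValueError("container must not be empty")
    return prefix + "," + default_naming_context


def is_valid_sam_account_name(name: str) -> bool:
    """True if `name` is acceptable as a user sAMAccountName (length and character rules)."""
    if not name or len(name) > _SAM_MAX_LEN:
        return False
    return not any(ch in _SAM_FORBIDDEN or ord(ch) < 0x20 for ch in name)


def new_user_dn(cn: str, container_rdns: str, default_naming_context: str) -> str:
    """Full DN of the object created by objContainer.Create("User", "cn=" & strUser)."""
    return "CN=" + escape_rdn_value(cn) + "," + container_dn(container_rdns, default_naming_context)


def rdn_components(dn: str) -> list:
    """Split a DN on unescaped commas; the count shows how deep the object actually lands."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape pairs together
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


if __name__ == "__main__":
    dnc = "DC=example,DC=local"   # constructed; the scripts read this from rootDSE
    print(new_user_dn("DomGuy2", "cn=Users,", dnc))
    print(new_user_dn("Smith, John", "OU=Accounts ,", dnc))
    # Unescaped, the same CN would be parsed as five components, i.e. a different container
    print(len(rdn_components("CN=Smith, John,OU=Accounts," + dnc)))
    print(is_valid_sam_account_name("BookKeeper21"), is_valid_sam_account_name("book/keeper"))
```

Note that the scripts use one value for both cn and sAMAccountName; in practice the CN (often a display name such as "Smith, John") needs the escaping while the logon name needs the character check.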

8. Clusters – how to connect two nodes

Cluster is a group of computers, called nodes that function as a single computer/system to provide high availability and high fault tolerance for applications or services.  Windows 2003 Servers can participate in a cluster configuration through the use of Cluster Services. If one member of the cluster (the node) is unavailable, the other computers carry the load so that applications or services are always (with a small interruption) available.

All nodes of the cluster use a Shared Disk – an external disk or disk subsystem which is accessible for all nodes through SCSI (2 Nodes) or Fiber Channel (more than 2 nodes). All data will be stored on the shared disk or an external disk subsystem (for example Exchange databases).

Every node has a local Exchange 2003 installation with a unique configuration for every cluster node. Each Cluster with Exchange 2003 has at a minimum one Exchange Virtual Server (EVS). An EVS is the logical node that will be used for all cluster operations. An EVS contains an IP address, network name, physical disk and an application.

A cluster can be …

Active/Active or Active/Passive

Microsoft recommends only Active/Passive clusters – I will give you the reason later.

The number of cluster nodes supported by Windows 2003 Enterprise and Datacenter is 8 nodes. Windows Server 2003 Standard and Web Edition don't support a cluster.

In an Active/Passive cluster, if one node in the cluster fails, the active resources fail over to another node, which becomes Active. This is called Failover. When the failed node is back online, a Failback can be manually initiated or automatically configured in the Cluster Group properties.

Every cluster node must have two network interfaces. One network interface for the cluster communication called the private LAN and one network interface called the public LAN. You can link a cluster with two nodes with a simple cross link cable. If more than two nodes exist in the cluster you have to use a dedicated switch / hub.

The private NIC is used for the Heartbeat communication (cluster communication). A Heartbeat is much like a ping which can be used to test if the other cluster node is still available. If the heartbeat fails, the Failover process occurs.

Quorum Drive Configuration Information

This article provides information about configuring the quorum drive.

MORE INFORMATION

When you install Microsoft Cluster service, you must configure storage at the hardware level so that the operating system and Cluster service have two separate physical devices for cluster usage. For example, in Disk Administrator or Disk Management, the following disks should be displayed:

• Disk 0 (usually drive C)

• Disk 1 (quorum)

• Disk 2 (data drive)

At a minimum, you must create at least one physical drive for the quorum disk and a separate physical drive for data. Each drive must be formatted as NTFS.

NTFS architecture is structured to enable file attribute indexing on a disk volume. This functionality enables the file system to efficiently locate files that match certain criteria so that sorting and searching processes function faster. However, you should not place any input/output (I/O) intensive programs on your quorum drive. Heavy input/output traffic from another source could interfere with the cluster's ability to write to the disk, which may cause the quorum resource to fail. If the quorum resource fails, the entire cluster may fail as well.

It is recommended that you configure the quorum disk size to be 500 MB; this size is the minimum required for an efficient NTFS partition. Larger disk sizes are allowable but are not currently needed. It is also recommended that you configure some form of fault tolerance at the hardware level to be used for the quorum drive, such as hardware mirroring or hardware RAID. If the quorum drive is lost, the cluster may not be available.

The quorum resource plays a crucial role in the operation of the cluster. In every cluster, a single resource is designated as the quorum resource. A quorum resource can be any resource with the following functionality:

• It offers a means of persistent arbitration. Persistent arbitration means that the quorum resource must allow a single node to gain physical control of the node and defend its control. For example, Small Computer System Interface (SCSI) disks can use Reserve and Release commands for persistent arbitration.

• It provides physical storage that can be accessed by any node in the cluster. The quorum resource stores data that is critical to recovery after there is a communication failure between cluster nodes.

Windows 2003 introduces a new quorum resource type called Majority Node Set (MNS). MNS is tailored for geographically dispersed clusters.

How to restore the cluster quorum to a Windows 2000 or Windows 2003 node running Active Directory

Details: To restore the quorum to a node that is a domain controller and is running Active Directory, the node must be in Directory Services Restore Mode. Cluster services cannot be running in this mode, so the cluster quorum must be restored separately, after System State is restored and the node has been rebooted. The following steps will allow for restoration of System State, and include steps to recover the cluster quorum as well.

Note: The steps outlined below will work for clusters whether using VERITAS Backup Exec (tm) 8.6 or 9.0 4454, however, only Backup Exec 9.0 4454 (and later) is capable of fully protecting Windows 2003 servers.

To restore the cluster quorum to a node running Active Directory:

Note: If possible, take the other nodes in the cluster offline before restoring the cluster quorum. If the nodes cannot be taken offline, you should use the -f option with the clrest.exe command, explained in step 8.

1. To restore System State, start the computer in safe (repair) mode (restart the computer and then press <F8> when prompted to select an operating system), and then select Directory Services Restore Mode. If this is a local restore, you must also start the Backup Exec services before you restore System State data.

2. On the Backup Exec navigation bar, click Restore

3. In the Restore Selections pane, click System State

4. In the Properties pane, under Settings, click Advanced

5. Clear the Restore cluster quorum option. This option must not be selected.

6. Start the restore operation. During the restore, the cluster quorum files are copied to the default location %SystemRoot%\cluster\BackupExec.

7. When the restore has completed, reboot the target node

8. After the reboot is complete, run clrest.exe from the command line to restore the cluster quorum from the default location to the quorum disk: clrest <path> where path is the complete path to the cluster quorum. Typically, the pathname is %SystemRoot%\cluster\BackupExec (for Windows 2000) and \windows\repair\bootablesystemstate\clusterdatabase (for Windows 2003). A path is required for the clrest command. Note: Make sure to select in Folder Options to Show Hidden Files if attempting to view the quorum files.Clrest is located in the {drive letter}:\Program Files\Veritas\Backup Exec\NT directory in 9.0 by default.

You can include other options on the command line to force the restore to proceed even if other cluster nodes are online, and/or if the disk signatures do not match, and to specify another disk as the quorum disk: clrest <path> [-f] [drive letter], where [-f] forces the restore to proceed even if other cluster nodes are online and/or the disk signatures do not match.

When this option is selected, the cluster service for any nodes that are online is stopped. This option also allows the drive letter of the disk that the cluster quorum was on to remain the same, even if the configuration has changed and the disk signatures contained in the restore media do not match the disk signatures contained in the cluster quorum.

[drive letter] specifies another drive letter for the quorum disk. If you use this option, the drive letter on which the cluster quorum resides will be changed to the same drive letter as previously specified. Otherwise, the drive letter on which the cluster quorum resides will stay the same as it was previously.

9. Once the restore of the cluster quorum is completed, use Cluster Administrator to bring the other cluster nodes online.

9. Citrix and MetaFrame versions

CITRIX: Latest version is 4.0

The corporate and government IT managers in attendance shared their experiences in running desktop applications on a server, which is the Citrix specialty.

It's done by installing the Citrix "ICA client" on the user's PC, thin client computer or mobile device to gain access to desktop applications running on the Citrix MetaFrame Presentation Server. Citrix claims to have 120,000 corporations and government customers -- for a total of 50 million ICA clients -- using this approach in some fashion, if not for their entire user base. Citrix spares the IT department from having to distribute desktop software on the actual desktop. And some corporations use Citrix for disaster-recovery back-up. At the Citrix conference, IT managers said it's not only easier to upgrade desktop applications when they're located on the centralized Citrix server than on the actual desktop, but they see some security advantages in it as well.

10. VMware (VMotion)

VMware® VMotion™ enables the live migration of running virtual machines from one physical server to another with zero downtime, continuous service availability, and complete transaction integrity. VMotion allows IT organizations the following advantages:

• Continuously and automatically allocate virtual machines within resource pools.

• Improve availability by conducting maintenance without disrupting business operations.

VMotion is a key enabling technology for creating the dynamic, automated, and self-optimizing data center.

How does it work?


Live migration of a virtual machine from one physical server to another with VMotion is enabled by three underlying technologies.

First, the entire state of a virtual machine is encapsulated by a set of files stored on shared storage such as Fibre Channel or iSCSI Storage Area Network (SAN) or Network Attached Storage (NAS). VMware's clustered Virtual Machine File System (VMFS) allows multiple installations of ESX Server to access the same virtual machine files concurrently.

Second, the active memory and precise execution state of the virtual machine is rapidly transferred over a high speed network, allowing the virtual machine to instantaneously switch from running on the source ESX Server to the destination ESX Server. VMotion keeps the transfer period imperceptible to users by keeping track of on-going memory transactions in a bitmap. Once the entire memory and system state has been copied over to the target ESX Server, VMotion suspends the source virtual machine, copies the bitmap to the target ESX Server, and resumes the virtual machine on the target ESX Server. This entire process takes less than two seconds on a Gigabit Ethernet network.

[Figure: VMotion Technology. Two ESX Server hosts, each shown as Hardware, ESX Server, OS and App layers. Caption: VMware VMotion moves live, running virtual machines from one host to another while maintaining continuous service availability.]
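The memory-transfer step described above can be modelled in a few dozen lines. The following Python simulation is an added illustration, not VMware's code: pages are copied while the guest keeps running, writes that land during the copy are recorded in a dirty-page bitmap, and the pages still marked dirty are sent after the source is suspended. It generalizes the text's single copy pass to several pre-copy rounds so the effect on the suspended (downtime) phase can be compared; the page contents and write pattern are constructed sample data.

```python
"""Model of VMotion-style live migration: memory pre-copy with a dirty-page bitmap.

Added illustration, not VMware's implementation. Memory is a list of page values;
the "guest" keeps writing to pages while they are being transferred.
"""

PAGE_SIZE = 4096  # bytes per page, used only to report transfer volume


def simulate_migration(memory, writes_per_round, max_rounds=10, stop_threshold=4):
    """Migrate `memory` from a source host to a target host.

    memory           -- list of page contents on the source (constructed sample data)
    writes_per_round -- writes_per_round[r] is the list of (page, value) writes the
                        guest performs while pre-copy round r is in flight
    max_rounds       -- switch to stop-and-copy after this many pre-copy rounds
    stop_threshold   -- switch to stop-and-copy once this few pages remain dirty

    Returns round count, pages copied, pages sent while the VM is paused, and whether
    the target ended up identical to the source (the transaction-integrity check).
    """
    source = list(memory)
    target = [None] * len(source)
    dirty = [True] * len(source)   # bitmap: one bit per page, every page initially unsent
    rounds = 0
    pages_copied = 0

    while True:
        to_copy = [i for i, d in enumerate(dirty) if d]
        # After the first full pass, stop iterating when little remains or we have run too long
        if rounds > 0 and (len(to_copy) <= stop_threshold or rounds >= max_rounds):
            break
        # Pre-copy pass: send every dirty page and clear its bit; the guest is still running
        for i in to_copy:
            target[i] = source[i]
            dirty[i] = False
        pages_copied += len(to_copy)
        # Writes that landed during this pass re-dirty their pages; the bitmap tracks them
        round_writes = writes_per_round[rounds] if rounds < len(writes_per_round) else []
        for page, value in round_writes:
            source[page] = value
            dirty[page] = True
        rounds += 1

    # Stop-and-copy: suspend the source, send the pages still marked dirty, resume on the target
    remaining = [i for i, d in enumerate(dirty) if d]
    for i in remaining:
        target[i] = source[i]
        dirty[i] = False
    pages_copied += len(remaining)

    return {
        "rounds": rounds,
        "pages_copied": pages_copied,
        "bytes_transferred": pages_copied * PAGE_SIZE,
        "downtime_pages": len(remaining),   # work done while the VM is paused
        "consistent": target == source,     # execution state must match exactly on resume
    }


# Constructed sample: 16 pages and a hot set of pages that the guest keeps rewriting
SAMPLE_MEMORY = list(range(16))
SAMPLE_WRITES = [
    [(1, 100), (2, 200), (3, 300), (4, 400), (5, 500)],  # during round 0
    [(1, 101), (2, 201)],                                # during round 1
    [(1, 102)],                                          # during round 2
]


def compare_strategies():
    """Single copy pass (as the text describes) versus iterative pre-copy, same workload."""
    single_pass = simulate_migration(SAMPLE_MEMORY, SAMPLE_WRITES, max_rounds=1, stop_threshold=2)
    iterative = simulate_migration(SAMPLE_MEMORY, SAMPLE_WRITES, max_rounds=10, stop_threshold=2)
    return single_pass, iterative


if __name__ == "__main__":
    for name, result in zip(("single pass", "iterative"), compare_strategies()):
        print(f"{name}: {result}")
```

With the sample workload the single pass leaves five pages for the suspended phase while two further pre-copy rounds reduce that to two, at the cost of a few extra page transfers.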


Exchange

If you one day are faced with a relatively large corrupt Mailbox Store, restoring it can, depending on things such as backup hardware, backup application and network speed, be quite time consuming. Now the last thing you want to deal with in such a situation is frustrated users (or even worse a yelling CEO!).

So how can you get your users to calm down (and your CEO to s… up) and get back to work while you concentrate on getting the Mailbox Store back to life? There’s one simple answer and that is, you can create a dial-tone database and thereby get message flow and mailbox access recovered almost instantly. By using a dial-tone database your users can start to receive and send mail again, they can even go check out old messages that existed in their mailbox on the Exchange server (if their Outlook client has been configured to use cached mode that is), bear in mind though they have to switch between Online and Offline mode when prompted with the Outlook 2003 Exchange Recovery Mode dialog box. I’ll talk more about Outlook 2003 Recovery mode in “Demystifying The Exchange Dial-tone Restore Method (Part 2)”.

Using the dial-tone database restore method means that you, while restoring one or more corrupted Mailbox Stores from the most recent backup, have users connect to a new empty or blank Mailbox Store. The dial-tone restore method is by no means new; it’s been used with previous versions of Exchange as well, but now that we have the Exchange Server 2003 Recovery Storage Group (RSG) feature, the method becomes even more attractive when restoring Mailbox Stores within your Exchange messaging environment.

Note:With previous versions of Exchange a dedicated Exchange recovery server was required. Using a separate Exchange recovery Server meant you first had to restore the required Mailbox Store(s) or database to the recovery server, then either export the data from the restored database(s) to PST files using Exchange Server Mailbox Merge Wizard (ExMerge) or copy the whole Exchange database from the recovery server to the production server. As an Exchange database often is several gigabytes in size, this meant you typically had to copy large amounts of data over the wire which, depending on the network, could add several hours to the total recovery time.

Using the Recovery Storage Group feature makes it possible to restore Mailbox Stores without the need to build and use a separate Exchange Recovery Server; instead you can simply restore the Mailbox Store(s) directly to the Recovery Storage Group (RSG) on the respective Exchange Server or any other Exchange 2003 Server in the same Administrative Group. This makes it an easy and painless process to merge data from the restored Mailbox Store(s) to the dial-tone database, or swap the restored database from the Recovery Storage Group (RSG) to the dial-tone database in the original Storage Group, then merge data from the dial-tone database to the restored Mailbox Store. I’ll also talk more about swapping databases in “Demystifying The Exchange Dial-tone Restore Method (Part 2)”.

Note: If you’re not familiar with the Recovery Storage Group (RSG) feature, I recommend you check out MS KB article 824126 - How to use Recovery Storage Groups in Exchange Server 2003, which does a great job explaining how you can recover Mailbox Stores or individual mailboxes by restoring a Mailbox Store to the RSG.


Creating the Dial-tone Database

Alright we’re ready to have the dial-tone database created, so if it’s not already the case you first need

Roles:

Here I am playing a key role in Active Directory and Backup Administration. I need to check the backup logs to confirm that the backup has completed successfully. We have a MOM team; it generates the alerts with respect to MOM. I am taking care of AD alerts and backups: disk space low issues, automated services, CPU utilization, server availability, server health checks, hardware failures and DNS issues, and moreover I can say user creations, DL creations and mailbox movements, and I am also part of taking care of the anti-virus bad clients.

We are using the HP OVSD tool to monitor the queue for all these issues.

RAID 5 and 10?

Common Name(s): RAID 5.

Technique(s) Used: Block-level striping with distributed parity.

Description: One of the most popular RAID levels, RAID 5 stripes both data and parity information across three or more drives. It is similar to RAID 4 except that it exchanges the dedicated parity drive for a distributed parity algorithm, writing data and parity blocks across all the drives in the array. This removes the "bottleneck" that the dedicated parity drive represents, improving write performance slightly and allowing somewhat better parallelism in a multiple-transaction environment, though the overhead necessary in dealing with the parity continues to bog down writes. Fault tolerance is maintained by ensuring that the parity information for any given block of data is placed on a drive separate from those used to store the data itself. The performance of a RAID 5 array can be "adjusted" by trying different stripe sizes until one is found that is well-matched to the application being used.

RAID5 versus RAID10 (or even RAID3 or RAID4)

First let's get on the same page so we're all talking about apples.

What is RAID5?

OK here is the deal: RAID5 uses ONLY ONE parity drive per stripe, and many RAID5 arrays are 5 drives (if your counts are different, adjust the calculations appropriately): 4 data and 1 parity, though it is not a single drive that is holding all of the parity as in RAID 3 & 4, but read on. If you have 10 drives of say 20GB each for 200GB, RAID5 will use 20% for parity (assuming you set it up as two 5-drive arrays) so you will have 160GB of storage. Now since RAID10, like mirroring (RAID1), uses 1 (or more) mirror drive for each primary drive, you are using 50% for redundancy, so to get the same 160GB of storage you will need 8 pairs or 16 20GB drives, which is why RAID5 is so popular. This intro is just to put things into perspective.

RAID5 is physically a stripe set like RAID0 but with data recovery included. RAID5 reserves one disk block out of each stripe block for parity data. The parity block contains an error correction code which can correct any error in the RAID5 block; in effect it is used in combination with the remaining data blocks to recreate any single missing block, gone missing because a drive has failed. The innovation of RAID5 over RAID3 & RAID4 is that the parity is distributed on a round-robin basis so that there can be independent reading of different blocks from the several drives. This is why RAID5 became more popular than RAID3 & RAID4, which must synchronously read the same block from all drives together. So, if Drive2 fails, blocks 1, 2, 4, 5, 6 & 7 are data blocks on this drive and blocks 3 and 8 are parity blocks on this drive. That means that the parity on Drive5 will be used to recreate the data block from Drive2 if block 1 is requested before a new drive replaces Drive2 or during the rebuilding of the new Drive2 replacement. Likewise the parity on Drive1 will be used to repair block 2 and the parity on Drive3 will repair block 4, etc. For block 3 all the data is safely on the remaining drives, but during the rebuilding of Drive2's replacement a new parity block will be calculated from the block 3 data and will be written to Drive2.

Now when a disk block is read from the array, the RAID software/firmware calculates which RAID block contains the disk block, which drive the disk block is on and which drive contains the parity block for that RAID block, and reads ONLY the one data drive. It returns the data block. If you later modify the data block it recalculates the parity by subtracting the old block and adding in the new version, then in two separate operations it writes the data block followed by the new parity block. To do this it must first read the parity block from whichever drive contains the parity for that stripe block and reread the unmodified data for the updated block from the original drive. This read-read-write-write is known as the RAID5 write penalty; since these two writes are sequential and synchronous, the write system call cannot return until the reread and both writes complete, for safety, so writing to RAID5 is up to 50% slower than RAID0 for an array of the same capacity. (Some software RAID5s avoid the re-read by keeping an unmodified copy of the original block in memory.)

Now what is RAID10?

RAID10 is one of the combinations of RAID1 (mirroring) and RAID0 (striping) which are possible. There used to be confusion about what RAID01 or RAID10 meant and different RAID vendors defined them differently. About five years or so ago I proposed the following standard language, which seems to have taken hold. When N mirrored pairs are striped together this is called RAID10 because the mirroring (RAID1) is applied before striping (RAID0). The other option is to create two stripe sets and mirror them one to the other; this is known as RAID01 (because the RAID0 is applied first). In either a RAID01 or RAID10 system each and every disk block is completely duplicated on its drive's mirror. Performance-wise both RAID01 and RAID10 are functionally equivalent. The difference comes in during recovery, where RAID01 suffers from some of the same problems I will describe affecting RAID5 while RAID10 does not.

Now if a drive in the RAID5 array dies, is removed, or is shut off, data is returned by reading the blocks from the remaining drives and calculating the missing data using the parity, assuming the defunct drive is not the parity block drive for that RAID block. Note that it takes 4 physical reads to replace the missing disk block (for a 5-drive array) for four out of every five disk blocks, leading to a 64% performance degradation until the problem is discovered and a new drive can be mapped in to begin recovery. Performance is degraded further during recovery because all drives are being actively accessed in order to rebuild the replacement drive (see below).

If a drive in the RAID10 array dies data is returned from its mirror drive in a single read with only minor (6.25% on average for a 4 pair array as a whole) performance reduction when two non-contiguous blocks are needed from the damaged pair (since the two blocks cannot be read in parallel from both drives) and none otherwise.

Mirroring?

Mirroring is one of the two data redundancy techniques used in RAID (the other being parity). In a RAID system using mirroring, all data in the system is written simultaneously to two hard disks instead of one; thus the "mirror" concept. The principle behind mirroring is that this 100% data redundancy provides full protection against the failure of either of the disks containing the duplicated data. Mirroring setups always require an even number of drives for obvious reasons.

The chief advantage of mirroring is that it provides not only complete redundancy of data, but also reasonably fast recovery from a disk failure. Since all the data is on the second drive, it is ready to use if the first one fails. Mirroring also improves some forms of read performance (though it actually hurts write performance). The chief disadvantage of RAID 1 is expense: that data duplication means half the space in the RAID is "wasted" so you must buy twice the capacity that you want to end up with in the array. Performance is also not as good as some RAID levels.

Parity

Mirroring is a data redundancy technique used by some RAID levels, in particular RAID level 1, to provide data protection on a RAID array. While mirroring has some advantages and is well-suited for certain RAID implementations, it also has some limitations. It has a high overhead cost, because fully 50% of the drives in the array are reserved for duplicate data; and it doesn't improve performance as much as data striping does for many applications. For this reason, a different way of protecting data is provided as an alternative to mirroring. It involves the use of parity information, which is redundancy information calculated from the actual data values.
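The capacity arithmetic above (10 drives of 20GB giving 160GB under RAID5, 16 drives under RAID10), the rotating parity layout with the same 5-drive numbering (Drive2 holds the parity of stripes 3 and 8), reconstruction of a failed drive from the surviving blocks, and the read-read-write-write penalty, in one runnable model. This is an added example written for this section, not code from the original text; the block size, drive counts and sample data are constructed.

```python
"""RAID 5 / RAID 10 arithmetic and a toy RAID 5 array with rotating XOR parity.
Added example for this section, not code from the original text."""
from typing import List, Set

BLOCK_SIZE = 4  # bytes per block in this toy model; real stripe blocks are KB to MB


def usable_capacity_gb(drives: int, drive_gb: int, level: str, raid5_set_size: int = 5) -> int:
    """RAID 5 gives up one drive's worth of space per parity set; RAID 10 gives up half."""
    if level == "raid5":
        sets, rest = divmod(drives, raid5_set_size)
        if rest:
            raise ValueError("drive count must be a multiple of the RAID 5 set size")
        return sets * (raid5_set_size - 1) * drive_gb
    if level == "raid10":
        if drives % 2:
            raise ValueError("RAID 10 needs an even number of drives")
        return (drives // 2) * drive_gb
    raise ValueError(f"unknown level {level!r}")


def xor_blocks(blocks: List[bytes]) -> bytes:
    """Parity is plain XOR: XOR of all blocks but one in a stripe reproduces that one."""
    out = bytearray(BLOCK_SIZE)
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


class Raid5:
    """n drives; drives[d][s] is drive d's block in stripe s. Parity rotates: stripe 1 on the
    last drive, stripe 2 on the first, ... (the article's layout for a 5-drive array)."""

    def __init__(self, n_drives: int) -> None:
        if n_drives < 3:
            raise ValueError("RAID 5 needs at least three drives")
        self.n = n_drives
        self.drives: List[List[bytes]] = [[] for _ in range(n_drives)]
        self.failed: Set[int] = set()
        self.reads = 0
        self.writes = 0

    def parity_drive(self, stripe: int) -> int:
        return (stripe + self.n - 1) % self.n          # 0-indexed stripe and drive

    def data_drives(self, stripe: int) -> List[int]:
        return [d for d in range(self.n) if d != self.parity_drive(stripe)]

    def _read_raw(self, drive: int, stripe: int) -> bytes:
        if drive in self.failed:
            raise IOError(f"drive {drive} has failed")
        self.reads += 1
        return self.drives[drive][stripe]

    def write_stripe(self, data: List[bytes]) -> int:
        """Full-stripe write: n-1 data blocks plus one freshly computed parity block."""
        if len(data) != self.n - 1 or any(len(b) != BLOCK_SIZE for b in data):
            raise ValueError("need n-1 blocks of BLOCK_SIZE bytes")
        stripe = len(self.drives[0])
        parity, it = xor_blocks(data), iter(data)
        for d in range(self.n):
            self.drives[d].append(parity if d == self.parity_drive(stripe) else next(it))
            self.writes += 1
        return stripe

    def read(self, stripe: int, k: int) -> bytes:
        """k-th data block of a stripe: one physical read normally; n-1 reads plus an XOR
        when that block's drive is down (the degraded-mode cost described in the text)."""
        drive = self.data_drives(stripe)[k]
        if drive not in self.failed:
            return self._read_raw(drive, stripe)
        return xor_blocks([self._read_raw(d, stripe) for d in range(self.n) if d != drive])

    def update(self, stripe: int, k: int, new: bytes) -> None:
        """Small write: read old data and old parity, write new data and new parity.
        new parity = old parity XOR old data XOR new data ('subtract old, add new')."""
        drive, p = self.data_drives(stripe)[k], self.parity_drive(stripe)
        old, old_parity = self._read_raw(drive, stripe), self._read_raw(p, stripe)
        self.drives[drive][stripe] = new
        self.drives[p][stripe] = xor_blocks([old_parity, old, new])
        self.writes += 2

    def fail(self, drive: int) -> None:
        """Simulate a dead drive: its contents are really gone, not just hidden."""
        self.failed.add(drive)
        self.drives[drive] = [b"" for _ in self.drives[drive]]

    def rebuild(self, drive: int) -> None:
        """Map in a replacement: every block, data or parity, is the XOR of the others."""
        for stripe in range(len(self.drives[0])):
            self.drives[drive][stripe] = xor_blocks(
                [self.drives[d][stripe] for d in range(self.n) if d != drive])
        self.failed.discard(drive)


def write_penalty(n_drives: int = 5) -> tuple:
    """(reads, writes) for one block update on a fresh array: the 2 + 2 of the text."""
    r = Raid5(n_drives)
    s = r.write_stripe([bytes([i] * BLOCK_SIZE) for i in range(1, n_drives)])
    r.reads = r.writes = 0
    r.update(s, 0, b"\xff" * BLOCK_SIZE)
    return r.reads, r.writes
```

`parity_drive` is 0-indexed, so the article's "stripe 1 parity on Drive5, stripe 3 and stripe 8 on Drive2" comes out as `parity_drive(0) == 4` and `parity_drive(2) == parity_drive(7) == 1`. Failing a drive blanks it before any reconstruction, so a passing `read` after `fail` is real evidence that the parity, not a cached copy, supplied the data.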

Cross-realm: the ticket-granting service is used for cross-domain authentication.

Kerberos authentication: after the user enters the password, the client checks its time stamp against the domain controller (global catalog) using the NTP protocol (port number 123). The time difference between the DC and the client must not exceed 5 minutes.

After the time stamps match, the session ticket with the encrypted password is used and two tickets are issued with the help of the KDC (Key Distribution Centre). One is used to send the logon request and the other returns the permission (accepted or not).

After Kerberos provides the authentication, LDAP finishes the logon process on port number 389.

Kerberos uses two protocols, UDP and TCP, on the same port number, 88.

After that it checks the password maintained in the DC; if it matches, it starts authenticating with the domain.

Replmon

Replmon.exe: Active Directory Replication Monitor

This GUI tool enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication.

You can use ReplMon to do the following:

1. See when a replication partner fails.

2. View the history of successful and failed replication changes for troubleshooting purposes.

3. Create your own applications or scripts written in Microsoft Visual Basic Scripting Edition (VBScript) to extract specific data from Active Directory.

4. View a snapshot of the performance counters on the computer, and the registry configuration of the server.

5. Generate status reports that include direct and transitive replication partners, and detail a record of changes.

6. Find all direct and transitive replication partners on the network.

7. Display replication topology.

8. Poll replication partners and generate individual histories of successful and failed replication events.

9. Force replication.

10. Trigger the Knowledge Consistency Checker (KCC) to recalculate the replication topology.

11. Display changes that have not yet replicated from a given replication partner.

12. Display a list of the trust relationships maintained by the domain controller being monitored.

13. Display the metadata of an Active Directory object's attributes.

14. Monitor replication status of domain controllers from multiple forests.

Repadmin.exe: Replication Diagnostics Tool

This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers.

Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors.

Repadmin.exe can also be used for monitoring the relative health of an Active Directory forest. The operations replsummary, showrepl, showrepl /csv, and showvector /latency can be used to check for replication problems.

Usually, the Knowledge Consistency Checker (KCC) manages the replication topology for each naming context held on domain controllers.

Important:

During the normal course of operations, there is no need to create the replication topology manually. Incorrect use of this tool can adversely impact the replication topology. The primary use of this tool is to monitor replication so that problems such as offline servers or unavailable LAN/WAN connections can be identified.
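A small check that turns the showrepl /csv output mentioned above into a list of partners needing attention (consecutive failures, or no successful replication within a time window), as an added example that is not part of the original text. The column names are the ones I know `repadmin /showrepl * /csv` to emit and the three rows are constructed; compare both with your own output before relying on the script.

```python
"""Flag unhealthy replication partners from `repadmin /showrepl * /csv` output.
Added example; column names as I know the command to emit them, rows constructed."""
import csv
from datetime import datetime, timedelta
from io import StringIO
from typing import Dict, List

# Constructed sample: DC1's inbound partners. DC2 healthy, DC3 failing, DC4 stale.
SAMPLE_CSV = """\
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC1,"DC=example,DC=local",HQ,DC2,RPC,0,0,2009-05-10 08:15:02,0
showrepl_INFO,HQ,DC1,"DC=example,DC=local",Branch,DC3,RPC,12,2009-05-10 08:20:11,2009-05-09 02:00:00,1722
showrepl_INFO,HQ,DC1,"CN=Configuration,DC=example,DC=local",Branch,DC4,RPC,0,0,2009-05-07 23:59:59,0
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_showrepl(text: str) -> List[Dict[str, str]]:
    """Return one dict per showrepl_INFO row, keyed by the names in the showrepl_COLUMNS row."""
    rows: List[Dict[str, str]] = []
    header = None
    for rec in csv.reader(StringIO(text)):
        if not rec:
            continue
        if rec[0] == "showrepl_COLUMNS":
            header = rec[1:]
        elif rec[0] == "showrepl_INFO" and header:
            rows.append(dict(zip(header, rec[1:])))
    return rows


def find_problems(rows: List[Dict[str, str]], now: datetime,
                  max_age: timedelta = timedelta(hours=24)) -> List[Dict[str, str]]:
    """A partner is a problem if it reports consecutive failures, or if its last success is
    older than max_age. The age test catches links that quietly stopped replicating
    (offline server, dead WAN link) even when the failure counter has not moved."""
    problems = []
    for row in rows:
        failures = int(row["Number of Failures"])
        last_ok = row["Last Success Time"]
        reason = None
        if failures > 0:
            reason = f"{failures} consecutive failures, last status {row['Last Failure Status']}"
        elif last_ok in ("", "0"):
            reason = "never replicated successfully"
        elif now - datetime.strptime(last_ok, TIME_FMT) > max_age:
            reason = f"no success since {last_ok}"
        if reason:
            problems.append({"source": row["Source DSA"],
                             "context": row["Naming Context"], "reason": reason})
    return problems


if __name__ == "__main__":
    for p in find_problems(parse_showrepl(SAMPLE_CSV), datetime(2009, 5, 10, 9, 0, 0)):
        print(f"{p['source']:6} {p['context']:40} {p['reason']}")
```

Run it against a saved file instead of `SAMPLE_CSV` and feed `datetime.now()` as `now`; a 24-hour window is a reasonable default for a single site, while partners across a slow WAN link with a long replication schedule need a larger `max_age` or they will be reported as stale.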

1. How to confirm that a software package deployed using Group Policy has got installed on the user's PC.

2. On one DC an OU has been deleted by admin1 (deleted by one administrator); on another DC the same OU is being updated by admin2 (Lost and Found object).

3. What are the two attributes that are updated while replication is happening?

4. How do you see, by using GPO, which software has been installed on the machines?

5. How to install a software package on 500 machines; give the steps.

6. How do you deploy a patch in an enterprise environment?

7. How to uninstall a package.

8. If Kerberos fails, what will happen; is there any other authentication?

9. When you need to install a DNS server on member servers, what is the use of it?

10. Can Active Directory-integrated DNS be installed on a member server?

11. What are the log files and what is the use of the log files?

Answers:

1. Software deployment tools are there: SMS, or some other tool, with a package to deploy.

MBSA 2.0.1 is compatible with Microsoft Update and Windows Server Update Services and the SMS Inventory Tool for Microsoft Update (ITMU). MBSA 2.0.1 offers customers improved Windows component support, expanded platform support for XP Embedded and 64-bit Windows, as well as a more consistent and less complex security update management experience.

Unless specifically noted, all references to MBSA 2.0 in the MBSA TechNet pages also apply to MBSA 2.0.1.

Legacy Product Support: For customers using legacy products not supported by MBSA 2.0.1, Microsoft Update, and WSUS, Shavlik Technologies provides a free MBSA 2.0.1 companion tool called Shavlik NetChk Limited.

2. Only one OU can be created and deleted; how will the same OU name come up on the other machines?

3. GPMC; a GPO is one object in Group Policy.

4. What is the GPMC; password policy; how you will apply it and where you will apply it.

5. Hierarchy: site, domain and OU.

6. 500 machines: distribution point (SMS).

7. How to deploy in the enterprise environment:

SUS: Microsoft SUS is a free patch management tool provided by Microsoft to help network administrators deploy security patches more easily. In simple terms, Microsoft SUS is a version of Windows Update that you can run on your network.

Software Update Services leverages the successful Windows Automatic Updates service first available in Windows XP, and allows information technology professionals to configure a server that contains content from the live Windows Update site in their own Windows-based intranets to service corporate servers and clients.

Software Update Services

The server features include:

Built-in security. The administrative pages are restricted to local administrators on the computer that hosts the updates. The synchronization validates the digital certificates on any downloads to the update server. If the certificates are not from Microsoft, the packages are deleted.

Selective content approval. Updates synchronized to your server running Software Update Services are not made automatically available to the computers that have been configured to get updates from that server. The administrator approves the updates before they are made available for download. This allows the administrator to test the packages before deploying them.

Content synchronization. The server is synchronized with the public Windows Update service either manually or automatically. The administrator can set a schedule or have the synchronization component of the server do it automatically at preset times. Alternatively, the administrator can use the Synchronize Now button to manually synchronize.

Server-to-server synchronization. Because you may need multiple servers running Microsoft SUS inside your corporation in order to bring the updates closer to your desktops and servers for downloading, Microsoft SUS will allow you to point to another server running Microsoft SUS instead of Windows Update, allowing these critical software updates to be distributed around your enterprise.

Update package hosting flexibility. Administrators have the flexibility of downloading the actual updates to their intranet, or pointing computers to a worldwide network of download servers maintained by Microsoft. Downloading updates might appeal to an administrator with a network closed to the Internet. Large networks spread over geographically disparate sites might find it more beneficial to use the Microsoft maintained download servers. These are the actual Windows Update download servers. In a scenario like this, an administrator would download and test updates at a central site, then point computers requiring updates to one of the Windows Update download servers. Microsoft maintains a worldwide network of these type servers.

Multi-language support. Although the Software Update Services administrative interface is available only in English or Japanese, the server supports the publishing of updates to multiple operating-system language versions. Administrators can configure the list of languages for which they want updates downloaded.

Remote administration via HTTP or HTTPS. The administrative interface is Web-based and therefore allows for remote (internal) administration using Internet Explorer 5.5 or higher.

Update status logging. You can specify the address of a Web server where the Automatic Updates client should send statistics about updates that have been downloaded, and whether the updates have been installed. These statistics are sent using the HTTP protocol and appear in the log file of the Web server.

Download Software Update Services Server 1.0 with Service Pack 1 HERE (33mb)

Microsoft SUS Server limitations

Though very good at what it does, Microsoft’s patch management tool does have a few limitations:

It does not push out service packs; you need a separate solution for that.

It only handles patches at operating system level (including Internet Explorer and IIS), but not application patches such as Microsoft Office, Microsoft Exchange Server, Microsoft SQL Server, etc.

It requires Windows 2000 and up, so it cannot patch Windows NT 4 systems.

It cannot deploy custom patches for third party software.

It does not allow you to scan your network for missing patches, so you cannot check if everything has been installed correctly. There is no easy reporting system for this.

This means that you still require a patch management solution to perform the above tasks. Microsoft does not plan to add the above features, since it promotes Microsoft SMS server as a tool for that. So, Microsoft SUS server is ideal for operating system patches if used in conjunction with a patch management tool.

Read more on how to overcome SUS's limitations by using a 3rd party tool called GFI LANguard Network Security Scanner.

Windows Automatic Update Client

To use SUS on your network you will need to use the Windows Automatic Update Client.

The client is based on the Windows Automatic Updates technology that was significantly updated for Windows XP. Automatic Updates is a proactive pull service that enables users with administrative privileges to automatically download and install Windows updates such as critical operating-system fixes and Windows security patches. The features include:

Built-in security: Only users with local administrative privileges can interact with Automatic Updates. This prevents unauthorized users from tampering with the installation of critical updates. Before installing a downloaded update, Automatic Updates verifies that Microsoft has digitally signed the files.

Just-in-time validation: Automatic Updates uses the Windows Update service technologies to scan the system and determine which updates are applicable to a particular computer.

Background downloads: Automatic Updates uses the Background Intelligent Transfer Service (BITS), an innovative bandwidth-throttling technology built into Windows XP and newer operating systems, to download updates to the computer. This bandwidth-throttling technology uses only idle bandwidth so that downloads do not interfere with or slow down other network activity, such as Internet browsing.

Chained installation: Automatic Updates uses the Windows Update technologies to install downloaded updates. If multiple updates are being installed and one of them requires a restart, Automatic Updates installs them all together and then requests a single restart.

Multi-user awareness: Automatic Updates is multi-user aware, which means that it displays different UI depending on which administrative user is logged on.

Manageability: In an Active Directory environment, an administrator can configure the behavior of Automatic Updates using Group Policy. Otherwise, an administrator can remotely configure Automatic Updates using registry keys through the use of a logon script or similar mechanism.

Multi-language support: The client is supported on localized versions of Windows.

This update applies to the following operating systems:

Windows 2000 Professional with Service Pack 2
Windows 2000 Server with Service Pack 2
Windows 2000 Advanced Server with Service Pack 2
Windows XP Professional
Windows XP Home Edition

Note: Windows 2000 Service Pack 3 (SP3) and Windows XP Service Pack 1 (SP1) include the Automatic Updates component, eliminating the need to download the client component separately.

Download Windows automatic updating (SUS Client) HERE (1mb)

Administrator Control via Policies

The Automatic Updates behavior can be driven by configuring Group Policy settings in an Active Directory environment.

Administrators can use Group Policy in an Active Directory environment or can configure registry keys to specify a server running Software Update Services. Computers running Automatic Updates then use this specified server to get updates.

The Software Update Services installation package includes a policy template file, WUAU.ADM, which contains the Group Policy settings described earlier in this paper. These settings can be loaded into Group Policy Editor for deployment. These policies are also included in the System.adm file in Windows 2000 Service Pack 3, and will be included in the Windows Server 2003 family, and in Windows XP Service Pack 1.

8. NTLM

System Login Process:

Kerberos uses as its basis the Needham-Schroeder protocol. It makes use of a trusted third party, termed a key distribution center (KDC), which consists of two logically separate parts: an Authentication Server (AS) and a Ticket Granting Server (TGS). Kerberos works on the basis of "tickets" which serve to prove the identity of users.

The KDC maintains a database of secret keys; each entity on the network — whether a client or a server — shares a secret key known only to itself and to the KDC. Knowledge of this key serves to prove an entity's identity. For communication between two entities, the KDC generates a session key which they can use to secure their interactions.

The security of the protocol relies heavily on participants maintaining loosely synchronized time and on short lived assertions of authenticity called Kerberos tickets.

What follows is a simplified description of the protocol. The following abbreviations will be used:

AS = Authentication Server
TGS = Ticket Granting Server
SS = Service Server
TGT = Ticket Granting Ticket

Briefly, the client authenticates to AS using a long-term shared secret and receives a ticket from the AS. Later the client can use this ticket to get additional tickets for SS without resorting to using the shared secret. These tickets can be used to prove authentication to SS.

In more detail:

User Client-based Logon Steps:

1. A user enters a username and password on the client.

2. The client performs a one-way function on the entered password, and this becomes the secret key of the client.

Client Authentication Steps:

1. The client sends a cleartext message to the AS requesting services on behalf of the user. Sample message: "User XYZ would like to request services". Note: Neither the secret key nor the password is sent to the AS.

2. The AS checks to see if the client is in its database. If it is, the AS sends back the following two messages to the client:

o Message A: Client/TGS session key encrypted using the secret key of the user.

o Message B: Ticket-Granting Ticket (which includes the client ID, client network address, ticket validity period, and the client/TGS session key) encrypted using the secret key of the TGS.

3. Once the client receives messages A and B, it decrypts message A to obtain the client/TGS session key. This session key is used for further communications with TGS. (Note: The client cannot decrypt Message B, as it is encrypted using TGS's secret key.) At this point, the client has enough information to authenticate itself to the TGS.

Client Service Authorization Steps:

1. When requesting services, the client sends the following two messages to the TGS:

o Message C: Composed of the Ticket-Granting Ticket from message B and the ID of the requested service.

o Message D: Authenticator (which is composed of the client ID and the timestamp), encrypted using the client/TGS session key.

2. Upon receiving messages C and D, the TGS retrieves message B out of message C. It decrypts message B using the TGS secret key. This gives it the "client/TGS session key". Using this key, the TGS decrypts message D (Authenticator) and sends the following two messages to the client:

o Message E: Client-to-server ticket (which includes the client ID, client network address, validity period and Client/server session key) encrypted using the service's secret key.

o Message F: Client/server session key encrypted with the client/TGS session key.

Client Service Request Steps:

1. Upon receiving messages E and F from TGS, the client has enough information to authenticate itself to the SS. The client connects to the SS and sends the following two messages:

o Message E from the previous step (the client-to-server ticket, encrypted using service's secret key).

o Message G: a new Authenticator, which includes the client ID, timestamp and is encrypted using client/server session key.

2. The SS decrypts the ticket using its own secret key and sends the following message to the client to confirm its true identity and willingness to serve the client:

o Message H: the timestamp found in client's recent Authenticator plus 1, encrypted using the client/server session key.

3. The client decrypts the confirmation using the client/server session key and checks whether the timestamp is correctly updated. If so, then the client can trust the server and can start issuing service requests to the server.

4. The server provides the requested services to the client.
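The exchange just described (messages A to H), together with the clock-skew check from the earlier notes, as an added example that is not from the original text. `seal`/`unseal` is a toy encrypt-and-MAC stand-in for a Kerberos encryption type; the principal names ('alice', 'cifs/fs1', 'krbtgt'), the client address, the eight-hour ticket lifetime and the password are constructed; and MAX_SKEW is the 5 minutes quoted in the notes (the drawbacks section quotes a 10-minute default, so treat it as a parameter).

```python
"""Toy walk-through of the AS, TGS and SS exchanges (messages A to H) with the
clock-skew check. Added example, not from the original text; seal/unseal is a
stand-in for a Kerberos encryption type, not a real one."""
import hashlib
import hmac
import json
import os

MAX_SKEW = 300  # seconds: the 5-minute limit from the notes (the later text quotes 10 minutes)


def derive_key(password: str) -> bytes:
    """Client logon step 2: a one-way function of the password is the client's secret key."""
    return hashlib.sha256(password.encode()).digest()


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(key: bytes, fields: dict) -> bytes:
    """Encrypt a small record under key and append a MAC so a wrong key is detected."""
    data = json.dumps(fields).encode()
    nonce = os.urandom(8)
    body = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, body, tag = blob[:8], blob[8:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body)))))


def check_skew(now: int, stamp: int) -> None:
    if abs(now - stamp) > MAX_SKEW:
        raise ValueError("authenticator timestamp outside the allowed clock skew")


class KDC:
    """AS and TGS together. keys maps principal -> long-term key; 'krbtgt' is the TGS key."""

    def __init__(self, keys: dict) -> None:
        self.keys = dict(keys)

    def as_exchange(self, client_id: str, now: int):
        """Reply to the cleartext request with message A (client/TGS key under the client's
        key) and message B, the TGT (same key plus identity and validity, under the TGS key)."""
        if client_id not in self.keys:
            raise ValueError("unknown principal")
        tgs_key = os.urandom(32).hex()
        msg_a = seal(self.keys[client_id], {"tgs_key": tgs_key})
        msg_b = seal(self.keys["krbtgt"], {"client": client_id, "addr": "10.0.0.5",
                                           "expires": now + 8 * 3600, "tgs_key": tgs_key})
        return msg_a, msg_b

    def tgs_exchange(self, msg_c, msg_d: bytes, now: int):
        """msg_c = (TGT, service id), msg_d = authenticator. Returns messages E and F."""
        tgt, service_id = msg_c
        ticket = unseal(self.keys["krbtgt"], tgt)          # only the TGS can open the TGT
        tgs_key = bytes.fromhex(ticket["tgs_key"])
        auth = unseal(tgs_key, msg_d)                       # proves possession of that key
        if auth["client"] != ticket["client"] or now > ticket["expires"]:
            raise ValueError("authenticator does not match the ticket")
        check_skew(now, auth["timestamp"])
        svc_key = os.urandom(32).hex()
        msg_e = seal(self.keys[service_id], {"client": ticket["client"], "addr": ticket["addr"],
                                             "expires": now + 8 * 3600, "svc_key": svc_key})
        msg_f = seal(tgs_key, {"svc_key": svc_key})
        return msg_e, msg_f


def service_accept(service_key: bytes, msg_e: bytes, msg_g: bytes, now: int) -> bytes:
    """SS side: open the ticket with its own key, verify the authenticator, and answer with
    message H (timestamp + 1) so the client can check the server's identity too."""
    ticket = unseal(service_key, msg_e)
    svc_key = bytes.fromhex(ticket["svc_key"])
    auth = unseal(svc_key, msg_g)
    if auth["client"] != ticket["client"] or now > ticket["expires"]:
        raise ValueError("ticket and authenticator disagree")
    check_skew(now, auth["timestamp"])
    return seal(svc_key, {"timestamp": auth["timestamp"] + 1})


def client_logon(kdc: KDC, client_id: str, password: str, service_id: str,
                 service_key: bytes, now: int, client_now: int) -> bool:
    """The whole flow from the client's side; True when mutual authentication succeeds."""
    client_key = derive_key(password)
    msg_a, msg_b = kdc.as_exchange(client_id, now)
    tgs_key = bytes.fromhex(unseal(client_key, msg_a)["tgs_key"])   # wrong password fails here
    msg_d = seal(tgs_key, {"client": client_id, "timestamp": client_now})
    msg_e, msg_f = kdc.tgs_exchange((msg_b, service_id), msg_d, now)
    svc_key = bytes.fromhex(unseal(tgs_key, msg_f)["svc_key"])
    msg_g = seal(svc_key, {"client": client_id, "timestamp": client_now})
    msg_h = service_accept(service_key, msg_e, msg_g, now)
    return unseal(svc_key, msg_h)["timestamp"] == client_now + 1


def demo(skew: int = 0, password: str = "correct horse") -> bool:
    """Constructed realm: user 'alice', service 'cifs/fs1'. skew = client clock offset in
    seconds. Returns False instead of raising so the failure modes are easy to compare."""
    keys = {"alice": derive_key("correct horse"), "cifs/fs1": os.urandom(32), "krbtgt": os.urandom(32)}
    now = 1_700_000_000
    try:
        return client_logon(KDC(keys), "alice", password, "cifs/fs1", keys["cifs/fs1"], now, now + skew)
    except ValueError:
        return False
```

Two things the walk-through makes concrete: the password never leaves the client (a wrong password only shows up as a failed `unseal` of message A), and a client clock more than MAX_SKEW seconds off is rejected at the TGS before any service is contacted, which is the failure the notes describe when NTP is not keeping the DC and client in step.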

Drawbacks

Single point of failure: It requires continuous availability of a central server. When the Kerberos server is down, no one can log in. This can be mitigated by using multiple Kerberos servers.

Kerberos requires the clocks of the involved hosts to be synchronized. The tickets have a time availability period and, if the host clock is not synchronized with the clock of the Kerberos server, the authentication will fail. The default configuration requires that clock times are no more than 10 minutes apart. In practice, Network Time Protocol daemons are usually used to keep the host clocks synchronized.

The administration protocol is not standardized, and differs between server implementations. Password changes are described in RFC 3244.

Since the secret keys for all users are stored on the central server, a compromise of that server will compromise all users' secret keys.

Group Policy successful update: event ID 1704.

For GPUpdate events: 1500, 1501, 1502 and 1503.

For SMB errors: event ID 1058, and in Windows 2000 event ID 1000.

Solution:

1. On the domain controller, click Start, click Run, type regedit, and then click OK.

2. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters

3. In the right pane, double-click enablesecuritysignature, type 1 in the Value data box, and then click OK.

4. Double-click requiresecuritysignature, type 1 in the Value data box, and then click OK.

5. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters

6. In the right pane, double-click enablesecuritysignature, type 1 in the Value data box, and then click OK.

7. Double-click requiresecuritysignature, type 0 in the Value data box, and then click OK.

8. After you change these registry values, restart the Server and Workstation services. Do not restart the domain controller, because this action may cause Group Policy to change the registry values back to the earlier values.


9. Open the domain controller’s Sysvol share. To do this, click Start, click Run, type \\Server_Name\Sysvol, and then press ENTER. If the Sysvol share does not open, repeat steps 1 through 8.

10. Repeat steps 1 through 9 on each affected domain controller to make sure that each domain controller can access its own Sysvol share.

11. After you connect to the Sysvol share on each domain controller, open the Domain Controller Security Policy snap-in, and then configure the SMB signing policy settings. To do this, follow these steps:

a. Click Start, point to Programs, point to Administrative Tools, and then click Domain Controller Security Policy.

b. In the left pane, expand Local Policies, and then click Security Options.

c. In the right pane, double-click Microsoft network server: Digitally sign communications (always).

Note In Windows 2000 Server, the equivalent policy setting is Digitally sign server communication (always).

Important If you have client computers on the network that do not support SMB signing, you must not enable the Microsoft network server: Digitally sign communications (always) policy setting. If you enable this setting, you require SMB signing for all client communication, and client computers that do not support SMB signing will not be able to connect to other computers. For example, clients that are running Apple Macintosh OS X or Microsoft Windows 95 do not support SMB signing. If your network includes clients that do not support SMB signing, set this policy to disabled.

d. Click to select the Define this policy setting check box, click Enabled, and then click OK.

e. Double-click Microsoft network server: Digitally sign communications (if client agrees).

Note For Windows 2000 Server, the equivalent policy setting is Digitally sign server communication (when possible).

f. Click to select the Define this policy setting check box, and then click Enabled.


g. Click OK.

h. Double-click Microsoft network client: Digitally sign communications (always).

i. Click to clear the Define this policy setting check box, and then click OK.

j. Double-click Microsoft network client: Digitally sign communications (if server agrees).

k. Click to clear the Define this policy setting check box, and then click OK.

12. Run the Group Policy Update utility (Gpupdate.exe) with the force switch. To do this, follow these steps:

a. Click Start, click Run, type cmd, and then click OK.

b. At the command prompt, type gpupdate /force, and then press ENTER.

For more information about the Group Policy Update utility, click the following article number to view the article in the Microsoft Knowledge Base:

298444 (http://support.microsoft.com/kb/298444/) A description of the Group Policy Update utility

Note The Group Policy Update utility does not exist in Windows 2000 Server. In Windows 2000, the equivalent command is secedit /refreshpolicy machine_policy /enforce.

For more information about using the Secedit command in Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:

227302 (http://support.microsoft.com/kb/227302/) Using SECEDIT to force a Group Policy refresh immediately

13. After you run the Group Policy Update utility, check the application event log to make sure that the Group Policy settings were updated successfully. After a successful Group Policy update, the domain controller logs Event ID 1704. This event appears in the Application Log in Event Viewer. The source of the event is SceCli.

14. Check the registry values that you changed in steps 1 through 7 to make sure that the registry values have not changed.


Note This step makes sure that a conflicting policy setting is not applied at another group or organizational unit (OU) level. For example, if the Microsoft network client: Digitally sign communications (if server agrees) policy is configured as "Not Defined" in Domain Controller Security Policy, but this same policy is configured as disabled in Domain Security Policy, SMB signing will be disabled for the Workstation service.

15. If the registry values have changed after you run the Group Policy Update utility, open the Resultant Set of Policy (RSoP) snap-in in Windows Server 2003. To start the RSoP snap-in, click Start, click Run, type rsop.msc in the Open box, and then click OK.

In the RSoP snap-in, the SMB signing settings are located in the following path:

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options

Note If you are running Windows 2000 Server, install the Group Policy Update utility from the Windows 2000 Resource Kit, and then type the following at the command prompt:

gpresult /scope computer /v

After you run this command, the Applied Group Policy Objects list appears. This list shows all Group Policy objects that are applied to the computer account. Check the SMB signing policy settings for all these Group Policy objects.
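Steps 12 through 15 are a single verify-and-troubleshoot loop: refresh policy, confirm the SceCli 1704 event, re-read the SMB signing registry values, and fall back to RSoP or gpresult when a policy at another scope has overridden them. The following PowerShell script is an added example that automates that loop on a Windows Server 2003 or later domain controller; it is not part of the original Knowledge Base text. It assumes the standard registry locations for SMB signing (LanmanServer and LanmanWorkstation Parameters keys with RequireSecuritySignature and EnableSecuritySignature values) and the expected state step 11 configures: server-side "always" and "if client agrees" both Enabled, client-side settings left Not Defined.

```powershell
# Added verification script (not from the original KB procedure).
# Assumes Windows Server 2003+ where gpupdate, gpresult and Get-WinEvent exist;
# on Windows 2000 substitute secedit /refreshpolicy machine_policy /enforce.

# Expected LanmanServer state after step 11:
#   RequireSecuritySignature = 1  -> "Digitally sign communications (always)"
#   EnableSecuritySignature  = 1  -> "Digitally sign communications (if client agrees)"
$serverKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$workstationKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$expectedServer = @{ RequireSecuritySignature = 1; EnableSecuritySignature = 1 }
$valueNames     = 'RequireSecuritySignature', 'EnableSecuritySignature'

function Get-SmbSigningState {
    # Step 14: read the four registry values the procedure tells you to re-check.
    $state = @{}
    foreach ($key in $serverKey, $workstationKey) {
        foreach ($name in $valueNames) {
            $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            $state["$key\$name"] = if ($item) { $item.$name } else { $null }
        }
    }
    return $state
}

function Test-ServerSigningPolicy {
    # Compare the LanmanServer values against what step 11 configured.
    # A mismatch usually means a Domain Security Policy or OU-level GPO
    # is overriding the Domain Controller Security Policy (step 14 note).
    $state = Get-SmbSigningState
    $ok = $true
    foreach ($name in $expectedServer.Keys) {
        $actual = $state["$serverKey\$name"]
        if ($actual -ne $expectedServer[$name]) {
            Write-Warning "$serverKey\$name is '$actual', expected $($expectedServer[$name])"
            $ok = $false
        }
    }
    return $ok
}

function Get-LastPolicyRefreshEvent {
    # Step 13: SceCli logs Event ID 1704 in the Application log after a
    # successful security policy refresh.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SceCli'; Id = 1704 } `
        -MaxEvents 1 -ErrorAction SilentlyContinue
}

# Step 12: force a Group Policy refresh.
gpupdate /force | Out-Null

# Step 13: confirm the refresh was logged.
$refresh = Get-LastPolicyRefreshEvent
if ($refresh) {
    "Last SceCli 1704 event: $($refresh.TimeCreated)"
} else {
    Write-Warning 'No SceCli 1704 event found in the Application log'
}

# Step 14: verify the registry still reflects the DC policy.
if (Test-ServerSigningPolicy) {
    'LanmanServer SMB signing values match the Domain Controller Security Policy'
} else {
    # Step 15 (command-line form): list every GPO applied to the computer
    # account so the conflicting one can be located, as the gpresult note describes.
    gpresult /scope computer /v
}

# Show all four values, including the Workstation service ones the DC policy leaves Not Defined.
(Get-SmbSigningState).GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
```

Run it in an elevated prompt on each domain controller after step 11. A warning from Test-ServerSigningPolicy immediately after a clean 1704 event is the signature of the conflict the step 14 note describes, and the gpresult output that follows shows which Group Policy object is responsible.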