Windows Networking

IPSec

2010-03-15T06:37:00.000-07:00

What is IPSec
- IPSec is used to secure data sent between two computers
- IPSec not only keeps the data confidential through encyrption, but also ensures the authenticity of the data through mutual authentication.
- IPSec is a standard tht can be used between different platforms.

IPSec Protocols
- IPSec primarily uses two protocols
* Encapsulating Security Paiload (ESP)
* Authentication Header (AH)
- ESP is used for encryption for the payload
- AH is used for authentication of sending (and recieving) computer.

Tunnel Mode vs Transport Mode
Tunnel Mode is used to secure data travelling between two gateways. Typicall this would be used if the gateways were connected via an unsecure network. This mode is very seldom used.

Transport Mode is used to secure data between computers within a network. This is the default mode and is used most often.

Authentication Methods
IPSec supports three authentication methods:
- Kerberos - used in AD environment
- Certificates - used when AD is not available or when stronger security is needed
- Preshared Key - should only be used in test environments.

Configuring IPSec in Server 2008

Open Group Policy management editor
Windows settings > IP Security Policy

The 3 policy is not assigned.
Client (Respond Only) means the clients are not going to initiate IPSec communication, because they typically dont have secure data to worry about.
If there is a server set with IPSec, Clients will communicate via IPSec

Server (Request Security) In this case any computer that has assigned this policy when it communicates with any other machine, it will make a request, hey i would like to communicate securely via ipsec and if other party is capable of communicating, then they will have secure communication. If other party is not capable of communicating via ipsec, then the server says, its ok, then we will communicate unsecurely anyway.

If we have old windows 98 machineswhich doesnt support then we can implement IPSec policy

Secure Server (Require Security). This means the server says, are you going to communicate with me? then its going to be IPSec or else cannot communicate.

The way how to assign policy is, right click and assign, you can have one assigned at a time.

How to Create New Policy
Right Click IPSec, Create New Policy
We create new Policy name Secure DNS Lookup, where anyone who is going to use DNS lookup thought this server they have to use this policy

Activate Default response rule means do you want to create a rule within this policy that is just a default response to any other IPSec requests. In other words for some reason you are trying to communicate with another computer, that has IPSec configured, maybe slightly different than this computer, do you want to ahead with that request by default and communicate securely? or you want to make it, its only done explicitly that you create a rule on this policy. Typically we would set it yes, so that if anyone have configured ipsec it will communicate securely

Authentication Method select Kerberos v5 because we dont have CA and finish the IPSec create policy wizard.

Eventhough we have named the policy as Secure DNS lookup, we havent secured anything yet

We have created the policy, now we need to create a rule, click Add and you get IPSec Rule wizard.

This rule does not specify tunnel
If you want tunelling, enter the ip address the computer on other side, select network type,
Add IP Filter List,

Now click add to add specific filter

if you are worried about specific type of traffic then tick Mirrored Match packets with exact opposite source and destination address, click Next, Select
Source Adress = Any
Destination = DNS Servers
Select Protocol = TCP
Port = 53

Filter Action
Permit = Non IPSec
Request Security = If no IPSec still the traffic will go ahead
Require Security = if no IPSec no traffic

Select Authentication method as Kerberos, Finish

Setting up Routing

2010-03-15T03:35:00.000-07:00

To Add routing, go to Server Roles Click Network Policy and Access Services
in Role Services click Routing and Remote Access Services

To open go to Administrative Tools, Routing and Remote Access
Now right click server name, and Click Configure and Enable Routing and Remote Access
In the Wizard click Custom Configuration

in Select Services tick LAN routing and click finish then start service

now go IPv4, and in general section you will see 2 network interface with 2 ip ranges
now this server is fully confiugred routing enabled. the 2 networks 192.168.11 and 192.168.10 will be able to talk each other.

On-Link means directly connected, dont have to go through another router.

Metric is needed if there are more than one way to get into a single destination, metric will help the router to determine which way to try first, whichever destination have lower value will try first.

route add 192.168.15.0 mask 255.255.255.0 192.168.15.100

now check the routing table, this time instead of On-link it says 192.168.15.100 because im not connected to 192.168.15 network. so its going to send it to another router or another gateway which has ip address of 192.168.15.100 and the system will determine which interface its goin out, in this case its going out with 192.168.10.100 interface and the reason why is because

the 10 network has a default gateway, and the 11 network does not. and what that means is if i get an ip address that i dont know where it is suppose to go, then i will send it to my default gateway.

when adding static route from GUI we have the capablity to manually select which network interface that we want to send the packet out.

when adding static route in GUI the route doesnt show in IP routing table and in route print. This is the reason why it is not user friendly to add the route in GUI.

To delete a route
route delete 192.168.15.0

Inbound and Outbound filters
in IPv4, right click general and go properties

what you can do with this filters is we can control what traffic can come into the router and can go out of this router.

Click Inbound filter, click New
i want to say if anyone coming in from 192.168.15.0 255.255.255.0
or by specific ip address 192.168.15.243/255.255.255.255 (put 255 in all 4 places, that means one computer)

now if 192.168.15.243 try to go through this router, it wont because we have filter to recieve all traffics except 192.168.15.243

now we are saying if 192.168.15.243 came in and was looking for any computer in 192.168.16.0 network then we are not going to allow it.

Static vs Dynamic Routing

Static Routing - All routers have their routing table configured and updated manually

Dynamic Routing - Routers communicate with each other to share their routing information with each other.

Managing DHCP

2010-03-15T00:54:00.000-07:00

Open DHCP console
Right click DHCP server name, and click Add/Remove Bindings and it will open a window showing all the
network connections or networks that this server is connected to. This gives us the opportunity to let the server know which networks we want to provide DHCP services to.
In this following example the dhcp server is set to service to 192.168.10 network

to locate where the dhcp database is stored, right click and go properties

open the database path

dhcp.mdb file is the actualy dhcp database file
and the highlighted are dhcp logs and the rest of the files are supporting files to the database.

open backup and new folder, you would see another dhcp.mdb file which is the back up file.

DHCP server automatically backs itself up once in a hour, it essentially resorts itself it occurs a failure.

Nacks = Negetive Acknowledgement which is where dhcp server refuses requests made by a client
Declines = Client specifically refusing a offer from a dhcp server
Release = a client has requested dhcp server that i want to release this ip addresses, i want to release this lease back to you

Conflict detection attempts, the default 0 means that there is no conflict detection on dhcp server. if you set it to 1, what dhcp server will do is, everytime when its going to handout an ip address first thing its going to do is ping to the ip address to see if it gets a response. if it does get a ip address then it will move to a different ip address to give out to the client. if it did not get response that means that ip address is not in use. disadvantage of this is it will delay the handout of an ip address.

Fundamentals of IPv6

2010-03-14T09:10:00.000-07:00

Disadvantages of IPv4
- Not enough Addresses
- Cluttered the Internet Routing Tables
- Difficult to Configure
- Security was Optional (ipsec is optional)

IPv6 Solutions
- Plenty of Addresses (3.4 x 10 Power 38)
- Simplified the Internet Routing Tables
- Easy and Automated Configuration
- Security is Required (ipsec is required, not optional)

in IPv6 all addresses are 128 bits long
128 bits is too long to look at, so what we are going to do is we will take 128 bit and devide them into 16 bit chunks, then take those 16 bit chunks and convert them into hexadecimal number which gives a ip address which looks like FE80:0000:00000:0000000:05EE:00FF:0238:47B1, and here we end up with 8 hexadecimal numbers seperated by colons

we can further simplify this by supressing the leading zeros
for example in real world, 0049 you would simply say it as 49, this concept is true with hexadecimal numbering as well.
Example : FE80:0000:00000:0000000:05EE:00FF:0238:47B1
and endup with FE80:0:0:0:5EE:FF:238:47B1

Further compress by expressing a single congiguous set of 0 blocks into "::"

FE80:0:0:0:5EE:FF:238:47B1

Here we have 3 zeros, what we can do is we can take that and turn that into double colon :: to represent those zeros and we endup with FE80::5EE:FF:238:47B1 which is our final ip address version 6

this is still difficult to understand, ipv6 is not designed for an average person to understand, ipv6 is designed with simpicity and the only people who needs to understands are network administrators.

In ipv6 there are 3 different types of addresses
* Unicast (one to one)
      - Global Address
      - Link-Local Addresses
      - Unique Local Addresses
* Multicast (one to many)
* Anycast (one to one of many)

Global addresses are address which are set to be available on the internet, these will be recorganize by internet routers.

Link-Local address will always start with FE80
Unique Local Address will always start either FC or FD, if you see address start with FC or FD its a local address and is not valid on the internet.

Implementing SSL for IIS 7

2010-03-14T07:37:00.000-07:00

Secure Socket Layer (SS) allows you to encrypt data sent back and forth from servers to clients.

What this does is encrypt data send back and forth from servers to clients.
SSL uses port 443
Data being sent back and forth between the server and client is encrypted using certificates.
Using SSL does require more processing overhead for encryption and decryption, and may reduce the apprearance of the speed of the server.

To implement SSL, first we need a SSL Certificate
You can
- Buy one from third party
- Use a self-signed certificate from server
- User a certificate generated from server 2008 / server 2003 certificate authority
- Use the sharepoint certificate that was generated during sharepoint configuration.

Then we need to install the certificate
After that we need to set a binding for the sharepoint site so that it can use HTTPS and port 443
Then instruct the users to access the sharepoint -80 site using https:// instead of http://

To create SSL certificate, go to IIS Manager / Server Certificates

To enable SSL on SharePoint and select Edit Binding
Click Add https, Port 443, and select SSL from the drop down box

Create Internal URLs
Go to Central Administration / Opertions / Alternate Access Mappings / Add Internal URLs
in Alternate Access Mapping Collection Select SharePoint - 80
URL, put https://web1-globo/
Zone select Intranet

Install IIS 7 FTP SMTP

2010-03-14T05:14:00.000-07:00

Controlling Access to a Web Site with IIS 7 manager and FTP Tools

Scenario
Globomantics hired a developer to customize sharepoint. We have already created sharepoint site, now we need to allow management access to that site to the developer.

So what do we need to do?

1. You'll enable remote Management in IIS 7 and IIS Manager Credentials
2. You'll create an IIS Manager User account for our developer
3. You'll then provide specific access for the sharepoint site to your developer's account
4. Last, we'll provide FTP access for our developer for easy access to the file folders for the site.

To create user account, goto IIS Manager
Enable Remote connections
User Windows credentials or IIS Manager credentials, click apply

Now you will notice management service is stopped, click start to start management service

Go back to IIS Manager

double click IIS Manager Users, add user

Now go to Sites / Sharepoint - 80
go to IIS Manager Permissions, we are going to allow persmission for our developer to access only this particular website
click allow users, select IIS Manager and select user

so far what we have done is,
we have enabled remote management
we have created IIS user account for developer
and also we have given access to developer only for sharepoint site.

If you want to allow developer to Sharepoint central administration page,
go IIS Manager permissions and add user

Now we need to add IIS Manager client to vista and connect to sharepoint server

Before we install IIS Manager client, go control panel from vista client
program and features, Turn on windows features, and turn on IIS Management Console

now go to iis.net/downloads
and dowlnoad IIS 7.0 Manager for Remote Administration
Now in programs open IIS Manager in client machine

We have enable the developer to connect only to sharepoint site. there for click connect to a site

Go next and put sharepoint developer username and password
Click Install Certificate and then connect

Setup FTP
FTP is a role service, optional part of IIS

You'll need to neable FTP for IIS, but you'll also need to restrict FTP access only for your
web developer as well. we will need to allow where he can put stuff, so that he cannot put files whereever he wants.

FTP Management Console provides infrastructure to manage an FTP site. IIS 7 uses IIS 6 managment console for FTP server management.

No go to Administrative Tools, IIS 6.0 Manager
Go to Default FTP Site and start
Right click Default FTP Site / Properties
First change the name to SharePointFTP

Go to Security Accounts Tab
Turn Off anonymous connections. this means a user needs to have a very specific access to acces this FTP server

Go to Home Directory Tab, we can allow which folders that developer can access to.

Browse folder, and you will see wss is the folder created when installing sharepoint
folder 80 is default sharepoint site, and 14453 is administration site.
we will give developer to access wss folder
we will need to give read access as well as write access

Go to Directory Security Tab
We can give access based upon IP address

Except 192.168.5.128 all computers are denied access to ftp site.

Now we need give permissions to web developer to sharepoint site
right click SharePointFTP / permissions and add web developer

Now we need to test FTP

In client PC use command line ftp

We can login using web developer user account, but we cannot login annonymously

We can use secure FTP by installing FTP for IIS 7
To do that we need to uninstall old FTP
Download and install Microsoft FTP Publishing Service for IIS 7

Configure SMTP
Developer requests SMTP be installed and configured on sharepoint on the webserver for email alerts delivdered to users.
SMTP server is a feature that needs to be installed on the web server then also configured seperately on sharepoint site.

To install SMTP go to
Server Manager / Features / Add Features / Tick SMTP Server and Add Required Features
Click Next and Install

Open IIS Manager 6, ane expand you will see SMTP Virtual Server

Now check with IIS that SMTP is available

Now check SMTP settings in sharepoint

Install IIS 7 and SharePoint

2010-03-13T06:58:00.000-08:00

In this tutorial we will look at two different flavours of website capabilities in windows server 2008
application server vs web server and which one you should select.

Here our goal for globomantic project we need to install share point service

We need to setup web server setup to pre for our sharepoint services. There's two web-type server roles available, Web Server and Application Server. Which one should we choose?

For sharepoint and other high level web apps/distributed apps:
The Application Server Role is requied for SharePoint Services Installation.

The Web Server Role is good if you have is a basic web site or maybe an ASP or PHP content managment system that requires a database on the back end.

This Application Server more for heavy duty internal use

Think Web Server for External Sites.

Go to server WEB1, and add Application Server Role
In Role services select Web Server IIS, go next
In Web Server Role, keep as it is and go next and then press install

Go to Web Server (IIS) and start Web Management Service & ASP.NET State Service

Now we have successfully installed web server and the application server.

Go to IIS Manager, and Sites, and Default Website
If you want to add files to the website, go Actions Expore and copy files to wwwroot folder

Now our server is ready to install sharepoint server

Once we got sharepoint services installed, we will create new sharepoint site for Globomantics
Operations Staff

Download sharepoint from microsoft site and install with basic installation to WEB1 server

Once you finish the setup, go to http://web1-globo/
to access sharepoint site

Now lets create a site for globomantics
go site actions and create / Web Pages / Sites and Workspaces put site name and then create

Now you can go to sharepoint site http://web1-globo/
Site Actions / Site Settings to get into administration interface
Go to people and groups and you can add users who can have access to sharepoint

TS Network Load Balancing

2010-03-13T02:50:00.000-08:00

Scenario
Tom is concerned that Terminal Service machine might fail in the most critical of times. He is admant that you do whatever you need to so that he and the other staffs have access to the office-based report writing software as close to 100% of the time. Here is our options:

1. Network Load Balancing--Distributes work load to different machines to alleviate stress on the machines and provide scalability. Based for web-based stuff.

2. Failover Clustering-Multiple machines acting like one machine for high availability in case one machine fails. Best for Fault Tolerance (in case one machine blows up) and for database servers.

3. Terminal Service Load Balancing - Requires at least two machines with TS configuration. Load balancing just redirects TS requests to the servers that's less busy.

In the above image, all 3 servers have TS running on them, and as request come in from client whichever server is least busy gets that particular request.

Round Robin DNS basically circulates the requests to different servers.

In clustering all three machines act like one machine. If one machine goes down, the others keep going to provide services.

If one machine goes down, not that of a big deal because we have 2 other machines operating as fail over clusters. The other 2 machines pick up the slack and it takes off where the other machine left off.

Since we already have a TS machine built, we'll use our Deployment Service Machine to capture an image of it and then deploy it on another virtual machine.

1. First we need to create a Capture Image so we can grap whats on TS1
2. Then we need to run the utility called sysprep on TS1 so we can use the OS and all its fun features we've installed as a clean image.
3. Then we capture the image by rebooting the machine and using the Capture image we created to boot up with .
4. After the capture is complete we can deploy using deployment service as normal. We are going to make a duplicate machine of TS1 using deployment service.
After we have a duplicate machine then we will use Terminal Service Load Balancing through TS session broker to create a highly available solution.

First create Capture image, so we can grab the stuff from TS1 and save it as image and create a dublicate machine.

Create Capture Image
Go to WDS server, go to Boot Images to create capture image

Our capture image needs to match architecture of the OS that we are going to capture.
If your network card is not PXE enabled, then use create discover boot image
Once you create boot image for 32bit, you can use it forever

Once boot image is created, rightclick and select Add Boot Image.

Now the image is ready to boot up a machine using network boot sequence
We need to boot TS1 server using new image

Sysprep
now go to TS1 server, open sysprep
select OOBE
Tick Generalize
select Reboot

Capture image of TS1
now it will take sometime to strip out the name of the machine, UID. but it will keep all the softwares u installed, keep joined to the domain.

Now when server roots, it will prompt to press F12 from keyboard for network boot.
Press F12

Now you should see 3 network boot images, select the new boot image name grabIT

Now select which drive to capture, type image name,

Go Next

Select a where to save the new image
You can browse TS1 C drive, TS1 will capture a image of TS1 and save it on its C drive itself.
Tick upload images to WDS Server
Enter WDS Server name, and connect
then select image group name
Now press Finish, and it will take sometime to finish creating image.

Now go to WDS Server, go to the image group and see if the new image is there.
If its not there, right click and add the image.

Now we can use the new image to deply another server.

When you reboot TS1 it will boot with setup windows, this is not what we want, we want the server to boot up with previous settings.

To do that go to Hyper-V Manager, Screenshots, select After video, right click and apply

What it is going to do is, revert back to original state before we took snapshot
Hit Apply

Now setup new server, and boot from network

Select boot image x64

select the appropriate image.
now proceed with normal windows setup

now check the new machine if all softwares and settings are same as TS1

Setup TS Session Broker
Now we need to setup TS Session Broker, in order to manage the load balancing so that when one machine is busy the other machine will pick up.

one thing to remind is the TS Session broker must be a memeber of the domain.

To add TS Session Broker, go to Terminal Service and add role

Check list for TS Session Broker

add TS1 and TS2 to to Session Directory Computers Local Group
To do that go to computer management, local users and groups, double click session directory computers and select object type as Computers, and add TS1 and TS2

Now we need to Configure Terminal Server to join a firm in TS Session Broker.

Go to Server Manager, Terminal Service, Terminal Serivice Configuration
and you would see down below Member of firm TS Session broker = No

Member of firm in TS Session Broker, doesnt look like a link, double click it
Go to TS Session Broker Tab,

Enter TS Session Broker Server name
Enter Firm Name
Tick Participate Session Broker Load Balancing
Tick Use IP address redirection
Select IP to be used for reconnection, this would help to reconnect disconnected sessions.

Now do the samething to TS2

in TS2, TS Session Broker Server Name, we need to put TS1, and use same firm name.

Now we need to configure DNS for TS Session Broker Load Balancing

To do that go to DNS and create AAA records, we need to mention TS server firm name, NOT the server name. instead of TS1 or TS2 we need to mention firm name.

The farm name is the virtual name that clients will use to connect to the terminal server farm.
now we have same record point to 2 ip address.

Note : By default DNS Round Robin is enabled when using DNS on windows 2008 based domain controller. The enable round robin tab is available in advance tab of DNS server properties.

now to test this from a client PC go to
http:\\globotsfarm.globomantics.com\TS

Installing Remote Apps

2010-03-11T07:17:00.000-08:00

After installing MS Office to TS Server

Go to Terminal Service, TS RemoteApp Manager

Click Add RemoteApp Programs

Select the applications that you want to be available

Click Properties, Tick the program available through TS Web Access

Now you need to add users to TS Web Access Computer Group

Now go to IIS Manager

Click TS then click Browse

When you install TS and when you include Web Access in there, it creates a website on localhost for remote access.

Distributing Applications to users using Group Policy

go to TS TS RemoteApp Manager and select the application
and then create a RDP file or create a windows installer package

TS Gateway

TS Gateway Manager

add which computers can connect to TS Gateway

TS Gateway settings

Go settings and enter TS gateway server name to connect

Terminal Service

2010-03-11T06:14:00.000-08:00

What makes up Terminal Services?

1. The Terminal Services Server Role - The foundation of using TS

2. TS Remote App - A Role services installed with the terminal services server role, it allows you to make applications available on the server available for use by client machines via a short cut through TS Web Access.

3. TS Licensing - TS requires more licenses, and the TS licensing Role Service allow you to more easily manage TS licenses.

4. TS Session Broker - Install this role services only when you want to have multiple TS servers operating in a "farm" for highly available applications. TS session broker allows clients to reconnect to disconnected sessions.

5. TS Web Access - This role service allows users to access TS Remote Apps through a web page.

6. TS Gateway - A role service to provide terminal services to users outside of your network.

Configuring TS

1. Install TS services on your requirement.
2. Select Authentication Method
3. Select Licensing Mode
4. Select Users Group
5. Choose a Server Authentication Certificate for SSL Encryption
6. Create Authorization Policies for TS Gateway
7. Select User Groups that can connect through TS Gateway
8. Create a TS CAP for TS Gateway
9. Create TS RAP for TS Gateway

Building RODC

2010-03-11T00:27:00.000-08:00

Building a Read-Only Domain Controller

- An RODC allows users that the administrator allows to log into a particular location.
- The RODC downloads only the User account information that it needs - it does not upload anything to the writeable (or Full) domain controllers.
- You dont need to have a Global Catalog on the RODC - you can use Universal Group Caching to cut down on replication traffic.
- Better yet, you can use the Server Core Installation to provide 2 important advantages.

1. You dont need a high end computer
2. You can administrate teh server core function using MMC's
RODC is good for remote locations which they dont have much physical security in this example, remote location name is "Dallas" in NY-DC1 create OU for Dallas, and inside Dallas OU, create DallasUsers and DallasComputers

Now go to AD Sites and Services
Right click Sites, and Create Newsite name Dallas
Note: To create Sites you need Enterprise Administrator rights.

Now we have our site created, now we need to add in our Read Only Domain Controller
We do need to wait for our domain controllers to talk each other, for replication etc.

In this tutorial first i setup a server core installation and make it as a RODC

Step 1. Setup server core installation
After finishing server core instllation, join to NY-DC1 and login using NY-DC1 administrator priviledge
download and install CoreConfigurator2.msi

After installing run the core configurator script, CoreConfigurator.exe
Using CoreConfiguration, setup IP address and join to NY-DC1

Now run DCPROMO
Select Add a domain controller to an existing domain

Type Domain DNS Name NY-DC1
Tick Install and Configure DNS
Untick Configure Global Catalog
Tick Make the server as RODC

Select AD Site, Dallas
Save answer file

Run the DCPROMO

Now go to NY-DC1 and connect to Dallas RODC using MMC to manage remotely in DC1, open mmc

add Snap-ins
add DNS, AD users and computers, Sites and Services,
Add Computer Management, in Another Computer type name of RODC

Now in MMC, go to Active Directory Users and Computers, expand it
right click name of domain controller, and click Change Domain Controller and Select RODC, Click OK

Now you will get a message, The selected Domain Contorller is Read only....etc

Now you can save the mmc as RODC to desktop

Now go to NY-DC1, AD Domain Services / Domain Controllers
Right click RODC/Properties/Password Replication Policy

Now you will see NY-DC1/Users which means any user in NY-DC1 can get in to RODC

Remove it, if you really want to decide who can login and who cannot login to RODC

Now we need to add user, click Add
Select Allow passwords for the account to replicate to this RODC
Make sure you APPLY, after adding users

In NY-DC1, go to Dallas OU, Go to DallasUsers and right click a user
(Before that make sure go view and advance features is on) right click user, and go password replication, and you can see which users can login to this domain controller

Any other user cannot login unless they have global catalog or universal group caching, if that is present, users can use user principle name (email style login)

if that is not present, only the users that is added to the list in RODC/Password Replication Policy will be able to login

Now go to Advanced button, click Prepopulate Passwords, Enter user name so what here we are doin is prepopulating passwords for user

NY-DC1 will be sending password for the use to RODC

Fine Grained Password Policy

2010-03-07T05:23:00.000-08:00

A Feature in server 2008 that allows an override of the Domain Password Policy Requirement

Password Setting Objects (PSO)

Normally you have only one password policy settings in your entire domain, but by creating PSO you can specify multiple password policies for individual users or for groups that users are part of.
Your domain functional level must be at server 2008 level (all your domain controllers must be server 2008)
We'll need to go into ADSI edit to create password policy objects, and link them to the user account or group they'll apply to.

STEPS

1. Open ADSI edit, go to system and you will find password settings container, double click and open it.

2. Create new PSO, right click, new, object

3. Select a class msDS-PasswordSettings

4. Common-Name Value : ExecutivesPasswordPolicy

5. Password Settings Precedence password settings precedence basically determines if the user is part of
different groups that have multiple PSO applied to them. example user1 is in 2 groups, and each of these 2 groups has different password settings applied so the highest value, the value in the Password Settings Precedenec will win.
example Value 1

6. Password Reversible encryption status for user accounts, Value FALSE

7. Password History Length for user accounts, Value 5

8. Password complexity status for user accounts, Value FALSE

9. Minimum Password Length for user accounts, Value 4

10. Minimum Password Age for user accounts, Value 1:00:00:00
days:hrs:min:sec

11. Maximum password age for user accounts, Value 90:00:00:00

12. Lockout threshold for lockout of user accounts, Value 20

13. Observation Window for lockout of user accounts, Value 0:00:20:00
This means, if user1 try all 20 attempts in 20 minutes then he will get locked out

14. Lockout duration for locked out user accounts, Value 0:01:00:05
Value is 1hr 5 sec

15. Link this PSO to appropriate group, to do this click More Attributes

16. In Select property to view, select msDS-PSOAppliesTo

17. In Edit Attribute type distinguishName for the object that we are linking to, click add
You can add additional users, or groups if you want to. This is the only people that we want this particular PSO to be applied to.
Click Finished

Note: Syntax DN stands for Distinguish name

HOW TO FIND DISTINGUISH NAME

Open server manager
Go to Roles Section
Expand Active Directory Domain Services
Expand your domain
Expand OU
Go to view manu, and turn on advanced features
now right click users group and go properties
Click Attribute Editor in Attribute Editor search fo

Note: PSO can be applied to users and groups, NOT OU'sr distinguishedName

Group Policy Loopback Processing

2010-03-06T19:22:00.000-08:00

loopback processing works at computer level

if computerlockdown policy has loopback processing, it takes one of 2 things

it take either all of my settings will add to desktoplockdown settings, or all of my settings will replace desktoplockdown

so whoever has loopback processing wins

group policy that has loopback processing is generally computer side group policy

group policy works at the computer level of the group policy object side

Example

For example user1 has desktoplockdown policy
user1 log into PC1, desktoplockdown policy will apply to him
if PC1 is in a OU that has computerlockdown policy applied or linked to it
When user1 login to PC1, there is 2 things that can happen
PC1 has loopback processing, if loopback processing says replace, then desktoplock down has no say what user1 can or cant do
at that point user1 is subjected to computerlockdown policy

Windows Deployment Services WDS

2010-03-04T05:06:00.000-08:00

An image can take on a hard drive, stored on a server and then deploy via broadcast to several
machines all at once.

Steps
1. Join the machine to the domain
2. Install the WDS role
3. Add images from windows 2008 install disk (and vista, if you are deploying clients)
      - You'll need to add these two images from the source folder
           * The boot.wim
           * The install.wim
       - Also, if you are planning on deploying 32-bit and 64-bit editions, you'll need to grab the WIM files
from both the 32-bit and 64-bit disks

Note: To install windows operating system from a windows deployment services server, either the client computer must be PXE-enabled, or you must use the windows server 2008 version of windows preinstllation environment (windows PE)

PXE means the pc should be able to boot from its network card

WDS Role Services
1. Deployment Server, which provides full functionality of windows deployment service, with this one we can create and customize images
2. Transport server is used if you want to transmit data using multicasting

To configure WDS, click Action and use Configuration wizard

Install images folder contains available operating systems that you want to install
Boot image only allows the machine to bootup to install the server

NOTE: There is a boot image available in vista disc, DO NOT USE IT. Do not use vista install.vim file.
Because when you use vista isntall.vim file you can deploy only one machine at a time.

We can install vista using server 2008 install.vim file. For example if you want to install 10 vista clients at the
same time, you cannot do from vista install.vim, but from server 2008 install.vim you can do.

Now i need to install server 2008 into 3 machines at the sametime
Create 3 virtual machines, and select deploy using network based server

Now go Server Manager, Windows Deployment, Multicasting
Rightclick, Create Muticast Transmission
Select which operating system to install

now reboot the clients i am going to install server 2008

Unattended installation
right click image group and select unattended installation file

Hyper-V

2010-03-03T23:22:00.000-08:00

Hyper-V A server role in windows server 2008 enterprise edition that allows you to run multiple operating systems in virtual machines in a single machine.

Virtual Machine - A software based instance of an operating system that uses shared physical hardware

VHD - Virtual Hard Disk - A file that lives in physical HDD that acts like physical HDD on a virtual machine.

gpresult

2010-02-23T05:12:00.001-08:00

gpresult is a command line utility for active directory that will display the effects of group policy on a local or remote machine. You can use it to create reports on GPOs affecting users and computers. It’s available for Server 2000, 2003, 2008, Microsoft, windows xp, vista, and 7. (Requires opening ports on firewall.) The group policy results reports will save as either HTML or XML documents showing the applied GPOs and which GPOs affect which settings in group policy. It’s a toll that can be used in a workgroup or domain (active directory)

commands used…
gpresult /R

gpresult /H Test.html

gpresult /S DESKTOP101 /USER my\gandrews /H Test.html