Windows Management and Scripting

A wealth of tutorials: Windows Operating Systems, SQL Server and Azure

Archive for the ‘Windows 2003’ Category

How to use DFSR to configure Active Directory replication groups

Posted by Alin D on June 3, 2011

While most admins would agree that Windows Server 2003 R2’s new replication engine, Distributed File System Replication, is light years ahead of FRS (File Replication Service), it seems very few really understand how to deploy it properly. Perhaps years of fighting FRS and keeping a fresh supply of Burflags in their hip pockets has given them tunnel vision. Fortunately, learning to configure a healthy DFS environment using DFSR is something any Active Directory administrator can do.

DFSR, in addition to the domain namespace management functionality that has been around since Windows 2000 Server, allows configuration of replication groups to simply replicate data without defining a namespace. We can configure replication groups to replicate data from a file server in a remote site to a server in the hub site. That server is easily attached to a storage area network or other storage configuration for large data storage for the enterprise. Administrators can then back up the data at the hub site without worrying about the remote sites.

A typical replication group would have two servers — the hub server and a server in a remote site (or perhaps multiple servers in the remote site). The hub would have a share for each remote site, and the share would be on a storage device. Admins typically refer to the server at the remote site as the source (where data is created and changed) and the server at the hub site as the target (where data is received and backed up).

Configuring replication groups (RGs)

While Distributed File System Replication has similar components to FRS, they work a little differently. Figure 1 shows a typical configuration: three remote sites, with each site having one file server. Each file server has a single shared folder that is replicated to a share on the server at the hub site. Thus, on the hub site there will be three shares – one for each remote shared folder.

When creating a replication group (RG) there are two options: multipurpose replication and data collection. For backing up remote sites to the hub, we will use data collection. In the configuration, you will select the source server (at the remote site or branch office) and the hub server and identify the folders on each to replicate. You will then configure bandwidth throttling and a replication schedule. Be careful here, as improper configuration at this point is a leading cause of failure. Make sure you carefully analyze the available bandwidth on your network and the amount of data you have to replicate. If you choose a bandwidth that’s too small and schedule it too infrequently, you will have a major backlog of data.

Initial replication

After configuring the replication group, the information will be replicated to all domain controllers. The time it takes depends on your Active Directory infrastructure and network. Initially, the source server you selected in the RG configuration will be designated with a “primary” flag. This is somewhat like the old Burflags D4 or D2 setting in FRS; but, once again, it doesn’t work the same way. In DFSR, this primary designation will last until initial replication has completed before it is removed and never used again.

I have seen several cases where administrators think they can force replication from the source server to the target like they did with the FRS Burflags method (by forcing the source server to have the isPrimary designation). Using the DFSRAdmin command, you can tell which servers still have the isPrimary designation and have not initially replicated. The replication group name in this example is “DFS2”:

C:\>dfsradmin membership list /rgname:dfs2 /attr:memname,rfname,isprimary
MemName    RfName    IsPrimary
CORP-DC2   DFS2      No
SRV2       DFS2      No

Note: It is sometimes necessary to use the DFSRAdmin utility to reset the isPrimary value to true if initial replication does not work. Once initial replication has occurred, setting isPrimary will have no effect.
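The listing above is easy to read by eye for two members, but a hub with many replication groups benefits from a script. The following PowerShell is an added example and not part of the original post: it parses the whitespace-separated output of dfsradmin membership list and reports any member that still carries IsPrimary (that is, has not finished initial replication). The function and parameter names are my own, the embedded sample is constructed from the DFS2 listing shown in the post, and PowerShell 3.0 or later is assumed.

```powershell
# Added example, not part of the original post: parse the output of
#   dfsradmin membership list /rgname:<group> /attr:memname,rfname,isprimary
# and report which members still carry the IsPrimary flag (initial replication
# not yet finished). Function and parameter names are my own; the built-in
# sample is constructed from the listing shown in the post. PowerShell 3.0+.

function ConvertFrom-DfsrMembershipList {
    param([string[]]$Lines)
    # The listing is one header line followed by whitespace-separated columns.
    $header = $null
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $fields = $line.Trim() -split '\s+'
        if (-not $header) { $header = $fields; continue }   # first row holds the column names
        if ($fields.Count -ne $header.Count) { continue }   # skip status lines with a different shape
        $row = [ordered]@{}
        for ($i = 0; $i -lt $header.Count; $i++) { $row[$header[$i]] = $fields[$i] }
        [pscustomobject]$row
    }
}

function Get-DfsrMembershipStatus {
    param(
        [Parameter(Mandatory = $true)][string]$ReplicationGroup,
        [switch]$Live   # query dfsradmin.exe instead of using the constructed sample
    )
    if ($Live) {
        $raw = & dfsradmin membership list "/rgname:$ReplicationGroup" /attr:memname,rfname,isprimary
    } else {
        # Constructed sample: the "DFS2" listing from the post, after initial replication
        $raw = @(
            'MemName    RfName    IsPrimary',
            'CORP-DC2   DFS2      No',
            'SRV2       DFS2      No'
        )
    }
    # Only rows whose IsPrimary column is literally Yes/No are membership rows;
    # this also drops any trailing status text the tool prints.
    ConvertFrom-DfsrMembershipList -Lines $raw |
        Where-Object { $_.IsPrimary -match '^(Yes|No)$' }
}

$members = @(Get-DfsrMembershipStatus -ReplicationGroup 'DFS2')
$primary = @($members | Where-Object { $_.IsPrimary -eq 'Yes' })
if ($primary.Count -eq 0) {
    Write-Host 'No member of DFS2 still carries IsPrimary: initial replication has completed.'
} else {
    Write-Host 'Members still flagged IsPrimary (initial replication not finished):'
    $primary | Format-Table MemName, RfName, IsPrimary -AutoSize
}
```

Run it with -Live on a server that has the DFS Replication tools installed to query the real replication group; without the switch it evaluates the constructed sample, which reports that no member is still primary.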

The flow

This is where things get interesting. On the hub (target) server, under the replicated folder, will be a hidden folder called “dfsrprivate,” with five subdirectories as shown in Figure 2. The contents of these subdirectories are:

  • Conflict and Deleted — Holds files that have changed on the target server for comparison to files on the source server to see whether to replicate changes.
  • Deleted
  • Installing
  • PreExisting — During initial replication, if the target server has files that the source server does not have, they are placed in this directory. If the file on the target server is different from that of the source, the file is placed into the Conflict and Deleted folder and DFSR replicates only the changed blocks of the file.
  • Staging — This is used for outgoing data (similar to FRS). It is incorrect to say that the data in this directory is files. They are actually changes (RDC signatures, RDC hashes, USN Journal data, etc.) as well as file data. There could be many of these entries for a single file, as there is not necessarily a 1:1 relationship between entries in the staging directory and the physical files.
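Because the hidden DfsrPrivate tree is where administrators tend to misread staging entries as a backlog, it helps to inventory it before touching anything. The following PowerShell is an added example, not code from the original post: it reports the file count and size of each DfsrPrivate subfolder beneath a replicated folder. The on-disk folder names it uses (ConflictAndDeleted, Deleted, Installing, PreExisting, Staging) are the real ones; the function names are mine, and with -Demo it builds a constructed directory tree under %TEMP% instead of reading a real share. PowerShell 3.0 or later is assumed.

```powershell
# Added example, not part of the original post: inventory the hidden
# DfsrPrivate folder under a replicated folder so that staging data can be
# judged before anyone tries to "fix" it. Function names are my own.

function Get-DfsrPrivateReport {
    param([Parameter(Mandatory = $true)][string]$ReplicatedFolder)

    $private = Join-Path $ReplicatedFolder 'DfsrPrivate'
    if (-not (Test-Path -LiteralPath $private)) {
        throw "No DfsrPrivate folder under $ReplicatedFolder (is it a DFSR replicated folder?)"
    }
    # -Force is required: DfsrPrivate and its children are hidden/system folders.
    foreach ($sub in Get-ChildItem -LiteralPath $private -Directory -Force) {
        $files = @(Get-ChildItem -LiteralPath $sub.FullName -Recurse -File -Force -ErrorAction SilentlyContinue)
        $bytes = 0
        foreach ($f in $files) { $bytes += $f.Length }
        New-Object psobject -Property @{
            Subfolder = $sub.Name
            Files     = $files.Count
            MB        = [math]::Round($bytes / 1MB, 2)
        }
    }
}

function New-DfsrPrivateDemo {
    # Constructed layout for a stand-alone run; folder names match DFSR's on-disk names.
    $root    = Join-Path $env:TEMP ('dfsr-demo-' + [guid]::NewGuid())
    $private = Join-Path $root 'DfsrPrivate'
    foreach ($name in 'ConflictAndDeleted', 'Deleted', 'Installing', 'PreExisting', 'Staging') {
        New-Item -ItemType Directory -Path (Join-Path $private $name) -Force | Out-Null
    }
    # Real DFSR marks DfsrPrivate hidden+system; mimic that so -Force actually matters.
    (Get-Item -LiteralPath $private).Attributes = 'Hidden,System,Directory'
    # A handful of constructed staging entries and one pre-existing file (sizes arbitrary).
    1..5 | ForEach-Object {
        Set-Content -LiteralPath (Join-Path $private "Staging\entry$($_).bin") -Value ('x' * (1024 * $_))
    }
    Set-Content -LiteralPath (Join-Path $private 'PreExisting\old-report.doc') -Value 'constructed'
    return $root
}

$demoRoot = New-DfsrPrivateDemo
Get-DfsrPrivateReport -ReplicatedFolder $demoRoot | Format-Table Subfolder, Files, MB -AutoSize
Remove-Item -LiteralPath $demoRoot -Recurse -Force
```

On a real hub, call Get-DfsrPrivateReport with the replicated folder's path (for example the share backing one remote site) and read the Staging row as what it is: outgoing change entries that normally drain on their own, not a list of files waiting to be repaired.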

Remember that this is still a multi-master replication engine with bidirectional replication. Even though it is set up with a “source” and “target,” this is only in the mind of the administrator. Data can replicate from the target server (hub site) to the source server (remote site) just as easily. When a file is changed (on either node of the replication group), it will trigger replication to the other replication node.

Note: Yes, you can change the properties on a replication group to be unidirectional, but it is not recommended and quite dangerous. That action will prevent the normal file comparison between the two servers in the RG and will break replication. Don’t do it!

It is not uncommon to have large amounts of data in the staging directory, but it should move pretty quickly. For example, I’ve heard of cases where upwards of 250,000 files were in the staging directory. Remember that it’s not necessarily a problem that there are files there, as I’ve also seen cases where admins see all these files in the staging directory, assume they are backlogs, start trying to fix it and end up making matters a whole lot worse.

For additional information on Distributed File System Replication, check out Microsoft’s DFS Step-by-Step Guide.


Posted in Windows 2003

Event Tracing for Windows

Posted by Alin D on January 28, 2011

While most Windows developers know of Event Tracing for Windows (ETW) as a logging and tracing mechanism, many administrators have never heard of it. Simply put, ETW includes event logging and tracing capabilities provided by the operating system. Implemented in the kernel, it traces events in user mode applications, the operating system kernel and kernel-mode device drivers.

Event Tracing for Windows is used by a number of core OS components and some third-party applications to provide event logging and tracing. Although it required access to a checked build of Windows to gather ETW information when first released with Windows 2000, more recent versions provide built-in tools with normal (free) Windows builds.

Getting started with Event Tracing for Windows

When diagnosing and troubleshooting Windows Server issues, it seems there is never too much data. The admin is always looking for additional details on what is going on with various components to pinpoint the problem. As such, there are a number of tools like Process Monitor, Process Explorer, Performance Monitor (Perfmon) and Performance Analysis for Logs (PAL) that dig considerably deeper than the event log, but there are times when we need to dig even further down than that.

ETW allows additional instrumentation for gathering data that would not otherwise be available and has a number of advantages. For example:

  • It uses per-processor kernel buffers from a non-paged pool that are not impacted by application crashes or hangs.
  • It uses very low CPU overhead.
  • It’s available for x86, x64 and IA64 architectures.
  • It can enable and disable tracing without rebooting or restarting applications.

Event Tracing for Windows may seem like a great tool, but using it is another issue since there is no GUI or user guide. It also requires a few preliminary steps just to produce output that can be used for analysis.

In order to provide useful output you need a consumer. The consumer built in to Windows Server is Tracerpt.exe. As you can imagine, there are a number of flags for Tracerpt to provide specific output formats, so it’s important to become familiar with the Tracerpt and Logman utilities that are native in Windows Server 2003 and up, as well as Windows 7 and Vista.

It’s also important to understand the architecture for ETW. As you can see in Figure 1, the controllers are used to start and stop a tracing session. The tool used to do this in Windows Server 2003 and 2008 is Logman.exe.

Figure 1. The ETW architecture (image credit: Microsoft Corp.)

Windows Server 2003 also contains a handful of event providers that return specific events, including the following Active Directory-related providers:

  • Active Directory: Core
  • Active Directory: Kerberos
  • Active Directory: SAM
  • Active Directory: NetLogon

For instance, specifying Active Directory: Kerberos as a provider will only return Kerberos-specific events.

Event providers differ between Windows versions, however. For example, Windows Server 2003 has 22 providers, while Windows 2008 has 387. This gives more power to the trace and offers more granularity. Yet when it comes to LDAP traffic, the Active Directory: Core provider appears to give the same detail for either Windows version.

You can also combine event providers into a single trace. Since Kerberos authentication was involved in the case study below, I used the Active Directory: Kerberos and the Active Directory: Core providers together and applied the Logman option -pf, as shown in the following example:

logman create trace CoreKerb -pf c:\etw\input.txt -o c:\etw\coreKerb

The –pf option reads an input text file (input.txt in this case). The format of the input file is shown in Figure 2.

Figure 2. Input text file format

Putting Event Tracing for Windows to work

The best way to explain ETW is with a case study. Recently, I was contacted by an engineer who needed information about how Active Directory was responding to an LDAP request for a Unix client authenticating against an AD domain controller. He used a Unix command to see the bind request/response on the Unix side and wanted to see similar output on the Windows side. The output looked something like this:

[23/Sep/2010:15:04:44 +0200] conn=31 fd=65 slot=65 connection from 10.50.20.173 to 10.50.12.119

[23/Sep/2010:15:04:44 +0200] conn=31 op=0 BIND dn="uid=dorsa,ou=people,o=Corp.net" method=128 version=3

[23/Sep/2010:15:04:44 +0200] conn=31 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=dorsa,ou=people,o=corp.net"

[23/Sep/2010:15:04:44 +0200] conn=31 op=1 SRCH base="ou=people,o=hp.com" scope=2 filter="(|(uid=dorsa)(cn=mdilln.dodgcty))" attrs=ALL

[23/Sep/2010:15:04:44 +0200] conn=31 op=1 RESULT err=0 tag=101 nentries=2 etime=0

[23/Sep/2010:15:04:44 +0200] conn=31 op=2 UNBIND

[23/Sep/2010:15:04:44 +0200] conn=31 op=2 fd=65 closed – U1

[23/Sep/2010:15:04:44 +0200] conn=29 op=-1 fd=64 closed error 11 (Resource temporarily unavailable) -
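The Unix-side access log above is terse but regular: every line carries a connection number, and the BIND, SRCH, RESULT and close records for one connection can be stitched into a session. The following PowerShell is an added example, not part of the original post: it parses lines in that format into per-connection summaries (client address, bind DN, the operations run and any non-zero result or close error). The function name is mine and the sample input is the post's own lines, embedded here as constructed input so the script runs stand-alone.

```powershell
# Added example, not part of the original post: turn a directory-server access
# log in the format quoted above into one summary object per connection.
# Function name is my own; the sample lines are the post's, embedded as input.

$sampleLog = @'
[23/Sep/2010:15:04:44 +0200] conn=31 fd=65 slot=65 connection from 10.50.20.173 to 10.50.12.119
[23/Sep/2010:15:04:44 +0200] conn=31 op=0 BIND dn="uid=dorsa,ou=people,o=Corp.net" method=128 version=3
[23/Sep/2010:15:04:44 +0200] conn=31 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=dorsa,ou=people,o=corp.net"
[23/Sep/2010:15:04:44 +0200] conn=31 op=1 SRCH base="ou=people,o=hp.com" scope=2 filter="(|(uid=dorsa)(cn=mdilln.dodgcty))" attrs=ALL
[23/Sep/2010:15:04:44 +0200] conn=31 op=1 RESULT err=0 tag=101 nentries=2 etime=0
[23/Sep/2010:15:04:44 +0200] conn=31 op=2 UNBIND
[23/Sep/2010:15:04:44 +0200] conn=31 op=2 fd=65 closed - U1
[23/Sep/2010:15:04:44 +0200] conn=29 op=-1 fd=64 closed error 11 (Resource temporarily unavailable) -
'@ -split "`r?`n"

function ConvertFrom-LdapAccessLog {
    param([string[]]$Lines)
    $conns = @{}
    foreach ($line in $Lines) {
        # Every record starts with a timestamp and a connection id; skip anything else.
        if ($line -notmatch '^\[(?<ts>[^\]]+)\]\s+conn=(?<conn>\d+)\s+(?<rest>.*)$') { continue }
        $id = [int]$Matches.conn
        if (-not $conns.ContainsKey($id)) {
            $conns[$id] = New-Object psobject -Property @{
                Conn = $id; Client = $null; BindDn = $null; Ops = @(); Errors = @(); Closed = $false
            }
        }
        $c = $conns[$id]
        switch -Regex ($Matches.rest) {
            'connection from (?<ip>\S+)' { $c.Client = $Matches.ip }
            'op=(?<op>-?\d+) BIND dn="(?<dn>[^"]*)"' {
                $c.BindDn = $Matches.dn
                $c.Ops += "op$($Matches.op) BIND"
            }
            'op=(?<op>-?\d+) SRCH base="(?<base>[^"]*)".*filter="(?<f>[^"]*)"' {
                $c.Ops += "op$($Matches.op) SRCH base=$($Matches.base) filter=$($Matches.f)"
            }
            'op=(?<op>-?\d+) RESULT err=(?<err>\d+)' {
                # Only non-zero result codes are worth surfacing.
                if ([int]$Matches.err -ne 0) { $c.Errors += "op$($Matches.op) err=$($Matches.err)" }
            }
            'op=(?<op>-?\d+) UNBIND' { $c.Ops += "op$($Matches.op) UNBIND" }
            'closed error (?<err>\d+)' { $c.Errors += "close err=$($Matches.err)" }
            'closed' { $c.Closed = $true }
        }
    }
    $conns.Values | Sort-Object Conn
}

ConvertFrom-LdapAccessLog -Lines $sampleLog |
    Select-Object Conn, Client, BindDn, Closed,
        @{ n = 'Ops';    e = { $_.Ops -join '; ' } },
        @{ n = 'Errors'; e = { $_.Errors -join '; ' } } |
    Format-List
```

For the sample, connection 31 resolves to a clean bind, one subtree search and an unbind, while connection 29 shows only a close with error 11. Pointing the function at Get-Content of a real access log gives the same per-connection view that the engineer wanted to compare against the Windows side.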

To work through the output, I used the NTDS Diagnostics registry key at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics and set the LDAP Interface diagnostics value to 5. It only provided the elapsed time of the operation and wasn’t close to the Unix output, so I decided to try Event Tracing for Windows. Since this was on Windows Server 2003, I used the Active Directory: Core provider, which gave LDAP details.

Below are the steps and commands I used to create an ETW trace and generate a log. The commands were used to dump LDAP data during authentication for the Unix engineer. I also created a C:\ETW directory to store all my data.

C:\>logman query providers

This command lists all available providers. Note that the provider we are interested in for LDAP information is the Active Directory: Core provider.

logman create trace "LDAP1" -p "Active Directory: Core" -o c:\etw\LDAP1

  • LDAP1 is the name of the trace (we’ll see it when we look at the list of traces).
  • -p identifies Active Directory: Core as the provider we want to use.
  • -o specifies the path for the output (.etl) file as C:\etw\ldap1. The output file will be saved as LDAP1_000001.etl. Note that when the trace runs a second time the output file will be named LDAP1_000002.etl, etc.

Once the trace has been created successfully with the logman create trace command, it can be seen in the queue with the command C:\>logman query. A sample output is shown in Figure 3. The LDAP1 trace is shown in the red box outline in the figure. Note that there are a number of traces I defined which can be reused simply by starting and stopping them.

Figure 3. ETW trace

The following command starts the trace:

Logman Start LDAP1

Issuing Logman Query at this point would show LDAP1 as “Running”.

Next, reproduce the problem or situation you want to trace. In this case, I performed a logon and ran some LDIFDE commands to perform LDAP searches. Having these commands ready as soon as the trace starts will minimize the noise in the trace and make it easier to read.

Next, stop the trace: Logman Stop LDAP1

The C:\ETW directory now shows that the LDAP1 trace file LDAP1_000002.etl was created:

C:\ETW>dir ldap1*
Volume in drive C has no label.
Volume Serial Number is 309D-BA04

Directory of C:\ETW

10/13/2010 04:22 PM     1,015 ldap1
10/13/2010 04:20 PM     262,144 LDAP1_000001.etl
01/21/2011 02:12 AM     262,144 LDAP1_000002.etl

Because this is the second time running that trace, the file name was bumped to 000002.

Since the .etl log is unreadable we can use Tracerpt to give us some useful data. The command for this example would be:

TRACERPT LDAP1_000001.etl -o Ldap1.csv

  • -of sets the file type (default CSV); see the online help for more formats.
  • -o sets the output file name (default dumpfile.csv); this produces the most interesting dump of LDAP activity.
  • -summary and -report produce statistical data (not used in this example).
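The create, start, reproduce, stop and convert steps above are always run in the same order, so they are worth wrapping once. The following PowerShell is an added example and not the post's own script: it drives logman and tracerpt with the trace name, provider and C:\ETW folder used in the post, creates the trace only if logman query does not already list it, runs a reproduction step while the trace is active, and converts the newest numbered .etl file to CSV. The function and parameter names are mine; run it in an elevated PowerShell on the domain controller being traced.

```powershell
# Added example, not the post's own script: the Logman/Tracerpt sequence from
# the steps above in one function. Trace name, provider and C:\ETW follow the
# post; function and parameter names are my own.

function Invoke-EtwTrace {
    param(
        [string]$Name      = 'LDAP1',
        [string]$Provider  = 'Active Directory: Core',
        [string]$OutputDir = 'C:\ETW',
        # What to do while the trace runs. Default: wait for the operator, who can
        # log on or run LDIFDE searches in another window, as the post describes.
        [scriptblock]$Reproduce = { Read-Host 'Reproduce the problem now, then press Enter' | Out-Null }
    )
    if (-not (Test-Path -LiteralPath $OutputDir)) {
        New-Item -ItemType Directory -Path $OutputDir | Out-Null
    }
    $etlBase = Join-Path $OutputDir $Name

    # "logman query" lists defined data collectors; create ours only once,
    # since a defined trace can be reused by starting and stopping it.
    $pattern = '^\s*' + [regex]::Escape($Name) + '\s'
    $defined = @(@(& logman query 2>$null) -match $pattern)
    if ($defined.Count -eq 0) {
        & logman create trace $Name -p $Provider -o $etlBase | Out-Null
    }

    & logman start $Name | Out-Null
    try {
        & $Reproduce      # keep this short: everything else in the window is noise
    } finally {
        & logman stop $Name | Out-Null
    }

    # Logman numbers each run: LDAP1_000001.etl, LDAP1_000002.etl, ... Take the newest.
    $etl = Get-ChildItem -Path $OutputDir -Filter "${Name}_*.etl" |
        Sort-Object LastWriteTime | Select-Object -Last 1
    if (-not $etl) { throw "No ${Name}_*.etl was produced in $OutputDir" }

    # Tracerpt turns the binary .etl into a CSV (its default format) for Excel or Notepad.
    $csv = Join-Path $OutputDir ($etl.BaseName + '.csv')
    & tracerpt $etl.FullName -o $csv | Out-Null
    return $csv
}

$csvPath = Invoke-EtwTrace
Write-Host "Trace converted to $csvPath"
```

Pass a different -Provider (or build an input file and change the create line to use -pf) to trace other components; naming the CSV after the numbered .etl keeps successive runs from overwriting one another.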

Opening the LDAP1.csv file in Excel (or Notepad) will allow a look at the data. Figure 4 shows part of my output file with the LDAP requests and responses highlighted. As you can see, the search and bind requests from the text are in column A, while in column B you can see the start and end of the requests, which can be paired up. Further to the right you can see the user data, the filter and scope of the LDAP request, and so on.

Figure 4. View of LDAP1.csv data

The exciting thing about Event Tracing for Windows is that the opportunities with providers seem endless. Providers for Group Policy, Kerberos, LDAP clients, Netlogon, FSRM, IIS and many more are all available in Windows Server 2008.

While I used to rely exclusively on event logs and similar log files, I can now go a level deeper with Event Tracing for Windows and get a lot more verbose data to help me solve whatever problem I’m troubleshooting. The commands to produce the traces and reports are very easy to use as well. Of course, you can find more command options and details online.

Posted in Windows 2003, Windows 2008

Get Mcsa Certified Easily and Quickly

Posted by Alin D on December 3, 2010

Get MCSA 2003 Certification in Days

According to our survey, over 85% of the candidates acknowledge that they have spent needless time and money before finding the most suitable solution to pass the exams. It doesn’t matter if you are just starting out and looking for the most suitable way to get certified, or a skilled technician looking for the most efficient way to get certified, we have the right solution for you.

We provide the following to help you get certified in the most convenient way

24/7, around the clock, consulting service that will assist you, guide you and help you, until you get certified. This price also includes; exam vouchers and all other related expenses. There is no further cost to attain your certification.

Our Guarantee

We will refund any payment that you make, should you for any reason fail to get certified. The refund is an unconditional total refund of any moneys paid.

Why MCSA 2003

The Microsoft Certified Systems Administrator (MCSA) certification will advance your career by ensuring that you have the skills to successfully manage and troubleshoot system environments running on the Microsoft Windows operating system.

This internationally recognized (MCSA) Microsoft Certified Systems Administrator training provides expert instruction on the Microsoft Windows Server 2003 family, making it easier to deploy, manage, and use. Achieving the Microsoft Certified Systems Administrator (MCSA) on Microsoft Windows 2003 credential provides a valid and reliable measure of technical proficiency and expertise to successfully manage and maintain the typically complex computing environment of medium to large-sized companies operating on the Microsoft Windows Server 2003 System.

MCSA 2003 Certification Requirement:

1. Core exams (three exams required):

• Networking systems (two exams required):

Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment.

Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure.

• Client operating system (one exam required)

Exam 70-620: TS: Microsoft Windows Vista Client, Configuring.

Exam 70-270: Installing, Configuring, and Administering Microsoft Windows XP Professional.

Exam 70-210: Installing, Configuring, and Administering Microsoft Windows 2000 Professional.

2. Elective exams (one exam required):

Exam 70-089: Designing, Implementing, and Managing a Microsoft Systems Management Server 2003 Infrastructure.

Exam 70-227: Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition.

Exam 70-228: Installing, Configuring, and Administering Microsoft SQL Server 2000 Enterprise Edition.

Exam 70-235: TS: Developing Business Process and Integration Solutions Using BizTalk Server 2006.

Exam 70-236: TS: Microsoft Exchange Server 2007, Configuring.

Exam 70-262: TS: Microsoft Office Live Communications Server 2005 – Implementing, Managing, and Troubleshooting.

Exam 70-284: Implementing and Managing Microsoft Exchange Server 2003.

Exam 70-299: Implementing and Administering Security in a Microsoft Windows Server 2003 Network.

Exam 70-350: Implementing Microsoft Internet Security and Acceleration (ISA) Server 2004.

Exam 70-431: TS: Microsoft SQL Server 2005 – Implementation and Maintenance.

Exam 70-445: Microsoft SQL Server 2005 Business Intelligence – Implementation and Maintenance.

Exam 70-500: TS: Microsoft Windows Mobile 5.0, Implementing and Managing.

Exam 70-501: TS: Windows Server 2003 Hosted Environments, Configuring, and Managing.

Exam 70-620: TS: Microsoft Windows Vista Client, Configuring.

Exam 70-624: TS: Deploying and Maintaining Windows Vista Client and 2007 Microsoft Office System Desktops.

Exam 70-630: TS: Microsoft Office SharePoint Server 2007, Configuring.

Exam 70-631: TS: Microsoft Windows SharePoint Services 3.0, Configuring.

The author has rich experience in writing; articles published on major websites and in newspapers have been welcomed by a large number of readers and are widely quoted by others.

Article from articlesbase.com

Posted in Windows 2003

How to transfer some or all of the FSMO Roles from one DC to another

Posted by Alin D on September 23, 2010

Windows 2008/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory. In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC.
Moving the FSMO roles while both the original FSMO role holder and the future FSMO role holder are online and operational is called Transferring, and is described in this article.
Transferring is the recommended way of moving an FSMO role between domain controllers; it can be initiated by the administrator or by demoting a domain controller. The operating system never initiates a transfer on its own: FSMO roles are not automatically relocated when a domain controller is shut down, which must be considered when shutting down a role holder for maintenance, for example.
In a graceful transfer of an FSMO role between two domain controllers, the data maintained by the FSMO role owner is synchronized to the server receiving the role before the transfer, to ensure that any changes have been recorded before the role change.
However, when the original FSMO role holder has gone offline or become non-operational for a long period of time, the administrator might consider moving the FSMO role from the original, non-operational holder to a different DC. The process of moving the FSMO role from a non-operational role holder to a different DC is called Seizing, and is described in the Seizing FSMO Roles article.
You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by using an MMC snap-in tool. Depending on the FSMO role that you want to transfer, you can use one of the following three MMC snap-in tools:

  • Active Directory Schema snap-in
  • Active Directory Domains and Trusts snap-in
  • Active Directory Users and Computers snap-in

To transfer an FSMO role the administrator must be a member of the following group:

FSMO Role            Administrator must be a member of
Schema               Schema Admins
Domain Naming        Enterprise Admins
RID                  Domain Admins
PDC Emulator         Domain Admins
Infrastructure       Domain Admins

Transferring the RID Master, PDC Emulator, and Infrastructure Masters via GUI
To Transfer the Domain-Specific RID Master, PDC Emulator, and Infrastructure Master FSMO Roles:

  1. Open the Active Directory Users and Computers snap-in from the Administrative Tools folder.
  2. If you are NOT logged onto the target domain controller, in the snap-in, right-click the icon next to Active Directory Users and Computers and press Connect to Domain Controller.
  3. Select the domain controller that will be the new role holder, the target, and press OK.
  4. Right-click the Active Directory Users and Computers icon again and press Operation Masters.
  5. Select the appropriate tab for the role you wish to transfer and press the Change button.
  6. Press OK to confirm the change.
  7. Press OK all the way out.

Transferring the Domain Naming Master via GUI
To Transfer the Domain Naming Master Role:

  1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder.
  2. If you are NOT logged onto the target domain controller, in the snap-in, right-click the icon next to Active Directory Domains and Trusts and press Connect to Domain Controller.
  3. Select the domain controller that will be the new role holder and press OK.
  4. Right-click the Active Directory Domains and Trusts icon again and press Operation Masters.
  5. Press the Change button.
  6. Press OK to confirm the change.
  7. Press OK all the way out.

Transferring the Schema Master via GUI
To Transfer the Schema Master Role:

  1. Register the Schmmgmt.dll library by pressing Start > Run and typing:
regsvr32 schmmgmt.dll
  2. Press OK. You should receive a success confirmation.
  3. From the Run command open an MMC Console by typing MMC.
  4. On the Console menu, press Add/Remove Snap-in.
  5. Press Add. Select Active Directory Schema.
  6. Press Add and press Close. Press OK.
  7. If you are NOT logged onto the target domain controller, in the snap-in, right-click the Active Directory Schema icon in the Console Root and press Change Domain Controller.
  8. Press Specify... and type the name of the new role holder. Press OK.
  9. Right-click the Active Directory Schema icon again and press Operation Masters.
  10. Press the Change button.
  11. Press OK all the way out.

Transferring the FSMO Roles via Ntdsutil
To transfer the FSMO roles from the Ntdsutil command:
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

  1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS>ntdsutil
ntdsutil:
  2. Type roles, and then press ENTER.
ntdsutil: roles
fsmo maintenance:

Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.

  3. Type connections, and then press ENTER.
fsmo maintenance: connections
server connections:
  4. Type connect to server <ServerName>, where <ServerName> is the name of the server you want to use, and then press ENTER.
server connections: connect to server server100
Binding to server100 ...
Connected to server100 using credentials of locally logged on user.
server connections:
  5. At the server connections: prompt, type q, and then press ENTER again.
server connections: q
fsmo maintenance:
  6. Type transfer <Role>, where <Role> is the role you want to transfer.

For example, to transfer the RID Master role, you would type transfer rid master. Options are:

  • transfer domain naming master
  • transfer infrastructure master
  • transfer PDC
  • transfer RID master
  • transfer schema master

  7. You will receive a warning window asking if you want to perform the transfer. Click on Yes.
  8. After you transfer the roles, type q and press ENTER until you quit Ntdsutil.exe.
  9. Restart the server and make sure you update your backup.
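Whichever of the GUI or Ntdsutil procedures above you use, the change is only safe to call done once the new holder is confirmed, so it pays to record the role holders before and after. The following PowerShell is an added example, not part of the original post: it reads the five current role holders through the .NET System.DirectoryServices.ActiveDirectory classes and drives the Ntdsutil sequence from the steps above by passing each prompt's command as an argument. The function and parameter names are mine; server100 is the post's example server name. The confirmation window the post mentions still appears when Ntdsutil is driven this way.

```powershell
# Added example, not part of the original post: list the current FSMO role
# holders, and run the "roles / connections / connect to server / q /
# transfer ... / q / q" Ntdsutil sequence from the steps above as one command.
# Function and parameter names are my own.

Add-Type -AssemblyName System.DirectoryServices

function Get-FsmoRoleHolders {
    # Forest-wide roles live on the Forest object, domain roles on the Domain object.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    New-Object psobject -Property @{
        SchemaMaster         = $forest.SchemaRoleOwner.Name
        DomainNamingMaster   = $forest.NamingRoleOwner.Name
        PdcEmulator          = $domain.PdcRoleOwner.Name
        RidMaster            = $domain.RidRoleOwner.Name
        InfrastructureMaster = $domain.InfrastructureRoleOwner.Name
    }
}

function Move-FsmoRole {
    param(
        # The role names are the ones Ntdsutil's transfer command accepts.
        [Parameter(Mandatory = $true)]
        [ValidateSet('schema master', 'domain naming master', 'PDC', 'RID master', 'infrastructure master')]
        [string]$Role,
        [Parameter(Mandatory = $true)][string]$TargetServer
    )
    # Each argument is one line that would otherwise be typed at an Ntdsutil prompt;
    # the operator still has to answer the confirmation dialog.
    & ntdsutil 'roles' 'connections' "connect to server $TargetServer" 'q' "transfer $Role" 'q' 'q'
}

Write-Host 'Role holders before:'
Get-FsmoRoleHolders | Format-List

# Example transfer of the RID Master to server100, as in the post. Uncomment to run.
# Move-FsmoRole -Role 'RID master' -TargetServer 'server100'
# Write-Host 'Role holders after:'
# Get-FsmoRoleHolders | Format-List
```

Run Get-FsmoRoleHolders from any domain-joined machine to get a baseline; after the transfer, a second call should show the target server for the moved role, and the "before" output is the record to keep with the change.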

Posted in Windows 2003, Windows 2008

Easy 10 tips for effective Active Directory design

Posted by Alin D on September 23, 2010

Active Directory design is a science, and it’s far too complex to cover all the nuances within the confines of one article. But I wanted to share with you 10 quick tips that will help make your AD design more efficient and easier to troubleshoot and manage.

1: Keep it simple

The first bit of advice is to keep things as simple as you can. Active Directory is designed to be flexible, and it offers numerous types of objects and components. But just because you can use something doesn’t mean you should. Keeping your Active Directory as simple as possible will help improve overall efficiency, and it will make the troubleshooting process easier whenever problems arise.

2: Use the appropriate site topology

Although there is definitely something to be said for simplicity, you shouldn’t shy away from creating more complex structures when it is appropriate. Larger networks will almost always require multiple Active Directory sites. The site topology should mirror your network topology. Portions of the network that are highly connected should fall within a single site. Site links should mirror WAN connections, with each physical facility that is separated by a WAN link encompassing a separate Active Directory site.

3: Use dedicated domain controllers

I have seen a lot of smaller organizations try to save a few bucks by configuring their domain controllers to pull double duty. For example, an organization might have a domain controller that also acts as a file server or as a mail server. Whenever possible, your domain controllers should run on dedicated servers (physical or virtual). Adding additional roles to a domain controller can affect the server’s performance, reduce security, and complicate the process of backing up or restoring the server.

4: Have at least two DNS servers

Another way that smaller organizations sometimes try to economize is by having only a single DNS server. The problem with this is that Active Directory is totally dependent upon the DNS services. If you have a single DNS server, and that DNS server fails, Active Directory will cease to function.

5: Avoid putting all your eggs in one basket (virtualization)

One of the main reasons organizations use multiple domain controllers is to provide a degree of fault tolerance in case one of the domain controllers fails. However, this redundancy is often circumvented by server virtualization. I often see organizations place all their virtualized domain controllers onto a single virtualization host server. So if that host server fails, all the domain controllers will go down with it. There is nothing wrong with virtualizing your domain controllers, but you should scatter the domain controllers across multiple host servers.

6: Don’t neglect the FSMO roles (backups)

Although Windows 2000 and every subsequent version of Windows Server have supported the multimaster domain controller model, some domain controllers are more important than others. Domain controllers that are hosting Flexible Single Master Operations (FSMO) roles are critical to Active Directory health. Active Directory is designed so that if a domain controller that is hosting FSMO roles fails, AD can continue to function — for a while. Eventually though, a FSMO domain controller failure can be very disruptive.
I have heard some IT pros say that you don’t have to back up every domain controller on the network because of the way Active Directory information is replicated between domain controllers. While there is some degree of truth in that statement, backing up FSMO role holders is critical.
I once had to assist with the recovery effort for an organization in which a domain controller had failed. Unfortunately, this domain controller held all of the FSMO roles and acted as the organization’s only global catalog server and as the only DNS server. To make matters worse, there was no backup of the domain controller. We ended up having to rebuild Active Directory from scratch. This is an extreme example, but it shows how important domain controller backups can be.

7: Plan your domain structure and stick to it

Most organizations start out with a carefully orchestrated Active Directory architecture. As time goes on, however, Active Directory can evolve in a rather haphazard manner. To avoid this, I recommend planning in advance for eventual Active Directory growth. You may not be able to predict exactly how Active Directory will grow, but you can at least put some governance in place to dictate the structure that will be used when it does.

8: Have a management plan in place before you start setting up servers

Just as you need to plan your Active Directory structure up front, you also need to have a good management plan in place. Who will administer Active Directory? Will one person or team take care of the entire thing or will management responsibilities be divided according to domain or organizational unit? These types of management decisions must be made before you actually begin setting up domain controllers.

9: Try to avoid making major logistical changes

Active Directory is designed to be extremely flexible, and it is possible to perform a major restructuring of it without downtime or data loss. Even so, I would recommend that you avoid restructuring your Active Directory if possible. I have seen more than one situation in which the restructuring process resulted in some Active Directory objects being corrupted, especially when moving objects between domain controllers running differing versions of Windows Server.

10: Place at least one global catalog server in each site

Finally, if you are operating an Active Directory consisting of multiple sites, make sure that each one has its own global catalog server. Otherwise, Active Directory clients will have to traverse WAN links to look up information from a global catalog.

Posted in Windows 2003, Windows 2008

Setting Up Server 2003 as a RADIUS with DD-WRT

Posted by Alin D on September 6, 2010

A co-worker of mine was having some difficulties in setting up a RADIUS for his wireless network which is what prompted this particular article. For setting up your wireless infrastructure there are times when you need a more centrally controlled solution for the authentication problem. This is where RADIUS, and more to the point Microsoft’s IAS, steps in. For your trivia needs RADIUS stands for Remote Authentication Dial-In User Service, while IAS stands for Internet Authentication Service. Normally I would be setting this up under Server 2008 but our needs were calling for Server 2003. I may follow-up with how to do this under Server 2008 as well and even delve into putting together an IAS farm. The WAP being used is a Buffalo WHR-125 with a fairly current build of DD-wrt v24 SP2 (09/24/09) on it.

First off, before installing IAS we will need a certificate for it to use. There are several ways of achieving this. The first method, and the easiest/cheapest, is creating a self-signed certificate using the IIS 6 Resource Kit from Microsoft. The particular program we need from it is SelfSSL, so run through a custom installation and install SelfSSL. Open up a command prompt, navigate to where SelfSSL was installed, and construct the certificate like this:

C:\Program Files\IIS Resources\SelfSSL>selfssl /N:CN=server.domain.local /K:1024 /V:1825

This will get you your self-signed certificate. Of course you can use third-party certificates as well. Another method is to issue one from an internal CA. Don’t forget to implement CA best practices when using one. I personally would opt for a self-signed certificate unless you already have a CA available.

Next up is getting our IAS installed. You will find this under Add/Remove Programs > Add/Remove Windows Components. In there look for Networking Services and go into Details. Internet Authentication Service will be displayed just a few entries down. Once installed, open up the MMC for IAS and let’s get into configuration. Though we should set up our users first. I went with creating a security group named Wireless Authentication and added my users there. Note that you will need to allow these users remote access as well. One way is to go into the user’s properties and on the Dial-In tab select Allow access. This isn’t my preferred method though, as it creates more work. The other method I shall detail a bit later.

Bring up your IAS controls and you’ll see the categories available. We need to get ourselves configured for our access point. To do this we will create a RADIUS Client. Right click on RADIUS Clients and select New RADIUS Client. Give the client a name and point it to the address of the access point. The next menu is selecting our vendor, which we will want to keep as RADIUS Standard for our configuration, as for most configurations. Put in a key for this client and note it down, as we will need to configure it in the WAP later on. No need for the Message Authenticator attribute, as it is used by default with EAP, which is what we will be configuring. For more information about it read here.

We have our client configured on the server but we are also in need of a Remote Access Policy. Right click the Remote Access Policies and select New Remote Access Policy. We will go with the first option for setting up our policy, though creating a custom policy is easy enough as well. On the next screen Access Method we will select Wireless. On the next screen we can put our group to use. Add in your Wireless Authentication group, unless you prefer to control things at the user level. I prefer security groups so that is what we will use. Select PEAP for the authentication method. Check the configuration of it to ensure that EAP-MSCHAP V2 is selected and that the proper certificate is selected as well. If you get an error when selecting Configure complaining about certificates then you need to go back and verify that you have a properly issued certificate. This is where most problems stem from. In the configuration you may also wish to enable Fast Reconnect. I have read about some clients having issues with this but have not had any problems in my configuration. Your mileage may vary. Disable it if you are having problems authenticating clients routinely. Finish this wizard and you’ll have your policy. We’re not quite done with it yet though.

Bring up the properties on your newly created policy. On the encryption tab you will want only Strongest encryption checked. If there are authentication issues though, you will want to enable the others for diagnostics until you figure out what is properly supported by your WAP. This is also where we can enable the alternate method for allowing our users. Go to the Advanced tab and add Ignore-User-Dialin-Properties set to True. This will ignore the setting on your user’s Dial-in tab and truly allow you to control access via groups. Otherwise user settings will trump group settings, which can make for a headache in troubleshooting. Last thing to do is right click the root folder, Internet Authentication Service, and select Register server in Active Directory. What this does is add your server to the RAS and IAS Servers security group, which enables it to read accounts from your AD. Once we are done here we can finally go configure our access point.

This is specific to DD-WRT, so be sure to verify how to configure your own access point. Connect to your access point and go to the Wireless tab, then Wireless Security. Set it to WPA2 Enterprise and make sure you are using AES, unless you have a reason not to. Put in the address for your IAS server and now would be a great time to make sure that it is a static address. Leave the port as 1812 as IAS listens on that out of the box. Finally put in the preshared key that you configured from earlier. Save then apply and your access point is in business. All that is left is configuring your clients.
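The key you noted down when creating the RADIUS client, and entered again on the WAP just now, is what keys both integrity checks in the RADIUS exchange between the access point and IAS. The following Python is an added example written for this page, not code from the original post, from IAS or from DD-WRT: it builds an Access-Request carrying the Message-Authenticator attribute (RFC 3579, the attribute IAS uses by default with EAP) and verifies it the way the server does, then builds an Access-Accept and checks its Response Authenticator (RFC 2865) the way the access point should. The shared secret, user name, NAS address and packet contents are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS = 1, 4
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
HEADER_LEN = 20  # code(1) identifier(1) length(2) authenticator(16)


def encode_attr(attr_type, value):
    """RADIUS attributes are TLVs; the length byte counts the 2-byte header too."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one TLV")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _length_ok(packet):
    # The Length field must agree with the number of bytes actually received.
    return len(packet) >= HEADER_LEN and struct.unpack("!H", packet[2:4])[0] == len(packet)


def _message_authenticator_offset(packet):
    """Offset of the 16 value bytes of attribute 80, or None if it is absent."""
    offset = HEADER_LEN
    while offset < len(packet):
        attr_type = packet[offset]
        attr_len = packet[offset + 1] if offset + 1 < len(packet) else 0
        if attr_len < 2 or offset + attr_len > len(packet):
            raise ValueError("malformed attribute")
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                raise ValueError("Message-Authenticator value must be 16 bytes")
            return offset + 2
        offset += attr_len
    return None


def _compute_message_authenticator(packet, secret):
    """RFC 3579: HMAC-MD5 keyed with the shared secret over the whole packet,
    computed with the attribute's own 16 value bytes set to zero."""
    offset = _message_authenticator_offset(packet)
    if offset is None:
        raise ValueError("packet carries no Message-Authenticator")
    zeroed = packet[:offset] + bytes(16) + packet[offset + 16:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def sign_access_request(identifier, attrs, secret, request_auth=None):
    """Build an Access-Request (what the WAP sends) and fill in attribute 80."""
    request_auth = request_auth or os.urandom(16)   # RFC 2865: fresh random value per request
    body = b"".join(attrs) + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet = header + request_auth + body
    offset = _message_authenticator_offset(packet)
    return packet[:offset] + _compute_message_authenticator(packet, secret) + packet[offset + 16:]


def verify_access_request(packet, secret):
    """What IAS does on receipt: True only if the length is sane and the HMAC matches."""
    if not _length_ok(packet):
        return False
    try:
        offset = _message_authenticator_offset(packet)
        if offset is None:
            return False          # EAP requests without attribute 80 are rejected
        expected = _compute_message_authenticator(packet, secret)
    except ValueError:
        return False
    return hmac.compare_digest(packet[offset:offset + 16], expected)


def build_response(code, request, attrs, secret):
    """Access-Accept/Reject; the RFC 2865 Response Authenticator binds it to the request."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, request[1], HEADER_LEN + len(body))
    response_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + response_auth + body


def verify_response(response, request, secret):
    """What the WAP should do: accept the reply only if it was made with the same secret."""
    if not _length_ok(response) or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


# Constructed sample values (placeholders, not a real secret or network).
SHARED_SECRET = b"constructed-example-secret"
EAP_IDENTITY = struct.pack("!BBH", 2, 1, 10) + b"\x01alice"  # EAP Response/Identity for "alice"


def demo():
    attrs = [encode_attr(ATTR_USER_NAME, b"alice"),
             encode_attr(ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
             encode_attr(ATTR_EAP_MESSAGE, EAP_IDENTITY)]
    request = sign_access_request(7, attrs, SHARED_SECRET, request_auth=bytes(range(16)))
    tampered = request[:24] + bytes([request[24] ^ 0xFF]) + request[25:]  # one byte of User-Name flipped
    accept = build_response(ACCESS_ACCEPT, request, [], SHARED_SECRET)
    forged = build_response(ACCESS_ACCEPT, request, [], b"wrong-secret")
    return {
        "request_valid": verify_access_request(request, SHARED_SECRET),
        "request_wrong_secret": verify_access_request(request, b"typo-in-wap-config"),
        "request_tampered": verify_access_request(tampered, SHARED_SECRET),
        "accept_valid": verify_response(accept, request, SHARED_SECRET),
        "accept_forged": verify_response(forged, request, SHARED_SECRET),
    }
```

Calling demo() shows the two checks passing for the genuine exchange and failing for a request signed with a mistyped secret, a request altered in transit, and an Access-Accept produced without the secret. That is the whole point of the key you noted down: HMAC-MD5 and the Response Authenticator are only as strong as the secret behind them, so make it long and random, use a different one per RADIUS client, and keep UDP 1812 on the IAS server reachable from the access points only.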

This is best done through Windows’ wireless configuration. Manually create a new connection configured with your WAP’s SSID and go into the Security settings on it. Set it to use PEAP and if you are using a non-domain joined machine, that also does not have the certificate that you configured the server with, then tell it not to validate the certificate and also not to use your domain logon and password. Connect wirelessly to your access point and see if you’re successful. If you are not then check your server’s System event log for errors. If you are getting bad username/password errors, and you know your username and password are correct, then start looking at your encryption and configured authentication protocols to make sure they all match. If you are seeing errors about no matching policy then make sure you have your user in the right group or matching the criteria of your policy. That covers the majority of problems you will run into when configuring IAS. Even if you don’t have a use for IAS as a RADIUS it is a good idea to set it up a few times for learning purposes when pursuing an MCSE.

Posted in Windows 2003

Pass Mcse 70-290 Exam Easily

Posted by Alin D on September 5, 2010


MCSE 2003 70-290 Certification

Get Certified in Days

According to our survey, over 85% of the candidates acknowledge that they have spent needless time and money before finding the most suitable solution to pass the 70-290 exams. It doesn’t matter if you are just starting out and looking for the most suitable way to get certified, or a skilled technician looking for the most efficient way to get certified, we have the right solution for you.

We provide the following to help you get certified in the most convenient way

24/7, around the clock, consulting service that will assist you, guide you and help you, until you get certified. This price also includes; exam vouchers and all other related expenses. There is no further cost to attain your certification.

Our Guarantee

We will refund any payment that you make, should you for any reason fail to get certified. The refund is an unconditional total refund of any moneys paid.

Why MCSE 2003

MCSE 2003 70-290 Certifications are among the most specialized certifications available today. The MCSE 2003 70-290 Certification gives you industry recognition for your expertise in business solutions based on the Microsoft Windows 2003 platform and Microsoft 2003 server software. Implementation responsibilities include installing, configuring, and troubleshooting network systems. The MCSE 2003 credential is one of the most widely recognized technical certifications in the industry, a credential in high demand. By earning the premier MCSE credential, individuals demonstrate that they have the skills necessary to lead organizations in the successful design, implementation, and administration of the most advanced Microsoft Windows platform and Microsoft server products.

MCSE 2003 Certification Requirement:

1. Core exams (six exams required)

• Four networking system exams: (four exams required)

Exam 70-290: Managing and Maintaining a Windows Server 2003 Environment.

Exam 70-291: Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure.

Exam 70-293: Planning and Maintaining a Windows Server 2003 Network Infrastructure.

Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure.

• One client operating system exam: (one exam required)

Exam 70-620: TS: Microsoft Windows Vista, Configuring.

Exam 70-270: Installing, Configuring, and Administering Microsoft Windows XP Professional.

Exam 70-210: Installing, Configuring, and Administering Microsoft Windows 2000 Professional.

• One design exam:

Exam 70-297: Designing a Windows Server 2003 Active Directory and Network Infrastructure.

Exam 70-298: Designing Security for a Windows Server 2003 Network.

2. Elective exams (one exam required)

Exam 70-089: Designing, Implementing, and Managing a Microsoft Systems Management Server 2003 Infrastructure.

Exam 70-227: Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition.

Exam 70-228: Installing, Configuring, and Administering Microsoft SQL Server 2000 Enterprise Edition.

Exam 70-229: Designing and Implementing Databases with Microsoft SQL Server 2000 Enterprise Edition.

Exam 70-235: TS: Developing Business Process and Integration Solutions Using BizTalk Server.

Exam 70-236: TS: Microsoft Exchange Server 2007, Configuring.

Exam 70-262: TS: Microsoft Office Live Communications Server 2005 – Implementing, Managing, and Troubleshooting.

Exam 70-281: Planning, Deploying, and Managing an Enterprise Project Management Solution.

Exam 70-282: Designing, Deploying, and Managing a Network Solution for a Small- and Medium-Sized Business.

Exam 70-284: Implementing and Managing Microsoft Exchange Server 2003.

Exam 70-285: Designing a Microsoft Exchange Server 2003 Organization.

Exam 70-297: Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure.

Exam 70-298: Designing Security for a Microsoft Windows Server 2003 Network.

Exam 70-299: Implementing and Administering Security in a Microsoft Windows Server 2003 Network.

Exam 70-301: Managing, Organizing, and Delivering IT Projects by Using Microsoft Solutions Framework 3.0.

Exam 70-350: Implementing Microsoft Internet Security and Acceleration (ISA) Server 2004.

Exam 70-431: TS: Microsoft SQL Server 2005 – Implementation and Maintenance.

Exam 70-445: Microsoft SQL Server 2005 Business Intelligence – Implementation and Maintenance.

Exam 70-500: TS: Microsoft Windows Mobile Designing, Implementing, and Managing.

Exam 70-501: TS: Microsoft Windows Server 2003 Hosted Environments, Configuring, and Managing.

Exam 70-620: TS: Microsoft Windows Vista, Configuring.

Exam 70-624: TS: Deploying and Maintaining Windows Vista Client and 2007 Microsoft Office System Desktops.

Exam 70-630: TS: Microsoft Office SharePoint Server 2007, Configuring.

Exam 70-631: TS: Configuring Microsoft Windows SharePoint Services 3.0.

The author has rich experience in writing, has published articles on major websites and in newspapers that were welcomed by a large number of readers, and is widely quoted by other writers.

Posted in Windows 2003

How to repartition Windows Server 2003 with Partition Magic Server fast and easily

Posted by Alin D on September 4, 2010


Why repartition Windows Server?

Many server administrators have encountered the problem of a partition running out of space, especially the system C drive. A server should run 24*7, so no one wants to delete the partitions, recreate a larger partition and reinstall Windows, which is the solution Microsoft describes. The best solution is to repartition the Windows server. Generally, you’ll complete the work within a few to 30 minutes. With some server partition software, you can extend the NTFS system partition without rebooting the computer. It saves much time and money.

Ensure data security when repartition Windows Server 2003

Security and stability are undoubtedly the most significant aspects of server computers, since a server usually stores the most important classified and daily-used files. However, even a slight error on a server might directly lead to exposure of the whole network to the outside.

Based on the enhanced data protection technology and the copy wizard built into Partition Wizard Server Edition, it is highly recommended as the “Magic Server Partition Manager” for repartitioning Windows 2003 Server. The reason is that it is able to extend the NTFS system partition without a reboot, to maximize server performance and minimize server downtime.

Which tool to repartition Windows Server 2003?

The first and most famous partition software is Partition Magic, but there is no Partition Magic Server for Windows 2003. On the market there are many Partition Magic alternatives for Windows Server, for example Acronis Disk Director, Partition Wizard Server, etc. So which tool is better for repartitioning Windows 2003 Server? Of course, different people have different choices, but in many technical forums the professionals recommend Partition Wizard Server, for these reasons:

Enhanced data protection technology helps you resize and merge partitions without data loss, even if a power failure or hardware problem occurs.
The Hot Resize feature helps you extend an NTFS partition without a reboot that would interrupt the server.
The disk and partition copy feature helps you back up data or migrate to another disk without reinstalling Windows.
Changes made on partitions can be previewed before being applied to the hard disk.
With its user-friendly interface, no professional assistance or experience in using Partition Magic is required.
Change cluster size, partition type ID, partition serial number and Logical <=> Primary partition to improve computer and disk performance.

How to repartition Windows Server 2003?

It is extremely easy to repartition Windows 2003 Server. With its absolutely user-friendly interface, the functions of Partition Wizard Server are easy to access, whether or not you have experience in using Partition Magic.

Any operations you do on the Server will be listed in the “Operations Pending” column, making sure no changes take place on your partitions before you click “Apply”. So if you are not sure about your operation, just close this partition software and nothing will be changed.

Step-by-step instructions to resize a server partition:

Step 1: launch Partition Wizard, right-click the partition and select “Move/Resize” to shrink this partition.

In the pop up window, drag the left borderline of this data partition rightwards.

After step 1, there will be Unallocated space created behind the system partition.

Step 2: Right-click the system partition and select “Move/Resize”. In the pop up window, drag the right borderline rightwards.

Now the system partition has been extended, click “Apply”.

Besides resizing and merging partitions without data loss, Partition Wizard Server has other features, for example converting a dynamic disk to basic, hiding/unhiding partitions, setting the active partition, changing cluster size, etc.

With Server partition software to resize partitions, you’ll save much time and money.

However, you had better back up the important files, as no partition software is 100% secure.

Jordan is one of the editors of HDD TOOL, which provides common solutions to hard disk drive and operating system problems for free.

Posted in Windows 2003

Windows 2003 low disk space

Posted by Alin D on September 3, 2010


When Windows Server 2003 has been used for a while, some problems may come to you, such as a notice of low disk space on the 2003 C drive. When low disk space errors are reported, you may check your disk space and find that the total is not what you get by adding the sizes of the different partitions together. Something may have taken your disk space, and you do not know where you can gain more disk space for the C partition. Redistributing the disk space of your Windows Server 2003 seems reasonable.

How can we rearrange the partition sizes and assign more disk space to the C drive, since it keeps notifying you about low disk space? The Disk Management tool provided by Windows won’t be able to perform the partition resizing job safely, but some partition software like Partition Magic Server is able to do the trick. Shrink some large partition to make free unallocated space without losing files, and then redistribute the free space to the C drive safely by extending the C partition with Partition Magic Server. Here is the detailed tutorial: http://www.geeksdo.com/windows-server-2003-low-disk-space.html


Windows Server 2003 is an operating system for servers, released by Microsoft. When the server’s boot partition runs out of space, several problems can arise: the server might operate slowly, there would be no more space for new software and applications, and, the most dreadful problem, the server may freeze when launching an application. These problems could be fatal for the company owning the server and for its customers.

To overcome this problem there are two possibilities. The first is to reinstall Windows Server 2003 on your server, which might result in losing data and also a lot of time. The second is to extend the space allocated to the boot partition. Surely the latter is preferable. There are many ways to do so. Windows Server 2003 has a built-in feature named “disk manager” which can be employed to extend the allocated space. In order to use disk manager for resizing your disk, follow these instructions:

- Double click “My Computer”

- Go to “Manage”

- Go to “Storage”

- Go to “Disk Management”

- Right click on your boot partition

There you will face two options:

1-“Shrink”

2-“Extend”


If you want to shrink the boot partition, some unallocated space will be released from it. But if you use the Extend feature, you will have to delete the other partitions in order to create some space, which can later be allocated to the boot partition. In this way you can solve the disk space problems in Windows Server 2003.

On the market some software products are available that can help you extend your boot partition professionally, such as Partition Manager Server, Acronis Disk Director Server, Partition Wizard Server and Partition Assistant Server. To find the best partition software, you are free to read a server partition software review.

Posted in Windows 2003

Windows Server 2003 partition software helps resize partition on Windows 2003 Server easily

Posted by Alin D on September 2, 2010


What would you do if the system C drive were running out of space on Windows Server 2003? Do you want to extend the C drive on 2003 Server without reinstalling Windows? Is there Windows Server 2003 partition software which can help you resize or merge partitions to fix the low disk space warning, and carry out other basic and advanced partitioning operations to maximize Windows Server hard disk performance and optimize disk usage? This question can be found on many Windows Server forums, and the answer is YES. Partition Wizard Server is the typical Windows Server 2003 partition software.

Ensure data security with Windows Server 2003 partition software

Security and stability are undoubtedly the most significant aspects of server computers, since a server usually stores the most important classified and daily-used files. However, even a slight error on a server might directly lead to exposure of the whole network to the outside. So if you want to resize partitions on a server, you have to choose reliable and safe partitioning software.

Based on the enhanced data protection technology and the copy wizard built into Partition Wizard Server Edition, it is highly recommended as Magic Server Partition Software when partitioning Server 2003. This Windows Server partition software can extend the NTFS system partition without a reboot, to maximize server performance and minimize server downtime.

Easy to use Windows Server 2003 partition software

We can use server partition software to make the most of the partitions on a Windows Server 2003 system and minimize server downtime by extending the system partition without a reboot. But if this Windows Server 2003 partition software is too difficult to use, no one will want to use it.

Actually, most users consider it a headache to resize partitions on Windows Server 2003, because it is too difficult for people who are not computer specialists. Don’t worry: with the absolutely user-friendly interface of Partition Wizard Server, no professional assistance or experience in using Partition Magic is required.

How to resize partition on Windows Server 2003

Step 1: launch Partition Wizard, right-click the partition and select “Move/Resize” to shrink this partition.

In the pop up window, drag the left borderline of this data partition rightwards.

After step 1, there will be Unallocated space created behind the system partition.

Step 2: Right-click the system partition and select “Move/Resize”. In the pop up window, drag the right borderline rightwards.

Now the system partition has been extended, click “Apply”.

Benefits you can get from this Windows Server partition software

Enhanced data protection technology helps you resize and merge partitions without data loss, even if a power failure or hardware problem occurs.
The Hot Resize feature helps you extend an NTFS partition without a reboot that would interrupt the server.
The disk and partition copy feature helps you back up data or migrate to another disk without reinstalling Windows.
Wipe disk/partition/Unallocated space to protect your data security.
Convert dynamic disk to basic without data loss or reformatting.
Changes made on partitions can be previewed before being applied to the hard disk.
With its user-friendly interface, no professional assistance or experience in using Partition Magic is required.


It will save much time and money to resize or merge partitions without rebuilding the server, but remember to back up your important files, as no server partition software is 100% secure.

Please note, Partition Wizard Home edition is free to home users but the Server edition is commercial.

Jordan is one of the editors of HDD TOOL, which provides common solutions to hard disk drive and operating system problems for free.

Posted in Windows 2003
