J Blog

Single AD and your Remote WAN offices

James.Kindon — Wed, 02 Jul 2008 02:27:00 GMT

Over the last 12 months, I have been undertaking a centralisation of AD project across over 100 Sites. If you read through some of my previous AD design and implementation articles, you will see that i push the single AD path quite heavily inline with both Microsoft reccomendations and real world experience

Unfortunately, there are one or two small bugs that still need to be addressed in a Single AD environment, with remote sites that do not host a Domain Controller. In reality, with sites that have 4 or 5 computers, there is not a justification of cost to implement a local DC at each site. Whilst this would be a Fantastic environment to work in, its simply not something that can always be justified.

The biggest problem that i have found so far, is that when a WAN link drops at a remote site, certain functions of everyday network no longer work, the biggest is local drive mappings. For example, say you have an XP machine that hosts a small POS application, and all other clients MAP to this machine. If the WAN link drops, the user can logon with Cached Credentials, but drive mappings to other machines fail, due to no local GC being contactable to provide authentication. This may be ok for an hour or so, but when you start talking of days without a Link being restored, this becomes a very serious matter

The ony work around to date that i have found is to emulate a workgroup environment temporarily. When i say emulate, i mean drop back to the Authentication of mapped drives occuring at a SAM level, rather than AD. This isnt as bad as it sounds, considering that cached computer security settings from a GPO still apply so your security isnt breached

Basically, i have created a small script that runs as a startup script within GPO whilst the link is up, that creates a local user account on each machine. When the Link drops and is not returned to an operation state (time period set by internal SLA's) we simply guide the local staff in logging in with the local account, and mapping drives to the appropriate machine - to enhance efficiency, you can even create a set of batch or vbs files to take care of this all for your users depending on your environment. a local logon script still runs and makes life much easier. This must be run as a startup script rather than a logon script as local users do not have permissions to create users

This runs on all local machines, uncluding terminal services, and includes the appropriate group membership for the loca user to allow both local, and TS access when no link is present.

2008 Server introduces RODC's, which will start taking care of a lot of these problems, especially for sites that may contain a local 2008 file and print server. 2008 Group Policy also allows for local user create via GPO, which will make this script redundant (yay!) and make life much easier

Here is the code that i am currently using - its simple and easy - feel free to use it as you see fit

James

DIM strUserName
DIM strFullName
DIM strDescr
DIM strPassword
DIM strComputer

Set WshNetwork = WScript.CreateObject("WScript.Network")

strUserName = "LanLogon"
strFullName = " WAN Down"
strDescr = "Local Logon Account WAN Link is Down"
strPassword = "PassWord0099"
strComputer = WshNetwork.ComputerName

Set colAccounts = GetObject("WinNT://" & strComputer & "")
colAccounts.Filter = Array("user")
result = false
For Each objAccount In colAccounts
if (objAccount.Name = strUserName) then
result = true
end if
Next

If result= false Then
set objSystem = GetObject("WinNT://" & strComputer)
set objUser = objSystem.Create("user", strUserName)
objUser.FullName = strFullName
objUser.Description = strDescr
objUser.SetPassword strPassword
objUser.SetInfo

Set objUserGroup = GetObject("WinNT://" & strComputer & "/Users")
Set objRemoteGroup = GetObject("WinNT://" & strComputer & "/Remote Desktop Users")
objUserGroup.Add(objUser.ADsPath)
objRemoteGroup.Add(objUser.ADsPath)

End If

Server 2003 R2 - Server 2008 File Screening

James.Kindon — Mon, 23 Jun 2008 23:09:00 GMT

One of the most underused and most powerful (and awesome) features of the R2 release of Server 2003 and standard in 2008, is file screening.....This is a really really cool feature that gives you complete control of what is stored on your server - the control is unbeleivable, you can block on file types, size, user, etc

A great run through as usual from the guys on the windowsnetworking site is worth a read

http://www.windowsnetworking.com/articles_tutorials/Implementing-File-Screening-Windows-Server-2003-R2.html

Have a try of this on your own servers, i guarrantee you will find a use for it, and tie it in with storage quotas etc, and your control over your file servers takes a step in a whole new direction

James

Group Policy Security Filtering

James.Kindon — Mon, 02 Jun 2008 05:33:00 GMT

One of the common requirements of GPO is making sure it only applies to certain servers or objects, you may have a terminal server that you dont want certain GPO's being assigned to, yet this server sits in the same OU as multiple other servers that do need to GPO in question to be applied

What are your options? Basically there are two

1) Create an additional OU for the objects in questions that you do not want the policy to apply too, move the object to it (If its a sub OU then you will need to block policy inheritence from above) and you are done

In a more complex environment, segmenting OU's like this may not be an acceptable solution, so we have a second option that allows you to keep your AD structure as is, yet allows more control on which objects get what policy. This is known as Security Filtering

2) Group Policy Security Filtering

This is pretty much a self explanatory procedure. Basically, you control the security on the Policy, the same as you would on a NTFS share. You can allow or deny permissions on users and groups, to actually apply the persmission.

Best practices on this are similar to NTFS permissions, the primary being, dont use the deny permission. A basic simple set of steps is as follows

I would also reccomend using Group Policy Management Console for this task

1) Create a Group
2) Add your objects to the group (Users, Computers, Servers)
3) Create your GPO
4) Under the delegation TAB of the GPO, Advanced, Remove the groups you do not wish the policy to apply to and add your newly created group that you do want the policy to apply to)
5) Assign the allow read and apply group policy settings
6) Link the GPO to the OU that holds the objects.

You have now ensured that users within your group, can apply the policy, you have also ensured that no other objects will

Simple Yes

For the "how to" and some more in depth reading, this is the best link I have found
http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html

James

Active Directory Sites and Services

James.Kindon — Wed, 28 May 2008 06:29:00 GMT

The long forgotten configuration of Sites and Services - amazing how many times its not actually configured, yet its the crux of Active Directory replication and control of rogue and uncontrolled logon traffic across your WAN links... Figured it would be a good time to document the basics on some of the configuration and why it should be done - not a hugely indepth article, but enough to give some understanding of how it works, why it should be done, and the problems you will get if you don't do it...

Enjoy

http://www.block.net.au/help/AD-Sites/

James

Active Directory & Why You Should Use It

James.Kindon — Mon, 26 May 2008 04:44:00 GMT

I banter regularly across forum posts about why Workgroups are Evil and why Active Directory is the source of all things good in the Windows World....Why do like it? Because it makes me happy....I have virtually no overhead adminstration for management of users, groups, Printers, Shares, Drives, Resource Assignment etc....Active Directory is A logical, Efficient and Easy way of making me look good in my job - And the best thing is, you can use it in any environment - from 2 users, to 50,000 users - its perfectly scalable for businesses of all Shapes and Sizes...no limits! All you need is your Server Operating System and away you go...

Need help convincing management of why you should implement Active Directory - hopefully this will help

http://www.block.net.au/help/Why-AD/

Enjoy - as always, anything i have missed, let me know

James

D-D-D-DNS In A Windows Domain Environment

James.Kindon — Thu, 15 May 2008 00:12:00 GMT

Domain Naming Service..... Experienced Admins good friend, and the not so experienced or new Admins worst nightmare - Why? Lack of clear cut basic understanding of what DNS does in the Windows Domain World.....So here we go, an article on the basics of DNS and how it functions in a Windows Domain Environment - what you should and shouldn't do and how simple it is to actually configure

This is just a small guide that barely touches on what DNS can do, but will get you out of trouble when it comes to setting a basic Windows Domain

http://www.block.net.au/help/DNS-Basics/

James

Active Directory Design & The Real World

James.Kindon — Wed, 14 May 2008 00:35:00 GMT

Ever been in position where you have to decide between Single Active Directory, Child Domains or Seperate Forest Architectural Designs? So have I...Numerous times...and it can get quite complex without asking the right questions and taking a holistic approach to your company and business structure as a whole....Design goes past simply Active Directory Modelling and what you would like to do, but also calls upon Management and company direction for the future...

The most confusing parts and the hardest Questions to answer are often "Do I use child domains and if so Why?" or "Do I use a seperate Forest, and again, why?" The reality is, these are indeed hard questions to answer without having the right background information on your company and what they want to do. Decisions can change in a split second depending on a response from a CEO, or Director or any Departmental manager, and if you already have a structure in place, this can be hard to change....

I have posted an article based on my experience in the AD world when it comes to design, I have worked in numerous companies that have charged me with the role of redesigning and future proofing their AD Architecture, and so far so good, The key point i had to learn very quickly was take a step back from the Technical world and focus just as heavily on the business roles and plans for the future.

As always, I am open to review and comments, and stress that this is only what i have seen and done in the past, you may find that your needs and questions are different from mine, but i hope that i can pass through some sort of guidance and help with what i have dealt with in both the Technical and Business Worlds

http://www.block.net.au/help/ad-architecture/

James

Web Based GAL Management? Yes Please!

James.Kindon — Mon, 12 May 2008 23:21:00 GMT

I'm not a huge person for putting myself out there and pushing products - but this is one of the exceptions - rDirectory -

I came across this software when looking for a nicer way to manage the GAL than installing the Support Tools and giving people access to AD....this was fantastic - nice gui, nice functionality, and the best thing is, the community version is free - no strings attached - the enterprise edition pretty much lets loose on every part of AD and your management feel of AD is entirely new - but for the basic tasks such as an HR person managing the GAL....this rocks...

http://www.namescape.com/

Enjoy

Replacing a Domain Controller

James.Kindon — Sun, 11 May 2008 22:52:00 GMT

Morning,

I have posted an article on how to replace a domain controller - a simple concept, yet a fairly unkown process when it actually comes time to do it..... Listed within is step by step guidelines based on the who knows how many times i have done it so feel free to use, abuse, and comment on anything within the article - I am very open to suggestions in improvements and anything thats been missed - but this should get most people through the migration

http://www.block.net.au/help/replace-dc/

Cheers

Introduction

James.Kindon — Sat, 10 May 2008 07:47:00 GMT

So Kieran has been good enough to lend me a space where i can let out all the things that annoy me about the IT world, as well as post some hopefully helpful articles based on my experience in the Directory Services world over the last few years, my aim is to try and tackle some of those common everyday problems and projects that we all face as Admins and Architects, that havent yet been documented clearly....As well as post up some of the things that i have found within Windows Server, Active Directory and Exchange that you may or may not be aware of, little ways of making your life easier along the way

I am no different to any of you, but i do have a passion for Active Directory, and one for sharing knowledge with others that can benefit from it and make their lives easier in the workplace

You may know me around the Experts Exchange Site as Jay_Jay70 (terrible name - dont ask) and those that do, will know i have a few pet hates and a few things that i swear by and will stick up for until the end....I am sure you will find them as these postings grow - and i spend more quality time on the phone to India with Symantecs amazing support team etc etc etc....

Enough for now, this is my first personal blog ever, so play nice and i welcome any feedback on the article and posts that come in the future

Cheers

James