2011 in review

January 3, 2012 Leave a Comment

The WordPress.com stats helper monkeys prepared a 2011 annual report for this blog.

Here’s an excerpt:

The concert hall at the Syndey Opera House holds 2,700 people. This blog was viewed about 10,000 times in 2011. If it were a concert at Sydney Opera House, it would take about 4 sold-out performances for that many people to see it.

Click here to see the complete report.

Filed under System Information Tagged with , , , ,

VM Backup – Win Server 2008 R2 & Hyper-V

December 16, 2011 Leave a Comment

VM Backup – Backing up Virtual Machines with Windows Server 2008 R2 & Hyper-V

Overview

Virtual machines are basically made of files. They contain configuration files, virtual hard disks, snapshot files and saved state files. While running computers are virtual machines can benefit from virtualization, a lot of thought needs to be taken in order to protect the contents of the virtual machines and the VMs themselves, so that if something goes wrong, you can perform a pre-defined list of steps to successfully restore the VMs to a functional and running state.

Note: To install Windows Server Backup, log on to the computer by using the local Administrator account or another account with Administrator privileges. To perform backups or recoveries by using Windows Server Backup, you must be a member of the Administrators or Backup Operators groups.

Performing the backup

To perform the actual VM backup follow these steps:

1. Open Windows Server Backup from the Administrative Tools folder. In the Actions pane, click “Backup Once” (you can, of course, create a schedule for this backup).

 

2. In the “Backup Options” page, select “Different Options” and click Next.

3. In the “Select Backup Configuration” page, select “Custom” and click Next.

4. In the “Select Items for Backup” page, click “Add Items“.

5. In the “Select Items” window, click to select the volumes where the VM configuration files and VM hard disks are located. Also note that while it may look possible to select individual folders, do NOT select individual folders. Only select the entire volume. Failing to select the right volumes will result in a failure for the backup procedure and even if it will seem to you that all items were backed up, in fact you will not be able to restore your VMs. Click Ok.

6. Back in the “Select Items for Backup” page, click “Advanced Settings“.

7. In the “Advanced Settings” window, click to select “VSS Full Backup” and click Ok.

8. Back in the “Select Items for Backup” page, click Ok.

9. In the “Specify Destination Type” page, select the destination for the backup. I chose Local Drives, but you can also perform the backup on remote shares. Click Next.

10. In the “Select Backup Destination” page, use the drop-down list to select your destination. If you plan to backup on an external USB drive, make sure the computer recognizes it before you get to this spot. Also make sure that the destination volume contains enough free disk space for the backup to be place in. Remember that volume level backup are ALWAYS full, therefore if you’ve got 500 GB worth of VMs in one volume, you’ll need to have as much space as that (and preferably more) on your destination volume. Click Ok.

11. In the “Confirmation” page click Backup and let the backup procedure begin.

12. If you immediately switch to the Hyper-V management console, you’ll see that the VMs are being snapshotted. This is not equivalent to taking a Hyper-V snapshot, which in fact is not really a true snapshot and has nothing in relation to VSS snapshots. Because the VSS writer was registered, and because the Integration Services (Components) are installed and enabled on the VMs, they will be successfully backed up without being paused, saved or turned off. In addition, the ICs will inform the VMs that a backup procedure is taking place on the parent partition, so any VSS-aware application that is running inside the VM will also be triggered (which is very important for applications such as SQL, Exchange and so on).

13. Windows Server Backup begins to write the file(s) to disk.

14. When finished, click Close.

Summary

Backing up virtual machines can be a little different than backing up a traditional system.  Because a virtual machine is nothing more than a collection of files, it is important to be especially mindful of the backup process. One oversight along the way can mean a failed VM backup.  Hopefully this article has prepared you to backup your Virtual Machines with Hyper-V using Windows Server Backup.

 

 

Source: Petri

Filed under Backup, Domain Controller, Server, Server 2008, System Information, VM Tagged with , , , , ,

How many FSMO Roles?

October 12, 2011 Leave a Comment

Flexible Single Master Operation Roles

1. Domain Naming Master —ForestWide Roles

2. Schema Master —ForestWide Roles

3. RID Master (Relative ID Master) — Domain Wide Roles

4. PDC Emulator — Domain Wide Roles

5. Infrastructure Master — Domain Wide Roles

 

Relative ID (RID) Master: — it assigns RID and SID to the newly created object like Users and computers. If RID master is down (u can create security objects up to RID pools are available in DCs) else u can’t create any object one its down. The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object.

PDC emulator: It works as a PDC to any NT Bdcs in your environment

It works as Time Server (to maintain same time in your network)

It works to change the passwords, lockout etc. The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All Windows 2000/2003-based computers within an enterprise use a common time

  • Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
  • Account lockout is processed on the PDC emulator.
  • Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator’s SYSVOL share, unless configured not to do so by the administrator.

At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.

 

Infrastructure Master: This works when we are renaming any group member ship object this role takes care. When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object’s SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.

Domain Naming Master: Adding / changing / deleting any Domain in a forest it takes care,. This DC is the only one that can add or remove a domain from the directory. There can be only one domain naming master in the whole forest.

Schema Master: It maintains structure of the Active Directory in a forest. The schema master domain controller controls all updates and modifications to the schema. Once the Schema update is complete, it is replicated from the schema master to all other DCs in the directory. There can be only one schema master in the whole forest.

Filed under Active Directory, Server, Server 2003, Server 2008, System Information Tagged with , , , ,

What is a backup?

August 19, 2011 Leave a Comment

A backup is an exact copy of a file (including documentation) that is kept on a storage medium (usually in a compressed state) in a safe place (usually at a remote location) for use in the event that the working copy is destroyed. Notice that we placed emphasis on “including documentation”, because every media holding backups must include a history or documentation of the files on the media. This is usually in the form of labels and identification data on the media itself, on the outside casing, and in spreadsheets, hard catalogs, or data ledgers in some form or another. Without history data, restore media cannot locate your files, and the backup is useless. This is why you can prepare a tape for overwriting by merely formatting the label so that the magnetic head thinks the media is blank.

 

Various types of backups are possible, depending on what you back up and how often you back it up, as the following list describes:

  • Archived backup: A backup that documents (in header files, labels, and backup records) the state of the archive bit at the time of copy. The state (on-off) of the bit indicates to the backup software that the file has been changed since the last backup. When Windows Server 2008 Backup does an archived backup, it sets the archive bit accordingly.

 

  • Copy backup: An ad hoc “raw” copy that ignores the archive bit state. It does not set the archive bit after the copy. A copy backup is useful for quick copies between DR processes and rotations or to pull an “annual” during the monthly rotation

 

  • Daily backup: This does not form part of any rotation scheme. It is just a backup of files that have been changed on the day of the backup. We question the usefulness of the daily backup in Backup, because mission-critical DR practice dictates the deployment of a manual or automated rotation scheme. In addition, Backup does not offer a summary or history of the files that have changed during the day

 

  • Normal backup: A complete backup of all files (that can be backed up), period. The term normal is more a Windows Server 2008 term, because this backup is more commonly called a full backup in DR circles. The full backup copies all files and then sets the archive bit to indicate (to Backup) that the files have been backed up. You would do a full backup at the start of any backup scheme. You would also need to do a full backup after making changes to any scheme. A full backup, and documentation or history drawn from it, is the only means of performing later incremental backups. Otherwise, the system would not know what has or has not changed since the last backup.

 

  • Incremental backup: A backup of all files that have changed since the last full or incremental backup. The backup software sets the archive bit, which thereby denotes that the files have been backed up. Under a rotation scheme, a full restore would require you to have all the incremental media used in the media pool, all the way back to the first media, which contains the full backup. You would then have the media containing all the files that have changed (and versions thereof) at the time of the last backup.

 

  • Differential backup: This works exactly like the incremental, except that it does not do anything to the archive bit. In other words, it does not mark the files as having been backed up. When the system comes around to do a differential backup, it compares the files to be backed up with the original catalog. Differential backups are best done on a weekly basis, along with a full, or normal, backup, to keep differentials comparing against recently backed up files.

Filed under Active Directory, Backup, Server, Server 2003, Server 2008, System Information Tagged with , , , ,

Active Directory Roles

August 10, 2011 Leave a Comment

Active Directory Certificate Services (AD CS)

 

AD CS provides functions necessary for issuing and revoking digital certificates for users, client computers, and servers. Includes these role services: Certification Authority, Certification Authority Web Enrollment, Online Certificate Status Protocol, and Microsoft Simple Certificate Enrollment Protocol (MSCEP).

 

Active Directory Domain Services (AD DS)

 

AD DS provides functions necessary for storing information about users, groups, computers, and other objects on the network and makes this information available to users and computers. Domain controllers give network users and computers access to permitted resources on the network.

 

Active Directory Federation Services (AD FS)

 

AD FS complements the authentication and access management features of AD DS by extending them to the World Wide Web. Includes these role services and subservices: Federation Service, Federation Service Proxy, AD FS Web Agents, Claims-Aware Agent, and Windows Token-Based Agent.

 

Active Directory Lightweight Directory Services (AD LDS)

 

AD LDS provides a data store for directory-enabled applications that do not require AD DS and do not need to be deployed on domain controllers. Does not include additional role services.

 

Active Directory Rights Management Services (AD RMS)

 

AD RMS provides controlled access to protected e-mail messages, documents, intranet Web pages, and other types of fi les. Includes these role services: Active Directory Rights Management Server and Identity Federation Support.

 

Application Server

 

Application Server allows a server to host distributed applications built using ASP.NET, Enterprise Services, and .NET Framework 3.0. Includes more than a dozen role services.

 

DHCP Server

 

DHCP provides centralized control over Internet Protocol (IP) addressing. DHCP servers can assign dynamic IP addresses and essential TCP/IP settings to other computers on a network. Does not include additional role services.

 

DNS Server

 

DNS is a name resolution system that resolves computer names to IP addresses. DNS servers are essential for name resolution in Active Directory domains. Does not include additional role services.

 

Fax Server

 

Fax Server provides centralized control over sending and receiving faxes in the enterprise. A fax server can act as a gateway for faxing and allows you to manage fax resources, such as jobs and reports, and fax devices on the server or on the network. Does not include additional role services.

 

File Services

 

File Services provide essential services for managing fi les and the way they are made available and replicated on the network. A number of server roles require some type of fi le service. Includes these role services and subservices: File Server, Distributed File System, DFS Namespace, DFS Replication, File Server Resource Manager, Services for Network File System (NFS), Windows Search Service, Windows Server 2003 File Services, File Replication Service (FRS), and Indexing Service.

 

Network Policy And Access Services (NPAS)

 

NPAS provides essential services for managing routing and remote access to networks. Includes these role services: Network Policy Server (NPS), Routing And Remote Access Services (RRAS), Remote Access Service, Routing, Health Registration Authority, and Host Credential Authorization Protocol (HCAP).

 

Print Services

 

Print Services provide essential services for managing network printers and print drivers. Includes these role services: Print Server, LPD Service, and Internet Printing.

 

Terminal Services

 

Terminal Services provide services that allow users to run Windows-based applications that are installed on a remote server. When users run an application on a terminal server, the execution and processing occur on the server, and only the data from the application is transmitted over the network. Includes these role services: Terminal Server, TS Licensing, TS Session Broker, TS Gateway, and TS Web Access.

 

Universal Description Discovery Integration (UDDI) Services

 

UDDI provides capabilities for sharing information about Web services both within an organization and between organizations. Includes these role services

 

Web Server (IIS)

 

Web Server (IIS) is used to host Web sites and Web-based applications. Web sites hosted on a Web server can have both static content and dynamic content. You can build Web applications hosted on a Web server using ASP.NET and .NET Framework 3.0. When you deploy a Web server, you can manage the server configuration using IIS 7.0 modules and administration tools.

 

Windows Deployment Services (WDS)

 

WDS provides services for deploying Windows computers in the enterprise. Includes these role services: Deployment Server and Transport Server.

 

Windows SharePoint Services

 

Windows SharePoint Services enable team collaboration by connecting people and information. A SharePoint server is essentially a Web server running a full installation of IIS and using managed applications that provide the necessary collaboration functionality.

 

Windows Server Update Services

 

Microsoft Windows Server Update Services (WSUS) allows you to distribute updates that are released through Microsoft Update to computers in your organization using centralized servers rather than individual updates.

 

 

Filed under Active Directory, Server, Server 2003, Server 2008, System Information Tagged with , , , ,

Using 32-bit and 64-bit versions of the MMC

August 9, 2011 Leave a Comment

The /32 and /64 parameters for the mmc command are meaningful only on 64-bit Windows versions. The 64-bit versions of the Windows operating system can run both 32-bit and 64-bit versions of the MMC. For 32-bit versions of the MMC, you use 32-bit snap-ins. For 64-bit versions of the MMC, you use 64-bit snap-ins. You can’t mix and match MMC and snap-in versions, though. The 32-bit version of the MMC can be used only to work with 32-bit snap-ins. Similarly, the 64-bit version of the MMC can be used only to work with 64-bit snap-ins. In most cases, if you aren’t sure which version to use, don’t use the /32 or /64 parameter. This lets the Windows operating system decide which version to use based on the snap-ins contained in the .msc file you are opening.

 

When a console contains both 32-bit and 64-bit snap-ins and you don’t specify the /32 or /64 parameter, Windows will open a subset of the configured snap-ins. If the console contains more 32-bit snap-ins, Windows will open the 32-bit snap-ins. If the console contains more 64-bit snap-ins, Windows will open the 64-bit snap-ins. If you explicitly use /32 or /64 with a console that contains both 32-bit and 64-bit snap-ins, Windows will open only the snap-ins for that bitness. On 64-bit systems, 32-bit versions of snap-ins are stored in the %SystemRoot%\SysVoL64 folder and 64-bit versions of snap-ins are stored in the %SystemRoot%\System32 folder. By examining the contents of these folders, you can determine when 32-bit and 64-bit versions of snap-ins are available.

Filed under Active Directory, Commands, Server, Server 2008, System Information Tagged with , , , , ,

Kerberos Troubleshooting Tools

August 1, 2011 1 Comment

Windows Server 2008 provides several tools that can be used when troubleshooting Kerberos Authentication

 

Klist.exe: Kerberos List: This tool is installed on Windows Server 2008 domain controllers and is available for download as part of the Windows Server 2003 Resource Kit tools.

 

Kerberos List is a command-line tool that is used to view and delete Kerberos tickets granted to the current logon session. To use Kerberos List to view tickets, you must run the tool on a computer that is a member of a Kerberos realm.

 

Kerbtray.exe: Kerberos Tray: Kerberos Tray is available for download as part of the Windows Server 2003 Resource Kit tools.

 

Kerberos Tray is a graphical user interface tool that displays ticket information for a computer running Microsoft’s implementation of the Kerberos version 5 authentication protocols. You can view and purge the ticket cache by using the Kerberos Tray tool icon located in the notification area of the desktop. By positioning the cursor over the icon, you can view the time left until the initial TGT expires. The icon also changes in the hour before the Local Security Authority (LSA) renews the ticket.

 

Tokensz.exe: Kerberos Token Size: Kerberos Token Size is available for download from the Microsoft download center.

 

You can use Kerberos Token Size to verify if the source of the Kerberos errors stems from a maximum token size issue. The tool will simulate an authentication request and report the size of the resulting Kerberos token. The tool will also report the maximum supported size for the token.

 

Setspn.exe: The Setspn utility is installed on Windows Server 2008 domain controllers and is included in the Windows Server 2003 Support Tools.

 

The Setspn utility allows you to read, modify, and delete the Service Principal Names (SPN) directory property for an Active Directory service account. Because SPNs are security-sensitive, you can only set SPNs for service accounts if you have domain administrator privileges.

 

Ksetup.exe: The Ksetup utility is installed on Windows Server 2008 domain controllers and is included in the Windows Server 2003 Support Tools.

 

The Ksetup utility configures a client connected to a server running Windows Server 2008 to use a server running Kerberos V5. The client then uses a Kerberos V5 realm instead of a Windows Server 2008 domain.

 

Ktpass.exe: The Ktpass utility is installed on Windows Server 2008 domain controllers and is included in the Windows Server 2003 Support Tools.

 

The Ktpass utility is used to configure a non–Windows Server Kerberos service as a security principal in the Windows Server 2008 AD DS.

 

W32tm.exe: Windows Time: This tool is included in Microsoft Windows server and client operating systems.

 

W32tm.exe is used to configure Windows Time service settings. It can also be used to diagnose problems with the time service.

Filed under Active Directory, Security, Server 2008, System Information Tagged with , , ,

Intrasite and Intersite Replication

August 1, 2011 2 Comments

The description of how AD DS replication works applies to both intrasite and intersite replication. In both cases, the domain controllers use the same processes to optimize the replication process. However, one of the main reasons to create additional sites in AD DS is to manage replication traffic. Because all of the domain controllers within a site are assumed to be connected with fast network connections, replication between these domain controllers is optimized for maximum speed and reduced latency. However, if the replication traffic has to cross a slow network link, conserving network bandwidth is a much more significant issue. Creating multiple sites allows for this conservation of network bandwidth by enabling features such as data compression and scheduled AD DS replication.

 

Intrasite Replication

 

The primary goal for replication within a site is to reduce replication latency, that is, to make sure that all domain controllers in a site are updated as quickly as possible. To accomplish this goal, intrasite replication traffic has the following characteristics:

 

  • The replication process is initiated by a notification from the sending domain controller. When a change is made to the database, the sending computer notifies a destination domain controller that changes are available. The changes are then pulled from the sending domain controller by the destination domain controller using a remote procedure call (RPC) connection. After this replication is complete, the domain controller notifies another destination domain controller, which then pulls the changes. This process continues until all the replication partners have been updated.
  • Replication occurs almost immediately after a change has been made to the AD DS information. By default, a domain controller will wait for 15 seconds after a change has been made and then begin replicating the changes to other domain controllers in the same site. The domain controller will complete replication with one partner, wait 3 seconds, and then initiate replication with another partner. The reason the domain controller waits 15 seconds after a change is to increase the efficiency of the replication in case additional changes are made to the partition information.
  • The replication traffic is not compressed. Because all the computers within a site are connected with fast network connections, the data is sent without compression. Compressing the replication data adds an additional load on the domain controller server. Uncompressed replication traffic preserves server performance at the expense of network utilization.
  • Replication traffic is sent to multiple replication partners during each replication cycle. Whenever a change is made to the directory, the domain controller will replicate the information to all direct replication partners, which might be all or some of the other domain controllers in the site.

 

Intersite Replication

 

The primary goal of replication between sites is to reduce the amount of bandwidth used for replication traffic. This means that intersite replication traffic has the following characteristics:

 

  • Replication is initiated according to a schedule rather than when changes are made. To manage replication between sites, you must configure a site link connecting the two sites. One of the configuration options on the site link is a schedule for when replication will occur. Another is the replication interval setting for how often replication will occur during the scheduled time. If the bandwidth between company locations is limited, the replication can be scheduled to happen during nonworking hours.
  • Replication traffic is compressed down to about 40 percent of the noncompressed size when replication traffic is more than 32 KB in size. To save bandwidth on the network connection, the bridgehead servers in each site compress the traffic at the expense of additional CPU usage.
  • Notifications are not used to alert a domain controller in another site that changes to the directory are available. Instead, the schedule determines when to replicate. Note You can disable compression for intersite replication and enable notifications.
  • Intersite replication connections can use either an Internet Protocol (IP) or a Simple Mail Transfer Protocol (SMTP) transport. SMTP can be used as a transport protocol only for the configuration, schema, and application directory partitions, not for the domain partition. The connection protocol you use is determined by the available bandwidth and the reliability of the network that connects company locations.
  • Replication traffic is sent through bridgehead servers rather than to multiple replication partners. When changes are made to the directory in one site, the changes are replicated to a single bridgehead server (per directory partition) in that site, and the changes are then replicated to a bridgehead server in the other site. The changes are replicated from the bridgehead server in the second site to all the domain controllers in that site.
  • You can easily modify the flow of replication between sites. Almost every component of intersite replication can be changed.

Filed under Active Directory, Server 2008, System Information Tagged with , , , ,

Encrypting File System in Server 2008

August 1, 2011 Leave a Comment

The Encrypting File System (EFS) is one feature made possible by reparse points in Windows Server 2008 that enhances security for local files on NTFS volumes. EFS is useful for securing files on any system, but it is most useful on systems that can easily be stolen or physically compromised, such as notebook and tablet PCs. EFS is integrated within NTFS and therefore is applicable only to files on NTFS volumes. FAT16 and FAT32 volumes do not support EFS. Only files can be encrypted; folders cannot, even on NTFS volumes. However, folders are marked to indicate that they contain encrypted data. EFS are designed to protect files locally, and therefore don’t support sharing of encrypted files. You can store your own encrypted files on a remote server and access those files yourself. The data is not encrypted during transmission across the network, however, unless you use Internet Protocol Security (IPsec) to encrypt IP traffic (assuming you are using TCP/IP as the network protocol for transferring the file).

Filed under Active Directory, Server 2008, System Information Tagged with , ,

Exchange Internet Protocol Access Components

July 19, 2011 Leave a Comment

Exchange Server 2003 comes with a set of four Internet protocol services. These let you extend the reach of Exchange users beyond Microsoft’s very good, but proprietary, electronic messaging protocol MAPI. The four services are Hypertext Transmission Protocol (HTTP), which supports Outlook Web Access (OWA); Post Office Protocol (POP3); Internet Message Access Protocol (IMAP4); and Network News Transfer Protocol (NNTP):

 

HTTP:  HTTP is the core protocol that supports web access. OWA uses the HTTP protocol to give users access to everything in their Exchange mailboxes, as well as items in public folders, using a web browser such as Microsoft Internet Explorer. On the server side, OWA is supported by Windows Server 2003s Internet Information Server.

 

POP3 Server:  Exchange Servers POP3 server gives users with standard POP3 e−mail clients, such as Eudora or Outlook Express, limited access to their Exchange mailboxes. Users can download mail from their Exchange Inboxes, but that’s all. Users have no direct access to other personal or public information stores or to their schedules. This is due to limitations in the POP3 protocol itself, not in Microsoft’s implementation of the protocol.

 

IMAP4 Server:  The Exchange IMAP4 server goes one better than POP3, adding access to folders in addition to the Exchange Inbox. With IMAP4, folders and their contents can remain on the Exchange server, be downloaded to the computer running your IMAP4 client, or both. You can keep Exchange Server based folders and their contents in sync with the folders on an IMAP4 client.

 

NNTP Server:  The NNTP server lets you bring all those exciting Usenet newsgroups into your Exchange servers public folders, where your users can read and respond to them with the same e− mail clients that they use to read other public folders.

Filed under Exchange Server, System Information Tagged with

Older posts

Follow

Get every new post delivered to your Inbox.

Join 56 other followers