Archive for March, 2010

As always, as new features come, old features go. There are inevitably a few that have

found themselves on the “deprecated list” this time around, and so will not be continued in

Exchange Server 2010 and beyond. Since this is a much shorter list than the “new features”,

Here they are:

• There are some major changes in Exchange Server clustering: in Exchange Server 2007

you had LCR (Local Continuous Replication), CCR (Cluster Continuous Replication) and

SCR (Standby Continuous Replication) – three diff erent versions of replication, all with

their own management interfaces. All three are no longer available in Exchange Server

2010.

• Windows Server Fail-over Clustering has been removed in Exchange Server 2010.

Although seriously improved in Windows Server 2008, a lot of Exchange Administrators

still found the fail-over clustering complex and diffi cult to manage. As a result, it was still

prone to error and a potential source of all kinds of problems.

Storage Groups are no longer available in Exchange Server 2010. The concepts of a database,

log fi les and a checkpoint fi le are still there, but now it is just called a database. It’s

like CCR in Exchange Server 2007, where you could only have one database per Storage

Group.

• Owing to major reengineering in the Exchange Server 2010 databases, the Single

Instance Storage (SIS) is no longer available. This means that when you send a 1 MB

message to 100 recipients, the database will potentially grow by 100 MB. This will surely

have an impact on the storage requirements in terms of space, but the performance

improvements on the Database are really great. I’ll get back on that later in this chapter.

Advertisements

Problem

You want to ensure that users can only authenticate to Active Directory using strong authentication protocols.

Solution

Using a graphical user interface
  1. Open the Group Policy Management Console snap-in.

  2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain you want to administer, and expand the Group Policy Objects container.

  3. Right-click on the GPO that controls the configuration of your domain controllers and select Edit. (By default, this is the Default Domain Controller Policy, but it may be a different GPO in your environment.) This will bring up the Group Policy Object Editor.

  4. Browse to Computer Configuration Windows Settings Security Settings Local Policies Security Options.

  5. Double-click on “Network security: LAN Manager Authentication Level.” Place a check mark next to “Define this policy setting.”

  6. Select “Send NTLMv2 responses only/refuse LM & NTLM.” Click OK.

  7. Wait for Group Policy to refresh, or type gpupdate /force from the command prompt of a Windows Server 2003 domain controller. On a Windows 2000 DC, use the secedit command with the /refreshpolicy switch.

Discussion

Microsoft operating systems have supported different flavors of LAN Manager (LM) and NT LAN Manager (NTLM) authentication since the earliest days of Windows. LM authentication is an extremely old and weak authentication protocol that should no longer be used in production environments unless absolutely necessary. By default, Windows 2000 Active Directory supported client authentication attempts using LM, NTLM, or NTLMv2; Windows Server 2003 supports only NTLM and NTLMv2 out of the box.

The strongest NTLM authentication scheme you can select is to refuse LM and NTLM authentication from any client, and to only respond to clients using NTLMv2. Depending on your client configuration, though, enabling this option may require changes on the client side as well. You can apply the same setting to a GPO linked to your Active Directory domain to ensure that all of your clients will use NTLMv2 instead of older, weaker protocols.


Problem

You want to enable or disable anonymous access to the information stored in the Active Directory database.

Solution

Using a graphical user interface

  1. Open the Active Directory Users and Computers (ADUC) snap-in.
  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select “Connect to Domain,” enter the domain name, and click OK.
  3. Navigate to the Builtin container. Double-click on the Pre-Windows 2000 Compatible Access group.
  4. Click the Members tab.
  5. Select the Everyone group and click the Remove button. Click Yes and then OK to confirm.
  6. Select the Anonymous Logon user and click the Remove button. Click Yes and then OK to confirm.
  7. If the Authenticated Users group is not present in the group membership list, click Add to include it and then click OK.

Using a command-line interface

You have three command-line choices to modify the Pre-Windows 2000 Access security group: net localgroup, DSMod, or AdMod. net localgroup takes the following syntax:

> net localgroup ”

Pre-Windows 2000 Compatible Access” Everyone /delete

> net localgroup “Pre-Windows 2000 Compatible Access” “Anonymous Logon” /delete

> net localgroup “Pre-Windows 2000 Compatible Access” “Authenticated Users” /add

To update the group membership using DSMod so that it only includes Authenticated Users, enter the following:

> dsmod group “cn=Pre-Windows 2000 Compatible Access,cn=Builtin,

<DomainDN>” -chmbr “cn=S-1-5-11,cn=ForeignSecurityPrincipals,<DomainDN>”

To use AdMod, use the following syntax:

> admod b “cn=Pre-Windows 2000 Compatible Access,cn=Builtin,

<DomainDN>” member::”cn=S-1-5-11,cn=ForeignSecurityPrincipals,<DomainDN>”

Discussion

Anonymous access to Active Directory is controlled by membership in the Pre-Windows 2000 Compatible Access security group, located in the cn=Builtin container. This group is named like that because some legacy applications and operating systems, most notably Windows NT 4.0 RAS servers, required anonymous access to the information stored in AD in order to function properly. The default membership of this group depends on whether you selected “Permissions compatible with pre-Windows 2000 operating systems” or “Permissions compatible with only Windows 2000 and Windows 2003” when you ran dcpromo. If you selected the former, the Everyone group and the Anonymous Logon SID were added to Pre-Windows 2000 Compatible Access; if the latter, only Authenticated Users was added.

In the DSMod, AdMod, and VBScript solutions, the Authenticated Users group was specified using an SID and it resides in the ForeignSecurityPrincipals container. This is because Well-Known SIDs such as Everyone (S-1-1-0) and Authenticated Users (S-1-5-11) are not maintained within Active Directory itself and are therefore stored in the FSP container.


Problem

You want domain controllers to reject LDAP queries from certain IP addresses. This can be useful if you want to prohibit domain controllers from responding to LDAP queries for certain applications or hosts.

Solution

Using a command-line interface

The following adds network 10.0.0.0 with mask 255.255.255.0 to the IP deny list:

> ntdsutil “ipdeny list” conn “co t s <DomainControllerName>” q

IP Deny List: Add 10.0.0.0 255.255.255.0

*[1] 10.0.0.0 GROUP MASK      255.255.255.0

NOTE: * | D – uncommitted addition | deletion

IP Deny List: Commit

[1] 10.10.10.0 GROUP MASK 255.255.255.0

NOTE: * | D – uncommitted addition | deletion

Discussion

The IP deny list is stored as an octet string in the lDAPIPDenyList attribute of a query policy.

When the IP deny list is set, domain controllers that are using the default query policy will not respond to LDAP queries from any IP address specified in the deny list address range. To test whether a certain IP address would be denied, run Test x.x.x.x (where x.x.x.x is an IP address) from the IP Deny List subcommand in ntdsutil.

By setting the IP deny list on the default query policy, you would effectively restrict the IP address range from querying any domain controller in the forest. If you need to restrict queries only for a specific domain controller, you’ll need to create a new LDAP query policy and apply it to only the domain controller in question.

Problem

You want to enable anonymous LDAP access for clients. In Windows 2000 Active Directory, anonymous queries were enabled by default, although they were restricted. With Windows Server 2003 Active Directory, anonymous queries are disabled by default except for querying the RootDSE.

Solution

Using a graphical user interface
  1. Open ADSI Edit.

  2. In the Configuration partition, browse to cn=Services cn=Windows NT cn=Directory Service.

  3. In the left pane, right-click on the Directory Service object and select Properties.

  4. Double-click on the dSHeuristics attribute.

  5. If the attribute is empty, set it with the value 0000002.

  6. If the attribute has an existing value, make sure the seventh digit is set to 2.

  7. Click OK twice.

Problem

You want to enable SSL/TLS access to your domain controllers so clients can encrypt LDAP traffic to the servers.

Solution

Using a graphical user interface
  1. Open the Control Panel on a domain controller.

  2. Open the “Add or Remove Programs” applet.

  3. Click on Add/Remove Windows Components.

  4. Check the box beside Certificate Services and click Yes to verify.

  5. Click Next.

  6. Select the type of authority you want the domain controller to be (select “Enterprise root CA” if you are unsure) and click Next.

  7. Type the common name for the CA, select a validity period, and click Next.

  8. Enter the location for certificate database and logs, and click Next.

  9. After the installation completes, click Finish.

  10. Now open the Domain Controller Security Policy GPO.

  11. Navigate to Computer Configuration Windows Settings Security Settings Public Key Policies.

  12. Right-click on Automatic Certificate Request Settings and select New Automatic Certificate Request.

  13. Click Next.

  14. Under Certificate Templates, click on Domain Controller and click Next.

  15. Click Finish.

  16. Right-click on Automatic Certificate Request Settings and select New Automatic Certificate Request.

  17. Click Next.

  18. Under Certificate Templates, click on Computer and click Next.

  19. Click Finish.

Problem

You want to create a quota that will apply to any new folders created on a file server.

Solution

Using a graphical user interface
  1. Open the File Server Management MMC snap-in. Navigate to File Server Management File Server Resource Manager Quota Management.

  2. Right-click on Quotas and select “Create quota.” Under “Quota path,” specify the directory that this quota should apply to or click Browse to navigate to it using Windows Explorer.

  3. Select the radio button next to “Auto apply template and create quotas on existing and new subfolders.”

  4. Create the remainder of the quota.

Using a command-line interface

The following command will create an auto-quota on the D:\ drive based on the “DefaultAutoQuota” template:

	> dirquota autoquota /path:d:\* /sourcetemplate:"DefaultAutoQuota"

Discussion

When you create a new disk quota, by default the quota will apply only to the individual folder that you specify. By using auto-templates, you can configure a quota that will automatically be applied to any subfolders that are created beneath the folder you named in the quota definition. This is a useful setting for many scenarios, such as specifying an auto-quota for a root folder that houses your users’ home folders or roaming profiles so that any new user will receive the auto-quota by default. Every time a new subfolder is created to which an auto-quota applies, a new quota entry will be automatically created that can be viewed within the File Resource Manager.

Problem

You want to create a disk quota on a file server.

Solution

Using a graphical user interface
  1. Open the File Server Management MMC snap-in. Navigate to File Server Management File Server Resource Manager Quota Management.

  2. Right-click on Quotas and select “Create quota.” Under “Quota path,” specify the directory that this quota should apply to or click Browse to navigate to it using Windows Explorer. Select the radio button next to “Create quota on path.”

  3. To base the quota on a quota template, select the “Derive properties from this quota template (recommended),” and select the template from the drop-down box. To manually specify a quota, select the “Define custom quota properties” radio button. Click on Custom Properties to define the properties for this quota; the process is similar to the steps used in defining a quota template.

  4. Click Create.

Using a command-line interface

The following command will create a 100 MB soft disk quota entry on the D:\ drive:

	> dirquota quota add /path:d:\* /limit:100mb /type:soft

Using VBScript
	'---------SCRIPT CONFIGURATION------------------------
	strComputer = "<ComputerName>"   ' Use "." for local computer
	strDomain = "<DomainDN>"         ' e.g. RALLENCORP
	strUser = "<UsersAMAccountName>" ' e.g. jsmith
	strDeviceID = "<DriveLetter>"    ' e.g. D:
	'-----------------------------------------------------

	Set objWMIService = GetObject("winmgmts:" _
	    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2"

	Set objAccount = objWMIService.Get _
	    ("Win32_Account.Domain=strDomain,Name=strUser")
	Set objDisk = objWMIService.Get _
	    ("Win32_LogicalDisk.DeviceID=strDeviceID")
	Set objQuota = objWMIService.Get _
	    ("Win32_DiskQuota").SpawnInstance_

	objQuota.QuotaVolume = objDisk.Path_.RelPath
	objQuota.User = objAccount.Path_.RelPath
	objQuota.Limit = 10485760
	objQuota.WarningLimit = 8388608
	objQuota.Put_

Discussion

Once you’ve created one or more quota templates, you can specify actual disk quotas that apply to folders that reside on a particular hard drive. It’s a good idea to create quotas based on templates rather than specifying them manually, since this will simplify the administration of your file server. (For example, if you need to change a quota template after it is initially created, you can specify that those template changes should be automatically propagated to any quotas that are based on that template.) Otherwise you can create a quota manually, specifying the same information as is required when creating a quota template.

Problem

You want to create and manage disk quota templates on a Windows file server.

Solution

Using a graphical user interface
  1. Open the File Server Management MMC snap-in. Navigate to File Server Management File Server Resource Manager Quota Management.

  2. Right-click on Quota Templates and select “Create quota template.”

  3. If you want to copy information from an existing template, select it in the “Copy properties from quota template (optional)” drop-down box and click Copy.

  4. Under Settings, enter a Template Name and optional Label.

  5. Under Space Limit, specify the disk space limit in KB, MB, GB, or TB. Select either “Hard quota: do not allow users to exceed limit” or “Soft quota: Allow users to exceed limit (used for monitoring).”

  6. In the Notification Threshold section, you can specify one or more actions that Windows will take when a user reaches a certain percentage of her quota limit.

  7. Click Add to create a new notification. Under “Generate notifications when usage reaches (%),” specify the percentage of the disk quota that should initiate the notification.

  8. To send an email notification, on the E-mail Message tab, place a checkmark next to “Send e-mail to the following administrators” and/or “Send e-mail to the user who exceeds the threshold.” On this tab you can also specify the subject and body of the email message to be sent to the user.

  9. To generate a message in the Event Log, go to the Event Log tab and place a checkmark next to “Send Warning to Event Log.” Under the Log Entry text box, specify the text of the message that should be logged.

  10. To run a command when a threshold is generated, go to the Command tab and place a checkmark next to “Run this command or script.” Under “Command settings,” specify any command-line arguments and the working directory. Under “Command security,” specify the account that the script should run as: Local Service, Network Service, or LocalSystem.

  11. To generate one or more reports when a threshold is generated, go to the Report tab and place a checkmark next to “Generate reports.” Select one or more of the following reports to be generated:

    • Duplicate files
    • File screening audit
    • Files by File Group
    • Files by Owner
    • Large Files
    • Least Recently Accessed Files
    • Most Recently Accessed Files
    • Quota Usage
  12. To email the reports, place a checkmark next to “Send reports to the following administrators” and specify one or more email addresses separated by semicolons, and/or place a checkmark next to “Send reports to the user who exceeded the threshold.”

  13. Once you’ve created one or more notification thresholds, click OK to create the quota template.

Discussion

While you can create disk quotas manually, disk quota templates allow you to create consistent quota settings for multiple quotas on a single server as well as on multiple servers. In addition to the space limitation that’s imposed by the quota, you can specify whether it is a hard or a soft quotathat is, whether a user is prohibited from saving files when they’ve gone over their quota (a hard quota), or just the OS makes note of the fact that a user has overrun his quota without preventing him from saving additional files. You can also specify what types of notifications (if any) will be generated when a user exceeds a defined quota threshold: sending an email to an administrator when a user exceeds 85 percent of her quota, generating an Event Viewer message when she exceeds 95 percent, etc. You can configure multiple notification thresholds for a single quota; no notifications are configured by default.

Problem

You want to install the File Server Resource Manager on a Windows Server 2003 R2 computer.

Solution

Using a graphical user interface
  1. Open the Configure Your Server wizard. Click Next to bypass the initial Welcome screen.

  2. On the Server role screen, select File Server and click Next. Click Next twice to begin.

  3. On the File Server environment screen, select one or more of the following optional components:

    Replicate data to and from this server

    Installs DFS Replication Service

    Manage a SAN (Storage Area Network)

    Installs Storage Manager for SANs

    Share files with UNIX systems

    Installs Microsoft Services for NFS

    Share files with Apple Macintosh computers

    Installs File Services for Macintosh

  4. Click Next to continue. Reboot the server if prompted to do so.

Discussion

Installing the File Server role on a Windows Server 2003 R2 computer enables a number of mandatory components, as well as provides the options to configure optional pieces to enable additional functionality. At a minimum, the File Server role will install Storage Reporting, Disk Quotas, File Screening, and the DFS Management MMC snap-in.