Archive for January, 2011


Active Directory is Microsoft’s implementation of a directory service. A directory service holds information about resources within the domain. Resources are stored as objects and include users, computers, groups, printers, and more.

In Windows Server 2008, five different server roles support Active Directory:


- Active Directory Domain Services
- Active Directory Certificate Services
- Active Directory Federation Services
- Active Directory Lightweight Directory Services
- Active Directory Rights Management Services


The primary role is Active Directory Domain Services; the other four roles extend its capabilities. The Active Directory database itself is stored only on servers holding the domain controller role.


A significant benefit of using Active Directory Domain Services is that it enables you as an administrator to manage desktops, network servers, and applications all from a centralized location.



A read-only domain controller (RODC) hosts a read-only copy of the Active Directory database. The name is slightly misleading, because changes can be made to its database; however, those changes can come only from other domain controllers, and the entire database isn’t replicated: only a few select objects are.


Usually, domain controllers are considered peers: with a few exceptions, they are all equal. Any object can be added or modified on any domain controller, such as adding a user or a user changing their password, and these changes are then replicated to the other domain controllers. With RODCs, however, changes to the domain controller can come only from other domain controllers, and they are severely restricted to only a few select objects.


The major security benefit of an RODC is that the credentials of all users and computers in Active Directory are not replicated to it. This significantly improves the security of domain controllers placed at remote locations.
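An administrator can check that claim against a live domain by auditing each RODC’s Password Replication Policy (PRP): which accounts it is allowed to cache, and which it has actually cached. This is an added PowerShell example, not code from the original post; it assumes the ActiveDirectory RSAT module is available and that the group names in $PrivilegedGroups match the domain’s own privileged groups.

```powershell
# Added example, not part of the original post. Audits which account
# credentials each RODC is allowed to cache, and which it has actually
# cached, so privileged accounts can be spotted. Assumes the ActiveDirectory
# RSAT module is installed and the caller can read domain controller objects.
Import-Module ActiveDirectory

# Groups whose members should never have secrets cached on an RODC.
# (Assumed list; adjust to the domain's own privileged groups.)
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

function Get-RodcCredentialExposure {
    [CmdletBinding()]
    param()

    # Resolve privileged membership once; -Recursive flattens nested groups.
    $privilegedSids = foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty SID
    }

    # Only read-only domain controllers carry a Password Replication Policy.
    foreach ($dc in Get-ADDomainController -Filter { IsReadOnly -eq $true }) {
        # Accounts the PRP permits this RODC to cache (policy, not necessarily cached yet).
        $allowed  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $dc.Name -Allowed
        # Accounts whose secrets are currently stored on this RODC.
        $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $dc.Name -RevealedAccounts

        foreach ($acct in $revealed) {
            [PSCustomObject]@{
                RODC       = $dc.HostName
                Account    = $acct.SamAccountName
                Class      = $acct.ObjectClass
                Allowed    = ($allowed.SID -contains $acct.SID)     # cached under an explicit allow?
                Privileged = ($privilegedSids -contains $acct.SID)  # needs immediate follow-up
            }
        }
    }
}

# Report every cached credential; privileged hits are the ones to act on
# (reset the password and remove the account from the RODC's allow list).
Get-RodcCredentialExposure |
    Sort-Object Privileged -Descending |
    Format-Table -AutoSize
```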


Network Access Protection (NAP) is an added feature that helps protect your network from remote access clients.

Within a local area network (LAN), you can control client computers to ensure they are safe and healthy. You can use Group Policy to ensure that each client is locked down from a security perspective and is receiving the required updates. Antivirus and antispyware software can be pushed out, regularly updated, and run on clients, and you can run scripts to ensure that all corporate policies remain in place.


However, you can’t control a client accessing your network from a hotel or some other place. It’s entirely possible for a virus-ridden computer to connect to your network and cause significant problems. The solution is NAP, a set of technologies that can be used to check the health of a client. If the client is healthy, it’s allowed access to the network. If it is unhealthy, it’s quarantined and allowed access only to remediation servers that can bring it into compliance with the requirements. Health policies are determined and set by the administrator.


For example, in the network you use Windows Software Update Services (WSUS) to approve and install updates on clients. Since a VPN client isn’t in the network, it might not have the required updates. The client would be quarantined, and a WSUS server could be used as a remediation server to push the updates to it. Once the updates are installed, the client could be rechecked, issued a health certificate, and then granted access to the network.


2010 in review

Posted: January 2, 2011 in Uncategorized

The stats helper monkeys at mulled over how this blog did in 2010, and here’s a high level summary of its overall blog health:

Healthy blog!

The Blog-Health-o-Meter™ reads Wow.

Crunchy numbers


A helper monkey made this abstract painting, inspired by your stats.

The average container ship can carry about 4,500 containers. This blog was viewed about 19,000 times in 2010. If each view were a shipping container, your blog would have filled about 4 fully loaded ships.


In 2010, there were 140 new posts, growing the total archive of this blog to 309 posts. There were 3 pictures uploaded, taking up a total of 258kb.

The busiest day of the year was January 8th with 1,136 views. The most popular post that day was Secure Your Vista In 10 Steps.

Where did they come from?

The top referring sites in 2010 were,,,, and

Some visitors came searching, mostly for different types of threats, asus k8n-vm drivers, con2prt windows 7, windows server 2003 active directory domain rename tools, and asus k8n-vm driver.

Attractions in 2010

These are the posts and pages that got the most views in 2010.


- Secure Your Vista In 10 Steps (November 2009)
- Using the Group Policy Editor to Customize the Start Menu and Taskbar (August 2009)
- Asus K8N VM Drivers [on request] (September 2009)
- Windows Server 2003 Active Directory Domain Rename Tool (January 2010)
- Enabling DNS Server Debug Logging (March 2010)