Active Directory is made up of components that constitute its logical and physical structure. To administer Active Directory, we must understand the purpose of these components

 

Logical Structure: The logical structure of Active Directory provides methods for organizing network resources such as computers, printers, users and groups. It is made up of objects, organizational units, domains, domain trees, and forests.

 

1. Objects

The object is the most basic component of the logical structure. Object classes are template for the types of objects that can be created in Active Directory. Each object class is defined by a group of attribute. Attributes define the possible values that can be associated with an object. Each object has a unique combination of attribute values.

 

2. Organizational units

Organizational units are container objects that are used to group other objects in a manner that supports your administrative purposes. By grouping objects by organizational unit in a logical fashion, it becomes easier to locate and administer objects. We can also delegate the authority to administer an organizational unit.  Organizational units can be nested in other organizational units. By nesting organizational units, we can further simplify the administration of objects.

 

3. Domains

Domains are the core functional units in the Active Directory logical structure. A domain is a collection of objects that share a common directory database, security policies, and security relationships with other domains.  Domains provide the following three functions:

  • • Serve as an administrative boundary for objects
  • • Help to manage security for shared resources
  • • Serve as a unit of replication for objects

 

4. Domain Trees

Domains can be grouped together in hierarchical structures that are called trees. When a second domain is added to a tree, it becomes a child of the tree root domain. The domain to which a child domain is attached is called the parent domain. A child domain may in turn have its own child domain.  The name of a child domain is combined with the name of its parent domain to form its own unique Domain Name System (DNS) name. In this manner, a tree has a contiguous namespace.

 

5. Forests

Forests are made up of one or more trees, although a single two-level tree is recommended for most organizations. A two-level tree is when all child domains are made children of the forest root domain to form one contiguous tree. The first domain in the forest is called the forest root domain, and the name of that domain is used to refer to the forest. A forest is a complete instance of Active Directory. By default, the information within Active Directory is shared only within the forest. In this way, the forest is a security boundary for the information contained in the instance of Active Directory.

 

Physical Structure: The physical structure of Active Directory models the physical structure of the network, and is made up of domain controllers and sites. The physical structure of Active Directory defines where and when replication and logon traffic occur, and is used to and manage network traffic. The physical structure enables you to optimize network traffic by determining when and where replication and logon traffic occur.  The elements of the Active Directory physical structure are:

 

1. Domain controllers Domain controller performs storage and replication functions. A domain controller can support only one domain. A domain can have one or more domain controllers.

 

2. Active Directory sites Created mainly to optimize replication traffic and to enable users to connect domain controllers by using reliable, high speed connection. A site is a group of well-connected computers. When sites are established, domain controllers within a single site communicate frequently. This communication minimizes the latency within the site. Latency is the time required for a change that is made on one domain controller to be replicated on other domain controllers. You create sites to optimize the use of bandwidth between separated domain controllers. There can be multiple domains in a single site and single site can have multiple sites.

 

Note: We use Logical structure to organize the network resources and Physical structure to manage the network traffic.

 

Advertisements

Active Directory enables a single sign-on, which makes the complex processes of authentication and authorization transparent to the user. A single sign-on is made up of authentication, which verifies the credentials of the connection attempt, and authorization, which verifies that the connection attempt is allowed. With a single sign-on, users do not have to manage multiple sets of credentials and can access the resources for which they are authorized without thinking about the processes that occur behind the scenes. However, as a systems engineer, we must understand how these processes work in order to troubleshoot the Active Directory structure.

 

The single sign-on process occurs as follows:

 

  1. The user enters credentials at a workstation to perform an interactive logon.
  2. The credentials are encrypted by the client and sent to a domain controller for the client’s domain.
  3. The encrypted credentials that are sent from the client are matched against the encrypted credentials on the domain controller. A Kerberos service, the Key Distribution Center (KDC), resides on each domain controller and stores the encrypted user credentials. If the credentials sent by the client match the credentials stored by the KDC, the process continues.
  4. The domain controller creates a list of the domain-based groups to which the user belongs.
  5. The domain controller queries the global catalog to identify the universal groups to which the user belongs. If the domain controller has Universal group membership caching enabled, the global catalog is not queried and the Universal group memberships are obtained from the cache on the domain controller.
  6. The KDC issues the client a ticket-granting ticket (TGT). The TGT contains the encrypted security identifiers (SIDs) for the groups of which the user is a member.
  7. The client requests access to a resource that resides on a specific server.
  8. The client uses the TGT to gain access to the ticket-granting service (TGS), on the domain controller.
  9. The TGS issues a service ticket, which is also called a session ticket, for the server where the resource resides to the client. The session ticket contains the SIDs for the user’s group memberships.
  10. The client presents the session ticket to the server where the resource resides. The Local Security Authority (LSA) on the server uses the information in the session ticket to create an access token.
  11. The LSA compares the SIDs in the access token with the groups that are assigned permissions in the resources discretionary access control list (DACL). If they match, the user is granted access to the resource.

 

Record type

Name

Description

A Address Record Maps a hostname to an IP address
PTR Pointer Record Maps an IP address to a hostname
CNAME Alias Record Maps an alias to a hostname
MX Mail Exchanger Record Specifies a mail route for a domain
NS Name Server Record Specifies name servers for a given domain
SOA Start of Authority Record Contains administrative data about a zone, including the primary name server
SRV Service Record Maps a particular service (e.g., LDAP) to one or more hostnames

One important resource record to note is the SRV record type. SRV records are used extensively by domain controllers and Active Directory clients to locate servers that have a particular service.

 

AGDLP briefly summarizes Microsoft’s recommendations for implementing role based access controls (RBAC) using nested groups in a native-mode Active Directory (AD) domain: User and computer accounts are members of global groups that represent business roles, which are members of domain local groups that describe resource permissions or user rights assignments. 

AGDLP, which stands for Accounts, Global groups, Domain Local groups and Permissions, refers to the practice you use to properly assign permissions to your network resources and utilize groups in such a way that managing those permissions and group memberships is simplified and configured to allow for multiple domain resource access.

AGDLP is applied when planning and implementing the construction of users and groups as well as the setting of NTFS permissions on the resources concerned.”

Using AGDLP allows admins to set up their Windows environments so they can greatly reduce problems related to user account management and permissions management headaches. Yet even those who have gone through MCSE training still fail to use this simple strategy when setting up their strategy for groups and permission assignments.

There have been many times I’ve had to correct my customers’ groups/permissions-related issues because they chose to only use individual accounts, or just Domain Local groups or just Global Groups, when assigning permissions to their resources. Then they add a new domain, create a new resource, add a new user or when someone leaves an organization and is replaced, it becomes a serious nightmare when trying to get the permissions setup properly after those changes have been made.

Using AGDLP gives you the following benefits:

  • You can assign local resource access to users in other domains
  • A user’s access to a resource can be removed, simply by removing their account from the appropriate group.
  • If you set up your permissions properly, when a new user is created, you only need to add them to the appropriate group and their permissions will setup little to no additional work.

Following an AGDLP strategy:

  1. A: Create a user Account(s)
  2. G: Create a global group and add the user account(s) you created in step as members
  3. DL: Create a Domain Local group in the domain that contains the resource you wish to give access to and then add the global group from step 2 as a member of this Domain Local group
  4. P: Assign permissions on the resource using the domain local group created in a step.

Note: Make sure to backup the information of the tasks scheduled.

Symptoms:

–          Error while trying to open the Configured Tasks.

–          Error while trying to access the properties of the tasks.

–          Status message of tasks as: “Could not Start”

–          This normally happens in Microsoft Windows 2003 / 2003 R2

Error

Could_not_start

 

Resolution:

–          Stop the “Task Scheduler “Service.

–          Delete all the files in this path: C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S- 1 – 5 – 18

–          Restart the Service and check if it works.

–          If not then restart the server.

–          The issue will be resolved.

The WordPress.com stats helper monkeys prepared a 2012 annual report for this blog.

Here’s an excerpt:

19,000 people fit into the new Barclays Center to see Jay-Z perform. This blog was viewed about 92,000 times in 2012. If it were a concert at the Barclays Center, it would take about 5 sold-out performances for that many people to see it.

Click here to see the complete report.

VMware Hypervisors

Posted: October 12, 2012 in ESX, VM, VMWare
Tags: , ,

In IT, a Hypervisor, also called virtual machine manager (VMM), is one of many hardware virtualization techniques allowing multiple operating systems, termed guests, to run concurrently on a host computer. It is so named because it is conceptually one level higher than a supervisory program. The Hypervisor presents to the guest operating systems a virtual operating platform and manages the execution of the guest operating systems. Multiple instances of a variety of operating systems may share the virtualized hardware resources. Hypervisors are very commonly installed on server hardware, with the function of running guest operating systems, that themselves act as servers.

The Core of the vSphere product suite is the Hypervisor.

Hypervisor is the virtualization layer that serves as the foundation for the rest of the product line of VMware.

In the latest version of vSphere (5), the hypervisor comes in the form of VMware ESXi.

Type 1 and Type 2 Hypervisor:

Hypervisors are generally grouped into two classes: type 1 hypervisors and type 2 hypervisors. Type 1 hypervisors run directly on the system hardware and thus are often referred to as bare-metal hypervisors. Type 2 hypervisors require a host operating system, and the host operating system provides I/O device support and memory management.

VMware ESXi is a type 1 bare-metal hypervisor. (In earlier versions of vSphere, VMware ESX was also considered a type 1 bare-metal hypervisor.) Other type 1 bare-metal hypervisors include Microsoft Hyper-V and products based on the open source Xen hypervisor like Citrix XenServer and Oracle VM.

 

In other words, Type 1 hypervisor runs directly on the hardware; a Type 2 hypervisor runs on operating system.

 

This is a significant difference from earlier versions of the VMware vSphere product suite. In earlier versions of VMware vSphere, the hypervisor was available in two forms: VMware ESX and VMware ESXi. Although both products shared the same core virtualization engine, supported the same set of virtualization features, leveraged the same licenses, and were both considered baremetal installations, there were still notable architectural differences. In VMware ESX, VMware used a Linux-derived Service Console to provide an interactive environment through which users could interact with the hypervisor. The Linux-based Service Console also included services found in traditional operating systems, such as a firewall, Simple Network Management Protocol (SNMP) agents, and a web server.

Open vSwitch Configuration

Posted: October 12, 2012 in ESX, VM, VMWare
Tags: ,

Hey All,

Found the below link while browsing through the web about Open vSwitch Configuration. It is really well written by Scott Lowe…

Have a look at the below link :

http://blog.scottlowe.org/2012/10/04/some-insight-into-open-vswitch-configuration/

Symptoms:

–          The Server service fails to start and the below events are recorded

Event ID: 7023

Source: Service Control manager

Type: Error

Description: The Server service terminated with the following error: More data is available.

–          Not Enough storage is available to process this command.

Event ID: 7001

Source: Service Control manager

Type: Error

Description: The Netlogon service depends on the server service which failed to start because of the following error: More data is available.

–          System Error 8 has occurred. Not enough storage is available to process this command.

–          If you try to start the Server Service manually, the following errors may occur: A System error has occurred: System Error 234 has occurred.

–          You will not be able to execute any command in the Server.

–          You get error message when you open the Network connections (ncpa.cpl)

Observations:

–          Other services may fail to start because these services are dependent on the Server Service.

–          The Server service queries the registry value above for its entries. The buffer for the amount of information that the Server service can accept when it queries is approximately 32 KB. If there are more than 32 KB in that entry, the Server service will fail to start and return the error “More data is available,” or “Not enough storage is available.”

–          It looks like certain software’s can also cause for this error, those maybe the Norton Antivirus, Acronis trueImage, Seagate DiscWizard, IBM antivirus, Microsoft Bitdefender, Symantec Endpoint Protection or AVG, Try Disabling them or uninstalling and check if the problem persists.

–          You can instantly rectify this error if you restart the server, but the error re-occurs in 2 to 3 days.

Resolution:

PLEASE BACKUP YOUR REGISTRY FIRST BEFORE YOU MAKE ANY CHANGES

This issue may be cause of two reasons, one is the NullSessionPipes and the other is IRPStackSize.

  1. NullSessionPipes

The Cause of these errors is due to too much data stored in the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes

The Server service queries the registry value above for its entries. The buffer for the amount of information that the Server service can accept when it queries is approximately 32 KB. If there are more than 32 KB in that entry, the Server service will fail to start and return the error “More data is available,” or “Not enough storage is available.”

The Solution is to remove any unnecessary entries from this value in the registry.

The Default information stored in this key is:

COMNAP

COMNODE

SQL\QUERY

SPOOLSS

LLSRPC

EPMAPPER

LOCATOR

  1. IRPStackSize

Go to the below Registry entry to edit the IRPStackSize

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

If you do not have the Registry entry then create one manually, but make sure the name should be correct as it is case sensitive.

To create the Registry entry follow the below steps:

–          Open REGEDIT

–          Proceed to the following location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

–          Click Edit, and point to New and then click DWORD Value

–          Type IRPStackSize , Click Edit and then modify the Value

–          The Value should be 0x00000050 in Hexadecimal or 80 in Decimal. This should resolve your issue, normally values are provided to 1 to 15 in decimal notation. Better if you provide higher value so that the problem doesn’t come back.

–          Restart the Server after the changes are done.