Blog Archives

Free Active Directory Reporting Tool

This should come in handy for lots of people. Need to get some reports out of your Active Directory? Then this tool can help: it's called SmartR from Imanami, and it's free. There are additional report packs you can buy, but I've found it comes with just about everything I would need. It has a good wizard interface and can generate nicely formatted reports in a flash. Output options are HTML, XLS and XML.

I needed to generate a report of all my AD users and find which groups they belonged to.  To be more specific, I was trying to get a list of all our Distribution lists and find out who was in each one.  I was able to accomplish both reports quickly and easily with this tool.
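The same two reports, as an added example written with the RSAT ActiveDirectory module rather than with SmartR (this is not the tool's code and is not from the original post): every distribution list with its fully expanded membership, and every user with the groups they belong to, written out as CSV, XML and HTML. It assumes RSAT is installed on the machine you run it from and that C:\Reports is writable; an ordinary domain user's read access is enough.

```powershell
# Added example, not the SmartR tool from the post: build the two reports the
# post describes (every distribution list with its members, and every user with
# the groups they belong to) using the RSAT ActiveDirectory module.
# Assumptions: RSAT is installed, you are a domain user (read access is enough),
# and C:\Reports is a writable folder.
Import-Module ActiveDirectory

$OutDir = 'C:\Reports'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Report 1: every distribution list and its members, expanding nested groups.
# Get-ADGroupMember -Recursive flattens nesting, but it fails on groups larger
# than the ADWS MaxGroupOrMemberEntries limit (5000 by default) and on some
# foreign security principals, so wrap it and record the failure in the report
# instead of silently producing a short list.
$dlRows = foreach ($dl in Get-ADGroup -Filter 'GroupCategory -eq "Distribution"' -Properties mail, description) {
    try {
        $members = @(Get-ADGroupMember -Identity $dl -Recursive -ErrorAction Stop)
        if ($members.Count -eq 0) {
            [pscustomobject]@{ List = $dl.Name; Mail = $dl.mail; Member = '(empty)'; Type = ''; Error = '' }
        }
        foreach ($m in $members) {
            [pscustomobject]@{ List = $dl.Name; Mail = $dl.mail; Member = $m.SamAccountName; Type = $m.objectClass; Error = '' }
        }
    } catch {
        [pscustomobject]@{ List = $dl.Name; Mail = $dl.mail; Member = ''; Type = ''; Error = $_.Exception.Message }
    }
}

# Report 2: every user and the groups they are a direct member of. memberOf holds
# distinguished names; keep just the CN (the regex tolerates escaped commas in a CN).
# memberOf does not include the primary group (Domain Users by default) or
# memberships inherited through nesting, so this is the direct-membership view.
$userRows = foreach ($u in Get-ADUser -Filter * -Properties memberOf, mail) {
    $groups = @($u.memberOf | ForEach-Object { $_ -replace '^CN=((?:\\,|[^,])+),.*$', '$1' } | Sort-Object)
    [pscustomobject]@{
        User    = $u.SamAccountName
        Mail    = $u.mail
        Enabled = $u.Enabled
        Groups  = ($groups -join '; ')
    }
}

# The three output formats the post mentions: XLS is replaced by CSV, which
# Excel opens directly; XML via Export-Clixml; HTML via ConvertTo-Html.
$dlRows   | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'DistributionLists.csv')
$userRows | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'UserGroups.csv')
$dlRows   | Export-Clixml -Path (Join-Path $OutDir 'DistributionLists.xml')
$dlRows   | ConvertTo-Html -Title 'Distribution Lists' -PreContent "<h1>Distribution lists as of $(Get-Date -Format s)</h1>" |
    Out-File (Join-Path $OutDir 'DistributionLists.html')

# Sanity check on the console: lists that are empty or could not be expanded.
$dlRows | Where-Object { $_.Member -eq '(empty)' -or $_.Error } | Format-Table -AutoSize
```

The same script is also a cheap audit: run the second report against privileged groups (Domain Admins, Account Operators, Exchange administrative groups) and diff it week to week, since group membership is where unwanted access usually accumulates.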


Question to answer:

Here is a question I have to answer and get more information on…

“Can you control RADIUS servers (standalone or proxy) through Active Directory Sites and Services?”

If so, I have to find out how and play around with it.

Computer System upgrades

This weekend I will be doing some computer system upgrades to my home computer systems. Not all of this will be accomplished this weekend, but the following is a list of items I plan to take care of starting today and finishing by mid week next week.

1. Install new memory into the main computer: 2GB of DDR2-800 (PC2-6400) high-performance RAM, replacing another set of high-performance RAM that never did work well with my motherboard and was only 1GB.

2. Install an upgraded CPU for the main computer: a new Intel Pentium D 3GHz dual-core processor, replacing the older 3.2GHz Pentium 4 HT processor. Slightly less MHz than the old processor, but it provides dual-core support and better performance for Vista when we do that upgrade.

3. Install a new processor for the multimedia computer: a new AMD Athlon 64 2.4GHz CPU to replace the AMD Sempron 1.8GHz (mobile) chip that is currently in the unit.

4. Install a new server computer. I will be adding a Dell Optiplex GX260 SFF desktop-class machine as a server to my home network. This will end up powering Active Directory, DNS, DHCP and some other services on my home network, replacing an older and very slow Compaq desktop that is on its last legs. It is a 2.4GHz P4, 512MB RAM, 20GB hard drive system; it's small, cool and quiet. Perfect for my “server closet”.

In addition, the following upgrades are planned for the coming months…

1. Upgrade existing home photo printer. Currently have HP PhotoSmart 7550. Will be selling this on ebay to purchase new photo printer.

2. Upgrade the existing LCD flat-panel monitor. I will be selling the existing unit to purchase a newer, better model, at least 19″.

When NT4 servers can't find the PDC and all else fails

Recently I ran into a major problem with my Active Directory and NT4 setup. I maintain a network made up of 2 NT4 BDCs and about 10 Active Directory domain controllers. The domain is in 2003 interim mode and we also run Exchange 5.5 on 4 other NT4 member servers. Last week we renamed a few domain controllers and assigned new IP addresses (on the 2003 side). As a precaution I kept the old IP address on one of the major domain controllers until I could get time to manually modify all the legacy servers' LMHOSTS files. We also shut down the domain controller that was used to get us to Active Directory; basically I took a Dell desktop that would run NT and made it a BDC, then promoted it to PDC, upgraded the OS to Server 2003 and installed Active Directory. Well, it's time to decommission that box and we shut it down last week as well. On Monday, I created a new user account and immediately got reports of strange problems: the user was getting prompted for logon credentials in Outlook and could not stay online.

I looked around and couldn't find anything wrong and wasn't too concerned at this point. Later I realized that my NT4 BDCs were not able to find a PDC any longer. I assumed it was because we had shut down the upgraded domain controller, so we powered it back on hoping it would help. This did not fix the problem, so I began working on the issue by online research and posting questions in newsgroups. Finally I found a guy on Experts Exchange that was very helpful and worked with me on EE for hours before we figured out the issue. By troubleshooting and much testing we found that NetBIOS lookups to the PDC emulator (running 2003) were failing. From 2003 we could map drives and browse to NT4 without a problem; only from NT4 to 2003 was there an issue. Lastly, we found that it's bad to have a multi-homed domain controller, especially the one we were using for the PDC emulator. I removed the second (old) IP address from the server and everything started to work just fine. I could get into User Manager in NT4 and updates started to be processed without a problem.

So it turns out the main cause of the issue was not the renames, or the IP change, or even shutting down an old DC. It was simply that we had more than one IP address on our PDC emulator server. Removing that fixed the issue. I think we can now power down the upgraded DC again and proceed further with the migration. Too bad it took so long to figure this out, but at least it is working normally now.
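As an added check (example script, not something from the original post): the condition described above, a multi-homed PDC emulator, can be found before it bites by listing every domain controller's registered A records and flagging the role holder. This assumes the RSAT ActiveDirectory and DnsClient modules and a domain-joined machine with current PowerShell to run it from; the NT4 side needs nothing. The optional nbtstat line checks the NetBIOS side of the same question, which is the lookup that was failing in the post.

```powershell
# Added example, not from the post: find domain controllers that register more
# than one A record, and call out the PDC emulator in particular.
# Assumptions: RSAT ActiveDirectory and DnsClient modules are available and this
# machine can reach the domain's DNS servers.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator          # FQDN of the role holder
Write-Host "Domain: $($domain.DNSRoot)   PDC emulator: $pdc"

$findings = foreach ($dc in Get-ADDomainController -Filter *) {
    # A records registered for the DC's host name. A multi-homed DC registers one
    # per interface unless dynamic registration is disabled on the extra NIC, and
    # a legacy client that picks the wrong one simply cannot reach the DC.
    $aRecords = @(Resolve-DnsName -Name $dc.HostName -Type A -DnsOnly -ErrorAction SilentlyContinue |
                  Where-Object { $_.QueryType -eq 'A' } |
                  Select-Object -ExpandProperty IPAddress)
    [pscustomobject]@{
        DC         = $dc.HostName
        Site       = $dc.Site
        IsPdc      = ($dc.HostName -ieq $pdc)
        Addresses  = ($aRecords -join ', ')
        MultiHomed = ($aRecords.Count -gt 1)
    }
}

$findings | Sort-Object IsPdc -Descending | Format-Table -AutoSize

# The condition that bit the author: more than one address on the PDC emulator.
$badPdc = @($findings | Where-Object { $_.IsPdc -and $_.MultiHomed })
foreach ($b in $badPdc) {
    Write-Warning "PDC emulator $($b.DC) is multi-homed ($($b.Addresses)); NetBIOS clients may resolve an unreachable address."
}

# Optional: confirm NetBIOS resolution of the role holder from this machine.
# nbtstat -a takes the NetBIOS name (first label, at most 15 characters); the
# PDC emulator should show the domain's <1B> entry in its name table.
$nbName = (($pdc -split '\.')[0])
if ($nbName.Length -gt 15) { $nbName = $nbName.Substring(0, 15) }
nbtstat -a $nbName | Select-String -Pattern '<1B>', 'Host not found'
```

If the role holder legitimately needs a second interface (backup network, iSCSI), the safer fix than removing the address is to untick "Register this connection's addresses in DNS" on that adapter and disable NetBIOS over TCP/IP on it, so only the client-facing address is ever published.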

Active Directory Troubles

UPDATE: 11-21-06

I was able to resolve my issues last night. The transition from a single DC to multiple DCs and back again went very smoothly. It also gave me a chance to redo the computer names a bit more geared towards Battlestar Galactica characters. Sisko has now been renamed to Adama, and is once again the only DC on my home network. I plan to take another server currently in pieces and put it back into use as a backup server; it will literally be my backup server. This machine will handle physical backups of the other servers and also be an additional DC for my AD network. I hope to have everything finished by the end of the long weekend!

TECH: Exchange Migration and permissions testing

Introduction

This posting reviews the approach taken in a test environment to simulate the migration of our existing NT4 domain to Server 2003 with Exchange 2003. All work was done offline on a private IP scheme on an isolated switch to prevent communication problems with the production network. Access was limited to a hardwired laptop and a test desktop. Testing was performed with a user/mailbox on Exchange 5.5 and another user/mailbox on Exchange 2003.

Migration Process

The following are the steps in order that were used to perform a test migration of the NT4 domain. Directory exports from Exchange 5.5 were used to re-create the Exchange 5.5 Directory in a test environment.

Server Setup

- An initial NT4 PDC for the domain was created under VMware and updated to SP6a. Names used were duplicates of the production network.
- Two additional NT4 BDCs were created: one to simulate a BDC, the other to perform the upgrade to Server 2003 and AD. Both were installed as BDCs and updated to SP6a.
- Three NT4 member servers were created for use with Exchange 5.5. All were installed as member servers and updated to SP6a. Each server was named the same as in production.
- Exchange 5.5 was installed on an NT4 member server, creating a duplicate of our existing Exchange 5.5 system. Org and site names were duplicated from production.
- Exports of the Exchange Directory were imported and were also used to create the NT4 user accounts/mailboxes used in production. This populated the NT4 user database with usernames and blank passwords. New mailboxes were created for users on their respective servers.
- A test workstation was set up on the test NT4 domain. An Outlook profile was created for the Exchange 5.5 user.
- Tests were performed to verify that DLs and inter-org mail flow were working.
- The last NT4 BDC that was created was promoted to PDC (automatically demoting the original PDC to a BDC).
- The OS on the new PDC was upgraded to Server 2003.
- The Active Directory Installation Wizard was run to upgrade our domain to AD.
- The AD wizard installed DNS locally on the PDC, but HOSTS files were still maintained on all NT4 servers, just as in production.
- A desktop was hardwired to the isolated switch and set up as an AD client using a user account in AD. This verified that AD had successfully upgraded our NT4 domain.
- A new server was installed, also under VMware, with the Server 2003 operating system. It was installed as a member server of the AD domain, for use with the migration to Exchange 2003. SP1 was installed on the server and all updates and patches were applied.
- A temporary OU was created in AD to house the objects from the ADC replication process.
- Exchange 2003 was installed on this new 2003 server, along with the ADC and SRS. This new Exchange 2003 server was joined to our existing Exchange 5.5 site.
- The ADC replicated all Exchange 5.5 objects such as DLs, custom recipients, etc., into AD. The DLs were replicated to AD as universal distribution groups.
- Testing was performed between Exchange 5.5 users and Exchange 2003 users to verify mail flow and DL functionality. All tests completed successfully. No loss of public folder permissions was observed, although error 9552 did appear in the Exchange 2003 server event log.

The above was a test of a migration approach for an NT4 domain to Active Directory in a mixed-mode domain. DLs are used in Exchange 5.5 public folders as security objects. Technically, when the ADC replicates the Exchange 5.5 DLs to AD as universal distribution groups, the first time a user accesses a public folder where a DL is used as a security object, that universal distribution group should automatically be converted to a universal security group. However, since our domain is in mixed mode, this conversion failed. The result should have been a loss of all permissions on the public folder in question, leaving only the owner with any permissions to the folder. What I found in this test is that everything still worked: users of both Exchange 5.5 and Exchange 2003 were able to use the public folders without a problem. I called Microsoft support on this issue and they were not able to explain why this worked, as they agreed with their KB articles that it should have caused permissions problems on all public folders using DLs in their client permissions.
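To make the mixed-mode condition above concrete, here is an added example (not from the post, and not the ADC's own logic) that reports the domain functional level, lists the universal distribution groups the ADC produces from DLs, and converts them to universal security groups only when the domain mode permits it. Windows 2000 mixed and Windows Server 2003 interim are the two levels that still admit NT4 BDCs, and neither allows universal security groups, which is why the automatic conversion cannot succeed there. It assumes the RSAT ActiveDirectory module and rights to modify the groups.

```powershell
# Added example, not from the post: check the condition behind the DL-to-security-
# group conversion discussed above. A universal distribution group that carries
# permissions must become a universal security group, and AD only allows universal
# security groups once no NT4 BDCs can exist in the domain, i.e. once the domain
# is out of Windows 2000 mixed / Windows Server 2003 interim mode.
# Assumptions: RSAT ActiveDirectory module; rights to modify the groups.
Import-Module ActiveDirectory

# Functional levels that still support NT4 BDCs and therefore forbid universal security groups.
$Nt4CompatibleModes = @('Windows2000MixedDomain', 'Windows2003InterimDomain')

function Get-DomainModeInfo {
    $d = Get-ADDomain
    [pscustomobject]@{
        Domain                        = $d.DNSRoot
        DomainMode                    = [string]$d.DomainMode
        AllowsUniversalSecurityGroups = ($Nt4CompatibleModes -notcontains [string]$d.DomainMode)
    }
}

# Mail-enabled universal distribution groups: what the ADC creates from Exchange 5.5
# DLs, and the objects that cannot hold permissions until they are converted.
function Get-UniversalDistributionGroups {
    Get-ADGroup -Filter 'GroupCategory -eq "Distribution" -and GroupScope -eq "Universal"' -Properties mail |
        Select-Object Name, mail, DistinguishedName
}

function Convert-ToSecurityGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)]$Group)
    process {
        $info = Get-DomainModeInfo
        if (-not $info.AllowsUniversalSecurityGroups) {
            Write-Warning "$($info.Domain) is in $($info.DomainMode); cannot make $($Group.Name) a universal security group."
            return
        }
        # -WhatIf on this function propagates to Set-ADGroup through $WhatIfPreference.
        Set-ADGroup -Identity $Group.DistinguishedName -GroupCategory Security
    }
}

Get-DomainModeInfo
Get-UniversalDistributionGroups | Format-Table -AutoSize
# Convert only after mail flow has been verified; preview first:
# Get-UniversalDistributionGroups | Convert-ToSecurityGroup -WhatIf
```

Converting a group's category is a permission-granting change, so treat the list from Get-UniversalDistributionGroups as a review item rather than something to convert wholesale: a DL that was never used in a public folder ACL does not need to become a security principal.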

Active Directory Project

Well, finally, after months of planning, I was able to upgrade my company's NT4 domain to Server 2003 with Active Directory. I'm going back to New York again (I was there last week as well) to start setting up Exchange 2003 to upgrade our existing Exchange 5.5 system. I'll also be installing new file servers and tape backup systems and re-organizing the server room in our New York office. And for this week, I get to fly first class!

Home Network – Part 3

Microsoft Active Directory:
My home network is built on Microsoft's Active Directory. I use Active Directory to organize my user accounts (all two of them), my computers and Group Policies. With Group Policies I can set common settings for all my workstations, servers, etc., so I don't have to hand-configure everything; it's all automatic. Group Policies are a great way to manage your network workstations or servers. There are other solutions here; some people like to run Linux at home, and I'll admit I do too from time to time. I love Linux, but there are still too many apps I use that require Windows. From time to time I demo some of the latest Linux distributions and try things out. I think it's great, and if I had a 4th computer to run it on, I'd probably run a Linux server or desktop as well. Some people like Novell, some people like Mac; it's up to you. This is just how I am doing things. I have Group Policies set mainly to add customization to my desktop: things like a browser title, automatic update settings, common software distribution, etc.

Domains, e-mail and more:
I guess I can't go much further without explaining how I also do my domain names and websites. I'll write more about this topic later on as a how-to and what you should know about getting your own domain and website. But for now, I'll keep it simple. I own several domain names which I use for various purposes. I have one domain that is for all my server equipment, like my hosting server that hosts my website and some other websites I host for people (for free, unfortunately). These servers are in a data center and I simply “rent” the server from them on a month-to-month basis because it's cheap and does what I want it to do. Plus they take care of maintenance and problems. Then I have a primary domain name I used to use for my hosting company's website. The backend server domain ends with a .net and the primary domain is a .com. These extensions can be anything you like, but I stuck with a traditional format. Then I have a third domain for my personal website, which is mainly for my family and my blog, etc. Here is where the bulk of my incoming and outgoing e-mail comes from; the other two domains are mainly for servers and a now-closed hosting company. I do have some other domains, but don't really use them yet. I'll be expanding that later on as well.

E-mail:
So now you know I have a shared hosting server which hosts my websites and most functions of my domain names. Now when it comes to e-mail, you'd naturally assume this server also handles mail for my domains, right? If you said yes, you'd be wrong. I'm using a service called Rollernet, which is a mail forwarding service. Since my ISP blocks incoming traffic on port 25, it was necessary to run SMTP on a non-standard port. However, this causes a problem: when someone on the internet sends me an e-mail, their mail server only delivers on port 25. So if I'm running SMTP on a non-standard port, how do I get my mail? Here is how. Rollernet's servers are listed as the MX records for my domains. This means that when you send me an e-mail, it's actually received on port 25 by Rollernet. They take the mail, queue it, scan it for viruses, spam, etc., and then forward it to my home mail server on a custom SMTP port. Of course I have this port set up in my cable modem and firewall to be forwarded to my mail server, which resides on my LAN. Now here is the complicated part. My home mail server receives mail on the custom SMTP port, where it is picked up by NoSpamToday, which is my SMTP-level spam filter. NoSpamToday (NST for short) filters for spam, viruses, etc., and basically makes sure that the message is valid before it allows it in to my mailbox. Now NST is not a mail server, it's just an SMTP server, so another component is needed here; that's where 602 Lan Suite (LS for short) comes in. NST receives a message for me on the custom SMTP port. Once it makes sure that the message is valid, it forwards that message to 602LS, which receives it on the standard SMTP port 25. 602LS performs a few checks of its own, like scanning it again for viruses and doing another spam check, and finally delivers it to my mailbox. 602LS also has a built-in webmail server, so I can check my webmail from anywhere in the world.
This is also where port forwarding comes in, as the ports for webmail need to be set up to route to my home mail server from the outside. Using my public DNS zone, I can add a record for webmail to my domain, so I can go to http://webmail.mydomain.com/mail and get to my web interface. This way I don't have to use DynDNS or any of those services, since the public IP on my cable modem rarely changes. Now if it were to change, I'd have to manually update that in my DNS zone. So watch out for that if you're using this scenario. I am aware of it and know what to do, so for me it's not a big deal, but if you're new to this, don't set this up and then wonder why it breaks 9 months later. Keep an eye on your public IP.

Let's now talk about outgoing mail. I don't know if you're like me, but I find myself in situations at work and abroad where my company network or hotel network restricts SMTP to their own servers and won't let you send mail using your own SMTP configuration. For example, at work I run a simple server monitor that sends alerts, but my company has a firewall in place that limits outgoing SMTP traffic on port 25. Now I bet you're wondering where the SMTP component from IIS in my previous post comes into the picture. Here it is. I am running IIS on my mail server, but only the SMTP component. I set up Microsoft's SMTP service to listen on a custom port (different from my incoming SMTP port for normal e-mail from Rollernet). This way, I can set up my monitoring server to use my custom SMTP server at home to send the alerts. So in my situation, when my monitor program detects a problem with a server in my office, it sends an alert to my home mail server on the custom SMTP port. My SMTP server then relays that message to my shared hosting server, which sends it to the desired recipient on the standard SMTP port. This way, I can use SMTP wherever I am, still get my messages or alerts sent and accomplish my tasks. This custom SMTP service is protected by a username and password, and unauthenticated relaying through it is denied. Relaying on NST is also forbidden. OK, so how about my home PC? Simple: we use Outlook on our home PC, so Outlook is set up to send/receive mail from 602LS through POP3 and standard SMTP. We send a message from Outlook, it is received by my home mail server on port 25, which then forwards that mail to my shared hosting server. Some ISPs also restrict outgoing SMTP traffic, so here you may need to set up a custom port on your public SMTP server and configure your mail server to send all outgoing mail over a “smart host” or custom SMTP configuration. My shared hosting server then delivers the mail over standard SMTP to the recipient's mail server.
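Two checks on the mail path described above, added here as an example and not part of the original post: confirm that the domain's MX records point at the forwarding service rather than at the home connection, and confirm that the custom-port SMTP listeners actually refuse to relay for outside senders, which is the property the whole setup relies on once those ports are reachable from the internet. Host names, ports and addresses are placeholders and are passed in as parameters.

```powershell
# Added example, not from the post. (1) Get-MxHosts: where inbound mail for a
# domain is actually delivered. (2) Test-SmtpRelay: open a raw SMTP session to a
# listener and attempt an outside-to-outside relay; a correctly configured
# service rejects it at RCPT TO with a 5xx reply. No mail is ever sent: the
# session stops after RCPT TO and QUITs without DATA.
# All host names, ports and addresses below are placeholders.

function Get-MxHosts {
    param([Parameter(Mandatory)][string]$Domain)
    Resolve-DnsName -Name $Domain -Type MX -DnsOnly -ErrorAction Stop |
        Where-Object { $_.QueryType -eq 'MX' } |
        Sort-Object Preference |
        Select-Object Preference, NameExchange
}

function Test-SmtpRelay {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 25,
        [string]$From = 'probe@example.org',     # neither address is local to $Server,
        [string]$To   = 'victim@example.net',    # so accepting the RCPT means open relay
        [int]$TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

    # Read one SMTP reply, swallowing multi-line continuations ("250-..." continues, "250 " ends).
    function Read-Reply {
        do { $line = $reader.ReadLine() } while ($line -and $line.Length -ge 4 -and $line[3] -eq '-')
        return $line
    }
    function Send-Cmd([string]$cmd) { $writer.WriteLine($cmd); return (Read-Reply) }

    $transcript = [ordered]@{}
    $transcript['banner'] = Read-Reply
    $transcript['EHLO']   = Send-Cmd 'EHLO probe.example.org'
    $transcript['MAIL']   = Send-Cmd "MAIL FROM:<$From>"
    $transcript['RCPT']   = Send-Cmd "RCPT TO:<$To>"
    [void](Send-Cmd 'QUIT')
    $client.Close()

    # Relay is open if the server accepted (2xx) a recipient it is not responsible for.
    $rcptCode = if ($transcript['RCPT'] -match '^(\d{3})') { [int]$Matches[1] } else { 0 }
    [pscustomobject]@{
        Server    = "${Server}:$Port"
        Banner    = $transcript['banner']
        RcptReply = $transcript['RCPT']
        OpenRelay = ($rcptCode -ge 200 -and $rcptCode -lt 300)
    }
}

# Usage (placeholders): the MX list should name the forwarding service only, and
# both custom-port listeners should come back with OpenRelay = False.
Get-MxHosts -Domain 'mydomain.com'
Test-SmtpRelay -Server 'home.mydomain.com' -Port 2525    # inbound listener fed by the forwarder
Test-SmtpRelay -Server 'home.mydomain.com' -Port 2526    # outbound (IIS SMTP) listener used by the monitor
```

Run the relay test from outside your own network (a shell on the hosted server, for instance); some filters exempt local or RFC 1918 source addresses, so a test from the LAN can pass while the internet-facing behaviour is wide open. A listener that answers 2xx to the RCPT line is the one thing in this design that would get the home IP blacklisted within days.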

So in summary, yes, this is a complicated setup, and no, it may not be for everyone. But I will say this: there is a degree of pride that goes into setting something like this up. Now I'm a Microsoft engineer, so I've been doing networking for a long time. No, this is not the way to go about setting up a business or large company. Obviously I'd recommend using Exchange or more powerful mail servers and better ISP connections. But if you're a techie and want to set up a really cool home network, this guide might just help point you in the right direction.

Other Services:
Let's talk remote access. So how do I manage this home network when I'm not home? Easy: RDP. There are lots of people around that don't like RDP; it's not very secure, and has its issues like any other software or technology. For me, however, it's perfect. I simply forward port 3389 from my cable modem to my firewall and from my firewall to my PC, and I can remotely manage any machine on my home network. Now I took it a step further and actually set up a custom RDP port on my other machines, like my servers and second desktop. This has the advantage of being able to RDP directly into any individual machine on my home network without first having to remote into my home PC and then into another machine. In conjunction with DNS for easy naming, it's a snap. All you need to remember is the custom port number for each machine. I only have a few so it's no big deal; if you have many machines I'd recommend finding a better way, such as a VPN. Through RDP I can remote control and virtually manage any server or desktop on my home network.
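Since a forwarded RDP port is reachable by anyone on the internet, and a non-standard port only keeps casual scanners away, the checks a practitioner would want on each exposed machine are whether Network Level Authentication is required (so a client must authenticate before it ever sees the logon screen), whether legacy RDP encryption is still allowed instead of TLS, whether account lockout limits password guessing, and who is actually in Remote Desktop Users. The following is an added example, not from the post; it assumes it is run elevated on the target machine, and the ActiveDirectory module is only needed for the lockout-policy lookup.

```powershell
# Added example, not from the post: audit, and optionally harden, the RDP listener
# on a machine that is port-forwarded from the internet. Moving the port does not
# change anything below; NLA, TLS and lockout are what limit brute force.
# Assumptions: run elevated on the target machine; ActiveDirectory module present
# only if you want the domain lockout policy (otherwise that field is null).

function Get-RdpExposure {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Join-Path $ts 'WinStations\RDP-Tcp'
    $p   = Get-ItemProperty -Path $tcp
    $enabled  = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0
    $lockout  = try { (Get-ADDefaultDomainPasswordPolicy -ErrorAction Stop).LockoutThreshold } catch { $null }
    $rdpUsers = try { @((Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction Stop).Name) } catch { @() }
    [pscustomobject]@{
        RdpEnabled         = $enabled
        ListenPort         = $p.PortNumber
        NlaRequired        = ($p.UserAuthentication -eq 1)   # 0 = anyone can reach the logon screen
        SecurityLayer      = $p.SecurityLayer                # 2 = TLS required; 0 = legacy RDP encryption allowed
        LockoutThreshold   = $lockout                        # 0 or null = unlimited password guesses
        RemoteDesktopUsers = ($rdpUsers -join '; ')
    }
}

function Set-RdpHardening {
    param([int]$Port)    # optional: also move the listener, as the post does for the extra machines
    $tcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    Set-ItemProperty -Path $tcp -Name UserAuthentication -Value 1   # require NLA
    Set-ItemProperty -Path $tcp -Name SecurityLayer      -Value 2   # require TLS
    if ($Port) {
        Set-ItemProperty -Path $tcp -Name PortNumber -Value $Port
        # The built-in Remote Desktop firewall rule is tied to 3389, so open the new port explicitly.
        New-NetFirewallRule -DisplayName "RDP custom $Port" -Direction Inbound -Protocol TCP `
            -LocalPort $Port -Action Allow | Out-Null
    }
    # Listener settings apply on service restart; this disconnects active RDP sessions.
    Restart-Service TermService -Force
}

Get-RdpExposure | Format-List
# Set-RdpHardening            # keep the current port, require NLA and TLS
# Set-RdpHardening -Port 3390 # same, and move the listener
```

If the firewall in front of the LAN can filter by source address, restricting the forwarded port to the handful of networks you actually connect from removes most of the exposure at no cost; failing that, the VPN the post mentions for larger setups is the right answer even for a few machines.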

Web management: I also use a program called Remotely Anywhere (www.remotelyanywhere.com). It's a great application that runs as a service on Windows. With it, you can remote control, transfer files and manage all aspects of the machine right from a web browser. It's very robust and powerful, with tons of additional features too numerous to mention. It's one of the best web-based remote control/management solutions I know of. This can also be set up on a custom port, so it will need port forwarding configured for it as well.

FTP: I used to have a NAS server with FTP set up so I could FTP directly to my RAID5 storage device. Now that it's gone, I don't really use FTP anymore, so I removed it. I use an FTP site on my shared hosting server temporarily if I ever need to send anything through FTP. I can grab it from home later.

Internet Access: Because my cable modem and firewall do NAT, it's very easy to provide internet access to my workstations and servers on my home network. The firewall is the gateway on my network, and Microsoft's DNS handles all DNS-related operations on my network. My DNS server is configured to forward all requests for external host names to my ISP's DNS server. It then caches the results and can reply much faster to any later requests my workstations or servers make. Internet access is basically a simple NAT solution provided by my firewall and cable modem.

Points of Failure:
With a system like this there are other considerations that need to be taken into account. Among them are power, redundancy, damage, replacement, etc. For example, what happens if my power goes out? Well, for me, I have my critical equipment on a UPS. Since this is a home network and not a critical system, the UPS will keep my servers and internet connection up and running for 5 minutes. This should be sufficient as long as the power isn't out for long, which it usually isn't. What if my firewall or cable modem goes bad? Well, then I have a problem, as with my ISP I have to have them come and activate a new cable modem. So I'd first have to buy a replacement and then have them install it. This can usually be done by the next day. So what if my mail server or other network equipment is damaged? Well, for mail, if my home mail server becomes unavailable, mail will queue at Rollernet, so I won't lose any e-mail. I can even redirect that mail to my shared hosting server if I want to, so I could get to it. If some of my network gear fails, it will obviously need to be replaced. I'd try to replace it with exactly the same model so that if it had a configuration with it, I could easily restore a backup config file to immediately get my network back up and running.

Security: What about security, how secure is this setup? Very secure, even considering I have ports forwarded into my LAN from the outside. This often makes security experts very nervous, and for good reason, but again, this is not the NSA; I don't have anything on my home network worth anything to anyone but me. That is not an excuse for having bad security. First, I have a double NAT solution, so even if someone could hack in past my cable modem, they couldn't get further than my firewall. If they could get past my firewall by some miracle, they would still need valid domain credentials to access anything, since authentication between workstations and servers goes through Kerberos (Kerberos authenticates those sessions; it does not by itself encrypt all the traffic between them). The worst they could do is map out my network and find my IP addresses. DoS attacks are also a possibility, but there isn't much that can be done about that anyway. Again, I'm not saying good security isn't important, and the measures I've taken are sufficient for my needs. Please don't think I'm advocating bad security measures.

Thanks for taking the time to read this post; I know it was long. Keep an eye out for more tech posts in the near future. I'll also post some images giving you a visual of how all this works. Here is a simple visual aid of what I'm talking about above.

Home Network – Part 2

Server Hardware:
Older model Compaq IPAQ desktops (small form factor, single drive,

Server Software:
Microsoft Windows Server 2003 Standard Edition (NOT FREE)
NoSpamToday – http://www.nospamtoday.com (FREE for 10 email addresses)
Microsoft IIS (only the SMTP component) (FREE if you own OS)
602 Lan Suite – http://www.602software.com (Free for 5 mailboxes)
AVG antivirus (for scanning incoming e-mail and server drives) – http://www.grisoft.com (Free)
Remotely Anywhere (not free)

Network configuration:
Single 2003 Active Directory domain
Using Microsoft DHCP and DNS

Desktop:
Custom built home computer, 3.2GHz CPU, 1GB of OCZ Platinum DDR-800 RAM, approximately 800GB of onboard storage (sata 150) running Windows XP professional with SP2 as a domain member.

Previous items:
I used to have a Dell PowerVault 705N NAS server. It had 300GB of RAID5 storage but I very recently sold it on eBay.

Network (IP) Services used:
SMTP
DHCP
DNS
POP3
RDP (3389) (remote desktop)
Remotely Anywhere (custom)
FTP

Ok, this is the nuts and bolts which make up the core of my home network. In the next post, I’ll discuss how it all works, and ties together.


Company Migration Project

Requirements:

1. Little to no end user interruption
2. No loss of email connectivity
3. All work must be done by internal IT staff
4. No third party tools can be used

Existing Network:

1 NT4 PDC in NYK and 1 NT4 BDC in Switzerland. Two Exchange 5.5 servers in NYK, one in Switzerland and one in Hong Kong. There are also various software packages that sit on top of the Exchange infrastructure that must remain intact, such as RightFax (email faxing), Goodlink (mobile email) etc. Exchange is installed on member servers, none of the Exchange servers are installed on a PDC/BDC.

Desired result:

2003 Active Directory Domain with Exchange 2003 Enterprise Edition. Exchange servers will be in two-server clusters. 4 hub offices will house the Exchange clusters.

Migration Path:

In order to accomplish the above design goals and satisfy all the requirements, taking into account the existing network infrastructure, the following design should prove to be successful.

First, we will install a new server into our existing NT4 domain and make it a BDC for the domain. We will then promote the new BDC to PDC and allow time for replication. Once replication is complete, we will take the old PDC offline (by unplugging its network connection or shutting it down). We will then upgrade the new NT4 PDC to Server 2003 and run DCPROMO to install Active Directory. This process should preserve all existing user accounts, machine accounts, groups, permissions, etc. So far we satisfy all requirements.

Next, we upgrade or replace all existing NT4 BDCs. Once all NT4 domain controllers are removed, we can raise our new Active Directory domain to Windows Server 2003 native mode, as no more NT4 servers will be participating as domain controllers.

NOTE: During this time, all existing Exchange 5.5 servers will be maintained as NT4 member servers of the 2003 domain. Exchange 5.5 will continue to handle mail for us until the upgrade to Exchange 2003.

Exchange 2003 Migration:

For this part, we will install our first Exchange 2003 server (on a 2003 Enterprise Edition server installed as a member server) into our existing Exchange 5.5 site. To the exchange site, we are just adding a new server. The Exchange deployment tools will walk us through installing the Active Directory Connector and all necessary connection agreements. The SRS will also be installed. One Exchange 2003 server per hub office will be installed initially. Once we verify that the ADC is working properly and the “Move mailbox” wizard is available, all Exchange 5.5 user mailboxes will be moved to an Exchange 2003 server. Once all Exchange 5.5 mailboxes, public folders, distribution lists, custom forms, etc, are replicated over to the new Exchange 2003 servers, the existing Exchange 5.5 servers will be shut down to verify connectivity and that no “behind the scenes” issues exist. Once our Exchange organization has been verified to be functioning correctly with no further references to the Exchange 5.5 servers, we can then begin to de-commission them. This will be done by removing all references to Exchange 5.5 as replication partners on all public folders, and other exchange resources. Then the servers can be deleted from the Exchange 5.5 server administrator.

During this migration process, the only end user interruption noticed will be during the move mailbox process, as users will be logged out of their exchange mailboxes during a mailbox move. Mail flow is not affected since we installed Exchange 2003 into our existing Exchange 5.5 site, so the routing group is the same. The only remaining task to complete is something I left out above. Before Exchange 5.5 can be shut down or de-commissioned, the SMTP connector will need to be moved from one of the Exchange 5.5 servers to one of the Exchange 2003 servers. Once this is complete, and mail flow has been verified, then the Exchange 5.5 servers can be removed.

The end result is a quick, efficient migration/upgrade to Server 2003 and Exchange 2003. A final note here is on clustering. The reason we did not use our clusters to install the first Exchange 2003 server is that certain components of Exchange, such as the SRS and ADC, will not function on a cluster. This is why we will be using a standalone server in all hub offices for the initial move to Exchange 2003. Once we have Exchange 2003 up and running globally, we can then introduce our Exchange 2003 clusters and move mailboxes once more, to the clusters. Once finished, the SMTP bridgehead can be moved to the appropriate cluster and the initial Exchange 2003 standalone servers can be removed.

The initial plan was to do a parallel migration, basically creating a whole new system in parallel to our existing system. This plan has many problems and would not have worked for us. End users would have received all new machine profiles, outlook profiles would have been lost, etc. This would have created too much work for our internal IT staff and caused too much interruption to end user connectivity. Not to mention mail flow and interoperability with Exchange 5.5 and Exchange 2003 is much more complicated when installed in separate Exchange Organizations. Third party tools would almost certainly be needed to maintain the level of co-existence we would have needed.