Chris Beams’s Blog

Active Directory and more….

Archive for May, 2009

AD Recovery – W2008 – Netbackup

Posted by chrisbeams on May 15, 2009

http://technet.microsoft.com/en-us/magazine/cc462796.aspx

So I have to admit I am a little behind in terms of W2k8 and AD. It looks like the whole recovery mechanism has changed. It looks interesting, and I will be giving the recovery a go over the weekend to see how it fits into the overall AD recovery picture. Does this mean we don't need third-party products?


Chris

Posted in Active Directory | Tagged: | Leave a Comment »

.NET and System.DirectoryServices.Protocols

Posted by chrisbeams on May 15, 2009

http://msdn.microsoft.com/en-us/library/bb332056.aspx

http://msdn.microsoft.com/en-us/library/bb267453.aspx

Something I need to progress is my .NET-related AD skills. I have done a considerable amount of ASP.NET, but none of it really related to Active Directory. Recently I have had a couple of requests to look at health checks around the directory and how they can be achieved globally. Looking at the tools available, none of them do everything you want, and some of them cost a considerable amount of cash. Perhaps writing something yourself is the only way to go?

Anyone got any hints or tips on what they are doing?

Chris

Posted in .Net | Tagged: | Leave a Comment »

TEC 2009

Posted by chrisbeams on May 15, 2009

Something I need to go to this year is the TEC 2009 three-day forum:

http://www.tec2009.com/

Getting to hear all the latest info from the gurus in the directory services area. A great list of speakers including a couple of MVPs. Just need to find the money 🙂

Cheers

Chris

Posted in Active Directory | Tagged: , | Leave a Comment »

Active Directory – Recovery

Posted by chrisbeams on May 12, 2009

I wonder how many people out there have a proven domain and/or forest recovery process. We can all follow the MS white paper, but it's a lengthy process. What happens if your company wants a 4-hour turnaround of a multi-domain, globally distributed forest? How likely is domain or forest failure anyhow? I think a schema change is a possibility, but a very remote one. I guess more likely is user error, deleting an OU perhaps.

So really we need object recovery, and potentially worst-case-scenario recovery for a corrupt schema.

I have used the Quest product and also normal ntbackup. The Quest product is very cool but also costs money, which in these times is tricky.

I am going to have a play in my VM lab at home and upload my results.

Cheers
Chris

Posted in Active Directory | Tagged: , | 3 Comments »

Group Policy – Preferences – Variables List

Posted by chrisbeams on May 11, 2009

Excellent post on the use of variables in Group Policy Preferences (GPP):

http://trycatch.be/blogs/roggenk/archive/2009/05/11/group-policy-preferences-tips-amp-tricks-1-variables-list.aspx

Cheers

Chris

Posted in Group Policy Preferences | Tagged: | Leave a Comment »

Group Policy – Windows 2008 Group Policy Spreadsheet

Posted by chrisbeams on May 10, 2009

Released a little while ago, the Windows 2008 Group Policy Spreadsheet contains all the information you require about all the Group Policy settings available under 2008:

http://www.microsoft.com/downloads/details.aspx?FamilyID=2043b94e-66cd-4b91-9e0f-68363245c495&displaylang=en

Posted in Group Policy, Windows 2008 | Tagged: , | Leave a Comment »

DNS – GlobalName Zone

Posted by chrisbeams on May 10, 2009

Spotted this after something similar was mentioned in a meeting. It looks like a good feature in Windows 2008 as we all desperately try to move away from WINS.

http://download.microsoft.com/download/e/2/0/e2090852-3b7f-40a3-9883-07a427af1560/DNS-GlobalNames-Zone-Deployment.doc

Extract:

This document can help you implement the Domain Name System (DNS) GlobalNames Zone feature on Microsoft® Windows Server™ 2008. The GlobalNames Zone is a new feature that provides single-label name resolution for large enterprise networks that do not deploy WINS and where using DNS name suffixes to provide single-label name resolution is not practical.

Posted in DNS | Tagged: , , | Leave a Comment »

Windows Server 2008 – Poster Guide

Posted by chrisbeams on May 10, 2009

Spotted these a while ago on the Microsoft web site: a pretty good poster guide to some of the improvements in AD 2008 and Server 2008:

http://www.microsoft.com/downloads/details.aspx?FamilyID=c2b9e44e-0bbd-47cb-bc09-b3d48be7f867&DisplayLang=en

Posted in Windows 2008 | Tagged: | Leave a Comment »

Group Policy – Find All OUs with Block Inheritance Enabled

Posted by chrisbeams on May 10, 2009

There is an attribute on every OU that has Group Policy linked to it called:

gPOptions

If this equals 0 then block inheritance is off.

If this equals 1 then block inheritance is on.

Posted in Group Policy | Tagged: | Leave a Comment »

Security Descriptor – String Format

Posted by chrisbeams on May 10, 2009

The four main components of a security descriptor in SDDL string form are the owner (O:), primary group (G:), DACL (D:) and SACL (S:):

O:owner_sid
G:group_sid
D:dacl_flags(string_ace1)(string_ace2)… (string_acen)
S:sacl_flags(string_ace1)(string_ace2)… (string_acen)

For example:

"O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)S:(AU;SAFA;WDWOSDWPCCDCSW;;;WD)"

Owner (AO) = Account Operators

Group (DA) = Domain Admins

DACL = everything in the brackets after D:

SACL = everything in the brackets after S:

So this gives you:

 Revision:  0x00000001
    Control:   0x0004
        SE_DACL_PRESENT
    Owner: (S-1-5-32-548)
    PrimaryGroup: (S-1-5-21-397955417-626881126-188441444-512)
DACL
    Revision: 0x02
    Size:     0x001c
    AceCount: 0x0001
    Ace[00]
        AceType:       0x00 (ACCESS_ALLOWED_ACE_TYPE)
        AceSize:       0x0014
        InheritFlags:  0x00
        Access Mask:   0x100e003f
                            READ_CONTROL
                            WRITE_DAC
                            WRITE_OWNER
                            GENERIC_ALL
                            Others(0x0000003f)
        Ace Sid      : (S-1-0-0)
SACL
Revision: 0x02
        Size:     0x001c
        AceCount: 0x0001
        Ace[00]
            AceType:       0x02 (SYSTEM_AUDIT_ACE_TYPE)
            AceSize:       0x0014
            InheritFlags:  0xc0
                SUCCESSFUL_ACCESS_ACE_FLAG
                FAILED_ACCESS_ACE_FLAG
            Access Mask:    0x000d002b
                                DELETE
                                WRITE_DAC
                                WRITE_OWNER
                                Others(0x0000002b)
            Ace Sid:       (S-1-1-0)
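An added example, not from the post, that parses the SDDL string above into the same owner, group, ACE flag and access-mask values the dump shows. The right, flag and SID-abbreviation tables are constructed here from the SDDL format; the domain SID used to expand DA is the one in the dump.

```python
import re
# SDDL right codes -> access-mask bits, ACE flag codes, and well-known SID
# abbreviations (DA/DU/EA are relative to the domain SID); constructed here.
RIGHTS = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
          "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
          "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100}
ACE_FLAGS = {"OI": 0x1, "CI": 0x2, "NP": 0x4, "IO": 0x8, "ID": 0x10, "SA": 0x40, "FA": 0x80}
SID_ALIASES = {"AO": "S-1-5-32-548", "BA": "S-1-5-32-544", "WD": "S-1-1-0", "SY": "S-1-5-18"}
DOMAIN_RELATIVE = {"DA": 512, "DU": 513, "EA": 519}

def decode_pairs(codes, table):
    """OR together the bits for a run of two-letter codes (or a 0x hex literal)."""
    if codes.startswith("0x"):
        return int(codes, 16)
    mask = 0
    for i in range(0, len(codes), 2):
        mask |= table[codes[i:i + 2]]  # unknown code -> KeyError, fail loudly
    return mask

def resolve_sid(token, domain_sid):
    if token.startswith("S-"):
        return token
    return SID_ALIASES.get(token) or f"{domain_sid}-{DOMAIN_RELATIVE[token]}"

def parse_ace(text, domain_sid):
    """Fields: ace_type;ace_flags;rights;object_guid;inherit_object_guid;sid."""
    ace_type, flags, rights, _obj, _inherit, sid = text.split(";")
    return {"type": ace_type, "flags": decode_pairs(flags, ACE_FLAGS),
            "mask": decode_pairs(rights, RIGHTS), "sid": resolve_sid(sid, domain_sid)}

def parse_acl(text, domain_sid):
    """'acl_flags(ace1)(ace2)...' -> ACL flags plus the parsed ACEs."""
    return {"flags": text.split("(", 1)[0],
            "aces": [parse_ace(a, domain_sid) for a in re.findall(r"\(([^()]*)\)", text)]}

def parse_sddl(sddl, domain_sid):
    parts = dict(re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl))
    return {"owner": resolve_sid(parts["O"], domain_sid),
            "group": resolve_sid(parts["G"], domain_sid),
            "dacl": parse_acl(parts.get("D", ""), domain_sid),
            "sacl": parse_acl(parts.get("S", ""), domain_sid)}

def mask_names(mask):
    return sorted(c for c, bit in RIGHTS.items() if mask & bit)

# The post's example string; the domain SID is the one shown in the post's dump.
EXAMPLE = "O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)S:(AU;SAFA;WDWOSDWPCCDCSW;;;WD)"
DOMAIN_SID = "S-1-5-21-397955417-626881126-188441444"
SD = parse_sddl(EXAMPLE, DOMAIN_SID)
```

SD holds the parsed descriptor: the DACL ACE mask comes out as 0x100e003f and the SACL ACE as 0x000d002b with flags 0xc0, matching the dump.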

Posted in Active Directory | Tagged: , | 1 Comment »