Archive for the ‘Active Directory’ Category

Active Directory

1) Review User Accounts and remove retired accounts.

2) Run Microsoft’s Domain Controller Diagnostics – from a command prompt on a domain controller, run dcdiag.exe. If the command is unrecognized, install the Windows Support Tools.

3) Verify that approved password policy is being enforced.

4) Review the domain controller disk space reports.

5) Check your backups – AD backup includes capturing system state, information related to AD database, logs, registry, boot files, SYSVOL and other system files.

6) Check to make sure that AD replication is working correctly. To check, you can run the following command:
repadmin /showrepl

7) Check event logs for persistent errors.

8) Perform offline defragmentation to improve performance; directories that have been running for a long time can grow large and fragmented.

9) Verify the integrity of the AD DS database files, and their consistency with AD semantics, using NTDSUTIL.
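The following script is an added example, not part of the original post, showing how several of the checklist items above (stale accounts, password policy, dcdiag, replication, disk space and event log review) can be collected into one report. It assumes an elevated domain-admin session with the ActiveDirectory module (RSAT) and dcdiag.exe/repadmin.exe available; the 90-day staleness threshold and the 30-day event window are assumed values.

```powershell
# Added example (not from the original post): runs checklist items 1, 2, 3, 4, 6 and 7 as a
# report. Assumes the ActiveDirectory module, dcdiag.exe and repadmin.exe are available.
# $staleDays and the 30-day event window are assumed values; adjust to your policy.
Import-Module ActiveDirectory

$staleDays = 90
$cutoff    = (Get-Date).AddDays(-$staleDays)
$reportDir = Join-Path $env:TEMP 'ad-monthly-check'
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null

# 1) Retired accounts: enabled users with no logon in $staleDays days. Report only; review before disabling.
Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate |
    Where-Object { $_.LastLogonDate -lt $cutoff } |
    Select-Object SamAccountName, LastLogonDate |
    Export-Csv (Join-Path $reportDir 'stale-users.csv') -NoTypeInformation

# 3) The password policy actually in force for the domain.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                  ComplexityEnabled, LockoutThreshold | Format-List

foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName

    # 2) dcdiag: /q prints only errors, so an empty file means every test passed.
    dcdiag.exe "/s:$name" /q | Out-File (Join-Path $reportDir "dcdiag-$name.txt")

    # 6) Replication: keep the full output, and flag any partner with a non-zero failure count.
    repadmin.exe /showrepl $name | Out-File (Join-Path $reportDir "repl-$name.txt")
    $failed = repadmin.exe /showrepl $name /csv | ConvertFrom-Csv |
              Where-Object { [int]$_.'Number of Failures' -gt 0 }
    if ($failed) {
        Write-Warning "Replication failures reported on $name"
        $failed | Format-Table 'Source DSA', 'Naming Context', 'Number of Failures', 'Last Failure Status' -AutoSize
    }

    # 4) Free space on the DC's fixed disks (the NTDS database and logs live on one of them).
    Get-CimInstance Win32_LogicalDisk -ComputerName $name -Filter 'DriveType=3' |
        Select-Object @{n='DC';e={$name}}, DeviceID,
                      @{n='FreeGB';e={[math]::Round($_.FreeSpace / 1GB, 1)}} |
        Format-Table -AutoSize

    # 7) Persistent errors: Directory Service log, Error level, last 30 days, grouped by event ID.
    Get-WinEvent -ComputerName $name -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Directory Service'; Level = 2; StartTime = (Get-Date).AddDays(-30) } |
        Group-Object Id | Sort-Object Count -Descending |
        Select-Object Count, Name | Out-File (Join-Path $reportDir "dsevents-$name.txt")
}

"Reports written to $reportDir"
```

The script only reports; disabling accounts, backups, defragmentation and NTDSUTIL integrity checks are left as deliberate manual steps, since each changes state on the domain controller.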

DNS

1) Review DNS Records for obsolete static entries.

2) Ensure DNS Scavenging is configured.

3) Clean up forwarders.

4) Remove stale zones.

5) Remove WINS dependencies (DNS is fully capable of providing all long and short name resolution services)

6) Security Aspects
– Allow only secure dynamic updates for all DNS zones. This ensures that only authenticated users can submit DNS updates using a secure method, which helps prevent the IP addresses of trusted hosts from being hijacked by an attacker.
– If the server running the DNS Server service is a domain controller, use AD ACLs to secure access control of the DNS Server service.
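As an added example, not part of the original post, the DNS items above can be audited with the DnsServer module (Windows Server 2012 or later, or RSAT). The server name, the public test name used to probe forwarders and the 7-day scavenging interval are assumed values; remediation commands are left commented so the script reports first and changes nothing on its own.

```powershell
# Added example (not from the original post): audits DNS checklist items 1, 2, 3 and 6.
# Assumes the DnsServer module; $dnsServer and the 7-day interval are assumed values.
$dnsServer = 'dc1.example.local'

# 2) Scavenging: the server needs scavenging enabled with an interval, and each zone needs aging on.
$scav = Get-DnsServerScavenging -ComputerName $dnsServer
if (-not $scav.ScavengingState -or $scav.ScavengingInterval -eq [TimeSpan]::Zero) {
    Write-Warning "Scavenging is disabled on $dnsServer"
    # Remediate (assumed 7-day interval):
    # Set-DnsServerScavenging -ComputerName $dnsServer -ScavengingState $true -ScavengingInterval 7.00:00:00
}

$zones = Get-DnsServerZone -ComputerName $dnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

foreach ($zone in $zones) {
    $aging = Get-DnsServerZoneAging -ComputerName $dnsServer -Name $zone.ZoneName
    if (-not $aging.AgingEnabled) { Write-Warning "Aging is not enabled on zone $($zone.ZoneName)" }

    # 6) Security: AD-integrated zones should accept only secure dynamic updates.
    if ($zone.IsDsIntegrated -and $zone.DynamicUpdate -ne 'Secure') {
        Write-Warning "Zone $($zone.ZoneName) allows dynamic updates: $($zone.DynamicUpdate)"
        # Remediate:
        # Set-DnsServerPrimaryZone -ComputerName $dnsServer -Name $zone.ZoneName -DynamicUpdate Secure
    }

    # 1) Obsolete static entries: A records with no timestamp (static) whose host no longer answers.
    if (-not $zone.IsReverseLookupZone) {
        Get-DnsServerResourceRecord -ComputerName $dnsServer -ZoneName $zone.ZoneName -RRType A |
            Where-Object { $null -eq $_.Timestamp } |
            ForEach-Object {
                $ip = $_.RecordData.IPv4Address.IPAddressToString
                if (-not (Test-Connection -ComputerName $ip -Count 1 -Quiet)) {
                    [pscustomobject]@{ Zone = $zone.ZoneName; Host = $_.HostName; IP = $ip }
                }
            } | Format-Table -AutoSize
    }
}

# 3) Forwarders: one that no longer answers queries is a candidate for removal.
(Get-DnsServerForwarder -ComputerName $dnsServer).IPAddress | ForEach-Object {
    $fwd = $_.IPAddressToString
    $ok  = try { Resolve-DnsName -Name 'www.microsoft.com' -Server $fwd -ErrorAction Stop | Out-Null; $true }
           catch { $false }
    [pscustomobject]@{ Forwarder = $fwd; Responds = $ok }
}
```

A static record whose host does not answer a ping is only a candidate for removal: hosts that block ICMP will show up here too, so confirm ownership before deleting the record.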

DHCP

1) As always, check the logs for critical DHCP-related events. It is recommended to implement a proactive monitoring solution for real-time data.

2) Regular maintenance of the DHCP database is needed to keep it functioning properly and to recover white space. By default, DHCP performs online maintenance of the database when there are no client requests; for busy DHCP servers, which may never have idle time, it is recommended to run offline maintenance against the dhcp.mdb file on a quarterly or half-yearly basis.
On the DHCP server, open a command prompt with administrative access.
Use the Jetpack.exe tool to perform offline compaction.
Syntax: jetpack database_name temporary_database_name

Example:
cd WINDOWS\system32\dhcp
net stop dhcpserver
jetpack dhcp.mdb tmp.mdb
net start dhcpserver

This should work for both Windows Server 2003 and Windows Server 2008.
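The script below is an added example, not part of the original post: the same offline compaction with the checks an operator would want around it (a backup copy, an exit-code check, a restore on failure, the service state afterwards, and the database size before and after so the recovered space is visible). It assumes an elevated session on the DHCP server itself and the default database path under system32\dhcp.

```powershell
# Added example (not from the original post): guarded offline compaction of dhcp.mdb.
# Assumes an elevated PowerShell session on the DHCP server and the default database location.
$dhcpDir = Join-Path $env:SystemRoot 'system32\dhcp'
$jetpack = Join-Path $env:SystemRoot 'system32\jetpack.exe'
$backup  = Join-Path $dhcpDir ('dhcp.mdb.{0:yyyyMMdd-HHmm}.bak' -f (Get-Date))

Push-Location $dhcpDir
$before = (Get-Item dhcp.mdb).Length
Stop-Service dhcpserver -ErrorAction Stop          # offline compaction requires the service to be stopped
try {
    Copy-Item dhcp.mdb $backup -ErrorAction Stop   # restore point in case jetpack fails midway
    if (Test-Path tmp.mdb) { Remove-Item tmp.mdb } # clear any temporary file left by a previous run
    & $jetpack dhcp.mdb tmp.mdb
    if ($LASTEXITCODE -ne 0) { throw "jetpack exited with code $LASTEXITCODE" }
    $after = (Get-Item dhcp.mdb).Length
    'Compacted dhcp.mdb: {0:N0} -> {1:N0} bytes' -f $before, $after
}
catch {
    Write-Warning "Compaction failed ($_); restoring $backup"
    Copy-Item $backup dhcp.mdb -Force
}
finally {
    Start-Service dhcpserver                       # always bring the service back, even on failure
    Get-Service dhcpserver | Select-Object Name, Status
    Pop-Location
}
```

Keep the dated .bak copy until the next successful lease cycle confirms the compacted database is serving clients normally, then remove it.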

1) Make sure that the iLO management processor is installed and running. I won’t go into that but here is a nice article about iLO setup – http://adyamarathon.wordpress.com/ilo-setup/
2) This is a schema-free integration using the iLO Web Interface.
3) For the web interface to be accessible, the iLO software version should be 1.80 or later.
4) To access the Web GUI for iLO, type the DNS name or IP address in the browser URL.

(Note: If the page fails to load, that may be because the SSL certificate is not being accepted. In Internet Explorer, go to Tools, then Internet Options, and then click the Advanced tab. Check Use SSL 2.0/3.0 and TLS 1.0. Click Apply and then OK. Restart the browser window and try again, and you will get the browser page as shown in the above screenshot.)

5) Log in using the username given on the iLO tag attached to the server. This is usually “Administrator”, and the password is also given on the same tag.
6) After successful login, you will be able to view the following screen.

7) Now, click the Administration tab and the Directory Settings, as shown below.

8) Next, you will see a page that requires choosing Authentication settings and entering Directory Server settings. Choose “Use Directory Default Schema”.

(Note: I have entered the Directory Server Address as one of the Domain Controllers. The LDAP port is 636 by default. For Directory User Context, I have entered the user group that is granted access.)

9) Next, after applying the settings, click the “Administer Groups” button, which takes you to the Group Administration page. Select the group you want to view or modify.

10) For “Administrator Group Settings”, you would want to grant access as “Yes” to all the options. You can choose accordingly for other types of users, and also for custom iLO user groups.

11) Go back to “Directory Settings” page. Click “Test Settings” button to run Directory Tests.

12) To confirm that iLO is actually functioning after the server is powered down, click the “Virtual Devices” tab. Then click the “Virtual Power” link.

13) On the page that shows the Virtual Power settings, select the method to power on the server. By default the method is “Momentary Press”. Click the “Virtual Power” button, then click the “Submit” button for Power Configuration Settings, which is set to “Yes” by default. This will power on the server (machine).

14) Click the “Remote Console” tab and then “Remote Console” in the left pane, which opens a popup window that lets you access the server (machine) remotely.
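Step 8 points the iLO at a domain controller on port 636 (LDAP over SSL) and step 11 tests it from the iLO side. As an added example, not part of the original post, the function below checks the same endpoint from any Windows host: that the DC answers on 636, which protocol the handshake negotiated, and what the certificate looks like and whether this host's certificate validation accepts it. The server name is an assumed value.

```powershell
# Added example (not from the original post): probe the Directory Server Address on the LDAPS
# port and report the certificate the DC presents. $Server is an assumed value.
function Test-LdapsEndpoint {
    param([string]$Server, [int]$Port = 636)

    # The validation callback runs synchronously inside AuthenticateAsClient, so it can record the
    # verdict here; returning $true afterwards lets the handshake complete so the certificate can be read.
    $state = @{ Errors = $null }
    $callback = { param($sender, $cert, $chain, $errors) $state.Errors = $errors; $true }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        [pscustomobject]@{
            Server     = "$Server`:$Port"
            Protocol   = $ssl.SslProtocol
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Validation = $(if ("$($state.Errors)" -eq 'None') { 'OK' } else { "$($state.Errors)" })
        }
    }
    finally { $client.Close() }
}

Test-LdapsEndpoint -Server 'dc1.example.local'
```

A Validation value other than OK (for example RemoteCertificateChainErrors or RemoteCertificateNameMismatch) usually explains a failed “Test Settings” run: the iLO needs the issuing CA certificate installed, or the Directory Server Address must match a name in the DC's certificate.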

This article explains the steps taken to export DHCP scopes from one server and import them to another, or from an old server to a new one. I have tried and tested them for DHCP on Windows Server 2003.

Run the following from a command prompt using an administrator login. You can try running this from any domain computer.

C:\> netsh dhcp server \\dhcpservername1 export C:\DHCPServerScope1 all

This exports the DHCP scope from this server to a file called “DHCPServerScope1” under C drive.

If the above method does not work due to an invalid path error, which is possible, you can instead export the scopes by logging into the DHCP server itself and saving them to a local or shared folder. Then log into the other DHCP server and, again using the “netsh.exe” utility, import the scope configuration there (recommended).

To export scopes, the following syntax can be used:

netsh dhcp server export <Filename> <ScopeList>

Example:

C:\>netsh dhcp server export c:\scopes\DHCPServerScope1 10.0.0.1

To import scopes, the following syntax can be used:

netsh dhcp server import <Filename> all

Example:

C:\>netsh dhcp server import c:\scopes\DHCPServerScope1 all
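The functions below are an added example, not part of the original post: the export and import commands above wrapped with the checks a migration needs (exit codes, that the export file actually exists, that the DHCP Server service is running on the target before import, and a scope listing afterwards to verify). Following the article's recommendation, the export is run locally on the old server and the import on the new one. The share path and server names are assumed values; the scope ID 10.0.0.1 and file name DHCPServerScope1 are the article's.

```powershell
# Added example (not from the original post): netsh dhcp export/import with verification.
# Share and server names are assumed; run Export-DhcpScopes on the old server and
# Import-DhcpScopes on the new one.

function Export-DhcpScopes {
    param(
        [Parameter(Mandatory)][string]$File,   # e.g. C:\scopes\DHCPServerScope1
        [string[]]$Scopes = @('all')           # scope IDs such as 10.0.0.1, or 'all'
    )
    New-Item -ItemType Directory -Path (Split-Path $File) -Force | Out-Null
    if (Test-Path $File) { Remove-Item $File } # start clean so the file reflects the current state
    & netsh.exe dhcp server export $File $Scopes
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $File)) {
        throw "netsh export failed (exit code $LASTEXITCODE); nothing written to $File"
    }
    Get-Item $File | Select-Object FullName, Length, LastWriteTime
}

function Import-DhcpScopes {
    param([Parameter(Mandatory)][string]$File)
    if (-not (Test-Path $File)) { throw "Export file $File not found" }
    # netsh talks to the running DHCP Server service, so make sure it is up on this (target) server.
    if ((Get-Service dhcpserver).Status -ne 'Running') { Start-Service dhcpserver }
    & netsh.exe dhcp server import $File all
    if ($LASTEXITCODE -ne 0) { throw "netsh import failed (exit code $LASTEXITCODE)" }
    # Verify: list the scopes now configured on this server.
    & netsh.exe dhcp server show scope
}

# On the old server: export everything, then copy the file to a share the new server can read.
# Export-DhcpScopes -File 'C:\scopes\DHCPServerScope1'            # or -Scopes 10.0.0.1 for one scope
# Copy-Item 'C:\scopes\DHCPServerScope1' '\\newdhcp\migration\'   # assumed share name
#
# On the new server:
# Import-DhcpScopes -File 'C:\migration\DHCPServerScope1'
```

Deactivate or remove the scopes on the old server before activating them on the new one, so that both servers are never handing out leases from the same range at the same time.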