Ben’s Blog

Today we covered the final two chapters in the book: 11 and 12.

Chapter 11 was all about the day to day maintenance of the AD database.  Since AD is a database, and a living one at that, we must make sure we keep it in shape so that it runs as efficiently as possible.  To do this, we run one of two AD defragmentation: online or offline.

Online Defragmentation happens on a regular basis — once every 12 hours — and involves cycling through the AD database looking for tombstones that are set to be cleaned.  (Tombstones are what’s left behind when something is deleted from AD — it’s left with a tombstone that lives on for another 60 days (does this make them zombies??)).  At the 60 day mark, those tombstones are deleted by AD’s Online Defragmentation.  The upside is that the server doesn’t have to be taken down in order for this to occur, but the downside is that the size of the database doesn’t actually change.  So, if you need  a more powerful, database-reducing activity, the Offline Defragmentation is the way you’ll need to go.

Offline Defragmentation is a slightly more complicated process, and should only be done when reducing the size of the AD Database is the primary goal.  It involves taking the DC offline, booting into Directory Services Restore Mode and running the NTDSUtil command (Files | Compact To C:\Backup).

We also looked at backing up AD, which can be done via the default Windows Server backup program, NTBACKUP (or your competent 3rd party choice).  If using NTBACKUP, you’ll just do a backup of the System State, and that will grab the AD database and settings along with it.

To restore the AD database, you have a couple of options.  You can choose to either do a non-authoritative restore, or an authoritative restore.  The differences lie in how you’d like your data to propagate throughout the network.

The easiest and most common type of restore you would be performing would be the non-authoritative.  What happens in a non-authoritative restore is that directory information is replaced, but is flagged indicating “Hey, I’m probably out of date”.  When AD replication occurs, if any information comes down the pike that is deemed newer, or more relevang, that newer, more relevant information replaces the older information established by the non-authoritative restore.  Typically you would perform this type of AD restore on a new server that you want to designate as a DC, and just have the new information replicate to the server.

When you accidently delete a user and that change has worked it’s way through AD, you would need to perform an authoritative restore.  Authoritative restores replace a particular object, and then indicate it as “authoritative”, so that when AD replication occurs, it is flagged as the most recent and relevant, and that change is then replicated throughout Active Directory.

Moving on to Chapter 12, we discussed the various scenarios you might encounter when installing Windows Server 2003 in an organization, including making the decision to either upgrade or migrate (meaning new equipment, moving just the data over).  We looked at several tools that might be needed in such scenarios.

Homework:

• Take Home Test #6 – download it here.
• Continue work on MS E-Learning modules!

Back in the 60s and 70s, when what we now know as the Internet was in its most infant-est stages, we were mostly concerned with *how* to get packets from one computer to another.  Rarely were we concerned about securing those packets — the mere fact that we could take them from one computing device and “magically” transport them to another computational device seemed miraculous, and frankly, there wasn’t a large need to secure the data at that time — getting your hands on equipment to do that sort of thing was very expensive in those days, and therefore our data seemed to subscribe to a “Security by Obscurity” security model.  We developed network transport models that didn’t take today’s seemingly obvious security needs into consideration.

Nowadays, when any teenager with a couple hundred  bucks can grab our data and exploit it, we need ways of securing that data and protecting ourselves (and our jobs!).  The problem is is that we are still using those same old protocols with no security mechanisms.  The best solution would be to create and use brand new protocols with security built in, but we know for compatibility reasons, this is generally not possible.  So, what we can do instead is employ a technique that will “wrap” our insecure packets with a level of security.

The specific technology I’m talking about is IPSec.  IPSec is used in conjunction with insecure technologies, like FTP, to encode those packets and make them secure.  What’s cool about IPSec is that it only needs the two communicating nodes in order to work.  All of the infrastructure in between can just forward the packets as normal.

IPSec runs in one of two modes: transport mode and tunnel mode.  Transport mode secures the traffic between two computer nodes; tunnel mode secures the traffic between two routers.  Most of the time we will configure IPSec to run in transport mode, especially if we are sending traffic across Internet infrastructure we don’t control.

Next, we looked at deploying IPSec.  The easiest way to do so is to simply set up a GPO requiring it.

Homework:

• Take Home Test #6 – download it here.
• Continue work on MS E-Learning modules.  They’re due in a few weeks!!!

Today in class we covered chapter 6, the second chapter of Word.  We explored some slightly more advanced ways of formatting our documents and maybe, hopefully, picked up a tip or two to make our document creation a little faster.

Homework:

• Chapter 6 Fill in the Blank
• Chapter 6 Matching
• Project 2E
• Project 2F

Today, we covered chapter 8, the chapter on SMTP.  Then we went home!

Homework:

• No homework this time.  Aren’t I a nice guy?

Today we discussed the variousu ways we have to connect to network devices.  Many times, for us, that will mean the patch cable in the back of our computers connecting to the wall (unshielded twisted pair), but many times, especially in the server room, this could mean serial cables as well.  In really old networks, this could mean coaxial cable as well.

Next, we took some time and constructed our own patch cables.  We looked at straight-through cables, crossover cables, and rollover  cables.

Homework:

• Chapter 6 Review Questi0ns.

Today’s class covered chapters 10 and 11.

For us, that meant a slight break from the normal intensity that is NSA 150/151, and a look at the larger picture of safety and customer service.

Computers are electronic objects.  As such, they have the capacity to hurt us.  Just like any electronic object.  Are the chances good that they’ll hurt us?  No, but anything we can do to improve our odds of not being hurt or killed is a good idea in my book!

So, how not to get hurt?  Well, first of all, I’d suggest leaving the guts of the power supply and any CRT monitors you may still have alone!  Printers?  Well, be careful.   The main thing to remember with printers is not to get yourself destroyed, but to keep the area around you clean.  So doing things like not turning hte printer upside down to shake something out is a good idea.

Also, dealing with safety, cords can be a monumental issue.  So any cables that are on the floor need to be packed under a floor cable guard, and it’s generally a good idea to bind up any cables coming off the back of a desk up out of the way.  I realize that I’m a hypocrite on both of these counts, but note that I said it’s a good idea, not that I necessarily follow that good idea.  Heh.

My wife will appreciate taking care to keep the environment safe as well.  As tempting as it is, please do not put old computers and monitors in the trash, as these electrical components have lead in them that can then leak into our water supply.

We also talked about protecting the computer itself.  It’s a known fact that electrostatic discharge can fry the snot out of computers, and to keep ESD at a minimum is absolutely required.  We can do this by way of anti-static mats, wristbands and just grounding yourself against metal inside the computer case (my favorite grounding spot?  The power supply.).

The next chapter covered communication skills.  It’s no secret that most computer people are NOT people people too.  And most normal people are not computer people.  This combination can equal disaster, and it’s important as professionals to remember that not everyone knows the facts that you do about computers.  In summary, pick out something you know very little about and think you’d feel if someone berated you for not knowing about it.  There ya go.

Homework:

• Chapter 10 Review Questions
• Chapter 11 Review Questions

We had a big day today, covering 3 chapters, and finishing up our discussion on Group Policy.  Next week, we’ll finish up the remaining two chapters in the book and work the remaining time on our “Show Me the Money” network implementation!!

Anyway, chapter 8 covered the user and computer environments when configured by Group Policy.  The first area of focus was the area of security policies.  As you know from previous discussion (earlier today!?) that we can configure security policies on our machines to allow or disallow (or block, even) certain kinds of behavior, or limit that behavior to certain individuals.  The nice thing is is that, using Group Policy, we can configure those settings once in a GPO and then assign it to a large number of computers by attaching that GPO to an object associated with the computers we wish to control (inside the Sales OU, for example).

We also looked at a concept called Folder Redirection.  With Folder Redirection, we are able to control where user files end up during backup or in day-to-day use.  A common use of Folder Redirection is to configure a GPO that makes the client computers store files on a network location instead of on the local computer when a user saves in the “Documents” folder.  To the end user, nothing is too different from their home machine, but the files are actually saved to the server without the user having to know to save their documents to the \\srv-01\files\ directory.  It’s just easier that way.  Especially if we ever have to move those files!   Oh, and also, the .zap files only work on software assigned to user groups — not computers.  Very important!

Disk Quotas, we’ve looked at before, are ways of limiting your users from gobbling up a bunch of server space.  Especially in this day of digital media, it’s not uncommon for users to rip a  bunch of CDs to their computers thinking they’re storing them on their local HDD, when in fact they are being stored on the server (aha! Folder Redirection!).  Disk Quotas ensures that your server doesn’t get filled up with a bunch of 320 kbps Menudo .mp3 files.

Chapter 9 talked about the installation of software titles via Group Policy.  This is perhaps one of the most useful things you can do with GP — imagine having to install something like MS Office onto 200 computers (especially if you only had 1 disc) — it would be a nightmare!

By copying the disc to a network share and then configuring a GPO to put that software onto the computers that fell within its scope, you could install that software automatically, with no walking around and mindlessly configuring.

There is a downside, however.  In order for GP to install software programs, the program installation file must be a Windows Installer file (.msi extension).  .EXEs won’t work, unfortunately, unless you want to configure a .zap file.  .Zap files work like old .ini files and simply are directions for GP to use .EXEs in their deployments.  The downside is that the installations often will need user intervention and in many cases will need someone with local administrator rights present.

Finally, Chapter 10 covered GP management, and here’s where things can get fun.  Or hairy.  Or both, if that’s your thing.

Group Policy is an object just like anything else, and can therefore have an ACL attached to it.  This ensures that certain users within an OU keep from having GPOs attached to them.  For example, if I wnated a particular user in an OU to *not* have their taskbar locked, I could place a deny read on that particular GPO for that particular user.

In addition, I can use something called WMI filters.  WMI stands for Windows Management Instrumentation, and is used in Windows 2003 to filter down for particular requirements on our machines.  For example, if I want to apply a certain GPO to only Windows XP machines, I could apply a WMI filter that selects out Windows XP machines.  How, you ask?  Well, WMI uses a mechanism that is very similar to the SQL database language, and a query is written in very much the same way.  So to only apply a particular GPO to Windows XP machines, I would apply a WMI filter that looks like this:

SELECT * from Win32_operatingsystem WHERE caption = "Microsoft Windows XP Professional"

The downside here, of course, is that I can only apply 1 WMI filter to a GPO.  (I can use the same WMI filter attached to several GPOs though).

Homework:

• Take Home Test #05 – download it here!
• Continue working on MS E-Learning Modules!

Today’s topic is one of those quintessential networking topics — security.  Today was our first real discussion about the various security methodologies that are out there, but we definitely have brushed over them before.

As you’ll remember, there are several approaches we can take when looking to secure our intellectual property, and we should choose several in order to protect it.  We can choose authorization methods, which have the network require that people prove they are who they say they are (usually by way of username and password) before being allowed access to network assets — as well as setting up user rights and permissions to go along with their accounts.

We looked at the built-in groups that  come with Windows’ initial installation and discussed some of the things users in those groups can do.  For instance, we talked about two common local groups — the administrators and power users groups.  We talked about how the groups are similar in that they have elevated rights, but how the administrator account is able to accomplish so much more (driver installation and most “system” tasks).

We also talked about setting security templates — collections of security settings that we can apply to our machines so that we aren’t spending an inordinate amount of time tweaking mundane settings.  We discussed how Windows comes with its own security templates and how we can come up with our own and apply them to our computers.

The EFS (Encrypted File System) was also discussed — how the file system itself can encrypt files that are only open-able by the user that created them.  In order to do this, you must have the NTFS file system in place.

Finally, we discussed the Microsoft Baseline Security Analyzer (MBSA), which will comb through your system and compare it to the current state your server should be (regarding updates) and known security implementations (requiring compelx passwords, etc.).  It will then show you a report you can use to harden your network, which is a good idea, all around.

Homework:

• Take Home Test #5 – download it here.
• Continue work on MS E-Learning Modules!!!

Welcome to first day of Microsoft Word.  We dug in with Chapter 5, hopefully learned a lot, and were on our way.

Homework:

• Chapter 5: Matching
• Chapter 5: Fill-in-the-Blank
• Chapter 5: Project 1C
• Chapter 5: Project 1D

Today we talked about chapter 7, virtual servers.  Virtual servers, in the context of Exchange, refers to the services that are running on that physical server, such as POP3, IMAP, NNTP, etc.  It is possible to stop, start and restart those servers independently of the physical server, which makes the entire network infrastructure more stable.

Homework:

• Because I’m such a nice guy, have the week off.