Showing posts with label Windows Server 2003. Show all posts

Wednesday, April 8, 2009

How to force users to logon on one domain controller

Hello,

The scenario: one Active Directory site with two domain controllers.
Question: how do you force users to log on to only one of the domain controllers?
The answer lies in the priority of the domain controllers' DNS SRV records: clients contact the DC whose records carry the lowest priority value and fall back to the other one only when it is unavailable. See here how to set it:
http://www.windowsnetworking.com/kbase/WindowsTips/WindowsServer2008/AdminTips/ActiveDirectory/AQuickTiptodesignateadomaincontrollerforclientauthentications.html
You can verify the priorities in the DNS MMC console or with nslookup, as described here:
http://technet.microsoft.com/en-us/library/cc738991.aspx
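As an added illustration (not part of the original post), the Python below parses the SRV records that nslookup returns for _ldap._tcp.dc._msdcs and reports whether the priorities really steer clients to a single DC, applying the RFC 2782 ordering rule (lowest priority first, weighted random only among equal priorities). The nslookup output, the example.local domain and the hostnames are constructed.

```python
import random
import re
# Constructed sample of what `nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>` prints for a site
# with two DCs (example.local and hostnames are made up); dc2 carries a higher, i.e. worse, priority.
SAMPLE_NSLOOKUP = """\
_ldap._tcp.dc._msdcs.example.local      SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.example.local
_ldap._tcp.dc._msdcs.example.local      SRV service location:
          priority       = 200
          weight         = 100
          port           = 389
          svr hostname   = dc2.example.local
"""

def parse_srv(text):
    """Return (priority, weight, host) tuples from Windows nslookup SRV output."""
    records, fields = [], {}
    for line in text.splitlines():
        m = re.match(r"\s*(priority|weight|svr hostname)\s*=\s*(\S+)", line)
        if m:
            fields[m.group(1)] = m.group(2)
        if "svr hostname" in fields:  # hostname is the last field of one record
            records.append((int(fields["priority"]), int(fields["weight"]), fields["svr hostname"]))
            fields = {}
    return records

def forced_dc(records):
    """Hostname if exactly one DC holds the lowest priority (clients are steered to it), else None."""
    lowest = min(p for p, _, _ in records)
    hosts = [h for p, _, h in records if p == lowest]
    return hosts[0] if len(hosts) == 1 else None

def client_order(records, rng=random):
    """Order in which a client tries the DCs (RFC 2782): ascending priority, weighted random per tier."""
    order = []
    for prio in sorted({p for p, _, _ in records}):
        tier = [r for r in records if r[0] == prio]
        while tier:  # weighted random draw without replacement within the priority tier
            pick = rng.uniform(0, sum(w for _, w, _ in tier))
            running = 0
            for rec in tier:
                running += rec[1]
                if running >= pick:
                    order.append(rec[2])
                    tier.remove(rec)
                    break
    return order
```

If forced_dc() returns None, both DCs share the lowest priority and clients will be spread across them by weight, so the setting has not taken effect yet.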

Tuesday, March 24, 2009

How to recover from the failure of a subdomain single domain controller

Suppose the only domain controller of a subdomain suffers a hardware failure. These are the two steps you need to follow to recover:
1) Remove the orphaned domain from Active Directory:
http://support.microsoft.com/kb/230306/en-us
2) Restore the server by reinstalling the operating system and then restoring Active Directory from backup:
http://technet.microsoft.com/en-us/library/cc782127.aspx

Monday, May 26, 2008

Restrict DHCP on Windows 2003

A few months ago, I was facing the problem of assigning IP addresses only to our domain computers. Nobody from outside should get an IP address from our network. The results of all my conclusions are here. I hope they will help somebody in the future.
There are a few ways to restrict DHCP:
1. Create a DHCP scope that contains only reserved IP addresses for domain computers. This will not stop people who manually configure the IP address of their computer from accessing your network, and it is usually not practical if you have many computers.
2. Switches that control port access by MAC address filtering. The drawback of this approach is that MAC addresses can be spoofed.
3. The third and last option is also the most secure of all: 802.1X authentication for wired clients. 802.1X for wired networks provides authentication and authorization protection at the switch port. Port-based network access control uses the physical characteristics of a switched LAN infrastructure to authenticate devices attached to a LAN port; if authentication fails, use of the port is denied, or alternatively the port can be assigned to a VLAN that contains no important resources. For this you need switches that support 802.1X authentication, an IAS server, and Certificate Services deployed on Windows 2003. This is the guide: http://www.microsoft.com/downloads/details.aspx?familyid=05951071-6b20-4cef-9939-47c397ffd3dd&displaylang=en

Thursday, January 31, 2008

Export RRAS configuration

This is a very useful command-line backup option that I use frequently:
netsh routing dump > Routing.txt
netsh RAS dump > RAS.txt
Then we can use netsh exec with the saved file on another server to import the configuration.
If you want to export other settings, look at the other netsh command-line contexts.

Tuesday, January 29, 2008

RRAS server logging and debugging

RRAS logging

To see who logged on, for how long, etc., go to Remote Access Logging and, in the properties of the local file log, check Authentication requests. The results are written to windows\system32\LogFiles.

RRAS debugging

We can debug RAS connections using RAS tracing logs. To enable them, run the command:
netsh ras set tracing * enabled
Then check the logs in the %windir%\tracing directory.
Error codes related to RRAS are listed here: http://support.microsoft.com/kb/q163111/
After we resolve the issue, we disable RAS tracing with the command:
netsh ras set tracing * disabled