Monday, March 30, 2009

DCPromo with R2 and DHCP lease Process

I have posted two articles on Windows Live Spaces, covering DCPromo and the DHCP lease process. SkyDrive is a new toy for me to reach out to you guys and share what I have. Please click on the picture below to get there and enjoy both documents. Feel free to make modifications and use them as needed; there is no copyright. As long as you leave some comment, you are most welcome to own both documents.


Oz Casey Dedeal

MVP (Exchange)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +

http://smtp25.blogspot.com (Blog)
http://telnet25.wordpress.com/ (Blog)

Friday, March 27, 2009

What Does Active Directory integrated DNS mean to you

This is a question that was asked to one of my friends during an interview, and after talking to my buddy I decided to write this up and provide some very basic information which will be helpful for those who need to brush up on or learn the basics of DNS and Active Directory integration.

DNS is the backbone of AD DS (Active Directory Domain Services). When a domain controller (authentication server) reboots, it registers several dynamic records in the DNS database so that the authentication server can provide services to its clients. Simply put, when a user sits in front of a workstation, presses CTRL+ALT+DELETE and supplies a user name and password to gain access to the domain (the boundary of the DNS name space and the boundary of authentication), the domain controller that is talking to the client at that time performs several basic tasks:

1. The user supplies a user name and password, requesting to log on to the domain.

2. The domain controller receives the information: a logon request for the domain and its resources.

3. The domain controller compares the given information against the existing database (the .DIT database).

4. The domain controller verifies the credentials and prepares a token for the user.

5. The token holds things like the user's group memberships and all the other good stuff you can imagine.

6. The token is passed to the user, and the user starts seeing a desktop.

Great, now we have seen the basic service provided by a domain controller and a typical client being serviced by it. It is the same as going to the bank and withdrawing money from your account: imagine they check your ID, your bank account and so on before giving you access to your own account.

DNS is very important. If DNS were not there, where would a domain controller register its records, and how would it claim to be a domain controller? Where would a client go to locate a domain controller in the absence of DNS?

Similar questions and scenarios can easily be listed, and the importance of DNS becomes life critical. You will hear this a lot: if you don't have healthy DNS, your Active Directory won't function and your Exchange server will go ***bananas***.

Where does DNS information live within Active Directory? DNS information is kept in the domain partition of Active Directory. In the multi-master replication model the domain partition of Active Directory is replicated to all other available domain controllers. So if you have one DC/DNS (Active Directory integrated DNS), you are replicating the domain partition, and with it the DNS information, regardless of whether the other DCs are DNS servers or not.

So why not make DNS part of the standard DC build and have redundant DNS servers within our organization? That is a great question to ask ourselves.

If you remember, in Active Directory 2003 and above Microsoft added a fourth partition, called the "application" partition, to keep application-specific data.

AD integrated DNS means the DNS data is part of the .DIT database and is replicated to all other available domain controllers within your domain. Of course this makes clients happier: in the multi-master replication model a client can register with, or locate resources through, any available DNS server and gain access to resources. Thus making DCs run integrated DNS makes the most sense and secures the critical DNS data for your organization.
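As an added example (not part of the original post), here is a small Python check of the locator records a DC registers in DNS, which is exactly what a client uses to find a domain controller. It runs offline against a constructed zone; the domain and host names are constructed, and dns_lookup() assumes the dnspython package if you want to point it at real DNS.

```python
# Added example: verify the DNS locator records a domain controller registers.
# The resolver is injectable, so the check runs offline against a constructed
# zone; dns_lookup() (assumes the dnspython package) queries real DNS instead.

# Three of the SRV records every DC registers under _msdcs (assumed subset).
LOCATOR_SRV = ("_ldap._tcp.dc._msdcs.{d}", "_kerberos._tcp.dc._msdcs.{d}",
               "_ldap._tcp.pdc._msdcs.{d}")

# Constructed zone: dc1 is healthy, dc2 is advertised but has no A record.
SAMPLE_ZONE = {
    ("_ldap._tcp.dc._msdcs.example.org", "SRV"): [
        (0, 100, 389, "dc1.example.org"), (0, 100, 389, "dc2.example.org")],
    ("_kerberos._tcp.dc._msdcs.example.org", "SRV"): [(0, 100, 88, "dc1.example.org")],
    ("_ldap._tcp.pdc._msdcs.example.org", "SRV"): [(0, 100, 389, "dc1.example.org")],
    ("dc1.example.org", "A"): ["192.0.2.10"],
}

def table_lookup(name, rtype, zone=SAMPLE_ZONE):
    """Offline resolver: records for (name, type), or [] when none exist."""
    return zone.get((name.lower(), rtype), [])

def dns_lookup(name, rtype):
    """Live resolver using dnspython (optional dependency, imported lazily)."""
    import dns.resolver  # pip install dnspython
    try:
        answer = dns.resolver.resolve(name, rtype)
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []
    if rtype == "SRV":
        return [(r.priority, r.weight, r.port, str(r.target).rstrip("."))
                for r in answer]
    return [r.address for r in answer]

def check_dc_locator(domain, lookup=table_lookup):
    """Return the problems found; an empty list means every locator record
    exists and every DC it advertises resolves to an address."""
    problems = []
    for pattern in LOCATOR_SRV:
        name = pattern.format(d=domain)
        srvs = lookup(name, "SRV")
        if not srvs:
            problems.append(f"missing SRV record {name}")
            continue
        for _prio, _weight, port, target in srvs:
            if not lookup(target, "A"):
                problems.append(
                    f"{name} advertises {target}:{port} but it has no A record")
    return problems
```

Call check_dc_locator("yourdomain.org", dns_lookup) on a workstation to see what a client actually finds; a missing SRV record or an advertised DC with no A record is the "where would a client go" failure described above.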


Wednesday, March 25, 2009

RPC OVER HTTPS SCRIPT

I have received many inquiries over the months regarding the RPC over HTTPS script, and to be honest I am very happy that many people found the script very easy to use.

I finally decided to put it on SkyDrive, ready for those who need to download the script. Please don't forget to leave a comment, which is all I ask for.

Click here to get it,

RPCScript


MX Record and Mail Delivery in Basic



A Mail Exchanger (MX) record is the record that tells other DNS servers who the authoritative mail server is for the requested SMTP name space.

If my SMTP name space is "@smtp25.org", I would typically expect to have the records below in the public DNS servers, so that senders are able to send e-mail to my mail servers.

MX (Mail Exchanger) record: tells other DNS servers who the authoritative mail server is for the requested SMTP mail domain.

A record: specifies the FQDN of the server, with the FQDN pointing to a unique IP address. Let's say I am going to e-mail you; here is what happens, in a simple way.

I use my Outlook to send mail to you, entering your address, you@yourDomain.com, as the destination. My Exchange server takes the message and contacts its configured DNS server (normally the internal AD-integrated DNS).
The AD/DNS server sees that the requested domain is YourDomain.com and uses its configured forwarders to perform a recursive query, asking (generally it works this way): who is the responsible mail server for the SMTP domain YourDomain.com?

The forwarders configured on the internal DNS servers are normally the ISP DNS servers; they do the heavy lifting, going out to the Internet and asking the same question of other DNS name servers:


"I need to know the IP address of the mail server for the domain YourDomain.com; who has this information?" Assuming there is at least one DNS server that claims to be authoritative for your SMTP domain and holds the mail server record, so that the DNS servers know where to pass the SMTP traffic, the authoritative server for YourDomain.com says:


***Hey, I am the authoritative mail server for the requested SMTP name space and here is my IP address*** and provides the IP address to the requesting ISP DNS server.
*** The DNS query won't fail if there is no MX record; strictly speaking an MX record is not needed for mail delivery. The DNS servers search in this order: look for an MX record first, an A record second, a CNAME record third.***


The part that becomes tricky is that some mail gateways or DNS servers will fail the query and be mean if there is no MX record for the destination mail server, meaning it is up to the sender whether to talk to strangers or not.
When the ISP DNS server finds the IP address of the intended SMTP server, it passes the IP address back to the AD/DNS server, the AD/DNS server passes it to the Exchange server, and the Exchange server establishes an SMTP connection on port 25.
I hope this helps you understand basic mail flow.
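As an added example (not from the original post), here is the lookup order described above written out in Python: MX records first, ordered by preference, then the domain's own A record when no MX exists. The records are constructed so it runs offline; dns_lookup() assumes the dnspython package for live queries.

```python
# Added example: where should mail for an SMTP domain be delivered?
# Implements the lookup order explained above: MX records first (lowest
# preference value wins), then the domain's own A record when no MX exists.
# The resolver is injectable so this runs offline against constructed
# records; dns_lookup() (assumes the dnspython package) queries real DNS.

# Constructed records: two MX hosts, one domain with only an A record,
# and dead.example which publishes nothing at all.
SAMPLE_RECORDS = {
    ("smtp25.example", "MX"): [(20, "mx2.smtp25.example"),
                               (10, "mx1.smtp25.example")],
    ("mx1.smtp25.example", "A"): ["192.0.2.25"],
    ("mx2.smtp25.example", "A"): ["192.0.2.26"],
    ("nomx.example", "A"): ["198.51.100.7"],
}

def table_lookup(name, rtype, records=SAMPLE_RECORDS):
    """Offline resolver: records for (name, type), or [] when none exist."""
    return records.get((name.lower(), rtype), [])

def dns_lookup(name, rtype):
    """Live resolver using dnspython; an A query also follows CNAMEs."""
    import dns.resolver  # pip install dnspython
    try:
        answer = dns.resolver.resolve(name, rtype)
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []
    if rtype == "MX":
        return [(r.preference, str(r.exchange).rstrip(".")) for r in answer]
    return [r.address for r in answer]

def mail_hosts(domain, lookup=table_lookup):
    """Return [(host, ip), ...] in the order a sending MTA should try them.
    Raises LookupError when neither MX nor A records exist."""
    mx = lookup(domain, "MX")
    if mx:
        candidates = [host for _pref, host in sorted(mx)]  # preferred first
    else:
        candidates = [domain]  # no MX: fall back to the domain's A record
    hosts = [(host, ip) for host in candidates for ip in lookup(host, "A")]
    if not hosts:
        raise LookupError(f"no MX or A record found for {domain}")
    return hosts
```

The LookupError case is the one the strict gateways mentioned above refuse on; the A-record fallback is the case where lenient ones still deliver.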


Friday, March 13, 2009

DCPromo and some DNS Best Practices

Below are the steps to promote a member server to be a domain controller in an existing forest. I am listing some best practices and recommendations going forward. Most of the items below are pretty basic, nothing advanced. I am surprised to find that many people are not aware of the basics, hence I am putting all of these one more time to my students' attention.

**Here is the Doc version if you wish to download**

  • Make sure the server is configured correctly: the TCP/IP stack and DNS client are pointing to the ***existing DC/DNS***
  • After initial replication, point the DC/DNS to itself as the primary DNS server and to its neighbor DC/DNS server as the secondary (alternate) DNS server
  • ***Never*** point DC/DNS servers to an ISP DNS server as their primary or secondary DNS (the most common killing mistake)
  • Don't use more than one NIC; DCs don't like multiple NIC cards
  • Forward the recursive queries for which your domain is not authoritative to the ISP DNS servers and let them do the heavy work.
  • Go to your DNS forward lookup zone, locate _msdcs.yourDomain.org, go to Properties, click on Name Servers and make sure all the servers listed there are domain controllers and are functioning properly.
  • Tune up your DNS as explained in this article.
  • Make sure you have joined the server to the domain prior to running DCPromo (optional); this ensures proper communication with the domain and creates the A record for the server in the DNS database of the existing domain.
  • Run DCPromo as always to install the ***.DIT*** database, and remember the .DIT database is a partitioned database (domain, configuration, schema, application)
  • Remember the best practices for deciding on RAID and distributing the database, logs and the SysVol.

| Component | Operations Performed | RAID System |
| --- | --- | --- |
| Operating system files | Read and write operations | RAID 1 |
| Active Directory log files | Mostly write operations | RAID 1 |
| Active Directory database and SYSVOL shared folder | Mostly read operations | |

  • The logs are kept by themselves
  • The Active Directory database and SYSVOL shared folder are kept together on the same drive

*** In reality many companies (enterprise) go with two RAID 1 sets.*** If you end up installing everything on the same drive and you have multiple DCs, that is fine as well; when the budget allows, follow the best practices to have fewer headaches and good performance.

After DCPromo, make sure the new DC is functioning as a DC:

  • Check Sites and Services to make sure the new DC appears: click Start, Run, dssite.msc, and under Sites, Default-First-Site-Name, expand the Servers folder
  • Make sure the server object is there, with NTDS Settings, and that the KCC has created replication connections to the other DCs
  • Click Start, Run, cmd and type **net share** to confirm the SysVol share is visible
  • Check the event logs to make sure the DC is healthy.




Monday, March 9, 2009

Active Directory replication troubleshooting & Replication Headache





One of the primary tasks for most network administrators is troubleshooting replication issues among domain controllers. If you don't have several sites there is not much to worry about. Conversely, it is a big deal if you do have them, so what would you do to troubleshoot replication issues in Active Directory? Below are some nice tips that will help you troubleshoot replication-related issues in Active Directory.

To quickly see whether all DCs are replicating, use

  • repadmin

    Repadmin /ReplSummary

Run the tools below in verbose mode and investigate the output TXT file for further clues about what might be causing the replication issues.

  • dcdiag
  • netdiag
  • repadmin
  • DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
  • netdiag.exe /v > c:\netdiag.log (On each dc)
  • repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
  • dnslint /ad /s "ip address of your dc"

*Note: Using the /E switch in dcdiag runs diagnostics against ALL DCs in the forest. If you have a significant number of DCs this test could generate significant detail and take a long time. You also want to take into account that slow links to DCs will add to the testing time.

TIPS

  • Make sure the TCP/IP stack is configured correctly on all the domain controllers.
  • Issue the ***IPConfig /All*** command on each DC and make sure the TCP/IP stack is configured correctly.
  • There are multiple ways to configure the TCP/IP settings on each domain controller, based on needs and scenario. One of the most common basic configurations is to point the DC/DNS server to its own IP as the primary DNS server and to its neighbor DC/DNS as the second (alternate) DNS server, and to follow the same configuration for the rest of the domain controllers.

  • Don't use multiple ***NICs*** on the domain controllers; disable any other NIC card and make sure ***Register this connection's addresses in DNS*** is unchecked on the disabled interface.
  • It is a good idea to rename the NICs as ***Production***, or *** Do not Enable *** for the disabled interface.
  • Use the following netdiag and dcdiag switches on the problem DCs:

    • netdiag /v /fix
    • dcdiag /v /fix
  • On the problem DCs, run the commands below from the command line and investigate whether any errors occur.

  • ipconfig /flushdns
  • ipconfig /registerdns
  • net stop netlogon
  • net start netlogon
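As an added example (not from the original posts), here is a Python check that applies the DNS client rules from the DCPromo checklist and the TIPS above to "ipconfig /all" output: the DC must list itself first, another DC second, never an ISP resolver, and have only one adapter. The ipconfig text below is constructed, as is the set of DC addresses.

```python
# Added example: check a DC's resolver order from "ipconfig /all" output, as
# the DCPromo checklist and the TIPS above require: the DC first, a neighbour
# DC second, never an ISP resolver, and only one adapter. Sample is constructed.
import re

SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Production:

   IPv4 Address. . . . . . . . . . . : 192.0.2.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       192.0.2.11
"""

ADAPTER_RE = re.compile(r"^\S.* adapter (.+):\s*$")
ADDR_RE = re.compile(r"IP(?:v4)? Address.*?:\s*([\d.]+)")  # 2003 prints "IP Address"
DNS_RE = re.compile(r"DNS Servers.*?:\s*([\d.]+)")
CONT_RE = re.compile(r"^\s+([\d.]+)\s*$")                  # extra DNS servers

def parse_ipconfig(text):
    """Return {adapter: {"ip": address, "dns": [servers in listed order]}}."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        if (m := ADAPTER_RE.match(line)):
            current = adapters.setdefault(m.group(1), {"ip": None, "dns": []})
            in_dns = False
        elif current is None:
            continue
        elif (m := ADDR_RE.search(line)):
            current["ip"], in_dns = m.group(1), False
        elif (m := DNS_RE.search(line)):
            current["dns"].append(m.group(1))
            in_dns = True
        elif in_dns and (m := CONT_RE.match(line)):
            current["dns"].append(m.group(1))
        else:
            in_dns = False
    return adapters

def check_dc_dns_order(text, dc_addresses):
    """List what is wrong with the DC's own DNS client settings."""
    problems, adapters = [], parse_ipconfig(text)
    if len(adapters) > 1:
        problems.append("more than one adapter is configured")
    for name, cfg in adapters.items():
        if not cfg["dns"] or cfg["dns"][0] != cfg["ip"]:
            problems.append(f"{name}: primary DNS is not the DC itself")
        for server in cfg["dns"]:
            if server not in dc_addresses:
                problems.append(f"{name}: {server} is not a domain controller")
    return problems
```

Feed it the real output with check_dc_dns_order(subprocess.check_output(["ipconfig", "/all"], text=True), {your DC addresses}) to catch the ISP-resolver mistake before it shows up as replication failures.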



Saturday, March 7, 2009

MVP SUMMIT 2009








This year's MVP summit was incredible. As a first-timer being at Redmond, getting to know the Exchange product team and meeting other MVPs was exciting and an incredible knowledge gain.


Our MVP lead and other managers have done incredible work and made the effort to keep this gathering at a very high professional level, as well as cozy and worthwhile, in my opinion.



As much as I want to talk about Exchange 14 (-: yes, I am dying to let you guys know about the changes, improvements etc., I won't be able to **YET**. Here is some news if you would like to check it out


Brian Tirch (MVP), Glen Scale (MVP), Oz Casey Dedeal (MVP) , James Chong (MVP),

James (MVP), John Fulbright(MVP), Oz Casey Dedeal(MVP)


James(MVP), Melissa(MVP Team Lead), Oz (MVP)








Oz Casey Dedeal(MVP), Daniel Petri(MVP)

There are many good things coming up: Windows Server R2 (same code as Windows 7) and Windows 7, Exchange 14 and many other new products and great improvements that will make you very happy and satisfied and save big $$$ for your business.


***Seeing MVPs still trying to help the Exchange community on the Microsoft forums while listening to the conference was a remarkable and unforgettable experience for me.***

