
Archive for Active Directory

Oct 11

Clear OS – An Alternative to SBS?

by jeremy


Part five of a six-part series looking at ClearOS, one of the major commercial alternatives to Small Business Server. In this post I look at backup and recovery. Be sure to read part one for an overview of ClearOS and part two for an introduction to the installation process. Part three looks at the domain and file sharing, and part four covers messaging.

Part Five: Backup And Recovery

One important aspect of any server solution is the ability to restore data after an accidental deletion, restore the server after a hardware failure, or recover from corruption. Unfortunately, this is one aspect where ClearOS is truly lacking. While there is a native backup utility in the Marketplace, it only covers the configuration files. Let's take a quick look at how Linux stores its configuration. Nearly all system configuration lives in small, flat text files (most of them under /etc), so a service can be restored simply by putting the right text file back in place. For ClearOS to back these files up natively, all it needs to do is locate the configuration files and copy them to an external disk. ClearOS installs the configuration backup by default, and you can manually back up the system settings from it.

If you want to back up data or mailboxes on the server, you are directed to purchase the Remote Server Backup utility. This has a small but recurring cost of $5 a year. Storage must be purchased separately; 50 GB is $250 per year, and other size increments are available.

This being Linux, you do not need the ClearOS offsite storage to back up the data; you just have to configure it yourself from a shell. Using cron jobs and rsync you can easily back up your data to an external USB disk or a network drive, but all of it is manual configuration, and the web interface knows nothing about it. There is no Volume Shadow Copy equivalent built in, so a file that is being written while the copy runs is captured in whatever state it happens to be in. If you need a consistent copy of a busy directory, take an LVM snapshot first and back that up, or stop the service for the duration of the copy.

If you are using Zarafa, the ClearCenter Remote Server Backup will back up your mailboxes as well. If you do not want to use the paid ClearCenter option, Zarafa has detailed documentation on how to create a dump of the MySQL database where the mail is stored; that dump needs the same schedule, off-box copy and restore test as the file data.

While I appreciate the options that ClearOS gives you, disaster recovery here is not a topic for the faint of heart. If you want a complete local backup of your data and mailboxes, you will have to set it up manually in the shell. There are many third-party applications and scripts that should get you going, and never forget: test, test, test your backup and restore procedure.

Categories: Active Directory, Jeremy
Oct 10

Clear OS – An Alternative to SBS?

by jeremy


Part four of a six part series looking at ClearOS, one of the major commercial alternatives to Small Business Server.  In this post I look at the messaging server, Zarafa.  Be sure to read part one for an overview of ClearOS and part two for an introduction to the installation process. Part three looks at the domain and file sharing.

Part Four: Messaging.

One current source of debate amongst Managed Service Providers is messaging solutions and the cloud. With the Small Business Server product line being cancelled, many IT professionals are looking for an on-premises alternative to Exchange Server. ClearOS includes Zarafa as its messaging solution. The Zarafa messaging suite installs from the Marketplace, and I had installed it during the server setup. Zarafa supports the MAPI protocol. A Zarafa client plug-in is required for Outlook and can be downloaded from the Zarafa website. Setup is what you would expect: create a new profile and choose 'other server type', Zarafa.

Outlook 2010 and Outlook 2007 worked out of the box.  The most important aspect that I found was that single sign on works, exactly as it does with Outlook and Exchange.  The solution is completely LDAP integrated.  If the user changes their password for their computer log in, it does not need to be changed anywhere in the Outlook client. Features that you expect from the messaging platform, including Free Busy, Public Folders and resources scheduling are all available and work as expected.

Public folder setup was not as intuitive as I would have liked.  I had to open a shell on the ClearOS server and create the public folder store manually.  This can only be done from the shell, not the Web Interface.  ClearOS has indicated that this is now a feature request as this should be available from the web interface.

After creating the Public Folder store, the public folder tree appeared in the webmail interface.  If you have already created an Outlook Profile before you created the public folder store, you will need to remove the Outlook profile and recreate it.  Once the Public Folder tree was visible in Outlook, I was able to right click, and create the ‘HR’ Calendar.  Right clicking on my calendar allowed me to set permissions based on the Global Address list, including distribution groups, just as you would if there was an Exchange server on the back end.

You must enable Public Folders for Free/Busy information to be shared. The Free/Busy information is published by the Outlook client and shared in a hidden Public Folder. If you don't enable Public Folders before you set up the Outlook profile, your appointments will need to be recreated.

The final aspect to look at in the Outlook client is offline usage. When opening Outlook while disconnected from the network, you are still able to open and read mail and queue messages for delivery when you reconnect. The end-user experience is seamless when working offline. If you are on a laptop connected to the Internet, opening port 237 in the firewall allows you to work from outside the network, similar to the Outlook Anywhere functionality in Exchange. Port 237 is Zarafa's SSL listener; leave the unencrypted listener on port 236 closed to the outside, and make sure the certificate presented on 237 is one the clients trust, or users will learn to click through warnings.

Overall there is very little configuration in the ClearOS web panel for Zarafa. The webmail interface is served from the configuration URL, so you will want to install a valid SSL certificate (use the SSL tool from the Marketplace, of course). A valid certificate also lets the Outlook client connection be encrypted. Once you create the public folder store, Free/Busy works as expected, as does the global address list. The end user would have no idea that the back end is Zarafa rather than Exchange. ClearOS does a remarkable job integrating the messaging platform into its server solution.

Categories: Active Directory, Jeremy
Oct 9

Clear OS – An Alternative to SBS?

by jeremy


Part three of a six-part series looking at ClearOS, one of the major commercial alternatives to Small Business Server. In this post I look at the operational aspects of the server, primarily domain join and file sharing. Be sure to read part one for an overview of ClearOS and part two for an introduction to the installation process.

Part Three: General Operation

I have set up and installed a ClearOS server to see if I would be willing to use it to replace a Windows server environment. In part two I detailed the installation process; now I want to dive into the actual operation of the server. I am working with a Windows Vista client on this network, and I chose Vista for a specific reason: it is the "red-headed stepchild" of the Windows client OSes. If Vista works, anything will work. The first thing I did was log into the machine with a local account and check my IP address and network connectivity. I have an IP address from the ClearOS server, DNS points to the ClearOS server, and nslookup resolves clearos.linux.local (my server and domain name). Everything here is looking good. I attempted to join it to the domain as I would if there were a Windows domain controller on the network: System, Properties, Domain, Change: linux. I entered my Winadmin credentials, waited a second, and received the positive news: Welcome to the LINUX domain.

I rebooted the Vista machine, entered LINUX\Winadmin and my password at the login prompt, and logged in. Domain join worked, worked properly, and was painless. There was no difference here from joining a Windows domain.

With a domain admin account that can log in to my client machine, the next step is to create some users and file shares. Creating a user is done under the System tab of the ClearOS web interface. There is nothing new or unusual about this: choose Users, then Add, and fill in the user.

Enter the user’s information, and at the bottom of the page you have the option to add them to security groups if you have already created any.  If you choose to install the Messaging application Zarafa, the options are here to set up the SMTP address, set the mail quota, and add aliases.  I did not include a screen shot as it’s a really long form, but it’s a simple web page form, with everything you need for adding a user on one page.

As expected, limited and domain admin accounts work as they should on the Vista client. The domain admin account can install software and make system configuration changes; a limited user account cannot. There is no difference here compared to a Windows domain. You are able to make limited domain users 'local admins' and assign them the right to log in via Remote Desktop.

The next thing I wanted to do was create a share and make sure my users could access it. This is where I hit a wall. I clicked around for a bit on the different tabs: Server, File, nowhere can I create a share. Network, nope, it's not there. I needed to find out how to create a share, and then realised that this is an OS where nothing is installed unless I choose to install it. To the Marketplace! It turns out that I had missed installing the Flexshare application when I did my initial install from the Marketplace.

Flexshares are flexible share resources that allow an administrator to quickly and easily define data sharing, collaboration and access areas via web, file, FTP and/or e-mail (as attachments).

I quickly installed Flexshares and then went to create my share.

OK, so I have an HR share, I allowed access to the HR group, and it's enabled. Impatient as I am, I jumped back to my Vista box, logged in as an HR user, and could not browse the share.

The actual next step is to enable the share as a Windows File Share.

Going back to my Vista machine, I still can't see the HR share, nor can I browse to it. I go back to the Flexshare, choose Edit, and look at it.

Notice the top status is "Disabled"; in the first screenshot it was "Enabled".

Once you set this back to Enabled, you can successfully browse the share from the Vista client. This seems to be a minor bug, or it could be user error, as I was not able to recreate it consistently, but it is something to be aware of when creating your shares. Another major consideration with the default implementation of Flexshares in ClearOS is that there is no way to dictate where your share is located in the file system. You can change it in the system configuration files from a shell session, but this is not available in the web interface, and editing the configuration files is neither intuitive nor simple. By default, Flexshares store all data on the root partition. This is important to consider when you are sizing your server: a share that fills up also fills the partition the operating system runs from.

The next question is how to map these drives consistently. ClearOS provides for logon scripts to be run. In the administration interface, browse to Server, Windows Networking, and make sure the logon script is enabled. By default the file is called login.cmd; you can change the name if you want to run a different file or a VBScript. From a client workstation, open the share \\servername\Netlogon and upload the batch file that maps the drives. This is a hidden share, so you need to navigate to it directly. You can also set a drive letter mapping for users' home directories in this location.

There of course are no group policies to lock down the workstation, or to install software, or even to configure the firewall.  Advanced configuration could be done with a login script; however, completely managing client workstations from a script could become cumbersome.  The basic functionality of file and printer set up can be done with ease.

Domain join and file sharing work better than I could ever have hoped out of the box. The native support for home directories and logon scripts is a big plus when choosing ClearOS. I tested several of my day-to-day tasks on domain-joined machines and all of them worked. I was able to remotely manage the machine, log on via RDP and limit user access. Logon scripts work, and I was able to use a VBScript that maps drives based on user group membership. ClearOS is a complete file sharing solution. User and group setup is fast, easy and straightforward. It truly does 'just work'. As a file server alone, one that requires centralised administration, I would have no problem recommending ClearOS.
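As an added example (mine, not part of the original post and not ClearOS code), here is the group-based drive mapping described above written in PowerShell instead of VBScript. It assumes PowerShell 2.0 is installed on the Vista clients, that login.cmd in \\servername\Netlogon contains the single line `powershell.exe -NoProfile -ExecutionPolicy Bypass -File \\clearos\Netlogon\MapDrives.ps1`, and that the server name `clearos`, the share names and the group names are placeholders for your own.

```powershell
# Added example, not part of the original post: map drives by domain group membership at logon.
# Assumptions: PowerShell 2.0 on the client; 'clearos', the share names and the group names are
# placeholders. Invoked from login.cmd in \\clearos\Netlogon. LINUX is the domain from the post.

$Server = 'clearos'                       # assumed NetBIOS name of the ClearOS server
$Maps = @(
    @{ Letter = 'P'; Share = 'Public'; Group = $null },       # everyone gets this one
    @{ Letter = 'H'; Share = 'HR';     Group = 'LINUX\HR' },  # only members of HR
    @{ Letter = 'S'; Share = 'Sales';  Group = 'LINUX\Sales' }
)

function Test-GroupMembership {
    param([string] $Group)
    if (-not $Group) { return $true }
    # Ask the logon token rather than the server: this is the group set the share ACL will see.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    try   { return $principal.IsInRole($Group) }
    catch { return $false }                   # group name cannot be resolved: treat as not a member
}

function Connect-Share {
    param([string] $Letter, [string] $Unc)
    $device = "${Letter}:"
    # Drop any stale mapping first, otherwise 'net use' fails with 'local device name already in use'.
    if (Test-Path "${Letter}:\") { & net.exe use $device /delete /y | Out-Null }
    if (-not (Test-Path $Unc)) {
        Write-Warning "$Unc is not reachable; skipping $device"
        return $false
    }
    # Non-persistent: the script runs at every logon, so nothing needs to be remembered.
    & net.exe use $device $Unc /persistent:no | Out-Null
    return ($LASTEXITCODE -eq 0)
}

foreach ($map in $Maps) {
    if (Test-GroupMembership -Group $map.Group) {
        $null = Connect-Share -Letter $map.Letter -Unc "\\$Server\$($map.Share)"
    }
}
```

Membership is checked against the user's own logon token, so a user who was just added to a group sees the new drive after the next logon, which is exactly when the share ACL starts letting them in.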

Categories: Active Directory, Jeremy, SBS 2011
Sep 26

When your SBS server says you are over the 75-user limit when you aren't, it's time to clean up AD

by amy


Log Name:      Microsoft-Windows-Small Business Server/Operational
Source:        Windows Small Business Server 2011 Standard
Event ID:      501
Description:
Windows Small Business Server 2011 Standard allows a maximum of 75 user accounts and computers. If you have more than this, use the Windows SBS Console to remove some computers or user accounts.

Once you start to get this event you'll get it once a day until the issue is resolved. SBS is detecting that your Active Directory contains more than 75 objects in a licensed category, so it's time to clean up your AD.

Here's how I go about it:

1. Move all service accounts and templates into the Managed Service Accounts container. This container is a relatively new addition to Active Directory (it arrived with Windows Server 2008 R2, which SBS 2011 is built on) and is designed to house the service accounts that have to exist but aren't really users. This exempts them from licensing.


2. Delete the user and computer accounts that haven't logged in for a long time.

First you need to identify them. To find computer accounts that haven't logged in for 4 weeks, run this command: dsquery computer -inactive 4 (the number is in weeks; it relies on the lastLogonTimestamp attribute, which needs domain functional level Windows Server 2003 or higher and is only replicated every 9 to 14 days, so don't use a window shorter than that). Then move those machines into a ToBeDeleted OU so you can verify that they truly no longer exist. Do the same for user accounts with dsquery user -inactive 4. Once you have verified the accounts to be removed, delete them.
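As an added example (mine, not part of the original post), the same clean-up done with the Active Directory module that ships with Windows Server 2008 R2 and therefore with SBS 2011. It stages stale accounts rather than deleting them, stamps each one with why it was moved, and disables it while it waits. The staging OU's distinguished name is an assumption; create the OU first and substitute your own domain.

```powershell
# Added example, not part of the original post: stage stale accounts for deletion with the
# ActiveDirectory module (Windows Server 2008 R2 / SBS 2011).
# Assumption: the ToBeDeleted OU exists; replace the DN with your own.
Import-Module ActiveDirectory

$InactiveWeeks = 4                                        # same window as 'dsquery ... -inactive 4'
$StagingOU     = 'OU=ToBeDeleted,DC=example,DC=local'     # assumed
$Window        = New-TimeSpan -Days (7 * $InactiveWeeks)  # keep this well above the 9-14 day
                                                          # lastLogonTimestamp replication lag

function Get-StaleAccount {
    param([Parameter(Mandatory = $true)][ValidateSet('Users', 'Computers')] [string] $Kind)
    $scope = @{ "${Kind}Only" = $true }                   # becomes -UsersOnly or -ComputersOnly
    Search-ADAccount -AccountInactive -TimeSpan $Window @scope |
        Where-Object {
            $_.Enabled -and                                               # disabled ones were handled already
            $_.DistinguishedName -notlike "*,$StagingOU" -and             # already staged
            $_.DistinguishedName -notlike '*,OU=Domain Controllers,*'     # never touch DCs
        }
}

function Move-StaleAccountToStaging {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][ValidateSet('Users', 'Computers')] [string] $Kind)
    foreach ($acct in Get-StaleAccount -Kind $Kind) {
        $last = if ($acct.LastLogonDate) { $acct.LastLogonDate.ToString('yyyy-MM-dd') } else { 'never' }
        if ($PSCmdlet.ShouldProcess($acct.SamAccountName, "Disable and move to $StagingOU (last logon $last)")) {
            # Leave a trail for the next admin, disable so the account is unusable while it waits,
            # then move. Move last: the DN changes once the object is in the staging OU.
            Set-ADObject      -Identity $acct.DistinguishedName -Description "Staged $(Get-Date -Format yyyy-MM-dd); last logon $last"
            Disable-ADAccount -Identity $acct.DistinguishedName
            Move-ADObject     -Identity $acct.DistinguishedName -TargetPath $StagingOU
        }
    }
}

function Get-AccountCount {
    # A rough picture of what is in the directory: enabled users and computers, with the
    # Managed Service Accounts container left out as the post suggests.
    $msa       = 'CN=Managed Service Accounts,' + (Get-ADDomain).DistinguishedName
    $users     = @(Get-ADUser -Filter { Enabled -eq $true } | Where-Object { $_.DistinguishedName -notlike "*,$msa" })
    $computers = @(Get-ADComputer -Filter { Enabled -eq $true })
    New-Object PSObject -Property @{ Users = $users.Count; Computers = $computers.Count }
}

# Usage: preview first, then run for real, then re-count.
# Move-StaleAccountToStaging -Kind Computers -WhatIf
# Move-StaleAccountToStaging -Kind Users
# Get-AccountCount
```

Run each function with -WhatIf before letting it change anything. An account that turns out to be a rarely used laptop is trivial to re-enable and move back; one that was deleted is not.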

 

It’s not difficult to clean up your Active Directory. This maintenance activity should be done on a regular basis in all environments whether small or large. Regardless of the size it will help you stay within your purchased CAL limit.

—
Need some more help? That’s what we do. We help IT pros all over the world.
We’re Third Tier. We provide advanced Third Tier support for IT Professionals.

Categories: Active Directory, Amy Babinchak
Feb 1

How to Rejoin a Computer to the Domain without Losing its SID

by amy


This trick comes to me via my Active Directory study group. I suggest that everyone join a user group and/or a study group. It's not that we don't know AD, it's that we forget or miss new features. A refresher course is fun too.

Occasionally a computer will become "disjoined" from the domain. The symptoms can be that users can't log in when connected to the network, a message that the computer account has expired, the domain certificate is invalid, etc. These all stem from the same problem: the secure channel between the computer and the domain is hosed (that's a technical term). The secure channel is authenticated with the computer account's password, of which the machine and the domain controllers each hold a copy; when the two copies stop matching, Netlogon cannot establish the channel.

The classic way to fix this problem is to unjoin and rejoin the domain. Doing so is kind of a pain because it requires a couple of reboots and the user profile isn’t always reconnected. Ewe. Further if you had that computer in any groups or assigned specific permissions to it those are gone because now your computer has a new SID, so the AD doesn’t see it as the same machine anymore. You’ll have to recreate all of that stuff from the excellent documentation that you’ve been keeping. Uh, huh, your excellent documentation. Double Ewe.

Instead of doing that we can just reset the secure channel. There are a couple of ways to do this:

  1. In Active Directory Users and Computers, right-click the computer and select Reset Account. This resets the account password on the domain side only, so you then re-join the machine to the domain without un-joining it. Reboot required.
  2. In an elevated command prompt type: dsmod computer "<Computer DN>" -reset. Same effect as option 1: re-join without un-joining. Reboot required.
  3. In an elevated command prompt type: netdom reset <MachineName> /Domain:<DomainName> /UserO:<UserName> /PasswordO:{<Password> | *}. The account whose credentials you provide must be a member of the local Administrators group on that machine. This resets the password on both sides at once. No rejoin, no reboot.
  4. In an elevated command prompt type: nltest /Server:<MachineName> /SC_Reset:<Domain>\<DomainController>. This re-establishes the channel to a specific domain controller without changing the password, so it only helps when the two copies of the password still agree. No rejoin, no reboot.
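As an added example (mine, not one of the four methods listed in the post), here is the in-place repair done from PowerShell on the affected machine, which does what netdom reset does: it checks the channel first, resets the password on both sides only if the channel is really broken, and verifies afterwards. It needs an elevated PowerShell 2.0 or later session (Windows 7 / Server 2008 R2 and up); the domain controller name is an assumption and the credential is prompted for.

```powershell
# Added example, not part of the original post: test the secure channel from the affected machine
# and repair it in place, so the computer object, its SID and its group memberships survive.
# Requires an elevated PowerShell 2.0+ session on Windows 7 / Server 2008 R2 or later.
# Assumption: the DC name is a placeholder; the credential is prompted for at run time.
$Dc = 'dc1.example.local'   # assumed: any writable domain controller

function Repair-SecureChannel {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $Server,
        [Parameter(Mandatory = $true)] [System.Management.Automation.PSCredential] $Credential
    )

    # 1. Only touch a channel that is actually broken.
    if (Test-ComputerSecureChannel -Server $Server) {
        Write-Verbose 'Secure channel is healthy; no reset performed.'
        return $true
    }

    # 2. -Repair sets a new machine-account password on this computer and on the computer object
    #    at once (the same thing netdom reset does), so there is no rejoin and no new SID.
    #    The credential needs the right to reset that computer object's password.
    $repaired = Test-ComputerSecureChannel -Repair -Server $Server -Credential $Credential
    if (-not $repaired) {
        Write-Warning 'Repair failed. Check that the computer object still exists, is not disabled,'
        Write-Warning 'and that the credential may reset its password. If the object is gone,'
        Write-Warning 'a rejoin (and a new SID) is the only option left.'
        return $false
    }

    # 3. Re-test, and show which DC the channel is now established with.
    $domain = (Get-WmiObject Win32_ComputerSystem).Domain   # works even from a local logon
    & nltest.exe /sc_query:$domain | ForEach-Object { Write-Verbose $_ }
    return (Test-ComputerSecureChannel -Server $Server)
}

# Usage, from a session logged on with a LOCAL administrator account (domain logon is what is broken):
# Repair-SecureChannel -Server $Dc -Credential (Get-Credential 'EXAMPLE\admin') -Verbose
```

Log on with a local administrator account to run it: if the secure channel is down, a domain logon either fails or is running on cached credentials, and the repair needs a fresh domain credential supplied explicitly.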
Categories: Active Directory, Amy Babinchak
Jan 25

Active Directory Best Practices: Accidental Deletion and Container Redirection

by amy


My usergroup has an Active Directory study group going of which I am a member. Each week we review a chapter in the wonderful “Configuring Windows Server 2008 Active Directory 2nd Edition” self-paced training kit. The authors have done a fantastic job. All the members of the group are experienced long time IT professionals. We have 3 consultants, 2 internal IT and 1 looking for an internal IT position as members. We all have many years experience but decided that a refresher course was a good idea. Sure we all know how to use the basics in AD but we have probably missed some Best Practices, Tips and Tricks along the way. We’ve probably also forgotten some things that we knew but didn’t use often enough. This is the reason for the study group and all of the above has been absolutely true. It’s been fun as well, since we all have years of experience we bring those examples to the table and it makes for great geek conversation.

Here are a couple of the items that have made my Best Practices list so far:

Protecting from Accidental Deletion

Now here is an under-the-radar item that is going to prove very useful. You can now protect OUs, containers, groups and objects from accidental deletion. It is as simple as a checkbox, and for new OUs created in Active Directory Users and Computers the box is checked by default. But for existing items it is not. You'll need to go in and retrofit those with protection.


If you have a big, complex AD you can use PowerShell to fit the whole thing with this protection. But what is that checkbox actually doing? It is adding access control entries (ACEs) to the object's DACL: when the box is checked, the Everyone group is explicitly denied Delete and Delete Subtree on the object itself, and Delete All Child Objects on its parent. Because those are Deny ACEs they win over any Allow the administrator holds, which is the point: even a Domain Admin has to clear the box before a delete (or a move, which needs the same right) will succeed.

This isn’t the kind of thing that you’ll find yourself needing often (I hope) but now that you’ve read this, if you don’t go and set that check box you’ll kick yourself later.

Redirecting the Default Computer and User Containers

New computers and users being left in the Computers and Users containers for long periods has long been one of my pet peeves. It distresses me that no one notices that this person or computer has not been subject to Group Policy the way the rest of the domain is, because those two are containers rather than OUs and you cannot link a GPO to them. So when I found this little gem, it made my day.

The commands are: RedirCmp and RedirUsr to redirect anything that lands in the Computers container and the Users container respectively.

The command is entered in an elevated command prompt like this: redircmp "DN of OU for new computer objects". So simple! But you do need to be careful. It requires domain functional level Windows Server 2003 or higher, and if you look at the Computers container afterwards there is no visible indication that it has been redirected; the target is recorded only in the domain's wellKnownObjects attribute. Therefore make a note in the description of the container to remind you and future IT admins that this container is redirected and to where.
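As an added example (mine, not part of the original post), the whole procedure in one script: create the catch-all OUs (protected from accidental deletion, per the previous item), run redircmp and redirusr, write the reminder into the containers' descriptions as advised above, and then read the redirection back from the wellKnownObjects attribute, which is the only place it is stored. It needs domain functional level Windows Server 2003 or higher and Domain Admin rights; the OU names are assumptions.

```powershell
# Added example, not part of the original post: redirect the default containers to OUs that receive
# Group Policy, record the change, and read it back from the one place it is stored (the
# wellKnownObjects attribute on the domain naming context).
# Requires domain functional level Windows Server 2003 or higher and Domain Admin rights.
# Assumption: the OU names are placeholders.
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName
$targets  = @{
    Computers = "OU=New Computers,$domainDn"   # assumed
    Users     = "OU=New Users,$domainDn"       # assumed
}

# redircmp/redirusr insist the OU already exists; create it protected from accidental deletion.
foreach ($ou in $targets.Values) {
    $name = ($ou -split ',', 2)[0] -replace '^OU=', ''
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(distinguishedName=$ou)")) {
        New-ADOrganizationalUnit -Name $name -Path $domainDn -ProtectedFromAccidentalDeletion $true
    }
}

& redircmp.exe $targets.Computers
& redirusr.exe $targets.Users

# The post's advice, automated: leave a note where the next admin will actually look.
Set-ADObject -Identity "CN=Computers,$domainDn" -Description "Redirected to $($targets.Computers)"
Set-ADObject -Identity "CN=Users,$domainDn"     -Description "Redirected to $($targets.Users)"

function Get-DefaultContainerRedirection {
    # Each value looks like B:32:<32 hex digits>:<DN>. The two GUIDs are fixed well-known identifiers
    # for the default Computers and Users containers.
    $known = @{
        'AA312825768811D1ADED00C04FD8D5CD' = 'Computers'
        'A9D1CA15768811D1ADED00C04FD8D5CD' = 'Users'
    }
    $wko = (Get-ADObject -Identity $domainDn -Properties wellKnownObjects).wellKnownObjects
    foreach ($entry in $wko) {
        $parts = $entry -split ':', 4
        $guid  = $parts[2].ToUpper()
        if ($known.ContainsKey($guid)) {
            New-Object PSObject -Property @{ Container = $known[$guid]; NewObjectsGoTo = $parts[3] }
        }
    }
}

Get-DefaultContainerRedirection | Format-Table -AutoSize
```

The Get-DefaultContainerRedirection function is the piece to keep: run on its own it tells you, in any domain you inherit, whether someone before you already redirected the containers and where new objects are landing.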

I have a few more items that have made my BP list but I’ll save those for another post. Keep reading!

Categories: Active Directory, Amy Babinchak
Aug 8

Return of the Brain Explosion: Mastering Remote Access

by amy


Join us on September 29th in Las Vegas as we gear up for the SMB Nation conference with a Masters Class in Implementing and Supporting Remote Access brought to you by members of our staff.

Last year we had a ball, training all day and freely pouring beer into the night. A true geek festival. We’re going to do it all over again. Since last year there’s been a dramatic proliferation of demand for remote access by your users. During this pre-day event we’re going to deep dive into the stuff that makes remote access to network resources reliable, secure and functional for your end users. When you implement this stuff you’ll be the hero! All the content is going to be delivered by Third Tier staff. This is your chance to pick their brains in person. Speakers include: Brian Higgins, Jeremy Anderson, Steve Banks, Amy Babinchak, Cliff Galiher and David Shackelford. That’s a lot of big brains for one room!

Space is limited. Last year we sold out! Registration is about to open. So save the date and keep an eye on this blog.

Here’s what we’re going to cover:

8:30am – doors open, meet & greet, welcome

9:00am – The day begins with DNS. A fitting start to a day full of understanding remote access technologies. DNS is the foundation to all network communications and we’ll show you how the packets flow, which DNS entries are critical and how to create them.

10:15 – break (15 min)

10:30 – So now you've got your DNS records in place and understand which remote access technologies require which kinds of records. This brings us to security. In this session we'll demonstrate how to secure VPN remote access using RADIUS. You've seen that RADIUS option in your router, in your firewall and even in your server. So why aren't you using it to secure remote access to your network? We'll show you how it's done.

12:00 – lunch break (30 min) Vendors Lunch.

1:00 – Remote Web Access is a very popular feature of Small Business Server. In this session we're going to tear it down bit by bit and show you exactly how it works. There's no Oz behind the curtain; instead there's built-in Windows technology. Leave this session not only able to troubleshoot RWA but also able to create an RWA-like interface for your non-SBS domains.

2:30 – break (15 min)

2:45 – Tablets, netbooks, iPads, smartphones, Apple, Microsoft, Android: these devices are everywhere! Which apps can really empower your end users? Which apps are secure, and can you make them more secure? In this session we'll demo a bunch of stuff that is working in the real world for real clients.

4:15 – Final thoughts, dismiss

Later that same evening: PARTY with Third Tier at the local Pub.

Categories: Active Directory, Amy Babinchak, Brain Explosion, Brian Higgins, Cliff Galiher, Dave Shackelford, Jeremy, Networking, SBS 2011, SMB Nation, Steve
Nov 19

Complications from an SBS 2008 Migration

by amy


We ran across an interesting complication during an SBS 2003 to SBS 2008 migration. We run extensive checks on our SBS 2003 servers before performing migrations and this has always served us well. You may have even heard me talk on the various tasks we undertake and tests that we run. In this case we had a local client with an SBS 2003 server that we did not install. Further the previous hardware had failed causing the server to shutdown abruptly over and over again and we had imaged this SBS 2003 server onto new hardware about a year prior. Everything seemed fine with it though and the previous year had gone smoothly with this server.

We fully patched it. We defragmented the Exchange database. We ran the BPA. We updated the NIC drivers. We fixed up a journal wrap problem. We ran dcdiag to test DNS-AD integration. We ran gpupdate. We ran repadmin to test AD sync. We ran the BPA again and it told us that the server held none of the FSMO roles. !***!&*($&#*(&$*!!!!! Yikes. We verified all of them in the GUI. We verified all them using command prompt tools and it came back as holding all of the FSMO roles. Still the BPA persisted in claiming that it did not, so we postponed the migration while we gathered our thoughts. After consulting with everyone we could think of that was an expert in AD, it was concluded that if the AD itself knew that the server held the roles and all of the usual tests came back good that the BPA must be on drugs. The migration was scheduled.

We took a backup. We took an image. We mounted the image onto our virtual server. We started and finished the migration. We migrated the mailboxes, moved the data and generally progressed through the to do list smoothly. Then we noticed the event log in the SBS 2003 server. It said that a recent DC Promo was unable to complete and AD replication was halted until it finished. Sure enough when we tried to add a user as a test, the user did not sync between the servers. AD was not replicating. Testing AD pointed to a problem with the objects in the Computer OU and DNS-AD integration tests said that it was unable to find the PDC. It claimed records were missing that were not missing. Rather than turn back to an SBS 2003 server that no one was able to determine why the BPA said didn’t hold the FSMO roles, we decided our options were to press forward to try to fix the AD or create a new domain. Since everything was working, from the user perspective, we decided we had a bit of time to work on fixing AD before our 21 day migration period was up. Work began.

Moving forward with the migration we got to the point where we decided to uninstall Exchange 2003 and attempt a demotion of the SBS 2003 server. The uninstall of Exchange 2003 went along fine. However, when we tried to demote the SBS 2003 server it informed us that it believed it held the last replica of the DNS application partitions in Active Directory. Hard stop.

To troubleshoot Active Directory we checked the schema version on both servers and found it was set to 44 on each. Good, but we needed them to replicate with each other. So we deleted the connection objects on both servers, went into Active Directory Sites and Services (dssite.msc) on both and told it to check replication topology. After some time we got the connection objects back. We forced replication and it was successful! Problem solved.

We thought, problem solved. Shortly thereafter we got a call from the client: Outlook was reporting Disconnected. A look at Exchange 2007 showed that all of the mailboxes were gone! The good news was that the mailbox store was still the right size, so we knew they were in there; we just needed to connect to them. In the Exchange Management Shell, Get-MailboxDatabase | Clean-MailboxDatabase makes all the disconnected mailboxes show up in the console. Then, in the console, go to Disconnected Mailbox, right-click each mailbox and choose Connect. Do this for each user's mailbox and another problem is solved.

Are we done yet? No, yet another issue reared its ugly head. Users with large mailboxes were getting a message that their mailbox was too big and they were blocked from sending or receiving email. <sigh> The mailbox size limit in the SBS Console still held our settings allowing larger mailboxes for the Standard User role. Reapply the role. No change. Back into the Exchange Management Console we go, and set the mailbox size for the users directly.
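As an added example (mine, not part of the original post), here are those last two fixes done in the Exchange 2007 Management Shell rather than mailbox by mailbox in the console: reconnect every disconnected mailbox to the user whose display name matches exactly (skipping anything ambiguous), and set quotas directly on the mailboxes that were blocked. The database name and the quota values are assumptions; run it as an Exchange Organization Administrator.

```powershell
# Added example, not part of the original post: the two Exchange 2007 repairs from this migration
# done in the Exchange Management Shell instead of one mailbox at a time in the console.
# Assumptions: the database name and quota values are placeholders; run as an Exchange
# Organization Administrator.
$Database = 'Mailbox Database'   # assumed

# 1. Mailboxes that vanished from the console after the AD repair: mark them disconnected so they
#    are visible, then reconnect each to the user whose display name matches exactly.
function Connect-DisconnectedMailbox {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)] [string] $Database)

    Get-MailboxDatabase -Identity $Database | Clean-MailboxDatabase

    $orphans = Get-MailboxStatistics -Database $Database | Where-Object { $_.DisconnectDate }
    foreach ($stats in $orphans) {
        # Only users who do not already own a mailbox are candidates; escape quotes for the filter.
        $name  = $stats.DisplayName -replace "'", "''"
        $users = @(Get-User -Filter "DisplayName -eq '$name' -and RecipientType -eq 'User'")
        if ($users.Count -ne 1) {
            Write-Warning "Skipping '$($stats.DisplayName)': $($users.Count) candidate users, need exactly 1"
            continue
        }
        if ($PSCmdlet.ShouldProcess($stats.DisplayName, "Connect to $($users[0].SamAccountName)")) {
            Connect-Mailbox -Identity $stats.MailboxGuid -Database $Database -User $users[0].Identity
        }
    }
}

# 2. Large mailboxes blocked after the move: the SBS role did not take, so set the quotas on the
#    mailboxes themselves and stop them inheriting the database defaults.
function Set-LargeMailboxQuota {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string[]] $Identity,
        [string] $IssueWarning        = '1.8GB',   # assumed limits; adjust to the role you want
        [string] $ProhibitSend        = '2GB',
        [string] $ProhibitSendReceive = '2.2GB'
    )
    foreach ($id in $Identity) {
        if ($PSCmdlet.ShouldProcess($id, "Quota warn $IssueWarning / send $ProhibitSend / send-receive $ProhibitSendReceive")) {
            Set-Mailbox -Identity $id -UseDatabaseQuotaDefaults $false `
                -IssueWarningQuota $IssueWarning -ProhibitSendQuota $ProhibitSend `
                -ProhibitSendReceiveQuota $ProhibitSendReceive
        }
    }
    # Show the result so the change is verified rather than assumed.
    $Identity | ForEach-Object { Get-Mailbox -Identity $_ } |
        Format-Table Name, UseDatabaseQuotaDefaults, IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota -AutoSize
}

# Usage:
# Connect-DisconnectedMailbox -Database $Database -WhatIf
# Set-LargeMailboxQuota -Identity 'alice', 'bob' -WhatIf
```

The reconnect deliberately refuses to guess: two users with the same display name, or a user who already has a mailbox, are written to the warning stream for a human to sort out rather than attached to the wrong person.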

No further problems have presented themselves so we believe that we have successfully migrated an SBS 2003 with AD problems over to SBS 2008. Overall it was a good learning experience for the technician involved and now we know that the BPA is never on drugs. Apparently it knows things about AD that AD doesn’t even know about itself.


Categories: Active Directory, Amy Babinchak, Exchange, Migration, SBS 2008

Third Tier
Copyright © 2013 All Rights Reserved