Webpage

Saturday, June 30, 2012

one-way DFSR on Windows Server 2008 R2 (part 2 of 3)

After preparing the related prerequisites, I will begin to set up the DFSR configuration with the management utility.

Configure DFSR
In DFS Management, right-click “Replication” and select “New Replication Group…” from the menu to launch the New Replication Group Wizard.
In the New Replication Group Wizard, select “Multipurpose replication group” as the Replication Group Type, then click the “Next >” button.
Enter the name of the replication group as “One Way Replication with…” and the optional description as “Data replicate from DMZ to Internal”, select the domain “dw.com”, then click the “Next >” button.
Click the “Add…” button to select the Replication Group Members.
With “dw.com” as the location, enter the object names “VBHV-FS-01;VBHV-FS-11”, then click the “Check Names” button.
After the object names are resolved, click the “OK” button.
The wizard now checks the members.
When the members have been added, click the “Next >” button.
Because I am creating one-way replication, select the “No topology” option, then click the “Next >” button.
A warning message appears, telling us that the custom topology has to be created by ourselves after this wizard finishes.
Select “VBHV-FS-01” as the Primary member, then click the “Next >” button.
Click the “Add…” button to select a folder on the primary member.
Click the “Browse…” button to select the local path of the folder.
Select the folder “DMZ to Internal”, then click the “OK” button.
The “Use name based on path” option is selected and the folder name is “DMZ to Internal”. If a custom name is not needed, click the “OK” button to continue.
Click the “Next >” button.
Click “Edit…” to select the local path of the replicated folder.
Select the “Enabled” option, then click the “Browse…” button.
Select the folder “DMZ to Internal”, then click the “OK” button.
Click the “OK” button.
Click the “Next >” button.
If the settings are correct, click the “Create” button to begin creating the new replication group.
When the status shows “Success”, the New Replication Group Wizard is complete.
After clicking the “Close” button, the warning message appears again, telling us that replication will not begin immediately because the configuration depends on Active Directory Domain Services replication latency and the polling interval.
Now the Replication settings in DFS Management are as follows:
Because only one replication path, from VBHV-FS-01 to VBHV-FS-11, was created, the reverse path from VBHV-FS-11 to VBHV-FS-01 also needs to be created so that the topology is fully connected.
Click the “Connections” tab and the “New Connection…” action.
Change the Sending member to “VBHV-FS-11” and the Receiving member to “VBHV-FS-01”, clear the “Create a second connection in the opposite direction” check box, then click the “OK” button.
Now the reverse connection has been created.
Click the “Memberships” tab, right-click “VBHV-FS-11” and select “Make read-only” from the menu.
Doing so sets the read-only attribute on the replicated folder membership of VBHV-FS-11.
Now the one-way DFSR configuration is complete.
In the next article, I will confirm whether replication works correctly.
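As an added example that is not part of the original post, the following PowerShell script checks the result of the wizard and the manual steps above from the read-only member: that the membership of “DMZ to Internal” on VBHV-FS-11 is actually read-only, what state the folder is in, and that one inbound and one outbound connection exist. It assumes the DFSR WMI provider in root\MicrosoftDFS on Windows Server 2008 R2 exposes the ReadOnly, Inbound and ReplicationGroupGuid properties named below, and that it is run with administrative rights.

```powershell
# Added example, not part of the original post: verify the one-way DFSR
# configuration on the read-only member. Assumes the names used above
# (folder "DMZ to Internal", members VBHV-FS-01 and VBHV-FS-11) and the
# DFSR WMI provider in root\MicrosoftDFS on Windows Server 2008 R2.
param(
    [string]$Member = 'VBHV-FS-11',        # member that must be read-only
    [string]$Folder = 'DMZ to Internal'
)
$ns = 'root\MicrosoftDFS'

# Membership of the replicated folder on this member
$rf = Get-WmiObject -Namespace $ns -Class DfsrReplicatedFolderConfig -ComputerName $Member |
      Where-Object { $_.ReplicatedFolderName -eq $Folder }
if (-not $rf) { throw "Replicated folder '$Folder' not found on $Member" }
"Group      : $($rf.ReplicationGroupName)"
"Local path : $($rf.RootPath)"
"Enabled    : $($rf.Enabled)"
"Read-only  : $($rf.ReadOnly)"
if (-not $rf.ReadOnly) {
    Write-Warning "$Member is NOT read-only; local changes could replicate back to the DMZ member"
}

# Replication state of the folder (4 = Normal, 2 = Initial Sync, 5 = In Error)
$info = Get-WmiObject -Namespace $ns -Class DfsrReplicatedFolderInfo -ComputerName $Member |
        Where-Object { $_.ReplicatedFolderGuid -eq $rf.ReplicatedFolderGuid }
$stateName = @{0='Uninitialized';1='Initialized';2='Initial Sync';3='Auto Recovery';4='Normal';5='In Error'}
"State      : $($stateName[[int]$info.State])"

# Connections: a fully connected pair needs one inbound and one outbound connection
$conns = Get-WmiObject -Namespace $ns -Class DfsrConnectionConfig -ComputerName $Member |
         Where-Object { $_.ReplicationGroupGuid -eq $rf.ReplicationGroupGuid }
foreach ($c in $conns) {
    $dir = if ($c.Inbound) { 'from' } else { 'to' }
    "Connection $dir $($c.PartnerName) (enabled=$($c.Enabled))"
}
$in  = @($conns | Where-Object { $_.Inbound -and $_.Enabled }).Count
$out = @($conns | Where-Object { -not $_.Inbound -and $_.Enabled }).Count
if ($in -lt 1 -or $out -lt 1) {
    Write-Warning "Topology is not fully connected (inbound=$in, outbound=$out)"
}
```

Run it right after the wizard and again after the AD replication and polling delay mentioned above; the state only reaches Normal once the member has picked up the configuration.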


Friday, June 29, 2012

Account Lockout (part 1 of 4)

If Microsoft AD is the corporate authentication system, I believe every system manager has suffered account lockouts reported by end users. It is a little difficult for us to verify why it happened or what the main reason is.

To know the reason clearly, I searched for related information on Google and found an old tool from Microsoft --- Account Lockout and Management Tools. I decided to build a lab to find out whether it is a helpful utility and how it can help us.

In my lab environment, the DC is 64-bit Windows Server 2008 R2 and the client runs the same version as the DC.
In this article, I will describe how to prepare the prerequisites of the system environment. The related procedure is as follows:

Audit Policy Setting in GPO
On any Domain Controller, click “Start” –> “Administrative Tools” –> “Group Policy Management” to open Group Policy Management.
Expand the Forest/Domains tree, right-click the domain “dw.com” and select “Create a GPO in this domain, and Link it here…” from the menu.
Enter the new GPO name “DW Domain Policy”, then click the “OK” button.
The new GPO “DW Domain Policy” is created. When you click it, a reminder message appears; click the “OK” button to dismiss it.
Right-click the new GPO and select “Edit…” from the menu to open the Group Policy Management Editor.
Expand “Computer Configuration” –> “Policies” –> “Windows Settings” –> “Security Settings” –> “Local Policies” and click “Audit Policy”; all audit settings are listed in the right panel.
Right-click “Audit account logon events” and select “Properties” from the menu.
Enable “Define these policy settings” and check “Failure”, then click the “OK” button.
Right-click “Audit account management” and select “Properties” from the menu.
Enable “Define these policy settings” and check “Success” and “Failure”, then click the “OK” button.
Right-click “Audit logon events” and select “Properties” from the menu.
Enable “Define these policy settings” and check “Failure”, then click the “OK” button.
Right-click “Audit process tracking” and select “Properties” from the menu.
Enable “Define these policy settings” and check “Failure”, then click the “OK” button.
Finally, the audit policy settings are as follows (screenshot of the resulting Audit Policy panel).
Change New GPO Priority
At a command prompt, type “net accounts” to see the lockout policy currently applied by the default GPO.
In Group Policy Management, move the new GPO “DW Domain Policy” to the first position in the link order.
At a command prompt, type “gpupdate /force” to apply the policy immediately.
Now the lockout policy is changed by the new GPO.
Security Maximum log size setting in Event Viewer
In Event Viewer, right-click “Security” and select “Properties” from the menu.
Change the “Maximum log size” field to 200 MB, select the “Overwrite events as needed (oldest events first)” option, then click “OK” to apply the new file size.
Enabling debug logging for the Net Logon service
On the PDC Emulator DC, there are two methods to enable it according to KB 109626 --- adding a registry value and executing a command.
<Registry>
Under “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters”, right-click “Parameters”, select “New” –> “DWORD (32-bit) Value” and enter the name “DBFlag”.
Double-click “DBFlag” to edit the DWORD (32-bit) value: select the “Hexadecimal” option, enter the value data “2080FFFF” and click the “OK” button.
At a command prompt, type net stop netlogon, and then type net start netlogon. This enables debug logging.
<Command>
Run the command “nltest /dbflag:0x2080ffff”.
Note: After debugging is finished, run the “nltest /dbflag:0x0” command to disable debug mode. Otherwise the netlogon.log file may eventually grow larger than the available disk space.
Now the system prerequisites are ready. In the next article, I will build an account lockout scenario and then use the utility to find out how it can help us.
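As an added example that is not part of the original post, the following PowerShell script checks on the DC that the prerequisites above are in effect: the lockout policy reported by net accounts, the audit categories set through “DW Domain Policy”, the Security log size and retention, and the Net Logon DBFlag value together with the current netlogon.log size. It assumes an elevated prompt on the PDC Emulator and the default Net Logon log location %windir%\debug\netlogon.log.

```powershell
# Added example, not part of the original post: check the prerequisites
# configured above. Assumes an elevated prompt on the PDC emulator and
# the default Net Logon log location %windir%\debug\netlogon.log.
$expectedDbFlag = 0x2080FFFF   # PowerShell parses this as a (negative) Int32,
                               # the same type Get-ItemProperty returns for REG_DWORD
$expectedLogMB  = 200

# 1. Lockout policy currently in effect (from "net accounts")
net accounts | Select-String -Pattern 'Lockout'

# 2. Audit categories set through "DW Domain Policy"
foreach ($cat in 'Account Logon','Account Management','Logon/Logoff','Detailed Tracking') {
    auditpol /get /category:"$cat"
}

# 3. Security log size and retention ("Overwrite events as needed" = Circular)
$sec    = Get-WinEvent -ListLog Security
$sizeMB = [int]($sec.MaximumSizeInBytes / 1MB)
"Security log: $sizeMB MB, retention mode $($sec.LogMode)"
if ($sizeMB -lt $expectedLogMB -or $sec.LogMode -ne 'Circular') {
    Write-Warning "Security log should be $expectedLogMB MB with overwrite-as-needed"
}

# 4. Net Logon debug flag and current log size
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$dbflag = (Get-ItemProperty -Path $key -Name DBFlag -ErrorAction SilentlyContinue).DBFlag
if ($dbflag -eq $expectedDbFlag) {
    'Net Logon debug logging is enabled (DBFlag=0x{0:X8})' -f $dbflag
    $log = Join-Path $env:windir 'debug\netlogon.log'
    if (Test-Path $log) {
        'netlogon.log is {0:N1} MB; run "nltest /dbflag:0x0" when done' -f ((Get-Item $log).Length / 1MB)
    }
} else {
    Write-Warning "DBFlag is not 0x2080FFFF (current value: $dbflag); debug logging is off"
}
```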

Since 2010 Design by Davidwa
©Copyright Davidwa Inc. All rights reserved.