With the prerequisites prepared, I will now set up the DFSR configuration with the DFS Management console.
Configure DFSR
In DFS Management, right-click “Replication” and select “New Replication Group…” from the menu to launch the New Replication Group Wizard.
In the New Replication Group Wizard, select “Multipurpose replication group” as the Replication Group Type, then click “Next >”.
Enter the name of the replication group as “One Way Replication with…” and the optional description as “Data replicate from DMZ to Internal”, select the domain “dw.com”, then click “Next >”.
Click “Add…” to select the Replication Group Members.
With “dw.com” as the location, enter the object names “VBHV-FS-01;VBHV-FS-11”, then click “Check Names”.
After the object names are resolved, click “OK”.
Check the progress of adding the members.
When the members have been added, click “Next >”.
Because I am creating one-way replication, select the “No topology” option, then click “Next >”.
A warning message appears, telling us that the custom topology must be created manually after this wizard finishes.
Select “VBHV-FS-01” as the Primary member, then click “Next >”.
Click “Add…” to select a folder on the primary member.
Click “Browse…” to select the local path of the folder.
Select the folder “DMZ to Internal”, then click “OK”.
The “Use name based on path” option is selected, so the replicated folder is named “DMZ to Internal”. If you do not need a custom name, click “OK” to continue.
Click “Next >”.
Click “Edit…” to select the local path of the replicated folder on the other member.
Select the “Enabled” option, then click “Browse…”.
Select the folder “DMZ to Internal”, then click “OK”.
Click “OK”.
Click “Next >”.
If the settings are correct, click “Create” to create the new replication group.
When the status shows “Success”, the New Replication Group Wizard is complete.
After clicking “Close”, a warning message appears again, telling us that replication will not begin immediately because the configuration depends on Active Directory Domain Services replication latency and the polling interval.
The Replication settings in DFS Management now look as follows:
Because only one replication path, from VBHV-FS-01 to VBHV-FS-11, has been created, the reverse path from VBHV-FS-11 to VBHV-FS-01 also needs to be created so that the topology is fully connected.
Click the “Connections” tab and then the “New Connection…” action.
Set the Sending member to “VBHV-FS-11” and the Receiving member to “VBHV-FS-01”, clear the “Create a second connection in the opposite direction” check box, then click “OK”.
The reverse connection has now been created.
Click the “Memberships” tab, right-click “VBHV-FS-11” and select “Make read-only” from the menu.
This sets the replicated folder on that member to read-only.
The one-way DFSR configuration is now complete.
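As an added check (not part of the original post), the following PowerShell script reads the configuration back from both members through the DFSR WMI provider in root\MicrosoftDFS, which is present on Windows Server 2008 R2, and confirms that only VBHV-FS-11 is read-only and that both connections exist. The replication group name is a placeholder because the post truncates it.

```powershell
# Added example (not from the original post): verify the one-way DFSR result
# through the DFSR WMI provider (root\MicrosoftDFS) that ships with Windows Server 2008 R2.
# Names match the post's lab; the group name is a placeholder because the post truncates it.
$RgName   = 'One Way Replication with...'   # placeholder, use the real group name
$RfName   = 'DMZ to Internal'
$Sender   = 'VBHV-FS-01'
$Receiver = 'VBHV-FS-11'

function Get-DfsrMemberState {
    param([string]$Computer)
    $ns = 'root\MicrosoftDFS'
    $rg = Get-WmiObject -ComputerName $Computer -Namespace $ns -Class DfsrReplicationGroupConfig |
          Where-Object { $_.ReplicationGroupName -eq $RgName }
    if (-not $rg) { throw "$Computer is not a member of replication group '$RgName'" }
    # Replicated folder settings as seen by this member (RootPath, Enabled, ReadOnly)
    $rf = Get-WmiObject -ComputerName $Computer -Namespace $ns -Class DfsrReplicatedFolderConfig |
          Where-Object { $_.ReplicationGroupGuid -eq $rg.ReplicationGroupGuid -and
                         $_.ReplicatedFolderName -eq $RfName }
    # Connections: Inbound = $true means this member receives from PartnerName
    $conns = Get-WmiObject -ComputerName $Computer -Namespace $ns -Class DfsrConnectionConfig |
             Where-Object { $_.ReplicationGroupGuid -eq $rg.ReplicationGroupGuid }
    New-Object PSObject -Property @{
        Computer = $Computer
        RootPath = $rf.RootPath
        Enabled  = $rf.Enabled
        ReadOnly = $rf.ReadOnly
        Inbound  = @($conns | Where-Object { $_.Inbound }      | ForEach-Object { $_.PartnerName })
        Outbound = @($conns | Where-Object { -not $_.Inbound } | ForEach-Object { $_.PartnerName })
    }
}

$state = @{}
foreach ($c in $Sender, $Receiver) { $state[$c] = Get-DfsrMemberState $c }
$state.Values | Format-Table Computer, RootPath, Enabled, ReadOnly, Inbound, Outbound -AutoSize

# What the wizard, the manual reverse connection and "Make read-only" should leave behind:
# both members connected in both directions, but only the receiver marked read-only.
$ok = $state[$Sender].Enabled -and $state[$Receiver].Enabled -and
      (-not $state[$Sender].ReadOnly) -and $state[$Receiver].ReadOnly -and
      ($state[$Receiver].Inbound -contains $Sender) -and
      ($state[$Sender].Inbound   -contains $Receiver)
if ($ok) { "One-way topology verified: only $Sender accepts writes for '$RfName'" }
else     { Write-Warning 'Configuration does not match the intended one-way setup' }
```

Because the settings live in Active Directory, run the check only after the AD replication and polling delay mentioned in the wizard's warning has passed.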
In the next article, I will confirm whether replication works correctly.
Previous post: one-way DFSR on Windows Server 2008 R2 (part 1 of 3)
Saturday, June 30, 2012
Friday, June 29, 2012
Account Lockout (part 1 of 4)
If Microsoft AD is the corporate authentication system, I believe every system administrator has suffered Account Lockout reports from end users. It is a little difficult for us to verify why it happened or what the root cause is.
To find out the reason, I searched for related information on Google and found an old tool from Microsoft, the Account Lockout and Management Tools. I decided to build a lab to see whether it is a helpful utility and how it can help us.
In my lab environment, the DC is 64-bit Windows Server 2008 R2 and the client runs the same version as the DC.
In this article, I will describe how to prepare the prerequisites of the system environment. The procedure is as follows:
Audit Policy Setting in GPO
On any Domain Controller, click “Start” –> “Administrative Tools” –> “Group Policy Management” to open Group Policy Management.
Expand the Forest/Domain tree, right-click the domain “dw.com” and select “Create a GPO in this domain, and Link it here…” from the menu.
Enter the new GPO name “DW Domain Policy”, then click “OK”.
The new GPO “DW Domain Policy” is now created. When you click it, a reminder message appears; click “OK” to dismiss it.
Right-click the new GPO and select “Edit…” from the menu to open the Group Policy Management Editor.
Expand “Computer Configuration” –> “Policies” –> “Windows Settings” –> “Security Settings” –> “Local Policies” and click “Audit Policy”; all audit settings appear in the right panel.
Right-click “Audit account logon events” and select “Properties” from the menu.
Enable the “Define these policy settings / Failure” check box, then click “OK”.
Right-click “Audit account management” and select “Properties” from the menu.
Enable the “Define these policy settings / Success, Failure” check boxes, then click “OK”.
Right-click “Audit logon events” and select “Properties” from the menu.
Enable the “Define these policy settings / Failure” check box, then click “OK”.
Right-click “Audit process tracking” and select “Properties” from the menu.
Enable the “Define these policy settings / Failure” check box, then click “OK”.
Finally, the audit policy settings look as follows:
Change New GPO Priority
At a command prompt, type “net accounts” to see the lockout policy set by the default GPO.
In Group Policy Management, move the new GPO “DW Domain Policy” to the first position in the link order.
At a command prompt, type “gpupdate /force” to apply the policy immediately.
The lockout policy is now changed by the new GPO.
Security Maximum Log Size Setting in Event Viewer
In Event Viewer, right-click “Security” and select “Properties” from the menu.
Change the “Maximum log size” field to 200MB and select the “Overwrite events as needed (oldest events first)” option, then click “OK” to apply the new file size.
Enabling Debug Logging for the Net Logon Service
On the PDC Emulator DC, there are two methods to enable it according to KB 109626: adding a registry value, or running a command.
<Registry>
In “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters”, right-click “Parameters”, select “New” –> “DWORD (32-bit) Value” and enter the name “DBFlag”.
Double-click “DBFlag” to edit the DWORD (32-bit) value: select the “Hexadecimal” option, enter the value data “2080FFFF” and click “OK”.
At a command prompt, type net stop netlogon, and then type net start netlogon. This enables debug logging.
<Command>
Run the command “nltest /dbflag:0x2080ffff”.
Note: After you finish debugging, run “nltest /dbflag:0x0” to disable debug mode. Otherwise the netlogon.log file may eventually fill up the disk.
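The following PowerShell script is an added example, not part of the original post: it performs the Event Viewer and registry steps above on the PDC Emulator, adds the MaximumLogFileSize cap from the same KB 109626 so netlogon.log cannot fill the disk, provides the matching disable step, and prints the effective audit and lockout settings for checking. The function names are my own.

```powershell
# Added example (not from the original post): scripted form of the post's prerequisites
# on the PDC Emulator, plus the cleanup the note above asks for. MaximumLogFileSize is the
# Netlogon cap documented in the same KB 109626 (bytes); Netlogon rotates netlogon.log to
# netlogon.bak when it is reached, so the debug log cannot outgrow the disk.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Enable-LockoutDiagnostics {
    param([int]$SecurityLogMB = 200, [int]$NetlogonLogMB = 100)
    # Event Viewer step: Security log 200 MB, overwrite oldest events as needed
    Limit-EventLog -LogName Security -MaximumSize ($SecurityLogMB * 1MB) -OverflowAction OverwriteAsNeeded
    # Registry method: DBFlag = 0x2080FFFF, then restart Netlogon so it takes effect
    New-ItemProperty -Path $NetlogonParams -Name DBFlag -Value ([int]0x2080FFFF) -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $NetlogonParams -Name MaximumLogFileSize -Value ($NetlogonLogMB * 1MB) -PropertyType DWord -Force | Out-Null
    Restart-Service Netlogon -Force
}

function Disable-LockoutDiagnostics {
    # Same effect as "nltest /dbflag:0x0" for the registry method
    New-ItemProperty -Path $NetlogonParams -Name DBFlag -Value 0 -PropertyType DWord -Force | Out-Null
    Restart-Service Netlogon -Force
}

function Show-LockoutDiagnostics {
    $p = Get-ItemProperty -Path $NetlogonParams
    'Netlogon DBFlag: 0x{0:X8}' -f [int]$p.DBFlag
    Get-EventLog -List | Where-Object { $_.Log -eq 'Security' } |
        Select-Object Log, MaximumKilobytes, OverflowAction
    # Effective audit categories pushed by the "DW Domain Policy" GPO
    foreach ($cat in 'Account Logon', 'Logon/Logoff', 'Account Management', 'Detailed Tracking') {
        auditpol /get /category:"$cat"
    }
    # Lockout threshold, duration and window now in force (the "net accounts" check above)
    net accounts | Select-String 'Lockout'
}

Enable-LockoutDiagnostics
Show-LockoutDiagnostics
```

Run it from an elevated PowerShell prompt on the PDC Emulator; call Disable-LockoutDiagnostics when the investigation is over.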
The system prerequisites are now ready. In the next article, I will create an account lockout scenario and use the utility to see how it can help us.
Since 2010 Design by Davidwa
©Copyright Davidwa Inc. All rights reserved.