Wednesday, 31 December 2014

ACCESS BASED ENUMERATION IN WINDOWS SERVER 2012 (ABE)

Q: What is access-based enumeration?
A: Access-based enumeration (ABE) displays only the files and folders that a user has permission to access. It is a built-in feature of Windows Server 2012 that you enable through Share and Storage Management on the share where you want it.
For example, if you enable access-based enumeration on a shared folder that contains many users' home directories (I'll guide you on how to create users' home directories in Active Directory), users who access the shared folder can see only their personal home directories; other users' folders are hidden from view. This can also be used on shares such as common areas, application areas and so on.
When planning your file server structure you should always keep in mind how you want to present the shares to the end user. If you are deploying your file server(s) in a domain with users accessing shared data in a common location, I would suggest you take advantage of ABE or DFS with a domain-based namespace.
Preliminary Steps:

- In Windows Server 2012 Server Manager go to Add Roles and Features and install the File Server role
- Create a folder within a drive that is going to be used as the parent folder

Implementing ABE:

- Open Server Manager and click File and Storage Services
- Click Shares, point to Tasks and click New Share
- Select SMB Share - Quick, select Type a custom path and browse
- Locate where the shared folder is, click Select Folder, then Next
- Under Share Name give it a friendly name according to your needs and click Next
- Under Other Settings is where you enable Access-Based Enumeration by checking it, then click Next
- Under Permissions click Customize permissions, then click Disable inheritance
- Then click Remove all inherited permissions from this object
- Then click Add, select a principal, type Administrators and click OK; under Type select Allow, under Applies to select This folder, subfolders and files, then under Basic permissions check Full control
- Repeat the same procedure, but this time add Domain Admins
- The last step is to add Domain Users, but under Applies to select This folder only and under Basic permissions leave the defaults. Click Apply then OK
- Click Next to view the summary, then click Create and Close
- ABE is now fully functional, but we need to add individual folders for the domain users under that folder, with appropriate permissions, so that a user can only see the folder they are permitted to see.
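The same share and root ACL built from PowerShell, as an added example that is not code from the original post. It assumes the parent folder is D:\UserData, the share is called UserData and the domain's NetBIOS name is DEVKIGROUP; run it in an elevated PowerShell on the file server. The point to notice is the Domain Users entry: it applies to the share root only, so users inherit nothing inside the per-user folders, which is what lets ABE hide every folder but their own.

```powershell
# Added example (not code from the original post): build the ABE share and the root NTFS ACL
# that the wizard steps above describe. Assumptions: parent folder D:\UserData, share name
# UserData, domain NetBIOS name DEVKIGROUP. Run in an elevated PowerShell on the file server.
$Path   = 'D:\UserData'
$Share  = 'UserData'
$Domain = 'DEVKIGROUP'

if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -ItemType Directory | Out-Null }

# "Disable inheritance" followed by "Remove all inherited permissions from this object"
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)

$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$readExecute = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute   # the dialog's default basic permissions
$subtree     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'  # "This folder, subfolders and files"
$thisFolder  = [System.Security.AccessControl.InheritanceFlags]::None                               # "This folder only"
$propagate   = [System.Security.AccessControl.PropagationFlags]::None
$allow       = [System.Security.AccessControl.AccessControlType]::Allow

# Administrators and Domain Admins: Full control on the whole tree
foreach ($principal in @('BUILTIN\Administrators', "$Domain\Domain Admins")) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($principal, $fullControl, $subtree, $propagate, $allow)
    $acl.AddAccessRule($rule)
}

# Domain Users: read on this folder only. They can open the share root but inherit nothing
# inside the per-user folders, so ABE hides every folder except the one they own.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$Domain\Domain Users", $readExecute, $thisFolder, $propagate, $allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# The share itself, with access-based enumeration switched on. The share permission is left at
# Everyone/Full Control on purpose so that the NTFS ACL above is the effective control.
New-SmbShare -Name $Share -Path $Path -FolderEnumerationMode AccessBased -FullAccess 'Everyone' | Out-Null

# Checks: FolderEnumerationMode must read AccessBased and no inherited ACEs may remain on the root
Get-SmbShare -Name $Share | Select-Object Name, Path, FolderEnumerationMode
$inherited = @((Get-Acl -Path $Path).Access | Where-Object { $_.IsInherited }).Count
if ($inherited -ne 0) { Write-Warning "$inherited inherited ACE(s) still present on $Path" }
```

If the share already exists, replace the New-SmbShare line with Set-SmbShare -Name $Share -FolderEnumerationMode AccessBased; the NTFS part is unchanged.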

Creating home folders for domain users in the shared folder with their usernames:

- Open Active Directory Users and Computers
- Expand the OU (organizational unit) that contains the users
- Select all the users, right-click, go to Properties and click on the Profile tab
- In the Profile tab select the Home folder check box, click Connect, leave the drive letter the way it is, then in the To: text box paste the network share path in the following format: \\192.168.2.8\UserData\%username%
- Click Apply then OK. The users' folders will be created in the SMB share folder with their domain usernames, and individual rights assigned to the individual folders.
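What the Profile-tab step does for every user in an OU, scripted, as an added example that is not code from the original post: create the home folder under the share, give that user Full control on it, and set the home drive and directory attributes. It assumes the OU's distinguished name, the domain NetBIOS name DEVKIGROUP and drive letter Z: (the dialog's default); the share path is the one from the post. It needs the RSAT ActiveDirectory module and rights on both the OU and the share.

```powershell
# Added example (not code from the original post). Assumptions: OU DN, NetBIOS domain name
# DEVKIGROUP and drive letter Z:; the share path is the post's own.
Import-Module ActiveDirectory

$OU        = 'OU=Staff,DC=devkigroup,DC=local'
$ShareRoot = '\\192.168.2.8\UserData'
$Domain    = 'DEVKIGROUP'
$HomeDrive = 'Z:'

$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$subtree     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate   = [System.Security.AccessControl.PropagationFlags]::None
$allow       = [System.Security.AccessControl.AccessControlType]::Allow

foreach ($user in Get-ADUser -Filter * -SearchBase $OU) {
    $sam  = $user.SamAccountName
    $home = Join-Path -Path $ShareRoot -ChildPath $sam

    if (-not (Test-Path -Path $home)) { New-Item -Path $home -ItemType Directory | Out-Null }

    # The owner gets Full control on their own folder; admins still inherit Full control from the
    # root, while other domain users hold no ACE here, which is exactly what ABE needs to hide it.
    $acl  = Get-Acl -Path $home
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$Domain\$sam", $fullControl, $subtree, $propagate, $allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $home -AclObject $acl

    # Equivalent of "Home folder: Connect Z: To: \\192.168.2.8\UserData\%username%"
    Set-ADUser -Identity $user -HomeDrive $HomeDrive -HomeDirectory $home
}

# Check the attributes; then, from a workstation as an ordinary user,
# "dir \\192.168.2.8\UserData" should list only that user's own folder.
Get-ADUser -Filter * -SearchBase $OU -Properties HomeDirectory | Select-Object SamAccountName, HomeDirectory
```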
Example: with all the users' folders created and ABE implemented, and assuming the domain has 3 users, John, Jane and Tom:

The share folder looks like:

But when John logs on to his computer he sees:

In my next blog I'll be talking about mapping the shared drive to individual users' computers so that they can open it as a mapped drive and only see their individual folders.
Feel free to contact me or make any improvement or correction to the above blog; I hope this helps some server administrators out there.

Tuesday, 20 May 2014

ADDING A SHARED LX-350/300+ PRINTER (SHARED FROM WINDOWS XP) ON WINDOWS SEVEN

Windows Seven comes preinstalled with Epson LX-300+ drivers, but when adding a shared printer from Windows XP it doesn't always work: it searches Windows Update but never finds the drivers.

A simple solution for that:
1. Add an LX-300 printer in Devices and Printers and use any local port available, e.g. LPT1
2. When the printer has installed successfully, right-click the printer, go to Printer properties, click the Ports tab, then Add Port
3. Select Local Port, and under port name provide the UNC path to the share as the port name, e.g. \\192.168.2.230\epson lx 300 (the second part is the shared printer name)
4. Then make sure that is the active port on the printer, and it should be ready to print

Thursday, 31 October 2013

Creating a Forest-Wide Trust in AD with both incoming and outgoing trust

Introduction:

After having spent the last three days trying to get backups to go to an offsite location, the idea of creating a forest trust between the sites came up, which I spent three more days working on, but finally the whole issue is now in the past.
The company has three locations with three subnets, each having its own forest with a domain inside. This article covers the creation of a forest-wide trust between the three locations.
Note: make sure DNS is working by confirming that all DNS servers are able to resolve names in the other domains. This is done by adding a conditional forwarder on each DNS server pointing to the other servers:
- Open DNS Manager, right-click Conditional Forwarders and click New Conditional Forwarder
- In DNS Domain type the domain name, e.g. technet.local
- Where it says "Click here to add an IP address", type the IP addresses of the other DNS servers
- Select Store this conditional forwarder in Active Directory and replicate it as follows, then select All domain controllers in this domain (for Windows 2000 compatibility)
- Repeat the previous steps on all the DNS servers

CREATING THE FOREST TRUST

The following steps show creating a forest trust between 3 forests, with all of them acting as both trusted and trusting (incoming and outgoing trust):
- Open Active Directory Domains and Trusts on one of the domain controllers
- Right-click the domain name, select Properties, then click the Trusts tab
- Click New Trust
- In Trust Name type the DNS name of the domain you want to create the trust with
- In Trust Type select Forest trust and click Next
- In Direction of Trust click Two-way
- Under Sides of Trust select Both this domain and the specified domain, then click Next
- Provide a username and password for the specified domain
- In Outgoing Trust Authentication Level - Local Forest, select Forest-wide authentication, then click Next
- In Outgoing Trust Authentication Level - Specified Forest, select Forest-wide authentication, then click Next
- On the next screen confirm the details and click Next to complete the creation
- On the next two screens you can confirm the outgoing and incoming trust if need be
To confirm the trust relationship and update routed name suffixes, click the name of the trusted or trusting domain and click Properties.
Click the Validate button, click Yes to validate the incoming or outgoing trust, enter credentials for the specified domain and click OK.
Repeat the above procedure for the third forest on the same forest that you were working on.
Lastly, on the second forest, follow the above procedure to set up the trust between the second and third forests.
Remember to update the root hints on each DNS server by adding the FQDNs and IP addresses of the other DNS servers, accessed through: open DNS Manager > right-click the server > select Properties > click the Root Hints tab > click Add.
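The DNS prerequisite (conditional forwarders and root hints) and the checks to run once the trusts exist, scripted, as an added example that is not code from the original post. It assumes the local DC is this forest's DNS server, that the other two forests are technet.local and branch.local with DNS servers 192.168.3.10 and 192.168.4.10 named dc1 (all made up), and that the partner forests' administrator accounts are used for validation. Run it on a DC of each forest, adjusting $others for that forest. The trust itself is still created in the Active Directory Domains and Trusts wizard as described above.

```powershell
# Added example (not code from the original post). Assumed names and addresses; adjust per forest.
Import-Module DnsServer
Import-Module ActiveDirectory

$others = @{
    'technet.local' = '192.168.3.10'
    'branch.local'  = '192.168.4.10'
}

foreach ($zone in $others.Keys) {
    $ip = $others[$zone]
    # Conditional forwarder stored in AD and replicated to all DCs in this domain
    # ("All domain controllers in this domain (for Windows 2000 compatibility)" = Legacy scope)
    if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerConditionalForwarderZone -Name $zone -MasterServers $ip -ReplicationScope Legacy
    }
    # Root hint for the other forest's DNS server (the post's last step)
    Add-DnsServerRootHint -NameServer "dc1.$zone" -IPAddress $ip
    # Prerequisite check: names in the other forest must resolve before the trust wizard is run
    Resolve-DnsName -Name $zone -Type NS -ErrorAction Stop | Out-Null
    Write-Host "DNS for $zone resolves via $ip"
}

# After the trusts are created: show direction and scope. For the two-way forest trust built above
# expect Direction = BiDirectional, ForestTransitive = True and SelectiveAuthentication = False,
# the last being what "Forest-wide authentication" sets.
Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType, ForestTransitive, SelectiveAuthentication

# Validate the trust with each partner from this side; netdom prompts for the partner's password
foreach ($zone in $others.Keys) {
    netdom trust $env:USERDNSDOMAIN /domain:$zone /userd:"$zone\Administrator" /passwordd:* /verify
}
```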

Monday, 21 October 2013

Using GPO to configure the desktop background for an organizational unit in AD DS ..... WIN2K12

In Windows Server 2012, deploying a Group Policy so that an organizational unit has the same wallpaper or background is fairly straightforward, but it can sometimes be frustrating when client computers' backgrounds display a blank black screen even after the Group Policy has been applied.
GPO Creation

- Open Server Manager, click Tools and select Group Policy Management
- Expand Forest - Domains - domain name - Group Policy Objects
- Right-click Group Policy Objects, select New, give it a name that describes what the policy will do, then OK
- Right-click the newly created policy, then select Edit
- In the Group Policy Management Editor expand User Configuration - Policies - Administrative Templates - Desktop - Desktop
- On the right, right-click Desktop Wallpaper and select Edit
- Check Enabled, then on the right enter a path to which all domain users and computers have read permission, including the wallpaper name, as follows: \\server\wallpaper\lodo.jpg
- Click OK
- If you don't want users to change their respective workstation backgrounds, expand Administrative Templates - Control Panel - Personalization
- On the right, double-click Prevent changing desktop background, click Enabled, then OK
- Close the Group Policy editor
- In the Group Policy Management window, right-click the organizational unit to which you want to apply the Group Policy, select Link an Existing GPO, select the GPO that you've created, then OK
- If you want the GPO to apply to the whole OU without exceptions, right-click it under the OU and select Enforced
If workstations' desktops still default to a blank screen even after logging off, below is a workaround for that:
- Open Group Policy Management
- Right-click the policy that you created and click Edit to go to the Group Policy Management Editor
- Expand User Configuration - Preferences - Windows Settings - Registry
- Right-click Registry, select New, then Registry Item
- In the dialog box that pops up, in the Action box select Replace
- In Hive select HKEY_CURRENT_USER
- In the Key Path box browse HKEY_CURRENT_USER - Control Panel - Desktop, and in the lower part select Wallpaper
- Leave Value type as REG_SZ
- In Value data paste a path to the background photo: c:\windows\lodo.jpg
- Click Apply then OK
- Close all windows
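The same wallpaper GPO, lock-down setting, OU link and registry-preference workaround built with the GroupPolicy module, as an added example that is not code from the original post. It assumes a GPO name, an OU distinguished name and a domain (all made up); the picture paths are the ones the post uses. The Test-Path check at the top covers the read-permission requirement the post mentions: if the share is not readable, clients show the blank desktop the post describes.

```powershell
# Added example (not code from the original post). Assumptions: GPO name, OU DN and domain.
Import-Module GroupPolicy

$GpoName   = 'Corporate Wallpaper'
$TargetOU  = 'OU=Staff,DC=devkigroup,DC=local'
$Wallpaper = '\\server\wallpaper\lodo.jpg'
$LocalCopy = 'C:\Windows\lodo.jpg'

# All domain users and computers need read access to the picture, or clients fall back to a blank desktop
if (-not (Test-Path -Path $Wallpaper)) { throw "Wallpaper not readable from this account: $Wallpaper" }

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# User Configuration > Policies > Administrative Templates > Desktop > Desktop > Desktop Wallpaper
$policyKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Name $GpoName -Key $policyKey -ValueName 'Wallpaper'      -Type String -Value $Wallpaper | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $policyKey -ValueName 'WallpaperStyle' -Type String -Value '2' | Out-Null   # 2 = Stretch

# Control Panel > Personalization > Prevent changing desktop background
Set-GPRegistryValue -Name $GpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop' `
    -ValueName 'NoChangingWallPaper' -Type DWord -Value 1 | Out-Null

# Workaround from the post: User Configuration > Preferences > Windows Settings > Registry,
# action Replace, HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper (REG_SZ)
Set-GPPrefRegistryValue -Name $GpoName -Context User -Action Replace -Key 'HKCU\Control Panel\Desktop' `
    -ValueName 'Wallpaper' -Type String -Value $LocalCopy | Out-Null

# Link to the OU; -Enforced Yes is the right-click "Enforced" option
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes -Enforced Yes | Out-Null

# Check what the GPO now carries
Get-GPRegistryValue -Name $GpoName -Key $policyKey
```

On a client, gpupdate /force followed by a log off and on applies it; gpresult /r shows whether the GPO was applied to the user.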

Wednesday, 16 October 2013

Mirroring Procedure for SQL Server 2008 with Service Pack 3 Installed

Introduction to Mirroring
Mirroring is a mechanism used by DBAs to ensure high availability of a SQL database in a production environment where the DB has to be up all the time. It has always been a headache for DBAs; in this article I am going to cover SQL Server 2008 with Service Pack 3 mirroring with a principal, a mirror and a witness, using certificates for authentication.
I decided to come up with this article after spending almost 2 weeks trying to figure out what was wrong with my setup, i.e. after going through almost all the blogs and official documents provided by Microsoft.
I will go through the process of configuration in high-safety mode with automatic failover.
Preparation of the Servers:
-          Ensure the principal, mirror and witness servers are hosted on separate hosts, each with a unique server instance name
-          Take the latest full backup of the database plus a transaction log backup, and restore them on the mirror server WITH NORECOVERY
-          Allow remote connections:

a.        On all the server instances, enable the following protocols:
Named Pipes
TCP/IP
Shared Memory
                      After enabling the instance protocols, restart the SQL Server instances
b.      Allow exceptions on the firewall for the SQL Server service, which lives in the following path: C:\Program Files\Microsoft SQL Server\MSSQL10.SQL2008\MSSQL\Binn
c.       Change the start-up type of the SQL Browser service to Automatic and add an exception for it in the firewall. The path for the browser is: C:\Program Files (x86)\Microsoft SQL Server\90\Shared
d.      Open port 1433 TCP and port 1434 UDP
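Steps b, c and d scripted with netsh, as an added example that is not code from the original post. It assumes the instance directory MSSQL10.SQL2008 and the Browser path quoted above, and the default service names for a named instance called SQL2008. It also opens TCP 7024, the LISTENER_PORT the endpoint definitions below use: the post's step d covers only 1433 and 1434, and without the endpoint port the partners never connect.

```powershell
# Added example (not code from the original post). Assumptions: instance SQL2008, paths from the post.
# Run elevated on each of the three servers.
$sqlServerExe = 'C:\Program Files\Microsoft SQL Server\MSSQL10.SQL2008\MSSQL\Binn\sqlservr.exe'
$browserExe   = 'C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe'
$endpointPort = 7024   # LISTENER_PORT used by CREATE ENDPOINT Mirroring in the steps that follow

foreach ($exe in @($sqlServerExe, $browserExe)) {
    if (-not (Test-Path -Path $exe)) { throw "Not found: $exe (check the instance directory)" }
}

# b. and c.: program exceptions for the two services
netsh advfirewall firewall add rule name=SQLServer_SQL2008 dir=in action=allow program="$sqlServerExe" enable=yes
netsh advfirewall firewall add rule name=SQLBrowser        dir=in action=allow program="$browserExe"   enable=yes

# d.: the listener ports, plus the mirroring endpoint port
netsh advfirewall firewall add rule name=SQLServer_1433_TCP  dir=in action=allow protocol=TCP localport=1433
netsh advfirewall firewall add rule name=SQLBrowser_1434_UDP dir=in action=allow protocol=UDP localport=1434
netsh advfirewall firewall add rule name=DBMirroring_7024_TCP dir=in action=allow protocol=TCP localport=$endpointPort

# c.: SQL Browser start-up type Automatic, and start it now
Set-Service -Name SQLBrowser -StartupType Automatic
Start-Service -Name SQLBrowser

# Check: the endpoint rule exists and both services are running
netsh advfirewall firewall show rule name=DBMirroring_7024_TCP
Get-Service -Name SQLBrowser, 'MSSQL$SQL2008' | Select-Object Name, Status
```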
1st Principal Server Preparation:
1.      Create a master key for encrypting the certificates
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'p@ssw0rd2012';
GO

2.      Create a certificate to be used for authentication
USE master;
-- Remember to include the start date and expiry date: by default the life span is one year
CREATE CERTIFICATE cert1
   WITH SUBJECT = 'cert1 certificate',
   START_DATE = '1/17/2012',
   EXPIRY_DATE = '1/7/2020';
GO

3.      Create a mirroring endpoint
CREATE ENDPOINT Mirroring
   STATE = STARTED
   AS TCP (
      LISTENER_PORT = 7024
      , LISTENER_IP = ALL
   )
   FOR DATABASE_MIRRORING (
      AUTHENTICATION = CERTIFICATE cert1
      , ENCRYPTION = REQUIRED ALGORITHM AES
      , ROLE = ALL
   );
GO

4.      Back up the certificate to a secure location and copy it across to the mirror server and witness server using a secure method
BACKUP CERTIFICATE cert1 TO FILE = 'C:\cert1.cer';
GO



1st Mirror Server Preparation:

1.       Repeat the same procedure as on the principal server, as follows
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'p@ssw0rd2012';
GO

2.       Create a certificate for authentication for the mirroring
CREATE CERTIFICATE MIRROR
   WITH SUBJECT = 'MIRROR certificate',
   START_DATE = '1/17/2012',
   EXPIRY_DATE = '1/7/2020';
GO

3.       Create the mirroring endpoint
CREATE ENDPOINT Mirroring
   STATE = STARTED
   AS TCP (
      LISTENER_PORT = 7024
      , LISTENER_IP = ALL
   )
   FOR DATABASE_MIRRORING (
      AUTHENTICATION = CERTIFICATE MIRROR
      , ENCRYPTION = REQUIRED ALGORITHM AES
      , ROLE = ALL
   );
GO

4.       Back up the certificate and use a secure method to copy it across to both the principal and witness servers
BACKUP CERTIFICATE MIRROR TO FILE = 'C:\MIRROR.cer';
GO


2nd Principal Preparation:

1.       Create a login for the mirror server
USE master;
CREATE LOGIN MIRROR WITH PASSWORD = 'p@ssw0rd2012';
GO

2.       Create a user for the login MIRROR
CREATE USER MIRROR_user FOR LOGIN MIRROR;
GO

3.       Create the certificate for that user from the file you copied across from the mirror server
CREATE CERTIFICATE MIRROR
   AUTHORIZATION MIRROR_user
   FROM FILE = 'C:\MIRROR.cer';
GO

4.       Grant the login MIRROR permission to connect to the mirroring endpoint
GRANT CONNECT ON ENDPOINT::Mirroring TO [MIRROR];
GO




2nd Mirror Preparation:

1.       Create a login for the principal server
USE master;
CREATE LOGIN prin1 WITH PASSWORD = 'p@ssw0rd2012';
GO

2.       Create a user for the login
CREATE USER prin1_user FOR LOGIN prin1;
GO

3.       Create the certificate for that user from the principal's certificate file you copied across
CREATE CERTIFICATE cert1
   AUTHORIZATION prin1_user
   FROM FILE = 'C:\cert1.cer';
GO

4.       Grant the login permission to connect to the mirroring endpoint
GRANT CONNECT ON ENDPOINT::Mirroring TO [prin1];
GO
Witness Server Preparation:

1.       Repeat the same procedure on the witness server:
-          Create the master key
-          Create a certificate
-          Create the mirroring endpoint
-          Back up the certificate and copy it securely across to the other servers
2.       On the witness server create a login for the mirror server and one for the principal server, create a certificate for each from the respective copied certificate file, and grant each login CONNECT on the mirroring endpoint
-          Repeat step (2) on the principal and mirror servers for the witness login
Mirroring Procedure:
Before mirroring starts you need to add entries for the other servers to each server's hosts file, in the following location:
C:\Windows\System32\drivers\etc
Open the file called hosts with Notepad, scroll down to the last line, then add the IP address and fully qualified domain name of each of the other two servers in this format:
192.168.2.8          DEVKIHQ2MIR.devkigroup.local
After the last step on the last server the instances are ready for mirroring. Open the instance on the principal server using SQL Server Management Studio and follow these steps:
1.       Right-click the database, point to Tasks, then click Mirror
2.       Click Configure Security, then Next
3.       On the Include Witness Server page leave it as it is, then click Next
4.       On the next screen choose the three servers to configure, then click Next; connect to the principal instance, then click Next; connect to the mirror server instance and click Next; connect to the witness server and click Next
5.       On the Service Accounts screen leave it as it is, click Next, then Finish, then Close

6.       After closing, click the Start Mirroring button, and that's it
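The hosts-file step scripted so that each server gets the other two entries, followed by a check of the endpoint and of the mirroring session from the catalog views, as an added example that is not code from the original post. Only the first hosts entry is the post's own; the other two host names and addresses are made up, as is the instance name SQL2008. The caller needs a Windows login with VIEW SERVER STATE on the instance (sysadmin in the post's setup). The endpoint query is the one to run if the wizard fails at Start Mirroring: it shows whether the endpoint is STARTED, that it really uses CERTIFICATE authentication with AES, and when the certificate expires.

```powershell
# Added example (not code from the original post). Assumptions: second and third host entries,
# instance name SQL2008; the first hosts line is the post's own.
$hostsFile = Join-Path -Path $env:SystemRoot -ChildPath 'System32\drivers\etc\hosts'
$entries = @(
    '192.168.2.8          DEVKIHQ2MIR.devkigroup.local'   # from the post
    '192.168.2.9          DEVKIHQ1.devkigroup.local'      # assumed principal
    '192.168.2.10         DEVKIHQWIT.devkigroup.local'    # assumed witness
)
$existing = Get-Content -Path $hostsFile
foreach ($entry in $entries) {
    $fqdn = ($entry -split '\s+')[1]
    # Skip the line that names this machine, and anything already present
    if ($fqdn -ieq "$env:COMPUTERNAME.devkigroup.local") { continue }
    if ($existing -match "\b$([regex]::Escape($fqdn))\b") { continue }
    Add-Content -Path $hostsFile -Value $entry
}

function Get-MirroringStatus {
    param([string]$Instance = 'localhost\SQL2008')   # assumed instance name
    $query = @"
SELECT e.name, e.state_desc, e.role_desc, e.connection_auth_desc, e.encryption_algorithm_desc,
       t.port, c.name AS certificate_name, c.expiry_date
FROM sys.database_mirroring_endpoints AS e
JOIN sys.tcp_endpoints AS t ON t.endpoint_id = e.endpoint_id
LEFT JOIN sys.certificates AS c ON c.certificate_id = e.certificate_id;

SELECT DB_NAME(database_id) AS database_name, mirroring_role_desc, mirroring_state_desc,
       mirroring_safety_level_desc, mirroring_witness_state_desc, mirroring_partner_name
FROM sys.database_mirroring
WHERE mirroring_guid IS NOT NULL;
"@
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Integrated Security=True;Connection Timeout=10")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $adapter = New-Object System.Data.SqlClient.SqlDataAdapter($cmd)
        $set = New-Object System.Data.DataSet
        [void]$adapter.Fill($set)
        $set.Tables[0]   # endpoint: expect STARTED, CERTIFICATE, AES, port 7024, expiry_date still in the future
        $set.Tables[1]   # session: expect SYNCHRONIZED, safety FULL, witness CONNECTED for automatic failover
    } finally {
        $conn.Close()
    }
}

Get-MirroringStatus | Format-Table -AutoSize
```

Run it on all three servers: the first result set should look the same on each (apart from the certificate name), and an empty second result set on the principal means the wizard never completed.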