Wednesday, May 28, 2008

Netlogon and DHCP Client service



I remember asking about the DHCP Client service many times in interviews. Here is the question: if an Exchange server has, or should be configured with, a static IP address, why do we need to keep the DHCP Client service running on it? Wouldn't it be better to disable it and make Exchange a little bit stronger, considering the best practice is to disable services you don't need?

Active Directory is a multi-master replication model with DNS integration. I often refer to DNS as a dynamic repository, where servers, workstations and other network applications publish their own records (names, IP addresses and the services they provide) so that clients can locate them and use those services. Domain controllers publish records in DNS announcing that they are domain controllers and provide domain controller services to clients: authentication at the very least, and other services such as DHCP, DNS, remote access, web services, print services, multimedia, FTP, file services, etc.

The servers are responsible for registering their dynamic records in the DNS database; they also refresh and update their own records. Domain controllers refresh these records every 24 hours with the help of the Netlogon service, and the refresh can be forced by restarting the Netlogon service on the domain controller when troubleshooting requires it.

When a workstation starts, it registers a host (A) record in DNS, announcing itself as a workstation along with its computer name and IP address. Sometimes network administrators also add these records to DNS manually, for various reasons.

Dynamically added records are also refreshed automatically every 24 hours. The way to force a refresh is to issue a simple ipconfig /registerdns command or to restart the DHCP Client service. From the command line, the two commands below do the job; if you prefer the GUI, open the services.msc snap-in, locate the DHCP Client service and restart it from there.

  • net stop DHCP
  • net start DHCP
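The check I would run before (and after) anyone touches this service on an Exchange box, as an added PowerShell example that is not part of the original post: it confirms the DHCP Client service is not disabled and that each adapter's static address is actually what DNS returns for the host. The `$Servers` list is an assumption; it defaults to the local machine.

```powershell
# Added example (not from the original post): audit the DHCP Client service and
# dynamic DNS registration on static-IP servers such as Exchange.
# $Servers is assumed; defaults to the local machine.
param([string[]]$Servers = @($env:COMPUTERNAME))

foreach ($server in $Servers) {
    # The DHCP Client service (short name "Dhcp") owns host (A) record registration
    # even when the address is static, so StartMode must never be Disabled.
    $svc = Get-WmiObject Win32_Service -ComputerName $server -Filter "Name='Dhcp'"
    if ($svc.StartMode -eq 'Disabled' -or $svc.State -ne 'Running') {
        Write-Warning ("{0}: DHCP Client is {1} (StartMode={2}); DNS registration has stopped" -f
            $server, $svc.State, $svc.StartMode)
    }

    # Every IP-enabled adapter: registration switch and A-record consistency
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $server -Filter "IPEnabled=TRUE"
    foreach ($nic in $nics) {
        if (-not $nic.FullDNSRegistrationEnabled) {
            Write-Warning ("{0}: adapter '{1}' has 'Register this connection's addresses in DNS' turned off" -f
                $server, $nic.Description)
        }

        # Compare what DNS currently returns for the host with the IPv4 addresses the adapter holds
        $fqdn = "{0}.{1}" -f $nic.DNSHostName, $nic.DNSDomain
        try   { $inDns = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.ToString() } }
        catch { Write-Warning ("{0}: {1} does not resolve at all" -f $server, $fqdn); continue }

        $ipv4 = $nic.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' }
        foreach ($ip in $ipv4) {
            if ($inDns -notcontains $ip) {
                Write-Warning ("{0}: {1} is not among the A records for {2} ({3}); run ipconfig /registerdns or restart the Dhcp service" -f
                    $server, $ip, $fqdn, ($inDns -join ', '))
            } else {
                "{0}: {1} -> {2} OK" -f $server, $fqdn, $ip
            }
        }
    }
}
```

Run it from an admin workstation against all mail servers; a Disabled start mode combined with a stale A record is exactly the failure described in the story that follows.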

You may remember one of my previous posts telling a little story about the DHCP Client service. An Exchange administrator at company X gets bored one day and decides to make some improvements to the production Exchange systems. He realizes the Exchange servers have static IP addresses and tells himself: why do I need the DHCP Client service running? Let me disable it and give more power to the Exchange boxes. So he disables the "DHCP Client service" and leaves work early the same day without telling anyone about the improvement he has introduced.

Later, all 12 Exchange servers at company X went crazy and a mail outage began. The company spent quite a bit of time trying to figure out what was going wrong; they tried to call the Exchange admin and could not reach him, so they tried the most famous fix of all and rebooted the mail servers one by one. That did no good either, because the Exchange admin had not only stopped the "DHCP Client service" but also set its startup type to Disabled permanently. To make the story short, after the reboots they ended up calling Microsoft PS Exchange support, and Microsoft figured out in less than one minute that the DHCP Client service was set to Disabled. They turned the service on (restarted it), set it to start automatically, and the problem went away.

I do not know what happened to the Exchange admin at company X, but I heard he was in big trouble the next day. One more note on DNS: manually created records do not get a time stamp and therefore cannot become stale.

Make sure the DHCP Client service is not set to Disabled on your Exchange server (-: and do understand what it does.

Oz Ozugurlu,

Systems Engineer

MCITP (EMA), MCITP (SA)

MCSE 2003, M+, S+, MCDST

Security+, Project +, Server +

Tuesday, May 20, 2008

What would be the average deal size of an OCS deal with a large scale enterprise?



We recently implemented OCS for pilot usage. The environment I work in has over 50,000 users all over the USA. The product itself seems stunning, in my opinion. The scalability of OCS is pretty much up to the implementation. Let me say this up front: believe it or not, Standard OCS and Enterprise OCS do the same job, so what a company gets out of the Enterprise version is the ability to use the paid version of SQL Server and bring redundancy to the environment. Each OCS server is capable of handling at least 5,000 users, and the Enterprise version can use a shared database (SQL) server; this is why you would pay more and get the Enterprise version of OCS.

The SQL server can be 64-bit, and I think for a large-scale environment that suits best. There is ISA integration, and a front server called the "Edge" OCS server, which lets IM be used from outside the company network. The idea behind this is similar to the front-end/back-end server scenario.

Here are a couple of questions I asked our Microsoft consultant during the OCS implementation; I will share them with you here on my blog.

Question

Is there a way to limit the size of a file transfer with Communicator?

Answer:

Not at present. However, there is a new product called Forefront for OCS that will allow content and attachment filtering. This is a new offering that is not available to the public yet. There is a TAP program that allows customers to use the product early, starting with Beta 1 in a lab and Beta 2 in production.

Question

Is there a way to limit the file size in OCS (when users send files to each other)?

Answer:

The default limit on size is 4 GB.

Question

Can we allow external users to attend meetings?

Answer:

Not without an Edge server which we did not install.

Question

Can we use automatic logon since the OCS server is installed in a different domain than the SIP domain?

Yes

  • In the smtp25.org DNS zone (the empty root domain) create an A record
  • Name: SIP.SMTP25.org
  • IP: the IP of the actual OCS server (located in the child domain)
  • Create the SRV record, but use SIP.SMTP25.org as the FQDN of the host for the SRV record.
  • This works because when the certificate was created we used a SAN of SIP.SMTP25.org.

I would like to say thanks to our Microsoft consultant Mack McMillan for excellent support and for clearing up the questions we had. With his help the pilot install was smooth, enjoyable and very easy. As prep work we needed to extend the schema. Since upper management had several concerns about extending the schema, before starting the work we performed a system state backup and then did the schema extension on the root domain's schema master. The schema master wants to talk to the PDC emulator during the process; the idea, as with any other application, is fast replication from the PDC emulator to the other DCs throughout the forest. As I said earlier, the installation wizard rocks, and there is great documentation available online.

I will write more about OCS on my blog in the near future.

Visit this site (OCS)

Regards,

Oz ozugurlu,

Systems Engineer

MCITP (EMA), MCITP (SA),

MCSE 2003 M+ S+ MCDST

Security Project+ Server+

oz@SMTp25.org

OCS SERVER (OFFICE COMMUNICATOR)



We finally finished deploying OCS. Let me tell you this up front: OCS looks rock solid, and I am sure it will improve work quality in a short time. For those of you who don't know much about it, this is the product for internal chat, file sharing, virtual meetings (round table) and more. Installation of OCS is kind of tricky, but the installation wizard is extremely helpful and easy to follow through.

Installation Tips:

Keep your database files on a separate drive, and keep the transaction logs on another separate drive if possible.

  • Installation Path: C:\Program Files\Microsoft Office Communications Server 2007\
  • Main service account name: RTCService
  • Conferencing service account name: RTCComponentService
  • Internal web farm FQDN: NHQOSC001.smtp25.org
  • External web farm FQDN: <Empty>
  • User database path: O:\LC Data\
  • User database log path: C:\LC Log\

Problem: Failed to activate Office Communications Server Standard Edition Server on machine

  • Event Type: Warning
  • Event Source: OCS Setup
  • Event Category: (1007)
  • Event ID: 30502
  • Date: 5/19/2008
  • Time: 3:10:55 PM
  • User: N/A
  • Computer: NHQOSC001
  • Description:
  • Failed to activate Office Communications Server Standard Edition Server on machine NHQOSC001.archq.ri.redcross.net.
  • Error: 80004002
  • Description: No such interface supported


Solution:

The command needs to be executed against the root domain rather than the child domain. In this scenario you are installing OCS in a child domain under an empty root domain, so open a command prompt on the OCS server and execute the following command.

PS: RCODC3CHI005 is the name of the root DC in this case.


LCSCmd.exe /Server /Role:SE /Action:Activate /Password:My$tr0ngPwd /RootDC:RCODC3CHI005 /GC:RCODC3CHI005



Problem:

  • Event Type: Warning
  • Event Source: Communicator
  • Event Category: None
  • Event ID: 1
  • Date: 5/20/2008
  • Time: 11:13:14 AM
  • User: N/A
  • Computer: OOZUGURLUPC
  • Description:

Communicator was unable to locate the login server. No DNS SRV records exist for domain smtp25.org, so Communicator was unable to login.

Resolution:

Please double-check the server name to make sure that it is typed correctly. If it is correct, the network administrator will either need to use manual configuration to specify the login server's fully-qualified domain name (FQDN), or add DNS SRV records for the smtp25.org domain in order to allow automatic client configuration. The DNS SRV records

  • _sipinternaltls._tcp.smtp25.org
  • _sipinternal._tcp.smtp25.org


Go to the DNS server.

Create the SRV record: New, Other New Records, Service Location (SRV). In the Service field erase the default and type _sipinternaltls.

Host offering this service: sip.smtp25.org (change smtp25.org to your own domain).
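The same DNS setup, created from the command line and then verified the way Communicator sees it, as an added example serving both the automatic-logon answer in the OCS Q&A above and this Event ID 1 resolution; it is not the original post's own procedure. The DNS server name and OCS IP are assumed placeholders, and ports 5061 (TLS) and 5060 (TCP) are assumed to be the OCS defaults.

```powershell
# Added example (not from the original post): create and verify the DNS records
# Office Communicator needs for automatic sign-in in the smtp25.org SIP domain.
# Assumptions: $DnsServer hosts the smtp25.org zone; $OcsIp is the OCS server in the
# child domain; 5061 (TLS) and 5060 (TCP) are the OCS default ports.
param(
    [string]$DnsServer = 'dns01.smtp25.org',   # assumed DNS server name
    [string]$Zone      = 'smtp25.org',          # SIP domain users sign in with
    [string]$SipHost   = 'sip',                 # A record name -> sip.smtp25.org
    [string]$OcsIp     = '10.0.0.25'            # assumed OCS server address
)

$sipFqdn = "$SipHost.$Zone."   # trailing dot: fully qualified, zone name is not appended

# 1. A record in the (empty) root zone pointing at the OCS server in the child domain.
#    The name must match a SAN on the OCS certificate or TLS sign-in fails.
& dnscmd $DnsServer /RecordAdd $Zone $SipHost A $OcsIp

# 2. SRV records: priority weight port target. Communicator tries the TLS record first.
& dnscmd $DnsServer /RecordAdd $Zone _sipinternaltls._tcp SRV 0 0 5061 $sipFqdn
& dnscmd $DnsServer /RecordAdd $Zone _sipinternal._tcp    SRV 0 0 5060 $sipFqdn

# 3. Verify from a client's point of view (nslookup exists on every Windows box).
function Test-SipSrv([string]$Service, [string]$Domain, [int]$ExpectedPort, [string]$ExpectedTarget) {
    $out = & nslookup -type=SRV "$Service.$Domain" 2>&1 | Out-String
    # nslookup prints "port = 5061" and "svr hostname = sip.smtp25.org" for a good record
    $ok = ($out -match "port\s*=\s*$ExpectedPort") -and
          ($out -match [regex]::Escape($ExpectedTarget.TrimEnd('.')))
    if ($ok) { "OK   $Service.$Domain -> $ExpectedTarget`:$ExpectedPort" }
    else     { "FAIL $Service.$Domain : record missing or wrong`n$out" }
}

Test-SipSrv '_sipinternaltls._tcp' $Zone 5061 $sipFqdn
Test-SipSrv '_sipinternal._tcp'    $Zone 5060 $sipFqdn
```

A FAIL line here reproduces the "No DNS SRV records exist for domain smtp25.org" event above; once both lines read OK, the manual configuration workaround in the next problem is no longer needed.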

Problem:

Office Communicator cannot use automatic sign-in and shows the following error:

"Cannot sign in because the server is temporarily unavailable. If the problem persists, contact your system administrator"

Solution:

This is purely a DNS issue; if you fix the previous issue you won't see this error. You can still make the client work by switching it to manual configuration: click the menu in the upper left corner, then

  • Tools
  • Options
  • Advanced
  • Manual configuration
  • TLS
  • Name or IP address of the OCS Server

Regards,

Oz Ozugurlu

Systems Engineer

MCITP (EMA), MCITP (SA),

MCSE 2003 M+ S+ MCDST

Security Project+ Server+

oz@SMTp25.org

Monday, May 19, 2008

Read-Only Domain Controller (RODC) and Exchange 2007

A Read-Only Domain Controller (RODC) is a new type of domain controller in Windows Server 2008. Its main purpose is to improve security in office branches.

The idea behind the RODC is really good; I was very impressed, even with it not having a GUI at all. What is not good is that Exchange won't be able to use an RODC. This really made me upset, and I cannot stop thinking: why, why, why? Another culprit is that after installing an RODC you land in DOS. Hey, we finally have PowerShell, so why not have PowerShell there by default instead of the poor, limited DOS prompt? Why, why, why?

Anyway, I hope someone will hear our voice and make changes. Separating server roles is a great idea in my opinion. Windows has suffered enough so far from having everything in the default server installation: games, Windows Media Player and a whole bunch of other services get installed by default. I never did understand having Solitaire or Windows Media Player on your root DC/GC. The examples I brought up might be minor details, but in reality they indicate the mentality.

Anyway, when I was talking to our Microsoft consultant today, he told me Exchange could not use an RODC, which made me upset. Just like in AD: today we deployed OCS (Office Communications Server), and all its groups appeared in the default container. Why is it so hard to put them in their own OU? Why, why, why? Why don't we have an account type called "service account" with a different icon, so that we can distinguish it from a regular user account?

I believe little things make a difference, and we would love to see those in the near future.

Best Regards

Oz ozugurlu Systems Engineer

MCITP (EMA), MCITP (SA),

MCSE 2003 M+ S+ MCDST

Security Project+ Server+

oz@SMTp25.org

http://smtp25.blogspot.com

MCSE Class Ended on Last Saturday



Another MCSE class ended last Saturday. I wanted to say thanks to all of you for attending the class and putting up with my 120 hours of lecture. I had a lot of fun and I hope you all did as well. Please complete all your exams and get in touch with me if you need anything.

My next MCSE class starts on Saturday, June 21st, and I will also be rolling into an Exchange 2003 and 2007 class (combined class). Those of you who have taken MCSE will know Exchange is the way to go (-: I am very excited about Exchange 2007 and all its new look and features. It will be a great class and I would love to see you there. I will also start teaching Windows 2008 classes, scheduled within a couple of months.

Team,

Great job, good focus, and congratulations to all of you for completing the MCSE 2003 class and becoming certified. I wish you all great success in your future aspirations. I know some of you have already got new jobs, which made me very proud.

Good job.

Best Regards,

Oz ozugurlu

Systems Engineer

MCITP (EMA), MCITP (SA),

MCSE 2003 M+ S+ MCDST

Security Project+ Server+

oz@SMTp25.org

http://smtp25.blogspot.com


Friday, May 16, 2008

WHICH FSMO ROLE IS THE MOST IMPORTANT

I was reading the Microsoft TechNet discussion group and following up on a post about a problem, and the second person who was trying to help wrote back:

"The PDCEmulator role is more or less the old PDC from NT4, but only used for backwards compatibility"

That statement made me write this article. The question of which FSMO role is the most important, or the least important, has been asked of me in every MCSE class.

Besides emulating the PDC (Primary Domain Controller) for NT4 clients in the domain, below is a list of what the PDC Emulator does.

PDC Emulator

  • Synchronizes time across the domain, ensuring all clients have the same time, which is required for Kerberos authentication (logons) to work properly
  • Manages password changes made in the domain
  • Incorrect logons are forwarded to the PDC emulator before the error is shown to the user, to check that the password is in fact incorrect
  • Account lockouts are processed on the PDC emulator
  • Group Policy management is always done on the PDC emulator, unless the administrator specifies otherwise
  • People will notice its downtime rather quickly (a missing PDC emulator will generate tons of calls to your help desk, trust me on this)
  • Usually the first one noticed if missing is the PDC Emulator (due to its role as Domain Master Browser, really, in a multi-subnet network)

In a single-domain environment, the other roles are not as important as the PDC emulator, or I would say their absence is not as quick or as noticeable a negative impact on your environment.

Missing Domain Naming Master

If you are adding domains, the absence of the Domain Naming Master will be a problem, since the operation will fail.

Missing Schema master

If an application needs to make changes to the schema and cannot contact the schema master, you will have problems. For instance, installing Exchange extends the schema, so you won't be able to install Exchange, and that is the end of the world to me (-: Hey, when it comes to Exchange I should not need to list any other reason why you and I would need the schema master to be there when we want to install an Exchange server (-:

Missing RID master

The RID master is the one most people would notice either first or right after the PDC Emulator, since after adding about 500 users (security principals, really) on a single DC you would run out of RIDs. If you are not adding 500 users per day (-: you don't have to worry about this role for today.

Missing Infrastructure master

This is another domain-specific role and its purpose is to ensure that cross-domain object references are correctly handled.

Conclusion:

Despite the name PDC, not having any NT 4.0 in the environment does not make the PDC emulator the least important role. In fact it is the most heavily used FSMO role, and it is also the most important one when you consider how quickly the side effects show up. All FSMO roles are important, but a missing PDC emulator is going to give you the quickest headache you ever wanted early on a Monday morning. Who is your PDC? (-:
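To answer "who is your PDC" with something better than memory, here is an added PowerShell example (not from the original post) that lists all five role owners, pings each one, and measures this machine's clock offset against the PDC Emulator, since time skew is the first Kerberos symptom you see when it is gone. It uses only the .NET ActiveDirectory classes and w32tm on a domain-joined machine; the 5-minute tolerance is the Kerberos default.

```powershell
# Added example (not from the original post): locate the FSMO role owners and
# check the PDC Emulator for reachability and time offset.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Two forest-wide roles (one holder per forest) and three domain roles (one per domain)
$roles = @(
    @{ Role = 'Schema Master';         Owner = $forest.SchemaRoleOwner.Name },
    @{ Role = 'Domain Naming Master';  Owner = $forest.NamingRoleOwner.Name },
    @{ Role = 'PDC Emulator';          Owner = $domain.PdcRoleOwner.Name },
    @{ Role = 'RID Master';            Owner = $domain.RidRoleOwner.Name },
    @{ Role = 'Infrastructure Master'; Owner = $domain.InfrastructureRoleOwner.Name }
)

$ping = New-Object System.Net.NetworkInformation.Ping
foreach ($r in $roles) {
    # The FSMO attribute still names a dead DC; the ping is what tells you it is gone.
    try   { $reach = $ping.Send($r.Owner, 2000).Status }
    catch { $reach = 'Unreachable' }
    "{0,-22} {1,-40} {2}" -f $r.Role, $r.Owner, $reach
}

# The PDC Emulator is the domain's time root; Kerberos rejects tickets more than
# 5 minutes off by default, so measure this client's offset against it.
function Get-PdcTimeOffsetSeconds([string]$Pdc) {
    $out = & w32tm /stripchart /computer:$Pdc /samples:1 /dataonly 2>&1 | Out-String
    # the data line looks like "09:15:01, +00.0234512s"
    if ($out -match '([+-]\d+\.\d+)s') { return [double]$matches[1] }
    throw "w32tm could not query $Pdc`n$out"
}

$offset = Get-PdcTimeOffsetSeconds $domain.PdcRoleOwner.Name
if ([math]::Abs($offset) -gt 300) {
    Write-Warning "Clock is $offset s off the PDC Emulator; Kerberos logons will start failing"
} else {
    "Offset from PDC Emulator: $offset s (within Kerberos tolerance)"
}
```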


Regards,

Oz Ozugurlu

Systems Engineer

MCITP (EMA), MCITP (SA),

MCSE 2003 M+ S+ MCDST

Security Project+ Server+

oz@SMTp25.org

http://smtp25.blogspot.com

Sunday, May 11, 2008

WHAT IS THE TOMBSTONE PROCESS



What the tombstone process is and what happens to tombstoned objects is the content of this little article. If you ever wondered what happens when an object gets deleted in Active Directory, keep reading.

Tombstone Process in a basic way

  • The object gets deleted
  • AD marks it as a deleted object by setting its isDeleted attribute to TRUE
  • At the same time, AD strips most of the attributes from the object
  • Renames the object
  • Moves the object to the special container in the object's naming context (NC) named CN=Deleted Objects
  • The object is now called a tombstone
  • The object is no longer visible from ADUC (to administrators)

Here is the tricky part: the tombstone is visible to the Active Directory replication process. Why is that so? Remember the multi-master replication model. In order to make sure the deletion is performed on all the DCs that host the object being deleted, Active Directory replicates the tombstone to the other DCs. Thus the tombstone is what replicates the deletion throughout the Active Directory environment.

I never did understand why it is so painful to try to bring back a deleted object in AD with the built-in tools. What I mean is, if we look at third-party tools such as Quest or Hyena, it is a couple of clicks to bring a deleted object back from AD. Anyway, I would love to see the built-in capabilities in AD become as good as these third-party tools, or at least close, but I know it won't happen for some reason (-:

The tombstone lifetime is determined by the value of the TombstoneLifetime attribute on the Directory Service object in the configuration directory partition.

  • Adsiedit
  • Configuration
  • DC name
  • CN=Configuration
  • DC=Forest domain
  • CN=Services
  • CN=Windows NT
  • Right-click CN=Directory Service, Properties
  • The attribute name is TombstoneLifetime

On a domain controller in a forest that was created on a domain controller running Windows Server 2003 with Service Pack 1 (SP1), the default value is 180 days.

On a domain controller in a forest that was created on a domain controller running Windows 2000 Server or Windows Server 2003, the default value is 60 days.
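The same two facts read straight from the directory, as an added PowerShell example that is not part of the original post: the tombstoneLifetime value (or the fact that it is unset, so the forest-creation default applies) and the tombstones themselves, which the Show Deleted LDAP control makes visible even though ADUC hides them. It uses only ADSI and .NET DirectoryServices on a domain-joined machine; naming contexts come from RootDSE, nothing is hard-coded.

```powershell
# Added example (not from the original post): read tombstoneLifetime and list
# current tombstones with plain ADSI/.NET. Run as a user allowed to read deleted
# objects (by default Domain Admins).
$rootDse   = [ADSI]"LDAP://RootDSE"
$configNc  = $rootDse.configurationNamingContext[0]
$defaultNc = $rootDse.defaultNamingContext[0]

# 1. tombstoneLifetime lives on CN=Directory Service,CN=Windows NT,CN=Services,<config NC>
$dsObj = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
$tsl   = $dsObj.tombstoneLifetime
if ($null -eq $tsl -or $tsl.Count -eq 0) {
    # Unset means the default of the version the forest was created on applies:
    # 60 days (Windows 2000 / 2003), 180 days (Windows Server 2003 SP1 and later)
    "tombstoneLifetime is not set; the forest-creation default applies (60 or 180 days)"
} else {
    "tombstoneLifetime = $($tsl[0]) days"
}

# 2. Tombstones are hidden from normal searches; the Tombstone property sends the
#    LDAP_SERVER_SHOW_DELETED_OID control so the search returns them. Each keeps
#    isDeleted, the mangled name (<name>\0ADEL:<guid>) and lastKnownParent.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$defaultNc"
$searcher.Filter     = "(isDeleted=TRUE)"
$searcher.Tombstone  = $true
$searcher.PageSize   = 500
foreach ($attr in 'name', 'whenChanged', 'lastKnownParent', 'objectClass') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$tombstones = $searcher.FindAll()
"{0} tombstone(s) in {1}" -f $tombstones.Count, $defaultNc
foreach ($t in $tombstones) {
    $p = $t.Properties
    # whenChanged on a tombstone is the deletion time; the object is purged
    # tombstoneLifetime days later by garbage collection on each DC
    "{0,-50} deleted {1:yyyy-MM-dd}  was in {2}" -f $p['name'][0], $p['whenchanged'][0], $p['lastknownparent'][0]
}
```

Objects whose whenChanged is older than tombstoneLifetime days will not be in this list any more; that is the window within which a restore of the object (rather than a restore from backup) is still possible.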

Best Regards,

Oz Ozugurlu

Systems Engineer

MCITP (EMA), MCITP (SA)

MCSE 2003 (M+,S+) MCDST

Security+,Project+,Server+

http://smtp25.blogspot.com