Forum Replies Created
Re: Learning linux
Linux is the OS kernel, while Ubuntu is a Linux distribution.
A distribution consists of the Linux kernel and a selection of software. Most distributions contain the same core software (like GNU Coreutils, a set of commonly used commands), while they may differ significantly when it comes to both server and user applications. It’s a bit like with Windows 8 and the various editions of Windows Server 2012; same Windows kernel, different set of applications.
If you want to leave your Windows installation undisturbed you could install Linux to an external drive, but a VM might be worth considering. You could still keep the virtual hard drive on an external disk, of course.
Re: Using ISA as a firewall
Dumber;274465 wrote: Well those some people are mistaken then…
Read this first:
Some of those arguments make very little sense.
For instance, when some security professionals point out that making an ISA server a domain member makes it possible for any Domain Admin to reconfigure the firewall, the blog author replies “if you can’t trust your domain admins, you have bigger problems”. He seems oblivious to the fact that by trusting all members of the Domain Admin group, you also implicitly trust any workstation used by a member of that group, and every service running with administrative privileges on any domain controller.
His response to the concern that an attacker gaining access to Active Directory will also be in full control of the firewall, is “they’ll own everything else too, with the Firewall being the least of your problems”. So, if an attacker/insider manages to exploit a privilege escalation bug and obtain administrative privileges in AD, we might as well give him control of the firewall too, so he can send confidential data across the Internet? Really?
There are a few more poorly thought out arguments in that blog post, but the underlying problem is that the author doesn’t seem to consider well-established guidelines for network design and security as important, such as the principle of least privilege, the layered approach and diversity of defense.
In addition, the benefits of having ISA/TMG/UAG as a domain member are extremely limited. The blog mentions the ability to filter on users and groups if you deploy the Firewall Client, but in today’s heterogeneous network environments with smart phones and tablets, the Windows-only Firewall Client is of limited use. Also, you can achieve more or less the exact same functionality by setting up an AD-integrated proxy server.
This leaves only integration with AD certificate services, but again, who says that your edge firewall also has to be the VPN concentrator?
Re: Multi Homed server & default gateway settings
Sternfan2012;274457 wrote: Thanks for the fast reply.
Just as I finished the original post, I was thinking that my linux boxes (I have one with 8 NICs) all have DG set for each NIC – with no problems.
You don’t actually have gateways per NIC, you have them per host. Each “default gateway” setting generates a default route (0.0.0.0/0) in the routing table. Having a gateway setting for each NIC is actually quite misleading.
Most OSes will treat identical route entries with the same metric as redundant routes and attempt to load balance across them. If one or more of the gateways represent a NATed path, or if they don’t all actually represent a path to the 0.0.0.0/0 network, this has the potential to get ugly really fast.
Multiple default gateways make no sense in most scenarios.
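As an added example (not part of the original reply): a PowerShell check that contrasts the per-adapter "default gateway" settings with the single host-wide routing table they all feed into, and warns when several 0.0.0.0/0 entries share a metric. It uses only the Win32_NetworkAdapterConfiguration and Win32_IP4RouteTable WMI classes, which exist on Windows Server 2003 and later; the grouping rule and the warning wording are this example's own.

```powershell
# Added example (not from the original forum post). Run on the multi-homed host.
# Shows why a "gateway per NIC" is misleading: every such setting becomes one more
# 0.0.0.0/0 entry in the one routing table the host actually uses.

# 1. Per-adapter view: what each NIC has configured as its own "default gateway"
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
foreach ($a in $adapters) {
    if ($a.DefaultIPGateway) {
        "{0,-45} gateway(s): {1}" -f $a.Description, ($a.DefaultIPGateway -join ', ')
    }
}

# 2. Host view: every default route (destination 0.0.0.0, mask 0.0.0.0) in the routing table
$defaults = @(Get-WmiObject Win32_IP4RouteTable -Filter "Destination = '0.0.0.0' AND Mask = '0.0.0.0'")
$defaults | Select-Object NextHop, InterfaceIndex, Metric1 | Format-Table -AutoSize

# 3. Equal-metric duplicates are the entries the OS treats as redundant paths and may
#    spread traffic across; that is the "gets ugly fast" case when one path is NATed
#    or does not really lead everywhere.
$dupes = $defaults | Group-Object Metric1 | Where-Object { $_.Count -gt 1 }
if ($dupes) {
    $metrics = ($dupes | ForEach-Object { $_.Name }) -join ', '
    Write-Warning ("{0} default routes present; metric(s) {1} are shared, so traffic may be split across gateways." -f $defaults.Count, $metrics)
} elseif ($defaults.Count -gt 1) {
    Write-Warning "Multiple default routes with different metrics: only the lowest-metric one is used; the rest are dead weight."
} else {
    "Exactly one default route; nothing to fix."
}
```

The usual fix is to keep the default gateway only on the interface that actually leads to the Internet and reach the subnets behind the other NICs with persistent static routes (`route add -p`), so that the routing table, not the per-NIC dialog, describes where packets really go.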
Re: 2003 to 2008r2 Help??
I’ll take the easy questions first:
mi32mi32;274376 wrote: Will the 32bit to 64bit cause a problem?
Registering of the 2008r2 cal license for 75 user how ?
What is best before the migration to clean up the old servers?
Transferring programs from the old servers to the new?
The fact that 2008 R2 is 64-bit only should not cause any problems, unless you want to install applications that use ancient 16 bit components (deprecated in 1995, I believe). The 16 bit WOW subsystem doesn’t exist in 64 bit versions of Windows.
Plain CALs aren’t installed anywhere, you just keep the papers as proof that you are properly licensed. CAL restrictions aren’t enforced by the OS (unlike TSCALs/RDCALs).
You shouldn’t need to “clean up” the old servers, unless you’re experiencing AD or DNS issues. If there are errors in the Event Logs or if dcdiag or netdiag reports a problem, you should investigate.
There’s no way to transfer installed applications from one server (or PC) to another. You will need to reinstall any applications on the new server(s).
mi32mi32;274376 wrote: What is the best guide you all have to migrate from the old 2003 servers to the bare metal install of Windows 2008r2 on the new servers?
Best practices for setting up OU in ad?
If you already have a working AD setup, there’s no need to alter the OU structure just because you’re upgrading the server OS. In fact, it’s probably best to either reorganize (if necessary) before you introduce the new servers, or wait until after the migration is complete. No need to introduce several new factors into the equation at the same time, it will only make troubleshooting harder.
To install a 2008 R2 domain controller in the existing network, you’ll need to do the following:
- run adprep (or probably adprep32, as the existing DCs are probably running 32 bit Windows 2003) on the DC that’s currently holding the Schema Master role
- install the 2008 R2 OS on the new server
- install the Domain Controller role on the new server (or just run dcpromo) and make it a Domain Controller in your existing domain
The first step will extend the AD schema to accommodate a 2008 R2 DC. The adprep and adprep32 executables can be found in the ADPREP directory on the 2008 R2 DVD. You’ll need to run adprep32 from the command line, in the ADPREP directory on the DVD, with the /forestprep switch. Then repeat with the /domainprep switch once that’s done.
The 2nd and 3rd steps will simply install the new server as a DC in the domain. User accounts and GPOs will be replicated automatically.
If you’re planning to get rid of the 2003 servers entirely, you should install the DNS and DHCP roles on at least one of the new servers. If the DNS zone is Active Directory integrated (the default setting), you can serve the same zone from any number of AD DCs without problems.
To avoid IP conflicts when you migrate the DHCP service, enable conflict detection by increasing the value from 0 to, say, 1 or 2. Remember to enter the IP address of the new DNS server as a scope option.
Once the new domain controllers are active, you will need to move the five FSMO roles from the old DCs to the new ones before decommissioning the 2003 servers. You can do this from the command line (ntdsutil) or use the GUI tools.
mi32mi32;274376 wrote: Also how do I get all the network drives swapped over efficiently?
If the existing shares are accessed through DFS, it’s just a matter of adding a new folder target and removing the old one once replication is complete. You’re probably not that lucky. :)
I would recommend moving the shares using the following procedure:
- create a folder on the new server, set the appropriate permissions (temporarily add your administrative account if necessary) and share it
- copy all files from the existing share while the network is in use (some files will be inaccessible)
- schedule a few hours of downtime and copy any missing or altered files
- change the drive mapping to point to the new share, and deactivate the old share (important!)
- be prepared to fix any issues that may arise as a result of the share being moved (shortcuts using UNC paths etc)
I’ve found the xcopy /d switch to be most useful when migrating files between servers.
mi32mi32;274376 wrote: Network printers switched over, do I setup print server role for this? Do I have to reinstall on all user stations since these were installed with 32bit drivers on Server 2003 and are now going to be 2008r2 64bit?
You will still be using 32 bit drivers on 32 bit workstations, even if the print server is running 64 bit Windows. This is what you need to do:
- install the Print Server role on the new server
- install all printers
- add 32 bit drivers to all printers (yes, on the 64 bit server)
- deploy the printers using Group Policy
The old printer definitions will probably still be there and may need to be removed manually.
mi32mi32;274376 wrote: Also best way to setup the network printers so multiple iPads and wireless devices can print from them?
You can install the LPR and/or IPP service on the print server. That way, non-Windows devices should be able to print to any printer.
mi32mi32;274376 wrote: Is it better to have this on the backup domain?
What do you mean by “backup domain”?
mi32mi32;274376 wrote: Getting the GPO over so they work for the users?
As I mentioned, GPOs are replicated automatically to all DCs in a domain.
PS: Sorry I couldn’t include links to the relevant TechNet pages for dcdiag, netdiag, DHCP conflict detection and so on, but as a new user I’m not allowed to use links just yet. You’ll have to use Google.
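As an added example (not from the original post) for the domain controller part of the migration above: the FSMO transfer done with the ActiveDirectory PowerShell module that ships with a 2008 R2 DC, as an alternative to ntdsutil or the GUI tools, preceded by a check that adprep really raised the schema version, and followed by reading the role holders back out of the directory. The DC name is a placeholder; it assumes the module is available and that the new DC's Active Directory Web Services is reachable.

```powershell
# Added example, not part of the original reply. Verify the adprep step, transfer
# the five FSMO roles to the new 2008 R2 DC, then confirm where the roles now sit.
Import-Module ActiveDirectory

$NewDc = "NEWDC01"   # placeholder: short name of the 2008 R2 DC you promoted

# 1. adprep /forestprep raises objectVersion on the schema container; 2008 R2 sets it
#    to 47 (Windows 2003 = 30, 2003 R2 = 31, 2008 = 44). Refuse to continue otherwise.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$version  = (Get-ADObject $schemaNc -Properties objectVersion).objectVersion
if ($version -lt 47) {
    throw "Schema objectVersion is $version; run adprep32 /forestprep and /domainprep before moving roles."
}
"Schema objectVersion = $version (2008 R2 level)"

# 2. Make sure the target really is a DC in this domain; this also gives us its FQDN.
$dc = Get-ADDomainController -Identity $NewDc
"Target DC: {0} ({1}), site {2}, global catalog: {3}" -f $dc.HostName, $dc.OperatingSystem, $dc.Site, $dc.IsGlobalCatalog

# 3. Transfer (not seize) all five roles. A transfer talks to the current holder, which
#    is the safe path while the 2003 DCs are still online and replicating.
$roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -OperationMasterRole $roles -Confirm:$false

# 4. Read the holders back from the forest and domain objects instead of trusting the cmdlet.
$forest  = Get-ADForest
$domain  = Get-ADDomain
$holders = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$notMoved = $holders.GetEnumerator() | Where-Object { $_.Value -ne $dc.HostName }
if ($notMoved) {
    $notMoved | ForEach-Object { Write-Warning ("{0} is still held by {1}" -f $_.Key, $_.Value) }
} else {
    "All five FSMO roles are held by $($dc.HostName); the 2003 DCs can be demoted with dcpromo once replication is clean."
}
```

A transfer fails rather than silently taking over if the current holder cannot be reached, which is what you want while the old DCs still exist; `-Force` (a seize) is only for a role holder that is permanently gone, and a seized-from DC must never be brought back onto the network.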
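As an added example (not from the original post) for the share migration procedure above: the same two-phase copy, done with robocopy instead of xcopy /d so that NTFS permissions and owners travel with the files, followed by the cut-over and the removal of the old share. Server names, share name, paths and the log location are placeholders.

```powershell
# Added example, not part of the original reply. Two-phase share move:
# phase 1 while users work, phase 2 in the maintenance window, then cut over.
$OldServer = 'OLDSRV'                 # placeholder: the 2003 file server
$Source    = "\\$OldServer\Data"      # placeholder: existing share
$Target    = 'D:\Shares\Data'         # placeholder: new folder on the 2008 R2 server
$Share     = 'Data'
$Log       = 'C:\Migration\Data-copy.log'

# Phase 1 (network in use): copy data, attributes, timestamps, NTFS ACLs and owners
# (/COPY:DATSO); /XO skips files already current on the target; files locked by users
# are retried once and end up in the log instead of stalling the run.
robocopy $Source $Target /E /COPY:DATSO /XO /R:1 /W:1 /LOG:$Log /TEE

# Phase 2 (downtime, old share read-only or users off): rerun with /MIR so files that
# changed since phase 1 are refreshed and files deleted at the source are removed.
robocopy $Source $Target /MIR /COPY:DATSO /R:1 /W:1 /LOG+:$Log /TEE

# robocopy exit codes are bit flags: 1 copied, 2 extra, 4 mismatched are fine;
# 8 means some files failed, 16 is a fatal error.
if ($LASTEXITCODE -ge 8) {
    throw "robocopy reported failures (exit code $LASTEXITCODE); check $Log before cutting over."
}

# Cut-over: publish the folder under the same share name. NTFS permissions already
# came across, so the share-level ACL can stay broad and let NTFS do the filtering.
net share "$Share=$Target" /GRANT:Everyone,FULL

# Deactivate the old share (the "important!" step) so nobody keeps writing to the stale
# copy. net share cannot target a remote machine, so use WMI against the old server.
$old = Get-WmiObject Win32_Share -ComputerName $OldServer -Filter "Name = '$Share'"
if ($old) {
    $result = $old.Delete()
    if ($result.ReturnValue -ne 0) { Write-Warning "Could not remove \\$OldServer\$Share (code $($result.ReturnValue))" }
}
"Share \\$env:COMPUTERNAME\$Share is live; repoint drive mappings (logon script or Group Policy Preferences) now."
```

Copying owners with /COPY:DATSO needs the Backup/Restore privileges on both ends, so run it from an account in Backup Operators or Administrators; the log from phase 1 is also a handy list of the locked files you can expect to chase in phase 2.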