Posts Tagged ‘Active Directory’

Resolve Quarantined Mailbox Issues in Exchange

Thursday, October 24th, 2013

Exchange 2010 will quarantine a corrupt, or poisoned, mailbox in the Information Store database. If a mailbox is corrupt, dirty or poisoned, rather than forcing us to run eseutil or isinteg while the database is offline, Exchange just quarantines the mailbox. If you run into one of these, you can take the mailbox out of quarantine so that a mailbox repair can be run by deleting a registry key. To figure out which key to delete, first locate the GUID of the mailbox using PowerShell:

Get-MailboxStatistics -identity USERNAME | fl

Then copy the mailbox GUID, open up the registry and make a backup of the registry (which I do every time I change the registry, btw). Then view the following key:

HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\(SERVER NAME)\Private-(DB GUID)\QuarantinedMailboxes\(MAILBOX GUID)

Delete the key for the mailbox that displays as poisoned. Then, restart the Information Store and run a quick iisreset.
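The whole procedure as one script, added here as an example and not part of the original post. It assumes the Exchange Management Shell on the mailbox server that hosts the database (the key lives in that server's local HKLM), a mailbox identity in $User, and the registry path shown above with the server name, database GUID and mailbox GUID filled in from the cmdlet output.

```powershell
# Added example: take a quarantined mailbox out of quarantine in Exchange 2010.
# Assumes: Exchange Management Shell, run on the mailbox server hosting the database.
function Clear-QuarantinedMailbox {
    param([Parameter(Mandatory=$true)][string]$User)

    $stats  = Get-MailboxStatistics -Identity $User
    $db     = Get-MailboxDatabase -Identity $stats.Database
    $server = $db.Server.Name

    # Registry key that marks the mailbox as quarantined (server, DB GUID, mailbox GUID).
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\$server\Private-$($db.Guid)\QuarantinedMailboxes\$($stats.MailboxGuid)"

    if ($server -ne $env:COMPUTERNAME) {
        throw "Database $($db.Name) is mounted on $server; run this script there (HKLM is local)."
    }
    if (-not (Test-Path $key)) {
        Write-Host "No quarantine entry for $User at $key"
        return
    }

    # Back up the key with reg.exe before deleting it.
    $backup  = Join-Path $env:TEMP ("QuarantinedMailbox-{0}-{1:yyyyMMdd-HHmmss}.reg" -f $stats.MailboxGuid, (Get-Date))
    $regPath = $key -replace '^HKLM:\\', 'HKLM\'
    & reg.exe export $regPath $backup /y | Out-Null
    Write-Host "Backup written to $backup"

    Remove-Item -Path $key -Recurse
    # The store only re-reads the quarantine list on start; iisreset matches the post's last step.
    Restart-Service -Name MSExchangeIS -Force
    & iisreset | Out-Null
}

Clear-QuarantinedMailbox -User 'USERNAME'   # placeholder mailbox identity
```

On Exchange 2010 SP1 and later, New-MailboxRepairRequest can then run the repair against the mailbox once it is back out of quarantine.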

Connect Casper to Active Directory

Wednesday, November 14th, 2012

Integrating any system into Active Directory can seem like a daunting task, especially for someone who’s not an AD administrator or doesn’t even have access to the directory service. JAMF Software has supported connecting Casper to AD for several versions of its product and has refined the connection process to be simple enough for someone with little or no AD experience to complete.

Connecting Casper to AD allows it to take advantage of existing user and group accounts, eliminating the tedium of creating them manually, and the user himself has one less password to remember. When his password changes the new password works immediately in Casper. Likewise, when a user’s account expires or is disabled then access to Casper ceases.

Gather the following information for the connection process:

  • Service account. This should be an AD account dedicated for Casper to use to authenticate to AD. It should be set not to expire and not to require changing at first login. This requires both the account name and its AD password.
  • The name of an AD Domain Controller (same as a Windows Global Catalog server, which assumes the role of an LDAP server).
  • The name of the organization’s NetBIOS domain.
  • The login names for any two user accounts in AD. Passwords aren’t required; these are used for testing lookups only.
  • The names for any two security groups in AD that include one or both test user accounts. These are used for testing lookups only. (Domain Users and Domain Admins are two common security groups.)

To connect Casper to AD do the following:

  1. Log in to the JAMF Software Server (JSS) for Casper using a local user account.
  2. Navigate to Settings tab –> LDAP Server Connections. Click on the Add LDAP Server Connection button. This begins a process that verifies the service account’s credentials and creates the user and group mappings between Casper and AD.
    New LDAP Server Connection button
  3. Select Active Directory as the LDAP server type and click the Continue button.
    LDAP server connection type
  4. For Host name enter the fully qualified domain name or IP address of the Domain Controller.
  5. For AD Domain enter the Windows NetBIOS domain name. Click the Continue button.
    Domain information
  6. Enter the name of the service account and its password that the JSS will use to authenticate and connect to AD. Click the Continue button.
    Service account
  7. If the Enter Test Accounts page appears then AD has accepted the service account’s credentials. Now, enter the account names of two AD users. These can be your own and a co-worker’s account. For the best results pick two users who are in very different parts of the organization. Click the Continue button.
    Test accounts
  8. The Verify Attribute Mappings page should display information about each user the JSS found in AD. Mappings are the pairing of attributes and values for an object in AD. In this case, verify the Username shown is actually the user’s short account name, verify Real Name shows the user’s first and last name, verify that Email displays the correct email address for each user, etc.
    New mappings
  9. Some fields may not be populated. That’s typically because the AD information is incomplete. If either user has information for a field but not the other then verify that information is correct or at least in the correct format.
  10. Casper may have wrongly mapped an attribute. For example, the telephoneNumber attribute may actually be phone in AD. To change the mapping click the edit button (ellipsis) to the right of the mapping and review the LDAP Attributes to see if another one is more suitable. Changing the attribute immediately changes the values for each user to help quickly identify better choices. Click the Return to Verify Mappings button when done.
    Edit mappings
  11. The new mappings appear in the list. Click the Continue button.
    New mappings
  12. Enter the two domain security groups and verify whether the test users are members. They may be members of one, both or none. Click the Continue button.
    Verify groups
  13. Finally, click the Save button to save the settings.
    Complete
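A pre-flight check for the information gathered above and for the attribute and group lookups the wizard performs (steps 7, 8, 10 and 12), added here as an example and not JAMF's or the original post's code. It assumes the RSAT ActiveDirectory module on the machine running it; the service account, domain controller, test users and test groups are placeholders.

```powershell
# Added example: verify the inputs to the Casper LDAP Server Connection wizard from AD's side.
Import-Module ActiveDirectory

$ServiceAccount   = 'svc-casper'          # placeholder
$DomainController = 'dc01.example.com'    # placeholder
$TestUsers        = 'alice', 'bob'        # placeholders
$TestGroups       = 'Domain Users', 'Domain Admins'

# 1. Service account: enabled, password never expires, no change forced at first logon.
$svc = Get-ADUser -Identity $ServiceAccount -Server $DomainController `
           -Properties PasswordNeverExpires, PasswordExpired, AccountExpirationDate
New-Object PSObject -Property @{
    Account              = $svc.SamAccountName
    Enabled              = $svc.Enabled
    PasswordNeverExpires = $svc.PasswordNeverExpires
    MustChangeAtLogon    = $svc.PasswordExpired     # true when "change at next logon" is set
    AccountExpires       = $svc.AccountExpirationDate
} | Format-List

# 2. Domain controller and NetBIOS domain for the Host name / AD Domain fields.
$dc = Get-ADDomainController -Identity $DomainController
"{0}: LDAP port {1}, Global Catalog = {2}, NetBIOS domain = {3}" -f `
    $dc.HostName, $dc.LdapPort, $dc.IsGlobalCatalog, (Get-ADDomain -Server $DomainController).NetBIOSName

# 3. Test users: the attributes the Verify Attribute Mappings page shows, as AD holds them.
$groupDns = foreach ($g in $TestGroups) {
    (Get-ADGroup -Identity $g -Server $DomainController).DistinguishedName
}
foreach ($name in $TestUsers) {
    $u = Get-ADUser -Identity $name -Server $DomainController `
             -Properties DisplayName, mail, telephoneNumber, MemberOf, PrimaryGroup
    $u | Select-Object SamAccountName, DisplayName, mail, telephoneNumber | Format-List

    # 4. Group membership. Domain Users is normally only the primary group, which does
    #    not appear in memberOf, so check both.
    foreach ($dn in $groupDns) {
        $isMember = ($u.MemberOf -contains $dn) -or ($u.PrimaryGroup -eq $dn)
        "{0} member of {1}: {2}" -f $name, $dn, $isMember
    }
}
```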

Now, when adding new users to Casper, the JSS can pull the user information from AD.

  1. Navigate to Settings tab –> Accounts. Click on the Add Account from LDAP button.
    New Account button
  2. Enter the name of an AD user who should have privileges in the JSS. Click the Next button.
    Add User from LDAP Account
  3. If the lookup returns more than one result then locate the correct result and click the Add… link to the right.
    Result
  4. Grant the necessary privileges to the JSS and click the Save button.

At this point the newly added user should be able to log in to the JSS using his AD credentials. The JSS will also use the AD information for email alerts and other functions.

If the LDAP connection is ever deleted then existing LDAP user accounts will fail to work, even if the LDAP connection is recreated. Re-enabling users to log in will require adding their accounts and privileges again under the new LDAP connection.

Creating a binding script to join Windows 7 clients to Active Directory

Tuesday, July 3rd, 2012

There are a few different ways to join Windows 7 to a domain. You can do it manually, use djoin.exe to do it offline, use PowerShell, or use netdom.exe.

  • Doing so manually can get cumbersome when you have a lot of different computers to do it on.
  • With djoin.exe you have to run it on a member computer already joined to the domain for EACH computer you want to join, since it creates a computer object in AD for each computer beforehand.
  • PowerShell is OK to use, but you have to set the execution policy to unrestricted beforehand on EACH computer.
  • Netdom is the way to go, since you prep once for the domain, then run the script with Administrator privileges on whatever computers you want to join to the domain. Netdom doesn’t come on most versions of Windows 7 by default. There are two versions of netdom.exe, one for x86 and one for x64. You can obtain netdom.exe by installing Remote Server Administration Tools (RSAT) for Windows 7, and then copying netdom.exe to a share.

A quick way to deal with both x86 and x64 architectures in the same domain would be to make two scripts, one for x86 and one for x64, and put the matching netdom.exe in two different locations, \\server\share\x86\ and \\server\share\x64\.

You’ll need to either grab netdom.exe from a version of Windows 7 that already has it, or install RSAT for either x64 or x86 Windows 7, whichever you will be working with, from here: http://www.microsoft.com/en-us/download/details.aspx?id=7887. Install that on a staging computer. The following steps are how to get netdom.exe from the RSAT installation.

  1. Download and install RSAT for either x64 or x86.
  2. Follow the help file that opens after install for enabling features.
  3. Enable the following feature: Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > AD DS Tools > AD DS Snap-ins and Command-Line Tools

netdom.exe will now be under C:\windows\system32

Create a share readable by everybody on the domain, and drop netdom.exe there.

Create a script with the following (From: http://social.technet.microsoft.com/Forums/en/ITCG/thread/6039153c-d7f1-4011-b9cd-a1f111d099aa):

@echo off
SET netdomPath=c:\windows\system32
SET domain=domain.net
SET sourcePath=\\fileshare\folder\

::BATCH.BAT sits next to this script and sets passwd and adminUser
CALL "%~dp0BATCH.BAT"

::If necessary, copy netdom (and the optional dsquery/dsrm) to the local machine
IF EXIST %netdomPath%\netdom.exe goto join
COPY %sourcePath%netdom.exe %netdomPath%
COPY %sourcePath%dsquery.exe %netdomPath%
COPY %sourcePath%dsrm.exe %netdomPath%

:join
::Join this PC, under its current computer name, to the domain
NETDOM JOIN %computerName% /d:%domain% /UD:%adminUser% /PD:%passwd%
IF ERRORLEVEL 1 (
  ECHO netdom join failed, not rebooting
  EXIT /B 1
)

::Reboot immediately
SHUTDOWN -r -t 0

Change domain and sourcePath to their real values. Remove the dsquery.exe and dsrm.exe lines if not needed. If you’re just joining a domain, and not running anything after, then you don’t need them.

Create another script called “BATCH.BAT” that will hold your credentials that have access to joining computers to the domain.  Put BATCH.BAT in both places that house your Join-To-Domain script (…/x86 and …/x64)

@echo off
SET passwd=thisismypassword
SET adminuser=thisismyadminusername

  1. Ensure you have both scripts in the same directory.
  2. Open up a command prompt with Administrator privileges and change directory to the location of your scripts.

Running the first script will:

  1. Run a check to see if netdom.exe is already installed under system32; if it is, it goes straight to joining the domain, and if not it attempts to copy netdom (along with dsquery and dsrm) from your share.
  2. Once it ensures it has the files it needs, it will join the computer to the domain under the “Computers” OU with its current computer name using the credentials set by BATCH.BAT.
  3. It will reboot when done.

This will work on both Server 2003 and Server 2008.
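A single PowerShell join script that replaces the x86 and x64 batch pair, added here as an example and not the original post's or the TechNet thread's code. It assumes netdom.exe has been copied to \\server\share\x86 and \\server\share\x64 as described above (placeholder paths) and an account delegated the right to join computers; instead of reading the password from BATCH.BAT it lets netdom prompt for it.

```powershell
# Added example: join this Windows 7 machine to the domain with netdom, picking the
# right netdom build for the OS architecture. Domain, share and account are placeholders.
$Domain    = 'domain.net'
$ShareRoot = '\\server\share'
$JoinUser  = "$Domain\joinaccount"

# Choose x86/x64 from the OS, not from the bitness of the PowerShell process.
$os     = Get-WmiObject -Class Win32_OperatingSystem
$arch   = if ($os.OSArchitecture -like '64*') { 'x64' } else { 'x86' }
$netdom = Join-Path $env:SystemRoot 'System32\netdom.exe'

if (-not (Test-Path $netdom)) {
    Copy-Item -Path (Join-Path $ShareRoot "$arch\netdom.exe") -Destination $netdom -ErrorAction Stop
}

# Join under the current computer name. /PasswordD:* makes netdom prompt for the
# password, so it is never stored in a script or shown on the command line.
& $netdom join $env:COMPUTERNAME "/Domain:$Domain" "/UserD:$JoinUser" '/PasswordD:*'
if ($LASTEXITCODE -ne 0) { throw "netdom join failed with exit code $LASTEXITCODE" }

Restart-Computer -Force
```

Run it from an elevated prompt as `powershell.exe -ExecutionPolicy Bypass -File Join-Domain.ps1`, which avoids changing the machine-wide execution policy on each computer.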

Installing and Configuring Active Directory Certificate Services

Wednesday, March 21st, 2012

This guide assumes that you have a Windows Server 2008 R2 installation on a physical or virtual machine, and that the system is a domain controller of an Active Directory domain:

  1. Open Server Manager.
  2. Click on Roles in the tree on the left, then click Add Roles.
  3. Choose Next to start the wizard.
  4. Then enable the checkbox for Active Directory Certificate Services.
  5. Choose Next to start the AD CS role configuration.
  6. Click on “Add Required Role Services” to install IIS and the related tools needed.
  7. Enable the check box for “Certification Authority Web Enrollment” and click Next.
  8. Choose “Enterprise” and click Next.
  9. Choose “Root CA” and click Next.
  10. Choose “Create a new private key”.
  11. Leave the default values for Configure Cryptography for CA and click Next.
  12. Ensure that you have the proper values for Configure CA Name for your environment and click Next. The default values will usually be right.
  13. Click Next to accept the default validity period of 5 years.
  14. Configure the locations of the database and logs if needed for your environment and click Next.
  15. You will now be prompted to configure IIS.
  16. Make changes if needed, but be sure to leave Windows Authentication enabled, as it is required for Web Enrollment.
  17. After the role configuration is complete, run IIS Manager from Administrative Tools.
  18. From the tree on the left, navigate to the default website.
  19. Right-click Default Web Site and choose Bindings.
  20. Click the Add… button.
  21. Change the type to https, choose the SSL certificate that matches the server’s FQDN, and click OK.
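Steps 17 to 21 as a script, with a check for the Windows Authentication requirement from step 16, added here as an example and not from the original post. It assumes Windows Server 2008 R2 with the AD CS role and Web Enrollment already installed, and that the machine already holds a certificate whose subject CN is its FQDN.

```powershell
# Added example: bind https on the Default Web Site to the server's FQDN certificate
# and confirm /CertSrv still has Windows Authentication enabled.
Import-Module WebAdministration

$site = 'Default Web Site'
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Certificate whose subject matches the FQDN and that has a private key; newest if several.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -match ('^CN=' + [regex]::Escape($fqdn) + '(,|$)') } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for CN=$fqdn in LocalMachine\My" }

# Steps 19-21: https binding on the default site, attached to that certificate.
if (-not (Get-WebBinding -Name $site -Protocol https)) {
    New-WebBinding -Name $site -Protocol https -Port 443
}
if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
    New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null
}

# Step 16: Web Enrollment requires Windows Authentication on /CertSrv.
$filter  = 'system.webServer/security/authentication/windowsAuthentication'
$winAuth = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$site\CertSrv" -Filter $filter -Name enabled
if ($winAuth.Value) {
    "https://$fqdn/certsrv is bound to thumbprint $($cert.Thumbprint); Windows Authentication is enabled"
} else {
    Write-Warning "Windows Authentication is disabled on /CertSrv; Web Enrollment will not work until it is re-enabled"
}
```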

Using Archive Mailboxes in Exchange 2010

Wednesday, February 15th, 2012

Once upon a time, in a dark and dreary place, Exchange administrators (an already downtrodden lot, mind you) had to let users archive their mail to pst files. These files, open while Outlook was open and distributed across the enterprise file servers, caused the poor Exchange administrators great pain and suffering as they were uncontrollable. The pst files roamed, causing great pains to SMB/CIFS, switching and other admins, and worst of all these pst files had no policies applied to them.

Then came a bright knight in shining armor. She brought with her Exchange 2010 and stories of mailboxes that could be used for archival to replace the monstrosity pst files that had been in use for decades (ok, maybe just a decade, or a tad more, but close enough).

For environments running Exchange 2010, she explained that to configure archive mailboxes:

  • Open the Exchange Management Console from Administrative Tools
  • Click on Recipient Configuration
  • Click on the user who you would like to configure
  • Using the action pane, click on Enable Archive
  • To see an archive, log in to Outlook Web App with the user. You can then drag and drop some items into the online archive and change its name.

Then everyone realized that Microsoft, in their infinite wisdom, invented online archiving because it requires a CAL of its own. Each of the Exchange Admins then realized that the cost of said CAL would come from their own allotment of porridge!

The Impact of Directory Services on Xsan

Monday, January 23rd, 2012

When you’re dealing with file ownership and permissions, context is very important. Xsan volumes, from the point of view of an Xsan client, are local storage. There’s no daemon acting as gatekeeper or mediator, so when files are created or modified, the clients will use the standard mechanisms for assigning ownership and access rights, as they would with any local drive. In the absence of a shared authentication context, local user accounts will end up owning the files, and their permissions will be according to the default umask.

Mac OS X keeps track of such things by numerical User ID, and all Mac OS X systems start assigning local UIDs beginning with 501. It shouldn’t be too difficult to see how this can end badly. Users will potentially be able to overwrite files owned by other users, or access files they shouldn’t be able to, or not be able to access files that they should.

A directory service, therefore, is a key component in a proper deployment of Xsan. A directory service provides a shared context that will keep User ID collisions from happening. Also, users and groups can be managed centrally, and not on each workstation. This is especially important in large Xsan environments. Also, it will be possible to leverage Access Control Lists, and not POSIX permissions, to manage access to files and folders. POSIX permissions aren’t flexible enough to effectively manage the requirements of most Xsan environments.

It doesn’t matter whether you’re using Open Directory, Active Directory, or a Golden Triangle. You can even integrate Xsan with Novell’s eDirectory. Any of these will provide a much smoother and easy to manage Xsan.

Apple Education Licensing for Microsoft’s Active Directory

Tuesday, October 25th, 2011

We have recently had a number of requests for licensing for Active Directory environments running Apple and Linux client computers. There seems to be a bit of a debate about whether or not you need one CAL (Client Access License) for each user or device in the environment, if the devices are Apple or Linux computers. The cause for the confusion seems to be Microsoft’s External licensing. External licensing only applies to computers that are not part of your network, but instead are outside of the network (e.g. coming in over a WAN). It can be frustrating because I’ve had multiple customers tell me that different resellers and even Microsoft sales reps will give them different answers, and that’s been going on for years. I’ve spent a good amount of time with the Microsoft licensing desks, our Partner reps and a number of others to figure out the correct answer.

Licensing CALs for onsite systems can be done in a couple different ways:

  • Per-Device: Each computer that is bound to Active Directory receives a CAL
  • Per-User: Each user that uses a computer that is bound to Active Directory receives a CAL

In an environment where there are many users per device, then per-device licensing is always going to be cheaper (unless of course there are more devices than users, which wouldn’t make sense in a many to one environment). In a one-to-one environment where users come and go (e.g. by transferring between schools), but the number of computers remains somewhat static, per-device licensing still works out better as it simplifies license allocation.

Per-User CALs for education environments typically run around $1 USD per CAL for students. Per-User CALs for educators that work in the environment and are bound in that same environment typically run around $8 USD per CAL. If the systems aren’t bound, then licensing is only based on users that access file and print services, or other services; however, this becomes a bit of a challenge to calculate unless you reactively look at triggers that can be generated. But because most environments now use Active Directory binding on client systems, the CALs end up becoming one-to-one about as quickly as the computers become one-to-one.

But you should most definitely not take this article as being the rules set in stone. There are a number of scenarios that can change the licensing situation (most of them have to do with not binding clients or running computers that are offsite and/or employee owned). Contact Microsoft’s licensing desk using the contact information here, or contact a reseller like 318 for more information.

Will the future require CALs? In an increasingly iOS and Android world, there are a few issues to sort out in many environments (e.g. IIS vs. AD licensing). This has so far ended up being handled on a case-by-case basis. 318 is a Microsoft reseller and can help you through these complex licensing issues, if you need it. Please feel free to contact your 318 Professional Services Manager, or sales@318.com if you would like more information.

Create a User in Active Directory

Friday, January 7th, 2011

Yesterday, we looked at copying Active Directory accounts, but we hadn’t yet looked at creating new users. To create a new user, it is usually best to first log into a machine that has the Remote Server Administration Tools to run the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in… or the domain controller itself. You will need to use the administrator login or an account that has administrative privileges. On the domain controller, after you have logged in, go to the Start menu. Then click on Programs, Administrative Tools, and choose Active Directory Users and Computers.

At the top click on Action, choose New and then User. It will then ask you for information about the user: first name, last name and the user name that you want the user to log in with. Click Next when complete. The next window will ask you to type in a password for the user and then confirm it. Standard policy is that the password has at least one lowercase character, one uppercase character and one special character, and is at least 8 characters long.

Copy a User in Active Directory

Tuesday, January 4th, 2011

Creating new users in Active Directory is a fairly straightforward process. But often it is easier to copy a user than to create a new one. If you have a user that belongs to all the groups you want a new user to be a part of, you can make life easy by making a copy of that user. To do that, you will need to remote into the domain controller with the domain administrator account or an account with administrator privileges.

Once you log on, go to Start, click on Programs and choose Administrative Tools. Choose Active Directory Users and Computers. The best thing to do is to search for the user that you want to model the new user after. Before you do the search, go to View and choose Advanced Options. Then do a search: click on the search button at the top. It is the second to last button.

In the next box, type in the name of the user that you want to use as the model. Make sure that Entire directory is selected.

Right-click on the user and go to Properties. Then click on the Object tab. It will list what Organizational Unit the user is in. Navigate to that user by using the folders on the left side of the screen, then right-click on the user and choose Copy. A window will come up and you will need to type in the new user’s information.

After you complete this process, you will be asked to provide a password. By default, there are some password policies that you will want to maintain. Make sure that the password has at least one lower case, upper case and special case character. It has to be at least 8 characters long.

Once that completes, the new user has been created and is ready to use, unless you would like to change group memberships, policies, etc.
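The create-and-copy procedure from this post and the previous one, done with PowerShell instead of the MMC dialogs, added here as an example and not the original posts' code. It copies the model user's OU and group memberships and enforces the password rule both posts state (at least 8 characters, one lowercase, one uppercase, one special). It assumes the RSAT ActiveDirectory module; the account names are placeholders.

```powershell
# Added example: create a new AD user modelled on an existing one.
Import-Module ActiveDirectory

function Test-PasswordPolicy([string]$Password) {
    # The rule as the posts describe it: 8+ chars, one lowercase, one uppercase, one special.
    return ($Password.Length -ge 8 -and
            $Password -cmatch '[a-z]' -and
            $Password -cmatch '[A-Z]' -and
            $Password -match '[^A-Za-z0-9]')
}

function Copy-ADUserFromTemplate {
    param(
        [Parameter(Mandatory=$true)][string]$Template,        # sAMAccountName of the model user
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [Parameter(Mandatory=$true)][string]$GivenName,
        [Parameter(Mandatory=$true)][string]$Surname,
        [Parameter(Mandatory=$true)][string]$Password
    )
    if (-not (Test-PasswordPolicy $Password)) { throw 'Password does not meet the stated policy' }

    # Attributes the copy dialog carries over; group membership is handled separately below.
    $model  = Get-ADUser -Identity $Template -Properties Department, Title, Company, Office,
                  Description, StreetAddress, City, State, PostalCode
    $groups = (Get-ADUser -Identity $Template -Properties MemberOf).MemberOf

    # Parent container of the model's DN (assumes no escaped commas in the CN).
    $ou = ($model.DistinguishedName -split ',', 2)[1]

    New-ADUser -Name "$GivenName $Surname" -SamAccountName $SamAccountName `
        -UserPrincipalName "$SamAccountName@$((Get-ADDomain).DNSRoot)" `
        -GivenName $GivenName -Surname $Surname -DisplayName "$GivenName $Surname" `
        -Path $ou -Instance $model `
        -AccountPassword (ConvertTo-SecureString $Password -AsPlainText -Force) `
        -Enabled $true -ChangePasswordAtLogon $true

    # -Instance does not copy memberOf; add the new user to every group the model is in.
    foreach ($groupDn in $groups) {
        Add-ADGroupMember -Identity $groupDn -Members $SamAccountName
    }
    Get-ADUser -Identity $SamAccountName -Properties MemberOf
}

# Example call with placeholder values:
Copy-ADUserFromTemplate -Template 'jdoe' -SamAccountName 'asmith' -GivenName 'Ann' -Surname 'Smith' -Password 'Replace-Me1!'
```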

DAVE 8.1 Available

Friday, September 3rd, 2010

A new version of DAVE is now available. According to the latest release information from Thursby:

DAVE 8.1 is geared to professional use in design, publishing, production, colleges and businesses requiring enterprise Mac-Windows file/print integration with:

- Snow Leopard (OS X 10.6) and Leopard (OS X 10.5)
- Includes full Microsoft DFS support, not part of OS X
- Includes commercial grade network volume support for files/directories/home folders around Mac apps such as Adobe Creative Suite, Apple Final Cut Pro, Avid and Microsoft Office for Macs
- Native OS X/SMB *enterprise* network volume use can lead to loss of files and corruption since it is geared to home/small office work

More details: http://www.thursby.com/products/dave.html

Adding a User and Folder to FTP Running Active Directory in Isolation Mode

Thursday, January 21st, 2010

Note: For the purpose of these directions the username is MyUser

First, create a user in Active Directory (assuming, also, that there is an FTP users container in AD)

Next, create a home directory in the FTP share (for MyUser it might be D:\Company Data\FTP\MyUser *naming the home folder the same as the user name*)

Go to the command line and use these commands to map the directories to the account:

iisftp /SetADProp MyUser FTPRoot "D:\company data\ftp"

*note the quotation marks around the path to specify this directory, since there is a space between company and data*

iisftp /SetADProp MyUser FTPDir MyUser

You can verify this by running ftp localhost from the command line and logging in with the new user’s credentials.

You can also create and delete a file to make sure it correctly edits the folder.

Note: If the password changes for the domain administrator account you must change it in IIS for this.
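The same mapping written and verified directly on the AD user object, added here as an example and not from the original post. It sets the two attributes that iisftp /SetADProp writes for AD user isolation (msIIS-FTPRoot and msIIS-FTPDir) and checks that the resulting home folder exists; it assumes the RSAT ActiveDirectory module, MyUser and the path from the post as placeholders.

```powershell
# Added example: map an FTP user isolation home directory on the AD account and verify it.
Import-Module ActiveDirectory

$User    = 'MyUser'
$FtpRoot = 'D:\Company Data\FTP'   # no shell involved here, so the space needs no quoting tricks
$FtpDir  = $User                   # home folder is named after the user, as the post requires

# The attributes exist only once the IIS FTP schema extension is in place; Set-ADUser fails otherwise.
Set-ADUser -Identity $User -Replace @{ 'msIIS-FTPRoot' = $FtpRoot; 'msIIS-FTPDir' = $FtpDir }

$u       = Get-ADUser -Identity $User -Properties 'msIIS-FTPRoot', 'msIIS-FTPDir'
$homeDir = Join-Path $u.'msIIS-FTPRoot' $u.'msIIS-FTPDir'

"{0}: FTPRoot={1} FTPDir={2} home folder exists={3}" -f `
    $User, $u.'msIIS-FTPRoot', $u.'msIIS-FTPDir', (Test-Path $homeDir)
if (-not (Test-Path $homeDir)) {
    Write-Warning "Create $homeDir before testing the login; the FTP service will reject the user without it"
}
```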

Moving Exchange Public Folders Between Information Stores

Wednesday, April 8th, 2009

Moving the Public Folders in Exchange 2003 from one Information Store to another located on the same server.

The only way to do this, previously, was to create another Exchange server and either use pfadmin to transfer the public folders, or to set up another Exchange server, set up replication and then replicate again to the target Information Store. Either way, you would require another Exchange server.

Setting up and using PFADMIN:

http://support.microsoft.com/kb/822895

Setting up Public Folder Replicas:
http://www.msexchange.org/tutorials/PFMIGRATE.html (towards middle of page)

The steps outlined below will allow you to do it with only one server.

1. Ensure there are no connections to Exchange (OWA, Outlook, etc.)
2. Login to Exchange System Manager (ESM)
3. Drill down to the Public Folder that you want to move. Make note of the application
4. Install adsiedit
a. http://www.microsoft.com/downloads/details.aspx?FamilyID=96a35011-fd83-419d-939b-9a772ea2df90&DisplayLang=en <- For Windows 2003 SP2
5. Drill down in ADSIedit to the public folder
a. Configuration
b. Services
c. Microsoft Exchange
d. Administrative Groups
e. Server
f. Information Store
6. Right mouse click the public folder on the right side that you want to move. Select “Move”
7. A new window will appear, drill down again to the information store that you wish to move the public folder to, and move it.
8. Go back to ESM
9. Go to Mail Box on originating Information Store (where you are moving from)
10. Right mouse click, and re-associate the public folder with the mailbox store. It will automatically redirect itself to the newly moved public folder in the new information store.
11. Reboot Exchange or Restart Exchange Services.

The process above was used to migrate data from one information store to another located on a SAN that was connected to an Exchange server. The migration process first included the mailboxes, then the system mailboxes, and lastly the public folders. If following that process, you can then safely delete the mailbox store from the originating Information Store, and then delete the original Information Store (ensure there are no lingering accounts that have associated mailboxes in the old store).

Changing Passwords on Windows Computers

Tuesday, April 7th, 2009

For a Domain Password:
1. Go to Active Directory Users and Computers
2. Locate user account
3. Change Password for user account
4. Wait 15 minutes for Changes to propagate in large domain with more than 2 DCs
5. Done

Local Password Change on Windows Computers on a Domain:
1. Create batch file with following script:

net user usernamethatyouwantmakechangesto newpassword

2. Edit/Create GPO for OU that has computers in question
3. Place the script as Computer startup/shutdown script GPO
4. Wait for computer GPO to propagate, and users to shutdown/startup later that evening.
5. Done

Stand-alone Workstations:
1. Ensure workstations are XP Pro (won’t work on XP Home – you’ll have to use sneakernet for password changes)
2. Ensure Simple File Sharing is TURNED OFF (if not, then Sneakernet)
3. Get PsPasswd http://technet.microsoft.com/en-us/sysinternals/bb897543.aspx
4. Make a list of all windows computers on your network, and save it to a file (a computer on each line)
5. run: pspasswd @file -u localadministrator -p password username newpassword
6. Done

Ensure the credentials you are changing are not being used for any services (On Server and Workstation):
1. Start > run > services.msc
2. Click on the “Standard” tab
3. Sort by “Log On As”
4. Note which ones are being used by non-system accounts. Ensure your changes are not going to affect them. If they are, please consider making separate service user accounts for the services in question, or change the password for the service as well.
a) Get to the Properties of the service
b) Click on the Log On tab
c) Enter in the correct changed password, and confirm it.
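The service check from the last list, run remotely against a list of computers so it happens before the password change rather than after something breaks, added here as an example and not from the original post. It assumes WMI/DCOM access to the computers; the computer names and the account are placeholders. It also goes one step beyond the post by updating the service's stored password (step c) through WMI.

```powershell
# Added example: find services that log on as a non-built-in account, flag the ones that
# use the account whose password is about to change, and optionally update their password.
$Computers = 'server01', 'workstation01'   # placeholders
$Account   = 'DOMAIN\svc-backup'           # placeholder: the account whose password changes

# Win32_Service reports these names for the built-in accounts (comparison is case-insensitive).
$builtIn = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'

function Get-NonSystemServiceLogons {
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        Get-WmiObject -Class Win32_Service -ComputerName $c -ErrorAction SilentlyContinue |
            Where-Object { $_.StartName -and ($builtIn -notcontains $_.StartName) } |
            Select-Object @{n='Computer'; e={ $c }}, Name, StartName, State, StartMode
    }
}

function Set-ServiceLogonPassword {
    # Step c) via WMI: Change()'s 8th argument is StartPassword; the rest stay untouched.
    param([string]$ComputerName, [string]$ServiceName, [string]$NewPassword)
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter "Name='$ServiceName'"
    $result = $svc.Change($null, $null, $null, $null, $null, $null, $null, $NewPassword)
    if ($result.ReturnValue -ne 0) { throw "Change() on $ServiceName@$ComputerName returned $($result.ReturnValue)" }
}

$svcs = @(Get-NonSystemServiceLogons -ComputerName $Computers)
$svcs | Sort-Object Computer, StartName | Format-Table -AutoSize

$affected = @($svcs | Where-Object { $_.StartName -eq $Account })
if ($affected.Count -gt 0) {
    "$($affected.Count) service(s) run as $Account and will stop starting after the change:"
    $affected | Format-Table Computer, Name, State -AutoSize
    # After changing the account's password, push it to each affected service, e.g.:
    # foreach ($s in $affected) { Set-ServiceLogonPassword $s.Computer $s.Name 'NEW-PASSWORD-PLACEHOLDER' }
} else {
    "No services run as $Account on the listed computers"
}
```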

Terminal Server 2008 Load Balancing

Thursday, February 12th, 2009

Load balancing is fairly straightforward in Microsoft Windows Terminal Server 2008. Before you get started you’ll need to have multiple terminal servers, a Windows 2008 Active Directory environment and a centralized location to store your user profiles.

When setting up Terminal Servers with load balancing and redirected profiles, no single terminal server should get overloaded by users while another terminal server sits idle. When a user tries to connect to the terminal server, the master terminal server checks the load on each one of the servers. It then logs the user into the terminal server with the least load. Since redirected profiles are set up, every user that logs in will have all of their desktop items, documents folder and pretty much everything that they will need. The user does not even need to know that they are on a different terminal server than they were the last time that they logged in.

To install Terminal Server clustering, first verify that you meet the prerequisites of centralized home folder storage, Active Directory 2008 and multiple terminal servers. Then install the Terminal Server Session Broker service on each one of the servers. Then on one of the servers, you need to add all of the terminal servers into the session directory group under Groups in Local Users and Groups. You only need to add them on one server and the change will replicate.

The next thing you need to do is set up an alias in DNS and associate all of the IP addresses of the terminal servers with that alias. Once complete, when you do an nslookup on that alias, it should display all of the IP addresses that you entered.

Then you will need to make some changes to group policy. It appears that you must have a 2008 Domain Controller set up with the most upgraded schema to be able to do this. Go to Computer Settings -> Policies -> Administrative Templates -> Windows Components -> Terminal Services -> Terminal Server and then TS Session Broker. In here you need to put the name of the alias under Configure TS Session Broker Farm Name. Then put the name of the main terminal server in Configure TS Session Broker Name. Also you need to enable Join TS Session Broker and Use TS Session Broker Load Balancing. After you have that set up, save the Group Policy Object (GPO) and attach it to the Organizational Unit (OU) that holds the terminal servers.

Once your group policies are in place you can focus on making the lives of your users a bit easier by enabling redirected user profiles. First, you will need a place to put all of the user profiles. Then you will want to move all of the users that need to access the terminal servers into a new Organizational Unit, create a new group policy object and enable folder redirection. To enable folder redirection, go to User Configuration -> Policies -> Windows Settings and then Folder Redirection. Here, enable each folder redirection policy that you feel the users in the organization will need (this is different for everyone and can require a little testing to get it perfect). While the choices are a lot to consider at first, Appdata, Desktop and My Documents are the most standard ones to choose and represent a great starting point. The basic setting is what you will most likely want to use; then just put in the root path to your profile share. It will then give you an example of where everything will be stored, and you will verify that the user names and the folders that you created on the network share are the same.

Once all of the users are able to log into any of the terminal servers and get the exact same environment no matter which server they log into, you are mostly done. With load balancing set up, one terminal server being overused is no longer something you need to worry about with 2008. Once the cluster is set up, the master terminal server will take care of the rest.

Citrix XenApp: New Look, New Features, Same Great Product

Wednesday, February 11th, 2009

Citrix XenApp has been around much longer that its new name would suggest. Formerly known as MetaFrame Presentation Server, XenApp has been a reliable solution for many years. It is the premier solution for application publishing and remote workplace access, while it also helps to ensure the highest level of security with built-in encryption.

 

Customizable Citrix Authentication Window

Customizable Citrix Authentication Window

XenApp provides a seamless workplace environment that enables IT departments to centralize the management of data and resources in a granular and automated fashion. As all of your information is hosted on company servers as opposed to being distributed across numerous client machines, there is an inherently lower risk of data being compromised, virus infestations and of course untrustworthy users.

XenApp is one of the most mature products of its type. XenApp provides greater advantages over most remote workplace applications in that its client software runs on all major platforms. This ensures Windows, Mac and even Unix/Linux clients can access the same information in exactly the same way – using the native Windows applications published through a web or Citrix client interface. A unified approach to management drives down administrative overhead and expense by allowing IT departments to focus on one interface rather than having to support various individual systems, each with its own quirks and configurations.

Citrix in URL

With Citrix, a user simply browses to the website where the applications are hosted and logs in. From there, the end user has access to all the applications that they have been granted access to.

Citrix Application Selection Dialog

Access to applications can be based on granular, user based settings or as a result of larger, more scalable group memberships either local to the Citrix server or based on Active Directory. Either way, each unique user can be provided a very specific and unique user experience tailored to their needs. For some users, you may allow access to a full Desktop environment while for others you may limit access to only a small subset of applications.

Citrix in Action

When you are looking to have an enterprise-level deployment of Mac OS X, Citrix can help to ease the transition burden. For example, many applications are not available for the Mac. If Mac OS X users are not able to access the corporate ERP system then they are not full citizens of the enterprise. The same goes for obtaining support for various browser incompatibilities that may exist with corporate intranets, and for obtaining features not available in the Mac versions of applications, such as being able to auto-archive in Microsoft Outlook (which is not a feature of Entourage). All in all, Citrix can help you ease into an enterprise switching campaign rather than force all of your users into a culture shock of new applications, new ways of doing things and compatibility problems.

Citrix is also a scalable solution. The clustering options in XenApp are far easier to configure than with Windows Terminal Server. The failover is fast and less infrastructure is required as the Citrix server is able to manage most of the workload.

318, Inc is a trusted Citrix Partner well versed in providing Remote Workplace and Application Publishing connectivity for organizations in both homogeneous and heterogeneous environments. Allow our highly skilled technology consultants to assess and recommend the ideal Remote Workplace solution for your organization.

Installing Kerio 6 on Windows Server 2008 and Bind to Active Directory

Friday, December 5th, 2008

****Ensure that Active Directory is already configured on the server as Kerio LDAP and SLDAP ports will clash with AD’s port settings if the server also acts as a Domain Controller****

Kerio MailServer Setup and Install

* Download Kerio MailServer install file from Kerio’s website -

http://www.kerio.com/kms_download.html

* Run the install file and click ‘Next’ on the Wizard’s welcome screen

* In the following dialog, all important updates since the last version of Kerio MailServer are listed. Continue by clicking on ‘Next’

* On the next page, review the license agreement then click ‘Next’ to continue

* There will be the choice of doing a ‘Complete’ install (recommended) or a ‘Custom’ install.
The custom install allows you to select which components are installed but they are all essential besides the foreign-language packs.
Once the install type has been specified, click ‘Next’ to continue

* In the next step, select the directory where Kerio MailServer will be installed and click ‘Next’. The default location is C:\Program Files\Kerio\

* Next, there will be an option to enable automatic startup of Kerio MailServer once installation has completed (“Start Mail Server Engine service after installation finishes”). It is recommended that this be selected

* After the installation has completed, click ‘Next’. The Wizard then displays a screen where basic server parameters can be set

* Specify the name of the primary domain and domain name that resolves to the IP address of the server that Kerio MailServer is being installed on (A record should have already been created in DNS for mail) in the ‘Domain’ and ‘Hostname’ text fields. Click ‘Next’ to continue

* On the next page, specify the settings for the Administrator account (username, password, and confirm password). Click on ‘Next’ to continue

* Select a location for the Store Directory that has sufficient space for growth, then click ‘Next’

* Once the configuration Wizard has been completed, save the installation settings by clicking ‘Finish’
Kerio MailServer Engine, running as a service, will be started immediately after the installation is complete

Binding Kerio to AD

* Click Start > All Programs > Kerio > Administration Console

* Enter administration credentials that were specified during Kerio MailServer setup

* On the left-side navigation pane, go to ‘Services’

* Click on the properties on the main screen for LDAP and SLDAP and change the ports to 390 for LDAP and 637 for SLDAP. Click ‘Apply’ to save the changes and ensure that the services have started

* Download the Kerio Active Directory Extension from the Kerio website and run the install (no wizard will show up)

* Once the install is complete, to create a new user, click Start > Administrative Tools > Active Directory Users and Computers

* Go through the usual steps to create a new user and during the setup there will be a screen to create a Kerio email account for the new user

* To add existing users to Kerio, navigate to the ‘Users’ window in the Kerio Administration Console (under ‘Domain Settings’), then click on ‘Import’ on the bottom right then ‘Import from directory service’ on the floating window.
Select the Active Directory type from the drop-down then enter the administration credentials for Active Directory. This will provide a screen with all AD users that can then be imported.

Managing Global Address Lists in Exchange 2003

Thursday, December 4th, 2008

1. Open ‘Active Directory Users and Computers’ –
Start → All Programs → Administrative Tools → Active Directory Users and Computers

2. Select the user that you would like to update on the Global Address List

3. Right-click on that user and select ‘Properties’ in the resulting pop-up menu

4. Go to the ‘Exchange Advanced’ tab for the user

5. Check the box ‘Hide from Exchange address lists’ and delete the ‘Simple Display Name’ to remove the user from the Global Address List. To add the user to the Global Address List, un-check ‘Hide from Exchange address lists’ and enter an alias in the ‘Simple Display Name’ text box.

6. Click on ‘Apply’ then click ‘OK’ to submit the changes.
The changes can take anywhere from a few minutes to a few hours to propagate.

7. To confirm the updates, open the Exchange System Manager:
Start → All Programs → Microsoft Exchange → System Manager

8. On the right side navigation panel go to
Recipients → All Global Address Lists → Default Global Address List

9. Right-click on ‘Default Global Address List’ then click ‘Properties’ on the pop-up menu.

10. Click on ‘Preview’ to generate the current Global Address List

Creating Alternate User Logins in Active Directory

Friday, May 30th, 2008

The User Principal Name (UPN) provides an easy-to-use naming style for users to log on to Active Directory. The style of the UPN is based on Internet standard RFC 822, which is sometimes referred to as a mail address. The default UPN suffix is the forest DNS name, which is the DNS name of the first domain in the first tree of the forest.

You can add alternate UPN suffixes, which increase logon security. You can also simplify user logon names by providing a single UPN suffix for all users. The UPN suffix is only used within the Windows Server 2003 domain and is not required to be a valid DNS domain name.

[Before following the steps below, ensure that the Administrative account being used is a member of Enterprise Admins.]

To add additional UPN suffixes

1. Select Active Directory Domains and Trusts in the upper left pane, right-click it, and then click Properties.
2. Enter any preferred alternate UPN suffixes in the Alternate UPN Suffixes box and click Add.
3. Click OK to close the window.

When accessing Active Directory Users and Computers, the account tab now has the option to select this newly created UPN for login access.

Ubuntu 8.04 Released

Sunday, May 11th, 2008

Ubuntu 8.04 is now available – the first major release since 7.10. Code named Hardy Heron, 8.04 will look familiar to long-time Ubuntu users. But under the hood, 8.04 sports a new kernel (2.6.24-12.13), a new rev of Gnome (2.22), improved graphical elements (such as Xorg 7.3), a spiffy new installer (Wubi), the latest and greatest in software, enhanced security and of course more intelligent default settings. The desktop version is free to download from ubuntu.com.

The new Ubuntu installer comes with a new utility called Wubi. Wubi can run as a Windows application, which means that Windows users will be able to more easily transition to and learn about Ubuntu. Wubi can perform a full installation of Ubuntu as a file on a Windows hard drive. This means that you no longer need to install a second drive or perform complicated partitioning on an existing drive. When you boot up Ubuntu the system reads and writes to the disk image as though it were a standard drive letter, much like VMware would do. Ubuntu can also be uninstalled as though it were a standard Windows application using Add/Remove Programs.

The new application set is solid. Firefox 3.0 comes pre-installed. Brasero provides an easier interface for burning CDs and DVDs. PulseAudio now gets installed by default (which is arguably a questionable decision, but we found it worked great for us). The Transmission BitTorrent client is now included by default. Vinagre provides a very nice and streamlined VNC client for remote administration (although the latency for remote users is still a bit of a pain compared to the Microsoft RDP protocol). Inkscape, the popular Adobe Illustrator-like application, has always been easy to install and use, but it now comes bundled with Ubuntu.

In order to play nicer in the enterprise, the security infrastructure of Ubuntu has also had a nice upgrade. The Active Directory plug-in is provided using Likewise Open (unlike Mac OS X which sees a custom package specifically for this purpose). There is a new PolicyKit which provides policies similar to GPOs in Windows or MCX in Mac OS X. The default settings in 8.04 are also chosen with a bit more of a security mindset. New memory protection is built into 8.04, primarily to make exploits harder to uncover and prevent rootkits. Finally, UFW (uncomplicated firewall) is now built into the system to make firewall administration more accessible to the everyday *nix fan.

Network administrators will be impressed by the inclusion of many new features. KVM is included in the kernel, and libvirt and virt-manager are provided to make Ubuntu a very desirable virtualization platform. iSCSI support provides more targets on which to store those virtual machines and also expanded storage for those larger filers (e.g. using Samba 3). Postfix and Dovecot provide a standardized mail server infrastructure out of the box. CUPS in 8.04 now supports the Bonjour and Zeroconf protocols as well as the solid standbys of SMB, LPD, JetDirect and of course IPP. Those building web servers will be happy to see Apache 2, PHP 5, Perl, Python and Ruby on Rails (with GEM) and of course Sun OpenJDK (community supported). If you need the database side of things there’s MySQL, PostgreSQL, DB2 and Oracle Database Express.

However, if you are just starting out keep in mind that Ubuntu Server does not come with a windowing system by default – so beef up those command line skills sooner rather than later! We are also still waiting for a roadmap for integrating much of the more Enterprise or Network-oriented packages. For example, we now have the PolicyKit and a solid Active Directory client. But how do we push out en masse the policies that we want our users to have post imaging?

So if you use Ubuntu or are interested in getting to know the Linux platform then 8.04 is likely a great move. It’s solid, stable and much improved over 7. It’s easier to migrate, virtualize and work in. The developers should be proud!

Domain Controller Capacity Planning In Active Directory

Friday, April 18th, 2008

The memory requirements per DC are calculated based on the number of DCs and how spread out they are. Any time we are doing this type of planning we start out with the number of users that interact with a given DC and how much replication it does with other DCs. If a DC is processing logins for 1,000 users then it can easily be run from a fairly unsubstantial host, as would be the case with a Global Catalog sitting at a smaller school. However, as the number of users interacting with a single DC goes up, the RAM goes up. The minimum recommended memory is approximately 2GB per 1,000 users and a minimum of one dual-CPU system per 10,000 users, but again loads may vary based on various aspects of the domain.

In terms of bandwidth utilization, the number of users logging in concurrently per school will use practically no bandwidth compared to a fiber connection if they have a DC at the school. However, if the school does not have a DC then you can expect approximately 64k per concurrent login for remote users, not counting any network profiles or login scripts. More speed will allow for faster login windows, which will in turn allow the system load to decrease faster following large numbers of users logging in concurrently. The bandwidth utilization can be slightly higher than in other LDAP types of environments for Windows hosts, but not typically for Linux or Mac clients.

Policies will create additional load. The more layered the policies, the higher this load will become. Flattening the policy structure as much as possible will help reduce this overhead, but in the beginning some monitoring and tuning will need to be done. By monitoring the Database Cache % Hit counter on the server you will be able to track whether additional memory is required.

Disk space is typically not a factor when planning an Active Directory deployment. But before factoring in the size of logs, a good setup should accommodate 4GB plus installers/drivers and 0.5GB per 1,000 users for non-Global Catalogs, and an additional 50% for Global Catalogs.

Create Mobile Accounts From Local Accounts in 10.4 and 10.5

Sunday, March 2nd, 2008

This setup can be performed locally or remotely via Apple Remote Desktop.

1. Have the user change the local password to the network password via System Preferences. If this step is skipped, add the Keychain Minder application as a login item:

http://www.afp548.com/article.php?story=20050306085715981

2. Log in as the 318admin account (create it if necessary). Do not use Fast User Switching!

3. Verify the bind for the system to Open Directory or Active Directory.

4. Survey the existing home directory permissions, viewing them numerically:

ls -lnd /Users/anna

# drwxr-xr-x+ 38 505 505 1292 Feb 29 14:36 anna

In this example 505 is the local user's UID.

5. Obtain the UID of the local user:

id -u anna

# 505

6. Obtain the UID of the network user. In this example the network username and local username are the same; the steps are the same if they are different.

6.1 When using Active Directory. Note: “WALLCITY” is the NT-style domain name for wallcity.org.

id -u 'WALLCITY\anna'

# 138809240

6.2 When using Open Directory. Note: iduro.wallcity.org is the Open Directory server that the client is bound to.

dscl /LDAPv3/iduro.wallcity.org/ -read /Users/anna uidNumber

# uidNumber: 1035

Note the UIDs discovered for both the local user and the network user.

7. Delete the local user account reference. If configuring remotely via ARD, lock the screen before performing this step so that the user cannot accidentally log in during the process.

dscl . -delete /Users/anna

8. Change the ownership recursively and numerically, using the network UID and the “staff” group. In this example 138809240 is the AD network UID discovered in step 6.

chown -R 138809240:staff /Users/anna

9. Create the mobile account.

9.1 For Leopard (10.5) systems (this is a single line):

sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n anna

9.2 For Tiger (10.4) systems:

sudo /System/Library/CoreServices/mcxd.app/Contents/Resources/MCXCacher -U anna

10. Verify that the permissions were changed to the network account, numerically:

ls -lnd /Users/anna

# drwxr-xr-x+ 39 138809240 20 1326 Feb 29 16:04 /Users/anna

10.1 Verify that UID-to-username resolution works (i.e. 138809240 resolves to anna or WALLCITY\anna and 20 resolves to staff, as shown):

ls -ld /Users/anna

# drwxr-xr-x+ 39 anna staff 1326 Feb 29 16:04 /Users/anna
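The procedure above as an added shell script; this is example code written for this page, not something from the original post. It drives steps 4 through 10 for one user and adds the two checks an admin wants before the destructive step 7: it refuses to run while the user holds a console session (the post's lock-the-screen advice), and it resolves both the local and the network UID first, so the local record is never deleted for a network account that does not resolve. It assumes the Mac is already bound (step 3), that it runs from an admin session with sudo, and that the user is logged out; the function names and the file name migrate-mobile.sh are assumptions, while anna, WALLCITY\anna and the UIDs 505 and 138809240 are the post's own sample values.

```shell
#!/bin/sh
# Added example: automates steps 4-10 of the mobile-account procedure above.
# Assumptions (not from the original post): the Mac is already bound to AD or
# OD, we run from an admin session (such as 318admin) with sudo rights, and the
# user being migrated is logged out.  anna / 'WALLCITY\anna' and the UIDs 505 and
# 138809240 are the post's sample values.

# Pull the numeric owner UID (third field) out of one line of `ls -lnd` output,
# e.g. "drwxr-xr-x+ 38 505 505 1292 Feb 29 14:36 anna" -> 505
owner_uid_from_ls() {
    set -- $1
    printf '%s\n' "$3"
}

# True when the directory described by the `ls -lnd` line ($1) is owned by UID $2.
owner_matches() {
    [ "$(owner_uid_from_ls "$1")" = "$2" ]
}

# True when a local UID ($1) and a network UID ($2) both resolved and differ,
# i.e. the home directory really has to be re-owned.  Equal UIDs would make the
# chown a no-op; an empty UID means a lookup failed and we must not proceed.
needs_chown() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# True when user $1 currently holds a console session (the "lock the screen
# before step 7" safeguard, enforced instead of assumed).
user_logged_in() {
    who | awk -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# Step 9: Leopard (10.5) ships createmobileaccount, Tiger (10.4) uses MCXCacher.
create_mobile_account() {
    cma=/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount
    mcx=/System/Library/CoreServices/mcxd.app/Contents/Resources/MCXCacher
    if [ -x "$cma" ]; then
        sudo "$cma" -n "$1"
    else
        sudo "$mcx" -U "$1"
    fi
}

# Migrate local user $1 whose network account is $2 (e.g. anna 'WALLCITY\anna').
migrate_to_mobile() {
    user=$1
    netuser=$2
    home="/Users/$user"

    # Refuse to touch an account that is in use.
    if user_logged_in "$user"; then
        echo "$user is logged in; log them out first" >&2
        return 1
    fi

    # Steps 5 and 6: both UIDs must resolve before anything destructive happens.
    # If the network account does not resolve, deleting the local record would
    # lock the user out, so stop here.
    localuid=$(id -u "$user") || { echo "local user $user not found" >&2; return 1; }
    netuid=$(id -u "$netuser") || { echo "network user $netuser not found" >&2; return 1; }

    # Step 7: drop the local directory record (the home folder stays on disk).
    sudo dscl . -delete "/Users/$user" || return 1

    # Step 8: re-own the home directory by number; group staff is GID 20.
    if needs_chown "$localuid" "$netuid"; then
        sudo chown -R "$netuid:staff" "$home" || return 1
    fi

    # Step 9.
    create_mobile_account "$user" || return 1

    # Step 10: confirm the numeric owner is now the network UID.
    owner_matches "$(ls -lnd "$home")" "$netuid"
}

# Usage: sh migrate-mobile.sh anna 'WALLCITY\anna'
if [ "$#" -ge 2 ]; then
    migrate_to_mobile "$1" "$2"
fi
```

The network UID is taken from `id -u` for both AD and OD, which works once the client is bound; the post's `dscl` read against the OD server is an equivalent way to get the same number.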

Active Directory and FileMaker Security

Tuesday, August 8th, 2006

ARCHIVE: This was only applicable for earlier versions of Mac OS X Server

1. First of all you need to know how to bind a computer running Mac OS X Server to an Active Directory domain. Bind it in /Applications/Utilities/Directory Access.

a. Check Active Directory.
b. Click Configure.
c. Under Active Directory Forest, enter yourdomain.com.
d. Under Active Directory Domain, enter yourdomain.com.
e. Enter the name of the computer.
f. Click Apply then Restart.

*If you are ever having problems with authentication for the whole machine to the primary domain controller of your Active Directory domain, unbinding and then rebinding with this utility is a good place to start.

2. Now you need to tell FileMaker Server 8 to authenticate to an external server.
a. In FileMaker Server 8, open FMS Admin.
b. Click on the Configure button.
c. Enter the address of the primary domain controller
d. You usually can leave the distinguished name blank.
e. Under login settings (since you are authenticating to an Active Directory, a Windows product), check Windows Authentication.
f. Login as a user who is a member of the fmsadmin security group in Active Directory.

*** If you haven’t added a user to this group yet, RDC into the Domain using an account with Administrative privileges and open Start > Programs > Administrative Tools > Active Directory Users and Computers. Make sure you add an account that the FileMaker server can use to the group.

g. Save your changes.

3. Alternatively, to tell FileMaker Server 9 to authenticate to an external server:
a. Open a web-browser and go to the url: http://filemakerserverip:16000/.
b. FileMaker Server admin will load.
c. Login.
d. Click clients.
e. In the Task List, click Configure external authentication.
f. Make sure that, under client authentication, ‘FileMaker and external server authentication’ is checked.
g. Click the FileMaker Pro Clients chiclet at the top.
h. Click the Configure Directory Service button.
i. Under directory server, enter your primary domain controller.
j. Leave the point of entry blank.
k. Check ‘My directory server requires me to log on’.
l. Enter your fully qualified domain login for the user that you put in the fmsadmin group (i.e., DOMAIN\User). Use exact capitals/lowercase letters.
m. Enter the password.
n. Save and quit.

4. Troubleshooting.
a. Make sure the External logins you specify in your FileMaker solution match those that are in Active Directory.
b. Make sure your groups in your files are lower case if you are running FM Server on a Mac (the groups pulled from AD will become lowercase on the Mac regardless of what they are in AD).