Thursday, 22 March 2012

Network Access Protection (NAP)

Roaming laptop users are always a health threat for any network. While laptops are away from the company, they might not receive the most recent software updates, antivirus updates, or configuration changes. Laptops might also be infected while exposed to unsecured networks, such as those in Internet cafes, airports, etc. When roaming users bring these laptops back to the company, the machines might not meet network requirements and can present health risks.
The Network Access Protection (NAP) feature in the Windows Server 2008 platform provides an integrated way of detecting the state of a network client that is attempting to connect to a network. When roaming laptops connect to the company local area network (LAN), they must meet specific health requirements, such as having recent updates installed. If they can't meet those health requirements, they can be quarantined to a network where they can download updates, install antivirus software, and obtain more information about how to meet the requirements of the LAN. When this process finishes, NAP provides a mechanism to automatically bring the client back into compliance and allow full access to the company network.

Wednesday, 7 March 2012

Transferring FSMO Roles in Windows 2008 Server

One of a system administrator's many tasks is upgrading a current domain controller to a new hardware server. You have used Windows Server 2003 for years and now it's time to move to a new Windows Server 2008 server. One of the steps required to successfully migrate your domain controller is transferring the FSMO roles to the new Windows Server 2008 machine. While Active Directory in general uses a multimaster replication scheme for replicating the directory database between domain controllers, certain directory functions must be performed on one specific domain controller. These functions are defined by flexible single master operations (FSMO) roles. There are five different FSMO roles, and each plays a different function in Active Directory:

  • PDC Emulator
  • RID Master
  • Infrastructure Master
  • Schema Master
  • Domain Naming Master

A. Let's start transferring the FSMO roles, beginning with the Active Directory Schema Master.
(Keep in mind that all steps are done on the new Windows Server 2008 machine.)

First we need to register schmmgmt.dll in order to be able to use the Active Directory Schema snap-in.

1. Click Start > Run
2. Type regsvr32 schmmgmt.dll



3. Click OK



4. Click Start > Run, type mmc, then click OK
5. On the MMC > Click File > then click Add/Remove Snap-in.
6. From the left side, under Available Snap-ins, click on Active Directory Schema, then click Add > and then click OK



7. Right click Active Directory Schema, and then click Change Active Directory Domain Controller.



8. On the Change Directory Server dialog, click the domain controller that you want to be the schema master role holder and then click OK. (In our case, the new Windows 2008 server.)


9. You will receive a warning message that the schema snap-in is not connected to a schema operations master. That's OK, as we have not yet set this Windows Server 2008 domain controller as the schema master role holder. Click OK.


 

10. In the new console tree, right click Active Directory Schema and then click Operations Master.



11. On the Change Schema Master dialog, you can see the current schema master role holder and the targeted schema holder as well. Click Change to change the schema master holder.



12. Click YES to transfer the role.



13. Click OK



14. As you can see below, the current schema master has changed.



  
B. Now let's transfer the Domain Naming Master role.

1. Click Start > Administrative Tools > then click Active Directory Domains and Trusts
2. Right click Active Directory Domains and Trusts, and then click Change Active Directory Domain Controller.



3. On the Change Directory Server dialog, click the domain controller that you want to be the Domain Naming master role holder and then click OK. (In our case, the new Windows 2008 server.)


4. Right click Active Directory Domains and Trusts, and then click Operations Master.



5. On the Operations Master page, we are going to change the Domain Naming role holder. Click Change.



6. Click YES to confirm the transfer of the Domain Naming role



7. The role will be transferred and a confirmation message will be displayed. Click OK





C. Now let's transfer the RID Master, PDC Emulator, and Infrastructure Master roles.

1. Click Start > Administrative Tools > then click Active Directory Users and Computers.
2. Right click Active Directory Users and Computers, then click All Tasks > Operations Master.



3. On Operations Masters, there are three tabs, representing three FSMO roles (RID, PDC, Infrastructure). Click the Change button under each of these three tabs to transfer the roles.



4. Click yes to confirm the role transfer.



5. The role will be transferred and a confirmation message will be displayed. Click OK


6. On the Infrastructure role, once you click the Change button you will receive the following message.
By default, when you install your first domain controller, it holds the five roles and, besides that, it is a global catalog. At any time, there can be only one domain controller acting as the infrastructure master in each domain. The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. The infrastructure master compares its data with that of a global catalog. Global catalogs receive regular updates for objects in all domains through replication, so the global catalog data will always be up to date. If the infrastructure master finds data that is out of date, it requests the updated data from a global catalog. The infrastructure master then replicates that updated data to the other domain controllers in the domain.

Important
  • Unless there are only one or two domain controllers in the domain, the infrastructure master role should not be assigned to the domain controller that is hosting the global catalog. If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function. The infrastructure master will never find data that is out of date, so it will never replicate any changes to the other domain controllers in the domain.
  • In the case where all of the domain controllers in a domain are also hosting the global catalog, all of the domain controllers will have the current data and it does not matter which domain controller holds the infrastructure master role.
Click Yes


That's it!!!!!
You have successfully transferred the five FSMO roles to the new Windows Server 2008 Domain Controller.
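
To confirm the result of sections A to C and the infrastructure master rule from the Important note, the check below is an added example and not part of the original post. It reads the role holders through the .NET System.DirectoryServices.ActiveDirectory classes; the function names and the example.local host names are assumptions made for illustration.

```powershell
# Added example. Host names in $sample are constructed placeholders.
function Get-FsmoState {
    # Live query through .NET; run on a domain-joined machine.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $dcs    = @($domain.DomainControllers)
    @{
        Roles = @{
            'Schema Master'         = $forest.SchemaRoleOwner.Name
            'Domain Naming Master'  = $forest.NamingRoleOwner.Name
            'PDC Emulator'          = $domain.PdcRoleOwner.Name
            'RID Master'            = $domain.RidRoleOwner.Name
            'Infrastructure Master' = $domain.InfrastructureRoleOwner.Name
        }
        DomainControllers = @($dcs | ForEach-Object { $_.Name })
        GlobalCatalogs    = @($dcs | Where-Object { $_.IsGlobalCatalog() } | ForEach-Object { $_.Name })
    }
}

function Test-FsmoState {
    param($State, [string]$ExpectedDc)
    $findings = @()
    foreach ($role in $State.Roles.Keys) {
        $holder = $State.Roles[$role]
        if ($holder -ne $ExpectedDc) { $findings += "$role is still held by $holder" }
    }
    # Rule from the Important note: with more than two DCs, the infrastructure
    # master should not sit on a global catalog unless every DC is one.
    $im     = $State.Roles['Infrastructure Master']
    $nonGc  = @($State.DomainControllers | Where-Object { $State.GlobalCatalogs -notcontains $_ })
    $imOnGc = $State.GlobalCatalogs -contains $im
    if ($imOnGc -and $State.DomainControllers.Count -gt 2 -and $nonGc.Count -gt 0) {
        $findings += "Infrastructure Master $im is a global catalog, but $($nonGc.Count) DC(s) are not"
    }
    $findings
}

# Constructed sample: PDC Emulator not yet moved, infrastructure master on the only GC.
$sample = @{
    Roles = @{
        'Schema Master'         = 'dc2008.example.local'
        'Domain Naming Master'  = 'dc2008.example.local'
        'PDC Emulator'          = 'dc2003.example.local'
        'RID Master'            = 'dc2008.example.local'
        'Infrastructure Master' = 'dc2008.example.local'
    }
    DomainControllers = @('dc2003.example.local', 'dc2008.example.local', 'dc03.example.local')
    GlobalCatalogs    = @('dc2008.example.local')
}
Test-FsmoState -State $sample -ExpectedDc 'dc2008.example.local'
```

On a live domain, pass `(Get-FsmoState)` as `-State` and the new server's FQDN as `-ExpectedDc`; an empty result means all five roles moved and the infrastructure master placement is acceptable.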

Thursday, 1 March 2012

Windows 8

On 29/02/2012, Microsoft Corp. announced the availability of the Windows 8 Consumer Preview, the next milestone of the Windows operating system. This latest preview will be made available for download.....



Errors 1030 and 1058 in my error logs....

You may experience one or more errors and events (errors 1030 and 1058 in the error logs) if Group Policy is applied to the computers on your network. To determine the cause of the issue, you must troubleshoot the configuration of the computers on your network. Follow these steps to troubleshoot the cause of the issue:

  1. Examine the DNS settings and network properties on the servers and client computers.
  2. Examine the Server Message Block signing settings on the client computers.
  3. Make sure that the TCP/IP NetBIOS Helper service, the Net Logon service, and the Remote Procedure Call (RPC) service are started on all computers.
  4. Make sure that Distributed File System (DFS) is enabled on all computers.
  5. Examine the contents and the permissions of the Sysvol folder.
  6. Make sure that the Bypass traverse checking right is granted to the required groups.
  7. Make sure that the domain controllers are not in a journal wrap state.
  8. Run the dfsutil /purgemupcache command. The Dfsutil.exe program is included in the Windows 2000 Server Support Tools and the Windows Server 2003 Support Tools.

Active Directory monitoring and health checkup.

I recommend running the following tests once a month on all domain controllers, and keeping the log files for trend analysis as well.
Dcdiag.exe /v >> c:\temp\pre_dcdiag.txt
This is a must and will always tell you if there is trouble with your DCs and/or the services associated with them.

Netdiag.exe /v >> c:\temp\pre_Netdiag.txt
This will let me know if there are issues with the networking components on the DC. This, along with the post test, is also a quick and easy way to ensure the patch I just installed is really installed (just check the top of the log).

Netsh dhcp show server >> c:\temp\pre_dhcp.txt
Some may not do this, but I've felt the pain of a DHCP server somehow not being authorized after a patch. This allows me to verify the server count and names.

Repadmin /showreps >> c:\temp\pre_rep_partners.txt
This shows all my replication and whether it was successful or not. Just be aware that Global Catalogs will have more info here than a normal domain controller.

repadmin /replsum /errorsonly >> c:\temp\pre_repadmin_err.txt
This is the one that always takes forever but will let you know who you are having issues replicating with.
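
To use the saved dcdiag logs for the trend analysis mentioned above, the following added example (not part of the original post) parses dcdiag result lines and lists the checks that fail in a later run, marking the ones that passed before. The function names and the post_dcdiag.txt file name are assumptions; the sample lines are constructed.

```powershell
# Added example. Sample lines are constructed in the layout dcdiag prints.
function Get-DcdiagResult {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Result lines look like: "......... DC2008 passed test Connectivity"
        if ($line -match '^\s*\.{3,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)') {
            New-Object PSObject -Property @{
                Check  = "$($Matches[1])/$($Matches[3])"
                Result = $Matches[2].ToLower()
            }
        }
    }
}

function Compare-DcdiagRun {
    # Lists every check that fails in the later run and whether it passed before.
    param([string[]]$Before, [string[]]$After)
    $old = @{}
    foreach ($r in @(Get-DcdiagResult $Before)) { $old[$r.Check] = $r.Result }
    foreach ($r in @(Get-DcdiagResult $After)) {
        if ($r.Result -eq 'failed') {
            New-Object PSObject -Property @{
                Check      = $r.Check
                Previously = $old[$r.Check]
                Regression = ($old[$r.Check] -eq 'passed')
            }
        }
    }
}

# Constructed sample runs: Replications regresses, SystemLog was already failing.
$pre = @(
    '         ......................... DC2008 passed test Connectivity',
    '         ......................... DC2008 passed test Replications',
    '         ......................... DC2008 failed test SystemLog'
)
$post = @(
    '         ......................... DC2008 passed test Connectivity',
    '         ......................... DC2008 failed test Replications',
    '         ......................... DC2008 failed test SystemLog'
)
Compare-DcdiagRun -Before $pre -After $post | Format-Table Check, Previously, Regression -AutoSize

# With saved logs (post_dcdiag.txt is an assumed name for the later run):
# Compare-DcdiagRun (Get-Content c:\temp\pre_dcdiag.txt) (Get-Content c:\temp\post_dcdiag.txt)
```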