Cmd commands relating to IP networks on Windows

PING: Tests the network connection with a remote IP address.

ping -t [IP or host]
ping -l 1024 [IP or host]

The -t option pings continuously until Ctrl-C. While a -t ping is running, you can display the statistics without stopping it by pressing Ctrl+Break. This command is also useful to generate network load: the -l option sets the packet size in bytes.

TRACERT: Displays all intermediate IP addresses through which a packet passes between the local machine and the specified IP address.

tracert [IP or host name]
tracert -d [IP or host name]

This command is useful when a ping gets no reply, to determine at which hop the connection fails.

IPCONFIG: Displays or refreshes the TCP/IP configuration.

ipconfig [/all] [/release [adapter]] [/renew [adapter]] [/flushdns] [/displaydns] [/registerdns]

Run without options, this command displays the current IP address, subnet mask and default gateway of the network interfaces known on the local machine.
/all: Displays the full network configuration, including DNS, WINS, DHCP lease, etc.
/renew [adapter]: Renews the DHCP configuration for all adapters, or only for the adapter named by the adapter parameter. The adapter name is the one shown by ipconfig run without parameters.
/release [adapter]: Sends a DHCPRELEASE message to the DHCP server to release the current DHCP configuration and discard the IP address configuration, for all adapters or only for the adapter named by the adapter parameter. This parameter disables TCP/IP on adapters configured to obtain an IP address automatically.
/flushdns: Empties and resets the DNS client resolver cache. This option is useful to discard negative cache entries and all other dynamically added entries.
/displaydns: Shows the DNS client resolver cache, which includes both entries preloaded from the local hosts file and all resource records recently obtained for name queries resolved by the computer. The DNS Client service uses this information to quickly resolve frequently queried names before querying its configured DNS servers.
/registerdns: Refreshes all DHCP leases and re-registers DNS names.

NETSTAT: Displays the state of TCP/IP on the local machine.

netstat [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

-a: Displays all connections and listening ports (listening server-side ports are normally not shown).
-e: Displays Ethernet statistics. Can be combined with the -s option.
-n: Displays addresses and port numbers in numerical form.
-p proto: Shows connections for the protocol specified by proto; proto may be TCP or UDP. Used with the -s option to display per-protocol statistics, proto may be TCP, UDP or IP.
-r: Displays the contents of the routing table.
-s: Displays statistics by protocol. By default, statistics for TCP, UDP and IP are displayed; the -p option can be used to select a subset of the default.
interval: Redisplays the selected statistics, pausing "interval" seconds between each display. Press Ctrl+C to stop displaying statistics.

netstat -abnov displays the processes that use the Internet connection (local IP address, port, remote IP address, and the PID of the process that owns the connection as well as its name).

ROUTE: Displays or modifies the routing table.

route [-f] [-p] [command [destination] [MASK netmask] [gateway] [METRIC metric]]

-f: Clears the routing table of all gateway entries. Used together with a command, the table is cleared before the command is executed.
-p: Makes the entry persistent, so that it survives a reboot of the machine.
command: One of four commands: DELETE (deletes a route), PRINT (prints a route), ADD (adds a route), CHANGE (modifies an existing route).
destination: Specifies the host.
MASK: If the MASK keyword is present, the next parameter is interpreted as the netmask parameter.
netmask: If provided, the subnet mask value to assign to this route entry. If not specified, it defaults to 255.255.255.255.
gateway: Specifies the gateway.
METRIC: Specifies the cost metric for the destination.

ARP: Resolves IP addresses into MAC addresses. Displays and modifies the IP-to-physical address translation tables used by the Address Resolution Protocol (ARP).

arp -s adr_inet adr_eth [adr_if]
arp -d adr_inet [adr_if]
arp -a [adr_inet] [-N adr_if]

-a: Displays the current ARP entries by querying the protocol data. If adr_inet is specified, only the IP and physical addresses of the specified computer are displayed. If more than one network interface uses ARP, the entries of each ARP table are displayed.
-g: Same as -a.
adr_inet: Specifies an Internet address.
-N adr_if: Displays the ARP entries for the network interface specified by adr_if.
-d: Deletes the host specified by adr_inet.
-s: Adds the host and associates the Internet address adr_inet with the physical address adr_eth. The physical address is given as 6 hexadecimal bytes separated by hyphens. The entry is permanent.
adr_eth: Specifies a physical address.
adr_if: If specified, the Internet address of the interface whose address translation table should be modified. If not specified, the first applicable interface is used.

NBTSTAT: Updates the Lmhosts cache file. Displays protocol statistics and current TCP/IP connections using NBT (NetBIOS over TCP/IP).

nbtstat [-a remote_name] [-A IP_address] [-c] [-n] [-r] [-R] [-s] [-S] [interval]

-a (adapter status): Lists the name table of the remote machine, given its name.
-A (adapter status): Lists the name table of the remote machine, given its IP address.
-c (cache): Lists the remote name cache, including the IP addresses.
-n (names): Lists local NetBIOS names.
-r (resolved): Lists names resolved by broadcast and via WINS.
-R (reload): Purges and reloads the remote name table cache.
-S (sessions): Lists the sessions table with the destination IP addresses.
-s (sessions): Lists the sessions table, converting destination IP addresses to host names via the hosts file.

An example: nbtstat -A [IP address]
This command returns the NetBIOS name, system name, connected users, etc. of the remote machine.

TELNET: Terminal access to a remote host.

telnet [IP or host] [port]

The telnet command gives access in terminal mode (passive screen) to a remote host. It can also be used to check whether a given TCP service is running on a remote server, by specifying the IP address and the TCP port number. For example, you can test whether the SMTP service runs on a Microsoft Exchange server by using the IP address of the SMTP connector and 25 as the port number. The most common ports are: ftp (21), telnet (23), smtp (25), www (80), kerberos (88), pop3 (110), nntp (119) and nbt (137-139).

HOSTNAME: Displays the name of the machine.

FTP: File transfer client.

ftp -s:file

The -s option runs FTP in batch mode: it specifies a text file containing the FTP commands to execute.

NSLOOKUP: Sends DNS queries to a DNS server of your choice.

nslookup [domain] [dns server]

The nslookup command sends requests to a DNS server. By default, if you do not specify the DNS server, the command uses the one configured for your network interface (the one you use to browse the Internet, for example), but you can force the use of another server. For example, to ask the DNS server 10.0.0.3 for the IP address corresponding to www.commentcamarche.net:

nslookup www.commentcamarche.net 10.0.0.3

If you do not give nslookup any parameters, it opens an interactive shell awaiting your requests.

NETSH: Configures the network in Windows.
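The netstat -abnov / -ano output described above is what a defender usually collects from a host to check which process owns each listening port. The following is an added example, not part of the original post: a small parser for that output (the sample text, the PIDs and the approved-port baseline are constructed here, not captured from a real machine) that reports listeners outside the baseline.

```python
from collections import namedtuple

# Constructed sample of `netstat -ano` output on Windows (not from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING       5120
  TCP    10.0.0.15:49733        10.0.0.3:53            TIME_WAIT       0
  TCP    10.0.0.15:49801        203.0.113.9:443        ESTABLISHED     3312
  TCP    [::]:135               [::]:0                 LISTENING       880
  UDP    0.0.0.0:137            *:*                                    4
  UDP    10.0.0.15:53           *:*                                    2100
"""

Conn = namedtuple("Conn", "proto local_addr local_port remote_addr remote_port state pid")


def _split_endpoint(endpoint):
    """Split 'addr:port' into (addr, port); handles IPv4, bracketed IPv6 and the UDP '*:*'."""
    host, _, port = endpoint.rpartition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host, (int(port) if port.isdigit() else None)


def parse_netstat_ano(text):
    """Parse the rows of `netstat -ano` (or the connection rows of `netstat -abnov`)."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line or a `-b` component line such as [svchost.exe]
        proto = parts[0]
        laddr, lport = _split_endpoint(parts[1])
        raddr, rport = _split_endpoint(parts[2])
        if proto == "TCP":
            if len(parts) < 5:
                continue
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])  # UDP rows carry no State column
        conns.append(Conn(proto, laddr, lport, raddr, rport, state, pid))
    return conns


def listening_ports(conns):
    """Map (proto, local port) -> set of owning PIDs: TCP LISTENING rows and every UDP socket."""
    result = {}
    for c in conns:
        if c.proto == "TCP" and c.state != "LISTENING":
            continue
        result.setdefault((c.proto, c.local_port), set()).add(c.pid)
    return result


def unexpected_listeners(conns, baseline):
    """Listeners whose (proto, port) is not in the approved baseline, sorted for stable reports."""
    return sorted(key for key in listening_ports(conns) if key not in baseline)


# Constructed baseline of ports this (fictional) host is expected to listen on.
BASELINE = {("TCP", 135), ("TCP", 445), ("TCP", 3389), ("UDP", 137)}

if __name__ == "__main__":
    conns = parse_netstat_ano(SAMPLE_NETSTAT)
    owners = listening_ports(conns)
    for proto, port in unexpected_listeners(conns, BASELINE):
        print(f"unexpected {proto} listener on port {port}, PID(s) {sorted(owners[(proto, port)])}")
```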

URL mapping for an Existing SharePoint Website via AAM

Target

Create the root site collection on a Web application with the URL
http://intranet.companyname.com instead of the original:

format

1. Confirm that http://:81 has been created successfully and that the root site collection is accessible.

2. In Central Administration, switch to Application Management page, select Create or extend Web applications, and then Extend an existing Web application.

3. In the next page, fill in the following key fields:
   Web Application: http://:81/
   Create a new web site
   Port: 80
   Host Header: intranet.companyname.com
   Load Balance URL: intranet.companyname.com:80
   Zone: Intranet
   Click OK to finish the configuration. You can confirm that the extended Web application was added correctly on the Alternate Access Mappings page under Operations in the Central Administration site.

4. On the DNS server of your Active Directory domain, add the following DNS entry in the Forward Lookup Zone called "companyname.com":
   New Alias (CNAME)
   Alias Name: intranet
   FQDN for target host: .companyname.com

5. Empty the DNS cache on a test client (ipconfig /flushdns) and try to access the site via http://intranet.companyname.com

———————————————————————–

Apply host headers

You can apply host headers at two different levels:
  • The Web application (IIS Web site) level
  • The site collection level

In most cases, applying a host header at the Web application level makes it impossible to access host-named site collections. This is because IIS will not respond to requests with host names that differ from the setting in IIS. However, you can access host-named site collections if you configure the IIS Web site of the Default zone without a host header, and only apply host headers to the IIS Web sites in the other zones. This allows you to use the Default zone with host-named site collections, which are considered to be in the Default zone, while allowing you to use alternate access mapping functionality in the other zones for path-based site collections.

To apply host headers at the Web application (IIS Web site) level:

1. Click Start, point to All Programs, then point to Microsoft Office Server, and then click SharePoint 3.0 Central Administration.

2. On the Central Administration home page, click Application Management.

3. On the Application Management page, in the SharePoint Web Application Management section, click Create or extend Web application.

4. On the Create or Extend Web Application page, in the Adding a SharePoint Web Application section, click Create a new Web application.

5. On the Create New Web Application page, in the IIS Web Site section, configure the host headers for your new Web application by typing the URL you want to use to access the Web application in the Host Header box.

The host header value specifies the binding to create for the IIS Web site and ensures that IIS only responds to requests sent to the specified host header. You can manually modify IIS bindings from the IIS Manager, but this is not recommended. Any changes you make using the IIS Manager will not affect Office SharePoint Server 2007. If Office SharePoint Server 2007 tries to provision an IIS Web site on another computer in the farm for the same Web application and zone, the binding specified on the Create New Web Application page is used. If you want to modify an existing binding for an IIS Web site, remove the Web application from the zone and then re-extend the Web application into the zone with the binding you want to use.

Configure a host-named site collection

Office SharePoint Server 2007 ships with a set of Web services for various user and administrative tasks. One of these administrative tasks is creating a new site. The CreateSite Web method does not support the creation of host-named site collections. A workaround for this issue is to write a Web service that wraps the API sample code. There are several additional configuration options to consider when provisioning a new Office SharePoint Server 2007 site. Specifying the appropriate site template during site creation will determine which preconfigured Web Parts and other user interface elements are available on the new site. In a hosting scenario, you will probably want to select either a team site template (value of "STS#0" when creating the site) or a blank site with no Web Parts or prebuilt lists (value of "STS#1"). In a hosting environment, consider specifying site quotas on each newly provisioned Office SharePoint Server 2007 Web site. Although support for site quota templates is not included in the sample Web services, you can add site quotas and use them to create a site quota template based on predetermined limits.

Create a host-named site collection using SQL authentication

Working with the SQL membership provider in a hosting scenario requires some additional steps to properly configure and manage a host-named site collection. When you create any site, you need to specify a user who will be the site owner. This implies that the owner already exists as a user in your membership directory.
To simplify this and other SQL membership provider tasks, use the MembershipSiteAdmin.exe tool.
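The host-header discussion above says IIS only answers requests whose Host matches the binding, which is why a host header on the Default zone's IIS site blocks host-named site collections. The following added Python model (not SharePoint or IIS code; the farm bindings and host names are constructed) shows the two configurations side by side: Default zone without a host header versus a host header on every zone.

```python
from collections import namedtuple

# One IIS site binding per zone. host_header=None means "no host header" (catch-all on that port).
Binding = namedtuple("Binding", "zone ip port host_header")


def select_site(bindings, ip, port, host):
    """Model of IIS site selection: exact host-header match first, then a binding without
    a host header on the same IP/port. Returns None when no IIS site answers the request."""
    candidates = [b for b in bindings if b.port == port and b.ip in (ip, "*")]
    for b in candidates:
        if b.host_header and b.host_header.lower() == host.lower():
            return b
    for b in candidates:
        if b.host_header is None:
            return b
    return None


def zone_for(bindings, host, port=80):
    """Zone that would serve a request for `host`, or None if IIS drops it."""
    b = select_site(bindings, "*", port, host)
    return b.zone if b else None


# Constructed farm following the recommendation: Default zone has no host header,
# only the Intranet zone (extended via AAM) is bound to a host header.
RECOMMENDED = [
    Binding("Default", "*", 80, None),
    Binding("Intranet", "*", 80, "intranet.companyname.com"),
]

# Same farm, but the Default zone's IIS site was also given a host header.
HOST_HEADER_EVERYWHERE = [
    Binding("Default", "*", 80, "portal.companyname.com"),
    Binding("Intranet", "*", 80, "intranet.companyname.com"),
]

if __name__ == "__main__":
    # teamsite.companyname.com stands for a host-named site collection (constructed name).
    for name, farm in (("recommended", RECOMMENDED), ("host header everywhere", HOST_HEADER_EVERYWHERE)):
        print(name, "->", zone_for(farm, "teamsite.companyname.com"))
```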

see:
http://technet.microsoft.com/en-us/library/cc424952.aspx
http://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=39
http://www.tech-faq.com/understanding-host-name-resolution.shtml
http://www.infopathdev.com/blogs/janice/archive/2009/02/16/sharepoint-host-headers.aspx
http://vspug.com/spfromscratch/2008/02/28/alternate-access-mappings-in-server-farm/
http://blogs.developpeur.org/themit/archive/2006/11/28/sharepoint-2007-host-header-mode.aspx
http://technet.microsoft.com/en-us/library/cc262778.aspx
http://blogs.technet.com/josebda/archive/2006/11/07/installing-rtm.aspx
http://www.sharepointdiy.com/tutorials/ie-7-login-prompt-after-installing-moss
http://blogs.msdn.com/sharepoint/archive/2007/03/19/what-every-sharepoint-administrator-needs-to-know-about-alternate-access-mappings-part-2-of-3.aspx
http://blogs.msdn.com/sharepoint/archive/2007/03/06/what-every-sharepoint-administrator-needs-to-know-about-alternate-access-mappings-part-1.aspx
http://books.google.ch/books?id=UnwBAmgvQ3oC&pg=PA343&lpg=PA343&dq=dns+host+a+sharepoint&source=bl&ots=5wTs_k6fkW&sig=fe6tA8XeagbMF1TCtyK2NMBS_1Y&hl=fr&ei=DxBDS6iYBMGksAaotsGgAQ&sa=X&oi=book_result&ct=result&resnum=8&ved=0CDAQ6AEwBzgU#v=onepage&q=dns%20host%20a%20sharepoint&f=false
http://dhruvshahsp.blogspot.com/2009/03/host-headers.html
https://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.sharepoint.portalserver&tid=0f001896-1815-421f-8453-caca6abc6579&mid=11ef1ef0-1148-4ec1-bcb5-0b71c00bbdde&cat=&lang=&cr=&sloc=&p=2
http://support.citrix.com/proddocs/index.jsp?topic=/access-gateway-91/agee-client-connect-cvpn-sharepoint-dns-resolution-tsk.html
http://technet.microsoft.com/en-us/library/bb727005.aspx
http://www.c-sharpcorner.com/UploadFile/rifaqats/AlternateAccessMappings05052009050512AM/AlternateAccessMappings.aspx
http://www.eggheadcafe.com/software/aspnet/30213632/change-web-site-url-name.aspx
http://certcities.com/editorial/columns/story.asp?EditorialsID=370
http://vspug.com/andynoon/2007/07/04/defining-multiple-authentication-providers-to-a-single-moss-2007-web-application/


Microsoft Office SharePoint Server 2007 Security Model

Accessibility

MOSS web applications utilize IIS web sites and application pools. As is the case with any web site, a unique combination of IP address, port number, and host header on each web site is required in order for the web site to run properly. Additionally, the web site must maintain a unique identity with respect to other nodes on the network in order for users on the network to be able to access the web application. Network configurations and services that exist between the users and the MOSS server, including DNS, WINS, firewalls, routers, switch ports and virtual LANs, must also be configured in such a manner as to permit the user to access the IIS web site. In an extranet configuration, an externally facing host name or IP address must be published so that users can access the web application. The hardware configuration of the MOSS server, the network configuration of the MOSS network, and the IIS configuration of the web sites for the MOSS web applications together provide user accessibility to the web application.

Authentication

In order for people to use a MOSS web application, the web application must validate the person's identity. This process is known as authentication. MOSS is not a directory service, and the actual authentication process is handled by IIS, not MOSS. However, MOSS is responsible for authorization to MOSS sites and content after a user successfully authenticates. Authentication happens like this: a user points their browser at a MOSS site and IIS performs the user validation using the authentication method that is configured for the environment. If the user authentication is successful, MOSS renders the web pages based on the access level of the user. If authentication fails, the user is denied access to the MOSS site. Authentication methods determine which type of identity directory can be used and how users are authenticated by IIS. MOSS supports three methods of authentication: Windows, ASP.NET Forms, and Web Single Sign-On.

Windows Authentication is the most common authentication type used in MOSS intranet deployments because it uses Active Directory to validate users. When Windows Authentication is configured, IIS uses the Windows authentication protocol that is configured in IIS. NTLM, Kerberos, certificates, basic, and digest protocols are supported. When Windows authentication is configured, the security policies which are applied to the user accounts are configured within Active Directory. For example, account expiration policies, password complexity policies, and password history policies are all defined in Active Directory and not in MOSS. When a user attempts to authenticate to a MOSS web application using Windows authentication, IIS validates the user against NTFS and Active Directory, and once the validation occurs the user is authenticated and the access levels of that user are then applied by MOSS.

Figure 2 below, taken from Microsoft TechNet, illustrates the MOSS authentication process.

Anonymous access is considered to be a Windows authentication method because it associates unknown users with an anonymous user account (IUSR_MACHINENAME). Anonymous access is commonly used on Internet web sites and in situations where web site users will not have their own user accounts. Since exposing content to unknown users is risky, this configuration is disabled by default. In order to configure anonymous access to a MOSS web application, anonymous access must be enabled in IIS, enabled in the MOSS web application, and the anonymous user account must be provisioned throughout the MOSS web application. Even when anonymous access is configured, there are still several limitations compared to a Windows user. By default, anonymous users are only allowed to read; they are unable to edit, update, or delete content. Additionally, anonymous users are not able to use personalization features such as Microsoft Office integration, check-in/check-out and e-mail alerts.

The ASP.NET Forms authentication method is commonly used in situations where a custom authentication provider is required, in other words where a custom LDAP, SQL Server, or other type of identity repository will be storing user account information. This is common in extranet environments, such as partner collaboration sites, where it is not practical to create Active Directory user accounts for users or a different type of directory is required.

The Web Single Sign-On authentication method is used in environments that have federated identity systems or single sign-on systems configured. In this type of environment, an independent identity management system integrates user identities across heterogeneous directories and provides the user validation for IIS. Some examples of identity management systems with single sign-on capability include Microsoft Identity Information Server with Active Directory Federation Services, Oracle Identity Management with Single Sign-On and Web Access Control, Sun Microsystems Java System Identity Manager, and Netegrity SiteMinder. Large enterprises often implement federated identity models to ease the administration of user provisioning and de-provisioning for systems that span across companies. Single Sign-On systems are used to consolidate user accounts across heterogeneous systems, allowing the end user to authenticate to systems with one set of credentials rather than a different set of credentials for each system.

In MOSS, it is possible to configure web applications to use a combination of authentication methods. This provides a great deal of flexibility because it makes it possible to serve a web application to different user bases which have different identity requirements. For example, an organization may have a Project Collaboration web site that is used by employees and partners. For security and compliance reasons, it is necessary to store employee user accounts in Active Directory and partner user accounts in a SQL Server database. In this case, MOSS can be configured to use Windows authentication and ASP.NET Forms authentication. This is achieved by defining various zones and associating authentication methods with the zones. In the example above, an intranet zone would be configured with Windows authentication and an extranet zone would be configured with ASP.NET Forms authentication.

Access

As explained in previous sections, the composition of a MOSS web application includes sites, content pages, and web parts. MOSS has several management controls in place for provisioning access to and within a web application. Users, groups, permissions, and permission levels are used to configure access within a MOSS web application. MOSS provides management and configuration functionality for these objects. In MOSS, users are added from the directory service, such as Active Directory. Once users are added to a site collection, they are added to groups and assigned permissions on sites, lists, and items. MOSS supports the creation of SharePoint groups, for which the memberships are maintained within MOSS. Additionally, Active Directory security groups may also be used directly in MOSS; Active Directory group memberships are managed in Active Directory. Users and groups gain or are restricted access to sites and Web Parts based upon the permission levels set for the users and groups.

Permissions are individual rights that may be exercised by a user in a site, list, or item, and so these types of permissions are referred to as Site Permissions, List Permissions, and Item Permissions, respectively. There are over thirty permissions in MOSS. Permissions are applied to users and groups using permission levels. Permission levels allow roles to be defined, consisting of unique combinations of individual permissions. MOSS provides some default permission levels such as "Contribute" and "Full Control," but in addition to using the default permission levels, custom permission levels can be created in cases where a more appropriate name is required or a unique combination of permissions is more appropriate than what is available by default. Existing permission levels may be copied and used as a starting point when creating custom permission levels.

Permissions are assigned to users and groups in a similar fashion as in the Windows operating system. Much like the access control lists that allow assigning permissions to users and groups on Windows folders, MOSS provides similar access control lists on sites, lists, and items. The relationship between sites, lists, and items is hierarchical in nature, and the default behavior within MOSS web applications is that permissions are inherited by child objects from their parent objects. In cases where business requirements are such that a child object is required to have different permissions than the parent object, the permission inheritance chain may be broken manually using the access control list of the child object, and the child object may be configured with permissions different from its parent. When this type of modification is made, all child objects of the modified object inherit the new settings.

To provide an example of this, imagine a MOSS site that contains a document library, which contains a set of documents. By default, the document library will inherit permissions from its parent site and each document contained within the document library will inherit permissions from the document library. Say, for instance, that there is a requirement that the document library has different permissions than the site; perhaps a group of users should be able to read the contents of the site, but not be able to view the contents of the document library. The permissions for the document library may be configured accordingly. Doing so will achieve the desired result and not affect the permissions of the parent site. Additionally, individual document (item) permissions may be configured so that they differ from the modified document library. Keep in mind that since the relationship between the objects is hierarchical, users must at least have read access to the parent in order to gain access to the child object.

Figure 3

The access control lists for sites, lists, and items are very similar. However, lists provide one additional configuration menu called Advanced Settings, which allows an added layer of security to be set on the child items. Within Advanced Settings, it may be specified that users can view all items or view only their own items. There is also a setting for specifying that users can edit all items, their own items, or no items in the list.

Figure 4

Additionally, document libraries can contain folders, and it is possible to set permissions on these folders.

Figure 5

Audiences

Not all MOSS Web Parts have access control lists: only those Web Parts which contain items such as lists and document libraries do. However, all Web Parts support audiences. Audiences are used to target content to users. SharePoint groups, AD groups, AD users, and global audiences may be used to define the audience of a particular Web Part. Audiences allow the restriction and filtering of certain content that exists on a content page to users who otherwise have some level of access to the page. For example, an organization may have a MOSS portal that serves employees, contractors, and partners. Perhaps there is an employee announcement Web Part on the home page. It may not be appropriate for contractors and partners to view the employee announcements. It is possible to target the employee announcements Web Part to a specific audience, in this case a security group called Employees.
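Returning to the site / document library / document example from the permission-inheritance discussion above: the following is an added Python model, not SharePoint's object model or any Microsoft code. It assumes the page's rules only (children inherit by default, breaking inheritance starts from a copy of the parent's ACL, and reaching a child requires at least Read on every ancestor); the object and group names are constructed.

```python
class Securable:
    """A site, list/library or item that either inherits its ACL or holds its own copy."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.inherits = parent is not None   # child objects inherit from the parent by default
        self._acl = {}                       # principal -> set of permission levels (own ACL only)

    def effective_acl(self):
        # Walk up to the nearest object that holds its own ACL.
        return self.parent.effective_acl() if self.inherits else self._acl

    def break_inheritance(self):
        """Stop inheriting; the object starts from a copy of the parent's effective ACL."""
        if self.inherits:
            self._acl = {p: set(levels) for p, levels in self.effective_acl().items()}
            self.inherits = False

    def grant(self, principal, level):
        self.break_inheritance()
        self._acl.setdefault(principal, set()).add(level)

    def revoke(self, principal):
        self.break_inheritance()
        self._acl.pop(principal, None)

    def has_level(self, principal, level):
        return level in self.effective_acl().get(principal, set())

    def can_access(self, principal, level="Read"):
        """Effective access: the requested level here, plus at least Read on every ancestor."""
        if not self.has_level(principal, level):
            return False
        return self.parent is None or self.parent.can_access(principal, "Read")


def build_example():
    """Constructed hierarchy: site -> document library -> document, inheritance intact."""
    site = Securable("Project site")
    site.grant("Employees", "Read")
    site.grant("Editors", "Read")
    site.grant("Editors", "Contribute")
    library = Securable("Contracts", parent=site)
    document = Securable("NDA.docx", parent=library)
    return site, library, document


def scenario():
    """Walk through the page's example and return the four access decisions."""
    site, library, document = build_example()
    inherited = document.can_access("Employees")          # Read flows site -> library -> document
    library.revoke("Employees")                           # library gets its own ACL without Employees
    after_revoke = document.can_access("Employees")       # document inherits the library's new ACL
    document.grant("Employees", "Read")                   # explicit Read on the item alone...
    after_item_grant = document.can_access("Employees")   # ...is not enough without Read on the library
    site_unchanged = site.can_access("Employees")         # the parent site was never affected
    return inherited, after_revoke, after_item_grant, site_unchanged


if __name__ == "__main__":
    print(scenario())
```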
Figure 6

Search

In MOSS, users are able to search for content across many different content sources such as MOSS portals, web sites, network file shares, structured data stored in line-of-business systems, and people profiles stored within Active Directory and other custom data sources. The MOSS security model is fully integrated with the search feature, and therefore all of the content access concepts that apply to sites, web parts, and items also apply to search results. For example, if a user does not have read access to a particular document library and performs a search, that user's search results will not include any links to the document library or to any documents contained within it. Likewise, if a user only has read access to a particular document and opens a link to that document from a search results page, that user will be unable to edit the document. There are several management controls available with MOSS that allow custom tailoring of how content is crawled, what content can be searched, and how the search results appear to the end users performing the search. Using these controls, MOSS search can be configured to meet unique security and compliance requirements for searching content.

Administration

In MOSS, there are two types of administrators, which allows the responsibilities associated with server component configuration to be separated from those associated with content management and content access management. Central Administrators are used to configure SharePoint components on a server. By default these administrators do not have access to modify content contained within site collections. Central Administrators are able to grant themselves access to content contained within site collections, and events related to this are tracked in the event log for auditing purposes. Site Collection Administrators are assigned at the site collection level and have full control over content contained in that site collection. Site Collection Administrators are able to perform all the necessary tasks involved with administering content, including the ability to restore content that has been deleted from the Recycle Bin and to override the check-out of documents. Site Collection Administrators are configured in a separate menu from where other types of users are provisioned, and it is impossible for other types of users to revoke permissions from Site Collection Administrators.

Hardware, Software, and Network

Beyond the context of the MOSS application itself, there are several security-related topics that have to do with the way MOSS is installed and configured in a network environment. It is important to understand the server and network topology of a MOSS deployment because many of the security considerations exist at this level. The major software components included in a MOSS installation are the Windows operating system, IIS, the .NET Framework, SQL Server, and MOSS. As an ASP.NET application, the principles of .NET code access security apply to MOSS installations. Configuration files on MOSS servers such as machine.config and web.config are used to prevent or allow code from being run on MOSS systems. MOSS is designed to be scalable so that it can be configured to serve small workgroups, large enterprises, or public Internet sites. The MOSS application is divided into several different services that can run on one server in a single-server deployment or be divided across multiple servers in a server farm deployment. Servers in a server farm can have various roles, meaning that they have certain services running on them. For example, a two-server farm may include a database server that runs only the database components and a web server that runs the web applications and application services.

MOSS servers are required to communicate with each other and with end users, and this communication occurs on channels. It is certainly possible to secure these channels, and MOSS does support doing so. For example, it is possible to use SSL to secure a channel between a web server and a client machine, or IPSec to secure a channel between two servers. On the network, there are several other areas that relate to the security of MOSS. Servers exist as nodes on a TCP/IP network, and networks can run a wide variety of hardware including switches, routers, firewalls, and load balancers. The network security of a MOSS server farm depends upon the configuration of these network devices. For example, a network may be configured with multiple network segments, DMZs, or VLANs. MOSS servers can be configured to operate in unique TCP/IP network environments.

Source: http://sharepointmagazine.net/technical/administration/microsoft-office-sharepoint-server-2007-security-model

Microsoft – enable full network map

To enable this functionality locally on a machine:

start the Group Policy Editor (gpedit.msc) as Administrator

navigate to Local Computer Policy, Computer Configuration, Administrative Templates, Network, Link-Layer Topology Discovery

double-click "Turn on Mapper I/O (LLTDIO) driver", set it to Enabled, and select the check boxes "Allow operation while in domain" and "Prohibit operation while in public network".

Posted in Microsoft - Server Roles

Active Directory Certificate Services and Rights Management

 
ADCS (Active Directory Certificate Services)

When you install Active Directory Certificate Services, you create an additional name for the Certification Authority. The name cannot be changed after the installation (here: LORPKI).

Add Role – Active Directory Certificate Services
 
Four types of role services:

  • Certification Authority: the most important role service and the basis of certificate services; it is responsible for issuing and managing certificates
  • Certification Authority Web Enrollment: when installed, certificates can be requested via the web address http://<server>/certsrv
  • Online Responder
  • Network Device Enrollment Service

ADCS can be installed in "Standalone" or "Enterprise" mode.

If Enterprise is selected, Certificate Services are integrated into Active Directory.

Select this option if the CA is a member of a domain and can use Directory Services to issue and manage certificates.

To create certificates correctly for the server without issues, the server needs to be a member of the Cert Publishers group. This group is located in the Builtin OU. (added automatically)
 
 
Certificate templates are managed with the Certificate Templates snap-in. It starts when you choose Certificate Templates from the context menu in the Certification Authority admin console.
  
 
Each Certification Authority has its own security administration, which is accessed from the context menu under Properties on the Security tab. Certificates are created from the certificate templates of Certificate Services; the data and the name of the applicant are read automatically from Active Directory.
  
Standalone CA
Select this option if this CA does not use Directory Service data to issue or manage certificates. A standalone CA can be a member of a domain.

It is used to issue S/MIME or SSL certificates if no directory assistance is needed. It runs completely independently of Active Directory.
 
Configuring the Online Certificate Status Protocol

If a Certificate Authority (CA) is used in the company, it is worth configuring the Online Certificate Status Protocol (OCSP). Detailed information about the current revocation status of a certificate is then available to the client.

Online Responder management can be started from the Administrative Tools program group.
 
When you install the Online Responder role service, you should manage the OCSP Response Signing template in the Certificate Templates console.
 
 
The next step is the configuration of the Certification Authority.

Open the Certification Authority snap-in and open the Properties of the Certification Authority in the console.
Select the Extensions tab.
In the Select extension field, choose Authority Information Access (AIA).
Click Add.
Enter the address of the OCSP server; the default is http://lorSrv001/ocsp

Confirm the Add Location dialog box with OK.
 
 

Creating a revocation configuration in the administrative console of the Online Responder

Open the Online Responder snap-in (Start / Run / ocsp.msc).
In the console tree, click Revocation Configuration.
In the Actions pane, click Add Revocation Configuration and enter the necessary data. In the third window, click Select a certificate for an existing enterprise CA.

Managing security for certification authorities

On the Certificate Managers tab, control the rights of groups (rights should not be assigned to individual users).
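Whether the AIA entry configured on the Extensions tab actually reaches clients can only be seen in the certificates the CA issues afterwards. The PowerShell below is an added example, not code from the original post: it lists the OCSP and CA-issuer URLs found in the Authority Information Access extension of the certificates in a local store, and offers a check that the revocation URLs of one certificate can be fetched. The OIDs are the standard RFC 5280 values; the certutil output strings matched at the end are a heuristic (an assumption about certutil's wording), so treat that function as a first-pass check.

```powershell
# Added example (not from the original post): inspect AIA URLs in issued certificates and
# verify that a certificate's revocation information is reachable.
$OidAia       = '1.3.6.1.5.5.7.1.1'    # Authority Information Access extension
$OidOcsp      = '1.3.6.1.5.5.7.48.1'   # access method: OCSP
$OidCaIssuers = '1.3.6.1.5.5.7.48.2'   # access method: CA issuers

function Get-AiaUrls {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq $OidAia }
        if ($null -eq $aia) { continue }

        # Format($true) renders the extension as text: one "Access Method=... (oid)" block per
        # entry, each followed by its URL. Pick the (oid, url) pairs out with a regex.
        $text    = $aia.Format($true)
        $pattern = 'Access Method=[^\r\n]*?\((?<oid>[\d.]+)\)[\s\S]*?URL=(?<url>\S+)'
        $ocsp = @(); $issuers = @()
        foreach ($m in [regex]::Matches($text, $pattern)) {
            switch ($m.Groups['oid'].Value) {
                $OidOcsp      { $ocsp    += $m.Groups['url'].Value }
                $OidCaIssuers { $issuers += $m.Groups['url'].Value }
            }
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            OcspUrls   = $ocsp -join ' '
            CaIssuers  = $issuers -join ' '
        }
    }
}

function Test-CertificateRevocationPath {
    # Export one certificate and let certutil fetch its AIA/CRL/OCSP URLs. A URL that cannot be
    # retrieved means clients either fall back to CRLs or fail the revocation check outright.
    param([Parameter(Mandatory=$true)][string]$Thumbprint,
          [string]$StorePath = 'Cert:\LocalMachine\My')
    $cert = Get-ChildItem -Path "$StorePath\$Thumbprint"
    $tmp  = Join-Path $env:TEMP "$Thumbprint.cer"
    [IO.File]::WriteAllBytes($tmp, $cert.Export('Cert'))
    $out = certutil -verify -urlfetch $tmp
    Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    # Heuristic (assumption): certutil reports unreachable URLs with these phrases.
    return -not ($out -match 'Error retrieving URL|Failed "')
}

Get-AiaUrls | Format-Table -AutoSize
```

Run `Get-AiaUrls` against the CA's own store after the first certificate has been issued with the new extension; an empty OcspUrls column on a freshly issued certificate means the extension was added but not flagged for inclusion, and certificates issued before the change will never carry it.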

Installing the Enterprise Root CA

Posted in Microsoft - Admin Directory

Installing Active Directory & Hyper-V (dev machine)

Installing Hyper-V
 
Hyper-V architecture
 
 
 
 
All communication from the child partitions to the hardware passes over a high-speed virtual communication bus (VMBus).

Hyper-V does not support access to USB ports or direct access to the hardware.


Preparing the installation

The hardware DEP (Data Execution Prevention) option must be enabled. On Intel processors this option is called XD (Execute Disable).

With Windows Server 2008 R2, the TCP/IP settings as well as the domain membership settings are generated automatically.

The following parameters must be determined:

Computer name: each computer must have a unique DNS name and a unique NetBIOS name. NetBIOS names are limited to 15 uppercase characters. TCP/IP host names can use up to 63 characters from a-z, A-Z, the digits 0-9 and the hyphen - (do not use the underscore _) when installing the server.
 
Windows Server 2008 (non-R2) must receive a mandatory update:

Add the Hyper-V role
If your version is a Windows Server 2008 V0 Candidate version, add the Hyper-V add-in

Release for x64
Do not add virtual machines yet!
 
Step 2 – Install Active Directory

Step 2.1 Install DNS

Deploy the DNS role:

1) Assign TCP/IP
IP: 172.24.65.201
Subnet Mask: 255.255.255.0
Default gateway: 172.24.65.1
Preferred DNS server 172.24.65.201
 
Change the computer name
Computer – Properties
Primary DNS suffix: lorsinclair.com
NetBIOS name: LORSRV001
 
Enable the DNS Server role in Windows Server 2008
 
 
 
Forward Lookup Zones
Create a new zone – Primary zone – zone name "lorsinclair.com" – Next – file name "lorsinclair.com.dns" – Next – "Allow both nonsecure and secure dynamic updates" – Finish

Reverse Lookup Zones

Add a new zone – Next – Primary zone – IPv4 Reverse Lookup Zone – Next – option: Network ID "172.24.65" –> reverse lookup zone name: 65.24.172.in-addr.arpa – Next – "Allow both nonsecure and secure dynamic updates" – Create a new file with this file name.
 
Test:

nslookup
Result: Default Server: lorsrv001.lorsinclair.com
Address: 172.24.65.201

If it does not work, register the server's DNS records:
command: ipconfig /registerdns
 
The Internet connection should work.

Continue only when everything works.
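The same zone setup can be scripted with dnscmd.exe, which ships with the DNS Server role on Windows Server 2008 and 2008 R2. The block below is an added example and not part of the original post; the zone names, server address and host name are the lab values used above. It keeps the post's choice of allowing nonsecure dynamic updates (needed here because the zone is not yet AD-integrated), and the parameter makes it easy to switch to secure-only updates after step 2.2.2, since nonsecure updates let any host on the segment overwrite records such as the domain controller's own A record.

```powershell
# Added example (not from the original post): DNS zones for the lab via dnscmd.exe plus a
# resolution test, matching the wizard steps above.
$ForwardZone = 'lorsinclair.com'
$ReverseZone = '65.24.172.in-addr.arpa'   # what the wizard derives from network ID 172.24.65
$DnsServer   = '172.24.65.201'
$HostFqdn    = "lorsrv001.$ForwardZone"

function New-LabDnsZones {
    param([int]$AllowUpdate = 1)   # 1 = nonsecure and secure (the post's choice); 2 = secure only
    # Standard file-backed primary zones, as the wizard creates them before AD integration.
    dnscmd /ZoneAdd $ForwardZone /Primary /file "$ForwardZone.dns"
    dnscmd /ZoneAdd $ReverseZone /Primary /file "$ReverseZone.dns"
    # Dynamic update policy. Switch to 2 once the zone is stored in Active Directory (step 2.2.2).
    dnscmd /Config $ForwardZone /AllowUpdate $AllowUpdate
    dnscmd /Config $ReverseZone /AllowUpdate $AllowUpdate
}

function Test-LabDns {
    # Register this server's own A and PTR records, then resolve forward and reverse through
    # the configured resolver (which step 1 pointed at 172.24.65.201).
    ipconfig /registerdns | Out-Null
    $forwardOk = $false; $reverseOk = $false
    try {
        $addrs = [Net.Dns]::GetHostAddresses($HostFqdn) | ForEach-Object { $_.IPAddressToString }
        $forwardOk = ($addrs -contains $DnsServer)
    } catch { }
    try {
        $reverseOk = (([Net.Dns]::GetHostEntry($DnsServer)).HostName -ieq $HostFqdn)
    } catch { }
    [pscustomobject]@{ ForwardOk = $forwardOk; ReverseOk = $reverseOk }
}

New-LabDnsZones
Test-LabDns
```

Both lookups must return True before moving on to dcpromo; a failing reverse lookup usually means the PTR record was not registered, which `ipconfig /registerdns` only does once the reverse zone exists.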
 
Step 2.2 Install Active Directory

Role: Active Directory Domain Services

Step 2.2.1 Run the Active Directory Domain Services Installation Wizard (dcpromo.exe) (this option is offered automatically when you click on the Active Directory Domain Services role)

Start the wizard – option: Use advanced mode installation – Next – option: Create a new domain in a new forest – Next – "lorsinclair.com"
 
Domain NetBIOS name: LORSINCLAIR – Next – option forest functional level: "Windows Server 2008 R2" –


Option: No, do not create the DNS delegation
 
Next –
Database folder: C:\Windows\NTDS
Log files folder: C:\Windows\NTDS
SYSVOL folder: C:\Windows\SYSVOL

Assign a password
Next
 
restart computer
 
 
Step 2.2.2 Integration of DNS into Active Directory:

Right-click the zone: DNS – LORSRV001 – Forward Lookup Zones – lorsinclair.com – Properties – General tab – click the Change button next to the Type field – choose the option Primary zone and check the option: Store the zone in Active Directory (available only if the DNS server is a domain controller).

Right-click the zone: DNS – LORSRV001 – Forward Lookup Zones – lorsinclair.com – Properties – General tab – click the Change button next to the Replication field: All DNS servers in this domain – change to: All DNS servers running on domain controllers in this forest: lorsinclair.com

If you now type nslookup, you will see an error: Default Server: UnKnown, Address: ::1

To repair it: go to Change adapter settings – Local Area Connection (ncpa.cpl) – choose the option: Obtain DNS server address automatically
 
Step 2.2.3 Run diagnostics

dcdiag /v (complete diagnostic)
dcdiag /v > c:\dcdiag.txt (redirect the output into a log file)
 
Test results:
LORSRV001 passed test Connectivity
LORSRV001 passed test Advertising
LORSRV001 passed test FrsEvent
LORSRV001 failed test DFSREvent
 
 
LORSRV001 passed test SysVolCheck
LORSRV001 passed test KccEvent
LORSRV001 passed test KnowsOfRoleHolders
LORSRV001 passed test MachineAccount
LORSRV001 passed test NCSecDesc
LORSRV001 passed test NetLogons
LORSRV001 passed test ObjectsReplicated
LORSRV001 passed test Replication
LORSRV001 passed test RidManager
LORSRV001 passed test Service
 LORSRV001 failed test SystemLog
LORSRV001 passed test VerifyReferences
ForestDnsZones passed test CheckSDRefDom
ForestDnsZones passed test CrossRefValidation
DomainDnsZones passed test CheckSDRefDom
DomainDnsZones passed test CrossRefValidation
Schema passed test CheckSDRefDom
Schema passed test CrossRefValidation
Configuration passed test CheckSDRefDom
Configuration passed test CrossRefValidation
lorsinclair passed test CheckSDRefDom
lorsinclair passed test CrossRefValidation
lorsinclair.com passed test LocatorCheck
lorsinclair.com passed test Intersite – If errors occur at this point, enter the name of the test and the result "failed" into a search engine
 
 

Test: the server must be able to resolve its site

nltest /dsgetsite
No error may occur (the result is "Default-First-Site-Name")

Rename the site: Default-First-Site-Name -> Lor

Check the domain controller list:
nltest /dclist:lorsinclair

All domain controllers should be listed with their fully qualified domain names
 
 
 
 
Start the service NtFrs (file replication)
To verify that everything works:
dcdiag.exe
Test name resolution:
nslookup
Rename the site: Default-First-Site-Name -> Olympus
Check the domain controller list:
nltest /dclist:lorsinclair
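Reading a verbose dcdiag report by eye is how the two failed tests above (DFSREvent, SystemLog) are easy to miss. The following PowerShell is an added example, not part of the original post: it runs the same dcdiag, nltest /dsgetsite and nltest /dclist checks from step 2.2.3 and the lines above, keeps the log file the post creates, and returns the failed tests and locator results as objects. The domain name is the post's lab value; the output formats of dcdiag and nltest that the regexes rely on are as I know them from Windows Server 2008 R2.

```powershell
# Added example (not from the original post): turn the manual dcdiag / nltest checks into
# functions that return objects, so a failure cannot be overlooked in a long verbose report.
function Get-DcDiagFailures {
    param([string]$LogPath = 'C:\dcdiag.txt')
    # dcdiag /v writes the full verbose report; keep it on disk as the post does.
    dcdiag /v | Out-File -FilePath $LogPath -Encoding ascii
    foreach ($line in Get-Content -Path $LogPath) {
        # Lines of the form "......... LORSRV001 failed test SystemLog"
        if ($line -match '(?<obj>\S+)\s+failed test\s+(?<test>\S+)') {
            [pscustomobject]@{ Object = $Matches['obj']; Test = $Matches['test'] }
        }
    }
}

function Test-DcLocator {
    param([string]$Domain = 'lorsinclair')
    # nltest /dsgetsite prints the site name on its first line (or an error line);
    # nltest /dclist prints one "host [roles] Site: name" line per domain controller.
    $site = @(nltest /dsgetsite)[0]
    $dcs  = @(nltest /dclist:$Domain | Where-Object { $_ -match 'Site:' })
    [pscustomobject]@{
        Site              = $site
        SiteResolved      = ($site -notmatch 'failed|ERROR')
        DomainControllers = ($dcs | ForEach-Object { $_.Trim() }) -join '; '
        AllFqdn           = -not ($dcs | Where-Object { $_ -notmatch '^\s*\S+\.\S+\s' })
    }
}

$failures = @(Get-DcDiagFailures)
if ($failures.Count -eq 0) { 'dcdiag: all tests passed' } else { $failures | Format-Table -AutoSize }
Test-DcLocator
```

`AllFqdn` is False when a domain controller is listed by its short name only, which is the condition the note above warns about (every DC should appear with its fully qualified domain name); `SiteResolved` False corresponds to the nltest /dsgetsite error case.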
 
Installing virtual machines: Hyper-V
Step 1 – Network: add a virtual network in the Virtual Network Manager:
Name: ……
External: checked
Enable virtual LAN identification: not checked

The local area connection adapts its connection parameters and automatically switches to the new connection (Local Area Connection 3):
IP 172.24.65.201
Subnet: 255.255.255.0
Gateway: 172.24.65.1
DNS: 172.24.65.201
 
Installing Hyper-V Server – Server 2008
Joining Active Directory (domain membership)
Set TCP/IPv4 properties:
IP 172.24.65.203
Subnet: 255.255.255.0
Gateway: 172.24.65.1
DNS: 172.24.65.201

Rename the computer: LorSrv003
Domain: lorsinclair.com
 
Test
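The network settings, rename and domain join for the Hyper-V host can be done from the command line as well. The block below is an added example and not part of the original post: netsh sets the static IPv4 configuration from the lines above, netdom renames the machine and joins it to the domain, and a last function verifies the result after the restart. Addresses, names and domain are the post's lab values; the adapter name and the administrator account used for the join are assumptions (check the adapter name with `netsh interface ipv4 show interfaces`).

```powershell
# Added example (not from the original post): Hyper-V host network, rename and domain join.
$Adapter   = 'Local Area Connection'          # assumption: adapter name on the new host
$Domain    = 'lorsinclair.com'
$DcAddress = '172.24.65.201'
$JoinUser  = 'LORSINCLAIR\Administrator'      # assumption: account allowed to join computers

function Set-LabHostNetwork {
    # Static IPv4 address and the domain's DNS server (the DC), as on the TCP/IPv4 property page.
    netsh interface ipv4 set address name="$Adapter" source=static address=172.24.65.203 mask=255.255.255.0 gateway=172.24.65.1
    netsh interface ipv4 set dnsservers name="$Adapter" source=static address=$DcAddress register=primary
}

function Rename-LabHost {
    param([string]$NewName = 'LorSrv003')
    # Run while the machine is still in a workgroup; /reboot restarts after the given delay.
    netdom renamecomputer $env:COMPUTERNAME /newname:$NewName /force /reboot:5
}

function Join-LabDomain {
    # Run after the restart from Rename-LabHost. /passwordd:* prompts for the password
    # instead of putting it on the command line or in a script.
    netdom join $env:COMPUTERNAME /domain:$Domain /userd:$JoinUser /passwordd:* /reboot:5
}

function Test-LabDomainMembership {
    # After the final restart: the secure channel to a DC must be established and the DNS server
    # configured above must resolve back to the domain controller's FQDN.
    $sc = nltest /sc_query:lorsinclair
    $dcName = ''
    try { $dcName = ([Net.Dns]::GetHostEntry($DcAddress)).HostName } catch { }
    [pscustomobject]@{
        SecureChannelOk = [bool]($sc -match 'Trusted DC Name')
        DnsServerOk     = ($dcName -ieq "lorsrv001.$Domain")
    }
}
```

Call `Set-LabHostNetwork` and `Rename-LabHost` first, `Join-LabDomain` after the restart, and `Test-LabDomainMembership` after the second restart; a False `SecureChannelOk` with a True `DnsServerOk` points at the join itself (credentials or computer account), while both False points back at the DNS setting on the adapter.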
 
 
Posted in Microsoft - Server Roles

Driver

Help you to find the right driver:
 
Posted in Uncategorized