Welcome to Slamet Raharjo's World

Thursday, December 02, 2010 2:26 AM

Active Directory Data Restoration Procedures

Rekan, berikut satu lagi alur restoration AD, alur ini lebih di tekankan terhadap kerusakan AD (misal kerusakan salah satu DC) yang ringan

yang tidak terlalu berimbas secara global (forest wide accident), sbb :

Good Luck.

Share this post:

|

Posted by sraharjo | 1 comment(s)

Thursday, December 02, 2010 1:42 AM

Active Directory Database Restoration Procedures

Rekan, berikut sedikit saya sharing Alur Active Directory Database Restoration Procedures,

Prosedur ini dapat di manfaatkan in cases Active Directory (Domain Controller) yang kita miliki sedang sakit

dan sudah tidak bisa di sembuhkan dengan obat biasa, yang mau tidak mau harus dengan restoration proccess.

Good Luck.

Share this post:

|

Posted by sraharjo | with no comments

Thursday, December 02, 2010 1:08 AM

Active Directory Ports

Berikut list port yang di gunakan untuk komunikasi dengan ataupun antar Active Directory.

Port tersebut harus di pastikan sudah di buka di firewall (windows firewall and another firewall).

		TCP	UDP	ICMP
RDP	Remote Desktop	3389
DNS	DNS Download	53
DNS	DNS Queries		53
WINS Replication	WINS	42
WINS Replication	WINS		42
ICMP	echo-request			8
	info-request			15
	mast request			17
	timestamp			13
NetBIOS Services	Name Resolution Service	*137*	137
	Datagram Services (Browsing)		138
	Session Service (net use)	139
SMB	Input	445
SMB	Output		445
Remote Storm		1025
NTP	NTP	123
NTP	NTP		123
Content Replication	Content_Repl	507
Kerberos	Kerberos-Secure		750
	Kerberos_v5	88 + 464
	Kerberos_v5		88 + 464
LDAP	LDAP	389
	LDAP		389
	LDAP over SSL/TLS	636	636
	Global Catalog	3268
	Global Catalog over SSL/TSL	3269
Replication	Active Directory	RPCSS Dynamic

Untuk Penambahan Port Tertentu yang ingin di lakukan melalui command prompt, dapat di lakukan

dengan mengetikan syntax netsh firewall, contohnya dengan command sebagai berikut :

netsh firewall add portopening tcp 3389 139_tcp_AD_PORTS enable
netsh firewall add portopening tcp 139 139_tcp_AD_PORTS enable subnet
netsh firewall add portopening tcp 445 445_tcp_AD_PORTS enable subnet
netsh firewall add portopening udp 137 137_udp_AD_PORTS enable subnet
netsh firewall add portopening udp 138 138_udp_AD_PORTS enable subnet
netsh firewall add portopening tcp 53 53_tcp_AD_PORTS enable subnet
netsh firewall add portopening udp 53 53_udp_AD_PORTS enable subnet
netsh firewall add portopening tcp 42 42_tcp_AD_PORTS enable subnet
netsh firewall add portopening udp 42 42_udp_AD_PORTS enable subnet
netsh firewall add portopening tcp 137 137_tcp_AD_PORTS enable subnet
netsh firewall add portopening tcp 1025 1025_tcp_AD_PORTS enable subnet
netsh firewall add portopening tcp 123 123_tcp_AD_PORTS enable subnet
netsh firewall add portopening udp 123 123_udp_AD_PORTS enable subnet
netsh firewall add portopening tcp 507 507_tcp_AD_PORTS enable subnet
netsh firewall add portopening udp 750 750_udp_AD_PORTS enable subnet
netsh firewall add portopening tcp 88 88_tcp_AD_PORTS enable subnet
netsh firewall add portopening udp 88 88_udp_AD_PORTS enable subnet
netsh firewall add portopening tcp 464 464_tcp_AD_PORTS enable subnet
netsh firewall add portopening udp 464 464_udp_AD_PORTS enable subnet
netsh firewall add portopening udp 389 389_udp_AD_PORTS enable subnet
netsh firewall add portopening udp 636 636_udp_AD_PORTS enable subnet
netsh firewall add portopening udp 445 445_udp_AD_PORTS enable subnet
netsh firewall add portopening udp 161 161_udp_AD_PORTS enable subnet
netsh firewall add portopening tcp 162 162_tcp_AD_PORTS enable subnet
netsh firewall add portopening tcp 42424 42424_tcp_AD_PORTS enable subnet
netsh firewall add portopening tcp 5000 5000_tcp_AD_PORTS enable subnet
netsh firewall add portopening tcp 5001 5001_tcp_AD_PORTS enable subnet

Good luck.

Share this post:

|

Posted by sraharjo | with no comments

Wednesday, December 01, 2010 9:53 AM

Active Directory Virtualization (10 Important Considerations)

In any case, since domain controllers are the most important machines in a Microsoft-based environment, and having failed DCs hanging out there can have adverse effects on many network services, devices and applications, you should really consider carefully planning your setup, just like you would for physical servers. For example, here are some important considerations:

If you virtualize your DCs, you should configure the VMs running the domain controllers to always start when the parent starts, no matter what their running state was (this is configurable in the virtual machine settings).
If you virtualize your DCs, configure any other virtual machines to start automatically but with a delayed start time to allow the domain controllers to start up prior to the other virtual machines.
If you virtualize your DCs, you should configure the domain controller virtual machines to shutdown (and not save state) if the physical computer is shutdown.
Plan and test managing of the Hyper-V environment in case all the virtual domain controllers fails to start.
You should NEVER use saved state/snapshots with domain controllers, unless there's only one DC.
Just like in physical servers, ALWAYS have more than one domain controller.
Spread the domain controllers across separate physical machines. There's no point running all DCs on the same Hyper-V host server if it fails for some reason.
Disable time synchronization for the domain controllers. They are supposed to be the source of time in the domain, and you don't want them to take the time from their host, which then takes the time from the domain controller.
Make sure you plan, text and implement a good and working System State backup for at least some of your DCs. This is mostly true for Global Catalogs and FSMO Role holders.
If you have more than one Hyper-V server hosting virtual machines running domain controller roles, you might want to plan a method of quickly transferring these VMs between the physical Hyper-V hosts. This can be accomplished by using Power Shell scripts or VM management tools such as SCVMM 2008.

Good luck, Happy VM Deployment. //'); //]]> //'); //]]> //'); //]]> //'); //]]> //'); //]]> //'); //]]> //'); //]]> //'); //]]>

Share this post:

|

Posted by sraharjo | with no comments

Wednesday, December 01, 2010 4:51 AM

Active Directory Super Command

DC DIAGNOSTIC COMMAND:

********* DCDIAG /S:DC1 >C:\DIAG.TXT (>c:\diag.txt = printing dcdiag info into c:\diag.txt file)

COMPAR- TWO DC's DIFF..

********* DSASTAT /S:DC1,DC2 /b:"CN=DOMAIN CONTROLLER,DC=domainname,DC=COM"

To verify communication with other domain controllers

********* netdiag /test:dsge

To ensure that the operations masters are functioning properly

********* dcdiag /s:servername /test:fsmocheck

To determine whether a site has at least one global catalog server

********* nltest /dsgetdc:domainmae /gc /site:sitename

To Verify Status of Global Catalog Server

******* dcdiag /v /s:servername | find "%"

To Verify whather a site has Bridgeheads Server

***** Repadmin /Bridgeheads /Verbose

To monitor the replication progress on a new global catalog server

********* dcdiag /v /s:servername

To Detecting Null Server-Reference Attributes

********* ntfrsutl ds > c:\ntfrsutl.txt

To Rollback Defualt Security temple before appling new Security template

*********

secedit /generaterollback /cfg c:windows\security\templates\securedc.inf /rbk ooops.inf /log ooops.log

*****To Redirect Computer folder to new Organization Unit****

rediremp ou=lockdown,dc=domainname,dc=com ****

****Replication DC to DC****

Repadmin /Syncall

Repadmin /Syncall /A /e /P

*****GPO Troubleshooting*****

dcgpofix /target:domain

dcgpofix /target:DC

dcgpofix /target:Both

*****Apply Security template on local PC or Server

Secedit /Configure /db c:\dc3.sdb /cfg c:windows\security\Template\secureserver.inf /log sercureserver.log

****To Creat Application partition on DNS Server by using DNSCMD****

dnscmd Server1 /createdirectorypartition app1.companyname.com

dnscmd Server1 /enlistdirectorypartition app1.companyname.com

dnscmd Server1 /unenlistdirectorypartition app1.companyname.com

dnscmd server1 /deletedirectorypartition app1.companyname.com

*****Troubleshooting Replication ******

repadmin /kcc

repadmin /showreps

repadmin /bridgeheads

DSASTAT /S:DC1,DC2 /b:"CN=DOMAIN CONTROLLER,DC=domainname,DC=COM"

DSASTAT -S:domaincontroller1;domaincontroller2

dsastat -s:rosebud;milquestoast

dcdiag /test:topology

dcdiag /test:replication

********* Time Services Managements ****

w32tm /config /manualpeerlist:"ntp.colby.edu, tick.gatech.edu" /update (US-EST Time)

net time /querysntp

w32tm /monitor

*****FSMO******

----Find which server holding what roles---

Netdom Query FSMO

dsquery server -hasfsmo rid

dsquery server -hasfsmo pdc

dsquery server -hasfsmo infr

dsquery server -hasfsmo name

dsquery server -hasfsmo schema

****To FSMO Details****

Dcdiag /test:knowsofroleholders /v

****To Transfer FSMO Roles from one DC to another DC*****

Ntdsutil:

Ntdsutil:roles

fsmo Maintenance: Connections

Server Connections: Connect to Domain_Controller

Server Connections:Quit

-> fsmo Maintenance:Transfer PDC or RID OR Domain naming master or Schema master

**To Seize Roles**

-> fsmo Maintenance:Seize Schema master or Rid master or PDC master or Domain naming master

***Cleaning Metadata***

ntdsutil:

ntdsutil:metadata Cleanup

Metadata Cleanup:Connection

Connection:Connect to Server Servername (Domain Naming Master)

Quit

Select Operation Target

List Domain

Locate the domain you want to remove the metadata (Pick Number)

select domain number (Number= 0 or 1)

List Sites

Select Site Number (Number= 0 or 1)

List Servers in Site

Select Server number (Number = 0 or 1)

Quit

remove Selected Server

Quit

******How to change DSRM Password********

ntdsutil:set DSRM password

Reset DSRM Administrator Password:reset password on server servername

Reset DSRM Administrator Password:reset password on serve null (Local)

quit

****How to Restore AD Databse****

ntdsutil:auth-restore

authoritative restore:Restore subtree ou=sales,dc=temple,dc=com (i.e Subtree Restore)

authoritative restore:Restore Databse (Entire AD Database from last backup)

authoritative restore:Restore Object (Object Only)

Repadmin /option <Servername> +disable_inboubd_rep (Disable replication)

Repadmin /Syncall /A /e /P (BIG GUN)

Repadmin /option <servername> -disable_inbound_rep (Enable replication)

Share this post:

|

Posted by sraharjo | with no comments

Wednesday, December 01, 2010 4:13 AM

Active Directory FSMO Placement

Certain domain and enterprise-wide operations not well suited to multi-master placement reside on a single domain controller in the domain or forest. The advantage of single-master operation is to prevent the introduction of conflicts while an operation master is offline, rather than introducing potential conflicts and having to resolve them later. Having a single-operation mastermeans, however, that the FSMO role owner must be available when dependent activities in the domain or enterprise take place, or to make directory changes associated with that role.

The Active Directory Installation Wizard (Dcpromo.exe) defines five FSMO roles: schema master, domain master, RID master, PDC emulator, and infrastructure. The schema master and domain naming master are per-forest roles.

The remaining three, RID master, PDC emulator, and infrastructure master, are per-domain roles. A forest with one domain has five roles. Every additional domain in the forest adds three domain-wide roles. The number of FSMO roles in a forest and potential FSMO role owners can be determined using the formula ((Number of domains * 3)+2).

A forest with three domains (A.com, with child and grandchild domains of B.A.com and C.B.A.com) has eleven FSMO roles:

1 Schema master - forest-wide A.COM

1 Domain naming master - forest-wide A.COM

3 PDC emulators (A.com, B.A.com, and C.B.A.com)

3 RID masters (A.com, B.A.com, and C.B.A.com)

3 Infrastructure masters for each respective domain. (A.com, B.A.com, and C.B.A.com)

When you create the first Active Directory domain controller of a forest, Dcpromo.exe assigns all five roles to it. When you create the first Active Directory domain controller of a new domain in an existing forest, the system assigns all three domain

roles to it. In a mixed mode domain containing Microsoft Windows NT 4.0 domain controllers, only the domain controllers that are running Microsoft Windows Server 2003 or Microsoft Windows 2000 Server can hold any of the domain or forest wide

FSMO roles.

FSMO availability and placement

Dcpromo.exe performs the initial placement of roles on domain controllers. This placement is often correct for directories with few domain controllers. In a directory with many domain controllers the default placement is unlikely to be the best match to your network.

On a per-domain basis, select local primary and standby FSMO domain controllers in case a failure occurs on the primary FSMO owner. Additionally, you may want to select off-site standby owners in the event of a site-specific disaster scenario.

Consider the following in your selection criteria:

Ø If a domain has only one domain controller, that domain controller holds all the per-domain roles.
Ø If a domain has more than one domain controller, use Active Directory Sites and Services Manager to select direct replication partners with persistent, "well-connected" links.
Ø The standby server may be in the same site as the primary FSMO server for faster replication convergence consistency over a large group of computers, or in a remote site in the event of a site-specific disaster at the primary location.
Ø Where the standby domain controller is in a remote site, ensure that the connection is configured for continuous replication over a persistent link.

General recommendations for FSMO placement

Place the RID and PDC emulator roles on the same domain controller. It is also easier to keep track of FSMO roles if you host them on fewer machines.

If the load on the primary FSMO load justifies a move, place the RID and primary domain controller emulator roles on separate domain controllers in the same domain and active directory site that are direct replication partners of each other.

As a general rule, the infrastructure master should be located on a nonglobal catalog server that has a direct connection object to some global catalog in the forest, preferably in the same Active Directory site. Because the global catalog server holds a partial replica of every object in the forest, the infrastructure master, if placed on a global catalog server, will never update anything, because it does not contain any references to objects that it does not hold.

Two exceptions to the "do not place the infrastructure master on a global catalog server" rule are:

Single domain forest:

In a forest that contains a single Active Directory domain, there are no phantoms, and so the infrastructure master has no work to do. The infrastructure master may be placed on any domain controller in the domain, regardless of whether that domain controller hosts the global catalog or not.

Multidomain forest where every domain controller in a domain holds the global catalog:

If every domain controller in a domain that is part of a multidomain forest also hosts the global catalog, there are no phantoms or work for the infrastructure master to do. The infrastructure master may be put on any domain controller in that domain.

At the forest level, the schema master and domain naming master roles should be placed on the same domain controller as they are rarely used and should be tightly controlled. Additionally, the domain naming master FSMO should also be a global catalog server. Certain operations that use the domain naming master, such as creating grandchild domains, will fail if this is not the case.

In a forest at the Forest Functional Level Windows Server 2003, you do not have to place the domain naming master on a global catalog.

Most importantly, confirm that all FSMO roles are available using one of the management consoles (such as Dsa.msc orNtdsutil.exe).

Share this post:

|

Posted by sraharjo | 1 comment(s)

Sunday, November 28, 2010 10:32 PM

Dynamic Data Center For Cloud Computing

Suatu hari sempat ada seorang rekan saya menanyakan kepada saya, saya memiliki komputer di rumah, katanya : selain saya pake buat browsing internet, saya juga dapat menyimpan data saya di web sites tertentu, kok jaman sekarang mudah sekali ya, gratis *** menyimpan data di internet ? Kalau tiap orang di kasih space penyimpanan data sebesar 10 GB, lalu kalau yang menyimpan itu 10, 100, 1000 atau bahkan lebih dari 1 juta orang bagaimana caranya kok web tersebut masih bisa menampung ?Pertanyaan yang sederhana memang, tetapi saya sendiri tidak mudah menjawabnya, Benar juga apa yang rekan saya tanyakan, kenapa selama ini saya tidak pernah mau tau tentang hal itu, akhirnya saya dengan berat hati menjawab terhadap rekan saya tersebut, eh sory banget, saya belum bisa menjawabnya, soalnya masih abu-abu, nanti kalau saya asal jawab terus jawabannya ternyata ngawur, ya pasti saya akan merasa sangat bersalah, dan informasi yang saya berikan tidak valid secara teori dan fakta.Bermodalkan pertanyaan yang diberikan rekan saya tersebut, saya cari informasi ke sana dan ke sini, terutama informasi dari internet, nah di dapatlah satu titik terang dengan yang namanya teknologi Cloud Computing.Tapi apa hubungannya antara teknologi cloud computing dengan pertanyaan rekan saya tadi ? ternyata hubungannya memang baik-baik saja, eh salah, maksudnya hubungannya sangat erat sekali, di dalam teknologi cloud computing salah satu komponen pembangunnya adalah teknologi virtualisasi.Lalu apalagi tuch teknologi virtualisasi ? pertanyaan ini muncul dengan sendirinya dari diri saya, kok malah nyambungnya ke yang namanya virtualisasi, selama ini yang saya kenal adalah visualisasi, maklum di kantor kalau ada project apapun harus di buat dokumentasi dan hasil dokumentasi tersebut di masukkan ke dalam katagori mem-visualisasikan object, maklum saja IT katanya fisiknya tidak jelas apa yang di kerjakan, tetapi walupun banyak orang yang bilang begitu, saya tinggal tanya balik, kok kenapa IT diperlukan kalau memang tidak jelas apa yang di kerjakan? Kenapa perusahaan sampai memerlukan orang IT? Dan si user yang yang saya tanya tadi kelabakan tidak bisa menjawab.Kita lanjut lagi ke teknologi virtualisasi, pada intinya virtualisasi ini adalah mendayagunakan object fisik seoptimal mungkin untuk memberikan effort yang lebih optimal terhadap bisnis. Kalau jaman dulu kita sudah kenal dengan yang namanya VPN (Virtual Private Network), yaitu network yang berjalan di dalam network, arti sederhananya misalnya seperti ini, pada saat kita bisa terkoneksi ke internet melalui modem, maka kita menjalankan suatu applikasi dimana dengan applikasi ini seolah-olah nantinya terbentuk jalur khusus yang menghubungkan komputer kita langsung seolah-olah terhubung secara LAN dengan dengan komputer di datacenter.Nah dari teknologi simple ini, istilah dan konsep virtualisasi semakin di kembangkan oleh para pemain IT baik itu pakar IT maupun perusahaan yang bergerak di bidang IT, hasilnya sekarang kita mengenal yang namanya virtualisasi server.Virtualisasi server secara sederhananya adalah membangun server di dalam server, maksudnya begini, jika kita memiliki satu buah mesin (satu buah fisik server), maka biasanya kita hanya menginstall mesin tersebut dengan operating system tertentu dan kemudian server yang sudah terinstall operating sytem ini kita install applikasi sesuai peruntukannya, issue yang muncul jika ada banyak applikasi, kita gabung diinstall di server yang sama, maka tidak jarang terjadi bentrok applikasi dan kinerja serverpun jadi terganggu, parahnya lagi server bisa secara intermitten (tidak terduga) akan berhenti operasional secara total, wah sangat mengerikan bukan bagi kita orang IT ?Dari issue yang muncul tersebut akhirnya terjawab sudah, sekarang diciptakan yang namanya teknologi virtualisasi, pemain teknologi virtualisasi ini cukup berkembang, diantaranya adalah Microsoft Hyper-V, VMWare dan Citrix.Mengenal dan apalagi mempelajari teknologi virtualisasi merupakan suatu hal yang sangat menarik, karena teknologi ini akan menjadi platform pembangunan infrastruktur di masa depan, sebelum kita bicara lebih jauh tentang virtualisasi, kita luruskan terlebih dahulu mengenai konsep ataupun istilah cloud computing.

Selengkapnya dapat di download di : http://wss-id.org/files/folders/ddc/entry40576.aspx

Share this post:

|

Posted by sraharjo | 1 comment(s)

Wednesday, September 15, 2010 10:35 PM

Windows Server 2008 R2 Remote Desktop Services & Hyper-V, Solusi Jitu Cost Effective

Suatu waktu yang sangat tidak dinanti akhirnya datang juga, hari atau tanggal yang sangat tidak saya *** sukai *** yaitu di saat software-software yang ada sudah mulai memasuki masa expired, jika penggunaan software ini ingin terus berlanjut maka mau tidak mau solusinya yaitu dengan renewal subscription, andai kata price licensi per user U$$ 100, mungkin untuk 2 user saja sich nilainya masih ok, tetapi bagaimana kalau memiliki 100 user ? artinya U$$ 100 x 100 = U$$ 10.000 , weleh weleh, itu baru satu software, belum software yang lainnya yang minta jatah renewal tahunan.

Itu pengalaman saya dahulu sebelum beralih dari citrix ke RDS (Remote Desktop Services), dari dulu memang teknologi remote application ini yang saya cari, akhirnya microsoft mengerti juga keinginan saya (entah taunya dari angin mana), maka mulai windows 2008, microsoft memperbaiki teknologi Terminal Servicenya yang sekarang berganti nama menjadi Remote Desktop Services.

Jika dulu untuk licensi citrix per user U$$ xxx , maka untuk RDS cukup U$$ xx saja, artinya bisa saya kalkulasi penghematan yang sangat signifikan, tetapi tidak mengesampingkan kehandalan services ke client tentunya, support dan service ke client tetap menjadi priority utama sebelum saya memutuskan teknologi harus di bawa ke mana.

Wal hasil, sudah setahun lamanya saya memanfaatkan teknologi RDS ini untuk handle 2 factory yang berlokasi di Jawa Barat dan Jawa Timur dengan user yang lumayan banyak yang secara simultan dan continue mengakses applikasi ERP secara remote di Head Office (Jakarta), server yang di fungsikan secara fisik cukup 2 server saja, tetapi masing-masing server fisik di dalamnya saya aktifkan roles Hypervisor (Hyper-V) untuk hosting beberapa VM (Virtual Machine), hasilnya untuk handle 20 sampai 30 user secara bersamaan dapat di handle dengan mudah dan ringan.

Untuk RD Gateway saya cukup aktifkan di salah satu fisik server, dan untuk Terminal Servicenya (RD Session Host) di aktifkan di tiap VM di mana load balancing beban di atur oleh RD Session Broker, pokoknya sangat lengkap fitur Terminal Services di Win 2008 R2 ini.

Satu lagi, teknologi hypervisor juga sudah saya terapkan untuk beberapa roles penting infrastructure lainnya, diantaranya untuk DHCP server, bayangkan saja jika suatu DHCP server yang ada di server fisik tewas, jika ganti hardware maka mau tidak mau DHCP server yang sudah authorize di Active Directory harus dibersihkan dulu supaya DHCP server yang baru ini bisa di terima di Domain, dan ini bukan perkara mudah, jika kita bangun DHCP server dengan teknologi Hypervisor yaitu under VM (Virtual Mesin), maka jangan repot-repot, cukup import DHCP server tersebut ke server lain yang sudah terinstall hypervisor, langsung up and run dalam hitungan menit saja, karena server Active Directory akan mengenali DHCP server yang di import tersebut sebagai mesin sama dengan yang tewas tadi.

Ada satu petuah dari orang bijak, anak ayam bisa kita jadikan elang jika kita bisa memperlakukannya seperi elang, artinya, OS (Operating System) apapun yang kita gunakan, asalkan kita mau explore isinya, maka akan menjadi kendaraan hebat untuk kita jadikan teman ataupun alat perang di dunia IT.

Gb. 1 Contoh Screen Capture Untuk Login ke Portal RDS :