November 2011 Entries
ADDS: 1 - Introducing and designing

What is ADDS?

Every Microsoft-oriented infrastructure in today's enterprises depends largely on Active Directory. It is the foundation stone on which all other products (Exchange, update services, Office Communicator, the System Center family, etc.) rely to get their information.

And that is just looking at it from an infrastructure perspective.

A well designed and implemented Active Directory makes life for IT personnel and users alike a lot easier. Centralised management and the capabilities it opens up are ample.

But what is Active Directory Domain Services?

We can look at ADDS as a centralised directory containing all objects your infrastructure runs on in one way or another. Since it is a Microsoft product you will obviously not be seeing Linux or Mac clients listed in here (exceptions exist), but in general we can say it contains everything your company has in place in one form or another.

The domain name service.

The domain name service (or DNS for short) is a service which translates between IP addresses (the identifiers for each computer in your domain) and readable, easy to understand names. This service is a prerequisite for ADDS to work, and having wrong records in a DNS server will make any ADDS service fail.


Generally speaking a DNS service will be run on the same server as the ADDS service, but it is worthwhile to remember that this is not necessary. You could, for example, run your DNS services on a Linux box (which would need special preparation to host an ADDS integrated DNS zone) and run the ADDS service on another box…

Where to start?


If the aim is to put in place a first time implementation of ADDS in your enterprise there are plenty of things to consider depending on what you are going to do in the long run. Great care has to be taken when first designing and implementing as having it set up wrong will cause a headache down the line. It is for that reason that I like to start building from the bottom up and start with a generic installation of ADDS (which will still differ for every client) and make it adaptable for future services which can hook in to the existing environment.


Adapting existing environments is out of scope for this document (and series), although it is possible to take the pointers and change your existing environment to run in a smoother manner. Take great care when changing things as one small slip of the hand can give you a forest-wide failure…


Whenever starting with an ADDS deployment I ask the client the following questions:

  • What are your long term plans and goals?
  • How flexible do you want it?
  • Are you currently Linux heavy and want to keep this, or can we go for an all-Microsoft design?

Those three questions should give some sort of indication of what direction can be taken and whether the client has thought about some things themselves :).

The technical side of things

What is next to consider is what kind of infrastructure is already in place. For this series I'll keep it simple and introduce some general concepts without going into depth on integrating ADDS with other DNS services.

Building from the ground up means we need to consider the layers on which our infrastructure will rely. In my view that goes as follows:

  • Network (WAN/LAN links and physical sites)
  • DNS Namespacing
  • All in one domain or split up in different domains/forests?
  • Security (both for ADDS and physical sites)

The network side of things

Looking at how the network is currently set up can potentially teach us a great deal about the client. Do they have multiple physical sites? What network speeds exist between these sites, etc…

Depending on this information we will design our site links (which control replication) in future stages.

DNS Namespacing

Maybe the single most interesting thing to know is what the domain will be named (ADDS will need a DNS domain with the same name) and where this will be hosted.


Note that Active Directory can be set up with a single-label name (aka contoso instead of contoso.com), but it is highly recommended never to do this. If you do end up with a domain like that for some reason, a lot of services are going to give you good grief in the future (Exchange being one of them). So one of the best practices is to always use a two-part name (contoso.com or contoso.lan for example).

Internal namespace

A separate internal namespace is just what it sounds like. You have a DNS domain which is different internally from what the client has as an external namespace.

For example, contoso.com as an external name (out on the internet) and contoso.lan on the internal network.

This setup has its advantages in that the DNS side of things is more obscure from the internet, but it will require additional work to publish services to the web.

External namespace

Quite like the internal namespace, only here the internal namespace of the company is not different from what is known on the internet. In this implementation you would host your own DNS servers for the external domain inside the network. Or in other words, any external computer doing a DNS lookup would contact your internal DNS server for the resolution.

Generally speaking this set up is a bad idea from the security side of things.

Split DNS

Whilst using an external namespace design is fairly easy, it involves a lot of security risks. Opening up your ADDS DNS servers for lookups exposes your entire network to the internet and should be avoided at any cost.

And that is where the "split DNS" design comes in. In this setup you would still have the same namespace internally and externally, but you would be using different DNS servers for lookups on the external network, which have no records of your internal resources unless you explicitly publish them.
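An added example (not from the original post) of the check a split DNS design calls for: audit the record set your external DNS servers hand out and flag anything that is not on the deliberately published list. The contoso.com zone, its host names and addresses are constructed for the example.

```python
import ipaddress

# Constructed sample: the record set served by the EXTERNAL DNS servers for the
# hypothetical contoso.com zone, as (name, type, data). The dc01/_msdcs entries
# are internal-only data that should never have reached this view.
EXTERNAL_ZONE = [
    ("contoso.com", "MX", "10 mail.contoso.com"),
    ("www.contoso.com", "A", "198.51.100.10"),
    ("mail.contoso.com", "A", "198.51.100.25"),
    ("dc01.contoso.com", "A", "10.0.0.5"),
    ("_ldap._tcp.dc._msdcs.contoso.com", "SRV", "0 100 389 dc01.contoso.com"),
    ("intranet.contoso.com", "CNAME", "dc01.contoso.com"),
]

# Names the company deliberately publishes to the internet (lower case).
PUBLISHED = {"contoso.com", "www.contoso.com", "mail.contoso.com"}

# Labels that only exist in an ADDS-integrated zone (service locator records).
AD_MARKERS = ("_msdcs.", "_sites.", "_tcp.", "_udp.", "domaindnszones.", "forestdnszones.")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    """True for a private (RFC 1918) IPv4 address, False for anything else or garbage."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)

def find_leaks(zone, published):
    """Return (name, type, reason) for every external record not on the published list."""
    leaks = []
    for name, rtype, data in zone:
        if name.lower() in published:
            continue
        if any(m in name.lower() for m in AD_MARKERS):
            reason = "ADDS service locator record"
        elif rtype == "A" and is_rfc1918(data):
            reason = "private RFC 1918 address"
        else:
            reason = "unpublished internal name"
        leaks.append((name, rtype, reason))
    return leaks

if __name__ == "__main__":
    for name, rtype, reason in find_leaks(EXTERNAL_ZONE, PUBLISHED):
        print(f"{rtype:5} {name:40} {reason}")
```

Feed it a zone transfer or export of the internet-facing zone; an empty result means the external view carries only what was meant to be published.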

All in one or not?

In determining your active directory design you can look at the following possibilities: 

  • Single forest, Single domain
  • Single forest, multiple domains
  • Multiple forests, multiple domains

I've listed the possibilities for design in increasing order of administrative magnitude. Microsoft recommends trying to use a single forest, single domain in as many situations as possible. It is, however, always possible that you require your services to be separated from your users in a resource forest, with trusts set up between the different forests.

To start out I would go with the single forest design to avoid complexity unless there are strict requirements to have multiple forests.

Security

What kind of security is required on the domain, and does this reflect the physical security on the sites? Not every client can afford to have a domain controller in a secluded server room on every site, and it is exactly for that reason that Microsoft introduced the RODC (read only domain controller).

An RODC is a domain controller that has been limited in functionality. In essence it will only cache the data you explicitly tell it to cache, and in the case of a DC compromise (it being stolen) only a limited number of accounts will be affected.

Th- Th- Th- That’s all folks!

Well, at least for now! In future editions of this series we'll be walking through the different tasks that need to be done and the thought which needs to be put into them. But for all editions we'll be going from the concept of running a single forest, single domain with a split DNS setup…

See you next time!

Filed Under [ General Platforms ]
Build guides: Windows 2008 R2 Server

The first of the build guides just got published! You can find it in the "Build Guide" section or by following this link: Click here...

Excerpt:

In this first part of the build guide series we look at building a Microsoft Windows 2008 R2 server. Whilst installing the basic operating system on a server is fairly straightforward it is as good a place as any to start as we lay the foundations for the rest of our infrastructure.

In future parts of this series we will look at automating this install as much as possible, after all, we want our time spent on working with the awesome technologies available out there instead of installing servers all day now don’t we :).

Filed Under [ General Platforms ]
Local Area Connection bind order in Windows

Small tool, but it has saved my butt on numerous occasions... It actually allows you to adapt the bind order on the MS_TCPIP stack! Very handy if you're getting strange pingback addresses (APIPA?) like 160.254.x.x... You could get this solved using the hosts file, but this tool adds a whole new dimension to this:

http://archive.msdn.microsoft.com/nvspbind

Filed Under [ General Platforms ]
DAGs and reseeding

Sometimes you just wish Exchange would not act as a total baby!

I worked on a case today which had 2 Exchange 2010 servers in a DAG with about 6 mailbox databases, all in healthy status. All but one, that is. This database copy just would not come back into sync and was stuck in the eternal Resynchronizing loop from hell. So our client cried for help.

The first thing you would want to do is get a status of the database by running Get-MailboxDatabaseCopyStatus -Identity "databasename\servername" | fl. This should return you something in this format:

RunspaceId                       : 9d5ba0d8-78ff-4b51-bbd9-254953d36ecb
Identity                         : Databasename\servername
Name                             : Databasename\servername
DatabaseName                     : DataBaseName
Status                           : Mounted
MailboxServer                    : Servername
ActiveDatabaseCopy               : servername
ActivationSuspended              : False
ActionInitiator                  : Unknown
ErrorMessage                     :
ErrorEventId                     :
ExtendedErrorInfo                :
SuspendComment                   :
SinglePageRestore                : 0
ContentIndexState                : Healthy
ContentIndexErrorMessage         :
CopyQueueLength                  : 0
ReplayQueueLength                : 0
LatestAvailableLogTime           :
LastCopyNotificationedLogTime    :
LastCopiedLogTime                :
LastInspectedLogTime             :
LastReplayedLogTime              :
LastLogGenerated                 : 0
LastLogCopyNotified              : 0
LastLogCopied                    : 0
LastLogInspected                 : 0
LastLogReplayed                  : 0
LogsReplayedSinceInstanceStart   : 0
LogsCopiedSinceInstanceStart     : 0
LatestFullBackupTime             :
LatestIncrementalBackupTime      :
LatestDifferentialBackupTime     :
LatestCopyBackupTime             :
SnapshotBackup                   :
SnapshotLatestFullBackup         :
SnapshotLatestIncrementalBackup  :
SnapshotLatestDifferentialBackup :
SnapshotLatestCopyBackup         :
LogReplayQueueIncreasing         : False
LogCopyQueueIncreasing           : False
OutstandingDumpsterRequests      : {}
OutgoingConnections              :
IncomingLogCopyingNetwork        :
SeedingNetwork                   :
ActiveCopy                       : True

RunspaceId                       : 9d5ba0d8-78ff-4b51-bbd9-254953d36ecb
Identity                         : MailboxName\servername
Name                             : MailboxName\servername
DatabaseName                     : Mailboxdatabasename
Status                           : FailedAndSuspended
MailboxServer                    : Servernamethatfailed
ActiveDatabaseCopy               : servername
ActivationSuspended              : True
ActionInitiator                  : Service
ErrorMessage                     : The required log file 2103 for MailboxName\servername is missing on the active copy. If
                                    you removed the log file, please replace it. If the log file is lost, the database
                                   copy will need to be reseeded using Update-MailboxDatabaseCopy.
                                  
ErrorEventId                     : 2059
ExtendedErrorInfo                :
SuspendComment                   : The database copy was automatically suspended due to failure item processing. At '03
                                   /11/2011 16:23:14' the copy of 'mailboxdatabase' on this server experienced an error t
                                   hat requires it be reseeded. For more detail about this failure, consult the Event l
                                   og on the server for other storage and "ExchangeStoreDb" events. The passive databas
                                   e copy has been suspended.
                                  
SinglePageRestore                : 0
ContentIndexState                : Failed
ContentIndexErrorMessage         : Catalog is dismounted externally for database {0b5d6c24-09dc-4648-958c-eb61b2bd778a}
                                   .
CopyQueueLength                  : 3753
ReplayQueueLength                : 0
LatestAvailableLogTime           : 03/11/2011 16:22:17
LastCopyNotificationedLogTime    : 03/11/2011 16:22:17
LastCopiedLogTime                :
LastInspectedLogTime             :
LastReplayedLogTime              :
LastLogGenerated                 : 3753
LastLogCopyNotified              : 3746
LastLogCopied                    : 0
LastLogInspected                 : 0
LastLogReplayed                  : 3695
LogsReplayedSinceInstanceStart   : 0
LogsCopiedSinceInstanceStart     : 0
LatestFullBackupTime             :
LatestIncrementalBackupTime      :
LatestDifferentialBackupTime     :
LatestCopyBackupTime             :
SnapshotBackup                   :
SnapshotLatestFullBackup         :
SnapshotLatestIncrementalBackup  :
SnapshotLatestDifferentialBackup :
SnapshotLatestCopyBackup         :
LogReplayQueueIncreasing         : False
LogCopyQueueIncreasing           : False
OutstandingDumpsterRequests      : {}
OutgoingConnections              :
IncomingLogCopyingNetwork        :
SeedingNetwork                   :
ActiveCopy                       : False

Now, generally speaking, you would do a Suspend-MailboxDatabaseCopy -Identity "mailboxdatabase\servername" followed by an Update-MailboxDatabaseCopy -Identity " " -DeleteExistingFiles, which would update the passive copy and resume the storage group copy. Yet once in a while you'll run into a case where this won't work as the gap is too large for Exchange to cover. In that case you'll have to perform the highly regarded "manual reseeding procedure"! This is somewhat disruptive for your users and risky unless you keep your head in the game.

These would be the steps you follow:

  1. Suspend the database copy
  2. Go to the passive node and remove all the database and log files (fun yet?)
  3. Dismount the database from Exchange
  4. Go to the log files folder on the active node and move them all to a different folder
  5. Now copy the EDB file from the active node to the passive node
  6. Mount the database once this is completed
  7. Resume the storage group copy
  8. Drink cocktails on the beach as your sync is healthy (not required but highly recommended)

All in all this should get your copy back in order. Not exactly the way you'd want to (aka without downtime), but it gets the job done.
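Before deciding between the cmdlet route and the manual procedure above, it helps to pick the copies Exchange itself says must be reseeded out of the Format-List output. The parser below is an added example, not code from the original post; it handles the wrapped ErrorMessage lines, and the DB01/EX01/EX02 names in the embedded sample are constructed while the message text and event id follow the output shown on this page.

```python
import re

# Constructed sample in the Get-MailboxDatabaseCopyStatus | fl layout shown above
# (names hypothetical, messages and event id as on the page).
SAMPLE = r"""
Identity                         : DB01\EX01
Status                           : Mounted
ErrorEventId                     :
ActiveCopy                       : True

Identity                         : DB01\EX02
Status                           : FailedAndSuspended
ErrorMessage                     : The required log file 2103 for DB01\EX02 is missing on the active copy. If
                                   you removed the log file, please replace it. If the log file is lost, the database
                                   copy will need to be reseeded using Update-MailboxDatabaseCopy.
ErrorEventId                     : 2059
LastLogGenerated                 : 3753
LastLogReplayed                  : 3695
ActiveCopy                       : False
"""

# A field line starts in column 0 as "Key   : value"; indented lines continue the previous value.
FIELD_RE = re.compile(r"^(\S[^:]*?)\s*:\s?(.*)$")

def parse_fl(text):
    """Split Format-List output into one dict per database copy (copies are separated by blank lines)."""
    copies, current, last_key = [], {}, None
    for line in text.splitlines() + [""]:      # trailing "" flushes the last copy
        if not line.strip():
            if current:
                copies.append(current)
            current, last_key = {}, None
            continue
        m = FIELD_RE.match(line)
        if m:                                  # new "Key : value" field
            last_key = m.group(1).strip()
            current[last_key] = m.group(2).strip()
        elif last_key is not None:             # indented wrap of the previous value
            current[last_key] = (current[last_key] + " " + line.strip()).strip()
    return copies

def needs_reseed(copy):
    """True for a passive copy that Exchange itself reports as needing a reseed (event 2059)."""
    return (copy.get("ActiveCopy") != "True" and copy.get("Status") == "FailedAndSuspended"
            and (copy.get("ErrorEventId") == "2059" or "reseeded" in copy.get("ErrorMessage", "")))

def copies_to_reseed(text):
    """Return (identity, logs the copy trails the active one) for every copy needing a reseed."""
    return [(c["Identity"], int(c["LastLogGenerated"]) - int(c["LastLogReplayed"]))
            for c in parse_fl(text) if needs_reseed(c)]
```

Pipe the real cmdlet output to a file and pass its contents to copies_to_reseed; the log gap tells you how far behind the passive copy is before you start deleting anything.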

Filed Under [ General Exchange ]
Disabling IPv6

I often see that people want to disable IPv6 on their Windows machine, but instead of disabling it completely they uncheck the box on the network adapter. Unfortunately that is not enough....

In general I would say "leave it enabled", but there are always specific cases where you want to disable it. The only products on which I would strongly advise against disabling it are the SBS products. For some reason disabling IPv6 on these boxes can cause massive issues in communications between the different applications running on the server.

So if you do want to disable IPv6, follow this support document from Microsoft and use both the registry key as well as the checkbox:
http://support.microsoft.com/kb/929852

Enjoy...

*Update 05/12/2011*
Based on the following information I'm going to take a stand and advise against disabling IPv6. I know for one that the MS Exchange services require IPv6 and cause problems if you haven't disabled it as stated above.
http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx