Welcome to Field of Dreams

We are here to share all new networking and other tricks (facebook.com/shinesgeorge)

How do I install Active Directory on Windows Server 2012 using Server Manager?

If you’re new to Windows Server 2012, or have simply avoided using the graphical Server Manager tool that was introduced in Windows Server 2008, it might not be immediately obvious how to set up a new Active Directory (AD) domain. There are two stages to this process: installing the Active Directory Domain Services (AD DS) components and then configuring a new domain.

Install the AD DS components:
  1. Start Server Manager from the Start screen or the desktop taskbar.
  2. On the Server Manager Dashboard, select Manage in the top right corner and then Add Roles and Features from the menu.
  3. Click Next in the Add Roles and Features Wizard.
  4. On the Installation Type screen, select Role-based or feature-based installation and click Next.
  5. On the Server Selection screen, choose the server you intend to promote to a domain controller from the list and click Next.
  6. On the Server Roles screen, check Active Directory Domain Services. Click Add Features in the pop-up dialog box and then click Next on the Server Roles screen.
  7. On the Features screen, click Next to accept the default feature list.
  8. Read the notes on the AD DS screen and click Next.
  9. Click Install on the Confirmation screen and Close when the installation has completed.
Once the AD DS components are installed, you can use Server Manager to promote the local server to a domain controller. Look again in the top right corner of Server Manager and you should see a notification icon. Click the icon and you will see a post-deployment configuration task to promote the server to a domain controller.
You can also reach this post-deployment task by selecting AD DS in the left pane of Server Manager and then clicking More… on the yellow alert bar. Whichever way you start the task, you will be taken to the Active Directory Domain Services Configuration Wizard.

Configure a new AD forest:
  1. On the Deployment Configuration screen of the Active Directory Domain Services Configuration Wizard, select Add a new forest and then type the name of the root domain. In this example, I’m using ad.contoso.com. Click Next.
  2. On the Domain Controller Options screen, confirm the forest and domain functional levels, enter a Directory Services Restore Mode (DSRM) password and then click Next. The DSRM password is a local administrator password for this DC when it is booted into recovery mode, so choose a strong one and record it in your password vault; you will not be able to recover the directory without it.
  3. Click Next on the DNS Options screen. The warning about DNS delegation can be ignored unless you are integrating with an existing DNS infrastructure that has a parent zone to delegate from.
  4. On the Additional Options screen, confirm the assigned NetBIOS name for the domain and click Next.
  5. Confirm the directory paths and click Next.
  6. Check the selected options on the Review Options screen and click Next.
  7. Once the prerequisite checks have finished, click Install. The server reboots automatically when promotion completes.
After rebooting, Active Directory will be installed on the server and you will be able to access the directory via the AD tools that are accessible from the Tools menu in Server Manager.
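The two stages above as PowerShell, for anyone who would rather script the build than click through the wizard. This is an added example, not code from the original article: it assumes the article’s root domain name ad.contoso.com, a NetBIOS name of AD and Windows Server 2012 functional levels, and it prompts for the DSRM password instead of embedding it. The prerequisite check runs the same tests the wizard’s last screen does, so a failing check stops the promotion before anything changes.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on the server being promoted. Assumed values: ad.contoso.com (the
# article's example root domain), NetBIOS name AD, Win2012 functional levels.

# Stage 1: install the AD DS role plus its management tools (the "Add Roles and
# Features" wizard). Check the result object rather than assuming success.
$role = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
if (-not $role.Success) { throw "AD DS role install failed with exit code $($role.ExitCode)" }

# Stage 2: promote the server as the first DC of a new forest (the "Add a new
# forest" path of the configuration wizard). The DSRM password is a local
# administrator password for the DC in recovery mode: prompt for it, store it
# in your password vault, and never leave it in a script or a transcript.
Import-Module ADDSDeployment
$dsrm = Read-Host -Prompt 'DSRM (Directory Services Restore Mode) password' -AsSecureString

$params = @{
    DomainName                    = 'ad.contoso.com'
    DomainNetbiosName             = 'AD'
    ForestMode                    = 'Win2012'
    DomainMode                    = 'Win2012'
    InstallDns                    = $true
    CreateDnsDelegation           = $false   # the DNS Options screen: no parent zone to delegate from
    SafeModeAdministratorPassword = $dsrm
    # DatabasePath, LogPath and SysvolPath keep their defaults under C:\Windows,
    # matching the "Confirm the directory paths" step.
}

# The same prerequisite checks the wizard runs, without changing anything.
# Assumption: the result's Status property reads 'Success' when all checks pass.
$check = Test-ADDSForestInstallation @params
$check.Message
if ($check.Status -ne 'Success') { throw 'Prerequisite check failed; fix the messages above first' }

# Promote. -Force suppresses the confirmation prompt; the server reboots on completion.
Install-ADDSForest @params -Force

# After the reboot, confirm the forest from the new DC's own AD tools:
#   Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DomainMode
#   Get-ADForest | Select-Object RootDomain, ForestMode, GlobalCatalogs
```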

Use Active Directory Administrative Center to Create PowerShell Commands in Windows Server 2012

How can I use Active Directory Administrative Center (ADAC) in Windows Server 2012 to create PowerShell commands?

The PowerShell History Viewer is a new feature in the Windows Server 2012 Active Directory Administrative Center (ADAC). If you have never had a reason to use ADAC before because other AD management tools get the job done, this feature alone makes it worth taking a look.

Many system administrators still haven’t taken their first steps in learning PowerShell, Microsoft’s command-line management system for Windows. Windows administrators tend to be less well versed in command-line management than their UNIX counterparts, as the GUI is often easier to use for one-off tasks – and, let's face it, command line management hasn’t always been Microsoft’s strong point.
That all changed a few years ago with the introduction of PowerShell, a completely new command-line management system for managing every aspect of Windows configuration and third-party applications. PowerShell is much more sophisticated than previous command line tools on Windows, and as such it comes with a steep learning curve.
To help system administrators overcome some of the initial hurdles with PowerShell and encourage its use, Microsoft included the PowerShell History Viewer in ADAC. Much like the Exchange 2013 management tools, ADAC is a GUI that runs PowerShell commands in the background to perform the actual work, so everything you do in ADAC already has an associated PowerShell command, which can now be seen with the help of the History Viewer.

Using the PowerShell History Viewer in ADAC

Let’s have a look at how you can access the PowerShell commands used to drive ADAC. Log in to Windows Server 2012 and follow the steps below:
  • Switch to the Start screen and type Active Directory. At the top of the search results, you should see an icon for the Active Directory Administrative Center. Click the icon to start ADAC.
  • In the left pane of ADAC, click ad (local).
  • In the central pane, right-click the Users container and select New > User from the menu.
  • In the Create User dialog, add the details for a new AD user and click OK.
  • At the bottom of ADAC, click on the arrow at the far right of the WINDOWS POWERSHELL HISTORY bar to expand the history.
You’ll see the PowerShell commands used to create the new user above, plus any other commands used in previous ADAC sessions. You can copy these commands directly into the PowerShell console.
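An added example (not the article’s own code) of the kind of command the history pane reveals after the Create User dialog, tidied into a form you can paste into a script. It assumes the ad.contoso.com domain from the earlier article and a user named Jane Doe with logon name jdoe, both placeholders, and it prompts for the initial password instead of embedding it in the command.

```powershell
# Added example; assumed domain ad.contoso.com, assumed user Jane Doe / jdoe.
Import-Module ActiveDirectory
$initialPassword = Read-Host -Prompt 'Initial password for jdoe' -AsSecureString

# Roughly what ADAC runs for the Create User dialog: one New-ADUser call with
# the attributes from the form. The account is created enabled only because it
# is also forced to change its password at first logon.
New-ADUser -Name 'Jane Doe' -GivenName 'Jane' -Surname 'Doe' `
    -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@ad.contoso.com' `
    -Path 'CN=Users,DC=ad,DC=contoso,DC=com' `
    -AccountPassword $initialPassword -ChangePasswordAtLogon $true -Enabled $true

# Check what was actually created: pwdLastSet of 0 confirms the forced change.
Get-ADUser -Identity 'jdoe' -Properties pwdLastSet, whenCreated |
    Select-Object SamAccountName, Enabled, pwdLastSet, whenCreated
```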


How can I create an Active Directory site in Windows Server?

Active Directory gives system administrators the option to define sites, each consisting of one or more subnets. Sites are not necessary in every AD deployment, but they are useful when you have geographically dispersed offices separated by slow wide area network (WAN) links. If the links between offices have plenty of bandwidth, so that Active Directory can replicate in a timely fashion, you may not need to create sites at all.

The design of an AD site topology depends on many factors, including network link speed, the number of objects in each domain, and the amount of non-AD traffic flowing over your WAN links. This article is not intended to be a best-practices document, and you should refer to Microsoft TechNet for more information on AD design.

Why Create AD Sites?

If you have slow network links between offices and need to control AD replication, sites can provide a way to improve reliability. Client PCs will also be able to find a domain controller that is physically close to them for logon. And other applications that rely on AD, such as Exchange Server, can use site topology information to locate services that are close by.

Create a site in Active Directory

Log in to Windows Server 2012 with a domain administrator account from the forest root domain, or as an Enterprise Administrator.

Rename the default first site

There is always at least one site in AD. Until you create or rename sites, the only one is Default-First-Site-Name, and every domain controller belongs to it.
  • Open Server Manager from the Windows Server 2012 Start screen, or using the icon on the desktop Taskbar.
  • Select Active Directory Sites and Services from the Tools menu in Server Manager.
  • In the left pane of the Active Directory Sites and Services management console, expand Sites.

Assuming you’ve never configured AD sites in your domain before, you’ll see the default first site.
  • Right-click Default-First-Site-Name and select Rename from the menu.
  • Give the site a meaningful name and press Enter.
If you expand the site and the Servers folder, you should see a list of the domain controllers in your domain.

Add additional sites

Now that you’ve renamed the first default site, it’s time to add more sites.
  • Right-click the Sites folder in the left pane and select New Site from the menu.
  • In the New Object – Site window, give the new site a name, click DEFAULTIPSITELINK and then OK.
You’ll see a message telling you to add at least one subnet to the site; and to either install a minimum of one domain controller (DC) in the site or move an existing DC to the new site. Don’t forget you should also have at least one Global Catalog (GC) server in each site.
The DEFAULTIPSITELINK represents the WAN link between my two sites. Depending on the topology of your network and the number of sites, you may need to create additional site links. A site link lets you set the cost (whether this link should be preferred over a slower one), the replication frequency and the replication schedule.

Add subnets

AD sites aren’t much use without subnets, so now let’s add some subnets and assign them to our sites.
  • Right-click the Subnets folder under Sites and select New Subnet from the menu.
  • In the New Object – Subnet window, add a subnet. In this example, the subnet I’m adding is 10.160.0.0 with a subnet mask of 255.255.0.0. So in the Prefix box I need to type 10.160.0.0/16. If you’re not sure how to write the prefix, you can use a subnet calculator to help you out.
  • In the Select a site object for this prefix box, I’m going to select my default Washington site. Now click OK.
You can add more than one subnet to an AD site.
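The same site, site link and subnet work as PowerShell, run as an Enterprise Admin with the AD module loaded. This is an added example rather than the article’s code; it assumes the article’s renamed default site Washington and its 10.160.0.0/16 subnet, plus a constructed second site NewYork with a constructed 10.170.0.0/16 subnet. The checks at the end are the ones worth running after any site change: every DC placed in a site, a Global Catalog in each site, and no clients arriving from subnets that map to no site (the DC locator logs those as NO_CLIENT_SITE in netlogon.log on each DC, and such clients may authenticate against a DC on the far side of the WAN).

```powershell
# Added example, not the article's code. Assumed names: Washington (the renamed
# default site), a second site NewYork, the article's 10.160.0.0/16 subnet and
# a constructed 10.170.0.0/16 for the second site.
Import-Module ActiveDirectory

# Rename Default-First-Site-Name. Site objects live in the Configuration
# partition, so Rename-ADObject needs the object's distinguished name.
$default = Get-ADReplicationSite -Identity 'Default-First-Site-Name' -ErrorAction SilentlyContinue
if ($default) { Rename-ADObject -Identity $default.DistinguishedName -NewName 'Washington' }

# Add the second site and put it on DEFAULTIPSITELINK, as the New Object - Site
# dialog does; then set the link's cost and replication interval explicitly
# instead of living with the defaults (cost 100, every 180 minutes).
New-ADReplicationSite -Name 'NewYork'
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Add = 'NewYork' } `
    -Cost 100 -ReplicationFrequencyInMinutes 60

# Subnets in prefix notation, each tied to a site.
New-ADReplicationSubnet -Name '10.160.0.0/16' -Site 'Washington'
New-ADReplicationSubnet -Name '10.170.0.0/16' -Site 'NewYork'

# Checks: every DC in a site and a GC per site; every subnet mapped; and the
# last few clients the locator could not place in any site.
Get-ADDomainController -Filter * | Select-Object Name, Site, IsGlobalCatalog
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Select-String -Path "$env:SystemRoot\debug\netlogon.log" -Pattern 'NO_CLIENT_SITE' -ErrorAction SilentlyContinue |
    Select-Object -Last 5
```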

How to Integrate Microsoft Lync 2010 with BlackBerry Enterprise Server (BES)

Do you have Lync 2010 and BES servers running in your enterprise? Did you know there is a Lync app for BlackBerry devices? Integrating Lync Instant Messaging (IM) with your BES server will give your users the ability to have Lync IM sessions while they are on the go.

Overview of the BES Collaboration Service

The Lync IM integration with BES is provided by installing the BlackBerry Collaboration Service. This service can be installed on your existing BES server or on a separate server dedicated to the BlackBerry Collaboration Service. A dedicated server maximizes the TCP connections available to the service, so it can keep up with any increase in requests. The service creates an encrypted connection between your Lync server and the Lync app on the BlackBerry device. When a user starts an IM session, the device sends the encrypted message to the BlackBerry Collaboration Service on port 8181; after the service validates the user against the Lync server and AD, it relays the message to the Lync server.
For environments with both BES 10.1 and BES 5, you will unfortunately need to install two different versions of the BlackBerry Collaboration Service, because the new version has limited support for older devices. BlackBerry Collaboration Service 10.1 only supports devices running BlackBerry OS 10 or later, so for older devices you will need BlackBerry Collaboration Service 5.0.4. The following features are available on BlackBerry devices once integrated with Lync:
  • Initiate and manage IM sessions on the BlackBerry device
  • Search the Lync contacts list
  • Manage contacts and contact groups
  • Send email messages to Enterprise IM contacts or conversation participants
  • View the presence of contacts and the conversation history in the Enterprise IM app
  • Email conversations to themselves and to their contacts

Install on the BlackBerry Collaboration Service Server: Prerequisites

There are a few requirements that need to be met before any installation or configuration of the BlackBerry Collaboration Service can begin. Prepare them in the following order on the BlackBerry Collaboration Service server.
  1. Add the service account that runs the BlackBerry Collaboration Service to the RTCUniversalServerAdmins group if you plan to use automatic provisioning of the service within AD, or to the RTCComponentUniversalServices group if you will provision it manually. RTCUniversalServerAdmins is a Lync administrative group, so prefer manual provisioning unless you have a reason to grant the service account that level of access.
  2. Install the Microsoft SQL Server Native Client (sqlncli_x64.msi).
  3. Download the Microsoft Unified Communications Managed API 2.0 Core Redist, 64-bit.
  4. Using Server Manager, enable Microsoft .NET Framework 3.5 SP1.
  5. Locate and install the following files from the Microsoft Lync Server 2010 installation media:
    • Microsoft Visual C++ 2008 Redistributable Package (vcredist_x64.exe)
    • Microsoft SQL Server Native Client (sqlncli_x64.msi), if it was not already installed in step 2
  6. Install ucmaredist.msi from the Microsoft Unified Communications Managed API 2.0 Core Redist 64-bit package downloaded in step 3.
  7. Install ocscore.msi from the Microsoft Office Communications Server 2007 R2 Core Components.
  8. Install a web server certificate with the following properties in the Personal certificate store of the local computer account:
    • Subject name = FQDN of your Lync Server pool
    • Subject alternative names = FQDN of your Lync Server pool and the FQDN of the server that hosts the BlackBerry Collaboration Service
    • Friendly name = OCSConnector
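Before running setup, it is worth checking prerequisites 1 and 8 with a script rather than by eye, because a certificate whose subject alternative names are wrong, or whose private key is missing, only shows up later as a failed connection to the pool. This is an added example, not from the article; the service account name BESadmin and the pool FQDN lyncpool.ad.contoso.com are placeholders, and it reads the SAN extension itself instead of trusting the friendly name.

```powershell
# Added example, not from the article. Run on the server that will host the
# BlackBerry Collaboration Service. Placeholders: service account BESadmin,
# Lync pool FQDN lyncpool.ad.contoso.com.
Import-Module ActiveDirectory
$serviceAccount = 'BESadmin'
$poolFqdn       = 'lyncpool.ad.contoso.com'
$localFqdn      = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Prerequisite 1. RTCUniversalServerAdmins is a Lync administrative group, so
# this uses RTCComponentUniversalServices (manual provisioning) unless automatic
# provisioning is a hard requirement.
$group   = 'RTCComponentUniversalServices'
$members = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName
if ($serviceAccount -notin $members) { Add-ADGroupMember -Identity $group -Members $serviceAccount }

# Prerequisite 8. Find the OCSConnector certificate in the local machine's
# Personal store and check subject, SANs, private key and validity. The SAN
# list is read from the extension itself (OID 2.5.29.17).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq 'OCSConnector' } | Select-Object -First 1
if (-not $cert) { throw 'No certificate with friendly name OCSConnector in LocalMachine\My' }

$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$san    = if ($sanExt) { $sanExt.Format($true) } else { '' }
$problems = @()
if ($cert.Subject -notmatch ('(^|,\s*)CN=' + [regex]::Escape($poolFqdn) + '(,|$)')) {
    $problems += 'Subject CN is not the pool FQDN'
}
foreach ($name in @($poolFqdn, $localFqdn)) {
    if ($san -notmatch [regex]::Escape($name)) { $problems += "SAN is missing $name" }
}
if (-not $cert.HasPrivateKey)                  { $problems += 'Certificate has no private key' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "Certificate expires $($cert.NotAfter)" }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { 'OCSConnector certificate meets the prerequisite' }
```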

Install the BlackBerry Collaboration Service

After all the prerequisites have been completed you can continue with installing the BlackBerry Collaboration Service, either on the same server as your current BES server or on a separate server.
  • Log on to the server on which you will be installing the component, using the service account that installed the BES server (typically BESadmin). If this is the same server as your BES server, stop all the BES services. If you are on a separate server, stop all the BES services on your BES server.
  • Run the BES installation files for the version you are going to install (for example, BlackBerry Collaboration Service 10.1.0).
  • During setup, select Use existing configuration database.
  • You will be prompted to verify your database name and database server.
During the setup options, select the BlackBerry Collaboration Service component and provide the Lync details:
  • Select Lync server as the Instant Messaging Server type
  • Type the name of your Lync server in the HOST field
  • Type the FQDN of the Lync pool
  • Type the port number
  • You may be prompted to restart the server. Click OK.
  • Log back in to the server using the BESadmin account and finalize the installation. You will need to restart all BES services.
  • If you added the BES service account to the RTCUniversalServerAdmins group, the BlackBerry Collaboration Service is automatically provisioned as a trusted application in Lync; otherwise provision it manually.

Deploy the Enterprise Instant Message Client

You have now completed the installation of the BlackBerry Collaboration Service, which means you can publish the Enterprise IM app.
  • Select the zip file that you placed on the shared drive, upload it to the BDS and publish the application.
  • Go back to Software. Select Create a Software Configuration, enter a name for the configuration and click Save.
  • Click the new software configuration you just made, select the Applications tab and then select Edit.
  • Click Add applications to software configuration, select the Enterprise Instant Messaging app you just published and click Save.
  • To deploy the app, assign the software configuration to a group or to users.
  • After deploying the software configuration, go to the device’s work partition and open BlackBerry World.
  • Click Company apps and select the Enterprise IM app to download and install it on the device.
  • Once it is installed, users can log in to the IM server with their Lync credentials.

Excel Password Recovery Instructions (.xls)

Often when an employee departs, they take important Excel passwords with them. This guide outlines how to use a simple Excel password recovery application to crack lost or forgotten passwords, allowing you to unlock password-protected Microsoft Excel documents as quickly as possible.

Step 1: Download and Install the Office Password Recovery Utility

To perform the following recovery steps, you’ll need to download Office Password Recovery Pro (2.1 MB).
(Please note: the full version of this software requires the purchase of a 5-use license.)
Once you've downloaded the program, run the install with the default options.

Step 2: Navigate to the Protected File and Begin the Recovery Process

Click the Open button on the top left and navigate to the protected spreadsheet file. The Open button launches the Recovery Wizard.
The Wizard gives you the option of simply decrypting the spreadsheet (that is, removing the password protection entirely) or displaying the original document password.

Recovery Option 1: 100% Instant Document Decryption

This option is the quickest way to access your file, but it strips all password protection from the document, so you will need to set up password protection again if you want to lock it down in the future.
With this option, the application contacts Password Solutions’ server to identify the type of encryption used on the file and to pick a decryption method for removing the password from the Excel workbook. Before using this option on a workbook that holds sensitive data, confirm with the vendor exactly what the application sends to that server; anything that leaves your network should be treated as disclosed.
When prompted, choose where you’d like to save the unlocked, decrypted version and hit OK.
Success! The program now offers to open your unlocked document automatically.

Recovery Option 2: 'Recover the Password to Open'

If the document is password-protected and you’d like to recover the original password (perhaps for use in opening other Office documents), select Recover the Password to Open.
You’ll then be asked a couple of questions to aid in determining the password scheme. These narrow the application’s search for possible matches, but they are not required.
If you don’t have any idea, simply leave all the default selections, press the Next button twice and then click Finish.
Office Password Recovery then starts attempting to crack the password using a number of built-in ‘attack schemes’ and millions of unique password combinations.
Once your password has been recovered, the program clearly notifies you of the result.
Note: even the passwords on individual sheets within your Excel workbook are recovered, giving you complete access across the entire workbook. Sheet and workbook-structure protection in .xls files is a weak 16-bit hash rather than encryption, which is why it falls almost instantly; it prevents accidental edits, not determined access, and should never be relied on as a security control.
If you’re stuck and just can’t find that password, we highly recommend downloading Office Password Recovery Pro and running through these steps.

How a Cisco Switch functions on an Ethernet network

Many of us use switches every day but never really think about how they work. Whether you are studying to become a CCNA or just want to learn more about how a switch really functions, this article is for you.

Hubs vs. Switches

Prior to switches, Hubs were the standard for connecting devices on a local area network (LAN). The problem with hubs was that everything that went through them had to share the bandwidth of the link, bandwidth was wasted because all traffic was sent to all devices, and there were a lot of collisions because the hub didn’t do anything to prevent them. A switch fixes these problems.

What do switches do?

Here are some facts about switches that you should know:
  • Switches work at Layer 2 of the OSI model, not Layer 1 like a hub
  • Switches switch Ethernet frames
  • A Layer 2 switch does not look at IP address information, only at Ethernet MAC addresses
  • A switch keeps a table of the MAC addresses it has seen and the port each one was seen on (this table is called the bridge forwarding table or CAM table)
  • A switch only sends traffic to the port where the destination device is, saving bandwidth
  • Each device connected to the switch gets the full bandwidth of its switch port; on a full-duplex link every port is its own collision domain, so there are no collisions

Flooding

Now that you know the switch has a bridge forwarding table and uses it to send traffic intelligently, a common question is, “what if the destination MAC address of a frame the switch receives is not in the bridge forwarding table?” What does the switch do with that Ethernet frame? The answer is that the switch floods the frame out of every port except the one it arrived on. The switch learns from source addresses, not from replies as such: when the destination device sends any frame of its own (the reply, typically), the switch records that device’s MAC address and port in the bridge forwarding table, and from then on it no longer has to flood traffic for that address.
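A small model of the learning and flooding rules just described, written as an added example rather than anything from Cisco or the article, with constructed MAC addresses and a deliberately tiny table. The last part shows the caveat the article leaves out: once the table is full, new hosts are never learned and their traffic keeps being flooded to every port, which is why access ports normally get a MAC-address limit (port security).

```powershell
# Added example, not Cisco code: a model of learning and flooding with
# constructed MAC addresses and a tiny table to show what happens when it fills.
function New-SwitchModel {
    param([string[]]$Ports, [int]$TableSize = 4)
    [pscustomobject]@{ Ports = $Ports; Table = @{}; TableSize = $TableSize }
}

function Receive-Frame {
    param($Switch, [string]$InPort, [string]$SrcMac, [string]$DstMac)
    # Learn: the source MAC of every frame is recorded against its ingress port
    # while the table has room (a real switch also ages entries out; 300 s is
    # the Cisco default).
    if ($Switch.Table.ContainsKey($SrcMac) -or $Switch.Table.Count -lt $Switch.TableSize) {
        $Switch.Table[$SrcMac] = $InPort
    }
    # Forward: known unicast goes out one port; broadcast and unknown unicast
    # are flooded out every port except the one the frame came in on.
    if ($DstMac -ne 'ff:ff:ff:ff:ff:ff' -and $Switch.Table.ContainsKey($DstMac)) {
        return @($Switch.Table[$DstMac])
    }
    return @($Switch.Ports | Where-Object { $_ -ne $InPort })
}

$sw = New-SwitchModel -Ports 'Fa0/1', 'Fa0/2', 'Fa0/3', 'Fa0/4'
$a = 'aa:aa:aa:aa:aa:01'; $b = 'bb:bb:bb:bb:bb:02'

# A talks to B before B has sent anything: flooded out Fa0/2, Fa0/3 and Fa0/4.
Receive-Frame $sw 'Fa0/1' $a $b
# B replies: B is learned on Fa0/2, and A's next frame goes to Fa0/2 only.
Receive-Frame $sw 'Fa0/2' $b $a
Receive-Frame $sw 'Fa0/1' $a $b

# A host on Fa0/3 sends frames from many made-up source MACs. The table fills,
# so the later ones are never learned; traffic to them is flooded everywhere.
1..20 | ForEach-Object {
    Receive-Frame $sw 'Fa0/3' ('cc:cc:cc:cc:cc:{0:x2}' -f $_) 'ff:ff:ff:ff:ff:ff' | Out-Null
}
"Entries learned: $($sw.Table.Count) of $($sw.TableSize)"
```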

Bridge forwarding table

To see the bridge forwarding table on a Cisco switch, just type show mac-address-table, like this:

Port speed & Duplex

Of particular importance when it comes to switches are port speed and duplex. The speed of a port can be set to 10, 100 or 1000 Mb/s (1 Gb/s), or to auto-negotiate, depending on what the switch and the connected device support. Most switch ports and devices use auto-negotiation to find the best speed and duplex available. However, this doesn’t always work. Some devices have trouble with it and you may have to go into the switch and hard-code the speed or duplex.
Speaking of duplex, what is duplex? Duplex is set to either half, full, or is auto-negotiated. On a half-duplex connection only one device can send or receive at a time. On a full-duplex connection both devices can send and receive at the same time.
Thus, on a 100 Mb/s half-duplex connection, only sending at 100 Mb/s OR receiving at 100 Mb/s can happen at any one moment. On a 100 Mb/s full-duplex connection you can effectively get 200 Mb/s out of the link, because you can be sending 100 Mb/s and receiving 100 Mb/s at the same time.


Here is how you see the current speed and duplex of a switch port using the show interface command:
Many administrators hard-code the port speed and duplex on server ports to take auto-negotiation out of the picture. You don’t want your switch to reboot one night and, in the morning, find the email server connected at 10 Mb/s half duplex. You want the email server to run at 1 Gb/s full duplex (for example) or not at all. If you do hard-code a port, set both ends of the link identically: a hard-coded port facing an auto-negotiating one causes a duplex mismatch, because the auto side falls back to half duplex when it gets no negotiation, and the link then stays up but loses frames and performs badly. On gigabit links, leaving auto-negotiation on at both ends is the normal choice.

Types of Switches

There are a number of different types of switches. You can buy a “dumb” switch for about $10 these days. It has no manageability and probably only 4-8 ports. From there, you can go up to an unmanaged 24 or 48 port switch.
However, most business users prefer a managed switch so that you can get statistics on switch traffic, see your bridge forwarding table, troubleshoot connections, and hard-code port speeds and duplex.
There are many brands of managed switches including, of course, Cisco. These managed switches come in sizes from just a few ports, all the way up to over 96 ports. You can even buy chassis-based switches, costing tens of thousands of dollars, like a Cisco Catalyst 6500 series switch. The chassis-based switches can have blades (cards) that perform not just switching but also routing, intrusion detection, and other services.
Another type of switch is called a Layer 3 switch. A Layer 3 switch is a switch that also has the routing functionality of a router, but no WAN ports. Layer 3 switches are used primarily when a large company wants to use VLANs to segregate its network into logical networks and needs to route between them at LAN speed.

How to Setup VLAN Trunking Protocol (VTP) on Cisco Switches

In our last article about VLANs (see What is a VLAN? How to Setup a VLAN on a Cisco Switch), we learned how VLANs provide greater performance and security for your LAN. Unfortunately, if you have more than a couple of switches, configuring VLANs can be a real pain. To make life easier, Cisco developed VLAN Trunking Protocol (VTP). Let’s find out what VTP can do for you.

How can VTP help me?

Say that you have 20 switches in your large office building. On each of these switches, you have four VLAN’s. Without VTP, you have to create each of these four VLANs on each of these switches. With VTP, you only have to create the four VLANs once, on one switch, and all other switches learn about the four VLANs.
In other words, the job of VTP is to distribute VLAN configuration information between all the switches.

How does it work?

The job of VTP is best explained from the perspective of the VTP server. All switches, by default, are VTP servers. The VTP server is where you would create, remove, or modify VLANs.
The VTP server sends a summary advertisement across the domain every 5 minutes, and an advertisement immediately whenever a change is made to the VLAN database. An advertisement carries the VTP domain name, a configuration revision number and the VLAN database (VLAN numbers, names and parameters); it does not carry which switches have ports in which VLANs. Whenever a switch receives an advertisement with a larger revision number than the one it currently holds, it replaces its VLAN database with the advertised one.
Keep in mind that VTP is a Cisco proprietary protocol. So, to use VTP between your switches, you must have all Cisco switches.

VTP Modes

VTP switches can be in three different modes. Those modes are:
  • Server – the default where all VLAN adds, changes, and removals are allowed
  • Client – where no changes can be made, only new revisions can be received from the VTP server switches.
  • Transparent – where local VLAN information can be changed but that information is not sent out to other switches. Transparent switches also do not apply VTP advertisements from other switches but they do forward those advertisements on.
Usually, you would want a few of your core switches to be servers and all remaining remote or access layer switches to be clients. You would only make changes on the server switches and those changes would be propagated to the client switches. Be aware that a switch in server mode applies a higher-revision advertisement just as a client does, so a switch that was once part of the domain and comes back with a higher revision number (a lab switch, or a spare that was moved between sites) can overwrite the VLAN database of every switch in the domain, with ports in the deleted VLANs going inactive. Before connecting a switch, check its revision number with show vtp status; setting a different VTP domain name, or switching it to transparent mode and back, resets the revision to 0.

What about pruning?

VTP pruning stops a switch from sending flooded traffic for a VLAN (broadcasts, multicasts and unknown unicast) across a trunk to a neighbouring switch that has no active ports in that VLAN. Each switch tells its trunk neighbours, in VTP join messages, which VLANs it actually has ports in, so the sending switch knows which VLANs it can prune from each trunk.

Pruning saves LAN bandwidth because broadcasts don’t have to be sent to switches that don’t need them.

How do you configure VTP?

To configure VTP, you use the vtp global configuration mode command. With this command you can specify the following:
  • VTP domain – the name of the VTP domain. All switches communicating with VTP in the same domain, must have the same VTP domain name.
  • VTP mode – either server, client, or transparent
  • VTP password – a shared secret. Switches include an MD5 digest of it in their advertisements and ignore advertisements whose digest does not match, so a switch with the wrong password can neither push VLAN changes into the domain nor accept them from it.
  • VTP pruning – VTP pruning is either turned on or off
Here is a sample configuration:
To see what is going on with VTP, you can use show vtp status, like this:
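A model of how a switch decides whether to apply a VTP advertisement, following the domain, password, mode and revision-number rules above. This is an added example with constructed switches and advertisements, not Cisco code or anything from the article. The IOS commands the bullets refer to are noted in the comments. The scenario is the one that bites in practice: a lab switch in server mode with a higher revision number rejoins the domain and wipes the production VLANs off a client, while the same advertisement bounces off a switch with a different password or in transparent mode.

```powershell
# Added example, not Cisco code: a model of VTP advertisement handling with
# constructed switches and advertisements.
# The IOS commands behind the bullets above, for reference:
#   vtp domain CORP        vtp mode client        vtp password S3cret        vtp pruning
function Receive-VtpAdvertisement {
    param($Switch, $Adv)
    if ($Switch.Mode -eq 'transparent') { return 'forwarded only; a transparent switch keeps its own VLANs' }
    if ($Adv.Domain -ne $Switch.Domain)     { return 'ignored: VTP domain name differs' }
    if ($Adv.Password -ne $Switch.Password) { return 'ignored: password digest does not match' }
    if ($Adv.Revision -le $Switch.Revision) { return "ignored: revision $($Adv.Revision) is not newer than $($Switch.Revision)" }
    # A higher revision wins, in server mode as well as client mode.
    $Switch.Revision = $Adv.Revision
    $Switch.Vlans    = $Adv.Vlans
    return "applied: now at revision $($Switch.Revision) with VLANs $($Switch.Vlans -join ',')"
}

# A production access switch, and the advertisement from a returning lab switch
# that was set up in the same domain with the same password, then reconfigured
# many times (revision 57) and left with only VLAN 1.
$access = [pscustomobject]@{ Name = 'access-1'; Domain = 'CORP'; Mode = 'client';
                             Password = 'S3cret'; Revision = 12; Vlans = @(1, 10, 20, 30, 40) }
$labAdv = @{ Domain = 'CORP'; Password = 'S3cret'; Revision = 57; Vlans = @(1) }
Receive-VtpAdvertisement $access $labAdv     # applied: VLANs 10-40 are gone from access-1

# The same advertisement with the wrong password changes nothing.
$access2 = [pscustomobject]@{ Name = 'access-2'; Domain = 'CORP'; Mode = 'client';
                              Password = 'S3cret'; Revision = 12; Vlans = @(1, 10, 20, 30, 40) }
Receive-VtpAdvertisement $access2 @{ Domain = 'CORP'; Password = 'wrong'; Revision = 57; Vlans = @(1) }

# A transparent switch forwards it but keeps its own database.
$edge = [pscustomobject]@{ Name = 'edge'; Domain = 'CORP'; Mode = 'transparent';
                           Password = 'S3cret'; Revision = 0; Vlans = @(1, 50) }
Receive-VtpAdvertisement $edge $labAdv
```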

Article Summary

In summary, here is what we have learned:
  • VTP is used to distribute VLAN configuration information between switches
  • VTP is Cisco proprietary and can only be used on Cisco switches.
  • By using VTP, you can also prune your VLANs, saving bandwidth
  • The command to configure VTP is the global configuration mode command, vtp
  • The command to check status is the privileged mode command, show vtp status

What is a VLAN? How to Setup a VLAN on a Cisco Switch

Have you ever wondered what a Virtual LAN (or VLAN) is or been unclear as to why you would want one? If so, I have been in your place at one time too. Since then, I have learned a lot about what a VLAN is and how it can help me. In this article, I will share that knowledge with you.

What is a LAN?

Okay, most of you already know what a LAN is but let’s give it a definition to make sure. We have to do this because, if you don’t know what a LAN is, you can’t understand what a VLAN is.
A LAN is a local area network and is defined as all devices in the same broadcast domain. If you remember, routers stop broadcasts, switches just forward them.

What is a VLAN?

As I said, a VLAN is a virtual LAN. In technical terms, a VLAN is a broadcast domain created by switches. Normally, it is a router creating that broadcast domain. With VLAN’s, a switch can create the broadcast domain.
This works by you, the administrator, putting some switch ports in a VLAN other than VLAN 1, the default. All ports in a single VLAN are in a single broadcast domain.
Because switches can talk to each other, some ports on switch A can be in VLAN 10 and other ports on switch B can be in VLAN 10. Broadcasts between these devices will not be seen on any other port in any other VLAN, other than 10. However, these devices can all communicate because they are on the same VLAN. Without additional configuration, they would not be able to communicate with any other devices, not in their VLAN.

Are VLANs required?

It is important to point out that you don’t have to configure a VLAN until your network gets so large and has so much traffic that you need one. Many times, people are simply using VLAN’s because the network they are working on was already using them.
Another important fact is that, on a Cisco switch, VLAN’s are enabled by default and ALL devices are already in a VLAN. The VLAN that all devices are already in is VLAN 1. So, by default, you can just use all the ports on a switch and all devices will be able to talk to one another.

When do I need a VLAN?

You need to consider using VLAN’s in any of the following situations:
  • You have more than 200 devices on your LAN
  • You have a lot of broadcast traffic on your LAN
  • Groups of users need more security, or are being slowed down by too many broadcasts
  • Groups of devices should share a broadcast domain because they run the same application. A company with VoIP phones is the usual example: the phones go in a voice VLAN of their own, separate from the VLAN the regular users are in.
  • Or, just to make a single switch into multiple virtual switches.

Why not just subnet my network?

A common question is why not just subnet the network instead of using VLANs? Each VLAN should be in its own subnet anyway. The benefit a VLAN provides over plain subnetting is that devices in different physical locations, connected to different switches and not cabled back to the same router interface, can still be on the same network. The limitation of subnetting with a router alone is that all devices on a subnet must hang off the same switch, and that switch must connect to a port on the router.

With a VLAN, one device can be connected to one switch, another device can be connected to another switch, and those devices can still be on the same VLAN (broadcast domain).

How can devices on different VLANs communicate?

Devices on different VLANs can communicate through a router or a Layer 3 switch. As each VLAN is its own subnet, a router or Layer 3 switch must be used to route between the subnets.

What is a trunk port?

When there is a link between two switches, or between a router and a switch, that carries the traffic of more than one VLAN, that port is a trunk port.
A trunk port must run a special trunking protocol. The protocol used would be Cisco’s proprietary Inter-Switch Link (ISL) or the IEEE standard 802.1Q.

How do I create a VLAN?

Configuring VLANs can vary even between different models of Cisco switches. Your goals, no matter what the commands are, are to:
  • Create the new VLANs
  • Put each port in the proper VLAN
Let’s say we wanted to create VLANs 5 and 10. We want to put ports 2 and 3 in VLAN 5 (Marketing) and ports 4 and 5 in VLAN 10 (Human Resources). On a Cisco 2950 switch, here is how you would do it:
At this point, only ports 2 and 3 should be able to communicate with each other, and ports 4 and 5 should be able to communicate with each other. That is because each pair of ports is in its own VLAN. For the device on port 2 to communicate with the device on port 4, you would have to configure a trunk port to a router so that the router can strip off the VLAN information, route the packet, and add the VLAN information back.
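To make the mechanics of the above concrete, here is a small Python model written as an added example for this page (it is not code from the original article and not Cisco's own behaviour). It builds 802.1Q tagged frames, keeps a per-port VLAN table with ports 2 and 3 in VLAN 5 and ports 4 and 5 in VLAN 10 as in the Cisco 2950 scenario, shows that a broadcast from port 2 never reaches ports 4 or 5, and then walks a packet from VLAN 5 to VLAN 10 through a router on the trunk that strips the tag, routes on the destination address and re-tags the frame. The trunk port number (24), the MAC addresses and the subnets 10.0.5.0/24 and 10.0.10.0/24 are constructed for the demo.

```python
# Added example (not from the article or from Cisco): a small model of 802.1Q
# tagging, per-port VLAN membership and inter-VLAN routing. Ports 2-3 / VLAN 5
# and ports 4-5 / VLAN 10 follow the text; the trunk port number (24), the MAC
# addresses and the subnets are constructed for this demo.
import ipaddress
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
BROADCAST = b"\xff" * 6

def build_frame(dst, src, ethertype, payload):
    """Untagged Ethernet II frame: dst MAC(6) src MAC(6) EtherType(2) payload."""
    return dst + src + struct.pack("!H", ethertype) + payload

def add_tag(frame, vlan_id, pcp=0):
    """Insert the 4-byte 802.1Q tag (TPID + TCI) right after the source MAC."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | vlan_id      # 3 priority bits + 12-bit VID, DEI clear
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse_tag(frame):
    """Return (vlan_id, pcp, untagged_frame); vlan_id is None if there is no tag."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, tci >> 13, frame[:12] + frame[16:]

def ipv4_header(src_ip, dst_ip):
    """Minimal 20-byte IPv4 header (checksum left 0); destination at bytes 16..20."""
    fixed = bytes([0x45, 0]) + struct.pack("!HHHBBH", 20, 0, 0, 64, 1, 0)
    return fixed + ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed

class Switch:
    """Access ports belong to exactly one VLAN (untagged); trunk ports carry tags."""
    def __init__(self, access_ports, trunk_ports):
        self.access = dict(access_ports)     # port number -> VLAN id
        self.trunk = set(trunk_ports)

    def classify(self, port, frame):
        """Decide which VLAN an incoming frame belongs to and strip any tag."""
        vid, _pcp, untagged = parse_tag(frame)
        if port in self.trunk:
            if vid is None:
                raise ValueError("untagged frame on trunk (this model has no native VLAN)")
            return vid, untagged
        if vid is not None:
            raise ValueError("tagged frame on an access port is dropped")
        return self.access[port], untagged

    def flood(self, in_port, frame):
        """Broadcast / unknown-unicast flooding never leaves the VLAN.
        Returns {out_port: frame as transmitted}; trunks get the frame re-tagged."""
        vid, untagged = self.classify(in_port, frame)
        out = {p: untagged for p, pvid in self.access.items()
               if p != in_port and pvid == vid}
        out.update({p: add_tag(untagged, vid) for p in self.trunk if p != in_port})
        return out

class Router:
    """Router on the trunk: strip the tag, pick the VLAN by destination subnet, re-tag."""
    def __init__(self, vlan_subnets):
        self.subnets = {vid: ipaddress.ip_network(net) for vid, net in vlan_subnets.items()}

    def relay(self, tagged_frame):
        """Return the frame tagged for the destination VLAN, or None if unroutable."""
        vid, _pcp, untagged = parse_tag(tagged_frame)
        if vid is None or struct.unpack("!H", untagged[12:14])[0] != ETHERTYPE_IPV4:
            return None
        dst_ip = ipaddress.IPv4Address(untagged[14 + 16:14 + 20])   # IP header dst field
        for out_vid, net in self.subnets.items():
            if dst_ip in net and out_vid != vid:
                return add_tag(untagged, out_vid)
        return None

def demo():
    """The two cases from the text: a broadcast inside VLAN 5, and a packet from
    VLAN 5 to VLAN 10 that has to go out the trunk and through the router."""
    sw = Switch(access_ports={2: 5, 3: 5, 4: 10, 5: 10}, trunk_ports=[24])
    rtr = Router({5: "10.0.5.0/24", 10: "10.0.10.0/24"})
    host_a = bytes.fromhex("020000000002")               # constructed MAC on port 2
    host_b = bytes.fromhex("020000000004")               # constructed MAC on port 4
    # Case 1: ARP broadcast from port 2 reaches port 3 untagged and the trunk tagged 5;
    # ports 4 and 5 (VLAN 10) never see it.
    arp = build_frame(BROADCAST, host_a, 0x0806, b"who-has 10.0.5.3")
    flooded = sw.flood(2, arp)
    # Case 2: host A addresses 10.0.10.4 (VLAN 10). The switch cannot bridge across
    # VLANs, so the frame leaves on the trunk; the router strips the tag, routes,
    # re-tags for VLAN 10, and the switch delivers it untagged to ports 4 and 5.
    pkt = build_frame(host_b, host_a, ETHERTYPE_IPV4, ipv4_header("10.0.5.2", "10.0.10.4"))
    over_trunk = sw.flood(2, pkt)[24]
    from_router = rtr.relay(over_trunk)
    delivered = sw.flood(24, from_router)
    return flooded, delivered
```

Two details worth noticing when running `demo()`: the whole VLAN "information" is a 4-byte tag inserted after the source MAC, and membership is decided per port by the switch, not by anything the host sends. The model deliberately drops tagged frames arriving on access ports and untagged frames arriving on the trunk; a real switch with a native VLAN accepts the latter, which is why trunks are configured explicitly rather than left at defaults.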

What do VLAN’s offer?

VLANs offer higher performance for medium and large LANs because they limit broadcasts. As the amount of traffic and the number of devices grow, so does the number of broadcast packets. By using VLANs you are containing broadcasts.
VLANs also provide security because you are essentially putting one group of devices, in one VLAN, on their own network.

Article Summary

Here is what we have learned:
  • A VLAN is a broadcast domain formed by switches
  • Administrators must create the VLANs and then manually assign each port to a VLAN.
  • VLANs provide better performance for medium and large LANs.
  • All devices, by default, are in VLAN 1.
  • A trunk port is a special port that runs ISL or 802.1Q so that it can carry traffic from more than one VLAN.
  • For devices in different VLANs to communicate, you must use a router or Layer 3 switch.
  • Even if you've worked on Cisco networks for a while, be sure to check out TrainSignal's

How To Create Additional Domain Controller (ADC) In Windows Server 2008

Before installing the first Windows Server 2008 R2 domain controller (DC) into an existing Windows 2000, Windows Server 2003 or Windows Server 2008 domain, you must prepare the AD forest and domain. You do so by running a tool called ADPREP.

ADPREP extends the Active Directory schema and updates permissions as necessary to prepare a forest and domain for a domain controller that runs the Windows Server 2008 R2 operating system.
Note: You may remember that ADPREP was used on previous operating systems such as Windows Server 2003, Windows Server 2003 R2 and Windows Server 2008. This article focuses on Windows Server 2008 R2.
What does ADPREP do? ADPREP has parameters that perform a variety of operations that help prepare an existing Active Directory environment for a domain controller that runs Windows Server 2008 R2. Not all versions of ADPREP perform the same operations, but generally the different types of operations that ADPREP can perform include the following:
  • Updating the Active Directory schema
  • Updating security descriptors
  • Modifying access control lists (ACLs) on Active Directory objects and on files in the SYSVOL shared folder
  • Creating new objects, as needed
  • Creating new containers, as needed
To prepare the forest and domain for the installation of the first Windows Server 2008 R2 domain controller please perform these tasks:
Lamer note: The following tasks are required ONLY before adding the first Windows Server 2008 R2 domain controller. If you plan on simply joining a Windows Server 2008 R2 Server to the domain and configuring as a regular member server, none of the following tasks are required.
Another lamer note: Please make sure you read the system requirements for Windows Server 2008 R2. For example, you cannot join a Windows Server 2008 R2 server to a Windows NT 4.0 domain, nor can it participate as a domain controller in a mixed domain. If any domain controllers in the forest are running Windows 2000 Server, they must be running Service Pack 4 (SP4).
First, you should review and understand the schema updates and other changes that ADPREP makes as part of the schema management process in Active Directory Domain Services (AD DS). You should test the ADPREP schema updates in a lab environment to ensure that they will not conflict with any applications that run in your environment.
You must make a system state backup for your domain controllers, including the schema master and at least one other domain controller from each domain in the forest (you do have backups, don't you?).
Also, make sure that you can log on to the schema master with an account that has sufficient credentials to run adprep /forestprep. You must be a member of the Schema Admins group, the Enterprise Admins group, and the Domain Admins group of the domain that hosts the schema master, which is, by default, the forest root domain.
Next, insert the Windows Server 2008 R2 DVD media into your DVD drive. Note that if you do not have the media handy, you may use the evaluation version that is available to download from Microsoft's website. You can also use an MSDN or Technet ISO image, if you have a subscription to one of them.
If you only have the ISO file and do not want to, or cannot, burn it to a physical DVD, you can mount it by using a virtual ISO mounting tool such as MagicISO.
Browse to the X:\support\adprep folder, where X: is the drive letter of your DVD drive. Find a file called adprep.exe or adprep32.exe.
Note: Unlike in Windows Server 2008 where you had to use either the 32-bit or 64-bit installation media to get the right version of ADPREP, Windows Server 2008 R2 ADPREP is available in a 32-bit version and a 64-bit version. The 64-bit version runs by default. If you need to run ADPREP on a 32-bit computer, run the 32-bit version (adprep32.exe).
To perform this procedure, you must use an account that has membership in all of the following groups:
  • Enterprise Admins
  • Schema Admins
  • Domain Admins for the domain that contains the schema master
Open a Command Prompt window by typing CMD and pressing ENTER in the Run menu.
Drag the adprep.exe file from the Windows Explorer window to the Command Prompt window. Naturally, if you want, you can always manually type the path of the file in the Command Prompt window if that makes you feel better...
Note: You must run adprep.exe from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
Note: If your existing DCs are Windows Server 2008, dragging and dropping into a Command Prompt window will not work, as that feature was intentionally disabled in Windows Server 2008 and Windows Vista.
In the Command Prompt window, type the following command:
adprep /forestprep
You will be prompted to type the letter "c" and then press ENTER. After doing so, the process will begin.
ADPREP will take several minutes to complete. During that time, several LDF files will be imported into the AD Schema, and messages will be displayed in the Command Prompt window. File sch47.ldf seems to be the largest one.
When completed, you will receive a success message.
Note: As mentioned above, ADPREP should only be run on an existing DC. When trying to run it from a non-DC, you will get this error:
Adprep cannot run on this platform because it is not an Active Directory Domain
Controller.
[Status/Consequence]
Adprep stopped without making any changes.
[User Action]
Run Adprep on a Active Directory Domain Controller.
Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008 R2.
In the Command Prompt window, type the following command:
adprep /domainprep
The process will take less than a second.
ADPREP must only be run in a domain that is in Windows 2000 native mode or higher. If you attempt to run it in mixed mode you will get this error:
Adprep detected that the domain is not in native mode
[Status/Consequence]
Adprep has stopped without making changes.
[User Action]
Configure the domain to run in native mode and re-run domainprep
Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008 R2.
If you're running a Windows 2008 Active Directory domain, that's it, no additional tasks are needed.
If you're running a Windows 2000 Active Directory domain, you must also run the following command:
adprep /domainprep /gpprep
Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008 R2.


If you're running a Windows 2003 Active Directory domain, that's it, no additional tasks are needed. However, if you're planning to run Read-Only Domain Controllers (RODCs), you must also type the following command:
adprep /rodcprep
If you already ran this command for Windows Server 2008, you do not need to run it again for Windows Server 2008 R2.
The process will complete in less than a second.
Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008 R2.
To verify that adprep /forestprep completed successfully please perform these steps:
1. Log on to an administrative workstation that has ADSIEdit installed. ADSIEdit is installed by default on domain controllers that run Windows Server 2008 or Windows Server 2008 R2. On Windows Server 2003 you must install the Resource Kit Tools.
2. Click Start, click Run, type ADSIEdit.msc, and then click OK.
3. Click Action, and then click Connect to.
4. Click Select a well known Naming Context, select Configuration in the list of available naming contexts, and then click OK.
5. Double-click Configuration, and then double-click CN=Configuration,DC=forest_root_domain, where forest_root_domain is the distinguished name of your forest root domain.
6. Double-click CN=ForestUpdates.
7. Right-click CN=ActiveDirectoryUpdate, and then click Properties.
8. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the Revision attribute value is 5, and then click OK.
9. Click ADSI Edit, click Action, and then click Connect to.
10. Click Select a well known Naming Context, select Schema in the list of available naming contexts, and then click OK.
11. Double-click Schema.
12. Right-click CN=Schema,CN=Configuration,DC=forest_root_domain, and then click Properties.
13. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the objectVersion attribute value is set to 47, and then click OK.