I Give Up.

‘I give up’ is not a phrase you will hear from me all that often. But I just can’t take any more. Novell has me at my wits’ end. I can’t believe people use this with any sort of reliability.

Throughout my months of toying with it I have had issues and stopping blocks with each and every component. Some servers require many, many components to work effectively.

Here’s a brief run down of just a couple of the annoyances:

Updates and patches come rapid fire (about two per day) and often leave the system broken. I have had them cause dependency issues each time I have applied them. This will do crazy stuff, from switching the physical network card that eth0-2 are assigned to, to outright breaking NSS. In fact, every update I have run broke NSS. You just can’t have that in a production environment. Technically you could script an auto-updater; however, per Novell support, “Automating the updates might have its own risks […] because of that, rug doesn’t have a --force option the way RPM does.”

Things that should be done by installers must be done manually. A great example of this is having to manually enable remote administration of a GroupWise server. For example, you need to share out /usr/local/gw using Samba. But first you have to install and configure Samba. That’s essentially all the docs say on the subject: ‘install samba’. Not ‘Download package X, install it using command Y, tweak this directive in X.conf, and so on’. So I installed Samba from source. After struggling to get it integrated into eDirectory I discovered Novell-Samba. Who knew; they just said ‘Install samba’.

The install process for the OS and packages drives me insane! The OES CD set consists of 10 CDs. During the initial install you are asked to supply almost all 10 CDs in varying order and you have to re-insert a number of them multiple times. It also asks for the Suse Core 2 CD2 and 3, which end up being the Suse Linux Enterprise Server disks 3 and 4. I figured that out just out of desperation and feeding it random CDs.

The documentation is lacking. It assumes that all Novell customers are intimately familiar with Novell terminology and technology (see previously mentioned GroupWise/samba example).

GroupWise acts as an open relay by default and no settings changes will help that. Users hate the GroupWise client; the Outlook plug-in makes Outlook buggy and slow. The cross-platform GroupWise client (Linux and Mac) is really bad. The only way to remedy this is to purchase an expensive third-party app.

I purchased the only (at the time) official Novell Press book for Open Enterprise, entitled “Open Enterprise Server, Administrator’s Handbook, Suse Linux Edition”. Being the only official book, I assumed it would be comprehensive and cover anything and everything relating to OES. What I found was that it is entirely based on a pre-release version of OES and a large number of important things have changed since it was published. In fact, a couple of things the book tells you to do regarding updates will break an otherwise happy server.

Overall I would just like Novell to hammer all these things out, test thoroughly and make the docs useful. Don’t assume everyone using the product is a 15-year Novell NetWare veteran.

Help! My Identity Has Been Thefted… Again!

Well, not really.  This time it was only my debit card.

I received word, last Saturday evening, from my bank (National City) that my debit card had been used for a ‘card-in-hand’ transaction at a gas station in Canada (they made a physical card containing my debit card information on the back strip).  The woman from the bank asked if I had been in Canada earlier that day.  After telling her that I was at home all day she informed me that my card number had likely fallen prey to the recent rash of debit card information thefts.

From what I was able to gather from previously reading about this, a number of merchants illegally retained debit card PIN information, and the information was subsequently stolen and used all over Canada and Europe.

The woman from the fraud department at National City informed me that the transaction had occurred about an hour earlier, that she saw no additional fraudulent transactions (I verified with my online account view), that my card had been frozen to prevent further charges and that the bank maintains no liability policy.  In other words I was not responsible for the transaction in any way.  She asked that I stop by a branch and fill out an ‘Affidavit of Fraud’ and that a new debit card was being mailed first thing Monday.

All in all I was very impressed with the quickness of detection and the fact that they took the initiative and corrected things.  They turned what could have been a disaster into only a minor inconvenience.

I am, however, unimpressed with the fact that the government still has not passed any law that will hold the vendor(s) accountable for allowing the information to be compromised.  I am certain that once a law of this sort passes, the frequency of these sorts of incidents will drop like a stone.

The number of articles about this whole debacle indicates that hundreds of thousands of others have also fallen victim.  A couple from SecurityFocus are as follows:

Seven arrested in online fraud crackdown
Debit-card fraud underscores legal loopholes
Debit-card fraud continues
Citibank issues ATM fraud statement

A Crash Course in Active Directory

Contents

Basics

Uses DNS for name resolution

WINS and NetBIOS aren’t needed unless a legacy app requires them

AD’s Tree is called the ‘Directory Information Tree’ (DIT)

It is based on the ‘Extensible Storage Engine’ (ESE)

AD consists of two types of objects: containers and non-containers (or leaf nodes)

All objects have a ‘Globally Unique Identifier’ (GUID)

Hierarchical paths in AD are known as ‘ADsPaths’

ADsPaths are normally referred to using LDAP standards

 Starts with a 'programmatic identifier' (progID) followed by ://
 Separate each part with a comma
 Prefix each part with dc= (dc stands for domain name component)
 Example: prl.pbb.local becomes LDAP://dc=pbb,dc=pbb,dc=local

A distinguished name (DN) is used to reference an object in a DIT

A relative distinguished name (RDN) is used to reference an object within its parent container

 To reference Alice's object in the prl_biz OU within the prl OU it would look like this: LDAP://cn=albin,ou=prl_biz,ou=prl,dc=pbb,dc=pbb,dc=local

The available DN attribute types are as follows

 CN = Common Name
 L = Locality
 ST = State or Province Name
 O = Organization Name
 OU = Organizational Unit
 C = Country
 STREET = Street address
 DC = Domain Component
 UID = User ID
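As an added example (not part of the original notes), the following Python builds ADsPaths and DNs from the rules above and parses them back. It assumes the domain prl.pbb.local and a user albin under ou=prl_biz,ou=prl as sample data, and it handles the one edge case the notes do not mention: a value containing a comma (or another DN special character) must be backslash-escaped, otherwise the DN splits in the wrong place.

```python
# Added example (not from the original notes): building and parsing
# LDAP-style ADsPaths and distinguished names.
from typing import List, Tuple

# Attribute types listed in the notes, lower-cased for comparison.
RDN_TYPES = {"cn", "l", "st", "o", "ou", "c", "street", "dc", "uid"}

# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
_SPECIAL = set(',+"\\<>;=')


def escape_value(value: str) -> str:
    """Escape characters that would otherwise be read as DN syntax."""
    out = []
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, len(value) - 1)
        out.append("\\" + ch if ch in _SPECIAL or leading_hash or edge_space else ch)
    return "".join(out)


def dns_to_dn(dns_name: str) -> str:
    """prl.pbb.local -> dc=prl,dc=pbb,dc=local (one dc= part per DNS label)."""
    labels = [lbl for lbl in dns_name.strip(".").split(".") if lbl]
    if not labels:
        raise ValueError("empty DNS name")
    return ",".join("dc=" + escape_value(lbl) for lbl in labels)


def build_dn(rdns: List[Tuple[str, str]], dns_name: str) -> str:
    """RDNs are given leaf-first, e.g. [('cn','albin'), ('ou','prl_biz'), ('ou','prl')]."""
    parts = []
    for attr, value in rdns:
        if attr.lower() not in RDN_TYPES:
            raise ValueError(f"unknown RDN attribute type: {attr}")
        parts.append(f"{attr.lower()}={escape_value(value)}")
    return ",".join(parts + [dns_to_dn(dns_name)])


def adspath(dn: str, prog_id: str = "LDAP") -> str:
    """Prefix a DN with its programmatic identifier, e.g. LDAP:// or GC://."""
    return f"{prog_id}://{dn}"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs, honouring backslash escapes.
    Simplification: multi-valued RDNs joined with '+' are not split."""
    rdns: List[Tuple[str, str]] = []
    attr, buf, in_value, i = "", [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped char: take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if not in_value and ch == "=":
            attr, buf, in_value = "".join(buf).strip().lower(), [], True
        elif in_value and ch == ",":            # unescaped comma ends the RDN
            rdns.append((attr, "".join(buf)))
            buf, in_value = [], False
        else:
            buf.append(ch)
        i += 1
    if in_value:
        rdns.append((attr, "".join(buf)))
    if not rdns or any(not a for a, _ in rdns):
        raise ValueError("malformed DN")
    return rdns


def rdn_of(dn: str) -> str:
    """The RDN is the leaf-most component of the DN (its name within its parent)."""
    attr, value = parse_dn(dn)[0]
    return f"{attr}={escape_value(value)}"


if __name__ == "__main__":
    user_dn = build_dn([("cn", "albin"), ("ou", "prl_biz"), ("ou", "prl")], "prl.pbb.local")
    print(adspath(user_dn))
    print(adspath(dns_to_dn("prl.pbb.local"), "GC"))
    print(parse_dn("cn=Smith\\, John,ou=prl,dc=pbb,dc=local"))
```

The parser is deliberately strict: an attribute type that is not in the table above is rejected, and a value such as "Smith, John" only round-trips because the comma is escaped, which is the usual cause of "object not found" errors when DNs are assembled by string concatenation.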

Domains and Domain Trees

A domain controller (DC) can be authoritative for one and only one domain.

Containers (the object type) may contain other container objects as well as leaf nodes.

An OU is the other type of container; group policies can be applied to an OU, but not to a container (the object type).

Each forest has a child container called ‘Configuration’ which has a child container called ‘Schema’

Global Catalog (GC)

Used to perform forest wide searches

Accessed via LDAP on port 3268

Uses progID of GC://

The GC is read-only and cannot be directly updated

Objects available in the GC are members of the PAS (Partial Attributes Set)

To add/remove attributes use the AD Schema snap-in for MMC

Flexible Single Master of Operations (FSMO – pronounced fizmo)

Certain actions in the forest/domain will only be done by the FSMO role holder regardless of how many other DCs you have.

 Schema Master (forest-wide): Only machine allowed to make schema changes. Changes made on other DCs will be referred to the FSMO.
 Domain Naming Master (forest-wide)
 PDC Emulator (domain-wide): Password synching and PDC legacy compatibility. Browser Master.
 RID Master (domain-wide): Relative ID Master. All security principals have a Security Identifier (SID).
 Infrastructure Master (domain-wide): Maintains cross-domain object references (phantom references), e.g. a user is in domain A but a member of a group in domain B.

 NTDSUTIL (howto: [1], download: support pack [2]): Allows transfer of FSMO roles to other DCs. If the FSMO server dies you can ungracefully force the role to another DC, known as 'seizing' the role. [3]

Groups

3 scopes…

 Domain Local: membership available only within the domain. May contain other groups (admin group)

 Domain Global: membership available only within the domain. Used to define roles (enterprise admin, backup admin, exchange admins, sql admins, etc.)

 Universal: forest-wide

2 types…

 distribution: generally used as messaging lists for email and IM (Exchange distro lists)

 security: the group's SID is included in the user's auth token

The type of a group may be converted at any time.

Naming Contexts (NC) and Application Partitions

Breaks up replication between DCs. Can be based on political, geographic or bandwidth-related considerations.

Consists of 3 predefined naming contexts, each representing a different aspect of AD data.

 Configuration NC: (forest) holds data pertaining to LDAP, Exchange, subnets

 Schema NC: (forest) defines types of data AD can store

 Domain NC: (domain) domain specific: users, groups, computers, etc.

 Application Partitions: user-defined NCs. Cannot contain security principals

To retrieve a list of NCs you query the RootDSE entry.

 LDAP util (how to: [4], download: support tools [5]): can be used to view the RootDSE entry. Connection -> Connect -> enter name of DC

… incomplete

Schema

The schema is located under the Configuration container. It is the blueprint for data storage in AD. Each object has a corresponding class, e.g. the user class defines the user object type.

 Active Directory Service Interfaces Editor (ADSIEdit) (how to: [6], download: support tools [7]): The schema can be viewed using an AD viewer such as ADSIEdit (MMC snap-in) or LDP

The schema is made of two types of AD objects…

classes:
attributes:

… Very Incomplete

Replication

Note: details regarding cross-domain replication omitted.

Connection objects define which DCs replicate with each other and how often. Generally managed by the DC.

Knowledge Consistency Checker (KCC) is what generates the connection objects.

 RepAdmin (how to: [8]): Command line tool for administering replication
 ReplMon (how to: [9]): Graphical util for managing and monitoring replication

Each DC maintains its own separate ‘Update Sequence Number’ (USN). It is a 64-bit value assigned to each update transaction. Each update increments the USN value, like the serial number in DNS.

Each DC maintains its highest combined USN for all NCs in the highestCommittedUSN value of the RootDSE. The values are always different from DC to DC for a given replication, since each DC numbers its own transactions.

If the time on a DC is off by 5 minutes or more it will not be able to replicate.

 Originating Update (write): The point of origin for an update (on which DC was this update made)
 Replicated Update (write): A change that did not originate on the DC in question.

Each DC has a GUID called the DSA GUID. It is used to uniquely identify a DC and is the objectGUID of the NTDS Settings object for the DC in the Configuration container.

The High-Watermark Vector (HWMV) is a table maintained independently by each DC. It keeps track of where a DC last left off when replicating the NC with a specific partner.

The up-to-dateness vector (UTDV) is a table maintained independently by each DC. It is used for replication dampening to reduce traffic and endless replication.

An example of how an object is modified during replication…

1. A user is created on serverA.
2. The object (user) is replicated to serverB.
3. The object is subsequently modified on serverB.
4. The new changes are replicated back to serverA.

1. Creation of the object on serverA
    1. values are set to defaults defined for user creation
    2. user's USN is set to 1000 (the USN of this transaction)
    3. version number is set to 1
    4. timestamp is set to the time of creation
    5. originating-server GUID is set to the GUID of the server
    6. originating-server USN is set to 1000 (USN of this transaction)
2. Replication of the object to serverB
    serverB adds a copy of the object as a replicated write. USN 2500 is assigned to the object. This value is written to the USNCreated and USNChanged attributes of the object.
3. Password changed for user on serverB
    1. Password value is set
    2. password's USN is set to 3777 (USN for this transaction)
    3. user's version number is set to 2
    4. timestamp is updated
    5. originating-server GUID is set to the GUID of serverB
    6. originating-server USN is set to 3777 (USN of this transaction)
4. Password change replication to serverA
    serverA generates a transaction USN of 1333. USNChanged is set to 1333. Originating-server GUID is set to that of serverB.
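The following Python is an added example, not part of the original notes or the O’Reilly book: a toy in-memory model of two DCs that walks through the four steps above and produces the same USNs (1000, 2500, 3777, 1333). It tracks replication metadata per attribute (version, timestamp, originating DSA GUID, originating USN and local USN), keeps a high-watermark vector per partner and an up-to-dateness vector per originating DC, and goes one step beyond the notes by showing the dampening case: a fifth pull from serverA back to serverB is dropped because serverB already holds its own originating write 3777. The DSA GUIDs, the attribute values and the jumps in the USN counters between steps are all constructed for the scenario.

```python
# Added example, not from the original notes: a toy model of per-DC USNs,
# per-attribute replication metadata, HWMV and UTDV for the scenario above.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class AttrMeta:
    value: object
    version: int
    timestamp: int
    originating_dc: str   # DSA GUID of the DC where the write originated
    originating_usn: int  # USN of that originating transaction
    local_usn: int        # USN this DC assigned when it stored the change


@dataclass
class ReplObject:
    usn_created: int
    usn_changed: int
    attrs: Dict[str, AttrMeta] = field(default_factory=dict)


class DomainController:
    def __init__(self, dsa_guid: str, next_usn: int):
        self.dsa_guid = dsa_guid          # constructed GUID, not a real objectGUID
        self.next_usn = next_usn          # next USN this DC will hand out
        self.clock = 0                    # toy timestamp source
        self.objects: Dict[str, ReplObject] = {}
        self.hwmv: Dict[str, int] = {}    # partner GUID -> highest partner local USN applied
        self.utdv: Dict[str, int] = {}    # originating GUID -> highest originating USN applied

    def _take_usn(self) -> int:
        usn, self.next_usn = self.next_usn, self.next_usn + 1
        return usn

    def highest_committed_usn(self) -> int:
        return self.next_usn - 1

    def originating_create(self, dn: str, defaults: Dict[str, object]) -> int:
        """Step 1: create the object locally; every attribute is version 1."""
        usn = self._take_usn()
        self.clock += 1
        obj = ReplObject(usn_created=usn, usn_changed=usn)
        for name, value in defaults.items():
            obj.attrs[name] = AttrMeta(value, 1, self.clock, self.dsa_guid, usn, usn)
        self.objects[dn] = obj
        self.utdv[self.dsa_guid] = usn
        return usn

    def originating_write(self, dn: str, attr: str, value: object) -> int:
        """Step 3: an originating write bumps the attribute version and stamps this DC."""
        usn = self._take_usn()
        self.clock += 1
        obj = self.objects[dn]
        old = obj.attrs.get(attr)
        obj.attrs[attr] = AttrMeta(value, old.version + 1 if old else 1,
                                   self.clock, self.dsa_guid, usn, usn)
        obj.usn_changed = usn
        self.utdv[self.dsa_guid] = usn
        return usn

    def pull_from(self, partner: "DomainController") -> List[Tuple[str, str, str]]:
        """Steps 2 and 4: replicated writes. Returns (dn, attr, 'applied'|'dampened')."""
        log: List[Tuple[str, str, str]] = []
        since = self.hwmv.get(partner.dsa_guid, 0)   # HWMV: where we left off with this partner
        known = dict(self.utdv)                       # UTDV snapshot used for dampening decisions
        for dn, src in partner.objects.items():
            obj_usn = None                            # one local USN per changed object
            for attr, meta in src.attrs.items():
                if meta.local_usn <= since:
                    continue                          # partner already sent this earlier
                if known.get(meta.originating_dc, 0) >= meta.originating_usn:
                    log.append((dn, attr, "dampened"))  # already have this originating write
                    continue
                if obj_usn is None:
                    obj_usn = self._take_usn()
                obj = self.objects.get(dn)
                if obj is None:
                    obj = ReplObject(usn_created=obj_usn, usn_changed=obj_usn)
                    self.objects[dn] = obj
                # Originating GUID/USN, version and timestamp travel with the change;
                # only local_usn is assigned by the receiving DC.
                obj.attrs[attr] = AttrMeta(meta.value, meta.version, meta.timestamp,
                                           meta.originating_dc, meta.originating_usn, obj_usn)
                obj.usn_changed = obj_usn
                self.utdv[meta.originating_dc] = max(self.utdv.get(meta.originating_dc, 0),
                                                     meta.originating_usn)
                log.append((dn, attr, "applied"))
        self.hwmv[partner.dsa_guid] = partner.highest_committed_usn()
        return log


DN = "cn=albin,ou=prl,dc=pbb,dc=local"   # sample object from the notes


def run_scenario():
    """Replay the four steps; returns both DCs and the USNs/log of steps 1, 3 and 4."""
    server_a = DomainController("guid-serverA", next_usn=1000)
    server_b = DomainController("guid-serverB", next_usn=2500)
    step1 = server_a.originating_create(DN, {"displayName": "albin", "unicodePwd": "<placeholder>"})
    server_b.pull_from(server_a)                      # step 2: object lands on serverB as USN 2500
    server_b.next_usn = 3777                          # other transactions on serverB meanwhile (constructed)
    step3 = server_b.originating_write(DN, "unicodePwd", "<new placeholder>")
    server_a.next_usn = 1333                          # likewise on serverA (constructed)
    step4 = server_a.pull_from(server_b)
    return server_a, server_b, (step1, step3, step4)


if __name__ == "__main__":
    a, b, (s1, s3, s4) = run_scenario()
    print("step 1 USN on serverA:", s1, "| serverB copy USNCreated:", b.objects[DN].usn_created)
    print("step 3 USN on serverB:", s3, "| step 4 on serverA:", s4, a.objects[DN].usn_changed)
    print("extra pull serverB <- serverA:", b.pull_from(a))
```

Two details are worth noticing when you run it: in step 4 serverA dampens the untouched default attributes (it already holds its own originating USN 1000 in its up-to-dateness vector) and applies only the password change, and the extra pull consumes no USN on serverB at all, which is exactly the traffic the UTDV is meant to save.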

… Incomplete (missing conflict resolution section)

AD and DNS

DC Locator

Resource Records used by AD

Delegation Options

… incomplete (duh)

Profiles

A profile is created on each computer a user logs into. It lives at %systemDrive%\Documents and Settings\%userName%

It creates various data files including NTUSER.DAT. This file contains the user portion of the registry, which includes the screen saver, wallpaper, My Documents location, etc.

Settings specific to the computer in question are also applied to the user via the AllUsers\NTUSER.DAT on the given machine.

You use the ADUC (Active Directory Users and Computers) tool to set the roaming profile info for a given user.

To have the profile deleted from the local machine upon logout, set the following registry value on the computer (useful for computer and teaching labs!)…

 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DeleteRoamingCache

With a server-based default user profile you can add icons to the desktop, bookmarks, etc. It should exist under the NETLOGON share.

Group Policy

Group Policies are referred to as GPOs or group policy objects. They contain a large amount of configuration info that is applied to all users automatically.

 Group Policy Management Console (GPMC) (howto: [10]): Allows for editing, viewing the resultant set of policies (RSoP) and running reports.

The three states a policy item can exist in are enabled, disabled or not configured. Not configured is the default for everything.

The structure of the templates in the editor looks like…

 User Configuration
   Software Settings
   Windows Settings
   Administrative Templates
 Computer Configuration
   Software Settings
   Windows Settings
   Administrative Templates

These are generated from the Administrative Template (ADM) files in the system volume.

By default workstations and member servers refresh GPOs every 90 minutes and DCs every 5.

On non-DCs a random offset of 1 to 30 minutes is added to the refresh time to avoid everyone checking in at once.

GPOs allow an admin to remotely deploy applications to users OR computers. MSI packages are the only way this works.

MSIs can be modified for the environment. This process is known as creating a ‘transform’.

You can set an MSI to auto-install when someone attempts to open a file with an extension that an MSI app can read.

If an install is assigned to the user portion of the GPO it will install when the user logs into a machine and uninstall upon log off. If it is assigned to the computer it is available to any user who logs into that machine.

 MS Windows Installer (howto: [11]): Used to generate MSI files
 Install Shield (site: [12]): The best tool among the installer makers. 3rd party.
 Installer Design Studio (site: [13]): The one ScriptLogic makes. Looks very easy to use and is fairly inexpensive.
 Group Policy Settings Reference (document): [14]
 Group Policy Homepage: [15]
 MSDN docs for Group Policy: [16]

Backup, Recovery and Maintenance

Backing up AD

Restoring a DC

Restoring AD

FSMO recovery

DIT Maintenance

… Incomplete (duh)

Exchange Integration

… incomplete (duh)

Links

Common admin tasks: [17]

Remote Administration: [18]

All information gleaned from…

Active Directory, 3rd Edition, O’Reilly Publishing, by Joe Richards, Robbie Allen & Alistair G. Lowe-Norris