Month: February 2009

Windows 2008R2 features part V: DHCP Split-scope

DHCP is the mechanism that gives most client these days the tools (ip address) for connectivity. Most companies however do not realize the importance of the DHCP service and do not cluster nor have another server as standby when the DHCP server fails. If the DHCP server fails, most clients will not receive a new ip address and will seize to work on the network. While clustering is improved in Windows 2008 and sort of made easy for administrators, most of them are reluctant to implement a failover cluster for DHCP. In Windows 2008 R2 we have Split-Scopes, remember the 80-20 rule for DHCP servers, it kinda the same, but then made easy. For this article we have a single domain controller and two Windows 2008R2 servers.

Read more

Visio Stencils

<update> The links are now actually working.. you can download them again </update> My previous studiographic.nl website was not too great.. so I moved everything over to the blog.. if you are looking for the Visio Stencils for Virtualization.. check Visio Stencils….. _R

Read more

Safari 4.0 beta is out

I am one of the few people using Safari next to IE(7/8) as their standard browser during day to day internet surfing. Many try to get me into Firefox with all the new applets and plugins like password and URL sync between hosts.. but nothing beats the new Safari 4.0 is my humble opinon… finally […]

Read more

Tunnel DMZ to Internal

When you have servers in the DMZ that are members of your internal AD (not best practice ok.. ) .. you find yourself shooting holes in the firewall to allow RPC, SMB and other protocols. In that case perhaps an IPSEC tunnel can help you out.. when you use a tunnel between your internal and DMZ hosts, the firewall only has to allow UDP 500 and ESP protocol (protocol 50). No high ports required. To set it up use the following guide.

Read more

Default Logon Domain

When you use Windows 7, Windows 2008 R2 or Vista / Windows 2008 you almost always have to type the domain name during logon.. eg Type your username as ROOTDOMAINUser… annoying: yes.. go to the following group policy to specify the default domain logon: ComputerAdministrative TemplatesSystemLogonAssign a default domain for logon  and set your default logon […]

Read more

Free training?

Organizing a free training can give your business new customers, thats probably the idea behind free trainings seminars from Twice IT; you can follow a short course in exchange for some feedback on a blog.. So out of curiosity I attended the 3 hour Powershell course, and here’s my feedback ..

Read more

RSS feeds

Many of you use RSS feeds, to subscribe to a feed from this website, hoover over the category you are interested in and select RSS for the feed. If you would like to subscribe to all of the posts I’ve made, use the .All Posts Category.. or use the direct link: feed://blog.studiographic.nl/?feed=rss2 _R

Read more

Windows 2008R2 features part IV: Managed Service Accounts & Password Reset's

So we have deployed the Managed Service Accounts, and now we want a password policy set on them.. usually the service accounts have a different password policy set, so most of you will probably use PSO’s (Password Setting Object). In my demo I’ve set a new policy stating that the max age of a password is only 10 minutes ( msDS-MaximumPasswordAge: 0:00:10:00). I’ve set the PSO’s msDS-PSOAppliesTo attribute to be the Active Directory Group “Service Accounts” so that all managed service accounts that are member of this group MUST change their password every 10 minutes. For the sanity check, I’ve also created a simple useraccount and added that to the group also. Now we only needed to wait 10 minutes.. When logging in as the user onto the SQL box, I indeed got the message that I needed to change my password. My demo users’ pwdLastSet attribute indeed jumped from : 2/4/2009 4:58:20 PM W. Europe Standard Time;  to pwdLastSet: 2/4/2009 5:28:05 PM W. Europe Standard Time; 

Read more

Windows 2008R2 features part III: Managed Service Accounts

Password policies can help administrators secure their environment, letting users change their passwords on regular basis makes it harder for hackers to get in to a system by guessing a password. There is one group of accounts though that usually do not have the password policy applied to.. they almost never change their password and when they do.. it is a load of work for the admin, there is service downtime involved.. and after the password has been changed.. it will be not be changed for a long time.. Yes, I’m talking about Service Account.. the accounts administrators usually apply the “Password Never Expires” option to. These accounts usually have more rights to systems, perhaps even local Administrator access to machines (like SQL or mail) or even worse (Don’t tell me you have these in place) Domain Admin rights. Changing passwords for these accounts is crucial to the security of your environment. To make life easier Windows 2008 R2 introduces the Managed Service Accounts, with these, you can easily change the password of an account, and the client computers where these service accounts are operational will change the password in the service configuration.

Read more