How to create an external trust between two separate domains/forests

November 30, 2009

A trust is a relationship established between domains that enables users in one domain to be authenticated by a domain controller in the other domain. There are different types of trust: external, realm, forest and shortcut. This applies to both Windows Server 2003 and Windows Server 2008. An external trust is necessary when users from two different domains need to access resources such as printers and files in both domains. In this article, I am going to talk about external trusts.

For this article, I will use the following two servers.

FQDN            IP
Dc1.A.com.au    192.168.100.2
Dc2.B.com.au    192.168.200.2

Prerequisites:

  1. Both domain controllers must be able to ping each other by IP
  2. Proper routing is necessary if they reside in separate subnets
  3. Add dc1 as a host in the DNS records of dc2
  4. Add dc2 as a host in the DNS records of dc1
  5. Add dc1.A.com.au to the Name Servers list on dc2
  6. Add dc2.B.com.au to the Name Servers list on dc1
  7. Add 192.168.100.2 as a secondary DNS server in the TCP/IP properties of dc2
  8. Add 192.168.200.2 as a secondary DNS server in the TCP/IP properties of dc1
  9. A user account with Domain Admin and Enterprise Admin rights

Step1: Add Host Record and Name Server record

Log on to the PDC (Dc1.A.com.au) using domain admin credentials. Start menu>Administrative Tools>DNS>Expand the server node>Expand Forward Lookup Zones>Right-click A.com.au

Click New Host>Type dc2 and IP 192.168.200.2 and check Create PTR>OK

Right-click the Name Server (NS) record>Click Properties>Click the Name Servers tab

Click Add>Type the FQDN, i.e. dc2.B.com.au, and IP 192.168.200.2, then click Add

Log on to the PDC (Dc2.B.com.au) using domain admin credentials. Start menu>Administrative Tools>DNS>Expand the server node>Expand Forward Lookup Zones>Right-click B.com.au

Click New Host>Type dc1 and IP 192.168.100.2 and check Create PTR>OK

Right-click the Name Server (NS) record>Click Properties>Click the Name Servers tab

Click Add>Type the FQDN, i.e. dc1.A.com.au, and IP 192.168.100.2, then click Add

Now ping both DCs by IP, NetBIOS name and FQDN and check that each replies properly.

Step2: Creating Trust

One-way trust between two DCs. Example: a one-way trust allows users from dc1 (outgoing) to access dc2 (incoming), but dc2 does not get access to dc1.

Creating incoming trust in dc2

1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the external domain, and then click Next.

5. On the Trust Type page, click External trust, and then click Next.

6. On the Direction of Trust page, click One-way: incoming, and then click Next.

7. On the Sides of Trust page, click This domain only, and then click Next.

8. On the Trust Password page, type the trust password twice, and then click Next.

With the administrator of the other domain, agree on a secure channel password to be used in establishing the trust.

9. On the Trust Selections Complete page, review the results, and then click Next.

10. On the Trust Creation Complete page, review the results, and then click Next.

11. On the Confirm Incoming Trust page, do one of the following:

· If you do not want to confirm this trust, click No, do not confirm the incoming trust.

· If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.

12. On the Completing the New Trust Wizard page, click Finish.

Creating outgoing trust in dc1

1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the external domain, and then click Next.

5. On the Trust Type page, click External trust, and then click Next.

6. On the Direction of Trust page, click One-way: outgoing, and then click Next.

7. On the Sides of Trust page, click This domain only, and then click Next.

8. On the Outgoing Trust Authentication Level page, do one of the following, and then click Next:

· Click Domain-wide authentication.

· Click Selective authentication.

9. On the Trust Password page, type the trust password twice, and then click Next.

10. On the Trust Selections Complete page, review the results, and then click Next.

11. On the Trust Creation Complete page, review the results, and then click Next.

12. On the Confirm Outgoing Trust page, do one of the following:

· If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users.

· If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.

13. On the Completing the New Trust Wizard page, click Finish.

If you want both sides to have access to each other, change the above configuration to a two-way trust on dc1. Dc2 will then automatically be configured with the trust relationship.
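As an added example (not part of the original article), the following PowerShell script checks the DNS and ping prerequisites from the table above from one DC, then verifies the trust with netdom and prints the two security settings worth checking on any external trust: SID filtering (quarantine) and selective authentication. It assumes netdom.exe is available, that the NetBIOS name of B.com.au is B, and that it runs as a Domain Admin on Dc1.A.com.au.

```powershell
# Added example, not from the original article. Run on Dc1.A.com.au as a Domain Admin.
# Checks the DNS and ping prerequisites for both DCs, then verifies the trust and
# reports the settings a defender should keep an eye on.
# Assumes netdom.exe is available (built into Windows Server 2008; Support Tools on 2003).

$peers = @{                          # FQDN -> IP, taken from the table in the article
    'dc1.A.com.au' = '192.168.100.2'
    'dc2.B.com.au' = '192.168.200.2'
}

foreach ($fqdn in $peers.Keys) {
    $expected = $peers[$fqdn]

    # Forward lookup: the host record added in Step 1 must return the expected address
    try {
        $resolved = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
    } catch { $resolved = @() }
    if ($resolved -notcontains $expected) {
        Write-Warning "$fqdn resolves to [$($resolved -join ',')], expected $expected; fix the host/NS records first"
    }

    # Reverse lookup: Step 1 ticks 'Create PTR', so the IP should map back to the FQDN
    try { $ptr = [System.Net.Dns]::GetHostEntry($expected).HostName } catch { $ptr = '<no PTR>' }
    Write-Host ("{0,-14} A -> {1,-15} PTR -> {2}" -f $fqdn, ($resolved -join ','), $ptr)

    # Prerequisites 1 and 2: ICMP reachability across the two subnets
    if (-not (Test-Connection -ComputerName $expected -Count 2 -Quiet)) {
        Write-Warning "$expected does not answer ping; check routing between 192.168.100.0 and 192.168.200.0"
    }
}

# Verify the secure channel of the trust (prompts for the B.com.au admin password).
# A failing verify usually means the trust password or DNS resolution is wrong.
# 'B' is the assumed NetBIOS name of B.com.au.
netdom trust A.com.au /d:B.com.au /verify /UserD:B\Administrator /PasswordD:*

# With no yes/no argument netdom prints the current setting. SID filtering
# ("quarantine") is on by default for an external trust and should stay on, so that
# SIDs injected in the SID history from the other domain are discarded; selective
# authentication limits which resources users from the trusted domain may reach
# (the choice made in step 8 of the outgoing trust).
netdom trust A.com.au /d:B.com.au /quarantine
netdom trust A.com.au /d:B.com.au /SelectiveAuth

# List every trust this domain knows about, with direction and type flags
nltest /domain_trusts /v
```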


Transitioning from Exchange 2007 to Exchange 2010 - Step by Step

November 26, 2009

Exchange Server 2007 and Exchange Server 2010 are similar in architecture, so the transition process is relatively straightforward. The following procedure illustrates a typical transition from Exchange Server 2007 to Exchange Server 2010.


Prerequisite:


· Run Dcdiag and Netdiag and check that the FSMO roles are functioning perfectly.

· All domains in the existing Active Directory forest have to be running in native mode.

· The Active Directory forest has to be running at the Windows Server 2008 forest functional level.

· Each site in Active Directory should have at least one PDC, schema master and Global Catalog server at Windows Server 2008 SP2 level. It is recommended to have 64-bit domain controllers and Global Catalog servers for optimal performance, preferably Windows Server 2008 x64 SP2 or Windows Server 2008 R2.

· All Exchange Server 2007 servers must have Exchange Service Pack 2 installed.

· The Internet-facing Active Directory sites must be the first sites migrated to Exchange Server 2010.

· Windows Server 2008 SP2 64-bit or Windows Server 2008 R2.

· Internet Information Server needs to be installed for CAS.

· Web certificates must be installed on the server holding the CAS role.

· Windows Remote Management (WinRM) 2.0

· PowerShell 2.0 (a Windows Server 2008 feature in the R2 version)

· .NET Framework 3.5 (Windows Server 2008 feature)

· Desktop Experience (Windows Server 2008 feature)

· Net.TCP services started and set to Automatic (services.msc)

· Disable TCP/IPv6 in the Registry (if you use TCP/IPv4)

· 2007 Office System Converter

· It is better to prepare a document showing the task list and the system build info, and tick tasks off one by one as you finish them.

Precautions:

· Back up the Active Directory Global Catalog servers, the Exchange servers and the servers that interoperate with Exchange Server, such as gateway systems or replicated directory servers. It is also a best practice to turn off any replication to other environments during the transition process, such as Forefront Identity Manager (previously named ILM, MIIS, IIFP and MMS).

· Please bear in mind that an in-place upgrade to Exchange Server 2010 is NOT supported in any scenario!

· Please be aware that Win2k8 AD and Exchange 2010 (HT, MT, CAS, ET roles and Unified Messaging) are based on 64-bit architecture.

Migration from Windows 2003 AD Forest to Windows 2008 AD Forest and Forest Preparation

· Create a user with the Domain Admin, Schema Admin and Enterprise Admin roles in the existing AD

· Log on using the new user name

· Bring the AD forest and domains to the Windows Server 2003 functional level

· Insert the Win2k8 Server DVD into the Win2k3 DC

· Open an elevated command prompt as domain\username (where the user name is the one created above): Start Menu>Run, type runas /user:domain\username cmd.exe

· Provide the password

· d:\sources\adprep\adprep.exe /forestprep (where d: is the DVD-ROM)

· d:\sources\adprep\adprep.exe /domainprep /gpprep

· Run d:\Setup and select the upgrade option to use the existing DC

· Transfer the FSMO roles to a new Win2k8 DC on new hardware

· Make one DC a GC

· Replicate the AD database and GPOs, or wait for the tombstone to replicate

· Retire the Windows 2003 DC

· Run DCPROMO (uncheck "This is the last remaining DC")

· Raise the new domain functional level to Win2k8

· Insert the Exchange 2010 DVD into the DC to upgrade AD

· Open a command prompt and change directory to the DVD-ROM

· Type Setup.com /PrepareSchema

· Type .\Setup /PrepareAD /OrganizationName:organisation_name


Transition Sequencing:

Once you have finished the prerequisites, you have to take the installation order of the Exchange Server 2010 servers into account to minimize the impact:

· Exchange Server 2010 Client Access Server. The Client Access Server can work with an Exchange Server 2007 Mailbox Server as well as an Exchange Server 2010 Mailbox Server.

· Exchange Server 2010 Hub Transport Server (new internal and external connectors). Document all the policies you have on the existing HT and apply the same on the new HT server.

· Exchange Server 2010 Mailbox Server. After you have installed the Mailbox Server role and established proper Public Folder replication between Exchange Server 2007 and Exchange Server 2010, you can start moving mailboxes to the new Exchange 2010 Mailbox Server. Of course, Public Folder replication only needs to be configured when Public Folders are used in Exchange Server 2007.

· The Edge Transport Server can be installed at any time, since an Exchange Server 2010 Edge Transport Server can be subscribed to an Exchange Server 2007 SP2 Hub Transport Server. Use the export and import options for all policies applied on the previous ET server.

· Finally, Unified Messaging.


Transitioning from Exchange Server 2007 to Exchange Server 2010

1. Prepare a Windows Server 2008 (RTM or R2) x64 edition server for the first Exchange 2010 server.

2. Install the AD LDIFDE tools on the new Exchange 2010 server (to upgrade the schema).

3. Install necessary prerequisites (WWW for CAS server role) including web certificates.

4. Install CAS server role servers and configure per 2010 design. Validate functionality.

5. Transfer OWA, ActiveSync, and Outlook Anywhere traffic to new CAS servers.

6. Install Hub Transport role and configure per 2010 design.

7. Transfer the inbound and outbound mail connectors to the new 2010 HT servers.

8. Install mailbox servers and configure Databases (DAG if needed).

9. Create public folder replicas on Exchange 2010 servers using Exchange 2010 Public Folder tool.

10. Move mailboxes to Exchange 2010 using Move Mailbox Wizard.

11. Re-home the Offline Address Book (OAB) generation server to Exchange Server 2010.

12. Transfer all Public Folder Replicas to Exchange Server 2010 Public folder stores.

13. Delete Public and Private Information Stores from Exchange 2007 servers.

14. Remove the Exchange 2007 Edge Transport subscription.

15. Uninstall all Exchange 2007 servers.

Test Procedure:

· Double-check that the Exchange roles and services are started

· Check the event logs

· Check the internal and external connectors

· Test OWA and email using a test user

· Run the BPA

· Verify against the system build info you created at the beginning to check what you might have missed.
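The test procedure above can be scripted from the Exchange Management Shell. This is an added example, not from the original post; the server name, OWA URL and test user are placeholders, and the checks use the Exchange 2010 cmdlets Test-ServiceHealth, Get-ReceiveConnector, Get-SendConnector, Test-OwaConnectivity and Test-Mailflow.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# on (or against) a newly installed Exchange 2010 server.
$server   = 'EX2010-01.A.com.au'        # placeholder: the new Exchange 2010 server
$owaUrl   = 'https://mail.A.com.au/owa'  # placeholder: the external OWA URL
$testUser = 'testuser@A.com.au'          # placeholder: the test user from the checklist

# 1. Roles and services: Test-ServiceHealth reports per role whether every required
#    service is running and names the ones that are not.
Test-ServiceHealth -Server $server |
    Where-Object { -not $_.RequiredServicesRunning } |
    ForEach-Object { Write-Warning "$($_.Role): stopped services: $($_.ServicesNotRunning -join ', ')" }

# 2. Event logs: recent errors raised by Exchange components on the new server
Get-EventLog -LogName Application -ComputerName $server -EntryType Error -Newest 50 |
    Where-Object { $_.Source -like 'MSExchange*' } |
    Select-Object TimeGenerated, Source, EventID, Message | Format-Table -AutoSize -Wrap

# 3. Internal and external connectors: confirm bindings, allowed remote ranges and
#    that the 2010 servers are now the source of the send connectors
Get-ReceiveConnector -Server $server | Select-Object Name, Bindings, RemoteIPRanges, AuthMechanism
Get-SendConnector | Select-Object Name, AddressSpaces, SourceTransportServers, SmartHosts

# 4. OWA logon and mail flow with the test user (prompts for the test user's password)
Test-OwaConnectivity -URL $owaUrl -MailboxCredential (Get-Credential $testUser)
Test-Mailflow -Identity $server -TargetMailboxServer $server   # loopback mail flow on the new server

# 5. BPA: the Exchange Best Practices Analyzer lives under Toolbox in the Exchange
#    Management Console; run it there and keep the report with the build document.
```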

Key Factors:

The following key factors differentiate a 2007 to 2010 transition from a 2003 to 2010 transition:

· Exchange admin groups and routing groups are already out of the picture.

· The Recipient Update Service is no longer part of the transition process.

· The public folder hierarchy does not need to be re-homed. Indeed, because Public Folders are not required for Exchange Server 2007, they might not even be part of the transition.

One added advantage of transitioning from Exchange Server 2007 to Exchange Server 2010: if the Outlook clients are at the 2007 level or above, the move mailbox process does not result in downtime, making the end-user transition experience completely transparent.

Further Study

Transition from Exchange 2003 to Exchange 2010 

Watch TechNet Video on Transition from Exchange 2007 to Exchange 2010


Understanding Network Access Protection (NAP) in Windows Server 2008

November 24, 2009

Network Access Protection (NAP) is a platform you can install on Windows Server 2008 for enforcing system health requirements on client machines before they are allowed to access network resources. NAP can ensure that a system complies with a particular update level and with configuration requirements such as firewall state, malware removal tools, Windows Update and antivirus.

Microsoft also recommends integrating third-party tools with the existing systems architecture to verify the health status of computer systems. NAP includes a set of APIs that you can use to incorporate other tools for health policy validation, controlling access to the network, remediation and ongoing compliance. With the release of Windows Server 2008, Microsoft introduced Network Policy Server (NPS) as its Remote Authentication Dial-In User Service (RADIUS) and VPN server. It replaces Internet Authentication Service (IAS) in Windows Server 2003. NPS performs the health evaluation and determines what access to grant NAP clients. When an access request is received, NPS extracts the client's statement of health (SoH) and forwards it to the NAP Administration Server. Based on the Statement of Health Requests (SoHRs) from the System Health Validators (SHVs) and the health policies, NPS creates a System Statement of Health Response (SSoHR) that states whether the client complies. Every client must demonstrate that it complies with the rules of the NAP Administration Server. IPsec, IEEE 802.1X, VPN, Terminal Services Gateway and DHCP enforcement are available for restricting the network access of noncompliant hosts.

System Health Validator and Agents

A System Health Validator (SHV) is an element on the NAP client that can be matched to a System Health Agent (SHA). An SHA corresponds to one or more health requirement servers. The health requirements are Windows Firewall, antivirus, antispyware and Windows Update.

NAP Scenarios

· Desktop computers can pose a threat to the network if they are missing updates, are configured poorly, or have become infected by malware.

· Roaming laptops can be missing updates or the most recent antivirus signatures because the user has not connected the laptop to the corporate network for several weeks. A laptop faces potential attack when used on wireless networks, or when left unattended in a place accessible to untrustworthy individuals. With NAP, administrators can verify the health state of laptops each time they reconnect to the organization's network, whether via a VPN or when the user returns to the office.

· Some organizations allow their users to connect to the corporate network through a VPN using their own home computers. These computers are not under the control of the organization and are unmanaged. With NAP, however, network administrators can inspect the health state of these systems every time they establish a VPN connection, and limit access if the systems do not meet the health requirements.

· Businesses allow all sorts of people to visit their premises: consultants, partners, friends of employees, recruits and vendors may all ask for access to your network. Administrators can evaluate those computers and isolate them on a restricted network such as a separate VLAN. Presumably the restricted network would include Internet access to enable the visitors to reach their own e-mail accounts and other outside resources.

Further Study:

How to configure NAP (RADIUS)

How to configure VPN Server

How to configure WSUS

McAfee e-policy Orchestrator


Understanding Windows Firewall for Windows Server 2008 and Windows 7

November 24, 2009

The best way to justify a local firewall on Windows Server 2008 and Windows 7 is that it puts another layer of security in place while letting your computer keep communicating with the Internet. In ordinary terms, Windows Firewall is there to protect you from the bad guys on the Internet and to allow the good stuff into your computer. Windows Firewall is greatly improved for both home users and enterprise users, even though home users will not be able to customize it because this is fairly geeky stuff. However, the default firewall will be in place and UAC will pop up asking for consent whether you want to allow or disallow this or that. Here, I am going to talk about enterprise users who will consider deploying Windows Firewall to protect themselves from malicious software, spyware and attacks from the Internet.

The new graphical interface is for managing Windows Firewall locally and through Active Directory Group Policy. Another improvement I would like to mention here is control of Windows services through Windows Firewall. I had a nightmare with the Conficker virus, which spread faster than a rocket using ports 135-139, used Windows services to keep itself running on Windows XP SP2 and disabled the Active Directory account policy. In the Conficker situation, svchost was compromised. Windows Service Hardening helps to reduce the impact in several ways: the firewall will block abnormal behaviour such as a service that does not need to access the network trying to send out HTTP traffic. Windows Server 2008 and Windows 7 make intelligent use of outbound filtering by blocking system services from initiating network connections except for what they require to function properly. Inbound filtering is what stops malicious network traffic such as Nimda, Slammer, Sasser, Conficker, Blaster, or anything else that sends unwanted or suspicious traffic to a Windows server. The new Windows Firewall also integrates with Active Directory users, groups and computers and supports IPsec and TCP/IP version 6. To manage the new Windows Firewall via Group Policy, open Group Policy Management>select the specific Group Policy object>right-click>click Edit, then navigate to Computer Configuration>Windows Settings>Security Settings>Windows Firewall with Advanced Security in the Group Policy.
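As an added example (not from the original post), the following netsh advfirewall commands, run from an elevated PowerShell prompt, audit the firewall state, turn on dropped-packet logging so blocked worm traffic is visible, block the 135-139 range inbound on the public profile, and apply the service-hardening idea from the paragraph above: a block rule scoped to one service that should never send HTTP. MySvc is a placeholder service short name.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt
# on Windows Server 2008 / Windows 7; netsh advfirewall is the built-in CLI for the
# "Windows Firewall with Advanced Security" snap-in the post describes.

# Audit: is the firewall on for all three profiles, and is logging configured?
netsh advfirewall show allprofiles state
netsh advfirewall show allprofiles logging

# Log dropped connections for every profile, so traffic blocked by the rules below
# shows up in %systemroot%\system32\LogFiles\Firewall\pfirewall.log for investigation
netsh advfirewall set allprofiles logging droppedconnections enable

# Inbound: explicitly block the RPC/NetBIOS range (TCP 135-139) that Conficker and
# similar worms used, on the public profile only so domain file sharing keeps working
netsh advfirewall firewall add rule name=BlockNetbiosRpcPublic dir=in action=block `
    protocol=TCP localport=135-139 profile=public

# Outbound service hardening: a service with no business talking HTTP gets a block
# rule scoped to its service SID, so a compromised svchost-hosted service cannot
# reach out on 80/443 even though the outbound default is allow.
# 'MySvc' is a placeholder; use the real service short name from services.msc.
netsh advfirewall firewall add rule name=MySvcNoOutboundHttp dir=out action=block `
    service=MySvc protocol=TCP remoteport=80,443

# Review the rules just created
netsh advfirewall firewall show rule name=BlockNetbiosRpcPublic
netsh advfirewall firewall show rule name=MySvcNoOutboundHttp
```

Rules created this way apply locally; to push the same settings to many servers, put them in the Group Policy object at the path named in the paragraph above.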

Windows Firewall Screenshots: (seven screenshots, not reproduced in this text version)


Deploy Windows Media Player 11 using Windows Server Update Services (WSUS)

November 23, 2009

Log on to the WSUS server using administrative credentials.

Open Administrative Tools>Windows Server Update Services>right-click Updates>click Import.

Now the Microsoft Update Catalog will be presented to you in IE. Search for Windows Media Player in the catalog and add Media Player according to your system architecture.

Click View Basket>click Import and wait for the import to complete.

Windows Server Update Services>right-click Updates>click Search>type Windows Media Player>Select All>right-click and approve the selection for the desired desktop group.

Keywords: WSUS, Windows Media Player 11

Further Study:  Windows Media Player 11 , WSUS



Step by Step Guide on Exchange Server 2010 Edge Transport Role

November 16, 2009

The Edge Transport role in Exchange Server 2010 provides an important layer of security between the external and internal messaging infrastructure. The Edge server analyses messages and can identify spam, content and connection trends and take the appropriate action to prevent delivery of potentially harmful content, spam and other undesired messages. So all messages coming into and going out from the entire organization are scanned by the Edge Transport server and verified against the policies deployed on it before they pass through toward external networks. The Edge Transport server plays a vital role in the messaging infrastructure, protecting the organization from attack and preventing delivery of unnecessary email, which ultimately can save an organization's reputation, reduce administrative overhead and increase productivity.

Installation Prerequisite:

Windows Server 2008 x64 SP 2 or Windows Server 2008 R2

Microsoft .NET Framework 3.5

Windows Remote Management 2.0

Windows PowerShell V2

Active Directory Lightweight Directory Services (AD LDS)

Exchange Server 2010 HT, CAS and Mailbox roles installed on a separate Windows Server 2008 computer

Installation: (setup screenshots, not reproduced in this text version)

Edge Transport Config:

Now, from Start>All Programs>Microsoft Exchange Server 2010>Exchange Management Console, you have to configure the Anti-Spam, Receive Connectors, Send Connectors, Transport Rules and Accepted Domains tabs available in the Edge Transport console. On the Anti-Spam tab, you have to configure Content Filtering, IP Allow List, IP Allow List Providers, IP Block List, IP Block List Providers, Recipient Filtering, Sender Filtering, Sender ID and Sender Reputation through the action pane.

EdgeSync Config on an Edge Transport Server:

On the Edge Transport server, open the Exchange Management Shell and type the following:

New-EdgeSubscription -FileName "C:\Edgeinfo.xml"

Copy the Edge subscription file to the Hub Transport server as C:\Edgeinfo.xml

On the Hub Transport server, open Exchange Management Console>Organization Configuration>Hub Transport section

In the action pane, click New Edge Subscription to start the New Edge Subscription Wizard.

Click Browse>select Active Directory site>select Default First Site

Browse to the location of the Edge subscription file you copied from the Edge Transport server and click Next>Finish

Verify synchronization to the Edge Transport server's AD LDS and review the Application log in Event Viewer on both the Hub and Edge Transport servers
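The same EdgeSync procedure can be completed entirely from the Exchange Management Shell, including the verification step the last line asks for. This is an added example, not the post's own commands beyond New-EdgeSubscription; it assumes the Hub Transport server is in Default-First-Site-Name and that the subscription file is at C:\Edgeinfo.xml on both servers.

```powershell
# Added example, not from the original post. The first block runs on the Edge
# Transport server, the rest on a Hub Transport server in the chosen AD site.

# --- On the Edge Transport server ---
New-EdgeSubscription -FileName "C:\Edgeinfo.xml"
# Copy C:\Edgeinfo.xml to the Hub Transport server. The file carries the bootstrap
# credentials for the Edge server's AD LDS, so copy it over a trusted channel only.

# --- On the Hub Transport server ---
$siteName = 'Default-First-Site-Name'     # assumed: the site the post picks in the wizard
$fileData = [byte[]]$(Get-Content -Path "C:\Edgeinfo.xml" -Encoding Byte -ReadCount 0)
New-EdgeSubscription -FileData $fileData -Site $siteName `
    -CreateInternetSendConnector $true -CreateInboundSendConnector $true

# Push the first synchronization now instead of waiting for the schedule
Start-EdgeSynchronization -Server (hostname)

# Verify: SyncStatus should be Normal and LastSynchronizedUtc recent for each Edge server
Test-EdgeSynchronization | Format-List Name, SyncStatus, UtcNow, LastSynchronizedUtc, FailureDetails

# Full compare reports any recipient or configuration drift between AD and the
# Edge server's AD LDS instance, which is what the Application log check is for
Test-EdgeSynchronization -FullCompareMode -VerboseErrors

# The subscription file is single-use; remove it once the subscription exists
Remove-Item "C:\Edgeinfo.xml"
```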


Further Study:

Microsoft Tech

Edge Transport Overview

Key Words: Edge Transport, Exchange 2010, AD LDS, Windows Server 2008
