Archive for December 2012

Fine Grained Password Policy Example

Introduction

One of the nice features introduced in Windows Server 2008 R2 AD DS is the ability to configure fine-grained password policies through the GUI. You can use fine-grained password policies to apply different password and account lockout restrictions to different sets of users in a domain.

Fine-grained password policies apply only to user objects (or inetOrgPerson objects if they are used instead of User objects) and Global Security Groups. They cannot be applied to Computer objects.

Instructions

  • Log into your DC and type Start > Run > gpmc.msc or Start > Administrative Tools > Group Policy Management
  • Expand Forest: yourforest.com.
  • Expand Domains: yourdomain.com.
  • Click Default Domain Policy and Click Settings in the right hand pane
  • Check the current Password Policy

  • When you have finished noting the settings you currently have you can minimise the Group Policy Console
  • Next type Start > Run > adsiedit.msc
  • Right-click on ADSIEdit > connect to:

  • Click OK
  • Expand Default naming context > DC=yourdomain,DC=com\CN=System\CN=Password Settings Container\

  • Right-Click Password Settings Container and click New > Object.

  • Select msDS-PasswordSettings > Next

  • Type a Value such as NewPasswordPolicy > Next

  • This box, msDS-PasswordSettingsPrecedence, is an integer value used to resolve conflicts if multiple PSOs are applied to a user or group object. If several PSOs apply, the PSO with the lowest precedence value wins. Try typing 10 > Next

  • Type False for msDS-PasswordReversibleEncryptionEnabled so passwords are never stored with reversible encryption > Next

  • Type 24 for msDS-PasswordHistoryLength so the last 24 passwords are remembered and cannot be reused; the aim is to stop people cycling back to the same password for 2 years (24 monthly changes) > Next

  • Type True for msDS-PasswordComplexityEnabled to require a mix of upper case, lower case, numbers and special characters > Next

  • Type 8 for msDS-MinimumPasswordLength, the minimum number of characters a password may have > Next
  • Now we get into the next section of configuration where different rules apply.
  • When you use ADSI Edit to create the following Password Settings objects (PSOs), enter the values of the four time-related PSO attributes (msDS-MaximumPasswordAge, msDS-MinimumPasswordAge, msDS-LockoutObservationWindow, and msDS-LockoutDuration) in d:hh:mm:ss format.
  • Please see this link for detailed settings
  • http://technet.microsoft.com/en-us/library/cc754461.aspx

  • Type 1:00:00:00 for msDS-MinimumPasswordAge so a password must be 1 day old before a user can change it again > Next

  • Type 42 for msDS-MaximumPasswordAge (42 days, i.e. 42:00:00:00 in the d:hh:mm:ss form noted above). Users are prompted to change their password after 42 days > Next

  • Type 10 for msDS-LockoutThreshold, the number of failed password attempts before the account is locked out > Next

  • Type 30 for msDS-LockoutObservationWindow (30 minutes, i.e. 0:00:30:00 in d:hh:mm:ss form). This setting specifies how long the system collects bad password attempts to compare against the msDS-LockoutThreshold value. The lockout observation window must be smaller than or equal to the lockout duration for a password policy > Next

  • Type 0:00:30:00 for msDS-LockoutDuration to set a 30 minute account lockout duration. The lockout duration must be greater than or equal to the lockout observation time for a password policy > Next

  • You can either click Finish or Click on More Attributes

  • Select Both for Select which Properties to View
  • Click the Drop down on Select a Property to View and choose msDS-PSOAppliesTo
  • Click Edit Attribute

  • In Edit Attribute, add the distinguished names of the users or global security groups that the PSO is to be applied to, and then click Add, e.g. CN=Users,DC=testdomain,DC=Local
  • You are all complete, with a separate password policy applied to a subset of your Active Directory
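The same PSO built with the ActiveDirectory PowerShell module instead of ADSI Edit, as an added example that is not part of the original post. The group CN=Finance Users,OU=Groups,DC=yourdomain,DC=com and the user jsmith are hypothetical names to replace with your own; the module is assumed to be available on the DC.

```powershell
# Added example: builds the PSO from the walkthrough with the ActiveDirectory module.
# Assumptions (hypothetical names): the group and the test user below exist.
Import-Module ActiveDirectory

$targetGroup = 'CN=Finance Users,OU=Groups,DC=yourdomain,DC=com'   # hypothetical
$testUser    = 'jsmith'                                             # hypothetical member of that group

# PSOs only bind to user objects or global security groups, so check before linking.
$group = Get-ADGroup -Identity $targetGroup
if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
    throw "PSO subjects must be users or global security groups: $targetGroup is $($group.GroupScope)/$($group.GroupCategory)"
}

# Same values as the ADSI Edit steps; the d:hh:mm:ss attributes become TimeSpans.
$pso = @{
    Name                        = 'NewPasswordPolicy'
    Precedence                  = 10                         # lowest value wins when several PSOs apply
    ReversibleEncryptionEnabled = $false
    PasswordHistoryCount        = 24
    ComplexityEnabled           = $true
    MinPasswordLength           = 8
    MinPasswordAge              = (New-TimeSpan -Days 1)     # 1:00:00:00
    MaxPasswordAge              = (New-TimeSpan -Days 42)    # 42:00:00:00
    LockoutThreshold            = 10
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30) # 0:00:30:00, must be <= LockoutDuration
    LockoutDuration             = (New-TimeSpan -Minutes 30) # 0:00:30:00
}
if ($pso.LockoutObservationWindow -gt $pso.LockoutDuration) {
    throw 'msDS-LockoutObservationWindow must not exceed msDS-LockoutDuration'
}
New-ADFineGrainedPasswordPolicy @pso

# Equivalent of editing msDS-PSOAppliesTo in ADSI Edit.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso.Name -Subjects $group

# Confirm the PSO is the one that wins for a member; no output means the Default
# Domain Policy still applies (wrong group scope, or another PSO with a lower Precedence).
Get-ADUserResultantPasswordPolicy -Identity $testUser |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutDuration
```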

Link to Step by Step Guide

http://technet.microsoft.com/en-us/library/cc770842.aspx

IPv6 Explained

Overview

IPv6 (Internet Protocol version 6) is the latest revision of the Internet Protocol (IP), the primary communications protocol upon which the entire Internet is built. It is intended to replace the older IPv4, which is still employed for the vast majority of Internet traffic as of 2012. IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with the long-anticipated problem of IPv4 running out of addresses.

Each device on the Internet, such as a computer or mobile telephone, must be assigned an IP address, a number with a certain number of binary digits (each represented by one bit), in order to communicate with other devices. With the ever-increasing number of new devices being connected to the Internet, there is a need for more addresses than IPv4 can accommodate. IPv6 uses 128-bit addresses, allowing for 2^128, or approximately 3.4×10^38 addresses, more than 7.9×10^28 times as many as IPv4, which uses 32-bit addresses. IPv4 allows for only 4,294,967,296 unique addresses worldwide (fewer than one address per person alive in 2012), whereas IPv6 allows for around 4.8×10^28 addresses per person, a number unlikely to ever run out. However, the two protocols are not compatible, which complicates the transition to IPv6.

Why IPv6?

  • Depletion of IPv4 addresses by 2013
  • No more NAT (Network Address Translation)
  • Simplified Routing
  • No Broadcasting, Multicasting only
  • IPv6 will never run out of addresses
  • Data encryption built-in
  • Current equipment can be used
  • Support for mobile devices

IPv4 vs IPv6

IPv4

  • Broadcast ARP-MAC Address
  • IP Address acquisition (Static/DHCP)
  • APIPA (Automatic IP Addressing)
  • 32 Bit IP Address

  • 4 octets of 8 bits
  • Decimal numbering system
  • Subnet Mask defines the network or sub-network

IPv6

  • No Broadcast
  • Multicast: ND (Neighbour Discovery) messages
  • Hexadecimal numbering system
  • 8 Blocks of 16 bits each

  • No more Subnet Masks, just Subnet Prefix Lengths
  • Separator is a colon (:)

IPv6 Rules

  • Leading zeros may be omitted

2001:0DA8:E800:0000:0260:3EFF:FE47:0001 -> 2001:DA8:E800:0:260:3EFF:FE47:1

  • Consecutive blocks of zeros can be written as a double colon ::

2001:0DA8:E800:0000:0000:0000:0000:0001 -> 2001:DA8:E800::1

  • Only one double colon per IP address
  • Each block has 4 hexadecimal characters max. We use hexadecimal because the binary form would be too long and difficult to type

Useful Conversion Chart for Hexadecimal/Decimal/Binary

IPv6 Address Scopes

Three categories of IP addresses are supported in IPv6:

  • Unicast – An identifier for a single interface. A packet sent to a unicast address is delivered to the interface identified by that address. It can be link-local scope, site-local scope, or global scope.
  • Multicast – An identifier for a group of interfaces (typically belonging to different nodes). A packet sent to a multicast address is delivered to all interfaces identified by that address.
  • Anycast – An identifier for a group of interfaces (typically belonging to different nodes). A packet sent to an anycast address is delivered to the closest member of a group, according to the routing protocols’ measure of distance. Anycast addresses are taken from the unicast address spaces (of any scope) and are not syntactically distinguishable from unicast addresses. Anycast is described as a cross between unicast and multicast. Like multicast, multiple nodes may be listening on an anycast address. Like unicast, a packet sent to an anycast address will be delivered to one (and only one) of those nodes. The exact node to which it is delivered is based on the IP routing tables in the network
  • Reserved

Link-Local Unicast address

  • Only used for communications within the local subnetwork (automatic address configuration, neighbor discovery, router discovery, and by many routing protocols). It is only valid on the current subnet
  • Routers do not forward packets with link-local addresses
  • They are allocated from the FE80::/64 prefix, so they can be easily recognised by the leading FE80. Some books give the range of link-local addresses as FE80::/10, meaning only the first 10 bits are fixed and a link-local address could begin with FE80, FE90, FEA0 or FEB0, but in fact the next 54 bits are all zeros, so you will only see the prefix FE80 for link-local addresses
  • Same as APIPA 169.254.x.x in IPv4, it is assigned when a DHCP server is unavailable and no static addresses have been assigned
  • Usually created dynamically using a link-local prefix of FE80::/10 and a 64-bit interface identifier (based on 48-bit MAC address)

Global Unicast address

  • A Unicast address acts as an identifier for a single interface. An IPv6 packet sent to a Unicast address is delivered to the interface identified by that address.
  • Unicast packets sent through the public Internet
  • Globally unique throughout the Internet
  • Starts with a 2000::/3 prefix (this means any address beginning with 2 or 3). But in the future global Unicast address might not have this limitation

Site-Local/Unique Local Unicast address

  • Allows devices in the same organization, or site, to exchange data.
  • Starts with the prefix FEC0::/10. They are analogous to IPv4's private address classes.
  • Site-local addresses are no longer supported (deprecated) by RFC 3879 so you might not see it in the future.

Special Addresses in IPv6

  • ::/96 The zero prefix denotes addresses that are compatible with the previously used IPv4 protocol.
  • ::/128 An IPv6 address with all zeroes in it is referred to as the unspecified address and is used for addressing purposes within software.
  • ::1/128 This is called the loop back address and is used to refer to the local host. An application sending a packet to this address will get the packet back after it is looped back by the IPv6 stack. The local host address in the IPv4 was 127.0.0.1
  • 2001:db8::/32 This is the documentation prefix reserved in IPv6. All examples of IPv6 addresses should ideally use this prefix to indicate that they are examples
  • fec0::/10 This is the site-local prefix in IPv6. This address prefix signifies that the address is valid only within the local organization. Subsequently, the usage of this prefix has been discouraged by the RFC.
  • fc00::/7 This is called the Unique Local Address (ULA). These addresses are routed only within a set of cooperating sites. They were introduced in IPv6 to replace the site-local addresses. These addresses also carry a 40-bit pseudorandom number that reduces the risk of address conflicts
  • ff00::/8 This prefix is offered by IPv6 to denote the multicast addresses. Any address carrying this prefix is automatically understood to be a multicast address
  • fe80::/10 This is a link-local prefix offered by IPv6. This address prefix signifies that the address is valid only in the local physical link
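As an added example (not part of the original post), the PowerShell below applies the two shortening rules from the IPv6 Rules section in reverse, enforces the one-double-colon rule, and then names the scope of an address from the prefixes listed above. The function names Expand-IPv6 and Get-IPv6Scope and the sample addresses are my own.

```powershell
# Added example: undo the two shortening rules to get the full 8-block form,
# enforce the "only one ::" rule, and name the scope from the prefixes above.
function Expand-IPv6 {
    param([Parameter(Mandatory)][string]$Address)
    if (($Address -split '::').Count -gt 2) { throw "Only one '::' is allowed: $Address" }
    if ($Address -match '::') {
        # Rule 2 in reverse: '::' stands for however many zero blocks are needed to reach 8
        $left, $right = $Address -split '::', 2
        $l = @($left  -split ':' | Where-Object { $_ -ne '' })
        $r = @($right -split ':' | Where-Object { $_ -ne '' })
        $missing = 8 - ($l.Count + $r.Count)
        if ($missing -lt 1) { throw "'::' must replace at least one zero block: $Address" }
        $blocks = $l + (@('0') * $missing) + $r
    } else {
        $blocks = @($Address -split ':')
    }
    if ($blocks.Count -ne 8) { throw "Expected 8 blocks, got $($blocks.Count): $Address" }
    foreach ($b in $blocks) {
        if ($b -notmatch '^[0-9A-Fa-f]{1,4}$') { throw "Block '$b' is not 1-4 hex digits: $Address" }
    }
    # Rule 1 in reverse: put the leading zeros back so every block is 4 hex characters
    ($blocks | ForEach-Object { $_.PadLeft(4, '0').ToUpper() }) -join ':'
}

function Get-IPv6Scope {
    param([Parameter(Mandatory)][string]$Address)
    $hex = (Expand-IPv6 $Address) -replace ':', ''        # 32 hex digits, no separators
    $top = [Convert]::ToInt32($hex.Substring(0, 4), 16)   # first 16 bits as a number
    if     ($hex -eq ('0' * 32))             { '::/128 unspecified' }
    elseif ($hex -eq (('0' * 31) + '1'))     { '::1/128 loopback' }
    elseif ($hex.StartsWith('0' * 24))       { '::/96 IPv4-compatible' }
    elseif ($hex.StartsWith('20010DB8'))     { '2001:db8::/32 documentation' }
    elseif (($top -band 0xFFC0) -eq 0xFE80)  { 'fe80::/10 link-local' }      # FE80..FEBF
    elseif (($top -band 0xFFC0) -eq 0xFEC0)  { 'fec0::/10 site-local (deprecated)' }
    elseif (($top -band 0xFE00) -eq 0xFC00)  { 'fc00::/7 unique local' }     # FC00..FDFF
    elseif (($top -band 0xFF00) -eq 0xFF00)  { 'ff00::/8 multicast' }
    elseif (($top -band 0xE000) -eq 0x2000)  { '2000::/3 global unicast' }   # 2xxx..3xxx
    else                                     { 'other/reserved' }
}

# Walk the addresses used in the rules above plus one of each special prefix (constructed samples).
'2001:0DA8:E800:0000:0260:3EFF:FE47:0001', '2001:DA8:E800::1', 'FE80::260:3EFF:FE47:1',
'fd12:3456::1', 'ff02::1', '::1', '2001:db8::' | ForEach-Object {
    '{0,-40} {1,-40} {2}' -f $_, (Expand-IPv6 $_), (Get-IPv6Scope $_)
}
```

The documentation check sits before the global-unicast check on purpose: 2001:db8::/32 lies inside 2000::/3, so the more specific prefix has to be tested first.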

Transition Techniques

  • Dual Stack Techniques allowing IPv4 and IPv6 to co-exist together in the same network
  • Tunneling Techniques to avoid order dependencies when upgrading hosts, routers or regions
  • Translation Techniques to allow IPv6 only devices to communicate with IPv4 only devices

IPV6 vs IPV4: what are they, what’s the difference, which is most secure?

Comparitech have written a useful article on IPV6 vs IPV4: what are they, what’s the difference, which is most secure? Please see the below link for the article.

https://www.comparitech.com/blog/vpn-privacy/ipv6-vs-ipv4/


ESXi/ESX 4/5 hosts with visibility to RDM LUNs used by MSCS nodes may take a long time to boot or to rescan LUNs

The Problem

We were finding some of our IBM x3850 VMware ESXi 4.X Servers were taking a long time to boot up, somewhere in the region of 30 minutes which was unacceptable during upgrades and general maintenance. We are running vSphere 4.1 U3.

The Explanation

During a boot of an ESXi host, the storage mid-layer attempts to discover all devices presented to an ESXi host during the device claiming phase. However, MSCS LUNs that have a permanent SCSI reservation cause the boot process to elongate as the ESXi host cannot interrogate the LUN due to the persistent SCSI reservation placed on a device by an active MSCS Node hosted on another ESXi host.

Configuring a device as perennially reserved is local to each ESXi host, and must be performed on every ESXi host that has visibility to each device participating in an MSCS cluster.

Solution for VMware vSphere 4.X

Modify this advanced configuration option below on the affected ESXi/ESX hosts to speed up the boot process:

  • ESXi/ESX 4.1: Change the advanced option scsi.CRTimeoutDuringBoot to 1
  • ESXi/ESX 4.0: Change the advanced option scsi.UWConflictRetries to 80

We also adjusted a setting in the BIOS

  • Log onto the IMM of the server (see the server list for the IMM IP address), open a remote control session to the server and reboot
  • Enter BIOS when prompted by pressing F1.
  • Go to System settings>Devices and I/O ports>Enable/disable Adaptor Option ROM Support
  • Disable any empty slots in UEFI option ROM

Solution for VMware vSphere 5.X

  1. Determine which RDM LUNs are part of an MSCS cluster.
  2. From the vSphere Client, select a virtual machine that has a mapping to the MSCS cluster RDM devices.
  3. Edit your virtual machine settings and navigate to your Mapped RAW LUNs.
  4. Select Manage Paths to display the device properties of the Mapped RAW LUN and the device identifier (that is, the naa ID)
  5. Take note of the naa ID, which is a globally unique identifier for your shared device.
  6. Log into the host over SSH (e.g. with PuTTY) and type the following commands, one per line for each RDM disk

Example: Server 1 (database server) with 4 RDM LUNs

  • esxcli storage core device setconfig -d naa.60050768028080befc000000000000z1 --perennially-reserved=true
  • esxcli storage core device setconfig -d naa.60050768028080befc000000000000z2 --perennially-reserved=true
  • esxcli storage core device setconfig -d naa.60050768028080befc000000000000z3 --perennially-reserved=true
  • esxcli storage core device setconfig -d naa.60050768028080befc000000000000z4 --perennially-reserved=true

Confirm that the correct devices are marked as perennially reserved (look for "Is Perennially Reserved: true" against each naa ID) by running the command:

  • esxcli storage core device list | less

More Information

http://kb.vmware.com/externalId=1016106

http://www-947.ibm.com/support