Considerations when upgrading Active Directory schema to Windows Server 2016

Every new release of Windows Server provides new schema attributes for Active Directory. If you are running earlier versions of Active Directory, such as Windows Server 2012 R2, in your environment and if you would like to use the new schema attributes that ship with Windows Server 2016, you are required to upgrade your existing schema to Windows Server 2016. This article explains the approach that you will need to follow when upgrading Active Directory schema in a production environment. While the Active Directory schema upgrade process is quite simple, a failure in the schema upgrade might cause downtime for your production environment.

Test schema updates in test environment

Your first task is to ensure that the schema updates you are going to apply to a production environment are tested in a test environment. In a test environment, you would need a domain controller that is running Windows Server 2012 R2 and one more domain controller to ensure the schema changes can be replicated. You will be required to execute the ADPrep tool, located under the Windows Server 2016 media in \Support folder. The following commands need to be executed to upgrade the schema:

  • ADPrep /ForestPrep: Use this command to run a forest-wide schema update operation.
  • ADPrep /DomainPrep: Use this command to run a domain-wide schema update operation.

Once you have executed these commands, verify the schema in Active Directory. To ensure ADPrep /ForestPrep completed successfully, use ADSIEdit and check the value of the “Revision” attribute under the ActiveDirectoryUpdate container. The value must be set to 16.

Active Directory schema upgrade approach for a production AD forest

Once you have tested the schema in the test environment, you can follow a steady approach to upgrade the schema in the production environment. It is important to understand that if you decide to restore Active Directory to the previous schema state, you have no option other than restoring the complete Active Directory forest. When updating the schema, create an isolated environment that will be used to upgrade the schema. The environment will have a single domain controller running Windows Server 2012 R2. The complete approach is highlighted below:

Step 1: Create a new Active Directory site called “Schema-Upgrade.” You will create this site in the production Active Directory forest.

Step 2: Move one production domain controller to the “Schema-Upgrade” AD site.

Step 3: Run the KCC (Knowledge Consistency Checker) to ensure connection objects are created between the domain controller in the “Schema-Upgrade” site and the domain controllers in the nearest locations. This step is required to ensure an Active Directory replication connection object exists between the domain controllers.

Step 4: Force replication to ensure a “Full Active Directory Replication Cycle” is completed.

Step 5: Remove the Active Directory connection objects to the other domain controllers. This ensures the schema is applied only to the domain controller in the “Schema-Upgrade” AD site.

Step 6: Once the schema update is successful, verify the update by running the LDP.exe utility and performing the below steps:

  1. Run the LDP.exe tool, go to Connection and then click Bind.
  2. Click OK. Next, click View, then Tree, and select the following LDAP path from the dropdown list: CN=Schema,CN=Configuration,DC=<DomainName>,DC=<Com>
  3. Click OK to run the LDP query against the above LDAP path.
  4. In the right pane, check the objectVersion attribute. If it is 87, the ADPrep command successfully extended the schema.

Tip: The ObjectVersion attribute contains the schema version of the Active Directory forest. This attribute is modified when you upgrade the schema of the current Active Directory forest.

At this point, the schema update has been applied successfully to the domain controller running in the “Schema-Upgrade” Active Directory site. You might want to execute all necessary tests to ensure the new schema attributes have been populated successfully on the domain controller in the “Schema-Upgrade” site. You also need to check the System, Active Directory and Application event logs to ensure there are no errors or warnings reported. Once you have confirmed that the schema testing results pass, enable replication with the other domain controllers.

It’s simple — but be careful

While the Active Directory schema upgrade process is very simple, as you are required to run only a few commands on a domain controller, a failure in the schema upgrade process may completely take your entire Active Directory environment down and may require you to restore the Active Directory forest using the Active Directory forest restore methods.

Source: http://techgenix.com/upgrading-active-directory-schema/?li_source=LI&li_medium=tg-afterpost

 

Python: Check if a File or Directory Exists

There are quite a few ways to solve a problem in programming, and this holds true especially in Python. Many times you’ll find that multiple built-in or standard modules serve essentially the same purpose, but with slightly varying functionality. Checking if a file or directory exists using Python is definitely one of those cases.

Here are a few ways to check for existing files/directories and their nuances. Throughout these examples we’ll assume our current working directory has these files and directories in it:

drwxr-xr-x  3 scott  staff  102 Jan 12 10:01 dir  
-rw-r--r--  1 scott  staff    5 Jan 12 09:56 file.txt
lrwxr-xr-x  1 scott  staff    8 Jan 12 09:56 link.txt -> file.txt  
lrwxr-xr-x  1 scott  staff    3 Jan 12 10:00 sym -> dir  

Notice that we have one directory (dir), one file (file.txt), one file symlink (link.txt), and one directory symlink (sym).

Checking if a File Exists

This is arguably the easiest way to check both that a path exists and that it is a regular file.

import os
os.path.isfile('./file.txt')    # True
os.path.isfile('./link.txt')    # True
os.path.isfile('./fake.txt')    # False
os.path.isfile('./dir')         # False
os.path.isfile('./sym')         # False
os.path.isfile('./foo')         # False

Note that os.path.isfile does follow symlinks, so we get True when checking link.txt.

isfile is actually just a helper method that internally uses os.stat and stat.S_ISREG(mode) underneath, which we’ll touch on later.

Checking if a Directory Exists

Like the isfile method, os.path.isdir is the easiest way to check if a directory exists, or if the path given is a directory.

import os
os.path.isdir('./file.txt')     # False
os.path.isdir('./link.txt')     # False
os.path.isdir('./fake.txt')     # False
os.path.isdir('./dir')          # True
os.path.isdir('./sym')          # True
os.path.isdir('./foo')          # False

Again, just like isfile, os.path.isdir does follow symlinks. It is also just a simple wrapper around os.stat and stat.S_ISDIR(mode), so you’re not getting much more than convenience from it.

Checking if Either Exist

Another way to check if a path exists (as long as you don’t care if the path points to a file or directory) is to use os.path.exists.

import os
os.path.exists('./file.txt')    # True
os.path.exists('./link.txt')    # True
os.path.exists('./fake.txt')    # False
os.path.exists('./dir')         # True
os.path.exists('./sym')         # True
os.path.exists('./foo')         # False

As you can see, it doesn’t care if the path points to a file, directory, or symlink, so it’s almost like you’re using isfile(path) or isdir(path). But actually, internally it is just trying to call os.stat(path), and if an error is thrown then it returns False.

Advanced

Throughout the article I’ve been mentioning how all of the above methods utilize the os.stat method, so I figured it would be useful to take a look at it. This is a lower-level method that will provide you with detailed information about files, directories, sockets, buffers, and more.

Like all the other methods we’ve already covered, os.stat follows symlinks, so if you want to get the stat info on the link itself, use os.lstat() instead.

Since every operating system is different, the data provided by os.stat varies greatly. Here is just some of the data that each OS has in common:

  • st_mode: protection bits
  • st_uid: owner’s user id
  • st_gid: owner’s group id
  • st_size: size of file in bytes
  • st_atime: time of last access
  • st_mtime: time of last modification
  • st_ctime: time of last metadata change on Unix, or time of creation on Windows

You can then use this data with the stat module to get interesting information, like whether a path points to a socket (stat.S_ISSOCK(mode)), or if a file is actually a named pipe (stat.S_ISFIFO(mode)).

If you need some more advanced functionality, then this is where you should go. But for 90% of the time you’re dealing with directories and files, the os or os.path modules should have you covered.

One valid use case for os.stat, though, is when you’re doing multiple tests on the same file and want to avoid the overhead of a separate stat system call for each test: call os.stat once and run all of your tests against the returned result.
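The two points above (os.lstat sees the link itself, and one os.stat result can feed several tests) as an added example; this is not code from the article. It recreates the article’s listing in a temporary directory plus one dangling symlink of its own, and the function and fixture names are this example’s, not anything from the os module.

```python
import os
import stat
import tempfile


def classify(path):
    """Classify a path with a single os.lstat() call, without following symlinks.

    Returns 'missing', 'symlink', 'file', 'dir', 'socket', 'fifo' or 'other'.
    os.path.isfile/isdir/exists would report a link as whatever it points to
    (and a dangling link as missing); lstat lets us see the link itself.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "missing"
    mode = st.st_mode
    if stat.S_ISLNK(mode):
        return "symlink"
    if stat.S_ISREG(mode):
        return "file"
    if stat.S_ISDIR(mode):
        return "dir"
    if stat.S_ISSOCK(mode):
        return "socket"
    if stat.S_ISFIFO(mode):
        return "fifo"
    return "other"


def stat_summary(path):
    """Run several tests from ONE os.stat() result (follows symlinks, like isfile/isdir).

    Returns None when the target does not exist, which is also what happens for a
    dangling symlink, mirroring os.path.exists().
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    mode = st.st_mode
    return {
        "is_file": stat.S_ISREG(mode),
        "is_dir": stat.S_ISDIR(mode),
        "size": st.st_size,
        # a permission bit worth checking before trusting e.g. a config file
        "world_writable": bool(mode & stat.S_IWOTH),
    }


def build_fixture():
    """Create the article's layout in a temp dir (constructed test data):
    dir/, file.txt (5 bytes), link.txt -> file.txt, sym -> dir, plus a
    dangling link the article does not have, to show the lstat/stat difference."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "dir"))
    with open(os.path.join(root, "file.txt"), "w") as f:
        f.write("hello")  # 5 bytes, as in the listing
    os.symlink("file.txt", os.path.join(root, "link.txt"))
    os.symlink("dir", os.path.join(root, "sym"))
    os.symlink("fake.txt", os.path.join(root, "dangling"))  # target never created
    return root


if __name__ == "__main__":
    root = build_fixture()
    for name in ("file.txt", "link.txt", "dir", "sym", "dangling", "fake.txt"):
        p = os.path.join(root, name)
        print(f"{name:10} lstat={classify(p):8} exists={os.path.exists(p)!s:5} stat={stat_summary(p)}")
```

The dangling link is the instructive case: os.path.exists() and stat_summary() both say it is not there, while classify() still reports a symlink, which is what you want when deciding whether a path can be trusted rather than whether its target is currently reachable.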

Source: http://stackabuse.com/python-check-if-a-file-or-directory-exists/

Python logging lib – log to a file

6.28.8.1 Basic example – log to a file

Here’s a simple logging example that just logs to a file. In order, it creates a Logger instance, then a FileHandler and a Formatter. It attaches the Formatter to the FileHandler, then the FileHandler to the Logger. Finally, it sets a debug level for the logger.

import logging
logger = logging.getLogger('myapp')
hdlr = logging.FileHandler('/var/tmp/myapp.log')
formatter = logging.Formatter('%(asctime)s %(levelname)s %(message)s')
hdlr.setFormatter(formatter)
logger.addHandler(hdlr) 
logger.setLevel(logging.WARNING)

We can use this logger object now to write entries to the log file:

logger.error('We have a problem')
logger.info('While this is just chatty')

If we look in the file that was created, we’ll see something like this:

2003-07-08 16:49:45,896 ERROR We have a problem

The info message was not written to the file – we called the setLevel method to say we only wanted WARNING or worse, so the info message is discarded.

The timestamp is of the form “year-month-day hour:minutes:seconds,milliseconds.” Note that despite the three digits of precision in the milliseconds field, not all systems provide time with this much precision.
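The same Logger, FileHandler and Formatter wiring as an added, self-contained example (not the original snippet): it logs to a temporary file instead of /var/tmp/myapp.log, writes the two records from the example, and reads the file back so the level gating can be checked. The function names are this example’s own.

```python
import logging
import os
import tempfile


def configure_file_logger(path, name="myapp"):
    """Wire Logger -> FileHandler -> Formatter as in the example, level WARNING.
    Returns (logger, handler) so the caller can close the handler afterwards."""
    logger = logging.getLogger(name)
    logger.handlers.clear()           # idempotent when called more than once
    logger.propagate = False          # keep records out of the root logger
    hdlr = logging.FileHandler(path)
    formatter = logging.Formatter("%(asctime)s %(levelname)s %(message)s")
    hdlr.setFormatter(formatter)
    logger.addHandler(hdlr)
    logger.setLevel(logging.WARNING)  # anything below WARNING is dropped by the logger
    return logger, hdlr


def demo():
    """Write the two records from the example and return the lines that reached the file."""
    fd, path = tempfile.mkstemp(suffix=".log")  # constructed temp path, not /var/tmp/myapp.log
    os.close(fd)
    logger, hdlr = configure_file_logger(path)
    logger.error("We have a problem")           # WARNING or worse: written
    logger.info("While this is just chatty")    # below WARNING: discarded
    hdlr.close()
    logger.removeHandler(hdlr)
    with open(path) as f:
        lines = f.read().splitlines()
    os.remove(path)
    return lines


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running it prints a single line of the form shown above (timestamp, ERROR, message); the info record never reaches the file.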

Source : 6.28.8.1 Basic example – log to a file

16.6. logging — Logging facility for Python — Python 3.6.4 documentation

This module defines functions and classes which implement a flexible event logging system for applications and libraries.

The key benefit of having the logging API provided by a standard library module is that all Python modules can participate in logging, so your application log can include your own messages integrated with messages from third-party modules.

The module provides a lot of functionality and flexibility. If you are unfamiliar with logging, the best way to get to grips with it is to see the tutorials (see the links on the right).

The basic classes defined by the module, together with their functions, are listed below.

  • Loggers expose the interface that application code directly uses.
  • Handlers send the log records (created by loggers) to the appropriate destination.
  • Filters provide a finer grained facility for determining which log records to output.
  • Formatters specify the layout of log records in the final output.
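The four classes working together, as an added example rather than code from the documentation: the Logger accepts every record, a Filter rewrites each record to mask a token value before any Handler sees it, the FileHandler’s own level decides what reaches disk, and a Formatter lays out the line. The RedactSecrets class, the “token=” message shape and the logger name are assumptions made for this example.

```python
import logging
import os
import re
import tempfile


class RedactSecrets(logging.Filter):
    """Filter that masks token values before any handler sees the record.

    A filter normally decides whether a record is emitted (return False to drop
    it); it may also edit the record in place, used here so that secrets never
    reach the log file. Only the message template is scanned, not %-format args.
    """
    TOKEN_RE = re.compile(r"(token=)\S+")

    def filter(self, record):
        record.msg = self.TOKEN_RE.sub(r"\1[REDACTED]", str(record.msg))
        return True


def build_logger(path, name="myapp.auth"):
    """Logger (DEBUG) -> Filter (redaction) -> FileHandler (WARNING+) -> Formatter."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)      # the logger accepts everything...
    logger.addFilter(RedactSecrets())   # ...and redacts every record it accepts

    hdlr = logging.FileHandler(path)
    hdlr.setLevel(logging.WARNING)      # ...but only WARNING and above reach disk
    hdlr.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(name)s %(message)s"))
    logger.addHandler(hdlr)
    return logger, hdlr


def demo():
    """Log one constructed warning and one constructed debug record; return the file's lines."""
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    logger, hdlr = build_logger(path)
    logger.warning("login failed for user=alice token=abc123.def456")
    logger.debug("session cache hit token=xyz789")   # stopped by the handler level
    hdlr.close()
    logger.removeHandler(hdlr)
    with open(path) as f:
        lines = f.read().splitlines()
    os.remove(path)
    return lines


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Attaching the filter to the logger rather than to the handler is deliberate: a handler-level filter would only protect that one destination, whereas a logger-level filter runs before the record is handed to any handler.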

For tutorial information and discussion of more advanced topics, see

Source : 16.6. logging — Logging facility for Python — Python 3.6.4 documentation

Install Exchange 2016 in Windows Server 2012 R2

Exchange 2016 is the latest version of the email server from Microsoft. If you are coming from Exchange 2013, there are a few new features introduced in Exchange 2016. The RTM version of Exchange 2016 was released in October 2015. The installation of Exchange 2016 is similar to the installation of Exchange 2013. The major difference between Exchange 2016 and Exchange 2013 is that Exchange 2016 now has just two roles, Mailbox and Edge Transport, as opposed to Exchange 2013, which had the Mailbox, Client Access and Edge Transport server roles. In this post, I will show the steps to install Exchange 2016 on Windows Server 2012 R2. You can also check the latest updates and service packs to install the latest version of Exchange 2016.

Install Exchange 2016 in Windows Server 2012 R2

Exchange 2016 co-existence is supported with Exchange 2010 (with SP3 update rollup 11 or greater) and Exchange 2013 (with cumulative update 10 or higher). There are different prerequisites for different installation scenarios that you must follow before you install Exchange 2016, so make sure you follow them. The diagram below shows a network scenario with two hosts, MBG-DC01 and MBG-EX01. MBG-DC01 is a domain controller and MBG-EX01 is the Exchange 2016 server. Both hosts are running the Windows Server 2012 R2 operating system.

Exchange 2016 Scenario

Here are prerequisites for this type of scenario.

  1. The Active Directory forest functional level must be Windows Server 2008 or higher.
  2. The Active Directory site must contain at least one Global Catalog server and a writable domain controller.
  3. The Exchange server must be a member of the domain.
  4. The user must have Enterprise Admin, Schema Admin and Domain Admin rights before starting the installation of Exchange 2016.

Installation Steps:

Log on to the MBG-EX01 server, open PowerShell as Administrator, and install the Remote Server Administration Tools for Active Directory with the cmdlet Add-WindowsFeature RSAT-ADDS.

Run the following command to install the required Windows components on MBG-EX01 (the Mailbox server). Reboot the server after installing these roles and features.

Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation

Download and install .NET Framework 4.5.2 on the Mailbox server. Install it first; the installation order is important.

Then download and install the Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit on the Mailbox server.

Start the installation of Exchange 2016. You will be asked to install updates first; the setup wizard then walks through the following pages:

  1. Choose the Connect to the Internet and check for updates option and click Next. The setup downloads and installs the required updates and then presents the Introduction page.
  2. Go through the Introduction page and click Next.
  3. Choose the I accept the terms in the license agreement option and click Next.
  4. Choose to use the recommended settings and click Next.
  5. Check the Mailbox role and click Next.
  6. Browse to the installation location and click Next.
  7. Type the name of the Exchange organization and click Next.
  8. On the malware protection page, choose No and click Next. Choosing No actually enables malware protection.
  9. The setup now runs the readiness check. Make sure you don’t get any errors. The warning shown in the readiness check simply states that the setup will now prepare the installation using the Setup /PrepareAD command and that no Exchange 2010 or Exchange 2013 servers have been detected in this network. Click the Install button to start the Exchange 2016 installation.
  10. The installation begins, and the setup installs all the required components for the Mailbox server.
  11. When the setup is completed, click Finish to close the installation wizard, then reboot the Exchange server.

You can check the current build and version of the Exchange server using the following cmdlet:

[PS] C:\Windows\System32>Get-ExchangeServer | fl name,edition,admindisplayversion

You can also view the setup log file located at <system drive>\ExchangeSetupLogs\ExchangeSetup.log. The log shows all the details of the Exchange installation, including details of any installation errors.

You can now log on to the Exchange Admin Center using the URL https://localhost/ecp. Enter the username and password and click Sign in.

In this way you can install Exchange 2016 on Windows Server 2012 R2. You can now create a mailbox database, create mailboxes, set up incoming and outgoing email, and so on.

Source : Install Exchange 2016 in Windows Server 2012 R2

Configure Shadow Copy of Shared Folder in Server 2012

The shadow copy feature in Server 2012 is used to restore previous versions of files and folders. Shadow copy backup is much faster than a traditional backup solution, but this doesn’t mean that the traditional backup solution is replaced by shadow copies. Shadow copies can be very handy in certain scenarios where one needs to restore an earlier version of a file or folder. To configure shadow copies of a shared folder in Server 2012, you first have to enable the shadow copy feature. In this post, I will show the steps to enable and configure shadow copies of a shared folder in Server 2012. The shadow copy feature can be used for both shared and non-shared folders and files.

A shadow copy is a snapshot of the data on a drive or folder. After taking a snapshot of the data, the server keeps track of changes to the data. These changes are stored on the same drive as the original file by default, although this location can be changed. Shadow copy does not copy all the files and folders but instead keeps track of these changes, using a set amount of disk space. This is the reason you can’t use shadow copies as a replacement for traditional backup. Shadow copy can keep many snapshots as long as the specified disk space is available. When the allocated disk space is full, shadow copy deletes the oldest snapshot. The steps shown in this post work for both Server 2012 and 2012 R2.

Enable and Configure Shadow Copy of Shared Folder in Server 2012

To enable the Shadow Copy feature, right-click the drive that contains the shared folders and click the Configure Shadow Copies option. Or, open the Properties of the drive which contains the shared folders and select the Shadow Copies tab in the Properties dialog box. Select the volume and click Enable.

After clicking Enable, you will see a warning about the default schedule settings. You can always change the default settings. Click Yes on the warning dialog box. Click Settings on the Shadow Copies tab to change the space allocated for shadow copies. This is the space used by Shadow Copies to store the different versions of snapshots.

Click the Schedule button to change the shadow copy schedule settings. Tweak the settings to fit your environment and click OK.

You can now access the shared folders and see the previous versions. Open the Properties of the shared folder from the local server or from a client PC over the network. Select the Previous Versions tab. You can see the list of previous versions of the files, and you can open one by clicking the Open button.

This is how you can configure volume shadow copies in Windows Server 2012. Volume shadow copies can also be configured on Server 2008 and Windows 7, but this feature has been deprecated in Windows 8. Instead, a new feature called File History has been introduced in Windows 8.

Shadow Copies for a Single Folder (Windows servers/clients)

It has always irritated me that Shadow Copies is enabled for an entire Volume, as I would like to use it on 1 or 2 folders only.

One solution I’ve come up with is to take advantage of creating a Volume inside an empty folder.

I have tested this on Windows Servers 2008 R2 and 2012.

This is how on Windows Server 2012 (very similar on 2008 R2):

  1. Open up Computer Management and select Disk Management under Storage.
  2. Right-click the Volume in which you’d like a folder with Shadow Copies.
  3. Click Shrink Volume.
  4. Select an amount to shrink that’s big enough for your folder and small enough to leave enough for the original Volume.
  5. Click Shrink.
  6. Right-click the new unallocated space and select New Simple Volume.
  7. Click Next twice.
  8. Select Mount in the following empty NTFS folder and click Browse.
  9. Select the Volume in which you’d like to place the folder.
  10. Click New Folder and give it a name.
  11. Click OK and Next.
  12. Name the Volume Label the same as your Folder name (makes it easier to administer) and click Next.
  13. Click Finish.
  14. In order for the restoring of previous files to work, you will need to assign this new volume a drive mapping as well.
  15. Right-click the new Volume and click Change Drive Letter and Paths.
  16. Click Add and choose a drive letter and click OK.
  17. Close the Computer Management.
  18. You can now share the folder on the original Volume.
  19. Right-click the drive letter you chose for the folder Volume and select Configure Shadow Copies.
  20. Enable Shadow Copies for the drive letter found in the list of volumes.
  21. Configure the settings as you like.
  22. One important note is that in order to restore previous versions of a file, you need to do it from the drive letter; it doesn’t work from the folder.

Hope this will help those who’ve been looking for a way to do this.

You could of course just skip some of the steps above and create a “normal” volume with a drive letter and then just share that and enable Shadow Copies, but that’s completely up to you. 🙂

Source : Shadow Copies for a Single Folder

McAfee Support – Prevent mass mailing worms from sending mail, ePol.

Could you tell us how you could disable the Access Protection policy (either by ePO or VSE)?

If you have done these options in VSE on an ePO-managed client, then the settings will revert back to their original state after the policy enforcement.

Kindly do this action on the ePO server and check the status.

Steps:

1) Kindly select your computer name on the ePO console.

2) Click Actions under the ePO console.

3) Select Agent and Modify Policies on a Single Machine.

4) Select VSE 8.x as the product and edit the Access Protection policies.

5) Select Anti-virus Standard Protection and untick “Prevent mass mailing worms from sending mail”.


Source : McAfee Support Community – Prevent mass mailing worms from sending mail – McAfee Support Community

How to configure an SFTP server on CentOS 7

Introduction

I have put together a how-to showing how to set up an SFTP server on CentOS with a full chroot.

Source Video: https://www.youtube.com/watch?v=d4D6xqQigH8

Steps (6 total)

1 Start the SSHD service and ensure it starts with the server

# systemctl enable sshd.service
# systemctl start sshd.service

2 Set up the SSH daemon – some vi knowledge required

# vi /etc/ssh/sshd_config

Comment out the following line (add a hash before it):

Subsystem sftp /usr/local/libexec/sftp-server

and add the following just below it (I recommend using a tab instead of spaces):

Subsystem sftp internal-sftp

Now scroll to the end of the config file and add the following to create the match rule:

Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no

Save the config file and close it (press ESC and type :wq!).

3 Restart the SSH daemon

# systemctl restart sshd.service

4 Let’s add the user(s) and group (I used John as an example):

# groupadd sftponly
# useradd john -g sftponly -s /bin/false
# passwd john

5 Add folders (for the user to read and write data from):

# mkdir /home/john/datadir
# chown root /home/john
# chmod 755 /home/john
# chown john /home/john/datadir
# chmod 755 /home/john/datadir

6 Stop SELinux from interfering with our jail

# setsebool -P ssh_chroot_rw_homedirs on
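Two things in the steps above are easy to get subtly wrong and both fail silently until a login is refused: the Match block in sshd_config, and the ownership and permission bits on the chroot directory (sshd itself insists that ChrootDirectory and every parent are owned by root and not writable by group or others, which is why step 5 runs chown root and chmod 755 on /home/john). The following added example, not part of the how-to, is a small Python checker for both. The sshd_config text is constructed inline to mirror the edits from step 2, and the function names and the expect_uid parameter (present only so the demo can run unprivileged) are this example’s own.

```python
import os
import stat
import tempfile

# Constructed sshd_config excerpt reproducing the edits from step 2 (not from a real server).
SAMPLE_SSHD_CONFIG = """\
#Subsystem sftp /usr/local/libexec/sftp-server
Subsystem\tsftp\tinternal-sftp

Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
"""


def parse_sshd_config(text):
    """Split sshd_config into global options and Match blocks.

    Keywords are case-insensitive in sshd, so they are lowercased; values are
    kept verbatim. Returns (global_opts, [(match_criteria, opts), ...]).
    """
    global_opts, matches = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            matches.append((value, current))
        else:
            current[key] = value
    return global_opts, matches


# What the Match block needs for a working, locked-down jail (None = any value).
REQUIRED_IN_MATCH = {
    "chrootdirectory": None,
    "forcecommand": "internal-sftp",
    "x11forwarding": "no",
    "allowtcpforwarding": "no",
}


def sftp_jail_problems(text, group="sftponly"):
    """Return a list of problems with the SFTP jail config; empty means it matches the recipe."""
    problems = []
    global_opts, matches = parse_sshd_config(text)
    if global_opts.get("subsystem", "").split() != ["sftp", "internal-sftp"]:
        problems.append("Subsystem sftp is not internal-sftp (chroot needs the in-process server)")
    block = next((o for crit, o in matches if crit.lower() == f"group {group}"), None)
    if block is None:
        problems.append(f"no 'Match Group {group}' block")
        return problems
    for key, expected in REQUIRED_IN_MATCH.items():
        if key not in block:
            problems.append(f"{key} missing in Match block")
        elif expected is not None and block[key].lower() != expected:
            problems.append(f"{key} is '{block[key]}', expected '{expected}'")
    return problems


def chroot_dir_problems(path, expect_uid=0):
    """Check one directory against the rules sshd applies to ChrootDirectory:
    owned by root, not writable by group or others. sshd checks every parent
    too; call this once per path component. expect_uid is for the demo only."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]
    problems = []
    if st.st_uid != expect_uid:
        problems.append(f"{path} is owned by uid {st.st_uid}, expected {expect_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path} is writable by group or others")
    return problems


def demo():
    """Build a throwaway home like /home/john (with datadir), check it with mode 755,
    then again after making it group-writable. Returns both problem lists."""
    home = tempfile.mkdtemp()
    os.chmod(home, 0o755)
    os.mkdir(os.path.join(home, "datadir"))
    me = os.getuid()
    ok = chroot_dir_problems(home, expect_uid=me)
    os.chmod(home, 0o775)  # sshd would refuse to chroot into this
    bad = chroot_dir_problems(home, expect_uid=me)
    return ok, bad


if __name__ == "__main__":
    print(sftp_jail_problems(SAMPLE_SSHD_CONFIG) or "sshd_config: OK")
    print(demo())
```

Run against the real file with open('/etc/ssh/sshd_config').read() and with expect_uid left at its default of 0; the usual failure mode after following a recipe like this one is a group-writable home directory, which shows up in sshd’s log as a “bad ownership or modes for chroot directory” refusal rather than as an error at restart time.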


Best Free Monitoring system for Linux

Source : Best Free Monitoring system for Linux