
Monday, October 26, 2009

Changing The Tombstone Lifetime Attribute in Active Directory

Tombstone is a container object that contains the objects deleted from Active Directory. When an object is deleted from Active Directory, it is not physically removed from the directory for some days. Instead, Active Directory sets the object's isDeleted attribute to TRUE and moves it to a special container called Tombstone, previously known as CN=Deleted Objects.

Tombstones cannot be accessed through the standard Windows directory tools or through Microsoft Management Console (MMC) snap-ins. However, tombstones are visible to the directory replication process, so they are replicated to all the domain controllers in the domain. This ensures that a deleted object is removed from every domain controller throughout Active Directory.

The tombstone lifetime attribute holds the time period after which the object is physically deleted from Active Directory. The default value for the tombstone lifetime attribute is 60 days, but you can change it if required. The tombstone lifetime is usually kept longer than the expected replication latency between the domain controllers so that a tombstone is not removed before it has replicated across the forest.

The tombstone lifetime attribute remains the same on all the domain controllers, and a tombstone is deleted from all the servers at the same time. This is because the expiration of a tombstone lifetime is based on the time when the object was logically deleted from Active Directory, rather than the time when it was received as a tombstone on a server through replication.

Changing Tombstone Lifetime Attribute

The tombstone lifetime attribute can be modified in three ways: using the ADSIEdit tool, using an LDIF file, and using VBScript.

Using ADSIEdit Tool

The easiest method to modify tombstone lifetime in Active Directory is by using ADSIEdit. The ADSIEdit tool is not installed automatically when you install Windows Server 2003. You need to install it separately by installing support tools from Windows Server 2003 CD.

If you don't have your CDs in hand, you can simply download the Windows Server 2003 SP1 Support Tools from Firewall.cx.

To install the ADSIEdit tool and modify the tombstone lifetime in Active Directory with it, you need to:

1. Insert the Windows Server 2003 CD.
2. Browse the CD to locate the Support\Tools directory.
3. Double-click the suptools.msi to proceed with the installation of support tools.
4. Select Run command from the Start menu.
5. Type ADSIEdit.msc to open the ADSI Editor, as shown below:

The ADSI Edit window appears:

6. Expand the Configuration node, then expand the CN=Configuration,DC=Firewall,DC=cx node.
7. Expand the CN=Services node.
8. Drill down to CN=Directory Service under CN=Windows NT, as shown in the figure below:

9. Right-click CN=Directory Service and select Properties from the menu that appears

The CN=Directory Service Properties window appears, as shown below:

10. Double-click the tombstoneLifetime attribute in the Attributes list.

The Integer Attribute Editor window appears, as shown below:

11. Set the number of days that tombstone objects should remain in Active Directory in the Value field.

12. Click OK .

The Tombstone Lifetime has now been successfully changed.

Other Ways Of Changing The Tombstone Lifetime Attribute

Using an LDIF file

To change the tombstone lifetime attribute using an LDIF file, you create the LDIF file with Notepad and then import it with the LDIFDE tool. To do so, you need to:

1. Create a text file using notepad with the following content:

dn: cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<forest root domain DN>
changetype: modify
replace: tombstoneLifetime
tombstoneLifetime: <number of days>
-

2. Replace the placeholders between < > with the appropriate values: put the distinguished name of your Active Directory forest root domain in the first placeholder (for example DC=Firewall,DC=cx, as used in the ADSIEdit steps above) and put the number of days you want for the tombstone lifetime in the second.

3. Don't forget to put "-" on the last line.

4. Save the file with .ldf extension.

5. Open the Command Prompt and type the following command on the command prompt:

ldifde -v -i -f <filename>.ldf

The Tombstone Lifetime is successfully changed.

Using a VBScript

To change the tombstone lifetime using VBScript, type the following code with the appropriate value and execute the script:

' Replace <number of days> with the tombstone lifetime you want, for example 60
intTombstoneLifetime = <number of days>
Set objRootDSE = GetObject("LDAP://RootDSE")
' Bind to the Directory Service object under the forest's configuration naming context
Set objDSCont = GetObject("LDAP://cn=Directory Service,cn=Windows NT," & _
    "cn=Services," & objRootDSE.Get("configurationNamingContext"))
objDSCont.Put "tombstoneLifetime", intTombstoneLifetime
objDSCont.SetInfo
WScript.Echo "The tombstone lifetime is set to " & intTombstoneLifetime
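As an added example that is not part of the original article, the same change in Windows PowerShell using the [ADSI] accelerator and the LDAP path from the VBScript above. It reads the current value first, supports -WhatIf, and re-reads the attribute after writing it; the 180-day value in the usage line and the 2..3650 range check are assumptions for illustration.

```powershell
# Added example (not from the Firewall.cx article): read, change and verify the
# forest's tombstoneLifetime with [ADSI], which works against Windows Server 2003
# domain controllers. Run on a domain-joined machine as a member of Enterprise Admins.

function Get-DirectoryServiceObject {
    # Bind to CN=Directory Service under the configuration naming context,
    # resolving the forest-specific DN from RootDSE instead of hard-coding it.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = $rootDse.Properties["configurationNamingContext"].Value
    return [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
}

function Get-TombstoneLifetime {
    $ds    = Get-DirectoryServiceObject
    $value = $ds.Properties["tombstoneLifetime"].Value
    if ($null -eq $value) {
        # Attribute not set: the forest default described in the article applies.
        Write-Host "tombstoneLifetime is not set; the forest default applies."
        return $null
    }
    return [int]$value
}

function Set-TombstoneLifetime {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateRange(2, 3650)]   # assumption: sanity bounds of 2 days .. 10 years
        [int]$Days
    )
    $current = Get-TombstoneLifetime
    if ($current -eq $Days) {
        Write-Host "tombstoneLifetime is already $Days days; nothing to do."
        return
    }
    $ds = Get-DirectoryServiceObject
    if ($PSCmdlet.ShouldProcess($ds.Path, "Set tombstoneLifetime from '$current' to $Days days")) {
        # Same IADs calls the VBScript uses.
        $ds.Put("tombstoneLifetime", $Days)
        $ds.SetInfo()

        # Re-read from the directory rather than trusting the local property cache.
        $ds.RefreshCache()
        $after = [int]$ds.Properties["tombstoneLifetime"].Value
        if ($after -ne $Days) {
            throw "tombstoneLifetime read back as $after, expected $Days"
        }
        Write-Host "tombstoneLifetime is now $after days (was '$current')."
    }
}

# Usage: show the current value, then preview a change to 180 days (constructed
# sample value). Remove -WhatIf to apply it.
Get-TombstoneLifetime
Set-TombstoneLifetime -Days 180 -WhatIf
```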

Article Summary

This article explained what the Active Directory tombstone lifetime attribute is and how you can change it to control when deleted objects are removed by the Active Directory replication process. We covered three different methods in detail so that any Windows administrator can carry out these actions.

If you have found the article useful, we would really appreciate you sharing it with others by using the provided services on the top left corner of this article. Sharing our articles takes only a minute of your time and helps Firewall.cx reach more people through such services.

Configuring Windows Server Roaming Profiles

The roaming profiles allow the mobile users of a company to always work with their personal settings from any network computer in a domain. Roaming profiles are a collection of personal user settings of a user, saved at a central location on a network.

These settings and configurations are recovered on any network computer as soon as users log in with their credentials.

The roaming user profiles functionality is very useful because it allows mobile users to log on to a variety of computers located at different places and get the same look and feel of their own personalized desktops. However, roaming user profiles in Windows Server 2003 does not allow you to use encrypted files.

A roaming profile is made up of the folders that appear under the user's folder in Documents and Settings, as shown below:

The detailed description of each folder is as follows:

  • Desktop : This folder contains all the files, folders, and shortcuts data that is responsible for the appearance of your desktop screen.
  • Favorites : This folder contains the shortcuts of the favorite and frequently visited websites of the user.
  • Local Settings : This folder contains temporary files, history, and the application data.
  • My Documents : This folder contains documents, music, pictures, and other items.
  • Recent : This folder contains the files and folders most recently accessed by the user.
  • Start Menu : This folder contains the Start menu items.
  • Cookies : This folder contains all cookies stored on the user's computer.
  • NetHood : This folder contains shortcuts to sites in My Network Places .
  • PrintHood : This folder contains the shortcuts of printers configured for the user's computer.
  • Application Data : This folder contains the program-specific and the security settings of the applications that the user has used.
  • Templates : This folder contains the templates for applications such as Microsoft Word and Excel.
  • SendTo : This folder contains the destinations shown in the Send To menu when you right-click an item.

Creating Roaming User Profiles

You can create roaming user profiles on Windows NT Server 4.0, Windows 2000 Server, or Windows Server 2003 based computers. In addition, you can use a Windows NT Workstation 4.0, Windows XP Professional, or Windows 2000 Professional based computer that is running the Windows NT Server Administration Tools to create roaming user profiles.

The three major steps involved in creating a roaming user profile include creating a temporary user profile on a local computer, copying that profile to a network server, and then defining the user's profile location through the group policy.

To create a roaming user profile, follow the steps given below:

1. Log on as Administrator, or as a member of the local Administrators group or of the Account Operators group in the domain.

2. Open Administrative Tools in the Control Panel and then click Active Directory Users and Computers, as shown above.

3. Click the Users folder under the Local Users and Groups node. Right-click Users and then click New User in the menu that appears, as shown below:

Note: If you are using Active Directory then click Users folder under Active Directory Users and Computers node.

The New User dialog box appears as shown below.

4. Provide the User logon name and the Password for the user for whom the roaming profile is being created in their respective fields. Click on Next.

5. Enter the user password and clear the User must change password at next logon option:

6. Click Create , click Close, and then quit the Computer Management snap-in.

7. Log off the computer and then Log on to your workstation using the user account that you have just created on your server.

8. Verify that a folder with the user name is created under the Documents and Settings folder, as shown below:

9. Configure your desktop by adding shortcuts and modifying its appearance.

10. Configure the Start menu by adding desired options to it.

11. Log off.

Copying The Profile To Your Server

A temporary profile with all the required settings is configured on your local computer. You need to now copy this local profile to a network server which can be accessed centrally by all the computers.

Try not to use a domain controller for this purpose, because domain controllers have many other tasks to do and it is better to keep them away from this task. You can, however, choose a member server for this purpose. Make sure that the member server you choose is regularly backed up; otherwise you may lose all your roaming profiles.

To copy the profile to a network server, you need to:

1. Log on as Administrator and then create a Profile folder on a network server.

Windows uses the Profile folder by default to store roaming user profiles. You can give this folder a different name, but it is traditionally named Profile.

2. Share the Profile folder and give everyone the full control at share level.

3. Open Control Panel , and then click System icon. The System Properties dialog box appears.

4. Click Advanced tab, and then click Settings under User Profiles section, as shown below:

The User Profiles dialog box appears.

5. Click the temporary user profile that you had created and then click Copy To , as shown in the Figure below:

Next, the Copy To dialog box appears, as shown below.

6. Type the network path of the Profile folder in the Copy Profile To field.

A folder with the temporary user name will be created automatically under the Profiles folder.

7. Click Change.

8. The Select User or Group dialog box appears.

9. Enter the name of the temporary user that you have created.

10. Click OK in each of the four windows that you have opened.

11. Open Administrative Tools in the Control Panel and then click Computer Management , as shown in the second screenshot in this article.

12. Click Users folder under Local Users and Groups node, as shown below:

13. Double-click the temporary user account that you had created.

14. The Properties window for the user account appears as shown in the figure below.

15. Click the Profile tab and then type the path of Profile folder that you had created on a network server in the Profile path field:

16. Click OK and then quit the Computer Management snap-in.

This completes the process of creating a roaming user profile. Now when the user logs into any computer in the domain using his/her credentials, a copy of the user profile stored on the network will be copied to that computer with all the latest changes that the user might have made.

Usually, when a number of roaming profiles are enabled in a domain, logging on and logging off become extremely slow. This happens mostly when roaming users save large files in their profiles: each time a user logs off or logs on to a different computer, the large files take a long time to save to and retrieve from the network.

The solution to this problem is to use Folder Redirection along with roaming user profiles. The Folder Redirection feature allows you to redirect folders such as Application Data, Desktop, My Documents, and Start Menu to a different network location. These folders are typically where the large files are saved. When Folder Redirection is used, Windows understands that those particular folders need not be copied each time a roaming user logs on or off; Windows only touches them when a user actually opens a file from them.

Another way to control the growing size of user profiles is to create Mandatory User Profiles for the users. However, such profiles are suited only to situations where you want to provide identical desktop configurations to all the roaming users. When mandatory user profiles are configured, the users are not allowed to change their profile settings, so the profile size always remains manageable. To make a roaming user profile mandatory, rename the Ntuser.dat file to Ntuser.man in the user's profile folder.
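As an added example that is not part of the original article, the scripted equivalent of steps 11-16 above (assigning the profile path) plus the Ntuser.dat to Ntuser.man rename for a mandatory profile. The share name \\FILESERVER\Profiles and the account name tempuser are constructed sample values.

```powershell
# Added example (not from the Firewall.cx article): set a user's roaming profile
# path and optionally convert the profile to a mandatory one. Local accounts are
# edited through the WinNT provider (what the Profile tab in Computer Management
# writes); domain accounts through the profilePath attribute in Active Directory.
# Run as an administrator on a machine that can reach the profile share.

function Set-RoamingProfilePath {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$UserName,
        [Parameter(Mandatory = $true)][string]$ProfileShare,  # UNC path of the shared Profiles folder
        [switch]$DomainAccount,                                # target the AD user instead of a local one
        [switch]$Mandatory                                     # rename NTUSER.DAT to NTUSER.MAN
    )

    # Each user's profile lives in a folder named after the account under the share.
    $profilePath = Join-Path -Path $ProfileShare -ChildPath $UserName

    if ($DomainAccount) {
        # Locate the user by logon name in the current domain.
        $searcher = New-Object System.DirectoryServices.DirectorySearcher(
            "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$UserName))")
        $result = $searcher.FindOne()
        if ($null -eq $result) { throw "Domain user '$UserName' was not found." }
        $account   = $result.GetDirectoryEntry()
        $attribute = 'profilePath'
    } else {
        # Local account on this computer.
        $account   = [ADSI]"WinNT://./$UserName,user"
        $attribute = 'Profile'
    }

    if ($PSCmdlet.ShouldProcess($account.Path, "Set $attribute to $profilePath")) {
        $account.Put($attribute, $profilePath)
        $account.SetInfo()
    }

    if ($Mandatory) {
        # The profile must already have been copied to the share (steps 3-10 above).
        $datFile = Join-Path -Path $profilePath -ChildPath 'NTUSER.DAT'
        if (-not (Test-Path -LiteralPath $datFile)) {
            throw "No NTUSER.DAT under $profilePath; copy the profile to the share first."
        }
        if ($PSCmdlet.ShouldProcess($datFile, 'Rename to NTUSER.MAN')) {
            Rename-Item -LiteralPath $datFile -NewName 'NTUSER.MAN'
        }
    }
    return $profilePath
}

# Usage: point the local account 'tempuser' at the share and keep it roaming (not mandatory).
Set-RoamingProfilePath -UserName 'tempuser' -ProfileShare '\\FILESERVER\Profiles'
```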

Article Summary

Roaming user profiles are simply collections of settings and configurations that are stored on a network location for each user. Once you perform some fairly simple configurations, every time a user logs on to a machine in your domain with his domain credentials, that user's settings will follow him and automatically be applied to his log-on session for that particular machine.

This article covered the creation of roaming user profiles in a Windows Server Active Directory.


Windows Group Policies - Configuring Domain Group Policy

Windows 2003 Group Policies allow the administrators to manage a group of people accessing a resource efficiently. The group policies can be used to control both the users and computers.

They give better productivity to administrators and save their time by allowing them to manage all the users and computers centrally in just one go.

The group policies are of two types, Local Group Policy and Domain-based Group Policy. As the name suggests, the Local Group Policies allow the local administrator to manage all the users of a computer to access the resources and features available on the computer. For example an administrator can remove the use of Run command from the start menu. This will ensure that the users will not find Run command on that computer.

The Domain-based Group Policies on the other hand allow the domain/enterprise administrators to manage all the users and the computers of a domain/ forest centrally. They can define the settings and the allowed actions for users and computers across sites, domains, and OUs through group policies.

There are more than 2000 pre-created group policy settings available in Windows Server 2003/ Windows XP. A default group policy already exists. You only need to modify it by setting values of different policy settings according to your specific requirements. You can also create new group policies to meet your specific business requirements. The group policies allow you to implement:

  • Registry based settings : Allows you to create a policy to administer operating system components and applications.
  • Security settings : Allows you to set security options for users and computers to restrict them to run files based on path, hash, publisher criteria, or URL zone.
  • Software restrictions : Allows you to create a policy that would restrict users to run unwanted applications and protect computers against virus and hacking attack.
  • Software distribution and installation : Allows you to either assign or publish software application to domain users centrally with the help of a group policy.
  • Automation of tasks using computer and User Scripts
  • Roaming user profiles : Allow mobile users to see a familiar and consistent desktop environment on all the computers of the domain by storing their profile centrally on a server.
  • Internet Explorer maintenance : Allow administrators to manage the IE settings of the user's computers in a domain by setting the security zones, privacy settings, and other parameters centrally with the help of group policy.

Configuring a Domain-Based Group Policy

Just as you used the Group Policy Object Editor to create a local computer policy, to create a domain-based group policy you need to use the Active Directory Users and Computers snap-in, from where you can open the GPMC.

Follow the steps below to create a domain-based group policy

1. Select Active Directory Users and Computers tool from the Administrative Tools.
2. Expand Active Directory Users and Computers node, as shown below.
3. Right-click the domain name and select Properties from the menu that appears.

The properties window of the domain appears.

4. Click the Group Policy tab.
5. The Group Policy tab appears with a Default Domain Policy already created in it, as shown here:

You can edit the Default Domain Policy or create a new policy. However, it is not recommended to modify the Default Domain Policy for regular settings.

We will select to create a new policy instead. Click New to create a new group policy or group policy object. A new group policy object appears below the Default Domain Policy in the Group Policy tab, as shown below:

Once you rename this group policy, you can either double-click on it, or select it and click Edit.

You'll next be presented with the Group Policy Object Editor from where you can select the changes you wish to apply to the specific Group Policy:

In this example, we have selected to Remove Run menu from Start Menu as shown above. Double-click on the selected setting and the properties of the settings will appear. Select Enabled to enable this setting. Clicking on Explain will provide plenty of additional information to help you understand the effects of this setting.

When done, click on OK to save the new setting.

Similarly, you can configure other settings for the policy. After setting all the desired options, close the Group Policy Object Editor. Your new group policy will take effect.

Article Summary

Domain Group Policies give administrators great control over their domain users by enhancing security levels and restricting access to specific areas of the operating system. These policies can be applied to every organizational unit, group or user in Active Directory, or selectively to the areas you need. This article showed you how to create a domain group policy that can then be applied as required.


About the writers

GFI Software provides the single best source of network security, content security and messaging software for small to medium sized businesses.

Alan Drury is member of the Firewall.cx team and senior engineer at a large multinational company, supporting complex large Windows networks.

Windows Group Policies - Configuring Local Group Policy

Windows 2003 Group Policies allow the administrators to efficiently manage a group of people accessing a resource. Group policies can be used to control both the users and the computers.

They give better productivity to administrators and save their time by allowing them to manage all the users and computers centrally in just one go.

Group policies are of two types, Local Group Policy and Domain-based Group Policy. As the name suggests, Local Group Policies allow the local administrator to manage all the users of a computer to access the resources and features available on the computer. For example an administrator can remove the use of the Run command from the start menu. This will ensure that the users will not find Run command on that computer.

Domain-based Group Policies allow the domain / enterprise administrators to manage all the users and the computers of a domain / forest centrally. They can define the settings and the allowed actions for users and computers across sites, domains and OUs through group policies.

There are more than 2000 pre-created group policy settings available in Windows Server 2003 / Windows XP. A default group policy already exists. You only need to modify the values of different policy settings according to your specific requirements. You can create new group policies to meet your specific business requirements. Group policies allow you to implement:

  • Registry based settings: Allows you to create a policy to administer operating system components and applications.
  • Security settings: Allows you to set security options for users and computers to restrict them to run files based on path, hash, publisher criteria or URL zone.
  • Software restrictions: Allows you to create a policy that would restrict users running unwanted applications and protect computers against virus and hacking attacks.
  • Software distribution and installation: Allows you to either assign or publish software application to domain users centrally with the help of a group policy.
  • Roaming user profiles: Allows mobile users to see a familiar and consistent desktop environment on all the computers of the domain by storing their profile centrally on a server.
  • Internet Explorer maintenance: Allows administrators to manage the IE settings of the users' computers in a domain by setting the security zones, privacy settings and other parameters centrally with the help of group policy.

Using Local Group Policy

Local Group Policies affect only the users who log on to the local machine, whereas domain-based policies affect all the users of the domain. Domain-based policies can be created at three levels: sites, domains and OUs. Bear in mind that each computer belongs to exactly one domain and exactly one site.

A group policy object (GPO) is stored on a per domain basis. However, it can be associated with multiple domains, sites and OUs and a single domain, site or OU can have multiple GPOs. Besides this, any domain, site or OU can be associated with any GPO across domains.

When a GPO is defined, it is inherited by all the objects under it and is applied cumulatively, starting from the local computer and then the site, the domain and each nested OU. For example, if a GPO is created at domain level then it will affect all the domain members and all the OUs beneath it.

After applying all the policies in hierarchy, the end result of the policy that takes effect on a user or a computer is called the Resultant Set of Policy (RSoP).

To use GPOs with greater precision, you can apply Windows Management Instrumentation (WMI) filters and discretionary access control list (DACL) permissions. The WMI filters allow you to apply GPOs only to specific computers that meet a specific condition. For example, you can apply a GPO to all the computers that have more than 500 MB of free disk space. The DACL permissions allow you to apply GPOs based on the user's membership in security groups.

Windows Server 2003 provides a GPMC (Group Policy Management console) that allows you to manage group policy implementations centrally. It provides a unified view of local computer, sites, domains and OUs (organizational units). You can have the following tools in a single console:

  • Active Directory Users and Computers
  • Active Directory Sites and Services
  • Resultant Set of Policy MMC snap-in
  • ACL Editor
  • Delegation Wizard

The screenshot below shows four tools in a single console.

A group policy can be configured for computers or users or both, as shown here:

The Group Policy editor can be run using the gpedit.msc command.

Both types of policy are applied at the periodic refresh of Group Policy and can be used to specify desktop settings, operating system behavior, user logon and logoff scripts, application settings, security settings, assigned and published application options and folder redirection options.

Computer-related policies are applied when the computer is rebooted and User-related policies are applied when users log on to the computer.

Configuring a Local Group Policy

To configure a local group policy, you need to access the Group Policy Editor. You can run the Group Policy Editor by logging on as a local administrator on any member server of a domain or on a workgroup server, but not on a domain controller.

Sometimes this tool, or other Active directory tools that you need to manage group policy, does not appear in Administrative Tools. In that case you need to follow steps 1-10 given below to add Group Policy Editor tool in the console.

1. Click Start->Run and type mmc. The Console window appears, as shown below:

2. Select Add/remove Snap-in from the File menu.

The Add/Remove Snap-in window appears, as shown below:

3. Click Add.
4. The Add Standalone Snap-in window appears.
5. Select Group Policy Object Editor snap-in from the list.
6. Click Add and then click OK in Add/remove Snap-in window.

The Select Group Policy Object window appears, as shown below:

7. Keep the default value "Local Computer".
8. Click Finish.

The Local Computer Policy MMC appears, as shown below.

You can now set the Computer Configuration or User Configuration policies as desired. This example takes User Configuration setting.

9. Expand User Configuration node:

10. Expand Administrative Templates and then select the Start Menu and Taskbar node, as shown in Figure 7.

11. Double-click the settings for the policy that you want to modify from the right panel. In this example double-click Remove Run Menu from Start Menu.

The properties window of the setting appears as shown in the below screenshot:

12. Click Enabled to enable this setting.

Once you click on 'OK', the local policy that you have applied will take effect and all the users who would log on to this computer will not be able to see the Run menu item of the Start menu.
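As an added example that is not part of the original article, two client-side checks for the policy behaviour described above: Test-GpoWmiFilter evaluates the kind of WMI query a GPO WMI filter uses (the "more than 500 MB of free disk space" case from the Using Local Group Policy section), and Test-RunMenuRemoved confirms that "Remove Run menu from Start Menu" (the setting used in both the local and the domain walkthrough) has reached the current user. The registry value name NoRun is the one that setting writes; the function names are my own.

```powershell
# Added example (not from the Firewall.cx article): verify on a client which GPO
# would apply and whether the Remove Run setting took effect. Windows PowerShell
# (Get-WmiObject) is assumed; run it as the user whose policy you are checking.

function Test-GpoWmiFilter {
    param(
        # Same WQL a WMI filter would contain; 500 MB = 524288000 bytes.
        [string]$Query = 'SELECT FreeSpace FROM Win32_LogicalDisk WHERE DeviceID = "C:" AND FreeSpace > 524288000'
    )
    # A WMI filter matches when its query returns at least one instance.
    $instances = @(Get-WmiObject -Query $Query -ErrorAction Stop)
    return ($instances.Count -gt 0)
}

function Test-RunMenuRemoved {
    # Policy-driven Explorer restrictions land under this HKCU key; NoRun = 1 hides Run.
    $key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $item = Get-ItemProperty -Path $key -Name NoRun -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.NoRun -eq 1)
}

function Show-PolicyCheckReport {
    # Refresh user policy first so the checks reflect the current GPO set.
    & gpupdate.exe /target:user /force | Out-Null
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        User             = $env:USERNAME
        WmiFilterMatches = Test-GpoWmiFilter
        RunMenuRemoved   = Test-RunMenuRemoved
    }
}

Show-PolicyCheckReport | Format-List
```

A RunMenuRemoved value of False after a refresh means the setting is not reaching this user, which is the first thing to check before looking at the policy itself.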

This completes our Local Group Policy configuration section. Next section (coming soon) covers Domain Group Policies, that will help you configure and control user access throughout the Active Directory Domain.

Article Summary

Group policies are an administrator's best friend. They can control every aspect of a user's desktop, providing enhanced security measures and restricting access to specified resources. Group policies can be applied to a local server, as shown in this article, or to a whole domain, covered next.


Creating Windows Users and Groups (Windows 2003)

In a Windows server environment, it is very important that only authenticated users are allowed to log in for security reasons. To fulfill this requirement the creation of User accounts and Groups is essential.

User Accounts

On Windows Server 2003 computers there are two types of user accounts: local and domain user accounts. Local user accounts are single user accounts created locally on a Windows Server 2003 computer to allow a user to log on to that computer. They are stored in the Security Accounts Manager (SAM) database on the local hard disk and allow you to access local resources on the computer.

Domain user accounts, on the other hand, are created on domain controllers and are stored in Active Directory. These accounts allow you to access resources anywhere on the network. On a Windows Server 2003 computer that is a member of a domain, you need a local user account to log on locally to the computer and a domain user account to log on to the domain. Although you can have the same login and password for both accounts, they are still entirely different account types.

You automatically become a local administrator on your computer because a local Administrator account is created when the server is set up. A domain administrator is a local administrator on all the member computers of the domain because, by default, the domain administrators are added to the local Administrators group of every computer that belongs to the domain.

This article discusses creating local as well as domain user accounts, creating groups, and then adding members to groups.

Creating a Local User Account

To create a local user account, you need to:

1. Log on as Administrator, or as a member of the local Administrators group or of the Account Operators group in the domain.

2. Open Administrative Tools in the Control Panel and then click Computer Management, as shown in Figure 1.


Figure 1

3. Click Users folder under Local Users and Groups node, as shown in Figure 2.


Figure 2

4. Right-click Users and then click New User in the menu that appears, as shown in Figure 3:


Figure 3

The New User dialog box appears as shown in Figure 4.

5. Provide the User name and the Password for the user in their respective fields.

6. Select the desired password settings requirement:

Select the User must change password at next logon option if you want the user to change the password when the user first logs on to the computer. Select the User cannot change password option if you do not want the user to change the password. Select the Password never expires option if you do not want the password to become obsolete after a number of days. Select Account is disabled to disable this user account.

7. Click Create , and then click Close .


Figure 4

The user account will appear in the right panel of the window when you click the Users node under Local Users and Groups.

You can now associate the user to a group. To associate the user to a group, you need to:

8. Click Users folder under Local Users and Groups node.

9. Right-click the user and then select Properties from the menu that appears, as shown in Figure 5:


Figure 5

The Properties dialog box of the user account appears, as shown in Figure 6.

10. Click Member of tab.

The group(s) of which the user is currently a member appear.

11. Click Add.


Figure 6

The Select Groups dialog box appears, as shown in Figure 7.

12. Type the name of the group/object with which you want to associate the user in the Enter the object names to select field.

If the group/object names do not appear, click the Advanced button to find them. To choose a different location on the network or to verify the names you typed, click the Locations or Check Names buttons.

13. Click OK .


Figure 7

The selected group will be associated with the user and will appear in the Properties window of the user, as shown in Figure 8:


Figure 8

Creating a Domain User Account

The process of creating a domain user account is more or less similar to the process of creating a local user account. The only differences are a few different options on the same type of screens and a few extra steps in between.

For example, you use the Active Directory Users and Computers MMC (Microsoft Management Console) snap-in instead of Local Users and Groups to create domain user accounts. Also, when you create a user in a domain, that domain is associated with the user by default; you can change the domain if you want.

Besides all this, although a domain user account can be created in the Users container, it is always better to create it in the desired Organizational Unit (OU).

To create a domain user account follow the steps given below:

1. Log on as Administrator and open Active Directory Users and Computers MMC from the Administrative Tools in Control Panel, as shown in Figure 9.

2. Expand the OU in which you want to create a user, right-click the OU and select New->User from the menu that appears.


Figure 9

3. Alternatively, you can click on Action menu and select New->User from the menu that appears.

The New Object –User dialog box appears, as shown in Figure 10.

4. Provide the First name, Last name, and Full name in their respective fields.

5. Provide a unique logon name in the User logon name field and then select a domain from the dropdown next to the User logon name field if you want to change the domain name.
The domain and the user name that you have provided will appear in the User logon name (pre-Windows 2000) fields so that the user can log on from domain computers running earlier versions of Windows such as Windows NT.


Figure 10

6. Click Next.

The second screen of New Object –User dialog box appears similar to Figure 4.

7. Provide the User name and the Password in their respective fields.

8. Select the desired password settings requirement:

Select User must change password at next logon option if you want the user to change the password when the user first logs into computer. Select User cannot change password option if you do not want the user to change the password. Select Password never expires option if you do not want the password to become obsolete after a number of days. Select Account is disabled to disable this user account.

9. Click Next.

10. Verify the user details that you had provided and click Finish on the third screen of New Object –User dialog box.

11. Follow the steps 9-13 mentioned in Creating a Local User Account section to associate a user to a group.

Creating Groups

Just like user accounts, the groups on a Windows Server 2003 computer are also of two types: built-in local groups and built-in domain groups. Examples of built-in domain groups are: Account Operators, Administrators, Backup Operators, Network Configuration Operators, Performance Monitor Users, and Users. Similarly, some built-in local groups are: Administrators, Users, Guests, and Backup Operators.

The built-in groups are created automatically when the operating system is installed and become part of a domain. However, sometimes you need to create your own groups to meet your business requirements. Custom groups allow you to limit the access of users to resources on a network as per your business requirements. To create custom groups in a domain, you need to:

1. Log on as Administrator and open Active Directory Users and Computers MMC from the Administrative Tools in Control Panel, as shown in Figure 9.

2. Right-click the OU and select New->Group from the menu that appears.

The New Object –Group dialog box appears, as shown in Figure 10.

3. Provide the name of the group in the Group name field.

The group name that you have provided will appear in the Group name (pre-Windows 2000) field to ensure that group is functional on domain computers that are using earlier versions of Windows such as Windows NT.

4. Select the desired group scope of the group from the Group scope options.

If the Domain Local Scope is selected the members can come from any domain but the members can access resources only from the local domain.

If Global scope is selected then members can come only from local domain but can access resources in any domain.

If Universal scope is selected then members can come from any domain and members can access resources from any domain.

5. Select the group type from the Group Type options.

The group type can be Security or Distribution. Security groups are used to assign permissions to access resources, while Distribution groups are used for non-security-related tasks such as sending emails to all the group members.


Figure 11

6. Click OK.

You can add members to a group in the same way you add a user to groups. Just right-click the group in the Active Directory Users and Computers snap-in, select Properties, click the Members tab in the Properties window of the group and then follow steps 11-13 from the Creating a Local User Account section.

Article Summary

Dealing with User & Group accounts in a Windows Server environment is a very important everyday task for any Administrator. This article covered basic administration of user and group accounts at both local and domain environments.

If you have found the article useful, we would really appreciate you sharing it with others by using the provided services on the top left corner of this article. Sharing our articles takes only a minute of your time and helps Firewall.cx reach more people through such services.

About the writers

GFI Software provides the single best source of network security, content security and messaging software for small to medium sized businesses.

Alan Drury is a member of the Firewall.cx team and a senior engineer at a large multinational company, supporting complex large Windows networks.

InterVLAN Routing

Introduction

Surely most of you network gurus would agree without a doubt that the invention of VLANs for networks is as good as, if not better than, the invention of the mouse for computers!

Being able to create new network segments using the existing backbone and without rewiring is, for most administrators, a dream come true! Add the ability to move users or departments between these networks with just a few keystrokes and you're in paradise.

VLANs have certainly become popular and are very welcomed in every administrator's or engineer's network. However, they also raised several issues which troubled many of us. One major issue concerns routing between existing and newly created VLANs.

The Need For Routing

Each network has its own needs, though whether it's a large or small network, internal routing, in most cases, is essential - if not critical. The ability to segment your network by creating VLANs, thus reducing network broadcasts and increasing your security, is a tactic used by most engineers. Popular setups include a separate broadcast domain for critical services such as file servers, print servers, domain controllers etc., serving your users non-stop.

The issue here is how can users from one VLAN (broadcast domain), use services offered by another VLAN?

Thankfully there's an answer to every problem and in this case, it's VLAN routing:

The above diagram is a very simple but effective example to help you get the idea. Two VLANs consisting of two servers and workstations of which one workstation has been placed along with the servers in VLAN 1, while the second workstation is placed in VLAN 2.

In this scenario, both workstations require access to the File and Print servers, making it a very simple task for the workstation residing in VLAN 1, but obviously not for our workstation in VLAN 2.

As you might have already guessed, we need to somehow route packets between the two VLANs and the good news is that there is more than one way to achieve this and that's what we'll be covering on this page.

VLAN Routing Solutions

While the two 2924 Catalyst switches are connected via a trunk link, they are unable to route packets from one VLAN to another. If we wanted the switch to support routing, we would require it to be a layer 3 switch with routing capabilities, a service offered by the popular Catalyst 3550 series and above.

Since there are quite a few ways to enable communication between VLANs (InterVLAN Routing being the most popular), we will look at all of them. This follows our standard method of presenting all possible solutions, giving you an in-depth view of how VLAN routing can be set up, even if you do not have a layer 3 switch.

Note: The term 'InterVLAN Routing' refers to a specific routing method which we will cover as a last scenario, however it is advised that you read through all given solutions to ensure you have a solid understanding on the VLAN routing topic.

VLAN Routing Solution No.1: Using A Router With 2 Ethernet Interfaces

A few years ago, this was one of the preferred and fastest methods to route packets between VLANs. The setup is quite simple and involves a Cisco router, e.g. a 2500 series, with two Ethernet interfaces as shown in the diagram, connecting to both VLANs with an appropriate IP address assigned to each interface. IP routing is of course enabled on the router and we also have the option of applying access lists in the case where we need to restrict network access between our VLANs.

In addition, each host (servers and workstations) must either use the router's interface connected to their network as a 'default gateway' or a route entry must be created to ensure they use the router as a gateway to the other VLAN/network. This scenario is however expensive to implement because we require a dedicated router to route packets between our VLANs, and it is also limited from an expandability perspective.

In the case where there are more than two VLANs, additional Ethernet interfaces will be required, so basically, the idea here is that you need one Ethernet interface on your router that will connect to each VLAN.

To finish this scenario, as the network gets bigger and more VLANs are created, it will very quickly get messy and expensive, so this solution will prove inadequate to cover our future growth.

VLAN Routing Solution No.2: Using A Router With One Ethernet (Trunk) Interface

This solution is certainly fancier but requires, as you would have already guessed, a router that supports trunk links. With this kind of setup, the trunk link is created, using of course the same type of encapsulation the switches use (ISL or 802.1q), and enabling IP routing on the router side.

The downside here is that not many engineers will sacrifice a router just for routing between VLANs when there are many cheaper alternatives, as you will soon find out. Nevertheless, despite the high cost and dedicated hardware, it's still a valid and workable solution and depending on your needs and available equipment, it might be just what you're looking for!

Closing this scenario, the router will need to be configured with two virtual interfaces, one for each VLAN, with the appropriate IP Address assigned to each one so routing can be performed.

VLAN Routing Solution No.3: Using A Server With Two Network Cards

We would call this option a "Classic Solution". What we basically do is configure one of the servers to perform the routing between the two VLANs, reducing the overall cost as no dedicated equipment is required.

In order for the server to perform the routing, it requires two network cards - one for each VLAN and the appropriate IP Addresses assigned, therefore we have configured one with IP Addresses 192.168.1.1 and the other with 192.168.2.1. Once this phase is complete, all we need to do is enable IP routing on the server and we're done.

Lastly, each workstation must use the server as either a gateway, or a route entry should be created so they know how to get to the other network. As you see, there's nothing special about this configuration, it's simple, cheap and it gets the job done.

VLAN Routing Solution No.4: InterVLAN Routing

And at last.... InterVLAN routing! This is without a doubt the best VLAN routing solution out of all of the above. InterVLAN routing makes use of the latest switch technology, ensuring a fast, reliable and reasonably priced routing solution.

The Cisco Catalyst 3550 series switches used here are layer 3 switches with built-in routing capabilities, making them the preferred choice at a reasonable cost. Of course, the proposed solution shown here is only a small part of a large scale network where switches such as the Catalyst 3550 are usually placed as core switches, connecting all branch switches together (2924's in this case) via superfast fiber Gigabit or Fast Ethernet links, ensuring a fast and reliable network backbone.

We should also note that InterVLAN routing on the Catalyst 3550 has certain software requirements regarding the IOS image loaded on the switch as outlined on the table below:

Image Type & Version                                      InterVLAN Routing Capability
Enhanced Multilayer Image (EMI) - All Versions            YES
Standard Multilayer Image (SMI) - prior to 12.1(11)EA1    NO
Standard Multilayer Image (SMI) - 12.1(11)EA1 and later   YES

If you happen to have a 3550 Catalyst in hand, you can issue the 'show version' command to reveal your IOS version and find out if it supports IP routing.

In returning to our example, our 3550 Catalyst will be configured with two virtual interfaces, one for each VLAN, and of course the appropriate IP Address assigned to them to ensure there is a logical interface connected to both networks. Lastly, as you might have guessed, we need to issue the 'IP Routing' command to enable the InterVLAN Routing service!

The diagram above was designed to help you 'visualise' how switches and their interfaces are configured to specific VLAN, making the InterVLAN routing service possible. The switch above has been configured with two VLANs, VLAN 1 and 2. The Ethernet interfaces are then assigned to each VLAN, allowing them to communicate directly with all other interfaces assigned to the same VLAN and the other VLAN, when the internal routing process is present and enabled.

Access Lists & InterVLAN Routing

Another common addition to the InterVLAN routing service is the application of Access Lists (packet filtering) on the routing switch, to restrict access to services or hosts as required.

In modern implementations, central file servers and services are usually placed in their own isolated VLAN, securing them from possible network attacks while controlling access to them. When you take into consideration that most trojans and viruses perform an initial scan of the network before attacking, an administrator can smartly disable ICMP echoes and other protocols used to detect a live host, avoiding possible detection by an attacker host located on a different VLAN.

Summary

InterVLAN routing is a terrific service and one that you simply can't live without in a large network. The topic is a fairly easy one once you get the idea, and this is our aim here: to help you get that idea, and extend it further by giving you other alternative methods.

The key element to the InterVLAN routing service is that you must have at least one VLAN interface configured with an IP Address on the InterVLAN capable switch, which will also dictate the IP network for that VLAN. All hosts participating in that VLAN must also use the same IP addressing scheme to ensure communication between them. When the above requirements are met, it's then as simple as enabling the IP Routing service on the switch and you have the InterVLAN service activated.
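As an added example (not part of the article), the following Python models the requirements just listed for the article's two-VLAN layout: each host must sit in its VLAN's SVI subnet and use the SVI as its gateway, 'ip routing' must be enabled, and an access list on the routing switch can still drop ICMP echo to the server VLAN as described in the Access Lists section. The SVI addresses (192.168.1.1/24 and 192.168.2.1/24), host addresses and the access list are assumed values.

```python
"""Consistency and reachability check for an InterVLAN routing setup (added example)."""
from dataclasses import dataclass
import ipaddress
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Svi:
    """VLAN interface on the layer 3 switch, e.g. 'interface Vlan2' with its address."""
    vlan: int
    address: ipaddress.IPv4Interface


@dataclass(frozen=True)
class Host:
    name: str
    vlan: int
    address: ipaddress.IPv4Interface
    gateway: ipaddress.IPv4Address


@dataclass(frozen=True)
class AclEntry:
    """One entry of an IOS-style extended access list applied on the routing switch."""
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" matches everything; else "icmp", "tcp", "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_type: Optional[str] = None  # e.g. "echo"; None matches any ICMP type


# Assumed addressing for the article's two-VLAN diagram (not taken from the article).
SVIS = [Svi(1, ipaddress.IPv4Interface("192.168.1.1/24")),
        Svi(2, ipaddress.IPv4Interface("192.168.2.1/24"))]
FILE_SERVER = Host("file-server", 1, ipaddress.IPv4Interface("192.168.1.5/24"),
                   ipaddress.IPv4Address("192.168.1.1"))
WS1 = Host("ws1", 1, ipaddress.IPv4Interface("192.168.1.50/24"), ipaddress.IPv4Address("192.168.1.1"))
WS2 = Host("ws2", 2, ipaddress.IPv4Interface("192.168.2.50/24"), ipaddress.IPv4Address("192.168.2.1"))
# Hide the server VLAN from ping sweeps but let everything else through.
SERVER_ACL = [AclEntry("deny", "icmp", ANY, ANY, icmp_type="echo"),
              AclEntry("permit", "ip", ANY, ANY)]


def svi_for(vlan: int, svis: list[Svi]) -> Optional[Svi]:
    return next((s for s in svis if s.vlan == vlan), None)


def check_host(host: Host, svis: list[Svi]) -> list[str]:
    """Return the problems that would stop this host from using InterVLAN routing."""
    svi = svi_for(host.vlan, svis)
    if svi is None:
        return [f"{host.name}: VLAN {host.vlan} has no SVI with an IP address"]
    problems = []
    if host.address.ip not in svi.address.network:
        problems.append(f"{host.name}: {host.address.ip} is outside the VLAN {host.vlan} "
                        f"subnet {svi.address.network}")
    if host.gateway != svi.address.ip:
        problems.append(f"{host.name}: gateway {host.gateway} is not the SVI address {svi.address.ip}")
    return problems


def acl_permits(acl, protocol, src, dst, icmp_type=None) -> bool:
    """First matching entry wins; an applied access list ends with an implicit deny."""
    if acl is None:  # no access list applied: everything is forwarded
        return True
    for e in acl:
        proto_ok = e.protocol == "ip" or e.protocol == protocol
        type_ok = e.icmp_type is None or e.icmp_type == icmp_type
        if proto_ok and type_ok and src in e.src and dst in e.dst:
            return e.action == "permit"
    return False


def can_reach(src: Host, dst: Host, svis: list[Svi], ip_routing: bool,
              acl=None, protocol: str = "tcp", icmp_type=None) -> tuple[bool, str]:
    """Decide whether traffic from src to dst is delivered, and why (not)."""
    if src.vlan == dst.vlan:
        return True, "same VLAN, switched directly"
    if check_host(src, svis) or check_host(dst, svis):
        return False, "host addressing or gateway misconfigured"
    if not ip_routing:
        return False, "'ip routing' not enabled on the switch"
    if not acl_permits(acl, protocol, src.address.ip, dst.address.ip, icmp_type):
        return False, "denied by access list on the routing switch"
    return True, "routed between SVIs"
```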

Next in line is the Virtual Trunk Protocol (VTP), a protocol that ensures every administrator's and engineer's life remains nice and easy .... how can this be possible?

Saturday, September 26, 2009

How To Configure Dynamic DNS Server On A Cisco Router

Hosting your own web server or email server would normally require a static IP address from your ISP. This ensures that your services are always reachable using the same IP address or domain name.

If you had a domain name, e.g firewall.cx, you would then map your static IP address to your domain (via DNS) so when you hit your domain name, you would be directed to your statically assigned IP address and access the resources you need.

While this is the recommended setup for most companies doing serious business, it doesn't really apply to home users or small branch offices because of the increased cost for static IP addresses.

Luckily, a few years back, a couple of new DNS providers came up with Dynamic DNS or DDNS. DDNS providers essentially allow you to register and create a Fully Qualified Domain Name (FQDN) without cost and, by using their clients (usually programs installed on a PC in your local network), you can instantaneously update your FQDN every time your ISP changes your IP address. This eliminates the need for a static IP address, since your DDNS provider will automatically update its DNS records with your dynamic IP address every time it changes.

From Cisco IOS version 12.4 onwards, Cisco routers have built-in support for a variety of DDNS providers, making it much easier and more reliable as you no longer require a PC in your network that will run the DDNS provider's client.

This article aims to teach you how you can configure your Cisco router so it can support DDNS with a variety of DDNS providers.

Example Scenario

Consider the following network diagram. It shows the simple logic of how DDNS works:

DHCP Server diagram

Firstly we need to configure our Cisco router to register and send its periodical updates to the DDNS provider. Once received, the DDNS provider updates the relevant DNS records, in our example, firewallcx.no-ip.info.

When an Internet host queries the DDNS provider for the domain firewallcx.no-ip.info, the provider will point the host towards the public IP address currently assigned to the router, that is, 195.162.29.1. As the ISP changes the IP address it assigned to the Cisco router, the router in turn will also update its DDNS provider. This way, the domain firewallcx.no-ip.info is always up to date no matter how many times its IP address changes.

So, without further delay, here's how you can configure your Cisco router to register with the following DDNS providers:

1) No-ip.com

2) Dyndns.com

Case No.1: No-ip.com

First step is to enable the DNS service and configure an IP name server (public DNS server) so it can successfully resolve Internet domain names. For our example, we are using Public DNS servers.

R1# configure terminal
R1(config)# ip dns server
R1(config)# ip name-server 4.2.2.6
R1(config)# ip name-server 4.2.2.5

Next, we need to enable the DDNS update service and give it a name (no-ip), and then select the update method to be used, for this example, it's HTTP:

R1(config)# ip ddns update method no-ip
R1(DDNS-update-method)# HTTP

Now we add the authentication details. The router will use this information to authenticate to the DDNS provider so it can then update the necessary hostname. We should note that each DDNS provider uses its own authentication method & parameters. In No-ip.com's case, it makes use of a login name & password, where the login name is your registered email address.

The command will look something like this:

add http://email:password@dynupdate.no-ip.com/nic/update?hostname=&myip=

As we said, the login name is your registered email address. This means that the full syntax above will contain two '@' characters, which can create a problem with the URL sent to the DDNS provider. Also, the '?' character cannot be inserted straight into the command as the router will think you're asking for help and give you errors!

In order to overcome all possible problems, we've replaced these characters with their URL-encoded equivalents, so the @ becomes %40 and the ? becomes %3F.

The will be substituted with the FQDN that needs to be updated (firewallcx.no-ip.info) which we will configure next, and the will be substituted with the IP address of the interface we have enabled for the DDNS updates.

In the next step, we set the update interval to ensure the FQDN is updated as frequently as possible, but without causing problems to the DDNS provider:

R1(DDNS-HTTP)# interval maximum 0 0 5 0

The above command sets the update interval to 0 Days, 0 Hours, 5 Minutes and 0 Seconds.

All that's left now is to set the FQDN we'll be updating and enable the DDNS service on our public interface (usually your Dialer 0 or public Ethernet interface):

R1(DDNS-update-method)# interface dialer0
R1(config-if)# ip ddns update hostname firewallcx.no-ip.info
R1(config-if)# ip ddns update no-ip

This completes the setup and your router should start sending its updates to the DDNS provider.

If you see that your FQDN hasn't been updated after 5-10 minutes, then you can also use the following debug commands (hit CTRL-Z first) to get an idea of what's happening in the background:

R1# debug ip ddns update

Here are the results of our debug:

Jan 23 14:26:51.859: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
Jan 23 12:26:51.859: DYNUPD: SWIF goingdown 'Virtual-Access3'
Jan 23 14:27:05.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
Jan 23 12:27:05.091: DYNUPD: SWIF comingup 'Virtual-Access3'
Jan 23 12:27:07.883: DYNDNSUPD: Adding DNS mapping for firewallcx.no-ip.info<=> 195.162.29.1
Jan 23 12:27:07.883: HTTPDNS: Update add called for firewallcx.no-ip.info<=> 195.162.29.1

Case No.2: Dyndns.com

Dyndns.com requires a similar configuration as our previous DDNS provider, however, the HTTP authentication string is slightly different, and you'll need to adjust your update interval to once a day rather than every 5 minutes. The interval adjustment is very important as Dyndns.com is unfortunately less forgiving than No-ip.com and will lock your account if multiple updates occur without your IP address having been changed!

The following cli code is the actual configuration required up till the authentication method:

R1# configure terminal
R1(config)# ip dns server
R1(config)# ip name-server 4.2.2.6
R1(config)# ip name-server 4.2.2.5
R1(config)# ip ddns update method dyndns
R1(DDNS-update-method)# HTTP

The HTTP authentication string required for Dyndns.com will look something like this:

add http://username:password@members.dyndns.org/nic/update?system=dyndns&hostname=&myip=

Notice that the authentication string is slightly different. As with our previous example, to ensure we overcome all possible problems, we replace the '@' and '?' characters with their URL-encoded equivalents, so the @ becomes %40 and the ? becomes %3F.

Again, the will be substituted with the FQDN that needs to be updated (firewallcx.dyndns.info) which we will configure next, and the will be substituted with the IP address of the interface we have enabled for the DDNS updates.

In the next step, we set the update interval to ensure the FQDN is updated as frequently as possible, but without causing problems to the DDNS provider; for Dyndns.com, that's once a day:

R1(DDNS-HTTP)# interval maximum 1 0 0 0

The above command sets the update interval to 1 Day, 0 Hours, 0 Minutes and 0 Seconds.
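As an added example (not from the article), the following Python builds the update URLs the router sends for both providers, shows why the two '@' characters break URL parsing when the credentials are left unencoded, and checks an 'interval maximum' value against the per-provider update rate the article recommends. The login e-mail and password are constructed values.

```python
"""Build and sanity-check DDNS HTTP update URLs (added example)."""
from urllib.parse import quote, unquote, urlsplit, parse_qs

# Constructed credentials; No-ip.com logs in with the registered e-mail address.
NOIP_LOGIN = "admin@firewall.cx"
NOIP_PASSWORD = "s3cret?pw"  # also contains '?', the other character IOS trips over
NOIP_HOSTNAME = "firewallcx.no-ip.info"
CURRENT_IP = "195.162.29.1"

# Slowest update rate each provider tolerates, per the article, in seconds.
PROVIDER_MIN_INTERVAL = {"no-ip": 5 * 60, "dyndns": 24 * 60 * 60}


def _enc(value: str, encode: bool) -> str:
    """Percent-encode a credential: '@' becomes %40, '?' becomes %3F, ':' becomes %3A."""
    return quote(value, safe="") if encode else value


def noip_update_url(login, password, hostname, myip, encode=True) -> str:
    """No-ip.com update URL; encode=False gives the raw form that confuses URL parsers."""
    return (f"http://{_enc(login, encode)}:{_enc(password, encode)}"
            f"@dynupdate.no-ip.com/nic/update?hostname={hostname}&myip={myip}")


def dyndns_update_url(username, password, hostname, myip, encode=True) -> str:
    """Dyndns.com update URL, which carries the extra system=dyndns parameter."""
    return (f"http://{_enc(username, encode)}:{_enc(password, encode)}"
            f"@members.dyndns.org/nic/update?system=dyndns&hostname={hostname}&myip={myip}")


def parsed_target(url: str) -> dict:
    """What a URL parser makes of the string: target host, login and query parameters."""
    parts = urlsplit(url)
    return {
        "host": parts.hostname,
        "login": unquote(parts.username) if parts.username else None,
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
    }


def interval_seconds(days: int, hours: int, minutes: int, seconds: int) -> int:
    """Convert the 'interval maximum D H M S' arguments to seconds."""
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def interval_is_safe(provider: str, seconds: int) -> bool:
    """True when updates are no more frequent than the provider tolerates."""
    return seconds >= PROVIDER_MIN_INTERVAL[provider]
```

With the raw (unencoded) URL the parser takes firewall.cx as the target host, which is exactly the failure the article's %40 substitution avoids.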

All that's left now is to set the FQDN we'll be updating and enable the DDNS service on our public interface (usually your Dialer 0 or public Ethernet interface):

R1(DDNS-update-method)# interface dialer0
R1(config-if)# ip ddns update hostname firewall.dyndns.info
R1(config-if)# ip ddns update dyndns

This completes the setup and your router should start sending its updates to the DDNS provider.

If you see that your FQDN hasn't been updated after 5-10 minutes, then you can also use the following debug command (hit CTRL-Z first) to get an idea of what's happening in the background:

R1# debug ip ddns update

Here are the results of our debug:

Jan 24 12:26:51.859: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
Jan 24 12:26:51.859: DYNUPD: SWIF goingdown 'Virtual-Access3'
Jan 24 12:27:05.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
Jan 24 12:27:05.091: DYNUPD: SWIF comingup 'Virtual-Access3'
Jan 24 12:27:07.883: DYNDNSUPD: Adding DNS mapping for firewall.dyndns.info<=> 195.162.49.4
Jan 24 12:27:07.883: HTTPDNS: Update add called for firewall.dyndns.info<=> 195.162.49.4

Article Summary

In this article we've covered how to enable and configure Dynamic DNS for popular no-ip.com and dyndns.com. We've seen the process in great depth and analysed all commands required to get the service up and running, but also debug it in case of problems.

Closing, we hope the article comes in handy and answers your questions regarding the configuration of DDNS on Cisco routers.

How To Configure DHCP Server On A Cisco Router

DHCP (Dynamic Host Configuration Protocol) is the protocol used by network devices (such as PCs, network printers, etc.) to automatically obtain the network parameters they need, such as IP address, default gateway, domain name and DNS servers, so they can access network and Internet resources.

A DHCP server is considered necessary in today's networks. Devices usually found providing this service are Windows servers, routers and layer 3 switches.

This article describes how to configure basic DHCP parameters on a Cisco router, enabling it to act as a DHCP server for your network.

Example Scenario

For the sake of this article, suppose we have the network shown in the following diagram, for which we would like to enable the DHCP service on our Cisco router.

The router will act as a DHCP server for the 192.168.1.0/24 network. IP Addresses already assigned to our switch (192.168.1.2) and File Server (192.168.1.5) will be excluded from the DHCP pool, to ensure they are not given out to other hosts and cause an IP address conflict.

DHCP Server diagram

The first step is to make sure the DHCP service is enabled on our router (it is enabled by default):

R1# configure terminal
R1(config)# service dhcp

Next step is to create the DHCP pool that defines the network of IP addresses that will be given out to the clients. Note that 'NET-POOL' is the name of the DHCP IP Pool we are creating.

R1(config)# ip dhcp pool NET-POOL
R1(dhcp-config)# network 192.168.1.0 255.255.255.0

This tells the router to issue IP addresses for the network 192.168.1.0, which translates to the range 192.168.1.1 - 192.168.1.254. We will exclude the addresses we do not want handed out later on.

We now define the DHCP parameters that will be given to each client. These include the default gateway (default-router), DNS servers, domain name and lease period (in days).

R1(dhcp-config)# default-router 192.168.1.1
R1(dhcp-config)# dns-server 192.168.1.5 195.170.0.1
R1(dhcp-config)# domain-name Firewall.cx
R1(dhcp-config)# lease 9

The 'domain-name' and 'lease' parameters are not essential and can be left out. By default, the lease time for an IP address is one day.

All we need now is to exclude the IP addresses we don't want our DHCP server giving out.

R1(dhcp-config)# exit
R1(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.5
R1(config)# ip dhcp excluded-address 192.168.1.10

This excludes IP addresses 192.168.1.1 - 192.168.1.5 & 192.168.1.10. As you can see, there's an option to exclude a range of IP addresses or a specific address.

The above configuration is all you need to get the DHCP server running for your network. We'll provide a few more commands you can use to troubleshoot and ensure it's working correctly.

The following command will allow you to check which clients have been served by the DHCP:

R1# show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
192.168.1.6 0100.1e7a.c409 Jan 19 2009 03:06 PM Automatic
192.168.1.7 0100.1e7a.c3c1 Jan 19 2009 09:00 PM Automatic
192.168.1.8 0100.1ebe.923b Jan 19 2009 02:25 PM Automatic
192.168.1.9 0100.1b53.5ccc Jan 19 2009 02:03 PM Automatic
192.168.1.11 0100.1e7a.261d Jan 19 2009 07:52 PM Automatic
R1#

Notice that IP addresses 192.168.1.5 & 192.168.1.10 have not been given out to the clients.
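As an added example (not from the article), the following Python audits 'show ip dhcp binding' output against the pool and exclusions configured above: it parses the binding lines, derives the set of addresses the router may hand out, and flags any lease that falls on an excluded or out-of-pool address. The binding text is a constructed copy of the article's output, and the extra 192.168.1.10 line is a constructed bad lease used to show the check firing.

```python
"""Audit 'show ip dhcp binding' output against the DHCP pool and exclusions (added example)."""
import ipaddress
import re

POOL_NETWORK = ipaddress.ip_network("192.168.1.0/24")
# (low, high) inclusive ranges from the 'ip dhcp excluded-address' commands
EXCLUDED = [("192.168.1.1", "192.168.1.5"), ("192.168.1.10", "192.168.1.10")]

# Constructed copy of the article's 'show ip dhcp binding' output.
SHOW_BINDING = """\
R1# show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
192.168.1.6         0100.1e7a.c409          Jan 19 2009 03:06 PM    Automatic
192.168.1.7         0100.1e7a.c3c1          Jan 19 2009 09:00 PM    Automatic
192.168.1.8         0100.1ebe.923b          Jan 19 2009 02:25 PM    Automatic
192.168.1.9         0100.1b53.5ccc          Jan 19 2009 02:03 PM    Automatic
192.168.1.11        0100.1e7a.261d          Jan 19 2009 07:52 PM    Automatic
R1#"""

# Constructed bad lease on an address the exclusions should never hand out.
ROGUE_BINDING = "192.168.1.10        0100.aabb.ccdd          Jan 19 2009 06:00 PM    Automatic"

# address, client-id, lease expiration (free text), binding type
BINDING_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(.+?)\s+(Automatic|Manual|Static)\s*$")


def excluded_addresses(ranges) -> set:
    """Expand (low, high) exclusion ranges into individual addresses."""
    out = set()
    for low, high in ranges:
        a, b = int(ipaddress.ip_address(low)), int(ipaddress.ip_address(high))
        out.update(ipaddress.ip_address(i) for i in range(a, b + 1))
    return out


def assignable_addresses(network, excluded_ranges) -> set:
    """Addresses the router may lease: every host address minus the exclusions."""
    return set(network.hosts()) - excluded_addresses(excluded_ranges)


def parse_bindings(text: str) -> list:
    """Pull one record per lease line; header and prompt lines do not match."""
    bindings = []
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            bindings.append({"ip": ipaddress.ip_address(m.group(1)),
                             "client_id": m.group(2),
                             "expires": m.group(3),
                             "type": m.group(4)})
    return bindings


def audit(bindings, network, excluded_ranges) -> dict:
    """Leases outside the assignable set are violations; also report utilisation."""
    assignable = assignable_addresses(network, excluded_ranges)
    leased = {b["ip"] for b in bindings}
    return {
        "violations": sorted(str(ip) for ip in leased if ip not in assignable),
        "leased": len(leased),
        "free": len(assignable - leased),
    }
```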

Article Summary

In this article we've covered how a Cisco router can be used as a basic DHCP server and the various options available. We also saw how you can obtain general information about the service. There are more options available with the DHCP service, however this basic article should cover most of your network needs.

Future DHCP articles will explore advanced options and debugging for more complex networks containing VLANs and IP Telephony.

Configuring Dynamic NAT On A Cisco Router

NAT (Network Address Translation) is a method that allows the translation (modification) of IP addresses while packets/datagrams are traversing the network. Dynamic NAT enables multiple internal hosts access to the Internet by assigning each host a unique real (Public) IP address for the duration of the session.

Once the internal host stops sending and receiving packets from the Internet, the router's NAT timeout will clear the Dynamic NAT entry from its NAT table, making the real IP address available to the next internal host.

The following steps explain basic Cisco router Dynamic NAT configuration. If you would like to read more on the NAT theory, be sure to read our popular NAT articles, which explain in great depth the NAT functions and applications in today's networks. Lastly, if you're only interested in Dynamic NAT, you can simply follow this link and read up on our theoretical example covered on Firewall.cx.

Example Scenario

The diagram below represents our example network, which consists of a number of internal clients trying to access the Internet via our router. The router is connected to the ISP via its serial interface. The company has been assigned the following Class C subnet: 200.2.2.0/29 (255.255.255.248). This translates to the following usable Public IP addresses: 200.2.2.1 - 200.2.2.6.

As one would expect, we need to sacrifice two IP addresses: one for the router's serial interface and one for the ISP's router. This leaves us with the following pool of usable Public IP addresses: 200.2.2.2 - 200.2.2.5.

The goal here is to configure the router to dynamically allocate the pool of Public IP addresses to our internal network.

Configure Dynamic NAT

Dynamic NAT configuration is a pretty straightforward process and is almost identical to other types of NAT configurations. The first step in any NAT configuration is to define the inside and outside interfaces. It is imperative that we define these interfaces for the Dynamic NAT service to function.

Set the fast ethernet 0/0 interface as the inside interface:

R1# configure terminal
R1(config)# interface fastethernet0/0
R1(config-if)# ip nat inside

Next step is to set the serial interface S0/0 as the outside interface:

R1(config-if)# interface serial0/0
R1(config-if)# ip nat outside
R1(config-if)# exit

Next step is to create our pool of Public IP addresses that will be handed out by the router to internal hosts trying to connect to the Internet. The first time a host sends a packet destined for the Internet, the router allocates one of the Public IP addresses to that host and records the mapping in its translation table; every later packet from the same host reuses that entry.

The entry is not tied to a single TCP or UDP session. A simple (non-overloaded) dynamic entry stays in the table until the translation timeout expires, which is 24 hours by default and can be changed with the 'ip nat translation timeout' command. Once the entry times out, the Public IP address is released and becomes available again to the Dynamic NAT pool. Let us define the NAT Pool:

R1(config)# ip nat pool Public-IPS 200.2.2.2 200.2.2.5 prefix-length 29

We now need to create an Access Control List (ACL) that will include local (private) hosts or network(s), depending on how large the internal network is.

This ACL will be applied to the NAT pool named 'Public-IPS', effectively controlling the hosts that will be assigned a Public IP address and therefore able to access the Internet.

You can use standard or extended access lists depending on your requirements:

R1(config)# ip nat inside source list 100 pool Public-IPS
R1(config)# access-list 100 remark == [Control NAT Pool Service] ==
R1(config)# access-list 100 permit ip 192.168.0.0 0.0.0.255 any

The above commands instruct the router to translate traffic from the 192.168.0.0/24 network using the NAT pool, giving each active host its own unique Public IP address. Note that Cisco standard and extended ACLs always use wildcard masks (0.0.0.255 matches 192.168.0.0/24). Two points are worth remembering. First, the ACL only selects which packets are translated: a host the ACL does not permit is not blocked, its packets are simply routed untranslated with their private source address, so a separate ACL on the outside interface is needed if such traffic must be stopped. Second, without the 'overload' keyword each inside host holds one public address for the lifetime of its entry, so a four-address pool serves at most four hosts at a time; packets from a fifth host are dropped until an existing translation times out or is cleared.

Verifying Dynamic NAT operation

By viewing the Dynamic NAT table you can easily verify that the internal hosts are correctly being assigned a Dynamic IP address from the configured pool:

R1# show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
---  200.2.2.2          192.168.0.6        ---                ---
---  200.2.2.3          192.168.0.8        ---                ---

As shown, two internal hosts (192.168.0.6 & 192.168.0.8) have each been assigned an external IP address from the pool we previously created.

These translations will eventually timeout if no activity is present from the internal hosts, however, if you need to forcibly clear them this can be easily done by entering the following command:

R1# clear ip nat translation *

Assuming no request has been sent right after the command was entered, the NAT translation table should be empty:

R1# show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global

Lastly, you can obtain statistics on the Dynamic NAT service. This will help you monitor the usage of your Dynamic NAT pool and available public IP addresses:

R1# show ip nat statistics
Total active translations: 2 (0 static, 2 dynamic; 0 extended)
Outside interfaces:
  Serial0/0
Inside interfaces:
  FastEthernet0/0
Hits: 8968  Misses: 2
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 100 pool Public-IPS refcount 2
 pool Public-IPS: netmask 255.255.255.248
        start 200.2.2.2 end 200.2.2.5
        type generic, total addresses 4, allocated 2 (50%), misses 0

In this output 'Misses' under the hit counters is the number of packets that had to create a new translation, not a failure count; the 'misses' figure on the pool line counts allocation failures, i.e. packets dropped because every address in the pool was already in use. The netmask reported for the pool is the prefix-length 29 we configured (255.255.255.248), and 'refcount 2' matches the two active dynamic translations.
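The allocation, exhaustion and timeout behaviour described in the configuration and verification sections above can be modelled outside the router. The following Python script is an added example written for this page; it is not IOS code or a Cisco tool. The pool, ACL and default timeout are taken from the configuration above, the 60-second timeout in demo() is a constructed value chosen so that expiry is visible in a short run, and the 'hits', 'misses' and pool 'misses' counters follow the meaning of the same fields in 'show ip nat statistics' (a miss is a packet that had to create a new entry; a pool miss is an allocation failure).

```python
"""Model of Cisco-style dynamic NAT: one public address per inside host,
no overload. Added illustration for this page, not IOS code."""
import ipaddress
from dataclasses import dataclass, field

INSIDE_ACL = ipaddress.ip_network("192.168.0.0/24")          # access-list 100
POOL = ["200.2.2.2", "200.2.2.3", "200.2.2.4", "200.2.2.5"]   # ip nat pool Public-IPS
DEFAULT_TIMEOUT = 86400   # IOS default 'ip nat translation timeout' (24 h)


@dataclass
class DynamicNat:
    pool: list
    timeout: int = DEFAULT_TIMEOUT
    table: dict = field(default_factory=dict)   # inside local -> [inside global, last use]
    hits: int = 0          # packets that matched an existing entry
    misses: int = 0        # packets that had to create an entry (IOS 'Misses')
    expired: int = 0       # entries removed by the translation timeout
    pool_misses: int = 0   # allocation failures: pool exhausted, packet dropped

    def expire(self, now):
        """Remove entries idle for at least 'timeout' seconds."""
        stale = [local for local, (_, seen) in self.table.items()
                 if now - seen >= self.timeout]
        for local in stale:
            del self.table[local]
            self.expired += 1

    def translate(self, src, now):
        """Source address a packet from 'src' leaves the outside interface with.
        Returns src unchanged when the ACL does not match (no translation,
        not a block) and None when the pool is exhausted (the packet is dropped)."""
        self.expire(now)
        if ipaddress.ip_address(src) not in INSIDE_ACL:
            return src
        if src in self.table:
            self.table[src][1] = now
            self.hits += 1
            return self.table[src][0]
        used = {public for public, _ in self.table.values()}
        free = [ip for ip in self.pool if ip not in used]
        if not free:
            self.pool_misses += 1
            return None
        self.misses += 1
        self.table[src] = [free[0], now]
        return free[0]

    def clear(self):
        """Equivalent of 'clear ip nat translation *'."""
        self.table.clear()

    def statistics(self):
        """Counters in the spirit of 'show ip nat statistics'."""
        return {
            "active": len(self.table),
            "hits": self.hits,
            "misses": self.misses,
            "expired": self.expired,
            "total_addresses": len(self.pool),
            "allocated": len(self.table),
            "pool_misses": self.pool_misses,
        }


def demo():
    """Walk the four-address pool through allocation, exhaustion and expiry.
    The 60 s timeout is a constructed value for the demonstration only."""
    nat = DynamicNat(POOL, timeout=60)
    first = nat.translate("192.168.0.6", now=0)     # gets 200.2.2.2
    second = nat.translate("192.168.0.8", now=1)    # gets 200.2.2.3
    nat.translate("192.168.0.6", now=2)             # hit on the existing entry
    for host in ("192.168.0.10", "192.168.0.11"):
        nat.translate(host, now=3)                  # .4 and .5: pool is now full
    fifth = nat.translate("192.168.0.12", now=4)    # None: pool exhausted, dropped
    other = nat.translate("10.0.0.1", now=4)        # not in ACL: leaves untranslated
    after = nat.translate("192.168.0.12", now=70)   # all entries expired, gets .2
    return first, second, fifth, other, after, nat.statistics()


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running the script shows the fifth inside host being dropped while four entries are held, and the same host succeeding once the timeout has released the pool; the 'hits', 'misses', 'expired' and 'pool_misses' counters in the final dictionary are what you would watch in 'show ip nat statistics' to tell normal churn from pool exhaustion.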

Tuesday, June 16, 2009

Netmask Quick Reference Chart

There are plenty of these netmask references out there, but I prefer my own: hence this Tech Tip. We've never seen anybody use a network larger than a /4 (256M hosts), so we've truncated the table at that point.

Netmask Quick Reference

Bits  Hosts       Usable hosts  Netmask          Cisco wildcard mask
/4    268435456   268435454     240.0.0.0        15.255.255.255
/5    134217728   134217726     248.0.0.0        7.255.255.255
/6    67108864    67108862      252.0.0.0        3.255.255.255
/7    33554432    33554430      254.0.0.0        1.255.255.255
/8    16777216    16777214      255.0.0.0        0.255.255.255    (class A network)
/9    8388608     8388606       255.128.0.0      0.127.255.255
/10   4194304     4194302       255.192.0.0      0.63.255.255
/11   2097152     2097150       255.224.0.0      0.31.255.255
/12   1048576     1048574       255.240.0.0      0.15.255.255
/13   524288      524286        255.248.0.0      0.7.255.255
/14   262144      262142        255.252.0.0      0.3.255.255
/15   131072      131070        255.254.0.0      0.1.255.255
/16   65536       65534         255.255.0.0      0.0.255.255      (class B network)
/17   32768       32766         255.255.128.0    0.0.127.255
/18   16384       16382         255.255.192.0    0.0.63.255
/19   8192        8190          255.255.224.0    0.0.31.255
/20   4096        4094          255.255.240.0    0.0.15.255
/21   2048        2046          255.255.248.0    0.0.7.255
/22   1024        1022          255.255.252.0    0.0.3.255
/23   512         510           255.255.254.0    0.0.1.255
/24   256         254           255.255.255.0    0.0.0.255        (class C network)
/25   128         126           255.255.255.128  0.0.0.127
/26   64          62            255.255.255.192  0.0.0.63
/27   32          30            255.255.255.224  0.0.0.31
/28   16          14            255.255.255.240  0.0.0.15
/29   8           6             255.255.255.248  0.0.0.7
/30   4           2             255.255.255.252  0.0.0.3
/31   2           2             255.255.255.254  0.0.0.1          (point-to-point links only, RFC 3021)
/32   1           1             255.255.255.255  0.0.0.0          (single IP address; host notation)

"Usable hosts" is the total minus the all-zeros (network) and all-ones (broadcast) addresses; a /31 has no such reserved addresses on a point-to-point link, and a /32 is a single host. The Cisco wildcard mask is the bitwise inverse of the netmask and is what access-lists expect.

What's a netmask?

All devices on a local network have a unique IP address, but each address is inherently divided into two parts, a shared network part, and a unique host part, and this information is used by the TCP/IP stack for routing. When sending traffic to a machine with a different network part, it must be sent through a router for final delivery.

The dividing line between the network and host parts is determined by the subnet mask, and it's often seen in 255.255.255.0 notation. It looks like an IP address, and it uses a "1" bit to select, or "mask" the network part.

[IP address with mask]

In this case, the netmask of 255.255.255.248 represents 29 bits of network and 3 bits of host (totalling 32 bits, of course), which gives 8 possible IP addresses in this range. The first address (the network address, with an all-zeros host part) and the last (the broadcast address, with an all-ones host part) are reserved, leaving 6 usable addresses that may be assigned to devices.

216.39.106.160   network address (zero broadcast)
216.39.106.161   available
216.39.106.162   available
216.39.106.163   available
216.39.106.164   available
216.39.106.165   available
216.39.106.166   available
216.39.106.167   broadcast address (ones broadcast)
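Every column in the chart above, and the classification of the 216.39.106.160/29 block just shown, can be computed from the prefix length rather than looked up. The following Python script is an added example and is not part of the original tip; it uses only the standard library's ipaddress module, treats /31 and /32 the way the chart's last two rows do, and is written for any IPv4 prefix, not just the /29 worked on this page.

```python
"""Derive the netmask chart columns and lay out an IPv4 block.
Added example for this page, not code from the original tip."""
import ipaddress


def mask_row(bits):
    """Return (total addresses, usable hosts, netmask, Cisco wildcard) for /bits."""
    if not 0 <= bits <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    total = 1 << (32 - bits)
    mask_int = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    netmask = str(ipaddress.IPv4Address(mask_int))
    # The ACL wildcard is the bitwise inverse of the netmask.
    wildcard = str(ipaddress.IPv4Address(mask_int ^ 0xFFFFFFFF))
    if bits == 32:
        usable = 1          # a single host (host notation)
    elif bits == 31:
        usable = 2          # RFC 3021 point-to-point link: no reserved addresses
    else:
        usable = total - 2  # drop the all-zeros and all-ones host parts
    return total, usable, netmask, wildcard


def block_layout(cidr):
    """Classify every address of a block as network, broadcast or available.
    A host address with a prefix (e.g. 216.39.106.163/29) is accepted and
    resolved to its containing block."""
    net = ipaddress.ip_network(cidr, strict=False)
    layout = []
    for addr in net:
        if net.prefixlen >= 31:
            kind = "available"
        elif addr == net.network_address:
            kind = "network (zero broadcast)"
        elif addr == net.broadcast_address:
            kind = "broadcast (ones broadcast)"
        else:
            kind = "available"
        layout.append((str(addr), kind))
    return layout


def chart(start=4, end=32):
    """Rebuild the quick reference as {prefix: mask_row(prefix)}."""
    return {bits: mask_row(bits) for bits in range(start, end + 1)}


if __name__ == "__main__":
    for bits, (total, usable, netmask, wildcard) in chart().items():
        print(f"/{bits:<3} {total:<10} {usable:<10} {netmask:<16} {wildcard}")
    for addr, kind in block_layout("216.39.106.163/29"):
        print(addr, kind)
```

Passing a host address such as 216.39.106.163/29 to block_layout() is deliberate: strict=False makes ipaddress find the enclosing block, which is the usual question when you are handed an address and a mask and need to know its network and broadcast neighbours.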

Thursday, April 9, 2009

Troubleshooting Linux(R) Firewalls

While Linux firewalls are inexpensive and quite reliable, they lack the support component of their commercial counterparts. As a result, most users of Linux firewalls have to resort to mailing lists to solve their problems. Our authors have scoured firewall mailing lists and have compiled a list of the most often encountered problems in Linux firewalling. This book takes a Chilton's manual diagnostic approach to solving these problems. The book begins by presenting the two most common Linux firewall configurations and demonstrates how to implement these configurations in an imperfect network environment, not in an ideal one. Then, the authors proceed to present a methodology for analyzing each problem at various network levels: cabling, hardware components, protocols, services, and applications. The authors include diagnostic scripts which the readers can use to analyze and solve their particular Linux firewall problems. The reference distributions are Red Hat and SuSE (for the international market).
http://rapidshare.com/files/105834053/0321227239.zip

Linux Firewalls: Attack Detection and Response with iptables

  • AUTHOR: by Michael Rash
  • Publisher: No Starch Press; 15 September, 2007
  • ISBN: 1593271417
Book Description
System administrators need to stay ahead of new security vulnerabilities that leave their networks exposed every day. A firewall and an intrusion detection system (IDS) are two important weapons in that fight, enabling you to proactively deny access and monitor network traffic for signs of an attack. Linux Firewalls discusses the technical details of the iptables firewall and the Netfilter framework that are built into the Linux kernel, and it explains how they provide strong filtering, Network Address Translation (NAT), state tracking, and application layer inspection capabilities that rival many commercial tools. You

http://rapidshare.com/files/79905036/Linux.Firewalls.Attack.Detection.and.Response._1593271417_.pdf.7z

Transcender Cisco Certification Exam Collection

NOTE: Please do not share these links on any other forums/websites or report them on rapidshare. Things like these are hard to get, and if they get reported and deleted I will not upload them again, because it takes a long time and, secondly, many people will lose out on good content.
http://rapidshare.com/users/6842H2

Password is mentioned as part of folder name

Cisco CCNA Actual test

800 great Cisco CCNA 640-802 Exam Questions - Actual test - Latest Update

http://rapidshare.com/files/204105301/640-802.rar.html

20 English-learning ebooks

Dictionary Cambridge English Grammar - Check Your Vocabulary for IELTS.pdf
Advanced_English_C_A_E_Grammar_Practice.pdf
American Accent Training.pdf
Basic_English_Usage_[Oxford].pdf
Cambridge - English Vocabulary in Use - Elem.pdf
Cambridge - English Vocabulary in Use - Pre-int_Int.pdf
Cambridge - English Vocabulary in Use - Upp_Adv.pdf
English.Grammar_-_OUP_-_The_Oxford_Guide_To_English_Usage.PDF
Essential Grammar in Use Supplementary Exercises.pdf
Ins_and_Outs_of_Prepositions.chm
Jossey-Bass - English Brainstormers - Ready-to-Use Games and Activities that Make Language Skills Fun to Learn.pdf
L._Rozakis_--_English_Grammar_for_the_Utterly_Confused.pdf
Longman_English_Grammar_Practice_intermediate_Self_Study_Edition.pdf
New Grammar Practice pre-int with key.pdf
NTC's American Idioms Dictionary.pdf
phrasalverb.doc
Speak English Like An American.pdf
The A-Z of Correct English Common Errors in English.pdf
wEBSTER Essential vocabulary.pdf
Word Formation In English.pdf

http://rapidshare.com/files/103526024/2bg9l4

Learning with English Connection: (BBC) 9

3 levels: Beginner, Intermediate and Advanced (each level has 3 CDs).
It is software that teaches you English by listening and watching.
Each course is built in the following steps:
Rapid English
Grammar
How to say and speak (giving advice, order, opinion…).
Role Play (Practice)
Comprehension
CD number 9 is the famous software “PRONUNCIATION POWER”; I have found it in the same collection.

CD 1 :
http://rapidshare.com/files/29455239/cd_1.part1.rar
http://rapidshare.com/files/29455253/cd_1.part2.rar
http://rapidshare.com/files/29455027/cd_1.part3.rar

CD 2 :
http://rapidshare.com/files/29459121/cd_2.part1.rar
http://rapidshare.com/files/29459124/cd_2.part2.rar
http://rapidshare.com/files/30359491/cd_2.part3.rar
http://rapidshare.com/files/30361981/cd_2.part4.rar
http://rapidshare.com/files/29456879/cd_2.part5.rar


CD 3 :
http://rapidshare.com/files/30363475/cd_3.part1.rar
http://rapidshare.com/files/30363485/cd_3.part2.rar
http://rapidshare.com/files/30363414/cd_3.part3.rar
http://rapidshare.com/files/30362420/cd_3.part4.rar

CD 4 :
http://rapidshare.com/files/30365655/cd_4.part1.rar
http://rapidshare.com/files/30365597/cd_4.part2.rar
http://rapidshare.com/files/30369530/cd_4.part3.rar
http://rapidshare.com/files/30365992/cd_4.part4.rar
http://rapidshare.com/files/30364549/cd_4.part5.rar


CD 5 :
http://rapidshare.com/files/30371586/cd_5.part1.rar
http://rapidshare.com/files/30371541/cd_5.part2.rar
http://rapidshare.com/files/30371575/cd_5.part3.rar
http://rapidshare.com/files/30371588/cd_5.part4.rar

CD 6 :
http://rapidshare.com/files/30372838/cd_6.part1.rar
http://rapidshare.com/files/30372970/cd_6.part2.rar
http://rapidshare.com/files/30372903/cd_6.part3.rar
http://rapidshare.com/files/30372877/cd_6.part4.rar
http://rapidshare.com/files/30372716/cd_6.part5.rar


CD 7 :
http://rapidshare.com/files/30374575/cd_7.part1.rar
http://rapidshare.com/files/30374732/cd_7.part2.rar
http://rapidshare.com/files/30374700/cd_7.part3.rar
http://rapidshare.com/files/30374784/cd_7.part4.rar
http://rapidshare.com/files/30374786/cd_7.part5.rar
http://rapidshare.com/files/30373921/cd_7.part6.rar


CD 8 :
http://rapidshare.com/files/30376709/cd_8.part1.rar
http://rapidshare.com/files/30376625/cd_8.part2.rar
http://rapidshare.com/files/30376794/cd_8.part3.rar
http://rapidshare.com/files/30376651/cd_8.part4.rar
http://rapidshare.com/files/30376661/cd_8.part5.rar
http://rapidshare.com/files/30375248/cd_8.part6.rar

CD 9 :
http://rapidshare.com/files/30379321/PRONUNCIATION_POWER.part1.rar
http://rapidshare.com/files/30379088/PRONUNCIATION_POWER.part2.rar
http://rapidshare.com/files/30379445/PRONUNCIATION_POWER.part3.rar
http://rapidshare.com/files/30377400/PRONUNCIATION_POWER.part4.rar


Learning to Learn English (Cambridge University Press)

This exciting new package provides a systematic course that enables students to become more effective learners and take on greater responsibility for their own learning. The Learner's Book is divided into two stages. Stage 1 contains activities that focus on styles, needs, organization, and motivation. Stage 2 covers various skills that include: extending vocabulary, dealing with grammar, listening, speaking, reading, and writing. Learners and teachers can select the skills and strategies they need and plan their own route through the materials. The course can be used in conjunction with a regular language course or presented as separate learner training sessions.
http://rapidshare.com/files/25055487/learning_to_learn_english__audiobook_1_of_2__2_.mp3
http://rapidshare.com/files/25057968/learning_to_learn_english_2-2_cambridge.mp3

E-Books for English Language Learning



http://rapidshare.com/files/46225968/Business.Vocabulary.rar
http://rapidshare.com/files/46225772/Grammar_with_laughter.rar
http://rapidshare.com/files/46225407/1000_Quick_Writing_Ideas.rar
http://rapidshare.com/files/46225360/Jossey-Bass_-_English_Brainstormers.rar
http://rapidshare.com/files/46225105/Vocabulary_in_use_Advanced.rar
http://rapidshare.com/files/46224941/Webster.Essential.vocabulary_0764571656_.rar
http://rapidshare.com/files/46224896/Writing_Grammar__Usage__and_Style.rar
http://rapidshare.com/files/46224842/Vocabulary_Building.rar
http://rapidshare.com/files/46224504/Dictionary_Of_Financial_And_Business_Terms.rar
http://rapidshare.com/files/46224243/A_to_Z_Idioms.zip
http://rapidshare.com/files/46225564/Fun_with_Grammar.rar

Cisco Networkers 2009 Barcelona Sessions

Cisco Networkers 2009 Barcelona Sessions | 950 MB

Cisco Networkers 2009 takes place from Tuesday January 27 to Thursday January 29, 2009. In addition, on Monday January 26, we are offering Cisco Networkers delegates the option of attending Techtorials and 4-hour Labs at the same venue, at an extra cost.

http://rapidshare.com/files/206167744/Cisco_Networkers_2009_Barcelona_Session.part01.rar
http://rapidshare.com/files/206179167/Cisco_Networkers_2009_Barcelona_Session.part02.rar
http://rapidshare.com/files/206190156/Cisco_Networkers_2009_Barcelona_Session.part03.rar
http://rapidshare.com/files/206200562/Cisco_Networkers_2009_Barcelona_Session.part04.rar
http://rapidshare.com/files/206210398/Cisco_Networkers_2009_Barcelona_Session.part05.rar
http://rapidshare.com/files/206102842/Cisco_Networkers_2009_Barcelona_Session.part06.rar
http://rapidshare.com/files/206113557/Cisco_Networkers_2009_Barcelona_Session.part07.rar
http://rapidshare.com/files/206124054/Cisco_Networkers_2009_Barcelona_Session.part08.rar
http://rapidshare.com/files/206135102/Cisco_Networkers_2009_Barcelona_Session.part09.rar
http://rapidshare.com/files/206146196/Cisco_Networkers_2009_Barcelona_Session.part10.rar
http://rapidshare.com/files/206156472/Cisco_Networkers_2009_Barcelona_Session.part11.rar

Cisco ASA Videos

Active_Standby_Failover_for_ASA_5500__QLM__by_Pranay.avi
ASA Security Context High Quality MP4 by Pranay
Cisco_ASA_5500_Series_Content_Security_and_Control_SSM__CSC-SSM__Installation__Setup_and_Activation_.avi
Cisco_IOS_Intrusion_Prevention_System__IPS__-_Products___Services_-_Cisco_Systems.flv
Cisco_IOS_Intrusion_Prevention_System__IPS__-_Products___Services_-_Cisco_Systems_2.flv
Cisco_SSL_VPN_Client_by_Pranay.avi
Configuring Event Action Rules.avi
Configuring IPsec Site-to-Site VPN.avi
Configuring the Meta Event Generator.avi
Configuring Transparent Firewall on the ASA and PIX Security Appliances (QLM) - iPOD
Configuring_the_ASA_5500_Series_with_the_CSC-SSM__QLM_by_Pranay.avi
Configuring_the_Base_License_Features_of_the_CSC-SSM_in_the_ASA_5500_Series__QLM_by_Pranay.avi
Configuring_the_Plus_License_Features_of_the_CSC-SSM_in_the_ASA_5500_Series__QLM_by_Pranay.avi
CSD_VPN_Concentrator_by_Pranay.avi
Hardening Cisco IOS Devices.avi
High_Availability_for_the_Cisco_ASA_5500_Series_Adaptive_Security_Appliance__Part_II_Active_Active_F.avi
Security_Monitoring_MARS-_Cisco_-_Cisco_Systems.flv
Site-to-Site_IPsec_VPN_Operations_part_2_by_pranay_2.avi
Upgrading_a_Sensor_to_IPS_5.0.avi
http://rapidshare.com/files/207948326/Cisco-ASA.part1.rar
http://rapidshare.com/files/207948318/Cisco-ASA.part2.rar
http://rapidshare.com/files/207948346/Cisco-ASA.part3.rar
http://rapidshare.com/files/208188369/Cisco-ASA.part4.rar