Wednesday 27 June 2012

Virtual Private Network (VPN) : Introduction & Practical Implementation

Definition

A VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. The VPN uses "virtual" connections routed through the Internet from the business's private network to the remote site or employee.

Example

I am having a pharmaceutical company. When my medical representatives are  on field, visiting doctors and taking orders from medicals, I want them to keep their updates on server. They all have been given hand held devices to do this job. 

The problem is as they are on field and not in my network, they will not be able to access the server, but still I want to grant them access without bringing their devices into domain. How is it possible to access server from a system which is not in domain? 

Yes. It is possible through Virtual Private Network (VPN).

Comments

VPN is opposite of NAT. NAT allows systems in LAN to access Internet whereas VPN allows a system on Internet to access the LAN.

  • VPN dial-up is configured on laptop. The dial-up is configured using server IP running RRAS.
  • When VPN starts, it asks username and password. After authentication if the user have access rights then the laptop user receives IP from DC DHCP (If DHCP service is installed else an IP from a range we specify at the time of configuring the VPN Service).
  • A VPN tunnel (secured by different protocols) is created between laptop user and DC and access is given to shared files and folders.

Practical

Let's consider the following scenario.

VPN Example Diagram

We have a server computer with two NICs. 
  • NIC with IP address 192.168.1.10 is connected to the Internet.
  • NIC with IP address 10.0.0.1 is connected to the LAN switch.
There is a remote client (our Medical/Sales representative) with IP 192.168.1.15 who wants to access our local network to perform some updates or to access/share some data. VPN will help us here. So let's start with the practical.

Note: We are doing this practical using Oracle VM VirtualBox.

Step 1 : Add three NICs to the Server machine. 

(Why 3 ? we will tell it very soon. Go on performing it.)

Select Machine
Goto Settings
Network
Add 2 More Adapters and Refresh Mac Address of each.
Start the Machine

Adding NIC to a machine in Oracle VM VirtualBox

Step 2 : Configure the IP Address settings of each NIC.

Go to Network & Sharing Center
Manage Network Connections


Right Click & Disable Local Area Connection 3



Right Click on Local Area Connection 2
Properties
Uncheck Internet Protocol Version 6 (TCP/IPv6)
Select Internet Protocol Version 4 (TCP/IPv4)
Proprties & Configure as shown in the image.

IP Settings for NIC connected to LAN
Right Click on Local Area Connection 1
Properties
Uncheck Internet Protocol Version 6 (TCP/IPv6)
Select Internet Protocol Version 4 (TCP/IPv4)
Proprties & Configure as shown in the image.

IP Settings for NIC connected to Internet

Step 3 : Give user Dial-in Access

First create a user in AD for the remote client i.e. the Medical/Sales representative. Then
Right Click on the user
Properties
Dial In
Select Allow access -> OK


Step 4 : Install Role Netwrok Policy and Access Services

Goto Server Manager and Install Role Netwrok Policy and Access Services -> Next -> Next
Select Routing and Remote Access Services (2 more options will get selected automatically)
-> Next -> Install -> Close

Step 5 : Configuring Virtual Private Network (VPN) Service

Start -> Administrative Tools -> Routing and Remote Access

Right Click on SERVER(local) -> Configure and Enable Routing and Remote Access -> Next
Select Remote access (dial-up or VPN) -> Next



Select VPN -> Next

Now it asks for the NIC connected to Internet. (In our case 192.168.1.10)

Next select the LAN NIC. This is the NIC to which we are allowing access to the remote client. (i.e. 10.0.0.1)

As we have not installed DHCP, hence select From a specified range of addresses -> Next -> Click New and provide an IP range.

Keep "No, use Routing and Remote Access to authenticate connection requests" selected -> Next
-> Finish -> OK

With this we have configured the VPN service. Now on client, you have to just create a dialer.

Step 6 : Configuring Client

The IP configuration of client system is shown in the Image.


Restart the Server Computer (This step is important for success of the practical.)

Ping 192.168.1.10 -t and check that the client gets reply from server.

Step 7 : Create VPN Dialer

Now continuing on client,

Open Network and Sharing Center -> Set up a new connection or network


Connect to a work place -> Next

Use my Internet connection (VPN)


Select I'll setup my Internet connection later -> Next

Now you have to provide the IP of the server NIC connected to Internet i.e. 192.168.1.10 and a name to the connection -> Next

Here enter the credentials of the user we have made in the beginning of this practical and the dialer is ready.

Step 8 : Dial the VPN connection & Access the network

To start VPn connection, Double Click on Dialer and provide credentials of the user with Dial-in access -> Connect








And you are connected.

To access the Server, Start -> Run -> \\10.0.0.1 -> Ok and you can access the resources and do your work.

Tuesday 26 June 2012

Dynamic Host Configuration Protocol (DHCP)


In a network, you can assign IP addressed to clients and servers in two ways, i.e. either manually or automatically. Assigning addresses manually is quite an easy task if the network is small and limited but problem arises as the network grows larger. Just imagine an administrator trying to assign 500 IP addresses, subnet masks, default gateways, and other configuration settings required to run the network. Definitely this will not work.

In such a large network, a DHCP (Dynamic Host Configuration Protocol) server is used to centralize the process of IP address allocation.

The DHCP Address assignment (DORA process)



The lease process involves the following steps:

Discover | Offer | Request | Acknowledge (DORA) Process 



  • Discover The Windows XP Professional DHCP client requests an IP address by broadcasting a message (known as a DHCPDiscover message) to  the local subnet.

  • Offer The client is offered an address when a DHCP server responds with a DHCPOffer message containing an IP address, and associated configuration information, available for lease to the client.

  • Request The client selects the offered address and replies to the server with a DHCPRequest message.

  • Acknowledge The client is assigned the address, and the DHCP server sends an acknowledgment message (DHCPAck) approving the lease. Other  DHCP option information, such as default gateway and DNS server addresses, might be included in the message.

After the client receives acknowledgment, it configures its TCP/IP properties using any DHCP option information in the DHCPAck  message and completes the initialization of TCP/IP.

If no DHCP server responds to the client request, the Windows XP Professional–based client can proceed in one of two ways:

  • If APIPA is enabled, the client self-configures a unique IP address in the range 169.254.0.1 through 169.254.255.254.
  • If APIPA has been disabled, the client network initialization fails. The client continues to re-send DHCPDiscover messages in the background until it receives a valid lease from a DHCP server. The client makes four attempts to obtain a lease, one every five minutes.


The address Leases

A DHCP server maintain a list of all the IP addresses that the server has distributed to its client computers so that no address is assigned to two client computers at the same time. The server assigns an IP address to a client in the form of a lease that extends to six or eight days. 

A lease is a contract in which the IP address allocation is valid only up to a specific period. The default durations are 6 days for wired networks and 8 hours for wireless networks. These values can be modified.

When a client machine reaches half of the lease period then it sends a request to the DHCP server to extend the lease period. If the DHCP server is not found then one more request is sent at the half of remaining half i.e. at the time when 75% of the lease expires. If still there is no offer from the DHCP server, a final request is sent when 87.5% of lease gets expired. In case of no response from the DHCP server, the client machine starts searching for another DHCP Server on the network.

If a client machine shut downs properly or command ipconfig /release is executed then the DHCP server takes the IP address away from the client and now it can be assigned to any other machine. But if a client goes out of the network abruptly then DHCP server waits till the client machine joins the network again or the lease period expires so that the IP address can be assigned to some other machine.

Now let's configure perform the DHCP practical.

Practical

Install Role DHCP Server

Server Manager
Click on Roles Node
Add Roles -> Next
Select DHCP Server

Select Role DHCP Server
Next -> Select the network which this DHCP server will use for servicing clients. 

DHCP Network Selection
Next -> Click on Validate to verify the IP address of the preferred DNS server

Validate DNS Server IP Address
Keep WINS is not required for applications on this network and give Next

Now you have to add Scope of IP addresses that can be assigned by the DHCP server. Click on Add and Fill the details.

DHCP Scope

You can add more than one scope. 



Give next and select Disable DHCPv6 stateless mode for this server -> Next


Disable DHCPv6 stateless mode




Keep User current credentials selected and give Next & Install -> Close

Now start the Client Machine


Go to Network and Sharing Center
Change Adapter Settings
Select IPv4 -> Click properties & select 


  • Obtain an IP address automatically
  • Obtain DNS serve address automatically
Obtain an IP address dynamically @ Client machine
OK.

Now the the DORA process will be performed to obtain the IP address.

Connected to the mcitp.com server with dynamically assigned IP address
To check which IP address assigned, 
Right Click on the Local Area Connection
Click Status
Click Details
and you will see the IP address assigned by the DHCP server.

Sunday 24 June 2012

Configuring Network Address Translation (NAT) on Windows Server 2008

Introduction

Network Address Translation (NAT) allows an Internet Protocol (IP) network to maintain public IP addresses separately from private IP addresses. NAT is a popular technology for Internet connection sharing.

In it's most common configuration, NAT maps all of the private IP addresses on a home network to the single IP address supplied by an Internet Service Provider (ISP). This allows computers on the home LAN to share a single Internet connection. Additionally, it enhances home network security by limiting the access of external computers into the home IP network space.

e.g. In my office I have a LAN. I want to access Internet on every computer. I cannot afford to buy separate Internet connections for each system. Here NAT helps. I will purchase a single Internet connection for the Server computer and using NAT, I can allow the remaining computers in the network to share the Internet connection.

Practical

Consider the following scenario.

Network Address Translation (NAT) Example Diagram
We have a server computer with two NICs. 
  • NIC with IP address 192.168.1.10 is connected to the Internet.
  • NIC with IP address 10.0.0.1 is connected to the LAN switch.

There are four more computers viz. with IPs 10.0.0.2, 10.0.0.3, 10.0.0.4 and 10.0.0.5 on which we need to access the Internet. NAT will help us here. So let's start with the practical.

Note: We are doing this practical using Oracle VM VirtualBox.

Step 1 : Add three NICs to the Server machine. 

(Why 3 ? we will tell it very soon. Go on performing it.)

Select Machine
Goto Settings
Network
Add 2 More Adapters and Refresh Mac Address of each.
Start the Machine

Adding NIC to a machine in Oracle VM VirtualBox

Step 2 : Configure the IP Address settings of each NIC.


Go to Network & Sharing Center
Manage Network Connections

Right Click & Disable Local Area Connection 3



Right Click on Local Area Connection 2
Properties
Uncheck Internet Protocol Version 6 (TCP/IPv6)
Select Internet Protocol Version 4 (TCP/IPv4)
Proprties & Configure as shown in the image.

IP Settings for NIC connected to LAN
Right Click on Local Area Connection 1
Properties
Uncheck Internet Protocol Version 6 (TCP/IPv6)
Select Internet Protocol Version 4 (TCP/IPv4)
Proprties & Configure as shown in the image.

IP Settings for NIC connected to Internet

Step 3 : Install Role Netwrok Policy and Access Services

Goto Server Manager and Install Role Netwrok Policy and Access Services -> Next -> Next
Select Routing and Remote Access Services (2 more options will get selected automatically)
-> Next -> Install -> Close

Step 4 : Configuring Network Address Translation (NAT) Service

Start -> Administrative Tools -> Routing and Remote Access

Right Click on SERVER(local) -> Configure and Enable Routing and Remote Access -> Next
Select Network Address Translation (NAT) -> Next
Select the NIC connected to Internet (In our case NIC with IP Address 192.168.1.10) ->
Select NIC to which local network is configured. (In our case NIC with IP 10.0.0.1)

Do you remember we added 3 NICs though we need only 2 as per the diagram. We did that to see this window of selecting NIC connected to LAN. If we add only two NICs and do this practical then after selecting NIC connected to Internet, it automatically takes the other NIC as connected to LAN and this window is skipped.

-Next -> Finish


Step 5 : Configuring Client Machine

On Client, open Network and Sharing Center and configure the IPv4 settings of the NIC as shown in the following image.


IP Settings of Client Machine NIC
We are done with the practical. To test go to command prompt and execute the following ping commands from the client machine.
  • ping 10.0.0.1 -t
  • ping 192.168.1.10 -t

You will receive reply from both. A reply from 192.168.1.10 means you are allowed to access the public network i.e. the Internet.



Ping reply from both the NICs

Friday 15 June 2012

Managing Organizational Units, Users and Groups using AD commands


Introduction

What is a Domain?
Domains are the main logical structure in Active Directory because they contain Active Directory objects. Network objects such as users, printers, shared resources, and more are all stored in domains. Domains are also security boundaries.

What is an Organizational Unit?
An Organizational Unit (OU) is a container that enables users to organize objects such as users, computers, and even other OUs in a domain to form a logical administrative group. An OU is the smallest Active Directory component to which users can delegate administrative authority.

Why to use OU?
Using organizational units, you can create containers within a domain that represent the hierarchical, logical structures within your organization. You can then manage the configuration and use of accounts and resources based on your organizational model.


As shown in the figure, organizational units can contain other organizational units. A hierarchy of containers can be extended as necessary to model your organization's hierarchy within a domain. Using organizational units will help you minimize the number of domains required for your network.

You can use organizational units to create an administrative model that can be scaled to any size. A user can have administrative authority for all organizational units in a domain or for a single organizational unit.

Practical

Once you will go through the given exercise, you will be familiar with the working of various  AD commands.

Organizational Units

Designing the organizational structure with the help of Organizational Units (OU) is easy if you use GUI. Let's do the same thing using commands. This is helpful if you are working with Windows Server 2008 core as only a command prompt and notepad will be available.

We are going to design the following structure.


We are working with domain mcitp.com

We will use the dsadd command to create OU ciots and inside OU ciots other OUs Sales, Marketing and HR.

dsadd OU "ou=CIOTS, DC=mcitp, DC=com"

dsadd OU "ou=Sales, ou=CIOTS, DC=mcitp, DC=com"

dsadd OU "ou=Marketing, ou=CIOTS, DC=mcitp, DC=com"

dsadd OU "ou=HumanResource, ou=CIOTS, DC=mcitp, DC=com"


Oh By mistake instead of making OU as HR, I made HumanResource. Now there are two ways to rename.

Way 1 - Remove OU HumanResource and create a new OU as HR using dsrm and dsadd

dsrm "ou=HumanResource, ou=CIOTS, DC=mcitp, DC=com"

dsadd OU "ou=HR, ou=CIOTS, DC=mcitp, DC=com"

Way 2 - Rename the OU HumanResource to HR using dsmove

dsmove "ou=HumanResource, ou=CIOTS, DC=mcitp, DC=com" -newname "HR"

Now fire the dsquery command to check that all the OUs are created properly.

dsquery ou "dc=mcitp, dc=com"


You can also verify it in Active Directory Users and Computers Snap-in


Users & Groups

Each OU will have some users and groups. The users which perform the same task can be added to a group. Any permissions or changes applied to a group will be applied to all its users.

Let's learn how to create a user first. We have to create users S1, S2 and S3 in OU Sales. We will use Dsadd user command.

Dsadd user "CN=S1, ou=Sales, ou=CIOTS, dc=mcitp, dc=com" 
-pwd admin@123 -mustchpwd yes

This will create a user S1 in OU Sales with default password as admin@123 and user will be asked to change the password at first login.

We will use the following command to create user S2.

Dsadd user "CN=S2, ou=Sales, ou=CIOTS, dc=mcitp, dc=com" 
-pwd * -mustchpwd yes

This is same as previous. Only the password will be entered separately at the time of executing this command as shown in the following figure.


If I do not want that user S3 to change the password at first login, I will use the following command.

Dsadd user "CN=S3, ou=Sales, ou=CIOTS, dc=mcitp, dc=com" -pwd admin@123

Now query and check that all the users are created in the OU sales using the following command.

Dsquery user "ou=Sales, ou=CIOTS, dc=mcitp, dc=com"


Note: When you create a user and do not provide the password then account will be disabled.

Next is to create a group Managers and adding S2 and S3 to this group. This task can be accomplished by using the following two commands. First command creates the group Managers.

Dsadd group "CN=Managers, ou=Sales, ou=CIOTS, dc=mcitp, dc=com"

and second command adds S2 and S3 to this group using Dsmod group

Dsmod group "CN=Managers, ou=Sales, ou=CIOTS, dc=mcitp, dc=com" 
-addmbr 
"CN=S2, ou=Sales, ou=CIOTS, dc=mcitp, dc=com" 
"CN=S3, ou=Sales, ou=CIOTS, dc=mcitp, dc=com"

Now to check that the users are added to the group fire the following query command (Dsget).

Dsget group "CN=Managers, ou=Sales, ou=CIOTS, dc=mcitp, dc=com" 
-members

You can also verify it in Active Directory Users and Computers Snap-in.


When a user leaves our organization, we do not delete the account. Instead we disable it as follows.

Dsmod user "CN=S2, ou=Sales, ou=CIOTS, dc=mcitp, dc=com" -disabled yes

S1 has changed the department. Now he is in marketing. In order to move the user from OU Sales to OU Marketing, use the following command (Dsmove).

Dsmove "CN=S1, ou=Sales, ou=CIOTS, dc=mcitp, dc=com" -newparent
"ou=Marketing, ou=CIOTS, dc=mcitp, dc=com"

And finally if you want to delete the entire OU structure use Dsrm command as follows.


dsrm -subtree -noprompt -c "OU=CIOTS,DC=mcitp,DC=com"

Wednesday 13 June 2012

RAID 5 : Concept & Practical Implementation

Implementing a RAID-5 volume requires a minimum of three and a maximum of 32 disks in the set. The physical disks do not need to be identical. However, there must be equal size blocks of unused space available on each physical disk in the set. The disks can be on the same or different controllers. As with striped volumes, you cannot add disks to a RAID-5 volume if you need to increase the size of the volume later.

If one of the disks in a RAID-5 volume fails, none of the data is lost.

RAID 5
Practical

Note - As we are working with Virtual Machine, so hard disk creation part is equivalent to attaching extra physical hard disks practically.

Steps
Attach three Hard Disks as HD1, HD2 and HD3 in Windows Server 2008 Click here to know how to add Hard Disk in Virtual Machine and Start the machine.

Start -> Control Panel -> Administrative Tools
Double Click on Computer Management
Select Disk Management
OK


Right Click on Disk 1 and Select New RAID 5 Volume ...



Next
Add all the three Hard Disks and Specify the amount of space in MB as 50 (Notice that the same value will be set for all 3 disks)


Assign drive letter N
Next
Check Perform quick format
Next -> Finish -> Yes


Notice the aqua color. The color codes are specific for each kind of RAID technology.

A New Volume (N:) is created. (you can check in My Computer). You can store some data in this drive.

Now we have to corrupt any of the disk. shut down the machine. Remove any one of the newly added hard disk from the machine. Click here to know How to remove a Hard Disk in Oracle VM VirtualBox and start the machine again.

Go to My Computer. Oh ! Though you have removed a disk but the New Volume (N:) is safe where we have stored some data.

Now 
Start -> Control Panel -> Administrative Tools
Double Click on Computer Management
Under the Storage node, Select Disk Management



The task is to recover from this failure. Purchase a new hard disk and attach it to the machine. In our case, shutdown machine. Create a new disk and add it to the machine  Click here to know how to add Hard Disk in Virtual Machine and Start the machine.




Go to Disk Management i.e.


Start -> Control Panel -> Administrative Tools
Double Click on Computer Management
Under the Storage node, Select Disk Management
Give OK for the new disk added.

Right Click on any of the failed disk and select Repair Volume


Select the purchased disk (we attached just now) and give OK -> Yes


Note - Do not delete the Missing Volume.

You have recovered from the failure and all the disks are healthy.


Conclusion: 

In RAID 5, We were able to recover from disk failure and there was no data loss due to the removal of hard disk from the machine.

Do you like this article?