Oct 072019
 
Microsoft Windows Server Logo Image

Today I’m going to be talking about Read Only Domain Controllers (RODC). An RODC is a Read Only Domain Controller for Active Directory Services inside of Microsoft Windows Server. It has become one of my favorite discoveries in the last 10 years for use with clients in certain situations.

A Read Only Domain Controller is similar to a regular Domain Controller, with the exception that the content is synchronized and available as a read-only copy. You cannot write to an RODC AD database.

Let’s explore RODC’s in more depth and find out what they are, why they are used, and use-case scenario examples.

What is an RODC

Read Only Domain Controllers were originally released with Windows Server 2008, and have been available on all versions since (including Windows Server 2008R2, Windows Server 2012/2012R2, Windows Server 2016, and Windows Server 2019).

A Domain controller that is an RODC contains a read-only cached copy of the Active Directory database. Additional sets of controls are available to control and limit this information and what is stored and cached.

Why an RODC

A Read Only Domain Controller is typically placed in situations and scenarios where a standard writable domain controller cannot be placed. The AD data/information can be filtered so that important items such as passwords, credentials, and other security sensitive information are not cached on that server. This provides a safety mechanism if the RODC is stolen or compromised (either physically, or virtually). You can control it so that only required information is cached, such as credentials for the users in the specific office.

RODC’s are meant to be used at remote offices and/or branch offices (ROBO) to allow services to function that rely on Active Directory such as file/print services and other Active Directory applications. Also, typically at these sites it either wouldn’t make sense or be safe to have a writable domain controller, however the RODC is needed to cache AD information, and enhance performance of these AD applications.

Offloading Active Directory requests to a single cached copy onsite on an RODC significantly reduces bandwidth pipe requirements versus having numerous computers and users authenticating and requesting Active Directory content over a site-to-site VPN between the main office and remote office/branch office.

Also, if you have an office with an unstable internet connection where the site-to-site VPN regularly has issues or isn’t always available, having an RODC available to handle Active Directory requests can keep that office online and functioning.

Scenarios for an RODC

In the past I’ve used Read Only Domain Controllers for a few different types of scenarios. I’ll get in to them below and explain why.

The scenarios:

  • AD Cache for ROBO (Remote Office Branch Office)
    • Unstable internet connection
    • AD Services at remote site (File/Print, LoB)
    • Numerous Users accessing Active Directory
    • Improve login times
  • ROBO with Potential Security issues (theft, lack of survailence, etc.)
    • Office is in remote area with delayed physical security response, risk of theft
    • Server physical security at risk, employees could have access
  • Corporate Infrastructure hosted in the Cloud
    • Domain Controller in the Cloud
    • Need a DC on-premise to handle logins and resource access

AD Cache for ROBO (Remote Office Branch Office)

Implementing an RODC in this situation is an excellent example. In a situation where an office has unreliable (intermittent or slow) internet but is critical to business continuity, an RODC can keep them up and running uninterrupted.

Typically, if you were just using a Site-to-Site VPN, if that connection went down, users wouldn’t be able to authenticate against Active Directory or access resources in Active Directory. Having an RODC on-site, allows them to authenticate (if their credentials are stored) and access resources.

As most IT professionals are aware, having a large number of users authenticating and accessing these resources over a VPN can use up the bandwidth pipe and cause issues. Having an RODC locally virtually eliminates VPN bandwidth usage to only Active Directory synchronization, and synchronization deltas.

Finally, having users authenticate locally instead of a saturated high latency VPN connection, improves their login time and performance.

ROBO with Potential Security issues (theft, lack of survailence, etc.)

If you have a remote site with security concerns, an RODC can help you with your security strategy.

If an RODC is physically stolen, only credentials that are filtered to be cached on that RODC are stored locally, this usually excludes administrative accounts as well as other users and services that aren’t accessed or used at the remote site. Also, because the domain controller isn’t writable, the thief cannot power on, inject data in to Active Directory and have it sync to your other domain controllers if they somehow gained access to your internal network.

The above also holds true for possible malicious employees who may have skills or knowledge, or allow other 3rd parties to have physical or virtual access to the server.

In the event of a disaster, restoring or recreating an RODC is easy and fast. Since it synchronizes from writable DCs on the network, the concerns of traditional writable domain controller restores don’t need to be considered.

Corporate Infrastructure hosted in the Cloud

If by chance most of your corporate infrastructure is hosted in the cloud, you know that you still need some on-premise resources and infrastructure to handle and offload bandwidth requirements between your LAN network and virtual cloud LAN network.

Typically, in most cases you’d have an on-site on-premise domain controller to handle local login and authentication, as well as resource access. But why use a fully writable domain controller, when you can use an easy to manage and maintain RODC?

Using an RODC at your local site allows you to offload services off the pipe, to the RODC, again limiting bandwidth requirements to AD synchronizations and delta synchronizations. This allows your bandwidth to be used for more important things like Line of Business applications, e-mail, etc.

As most IT professionals prefer simple and functional, this keeps simplified and easy to manage.

Conclusion

RODC’s are a perfect tool to compliment your IT infrastructure and help secure it as well. I’ve placed numerous Read Only Domain Controllers at customers branch offices, remote oil and gas sites, and in various other scenarios.

Not only have they kept these customers up and running during outages, but the ease of use and ease of management make it common sense to use this technology.

Oct 062019
 

As I regularly mention on the blog, I’m available to provide IT Consulting Services. I provide IT Consulting Services both on-site and remotely. I’m also available for engagements that require travelling, even internationally.

IT Consulting Services are provided to many customers both locally, and internationally.

For more information, to hire me as an IT Consultant, or contact me, please read on.

Who I help

Thanks to readers, I’ve been brought on board as an IT Consultant for a number of projects in a number of different types of situations.

I’ve been contracted to provide IT Consulting Services for:

  • Businesses (CTOs, Board of Directors, IT Directors, IT Managers)
  • Competitors (Managed Services Providers, IT Service Providers, Indirect competitors)
  • Consultants (Reorganization and Restructuring, Business Consultants, Efficiency Consultants)

Confidentiality is of upmost importance, and in cases where working with or for competitors, there will be no efforts or actions for competition.

IT Consulting Scenarios

There have been many different scenarios that I have provided IT Consulting Services. Please see below for some examples:

  • Assist competition with knowledge-gap or assist with project (implementation and/or migration)
  • Assist businesses or organizations IT departments with projects (implementation and/or migrations) to fill knowledge-gap
  • Provide IT Consulting Services as a backup/augmentation for competitors
  • Provide IT Consulting Services as a backup/augmentation for hired IT staff
  • Managed Services
  • Service geographical areas where the client organization does not have personnel or resources available
  • Service geographical areas where the competitor does not have personnel or resources available
  • Assist with specialty projects
  • Ability to travel with short-notice
  • Situations where special expertise are required for “geographically hard to access” offices or sites
  • Emergency support and resources for IT Professionals and IT Staff
  • Emergency support and resources for IT Service Providers
  • Emergency support and resources for Users
  • Travel to remote locations and/or offices for project work (implementations, migrations, etc.)
  • Training and Demonstrations

What I’ve done

Over the years, I’ve assisted providing IT Consulting Services for some extremely complex project work, as well as simple engagements. Below is an example of some of the work I’ve done that has been initiated by readers of my blog:

  • Numerous SBS 2008 to SBS 2011 to Windows Server (with Essentials Experience Role) Migrations
  • Numerous SBS 2011 to Windows Server (with Essentials Experience Role) Migrations
  • Numerous Microsoft Exchange 2010 to Exchange 2013 Migrations
  • Numerous Microsoft Exchange 2013 to Exchange 2016 Migrations
  • Numerous Microsoft Exchange 2016 to Exchange 2019 Migrations
  • Setup, Configuration, and Deployment of VMware Unified Access Gateways
  • Deployment and Migration of VMware Horizon View Servers from old versions to latest versions
  • Troubleshoot and rescue Microsoft Exchange Servers
  • Setup, Configuration, and Deployment of Veeam Backup and Replication
  • Setup, Configuration, and Deployment of Veritas Backup Exec
  • Point to Point Wireless Back hauls (including routing and firewall)
  • Point to Multi-point Wireless (Business and Enterprise Wireless Deployments)
  • Setup, Configuration, and Deployment of SAN (Storage Area Network) arrays
  • Setup, Configuration, and Deployment of VMware vSphere (including vCenter, ESXi, Shared Storage, and networking)
  • Setup, Configuration, and Deployment of HPe Servers, SANs, and other hardware
  • Backup and Disaster Recovery Consulting
  • Backup and Disaster Recovery solution design, implementation, support, and policy creation
  • Troubleshooting and assistance with HPe MSA Storage Arrays (SAN)
  • Design, Implement, and Support IT Solutions for environments that are geographical difficult to access or have limited access available
  • Solution Design (Servers, Storage, Networking, Software)
  • And much more

How to get in touch

For more information on how to hire me for IT Consulting Services, please visit https://www.stephenwagner.com/hire-stephen-wagner-it-services/. There is also contact information available here https://www.digitallyaccurate.com/contact-us/.

As a consultant, I put emphasis and focus on making engagement easy, simple, and keeping customer satisfaction in mind.

Please don’t hesitate to reach out!

Oct 062019
 

Today I wanted to do a brief post addressing Microsoft Exchange Backup and Disaster Recovery.

In the past week I’ve had over 30 people reach out to me via chat looking for help and advice in situations where:

  • A Cumulative Update Failed
  • Exchange Services will not start
  • Hardware Failure Occurred

In all of these cases the admins took a snapshot of their Exchange virtual machine (in Hyper-V or ESXi/VMware), and then restored it to the previous point when the failure occurred. This completely broke their Exchange install and possibly made it unrecoverable.

The above example is what you DO NOT want to do.

Microsoft Exchange Aware Backups

As per: https://docs.microsoft.com/en-us/exchange/high-availability/disaster-recovery/disaster-recovery?view=exchserver-2019

Exchange Server supports only Exchange-aware, VSS-based backups. Exchange Server includes a plug-in for Windows Server Backup that enables you to make and restore VSS-based backups of Exchange data. To back up and restore Exchange Server, you must use an Exchange-aware application that supports the VSS writer for Exchange Server, such as Windows Server Backup (with the VSS plug-in), Microsoft System Center 2012 – Data Protection Manager, or a third-party Exchange-aware VSS-based application.

You must use an Exchange-aware backup and/or disaster recovery application/software suite. These applications are aware of Exchange and designed to perform proper backups of Exchange, the mailboxes, and configuration. Not only do they backup the mailbox database and the VM running Exchange, but they also backup the system state and configuration of Microsoft Exchange.

Simply performing a VM snapshot is not supported and can break your Exchange installation.

Note that the configuration for Microsoft Exchange is stored inside of Active Directory, and not on the actual Exchange Server. Restoring the Exchange Server to a previous snapshot will cause a configuration synchronization gap between the Active Directory configuration and the mailbox database on the Exchange Server.

Options for Backup

There are plenty of options to perform Microsoft Exchange-aware backups.

If you’re looking for something free and easy, you could use the built-in Windows Server Backup function on Microsoft Windows Server. It’s perfect for special migration and upgrade jobs, homelabs, and small/micro sized businesses.

For larger organizations, I’ve used, setup, implemented, and managed the following backup applications:

There’s no excuse for not having a backup, especially if you call yourself a professional. You should always have a full working backup, especially before performing any type of maintenance, updates, or upgrades to your environment.

Microsoft Exchange Issues and Failures

Additionally, in the event of an issue, the solution isn’t always to restore from backup.

In most cases when something fails, it’s best practice to troubleshoot and correct the issue, instead of blasting away Exchange and restoring from backups.

Most Exchange installs can be saved simply by following standard troubleshooting procedures. Even if an Exchange Cumulative Update fails, you can fix what caused it to fail, and then re-run the installer/upgrader to attempt to recover! No backup restore needed!

Oct 052019
 
Linksys E4200v2 VLAN breakout picture

A great and useful purpose for old embedded Linux wireless routers, is to re-purpose them as VLAN breakout boxes!

If you’re like me, you probably have a bunch of old Linksys (or other brand) Linux embedded wireless routers sitting around your home. You probably also have VLANs running on your home network or homelab for various reasons.

Let’s get to it!

Why would we need to do this?

VLANs are great, but typically the money it costs for VLAN supported switches, APs, routers, and other devices is more than your typical home gear.

You may be able to justify these purchases for your core network infrastructure, but when your cabling out to individual rooms in your house or apartment, you may not want to spend a lot of money on switches for that room.

The cost of a gigabit embedded Linux router is usually a lot less than a manageable switch that provides VLANs. At the same time, if you’re a true geek you probably have at least 5 of these embedded Linux routers sitting around in boxes… Why spend money at all?

What does this accomplish?

As an example: In my basement I have a single Cat 5e Ethernet cable providing all VLANs in a trunk from my server room. In my basement I have all my multimedia devices, IoT devices, a wireless access point (with 3 SSIDs/VLANs), and more.

Instead of purchasing an expensive manageable switch that supports VLANs, I ended up flashing OpenWRT on a couple Linksys E4200v2 wireless access points. I then connect the OpenWRT device to my Ubiquiti UniFi Network Infrastructure.

Linksys OpenWRT Switch VLANs Picture
Linksys OpenWRT Switch On Panel

On the E4200 for my basement, I configured the WAN port to accept the incoming VLAN trunk and then configured the other LAN ports depending on their purpose. One of the LAN ports remains as a VLAN trunk for the Ubiquiti UniFi NanoHD wireless access point (as it needs all VLANs), and the other LAN ports untag traffic on various VLANs for specific purposes. One of these ports is the output for my main network LAN (which goes to a normal non-VLAN switch).

OpenWRT VLAN Configuration Settings Screenshot
OpenWRT VLAN Configuration Basement AP

All you have to do is make sure you label the ports so you know what VLAN or trunk you’re plugging in to.

This is why I call it a “VLAN Breakout Box”! I also make sure to disable all the wireless radios on the router as I don’t need these (it also reduces the load on the CPU, although negligible).

So how do we do this?

We use OpenWRT and flash it to compatible embedded Linux wireless routers, switches, and other devices. It can even be used on x86 hardware.

If we’re picky, we’d prefer embedded SBC (Single Board Computer) devices that have a switch-on-chip setup, so that the packet switching can be handled via hardware and not software. We want this for better performance.

You can download and find more information about OpenWRT here: https://openwrt.org/

Always make sure you know what you’re doing when flashing hardware. You may brick your device if you fail to follow instructions properly.

On a final note, one of the reasons why I prefer OpenWRT over DD-WRT, is that with the GUI, you can configure any acceptable VLAN ID, whereas on DD-WRT you’re restricted to a very limited number of VLANs.

Oct 052019
 
Ubiquiti UniFi Controller Login Screen

When deploying a new UniFi network using Ubiquiti UniFi hardware and the controller, you may wish to change the management VLAN, and/or the VLAN that the hardware uses to communicate with the UniFi Controller.

In this post, I’m going to go over how to do this, as well as troubleshoot if something should go wrong.

Please note that I’m focusing on the theory and understanding as to how communication is handled, instead of providing step by step instructions which is what readers are usually accustomed to on this blog.

Why would we do this?

Some users (myself included) like to avoid using the default management VLAN of 1. This can be for a number of reasons such as reducing the security vulnerability footprint, customizing for specific customers or environments, or we just like to change it from the default VLAN.

How do we do this?

When you choose to change the default management VLAN, typically you need to maintain a network/subnet on untagged VLAN1. This is because when you purchase or deploy new UniFi equipment, it will always try to obtain an IP on untagged VLAN 1, and try to contact the controller using this network.

By having a functioning “provisioning” network and subnet on VLAN 1, the devices can obtain their configuration, and provision from there.

Once the device is provisioned and attached to the UniFi controller, you can configure it to use a different VLAN as it’s management VLAN.

Keep in mind that you must make the controller available on both the untagged “provisioning” VLAN 1, as well as the new custom management VLAN as well. In my case, I make all the subnets routable so that the UniFi controller is available no matter what subnet and/or VLAN your on.

How do we secure this?

In my example above, I have very restrictive firewall rules on the firewall that is routing the different VLANs and subnets. The only traffic that is allowed to be routed to the untagged “provisioning” VLAN 1 is traffic destined for the UniFi controller, and only the ports that are required for provisioning. All other traffic is restricted, including internet access.

Essentially the only thing that functions on VLAN 1 is routing to the UniFi controller, and DNS for the lookup of the host record “unifi”.

What will happen if I’m doing this wrong?

If you’ve done this wrong, you may notice that original provisioning works, then the AP or switch disappear and go offline after the management VLAN change on the device. This is because it can’t contact the controller after it changes its default management VLAN to the new one you specified.

If the device never contacts the UniFi controller in the first place, then the device isn’t able to contact the controller on the untagged VLAN 1. You need to make sure that the various provisioning methods are available and functioning, and that the subnet is routable and firewall rules allow communication from that subnet to the UniFi controller.

How do we test this?

In my environment on untagged VLAN 1 as well as my custom management VLAN, you can open a browser and type in “unifi” and it will resolve and connect to the UniFi controller. This means it’s available on the default VLAN that the devices look for, as well as the custom management VLAN.

I find using the A host record the easiest way to do this. Please note that my UniFi controller only has one static IP address on the custom management VLAN.