How to Troubleshoot AD Replication using Repadmin Tool

How to Troubleshoot AD Replication using Repadmin Tool

Repadmin is a cmd application for diagnosing AD replication issues. Via Repadmin it is easy to view replication topology for every domain controller. And use this knowledge to manually change it and initiate replication communications between controllers. With Repadmin you can easily check replication metadata and relevance vectors (up-to-dateness (UTDVEC)).

Repadmin.exe is a built-in feature in Windows Server environment starting from 2008. It comes with AD Directory Services role and also can be setup in client OSes like Windows 10 with RSAT.

Command List

Repadmin.exe has lots of commands, lets focus on most popular ones:

  • /syncall – used to synchronize a certain DC with others
  • /prp – if you have a Password Replication Policy (PRP), this command helps to manage it
  • /queue – Shows the current queue of replication
  • /replicate – this command helps to perform replication from one DC to another
  • /replsingleobj – This command is handy if you need to replicate only one certain object between DCs
  • /replsummary – Shows a report of a current state of replication and health in AD
  • /showattr – is used when you need to see object attributes
  • /showbackup – this setting displays the last backup time
  • /showrepl – If you need to know current replication status use this one

How to Get General Replication Status

Let’s start from overall state of replication, run elevated cmd.exe (start->run->cmd.exe) and type in the following command:

repadmin.exe /replsummary

The output will show you any replication failures that exist in your AD environment.

How to Force Replication

Suppose you have replication failures and you need to force a replication after fixing networking connections failure. In elevated Command Prompt (cmd.exe) on any DC run:

repadmin.exe /syncall /Aped

In addition to /syncall command we have few flags that will synchronize all partitions (/A), using push notifications (/p), in enterprise mode across Active Directory sites (/e) using distinguished names instead of DNS names (/d).

How to Manage Inbound and Outbound Replication

It is possible to disable inbound and/or outbound replication with a possibility to reenable it later. To achieve that run the following commands in cmd under admin rights:

repadmin.exe /options DC01 +DISABLE_INBOUND_REPL

Disables inbound replication on a DC01

repadmin.exe /options DC01 +DISABLE_OUTBOUND_REPL

Disables outbound replication on a DC01

repadmin.exe /options DC01 -DISABLE_INBOUND_REPL

Enables inbound replication on a DC01

repadmin.exe /options DC01 -DISABLE_OUTBOUND_REPL

Enables outbound replication on a DC01

For example, the option to disable outbound replication is a good way to perform schema updates without the need to rebuild the entire Active Directory forest.

Credits: https://serverspace.us/support/help/how-to-troubleshoot-ad-replication-using-repadmin-tool/

.

How to Change Default Location for New User and Computer Accounts in AD

When you join a computer to the Active Directory domain or create a user, all these objects will be placed in default containers – Computers and Users. In order to place your new objects to relevant OUs with proper group policies you need to change their default location. This tutorial will show you how to do that.

Modification the default location for new user and computer objects is possible in Windows Server 2003 and above. And you need to have a user account with domain admin rights and perform commands directly from the server not from a management workstation.

By default design, new computers are stored in Computers container and new users in the Users container because containers can’t have policies linked, so even if there is a problem with AD because of GPOs there should be a possibility to join a device and sign in to it without group policies.

Modifying the Default Location for User and Computer Objects

First, we need to create or decide the OUs to which we want to redirect. One for computers another for users. In our example it will be Employees and Workstations. For this purpose, Microsoft created redirusr.exe and redircmp.exe which are located in %SystemRoot%\System32 folder.

Run Command Prompt (cmd.exe) as administrator, run the following commands, replacing the values for your environment:

redirusr.exe "OU=Employees,DC=office,DC=local"
redircmp.exe "OU=Workstations,DC=office,DC=local"
Default containers redirection in Active Directory

If you need to revert these settings back, then type the following:

redirusr.exe "CN=Users,DC=office,DC=local"
redircmp.exe "CN=Computers,DC=office,DC=local"

Now all your new users and computers will automatically join organizational units instead of default containers.

How to Configure Direct Access in Windows Server

How to Configure Direct Access in Windows Server

In this article, we’ll step by step describe how to deploy the Direct Access (DA) remote connection service on Microsoft Windows Server. Before we get started, let’s take a quick look at what the Direct Access service is. The Direct Access component was first introduced by Microsoft in Windows Server 2008 R2 and was designed to provide transparent access for remote computers to internal company network resources. When connecting through a DA, the user can take full advantage of the enterprise and domain services, and the IT support staff can manage and keep the computers up to date in terms of security. At its core, Direct Access is a lot like a traditional VPN connection to the corporate network. You can also call it “always on VPN”.

Difference Between Direct Access and VPN

Let’s look at the basic difference between Direct Access and VPN:

  • In order to establish the Direct Access connection, the user does not need to start the VPN client – the connection is made automatically when there is Internet access.
  • To establish a connection between the DA client and the server, you need to open port 443.
  • The user’s computer must be in an Active Directory domain.
  • The communication channel between the remote PC and the corporate gateway is encrypted with robust algorithms using IPsec.
  • It is possible to organize two-factor authentication using a one-time password system.

Difference Between the First Version of Direct Access and Latest

What are the major differences between the new Windows Server versions of Direct Access and the first version on Windows 2008 R2? The main difference is the reduced requirements for the related infrastructure. For example, here are some differences:

  • The Direct Access server no longer needs to be an edge server, it can now be behind NAT.
  • If you’re using Windows 8 Enterprise and later as the remote client, you don’t need to deploy an internal PKI infrastructure (client authentication will be handled by the Kerberos proxy located on the DA server).
  • Having IPv6 on the internal network of the organization is not necessary.
  • New Direct Access supports OTP (One Time Password) and NAP (Network Access Protection) without requiring Unified Access Gateway (UAG) deployment.

Direct Access Installation Requirements

Here are infrastructure requirements to deploy Direct Access based on Windows Server:

  • Active Directory domain and domain administrator rights.
  • A dedicated (recommended) DA server running Windows Server 2012 R2 and later, included in a Windows domain. The server has 2 network cards: one is on the internal corporate network and the other is on the DMZ network.
  • Dedicated DMZ subnet.
  • The external DNS name or IP address available from the Internet that Direct Access clients will connect to.
  • Traffic redirection configuration from TCP port 443 to DA server address.
  • Deployed PKI infrastructure for certificate issuance. The certificate authority must publish the Web Server certificate template and allow it to be auto-enrolled (Not needed for Windows 8 and above).
  • Clients must run Windows Professional / Enterprise edition.
  • AD Group that will consist of computers that are allowed to connect to the network via Direct Access.

Installing Remote Access Server Role

First we need to start the Server Manager console and use the Add Roles and Features wizard to install the Remote Access role.

Remote access server role
Remote Access Server Role

As part of the Remote Access role, you must install the Direct Access and VPN (RAS) service.

DirectAccess and VPN
Direct Access Role Services

Leave all other settings by default and restart the server after installation.

Configuring the Direct Access Service in Windows Server

Once the Remote Access service has been installed, open the Tools ⇒ Remote Access Management snap-in.

Remote access management
Remote Access Management Snap-in

The remote access console will start. Click on DirectAccess and VPNRun the Remote Access Setup Wizard. Now we only need to install Deploy DirectAccess only role.

This should open a window in the right half of which you can see the four steps (Step 1 – 4) of the DA service configuration graphically.

Remote Access Setup
Remote Access Setup

Step One: Remote Clients

Let’s say that we’re deploying full DirectAccess for client access and remote management.

Now you need to specify the AD security group that will contain the computer accounts that are allowed to connect to the corporate network via Direct Access (in this example, we will use alwayonvpn group).

Direct access client setup
Security Group of Direct Access

Enable DirectAccess for mobile only option – allows you to limit connection via DA only for mobile devices (laptops, tablets). This feature is implemented by polling clients via WMI.

The Force Tunneling option – means that remote clients when accessing any remote resources (including regular websites) always use DA servers (all external client traffic goes through the corporate gateway).


On the next step we need to specify a list of internal network names or URLs from which the client can check (Ping or HTTP request) that he is connected to the corporate network. You can also specify the help desk email address and the name of the DirectAccess connection (so that it will appear on the client’s network connections).

If necessary, you can enable the Allow DirectAccess clients to use local name resolution option, which allows the client to use the company’s internal DNS servers (DNS server addresses can be obtained by DHCP).

Configure corporate resources for network connectivity assistant
Direct Access Client Setup

Step Two: Remote Access Server

The next step is to configure the Remote Access server. In our example we will have an edge server (firewall) with two network cards, so we need to select – Behind an edge device (with two network adapters), one of which is on the corporate network and the other is connected directly to the Internet or DMZ subnet. You also need to provide the external DNS name or IP address on the Internet (which is where port 443 is pinged to the external interface of the DirectAccess server) that the DA clients should connect to.

remote access server setup
Network Topology Options

Then you must specify which NIC will be considered Internal (LAN) and which External (DMZ).

Now we need to generate a DA server certificate. To do this, create a new mmc snap-in, and add the Certificates console that manages local computer certificates.

certificates snap-in
Computer Certificates Snap-in

In the Certificate Management Console, request a new personal certificate by clicking on Certificates (Local Computer) ⇒ Personal ⇒ Certificates and selecting All Tasks ⇒ Request New Certificate…

request new certificate
Request New Certificate

Request a certificate through the Active Directory Enrollment Policy. We are interested in a certificate based on the Web Servers template.

In the new certificate request settings on the Subject tab, let’s fill out the fields that identify our company and on the Private Key tab, let’s specify that the certificate private key can be exported (Make private key exportable).

certificate creation options
Certificate Creation Options

Save the changes and request a new certificate from CA. Request and generate a new certificate.

Return to the DirectAccess server settings window and click the Browse button to select the generated certificate. Specify our certificate.

In the next step of the wizard, we’ll select a method for authenticating Direct Access clients. Specify that authentication with Active Directory credentials (username/password) is used. Select the checkbox of Use computer certificates and Use an intermediate certificate. Click the Browse button to specify the certificate authority that will be responsible for issuing client certificates.

DirectAccess Client Authentication Settings
DirectAccess Client Authentication Settings

Step Three – Infrastructure Servers

The third stage contains configuration of infrastructure servers. We need to specify the address of the Network Location Server, which is located inside the corporate network. Network Location Server (NLS) – is a server through which the client can determine that it is on the internal network of the organization, i.e. you do not need to use DA to connect. NLS server can be any internal web server (even with a default IIS page), the main requirement is that the NLS server must not be accessible from outside the corporate network.

Network Location Server
Network Location Server

Now let’s specify a list of DNS servers for name resolution by clients. It is recommended to leave the option Use local name resolution if the name does not exist in DNS or DNS servers are unreachable when the client computer is on a private network (recommended).

Then specify the DNS suffixes of internal domains in order of priority of their use.

Management settings window we will keep default.

Step Four – Application Servers

In this step we will configure application servers. This phase allows you to configure additional authentication and traffic encryption between the back-end application servers and DA clients. In this example we do not need this, so let’s leave the option Do not extend authentication to application servers.

This completes the Remote Access role configuration wizard, so we just need to save the changes.

After you finish, the wizard will create two new group policies – DirectAccess Client Settings and DirectAccess Server Settings that are attached to the root of the domain. You can either leave them as they are, or link them to the desired OU.

Direct Access Group Policies
Direct Access Group Policies

Test Direct Access on the Windows Client

To test how Direct Access works from the client side, let’s add a computer with Windows Enterprise OS to our direct access group (alwaysonvpn) and update Group Policy via gpupdate /force on it.

Disconnect the laptop from the corporate network and connect to the Internet via public Wi-Fi. The system automatically connects to the corporate network via DirectAccess. The connection name will be displayed in Network & Internet Settings.

You can verify if there is a DirectAccess established using the PowerShell command:

Get- DAConnectionStatus

If it returns ConnectedRemotely, then the DA is connected to the corporate network

How to Configure Zabbix Monitoring System

How to Configure Zabbix Monitoring System

Zabbix is an open-source enterprise level monitoring system. At the moment Zabbix is one of the most popular and functional free monitoring systems, with its easy installation and configuration. Zabbix server can be used for monitoring large infrastructures with hundreds of servers, as well as for small environment. In this article we will cover how to install and configure free monitoring system Zabbix with Linux Ubuntu based web interface. Install Zabbix agents on Windows and Linux server, and add new hosts to the system for monitoring.

Contents

  • Zabbix structure and functionality
  • Installing Zabbix server on Linux
  • Configuring Zabbix web interface
  • Installing Zabbix agent on Windows
  • Adding a device on a Zabbix server
  • Installing Zabbix agent on Linux

Zabbix Structure and Functionality

Zabbix is rather simple to install and configure. It is written in C++ (server, proxy and agent) and PHP (frontend). Zabbix server and Zabbix proxy can only run on Linux systems. The agent can be installed on many supported operating systems and platforms.

The Zabbix server installation package consists of:

  • Zabbix server binary
  • MySQL (MariaDB)/PostgreSQL databases
  • Apache2/Nginx web server with PHP frontend
  • Frontend files – .php, .js, .css, etc…

The scheme of work looks like this:

  1. The Zabbix agent sends data to the server
  2. The Zabbix server receives and processes the data
  3. If the received data is subject to the specified conditions, a trigger is triggered
  4. An active trigger signals a problem. A notification is displayed on the frontend, the notification emails is sent and needed actions are automatically performed. This depends on the configuration, for example Zabbix agent can restart the service that is being monitored.

Zabbix can work with all known protocols, thanks to a system of external scripts.

Installing Zabbix Server on Linux

In this article we will take a look at an example installation of Zabbix Server on Linux (using Ubuntu Server) through a batch manager.

Go to the download page https://www.zabbix.com/download and select the repository corresponding to your Linux distribution. Ready-made packages are available for all popular distributions.

For example, to install Zabbix 5 on Ubuntu 18.04 you have to select :

Zabbix Version 5 ⇒ OS Distribution (Ubuntu) ⇒ OS Version (18.04 Bionic) ⇒ Database (MySQL) ⇒ Web Server (Nginx or Apache).

Download and add a repository:

wget https://repo.zabbix.com/zabbix/5.0/ubuntu/pool/main/z/zabbix-release/zabbix-release_5.0-1+bionic_all.deb
dpkg -i zabbix-release_5.0-1+bionic_all.deb
apt update

Now you can install the necessary packages:

apt install zabbix-server-mysql zabbix-frontend-php zabbix-nginx-conf zabbix-agent

Create a database and give the rights to the service account under whom Zabbix will access the database:

mysql -uroot
mysql> create database zabbix character set utf8 collate utf8_bin;
mysql> grant all privileges on zabbix.* to zabbix@localhost identified by 'Your Password';
mysql> quit;

Import the Zabbix database. You will need to enter the password that you specified for the zabbix@localhost user.

zcat /usr/share/doc/zabbix-server-mysql*/create.sql.gz | mysql -uzabbix -p Zabbix

Edit the configuration file /etc/zabbix/zabbix_server.conf, specify the password from the newly created user.

DBPassword=users password

Since in this example the web server is nginx, you need to change nginx.conf by removing “#” from the following lines:


listen 80;

server_name example.com;

Also change “example.com” to the domain name you want to log in to Zabbix web console, in this example it’s “test.zabbix.local“.

Now let’s set the time zone in PHP. In the /etc/zabbix/php-fpm.conf file lets remove “#” from the following line:

php_value[date.timezone] = Europe/Moscow

Additionally, you can set the following PHP settings in /etc/php.ini:

  • memory_limit 128M
  • upload_max_filesize 8M
  • post_max_size 16M
  • max_execution_time 300
  • max_input_time 300
  • max_input_vars 10000

Add the zabbix-server service to autostart and run it:

systemctl enable zabbix-server zabbix-agent nginx php7.2-fpm
systemctl restart zabbix-server zabbix-agent nginx php7.2-fpm

Configuring Zabbix Web Interface

Now you need to configure the frontend (web interface) of Zabbix. Open the previously specified URL of Zabbix server in your browser. In our example it is test.zabbix.local. Do not forget to register it on your DNS server.

Make sure that all installer requirements are OK.

Enter the data to connect to the database. Use the user and password you created earlier.

Enter the name of the Zabbix server. I recommend not to change the standard port – TCP 10051.

Note. The default Zabbix system uses two ports:

  • TCP 10050 is a passive agent port, on which the zabbix server polls clients;
  • TCP 10051 – the port on which zabbix server receives data from clients (active agent).

After that press Next Step and Finish. After successful installation, you will need to log in. Use “Admin” as login and “zabbix” as password, these are the default credentials.

This concludes the installation of the Zabbix Server.

Installing Zabbix Agent on Windows Server

Let’s try to install Zabbix agent on a Windows server and add it to our Zabbix monitoring. Download Zabbix agent for Windows here: https://www.zabbix.com/download_agents.

Select the desired version of the agent for Windows. For this example we will choose the “.msi x64” format (without OpenSSL). If you plan to install zabbix agent on servers/computers via Group Policy or SCCM, you can download the zip archive with binary and configuration files.

Start the installer, accept the license agreement, specify the requested data. Note that in the “Server or Proxy for active checks” field I entered the IP address in “IP:PORT” format. Since I left the port as standard, it will be serverip:10051.

Then click Next and Install.

Now we need to make sure that our agent is installed. The Zabbix agent service should appear in the services.msc list.

On the Windows client Firewall, you need to allow incoming connections from the Zabbix server:

New-NetFirewallRule -DisplayName "Zabbix" -RemoteAddress "ZabbixserverIP" -Direction Inbound -Protocol TCP -LocalPort 10050 -Action Allow

To make sure that the agent is working, you need to add our host to the Zabbix server and assign it checks.

Note. There are two types of checks in the Zabbix:
Passive – the Zabbix server asks for some data from the agent;
Active – the agent sends data to the server;

While installing the agent, we specified a server in IP:PORT format just for active checks.

Adding Device on a Zabbix Server

So We’ve installed the agent, now we need to add it on the monitoring platform via web-interface. Go to Configuration Hosts ⇒ Click Create host and fill in the data. Note that the host’s name must match the host name of the server with the agent or the value of the Hostname parameter in the agent config.

On the Templates tab, add some built-in Windows templates. Templates in Zabbix are sets of values, triggers, graphs and detection rules that can be assigned to one or more hosts.

These integrated templates have “active” in the end, which means that active checks will be used.

Click Add. To avoid waiting for the server and agent to connect with each other (usually takes a couple of minutes), restart the Zabbix Agent service on monitored host and check the agent’s log (C:\Program Files\Zabbix Agent\zabbix_agentd.txt).

The message “started [active checks #1]” indicates that active checks for this host have been found on the server. Now let’s look at the data that came to the Zabbix server from the agent. To do this in Zabbix, go to MonitoringLatest Data and select the desired host in the Hosts field.

This section shows the latest data that came to the server by selected hosts or groups of hosts. Note that there is a notification on the Zabbix dashboard that the BITS service is not running. This notification appears because we have assigned standard templates to our host. One of the templates was monitoring the BITS service and the corresponding trigger, which is triggered if the BITS service is not in status Running.

This concludes the configuration of the Windows Agent.

Installing the Zabbix Agent on Linux

Now let’s install the Zabbix agent on Linux. To install the Zabbix agent in Ubuntu Server using the package manager you need to download and install the Zabbix repository. Then we will install the zabbix agent from the repository:

wget https://repo.zabbix.com/zabbix/5.0/ubuntu/pool/main/z/zabbix-release/zabbix-release_5.0-1+bionic_all.deb
dpkg -i zabbix-release_5.0-1+bionic_all.deb
apt update
apt install zabbix-agent

Before we run the zabbix agent, we need to edit the /etc/zabbix/zabbix_agentd.conf configuration file. In this file you need to specify the IP address of the Zabbix server for active checks:

Server=ServerIP
ServerActive=IP:10051
Hostname=testagent

After that we need to start the agent service:

service zabbix-agent start

Make sure the agent is successfully launched.

cat /var/log/zabbix/zabbix_agentd.log

Cannot parse list of active checks” string indicates that there are no active checks for this host on the server.

Similar to the Windows agent, you need to add your Linux host to the Zabbix server settings. Note the Hostname parameter in the host configuration in the server’s Zabbix interface must match the Hostname parameter that we specify in the Zabbix config.

Reboot the Zabbix agent and check the log.

Check that the agent data has appeared on the Zabbix server.

This completes the configuration of the Zabbix agent on your Linux system.

How to Set up VPN Server on Windows Server

How to Set up VPN Server on Windows Server

In this article we will show you how to install and configure a simple Windows Server based VPN server that can be used in a small organization.

Note. This manual is not recommended as a guide for organizing a VPN server in a large corporate network. As an enterprise-class solution, it is preferable to deploy Direct Access and use it for remote access.

The first thing that you need to do is install the “Remote Access” role. You can do this through the Server Manager console or PowerShell.

With the Remote Access role, we are interested in the DirectAccess and VPN (RAS) service. Let’s install it! Open Server Manager go to Add Roles and Features -> Click Next two times-> We need to install the Remote Access and IIS web server roles.

Web server role

Click Next three times and select DirectAccess and VPN (RAS), click next and Install.

When the wizard is finished, click the “Open the Getting Started Wizard” link and the RAS Server Configuration Wizard will start.

Install RAS Service Using PowerShell

You can install the RAS service using the following Powershell command:

Install-WindowsFeatures RemoteAccess -IncludeManagementTools

Configure Remote Access Service

Since we do not need to deploy the DirectAccess service, let us specify that we only need to install the VPN server.

The familiar Routing and Remote Access MMC console opens up. In the console, right click on the server name and click the Configure and Enable Routing and Remote Access option.

Enable routing and remote access

The RAS Server Setup Wizard is launched. In the wizard window, select “Custom configuration” and then select the “VPN Access” option.

When the wizard is finished, the system will offer to start the Routing and Remote Access service. Do it.

starting routing and remote access

Configure Firewall to Allow VPN

If there is a firewall between your VPN server and the Internet from which clients will connect, you need to open the following ports and redirect traffic to these ports to your VPN server:

For PPTP: TCP - 1723 and Protocol 47 GRE (also called PPTP Pass-through)
For SSTP: TCP 443
For L2TP over IPSEC: TCP 1701 and UDP 500

After installing the server, you must allow VPN access in the user account properties (Dial-in tab) for those users which you want to connect via VPN. If the server is joined to an Active Directory domain, this should be done in the user properties of the ADUC console. If the server is local, you can find it in user properties of the Computer Management console (Network Access Permission – Allow access).

Dial-in settings

Configure DHCP for VPN

If you are not using a DHCP server that distributes IP addresses to vpn clients, you should enable “Static address pool” on the IPv4 tab of the VPN server properties and specify the range of addresses to be distributed.

Note. IP addresses distributed by the server for routing purposes must not overlap with IP addressing on the VPN client side.

So it is only remains is to configure the VPN client and test it.