William Lam of VirtuallyGhetto.com long ago created a free alternative backup solution for ESXi. It is distributed as a simple script. It was developed over 8 years ago for ESX 3.x and continues to be added to and modified today.
Just yesterday William posted on his site that it is now available in a self-installable VIB format. One of the great things about the VIB is that the program now persists through reboots of ESXi.
The original page for the script GhettoVCB is here: https://communities.vmware.com/docs/DOC-8760
To read more about the latest updates from William and to get to his links for downloading the VIB & offline bundle, click here: http://www.virtuallyghetto.com/2015/05/ghettovcb-vib-offline-bundle-for-esxi.html
Friday, May 29, 2015
Tuesday, March 3, 2015
Active Directory - Fine-Grained Password Policy
So I have been doing quite a bit of consulting lately and thought I would document some of the more interesting tasks that I run across. In the last couple of weeks I have dealt with software deployments through GPO and KACE boxes, Exchange troubleshooting, VMware performance troubleshooting, and several other things.
Got the opportunity to finally implement Fine-Grained Password Policies. For those of you that don't know what that is: by default in an AD domain you set one password policy at the domain level and everyone inherits that. So what if you want to set different policies on different OUs? No big deal, create a couple of GPOs with the policies that you want and apply them to the correct OUs - WRONG!!! That doesn't work. You can't set password policies on an OU. You have to set up what they call Fine-Grained Password Policies.
I found a pretty good TechNet article that pointed me in the right direction. The problem with a lot of Microsoft's direction is that they point you in the right direction and you are in Los Angeles and want to go to NYC and they say go East. Now it is on you to figure out how to get there. This article was exactly that way. It left out lots of switches and several other things to make sure it was working correctly.
https://technet.microsoft.com/en-us/library/cc754461(v=ws.10).aspx
As I have started to delve more and more back into the Microsoft world I have really come to empower PowerShell quite a bit more than ever. It started with Exchange where I did a complete migration from Exchange 2010 to Exchange 2013 via PowerShell from Setup to migration to tear down. Maybe I was bored, maybe I was trying to be cool (As much as computer dorks can be cool).
So I accomplished a lot of this task using PowerShell. The concept is pretty easy. You have to create what is called a PSO (Password Settings Object). You create this by using the New-ADFineGrainedPasswordPolicy cmdlet. You then have to specify things like MaxPasswordAge, MinPasswordAge, and a few other parameters. Not all that hard.
Once you create the PSO you can view it using ADSI Edit under the Password Settings Container. You can also modify settings from here if needed. Once you have gotten this far, it still doesn't work. Now, you have to assign who is going to have this policy applied to them.
You would think that you can apply this to an OU, but you would be wrong. You have to create a Domain Security Group and then grant that group permissions to the PSO. Now you would think you just go to Properties and the Security tab, add it in, and you are done. You are wrong. You have to go to ADSI Edit, go to that Password Settings Container and locate the PSO you just created. Click Properties and then click the Attribute Editor tab. Look for the msDS-PsoAppliesTo attribute. You then enter the full DN (Distinguished Name) of the Global Security Group.
After that add users to the Group and you are good.
So how do you test? Well, I picked a user (the wrong user) and added him to the group, we then did a bunch of restarts and nothing. So I found out after some prodding that he changed his password last week but didn't think that would count. So I checked his expiration date. It showed a really long number. Now I had no clue what that number meant. It showed a regular date in the viewing box but when you tried to modify it (which you couldn't) it showed this long number.
So what does that long number mean? Out of curiosity I looked it up. This attribute is Integer8, a large 64-bit number that represents a date as the number of 100-nanosecond intervals since 12:00 AM January 1, 1601. 1601??? Wow, not quite sure why that number but OK.
Anyway I found a user whose password expired about 2 months ago (he had "password never expires" set on him, which I had to deselect to see this value). I added him to the group and did a restart and he had to change his password. It worked like it should. So for those of you that want to accomplish this, it isn't really difficult, just play around in a test network like your customer's production machines and play around.
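The whole procedure above as one PowerShell script, including the Integer8 date conversion. This is an added example, not code from the original post: the PSO, group and user names, the OU path and the policy values are assumptions, and Add-ADFineGrainedPasswordPolicySubject is used in place of the ADSI Edit step because it writes the same msDS-PsoAppliesTo attribute.

```powershell
# Added example: all names, the OU path and the policy values are placeholders.
Import-Module ActiveDirectory

$psoName   = 'Strict-Admins-PSO'     # hypothetical PSO name
$groupName = 'PSO-Strict-Admins'     # hypothetical global security group
$testUser  = 'jdoe'                  # hypothetical test account

# 1. Create the PSO. -Precedence is mandatory; the lowest value wins when
#    more than one PSO applies to the same user.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -MaxPasswordAge '60.00:00:00' -MinPasswordAge '1.00:00:00' `
    -MinPasswordLength 14 -PasswordHistoryCount 24 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 -LockoutObservationWindow '0.00:30:00' `
    -LockoutDuration '0.00:30:00' -ProtectedFromAccidentalDeletion $true

# 2. A PSO cannot target an OU: create a global security group, link the PSO
#    to it (this populates msDS-PsoAppliesTo), then add the users.
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=example,DC=com'
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName
Add-ADGroupMember -Identity $groupName -Members $testUser

# 3. Verify the link and the policy that actually wins for the user.
#    No output from the second command means only the domain policy applies.
Get-ADFineGrainedPasswordPolicy -Identity $psoName |
    Select-Object Name, Precedence, MaxPasswordAge, AppliesTo
Get-ADUserResultantPasswordPolicy -Identity $testUser

# 4. Decode Integer8 values (100-ns intervals since 1601-01-01 UTC).
#    0 and Int64.MaxValue are sentinels ("not set" / "never"), not dates,
#    and Int64.MaxValue would make FromFileTimeUtc throw.
function ConvertFrom-Integer8 {
    param([Int64]$Value)
    if ($Value -le 0 -or $Value -eq [Int64]::MaxValue) { return $null }
    [DateTime]::FromFileTimeUtc($Value)
}

$u = Get-ADUser $testUser -Properties pwdLastSet, 'msDS-UserPasswordExpiryTimeComputed'
[pscustomobject]@{
    User            = $u.SamAccountName
    PasswordLastSet = ConvertFrom-Integer8 $u.pwdLastSet
    PasswordExpires = ConvertFrom-Integer8 $u.'msDS-UserPasswordExpiryTimeComputed'
}
```

Comparing PasswordLastSet with the PSO's MaxPasswordAge before picking a test user shows up front whether that account will be prompted to change its password.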
Monday, March 24, 2014
Exchange 2013 Ultimate Bootcamp
We are excited to announce the arrival of a new class from VMTraining. Although this now means more work for me. The class has taken many months in the design and implementation to get the class ready. We did our first delivery last week and it was a success. We only did a limited run to 10 students while the course was in beta.
The premise for the course is the following. How to properly run Exchange 2013 while running in a VMware environment.
For those that don't know me I don't teach much any more, I primarily do consulting. I have been an Exchange consultant and Trainer for almost 18 years now. I have done Exchange migrations and/or implementations for some of the largest companies in the world to include SanDisk, PepsiCo Bottling Ventures, Yahoo, Smith & Nephew, American Kennel Club, BB&T Bank, Capital Broadcasting Company, and many more.
The idea for this class came when I was talking with one of my Exchange trainer friends. We were talking about how most of the implementations are being rolled out on VMware and we were talking about some of the configurations that must be done to make it work correctly. Needless to say he was unaware of any of these changes. So here is a guy who has trained hundreds if not thousands of Exchange students and 85% of them are running on VMware however they have no clue how to truly configure it.
It made me wonder. Why are people taking classes using Microsoft Official Curriculum (MOC) and it is built on top of Hyper V when their environments are running on VMware? The answer. There are no other options out there. When you are taking a MOC class it is the same whether you take it from Global Knowledge, or New Horizons or any other school. Your sole basis of buying the class is based upon price. Schools will argue how much experience and how great their trainers are, but ask them what they have done. As someone told me before trainers train, they don't consult.
So here were numerous issues that we have addressed with our class.
- We built our Exchange 2013 class on VMware vSphere 5.5. We talk about how to configure storage, SANs, virtual and physical networking, backups, deployments, antivirus, and much more in a VMware environment.
- Our class is being taught with real world consultants. So we are actually doing this not just talking about it. I finished the first class on Friday and Monday I have a meeting with a customer to actually upgrade their Exchange 2010 servers to Exchange 2013.
- Labs. I believe that a student learns by doing, so we currently have 38 labs in our class, compared to 11 in the MS 20341 Core Solutions of Exchange class. By the next class we will have at least 45 and my goal is over 50 high quality labs on live real equipment not on some desktop.
- Lab Access. Our labs are available to you 24 x 7 during class. However, we have tons of labs and you might want to go through them more than once to reinforce learning new concepts. We make our lab environment available to you after class so that you can continue to work on labs. Also when new labs become available we let you have access to these. Your learning doesn't stop on the last day of class.
- Third party tools integration. We also talk about integration with products like Symantec Enterprise Vault (ask some of those trainers if they even know what that is without googling it). We talk about complex backups using various scenarios and backup software like Commvault, Netbackup, Veeam, and many others. How do you want to handle things if you are running a SAN like Netapp? How are you going to manage SNAP drive, SNAP Mirror, Flexclones, and much more? Is that darn BES thing still around? How do you implement that with Exchange? How about if I want to implement Mimecast?
Someone asked me a question. "I am not running Exchange on VMware, so I guess this class isn't for me." Absolutely not!!! Yes, we built this class with an emphasis of running it on VMware but we also talk about Hyper V and Physical. So if you want the best Exchange class in the world we believe we have that. If you want the ONLY class running and teaching on VMware we are that.
Another question I got was "I found an Exchange class from New Horizons for $2200 and that is cheaper than yours." My response. "Shop around I guarantee you that you could get it for under $2000." We aren't competing against them on price, because we don't have an equivalent product. The same way a Ferrari doesn't compete with a Ford Pinto.
So you have to ask yourself if you are in the market for a class, do you want to settle for a mediocre class from a MS training center or pay a tad bit extra to get all of these benefits? I hope to see you in a future class.