How To Install Postfix on CentOS

About Postfix

Postfix is a free, open source Mail Transfer Agent (MTA) that routes and delivers email. Cyrus IMAP is the mail store that holds the delivered mailboxes and serves them to mail clients over IMAP, and Cyrus SASL is the authentication library that Postfix uses for SMTP AUTH.

Step One —Install Postfix and Cyrus

The first thing to do is install Postfix, Cyrus SASL and Cyrus IMAP on your virtual private server; the easiest way is with yum:

yum install postfix
yum install cyrus-sasl
yum install cyrus-imapd

Answer yes to each prompt. Once all components have downloaded, Postfix and Cyrus are installed. The SASL mechanisms enabled later (PLAIN, LOGIN, CRAM-MD5 and DIGEST-MD5) ship in separate packages on CentOS, cyrus-sasl-plain and cyrus-sasl-md5; install them too if yum did not pull them in, or Postfix will have no SASL mechanisms to offer.

Step Two—Configure Postfix

Open Postfix's main configuration file:

vi /etc/postfix/main.cf

The Postfix configuration file is well commented and detailed, providing almost all of the information needed to get the program up and running on your VPS.

Once in the config file, uncomment (remove the # sign) myhostname and mydomain and set them to your own values:

myhostname              = mail.nyasharashad.com

mydomain                = nyasharashad.com

You can copy and paste the configuration below into your Postfix config file, but make sure you replace myhostname with your server name and mydomain with your domain.

Two points about this configuration deserve attention before you paste it. The relay policy is the security-critical part: smtpd_recipient_restrictions permits SASL-authenticated clients and mynetworks, then reject_unauth_destination refuses to relay for anyone else. Keep reject_unauth_destination ahead of the final permit, and keep mynetworks_style = host so that only the server itself counts as a trusted network; otherwise the box is an open relay and will quickly end up on blocklists. Second, the configuration enables SMTP AUTH (smtpd_sasl_auth_enable = yes) but does not configure TLS, so with the PLAIN and LOGIN mechanisms enabled in the next steps, clients send their passwords in clear text over port 25. Before exposing the server, install a certificate and set smtpd_tls_cert_file and smtpd_tls_key_file, enable TLS with smtpd_tls_security_level = may, and set smtpd_tls_auth_only = yes so that AUTH is only offered inside an encrypted session. Finally, check that every DNSBL you list is still operating: dnsbl.njabl.org, for example, shut down in 2013 and should not be queried; a dead list costs a DNS lookup per connection, and if its domain were ever re-registered to return wildcard answers, every inbound connection would be rejected.

soft_bounce             = no
queue_directory         = /var/spool/postfix
command_directory       = /usr/sbin
daemon_directory        = /usr/libexec/postfix
mail_owner              = postfix

# The default_privs parameter specifies the default rights used by
# the local delivery agent for delivery to external file or command.
# These rights are used in the absence of a recipient user context.
# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
#
#default_privs = nobody

myhostname              = mail.nyasharashad.com 
mydomain                = nyasharashad.com

mydestination           = $myhostname, localhost
unknown_local_recipient_reject_code = 550

mynetworks_style        = host
mailbox_transport       = lmtp:unix:/var/lib/imap/socket/lmtp
local_destination_recipient_limit       = 300
local_destination_concurrency_limit     = 5
recipient_delimiter=+

virtual_alias_maps      = hash:/etc/postfix/virtual

header_checks           = regexp:/etc/postfix/header_checks
mime_header_checks      = pcre:/etc/postfix/body_checks
smtpd_banner            = $myhostname

debug_peer_level        = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5

sendmail_path           = /usr/sbin/sendmail.postfix
newaliases_path         = /usr/bin/newaliases.postfix
mailq_path              = /usr/bin/mailq.postfix
setgid_group            = postdrop
html_directory          = no
manpage_directory       = /usr/share/man
sample_directory        = /usr/share/doc/postfix-2.3.3/samples
readme_directory        = /usr/share/doc/postfix-2.3.3/README_FILES

smtpd_sasl_auth_enable          = yes
smtpd_sasl_application_name     = smtpd
smtpd_recipient_restrictions    = permit_sasl_authenticated,
                                  permit_mynetworks,
                                  reject_unauth_destination,
                                  reject_invalid_hostname,
                                  reject_non_fqdn_hostname,
                                  reject_non_fqdn_sender,
                                  reject_non_fqdn_recipient,
                                  reject_unknown_sender_domain,
                                  reject_unknown_recipient_domain,
                                  reject_unauth_pipelining,
                                  reject_rbl_client zen.spamhaus.org,
                                  reject_rbl_client bl.spamcop.net,
                                  reject_rbl_client dnsbl.sorbs.net,
                                  permit

smtpd_sasl_security_options     = noanonymous
smtpd_sasl_local_domain         = 
broken_sasl_auth_clients        = yes

smtpd_helo_required             = yes
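The relay policy in smtpd_recipient_restrictions and the SMTP AUTH settings in this configuration can be checked mechanically. The following Python script is an added example written for this page, not part of the original tutorial or of Postfix: it parses main.cf syntax (including continuation lines) and flags the conditions that turn a configuration like this into an open relay or expose SMTP AUTH passwords. The two embedded configurations are constructed samples, the first taken from the relay-related lines of the configuration above and the second a deliberately broken variant.

```python
"""Added example: lint the relay and SMTP AUTH settings of a Postfix main.cf.
Not part of the original tutorial; written for this page."""
import re

# Constructed sample: the relay-related lines from the tutorial's main.cf above.
TUTORIAL_MAIN_CF = """\
mynetworks_style        = host
smtpd_sasl_auth_enable          = yes
smtpd_sasl_security_options     = noanonymous
smtpd_recipient_restrictions    = permit_sasl_authenticated,
                                  permit_mynetworks,
                                  reject_unauth_destination,
                                  reject_invalid_hostname,
                                  permit
smtpd_helo_required             = yes
"""

# Constructed sample: the same file after two careless edits. Trusting the
# whole internet as "mynetworks" and dropping reject_unauth_destination makes
# this an open relay; SMTP AUTH is still offered without TLS.
OPEN_RELAY_MAIN_CF = """\
mynetworks              = 0.0.0.0/0
smtpd_sasl_auth_enable  = yes
smtpd_recipient_restrictions = permit_mynetworks,
                               permit
"""

RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}


def parse_main_cf(text):
    """Return {parameter: value}. Postfix joins a line that starts with
    whitespace onto the previous logical line; '#' at line start is a comment."""
    params, current = {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + stripped
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue
        current = key.strip()
        params[current] = value.strip()
    return params


def restriction_list(params, name):
    """Split a restriction list such as 'a, b,\\n c' into its tokens."""
    return [t for t in re.split(r"[\s,]+", params.get(name, "")) if t]


def lint_relay(params):
    """Return a list of (code, message) findings; an empty list is good."""
    findings = []
    # Postfix >= 2.10 evaluates smtpd_relay_restrictions before
    # smtpd_recipient_restrictions, so check them as one chain in that order.
    chain = (restriction_list(params, "smtpd_relay_restrictions")
             + restriction_list(params, "smtpd_recipient_restrictions"))
    guard_at = [i for i, t in enumerate(chain) if t in RELAY_GUARDS]
    if not guard_at:
        findings.append(("OPEN_RELAY_NO_GUARD",
                         "no reject_unauth_destination: mail for any domain is relayed"))
    elif "permit" in chain[:guard_at[0]]:
        # Restrictions are evaluated in order and stop at the first match,
        # so an unconditional permit ahead of the guard relays for everyone.
        findings.append(("OPEN_RELAY_PERMIT_BEFORE_GUARD",
                         "'permit' precedes reject_unauth_destination"))
    nets = params.get("mynetworks", "").replace(",", " ").split()
    if any(n.endswith("/0") for n in nets):
        findings.append(("MYNETWORKS_WORLD",
                         "mynetworks contains a /0 network; permit_mynetworks trusts everyone"))
    if params.get("smtpd_sasl_auth_enable", "no").lower() == "yes":
        if params.get("smtpd_tls_auth_only", "no").lower() != "yes":
            findings.append(("SASL_WITHOUT_TLS",
                             "SMTP AUTH offered on plaintext sessions; set smtpd_tls_auth_only = yes"))
        opts = params.get("smtpd_sasl_security_options", "noanonymous")
        if "noanonymous" not in opts.replace(",", " ").split():
            findings.append(("SASL_ANONYMOUS",
                             "smtpd_sasl_security_options allows the ANONYMOUS mechanism"))
    return findings


def finding_codes(text):
    """Convenience wrapper: lint a main.cf string and return only the codes."""
    return [code for code, _ in lint_relay(parse_main_cf(text))]


if __name__ == "__main__":
    for label, cf in (("tutorial", TUTORIAL_MAIN_CF), ("open relay", OPEN_RELAY_MAIN_CF)):
        print(label, finding_codes(cf))
```

On a live server, feed the script the output of postconf (which prints every parameter with defaults applied) rather than the raw main.cf, so that a relay guard that comes from a built-in default is not reported as missing.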

 

Step Three— Finalize Postfix

After pasting in the proper configs, we are almost finished setting up Postfix on our virtual server.

To avoid startup errors, two more steps are needed.

In the config we included virtual aliases with the line virtual_alias_maps = hash:/etc/postfix/virtual; now we have to set up that database.

Open that file:

sudo vi /etc/postfix/virtual

Delete all the text within the file and add the following single line, substituting an actual username for user and your domain for example.com:

user@example.com   user\@example.com

Save and exit, then build the lookup table:

postmap /etc/postfix/virtual

This compiles the virtual text file into the hash database (/etc/postfix/virtual.db) that Postfix actually reads. Run postmap again after every edit to the text file, since Postfix never consults the text version.

Finally, create the file referenced by mime_header_checks; Postfix's cleanup daemon aborts with a fatal error on the first message if a configured lookup file does not exist:

touch /etc/postfix/body_checks

Once all that is completed we can finish up by configuring Cyrus.

Step Four—Configure Cyrus

The first step is to add the smtpd.conf file, which defines the authentication for Postfix/SASL, to the SASL directory:

sudo vi /etc/sasl2/smtpd.conf

Go ahead and copy and paste the following text in:

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

Save and exit.

With the sasldb plugin the user accounts live in /etc/sasldb2 and are created with the saslpasswd2 utility, using its -u option to set the realm to your domain. Two things to check: Postfix's smtpd process runs as the unprivileged postfix user, so it must be able to read that file (adjust its group and mode if authentication fails with a permission error in the mail log); and because CRAM-MD5 and DIGEST-MD5 need the original password to verify a challenge response, sasldb stores passwords in plaintext-equivalent form, so protect the file as you would any password store.

Next, we need to configure the Cyrus file:

sudo vi /etc/imapd.conf  

Delete what is in the file currently, and paste the configurations below into the file, changing the default domain and server name to match your personal domain name.

virtdomains:		userid
defaultdomain:		example.com
servername:		example.com
configdirectory:	/var/lib/imap
partition-default:	/var/spool/imap
admins:			cyrus
sievedir:		/var/lib/imap/sieve
sendmail:		/usr/sbin/sendmail.postfix
hashimapspool:		true
allowanonymouslogin:	no
allowplaintext:		yes
sasl_pwcheck_method:	auxprop
sasl_mech_list:		CRAM-MD5 DIGEST-MD5 PLAIN
tls_cert_file:		/etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file:		/etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file:		/etc/pki/tls/certs/ca-bundle.crt

autocreatequota:		-1
createonpost:			yes
autocreateinboxfolders:		spam
autosubscribeinboxfolders:	spam 

 

Save and exit.

Note that allowplaintext: yes lets IMAP clients log in with PLAIN or LOGIN before TLS has been negotiated, which sends passwords in the clear. Once the certificate named in tls_cert_file is in place, set allowplaintext: no so that plaintext mechanisms are only offered inside a TLS session. Likewise allowanonymouslogin must stay no.

Step Five—Install a Mail Client

Success! You have installed Postfix and Cyrus on your VPS (virtual private server). Postfix transports mail and Cyrus stores it, but neither gives you a way to compose a message; for that we can quickly install a command-line mail client.

There are a variety of clients we can use; here we will use mailx:

sudo yum install mailx

After you agree to the prompt, mailx will finish installing.

Then, to send an email, type this command into the terminal, substituting the address you want to send your message to:

mail user@example.org

The terminal will ask for a subject line. Type one in, then press enter. On the subsequent lines you can type your message. It is only sent when you type a single period on a line by itself and press enter (mailx echoes EOT).

Your session will look something like this:

[root@demoserver ~]# mail user@example.org
Subject: Hello
This is a test message.

Regards,
.
EOT

Congratulations, now you have Postfix installed and email running. You are all set to use your virtual private server to send email. Check /var/log/maillog for the delivery status of the test message: a line containing status=sent confirms that Postfix handed it off, and the same log is where any relay or authentication rejections appear.

 


SQUID Proxy Server on Linux RHEL/CentOS – by Nyasha Charumbira

 


When setting up your proxy server, you need to know the following items:

/etc/sysconfig/squid   :   Startup options for the service.
/etc/squid/squid.conf  :   Main config file for the service.
/var/spool/squid       :   Cache location on the proxy server.
/var/log/squid         :   Log files for the proxy server.

Let's look at some of the main configuration options:

http_port              :   Specifies the port to listen on (3128 by default).
visible_hostname       :   Identifies the name of the Squid server.
access_log             :   Records every client request; this is the log you review to see who fetched what.
acl                    :   Defines an access control list (a named set of sources, destinations, ports, etc.).
http_access            :   Allows or denies requests by ACL; rules are evaluated top to bottom and the first match wins.

Installing & Configuring the Squid Proxy Server:

Step 1: Install the package with the following command

       # yum install squid -y

Step 2: Verify that the package is installed

       # rpm -qa | grep squid

Step 3: Start the Squid proxy

       # service squid start

Step 4: Enable Squid to start at boot

       # chkconfig squid on

Step 5: Verify that the service will start at boot

       # chkconfig squid --list

Web Proxy Security:

Squid uses host-based security through access control lists. These ACLs are configured in the main config file, /etc/squid/squid.conf. In the config file you define an ACL for your own network, allow it, and deny every other network access to the proxy; an http_access rule that allows all sources turns the box into an open proxy that anyone on the internet can route traffic through. Squid evaluates http_access lines from top to bottom and stops at the first line that matches, so rule order matters: put specific deny rules above the general allow for your network, and keep the http_access deny all that ships at the end of the default configuration as the last rule.

1). Configure Squid to Block Specific Websites:

Add the rules below to the Squid configuration file. In this example we block www.facebook.com and www.youtube.com. A dstdomain ACL is matched against the host name of the request, not against a URL, so do not write http:// in front of the name; a leading dot (.facebook.com) matches the domain and all of its subdomains, while www.facebook.com matches that single host only. These deny lines must appear above the http_access allow line for your network, otherwise the allow matches first and the block never applies.

# vim  /etc/squid/squid.conf

         acl blocksite1 dstdomain www.facebook.com
         acl blocksite2 dstdomain www.youtube.com
         http_access deny blocksite1
         http_access deny blocksite2


2). Block multiple domains with a single file:

If you have a number of websites, create a file /etc/squid/blocksites.txt and put one host name per line in it (bare names, without http:// or a path):

# vim /etc/squid/blocksites.txt

         www.herald.com
         www.iharare.com
         www.yahoo.com
         www.gmail.com
         ————-
         ————-
         www.amazon.com

:wq (save&quit)

Reference that file from the Squid configuration file to block the listed domains. The quotes around the path must be plain ASCII double quotes:

# vim   /etc/squid/squid.conf

       acl  blocksites  dstdomain "/etc/squid/blocksites.txt"
       http_access deny blocksites

Client side configuration:

Open a web browser > Tools > Internet Options > Connections > LAN settings, and enter the Squid server's IP address and port 3128.

3). Configure Squid to Block Specific Keywords

Add the rules below to the Squid configuration file. In this example we block the keywords "mail" and "tube". A url_regex ACL matches the pattern anywhere in the full URL and is case-sensitive unless you add the -i flag, so a keyword like mail also blocks hotmail.com, mailchimp.com and any page whose path contains "mail"; test such rules against real traffic before deploying them.

# vim  /etc/squid/squid.conf

         acl blockkey1 url_regex  mail
         acl blockkey2 url_regex  tube
         http_access deny blockkey1
         http_access deny blockkey2


4). Configure Squid to Block a List of Keywords

If you have a number of keywords, create a file /etc/squid/blockkeywords.txt and put one keyword per line in it:

# vim /etc/squid/blockkeywords.txt

           Gmail
           Tube
           Facebook
           Social
           Media

:wq (save&quit)

Reference that file from the Squid configuration file to block the listed keywords. The ACL type must be url_regex (not dstdomain, which would treat each keyword as a host name and never match), the -i flag makes the match case-insensitive so that "Gmail" also matches gmail in a lowercase URL, and the path must be quoted with plain ASCII double quotes and contain no stray spaces:

# vim  /etc/squid/squid.conf

acl  blockkeywords  url_regex -i  "/etc/squid/blockkeywords.txt"
http_access deny blockkeywords
                                  

Configure Squid for MAC Address based rules

Squid's arp ACL type matches the client's Ethernet (MAC) address. Two limits apply. The proxy only sees a client's real MAC when the client is on the same layer-2 segment as the proxy; requests that arrive through a router carry the router's MAC, so these rules do nothing useful for remote subnets. And a MAC address is trivially changed by the user, so treat MAC-based rules as a convenience control, not a security boundary. Note also that when several ACL names appear on one http_access line, all of them must match (a logical AND), which is what the combined site-plus-MAC rules below rely on. The MAC addresses in these examples are placeholders; replace them with your own.

5). Block a single site for a single MAC address

In this example we block www.youtube.com for the system with MAC address EC:A8:6B:F6:66:68.

ACL Rule:

       acl blocksite1 dstdomain www.youtube.com
       acl sysmac1 arp EC:A8:6B:F6:66:68
       http_access deny blocksite1 sysmac1

6). Block all sites for a single MAC address

In this example we block every site for the system with MAC address EC:A8:6B:F6:66:68.

ACL Rule:

       acl sysmac1 arp EC:A8:6B:F6:66:68
       http_access deny sysmac1


7). Block a single site for multiple MAC addresses

In this example we block www.bsrtech.net for several systems. Create a file /etc/squid/mac-addrs.txt and put one MAC address per line in it; every entry must be six colon-separated hexadecimal octets (digits 0-9 and letters A-F only), because Squid cannot parse anything else:

# vim  /etc/squid/mac-addrs.txt

        EC:A8:6B:F6:66:68
        A7:B8:6D:F6:46:35
        —————–
        —————–
        C7:B8:6D:F6:46:48
        56:B8:6D:F6:46:21

ACL Rule:

      acl blocksite1 dstdomain www.bsrtech.net
      acl sysmacs arp "/etc/squid/mac-addrs.txt"
      http_access deny blocksite1 sysmacs


8). Block all sites for multiple MAC addresses

In this example we block all websites for the systems listed in /etc/squid/mac-addrs.txt (the file created in example 7).

ACL Rule:

       acl sysmacs arp "/etc/squid/mac-addrs.txt"
       http_access deny sysmacs


9). Allow a specific site for a single MAC address

In this example we allow www.bsrtech.net for the system with MAC address EC:A8:6B:F6:66:68 and deny it every other site. The allow line must come before the deny line, because the first matching rule wins.

ACL Rule:

      acl allowsite1 dstdomain www.bsrtech.net
      acl sysmac1 arp EC:A8:6B:F6:66:68
      http_access allow allowsite1 sysmac1
      http_access deny sysmac1


10). Allow multiple sites for a single MAC address

In this example we allow several sites for the system with MAC address EC:A8:6B:F6:66:68 and deny it every other site. Create a file /etc/squid/allowsites.txt and put one host name per line in it (no http://):

# vim /etc/squid/allowsites.txt

         www.google.com
         www.rediff.com
         www.yahoo.com
         www.gmail.com
         ————-
         ————-
         www.amazon.com

:wq (save&quit)

ACL Rule:

      acl allowsites dstdomain "/etc/squid/allowsites.txt"
      acl sysmac1 arp EC:A8:6B:F6:66:68
      http_access allow allowsites sysmac1
      http_access deny sysmac1


11). Allow a specific site for multiple MAC addresses

In this example we allow www.bsrtech.net for the systems listed in /etc/squid/mac-addrs.txt (the file created in example 7) and deny them every other site.

ACL Rule:

       acl allowsite1 dstdomain www.bsrtech.net
       acl sysmacs arp "/etc/squid/mac-addrs.txt"
       http_access allow allowsite1 sysmacs
       http_access deny sysmacs


12). Allow multiple sites for multiple MAC addresses

In this example we allow the sites listed in /etc/squid/allowsites.txt (the file created in example 10) for the systems listed in /etc/squid/mac-addrs.txt (the file created in example 7) and deny them every other site.

ACL Rule:

      acl allowsites dstdomain "/etc/squid/allowsites.txt"
      acl sysmacs arp "/etc/squid/mac-addrs.txt"
      http_access allow allowsites sysmacs
      http_access deny sysmacs
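The list files used in these examples are where such rules most often break silently: a URL where Squid wants a host name, a keyword list that is case-sensitive, or a MAC entry that is not hexadecimal. The following Python script is an added example written for this page (not part of the original post or of Squid) that normalizes and checks such list files before they are installed, and reproduces Squid's dstdomain matching rules so you can see what a given entry will and will not block. The three embedded file contents and the sample URLs are constructed test data.

```python
"""Added example: check Squid ACL list files before deploying them.
Not part of the original post; written for this page."""
import re
from urllib.parse import urlsplit

# Constructed sample files, in the shape of the lists shown on this page.
BLOCKSITES_TXT = """\
http://www.herald.com
http://www.iharare.com/news
.yahoo.com
www.gmail.com
www.gmail.com
"""
MAC_ADDRS_TXT = """\
EC:A8:6B:F6:66:68
AT:B8:6D:F6:46:35
ec-a8-6b-f6-66-69
# comment lines are ignored
"""
BLOCKKEYWORDS_TXT = "Gmail\nTube\nmail\n"

# Constructed URLs to show what the keyword list really blocks.
SAMPLE_URLS = [
    "http://www.youtube.com/watch?v=abc",
    "https://mail.google.com/mail/u/0/",
    "http://www.hotmail.com/",
    "http://www.gmail.com/",
    "http://www.example.com/",
]

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.IGNORECASE)


def _lines(text):
    """Non-empty, non-comment lines with surrounding whitespace removed."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def normalize_dstdomain_list(text):
    """Turn a list of URLs/host names into entries a dstdomain ACL can match.
    Squid compares dstdomain entries with the request's host name only, so a
    line like http://www.herald.com never matches anything. Returns
    (entries, warnings), de-duplicated and lower-cased."""
    entries, warnings = [], []
    for line in _lines(text):
        if "://" in line or "/" in line:
            host = urlsplit(line if "://" in line else "//" + line).hostname or ""
            warnings.append(f"{line!r} is a URL, not a host name; using {host!r}")
        else:
            host = line.lower()
        if host and host not in entries:
            entries.append(host)
    return entries, warnings


def dstdomain_matches(entry, host):
    """Squid dstdomain semantics: '.example.com' matches example.com and every
    subdomain; 'www.example.com' matches that one host only."""
    entry, host = entry.lower(), host.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def validate_mac_list(text):
    """Split an arp ACL file into (valid, invalid). Squid wants six
    colon-separated hexadecimal octets and rejects the ACL on anything else."""
    valid, invalid = [], []
    for line in _lines(text):
        (valid if MAC_RE.match(line) else invalid).append(line)
    return valid, invalid


def keyword_hits(keywords, urls, case_insensitive=False):
    """Map each url_regex keyword to the URLs it would block. Squid applies the
    pattern anywhere in the URL, case-sensitively unless the ACL uses -i."""
    flags = re.IGNORECASE if case_insensitive else 0
    return {kw: [u for u in urls if re.search(kw, u, flags)] for kw in keywords}


if __name__ == "__main__":
    entries, warnings = normalize_dstdomain_list(BLOCKSITES_TXT)
    print("dstdomain entries:", entries)
    for w in warnings:
        print("warning:", w)
    print("arp valid/invalid:", validate_mac_list(MAC_ADDRS_TXT))
    print("keyword hits:", keyword_hits(_lines(BLOCKKEYWORDS_TXT), SAMPLE_URLS))
    print("keyword hits with -i:", keyword_hits(_lines(BLOCKKEYWORDS_TXT), SAMPLE_URLS, True))
```

Run it over your real list files before copying them into /etc/squid, and after any change run squid -k parse to let Squid itself confirm the configuration loads.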


Proxy Server Configuration on Ubuntu


A proxy server is a computer that acts as an intermediary between a desktop computer and the internet and allows a client machine to make an indirect connection to network servers and services. There are many reasons why you might want to include a proxy server on your network:

  • To share an internet connection on a LAN
  • To speed up internet surfing
  • To hide the IP address of the client computer for anonymous surfing
  • To implement internet access control
  • To scan outbound content
  • To circumvent regional restrictions

Clearly some of the above reasons are perfectly fitting for a business and some, well, may not fall in line with your best practices. Regardless, knowing how to install and configure a proxy server is a must-have skill for a network administrator. So, let's take care of that. I will demonstrate installing the Squid proxy server on Ubuntu 16.04 server.

Installation

This installation and configuration will be handled completely from the command line, so open up a terminal window and prepare to type.

The first thing we want to do (as with any software installation on Ubuntu) is to update apt. From your terminal window, issue the command sudo apt-get update. Once that completes, you could also run an upgrade with the command sudo apt-get upgrade. Of course, should this upgrade the kernel, you will want to reboot, so schedule this accordingly.

Once the update/upgrade is complete, install Squid with the command:

sudo apt-get install squid3

On Ubuntu 16.04, squid3 is a transitional package name that installs the squid package (Squid 3.5), which is why the configuration file lives at /etc/squid/squid.conf rather than under /etc/squid3/. The installation will pick up the necessary dependencies (libecap3, libltdl7, squid-purge, and squid-langpack) and complete without issue.

That is all there is to the installation. Now we move on to the configuration of a basic proxy server.

Configuration

The configuration of the Squid proxy server is handled in /etc/squid/squid.conf. I will show you how to configure a very basic proxy server. The first thing we need to do is uncomment the line (by removing the # character):

#http_access allow localnet

To find that line, issue the command:

sudo grep -n http_access /etc/squid/squid.conf

As you can see (Figure A), the configuration option is found on line 1186 (of my installation). Open up the squid.conf file for editing with the command sudo nano /etc/squid/squid.conf, scroll down to that line and remove the # character. Leave the http_access deny all line that follows the localnet rules in place: it is what stops everyone outside your network from using the proxy.

Next you want to look for the line:

#acl localnet src

There will be a number of them, one per RFC 1918 private range (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). Uncomment the one that matches your network and narrow it to the subnet you actually use, because every source address matched here is allowed to use the proxy. Say you run your internal network on 192.168.1.0/255.255.255.0; your localnet configuration option would look like:

acl localnet src 192.168.1.0/255.255.255.0

Squid accepts the equivalent CIDR form, 192.168.1.0/24, as well. Restart Squid with the command:

sudo service squid restart

That’s it. You now have a basic proxy server up and running on port 3128 and the IP address of the system you just installed Squid on. So you would then go to your client machines and configure them (either on a per-application or OS basis) to use that newly configured proxy via IP and port.
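What the uncommented lines actually do is easiest to see by evaluating requests against them. The following Python script is an added example written for this page, not part of the original post or of Squid: it parses a small squid.conf fragment (acl src and dstdomain lines plus http_access rules), applies Squid's first-match rule and its default of the opposite of the last rule when nothing matches, and reports allow or deny for a given client address and destination host. The embedded configuration is a constructed sample built from the localnet lines discussed above plus one block rule.

```python
"""Added example: evaluate Squid http_access rules for a request.
Not part of the original post; written for this page."""
import ipaddress

# Constructed sample: the localnet rules from this section plus one block rule,
# in the order they would appear in squid.conf.
SQUID_CONF = """\
acl localnet src 192.168.1.0/255.255.255.0
acl blocked dstdomain .youtube.com
http_access deny blocked
http_access allow localnet
http_access deny all
"""


def parse_squid_conf(text):
    """Collect 'acl NAME TYPE VALUE...' definitions and 'http_access ACTION
    TERM...' rules, ignoring everything else (comments, other directives)."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl" and len(parts) >= 4:
            name, kind, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif parts[0] == "http_access" and len(parts) >= 2:
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acls, name, client_ip, host):
    """Does ACL `name` match this request? Only the src and dstdomain types
    (and the built-in 'all') are modelled here."""
    if name == "all" and name not in acls:
        return True
    kind, values = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        # ipaddress accepts both 192.168.1.0/24 and 192.168.1.0/255.255.255.0
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":
        h = host.lower()
        return any((h == v[1:] or h.endswith(v)) if v.startswith(".") else h == v
                   for v in (x.lower() for x in values))
    raise ValueError(f"acl type {kind!r} is not modelled in this example")


def decide(conf_text, client_ip, host):
    """Return 'allow' or 'deny' the way Squid would: rules are tried top to
    bottom, every term on a line must match (a '!' prefix negates a term), the
    first matching line wins, and if none matches the result is the opposite
    of the last line's action."""
    acls, rules = parse_squid_conf(conf_text)
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), client_ip, host) != t.startswith("!")
               for t in terms):
            return action
    if not rules:
        return "deny"  # no rules at all: treated as deny in this example
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    for ip, host in (("192.168.1.20", "www.example.com"),
                     ("192.168.1.20", "www.youtube.com"),
                     ("203.0.113.9", "www.example.com")):
        print(ip, host, "->", decide(SQUID_CONF, ip, host))
```

Two things the evaluator makes visible: widening the localnet source to 0.0.0.0/0 turns the configuration into an open proxy, and a configuration whose last rule is a deny for one site falls through to allow for everything else, which is why the default file ends with http_access deny all.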

Make it work for you

Of course, Squid can do quite a bit more than serve as a basic proxy server. If you need to get deep into the various configuration options for Squid, take a look at the official documentation, where you can find out how to configure options for third-party applications, configure the neighbour selection algorithm, set various network parameters, and much more. In the meantime, you can always look at /var/log/squid/access.log and /var/log/squid/cache.log to see what Squid is doing on your network. One more thing before you walk away: port 3128 is now listening on every address of the server, so if the machine has an internet-facing interface, firewall that port so only your LAN can reach it; an open proxy is found and abused quickly.

If you are using CentOS, I will cover it in my next post.

Active Directory

AD is a centralized database that contains information about objects such as users, groups, computers and printers.
AD is a centralized, hierarchical directory database.
AD is a searchable database.
Windows Server 2003 installs as a stand-alone server; it is then promoted (with dcpromo) to install A.D.

Domain Controller (D.C.)
A server where A.D. is installed is called D.C.

Functionality of A.D.:
Using A.D. we can organize, manage and control resources.
It provides a single point of administration.

Purpose of A.D.:

1. Provides user logon authentication services.
2. Organizes and manages user accounts, computers, groups and network resources.
3. Enables authorized users to easily locate network resources.

Features of A.D.:
1. Fully integrated security system based on Kerberos authentication.
2. Easy administration using Group Policy.
3. Scalable to any size of network.
4. Flexible (install/uninstall).
5. Extensible (the schema can be modified).

New features in 2003:
6. Renaming of computer and domain names.
7. Cross-forest trust relationships.
8. Faster site-to-site replication.

Evolution of LDAP:
Earlier there was no directory standard, so ITU and ISO introduced X.500.
DAP (Directory Access Protocol) is the original X.500 access protocol; it is based on the OSI model.
LDAP (Lightweight Directory Access Protocol) is the industry standard directory access protocol used to query and modify the objects in A.D.; it is based on TCP/IP.
LDAP runs on port 389 (LDAP over SSL, LDAPS, on port 636). Plain LDAP carries simple binds in the clear, so require LDAP signing or use LDAPS on production domain controllers.

Tools used for:
Active Directory Domains and Trusts: implementing trusts, raising domain/forest functional levels, adding UPN (user logon name) suffixes.
Active Directory Sites and Services: configuring intrasite/intersite replication, configuring the global catalog, creating sites, site links and subnets, scheduling replication.
Active Directory Users and Computers: managing users and groups, managing computers, managing OUs, managing Group Policy (domain level), managing operations masters, raising the domain functional level.

Domain Controller Security Policy:
Sets account, audit and password policies and user rights in the Default Domain Controllers Policy, which is linked to the Domain Controllers OU and so applies to every domain controller in the domain.
Domain Security Policy:
Sets account, audit and password policies and user rights in the Default Domain Policy, which applies to every computer and user in the domain. The domain's password and lockout policy must be set here, because on Windows Server 2003 only the domain-level account policy is enforced for domain accounts.

ADC (Additional Domain Controller) is a second domain controller for the same domain.
Every writable DC, including an ADC, holds a full writable replica of the domain partition: A.D. uses multi-master replication, so there is no read-only "backup" copy on Windows Server 2003 (read-only domain controllers only arrived with Windows Server 2008).
ADCs provide fault tolerance and load balancing. There can be any number of ADCs in a domain. Placing an ADC at a second site protects against the loss of one location, but it must be physically secured just like the first DC, because any DC holds the complete directory, including every account's password hash, and whoever controls a DC controls the domain.
An ADC maintains the same domain name.

Verifying whether the server is the first DC or an ADC:
Start > Run > cmd > net accounts
The "Computer role" line shows PRIMARY on the DC that holds the PDC emulator role (normally the first DC) and BACKUP on the other DCs.

ACTIVE DIRECTORY COMPONENTS

Logical structure: Domains, Trees, Forest, Organizational units
Physical structure: Sites, Domain controllers

A.D. Components:
• The logical structure (domains, trees, forests, OUs) is useful for organizing the network; it is independent of where the machines physically are.
• The physical structure (sites, domain controllers) mirrors the physical network, e.g. sites for India, US and UK, and controls where replication and logon traffic flow.

TREE:
A tree is a group of domains which share a contiguous name space.
If more than one domain exists we can combine the multiple domains into a hierarchical tree structure.
The first domain created is the root domain of the first tree.
Additional domains in the same domain tree are child domains.
A domain immediately above another domain in the same domain tree is its parent.

FOREST:
Multiple domain trees within a single forest do not form a contiguous namespace, i.e. they have non-contiguous DNS domain names.
Although trees in a forest do not share a name space, a forest does have a single root domain, called the forest root domain.
The forest root domain is, by definition, the first domain created in the forest.
The two forest-wide predefined groups, Enterprise Admins and Schema Admins, reside in this domain; membership of either grants control over the whole forest, so both should be kept empty except during scheduled changes.

Physical structure

SITES:
A site is one or more IP subnets connected by high-speed links.
Sites control replication.
There are 2 types of replication:

1. Intrasite replication
2. Intersite replication

Intrasite Replication: replication within the same site. DCs in the same site replicate continuously, notifying their partners of each change as it happens.
Intersite Replication: replication between two different sites.
Intersite replication is used when the sites are separated by slower WAN links.

- It requires a site link.
- A site link is a logical connection between sites, which can be created and scheduled.
- A site link offers replication only at the scheduled intervals, and the traffic is compressed.
Implementing sites:

Forcing replication:
On the DC
Start > Programs > Administrative Tools > ADSS > expand Sites > Default-First-Site-Name > Servers
> expand the DC server > NTDS Settings > right-click the automatically generated connection > Replicate Now > OK.
Repeat the same on both the DC and the ADC.

Creating a site:
Open ADSS > right-click Sites > New Site > site name (e.g. UK, US)
Select the default site link > OK

Moving an ADC into another site:
Select the ADC > right-click it > Move > select the site.

Creating a site link:
Expand Inter-Site Transports > right-click IP > New Site Link
Link name (e.g. Link US-UK)

Scheduling a site link:
Expand Inter-Site Transports > IP > double-click the site link > Change Schedule
Click Replication Not Available > set the times > click Replication Available.

KCC (Knowledge Consistency Checker): a process that runs on every DC and builds the replication topology, i.e. the connection objects that decide which DCs replicate with which. It does not carry the changes itself; the replication engine does that over the connections the KCC created.
Active Directory is saved in a file called NTDS.DIT:
C:\windows\ntds\ntds.dit

NTDS.DIT: New Technology Directory Services, Directory Information Tree.
It is a single file logically divided into four partitions:
1. Schema partition
2. Configuration partition
3. Domain partition
4. Application partition

The schema is the set of rules that defines what A.D. can contain; it has two parts, classes and attributes.
A.D. objects are constructed from these classes and attributes.

Schema: logical partition in the AD database; the "template" for the AD database.
• Forms the database structures in which data is stored.
• Extensible
• Dynamic

Protected by ACLs: each object carries a DACL (discretionary ACL, who may read or change it) and a SACL (system ACL, which accesses are audited).
There is one schema for the whole AD forest.
A class is the definition of a type of object (user, computer, group); an attribute is a single piece of information about an object (e.g. sAMAccountName).

Configuration Partition: logical partition in the AD database.
• The "map" of the AD implementation.
• Contains information used for replication, logon and searches:
• Domains
• Trust relationships
• Sites and site links
• Subnets
• Domain controller locations.

Domain Partition:
• Logical partition in the AD database.
• Collections of users, computers, groups etc.
• The unit of replication.
• Domain controllers in a domain replicate with each other and contain a full copy of the domain partition for their domain.
• DCs do not replicate domain partition information for other domains.

Application Partition:
• A partition newly added in Windows 2003. It can be added or removed.
• It can be replicated only to the specified DCs.
• Useful when we are using AD-integrated services like DNS, TAPI services etc.

FSMO roles (Flexible Single Master Operations):
Forest-wide master operations
1. Schema master
2. Domain naming master

Domain-wide master operations
3. PDC emulator
4. RID master
5. Infrastructure master

Schema Master:
Responsible for overall management of the entire schema in a forest.
The first DC installed acts as the schema master for the entire forest.
There can be only one schema master in the entire forest.

Domain Naming Master:
Responsible for the addition and removal of domains.
It maintains the uniqueness of domain names.
There can be only one domain naming master in the entire forest.

PDC emulator:
Provides backward compatibility for existing NT BDCs and workstations (if the domain is running in mixed mode).
Receives preferential replication of password changes and is consulted when a logon fails elsewhere with a bad password.
It is also responsible for synchronizing time for the domain.
There can be only one PDC emulator per domain.

RID master:
Responsible for allocating the pools of relative IDs that DCs use to build unique SIDs for the objects created in the domain.
There can be only one RID master per domain.

SID (Security Identifier): the value that identifies a user, group or computer in access control lists. A domain SID is made of two parts:
1. The domain identifier (S-1-5-21-..., identical for every object in the domain)
2. The RID (Relative Identifier), the last number, unique within the domain
Well-known RIDs never change even if the object is renamed: 500 is the built-in Administrator, 512 is Domain Admins, 519 is Enterprise Admins.
To see the SID of the current user:
> Start > Run > cmd > whoami /user
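Because the RID, not the name, identifies a well-known account, a practitioner often needs to pull SIDs out of text (event log exports, whoami output, ACL dumps) and recognize the privileged ones even when the account has been renamed. The following Python script is an added example written for this page, not part of the original notes or of any Microsoft tool: it splits a SID into its domain identifier and RID, and scans text for domain SIDs whose RID is one of the privileged well-known values. The SIDs and log lines in it are constructed sample values.

```python
"""Added example: split Windows SIDs and spot privileged well-known RIDs.
Not part of the original notes; written for this page."""
import re

# Well-known RIDs that are the same in every domain (renaming the account
# changes its name, never its RID).
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers",
    518: "Schema Admins", 519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
}
PRIVILEGED_RIDS = {500, 502, 512, 516, 518, 519}

# S-1-5-21-<sub1>-<sub2>-<sub3>-<RID>: the shape of every domain account SID.
DOMAIN_SID_RE = re.compile(r"S-1-5-21(?:-\d+){3}-\d+")
ANY_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid):
    """Return (domain_identifier, rid) for a SID string such as the output of
    'whoami /user'. Raises ValueError for strings that are not SIDs."""
    if not ANY_SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def is_domain_sid(sid):
    return DOMAIN_SID_RE.fullmatch(sid) is not None


def same_domain(sid_a, sid_b):
    """Two domain SIDs belong to the same domain iff their domain identifiers
    (everything before the RID) are equal."""
    return (is_domain_sid(sid_a) and is_domain_sid(sid_b)
            and split_sid(sid_a)[0] == split_sid(sid_b)[0])


def classify(sid):
    """Describe what a SID refers to: a well-known domain account/group, some
    other reserved (RID < 1000) object, an ordinary domain object, or a
    non-domain SID such as S-1-5-18 (Local System)."""
    if not is_domain_sid(sid):
        split_sid(sid)  # still validate the syntax
        return "not a domain SID"
    rid = split_sid(sid)[1]
    if rid in WELL_KNOWN_RIDS:
        return "well-known: " + WELL_KNOWN_RIDS[rid]
    return "reserved domain RID" if rid < 1000 else "ordinary domain RID"


def privileged_sids_in(text):
    """Scan free text and return [(sid, name)] for every domain SID whose RID is
    a privileged well-known value, e.g. to spot a renamed Administrator."""
    found = []
    for m in DOMAIN_SID_RE.finditer(text):
        rid = split_sid(m.group(0))[1]
        if rid in PRIVILEGED_RIDS:
            found.append((m.group(0), WELL_KNOWN_RIDS[rid]))
    return found


# Constructed sample lines in the style of an event log export.
SAMPLE_LOG = """\
Logon: user=helpdesk sid=S-1-5-21-1111111111-2222222222-3333333333-1104
Logon: user=svc_backup sid=S-1-5-21-1111111111-2222222222-3333333333-500
Logon: user=SYSTEM sid=S-1-5-18
Group added: sid=S-1-5-21-1111111111-2222222222-3333333333-519
"""

if __name__ == "__main__":
    for sid, name in privileged_sids_in(SAMPLE_LOG):
        print(sid, "->", name)
```

In the sample log the account called svc_backup is flagged as the built-in Administrator: its RID is 500, and renaming the account does not change that.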

Infrastructure master:
Responsible for updating cross-domain references, i.e. keeping the SID and distinguished name of objects from other domains current in this domain's group memberships. It should not be placed on a global catalog server unless every DC in the domain is a GC, otherwise these references stop being updated.
There can be only one infrastructure master per domain.
The term "flexible" means we can transfer any of the 5 roles from the DC to an ADC.

Transfer of Roles

We can transfer the roles to an ADC for temporary maintenance and transfer them back to the DC afterwards.
We can transfer the roles in two ways:
1. Command mode (ntdsutil)
2. Graphical mode (the Operations Masters dialogs in the AD management consoles)
A transfer needs both DCs online. If the role holder is permanently lost, the role is seized with ntdsutil instead, and the old holder must never be brought back onto the network.

GLOBAL CATALOG
The global catalog is a service that maintains information about objects across the forest and answers requests by providing the location of an object. It listens on port 3268 (3269 for SSL) in addition to the normal LDAP port 389.
It holds a complete copy of every object in its own domain and a partial copy (a defined subset of attributes) of every object in the other domains of the forest, so forest-wide searches can be answered from one server.
The GC and the infrastructure master must not be the same server unless every DC in the domain is a GC.
If the DC and ADC are in the same location, one GC is enough.
If the DC and ADC are in different locations, configure the ADC as a GC as well, to avoid sending logon lookups over the WAN.
The primary functions of the GC are to hold universal group membership information, which is needed at logon, and to make objects easy to locate within the forest.

Configuring a Global Catalog server:
Either on an ADC or on a child DC
> Start > Programs > Administrative Tools > ADSS > expand Sites > Default-First-Site-Name > Servers >
right-click NTDS Settings > Properties > tick the Global Catalog box.

Installing Child DC:
Requirements:
Parent DC
Member server or stand alone server
Static IP
DNS
NTFS volume with 250 MB of free HDD space

Functional Levels:
1. Domain functional levels:
A) Windows 2000 mixed
B) Windows 2000 native
C) Windows Server 2003 interim
D) Windows Server 2003
2. Forest functional levels:
a) Windows 2000
b) Windows Server 2003 interim
c) Windows Server 2003

Windows 2000 mixed:
By default, when we install 2000 or 2003, the domain is created in Windows 2000 mixed mode. This mode supports older domain controllers: NT 4.0 BDCs, Windows 2000 and Windows 2003 DCs can all coexist.

Windows 2000 native:
Supports only Windows 2000 and 2003 domain controllers; NT 4.0 BDCs are no longer allowed.

Windows Server 2003 interim:
Supports NT 4.0 and 2003 domain controllers only. Used when upgrading directly from NT 4.0 to 2003.

Windows Server 2003:
Supports only Windows Server 2003 domain controllers.
NT and 2000 domain controllers cannot be added to the domain. Raising a functional level is a one-way operation; it cannot be lowered again.

Types of Trusts:
Trust relationships in Windows Server 2003:
Default: two-way transitive Kerberos trusts between parent and child domains and between tree roots (intra-forest), created automatically.
Shortcut: one- or two-way transitive Kerberos trusts (intra-forest), created manually to reduce authentication requests that would otherwise walk up and down the tree.
Forest: one- or two-way transitive Kerberos trusts between Windows Server 2003 forests (Windows 2000 does not support forest trusts).
> Only between forest root domains.
> Creates transitive domain relationships across the two forests.

External: one-way, non-transitive NTLM trusts.
Used to connect to/from Windows NT domains or domains in another Windows 2000 forest; created manually.
Realm: one- or two-way Kerberos trusts, transitive or non-transitive.
Used to connect to/from a UNIX MIT Kerberos realm.

Establishing Trusts:
The domain that holds the user accounts is called the trusted domain.
The domain that holds the resources is called the trusting domain.
The trust between a parent and a child domain is a two-way transitive trust.
Two-way trust: A trusts B and B trusts A.
Transitive trust: if A trusts B and B trusts C, then A also trusts C; this is how a parent domain ends up trusting a grandchild domain without an explicit trust between them.
One-way trust: A trusts B, but B does not trust A.
Non-transitive trust: the trust applies only to the two domains that created it and does not extend to the domains they trust.

One-way incoming trust:
A is receiving access to resources from B, i.e. B is offering its resources to A.
One-way outgoing trust:
A is offering resources to B, i.e. B is receiving access to resources from A.

Benefits of the Domain Functional Level:
Windows Server 2003 level:
The moment we raise the functional level from mixed mode to Windows Server 2003 mode we get the following benefits:
Universal groups
Group nesting
Domain renaming tools

User Management:
User Account: a user account is what lets a person participate in the network.
There are two types of accounts:
Domain User Accounts
Local User Accounts
1. Domain User Accounts: these are created in A.D. and provide centralized management of users and easy administration.

2. Local User Accounts: these are created on the local machine where the client works, e.g. Windows 2000 Professional, Windows XP Professional or a Windows 2003 member server.
These accounts do not provide centralized management.
They are suitable only for smaller organizations where there is no server.

how to configure DHCP server in Linux

In my last article I pointed out what a DHCP server is and what it does. Anyone with a basic knowledge of computer networking knows that in order for two hosts to communicate on the same network using the TCP/IP model, both hosts need a unique IP address.

I use CentOS and Red Hat to do the installations. Therefore this tutorial is linked to those Linux distributions. You should have a basic understanding of the vi editor commands to be able to navigate through the config files.

DHCP Server Installation

Login as the root user:

# su

# yum install dhcp

Basic DHCP Configuration

By default the DHCP server configuration does not include any subnets on which the DHCP server should lease IP addresses. Therefore, depending on your Linux system, you may get the following error message when you attempt to start DHCP with the default dhcpd.conf configuration file.

Starting ISC DHCP server: dhcpdcheck syslog for diagnostics. ... failed!

Check the log file, which will show you exactly where the error lies:

No subnet declaration for eth0 (some IP address).

Very often your server is connected to more than one network subnet. In order to start the DHCP server, at least one subnet must be defined in the DHCP configuration file /etc/dhcp/dhcpd.conf.

N.B. if your server has interfaces on more than one subnet, dhcpd requires every one of those subnets to be declared, even if there is no immediate intention to serve DHCP on some of them.

Below is the simplest example of DHCP configuration file:

subnet 10.1.1.0 netmask 255.255.255.0 {
  range 10.1.1.3 10.1.1.254;
}

subnet 192.168.0.0 netmask 255.255.0.0 {
}

 

This configuration file instructs the DHCP server to listen for DHCP client requests on the subnet 10.1.1.0 with netmask 255.255.255.0. Furthermore, it will assign IP addresses in the range 10.1.1.3 – 10.1.1.254. It also defines an empty declaration for the subnet with network ID 192.168.0.0.

Alter the above code with your own subnet and insert it into /etc/dhcp/dhcpd.conf. When ready, restart your DHCP server (the init script installed by the CentOS/Red Hat dhcp package is dhcpd):

# /etc/init.d/dhcpd restart

DHCP default and max lease time

At this point we can add another setting to our DHCP configuration: the default and maximum lease expiry times.

  • default-lease-time is the value in seconds to which a leased IP address's expiry is set if the DHCP client does not ask for any other specific lease time
  • max-lease-time is the value in seconds that defines the maximum expiry time for an IP address leased by the DHCP server

default-lease-time 600;
max-lease-time 7200;

subnet 10.1.1.0 netmask 255.255.255.0 {
  range 10.1.1.3 10.1.1.254;
}

subnet 192.168.0.0 netmask 255.255.0.0 {
}

Define DNS server

Another parameter the DHCP server can hand to its clients is the list of DNS servers. If you want your clients to use the DNS servers with IP addresses 8.8.8.8 and 10.1.1.1, you can do it by including the option “domain-name-servers” in DHCP's configuration file.

default-lease-time 600;
max-lease-time 7200;

subnet 10.1.1.0 netmask 255.255.255.0 {
  range 10.1.1.3 10.1.1.254;
  option domain-name-servers 10.1.1.1, 8.8.8.8;
}

subnet 192.168.0.0 netmask 255.255.0.0 {
}

Set default gateway

DHCP also allows the client's default gateway to be configured. To set every client on the local network to use the default gateway 10.1.1.1, add the line “option routers 10.1.1.1” to the dhcpd.conf file as demonstrated below:

default-lease-time 600;
max-lease-time 7200;

subnet 10.1.1.0 netmask 255.255.255.0 {
  range 10.1.1.3 10.1.1.254;
  option domain-name-servers 10.1.1.1, 8.8.8.8;
  option routers 10.1.1.1;
}

subnet 192.168.0.0 netmask 255.255.0.0 {
}

DHCP clients on this subnet will now be configured with the gateway 10.1.1.1.

Host specific configuration

There may be a need to give a static IP address to a particular host on the network, such as a printer or a web server. In this case it is possible to amend the DHCP server configuration to lease a chosen IP address to a specific host identified by its MAC address.

default-lease-time 600;
max-lease-time 7200;

subnet 10.1.1.0 netmask 255.255.255.0 {
  range 10.1.1.3 10.1.1.254;
  option domain-name-servers 10.1.1.1, 8.8.8.8;
  option routers 10.1.1.1;
}

subnet 192.168.0.0 netmask 255.255.0.0 {
}

host printer {
  hardware ethernet 00:16:d3:b7:8f:86;
  fixed-address 10.1.1.100;
}

host web-server {
  hardware ethernet 00:17:a4:c2:44:22;
  fixed-address 10.1.1.200;
}

The above DHCP configuration file permanently assigns the IP address 10.1.1.100 to the host “printer” with MAC address 00:16:d3:b7:8f:86, and the IP address 10.1.1.200 to the host “web-server” with MAC address 00:17:a4:c2:44:22.
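Before restarting dhcpd it pays to check the file for the mistakes that are easy to make by hand: a subnet declared twice, a range or router outside its subnet, a malformed MAC, or a fixed-address that overlaps a dynamic range (the pool can then hand a reserved address to another client). The checker below is an added example, not part of this article and not ISC's own parser; it understands only the statements used above, and the ARTICLE_CONFIG string is the article's final dhcpd.conf copied verbatim so the checks can be run on it offline. Run on the article's file it reports that both reservations, 10.1.1.100 and 10.1.1.200, fall inside the range 10.1.1.3–10.1.1.254; narrowing the range (as NARROWED_CONFIG does) or moving the reservations clears the report.

```python
"""Sanity checks for the subnet, range and host declarations in a dhcpd.conf.
Added example; not ISC's parser, and it only understands the statements used here."""
import ipaddress
import re

TOKEN_RE = re.compile(r"[{};]|[^\s{};]+")
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def tokenize(text):
    """Drop '#' comments and split into words plus the structural tokens { } ;"""
    return TOKEN_RE.findall(re.sub(r"#.*", "", text))


def parse(tokens):
    """Return a list of (words, children): children is None for a plain
    'words;' statement and a nested list for a 'words { ... }' block."""
    items, words, i = [], [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == ";":
            if words:
                items.append((words, None))
            words = []
        elif tok == "{":
            depth, j = 1, i + 1
            while j < len(tokens) and depth:
                depth += {"{": 1, "}": -1}.get(tokens[j], 0)
                j += 1
            if depth:
                raise ValueError("unbalanced braces")
            items.append((words, parse(tokens[i + 1:j - 1])))
            words, i = [], j
            continue
        elif tok == "}":
            raise ValueError("unexpected '}'")
        else:
            words.append(tok.rstrip(","))  # "10.1.1.1, 8.8.8.8" -> two words
        i += 1
    if words:
        raise ValueError("statement without a terminating ';'")
    return items


def validate(text):
    """Return a list of problems (empty means every check passed).
    Subnets must be declared before the hosts whose addresses fall in them."""
    problems, subnets = [], []  # subnets: (network, [(range_lo, range_hi), ...])
    for words, children in parse(tokenize(text)):
        if words[:1] == ["subnet"] and children is not None:
            net = ipaddress.ip_network(f"{words[1]}/{words[3]}", strict=False)
            if any(net == n for n, _ in subnets):
                problems.append(f"subnet {net} declared more than once")
            ranges = []
            for inner, _ in children:
                if inner[0] == "range":
                    addrs = [ipaddress.ip_address(a) for a in inner[1:] if a != "dynamic-bootp"]
                    lo, hi = addrs[0], addrs[-1]
                    if lo not in net or hi not in net or lo > hi:
                        problems.append(f"range {lo}-{hi} is not valid inside {net}")
                    ranges.append((lo, hi))
                elif inner[:2] == ["option", "routers"]:
                    for gw in inner[2:]:
                        if ipaddress.ip_address(gw) not in net:
                            problems.append(f"router {gw} is outside {net}")
            subnets.append((net, ranges))
        elif words[:1] == ["host"] and children is not None:
            name = words[1]
            for inner, _ in children:
                if inner[:2] == ["hardware", "ethernet"]:
                    if not MAC_RE.match(inner[2]):
                        problems.append(f"host {name}: malformed MAC {inner[2]}")
                elif inner[0] == "fixed-address":
                    ip = ipaddress.ip_address(inner[1])
                    home = [r for n, r in subnets if ip in n]
                    if not home:
                        problems.append(f"host {name}: {ip} is in no declared subnet")
                    elif any(lo <= ip <= hi for lo, hi in home[0]):
                        # overlap: the pool may lease this reserved address to another client
                        problems.append(f"host {name}: {ip} lies inside a dynamic range")
    return problems


ARTICLE_CONFIG = """
default-lease-time 600;
max-lease-time 7200;
subnet 10.1.1.0 netmask 255.255.255.0 {
  range 10.1.1.3 10.1.1.254;
  option domain-name-servers 10.1.1.1, 8.8.8.8;
  option routers 10.1.1.1;
}
subnet 192.168.0.0 netmask 255.255.0.0 {
}
host printer {
  hardware ethernet 00:16:d3:b7:8f:86;
  fixed-address 10.1.1.100;
}
host web-server {
  hardware ethernet 00:17:a4:c2:44:22;
  fixed-address 10.1.1.200;
}
"""
# The same file with the pool narrowed so the two reservations sit outside it.
NARROWED_CONFIG = ARTICLE_CONFIG.replace("range 10.1.1.3 10.1.1.254", "range 10.1.1.3 10.1.1.99")
```

validate(ARTICLE_CONFIG) returns the two overlap reports and validate(NARROWED_CONFIG) returns an empty list; dhcpd's own syntax check (`dhcpd -t`) remains the authority for anything this simplified parser does not cover.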

Proxy server

A proxy server is an intermediary server between the client and the internet. Proxy servers offer the following basic functionalities:

  • Firewall and network data filtering.
  • Network connection sharing
  • Data caching

Proxy servers can conceal your network identity and make you anonymous by hiding your IP address.

Purpose of Proxy Servers

Following are the reasons to use proxy servers:

  • Monitoring and Filtering
  • Improving performance
  • Translation
  • Accessing services anonymously
  • Security

Monitoring and Filtering

Proxy servers allow us to do several kinds of filtering, such as:

  • Content filtering
  • Filtering encrypted data
  • Bypassing filters
  • Logging and eavesdropping

Improving performance

It speeds up service by retrieving content from the cache, where it was saved when a previous request was made by a client.

Translation

It helps to customize the source site for local users by excluding source content or substituting it with local content. Here the traffic from global users is routed to the source website through the translation proxy.

Accessing services anonymously

Here the destination server receives the request from the anonymizing proxy server and thus does not receive information about the end user.

Security

Since the proxy server hides the identity of the user, it protects against spam and hacker attacks.

Type of Proxies

The following briefly describes the types of proxies:

Forward Proxies

Here the client sends its requests to a server on its internal network, which forwards them to the internet.

[Diagram: forward proxy]

Open Proxies

Open proxies help clients conceal their IP address while browsing the web.

[Diagram: open proxy]

Reverse Proxies

Here the requests are forwarded to one or more proxy servers, and the response from the proxy server is returned as if it came directly from the original server.

[Diagram: reverse proxy]

Architecture

The proxy server architecture is divided into several modules as shown in the following diagram:

[Diagram: proxy server architecture modules]

Proxy user interface

This module controls and manages the user interface and provides an easy to use graphical interface, window and a menu to the end user. This menu offers the following functionalities:

  • Start proxy
  • Stop proxy
  • Exit
  • Blocking URL
  • Blocking client
  • Manage log
  • Manage cache
  • Modify configuration

Proxy server listener

This is the port on which new requests from the client browser are received. This module also blocks clients that appear on the list given by the user.

Connection Manager

It contains the main functionality of the proxy server. It performs the following functions:

  • Read the request header from the client.
  • Parse the URL and determine whether the URL is blocked or not.
  • Open a connection to the web server.
  • Read the reply from the web server.
  • If no copy of the page is found in the cache, download the page from the web server; otherwise check its Last-Modified date in the reply header and accordingly serve it from the cache or from the web server.
  • Then check whether caching is allowed and, if so, cache the page.
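The decision logic of that connection manager can be written down without any network I/O, which makes it easy to see the two places where mistakes matter for security: a blocklist that matches whole hostnames (including subdomains) rather than substrings, and a cache that refuses to store replies the origin marked no-store or private. The code below is an added example written for this page, not the proxy project's own code; the blocklist entries, request bytes and Last-Modified dates are constructed samples.

```python
"""Request handling decisions of a proxy connection manager (added example).
Blocked hosts, request bytes and reply headers are constructed samples."""
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

BLOCKED_HOSTS = {"ads.example.net", "tracker.example.org"}  # constructed blocklist

SAMPLE_REQUEST = (b"GET http://www.example.com/index.html HTTP/1.1\r\n"
                  b"Host: www.example.com\r\nUser-Agent: demo\r\n\r\n")


def parse_request(raw):
    """Read the request line and headers the browser sent to the proxy.
    Returns (method, absolute_url, headers).  A browser talking to a forward
    proxy sends the full URL; the origin-form 'GET /path' is rebuilt from the
    Host header so both shapes are handled."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    if target.startswith("/"):
        target = "http://" + headers.get("host", "") + target
    return method, target, headers


def is_blocked(url, blocked=BLOCKED_HOSTS):
    """A blocked entry also covers its subdomains: 'cdn.ads.example.net' is
    caught, while 'notads.example.net' (a different host) is not."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == b or host.endswith("." + b) for b in blocked)


def caching_allowed(reply_headers):
    """Honour the origin's Cache-Control: no-store / private directives."""
    directives = {d.strip().lower() for d in reply_headers.get("cache-control", "").split(",")}
    return not directives & {"no-store", "private"}


def plan_request(url, cache, reply_headers, blocked=BLOCKED_HOSTS):
    """Decide what the connection manager does with one request.
    cache maps url -> {'last_modified': datetime}; reply_headers are the
    origin reply's headers with lower-cased names.  Returns one of
    'blocked', 'serve-cache', 'serve-origin', 'serve-origin-and-cache'."""
    if is_blocked(url, blocked):
        return "blocked"
    entry = cache.get(url)
    modified = reply_headers.get("last-modified")
    if (entry and entry["last_modified"] and modified
            and parsedate_to_datetime(modified) <= entry["last_modified"]):
        return "serve-cache"  # origin copy is no newer than ours
    if caching_allowed(reply_headers):
        cache[url] = {"last_modified": parsedate_to_datetime(modified) if modified else None}
        return "serve-origin-and-cache"
    cache.pop(url, None)  # never keep a copy the origin said not to store
    return "serve-origin"


def demo():
    """Walk one URL through the logic; returns the sequence of decisions."""
    cache = {}
    _method, url, _headers = parse_request(SAMPLE_REQUEST)
    fresh = {"last-modified": "Wed, 21 Oct 2015 07:28:00 GMT"}
    updated = {"last-modified": "Thu, 22 Oct 2015 09:00:00 GMT"}
    return [
        plan_request(url, cache, fresh),      # first visit: fetch and store
        plan_request(url, cache, fresh),      # unchanged on origin: serve from cache
        plan_request(url, cache, updated),    # changed: refetch and replace the copy
        plan_request(url, cache, {"cache-control": "no-store"}),  # origin forbids caching
        plan_request("http://cdn.ads.example.net/a.js", cache, fresh),  # on the blocklist
    ]
```

demo() returns, in order, serve-origin-and-cache, serve-cache, serve-origin-and-cache, serve-origin and blocked. The blocklist is consulted before anything is fetched, so a blocked URL never reaches the origin or the cache; a real proxy would also want a request-size limit in parse_request before it starts reading headers.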

Cache Manager

This module is responsible for storing, deleting, clearing and searching of web pages in the cache.

Log Manager

This module is responsible for viewing, clearing and updating the logs.

Configuration

This module creates the configuration settings that in turn let the other modules carry out the configured behaviour, such as caching.

DHCP SERVER

DHCP, like DNS, is a network service that is vital to networking and the internet.

But what exactly is DHCP, and what does it do?

The key to understanding DHCP is to understand that all network devices on a network and the Internet need an IP address to operate.

There are two ways that a device can acquire an address:

  1. Manual Address assignment
  2. Automatic assignment using DHCP

Almost all networks use automatic assignment using DHCP (Dynamic host configuration protocol) as it is easier and more reliable.

In order to have automatic assignment on your network you need to have a DHCP server on that network.

All network devices (PCs, tablets, smart phones) come equipped with a DHCP client, and when they boot up they contact the DHCP server and request an IP address.

You don’t need to tell the client the IP address of the DHCP server as the client uses a broadcast mechanism to locate it.

This means that the DHCP server must be located on the same broadcast network as the client.

Provided everything is working OK, they get an IP address, and usually they also get the addresses of the DNS servers so that they can resolve domain names.

IP addresses from a DHCP server are normally leased, and must be renewed periodically.

The renewal process happens in the background, and doesn’t require any user intervention.

The screen shot below shows the IP address, DNS address and lease duration of my IP address.

You can find your own details by using the ipconfig /all command.

[Screenshot: ipconfig /all output showing the IP address, DNS address and lease duration]

On large networks an administrator must set up and manage the DHCP server, but on home networks it is built into the router, and doesn’t normally need any manual intervention.

Although on home networks you don't need to configure the DHCP server, you do need to tell the clients (computers) to use DHCP for their IP addresses.

DHCP Address Ranges

When configuring a DHCP server you will need to assign address ranges for the IP addresses.

When a client requests an IP address the DHCP server will assign the client an IP address from the address range.

On home networks the home router is usually pre-configured to assign IP addresses in the 192.168.x.x address range.

Below is a screen shot of my home router default DHCP settings:

[Screenshot: BT Home Hub default DHCP settings]

Notice that the hub/router is using a static IP address (192.168.1.254) and that this address is outside the range the DHCP server is configured to allocate, 192.168.1.64 - 192.168.1.253.

It is also important to note that the addresses 192.168.1.1 - 192.168.1.63 are not part of the allocated range.

You can use addresses in this range to assign to devices that require a static IP address.
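The lease, DNS and gateway values that ipconfig /all displays all arrive in a single DHCP OFFER/ACK message, and the home-router pool described above is what decides whether an address was leased or statically assigned. The block below is an added example for this page, not taken from the post or any product: it assembles a DHCPOFFER in the RFC 2131 wire format with sample values (the router address 192.168.1.254 and pool 192.168.1.64–192.168.1.253 follow the screenshot description; the client MAC, transaction id and offered address are constructed), decodes it back, and classifies an address against the pool the way the "Missing DHCP Server" section describes.

```python
"""Build and decode a DHCPOFFER to show where a client's leased address, lease
time, gateway and DNS servers come from.  Added example with constructed values."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the options field (RFC 2131)
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def _ip(addr):
    return ipaddress.ip_address(addr).packed


def build_offer(xid, client_mac, your_ip, server_ip, router, dns, lease_secs):
    """Assemble a DHCPOFFER the way a home router's DHCP server would send it."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                   # op=BOOTREPLY, htype=ethernet, hlen=6, hops=0
        xid, 0, 0x8000,               # transaction id, secs, flags (broadcast bit)
        b"\0" * 4,                    # ciaddr: the client has no address yet
        _ip(your_ip),                 # yiaddr: the address being offered
        _ip(server_ip),               # siaddr
        b"\0" * 4,                    # giaddr: no relay agent on a flat home network
        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    dns_packed = b"".join(_ip(d) for d in dns)
    options = (bytes([53, 1, 2])                                  # message type = OFFER
               + bytes([54, 4]) + _ip(server_ip)                  # server identifier
               + bytes([51, 4]) + struct.pack("!I", lease_secs)  # lease time (seconds)
               + bytes([1, 4]) + _ip("255.255.255.0")             # subnet mask
               + bytes([3, 4]) + _ip(router)                      # default gateway
               + bytes([6, len(dns_packed)]) + dns_packed         # DNS servers
               + b"\xff")                                         # end of options
    return fixed + MAGIC_COOKIE + options


def decode(packet):
    """Parse the fixed header and the options a client actually uses."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", packet[:12])
    info = {"op": "reply" if op == 2 else "request", "xid": xid,
            "your_ip": str(ipaddress.ip_address(packet[16:20])),
            "client_mac": ":".join(f"{b:02x}" for b in packet[28:28 + hlen])}
    i = 240
    while i < len(packet) and packet[i] != 255:
        code = packet[i]
        if code == 0:                 # pad byte, no length field
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError(f"option {code} has no length byte")
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code} is truncated")
        i += 2 + length
        addrs = [str(ipaddress.ip_address(data[k:k + 4])) for k in range(0, len(data) - 3, 4)]
        if code == 53:
            info["type"] = MESSAGE_TYPES.get(data[0], data[0])
        elif code == 51:
            info["lease_seconds"] = struct.unpack("!I", data)[0]
        elif code == 1:
            info["subnet_mask"] = addrs[0]
        elif code == 3:
            info["routers"] = addrs
        elif code == 6:
            info["dns"] = addrs
        elif code == 54:
            info["server_id"] = addrs[0]
    return info


def address_status(addr, pool_start, pool_end):
    """Classify the address a client ended up with against the router's pool."""
    ip = ipaddress.ip_address(addr)
    if ip == ipaddress.ip_address("0.0.0.0"):
        return "unassigned"
    if ip in ipaddress.ip_network("169.254.0.0/16"):
        return "self-assigned (no DHCP server answered)"
    if ipaddress.ip_address(pool_start) <= ip <= ipaddress.ip_address(pool_end):
        return "leased from pool"
    return "outside pool (static)"


# Constructed sample: the router at 192.168.1.254 offers 192.168.1.70 for one day.
SAMPLE_OFFER = build_offer(0x3903F326, bytes.fromhex("001122334455"),
                           "192.168.1.70", "192.168.1.254", "192.168.1.254",
                           ["192.168.1.254", "8.8.8.8"], 86400)
```

decode(SAMPLE_OFFER) yields type OFFER, your_ip 192.168.1.70, lease_seconds 86400, routers [192.168.1.254] and dns [192.168.1.254, 8.8.8.8], the same fields ipconfig /all reports; address_status puts 192.168.1.70 inside the pool and 192.168.1.254 outside it, matching the screenshot discussion, and a 169.254.x.x address is reported as self-assigned.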

Missing DHCP Server

If the client cannot find a DHCP server then it may auto-assign itself an IP address from the reserved range 169.254.0.0 - 169.254.255.255, or simply have the IP address 0.0.0.0.

Note: different versions of Windows use different default IP addresses.

In either case it is unlikely to work correctly.

You can find out whether or not your client (Windows) has an IP address by using the ipconfig command at a command prompt.

ipconfig /all   - This command will show the IP and DNS settings

ipconfig /release  - This command will release the IP address

ipconfig /renew - This command will renew the IP address