Wednesday, December 4, 2013

What is Active Directory?

Active Directory is Microsoft's Directory Server. It provides authentication and authorization mechanisms as well as a framework within which other related services can be deployed (AD Certificate Services, AD Federated Services, etc). It is an LDAP compliant database that contains objects. The most commonly used objects are users, computers, and groups. These objects can be organized into organizational units (OUs) by any number of logical or business needs. Group Policy Objects (GPOs) can then be linked to OUs to centralize the settings for various users or computers across an organization.

What is a domain and what is a forest?

A forest is a security boundary. Objects in separate forests are not able to interact with each other, unless the administrators of each separate forest create a trust between them. For example, an Enterprise Administrator account for domain1.com, which is normally the most privileged account of a forest, will have, no permissions at all in a second forest named domain2.com, even if those forests exist within the same LAN, unless there is a trust in place.
If you have multiple disjoint business units or have the need for separate security boundaries, you need multiple forests.
A domain is a management boundary. Domains are part of a forest. The first domain in a forest is known as the forest root domain. In many small and medium organizations (and even some large ones), you will only find a single domain in a single forest. The forest root domain defines the default namespace for the forest. For example, if the first domain in a new forest is named domain1.com, then that is the forest root domain. If you have a business need for a child domain, for example - a branch office in Chicago, you might name the child domain chi. The FQDN of the child domain would be chi.domain1.com. You can see that the child domain's name was prepended forest root domain's name. This is typically how it works. You can have disjoint namespaces in the same forest, but that's a whole separate can of worms for a different time.
In most cases, you'll want to try and do everything possible to have a single AD domain. It simplifies management, and modern versions of AD make it very easy to delegate control based on OU, which lessens the need for child domains.

I can name my domain whatever I want, right?

Not really. dcpromo.exe, the tool that handles the promotion of a server to a DC isn't idiot-proof. It does let you make bad decisions with your naming, so pay attention to this section if you are unsure. (Edit: dcpromo is deprecated in Server 2012. Use the Install-ADDSForest PowerShell cmdlet or install AD DS from Server Manager.)
First of all, don't use made up TLDs like .local, .lan, .corp, or any of that other crap. Those TLDs are notreserved. ICANN is selling TLDs now, so your mycompany.corp that you're using today could actually belong to someone tomorrow. If you own mycompany.com, then the smart thing to do is use something like internal.mycompany.com or ad.mycompany.com for your internal AD name. If you usemycompany.com as an externally resolvable website, you should avoid using that as your internal AD name as well, since you'll end up with a split-brain DNS.

Domain Controllers and Global Catalogs

A server that responds to authentication or authorization requests is a Domain Controller (DC). In most cases, a Domain Controller will hold a copy of the Global Catalog. A Global Catalog (GC) is a partial set of objects in all domains in a forest. It is directly searchable, which means that cross-domain queries can usually be performed on a GC without needing a referral to a DC in the target domain. If a DC is queried on port 3268 (3269 if using SSL), then the GC is being queried. If port 389 (636 if using SSL) is queried, then a standard LDAP query is being used and objects existing in other domains may require a referral.
When a user tries to log in to a computer that is joined to AD using their AD credentials, the salted and hashed username and password combination are sent to the DC for both the user account and the computer account that are logging in. Yes, the computer logs in too. This is important, because if something happens to the computer account in AD, like someone resets the account or deletes it, you may get an error that say that a trust relationship doesn't exist between the computer and the domain. Even though your network credentials are fine, the computer is no longer trusted to log into the domain.

Domain Controller Availability Concerns

I hear "I have a Primary Domain Controller (PDC) and want to install a Backup Domain Controller (BDC)" much more frequently that I would like to believe. The concept of PDCs and BDCs died with Windows NT4. The last bastion for PDCs was in a Windows 2000 transitional mixed mode AD when you still had NT4 DCs around. Basically, unless you're supporting a 15+ year old install that has never been upgraded, you really don't have a PDC or a BDC, you just have two domain controllers.
Multiple DCs are capable of answering authentication requests from different users and computers simultaneously. If one fails, then the others will continue to offer authentication services without having to make one "primary" like you would have had to do in the NT4 days. It is best practice to have at least two DCs per domain. These DCs should both hold a copy of the GC and should both be DNS servers that hold a copy of the Active Directory Integrated DNS zones for your domain as well.

FSMO Roles

"So, if there are no PDCs, why is there a PDC role that only a single DC can have?"
I hear this a lot. There is a PDC Emulator role. It's different than being a PDC. In fact, there are 5 Flexible Single Master Operations roles (FSMO). These are also called Operations Master roles as well. The two terms are interchangeable. What are they and what do they do? Good question! The 5 roles and their function are:
Domain Naming Master - There is only one Domain Naming Master per forest. The Domain Naming Master makes sure that when a new domain is added to a forest that it is unique. If the server holding this role is offline, you won't be able to make changes to the AD namespace, which includes things like adding new child domains.
Schema Master - There is only one Schema Operations Master in a forest. It is responsible for updating the Active Directory Schema. Tasks that require this, such as preparing AD for a new version of Windows Server functioning as a DC or the installation of Exchange, require Schema modifications. These modifications must be done from the Schema Master.
Infrastructure Master - There is one Infrastructure Master per domain. If you only have a single domain in your forest, you don't really need to worry about it. If you have multiple forests, then you should make sure that this role is not held by a server that is also a GC holder unless every DC in the forest is a GC. The infrastructure master is responsible for making sure that cross-domain references are handled properly. If a user in one domain is added to a group in another domain, the infrastructure master for the domains in question make sure that it is handled properly. This role will not function correctly if it is on a global catalog.
RID Master - The Relative ID Master (RID Master) is responsible for issuing RID pools to DCs. There is one RID master per domain. Any object in an AD domain has a unique Security Identifier (SID). This is made up of a combination of the domain identifier and a relative identifier. Every object in a given domain has the same domain identifier, so the relative identifier is what makes objects unique. Each DC has a pool of relative IDs to use, so when that DC creates a new object, it appends a RID that it hasn't used yet. Since DCs are issued non-overlapping pools, each RID should remain unique for the duration of the life of the domain. When a DC gets to ~100 RIDs left in its pool, it requests a new pool from the RID master. If the RID master is offline for an extended period of time, object creation may fail.
PDC Emulator - Finally, we get to the most widely misunderstood role of them all, the PDC Emulator role. There is one PDC Emulator per domain. If there is a failed authentication attempt, it is forwarded to the PDC Emulator. The PDC Emulator functions as the "tie-breaker" if a password was updated on one DC and hasn't yet replicated to the others. The PDC Emulator is also the server that controls time sync across the domain. All other DCs sync their time from the PDC Emulator. All clients sync their time from the DC that they logged in to. It's important that everything remain within 5 minutes of each other, otherwise Kerberos breaks and when that happens, everyone cries.
The important thing to remember is that the servers that these roles run on is not set in stone. It's usually trivial to move these roles around, so while some DCs do slightly more than others, if they go down for short periods of time, everything will usually function normally. If they're down for a long time, it's easy to transparently transfer the roles. It's much nicer than the NT4 PDC/BDC days, so please stop calling your DCs by those old names. :)

So, um...how do the DCs share information if they can function independently of each other?

Replication, of course. By default, DCs belonging to the same domain in the same site will replicate their data to each other at 15 second intervals. This makes sure that everything is relatively up to date.
There are some "urgent" events that trigger immediate replication. These events are: An account is locked out for too many failed logins, a change is made to the domain password or lockout policies, the LSA secret is changed, the password is changed on a DC's computer account, or the RID Master role is transferred to a new DC. Any of these events will trigger an immediate replication event.
Password changes fall somewhere between urgent and non-urgent and are handled uniquely. If a user's password is changed on DC01 and a user tries to log into a computer that is authenticating againstDC02 before replication occurs, you'd expect this to fail, right? Fortunately that doesn't happen. Assume that there is also a third DC here called DC03 that holds the PDC Emulator role. When DC01is updated with the user's new password, that change is immediately replicated to DC03 also. When thee authentication attempt on DC02 fails, DC02 then forwards that authentication attempt to DC03, which verifies that it is, indeed, good, and the logon is allowed.

Let's talk about DNS

DNS is critical to a properly functioning AD. The official Microsoft party line is that any DNS server can be used if it is set up properly. If you try and use BIND to host your AD zones, you're high. Seriously. Stick with using AD Integrated DNS zones and use conditional or global forwarders for other zones if you must. Your clients should all be configured to use your AD DNS servers, so it's important to have redundancy here. If you have two DCs, have them both run DNS and configure your clients to use both of them for name resolution.
Also, you're going to want to make sure that if you have more than one DC, that they don't list themselves first for DNS resolution. This can lead to a situation where they are on a "replication island"where they are disconnected from the rest of the AD replication topology and cannot recover. If you have two servers DC01 - 10.1.1.1 and DC02 - 10.1.1.2, then their DNS server list should be configured like this:
Server: DC01 (10.1.1.1)
Primary DNS - 10.1.1.2
Secondary DNS - 127.0.0.1
Server: DC02 (10.1.1.2)
Primary DNS - 10.1.1.1
Secondary DNS - 127.0.0.1

OK, this seems complicated. Why do I want to use AD at all?

Because once you know what you're doing, you life becomes infinitely better. AD allows for the centralization of user and computer management, as well as the centralization of resource access and usage. Imagine a situation where you have 50 users in an office. If you wanted each user to have their own login to each computer, you'd have to configure 50 local user accounts on each PC. With AD, you only have to made the user account once and it can log into any PC on the domain by default. If you wanted to harden security, you'd have to do it 50 times. Sort of a nightmare, right? Also imagine that you have a file share that you only want half of those people to get to. If you're not using AD, you'd either need to replicate their username and passwords by hand on the server to give seemless access, or you'd have to make a shared account and give each user the username and password. One way means that you know (and have to constantly update) users' passwords. The other way means that you have no audit trail. Not good, right?
You also get the ability to use Group Policy when you have AD set up. Group Policy is a set of objects that are linked to OUs that define settings for users and/or computers in those OUs. For example, if you want to make it so that "Shutdown" isn't on the start menu for 500 lab PCs, you can do that in one setting in Group Policy. Instead of spending hours or days configuring the proper registry entries by hand, you create a Group Policy Object once, link it to the correct OU or OUs, and never have to think about it again. There are hundreds of GPOs that can be configured, and the flexibility of Group Policy is one of the major reasons that Microsoft is so dominant in the enterprise market.

Friday, November 22, 2013

File Descriptor

In Unix like system File descriptor is abstract indicator for accessing file and are represented in integer value.  FD is a computer program term and highly used while programming in Unix like system using language like C, This is similar to file handle in windows like system.

By default operating system 3 file descriptor namely from 0-2. Where 0 represent standard input (stdin), 1 for standard output (stdout) and 2 for standard errors (stderr).


Operating system keeps index entry of opened files somewhere in Kernal’s address space which can be generally referred as file descriptor table. When a user process use open() or socket() (system calls to interface to the kernel) you are returned a file descriptor, which is an integer (These entries are represented by integers like ...100, 101, 102....)  And are maintains its file descriptor table in its address space. When a process want to access the file it passes the file descriptor to kernel with system call which in turns reads the file on behalf and returns the handle or result.

bit and bytes

byte (represented by the upper-case letter B), is a contiguous sequence of a fixed number of bits that is used as a unit of memorystorage and instructions execution incomputers.
A bit (represented by a lower case b) is the most basic unit of information in computing and communications. Every bit has a value of either zero or one. Although computers usually provide ways to test and manipulate single bits, they are almost always designed to store data and execute instructions in terms of bytes.
The number of bits in a byte varied according to the model of computer and its operating system in the early days of computing. For example, the PDP-7, for which the first version of UNIX was written, had 18-bit bytes. Today, however, a byte virtually always consists of eight bits.
Whereas a bit can have only one of two values, an eight-bit byte (also referred to as an octet) can have any of 256 possible values, because there are 256 possible permutations (i.e., combinations of zero and one) for eight successive bits (i.e., 28). Thus, an eight-bit byte can represent any unsigned integer from zero through 255 or any signed integer from -128 to 127. It can also represent any character (i.e., letter, number, punctuation mark or symbol) in a seven-bit or eight-bit character encoding system, such as ASCII (the default character coding used on most computers).
Multiple bytes are used to represent larger numbers and to represent characters from larger character sets. For example, two bytes (i.e., 16-bits) can store any one of 65,536 (i.e., 216) possible values, that is, the unsigned integers between 0 and 65,535 or signed numbers from -32,768 to 32,767. Likewise, the range of integer values that can be stored in 32 bits is 0 through 4,294,967,295, or -2,147,483,648 through 2,147,483,647.
A maximum of 32 bits is required to represent a character encoded in Unicode, which is an attempt to provide a unique encoding (i.e., identification number) for every character currently or historically used by the world's languages. However, the majority of the world's languages only need a single-byte character encoding because they use alphabetic scripts, which generally have fewer than 256 characters.
The word byte can also refer to a datatype (i.e., category of data) in certain programming languages and database systems. The C programming language, for example, defines byte to be synonymous with the unsigned char datatype, which is an integer datatype capable of holding at least 256 different values.

Kilobytes, Megabytes, Gigabytes, Terabytes, Petabytes
Because bytes represent a very small amount of data, for convenience they are commonly referred to in multiples, particularly kilobytes (represented by the upper-case letters KB or just K), megabytes (represented by the upper-case letters MB or just M) and gigabytes (represented by the upper-case letters GB or just G).
A kilobyte is 1,024 bytes, although it is often used loosely as a synonym for 1,000 bytes. A megabyte is 1,048,576 bytes, but it is frequently used as a synonym for one million bytes. For example, a computer that has a 256MB main memory can store approximately 256 million bytes (or characters) in memory at one time. A gigabyte is equal to 1,024 megabytes.
One terabyte (TB) is equal to 1024 gigabytes or roughly one trillion bytes. Onepetabyte is equal to a 1024 terabytes or about a million gigabytes. Some supercomputers now have a petabyte hard disk drive (HDD) capacity and a multipetabyte tape storage capacity. The prefix peta is an alteration of penta, the Greek word for five.
An exabyte is 1024 times larger than a petabyte. The prefix exa is an alteration ofhexa, the Greek word for six. As of 2005, exabytes of data are rarely encountered in a practical context. For example the total amount of printed material in the world is estimated to be around a fifth of an exabyte. However, the total amount of digital data that is now created, captured and replicated worldwide might be several hundred exabytes per year.

Origins
The term byte was coined by Werner Buchholz, a researcher at IBM, in 1956 during the early design phase for the IBM Stretch, the company's first supercomputer. It was a modification of the word bite that was intended to avoid accidentally misspelling it as bit. In 1962 Buchholz described a byte as "a group of bits used to encode a character, or the number of bits transmitted in parallel to and from input-output units."
Byte is also sometimes considered a contraction of BinarY digiT Eight. IBM used to teach that a Binary Yoked Transfer Element (BYTE) was formed by a series of bits joined together "like so many yoked oxen." Binary refers to the fact that computers perform all their computations with the base 2 numbering system (i.e., only zeros and ones), in contrast to the decimal system (i.e., base 10), which is commonly used by humans.
The movement toward an eight-bit byte began in late 1956. A major reason that eight was considered the optimal number was that seven bits can define 128 characters (as against only 64 characters for six bits), which is sufficient for the approximately 100 unique codes needed for the upper and lower case letters of the English alphabet as well as punctuation marks and special characters, and the eighth bit could be used as a parity check (i.e., to confirm the accuracy of the other bits).
This size was later adopted by IBM's highly popular System/360 series of mainframe computers, which was announced in April 1964, and this was a key factor in its eventually becoming the industry-wide standard.
If computers were used for nothing other than binary calculations, as some once were, there would be no need for bytes. However, because they are extensively used to manipulate character-based information, it is necessary to have encodings for those symbols, and thus bytes are necessary.

Latency

          Latency is the amount of time a message or data packets takes to traverse a system. You must have heard of Network Latency, so in computer networking it is an expression of how much time it takes for a data packet to get from one source system to destination another. It is more accurately measured as the time required for a packet to be returned to its sender over a interconnected network.
         
So if latency is low then network performance is good and on the other hand if latency is high then there supposed to be some problem with communication medium. In fact Latency depends on the speed of the transmission medium (e.g., copper wire, optical fiber or radio waves) and the delays in the transmission by devices along the way (e.g., routers and modems).

        Latency and throughput are the two very important terms to confuse about in data communication over the network. In fact both are fundamental measures of network performance with slightly different context. The latency measures the amount of time between the start of an action and its completion; throughput is the total number of such actions that occur in a given amount of time. Latency is measured in time (e. g. seconds,milliseconds) whereas throughput is measured in volume of data per unit time (e.g. gb/hr).

Sunday, September 1, 2013

What is firewall?

In Information technology industry all the networks in the worlds tends to connect each other through world wide web (internet), in today's scenarios it is mandatory for each network of every business establishment to pose its private network (Intranet LAN) to more risk prone internet to grow its business through online publishing and marketing. here is risk for organisation or any individual connected to internet and not bothering about what type of communication or data transfer happening internally. so, firewall is a mechanism which keeps tracks of any communication between its private network(LAN, Intranet etc)  and the public network (internet).



Firewall is computer hardware or software base network security system which controls incoming or outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, based on a rule set defined.A firewall establishes a barrier between a trusted, secure internal network and another network (e.g. Internet) that is not assumed to be secure and trusted. 

Firewalls are termed as  network devices which enforce an organization's security policy, different organisation can implement network security policy in the firewall system with various methods, . These methods filter network tra ffic at one or more of the seven layers of the ISO network model, most commonly at the application, transport, and network, and data-link levels. In addition, researchers have developed some newer methods, such as protocol normalization and distributed firewalls though they are not popular yet.

Friday, August 30, 2013

What is Kernel?


Kernel is heart of any Operating system.Its primary function is to manage the computer's hardware and resources and allow other programs to run and use these resources.here the resource includes any input/output device, Memory, central processing unit, disk etc 

The kernel acts as an intermediary between the computer hardware and various programs/application/shell.


Kernel typically performance following task :-
  • I/O management
  • Process management
  • Device management
  • File management
  • Memory management