Month: May 2015

Master the Forest: Top Active Directory Interview Questions & Answers | Lazy Admin Blog


Part 1: The Logical vs. Physical Structure

Understanding how AD is organized is the first step in mastering the service. Interviewers often look for the distinction between how objects are managed (logical) and how traffic flows (physical).

Logical Components

These define the administrative boundaries and hierarchy:

  • Forest: The uppermost boundary. It contains one or more trees that share a common schema, a common configuration partition and a common global catalog. The forest, not the domain, is the security boundary: every domain in a forest trusts every other domain transitively.
  • Tree: A collection of domains that share a contiguous namespace (e.g., corp.com and dev.corp.com).
  • Domain: The primary unit of replication and of account policy (password, lockout and Kerberos settings). Every DC in a domain holds a full copy of that domain's partition in its own ntds.dit. A domain is an administrative boundary only; an administrator of any domain in the forest can escalate to the whole forest, which is why separate security requirements call for separate forests, not separate domains.
  • Organizational Unit (OU): Containers used to organize objects within a domain. OUs are primarily used to delegate administration and apply Group Policy.

Physical Components

These define how AD exists on hardware and over the network:

  • Domain Controllers (DC): The servers that host the AD database and handle authentication (Kerberos KDC, NTLM and LDAP). Every writable DC holds a full copy of its domain partition, so whoever has administrative or physical control of one DC controls the domain.
  • Sites: A grouping of IP subnets connected by high-speed links. Sites are used to control replication traffic (intra-site replication is near-immediate, inter-site replication runs on a schedule over site links) and to ensure users log on to a local DC rather than one across a slow WAN link.

Part 2: The Core “Under the Hood” Mechanics

The Active Directory Database

The database is stored in %systemroot%\ntds as ntds.dit. It is an ESE (JET) database that the NTDS service keeps open exclusively while the DC is running. Alongside it you will find:

  • edb.log: Transaction logs (changes are written here first, then committed to ntds.dit).
  • res1.log / res2.log: Reserve logs that guarantee the engine can still flush pending transactions if the disk fills up (Windows Server 2008 and later name them edbres00001.jrs and edbres00002.jrs).
  • edb.chk: The checkpoint file that tracks which transactions have been committed to the database.

Because ntds.dit holds every account's password hashes, a copy of it taken from a Volume Shadow Copy or a stolen backup is equivalent to compromising the domain. Treat DC backups and snapshots with the same care as the DC itself.
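To see the logical and physical components above as the concrete objects a DC answers with, here is an added PowerShell example (not from the original post). It assumes the ActiveDirectory RSAT module (Windows 8 / Server 2012 or later, since Get-ADReplicationSite and Get-ADReplicationSubnet need it), a domain account and a domain-joined machine; the last block reads the NTDS service parameters and is only meaningful on a DC.

```powershell
# Added example (not from the post): query the logical and physical components.
# Assumes the ActiveDirectory RSAT module (Windows 8 / Server 2012+), a domain account
# and a domain-joined machine. The registry lookup at the end only works on a DC.
Import-Module ActiveDirectory

# Logical: the forest is the security boundary; one schema, one configuration partition
$forest = Get-ADForest
"Forest root:      {0} ({1})" -f $forest.RootDomain, $forest.ForestMode
"Domains:          {0}" -f ($forest.Domains -join ', ')
"Schema master:    {0}" -f $forest.SchemaMaster
"Global catalogs:  {0}" -f ($forest.GlobalCatalogs -join ', ')

# Logical: the domain you are joined to and the naming context its ntds.dit replicates
$domain = Get-ADDomain
"Domain:           {0}  DN={1}" -f $domain.DNSRoot, $domain.DistinguishedName
"PDC emulator:     {0}" -f $domain.PDCEmulator

# Physical: subnets map clients to sites; sites decide which DC a client logs on to
Get-ADReplicationSubnet -Filter * | Sort-Object Site |
    Format-Table Name, Site -AutoSize
Get-ADDomainController -Filter * | Sort-Object Site |
    Format-Table HostName, Site, IPv4Address, IsGlobalCatalog, IsReadOnly, OperationMasterRoles -AutoSize

# Sanity check: a site with no DC sends every logon in it across a WAN link
$sitesWithDc = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Site -Unique
Get-ADReplicationSite -Filter * | Where-Object { $_.Name -notin $sitesWithDc } |
    ForEach-Object { "WARNING: site {0} has no domain controller" -f $_.Name }

# Under the hood (on a DC): where this DC keeps ntds.dit and its transaction logs
$ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
if ($ntds) {
    "ntds.dit:         {0}" -f $ntds.'DSA Database file'
    "Log path:         {0}" -f $ntds.'Database log files path'
}
```

The site check at the end is the one practitioners forget: a subnet that is not mapped to any site, or a site without a DC, shows up in the interview question as "logons are slow in branch X".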

The Global Catalog (GC)

A GC is a DC that, in addition to a full writable copy of its own domain, holds a read-only copy of a subset of attributes (the partial attribute set) of every object in every other domain of the forest. It allows users to search for resources (like a printer in another domain) without needing to query a DC in every domain. GC queries use TCP 3268 (3269 for LDAPS) rather than the standard LDAP port 389, and a GC is also needed at logon to expand universal group membership.

SYSVOL Folder

The SYSVOL folder is a shared directory on every DC that stores the domain's public files, including:

  • Logon scripts (published through the Netlogon share).
  • Group Policy Templates (the file-system half of every GPO: GPT.INI, registry.pol, scripts and preference files).

It is kept in sync across all DCs using the File Replication Service (FRS) or, on domains that have migrated since Windows Server 2008, DFS Replication (DFSR). Every authenticated user can read SYSVOL, so nothing placed there (scripts, Group Policy Preferences files) may contain credentials.

Part 3: Protocols and Naming

LDAP (Lightweight Directory Access Protocol)

LDAP is the language used to talk to Active Directory. It is a lightweight alternative to the X.500 Directory Access Protocol and runs over TCP/IP: port 389 (636 for LDAPS) against a domain partition, 3268 (3269 for LDAPS) against the Global Catalog. A simple bind over plain 389 sends the password in clear text, so require LDAP signing on your DCs or use LDAPS.

  • Distinguished Name (DN): The full path to an object (e.g., CN=JohnDoe,OU=Sales,DC=corp,DC=com).
  • Relative Distinguished Name (RDN): The leftmost component of the DN, unique among the object's siblings (e.g., CN=JohnDoe).
  • UPN (User Principal Name): The "email-style" login name (e.g., johndoe@corp.com). The UPN suffix does not have to match the DNS name of the domain.
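Two things about DNs and LDAP filters bite in practice: a DN component can contain an escaped comma (CN=Doe\, John), so splitting on commas naively gives the wrong RDN, and any value that comes from a user (a UPN typed into a login form) has to be escaped before it goes into a filter, or "*)(objectClass=*" turns a lookup into an LDAP injection. The PowerShell below is an added example, not code from the original post; it needs no domain connection, and the DNs and values in it are made up for the demonstration.

```powershell
# Added example (not from the post): split a DN into RDNs while honouring LDAP escaping,
# and escape untrusted input before it is placed in an LDAP filter (RFC 4515 rules).
# Runs stand-alone; the sample DN and values below are constructed for the demo.
function Split-DistinguishedName {
    param([Parameter(Mandatory = $true)][string]$DN)
    $rdns = New-Object System.Collections.Generic.List[string]
    $sb = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $DN.Length; $i++) {
        $c = $DN[$i]
        if ($c -eq '\' -and ($i + 1) -lt $DN.Length) {
            # An escaped character (\, \+ \" \\ ...) never terminates an RDN
            [void]$sb.Append($c).Append($DN[$i + 1])
            $i++
        } elseif ($c -eq ',') {
            $rdns.Add($sb.ToString().Trim())
            $sb.Length = 0
        } else {
            [void]$sb.Append($c)
        }
    }
    $rdns.Add($sb.ToString().Trim())
    $result = $rdns.ToArray()
    return ,$result
}

function ConvertTo-LdapFilterValue {
    # The five characters RFC 4515 requires to be hex-escaped inside a filter value
    param([Parameter(Mandatory = $true)][AllowEmptyString()][string]$Value)
    $map = @{ '*' = '\2a'; '(' = '\28'; ')' = '\29'; '\' = '\5c'; "`0" = '\00' }
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        $s = [string]$ch
        if ($map.ContainsKey($s)) { [void]$sb.Append($map[$s]) } else { [void]$sb.Append($s) }
    }
    return $sb.ToString()
}

# DN vs RDN, with an escaped comma inside the RDN
$dn = 'CN=Doe\, John,OU=Sales,DC=corp,DC=com'
$parts = Split-DistinguishedName $dn
"RDN:    {0}" -f $parts[0]                                        # CN=Doe\, John
"Parent: {0}" -f (($parts | Select-Object -Skip 1) -join ',')    # OU=Sales,DC=corp,DC=com

# Building a filter from a UPN the user typed: harmless input passes through unchanged...
$upn = 'johndoe@corp.com'
"(&(objectClass=user)(userPrincipalName={0}))" -f (ConvertTo-LdapFilterValue $upn)
# ...and injection attempts are neutralised instead of matching every user
$untrusted = '*)(objectClass=*'
"(&(objectClass=user)(sAMAccountName={0}))" -f (ConvertTo-LdapFilterValue $untrusted)
```

Unescaped, the last filter would read (&(objectClass=user)(sAMAccountName=*)(objectClass=*)) and match every user in the domain; escaped, it searches for a literal account name that does not exist.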

Part 4: Essential Admin Tools

Tool and purpose:

  • ADSIEdit: A low-level "registry editor" for Active Directory objects and attributes.
  • LDP: A tool for performing LDAP binds, searches and operations manually; also the quickest way to test whether a DC accepts an unsigned simple bind.
  • Repadmin: The go-to command-line tool for diagnosing replication health.
  • Netdom: Used for managing trust relationships and joining computers to domains via CLI.
  • Dcpromo: (Legacy) The command to promote or demote a Domain Controller. From Windows Server 2012 onward it is replaced by the AD DS role in Server Manager and the Install-ADDSForest / Install-ADDSDomainController PowerShell cmdlets.

Common Interview Scenario: “My Replication is Broken”

Answer: I would start by checking connectivity between sites: name resolution and the ports replication needs (RPC endpoint mapper 135 plus the dynamic RPC range, LDAP 389, Kerberos 88 and SMB 445 for SYSVOL). Then I would run repadmin /replsummary for an overview and repadmin /showrepl to see which naming contexts (Domain, Configuration or Schema) are failing and with which error code. I would also check the DNS SRV records (_ldap._tcp.dc._msdcs.<domain>) to ensure the DCs can find each other, and finish with dcdiag /test:replications for anything still unexplained.
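The same three checks as a script, added here as an example and not part of the original post. It assumes the domain is corp.com (the post's example domain) and that it runs on Windows 8.1 / Server 2012 R2 or later with RSAT installed, so that repadmin, dcdiag, Resolve-DnsName and Test-NetConnection are all available.

```powershell
# Added example (not from the post): the checks from the interview answer, scripted.
# Assumptions: domain corp.com; Windows 8.1 / Server 2012 R2+ with RSAT.
$domain = 'corp.com'

# 1. DNS: the SRV records every DC and client uses to locate domain controllers
$answers = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop
$srv = $answers | Where-Object { $_.Type -eq 'SRV' }   # drop the additional-section A records
$srv | Format-Table NameTarget, Port, Priority, Weight -AutoSize

# 2. Connectivity: can we reach LDAP on every DC the SRV records advertise?
foreach ($dc in ($srv.NameTarget | Sort-Object -Unique)) {
    $ok = Test-NetConnection -ComputerName $dc -Port 389 -InformationLevel Quiet
    "{0,-35} LDAP/389 reachable: {1}" -f $dc, $ok
}

# 3. Replication: parse repadmin's CSV instead of reading the wall of text and
#    list every partner / naming-context pair that has a failure count
$links = repadmin /showrepl * /csv | ConvertFrom-Csv
$failing = $links | Where-Object { ($_.'Number of Failures' -as [int]) -gt 0 }
if ($failing) {
    $failing |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Success Time', 'Last Failure Status' |
        Format-Table -AutoSize
} else {
    'repadmin reports no replication failures.'
}

# Overview, then the deeper diagnostic for whatever failed above
repadmin /replsummary
dcdiag /test:replications /test:dns /q
```

The "Last Failure Status" column is the number you search for: 8453 is a permissions problem, 1722 means RPC could not reach the partner, 8606 or 8614 point at lingering objects or a tombstone-lifetime overrun.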

#ActiveDirectory #SysAdmin #WindowsServer #ITJobs #TechInterview #Microsoft #Networking #ITOps #LazyAdmin

Troubleshooting VMware Tools Upgrade Failures on Windows Server 2003 | Lazy Admin Blog


In the world of legacy infrastructure, Windows Server 2003 virtual machines (VMs) occasionally hit a “brick wall” during VMware Tools upgrades. While VMware continues to investigate the root cause, the community has identified a manual “scrubbing” process to bypass the installer errors and force a clean installation.


🛑 Pre-Requisites & Data Collection

Before performing a manual registry cleanup, VMware Support recommends gathering the following data to help identify the underlying issue:

  1. Version Mapping: Note the current “from” version and the target “to” version.
  2. Upgrade Method: Are you using the “Interactive” installer, “Silent” switches, or vCenter’s “Automatic” update?
  3. Historical Data: Open the Windows Event Viewer, search for Event Source: MsiInstaller, and look for Event ID: 1034 to find traces of previous installation attempts.

🛠️ The Fix: Manual Registry & System Scrubbing

[!CAUTION] Warning: This procedure involves modifying the Windows Registry. Incorrect changes can destabilize your OS. Always take a full VM Snapshot and a Registry Backup before proceeding.

1. Registry Cleanup (Installer Keys)

Log in as an Administrator, open regedit, and navigate to/delete the following keys if they exist:

  • HKEY_CLASSES_ROOT\Installer\Features\05014B32081E884E91FB41199E24004
  • HKEY_CLASSES_ROOT\Installer\Products\05014B32081E884E91FB41199E24004
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\05014B32081E884E91FB41199E24004
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\05014B32081E884E91FB41199E24004
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B150AC107B12D11A9DD0006794C4E25
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3B410500-1802-488E-9EF1-4B11992E0440}
  • HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.

2. Service Removal

Deep-seated services can block the new installer. Delete these keys under CurrentControlSet\Services:

  • VMTools
  • VMUpgradeHelper
  • VMware Physical Disk Helper Service
  • vmvss

3. File System Cleanup

Once the registry is clear, you must remove the physical binary remnants:

  1. Open Windows Explorer.
  2. Delete the folder: %ProgramFiles%\VMware\VMware Tools.
  3. Restart the Virtual Machine. The reboot is required: it unloads the old VMware drivers and services and releases any handles on the files you just deleted, so the new installer starts from a clean slate.

🚀 Final Step: Fresh Installation

After the reboot, the system will be “clean” of previous VMware Tools traces. You can now mount the VMware Tools ISO through your vSphere client and run a fresh installation.

Pro-Tip: If the VM has other VMware products installed (like vCenter Server), do not do a blanket search-and-destroy for the term “VMware” in the registry. Stick strictly to the keys listed above to avoid breaking other applications.
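The manual scrub as a script, added here as an example and not taken from the original post or from VMware. It assumes PowerShell 2.0 is installed on the Windows Server 2003 guest, that the session is elevated and that the VM snapshot has already been taken. It touches only the keys and services listed above, exports each key with reg.exe before deleting it, and deliberately leaves the reboot to you.

```powershell
# Added example (not from the post or from VMware): the manual scrub as a script.
# Assumes PowerShell 2.0 on the Windows Server 2003 guest, an elevated session and a
# VM snapshot already taken. Only the keys and services listed in the post are touched.
$backupDir = "C:\vmtools-regbackup-$(Get-Date -Format yyyyMMddHHmm)"
New-Item -ItemType Directory -Path $backupDir | Out-Null

$product   = '05014B32081E884E91FB41199E24004'   # Installer product code from the post
$component = 'B150AC107B12D11A9DD0006794C4E25'   # Installer component code from the post
$services  = 'VMTools', 'VMUpgradeHelper', 'VMware Physical Disk Helper Service', 'vmvss'

$keys = @(
    "HKCR\Installer\Features\$product",
    "HKCR\Installer\Products\$product",
    "HKLM\SOFTWARE\Classes\Installer\Features\$product",
    "HKLM\SOFTWARE\Classes\Installer\Products\$product",
    "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\$component",
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3B410500-1802-488E-9EF1-4B11992E0440}',
    'HKLM\SOFTWARE\VMware, Inc.'
)
foreach ($svc in $services) {
    Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue   # ignore services already gone
    $keys += "HKLM\SYSTEM\CurrentControlSet\Services\$svc"
}

$n = 0
foreach ($key in $keys) {
    # The registry provider wants the long hive names; reg.exe is happy with the short ones
    $psPath = 'Registry::' + ($key -replace '^HKCR\\', 'HKEY_CLASSES_ROOT\' -replace '^HKLM\\', 'HKEY_LOCAL_MACHINE\')
    if (-not (Test-Path -LiteralPath $psPath)) { "absent:  $key"; continue }
    $n++
    & reg.exe export $key (Join-Path $backupDir "key$n.reg") | Out-Null   # restorable copy first
    Remove-Item -LiteralPath $psPath -Recurse -Force
    "removed: $key"
}

# Binary remnants, then the reboot the post insists on (left to you, deliberately)
$toolsDir = Join-Path $env:ProgramFiles 'VMware\VMware Tools'
if (Test-Path -LiteralPath $toolsDir) { Remove-Item -LiteralPath $toolsDir -Recurse -Force }
"Registry backups are in $backupDir. Reboot now, then install VMware Tools from the ISO."
```

HKCR\Installer is a view of HKLM\SOFTWARE\Classes\Installer, so the second pair of keys will usually report "absent" once the first pair is gone; that is expected. If the reinstall goes wrong, reg.exe import of the saved files puts the keys back exactly as they were.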

Troubleshooting vSphere Client Timeouts: “The remote server took too long to respond” | Lazy Admin Blog


If you are seeing the error “The request failed because the remote server [vCenter Name/IP] took too long to respond” specifically when checking the Storage View of a VM or Datacenter, you are likely hitting a timeout related to Single Sign-On (SSO) authentication latency.


🛠️ The Quick Fix: Manual Login

The most common trigger for this timeout is using the “Use Windows Session Credentials” checkbox during login. While convenient, this pass-through method often fails to communicate efficiently with SSO when complex domain trusts are involved.

To solve this immediately:

  1. Log out of the vSphere client.
  2. Manually type your username (e.g., domain\user or user@domain.com) and password.
  3. Do not check the “Use Windows Session Credentials” box.

🏗️ The Permanent Fix: Identity Source Configuration

If manual login works but you want to restore the functionality of session credentials, the issue lies in how vCenter communicates with your external domains.

1. Adding External Domains

Ensure your Active Directory or LDAP identity sources are correctly configured. Refer to VMware KB 2035510 for the specific procedure on adding external domains to the SSO identity sources.

2. Default Domain Order

Even if a domain is added, if it is low on the priority list, the search request may time out before finding the user.

  • Log into the vSphere Web Client as an SSO Administrator (administrator@vsphere.local).
  • Navigate to Administration > Single Sign-On > Configuration.
  • Go to the Identity Sources tab.
  • Add your trusted domains to the Default Domains list.
  • Reorder the domains: Move your most frequently used production domain to the top of the list.
  • Save the configuration.

Storage Interview Questions


What is LUN masking?

LUN (Logical Unit Number) masking is an authorization process that makes a LUN visible to some hosts and hidden from others.

LUN masking can be implemented on the host side, in the HBA (Host Bus Adapter) driver, or on the array side, in the storage controller. Host-side masking is only as strong as the host enforcing it: any attack that compromises the HBA driver or the host's administrative control can remove the mask, so prefer array-side masking where the controller supports it.

Some storage controllers also support LUN masking.

LUN masking is important because older Windows servers attempt to write volume labels (disk signatures) to every LUN they can see. This can render the LUNs unusable by other operating systems and can result in data loss.

 

What is SAN zoning?

SAN zoning is a method of arranging Fibre Channel devices into logical groups over the physical configuration of the fabric.

SAN zoning may be utilized to implement compartmentalization of data for security purposes.

Each device in a SAN may be placed into multiple zones.

 

What are hard and soft zoning?

Hard zoning is zoning which is implemented in hardware. Soft zoning is zoning which is implemented in software.

Hard zoning physically blocks access to a zone from any device outside of the zone.

Soft zoning uses filtering implemented in Fibre Channel switches (the fabric name server answers each device only with the members of its own zones) to prevent ports from being seen from outside of their assigned zones. The security weakness of soft zoning is that the hidden ports remain reachable: a device in another zone that guesses or learns the Fibre Channel address (N_Port ID) of a port can still send frames to it, because nothing in the switch's data path blocks them.

 

What is port zoning?

Port zoning utilizes physical switch ports to define security zones. A user's access to data is determined by which physical port he or she is connected to.

With port zoning, zone information must be updated every time a user changes switch ports. In addition, port zoning does not allow zones to overlap.

Port zoning is normally implemented using hard zoning, but could also be implemented using soft zoning.

 

What is WWN zoning?

WWN zoning uses name servers in the switches to either allow or block access to particular World Wide Names (WWNs) in the fabric.

A major advantage of WWN zoning is the ability to recable the fabric without having to redo the zone information.

WWN zoning is susceptible to unauthorized access, as the zone can be bypassed if an attacker is able to spoof the World Wide Name of an authorized HBA.

 

What is a World Wide Name (WWN)?

A World Wide Name, or WWN, is a 64-bit address used in fibre channel networks to uniquely identify each element in a Fibre Channel network.

Soft Zoning utilizes World Wide Names to assign security permissions.

The use of World Wide Names for security purposes is inherently insecure, because on many HBAs the World Wide Name of a device is a user-configurable parameter.

For example, to change the World Wide Name (WWN) of an Emulex HBA, a user simply needs to run the `elxcfg` command.

 

What are the classes of attacks against SANs?

  • Snooping: Mallory reads data Alice sent to Bob in private
    Allows access to data
  • Spoofing: Mallory fools Alice into thinking that he is Bob
    Allows access to or destruction of data
  • Denial of Service: Mallory crashes or floods Bob or Alice
    Reduces availability

 

What are some attacks against FCP?

  • Node Name / Port Name spoofing at Port Login time
  • Source Port ID spoofing on dataless FCP commands
  • Snooping and spoofing on FC-AL
  • Snooping and Spoofing after Fabric reconfiguration
  • Denial of Service attacks can be made in User mode

 

What is FCAP (Fibre Channel Authentication Protocol)?

FCAP is an optional authentication mechanism employed between any two devices or entities on a Fibre Channel network using certificates or optional keys.

 

What is FCPAP (Fibre Channel Password Authentication Protocol)?

FCPAP (Fibre Channel Password Authentication Protocol) is an optional password based authentication and key exchange protocol which is utilized in Fibre Channel networks.

FCPAP is used to mutually authenticate Fibre Channel ports to each other. This includes E_Ports, N_Ports and Domain Controllers (the fabric's management entities, not Active Directory domain controllers).

 

What is SLAP (Switch Link Authentication Protocol)?

SLAP is an authentication method for Fibre Channel switches which utilizes digital certificates to authenticate switch ports.

SLAP was designed to prevent the unauthorized addition of switches into a Fibre Channel network.

 

What is FC-SP (Fibre Channel – Security Protocol)?

Fibre Channel – Security Protocol (FC-SP) is a security protocol for Fibre Channel, covering both FCP (SCSI over Fibre Channel) and FICON (Fibre Connection, the mainframe channel protocol).

FC-SP is a project of Technical Committee T11 of the InterNational Committee for Information Technology Standards (INCITS).

FC-SP is a security framework which includes protocols to enhance Fibre Channel security in several areas, including authentication of Fibre Channel devices, cryptographically secure key exchange, and cryptographically secure communication between Fibre Channel devices.

FC-SP is focused on protecting data in transit throughout the Fibre Channel network. FC-SP does not address the security of data which is stored on the Fibre Channel network.

 

What is ESP over Fibre Channel?

ESP (Encapsulating Security Payload) is an Internet standard for the authentication and encryption of IP packets.

ESP was defined in RFC 2406: IP Encapsulating Security Payload (ESP); that document has since been obsoleted by RFC 4303.

ESP is widely deployed in IP networks and has been adapted for use in Fibre Channel networks: FC-SP defines an ESP_Header that protects individual Fibre Channel frames in transit. For the IP-based storage protocols, RFC 3723 specifies IPsec ESP with integrity protection that is mandatory to implement and encryption that is optional to use.

ESP over Fibre Channel is focused on protecting data in transit throughout the Fibre Channel network. ESP over Fibre Channel does not address the security of data which is stored on the Fibre Channel network.

 

What is DH-CHAP?

DH-CHAP (Diffie-Hellman Challenge Handshake Authentication Protocol) is an authentication protocol for devices connecting to a Fibre Channel switch. It was first drafted in the IETF IP Storage working group and is now specified in the T11 FC-SP standard.

DH-CHAP combines CHAP with a Diffie-Hellman exchange, so that the two parties not only authenticate each other but also derive a shared secret; it supports both switch-to-switch and host-to-switch authentication.

DH-CHAP supports MD5 and SHA-1 as its hash functions. It also permits a null Diffie-Hellman group, which reduces it to plain CHAP with no key agreement; when you deploy it, choose a real DH group and SHA-1 over MD5.

 

How are iSCSI, iFCP and FCIP secured over IP networks?

The IETF IP Storage (ips) Working Group is responsible for the definition of standards for the encapsulation and transport of Fibre Channel and SCSI protocols over IP networks.

The IPS Working Group’s charter includes responsibility for data security:

Security including authentication, keyed cryptographic data integrity and confidentiality, sufficient to defend against threats up to and including those that can be expected on a public network. Implementation of basic security functionality will be required, although usage may be optional.

The IPS Working Group has created RFC 3723: Securing Block Storage Protocols over IP.

RFC 3723 defines the use of the existing IPsec and IKE (Internet Key Exchange) protocols to secure block storage protocols over IP.

 

Monitoring Disk Command Aborts on ESXi: Identifying Storage Overload | Lazy Admin Blog


When your storage subsystem is severely overloaded, it cannot complete commands within the disk timeout configured in the Guest Operating System. The result? Disk Command Aborts. For Windows VMs the timeout is 60 seconds (the Disk TimeOutValue registry value, which VMware Tools sets to 60), so an abort means the array has been silent on that command for a full minute.

Aborted commands are a critical red flag indicating that your storage hardware is overwhelmed and unable to meet the host’s performance expectations. Monitoring this parameter is essential for proactive datacenter management.

Here is how you can track these aborts using two primary methods: the vSphere Client and esxtop.


💻 Method 1: vSphere Client (Graphical Interface)

This method provides a visual, historical look at command aborts across your infrastructure.

  1. Navigate to Hosts and Clusters.
  2. Select the object you want to monitor (Host or Cluster).
  3. Click on the Monitor tab, then Performance, and select Advanced.
  4. Click Chart Options.
  5. Switch the metric grouping to Disk.
  6. Select Commands aborted from the list of measurements.
  7. Click OK.

🛠️ Method 2: esxtop (Command Line Interface)

For real-time, granular troubleshooting, esxtop is the definitive tool. It monitors the ABRTS/s (Aborts per Second) field, specifically tracking SCSI aborts.

Steps to Configure esxtop for Aborts:

  1. Open an SSH client such as PuTTY and log in to your ESXi host via SSH (the SSH service is disabled on ESXi by default; enable it for the session and disable it again afterwards).
  2. Type esxtop and press Enter.
  3. Type u to switch to the Disk Device view.
  4. Type f to change the field settings.
  5. Type L to select Error stats.
  6. Press Enter, then press W to save these settings for future sessions.

You will now see the ABRTS/s column. This is the rate of SCSI commands aborted for that device, averaged over esxtop's refresh interval (5 seconds by default; change it with the -d switch or by pressing s).


📈 Thresholds and Interpretation

If you are deploying a monitoring tool, the critical threshold for ABRTS/s is 1. A value of 1 or higher means SCSI commands are actively being aborted by the guest OS because the storage is not responding.

What is Ideal?

In an ideal scenario, ABRTS/s should always be 0.

What is Real-World?

In a busy production environment, you may see this value fluctuate between 0 and 0.xx. This occurs during “peak hours”—for instance, when multiple servers on the host are running disk-intensive backup operations simultaneously, leading to temporary storage saturation. However, any consistent spike above 1 requires immediate investigation into path failures, array congestion, or complete storage unresponsiveness.
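To watch the same counter for every host without logging into each one, here is an added PowerCLI example (not from the original post). It reads disk.commandsAborted.summation, the counter behind the "Commands aborted" chart in Method 1, and flags any device that logged an abort. The vCenter name and the one-hour window are assumptions; Connect-VIServer, Get-VMHost and Get-Stat are standard PowerCLI cmdlets. Note the unit difference: esxtop shows aborts per second, while this counter sums aborts over each 20-second realtime interval, so any non-zero value here already exceeds the post's threshold.

```powershell
# Added PowerCLI example (not from the post): disk.commandsAborted.summation per host and
# device, with a count of intervals that breached the threshold. Assumptions: PowerCLI is
# installed, the vCenter is vcenter.corp.com, and realtime host stats arrive every 20 s,
# so 180 samples cover the last hour.
function Get-AbortedCommandSummary {
    param([Parameter(Mandatory = $true)]$VMHost, [int]$Samples = 180, [int]$Threshold = 1)
    $stats = Get-Stat -Entity $VMHost -Stat 'disk.commandsAborted.summation' -Realtime -MaxSamples $Samples
    # One row per device (Instance); an empty Instance is the host-wide aggregate
    $stats | Group-Object -Property Instance | ForEach-Object {
        $values = @($_.Group | ForEach-Object { [int]$_.Value })
        [pscustomobject]@{
            Host     = $VMHost.Name
            Device   = if ($_.Name) { $_.Name } else { '(all devices)' }
            Samples  = $values.Count
            Max      = ($values | Measure-Object -Maximum).Maximum
            Total    = ($values | Measure-Object -Sum).Sum
            # Intervals in which at least $Threshold commands were aborted
            Breached = @($values | Where-Object { $_ -ge $Threshold }).Count
        }
    }
}

Connect-VIServer -Server 'vcenter.corp.com' | Out-Null
$report = foreach ($h in Get-VMHost) { Get-AbortedCommandSummary -VMHost $h }
$report | Sort-Object Total -Descending | Format-Table -AutoSize
$report | Where-Object { $_.Breached -gt 0 } | ForEach-Object {
    "INVESTIGATE {0} {1}: aborts in {2} of {3} intervals (max {4} per interval)" -f `
        $_.Host, $_.Device, $_.Breached, $_.Samples, $_.Max
}
```

Run it on a schedule and keep the output: a device that shows up once during the backup window is the "real-world" case above, one that shows up every hour is a path or array problem.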

How to install NIC Teaming Driver and configure NIC Teaming in a Cisco UCS B200-M3


The Cisco NIC Teaming Driver is contained in the UCS-related Windows Utilities ISO. You can download it from http://www.cisco.com. Depending on your platform, choose either Cisco UCS B-Series Blade Server Software or Cisco UCS C-Series Rack-Mount UCS-Managed Server Software. Once you have installed Windows on the blade you can proceed to install the teaming software.

First let us see how to install the NIC teaming driver on the server.

Step 1 In Windows, open a command prompt with administrator privileges.
Step 2 At the command prompt, enter enictool -p "drivers_directory". The Cisco NIC Teaming Driver is installed using the .inf files located in the specified directory.

Example: This example installs the teaming driver using the .inf files located in the temp directory:

C:\> enictool -p "c:\temp"

Once the driver is installed, you need to configure the teaming on the desired NICs.

Step 1 In Windows, open a command prompt with administrator privileges.
Step 2 To create a team, enter enictool -c "list of connections" -m mode. The mode options are as follows:

  • 1—Active Backup
  • 2—Active Backup with failback to active mode
  • 3—Active Active (transmit load balancing)
  • 4—802.3ad LACP

Example: This example creates a team of two NICs in Active Backup mode:

C:\> enictool -c "Local Area Connection" "Local Area Connection 2" -m 1

Step 3 To delete a team, enter enictool -d "list of connections".

Example: This example deletes a team of two NICs:

C:\> enictool -d "Local Area Connection" "Local Area Connection 2"

Step 4 To view additional options and usage information, enter enictool /?. Use the displayed command option information to configure the load balancing method, the load balancing hash method, and other options.

How to install and configure Multipathing I/O on a computer running Windows Server 2008


To install Multipath I/O

  1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.
  2. In the Features area, click Add Features.
  3. On the Select Features page of the Add Features Wizard, select Multipath I/O, and then click Next.
  4. On the Confirm Installation Selections page, click Install.
  5. When installation has completed, click Close.

To install Multipath I/O on a computer by using the Server Manager command line, complete the following steps. (ServerManagerCmd.exe is deprecated from Windows Server 2008 R2 onward; there, use Import-Module ServerManager followed by Add-WindowsFeature Multipath-IO in PowerShell instead.)

To install Multipath I/O by using a command line

  1. Open a Command Prompt window with elevated privileges. Right-click the Command Prompt object on the Start menu, and then click Run as administrator.
  2. Type the following, and press ENTER. ServerManagerCmd.exe -install Multipath-IO
  3. When installation has completed, you can verify that Multipath I/O has installed by entering the following command and reviewing the query results in the command window. Multipath I/O should show in the list of installed packages. ServerManagerCmd.exe -query


Removing Multipath I/O

To remove Multipath I/O, complete the following steps.

To remove Multipath I/O

  1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.
  2. In the Features area, click Remove Features.
  3. On the Select Features page of the Remove Features Wizard, clear the Multipath I/O check box, and then click Next.
  4. On the Confirm Removal Selections page, click Remove.
  5. When removal has completed, click Close.

To remove Multipath I/O by using the Server Manager command line, complete the following steps.

To remove Multipath I/O by using a command line

  1. Open a Command Prompt window with elevated privileges. Right-click the Command Prompt object on the Start menu, and then click Run as administrator.
  2. Type the following, and press ENTER. ServerManagerCmd.exe -remove Multipath-IO
  3. When removal has completed, you can verify that Multipath I/O was removed by entering the following command and reviewing the query results in the command window. Multipath I/O should not be in the list of installed packages. ServerManagerCmd.exe -query

To claim an iSCSI-attached device for use with MPIO

  1. Open the MPIO control panel, and then click the Discover Multi-Paths tab.
  2. Select the Add support for iSCSI devices check box, and then click Add. When prompted to restart the computer, click Yes.
  3. When the computer restarts, the MPIO Devices tab lists the additional hardware ID "MSFT2005iSCSIBusType_0x9". When this hardware ID is listed, all iSCSI bus attached devices will be claimed by the Microsoft DSM.
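The install and the iSCSI claim from PowerShell, added here as an example and not part of the original post or of Microsoft's documentation. It assumes Windows Server 2008 R2 (where the ServerManager module replaced ServerManagerCmd.exe) and an elevated session; mpclaim.exe is installed with the Multipath I/O feature, and MSFT2005iSCSIBusType_0x9 is the same hardware ID the control panel adds for you.

```powershell
# Added example (not from the post): install MPIO and claim iSCSI devices from PowerShell.
# Assumes Windows Server 2008 R2 with the ServerManager module and an elevated session.
Import-Module ServerManager

$feature = Get-WindowsFeature -Name Multipath-IO
if (-not $feature.Installed) {
    $result = Add-WindowsFeature -Name Multipath-IO
    "Install result: {0}, restart needed: {1}" -f $result.Success, $result.RestartNeeded
}

# Equivalent of ticking "Add support for iSCSI devices" in the MPIO control panel:
# -i install, -d claim by hardware ID, -n do not reboot automatically (reboot when convenient)
& mpclaim.exe -n -i -d 'MSFT2005iSCSIBusType_0x9'

# Verify: the claimed hardware IDs live in MPIOSupportedDeviceList, and -s -d lists
# the disks MPIO currently owns together with their path counts
$mpdev = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\MPDEV' -Name MPIOSupportedDeviceList
"Claimed hardware IDs: {0}" -f ($mpdev.MPIOSupportedDeviceList -join '; ')
& mpclaim.exe -s -d
```

On Windows Server 2012 and later the MPIO module does the same natively: Install-WindowsFeature Multipath-IO, then Enable-MSDSMAutomaticClaim -BusType iSCSI, with Get-MSDSMSupportedHW to confirm the claim.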

How to update Offline Windows Servers to the latest Patch Level using WSUS



WSUS Offline Update (not to be confused with the WSUS server role, which is what Microsoft calls Windows Server Update Services) is a tool for bringing Windows machines that have no Internet access up to the current patch level.

The best way to achieve patch management at scale is to set up a WSUS server. What I am going to discuss is downloading the patches on one machine that is connected to the Internet and carrying them to an offline machine on a memory stick or DVD. This is a good solution when you have to update the patch level once on a few machines. It is not practical as a long-term solution, as every time Microsoft releases a patch you would have to manually update the offline servers.

First, download WSUS Offline Update from http://download.wsusoffline.net/ and extract the archive to a directory. Open the directory and run the Update Generator (UpdateGenerator.exe).

Tick the box beside the OS you want to download updates for, for example Windows 7 / Windows Server 2008 R2 x64. Select any other options you need, then click "Start".

The updates will start to download. As a rough idea of the download size, the updates for Vista x64 were 2.5GB and for Windows Server 2008 R2 800MB.

Next, copy the whole wsusoffline folder to removable media (a memory stick, DVD, external hard disk) and attach it to the server you want to update. Keep that media under your control: whatever is on it will run with administrative rights on the offline server.

Open the folder, open the "client" subfolder and run the update executable.

This will update your system to the patch level you downloaded.
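Carrying update binaries across an air gap on removable media is exactly the point at which a tampered package could be introduced, so check signatures before running anything. The script below is an added example, not part of the original post or of WSUS Offline Update. It assumes PowerShell 3.0 or later on the offline server, that the copied client folder is at E:\wsusoffline\client and that the updater inside it is named UpdateInstaller.exe; both paths are assumptions, adjust them to your media.

```powershell
# Added example (not from the post or from WSUS Offline Update): verify the media before
# running the updater, then record what changed. Assumptions: PowerShell 3.0+ on the
# offline server, the client folder at E:\wsusoffline\client, updater UpdateInstaller.exe.
function Test-UpdateMediaSignatures {
    param([Parameter(Mandatory = $true)][string]$MediaRoot)
    # Update payloads: .msu/.cab for Vista and later, KB-named .exe for Server 2003/XP
    $files = Get-ChildItem -Path $MediaRoot -Recurse -Include '*.msu', '*.cab', '*KB*.exe' |
             Where-Object { -not $_.PSIsContainer }
    $bad = @(foreach ($f in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        # Anything without a valid signature from Microsoft is a reason to stop
        if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
            [pscustomobject]@{ File = $f.FullName; Status = $sig.Status; Signer = $signer }
        }
    })
    return ,$bad
}

$mediaRoot = 'E:\wsusoffline\client'
$problems = Test-UpdateMediaSignatures -MediaRoot $mediaRoot
if ($problems.Count -gt 0) {
    $problems | Format-Table -AutoSize
    throw "Refusing to run updates: $($problems.Count) file(s) are unsigned, tampered or not signed by Microsoft."
}

# Patch level before and after, so the change is documented
$before = Get-HotFix | Select-Object -ExpandProperty HotFixID
Start-Process -FilePath (Join-Path $mediaRoot 'UpdateInstaller.exe') -Wait
$after  = Get-HotFix | Select-Object -ExpandProperty HotFixID
"Newly installed: {0}" -f (($after | Where-Object { $_ -notin $before }) -join ', ')
```

A signature that is valid but from a different publisher is treated the same as no signature: on an air-gapped server the only acceptable source of a patch is Microsoft.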

Not enough server storage is available to process this command


The error "Not enough server storage is available to process this command" (logged in the System event log as Event ID 2011 from source srv) means the Server service has run out of I/O request packet stack space. Here is the registry value that controls it:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
IRPStackSize DWORD 0x0000000f (15)

Check for the presence of the value named IRPStackSize. If it doesn't exist, create it as type DWORD. Registry value names are not case-sensitive, but copy the name exactly as shown so that a typo does not leave you with a second value that the service ignores.

With base set to decimal, enter the value 16 or higher; Microsoft documents the valid range as 11 to 50, and raising it in small steps is preferable to jumping to the maximum. 15 is the default, so entering 15 has the same effect as removing the value altogether. The new value takes effect only after the Server (LanmanServer) service is restarted or the machine is rebooted.
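The same change from PowerShell, added here as an example and not part of the original post. It bounds the value to the documented range, records what was there before, restarts the Server service so the change actually takes effect, and then checks the System log for the event behind the error message. Run it in an elevated session; the value 18 is just a reasonable first step, not a recommendation from the post.

```powershell
# Added example (not from the post): set IRPStackSize with a bounds check, a record of
# the previous value, the Server service restart the change needs, and a look at the
# System log for event 2011. Run elevated.
function Set-IrpStackSize {
    param([ValidateRange(11, 50)][int]$Size = 18)   # 11-50 is the documented range; 15 is the default
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $old = (Get-ItemProperty -Path $path -Name IRPStackSize -ErrorAction SilentlyContinue).IRPStackSize
    if ($null -eq $old) { Write-Host 'IRPStackSize absent, default of 15 in effect' }
    else                { Write-Host "IRPStackSize was $old" }
    # Creates the value if it is missing, updates it otherwise; it must be a DWORD
    Set-ItemProperty -Path $path -Name IRPStackSize -Value $Size -Type DWord
    # The Server service reads the parameter at start-up; -Force also bounces dependents
    Restart-Service -Name LanmanServer -Force
    return (Get-ItemProperty -Path $path -Name IRPStackSize).IRPStackSize
}

"IRPStackSize is now {0}" -f (Set-IrpStackSize -Size 18)

# The error surfaces as event 2011 from source srv; if it keeps appearing after the
# restart, raise the value again in small steps rather than jumping to the maximum
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'srv'; Id = 2011 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap
```

Restart-Service -Force also restarts anything that depends on the Server service (the Computer Browser, for instance), so run it in a maintenance window on a busy file server.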