Azure Data Factory helps Microsoft give back (Article)

Source: Microsoft
Microsoft Philanthropies, a division of Corporate, External, and Legal Affairs (CELA), manages millions in donations every year to organizations around the world. Accurate tracking and data management is critical for reporting, but also allows Microsoft to share with the community about its philanthropic initiatives. Microsoft IT developed a solution for CELA using Azure Data Factory, SQL Server, and Power BI to consolidate data, streamline donation processing, and simplify reporting.

Microsoft’s new tool for building line-of-business apps is now in public preview

Source: Microsoft
Microsoft PowerApps allows anybody to build basic business apps without having to touch any code. These apps can run on the web and on mobile (through the PowerApps apps for iOS and Android). Microsoft first announced a private preview of this project last November, but starting today it’s open for anybody who wants to give it a try. Building apps in PowerApps is mostly a… Read More

Plugins

Source: SANS security tip
Every plugin or add-on you install in your browser can expose you to more danger. Only install the plugins you need and make sure they are always current. If you no longer need a plugin, disable or remove it from your browser via your browser’s plugin preferences.

Microsoft restricts Cortana on Windows 10 to Bing and Edge

Source: Microsoft
Cortana is Microsoft’s version of Google Now and Apple’s Siri digital assistant. It’s built right into Windows 10 and, while I’ve generally not found it all that useful, it’s a core component of Microsoft’s attempt at making its operating system smarter. Starting today, whenever you use Cortana to do a search on Windows 10 that would typically take you to… Read More

Backing up Domain Controller — Best practices for AD protection

Source: Veeam

Microsoft Active Directory is a standard in corporate environments where authentication and central user-management are required. It’s almost impossible to imagine how system administrators would be able to do their jobs effectively if this technology didn’t exist. Not only is Active Directory a great power, but it’s also a great responsibility — and it requires spending a lot of time with it in order to maximize its capabilities.

This series is intended to help you with the successful backup and recovery of Active Directory Domain Services with Veeam, giving you all the keys to painless AD protection. Before reading it, you might want to take a look at the Active Directory design and implementation series we posted a while ago.

The series discusses how Veeam can protect AD data: preserving Domain Controllers (DCs) or individual AD objects, and recovering either of them when required.

Today, I’m going to talk about the backup options Veeam offers for both physical and virtualized DCs, and backup considerations to keep in mind while you do that.

Backup DC considerations

Because Active Directory Domain Services is designed with built-in redundancy (several DCs replicating the same data), the usual backup rules and tactics can be relaxed and adapted to that level. It wouldn’t be right to apply the same backup policy you have for a SQL or Exchange server here. Below are some considerations I believe might be helpful for creating your own AD backup policies:

  • Learn which domain controllers hold the Flexible Single Master Operations (FSMO) roles in your environment. Hint: a simple way to check this from the command line is: >netdom query fsmo

When performing a full domain recovery, you might want to start from the DC that holds the most FSMO roles, usually the one with the PDC emulator role. Otherwise, you will have to seize the roles manually after the restore with the ntdsutil seize command. Keep that in mind when planning backups, and prioritize DCs accordingly. Refer to the Active Directory basics white paper to learn more about FSMO roles.

  • If you have multiple DCs in a site and you’re looking for individual-object protection, there’s no need to back up all DCs: for item-level recovery, one copy of the AD database (ntds.dit) is sufficient
  • There are measures that always mitigate the risk of accidental or intentional deletion or change of AD objects. Consider delegating administrative operations, restricting membership of elevated groups and maintaining a “lag” site
  • It’s usually recommended to back up one DC at a time, so as not to interfere with DFS Replication, even though modern backup applications (e.g. Veeam Backup & Replication v7 with patch 3 and onwards) know how to deal with this
  • In a VMware virtual environment where it is not possible to connect to your DC over the network (for example, because it sits in a DMZ), Veeam will fail over to VIX and should still be able to process your DC

Backup of a virtual Domain Controller

Microsoft’s Active Directory Services organize and keep information about individual objects within the forest and store it in a relational database (ntds.dit) hosted by a domain controller. Backing up a Domain Controller has previously been a tiresome process, involving backing up the server’s system state. It’s well known that Active Directory services don’t consume a lot of system resources, so Domain Controllers tend to be the first servers that get virtualized in an environment. If you happen to share the old belief of “physical DCs only”, please refer to this post.

Once virtualized, they are easy for a domain/system administrator to manage and can be backed up with Veeam Backup & Replication. To follow along, you should have Veeam Backup & Replication installed and configured. The system requirements (for version 9.0) are as follows:

Virtual platform: VMware vSphere 4.1 and newer; Microsoft Hyper-V 2008 R2 SP1 and newer

Veeam server: Windows Server 2008 SP2 and newer; Windows 7 SP1 and newer, 64-bit OS

Domain controller virtual machine (VM): Windows Server 2003 SP1 and newer, the minimum supported forest functional level of Windows 2003

Permissions: Administrative rights for target Active Directory. Account of an enterprise administrator or domain administrator.

This article doesn’t intend to cover the Veeam Backup & Replication installation and configuration process, as it has already been covered a few times. But if you need help with that, please refer to the following video recorded by a Veeam system engineer.

I’m going to assume that you have everything running fine. Now you’d like to configure a backup task for your virtual DC. The process of configuration is rather simple (see figure 1 below):

1. Launch a Backup Job creation wizard

2. Add a desired DC to the task

3. Specify the retention policy for the backup chain

4. Make sure you enable application-aware image processing (AAIP) to ensure transactional consistency of the backup files, including the Active Directory database, its supporting files and the SYSVOL catalog

Note: AAIP is a Veeam technology that allows the software to back up VMs in an application-aware way. That means a multi-step process of detecting the applications running in the guest OS, quiescing them using the corresponding VSS writers, applying application-specific settings and truncating transaction logs if the backup task is successful. Please refer to the AAIP documentation for details.

If AAIP is not enabled, the Domain Controller’s guest OS is never told that it was backed up and protected. So, a while later, you might notice a warning in the server logs, event 2089, stating that there has been no backup for “backup latency interval” days.

Figure 1. Edit Backup Job: Guest processing

5. Schedule a task or manually run it

6. Ensure the task successfully ran with no errors or warnings

Figure 2. Performing incremental backup of a DC

7. Find the newly created backup file at the backup repository — that’s it!

Additionally, you can store a backup in the cloud with Veeam Cloud Connect (VCC), copy it to another datastore or tape using Veeam Backup Copy jobs and much more. The most important thing is that backup is now safe and can be restored as soon as you need it.
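As an added example (not from the Veeam post), here is a PowerShell script that ties together two of the checks above: it maps the FSMO roles to their holders so you can prioritize which DCs to back up (and restore) first, and it asks each DC whether it has logged event 2089, the “not backed up for N days” warning that appears when backups are not registering with the guest OS. It assumes the ActiveDirectory RSAT module is installed and the account running it can read the remote Directory Service event logs.

```powershell
# Added example, not part of the Veeam post. Assumes RSAT ActiveDirectory module
# and rights to read the Directory Service event log on each DC.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Same information as "netdom query fsmo": role name -> holder FQDN.
$fsmo = [ordered]@{
    'SchemaMaster'         = $forest.SchemaMaster
    'DomainNamingMaster'   = $forest.DomainNamingMaster
    'PDCEmulator'          = $domain.PDCEmulator
    'RIDMaster'            = $domain.RIDMaster
    'InfrastructureMaster' = $domain.InfrastructureMaster
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # Which FSMO roles (if any) this DC holds.
    $roles = @($fsmo.GetEnumerator() |
        Where-Object { $_.Value -eq $dc.HostName } |
        ForEach-Object { $_.Key })

    # Event 2089 is written by NTDS when no VSS-aware backup has been seen within
    # the backup latency interval. Its presence in the last week means the backup
    # job is either not running or not using application-aware processing.
    $warn = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2089
        StartTime = (Get-Date).AddDays(-7)
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DC                = $dc.HostName
        Site              = $dc.Site
        FsmoRoles         = ($roles -join ', ')
        # DCs holding roles are backed up and restored first (PDC emulator in particular).
        BackupPriority    = if ($roles.Count -gt 0) { 1 } else { 2 }
        MissingBackupWarn = [bool]$warn
        LastWarnTime      = if ($warn) { $warn.TimeCreated } else { $null }
    }
}

# Role holders sort to the top; any row with MissingBackupWarn = True needs attention.
$report | Sort-Object BackupPriority, DC | Format-Table -AutoSize
```

Run it from a management host after the first successful backup job: role holders should be listed with no 2089 warning, and a DC that still shows one is a sign that AAIP was not enabled for that job.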

How to back up a physical Domain Controller

Frankly speaking, I hope that you’ve been reconfiguring AD services in your company and that your DCs have been virtualized for a long time. If not, I hope that you’ve at least been updating your DCs, and that they’re running relatively modern Windows Server OS versions, Windows Server 2008 R2 or newer. (If managing older systems, skip below and go to the third article right away)

So, you have a physical DC, or a set of them, running Windows Server 2008 R2 or newer, and you want to protect your AD? Meet Veeam Endpoint Backup, a utility aimed at ensuring that the data on your remaining physical endpoints and servers is safe and secure. Veeam Endpoint Backup captures the desired data of the physical machine and stores it in a backup file. Then, in case of a disaster, you are able to do a bare-metal or volume-level restore while keeping full control of the recovery procedure, plus item-level recovery with Veeam Explorer for Microsoft Active Directory.

In order to back up your physical DC with this tool you should:

  • Download the utility from this page and copy it to your DC
  • Launch the installation wizard, accept the license agreement and install the program

Note: read these instructions for installing in Unattended Mode.

  • Configure a backup task by selecting the appropriate backup mode. If you’re configuring file-level backup mode, select Operating system as the object to back up (see Figure 1). This ensures that the program captures all files required for a bare-metal restore; the Active Directory database and SYSVOL catalog will also be saved. Feel free to refer to the product user guide for details
Figure 3. Selecting objects to back up in Veeam Endpoint Backup


Note: If you have a Veeam Backup & Replication instance in your infrastructure and you’d like to use an already configured Veeam Backup Repository to accept endpoint backups, reconfigure it right from Veeam Backup & Replication (right-click the desired repository, allow access to the repository and enable backup encryption if needed, see Figure 4).

Figure 4. Setting Endpoint Backup permissions for a backup repository
  • Run the backup, and make sure it’s done with no errors
Figure 5. Veeam Endpoint Backup FREE: Backup job statistics
  • Voila! The backup is done, and your DC is protected from now on. Go to the backup destination and find the backup or the backup chain
Figure 6. Incremental backup chain


Note: If you configured a Veeam Backup & Replication repository as the target for the DC backup, you can find the newly created backup under Backups > Disk, in the Endpoint Backups node.

Figure 7. Veeam Backup & Replication: Backups > Disk

Conclusion

Is DC backup that simple? Yes and no. Successful backup is great for starters, but that’s not all you need. Like we say at Veeam, “Backup is not worth a penny if you can’t restore from it.”

The following articles in this series are dedicated to different AD recovery scenarios, including the restore of a particular DC, as well as the recovery of individual deleted and changed objects using native Microsoft utilities and Veeam Explorer for Active Directory.


Anti-Virus

Source: SANS security tip
Make sure you have anti-virus software installed on your computer and that it is automatically updating. However, keep in mind that no anti-virus can catch all malware; your computer can still be infected. That is why it’s so important you use common sense and be wary of any messages that seem odd or suspicious.

Put your untrusted clients on ISE

Source: Meraki-Cisco

The last decade has seen a drastic increase in the number of network-connected devices.  Because of this, it has become more and more difficult for administrators to manage access, security, and traffic policies for all of the clients in their networks.  As with a lot of other IT challenges, the key to solving this problem lies in automation – removing as much of the manual work as possible by creating ways to dynamically and intelligently assign policies to clients.  One of the most effective ways to accomplish this is through a technology known as Change of Authorization (CoA).

At the most basic level, CoA is just a mechanism for changing the policy of an already-connected client.  While that might sound pretty simple, there are actually a variety of ways that CoA can be used to solve complex problems in a wireless network.  For example, you might want clients to have different levels of network access based on the current security status of the device, often referred to as its “security posture”.  A device’s posture includes things like whether it has up-to-date antivirus and anti-spyware software installed, whether the latest operating system security patches are installed, or even whether a certain application is installed on the device. Using CoA, you can send information from Cisco’s Identity Services Engine (ISE) or similar solutions to a Cisco Meraki AP informing it of any changes to a device’s posture.  The AP can then apply the appropriate policy to that client, even if it is already connected.  You can also leverage ISE to perform Central Web Authentication (CWA) in order to implement automatic authentication and policy application for guest users.

Like all Cisco Meraki features, we took care to ensure that CoA is simple to implement.  For administrators who wish to use Cisco ISE as their RADIUS and CoA server, it’s as easy as navigating to the Wireless>Access Control page and selecting ‘WPA2-Enterprise with my RADIUS server’ in the Association requirements section, and ‘Cisco Identity Services Engine (ISE) Authentication’ in the Splash page section.


Add your ISE server information under RADIUS servers, and you’re good to go!  Your APs will now redirect users to the ISE web portal for authentication when they connect, and will respond to CoA messages sent by the ISE server.

For other popular solutions like PacketFence, the process is just as easy.  Instead of selecting ISE Authentication from the Splash page options, set RADIUS CoA support to ‘RADIUS CoA enabled’ in the RADIUS server options on the same page.


The AP will now respond to CoA messages sent by the RADIUS server.

These features are currently in open beta.  If you want to try them out, you can reach out to our Support team or to your Cisco Meraki Systems Engineer to join the beta.  For more information on configuring CoA on Cisco Meraki MR access points or to learn more about this feature, check out our documentation.
