Tuesday, October 16, 2012

What is a firewall

Hello everyone, I am here again. Today I am going to describe the firewall. It is a common question that I answer for my friends and users, so today I will explain it. Whenever you use the internet at the office, at home or at school you hear about the firewall. Yes, of course, some of us also complain about it; well, that is the other side of the coin. In this and the upcoming post I will describe what a firewall is and how it works.

A firewall is basically a kind of roadblock that keeps unwanted or insecure traffic away from your own area. The job of a firewall is very similar to that of a physical firewall, which keeps a fire from spreading from one part of a building to another.

A firewall is software or hardware that filters the information passing from the internet into our LAN or computer system (and, on most firewalls, the information going out as well). If a packet is flagged by the filters, it is not allowed through.

One example I would like to give to better understand the concept of a firewall. Suppose you have 200 employees, all with an internet connection and no firewall in the network. None of the computers has any restriction on internet traffic: employees read public mail and the LAN FTP server is exposed to the internet without any restriction. In this case attackers have a free hand to probe your network; if they find one weak machine or service they can take control of it, move on to the rest of the network and easily steal the company's important data.

In the opposite case, if this company installs a firewall that limits access to the internet, users can reach only the services that are permitted to them. Suppose one employee needs the FTP service; in that case the service can be permitted for that employee's machine only, not for everyone, and the FTP server itself can be made reachable only from inside the LAN.

Methods used by firewalls: every firewall uses one or more of three methods to control the traffic flowing in and out of the network.

Packet filtering: packets (small pieces of data) are analyzed one at a time against a set of filters, typically on source and destination address, protocol and port. Packets that make it through the filters are passed on to the requesting system; all others are discarded. Because each packet is judged on its own, this method has no memory of which connections were opened from inside.

Proxy service: information from the internet is retrieved by the firewall on behalf of the requesting system and then passed to it, and vice versa. The two ends never talk to each other directly, so the proxy can also inspect the application-level content (for example the HTTP request itself), not just the packet headers.

Stateful inspection: a newer method that does not examine the full contents of each packet but instead compares certain key parts of the packet (addresses, ports and TCP flags) to a table of connections the firewall already trusts. Information travelling from inside the firewall to the outside is monitored for its defining characteristics, and incoming information is then compared against them. If the comparison yields a reasonable match, the information is allowed through; otherwise it is discarded.

In the next post we will talk about firewall configuration and why a firewall helps protect our network.
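To make the difference between the first and third method concrete, here is an added example (my own toy model, not code from the original post and not a real firewall): a stateless packet filter and a stateful filter run over a few constructed packets. All addresses and ports are made up (RFC 5737 documentation ranges), and nothing in it touches the real network.

```powershell
# Added example, not part of the original post: a toy model of packet filtering
# versus stateful inspection, run over constructed packets. Nothing here touches a
# real network; addresses and ports are made up (RFC 5737 ranges).

# A packet is modelled as a small object. Dir is 'in' or 'out' relative to the LAN.
function New-Packet {
    param([string]$Dir, [string]$Src, [int]$SPort, [string]$Dst, [int]$DPort, [switch]$Syn)
    [pscustomobject]@{ Dir = $Dir; Src = $Src; SPort = $SPort; Dst = $Dst; DPort = $DPort; Syn = [bool]$Syn }
}

# Method 1, packet filtering: each packet is judged on its own header fields.
# Policy: LAN hosts may open connections to remote ports 80 and 443. To let the
# replies back in, a stateless filter has to admit ANY inbound packet whose source
# port is 80 or 443, because it has no memory of who asked for it.
function Test-PacketFilter {
    param($Packet, [int[]]$AllowedRemotePorts = @(80, 443))
    if ($Packet.Dir -eq 'out' -and $AllowedRemotePorts -contains $Packet.DPort) { return 'allow' }
    if ($Packet.Dir -eq 'in'  -and $AllowedRemotePorts -contains $Packet.SPort) { return 'allow' }
    return 'drop'
}

# Method 3, stateful inspection: outbound connections are recorded in a state table,
# and an inbound packet is admitted only if it is the reverse of a recorded
# connection and is not itself trying to open a new one (no bare SYN).
function Test-StatefulFilter {
    param($Packet, [hashtable]$State, [int[]]$AllowedRemotePorts = @(80, 443))
    if ($Packet.Dir -eq 'out') {
        if ($AllowedRemotePorts -contains $Packet.DPort) {
            $State["$($Packet.Src):$($Packet.SPort)>$($Packet.Dst):$($Packet.DPort)"] = Get-Date
            return 'allow'
        }
        return 'drop'
    }
    $reverse = "$($Packet.Dst):$($Packet.DPort)>$($Packet.Src):$($Packet.SPort)"
    if ($State.ContainsKey($reverse) -and -not $Packet.Syn) { return 'allow' }
    return 'drop'
}

# Constructed traffic: a LAN client browsing a web server, then an attacker probing
# the client's SMB port (445) while using source port 80 to look like a reply.
$state   = @{}
$traffic = @(
    New-Packet -Dir out -Src '192.0.2.10'   -SPort 52000 -Dst '203.0.113.5' -DPort 80 -Syn
    New-Packet -Dir in  -Src '203.0.113.5'  -SPort 80    -Dst '192.0.2.10'  -DPort 52000
    New-Packet -Dir in  -Src '198.51.100.7' -SPort 80    -Dst '192.0.2.10'  -DPort 445 -Syn
)

foreach ($p in $traffic) {
    $stateless = Test-PacketFilter   -Packet $p
    $stateful  = Test-StatefulFilter -Packet $p -State $state
    '{0,-3} {1}:{2} -> {3}:{4}   packet filter: {5,-5}   stateful: {6}' -f `
        $p.Dir, $p.Src, $p.SPort, $p.Dst, $p.DPort, $stateless, $stateful
}
# The web reply is admitted by both filters. The attacker's probe is admitted by the
# packet filter (source port 80 looks like a reply) but dropped by the stateful one,
# because no inside host ever opened a connection to 198.51.100.7.
```

The third packet is the whole point: a stateless filter that lets replies in must trust header fields the remote side controls, while the stateful filter trusts only what it saw leave the LAN first. Real firewalls also time entries out of the state table and track UDP and ICMP "connections" the same way; this model leaves that out.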

Friday, October 5, 2012

DCPromo in Active Directory

Every system admin or system engineer knows the tool DCPromo. It is used to install or remove Active Directory on a server, that is, to promote it to a domain controller (DC) or demote it. But over the last 10 years DCPromo has gone through many changes. So today I will describe some more things about DCPromo, including the changes it brought with each new OS.

DCPromo was first introduced in the Windows 2000 beta. Although Microsoft improved it with updates and in each new server OS, it largely remained the same. It has a number of options (some undocumented) that have made DCPromo a valuable tool (in fact, the only tool) for building an AD domain or forest. It is a local program, run from a command prompt on Windows 2000 and 2003 and driven from Server Manager in Windows Server 2008 and later. Beginning with Windows Server 2008, the Active Directory Domain Services role had to be installed before running DCPromo, but DCPromo still had to run to make the server a DC.

One of the tricks DCPromo plays on you is lulling you into a false sense of security. When the installation finishes and the server reboots, you think it is promoted and ready to roll. What is not obvious is what happens after the reboot: the new DC makes outbound connections, AD replication and File Replication Service (FRS) connections are made to complete the initial sync and pull down group policy, and only then are the NETLOGON and SYSVOL shares created.

To determine whether a DC is really a DC, run a net share command from a command line and see whether these two shares show up. If they do not, the initial replication has not completed or has failed. Before the reboot only a single source DC was involved; after it, AD replication forces a sync with the other DCs. In Windows 2000, getting each DC to do a full sync was a serial process. Windows Server 2003 got smarter and synced updates from the other DCs.
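The check described above, as an added example (my own script, not from the original post): it wraps the net share test in a function and, when the shares are missing, runs the standard diagnostics to find out why the initial sync did not finish. Run it in an elevated PowerShell on the new DC; the event log name assumes FRS-based SYSVOL, which is what a 2000/2003-era domain uses.

```powershell
# Added example, not from the original post. SYSVOL and NETLOGON are shared only
# after the first replication of SYSVOL completes, so their absence after the
# reboot means "not a working DC yet". Run elevated on the freshly promoted DC.

function Test-DcSysvolShared {
    # 'net share' is the check the post describes and works on every version from
    # Windows 2000 on (Get-SmbShare exists only from 2012). Each output line starts
    # with the share name, followed by two or more spaces; header and footer lines
    # yield harmless words such as 'Share' and 'The'. -notcontains is case-insensitive.
    $shareNames = net share | ForEach-Object { ($_ -split '\s{2,}')[0] }
    $missing = @('SYSVOL', 'NETLOGON') | Where-Object { $shareNames -notcontains $_ }
    if ($missing) {
        Write-Warning ("Missing share(s): {0}. Initial SYSVOL replication has not completed." -f ($missing -join ', '))
        return $false
    }
    return $true
}

if (-not (Test-DcSysvolShared)) {
    # Why did the sync not finish? Look at AD replication first, then SYSVOL itself.
    repadmin /showrepl                     # inbound partners and last error per naming context
    repadmin /replsummary                  # one-line health summary across all DCs
    dcdiag /test:replications /test:netlogons /test:sysvolcheck   # sysvolcheck exists on 2008 and later
    # FRS errors (13508/13568 are the usual suspects). On a domain that has migrated
    # SYSVOL to DFSR, read the 'DFS Replication' log instead.
    Get-EventLog -LogName 'File Replication Service' -EntryType Error, Warning -Newest 20 |
        Format-Table TimeGenerated, EventID, Message -AutoSize -Wrap
}
```

Do not put the new DC into production (or point clients' DNS at it) until the function returns True; a DC without NETLOGON cannot process logons or serve group policy, so clients that find it in DNS will fail in confusing ways.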

If you wanted to add a DC running a newer Windows version, such as adding a Windows Server 2008 DC to a Windows Server 2003 domain or forest, it was a complicated process that required a few things to happen.

The first was checking the domain and forest functional levels. A Windows Server 2008 DC needs the domain to be at least at the Windows 2000 native level (no NT 4 BDCs left), and Windows Server 2008 R2 and later need at least the Windows Server 2003 level. Raising the levels to Windows Server 2008 was not a prerequisite; it became possible only once every DC in the domain (and then in the forest) ran Windows Server 2008, and the major problem with doing it was that the change was irreversible, so it was normally the last step, not the first.

The second was running ADPrep (adprep /forestprep, then adprep /domainprep in each domain). This required Schema Admins membership because forestprep extends the schema and has to run against the Schema Master. Because of the fear of messing up the schema, this was usually done well before promoting the new DC, and the schema change had to finish replicating to the DC you were promoting against before DCPromo would succeed.

The one missing element was that you had to be at the machine, physically or via remote desktop (DCPromo accepted an answer file for unattended installs, but it still ran locally), and there was no built-in way to promote several servers remotely in one go until Windows Server 2012, which replaced DCPromo with the ADDSDeployment PowerShell module and remote deployment from Server Manager.

Other highlights include:

Forced demotion of a DC in 2003: dcpromo /forceremoval. This was not widely documented, but it is handy for demoting a DC that was not replicating, if it was the only DC with the problem and fixing it would take more than a couple of hours. Afterwards the stale AD objects for that server must be cleaned up with NTDSUtil (metadata cleanup) and the Sites and Services snap-in, and its DNS records removed.

Doing a forceful removal has serious consequences: the server is removed from the domain and put into a workgroup, and any applications that depend on its AD membership break. Use it only if there is no other way to recover.
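The forced-demotion procedure from the two paragraphs above, as an added example (my own commands, not from the original post). The server name, domain and distinguished name are made up. The first step runs on the broken DC; the rest run on a healthy DC as a Domain Admin (Enterprise Admin if the dead DC was in another domain of the forest).

```powershell
# Added example, not from the original post. Names and DNs below are made up.

# 1. On the broken DC: tear AD DS off it without contacting any other DC.
#    Windows 2000 SP4, 2003 and 2008:
dcpromo /forceremoval
#    Windows Server 2012 and later (dcpromo.exe is deprecated there):
Uninstall-ADDSDomainController -ForceRemoval -DemoteOperationMasterRole `
    -LocalAdministratorPassword (Read-Host 'New local Administrator password' -AsSecureString) -Force

# 2. On a healthy DC: remove the dead DC's NTDS Settings and server objects from the
#    directory, otherwise the remaining DCs keep trying to replicate with a ghost.
#    This is the "metadata cleanup" step. On 2008 and later, deleting the computer
#    object in AD Users and Computers does the same thing; ntdsutil works everywhere.
$deadDcDn = 'CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com'
ntdsutil "metadata cleanup" "remove selected server $deadDcDn" quit quit

# 3. If DC2 held any FSMO role, seize it onto this DC (transfer is impossible, DC2 is gone).
netdom query fsmo                                     # shows which DC owns each role
# e.g. for the PDC emulator:
# ntdsutil roles connections "connect to server DC1" quit "seize pdc" quit quit

# 4. Verify nothing still refers to DC2, then delete its A, SRV and NS records in DNS
#    and its server object in Sites and Services if ntdsutil left it behind.
repadmin /showrepl                                    # no partner named DC2 should remain
dsquery server -domain corp.example.com               # DC2 should no longer be listed
```

Never bring the old DC2 back online in the domain after this: it still believes it is a DC with an old copy of the directory, and it must be rebuilt (or at least re-joined from a workgroup) before it is promoted again.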

Install From Media (IFM): first introduced in Windows Server 2003, IFM let a DC be promoted offline from backup media instead of pulling the whole directory over the network. It got around the issue of a global catalog (GC) with a large DIT file having to replicate across the WAN to be rebuilt. I know of a company whose promotions used to take anywhere from three to five days to replicate. When they went to IFM, the time was reduced to less than one hour. IFM was implemented in 2003 with the DCPromo /adv option (Figure 1), which used a system state backup; in 2008 it moved into the NTDSUtil tool, which can create the media from a snapshot without a separate backup tool. IFM is further improved in Windows Server 2012.

Figure 1. IFM was implemented in Windows Server 2003 (the DCPromo /adv option).

Windows Server 2003 tweaked DCPromo to make DNS easier to install, though it did introduce a few problems initially.

Windows Server 2008 made a radical departure in the implementation of AD by turning AD into a restartable service (Figure 2). Beginning with this version the Active Directory Domain Services role had to be installed on a server before running DCPromo. This allowed stopping AD DS for maintenance (an offline defragmentation, for example) without rebooting into the old Directory Services Restore Mode (DSRM).

Figure 2. In Windows Server 2008, AD was moved into a service, which meant AD DS needed to be installed before running DCPromo.

DCPromo also plays a vital role in disaster recovery of a domain or forest. You may think that losing an entire domain or a multiple-domain forest is a remote possibility, but I have seen it happen. Yes, this was new to me too, and I was surprised in the same way you probably are after reading that line.

One of Microsoft's whitepapers on this recommends restoring a domain from backups. You do this by restoring one DC, preferably a DNS server, from media (a system state backup), and then using DCPromo to create replica DCs from it. You will bump up against the performance issue on the wire and slow other operations on the network while the replicas pull the directory, which is another place where IFM helps.

Microsoft also recommends a forest recovery in a similar manner. Its recommendation is to restore one DC from media for each domain, starting with the forest root domain, and to create a replica DC in each domain before restoring another domain.

You can do a disaster recovery of a domain or forest by following the steps in Microsoft’s forest recovery whitepaper.

Hope this post will be useful. Best of luck.