OpenLDAP: importing the certificate and mapping the user's home directory on Red Hat 7

LDAP is a platform-independent protocol. Several common Linux distributions include OpenLDAP Software for LDAP support. The software also runs on BSD-variants, as well as AIX, Android, HP-UX, macOS, Solaris, Microsoft Windows (NT and derivatives, e.g. 2000, XP, Vista, Windows 7, etc.), and z/OS.

We have an OpenLDAP server:

First, check whether the OpenLDAP and NFS packages are installed on the LDAP server:

#rpm -qa | grep openldap

#rpm -qa | grep nfs

Here we created some users with home directories under /home/guests.

Next, go to the client system (a server or a desktop).

Configure a static IP and add the LDAP server's IP address to /etc/hosts.

Ping the LDAP server IP to confirm connectivity.

Install SSSD:

#yum install -y sssd*

The System Security Services Daemon is a software package originally developed for the Linux operating system that provides a set of daemons to manage access to remote directories and authentication mechanisms.

Install authconfig:
The authconfig-tui command is deprecated (TUI stands for Text User Interface), so the remaining options are the system-config-authentication and authconfig commands: one graphical, the other text-based.

#yum install authconfig*

#authconfig-gtk (run from a GNOME terminal)
Note: the text interface is #authconfig-tui

Check the certificate URL entered in the dialog:

Then check /etc/openldap/cacerts/

You should see the downloaded .pem file there.

Restart sssd service

#systemctl restart sssd

Verification:

#getent passwd <username> (here the user is ldapuser0)

or

#id ldapuser0

If the user's ID details are shown, the LDAP certificate is configured successfully.

Otherwise, check whether the certificate URL and the LDAP server URL are correct.

You can also check with ssh to localhost:

Now log in as the user with ssh ldapuser0@localhost or su - ldapuser0

You can log in, but you will get a permission denied error for the home directory. That is fixed with the autofs configuration.
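As an added example (not from the page), here is a shell function that audits the [domain/...] section of an sssd.conf for the settings that decide whether the client actually verifies the directory's certificate (the .pem authconfig placed in /etc/openldap/cacerts) and whether binds are encrypted. The sample config is constructed to resemble what authconfig writes on RHEL 7 with LDAP TLS enabled; the server name is the page's, the search base is an assumption.

```sh
#!/bin/sh
# Audit the LDAP TLS settings in an sssd.conf (added example, not from the page).
# Constructed sample: the shape authconfig produces on RHEL 7 with "Use TLS" ticked.
# classroom.example.com is the server named on the page; dc=example,dc=com is assumed.
SSSD_CONF='[sssd]
domains = default
services = nss, pam

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://classroom.example.com/
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
cache_credentials = True'

# sssd_ldap_tls_audit CONF_TEXT
#   Prints one line per finding and returns the number of findings (0 = nothing to fix).
#   Assumes a single [domain/...] section, which is what authconfig writes.
sssd_ldap_tls_audit() {
    printf '%s\n' "$1" | awk '
        BEGIN { n = 0; indom = 0 }
        /^[[:space:]]*\[domain\//      { indom = 1; next }   # enter the domain section
        /^[[:space:]]*\[/              { indom = 0; next }   # any other section
        !indom || /^[[:space:]]*(#|$)/ { next }              # outside domain, comment, blank
        {
            key = $1; sub(/[[:space:]]*=.*/, "", key)         # "key = value" or "key=value"
            val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
            v[key] = tolower(val)
        }
        END {
            if (v["ldap_uri"] == "") {
                print "no ldap_uri in the domain section"; n++
            } else if (v["ldap_uri"] !~ /^ldaps:\/\// && v["ldap_id_use_start_tls"] != "true") {
                print "ldap:// without ldap_id_use_start_tls = True: simple binds send passwords in clear"; n++
            }
            if (v["ldap_tls_reqcert"] ~ /^(never|allow|try)$/) {
                print "ldap_tls_reqcert = " v["ldap_tls_reqcert"] " accepts an unverified server certificate"; n++
            }
            if (v["ldap_tls_cacertdir"] == "" && v["ldap_tls_cacert"] == "") {
                print "no ldap_tls_cacert/ldap_tls_cacertdir: verification cannot chain to the imported CA .pem"; n++
            }
            exit n
        }'
}

# On a real client: sssd_ldap_tls_audit "$(cat /etc/sssd/sssd.conf)"
if [ "${1-}" = demo ]; then
    sssd_ldap_tls_audit "$SSSD_CONF" && echo "sample config: ok"
fi
```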

Mapping the user's home directory

#yum install -y autofs*

Check the installed package.

Create a map file, e.g. # vi /etc/auto.ami (any name can be used)

and add the line

ldapuser0 -rw classroom.example.com:/home/guests/ldapuser0

Adjust the username and the server name in the entry above to match your environment.

Then save and quit.

Here I wanted the ldapuser0 home directory to be mounted when logging in to the server:

Then add the mount point and the map file into the auto.master file:

#systemctl restart autofs

#su - ldapuser0

To give all other users read and write access by default:

ldapuser0 -fstype=auto classroom.example.com:/home/guests/ldapuser0 (for an individual user)

* -fstype=auto classroom.example.com:/home/guests/& (for all users)

If we add this entry, all users get read and write access, i.e. they won't get the permission denied error.

With only a single user's home directory mounted, this is the output: here the ldapuser1 entry was added, so that user can read and write:

In the example below, all the LDAP users can read and write:

If you get an error like mkdir: warning: cannot create directory 'home/guests': permission denied, then try

authconfig --enablemkhomedir --update

That's it.

Reset Root Passwords on RHEL 7 and CentOS 7 Linux Systems

In the GRUB2 menu:

Press e to edit.

Go to the end of the line beginning with linux16 (after UTF-8) and type rd.break

Then press Ctrl+x

switch_root:/# mount -o remount,rw /sysroot
switch_root:/# chroot /sysroot

sh-4.2# echo "New-root-password" | passwd --stdin root

or
#passwd root
#passwd
sh-4.2# touch /.autorelabel (Note: the spelling of autorelabel is important)

# exit
# exit

Then the system reboots.

Ticketing tools

Many ITIL-based ticketing tools are available on the market. These are among the popular ones:

ServiceNow

Achieve end to end transformation for your IT services and infrastructure through a single cloud based platform. ServiceNow® IT Service Management (ITSM) lets you consolidate fragmented tools and legacy systems while automating service management processes. It’s simple to configure and fast to deploy, so you can go live quickly with confidence, while scaling to your business needs.

IBM SCCD Tool:

SCCD (SmartCloud Control Desk), now IBM Control Desk

Benefits

IBM Control Desk features innovative, industry-leading functionality in many areas, including:

  • A simple, easy-to-use service catalog and self service interface
  • Tools for easily reporting problems and requesting services
  • Applications that enable IT staff to be productive and responsive in prioritizing, tracking, and resolving end-user issues
  • ITIL-aligned change, configuration, release, incident, problem, and asset management
  • Integrated service, asset, and configuration management
  • Built-in integrations with IBM and third-party applications
  • Policy-based automation of job plans, task assignments, notifications, and workflows to reduce labor costs
  • Advanced analytics tools that provide insight into your environment and help you manage change more efficiently

BMC Remedy

People-centric user experiences help you to work smarter

  • Stunning reports and visualizations allow intuitive exploration of data
  • Native mobile apps let you use the full power of Remedy 9 anywhere
  • Embedded ITIL v3 processes, with industry best practice reports and KPIs available out-of-the-box
  • Develop your own apps with Innovation Suite, a rich portfolio of intuitive drag-and-drop designers and tools
  • Multi-Cloud Service Management provides a seamless service experience across multi-cloud environments

MBR (Master Boot Record) and GPT (GUID Partition Table)

Set up a new disk on Windows 8.x or 10 and you’ll be asked whether you want to use MBR or GPT. GPT is the new standard and is gradually replacing MBR.

GPT brings with it many advantages, but MBR is still the most compatible and is still necessary in some cases. This isn’t a Windows-only standard — Mac OS X, Linux, and other operating systems can also use GPT.

What Do GPT and MBR Do?

You have to partition a disk drive before you can use it. MBR (Master Boot Record) and GPT (GUID Partition Table) are two different ways of storing the partitioning information on a drive. This information includes where partitions start and begin, so your operating system knows which sectors belong to each partition and which partition is bootable. This is why you have to choose MBR or GPT before creating partitions on a drive.

MBR’s Limitations

MBR stands for Master Boot Record. It was introduced with IBM PC DOS 2.0 in 1983.

It’s called Master Boot Record because the MBR is a special boot sector located at the beginning of a drive. This sector contains a boot loader for the installed operating system and information about the drive’s logical partitions. The boot loader is a small bit of code that generally loads the larger boot loader from another partition on a drive. If you have Windows installed, the initial bits of the Windows boot loader reside here — that’s why you may have to repair your MBR if it’s overwritten and Windows won’t boot. If you have Linux installed, the GRUB boot loader will typically be located in the MBR.

MBR works with disks up to 2 TB in size, but it can’t handle disks with more than 2 TB of space. MBR also only supports up to four primary partitions — if you want more, you have to make one of your primary partitions an “extended partition” and create logical partitions inside it. This is a silly little hack and shouldn’t be necessary.

MBR became the industry standard everyone used for partitioning and booting from disks. Developers have been piling on hacks like extended partitions ever since.

GPT’s Advantages

GPT stands for GUID Partition Table. It’s a new standard that’s gradually replacing MBR. It’s associated with UEFI — UEFI replaces the clunky old BIOS with something more modern, and GPT replaces the clunky old MBR partitioning system with something more modern. It’s called GUID Partition Table because every partition on your drive has a “globally unique identifier,” or GUID — a random string so long that every GPT partition on earth likely has its own unique identifier.

This system doesn’t have MBR’s limits. Drives can be much, much larger and size limits will depend on the operating system and its file systems. GPT allows for a nearly unlimited amount of partitions, and the limit here will be your operating system — Windows allows up to 128 partitions on a GPT drive, and you don’t have to create an extended partition.

On an MBR disk, the partitioning and boot data is stored in one place. If this data is overwritten or corrupted, you’re in trouble. In contrast, GPT stores multiple copies of this data across the disk, so it’s much more robust and can recover if the data is corrupted. GPT also stores cyclic redundancy check (CRC) values to check that its data is intact — if the data is corrupted, GPT can notice the problem and attempt to recover the damaged data from another location on the disk. MBR had no way of knowing if its data was corrupted — you’d only see there was a problem when the boot process failed or your drive’s partitions vanished.

Compatibility

GPT drives tend to include a “protective MBR.” This type of MBR says that the GPT drive has a single partition that extends across the entire drive. If you try to manage a GPT disk with an old tool that can only read MBRs, it will see a single partition that extends across the entire drive. The MBR ensures the old tools won’t mistake the GPT drive for an unpartitioned drive and overwrite its GPT data with a new MBR. In other words, the protective MBR protects the GPT data from being overwritten.
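To make the protective MBR concrete, here is an added example (not from the article) in POSIX shell: it inspects the three things a partitioning tool looks at, the 55 AA boot signature, the type byte of the first MBR partition entry (0xEE marks a protective MBR) and the "EFI PART" signature of the GPT header in sector 1, and classifies a disk image accordingly. It builds two small constructed images so nothing real is touched.

```sh
#!/bin/sh
# Classify a raw disk image as GPT behind a protective MBR, GPT without one,
# plain MBR, or unpartitioned (added example; works on a file or a block device).
# Byte offsets, assuming 512-byte sectors:
#   450  type byte of MBR partition entry 1 (entry starts at 446, type is byte 4)
#   510  2-byte MBR boot signature, 55 AA
#   512  start of the GPT header in LBA 1, ASCII "EFI PART"
read_hex() {   # read_hex FILE OFFSET COUNT -> lowercase hex, no separators
    od -An -tx1 -j "$2" -N "$3" "$1" 2>/dev/null | tr -d ' \n'
}

disk_label_type() {
    img=$1
    sig=$(read_hex "$img" 510 2)
    ptype=$(read_hex "$img" 450 1)
    gpt=$(read_hex "$img" 512 8)             # "EFI PART" = 45 46 49 20 50 41 52 54
    if [ "$gpt" = "4546492050415254" ]; then
        if [ "$sig" = "55aa" ] && [ "$ptype" = "ee" ]; then
            echo "gpt (protective MBR present)"
        else
            echo "gpt (no protective MBR: MBR-only tools see free space and may overwrite it)"
        fi
    elif [ "$sig" = "55aa" ]; then
        echo mbr
    else
        echo unpartitioned
    fi
}

# make_image FILE gpt|mbr: write a 4-sector constructed image carrying only
# the bytes above (no partition entries beyond the type byte, no GPT entries).
make_image() {
    dd if=/dev/zero of="$1" bs=512 count=4 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null   # 55 AA
    if [ "$2" = gpt ]; then
        printf '\356' | dd of="$1" bs=1 seek=450 conv=notrunc 2>/dev/null   # type 0xEE
        printf 'EFI PART' | dd of="$1" bs=1 seek=512 conv=notrunc 2>/dev/null
    else
        printf '\203' | dd of="$1" bs=1 seek=450 conv=notrunc 2>/dev/null   # type 0x83, Linux
    fi
}

if [ "${1-}" = demo ]; then
    d=${TMPDIR:-/tmp}/label-demo.$$
    make_image "$d.gpt" gpt; make_image "$d.mbr" mbr
    printf 'gpt image: %s\nmbr image: %s\n' "$(disk_label_type "$d.gpt")" "$(disk_label_type "$d.mbr")"
    rm -f "$d.gpt" "$d.mbr"
fi
```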

Windows can only boot from GPT on UEFI-based computers running 64-bit versions of Windows 10, 8.1, 8, 7, Vista, and corresponding server versions. All versions of Windows 10, 8.1, 8, 7, and Vista can read GPT drives and use them for data — they just can’t boot from them without UEFI.

Other modern operating systems can also use GPT. Linux has built-in support for GPT. Apple’s Intel Macs no longer use Apple’s APT (Apple Partition Table) scheme and use GPT instead.

You’ll probably want to use GPT when setting up a drive. It’s a more modern, robust standard that all computers are moving toward. If you need compatibility with old systems — for example, the ability to boot Windows off a drive on a computer with a traditional BIOS — you’ll have to stick with MBR for now.

Active Directory (AD)

Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services.[1][2] Initially, Active Directory was only in charge of centralized domain management. Starting with Windows Server 2008, however, Active Directory became an umbrella title for a broad range of directory-based identity-related services.[3]

A server running Active Directory Domain Services (AD DS) is called a domain controller. It authenticates and authorizes all users and computers in a Windows domain type network—assigning and enforcing security policies for all computers and installing or updating software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or normal user.[4]

Active Directory uses Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft’s version of Kerberos, and DNS.

History

Active Directory, like many information-technology efforts, originated out of a democratization of design using Request for Comments or RFCs. The Internet Engineering Task Force (IETF), which oversees the RFC process, has accepted numerous RFCs initiated by widespread participants. Active Directory incorporates decades of communication technologies into the overarching Active Directory concept and then makes improvements upon them. For example, LDAP underpins Active Directory. X.500 directories and the Organizational Unit also preceded the Active Directory concept, which makes use of those methods. The LDAP concept began to emerge even before the founding of Microsoft in April 1975, with RFCs as early as 1971. RFCs contributing to LDAP include RFC 1823 (on the LDAP API, August 1995),[5] RFC 2307, RFC 3062, and RFC 4533.[6][7][8]

Microsoft previewed Active Directory in 1999, released it first with Windows 2000 Server edition, and revised it to extend functionality and improve administration in Windows Server 2003. Additional improvements came with subsequent versions of Windows Server. In Windows Server 2008, additional services were added to Active Directory, such as Active Directory Federation Services.[9] The part of the directory in charge of management of domains, which was previously a core part of the operating system,[9] was renamed Active Directory Domain Services (ADDS) and became a server role like others.[3] “Active Directory” became the umbrella title of a broader range of directory-based services.[10] According to Bryon Hynes, everything related to identity was brought under Active Directory’s banner.[3]

Active Directory Services

Active Directory Services consist of multiple directory services. The best known is Active Directory Domain Services, commonly abbreviated as AD DS or simply AD.[11]

Domain Services

Active Directory Domain Services (AD DS) is the cornerstone of every Windows domain network. It stores information about members of the domain, including devices and users, verifies their credentials and defines their access rights. The server (or the cluster of servers) running this service is called a domain controller. A domain controller is contacted when a user logs into a device, accesses another device across the network, or runs a line-of-business Metro-style app sideloaded into a device.

Other Active Directory services (excluding LDS, as described below) as well as most of Microsoft server technologies rely on or use Domain Services; examples include Group Policy, Encrypting File System, BitLocker, Domain Name Services, Remote Desktop Services, Exchange Server and SharePoint Server.

Lightweight Directory Services

Active Directory Lightweight Directory Services (AD LDS), formerly known as Active Directory Application Mode (ADAM),[12] is a light-weight implementation of AD DS.[13] AD LDS runs as a service on Windows Server. AD LDS shares the code base with AD DS and provides the same functionality, including an identical API, but does not require the creation of domains or domain controllers. It provides a Data Store for storage of directory data and a Directory Service with an LDAP Directory Service Interface. Unlike AD DS, however, multiple AD LDS instances can run on the same server.

Certificate Services

Active Directory Certificate Services (AD CS) establishes an on-premises public key infrastructure. It can create, validate and revoke public key certificates for internal uses of an organization. These certificates can be used to encrypt files (when used with Encrypting File System), emails (per S/MIME standard), network traffic (when used by virtual private networks, Transport Layer Security protocol or IPSec protocol).

AD CS predates Windows Server 2008, but its name was simply Certificate Services.[14]

AD CS requires an AD DS infrastructure.[15]

Federation Services

Active Directory Federation Services (AD FS) is a single sign-on service. With an AD FS infrastructure in place, users may use several web-based services (e.g. internet forum, blog, online shopping, webmail) or network resources using only one set of credentials stored at a central location, as opposed to having to be granted a dedicated set of credentials for each service. AD FS’s purpose is an extension of that of AD DS: the latter enables users to authenticate with and use the devices that are part of the same network, using one set of credentials; the former enables them to use this same set in a different network.

As the name suggests, AD FS works based on the concept of federated identity.

AD FS requires an AD DS infrastructure, although its federation partner may not.[16]

Rights Management Services

Active Directory Rights Management Services (AD RMS, known as Rights Management Services or RMS before Windows Server 2008) is a server software for information rights management shipped with Windows Server. It uses encryption and a form of selective functionality denial for limiting access to documents such as corporate e-mails, Microsoft Word documents, and web pages, and the operations authorized users can perform on them.

Logical structure

As a directory service, an Active Directory instance consists of a database and corresponding executable code responsible for servicing requests and maintaining the database. The executable part, known as Directory System Agent, is a collection of Windows services and processes that run on Windows 2000 and later.[1] Objects in Active Directory databases can be accessed via LDAP, ADSI (a component object model interface), messaging API and Security Accounts Manager services.[2]

Objects

A simplified example of a publishing company’s internal network. The company has four groups with varying permissions to the three shared folders on the network.

Active Directory structures are arrangements of information about objects. The objects fall into two broad categories: resources (e.g., printers) and security principals (user or computer accounts and groups). Security principals are assigned unique security identifiers (SIDs).

Each object represents a single entity—whether a user, a computer, a printer, or a group—and its attributes. Certain objects can contain other objects. An object is uniquely identified by its name and has a set of attributes—the characteristics and information that the object represents— defined by a schema, which also determines the kinds of objects that can be stored in Active Directory.

The schema object lets administrators extend or modify the schema when necessary. However, because each schema object is integral to the definition of Active Directory objects, deactivating or changing these objects can fundamentally change or disrupt a deployment. Schema changes automatically propagate throughout the system. Once created, an object can only be deactivated—not deleted. Changing the schema usually requires planning.[17]

Forests, trees, and domains

The Active Directory framework that holds the objects can be viewed at a number of levels. The forest, tree, and domain are the logical divisions in an Active Directory network.

Within a deployment, objects are grouped into domains. The objects for a single domain are stored in a single database (which can be replicated). Domains are identified by their DNS name structure, the namespace.

A domain is defined as a logical group of network objects (computers, users, devices) that share the same Active Directory database.

A tree is a collection of one or more domains and domain trees in a contiguous namespace, linked in a transitive trust hierarchy.

At the top of the structure is the forest. A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration. The forest represents the security boundary within which users, computers, groups, and other objects are accessible.

Domain-Boston
Domain-New York
Domain-Philly
Tree-Southern
    Domain-Atlanta
    Domain-Dallas
        OU-Marketing
            Hewitt
            Aon
            Steve
        OU-Sales
            Bill
            Ralph
Example of the geographical organizing of zones of interest within trees and domains.

Organizational units

The objects held within a domain can be grouped into Organizational Units (OUs).[18] OUs can provide hierarchy to a domain, ease its administration, and can resemble the organization’s structure in managerial or geographical terms. OUs can contain other OUs—domains are containers in this sense. Microsoft recommends using OUs rather than domains for structure and to simplify the implementation of policies and administration. The OU is the recommended level at which to apply group policies, which are Active Directory objects formally named Group Policy Objects (GPOs), although policies can also be applied to domains or sites (see below). The OU is the level at which administrative powers are commonly delegated, but delegation can be performed on individual objects or attributes as well.

Organizational units do not each have a separate namespace; e.g. user accounts with an identical username (sAMAccountName) in separate OUs within a domain are not allowed, such as “fred.staff-ou.domain” and “fred.student-ou.domain”, where “staff-ou” and “student-ou” are the OUs. This is because sAMAccountName, a user object attribute, must be unique within the domain.[19] However, two users in different OUs can have the same Common Name (CN), the name under which they are stored in the directory itself.

In general the reason for this lack of allowance for duplicate names through hierarchical directory placement, is that Microsoft primarily relies on the principles of NetBIOS, which is a flat-file method of network object management that for Microsoft software, goes all the way back to Windows NT 3.1 and MS-DOS LAN Manager. Allowing for duplication of object names in the directory, or completely removing the use of NetBIOS names, would prevent backward compatibility with legacy software and equipment. However, disallowing duplicate object names in this way is a violation of the LDAP RFCs on which Active Directory is supposedly based.

As the number of users in a domain increases, conventions such as “first initial, middle initial, last name” (Western order) or the reverse (Eastern order) fail for common family names like Li (李), Smith or Garcia. Workarounds include adding a digit to the end of the username. Alternatives include creating a separate ID system of unique employee/student id numbers to use as account names in place of actual user’s names, and allowing users to nominate their preferred word sequence within an acceptable use policy.

Because duplicate usernames cannot exist within a domain, account name generation poses a significant challenge for large organizations that cannot be easily subdivided into separate domains, such as students in a public school system or university who must be able to use any computer across the network.

Shadow groups

In Active Directory, organizational units cannot be assigned as owners or trustees. Only groups are selectable, and members of OUs cannot be collectively assigned rights to directory objects.

In Microsoft’s Active Directory, OUs do not confer access permissions, and objects placed within OUs are not automatically assigned access privileges based on their containing OU. This is a design limitation specific to Active Directory. Other competing directories such as Novell NDS are able to assign access privileges through object placement within an OU.

Active Directory requires a separate step for an administrator to assign an object in an OU as a member of a group also within that OU. Relying on OU location alone to determine access permissions is unreliable, because the object may not have been assigned to the group object for that OU.

A common workaround for an Active Directory administrator is to write a custom PowerShell or Visual Basic script to automatically create and maintain a user group for each OU in their directory. The scripts are run periodically to update the group to match the OU’s account membership, but are unable to instantly update the security groups anytime the directory changes, as occurs in competing directories where security is directly implemented into the directory itself. Such groups are known as Shadow Groups. Once created, these shadow groups are selectable in place of the OU in the administrative tools.

Microsoft refers to shadow groups in the Server 2008 Reference documentation, but does not explain how to create them. There are no built-in server methods or console snap-ins for managing shadow groups.[20]

The division of an organization’s information infrastructure into a hierarchy of one or more domains and top-level OUs is a key decision. Common models are by business unit, by geographical location, by IT Service, or by object type and hybrids of these. OUs should be structured primarily to facilitate administrative delegation, and secondarily, to facilitate group policy application. Although OUs form an administrative boundary, the only true security boundary is the forest itself and an administrator of any domain in the forest must be trusted across all domains in the forest.[21]

Partitions

The Active Directory database is organized in partitions, each holding specific object types and following a specific replication pattern. Microsoft often refers to these partitions as ‘naming contexts’.[22] The ‘Schema’ partition contains the definition of object classes and attributes within the Forest. The ‘Configuration’ partition contains information on the physical structure and configuration of the forest (such as the site topology). Both replicate to all domains in the Forest. The ‘Domain’ partition holds all objects created in that domain and replicates only within its domain.

Physical structure

Sites are physical (rather than logical) groupings defined by one or more IP subnets.[23] AD also holds the definitions of connections, distinguishing low-speed (e.g., WAN, VPN) from high-speed (e.g., LAN) links. Site definitions are independent of the domain and OU structure and are common across the forest. Sites are used to control network traffic generated by replication and also to refer clients to the nearest domain controllers (DCs). Microsoft Exchange Server 2007 uses the site topology for mail routing. Policies can also be defined at the site level.

Physically, the Active Directory information is held on one or more peer domain controllers, replacing the NT PDC/BDC model. Each DC has a copy of the Active Directory. Servers joined to Active Directory that are not domain controllers are called Member Servers.[24] A subset of objects in the domain partition replicate to domain controllers that are configured as global catalogs. Global catalog (GC) servers provide a global listing of all objects in the Forest.[25][26] Global Catalog servers replicate to themselves all objects from all domains and hence, provide a global listing of objects in the forest. However, to minimize replication traffic and keep the GC’s database small, only selected attributes of each object are replicated. This is called the partial attribute set (PAS). The PAS can be modified by modifying the schema and marking attributes for replication to the GC.[27] Earlier versions of Windows used NetBIOS to communicate. Active Directory is fully integrated with DNS and requires TCP/IP—DNS. To be fully functional, the DNS server must support SRV resource records, also known as service records.

Replication

Active Directory synchronizes changes using multi-master replication.[28] Replication by default is ‘pull’ rather than ‘push’, meaning that replicas pull changes from the server where the change was effected.[29] The Knowledge Consistency Checker (KCC) creates a replication topology of site links using the defined sites to manage traffic. Intrasite replication is frequent and automatic as a result of change notification, which triggers peers to begin a pull replication cycle. Intersite replication intervals are typically less frequent and do not use change notification by default, although this is configurable and can be made identical to intrasite replication.

Each link can have a ‘cost’ (e.g., DS3, T1, ISDN etc.) and the KCC alters the site link topology accordingly. Replication may occur transitively through several site links on same-protocol site link bridges, if the cost is low, although the KCC automatically costs a direct site-to-site link lower than transitive connections. Site-to-site replication can be configured to occur between a bridgehead server in each site, which then replicates the changes to other DCs within the site. Replication for Active Directory-integrated DNS zones is automatically configured when DNS is activated in the domain, based on site.

Replication of Active Directory uses Remote Procedure Calls (RPC) over IP (RPC/IP). Between sites, SMTP can be used for replication, but only for changes in the Schema, Configuration, or Partial Attribute Set (global catalog) partitions. SMTP cannot be used for replicating the default Domain partition.[30]

Implementation

In general, a network utilizing Active Directory has more than one licensed Windows server computer. Backup and restore of Active Directory is possible for a network with a single domain controller,[31] but Microsoft recommends more than one domain controller to provide automatic failover protection of the directory.[32] Domain controllers are also ideally single-purpose for directory operations only, and should not run any other software or role.[33]

Certain Microsoft products such as SQL Server[34][35] and Exchange[36] can interfere with the operation of a domain controller, necessitating isolation of these products on additional Windows servers. Combining them can make configuration or troubleshooting of either the domain controller or the other installed software more difficult.[37] A business intending to implement Active Directory is therefore recommended to purchase a number of Windows server licenses, to provide for at least two separate domain controllers, and optionally, additional domain controllers for performance or redundancy, a separate file server, a separate Exchange server, a separate SQL Server,[38] and so forth to support the various server roles.

Physical hardware costs for the many separate servers can be reduced through the use of virtualization, although for proper failover protection, Microsoft recommends not running multiple virtualized domain controllers on the same physical hardware.[39]

Database

The Active-Directory database, the directory store, in Windows 2000 Server uses the JET Blue-based Extensible Storage Engine (ESE98) and is limited to 16 terabytes and 2 billion objects (but only 1 billion security principals) in each domain controller’s database. Microsoft has created NTDS databases with more than 2 billion objects.[40] (NT4’s Security Account Manager could support no more than 40,000 objects). Called NTDS.DIT, it has two main tables: the data table and the link table. Windows Server 2003 added a third main table for security descriptor single instancing.[40]

Programs may access the features of Active Directory[41] via the COM interfaces provided by Active Directory Service Interfaces.[42]

Single server operations

Flexible Single Master Operations Roles (FSMO, pronounced “fizz-mo”) operations are also known as operations master roles. Although domain controllers allow simultaneous updates in multiple places, certain operations are supported only on a single server. These operations are performed using the roles listed below:

Schema Master (1 per forest): Schema modifications.
Domain Naming Master (1 per forest): Addition and removal of domains, if present in the root domain.
PDC Emulator (1 per domain): Provides backwards compatibility for NT4 clients for PDC operations (such as password changes). The PDC runs domain-specific processes such as the Security Descriptor Propagator (SDP) and is the master time server within the domain. It also handles external trusts and the DFS consistency check, holds current passwords and manages all GPOs as the default server.
RID Master (1 per domain): Allocates pools of unique identifiers to domain controllers for use when creating objects.
Infrastructure Master (1 per domain/partition): Synchronizes cross-domain group membership changes. The infrastructure master should not be run on a global catalog server (GCS) unless all DCs are also GCs, or the environment consists of a single domain.
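An added example that is not part of the original text: a POSIX shell script using the OpenLDAP ldapsearch client to read the fSMORoleOwner attribute from the object that anchors each of the five roles, which is how you find out which DC actually holds a role. The domain name (example.com), the DC host, and the bind account (BIND_DN and BIND_PW_FILE environment variables) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original text. Each FSMO role is recorded
# in the fSMORoleOwner attribute of one well-known object; reading those five
# objects tells you which DC holds which role. The domain name, DC host and
# bind account (BIND_DN, BIND_PW_FILE) are assumptions for your environment.
set -eu

# Turn a DNS domain name into its naming-context DN: example.com -> DC=example,DC=com
domain_base_dn() {
    printf '%s' "$1" | sed 's/\./,DC=/g; s/^/DC=/'
}

# DN of the object whose fSMORoleOwner names the holder of role $1.
# $2 is the domain DN for the per-domain roles; for the two per-forest roles
# pass the forest root domain's DN, since CN=Configuration lives there.
fsmo_role_dn() {
    case "$1" in
        schema)         printf 'CN=Schema,CN=Configuration,%s\n' "$2" ;;
        domain-naming)  printf 'CN=Partitions,CN=Configuration,%s\n' "$2" ;;
        pdc)            printf '%s\n' "$2" ;;
        rid)            printf 'CN=RID Manager$,CN=System,%s\n' "$2" ;;
        infrastructure) printf 'CN=Infrastructure,%s\n' "$2" ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# fSMORoleOwner is the DN of the owner's NTDS Settings object; the DC's
# name is the CN directly above it.
owner_dn_to_dc() {
    printf '%s' "$1" | sed -n 's/^CN=NTDS Settings,CN=\([^,]*\),.*/\1/p'
}

# Read one role from a DC over LDAPS. -o ldif-wrap=no stops ldapsearch
# folding the long DN across lines; -y reads the password from a file so it
# is not visible in the process list.
query_fsmo() {
    base=$(domain_base_dn "$2")
    owner=$(ldapsearch -LLL -o ldif-wrap=no -H "ldaps://$3" -D "$BIND_DN" \
                -y "$BIND_PW_FILE" -b "$(fsmo_role_dn "$1" "$base")" -s base \
                fSMORoleOwner | sed -n 's/^fSMORoleOwner: //p')
    printf '%-15s %s\n' "$1" "$(owner_dn_to_dc "$owner")"
}

# Usage: sh fsmo.sh --query example.com dc01.example.com
if [ "${1:-}" = "--query" ]; then
    for role in schema domain-naming pdc rid infrastructure; do
        query_fsmo "$role" "$2" "$3"
    done
fi
```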

Trusting

To allow users in one domain to access resources in another, Active Directory uses trusts.[43]

Trusts inside a forest are automatically created when domains are created. The forest sets the default boundaries of trust, and implicit, transitive trust is automatic for all domains within a forest.

Terminology

One-way trust
One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.
Two-way trust
Two domains allow access to users on both domains.
Trusted domain
The domain that is trusted; whose users have access to the trusting domain.
Transitive trust
A trust that can extend beyond two domains to other trusted domains in the forest.
Intransitive trust
A one-way trust that does not extend beyond two domains.
Explicit trust
A trust that an admin creates. It is not transitive and is one way only.
Cross-link trust
An explicit trust between domains in different trees or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.
Shortcut
Joins two domains in different trees, transitive, one- or two-way.
Forest trust
Applies to the entire forest. Transitive, one- or two-way.
Realm
Can be transitive or nontransitive (intransitive), one- or two-way.
External
Connects to other forests or non-AD domains. Nontransitive, one- or two-way.[44]

Forest trusts

Windows Server 2003 introduced the forest root trust. This trust can be used to connect Windows Server 2003 forests if they are operating at the 2003 forest functional level. Authentication across this type of trust is Kerberos-based (as opposed to NTLM).

Forest trusts are transitive for all the domains within the trusted forests. However, forest trusts are not transitive between forests.

Example: Suppose that a two-way transitive forest trust exists between the forest root domains in Forest A and Forest B, and another two-way transitive forest trust exists between the forest root domains in Forest B and Forest C. Such a configuration lets users in Forest B access resources in any domain in either Forest A or Forest C, and users in Forest A or C can access resources in any domain in Forest B. However, it does not let users in Forest A access resources in Forest C, or vice versa. To let users in Forest A and Forest C share resources, a two-way transitive trust must exist between both forests.

Management solutions

Microsoft Active Directory management tools include:

  • Active Directory Users and Computers
  • Active Directory Domains and Trusts
  • Active Directory Sites and Services
  • ADSI Edit
  • Local Users and Groups
  • Active Directory Schema snap-ins for Microsoft Management Console (MMC)

These management tools may not provide enough functionality for an efficient workflow in large environments. Some third-party solutions extend the administration and management capabilities, providing features for more convenient administration such as automation, reporting, integration with other services, etc.

Dynamic DNS (DDNS or DynDNS)

Dynamic DNS (DDNS or DynDNS) is a method of automatically updating a name server in the Domain Name System (DNS), often in real time, with the active DDNS configuration of its configured hostnames, addresses or other information.

Create an account at

http://www.noip.com/

After that, go to your router (here a TP-Link):

noip

You can see that the connection status shows success.

We have to enable port forwarding for RDP.

Then go to Run, type mstsc, and enter the domain name, username and password.

It's ready.

Setup SVN server on Ubuntu 14.04

SVN (Subversion) is an open-source version control system. It is used to store the previous changes of your project files, such as documentation and code, and you can track and identify who made a particular change to the project files. In this article we will see how to set up an SVN server on Ubuntu 14.04.

Setup SVN server on ubuntu 14.04

Let’s start the installation.
Step 1 » Issue the below command to update the repositories.
sudo apt-get update
Step 2 » After updating the repositories, issue the below command to install SVN and the Apache web server (to access SVN through HTTP).
sudo apt-get install subversion apache2 libapache2-svn apache2-utils
Step 3 » Now create a directory and create a new repository in that directory (here I’m using testrepo as the repository name).
sudo mkdir -p /svn/repos/
sudo svnadmin create /svn/repos/testrepo

Step 4 » Now change the ownership of the repository so that Apache can write to it.
sudo chown -R www-data:www-data /svn/repos/testrepo
Step 5 » Create a file testrepo.conf in /etc/apache2/sites-available/ containing the Apache virtual host configuration. Two directives in it must match your setup:

SVNParentPath /svn/repos/ : the parent directory, without the repository name.
AuthUserFile /etc/svnpasswd : the file (created in Step 8) that holds the user details.

Step 6 » Issue the below command to enable the site (testrepo in the command must match the file name created in the previous step).
sudo a2ensite testrepo
Step 7 » Now restart or reload the Apache service.
sudo service apache2 reload
Step 8 » Issue the command to create a user for accessing the repository and add the user details to the /etc/svnpasswd file.
Use this command to create the first user.
sudo htpasswd -cm /etc/svnpasswd user1
Use the same command without the c option to create additional users.
sudo htpasswd -m /etc/svnpasswd ami
Step 9 » Now you can access http://yourip/svn/testrepo in your browser (e.g. http://192.168.1.7/svn/testrepo). Enter your username and password:
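Step 5 refers to the virtual host lines without listing them. The following is an added example, not from the original article: a POSIX shell script that generates a standard mod_dav_svn <Location> block using the two paths the article names and, when run with --install as root, writes it to testrepo.conf and enables the Apache modules it depends on. The /svn prefix (implied by the Step 9 URL) and the AuthName text are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Generates the mod_dav_svn
# <Location> block that Step 5 needs, using the two paths the article names;
# the /svn prefix (which the Step 9 URL implies) and the AuthName text are
# assumptions. Run with --install as root to write and activate it.
set -eu

SVN_PARENT="/svn/repos/"      # SVNParentPath: parent directory without repo name
SVN_PASSWD="/etc/svnpasswd"   # AuthUserFile: created by htpasswd in Step 8
SITE_CONF="/etc/apache2/sites-available/testrepo.conf"

# Print the virtual-host fragment. $1 = SVNParentPath, $2 = AuthUserFile.
svn_vhost_conf() {
    cat <<EOF
<Location /svn>
    DAV svn
    SVNParentPath $1
    # Basic auth only base64-encodes the password; put TLS in front of
    # this (or keep it LAN-only) so the htpasswd credentials are not
    # readable on the wire.
    AuthType Basic
    AuthName "Subversion Repository"
    AuthUserFile $2
    Require valid-user
</Location>
EOF
}

# Check that the fragment still carries every directive the setup depends
# on; without "Require valid-user" Apache would serve /svn to anyone.
conf_has_required_directives() {
    printf '%s\n' "$1" | grep -q '^ *DAV svn$' &&
    printf '%s\n' "$1" | grep -q '^ *SVNParentPath ' &&
    printf '%s\n' "$1" | grep -q '^ *AuthUserFile ' &&
    printf '%s\n' "$1" | grep -q '^ *Require valid-user$'
}

if [ "${1:-}" = "--install" ]; then
    conf=$(svn_vhost_conf "$SVN_PARENT" "$SVN_PASSWD")
    conf_has_required_directives "$conf" || { echo "incomplete config" >&2; exit 1; }
    printf '%s\n' "$conf" > "$SITE_CONF"
    a2enmod dav dav_svn authz_svn   # modules the DAV svn directive relies on
    a2ensite testrepo               # Step 6
    apachectl configtest && service apache2 reload   # Step 7
fi
```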

svn

You can see a page like the one below after successful authentication.

svn login

That’s it, your server is ready.
You can use SVN clients such as TortoiseSVN on Windows and RapidSVN on Ubuntu for committing to and updating the repository.

For Windows

Here I am using TortoiseSVN, so my client is Windows.

First we need to install TortoiseSVN.

After that, click All Programs > TortoiseSVN > Repository Browser to open it.

Enter your URL; in my case http://192.168.1.7/svn/testrepo/

It will ask for your username and password, see below:

resp browser

This HTML file, ami.html, was created from Windows through the pop-up menu’s Add file option:

2

User info:

3

Now check with your URL: you can see revision 3, since I made three changes.

4

We can go back to revision 1 or 2 later if something in the code turned out to be wrong.

What is HDR in new smartphones?

High-dynamic-range imaging (HDRI or HDR) is a technique used in imaging and photography to reproduce a greater dynamic range of luminosity than is possible with standard digital imaging or photographic techniques. The aim is to present the human eye with a similar range of luminance as that which, through the visual system, is familiar in everyday life. The human eye, through adaptation of the iris (and other methods) adjusts constantly to the broad dynamic changes ubiquitous in our environment. The brain continuously interprets this information so that most of us can see in a wide range of light conditions. Most cameras, on the other hand, cannot.

When You Shouldn’t Use HDR

Of course, as you’ve discovered, sometimes HDR actually makes your pictures look worse. Here are some situations in which HDR is better off ignored:

  • Photos with Movement (see above): If any of your subjects are moving (or might move), HDR increases the chance of a blurry photo. Remember, HDR takes three pictures, so if your subject moves between the first and second shot, your final picture won’t look very good.
  • High-Contrast Scenes: Some photos look better with stark contrast between the dark and light parts of the photo, like if you have a dark shadow or silhouette you want to highlight. HDR will make this less intense, resulting in a less interesting photo.
  • Vivid Colors: If your scene is too dark or too light, HDR can bring some of the color back. However, if you’re dealing with colors that are already very vivid, HDR can wash them out.

An HDR Image :

IMG_20160102_114630_HDR

When do we use HDR?
HDR can be used to take better photos under certain circumstances:

  • Landscape photos: In a large open area, the land and the sky display great contrast, so if your camera takes only one shot it is hard for the camera to handle this kind of difference. With HDR, you can capture the details in the sky while keeping the exposure of the ground from being too dark, and the same goes for shots that capture details on the ground.
  • Portraits under bright lighting: We all know that good lighting is crucial for a great photo, but too much light on your subject can produce shadows, glare and other unwanted artifacts. HDR can remove these artifacts and make your subject look better.
  • Poorly lit or backlit scenes: If your photo comes out a little dark (which usually happens when the background is bright), HDR mode can bring out the details in the foreground without sacrificing the details and lighting in the background.

When not to use HDR?
HDR is, of course, not omnipotent. It will be a nuisance in certain situations, for example:

  • Shooting moving subjects: If you’re capturing images of a moving object (or one bound to move), activating HDR will blur the end product. As HDR relies on three shots, motion between the first, second or third shot will ruin the desired effect.
  • High-contrast scenes: For certain scenes where the contrast is just right, activating HDR will decrease the contrast and render the image bland.
  • Brightly coloured scenes: For certain scenes where the colours are bright and lively, activating HDR will make the colours turn dull and unattractive.

Types of RAM

The following are some common types of RAM:

  • SRAM: Static random access memory uses multiple transistors, typically four to six, for each memory cell but doesn’t have a capacitor in each cell. It is used primarily for cache.
  • DRAM: Dynamic random access memory has memory cells with a paired transistor and capacitor requiring constant refreshing.
  • FPM DRAM: Fast page mode dynamic random access memory was the original form of DRAM. It waits through the entire process of locating a bit of data by column and row and then reading the bit before it starts on the next bit. Maximum transfer rate to L2 cache is approximately 176 MBps.
  • EDO DRAM: Extended data-out dynamic random access memory does not wait for all of the processing of the first bit before continuing to the next one. As soon as the address of the first bit is located, EDO DRAM begins looking for the next bit. It is about five percent faster than FPM. Maximum transfer rate to L2 cache is approximately 264 MBps.
  • SDRAM: Synchronous dynamic random access memory takes advantage of the burst mode concept to greatly improve performance. It does this by staying on the row containing the requested bit and moving rapidly through the columns, reading each bit as it goes. The idea is that most of the time the data needed by the CPU will be in sequence. SDRAM is about five percent faster than EDO RAM and is the most common form in desktops today. Maximum transfer rate to L2 cache is approximately 528 MBps.
  • DDR SDRAM: Double data rate synchronous dynamic RAM is just like SDRAM except that it has higher bandwidth, meaning greater speed. Maximum transfer rate to L2 cache is approximately 1,064 MBps (for DDR SDRAM at 133 MHz).
  • RDRAM: Rambus dynamic random access memory is a radical departure from the previous DRAM architecture. Designed by Rambus, RDRAM uses a Rambus in-line memory module (RIMM), which is similar in size and pin configuration to a standard DIMM. What makes RDRAM so different is its use of a special high-speed data bus called the Rambus channel. RDRAM memory chips work in parallel to achieve a data rate of 800 MHz, or 1,600 MBps. Since they operate at such high speeds, they generate much more heat than other types of chips. To help dissipate the excess heat Rambus chips are fitted with a heat spreader, which looks like a long thin wafer. Just like there are smaller versions of DIMMs, there are also SO-RIMMs, designed for notebook computers.
  • Credit Card Memory: Credit card memory is a proprietary self-contained DRAM memory module that plugs into a special slot for use in notebook computers.
  • PCMCIA Memory Card: Another self-contained DRAM module for notebooks, cards of this type are not proprietary and should work with any notebook computer whose system bus matches the memory card’s configuration.
  • CMOS RAM: CMOS RAM is a term for the small amount of memory used by your computer and some other devices to remember things like hard disk settings. This memory uses a small battery to provide the power it needs to maintain its contents.
  • VRAM: VideoRAM, also known as multiport dynamic random access memory (MPDRAM), is a type of RAM used specifically for video adapters or 3-D accelerators. The “multiport” part comes from the fact that VRAM normally has two independent access ports instead of one, allowing the CPU and graphics processor to access the RAM simultaneously. VRAM is located on the graphics card and comes in a variety of formats, many of which are proprietary. The amount of VRAM is a determining factor in the resolution and color depth of the display. VRAM is also used to hold graphics-specific information such as 3-D geometry data and texture maps. True multiport VRAM tends to be expensive, so today, many graphics cards use SGRAM (synchronous graphics RAM) instead. Performance is nearly the same, but SGRAM is cheaper.

Hard Disk Interface(s)

There are a few interfaces through which a hard disk can connect to a computer:

There are variants of each interface, and this article will not do justice to the different types of ATA, SATA and SCSI interfaces. Thus, it will only highlight the more common interfaces as used by the home user.

ATA (IDE, ATAPI, PATA)

PATA hard disk (image showing the data cable and power connector)

ATA is a common interface used in many personal computers before the emergence of SATA. It is the least expensive of the interfaces.

Disadvantages

  • Older ATA adapters will limit transfer rates according to the slower attached device (debatable)
  • Only ONE device on the ATA cable is able to read/write at one time
  • Limited standard for cable length (up to 18 inches/46 cm)

Advantages

  • Low costs
  • Large capacity

SATA

SATA hard disk (image showing the power connector and data cable)

SATA is basically an advancement of ATA.

Disadvantages

  • Slower transfer rates compared to SCSI
  • Not supported in older systems without the use of additional components

Advantages

  • Low costs
  • Large capacity
  • Faster transfer rates compared to ATA (difference is marginal at times though)
  • Smaller cables for better heat dissipation

SCSI (Small Computer System Interface)

SCSI hard disk (image showing the cable)

SCSI is commonly used in servers, and more in industrial applications than for home use.

Disadvantages

  • Costs
  • Not widely supported
  • Many, many different kinds of SCSI interfaces
  • SCSI drives have a higher RPM, creating more noise and heat

Advantages

  • Faster
  • Wide range of applications
  • Better scalability and flexibility in Arrays (RAID)
  • Backward compatible with older SCSI devices
  • Better for storing and moving large amounts of data
  • Tailor made for 24/7 operations
  • Reliability

SSD (Solid State Drive)

An SSD is a solid-state storage device that uses integrated circuit assemblies as memory to store data persistently. SSD technology primarily uses electronic interfaces compatible with traditional block input/output (I/O) hard disk drives, which permits simple replacement in common applications.