Colin’s IT, Security and Working Life blog

June 28, 2010

Getting IT experience – self-taught exercises

Filed under: Uncategorized — chaplic @ 11:47 am

I often get asked “how do I get into IT” or “what’s the best route”. Here’s some advice along these lines, but different from the usual guidance on certs and training.

Below are a series of suggested tasks to get you up-and-running in the IT infrastructure world. Intentionally I’ve not explained every step in great detail, nor included everything you have to do. Nor will performing these tasks make you an expert in these technologies. In fact, one of the goals of the exercise is to get you comfortable and familiar with new technology, googling for information, and doing some “try and see” in a safe environment.

1. Build yourself a PC
In years gone by, building a PC from components was a good way to get a cheap PC. These days, less so. However, we have particular needs from this PC, and the actual building and fault-finding process will help us along the path. Exact spec is up to you, but we need:
• As much RAM as possible (suggest 8GB)
• Processor capable of 64 bit OS and virtualisation
• DVD Drive
Otherwise, it needn’t be the highest spec. You should check all drivers are available in 64 bit versions; happily, it’s very unusual these days for this not to be the case.

2. Microsoft Technet Direct
A Microsoft Technet Direct subscription is something every Windows techie should have. For just over a hundred pounds a year, it gives you full access to all Microsoft business software, and is great for testing and evaluating – just as we’re doing here. So get yourself a subscription and make the first thing you download Windows 2008 R2 as we’re going to build a ..

3. Virtual environment
Now we’ve got a shiny new PC, let’s start to do something with it. Burn your Windows 2008 R2 to a DVD and pop it in your machine. Build the OS as you see fit, and have the Hyper-V role installed. We’re going to use that as our virtualisation software. Other than basic software you need to manage the server (I’d also suggest 7-zip is a good tool), you shouldn’t modify the base server. That’s what VMs are for!
First things first, let’s build a basic server image VM. Fire up the Hyper-V console and configure it with settings you think make sense. Copy the Windows 2008 R2 ISO file to the machine and mount that. Turn on your virtual machine and install Windows 2008 R2. When it has finished building, ensure you install the Hyper-V tools.
Close the virtual machine down, and take a copy of the VHD. We’ll use that as a “gold” image to build other Hyper-V machines.

4. Build an Active Directory
Our first server is going to be an Active Directory server – this is used by almost all other windows server system components so makes sense to build first. Copy the Gold VM VHD and configure a new VM – I’d give it say 4GB of RAM whilst we’re using the machine and when it’s just running in a steady state reduce the amount of RAM.
Use the NEWSID tool to ensure the machine has a unique identifier.
Installing Active Directory will also install DNS – set up forwarding so that it forwards to your ISP’s DNS servers.
Decide on the structure of your OUs, where you will put users, computers and servers.
Create some users and groups called:
• Admins
• Managers
• Staff

5. Install WSUS

This might be a learning environment, but we want to follow best practice! So download WSUS from Microsoft. I’ll leave it for you to decide if you want to install it on the Active Directory Server, or build a new server to host it.
The next thing to do is to build a GPO to ensure all machines refer to the local WSUS server for updates. Decide on your update strategy both in terms of WSUS approvals and application of patches. I’d be inclined to have automated approvals and install as much as possible as this is only a trial environment.

6. PC Image
If possible, this should be on a “real PC”. If we don’t have the kit, then a virtual machine will have to do. I’ll leave the operating system choice up to you, but XP is still a valid choice as it’s still used everywhere – although it might have added complexity with your automated deployment tool.
What we’re doing here is building a PC in the anticipation that it’s going to be rolled out to thousands of desktops. So we want the initial install scripted (i.e. automated input of user details, serial number and so on).
Include any drivers that your target machines are likely to need, service packs and patches. Don’t install any software (that will follow).
Then, follow the instructions for preparing the machine for imaging, which will include resetting the SID, wiping the swap files and so on.
You need to decide on a deployment method: RIS or WDS. WDS is the newer technology but there might be a reason you want to choose RIS especially if you have XP as your OS.
Once you have that up-and-running, image a few PCs (virtual or real) and see how you get on.

7. Install Software
Most big companies will have a heavyweight deployment tool to package and deploy software; here we’re going to keep it simple and use the built-in Windows software deployment.
Download some Microsoft software (suggest Office and Visio) and configure these packages so AD will deploy them to all PCs (not servers though!).

8. File and Print Server
We want to set up a file share with particular access rights.
This should be:
• Admins – Full Control
• Managers – Change
• Staff – Read only
Also, all users should have this drive mapped as their “X: Drive” upon login automatically.
It’s your choice whether to setup another dedicated file server VM or “piggy back” upon another one.
Your next task is to set up a network printer. This should be configured so that users can connect to \\servername\printername and have drivers for that printer automatically installed. Note if you have a USB printer it may well be easier to share this from the "real" server.

9. Exchange
This is a big one! I would actually suggest installing Exchange 2003 as many companies still use it, and migrating away from it is a useful exercise in itself. However, your gold VM image will not be sufficient as Exchange 2003 needs a 32 bit OS.
Build a new VM, install Exchange 2003 and create Exchange mailboxes for your users.
Now here comes the clever bit. We’re going to set up email routing to and from the internet. Go to a provider of dynamic DNS services like dyndns.com and set up a DNS name for your organisation that’s registered against your current connection’s IP address. Now, also set up an MX record to the same address. You now need to configure your ADSL router / cable modem / etc. to forward port 25 traffic from the internet to the IP address of your Exchange Server.
Automatically create email addresses for your users in the format of name@your-dynamic-dns-entry
Finally you should configure Outlook so that it automatically creates a profile for end users to connect to their new mailbox.
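
Once port 25 is forwarded from the internet, it is worth confirming that the Exchange server only accepts mail for your own domain and refuses to relay between two outside domains. The script below is an added example, not part of the original exercise: the host name and both addresses are placeholders, `smtp_factory` is a hypothetical injection point for offline testing, and the check stops after RCPT TO so no message is ever sent.

```python
import smtplib

def relay_verdict(mail_code, rcpt_code):
    """Map the server's MAIL FROM / RCPT TO reply codes to a finding."""
    if mail_code >= 400:
        return "sender refused"
    if 200 <= rcpt_code < 300:
        return "ACCEPTS RELAY AT RCPT"   # outside-to-outside accepted: investigate
    if 400 <= rcpt_code < 500:
        return "deferred"                # temporary failure (e.g. greylisting): retry
    return "relay refused"               # 5xx such as 550: the expected answer

def check_relay(host, sender, recipient, port=25, smtp_factory=smtplib.SMTP):
    """Offer the server a message between two foreign domains, then abort.

    Stops after RCPT TO and sends RSET, so nothing is ever delivered.
    smtp_factory exists only so the logic can be exercised without a network.
    """
    conn = smtp_factory(host, port, timeout=15)
    try:
        conn.ehlo()
        mail_code, _ = conn.mail(sender)
        rcpt_code = 0
        if mail_code < 400:
            rcpt_code, _ = conn.rcpt(recipient)
        conn.rset()
        return relay_verdict(mail_code, rcpt_code)
    finally:
        try:
            conn.quit()
        except smtplib.SMTPException:
            pass

if __name__ == "__main__":
    # Placeholders: run from outside your network against your own dynamic
    # DNS name, with sender and recipient in domains your server does NOT host.
    print(check_relay("your-dynamic-dns-entry.example",
                      "probe@sender.example", "probe@recipient.example"))
```

Some servers accept the recipient and only reject after DATA, so an "ACCEPTS RELAY AT RCPT" result means the relay restrictions in Exchange need reviewing, not that mail was definitely relayed.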

10. Document
Now that we’ve got a cracking IT infrastructure, let’s have a go at documenting it (OK, we should probably do that first, but hey, this is only an exercise). Fire up Visio (downloaded from your Technet subscription) and describe your environment. Your diagram should include:
• All your servers, names, IP address, function
• Active Directory
• Exchange
• Internet connection
• How mail is routed in and out
• Virtual versus real machines

June 3, 2010

Inventory Audit of a complex IT network

Filed under: Uncategorized — chaplic @ 5:49 pm

I’ve been spending some time doing a complete inventory of a rather complex IT environment, with more firewalls, servers, weird networking and all-round oddness than imaginable. The network has around 10,000 IP devices and has grown fairly organically, with various organisations having been responsible for its upkeep – to various levels of quality.

The need was for a “point in time” inventory of what’s out there. We didn’t have use of a big tool like centinel, nor wish to use the existing network management tools (to provide an independent result). Oh, and I had limited admin access rights.

Here’s how I did it

Largely, the work was split into two pieces, a Wintel Audit and a “non Wintel” – encompassing networks, printers, switches, SANs…

The Wintel Audit was fairly easy – I cobbled together a VBScript to query machines using WMI and pull back installed software, machine spec, and so on – just the basic info you might want if you need to take migration decisions. I’ll post the script up in my next blog entry.

The Non-Wintel was more involved. Firstly, I used nmap to scan every IP device. It takes an “educated guess” as to what the device is, and does a reasonable job. The most surprising fact was there was quite a lot of Wintel kit in here I hadn’t picked up. This was because machines were in different domains and workgroups. These were then added to the Wintel audit.

This gave me an outline of what to look for and how to investigate.
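
The nmap step lends itself to a small script. This is an added example, not the author's tooling: it reads nmap's XML output (`-oX`), keeps the best OS guess per live host, and lists hosts missing from an existing asset list, flagging likely Windows machines for the WMI audit. The sample XML, addresses, names and `KNOWN_ASSETS` are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -O -oX` output; all hosts are invented.
SAMPLE_XML = """<nmaprun>
<host><status state="up"/><address addr="10.1.4.20" addrtype="ipv4"/>
  <hostnames><hostname name="fs01.corp.example" type="PTR"/></hostnames>
  <os><osmatch name="Microsoft Windows Server 2003 SP2" accuracy="98"/></os></host>
<host><status state="up"/><address addr="10.1.4.57" addrtype="ipv4"/>
  <hostnames/>
  <os><osmatch name="Microsoft Windows XP SP3" accuracy="96"/></os></host>
<host><status state="up"/><address addr="10.1.9.12" addrtype="ipv4"/>
  <hostnames><hostname name="prn-3f.corp.example" type="PTR"/></hostnames>
  <os><osmatch name="HP JetDirect print server" accuracy="85"/>
      <osmatch name="HP LaserJet printer" accuracy="91"/></os></host>
<host><status state="down"/><address addr="10.1.9.40" addrtype="ipv4"/></host>
</nmaprun>"""

KNOWN_ASSETS = {"10.1.4.20"}  # constructed stand-in for the existing asset list

def parse_hosts(xml_text):
    """Return one record per live host: IP, reverse-DNS name, best OS guess."""
    records = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        name = host.find("hostnames/hostname")
        # nmap may list several guesses; keep the one with the highest accuracy.
        best = max(host.findall("os/osmatch"),
                   key=lambda m: int(m.get("accuracy", "0")), default=None)
        records.append({
            "ip": addr.get("addr"),
            "name": name.get("name") if name is not None else "",
            "os_guess": best.get("name") if best is not None else "unknown",
        })
    return records

def unlisted(records, known_ips):
    """Hosts that answered the scan but are missing from the asset list."""
    return [r for r in records if r["ip"] not in known_ips]

def wintel_candidates(records):
    """Hosts whose OS guess says Windows: candidates for the WMI audit."""
    return [r for r in records if "windows" in r["os_guess"].lower()]

if __name__ == "__main__":
    for r in unlisted(parse_hosts(SAMPLE_XML), KNOWN_ASSETS):
        print(r["ip"], r["name"] or "-", r["os_guess"], sep="\t")
```

For a real scan file, read its contents and pass the text to `parse_hosts` in place of `SAMPLE_XML`.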

There were hundreds of printers on the estate, almost all HP. The nmap tool had done a reasonable job of guessing the type, but it wasn’t precise. To do this, I fired up HP Jet Direct tools, which is a little light-weight tool that HP no longer provide in this basic form. Shame, because it’s all that’s needed. I just gave the IP addresses relating to HP printers and it went off and queried them. Minutes later, I had netbios names and proper printer models. Lovely.

I didn’t have full access to networking devices, but I did have the SNMP community strings. Therefore I used Billy the Kid’s Cisco SNMP tool.

I simply fired in the switch’s IP address, the community string and the tool got the switch’s CDP neighbours, helpfully giving me the model names and IP addresses of Layer-2 connected switches. From this, I was not only able to build a network map, I was able to make the inventory far more accurate.

However, there was an area that was, by design, hidden from view. The client has multiple connections to multiple systems, so has a myriad of firewalls and DMZs. I peered through the firewall rulesets to see if I could find equipment on the network that was hidden from ICMP scans. Easy on the Cisco ASDM, Checkpoint FW1 and the Juniper – slightly more complex reading the config of an old PIX! Doing this enabled me to find servers, switches and more firewalls behind firewalls.

Then it was just a case of manually picking off the oddities. The nmap scan found lots of Sun boxes; helpfully for me they all revealed their machine name when I FTPd to them, or finger @machinename. Almost all other devices tell me enough to be useful by connecting via Telnet, SSH, http or https – APC power strips and specialised printers. I even found a plasma screen that talks IP!

The result? An asset list that’s about double the previous list…. and a lot of “must improve housekeeping” to do!
