Category: Active Directory

Posted in Active Directory, AWS, Azure, Windows

VPN TUNNEL (AWS-AZURE) V-NET

Posted on by Akhil

Pre-requisites :

  • Two virtual networks with different Address spaces in different cloud platforms.
  • A virtual machine in each virtual network.
  • In the following scenario,
AZURE V-NETAWS-V-NET
Virtual network namevnet-Azurevnet-Aws
Address space10.0.0.0/16192.168.0.0/16
Subnetsu-1 (10.0.1.0/24)su-1-aws (192.168.1.0/24)
Virtual machineazure-serveraws-server
Private IP10.0.1.4192.168.1.214
RegionEast-USN.Virginia
Domainakhil.com

Procedure :

Azure

  • Create a gateway subnet in the virtual network. // Home > Virtual Networks > Select the virtual network > Subnets > Gateway subnet
  • Specify the IP Address range > OK. Carry out the same procedure for the both networks.
  • Create Virtual network gateways for both the virtual networks, which acts as the gateway for the traffic incoming and outgoing.
  • Home > Virtual network gateways > Add > type a valid vng name (vng-azure) > select the virtual network (vnet-Azure) > make sure the region is same as that of v-net (vnet-Azure) > create a new public IP (pip-azure-vng) > review and create. Note : A valid amount of time is taken to get vng created.

AWS

  • Create a Customer gateway (cg-aws) that communicates with the Azure virtual network gateway.
  • VPC > Virtual private network > Customer gateways > Create customer gateway and mention public IP of the virtual network gateway (pip-azure-vng) as shown below.
  • Create Virtual Private Gateway (vpn-aws) in VPC > Virtual private network > Virtual private gateways > create virtual private gateway.
  • Select the Virtual Private Gateway (vpn-aws) > Actions > Attach to vpc > Select the vpc > create.
  • Create the vpn connection in VPC (tunnel-aws-azure) > Virtual private network > site to site vpn connections > create vpn connection > select virtual private gateway (vpn-aws) > select customer gateway (cg-aws) > routing option (static) > mention IP CIDR (Azure) > create vpc connection.

Azure

  • Select the vpn connection (tunnel-aws-azure) > Tunnel details > copy IP of tunnel-1
  • Open Azure > Local network gateways > create local network gateway (lng-aws) > paste the public IP address of tunnel-1 > mention the address space of AWS-VNet (vnet-aws)
  • Create connection (aws-tunnel-1) between the cloud platforms in Home > Virtual network gateways > Select the virtual network gateway (vng-azure) > Connections > Add > vpn connection type (Site to Site (IPsec)) > select the local network gateway (lng-aws) > Paste the PSK obtained from downloaded text file

AWS

  • VPC > route tables > select the route table that is attached to the vnet > routes > edit routes > Add route > destination IP CIDR (that of Azure) > target virtual private gateway (vpn-aws)

Status of tunnel :

The status of the tunnel can be verified both in Azure and AWS cloud platforms

  • In Azure ; Home > Virtual network gateways > virtual network gateway (vng-azure) > Connections
  • In AWS ; VPC > Virtual private network > site to site vpn connections > select the vpn connection > tunnel details
Posted in Active Directory, Windows

ACTIVE DIRECTORY DOMAIN RENAME

Posted on by Akhil

Pre-requisites :

  • A valid Active directory domain (first.com)
  • Multiple Domain controllers (best practice)

Procedure :

  • Logon to the domain controller using domain Administrator credentials.
  • Server Manager > Tools > DNS > Expand the domain controller > Right click Forward Lookup Zones > New zone > Primary Zone > Next > new domain name (second.com) > Allow both non-secure and secure dynamic updates > Finish
  • Run command prompt as an Administrator and run the following commands.
cd C:\Windows
cd temp
rendom /list
  • Edit C:\Windows\Temp\Domainlist and rename old domain name (first.com) to new domain name (second.com) as shown below.
  • Save the file and run the following command in the previous opened command prompt session.
rendom /upload
  • Followed by the following command
rendom /prepare
  • Continue to execute the procedure with the following command
rendom /execute
  • Once the server gets restarted, the domain name will be successfully renamed to the new domain name (second.com)
  • Logon to the server using new domain credentials.
  • Rename the server full name if required in the control panel.
Posted in Active Directory, Azure, Migration, Windows

AZURE STACK DEPLOYMENT

Posted on by Akhil

Azure Stack is Azure technology built on vetted hardware and distributed by approved vendors that bring Azure cloud technology into your data center. The vendors manage the hardware and the Microsoft manages the software.

Prerequisites :

  • Check for the prerequisites and considerations for the Azure Stack hub deployment here.
  • Make sure there are minimum 5 hard drives including OS disk (200 GB) with each 350 GB. (This can be achieved using smart array controller)
  • Deploy the OS only through Intelligence provisioning (best practice), which helps in proper installation of drives.
  • Make sure the attached physical/ logical disks can be pooled.

Azure stack deployment :

  • Download the Azure stack hub development kit installer.
  • Follow the registration process to download the installer on the server, where ASDK environment is going to be established.
  • Run the installer as the Administrator and browse for the location where to save the ASDK and download the ASDK.
  • After the completion of the download, run the installer and extract the files to a specified folder.
  • To download the installer, run the following powershell script
$URI = 'https://raw.githubusercontent.com/Azure/AzureStack-Tools/master/Deployment/asdk-installer.ps1'
$LocalPath = 'C:\AzureStack_Installer'
New-Item $LocalPath -Type Directory
Invoke-WebRequest $URI -OutFile ($LocalPath + '\' + 'asdk-installer.ps1')
cd $LocalPath
  • Once the above powershell script has been executed successfully, a powershell script has been downloaded in the defined local path, run the powershell script that has been downloaded as shown below.
  • A GUI will be prompted. Select Prepare environment and browse the previously downloaded CloudBuilder VHDX.
  • Click next to populate accordingly,
CategoryValue
UsernameAdministrator
Password*****
Computer NameASDK-1
Static IP configurationEnable
  • Select the ultimate NIC adapter and click next.
  • Make sure the IP CIDR and the gateways are exemplary.
  • Once Completed > Next > Reboot Now.
  • Following reboot, disable the network adapters that are not in use to provide a clean path to the Azure Stack Development kit in Control Panel\Network and Internet\Network Connections.
  • Re-download the powershell script using following command and run the downloaded powershell script.
$URI = 'https://raw.githubusercontent.com/Azure/AzureStack-Tools/master/Deployment/asdk-installer.ps1'
$LocalPath = 'C:\AzureStack_Installer'
New-Item $LocalPath -Type Directory
Invoke-WebRequest $URI -OutFile ($LocalPath + '\' + 'asdk-installer.ps1')
cd $LocalPath
  • Select Install from the prompted GUI console.
  • Populate the fields accordingly,
CategoryValue
TypeAzure Cloud
AAD Directorydigiphinixstack.onmicrosoft.com (it should be primary domain)
Passwordsame as the local administrator
  • Select the NIC adapter and click next to crowd the network configuration details. (Time server IP : 216.239.35.0 ; DNS forwarder IP : 8.8.8.8)
  • Once Completed > Next > Deploy.
  • In about two minutes or so you’ll be asked to enter the credentials for a global administrator in your AAD directory, enter the credentials accordingly.

NOTE: The user credentials provided should be administrator of the Azure Active Directory tenant.

  • The deployment process will takes almost 8 to 9 hours, during which the host server will automatically reboot (approximately 1 hr 20 min ). Sign in as azurestack\AzureStackAdmin after the ASDK host restarts and password remains same as the host server.
  • After a successful completion of the deployment the message COMPLETE : Action ‘Deployment’ is shown as following,

Post-deployment :

  • Run the following powershell script for installing and configuring Azure powershell for ASDK.
Set-PSRepository -Name "PSGallery" -InstallationPolicy Trusted
Get-Module -Name Azs.* -ListAvailable | Uninstall-Module -Force -Verbose
Get-Module -Name Azure* -ListAvailable | Uninstall-Module -Force -Verbose
#Install the AzureRM.BootStrapper module. Select Yes when prompted to install NuGet
Install-Module -Name AzureRM.BootStrapper
#Install and import the API Version Profile required by Azure Stack into the current PowerShell session.
Use-AzureRmProfile -Profile 2019-03-01-hybrid -Force
Install-Module -Name AzureStack -RequiredVersion 1.8.2
  • Download the Azure stack tools using following powershell script.
#Change directory to the root directory.
cd \
#Enforce usage of TLSv1.2 to download the Azure Stack tools archive from GitHub
Invoke-WebRequest
-Uri https://github.com/Azure/AzureStack-Tools/archive/master.zip`
-OutFile master.zip
#Expand the downloaded files.
Expand-Archive -Path master.zip -DestinationPath . -Force
#Change to the tools directory.
cd AzureStack-Tools-master

Portal access to Azure stack :

  • Register the local environment with the Azure.
  • AzS-ERCS01 is one of the virtual machines that is deployed during the process of ASDK deployment. This VM is responsible for the Connection establishment between Azure and ASDK host server.
  • Validate the VM AzS-ERCS01 using following powershell script before local environment registration with Azure.
Enter-PSSession -ComputerName AzS-ERCS01 -ConfigurationName PrivilegedEndpoint
Test-AzureStack
  • Sign-in to the Azure stack account using
Login-AzureRmAccount
  • Register the ASDK using following powershell script.
#Add the Azure cloud subscription environment name.
#Supported environment names are AzureCloud, AzureChinaCloud, or AzureUSGovernment depending which Azure subscription you're using.
Add-AzureRmAccount -EnvironmentName "<environment name>"

#Register the Azure Stack resource provider in your Azure subscription
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.AzureStack

#Import the registration module that was downloaded with the GitHub tools
Import-Module C:\AzureStack-Tools-master\Registration\RegisterWithAzure.psm1

#If you have multiple subscriptions, run the following command to select the one you want to use:
#Get-AzureRmSubscription -SubscriptionID "" | Select-AzureRmSubscription

#Register Azure Stack
$AzureContext = Get-AzureRmContext
$CloudAdminCred = Get-Credential -UserName AZURESTACK\CloudAdmin -Message "Enter the credentials to access the privileged endpoint."
$RegistrationName = "<unique-registration-name>"
Set-AzsRegistration -PrivilegedEndpointCredential $CloudAdminCred
-PrivilegedEndpoint AzS-ERCS01 -BillingModel Development
-RegistrationName $RegistrationName `
-UsageReportingEnabled:$true
  • Approximately around 10 min the following output is obtained confirming that the environment is registered successfully.
  • Redeem the activation key to C:\ using following command
$RegistrationResourceName = "<unique-registration-name>"
#File path to save the activation key. This example saves the file as C:\ActivationKey.txt.
$KeyOutputFilePath = "$env:SystemDrive\ActivationKey.txt"
$ActivationKey = Get-AzsActivationKey -RegistrationName $RegistrationResourceName `
-KeyOutputFilePath $KeyOutputFilePath
  • This confirms that the activation key file is generated in C:\ .
  • Run the following powershell script to create an activation resource using the previously generated Activationkey.txt.
#Import the registration module that was downloaded with the GitHub tools
Import-Module C:\AzureStack-Tools-master\Registration\RegisterWithAzure.psm1
$CloudAdminCred = Get-Credential -UserName AZURESTACK\CloudAdmin -Message "Enter the credentials to access the privileged endpoint."
#This example uses the C:\ActivationKey.txt file.
$ActivationKey = Get-Content -Path "$env:SystemDrive\Activationkey.txt"
New-AzsActivationResource -PrivilegedEndpointCredential $CloudAdminCred -PrivilegedEndpoint AzS-ERCS01
-ActivationKey $ActivationKey
  • Your environment has finished the registration and activation process is returned as the output.
  • Sign in to the Azure Stack administrator portal using following URL in the local host https://adminportal.local.azurestack.external.

Congratulations in advance.

My hearty congratulations in successful deployment of Azure Stack Development Kit.
Posted in Active Directory, Azure, Migration, Windows

SQL SERVER MIGRATION (On-premises to cloud) USING DMA TOOL

Posted on by Akhil

On-premise setup :

  • Domain (ravvarapu.com)
  • Sql server (2012)
  • Sql database (weblocal)
  • Consummate Network settings.

Cloud setup :

  • Cloud platform (Microsoft Azure)
  • Valid subscription.
  • Azure Migrate project with a valid project name and location.
  • Sql Managed instance (Deploying can take up to 6 hrs.) or Sql Database.

Procedure :

  • Download DMA tool (Data Migration Assistant) on the sql instance (On-premise).
  • Install the DMA tool on the server and run as administrator.
  • Create New project with type Assessment.
  • Populate the fields as described below and create the project.
Project NameA valid project name
Assessment typeDatabase engine
Source server typeSql server
Target server typeAzure sql database managed instance
  • Click next to define the source sql server, define the server name and authenticate accordingly.
  • Add the required source databases that can be migrated to azure.
  • Start the assessment. (while this takes a quite good amount of time depending on the individual.)
  • Verify and rectify, if any feature parity or any compatibility issues. More database compatibility can be learned at aka.ms/dbcompat.
  • If everything is perfect upload to Azure Migrate and select the desired Azure environment (Azure) and connect to the Azure account for both feature parity and compatibility issues.
  • Select the created migration project in the Azure and upload.
  • Refresh the Azure migrate screen to update the details of data assessment.
  • Click on Accessed database instances to check the status of the database readiness.
  • Plunge into the on-premise sql server DMA tool and create a new project.
  • Populate the fields as shown below.
  • Create the migration by populating the fields.
  • Connect to the sql server and authenticate accordingly. (Enable the Trust server certificate).
  • Select the databases that needed to be migrated.
  • Connect to the target server (Sql database or sql managed instance) with default sql authentication (Enable the Trust server certificate).
  • Select the newly created database in the target server and generate the script.
  • Deploy the generated script and select the desired tabled to migrate the data.

Substantiation :

Once the data has been successfully migrated to the target server, connect to the target server from the local sql server and check the migrated data. The latency of the migrated sql database depends upon the region in which the target sql database or target sql managed instance is in.

Posted in Active Directory, AWS, Azure, Windows

VPN TUNNEL( V-NET TO V-NET )

Posted on by Akhil

A VPN Tunnel is an encoded connection or a encrypted path way between two different organizations or networks. This private tunnel can give an approach to cloak online activities.

Pre-requisites :

  • Two virtual networks with different Address spaces in different regions.
  • A virtual machine in each virtual network.
  • In the following scenario,
VIRTUAL NETWORK-1VIRTUAL NETWORK-2
Virtual network namev-net-1v-net-2
Address space10.0.0.0/16192.168.0.0/16
Subnetdefault (10.0.0.0/24)default (192.168.0.0/24)
Virtual machinecm-1cm-2
Private IP10.0.0.4192.168.0.4
RegionEast-USCentral-India

Procedure :

  • Create a gateway subnet in both the virtual networks. // Home > Virtual Networks > Select the virtual network > Subnets > Gateway subnet
  • Specify the IP Address range > OK. Carry out the same procedure for the both networks.
  • Create Virtual network gateways for both the virtual networks, which acts as the gateway for the traffic incoming and outgoing.
  • Home > Virtual network gateways > Add > type a valid vgn name (vgn-1) > select the virtual network (v-net-1) > make sure the region is same as that of v-net (v-net-1) > create a new public ip (pip-vgn-1) > review and create. Note : A valid amount of time is taken to get vgn created.
  • Create a second virtual network gateway (vgn-2) for the second virtual network (v-net-2) along side with public IP (pip-vgn-2) for the gateway in the similar process in the same region that of the virtual network (v-net-2).

Configuring VGN :

  • After successful creation of the virtual network gateways resources, go to the first virtual network gateway (vgn-1)
  • Home > Virtual network gateways > connections > Add.
  • Give a valid name and select the second virtual network gateway (vgn-2) and give a pre shared key as shown below.
  • The given shared key is used to establish connection from the other end.
  • Dive back to the second virtual network gateway (vgn-2) and establish a connection to the first virtual network gateway.
  • Home > Virtual network gateway > select the second virtual network gateway (vgn-2) > Connections > Add > create the connection with the same pre shared key.

Note : It takes a few minutes to get the status change from unknown to connected.

Configure the security rules :

  • Configure the security rules of the virtual machines such that the incoming traffic is allowed from the other virtual network as shown below (if required).
  • Similarly configure the security groups of other virtual machine to allow the required traffic from the other virtual network gateway.
  • Check the connection by pinging the private ip of the opposite virtual machine.
Posted in Active Directory, Migration, Windows

PASSWORD MIGRATION USING ADMT

Posted on by Akhil

Prerequisites:

SOURCE DOMAIN (sd.com)TARGET DOMAIN (td.com)
Domain controller (S-DC)Domain controller (T-DC)
ADMT-Server (T-ADMT)
Two-way trust b\w domainsTwo-way trust b\w domains

Procedure:

Step 1 :

  • Download both sql server and ADMT tool in the ADMT-Server (T-ADMT).
  • Install sql server by following default onscreen commands on ADMT-Server (T-ADMT).
  • Install ADMT tool in the server mentioning the previously installed sql instance.
  • Create encryption key on the ADMT-Server (T-ADMT) using following command in the command prompt.
admt key /option:create /sourcedomain:source.local /keyfile:"c:\KEY.pes" /keypassword:*
  • The source domain and the key password need to be changed as per the requirement as shown below.
  • Copy the created key to the source domain controller (S-DC).

Step 2 :

  • Download and install PES (Password export server) onto the source domain controller (S-DC).
  • Choose the key that is created in the previous step, when it is required during the installation.
  • Enter the given password for the confirmation and to install.
  • Choose Log on as and enter the user credentials of Source Domain Administrator or Target Domain Administrator as shown below and restart the server (S-DC).
  • Start the password export server service manually in the services of source domain controller (S-DC)

Step 3 :

  • Add the target domain administrator (TD\Azureuser) in the Administrators (built-in) group of source domain (sd.com)
  • Similarly add source domain administrator (SD\Azureuser) in the Administrators (built-in) group of target domain (td.com)

Step 4 :

  • Open the ADMT tool in the target ADMT-Server (T-ADMT) and run the ADMT tool.
  • Right-click on the Active Directory Migration tool > User Account Migration Wizard > define the source and target domain details as shown.
  • Select users from domain > Add > type the user name > select the users > next > select the target OU > migrate passwords > target same as source > follow the onscreen commands with the required properties to complete the migration of users along with their passwords.
  • Migration process status will be changed to completed with no errors as the following.
Posted in Active Directory, logs, Windows

SPLUNK DEPLOYMENT FOR WINDOWS ENVIRONMENT – 2

Posted on by Akhil

Installing and configuration of universal forwarders

step-1:

  • Download the executable file of splunk universal forwarder in the universal forwarder server (UF-1)
  • Copy it to every windows host that need to be monitored.
  • Right click the executable file to install > check the check this box to accept the license agreement > Customize options > next > next > make sure Local system is enabled and click next > next > create the default administrative cred for the local server > Ip_Address of the deployment-server or the indexer and default 8089 port no. > next > install.

step-2:

  • In the deployment server (Indexer), open the splunk enterprise in the browser click Settings > Forwarder management > clients (UF-1 should be visible) > server class > Edit (Edit Clients) > UF-1 (in the include list) > preview > save.

step-3:

  • Download the splunk add on app for windows from here.
  • Extract the splunk app for windows infrastructure (Splunk_TA_windows) and create a local directory.
  • In the local directory create a conf file named inputs.conf with the following text.
# Copyright (C) 2020 Splunk Inc. All Rights Reserved.
# DO NOT EDIT THIS FILE!
# Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
# To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
# into ../local and edit there.
#



###### OS Logs ######
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true
index = wineventlog

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml=true
index = wineventlog

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true
index = wineventlog


###### Forwarded WinEventLogs (WEF) ######
[WinEventLog://ForwardedEvents]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
## The addon supports only XML format for the collection of WinEventLogs using WEF, hence do not change the below renderXml parameter to false.
renderXml=true
host=WinEventLogForwardHost
index = wineventlog


###### WinEventLog Inputs for Active Directory ######

## Application and Services Logs - DFS Replication
[WinEventLog://DFS Replication]
disabled = 0
renderXml=true
index = wineventlog
 
## Application and Services Logs - Directory Service
[WinEventLog://Directory Service]
disabled = 0
renderXml=true
index = wineventlog
 
## Application and Services Logs - File Replication Service
[WinEventLog://File Replication Service]
disabled = 0
renderXml=true
index = wineventlog
 
## Application and Services Logs - Key Management Service
[WinEventLog://Key Management Service]
disabled = 0
renderXml=true
index = wineventlog


###### WinEventLog Inputs for DNS ######
[WinEventLog://DNS Server]
disabled = 0
renderXml=true
index = wineventlog


###### DHCP ######
[monitor://$WINDIR\System32\DHCP]
disabled = 0
whitelist = DhcpSrvLog*
crcSalt = <SOURCE>
sourcetype = DhcpSrvLog
index = windows


###### Windows Update Log ######
## Enable below stanza to get WindowsUpdate.log for Windows 8, Windows 8.1, Server 2008R2, Server 2012 and Server 2012R2
[monitor://$WINDIR\WindowsUpdate.log]
disabled = 0
sourcetype = WindowsUpdateLog
index = windows

## Enable below powershell and monitor stanzas to get WindowsUpdate.log for Windows 10 and Server 2016
## Below stanza will automatically generate WindowsUpdate.log daily
[powershell://generate_windows_update_logs]
script = ."$SplunkHome\etc\apps\Splunk_TA_windows\bin\powershell\generate_windows_update_logs.ps1"
schedule = 0 */24 * * *
disabled = 0
index = msad

## Below stanza will monitor the generated WindowsUpdate.log in Windows 10 and Server 2016
[monitor://$SPLUNK_HOME\var\log\Splunk_TA_windows\WindowsUpdate.log]
disabled = 0
sourcetype = WindowsUpdateLog
index = windows

###### Monitor Inputs for Active Directory ######
[monitor://$WINDIR\debug\netlogon.log]
sourcetype=MSAD:NT6:Netlogon
disabled = 0
index = msad

###### Monitor Inputs for DNS ######
[MonitorNoHandle://$WINDIR\System32\Dns\dns.log]
sourcetype=MSAD:NT6:DNS
disabled = 0
index = msad


###### Scripted Input (See also wmi.conf)
[script://.\bin\win_listening_ports.bat]
disabled = 0
## Run once per hour
interval = 3600
sourcetype = Script:ListeningPorts
index = windows

[script://.\bin\win_installed_apps.bat]
disabled = 0
## Run once per day
interval = 86400
sourcetype = Script:InstalledApps
index = windows

[script://.\bin\win_timesync_status.bat]
disabled = 0
## Run once per hour
interval = 3600
sourcetype = Script:TimesyncStatus
index = windows

[script://.\bin\win_timesync_configuration.bat]
disabled = 0
## Run once per hour
interval = 3600
sourcetype = Script:TimesyncConfiguration
index = windows

[script://.\bin\netsh_address.bat]
disabled = 0
## Run once per day
interval = 86400
sourcetype = Script:NetworkConfiguration

###### Scripted/Powershell Mod inputs Active Directory ######

## Replication Information NT6
[script://.\bin\runpowershell.cmd nt6-repl-stat.ps1]
source=Powershell
sourcetype=MSAD:NT6:Replication
interval=300
disabled = 0
index = msad
 
## Replication Information 2012r2 and 2016
[powershell://Replication-Stats]
script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-repl-stats.ps1"
schedule = 0 */5 * ? * *
source = Powershell
sourcetype=MSAD:NT6:Replication
disabled = 0
index = msad
 
## Health and Topology Information NT6
[script://.\bin\runpowershell.cmd nt6-health.ps1]
source=Powershell
sourcetype=MSAD:NT6:Health
interval=300
disabled = 0
index = msad
 
## Health and Topology Information 2012r2 and 2016
[powershell://AD-Health]
script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-health.ps1"
schedule = 0 */5 * ? * *
source=Powershell
sourcetype=MSAD:NT6:Health
disabled = 0
index = msad 
 
## Site, Site Link and Subnet Information NT6
[script://.\bin\runpowershell.cmd nt6-siteinfo.ps1]
source=Powershell
sourcetype=MSAD:NT6:SiteInfo
interval=3600
disabled = 0
index = msad
 
## Site, Site Link and Subnet Information 2012r2 and 2016
[powershell://Siteinfo]
script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-siteinfo.ps1"
schedule = 0 15 * ? * *
source = Powershell
sourcetype=MSAD:NT6:SiteInfo
disabled = 0
index = msad


##### Scripted Inputs for DNS #####

## DNS Zone Information Collection
[script://.\bin\runpowershell.cmd dns-zoneinfo.ps1]
source=Powershell
sourcetype=MSAD:NT6:DNS-Zone-Information
interval=3600
disabled = 0
index = msad
 
## DNS Health Information Collection
[script://.\bin\runpowershell.cmd dns-health.ps1]
source=Powershell
sourcetype=MSAD:NT6:DNS-Health
interval=3600
disabled = 0
index = msad


###### Host monitoring ######
[WinHostMon://Computer]
interval = 600
disabled = 0
type = Computer
index = windows

[WinHostMon://Process]
interval = 600
disabled = 0
type = Process
index = windows

[WinHostMon://Processor]
interval = 600
disabled = 0
type = Processor
index = windows

[WinHostMon://NetworkAdapter]
interval = 600
disabled = 0
type = NetworkAdapter
index = windows

[WinHostMon://Service]
interval = 600
disabled = 0
type = Service
index = windows

[WinHostMon://OperatingSystem]
interval = 600
disabled = 0
type = OperatingSystem
index = windows

[WinHostMon://Disk]
interval = 600
disabled = 0
type = Disk
index = windows

[WinHostMon://Driver]
interval = 600
disabled = 0
type = Driver
index = windows

[WinHostMon://Roles]
interval = 600
disabled = 0
type = Roles
index = windows

###### Print monitoring ######
[WinPrintMon://printer]
type = printer
interval = 600
baseline = 1
disabled = 0
index = windows

[WinPrintMon://driver]
type = driver
interval = 600
baseline = 1
disabled = 0
index = windows

[WinPrintMon://port]
type = port
interval = 600
baseline = 1
disabled = 0
index = windows

###### Network monitoring ######
[WinNetMon://inbound]
direction = inbound
disabled = 0
index = windows

[WinNetMon://outbound]
direction = outbound
disabled = 0
index = windows

###### Splunk 5.0+ Performance Counters ######
## CPU
[perfmon://CPU]
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
disabled = 0
instances = *
interval = 10
mode = single
object = Processor
useEnglishOnly=true
index = perfmon

## Logical Disk
[perfmon://LogicalDisk]
counters = % Free Space; Free Megabytes; Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 0
instances = *
interval = 10
mode = single
object = LogicalDisk
useEnglishOnly=true
index = perfmon

## Physical Disk
[perfmon://PhysicalDisk]
counters = Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 0
instances = *
interval = 10
mode = single
object = PhysicalDisk
useEnglishOnly=true
index = perfmon

## Memory
[perfmon://Memory]
counters = Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transition Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s)
disabled = 0
interval = 10
mode = single
object = Memory
useEnglishOnly=true
index = perfmon

## Network
[perfmon://Network]
counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size  
disabled = 0
instances = *
interval = 10
mode = single
object = Network Interface
useEnglishOnly=true
index = perfmon

## Process
[perfmon://Process]
counters = % Processor Time; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private
disabled = 0
instances = *
interval = 10
mode = single
object = Process
useEnglishOnly=true
index = perfmon

## ProcessInformation
[perfmon://ProcessorInformation]
counters = % Processor Time; Processor Frequency
disabled = 0
instances = *
interval = 10
mode = single
object = Processor Information
useEnglishOnly=true
index = perfmon

## System
[perfmon://System]
counters = File Read Operations/sec; File Write Operations/sec; File Control Operations/sec; File Read Bytes/sec; File Write Bytes/sec; File Control Bytes/sec; Context Switches/sec; System Calls/sec; File Data Operations/sec; System Up Time; Processor Queue Length; Processes; Threads; Alignment Fixups/sec; Exception Dispatches/sec; Floating Emulations/sec; % Registry Quota In Use
disabled = 0
instances = *
interval = 10
mode = single
object = System
useEnglishOnly=true
index = perfmon


###### Perfmon Inputs from TA-AD/TA-DNS ######
[perfmon://Processor]
object = Processor
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
instances = *
interval = 10
disabled = 0
mode = single
useEnglishOnly=true
index = perfmon
 
[perfmon://Network_Interface]
object = Network Interface
counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size 
instances = *
interval = 10
disabled = 0
mode = single
useEnglishOnly=true
index = perfmon
 
[perfmon://DFS_Replicated_Folders]
object = DFS Replicated Folders
counters = Bandwidth Savings Using DFS Replication; RDC Bytes Received; RDC Compressed Size of Files Received; RDC Size of Files Received; RDC Number of Files Received; Compressed Size of Files Received; Size of Files Received; Total Files Received; Deleted Space In Use; Deleted Bytes Cleaned up; Deleted Files Cleaned up; Deleted Bytes Generated; Deleted Files Generated; Updates Dropped; File Installs Retried; File Installs Succeeded; Conflict Folder Cleanups Completed; Conflict Space In Use; Conflict Bytes Cleaned up; Conflict Files Cleaned up; Conflict Bytes Generated; Conflict Files Generated; Staging Space In Use; Staging Bytes Cleaned up; Staging Files Cleaned up; Staging Bytes Generated; Staging Files Generated
instances = *
interval = 30
disabled = 0
mode = single
useEnglishOnly=true
index = perfmon
 
[perfmon://NTDS]
object = NTDS
counters = DRA Inbound Properties Total/sec; AB Browses/sec; DRA Inbound Objects Applied/sec; DS Threads in Use; AB Client Sessions; DRA Pending Replication Synchronizations; DRA Inbound Object Updates Remaining in Packet; DS Security Descriptor sub-operations/sec; DS Security Descriptor Propagations Events; LDAP Client Sessions; LDAP Active Threads; LDAP Writes/sec; LDAP Searches/sec; DRA Outbound Objects/sec; DRA Outbound Properties/sec; DRA Inbound Values Total/sec; DRA Sync Requests Made; DRA Sync Requests Successful; DRA Sync Failures on Schema Mismatch; DRA Inbound Objects/sec; DRA Inbound Properties Applied/sec; DRA Inbound Properties Filtered/sec; DS Monitor List Size; DS Notify Queue Size; LDAP UDP operations/sec; DS Search sub-operations/sec; DS Name Cache hit rate; DRA Highest USN Issued (Low part); DRA Highest USN Issued (High part); DRA Highest USN Committed (Low part); DRA Highest USN Committed (High part); DS % Writes from SAM; DS % Writes from DRA; DS % Writes from LDAP; DS % Writes from LSA; DS % Writes from KCC; DS % Writes from NSPI; DS % Writes Other; DS Directory Writes/sec; DS % Searches from SAM; DS % Searches from DRA; DS % Searches from LDAP; DS % Searches from LSA; DS % Searches from KCC; DS % Searches from NSPI; DS % Searches Other; DS Directory Searches/sec; DS % Reads from SAM; DS % Reads from DRA; DRA Inbound Values (DNs only)/sec; DRA Inbound Objects Filtered/sec; DS % Reads from LSA; DS % Reads from KCC; DS % Reads from NSPI; DS % Reads Other; DS Directory Reads/sec; LDAP Successful Binds/sec; LDAP Bind Time; SAM Successful Computer Creations/sec: Includes all requests; SAM Machine Creation Attempts/sec; SAM Successful User Creations/sec; SAM User Creation Attempts/sec; SAM Password Changes/sec; SAM Membership Changes/sec; SAM Display Information Queries/sec; SAM Enumerations/sec; SAM Transitive Membership Evaluations/sec; SAM Non-Transitive Membership Evaluations/sec; SAM Domain Local Group Membership Evaluations/sec; SAM Universal Group Membership Evaluations/sec; SAM Global Group Membership Evaluations/sec; SAM GC Evaluations/sec; DRA Inbound Full Sync Objects Remaining; DRA Inbound Bytes Total/sec; DRA Inbound Bytes Not Compressed (Within Site)/sec; DRA Inbound Bytes Compressed (Between Sites, Before Compression)/sec; DRA Inbound Bytes Compressed (Between Sites, After Compression)/sec; DRA Outbound Bytes Total/sec; DRA Outbound Bytes Not Compressed (Within Site)/sec; DRA Outbound Bytes Compressed (Between Sites, Before Compression)/sec; DRA Outbound Bytes Compressed (Between Sites, After Compression)/sec; DS Client Binds/sec; DS Server Binds/sec; DS Client Name Translations/sec; DS Server Name Translations/sec; DS Security Descriptor Propagator Runtime Queue; DS Security Descriptor Propagator Average Exclusion Time; DRA Outbound Objects Filtered/sec; DRA Outbound Values Total/sec; DRA Outbound Values (DNs only)/sec; AB ANR/sec; AB Property Reads/sec; AB Searches/sec; AB Matches/sec; AB Proxy Lookups/sec; ATQ Threads Total; ATQ Threads LDAP; ATQ Threads Other; DRA Inbound Bytes Total Since Boot; DRA Inbound Bytes Not Compressed (Within Site) Since Boot; DRA Inbound Bytes Compressed (Between Sites, Before Compression) Since Boot; DRA Inbound Bytes Compressed (Between Sites, After Compression) Since Boot; DRA Outbound Bytes Total Since Boot; DRA Outbound Bytes Not Compressed (Within Site) Since Boot; DRA Outbound Bytes Compressed (Between Sites, Before Compression) Since Boot; DRA Outbound Bytes Compressed (Between Sites, After Compression) Since Boot; LDAP New Connections/sec; LDAP Closed Connections/sec; LDAP New SSL Connections/sec; DRA Pending Replication Operations; DRA Threads Getting NC Changes; DRA Threads Getting NC Changes Holding Semaphore; DRA Inbound Link Value Updates Remaining in Packet; DRA Inbound Total Updates Remaining in Packet; DS % Writes from NTDSAPI; DS % Searches from NTDSAPI; DS % Reads from NTDSAPI; SAM Account Group Evaluation Latency; SAM Resource Group Evaluation Latency; ATQ Outstanding Queued Requests; ATQ Request Latency; ATQ Estimated Queue Delay; Tombstones Garbage Collected/sec; Phantoms Cleaned/sec; Link Values Cleaned/sec; Tombstones Visited/sec; Phantoms Visited/sec; NTLM Binds/sec; Negotiated Binds/sec; Digest Binds/sec; Simple Binds/sec; External Binds/sec; Fast Binds/sec; Base searches/sec; Subtree searches/sec; Onelevel searches/sec; Database adds/sec; Database modifys/sec; Database deletes/sec; Database recycles/sec; Approximate highest DNT; Transitive operations/sec; Transitive suboperations/sec; Transitive operations milliseconds run   
interval = 10
disabled = 0
mode = single
useEnglishOnly=true
index = perfmon

[perfmon://DNS]
object = DNS
counters = Total Query Received; Total Query Received/sec; UDP Query Received; UDP Query Received/sec; TCP Query Received; TCP Query Received/sec; Total Response Sent; Total Response Sent/sec; UDP Response Sent; UDP Response Sent/sec; TCP Response Sent; TCP Response Sent/sec; Recursive Queries; Recursive Queries/sec; Recursive Send TimeOuts; Recursive TimeOut/sec; Recursive Query Failure; Recursive Query Failure/sec; Notify Sent; Zone Transfer Request Received; Zone Transfer Success; Zone Transfer Failure; AXFR Request Received; AXFR Success Sent; IXFR Request Received; IXFR Success Sent; Notify Received; Zone Transfer SOA Request Sent; AXFR Request Sent; AXFR Response Received; AXFR Success Received; IXFR Request Sent; IXFR Response Received; IXFR Success Received; IXFR UDP Success Received; IXFR TCP Success Received; WINS Lookup Received; WINS Lookup Received/sec; WINS Response Sent; WINS Response Sent/sec; WINS Reverse Lookup Received; WINS Reverse Lookup Received/sec; WINS Reverse Response Sent; WINS Reverse Response Sent/sec; Dynamic Update Received; Dynamic Update Received/sec; Dynamic Update NoOperation; Dynamic Update NoOperation/sec; Dynamic Update Written to Database; Dynamic Update Written to Database/sec; Dynamic Update Rejected; Dynamic Update TimeOuts; Dynamic Update Queued; Secure Update Received; Secure Update Received/sec; Secure Update Failure; Database Node Memory; Record Flow Memory; Caching Memory; UDP Message Memory; TCP Message Memory; Nbstat Memory; Unmatched Responses Received 
interval = 10
disabled = 0
mode = single
useEnglishOnly=true
index = perfmon


[admon://default]
disabled = 0
monitorSubtree = 1
index = windows


[WinRegMon://default]
disabled = 0
hive = .*
proc = .*
type = rename|set|delete|create
index = windows

[WinRegMon://hkcu_run]
disabled = 0
hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index = windows

[WinRegMon://hklm_run]
disabled = 0
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index = windows
  • Move the entire Splunk_TA_windows folder to C:\Program Files\Splunk\etc\deployment-apps on the deployment server.
  • Reload the deploy server using following command in the command prompt.
> cd \Program Files\Splunk\bin
> .\splunk reload deploy-server
  • From the browser in the deployment server, logon back to splunk enterprise and follow the steps
  • Settings > Forwarder management > Apps > Splunk_TA_Windows > Edit > (+) Add the Universal_Forwarders server class.
Posted in Active Directory, logs, Windows

SPLUNK DEPLOYMENT FOR WINDOWS ENVIRONMENT – 1

Posted on by Akhil

Pre-requisites:

Setup of Active directory with 3 servers that includes,

  • Domain controller (DC-1)
  • Indexer or Deployment server (Indexer)
  • Universal forwarder (UF-1)

Make sure that all the servers are intact and are in contact with the domain controller with no issues.

Installing and configuring deployment server or indexer

step-1:

  • Download the splunk software from here.
  • Run the downloaded executable file, check the check this box to accept the license agreement and click next.
  • Create the account credentials and follow the onscreen commands to install the splunk.

step-2:

  • Proceed to download the splunk app for windows infrastructure.
  • Create a new directory named local in the folder of splunk_app_windows_infrastructure.
  • Create a new conf file indexes.conf with the following text in the local directory using notepad.
[msad]
homePath = $SPLUNK_DB/msad/db
coldPath = $SPLUNK_DB/msad/colddb
thawedPath = $SPLUNK_DB/msad/thaweddb
maxDataSize = 10000
maxHotBuckets = 10

[perfmon]
homePath = $SPLUNK_DB/perfmon/db
coldPath = $SPLUNK_DB/perfmon/colddb
thawedPath = $SPLUNK_DB/perfmon/thaweddb
maxDataSize = 10000
maxHotBuckets = 10

[wineventlog]
homePath = $SPLUNK_DB/wineventlog/db
coldPath = $SPLUNK_DB/wineventlog/colddb
thawedPath = $SPLUNK_DB/wineventlog/thaweddb
maxDataSize = 10000
maxHotBuckets = 10

[windows]
homePath = $SPLUNK_DB/windows/db
coldPath = $SPLUNK_DB/windows/colddb
thawedPath = $SPLUNK_DB/windows/thaweddb
maxDataSize = 10000
maxHotBuckets = 10
  • Copy the entire folder splunk_app_windows_infrastructure to C:\Program Files\Splunk\etc\apps directory.
  • Restart the splunk application through command line using the following command
cd\Program Files\Splunk\bin
.\splunk restart

step-3:

  • Login back to the splunk enterprise from the browser (localhost:8000/) on the deployment server.
  • Settings > Forwarding and Receiving > Configure receiving > Add New > 9997 > save.

step-4 :

  • In the browser of the deployment server create a new application in Apps > Manage apps > Create App
NAMESend_to_indexer
FOLDER NAMEsendtoindexer
VERSION1.0.0
VISIBLENo
AUTHOR–anything–
TEMPLATEbarebones
  • Click save.
  • Create a conf file named outputs.conf with the following text in C:\Program Files\Splunk\etc\apps\sendtoindexer\local directory of deployment server.
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = <indexer_hostname_or_ip_address>:<9997>

[tcpout-server://<indexer_hostname_or_ip_address>:<9997>]
  • Indexer hostname or the ip address of the deployment server need to be replaced in the above context as shown below.
  • Move the sendtoindexer app from C:\Program Files\Splunk\etc\apps to C:\Program Files\Splunk\etc\deployment apps.
  • Reload the deploy server using following commands,
cd\Program Files\Splunk\bin
.\splunk reload deploy-server
  • In the browser of the deployment server direct to Settings > Forwarder Management > Apps.
  • Click Edit > (+) Add new server class > Universal_Forwarder > Save.

Adding data of the local server

  • In the Splunk Enterprise of the deployment server click Splunk_enterprise > Add data > Monitor > Local event logs > Add all and click next > Name the desired host field value > review and submit.
  • In the Apps > searching & reporting > data summary, the host is found and can be monitored from now.

Continuation….

Note: Make sure all the required ports are opened in all the three servers with no block of the windows firewall.
Posted in Active Directory, Migration, O365

MAILBOX MIGRATION (G-MAIL TO O365)

Posted on by Akhil

Migration of the mailboxes from G-mail to O365 does need a few pre-requisites like,

  1. Enabling IMAP protocol.
  2. Selecting out the labels that need to be visible for the IMAP migration.
  3. Allowing Less Secure App Access to establish a vulnerable connection between O365 and G-mail.

Enabling IMAP protocol

  • For enabling the IMAP, follow the steps,
  • Open G-mail > settings > Forwarding and POP/IMAP > Enable IMAP in IMAP access tab.

Labels

  • Selection of labels enables the third party tools to both differentiate between the items that have migrated and also detect the items in the mailbox.
  • Show or hide the desired items that are involved in the process of migration.
  • Removing a label will not remove the messages with that label.

Less Secure App Access

  • TURNING ON the less secure app access will make the account vulnerable which in-turn makes the third party tools to access the account. (what precisely is required)
  • Open G-mail > Manage your google account > Security > Turn on Less secure app access.

Migration process

Dive to the O365 portal with the login credentials of the Exchange administrator.

  • Admin > Show all > Exchange > recipients > migration > more > migration endpoints.
  • Add a new migration end point > IMAP > (imap.gmail.com) imap server name > next > (imap.gmail.com) imap end point name > (20) maximum concurrent migrations > (10) maximum concurrent incremental syncs > new
  • Divert back to recipients > migration > migration to exchange online (plus sign) > IMAP migration > Choose the CSV file with the following format as shown > follow the onscreen commands to successfully start the migration process.
  • A good amount of time is taken by the O365 individually to complete the migration process depending on the size of the mailbox that need to be migrated.
Email addressUsernamePassword
Target email addressSource email address (Gmail)Source mail address password (Gmail)
Posted in Active Directory, Patch Management, Windows

ACTIVE DIRECTORY RECYCLE BIN AND SERVER BACKUP

Posted on by Akhil

Enabling Active Directory Recycle bin

The Recycle Bin is an organizer where records and folders that one have deleted are put away. They have not been for all time expelled from your hard drive(s), they were just moved to this unique folder called Recycle Bin. In a similar manner, any firm would definitely show interest in having a recycle bin enabled for the Active Directory for various reasons.

  • Start > server manager > Tools > Active Directory Administrative Center > Open the Domain > In the Tasks click on Enable the Recycle bin...> OK as shown in the figure.

Active Directory server Backup

  • Start > Server Manager > Tools > Windows Server Backup > Local Backup > In the Actions menu select Backup once.. > Follow the onscreen commands > Select Full server backup (Recommended) / Custom backup > Local Drives are the preferred storage type > Select the supported hard drive for the backup destination.

A system hard drive is an unsupported volume for the server backup

It is a best practice to create a separate non sys-drive for in particular with the server backup.