Register for the new IT seminar: a bootcamp for SMB IT sysadmins.

Building SMB IT infrastructure from scratch: common mistakes and pitfalls.

Intro:

This seminar is designed for IT sysadmins and IT engineers who need to systematize their own field experience and fill the gaps in their practical and theoretical knowledge. The agenda of the seminar is deliberately organized to cover as many practical skills as possible, drawn from real-life needs in Mongolia. The topics included in the seminar are missing from other official courses, or are spread too thinly across different resources, and have never before been collected and interconnected in one place in this way.

[spoiler effect=”blind”]

Our other courses are more formal and official, but this one is a digest of recommendations collected, processed and analyzed during multiple projects in Mongolia; in other words, this course is more customized and targeted to real-life company needs.

Unlike in developed countries, my colleagues here (except at very big companies like OT and so on) don't have the luxury of being narrowly specialized in their own profession. This means each of us is forced to be an electrician, network administrator, system administrator, communication specialist, repair service technician, helpdesk, IT manager, procurement employee and so on, all at the same time.

The main goal of my training is to provide the minimal but mandatory technical knowledge for such a role. It's all about specifics. The role of IT in business, awareness of IT and, as a consequence, the IT budget are completely different from other countries. The quality of IT human resources produced by local and average Asian colleges, and the small size of the IT market in Mongolia, are other specifics. All these specifics have prevented enough investment in the competence of local IT pros. [/spoiler] ... But times change. Almost every SMB company starts to feel that something is wrong with its IT and starts to understand the need for change: the need for a new generation of IT admins who solve problems proactively (preventively), not reactively as now (more innovative, intensive and appropriate approaches instead of extensive IT management, where IT issues are solved mainly by increasing the number of cheap IT employees).

Agenda:

day 1 – Building the foundation

[spoiler]

  1. Construction and design of an affordable server room. SCS topology and design, choice of equipment, where never to economize.
  2. Choice of platform for your business: mainstream Microsoft Windows + Office, free Linux, or a mix? Pros and cons of each option.
  3. How to balance the budget between mandatory and optional IT expenses? What is mandatory, and what is optional?
    • How to create an affordable server room, and is it really necessary?
    • Mistakes in planning power sources in companies renting buildings:
      • Electrical considerations
      • Back-UPS vs Smart-UPS. Lab 01. Environmental conditions for UPS.
      • What the UPS data cable is for, and why it's so important.
    • SCS mistakes
    • How to choose network equipment; common mistakes
    • Do you really need a server, and why?
    • Do you need a Dell server, or is a desktop PC enough?
    • Requirements and affordable improvements for using virtualization on a budget PC server.
    • When it's justified to use software firewalls, VPN servers and proxy servers
    • Microsoft licensing in detail: how a KMS server can help you stop installing cracks on each computer. Lab 02
  4. Dell servers as the most popular and available servers in Mongolia.
    • How to decide which Dell server to buy
    • How to conduct express diagnostics of a newly bought server
    • Why hardware firmware needs to be upgraded, and how
    • Storage recommendations
    • Lifecycle Controller and iDRAC. Express vs Enterprise iDRAC: what's the difference, and do you need it? Mistakes when installing an OS on Dell servers (outdated "OS deploy" drivers, wrong RAID configuration for specific tasks, BIOS boot instead of UEFI for large disks, and so on). Lab 03.
    • How to configure hardware monitoring using iDRAC alert notifications via SNMP or email, and why it's so important. Lab 04.
  5. What is vPro/AMT? Why nobody uses it in Mongolia, and why nobody orders it from hardware suppliers.
    • Almost an iDRAC for workstations
    • Types of vPro: which one do you need, and for what
    • How to determine which kind of vPro your computer supports
    • How to configure it. Lab 05.
  6. WDS. How to quickly distribute standardized images to servers and workstations. Re-imaging of computers ("formatting" computers at the enterprise level). Lab 06
  7. What is WSUS? Why total software piracy suppresses the usage of WSUS.
    • Why it's so important. IT audit, security, stability of IT and WSUS.
    • Quick start.
    • Common mistakes with WSUS
  8. Why are backup and disaster recovery always forgotten and ignored? Review of options, from built-in and free solutions to robust backup solutions like Veeam Backup & Replication, MS SC DPM and so on.
    • Tape devices: do you really need them now?
    • Backup to local disks, network shares, cloud
    • Backup or replication? Or both?
    • Storage redundancy and backup
    • Clusters and backup
    • Bare-metal backups vs backup of only DBs and data
    • Disaster recovery policy, test labs
    • Lab 07. Demo of Veeam B&R to illustrate and compare features.

[/spoiler]

day 2 – Virtualization: VMware and Hyper-V.

[spoiler effect=”blind”]

  1. What is virtualization? Advantages of virtualization. Comparison of the two main hypervisors.
    • Virtualization and backup, replication, DR (VM hardware abstraction layer, synthetic vs emulated drivers)
    • Virtualization and clusters
  2. VMware essentials.
    • Installation of VMware ESXi on a USB stick; redirection of logs to a datastore
    • Installation from USB, DVD
    • Installation via iDRAC
    • Installation from the network
    • initial
  3. Subject: Microsoft Hyper-V virtualization essentials
    1. 9.00-9.10 Coffee break, registration
    2. 9.10-10.00 Theory, short introductory presentation
    3. 10.00-13.00 Installation on a single host server with an external storage system. Planning and designing Microsoft virtualization, prerequisites
    4. Performance optimizations, synthetic drivers, integration tools
    5. Creation of new VMs from scratch or from a template library
    6. Methodology of system administration in a virtualized environment. The new paradigm for system management and how it differs from the conventional way
    7. New aspects of backup for virtualization. MS SC DPM
    8. Conversion of legacy physical servers to virtual servers; considerations for doing this with SCVMM
    9. 13.00-14.00 break
    10. 14.00-17.00 Clustered installation of Hyper-V on a two-node cluster with external storage. Server specification recommendations (choice of UPS and UPS software, antivirus for virtualization, storage issues and so on)
    11. Storage configuration
    12. Classic Microsoft HA cluster, new features for virtualization
    13. Installation and initial configuration
    14. Live Migration demo
    15. 17.00-17.15 Q&A session
    16. 17.15-18.00 Comparison with VMware ESX

[/spoiler]

day 3 – Active Directory essentials

[spoiler effect=”blind”]

Subject: Common questions, installation, configurations

  1. 9.00-9.45 Introduction. Why Active Directory (AD)?
  2. Pre-history
  3. For whom; how to convince management to implement AD; the main obvious benefits of AD implementation
  4. What AD means for system administrators, network admins, IT managers and business owners
  5. 9.45-10.15 The main definitions and terms: forest, tree, domain, DC, GC, OU, security groups
  6. GPO
  7. Subnets and sites, DNS for sites (glue records and delegation of zones for the forest)
  8. FSMO roles (PDC emulator, RID, infrastructure, domain naming, schema masters) and GC
  9. Functional levels
  10. Kerberos and NTLM protocols, SAM and NTDS, the KDC service
  11. Schema considerations (precautions, how to activate the snap-in, schema changes for Exchange, Lync and so on)
  12. 10.15-11.15 Installation and initial configuration. Prerequisites (compatible BIND, static IP, unique server name, unique domain name)
  13. What network changes (conflicts between the DNS and DHCP settings for the ISP and for AD) are required in a typical Mongolian company
  14. Types of AD, functional levels; when and how to raise functional levels
  15. Insides of AD (database files, TCP/IP ports used and so on)
  16. How to install AD in a multi-site, multi-subnet and multi-domain environment
  17. 11.15-11.30 Q&A
  18. 11.30-11.45 break
  19. 11.45-13.00 Standard basic operations sometimes ignored or wrongly used by Mongolian sysadmins; common mistakes. Deleting a domain
  20. Adding a computer to the domain, removing a computer from the domain. Duplicated NetBIOS names for domains and computers, wrong name length or wrong symbols. Naming computers in a corporate environment, and why it's important
  21. Why pre-installed Windows versions on notebooks cannot be added to AD
  22. Why desktop Windows is not good as a file server or print server
  23. Sysprep: why, and for what?
  24. Grouping computer accounts and user accounts by OU for GPO
  25. Usage of only one DC despite vendor recommendations
  26. DNS considerations; proper configuration as recommended by best practices
  27. How to promote a server in AD, how to demote it, how to re-add workstations/member servers to AD
  28. How to add users and groups (local, global, universal); why it's necessary to log in again after changing group membership
  29. Groups: which of them to use, and when
  30. Assigning rights to groups for shares, how to share correctly, how to map shares automatically, how to automatically empty the content of temporary share folders
  31. Printers in AD: publishing in AD, default print rights and how to administer printers in AD, print monitoring software (who printed what, when, and how many pages)
  32. Time Service and Kerberos (time zones, NTP server, virtualization aspects, the net time command, how to automatically check the time on multiple servers by script)
  33. 13.00-14.00 break
  34. 14.00-15.00 Demonstration of provisioning a stereotypical AD domain in an average Mongolian company. IT policy best practices for AD. Restricting local admins, the resistance this causes from the user side, and how to resolve it
  35. How to solve problems launching some programs without local admin rights
  36. File server and AD: advantages, pitfalls (for comparison, an example of how to set it up without AD on workstations with max 10 connections). Automatically mounted user shared folders, quotas, backup and redirection, re-assigning to a new employee. SMB/CIFS (Samba) protocol, ports 135, 138, 139, 445, Windows Browser Service (elections and network neighborhood lists)
  37. How to give local admin rights to somebody without making them a Domain Admin
  38. 15.00-15.30 Once again, DNS server settings for AD. Zones vs domains: the difference
  39. DNS server on a multi-homed server, DNS round robin, listening IPs of the DNS server
  40. Forwarders and root servers, conditional forwarders and stub zones, primary and secondary zones
  41. Storing DNS zones in the file system or AD-integrated?
  42. The new record type SRV; the connection between dynamic records and the Netlogon service
  43. Why the DHCP client service should run even on servers and workstations with static IPs
  44. How to add static records (A, CNAME, MX) when a public Internet domain exists with exactly the same name as the AD domain; troubleshooting
  45. Reverse lookup zones: what they are for
  46. Caching DNS: when and how to use it, ipconfig /flushdns
  47. 15.30-16.00 Theory of authorization and authentication. Kerberos (Kerberos and DNS, predecessors like NTLMv1/v2), the ticket system
  48. SQL and AD/Windows authorization, vendor recommendations
  49. Syskey for the SAM, digests and how passwords are stored, LC and SAMInside
  50. PKI/CA and AD
  51. Certificates for web SSL, SSH, Wi-Fi access points, VPN, e-mail and so on
  52. Smart cards/eTokens for Winlogon
  53. 16.00-17.00 Management and administration in an AD environment. Brief review of the standard tools/snap-ins for working with AD
  54. Password policy: pitfalls which can ruin the whole AD implementation in the company, unlocking accounts, why you shouldn't disable a strong password policy, resetting local admin passwords, removing local users and profiles, what's new in password policy at the Windows 2008 R2 functional level.
  55. Remote work (RDP, regedit, shutdown, net time, firewall settings, administrative $ shares, remote execution shells like PowerShell, remote computer/server management, GPO, WMI and so on)
  56. 17.00-17.30 Q&A

[/spoiler]

day 4 – Mastering Active Directory

[spoiler effect=”blind”]

Subject: Maintenance and troubleshooting of AD

  1. 09.00-10.00 Insides of Group Policy: GPC and GPT, where they are located and stored, how it works
  2. GP extension templates for Microsoft Office, WSUS and so on
  3. How to target GP to an OU, domain, site and so on
  4. Merging GPOs (LSDOU), loopback processing, WMI filters
  5. Troubleshooting of Group Policy (gpedit.msc, gpresult, RSoP, gpotool, gpupdate /force), FRS
  6. 10.00-13.00 Group Policy best practices: WMI and security filters
  7. Disabling the shutdown tracker, autorun, the Windows Browser service on non-DCs and so on
  8. Enabling RDP, DHCP client, DNS client, event log, remote registry, print spooler, Windows Update and time service everywhere in the domain, and so on
  9. Enabling remote device management
  10. GPO for Terminal Services lockdown
  11. WSUS and GPO
  12. PKI/CA and GPO
  13. IPsec, VPN and GPO
  14. PKI and GPO (certificates)
  15. Software distribution (assigning and publishing, patching, removing MSI packages)
  16. Software restriction (restricting gtalk, Yahoo Messenger and so on from running)
  17. Domain-wide setup of services
  18. Logon message configuration
  19. Configuring the event log through GPO
  20. Scripting and GPO
  21. 13.00-14.00 break
  22. 14.00-15.00 Sites, multi-domain implementations, trusts, replication (bridgeheads, various topologies), USN milestones
  23. SPN (setspn and ADUC delegation, and what they are for)
  24. What is a site, what is it for, what's the difference from subnets, topologies
  25. RPC and SMTP replication, KCC, read-only DC (password caching)
  26. Troubleshooting AD/FRS replication (repadmin, replmon, AD Sites and Services, event log, time, DNS, dcdiag and so on). Everything is wsused.
  27. 15.00-15.30 Seizing/moving FSMO roles (for example after a DC crash)
  28. 15.30-16.45 Q&A
  29. 16.45-17.00 break
  30. 17.00-18.00 Backup and restore of DCs, restoring objects in AD with ntdsutil, authoritative and non-authoritative restores, other tools like adsiedit, ldp, netdom and so on. New AD features in the latest Windows versions

[/spoiler]

day 5 – PKI

[spoiler effect=”blind”]

  • Why Microsoft PKI/CA? Alternatives. Internal and public CAs.
  • Objectives of an internal SMB CA. Precautions (backup of private keys, key archival, recovery agents, templates)
  • Software and hardware keyloggers vs 2FA/certificates
  • Ransomware; backup encryption and auto-detach.
  • Multi-factor authentication, 2FA in LastPass, Joomla, WordPress. Labs: how to configure 2FA/2SV for Gmail and Microsoft accounts.
  • CA and smart cards (eToken and conventional smart cards) used for Windows login. Labs: how to configure an eToken to protect user credentials with elevated permissions.
  • BitLocker, TrueCrypt and so on (why it's recommended to use encrypted mobile storage)
  • EFS: pitfalls of usage, undocumented weak sides. Why it's so crucial to carefully plan EFS usage.
  • CA and mail servers, S/MIME, PGP, how to protect email correspondence (examples: Google/Yahoo PGP)
  • CA and SSL certs for web services, common mistakes (SSL certificates for Lync, Exchange web services like Outlook Anywhere, ActiveSync and so on)
  • CA and VPN (IPsec and AD Group Policy)
  • AD RMS: what is it? How to use it properly, how to restore access, backup of AD RMS

[/spoiler]