Monthly Archives: May 2011

What is the USC?

Posted on by

The Dell™ Unified Server Configurator is a pre-installed configuration utility that enables systems and storage management tasks from an embedded environment throughout the server’s lifecycle.

Residing on an embedded flash memory card on the system board of supported servers, the Unified Server Configurator is similar to a BIOS utility in that it can be started during the POST (Power On Self Test) sequence and functions independently of the operating system (OS).

Using the Unified Server Configurator, you can quickly identify, download, and apply system updates without needing to search the Dell support site (support.dell.com). You can also deploy an OS with drivers (the USC stores Operating System drivers contained within a driver pack), configure a Redundant Array of Independent Disks (RAID), and run 32 -bit diagnostics to validate the system and attached hardware.

NOTE:
Certain platforms or servers may not support the full set of features provided by the Unified Server Configurator.

Starting the Unified Server Configurator

To start the Unified Server Configurator, press the <F10> key within 10 seconds of the Dell logo being displayed during the system boot process.

The first time you boot the system, the Unified Server Configurator starts with the User Settings wizard displayed so that you can configure your preferred language and network settings.

USC and Diagnostics

Dell has built into the Unified Server Configurator the ability to launch the system DMRK diagnostics.

CE TIP:
Learning about how the USC can be used to launch and utilize the DRMK diagnostics can be an advantage for you when addressing customer issues. Especially those that require diagnostics to be performed to identify the problem, as the diagnostics will always be on the system board, and there is no need to download them from support.dell.com, as long as the USC on the system is viable and functioning.

When launching the DRMK diagnostics please keep in mind the following:

  • The BIOS provides “thunking” mechanism to allow DRMK DOS to run the tools.
  • When the Diagnostics are complete a reboot of the system is required, sometime after initial launch a reboot will not be required.

The process below illustrates how to launch these diagnostics from the USC.

Platform Update Using FTP Repository
1. To perfom the following procedure you need the following.1.     A server booted into the Unified Server Configurator, F10 on P.O.S.T.
2. Select the Diagnostics option from the left menu of the Unified Server Configurator.
3. On the next screen of the USC Diagnostics Launching Wizard, you will see a single option for Run Diagnostics, select this option.
4. You will now see a screen saying the system is “Loading DRMK V8.00,” indicating the system is loading the diagnostic files.
5. The DMRK diagnostics is now loaded, from here the diagnostics is identical in form and function when compared to the media loaded diags.

Platform Update using FTP Repository

With the Unified Server Configurator Dell has provided the ability to update the USC platform, OS driver pack and system diagnostics using an FTP repository. By default the repository would be ftp.dell.com, but customers can create there own FTP repository and point to it for updates. The image below provides a high level overview of how the Platform Update works using an FTP repository.

The process below explains how to initiate a platform update using an FTP repository, like ftp.dell.com.

Platform Update Using FTP Repository
1. To perform the following procedure you need the following.

  1. A server booted into the Unified Server Configurator, F10 on P.O.S.T.
  2. One of the NICs on the server must be connected, and have properly configured access to the internet to gain access to ftp.dell.com.
2. Select the Platform Update option from the left menu of the Unified Server Configurator.
3. On the next screen of the Platform Update Wizard, you will see a single option for Launch Platform Update, select this option.
4. This next screen select an FTP server or USB Key containing the Platform Update Repository files. Select FTP Server, and configure the FTP server address, proxy server information proxy port, proxy type, proxy user name and proxy user password information. Once all the information is populated click the next button to continue.
5. The next screen in the platform updates wizard allows the user to select the available updates on the repository. Notice that this page shows the current version diagnostics, OS Drivers Pack and the USC platform version as well as the versions to be updated to during the update process.
6. Once the user sees this screen, the system is now performing the Platform Updates.
7. Once the system completes each task for the update, the system will now reboot. You will notice on P.O.S.T. that the system will state it is entering system services, this is the normal and expected behavior.
8. Once the system gets to the welcome screen of the USC after the first reboot, it will reboot again. However, upon the second reboot it will default to the normal boot process, as configured in the system BIOS.

!!It is very important that you update the USC itself!!

Download this as a document: [wpdm_file id=”23″]

AdminSDHolder (ACL’s disappeared on object)

Posted on by

Source: http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx

Symptom
Usually you delegate permission in Active Directory via OUs. Those permissions apply (if configured so) to objects like users underneath that OU. However you may experience that they don’t apply to all user-accounts (e.g. a delegated admin is able to change the phonenumber for most users, but not on a few others), or that the permissions are being reset/lost on some accounts. If you look at the permissions of that user-account you’ll find that the accounts security-descriptor is set not to inherit permissions from parent objects. If you set the security-descriptor to inherit permissions again, you’ll see that this will be reset after a while. If you configure permissions directly on the object they will be reset after a while as well.

Reason
Active Directory protects certain accounts not to inherit delegated permission. This behavior applies to direct and nested members of the following security-groups:

Windows 2000 SP3:
Enterprise Admins
Schema Admins
Domain Admins
Administrators

Windows 2000 SP4 or Windows Server 2003 additional:
Account Operators
Server Operators
Print Operators
Backup Operators
Cert Publishers

Additional the accounts Administrator and krbtgt are protected.

Why are those accounts protected?
Delegation via AD permissions is usually used to delegate administrative rights to regular user-accounts, to implement administrative roles like Site-Administrator. Those might be assigned to reset passwords, deactivate accounts or other tasks. The AdminSdHolder-Thread assures that such an administrative roles gains not more permissions or is able to compromise the privileged accounts.

How are those accounts protected?
The AdminSdHolder/Ds Propagator tread modifies all accounts which are direct or nested members of one of those groups and increases the attribut adminCount to a value higher than 0. This thread runs once an hour on the Domaincontroller holding the PDC-Emulator role. The thread further resets the security-descriptor of those accounts with the default permissions for administrative accounts which is defined by the security-descriptor of the object cn=AdminSdHolder,cn=System,dc=yourdomain,dc=com. This also resets the flag to disable inheritance of parent objects.

But what can I do if I need different permissions?
If you need different permissions on those accounts there are a few approaches you can take:

  1. Usually you should avoid using administrative accounts for the daily routine. Use a regular user-account, and just start administrative applications (such as Active Directory-Users and -Computers) with administrative credentials (via RunAs or Context-Menu, Open with…).
    Active Directory enabled applications or Site-Admins would be able to change the regular user-account of the Administrators, which is usually sufficient, but their administrative accounts are protected. This protects the Administrator from administrative errors of delegated administrators, and he’s further protected against virusses/worms when surfing the web/reading e-mail.
  2. You could use a domain-admin account for AD-enabled applications: This would be a solution, but should be avoided whenever possible. It’s quite easy to delegate AD-integrated applications only write-permissions to the attributes they need, so use that feature to protect your AD. Many times those applications only need permissions to add/modify/delete objects which are defined by their schema extension, and write-permissions on attributes on existing objects their schema extension also added.
  3. If absolutely necessary you are able to change the default permissions on administrative accounts to reflect the need of those applications. You can easily do this by modifying the permissions on cn=AdminSdHolder,cn=System,dc=yourdomain,dc=com. This can be accomblished using ADSIEdit.msc or DsAcls.exe. DsAcls is a commandline-tool for modifying AD-permissions, which every administrator who delegates rights in AD should know. Be sure to test in advance which attributes of which objects are being modifies by the application.

What else is important to know?

  1. AdminSdHolder also applies the permissions to accounts which are nested members through distribution groups. E.g. if User1 is a member of the distribution group Maillist-KnowHow, which is a member of account operators, then User1 is considered as one of the protected accounts (since the distribution group could be converted to a security group).
    Be aware that the command whoami /all does show nested group memberships, but not nested groups through distribution groups.
    Usually you should avoid nesting distribution groups in one of the protected groups.
  2. Users, which are removed out of one of the protected groups (or their nested groups) do not inherit permissions from parent objects. You need to check the box to inherit permissions when removing those users out of the group manually, or use a script to check your users.
    If you have many accounts which are protected by the AdminSdHolder/DS Propagation-Thread, you might notice that the lsass-process on the Domaincontrller holding the PDC-Emultor raises to 100% once an hour. Therefore you should avoid putting loads of users in the protected groups, and rather use delegated administration whenever possible.
  3. Depending on your need you might want to remove Backup Operators, Printer Operators, Server Operators or Account Operators out of the AdminSdHolder protection. You can get a Hotfix at Microsoft PSS which allows to configure that. See the following KB for more informations on that:
    http://support.microsoft.com?id=817433

Backup file permissions [icacls.exe]

Posted on by

A simple tool to backup/restore file permissions is the tool: icacls.exe

To backup the file permissions on the e:\folder\* run the following program:
>icacls.exe E:\folder\* /save E:\cacls.txt /t /c

To restore them later you can run:
>icacls.exe E:\folder\ /restore E:\cacls.txt

Icacls.exe can handle logical drives, network drives and UNC paths.