Subsections of SysAdmin and IT Infrastructure Services

What is System Administration?

System Administration

The field in IT that’s responsible for maintaining reliable computer systems in a multi-user environment.

IT Infrastructure

IT Infrastructure encompasses the software, hardware, network, and services required for an organization to operate in an enterprise IT environment.

  • Sysadmins work in the background to make sure the company’s IT infrastructure is always up and running.

  • In large companies, the sysadmin role can be split into:

    • Network Administrators

    • Database Administrators

    (Figure: A Company X IT Infrastructure)

Servers Revisited

  • Sysadmins are responsible for managing things like:
    • Email
    • File storage
    • Running a website and more.
  • These services are stored on servers.

Server

Software or a machine that provides services to other software or machines.

Servers include:

  • Web server
  • Email server
  • SSH server

The three most common server form factors, in terms of space efficiency, are:

  • Tower Servers
  • Rack Servers
  • Blade Servers

(Figure: Types of Server)

KVM Switch

A Keyboard, Video, and Mouse (KVM) switch is an industry-standard hardware device for connecting directly to servers.

(Figure: A KVM Switch in Action)

The Cloud

  • Cloud computing is a concept in which you can access your files, emails, etc. from anywhere in the world.
  • The cloud is not a magical thing; rather, hundreds or even thousands of computers act as servers, somewhere in a data center, to form a cloud.

Data Center

A facility that stores hundreds, if not thousands, of servers.

System Administration

Organizational Policies

  • In a small company, it’s usually a Sysadmin’s responsibility to decide what computer policies to use.
  • In larger companies with hundreds of employees or more, this responsibility typically falls under the chief security officer or CSO.

User and Hardware Provisioning

Another responsibility sysadmins have is managing users and hardware.

There are four stages of the hardware life cycle:

(Figure: A Company Hardware Life-cycle)

Routine Maintenance

To effectively update a fleet of hardware, you set up a batch update once every month or so, depending upon company policies.

Good practice is to install security and critical bug fixes routinely.

Vendors

  • Not only do sysadmins in a small company work with computers, they also have to deal with printers and phones, too.

  • Whether your employees have cellphones or desk phones, their phone lines have to be set up.

    Other hardware generally used in companies is:

    • Printers
    • Fax machines
    • Audio/video conferencing equipment
  • Sysadmins might be responsible for making sure printers are working or, if renting a commercial printer, they have to make sure that someone can be on site to fix it.

  • Setting up business accounts with vendors like Hewlett Packard, Dell, Apple, etc. is usually beneficial, since they generally offer discounts for businesses.

Troubleshooting and Managing Issues

While working in an organization, sysadmins have to constantly troubleshoot and fix issues on machines.

You need to prioritize the issues all the time.

In Case of Fire, Break Glass

As a sysadmin, you need to have a recovery plan for the company's critical data and IT infrastructure in case of a critical failure.

Applying Changes

With Great Power Comes Great Responsibility

  • Avoid using administrator’s rights for tasks that don’t require them.
  • When using Admin rights, make sure to:
    • Respect the privacy of others.
    • Think before you type or do anything.
    • With great power comes great responsibility.
  • Documenting what you do is pretty important, for future you or someone else in the company to troubleshoot the same issues.
    • script: command used to record a group of commands as they're being issued on Linux
    • Start-Transcript: the equivalent command on Windows
    • The desktop can be recorded with a GUI application.
  • Some commands are easier to roll back than others, so be careful what you're doing.

Script

In the case of script you can call it like this:

script session.log

This writes the contents of your session to the session.log file. When you want to stop, you can type exit or press CTRL+D.

The generated file contains ANSI escape sequences, which encode the colors that were displayed on screen. To read it, you can use CLI tools such as ansi2txt or ansi2html to convert it to plain text or HTML respectively.

Start-Transcript

In the case of Start-Transcript, you can call it like this:

Start-Transcript -Path <drive>:\Transcript.txt # File name can be anything.

To stop recording, you need to call Stop-Transcript. The file created is a plain text file where the commands executed, and their outputs, are stored.

Rollback

Reverting to the previous state is called a rollback.

Never Test in Production

  • Before pushing any changes to production, test them first in the test environment to make sure they are bug free.
  • If you're in charge of an important service that you need to keep running during a configuration change, it's recommended that you have a secondary or stand-by machine.
  • After testing the changes in the test environment, first apply them to the stand-by or secondary machine, then make that machine primary, and then apply the changes to the production machine.
  • For even bigger services, when you have lots of servers providing the service, you may want to have canaries: a small group of servers that receive the change first, so if anything still doesn't work, it shouldn't take down the whole infrastructure.

Production

The parts of the infrastructure where a certain service is executed and served to its users.

Test environment

A virtual machine running the same configuration as the production environment, but isn’t actually serving any users of the service.

Secondary or stand-by machine

This machine will be exactly the same as a production machine, but won't receive any traffic from actual users until you enable it to do so.

Assessing Risk

There is no point in having test/secondary servers when nobody cares about the downtime.

So, it’s very important to assess the risk before going forward to invest in the backup plans.

In general, the more users your service reaches, the more you’ll want to ensure that changes aren’t disruptive.

The more important your service is to your company's operations, the more you'll work to keep the service up.

Fixing Things the Right Way

Reproduction case

Creating a roadmap to retrace the steps that led the user to an unexpected outcome.

When looking for a reproduction case, there are three questions you need to ask:

  • What steps did you take to get to this point?
  • What is the unexpected or bad result?
  • What is the expected result?

After applying your fix, retrace the same steps that took you to the bad experience. If your fix worked, the expected experience should now take place.

Network and Infrastructure Services

Types of IT Infrastructure Services

(Figure: IT Infrastructure)

  • You can use Cloud Infrastructure Services, or IaaS, if you don't want to use your own hardware. Some common IaaS providers are:

    • Amazon EC2
    • Linode
    • Windows Azure
    • Google Compute Engine (GCP)

    (Figure: IaaS)

  • Networks can be integrated into an IaaS

  • But in recent years, Network as a Service or NaaS has emerged.

    (Figure: NaaS)

  • Every company needs some email service, word processor, presentation software, CMS, etc. Software as a Service, or SaaS, can handle it for you.

    (Figure: SaaS)

  • Some companies have a product built around a software application. In this case, there are some things that software developers need to be able to code, build and shape their software.

    • First, specific applications have to be installed for their programming development environment.
    • Then, depending on the product, they might need a database to store information.
    • Finally, if they’re serving web content like a website, they might need to publish their product on the Internet.
    • For an all-in-one solution, Platform as a Service, or PaaS, is used.

    (Figure: PaaS)

  • The last IT infrastructure service we'll discuss is the management of users, access, and authorization. A directory service centralizes your organization's users and computers in one location so that you can add, update, and remove users and computers. Some popular directory services are:

    • Windows Active Directory (AD)
    • OpenLDAP
  • The directory services can be directly deployed in the cloud via Directory as a Service or DaaS.

Physical Infrastructure Services

Server Operating Systems

Regular operating systems that are optimized for server functionality.

  • Windows Server
  • Linux Servers
  • macOS Servers

Virtualization

Advantages:

  • Resource Utilization
  • Maintenance
  • Point of Failure
  • Cost
  • Connectivity

Limitations:

  • Performance

Network Services

FTP, SFTP, and TFTP

  • A network service commonly used in an organization is a file transfer service.

    (Figure: A Network File transfer service)

PXE Boot (Preboot Execution Environment)

It allows you to boot into software available on the network.

NTP (Network Time Protocol)

  • One of the oldest network protocols

  • You can use a public NTP server, or deploy your own if you have a fleet of hundreds or thousands of computers.

    (Figure: NTP Server)

Network Support Services Revisited

  • There are a few services that are used internally in an IT enterprise environment, to improve employee productivity, privacy, and security.
    • Intranet
    • Proxy servers

Intranet

An internal network inside a company; accessible if you’re on a company network.

Proxy server

Acts as an intermediary between a company’s network and the Internet.

DNS

Maps human-understandable names to IP addresses.

DNS for Web Servers

  • First, we need a domain name.

    (Figure: DNS Web Server Setup)

  • We can also have our own server, with the domain name pointed at it.

    (Figure: DNS setup for private server)

DNS for Internal Networks

  • The other reason we might want our own DNS servers is so we can map our internal computers to IP addresses. That way, we can reference a computer by name instead of by IP address.
    • You can do this through hosts files.
    • Hosts files allow us to map IP addresses to host names manually.
    • AD/OpenLDAP can be used to handle user and machine information in one central location. Once a local DNS server is set up, it will automatically be populated with machine-to-IP-address mappings.
  • Options for a custom DNS server setup:
    • BIND
    • PowerDNS
    • Dnsmasq
    • Erl-DNS

DHCP

  • When connecting to a network, you have two options for IP address assignment:
    • Static IP
    • DHCP assigned IP

Troubleshooting Network Services

Unable to Resolve a Hostname or Domain Name

  • To check if a website responds to ping requests:

    ping google.com
  • To verify that your DNS server is giving you the correct address for google.com:

    nslookup google.com
  • Remember that when a DNS query is performed, your computer first checks the hosts file. To open the hosts file:

    sudo vim /etc/hosts
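As an added example (not from the course notes), this POSIX shell snippet looks a name up the way the resolver's first step does, in a hosts file, and reports whether DNS would be consulted at all; the hosts file, the names and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the course notes. A stale or tampered hosts file
# silently shadows the DNS answer, which is why "nslookup says one address,
# ping goes to another" is worth checking here first.

# Write a constructed hosts file (assumed content) to the given path.
write_sample_hosts() {
  cat > "$1" <<'EOF'
127.0.0.1   localhost
::1         localhost ip6-localhost
# Constructed entry: a local override that hides the DNS record for this host.
10.0.0.5    intranet.example.test intranet   # trailing comment
EOF
}

# Print the address the hosts file maps NAME to (case-insensitive, aliases
# included). Exit status 1 means no entry: the resolver would go on to DNS.
hosts_lookup() {
  awk -v name="$2" '
    BEGIN { name = tolower(name) }
    { sub(/#.*/, "") }                 # strip comments
    NF < 2 { next }                    # skip blank / address-only lines
    { for (i = 2; i <= NF; i++)
        if (tolower($i) == name) { print $1; found = 1; exit } }
    END { exit !found }
  ' "$1"
}

# Explain how a name would resolve: hosts file first, then DNS.
explain_resolution() {
  hosts_file=$1; name=$2
  if addr=$(hosts_lookup "$hosts_file" "$name"); then
    echo "$name -> $addr (from $hosts_file; DNS is never asked)"
  else
    echo "$name: not in $hosts_file, resolver will query DNS (compare with: nslookup $name)"
  fi
}

# Demonstration on the constructed file (use /etc/hosts on a real machine).
demo=$(mktemp)
write_sample_hosts "$demo"
explain_resolution "$demo" INTRANET.example.test
explain_resolution "$demo" www.example.test
rm -f "$demo"
```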

Managing System Services

What do Services Look Like in Action

  • We have looked at many services so far:
    • DHCP
    • DNS
    • NTP etc.
  • It's important to understand how the programs that provide these services operate, so that you can manage them and fix any problems that pop up.
  • These programs run as background processes, also known as daemons, or just services.
    • This means that the program doesn't need to interact with a user through the graphical interface or the CLI to provide the necessary service.
  • Each service has one or more configuration files, which you as sysadmin use to determine how it operates.
  • Some services offer an interactive interface for configuration and changes; others rely on the system's infrastructure.
    • It means you need to edit the configuration file yourself.
    • You should also know how to start or stop a service.
  • Services are usually configured to start when the machine boots, so that if there’s a power outage or a similar event that causes the machine to reboot, you won’t need a system administrator to manually start the service.

Managing Services on Linux

  • To check whether the NTP daemon is running on a system:

    timedatectl
  • If there is a clock change of more than 120ms, the NTP daemon will not adjust for the change.

  • Stopping and starting the NTP service manually will adjust the clock to the correct settings.

  • Restarting first stops and then starts the service.

Managing Services on Windows

Here, for example, we will deal with the Windows Update service.

To check the status of the service:

Get-Service wuauserv # Shorthand name for the Windows Update service

To get more information about the service:

Get-Service wuauserv | Format-List *

To stop service (Admin required):

Stop-Service wuauserv

To start a service (Admin required):

Start-Service wuauserv

To list all services running in the system:

Get-Service

The same actions can be performed via the Services management console in the GUI.

Configuring Services on Linux

  • Most services are enabled as you install them; they ship with a default configuration that comes with the program itself.

  • The configuration files for the installed services are located in the /etc directory.

  • Here we will use the example of an FTP server.

  • After installing the FTP server vsftpd, it will start the service automatically.

  • We can connect with an FTP client:

    lftp localhost
    • It requires a username and password to view contents.
  • To enable anonymous FTP logins, we can edit the configuration file /etc/vsftpd.conf.

    • Then reload the FTP service:
    sudo service vsftpd reload

lftp

An FTP client program that allows us to connect to an FTP server.

Reload

The service re-reads the configuration without having to stop and start.

Configuring Services on Windows

Here, as an example, we will use Internet Information Services (IIS), the Windows feature for serving web pages.

  • First, enable it under "Turn Windows features on or off" in the settings.

    To enable the feature from the CLI:

    Install-WindowsFeature Web-WebServer,Web-Mgmt-Tools -IncludeAllSubFeature
  • Then we can manage IIS in Server Manager, where an IIS tab is now available after applying the above changes.

Configuring DNS with Dnsmasq

dnsmasq

A program that provides DNS, DHCP, TFTP, and PXE services in a simple package.

To install it:

sudo apt install dnsmasq

It is enabled immediately with basic functionality: it provides a cache for DNS queries. This means you can make DNS requests to it, and it'll remember the answers, so your machine doesn't need to ask an external DNS server each time.

To check this functionality, we’ll use dig command, which lets us query DNS servers and see their answers:

dig www.example.com @localhost

The part after the @ sign specifies which DNS server to use for the query.

To see what's happening in the background, we can run dnsmasq in debug mode.

First stop the service:

sudo service dnsmasq stop

Now, run it in debug mode:

sudo dnsmasq -d -q

Now open a second console and run the dig command again; the dnsmasq console, running with the flags -d (debug) and -q (query logging), shows the query being handled.

Configuring DHCP with Dnsmasq

  • A DHCP server is usually set up on a machine or a device that has a static IP address configured to the network interface which is being used to serve the DHCP queries. That interface is then connected to the physical network that you want to configure through DHCP, which can have any number of machines on it. In real life, the DHCP server and the DHCP client typically run on two separate machines.

  • For this example, we’ll use a single machine

  • In this machine, we have an interface called eth_srv, that’s configured to be the DHCP server’s interface.

  • We also have an interface called eth_cli, which is the interface that we’ll use to simulate a client requesting an address using DHCP. This interface doesn’t have an IP configured yet.

  • So, we run:

    ip address show eth_cli

    We can see that this interface doesn't have an IPv4 address configured. We will change this by using our DHCP server. To do this, we need to provide additional configuration to dnsmasq. There are lots of things we can configure; we're going to use a very basic set of options. Let's look at the configuration file.

    cat dhcp.conf

    The interface option tells dnsmasq that it should listen for DHCP queries on the eth_srv interface. The bind-interfaces option tells it not to listen on any other interfaces for any kind of queries. This allows us to have more than one dnsmasq server running at the same time, each on its own interface. The domain option tells the clients the network's domain name, which will be used for querying host names. Then we have two different dhcp-option lines, which are additional information that will be transmitted to DHCP clients when the IP is assigned. In this case, we're telling clients what to configure as a default gateway and which DNS servers should be used. There are a lot more options that we can set, but these two are the most common ones.

  • Finally, we configure the DHCP range. This is the range of IP addresses that the DHCP server can hand out. Depending on your specific setup, you may want to reserve some addresses in your network for machines that need to have a static address. If you don’t plan to do that, you can make the range larger, but make sure you don’t include the address of the DHCP server itself. The last value in the DHCP range Line is the length of the lease time for the IP address. In this case, it’s 12 hours, which means that once an address is assigned to a machine, it will be reserved for that machine for those 12 hours. If the lease expires without the client renewing it, the address can be assigned to a different machine.

    Let's tell dnsmasq to start listening for queries using this config:

    sudo dnsmasq -d -q -C dhcp.conf

    We can see in the output that dnsmasq is listening for DHCP queries on the eth_srv interface with the options that we set in our configuration file. Now, let's run a DHCP client in a second terminal:

    sudo dhclient -i eth_cli -v

    We're using dhclient, which is a very common DHCP client on Linux. We're telling it to run on the eth_cli interface, and we're using the -v flag to see the full output of what's happening.

    ip address show eth_cli

    Our eth_cli interface has successfully acquired an IP address.
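As an added example (not from the course notes), here is a constructed dhcp.conf using the option names described above, together with a small POSIX shell check for the mistake the notes warn about: the server's own static address falling inside the dhcp-range. The 192.0.2.0/24 addresses, the example.test domain and the function names are assumptions, not the course's values.

```shell
#!/bin/sh
# Added example, not from the course notes. The config mirrors the options
# walked through above; on a real server also run "dnsmasq --test -C dhcp.conf"
# to syntax-check the file before starting the daemon.

# Write a constructed dhcp.conf (assumed values) to the given path.
write_sample_dhcp_conf() {
  cat > "$1" <<'EOF'
# Listen for DHCP queries only on the server-side interface.
interface=eth_srv
bind-interfaces
# Domain handed to clients and used for host-name lookups.
domain=example.test
# DHCP options sent with every lease: default gateway and DNS server.
dhcp-option=option:router,192.0.2.1
dhcp-option=option:dns-server,192.0.2.1
# Pool to hand out, with a 12 hour lease time.
dhcp-range=192.0.2.50,192.0.2.150,12h
EOF
}

# Convert a dotted-quad IPv4 address to an integer so ranges can be compared.
ip2int() {
  ( IFS=.; set -- $1; echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 )) )
}

# Read the dhcp-range line from a config file; prints "start end lease".
dhcp_range_of() {
  sed -n 's/^dhcp-range=\([^,]*\),\([^,]*\),\(.*\)$/\1 \2 \3/p' "$1"
}

# Exit 0 if ADDR lies inside the pool defined in CONF, 1 if it does not.
ip_in_dhcp_range() {
  conf=$1; addr=$2
  set -- $(dhcp_range_of "$conf")
  [ -n "${1:-}" ] || { echo "no dhcp-range line in $conf" >&2; return 2; }
  a=$(ip2int "$addr"); lo=$(ip2int "$1"); hi=$(ip2int "$2")
  [ "$a" -ge "$lo" ] && [ "$a" -le "$hi" ]
}

# Full check: the DHCP server's own static address must not be in the pool,
# otherwise dnsmasq could lease it to a client. Reports the lease time too.
check_dhcp_conf() {
  conf=$1; server_ip=$2
  if ip_in_dhcp_range "$conf" "$server_ip"; then
    echo "WARNING: server address $server_ip lies inside the DHCP pool"
    return 1
  fi
  set -- $(dhcp_range_of "$conf")
  echo "OK: pool $1-$2, lease $3, server $server_ip is outside the pool"
}

# Demonstration: write the constructed config and check the server's address.
demo_conf=$(mktemp)
write_sample_dhcp_conf "$demo_conf"
check_dhcp_conf "$demo_conf" 192.0.2.1
rm -f "$demo_conf"
```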

Software and Platform Services

Platform services

Provide a platform for developers to code, build, and manage software applications.

Software Services

Services that employees use that allow them to do their daily job functions.

Major software services are

  • Communication services
  • Security services
  • User productivity services

Communication services

Some instant chat communication services are:

  • Internet Relay Chat (IRC)

  • Paid options: HipChat and Slack

  • IM protocols: XMPP or Extensible Messaging and Presence Protocol

Configuring Email Services

  • You need a domain name for the company.

    • Google Suite

    Some email protocols are:

    • POP3 or Post Office Protocol 3

    It first downloads the email from the server onto your local device. It then deletes the email from the email server. If you retrieve your email through POP3, you can view it from only one device.

    • IMAP or Internet Message Access Protocol

    Allows you to download emails from your email server onto multiple devices. It keeps your messages on the email server.

    • SMTP or Simple Mail Transfer Protocol

    It is a protocol used only for sending email.

    (Figure: Email Services)

Configuring User Productivity Services

When considering software licenses, it’s important to review the terms and agreements.

Software licensed for consumer use isn't the same as software licensed for business use.

Configuring Security Services

There are different protocols for managing the security of online services.

Hyper Text Transfer Protocol Secure (HTTPS)

The secure version of HTTP, which makes sure the communication your web browser has with the website is secured through encryption.

  • Transport layer security protocol or TLS
  • Secure Socket layer or SSL (deprecated)

To enable TLS, so a website can use HTTP over TLS, you need to get an SSL/TLS certificate from a trusted certificate authority.

File Services

What are File Services?

(Figure: File Services)

Network File Storage

  • Only a few file systems are cross-compatible, like FAT32.

  • Network File System (NFS) allows us to share files over a network and is cross-compatible.

    (Figure: NFS)

  • Even though NFS is cross-compatible, there are some compatibility issues on Windows.

  • If your fleet is mostly Windows, you can use Samba, which is also cross-platform.

    • SMB, or Server Message Block, is the protocol that Samba uses.
  • An affordable solution is to use Network Attached Storage, or NAS. These devices are optimized for network storage and come with a stripped-down OS optimized for file transfer and storage.

Configuring Print Services

  • On Windows, the print feature can be enabled.
  • On Linux, use CUPS, the Common Unix Printing System.

Platform Services

Web Servers Revisited

Web server

Stores and serves content to clients through the Internet.

Some server software:

  • Apache2
  • Nginx
  • Microsoft IIS

What is a database server?

Databases

Allow us to store, query, filter, and manage large amounts of data.

Common databases:

  • MySQL
  • PostgreSQL

There is a specialized field within IT that handles databases:

  • Database Administration

Troubleshooting Platform Services

Is the Website down?

HTTP status codes are of great help for troubleshooting web server errors.

Knowing the common HTTP status codes comes in handy for fixing website errors.

HTTP status Codes

HTTP status codes are numbers that indicate an error or an informational message resulting from an attempt to access a web resource.

  • HTTP status codes that start with 4xx indicate an issue on the client-side.
  • The other common HTTP status codes you might see start with 5xx. These errors indicate an issue on the server-side.

They tell us more than just errors. They can also tell us when our request is successful, which is denoted by the codes that begin with 2xx.

404 Not Found

A 404 error indicates that the URL you entered doesn’t point to anything.

Managing Cloud Resources

Cloud Concepts

  • When setting up a cloud server, the region is important.

SaaS

The software is already pre-configured and the user isn’t deeply involved in the cloud configuration.

IaaS

You’re hosting your own services in the cloud. You need to decide how you want the infrastructure to look, depending on what you want to run on it.

Regions

A geographical location containing a number of data centers.

  • Each of these data centers is called a zone.
  • If one of them fails for some reason, the others are still available and services can be migrated without visibly affecting users.

Public cloud

Cloud services provided to you by a third party.

Private cloud

When your company owns the services and the rest of your infrastructure – whether on-site or in a remote data center.

Hybrid cloud

A mixture of both private and public clouds.

Typical Cloud Infrastructure Setups

Let's say you have a web server providing a website to a client. In a typical setup for this kind of service running in a cloud, a number of virtual machines will be serving this same website behind a load balancer.

To make sure the servers are running properly, you can set up:

  • Monitoring
  • Alerting

Load Balancer

Ensures that each VM receives a balanced number of queries.

Auto-scaling

It allows the service to increase or reduce capacity as needed, while the service owner only pays for the cost of the machines that are in use at any given time.

Directory Services

Introduction to Directory Services

What is a directory server?

“Contains a lookup service that provides mapping between network resources and their network addresses.”

A sysadmin will be responsible for the directory server's:

  • Setup
  • Configuration
  • Maintenance

Replication

The stored directory data can be copied and distributed across a number of physically distributed servers, but still appear as one, unified data store for querying and administrating.

Directory services

Useful for organizing data and making it searchable for an organization.

(Figure: Directory Structure Management)

Implementing Directory Services

Directory services became an open network standard for interoperability among different vendors.

  • Directory Access Protocol or DAP
  • Directory System Protocol or DSP
  • Directory Information Shadowing Protocol or DISP
  • Directory Operational Bindings Management Protocol or DOP

The most popular of these alternatives was:

  • Lightweight Directory Access Protocol or LDAP

The popular industry implementations of these protocols are:

  • Microsoft Active Directory or AD
  • OpenLDAP

Centralized Management

What is centralized management?

“A central service that provides instructions to all the different parts of the company’s IT infrastructure.”

  • Directory services provide centralized authentication, authorization, and accounting, also known as AAA.
  • Role-based access control, or RBAC, is super important in centralized management to restrict access to authorized users only.

(Figure: Role Based Access Control)

There are powerful configuration management and automation tools like:

  • Chef
  • Puppet
  • SCCM

(Figure: Centralized Management)

LDAP

What is LDAP?

“Used to access information in directory services, like over a network.”

The best known directory services that use LDAP:

  • AD
  • OpenLDAP

LDIF (LDAP Data Interchange Format) entries use the following fields:

  • dn (distinguished name)

This refers to the name that uniquely identifies an entry in the directory.

  • dc (domain component)

This refers to each component of the domain.

  • ou (organizational unit)

This refers to the organizational unit (or sometimes the user group) that the user is part of.

  • cn (common name)

This refers to the individual object (person’s name; meeting room; recipe name; job title; etc.) for whom/which you are querying.

What is LDAP Authentication

There are three ways to authenticate to LDAP:

  • Anonymous
  • Simple
  • SASL - Simple Authentication & Security Layer

The common SASL authentication technique is Kerberos.

(Figure: LDAP Authentication)

Kerberos

A network authentication protocol that’s used to authenticate user identity, secure the transfer of user credentials, and more.

Active Directory

What is Active Directory?

The native directory service for Microsoft Windows.

  • Central point for managing Group Policy Objects or GPOs.

Managing Active Directory Users and Groups

Local user accounts and security groups are managed by the Security Accounts Manager (SAM) on a local computer.

(Figure: Authorization and Access Control Process)

There are three group scopes:

  • Universal
  • Global
  • Domain local

Managing Active Directory User Passwords

Passwords are stored as a cryptographic hash.

If there's more than one person who can authenticate using the same username and password, then auditing becomes difficult or even impossible.

  • If a user forgets their password, you as a sysadmin can reset it for them.
  • A password reset will wipe out any encrypted files on the user's computer.
  • Designated user accounts, called recovery agent accounts, are issued recovery agent certificates with public keys and private keys that are used for EFS data recovery operations.

(Figure: EFS)

Joining an Active Directory Domain

A computer not part of the AD is called a WorkGroup computer.

Settings > System and Security > System > Computer name, domain, and workgroup settings

From CLI:

Add-Computer -DomainName 'example.com' -Server 'dc1'

To get the forest and domain functional levels:

Get-ADForest
Get-ADDomain

Forest and Domain Functional Levels

Functional levels determine the available AD Domain Service (AD DS) domain or forest capabilities. They also determine which Windows Server OS you can run on domain controllers in the domain or forest.

What is Group Policy?

Group Policy Object (GPO)

A set of policies and preferences that can be applied to a group of objects in the directory.

  • When you link a GPO, all the computers or users under that domain, site, or OU will have that policy applied.
  • A GPO can contain computer configuration, user configuration, or both.

(Figure: A GPO)

  • Use the Group Policy Management tool, or gpmc.msc, to change GPOs.

Policies

Settings that are reapplied every few minutes, and aren’t meant to be changed even by the local administrators.

  • By default, a GPO will be re-applied every 90 minutes, so OUs don't drift away from policies.

Group policy preferences

Settings that, in many cases, are meant to be a template for settings.

Windows Registry

A hierarchical database of settings that Windows, and many Windows applications, use for storing configuration data.

  • GPOs are applied by changing Windows Registry settings.

Group Policy Creation and Editing

Always make backup before creating new policies or editing existing ones.

Group Policy Inheritance and Precedence

When a computer processes the GPOs that apply to it, all of these policies are applied according to precedence rules.

  • The Resultant Set of Policy or RSOP report is used to review applied policies and preferences.

When GPOs collide, they’re applied:

Site → Domain → OU (Applied from least specific to the most specific)

Group Policy Troubleshooting

One of the most common issues you might encounter is when a user isn’t able to log in to their computer, or isn’t able to authenticate to the Active Directory domain.

  • Maybe the user is locked out due to multiple failed log-in attempts.
  • Sometimes they just forget their password.
  • Start with the simplest problem statement, like perhaps there is a network connectivity issue, rather than going straight to AD troubleshooting.
  • Possibly there is a problem with a DNS record and the computer cannot find the SRV record.
  • The SRV records that we're interested in are _ldap._tcp.dc._msdcs.DOMAIN.NAME, where DOMAIN.NAME is the DNS name of our domain:

    Resolve-DnsName -Type SRV -Name _ldap._tcp.dc._msdcs.example.com
  • Maybe there is a clock sync issue.

A common issue that you might have to troubleshoot is when a GPO-defined policy or preference fails to apply to a computer.

  • Perhaps the issue is with how GPOs are applied, e.g. Fast Logon Optimization.
  • A GPO update may apply only partially; force a full synchronous update:

    gpupdate /force /sync
  • Some types of policies are only applied when the computer is rebooted or the user logs off and logs back on.
  • Replication failure may occur; check which domain controller you authenticated against:

    $env:LOGONSERVER

To find out why a particular policy isn't applying to a computer, generate an RSOP (Resultant Set of Policy) report:

gpresult /R

To get the full report:

gpresult /H test.html

Mobile Device Management (MDM)

The mobile OS takes MDM profiles or policies that contain settings for the device. You can use MDM to do a bunch of things:

  • Automatically installing apps
  • Pre-configuring wireless networks
  • Enforcing security settings like turning on encryption of the device’s storage
  • Remotely wiping a device

MDM policy settings are specific to each OS. Those policies can be created and distributed through enterprise mobility management (EMM) software.

Remote wipe

A factory reset that you can trigger from your central MDM, rather than having to do it in person on the device.

OpenLDAP

What is OpenLDAP?

OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP).

  • Using LDAP Data Interchange Format (LDIF) files, you can add, modify and remove users, groups and other entries in the directory. (This is OpenLDAP's own directory, not Active Directory: the two are separate directory services that both speak LDAP.)
  • Works on Linux, Windows, and macOS.

To install it on Debian and Debian-based distros:

sudo apt install slapd ldap-utils

Then we’ll reconfigure the slapd package:

sudo dpkg-reconfigure slapd

Now you have a running LDAP server.

To get Web Interface:

sudo apt install phpldapadmin

The web server is now configured to serve the application, but we need to make some additional changes: configure phpLDAPadmin to use our domain, and stop it from autofilling the LDAP login DN.

sudo vim /etc/phpldapadmin/config.php

Look for the line that starts with $servers->setValue('server','name' and set a display name for the server:

$servers->setValue('server','name','Example LDAP');

Next, move down to the $servers->setValue('server','base' line.

$servers->setValue('server','base', array('dc=example,dc=com'));

Now find the login bind_id configuration line, and comment it out with #

#$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');

The last thing that we need to adjust is a setting that controls the visibility of some phpLDAPadmin warning messages. By default, the application will show quite a few warning messages about template files. These have no impact on our current use of the software. We can hide them by searching for the hide_template_warning parameter, uncommenting the line that contains it, and setting it to true:

$config->custom->appearance['hide_template_warning'] = true;

Now log in to the web interface:

https://example.com/phpldapadmin

Because the interface accepts an admin bind over the web, serve it only over HTTPS and restrict who can reach it (for example with web-server access controls or a firewall rule); otherwise the admin DN and password travel in clear text.

Managing OpenLDAP

ldapadd

Takes an LDIF file as input and adds the entries it describes to the directory.

ldapmodify

Modifies existing entries according to the changes described in an LDIF file (changetype: modify).

ldapdelete

Removes the entries whose distinguished names are given on the command line or read from a file.

ldapsearch

Searches for entries in your directory database.
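As an added example (not code from the page or from the OpenLDAP project), the following shell script generates the LDIF these tools consume and runs them against the slapd installed above, hashing the user's password as {SSHA} before it is written rather than putting it in the LDIF in clear. The base DN dc=example,dc=com, an existing ou=people container, the admin DN cn=admin,dc=example,dc=com, the user jdoe and the server ldap://localhost are assumptions; the commands that talk to the server run only when LDAP_RUN=1 is set, otherwise the script just prints the LDIF it would add.

```shell
#!/bin/sh
# Added example (not from the page): LDIF generation for the ldapadd /
# ldapmodify / ldapdelete / ldapsearch workflow, with userPassword stored
# as {SSHA} instead of clear text.
# Assumed (hypothetical): base DN dc=example,dc=com, an existing ou=people
# container, admin DN cn=admin,dc=example,dc=com, server ldap://localhost.
set -eu

BASE_DN="dc=example,dc=com"
ADMIN_DN="cn=admin,$BASE_DN"
LDAP_URI="${LDAP_URI:-ldap://localhost}"

# Emit the raw bytes of a hex string (POSIX printf understands \ooo).
hex_to_bytes() {
  printf '%s\n' "$1" | fold -w 2 | while read -r h; do
    printf "\\$(printf '%03o' "$((0x$h))")"
  done
}

# {SSHA}: base64( SHA1(password || salt) || salt ) with a 4-byte salt.
# The salt means two users with the same password get different hashes.
ssha_hash() {
  pw="$1"; salt="${2:-$(openssl rand -hex 4)}"
  digest=$( { printf '%s' "$pw"; hex_to_bytes "$salt"; } |
            openssl dgst -sha1 -binary | od -An -tx1 | tr -d ' \n' )
  printf '{SSHA}%s\n' "$(hex_to_bytes "$digest$salt" | openssl base64 -A)"
}

# Recompute the hash with the salt stored inside it; 0 on match, 1 otherwise.
ssha_verify() {
  hex=$( printf '%s' "$1" | sed 's/^{SSHA}//' | openssl base64 -d -A |
         od -An -tx1 | tr -d ' \n' )
  salt=$(printf '%s' "$hex" | cut -c 41-)   # bytes after the 20-byte digest
  [ "$(ssha_hash "$2" "$salt")" = "$1" ]
}

# LDIF for a new inetOrgPerson; the password is hashed before it is written.
user_add_ldif() {
  uid="$1"; cn="$2"; sn="$3"; pw="$4"
  cat <<EOF
dn: uid=$uid,ou=people,$BASE_DN
objectClass: inetOrgPerson
uid: $uid
cn: $cn
sn: $sn
mail: $uid@example.com
userPassword: $(ssha_hash "$pw")
EOF
}

# LDIF for ldapmodify: replace one attribute on an existing entry.
user_modify_ldif() {
  cat <<EOF
dn: uid=$1,ou=people,$BASE_DN
changetype: modify
replace: $2
$2: $3
EOF
}

# Against a live server (only when LDAP_RUN=1): add, search, modify, delete.
# -x is a simple bind; -W prompts for the admin password instead of taking
# it on the command line, where it would land in process lists and history.
if [ "${LDAP_RUN:-0}" = 1 ]; then
  user_add_ldif jdoe "Jane Doe" Doe 'correct horse' |
    ldapadd -x -H "$LDAP_URI" -D "$ADMIN_DN" -W
  ldapsearch -x -H "$LDAP_URI" -b "ou=people,$BASE_DN" '(uid=jdoe)' mail
  user_modify_ldif jdoe mail jane.doe@example.com |
    ldapmodify -x -H "$LDAP_URI" -D "$ADMIN_DN" -W
  ldapdelete -x -H "$LDAP_URI" -D "$ADMIN_DN" -W "uid=jdoe,ou=people,$BASE_DN"
else
  user_add_ldif jdoe "Jane Doe" Doe 'correct horse'
fi
```

Run it as LDAP_RUN=1 sh ldap-users.sh against a live server. slapd verifies {SSHA} values itself during a simple bind, so a hashed userPassword is accepted wherever a clear one would be; the difference is that a clear password in an LDIF file is exactly what ends up in backups, ticket attachments and shell history.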

Data Recovery and Backups

Planning for Data Recovery

What is Data Recovery?

“The process of trying to restore data after an unexpected event that results in data loss or corruption.”

How you go about data recovery depends on a few factors:

  • The nature of the data loss
  • The backups already in place

When an unexpected event occurs, your main objective is to resume normal operations as soon as possible, while minimizing the disruption to business functions.

The best way to be prepared for a data-loss event is to have a well-thought-out disaster plan and procedure in place.

  • Disaster plans should involve making regular backups of any and all critical data that’s necessary for your ongoing business processes.

Postmortem

A Postmortem is a way for you to document any problems you discovered along the way, and most importantly, the ways you fixed them so, you can make sure they don’t happen again.

Backing Up Your Data

Data that is absolutely necessary should be backed up.

Important backup data

Local storage

Off-site storage

Both the backed-up data at rest and the data in transit to the backup location should be encrypted.

Backup Solutions

There are many backup solutions; some of them are:

rsync

A file transfer utility that’s designed to efficiently transfer and synchronize files between locations or computers.

Time Machine

Apple's backup solution, which can restore an entire snapshot or individual files.

Microsoft Backup and Restore

Backup and Restore backs up files as well as system images (snapshots) of the disk.

This tool can do following tasks:

  • Back up
  • Create a system image
  • Create a restore point

Testing Backups

Disaster recovery testing should be done every year or so, and it should include actually restoring from a backup, not just checking that backup jobs completed.

Restoration procedure

Should be documented and accessible so that anyone with the right access can restore operations when needed.

Types of Backup

Ways to perform regular backups:

  • Full backup
  • Differential backup
  • Incremental backup

It's good practice to perform infrequent full backups while doing more frequent differential or incremental backups in between.

  • A differential backup contains every file that has changed or been created since the last full backup, whereas an incremental backup contains only what has changed since the previous backup of any kind. Restoring therefore needs the last full backup plus the latest differential, or the last full backup plus every incremental taken since it.
  • A RAID array can solve the problem of failing disks for on-site backup storage.
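As an added example (not from the page), here is a small POSIX shell implementation of the three schemes over an ordinary directory, using timestamp marker files and find -newer, together with the restore that each scheme requires and a checksum manifest to verify it. The layout DEST/<n>-<kind>/, the marker file names and the demo data are this example's own choices; real tools such as rsync do this bookkeeping for you, but the selection rules and the restore chain are the same.

```shell
#!/bin/sh
# Added example (not from the page): full, differential and incremental
# backups of a directory using POSIX find/cp and timestamp marker files,
# plus a manifest comparison that actually tests the restore. The layout
# DEST/<n>-<kind>/ and the marker names are this example's own choices.
# DEST must not live inside SRC.
set -eu

# backup_run SRC DEST KIND    KIND is full, differential or incremental.
# Markers: DEST/.last_full is refreshed only by full backups,
#          DEST/.last_any  by every backup.  The stamp is taken *before*
# copying, so files written during a run are picked up by the next one.
backup_run() {
  mkdir -p "$2"
  src=$(cd "$1" && pwd); dest=$(cd "$2" && pwd); kind="$3"
  case "$kind" in
    full)         ref="" ;;
    differential) ref="$dest/.last_full" ;;
    incremental)  ref="$dest/.last_any" ;;
    *) echo "unknown backup kind: $kind" >&2; return 1 ;;
  esac
  if [ -n "$ref" ] && [ ! -e "$ref" ]; then
    echo "no previous full backup in $dest; run a full backup first" >&2
    return 1
  fi
  n=$(( $(cat "$dest/.seq" 2>/dev/null || echo 0) + 1 ))
  out="$dest/$n-$kind"; mkdir -p "$out"
  touch "$dest/.stamp"
  # Full: every regular file.  Otherwise: only files modified after the marker.
  ( cd "$src" && if [ -n "$ref" ]; then find . -type f -newer "$ref"; else find . -type f; fi ) |
  while read -r f; do
    mkdir -p "$out/$(dirname "$f")"
    cp -p "$src/$f" "$out/$f"
  done
  echo "$n" > "$dest/.seq"
  cp -p "$dest/.stamp" "$dest/.last_any"
  [ "$kind" = full ] && cp -p "$dest/.stamp" "$dest/.last_full"
  echo "$out"
}

# restore_chain DEST TARGET: replay from the most recent full backup onward,
# in order, so later copies of a file overwrite earlier ones.  With
# differentials only the latest one is strictly needed; with incrementals
# every one since the full is.  Deletions are not replayed: a file removed
# from SRC after the full backup comes back, a limitation of copy-based schemes.
restore_chain() {
  dest=$(cd "$1" && pwd); target="$2"; mkdir -p "$target"
  last_full=$(ls "$dest" | grep '^[0-9][0-9]*-full$' | sort -n | tail -n 1)
  [ -n "$last_full" ] || { echo "no full backup in $dest" >&2; return 1; }
  start="${last_full%%-*}"
  for d in $(ls "$dest" | grep '^[0-9][0-9]*-' | sort -n); do
    [ "${d%%-*}" -ge "$start" ] || continue
    ( cd "$dest/$d" && find . -type f ) | while read -r f; do
      mkdir -p "$target/$(dirname "$f")"
      cp -p "$dest/$d/$f" "$target/$f"
    done
  done
}

# manifest DIR: one "hash  path" line per regular file, sorted by path.
# Comparing the source's manifest with the restored copy's is the restore test.
HASH=$(command -v sha256sum || echo cksum)
manifest() {
  ( cd "$1" && find . -type f | sort | while read -r f; do "$HASH" "$f"; done )
}
verify_restore() {
  [ "$(manifest "$1")" = "$(manifest "$2")" ]
}

# Stand-alone demo on a scratch directory with constructed data.
if [ "${BACKUP_DEMO:-1}" = 1 ]; then
  T=$(mktemp -d)
  mkdir -p "$T/src/docs"; echo v1 > "$T/src/docs/a.txt"; echo v1 > "$T/src/b.txt"
  backup_run "$T/src" "$T/bk" full
  sleep 1; echo v2 > "$T/src/docs/a.txt"   # only a.txt lands in the incremental
  backup_run "$T/src" "$T/bk" incremental
  restore_chain "$T/bk" "$T/restore"
  if verify_restore "$T/src" "$T/restore"; then echo "restore verified"; else echo "restore MISMATCH"; fi
  rm -rf "$T"
fi
```

Run it as sh backups.sh: it creates a scratch directory, takes a full backup, changes a file, takes an incremental, restores the chain and compares manifests. BACKUP_DEMO=0 skips the demo so the functions can be sourced from another script. The manifest comparison is the step most backup schedules leave out; a backup that has never been restored is an assumption, not a backup.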

Redundant Array of Independent Disks (RAID)

A method of taking multiple physical disks and combining them into one large virtual disk.

  • RAID isn't a replacement for backups.
  • It's a data storage solution that protects you from a failed disk, but not from accidental deletion or malware: both are faithfully written to every disk in the array.

User Backups

For user backups:

  • Dropbox
  • Apple iCloud
  • Google Drive

Disaster Recovery Plans

What’s Disaster Recovery Plan?

“A collection of documented procedures and plans on how to react and handle an emergency or disaster scenario, from the operational perspective.”

Preventive measures

Any procedures or systems in place that will proactively minimize the impact of a disaster.

Detection measures

Meant to alert you and your team that a disaster has occurred that can impact operations.

  • Environmental Sensors
  • Flood sensors
  • Temperature and humidity sensors
  • Evacuation procedures

Corrective or recovery measures

Those enacted after a disaster has occurred.

Designing Disaster Recovery Plan

There's no one-size-fits-all plan; a lot goes into a disaster recovery plan.

Designing a Disaster Recovery Plan:

  • Perform Risk Assessment
  • Determine Backup and Recovery Systems
  • Determine Detection & Alert Measures & Test Systems
  • Determine recovery measures

Risk assessment

Allows you to prioritize the parts of the organization that are most at risk if there's an unforeseen event.

Postmortems

What’s a Postmortem?

“A Postmortem is a way for you to document any problems you discovered along the way, and most importantly, the ways you fixed them so, you can make sure they don’t happen again.”

  • We create a Postmortem after an incident, an outage, or some event when something goes wrong, or at the end of a project to analyze how it went.

Writing a Postmortem

Typical postmortem report consists of:

  • Brief summary of what happened

  • Detailed timeline of key events

  • Root cause

  • Resolution and recovery efforts

  • Actions to avoid the same scenario

  • What went well?

    Post-mortem Report

Final Project: SysAdmin and IT Infrastructure Services

System Administration for Network Funtime Company

Scenario 1

You’re doing systems administration work for Network Funtime Company. Evaluate their current IT infrastructure needs and limitations, then provide at least five process improvements and rationale behind those improvements. Write a 200-400 word process review for this consultation. Remember, there’s no right or wrong answer, but make sure to provide your reasoning.

The company overview:

Network Funtime Company is a small company that builds open-source software.

The company is made up of 100 employees:

  • Software engineers
  • Designers
  • A single HR department
  • A small sales team

Problem Statement

  • There are no technical support personnel.
  • HR is responsible for buying hardware for new hires.
  • Due to a lack of funds, the company buys the cheapest hardware possible.
  • Due to a lack of funds, everyone in the company has a different laptop model.
  • There are no spare machines, which creates additional wait time before new employees can start working.
  • Because there is no standardized labeling convention, when a laptop or computer goes missing or is stolen there is no way to audit it.
  • There is no inventory system.
  • HR sets up systems for engineers and answers their support queries through email.
  • There is no standard way to manage logins, passwords and password recovery.
  • The company uses cloud applications such as:
    • Email
    • Word processor
    • Spreadsheets
    • Slack for instant messaging

The Improvements

The company should hire an IT support specialist, who will take care of:

  • Buying new hardware and disposing of retired machines.
  • Selecting hardware with similar specs within the company budget.
  • Keeping an inventory record and labeling each and every machine before handing it over to a new employee.
  • Keeping a few spare machines in the inventory.
  • Managing a ticketing system for employees' support questions.
  • Documenting issues and their fixes.
  • Keeping bootable USB drives of the OSs used in the company.
  • Setting up the machine for each new hire.

The company should move to OpenLDAP or Active Directory for centralized password and permission management, including password recovery.

HR should be responsible for its own tasks instead of providing IT support, hardware management, and software installation and setup for employees.

The Rationale Behind Improvements

Hiring an IT support specialist:

  • Will reduce the workload of HR.
  • Keeping an inventory record will make auditing very easy.
  • Selecting standardized hardware will make troubleshooting and tracking issues and fixes much easier, which in turn means less time spent fixing and more time spent working.
  • Keeping spare machines in the inventory reduces waiting time for new employees, so they can start working as soon as possible.
  • Having a ticketing system, or some other centralized way of tracking issues and fixes, creates documentation for future reference; if the same issue arises again it can be solved in no time.
  • Keeping bootable USB drives saves hunting down software and makes setup easy, which reduces the overhead for new employees, so they can start working immediately.

Centralized management:

  • OpenLDAP or Active Directory will centrally manage users and permissions, so everyone has only the access they need to the company's sensitive documents.
  • Password resets become easier, so less time is wasted.

Scenario 2

You’re doing systems administration work for W.D. Widgets. Evaluate their current IT infrastructure needs and limitations, then provide at least five process improvements and rationale behind those improvements. Please write a 200-400 word process review for this consultation. Remember, there’s no right or wrong answer, but make sure to provide your reasoning.

The Company Overview

The company is in the business of selling widgets, and most of its employees are salespeople.

The company size is 80–100 people.

Problem Statement

  • A sole IT person.
  • Manual installation of software on new machines.
  • IT support issues are sent directly by email.
  • Almost all software is kept in house:
    • Email server
    • Local machine software
    • Instant messenger
  • A single file server holds customer data:
    • No centralized management of the data.
    • No backups.
    • Everyone has their own copy with their own unique data.
  • The company's growth is exponential; they expect to hire hundreds of new employees.

The Improvements

The company should hire new talent for IT support.

The following should be automated:

  • Installation of software on new machines.
  • Backups of critical data.
  • The storage server should be made redundant.

Centralized management of the data is required:

  • To manage customer information in a single place.
  • The company should move from one server to several redundant storage solutions.
  • Permissions and access to the data should be limited according to the role of the person.

To answer IT support questions:

  • There should be a ticketing system in place.
  • There should be documentation of the common issues.

The company should move some of its services to the cloud, such as:

  • Email
  • Instant chat

The Rationale

Hiring new tech talent:

  • Will make sure you're ready for the next big step of your expansion.
  • Will distribute the workload, so fewer burnouts.

The automation will make sure:

  • There is no manual input, so fewer chances of errors.
  • No hours are wasted on installing software and configuring new machines.

The cloud will make the company:

  • Less reliant on local servers, which require more maintenance and complex security configuration.
  • It will reduce the number of people required to manage those servers.
  • There will be far less maintenance overhead, since the provider runs the servers.
  • The data will be centrally available and backed up.
  • Email and chat servers are complex to manage and require a lot of security knowledge.

The centralized management:

  • Will make sure the right person has access to the right information.
  • Removing the access of ex-employees will become easy.
  • Role-based access control will make sure sensitive internal documents are not exposed to the wrong people.

Scenario 3

You’re doing systems administration work for Dewgood. Evaluate their current IT infrastructure needs and limitations, then provide at least five process improvements and rationale behind those improvements. Please write a 200-400 word process review for this consultation. Remember, there’s no right or wrong answer, but make sure to provide your reasoning.

The Company Overview

A small local non-profit of 50 employees.

  • A sole IT person.

Problem Statement

  • Computers are bought directly in a physical store on the day new talent is hired.
  • Due to budget issues, they can't keep extra stock.
  • The company has a single server running multiple services:
    • Email
    • File server
  • They don't have an internal chat system.
  • AD is used, but ex-employees' accounts are not disabled.
  • The ticketing system is confusing and difficult to use, so:
    • Many employees reach out to the IT person to learn how to use it.
    • Employees are always asking around about how to use it.
  • The IT person takes backups on a personal drive and takes it home.
  • A single-page HTML website is hosted on the internal server and is frequently down, and no one knows why.

The Improvements and Rationale

Computers should be purchased directly from vendors:

  • Vendors offer special discounts to businesses and non-profits, so it will save cost.
  • There should be some standardization of which hardware to buy, to avoid fixing new issues every time a new hardware type is introduced.

The company should move its email server to the cloud:

  • Cloud solutions are cheap.
  • There's virtually no maintenance involved.
  • Maintaining your own email server requires a lot of complex configuration to ensure security and redundancy, which isn't feasible with a single IT person.

A cloud-based solution should be used for internal instant chat:

  • Teams can keep track of each other's progress.
  • Teams can discuss issues, plans and procedures without any hiccups.

To improve the ticketing system:

  • There should be proper documentation of how to use it, so employees don't have to go to the IT person for help every time.
  • Common issues and their fixes should be properly documented and stored on the server, so employees can access them and fix common issues themselves, reducing wasted time.

Ex-employees' AD accounts should be disabled as part of offboarding:

  • An account that nobody uses but that still authenticates is an open door into the email and file server.

For the backups:

  • There should be on-site and off-site backups of sensitive data for redundancy.
  • Cloud backup solutions can also be used by a small company.
  • Self-hosted backups should be automatic and redundant.
  • Backups should be encrypted and kept in a controlled location; a personal drive carried home is neither.
  • Backup and recovery tests should be done once every year or so, to make sure that in an emergency your backups will prove reliable.